Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Bootup message - probable problem(s)


  • This topic is locked This topic is locked
23 replies to this topic

#1 drmajcher

drmajcher

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:07:09 PM

Posted 14 October 2009 - 09:26 AM

I keep getting the message :

Windows can not find c:\windows\is-RIOMQ.exe /REG

each time I boot up. I highly suspect I've got a problem (s).

Below is my HIJACKTHIS log.

I'm running Windows XP PRO.

Any help is greatly appreciated !
=====================================

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:21:46 AM, on 10/14/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sunbelt Software\Personal Firewall\SbPFLnch.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Sunbelt Software\Personal Firewall\SbPFSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Sunbelt Software\Personal Firewall\SbPFCl.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [GEST] m|P
O4 - HKLM\..\RunOnce: [InnoSetupRegFile.0000000001] "C:\WINDOWS\is-RIOMQ.exe" /REG
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0D6709DD-4ED8-40CA-B459-2757AEEF7BEE} (Dldrv2 Control) - http://download.gigabyte.com.tw/object/Dldrv.ocx
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs:
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LNrKpv - CPUID - C:\Program Files\CPUID\PC Wizard 2009\Data\pcwizntl.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SbPF.Launcher - Sunbelt Software, Inc. - C:\Program Files\Sunbelt Software\Personal Firewall\SbPFLnch.exe
O23 - Service: Sunbelt Personal Firewall 4 (SPF4) - Sunbelt Software, Inc. - C:\Program Files\Sunbelt Software\Personal Firewall\SbPFSvc.exe

--
End of file - 5341 bytes

BC AdBot (Login to Remove)

 


#2 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Munich,Germany
  • Local time:12:09 AM

Posted 27 October 2009 - 03:12 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explaination about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE
regards,
schrauber

Posted Image
Posted Image

If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware Posted Image

#3 drmajcher

drmajcher
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:07:09 PM

Posted 28 October 2009 - 09:59 AM

Hello & thanks for responding.

I continue to get the message : Windows cannot find 'C:\Windows\is-RIOMQ.exe' each time I boot up.
In addition, I've had occasions where I've lost internet connection after initially being on the internet
after about 4 to 5 minutes. I'm suspecting an infection or multiple infections.

Below is the DDS.txt log & attached is a zip of the attach log.

Your help is tremendously appreciated !


DDS (Ver_09-10-26.01) - FAT32x86
Run by Joe at 10:42:53.21 on Wed 10/28/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_16
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.959.553 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: Sunbelt Personal Firewall *enabled* {82B1150E-9B37-49FC-83EB-D52197D900D0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
SVCHOST.EXE
C:\WINDOWS\System32\svchost.exe -k netsvcs
SVCHOST.EXE
SVCHOST.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Sunbelt Software\Personal Firewall\SbPFLnch.exe
C:\Program Files\Sunbelt Software\Personal Firewall\SbPFSvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Sunbelt Software\Personal Firewall\SbPFCl.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Joe\Desktop\dds(2).scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
uURLSearchHooks: H - No File
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [GEST] m|P
mRunOnce: [InnoSetupRegFile.0000000001] "c:\windows\is-RIOMQ.exe" /REG
IE: {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - c:\progra~1\yahoo!\messen~1\YPAGER.EXE
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {0D6709DD-4ED8-40CA-B459-2757AEEF7BEE} - hxxp://download.gigabyte.com.tw/object/Dldrv.ocx
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\joe\applic~1\mozilla\firefox\profiles\0hdwm7w5.default\
FF - prefs.js: browser.search.selectedEngine - Ask.com
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_us&p=
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom
c:\program files\mozilla firefox\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://branding/content/searchconfig.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom", "chrome://branding/content/searchconfig.properties");

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-9-27 64160]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-9-27 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-9-27 108552]
R1 SbFw;SbFw;c:\windows\system32\drivers\SbFw.sys [2009-10-1 270888]
R1 sbhips;Sunbelt HIPS Driver;c:\windows\system32\drivers\sbhips.sys [2008-6-21 66600]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-9-27 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-9-27 297752]
R2 SbPF.Launcher;SbPF.Launcher;c:\program files\sunbelt software\personal firewall\SbPFLnch.exe [2008-10-31 95528]
R2 SPF4;Sunbelt Personal Firewall 4;c:\program files\sunbelt software\personal firewall\SbPFSvc.exe [2008-10-31 1365288]
R3 SBFWIMCL;Sunbelt Software Firewall NDIS IM Filter Miniport;c:\windows\system32\drivers\SbFwIm.sys [2009-10-1 65576]
R3 XIRLINK;IBM PC Camera;c:\windows\system32\drivers\C-itNT.sys [2009-10-13 899884]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-7-3 1028432]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2009-9-17 1684736]
S3 LNrKpv;LNrKpv;c:\program files\cpuid\pc wizard 2009\data\pcwizntl.exe -s --> c:\program files\cpuid\pc wizard 2009\data\pcwizntl.exe -s [?]
S3 MarkFun_NT;MarkFun_NT;c:\program files\gigabyte\et5\MARKFUN.W32 [2009-9-17 17912]
S3 RTL8187B;TRENDnet TEW-424UB 54M USB Dongle;c:\windows\system32\drivers\RTL8187B.sys [2009-9-17 264576]

=============== Created Last 30 ================

2009-10-22 19:52:40 0 d-----w- C:\Fla2004Tape1
2009-10-22 19:25:12 0 d-----r- C:\Program Files
2009-10-22 19:19:06 0 d-----w- C:\IBM Camera Driver
2009-10-21 23:55:48 0 d-----w- c:\program files\MSXML 4.0
2009-10-13 19:35:58 0 d-----w- C:\Music
2009-10-13 19:33:56 0 d-----w- C:\Realtek Sound Card Driver
2009-10-13 17:29:20 90624 ----a-w- c:\windows\system32\kswdmcap.ax
2009-10-13 17:29:20 90624 ----a-w- c:\windows\system32\dllcache\kswdmcap.ax
2009-10-13 17:29:20 28672 ----a-w- c:\windows\system32\vidcap.ax
2009-10-13 17:29:20 28672 ----a-w- c:\windows\system32\dllcache\vidcap.ax
2009-10-13 17:29:18 61952 ----a-w- c:\windows\system32\kstvtune.ax
2009-10-13 17:29:18 61952 ----a-w- c:\windows\system32\dllcache\kstvtune.ax
2009-10-13 17:29:16 53760 ----a-w- c:\windows\system32\vfwwdm32.dll
2009-10-13 17:29:16 53760 ----a-w- c:\windows\system32\dllcache\vfwwdm32.dll
2009-10-13 17:29:16 20992 ----a-w- c:\windows\system32\dshowext.ax
2009-10-13 17:29:16 20992 ----a-w- c:\windows\system32\dllcache\dshowext.ax
2009-10-13 17:29:13 43008 ----a-w- c:\windows\system32\ksxbar.ax
2009-10-13 17:29:13 43008 ----a-w- c:\windows\system32\dllcache\ksxbar.ax
2009-10-13 17:24:20 0 d-----w- c:\program files\IBM PC Camera
2009-10-13 17:23:23 0 d-----w- C:\SETUP
2009-10-12 19:35:07 0 d--h--w- C:\$AVG8.VAULT$
2009-10-12 17:38:21 0 d-----w- c:\program files\Audacity
2009-10-04 22:24:06 0 d-----w- c:\program files\Trend Micro
2009-10-02 20:37:21 0 d-----w- C:\My Recordings
2009-10-02 00:44:21 0 d-----w- c:\program files\FREE Hi-Q Recorder
2009-10-02 00:21:38 344064 ----a-w- c:\windows\system32\msvcr70.dll
2009-10-02 00:21:38 140288 ----a-w- c:\windows\system32\comdlg32.ocx
2009-10-01 21:06:08 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-01 18:51:54 0 d-----w- C:\Regclean
2009-10-01 18:32:12 0 d-----w- c:\program files\Yahoo!
2009-10-01 18:31:44 0 d-----w- c:\program files\CCleaner
2009-10-01 18:15:41 65576 ----a-w- c:\windows\system32\drivers\SbFwIm.sys
2009-10-01 18:15:41 270888 ----a-r- c:\windows\system32\drivers\SbFw.sys
2009-10-01 18:15:37 0 d-----w- c:\program files\Sunbelt Software
2009-10-01 17:55:20 0 d-----w- c:\program files\COMODO
2009-10-01 16:09:59 11264 ----a-w- c:\windows\system32\SpOrder.dll
2009-10-01 14:01:57 0 d-----w- c:\windows\pss
2009-10-01 01:57:00 0 d-----w- c:\program files\AskBarDis
2009-10-01 01:56:30 4212 ---h--w- c:\windows\system32\zllictbl.dat
2009-10-01 01:53:24 0 d-----w- c:\program files\Zone Labs
2009-10-01 01:52:58 0 d-----w- c:\windows\Internet Logs
2009-09-30 22:31:49 0 d-----w- c:\program files\common files\HP
2009-09-30 22:31:33 974848 ----a-w- c:\windows\system32\hpost_p02b.dll
2009-09-30 22:31:33 737280 ----a-w- c:\windows\system32\hposwia_p02b.dll
2009-09-30 22:31:33 372736 ----a-w- c:\windows\system32\hppldcoi.dll
2009-09-30 22:31:33 309760 ----a-w- c:\windows\system32\difxapi.dll
2009-09-30 22:31:33 307200 ----a-w- c:\windows\system32\hposc_p02a.dll
2009-09-30 22:29:53 585 ------w- c:\windows\hpomdl36.dat
2009-09-30 22:29:53 130279 ----a-w- c:\windows\hpoins36.dat
2009-09-30 22:22:04 16496 ----a-r- c:\windows\system32\drivers\HPZipr12.sys
2009-09-30 22:21:51 49920 ----a-r- c:\windows\system32\drivers\HPZid412.sys
2009-09-30 22:21:38 271704 ----a-r- c:\windows\system32\hpzids01.dll
2009-09-30 22:21:38 121344 ----a-w- c:\windows\system32\hpf3l083.dll
2009-09-30 22:21:30 21568 ----a-r- c:\windows\system32\drivers\HPZius12.sys
2009-09-30 19:45:24 129829 ------w- c:\windows\hpoins36.dat.temp
2009-09-30 02:07:11 585 ------w- c:\windows\hpomdl36.dat.temp
2009-09-30 02:04:26 0 d-----w- c:\program files\common files\Hewlett-Packard
2009-09-30 02:04:08 0 d-----w- c:\program files\HP
2009-09-30 02:04:07 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2009-09-30 02:04:07 15104 ----a-w- c:\windows\system32\dllcache\usbscan.sys
2009-09-30 02:04:06 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
2009-09-30 02:04:06 25856 ----a-w- c:\windows\system32\dllcache\usbprint.sys
2009-09-30 02:04:04 31616 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2009-09-30 02:04:04 31616 ----a-w- c:\windows\system32\dllcache\usbccgp.sys

==================== Find3M ====================

2009-10-01 23:20:28 9887 ----a-w- c:\windows\mozver.dat
2009-09-28 03:33:08 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-09-28 03:33:08 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-09-28 03:33:02 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-09-28 01:43:52 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-09-22 21:59:34 15600 ----a-w- c:\windows\gdrv.sys
2009-09-22 21:38:44 23600 ----a-w- c:\windows\system32\drivers\TVICHW32.SYS
2009-09-21 18:11:04 4096 ----a-w- c:\windows\d3dx.dat
2009-09-17 20:35:44 21035 ----a-w- c:\windows\system32\drivers\AegisP.sys
2009-09-17 19:15:00 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2009-08-04 07:31:04 2170880 ----a-w- c:\windows\MicCal.exe

============= FINISH: 10:43:46.51 ===============

Attached Files



#4 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Munich,Germany
  • Local time:12:09 AM

Posted 28 October 2009 - 01:43 PM

Hello, drmajcher and again
Welcome to the Bleeping Computer Forums. My name is Thomas (Tom is fine), and I will be helping you fixing your problems.

If you do not make a reply in 5 days, we will have to close your topic.

You may want to keep the link to this topic in your favourites. Alternatively, you can click the Posted Image button at the top bar of this topic and Track this Topic. The topics you are tracking can be found here.

Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools. Doing so could cause changes to the directions I have to give you and prolong the time required. Further more, you should not be taking any advice relating to this computer from any other source throughout the course of this fix.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
  • Please reply using the Posted Image button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Old topics are closed after 3 days with no reply, and working topics are closed after 5 days. If for any reason you cannot complete instructions within that time, that's fine, just post back here so that we know you're still here.
  • Please set your system to show all files.
    Click Start, open My Computer, select the Tools menu and click Folder Options.
    Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
    Uncheck: Hide file extensions for known file types
    Uncheck the Hide protected operating system files (recommended) option.
    Click Yes to confirm.






Step 1

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

    Posted Image
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.







Step 2
  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<info.txt (<







Please post back with:
  • Gmer-Logfile
  • Both RSIT-Logfiles

regards,
schrauber

Posted Image
Posted Image

If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware Posted Image

#5 drmajcher

drmajcher
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:07:09 PM

Posted 28 October 2009 - 04:01 PM

Hello Tom,

Thanks again for responding as your help to me is greatly appreciated.

I have read and followed your instructions. Below is gmer.log , followed by the 2 txt files from RSIT.

=============================================

GMER 1.0.15.15163 - http://www.gmer.net
Rootkit scan 2009-10-28 15:54:17
Windows 5.1.2600 Service Pack 2
Running: cqpl6hnq.exe; Driver: C:\DOCUME~1\Joe\LOCALS~1\Temp\kxlyqpow.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\drivers\SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.) ZwClose [0xF4247160]
SSDT \SystemRoot\system32\drivers\SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.) ZwCreateFile [0xF4246868]
SSDT \SystemRoot\system32\drivers\SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.) ZwCreateKey [0xF4243320]
SSDT \SystemRoot\system32\drivers\SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.) ZwCreateProcess [0xF4245E90]
SSDT \SystemRoot\system32\drivers\SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.) ZwCreateProcessEx [0xF4245D9C]
SSDT \SystemRoot\system32\drivers\SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.) ZwCreateThread [0xF42463FC]
SSDT \SystemRoot\system32\drivers\SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.) ZwDeleteFile [0xF4247210]
SSDT \SystemRoot\system32\drivers\SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.) ZwDeleteKey [0xF4243786]
SSDT \SystemRoot\system32\drivers\SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.) ZwDeleteValueKey [0xF4243846]
SSDT \SystemRoot\system32\drivers\sbhips.sys (Sunbelt Personal Firewall Host Intrusion Prevention Driver/Sunbelt Software, Inc.) ZwLoadDriver [0xF767901C]
SSDT \SystemRoot\system32\drivers\sbhips.sys (Sunbelt Personal Firewall Host Intrusion Prevention Driver/Sunbelt Software, Inc.) ZwMapViewOfSection [0xF7679168]
SSDT \SystemRoot\system32\drivers\SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.) ZwOpenFile [0xF4246B54]
SSDT \SystemRoot\system32\drivers\SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.) ZwOpenKey [0xF42435CA]
SSDT \SystemRoot\system32\drivers\SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.) ZwResumeThread [0xF42464EC]
SSDT \SystemRoot\system32\drivers\SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.) ZwSetInformationFile [0xF4246E8C]
SSDT \SystemRoot\system32\drivers\SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.) ZwSetValueKey [0xF42439BC]
SSDT \SystemRoot\system32\drivers\SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.) ZwWriteFile [0xF4246DE0]

---- User code sections - GMER 1.0.15 ----

.text C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe[200] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001301A8
.text C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe[200] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00130090
.text C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe[200] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00130694
.text C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe[200] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001302C0
.text C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe[200] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00130234
.text C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe[200] kernel32.dll!VirtualAlloc 7C809A81 5 Bytes JMP 00130004
.text C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe[200] kernel32.dll!VirtualAllocEx 7C809AA2 5 Bytes JMP 0013011C
.text C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe[200] kernel32.dll!CreateRemoteThread 7C810626 5 Bytes JMP 001304F0
.text C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe[200] kernel32.dll!CreateThread 7C81082F 5 Bytes JMP 0013057C
.text C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe[200] kernel32.dll!CreateProcessInternalW 7C8191EB 5 Bytes JMP 001303D8
.text C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe[200] kernel32.dll!CreateProcessInternalA 7C81DA9E 5 Bytes JMP 0013034C
.text C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe[200] kernel32.dll!WinExec 7C86114D 5 Bytes JMP 00130464
.text C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe[200] kernel32.dll!SetThreadContext 7C862849 5 Bytes JMP 00130608
.text C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe[200] USER32.dll!SetWindowsHookExW 77D6E621 5 Bytes JMP 001307AC
.text C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe[200] USER32.dll!SetWindowsHookExA 77D702B2 5 Bytes JMP 00130720
.text C:\Program Files\Java\jre6\bin\jqs.exe[388] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001301A8
.text C:\Program Files\Java\jre6\bin\jqs.exe[388] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00130090
.text C:\Program Files\Java\jre6\bin\jqs.exe[388] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00130694
.text C:\Program Files\Java\jre6\bin\jqs.exe[388] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001302C0
.text C:\Program Files\Java\jre6\bin\jqs.exe[388] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00130234
.text C:\Program Files\Java\jre6\bin\jqs.exe[388] kernel32.dll!VirtualAlloc 7C809A81 5 Bytes JMP 00130004
.text C:\Program Files\Java\jre6\bin\jqs.exe[388] kernel32.dll!VirtualAllocEx 7C809AA2 5 Bytes JMP 0013011C
.text C:\Program Files\Java\jre6\bin\jqs.exe[388] kernel32.dll!CreateRemoteThread 7C810626 5 Bytes JMP 001304F0
.text C:\Program Files\Java\jre6\bin\jqs.exe[388] kernel32.dll!CreateThread 7C81082F 5 Bytes JMP 0013057C
.text C:\Program Files\Java\jre6\bin\jqs.exe[388] kernel32.dll!CreateProcessInternalW 7C8191EB 5 Bytes JMP 001303D8
.text C:\Program Files\Java\jre6\bin\jqs.exe[388] kernel32.dll!CreateProcessInternalA 7C81DA9E 5 Bytes JMP 0013034C
.text C:\Program Files\Java\jre6\bin\jqs.exe[388] kernel32.dll!WinExec 7C86114D 5 Bytes JMP 00130464
.text C:\Program Files\Java\jre6\bin\jqs.exe[388] kernel32.dll!SetThreadContext 7C862849 5 Bytes JMP 00130608
.text C:\Program Files\Java\jre6\bin\jqs.exe[388] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 001308C4
.text C:\Program Files\Java\jre6\bin\jqs.exe[388] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 00130838
.text C:\Program Files\Java\jre6\bin\jqs.exe[388] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00130950
.text C:\Program Files\Java\jre6\bin\jqs.exe[388] USER32.dll!SetWindowsHookExW 77D6E621 5 Bytes JMP 001307AC
.text C:\Program Files\Java\jre6\bin\jqs.exe[388] USER32.dll!SetWindowsHookExA 77D702B2 5 Bytes JMP 00130720
.text C:\WINDOWS\Explorer.EXE[396] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 000801A8
.text C:\WINDOWS\Explorer.EXE[396] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00080090
.text C:\WINDOWS\Explorer.EXE[396] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00080694
.text C:\WINDOWS\Explorer.EXE[396] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 000802C0
.text C:\WINDOWS\Explorer.EXE[396] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00080234
.text C:\WINDOWS\Explorer.EXE[396] kernel32.dll!VirtualAlloc 7C809A81 5 Bytes JMP 00080004
.text C:\WINDOWS\Explorer.EXE[396] kernel32.dll!VirtualAllocEx 7C809AA2 5 Bytes JMP 0008011C
.text C:\WINDOWS\Explorer.EXE[396] kernel32.dll!CreateRemoteThread 7C810626 5 Bytes JMP 000804F0
.text C:\WINDOWS\Explorer.EXE[396] kernel32.dll!CreateThread 7C81082F 5 Bytes JMP 0008057C
.text C:\WINDOWS\Explorer.EXE[396] kernel32.dll!CreateProcessInternalW 7C8191EB 5 Bytes JMP 000803D8
.text C:\WINDOWS\Explorer.EXE[396] kernel32.dll!CreateProcessInternalA 7C81DA9E 5 Bytes JMP 0008034C
.text C:\WINDOWS\Explorer.EXE[396] kernel32.dll!WinExec 7C86114D 5 Bytes JMP 00080464
.text C:\WINDOWS\Explorer.EXE[396] kernel32.dll!SetThreadContext 7C862849 5 Bytes JMP 00080608
.text C:\WINDOWS\Explorer.EXE[396] USER32.dll!SetWindowsHookExW 77D6E621 5 Bytes JMP 000807AC
.text C:\WINDOWS\Explorer.EXE[396] USER32.dll!SetWindowsHookExA 77D702B2 5 Bytes JMP 00080720
.text C:\WINDOWS\Explorer.EXE[396] WININET.dll!InternetConnectA 771C44DB 5 Bytes JMP 00080F54
.text C:\WINDOWS\Explorer.EXE[396] WININET.dll!InternetOpenA 771C6D2A 5 Bytes JMP 00080D24
.text C:\WINDOWS\Explorer.EXE[396] WININET.dll!InternetOpenUrlA 771C6FDD 5 Bytes JMP 00080E3C
.text C:\WINDOWS\Explorer.EXE[396] WININET.dll!InternetConnectW 771D5D4C 5 Bytes JMP 00080FE0
.text C:\WINDOWS\Explorer.EXE[396] WININET.dll!InternetOpenW 771D6CF3 5 Bytes JMP 00080DB0
.text C:\WINDOWS\Explorer.EXE[396] WININET.dll!InternetOpenUrlW 771D7304 5 Bytes JMP 00080EC8
.text C:\WINDOWS\Explorer.EXE[396] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 000808C4
.text C:\WINDOWS\Explorer.EXE[396] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 00080838
.text C:\WINDOWS\Explorer.EXE[396] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00080950
.text C:\WINDOWS\System32\svchost.exe[448] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 000801A8
.text C:\WINDOWS\System32\svchost.exe[448] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00080090
.text C:\WINDOWS\System32\svchost.exe[448] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00080694
.text C:\WINDOWS\System32\svchost.exe[448] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 000802C0
.text C:\WINDOWS\System32\svchost.exe[448] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00080234
.text C:\WINDOWS\System32\svchost.exe[448] kernel32.dll!VirtualAlloc 7C809A81 5 Bytes JMP 00080004
.text C:\WINDOWS\System32\svchost.exe[448] kernel32.dll!VirtualAllocEx 7C809AA2 5 Bytes JMP 0008011C
.text C:\WINDOWS\System32\svchost.exe[448] kernel32.dll!CreateRemoteThread 7C810626 5 Bytes JMP 000804F0
.text C:\WINDOWS\System32\svchost.exe[448] kernel32.dll!CreateThread 7C81082F 5 Bytes JMP 0008057C
.text C:\WINDOWS\System32\svchost.exe[448] kernel32.dll!CreateProcessInternalW 7C8191EB 5 Bytes JMP 000803D8
.text C:\WINDOWS\System32\svchost.exe[448] kernel32.dll!CreateProcessInternalA 7C81DA9E 5 Bytes JMP 0008034C
.text C:\WINDOWS\System32\svchost.exe[448] kernel32.dll!WinExec 7C86114D 5 Bytes JMP 00080464
.text C:\WINDOWS\System32\svchost.exe[448] kernel32.dll!SetThreadContext 7C862849 5 Bytes JMP 00080608
.text C:\WINDOWS\System32\svchost.exe[448] USER32.dll!SetWindowsHookExW 77D6E621 5 Bytes JMP 000807AC
.text C:\WINDOWS\System32\svchost.exe[448] USER32.dll!SetWindowsHookExA 77D702B2 5 Bytes JMP 00080720
.text C:\WINDOWS\System32\svchost.exe[448] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 000808C4
.text C:\WINDOWS\System32\svchost.exe[448] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 00080838
.text C:\WINDOWS\System32\svchost.exe[448] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00080950
.text C:\WINDOWS\system32\nvsvc32.exe[468] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001301A8
.text C:\WINDOWS\system32\nvsvc32.exe[468] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00130090
.text C:\WINDOWS\system32\nvsvc32.exe[468] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00130694
.text C:\WINDOWS\system32\nvsvc32.exe[468] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001302C0
.text C:\WINDOWS\system32\nvsvc32.exe[468] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00130234
.text C:\WINDOWS\system32\nvsvc32.exe[468] kernel32.dll!VirtualAlloc 7C809A81 5 Bytes JMP 00130004
.text C:\WINDOWS\system32\nvsvc32.exe[468] kernel32.dll!VirtualAllocEx 7C809AA2 5 Bytes JMP 0013011C
.text C:\WINDOWS\system32\nvsvc32.exe[468] kernel32.dll!CreateRemoteThread 7C810626 5 Bytes JMP 001304F0
.text C:\WINDOWS\system32\nvsvc32.exe[468] kernel32.dll!CreateThread 7C81082F 5 Bytes JMP 0013057C
.text C:\WINDOWS\system32\nvsvc32.exe[468] kernel32.dll!CreateProcessInternalW 7C8191EB 5 Bytes JMP 001303D8
.text C:\WINDOWS\system32\nvsvc32.exe[468] kernel32.dll!CreateProcessInternalA 7C81DA9E 5 Bytes JMP 0013034C
.text C:\WINDOWS\system32\nvsvc32.exe[468] kernel32.dll!WinExec 7C86114D 5 Bytes JMP 00130464
.text C:\WINDOWS\system32\nvsvc32.exe[468] kernel32.dll!SetThreadContext 7C862849 5 Bytes JMP 00130608
.text C:\WINDOWS\system32\nvsvc32.exe[468] USER32.dll!SetWindowsHookExW 77D6E621 5 Bytes JMP 001307AC
.text C:\WINDOWS\system32\nvsvc32.exe[468] USER32.dll!SetWindowsHookExA 77D702B2 5 Bytes JMP 00130720
.text C:\WINDOWS\system32\nvsvc32.exe[468] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 001308C4
.text C:\WINDOWS\system32\nvsvc32.exe[468] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 00130838
.text C:\WINDOWS\system32\nvsvc32.exe[468] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00130950
.text C:\WINDOWS\System32\svchost.exe[496] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 000801A8
.text C:\WINDOWS\System32\svchost.exe[496] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00080090
.text C:\WINDOWS\System32\svchost.exe[496] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00080694
.text C:\WINDOWS\System32\svchost.exe[496] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 000802C0
.text C:\WINDOWS\System32\svchost.exe[496] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00080234
.text C:\WINDOWS\System32\svchost.exe[496] kernel32.dll!VirtualAlloc 7C809A81 5 Bytes JMP 00080004
.text C:\WINDOWS\System32\svchost.exe[496] kernel32.dll!VirtualAllocEx 7C809AA2 5 Bytes JMP 0008011C
.text C:\WINDOWS\System32\svchost.exe[496] kernel32.dll!CreateRemoteThread 7C810626 5 Bytes JMP 000804F0
.text C:\WINDOWS\System32\svchost.exe[496] kernel32.dll!CreateThread 7C81082F 5 Bytes JMP 0008057C
.text C:\WINDOWS\System32\svchost.exe[496] kernel32.dll!CreateProcessInternalW 7C8191EB 5 Bytes JMP 000803D8
.text C:\WINDOWS\System32\svchost.exe[496] kernel32.dll!CreateProcessInternalA 7C81DA9E 5 Bytes JMP 0008034C
.text C:\WINDOWS\System32\svchost.exe[496] kernel32.dll!WinExec 7C86114D 5 Bytes JMP 00080464
.text C:\WINDOWS\System32\svchost.exe[496] kernel32.dll!SetThreadContext 7C862849 5 Bytes JMP 00080608
.text C:\WINDOWS\System32\svchost.exe[496] USER32.dll!SetWindowsHookExW 77D6E621 5 Bytes JMP 000807AC
.text C:\WINDOWS\System32\svchost.exe[496] USER32.dll!SetWindowsHookExA 77D702B2 5 Bytes JMP 00080720
.text C:\WINDOWS\System32\svchost.exe[496] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 000808C4
.text C:\WINDOWS\System32\svchost.exe[496] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 00080838
.text C:\WINDOWS\System32\svchost.exe[496] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00080950
.text C:\Program Files\Sunbelt Software\Personal Firewall\SbPFLnch.exe[520] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001301A8
.text C:\Program Files\Sunbelt Software\Personal Firewall\SbPFLnch.exe[520] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00130090
.text C:\Program Files\Sunbelt Software\Personal Firewall\SbPFLnch.exe[520] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00130694
.text C:\Program Files\Sunbelt Software\Personal Firewall\SbPFLnch.exe[520] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001302C0
.text C:\Program Files\Sunbelt Software\Personal Firewall\SbPFLnch.exe[520] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00130234
.text C:\Program Files\Sunbelt Software\Personal Firewall\SbPFLnch.exe[520] kernel32.dll!VirtualAlloc 7C809A81 5 Bytes JMP 00130004
.text C:\Program Files\Sunbelt Software\Personal Firewall\SbPFLnch.exe[520] kernel32.dll!VirtualAllocEx 7C809AA2 5 Bytes JMP 0013011C
.text C:\Program Files\Sunbelt Software\Personal Firewall\SbPFLnch.exe[520] kernel32.dll!CreateRemoteThread 7C810626 5 Bytes JMP 001304F0
.text C:\Program Files\Sunbelt Software\Personal Firewall\SbPFLnch.exe[520] kernel32.dll!CreateThread 7C81082F 5 Bytes JMP 0013057C
.text C:\Program Files\Sunbelt Software\Personal Firewall\SbPFLnch.exe[520] kernel32.dll!CreateProcessInternalW 7C8191EB 5 Bytes JMP 001303D8
.text C:\Program Files\Sunbelt Software\Personal Firewall\SbPFLnch.exe[520] kernel32.dll!CreateProcessInternalA 7C81DA9E 5 Bytes JMP 0013034C
.text C:\Program Files\Sunbelt Software\Personal Firewall\SbPFLnch.exe[520] kernel32.dll!WinExec 7C86114D 5 Bytes JMP 00130464
.text C:\Program Files\Sunbelt Software\Personal Firewall\SbPFLnch.exe[520] kernel32.dll!SetThreadContext 7C862849 5 Bytes JMP 00130608
.text C:\Program Files\Sunbelt Software\Personal Firewall\SbPFLnch.exe[520] USER32.dll!SetWindowsHookExW 77D6E621 5 Bytes JMP 001307AC
.text C:\Program Files\Sunbelt Software\Personal Firewall\SbPFLnch.exe[520] USER32.dll!SetWindowsHookExA 77D702B2 5 Bytes JMP 00130720
.text C:\Program Files\Sunbelt Software\Personal Firewall\SbPFSvc.exe[708] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 000301A8
.text C:\Program Files\Sunbelt Software\Personal Firewall\SbPFSvc.exe[708] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00030090
.text C:\Program Files\Sunbelt Software\Personal Firewall\SbPFSvc.exe[708] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00030694
.text C:\Program Files\Sunbelt Software\Personal Firewall\SbPFSvc.exe[708] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 000302C0
.text C:\Program Files\Sunbelt Software\Personal Firewall\SbPFSvc.exe[708] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00030234
.text C:\Program Files\Sunbelt Software\Personal Firewall\SbPFSvc.exe[708] kernel32.dll!VirtualAlloc 7C809A81 5 Bytes JMP 00030004
.text C:\Program Files\Sunbelt Software\Personal Firewall\SbPFSvc.exe[708] kernel32.dll!VirtualAllocEx 7C809AA2 5 Bytes JMP 0003011C
.text C:\Program Files\Sunbelt Software\Personal Firewall\SbPFSvc.exe[708] kernel32.dll!CreateRemoteThread 7C810626 5 Bytes JMP 000304F0
.text C:\Program Files\Sunbelt Software\Personal Firewall\SbPFSvc.exe[708] kernel32.dll!CreateThread 7C81082F 5 Bytes JMP 0003057C
.text C:\Program Files\Sunbelt Software\Personal Firewall\SbPFSvc.exe[708] kernel32.dll!CreateProcessInternalW 7C8191EB 5 Bytes JMP 000303D8
.text C:\Program Files\Sunbelt Software\Personal Firewall\SbPFSvc.exe[708] kernel32.dll!CreateProcessInternalA 7C81DA9E 5 Bytes JMP 0003034C
.text C:\Program Files\Sunbelt Software\Personal Firewall\SbPFSvc.exe[708] kernel32.dll!WinExec 7C86114D 5 Bytes JMP 00030464
.text C:\Program Files\Sunbelt Software\Personal Firewall\SbPFSvc.exe[708] kernel32.dll!SetThreadContext 7C862849 5 Bytes JMP 00030608
.text C:\Program Files\Sunbelt Software\Personal Firewall\SbPFSvc.exe[708] USER32.dll!SetWindowsHookExW 77D6E621 5 Bytes JMP 000307AC
.text C:\Program Files\Sunbelt Software\Personal Firewall\SbPFSvc.exe[708] USER32.dll!SetWindowsHookExA 77D702B2 5 Bytes JMP 00030720
.text C:\Program Files\Sunbelt Software\Personal Firewall\SbPFSvc.exe[708] WININET.dll!InternetConnectA 771C44DB 5 Bytes JMP 00030F54
.text C:\Program Files\Sunbelt Software\Personal Firewall\SbPFSvc.exe[708] WININET.dll!InternetOpenA 771C6D2A 5 Bytes JMP 00030D24
.text C:\Program Files\Sunbelt Software\Personal Firewall\SbPFSvc.exe[708] WININET.dll!InternetOpenUrlA 771C6FDD 5 Bytes JMP 00030E3C
.text C:\Program Files\Sunbelt Software\Personal Firewall\SbPFSvc.exe[708] WININET.dll!InternetConnectW 771D5D4C 5 Bytes JMP 00030FE0
.text C:\Program Files\Sunbelt Software\Personal Firewall\SbPFSvc.exe[708] WININET.dll!InternetOpenW 771D6CF3 5 Bytes JMP 00030DB0
.text C:\Program Files\Sunbelt Software\Personal Firewall\SbPFSvc.exe[708] WININET.dll!InternetOpenUrlW 771D7304 5 Bytes JMP 00030EC8
.text C:\PROGRA~1\AVG\AVG8\avgrsx.exe[776] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001301A8
.text C:\PROGRA~1\AVG\AVG8\avgrsx.exe[776] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00130090
.text C:\PROGRA~1\AVG\AVG8\avgrsx.exe[776] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00130694
.text C:\PROGRA~1\AVG\AVG8\avgrsx.exe[776] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001302C0
.text C:\PROGRA~1\AVG\AVG8\avgrsx.exe[776] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00130234
.text C:\PROGRA~1\AVG\AVG8\avgrsx.exe[776] kernel32.dll!VirtualAlloc 7C809A81 5 Bytes JMP 00130004
.text C:\PROGRA~1\AVG\AVG8\avgrsx.exe[776] kernel32.dll!VirtualAllocEx 7C809AA2 5 Bytes JMP 0013011C
.text C:\PROGRA~1\AVG\AVG8\avgrsx.exe[776] kernel32.dll!CreateRemoteThread 7C810626 5 Bytes JMP 001304F0
.text C:\PROGRA~1\AVG\AVG8\avgrsx.exe[776] kernel32.dll!CreateThread 7C81082F 5 Bytes JMP 0013057C
.text C:\PROGRA~1\AVG\AVG8\avgrsx.exe[776] kernel32.dll!CreateProcessInternalW 7C8191EB 5 Bytes JMP 001303D8
.text C:\PROGRA~1\AVG\AVG8\avgrsx.exe[776] kernel32.dll!CreateProcessInternalA 7C81DA9E 5 Bytes JMP 0013034C
.text C:\PROGRA~1\AVG\AVG8\avgrsx.exe[776] kernel32.dll!WinExec 7C86114D 5 Bytes JMP 00130464
.text C:\PROGRA~1\AVG\AVG8\avgrsx.exe[776] kernel32.dll!SetThreadContext 7C862849 5 Bytes JMP 00130608
.text C:\PROGRA~1\AVG\AVG8\avgnsx.exe[780] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001301A8
.text C:\PROGRA~1\AVG\AVG8\avgnsx.exe[780] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00130090
.text C:\PROGRA~1\AVG\AVG8\avgnsx.exe[780] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00130694
.text C:\PROGRA~1\AVG\AVG8\avgnsx.exe[780] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001302C0
.text C:\PROGRA~1\AVG\AVG8\avgnsx.exe[780] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00130234
.text C:\PROGRA~1\AVG\AVG8\avgnsx.exe[780] kernel32.dll!VirtualAlloc 7C809A81 5 Bytes JMP 00130004
.text C:\PROGRA~1\AVG\AVG8\avgnsx.exe[780] kernel32.dll!VirtualAllocEx 7C809AA2 5 Bytes JMP 0013011C
.text C:\PROGRA~1\AVG\AVG8\avgnsx.exe[780] kernel32.dll!CreateRemoteThread 7C810626 5 Bytes JMP 001304F0
.text C:\PROGRA~1\AVG\AVG8\avgnsx.exe[780] kernel32.dll!CreateThread 7C81082F 5 Bytes JMP 0013057C
.text C:\PROGRA~1\AVG\AVG8\avgnsx.exe[780] kernel32.dll!CreateProcessInternalW 7C8191EB 5 Bytes JMP 001303D8
.text C:\PROGRA~1\AVG\AVG8\avgnsx.exe[780] kernel32.dll!CreateProcessInternalA 7C81DA9E 5 Bytes JMP 0013034C
.text C:\PROGRA~1\AVG\AVG8\avgnsx.exe[780] kernel32.dll!WinExec 7C86114D 5 Bytes JMP 00130464
.text C:\PROGRA~1\AVG\AVG8\avgnsx.exe[780] kernel32.dll!SetThreadContext 7C862849 5 Bytes JMP 00130608
.text C:\PROGRA~1\AVG\AVG8\avgnsx.exe[780] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 001308C4
.text C:\PROGRA~1\AVG\AVG8\avgnsx.exe[780] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 00130838
.text C:\PROGRA~1\AVG\AVG8\avgnsx.exe[780] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00130950
.text C:\PROGRA~1\AVG\AVG8\avgnsx.exe[780] USER32.dll!SetWindowsHookExW 77D6E621 5 Bytes JMP 001307AC
.text C:\PROGRA~1\AVG\AVG8\avgnsx.exe[780] USER32.dll!SetWindowsHookExA 77D702B2 5 Bytes JMP 00130720
.text C:\WINDOWS\system32\csrss.exe[940] USER32.dll!SetWindowsHookExW 77D6E621 5 Bytes JMP 001607AC
.text C:\WINDOWS\system32\csrss.exe[940] USER32.dll!SetWindowsHookExA 77D702B2 5 Bytes JMP 00160720
.text C:\WINDOWS\system32\csrss.exe[940] KERNEL32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001601A8
.text C:\WINDOWS\system32\csrss.exe[940] KERNEL32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00160090
.text C:\WINDOWS\system32\csrss.exe[940] KERNEL32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00160694
.text C:\WINDOWS\system32\csrss.exe[940] KERNEL32.dll!CreateProcessW 7C802332 5 Bytes JMP 001602C0
.text C:\WINDOWS\system32\csrss.exe[940] KERNEL32.dll!CreateProcessA 7C802367 5 Bytes JMP 00160234
.text C:\WINDOWS\system32\csrss.exe[940] KERNEL32.dll!VirtualAlloc 7C809A81 5 Bytes JMP 00160004
.text C:\WINDOWS\system32\csrss.exe[940] KERNEL32.dll!VirtualAllocEx 7C809AA2 5 Bytes JMP 0016011C
.text C:\WINDOWS\system32\csrss.exe[940] KERNEL32.dll!CreateRemoteThread 7C810626 5 Bytes JMP 001604F0
.text C:\WINDOWS\system32\csrss.exe[940] KERNEL32.dll!CreateThread 7C81082F 5 Bytes JMP 0016057C
.text C:\WINDOWS\system32\csrss.exe[940] KERNEL32.dll!CreateProcessInternalW 7C8191EB 5 Bytes JMP 001603D8
.text C:\WINDOWS\system32\csrss.exe[940] KERNEL32.dll!CreateProcessInternalA 7C81DA9E 5 Bytes JMP 0016034C
.text C:\WINDOWS\system32\csrss.exe[940] KERNEL32.dll!WinExec 7C86114D 5 Bytes JMP 00160464
.text C:\WINDOWS\system32\csrss.exe[940] KERNEL32.dll!SetThreadContext 7C862849 5 Bytes JMP 00160608
.text C:\WINDOWS\system32\winlogon.exe[964] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 000701A8
.text C:\WINDOWS\system32\winlogon.exe[964] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00070090
.text C:\WINDOWS\system32\winlogon.exe[964] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00070694
.text C:\WINDOWS\system32\winlogon.exe[964] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 000702C0
.text C:\WINDOWS\system32\winlogon.exe[964] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00070234
.text C:\WINDOWS\system32\winlogon.exe[964] kernel32.dll!VirtualAlloc 7C809A81 5 Bytes JMP 00070004
.text C:\WINDOWS\system32\winlogon.exe[964] kernel32.dll!VirtualAllocEx 7C809AA2 5 Bytes JMP 0007011C
.text C:\WINDOWS\system32\winlogon.exe[964] kernel32.dll!CreateRemoteThread 7C810626 5 Bytes JMP 000704F0
.text C:\WINDOWS\system32\winlogon.exe[964] kernel32.dll!CreateThread 7C81082F 5 Bytes JMP 0007057C
.text C:\WINDOWS\system32\winlogon.exe[964] kernel32.dll!CreateProcessInternalW 7C8191EB 5 Bytes JMP 000703D8
.text C:\WINDOWS\system32\winlogon.exe[964] kernel32.dll!CreateProcessInternalA 7C81DA9E 5 Bytes JMP 0007034C
.text C:\WINDOWS\system32\winlogon.exe[964] kernel32.dll!WinExec 7C86114D 5 Bytes JMP 00070464
.text C:\WINDOWS\system32\winlogon.exe[964] kernel32.dll!SetThreadContext 7C862849 5 Bytes JMP 00070608
.text C:\WINDOWS\system32\winlogon.exe[964] USER32.dll!SetWindowsHookExW 77D6E621 5 Bytes JMP 000707AC
.text C:\WINDOWS\system32\winlogon.exe[964] USER32.dll!SetWindowsHookExA 77D702B2 5 Bytes JMP 00070720
.text C:\WINDOWS\system32\winlogon.exe[964] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 000708C4
.text C:\WINDOWS\system32\winlogon.exe[964] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 00070838
.text C:\WINDOWS\system32\winlogon.exe[964] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00070950
.text C:\WINDOWS\system32\services.exe[1008] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 000801A8
.text C:\WINDOWS\system32\services.exe[1008] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00080090
.text C:\WINDOWS\system32\services.exe[1008] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00080694
.text C:\WINDOWS\system32\services.exe[1008] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 000802C0
.text C:\WINDOWS\system32\services.exe[1008] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00080234
.text C:\WINDOWS\system32\services.exe[1008] kernel32.dll!VirtualAlloc 7C809A81 5 Bytes JMP 00080004
.text C:\WINDOWS\system32\services.exe[1008] kernel32.dll!VirtualAllocEx 7C809AA2 5 Bytes JMP 0008011C
.text C:\WINDOWS\system32\services.exe[1008] kernel32.dll!CreateRemoteThread 7C810626 5 Bytes JMP 000804F0
.text C:\WINDOWS\system32\services.exe[1008] kernel32.dll!CreateThread 7C81082F 5 Bytes JMP 0008057C
.text C:\WINDOWS\system32\services.exe[1008] kernel32.dll!CreateProcessInternalW 7C8191EB 5 Bytes JMP 000803D8
.text C:\WINDOWS\system32\services.exe[1008] kernel32.dll!CreateProcessInternalA 7C81DA9E 5 Bytes JMP 0008034C
.text C:\WINDOWS\system32\services.exe[1008] kernel32.dll!WinExec 7C86114D 5 Bytes JMP 00080464
.text C:\WINDOWS\system32\services.exe[1008] kernel32.dll!SetThreadContext 7C862849 5 Bytes JMP 00080608
.text C:\WINDOWS\system32\services.exe[1008] USER32.dll!SetWindowsHookExW 77D6E621 5 Bytes JMP 000807AC
.text C:\WINDOWS\system32\services.exe[1008] USER32.dll!SetWindowsHookExA 77D702B2 5 Bytes JMP 00080720
.text C:\WINDOWS\system32\services.exe[1008] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 000808C4
.text C:\WINDOWS\system32\services.exe[1008] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 00080838
.text C:\WINDOWS\system32\services.exe[1008] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00080950
.text C:\WINDOWS\system32\lsass.exe[1020] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 000801A8
.text C:\WINDOWS\system32\lsass.exe[1020] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00080090
.text C:\WINDOWS\system32\lsass.exe[1020] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00080694
.text C:\WINDOWS\system32\lsass.exe[1020] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 000802C0
.text C:\WINDOWS\system32\lsass.exe[1020] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00080234
.text C:\WINDOWS\system32\lsass.exe[1020] kernel32.dll!VirtualAlloc 7C809A81 5 Bytes JMP 00080004
.text C:\WINDOWS\system32\lsass.exe[1020] kernel32.dll!VirtualAllocEx 7C809AA2 5 Bytes JMP 0008011C
.text C:\WINDOWS\system32\lsass.exe[1020] kernel32.dll!CreateRemoteThread 7C810626 5 Bytes JMP 000804F0
.text C:\WINDOWS\system32\lsass.exe[1020] kernel32.dll!CreateThread 7C81082F 5 Bytes JMP 0008057C
.text C:\WINDOWS\system32\lsass.exe[1020] kernel32.dll!CreateProcessInternalW 7C8191EB 5 Bytes JMP 000803D8
.text C:\WINDOWS\system32\lsass.exe[1020] kernel32.dll!CreateProcessInternalA 7C81DA9E 5 Bytes JMP 0008034C
.text C:\WINDOWS\system32\lsass.exe[1020] kernel32.dll!WinExec 7C86114D 5 Bytes JMP 00080464
.text C:\WINDOWS\system32\lsass.exe[1020] kernel32.dll!SetThreadContext 7C862849 5 Bytes JMP 00080608
.text C:\WINDOWS\system32\lsass.exe[1020] USER32.dll!SetWindowsHookExW 77D6E621 5 Bytes JMP 000807AC
.text C:\WINDOWS\system32\lsass.exe[1020] USER32.dll!SetWindowsHookExA 77D702B2 5 Bytes JMP 00080720
.text C:\WINDOWS\system32\lsass.exe[1020] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 000808C4
.text C:\WINDOWS\system32\lsass.exe[1020] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 00080838
.text C:\WINDOWS\system32\lsass.exe[1020] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00080950
.text C:\WINDOWS\system32\svchost.exe[1216] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 000801A8
.text C:\WINDOWS\system32\svchost.exe[1216] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00080090
.text C:\WINDOWS\system32\svchost.exe[1216] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00080694
.text C:\WINDOWS\system32\svchost.exe[1216] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 000802C0
.text C:\WINDOWS\system32\svchost.exe[1216] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00080234
.text C:\WINDOWS\system32\svchost.exe[1216] kernel32.dll!VirtualAlloc 7C809A81 5 Bytes JMP 00080004
.text C:\WINDOWS\system32\svchost.exe[1216] kernel32.dll!VirtualAllocEx 7C809AA2 5 Bytes JMP 0008011C
.text C:\WINDOWS\system32\svchost.exe[1216] kernel32.dll!CreateRemoteThread 7C810626 5 Bytes JMP 000804F0
.text C:\WINDOWS\system32\svchost.exe[1216] kernel32.dll!CreateThread 7C81082F 5 Bytes JMP 0008057C
.text C:\WINDOWS\system32\svchost.exe[1216] kernel32.dll!CreateProcessInternalW 7C8191EB 5 Bytes JMP 000803D8
.text C:\WINDOWS\system32\svchost.exe[1216] kernel32.dll!CreateProcessInternalA 7C81DA9E 5 Bytes JMP 0008034C
.text C:\WINDOWS\system32\svchost.exe[1216] kernel32.dll!WinExec 7C86114D 5 Bytes JMP 00080464
.text C:\WINDOWS\system32\svchost.exe[1216] kernel32.dll!SetThreadContext 7C862849 5 Bytes JMP 00080608
.text C:\WINDOWS\system32\svchost.exe[1216] USER32.dll!SetWindowsHookExW 77D6E621 5 Bytes JMP 000807AC
.text C:\WINDOWS\system32\svchost.exe[1216] USER32.dll!SetWindowsHookExA 77D702B2 5 Bytes JMP 00080720
.text C:\WINDOWS\system32\svchost.exe[1216] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 000808C4
.text C:\WINDOWS\system32\svchost.exe[1216] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 00080838
.text C:\WINDOWS\system32\svchost.exe[1216] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00080950
.text C:\WINDOWS\system32\svchost.exe[1264] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 000801A8
.text C:\WINDOWS\system32\svchost.exe[1264] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00080090
.text C:\WINDOWS\system32\svchost.exe[1264] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00080694
.text C:\WINDOWS\system32\svchost.exe[1264] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 000802C0
.text C:\WINDOWS\system32\svchost.exe[1264] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00080234
.text C:\WINDOWS\system32\svchost.exe[1264] kernel32.dll!VirtualAlloc 7C809A81 5 Bytes JMP 00080004
.text C:\WINDOWS\system32\svchost.exe[1264] kernel32.dll!VirtualAllocEx 7C809AA2 5 Bytes JMP 0008011C
.text C:\WINDOWS\system32\svchost.exe[1264] kernel32.dll!CreateRemoteThread 7C810626 5 Bytes JMP 000804F0
.text C:\WINDOWS\system32\svchost.exe[1264] kernel32.dll!CreateThread 7C81082F 5 Bytes JMP 0008057C
.text C:\WINDOWS\system32\svchost.exe[1264] kernel32.dll!CreateProcessInternalW 7C8191EB 5 Bytes JMP 000803D8
.text C:\WINDOWS\system32\svchost.exe[1264] kernel32.dll!CreateProcessInternalA 7C81DA9E 5 Bytes JMP 0008034C
.text C:\WINDOWS\system32\svchost.exe[1264] kernel32.dll!WinExec 7C86114D 5 Bytes JMP 00080464
.text C:\WINDOWS\system32\svchost.exe[1264] kernel32.dll!SetThreadContext 7C862849 5 Bytes JMP 00080608
.text C:\WINDOWS\system32\svchost.exe[1264] USER32.dll!SetWindowsHookExW 77D6E621 5 Bytes JMP 000807AC
.text C:\WINDOWS\system32\svchost.exe[1264] USER32.dll!SetWindowsHookExA 77D702B2 5 Bytes JMP 00080720
.text C:\WINDOWS\system32\svchost.exe[1264] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 000808C4
.text C:\WINDOWS\system32\svchost.exe[1264] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 00080838
.text C:\WINDOWS\system32\svchost.exe[1264] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00080950
.text C:\WINDOWS\System32\svchost.exe[1388] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 000801A8
.text C:\WINDOWS\System32\svchost.exe[1388] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00080090
.text C:\WINDOWS\System32\svchost.exe[1388] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00080694
.text C:\WINDOWS\System32\svchost.exe[1388] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 000802C0
.text C:\WINDOWS\System32\svchost.exe[1388] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00080234
.text C:\WINDOWS\System32\svchost.exe[1388] kernel32.dll!VirtualAlloc 7C809A81 5 Bytes JMP 00080004
.text C:\WINDOWS\System32\svchost.exe[1388] kernel32.dll!VirtualAllocEx 7C809AA2 5 Bytes JMP 0008011C
.text C:\WINDOWS\System32\svchost.exe[1388] kernel32.dll!CreateRemoteThread 7C810626 5 Bytes JMP 000804F0
.text C:\WINDOWS\System32\svchost.exe[1388] kernel32.dll!CreateThread 7C81082F 5 Bytes JMP 0008057C
.text C:\WINDOWS\System32\svchost.exe[1388] kernel32.dll!CreateProcessInternalW 7C8191EB 5 Bytes JMP 000803D8
.text C:\WINDOWS\System32\svchost.exe[1388] kernel32.dll!CreateProcessInternalA 7C81DA9E 5 Bytes JMP 0008034C
.text C:\WINDOWS\System32\svchost.exe[1388] kernel32.dll!WinExec 7C86114D 5 Bytes JMP 00080464
.text C:\WINDOWS\System32\svchost.exe[1388] kernel32.dll!SetThreadContext 7C862849 5 Bytes JMP 00080608
.text C:\WINDOWS\System32\svchost.exe[1388] USER32.dll!SetWindowsHookExW 77D6E621 5 Bytes JMP 000807AC
.text C:\WINDOWS\System32\svchost.exe[1388] USER32.dll!SetWindowsHookExA 77D702B2 5 Bytes JMP 00080720
.text C:\WINDOWS\System32\svchost.exe[1388] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 000808C4
.text C:\WINDOWS\System32\svchost.exe[1388] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 00080838
.text C:\WINDOWS\System32\svchost.exe[1388] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00080950
.text C:\WINDOWS\System32\svchost.exe[1388] WININET.dll!InternetConnectA 771C44DB 5 Bytes JMP 00080F54
.text C:\WINDOWS\System32\svchost.exe[1388] WININET.dll!InternetOpenA 771C6D2A 5 Bytes JMP 00080D24
.text C:\WINDOWS\System32\svchost.exe[1388] WININET.dll!InternetOpenUrlA 771C6FDD 5 Bytes JMP 00080E3C
.text C:\WINDOWS\System32\svchost.exe[1388] WININET.dll!InternetConnectW 771D5D4C 5 Bytes JMP 00080FE0
.text C:\WINDOWS\System32\svchost.exe[1388] WININET.dll!InternetOpenW 771D6CF3 5 Bytes JMP 00080DB0
.text C:\WINDOWS\System32\svchost.exe[1388] WININET.dll!InternetOpenUrlW 771D7304 5 Bytes JMP 00080EC8
.text C:\WINDOWS\system32\svchost.exe[1480] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 000801A8
.text C:\WINDOWS\system32\svchost.exe[1480] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00080090
.text C:\WINDOWS\system32\svchost.exe[1480] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00080694
.text C:\WINDOWS\system32\svchost.exe[1480] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 000802C0
.text C:\WINDOWS\system32\svchost.exe[1480] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00080234
.text C:\WINDOWS\system32\svchost.exe[1480] kernel32.dll!VirtualAlloc 7C809A81 5 Bytes JMP 00080004
.text C:\WINDOWS\system32\svchost.exe[1480] kernel32.dll!VirtualAllocEx 7C809AA2 5 Bytes JMP 0008011C
.text C:\WINDOWS\system32\svchost.exe[1480] kernel32.dll!CreateRemoteThread 7C810626 5 Bytes JMP 000804F0
.text C:\WINDOWS\system32\svchost.exe[1480] kernel32.dll!CreateThread 7C81082F 5 Bytes JMP 0008057C
.text C:\WINDOWS\system32\svchost.exe[1480] kernel32.dll!CreateProcessInternalW 7C8191EB 5 Bytes JMP 000803D8
.text C:\WINDOWS\system32\svchost.exe[1480] kernel32.dll!CreateProcessInternalA 7C81DA9E 5 Bytes JMP 0008034C
.text C:\WINDOWS\system32\svchost.exe[1480] kernel32.dll!WinExec 7C86114D 5 Bytes JMP 00080464
.text C:\WINDOWS\system32\svchost.exe[1480] kernel32.dll!SetThreadContext 7C862849 5 Bytes JMP 00080608
.text C:\WINDOWS\system32\svchost.exe[1480] USER32.dll!SetWindowsHookExW 77D6E621 5 Bytes JMP 000807AC
.text C:\WINDOWS\system32\svchost.exe[1480] USER32.dll!SetWindowsHookExA 77D702B2 5 Bytes JMP 00080720
.text C:\WINDOWS\system32\svchost.exe[1500] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 000801A8
.text C:\WINDOWS\system32\svchost.exe[1500] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00080090
.text C:\WINDOWS\system32\svchost.exe[1500] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00080694
.text C:\WINDOWS\system32\svchost.exe[1500] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 000802C0
.text C:\WINDOWS\system32\svchost.exe[1500] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00080234
.text C:\WINDOWS\system32\svchost.exe[1500] kernel32.dll!VirtualAlloc 7C809A81 5 Bytes JMP 00080004
.text C:\WINDOWS\system32\svchost.exe[1500] kernel32.dll!VirtualAllocEx 7C809AA2 5 Bytes JMP 0008011C
.text C:\WINDOWS\system32\svchost.exe[1500] kernel32.dll!CreateRemoteThread 7C810626 5 Bytes JMP 000804F0
.text C:\WINDOWS\system32\svchost.exe[1500] kernel32.dll!CreateThread 7C81082F 5 Bytes JMP 0008057C
.text C:\WINDOWS\system32\svchost.exe[1500] kernel32.dll!CreateProcessInternalW 7C8191EB 5 Bytes JMP 000803D8
.text C:\WINDOWS\system32\svchost.exe[1500] kernel32.dll!CreateProcessInternalA 7C81DA9E 5 Bytes JMP 0008034C
.text C:\WINDOWS\system32\svchost.exe[1500] kernel32.dll!WinExec 7C86114D 5 Bytes JMP 00080464
.text C:\WINDOWS\system32\svchost.exe[1500] kernel32.dll!SetThreadContext 7C862849 5 Bytes JMP 00080608
.text C:\WINDOWS\system32\svchost.exe[1500] USER32.dll!SetWindowsHookExW 77D6E621 5 Bytes JMP 000807AC
.text C:\WINDOWS\system32\svchost.exe[1500] USER32.dll!SetWindowsHookExA 77D702B2 5 Bytes JMP 00080720
.text C:\WINDOWS\system32\svchost.exe[1500] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 000808C4
.text C:\WINDOWS\system32\svchost.exe[1500] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 00080838
.text C:\WINDOWS\system32\svchost.exe[1500] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00080950
.text C:\PROGRA~1\AVG\AVG8\avgemc.exe[1516] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001301A8
.text C:\PROGRA~1\AVG\AVG8\avgemc.exe[1516] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00130090
.text C:\PROGRA~1\AVG\AVG8\avgemc.exe[1516] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00130694
.text C:\PROGRA~1\AVG\AVG8\avgemc.exe[1516] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001302C0
.text C:\PROGRA~1\AVG\AVG8\avgemc.exe[1516] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00130234
.text C:\PROGRA~1\AVG\AVG8\avgemc.exe[1516] kernel32.dll!VirtualAlloc 7C809A81 5 Bytes JMP 00130004
.text C:\PROGRA~1\AVG\AVG8\avgemc.exe[1516] kernel32.dll!VirtualAllocEx 7C809AA2 5 Bytes JMP 0013011C
.text C:\PROGRA~1\AVG\AVG8\avgemc.exe[1516] kernel32.dll!CreateRemoteThread 7C810626 5 Bytes JMP 001304F0
.text C:\PROGRA~1\AVG\AVG8\avgemc.exe[1516] kernel32.dll!CreateThread 7C81082F 5 Bytes JMP 0013057C
.text C:\PROGRA~1\AVG\AVG8\avgemc.exe[1516] kernel32.dll!CreateProcessInternalW 7C8191EB 5 Bytes JMP 001303D8
.text C:\PROGRA~1\AVG\AVG8\avgemc.exe[1516] kernel32.dll!CreateProcessInternalA 7C81DA9E 5 Bytes JMP 0013034C
.text C:\PROGRA~1\AVG\AVG8\avgemc.exe[1516] kernel32.dll!WinExec 7C86114D 5 Bytes JMP 00130464
.text C:\PROGRA~1\AVG\AVG8\avgemc.exe[1516] kernel32.dll!SetThreadContext 7C862849 5 Bytes JMP 00130608
.text C:\PROGRA~1\AVG\AVG8\avgemc.exe[1516] USER32.dll!SetWindowsHookExW 77D6E621 5 Bytes JMP 001307AC
.text C:\PROGRA~1\AVG\AVG8\avgemc.exe[1516] USER32.dll!SetWindowsHookExA 77D702B2 5 Bytes JMP 00130720
.text C:\PROGRA~1\AVG\AVG8\avgemc.exe[1516] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 001308C4
.text C:\PROGRA~1\AVG\AVG8\avgemc.exe[1516] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 00130838
.text C:\PROGRA~1\AVG\AVG8\avgemc.exe[1516] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00130950
.text C:\WINDOWS\system32\svchost.exe[1652] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 000801A8
.text C:\WINDOWS\system32\svchost.exe[1652] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00080090
.text C:\WINDOWS\system32\svchost.exe[1652] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00080694
.text C:\WINDOWS\system32\svchost.exe[1652] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 000802C0
.text C:\WINDOWS\system32\svchost.exe[1652] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00080234
.text C:\WINDOWS\system32\svchost.exe[1652] kernel32.dll!VirtualAlloc 7C809A81 5 Bytes JMP 00080004
.text C:\WINDOWS\system32\svchost.exe[1652] kernel32.dll!VirtualAllocEx 7C809AA2 5 Bytes JMP 0008011C
.text C:\WINDOWS\system32\svchost.exe[1652] kernel32.dll!CreateRemoteThread 7C810626 5 Bytes JMP 000804F0
.text C:\WINDOWS\system32\svchost.exe[1652] kernel32.dll!CreateThread 7C81082F 5 Bytes JMP 0008057C
.text C:\WINDOWS\system32\svchost.exe[1652] kernel32.dll!CreateProcessInternalW 7C8191EB 5 Bytes JMP 000803D8
.text C:\WINDOWS\system32\svchost.exe[1652] kernel32.dll!CreateProcessInternalA 7C81DA9E 5 Bytes JMP 0008034C
.text C:\WINDOWS\system32\svchost.exe[1652] kernel32.dll!WinExec 7C86114D 5 Bytes JMP 00080464
.text C:\WINDOWS\system32\svchost.exe[1652] kernel32.dll!SetThreadContext 7C862849 5 Bytes JMP 00080608
.text C:\WINDOWS\system32\svchost.exe[1652] USER32.dll!SetWindowsHookExW 77D6E621 5 Bytes JMP 000807AC
.text C:\WINDOWS\system32\svchost.exe[1652] USER32.dll!SetWindowsHookExA 77D702B2 5 Bytes JMP 00080720
.text C:\WINDOWS\system32\svchost.exe[1652] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 000808C4
.text C:\WINDOWS\system32\svchost.exe[1652] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 00080838
.text C:\WINDOWS\system32\svchost.exe[1652] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00080950
.text C:\WINDOWS\system32\svchost.exe[1652] WININET.dll!InternetConnectA 771C44DB 5 Bytes JMP 00080F54
.text C:\WINDOWS\system32\svchost.exe[1652] WININET.dll!InternetOpenA 771C6D2A 5 Bytes JMP 00080D24
.text C:\WINDOWS\system32\svchost.exe[1652] WININET.dll!InternetOpenUrlA 771C6FDD 5 Bytes JMP 00080E3C
.text C:\WINDOWS\system32\svchost.exe[1652] WININET.dll!InternetConnectW 771D5D4C 5 Bytes JMP 00080FE0
.text C:\WINDOWS\system32\svchost.exe[1652] WININET.dll!InternetOpenW 771D6CF3 5 Bytes JMP 00080DB0
.text C:\WINDOWS\system32\svchost.exe[1652] WININET.dll!InternetOpenUrlW 771D7304 5 Bytes JMP 00080EC8
.text C:\WINDOWS\system32\spoolsv.exe[1924] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 000801A8
.text C:\WINDOWS\system32\spoolsv.exe[1924] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00080090
.text C:\WINDOWS\system32\spoolsv.exe[1924] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00080694
.text C:\WINDOWS\system32\spoolsv.exe[1924] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 000802C0
.text C:\WINDOWS\system32\spoolsv.exe[1924] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00080234
.text C:\WINDOWS\system32\spoolsv.exe[1924] kernel32.dll!VirtualAlloc 7C809A81 5 Bytes JMP 00080004
.text C:\WINDOWS\system32\spoolsv.exe[1924] kernel32.dll!VirtualAllocEx 7C809AA2 5 Bytes JMP 0008011C
.text C:\WINDOWS\system32\spoolsv.exe[1924] kernel32.dll!CreateRemoteThread 7C810626 5 Bytes JMP 000804F0
.text C:\WINDOWS\system32\spoolsv.exe[1924] kernel32.dll!CreateThread 7C81082F 5 Bytes JMP 0008057C
.text C:\WINDOWS\system32\spoolsv.exe[1924] kernel32.dll!CreateProcessInternalW 7C8191EB 5 Bytes JMP 000803D8
.text C:\WINDOWS\system32\spoolsv.exe[1924] kernel32.dll!CreateProcessInternalA 7C81DA9E 5 Bytes JMP 0008034C
.text C:\WINDOWS\system32\spoolsv.exe[1924] kernel32.dll!WinExec 7C86114D 5 Bytes JMP 00080464
.text C:\WINDOWS\system32\spoolsv.exe[1924] kernel32.dll!SetThreadContext 7C862849 5 Bytes JMP 00080608
.text C:\WINDOWS\system32\spoolsv.exe[1924] USER32.dll!SetWindowsHookExW 77D6E621 5 Bytes JMP 000807AC
.text C:\WINDOWS\system32\spoolsv.exe[1924] USER32.dll!SetWindowsHookExA 77D702B2 5 Bytes JMP 00080720
.text C:\WINDOWS\system32\spoolsv.exe[1924] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 000808C4
.text C:\WINDOWS\system32\spoolsv.exe[1924] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 00080838
.text C:\WINDOWS\system32\spoolsv.exe[1924] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00080950
.text C:\Program Files\Mozilla Firefox\firefox.exe[2012] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001301A8
.text C:\Program Files\Mozilla Firefox\firefox.exe[2012] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00130090
.text C:\Program Files\Mozilla Firefox\firefox.exe[2012] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00130694
.text C:\Program Files\Mozilla Firefox\firefox.exe[2012] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001302C0
.text C:\Program Files\Mozilla Firefox\firefox.exe[2012] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00130234
.text C:\Program Files\Mozilla Firefox\firefox.exe[2012] kernel32.dll!VirtualAlloc 7C809A81 5 Bytes JMP 00130004
.text C:\Program Files\Mozilla Firefox\firefox.exe[2012] kernel32.dll!VirtualAllocEx 7C809AA2 5 Bytes JMP 0013011C
.text C:\Program Files\Mozilla Firefox\firefox.exe[2012] kernel32.dll!CreateRemoteThread 7C810626 5 Bytes JMP 001304F0
.text C:\Program Files\Mozilla Firefox\firefox.exe[2012] kernel32.dll!CreateThread 7C81082F 5 Bytes JMP 0013057C
.text C:\Program Files\Mozilla Firefox\firefox.exe[2012] kernel32.dll!CreateProcessInternalW 7C8191EB 5 Bytes JMP 001303D8
.text C:\Program Files\Mozilla Firefox\firefox.exe[2012] kernel32.dll!CreateProcessInternalA 7C81DA9E 5 Bytes JMP 0013034C
.text C:\Program Files\Mozilla Firefox\firefox.exe[2012] kernel32.dll!WinExec 7C86114D 5 Bytes JMP 00130464
.text C:\Program Files\Mozilla Firefox\firefox.exe[2012] kernel32.dll!SetThreadContext 7C862849 5 Bytes JMP 00130608
.text C:\Program Files\Mozilla Firefox\firefox.exe[2012] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 001308C4
.text C:\Program Files\Mozilla Firefox\firefox.exe[2012] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 00130838
.text C:\Program Files\Mozilla Firefox\firefox.exe[2012] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00130950
.text C:\Program Files\Mozilla Firefox\firefox.exe[2012] USER32.dll!SetWindowsHookExW 77D6E621 5 Bytes JMP 001307AC
.text C:\Program Files\Mozilla Firefox\firefox.exe[2012] USER32.dll!SetWindowsHookExA 77D702B2 5 Bytes JMP 00130720
.text C:\Program Files\AVG\AVG8\avgcsrvx.exe[2044] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001301A8
.text C:\Program Files\AVG\AVG8\avgcsrvx.exe[2044] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00130090
.text C:\Program Files\AVG\AVG8\avgcsrvx.exe[2044] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00130694
.text C:\Program Files\AVG\AVG8\avgcsrvx.exe[2044] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001302C0
.text C:\Program Files\AVG\AVG8\avgcsrvx.exe[2044] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00130234
.text C:\Program Files\AVG\AVG8\avgcsrvx.exe[2044] kernel32.dll!VirtualAlloc 7C809A81 5 Bytes JMP 00130004
.text C:\Program Files\AVG\AVG8\avgcsrvx.exe[2044] kernel32.dll!VirtualAllocEx 7C809AA2 5 Bytes JMP 0013011C
.text C:\Program Files\AVG\AVG8\avgcsrvx.exe[2044] kernel32.dll!CreateRemoteThread 7C810626 5 Bytes JMP 001304F0
.text C:\Program Files\AVG\AVG8\avgcsrvx.exe[2044] kernel32.dll!CreateThread 7C81082F 5 Bytes JMP 0013057C
.text C:\Program Files\AVG\AVG8\avgcsrvx.exe[2044] kernel32.dll!CreateProcessInternalW 7C8191EB 5 Bytes JMP 001303D8
.text C:\Program Files\AVG\AVG8\avgcsrvx.exe[2044] kernel32.dll!CreateProcessInternalA 7C81DA9E 5 Bytes JMP 0013034C
.text C:\Program Files\AVG\AVG8\avgcsrvx.exe[2044] kernel32.dll!WinExec 7C86114D 5 Bytes JMP 00130464
.text C:\Program Files\AVG\AVG8\avgcsrvx.exe[2044] kernel32.dll!SetThreadContext 7C862849 5 Bytes JMP 00130608
.text C:\WINDOWS\System32\alg.exe[2068] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 000801A8
.text C:\WINDOWS\System32\alg.exe[2068] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00080090
.text C:\WINDOWS\System32\alg.exe[2068] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00080694
.text C:\WINDOWS\System32\alg.exe[2068] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 000802C0
.text C:\WINDOWS\System32\alg.exe[2068] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00080234
.text C:\WINDOWS\System32\alg.exe[2068] kernel32.dll!VirtualAlloc 7C809A81 5 Bytes JMP 00080004
.text C:\WINDOWS\System32\alg.exe[2068] kernel32.dll!VirtualAllocEx 7C809AA2 5 Bytes JMP 0008011C
.text C:\WINDOWS\System32\alg.exe[2068] kernel32.dll!CreateRemoteThread 7C810626 5 Bytes JMP 000804F0
.text C:\WINDOWS\System32\alg.exe[2068] kernel32.dll!CreateThread 7C81082F 5 Bytes JMP 0008057C
.text C:\WINDOWS\System32\alg.exe[2068] kernel32.dll!CreateProcessInternalW 7C8191EB 5 Bytes JMP 000803D8
.text C:\WINDOWS\System32\alg.exe[2068] kernel32.dll!CreateProcessInternalA 7C81DA9E 5 Bytes JMP 0008034C
.text C:\WINDOWS\System32\alg.exe[2068] kernel32.dll!WinExec 7C86114D 5 Bytes JMP 00080464
.text C:\WINDOWS\System32\alg.exe[2068] kernel32.dll!SetThreadContext 7C862849 5 Bytes JMP 00080608
.text C:\WINDOWS\System32\alg.exe[2068] USER32.dll!SetWindowsHookExW 77D6E621 5 Bytes JMP 000807AC
.text C:\WINDOWS\System32\alg.exe[2068] USER32.dll!SetWindowsHookExA 77D702B2 5 Bytes JMP 00080720
.text C:\WINDOWS\System32\alg.exe[2068] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 000808C4
.text C:\WINDOWS\System32\alg.exe[2068] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 00080838
.text C:\WINDOWS\System32\alg.exe[2068] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00080950
.text C:\WINDOWS\system32\wscntfy.exe[2104] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 000701A8
.text C:\WINDOWS\system32\wscntfy.exe[2104] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00070090
.text C:\WINDOWS\system32\wscntfy.exe[2104] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00070694
.text C:\WINDOWS\system32\wscntfy.exe[2104] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 000702C0
.text C:\WINDOWS\system32\wscntfy.exe[2104] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00070234
.text C:\WINDOWS\system32\wscntfy.exe[2104] kernel32.dll!VirtualAlloc 7C809A81 5 Bytes JMP 00070004
.text C:\WINDOWS\system32\wscntfy.exe[2104] kernel32.dll!VirtualAllocEx 7C809AA2 5 Bytes JMP 0007011C
.text C:\WINDOWS\system32\wscntfy.exe[2104] kernel32.dll!CreateRemoteThread 7C810626 5 Bytes JMP 000704F0
.text C:\WINDOWS\system32\wscntfy.exe[2104] kernel32.dll!CreateThread 7C81082F 5 Bytes JMP 0007057C
.text C:\WINDOWS\system32\wscntfy.exe[2104] kernel32.dll!CreateProcessInternalW 7C8191EB 5 Bytes JMP 000703D8
.text C:\WINDOWS\system32\wscntfy.exe[2104] kernel32.dll!CreateProcessInternalA 7C81DA9E 5 Bytes JMP 0007034C
.text C:\WINDOWS\system32\wscntfy.exe[2104] kernel32.dll!WinExec 7C86114D 5 Bytes JMP 00070464
.text C:\WINDOWS\system32\wscntfy.exe[2104] kernel32.dll!SetThreadContext 7C862849 5 Bytes JMP 00070608
.text C:\WINDOWS\system32\wscntfy.exe[2104] USER32.dll!SetWindowsHookExW 77D6E621 5 Bytes JMP 000707AC
.text C:\WINDOWS\system32\wscntfy.exe[2104] USER32.dll!SetWindowsHookExA 77D702B2 5 Bytes JMP 00070720
.text C:\Program Files\Sunbelt Software\Personal Firewall\SbPFCl.exe[2412] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001301A8
.text C:\Program Files\Sunbelt Software\Personal Firewall\SbPFCl.exe[2412] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00130090
.text C:\Program Files\Sunbelt Software\Personal Firewall\SbPFCl.exe[2412] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00130694
.text C:\Program Files\Sunbelt Software\Personal Firewall\SbPFCl.exe[2412] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001302C0
.text C:\Program Files\Sunbelt Software\Personal Firewall\SbPFCl.exe[2412] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00130234
.text C:\Program Files\Sunbelt Software\Personal Firewall\SbPFCl.exe[2412] kernel32.dll!VirtualAlloc 7C809A81 5 Bytes JMP 00130004
.text C:\Program Files\Sunbelt Software\Personal Firewall\SbPFCl.exe[2412] kernel32.dll!VirtualAllocEx 7C809AA2 5 Bytes JMP 0013011C
.text C:\Program Files\Sunbelt Software\Personal Firewall\SbPFCl.exe[2412] kernel32.dll!CreateRemoteThread 7C810626 5 Bytes JMP 001304F0
.text C:\Program Files\Sunbelt Software\Personal Firewall\SbPFCl.exe[2412] kernel32.dll!CreateThread 7C81082F 5 Bytes JMP 0013057C
.text C:\Program Files\Sunbelt Software\Personal Firewall\SbPFCl.exe[2412] kernel32.dll!CreateProcessInternalW 7C8191EB 5 Bytes JMP 001303D8
.text C:\Program Files\Sunbelt Software\Personal Firewall\SbPFCl.exe[2412] kernel32.dll!CreateProcessInternalA 7C81DA9E 5 Bytes JMP 0013034C
.text C:\Program Files\Sunbelt Software\Personal Firewall\SbPFCl.exe[2412] kernel32.dll!WinExec 7C86114D 5 Bytes JMP 00130464
.text C:\Program Files\Sunbelt Software\Personal Firewall\SbPFCl.exe[2412] kernel32.dll!SetThreadContext 7C862849 5 Bytes JMP 00130608
.text C:\Program Files\Sunbelt Software\Personal Firewall\SbPFCl.exe[2412] USER32.dll!SetWindowsHookExW 77D6E621 5 Bytes JMP 001307AC
.text C:\Program Files\Sunbelt Software\Personal Firewall\SbPFCl.exe[2412] USER32.dll!SetWindowsHookExA 77D702B2 5 Bytes JMP 00130720
.text C:\WINDOWS\system32\dla\tfswctrl.exe[2984] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001301A8
.text C:\WINDOWS\system32\dla\tfswctrl.exe[2984] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00130090
.text C:\WINDOWS\system32\dla\tfswctrl.exe[2984] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00130694
.text C:\WINDOWS\system32\dla\tfswctrl.exe[2984] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001302C0
.text C:\WINDOWS\system32\dla\tfswctrl.exe[2984] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00130234
.text C:\WINDOWS\system32\dla\tfswctrl.exe[2984] kernel32.dll!VirtualAlloc 7C809A81 5 Bytes JMP 00130004
.text C:\WINDOWS\system32\dla\tfswctrl.exe[2984] kernel32.dll!VirtualAllocEx 7C809AA2 5 Bytes JMP 0013011C
.text C:\WINDOWS\system32\dla\tfswctrl.exe[2984] kernel32.dll!CreateRemoteThread 7C810626 5 Bytes JMP 001304F0
.text C:\WINDOWS\system32\dla\tfswctrl.exe[2984] kernel32.dll!CreateThread 7C81082F 5 Bytes JMP 0013057C
.text C:\WINDOWS\system32\dla\tfswctrl.exe[2984] kernel32.dll!CreateProcessInternalW 7C8191EB 5 Bytes JMP 001303D8
.text C:\WINDOWS\system32\dla\tfswctrl.exe[2984] kernel32.dll!CreateProcessInternalA 7C81DA9E 5 Bytes JMP 0013034C
.text C:\WINDOWS\system32\dla\tfswctrl.exe[2984] kernel32.dll!WinExec 7C86114D 5 Bytes JMP 00130464
.text C:\WINDOWS\system32\dla\tfswctrl.exe[2984] kernel32.dll!SetThreadContext 7C862849 5 Bytes JMP 00130608
.text C:\WINDOWS\system32\dla\tfswctrl.exe[2984] USER32.dll!SetWindowsHookExW 77D6E621 5 Bytes JMP 001307AC
.text C:\WINDOWS\system32\dla\tfswctrl.exe[2984] USER32.dll!SetWindowsHookExA 77D702B2 5 Bytes JMP 00130720
.text C:\WINDOWS\RTHDCPL.EXE[3012] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001301A8
.text C:\WINDOWS\RTHDCPL.EXE[3012] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00130090
.text C:\WINDOWS\RTHDCPL.EXE[3012] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00130694
.text C:\WINDOWS\RTHDCPL.EXE[3012] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001302C0
.text C:\WINDOWS\RTHDCPL.EXE[3012] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00130234
.text C:\WINDOWS\RTHDCPL.EXE[3012] kernel32.dll!VirtualAlloc 7C809A81 5 Bytes JMP 00130004
.text C:\WINDOWS\RTHDCPL.EXE[3012] kernel32.dll!VirtualAllocEx 7C809AA2 5 Bytes JMP 0013011C
.text C:\WINDOWS\RTHDCPL.EXE[3012] kernel32.dll!CreateRemoteThread 7C810626 5 Bytes JMP 001304F0
.text C:\WINDOWS\RTHDCPL.EXE[3012] kernel32.dll!CreateThread 7C81082F 5 Bytes JMP 0013057C
.text C:\WINDOWS\RTHDCPL.EXE[3012] kernel32.dll!CreateProcessInternalW 7C8191EB 5 Bytes JMP 001303D8
.text C:\WINDOWS\RTHDCPL.EXE[3012] kernel32.dll!CreateProcessInternalA 7C81DA9E 5 Bytes JMP 0013034C
.text C:\WINDOWS\RTHDCPL.EXE[3012] kernel32.dll!WinExec 7C86114D 5 Bytes JMP 00130464
.text C:\WINDOWS\RTHDCPL.EXE[3012] kernel32.dll!SetThreadContext 7C862849 5 Bytes JMP 00130608
.text C:\WINDOWS\RTHDCPL.EXE[3012] USER32.dll!SetWindowsHookExW 77D6E621 5 Bytes JMP 001307AC
.text C:\WINDOWS\RTHDCPL.EXE[3012] USER32.dll!SetWindowsHookExA 77D702B2 5 Bytes JMP 00130720
.text C:\Documents and Settings\Joe\Desktop\cqpl6hnq.exe[3492] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001301A8
.text C:\Documents and Settings\Joe\Desktop\cqpl6hnq.exe[3492] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00130090
.text C:\Documents and Settings\Joe\Desktop\cqpl6hnq.exe[3492] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00130694
.text C:\Documents and Settings\Joe\Desktop\cqpl6hnq.exe[3492] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001302C0
.text C:\Documents and Settings\Joe\Desktop\cqpl6hnq.exe[3492] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00130234
.text C:\Documents and Settings\Joe\Desktop\cqpl6hnq.exe[3492] kernel32.dll!VirtualAlloc 7C809A81 5 Bytes JMP 00130004
.text C:\Documents and Settings\Joe\Desktop\cqpl6hnq.exe[3492] kernel32.dll!VirtualAllocEx 7C809AA2 5 Bytes JMP 0013011C
.text C:\Documents and Settings\Joe\Desktop\cqpl6hnq.exe[3492] kernel32.dll!CreateRemoteThread 7C810626 5 Bytes JMP 001304F0
.text C:\Documents and Settings\Joe\Desktop\cqpl6hnq.exe[3492] kernel32.dll!CreateThread 7C81082F 5 Bytes JMP 0013057C
.text C:\Documents and Settings\Joe\Desktop\cqpl6hnq.exe[3492] kernel32.dll!CreateProcessInternalW 7C8191EB 5 Bytes JMP 001303D8
.text C:\Documents and Settings\Joe\Desktop\cqpl6hnq.exe[3492] kernel32.dll!CreateProcessInternalA 7C81DA9E 5 Bytes JMP 0013034C
.text C:\Documents and Settings\Joe\Desktop\cqpl6hnq.exe[3492] kernel32.dll!WinExec 7C86114D 5 Bytes JMP 00130464
.text C:\Documents and Settings\Joe\Desktop\cqpl6hnq.exe[3492] kernel32.dll!SetThreadContext 7C862849 5 Bytes JMP 00130608
.text C:\Documents and Settings\Joe\Desktop\cqpl6hnq.exe[3492] USER32.dll!SetWindowsHookExW 77D6E621 5 Bytes JMP 001307AC
.text C:\Documents and Settings\Joe\Desktop\cqpl6hnq.exe[3492] USER32.dll!SetWindowsHookExA 77D702B2 5 Bytes JMP 00130720

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\Fs_Rec \FileSystem\NtfsRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Cdfs \Cdfs tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@LoadAppInit_DLLs 1

---- EOF - GMER 1.0.15 ----

==========================================================================

Logfile of random's system information tool 1.06 (written by random/random)
Run by Joe at 2009-10-28 15:55:54
Microsoft Windows XP Professional Service Pack 2
System drive C: has 34 GB (71%) free of 47 GB
Total RAM: 959 MB (47% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:55:56 PM, on 10/28/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sunbelt Software\Personal Firewall\SbPFLnch.exe
C:\Program Files\Sunbelt Software\Personal Firewall\SbPFSvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Sunbelt Software\Personal Firewall\SbPFCl.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Joe\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Joe.exe

R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [GEST] m|P
O4 - HKLM\..\RunOnce: [InnoSetupRegFile.0000000001] "C:\WINDOWS\is-RIOMQ.exe" /REG
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0D6709DD-4ED8-40CA-B459-2757AEEF7BEE} (Dldrv2 Control) - http://download.gigabyte.com.tw/object/Dldrv.ocx
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LNrKpv - CPUID - C:\Program Files\CPUID\PC Wizard 2009\Data\pcwizntl.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SbPF.Launcher - Sunbelt Software, Inc. - C:\Program Files\Sunbelt Software\Personal Firewall\SbPFLnch.exe
O23 - Service: Sunbelt Personal Firewall 4 (SPF4) - Sunbelt Software, Inc. - C:\Program Files\Sunbelt Software\Personal Firewall\SbPFSvc.exe

--
End of file - 5059 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
AVG Safe Search - C:\Program Files\AVG\AVG8\avgssie.dll [2009-09-27 1111320]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
Spybot-S&D IE Protection - C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2009-01-26 1879896]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5CA3D70E-1895-11CF-8E15-001234567890}]
DriveLetterAccess - C:\WINDOWS\system32\dla\tfswshx.dll [2003-08-06 106548]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
AVG Security Toolbar BHO - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll [2009-07-24 1090816]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java™ Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-10-01 41760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - AVG Security Toolbar - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll [2009-07-24 1090816]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2006-10-31 7634944]
"nwiz"=nwiz.exe /install []
"NvMediaCenter"=C:\WINDOWS\system32\NvMcTray.dll [2006-10-31 86016]
"Tweak UI"=TWEAKUI.CPL,TweakMeUp []
"dla"=C:\WINDOWS\system32\dla\tfswctrl.exe [2003-08-06 114741]
"RTHDCPL"=C:\WINDOWS\RTHDCPL.EXE [2005-04-12 14156800]
"AVG8_TRAY"=C:\PROGRA~1\AVG\AVG8\avgtray.exe [2009-10-17 2025752]
"GEST"=m|P []

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"InnoSetupRegFile.0000000001"=C:\WINDOWS\is-RIOMQ.exe /REG []

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [2009-01-26 2144088]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe [2005-02-17 221184]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe [2005-02-17 81920]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe [2004-08-04 1667584]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OM2_Monitor]
C:\Program Files\OLYMPUS\OLYMPUS Master 2\FirstStart.exe /OM []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sonic RecordNow!]
[]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StorageGuard]
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe [2003-02-13 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe [2007-09-25 132496]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Wireless Configuration Utility.lnk]
C:\PROGRA~1\TRENDnet\TEW-42~1\WlanCU.exe [2007-07-10 634880]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Joe^Start Menu^Programs^Startup^OpenOffice.org 2.3.lnk]
C:\PROGRA~1\OPENOF~1.3\program\QUICKS~1.EXE [2007-08-17 393216]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\avgrsstarter]
C:\WINDOWS\system32\avgrsstx.dll [2009-09-27 11952]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PEVSystemStart]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\procexp90.Sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Lavasoft Ad-Aware Service]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\PEVSystemStart]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\procexp90.Sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\vsmon]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{1a3e09be-1e45-494b-9174-d7385b45bbf5}]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Gigabyte\ET5\update.exe"="C:\Program Files\Gigabyte\ET5\update.exe:*:Enabled:ftptest"
"C:\WINDOWS\System32\dpvsetup.exe"="C:\WINDOWS\System32\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test"
"C:\WINDOWS\System32\RUNDLL32.EXE"="C:\WINDOWS\System32\RUNDLL32.EXE:*:Enabled:Run a DLL as an App"
"C:\Program Files\AVG\AVG8\avgemc.exe"="C:\Program Files\AVG\AVG8\avgemc.exe:*:Enabled:avgemc.exe"
"C:\Program Files\AVG\AVG8\avgupd.exe"="C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe"
"C:\Program Files\AVG\AVG8\avgnsx.exe"="C:\Program Files\AVG\AVG8\avgnsx.exe:*:Enabled:avgnsx.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpqkygrp.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqkygrp.exe:*:Enabled:hpqkygrp.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpfcCopy.exe"="C:\Program Files\HP\Digital Imaging\bin\hpfcCopy.exe:*:Enabled:hpfccopy.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpiscnapp.exe"="C:\Program Files\HP\Digital Imaging\bin\hpiscnapp.exe:*:Enabled:hpiscnapp.exe"
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\HP\Digital Imaging\bin\hpqkygrp.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqkygrp.exe:*:Enabled:hpqkygrp.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpfcCopy.exe"="C:\Program Files\HP\Digital Imaging\bin\hpfcCopy.exe:*:Enabled:hpfccopy.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpiscnapp.exe"="C:\Program Files\HP\Digital Imaging\bin\hpiscnapp.exe:*:Enabled:hpiscnapp.exe"

======List of files/folders created in the last 1 months======

2009-10-28 15:55:54 ----D---- C:\rsit
2009-10-24 18:24:56 ----D---- C:\Qoobox
2009-10-24 18:24:55 ----A---- C:\Bug.txt
2009-10-24 18:24:37 ----D---- C:\32788R22FWJFW
2009-10-22 14:54:19 ----N---- C:\WINDOWS\SchedLgU.Txt
2009-10-22 14:52:40 ----D---- C:\Fla2004Tape1
2009-10-22 14:25:12 ----RD---- C:\Program Files
2009-10-22 14:19:06 ----D---- C:\IBM Camera Driver
2009-10-21 18:57:30 ----D---- C:\Documents and Settings\All Users\Application Data\Apple Computer
2009-10-21 18:55:48 ----D---- C:\Program Files\MSXML 4.0
2009-10-13 14:35:58 ----D---- C:\Music
2009-10-13 14:33:56 ----D---- C:\Realtek Sound Card Driver
2009-10-13 12:29:16 ----A---- C:\WINDOWS\system32\vfwwdm32.dll
2009-10-13 12:24:22 ----N---- C:\WINDOWS\system32\PicEng.dll
2009-10-13 12:24:22 ----A---- C:\WINDOWS\system32\C-itnt.dll
2009-10-13 12:24:22 ----A---- C:\WINDOWS\system32\camiodll.dll
2009-10-13 12:24:22 ----A---- C:\WINDOWS\system32\camfc.dll
2009-10-13 12:24:22 ----A---- C:\WINDOWS\system32\CamCapEx.dll
2009-10-13 12:24:20 ----D---- C:\Program Files\IBM PC Camera
2009-10-13 12:24:20 ----A---- C:\WINDOWS\system32\Xl_yv12.dll
2009-10-13 12:24:20 ----A---- C:\WINDOWS\system32\Xl_yuy2.dll
2009-10-13 12:24:20 ----A---- C:\WINDOWS\system32\xl_x263dec.dll
2009-10-13 12:24:20 ----A---- C:\WINDOWS\system32\Xl_uyvy.dll
2009-10-13 12:24:20 ----A---- C:\WINDOWS\system32\Xl_I420.dll
2009-10-13 12:24:20 ----A---- C:\WINDOWS\system32\x263.dll
2009-10-13 12:24:20 ----A---- C:\WINDOWS\bundle.ini
2009-10-13 12:23:23 ----D---- C:\SETUP
2009-10-12 14:35:07 ----HD---- C:\$AVG8.VAULT$
2009-10-12 12:38:21 ----D---- C:\Program Files\Audacity
2009-10-04 17:24:06 ----D---- C:\Program Files\Trend Micro
2009-10-02 15:37:21 ----D---- C:\My Recordings
2009-10-01 19:44:21 ----D---- C:\Program Files\FREE Hi-Q Recorder
2009-10-01 19:21:38 ----A---- C:\WINDOWS\system32\msvcr70.dll
2009-10-01 17:32:37 ----D---- C:\Documents and Settings\Joe\Application Data\Leadertech
2009-10-01 16:06:08 ----A---- C:\WINDOWS\system32\deploytk.dll
2009-10-01 16:06:07 ----A---- C:\WINDOWS\system32\javaws.exe
2009-10-01 16:06:07 ----A---- C:\WINDOWS\system32\javaw.exe
2009-10-01 16:06:07 ----A---- C:\WINDOWS\system32\java.exe
2009-10-01 13:51:54 ----D---- C:\Regclean
2009-10-01 13:35:47 ----D---- C:\Documents and Settings\All Users\Application Data\Yahoo!
2009-10-01 13:32:12 ----D---- C:\Program Files\Yahoo!
2009-10-01 13:31:44 ----D---- C:\Program Files\CCleaner
2009-10-01 13:15:37 ----D---- C:\Program Files\Sunbelt Software
2009-10-01 12:55:20 ----D---- C:\Program Files\COMODO
2009-10-01 12:44:05 ----D---- C:\WINDOWS\Sun
2009-10-01 11:10:27 ----D---- C:\Documents and Settings\All Users\Application Data\MailFrontier
2009-10-01 11:09:59 ----A---- C:\WINDOWS\system32\SpOrder.dll
2009-10-01 09:01:57 ----D---- C:\WINDOWS\pss
2009-09-30 20:57:00 ----D---- C:\Program Files\AskBarDis
2009-09-30 20:53:43 ----N---- C:\WINDOWS\system32\spmsg.dll
2009-09-30 20:53:40 ----HD---- C:\WINDOWS\$NtUninstallKB943232$
2009-09-30 20:53:24 ----D---- C:\Program Files\Zone Labs
2009-09-30 20:52:58 ----D---- C:\WINDOWS\Internet Logs
2009-09-30 17:31:49 ----D---- C:\Program Files\Common Files\HP
2009-09-30 17:31:33 ----A---- C:\WINDOWS\system32\hppldcoi.dll
2009-09-30 17:31:33 ----A---- C:\WINDOWS\system32\hposwia_p02b.dll
2009-09-30 17:31:33 ----A---- C:\WINDOWS\system32\hpost_p02b.dll
2009-09-30 17:31:33 ----A---- C:\WINDOWS\system32\hposc_p02a.dll
2009-09-30 17:31:33 ----A---- C:\WINDOWS\system32\difxapi.dll
2009-09-30 17:21:38 ----RA---- C:\WINDOWS\system32\hpzids01.dll
2009-09-30 17:21:38 ----A---- C:\WINDOWS\system32\hpf3l083.dll
2009-09-29 21:04:26 ----D---- C:\Program Files\Common Files\Hewlett-Packard
2009-09-29 21:04:08 ----D---- C:\Program Files\HP

======List of files/folders modified in the last 1 months======

2009-10-28 10:47:40 ----A---- C:\WINDOWS\win.ini
2009-10-21 21:36:36 ----ASH---- C:\boot.ini
2009-10-21 21:36:36 ----A---- C:\WINDOWS\system.ini
2009-10-01 09:04:22 ----A---- C:\WINDOWS\RTacDbg.txt

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AmdK8;AMD Processor Driver; C:\WINDOWS\system32\DRIVERS\AmdK8.sys [2006-07-01 36864]
R1 AvgLdx86;AVG Free AVI Loader Driver x86; C:\WINDOWS\System32\Drivers\avgldx86.sys [2009-09-27 335240]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86; C:\WINDOWS\System32\Drivers\avgmfx86.sys [2009-09-27 27784]
R1 AvgTdiX;AVG Free8 Network Redirector; C:\WINDOWS\System32\Drivers\avgtdix.sys [2009-09-27 108552]
R1 SbFw;SbFw; C:\WINDOWS\system32\drivers\SbFw.sys [2008-10-31 270888]
R1 sbhips;Sunbelt HIPS Driver; C:\WINDOWS\system32\drivers\sbhips.sys [2008-06-21 66600]
R1 sscdbhk5;sscdbhk5; C:\WINDOWS\system32\drivers\sscdbhk5.sys [2003-07-14 5621]
R1 ssrtln;ssrtln; C:\WINDOWS\system32\drivers\ssrtln.sys [2003-07-14 23219]
R2 AegisP;AEGIS Protocol (IEEE 802.1x) v3.4.5.0; C:\WINDOWS\system32\DRIVERS\AegisP.sys [2009-09-17 21035]
R2 drvnddm;drvnddm; C:\WINDOWS\system32\drivers\drvnddm.sys [2003-06-20 40448]
R2 tfsnboio;tfsnboio; C:\WINDOWS\system32\dla\tfsnboio.sys [2003-08-06 25685]
R2 tfsncofs;tfsncofs; C:\WINDOWS\system32\dla\tfsncofs.sys [2003-08-06 34837]
R2 tfsndrct;tfsndrct; C:\WINDOWS\system32\dla\tfsndrct.sys [2003-08-06 4117]
R2 tfsndres;tfsndres; C:\WINDOWS\system32\dla\tfsndres.sys [2003-08-06 2233]
R2 tfsnifs;tfsnifs; C:\WINDOWS\system32\dla\tfsnifs.sys [2003-08-06 83284]
R2 tfsnopio;tfsnopio; C:\WINDOWS\system32\dla\tfsnopio.sys [2003-08-06 14229]
R2 tfsnpool;tfsnpool; C:\WINDOWS\system32\dla\tfsnpool.sys [2003-08-06 6357]
R2 tfsnudf;tfsnudf; C:\WINDOWS\system32\dla\tfsnudf.sys [2003-08-06 98068]
R2 tfsnudfa;tfsnudfa; C:\WINDOWS\system32\dla\tfsnudfa.sys [2003-08-06 100373]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2005-01-07 138752]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\WINDOWS\system32\drivers\RtkHDAud.sys [2005-04-15 2564032]
R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2006-10-31 3964256]
R3 NVENETFD;NVIDIA nForce Networking Controller Driver; C:\WINDOWS\system32\DRIVERS\NVENETFD.sys [2006-11-27 58368]
R3 nvnetbus;NVIDIA Network Bus Enumerator; C:\WINDOWS\system32\DRIVERS\nvnetbus.sys [2006-11-27 19968]
R3 SBFWIMCL;Sunbelt Software Firewall NDIS IM Filter Miniport; C:\WINDOWS\system32\DRIVERS\sbfwim.sys [2008-06-21 65576]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2004-08-04 26624]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2004-08-04 57600]
R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbohci.sys [2004-08-04 17024]
R3 XIRLINK;IBM PC Camera; C:\WINDOWS\system32\DRIVERS\C-itnt.sys [2002-03-12 899884]
S1 AmdPPM;AMD HwPState Processor Driver; C:\WINDOWS\system32\DRIVERS\AmdPPM.sys [2007-04-16 33792]
S3 Ambfilt;Ambfilt; C:\WINDOWS\system32\drivers\Ambfilt.sys [2008-08-05 1684736]
S3 CCDECODE;Closed Caption Decoder; C:\WINDOWS\system32\DRIVERS\CCDECODE.sys [2004-08-03 17024]
S3 ctljystk;Creative SBLive! Gameport; C:\WINDOWS\system32\DRIVERS\ctljystk.sys [2001-08-17 3712]
S3 emu10k;Creative SB Live! (WDM); C:\WINDOWS\system32\drivers\emu10k1m.sys [2001-08-17 283904]
S3 emu10k1;Creative Interface Manager Driver (WDM); C:\WINDOWS\system32\drivers\ctlfacem.sys [2001-08-17 6912]
S3 ET5Drv;ET5Drv; \??\C:\WINDOWS\system32\Drivers\ET5Drv.sys []
S3 gdrv;gdrv; \??\C:\WINDOWS\gdrv.sys []
S3 HPZid412;IEEE-1284.4 Driver HPZid412; C:\WINDOWS\system32\DRIVERS\HPZid412.sys [2008-10-13 49920]
S3 HPZipr12;Print Class Driver for IEEE-1284.4 HPZipr12; C:\WINDOWS\system32\DRIVERS\HPZipr12.sys [2008-10-13 16496]
S3 HPZius12;USB to IEEE-1284.4 Translation Driver HPZius12; C:\WINDOWS\system32\DRIVERS\HPZius12.sys [2008-10-13 21568]
S3 kxlyqpow;kxlyqpow; \??\C:\DOCUME~1\Joe\LOCALS~1\Temp\kxlyqpow.sys []
S3 MarkFun_NT;MarkFun_NT; \??\C:\Program Files\Gigabyte\ET5\markfun.w32 []
S3 Monfilt;Monfilt; C:\WINDOWS\system32\drivers\Monfilt.sys [2006-01-04 1389056]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINDOWS\system32\drivers\MSTEE.sys [2004-08-03 5504]
S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys [2004-08-03 85376]
S3 NdisIP;Microsoft TV/Video Connection; C:\WINDOWS\system32\DRIVERS\NdisIP.sys [2004-08-03 10880]
S3 RTL8187B;TRENDnet TEW-424UB 54M USB Dongle; C:\WINDOWS\system32\DRIVERS\RTL8187B.sys [2007-07-19 264576]
S3 sfman;Creative SoundFont Manager Driver (WDM); C:\WINDOWS\system32\drivers\sfmanm.sys [2001-08-17 36480]
S3 SLIP;BDA Slip De-Framer; C:\WINDOWS\system32\DRIVERS\SLIP.sys [2004-08-03 11136]
S3 streamip;BDA IPSink; C:\WINDOWS\system32\DRIVERS\StreamIP.sys [2004-08-03 15360]
S3 TVICHW32;TVICHW32; \??\C:\WINDOWS\system32\DRIVERS\TVICHW32.SYS []
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2004-08-03 31616]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-03 25856]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-03 15104]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 26496]
S3 WSTCODEC;World Standard Teletext Codec; C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS [2004-08-03 19328]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 avg8emc;AVG Free8 E-mail Scanner; C:\PROGRA~1\AVG\AVG8\avgemc.exe [2009-09-27 908056]
R2 avg8wd;AVG Free8 WatchDog; C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2009-09-27 297752]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2009-10-01 153376]
R2 Net Driver HPZ12;Net Driver HPZ12; C:\WINDOWS\System32\svchost.exe [2004-08-04 14336]
R2 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS\system32\nvsvc32.exe [2006-10-31 155715]
R2 Pml Driver HPZ12;Pml Driver HPZ12; C:\WINDOWS\System32\svchost.exe [2004-08-04 14336]
R2 SbPF.Launcher;SbPF.Launcher; C:\Program Files\Sunbelt Software\Personal Firewall\SbPFLnch.exe [2008-10-31 95528]
R2 SPF4;Sunbelt Personal Firewall 4; C:\Program Files\Sunbelt Software\Personal Firewall\SbPFSvc.exe [2008-10-31 1365288]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service; C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe [2009-09-27 1028432]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe [2005-11-14 69632]
S3 LNrKpv;LNrKpv; C:\Program Files\CPUID\PC Wizard 2009\Data\pcwizntl.exe [2009-06-23 22016]

-----------------EOF-----------------


==============================================

info.txt logfile of random's system information tool 1.06 2009-10-28 15:55:57

======Uninstall list======

@BIOS -->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B2DC3F08-2EB2-49A5-AA24-15DFC8B1CB83}\setup.exe" -l0x9 -removeonly
-->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\IBM PC Camera\Uninst.isu"
-->C:\WINDOWS\system32\\MSIEXEC.EXE /I {09DA4F91-2A09-4232-AB8C-6BC740096DE3} REMOVE=UpdateMgrFeature
-->C:\WINDOWS\system32\\MSIEXEC.EXE /x {1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
-->C:\WINDOWS\system32\\MSIEXEC.EXE /x {9541FED0-327F-4df0-8B96-EF57EF622F19}
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
32 Bit HP CIO Components Installer-->MsiExec.exe /I{92127AF5-FDD8-4ADF-BC40-C356C9EE0B7D}
Ad-Aware-->"C:\Documents and Settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}\Ad-AwareAE.exe" REMOVE=TRUE MODIFY=FALSE
Ad-Aware-->C:\Documents and Settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}\Ad-AwareAE.exe
Adobe Acrobat 4.0-->C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Common Files\Adobe\Acrobat 4.0\NT\Uninst.isu" -c"C:\Program Files\Common Files\Adobe\Acrobat 4.0\NT\Uninst.dll"
Adobe Flash Player 10 ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player 10 Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
AMD Processor Driver-->C:\Program Files\InstallShield Installation Information\{C151CE54-E7EA-4804-854B-F515368B0798}\setup.exe -runfromtemp -l0x0009 -removeonly
Audacity 1.2.6-->"C:\Program Files\Audacity\unins000.exe"
AVG Free 8.5-->C:\Program Files\AVG\AVG8\setup.exe /UNINSTALL
CCleaner (remove only)-->"C:\Program Files\CCleaner\uninst.exe"
DMIView B7.0108.01-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3EE1008C-11A1-4F4F-8DB7-27573924DE78}\setup.exe" -l0x9 -removeonly
DriverAgent by eSupport.com-->RunDll32.exe advpack.dll,LaunchINFSection driveragent_exe.inf,TVICHW32Remove
EasyTune5-->C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Gigabyte\ET5\Uninst.isu" -c"C:\Program Files\Gigabyte\ET5\uninstdrv.dll"
Face_Wizard B07.0509.01-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E76FCE6B-9999-4250-8C75-B2DA4AD41268}\setup.exe" -l0x9 -removeonly
FREE Hi-Q Recorder 1.9-->"C:\Program Files\FREE Hi-Q Recorder\unins000.exe"
High Definition Audio Driver Package - KB835221-->C:\WINDOWS\$NtUninstallKB835221WXP$\spuninst\spuninst.exe
High Definition Audio Driver Package - KB888111-->"C:\WINDOWS\$NtUninstallKB888111WXPSP2$\spuninst\spuninst.exe"
HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows XP (KB943232)-->"C:\WINDOWS\$NtUninstallKB943232$\spuninst\spuninst.exe"
HP Photosmart C4600 All-In-One Driver 13.0 Rel .5-->C:\Program Files\HP\Digital Imaging\{44C81D1A-0520-49BB-B510-98B8DD414EA1}\setup\hpzscr01.exe -datfile hposcr36.dat -onestop -forcereboot
IrfanView (remove only)-->C:\Program Files\IrfanView\iv_uninstall.exe
Java™ 6 Update 16-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216016FF}
Java™ 6 Update 3-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Microsoft Bootvis-->MsiExec.exe /I{0F9196C6-58B4-445B-B56E-B1200FECC151}
Microsoft Office 97, Professional Edition-->C:\Program Files\Microsoft Office\Office\Setup\Acme.exe /w Off97Pro.STF
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{A49F249F-0C91-497F-86DF-B2585E8E76B7}
Mozilla Firefox (1.5)-->C:\Program Files\Mozilla Firefox\uninstall\uninstall.exe /ua "1.5 (en-US)"
MSXML 4.0 SP2 Parser and SDK-->MsiExec.exe /I{716E0306-8318-4364-8B8F-0CC4E9376BAC}
NVIDIA Drivers-->C:\WINDOWS\system32\nvudisp.exe UninstallGUI
OpenOffice.org 2.3-->MsiExec.exe /I{2F29D6D2-824E-4FEF-8AED-7013F39F642A}
PC Wizard 2009.1.90-->"C:\Program Files\CPUID\PC Wizard 2009\unins000.exe"
Realtek High Definition Audio Driver-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}\Setup.exe" -l0x9
Sonic DLA-->MsiExec.exe /I{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
Sonic RecordNow!-->MsiExec.exe /I{9541FED0-327F-4DF0-8B96-EF57EF622F19}
Sonic Update Manager-->MsiExec.exe /I{09DA4F91-2A09-4232-AB8C-6BC740096DE3}
Spybot - Search & Destroy-->"C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Sunbelt Personal Firewall-->MsiExec.exe /X{82B1150E-9B37-49FC-83EB-D52197D900D0}
Super Fast Shutdown 1.0-->"C:\Program Files\Super Fast Shutdown\unins000.exe"
Total Commander (Remove or Repair)-->c:\totalcmd\tcuninst.exe
TRENDnet TEW-424UB Wireless USB 2.0 Adapter Driver and Utility-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\1150\INTEL3~1\IDriver.exe /M{C43421C0-0DCB-4F26-8A3B-BF16155F9879}
VC 9.0 Runtime-->MsiExec.exe /I{02E89EFC-7B07-4D5A-AA03-9EC0902914EE}
Visual C++ 2008 x86 Runtime - (v9.0.30729)-->MsiExec.exe /X{F333A33D-125C-32A2-8DCE-5C5D14231E27}
Visual C++ 2008 x86 Runtime - v9.0.30729.01-->C:\WINDOWS\system32\msiexec.exe /x {F333A33D-125C-32A2-8DCE-5C5D14231E27} /qb+ REBOOTPROMPT=""
WinZip-->C:\WINUTILXP\WINZIP\WINZIP32.EXE /uninstall
Yahoo! Messenger-->C:\PROGRA~1\YAHOO!\MESSEN~1\UNWISE.EXE /U C:\PROGRA~1\YAHOO!\MESSEN~1\INSTALL.LOG
Zip Motion Block Video codec (Remove Only)-->rundll32.exe setupapi,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\ZMBV.INF

=====HijackThis Backups=====

O4 - HKLM\..\RunOnce: [InnoSetupRegFile.0000000001] "C:\WINDOWS\is-RIOMQ.exe" /REG [2009-10-04]
O4 - HKLM\..\RunOnce: [InnoSetupRegFile.0000000001] "C:\WINDOWS\is-RIOMQ.exe" /REG [2009-10-18]

======Security center information======

AV: AVG Anti-Virus Free (disabled)
FW: Sunbelt Personal Firewall

======System event log======

Computer Name: GIGABYTE
Event Code: 2504
Message: The server could not bind to the transport \Device\NetBT_Tcpip_{EF9A483D-0D0F-4C9D-A814-531EB6E5655C}.

Record Number: 955
Source Name: Server
Time Written: 20090922163104.000000-240
Event Type: warning
User:

Computer Name: GIGABYTE
Event Code: 2504
Message: The server could not bind to the transport \Device\NetBT_Tcpip_{EF9A483D-0D0F-4C9D-A814-531EB6E5655C}.

Record Number: 930
Source Name: Server
Time Written: 20090922143629.000000-240
Event Type: warning
User:

Computer Name: GIGABYTE
Event Code: 8021
Message: The browser was unable to retrieve a list of servers from the browser master \\BEDROOM28GIG on the network \Device\NetBT_Tcpip_{EF9A483D-0D0F-4C9D-A814-531EB6E5655C}.
The data is the error code.

Record Number: 906
Source Name: BROWSER
Time Written: 20090922130205.000000-240
Event Type: warning
User:

Computer Name: GIGABYTE
Event Code: 2504
Message: The server could not bind to the transport \Device\NetBT_Tcpip_{EF9A483D-0D0F-4C9D-A814-531EB6E5655C}.

Record Number: 903
Source Name: Server
Time Written: 20090922122657.000000-240
Event Type: warning
User:

Computer Name: GIGABYTE
Event Code: 2504
Message: The server could not bind to the transport \Device\NetBT_Tcpip_{EF9A483D-0D0F-4C9D-A814-531EB6E5655C}.

Record Number: 876
Source Name: Server
Time Written: 20090922114538.000000-240
Event Type: warning
User:

=====Application event log=====

Computer Name: GIGABYTE
Event Code: 5603
Message: A provider, Rsop Planning Mode Provider, has been registered in the WMI namespace, root\RSOP, but did not specify the HostingModel property. This provider will be run using the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests. Ensure that provider has been reviewed for security behavior and update the HostingModel property of the provider registration to an account with the least privileges possible for the required functionality.

Record Number: 18
Source Name: WinMgmt
Time Written: 20090917141711.000000-240
Event Type: warning
User: NT AUTHORITY\SYSTEM

Computer Name: GIGABYTE
Event Code: 5603
Message: A provider, Rsop Planning Mode Provider, has been registered in the WMI namespace, root\RSOP, but did not specify the HostingModel property. This provider will be run using the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests. Ensure that provider has been reviewed for security behavior and update the HostingModel property of the provider registration to an account with the least privileges possible for the required functionality.

Record Number: 17
Source Name: WinMgmt
Time Written: 20090917141711.000000-240
Event Type: warning
User: NT AUTHORITY\SYSTEM

Computer Name: GIGABYTE
Event Code: 63
Message: A provider, CmdTriggerConsumer, has been registered in the WMI namespace, Root\cimv2, to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.

Record Number: 13
Source Name: WinMgmt
Time Written: 20090917141510.000000-240
Event Type: warning
User: NT AUTHORITY\SYSTEM

Computer Name: GIGABYTE
Event Code: 63
Message: A provider, CmdTriggerConsumer, has been registered in the WMI namespace, Root\cimv2, to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.

Record Number: 12
Source Name: WinMgmt
Time Written: 20090917141510.000000-240
Event Type: warning
User: NT AUTHORITY\SYSTEM

Computer Name: GIGABYTE
Event Code: 63
Message: A provider, HiPerfCooker_v1, has been registered in the WMI namespace, Root\WMI, to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.

Record Number: 11
Source Name: WinMgmt
Time Written: 20090917141509.000000-240
Event Type: warning
User: NT AUTHORITY\SYSTEM

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\VDMSound;C:\Program Files\VDMSound;C:\Program Files\VDMSound;C:\Program Files\VDMSound
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=15
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 75 Stepping 2, AuthenticAMD
"PROCESSOR_REVISION"=4b02
"NUMBER_OF_PROCESSORS"=2
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"VDMSPath"=C:\Program Files\VDMSound

-----------------EOF-----------------

#6 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Munich,Germany
  • Local time:12:09 AM

Posted 29 October 2009 - 04:38 PM

Hi,

Did you try to install a program short before you get this message the first time?
regards,
schrauber

Posted Image
Posted Image

If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware Posted Image

#7 drmajcher

drmajcher
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:07:09 PM

Posted 29 October 2009 - 06:42 PM

Hello Tom,

Yes, I believe I installed Free Hi-Q Recorder 1.92 shortly before I statred getting that message on
bootup.

Joe

#8 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Munich,Germany
  • Local time:12:09 AM

Posted 30 October 2009 - 12:43 AM

Hi,

Please uninstall it, reboot your machine and install it again. Reboot your machine twice and post back with a fresh RSIT Logfile :(.
regards,
schrauber

Posted Image
Posted Image

If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware Posted Image

#9 drmajcher

drmajcher
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:07:09 PM

Posted 30 October 2009 - 11:04 AM

Hi Tom,

I did as you requested. Wanted to note that I am still getting the message Windows cannot find 'c:\Windows\is-RIOMQ.exe'
upon bootup.

Below is the fresh RSIT logfile.

Thanks !

=================================

Logfile of random's system information tool 1.06 (written by random/random)
Run by Joe at 2009-10-30 12:00:42
Microsoft Windows XP Professional Service Pack 2
System drive C: has 33 GB (70%) free of 47 GB
Total RAM: 959 MB (43% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:00:44 PM, on 10/30/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sunbelt Software\Personal Firewall\SbPFLnch.exe
C:\Program Files\Sunbelt Software\Personal Firewall\SbPFSvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Sunbelt Software\Personal Firewall\SbPFCl.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Documents and Settings\Joe\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Joe.exe

R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [GEST] m|P
O4 - HKLM\..\RunOnce: [InnoSetupRegFile.0000000001] "C:\WINDOWS\is-RIOMQ.exe" /REG
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0D6709DD-4ED8-40CA-B459-2757AEEF7BEE} (Dldrv2 Control) - http://download.gigabyte.com.tw/object/Dldrv.ocx
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LNrKpv - CPUID - C:\Program Files\CPUID\PC Wizard 2009\Data\pcwizntl.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SbPF.Launcher - Sunbelt Software, Inc. - C:\Program Files\Sunbelt Software\Personal Firewall\SbPFLnch.exe
O23 - Service: Sunbelt Personal Firewall 4 (SPF4) - Sunbelt Software, Inc. - C:\Program Files\Sunbelt Software\Personal Firewall\SbPFSvc.exe

--
End of file - 5304 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
AVG Safe Search - C:\Program Files\AVG\AVG8\avgssie.dll [2009-09-27 1111320]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
Spybot-S&D IE Protection - C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2009-01-26 1879896]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5CA3D70E-1895-11CF-8E15-001234567890}]
DriveLetterAccess - C:\WINDOWS\system32\dla\tfswshx.dll [2003-08-06 106548]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
AVG Security Toolbar BHO - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll [2009-07-24 1090816]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java™ Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-10-01 41760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - AVG Security Toolbar - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll [2009-07-24 1090816]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2006-10-31 7634944]
"nwiz"=nwiz.exe /install []
"NvMediaCenter"=C:\WINDOWS\system32\NvMcTray.dll [2006-10-31 86016]
"Tweak UI"=TWEAKUI.CPL,TweakMeUp []
"dla"=C:\WINDOWS\system32\dla\tfswctrl.exe [2003-08-06 114741]
"RTHDCPL"=C:\WINDOWS\RTHDCPL.EXE [2005-04-12 14156800]
"AVG8_TRAY"=C:\PROGRA~1\AVG\AVG8\avgtray.exe [2009-10-17 2025752]
"GEST"=m|P []

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"InnoSetupRegFile.0000000001"=C:\WINDOWS\is-RIOMQ.exe /REG []

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe [2005-02-17 221184]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe [2005-02-17 81920]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe [2004-08-04 1667584]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OM2_Monitor]
C:\Program Files\OLYMPUS\OLYMPUS Master 2\FirstStart.exe /OM []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sonic RecordNow!]
[]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StorageGuard]
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe [2003-02-13 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe [2007-09-25 132496]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Wireless Configuration Utility.lnk]
C:\PROGRA~1\TRENDnet\TEW-42~1\WlanCU.exe [2007-07-10 634880]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Joe^Start Menu^Programs^Startup^OpenOffice.org 2.3.lnk]
C:\PROGRA~1\OPENOF~1.3\program\QUICKS~1.EXE [2007-08-17 393216]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\avgrsstarter]
C:\WINDOWS\system32\avgrsstx.dll [2009-09-27 11952]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PEVSystemStart]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\procexp90.Sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Lavasoft Ad-Aware Service]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\PEVSystemStart]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\procexp90.Sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\vsmon]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{1a3e09be-1e45-494b-9174-d7385b45bbf5}]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Gigabyte\ET5\update.exe"="C:\Program Files\Gigabyte\ET5\update.exe:*:Enabled:ftptest"
"C:\WINDOWS\System32\dpvsetup.exe"="C:\WINDOWS\System32\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test"
"C:\WINDOWS\System32\RUNDLL32.EXE"="C:\WINDOWS\System32\RUNDLL32.EXE:*:Enabled:Run a DLL as an App"
"C:\Program Files\AVG\AVG8\avgemc.exe"="C:\Program Files\AVG\AVG8\avgemc.exe:*:Enabled:avgemc.exe"
"C:\Program Files\AVG\AVG8\avgupd.exe"="C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe"
"C:\Program Files\AVG\AVG8\avgnsx.exe"="C:\Program Files\AVG\AVG8\avgnsx.exe:*:Enabled:avgnsx.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpqkygrp.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqkygrp.exe:*:Enabled:hpqkygrp.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpfcCopy.exe"="C:\Program Files\HP\Digital Imaging\bin\hpfcCopy.exe:*:Enabled:hpfccopy.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpiscnapp.exe"="C:\Program Files\HP\Digital Imaging\bin\hpiscnapp.exe:*:Enabled:hpiscnapp.exe"
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\HP\Digital Imaging\bin\hpqkygrp.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqkygrp.exe:*:Enabled:hpqkygrp.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpfcCopy.exe"="C:\Program Files\HP\Digital Imaging\bin\hpfcCopy.exe:*:Enabled:hpfccopy.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpiscnapp.exe"="C:\Program Files\HP\Digital Imaging\bin\hpiscnapp.exe:*:Enabled:hpiscnapp.exe"

======List of files/folders created in the last 1 months======

2009-10-30 11:44:20 ----D---- C:\Program Files\FREE Hi-Q Recorder
2009-10-28 15:55:54 ----D---- C:\rsit
2009-10-24 18:24:56 ----D---- C:\Qoobox
2009-10-24 18:24:55 ----A---- C:\Bug.txt
2009-10-24 18:24:37 ----D---- C:\32788R22FWJFW
2009-10-22 14:54:19 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-10-22 14:52:40 ----D---- C:\Fla2004Tape1
2009-10-22 14:25:12 ----RD---- C:\Program Files
2009-10-22 14:19:06 ----D---- C:\IBM Camera Driver
2009-10-21 18:57:30 ----D---- C:\Documents and Settings\All Users\Application Data\Apple Computer
2009-10-21 18:55:48 ----D---- C:\Program Files\MSXML 4.0
2009-10-13 14:35:58 ----D---- C:\Music
2009-10-13 14:33:56 ----D---- C:\Realtek Sound Card Driver
2009-10-13 12:29:16 ----A---- C:\WINDOWS\system32\vfwwdm32.dll
2009-10-13 12:24:22 ----N---- C:\WINDOWS\system32\PicEng.dll
2009-10-13 12:24:22 ----A---- C:\WINDOWS\system32\C-itnt.dll
2009-10-13 12:24:22 ----A---- C:\WINDOWS\system32\camiodll.dll
2009-10-13 12:24:22 ----A---- C:\WINDOWS\system32\camfc.dll
2009-10-13 12:24:22 ----A---- C:\WINDOWS\system32\CamCapEx.dll
2009-10-13 12:24:20 ----D---- C:\Program Files\IBM PC Camera
2009-10-13 12:24:20 ----A---- C:\WINDOWS\system32\Xl_yv12.dll
2009-10-13 12:24:20 ----A---- C:\WINDOWS\system32\Xl_yuy2.dll
2009-10-13 12:24:20 ----A---- C:\WINDOWS\system32\xl_x263dec.dll
2009-10-13 12:24:20 ----A---- C:\WINDOWS\system32\Xl_uyvy.dll
2009-10-13 12:24:20 ----A---- C:\WINDOWS\system32\Xl_I420.dll
2009-10-13 12:24:20 ----A---- C:\WINDOWS\system32\x263.dll
2009-10-13 12:24:20 ----A---- C:\WINDOWS\bundle.ini
2009-10-13 12:23:23 ----D---- C:\SETUP
2009-10-12 14:35:07 ----HD---- C:\$AVG8.VAULT$
2009-10-12 12:38:21 ----D---- C:\Program Files\Audacity
2009-10-04 17:24:06 ----D---- C:\Program Files\Trend Micro
2009-10-02 15:37:21 ----D---- C:\My Recordings
2009-10-01 19:21:38 ----A---- C:\WINDOWS\system32\msvcr70.dll
2009-10-01 17:32:37 ----D---- C:\Documents and Settings\Joe\Application Data\Leadertech
2009-10-01 16:06:08 ----A---- C:\WINDOWS\system32\deploytk.dll
2009-10-01 16:06:07 ----A---- C:\WINDOWS\system32\javaws.exe
2009-10-01 16:06:07 ----A---- C:\WINDOWS\system32\javaw.exe
2009-10-01 16:06:07 ----A---- C:\WINDOWS\system32\java.exe
2009-10-01 13:51:54 ----D---- C:\Regclean
2009-10-01 13:35:47 ----D---- C:\Documents and Settings\All Users\Application Data\Yahoo!
2009-10-01 13:32:12 ----D---- C:\Program Files\Yahoo!
2009-10-01 13:31:44 ----D---- C:\Program Files\CCleaner
2009-10-01 13:15:37 ----D---- C:\Program Files\Sunbelt Software
2009-10-01 12:55:20 ----D---- C:\Program Files\COMODO
2009-10-01 12:44:05 ----D---- C:\WINDOWS\Sun
2009-10-01 11:10:27 ----D---- C:\Documents and Settings\All Users\Application Data\MailFrontier
2009-10-01 11:09:59 ----A---- C:\WINDOWS\system32\SpOrder.dll
2009-10-01 09:01:57 ----D---- C:\WINDOWS\pss

======List of files/folders modified in the last 1 months======

2009-10-28 10:47:40 ----A---- C:\WINDOWS\win.ini
2009-10-21 21:36:36 ----ASH---- C:\boot.ini
2009-10-21 21:36:36 ----A---- C:\WINDOWS\system.ini
2009-10-01 09:04:22 ----A---- C:\WINDOWS\RTacDbg.txt

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AmdK8;AMD Processor Driver; C:\WINDOWS\system32\DRIVERS\AmdK8.sys [2006-07-01 36864]
R1 AvgLdx86;AVG Free AVI Loader Driver x86; C:\WINDOWS\System32\Drivers\avgldx86.sys [2009-09-27 335240]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86; C:\WINDOWS\System32\Drivers\avgmfx86.sys [2009-09-27 27784]
R1 AvgTdiX;AVG Free8 Network Redirector; C:\WINDOWS\System32\Drivers\avgtdix.sys [2009-09-27 108552]
R1 SbFw;SbFw; C:\WINDOWS\system32\drivers\SbFw.sys [2008-10-31 270888]
R1 sbhips;Sunbelt HIPS Driver; C:\WINDOWS\system32\drivers\sbhips.sys [2008-06-21 66600]
R1 sscdbhk5;sscdbhk5; C:\WINDOWS\system32\drivers\sscdbhk5.sys [2003-07-14 5621]
R1 ssrtln;ssrtln; C:\WINDOWS\system32\drivers\ssrtln.sys [2003-07-14 23219]
R2 AegisP;AEGIS Protocol (IEEE 802.1x) v3.4.5.0; C:\WINDOWS\system32\DRIVERS\AegisP.sys [2009-09-17 21035]
R2 drvnddm;drvnddm; C:\WINDOWS\system32\drivers\drvnddm.sys [2003-06-20 40448]
R2 tfsnboio;tfsnboio; C:\WINDOWS\system32\dla\tfsnboio.sys [2003-08-06 25685]
R2 tfsncofs;tfsncofs; C:\WINDOWS\system32\dla\tfsncofs.sys [2003-08-06 34837]
R2 tfsndrct;tfsndrct; C:\WINDOWS\system32\dla\tfsndrct.sys [2003-08-06 4117]
R2 tfsndres;tfsndres; C:\WINDOWS\system32\dla\tfsndres.sys [2003-08-06 2233]
R2 tfsnifs;tfsnifs; C:\WINDOWS\system32\dla\tfsnifs.sys [2003-08-06 83284]
R2 tfsnopio;tfsnopio; C:\WINDOWS\system32\dla\tfsnopio.sys [2003-08-06 14229]
R2 tfsnpool;tfsnpool; C:\WINDOWS\system32\dla\tfsnpool.sys [2003-08-06 6357]
R2 tfsnudf;tfsnudf; C:\WINDOWS\system32\dla\tfsnudf.sys [2003-08-06 98068]
R2 tfsnudfa;tfsnudfa; C:\WINDOWS\system32\dla\tfsnudfa.sys [2003-08-06 100373]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2005-01-07 138752]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\WINDOWS\system32\drivers\RtkHDAud.sys [2005-04-15 2564032]
R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2006-10-31 3964256]
R3 NVENETFD;NVIDIA nForce Networking Controller Driver; C:\WINDOWS\system32\DRIVERS\NVENETFD.sys [2006-11-27 58368]
R3 nvnetbus;NVIDIA Network Bus Enumerator; C:\WINDOWS\system32\DRIVERS\nvnetbus.sys [2006-11-27 19968]
R3 SBFWIMCL;Sunbelt Software Firewall NDIS IM Filter Miniport; C:\WINDOWS\system32\DRIVERS\sbfwim.sys [2008-06-21 65576]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2004-08-04 26624]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2004-08-04 57600]
R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbohci.sys [2004-08-04 17024]
R3 XIRLINK;IBM PC Camera; C:\WINDOWS\system32\DRIVERS\C-itnt.sys [2002-03-12 899884]
S1 AmdPPM;AMD HwPState Processor Driver; C:\WINDOWS\system32\DRIVERS\AmdPPM.sys [2007-04-16 33792]
S3 Ambfilt;Ambfilt; C:\WINDOWS\system32\drivers\Ambfilt.sys [2008-08-05 1684736]
S3 CCDECODE;Closed Caption Decoder; C:\WINDOWS\system32\DRIVERS\CCDECODE.sys [2004-08-03 17024]
S3 ctljystk;Creative SBLive! Gameport; C:\WINDOWS\system32\DRIVERS\ctljystk.sys [2001-08-17 3712]
S3 emu10k;Creative SB Live! (WDM); C:\WINDOWS\system32\drivers\emu10k1m.sys [2001-08-17 283904]
S3 emu10k1;Creative Interface Manager Driver (WDM); C:\WINDOWS\system32\drivers\ctlfacem.sys [2001-08-17 6912]
S3 ET5Drv;ET5Drv; \??\C:\WINDOWS\system32\Drivers\ET5Drv.sys []
S3 gdrv;gdrv; \??\C:\WINDOWS\gdrv.sys []
S3 HPZid412;IEEE-1284.4 Driver HPZid412; C:\WINDOWS\system32\DRIVERS\HPZid412.sys [2008-10-13 49920]
S3 HPZipr12;Print Class Driver for IEEE-1284.4 HPZipr12; C:\WINDOWS\system32\DRIVERS\HPZipr12.sys [2008-10-13 16496]
S3 HPZius12;USB to IEEE-1284.4 Translation Driver HPZius12; C:\WINDOWS\system32\DRIVERS\HPZius12.sys [2008-10-13 21568]
S3 MarkFun_NT;MarkFun_NT; \??\C:\Program Files\Gigabyte\ET5\markfun.w32 []
S3 Monfilt;Monfilt; C:\WINDOWS\system32\drivers\Monfilt.sys [2006-01-04 1389056]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINDOWS\system32\drivers\MSTEE.sys [2004-08-03 5504]
S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys [2004-08-03 85376]
S3 NdisIP;Microsoft TV/Video Connection; C:\WINDOWS\system32\DRIVERS\NdisIP.sys [2004-08-03 10880]
S3 RTL8187B;TRENDnet TEW-424UB 54M USB Dongle; C:\WINDOWS\system32\DRIVERS\RTL8187B.sys [2007-07-19 264576]
S3 sfman;Creative SoundFont Manager Driver (WDM); C:\WINDOWS\system32\drivers\sfmanm.sys [2001-08-17 36480]
S3 SLIP;BDA Slip De-Framer; C:\WINDOWS\system32\DRIVERS\SLIP.sys [2004-08-03 11136]
S3 streamip;BDA IPSink; C:\WINDOWS\system32\DRIVERS\StreamIP.sys [2004-08-03 15360]
S3 TVICHW32;TVICHW32; \??\C:\WINDOWS\system32\DRIVERS\TVICHW32.SYS []
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2004-08-03 31616]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-03 25856]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-03 15104]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 26496]
S3 WSTCODEC;World Standard Teletext Codec; C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS [2004-08-03 19328]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 avg8emc;AVG Free8 E-mail Scanner; C:\PROGRA~1\AVG\AVG8\avgemc.exe [2009-09-27 908056]
R2 avg8wd;AVG Free8 WatchDog; C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2009-09-27 297752]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2009-10-01 153376]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service; C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe [2009-09-27 1028432]
R2 Net Driver HPZ12;Net Driver HPZ12; C:\WINDOWS\System32\svchost.exe [2004-08-04 14336]
R2 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS\system32\nvsvc32.exe [2006-10-31 155715]
R2 Pml Driver HPZ12;Pml Driver HPZ12; C:\WINDOWS\System32\svchost.exe [2004-08-04 14336]
R2 SbPF.Launcher;SbPF.Launcher; C:\Program Files\Sunbelt Software\Personal Firewall\SbPFLnch.exe [2008-10-31 95528]
R2 SPF4;Sunbelt Personal Firewall 4; C:\Program Files\Sunbelt Software\Personal Firewall\SbPFSvc.exe [2008-10-31 1365288]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe [2005-11-14 69632]
S3 LNrKpv;LNrKpv; C:\Program Files\CPUID\PC Wizard 2009\Data\pcwizntl.exe [2009-06-23 22016]

-----------------EOF-----------------


=======================================

#10 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Munich,Germany
  • Local time:12:09 AM

Posted 30 October 2009 - 04:11 PM

Hi,

Please run Hijackthis, choose do a system scan only and place a check next to the following:

O4 - HKLM\..\RunOnce: [InnoSetupRegFile.0000000001] "C:\WINDOWS\is-RIOMQ.exe" /REG

Close all open windows and click on fix checked. Now reboot your system and post back with a fresh RSIT-Logfile.
regards,
schrauber

Posted Image
Posted Image

If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware Posted Image

#11 drmajcher

drmajcher
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:07:09 PM

Posted 30 October 2009 - 06:21 PM

Tom,

I did as you instructed. I am still getting the message Windows cannot find 'c:\Windows\is-RIOMQ.exe'
upon bootup.

Below is the latest RIST - Logfile.

Thank you !

============================

Logfile of random's system information tool 1.06 (written by random/random)
Run by Joe at 2009-10-30 19:17:58
Microsoft Windows XP Professional Service Pack 2
System drive C: has 33 GB (70%) free of 47 GB
Total RAM: 959 MB (50% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:18:00 PM, on 10/30/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sunbelt Software\Personal Firewall\SbPFLnch.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Sunbelt Software\Personal Firewall\SbPFSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Sunbelt Software\Personal Firewall\SbPFCl.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Joe\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Joe.exe

R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [GEST] m|P
O4 - HKLM\..\RunOnce: [InnoSetupRegFile.0000000001] "C:\WINDOWS\is-RIOMQ.exe" /REG
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0D6709DD-4ED8-40CA-B459-2757AEEF7BEE} (Dldrv2 Control) - http://download.gigabyte.com.tw/object/Dldrv.ocx
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LNrKpv - CPUID - C:\Program Files\CPUID\PC Wizard 2009\Data\pcwizntl.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SbPF.Launcher - Sunbelt Software, Inc. - C:\Program Files\Sunbelt Software\Personal Firewall\SbPFLnch.exe
O23 - Service: Sunbelt Personal Firewall 4 (SPF4) - Sunbelt Software, Inc. - C:\Program Files\Sunbelt Software\Personal Firewall\SbPFSvc.exe

--
End of file - 5236 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
AVG Safe Search - C:\Program Files\AVG\AVG8\avgssie.dll [2009-09-27 1111320]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
Spybot-S&D IE Protection - C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2009-01-26 1879896]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5CA3D70E-1895-11CF-8E15-001234567890}]
DriveLetterAccess - C:\WINDOWS\system32\dla\tfswshx.dll [2003-08-06 106548]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
AVG Security Toolbar BHO - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll [2009-07-24 1090816]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java™ Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-10-01 41760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - AVG Security Toolbar - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll [2009-07-24 1090816]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2006-10-31 7634944]
"nwiz"=nwiz.exe /install []
"NvMediaCenter"=C:\WINDOWS\system32\NvMcTray.dll [2006-10-31 86016]
"Tweak UI"=TWEAKUI.CPL,TweakMeUp []
"dla"=C:\WINDOWS\system32\dla\tfswctrl.exe [2003-08-06 114741]
"RTHDCPL"=C:\WINDOWS\RTHDCPL.EXE [2005-04-12 14156800]
"AVG8_TRAY"=C:\PROGRA~1\AVG\AVG8\avgtray.exe [2009-10-17 2025752]
"GEST"=m|P []

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"InnoSetupRegFile.0000000001"=C:\WINDOWS\is-RIOMQ.exe /REG []

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe [2005-02-17 221184]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe [2005-02-17 81920]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe [2004-08-04 1667584]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OM2_Monitor]
C:\Program Files\OLYMPUS\OLYMPUS Master 2\FirstStart.exe /OM []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sonic RecordNow!]
[]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StorageGuard]
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe [2003-02-13 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe [2007-09-25 132496]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Wireless Configuration Utility.lnk]
C:\PROGRA~1\TRENDnet\TEW-42~1\WlanCU.exe [2007-07-10 634880]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Joe^Start Menu^Programs^Startup^OpenOffice.org 2.3.lnk]
C:\PROGRA~1\OPENOF~1.3\program\QUICKS~1.EXE [2007-08-17 393216]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\avgrsstarter]
C:\WINDOWS\system32\avgrsstx.dll [2009-09-27 11952]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PEVSystemStart]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\procexp90.Sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Lavasoft Ad-Aware Service]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\PEVSystemStart]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\procexp90.Sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\vsmon]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{1a3e09be-1e45-494b-9174-d7385b45bbf5}]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Gigabyte\ET5\update.exe"="C:\Program Files\Gigabyte\ET5\update.exe:*:Enabled:ftptest"
"C:\WINDOWS\System32\dpvsetup.exe"="C:\WINDOWS\System32\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test"
"C:\WINDOWS\System32\RUNDLL32.EXE"="C:\WINDOWS\System32\RUNDLL32.EXE:*:Enabled:Run a DLL as an App"
"C:\Program Files\AVG\AVG8\avgemc.exe"="C:\Program Files\AVG\AVG8\avgemc.exe:*:Enabled:avgemc.exe"
"C:\Program Files\AVG\AVG8\avgupd.exe"="C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe"
"C:\Program Files\AVG\AVG8\avgnsx.exe"="C:\Program Files\AVG\AVG8\avgnsx.exe:*:Enabled:avgnsx.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpqkygrp.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqkygrp.exe:*:Enabled:hpqkygrp.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpfcCopy.exe"="C:\Program Files\HP\Digital Imaging\bin\hpfcCopy.exe:*:Enabled:hpfccopy.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpiscnapp.exe"="C:\Program Files\HP\Digital Imaging\bin\hpiscnapp.exe:*:Enabled:hpiscnapp.exe"
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\HP\Digital Imaging\bin\hpqkygrp.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqkygrp.exe:*:Enabled:hpqkygrp.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpfcCopy.exe"="C:\Program Files\HP\Digital Imaging\bin\hpfcCopy.exe:*:Enabled:hpfccopy.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpiscnapp.exe"="C:\Program Files\HP\Digital Imaging\bin\hpiscnapp.exe:*:Enabled:hpiscnapp.exe"

======List of files/folders created in the last 1 months======

2009-10-30 11:44:20 ----D---- C:\Program Files\FREE Hi-Q Recorder
2009-10-28 15:55:54 ----D---- C:\rsit
2009-10-24 18:24:56 ----D---- C:\Qoobox
2009-10-24 18:24:55 ----A---- C:\Bug.txt
2009-10-24 18:24:37 ----D---- C:\32788R22FWJFW
2009-10-22 14:54:19 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-10-22 14:52:40 ----D---- C:\Fla2004Tape1
2009-10-22 14:25:12 ----RD---- C:\Program Files
2009-10-22 14:19:06 ----D---- C:\IBM Camera Driver
2009-10-21 18:57:30 ----D---- C:\Documents and Settings\All Users\Application Data\Apple Computer
2009-10-21 18:55:48 ----D---- C:\Program Files\MSXML 4.0
2009-10-13 14:35:58 ----D---- C:\Music
2009-10-13 14:33:56 ----D---- C:\Realtek Sound Card Driver
2009-10-13 12:29:16 ----A---- C:\WINDOWS\system32\vfwwdm32.dll
2009-10-13 12:24:22 ----N---- C:\WINDOWS\system32\PicEng.dll
2009-10-13 12:24:22 ----A---- C:\WINDOWS\system32\C-itnt.dll
2009-10-13 12:24:22 ----A---- C:\WINDOWS\system32\camiodll.dll
2009-10-13 12:24:22 ----A---- C:\WINDOWS\system32\camfc.dll
2009-10-13 12:24:22 ----A---- C:\WINDOWS\system32\CamCapEx.dll
2009-10-13 12:24:20 ----D---- C:\Program Files\IBM PC Camera
2009-10-13 12:24:20 ----A---- C:\WINDOWS\system32\Xl_yv12.dll
2009-10-13 12:24:20 ----A---- C:\WINDOWS\system32\Xl_yuy2.dll
2009-10-13 12:24:20 ----A---- C:\WINDOWS\system32\xl_x263dec.dll
2009-10-13 12:24:20 ----A---- C:\WINDOWS\system32\Xl_uyvy.dll
2009-10-13 12:24:20 ----A---- C:\WINDOWS\system32\Xl_I420.dll
2009-10-13 12:24:20 ----A---- C:\WINDOWS\system32\x263.dll
2009-10-13 12:24:20 ----A---- C:\WINDOWS\bundle.ini
2009-10-13 12:23:23 ----D---- C:\SETUP
2009-10-12 14:35:07 ----HD---- C:\$AVG8.VAULT$
2009-10-12 12:38:21 ----D---- C:\Program Files\Audacity
2009-10-04 17:24:06 ----D---- C:\Program Files\Trend Micro
2009-10-02 15:37:21 ----D---- C:\My Recordings
2009-10-01 19:21:38 ----A---- C:\WINDOWS\system32\msvcr70.dll
2009-10-01 17:32:37 ----D---- C:\Documents and Settings\Joe\Application Data\Leadertech
2009-10-01 16:06:08 ----A---- C:\WINDOWS\system32\deploytk.dll
2009-10-01 16:06:07 ----A---- C:\WINDOWS\system32\javaws.exe
2009-10-01 16:06:07 ----A---- C:\WINDOWS\system32\javaw.exe
2009-10-01 16:06:07 ----A---- C:\WINDOWS\system32\java.exe
2009-10-01 13:51:54 ----D---- C:\Regclean
2009-10-01 13:35:47 ----D---- C:\Documents and Settings\All Users\Application Data\Yahoo!
2009-10-01 13:32:12 ----D---- C:\Program Files\Yahoo!
2009-10-01 13:31:44 ----D---- C:\Program Files\CCleaner
2009-10-01 13:15:37 ----D---- C:\Program Files\Sunbelt Software
2009-10-01 12:55:20 ----D---- C:\Program Files\COMODO
2009-10-01 12:44:05 ----D---- C:\WINDOWS\Sun
2009-10-01 11:10:27 ----D---- C:\Documents and Settings\All Users\Application Data\MailFrontier
2009-10-01 11:09:59 ----A---- C:\WINDOWS\system32\SpOrder.dll
2009-10-01 09:01:57 ----D---- C:\WINDOWS\pss

======List of files/folders modified in the last 1 months======

2009-10-28 10:47:40 ----A---- C:\WINDOWS\win.ini
2009-10-21 21:36:36 ----ASH---- C:\boot.ini
2009-10-21 21:36:36 ----A---- C:\WINDOWS\system.ini
2009-10-01 09:04:22 ----A---- C:\WINDOWS\RTacDbg.txt

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AmdK8;AMD Processor Driver; C:\WINDOWS\system32\DRIVERS\AmdK8.sys [2006-07-01 36864]
R1 AvgLdx86;AVG Free AVI Loader Driver x86; C:\WINDOWS\System32\Drivers\avgldx86.sys [2009-09-27 335240]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86; C:\WINDOWS\System32\Drivers\avgmfx86.sys [2009-09-27 27784]
R1 AvgTdiX;AVG Free8 Network Redirector; C:\WINDOWS\System32\Drivers\avgtdix.sys [2009-09-27 108552]
R1 SbFw;SbFw; C:\WINDOWS\system32\drivers\SbFw.sys [2008-10-31 270888]
R1 sbhips;Sunbelt HIPS Driver; C:\WINDOWS\system32\drivers\sbhips.sys [2008-06-21 66600]
R1 sscdbhk5;sscdbhk5; C:\WINDOWS\system32\drivers\sscdbhk5.sys [2003-07-14 5621]
R1 ssrtln;ssrtln; C:\WINDOWS\system32\drivers\ssrtln.sys [2003-07-14 23219]
R2 AegisP;AEGIS Protocol (IEEE 802.1x) v3.4.5.0; C:\WINDOWS\system32\DRIVERS\AegisP.sys [2009-09-17 21035]
R2 drvnddm;drvnddm; C:\WINDOWS\system32\drivers\drvnddm.sys [2003-06-20 40448]
R2 tfsnboio;tfsnboio; C:\WINDOWS\system32\dla\tfsnboio.sys [2003-08-06 25685]
R2 tfsncofs;tfsncofs; C:\WINDOWS\system32\dla\tfsncofs.sys [2003-08-06 34837]
R2 tfsndrct;tfsndrct; C:\WINDOWS\system32\dla\tfsndrct.sys [2003-08-06 4117]
R2 tfsndres;tfsndres; C:\WINDOWS\system32\dla\tfsndres.sys [2003-08-06 2233]
R2 tfsnifs;tfsnifs; C:\WINDOWS\system32\dla\tfsnifs.sys [2003-08-06 83284]
R2 tfsnopio;tfsnopio; C:\WINDOWS\system32\dla\tfsnopio.sys [2003-08-06 14229]
R2 tfsnpool;tfsnpool; C:\WINDOWS\system32\dla\tfsnpool.sys [2003-08-06 6357]
R2 tfsnudf;tfsnudf; C:\WINDOWS\system32\dla\tfsnudf.sys [2003-08-06 98068]
R2 tfsnudfa;tfsnudfa; C:\WINDOWS\system32\dla\tfsnudfa.sys [2003-08-06 100373]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2005-01-07 138752]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\WINDOWS\system32\drivers\RtkHDAud.sys [2005-04-15 2564032]
R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2006-10-31 3964256]
R3 NVENETFD;NVIDIA nForce Networking Controller Driver; C:\WINDOWS\system32\DRIVERS\NVENETFD.sys [2006-11-27 58368]
R3 nvnetbus;NVIDIA Network Bus Enumerator; C:\WINDOWS\system32\DRIVERS\nvnetbus.sys [2006-11-27 19968]
R3 SBFWIMCL;Sunbelt Software Firewall NDIS IM Filter Miniport; C:\WINDOWS\system32\DRIVERS\sbfwim.sys [2008-06-21 65576]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2004-08-04 26624]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2004-08-04 57600]
R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbohci.sys [2004-08-04 17024]
R3 XIRLINK;IBM PC Camera; C:\WINDOWS\system32\DRIVERS\C-itnt.sys [2002-03-12 899884]
S1 AmdPPM;AMD HwPState Processor Driver; C:\WINDOWS\system32\DRIVERS\AmdPPM.sys [2007-04-16 33792]
S3 Ambfilt;Ambfilt; C:\WINDOWS\system32\drivers\Ambfilt.sys [2008-08-05 1684736]
S3 CCDECODE;Closed Caption Decoder; C:\WINDOWS\system32\DRIVERS\CCDECODE.sys [2004-08-03 17024]
S3 ctljystk;Creative SBLive! Gameport; C:\WINDOWS\system32\DRIVERS\ctljystk.sys [2001-08-17 3712]
S3 emu10k;Creative SB Live! (WDM); C:\WINDOWS\system32\drivers\emu10k1m.sys [2001-08-17 283904]
S3 emu10k1;Creative Interface Manager Driver (WDM); C:\WINDOWS\system32\drivers\ctlfacem.sys [2001-08-17 6912]
S3 ET5Drv;ET5Drv; \??\C:\WINDOWS\system32\Drivers\ET5Drv.sys []
S3 gdrv;gdrv; \??\C:\WINDOWS\gdrv.sys []
S3 HPZid412;IEEE-1284.4 Driver HPZid412; C:\WINDOWS\system32\DRIVERS\HPZid412.sys [2008-10-13 49920]
S3 HPZipr12;Print Class Driver for IEEE-1284.4 HPZipr12; C:\WINDOWS\system32\DRIVERS\HPZipr12.sys [2008-10-13 16496]
S3 HPZius12;USB to IEEE-1284.4 Translation Driver HPZius12; C:\WINDOWS\system32\DRIVERS\HPZius12.sys [2008-10-13 21568]
S3 MarkFun_NT;MarkFun_NT; \??\C:\Program Files\Gigabyte\ET5\markfun.w32 []
S3 Monfilt;Monfilt; C:\WINDOWS\system32\drivers\Monfilt.sys [2006-01-04 1389056]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINDOWS\system32\drivers\MSTEE.sys [2004-08-03 5504]
S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys [2004-08-03 85376]
S3 NdisIP;Microsoft TV/Video Connection; C:\WINDOWS\system32\DRIVERS\NdisIP.sys [2004-08-03 10880]
S3 RTL8187B;TRENDnet TEW-424UB 54M USB Dongle; C:\WINDOWS\system32\DRIVERS\RTL8187B.sys [2007-07-19 264576]
S3 sfman;Creative SoundFont Manager Driver (WDM); C:\WINDOWS\system32\drivers\sfmanm.sys [2001-08-17 36480]
S3 SLIP;BDA Slip De-Framer; C:\WINDOWS\system32\DRIVERS\SLIP.sys [2004-08-03 11136]
S3 streamip;BDA IPSink; C:\WINDOWS\system32\DRIVERS\StreamIP.sys [2004-08-03 15360]
S3 TVICHW32;TVICHW32; \??\C:\WINDOWS\system32\DRIVERS\TVICHW32.SYS []
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2004-08-03 31616]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-03 25856]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-03 15104]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 26496]
S3 WSTCODEC;World Standard Teletext Codec; C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS [2004-08-03 19328]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 avg8emc;AVG Free8 E-mail Scanner; C:\PROGRA~1\AVG\AVG8\avgemc.exe [2009-09-27 908056]
R2 avg8wd;AVG Free8 WatchDog; C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2009-09-27 297752]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2009-10-01 153376]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service; C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe [2009-09-27 1028432]
R2 Net Driver HPZ12;Net Driver HPZ12; C:\WINDOWS\System32\svchost.exe [2004-08-04 14336]
R2 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS\system32\nvsvc32.exe [2006-10-31 155715]
R2 Pml Driver HPZ12;Pml Driver HPZ12; C:\WINDOWS\System32\svchost.exe [2004-08-04 14336]
R2 SbPF.Launcher;SbPF.Launcher; C:\Program Files\Sunbelt Software\Personal Firewall\SbPFLnch.exe [2008-10-31 95528]
R2 SPF4;Sunbelt Personal Firewall 4; C:\Program Files\Sunbelt Software\Personal Firewall\SbPFSvc.exe [2008-10-31 1365288]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe [2005-11-14 69632]
S3 LNrKpv;LNrKpv; C:\Program Files\CPUID\PC Wizard 2009\Data\pcwizntl.exe [2009-06-23 22016]

-----------------EOF-----------------

#12 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Munich,Germany
  • Local time:12:09 AM

Posted 31 October 2009 - 09:34 AM

Hi,



Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :regfind
    is-RIOMQ.exe
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
regards,
schrauber

Posted Image
Posted Image

If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware Posted Image

#13 drmajcher

drmajcher
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:07:09 PM

Posted 31 October 2009 - 11:17 AM

Hi Tom,

Below is the SystemLook.txt , as requested.

Thanks.

===============================

SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 12:15 on 31/10/2009 by Joe (Administrator - Elevation successful)

No Context: :regfind

No Context: is-RIOMQ.exe

-=End Of File=-

#14 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Munich,Germany
  • Local time:12:09 AM

Posted 31 October 2009 - 11:22 AM

Please follow steps 1-3 behind this link to backup your registry with ERUNT (use current date while naming the location).



We need to run an OTM script
  • Please download OTM by OldTimer and save it to your desktop.
  • Double click the OTM icon on your desktop.
  • Paste the following code under the Paste Instructions for Items to be Moved area. Do not include the word "Code".
    :Reg
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "InnoSetupRegFile.0000000001"=-
    :Commands
    [EmptyTemp]
  • Push the large MoveIt! button.
    **OTM may ask to reboot the machine. Please do so if asked.
  • Copy/Paste the contents under the Results line here in your next reply.
  • If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

regards,
schrauber

Posted Image
Posted Image

If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware Posted Image

#15 drmajcher

drmajcher
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:07:09 PM

Posted 31 October 2009 - 03:02 PM

Tom,

As requested, here it is:


All processes killed
========== REGISTRY ==========
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\\InnoSetupRegFile.0000000001 deleted successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: All Users

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: LocalService
->Temp folder emptied: 0 bytes
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 33170 bytes

User: Joe
->Temp folder emptied: 187177 bytes
File delete failed. C:\Documents and Settings\Joe\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 761023 bytes
->Java cache emptied: 0 bytes
File delete failed. C:\Documents and Settings\Joe\Local Settings\Application Data\Mozilla\Firefox\Profiles\0hdwm7w5.default\Cache\_CACHE_MAP_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Joe\Local Settings\Application Data\Mozilla\Firefox\Profiles\0hdwm7w5.default\Cache\_CACHE_001_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Joe\Local Settings\Application Data\Mozilla\Firefox\Profiles\0hdwm7w5.default\Cache\_CACHE_002_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Joe\Local Settings\Application Data\Mozilla\Firefox\Profiles\0hdwm7w5.default\Cache\_CACHE_003_ scheduled to be deleted on reboot.
->FireFox cache emptied: 98185542 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 2142714 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_b4.dat scheduled to be deleted on reboot.
Windows Temp folder emptied: 16384 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 96.70 mb


OTM by OldTimer - Version 3.0.0.6 log created on 10312009_155552

Files moved on Reboot...
C:\Documents and Settings\Joe\Local Settings\Application Data\Mozilla\Firefox\Profiles\0hdwm7w5.default\Cache\_CACHE_MAP_ moved successfully.
C:\Documents and Settings\Joe\Local Settings\Application Data\Mozilla\Firefox\Profiles\0hdwm7w5.default\Cache\_CACHE_001_ moved successfully.
C:\Documents and Settings\Joe\Local Settings\Application Data\Mozilla\Firefox\Profiles\0hdwm7w5.default\Cache\_CACHE_002_ moved successfully.
C:\Documents and Settings\Joe\Local Settings\Application Data\Mozilla\Firefox\Profiles\0hdwm7w5.default\Cache\_CACHE_003_ moved successfully.
File C:\WINDOWS\temp\Perflib_Perfdata_b4.dat not found!

Registry entries deleted on Reboot...




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users