Win32kDiag.exe log


  • This topic is locked This topic is locked
13 replies to this topic

#1 bonkers1961

  • Members
  • 6 posts
  • OFFLINE
  • Local time: 02:20 PM

Posted 12 November 2009 - 04:03 PM

Tried Malwarebytes, HJT, Spybot. They all crash and won't run. Here is my partial log from Win32kDiag.exe (it has been running for 50 min.)
Running from: C:\Documents and Settings\Brian\Desktop\Win32kDiag.exe

Log file at : C:\Documents and Settings\Brian\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\windows'...



Cannot access: C:\windows\$NtUninstallKB824141$\user32.dll

[1] 2005-03-02 10:19:56 577024 C:\windows\$hf_mig$\KB890859\SP2QFE\user32.dll (Microsoft Corporation)

[1] 2007-03-08 07:48:36 578048 C:\windows\$hf_mig$\KB925902\SP2QFE\user32.dll (Microsoft Corporation)

[1] 2007-03-08 07:36:28 577536 C:\windows\$NtServicePackUninstall$\user32.dll (Microsoft Corporation)

[1] 2002-11-01 14:26:46 528896 C:\windows\$NtUninstallKB824141$\user32.dll ()

[1] 2003-07-30 04:00:00 560128 C:\windows\$NtUninstallKB826939$\user32.dll ()

[1] 2004-08-03 23:56:46 577024 C:\windows\$NtUninstallKB890859$\user32.dll (Microsoft Corporation)

[1] 2005-03-02 10:09:30 577024 C:\windows\$NtUninstallKB925902$\user32.dll (Microsoft Corporation)

[1] 2008-04-13 16:12:08 578560 C:\windows\ServicePackFiles\i386\user32.dll (Microsoft Corporation)

[1] 2004-06-17 09:58:35 560128 C:\windows\SoftwareDistribution\Download\0bfb0fd6d1529228f4175fc177388244\sp1qfe\user32.dll (Microsoft Corporation)

[1] 2008-04-13 16:12:08 578560 C:\windows\system32\user32.dll (Microsoft Corporation)



Cannot access: C:\windows\$NtUninstallKB824141$\win32k.sys

[1] 2005-03-01 17:11:25 1836160 C:\windows\$hf_mig$\KB890859\SP2QFE\win32k.sys (Microsoft Corporation)

[1] 2005-10-05 16:10:04 1839360 C:\windows\$hf_mig$\KB896424\SP2QFE\win32k.sys (Microsoft Corporation)

[1] 2007-03-08 05:49:49 1843968 C:\windows\$hf_mig$\KB925902\SP2QFE\win32k.sys (Microsoft Corporation)

[1] 2008-03-19 01:40:27 1845888 C:\windows\$hf_mig$\KB941693\SP2QFE\win32k.sys (Microsoft Corporation)

[1] 2008-09-15 04:25:27 1846912 C:\windows\$hf_mig$\KB954211\SP3QFE\win32k.sys (Microsoft Corporation)

[1] 2009-02-09 03:08:53 1847552 C:\windows\$hf_mig$\KB958690\SP3QFE\win32k.sys (Microsoft Corporation)

[1] 2009-04-17 02:50:18 1847808 C:\windows\$hf_mig$\KB968537\SP3QFE\win32k.sys (Microsoft Corporation)

[1] 2008-03-19 01:47:00 1845248 C:\windows\$NtServicePackUninstall$\win32k.sys (Microsoft Corporation)

[1] 2003-07-30 04:00:00 1813632 C:\windows\$NtUninstallKB817611$\win32k.sys (Microsoft Corporation)

[1] 2003-07-15 16:01:52 1677056 C:\windows\$NtUninstallKB824141$\win32k.sys ()

[1] 2004-08-03 22:17:40 1835904 C:\windows\$NtUninstallKB890859$\win32k.sys (Microsoft Corporation)

[1] 2005-03-01 17:06:57 1836288 C:\windows\$NtUninstallKB896424$\win32k.sys (Microsoft Corporation)

[1] 2005-10-05 16:05:59 1839488 C:\windows\$NtUninstallKB925902$\win32k.sys (Microsoft Corporation)

[1] 2007-03-08 05:47:48 1843584 C:\windows\$NtUninstallKB941693$\win32k.sys (Microsoft Corporation)

[1] 2008-04-13 11:30:10 1845632 C:\windows\$NtUninstallKB954211$\win32k.sys (Microsoft Corporation)

[1] 2008-09-15 04:12:56 1846400 C:\windows\$NtUninstallKB958690$\win32k.sys (Microsoft Corporation)

[1] 2009-02-09 03:13:27 1846784 C:\windows\$NtUninstallKB968537$\win32k.sys (Microsoft Corporation)

[1] 2008-04-13 11:30:10 1845632 C:\windows\ServicePackFiles\i386\win32k.sys (Microsoft Corporation)

[1] 2004-08-05 10:15:00 1845888 C:\windows\SoftwareDistribution\Download\0bfb0fd6d1529228f4175fc177388244\sp1qfe\win32k.sys (Microsoft Corporation)

[1] 2009-04-17 04:26:40 1847168 C:\windows\system32\dllcache\win32k.sys (Microsoft Corporation)

[1] 2009-04-17 04:26:40 1847168 C:\windows\system32\win32k.sys (Microsoft Corporation)

[1] 2009-11-12 10:16:00 0 C:\windows\win32k.sys ()



Cannot access: C:\windows\$NtUninstallKB826939$\accwiz.exe

[1] 2004-08-03 23:56:47 183808 C:\windows\$NtServicePackUninstall$\accwiz.exe (Microsoft Corporation)

[1] 2003-07-30 04:00:00 179200 C:\windows\$NtUninstallKB826939$\accwiz.exe ()

[1] 2008-04-13 16:12:11 184320 C:\windows\ServicePackFiles\i386\accwiz.exe (Microsoft Corporation)

[1] 2008-04-13 16:12:11 184320 C:\windows\system32\accwiz.exe (Microsoft Corporation)



Cannot access: C:\windows\$NtUninstallKB826939$\crypt32.dll

[1] 2004-08-03 23:56:41 597504 C:\windows\$NtServicePackUninstall$\crypt32.dll (Microsoft Corporation)

[1] 2003-07-30 04:00:00 557568 C:\windows\$NtUninstallKB826939$\crypt32.dll ()

[1] 2008-04-13 16:11:51 599040 C:\windows\ServicePackFiles\i386\crypt32.dll (Microsoft Corporation)

[1] 2008-04-13 16:11:51 599040 C:\windows\system32\crypt32.dll (Microsoft Corporation)



Cannot access: C:\windows\$NtUninstallKB826939$\cryptsvc.dll

[1] 2004-08-03 23:56:41 60416 C:\windows\$NtServicePackUninstall$\cryptsvc.dll (Microsoft Corporation)

[1] 2003-03-31 11:49:16 53760 C:\windows\$NtUninstallKB826939$\cryptsvc.dll ()

[1] 2008-04-13 16:11:51 62464 C:\windows\ServicePackFiles\i386\cryptsvc.dll (Microsoft Corporation)

[1] 2008-04-13 16:11:51 62464 C:\windows\system32\cryptsvc.dll (Microsoft Corporation)



Cannot access: C:\windows\$NtUninstallKB826939$\hh.exe

[1] 2005-05-26 15:26:50 10752 C:\windows\$hf_mig$\KB896358\SP2QFE\hh.exe (Microsoft Corporation)

[1] 2005-05-26 15:22:01 10752 C:\windows\$NtServicePackUninstall$\hh.exe (Microsoft Corporation)

[1] 2003-07-30 04:00:00 10752 C:\windows\$NtUninstallKB826939$\hh.exe ()

[1] 2004-08-03 23:56:50 10752 C:\windows\$NtUninstallKB896358$\hh.exe (Microsoft Corporation)

[1] 2008-04-13 16:12:21 10752 C:\windows\hh.exe (Microsoft Corporation)

[1] 2008-04-13 16:12:21 10752 C:\windows\ServicePackFiles\i386\hh.exe (Microsoft Corporation)

[1] 2008-04-13 16:12:21 10752 C:\windows\system32\dllcache\hh.exe (Microsoft Corporation)



Cannot access: C:\windows\$NtUninstallKB826939$\hhctrl.ocx

[1] 2004-12-02 10:35:33 539648 C:\windows\$hf_mig$\KB890175\SP2QFE\hhctrl.ocx ()

[1] 2005-05-26 18:08:59 546304 C:\windows\$hf_mig$\KB896358\SP2QFE\hhctrl.ocx ()

[1] 2006-07-14 07:37:53 546304 C:\windows\$hf_mig$\KB922616\SP2QFE\hhctrl.ocx ()

[1] 2007-01-23 11:24:27 546304 C:\windows\$hf_mig$\KB928843\SP2QFE\hhctrl.ocx ()

[1] 2007-01-23 11:29:20 546304 C:\windows\$NtServicePackUninstall$\hhctrl.ocx ()

[1] 2003-07-30 04:00:00 511560 C:\windows\$NtUninstallKB826939$\hhctrl.ocx ()

[1] 2004-08-03 21:22:58 526848 C:\windows\$NtUninstallKB890175$\hhctrl.ocx ()

[1] 2004-11-30 21:19:54 539648 C:\windows\$NtUninstallKB896358$\hhctrl.ocx ()

[1] 2005-05-26 18:04:27 546304 C:\windows\$NtUninstallKB922616$\hhctrl.ocx ()

[1] 2006-07-14 07:25:57 546304 C:\windows\$NtUninstallKB928843$\hhctrl.ocx ()

[1] 2008-04-13 16:09:36 545280 C:\windows\ServicePackFiles\i386\hhctrl.ocx ()

[2] 2003-07-30 04:00:00 87552 C:\windows\system32\dllcache\hhctrlui.dll (Microsoft Corporation)

[1] 2008-04-13 16:09:36 545280 C:\windows\system32\hhctrl.ocx ()

[2] 2003-07-30 04:00:00 87552 C:\windows\system32\mui\0009\hhctrlui.dll (Microsoft Corporation)



Cannot access: C:\windows\$NtUninstallKB826939$\hhsetup.dll

[1] 2005-05-26 18:08:59 41472 C:\windows\$hf_mig$\KB896358\SP2QFE\hhsetup.dll (Microsoft Corporation)

[1] 2005-05-26 18:04:27 41472 C:\windows\$NtServicePackUninstall$\hhsetup.dll (Microsoft Corporation)

[1] 2003-07-30 04:00:00 37888 C:\windows\$NtUninstallKB826939$\hhsetup.dll ()

[1] 2004-08-03 23:56:42 38912 C:\windows\$NtUninstallKB896358$\hhsetup.dll (Microsoft Corporation)

[1] 2008-04-13 16:11:54 41472 C:\windows\ServicePackFiles\i386\hhsetup.dll (Microsoft Corporation)

[1] 2008-04-13 16:11:54 41472 C:\windows\system32\hhsetup.dll (Microsoft Corporation)



Cannot access: C:\windows\$NtUninstallKB826939$\html32.cnv

[1] 2003-07-30 04:00:00 401480 C:\windows\$NtUninstallKB826939$\html32.cnv ()

[1] 2003-06-27 11:38:50 311864 C:\windows\ServicePackFiles\i386\html32.cnv ()



Cannot access: C:\windows\$NtUninstallKB826939$\itircl.dll

[1] 2005-05-26 18:08:59 155136 C:\windows\$hf_mig$\KB896358\SP2QFE\itircl.dll (Microsoft Corporation)

[1] 2005-05-26 18:04:27 155136 C:\windows\$NtServicePackUninstall$\itircl.dll (Microsoft Corporation)

[1] 2003-01-10 13:43:48 143872 C:\windows\$NtUninstallKB825119$\itircl.dll (Microsoft Corporation)

[1] 2003-07-30 04:00:00 143872 C:\windows\$NtUninstallKB826939$\itircl.dll ()

[1] 2004-08-03 23:56:42 143872 C:\windows\$NtUninstallKB896358$\itircl.dll (Microsoft Corporation)

[1] 2008-04-13 16:11:55 155136 C:\windows\ServicePackFiles\i386\itircl.dll (Microsoft Corporation)

[1] 2008-04-13 16:11:55 155136 C:\windows\system32\itircl.dll (Microsoft Corporation)



Cannot access: C:\windows\$NtUninstallKB826939$\itss.dll

[1] 2005-05-26 18:08:59 137216 C:\windows\$hf_mig$\KB896358\SP2QFE\itss.dll (Microsoft Corporation)

[1] 2005-05-26 18:04:27 137216 C:\windows\$NtServicePackUninstall$\itss.dll (Microsoft Corporation)

[1] 2003-07-30 04:00:00 122368 C:\windows\$NtUninstallKB826939$\itss.dll ()

[1] 2003-01-10 13:43:48 122368 C:\windows\$NtUninstallKB840315$\itss.dll (Microsoft Corporation)

[1] 2004-08-03 23:56:42 134144 C:\windows\$NtUninstallKB896358$\itss.dll (Microsoft Corporation)

[1] 2008-04-13 16:11:55 138240 C:\windows\ServicePackFiles\i386\itss.dll (Microsoft Corporation)

[1] 2008-04-13 16:11:55 138240 C:\windows\system32\itss.dll (Microsoft Corporation)



Cannot access: C:\windows\$NtUninstallKB826939$\locator.exe

[1] 2004-08-03 23:56:50 75264 C:\windows\$NtServicePackUninstall$\locator.exe (Microsoft Corporation)

[1] 2003-07-30 04:00:00 68096 C:\windows\$NtUninstallKB826939$\locator.exe ()

[1] 2008-04-13 16:12:24 75264 C:\windows\ServicePackFiles\i386\locator.exe (Microsoft Corporation)

[1] 2008-04-13 16:12:24 75264 C:\windows\system32\locator.exe (Microsoft Corporation)



Cannot access: C:\windows\$NtUninstallKB826939$\magnify.exe

[1] 2004-08-03 23:56:50 72704 C:\windows\$NtServicePackUninstall$\magnify.exe (Microsoft Corporation)

[1] 2003-07-30 04:00:00 67584 C:\windows\$NtUninstallKB826939$\magnify.exe ()

[1] 2008-04-13 16:12:24 72704 C:\windows\ServicePackFiles\i386\magnify.exe (Microsoft Corporation)

[1] 2008-04-13 16:12:24 72704 C:\windows\system32\magnify.exe (Microsoft Corporation)



Cannot access: C:\windows\$NtUninstallKB826939$\migwiz.exe

[1] 2004-08-03 23:56:51 240128 C:\windows\$NtServicePackUninstall$\migwiz.exe (Microsoft Corporation)

[1] 2003-07-30 04:00:00 230400 C:\windows\$NtUninstallKB826939$\migwiz.exe ()

[1] 2008-04-13 16:12:25 245248 C:\windows\ServicePackFiles\i386\migwiz.exe (Microsoft Corporation)

[2] 2008-04-13 16:12:25 241152 C:\windows\ServicePackFiles\i386\migwiza.exe (Microsoft Corporation)

[2] 2004-08-03 23:56:51 236032 C:\windows\ServicePackFiles\i386\migwiz_a.exe (Microsoft Corporation)

[2] 2008-04-13 16:12:25 241152 C:\windows\system32\dllcache\migwiza.exe (Microsoft Corporation)

[2] 2004-08-03 23:56:51 236032 C:\windows\system32\dllcache\migwiz_a.exe (Microsoft Corporation)

[1] 2008-04-13 16:12:25 245248 C:\windows\system32\usmt\migwiz.exe (Microsoft Corporation)

[2] 2008-04-13 16:12:25 241152 C:\windows\system32\usmt\migwiza.exe (Microsoft Corporation)

[2] 2004-08-03 23:56:51 236032 C:\windows\system32\usmt\migwiz_a.exe (Microsoft Corporation)



Cannot access: C:\windows\$NtUninstallKB826939$\mrxsmb.sys

[1] 2005-01-18 19:51:57 451584 C:\windows\$hf_mig$\KB885250\SP2QFE\mrxsmb.sys (Microsoft Corporation)

[1] 2004-10-27 17:15:16 448128 C:\windows\$hf_mig$\KB885835\SP2QFE\mrxsmb.sys (Microsoft Corporation)

[1] 2006-05-05 02:16:39 454400 C:\windows\$hf_mig$\KB914389\SP2QFE\mrxsmb.sys (Microsoft Corporation)

[1] 2008-10-24 03:41:11 455936 C:\windows\$hf_mig$\KB957097\SP3QFE\mrxsmb.sys (Microsoft Corporation)

[1] 2006-05-05 01:41:45 453120 C:\windows\$NtServicePackUninstall$\mrxsmb.sys (Microsoft Corporation)

[1] 2003-07-30 04:00:00 407552 C:\windows\$NtUninstallKB826939$\mrxsmb.sys ()

[1] 2004-10-27 17:14:18 448128 C:\windows\$NtUninstallKB885250$\mrxsmb.sys (Microsoft Corporation)

[1] 2004-08-03 22:15:16 451456 C:\windows\$NtUninstallKB885835$\mrxsmb.sys (Microsoft Corporation)

[1] 2005-01-18 20:26:52 451584 C:\windows\$NtUninstallKB914389$\mrxsmb.sys (Microsoft Corporation)

[1] 2008-04-13 11:17:01 456576 C:\windows\$NtUninstallKB957097$\mrxsmb.sys (Microsoft Corporation)

[1] 2008-10-24 03:21:09 455296 C:\windows\Driver Cache\i386\mrxsmb.sys (Microsoft Corporation)

[1] 2008-04-13 11:17:01 456576 C:\windows\ServicePackFiles\i386\mrxsmb.sys (Microsoft Corporation)

[1] 2008-10-24 03:21:09 455296 C:\windows\system32\dllcache\mrxsmb.sys (Microsoft Corporation)

[1] 2008-10-24 03:21:09 455296 C:\windows\system32\drivers\mrxsmb.sys (Microsoft Corporation)



Cannot access: C:\windows\$NtUninstallKB826939$\msconv97.dll

[1] 2003-07-30 04:00:00 143434 C:\windows\$NtUninstallKB826939$\msconv97.dll ()

[1] 2004-07-17 10:42:18 116288 C:\windows\ServicePackFiles\i386\msconv97.dll (Microsoft Corporation)



Cannot access: C:\windows\$NtUninstallKB826939$\narrator.exe

[1] 2004-08-03 23:56:54 53760 C:\windows\$NtServicePackUninstall$\narrator.exe (Microsoft Corporation)

[1] 2003-07-30 04:00:00 51200 C:\windows\$NtUninstallKB826939$\narrator.exe ()

[1] 2008-04-13 16:12:29 53760 C:\windows\ServicePackFiles\i386\narrator.exe (Microsoft Corporation)

[1] 2008-04-13 16:12:29 53760 C:\windows\system32\narrator.exe (Microsoft Corporation)



Cannot access: C:\windows\$NtUninstallKB826939$\newdev.dll

[1] 2004-08-03 23:56:44 248832 C:\windows\$NtServicePackUninstall$\newdev.dll (Microsoft Corporation)

[1] 2003-07-30 04:00:00 238080 C:\windows\$NtUninstallKB826939$\newdev.dll ()
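A small triage script for this kind of Win32kDiag output, added here as an example; it is not code from Win32kDiag, from the poster, or from BleepingComputer. It parses the `[n] timestamp size path (vendor)` lines and the `Cannot access:` lines into records, groups the copies of each file by name, and flags the copies a defender would check first: a zero-byte copy, a copy with no vendor string outside the patch-backup directories, and a copy sitting directly in the Windows directory beside a system32 copy. The three flags and the list of backup-directory markers are my own assumptions, not rules from the tool; the sample input is a few lines copied from the log above. The `Cannot access` lines are listed separately rather than scored, because the log's `WARNING: Could not get backup privileges!` line is one plain reason a protected backup directory would show as unreadable.

```python
"""Triage a Win32kDiag-style log: parse the per-file lines and flag the copies
a defender would look at first.  Added example for this thread; not code from
Win32kDiag, the poster, or BleepingComputer.  The flags are my assumptions."""
import re
from collections import defaultdict

# Constructed sample: a handful of lines copied from the log posted above.
SAMPLE_LOG = """\
WARNING: Could not get backup privileges!

Searching 'C:\\windows'...

Cannot access: C:\\windows\\$NtUninstallKB824141$\\win32k.sys

[1] 2008-04-13 11:30:10 1845632 C:\\windows\\ServicePackFiles\\i386\\win32k.sys (Microsoft Corporation)
[1] 2009-04-17 04:26:40 1847168 C:\\windows\\system32\\dllcache\\win32k.sys (Microsoft Corporation)
[1] 2009-04-17 04:26:40 1847168 C:\\windows\\system32\\win32k.sys (Microsoft Corporation)
[1] 2009-11-12 10:16:00 0 C:\\windows\\win32k.sys ()

Cannot access: C:\\windows\\$NtUninstallKB826939$\\accwiz.exe

[1] 2004-08-03 23:56:47 183808 C:\\windows\\$NtServicePackUninstall$\\accwiz.exe (Microsoft Corporation)
[1] 2003-07-30 04:00:00 179200 C:\\windows\\$NtUninstallKB826939$\\accwiz.exe ()
[1] 2008-04-13 16:12:11 184320 C:\\windows\\ServicePackFiles\\i386\\accwiz.exe (Microsoft Corporation)
[1] 2008-04-13 16:12:11 184320 C:\\windows\\system32\\accwiz.exe (Microsoft Corporation)
"""

# One per-file line: "[kind] YYYY-MM-DD HH:MM:SS size path (vendor)".
# The path match is lazy so it stops at the " (" that opens the vendor field;
# a path that itself contains " (" would need a stricter parser.
ENTRY_RE = re.compile(
    r"^\[(?P<kind>\d+)\] (?P<stamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<size>\d+) (?P<path>.+?) \((?P<vendor>.*)\)$"
)
CANNOT_RE = re.compile(r"^Cannot access: (?P<path>.+)$")

# Assumed markers of patch-backup and cache directories.  Copies there often
# carry no vendor string even when genuine (see the hhctrl.ocx block above),
# so an empty vendor inside one of them is not, by itself, a finding.
BACKUP_MARKERS = ("$ntuninstall", "$hf_mig$", "$ntservicepackuninstall$",
                  "servicepackfiles", "softwaredistribution", "driver cache")


def parse(text):
    """Return (entries, cannot_access) from the raw log text."""
    entries, cannot = [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["kind"] = int(rec["kind"])
            rec["size"] = int(rec["size"])
            entries.append(rec)
            continue
        m = CANNOT_RE.match(line)
        if m:
            cannot.append(m.group("path"))
    return entries, cannot


def is_backup_path(path):
    low = path.lower()
    return any(marker in low for marker in BACKUP_MARKERS)


def windows_root_copy(path):
    """True for a file directly under the Windows directory, e.g. C:\\windows\\x.sys."""
    parts = path.lower().split("\\")
    return len(parts) == 3 and parts[1] == "windows"


def triage(text):
    """Group copies by file name and return the copies worth a closer look."""
    entries, cannot = parse(text)
    by_name = defaultdict(list)
    for rec in entries:
        by_name[rec["path"].rsplit("\\", 1)[-1].lower()].append(rec)

    findings = []
    for copies in by_name.values():
        in_system32 = any("\\system32\\" in c["path"].lower() for c in copies)
        for c in copies:
            reasons = []
            if c["size"] == 0:
                reasons.append("zero-byte file")
            if not c["vendor"] and not is_backup_path(c["path"]):
                reasons.append("no vendor string outside a patch-backup directory")
            if windows_root_copy(c["path"]) and in_system32:
                # Weak signal on its own: hh.exe legitimately lives in the Windows root.
                reasons.append("copy in the Windows root beside a system32 copy")
            if reasons:
                findings.append((c["path"], reasons))
    return {"cannot_access": cannot, "findings": findings}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for p in report["cannot_access"]:
        print("inaccessible (scan ran without backup privilege):", p)
    for path, reasons in report["findings"]:
        print(path)
        for r in reasons:
            print("   -", r)
```

On the sample above the only flagged copy is `C:\windows\win32k.sys`, which trips all three checks, while the four `accwiz.exe` copies, including the vendor-less one inside `$NtUninstallKB826939$`, are left alone. The script is deliberately conservative: it points a reviewer at a copy to examine, and does not by itself say a file is malicious.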


#2 Elise

Bleepin' Blonde

  • Malware Study Hall Admin
  • 61,316 posts
  • OFFLINE
  • Gender: Female
  • Location: Romania
  • Local time: 10:20 PM

Posted 12 November 2009 - 04:06 PM

Hello bonkers1961,

And welcome to the Bleeping Computer Malware Removal Forum. My name is Elise. I'll be glad to help you with your computer problems.


I will be working on your malware issues; this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make are for fixing your computer problems only and by no means should be used on another computer.

You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.
-----------------------------------------------------------
Please be patient and I'd be grateful if you would note the following:
  • The cleaning process is not instant. DDS logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.
In the meantime please, do NOT install any new programs or update anything unless told to do so while we are fixing your problem.

Please give me some time to review your logs and take the steps necessary with you to get your machine back in working order clean and free of malware.

Thanks, and again sorry for the delay.


COMBOFIX
---------------
Please download ComboFix from one of these locations: Bleepingcomputer, ForoSpyware
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

[screenshot]

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[screenshot]

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


In your next reply, please include the following:
  • Combofix.txt

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

Malware analyst @ Emsisoft


#3 bonkers1961

  • Topic Starter
  • Members
  • 6 posts
  • OFFLINE
  • Local time: 02:20 PM

Posted 12 November 2009 - 05:13 PM

ComboFix text

ComboFix 09-11-13.04 - Brian 11/12/2009 13:35.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.298 [GMT -8:00]
Running from: c:\documents and settings\Brian\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\avjelge.exe
c:\docume~1\Brian\LOCALS~1\Temp\csrss.exe
c:\docume~1\Brian\LOCALS~1\Temp\lsass.exe
c:\docume~1\Brian\LOCALS~1\Temp\services.exe
c:\docume~1\Brian\LOCALS~1\Temp\svchost.exe
c:\docume~1\Brian\LOCALS~1\Temp\taskmgr.exe
c:\docume~1\Brian\LOCALS~1\Temp\winlogon.exe
c:\documents and settings\Administrator\Application Data\itizako.lib
c:\documents and settings\Administrator\Cookies\cusiryj.sys
c:\documents and settings\Administrator\Cookies\enuvi.dl
c:\documents and settings\Administrator\Local Settings\Application Data\ojyhugat.dll
c:\documents and settings\Administrator\Local Settings\Application Data\upojoda.pif
c:\documents and settings\Administrator\Local Settings\Temporary Internet Files\anotysa.inf
c:\documents and settings\Administrator\Local Settings\Temporary Internet Files\ofytubej.com
c:\documents and settings\Administrator\Local Settings\Temporary Internet Files\rotitupowe.bat
c:\documents and settings\All Users\Application Data\asosyci.bat
c:\documents and settings\All Users\Application Data\garetuhij.vbs
c:\documents and settings\All Users\Application Data\patyg.bin
c:\documents and settings\Brian\Application Data\iniasd.txt
c:\documents and settings\Brian\Application Data\lizkavd.exe
c:\documents and settings\Brian\Application Data\Microsoft\Internet Explorer\Quick Launch\AntivirusPro_2010.lnk
c:\documents and settings\Brian\Application Data\seres.exe
c:\documents and settings\Brian\Application Data\svcst.exe
c:\documents and settings\Brian\Desktop\AntivirusPro_2010.lnk
c:\documents and settings\Brian\Desktop\Windows Police Pro.lnk
c:\documents and settings\Brian\Local Settings\Temporary Internet Files\index.dat
c:\documents and settings\Brian\Start Menu\Programs\AntivirusPro_2010
c:\documents and settings\Brian\Start Menu\Programs\AntivirusPro_2010\AntivirusPro_2010.lnk
c:\documents and settings\Brian\Start Menu\Programs\AntivirusPro_2010\Uninstall.lnk
c:\documents and settings\Brian\Start Menu\Programs\Windows Police Pro
c:\documents and settings\Brian\Start Menu\Programs\Windows Police Pro\Windows Police Pro.lnk
C:\hrngen.exe
C:\p2hhr.bat
C:\pgkso.exe
c:\program files\AntivirusPro_2010
c:\program files\AntivirusPro_2010\AntivirusPro_2010.exe
c:\program files\Common Files\exejyjil.bat
c:\program files\Common Files\jykecen.dl
c:\program files\Windows Police Pro
c:\program files\Windows Police Pro\msvcm80.dll
c:\program files\Windows Police Pro\msvcp80.dll
c:\program files\Windows Police Pro\msvcr80.dll
C:\qgferewy.exe
c:\recycler\S-1-5-21-1129104598-3505460007-2405350716-500
c:\recycler\S-1-5-21-1844237615-1801674531-725345543-500
c:\recycler\S-1-5-21-1958632107-3251158543-1152284756-500
c:\recycler\S-1-5-21-2530520543-3370927767-832300917-500
c:\recycler\S-1-5-21-3050832978-363202024-3319799698-500
c:\recycler\S-1-5-21-4272853618-324874107-898760114-500
c:\windows\ixyry._dl
c:\windows\msa.exe
c:\windows\otererew.ban
c:\windows\system32\_scui.cpl
c:\windows\system32\~.exe
c:\windows\system32\AVR09.exe
c:\windows\system32\critical_warning.html
c:\windows\system32\Data
c:\windows\system32\drivers\gasfkyemiklivp.sys
c:\windows\system32\gasfkyffmmpwxf.dll
c:\windows\system32\gasfkyitpejuow.dat
c:\windows\system32\gasfkyrqowqlkh.dll
c:\windows\system32\gytyqus.ban
c:\windows\system32\halojoge.dll
c:\windows\system32\onamip.scr
c:\windows\system32\qorevukyg.vbs
c:\windows\system32\selekide.dll
c:\windows\system32\t5rt7gss.dll
c:\windows\system32\wbem\proquota.exe
c:\windows\system32\wijidapa.dll
c:\windows\system32\winhelper.dll
c:\windows\system32\winupdate.exe
c:\windows\tebud.bin
D:\Install.exe
d:\my documents\ZbThumbnail.info

Infected copy of c:\windows\system32\eventlog.dll was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\eventlog.dll

c:\windows\system32\proquota.exe was missing
Restored copy from - c:\windows\ServicePackFiles\i386\proquota.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}


((((((((((((((((((((((((( Files Created from 2009-10-12 to 2009-11-12 )))))))))))))))))))))))))))))))
.

2009-11-12 21:52 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-11-12 21:45 . 2009-11-12 21:45 -------- d-----w- c:\windows\LastGood.Tmp
2009-11-02 23:59 . 2009-11-03 00:02 -------- d-----w- c:\program files\Spybot - Search & Destroyb
2009-11-02 23:45 . 2009-11-02 23:46 -------- d-----w- c:\program files\Mal222221
2009-11-02 23:30 . 2009-11-02 23:30 -------- d--h--w- c:\windows\system32\GroupPolicy
2009-11-02 22:39 . 2009-11-02 23:41 -------- d-----w- c:\program files\Mal22222
2009-11-02 22:21 . 2009-11-02 22:21 -------- d-----w- c:\documents and settings\Administrator\Application Data\HP
2009-11-02 22:19 . 2009-11-02 22:19 17392 ----a-w- c:\windows\dovupe.dat
2009-11-02 22:19 . 2009-11-02 22:19 11504 ----a-w- c:\windows\qili.com
2009-11-02 22:14 . 2009-05-07 07:04 157712 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-11-02 21:46 . 2009-11-02 21:46 -------- d-----w- c:\program files\Trend Micro
2009-11-02 21:29 . 2008-12-11 16:38 159600 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-11-02 21:29 . 2009-08-24 22:05 206256 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-11-02 21:29 . 2009-08-19 19:01 86888 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-11-02 21:29 . 2009-11-02 21:29 -------- d-----w- c:\program files\Common Files\PC Tools
2009-11-02 21:29 . 2008-12-10 19:36 64392 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-11-02 21:29 . 2009-11-02 21:29 -------- d-----w- c:\program files\Spyware Doctor
2009-11-02 21:29 . 2009-11-02 21:29 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2009-11-02 21:29 . 2009-11-02 21:29 -------- d-----w- c:\documents and settings\Administrator\Application Data\PC Tools
2009-11-02 21:28 . 2009-11-12 22:00 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-11-02 21:18 . 2009-11-02 21:18 -------- dc----w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-11-02 21:11 . 2009-11-03 00:05 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-11-02 21:11 . 2009-11-03 00:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-11-02 21:06 . 2009-11-02 21:06 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-11-02 21:06 . 2009-09-10 22:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-02 21:06 . 2009-11-02 21:06 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-02 21:06 . 2009-09-10 22:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-02 20:26 . 2009-11-02 20:26 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2009-11-02 20:25 . 2009-11-02 20:25 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2009-10-31 19:17 . 2009-11-02 21:33 -------- d-----w- c:\program files\malware bytes for anitvirus pr 2010
2009-10-31 19:04 . 2009-10-31 19:07 -------- d--h--w- c:\windows\PIF
2009-10-31 18:25 . 2009-10-31 18:25 -------- d-----w- c:\documents and settings\Brian\Application Data\Malwarebytes
2009-10-31 18:25 . 2009-10-31 18:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-12 18:16 . 2009-10-02 04:24 0 ----a-r- c:\windows\win32k.sys
2009-11-02 23:18 . 2007-05-05 17:42 -------- d-----w- c:\program files\McAfee
2009-10-07 19:10 . 2009-10-07 19:10 120832 ----a-w- C:\dwwsnyeb.exe
2009-10-07 19:10 . 2009-10-07 19:10 45568 ----a-w- C:\pjrvs.exe
2009-10-07 19:10 . 2009-10-07 19:10 95744 ----a-w- C:\vufjb.exe
2009-10-07 19:10 . 2009-10-07 19:09 52224 ----a-w- C:\uccxui.exe
2009-10-07 19:10 . 2009-10-07 19:09 208384 ----a-w- C:\sdfxmtlu.exe
2009-10-07 19:09 . 2009-10-07 19:09 8704 ----a-w- C:\cgcxo.exe
2009-10-07 19:09 . 2009-10-07 19:09 39936 ----a-w- C:\siyfiejh.exe
2009-10-02 04:29 . 2009-10-02 04:25 82944 ----a-w- c:\windows\system32\drivers\95208a5c.sys
2009-10-02 04:24 . 2009-10-02 04:24 79360 ----a-w- C:\aefxixl.exe
2009-10-02 04:24 . 2009-10-02 04:24 201200 ----a-w- C:\prdfjhha.exe
2009-10-01 19:53 . 2009-10-01 19:53 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_netaapl_01005.Wdf
2009-10-01 19:53 . 2009-10-01 19:53 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2009-09-24 01:53 . 2009-09-24 01:52 -------- d-----w- c:\program files\iTunes
2009-09-24 01:52 . 2009-09-24 01:52 -------- d-----w- c:\program files\iPod
2009-09-24 01:52 . 2008-04-18 16:16 -------- d-----w- c:\program files\Common Files\Apple
2009-09-24 01:43 . 2009-09-24 01:43 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.1.8\SetupAdmin.exe
2009-09-23 06:47 . 2007-05-05 17:19 -------- d-----w- c:\documents and settings\Brian\Application Data\Skype
2009-09-23 03:01 . 2009-02-25 17:20 -------- d-----w- c:\documents and settings\Brian\Application Data\skypePM
2009-09-17 04:57 . 2007-05-05 17:41 -------- d-----w- c:\program files\Garmin
2009-09-03 00:07 . 2008-04-28 04:23 488968 ----a-w- c:\documents and settings\Brian\Application Data\Real\Update\setup\setup.exe
2009-08-29 02:42 . 2009-10-01 19:50 40448 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-08-29 02:42 . 2009-10-01 19:50 2065696 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-08-21 19:34 . 2009-08-21 19:03 68951 ----a-w- c:\windows\hpoins05.dat
2009-08-21 19:00 . 2009-08-21 18:01 166130 ----a-w- c:\windows\hpoins30.dat
2009-08-21 16:40 . 2009-08-21 16:40 46 ----a-w- c:\windows\hpqscr01.dat
2009-08-21 16:35 . 2009-08-21 16:35 46 ----a-w- c:\windows\hposcr05.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-17 68856]
"gStart"="c:\program files\Garmin\gStart.exe" [2006-09-06 1891416]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2008-04-14 50176]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-11-16 335872]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-08-19 4841472]
"sHotKey"="c:\program files\SONY\sHotKey\sHotKey.exe" [2003-08-22 45056]
"ezShieldProtector for Px"="c:\windows\System32\ezSP_Px.exe" [2002-08-20 40960]
"ZTgServerSwitch"="c:\program files\support.com\client\bin\tgcmd.exe" [2003-06-24 1409024]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"VAIO Recovery"="c:\windows\Sonysys\VAIO Recovery\PartSeal.exe" [2003-04-20 28672]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2008-03-26 49152]
"WatchDog"="c:\program files\mobile PhoneTools\WatchDog.exe" [2004-08-14 36864]
"SiteAdvisor"="c:\program files\SiteAdvisor\4456\SiteAdv.exe" [2006-11-03 35928]
"Adobe Photo Downloader"="d:\program files\Adobe\Photoshop Elements 5.0\apdproxy.exe" [2006-09-14 61440]
"RoxioDragToDisc"="c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2006-07-31 1116920]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-09-17 645328]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2006-08-10 221184]
"DMXLauncher"="c:\program files\Roxio\Media Experience\DMXLauncher.exe" [2006-08-14 102400]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-09-04 198160]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2009-07-23 1181064]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2003-05-23 88363]

c:\documents and settings\Brian\Start Menu\Programs\Startup\
Camio Viewer.lnk - c:\program files\Sierra Imaging\Image Expert\IXApplet.exe [2004-6-30 103424]
HotSync Manager.lnk - c:\program files\Palm\HOTSYNC.EXE [2002-8-9 299008]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
APC UPS Status.lnk - c:\program files\APC\APC PowerChute Personal Edition\Display.exe [2005-4-4 209016]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-3-25 214360]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-4 53248]
LaunchU3.exe.lnk - c:\windows\Installer\{D8E363A7-88B7-446D-B2C0-E26CE4DC8E54}\_2cd672ae.exe [2007-6-8 1078]
NkbMonitor.exe.lnk - c:\program files\Nikon\PictureProject\NkbMonitor.exe [2005-7-5 118784]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\support.com\\client\\bin\\tgcmd.exe"=
"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"d:\\Program Files\\Adobe\\Photoshop Elements 5.0\\AdobePhotoshopElementsMediaServer.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Adobe\\Photoshop Elements 7.0\\AdobePhotoshopElementsMediaServer.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"427:UDP"= 427:UDP:SLP_Port(427)

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [11/2/2009 1:29 PM 206256]
R0 SonyLSM;LED State Service;c:\windows\system32\drivers\SonyLSM.sys [2/9/2004 7:41 PM 4736]
R2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe [9/16/2008 12:03 PM 169312]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [11/2/2009 1:29 PM 348752]
S2 gupdate1c9ad6ac413a932;Google Update Service (gupdate1c9ad6ac413a932);c:\program files\Google\Update\GoogleUpdate.exe [3/25/2009 8:57 AM 133104]
S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\program files\MAGIX\Common\Database\bin\fbserver.exe [4/12/2008 4:34 PM 1527900]
S3 UPnPService;UPnPService;c:\program files\Common Files\MAGIX Shared\UPnPService\UPnPService.exe [4/12/2008 4:31 PM 544768]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MBR
*Deregistered* - mbr

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2009-11-12 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2009-11-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-25 16:56]

2009-11-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-25 16:56]

2009-09-15 c:\windows\Tasks\McDefragTask.job
- c:\windows\system32\defrag.exe [2003-12-03 00:12]

2009-07-01 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2006-11-10 19:22]

2004-03-10 c:\windows\Tasks\Registration reminder 2.job
- c:\windows\System32\OOBE\oobebaln.exe [2003-12-03 00:12]

2004-03-10 c:\windows\Tasks\Registration reminder 3.job
- c:\windows\System32\OOBE\oobebaln.exe [2003-12-03 00:12]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Brian\Application Data\Mozilla\Firefox\Profiles\mmvqs8qp.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPAskSBr.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-{0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - c:\program files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
HKLM-Run-gikikijik - c:\windows\system32\wijidapa.dll
SharedTaskScheduler-{164a5411-6cf3-4ab7-891f-45e2f8378761} - c:\windows\system32\wijidapa.dll
SSODL-mezapigem-{164a5411-6cf3-4ab7-891f-45e2f8378761} - c:\windows\system32\wijidapa.dll
AddRemove-nickarcade - c:\program files\nickarcade\uninstall.exe
AddRemove-Trailer Life Directory Campground Navigator 2008_is1 - j:\tldcn2008\unins000.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-12 14:01
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\system32\wuapi.dll.wusetup.311281.bak 561688 bytes executable
c:\windows\system32\wuauclt.exe.wusetup.312546.bak 51224 bytes executable
c:\windows\system32\wuaueng.dll.wusetup.315093.bak 1809944 bytes executable

scan completed successfully
hidden files: 3

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,5e,1b,56,82,5d,b7,79,4b,ad,28,8f,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,5e,1b,56,82,5d,b7,79,4b,ad,28,8f,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(4144)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\IME\SPGRMR.DLL
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\APC\APC PowerChute Personal Edition\mainserv.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\ehome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\program files\McAfee\MPF\MPFSrv.exe
c:\program files\McAfee\MSK\MskSrver.exe
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
c:\program files\Common Files\Sony Shared\WMPlugIn\SonicStageMonitoring.exe
c:\program files\Sony\Sony TV Tuner Library\SMceMan.exe
c:\program files\APC\APC PowerChute Personal Edition\apcsystray.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Sony\VAIO Media Integrated Server\Music\SSSvr.exe
c:\documents and settings\All Users\Application Data\U3\U3Launcher\LaunchU3.exe
c:\program files\Sony\VAIO Media Integrated Server\Photo\appsrv\PhotoAppSrv.exe
c:\program files\Sony\VAIO Media Integrated Server\Video\GPVSvr.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\program files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
c:\program files\HP\Digital Imaging\bin\hpqgalry.exe
c:\program files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
c:\program files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
c:\program files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
c:\program files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
c:\program files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
c:\windows\system32\wscntfy.exe
c:\program files\Sony\Sony TV Tuner Library\RM_SV.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\ehome\ehmsas.exe
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files\HP\Digital Imaging\bin\hpqbam08.exe
c:\program files\HP\Digital Imaging\bin\hpqgpc01.exe
c:\program files\Java\jre6\bin\jucheck.exe
.
**************************************************************************
.
Completion time: 2009-11-12 14:08 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-12 22:08

Pre-Run: 466,628,083,712 bytes free
Post-Run: 468,214,640,640 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\windows
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\windows="Windows XP Media Center Edition" /fastdetect /NoExecute=OptIn

- - End Of File - - 486D893EA6FFFBA3A902EC7A98E0A60C



Thanks Elise

Edited by bonkers1961, 12 November 2009 - 05:15 PM.


#4 Elise

    Bleepin' Blonde

  • Malware Study Hall Admin
  • 61,316 posts
  • Gender:Female
  • Location:Romania

Posted 13 November 2009 - 05:38 AM

Hello bonkers1961,

CF-SCRIPT
-------------
We need to execute a CF-script.
  • Close any open browsers.
  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Click Start > Run and in the box that opens type notepad and press enter. Copy/paste the text in the codebox below into it:
File::
c:\windows\dovupe.dat
c:\windows\qili.com
c:\windows\win32k.sys
C:\dwwsnyeb.exe
C:\pjrvs.exe
C:\vufjb.exe
C:\uccxui.exe
C:\sdfxmtlu.exe
C:\cgcxo.exe
C:\siyfiejh.exe
C:\aefxixl.exe
C:\prdfjhha.exe
Save this as CFScript.txt, in the same location as ComboFix.exe.

Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


Please save this file to your desktop. Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.
"%userprofile%\desktop\win32kdiag.exe" -f -r


We need to scan the system with this special tool:

* Please download and save:

Junction.zip

* Unzip it and place Junction.exe in the Windows directory (C:\Windows).
* Go to Start => Run... => Copy and paste the following command in the Run box and click OK:

cmd /c junction -s c:\ >log.txt&log.txt& del log.txt

A command window opens starting to scan the system. Wait until a log file opens. Copy and paste the log in your next reply.


In your next reply, please include the following:
  • Combofix.txt
  • Win32kDiag.txt
  • Junction log

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."


Malware analyst @ Emsisoft


#5 bonkers1961

  • Topic Starter
  • Members
  • 6 posts

Posted 13 November 2009 - 07:42 PM

-------Elise, here are all the logs. Thanks for all your help-------

ComboFix 09-11-13.04 - Brian 11/13/2009 15:57.2.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.460 [GMT -8:00]
Running from: c:\documents and settings\Brian\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Brian\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

FILE ::
"C:\aefxixl.exe"
"C:\cgcxo.exe"
"C:\dwwsnyeb.exe"
"C:\pjrvs.exe"
"C:\prdfjhha.exe"
"C:\sdfxmtlu.exe"
"C:\siyfiejh.exe"
"C:\uccxui.exe"
"C:\vufjb.exe"
"c:\windows\dovupe.dat"
"c:\windows\qili.com"
"c:\windows\win32k.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\aefxixl.exe
C:\cgcxo.exe
c:\documents and settings\All Users\Documents\ugeqaku.scr
c:\documents and settings\All Users\Documents\wikadifok.pif
C:\dwwsnyeb.exe
C:\pjrvs.exe
C:\prdfjhha.exe
C:\sdfxmtlu.exe
C:\siyfiejh.exe
C:\uccxui.exe
C:\vufjb.exe
c:\windows\dovupe.dat
c:\windows\qili.com
c:\windows\win32k.sys

.
((((((((((((((((((((((((( Files Created from 2009-10-13 to 2009-11-13 )))))))))))))))))))))))))))))))
.

2009-11-13 23:52 . 2009-11-13 23:52 -------- d-----w- c:\windows\LastGood
2009-11-12 21:52 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-11-02 23:59 . 2009-11-03 00:02 -------- d-----w- c:\program files\Spybot - Search & Destroyb
2009-11-02 23:45 . 2009-11-02 23:46 -------- d-----w- c:\program files\Mal222221
2009-11-02 23:30 . 2009-11-02 23:30 -------- d--h--w- c:\windows\system32\GroupPolicy
2009-11-02 22:39 . 2009-11-02 23:41 -------- d-----w- c:\program files\Mal22222
2009-11-02 22:21 . 2009-11-02 22:21 -------- d-----w- c:\documents and settings\Administrator\Application Data\HP
2009-11-02 22:14 . 2009-05-07 07:04 157712 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-11-02 21:46 . 2009-11-02 21:46 -------- d-----w- c:\program files\Trend Micro
2009-11-02 21:29 . 2008-12-11 16:38 159600 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-11-02 21:29 . 2009-08-24 22:05 206256 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-11-02 21:29 . 2009-08-19 19:01 86888 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-11-02 21:29 . 2009-11-02 21:29 -------- d-----w- c:\program files\Common Files\PC Tools
2009-11-02 21:29 . 2008-12-10 19:36 64392 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-11-02 21:29 . 2009-11-02 21:29 -------- d-----w- c:\program files\Spyware Doctor
2009-11-02 21:29 . 2009-11-02 21:29 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2009-11-02 21:29 . 2009-11-02 21:29 -------- d-----w- c:\documents and settings\Administrator\Application Data\PC Tools
2009-11-02 21:28 . 2009-11-13 23:46 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-11-02 21:18 . 2009-11-02 21:18 -------- dc----w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-11-02 21:11 . 2009-11-03 00:05 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-11-02 21:11 . 2009-11-03 00:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-11-02 21:06 . 2009-11-02 21:06 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-11-02 21:06 . 2009-09-10 22:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-02 21:06 . 2009-11-02 21:06 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-02 21:06 . 2009-09-10 22:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-02 20:26 . 2009-11-02 20:26 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2009-11-02 20:25 . 2009-11-02 20:25 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2009-10-31 19:17 . 2009-11-02 21:33 -------- d-----w- c:\program files\malware bytes for anitvirus pr 2010
2009-10-31 19:04 . 2009-10-31 19:07 -------- d--h--w- c:\windows\PIF
2009-10-31 18:25 . 2009-10-31 18:25 -------- d-----w- c:\documents and settings\Brian\Application Data\Malwarebytes
2009-10-31 18:25 . 2009-10-31 18:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-02 23:18 . 2007-05-05 17:42 -------- d-----w- c:\program files\McAfee
2009-10-01 19:53 . 2009-10-01 19:53 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_netaapl_01005.Wdf
2009-10-01 19:53 . 2009-10-01 19:53 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2009-09-24 01:53 . 2009-09-24 01:52 -------- d-----w- c:\program files\iTunes
2009-09-24 01:52 . 2009-09-24 01:52 -------- d-----w- c:\program files\iPod
2009-09-24 01:52 . 2008-04-18 16:16 -------- d-----w- c:\program files\Common Files\Apple
2009-09-24 01:43 . 2009-09-24 01:43 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.1.8\SetupAdmin.exe
2009-09-23 06:47 . 2007-05-05 17:19 -------- d-----w- c:\documents and settings\Brian\Application Data\Skype
2009-09-23 03:01 . 2009-02-25 17:20 -------- d-----w- c:\documents and settings\Brian\Application Data\skypePM
2009-09-17 04:57 . 2007-05-05 17:41 -------- d-----w- c:\program files\Garmin
2009-09-04 21:03 . 2003-12-03 17:23 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-03 00:07 . 2008-04-28 04:23 488968 ----a-w- c:\documents and settings\Brian\Application Data\Real\Update\setup\setup.exe
2009-08-29 08:08 . 2004-02-07 01:05 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-29 02:42 . 2009-10-01 19:50 40448 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-08-29 02:42 . 2009-10-01 19:50 2065696 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-08-26 08:00 . 2003-12-03 17:23 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-21 19:34 . 2009-08-21 19:03 68951 ----a-w- c:\windows\hpoins05.dat
2009-08-21 19:00 . 2009-08-21 18:01 166130 ----a-w- c:\windows\hpoins30.dat
2009-08-21 16:40 . 2009-08-21 16:40 46 ----a-w- c:\windows\hpqscr01.dat
2009-08-21 16:35 . 2009-08-21 16:35 46 ----a-w- c:\windows\hposcr05.dat
.

((((((((((((((((((((((((((((( SnapShot@2009-11-12_22.00.02 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-11-13 23:46 . 2009-11-13 23:46 16384 c:\windows\Temp\Perflib_Perfdata_930.dat
+ 2005-05-26 11:16 . 2009-08-07 03:24 44768 c:\windows\system32\wups2.dll
+ 2004-08-12 14:37 . 2009-08-07 03:24 35552 c:\windows\system32\wups.dll
+ 2003-12-03 18:29 . 2009-08-07 03:24 53472 c:\windows\system32\wuauclt.exe
+ 2003-12-03 17:23 . 2009-06-25 08:25 54272 c:\windows\system32\wdigest.dll
+ 2009-11-12 22:03 . 2009-08-07 03:24 44768 c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wups2.dll\7.4.7600.226\wups2.dll
+ 2009-11-12 22:03 . 2009-08-07 03:24 35552 c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wups.dll\7.4.7600.226\wups.dll
- 2003-12-03 17:23 . 2009-02-03 19:59 56832 c:\windows\system32\secur32.dll
+ 2003-12-03 17:23 . 2009-06-25 08:25 56832 c:\windows\system32\secur32.dll
+ 2003-12-03 17:23 . 2009-11-12 22:33 71904 c:\windows\system32\perfc009.dat
- 2003-12-03 17:23 . 2009-11-02 21:40 71904 c:\windows\system32\perfc009.dat
+ 2007-08-14 02:54 . 2009-08-29 08:08 55296 c:\windows\system32\msfeedsbs.dll
- 2007-08-14 02:54 . 2009-07-03 17:09 55296 c:\windows\system32\msfeedsbs.dll
+ 2003-12-03 17:23 . 2009-08-29 08:08 25600 c:\windows\system32\jsproxy.dll
- 2003-12-03 17:23 . 2009-07-03 17:09 25600 c:\windows\system32\jsproxy.dll
+ 2003-12-03 17:23 . 2009-06-24 11:18 92928 c:\windows\system32\drivers\ksecdd.sys
- 2009-07-16 00:44 . 2009-07-03 17:09 12800 c:\windows\system32\dllcache\xpshims.dll
+ 2009-07-16 00:44 . 2009-08-29 08:08 12800 c:\windows\system32\dllcache\xpshims.dll
+ 2004-08-12 14:37 . 2009-08-07 03:24 35552 c:\windows\system32\dllcache\wups.dll
+ 2003-12-03 18:29 . 2009-08-07 03:24 53472 c:\windows\system32\dllcache\wuauclt.exe
+ 2009-06-25 08:25 . 2009-06-25 08:25 54272 c:\windows\system32\dllcache\wdigest.dll
- 2009-02-03 19:59 . 2009-02-03 19:59 56832 c:\windows\system32\dllcache\secur32.dll
+ 2009-02-03 19:59 . 2009-06-25 08:25 56832 c:\windows\system32\dllcache\secur32.dll
+ 2007-08-20 10:04 . 2009-08-29 08:08 55296 c:\windows\system32\dllcache\msfeedsbs.dll
- 2007-08-20 10:04 . 2009-07-03 17:09 55296 c:\windows\system32\dllcache\msfeedsbs.dll
+ 2009-09-04 21:03 . 2009-09-04 21:03 58880 c:\windows\system32\dllcache\msasn1.dll
+ 2009-06-24 11:18 . 2009-06-24 11:18 92928 c:\windows\system32\dllcache\ksecdd.sys
+ 2006-05-10 05:22 . 2009-08-29 08:08 25600 c:\windows\system32\dllcache\jsproxy.dll
- 2006-05-10 05:22 . 2009-07-03 17:09 25600 c:\windows\system32\dllcache\jsproxy.dll
+ 2003-12-03 17:23 . 2009-08-07 03:24 96480 c:\windows\system32\dllcache\cdm.dll
+ 2003-12-03 18:33 . 2009-11-13 23:51 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2003-12-03 18:33 . 2009-11-12 18:20 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2003-12-03 18:33 . 2009-11-13 23:51 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2003-12-03 18:33 . 2009-11-12 18:20 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-11-13 23:51 . 2009-11-13 23:51 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2003-12-03 17:23 . 2009-08-07 03:24 96480 c:\windows\system32\cdm.dll
+ 2009-06-25 03:56 . 2009-06-25 03:56 73728 c:\windows\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe
+ 2008-05-28 08:49 . 2008-05-28 08:49 77824 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorsn.dll
- 2007-04-14 04:58 . 2007-04-14 04:58 77824 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorsn.dll
+ 2008-05-28 08:49 . 2008-05-28 08:49 86016 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorie.dll
- 2007-04-14 04:57 . 2007-04-14 04:57 86016 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorie.dll
- 2007-04-14 04:57 . 2007-04-14 04:57 81920 c:\windows\Microsoft.NET\Framework\v1.1.4322\CORPerfMonExt.dll
+ 2008-05-28 08:49 . 2008-05-28 08:49 81920 c:\windows\Microsoft.NET\Framework\v1.1.4322\CORPerfMonExt.dll
- 2007-04-14 05:30 . 2007-04-14 05:30 32768 c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_wp.exe
+ 2008-05-28 09:30 . 2008-05-28 09:30 32768 c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_wp.exe
+ 2003-10-30 20:37 . 2009-06-24 20:56 86016 c:\windows\Microsoft.NET\Framework\v1.0.3705\ToGac.exe
+ 2003-10-30 20:37 . 2009-06-24 20:56 73728 c:\windows\Microsoft.NET\Framework\v1.0.3705\SetRegNI.exe
+ 2003-12-03 18:29 . 2009-06-24 06:01 86016 c:\windows\Microsoft.NET\Framework\v1.0.3705\mscorld.dll
- 2003-12-03 18:29 . 2007-01-02 23:29 86016 c:\windows\Microsoft.NET\Framework\v1.0.3705\mscorld.dll
+ 2003-12-03 18:29 . 2009-06-24 06:01 73728 c:\windows\Microsoft.NET\Framework\v1.0.3705\mscorie.dll
- 2003-12-03 18:29 . 2007-01-02 23:29 73728 c:\windows\Microsoft.NET\Framework\v1.0.3705\mscorie.dll
+ 2003-10-23 02:48 . 2009-06-24 06:12 32768 c:\windows\Microsoft.NET\Framework\v1.0.3705\aspnet_wp.exe
- 2003-10-23 02:48 . 2008-04-13 16:10 32768 c:\windows\Microsoft.NET\Framework\v1.0.3705\aspnet_wp.exe
+ 2003-12-03 18:29 . 2009-06-24 06:12 32768 c:\windows\Microsoft.NET\Framework\v1.0.3705\aspnet_state.exe
- 2003-12-03 18:29 . 2008-04-13 16:10 32768 c:\windows\Microsoft.NET\Framework\v1.0.3705\aspnet_state.exe
+ 2009-11-12 22:31 . 2009-07-03 17:09 12800 c:\windows\ie8updates\KB974455-IE8\xpshims.dll
+ 2009-11-12 22:31 . 2009-07-03 17:09 55296 c:\windows\ie8updates\KB974455-IE8\msfeedsbs.dll
+ 2009-11-12 22:31 . 2009-07-03 17:09 25600 c:\windows\ie8updates\KB974455-IE8\jsproxy.dll
+ 2009-11-12 22:27 . 2009-11-12 22:27 90112 c:\windows\assembly\NativeImages1_v1.1.4322\System.Drawing.Design\1.0.5000.0__b03f5f7f11d50a3a_76d838d4\System.Drawing.Design.dll
+ 2009-11-12 22:27 . 2009-11-12 22:27 61440 c:\windows\assembly\NativeImages1_v1.1.4322\CustomMarshalers\1.0.5000.0__b03f5f7f11d50a3a_31f8bb36\CustomMarshalers.dll
+ 2009-11-12 22:26 . 2009-11-12 22:26 90112 c:\windows\assembly\NativeImages1_v1.0.3705\System.Drawing.Design\1.0.3300.0__b03f5f7f11d50a3a_3fc2bac9\System.Drawing.Design.dll
+ 2009-11-12 22:26 . 2009-11-12 22:26 61440 c:\windows\assembly\NativeImages1_v1.0.3705\CustomMarshalers\1.0.3300.0__b03f5f7f11d50a3a_378855cf\CustomMarshalers.dll
+ 2009-11-13 23:51 . 2009-11-13 23:51 60928 c:\windows\assembly\NativeImages_v2.0.50727_32\UIAutomationProvider\b4a9e413d5cd6d6ec2d50aa05381e293\UIAutomationProvider.ni.dll
+ 2009-11-14 00:10 . 2009-11-14 00:10 36864 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.DynamicD#\4b87ca3482a3c0ee733e028ecee7de65\System.Web.DynamicData.Design.ni.dll
+ 2009-11-14 00:07 . 2009-11-14 00:07 94208 c:\windows\assembly\NativeImages_v2.0.50727_32\System.ComponentMod#\a0c71055364bd356971791284c3fb910\System.ComponentModel.DataAnnotations.ni.dll
+ 2009-11-14 00:07 . 2009-11-14 00:07 82944 c:\windows\assembly\NativeImages_v2.0.50727_32\System.AddIn.Contra#\f9a75bbdc2ce7db578b5977766a09b99\System.AddIn.Contract.ni.dll
+ 2009-11-13 23:48 . 2009-11-13 23:48 47104 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationFontCac#\3dd0f86c966c75755d62eab8ddf0634c\PresentationFontCache.ni.exe
+ 2009-11-13 23:47 . 2009-11-13 23:47 39424 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationCFFRast#\034d081fe294bab1ee1ecc98c1181424\PresentationCFFRasterizer.ni.dll
+ 2009-11-14 00:09 . 2009-11-14 00:09 55296 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Vsa\f2673aec397c52796aef05bb9d2668df\Microsoft.Vsa.ni.dll
+ 2009-11-14 00:07 . 2009-11-14 00:07 65024 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Fra#\d513fe1a81c441e7656a9b062cff4e9f\Microsoft.Build.Framework.ni.dll
+ 2009-11-14 00:07 . 2009-11-14 00:07 74752 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Fra#\c5d504724d7f351b1d034615dbb72a2a\Microsoft.Build.Framework.ni.dll
+ 2009-11-14 00:07 . 2009-11-14 00:07 14336 c:\windows\assembly\NativeImages_v2.0.50727_32\dfsvc\a664ccab020f93f1d533919f57131190\dfsvc.ni.exe
+ 2009-11-14 00:05 . 2009-11-14 00:05 25600 c:\windows\assembly\NativeImages_v2.0.50727_32\Accessibility\e63d6d26b8a664cfdfbd4ad75e03c14d\Accessibility.ni.dll
- 2009-08-06 08:08 . 2009-08-06 08:08 77824 c:\windows\assembly\GAC_MSIL\System.Web.RegularExpressions\2.0.0.0__b03f5f7f11d50a3a\System.Web.RegularExpressions.dll
+ 2009-11-12 22:32 . 2009-11-12 22:32 77824 c:\windows\assembly\GAC_MSIL\System.Web.RegularExpressions\2.0.0.0__b03f5f7f11d50a3a\System.Web.RegularExpressions.dll
- 2009-08-06 08:08 . 2009-08-06 08:08 81920 c:\windows\assembly\GAC_MSIL\System.Drawing.Design\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.Design.dll
+ 2009-11-12 22:32 . 2009-11-12 22:32 81920 c:\windows\assembly\GAC_MSIL\System.Drawing.Design\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.Design.dll
+ 2009-11-12 22:33 . 2009-11-12 22:33 81920 c:\windows\assembly\GAC_MSIL\System.Configuration.Install\2.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll
- 2009-08-06 08:08 . 2009-08-06 08:08 81920 c:\windows\assembly\GAC_MSIL\System.Configuration.Install\2.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll
+ 2009-11-12 22:32 . 2009-11-12 22:32 32768 c:\windows\assembly\GAC_MSIL\Microsoft.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.dll
- 2009-08-06 08:08 . 2009-08-06 08:08 32768 c:\windows\assembly\GAC_MSIL\Microsoft.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.dll
- 2009-08-06 08:08 . 2009-08-06 08:08 12800 c:\windows\assembly\GAC_MSIL\Microsoft.Vsa.Vb.CodeDOMProcessor\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.Vb.CodeDOMProcessor.dll
+ 2009-11-12 22:33 . 2009-11-12 22:33 12800 c:\windows\assembly\GAC_MSIL\Microsoft.Vsa.Vb.CodeDOMProcessor\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.Vb.CodeDOMProcessor.dll
- 2009-08-06 08:08 . 2009-08-06 08:08 28672 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Vsa.dll
+ 2009-11-12 22:33 . 2009-11-12 22:33 28672 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Vsa.dll
- 2009-08-06 08:08 . 2009-08-06 08:08 77824 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Utilities\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Utilities.dll
+ 2009-11-12 22:33 . 2009-11-12 22:33 77824 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Utilities\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Utilities.dll
+ 2009-11-12 22:33 . 2009-11-12 22:33 36864 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Framework\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll
- 2009-08-06 08:08 . 2009-08-06 08:08 36864 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Framework\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll
- 2009-08-06 08:08 . 2009-08-06 08:08 77824 c:\windows\assembly\GAC_MSIL\IEHost\2.0.0.0__b03f5f7f11d50a3a\IEHost.dll
+ 2009-11-12 22:32 . 2009-11-12 22:32 77824 c:\windows\assembly\GAC_MSIL\IEHost\2.0.0.0__b03f5f7f11d50a3a\IEHost.dll
+ 2009-11-12 22:32 . 2009-11-12 22:32 13312 c:\windows\assembly\GAC_MSIL\cscompmgd\8.0.0.0__b03f5f7f11d50a3a\cscompmgd.dll
- 2009-08-06 08:08 . 2009-08-06 08:08 13312 c:\windows\assembly\GAC_MSIL\cscompmgd\8.0.0.0__b03f5f7f11d50a3a\cscompmgd.dll
- 2009-08-06 08:08 . 2009-08-06 08:08 10752 c:\windows\assembly\GAC_MSIL\Accessibility\2.0.0.0__b03f5f7f11d50a3a\Accessibility.dll
+ 2009-11-12 22:32 . 2009-11-12 22:32 10752 c:\windows\assembly\GAC_MSIL\Accessibility\2.0.0.0__b03f5f7f11d50a3a\Accessibility.dll
- 2009-08-06 08:08 . 2009-08-06 08:08 72192 c:\windows\assembly\GAC_32\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\ISymWrapper.dll
+ 2009-11-12 22:33 . 2009-11-12 22:33 72192 c:\windows\assembly\GAC_32\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\ISymWrapper.dll
+ 2009-11-13 23:49 . 2009-11-13 23:49 2128896 c:\windows\assembly\NativeImages_v2.0.50727_32\ReachFramework\954685c29689d2a6126ceca1fd55e904\ReachFramework.ni.dll
+ 2009-11-13 23:49 . 2009-11-13 23:49 1657856 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationUI\a3a6f52ce1d09a7bdccc8e7fc664792d\PresentationUI.ni.dll
+ 2009-11-13 23:47 . 2009-11-13 23:47 1451008 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationBuildTa#\f906701365083c1473db31519147e263\PresentationBuildTasks.ni.dll
+ 2009-11-14 00:07 . 2009-11-14 00:07 1712128 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\6eee9b772b6d12d3dbd82f118c2ab2e5\Microsoft.VisualBasic.ni.dll
+ 2009-11-14 00:07 . 2009-11-14 00:07 1093120 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Transacti#\f19e9b439636d0744597fff1331cad04\Microsoft.Transactions.Bridge.ni.dll
+ 2009-11-14 00:09 . 2009-11-14 00:09 2332160 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.JScript\5b1af7b5be24c7ace065fe1c81c2b650\Microsoft.JScript.ni.dll
+ 2009-11-14 00:07 . 2009-11-14 00:07 1620992 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Tas#\9eec1cc7ac37e0c7f3205e8156149c5a\Microsoft.Build.Tasks.ni.dll
+ 2009-11-14 00:07 . 2009-11-14 00:07 1966080 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Tas#\28c0730288453d57d5dcd62903c4d31b\Microsoft.Build.Tasks.v3.5.ni.dll
+ 2009-11-14 00:07 . 2009-11-14 00:07 1888768 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Eng#\5dd4f58999eed37c12aee7ea9f9863ac\Microsoft.Build.Engine.ni.dll
+ 2009-11-12 22:33 . 2009-11-12 22:33 3149824 c:\windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll
- 2009-08-06 08:08 . 2009-08-06 08:08 3149824 c:\windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll
+ 2009-11-12 22:33 . 2009-11-12 22:33 2048000 c:\windows\assembly\GAC_MSIL\System.Xml\2.0.0.0__b77a5c561934e089\System.XML.dll
- 2009-08-06 08:08 . 2009-08-06 08:08 2048000 c:\windows\assembly\GAC_MSIL\System.Xml\2.0.0.0__b77a5c561934e089\System.XML.dll
- 2009-08-06 08:08 . 2009-08-06 08:08 5025792 c:\windows\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
+ 2009-11-12 22:32 . 2009-11-12 22:32 5025792 c:\windows\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
+ 2009-11-12 22:32 . 2009-11-12 22:32 5062656 c:\windows\assembly\GAC_MSIL\System.Design\2.0.0.0__b03f5f7f11d50a3a\System.Design.dll
- 2009-08-06 08:08 . 2009-08-06 08:08 5062656 c:\windows\assembly\GAC_MSIL\System.Design\2.0.0.0__b03f5f7f11d50a3a\System.Design.dll
- 2009-08-06 08:08 . 2009-08-06 08:08 5242880 c:\windows\assembly\GAC_32\System.Web\2.0.0.0__b03f5f7f11d50a3a\System.Web.dll
+ 2009-11-12 22:32 . 2009-11-12 22:32 5242880 c:\windows\assembly\GAC_32\System.Web\2.0.0.0__b03f5f7f11d50a3a\System.Web.dll
+ 2009-11-12 22:33 . 2009-11-12 22:33 2933248 c:\windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll
- 2009-08-06 08:08 . 2009-08-06 08:08 2933248 c:\windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll
+ 2009-11-12 22:33 . 2009-11-12 22:33 4546560 c:\windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll
- 2009-08-06 08:08 . 2009-08-06 08:08 4546560 c:\windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll
+ 2009-11-12 22:27 . 2009-11-12 22:27 1232896 c:\windows\assembly\GAC\System\1.0.5000.0__b77a5c561934e089\System.dll
- 2007-12-03 05:24 . 2007-12-03 05:24 1232896 c:\windows\assembly\GAC\System\1.0.5000.0__b77a5c561934e089\System.dll
- 2007-12-03 05:24 . 2007-12-03 05:24 1265664 c:\windows\assembly\GAC\System.Web\1.0.5000.0__b03f5f7f11d50a3a\System.Web.dll
+ 2009-11-12 22:27 . 2009-11-12 22:27 1265664 c:\windows\assembly\GAC\System.Web\1.0.5000.0__b03f5f7f11d50a3a\System.Web.dll
- 2008-08-31 15:14 . 2008-08-31 15:14 1200128 c:\windows\assembly\GAC\System.Web\1.0.3300.0__b03f5f7f11d50a3a\System.Web.dll
+ 2009-11-12 22:26 . 2009-11-12 22:26 1200128 c:\windows\assembly\GAC\System.Web\1.0.3300.0__b03f5f7f11d50a3a\System.Web.dll
+ 2009-11-12 22:28 . 2009-11-05 17:36 26768832 c:\windows\system32\MRT.exe
+ 2007-08-14 02:54 . 2009-08-29 08:08 11069440 c:\windows\system32\ieframe.dll
+ 2007-08-20 10:04 . 2009-08-29 08:08 11069440 c:\windows\system32\dllcache\ieframe.dll
+ 2009-08-11 05:08 . 2009-08-11 05:08 11315712 c:\windows\Microsoft.NET\Framework\v1.1.4322\Updates\M953297\M953297Uninstall.msp
+ 2009-08-15 04:32 . 2009-08-15 04:32 11110912 c:\windows\Installer\1a38f5.msp
+ 2009-08-10 22:09 . 2009-08-10 22:09 17254912 c:\windows\Installer\1a38eb.msp
+ 2009-11-12 22:31 . 2009-07-20 01:48 11067392 c:\windows\ie8updates\KB974455-IE8\ieframe.dll
+ 2009-11-13 23:50 . 2009-11-13 23:50 12430848 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\d2ea8d76f015817db1607075812b555f\System.Windows.Forms.ni.dll
+ 2009-11-14 00:10 . 2009-11-14 00:10 11796992 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web\5cea03cfb008f2eac1439a9905467f37\System.Web.ni.dll
+ 2009-11-14 00:06 . 2009-11-14 00:06 17317888 c:\windows\assembly\NativeImages_v2.0.50727_32\System.ServiceModel\06d6eab93282d2b136a377bd50b7c5a9\System.ServiceModel.ni.dll
+ 2009-11-13 23:50 . 2009-11-13 23:50 10683392 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Design\8b82e08c008924d51833cb0884bcbfc5\System.Design.ni.dll
+ 2009-11-13 23:48 . 2009-11-13 23:48 14327808 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\58c7ac6b6054038dc9346d7ec8e32b4c\PresentationFramework.ni.dll
+ 2009-11-13 23:47 . 2009-11-13 23:47 12216320 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationCore\94badbd64df59de7da249f71da38b1c2\PresentationCore.ni.dll
+ 2009-11-13 23:47 . 2009-11-13 23:47 11486720 c:\windows\assembly\NativeImages_v2.0.50727_32\mscorlib\7124a40b9998f7b63c86bd1a2125ce26\mscorlib.ni.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-17 68856]
"gStart"="c:\program files\Garmin\gStart.exe" [2006-09-06 1891416]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2008-04-14 50176]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-11-16 335872]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-08-19 4841472]
"sHotKey"="c:\program files\SONY\sHotKey\sHotKey.exe" [2003-08-22 45056]
"ezShieldProtector for Px"="c:\windows\System32\ezSP_Px.exe" [2002-08-20 40960]
"ZTgServerSwitch"="c:\program files\support.com\client\bin\tgcmd.exe" [2003-06-24 1409024]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"VAIO Recovery"="c:\windows\Sonysys\VAIO Recovery\PartSeal.exe" [2003-04-20 28672]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2008-03-26 49152]
"WatchDog"="c:\program files\mobile PhoneTools\WatchDog.exe" [2004-08-14 36864]
"SiteAdvisor"="c:\program files\SiteAdvisor\4456\SiteAdv.exe" [2006-11-03 35928]
"Adobe Photo Downloader"="d:\program files\Adobe\Photoshop Elements 5.0\apdproxy.exe" [2006-09-14 61440]
"RoxioDragToDisc"="c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2006-07-31 1116920]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-09-17 645328]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2006-08-10 221184]
"DMXLauncher"="c:\program files\Roxio\Media Experience\DMXLauncher.exe" [2006-08-14 102400]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-09-04 198160]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2009-07-23 1181064]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2003-05-23 88363]

c:\documents and settings\Brian\Start Menu\Programs\Startup\
Camio Viewer.lnk - c:\program files\Sierra Imaging\Image Expert\IXApplet.exe [2004-6-30 103424]
HotSync Manager.lnk - c:\program files\Palm\HOTSYNC.EXE [2002-8-9 299008]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
APC UPS Status.lnk - c:\program files\APC\APC PowerChute Personal Edition\Display.exe [2005-4-4 209016]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-3-25 214360]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-4 53248]
LaunchU3.exe.lnk - c:\windows\Installer\{D8E363A7-88B7-446D-B2C0-E26CE4DC8E54}\_2cd672ae.exe [2007-6-8 1078]
NkbMonitor.exe.lnk - c:\program files\Nikon\PictureProject\NkbMonitor.exe [2005-7-5 118784]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\support.com\\client\\bin\\tgcmd.exe"=
"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"d:\\Program Files\\Adobe\\Photoshop Elements 5.0\\AdobePhotoshopElementsMediaServer.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Adobe\\Photoshop Elements 7.0\\AdobePhotoshopElementsMediaServer.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"427:UDP"= 427:UDP:SLP_Port(427)

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [11/2/2009 1:29 PM 206256]
R0 SonyLSM;LED State Service;c:\windows\system32\drivers\SonyLSM.sys [2/9/2004 7:41 PM 4736]
R2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe [9/16/2008 12:03 PM 169312]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [11/2/2009 1:29 PM 348752]
S2 gupdate1c9ad6ac413a932;Google Update Service (gupdate1c9ad6ac413a932);c:\program files\Google\Update\GoogleUpdate.exe [3/25/2009 8:57 AM 133104]
S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\program files\MAGIX\Common\Database\bin\fbserver.exe [4/12/2008 4:34 PM 1527900]
S3 UPnPService;UPnPService;c:\program files\Common Files\MAGIX Shared\UPnPService\UPnPService.exe [4/12/2008 4:31 PM 544768]

--- Other Services/Drivers In Memory ---

*Deregistered* - mbr
*Deregistered* - PROCEXP113

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2009-11-12 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2009-11-13 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-25 16:56]

2009-11-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-25 16:56]

2009-09-15 c:\windows\Tasks\McDefragTask.job
- c:\windows\system32\defrag.exe [2003-12-03 00:12]

2009-07-01 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2006-11-10 19:22]

2004-03-10 c:\windows\Tasks\Registration reminder 2.job
- c:\windows\System32\OOBE\oobebaln.exe [2003-12-03 00:12]

2004-03-10 c:\windows\Tasks\Registration reminder 3.job
- c:\windows\System32\OOBE\oobebaln.exe [2003-12-03 00:12]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Brian\Application Data\Mozilla\Firefox\Profiles\mmvqs8qp.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-13 16:12
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,5e,1b,56,82,5d,b7,79,4b,ad,28,8f,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,5e,1b,56,82,5d,b7,79,4b,ad,28,8f,\
.
Completion time: 2009-11-13 16:16
ComboFix-quarantined-files.txt 2009-11-14 00:16
ComboFix2.txt 2009-11-12 22:08

Pre-Run: 468,007,084,032 bytes free
Post-Run: 467,880,386,560 bytes free

- - End Of File - - CA7D223857024A8C6B5E9C8227BDF5ED


Running from: C:\Documents and Settings\Brian\desktop\win32kdiag.exe

Log file at : C:\Documents and Settings\Brian\Desktop\Win32kDiag.txt

Removing all found mount points.

Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'C:\windows'...



Cannot access: C:\windows\$NtUninstallKB824141$\user32.dll

Attempting to restore permissions of : C:\windows\$NtUninstallKB824141$\user32.dll

Cannot access: C:\windows\$NtUninstallKB824141$\win32k.sys

Attempting to restore permissions of : C:\windows\$NtUninstallKB824141$\win32k.sys

Cannot access: C:\windows\$NtUninstallKB826939$\accwiz.exe

Attempting to restore permissions of : C:\windows\$NtUninstallKB826939$\accwiz.exe

Cannot access: C:\windows\$NtUninstallKB826939$\crypt32.dll

Attempting to restore permissions of : C:\windows\$NtUninstallKB826939$\crypt32.dll

Cannot access: C:\windows\$NtUninstallKB826939$\cryptsvc.dll

Attempting to restore permissions of : C:\windows\$NtUninstallKB826939$\cryptsvc.dll

Cannot access: C:\windows\$NtUninstallKB826939$\hh.exe

Attempting to restore permissions of : C:\windows\$NtUninstallKB826939$\hh.exe

Cannot access: C:\windows\$NtUninstallKB826939$\hhctrl.ocx

Attempting to restore permissions of : C:\windows\$NtUninstallKB826939$\hhctrl.ocx

Cannot access: C:\windows\$NtUninstallKB826939$\hhsetup.dll

Attempting to restore permissions of : C:\windows\$NtUninstallKB826939$\hhsetup.dll

Cannot access: C:\windows\$NtUninstallKB826939$\html32.cnv

Attempting to restore permissions of : C:\windows\$NtUninstallKB826939$\html32.cnv

Cannot access: C:\windows\$NtUninstallKB826939$\itircl.dll

Attempting to restore permissions of : C:\windows\$NtUninstallKB826939$\itircl.dll

Cannot access: C:\windows\$NtUninstallKB826939$\itss.dll

Attempting to restore permissions of : C:\windows\$NtUninstallKB826939$\itss.dll

Cannot access: C:\windows\$NtUninstallKB826939$\locator.exe

Attempting to restore permissions of : C:\windows\$NtUninstallKB826939$\locator.exe

Cannot access: C:\windows\$NtUninstallKB826939$\magnify.exe

Attempting to restore permissions of : C:\windows\$NtUninstallKB826939$\magnify.exe

Cannot access: C:\windows\$NtUninstallKB826939$\migwiz.exe

Attempting to restore permissions of : C:\windows\$NtUninstallKB826939$\migwiz.exe

Cannot access: C:\windows\$NtUninstallKB826939$\mrxsmb.sys

Attempting to restore permissions of : C:\windows\$NtUninstallKB826939$\mrxsmb.sys

Cannot access: C:\windows\$NtUninstallKB826939$\msconv97.dll

Attempting to restore permissions of : C:\windows\$NtUninstallKB826939$\msconv97.dll

Cannot access: C:\windows\$NtUninstallKB826939$\narrator.exe

Attempting to restore permissions of : C:\windows\$NtUninstallKB826939$\narrator.exe

Cannot access: C:\windows\$NtUninstallKB826939$\newdev.dll

Attempting to restore permissions of : C:\windows\$NtUninstallKB826939$\newdev.dll

Cannot access: C:\windows\$NtUninstallKB826939$\ntdll.dll

Attempting to restore permissions of : C:\windows\$NtUninstallKB826939$\ntdll.dll

Cannot access: C:\windows\$NtUninstallKB826939$\ntkrnlpa.exe

Attempting to restore permissions of : C:\windows\$NtUninstallKB826939$\ntkrnlpa.exe

Cannot access: C:\windows\$NtUninstallKB826939$\ntoskrnl.exe

Attempting to restore permissions of : C:\windows\$NtUninstallKB826939$\ntoskrnl.exe

Cannot access: C:\windows\$NtUninstallKB826939$\ole32.dll

Attempting to restore permissions of : C:\windows\$NtUninstallKB826939$\ole32.dll

Cannot access: C:\windows\$NtUninstallKB826939$\pchshell.dll

Attempting to restore permissions of : C:\windows\$NtUninstallKB826939$\pchshell.dll

Cannot access: C:\windows\$NtUninstallKB826939$\raspptp.sys

Attempting to restore permissions of : C:\windows\$NtUninstallKB826939$\raspptp.sys

Cannot access: C:\windows\$NtUninstallKB826939$\rpcrt4.dll

Attempting to restore permissions of : C:\windows\$NtUninstallKB826939$\rpcrt4.dll

Cannot access: C:\windows\$NtUninstallKB826939$\rpcss.dll

Attempting to restore permissions of : C:\windows\$NtUninstallKB826939$\rpcss.dll

Cannot access: C:\windows\$NtUninstallKB826939$\shell32.dll

Attempting to restore permissions of : C:\windows\$NtUninstallKB826939$\shell32.dll

Cannot access: C:\windows\$NtUninstallKB826939$\shmedia.dll

Attempting to restore permissions of : C:\windows\$NtUninstallKB826939$\shmedia.dll

Cannot access: C:\windows\$NtUninstallKB826939$\srrstr.dll

Attempting to restore permissions of : C:\windows\$NtUninstallKB826939$\srrstr.dll

Cannot access: C:\windows\$NtUninstallKB826939$\srv.sys

Attempting to restore permissions of : C:\windows\$NtUninstallKB826939$\srv.sys

Cannot access: C:\windows\$NtUninstallKB826939$\user32.dll

Attempting to restore permissions of : C:\windows\$NtUninstallKB826939$\user32.dll

Cannot access: C:\windows\$NtUninstallKB826939$\winsrv.dll

Attempting to restore permissions of : C:\windows\$NtUninstallKB826939$\winsrv.dll

Cannot access: C:\windows\$NtUninstallKB828035$\msgsvc.dll

Attempting to restore permissions of : C:\windows\$NtUninstallKB828035$\msgsvc.dll

Cannot access: C:\windows\$NtUninstallKB828035$\wkssvc.dll

Attempting to restore permissions of : C:\windows\$NtUninstallKB828035$\wkssvc.dll

Cannot access: C:\windows\$NtUninstallQ828026$\msdxm.ocx

Attempting to restore permissions of : C:\windows\$NtUninstallQ828026$\msdxm.ocx

Cannot access: C:\windows\$NtUninstallQ828026$\wmp.dll

Attempting to restore permissions of : C:\windows\$NtUninstallQ828026$\wmp.dll

Found mount point : C:\windows\addins\addins

Mount point destination : \Device\__max++>\^

Removing mount point : C:\windows\addins\addins

Found mount point : C:\windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP620.tmp\ZAP620.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP620.tmp\ZAP620.tmp

Found mount point : C:\windows\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\windows\assembly\tmp\tmp

Found mount point : C:\windows\BBSTORE\DSS\DSS

Mount point destination : \Device\__max++>\^

Removing mount point : C:\windows\BBSTORE\DSS\DSS

Found mount point : C:\windows\Cache\Adobe Reader 6.0\Adobe Reader 6.0

Mount point destination : \Device\__max++>\^

Removing mount point : C:\windows\Cache\Adobe Reader 6.0\Adobe Reader 6.0

Found mount point : C:\windows\Cache\Adobe Reader 6.0.1\Adobe Reader 6.0.1

Mount point destination : \Device\__max++>\^

Removing mount point : C:\windows\Cache\Adobe Reader 6.0.1\Adobe Reader 6.0.1

Found mount point : C:\windows\Config\Config

Mount point destination : \Device\__max++>\^

Removing mount point : C:\windows\Config\Config

Found mount point : C:\windows\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Removing mount point : C:\windows\Connection Wizard\Connection Wizard

Found mount point : C:\windows\CSC\d1\d1

Mount point destination : \Device\__max++>\^

Removing mount point : C:\windows\CSC\d1\d1

Found mount point : C:\windows\CSC\d2\d2

Mount point destination : \Device\__max++>\^

Removing mount point : C:\windows\CSC\d2\d2

Found mount point : C:\windows\CSC\d3\d3

Mount point destination : \Device\__max++>\^

Removing mount point : C:\windows\CSC\d3\d3

Found mount point : C:\windows\CSC\d4\d4

Mount point destination : \Device\__max++>\^

Removing mount point : C:\windows\CSC\d4\d4

Found mount point : C:\windows\CSC\d5\d5

Mount point destination : \Device\__max++>\^

Removing mount point : C:\windows\CSC\d5\d5

Found mount point : C:\windows\CSC\d6\d6

Mount point destination : \Device\__max++>\^

Removing mount point : C:\windows\CSC\d6\d6

Found mount point : C:\windows\CSC\d7\d7

Mount point destination : \Device\__max++>\^

Removing mount point : C:\windows\CSC\d7\d7

Found mount point : C:\windows\CSC\d8\d8

Mount point destination : \Device\__max++>\^

Removing mount point : C:\windows\CSC\d8\d8

Found mount point : C:\windows\ftpcache\ftpcache

Mount point destination : \Device\__max++>\^

Removing mount point : C:\windows\ftpcache\ftpcache

Found mount point : C:\windows\ime\imejp\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\windows\ime\imejp\applets\applets

Found mount point : C:\windows\ime\imejp98\imejp98

Mount point destination : \Device\__max++>\^

Removing mount point : C:\windows\ime\imejp98\imejp98

Found mount point : C:\windows\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Mount point destination : \Device\__max++>\^

Removing mount point : C:\windows\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Found mount point : C:\windows\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Mount point destination : \Device\__max++>\^

Removing mount point : C:\windows\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Found mount point : C:\windows\java\classes\classes

Mount point destination : \Device\__max++>\^

Removing mount point : C:\windows\java\classes\classes

Found mount point : C:\windows\java\trustlib\trustlib

Mount point destination : \Device\__max++>\^

Removing mount point : C:\windows\java\trustlib\trustlib

Found mount point : C:\windows\Microsoft.NET\Framework\v1.0.3705\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\windows\Microsoft.NET\Framework\v1.0.3705\Temporary ASP.NET Files\Bind Logs\Bind Logs

Found mount point : C:\windows\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\windows\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Found mount point : C:\windows\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Mount point destination : \Device\__max++>\^

Removing mount point : C:\windows\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Found mount point : C:\windows\msapps\msinfo\msinfo

Mount point destination : \Device\__max++>\^

Removing mount point : C:\windows\msapps\msinfo\msinfo

Found mount point : C:\windows\pchealth\ERRORREP\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Removing mount point : C:\windows\pchealth\ERRORREP\QHEADLES\QHEADLES

Found mount point : C:\windows\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Removing mount point : C:\windows\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF

Found mount point : C:\windows\pchealth\helpctr\batch\batch

Mount point destination : \Device\__max++>\^

Removing mount point : C:\windows\pchealth\helpctr\batch\batch

Cannot access: C:\windows\pchealth\helpctr\Binaries\helpsvc.exe

Attempting to restore permissions of : C:\windows\pchealth\helpctr\Binaries\helpsvc.exe

Found mount point : C:\windows\pchealth\helpctr\Config\CheckPoint\CheckPoint

Mount point destination : \Device\__max++>\^

Removing mount point : C:\windows\pchealth\helpctr\Config\CheckPoint\CheckPoint

Found mount point : C:\windows\pchealth\helpctr\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Removing mount point : C:\windows\pchealth\helpctr\HelpFiles\HelpFiles

Found mount point : C:\windows\pchealth\helpctr\InstalledSKUs\InstalledSKUs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\windows\pchealth\helpctr\InstalledSKUs\InstalledSKUs

Found mount point : C:\windows\pchealth\helpctr\System\DFS\DFS

Mount point destination : \Device\__max++>\^

Removing mount point : C:\windows\pchealth\helpctr\System\DFS\DFS

Found mount point : C:\windows\pchealth\helpctr\System\News\News

Mount point destination : \Device\__max++>\^

Removing mount point : C:\windows\pchealth\helpctr\System\News\News

Found mount point : C:\windows\pchealth\helpctr\Temp\Temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\windows\pchealth\helpctr\Temp\Temp

Found mount point : C:\windows\PIF\PIF

Mount point destination : \Device\__max++>\^

Removing mount point : C:\windows\PIF\PIF

Found mount point : C:\windows\Profiles\All Users\Adobe\Webbuy\Webbuy

Mount point destination : \Device\__max++>\^

Removing mount point : C:\windows\Profiles\All Users\Adobe\Webbuy\Webbuy

Found mount point : C:\windows\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Removing mount point : C:\windows\Registration\CRMLog\CRMLog

Found mount point : C:\windows\SoftwareDistribution\AuthCabs\AuthCabs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\windows\SoftwareDistribution\AuthCabs\AuthCabs

Found mount point : C:\windows\SoftwareDistribution\Download\0bfb0fd6d1529228f4175fc177388244\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\windows\SoftwareDistribution\Download\0bfb0fd6d1529228f4175fc177388244\backup\backup

Found mount point : C:\windows\SoftwareDistribution\SelfUpdate\Registered\Registered

Mount point destination : \Device\__max++>\^

Removing mount point : C:\windows\SoftwareDistribution\SelfUpdate\Registered\Registered

Found mount point : C:\windows\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Removing mount point : C:\windows\Sun\Java\Deployment\Deployment

Found mount point : C:\windows\SxsCaPendDel\SxsCaPendDel

Mount point destination : \Device\__max++>\^

Removing mount point : C:\windows\SxsCaPendDel\SxsCaPendDel

Cannot access: C:\windows\Temp\HPSLPS002.log

Attempting to restore permissions of : C:\windows\Temp\HPSLPS002.log

[1] 2009-11-13 15:48:47 2092 C:\windows\Temp\HPSLPS002.log ()



Found mount point : C:\windows\TWAIN\TWAIN

Mount point destination : \Device\__max++>\^

Removing mount point : C:\windows\TWAIN\TWAIN

Found mount point : C:\windows\WinSxS\InstallTemp\InstallTemp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\windows\WinSxS\InstallTemp\InstallTemp

Found mount point : C:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2

Mount point destination : \Device\__max++>\^

Removing mount point : C:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2



Finished!


Junction v1.05 - Windows junction creator and reparse point viewer
Copyright © 2000-2007 Mark Russinovich
Systems Internals - http://www.sysinternals.com


Failed to open \\?\c:\\hiberfil.sys: The process cannot access the file because it is being used by another process.



Failed to open \\?\c:\\pagefile.sys: The process cannot access the file because it is being used by another process.


.
Failed to open \\?\c:\\Documents and Settings\Administrator\Desktop\hijakthis.exe: Access is denied.



Failed to open \\?\c:\\Program Files\Mal22222\mbam.exe: Access is denied.



Failed to open \\?\c:\\Program Files\Mal22222\tim.exe: Access is denied.



Failed to open \\?\c:\\Program Files\Mal222221\mbit.exe: Access is denied.



Failed to open \\?\c:\\Program Files\malware bytes for anitvirus pr 2010\mbytes.exe.exe: Access is denied.



Failed to open \\?\c:\\Program Files\Malwarebytes' Anti-Malware\mbam.exe: Access is denied.


Failed to open \\?\c:\\Program Files\McAfee\VirusScan\mcods.exe: Access is denied.



Failed to open \\?\c:\\Program Files\Spybot - Search & Destroy\SpybotSD.exe: Access is denied.



Failed to open \\?\c:\\Program Files\Spybot - Search & Destroyb\SpybotSD.exe: Access is denied.



Failed to open \\?\c:\\Program Files\Spyware Doctor\pctsSvc.exe: Access is denied.


Failed to open \\?\c:\\Program Files\Trend Micro\HijackThis\HijackThis.exe: Access is denied.


Failed to open \\?\c:\\System Volume Information\MountPointManagerRemoteDatabase: Access is denied.




\\?\c:\\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a: JUNCTION
Print Name : C:\windows\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790
Substitute Name: C:\windows\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790

\\?\c:\\WINDOWS\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a: JUNCTION
Print Name : C:\windows\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e
Substitute Name: C:\windows\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e

Failed to open \\?\c:\\WINDOWS\Temp\HPSLPS002.log: Access is denied.

#6 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,316 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:10:20 PM

Posted 14 November 2009 - 05:14 AM

Hello bonkers1961,

We need to reset the permissions altered by the malware on a file.
  • Download this tool and save it to the desktop: http://download.bleepingcomputer.com/sUBs/...xes/Inherit.exe
  • Go to Start => Run => Copy and paste the first line of the following lines in the run box and click OK (repeat the process for each of the following lines):

    "%userprofile%\desktop\inherit" "c:\Documents and Settings\Administrator\Desktop\hijakthis.exe"
    "%userprofile%\desktop\inherit" "c:\Program Files\Mal22222\mbam.exe"
    "%userprofile%\desktop\inherit" "c:\Program Files\Mal22222\tim.exe"
    "%userprofile%\desktop\inherit" "c:\Program Files\Mal222221\mbit.exe"
    "%userprofile%\desktop\inherit" "c:\Program Files\malware bytes for anitvirus pr 2010\mbytes.exe.exe"
    "%userprofile%\desktop\inherit" "c:\Program Files\Malwarebytes' Anti-Malware\mbam.exe"

  • If you get a security warning select Run.
  • You will get a "Finish" popup. Click OK.
MALWAREBYTES ANTIMALWARE
-------------------------------------------
Please start MBAM and click Check for updates on the Updates tab.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Full Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.


Do you know what these folders are? Did you create them?
c:\Program Files\Mal22222
c:\Program Files\Mal222221
c:\Program Files\malware bytes for anitvirus pr 2010


In your next reply, please include the following:
  • MBAM log

Edited by elise025, 14 November 2009 - 05:15 AM.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft
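The Inherit.exe step above, redone with built-in cmdlets as an added example (not part of the thread and not the tool's own code): for each executable the Junction log reported as "Access is denied", it takes ownership, removes explicit Deny entries, re-enables ACL inheritance from the parent folder, and then checks that the file can actually be opened. It assumes an elevated PowerShell prompt; the paths are the ones listed in the post, and the `Repair-FileInheritance` function name is my own.

```powershell
# Added example: restore inherited permissions on security-tool executables
# whose DACL was altered by the malware (the files Junction could not open).
# Equivalent in intent to the Inherit.exe step; uses only built-in tooling.
# Run from an elevated prompt. Written to stay compatible with PowerShell 2.0.

$targets = @(
    'C:\Documents and Settings\Administrator\Desktop\hijakthis.exe',
    'C:\Program Files\Mal22222\mbam.exe',
    'C:\Program Files\Mal22222\tim.exe',
    'C:\Program Files\Mal222221\mbit.exe',
    'C:\Program Files\malware bytes for anitvirus pr 2010\mbytes.exe.exe',
    "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe"
)

function Repair-FileInheritance {
    param([Parameter(Mandatory=$true)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) {
        return New-Object PSObject -Property @{ Path = $Path; Status = 'missing' }
    }

    # Take ownership first: a DACL set by malware can lock out Administrators,
    # but an administrator can always take ownership (SeTakeOwnershipPrivilege),
    # and the owner may always rewrite the DACL.
    takeown.exe /F "$Path" | Out-Null

    $acl = Get-Acl -LiteralPath $Path
    $wasProtected = $acl.AreAccessRulesProtected   # $true = inheritance was disabled

    # Collect the explicit (non-inherited) Deny entries before removing them,
    # so the report shows what was stripped.
    $denies = @($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and -not $_.IsInherited
    })
    foreach ($ace in $denies) { [void]$acl.RemoveAccessRule($ace) }

    # SetAccessRuleProtection($isProtected, $preserveInheritance):
    #   $false = re-enable inheritance from the parent folder
    #   $true  = keep the remaining explicit entries instead of discarding them
    $acl.SetAccessRuleProtection($false, $true)
    Set-Acl -LiteralPath $Path -AclObject $acl

    # Verify the repair: the original symptom was that the file could not be opened.
    try {
        $fs = [System.IO.File]::OpenRead($Path)
        $fs.Close()
        $readable = $true
    } catch {
        $readable = $false
    }

    New-Object PSObject -Property @{
        Path          = $Path
        WasProtected  = $wasProtected
        DeniesRemoved = $denies.Count
        Status        = $(if ($readable) { 'readable' } else { 'still denied' })
    }
}

$targets | ForEach-Object { Repair-FileInheritance -Path $_ } |
    Format-Table Path, WasProtected, DeniesRemoved, Status -AutoSize
```

A file that still reports "still denied" after this usually means something other than the DACL is blocking it (for example a filter driver or the malware still running), which is exactly the case where the rootkit scan requested later in the thread is the next step.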


#7 bonkers1961

bonkers1961
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:02:20 PM

Posted 14 November 2009 - 11:51 PM

Elise,
When I was trying to run Malwarebytes I changed the names in the hope of being able to run the program, so I created these:

c:\Program Files\Mal22222
c:\Program Files\Mal222221
c:\Program Files\malware bytes for anitvirus pr 201

They were all downloads of the malware program

Here is the malware log:

Malwarebytes' Anti-Malware 1.41
Database version: 2775
Windows 5.1.2600 Service Pack 3

11/14/2009 8:49:30 PM
mbam-log-2009-11-14 (20-49-30).txt

Scan type: Full Scan (C:\|D:\|J:\|K:\|L:\|)
Objects scanned: 423594
Time elapsed: 1 hour(s), 28 minute(s), 6 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{014da6c4-189f-421a-88cd-07cfe51cff10} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{014da6c1-189f-421a-88cd-07cfe51cff10} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Qoobox\Quarantine\C\WINDOWS\system32\eventlog.dll.vir (Trojan.Sirefef) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP2\A0000127.sys (Rootkit.Rustock) -> Quarantined and deleted successfully.

#8 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,316 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:10:20 PM

Posted 15 November 2009 - 02:43 AM

Hello,

Looks better already :( How is everything running now?

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.


Please include the following in your next reply
  • A detailed description of your problems
  • A new DDS log (post also attach.txt)
  • RootRepeal log

Edited by elise025, 15 November 2009 - 02:44 AM.

regards, Elise




#9 bonkers1961

bonkers1961
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:02:20 PM

Posted 17 November 2009 - 12:32 AM

Elise,
The computer is running great, no problems so far. Thank you so much. Here are the logs you requested. Also attached is the zip file "attach".


DDS (Ver_09-10-26.01) - NTFSx86
Run by Brian at 10:21:31.10 on Mon 11/16/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.267 [GMT -8:00]

AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\windows\system32\svchost -k DcomLaunch
svchost.exe
C:\windows\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\windows\system32\spoolsv.exe
C:\windows\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\windows\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\SONY\sHotKey\sHotKey.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\windows\AGRSMMSG.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\mobile PhoneTools\WatchDog.exe
svchost.exe
C:\Program Files\SiteAdvisor\4456\SiteAdv.exe
D:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
C:\Program Files\Roxio\Media Experience\DMXLauncher.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
D:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Garmin\gStart.exe
C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\windows\ehome\ehSched.exe
C:\Documents and Settings\All Users\Application Data\U3\U3Launcher\LaunchU3.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\Sierra Imaging\Image Expert\IXApplet.exe
C:\windows\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Palm\HOTSYNC.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\windows\System32\svchost.exe -k HPZ12
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\windows\System32\svchost.exe -k HPZ12
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Common Files\Sony Shared\WMPlugIn\SonicStageMonitoring.exe
C:\Program Files\Sony\Sony TV Tuner Library\SMceMan.exe
C:\windows\System32\svchost.exe -k imgsvc
C:\Program Files\Sony\VAIO Media Integrated Server\Music\SSSvr.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Photo\appsrv\PhotoAppSrv.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Video\GPVSvr.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
C:\windows\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\windows\system32\wuauclt.exe
C:\windows\system32\svchost.exe -k HPService
C:\Program Files\iPod\bin\iPodService.exe
C:\windows\system32\wscntfy.exe
C:\Program Files\Sony\Sony TV Tuner Library\RM_SV.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\MSN\Toolbar\3.0.0983.0\msntask.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\windows\ehome\ehmsas.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\Documents and Settings\Brian\Desktop\dds.scr
C:\Program Files\Common Files\McAfee\HackerWatch\HWUpdChk.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
TB: Yahoo! Companion: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\ycomp5_5_7_0.dll
TB: {4E7BD74F-2B8D-469E-9EB4-FE6FA694B13E} - No File
TB: McAfee SiteAdvisor: {0bf43445-2f28-4351-9252-17fe6e806aa0} - c:\program files\siteadvisor\4608\SiteAdv.dll
TB: Ask Toolbar: {f0d4b239-da4b-4daf-81e4-dfee4931a4aa} - c:\program files\asksbar\bar\1.bin\ASKSBAR.DLL
TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.0983.0\msneshellx.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [gStart] c:\program files\garmin\gStart.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [sHotKey] "c:\program files\sony\shotkey\sHotKey.exe"
mRun: [ezShieldProtector for Px] c:\windows\system32\ezSP_Px.exe
mRun: [ZTgServerSwitch] "c:\program files\support.com\client\bin\tgcmd.exe" /server
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [VAIO Recovery] c:\windows\sonysys\vaio recovery\PartSeal.exe
mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd2.exe"
mRun: [WatchDog] c:\program files\mobile phonetools\WatchDog.exe
mRun: [SiteAdvisor] c:\program files\siteadvisor\4456\SiteAdv.exe
mRun: [Adobe Photo Downloader] "d:\program files\adobe\photoshop elements 5.0\apdproxy.exe"
mRun: [RoxioDragToDisc] "c:\program files\roxio\drag-to-disc\DrgToDsc.exe"
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
mRun: [DMXLauncher] "c:\program files\roxio\media experience\DMXLauncher.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
StartupFolder: c:\docume~1\brian\startm~1\programs\startup\camiov~1.lnk - c:\program files\sierra imaging\image expert\IXApplet.exe
StartupFolder: c:\docume~1\brian\startm~1\programs\startup\hotsyn~1.lnk - c:\program files\palm\HOTSYNC.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\apcups~1.lnk - c:\program files\apc\apc powerchute personal edition\Display.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpimag~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\launch~1.lnk - c:\windows\installer\{d8e363a7-88b7-446d-b2c0-e26ce4dc8e54}\_2cd672ae.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\nkbmon~1.lnk - c:\program files\nikon\pictureproject\NkbMonitor.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroyb\SDHelper.dll
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,76/mcinsctl.cab
DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - hxxp://www.nick.com/common/groove/gx/GrooveAX27.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,16/mcgdmgr.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - c:\program files\siteadvisor\4608\SiteAdv.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\brian\applic~1\mozilla\firefox\profiles\mmvqs8qp.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-11-2 206256]
R0 SonyLSM;LED State Service;c:\windows\system32\drivers\SonyLSM.sys [2004-2-9 4736]
R2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\adobe\photoshop elements 7.0\PhotoshopElementsFileAgent.exe [2008-9-16 169312]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-11-2 348752]
S2 gupdate1c9ad6ac413a932;Google Update Service (gupdate1c9ad6ac413a932);c:\program files\google\update\GoogleUpdate.exe [2009-3-25 133104]
S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\program files\magix\common\database\bin\fbserver.exe [2008-4-12 1527900]
S3 UPnPService;UPnPService;c:\program files\common files\magix shared\upnpservice\UPnPService.exe [2008-4-12 544768]

=============== Created Last 30 ================

2009-11-14 00:33:33 95616 ----a-w- c:\windows\junction.exe
2009-11-13 23:54:09 0 d-----w- C:\ComboFix
2009-11-12 22:30:17 127 ----a-w- c:\windows\system32\MRT.INI
2009-11-12 21:52:56 50176 ----a-w- c:\windows\system32\proquota.exe
2009-11-12 21:32:23 0 d-sha-r- C:\cmdcons
2009-11-12 21:30:42 98816 ----a-w- c:\windows\sed.exe
2009-11-12 21:30:42 77312 ----a-w- c:\windows\MBR.exe
2009-11-12 21:30:42 260608 ----a-w- c:\windows\PEV.exe
2009-11-12 21:30:42 161792 ----a-w- c:\windows\SWREG.exe
2009-11-03 00:08:41 452 --sha-r- c:\documents and settings\brian\ntuser.pol
2009-11-02 23:59:42 0 d-----w- c:\program files\Spybot - Search & Destroyb
2009-11-02 23:45:40 0 d-----w- c:\program files\Mal222221
2009-11-02 23:30:54 0 d--h--w- c:\windows\system32\GroupPolicy
2009-11-02 22:39:26 0 d-----w- c:\program files\Mal22222
2009-11-02 22:19:16 17556 ----a-w- c:\windows\system32\fofifuveg.lib
2009-11-02 22:14:37 157712 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-11-02 21:46:07 0 d-----w- c:\program files\Trend Micro
2009-11-02 21:29:20 159600 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-11-02 21:29:14 86888 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-11-02 21:29:14 7396 ----a-w- c:\windows\system32\drivers\pctcore.cat
2009-11-02 21:29:14 206256 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-11-02 21:29:07 64392 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-11-02 21:29:07 0 d-----w- c:\program files\common files\PC Tools
2009-11-02 21:29:02 0 d-----w- c:\program files\Spyware Doctor
2009-11-02 21:29:02 0 d-----w- c:\docume~1\alluse~1\applic~1\PC Tools
2009-11-02 21:18:50 0 dc----w- c:\docume~1\alluse~1\applic~1\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-11-02 21:11:42 0 d-----w- c:\program files\Spybot - Search & Destroy
2009-11-02 21:11:42 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-11-02 21:06:02 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-02 21:06:01 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-02 21:06:01 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-31 19:17:34 0 d-----w- c:\program files\malware bytes for anitvirus pr 2010
2009-10-31 19:04:56 0 d--h--w- c:\windows\PIF
2009-10-31 18:25:36 0 d-----w- c:\docume~1\brian\applic~1\Malwarebytes
2009-10-31 18:25:28 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

==================== Find3M ====================

2009-10-01 19:53:31 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_netaapl_01005.Wdf
2009-10-01 19:53:23 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-04 21:03:36 58880 ------w- c:\windows\system32\dllcache\msasn1.dll
2009-08-29 02:42:52 2065696 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-08-28 10:35:52 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2009-08-26 08:00:21 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-26 08:00:21 247326 ------w- c:\windows\system32\dllcache\strmdll.dll
2009-08-21 19:34:00 68951 ----a-w- c:\windows\hpoins05.dat
2009-08-21 19:00:36 166130 ----a-w- c:\windows\hpoins30.dat
2008-08-31 18:49:11 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008083120080901\index.dat

============= FINISH: 10:22:13.53 ===============


GMER 1.0.15.15227 - http://www.gmer.net
Rootkit scan 2009-11-16 21:27:40
Windows 5.1.2600 Service Pack 3
Running: 8ov346gp.exe; Driver: C:\DOCUME~1\Brian\LOCALS~1\Temp\pxtdapod.sys


---- System - GMER 1.0.15 ----

SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateKey [0xF7531D72]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcess [0xF75129A6]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcessEx [0xF7512B98]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwDeleteKey [0xF7532568]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwDeleteValueKey [0xF7532820]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwOpenKey [0xF7530A80]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwRenameKey [0xF7532C8A]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwSetValueKey [0xF7532036]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwTerminateProcess [0xF7512656]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xB217D4EC]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xB217D52C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xB217D470]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xB217D484]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xB217D500]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xB217D4D8]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xB217D4C4]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xB217D542]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xB217D516]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!ZwYieldExecution 80515A6A 7 Bytes JMP B217D51A \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtCreateFile 8057C328 5 Bytes JMP B217D4F0 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtSetInformationProcess 8057CFC0 5 Bytes JMP B217D4C8 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwUnmapViewOfSection 8057DEF1 5 Bytes JMP B217D546 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtMapViewOfSection 8057E369 7 Bytes JMP B217D530 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtOpenProcess 80581702 5 Bytes JMP B217D474 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwProtectVirtualMemory 80581889 7 Bytes JMP B217D504 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtOpenThread 805E1941 5 Bytes JMP B217D488 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwSetContextThread 80635977 5 Bytes JMP B217D4DC \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

---- User code sections - GMER 1.0.15 ----

.text C:\windows\System32\svchost.exe[436] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00C40FE5
.text C:\windows\System32\svchost.exe[436] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00C40F5F
.text C:\windows\System32\svchost.exe[436] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00C40054
.text C:\windows\System32\svchost.exe[436] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00C40039
.text C:\windows\System32\svchost.exe[436] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00C40F7C
.text C:\windows\System32\svchost.exe[436] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00C40FB2
.text C:\windows\System32\svchost.exe[436] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00C40094
.text C:\windows\System32\svchost.exe[436] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00C40079
.text C:\windows\System32\svchost.exe[436] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00C400CA
.text C:\windows\System32\svchost.exe[436] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00C40F31
.text C:\windows\System32\svchost.exe[436] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00C40F16
.text C:\windows\System32\svchost.exe[436] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00C40F97
.text C:\windows\System32\svchost.exe[436] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00C40FD4
.text C:\windows\System32\svchost.exe[436] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00C40F4E
.text C:\windows\System32\svchost.exe[436] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00C4001E
.text C:\windows\System32\svchost.exe[436] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00C40FC3
.text C:\windows\System32\svchost.exe[436] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00C400A5
.text C:\windows\System32\svchost.exe[436] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00C30FAF
.text C:\windows\System32\svchost.exe[436] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00C30F5B
.text C:\windows\System32\svchost.exe[436] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00C30FC0
.text C:\windows\System32\svchost.exe[436] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00C30000
.text C:\windows\System32\svchost.exe[436] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00C30022
.text C:\windows\System32\svchost.exe[436] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00C30FEF
.text C:\windows\System32\svchost.exe[436] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00C30F8A
.text C:\windows\System32\svchost.exe[436] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [E3, 88] {JECXZ 0xffffffffffffff8a}
.text C:\windows\System32\svchost.exe[436] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00C30011
.text C:\windows\System32\svchost.exe[436] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00C20040
.text C:\windows\System32\svchost.exe[436] msvcrt.dll!system 77C293C7 5 Bytes JMP 00C20025
.text C:\windows\System32\svchost.exe[436] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00C20FC6
.text C:\windows\System32\svchost.exe[436] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00C20000
.text C:\windows\System32\svchost.exe[436] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00C20FB5
.text C:\windows\System32\svchost.exe[436] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00C20FE3
.text C:\windows\System32\svchost.exe[436] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00C00000
.text C:\windows\System32\svchost.exe[436] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00C00FDB
.text C:\windows\System32\svchost.exe[436] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00C00FCA
.text C:\windows\System32\svchost.exe[436] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00C00FB9
.text C:\windows\System32\svchost.exe[436] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00C10000
.text C:\windows\System32\svchost.exe[632] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00CE0000
.text C:\windows\System32\svchost.exe[632] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00CE0F61
.text C:\windows\System32\svchost.exe[632] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00CE0056
.text C:\windows\System32\svchost.exe[632] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00CE0F7C
.text C:\windows\System32\svchost.exe[632] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00CE0F8D
.text C:\windows\System32\svchost.exe[632] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00CE0FB9
.text C:\windows\System32\svchost.exe[632] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00CE009F
.text C:\windows\System32\svchost.exe[632] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00CE008E
.text C:\windows\System32\svchost.exe[632] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00CE00DF
.text C:\windows\System32\svchost.exe[632] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00CE00C4
.text C:\windows\System32\svchost.exe[632] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00CE0F2B
.text C:\windows\System32\svchost.exe[632] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00CE0F9E
.text C:\windows\System32\svchost.exe[632] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00CE0FEF
.text C:\windows\System32\svchost.exe[632] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00CE0071
.text C:\windows\System32\svchost.exe[632] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00CE0025
.text C:\windows\System32\svchost.exe[632] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00CE0FDE
.text C:\windows\System32\svchost.exe[632] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00CE0F46
.text C:\windows\System32\svchost.exe[632] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00CD0FD4
.text C:\windows\System32\svchost.exe[632] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00CD0F9E
.text C:\windows\System32\svchost.exe[632] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00CD001B
.text C:\windows\System32\svchost.exe[632] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00CD0FE5
.text C:\windows\System32\svchost.exe[632] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00CD005B
.text C:\windows\System32\svchost.exe[632] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00CD0000
.text C:\windows\System32\svchost.exe[632] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00CD0FB9
.text C:\windows\System32\svchost.exe[632] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [ED, 88]
.text C:\windows\System32\svchost.exe[632] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00CD0040
.text C:\windows\System32\svchost.exe[632] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00CC0073
.text C:\windows\System32\svchost.exe[632] msvcrt.dll!system 77C293C7 5 Bytes JMP 00CC0058
.text C:\windows\System32\svchost.exe[632] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00CC0029
.text C:\windows\System32\svchost.exe[632] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00CC0FEF
.text C:\windows\System32\svchost.exe[632] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00CC0FDE
.text C:\windows\System32\svchost.exe[632] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00CC000C
.text C:\windows\system32\services.exe[768] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01510FEF
.text C:\windows\system32\services.exe[768] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01510F69
.text C:\windows\system32\services.exe[768] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01510054
.text C:\windows\system32\services.exe[768] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01510F7A
.text C:\windows\system32\services.exe[768] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01510039
.text C:\windows\system32\services.exe[768] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01510FA8
.text C:\windows\system32\services.exe[768] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 01510F3D
.text C:\windows\system32\services.exe[768] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 01510F4E
.text C:\windows\system32\services.exe[768] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 01510F22
.text C:\windows\system32\services.exe[768] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 015100B1
.text C:\windows\system32\services.exe[768] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 015100D6
.text C:\windows\system32\services.exe[768] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 01510F97
.text C:\windows\system32\services.exe[768] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 0151000A
.text C:\windows\system32\services.exe[768] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 01510079
.text C:\windows\system32\services.exe[768] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 01510FC3
.text C:\windows\system32\services.exe[768] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 01510FD4
.text C:\windows\system32\services.exe[768] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 015100A0
.text C:\windows\system32\services.exe[768] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 0150002C
.text C:\windows\system32\services.exe[768] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 01500087
.text C:\windows\system32\services.exe[768] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 0150001B
.text C:\windows\system32\services.exe[768] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 01500FE5
.text C:\windows\system32\services.exe[768] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 01500FCA
.text C:\windows\system32\services.exe[768] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 01500000
.text C:\windows\system32\services.exe[768] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 0150006C
.text C:\windows\system32\services.exe[768] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 01500051
.text C:\windows\system32\services.exe[768] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 014F0F86
.text C:\windows\system32\services.exe[768] msvcrt.dll!system 77C293C7 5 Bytes JMP 014F0FA1
.text C:\windows\system32\services.exe[768] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 014F0FD7
.text C:\windows\system32\services.exe[768] msvcrt.dll!_open 77C2F566 5 Bytes JMP 014F0000
.text C:\windows\system32\services.exe[768] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 014F0FBC
.text C:\windows\system32\services.exe[768] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 014F0011
.text C:\windows\system32\services.exe[768] WS2_32.dll!socket 71AB4211 5 Bytes JMP 014E0000
.text C:\windows\system32\lsass.exe[780] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00FD0FEF
.text C:\windows\system32\lsass.exe[780] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00FD008C
.text C:\windows\system32\lsass.exe[780] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00FD0F8D
.text C:\windows\system32\lsass.exe[780] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00FD0F9E
.text C:\windows\system32\lsass.exe[780] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00FD0FAF
.text C:\windows\system32\lsass.exe[780] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00FD0047
.text C:\windows\system32\lsass.exe[780] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00FD00CE
.text C:\windows\system32\lsass.exe[780] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00FD00B3
.text C:\windows\system32\lsass.exe[780] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00FD00DF
.text C:\windows\system32\lsass.exe[780] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00FD0F50
.text C:\windows\system32\lsass.exe[780] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00FD0F2B
.text C:\windows\system32\lsass.exe[780] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00FD0FC0
.text C:\windows\system32\lsass.exe[780] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00FD0000
.text C:\windows\system32\lsass.exe[780] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00FD0F7C
.text C:\windows\system32\lsass.exe[780] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00FD002C
.text C:\windows\system32\lsass.exe[780] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00FD001B
.text C:\windows\system32\lsass.exe[780] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00FD0F6B
.text C:\windows\system32\lsass.exe[780] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00FC0FD4
.text C:\windows\system32\lsass.exe[780] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00FC0FA8
.text C:\windows\system32\lsass.exe[780] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00FC001B
.text C:\windows\system32\lsass.exe[780] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00FC0FE5
.text C:\windows\system32\lsass.exe[780] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00FC005B
.text C:\windows\system32\lsass.exe[780] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00FC0000
.text C:\windows\system32\lsass.exe[780] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00FC0FB9
.text C:\windows\system32\lsass.exe[780] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [1C, 89] {SBB AL, 0x89}
.text C:\windows\system32\lsass.exe[780] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00FC0040
.text C:\windows\system32\lsass.exe[780] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00D00058
.text C:\windows\system32\lsass.exe[780] msvcrt.dll!system 77C293C7 5 Bytes JMP 00D0003D
.text C:\windows\system32\lsass.exe[780] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00D00FD7
.text C:\windows\system32\lsass.exe[780] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00D00000
.text C:\windows\system32\lsass.exe[780] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00D0002C
.text C:\windows\system32\lsass.exe[780] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00D00011
.text C:\windows\system32\lsass.exe[780] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00070FE5
.text C:\windows\system32\svchost.exe[1096] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00D50FEF
.text C:\windows\system32\svchost.exe[1096] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00D50F68
.text C:\windows\system32\svchost.exe[1096] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00D50067
.text C:\windows\system32\svchost.exe[1096] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00D50F83
.text C:\windows\system32\svchost.exe[1096] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00D50F9E
.text C:\windows\system32\svchost.exe[1096] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00D50FB9
.text C:\windows\system32\svchost.exe[1096] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00D50F46
.text C:\windows\system32\svchost.exe[1096] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00D50F57
.text C:\windows\system32\svchost.exe[1096] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00D500B0
.text C:\windows\system32\svchost.exe[1096] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00D50F17
.text C:\windows\system32\svchost.exe[1096] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00D500C1
.text C:\windows\system32\svchost.exe[1096] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00D50040
.text C:\windows\system32\svchost.exe[1096] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00D5000A
.text C:\windows\system32\svchost.exe[1096] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00D50078
.text C:\windows\system32\svchost.exe[1096] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00D5001B
.text C:\windows\system32\svchost.exe[1096] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00D50FD4
.text C:\windows\system32\svchost.exe[1096] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00D5009F
.text C:\windows\system32\svchost.exe[1096] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00D40025
.text C:\windows\system32\svchost.exe[1096] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00D40FA5
.text C:\windows\system32\svchost.exe[1096] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00D40FCA
.text C:\windows\system32\svchost.exe[1096] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00D4000A
.text C:\windows\system32\svchost.exe[1096] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00D4006C
.text C:\windows\system32\svchost.exe[1096] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00D40FEF
.text C:\windows\system32\svchost.exe[1096] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00D40051
.text C:\windows\system32\svchost.exe[1096] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00D40040
.text C:\windows\system32\svchost.exe[1096] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00D30044
.text C:\windows\system32\svchost.exe[1096] msvcrt.dll!system 77C293C7 5 Bytes JMP 00D30FC3
.text C:\windows\system32\svchost.exe[1096] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00D30FEF
.text C:\windows\system32\svchost.exe[1096] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00D3000C
.text C:\windows\system32\svchost.exe[1096] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00D30FD4
.text C:\windows\system32\svchost.exe[1096] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00D30029
.text C:\windows\system32\svchost.exe[1096] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00C90FEF
.text C:\Program Files\Spyware Doctor\pctsTray.exe[1112] kernel32.dll!CreateThread + 1B 7C8106F2 3 Bytes CALL 0044ACCE C:\Program Files\Spyware Doctor\pctsTray.exe (PC Tools Tray Application/PC Tools)
.text C:\windows\system32\svchost.exe[1164] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00D6000A
.text C:\windows\system32\svchost.exe[1164] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00D60F7E
.text C:\windows\system32\svchost.exe[1164] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00D60F8F
.text C:\windows\system32\svchost.exe[1164] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00D60069
.text C:\windows\system32\svchost.exe[1164] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00D60058
.text C:\windows\system32\svchost.exe[1164] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00D60047
.text C:\windows\system32\svchost.exe[1164] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00D6009F
.text C:\windows\system32\svchost.exe[1164] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00D60084
.text C:\windows\system32\svchost.exe[1164] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00D60F2B
.text C:\windows\system32\svchost.exe[1164] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00D60F3C
.text C:\windows\system32\svchost.exe[1164] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00D60F1A
.text C:\windows\system32\svchost.exe[1164] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00D60FC0
.text C:\windows\system32\svchost.exe[1164] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00D60FEF
.text C:\windows\system32\svchost.exe[1164] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00D60F59
.text C:\windows\system32\svchost.exe[1164] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00D60036
.text C:\windows\system32\svchost.exe[1164] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00D60025
.text C:\windows\system32\svchost.exe[1164] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00D600BA
.text C:\windows\system32\svchost.exe[1164] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00D50FC3
.text C:\windows\system32\svchost.exe[1164] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00D50065
.text C:\windows\system32\svchost.exe[1164] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00D50FDE
.text C:\windows\system32\svchost.exe[1164] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00D50FEF
.text C:\windows\system32\svchost.exe[1164] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00D50FA8
.text C:\windows\system32\svchost.exe[1164] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00D5000A
.text C:\windows\system32\svchost.exe[1164] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00D50040
.text C:\windows\system32\svchost.exe[1164] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00D5002F
.text C:\windows\system32\svchost.exe[1164] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00D4006E
.text C:\windows\system32\svchost.exe[1164] msvcrt.dll!system 77C293C7 5 Bytes JMP 00D40053
.text C:\windows\system32\svchost.exe[1164] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00D40FE3
.text C:\windows\system32\svchost.exe[1164] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00D40000
.text C:\windows\system32\svchost.exe[1164] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00D40042
.text C:\windows\system32\svchost.exe[1164] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00D4001D
.text C:\windows\system32\svchost.exe[1164] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00D30FEF
.text C:\windows\System32\svchost.exe[1260] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 05370FEF
.text C:\windows\System32\svchost.exe[1260] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 05370F2C
.text C:\windows\System32\svchost.exe[1260] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 05370F3D
.text C:\windows\System32\svchost.exe[1260] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 05370F4E
.text C:\windows\System32\svchost.exe[1260] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 05370F6B
.text C:\windows\System32\svchost.exe[1260] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 05370F97
.text C:\windows\System32\svchost.exe[1260] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 05370EF9
.text C:\windows\System32\svchost.exe[1260] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 05370F0A
.text C:\windows\System32\svchost.exe[1260] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 0537006D
.text C:\windows\System32\svchost.exe[1260] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 05370ED4
.text C:\windows\System32\svchost.exe[1260] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 0537007E
.text C:\windows\System32\svchost.exe[1260] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 05370F7C
.text C:\windows\System32\svchost.exe[1260] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 05370FDE
.text C:\windows\System32\svchost.exe[1260] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 05370F1B
.text C:\windows\System32\svchost.exe[1260] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 05370FB2
.text C:\windows\System32\svchost.exe[1260] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 05370FC3
.text C:\windows\System32\svchost.exe[1260] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 05370052
.text C:\windows\System32\svchost.exe[1260] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 0536002F
.text C:\windows\System32\svchost.exe[1260] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 05360065
.text C:\windows\System32\svchost.exe[1260] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 05360014
.text C:\windows\System32\svchost.exe[1260] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 05360FDE
.text C:\windows\System32\svchost.exe[1260] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 05360FA8
.text C:\windows\System32\svchost.exe[1260] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 05360FEF
.text C:\windows\System32\svchost.exe[1260] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 0536004A
.text C:\windows\System32\svchost.exe[1260] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 05360FC3
.text C:\windows\System32\svchost.exe[1260] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 05350FAB
.text C:\windows\System32\svchost.exe[1260] msvcrt.dll!system 77C293C7 5 Bytes JMP 05350036
.text C:\windows\System32\svchost.exe[1260] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 05350FD7
.text C:\windows\System32\svchost.exe[1260] msvcrt.dll!_open 77C2F566 5 Bytes JMP 05350000
.text C:\windows\System32\svchost.exe[1260] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 05350FBC
.text C:\windows\System32\svchost.exe[1260] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 05350011
.text C:\windows\System32\svchost.exe[1260] WS2_32.dll!socket 71AB4211 5 Bytes JMP 05340FE5
.text C:\windows\System32\svchost.exe[1260] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 05330000
.text C:\windows\System32\svchost.exe[1260] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 05330011
.text C:\windows\System32\svchost.exe[1260] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 05330022
.text C:\windows\System32\svchost.exe[1260] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 0533003D
.text C:\windows\System32\svchost.exe[1336] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00990FEF
.text C:\windows\System32\svchost.exe[1336] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00990068
.text C:\windows\System32\svchost.exe[1336] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00990057
.text C:\windows\System32\svchost.exe[1336] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00990F7F
.text C:\windows\System32\svchost.exe[1336] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 0099003C
.text C:\windows\System32\svchost.exe[1336] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00990FA1
.text C:\windows\System32\svchost.exe[1336] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 0099008A
.text C:\windows\System32\svchost.exe[1336] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00990F4E
.text C:\windows\System32\svchost.exe[1336] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 009900C0
.text C:\windows\System32\svchost.exe[1336] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 009900A5
.text C:\windows\System32\svchost.exe[1336] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 009900D1
.text C:\windows\System32\svchost.exe[1336] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00990F90
.text C:\windows\System32\svchost.exe[1336] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00990FDE
.text C:\windows\System32\svchost.exe[1336] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00990079
.text C:\windows\System32\svchost.exe[1336] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00990FBC
.text C:\windows\System32\svchost.exe[1336] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00990FCD
.text C:\windows\System32\svchost.exe[1336] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00990F27
.text C:\windows\System32\svchost.exe[1336] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00980FAF
.text C:\windows\System32\svchost.exe[1336] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 0098005B
.text C:\windows\System32\svchost.exe[1336] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00980FC0
.text C:\windows\System32\svchost.exe[1336] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00980FDB
.text C:\windows\System32\svchost.exe[1336] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 0098004A
.text C:\windows\System32\svchost.exe[1336] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00980000
.text C:\windows\System32\svchost.exe[1336] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00980F9E
.text C:\windows\System32\svchost.exe[1336] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [B8, 88]
.text C:\windows\System32\svchost.exe[1336] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 0098001B
.text C:\windows\System32\svchost.exe[1336] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00970038
.text C:\windows\System32\svchost.exe[1336] msvcrt.dll!system 77C293C7 5 Bytes JMP 00970027
.text C:\windows\System32\svchost.exe[1336] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00970FB7
.text C:\windows\System32\svchost.exe[1336] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00970FEF
.text C:\windows\System32\svchost.exe[1336] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 0097000C
.text C:\windows\System32\svchost.exe[1336] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00970FD2
.text C:\windows\System32\svchost.exe[1336] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00960000
.text C:\windows\system32\svchost.exe[1472] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00C60FE5
.text C:\windows\system32\svchost.exe[1472] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00C60093
.text C:\windows\system32\svchost.exe[1472] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00C60F9E
.text C:\windows\system32\svchost.exe[1472] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00C60082
.text C:\windows\system32\svchost.exe[1472] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00C60065
.text C:\windows\system32\svchost.exe[1472] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00C6002F
.text C:\windows\system32\svchost.exe[1472] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00C600CB
.text C:\windows\system32\svchost.exe[1472] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00C600A4
.text C:\windows\system32\svchost.exe[1472] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00C60F68
.text C:\windows\system32\svchost.exe[1472] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00C600F7
.text C:\windows\system32\svchost.exe[1472] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00C6011C
.text C:\windows\system32\svchost.exe[1472] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00C60040
.text C:\windows\system32\svchost.exe[1472] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00C60FD4
.text C:\windows\system32\svchost.exe[1472] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00C60F83
.text C:\windows\system32\svchost.exe[1472] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00C60014
.text C:\windows\system32\svchost.exe[1472] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00C60FC3
.text C:\windows\system32\svchost.exe[1472] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00C600E6
.text C:\windows\system32\svchost.exe[1472] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00C50FC3
.text C:\windows\system32\svchost.exe[1472] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00C50F75
.text C:\windows\system32\svchost.exe[1472] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00C50FDE
.text C:\windows\system32\svchost.exe[1472] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00C50FEF
.text C:\windows\system32\svchost.exe[1472] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00C50F86
.text C:\windows\system32\svchost.exe[1472] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00C5000A
.text C:\windows\system32\svchost.exe[1472] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00C50F97
.text C:\windows\system32\svchost.exe[1472] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [E5, 88] {IN EAX, 0x88}
.text C:\windows\system32\svchost.exe[1472] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00C50FA8
.text C:\windows\system32\svchost.exe[1472] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00C40053
.text C:\windows\system32\svchost.exe[1472] msvcrt.dll!system 77C293C7 5 Bytes JMP 00C40042
.text C:\windows\system32\svchost.exe[1472] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00C40FE3
.text C:\windows\system32\svchost.exe[1472] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00C40000
.text C:\windows\system32\svchost.exe[1472] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00C40FD2
.text C:\windows\system32\svchost.exe[1472] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00C40011
.text C:\windows\system32\svchost.exe[1472] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00C3000A
.text C:\windows\Explorer.EXE[1952] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 03110FEF
.text C:\windows\Explorer.EXE[1952] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 03110F77
.text C:\windows\Explorer.EXE[1952] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 03110076
.text C:\windows\Explorer.EXE[1952] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 03110F92
.text C:\windows\Explorer.EXE[1952] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 0311005B
.text C:\windows\Explorer.EXE[1952] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 03110FD4
.text C:\windows\Explorer.EXE[1952] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 031100AE
.text C:\windows\Explorer.EXE[1952] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 0311009D
.text C:\windows\Explorer.EXE[1952] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 03110F29
.text C:\windows\Explorer.EXE[1952] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 03110F3A
.text C:\windows\Explorer.EXE[1952] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 03110F0E
.text C:\windows\Explorer.EXE[1952] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 03110FB9
.text C:\windows\Explorer.EXE[1952] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 03110000
.text C:\windows\Explorer.EXE[1952] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 03110F66
.text C:\windows\Explorer.EXE[1952] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 03110036
.text C:\windows\Explorer.EXE[1952] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 03110025
.text C:\windows\Explorer.EXE[1952] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 03110F55
.text C:\windows\Explorer.EXE[1952] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 03100025
.text C:\windows\Explorer.EXE[1952] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 03100F86
.text C:\windows\Explorer.EXE[1952] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 03100FD4
.text C:\windows\Explorer.EXE[1952] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 03100000
.text C:\windows\Explorer.EXE[1952] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 03100F97
.text C:\windows\Explorer.EXE[1952] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 03100FE5
.text C:\windows\Explorer.EXE[1952] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 03100FA8
.text C:\windows\Explorer.EXE[1952] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [30, 8B]
.text C:\windows\Explorer.EXE[1952] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 03100FB9
.text C:\windows\Explorer.EXE[1952] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 01770F8B
.text C:\windows\Explorer.EXE[1952] msvcrt.dll!system 77C293C7 5 Bytes JMP 01770FA6
.text C:\windows\Explorer.EXE[1952] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 01770FD2
.text C:\windows\Explorer.EXE[1952] msvcrt.dll!_open 77C2F566 5 Bytes JMP 01770FEF
.text C:\windows\Explorer.EXE[1952] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 01770FC1
.text C:\windows\Explorer.EXE[1952] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0177000C
.text C:\windows\Explorer.EXE[1952] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00FE0FEF
.text C:\windows\Explorer.EXE[1952] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00FE0FD4
.text C:\windows\Explorer.EXE[1952] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00FE0FC3
.text C:\windows\Explorer.EXE[1952] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00FE0014
.text C:\windows\Explorer.EXE[1952] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01740000
.text C:\windows\system32\wuauclt.exe[1960] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001B000A
.text C:\windows\system32\wuauclt.exe[1960] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001B0095
.text C:\windows\system32\wuauclt.exe[1960] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001B0084
.text C:\windows\system32\wuauclt.exe[1960] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001B0073
.text C:\windows\system32\wuauclt.exe[1960] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001B0058
.text C:\windows\system32\wuauclt.exe[1960] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001B002C
.text C:\windows\system32\wuauclt.exe[1960] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001B00CB
.text C:\windows\system32\wuauclt.exe[1960] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001B0F8F
.text C:\windows\system32\wuauclt.exe[1960] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001B0F3C
.text C:\windows\system32\wuauclt.exe[1960] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001B0F57
.text C:\windows\system32\wuauclt.exe[1960] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 001B00F0
.text C:\windows\system32\wuauclt.exe[1960] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 001B0047
.text C:\windows\system32\wuauclt.exe[1960] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 001B0FE5
.text C:\windows\system32\wuauclt.exe[1960] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 001B00B0
.text C:\windows\system32\wuauclt.exe[1960] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 001B0FCA
.text C:\windows\system32\wuauclt.exe[1960] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 001B001B
.text C:\windows\system32\wuauclt.exe[1960] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 001B0F68
.text C:\windows\system32\wuauclt.exe[1960] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 002A0F86
.text C:\windows\system32\wuauclt.exe[1960] msvcrt.dll!system 77C293C7 5 Bytes JMP 002A001B
.text C:\windows\system32\wuauclt.exe[1960] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 002A0FC6
.text C:\windows\system32\wuauclt.exe[1960] msvcrt.dll!_open 77C2F566 5 Bytes JMP 002A0FEF
.text C:\windows\system32\wuauclt.exe[1960] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 002A0FAB
.text C:\windows\system32\wuauclt.exe[1960] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 002A0000
.text C:\windows\system32\wuauclt.exe[1960] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 002B0022
.text C:\windows\system32\wuauclt.exe[1960] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 002B007D
.text C:\windows\system32\wuauclt.exe[1960] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 002B0011
.text C:\windows\system32\wuauclt.exe[1960] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 002B0000
.text C:\windows\system32\wuauclt.exe[1960] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 002B0058
.text C:\windows\system32\wuauclt.exe[1960] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 002B0FE5
.text C:\windows\system32\wuauclt.exe[1960] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 002B0047
.text C:\windows\system32\wuauclt.exe[1960] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 002B0FB6
.text C:\windows\system32\svchost.exe[2288] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00AC0FEF
.text C:\windows\system32\svchost.exe[2288] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00AC0071
.text C:\windows\system32\svchost.exe[2288] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00AC0060
.text C:\windows\system32\svchost.exe[2288] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00AC0F86
.text C:\windows\system32\svchost.exe[2288] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00AC0F97
.text C:\windows\system32\svchost.exe[2288] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00AC0014
.text C:\windows\system32\svchost.exe[2288] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00AC0F3A
.text C:\windows\system32\svchost.exe[2288] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00AC0F57
.text C:\windows\system32\svchost.exe[2288] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00AC00AE
.text C:\windows\system32\svchost.exe[2288] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00AC009D
.text C:\windows\system32\svchost.exe[2288] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00AC0EF0
.text C:\windows\system32\svchost.exe[2288] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00AC0039
.text C:\windows\system32\svchost.exe[2288] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00AC0FDE
.text C:\windows\system32\svchost.exe[2288] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00AC0082
.text C:\windows\system32\svchost.exe[2288] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00AC0FA8
.text C:\windows\system32\svchost.exe[2288] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00AC0FCD
.text C:\windows\system32\svchost.exe[2288] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00AC0F1F
.text C:\windows\system32\svchost.exe[2288] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00AB0FC0
.text C:\windows\system32\svchost.exe[2288] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00AB003D
.text C:\windows\system32\svchost.exe[2288] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00AB0FDB
.text C:\windows\system32\svchost.exe[2288] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00AB0011
.text C:\windows\system32\svchost.exe[2288] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00AB0F8A
.text C:\windows\system32\svchost.exe[2288] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00AB0000
.text C:\windows\system32\svchost.exe[2288] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00AB0F9B
.text C:\windows\system32\svchost.exe[2288] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [CB, 88]
.text C:\windows\system32\svchost.exe[2288] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00AB002C
.text C:\windows\system32\svchost.exe[2288] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 006C0027
.text C:\windows\system32\svchost.exe[2288] msvcrt.dll!system 77C293C7 5 Bytes JMP 006C0F9C
.text C:\windows\system32\svchost.exe[2288] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 006C0FC8
.text C:\windows\system32\svchost.exe[2288] msvcrt.dll!_open 77C2F566 5 Bytes JMP 006C0FEF
.text C:\windows\system32\svchost.exe[2288] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 006C0FAD
.text C:\windows\system32\svchost.exe[2288] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 006C000C
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[2852] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0041C130 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[2852] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 0041C1B0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\windows\system32\svchost.exe[3124] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001A0000
.text C:\windows\system32\svchost.exe[3124] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001A0089
.text C:\windows\system32\svchost.exe[3124] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001A0F94
.text C:\windows\system32\svchost.exe[3124] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001A0062
.text C:\windows\system32\svchost.exe[3124] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001A0FAF
.text C:\windows\system32\svchost.exe[3124] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001A0051
.text C:\windows\system32\svchost.exe[3124] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001A00A4
.text C:\windows\system32\svchost.exe[3124] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001A0F68
.text C:\windows\system32\svchost.exe[3124] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001A00E1
.text C:\windows\system32\svchost.exe[3124] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001A00D0
.text C:\windows\system32\svchost.exe[3124] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 001A0F2D
.text C:\windows\system32\svchost.exe[3124] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 001A0FCA
.text C:\windows\system32\svchost.exe[3124] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 001A0025
.text C:\windows\system32\svchost.exe[3124] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 001A0F79
.text C:\windows\system32\svchost.exe[3124] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 001A0040
.text C:\windows\system32\svchost.exe[3124] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 001A0FEF
.text C:\windows\system32\svchost.exe[3124] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 001A00BF
.text C:\windows\system32\svchost.exe[3124] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00290FDE
.text C:\windows\system32\svchost.exe[3124] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00290080
.text C:\windows\system32\svchost.exe[3124] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 0029002F
.text C:\windows\system32\svchost.exe[3124] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00290FEF
.text C:\windows\system32\svchost.exe[3124] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00290FB9
.text C:\windows\system32\svchost.exe[3124] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00290000
.text C:\windows\system32\svchost.exe[3124] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 0029005B
.text C:\windows\system32\svchost.exe[3124] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 0029004A
.text C:\windows\system32\svchost.exe[3124] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 003E0F7F
.text C:\windows\system32\svchost.exe[3124] msvcrt.dll!system 77C293C7 5 Bytes JMP 003E0F90
.text C:\windows\system32\svchost.exe[3124] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 003E0FBC
.text C:\windows\system32\svchost.exe[3124] msvcrt.dll!_open 77C2F566 5 Bytes JMP 003E0FEF
.text C:\windows\system32\svchost.exe[3124] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 003E0FA1
.text C:\windows\system32\svchost.exe[3124] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 003E0000
.text C:\windows\system32\svchost.exe[3124] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00970000
.text C:\windows\system32\svchost.exe[3124] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00EC0000
.text C:\windows\system32\svchost.exe[3124] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00EC001B
.text C:\windows\system32\svchost.exe[3124] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00EC0FDB
.text C:\windows\system32\svchost.exe[3124] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00EC0036
.text C:\windows\System32\svchost.exe[3508] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00710FEF
.text C:\windows\System32\svchost.exe[3508] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00710F84
.text C:\windows\System32\svchost.exe[3508] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00710079
.text C:\windows\System32\svchost.exe[3508] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 0071005E
.text C:\windows\System32\svchost.exe[3508] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00710FA1
.text C:\windows\System32\svchost.exe[3508] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00710FB2
.text C:\windows\System32\svchost.exe[3508] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 0071009E
.text C:\windows\System32\svchost.exe[3508] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00710F62
.text C:\windows\System32\svchost.exe[3508] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 007100CD
.text C:\windows\System32\svchost.exe[3508] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00710F2A
.text C:\windows\System32\svchost.exe[3508] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 007100DE
.text C:\windows\System32\svchost.exe[3508] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00710039
.text C:\windows\System32\svchost.exe[3508] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00710FDE
.text C:\windows\System32\svchost.exe[3508] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00710F73
.text C:\windows\System32\svchost.exe[3508] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00710FC3
.text C:\windows\System32\svchost.exe[3508] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00710014
.text C:\windows\System32\svchost.exe[3508] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00710F45
.text C:\windows\System32\svchost.exe[3508] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 0070001B
.text C:\windows\System32\svchost.exe[3508] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 0070005B
.text C:\windows\System32\svchost.exe[3508] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00700FD4
.text C:\windows\System32\svchost.exe[3508] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 0070000A
.text C:\windows\System32\svchost.exe[3508] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00700040
.text C:\windows\System32\svchost.exe[3508] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00700FEF
.text C:\windows\System32\svchost.exe[3508] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00700F9E
.text C:\windows\System32\svchost.exe[3508] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [90, 88]
.text C:\windows\System32\svchost.exe[3508] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00700FB9
.text C:\windows\System32\svchost.exe[3508] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 006F0036
.text C:\windows\System32\svchost.exe[3508] msvcrt.dll!system 77C293C7 5 Bytes JMP 006F0FAB
.text C:\windows\System32\svchost.exe[3508] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 006F0FC6
.text C:\windows\System32\svchost.exe[3508] msvcrt.dll!_open 77C2F566 5 Bytes JMP 006F0FEF
.text C:\windows\System32\svchost.exe[3508] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 006F001B
.text C:\windows\System32\svchost.exe[3508] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 006F0000
.text C:\windows\System32\svchost.exe[3508] WS2_32.dll!socket 71AB4211 5 Bytes JMP 006E0FEF
.text C:\windows\System32\svchost.exe[3684] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00710FEF
.text C:\windows\System32\svchost.exe[3684] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00710F5E
.text C:\windows\System32\svchost.exe[3684] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00710F79
.text C:\windows\System32\svchost.exe[3684] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 0071005D
.text C:\windows\System32\svchost.exe[3684] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00710F9E
.text C:\windows\System32\svchost.exe[3684] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00710FAF
.text C:\windows\System32\svchost.exe[3684] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 0071009F
.text C:\windows\System32\svchost.exe[3684] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00710F4D
.text C:\windows\System32\svchost.exe[3684] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00710F3C
.text C:\windows\System32\svchost.exe[3684] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 007100D5
.text C:\windows\System32\svchost.exe[3684] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 007100E6
.text C:\windows\System32\svchost.exe[3684] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00710040
.text C:\windows\System32\svchost.exe[3684] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 0071000A
.text C:\windows\System32\svchost.exe[3684] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 0071006E
.text C:\windows\System32\svchost.exe[3684] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 0071001B
.text C:\windows\System32\svchost.exe[3684] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00710FD4
.text C:\windows\System32\svchost.exe[3684] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 007100B0
.text C:\windows\System32\svchost.exe[3684] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00700FDB
.text C:\windows\System32\svchost.exe[3684] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00700047
.text C:\windows\System32\svchost.exe[3684] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00700022
.text C:\windows\System32\svchost.exe[3684] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00700011
.text C:\windows\System32\svchost.exe[3684] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00700F94
.text C:\windows\System32\svchost.exe[3684] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00700000
.text C:\windows\System32\svchost.exe[3684] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00700FA5
.text C:\windows\System32\svchost.exe[3684] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [90, 88]
.text C:\windows\System32\svchost.exe[3684] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00700FC0
.text C:\windows\System32\svchost.exe[3684] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 006F005F
.text C:\windows\System32\svchost.exe[3684] msvcrt.dll!system 77C293C7 5 Bytes JMP 006F0FD4
.text C:\windows\System32\svchost.exe[3684] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 006F003A
.text C:\windows\System32\svchost.exe[3684] msvcrt.dll!_open 77C2F566 5 Bytes JMP 006F000C
.text C:\windows\System32\svchost.exe[3684] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 006F0FE5
.text C:\windows\System32\svchost.exe[3684] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 006F0029
.text C:\windows\System32\svchost.exe[3684] WS2_32.dll!socket 71AB4211 5 Bytes JMP 006E0FE5

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\gasfkyxxrdlqgo@start 1
Reg HKLM\SYSTEM\ControlSet001\Services\gasfkyxxrdlqgo@type 1
Reg HKLM\SYSTEM\ControlSet001\Services\gasfkyxxrdlqgo@group file system
Reg HKLM\SYSTEM\ControlSet001\Services\gasfkyxxrdlqgo@imagepath \systemroot\system32\drivers\gasfkyemiklivp.sys
Reg HKLM\SYSTEM\ControlSet001\Services\gasfkyxxrdlqgo\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\gasfkyxxrdlqgo\main@aid 20124
Reg HKLM\SYSTEM\ControlSet001\Services\gasfkyxxrdlqgo\main@sid 0
Reg HKLM\SYSTEM\ControlSet001\Services\gasfkyxxrdlqgo\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\gasfkyxxrdlqgo\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\gasfkyxxrdlqgo\main\injector@* gasfkywsp.dll
Reg HKLM\SYSTEM\ControlSet001\Services\gasfkyxxrdlqgo\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\gasfkyxxrdlqgo\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\gasfkyxxrdlqgo\modules@gasfkyrk.sys \systemroot\system32\drivers\gasfkyemiklivp.sys
Reg HKLM\SYSTEM\ControlSet001\Services\gasfkyxxrdlqgo\modules@gasfkycmd.dll \systemroot\system32\gasfkyffmmpwxf.dll
Reg HKLM\SYSTEM\ControlSet001\Services\gasfkyxxrdlqgo\modules@gasfkylog.dat \systemroot\system32\gasfkyitpejuow.dat
Reg HKLM\SYSTEM\ControlSet001\Services\gasfkyxxrdlqgo\modules@gasfkywsp.dll \systemroot\system32\gasfkyrqowqlkh.dll
Reg HKLM\SYSTEM\ControlSet001\Services\gasfkyxxrdlqgo\modules@gasfky.dat \systemroot\system32\gasfkylkytjwpu.dat

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 08: copy of MBR

---- EOF - GMER 1.0.15 ----

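Added example for readers of this thread (it is not GMER code and not part of the posted logs): a small Python triage script that reads GMER 1.0.15 `.text` hook lines and `Reg` lines like the ones above and pulls out the two things a helper looks for in this log. First, inline JMP hooks whose destination GMER could not attribute to any loaded module: the mcproxy.exe hooks above carry a module path and vendor after the JMP target, while the Explorer.EXE, wuauclt.exe and svchost.exe hooks into low addresses such as 001B000A and 00AB0F9B carry nothing. Second, services whose ImagePath is a kernel driver and which carry an `injector` subkey and a `modules` map, as the gasfkyxxrdlqgo service does. The sample input is copied verbatim from the log above; the rule "unattributed JMP target means injected code" is this script's own heuristic, not something GMER states, and the `main\injector` and `modules` subkey names are taken from this log only, so treat the output as a lead for a human analyst rather than a verdict.

```python
"""Triage helper for GMER 1.0.15 user-mode hook and registry lines.

Added example for this forum thread; not GMER code, not from the posted logs.
Heuristic (this script's assumption, not GMER semantics): a JMP whose target
GMER could not map to a loaded image is reported as 'unattributed'.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Sample lines copied verbatim from the GMER output posted in this thread.
SAMPLE_LOG = r"""
.text C:\windows\Explorer.EXE[1952] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 03110000
.text C:\windows\Explorer.EXE[1952] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01740000
.text C:\windows\system32\svchost.exe[2288] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00AB0F9B
.text C:\windows\system32\svchost.exe[2288] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [CB, 88]
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[2852] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0041C130 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
Reg HKLM\SYSTEM\ControlSet001\Services\gasfkyxxrdlqgo@imagepath \systemroot\system32\drivers\gasfkyemiklivp.sys
Reg HKLM\SYSTEM\ControlSet001\Services\gasfkyxxrdlqgo\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\gasfkyxxrdlqgo\main\injector@* gasfkywsp.dll
Reg HKLM\SYSTEM\ControlSet001\Services\gasfkyxxrdlqgo\modules@gasfkywsp.dll \systemroot\system32\gasfkyrqowqlkh.dll
"""

# .text <proc>[<pid>] <module>!<func>[ + <off>] <addr> <n> Bytes JMP <target>[ <owner>]
# or the continuation form "... <n> Bytes [<hex bytes>]" GMER prints for a split JMP.
HOOK_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[^\s!]+)!(?P<func>\S+)(?:\s\+\s(?P<off>\d+))?\s+"
    r"(?P<addr>[0-9A-Fa-f]{8})\s+\d+\s+Bytes\s+"
    r"(?:JMP\s+(?P<target>[0-9A-Fa-f]{8})|\[(?P<bytes>[^\]]*)\])"
    r"(?:\s+(?P<owner>\S.*))?$"
)
# Reg <key>@<value> <data>   or   Reg <key> (<note>)
REG_RE = re.compile(
    r"^Reg\s+(?P<key>[^\s@]+)"
    r"(?:@(?P<name>\S+)\s+(?P<data>.*)|\s+\((?P<note>[^)]*)\))$"
)
SERVICE_RE = re.compile(r"\\Services\\(?P<name>[^\\]+)(?:\\(?P<sub>.+))?$")

@dataclass
class Hook:
    process: str
    pid: int
    module: str
    func: str
    address: int
    target: Optional[int]   # JMP destination; None for a raw byte-patch line
    owner: Optional[str]    # module GMER resolved the target to, if any

    @property
    def unattributed(self) -> bool:
        """Inline JMP whose destination GMER could not map to any module."""
        return self.target is not None and self.owner is None

def parse_gmer(text):
    """Return (hooks, services) where services[name][subkey][value] = data."""
    hooks = []
    services = defaultdict(lambda: defaultdict(dict))
    for line in text.splitlines():
        line = line.strip()
        m = HOOK_RE.match(line)
        if m:
            hooks.append(Hook(
                process=m["proc"], pid=int(m["pid"]), module=m["module"],
                func=m["func"], address=int(m["addr"], 16),
                target=int(m["target"], 16) if m["target"] else None,
                owner=m["owner"]))
            continue
        m = REG_RE.match(line)
        if m:
            svc = SERVICE_RE.search(m["key"])
            if svc:
                values = services[svc["name"]][svc["sub"] or ""]  # touch subkey
                if m["name"] is not None:
                    values[m["name"].lower()] = m["data"]
    return hooks, services

def unattributed_hooks(hooks):
    return [h for h in hooks if h.unattributed]

def hooked_processes(hooks):
    """Map 'process[pid]' -> sorted 'module!func' names with unattributed JMPs."""
    out = defaultdict(set)
    for h in unattributed_hooks(hooks):
        out[f"{h.process}[{h.pid}]"].add(f"{h.module}!{h.func}")
    return {k: sorted(v) for k, v in out.items()}

def driver_services(services):
    """Services whose ImagePath is a .sys, with injector DLLs and module map."""
    found = {}
    for name, subs in services.items():
        image = subs.get("", {}).get("imagepath", "")
        if not image.lower().endswith(".sys"):
            continue
        found[name] = {
            "imagepath": image,
            "injector": sorted(subs.get(r"main\injector", {}).values()),
            "modules": dict(subs.get("modules", {})),
        }
    return found

if __name__ == "__main__":
    hooks, services = parse_gmer(SAMPLE_LOG)
    for proc, funcs in hooked_processes(hooks).items():
        print(f"{proc}: {len(funcs)} unattributed inline hook(s): {', '.join(funcs)}")
    for name, info in driver_services(services).items():
        print(f"service {name}: driver {info['imagepath']}, injector {info['injector']}")
```

Run it against a full GMER log (`parse_gmer(open("gmer.txt").read())`) to get a per-process list of unattributed hooks; on the log above every svchost.exe, Explorer.EXE and wuauclt.exe entry lands in that list while the two mcproxy.exe entries do not. The continuation lines of a split JMP (`RegCreateKeyW + 3 ... [CB, 88]`) are parsed but not counted as separate hooks.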

#10 Elise
  • Malware Study Hall Admin

Posted 17 November 2009 - 02:30 AM

You attached junction.zip, not attach.txt :(

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

Malware analyst @ Emsisoft


#11 bonkers1961
  • Topic Starter

Posted 18 November 2009 - 10:04 PM

Sorry about that, the program said to zip the file. Here is the text file:


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-10-26.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 3/10/2004 1:00:34 PM
System Uptime: 11/16/2009 10:15:07 AM (0 hours ago)

Motherboard: ASUSTek Computer Inc. | | P4SD-VL
Processor: Intel® Pentium® 4 CPU 3.40GHz | CPU 1 | 3391/200mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 466 GiB total, 435.772 GiB free.
D: is FIXED (NTFS) - 213 GiB total, 196.232 GiB free.
E: is CDROM ()
F: is CDROM ()
H: is Removable
I: is Removable
J: is Removable
K: is FIXED (NTFS) - 14 GiB total, 3.246 GiB free.
L: is Removable

==== Disabled Device Manager Items =============

Class GUID: {4D36E96D-E325-11CE-BFC1-08002BE10318}
Description: Agere Systems AC'97 Modem
Device ID: PCI\VEN_8086&DEV_24D6&SUBSYS_8141104D&REV_02\3&267A616A&0&FE
Manufacturer: Agere
Name: Agere Systems AC'97 Modem
PNP Device ID: PCI\VEN_8086&DEV_24D6&SUBSYS_8141104D&REV_02\3&267A616A&0&FE
Service: Modem

Class GUID: {4D36E971-E325-11CE-BFC1-08002BE10318}
Description: Photosmart C4500 series
Device ID: ROOT\MULTIFUNCTION\0000
Manufacturer: HP
Name: Photosmart C4500 series
PNP Device ID: ROOT\MULTIFUNCTION\0000
Service:

Class GUID: {4D36E971-E325-11CE-BFC1-08002BE10318}
Description: deskjet 5800
Device ID: ROOT\MULTIFUNCTION\0001
Manufacturer: hp
Name: deskjet 5800
PNP Device ID: ROOT\MULTIFUNCTION\0001
Service:

==== System Restore Points ===================

RP2: 11/13/2009 4:23:10 PM - Software Distribution Service 3.0

==== Installed Programs ======================


32 Bit HP CIO Components Installer
3D Groove Playback Engine
7300
7300_Help
7300Trb
Adobe Acrobat 4.0
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Help Center 2.1
Adobe Photoshop Elements 5.0
Adobe Photoshop Elements 7.0
Adobe Photoshop.com Inspiration Browser
Adobe Premiere 6 LE
Adobe Reader 8.1.2
Adobe Reader 8.1.2 Security Update 1 (KB403742)
Agere Systems AC'97 Modem
AiO_Scan
AiOSoftware
APC PowerChute Personal Edition
Apple Application Support
Apple Mobile Device Support
Apple Software Update
ArcSoft PhotoImpression 4
Ask Toolbar
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver
AutoUpdate
Avanquest update
Avatar Bobble Battles
Avery DesignPro
Bonjour
BufferChm
C4580
C4580_Help
Canon Camera Access Library
Canon Camera Support Core Library
Canon Camera Window DC_DV 5 for ZoomBrowser EX
Canon Camera Window DC_DV 6 for ZoomBrowser EX
Canon Camera Window MC 6 for ZoomBrowser EX
Canon G.726 WMP-Decoder
Canon MovieEdit Task for ZoomBrowser EX
Canon RAW Image Task for ZoomBrowser EX
Canon RemoteCapture Task for ZoomBrowser EX
Canon Utilities EOS Utility
Canon Utilities PhotoStitch
Canon Utilities ZoomBrowser EX
Click to DVD 1.3.01
Copy
CP_AtenaShokunin1Config
cp_dwShrek2Albums1
cp_dwShrek2Cards1
CreativeProjects
CreativeProjectsTemplates
CueTour
CustomerResearchQFolder
DeLorme Street Atlas USA 2007 Plus
DeLorme Street Atlas USA 2009 Plus
Destination Component
DeviceDiscovery
DeviceManagementQFolder
DiscWizard for Windows
DivX
DocProc
DocumentViewer
Drag'n Drop CD+DVD
DVgate Plus
eSupportQFolder
Family History Library Catalog
Family History Resource File Viewer 4.0
Family Tree Maker
Family Tree Maker 2005
Family Tree Maker Version 16
Fax
Firebird SQL Server - MAGIX Edition 2.0.0.1 (US)
Garmin PC Basemap v2
Garmin Training Center
Garmin Training Center 3.2.2
Garmin USB Drivers
Garmin WebUpdater
GenSmarts
Google Chrome
Google Toolbar for Internet Explorer
Google Update Helper
GPBaseService
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
HP eServices Local Prints and Save
HP Extended Capabilities 4.7
HP Image Zone 4.7
HP Imaging Device Functions 11.0
HP Photosmart C4500 All-In-One Driver Software 11.0 Rel .4
HP Photosmart Essential
HP Product Detection
HP PSC & OfficeJet 4.7
HP Software Update
HP Solution Center 11.0
HP Update
hpmdtab
HPProductAssistant
HPSystemDiagnostics
Image Expert
InstantShare
Intel® PRO Network Adapters and Drivers
InterVideo WinDVD 5 for VAIO
iPhone Configuration Utility
iQue - MapInstall and ContactLocation
iTunes
J2SE Runtime Environment 5.0 Update 4
J2SE Runtime Environment 5.0 Update 6
Java 2 Runtime Environment Standard Edition v1.3.1_08
Java 2 Runtime Environment, SE v1.4.2_01
Java™ 6 Update 15
Java™ 6 Update 3
Java™ 6 Update 5
Java™ 6 Update 7
Macromedia Shockwave Player
MAGIX MP3 Maker 12 deluxe 8.1.1.114 (US)
MAGIX Photo Manager 2007 4.1.1.77 (US)
Malwarebytes' Anti-Malware
Managed DirectX (0901)
MarketResearch
Master Index for Pedigree Resource File
McAfee SecurityCenter
McAfee SiteAdvisor
Memories Disc Creator 2.0
Memory Stick Formatter
Microsoft .NET Framework 1.0 Hotfix (KB953295)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Data Access Components KB870669
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft National Language Support Downlevel APIs
Microsoft Office Standard Edition 2003
Microsoft Speech Recognition Engine 4.0 (English)
Microsoft Text-to-Speech Engine 4.0 (English)
Microsoft Visual C++ 2005 Redistributable
Microsoft Works 7.0
Microsoft XML Parser
mobile PhoneTools
MobileMe Control Panel
MoodLogic
Movielink eHome version 1.1
Mozilla Firefox (3.5.2)
MSN Music Assistant
MSN Toolbar
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
Music Visualizer Library 1.4.00
MY CAMERA
MyMailList & AddressBook
Netscape (7.02)
Network
Nikon Message Center
NVIDIA Windows 2000/XP Display Drivers
OpenMG Metadata Extractor for Windows Media Player
OpenMG Secure Module 3.3.01
OpenOffice.org Installer 1.0
OptiPix Pro
Oregon Scientific Voice Recorder Link for VR668
overland
Palm Desktop for Garmin iQue 3200
PanoStandAlone
Pedigree Resource File
Personal Ancestral File Companion 5.1.5
PhotoGallery
PhotoshopdotcomInspirationBrowser
Picasa 3
PictureGear Studio 2.0
PictureProject
ProductContext
PS_AIO_04_C4580_ProductContext
PS_AIO_04_C4580_Software
PS_AIO_04_C4580_Software_Min
Puppy Luv: A New Breed
QuickTime
Readme
RealPlayer
Rhapsody
Rhapsody Player Engine
RootsMagic 3.2.2.0
RootsMagic 4.0.1.1
Roxio Drag-to-Disc
Roxio Easy Media Creator 9 Suite
Safari
Scan
Scan Manager 5.1
ScannerCopy
Screenblast ACID 4.0
Screenblast Sound Forge 1.1
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
SkinsHP1
Skype™ 4.0
Snail Mail
SoftV92 Data Fax Modem
SolutionCenter
SonicStage 1.6.00
SonicStage Mastering Studio 1.1
SonicStage Mastering Studio Plugins 1.0
SonicStage MP3 Add-on program
Sony Certificate PCH
Sony TV Tuner Library 1.0
Sony Video Shared Library
Sound Blaster Audigy LS
SpongeBob Atlantis SquareOff
SpongeBob SquarePants Diner Dash 2
SpongeBob SquarePants Obstacle Odyssey 2
Spybot - Search & Destroy
Spyware Doctor 6.1
Status
SureThing CD Labeler - Stomper Edition 32 bit
Thomas Guide DE
Toolbox
TrayApp
U3Launcher
Unload
UnloadSupport
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB971930)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB973815)
VAIO BrightColor Wallpaper
VAIO Edit Components
VAIO Help and Support
VAIO Media 2.6
VAIO Media Integrated Server 2.6
VAIO Media Redistribution 2.6
VAIO Registration
VAIO Support
VAIO Survey Standalone
VAIO System Information
Viewpoint Media Player (Remove Only)
WebFldrs XP
WebReg
Welcome to VAIO life
WildTangent Web Driver
Windows Driver Package - Garmin (grmnusb) GARMIN Devices (03/08/2007 2.2.1.0)
Windows Driver Package - MARS (MR97310_USB_DUAL_CAMERA) Image (12/03/2002 1.2.9.0)
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Media Format Runtime
Windows Media Player 10
Windows XP Service Pack 3
Xingtone Ringtone Maker
Yahoo! Toolbar

==== Event Viewer Messages From Past Week ========

11/12/2009 9:59:31 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service McNASvc with arguments "" in order to run the server: {24F616A1-B755-4053-8018-C3425DC8B68A}
11/12/2009 9:56:27 AM, error: Service Control Manager [7031] - The McAfee Services service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
11/12/2009 9:56:24 AM, error: Service Control Manager [7031] - The McAfee Personal Firewall Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 5000 milliseconds: Run the configured recovery program.
11/12/2009 9:51:14 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: DMICall Fips intelppm mfehidk
11/12/2009 11:48:01 AM, error: Service Control Manager [7000] - The PC Tools Security Service service failed to start due to the following error: Access is denied.
11/12/2009 10:57:05 AM, error: Service Control Manager [7034] - The RoxMediaDB9 service terminated unexpectedly. It has done this 1 time(s).
11/12/2009 10:57:05 AM, error: Service Control Manager [7034] - The Roxio Hard Drive Watcher 9 service terminated unexpectedly. It has done this 1 time(s).
11/12/2009 10:39:22 AM, error: Service Control Manager [7016] - The VAIO Media Photo Server service has reported an invalid current state 272.
11/12/2009 10:17:48 AM, error: Service Control Manager [7022] - The HP CUE DeviceDiscovery Service service hung on starting.
11/12/2009 10:17:28 AM, error: Service Control Manager [7000] - The OmniForm Printer service failed to start due to the following error: The system cannot find the file specified.
11/12/2009 10:17:28 AM, error: Service Control Manager [7000] - The MCSTRM service failed to start due to the following error: The system cannot find the file specified.
11/12/2009 10:14:49 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
11/12/2009 1:35:21 PM, error: Service Control Manager [7034] - The Adobe Active File Monitor V5 service terminated unexpectedly. It has done this 1 time(s).
11/12/2009 1:20:33 PM, error: Service Control Manager [7031] - The McAfee Real-time Scanner service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
11/12/2009 1:20:27 PM, error: Service Control Manager [7031] - The McAfee SystemGuards service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
11/12/2009 1:18:08 PM, error: Service Control Manager [7031] - The McAfee Real-time Scanner service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
11/12/2009 1:17:50 PM, error: Service Control Manager [7031] - The McAfee SystemGuards service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.

==== End Of File ===========================


Thanks again,
Tim

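The Event Viewer section of the log above shows a pattern worth recognising on its own: McAfee and PC Tools services terminating or being denied permission to start, and the McAfee driver mfehidk failing to load at boot. The script below is an added example, not part of this thread or of any tool it mentions; it parses DDS-style event lines and flags exactly that pattern. The product keyword list and the set of McAfee driver names are assumptions chosen to cover the software named in this log (McNASvc is taken to be the McAfee Network Agent service); extend them for other machines.

```python
"""Triage helper for the "Event Viewer Messages" section of a DDS log.

Added example, not from the thread. Flags security-product services that die,
are denied start, or whose drivers fail to load. Keyword lists are assumptions.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List

# Seven lines copied verbatim from the Event Viewer section of the log posted above.
SAMPLE_LOG = """\
11/12/2009 9:59:31 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service McNASvc with arguments "" in order to run the server: {24F616A1-B755-4053-8018-C3425DC8B68A}
11/12/2009 9:56:27 AM, error: Service Control Manager [7031] - The McAfee Services service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
11/12/2009 9:56:24 AM, error: Service Control Manager [7031] - The McAfee Personal Firewall Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 5000 milliseconds: Run the configured recovery program.
11/12/2009 9:51:14 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: DMICall Fips intelppm mfehidk
11/12/2009 11:48:01 AM, error: Service Control Manager [7000] - The PC Tools Security Service service failed to start due to the following error: Access is denied.
11/12/2009 10:57:05 AM, error: Service Control Manager [7034] - The RoxMediaDB9 service terminated unexpectedly. It has done this 1 time(s).
11/12/2009 1:20:33 PM, error: Service Control Manager [7031] - The McAfee Real-time Scanner service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
"""

# One DDS event line: "<m/d/yyyy h:mm:ss AM>, <level>: <source> [<id>] - <message>"
EVENT_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M), "
    r"(?P<level>\w+): (?P<source>.+?) \[(?P<id>\d+)\] - (?P<msg>.*)$"
)
# Service Control Manager wording; lazy match stops at the lowercase " service <verb>".
SCM_SERVICE_RE = re.compile(
    r"^The (?P<svc>.+?) service (?:terminated unexpectedly|failed to start|hung on starting)"
)
DCOM_SERVICE_RE = re.compile(r"attempting to start the service (?P<svc>\S+) ")
DRIVERS_RE = re.compile(r"failed to load: (?P<drivers>.+)$")

# Assumed name fragments of security products present on this machine (case-insensitive).
SECURITY_KEYWORDS = ("mcafee", "mcnasvc", "pc tools", "spybot", "malwarebytes", "firewall")
# Assumed McAfee kernel driver names; mfehidk is the one listed in the log above.
SECURITY_DRIVERS = {"mfehidk", "mfeavfk", "mfebopk"}


@dataclass
class Event:
    when: datetime
    source: str
    event_id: int
    message: str


@dataclass
class Finding:
    when: datetime
    rule: str
    subject: str


def parse_events(text: str) -> List[Event]:
    """Parse every well-formed DDS event line; headers and blanks are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue
        events.append(Event(when=datetime.strptime(m["ts"], "%m/%d/%Y %I:%M:%S %p"),
                            source=m["source"], event_id=int(m["id"]), message=m["msg"]))
    return events


def is_security_product(name: str) -> bool:
    lowered = name.lower()
    return any(k in lowered for k in SECURITY_KEYWORDS)


def analyze(text: str) -> List[Finding]:
    """Return security-product failures in chronological order."""
    findings: List[Finding] = []
    for ev in parse_events(text):
        if ev.source == "Service Control Manager":
            if ev.event_id in (7031, 7034):          # service terminated unexpectedly
                m = SCM_SERVICE_RE.match(ev.message)
                if m and is_security_product(m["svc"]):
                    findings.append(Finding(ev.when, "security service terminated", m["svc"]))
            elif ev.event_id == 7000 and "Access is denied" in ev.message:
                m = SCM_SERVICE_RE.match(ev.message)
                if m and is_security_product(m["svc"]):
                    findings.append(Finding(ev.when, "security service denied start", m["svc"]))
            elif ev.event_id == 7026:                # boot/system-start drivers failed
                m = DRIVERS_RE.search(ev.message)
                missing = sorted(set(m["drivers"].split()) & SECURITY_DRIVERS) if m else []
                for drv in missing:
                    findings.append(Finding(ev.when, "security driver failed to load", drv))
        elif ev.source == "DCOM" and ev.event_id == 10005:
            m = DCOM_SERVICE_RE.search(ev.message)
            if m and is_security_product(m["svc"]):
                findings.append(Finding(ev.when, "security service failed to start (DCOM)", m["svc"]))
    findings.sort(key=lambda f: f.when)
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.when:%Y-%m-%d %H:%M:%S}  {f.rule:<40} {f.subject}")
    print(summarize(analyze(SAMPLE_LOG)))
```

On the seven sample lines it flags six events (the RoxMediaDB9 crash is ignored because Roxio is not a security product) and orders them by time, so the first finding is the boot-time failure of mfehidk, which precedes every service crash; that ordering is what distinguishes "the AV driver never loaded" from "the AV crashed later".
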
#12 Elise

    Bleepin' Blonde

  • Malware Study Hall Admin
  • 61,316 posts
  • Gender:Female
  • Location:Romania
  • Local time:10:20 PM
Posted 19 November 2009 - 02:45 AM

Hello again :(

Looks good so far!

UPDATE JAVA
------------------
Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older-version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "Java Runtime Environment (JRE)" JRE 6 Update 16.
  • Click the Download button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u15-windows-i586.exe to install the newest version.
-- If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
-- If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.
-- The uninstaller incorporated in this release removes previous Updates 10 and above, but does not remove older versions, so they still need to be removed manually.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.


ESET ONLINE SCANNER
----------------------------
I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the [image] button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on [image] to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the [image] icon on your desktop.
  • Check [image]
  • Click the [image] button.
  • Accept any security warnings from your browser.
  • Check [image]
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push [image]
  • Push [image], and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    Note - when ESET doesn't find any threats, no report will be created.
  • Push the [image] button.
  • Push [image]

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

Malware analyst @ Emsisoft

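The Java step above is an inventory problem: every JRE entry in Add/Remove Programs older than the release being installed is an exploitable component that the new installer may leave behind. The script below is an added example, not part of this thread or of any Sun/Oracle tool; it takes JRE 6 Update 16, the version named in the post, as the current release and reports the older entries to remove. The sample program names are constructed (the Java lines of the posted log are not shown on this page) and the three display-name patterns are an assumption about how the 1.4, 5.0 and 6 installers labelled themselves. On Windows it reads the same Uninstall registry keys Add/Remove Programs displays; elsewhere it falls back to the sample.

```python
"""Find stale Java Runtime Environment installs in an Add/Remove Programs listing.

Added example, not from the thread. CURRENT_JRE is the "JRE 6 Update 16" named
in the post; the sample entries and the display-name patterns are assumptions.
"""
import re
import sys
from typing import List, Optional, Tuple

CURRENT_JRE = (6, 16)  # (major, update) of the release the post tells the user to install

# Constructed sample in the format DDS prints under "Installed Programs".
SAMPLE_PROGRAMS = """\
J2SE Runtime Environment 5.0 Update 11
Java 2 Runtime Environment, SE v1.4.2_03
Java(TM) 6 Update 7
Java(TM) 6 Update 16
Java(TM) SE Runtime Environment 6 Update 1
Spybot - Search & Destroy
Windows XP Service Pack 3
"""

# (regex over the display name, groups -> (major, update)); order does not matter.
JRE_PATTERNS = [
    # "Java(TM) 6 Update 16", "Java(TM) SE Runtime Environment 6 Update 1"
    (re.compile(r"^Java\(TM\) (?:SE Runtime Environment )?(\d+) Update (\d+)$"),
     lambda g: (int(g[0]), int(g[1]))),
    # "J2SE Runtime Environment 5.0 Update 11" -> (5, 11)
    (re.compile(r"^J2SE Runtime Environment (\d+)\.\d+ Update (\d+)$"),
     lambda g: (int(g[0]), int(g[1]))),
    # "Java 2 Runtime Environment, SE v1.4.2_03" -> (4, 3)
    (re.compile(r"^Java 2 Runtime Environment, SE v1\.(\d+)\.\d+_(\d+)$"),
     lambda g: (int(g[0]), int(g[1]))),
]


def parse_jre_version(display_name: str) -> Optional[Tuple[int, int]]:
    """Return (major, update) for a JRE display name, or None for anything else."""
    for pattern, to_version in JRE_PATTERNS:
        m = pattern.match(display_name.strip())
        if m:
            return to_version(m.groups())
    return None


def stale_jres(display_names, current=CURRENT_JRE) -> List[Tuple[str, Tuple[int, int]]]:
    """(name, version) for every JRE entry older than `current`, oldest first."""
    found = []
    for name in display_names:
        v = parse_jre_version(name)
        if v is not None and v < current:
            found.append((name.strip(), v))
    return sorted(found, key=lambda item: item[1])


def has_current_jre(display_names, current=CURRENT_JRE) -> bool:
    return any((parse_jre_version(n) or (0, 0)) >= current for n in display_names)


def installed_display_names_from_registry() -> List[str]:
    """Windows only: DisplayName of each Uninstall key, as Add/Remove Programs shows them."""
    if sys.platform != "win32":
        return []
    import winreg
    names = []
    path = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as root:
        for i in range(winreg.QueryInfoKey(root)[0]):
            try:
                with winreg.OpenKey(root, winreg.EnumKey(root, i)) as sub:
                    names.append(winreg.QueryValueEx(sub, "DisplayName")[0])
            except OSError:
                continue  # subkey without a DisplayName value
    return names


if __name__ == "__main__":
    names = installed_display_names_from_registry() or SAMPLE_PROGRAMS.splitlines()
    for name, (major, update) in stale_jres(names):
        print(f"remove: {name}  (JRE {major} Update {update})")
    print("current JRE present:", has_current_jre(names))
```

Versions are compared as (major, update) tuples, so 1.4.2_03 sorts as (4, 3) below 5.0 Update 11 and every 6 Update n, which matches the order in which the post's manual removal would find them.
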

#13 Elise

    Bleepin' Blonde

  • Malware Study Hall Admin
  • 61,316 posts
  • Gender:Female
  • Location:Romania
  • Local time:10:20 PM
Posted 22 November 2009 - 08:31 AM

Hello, are you still there?

regards, Elise




#14 Elise

    Bleepin' Blonde

  • Malware Study Hall Admin
  • 61,316 posts
  • Gender:Female
  • Location:Romania
  • Local time:10:20 PM
Posted 24 November 2009 - 04:16 AM

Due to lack of feedback this topic is now closed.

If you are the original topic starter and you need this topic to be re-opened, please send me a PM.

Everyone else, please start a new topic.

regards, Elise

