
Browser redirects from google search and "Survey" links (server2.mediajmp.com)


  • This topic is locked
30 replies to this topic

#1 CorradoVT

CorradoVT

  • Members
  • 19 posts
  • OFFLINE
  • Local time:05:54 PM

Posted 10 January 2010 - 12:30 AM

I've been fighting a losing battle against browser hijacks/redirects for a few days with no luck.

I've run Ad-Aware (already had this installed), removed an outdated version of Norton Systemworks and replaced it with Comcast's McAfee offering (which may need to be reinstalled since I think the hijack corrupted it). I yanked a few "unusual" items via an old build of HijackThis, then downloaded & ran SuperAntiSpywarePro, Norman Malware Cleaner, and Malwarebytes Anti-Malware. Everything is coming up "clean" with those tools now, but I've still got the bug(s).


DDS Report below, RootRepeal & DDS Attach file attached.

DDS (Ver_09-12-01.01) - NTFSx86
Run by [me] at 23:42:53.31 on Sat 01/09/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1279.482 [GMT -5:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

D:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
D:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
D:\WINDOWS\system32\spoolsv.exe
svchost.exe
svchost.exe
D:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\dllhost.exe
D:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Java\jre6\bin\jqs.exe
D:\Program Files\LogMeIn\x86\RaMaint.exe
D:\Program Files\LogMeIn\x86\LogMeIn.exe
D:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
D:\WINDOWS\System32\svchost.exe -k imgsvc
D:\WINDOWS\System32\dmadmin.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\LogMeIn\x86\LogMeInSystray.exe
D:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre6\bin\jusched.exe
D:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Pinnacle\Shared Files\Programs\Remote\Remoterm.exe
D:\Program Files\LogMeIn\x86\LMIGuardian.exe
D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
D:\WINDOWS\system32\cidaemon.exe
D:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
D:\Program Files\firefox.exe
D:\WINDOWS\system32\taskmgr.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe
D:\dwnld\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uWindow Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
mWindow Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 5.0\acrobat\activex\AcroIEHelper.ocx
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: DAP Bar: {62999427-33fc-4baf-9c9c-bce6bd127f08} - d:\program files\dap\DAPIEBar.dll
uRun: [ctfmon.exe] d:\windows\system32\ctfmon.exe
uRun: [PMCRemote] c:\program files\pinnacle\shared files\\programs\remote\Remoterm.exe
uRun: [PMCLoader] c:\program files\pinnacle\tvcenter pro\PMCLoader.exe -checktasks
uRun: [SUPERAntiSpyware] d:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [LogMeIn GUI] "d:\program files\logmein\x86\LogMeInSystray.exe"
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [McAfee Backup] "c:\program files\mcafee\mbk\McAfeeDataBackup.exe"
dRun: [Picasa Media Detector] d:\program files\picasa2\PicasaMediaDetector.exe
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: d:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - c:\program files\adobe\acrobat 5.0\distillr\AcroTray.exe
StartupFolder: d:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - d:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {00000075-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/voxacm.CAB
DPF: {019D5592-3928-4DE4-BAA2-1F2E5EEF4CF6} - hxxps://ahsworks.umsa.usf.edu/Touchworks/AHSCompressionEngine.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {46965FE7-2129-407B-938C-BE358A56D11E} - hxxps://ahsworks.umsa.usf.edu/touchworks/DocWorks/CHWorks/Unstructured/aicviewer3.cab
DPF: {49727C2C-01F6-4F27-9D12-A877E77C82FF} - hxxps://ahsworks.umsa.usf.edu/AHSWeb/IDXWF/Context/idxwfcc.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1094349474328
DPF: {7E8DC73D-69CD-4F67-99B1-8DC6E42F6246} - hxxps://ahsworks.umsa.usf.edu/touchworks/Common/Components/AtalaSoft/ImgX61.cab
DPF: {860FFAFE-5AAA-11D2-81EB-006008A2E49D} - hxxps://ahsworks.umsa.usf.edu/touchworks/ResultWorks/chworks/flowsheets/pe32.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37867.6319907407
DPF: {A325C946-0C71-4098-AC94-46694E46CEB4} - hxxps://ahsworks.umsa.usf.edu/AHSWeb/IDXWF/Context/IDXTools.cab
DPF: {A4CC92F0-CAE7-11D4-910D-00B0D0134884} - hxxps://ahsworks.umsa.usf.edu/touchworks/DocWorks/CHWorks/Unstructured/RTFWrapper.cab
DPF: {ACEFFC26-4628-11D1-B14A-105C01C13001} - hxxps://ahsworks.umsa.usf.edu/touchworks/DocWorks/CHWorks/Unstructured/wspell.cab
DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} - hxxp://www.superadblocker.com/activex/sabspx.cab
DPF: {B7B8B614-6A5C-4140-A303-43CEB589D6A5} - hxxps://ahsworks.umsa.usf.edu/touchworks/DocWorks/CHWorks/Unstructured/TWRTF.cab
DPF: {B7EA9615-586E-4193-9C3C-A29CA577E040} - hxxps://ahsworks.umsa.usf.edu/touchworks/DictateBar.cab
DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} - hxxps://ahsworks.umsa.usf.edu/touchworks/Common/Components/Printing/activexviewer.cab
DPF: {CAFEEFAC-0014-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-1_4_0_03-win.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CE10AD66-84BC-46A9-9424-C863199C0408} - hxxps://ahsworks.umsa.usf.edu/touchworks/DocWorks/CHWorks/Unstructured/aic_viewer2.cab
DPF: {D14CA9D7-7C03-4E39-B076-0F3E852E705B} - hxxps://ahsworks.umsa.usf.edu/AHSWeb/IDXWF/Context/idxwfcb.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} - hxxp://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?321
DPF: {EE7747CC-FFC7-4845-9178-DEF33578F752} - hxxps://ahsworks.umsa.usf.edu/ahsweb/IDXWF/Context/IDXTools.cab
DPF: {EECF9899-FC3A-4841-986F-30B874921B36} - hxxps://ahsworks.umsa.usf.edu/AHSWeb/IDXWF/Context/IDXBrowser.cab
Name-Space Handler: HTTPS\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - d:\progra~1\dap\dapie.dll
Notify: !SASWinLogon - d:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: LMIinit - LMIinit.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - d:\program files\superantispyware\SASSEH.DLL
mASetup: {44BBA842-CC51-11CF-AAFA-00AA00B6015B} - rundll32.exe advpack.dll,LaunchINFSection c:\windows\inf\msnetmtg.inf,NetMtg.Install.PerUser.NT
mASetup: {6BF52A52-394A-11d3-B153-00C04F79FAA6} - rundll32.exe advpack.dll,LaunchINFSection c:\windows\inf\wmp11.inf,PerUserStub

================= FIREFOX ===================

FF - ProfilePath - d:\docume~1\erinen~1\applic~1\mozilla\firefox\profiles\fqgfi91a.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.cnn.com/
FF - plugin: c:\program files\real\realone player\netscape6\nppl3260.dll
FF - plugin: c:\program files\real\realone player\netscape6\nprjplug.dll
FF - plugin: c:\program files\real\realone player\netscape6\nprpjplug.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32.dll
FF - plugin: d:\program files\divx\divx player\npDivxPlayerPlugin.dll
FF - plugin: d:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: d:\program files\picasa2\npPicasa3.dll
FF - plugin: d:\program files\plugins\npatgpc.dll
FF - plugin: d:\program files\plugins\npmozax.dll
FF - plugin: d:\program files\quicktime\plugins\npqtplugin.dll
FF - plugin: d:\program files\quicktime\plugins\npqtplugin2.dll
FF - plugin: d:\program files\quicktime\plugins\npqtplugin3.dll
FF - plugin: d:\program files\quicktime\plugins\npqtplugin4.dll
FF - plugin: d:\program files\quicktime\plugins\npqtplugin5.dll
FF - plugin: d:\program files\quicktime\plugins\npqtplugin6.dll
FF - plugin: d:\program files\quicktime\plugins\npqtplugin7.dll
FF - HiddenExtension: Java Console: No Registry Reference - d:\program files\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - d:\program files\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - d:\program files\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - false // Popupblocker control handled by McAfee Privacy Service
d:\program files\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;d:\windows\system32\drivers\Lbd.sys [2009-8-22 64160]
R1 mfehidk;McAfee Inc. mfehidk;d:\windows\system32\drivers\mfehidk.sys [2009-11-4 214664]
R1 RCFOX;SonicWALL IPsec Driver;d:\windows\system32\drivers\RCFOX.SYS [2008-6-21 101528]
R1 SASDIFSV;SASDIFSV;d:\program files\superantispyware\sasdifsv.sys [2010-1-5 9968]
R1 SASKUTIL;SASKUTIL;d:\program files\superantispyware\SASKUTIL.SYS [2010-1-5 74480]
R2 BCMNTIO;BCMNTIO;d:\progra~1\checkit\diagno~1\BCMNTIO.sys [2008-4-21 3744]
R2 EAPPkt;Realtek EAPPkt Protocol;d:\windows\system32\drivers\EAPPkt.sys [2008-4-19 66048]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-7-3 1028432]
R2 LMIInfo;LogMeIn Kernel Information Provider;d:\program files\logmein\x86\rainfo.sys [2008-4-21 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2008-4-13 46112]
R2 MAPMEM;MAPMEM;d:\progra~1\checkit\diagno~1\MAPMEM.sys [2008-4-21 3904]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2008-4-22 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2010-1-9 144704]
R2 NPF;NetGroup Packet Filter Driver;d:\windows\system32\drivers\npf.sys [2007-11-6 34064]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2010-1-9 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;d:\windows\system32\drivers\mfeavfk.sys [2010-1-9 79816]
R3 mfebopk;McAfee Inc. mfebopk;d:\windows\system32\drivers\mfebopk.sys [2010-1-9 35272]
R3 mfesmfk;McAfee Inc. mfesmfk;d:\windows\system32\drivers\mfesmfk.sys [2010-1-9 40552]
R3 OmniTV;Cx2388x AvStream Video Capture;d:\windows\system32\drivers\OmniTV.sys [2009-3-28 401280]
R3 SASENUM;SASENUM;d:\program files\superantispyware\SASENUM.SYS [2010-1-5 7408]
S3 mferkdk;McAfee Inc. mferkdk;d:\windows\system32\drivers\mferkdk.sys [2010-1-9 34248]
S3 NDISKIO;NDISKIO;\??\d:\docume~1\erinen~1\locals~1\temp\0000085d.nmc\nse\bin\ndiskio.sys --> d:\docume~1\erinen~1\locals~1\temp\0000085d.nmc\nse\bin\ndiskio.sys [?]
S3 nsak;nsak;d:\docume~1\erinen~1\locals~1\temp\00000525.nmc\nse\bin\nsak.sys [2010-1-9 18120]
S3 RapFile;RapFile;c:\windows\system32\drivers\RapFile.sys [2008-4-13 36644]
S3 RapNet;RapNet;c:\windows\system32\drivers\RapNet.sys [2008-4-13 24344]
S3 rcvpn;SonicWALL VPN Adapter;d:\windows\system32\drivers\rcvpn.sys [2008-6-21 24876]
S3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;d:\windows\system32\drivers\wg111v2.sys [2008-4-19 194304]
S3 USBFVNETR;NETGEAR MA101 USB Adapter;d:\windows\system32\drivers\ma101rndxp.sys [2008-4-19 76160]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2008-4-13 280344]
S3 wind502u;Motorola Wireless USB Adapter WU830G Windows Driver;d:\windows\system32\drivers\wind502u.sys [2008-4-19 336256]
S4 GFI LANguard N.S.S. 6.0 attendant service;GFI LANguard N.S.S. 6.0 attendant service;d:\program files\gfi\languard network security scanner 6.0\lnssatt.exe [2008-4-21 102400]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
S4 SRTSERVERDAEMON;Titan FTP Server Daemon;c:\windows\system32\srxTitan.exe [2008-4-13 329352]

============== File Associations ===============

chm.file="c:\windows\hh.exe" %1
inffile=c:\documents and settings\erin ennis\desktop\notepad.exe %1
inifile=c:\documents and settings\erin ennis\desktop\notepad.exe %1
txtfile="%WinDir%\NOTEPAD.EXE" %1

=============== Created Last 30 ================

2010-01-10 04:08:04 0 d-sh--w- d:\documents and settings\erin ennis\PrivacIE
2010-01-10 02:58:30 0 d-sh--w- d:\documents and settings\erin ennis\IETldCache
2010-01-09 18:30:07 0 dc-h--w- d:\windows\ie8
2010-01-09 16:06:21 1967 ----a-w- d:\windows\system32\Config.MPF
2010-01-09 15:53:28 40552 ----a-w- d:\windows\system32\drivers\mfesmfk.sys
2010-01-09 15:53:27 35272 ----a-w- d:\windows\system32\drivers\mfebopk.sys
2010-01-09 15:53:26 79816 ----a-w- d:\windows\system32\drivers\mfeavfk.sys
2010-01-09 15:42:07 34248 ----a-w- d:\windows\system32\drivers\mferkdk.sys
2010-01-09 15:40:48 524288 ----a-w- D:\dwlnd.scr
2010-01-09 05:39:42 0 d-----w- d:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-01-09 05:39:12 0 d-----w- d:\docume~1\erinen~1\applic~1\SUPERAntiSpyware.com
2010-01-09 04:55:15 0 d-----w- d:\docume~1\erinen~1\applic~1\Malwarebytes
2010-01-09 04:55:05 38224 ----a-w- d:\windows\system32\drivers\mbamswissarmy.sys
2010-01-09 04:55:03 0 d-----w- d:\docume~1\alluse~1\applic~1\Malwarebytes
2010-01-09 04:55:02 19160 ----a-w- d:\windows\system32\drivers\mbam.sys
2010-01-09 04:09:42 1984 ----a-w- d:\windows\system32\d3d9caps.dat
2010-01-09 00:10:09 0 dc----w- d:\docume~1\alluse~1\applic~1\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}

==================== Find3M ====================

2010-01-09 17:27:04 95360 ----a-w- d:\windows\system32\drivers\atapi.sys
2010-01-09 17:27:04 95360 ----a-w- d:\windows\system32\dllcache\atapi.sys
2009-11-25 14:20:17 15688 ----a-w- d:\windows\system32\lsdelete.exe
2009-11-14 00:49:00 129784 ------w- d:\windows\system32\pxafs.dll
2009-11-14 00:49:00 120056 ------w- d:\windows\system32\pxcpyi64.exe
2009-11-14 00:49:00 118520 ------w- d:\windows\system32\pxinsi64.exe
2009-11-14 00:47:32 90112 ----a-w- d:\windows\system32\dpl100.dll
2009-11-14 00:47:28 856064 ----a-w- d:\windows\system32\divx_xx0c.dll
2009-11-14 00:47:28 856064 ----a-w- d:\windows\system32\divx_xx07.dll
2009-11-14 00:47:28 847872 ----a-w- d:\windows\system32\divx_xx0a.dll
2009-11-14 00:47:28 843776 ----a-w- d:\windows\system32\divx_xx16.dll
2009-11-14 00:47:28 839680 ----a-w- d:\windows\system32\divx_xx11.dll
2009-11-14 00:47:28 696320 ----a-w- d:\windows\system32\DivX.dll
2009-10-29 07:46:51 133120 ----a-w- d:\windows\system32\dllcache\extmgr.dll
2009-10-28 14:36:11 13824 ----a-w- d:\windows\system32\dllcache\ieudinit.exe
2009-10-21 06:00:55 75776 ----a-w- d:\windows\system32\strmfilt.dll
2009-10-21 06:00:55 75776 ------w- d:\windows\system32\dllcache\strmfilt.dll
2009-10-21 06:00:55 25088 ----a-w- d:\windows\system32\httpapi.dll
2009-10-21 06:00:55 25088 ------w- d:\windows\system32\dllcache\httpapi.dll
2009-10-20 14:58:48 263552 ------w- d:\windows\system32\dllcache\http.sys
2009-10-13 10:53:29 266752 ----a-w- d:\windows\system32\oakley.dll
2009-10-13 10:53:29 266752 ------w- d:\windows\system32\dllcache\oakley.dll
2009-10-12 13:54:17 69632 ----a-w- d:\windows\system32\raschap.dll
2009-10-12 13:54:17 69632 ------w- d:\windows\system32\dllcache\raschap.dll
2009-10-12 13:54:17 112128 ----a-w- d:\windows\system32\rastls.dll
2009-10-12 13:54:17 112128 ------w- d:\windows\system32\dllcache\rastls.dll

============= FINISH: 23:45:44.89 ===============

More info (too focused on getting the "files" attached in the last one).

I first observed funny behavior about a week ago in the form of a pop-up window when visiting woot.com. I was linked to a 'survey' with FQDN hxxp://server2.mediajmp.com (most recent redirect was to hxxp://server2.mediajmp.com/surveys/cpv-in...?sub=didit.com). I'm a volunteer mod for the woot.com site and was able to verify that this was *not* coming from woot. Another one I got while getting examples for this post is hxxp://www.thewebsitesurvey.com/ (popped to a new tab when I launched www.google.com).

On Friday, I think I picked up something else. "New" behavior is that clicking any links from a google search (FF or IE) skip me through a few redirects to land on another 'random' (never seems to be the same) search/marketing site.

Example:
Target link from this search: hxxp://www.google.com/search?source=ig&hl=en&rlz=&=&q=TestSearch&aq=f&oq=&aqi=g-s1g-sx4

I clicked the link for the "UKAS Testing : Multiple Test Search" entry with this link: hxxp://www.ukas.org/testing/directorysearch.asp
and was redirected to hxxp://welcometopuertorico.org/search.php
which redirected to hxxp://se1.94319.asklots.com/jump1/?affili...p;mr=1&rc=0
and finally dumped me here hxxp://www.hollywoodlife.com/?utm_source=a...id=ae1_hl_jan10

If I copy/paste the link from google (or drag/drop it to the address bar), I get to the expected site.

LMK if you need/want more examples.

Merged posts. ~ OB

Edited by Orange Blossom, 12 January 2010 - 11:02 PM.
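As a defender-side aid for reading the SERVICES / DRIVERS section of a DDS log like the one above, here is an added Python example (not from the post, and not part of DDS itself) that parses those lines and flags the entries a helper would look at first: images that are missing or unreadable, images loading from user-writable temp/profile paths, and images modified shortly before the scan. The sample lines are constructed in the format of the log in the post; hits are leads to verify, not verdicts, since some on-demand scanners legitimately drop temporary drivers under the user's temp directory.

```python
import re
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# One DDS "SERVICES / DRIVERS" line looks like:
#   <status> <name>;<display name>;<image path> [<yyyy-m-d size>]
# where the bracket instead holds "?" (DDS could not read the file) or "x" (file missing).
LINE_RE = re.compile(
    r"^(?P<status>[RS]\d)\s+(?P<name>[^;]*);(?P<display>[^;]*);"
    r"(?P<path>.*?)\s*\[(?P<info>[^\]]*)\]\s*$"
)
INFO_RE = re.compile(r"^(\d{4})-(\d{1,2})-(\d{1,2})\s+(\d+)$")

# Path fragments that should not host a kernel driver or service image:
# user profiles and temp directories are writable without admin rights.
USER_WRITABLE = ("\\docume~1\\", "\\documents and settings\\", "\\locals~1\\temp\\",
                 "\\temp\\", "\\users\\")


@dataclass
class Entry:
    status: str
    name: str
    display: str
    path: str
    info: str
    mtime: Optional[date] = None
    size: Optional[int] = None
    findings: list = field(default_factory=list)


def parse_line(line):
    """Parse one log line; returns None for lines that are not service/driver entries."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    path = m.group("path")
    # "\??\<nt path> --> <dos path>" appears when DDS resolved an NT object path; keep the resolved one.
    if " --> " in path:
        path = path.split(" --> ", 1)[1]
    entry = Entry(m.group("status"), m.group("name"), m.group("display"),
                  path.strip(), m.group("info").strip())
    im = INFO_RE.match(entry.info)
    if im:
        y, mo, d, size = (int(x) for x in im.groups())
        entry.mtime, entry.size = date(y, mo, d), size
    return entry


def triage(entry, scan_date=None, recent_days=7):
    """Attach triage findings to an entry; these are leads to verify, not verdicts."""
    lower = entry.path.lower()
    if entry.info == "x":
        entry.findings.append("image file missing on disk")
    elif entry.info == "?":
        entry.findings.append("DDS could not read the image file")
    if any(frag in lower for frag in USER_WRITABLE):
        entry.findings.append("image lives under a user-writable profile/temp path")
    if scan_date and entry.mtime and (scan_date - entry.mtime).days <= recent_days:
        entry.findings.append(f"image modified within {recent_days} days of the scan")
    return entry


def triage_report(text, scan_date_iso=None, recent_days=7):
    """Return only the entries that have at least one finding, in log order."""
    scan_date = date.fromisoformat(scan_date_iso) if scan_date_iso else None
    flagged = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry and triage(entry, scan_date, recent_days).findings:
            flagged.append(entry)
    return flagged


# Constructed sample: a few lines in the same format as the DDS log in the post,
# including its two temp-path drivers and its missing-file entry.
SAMPLE = r"""
R1 mfehidk;McAfee Inc. mfehidk;d:\windows\system32\drivers\mfehidk.sys [2009-11-4 214664]
R2 NPF;NetGroup Packet Filter Driver;d:\windows\system32\drivers\npf.sys [2007-11-6 34064]
S3 NDISKIO;NDISKIO;\??\d:\docume~1\erinen~1\locals~1\temp\0000085d.nmc\nse\bin\ndiskio.sys --> d:\docume~1\erinen~1\locals~1\temp\0000085d.nmc\nse\bin\ndiskio.sys [?]
S3 nsak;nsak;d:\docume~1\erinen~1\locals~1\temp\00000525.nmc\nse\bin\nsak.sys [2010-1-9 18120]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
"""

if __name__ == "__main__":
    # The scan date comes from the DDS header of the log being read.
    for e in triage_report(SAMPLE, "2010-01-09"):
        print(f"{e.status} {e.name}: {e.path or '<no path>'}")
        for finding in e.findings:
            print("   -", finding)
```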



#2 CorradoVT

CorradoVT
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  • Local time:05:54 PM

Posted 13 January 2010 - 09:11 PM

Update: I dropped a second bootable drive into the PC, booted to the new one (knowing I'm rolling the dice and risking infection of the second drive), re-ran all the AV/Anti-Malware, cleaned a bunch more Malware/Worms/Trojans and DNS Registry keys, but I've still got the Google Search redirects on the primary drive.

Anyone know if the Norman software is supposed to work in Safe mode? Mine won't. That makes me suspicious.

#3 myrti

myrti

Sillyberry

  • Malware Study Hall Admin
  • 33,766 posts
  • OFFLINE
  • Gender:Female
  • Location:At home
  • Local time:12:54 AM

Posted 16 January 2010 - 12:06 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.
  1. Please download OTL from the following mirror:
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Click the "Scan All Users" checkbox.
  5. Push the button.
  6. Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. I suggest you do this and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!



#4 CorradoVT

CorradoVT
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  • Local time:05:54 PM

Posted 16 January 2010 - 12:40 PM

Thanks, myrti. I've had the PC shut down since my last message (working on my clean Work laptop now). I'm firing the infected PC up now to follow your recommended COA and follow up shortly.

I appreciate the help!

-ErinE...

#5 CorradoVT

CorradoVT
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  • Local time:05:54 PM

Posted 16 January 2010 - 01:13 PM

I have changed my network connection (new router on a 10. network from a router on a 172.19. network) and the logs show some thrashing as I re-configured the PC to hit the new network.

OTL logs:

OTL.txt
OTL logfile created on: 1/16/2010 12:45:06 PM - Run 1
OTL by OldTimer - Version 3.1.25.2 Folder = D:\Documents and Settings\Erin Ennis\Desktop
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.00 Gb Total Physical Memory | 0.00 Gb Available Physical Memory | 29.00% Memory free
3.00 Gb Paging File | 2.00 Gb Available in Paging File | 75.00% Paging File free
Paging file location(s): [Binary data over 100 bytes]

%SystemDrive% = D: | %SystemRoot% = D:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.24 Gb Total Space | 13.29 Gb Free Space | 35.69% Space Free | Partition Type: NTFS
Drive D: | 219.72 Gb Total Space | 10.58 Gb Free Space | 4.81% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive S: | 13.16 Gb Total Space | 4.69 Gb Free Space | 35.63% Space Free | Partition Type: NTFS

Computer Name: TOURAEG
Current User Name: Erin Ennis
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/01/16 12:44:07 | 00,547,328 | ---- | M] (OldTimer Tools) -- D:\Documents and Settings\Erin Ennis\Desktop\OTL.exe
PRC - [2010/01/11 21:30:23 | 00,136,176 | ---- | M] (Google Inc.) -- D:\Documents and Settings\Erin Ennis\Local Settings\Application Data\Google\Update\1.2.183.13\GoogleCrashHandler.exe
PRC - [2010/01/11 21:30:23 | 00,135,664 | ---- | M] (Google Inc.) -- D:\Documents and Settings\Erin Ennis\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
PRC - [2010/01/05 07:56:02 | 02,002,160 | ---- | M] (SUPERAntiSpyware.com) -- D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
PRC - [2009/12/09 18:22:33 | 00,921,072 | ---- | M] (Google Inc.) -- D:\Documents and Settings\Erin Ennis\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
PRC - [2009/11/25 09:19:52 | 00,520,024 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
PRC - [2009/11/25 09:19:51 | 01,028,432 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
PRC - [2009/11/04 16:53:34 | 00,144,704 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\Mcshield.exe
PRC - [2009/11/04 15:59:50 | 00,606,736 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\mcsysmon.exe
PRC - [2009/10/29 06:54:44 | 01,218,008 | ---- | M] (McAfee, Inc.) -- c:\Program Files\McAfee.com\Agent\mcagent.exe
PRC - [2009/10/29 06:54:44 | 00,865,832 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MSC\mcmscsvc.exe
PRC - [2009/10/28 11:50:32 | 00,365,072 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\mcods.exe
PRC - [2009/10/28 11:50:32 | 00,262,160 | ---- | M] (McAfee, Inc.) -- c:\Program Files\McAfee\VirusScan\mcvsshld.exe
PRC - [2009/10/27 11:19:46 | 00,895,696 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MPF\MpfSrv.exe
PRC - [2009/10/01 22:46:16 | 00,116,032 | ---- | M] (LogMeIn, Inc.) -- D:\Program Files\LogMeIn\x86\ramaint.exe
PRC - [2009/10/01 22:46:08 | 00,378,176 | ---- | M] (LogMeIn, Inc.) -- D:\Program Files\LogMeIn\x86\LMIGuardian.exe
PRC - [2009/07/08 20:22:24 | 05,134,864 | ---- | M] (McAfee) -- C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
PRC - [2009/07/08 11:54:34 | 00,359,952 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe
PRC - [2009/07/07 19:10:02 | 02,482,848 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
PRC - [2008/05/14 13:48:42 | 00,644,368 | ---- | M] (Pinnacle Systems GmbH) -- C:\Program Files\Pinnacle\TVCenter Pro\PMCLoader.exe
PRC - [2008/05/09 10:09:50 | 00,267,536 | ---- | M] (Pinnacle Systems) -- C:\Program Files\Pinnacle\Shared Files\Programs\Remote\remoterm.exe
PRC - [2007/06/13 05:23:07 | 01,033,216 | ---- | M] (Microsoft Corporation) -- D:\WINDOWS\explorer.exe
PRC - [2007/04/17 13:03:50 | 00,063,048 | ---- | M] (LogMeIn, Inc.) -- D:\Program Files\LogMeIn\x86\LogMeInSystray.exe
PRC - [2007/04/17 13:03:50 | 00,063,040 | ---- | M] (LogMeIn, Inc.) -- D:\Program Files\LogMeIn\x86\LogMeIn.exe
PRC - [2005/04/07 15:26:10 | 01,421,336 | ---- | M] (Cisco Systems, Inc.) -- D:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
PRC - [2004/08/04 02:56:57 | 00,014,336 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\svchost.exe
PRC - [2004/08/04 02:56:56 | 00,140,800 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\sessmgr.exe
PRC - [2004/08/04 02:56:48 | 00,005,120 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\dllhost.exe
PRC - [2001/03/15 04:18:18 | 00,049,254 | ---- | M] (Adobe Systems Inc.) -- C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe


========== Modules (SafeList) ==========

MOD - [2010/01/16 12:44:07 | 00,547,328 | ---- | M] (OldTimer Tools) -- D:\Documents and Settings\Erin Ennis\Desktop\OTL.exe
MOD - [2006/08/25 10:45:55 | 01,054,208 | ---- | M] (Microsoft Corporation) -- D:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- -- (JavaQuickStarterService)
SRV - [2009/11/25 09:19:51 | 01,028,432 | ---- | M] (Lavasoft) [Auto | Running] -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe -- (Lavasoft Ad-Aware Service)
SRV - [2009/11/04 16:53:34 | 00,144,704 | ---- | M] (McAfee, Inc.) [Unknown | Running] -- C:\Program Files\McAfee\VirusScan\Mcshield.exe -- (McShield)
SRV - [2009/11/04 15:59:50 | 00,606,736 | ---- | M] (McAfee, Inc.) [On_Demand | Running] -- C:\Program Files\McAfee\VirusScan\mcsysmon.exe -- (McSysmon)
SRV - [2009/10/29 06:54:44 | 00,865,832 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\MSC\mcmscsvc.exe -- (mcmscsvc)
SRV - [2009/10/28 11:50:32 | 00,365,072 | ---- | M] (McAfee, Inc.) [On_Demand | Running] -- C:\Program Files\McAfee\VirusScan\mcods.exe -- (McODS)
SRV - [2009/10/27 11:19:46 | 00,895,696 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\MPF\MPFSrv.exe -- (MpfService)
SRV - [2009/10/01 22:46:16 | 00,116,032 | ---- | M] (LogMeIn, Inc.) [Auto | Running] -- D:\Program Files\LogMeIn\x86\RaMaint.exe -- (LMIMaint)
SRV - [2009/07/08 11:54:34 | 00,359,952 | ---- | M] (McAfee, Inc.) [Auto | Running] -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe -- (McProxy)
SRV - [2009/07/07 19:10:02 | 02,482,848 | ---- | M] (McAfee, Inc.) [Auto | Running] -- c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe -- (McNASvc)
SRV - [2008/07/07 15:32:22 | 00,253,952 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\WINDOWS\system32\es.dll -- (EventSystem)
SRV - [2007/11/06 15:22:26 | 00,092,792 | ---- | M] (CACE Technologies) [On_Demand | Stopped] -- C:\Program Files\WinPcap\rpcapd.exe -- (rpcapd) Remote Packet Capture Protocol v.0 (experimental)
SRV - [2007/09/29 02:56:34 | 00,483,328 | ---- | M] (ATI Technologies Inc.) [Disabled | Stopped] -- D:\WINDOWS\system32\ati2evxx.exe -- (Ati HotKey Poller)
SRV - [2007/09/27 11:10:02 | 00,230,672 | ---- | M] (SonicWALL, Inc.) [On_Demand | Stopped] -- D:\Program Files\SonicWALL\SonicWALL Global VPN Client\RampartSvc.exe -- (RampartSvc)
SRV - [2007/04/17 13:03:50 | 00,063,040 | ---- | M] (LogMeIn, Inc.) [Auto | Running] -- D:\Program Files\LogMeIn\x86\LogMeIn.exe -- (LogMeIn)
SRV - [2007/02/05 10:11:18 | 00,075,320 | ---- | M] (Sony Corporation) [Disabled | Stopped] -- C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe -- (SSScsiSV)
SRV - [2007/02/05 10:11:16 | 00,112,184 | ---- | M] (Sony Corporation) [Disabled | Stopped] -- C:\Program Files\Common Files\Sony Shared\AVLib\SsBeSvc.exe -- (SonicStage Back-End Service)
SRV - [2007/01/03 20:40:21 | 00,136,120 | ---- | M] (Google) [On_Demand | Stopped] -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe -- (gusvc)
SRV - [2006/12/14 02:21:20 | 00,045,056 | ---- | M] (Sony Corporation) [Disabled | Stopped] -- C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe -- (MSCSPTISRV)
SRV - [2006/12/14 02:02:08 | 00,069,632 | ---- | M] (Sony Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe -- (SPTISRV)
SRV - [2006/12/14 01:46:16 | 00,057,344 | ---- | M] () [Disabled | Stopped] -- C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe -- (PACSPTISVR)
SRV - [2006/10/20 20:21:24 | 00,036,864 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe -- (FontCache3.0.0.0)
SRV - [2006/10/18 20:47:16 | 00,027,136 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\mspmsnsv.dll -- (WmdmPmSN)
SRV - [2005/11/14 01:06:04 | 00,069,632 | ---- | M] (Macrovision Corporation) [Disabled | Stopped] -- C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe -- (IDriverT)
SRV - [2005/04/07 15:26:10 | 01,421,336 | ---- | M] (Cisco Systems, Inc.) [Auto | Running] -- D:\Program Files\Cisco Systems\VPN Client\cvpnd.exe -- (CVPND)
SRV - [2005/03/21 14:00:22 | 00,078,848 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\msiexec.exe -- (MSIServer)
SRV - [2005/02/28 12:02:28 | 00,102,400 | ---- | M] (GFI Software Ltd.) [Disabled | Stopped] -- D:\Program Files\GFI\LANguard Network Security Scanner 6.0\lnssatt.exe -- (GFI LANguard N.S.S. 6.0 attendant service)
SRV - [2004/08/05 09:31:56 | 00,329,352 | ---- | M] () [Disabled | Stopped] -- C:\WINDOWS\system32\srxTitan.exe -- (SRTSERVERDAEMON)
SRV - [2004/08/04 02:56:57 | 00,126,464 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\wbem\wmiapsrv.exe -- (WmiApSrv)
SRV - [2004/08/04 02:56:56 | 00,140,800 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\sessmgr.exe -- (RDSessMgr)
SRV - [2004/08/04 02:56:53 | 00,006,144 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\msdtc.exe -- (MSDTC)
SRV - [2004/08/04 02:56:51 | 00,032,768 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\mnmsrvc.exe -- (mnmsrvc)
SRV - [2004/08/04 02:56:50 | 00,150,016 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\WINDOWS\system32\imapi.exe -- (ImapiService)
SRV - [2004/08/04 02:56:48 | 00,005,120 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\System32\dllhost.exe -- (SwPrv)
SRV - [2004/08/04 02:56:48 | 00,005,120 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\System32\dllhost.exe -- (COMSysApp)
SRV - [2004/08/04 02:56:46 | 00,174,592 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\WINDOWS\system32\w32time.dll -- (W32Time)
SRV - [2004/08/04 02:56:45 | 00,170,496 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\WINDOWS\system32\srsvc.dll -- (srservice)
SRV - [2004/08/04 02:56:44 | 00,382,464 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\qmgr.dll -- (BITS)
SRV - [2004/05/15 21:10:00 | 00,516,096 | ---- | M] () [Disabled | Stopped] -- C:\WINDOWS\system32\ati2sgag.exe -- (ATI Smart)
SRV - [2003/10/03 11:24:06 | 00,090,112 | ---- | M] (Sony Corporation) [Disabled | Stopped] -- C:\Program Files\Sony\Giga Pocket\RM_SV.exe -- (Sony TV Tuner Manager)
SRV - [2003/10/03 11:24:06 | 00,077,824 | ---- | M] (Sony Corporation) [Disabled | Stopped] -- C:\Program Files\Sony\Giga Pocket\shwserv.exe -- (Giga Pocket Hardware Detector)
SRV - [2003/09/25 12:38:56 | 00,118,784 | ---- | M] (Sony Corporation) [Disabled | Stopped] -- C:\Program Files\Sony\Giga Pocket\halsv.exe -- (Sony TV Tuner Controller)
SRV - [2003/05/12 18:08:52 | 00,942,080 | ---- | M] (Sony Corporation) [Disabled | Stopped] -- C:\Program Files\Sony\Giga Pocket\GPVSvr.exe -- (VAIOMediaPlatform-VideoServer-AppServer)
SRV - [2003/03/25 19:39:02 | 00,262,144 | ---- | M] (Sony Corporation) [Disabled | Stopped] -- C:\Program Files\Sony\Photo Server\appsrv\PhotoAppSrv.exe -- (VAIOMediaPlatform-PhotoServer-AppServer)
SRV - [2003/03/19 23:02:38 | 00,675,840 | ---- | M] (Sony Corporation) [Disabled | Stopped] -- C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe -- (VAIOMediaPlatform-VideoServer-UPnP) VAIO Media Video Server (UPnP)
SRV - [2003/03/19 23:02:38 | 00,675,840 | ---- | M] (Sony Corporation) [Disabled | Stopped] -- C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe -- (VAIOMediaPlatform-PhotoServer-UPnP) VAIO Media Photo Server (UPnP)
SRV - [2003/03/19 23:02:38 | 00,675,840 | ---- | M] (Sony Corporation) [Disabled | Stopped] -- C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe -- (VAIOMediaPlatform-MusicServer-UPnP) VAIO Media Music Server (UPnP)
SRV - [2003/03/18 19:03:24 | 00,536,648 | ---- | M] (Sony Corporation) [Disabled | Stopped] -- C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe -- (VAIOMediaPlatform-MusicServer-AppServer)
SRV - [2003/02/10 15:11:12 | 00,057,344 | ---- | M] (Sony Corporation) [Disabled | Stopped] -- C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe -- (VAIOMediaPlatform-VideoServer-HTTP) VAIO Media Video Server (HTTP)
SRV - [2003/02/10 15:11:12 | 00,057,344 | ---- | M] (Sony Corporation) [Disabled | Stopped] -- C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe -- (VAIOMediaPlatform-PhotoServer-HTTP) VAIO Media Photo Server (HTTP)
SRV - [2003/02/10 15:11:12 | 00,057,344 | ---- | M] (Sony Corporation) [Disabled | Stopped] -- C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe -- (VAIOMediaPlatform-MusicServer-HTTP) VAIO Media Music Server (HTTP)


========== Driver Services (SafeList) ==========

DRV - [2010/01/05 07:56:06 | 00,007,408 | R--- | M] ( SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | On_Demand | Running] -- D:\Program Files\SUPERAntiSpyware\SASENUM.SYS -- (SASENUM)
DRV - [2010/01/05 07:56:04 | 00,009,968 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- D:\Program Files\SUPERAntiSpyware\sasdifsv.sys -- (SASDIFSV)
DRV - [2010/01/05 07:56:02 | 00,074,480 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- D:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
DRV - [2009/11/04 16:54:12 | 00,214,664 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- D:\WINDOWS\system32\drivers\mfehidk.sys -- (mfehidk)
DRV - [2009/11/04 16:54:12 | 00,079,816 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- D:\WINDOWS\system32\drivers\mfeavfk.sys -- (mfeavfk)
DRV - [2009/11/04 16:54:12 | 00,040,552 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- D:\WINDOWS\system32\drivers\mfesmfk.sys -- (mfesmfk)
DRV - [2009/11/04 16:54:12 | 00,035,272 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- D:\WINDOWS\system32\drivers\mfebopk.sys -- (mfebopk)
DRV - [2009/11/04 16:53:40 | 00,034,248 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- D:\WINDOWS\system32\drivers\mferkdk.sys -- (mferkdk)
DRV - [2009/10/01 22:46:10 | 00,083,288 | ---- | M] (LogMeIn, Inc.) [File_System | Disabled | Stopped] -- D:\WINDOWS\system32\LMIRfsClientNP.dll -- (LMIRfsClientNP)
DRV - [2009/07/16 12:32:26 | 00,120,136 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- D:\WINDOWS\system32\drivers\Mpfp.sys -- (MPFP)
DRV - [2009/07/03 09:49:08 | 00,064,160 | ---- | M] (Lavasoft AB) [File_System | Boot | Running] -- D:\WINDOWS\system32\DRIVERS\Lbd.sys -- (Lbd)
DRV - [2008/11/20 14:19:06 | 00,043,872 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- D:\WINDOWS\System32\DRIVERS\PxHelp20.sys -- (PxHelp20)
DRV - [2008/04/29 14:34:02 | 00,401,280 | ---- | M] (YUAN High-Tech Development Co. Ltd.) [Kernel | On_Demand | Running] -- D:\WINDOWS\system32\drivers\OmniTV.sys -- (OmniTV)
DRV - [2008/02/28 14:31:50 | 00,012,856 | ---- | M] (LogMeIn, Inc.) [Kernel | Auto | Running] -- D:\Program Files\LogMeIn\x86\rainfo.sys -- (LMIInfo)
DRV - [2007/11/13 05:25:53 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) [Kernel | On_Demand | Stopped] -- D:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv)
DRV - [2007/11/06 15:22:06 | 00,034,064 | ---- | M] (CACE Technologies) [Kernel | Auto | Running] -- D:\WINDOWS\system32\drivers\npf.sys -- (NPF)
DRV - [2007/09/29 03:06:00 | 02,456,064 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- D:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2007/09/27 14:49:50 | 00,101,528 | ---- | M] (SonicWALL, Inc.) [Kernel | System | Running] -- D:\WINDOWS\system32\drivers\RCFOX.SYS -- (RCFOX)
DRV - [2007/07/09 17:40:52 | 00,128,144 | R--- | M] (Deterministic Networks, Inc.) [Kernel | On_Demand | Running] -- D:\WINDOWS\system32\drivers\dne2000.sys -- (DNE)
DRV - [2007/04/17 13:00:28 | 00,010,144 | ---- | M] (LogMeIn, Inc.) [Kernel | On_Demand | Running] -- D:\WINDOWS\system32\drivers\LMImirr.sys -- (LMImirr)
DRV - [2007/04/14 11:00:36 | 00,022,768 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- D:\WINDOWS\system32\drivers\usbsermpt.sys -- (usbsermpt)
DRV - [2007/04/05 10:55:14 | 00,046,112 | ---- | M] (LogMeIn, Inc.) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\LMIRfsDriver.sys -- (LMIRfsDriver)
DRV - [2007/02/07 04:22:24 | 00,194,304 | ---- | M] (NETGEAR Inc.) [Kernel | On_Demand | Stopped] -- D:\WINDOWS\system32\drivers\wg111v2.sys -- (RTLWUSB)
DRV - [2006/09/24 08:28:46 | 00,005,248 | ---- | M] (Windows ® 2000 DDK provider) [Kernel | Boot | Running] -- D:\WINDOWS\system32\speedfan.sys -- (speedfan)
DRV - [2006/07/13 13:03:48 | 00,079,328 | ---- | M] (MCCI) [Kernel | On_Demand | Stopped] -- D:\WINDOWS\system32\drivers\mqdmserd.sys -- (mqdmserd)
DRV - [2006/07/13 13:03:12 | 00,092,064 | ---- | M] (MCCI) [Kernel | On_Demand | Stopped] -- D:\WINDOWS\system32\drivers\mqdmmdm.sys -- (mqdmmdm)
DRV - [2006/07/13 13:02:40 | 00,009,232 | ---- | M] (MCCI) [Kernel | On_Demand | Stopped] -- D:\WINDOWS\system32\drivers\mqdmmdfl.sys -- (mqdmmdfl) Motorola USB Modem (Filter)
DRV - [2006/07/13 12:58:00 | 00,066,656 | ---- | M] (MCCI) [Kernel | On_Demand | Stopped] -- D:\WINDOWS\system32\drivers\mqdmbus.sys -- (mqdmbus) Motorola DM Composite Driver (WDM)
DRV - [2005/11/08 08:58:20 | 00,024,876 | ---- | M] (SonicWALL, Inc.) [Kernel | On_Demand | Stopped] -- D:\WINDOWS\system32\drivers\rcvpn.sys -- (rcvpn)
DRV - [2005/11/03 09:40:07 | 00,063,488 | ---- | M] (Protection Technology) [Kernel | Boot | Running] -- D:\WINDOWS\System32\drivers\sfvfs02.sys -- (sfvfs02) StarForce Protection VFS Driver (version 2.x)
DRV - [2005/08/10 07:44:04 | 00,050,688 | ---- | M] (Protection Technology) [Kernel | Boot | Running] -- D:\WINDOWS\System32\drivers\sfdrv01.sys -- (sfdrv01) StarForce Protection Environment Driver (version 1.x)
DRV - [2005/05/16 08:20:39 | 00,006,656 | ---- | M] (Protection Technology) [Kernel | Boot | Running] -- D:\WINDOWS\System32\drivers\sfhlp02.sys -- (sfhlp02) StarForce Protection Helper Driver (version 2.x)
DRV - [2005/04/07 16:23:50 | 00,299,083 | ---- | M] (Cisco Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\CVPNDRVA.sys -- (CVPNDRVA)
DRV - [2005/04/01 10:43:02 | 00,066,048 | ---- | M] (Windows ® 2000 DDK provider) [Kernel | Auto | Running] -- D:\WINDOWS\system32\drivers\EAPPkt.sys -- (EAPPkt)
DRV - [2005/03/21 11:00:24 | 00,004,096 | ---- | M] (SuperAdBlocker.com) [Kernel | On_Demand | Stopped] -- D:\WINDOWS\system32\sabprocenum.sys -- (SABProcEnum)
DRV - [2005/02/08 10:27:00 | 00,005,185 | ---- | M] (Cisco Systems, Inc.) [Kernel | On_Demand | Stopped] -- D:\WINDOWS\system32\drivers\CVirtA.sys -- (CVirtA)
DRV - [2005/01/26 04:22:20 | 00,280,344 | ---- | M] (Zone Labs LLC) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\vsdatant.sys -- (vsdatant)
DRV - [2004/08/04 01:10:12 | 00,015,360 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- D:\WINDOWS\system32\drivers\mpe.sys -- (MPE)
DRV - [2004/08/04 01:07:55 | 00,059,264 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- D:\WINDOWS\system32\drivers\usbaudio.sys -- (usbaudio) USB Audio Driver (WDM)
DRV - [2004/08/04 00:59:50 | 00,040,320 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- D:\WINDOWS\system32\drivers\nmnt.sys -- (nm)
DRV - [2004/08/04 00:31:32 | 00,020,992 | ---- | M] (Realtek Semiconductor Corporation) [Kernel | On_Demand | Stopped] -- D:\WINDOWS\system32\drivers\rtl8139.sys -- (rtl8139) Realtek RTL8139(A/B/C)
DRV - [2004/03/25 19:49:56 | 00,336,256 | ---- | M] (Envara Inc.) [Kernel | On_Demand | Stopped] -- D:\WINDOWS\system32\drivers\wind502u.sys -- (wind502u)
DRV - [2004/03/05 16:09:02 | 00,003,904 | ---- | M] () [Kernel | Auto | Running] -- D:\Program Files\CheckIt\Diagnostics\MAPMEM.SYS -- (MAPMEM)
DRV - [2004/03/05 16:09:00 | 00,003,744 | ---- | M] () [Kernel | Auto | Running] -- D:\Program Files\CheckIt\Diagnostics\BCMNTIO.SYS -- (BCMNTIO)
DRV - [2003/10/03 16:26:08 | 00,765,568 | ---- | M] (Sony Corporation) [Kernel | On_Demand | Running] -- D:\WINDOWS\system32\drivers\smrt.sys -- (smrt)
DRV - [2003/07/16 21:28:02 | 00,017,142 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\CBTNDIS5.sys -- (CBTNDIS5)
DRV - [2003/05/14 15:01:42 | 00,062,673 | R--- | M] (Funk Software, Inc.) [Kernel | On_Demand | Running] -- D:\WINDOWS\system32\drivers\odysseyIM3.sys -- (odysseyIM3)
DRV - [2003/04/02 13:58:12 | 00,543,360 | ---- | M] (Analog Devices, Inc.) [Kernel | On_Demand | Running] -- D:\WINDOWS\system32\drivers\smwdm.sys -- (smwdm)
DRV - [2003/03/13 21:14:28 | 00,112,288 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- D:\WINDOWS\system32\drivers\ialmsbw.sys -- ({6080A529-897E-4629-A488-ABA0C29B635E}) Intel® Graphics Platform (SoftBIOS)
DRV - [2003/03/13 21:14:16 | 00,078,496 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- D:\WINDOWS\system32\drivers\ialmkchw.sys -- ({D31A0762-0CEB-444e-ACFF-B049A1F6FE91}) Intel® Graphics Chipset (KCH)
DRV - [2003/03/13 21:13:04 | 00,090,395 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- D:\WINDOWS\system32\drivers\ialmnt5.sys -- (ialm)
DRV - [2003/03/11 08:21:38 | 00,121,344 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- D:\WINDOWS\system32\drivers\e1000325.sys -- (E1000) Intel®
DRV - [2003/03/04 14:56:26 | 00,145,408 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- D:\WINDOWS\system32\drivers\e100b325.sys -- (E100B) Intel®
DRV - [2003/02/25 17:26:44 | 00,024,344 | ---- | M] (Internet Security Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\RapNet.sys -- (RapNet)
DRV - [2003/02/25 17:26:28 | 00,036,644 | ---- | M] (Internet Security Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\RapFile.sys -- (RapFile)
DRV - [2003/02/14 14:59:00 | 01,169,792 | ---- | M] (Agere Systems) [Kernel | On_Demand | Stopped] -- D:\WINDOWS\system32\drivers\AGRSM.sys -- (AgereSoftModem)
DRV - [2003/02/06 14:46:48 | 00,018,304 | R--- | M] (SONICblue Inc.) [Kernel | On_Demand | Stopped] -- D:\WINDOWS\system32\drivers\RIOXDRV.sys -- (RIOXDRV)
DRV - [2002/12/18 10:03:24 | 00,036,184 | ---- | M] (Sony Corporation) [Kernel | On_Demand | Running] -- D:\WINDOWS\system32\drivers\SonyWBMS.sys -- (SONYWBMS) Sony Memory Stick controller(WB)
DRV - [2002/12/04 16:28:10 | 00,730,956 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Stopped] -- D:\WINDOWS\system32\drivers\ALCXWDM.SYS -- (ALCXWDM) Service for Realtek AC97 Audio (WDM)
DRV - [2002/08/29 07:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) [Kernel | On_Demand | Running] -- D:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink)
DRV - [2002/07/17 08:53:02 | 00,016,877 | ---- | M] (Adaptec) [Kernel | Auto | Running] -- D:\WINDOWS\system32\drivers\ASPI32.SYS -- (Aspi32)
DRV - [2002/05/13 19:43:06 | 00,015,399 | ---- | M] (Motorola Inc.) [Kernel | On_Demand | Stopped] -- D:\WINDOWS\system32\drivers\netmotcm.sys -- (ndiscm)
DRV - [2002/04/01 16:15:00 | 00,004,816 | ---- | M] (Andrea Electronics Corporation) [Kernel | On_Demand | Running] -- D:\WINDOWS\system32\drivers\aeaudio.sys -- (aeaudio)
DRV - [2002/02/28 06:12:52 | 00,076,160 | ---- | M] (ATMEL) [Kernel | On_Demand | Stopped] -- D:\WINDOWS\system32\drivers\ma101rndxp.sys -- (USBFVNETR)
DRV - [2001/08/17 13:56:16 | 00,007,552 | ---- | M] (Sony Corporation) [Kernel | On_Demand | Stopped] -- D:\WINDOWS\system32\drivers\SONYPVU1.SYS -- (SONYPVU1) Sony USB Filter Driver (SONYPVU1)
DRV - [2000/12/05 18:18:02 | 00,003,952 | R--- | M] (Sony Corporation) [Kernel | System | Running] -- D:\WINDOWS\system32\drivers\DMICall.sys -- (DMICall)
DRV - [1996/04/03 14:33:26 | 00,005,248 | ---- | M] () [Kernel | Boot | Running] -- D:\WINDOWS\system32\giveio.sys -- (giveio)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.sony.com/vaiopeople
IE - HKU\S-1-5-19\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.sony.com/vaiopeople
IE - HKU\S-1-5-20\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-1541965403-1578699039-901216024-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKU\S-1-5-21-1541965403-1578699039-901216024-1005\S-1-5-21-1541965403-1578699039-901216024-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.suggest.enabled: false
FF - prefs.js..browser.search.update: false
FF - prefs.js..browser.startup.homepage: "http://www.cnn.com/"
FF - prefs.js..extensions.enabledItems: {b9db16a4-6edc-47ec-a1f4-b86292ed211d}:4.6.5
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0


FF - HKLM\software\mozilla\Firefox\extensions\\jqs@sun.com: C:\Program Files\Java\jre6\lib\deploy\jqs\ff
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.7\extensions\\Components: D:\Program Files\components [2010/01/08 21:23:03 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.7\extensions\\Plugins: D:\Program Files\plugins [2010/01/08 21:23:03 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Netscape 7.02\Extensions\\Components: C:\Program Files\Netscape\Netscape\Components [2008/11/10 00:57:47 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Netscape 7.02\Extensions\\Plugins: C:\Program Files\Netscape\Netscape\Plugins [2010/01/11 23:04:39 | 00,000,000 | ---D | M]

[2008/09/04 21:42:09 | 00,000,000 | ---D | M] -- D:\Documents and Settings\Erin Ennis\Application Data\Mozilla\Extensions
[2010/01/09 11:05:47 | 00,000,000 | ---D | M] -- D:\Documents and Settings\Erin Ennis\Application Data\Mozilla\Firefox\Profiles\fqgfi91a.default\extensions
[2010/01/09 11:05:46 | 00,000,000 | ---D | M] (DownloadHelper) -- D:\Documents and Settings\Erin Ennis\Application Data\Mozilla\Firefox\Profiles\fqgfi91a.default\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}

O1 HOSTS File: ([2006/12/06 22:10:45 | 00,000,044 | R--- | M]) - D:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx ()
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll (McAfee, Inc.)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll File not found
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll File not found
O3 - HKLM\..\Toolbar: (DAP Bar) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - D:\Program Files\DAP\DAPIEBar.dll ()
O3 - HKU\S-1-5-21-1541965403-1578699039-901216024-1005\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O4 - HKLM..\Run: [BluetoothAuthenticationAgent] D:\WINDOWS\System32\bthprops.cpl (Microsoft Corporation)
O4 - HKLM..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe (HP)
O4 - HKLM..\Run: [LogMeIn GUI] D:\Program Files\LogMeIn\x86\LogMeInSystray.exe (LogMeIn, Inc.)
O4 - HKLM..\Run: [McAfee Backup] C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe (McAfee)
O4 - HKLM..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe File not found
O4 - HKLM..\Run: [UserFaultCheck] File not found
O4 - HKU\.DEFAULT..\Run: [Picasa Media Detector] D:\Program Files\Picasa2\PicasaMediaDetector.exe (Google Inc.)
O4 - HKU\S-1-5-18..\Run: [Picasa Media Detector] D:\Program Files\Picasa2\PicasaMediaDetector.exe (Google Inc.)
O4 - HKU\S-1-5-21-1541965403-1578699039-901216024-1005..\Run: [Google Update] D:\Documents and Settings\Erin Ennis\Local Settings\Application Data\Google\Update\GoogleUpdate.exe (Google Inc.)
O4 - HKU\S-1-5-21-1541965403-1578699039-901216024-1005..\Run: [PMCLoader] C:\Program Files\Pinnacle\TVCenter Pro\PMCLoader.exe (Pinnacle Systems GmbH)
O4 - HKU\S-1-5-21-1541965403-1578699039-901216024-1005..\Run: [PMCRemote] C:\Program Files\Pinnacle\Shared Files\\Programs\Remote\Remoterm.exe ()
O4 - HKU\S-1-5-21-1541965403-1578699039-901216024-1005..\Run: [SUPERAntiSpyware] D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (SUPERAntiSpyware.com)
O4 - HKU\.DEFAULT..\RunOnce: [RunNarrator] D:\WINDOWS\System32\narrator.exe (Microsoft Corporation)
O4 - HKU\S-1-5-18..\RunOnce: [RunNarrator] D:\WINDOWS\System32\narrator.exe (Microsoft Corporation)
O4 - Startup: D:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe (Adobe Systems Inc.)
O4 - Startup: D:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 153
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1541965403-1578699039-901216024-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {00000075-9980-0010-8000-00AA00389B71} http://codecs.microsoft.com/codecs/i386/voxacm.CAB (Reg Error: Key error.)
O16 - DPF: {019D5592-3928-4DE4-BAA2-1F2E5EEF4CF6} https://ahsworks.umsa.usf.edu/Touchworks/AH...ssionEngine.cab (Engine Class)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft.com/fwlink/?linkid=39204 (Windows Genuine Advantage Validation Tool)
O16 - DPF: {46965FE7-2129-407B-938C-BE358A56D11E} https://ahsworks.umsa.usf.edu/touchworks/Do.../aicviewer3.cab (AICViewer.Viewer)
O16 - DPF: {49727C2C-01F6-4F27-9D12-A877E77C82FF} https://ahsworks.umsa.usf.edu/AHSWeb/IDXWF/...ext/idxwfcc.cab (Participant Class)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://v5.windowsupdate.microsoft.com/v5co...b?1094349474328 (WUWebControl Class)
O16 - DPF: {7E8DC73D-69CD-4F67-99B1-8DC6E42F6246} https://ahsworks.umsa.usf.edu/touchworks/Co...Soft/ImgX61.cab (Atalasoft ImgXCtrl6.ImgXCtrl (CAB))
O16 - DPF: {860FFAFE-5AAA-11D2-81EB-006008A2E49D} https://ahsworks.umsa.usf.edu/touchworks/Re...sheets/pe32.cab (Pesgoa Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} http://v4.windowsupdate.microsoft.com/CAB/...7867.6319907407 (Reg Error: Key error.)
O16 - DPF: {A325C946-0C71-4098-AC94-46694E46CEB4} https://ahsworks.umsa.usf.edu/AHSWeb/IDXWF/...xt/IDXTools.cab (TerminalID Class)
O16 - DPF: {A4CC92F0-CAE7-11D4-910D-00B0D0134884} https://ahsworks.umsa.usf.edu/touchworks/Do.../RTFWrapper.cab (Wrapper Class)
O16 - DPF: {ACEFFC26-4628-11D1-B14A-105C01C13001} https://ahsworks.umsa.usf.edu/touchworks/Do...ured/wspell.cab (WSpell Spelling Checker Control)
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} http://www.superadblocker.com/activex/sabspx.cab (SABScanProcesses Class)
O16 - DPF: {B7B8B614-6A5C-4140-A303-43CEB589D6A5} https://ahsworks.umsa.usf.edu/touchworks/Do...tured/TWRTF.cab (TWRTFControl)
O16 - DPF: {B7EA9615-586E-4193-9C3C-A29CA577E040} https://ahsworks.umsa.usf.edu/touchworks/DictateBar.cab (DictateBandInstaller)
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab (Symantec RuFSI Registry Information Class)
O16 - DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} https://ahsworks.umsa.usf.edu/touchworks/Co...tivexviewer.cab (Crystal Report Viewer Control)
O16 - DPF: {CAFEEFAC-0014-0000-0003-ABCDEFFEDCBA} http://java.sun.com/products/plugin/autodl..._4_0_03-win.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {CE10AD66-84BC-46A9-9424-C863199C0408} https://ahsworks.umsa.usf.edu/touchworks/Do...aic_viewer2.cab (AIC_ViewerAS2.Viewer)
O16 - DPF: {D14CA9D7-7C03-4E39-B076-0F3E852E705B} https://ahsworks.umsa.usf.edu/AHSWeb/IDXWF/...ext/idxwfcb.cab (Clipboard Class)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwa...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?321 (QDiagHUpdateObj Class)
O16 - DPF: {EE7747CC-FFC7-4845-9178-DEF33578F752} https://ahsworks.umsa.usf.edu/ahsweb/IDXWF/...xt/IDXTools.cab (IDXTimeOut Class)
O16 - DPF: {EECF9899-FC3A-4841-986F-30B874921B36} https://ahsworks.umsa.usf.edu/AHSWeb/IDXWF/.../IDXBrowser.cab (BrowserObj Class)
O16 - DPF: DirectAnimation Java Classes file://C:\WINDOWS\Java\classes\dajava.cab (Reg Error: Key error.)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.87.71.230 68.87.73.246
O18 - Protocol\Handler\dvd {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\WINDOWS\system32\msvidctl.dll (Microsoft Corporation)
O18 - Protocol\Handler\gopher {79eac9e4-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll (Microsoft Corporation)
O18 - Protocol\Handler\tv {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - C:\WINDOWS\system32\msvidctl.dll (Microsoft Corporation)
O18 - Protocol\Handler\wia {13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE} - C:\WINDOWS\system32\wiascr.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/webviewhtml - No CLSID value found
O20 - HKLM Winlogon: Shell - (Explorer.exe) - D:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - D:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O20 - Winlogon\Notify\LMIinit: DllName - LMIinit.dll - D:\WINDOWS\System32\LMIinit.dll (LogMeIn, Inc.)
O20 - Winlogon\Notify\WgaLogon: DllName - Reg Error: Value error. - Reg Error: Value error. File not found
O21 - SSODL: SysTray - {35CEC8A3-2BE6-11D2-8773-92E220524153} - C:\WINDOWS\system32\stobject.dll (Microsoft Corporation)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll (Microsoft Corporation)
O24 - Desktop WallPaper: D:\Documents and Settings\Erin Ennis\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: D:\Documents and Settings\Erin Ennis\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - D:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/03/02 08:32:19 | 00,000,017 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2006/03/02 08:32:19 | 00,000,017 | ---- | M] () - D:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (lsdelete) - D:\WINDOWS\System32\lsdelete.exe ()
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/01/16 12:44:06 | 00,547,328 | ---- | C] (OldTimer Tools) -- D:\Documents and Settings\Erin Ennis\Desktop\OTL.exe
[2010/01/11 23:10:24 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware_2010
[2010/01/11 23:04:11 | 00,000,000 | ---D | C] -- C:\Program Files\Java_2010
[2010/01/11 22:51:16 | 00,000,000 | ---D | C] -- C:\Program Files\WinZip
[2010/01/11 21:48:23 | 00,014,848 | ---- | C] (Microsoft Corporation) -- D:\WINDOWS\System32\dllcache\kbdhid.sys
[2010/01/11 21:48:05 | 00,021,504 | ---- | C] (Microsoft Corporation) -- D:\WINDOWS\System32\dllcache\hidserv.dll
[2010/01/11 21:33:44 | 00,000,000 | ---D | C] -- D:\Documents and Settings\Erin Ennis\My Documents\Downloads
[2010/01/11 21:30:35 | 00,000,000 | ---D | C] -- D:\Documents and Settings\Erin Ennis\Local Settings\Application Data\Temp
[2010/01/09 23:08:04 | 00,000,000 | -HSD | C] -- D:\Documents and Settings\Erin Ennis\PrivacIE
[2010/01/09 21:58:30 | 00,000,000 | -HSD | C] -- D:\Documents and Settings\Erin Ennis\IETldCache
[2010/01/09 13:30:07 | 00,000,000 | -H-D | C] -- D:\WINDOWS\ie8
[2010/01/09 10:53:28 | 00,040,552 | ---- | C] (McAfee, Inc.) -- D:\WINDOWS\System32\drivers\mfesmfk.sys
[2010/01/09 10:53:27 | 00,035,272 | ---- | C] (McAfee, Inc.) -- D:\WINDOWS\System32\drivers\mfebopk.sys
[2010/01/09 10:53:26 | 00,079,816 | ---- | C] (McAfee, Inc.) -- D:\WINDOWS\System32\drivers\mfeavfk.sys
[2010/01/09 10:42:07 | 00,034,248 | ---- | C] (McAfee, Inc.) -- D:\WINDOWS\System32\drivers\mferkdk.sys
[2010/01/09 00:39:42 | 00,000,000 | ---D | C] -- D:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
[2010/01/09 00:39:12 | 00,000,000 | ---D | C] -- D:\Documents and Settings\Erin Ennis\Application Data\SUPERAntiSpyware.com
[2010/01/08 23:55:15 | 00,000,000 | ---D | C] -- D:\Documents and Settings\Erin Ennis\Application Data\Malwarebytes
[2010/01/08 23:55:05 | 00,038,224 | ---- | C] (Malwarebytes Corporation) -- D:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/01/08 23:55:03 | 00,000,000 | ---D | C] -- D:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/01/08 23:55:02 | 00,019,160 | ---- | C] (Malwarebytes Corporation) -- D:\WINDOWS\System32\drivers\mbam.sys
[2010/01/08 19:10:09 | 00,000,000 | ---D | C] -- D:\Documents and Settings\All Users\Application Data\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
[2009/12/25 10:23:38 | 00,000,000 | ---D | C] -- D:\Documents and Settings\Erin Ennis\Local Settings\Application Data\PCHealth
[2009/09/11 16:58:58 | 00,000,000 | ---D | M] -- D:\Documents and Settings\LocalService\Local Settings\Application Data\ICS
[2009/07/04 18:38:22 | 00,000,000 | ---D | M] -- D:\Documents and Settings\LocalService\Local Settings\Application Data\Google
[2008/10/26 13:27:50 | 00,000,000 | ---D | M] -- D:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2008/04/22 21:04:06 | 00,000,000 | --SD | M] -- D:\Documents and Settings\LocalService\Application Data\Microsoft
[2008/04/20 10:32:12 | 00,000,000 | ---D | M] -- D:\Documents and Settings\LocalService\Local Settings\Application Data\Sony Corporation
[2008/04/20 10:32:12 | 00,000,000 | ---D | M] -- D:\Documents and Settings\LocalService\Application Data\pdf995
[2008/04/20 10:32:06 | 00,000,000 | --SD | M] -- D:\Documents and Settings\NetworkService\Application Data\Microsoft
[2008/04/20 10:32:06 | 00,000,000 | ---D | M] -- D:\Documents and Settings\NetworkService\Local Settings\Application Data\Sony Corporation
[2008/04/20 10:32:06 | 00,000,000 | ---D | M] -- D:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[6 D:\Documents and Settings\Erin Ennis\My Documents\*.tmp files -> D:\Documents and Settings\Erin Ennis\My Documents\*.tmp -> ]
[3 D:\WINDOWS\*.tmp files -> D:\WINDOWS\*.tmp -> ]
[16 D:\WINDOWS\System32\*.tmp files -> D:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/01/16 12:44:07 | 00,547,328 | ---- | M] (OldTimer Tools) -- D:\Documents and Settings\Erin Ennis\Desktop\OTL.exe
[2010/01/16 12:40:57 | 00,000,349 | ---- | M] () -- D:\Documents and Settings\All Users\Documents\PCLECHAL.INI
[2010/01/16 12:38:20 | 00,005,731 | ---- | M] () -- D:\WINDOWS\System32\Config.MPF
[2010/01/16 12:37:16 | 00,000,006 | -H-- | M] () -- D:\WINDOWS\tasks\SA.DAT
[2010/01/16 12:37:10 | 00,002,048 | --S- | M] () -- D:\WINDOWS\bootstat.dat
[2010/01/16 12:37:04 | 13,415,75168 | -HS- | M] () -- D:\hiberfil.sys
[2010/01/16 12:36:12 | 00,000,012 | ---- | M] () -- D:\WINDOWS\bthservsdp.dat
[2010/01/16 12:36:09 | 00,000,278 | -HS- | M] () -- D:\Documents and Settings\Erin Ennis\ntuser.ini
[2010/01/16 12:36:08 | 07,340,032 | -H-- | M] () -- D:\Documents and Settings\Erin Ennis\NTUSER.DAT
[2010/01/16 12:20:09 | 00,001,158 | ---- | M] () -- D:\WINDOWS\System32\wpa.dbl
[2010/01/12 20:31:34 | 00,000,946 | ---- | M] () -- D:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1541965403-1578699039-901216024-1005Core.job
[2010/01/11 21:33:27 | 00,002,339 | ---- | M] () -- D:\Documents and Settings\Erin Ennis\Desktop\Google Chrome.lnk
[2010/01/09 23:07:13 | 00,001,734 | ---- | M] () -- D:\Documents and Settings\Erin Ennis\Desktop\HijackThis.lnk
[2010/01/09 22:18:38 | 00,000,942 | ---- | M] () -- D:\WINDOWS\win.ini
[2010/01/09 22:18:37 | 00,000,000 | ---- | M] () -- D:\WINDOWS\system.ini
[2010/01/09 21:52:32 | 00,001,984 | ---- | M] () -- D:\WINDOWS\System32\d3d9caps.dat
[2010/01/09 15:10:10 | 00,000,432 | -H-- | M] () -- D:\WINDOWS\tasks\User_Feed_Synchronization-{7B713B1C-A60E-464C-B429-5370C86EF95D}.job
[2010/01/09 14:50:02 | 00,000,583 | ---- | M] () -- D:\Documents and Settings\Erin Ennis\Desktop\Shortcut to Norman_Malware_Cleaner.exe.lnk
[2010/01/09 13:55:12 | 00,118,784 | ---- | M] () -- D:\Documents and Settings\Erin Ennis\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/01/09 13:35:55 | 00,001,355 | ---- | M] () -- D:\WINDOWS\imsins.BAK
[2010/01/09 13:17:52 | 00,000,488 | ---- | M] () -- D:\Documents and Settings\Erin Ennis\Desktop\Shortcut to HijackThis.exe.lnk
[2010/01/09 12:27:04 | 00,095,360 | ---- | M] (Microsoft Corporation) -- D:\WINDOWS\System32\dllcache\atapi.sys
[2010/01/09 10:59:44 | 00,000,584 | ---- | M] () -- D:\Documents and Settings\All Users\Desktop\McAfee Security Center.lnk
[2010/01/09 10:40:50 | 00,524,288 | ---- | M] () -- D:\dwlnd.scr
[2010/01/09 00:39:31 | 00,000,780 | ---- | M] () -- D:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Professional.lnk
[2010/01/08 23:55:09 | 00,000,696 | ---- | M] () -- D:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/01/08 23:10:06 | 00,000,116 | ---- | M] () -- D:\WINDOWS\NeroDigital.ini
[2010/01/07 16:07:14 | 00,038,224 | ---- | M] (Malwarebytes Corporation) -- D:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/01/07 16:07:04 | 00,019,160 | ---- | M] (Malwarebytes Corporation) -- D:\WINDOWS\System32\drivers\mbam.sys
[2010/01/02 16:19:25 | 00,041,984 | ---- | M] () -- D:\Documents and Settings\Erin Ennis\My Documents\Homebrew Alcohol table.xls
[2009/12/31 13:44:38 | 00,000,026 | ---- | M] () -- D:\WINDOWS\Debug.ini
[2009/12/31 13:44:37 | 00,000,016 | ---- | M] () -- D:\WINDOWS\Temp.ini
[2009/12/31 13:44:22 | 00,000,405 | ---- | M] () -- D:\WINDOWS\umaxuapi.ini
[2009/12/30 12:11:30 | 00,521,766 | ---- | M] () -- D:\WINDOWS\System32\PerfStringBackup.INI
[2009/12/30 12:11:30 | 00,441,124 | ---- | M] () -- D:\WINDOWS\System32\perfh009.dat
[2009/12/30 12:11:30 | 00,071,060 | ---- | M] () -- D:\WINDOWS\System32\perfc009.dat
[2009/12/25 10:12:22 | 00,242,192 | ---- | M] () -- D:\WINDOWS\System32\FNTCACHE.DAT
[2009/12/25 03:31:25 | 00,030,208 | ---- | M] () -- D:\Documents and Settings\Erin Ennis\My Documents\Dopplebock 10 gal Extract.doc
[2009/12/24 23:59:51 | 03,461,103 | ---- | M] () -- D:\Documents and Settings\Erin Ennis\My Documents\Chat Cypres Lodi Cab 2009 American Oak SMALL.psd
[2009/12/24 23:59:45 | 12,218,224 | ---- | M] () -- D:\Documents and Settings\Erin Ennis\My Documents\Chat Cypres Lodi Cab 2009 French Oak.psd
[2009/12/24 23:59:40 | 38,593,518 | ---- | M] () -- D:\Documents and Settings\Erin Ennis\My Documents\Wine Labels on 8164.psd
[2009/12/23 11:37:39 | 07,549,952 | ---- | M] () -- D:\Documents and Settings\Erin Ennis\My Documents\Label10.doc
[2009/12/22 21:19:16 | 34,571,592 | ---- | M] () -- D:\Documents and Settings\Erin Ennis\My Documents\Intolerance #3 Labels.psd
[2009/12/22 21:01:46 | 09,800,793 | ---- | M] () -- D:\Documents and Settings\Erin Ennis\My Documents\Intolerance Barleywine.psd
[2009/12/22 18:59:30 | 07,750,656 | ---- | M] () -- D:\Documents and Settings\Erin Ennis\My Documents\Wine Label.doc
[6 D:\Documents and Settings\Erin Ennis\My Documents\*.tmp files -> D:\Documents and Settings\Erin Ennis\My Documents\*.tmp -> ]
[3 D:\WINDOWS\*.tmp files -> D:\WINDOWS\*.tmp -> ]
[16 D:\WINDOWS\System32\*.tmp files -> D:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/01/11 21:33:27 | 00,002,339 | ---- | C] () -- D:\Documents and Settings\Erin Ennis\Desktop\Google Chrome.lnk
[2010/01/11 21:30:34 | 00,000,946 | ---- | C] () -- D:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1541965403-1578699039-901216024-1005Core.job
[2010/01/11 20:25:03 | 13,415,75168 | -HS- | C] () -- D:\hiberfil.sys
[2010/01/09 23:07:13 | 00,001,734 | ---- | C] () -- D:\Documents and Settings\Erin Ennis\Desktop\HijackThis.lnk
[2010/01/09 14:50:02 | 00,000,583 | ---- | C] () -- D:\Documents and Settings\Erin Ennis\Desktop\Shortcut to Norman_Malware_Cleaner.exe.lnk
[2010/01/09 13:17:52 | 00,000,488 | ---- | C] () -- D:\Documents and Settings\Erin Ennis\Desktop\Shortcut to HijackThis.exe.lnk
[2010/01/09 11:06:21 | 00,005,731 | ---- | C] () -- D:\WINDOWS\System32\Config.MPF
[2010/01/09 10:59:44 | 00,000,584 | ---- | C] () -- D:\Documents and Settings\All Users\Desktop\McAfee Security Center.lnk
[2010/01/09 10:40:48 | 00,524,288 | ---- | C] () -- D:\dwlnd.scr
[2010/01/09 00:39:31 | 00,000,780 | ---- | C] () -- D:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Professional.lnk
[2010/01/08 23:55:09 | 00,000,696 | ---- | C] () -- D:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/01/08 23:09:42 | 00,001,984 | ---- | C] () -- D:\WINDOWS\System32\d3d9caps.dat
[2009/12/24 01:53:38 | 38,593,518 | ---- | C] () -- D:\Documents and Settings\Erin Ennis\My Documents\Wine Labels on 8164.psd
[2009/12/23 11:20:10 | 07,549,952 | ---- | C] () -- D:\Documents and Settings\Erin Ennis\My Documents\Label10.doc
[2009/12/22 21:19:15 | 34,571,592 | ---- | C] () -- D:\Documents and Settings\Erin Ennis\My Documents\Intolerance #3 Labels.psd
[2009/12/22 18:59:23 | 07,750,656 | ---- | C] () -- D:\Documents and Settings\Erin Ennis\My Documents\Wine Label.doc
[2009/12/22 18:46:39 | 03,461,103 | ---- | C] () -- D:\Documents and Settings\Erin Ennis\My Documents\Chat Cypres Lodi Cab 2009 American Oak SMALL.psd
[2009/12/20 14:05:40 | 00,030,208 | ---- | C] () -- D:\Documents and Settings\Erin Ennis\My Documents\Dopplebock 10 gal Extract.doc
[2009/12/20 13:05:53 | 00,000,744 | ---- | C] () -- D:\Documents and Settings\Erin Ennis\Desktop\Shortcut to googletalk.exe.lnk
[2009/03/28 19:58:36 | 00,201,488 | ---- | C] () -- D:\WINDOWS\System32\MACD32.DLL
[2009/03/28 19:58:36 | 00,141,584 | ---- | C] () -- D:\WINDOWS\System32\MAMC32.DLL
[2009/03/28 19:58:36 | 00,063,248 | ---- | C] () -- D:\WINDOWS\System32\MASD32.DLL
[2008/12/15 13:57:30 | 00,051,304 | ---- | C] () -- D:\WINDOWS\System32\drivers\atnt40k.sys
[2008/08/23 12:14:58 | 00,210,944 | ---- | C] () -- D:\WINDOWS\System32\Msvcrt10.dll
[2008/08/23 12:14:57 | 00,065,536 | ---- | C] () -- D:\WINDOWS\System32\adistres.dll
[2008/08/20 16:50:31 | 00,000,076 | ---- | C] () -- D:\WINDOWS\Setup Wizard.INI
[2008/04/19 16:19:34 | 00,024,576 | ---- | C] () -- D:\WINDOWS\System32\drivers\udnt.sys
[2008/04/19 16:19:34 | 00,000,010 | ---- | C] () -- D:\WINDOWS\System32\drivers\tmbi.sys
[2008/04/19 16:19:28 | 00,050,784 | ---- | C] () -- D:\WINDOWS\System32\drivers\atntwink.sys
[2008/04/19 16:18:46 | 00,524,288 | ---- | C] () -- D:\WINDOWS\System32\xvidcore.dll
[2008/04/19 16:18:46 | 00,139,264 | ---- | C] () -- D:\WINDOWS\System32\xvidvfw.dll
[2008/04/19 16:18:46 | 00,000,766 | ---- | C] () -- D:\WINDOWS\System32\zxmsn.dll
[2008/04/19 16:18:45 | 00,000,766 | ---- | C] () -- D:\WINDOWS\System32\xcwer32.dll
[2008/04/19 16:18:38 | 00,049,152 | R--- | C] () -- D:\WINDOWS\System32\winchip.dll
[2008/04/19 16:18:38 | 00,000,766 | ---- | C] () -- D:\WINDOWS\System32\wecxg32.dll
[2008/04/19 16:18:36 | 00,425,984 | ---- | C] () -- D:\WINDOWS\System32\vxdmdcdlg.dll
[2008/04/19 16:18:36 | 00,163,840 | ---- | C] () -- D:\WINDOWS\System32\vpnapi.dll
[2008/04/19 16:18:36 | 00,010,240 | ---- | C] () -- D:\WINDOWS\System32\vidx16.dll
[2008/04/19 16:18:35 | 00,040,960 | ---- | C] () -- D:\WINDOWS\System32\usq3400.dll
[2008/04/19 16:18:33 | 00,022,056 | ---- | C] () -- D:\WINDOWS\System32\tntlvr.dll
[2008/04/19 16:18:31 | 00,344,064 | ---- | C] () -- D:\WINDOWS\System32\STDGPCtr.dll
[2008/04/19 16:18:31 | 00,299,008 | ---- | C] () -- D:\WINDOWS\System32\STDWhCtr.dll
[2008/04/19 16:18:31 | 00,000,242 | ---- | C] () -- D:\WINDOWS\System32\sub.dll
[2008/04/19 16:18:30 | 00,028,672 | ---- | C] () -- D:\WINDOWS\System32\SQUSBIO.dll
[2008/04/19 16:18:29 | 00,032,768 | ---- | C] () -- D:\WINDOWS\System32\sqEp2Usb.dll
[2008/04/19 16:18:28 | 00,000,004 | ---- | C] () -- D:\WINDOWS\System32\shimgvwr.dll
[2008/04/19 16:18:27 | 00,026,624 | ---- | C] () -- D:\WINDOWS\System32\Setfcnam.dll
[2008/04/19 16:18:25 | 00,000,766 | ---- | C] () -- D:\WINDOWS\System32\sdfup.dll
[2008/04/19 16:18:22 | 00,008,784 | ---- | C] () -- D:\WINDOWS\System32\ractrlkeyhook.dll
[2008/04/19 16:18:21 | 00,363,520 | ---- | C] () -- D:\WINDOWS\System32\psisdecd.dll
[2008/04/19 16:18:21 | 00,000,000 | ---- | C] () -- D:\WINDOWS\System32\px.ini
[2008/04/19 16:18:18 | 00,051,716 | ---- | C] () -- D:\WINDOWS\System32\pdf995mon.dll
[2008/04/19 16:18:17 | 00,000,682 | ---- | C] () -- D:\WINDOWS\System32\oeminfo.ini
[2008/04/19 16:18:15 | 00,000,002 | ---- | C] () -- D:\WINDOWS\System32\nthst32.dll
[2008/04/19 16:18:12 | 00,000,034 | ---- | C] () -- D:\WINDOWS\System32\mtjpgb.dll
[2008/04/19 16:18:11 | 00,141,824 | ---- | C] () -- D:\WINDOWS\System32\msvdm.dll
[2008/04/19 16:18:10 | 00,065,536 | ---- | C] () -- D:\WINDOWS\System32\MSRTEDIT.DLL
[2008/04/19 16:18:02 | 00,000,174 | ---- | C] () -- D:\WINDOWS\System32\mcini.ini
[2008/04/19 16:18:01 | 00,100,512 | ---- | C] () -- D:\WINDOWS\System32\m1ati16.dll
[2008/04/19 16:18:00 | 00,208,896 | ---- | C] () -- D:\WINDOWS\System32\lockout.dll
[2008/04/19 16:18:00 | 00,045,056 | ---- | C] () -- D:\WINDOWS\System32\lockres.dll
[2008/04/19 16:17:59 | 00,000,000 | ---- | C] () -- D:\WINDOWS\System32\krnldbg.dll
[2008/04/19 16:17:57 | 00,040,960 | ---- | C] () -- D:\WINDOWS\System32\IsUser11b.dll
[2008/04/19 16:17:54 | 00,009,136 | ---- | C] () -- D:\WINDOWS\System32\INETWH16.DLL
[2008/04/19 16:17:50 | 00,000,766 | ---- | C] () -- D:\WINDOWS\System32\icvbr.dll
[2008/04/19 16:17:50 | 00,000,766 | ---- | C] () -- D:\WINDOWS\System32\icqrt.dll
[2008/04/19 16:17:50 | 00,000,766 | ---- | C] () -- D:\WINDOWS\System32\icnfe.dll
[2008/04/19 16:17:49 | 01,572,864 | ---- | C] () -- D:\WINDOWS\System32\IAIFGPCt.dll
[2008/04/19 16:17:48 | 00,006,932 | ---- | C] () -- D:\WINDOWS\System32\glscan.sys
[2008/04/19 16:17:48 | 00,000,766 | ---- | C] () -- D:\WINDOWS\System32\gupd.dll
[2008/04/19 16:17:45 | 00,126,976 | ---- | C] () -- D:\WINDOWS\System32\e1000msg.dll
[2008/04/19 16:17:45 | 00,012,288 | ---- | C] () -- D:\WINDOWS\System32\e100bmsg.dll
[2008/04/19 16:17:39 | 00,176,152 | ---- | C] () -- D:\WINDOWS\System32\CSGina.dll
[2008/04/19 16:17:38 | 00,019,968 | ---- | C] () -- D:\WINDOWS\System32\Cpuinf32.dll
[2008/04/19 16:17:37 | 00,098,304 | ---- | C] () -- D:\WINDOWS\System32\CodecManager.dll
[2008/04/19 16:17:36 | 00,532,480 | ---- | C] () -- D:\WINDOWS\System32\CddbPlaylist2Sony.dll
[2008/04/19 16:17:36 | 00,034,304 | ---- | C] () -- D:\WINDOWS\System32\Cinemres.dll
[2008/04/19 16:17:36 | 00,029,696 | ---- | C] () -- D:\WINDOWS\System32\Cinmhook.dll
[2008/04/19 16:17:36 | 00,015,427 | ---- | C] () -- D:\WINDOWS\System32\Cinemsup.sys
[2008/04/19 16:17:36 | 00,004,704 | ---- | C] () -- D:\WINDOWS\System32\Cinemast.dll
[2008/04/19 16:17:36 | 00,000,766 | ---- | C] () -- D:\WINDOWS\System32\cidpoq32.dll
[2008/04/19 16:17:36 | 00,000,766 | ---- | C] () -- D:\WINDOWS\System32\cidft.dll
[2008/04/19 16:17:35 | 00,162,816 | ---- | C] () -- D:\WINDOWS\System32\ccmpeg.dll
[2008/04/19 16:17:35 | 00,036,864 | ---- | C] () -- D:\WINDOWS\System32\cbldrm.dll
[2008/04/19 16:17:30 | 00,262,416 | ---- | C] () -- D:\WINDOWS\System32\ASFV2.DLL
[2008/04/19 16:17:29 | 00,041,068 | ---- | C] () -- D:\WINDOWS\System32\ActPanel.dll
[2008/04/19 16:17:23 | 00,000,142 | ---- | C] () -- D:\WINDOWS\wpd99.drv
[2008/04/19 16:17:23 | 00,000,016 | ---- | C] () -- D:\WINDOWS\wininit.ini
[2008/04/19 16:17:23 | 00,000,000 | ---- | C] () -- D:\WINDOWS\wsem218.dll
[2008/04/19 16:17:22 | 00,135,200 | ---- | C] () -- D:\WINDOWS\u2x00_32.dll
[2008/04/19 16:17:22 | 00,106,528 | ---- | C] () -- D:\WINDOWS\u1230_32.dll
[2008/04/19 16:17:22 | 00,068,608 | ---- | C] () -- D:\WINDOWS\vufile32.dll
[2008/04/19 16:17:22 | 00,065,536 | ---- | C] () -- D:\WINDOWS\u2200_32.dll
[2008/04/19 16:17:22 | 00,030,208 | ---- | C] () -- D:\WINDOWS\uxmail32.dll
[2008/04/19 16:17:22 | 00,027,648 | ---- | C] () -- D:\WINDOWS\vudcli32.dll
[2008/04/19 16:17:22 | 00,018,366 | ---- | C] () -- D:\WINDOWS\uns3400.ini
[2008/04/19 16:17:22 | 00,016,474 | ---- | C] () -- D:\WINDOWS\uns5400.ini
[2008/04/19 16:17:22 | 00,002,321 | ---- | C] () -- D:\WINDOWS\vista32d.ini
[2008/04/19 16:17:22 | 00,001,335 | ---- | C] () -- D:\WINDOWS\vista32.ini
[2008/04/19 16:17:22 | 00,000,405 | ---- | C] () -- D:\WINDOWS\umaxuapi.ini
[2008/04/19 16:17:22 | 00,000,065 | ---- | C] () -- D:\WINDOWS\umaxdrv.ini
[2008/04/19 16:17:22 | 00,000,029 | ---- | C] () -- D:\WINDOWS\UNWISE.INI
[2008/04/19 16:17:22 | 00,000,000 | ---- | C] () -- D:\WINDOWS\U12A_20e.INI
[2008/04/19 16:17:21 | 00,000,098 | ---- | C] () -- D:\WINDOWS\ST2004.INI
[2008/04/19 16:17:21 | 00,000,061 | ---- | C] () -- D:\WINDOWS\smscfg.ini
[2008/04/19 16:17:21 | 00,000,016 | ---- | C] () -- D:\WINDOWS\Temp.ini
[2008/04/19 16:17:20 | 00,010,438 | ---- | C] () -- D:\WINDOWS\scan05a.ini
[2008/04/19 16:17:20 | 00,000,608 | ---- | C] () -- D:\WINDOWS\QUICKEN.INI
[2008/04/19 16:17:17 | 00,000,805 | ---- | C] () -- D:\WINDOWS\orun32.ini
[2008/04/19 16:17:17 | 00,000,376 | ---- | C] () -- D:\WINDOWS\ODBC.INI
[2008/04/19 16:17:17 | 00,000,265 | ---- | C] () -- D:\WINDOWS\pixcache.ini
[2008/04/19 16:17:17 | 00,000,028 | ---- | C] () -- D:\WINDOWS\pdf995.ini
[2008/04/19 16:17:16 | 00,000,116 | ---- | C] () -- D:\WINDOWS\NeroDigital.ini
[2008/04/19 16:17:15 | 00,000,189 | ---- | C] () -- D:\WINDOWS\KPCMS.INI
[2008/04/19 16:17:15 | 00,000,063 | ---- | C] () -- D:\WINDOWS\mdm.ini
[2008/04/19 16:17:08 | 00,000,052 | ---- | C] () -- D:\WINDOWS\intuprof.ini
[2008/04/19 16:17:08 | 00,000,000 | ---- | C] () -- D:\WINDOWS\JoyAct.INI
[2008/04/19 16:17:07 | 00,000,095 | ---- | C] () -- D:\WINDOWS\AtxTaxcutPref03.ini
[2008/04/19 16:17:07 | 00,000,027 | ---- | C] () -- D:\WINDOWS\blackice.INI
[2008/04/19 16:17:07 | 00,000,027 | ---- | C] () -- D:\WINDOWS\AtxTaxcutControl03.ini
[2008/04/19 16:17:07 | 00,000,026 | ---- | C] () -- D:\WINDOWS\Debug.ini
[2008/04/15 19:53:35 | 00,001,359 | ---- | C] () -- D:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2008/04/15 19:53:06 | 00,000,098 | ---- | C] () -- D:\Documents and Settings\Erin Ennis\Application Data\AVSDVDPlayer.m3u
[2008/04/15 19:51:32 | 00,118,784 | ---- | C] () -- D:\Documents and Settings\Erin Ennis\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/04/15 19:51:32 | 00,000,133 | ---- | C] () -- D:\Documents and Settings\Erin Ennis\Local Settings\Application Data\fusioncache.dat
[2008/04/15 19:48:27 | 00,123,800 | ---- | C] () -- D:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2007/11/06 15:19:28 | 00,053,299 | ---- | C] () -- D:\WINDOWS\System32\pthreadVC.dll
[2007/08/23 11:55:34 | 03,596,288 | ---- | C] () -- D:\WINDOWS\System32\qt-dx331.dll
[2007/08/23 11:50:04 | 00,000,416 | ---- | C] () -- D:\WINDOWS\System32\dtu100.dll.manifest
[2007/01/26 01:04:12 | 00,138,752 | ---- | C] () -- D:\WINDOWS\System32\mase32.dll
[2007/01/26 01:04:12 | 00,027,648 | ---- | C] () -- D:\WINDOWS\System32\ma32.dll
[1996/04/03 14:33:26 | 00,005,248 | ---- | C] () -- D:\WINDOWS\System32\giveio.sys

========== Alternate Data Streams ==========

@Alternate Data Stream - 88 bytes -> D:\boot.ini:SummaryInformation
@Alternate Data Stream - 114 bytes -> D:\Documents and Settings\All Users\Application Data\TEMP:94E74D1A
< End of report >


Extras.txt

OTL Extras logfile created on: 1/16/2010 12:45:06 PM - Run 1
OTL by OldTimer - Version 3.1.25.2 Folder = D:\Documents and Settings\Erin Ennis\Desktop
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.00 Gb Total Physical Memory | 0.00 Gb Available Physical Memory | 29.00% Memory free
3.00 Gb Paging File | 2.00 Gb Available in Paging File | 75.00% Paging File free
Paging file location(s): [Binary data over 100 bytes]

%SystemDrive% = D: | %SystemRoot% = D:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.24 Gb Total Space | 13.29 Gb Free Space | 35.69% Space Free | Partition Type: NTFS
Drive D: | 219.72 Gb Total Space | 10.58 Gb Free Space | 4.81% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive S: | 13.16 Gb Total Space | 4.69 Gb Free Space | 35.63% Space Free | Partition Type: NTFS

Computer Name: TOURAEG
Current User Name: Erin Ennis
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.chm [@ = chm.file] -- C:\WINDOWS\hh.exe (Microsoft Corporation)
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)
.inf [@ = inffile] -- C:\Documents and Settings\Erin Ennis\Desktop\notepad.exe (Microsoft Corporation)
.ini [@ = inifile] -- C:\Documents and Settings\Erin Ennis\Desktop\notepad.exe (Microsoft Corporation)
.txt [@ = txtfile] -- "%WinDir%\NOTEPAD.EXE" %1

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [edit] -- C:\Documents and Settings\Erin Ennis\Desktop\notepad.exe %1 (Microsoft Corporation)
batfile [open] -- "%1" %*
batfile [print] -- C:\Documents and Settings\Erin Ennis\Desktop\notepad.exe /p %1 (Microsoft Corporation)
chm.file [open] -- "C:\WINDOWS\hh.exe" %1 (Microsoft Corporation)
cmdfile [edit] -- C:\Documents and Settings\Erin Ennis\Desktop\notepad.exe %1 (Microsoft Corporation)
cmdfile [open] -- "%1" %*
cmdfile [print] -- C:\Documents and Settings\Erin Ennis\Desktop\notepad.exe /p %1 (Microsoft Corporation)
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
https [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
inffile [open] -- C:\Documents and Settings\Erin Ennis\Desktop\notepad.exe %1 (Microsoft Corporation)
inffile [print] -- C:\Documents and Settings\Erin Ennis\Desktop\notepad.exe /p %1 (Microsoft Corporation)
inifile [open] -- C:\Documents and Settings\Erin Ennis\Desktop\notepad.exe %1 (Microsoft Corporation)
inifile [print] -- C:\Documents and Settings\Erin Ennis\Desktop\notepad.exe /p %1 (Microsoft Corporation)
jsfile [edit] -- C:\Documents and Settings\Erin Ennis\Desktop\notepad.exe %1 (Microsoft Corporation)
jsfile [print] -- C:\Documents and Settings\Erin Ennis\Desktop\notepad.exe /p %1 (Microsoft Corporation)
jsefile [edit] -- C:\Documents and Settings\Erin Ennis\Desktop\notepad.exe %1 (Microsoft Corporation)
jsefile [print] -- C:\Documents and Settings\Erin Ennis\Desktop\notepad.exe /p %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [edit] -- C:\Documents and Settings\Erin Ennis\Desktop\notepad.exe %1 (Microsoft Corporation)
regfile [merge] -- Reg Error: Key error.
regfile [print] -- C:\Documents and Settings\Erin Ennis\Desktop\notepad.exe /p %1 (Microsoft Corporation)
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
txtfile [open] -- "%WinDir%\NOTEPAD.EXE" %1
txtfile [print] -- C:\Documents and Settings\Erin Ennis\Desktop\notepad.exe /p %1 (Microsoft Corporation)
txtfile [printto] -- C:\Documents and Settings\Erin Ennis\Desktop\notepad.exe /pt "%1" "%2" "%3" "%4" (Microsoft Corporation)
vbefile [edit] -- C:\Documents and Settings\Erin Ennis\Desktop\notepad.exe %1 (Microsoft Corporation)
vbefile [print] -- C:\Documents and Settings\Erin Ennis\Desktop\notepad.exe /p %1 (Microsoft Corporation)
vbsfile [edit] -- C:\Documents and Settings\Erin Ennis\Desktop\notepad.exe %1 (Microsoft Corporation)
vbsfile [print] -- C:\Documents and Settings\Erin Ennis\Desktop\notepad.exe /p %1 (Microsoft Corporation)
wsffile [edit] -- C:\Documents and Settings\Erin Ennis\Desktop\notepad.exe %1 (Microsoft Corporation)
wsffile [print] -- C:\Documents and Settings\Erin Ennis\Desktop\notepad.exe /p %1 (Microsoft Corporation)
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"AntiVirusDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008
"3389:TCP" = 3389:TCP:*:Enabled:@xpsp2res.dll,-22009
"8231:TCP" = 8231:TCP:*:Enabled:BitComet 8231 TCP
"8231:UDP" = 8231:UDP:*:Enabled:BitComet 8231 UDP

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\SmartFTP\SmartFTP.exe" = C:\Program Files\SmartFTP\SmartFTP.exe:*:Enabled:SmartFTP -- (SmartFTP)
"C:\Program Files\Google\Google Talk\googletalk.exe" = C:\Program Files\Google\Google Talk\googletalk.exe:*:Enabled:Google Talk -- (Google)
"D:\Program Files\Sony\Station\LaunchPad\_aunchPad.exe" = D:\Program Files\Sony\Station\LaunchPad\_aunchPad.exe:*:Disabled:_aunchPad -- ()
"C:\Program Files\Nortel Networks\Extranet.exe" = C:\Program Files\Nortel Networks\Extranet.exe:*:Disabled:Contivity VPN Client -- File not found
"D:\Program Files\KaZaA Lite\Kazaa.exe" = D:\Program Files\KaZaA Lite\Kazaa.exe:*:Disabled:KaZaA Lite -- File not found
"D:\Program Files\Sony\Station\LaunchPad\LaunchPad.exe" = D:\Program Files\Sony\Station\LaunchPad\LaunchPad.exe:*:Disabled:LaunchPad -- ()
"C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe" = C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe:*:enabled:SV_Httpd -- (Sony Corporation)
"C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe" = C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe:*:enabled:UPnPFramework -- (Sony Corporation)
"C:\Program Files\SmartFTP Client 2.0\SmartFTP.exe" = C:\Program Files\SmartFTP Client 2.0\SmartFTP.exe:*:Enabled:SmartFTP Client 2.0 -- (SmartSoft Ltd.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00000409-78E1-11D2-B60F-006097C998E7}" = Microsoft Office 2000 Premium
"{008739FA-4232-45BE-A58B-00B1C6998BFD}" = Costco Photo Organizer
"{01F9D88C-3C86-4E82-840A-101A3221F67A}" = Microsoft Money 2003
"{02B42D23-10F2-4862-ADA4-3DF1EA0021B2}" = Microsoft Money 2003 System Pack
"{0674B216-AB46-42EB-BEA9-60702316154E}" = GFI LANguard Network Security Scanner
"{086704FD-FC5E-4CD2-8A16-8BE684D8CAB8}" = Click to DVD 1.4.05
"{09DA4F91-2A09-4232-AB8C-6BC740096DE3}" = VERITAS RecordNow Update Manager
"{0BEDBD4E-2D34-47B5-9973-57E62B29307C}" = ATI Control Panel
"{0D490016-5D01-4CB3-A037-55814AC63D2E}" = Giga Pocket Hardware Library 5.5
"{11C762F9-95EA-486A-A8E7-683A50C231C1}" = SmartFTP
"{13F3917B56CD4C25848BDC69916971BB}" = DivX Converter
"{15095BF3-A3D7-4DDF-B193-3A496881E003}" = Microsoft .NET Framework 3.0
"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate
"{1CB92574-96F2-467B-B793-5CEB35C40C29}" = Image Resizer Powertoy for Windows XP
"{1DBB465A-5DFC-4E3A-9A8A-15612D2386F0}" = Turbo Tax Offer
"{1EB317D8-8945-4FD6-B37F-DF470317C6AB}" = VAIO Media 2.5
"{226b64e8-dc75-4eea-a6c8-abcb496320f2}-Google Talk" = Google Talk (remove only)
"{26A24AE4-039D-4CA4-87B4-2F83216011FF}" = Java™ 6 Update 15
"{27337663-2619-11D4-99DC-0000F49094C7}" = Memory Stick Formatter
"{28336AFC-722C-4E17-B286-2A7C906183C0}" = ImageStation Tour
"{2C0A655C-61E7-428A-8ED2-23A3D20E7DD2}" = Data Lifeguard
"{2D448D0B-20D5-4CD6-84F7-DB9868CB5F6C}" = Cisco Systems VPN Client 4.6.03.0021
"{30642CE1-217B-40C0-92E2-6BF849599D9E}" = Network Smart Capture
"{3101857A-2D36-4DD5-A092-27478119601A}" = Rio Internet Update
"{314C19E0-7FA5-11D5-A6B4-0050BA724CB6}" = Vstascan
"{315BA29D-2644-4760-B5FD-5AC04A52B8C5}" = VAIO Registration
"{3248F0A8-6813-11D6-A77B-00B0D0150060}" = J2SE Runtime Environment 5.0 Update 6
"{3248F0A8-6813-11D6-A77B-00B0D0150090}" = J2SE Runtime Environment 5.0 Update 9
"{3248F0A8-6813-11D6-A77B-00B0D0150100}" = J2SE Runtime Environment 5.0 Update 10
"{339E14FF-8FDC-4809-AAF2-87BA22905C7F}" = DirectX for Managed Code Update (December 2004)
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{359DF8A4-5248-4DE0-8966-D92ADEBE71B2}" = Wootalyzer
"{36FE914F-1B2B-4D83-B3E1-032A508E9EC4}" = Experience VAIO
"{374E48BA-CBC1-4134-86B9-7A97B0E76B2E}" = Home Office Page for Experience VAIO
"{3B24B725-D81F-442D-8CE5-2AF05A4A4CC9}" = Music Visualizer Library 1.4.00
"{3DE5E7D4-7B88-403C-A3FD-2017A8240C5B}" = Google Earth
"{3F6D8E57-4386-40CB-AEA1-12CA1E422BA9}" = Giga Pocket Demo Movie
"{3FC7CBBC4C1E11DCA1A752EA55D89593}" = DivX Version Checker
"{4570E5E0-62A2-48BD-87F3-EB7232EC4558}" = VAIO Remote Commander Utility 5.5
"{491DD792-AD81-429C-9EB4-86DD3D22E333}" = Windows Communication Foundation
"{4EDB1CA5-983F-4FC3-A8E3-E34981E05A60}" = Pinnacle VideoSpin
"{53648F92-1CC5-22D2-A6DF-00A0C9A23BCD}" = SonicWALL Global VPN Client 4.0.0.830
"{5441CBC1-081B-45F1-A5EF-71C3EADF5E9D}" = Motorola Driver Installation
"{57BFC2F4-2A2E-4DC3-A0C0-E53A147631E2}" = Motorola Wireless USB Adapter
"{59324A56-6450-47D1-87DE-E8CEB8EE74D0}" = Firmware upgrade utility 2.0C For Sony DW-U12A DVD-RW Drive
"{59C61B54-2123-4B0E-8D5F-5DD1C7AE5421}" = Giga Pocket 5.5
"{5EE7D259-D137-4438-9A5F-42F432EC0421}" = VC80CRTRedist - 8.0.50727.4053
"{63C6BABD-0BF7-488B-9AB5-B989E23CC581}" = VAIO Media Video Server 2.5
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD
"{685BCC47-B8EC-45EC-BBCE-77DF2451502C}" = DVgate Plus
"{6990A2BF-D1D2-11D3-81BC-00609789C908}" = Sony Video Shared Library
"{7128C69B-8F7E-4336-8698-3FD3CDD955EC}" = VAIO Media Redistribution 2.5
"{716E0306-8318-4364-8B8F-0CC4E9376BAC}" = MSXML 4.0 SP2 Parser and SDK
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{785598B3-495D-4239-B5B8-CE37F6EA3CBD}" = Rio Music Manager
"{789289CA-F73A-4A16-A331-54D498CE069F}" = Ventrilo
"{7B37D327-29D4-450C-A60A-946DB54E9DA9}" = Giga Pocket 5.5
"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX Codec
"{7C2F71B2-6C73-11D6-B659-00C04F790F76}" = Click to DVD 1.4.05
"{7D1B85BD-AA07-48B8-808D-67A4067FC6BD}" = Windows Workflow Foundation
"{7E8C69A9-8D00-4539-9AF3-A051ADF2B947}" = TaxCut Vermont 2008
"{8214CC02-6271-4DC8-B8DD-779933450264}" = VERITAS RecordNow
"{8419C98D-6818-443B-9362-156519FE4C6B}" = Windows Messenger 5.1
"{89B078C4-50B0-453E-BF53-3A7E6A0D85FA}" = Windows Support Tools
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel® Extreme Graphics Driver
"{8ADFC4160D694100B5B8A22DE9DCABD9}" = DivX Player
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{99D42EC7-652B-4819-B3E6-6450C815E03F}" = Odyssey Client
"{9D4B411F-42F9-4566-9621-13D3A969F871}" = Redistributable_MM
"{9E30D77F-CE1B-4674-8AFB-0DE22E5AC3A8}" = VAIO Media Photo Server 2.5
"{A0EB195B-5876-48E6-879D-33D4B2102610}" = SonicStage 4.3
"{A1BC8E02-6B5B-4B4A-A75F-B27A16918C2B}" = DiscWizard for Windows
"{A3135847-7761-45F3-BA2B-C7EE0A398B21}" = WebEx Access Anywhere
"{A743BBCC-3438-4BB3-8397-6C9D9AC125A6}" = Timershot Powertoy for Windows XP
"{A96E97134CA649888820BCDE5E300BBD}" = H.264 Decoder
"{AAC389499AEF40428987B3D30CFC76C9}" = MKV Splitter
"{AC1E4C93-C1E7-11D6-9D10-00010240CE95}" = Java 2 Runtime Environment, SE v1.4.0_03
"{AEF9DC35ADDF4825B049ACBFD1C6EB37}" = AAC Decoder
"{B13A7C41581B411290FBC0395694E2A9}" = DivX Converter
"{B2B30EC0-FB6A-43BB-9B38-0C3B32D75B40}_is1" = Sony Download Taxi 1.5.0.0
"{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Plus Web Player
"{BA2D4D22-0B99-4D63-BCEE-D2EA4736F27F}" = LogMeIn
"{BAF78226-3200-4DB4-BE33-4D922A799840}" = Windows Presentation Foundation
"{BBB33AD6-BCF7-4002-B6A0-6DC679AE5C18}" = TaxCut Premium + State + Efile 2008
"{BDF820F3-79A6-4ACF-B910-43B26BB894CC}" = Microsoft Network Monitor 3.1
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C169D3BB-9A27-43F5-9979-09A0D65FE95C}" = SmartFTP Client
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CC763DAB-9DC6-4992-B952-ACF563D6F7E1}" = VAIO TV Page
"{CCAC48E4-4B4D-43CB-ABB5-E817E39873B3}" = VAIO Media Setup 2.5
"{CCD663AE-610D-4BDF-AAB0-E914B044527D}" = OpenMG Secure Module 4.7.00
"{CD522250-7AEE-4266-A821-6FB7C7018F13}" = ImageShack QuickLoad
"{CD7D5804-C157-48A6-AEE0-4A40A4B5C054}" = VAIO System Information
"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware Professional
"{CEC2A5B9-CE19-4F2E-9C8F-F310C0EAB993}" = ArcSoft Media Card Companion
"{CF9A795B-2E4A-42D3-A4C4-333D5BF39350}" = TaxCut Premium + State + Efile 2007
"{D0448678-1203-4158-A58F-B3D0B616BF9E}" = Sony Certificate PCH
"{D4B06CBB-8CEF-41A9-8245-ECE384523A85}" = Giga Pocket Hardware Library 5.5
"{D6500891-AD1C-4E72-AB13-30897FE3C94D}" = Wootalyzer
"{DB10AF3B-E30E-49F9-84AC-26785D689E13}" = MainConcept MPEG Encoder
"{DB2112AD-0000-DAD1-0000-000004281965}" = Titan FTP Server
"{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}" = Ad-Aware
"{DF0DD6E9-F673-4466-8353-70B50A506FD9}" = VAIO Media Platform 2.5
"{DF733005-0F40-11D6-9254-0000F460E7A9}" = VAIO Media Music Server 2.5
"{E0F252A6-DE85-4E93-A93B-DFC3537B3965}" = WG111v2 Configuration Utility
"{E68B38DE-D7DD-4FB3-A453-3F03A947EA8E}" = VAIO Help and Support
"{E6B1F8A7-2EF2-47DC-B7D4-BA7E0C885D56}" = CuteFTP 6 Home
"{EDEAF307-51B7-41FF-8B08-AE646117172E}" = Microsoft Upgrade Offer
"{F07B861C-72B9-40A4-8B1A-AAED4C06A7E8}" = QuickTime
"{F251B999-08A9-4704-999C-9962F0DFD88E}" = Virtual Desktop Manager Powertoy for Windows XP
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
"{F38ADCA4-AF7C-4C73-9021-6F1EA15D15EA}" = Pinnacle TVCenter Pro
"{F447B5EC-734E-4B07-ADA7-CDC9C38BB29F}" = Wootalyzer
"{FA11D5B5-7D0A-43E8-88C4-960F97B194DE}" = VAIO Survey Standalone
"{FA3C0B6A-25CE-40BA-8C67-B0A22B5A7027}" = TaxCut Vermont 2007
"{FA61D601-A0FC-48BD-AE7A-54946BCD7FB6}_is1" = BitPim 0.9.14
"{FCE65C4E-B0E8-4FBD-AD16-EDCBE6CD591F}" = HighMAT Extension to Microsoft Windows XP CD Writing Wizard
"{FF005ABC-1422-4BEC-91C4-DD5935E56AAA}" = DVD Creation
"18 Wheels of Steel Pedal to the Metal" = 18 Wheels of Steel Pedal to the Metal
"360Share Pro" = 360Share Pro(remove only)
"ActiveTouchMeetingClient" = WebEx
"Ad-Aware" = Ad-Aware
"Ad-Aware SE Personal" = Ad-Aware SE Personal
"Adobe Acrobat 5.0" = Adobe Acrobat 5.0
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Illustrator 9.0" = Adobe Illustrator 9.0
"Adobe Photoshop 6.0" = Adobe Photoshop 6.0
"Agere Systems Soft Modem" = Agere Systems AC'97 Modem
"All ATI Software" = ATI - Software Uninstall Utility
"Any Video Converter_is1" = Any Video Converter 2.7.6
"AnyTV Free_is1" = AnyTV Free 2.33
"ApecSoft AVI 3GP Joiner_is1" = AVI 3GP Joiner V2.10
"Applian FLV Player2.0.24" = Applian FLV Player
"AspectData Free_is1" = AspectData Free 1.0
"ATI Display Driver" = ATI Display Driver
"ATI NT DVD Player" = ATI NT DVD Player
"Audacity_is1" = Audacity 1.0.0
"Audio Capture" = River Past Audio Capture
"AVI MPEG WMV Joiner_is1" = AVI MPEG WMV Joiner
"AVS DVD Player_is1" = AVS DVD Player version 2.4
"BitComet" = BitComet 0.90
"BitTorrent" = BitTorrent 3.4.2
"CasProg" = CasProg
"CheckIt Diagnostics" = CheckIt Diagnostics
"DeductionPro 2006" = DeductionPro 2006
"DivX Plus DirectShow Filters" = DivX Plus DirectShow Filters
"Download Accelerator Plus " = Download Accelerator Plus
"DVD Decrypter" = DVD Decrypter (Remove Only)
"DVD Shrink_is1" = DVD Shrink 3.2
"Easy AVI/MPEG/RM/WMV Joiner_is1" = Easy AVI/MPEG/RM/WMV Joiner 3.5
"Fastream NETFile FTP (a.k.a. FTP++)" = Fastream NETFile FTP (a.k.a. FTP++)
"Free Video Converter_is1" = Free Video Converter V 1.0
"Fx, Joiner" = Fx, Joiner
"HijackThis" = HijackThis 1.99.1
"hp deskjet 930c series" = hp deskjet 930c series (Remove only)
"ICOO Loader_is1" = ICOO Loader 2.5
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"Inkscape" = Inkscape 0.45.1
"InstallShield_{315BA29D-2644-4760-B5FD-5AC04A52B8C5}" = VAIO Registration
"InstallShield_{CCD663AE-610D-4BDF-AAB0-E914B044527D}" = OpenMG Secure Module 4.7.00
"InstallShield_{DB10AF3B-E30E-49F9-84AC-26785D689E13}" = MainConcept MPEG Encoder
"InstallShield_{E68B38DE-D7DD-4FB3-A453-3F03A947EA8E}" = VAIO Help and Support
"InstallShield_{E6B1F8A7-2EF2-47DC-B7D4-BA7E0C885D56}" = CuteFTP 6 Home
"InstallShield_{FA11D5B5-7D0A-43E8-88C4-960F97B194DE}" = VAIO Survey Standalone
"Intelli-studio" = SAMSUNG Intelli-studio
"InterAct Gaming Devices" = InterAct Gaming Devices
"Java Web Start" = Java Web Start
"Joystick 2 Mouse 3" = Joystick 2 Mouse 3
"KaZaA Lite 1.7.2" = KaZaA Lite 1.7.2
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.0" = Microsoft .NET Framework 3.0
"MovieJoiner" = Movie Joiner
"Mozilla Firefox (3.5.7)" = Mozilla Firefox (3.5.7)
"MSC" = McAfee SecurityCenter
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"MSN Music Assistant" = MSN Music Assistant
"Nero - Burning Rom!UninstallKey" = Nero 6 Ultra Edition
"Netscape (7.02)" = Netscape (7.02)
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"OpenMG HotFix4.7-07-13-22-01" = OpenMG Limited Patch 4.7-07-14-05-01
"Pdf995" = Pdf995 (installed by TaxCut)
"PdfEdit995" = PdfEdit995 (installed by TaxCut)
"Picasa 3" = Picasa 3
"PROSet" = Intel® PRO Network Adapters and Drivers
"PSP Video 9" = PSP Video 9 2.25
"RealPlayer 6.0" = RealOne Player
"Registry Mechanic_is1" = Registry Mechanic 6.0
"RMJ" = Rejump Movie Joiner
"ScummVM_is1" = ScummVM 0.11.1
"Shockwave" = Shockwave
"SmartFTP Client 2.0 Setup Files" = SmartFTP Client 2.0 Setup Files (remove only)
"SpeedFan" = SpeedFan (remove only)
"Steam" = Steam
"TaxCut 2003" = TaxCut 2003
"TaxCut 2004" = TaxCut 2004
"TaxCut Deluxe 2005" = TaxCut Deluxe 2005
"TaxCut Premium 2006" = TaxCut Premium 2006
"TeamSpeak 2 RC2_is1" = TeamSpeak 2 RC2
"TmNations_is1" = TrackMania Nations ESWC 1.7.9
"Trillian" = Trillian
"VAIO Support" = VAIO Support
"VDMSound" = VDMSound
"VideoAccess" = VideoAccess
"VisDir Free Disk Space Finder_is1" = VisDir Free Disk Space Finder v 1.2
"War FTP Daemon" = War FTP Daemon
"WIC" = Windows Imaging Component
"Windows Media Encoder 7" = Windows Media Encoder 7.1
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 2
"WinPcapInst" = WinPcap 4.0.2
"WinRAR archiver" = WinRAR archiver
"Wireshark" = Wireshark 1.0.2
"Wisdom-soft ScreenHunter 4.0 Free" = Wisdom-soft ScreenHunter 4.0 Free
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"XpsEPSC" = XML Paper Specification Shared Components Pack 1.0

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-1541965403-1578699039-901216024-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Google Chrome" = Google Chrome
"WinDirStat" = WinDirStat 1.1.2

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 1/16/2010 1:20:47 PM | Computer Name = TOURAEG | Source = cvpnd | ID = 58720257
Description =

Error - 1/16/2010 1:20:47 PM | Computer Name = TOURAEG | Source = cvpnd | ID = 58720257
Description =

Error - 1/16/2010 1:20:48 PM | Computer Name = TOURAEG | Source = cvpnd | ID = 58720257
Description =

Error - 1/16/2010 1:22:51 PM | Computer Name = TOURAEG | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This operation returned because the timeout period expired.

Error - 1/16/2010 1:22:51 PM | Computer Name = TOURAEG | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 1/16/2010 1:26:34 PM | Computer Name = TOURAEG | Source = Google Update | ID = 20
Description =

Error - 1/16/2010 1:34:48 PM | Computer Name = TOURAEG | Source = Google Update | ID = 20
Description =

Error - 1/16/2010 1:37:26 PM | Computer Name = TOURAEG | Source = cvpnd | ID = 58720257
Description =

Error - 1/16/2010 1:37:26 PM | Computer Name = TOURAEG | Source = cvpnd | ID = 58720257
Description =

Error - 1/16/2010 1:37:27 PM | Computer Name = TOURAEG | Source = cvpnd | ID = 58720257
Description =

[ System Events ]
Error - 1/16/2010 1:23:37 PM | Computer Name = TOURAEG | Source = W32Time | ID = 39452689
Description = Time Provider NtpClient: An error occurred during DNS lookup of the
manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup
again in 15 minutes. The error was: A socket operation was attempted to an unreachable
host. (0x80072751)

Error - 1/16/2010 1:23:37 PM | Computer Name = TOURAEG | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 14 minutes. NtpClient has no source of accurate
time.

Error - 1/16/2010 1:23:52 PM | Computer Name = TOURAEG | Source = W32Time | ID = 39452689
Description = Time Provider NtpClient: An error occurred during DNS lookup of the
manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup
again in 15 minutes. The error was: A socket operation was attempted to an unreachable
host. (0x80072751)

Error - 1/16/2010 1:23:52 PM | Computer Name = TOURAEG | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 14 minutes. NtpClient has no source of accurate
time.

Error - 1/16/2010 1:37:33 PM | Computer Name = TOURAEG | Source = Ftdisk | ID = 262189
Description = The system could not sucessfully load the crash dump driver.

Error - 1/16/2010 1:37:33 PM | Computer Name = TOURAEG | Source = Ftdisk | ID = 262193
Description = Configuring the Page file for crash dump failed. Make sure there is
a page file on the boot partition and that is large enough to contain all physical
memory.

Error - 1/16/2010 1:37:33 PM | Computer Name = TOURAEG | Source = ati2mtag | ID = 45062
Description = CRT invalid display type

Error - 1/16/2010 1:37:33 PM | Computer Name = TOURAEG | Source = ati2mtag | ID = 45062
Description = CRT invalid display type

Error - 1/16/2010 1:38:10 PM | Computer Name = TOURAEG | Source = Service Control Manager | ID = 7000
Description = The Java Quick Starter service failed to start due to the following
error: %%2

Error - 1/16/2010 1:39:29 PM | Computer Name = TOURAEG | Source = Service Control Manager | ID = 7032
Description = The Service Control Manager tried to take a corrective action (Restart
the service) after the unexpected termination of the Windows Management Instrumentation
service, but this action failed with the following error: %%1056


< End of report >


#6 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,766 posts
  • OFFLINE
  • Gender:Female
  • Location:At home
  • Local time:12:54 AM

Posted 16 January 2010 - 01:48 PM

Hi,

Please also run a scan with gmer:
Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

Please simply paste the logs; do not post them in quote or code tags.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

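When the GMER log requested above comes back, most of it is hook lines, and the question to ask of each one is whether GMER could map the JMP target to a module on disk. As an added example (not part of this thread and not GMER's own code), the Python below parses the line format of GMER's "Kernel code sections" and "User code sections" blocks and separates attributed hooks (here a security product's driver and service) from hooks whose target no loaded image owns, which are the ones to look at first. The sample lines are constructed in GMER's format, modelled on the log posted later in this thread; `parse_gmer`, `triage` and `Hook` are names of my own.

```python
"""Triage GMER hook lines: attributed vs. unattributed JMP targets.

Added example, not from this thread or from GMER.  GMER prints one line per
patched export and, when it can map the JMP target to a module on disk,
appends "path (description)".  A hook with no such suffix lands in memory
that no loaded image owns.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# One pattern covers both "Kernel code sections" and "User code sections";
# only the latter carry the "process[pid] " prefix.
HOOK_RE = re.compile(
    r"^(?P<section>\.text|PAGE)\s+"
    r"(?:(?P<proc>.+?)\[(?P<pid>\d+)\]\s+)?"
    r"(?P<module>[^!\s]+)!(?P<func>\S+)\s+"
    r"(?P<addr>[0-9A-Fa-f]+)\s+(?P<nbytes>\d+)\s+Bytes\s+JMP\s+"
    r"(?P<target>[0-9A-Fa-f]+)"
    r"(?:\s+(?P<owner>.+?)\s+\((?P<desc>[^)]*)\))?$"
)


@dataclass
class Hook:
    section: str
    process: Optional[str]  # None for kernel-mode hooks
    pid: Optional[int]
    module: str             # image whose export was patched (kernel32.dll, ...)
    func: str               # the patched export
    target: int             # where the JMP lands
    owner: Optional[str]    # module GMER found at the target, if any
    desc: Optional[str]     # GMER's "(description/vendor)" for that module

    @property
    def attributed(self) -> bool:
        return self.owner is not None


def parse_gmer(text: str) -> List[Hook]:
    """Return every inline-hook line in a GMER log; other lines are skipped."""
    hooks: List[Hook] = []
    for raw in text.splitlines():
        m = HOOK_RE.match(raw.strip())
        if not m:
            continue
        hooks.append(Hook(
            section=m["section"],
            process=m["proc"].rsplit("\\", 1)[-1] if m["proc"] else None,
            pid=int(m["pid"]) if m["pid"] else None,
            module=m["module"],
            func=m["func"],
            target=int(m["target"], 16),
            owner=m["owner"],
            desc=m["desc"],
        ))
    return hooks


def triage(hooks: List[Hook]) -> Dict[str, dict]:
    """Group attributed hooks by owning module, unattributed ones by process.
    Distinct 64 KiB target regions per process are counted too: many APIs
    funnelling into a few regions points at one injected blob."""
    owners: Dict[str, int] = defaultdict(int)
    unattributed: Dict[str, List[str]] = defaultdict(list)
    regions: Dict[str, set] = defaultdict(set)
    for h in hooks:
        if h.attributed:
            owners[h.owner.rsplit("\\", 1)[-1]] += 1
        else:
            key = h.process or "<kernel>"
            unattributed[key].append(f"{h.module}!{h.func}")
            regions[key].add(h.target >> 16)
    return {
        "attributed_by_owner": dict(owners),
        "unattributed_by_process": dict(unattributed),
        "target_regions_by_process": {k: len(v) for k, v in regions.items()},
    }


# Constructed sample in GMER's line format, modelled on the log in this thread.
SAMPLE_LOG = r"""
---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!ZwYieldExecution 80502014 7 Bytes JMP A892B7B8 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtOpenProcess 80572084 5 Bytes JMP A892B714 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

---- User code sections - GMER 1.0.15 ----

.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[384] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 0041C130 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text D:\WINDOWS\system32\services.exe[832] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00C90FEF
.text D:\WINDOWS\system32\services.exe[832] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00C900A2
.text D:\WINDOWS\system32\services.exe[832] ADVAPI32.dll!RegOpenKeyExW 77DD6A8F 5 Bytes JMP 00070FCA
.text D:\WINDOWS\system32\services.exe[832] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00050000
.text D:\WINDOWS\system32\lsass.exe[844] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00F00EF7
.text D:\WINDOWS\system32\lsass.exe[844] WININET.dll!InternetOpenUrlA 6302DEF0 5 Bytes JMP 00E3001B
"""

if __name__ == "__main__":
    report = triage(parse_gmer(SAMPLE_LOG))
    for owner, n in report["attributed_by_owner"].items():
        print(f"attributed   {owner:<14} {n} hook(s)")
    for proc, funcs in report["unattributed_by_process"].items():
        n_regions = report["target_regions_by_process"][proc]
        print(f"INVESTIGATE  {proc:<14} {len(funcs)} hook(s) into "
              f"{n_regions} region(s) owned by no module")
        for f in funcs:
            print(f"    {f}")
```

Run it against a saved gmer.log by passing the file contents to `parse_gmer` instead of `SAMPLE_LOG`. An attributed hook is not automatically benign and an unattributed one is not automatically malicious, but the split tells a helper where to spend the first minutes: the processes listed under INVESTIGATE are the ones whose memory a follow-up tool should dump or whose loaded modules should be compared against a clean system.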


#7 CorradoVT

CorradoVT
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  • Local time:05:54 PM

Posted 17 January 2010 - 01:57 PM

I have two physical (40GB & 250GB) (3 logical, C, D, and S) drives in this computer. D is the "default" boot drive, but I can also boot to C. S was intended to be a 3rd boot option, but the OS needs to be repaired.

So I booted to D and ran GMER on just D alone and saved the file below as GMER-D.log. I then booted to C and have attached that scan as GMER-C.log.

I then tried to run GMER for all drives and got very unpredictable results ranging from spontaneous reboots to blue screens with various errors (screen shots below).
Early on in my troubleshooting, I could run any of the Safe Mode options. I can no longer boot either C or D in Safe Mode; it hangs at the same .SYS file regardless of which drive I boot to (screen shot below).
When running GMER, my computer becomes increasingly unresponsive; lsass.exe (and in one case, winlogon.exe) monopolizes all free processor cycles (and the default priority is High). Task Manager will take 30+ minutes to load. GMER.exe becomes unresponsive (screen shot below). Once the C-drive scan completed, it literally took an hour and a half to be able to key in a file name to save the file.





The net result is that I can get you something for D, I can get you something for C, but I cannot get anything for S.


GMER-D.log


GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-01-16 15:43:13
Windows 5.1.2600 Service Pack 2
Running: w3bxo7sd.exe; Driver: D:\DOCUME~1\ERINEN~1\LOCALS~1\Temp\uxrdipog.sys


---- System - GMER 1.0.15 ----

SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xF766787E]
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xF7667BFE]
SSDT \??\D:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xA89E80B0]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xA892B78A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xA892B738]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xA892B74C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xA892B7CA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xA892B710]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xA892B724]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xA892B79E]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xA892B776]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xA892B762]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xA892B7F9]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xA892B7E0]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xA892B7B4]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!ZwYieldExecution 80502014 7 Bytes JMP A892B7B8 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtOpenProcess 80572084 5 Bytes JMP A892B714 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwProtectVirtualMemory 80572399 7 Bytes JMP A892B7A2 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtCreateFile 805763BC 5 Bytes JMP A892B78E \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwUnmapViewOfSection 8057729B 5 Bytes JMP A892B7E4 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtMapViewOfSection 80577713 7 Bytes JMP A892B7CE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtSetInformationProcess 8057AB25 5 Bytes JMP A892B766 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwCreateProcessEx 80583B14 7 Bytes JMP A892B750 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwTerminateProcess 8058539D 5 Bytes JMP A892B7FD \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtOpenThread 805AA337 5 Bytes JMP A892B728 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwCreateProcess 805B9C00 5 Bytes JMP A892B73C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwSetContextThread 8062CDA3 5 Bytes JMP A892B77A \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

---- User code sections - GMER 1.0.15 ----

.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[384] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 0041C130 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[384] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 0041C1B0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text D:\WINDOWS\system32\services.exe[832] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00C90FEF
.text D:\WINDOWS\system32\services.exe[832] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00C90065
.text D:\WINDOWS\system32\services.exe[832] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00C90040
.text D:\WINDOWS\system32\services.exe[832] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00C90F72
.text D:\WINDOWS\system32\services.exe[832] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00C90F83
.text D:\WINDOWS\system32\services.exe[832] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00C90025
.text D:\WINDOWS\system32\services.exe[832] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00C90F35
.text D:\WINDOWS\system32\services.exe[832] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00C90087
.text D:\WINDOWS\system32\services.exe[832] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00C900A2
.text D:\WINDOWS\system32\services.exe[832] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00C90F09
.text D:\WINDOWS\system32\services.exe[832] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 00C900BD
.text D:\WINDOWS\system32\services.exe[832] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 00C90F9E
.text D:\WINDOWS\system32\services.exe[832] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 00C90FDE
.text D:\WINDOWS\system32\services.exe[832] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 00C90076
.text D:\WINDOWS\system32\services.exe[832] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 00C90014
.text D:\WINDOWS\system32\services.exe[832] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 00C90FCD
.text D:\WINDOWS\system32\services.exe[832] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00C90F24
.text D:\WINDOWS\system32\services.exe[832] ADVAPI32.dll!RegOpenKeyExW 77DD6A8F 5 Bytes JMP 00070FCA
.text D:\WINDOWS\system32\services.exe[832] ADVAPI32.dll!RegCreateKeyExW 77DD774C 5 Bytes JMP 0007004A
.text D:\WINDOWS\system32\services.exe[832] ADVAPI32.dll!RegOpenKeyExA 77DD7832 5 Bytes JMP 0007001B
.text D:\WINDOWS\system32\services.exe[832] ADVAPI32.dll!RegOpenKeyW 77DD7926 5 Bytes JMP 00070000
.text D:\WINDOWS\system32\services.exe[832] ADVAPI32.dll!RegCreateKeyExA 77DDE834 5 Bytes JMP 00070F83
.text D:\WINDOWS\system32\services.exe[832] ADVAPI32.dll!RegOpenKeyA 77DDEE08 5 Bytes JMP 00070FEF
.text D:\WINDOWS\system32\services.exe[832] ADVAPI32.dll!RegCreateKeyW 77DE45EE 5 Bytes JMP 00070F9E
.text D:\WINDOWS\system32\services.exe[832] ADVAPI32.dll!RegCreateKeyA 77DE4706 5 Bytes JMP 00070FB9
.text D:\WINDOWS\system32\services.exe[832] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00060FA1
.text D:\WINDOWS\system32\services.exe[832] msvcrt.dll!system 77C293C7 5 Bytes JMP 00060022
.text D:\WINDOWS\system32\services.exe[832] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00060000
.text D:\WINDOWS\system32\services.exe[832] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00060FEF
.text D:\WINDOWS\system32\services.exe[832] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00060011
.text D:\WINDOWS\system32\services.exe[832] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00060FC6
.text D:\WINDOWS\system32\services.exe[832] WININET.dll!InternetOpenA 6302B2D5 5 Bytes JMP 00040FEF
.text D:\WINDOWS\system32\services.exe[832] WININET.dll!InternetOpenW 6302B92E 5 Bytes JMP 00040FD4
.text D:\WINDOWS\system32\services.exe[832] WININET.dll!InternetOpenUrlA 6302DEF0 5 Bytes JMP 00040FC3
.text D:\WINDOWS\system32\services.exe[832] WININET.dll!InternetOpenUrlW 63077347 5 Bytes JMP 00040FB2
.text D:\WINDOWS\system32\services.exe[832] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00050000
.text D:\WINDOWS\system32\lsass.exe[844] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00F00000
.text D:\WINDOWS\system32\lsass.exe[844] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00F00F59
.text D:\WINDOWS\system32\lsass.exe[844] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00F0004E
.text D:\WINDOWS\system32\lsass.exe[844] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00F0003D
.text D:\WINDOWS\system32\lsass.exe[844] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00F00F80
.text D:\WINDOWS\system32\lsass.exe[844] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00F00FA5
.text D:\WINDOWS\system32\lsass.exe[844] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00F00F37
.text D:\WINDOWS\system32\lsass.exe[844] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00F00073
.text D:\WINDOWS\system32\lsass.exe[844] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00F00EF7
.text D:\WINDOWS\system32\lsass.exe[844] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00F00090
.text D:\WINDOWS\system32\lsass.exe[844] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 00F000B5
.text D:\WINDOWS\system32\lsass.exe[844] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 00F0002C
.text D:\WINDOWS\system32\lsass.exe[844] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 00F00FE5
.text D:\WINDOWS\system32\lsass.exe[844] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 00F00F48
.text D:\WINDOWS\system32\lsass.exe[844] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 00F0001B
.text D:\WINDOWS\system32\lsass.exe[844] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 00F00FD4
.text D:\WINDOWS\system32\lsass.exe[844] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00F00F1C
.text D:\WINDOWS\system32\lsass.exe[844] ADVAPI32.dll!RegOpenKeyExW 77DD6A8F 5 Bytes JMP 00EF0036
.text D:\WINDOWS\system32\lsass.exe[844] ADVAPI32.dll!RegCreateKeyExW 77DD774C 5 Bytes JMP 00EF0FAF
.text D:\WINDOWS\system32\lsass.exe[844] ADVAPI32.dll!RegOpenKeyExA 77DD7832 5 Bytes JMP 00EF0025
.text D:\WINDOWS\system32\lsass.exe[844] ADVAPI32.dll!RegOpenKeyW 77DD7926 5 Bytes JMP 00EF0FEF
.text D:\WINDOWS\system32\lsass.exe[844] ADVAPI32.dll!RegCreateKeyExA 77DDE834 5 Bytes JMP 00EF0FC0
.text D:\WINDOWS\system32\lsass.exe[844] ADVAPI32.dll!RegOpenKeyA 77DDEE08 5 Bytes JMP 00EF0000
.text D:\WINDOWS\system32\lsass.exe[844] ADVAPI32.dll!RegCreateKeyW 77DE45EE 5 Bytes JMP 00EF0062
.text D:\WINDOWS\system32\lsass.exe[844] ADVAPI32.dll!RegCreateKeyA 77DE4706 5 Bytes JMP 00EF0051
.text D:\WINDOWS\system32\lsass.exe[844] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00E50038
.text D:\WINDOWS\system32\lsass.exe[844] msvcrt.dll!system 77C293C7 5 Bytes JMP 00E5001D
.text D:\WINDOWS\system32\lsass.exe[844] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00E5000C
.text D:\WINDOWS\system32\lsass.exe[844] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00E50FEF
.text D:\WINDOWS\system32\lsass.exe[844] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00E50FB7
.text D:\WINDOWS\system32\lsass.exe[844] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00E50FD2
.text D:\WINDOWS\system32\lsass.exe[844] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00E4000A
.text D:\WINDOWS\system32\lsass.exe[844] WININET.dll!InternetOpenA 6302B2D5 5 Bytes JMP 00E30000
.text D:\WINDOWS\system32\lsass.exe[844] WININET.dll!InternetOpenW 6302B92E 5 Bytes JMP 00E30FE5
.text D:\WINDOWS\system32\lsass.exe[844] WININET.dll!InternetOpenUrlA 6302DEF0 5 Bytes JMP 00E3001B
.text D:\WINDOWS\system32\lsass.exe[844] WININET.dll!InternetOpenUrlW 63077347 5 Bytes JMP 00E30FCA
.text D:\WINDOWS\system32\svchost.exe[996] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00C80000
.text D:\WINDOWS\system32\svchost.exe[996] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00C80F9B
.text D:\WINDOWS\system32\svchost.exe[996] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00C8009A
.text D:\WINDOWS\system32\svchost.exe[996] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00C8007F
.text D:\WINDOWS\system32\svchost.exe[996] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00C80FB6
.text D:\WINDOWS\system32\svchost.exe[996] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00C80051
.text D:\WINDOWS\system32\svchost.exe[996] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00C80F74
.text D:\WINDOWS\system32\svchost.exe[996] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00C800BC
.text D:\WINDOWS\system32\svchost.exe[996] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00C80103
.text D:\WINDOWS\system32\svchost.exe[996] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00C800E8
.text D:\WINDOWS\system32\svchost.exe[996] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 00C80F4F
.text D:\WINDOWS\system32\svchost.exe[996] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 00C80062
.text D:\WINDOWS\system32\svchost.exe[996] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 00C80025
.text D:\WINDOWS\system32\svchost.exe[996] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 00C800AB
.text D:\WINDOWS\system32\svchost.exe[996] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 00C80036
.text D:\WINDOWS\system32\svchost.exe[996] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 00C80FEF
.text D:\WINDOWS\system32\svchost.exe[996] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00C800CD
.text D:\WINDOWS\system32\svchost.exe[996] ADVAPI32.dll!RegOpenKeyExW 77DD6A8F 5 Bytes JMP 00C70FD4
.text D:\WINDOWS\system32\svchost.exe[996] ADVAPI32.dll!RegCreateKeyExW 77DD774C 5 Bytes JMP 00C7006C
.text D:\WINDOWS\system32\svchost.exe[996] ADVAPI32.dll!RegOpenKeyExA 77DD7832 5 Bytes JMP 00C70025
.text D:\WINDOWS\system32\svchost.exe[996] ADVAPI32.dll!RegOpenKeyW 77DD7926 5 Bytes JMP 00C70FEF
.text D:\WINDOWS\system32\svchost.exe[996] ADVAPI32.dll!RegCreateKeyExA 77DDE834 5 Bytes JMP 00C7005B
.text D:\WINDOWS\system32\svchost.exe[996] ADVAPI32.dll!RegOpenKeyA 77DDEE08 5 Bytes JMP 00C7000A
.text D:\WINDOWS\system32\svchost.exe[996] ADVAPI32.dll!RegCreateKeyW 77DE45EE 5 Bytes JMP 00C70FB9
.text D:\WINDOWS\system32\svchost.exe[996] ADVAPI32.dll!RegCreateKeyA 77DE4706 5 Bytes JMP 00C7004A
.text D:\WINDOWS\system32\svchost.exe[996] ole32.dll!CoCreateInstance 774FFAC3 5 Bytes JMP 00C9000A
.text D:\WINDOWS\system32\svchost.exe[996] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00C60FB7
.text D:\WINDOWS\system32\svchost.exe[996] msvcrt.dll!system 77C293C7 5 Bytes JMP 00C60038
.text D:\WINDOWS\system32\svchost.exe[996] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00C6000C
.text D:\WINDOWS\system32\svchost.exe[996] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00C60FEF
.text D:\WINDOWS\system32\svchost.exe[996] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00C6001D
.text D:\WINDOWS\system32\svchost.exe[996] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00C60FDE
.text D:\WINDOWS\system32\svchost.exe[996] WININET.dll!InternetOpenA 6302B2D5 5 Bytes JMP 00C40FEF
.text D:\WINDOWS\system32\svchost.exe[996] WININET.dll!InternetOpenW 6302B92E 5 Bytes JMP 00C4000A
.text D:\WINDOWS\system32\svchost.exe[996] WININET.dll!InternetOpenUrlA 6302DEF0 5 Bytes JMP 00C40FD4
.text D:\WINDOWS\system32\svchost.exe[996] WININET.dll!InternetOpenUrlW 63077347 5 Bytes JMP 00C40025
.text D:\WINDOWS\system32\svchost.exe[996] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00C50FEF
.text D:\WINDOWS\System32\svchost.exe[1060] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00A30000
.text D:\WINDOWS\System32\svchost.exe[1060] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00A30F5C
.text D:\WINDOWS\System32\svchost.exe[1060] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00A30F77
.text D:\WINDOWS\System32\svchost.exe[1060] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00A30F94
.text D:\WINDOWS\System32\svchost.exe[1060] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00A30FA5
.text D:\WINDOWS\System32\svchost.exe[1060] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00A30051
.text D:\WINDOWS\System32\svchost.exe[1060] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00A30F24
.text D:\WINDOWS\System32\svchost.exe[1060] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00A3006C
.text D:\WINDOWS\System32\svchost.exe[1060] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00A30EF8
.text D:\WINDOWS\System32\svchost.exe[1060] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00A30F13
.text D:\WINDOWS\System32\svchost.exe[1060] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 00A300B6
.text D:\WINDOWS\System32\svchost.exe[1060] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 00A30FCA
.text D:\WINDOWS\System32\svchost.exe[1060] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 00A3001B
.text D:\WINDOWS\System32\svchost.exe[1060] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 00A30F41
.text D:\WINDOWS\System32\svchost.exe[1060] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 00A30FE5
.text D:\WINDOWS\System32\svchost.exe[1060] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 00A30036
.text D:\WINDOWS\System32\svchost.exe[1060] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00A30087
.text D:\WINDOWS\System32\svchost.exe[1060] ADVAPI32.dll!RegOpenKeyExW 77DD6A8F 5 Bytes JMP 00A20FC0
.text D:\WINDOWS\System32\svchost.exe[1060] ADVAPI32.dll!RegCreateKeyExW 77DD774C 5 Bytes JMP 00A20F6F
.text D:\WINDOWS\System32\svchost.exe[1060] ADVAPI32.dll!RegOpenKeyExA 77DD7832 5 Bytes JMP 00A2001B
.text D:\WINDOWS\System32\svchost.exe[1060] ADVAPI32.dll!RegOpenKeyW 77DD7926 5 Bytes JMP 00A20FE5
.text D:\WINDOWS\System32\svchost.exe[1060] ADVAPI32.dll!RegCreateKeyExA 77DDE834 5 Bytes JMP 00A20F8A
.text D:\WINDOWS\System32\svchost.exe[1060] ADVAPI32.dll!RegOpenKeyA 77DDEE08 5 Bytes JMP 00A20000
.text D:\WINDOWS\System32\svchost.exe[1060] ADVAPI32.dll!RegCreateKeyW 77DE45EE 5 Bytes JMP 00A2002C
.text D:\WINDOWS\System32\svchost.exe[1060] ADVAPI32.dll!RegCreateKeyA 77DE4706 5 Bytes JMP 00A20FA5
.text D:\WINDOWS\System32\svchost.exe[1060] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00A10F92
.text D:\WINDOWS\System32\svchost.exe[1060] msvcrt.dll!system 77C293C7 5 Bytes JMP 00A10FA3
.text D:\WINDOWS\System32\svchost.exe[1060] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00A10FC8
.text D:\WINDOWS\System32\svchost.exe[1060] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00A10FEF
.text D:\WINDOWS\System32\svchost.exe[1060] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00A1001D
.text D:\WINDOWS\System32\svchost.exe[1060] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00A1000C
.text D:\WINDOWS\System32\svchost.exe[1060] WININET.dll!InternetOpenA 6302B2D5 5 Bytes JMP 00A00000
.text D:\WINDOWS\System32\svchost.exe[1060] WININET.dll!InternetOpenW 6302B92E 5 Bytes JMP 00A00011
.text D:\WINDOWS\System32\svchost.exe[1060] WININET.dll!InternetOpenUrlA 6302DEF0 5 Bytes JMP 00A00022
.text D:\WINDOWS\System32\svchost.exe[1060] WININET.dll!InternetOpenUrlW 63077347 5 Bytes JMP 00A0003D
.text D:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00CD0FE5
.text D:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00CD006E
.text D:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00CD0F79
.text D:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00CD0053
.text D:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00CD0F8A
.text D:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00CD0FB9
.text D:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00CD00C1
.text D:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00CD00A6
.text D:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00CD0F54
.text D:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00CD00ED
.text D:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 00CD0108
.text D:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 00CD0036
.text D:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 00CD0FCA
.text D:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 00CD007F
.text D:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 00CD001B
.text D:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 00CD000A
.text D:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00CD00D2
.text D:\WINDOWS\system32\svchost.exe[1188] ADVAPI32.dll!RegOpenKeyExW 77DD6A8F 5 Bytes JMP 00CC0FBC
.text D:\WINDOWS\system32\svchost.exe[1188] ADVAPI32.dll!RegCreateKeyExW 77DD774C 5 Bytes JMP 00CC0F72
.text D:\WINDOWS\system32\svchost.exe[1188] ADVAPI32.dll!RegOpenKeyExA 77DD7832 5 Bytes JMP 00CC0FCD
.text D:\WINDOWS\system32\svchost.exe[1188] ADVAPI32.dll!RegOpenKeyW 77DD7926 5 Bytes JMP 00CC0FDE
.text D:\WINDOWS\system32\svchost.exe[1188] ADVAPI32.dll!RegCreateKeyExA 77DDE834 5 Bytes JMP 00CC0039
.text D:\WINDOWS\system32\svchost.exe[1188] ADVAPI32.dll!RegOpenKeyA 77DDEE08 5 Bytes JMP 00CC0FEF
.text D:\WINDOWS\system32\svchost.exe[1188] ADVAPI32.dll!RegCreateKeyW 77DE45EE 5 Bytes JMP 00CC0028
.text D:\WINDOWS\system32\svchost.exe[1188] ADVAPI32.dll!RegCreateKeyA 77DE4706 5 Bytes JMP 00CC0FAB
.text D:\WINDOWS\system32\svchost.exe[1188] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00CB0064
.text D:\WINDOWS\system32\svchost.exe[1188] msvcrt.dll!system 77C293C7 5 Bytes JMP 00CB003F
.text D:\WINDOWS\system32\svchost.exe[1188] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00CB001D
.text D:\WINDOWS\system32\svchost.exe[1188] msvcrt.dll!_open 77C2F566 3 Bytes JMP 00CB0000
.text D:\WINDOWS\system32\svchost.exe[1188] msvcrt.dll!_open + 4 77C2F56A 1 Byte [89]
.text D:\WINDOWS\system32\svchost.exe[1188] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00CB002E
.text D:\WINDOWS\system32\svchost.exe[1188] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00CB0FE3
.text D:\WINDOWS\system32\svchost.exe[1188] WININET.dll!InternetOpenA 6302B2D5 5 Bytes JMP 00C90000
.text D:\WINDOWS\system32\svchost.exe[1188] WININET.dll!InternetOpenW 6302B92E 5 Bytes JMP 00C90011
.text D:\WINDOWS\system32\svchost.exe[1188] WININET.dll!InternetOpenUrlA 6302DEF0 5 Bytes JMP 00C90022
.text D:\WINDOWS\system32\svchost.exe[1188] WININET.dll!InternetOpenUrlW 63077347 5 Bytes JMP 00C9003D
.text D:\WINDOWS\system32\svchost.exe[1188] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00CA0000
.text D:\WINDOWS\system32\svchost.exe[1256] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00670000
.text D:\WINDOWS\system32\svchost.exe[1256] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00670F79
.text D:\WINDOWS\system32\svchost.exe[1256] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00670F94
.text D:\WINDOWS\system32\svchost.exe[1256] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 0067006C
.text D:\WINDOWS\system32\svchost.exe[1256] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00670FAF
.text D:\WINDOWS\system32\svchost.exe[1256] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00670051
.text D:\WINDOWS\system32\svchost.exe[1256] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00670F48
.text D:\WINDOWS\system32\svchost.exe[1256] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 0067009A
.text D:\WINDOWS\system32\svchost.exe[1256] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00670F1C
.text D:\WINDOWS\system32\svchost.exe[1256] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00670F2D
.text D:\WINDOWS\system32\svchost.exe[1256] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 00670F0B
.text D:\WINDOWS\system32\svchost.exe[1256] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 00670FCA
.text D:\WINDOWS\system32\svchost.exe[1256] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 00670FEF
.text D:\WINDOWS\system32\svchost.exe[1256] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 00670089
.text D:\WINDOWS\system32\svchost.exe[1256] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 00670036
.text D:\WINDOWS\system32\svchost.exe[1256] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 00670025
.text D:\WINDOWS\system32\svchost.exe[1256] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 006700AB
.text D:\WINDOWS\system32\svchost.exe[1256] ADVAPI32.dll!RegOpenKeyExW 77DD6A8F 5 Bytes JMP 00660FAF
.text D:\WINDOWS\system32\svchost.exe[1256] ADVAPI32.dll!RegCreateKeyExW 77DD774C 5 Bytes JMP 00660F72
.text D:\WINDOWS\system32\svchost.exe[1256] ADVAPI32.dll!RegOpenKeyExA 77DD7832 5 Bytes JMP 00660FCA
.text D:\WINDOWS\system32\svchost.exe[1256] ADVAPI32.dll!RegOpenKeyW 77DD7926 5 Bytes JMP 00660000
.text D:\WINDOWS\system32\svchost.exe[1256] ADVAPI32.dll!RegCreateKeyExA 77DDE834 5 Bytes JMP 00660F83
.text D:\WINDOWS\system32\svchost.exe[1256] ADVAPI32.dll!RegOpenKeyA 77DDEE08 5 Bytes JMP 00660FE5
.text D:\WINDOWS\system32\svchost.exe[1256] ADVAPI32.dll!RegCreateKeyW 77DE45EE 5 Bytes JMP 0066002F
.text D:\WINDOWS\system32\svchost.exe[1256] ADVAPI32.dll!RegCreateKeyA 77DE4706 5 Bytes JMP 00660F9E
.text D:\WINDOWS\system32\svchost.exe[1256] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00650FAF
.text D:\WINDOWS\system32\svchost.exe[1256] msvcrt.dll!system 77C293C7 5 Bytes JMP 0065003A
.text D:\WINDOWS\system32\svchost.exe[1256] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00650029
.text D:\WINDOWS\system32\svchost.exe[1256] msvcrt.dll!_open 77C2F566 5 Bytes JMP 0065000C
.text D:\WINDOWS\system32\svchost.exe[1256] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00650FCA
.text D:\WINDOWS\system32\svchost.exe[1256] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00650FEF
.text D:\WINDOWS\system32\svchost.exe[1256] WININET.dll!InternetOpenA 6302B2D5 5 Bytes JMP 00640FEF
.text D:\WINDOWS\system32\svchost.exe[1256] WININET.dll!InternetOpenW 6302B92E 5 Bytes JMP 00640000
.text D:\WINDOWS\system32\svchost.exe[1256] WININET.dll!InternetOpenUrlA 6302DEF0 5 Bytes JMP 00640FD4
.text D:\WINDOWS\system32\svchost.exe[1256] WININET.dll!InternetOpenUrlW 63077347 5 Bytes JMP 00640FB9
.text D:\WINDOWS\System32\svchost.exe[1320] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00A80FEF
.text D:\WINDOWS\System32\svchost.exe[1320] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00A80F81
.text D:\WINDOWS\System32\svchost.exe[1320] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00A80F92
.text D:\WINDOWS\System32\svchost.exe[1320] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00A8006C
.text D:\WINDOWS\System32\svchost.exe[1320] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00A80FB9
.text D:\WINDOWS\System32\svchost.exe[1320] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00A80047
.text D:\WINDOWS\System32\svchost.exe[1320] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00A80F66
.text D:\WINDOWS\System32\svchost.exe[1320] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00A800A2
.text D:\WINDOWS\System32\svchost.exe[1320] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00A80F55
.text D:\WINDOWS\System32\svchost.exe[1320] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00A800EE
.text D:\WINDOWS\System32\svchost.exe[1320] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 00A80F44
.text D:\WINDOWS\System32\svchost.exe[1320] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 00A80FCA
.text D:\WINDOWS\System32\svchost.exe[1320] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 00A8000A
.text D:\WINDOWS\System32\svchost.exe[1320] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 00A80091
.text D:\WINDOWS\System32\svchost.exe[1320] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 00A80036
.text D:\WINDOWS\System32\svchost.exe[1320] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 00A80025
.text D:\WINDOWS\System32\svchost.exe[1320] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00A800C9
.text D:\WINDOWS\System32\svchost.exe[1320] ADVAPI32.dll!RegOpenKeyExW 77DD6A8F 5 Bytes JMP 00A70FC0
.text D:\WINDOWS\System32\svchost.exe[1320] ADVAPI32.dll!RegCreateKeyExW 77DD774C 5 Bytes JMP 00A70036
.text D:\WINDOWS\System32\svchost.exe[1320] ADVAPI32.dll!RegOpenKeyExA 77DD7832 5 Bytes JMP 00A70011
.text D:\WINDOWS\System32\svchost.exe[1320] ADVAPI32.dll!RegOpenKeyW 77DD7926 5 Bytes JMP 00A70FDB
.text D:\WINDOWS\System32\svchost.exe[1320] ADVAPI32.dll!RegCreateKeyExA 77DDE834 5 Bytes JMP 00A70F79
.text D:\WINDOWS\System32\svchost.exe[1320] ADVAPI32.dll!RegOpenKeyA 77DDEE08 5 Bytes JMP 00A70000
.text D:\WINDOWS\System32\svchost.exe[1320] ADVAPI32.dll!RegCreateKeyW 77DE45EE 5 Bytes JMP 00A70F94
.text D:\WINDOWS\System32\svchost.exe[1320] ADVAPI32.dll!RegCreateKeyA 77DE4706 5 Bytes JMP 00A70FAF
.text D:\WINDOWS\System32\svchost.exe[1320] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00A60038
.text D:\WINDOWS\System32\svchost.exe[1320] msvcrt.dll!system 77C293C7 5 Bytes JMP 00A60027
.text D:\WINDOWS\System32\svchost.exe[1320] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00A60FD2
.text D:\WINDOWS\System32\svchost.exe[1320] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00A60FEF
.text D:\WINDOWS\System32\svchost.exe[1320] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00A60FB7
.text D:\WINDOWS\System32\svchost.exe[1320] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00A6000C
.text D:\WINDOWS\System32\svchost.exe[1320] WININET.dll!InternetOpenA 6302B2D5 5 Bytes JMP 00A40FEF
.text D:\WINDOWS\System32\svchost.exe[1320] WININET.dll!InternetOpenW 6302B92E 5 Bytes JMP 00A40FDE
.text D:\WINDOWS\System32\svchost.exe[1320] WININET.dll!InternetOpenUrlA 6302DEF0 5 Bytes JMP 00A4001E
.text D:\WINDOWS\System32\svchost.exe[1320] WININET.dll!InternetOpenUrlW 63077347 5 Bytes JMP 00A40FCD
.text D:\WINDOWS\System32\svchost.exe[1320] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00A5000A
.text D:\WINDOWS\System32\svchost.exe[1360] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 009F0000
.text D:\WINDOWS\System32\svchost.exe[1360] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 009F0F76
.text D:\WINDOWS\System32\svchost.exe[1360] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 009F006B
.text D:\WINDOWS\System32\svchost.exe[1360] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 009F0F91
.text D:\WINDOWS\System32\svchost.exe[1360] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 009F0FA2
.text D:\WINDOWS\System32\svchost.exe[1360] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 009F003D
.text D:\WINDOWS\System32\svchost.exe[1360] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 009F00BC
.text D:\WINDOWS\System32\svchost.exe[1360] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 009F00A1
.text D:\WINDOWS\System32\svchost.exe[1360] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 009F0103
.text D:\WINDOWS\System32\svchost.exe[1360] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 009F00E8
.text D:\WINDOWS\System32\svchost.exe[1360] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 009F011E
.text D:\WINDOWS\System32\svchost.exe[1360] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 009F004E
.text D:\WINDOWS\System32\svchost.exe[1360] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 009F001B
.text D:\WINDOWS\System32\svchost.exe[1360] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 009F0086
.text D:\WINDOWS\System32\svchost.exe[1360] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 009F002C
.text D:\WINDOWS\System32\svchost.exe[1360] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 009F0FDB
.text D:\WINDOWS\System32\svchost.exe[1360] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 009F00D7
.text D:\WINDOWS\System32\svchost.exe[1360] ADVAPI32.dll!RegOpenKeyExW 77DD6A8F 5 Bytes JMP 009E002C
.text D:\WINDOWS\System32\svchost.exe[1360] ADVAPI32.dll!RegCreateKeyExW 77DD774C 5 Bytes JMP 009E007D
.text D:\WINDOWS\System32\svchost.exe[1360] ADVAPI32.dll!RegOpenKeyExA 77DD7832 5 Bytes JMP 009E0011
.text D:\WINDOWS\System32\svchost.exe[1360] ADVAPI32.dll!RegOpenKeyW 77DD7926 5 Bytes JMP 009E0000
.text D:\WINDOWS\System32\svchost.exe[1360] ADVAPI32.dll!RegCreateKeyExA 77DDE834 5 Bytes JMP 009E0FC0
.text D:\WINDOWS\System32\svchost.exe[1360] ADVAPI32.dll!RegOpenKeyA 77DDEE08 5 Bytes JMP 009E0FE5
.text D:\WINDOWS\System32\svchost.exe[1360] ADVAPI32.dll!RegCreateKeyW 77DE45EE 5 Bytes JMP 009E0062
.text D:\WINDOWS\System32\svchost.exe[1360] ADVAPI32.dll!RegCreateKeyA 77DE4706 5 Bytes JMP 009E0047
.text D:\WINDOWS\System32\svchost.exe[1360] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 009D005A
.text D:\WINDOWS\System32\svchost.exe[1360] msvcrt.dll!system 77C293C7 5 Bytes JMP 009D0049
.text D:\WINDOWS\System32\svchost.exe[1360] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 009D0FD9
.text D:\WINDOWS\System32\svchost.exe[1360] msvcrt.dll!_open 77C2F566 5 Bytes JMP 009D0000
.text D:\WINDOWS\System32\svchost.exe[1360] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 009D002E
.text D:\WINDOWS\System32\svchost.exe[1360] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 009D001D
.text D:\WINDOWS\System32\svchost.exe[1360] WININET.dll!InternetOpenA 6302B2D5 5 Bytes JMP 001B0000
.text D:\WINDOWS\System32\svchost.exe[1360] WININET.dll!InternetOpenW 6302B92E 5 Bytes JMP 001B0025
.text D:\WINDOWS\System32\svchost.exe[1360] WININET.dll!InternetOpenUrlA 6302DEF0 5 Bytes JMP 001B0036
.text D:\WINDOWS\System32\svchost.exe[1360] WININET.dll!InternetOpenUrlW 63077347 5 Bytes JMP 001B0FEF
.text D:\WINDOWS\System32\svchost.exe[1360] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 009C0FEF
.text D:\WINDOWS\System32\svchost.exe[1612] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00A20FEF
.text D:\WINDOWS\System32\svchost.exe[1612] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00A20F8F
.text D:\WINDOWS\System32\svchost.exe[1612] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00A20084
.text D:\WINDOWS\System32\svchost.exe[1612] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00A20073
.text D:\WINDOWS\System32\svchost.exe[1612] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00A20062
.text D:\WINDOWS\System32\svchost.exe[1612] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00A20FC0
.text D:\WINDOWS\System32\svchost.exe[1612] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00A20F60
.text D:\WINDOWS\System32\svchost.exe[1612] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00A200B2
.text D:\WINDOWS\System32\svchost.exe[1612] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00A20F23
.text D:\WINDOWS\System32\svchost.exe[1612] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00A20F34
.text D:\WINDOWS\System32\svchost.exe[1612] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 00A20F08
.text D:\WINDOWS\System32\svchost.exe[1612] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 00A20047
.text D:\WINDOWS\System32\svchost.exe[1612] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 00A2000A
.text D:\WINDOWS\System32\svchost.exe[1612] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 00A20095
.text D:\WINDOWS\System32\svchost.exe[1612] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 00A20036
.text D:\WINDOWS\System32\svchost.exe[1612] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 00A2001B
.text D:\WINDOWS\System32\svchost.exe[1612] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00A20F45
.text D:\WINDOWS\System32\svchost.exe[1612] ADVAPI32.dll!RegOpenKeyExW 77DD6A8F 5 Bytes JMP 00670FCA
.text D:\WINDOWS\System32\svchost.exe[1612] ADVAPI32.dll!RegCreateKeyExW 77DD774C 5 Bytes JMP 00670062
.text D:\WINDOWS\System32\svchost.exe[1612] ADVAPI32.dll!RegOpenKeyExA 77DD7832 5 Bytes JMP 00670025
.text D:\WINDOWS\System32\svchost.exe[1612] ADVAPI32.dll!RegOpenKeyW 77DD7926 5 Bytes JMP 00670FEF
.text D:\WINDOWS\System32\svchost.exe[1612] ADVAPI32.dll!RegCreateKeyExA 77DDE834 5 Bytes JMP 00670FAF
.text D:\WINDOWS\System32\svchost.exe[1612] ADVAPI32.dll!RegOpenKeyA 77DDEE08 5 Bytes JMP 00670000
.text D:\WINDOWS\System32\svchost.exe[1612] ADVAPI32.dll!RegCreateKeyW 77DE45EE 5 Bytes JMP 00670051
.text D:\WINDOWS\System32\svchost.exe[1612] ADVAPI32.dll!RegCreateKeyA 77DE4706 5 Bytes JMP 00670040
.text D:\WINDOWS\System32\svchost.exe[1612] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00660FC8
.text D:\WINDOWS\System32\svchost.exe[1612] msvcrt.dll!system 77C293C7 5 Bytes JMP 00660053
.text D:\WINDOWS\System32\svchost.exe[1612] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00660FE3
.text D:\WINDOWS\System32\svchost.exe[1612] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00660000
.text D:\WINDOWS\System32\svchost.exe[1612] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00660038
.text D:\WINDOWS\System32\svchost.exe[1612] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0066001D
.text D:\WINDOWS\System32\svchost.exe[1612] WININET.dll!InternetOpenA 6302B2D5 5 Bytes JMP 00640FEF
.text D:\WINDOWS\System32\svchost.exe[1612] WININET.dll!InternetOpenW 6302B92E 5 Bytes JMP 0064000A
.text D:\WINDOWS\System32\svchost.exe[1612] WININET.dll!InternetOpenUrlA 6302DEF0 5 Bytes JMP 00640FD4
.text D:\WINDOWS\System32\svchost.exe[1612] WININET.dll!InternetOpenUrlW 63077347 5 Bytes JMP 00640025
.text D:\WINDOWS\System32\svchost.exe[1612] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00650FEF
.text D:\WINDOWS\system32\svchost.exe[1648] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00660FEF
.text D:\WINDOWS\system32\svchost.exe[1648] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00660087
.text D:\WINDOWS\system32\svchost.exe[1648] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00660076
.text D:\WINDOWS\system32\svchost.exe[1648] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00660F9E
.text D:\WINDOWS\system32\svchost.exe[1648] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 0066005B
.text D:\WINDOWS\system32\svchost.exe[1648] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00660FB9
.text D:\WINDOWS\system32\svchost.exe[1648] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 006600B5
.text D:\WINDOWS\system32\svchost.exe[1648] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00660F6D
.text D:\WINDOWS\system32\svchost.exe[1648] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00660F23
.text D:\WINDOWS\system32\svchost.exe[1648] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 006600C6
.text D:\WINDOWS\system32\svchost.exe[1648] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 006600D7
.text D:\WINDOWS\system32\svchost.exe[1648] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 0066004A
.text D:\WINDOWS\system32\svchost.exe[1648] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 00660FDE
.text D:\WINDOWS\system32\svchost.exe[1648] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 00660098
.text D:\WINDOWS\system32\svchost.exe[1648] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 00660025
.text D:\WINDOWS\system32\svchost.exe[1648] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 00660014
.text D:\WINDOWS\system32\svchost.exe[1648] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00660F52
.text D:\WINDOWS\system32\svchost.exe[1648] ADVAPI32.dll!RegOpenKeyExW 77DD6A8F 5 Bytes JMP 00650022
.text D:\WINDOWS\system32\svchost.exe[1648] ADVAPI32.dll!RegCreateKeyExW 77DD774C 5 Bytes JMP 00650F98
.text D:\WINDOWS\system32\svchost.exe[1648] ADVAPI32.dll!RegOpenKeyExA 77DD7832 5 Bytes JMP 00650FD1
.text D:\WINDOWS\system32\svchost.exe[1648] ADVAPI32.dll!RegOpenKeyW 77DD7926 5 Bytes JMP 00650011
.text D:\WINDOWS\system32\svchost.exe[1648] ADVAPI32.dll!RegCreateKeyExA 77DDE834 5 Bytes JMP 0065005F
.text D:\WINDOWS\system32\svchost.exe[1648] ADVAPI32.dll!RegOpenKeyA 77DDEE08 5 Bytes JMP 00650000
.text D:\WINDOWS\system32\svchost.exe[1648] ADVAPI32.dll!RegCreateKeyW 77DE45EE 5 Bytes JMP 0065004E
.text D:\WINDOWS\system32\svchost.exe[1648] ADVAPI32.dll!RegCreateKeyA 77DE4706 5 Bytes JMP 0065003D
.text D:\WINDOWS\system32\svchost.exe[1648] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 0064005F
.text D:\WINDOWS\system32\svchost.exe[1648] msvcrt.dll!system 77C293C7 5 Bytes JMP 0064003A
.text D:\WINDOWS\system32\svchost.exe[1648] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00640029
.text D:\WINDOWS\system32\svchost.exe[1648] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00640FEF
.text D:\WINDOWS\system32\svchost.exe[1648] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00640FD4
.text D:\WINDOWS\system32\svchost.exe[1648] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00640018
.text D:\WINDOWS\system32\svchost.exe[1648] WININET.dll!InternetOpenA 6302B2D5 5 Bytes JMP 00670000
.text D:\WINDOWS\system32\svchost.exe[1648] WININET.dll!InternetOpenW 6302B92E 5 Bytes JMP 00670FEF
.text D:\WINDOWS\system32\svchost.exe[1648] WININET.dll!InternetOpenUrlA 6302DEF0 5 Bytes JMP 00670FD4
.text D:\WINDOWS\system32\svchost.exe[1648] WININET.dll!InternetOpenUrlW 63077347 5 Bytes JMP 00670025
.text D:\WINDOWS\system32\svchost.exe[1648] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 009C0FEF
.text C:\WINDOWS\System32\dllhost.exe[1704] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00D30FEF
.text C:\WINDOWS\System32\dllhost.exe[1704] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00D30F2E
.text C:\WINDOWS\System32\dllhost.exe[1704] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00D30F49
.text C:\WINDOWS\System32\dllhost.exe[1704] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00D30F5A
.text C:\WINDOWS\System32\dllhost.exe[1704] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00D30F6B
.text C:\WINDOWS\System32\dllhost.exe[1704] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00D30F8D
.text C:\WINDOWS\System32\dllhost.exe[1704] kernel32.dll!GetStartupInfoW 7C801E50 1 Byte [E9]
.text C:\WINDOWS\System32\dllhost.exe[1704] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00D30054
.text C:\WINDOWS\System32\dllhost.exe[1704] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00D30F0C
.text C:\WINDOWS\System32\dllhost.exe[1704] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00D30ED6
.text C:\WINDOWS\System32\dllhost.exe[1704] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00D3006F
.text C:\WINDOWS\System32\dllhost.exe[1704] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 00D30EC5
.text C:\WINDOWS\System32\dllhost.exe[1704] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 00D30F7C
.text C:\WINDOWS\System32\dllhost.exe[1704] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 00D30FD4
.text C:\WINDOWS\System32\dllhost.exe[1704] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 00D30F1D
.text C:\WINDOWS\System32\dllhost.exe[1704] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 00D30F9E
.text C:\WINDOWS\System32\dllhost.exe[1704] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 00D30FB9
.text C:\WINDOWS\System32\dllhost.exe[1704] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00D30EE7
.text C:\WINDOWS\System32\dllhost.exe[1704] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00D10FC3
.text C:\WINDOWS\System32\dllhost.exe[1704] msvcrt.dll!system 77C293C7 5 Bytes JMP 00D10FD4
.text C:\WINDOWS\System32\dllhost.exe[1704] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00D10029
.text C:\WINDOWS\System32\dllhost.exe[1704] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00D10FEF
.text C:\WINDOWS\System32\dllhost.exe[1704] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00D10044
.text C:\WINDOWS\System32\dllhost.exe[1704] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00D10018
.text C:\WINDOWS\System32\dllhost.exe[1704] ADVAPI32.dll!RegOpenKeyExW 77DD6A8F 5 Bytes JMP 00D2000A
.text C:\WINDOWS\System32\dllhost.exe[1704] ADVAPI32.dll!RegCreateKeyExW 77DD774C 5 Bytes JMP 00D20065
.text C:\WINDOWS\System32\dllhost.exe[1704] ADVAPI32.dll!RegOpenKeyExA 77DD7832 5 Bytes JMP 00D20FC3
.text C:\WINDOWS\System32\dllhost.exe[1704] ADVAPI32.dll!RegOpenKeyW 77DD7926 5 Bytes JMP 00D20FD4
.text C:\WINDOWS\System32\dllhost.exe[1704] ADVAPI32.dll!RegCreateKeyExA 77DDE834 5 Bytes JMP 00D2004A
.text C:\WINDOWS\System32\dllhost.exe[1704] ADVAPI32.dll!RegOpenKeyA 77DDEE08 5 Bytes JMP 00D20FEF
.text C:\WINDOWS\System32\dllhost.exe[1704] ADVAPI32.dll!RegCreateKeyW 77DE45EE 5 Bytes JMP 00D20FA8
.text C:\WINDOWS\System32\dllhost.exe[1704] ADVAPI32.dll!RegCreateKeyA 77DE4706 5 Bytes JMP 00D2002F
.text C:\WINDOWS\System32\dllhost.exe[1704] WININET.dll!InternetOpenA 6302B2D5 5 Bytes JMP 00CF0FEF
.text C:\WINDOWS\System32\dllhost.exe[1704] WININET.dll!InternetOpenW 6302B92E 5 Bytes JMP 00CF0FD4
.text C:\WINDOWS\System32\dllhost.exe[1704] WININET.dll!InternetOpenUrlA 6302DEF0 5 Bytes JMP 00CF0FC3
.text C:\WINDOWS\System32\dllhost.exe[1704] WININET.dll!InternetOpenUrlW 63077347 5 Bytes JMP 00CF000A
.text C:\WINDOWS\System32\dllhost.exe[1704] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00D00FEF
.text C:\WINDOWS\System32\svchost.exe[1780] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00AB0000
.text C:\WINDOWS\System32\svchost.exe[1780] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00AB0F4B
.text C:\WINDOWS\System32\svchost.exe[1780] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00AB0036
.text C:\WINDOWS\System32\svchost.exe[1780] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00AB0F5C
.text C:\WINDOWS\System32\svchost.exe[1780] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00AB0F83
.text C:\WINDOWS\System32\svchost.exe[1780] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00AB001B
.text C:\WINDOWS\System32\svchost.exe[1780] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00AB0F15
.text C:\WINDOWS\System32\svchost.exe[1780] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00AB0F30
.text C:\WINDOWS\System32\svchost.exe[1780] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00AB0093
.text C:\WINDOWS\System32\svchost.exe[1780] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00AB0078
.text C:\WINDOWS\System32\svchost.exe[1780] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 00AB00A4
.text C:\WINDOWS\System32\svchost.exe[1780] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 00AB0F94
.text C:\WINDOWS\System32\svchost.exe[1780] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 00AB0FDB
.text C:\WINDOWS\System32\svchost.exe[1780] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 00AB005B
.text C:\WINDOWS\System32\svchost.exe[1780] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 00AB0FAF
.text C:\WINDOWS\System32\svchost.exe[1780] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 00AB0FC0
.text C:\WINDOWS\System32\svchost.exe[1780] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00AB0EFA
.text C:\WINDOWS\System32\svchost.exe[1780] ADVAPI32.dll!RegOpenKeyExW 77DD6A8F 5 Bytes JMP 00AA0FB9
.text C:\WINDOWS\System32\svchost.exe[1780] ADVAPI32.dll!RegCreateKeyExW 77DD774C 5 Bytes JMP 00AA0F7C
.text C:\WINDOWS\System32\svchost.exe[1780] ADVAPI32.dll!RegOpenKeyExA 77DD7832 5 Bytes JMP 00AA0FCA
.text C:\WINDOWS\System32\svchost.exe[1780] ADVAPI32.dll!RegOpenKeyW 77DD7926 5 Bytes JMP 00AA0FE5
.text C:\WINDOWS\System32\svchost.exe[1780] ADVAPI32.dll!RegCreateKeyExA 77DDE834 5 Bytes JMP 00AA0039
.text C:\WINDOWS\System32\svchost.exe[1780] ADVAPI32.dll!RegOpenKeyA 77DDEE08 5 Bytes JMP 00AA0000
.text C:\WINDOWS\System32\svchost.exe[1780] ADVAPI32.dll!RegCreateKeyW 77DE45EE 5 Bytes JMP 00AA0F8D
.text C:\WINDOWS\System32\svchost.exe[1780] ADVAPI32.dll!RegCreateKeyA 77DE4706 5 Bytes JMP 00AA0F9E
.text C:\WINDOWS\System32\svchost.exe[1780] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00A9004E
.text C:\WINDOWS\System32\svchost.exe[1780] msvcrt.dll!system 77C293C7 5 Bytes JMP 00A90FC3
.text C:\WINDOWS\System32\svchost.exe[1780] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00A90018
.text C:\WINDOWS\System32\svchost.exe[1780] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00A90FEF
.text C:\WINDOWS\System32\svchost.exe[1780] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00A90033
.text C:\WINDOWS\System32\svchost.exe[1780] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00A90FDE
.text C:\WINDOWS\System32\svchost.exe[1780] WININET.dll!InternetOpenA 6302B2D5 5 Bytes JMP 00A70FE5
.text C:\WINDOWS\System32\svchost.exe[1780] WININET.dll!InternetOpenW 6302B92E 5 Bytes JMP 00A70FD4
.text C:\WINDOWS\System32\svchost.exe[1780] WININET.dll!InternetOpenUrlA 6302DEF0 5 Bytes JMP 00A70FB9
.text C:\WINDOWS\System32\svchost.exe[1780] WININET.dll!InternetOpenUrlW 63077347 5 Bytes JMP 00A70014
.text C:\WINDOWS\System32\svchost.exe[1780] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00A80FEF
.text D:\WINDOWS\system32\wuauclt.exe[2076] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 02680FEF
.text D:\WINDOWS\system32\wuauclt.exe[2076] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 0268009D
.text D:\WINDOWS\system32\wuauclt.exe[2076] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 02680082
.text D:\WINDOWS\system32\wuauclt.exe[2076] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 02680067
.text D:\WINDOWS\system32\wuauclt.exe[2076] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 0268004A
.text D:\WINDOWS\system32\wuauclt.exe[2076] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 0268002F
.text D:\WINDOWS\system32\wuauclt.exe[2076] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 026800E6
.text D:\WINDOWS\system32\wuauclt.exe[2076] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 026800C9
.text D:\WINDOWS\system32\wuauclt.exe[2076] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 02680F72
.text D:\WINDOWS\system32\wuauclt.exe[2076] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 02680F83
.text D:\WINDOWS\system32\wuauclt.exe[2076] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 02680F57
.text D:\WINDOWS\system32\wuauclt.exe[2076] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 02680FA8
.text D:\WINDOWS\system32\wuauclt.exe[2076] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 02680FDE
.text D:\WINDOWS\system32\wuauclt.exe[2076] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 026800B8
.text D:\WINDOWS\system32\wuauclt.exe[2076] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 02680FC3
.text D:\WINDOWS\system32\wuauclt.exe[2076] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 0268001E
.text D:\WINDOWS\system32\wuauclt.exe[2076] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 026800F7
.text D:\WINDOWS\system32\wuauclt.exe[2076] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 0266004E
.text D:\WINDOWS\system32\wuauclt.exe[2076] msvcrt.dll!system 77C293C7 5 Bytes JMP 02660FC3
.text D:\WINDOWS\system32\wuauclt.exe[2076] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 02660022
.text D:\WINDOWS\system32\wuauclt.exe[2076] msvcrt.dll!_open 77C2F566 5 Bytes JMP 02660000
.text D:\WINDOWS\system32\wuauclt.exe[2076] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 02660033
.text D:\WINDOWS\system32\wuauclt.exe[2076] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 02660011
.text D:\WINDOWS\system32\wuauclt.exe[2076] ADVAPI32.dll!RegOpenKeyExW 77DD6A8F 5 Bytes JMP 02670040
.text D:\WINDOWS\system32\wuauclt.exe[2076] ADVAPI32.dll!RegCreateKeyExW 77DD774C 5 Bytes JMP 02670FB9
.text D:\WINDOWS\system32\wuauclt.exe[2076] ADVAPI32.dll!RegOpenKeyExA 77DD7832 5 Bytes JMP 0267002F
.text D:\WINDOWS\system32\wuauclt.exe[2076] ADVAPI32.dll!RegOpenKeyW 77DD7926 5 Bytes JMP 02670FEF
.text D:\WINDOWS\system32\wuauclt.exe[2076] ADVAPI32.dll!RegCreateKeyExA 77DDE834 5 Bytes JMP 0267006C
.text D:\WINDOWS\system32\wuauclt.exe[2076] ADVAPI32.dll!RegOpenKeyA 77DDEE08 5 Bytes JMP 0267000A
.text D:\WINDOWS\system32\wuauclt.exe[2076] ADVAPI32.dll!RegCreateKeyW 77DE45EE 5 Bytes JMP 0267005B
.text D:\WINDOWS\system32\wuauclt.exe[2076] ADVAPI32.dll!RegCreateKeyA 77DE4706 5 Bytes JMP 02670FD4
.text D:\WINDOWS\system32\wuauclt.exe[2076] WININET.dll!InternetOpenA 6302B2D5 5 Bytes JMP 02640000
.text D:\WINDOWS\system32\wuauclt.exe[2076] WININET.dll!InternetOpenW 6302B92E 5 Bytes JMP 02640FE5
.text D:\WINDOWS\system32\wuauclt.exe[2076] WININET.dll!InternetOpenUrlA 6302DEF0 5 Bytes JMP 02640FCA
.text D:\WINDOWS\system32\wuauclt.exe[2076] WININET.dll!InternetOpenUrlW 63077347 5 Bytes JMP 0264001B
.text D:\WINDOWS\system32\wuauclt.exe[2076] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 02650FEF
.text D:\WINDOWS\System32\svchost.exe[2924] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 001C000A
.text D:\WINDOWS\System32\svchost.exe[2924] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001C0080
.text D:\WINDOWS\System32\svchost.exe[2924] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 001C0F8B
.text D:\WINDOWS\System32\svchost.exe[2924] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 001C0065
.text D:\WINDOWS\System32\svchost.exe[2924] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 001C0FA8
.text D:\WINDOWS\System32\svchost.exe[2924] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 001C0036
.text D:\WINDOWS\System32\svchost.exe[2924] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 001C009B
.text D:\WINDOWS\System32\svchost.exe[2924] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 001C0F53
.text D:\WINDOWS\System32\svchost.exe[2924] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001C00B6
.text D:\WINDOWS\System32\svchost.exe[2924] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 001C0F1D
.text D:\WINDOWS\System32\svchost.exe[2924] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 001C0F02
.text D:\WINDOWS\System32\svchost.exe[2924] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 001C0FB9
.text D:\WINDOWS\System32\svchost.exe[2924] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 001C0025
.text D:\WINDOWS\System32\svchost.exe[2924] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 001C0F70
.text D:\WINDOWS\System32\svchost.exe[2924] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 001C0FD4
.text D:\WINDOWS\System32\svchost.exe[2924] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 001C0FE5
.text D:\WINDOWS\System32\svchost.exe[2924] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 001C0F38
.text D:\WINDOWS\System32\svchost.exe[2924] ADVAPI32.dll!RegOpenKeyExW 77DD6A8F 5 Bytes JMP 002A0FB9
.text D:\WINDOWS\System32\svchost.exe[2924] ADVAPI32.dll!RegCreateKeyExW 77DD774C 5 Bytes JMP 002A0F79
.text D:\WINDOWS\System32\svchost.exe[2924] ADVAPI32.dll!RegOpenKeyExA 77DD7832 5 Bytes JMP 002A000A
.text D:\WINDOWS\System32\svchost.exe[2924] ADVAPI32.dll!RegOpenKeyW 77DD7926 5 Bytes JMP 002A0FD4
.text D:\WINDOWS\System32\svchost.exe[2924] ADVAPI32.dll!RegCreateKeyExA 77DDE834 5 Bytes JMP 002A0040
.text D:\WINDOWS\System32\svchost.exe[2924] ADVAPI32.dll!RegOpenKeyA 77DDEE08 5 Bytes JMP 002A0FEF
.text D:\WINDOWS\System32\svchost.exe[2924] ADVAPI32.dll!RegCreateKeyW 77DE45EE 5 Bytes JMP 002A0F9E
.text D:\WINDOWS\System32\svchost.exe[2924] ADVAPI32.dll!RegCreateKeyA 77DE4706 5 Bytes JMP 002A002F
.text D:\WINDOWS\System32\svchost.exe[2924] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 003F0064
.text D:\WINDOWS\System32\svchost.exe[2924] msvcrt.dll!system 77C293C7 5 Bytes JMP 003F0049
.text D:\WINDOWS\System32\svchost.exe[2924] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 003F002E
.text D:\WINDOWS\System32\svchost.exe[2924] msvcrt.dll!_open 77C2F566 5 Bytes JMP 003F000C
.text D:\WINDOWS\System32\svchost.exe[2924] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 003F0FE3
.text D:\WINDOWS\System32\svchost.exe[2924] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 003F001D
.text D:\WINDOWS\System32\svchost.exe[2924] WININET.dll!InternetOpenA 6302B2D5 5 Bytes JMP 00700FEF
.text D:\WINDOWS\System32\svchost.exe[2924] WININET.dll!InternetOpenW 6302B92E 5 Bytes JMP 00700000
.text D:\WINDOWS\System32\svchost.exe[2924] WININET.dll!InternetOpenUrlA 6302DEF0 5 Bytes JMP 00700011
.text D:\WINDOWS\System32\svchost.exe[2924] WININET.dll!InternetOpenUrlW 63077347 5 Bytes JMP 00700FC0
.text D:\WINDOWS\System32\svchost.exe[2924] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 001B000A
.text D:\WINDOWS\Explorer.EXE[3132] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 001C000A
.text D:\WINDOWS\Explorer.EXE[3132] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001C0073
.text D:\WINDOWS\Explorer.EXE[3132] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 001C0062
.text D:\WINDOWS\Explorer.EXE[3132] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 001C0F88
.text D:\WINDOWS\Explorer.EXE[3132] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 001C0051
.text D:\WINDOWS\Explorer.EXE[3132] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 001C0036
.text D:\WINDOWS\Explorer.EXE[3132] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 001C0F4D
.text D:\WINDOWS\Explorer.EXE[3132] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 001C009F
.text D:\WINDOWS\Explorer.EXE[3132] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001C00C4
.text D:\WINDOWS\Explorer.EXE[3132] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 001C0F21
.text D:\WINDOWS\Explorer.EXE[3132] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 001C0F10
.text D:\WINDOWS\Explorer.EXE[3132] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 001C0FAF
.text D:\WINDOWS\Explorer.EXE[3132] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 001C0FEF
.text D:\WINDOWS\Explorer.EXE[3132] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 001C0084
.text D:\WINDOWS\Explorer.EXE[3132] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 001C0025
.text D:\WINDOWS\Explorer.EXE[3132] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 001C0FD4
.text D:\WINDOWS\Explorer.EXE[3132] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 001C0F32
.text D:\WINDOWS\Explorer.EXE[3132] ADVAPI32.dll!RegOpenKeyExW 77DD6A8F 5 Bytes JMP 002A0FB9
.text D:\WINDOWS\Explorer.EXE[3132] ADVAPI32.dll!RegCreateKeyExW 77DD774C 5 Bytes JMP 002A0F8D
.text D:\WINDOWS\Explorer.EXE[3132] ADVAPI32.dll!RegOpenKeyExA 77DD7832 5 Bytes JMP 002A0FD4
.text D:\WINDOWS\Explorer.EXE[3132] ADVAPI32.dll!RegOpenKeyW 77DD7926 5 Bytes JMP 002A0000
.text D:\WINDOWS\Explorer.EXE[3132] ADVAPI32.dll!RegCreateKeyExA 77DDE834 5 Bytes JMP 002A0F9E
.text D:\WINDOWS\Explorer.EXE[3132] ADVAPI32.dll!RegOpenKeyA 77DDEE08 5 Bytes JMP 002A0FEF
.text D:\WINDOWS\Explorer.EXE[3132] ADVAPI32.dll!RegCreateKeyW 77DE45EE 5 Bytes JMP 002A0040
.text D:\WINDOWS\Explorer.EXE[3132] ADVAPI32.dll!RegCreateKeyA 77DE4706 5 Bytes JMP 002A0025
.text D:\WINDOWS\Explorer.EXE[3132] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 002B0FB9
.text D:\WINDOWS\Explorer.EXE[3132] msvcrt.dll!system 77C293C7 5 Bytes JMP 002B0FD4
.text D:\WINDOWS\Explorer.EXE[3132] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 002B0029
.text D:\WINDOWS\Explorer.EXE[3132] msvcrt.dll!_open 77C2F566 5 Bytes JMP 002B000C
.text D:\WINDOWS\Explorer.EXE[3132] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 002B003A
.text D:\WINDOWS\Explorer.EXE[3132] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 002B0FEF
.text D:\WINDOWS\Explorer.EXE[3132] WININET.dll!InternetOpenA 6302B2D5 5 Bytes JMP 002D0FEF
.text D:\WINDOWS\Explorer.EXE[3132] WININET.dll!InternetOpenW 6302B92E 5 Bytes JMP 002D0FDE
.text D:\WINDOWS\Explorer.EXE[3132] WININET.dll!InternetOpenUrlA 6302DEF0 5 Bytes JMP 002D0FCD
.text D:\WINDOWS\Explorer.EXE[3132] WININET.dll!InternetOpenUrlW 63077347 5 Bytes JMP 002D0FB2
.text D:\WINDOWS\Explorer.EXE[3132] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00E50FEF

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

Device -> \Driver\atapi \Device\Harddisk0\DR0 8966A841

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\000c5505b33a
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\000c5505b398
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\000c5505b398@001a0e9ab685 0x5C 0x90 0xF0 0xB9 ...
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\000c5505b33a (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\000c5505b398 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\000c5505b398@001a0e9ab685 0x5C 0x90 0xF0 0xB9 ...
Reg HKLM\SOFTWARE\Classes\.application\bootstrap@ bootstrap.application.1
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ D:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@cd042efbbd7f7af1647644e76e06692b 0xC8 0x28 0x51 0xAF ...
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ D:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@bca643cdc5c2726b20d2ecedcc62c59b 0x71 0x3B 0x04 0x66 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ D:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@2c81e34222e8052573023a60d06dd016 0x7A 0x45 0x05 0xFD ...
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ D:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@2582ae41fb52324423be06337561aa48 0x3E 0x1E 0x9E 0xE0 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ D:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@caaeda5fd7a9ed7697d9686d4b818472 0xCD 0x44 0xCD 0xB9 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ D:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@a4a1bcf2cc2b8bc3716b74b2b4522f5d 0xB0 0x18 0xED 0xA7 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ D:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@4d370831d2c43cd13623e232fed27b7b 0xFB 0xA7 0x78 0xE6 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ D:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@1d68fe701cdea33e477eb204b76f993d 0x01 0x3A 0x48 0xFC ...
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ D:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@1fac81b91d8e3c5aa4b0a51804d844a3 0xB2 0x46 0x9A 0xE2 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ D:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@f5f62a6129303efb32fbe080bb27835b 0x37 0xA4 0xAA 0xC3 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ D:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@fd4e2e1a3940b94dceb5a6a021f2e3c6 0x2A 0xB7 0xCC 0xB5 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ D:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@8a8aec57dd6508a385616fbc86791ec2 0xFA 0xEA 0x66 0x7F ...

---- Files - GMER 1.0.15 ----

File D:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----

GMER-C.log

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-01-17 10:06:04
Windows 5.1.2600 Service Pack 2
Running: w3bxo7sd.exe; Driver: C:\DOCUME~1\ERINEN~1\LOCALS~1\Temp\uwddipob.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Classes\.application\bootstrap@ bootstrap.application.1

---- EOF - GMER 1.0.15 ----

Edited by CorradoVT, 17 January 2010 - 01:58 PM.
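The hook table in the GMER log above is the part worth reading closely, so here is an added triage script that is not part of the original post and not GMER's own code: it parses lines in that format, groups the hooks per process by what the hooked export controls (file, registry, process creation, loader, memory protection, WinINet and socket), collects the 64 KiB regions the JMP targets fall in, and lists exports hooked at the same source address in more than one process. The seven sample lines are copied from the log above; the export-to-family table, the optional module path after the target (which I assume GMER appends when a target lies inside a loaded module; none of the entries above carry one), and the jmp_bytes/jmp_target helpers that reconstruct the E9 rel32 patch GMER reports as "5 Bytes JMP" are my own assumptions. Caveat: HIPS and antivirus products hook some of the same exports, so a hook by itself proves nothing; what makes these entries worth chasing is that every target sits in low private memory with no module name, and the same set is hooked in dllhost, svchost, wuauclt and Explorer alike.

```python
import re
from collections import defaultdict

# One GMER user-mode hook line, e.g.
#   .text D:\WINDOWS\Explorer.EXE[3132] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 001C000A
# The optional module path after the target is an assumption about GMER's
# format for targets that lie inside a loaded module; the log above has none.
HOOK_RE = re.compile(
    r"^\.text\s+(?P<image>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[\w.]+)!(?P<export>\w+)\s+"
    r"(?P<addr>[0-9A-Fa-f]{8})\s+(?P<size>\d+)\s+Bytes\s+JMP\s+"
    r"(?P<target>[0-9A-Fa-f]{8})(?:\s+(?P<owner>\S.*))?$"
)

# My own grouping of the hooked exports by what control over them buys an
# attacker; this table is an assumption, not something GMER reports.
FAMILY = {
    **dict.fromkeys(["CreateFileA", "CreateFileW", "_open", "_wopen", "_creat", "_wcreat"], "file"),
    **dict.fromkeys(["RegOpenKeyA", "RegOpenKeyW", "RegOpenKeyExA", "RegOpenKeyExW",
                     "RegCreateKeyA", "RegCreateKeyW", "RegCreateKeyExA", "RegCreateKeyExW"], "registry"),
    **dict.fromkeys(["CreateProcessA", "CreateProcessW", "WinExec", "system", "_wsystem"], "process"),
    **dict.fromkeys(["LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW", "GetProcAddress"], "loader"),
    **dict.fromkeys(["VirtualProtect", "VirtualProtectEx"], "memory"),
    **dict.fromkeys(["InternetOpenA", "InternetOpenW", "InternetOpenUrlA", "InternetOpenUrlW", "socket"], "network"),
    **dict.fromkeys(["CreatePipe", "CreateNamedPipeA", "CreateNamedPipeW"], "ipc"),
}

# Constructed sample: seven lines copied verbatim from the GMER log in the post.
SAMPLE = r"""
.text D:\WINDOWS\Explorer.EXE[3132] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 001C000A
.text D:\WINDOWS\Explorer.EXE[3132] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001C00C4
.text D:\WINDOWS\Explorer.EXE[3132] ADVAPI32.dll!RegCreateKeyExW 77DD774C 5 Bytes JMP 002A0F8D
.text D:\WINDOWS\Explorer.EXE[3132] WININET.dll!InternetOpenUrlW 63077347 5 Bytes JMP 002D0FB2
.text D:\WINDOWS\Explorer.EXE[3132] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00E50FEF
.text D:\WINDOWS\System32\svchost.exe[2924] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 001C000A
.text D:\WINDOWS\System32\svchost.exe[2924] WININET.dll!InternetOpenA 6302B2D5 5 Bytes JMP 00700FEF
""".strip().splitlines()


def parse_hooks(lines):
    """Return one dict per recognised hook line; unrelated log lines are skipped."""
    hooks = []
    for line in lines:
        m = HOOK_RE.match(line.strip())
        if not m:
            continue
        h = m.groupdict()
        h["pid"] = int(h["pid"])
        h["size"] = int(h["size"])
        h["addr"] = int(h["addr"], 16)
        h["target"] = int(h["target"], 16)
        h["family"] = FAMILY.get(h["export"], "other")
        hooks.append(h)
    return hooks


def jmp_bytes(addr, target):
    """The 5-byte E9 rel32 patch GMER found at addr: rel32 = target - (addr + 5)."""
    rel = (target - (addr + 5)) & 0xFFFFFFFF
    return b"\xE9" + rel.to_bytes(4, "little")


def jmp_target(addr, patch):
    """Inverse of jmp_bytes: decode where an E9 rel32 placed at addr lands."""
    if len(patch) < 5 or patch[0] != 0xE9:
        raise ValueError("not a 5-byte relative JMP")
    rel = int.from_bytes(patch[1:5], "little")
    return (addr + 5 + rel) & 0xFFFFFFFF


def summarize(hooks):
    """Per PID: hooked families, the 64 KiB regions the trampolines live in,
    and how many targets carry no owning-module path."""
    per = defaultdict(lambda: {"image": None, "count": 0, "families": set(),
                               "regions": set(), "unbacked": 0})
    for h in hooks:
        p = per[h["pid"]]
        p["image"] = h["image"]
        p["count"] += 1
        p["families"].add(h["family"])
        p["regions"].add(h["target"] & ~0xFFFF)
        if not h["owner"]:
            p["unbacked"] += 1
    return dict(per)


def shared_hooks(hooks):
    """Exports hooked at the same source address in more than one process:
    the signature of one injected component reaching into every process."""
    seen = defaultdict(set)
    for h in hooks:
        seen[(h["module"], h["export"], h["addr"])].add(h["pid"])
    return {k: pids for k, pids in seen.items() if len(pids) > 1}


if __name__ == "__main__":
    hooks = parse_hooks(SAMPLE)
    for pid, p in sorted(summarize(hooks).items()):
        print(f"{p['image']}[{pid}]: {p['count']} hooks, families={sorted(p['families'])}, "
              f"regions={[hex(r) for r in sorted(p['regions'])]}, unbacked={p['unbacked']}")
    for (mod, exp, addr), pids in shared_hooks(hooks).items():
        print(f"{mod}!{exp} @ {addr:08X} hooked in PIDs {sorted(pids)}")
```

Run it against a whole GMER log (parse_hooks ignores the device, registry and file sections) and the per-process summary tells you at a glance which capabilities the injected code has in each process; for the Explorer entries above that is file, registry, process and network, which is exactly what a search redirector needs.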


#8 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,766 posts

Posted 17 January 2010 - 02:19 PM

Hi,

you have been infected by a nasty rootkit on your D partition. It is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.


If you decide to clean, then please run ComboFix and post the log in your next reply:

Please download ComboFix from one of these locations:

Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Temporarily disable your AntiVirus and AntiSpyware applications. They may otherwise interfere with our tools
    Usually this can be done via a right click on the System Tray icon, check this tutorial for disabling the most common security programs: Link

  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!



#9 CorradoVT

CorradoVT
  • Topic Starter

  • Members
  • 19 posts

Posted 17 January 2010 - 03:24 PM

Thanks, myrti. I'd like to try to clean what I've got and salvage as much as possible before etch-a-sketching the D-Drive. As far as this Trojan goes, is it only effective if I'm booting from D or am I in trouble if the drive is in any way connected to the computer? I have several external HD cases I can mount the infected drive, either for file archiving or clean-up.

I'll post the ComboFix results in a bit.

#10 CorradoVT

CorradoVT
  • Topic Starter

  • Members
  • 19 posts

Posted 17 January 2010 - 05:21 PM

ComboFix.txt

ComboFix 10-01-16.04 - Erin Ennis 01/17/2010 16:02:21.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1279.723 [GMT -5:00]
Running from: d:\documents and settings\Erin Ennis\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

d:\recycler\NPROTECT
d:\windows\system32\_000026_.tmp.dll
d:\windows\system32\krnldbg.dll

Infected copy of d:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :p
.
((((((((((((((((((((((((( Files Created from 2009-12-17 to 2010-01-17 )))))))))))))))))))))))))))))))
.

2010-01-16 21:36 . 2010-01-16 21:36 -------- d-sh--w- d:\documents and settings\LocalService\IETldCache
2010-01-12 04:10 . 2010-01-12 04:10 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware_2010
2010-01-12 04:04 . 2010-01-12 04:04 -------- d-----w- c:\program files\Java_2010
2010-01-12 02:48 . 2004-08-04 05:58 14848 ----a-w- d:\windows\system32\drivers\kbdhid.sys
2010-01-12 02:48 . 2004-08-04 05:58 14848 ----a-w- d:\windows\system32\dllcache\kbdhid.sys
2010-01-12 02:48 . 2004-08-04 07:56 21504 ----a-w- d:\windows\system32\hidserv.dll
2010-01-12 02:48 . 2004-08-04 07:56 21504 ----a-w- d:\windows\system32\dllcache\hidserv.dll
2010-01-12 02:30 . 2010-01-12 02:32 -------- d-----w- d:\documents and settings\Erin Ennis\Local Settings\Application Data\Temp
2010-01-10 04:08 . 2010-01-10 04:08 -------- d-sh--w- d:\documents and settings\Erin Ennis\PrivacIE
2010-01-10 02:58 . 2010-01-10 02:58 -------- d-sh--w- d:\documents and settings\Erin Ennis\IETldCache
2010-01-10 02:52 . 2010-01-10 02:52 -------- d-sh--w- d:\windows\system32\config\systemprofile\IETldCache
2010-01-09 18:30 . 2010-01-09 18:35 -------- dc-h--w- d:\windows\ie8
2010-01-09 15:53 . 2009-11-04 21:54 40552 ----a-w- d:\windows\system32\drivers\mfesmfk.sys
2010-01-09 15:53 . 2009-11-04 21:54 35272 ----a-w- d:\windows\system32\drivers\mfebopk.sys
2010-01-09 15:53 . 2009-11-04 21:54 79816 ----a-w- d:\windows\system32\drivers\mfeavfk.sys
2010-01-09 15:42 . 2009-11-04 21:53 34248 ----a-w- d:\windows\system32\drivers\mferkdk.sys
2010-01-09 15:40 . 2010-01-09 15:40 524288 ----a-w- D:\dwlnd.scr
2010-01-09 05:39 . 2010-01-09 05:39 -------- d-----w- d:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-01-09 05:39 . 2010-01-09 05:39 -------- d-----w- d:\documents and settings\Erin Ennis\Application Data\SUPERAntiSpyware.com
2010-01-09 04:55 . 2010-01-09 04:55 -------- d-----w- d:\documents and settings\Erin Ennis\Application Data\Malwarebytes
2010-01-09 04:55 . 2010-01-07 21:07 38224 ----a-w- d:\windows\system32\drivers\mbamswissarmy.sys
2010-01-09 04:55 . 2010-01-09 04:55 -------- d-----w- d:\documents and settings\All Users\Application Data\Malwarebytes
2010-01-09 04:55 . 2010-01-07 21:07 19160 ----a-w- d:\windows\system32\drivers\mbam.sys
2010-01-09 04:09 . 2010-01-10 02:52 1984 ----a-w- d:\windows\system32\d3d9caps.dat
2010-01-09 00:10 . 2010-01-09 00:10 -------- dc----w- d:\documents and settings\All Users\Application Data\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
2009-12-25 15:23 . 2009-12-25 15:23 -------- d-----w- d:\documents and settings\Erin Ennis\Local Settings\Application Data\PCHealth

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-17 21:08 . 2009-03-22 09:10 12 ----a-w- d:\windows\bthservsdp.dat
2010-01-17 21:01 . 2008-04-22 23:37 -------- d-----w- d:\documents and settings\All Users\Application Data\McAfee
2010-01-09 17:27 . 2008-04-19 21:19 95360 ----a-w- d:\windows\system32\drivers\atapi.sys
2010-01-09 16:18 . 2003-09-25 13:44 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-01-09 15:30 . 2008-04-22 02:30 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-01-09 05:16 . 2008-04-22 02:30 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-12-14 19:15 . 2009-12-14 19:15 2146304 ----a-w- d:\windows\system32\GPhotos.scr
2009-12-05 16:16 . 2009-11-30 06:28 -------- d-----w- d:\documents and settings\Erin Ennis\Application Data\Intelli-studio
2009-11-30 06:28 . 2009-11-30 06:28 -------- d-----w- c:\program files\Samsung
2009-11-29 05:43 . 2009-11-29 05:19 -------- d-----w- d:\documents and settings\Erin Ennis\Application Data\LimeWire
2009-11-27 14:42 . 2009-03-31 05:30 -------- d-----w- d:\documents and settings\Erin Ennis\Application Data\DivX
2009-11-25 14:20 . 2009-08-23 04:18 15688 ----a-w- d:\windows\system32\lsdelete.exe
2009-11-25 14:14 . 2009-03-29 01:01 -------- d-----w- c:\program files\DivX
2009-11-25 14:14 . 2009-11-25 14:14 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-11-14 00:49 . 2008-04-19 21:18 129784 ------w- d:\windows\system32\pxafs.dll
2009-11-14 00:49 . 2008-04-19 21:18 120056 ------w- d:\windows\system32\pxcpyi64.exe
2009-11-14 00:49 . 2008-04-19 21:18 118520 ------w- d:\windows\system32\pxinsi64.exe
2009-11-14 00:47 . 2009-11-14 00:47 90112 ----a-w- d:\windows\system32\dpl100.dll
2009-11-14 00:47 . 2009-11-14 00:47 856064 ----a-w- d:\windows\system32\divx_xx0c.dll
2009-11-14 00:47 . 2009-11-14 00:47 856064 ----a-w- d:\windows\system32\divx_xx07.dll
2009-11-14 00:47 . 2009-11-14 00:47 847872 ----a-w- d:\windows\system32\divx_xx0a.dll
2009-11-14 00:47 . 2009-11-14 00:47 843776 ----a-w- d:\windows\system32\divx_xx16.dll
2009-11-14 00:47 . 2009-11-14 00:47 839680 ----a-w- d:\windows\system32\divx_xx11.dll
2009-11-14 00:47 . 2009-11-14 00:47 696320 ----a-w- d:\windows\system32\DivX.dll
2009-11-13 22:57 . 2009-11-13 22:57 922112 ------w- d:\windows\system32\imapi2fs.dll
2009-11-13 22:57 . 2009-11-13 22:57 426496 ------w- d:\windows\system32\imapi2.dll
2009-11-13 22:57 . 2008-04-19 21:19 62592 ----a-w- d:\windows\system32\drivers\cdrom.sys
2009-11-04 21:54 . 2009-11-04 21:54 214664 ----a-w- d:\windows\system32\drivers\mfehidk.sys
2009-10-21 06:00 . 2008-04-19 21:18 75776 ----a-w- d:\windows\system32\strmfilt.dll
2009-10-21 06:00 . 2008-04-19 21:17 25088 ----a-w- d:\windows\system32\httpapi.dll
2009-10-20 14:58 . 2008-04-19 21:19 263552 ----a-w- d:\windows\system32\drivers\http.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PMCRemote"="c:\program files\Pinnacle\Shared Files\\Programs\Remote\Remoterm.exe" [2008-05-09 267536]
"PMCLoader"="c:\program files\Pinnacle\TVCenter Pro\PMCLoader.exe" [2008-05-14 644368]
"SUPERAntiSpyware"="d:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-01-05 2002160]
"Google Update"="d:\documents and settings\Erin Ennis\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-01-12 135664]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="d:\windows\system32\dumprep 0 -u" [X]
"LogMeIn GUI"="d:\program files\LogMeIn\x86\LogMeInSystray.exe" [2007-04-17 63048]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 110592]
"HPDJ Taskbar Utility"="c:\windows\System32\spool\drivers\w32x86\3\hpztsb04.exe" [2001-12-12 196608]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="d:\program files\Picasa2\PicasaMediaDetector.exe" [2007-10-23 443968]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2006-10-04 53760]

d:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe [2008-8-23 49254]
Adobe Gamma Loader.lnk - d:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-4-15 98304]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "d:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- d:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2009-10-02 03:46 87352 ----a-w- d:\windows\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal.sys]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
backup=c:\windows\pss\Adobe Gamma Loader.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^LNSS Status Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\LNSS Status Monitor.lnk
backup=c:\windows\pss\LNSS Status Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Monitor.lnk
backup=c:\windows\pss\Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Erin Ennis^Start Menu^Programs^Startup^Zero PoPup Killer XP.lnk]
path=c:\documents and settings\Erin Ennis\Start Menu\Programs\Startup\Zero PoPup Killer XP.lnk
backup=c:\windows\pss\Zero PoPup Killer XP.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
d:\windows\system32\dumprep 0 -u [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
2003-02-14 19:59 88107 ----a-w- d:\windows\AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIModeChange]
2007-09-29 07:58 26112 ----a-w- d:\windows\system32\Ati2mdxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ezShieldProtector for Px]
2002-08-20 17:29 40960 ----a-w- c:\windows\system32\ezSP_Px.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2003-03-11 18:24 155648 ----a-w- c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Joystick 2 Mouse]
2003-07-01 02:06 172032 ----a-w- d:\program files\Joystick 2 Mouse 3\Joystick 2 Mouse.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2005-05-09 19:00 1658080 --sh--w- c:\program files\Messenger\Msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
2004-09-07 16:55 1871872 ----a-w- d:\program files\Nero\Nero BackItUp\NBJ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
2001-07-09 15:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 15:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QD FastAndSafe]
2009-02-06 17:14 110592 ----a-w- c:\windows\system32\services.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Services Process]
2009-02-06 17:14 110592 ----a-w- c:\windows\system32\services.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StorageGuard]
2002-06-18 07:01 155648 ----a-w- c:\program files\VERITAS Software\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2006-11-09 20:07 49263 ----a-w- c:\program files\Java\jre1.5.0_10\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VAIO Recovery]
2003-04-20 05:08 28672 ----a-w- c:\windows\SONYSYS\VAIO Recovery\PartSeal.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VAIOSurvey]
2003-03-17 18:52 1056768 ----a-w- c:\program files\Sony\VAIO Survey\SurveySA.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ZTgServerSwitch]
2002-07-14 19:50 11406 ----a-w- c:\program files\support.com\client\lserver\Server.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{0228e555-4f9c-4e35-a3ec-b109a192b4c2}]
2005-07-15 21:48 479232 ----a-w- d:\program files\Google\Gmail Notifier(351)\gnotify.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"VAIOMediaPlatform-VideoServer-HTTP"=3 (0x3)
"VAIOMediaPlatform-VideoServer-AppServer"=3 (0x3)
"VAIOMediaPlatform-PhotoServer-HTTP"=3 (0x3)
"VAIOMediaPlatform-MusicServer-HTTP"=3 (0x3)
"VAIOMediaPlatform-MusicServer-AppServer"=3 (0x3)
"VAIOMediaPlatform-VideoServer-UPnP"=3 (0x3)
"VAIOMediaPlatform-PhotoServer-UPnP"=3 (0x3)
"VAIOMediaPlatform-PhotoServer-AppServer"=3 (0x3)
"VAIOMediaPlatform-MusicServer-UPnP"=3 (0x3)
"UPS"=3 (0x3)
"Ati HotKey Poller"=2 (0x2)
"Themes"=2 (0x2)
"SCardSvr"=3 (0x3)
"SCardDrv"=3 (0x3)
"RSVP"=3 (0x3)
"PolicyAgent"=2 (0x2)
"mnmsrvc"=3 (0x3)
"Ip6FwHlp"=3 (0x3)
"VSS"=3 (0x3)
"SwPrv"=3 (0x3)
"RasAuto"=2 (0x2)
"seclogon"=2 (0x2)
"ClipSrv"=3 (0x3)
"SRTSERVERDAEMON"=3 (0x3)
"ccPwdSvc"=3 (0x3)
"GFI LANguard N.S.S. 6.0 attendant service"=3 (0x3)
"ATI Smart"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"SSScsiSV"=3 (0x3)
"Sony TV Tuner Manager"=2 (0x2)
"Sony TV Tuner Controller"=2 (0x2)
"PACSPTISVR"=3 (0x3)
"idsvc"=3 (0x3)
"IDriverT"=3 (0x3)
"Giga Pocket Hardware Detector"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\SmartFTP\\SmartFTP.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Messenger\\Msmsgs.exe"=
"d:\\Program Files\\Sony\\Station\\LaunchPad\\_aunchPad.exe"=
"d:\\Program Files\\Sony\\Station\\LaunchPad\\LaunchPad.exe"=
"c:\\Program Files\\Common Files\\Sony Shared\\VAIO Media Platform\\sv_httpd.exe"=
"c:\\Program Files\\Common Files\\Sony Shared\\VAIO Media Platform\\UPnPFramework.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"8231:TCP"= 8231:TCP:BitComet 8231 TCP
"8231:UDP"= 8231:UDP:BitComet 8231 UDP

R0 Lbd;Lbd;d:\windows\system32\drivers\Lbd.sys [8/22/2009 11:09 PM 64160]
R1 RCFOX;SonicWALL IPsec Driver;d:\windows\system32\drivers\RCFOX.SYS [6/21/2008 9:55 AM 101528]
R1 SASDIFSV;SASDIFSV;d:\program files\SUPERAntiSpyware\sasdifsv.sys [1/5/2010 7:56 AM 9968]
R1 SASKUTIL;SASKUTIL;d:\program files\SUPERAntiSpyware\SASKUTIL.SYS [1/5/2010 7:56 AM 74480]
R2 BCMNTIO;BCMNTIO;d:\progra~1\CheckIt\DIAGNO~1\BCMNTIO.sys [4/21/2008 9:39 PM 3744]
R2 EAPPkt;Realtek EAPPkt Protocol;d:\windows\system32\drivers\EAPPkt.sys [4/19/2008 4:19 PM 66048]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/3/2009 9:49 AM 1028432]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [4/13/2008 8:49 PM 46112]
R2 MAPMEM;MAPMEM;d:\progra~1\CheckIt\DIAGNO~1\MAPMEM.sys [4/21/2008 9:39 PM 3904]
R2 NPF;NetGroup Packet Filter Driver;d:\windows\system32\drivers\npf.sys [11/6/2007 3:22 PM 34064]
R3 OmniTV;Cx2388x AvStream Video Capture;d:\windows\system32\drivers\OmniTV.sys [3/28/2009 8:00 PM 401280]
R3 SASENUM;SASENUM;d:\program files\SUPERAntiSpyware\SASENUM.SYS [1/5/2010 7:56 AM 7408]
S2 LMIInfo;LogMeIn Kernel Information Provider;d:\program files\LogMeIn\x86\rainfo.sys [4/21/2008 9:42 PM 12856]
S3 NDISKIO;NDISKIO;\??\d:\docume~1\ERINEN~1\LOCALS~1\Temp\00000ffd.nmc\nse\bin\ndiskio.sys --> d:\docume~1\ERINEN~1\LOCALS~1\Temp\00000ffd.nmc\nse\bin\ndiskio.sys [?]
S3 RapFile;RapFile;c:\windows\system32\drivers\RapFile.sys [4/13/2008 8:49 PM 36644]
S3 RapNet;RapNet;c:\windows\system32\drivers\RapNet.sys [4/13/2008 8:49 PM 24344]
S3 rcvpn;SonicWALL VPN Adapter;d:\windows\system32\drivers\rcvpn.sys [6/21/2008 9:51 AM 24876]
S3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;d:\windows\system32\drivers\wg111v2.sys [4/19/2008 4:19 PM 194304]
S3 USBFVNETR;NETGEAR MA101 USB Adapter;d:\windows\system32\drivers\ma101rndxp.sys [4/19/2008 4:19 PM 76160]
S3 wind502u;Motorola Wireless USB Adapter WU830G Windows Driver;d:\windows\system32\drivers\wind502u.sys [4/19/2008 4:19 PM 336256]
S4 GFI LANguard N.S.S. 6.0 attendant service;GFI LANguard N.S.S. 6.0 attendant service;d:\program files\GFI\LANguard Network Security Scanner 6.0\lnssatt.exe [4/21/2008 9:40 PM 102400]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
S4 SRTSERVERDAEMON;Titan FTP Server Daemon;c:\windows\system32\srxTitan.exe [4/13/2008 8:48 PM 329352]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA842-CC51-11CF-AAFA-00AA00B6015B}]
2009-03-08 09:32 128512 ----a-w- d:\windows\system32\advpack.dll

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
2009-03-08 09:32 128512 ----a-w- d:\windows\system32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder

2009-08-23 d:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-07-03 14:19]

2010-01-13 d:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1541965403-1578699039-901216024-1005Core.job
- d:\documents and settings\Erin Ennis\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-01-12 02:30]

2010-01-17 d:\windows\Tasks\User_Feed_Synchronization-{7B713B1C-A60E-464C-B429-5370C86EF95D}.job
- c:\windows\system32\msfeedssync.exe [2008-04-14 16:58]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
mStart Page = about:blank
mWindow Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
IE: Add to Google Photos Screensa&ver - d:\windows\system32\GPhotos.scr/200
Name-Space Handler: HTTPS\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - d:\progra~1\DAP\dapie.dll
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {019D5592-3928-4DE4-BAA2-1F2E5EEF4CF6} - hxxps://ahsworks.umsa.usf.edu/Touchworks/AHSCompressionEngine.cab
DPF: {46965FE7-2129-407B-938C-BE358A56D11E} - hxxps://ahsworks.umsa.usf.edu/touchworks/DocWorks/CHWorks/Unstructured/aicviewer3.cab
DPF: {49727C2C-01F6-4F27-9D12-A877E77C82FF} - hxxps://ahsworks.umsa.usf.edu/AHSWeb/IDXWF/Context/idxwfcc.cab
DPF: {860FFAFE-5AAA-11D2-81EB-006008A2E49D} - hxxps://ahsworks.umsa.usf.edu/touchworks/ResultWorks/chworks/flowsheets/pe32.cab
DPF: {A325C946-0C71-4098-AC94-46694E46CEB4} - hxxps://ahsworks.umsa.usf.edu/AHSWeb/IDXWF/Context/IDXTools.cab
DPF: {A4CC92F0-CAE7-11D4-910D-00B0D0134884} - hxxps://ahsworks.umsa.usf.edu/touchworks/DocWorks/CHWorks/Unstructured/RTFWrapper.cab
DPF: {ACEFFC26-4628-11D1-B14A-105C01C13001} - hxxps://ahsworks.umsa.usf.edu/touchworks/DocWorks/CHWorks/Unstructured/wspell.cab
DPF: {B7B8B614-6A5C-4140-A303-43CEB589D6A5} - hxxps://ahsworks.umsa.usf.edu/touchworks/DocWorks/CHWorks/Unstructured/TWRTF.cab
DPF: {B7EA9615-586E-4193-9C3C-A29CA577E040} - hxxps://ahsworks.umsa.usf.edu/touchworks/DictateBar.cab
DPF: {CE10AD66-84BC-46A9-9424-C863199C0408} - hxxps://ahsworks.umsa.usf.edu/touchworks/DocWorks/CHWorks/Unstructured/aic_viewer2.cab
DPF: {D14CA9D7-7C03-4E39-B076-0F3E852E705B} - hxxps://ahsworks.umsa.usf.edu/AHSWeb/IDXWF/Context/idxwfcb.cab
DPF: {EE7747CC-FFC7-4845-9178-DEF33578F752} - hxxps://ahsworks.umsa.usf.edu/ahsweb/IDXWF/Context/IDXTools.cab
DPF: {EECF9899-FC3A-4841-986F-30B874921B36} - hxxps://ahsworks.umsa.usf.edu/AHSWeb/IDXWF/Context/IDXBrowser.cab
FF - ProfilePath - d:\documents and settings\Erin Ennis\Application Data\Mozilla\Firefox\Profiles\fqgfi91a.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.cnn.com/
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nppl3260.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nprjplug.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nprpjplug.dll
FF - plugin: c:\windows\system32\Macromed\Flash\NPSWF32.dll
FF - plugin: d:\documents and settings\Erin Ennis\Local Settings\Application Data\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: d:\program files\DivX\DivX Player\npDivxPlayerPlugin.dll
FF - plugin: d:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: d:\program files\Picasa2\npPicasa3.dll
FF - plugin: d:\program files\plugins\npatgpc.dll
FF - plugin: d:\program files\plugins\npmozax.dll
FF - plugin: d:\program files\QuickTime\Plugins\npqtplugin.dll
FF - plugin: d:\program files\QuickTime\Plugins\npqtplugin2.dll
FF - plugin: d:\program files\QuickTime\Plugins\npqtplugin3.dll
FF - plugin: d:\program files\QuickTime\Plugins\npqtplugin4.dll
FF - plugin: d:\program files\QuickTime\Plugins\npqtplugin5.dll
FF - plugin: d:\program files\QuickTime\Plugins\npqtplugin6.dll
FF - plugin: d:\program files\QuickTime\Plugins\npqtplugin7.dll

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - false // Popupblocker control handled by McAfee Privacy Service
.
.
------- File Associations -------
.
inifile=c:\documents and settings\Erin Ennis\Desktop\notepad.exe %1
txtfile="%WinDir%\NOTEPAD.EXE" %1
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
Notify-WgaLogon - (no file)
SafeBoot-mcmscsvc
SafeBoot-MCODS
MSConfigStartUp-EPSON Stylus Photo R800 - d:\windows\System32\spool\DRIVERS\W32X86\3\E_FATI8JA.EXE
MSConfigStartUp-QuickTime Task - c:\program files\QuickTime\qttask.exe
MSConfigStartUp-RunDLL - c:\windows\System32\bridge.dll
MSConfigStartUp-Symantec NetDriver Monitor - c:\progra~1\SYMNET~1\SNDMon.exe
AddRemove-360Share Pro - c:\program files\360Share Pro\bt-uninst.exe
AddRemove-Ad-Aware SE Personal - d:\progra~1\Lavasoft\AD-AWA~2\UNWISE.EXE
AddRemove-KaZaA Lite 1.7.2 - d:\progra~1\KAZAAL~1\UNWISE.EXE
AddRemove-{F38ADCA4-AF7C-4C73-9021-6F1EA15D15EA} - c:\program files\InstallShield Installation Information\{F38ADCA4-AF7C-4C73-9021-6F1EA15D15EA}\Setup.exeUNINSTALL



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-17 16:12
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{4E9C6419-E048-C704-4943-A49738D14506}*]
"iapcmgoakikpcpjoel"=hex:6a,61,61,65,6e,67,6e,68,67,61,6c,62,6c,6a,66,65,6a,62,
68,6a,00,f2
"hajdcmppmhadnlcl"=hex:6a,61,61,65,6e,67,6e,68,67,61,6c,62,6c,6a,66,65,6a,62,
68,6a,00,d0

[HKEY_USERS\S-1-5-21-1541965403-1578699039-901216024-1005\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Classes\.application\bootstrap]
@DACL=(02 0000)
@="bootstrap.application.1"

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION]
@DACL=(02 0000)
"svchost.exe"=dword:00001f40

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_IMAGING_USE_ART]
@DACL=(02 0000)
@=""
"waol.exe"=dword:00000001
"cs.exe"=dword:00000001
"wm.exe"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Reinstall\XP*]
"DisplayName"="?\13?\13"
"DeviceDesc"="?\13?\13"
"ProviderName"=""
"MFG"="???\\"
"ReinstallString"="c:\\WINDOWS\\System32\\ReinstallBackups\\?\13\\DriverFiles\\.INF"
"DeviceInstanceIds"=multi:"er\\xp_inf\\cx_08174.inf\00"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1304)
d:\program files\SUPERAntiSpyware\SASWINLO.dll
d:\documents and settings\Erin Ennis\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
d:\documents and settings\Erin Ennis\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
d:\windows\system32\Ati2evxx.dll
d:\windows\system32\LMIinit.dll

- - - - - - - > 'explorer.exe'(2624)
d:\windows\system32\ieframe.dll
d:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\SmartFTP Client 2.0\smarthook.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
d:\windows\System32\netshell.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\dllhost.exe
d:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\windows\System32\svchost.exe
c:\windows\system32\sessmgr.exe
c:\windows\System32\wbem\unsecapp.exe
d:\windows\system32\wscntfy.exe
d:\windows\system32\rundll32.exe
d:\documents and settings\Erin Ennis\Local Settings\Application Data\Google\Update\1.2.183.13\GoogleCrashHandler.exe
.
**************************************************************************
.
Completion time: 2010-01-17 16:19:37 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-17 21:19

Pre-Run: 11,107,848,192 bytes free
Post-Run: 11,102,724,096 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(1)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(1)partition(1)\WINDOWS="WD250 Microsoft Windows Partition1" /fastdetect /NoExecute=OptIn
multi(0)disk(0)rdisk(1)partition(2)\WINDOWS="WD250 Microsoft Windows Partition2" /fastdetect /NoExecute=OptIn
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="WD400 Microsoft Windows XP Home" /fastdetect /NoExecute=OptIn

- - End Of File - - 590EC5500F0488262D2A926E5C4E874A


#11 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,766 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:12:54 AM

Posted 17 January 2010 - 05:26 PM

Hi,

how is your PC doing now? ComboFix should have taken out the infection; can you confirm that?

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help requests via PM, unless I am already helping you. Use the forums!

 



#12 myrti

myrti


Posted 23 January 2010 - 08:51 PM

Due to lack of feedback, this topic is now Closed

If you need this topic reopened, please send me a PM.
Please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic.

With Regards,
myrti



#13 myrti

myrti


Posted 24 January 2010 - 09:21 PM

Hi,

topic reopened. Please let me know how the PC is doing.

regards myrti



#14 CorradoVT

CorradoVT
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:05:54 PM

Posted 27 January 2010 - 01:29 AM

Hey, myrti. From your PM, I may be okay. I ran some additional AV scans and removed and re-installed McAfee on the affected drive. The majority of what was picked up after the ComboFix was in Restore volumes, but there were some other hits as well. Given that about 10 days have passed and I've left this machine online, my best guess is that if there was a lingering infection, it would have shown up by now.

What's the best approach to validate that the drive is as clean as possible?

#15 myrti

myrti


Posted 29 January 2010 - 09:29 AM

Hi,

please provide a new OTL log and run a scan with Malwarebytes:
Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
If you have a previous version of MBAM, remove it via Add/Remove Programs and download a fresh copy.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless of whether you are prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.

As well as Eset:
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push

regards myrti





