Viruses picked up by Avira


This topic is locked
24 replies to this topic

#1 montfish (Members, 30 posts)

Posted 29 July 2010 - 08:56 PM

Hello,

I am receiving warnings from my Avira antivirus software about TR/Dropper.Gen trojan and HTML/Infected.WebPage.Gen. Avira doesn't seem to be able to get rid of them. I am attaching a HijackThis log.

Your help is greatly appreciated!
Thanks

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:46:34 PM, on 7/29/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.17055)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\AGRSMMSG.exe
C:\program files\support.com\client\bin\tgcmd.exe
D:\Program Files\Avira\AntiVir Desktop\avgnt.exe
D:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ezSP_Px.exe
C:\WINDOWS\system32\ctfmon.exe
C:\DOCUME~1\DOUGFI~1\LOCALS~1\Temp\Rs1.exe
C:\WINDOWS\Rmulea.exe
C:\Program Files\sony\usbsircs\usbsircs.exe
D:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Sony\Giga Pocket\shwserv.exe
D:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
D:\Program Files\Sunbelt Software\Personal Firewall\SbPFLnch.exe
C:\WINDOWS\system32\sdpasvc.exe
C:\WINDOWS\System32\tcpsvcs.exe
D:\Program Files\Sunbelt Software\Personal Firewall\SbPFSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
D:\Program Files\Sunbelt Software\Personal Firewall\SbPFCl.exe
C:\Program Files\Sony\Giga Pocket\RM_SV.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - D:\Program Files\rpbrowserrecordplugin.dll
O2 - BHO: Browser Helper Object - {AFD4AD01-58C1-47DB-A404-FBE00A6C5486} - C:\Program Files\Shared\lib.dll (file missing)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - D:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - D:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [VAIO Recovery] "C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe"
O4 - HKLM\..\Run: [ZTgServerSwitch] "c:\program files\support.com\client\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [avgnt] "D:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [8JE5UHC6FZ] C:\DOCUME~1\DOUGFI~1\LOCALS~1\Temp\Rs1.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Remocon Driver.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/co...ex/qtplugin.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.5.0.cab
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1196572587812
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/4h/pla...0/Installer.exe
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://3dlifeplayer.dl.3dvia.com/player/in...r_installer.exe
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://l.yimg.com/jh/games/web_games/popca...aploader_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{CBB53649-E24D-43AD-A5E8-C5FC4035A3DC}: NameServer = 93.188.162.73,93.188.161.6
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 93.188.162.73,93.188.161.6
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 93.188.162.73,93.188.161.6
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.162.73,93.188.161.6
O18 - Filter hijack: text/html - {6a2d70e1-1ffd-4d79-9207-198fbb0098a5} - C:\WINDOWS\msyuv.dll
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - D:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - D:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Giga Pocket Hardware Detector - Sony Corporation - C:\Program Files\Sony\Giga Pocket\shwserv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - D:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SbPF.Launcher - Sunbelt Software, Inc. - D:\Program Files\Sunbelt Software\Personal Firewall\SbPFLnch.exe
O23 - Service: SDPAUMS server service (SDPASVC) - Matsushita Electric Industrial Co.,Ltd. - C:\WINDOWS\system32\sdpasvc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Sony TV Tuner Controller - Sony Corporation - C:\Program Files\Sony\Giga Pocket\halsv.exe
O23 - Service: Sony TV Tuner Manager - Sony Corporation - C:\Program Files\Sony\Giga Pocket\RM_SV.exe
O23 - Service: Sunbelt Personal Firewall 4 (SPF4) - Sunbelt Software, Inc. - D:\Program Files\Sunbelt Software\Personal Firewall\SbPFSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe

--
End of file - 9379 bytes

Hi - Here is the updated HijackThis log you requested. I am continuing to get redirects in IE.
Thanks.


Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 1:02:43 PM, on 8/1/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.17055)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\AGRSMMSG.exe
C:\program files\support.com\client\bin\tgcmd.exe
D:\Program Files\Avira\AntiVir Desktop\avgnt.exe
D:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ezSP_Px.exe
D:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\sony\usbsircs\usbsircs.exe
D:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Sony\Giga Pocket\shwserv.exe
D:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
D:\Program Files\Sunbelt Software\Personal Firewall\SbPFLnch.exe
C:\WINDOWS\system32\sdpasvc.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Sony\Giga Pocket\RM_SV.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\internet explorer\iexplore.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Program Files\Trend Micro\HijackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - D:\Program Files\rpbrowserrecordplugin.dll
O2 - BHO: Browser Helper Object - {AFD4AD01-58C1-47DB-A404-FBE00A6C5486} - C:\Program Files\Shared\lib.dll (file missing)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - D:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - D:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [VAIO Recovery] "C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe"
O4 - HKLM\..\Run: [ZTgServerSwitch] "c:\program files\support.com\client\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [avgnt] "D:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [8JE5UHC6FZ] C:\DOCUME~1\DOUGFI~1\LOCALS~1\Temp\Rs1.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Remocon Driver.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/co...ex/qtplugin.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.5.0.cab
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1196572587812
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/4h/pla...0/Installer.exe
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://3dlifeplayer.dl.3dvia.com/player/in...r_installer.exe
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://l.yimg.com/jh/games/web_games/popca...aploader_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{CBB53649-E24D-43AD-A5E8-C5FC4035A3DC}: NameServer = 93.188.162.73,93.188.161.6
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 93.188.162.73,93.188.161.6
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 93.188.162.73,93.188.161.6
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.162.73,93.188.161.6
O18 - Filter hijack: text/html - {6a2d70e1-1ffd-4d79-9207-198fbb0098a5} - C:\WINDOWS\msyuv.dll
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - D:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - D:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Giga Pocket Hardware Detector - Sony Corporation - C:\Program Files\Sony\Giga Pocket\shwserv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - D:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SbPF.Launcher - Sunbelt Software, Inc. - D:\Program Files\Sunbelt Software\Personal Firewall\SbPFLnch.exe
O23 - Service: SDPAUMS server service (SDPASVC) - Matsushita Electric Industrial Co.,Ltd. - C:\WINDOWS\system32\sdpasvc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Sony TV Tuner Controller - Sony Corporation - C:\Program Files\Sony\Giga Pocket\halsv.exe
O23 - Service: Sony TV Tuner Manager - Sony Corporation - C:\Program Files\Sony\Giga Pocket\RM_SV.exe
O23 - Service: Sunbelt Personal Firewall 4 (SPF4) - Sunbelt Software, Inc. - D:\Program Files\Sunbelt Software\Personal Firewall\SbPFSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe

--
End of file - 9842 bytes

Edited by Budapest, 05 August 2010 - 10:45 PM.
Posts merged ~BP
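The HijackThis entries above are the evidence the rest of the thread works from. As an added example, written for this page and not part of the original post or of HijackThis itself, the following Python script parses lines in that format and flags the three patterns a malware-removal helper checks first in a log like this one: an autorun (O4) value with a random-looking name launched from a Temp folder, a MIME filter (O18) registered on text/html, and nameservers (O17) hardcoded in the registry that are not private addresses. The sample lines are constructed from this thread's log; the flags are heuristics meant to drive verification, not a verdict on any file or address.

```python
import ipaddress
import re

# Constructed sample, modelled on the HijackThis entries posted in this thread.
# The GUIDs, paths and IPs are copied from the log; the script only surfaces what
# a helper would verify first, it does not decide that anything is malicious.
SAMPLE_LOG = """\
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\\Program Files\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroIEHelperShim.dll
O2 - BHO: Browser Helper Object - {AFD4AD01-58C1-47DB-A404-FBE00A6C5486} - C:\\Program Files\\Shared\\lib.dll (file missing)
O4 - HKLM\\..\\Run: [avgnt] "D:\\Program Files\\Avira\\AntiVir Desktop\\avgnt.exe" /min
O4 - HKCU\\..\\Run: [8JE5UHC6FZ] C:\\DOCUME~1\\DOUGFI~1\\LOCALS~1\\Temp\\Rs1.exe
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\Parameters: NameServer = 93.188.162.73,93.188.161.6
O17 - HKLM\\System\\CS1\\Services\\Tcpip\\Parameters: NameServer = 192.168.1.1
O18 - Filter hijack: text/html - {6a2d70e1-1ffd-4d79-9207-198fbb0098a5} - C:\\WINDOWS\\msyuv.dll
"""

ENTRY_RE = re.compile(r"^(O\d+)\s+-\s+(.*)$")          # "O17 - <body>"
RUN_RE = re.compile(r"\[(?P<name>[^\]]+)\]\s*(?P<cmd>.*)")  # O4: [value name] command
IP_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def public_nameservers(body):
    """IPs in an O17 body that are not private/loopback. A home XP box normally
    gets DNS from the router (a private IP) via DHCP, so a public nameserver
    hardcoded in the registry is worth checking against the ISP's servers."""
    return [ip for ip in IP_RE.findall(body)
            if not ipaddress.ip_address(ip).is_private]


def looks_random(name):
    """Run-value names like 8JE5UHC6FZ: 8+ uppercase letters/digits, mixing both."""
    return (re.fullmatch(r"[A-Z0-9]{8,}", name) is not None
            and re.search(r"\d", name) is not None
            and re.search(r"[A-Z]", name) is not None)


def check_entry(section, body):
    """Heuristic reasons an entry deserves a second look (empty list = nothing notable)."""
    reasons = []
    if section == "O2" and "(file missing)" in body:
        reasons.append("BHO registered but its DLL is gone (orphan or partly removed component)")
    elif section == "O4":
        m = RUN_RE.search(body)
        if m:
            if "\\temp\\" in m.group("cmd").lower():
                reasons.append("autorun launched from a Temp folder")
            if looks_random(m.group("name")):
                reasons.append("random-looking Run value name")
    elif section == "O17":
        public = public_nameservers(body)
        if public:
            reasons.append("hardcoded public nameserver(s) %s; verify they are the ISP's"
                           % ", ".join(public))
    elif section == "O18" and body.startswith("Filter hijack") and "text/html" in body:
        reasons.append("MIME filter on text/html: the DLL sees and can rewrite every page IE renders")
    return reasons


def triage(log_text):
    """Return (section, reason, line) tuples for entries worth a closer look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        section, body = m.groups()
        for reason in check_entry(section, body):
            findings.append((section, reason, line))
    return findings


if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LOG):
        print(f"{section}: {reason}\n    {line}")
```

Run against the sample it reports five findings (the orphaned BHO, two on the Rs1.exe autorun, the 93.188.x nameservers and the text/html filter) and stays silent on the Avira autorun and the 192.168.1.1 nameserver. The O17 test uses the `ipaddress` module's private-range check rather than a blocklist, so it is deliberately noisy on machines that legitimately hardcode a public resolver; that is the point of a triage pass, the helper confirms each hit by hand.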


#2 myrti (Malware Study Hall Admin, 33,779 posts)

Posted 07 August 2010 - 01:46 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.
We need to create an OTL Report
  1. Please download OTL from one of the following mirrors:
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Click the "Scan All Users" checkbox.
  5. In the custom scan box paste the following:
    msconfig
    safebootminimal
    activex
    drivers32
    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    symmpi.sys
    adp3132.sys
    mv61xx.sys
    nvraid.sys
    /md5stop
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\drivers\*.sys /90
  6. Push the button.
  7. Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. I suggest you do this and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

regards myrti

#3 montfish (Topic Starter)

Posted 07 August 2010 - 05:02 PM

Hi Myrti,

Thanks for responding. I am experiencing redirects in both IE and Firefox when clicking on links following a google, yahoo etc. search. Also, unwanted popups at any given time. Per your request, I am attaching OTL.txt and Extra.txt. Thanks for helping!

OTL.txt:

OTL logfile created on: 8/7/2010 5:45:37 PM - Run 1
OTL by OldTimer - Version 3.2.9.1 Folder = C:\Documents and Settings\Doug Fisher\Desktop
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 77.00% Memory free
3.00 Gb Paging File | 2.00 Gb Available in Paging File | 83.00% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 13.97 Gb Total Space | 1.55 Gb Free Space | 11.07% Space Free | Partition Type: NTFS
Drive D: | 129.07 Gb Total Space | 37.65 Gb Free Space | 29.17% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
Drive G: | 25.48 Gb Total Space | 6.22 Gb Free Space | 24.42% Space Free | Partition Type: FAT32
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: DOUG
Current User Name: Doug Fisher
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/08/07 17:40:43 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Doug Fisher\Desktop\OTL.exe
PRC - [2010/06/10 21:03:08 | 000,144,176 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
PRC - [2010/05/19 07:58:44 | 002,017,280 | ---- | M] (SUPERAntiSpyware.com) -- D:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
PRC - [2009/07/21 14:34:33 | 000,185,089 | ---- | M] (Avira GmbH) -- D:\Program Files\Avira\AntiVir Desktop\avguard.exe
PRC - [2009/05/13 16:48:22 | 000,108,289 | ---- | M] (Avira GmbH) -- D:\Program Files\Avira\AntiVir Desktop\sched.exe
PRC - [2009/03/02 13:08:47 | 000,209,153 | ---- | M] (Avira GmbH) -- D:\Program Files\Avira\AntiVir Desktop\avgnt.exe
PRC - [2008/10/31 07:24:28 | 001,365,288 | ---- | M] (Sunbelt Software, Inc.) -- D:\Program Files\Sunbelt Software\Personal Firewall\SbPFSvc.exe
PRC - [2008/10/31 07:24:28 | 000,095,528 | ---- | M] (Sunbelt Software, Inc.) -- D:\Program Files\Sunbelt Software\Personal Firewall\SbPFLnch.exe
PRC - [2008/10/31 07:24:26 | 001,705,256 | ---- | M] (Sunbelt Software, Inc.) -- D:\Program Files\Sunbelt Software\Personal Firewall\SbPFCl.exe
PRC - [2007/06/13 06:23:07 | 001,033,216 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2005/10/14 06:51:45 | 028,768,528 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
PRC - [2003/10/07 00:26:10 | 000,229,376 | ---- | M] (Sony Corporation) -- C:\Program Files\Sony\usbsircs\USBsircs.exe
PRC - [2003/10/03 16:24:06 | 000,090,112 | ---- | M] (Sony Corporation) -- C:\Program Files\Sony\Giga Pocket\RM_SV.exe
PRC - [2003/10/03 16:24:06 | 000,077,824 | ---- | M] (Sony Corporation) -- C:\Program Files\Sony\Giga Pocket\shwserv.exe
PRC - [2003/06/23 20:32:54 | 001,409,024 | ---- | M] (Support.com, Inc.) -- C:\Program Files\support.com\client\bin\tgcmd.exe
PRC - [2003/03/31 08:00:00 | 000,019,456 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\tcpsvcs.exe
PRC - [2002/08/20 14:29:26 | 000,040,960 | ---- | M] (Easy Systems Japan Ltd.) -- C:\WINDOWS\system32\ezSP_Px.exe
PRC - [2001/08/07 15:27:44 | 000,049,152 | ---- | M] ( Matsushita Electric Industrial Co.,Ltd.) -- C:\WINDOWS\system32\sdpasvc.exe


========== Modules (SafeList) ==========

MOD - [2010/08/07 17:40:43 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Doug Fisher\Desktop\OTL.exe
MOD - [2006/08/25 11:45:55 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll
MOD - [2004/08/04 02:01:17 | 000,102,400 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- C:\Program Files\Canon\CAL\CALMAIN.exe -- (CCALib8)
SRV - File not found [On_Demand | Stopped] -- C:\WINDOWS\System32\appmgmts.dll -- (AppMgmt)
SRV - [2010/06/10 21:03:08 | 000,144,176 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2010/05/31 12:32:00 | 000,867,080 | ---- | M] (Acresso Software Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2009/07/21 14:34:33 | 000,185,089 | ---- | M] (Avira GmbH) [Auto | Running] -- D:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2009/05/13 16:48:22 | 000,108,289 | ---- | M] (Avira GmbH) [Auto | Running] -- D:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
SRV - [2008/10/31 07:24:28 | 001,365,288 | ---- | M] (Sunbelt Software, Inc.) [Auto | Running] -- D:\Program Files\Sunbelt Software\Personal Firewall\SbPFSvc.exe -- (SPF4)
SRV - [2008/10/31 07:24:28 | 000,095,528 | ---- | M] (Sunbelt Software, Inc.) [Auto | Running] -- D:\Program Files\Sunbelt Software\Personal Firewall\SbPFLnch.exe -- (SbPF.Launcher)
SRV - [2008/08/07 11:17:30 | 000,575,488 | ---- | M] (Nokia.) [On_Demand | Stopped] -- C:\Program Files\PC Connectivity Solution\ServiceLayer.exe -- (ServiceLayer)
SRV - [2005/10/14 06:51:45 | 028,768,528 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe -- (MSSQL$SQLEXPRESS) SQL Server (SQLEXPRESS)
SRV - [2005/10/14 06:51:12 | 000,239,320 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe -- (SQLBrowser)
SRV - [2005/10/14 06:50:19 | 000,045,272 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Program Files\Microsoft SQL Server\90\Shared\sqladhlp90.exe -- (MSSQLServerADHelper)
SRV - [2005/10/14 04:53:50 | 000,087,768 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe -- (SQLWriter)
SRV - [2004/08/04 03:56:44 | 000,086,016 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\p2pgasvc.dll -- (p2pgasvc)
SRV - [2003/10/21 01:00:56 | 001,286,144 | ---- | M] (Sony Corporation) [Disabled | Stopped] -- C:\Program Files\Sony\VAIO Media Integrated Server\Video\GPVSvr.exe -- (VAIOMediaPlatform-VideoServer-AppServer)
SRV - [2003/10/21 01:00:40 | 000,712,704 | ---- | M] (Sony Corporation) [Disabled | Stopped] -- C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe -- (VAIOMediaPlatform-VideoServer-UPnP) VAIO Media Video Server (UPnP)
SRV - [2003/10/21 01:00:40 | 000,712,704 | ---- | M] (Sony Corporation) [Disabled | Stopped] -- C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe -- (VAIOMediaPlatform-PhotoServer-UPnP) VAIO Media Photo Server (UPnP)
SRV - [2003/10/21 01:00:40 | 000,712,704 | ---- | M] (Sony Corporation) [Disabled | Stopped] -- C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe -- (VAIOMediaPlatform-MusicServer-UPnP) VAIO Media Music Server (UPnP)
SRV - [2003/10/21 01:00:38 | 000,057,344 | ---- | M] (Sony Corporation) [Disabled | Stopped] -- C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe -- (VAIOMediaPlatform-VideoServer-HTTP) VAIO Media Video Server (HTTP)
SRV - [2003/10/21 01:00:38 | 000,057,344 | ---- | M] (Sony Corporation) [Disabled | Stopped] -- C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe -- (VAIOMediaPlatform-PhotoServer-HTTP) VAIO Media Photo Server (HTTP)
SRV - [2003/10/21 01:00:38 | 000,057,344 | ---- | M] (Sony Corporation) [Disabled | Stopped] -- C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe -- (VAIOMediaPlatform-MusicServer-HTTP) VAIO Media Music Server (HTTP)
SRV - [2003/10/21 01:00:14 | 000,925,696 | ---- | M] (Sony Corporation) [Disabled | Stopped] -- C:\Program Files\Sony\VAIO Media Integrated Server\Photo\appsrv\PhotoAppSrv.exe -- (VAIOMediaPlatform-PhotoServer-AppServer)
SRV - [2003/10/21 01:00:08 | 000,503,897 | ---- | M] (Sony Corporation) [Disabled | Stopped] -- C:\Program Files\Sony\VAIO Media Integrated Server\Music\SSSvr.exe -- (VAIOMediaPlatform-MusicServer-AppServer)
SRV - [2003/10/03 16:24:06 | 000,090,112 | ---- | M] (Sony Corporation) [On_Demand | Running] -- C:\Program Files\Sony\Giga Pocket\RM_SV.exe -- (Sony TV Tuner Manager)
SRV - [2003/10/03 16:24:06 | 000,077,824 | ---- | M] (Sony Corporation) [Auto | Running] -- C:\Program Files\Sony\Giga Pocket\shwserv.exe -- (Giga Pocket Hardware Detector)
SRV - [2003/09/25 17:38:56 | 000,118,784 | ---- | M] (Sony Corporation) [On_Demand | Stopped] -- C:\Program Files\Sony\Giga Pocket\halsv.exe -- (Sony TV Tuner Controller)
SRV - [2003/07/28 21:31:14 | 000,065,536 | ---- | M] (Sony Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe -- (SPTISRV)
SRV - [2003/03/31 08:00:00 | 000,019,456 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\tcpsvcs.exe -- (SimpTcp)
SRV - [2001/08/07 15:27:44 | 000,049,152 | ---- | M] ( Matsushita Electric Industrial Co.,Ltd.) [Auto | Running] -- C:\WINDOWS\System32\sdpasvc.exe -- (SDPASVC)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Program Files\Internet Explorer\SABProcEnum.sys -- (SABProcEnum)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\DOCUME~1\DOUGFI~1\LOCALS~1\Temp\catchme.sys -- (catchme)
DRV - [2010/05/19 07:58:44 | 000,068,168 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- D:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
DRV - [2010/03/07 16:04:07 | 000,012,872 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- D:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS -- (SASDIFSV)
DRV - [2010/03/07 16:04:07 | 000,012,872 | ---- | M] ( SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | On_Demand | Stopped] -- D:\Program Files\SUPERAntiSpyware\SASENUM.SYS -- (SASENUM)
DRV - [2010/02/11 08:01:43 | 000,226,880 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\tcpip6.sys -- (Tcpip6)
DRV - [2009/12/07 21:04:25 | 000,056,816 | ---- | M] (Avira GmbH) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\avgntflt.sys -- (avgntflt)
DRV - [2009/05/11 10:12:24 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ssmdrv.sys -- (ssmdrv)
DRV - [2009/03/30 10:33:07 | 000,096,104 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avipbb.sys -- (avipbb)
DRV - [2009/02/13 12:35:05 | 000,011,608 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- D:\Program Files\Avira\AntiVir Desktop\avgio.sys -- (avgio)
DRV - [2009/02/07 18:58:29 | 000,064,160 | ---- | M] (Lavasoft AB) [File_System | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\Lbd.sys -- (Lbd)
DRV - [2008/10/31 07:09:06 | 000,270,888 | R--- | M] (Sunbelt Software, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\SbFw.sys -- (SbFw)
DRV - [2008/06/21 04:54:54 | 000,066,600 | R--- | M] (Sunbelt Software, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\sbhips.sys -- (sbhips)
DRV - [2008/06/21 04:54:54 | 000,065,576 | ---- | M] (Sunbelt Software, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SbFwIm.sys -- (SBFWIMCL)
DRV - [2007/09/17 15:53:26 | 000,021,632 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\pccsmcfd.sys -- (pccsmcfd)
DRV - [2004/03/22 21:59:52 | 000,701,440 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2003/10/30 15:20:54 | 000,766,848 | ---- | M] (Sony Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\smrt.sys -- (smrt)
DRV - [2003/08/18 21:56:00 | 001,343,803 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2003/05/23 14:44:00 | 001,171,648 | ---- | M] (Agere Systems) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AGRSM.sys -- (AgereSoftModem)
DRV - [2001/08/17 08:11:06 | 000,066,591 | ---- | M] (3Com Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\el90xbc5.sys -- (EL90XBC)
DRV - [2000/12/05 20:18:02 | 000,003,952 | R--- | M] (Sony Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\DMICall.sys -- (DMICall)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-2386598982-814884606-4127854664-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = http://news.yahoo.com [binary data]
IE - HKU\S-1-5-21-2386598982-814884606-4127854664-1005\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKU\S-1-5-21-2386598982-814884606-4127854664-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
IE - HKU\S-1-5-21-2386598982-814884606-4127854664-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-2386598982-814884606-4127854664-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.yahoo.com"
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: moveplayer@movenetworks.com:7
FF - prefs.js..extensions.enabledItems: bkmrksync@nokia.com:1.0.0.658
FF - prefs.js..extensions.enabledItems: {ABDE892B-13A8-4d1b-88E6-365A6E755758}:1.0

FF - HKLM\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: D:\Program Files\browserrecord [2008/10/05 13:55:07 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.5\extensions\\Components: D:\Program Files\Mozilla Firefox\components [2010/08/02 21:59:51 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.5\extensions\\Plugins: D:\Program Files\Mozilla Firefox\plugins [2010/08/02 21:59:51 | 000,000,000 | ---D | M]

[2009/03/20 21:30:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Doug Fisher\Application Data\Mozilla\Extensions
[2009/03/20 21:30:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Doug Fisher\Application Data\Mozilla\Extensions\mozswing@mozswing.org
[2010/08/06 21:21:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Doug Fisher\Application Data\Mozilla\Firefox\Profiles\8n404p8s.default\extensions
[2010/01/21 22:37:09 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Doug Fisher\Application Data\Mozilla\Firefox\Profiles\8n404p8s.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2008/10/09 22:49:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Doug Fisher\Application Data\Mozilla\Firefox\Profiles\8n404p8s.default\extensions\bkmrksync@nokia.com
[2008/10/09 22:59:37 | 000,000,908 | ---- | M] () -- C:\Documents and Settings\Doug Fisher\Application Data\Mozilla\Firefox\Profiles\8n404p8s.default\searchplugins\IMDB.xml
[2010/08/05 22:06:33 | 000,002,143 | ---- | M] () -- C:\Documents and Settings\Doug Fisher\Application Data\Mozilla\Firefox\Profiles\8n404p8s.default\searchplugins\marketwatch.xml
[2008/09/06 18:34:01 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2004/11/12 23:36:20 | 000,005,120 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Mozilla Firefox\plugins\NPAdbESD.dll
[2008/05/30 21:31:53 | 000,081,920 | ---- | M] (Coupons, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npCouponPrinter.dll
[2004/11/17 19:21:00 | 000,110,592 | ---- | M] () -- C:\Program Files\Mozilla Firefox\plugins\npmozax.dll
[2006/11/09 16:20:40 | 002,111,096 | ---- | M] () -- C:\Program Files\Mozilla Firefox\plugins\npswf32.dll
[2004/01/13 22:09:25 | 000,176,176 | ---- | M] () -- C:\Program Files\Mozilla Firefox\plugins\npViewpoint.dll

O1 HOSTS File: ([2009/08/09 12:09:23 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - D:\Program Files\rpbrowserrecordplugin.dll (RealPlayer)
O3 - HKU\S-1-5-21-2386598982-814884606-4127854664-1005\..\Toolbar\ShellBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKU\S-1-5-21-2386598982-814884606-4127854664-1005\..\Toolbar\WebBrowser: (no name) - {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No CLSID value found.
O3 - HKU\S-1-5-21-2386598982-814884606-4127854664-1005\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKU\S-1-5-21-2386598982-814884606-4127854664-1005\..\Toolbar\WebBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKU\S-1-5-21-2386598982-814884606-4127854664-1005\..\Toolbar\WebBrowser: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found.
O4 - HKLM..\Run: [American Airlines DealFinder] File not found
O4 - HKLM..\Run: [ATIModeChange] C:\WINDOWS\System32\Ati2mdxx.exe (ATI Technologies, Inc.)
O4 - HKLM..\Run: [avgnt] D:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
O4 - HKLM..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe (Easy Systems Japan Ltd.)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [VAIO Recovery] C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe (Sony Electronics Inc)
O4 - HKLM..\Run: [ZTgServerSwitch] c:\program files\support.com\client\bin\tgcmd.exe (Support.com, Inc.)
O4 - HKU\S-1-5-21-2386598982-814884606-4127854664-1005..\Run: [8JE5UHC6FZ] C:\DOCUME~1\DOUGFI~1\LOCALS~1\Temp\Rs1.exe File not found
O4 - HKU\S-1-5-21-2386598982-814884606-4127854664-1005..\Run: [SUPERAntiSpyware] D:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE (SUPERAntiSpyware.com)
O4 - HKU\.DEFAULT..\RunOnce: [RunNarrator] C:\WINDOWS\System32\narrator.exe (Microsoft Corporation)
O4 - HKU\S-1-5-18..\RunOnce: [RunNarrator] C:\WINDOWS\System32\narrator.exe (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Remocon Driver.lnk = C:\Program Files\Sony\usbsircs\USBsircs.exe (Sony Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-2386598982-814884606-4127854664-1005\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-2386598982-814884606-4127854664-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-2386598982-814884606-4127854664-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-2386598982-814884606-4127854664-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O10 - NameSpace_Catalog5\Catalog_Entries\000000000006 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://appldnld.apple.com.edgesuite.net/co...ex/qtplugin.cab (QuickTime Object)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://fpdownload.macromedia.com/get/shock...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft.com/fwlink/?linkid=39204 (Windows Genuine Advantage Validation Tool)
O16 - DPF: {233C1507-6A77-46A4-9443-F871F945D258} http://fpdownload.macromedia.com/pub/shock...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {32505657-9980-0010-8000-00AA00389B71} http://download.microsoft.com/download/0/A...01F/wmvadvd.cab (Reg Error: Key error.)
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.5.0.cab (DLM Control)
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} http://www.linkedin.com/cab/LinkedInContactFinderControl.cab (LinkedIn ContactFinderControl)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://www.update.microsoft.com/windowsupd...b?1196572587812 (WUWebControl Class)
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} http://www.nick.com/common/groove/gx/GrooveAX27.cab (Groove Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} http://www.superadblocker.com/activex/sabspx.cab (SABScanProcesses Class)
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} http://a532.g.akamai.net/f/532/6712/4h/pla...0/Installer.exe (Virtools WebPlayer Class)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.macromedia.com/get/flash...ent/swflash.cab (Shockwave Flash Object)
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} http://3dlifeplayer.dl.3dvia.com/player/in...r_installer.exe (Virtools WebPlayer Class)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 167.206.3.209 167.206.3.143 167.206.3.210
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.162.73,93.188.161.6
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - D:\Program Files\SUPERAntiSpyware\SASWINLO.DLL - D:\Program Files\SUPERAntiSpyware\SASWINLO.DLL (SUPERAntiSpyware.com)
O20 - Winlogon\Notify\igfxcui: DllName - igfxsrvc.dll - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation)
O20 - Winlogon\Notify\WRNotifier: DllName - WRLogonNTF.dll - File not found
O24 - Desktop WallPaper: C:\Documents and Settings\Doug Fisher\Application Data\Mozilla\Firefox\Desktop Background.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Doug Fisher\Application Data\Mozilla\Firefox\Desktop Background.bmp
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - D:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2003/12/01 21:36:01 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2003/12/30 23:12:20 | 000,000,286 | ---- | M] () - G:\AUTOEXEC.BAT -- [ FAT32 ]
O32 - AutoRun File - [2000/07/09 14:49:10 | 000,000,205 | ---- | M] () - G:\autoexec.nav -- [ FAT32 ]
O33 - MountPoints2\{238debac-290a-11dc-ab0d-000ea6811a01}\Shell\AutoRun\command - "" = K:\setupSNK.exe -- File not found
O33 - MountPoints2\{407b6a7a-affe-11dc-ac00-000ea6811a01}\Shell - "" = AutoRun
O33 - MountPoints2\{407b6a7a-affe-11dc-ac00-000ea6811a01}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{4a8e5ae8-e811-11de-b02b-000ea6811a01}\Shell - "" = AutoRun
O33 - MountPoints2\{4a8e5ae8-e811-11de-b02b-000ea6811a01}\Shell\AutoRun - "" = Auto&Play
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

MsConfig - Services: "VAIOMediaPlatform-VideoServer-HTTP"
MsConfig - Services: "VAIOMediaPlatform-VideoServer-AppServer"
MsConfig - Services: "VAIOMediaPlatform-PhotoServer-HTTP"
MsConfig - Services: "VAIOMediaPlatform-MusicServer-HTTP"
MsConfig - Services: "VAIOMediaPlatform-MusicServer-AppServer"
MsConfig - Services: "iPod Service"
MsConfig - Services: "Bonjour Service"
MsConfig - Services: "Apple Mobile Device"
MsConfig - Services: "VAIOMediaPlatform-VideoServer-UPnP"
MsConfig - Services: "VAIOMediaPlatform-PhotoServer-UPnP"
MsConfig - Services: "VAIOMediaPlatform-PhotoServer-AppServer"
MsConfig - Services: "VAIOMediaPlatform-MusicServer-UPnP"
MsConfig - Services: "wuauserv"
MsConfig - Services: "CCALib8"
MsConfig - StartUpFolder: C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE - (Microsoft Corporation)
MsConfig - StartUpFolder: C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk - C:\Program Files\Quicken\bagent.exe - (Intuit Inc.)
MsConfig - StartUpFolder: C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Timer Recording Manager.lnk - C:\Program Files\Sony\Giga Pocket\ReserveModule.exe - (Sony Corporation)
MsConfig - StartUpFolder: C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE - (WinZip Computing LP)
MsConfig - StartUpReg: Ad-Watch - hkey= - key= - C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe File not found
MsConfig - StartUpReg: Adobe Reader Speed Launcher - hkey= - key= - D:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
MsConfig - StartUpReg: AppleSyncNotifier - hkey= - key= - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe (Apple Inc.)
MsConfig - StartUpReg: ezShieldProtector for Px - hkey= - key= - File not found
MsConfig - StartUpReg: HPWUTOOLBOX - hkey= - key= - C:\Program Files\HP\HP Officejet Pro K550 Series\Toolbox\HPWUTBX.exe (Hewlett-Packard Company)
MsConfig - StartUpReg: HPWU_MPM_Agent - hkey= - key= - C:\Program Files\HP\HP Officejet Pro K550 Series\Toolbox\mpm.exe ()
MsConfig - StartUpReg: iTunesHelper - hkey= - key= - D:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)
MsConfig - StartUpReg: PC Suite Tray - hkey= - key= - D:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe File not found
MsConfig - StartUpReg: QuickTime Task - hkey= - key= - C:\Program Files\QuickTime\qttask.exe (Apple Inc.)
MsConfig - StartUpReg: SunJavaUpdateSched - hkey= - key= - D:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
MsConfig - StartUpReg: TkBellExe - hkey= - key= - C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
MsConfig - StartUpReg: WinampAgent - hkey= - key= - D:\Program Files\Winamp\winampa.exe (Nullsoft)
MsConfig - State: "system.ini" - 0
MsConfig - State: "win.ini" - 0
MsConfig - State: "bootini" - 0
MsConfig - State: "services" - 2
MsConfig - State: "startup" - 2

SafeBootMin: AppMgmt - C:\WINDOWS\System32\appmgmts.dll File not found
SafeBootMin: Base - Driver Group
SafeBootMin: Boot Bus Extender - Driver Group
SafeBootMin: Boot file system - Driver Group
SafeBootMin: File system - Driver Group
SafeBootMin: Filter - Driver Group
SafeBootMin: PCI Configuration - Driver Group
SafeBootMin: PNP Filter - Driver Group
SafeBootMin: Primary disk - Driver Group
SafeBootMin: SCSI Class - Driver Group
SafeBootMin: sermouse.sys - Driver
SafeBootMin: System Bus Extender - Driver Group
SafeBootMin: vds - Service
SafeBootMin: vga.sys - Driver
SafeBootMin: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootMin: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootMin: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootMin: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootMin: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootMin: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootMin: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootMin: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootMin: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootMin: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootMin: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootMin: {533C5B84-EC70-11D2-9505-00C04F79DEAF} - Volume shadow copy
SafeBootMin: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootMin: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices

ActiveX: {03F998B2-0E00-11D3-A498-00104B6EB52E} - Viewpoint Media Player
ActiveX: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} - Java (Sun)
ActiveX: {10072CEC-8CC1-11D1-986E-00A0C955B42F} - Vector Graphics Rendering (VML)
ActiveX: {166B1BCA-3F9C-11CF-8075-444553540000} - Macromedia Shockwave Director 10.1
ActiveX: {1B00725B-C455-4DE6-BFB6-AD540AD427CD} - Viewpoint Media Player
ActiveX: {2179C5D3-EBFF-11CF-B6FD-00AA00B4E220} - NetShow
ActiveX: {2298d453-bcae-4519-bf33-1cbf3faf1524} - Q867801
ActiveX: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} - Microsoft Windows Media Player 6.4
ActiveX: {233C1507-6A77-46A4-9443-F871F945D258} - Adobe Shockwave Director 10.4
ActiveX: {283807B5-2C60-11D0-A31D-00AA00B92C03} - DirectAnimation
ActiveX: {2A202491-F00D-11cf-87CC-0020AFEECF20} - Adobe Shockwave Director 10.4
ActiveX: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
ActiveX: {36f8ec70-c29a-11d1-b5c7-0000f8051515} - Dynamic HTML Data Binding for Java
ActiveX: {3af36230-a269-11d1-b5bf-0000f8051515} - Offline Browsing Pack
ActiveX: {3bf42070-b3b1-11d1-b5c5-0000f8051515} - Uniscribe
ActiveX: {4278c270-a269-11d1-b5bf-0000f8051515} - Advanced Authoring
ActiveX: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
ActiveX: {44BBA842-CC51-11CF-AAFA-00AA00B6015B} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
ActiveX: {44BBA848-CC51-11CF-AAFA-00AA00B6015C} - DirectShow
ActiveX: {44BBA855-CC51-11CF-AAFA-00AA00B6015C} - Microsoft DirectX
ActiveX: {44BBA855-CC51-11CF-AAFA-00AA00B6015F} - DirectDrawEx
ActiveX: {45ea75a0-a269-11d1-b5bf-0000f8051515} - Internet Explorer Help
ActiveX: {4f216970-c90c-11d1-b5c7-0000f8051515} - DirectAnimation Java Classes
ActiveX: {4f645220-306d-11d2-995d-00c04f98bbc9} - Microsoft Windows Script 5.7
ActiveX: {5820512A-4E02-4D71-96AA-3EAD1F9EFE92} - Yahoo! Tracking for IE7
ActiveX: {5945c046-1e7d-11d1-bc44-00c04fd912be} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser
ActiveX: {5A8D6EE0-3E18-11D0-821E-444553540000} - ICW
ActiveX: {5f3c70b3-ac2f-432c-8f9c-1624df61f54f} - Microsoft Data Access Components KB870669
ActiveX: {5fd399c0-a70a-11d1-9948-00c04f98bbc9} - Internet Explorer Setup Tools
ActiveX: {630b1da0-b465-11d1-9948-00c04f98bbc9} - Browsing Enhancements
ActiveX: {6BF52A52-394A-11d3-B153-00C04F79FAA6} - Microsoft Windows Media Player
ActiveX: {6fab99d0-bab8-11d1-994a-00c04f98bbc9} - MSN Site Access
ActiveX: {7131646D-CD3C-40F4-97B9-CD9E4E6262EF} - .NET Framework
ActiveX: {73FA19D0-2D75-11D2-995D-00C04F98BBC9} - Web Folders
ActiveX: {7790769C-0471-11d2-AF11-00C04FA35D02} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
ActiveX: {795d0712-722c-43ec-906a-fc5e678eada9} - Q831167
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /i:U shell32.dll
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4383} - C:\WINDOWS\system32\ie4uinit.exe -BaseSettings
ActiveX: {89B4C1CD-B018-4511-B0A1-5476DBF70820} - C:\WINDOWS\system32\Rundll32.exe C:\WINDOWS\system32\mscories.dll,Install
ActiveX: {9381D8F2-0288-11D0-9501-00AA00B911A5} - Dynamic HTML Data Binding
ActiveX: {944AE294-471B-E244-BA27-DB2B463F1862} - Browser Customizations
ActiveX: {96543d59-497a-4801-a1f3-5936aacaf7b1} - Q828750
ActiveX: {9F9F36A4-6680-4104-B9F1-883262F2282D} - Yahoo! Toolbar for Internet Explorer
ActiveX: {B508B3F1-A24A-32C0-B310-85786919EF28} - .NET Framework
ActiveX: {C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F} - .NET Framework
ActiveX: {C9E9A340-D1F1-11D0-821E-444553540600} - Internet Explorer Core Fonts
ActiveX: {CA0BCD9A-12F7-15B1-7F4E-E5BFCDD4E918} - Browser Customizations
ActiveX: {CC2A9BA0-3BDD-11D0-821E-444553540000} - Task Scheduler
ActiveX: {CDD7975E-60F8-41d5-8149-19E51D6F71D0} - Windows Movie Maker v2.1
ActiveX: {D27CDB6E-AE6D-11cf-96B8-444553540000} - Adobe Flash Player
ActiveX: {de5aed00-a4bf-11d1-9948-00c04f98bbc9} - HTML Help
ActiveX: {E92B03AB-B707-11d2-9CBD-0000F87A369E} - Active Directory Service Interface
ActiveX: {eddbec60-89cb-44ef-8291-0850fd28ff6a} - Q832894
ActiveX: {f5173cf0-1dfb-4978-8e50-a90169ee7ca9} - Q823353
ActiveX: {F5776D81-AE53-4935-8E84-B0B283D8BCEF} - Q330994
ActiveX: <{12d0ed0d-0ee0-4f90-8827-78cefb8f4988} - C:\WINDOWS\system32\ieudinit.exe
ActiveX: >{22d6f312-b0f6-11d0-94ab-0080c74c7e95} - C:\WINDOWS\inf\unregmp2.exe /ShowWMP
ActiveX: >{26923b43-4d38-484f-9b9e-de460746276c} - C:\WINDOWS\system32\ie4uinit.exe -UserIconConfig
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF} - RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS - RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
ActiveX: >{881dd1c5-3dcf-431b-b061-f3f88e8be88a} - %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Ligos Corporation)
Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: MSVideo8 - C:\WINDOWS\System32\vfwwdm32.dll (Microsoft Corporation)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.DIVX - C:\WINDOWS\System32\DivX.dll (DivX, Inc.)
Drivers32: VIDC.dvsd - C:\Program Files\Common Files\Sony Shared\VideoLib\sonydv.dll (Sony Corporation)
Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll (Ligos Corporation)
Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll (Ligos Corporation)
Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Ligos Corporation)
Drivers32: vidc.yv12 - C:\WINDOWS\System32\DivX.dll (DivX, Inc.)

NetSvcs: AppMgmt - C:\WINDOWS\System32\appmgmts.dll File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - C:\WINDOWS\System32\iprip.dll (Microsoft Corporation)
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: Wmi - C:\WINDOWS\System32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - File not found

========== Files/Folders - Created Within 30 Days ==========

[2010/08/07 17:40:40 | 000,574,976 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Doug Fisher\Desktop\OTL.exe
[2010/08/04 22:57:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Doug Fisher\Application Data\American Airlines DealFinder
[2010/07/31 22:55:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2010/07/31 22:49:02 | 000,000,000 | ---D | C] -- C:\Program Files\Apple Software Update
[2010/07/31 22:46:35 | 000,000,000 | ---D | C] -- C:\Program Files\Bonjour
[2010/07/15 22:22:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
[2010/07/14 20:00:47 | 000,000,000 | ---D | C] -- C:\Program Files\Shared
[1996/11/18 00:00:00 | 000,018,944 | ---- | C] ( ) -- C:\WINDOWS\System32\IMPLODE.DLL
[2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/08/07 17:47:00 | 000,000,300 | -H-- | M] () -- C:\WINDOWS\tasks\{22116563-108C-42c0-A7CE-60161B75E508}.job
[2010/08/07 17:40:43 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Doug Fisher\Desktop\OTL.exe
[2010/08/07 17:37:29 | 000,610,054 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/08/07 17:37:29 | 000,503,160 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/08/07 17:37:29 | 000,095,396 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/08/07 17:37:00 | 000,000,258 | -H-- | M] () -- C:\WINDOWS\tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job
[2010/08/07 17:35:00 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/08/07 17:32:52 | 000,000,292 | -H-- | M] () -- C:\WINDOWS\tasks\339a61fd.job
[2010/08/07 17:32:52 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/08/07 17:32:42 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/08/06 22:58:31 | 015,990,784 | ---- | M] () -- C:\Documents and Settings\Doug Fisher\ntuser.dat
[2010/08/06 22:58:28 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\Doug Fisher\ntuser.ini
[2010/08/01 13:02:34 | 000,002,337 | ---- | M] () -- C:\Documents and Settings\Doug Fisher\Desktop\HiJackThis.lnk
[2010/07/31 17:58:00 | 000,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2010/07/30 20:48:36 | 000,284,915 | ---- | M] () -- C:\Documents and Settings\Doug Fisher\Desktop\gmer.zip
[2010/07/30 20:39:50 | 000,525,824 | ---- | M] () -- C:\Documents and Settings\Doug Fisher\Desktop\dds.scr
[2010/07/15 22:32:30 | 000,002,521 | ---- | M] () -- C:\Documents and Settings\Doug Fisher\Desktop\Microsoft Office Outlook 2003.lnk
[2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/07/30 20:48:35 | 000,284,915 | ---- | C] () -- C:\Documents and Settings\Doug Fisher\Desktop\gmer.zip
[2010/07/30 20:39:50 | 000,525,824 | ---- | C] () -- C:\Documents and Settings\Doug Fisher\Desktop\dds.scr
[2010/07/28 18:14:59 | 000,000,300 | -H-- | C] () -- C:\WINDOWS\tasks\{22116563-108C-42c0-A7CE-60161B75E508}.job
[2010/07/28 18:14:48 | 000,000,258 | -H-- | C] () -- C:\WINDOWS\tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job
[2010/07/28 18:14:44 | 000,000,292 | -H-- | C] () -- C:\WINDOWS\tasks\339a61fd.job
[2010/03/14 19:52:43 | 000,087,552 | ---- | C] () -- C:\WINDOWS\System32\cpwmon2k.dll
[2009/04/19 21:18:45 | 000,001,890 | -HS- | C] () -- C:\WINDOWS\System32\KGyGaAvL.sys
[2007/04/01 19:30:49 | 000,000,028 | ---- | C] () -- C:\WINDOWS\pdf995.ini
[2007/03/04 19:55:45 | 000,000,142 | ---- | C] () -- C:\WINDOWS\wpd99.drv
[2007/03/04 19:55:19 | 000,051,716 | ---- | C] () -- C:\WINDOWS\System32\pdf995mon.dll
[2006/12/23 14:45:48 | 000,479,232 | ---- | C] () -- C:\WINDOWS\System32\MusicCitydll2.dll
[2006/12/23 14:45:19 | 000,032,256 | ---- | C] () -- C:\WINDOWS\System32\Decln.dll
[2006/12/23 14:45:18 | 000,014,629 | ---- | C] () -- C:\WINDOWS\System32\Declw.dll
[2006/12/23 14:45:08 | 000,005,834 | ---- | C] () -- C:\WINDOWS\System32\UNWISE.INI
[2006/11/03 23:11:36 | 000,684,032 | ---- | C] () -- C:\WINDOWS\System32\libeay32.dll
[2006/11/03 23:11:36 | 000,155,648 | ---- | C] () -- C:\WINDOWS\System32\ssleay32.dll
[2006/08/27 20:06:41 | 000,002,345 | ---- | C] () -- C:\WINDOWS\CONTOUR.INI
[2006/07/22 11:55:17 | 000,000,000 | ---- | C] () -- C:\WINDOWS\PestPatrol5.INI
[2006/02/26 00:34:00 | 000,372,736 | R--- | C] () -- C:\WINDOWS\System32\hpzidi01.dll
[2006/02/26 00:34:00 | 000,077,824 | R--- | C] () -- C:\WINDOWS\System32\hpzids01.dll
[2005/12/17 01:21:52 | 000,000,092 | ---- | C] () -- C:\WINDOWS\qwimp.ini
[2005/09/14 19:24:27 | 000,000,256 | ---- | C] () -- C:\WINDOWS\usbfhom.dll
[2005/07/24 17:50:47 | 000,000,082 | ---- | C] () -- C:\WINDOWS\WININIT.INI
[2005/07/22 22:11:50 | 000,000,116 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2005/06/16 23:37:19 | 000,000,000 | ---- | C] () -- C:\WINDOWS\iPlayer.INI
[2005/06/11 12:14:41 | 000,001,652 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2005/06/01 22:36:06 | 000,000,120 | ---- | C] () -- C:\WINDOWS\MSMAIL32.INI
[2005/05/31 22:31:15 | 000,023,552 | ---- | C] () -- C:\WINDOWS\System32\jesterss.dll
[2005/03/26 00:08:25 | 000,012,288 | ---- | C] () -- C:\WINDOWS\impborl.dll
[2004/12/14 09:26:21 | 000,000,010 | ---- | C] () -- C:\WINDOWS\System32\Cktm.dll
[2004/08/16 23:21:37 | 000,000,030 | ---- | C] () -- C:\WINDOWS\morphexe.INI
[2004/07/01 23:34:03 | 000,000,000 | ---- | C] () -- C:\WINDOWS\SETUP32.INI
[2004/07/01 23:32:12 | 000,056,320 | ---- | C] () -- C:\WINDOWS\System32\iyvu9_32.dll
[2004/06/23 22:14:58 | 000,001,125 | ---- | C] () -- C:\WINDOWS\Winamp.ini
[2004/05/17 17:29:07 | 000,000,028 | ---- | C] () -- C:\WINDOWS\Systems.ini
[2004/03/02 19:52:57 | 000,001,295 | ---- | C] () -- C:\WINDOWS\System32\Px.ini
[2004/03/02 19:52:23 | 000,000,508 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2003/12/02 16:44:25 | 000,000,165 | ---- | C] () -- C:\WINDOWS\QUICKEN.INI
[2003/12/02 16:41:26 | 000,019,968 | ---- | C] () -- C:\WINDOWS\System32\Cpuinf32.dll
[2003/12/02 16:40:09 | 000,262,416 | ---- | C] () -- C:\WINDOWS\System32\ASFV2.DLL
[2003/12/02 16:39:35 | 000,524,288 | ---- | C] () -- C:\WINDOWS\System32\TDI-SonyOMG.dll
[2003/12/02 16:01:22 | 000,363,520 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2003/12/01 21:53:24 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2003/12/01 21:39:54 | 000,000,800 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2003/12/01 20:28:56 | 000,086,016 | ---- | C] () -- C:\WINDOWS\System32\ati2evxx.dll
[2003/12/01 20:28:51 | 000,126,976 | ---- | C] () -- C:\WINDOWS\System32\e1000msg.dll
[2003/12/01 20:28:51 | 000,012,288 | ---- | C] () -- C:\WINDOWS\System32\e100bmsg.dll
[2003/12/01 20:28:41 | 000,036,864 | ---- | C] () -- C:\WINDOWS\System32\cbldrm.dll
[2003/12/01 20:28:40 | 000,000,730 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2003/12/01 20:28:20 | 000,022,150 | ---- | C] () -- C:\WINDOWS\msyuv.dll
[2003/01/07 15:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[2002/06/12 16:21:12 | 000,049,152 | R--- | C] () -- C:\WINDOWS\System32\winchip.dll
[2002/03/29 14:45:56 | 000,032,768 | ---- | C] () -- C:\WINDOWS\System32\wwnet32i.dll
[1999/06/21 17:00:00 | 000,044,544 | ---- | C] () -- C:\WINDOWS\System32\u25dts.dll
[1999/06/21 17:00:00 | 000,038,400 | ---- | C] () -- C:\WINDOWS\System32\u2ldts.dll
[1999/06/21 17:00:00 | 000,027,136 | ---- | C] () -- C:\WINDOWS\System32\u2lsamp1.dll
[1999/01/22 06:46:58 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\MSRTEDIT.DLL
[1998/11/08 17:00:00 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\u2lbar.dll
[1998/08/16 06:00:00 | 000,004,096 | ---- | C] () -- C:\WINDOWS\System32\sysres.dll
[1997/09/12 00:00:00 | 000,024,576 | ---- | C] () -- C:\WINDOWS\System32\ODBCMON.DLL
[1997/09/12 00:00:00 | 000,022,016 | ---- | C] () -- C:\WINDOWS\System32\ODBCSTF.DLL
[1997/09/12 00:00:00 | 000,022,016 | ---- | C] () -- C:\WINDOWS\System32\DOCOBJ.DLL
[1997/09/12 00:00:00 | 000,012,288 | ---- | C] () -- C:\WINDOWS\System32\hlinkprx.dll
[1997/08/28 17:00:00 | 000,061,440 | ---- | C] () -- C:\WINDOWS\System32\U25STORE.DLL
[1997/08/28 17:00:00 | 000,059,904 | ---- | C] () -- C:\WINDOWS\System32\U25TOTAL.DLL

========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >
[2005/10/31 11:56:00 | 000,700,416 | ---- | M] (LimeWire) -- C:\StubInstaller.exe


< MD5 for: AGP440.SYS >
[2004/10/12 20:51:27 | 022,245,337 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys
[2004/10/12 20:51:27 | 022,245,337 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp2.cab:AGP440.sys
[2008/04/13 14:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\agp440.sys
[2004/08/04 02:07:41 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2004/08/04 02:07:41 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\system32\dllcache\agp440.sys
[2004/08/04 02:07:41 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\system32\drivers\agp440.sys
[2001/08/17 17:58:00 | 000,025,472 | ---- | M] (Microsoft Corporation) MD5=65880045C51AA36184841CEE915A61DF -- C:\WINDOWS\$NtServicePackUninstall$\agp440.sys

< MD5 for: ATAPI.SYS >
[2003/03/31 08:00:00 | 010,158,890 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp1.cab:atapi.sys
[2004/10/12 20:51:27 | 022,245,337 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2003/03/31 08:00:00 | 010,158,890 | ---- | M] () .cab file -- C:\WINDOWS\I386\sp1.cab:atapi.sys
[2004/10/12 20:51:27 | 022,245,337 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp2.cab:atapi.sys
[2003/03/31 08:00:00 | 000,086,912 | ---- | M] (Microsoft Corporation) MD5=95B858761A00E1D4F81F79A0DA019ACA -- C:\WINDOWS\system32\ReinstallBackups\0005\DriverFiles\i386\atapi.sys
[2008/04/13 14:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\atapi.sys
[2004/08/04 01:59:42 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2004/08/04 01:59:42 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\dllcache\atapi.sys
[2004/08/04 01:59:42 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\drivers\atapi.sys
[2002/10/24 19:59:48 | 000,087,040 | ---- | M] (Microsoft Corporation) MD5=F1D915C3870E741D83B5142F3B358761 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/13 20:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\eventlog.dll
[2004/08/04 03:56:42 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
[2004/08/04 03:56:42 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\system32\dllcache\eventlog.dll
[2004/08/04 03:56:42 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\system32\eventlog.dll
[2003/03/31 08:00:00 | 000,049,152 | ---- | M] (Microsoft Corporation) MD5=BF3C8CF53C77B48206B39910B6D6CBCC -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll

< MD5 for: NETLOGON.DLL >
[2008/04/13 20:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\netlogon.dll
[2003/03/31 08:00:00 | 000,399,360 | ---- | M] (Microsoft Corporation) MD5=3ADD563ED7A1C66E6F5E0F7A661AA96D -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll
[2009/02/06 14:46:09 | 000,408,064 | ---- | M] (Microsoft Corporation) MD5=6C476D33D82F1054849790181E8F7772 -- C:\WINDOWS\$hf_mig$\KB968389\SP2QFE\netlogon.dll
[2009/02/06 14:46:09 | 000,408,064 | ---- | M] (Microsoft Corporation) MD5=6C476D33D82F1054849790181E8F7772 -- C:\WINDOWS\$hf_mig$\KB975467\SP2QFE\netlogon.dll
[2004/08/04 03:56:44 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
[2004/08/04 03:56:44 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\system32\dllcache\cache\netlogon.dll
[2004/08/04 03:56:44 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\system32\dllcache\netlogon.dll
[2004/08/04 03:56:44 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\system32\netlogon.dll

< MD5 for: SCECLI.DLL >
[2004/08/04 03:56:44 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll
[2004/08/04 03:56:44 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\system32\dllcache\cache\scecli.dll
[2004/08/04 03:56:44 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\system32\dllcache\scecli.dll
[2004/08/04 03:56:44 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\system32\scecli.dll
[2003/03/31 08:00:00 | 000,174,592 | ---- | M] (Microsoft Corporation) MD5=97418A5C642A5C748A28BD7CF6860B57 -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll
[2008/04/13 20:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\scecli.dll

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[2010/05/04 13:20:32 | 000,347,136 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\dxtmsft.dll
[2010/05/04 13:20:33 | 000,214,528 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\dxtrans.dll
[1 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.sys /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2003/12/01 13:31:11 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2003/12/01 13:31:11 | 000,606,208 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2003/12/01 13:31:11 | 000,397,312 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

< %systemroot%\system32\drivers\*.sys /90 >

========== Alternate Data Streams ==========

@Alternate Data Stream - 125 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:CAAA7DD7
< End of report >


Extra.txt:

OTL Extras logfile created on: 8/7/2010 5:45:37 PM - Run 1
OTL by OldTimer - Version 3.2.9.1 Folder = C:\Documents and Settings\Doug Fisher\Desktop
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 77.00% Memory free
3.00 Gb Paging File | 2.00 Gb Available in Paging File | 83.00% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 13.97 Gb Total Space | 1.55 Gb Free Space | 11.07% Space Free | Partition Type: NTFS
Drive D: | 129.07 Gb Total Space | 37.65 Gb Free Space | 29.17% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
Drive G: | 25.48 Gb Total Space | 6.22 Gb Free Space | 24.42% Space Free | Partition Type: FAT32
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: DOUG
Current User Name: Doug Fisher
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.inf [@ = inffile] -- C:\WINDOWS\System32\NOTEPAD.EXE File not found
.ini [@ = inifile] -- C:\WINDOWS\System32\NOTEPAD.EXE File not found
.txt [@ = txtfile] -- C:\WINDOWS\System32\NOTEPAD.EXE File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [edit] -- %SystemRoot%\System32\NOTEPAD.EXE %1 File not found
batfile [open] -- "%1" %*
batfile [print] -- %SystemRoot%\System32\NOTEPAD.EXE /p %1 File not found
cmdfile [edit] -- %SystemRoot%\System32\NOTEPAD.EXE %1 File not found
cmdfile [open] -- "%1" %*
cmdfile [print] -- %SystemRoot%\System32\NOTEPAD.EXE /p %1 File not found
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" /p %1 (Microsoft Corporation)
inffile [open] -- %SystemRoot%\System32\NOTEPAD.EXE %1 File not found
inffile [print] -- %SystemRoot%\System32\NOTEPAD.EXE /p %1 File not found
inifile [open] -- %SystemRoot%\System32\NOTEPAD.EXE %1 File not found
inifile [print] -- %SystemRoot%\System32\NOTEPAD.EXE /p %1 File not found
jsfile [edit] -- %SystemRoot%\System32\Notepad.exe %1 File not found
jsfile [print] -- %SystemRoot%\System32\Notepad.exe /p %1 File not found
jsefile [edit] -- %SystemRoot%\System32\Notepad.exe %1 File not found
jsefile [print] -- %SystemRoot%\System32\Notepad.exe /p %1 File not found
piffile [open] -- "%1" %*
regfile [edit] -- %SystemRoot%\system32\NOTEPAD.EXE %1 File not found
regfile [merge] -- Reg Error: Key error.
regfile [print] -- %SystemRoot%\system32\NOTEPAD.EXE /p %1 File not found
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
txtfile [open] -- %SystemRoot%\system32\NOTEPAD.EXE %1 File not found
txtfile [print] -- %SystemRoot%\system32\NOTEPAD.EXE /p %1 File not found
txtfile [printto] -- %SystemRoot%\system32\notepad.exe /pt "%1" "%2" "%3" "%4" File not found
vbefile [edit] -- %SystemRoot%\System32\Notepad.exe %1 File not found
vbefile [print] -- %SystemRoot%\System32\Notepad.exe /p %1 File not found
vbsfile [edit] -- %SystemRoot%\System32\Notepad.exe %1 File not found
vbsfile [print] -- %SystemRoot%\System32\Notepad.exe /p %1 File not found
wsffile [edit] -- %SystemRoot%\System32\Notepad.exe %1 File not found
wsffile [print] -- %SystemRoot%\System32\Notepad.exe /p %1 File not found
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [Winamp.Bookmark] -- "D:\Program Files\Winamp\winamp.exe" /BOOKMARK "%1" (Nullsoft)
Directory [Winamp.Enqueue] -- "D:\Program Files\Winamp\winamp.exe" /ADD "%1" (Nullsoft)
Directory [Winamp.Play] -- "D:\Program Files\Winamp\winamp.exe" "%1" (Nullsoft)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"UacDisableNotify" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"3587:TCP" = 3587:TCP:*:Enabled:Windows Peer-to-Peer Grouping
"3540:UDP" = 3540:UDP:*:Enabled:Peer Name Resolution Protocol (PNRP)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"3587:TCP" = 3587:TCP:*:Enabled:Windows Peer-to-Peer Grouping
"3540:UDP" = 3540:UDP:*:Enabled:Peer Name Resolution Protocol (PNRP)
"22837:TCP" = 22837:TCP:*:Enabled:BitComet 22837 TCP
"22837:UDP" = 22837:UDP:*:Enabled:BitComet 22837 UDP

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"D:\Program Files\American Airlines DealFinder\American_Airlines_DealFinder.exe" = D:\Program Files\American Airlines DealFinder\American_Airlines_DealFinder.exe -- (Skinkers Communications)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Sony\Giga Pocket\gps.exe" = C:\Program Files\Sony\Giga Pocket\gps.exe:*:Enabled:Giga Pocket Server -- (Sony Corporation)
"C:\Program Files\support.com\client\bin\tgcmd.exe" = C:\Program Files\support.com\client\bin\tgcmd.exe:*:Enabled:tgcmd Module -- (Support.com, Inc.)
"C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE" = C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE:*:Enabled:Microsoft Office Word -- (Microsoft Corporation)
"D:\Program Files\LimeWire\LimeWire.exe" = D:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire -- (Lime Wire, LLC)
"D:\Program Files\realplay.exe" = D:\Program Files\realplay.exe:*:Enabled:RealPlayer -- (RealNetworks, Inc.)
"D:\Program Files\iTunes\iTunes.exe" = D:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)
"D:\Program Files\American Airlines DealFinder\American_Airlines_DealFinder.exe" = D:\Program Files\American Airlines DealFinder\American_Airlines_DealFinder.exe -- (Skinkers Communications)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00000409-78E1-11D2-B60F-006097C998E7}" = Microsoft Office 2000 Premium
"{0BEDBD4E-2D34-47B5-9973-57E62B29307C}" = ATI Control Panel
"{0CB9668D-F979-4F31-B8B8-67FE90F929F8}" = Bonjour
"{0D490016-5D01-4CB3-A037-55814AC63D2E}" = Giga Pocket Hardware Library 5.5
"{0EE4030A-8FD4-4798-A21D-17E525B1F7CF}" = Corel Snapfire
"{11B569C2-4BF6-4ED0-9D17-A4273943CB24}" = Adobe Photoshop Album 2.0 Starter Edition
"{13F3917B56CD4C25848BDC69916971BB}" = DivX Converter
"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate
"{1A524CFE-DF85-4555-8BC2-0C89DBD8BC2C}" = PC Connectivity Solution
"{1CBE3804-20DF-48DA-B048-895C206E80A5}" = Microsoft SQL Server VSS Writer
"{1EB317D8-8945-4FD6-B37F-DF470317C6AB}" = VAIO Media 2.6
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{212748BB-0DA5-46DE-82A1-403736DC9F27}" = MSVC80_x86
"{23E5C72C-CC08-4EE0-9CC2-D925B232B331}" = Microsoft MSDN 2005 Express Edition - ENU
"{26A24AE4-039D-4CA4-87B4-2F83216016FF}" = Java™ 6 Update 17
"{27337663-2619-11D4-99DC-0000F49094C7}" = Memory Stick Formatter
"{2750B389-A2D2-4953-99CA-27C1F2A8E6FD}" = Microsoft SQL Server 2005 Tools Express Edition
"{2AFFFDD7-ED85-4A90-8C52-5DA9EBDC9B8F}" = Microsoft SQL Server 2005 Express Edition (SQLEXPRESS)
"{2D87E961-577B-492B-AD54-1368680FB9A7}" = Bing Maps 3D
"{315BA29D-2644-4760-B5FD-5AC04A52B8C5}" = VAIO Registration
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3AC54383-31D1-4907-961B-B12CBB1D0AE8}" = MobileMe Control Panel
"{3B24B725-D81F-442D-8CE5-2AF05A4A4CC9}" = Music Visualizer Library 1.4.00
"{3D9892BB-A751-4E48-ADC8-E4289956CE1D}" = QuickTime
"{3FC7CBBC4C1E11DCA1A752EA55D89593}" = DivX Version Checker
"{45A66726-69BC-466B-A7A4-12FCBA4883D7}" = HiJackThis
"{4BAC29B6-145B-49D0-A2FC-A79AE4F606E5}" = TaxCut New York 2008
"{4C75086F-7753-41B9-8B4C-F38DE6CC8C20}" = VAIO Remote Commander Utility 6.2
"{4D1D6640-CD43-4AD9-A52F-E48265DB28E0}" = VAIO BrightColor Wallpaper
"{4E868D3D-6EEB-4273-926C-2287236B5B79}" = 3DVIA player 5.0
"{53F5C3EE-05ED-4830-994B-50B2F0D50FCE}" = Microsoft SQL Server Setup Support Files (English)
"{58381EE3-A57D-448F-BC8E-FFC66987615E}" = TaxCut New York 2007
"{5EE7D259-D137-4438-9A5F-42F432EC0421}" = VC80CRTRedist - 8.0.50727.4053
"{5FA1C51C-6E35-42C1-B2EC-DC9FA1E20694}" = OpenMG Secure Module 3.3.01
"{61100673-2546-42E1-BF92-467B5CB2AC6D}" = DeductionPro 2008
"{6755A780-599A-11D5-A8D4-00010287680B}" = Panasonic USB R/W Driver for SD Memory Card
"{685BCC47-B8EC-45EC-BBCE-77DF2451502C}" = DVgate Plus
"{6990A2BF-D1D2-11D3-81BC-00609789C908}" = Sony Video Shared Library
"{7128C69B-8F7E-4336-8698-3FD3CDD955EC}" = VAIO Media Redistribution 2.6
"{71D6CE84-B7DC-4166-8E0D-56C1C37BFB5A}" = SonicStage 1.6.00
"{764D06D8-D8DE-411E-A1C8-D9E9380F8A84}" = Microsoft Works 7.0
"{77DCDCE3-2DED-62F3-8154-05E745472D07}" = Acrobat.com
"{7A79D11B-FD82-4A5E-834F-20173515DD14}" = VAIO Media Integrated Server 2.6
"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX Codec
"{7C2F71B2-6C73-11D6-B659-00C04F790F76}" = Click to DVD 1.3
"{82B1150E-9B37-49FC-83EB-D52197D900D0}" = Sunbelt Personal Firewall
"{85991ED2-010C-4930-96FA-52F43C2CE98A}" = Apple Mobile Device Support
"{88DA0A52-3372-4803-971A-ADFB961707E8}" = PictureGear Studio 2.0
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A5EBB62-ADE7-41E2-8884-1517DE3505D1}" = DeductionPro 2007
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel® Extreme Graphics Driver
"{8ADFC4160D694100B5B8A22DE9DCABD9}" = DivX Player
"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{903B0409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Project Professional 2003
"{90510409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Visio Professional 2003
"{91810AFC-A4F8-4EBA-A5AA-B198BBC81144}" = InterVideo WinDVD 5 for VAIO
"{91F7F3F3-CE80-48C3-8327-7D24A0A5716A}" = iTunes
"{93B80FB1-7A23-11D3-B250-00105A1F4184}" =
"{979F6A6B-4CB0-424E-8E70-AA2ED38B4CCC}" = Giga Pocket Demo Movie
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A5CC2A09-E9D3-49EC-923D-03874BBD4C2C}" = Windows Defender Signatures
"{A96E97134CA649888820BCDE5E300BBD}" = H.264 Decoder
"{AAC389499AEF40428987B3D30CFC76C9}" = MKV Splitter
"{AC60C8C1-855E-45AB-8D95-1D16F8A38E78}" = UGuide
"{AC76BA86-7AD7-1033-7B44-A90000000001}" = Adobe Reader 9
"{AEF9DC35ADDF4825B049ACBFD1C6EB37}" = AAC Decoder
"{B13A7C41581B411290FBC0395694E2A9}" = DivX Converter
"{B2D328BE-45AD-4D92-96F9-2151490A203E}" = Apple Application Support
"{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Web Player
"{BA7A3288-228D-4031-A93A-B5F6B3415E15}" = Misc
"{BAF78226-3200-4DB4-BE33-4D922A799840}" = Windows Presentation Foundation
"{BBB33AD6-BCF7-4002-B6A0-6DC679AE5C18}" = TaxCut Premium + State + Efile 2008
"{BF251EAF-8697-4E89-BF09-C998F97BBC40}" = Microsoft SQL Server Native Client
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C41300B9-185D-475E-BFEC-39EF732F19B1}" = Apple Software Update
"{CD7D5804-C157-48A6-AEE0-4A40A4B5C054}" = VAIO System Information
"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware Free Edition
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CF9A795B-2E4A-42D3-A4C4-333D5BF39350}" = TaxCut Premium + State + Efile 2007
"{D0448678-1203-4158-A58F-B3D0B616BF9E}" = Sony Certificate PCH
"{DBCC73BA-C69A-4BF5-B4BF-F07501EE7039}" = AnswerWorks 5.0 English Runtime
"{DDC146FA-73E0-4FA1-A353-841EA14BF600}" = Drag'n Drop CD+DVD
"{E1C7EF5E-3A7B-4ED4-A48B-F70F1B36EAB4}" = Corel Paint Shop Pro Photo XI
"{E68B38DE-D7DD-4FB3-A453-3F03A947EA8E}" = VAIO Help and Support
"{EA8CE34B-C4C6-41DB-9AD2-5C73AC7A9A59}" = New York Times - Times Reader
"{ECA1A3B6-898F-4DCE-9F04-714CF3BA126B}" = Adobe Flash Player 10 Plugin
"{ED2A3C11-3EA8-4380-B59C-F2C1832731B0}" = Quicken 2009
"{EEDE14A2-A5DC-459E-BB58-178EED03712F}" = Giga Pocket 5.5
"{F1CD25A0-5401-40B2-BAA9-E267408B16DF}" = Toolbox
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
"{FA11D5B5-7D0A-43E8-88C4-960F97B194DE}" = VAIO Survey Standalone
"3A5DEFA413DDE699DBA6EBE0A63534ACA524D30F" = Windows Driver Package - Nokia pccsmcfd (10/12/2007 6.85.4.0)
"3DGroove" = 3D Groove Playback Engine
"Adobe AIR" = Adobe AIR
"Adobe Atmosphere Player" = Adobe Atmosphere Player for Acrobat and Adobe Reader
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Shockwave Player" = Adobe Shockwave Player
"Agere Systems Soft Modem" = Agere Systems AC'97 Modem
"All ATI Software" = ATI - Software Uninstall Utility
"American Airlines DealFinder" = American Airlines DealFinder (remove only)
"ATI Display Driver" = ATI Display Driver
"Autodesk DWF Viewer" = Autodesk DWF Viewer
"Avira AntiVir Desktop" = Avira AntiVir Personal - Free Antivirus
"AviSynth" = AviSynth 2.5
"C5A76DC11BABDA0A881E7BE8DDEB641365A77FFD" = Windows Driver Package - Nokia Modem (05/22/2008 3.8)
"CAL" = Canon Camera Access Library
"CameraWindowDVC5" = Canon Camera Window DC_DV 5 for ZoomBrowser EX
"CameraWindowDVC6" = Canon Camera Window DC_DV 6 for ZoomBrowser EX
"CameraWindowMC" = Canon Camera Window MC 6 for ZoomBrowser EX
"Canon G.726 WMP-Decoder" = Canon G.726 WMP-Decoder
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"Coupon Printer for Windows4.0" = Coupon Printer for Windows
"CSCLIB" = Canon Camera Support Core Library
"CutePDF Writer Installation" = CutePDF Writer 2.8
"DeductionPro 2006" = DeductionPro 2006
"DivX Content Uploader" = DivX Content Uploader
"DivX Plus DirectShow Filters" = DivX Plus DirectShow Filters
"eMusic Promotion" = eMusic - 50 Free MP3 offer
"EOS Utility" = Canon Utilities EOS Utility
"HijackThis" = HijackThis 2.0.2
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"InstallShield_{315BA29D-2644-4760-B5FD-5AC04A52B8C5}" = VAIO Registration
"InstallShield_{54DE0B75-6CD9-44C4-B10A-1F25DA9899D8}" = Quicken 2004
"InstallShield_{E68B38DE-D7DD-4FB3-A453-3F03A947EA8E}" = VAIO Help and Support
"InstallShield_{FA11D5B5-7D0A-43E8-88C4-960F97B194DE}" = VAIO Survey Standalone
"LimeWire" = LimeWire 5.5.8
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft MSDN 2005 Express Edition - ENU" = Microsoft MSDN 2005 Express Edition - ENU
"Microsoft SQL Server 2005" = Microsoft SQL Server 2005
"MoodLogic" = MoodLogic
"MovieEditTask" = Canon MovieEdit Task for ZoomBrowser EX
"Mozilla Firefox (3.0.5)" = Mozilla Firefox (3.0.5)
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"NVIDIA" = NVIDIA Windows 2000/XP Display Drivers
"Offshore Navigator Lite" = Maptech Chartbook Companion CD (with Offshore Navigator Lite)
"Pdf995" = Pdf995 (installed by TaxCut)
"PdfEdit995" = PdfEdit995 (installed by TaxCut)
"PhotoStitch" = Canon Utilities PhotoStitch
"PROSet" = Intel® PRO Network Adapters and Drivers
"RAW Image Task" = Canon RAW Image Task for ZoomBrowser EX
"RealPlayer 6.0" = RealPlayer
"RemoteCaptureTask" = Canon RemoteCapture Task for ZoomBrowser EX
"SequoiaView" = SequoiaView
"ST6UNST #1" = WDSuite V9.0
"TaxCut Premium 2006" = TaxCut Premium 2006
"VAIO Support" = VAIO Support
"WIC" = Windows Imaging Component
"Winamp" = Winamp
"Windows Media Format Runtime" = Windows Media Format Runtime
"Windows XP Service Pack" = Windows XP Service Pack 2
"WinRAR archiver" = WinRAR archiver
"WinZip" = WinZip
"XpsEPSC" = XML Paper Specification Shared Components Pack 1.0
"Year of Audi" = Year of Audi Screen Saver
"ZoomBrowser EX" = Canon Utilities ZoomBrowser EX

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-2386598982-814884606-4127854664-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Move Media Player" = Move Media Player
"Winamp Detect" = Winamp Application Detect

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 8/4/2010 6:38:32 AM | Computer Name = DOUG | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: Continuously busy for more than a second

Error - 8/4/2010 6:38:32 AM | Computer Name = DOUG | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledEvent 9940391

Error - 8/4/2010 6:38:32 AM | Computer Name = DOUG | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledSPRetry 9940391

Error - 8/4/2010 6:44:55 AM | Computer Name = DOUG | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: A connection with the server could not be established

Error - 8/4/2010 9:14:08 PM | Computer Name = DOUG | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: A connection with the server could not be established

Error - 8/5/2010 9:50:46 PM | Computer Name = DOUG | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: A connection with the server could not be established

Error - 8/5/2010 10:25:26 PM | Computer Name = DOUG | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: A connection with the server could not be established

Error - 8/5/2010 10:45:52 PM | Computer Name = DOUG | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This operation returned because the timeout period expired.

Error - 8/6/2010 8:09:28 PM | Computer Name = DOUG | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: A connection with the server could not be established

Error - 8/7/2010 5:34:01 PM | Computer Name = DOUG | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: A connection with the server could not be established

[ System Events ]
Error - 8/2/2010 9:43:44 PM | Computer Name = DOUG | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126

Error - 8/4/2010 12:22:51 AM | Computer Name = DOUG | Source = Service Control Manager | ID = 7000
Description = The SASDIFSV service failed to start due to the following error: %%183

Error - 8/4/2010 9:30:14 PM | Computer Name = DOUG | Source = Windows Update Agent | ID = 16
Description = Unable to Connect: Windows is unable to connect to the automatic updates
service and therefore cannot download and install updates according to the set
schedule. Windows will continue to try to establish a connection.

Error - 8/5/2010 9:54:55 PM | Computer Name = DOUG | Source = Service Control Manager | ID = 7000
Description = The SASDIFSV service failed to start due to the following error: %%183

Error - 8/5/2010 9:55:13 PM | Computer Name = DOUG | Source = Service Control Manager | ID = 7000
Description = The SASDIFSV service failed to start due to the following error: %%183

Error - 8/5/2010 9:56:08 PM | Computer Name = DOUG | Source = Service Control Manager | ID = 7000
Description = The SASDIFSV service failed to start due to the following error: %%183

Error - 8/6/2010 8:14:48 PM | Computer Name = DOUG | Source = Service Control Manager | ID = 7000
Description = The SASDIFSV service failed to start due to the following error: %%183

Error - 8/6/2010 8:14:58 PM | Computer Name = DOUG | Source = Service Control Manager | ID = 7000
Description = The SASDIFSV service failed to start due to the following error: %%183

Error - 8/6/2010 8:15:23 PM | Computer Name = DOUG | Source = Service Control Manager | ID = 7000
Description = The SASDIFSV service failed to start due to the following error: %%183

Error - 8/6/2010 9:30:15 PM | Computer Name = DOUG | Source = Windows Update Agent | ID = 16
Description = Unable to Connect: Windows is unable to connect to the automatic updates
service and therefore cannot download and install updates according to the set
schedule. Windows will continue to try to establish a connection.


< End of report >

#4 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,779 posts
  • OFFLINE
  • Gender:Female
  • Location:At home
  • Local time:10:48 PM

Posted 07 August 2010 - 05:17 PM

Hi,

please try running gmer next:

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!



#5 montfish

montfish
  • Topic Starter

  • Members
  • 30 posts
  • OFFLINE
  • Local time:03:48 PM

Posted 08 August 2010 - 09:52 AM

Hi Myrti.

I've had some problems running gmer. I ran it a couple of times, and each time, about midway through, I received a dialogue box with the error "dwwin.exe - Application Error. The application failed to initialize properly (0x0000005). Click OK to terminate this application." The scan continued to run behind this message. I was able to save the log, but I was unable to copy using gmer's copy button. I am posting the results of the scan that I was able to save as gmer.log.

Thanks.


GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-08-08 10:25:53
Windows 5.1.2600 Service Pack 2
Running: xbrpn2ln.exe; Driver: C:\DOCUME~1\DOUGFI~1\LOCALS~1\Temp\pxtdapod.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\drivers\SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.) ZwClose [0xA8F27160]
SSDT \SystemRoot\system32\drivers\SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.) ZwCreateFile [0xA8F26868]
SSDT A8CDB8B6 ZwCreateKey
SSDT \SystemRoot\system32\drivers\SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.) ZwCreateProcess [0xA8F25E90]
SSDT \SystemRoot\system32\drivers\SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.) ZwCreateProcessEx [0xA8F25D9C]
SSDT A8CDB8AC ZwCreateThread
SSDT \SystemRoot\system32\drivers\SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.) ZwDeleteFile [0xA8F27210]
SSDT A8CDB8BB ZwDeleteKey
SSDT A8CDB8C5 ZwDeleteValueKey
SSDT \SystemRoot\system32\drivers\sbhips.sys (Sunbelt Personal Firewall Host Intrusion Prevention Driver/Sunbelt Software, Inc.) ZwLoadDriver [0xF741001C]
SSDT A8CDB8CA ZwLoadKey
SSDT \SystemRoot\system32\drivers\sbhips.sys (Sunbelt Personal Firewall Host Intrusion Prevention Driver/Sunbelt Software, Inc.) ZwMapViewOfSection [0xF7410168]
SSDT \SystemRoot\system32\drivers\SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.) ZwOpenFile [0xA8F26B54]
SSDT \SystemRoot\system32\drivers\SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.) ZwOpenKey [0xA8F235CA]
SSDT A8CDB898 ZwOpenProcess
SSDT A8CDB89D ZwOpenThread
SSDT A8CDB8D4 ZwReplaceKey
SSDT A8CDB8CF ZwRestoreKey
SSDT \SystemRoot\system32\drivers\SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.) ZwResumeThread [0xA8F264EC]
SSDT \SystemRoot\system32\drivers\SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.) ZwSetInformationFile [0xA8F26E8C]
SSDT A8CDB8C0 ZwSetValueKey
SSDT \??\D:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xA867D950]
SSDT \SystemRoot\system32\drivers\SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.) ZwWriteFile [0xA8F26DE0]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[156] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 000B01A8
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[156] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 000B0090
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[156] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 000B0694
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[156] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 000B02C0
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[156] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 000B0234
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[156] kernel32.dll!VirtualAlloc 7C809A61 5 Bytes JMP 000B0004
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[156] kernel32.dll!VirtualAllocEx 7C809A82 5 Bytes JMP 000B011C
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[156] kernel32.dll!CreateRemoteThread 7C81043C 5 Bytes JMP 000B04F0
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[156] kernel32.dll!CreateThread 7C810647 5 Bytes JMP 000B057C
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[156] kernel32.dll!CreateProcessInternalW 7C819527 5 Bytes JMP 000B03D8
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[156] kernel32.dll!CreateProcessInternalA 7C81DDE6 5 Bytes JMP 000B034C
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[156] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 000B0464
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[156] kernel32.dll!SetThreadContext 7C862C89 5 Bytes JMP 000B0608
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[156] USER32.dll!SetWindowsHookExW 7E42DDB5 5 Bytes JMP 000B07AC
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[156] USER32.dll!SetWindowsHookExA 7E4311D1 5 Bytes JMP 000B0720
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[156] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 000B08C4
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[156] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 000B0838
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[156] WS2_32.dll!connect 71AB406A 5 Bytes JMP 000B0950
.text D:\Program Files\Avira\AntiVir Desktop\sched.exe[164] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001301A8
.text D:\Program Files\Avira\AntiVir Desktop\sched.exe[164] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00130090
.text D:\Program Files\Avira\AntiVir Desktop\sched.exe[164] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00130694
.text D:\Program Files\Avira\AntiVir Desktop\sched.exe[164] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001302C0
.text D:\Program Files\Avira\AntiVir Desktop\sched.exe[164] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00130234
.text D:\Program Files\Avira\AntiVir Desktop\sched.exe[164] kernel32.dll!VirtualAlloc 7C809A61 5 Bytes JMP 00130004
.text D:\Program Files\Avira\AntiVir Desktop\sched.exe[164] kernel32.dll!VirtualAllocEx 7C809A82 5 Bytes JMP 0013011C
.text D:\Program Files\Avira\AntiVir Desktop\sched.exe[164] kernel32.dll!CreateRemoteThread 7C81043C 5 Bytes JMP 001304F0
.text D:\Program Files\Avira\AntiVir Desktop\sched.exe[164] kernel32.dll!CreateThread 7C810647 5 Bytes JMP 0013057C
.text D:\Program Files\Avira\AntiVir Desktop\sched.exe[164] kernel32.dll!CreateProcessInternalW 7C819527 5 Bytes JMP 001303D8
.text D:\Program Files\Avira\AntiVir Desktop\sched.exe[164] kernel32.dll!CreateProcessInternalA 7C81DDE6 5 Bytes JMP 0013034C
.text D:\Program Files\Avira\AntiVir Desktop\sched.exe[164] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00130464
.text D:\Program Files\Avira\AntiVir Desktop\sched.exe[164] kernel32.dll!SetThreadContext 7C862C89 5 Bytes JMP 00130608
.text D:\Program Files\Avira\AntiVir Desktop\sched.exe[164] USER32.dll!SetWindowsHookExW 7E42DDB5 5 Bytes JMP 001307AC
.text D:\Program Files\Avira\AntiVir Desktop\sched.exe[164] USER32.dll!SetWindowsHookExA 7E4311D1 5 Bytes JMP 00130720
.text D:\Program Files\Avira\AntiVir Desktop\sched.exe[164] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 001308C4
.text D:\Program Files\Avira\AntiVir Desktop\sched.exe[164] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 00130838
.text D:\Program Files\Avira\AntiVir Desktop\sched.exe[164] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00130950
.text C:\WINDOWS\Explorer.EXE[360] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 000801A8
.text C:\WINDOWS\Explorer.EXE[360] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00080090
.text C:\WINDOWS\Explorer.EXE[360] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00080694
.text C:\WINDOWS\Explorer.EXE[360] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 000802C0
.text C:\WINDOWS\Explorer.EXE[360] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00080234
.text C:\WINDOWS\Explorer.EXE[360] kernel32.dll!VirtualAlloc 7C809A61 5 Bytes JMP 00080004
.text C:\WINDOWS\Explorer.EXE[360] kernel32.dll!VirtualAllocEx 7C809A82 5 Bytes JMP 0008011C
.text C:\WINDOWS\Explorer.EXE[360] kernel32.dll!CreateRemoteThread 7C81043C 5 Bytes JMP 000804F0
.text C:\WINDOWS\Explorer.EXE[360] kernel32.dll!CreateThread 7C810647 5 Bytes JMP 0008057C
.text C:\WINDOWS\Explorer.EXE[360] kernel32.dll!CreateProcessInternalW 7C819527 5 Bytes JMP 000803D8
.text C:\WINDOWS\Explorer.EXE[360] kernel32.dll!CreateProcessInternalA 7C81DDE6 5 Bytes JMP 0008034C
.text C:\WINDOWS\Explorer.EXE[360] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00080464
.text C:\WINDOWS\Explorer.EXE[360] kernel32.dll!SetThreadContext 7C862C89 5 Bytes JMP 00080608
.text C:\WINDOWS\Explorer.EXE[360] USER32.dll!SetWindowsHookExW 7E42DDB5 5 Bytes JMP 000807AC
.text C:\WINDOWS\Explorer.EXE[360] USER32.dll!SetWindowsHookExA 7E4311D1 5 Bytes JMP 00080720
.text C:\WINDOWS\Explorer.EXE[360] WININET.dll!InternetConnectA 3D94B0D2 5 Bytes JMP 00080F54
.text C:\WINDOWS\Explorer.EXE[360] WININET.dll!InternetConnectW 3D94C2C0 5 Bytes JMP 00080FE0
.text C:\WINDOWS\Explorer.EXE[360] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 00080D24
.text C:\WINDOWS\Explorer.EXE[360] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 00080DB0
.text C:\WINDOWS\Explorer.EXE[360] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 00080E3C
.text C:\WINDOWS\Explorer.EXE[360] WININET.dll!InternetOpenUrlW 3D998439 5 Bytes JMP 00080EC8
.text C:\WINDOWS\Explorer.EXE[360] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 000808C4
.text C:\WINDOWS\Explorer.EXE[360] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 00080838
.text C:\WINDOWS\Explorer.EXE[360] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00080950
.text C:\WINDOWS\System32\svchost.exe[540] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 000801A8
.text C:\WINDOWS\System32\svchost.exe[540] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00080090
.text C:\WINDOWS\System32\svchost.exe[540] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00080694
.text C:\WINDOWS\System32\svchost.exe[540] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 000802C0
.text C:\WINDOWS\System32\svchost.exe[540] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00080234
.text C:\WINDOWS\System32\svchost.exe[540] kernel32.dll!VirtualAlloc 7C809A61 5 Bytes JMP 00080004
.text C:\WINDOWS\System32\svchost.exe[540] kernel32.dll!VirtualAllocEx 7C809A82 5 Bytes JMP 0008011C
.text C:\WINDOWS\System32\svchost.exe[540] kernel32.dll!CreateRemoteThread 7C81043C 5 Bytes JMP 000804F0
.text C:\WINDOWS\System32\svchost.exe[540] kernel32.dll!CreateThread 7C810647 5 Bytes JMP 0008057C
.text C:\WINDOWS\System32\svchost.exe[540] kernel32.dll!CreateProcessInternalW 7C819527 5 Bytes JMP 000803D8
.text C:\WINDOWS\System32\svchost.exe[540] kernel32.dll!CreateProcessInternalA 7C81DDE6 5 Bytes JMP 0008034C
.text C:\WINDOWS\System32\svchost.exe[540] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00080464
.text C:\WINDOWS\System32\svchost.exe[540] kernel32.dll!SetThreadContext 7C862C89 5 Bytes JMP 00080608
.text C:\WINDOWS\System32\svchost.exe[540] USER32.dll!SetWindowsHookExW 7E42DDB5 5 Bytes JMP 000807AC
.text C:\WINDOWS\System32\svchost.exe[540] USER32.dll!SetWindowsHookExA 7E4311D1 5 Bytes JMP 00080720
.text C:\WINDOWS\System32\svchost.exe[540] WININET.dll!InternetConnectA 3D94B0D2 5 Bytes JMP 00080F54
.text C:\WINDOWS\System32\svchost.exe[540] WININET.dll!InternetConnectW 3D94C2C0 5 Bytes JMP 00080FE0
.text C:\WINDOWS\System32\svchost.exe[540] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 00080D24
.text C:\WINDOWS\System32\svchost.exe[540] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 00080DB0
.text C:\WINDOWS\System32\svchost.exe[540] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 00080E3C
.text C:\WINDOWS\System32\svchost.exe[540] WININET.dll!InternetOpenUrlW 3D998439 5 Bytes JMP 00080EC8
.text C:\WINDOWS\System32\svchost.exe[540] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 000808C4
.text C:\WINDOWS\System32\svchost.exe[540] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 00080838
.text C:\WINDOWS\System32\svchost.exe[540] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00080950
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[656] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001301A8
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[656] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00130090
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[656] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00130694
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[656] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001302C0
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[656] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00130234
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[656] kernel32.dll!VirtualAlloc 7C809A61 5 Bytes JMP 00130004
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[656] kernel32.dll!VirtualAllocEx 7C809A82 5 Bytes JMP 0013011C
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[656] kernel32.dll!CreateRemoteThread 7C81043C 5 Bytes JMP 001304F0
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[656] kernel32.dll!CreateThread 7C810647 5 Bytes JMP 0013057C
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[656] kernel32.dll!CreateProcessInternalW 7C819527 5 Bytes JMP 001303D8
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[656] kernel32.dll!CreateProcessInternalA 7C81DDE6 5 Bytes JMP 0013034C
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[656] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00130464
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[656] kernel32.dll!SetThreadContext 7C862C89 5 Bytes JMP 00130608
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[656] USER32.dll!SetWindowsHookExW 7E42DDB5 5 Bytes JMP 001307AC
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[656] USER32.dll!SetWindowsHookExA 7E4311D1 5 Bytes JMP 00130720
.text C:\WINDOWS\AGRSMMSG.exe[688] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001301A8
.text C:\WINDOWS\AGRSMMSG.exe[688] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00130090
.text C:\WINDOWS\AGRSMMSG.exe[688] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00130694
.text C:\WINDOWS\AGRSMMSG.exe[688] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001302C0
.text C:\WINDOWS\AGRSMMSG.exe[688] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00130234
.text C:\WINDOWS\AGRSMMSG.exe[688] kernel32.dll!VirtualAlloc 7C809A61 5 Bytes JMP 00130004
.text C:\WINDOWS\AGRSMMSG.exe[688] kernel32.dll!VirtualAllocEx 7C809A82 5 Bytes JMP 0013011C
.text C:\WINDOWS\AGRSMMSG.exe[688] kernel32.dll!CreateRemoteThread 7C81043C 5 Bytes JMP 001304F0
.text C:\WINDOWS\AGRSMMSG.exe[688] kernel32.dll!CreateThread 7C810647 5 Bytes JMP 0013057C
.text C:\WINDOWS\AGRSMMSG.exe[688] kernel32.dll!CreateProcessInternalW 7C819527 5 Bytes JMP 001303D8
.text C:\WINDOWS\AGRSMMSG.exe[688] kernel32.dll!CreateProcessInternalA 7C81DDE6 5 Bytes JMP 0013034C
.text C:\WINDOWS\AGRSMMSG.exe[688] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00130464
.text C:\WINDOWS\AGRSMMSG.exe[688] kernel32.dll!SetThreadContext 7C862C89 5 Bytes JMP 00130608
.text C:\WINDOWS\AGRSMMSG.exe[688] USER32.dll!SetWindowsHookExW 7E42DDB5 5 Bytes JMP 001307AC
.text C:\WINDOWS\AGRSMMSG.exe[688] USER32.dll!SetWindowsHookExA 7E4311D1 5 Bytes JMP 00130720
.text C:\program files\support.com\client\bin\tgcmd.exe[704] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001301A8
.text C:\program files\support.com\client\bin\tgcmd.exe[704] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00130090
.text C:\program files\support.com\client\bin\tgcmd.exe[704] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00130694
.text C:\program files\support.com\client\bin\tgcmd.exe[704] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001302C0
.text C:\program files\support.com\client\bin\tgcmd.exe[704] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00130234
.text C:\program files\support.com\client\bin\tgcmd.exe[704] kernel32.dll!VirtualAlloc 7C809A61 5 Bytes JMP 00130004
.text C:\program files\support.com\client\bin\tgcmd.exe[704] kernel32.dll!VirtualAllocEx 7C809A82 5 Bytes JMP 0013011C
.text C:\program files\support.com\client\bin\tgcmd.exe[704] kernel32.dll!CreateRemoteThread 7C81043C 5 Bytes JMP 001304F0
.text C:\program files\support.com\client\bin\tgcmd.exe[704] kernel32.dll!CreateThread 7C810647 5 Bytes JMP 0013057C
.text C:\program files\support.com\client\bin\tgcmd.exe[704] kernel32.dll!CreateProcessInternalW 7C819527 5 Bytes JMP 001303D8
.text C:\program files\support.com\client\bin\tgcmd.exe[704] kernel32.dll!CreateProcessInternalA 7C81DDE6 5 Bytes JMP 0013034C
.text C:\program files\support.com\client\bin\tgcmd.exe[704] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00130464
.text C:\program files\support.com\client\bin\tgcmd.exe[704] kernel32.dll!SetThreadContext 7C862C89 5 Bytes JMP 00130608
.text C:\program files\support.com\client\bin\tgcmd.exe[704] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 001308C4
.text C:\program files\support.com\client\bin\tgcmd.exe[704] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 00130838
.text C:\program files\support.com\client\bin\tgcmd.exe[704] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00130950
.text C:\program files\support.com\client\bin\tgcmd.exe[704] USER32.dll!SetWindowsHookExW 7E42DDB5 5 Bytes JMP 001307AC
.text C:\program files\support.com\client\bin\tgcmd.exe[704] USER32.dll!SetWindowsHookExA 7E4311D1 5 Bytes JMP 00130720
.text C:\program files\support.com\client\bin\tgcmd.exe[704] WININET.DLL!InternetConnectA 3D94B0D2 5 Bytes JMP 00130F54
.text C:\program files\support.com\client\bin\tgcmd.exe[704] WININET.DLL!InternetConnectW 3D94C2C0 5 Bytes JMP 00130FE0
.text C:\program files\support.com\client\bin\tgcmd.exe[704] WININET.DLL!InternetOpenA 3D953081 5 Bytes JMP 00130D24
.text C:\program files\support.com\client\bin\tgcmd.exe[704] WININET.DLL!InternetOpenW 3D9536B1 5 Bytes JMP 00130DB0
.text C:\program files\support.com\client\bin\tgcmd.exe[704] WININET.DLL!InternetOpenUrlA 3D956F5A 5 Bytes JMP 00130E3C
.text C:\program files\support.com\client\bin\tgcmd.exe[704] WININET.DLL!InternetOpenUrlW 3D998439 5 Bytes JMP 00130EC8
.text D:\Program Files\Avira\AntiVir Desktop\avgnt.exe[740] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001301A8
.text D:\Program Files\Avira\AntiVir Desktop\avgnt.exe[740] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00130090
.text D:\Program Files\Avira\AntiVir Desktop\avgnt.exe[740] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00130694
.text D:\Program Files\Avira\AntiVir Desktop\avgnt.exe[740] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001302C0
.text D:\Program Files\Avira\AntiVir Desktop\avgnt.exe[740] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00130234
.text D:\Program Files\Avira\AntiVir Desktop\avgnt.exe[740] kernel32.dll!VirtualAlloc 7C809A61 5 Bytes JMP 00130004
.text D:\Program Files\Avira\AntiVir Desktop\avgnt.exe[740] kernel32.dll!VirtualAllocEx 7C809A82 5 Bytes JMP 0013011C
.text D:\Program Files\Avira\AntiVir Desktop\avgnt.exe[740] kernel32.dll!CreateRemoteThread 7C81043C 5 Bytes JMP 001304F0
.text D:\Program Files\Avira\AntiVir Desktop\avgnt.exe[740] kernel32.dll!CreateThread 7C810647 5 Bytes JMP 0013057C
.text D:\Program Files\Avira\AntiVir Desktop\avgnt.exe[740] kernel32.dll!CreateProcessInternalW 7C819527 5 Bytes JMP 001303D8
.text D:\Program Files\Avira\AntiVir Desktop\avgnt.exe[740] kernel32.dll!CreateProcessInternalA 7C81DDE6 5 Bytes JMP 0013034C
.text D:\Program Files\Avira\AntiVir Desktop\avgnt.exe[740] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00130464
.text D:\Program Files\Avira\AntiVir Desktop\avgnt.exe[740] kernel32.dll!SetThreadContext 7C862C89 5 Bytes JMP 00130608
.text D:\Program Files\Avira\AntiVir Desktop\avgnt.exe[740] USER32.dll!SetWindowsHookExW 7E42DDB5 5 Bytes JMP 001307AC
.text D:\Program Files\Avira\AntiVir Desktop\avgnt.exe[740] USER32.dll!SetWindowsHookExA 7E4311D1 5 Bytes JMP 00130720
.text C:\WINDOWS\system32\sdpasvc.exe[756] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001301A8
.text C:\WINDOWS\system32\sdpasvc.exe[756] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00130090
.text C:\WINDOWS\system32\sdpasvc.exe[756] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00130694
.text C:\WINDOWS\system32\sdpasvc.exe[756] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001302C0
.text C:\WINDOWS\system32\sdpasvc.exe[756] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00130234
.text C:\WINDOWS\system32\sdpasvc.exe[756] kernel32.dll!VirtualAlloc 7C809A61 5 Bytes JMP 00130004
.text C:\WINDOWS\system32\sdpasvc.exe[756] kernel32.dll!VirtualAllocEx 7C809A82 5 Bytes JMP 0013011C
.text C:\WINDOWS\system32\sdpasvc.exe[756] kernel32.dll!CreateRemoteThread 7C81043C 5 Bytes JMP 001304F0
.text C:\WINDOWS\system32\sdpasvc.exe[756] kernel32.dll!CreateThread 7C810647 5 Bytes JMP 0013057C
.text C:\WINDOWS\system32\sdpasvc.exe[756] kernel32.dll!CreateProcessInternalW 7C819527 5 Bytes JMP 001303D8
.text C:\WINDOWS\system32\sdpasvc.exe[756] kernel32.dll!CreateProcessInternalA 7C81DDE6 5 Bytes JMP 0013034C
.text C:\WINDOWS\system32\sdpasvc.exe[756] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00130464
.text C:\WINDOWS\system32\sdpasvc.exe[756] kernel32.dll!SetThreadContext 7C862C89 5 Bytes JMP 00130608
.text C:\WINDOWS\System32\tcpsvcs.exe[800] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 000801A8
.text C:\WINDOWS\System32\tcpsvcs.exe[800] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00080090
.text C:\WINDOWS\System32\tcpsvcs.exe[800] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00080694
.text C:\WINDOWS\System32\tcpsvcs.exe[800] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 000802C0
.text C:\WINDOWS\System32\tcpsvcs.exe[800] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00080234
.text C:\WINDOWS\System32\tcpsvcs.exe[800] kernel32.dll!VirtualAlloc 7C809A61 5 Bytes JMP 00080004
.text C:\WINDOWS\System32\tcpsvcs.exe[800] kernel32.dll!VirtualAllocEx 7C809A82 5 Bytes JMP 0008011C
.text C:\WINDOWS\System32\tcpsvcs.exe[800] kernel32.dll!CreateRemoteThread 7C81043C 5 Bytes JMP 000804F0
.text C:\WINDOWS\System32\tcpsvcs.exe[800] kernel32.dll!CreateThread 7C810647 5 Bytes JMP 0008057C
.text C:\WINDOWS\System32\tcpsvcs.exe[800] kernel32.dll!CreateProcessInternalW 7C819527 5 Bytes JMP 000803D8
.text C:\WINDOWS\System32\tcpsvcs.exe[800] kernel32.dll!CreateProcessInternalA 7C81DDE6 5 Bytes JMP 0008034C
.text C:\WINDOWS\System32\tcpsvcs.exe[800] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00080464
.text C:\WINDOWS\System32\tcpsvcs.exe[800] kernel32.dll!SetThreadContext 7C862C89 5 Bytes JMP 00080608
.text C:\WINDOWS\System32\tcpsvcs.exe[800] USER32.dll!SetWindowsHookExW 7E42DDB5 5 Bytes JMP 000807AC
.text C:\WINDOWS\System32\tcpsvcs.exe[800] USER32.dll!SetWindowsHookExA 7E4311D1 5 Bytes JMP 00080720
.text C:\WINDOWS\System32\tcpsvcs.exe[800] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 000808C4
.text C:\WINDOWS\System32\tcpsvcs.exe[800] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 00080838
.text C:\WINDOWS\System32\tcpsvcs.exe[800] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00080950
.text D:\Program Files\Java\jre6\bin\jusched.exe[844] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001301A8
.text D:\Program Files\Java\jre6\bin\jusched.exe[844] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00130090
.text D:\Program Files\Java\jre6\bin\jusched.exe[844] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00130694
.text D:\Program Files\Java\jre6\bin\jusched.exe[844] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001302C0
.text D:\Program Files\Java\jre6\bin\jusched.exe[844] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00130234
.text D:\Program Files\Java\jre6\bin\jusched.exe[844] kernel32.dll!VirtualAlloc 7C809A61 5 Bytes JMP 00130004
.text D:\Program Files\Java\jre6\bin\jusched.exe[844] kernel32.dll!VirtualAllocEx 7C809A82 5 Bytes JMP 0013011C
.text D:\Program Files\Java\jre6\bin\jusched.exe[844] kernel32.dll!CreateRemoteThread 7C81043C 5 Bytes JMP 001304F0
.text D:\Program Files\Java\jre6\bin\jusched.exe[844] kernel32.dll!CreateThread 7C810647 5 Bytes JMP 0013057C
.text D:\Program Files\Java\jre6\bin\jusched.exe[844] kernel32.dll!CreateProcessInternalW 7C819527 5 Bytes JMP 001303D8
.text D:\Program Files\Java\jre6\bin\jusched.exe[844] kernel32.dll!CreateProcessInternalA 7C81DDE6 5 Bytes JMP 0013034C
.text D:\Program Files\Java\jre6\bin\jusched.exe[844] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00130464
.text D:\Program Files\Java\jre6\bin\jusched.exe[844] kernel32.dll!SetThreadContext 7C862C89 5 Bytes JMP 00130608
.text D:\Program Files\Java\jre6\bin\jusched.exe[844] USER32.dll!SetWindowsHookExW 7E42DDB5 5 Bytes JMP 001307AC
.text D:\Program Files\Java\jre6\bin\jusched.exe[844] USER32.dll!SetWindowsHookExA 7E4311D1 5 Bytes JMP 00130720
.text D:\Program Files\Java\jre6\bin\jusched.exe[844] WININET.dll!InternetConnectA 3D94B0D2 5 Bytes JMP 00130F54
.text D:\Program Files\Java\jre6\bin\jusched.exe[844] WININET.dll!InternetConnectW 3D94C2C0 5 Bytes JMP 00130FE0
.text D:\Program Files\Java\jre6\bin\jusched.exe[844] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 00130D24
.text D:\Program Files\Java\jre6\bin\jusched.exe[844] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 00130DB0
.text D:\Program Files\Java\jre6\bin\jusched.exe[844] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 00130E3C
.text D:\Program Files\Java\jre6\bin\jusched.exe[844] WININET.dll!InternetOpenUrlW 3D998439 5 Bytes JMP 00130EC8
.text C:\WINDOWS\system32\ezSP_Px.exe[852] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001301A8
.text C:\WINDOWS\system32\ezSP_Px.exe[852] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00130090
.text C:\WINDOWS\system32\ezSP_Px.exe[852] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00130694
.text C:\WINDOWS\system32\ezSP_Px.exe[852] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001302C0
.text C:\WINDOWS\system32\ezSP_Px.exe[852] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00130234
.text C:\WINDOWS\system32\ezSP_Px.exe[852] kernel32.dll!VirtualAlloc 7C809A61 5 Bytes JMP 00130004
.text C:\WINDOWS\system32\ezSP_Px.exe[852] kernel32.dll!VirtualAllocEx 7C809A82 5 Bytes JMP 0013011C
.text C:\WINDOWS\system32\ezSP_Px.exe[852] kernel32.dll!CreateRemoteThread 7C81043C 5 Bytes JMP 001304F0
.text C:\WINDOWS\system32\ezSP_Px.exe[852] kernel32.dll!CreateThread 7C810647 5 Bytes JMP 0013057C
.text C:\WINDOWS\system32\ezSP_Px.exe[852] kernel32.dll!CreateProcessInternalW 7C819527 5 Bytes JMP 001303D8
.text C:\WINDOWS\system32\ezSP_Px.exe[852] kernel32.dll!CreateProcessInternalA 7C81DDE6 5 Bytes JMP 0013034C
.text C:\WINDOWS\system32\ezSP_Px.exe[852] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00130464
.text C:\WINDOWS\system32\ezSP_Px.exe[852] kernel32.dll!SetThreadContext 7C862C89 5 Bytes JMP 00130608
.text C:\WINDOWS\system32\ezSP_Px.exe[852] USER32.dll!SetWindowsHookExW 7E42DDB5 5 Bytes JMP 001307AC
.text C:\WINDOWS\system32\ezSP_Px.exe[852] USER32.dll!SetWindowsHookExA 7E4311D1 5 Bytes JMP 00130720
.text D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[856] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 000301A8
.text D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[856] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00030090
.text D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[856] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00030694
.text D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[856] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 000302C0
.text D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[856] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00030234
.text D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[856] kernel32.dll!VirtualAlloc 7C809A61 5 Bytes JMP 00030004
.text D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[856] kernel32.dll!VirtualAllocEx 7C809A82 5 Bytes JMP 0003011C
.text D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[856] kernel32.dll!CreateRemoteThread 7C81043C 5 Bytes JMP 000304F0
.text D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[856] kernel32.dll!CreateThread 7C810647 5 Bytes JMP 0003057C
.text D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[856] kernel32.dll!CreateProcessInternalW 7C819527 5 Bytes JMP 000303D8
.text D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[856] kernel32.dll!CreateProcessInternalA 7C81DDE6 5 Bytes JMP 0003034C
.text D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[856] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00030464
.text D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[856] kernel32.dll!SetThreadContext 7C862C89 5 Bytes JMP 00030608
.text D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[856] USER32.dll!SetWindowsHookExW 7E42DDB5 5 Bytes JMP 000307AC
.text D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[856] USER32.dll!SetWindowsHookExA 7E4311D1 5 Bytes JMP 00030720
.text D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[856] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 000308C4
.text D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[856] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 00030838
.text D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[856] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00030950
.text D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[856] WININET.dll!InternetConnectA 3D94B0D2 5 Bytes JMP 00030F54
.text D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[856] WININET.dll!InternetConnectW 3D94C2C0 5 Bytes JMP 00030FE0
.text D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[856] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 00030D24
.text D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[856] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 00030DB0
.text D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[856] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 00030E3C
.text D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[856] WININET.dll!InternetOpenUrlW 3D998439 5 Bytes JMP 00030EC8
.text D:\Program Files\iTunes\iTunesHelper.exe[880] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001301A8
.text D:\Program Files\iTunes\iTunesHelper.exe[880] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00130090
.text D:\Program Files\iTunes\iTunesHelper.exe[880] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00130694
.text D:\Program Files\iTunes\iTunesHelper.exe[880] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001302C0
.text D:\Program Files\iTunes\iTunesHelper.exe[880] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00130234
.text D:\Program Files\iTunes\iTunesHelper.exe[880] kernel32.dll!VirtualAlloc 7C809A61 5 Bytes JMP 00130004
.text D:\Program Files\iTunes\iTunesHelper.exe[880] kernel32.dll!VirtualAllocEx 7C809A82 5 Bytes JMP 0013011C
.text D:\Program Files\iTunes\iTunesHelper.exe[880] kernel32.dll!CreateRemoteThread 7C81043C 5 Bytes JMP 001304F0
.text D:\Program Files\iTunes\iTunesHelper.exe[880] kernel32.dll!CreateThread 7C810647 5 Bytes JMP 0013057C
.text D:\Program Files\iTunes\iTunesHelper.exe[880] kernel32.dll!CreateProcessInternalW 7C819527 5 Bytes JMP 001303D8
.text D:\Program Files\iTunes\iTunesHelper.exe[880] kernel32.dll!CreateProcessInternalA 7C81DDE6 5 Bytes JMP 0013034C
.text D:\Program Files\iTunes\iTunesHelper.exe[880] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00130464
.text D:\Program Files\iTunes\iTunesHelper.exe[880] kernel32.dll!SetThreadContext 7C862C89 5 Bytes JMP 00130608
.text D:\Program Files\iTunes\iTunesHelper.exe[880] USER32.dll!SetWindowsHookExW 7E42DDB5 5 Bytes JMP 001307AC
.text D:\Program Files\iTunes\iTunesHelper.exe[880] USER32.dll!SetWindowsHookExA 7E4311D1 5 Bytes JMP 00130720
.text D:\Program Files\iTunes\iTunesHelper.exe[880] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 001308C4
.text D:\Program Files\iTunes\iTunesHelper.exe[880] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 00130838
.text D:\Program Files\iTunes\iTunesHelper.exe[880] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00130950
.text D:\Program Files\iTunes\iTunesHelper.exe[880] WININET.DLL!InternetConnectA 3D94B0D2 5 Bytes JMP 00130F54
.text D:\Program Files\iTunes\iTunesHelper.exe[880] WININET.DLL!InternetConnectW 3D94C2C0 5 Bytes JMP 00130FE0
.text D:\Program Files\iTunes\iTunesHelper.exe[880] WININET.DLL!InternetOpenA 3D953081 5 Bytes JMP 00130D24
.text D:\Program Files\iTunes\iTunesHelper.exe[880] WININET.DLL!InternetOpenW 3D9536B1 5 Bytes JMP 00130DB0
.text D:\Program Files\iTunes\iTunesHelper.exe[880] WININET.DLL!InternetOpenUrlA 3D956F5A 5 Bytes JMP 00130E3C
.text D:\Program Files\iTunes\iTunesHelper.exe[880] WININET.DLL!InternetOpenUrlW 3D998439 5 Bytes JMP 00130EC8
.text C:\WINDOWS\system32\ctfmon.exe[908] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 000801A8
.text C:\WINDOWS\system32\ctfmon.exe[908] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00080090
.text C:\WINDOWS\system32\ctfmon.exe[908] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00080694
.text C:\WINDOWS\system32\ctfmon.exe[908] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 000802C0
.text C:\WINDOWS\system32\ctfmon.exe[908] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00080234
.text C:\WINDOWS\system32\ctfmon.exe[908] kernel32.dll!VirtualAlloc 7C809A61 5 Bytes JMP 00080004
.text C:\WINDOWS\system32\ctfmon.exe[908] kernel32.dll!VirtualAllocEx 7C809A82 5 Bytes JMP 0008011C
.text C:\WINDOWS\system32\ctfmon.exe[908] kernel32.dll!CreateRemoteThread 7C81043C 5 Bytes JMP 000804F0
.text C:\WINDOWS\system32\ctfmon.exe[908] kernel32.dll!CreateThread 7C810647 5 Bytes JMP 0008057C
.text C:\WINDOWS\system32\ctfmon.exe[908] kernel32.dll!CreateProcessInternalW 7C819527 5 Bytes JMP 000803D8
.text C:\WINDOWS\system32\ctfmon.exe[908] kernel32.dll!CreateProcessInternalA 7C81DDE6 5 Bytes JMP 0008034C
.text C:\WINDOWS\system32\ctfmon.exe[908] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00080464
.text C:\WINDOWS\system32\ctfmon.exe[908] kernel32.dll!SetThreadContext 7C862C89 5 Bytes JMP 00080608
.text C:\WINDOWS\system32\ctfmon.exe[908] USER32.dll!SetWindowsHookExW 7E42DDB5 5 Bytes JMP 000807AC
.text C:\WINDOWS\system32\ctfmon.exe[908] USER32.dll!SetWindowsHookExA 7E4311D1 5 Bytes JMP 00080720
.text C:\Program Files\sony\usbsircs\usbsircs.exe[912] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001301A8
.text C:\Program Files\sony\usbsircs\usbsircs.exe[912] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00130090
.text C:\Program Files\sony\usbsircs\usbsircs.exe[912] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00130694
.text C:\Program Files\sony\usbsircs\usbsircs.exe[912] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001302C0
.text C:\Program Files\sony\usbsircs\usbsircs.exe[912] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00130234
.text C:\Program Files\sony\usbsircs\usbsircs.exe[912] kernel32.dll!VirtualAlloc 7C809A61 5 Bytes JMP 00130004
.text C:\Program Files\sony\usbsircs\usbsircs.exe[912] kernel32.dll!VirtualAllocEx 7C809A82 5 Bytes JMP 0013011C
.text C:\Program Files\sony\usbsircs\usbsircs.exe[912] kernel32.dll!CreateRemoteThread 7C81043C 5 Bytes JMP 001304F0
.text C:\Program Files\sony\usbsircs\usbsircs.exe[912] kernel32.dll!CreateThread 7C810647 5 Bytes JMP 0013057C
.text C:\Program Files\sony\usbsircs\usbsircs.exe[912] kernel32.dll!CreateProcessInternalW 7C819527 5 Bytes JMP 001303D8
.text C:\Program Files\sony\usbsircs\usbsircs.exe[912] kernel32.dll!CreateProcessInternalA 7C81DDE6 5 Bytes JMP 0013034C
.text C:\Program Files\sony\usbsircs\usbsircs.exe[912] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00130464
.text C:\Program Files\sony\usbsircs\usbsircs.exe[912] kernel32.dll!SetThreadContext 7C862C89 5 Bytes JMP 00130608
.text C:\Program Files\sony\usbsircs\usbsircs.exe[912] USER32.dll!SetWindowsHookExW 7E42DDB5 5 Bytes JMP 001307AC
.text C:\Program Files\sony\usbsircs\usbsircs.exe[912] USER32.dll!SetWindowsHookExA 7E4311D1 5 Bytes JMP 00130720
.text C:\Program Files\sony\usbsircs\usbsircs.exe[912] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 001308C4
.text C:\Program Files\sony\usbsircs\usbsircs.exe[912] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 00130838
.text C:\Program Files\sony\usbsircs\usbsircs.exe[912] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00130950
.text C:\Program Files\sony\usbsircs\usbsircs.exe[912] WININET.dll!InternetConnectA 3D94B0D2 5 Bytes JMP 00130F54
.text C:\Program Files\sony\usbsircs\usbsircs.exe[912] WININET.dll!InternetConnectW 3D94C2C0 5 Bytes JMP 00130FE0
.text C:\Program Files\sony\usbsircs\usbsircs.exe[912] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 00130D24
.text C:\Program Files\sony\usbsircs\usbsircs.exe[912] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 00130DB0
.text C:\Program Files\sony\usbsircs\usbsircs.exe[912] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 00130E3C
.text C:\Program Files\sony\usbsircs\usbsircs.exe[912] WININET.dll!InternetOpenUrlW 3D998439 5 Bytes JMP 00130EC8
.text D:\Program Files\Avira\AntiVir Desktop\avguard.exe[1036] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001301A8
.text D:\Program Files\Avira\AntiVir Desktop\avguard.exe[1036] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00130090
.text D:\Program Files\Avira\AntiVir Desktop\avguard.exe[1036] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00130694
.text D:\Program Files\Avira\AntiVir Desktop\avguard.exe[1036] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001302C0
.text D:\Program Files\Avira\AntiVir Desktop\avguard.exe[1036] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00130234
.text D:\Program Files\Avira\AntiVir Desktop\avguard.exe[1036] kernel32.dll!VirtualAlloc 7C809A61 5 Bytes JMP 00130004
.text D:\Program Files\Avira\AntiVir Desktop\avguard.exe[1036] kernel32.dll!VirtualAllocEx 7C809A82 5 Bytes JMP 0013011C
.text D:\Program Files\Avira\AntiVir Desktop\avguard.exe[1036] kernel32.dll!CreateRemoteThread 7C81043C 5 Bytes JMP 001304F0
.text D:\Program Files\Avira\AntiVir Desktop\avguard.exe[1036] kernel32.dll!CreateThread 7C810647 5 Bytes JMP 0013057C
.text D:\Program Files\Avira\AntiVir Desktop\avguard.exe[1036] kernel32.dll!CreateProcessInternalW 7C819527 5 Bytes JMP 001303D8
.text D:\Program Files\Avira\AntiVir Desktop\avguard.exe[1036] kernel32.dll!CreateProcessInternalA 7C81DDE6 5 Bytes JMP 0013034C
.text D:\Program Files\Avira\AntiVir Desktop\avguard.exe[1036] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00130464
.text D:\Program Files\Avira\AntiVir Desktop\avguard.exe[1036] kernel32.dll!SetThreadContext 7C862C89 5 Bytes JMP 00130608
.text D:\Program Files\Avira\AntiVir Desktop\avguard.exe[1036] USER32.dll!SetWindowsHookExW 7E42DDB5 5 Bytes JMP 001307AC
.text D:\Program Files\Avira\AntiVir Desktop\avguard.exe[1036] USER32.dll!SetWindowsHookExA 7E4311D1 5 Bytes JMP 00130720
.text D:\Program Files\Avira\AntiVir Desktop\avguard.exe[1036] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 001308C4
.text D:\Program Files\Avira\AntiVir Desktop\avguard.exe[1036] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 00130838
.text D:\Program Files\Avira\AntiVir Desktop\avguard.exe[1036] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00130950
.text C:\WINDOWS\system32\csrss.exe[1076] KERNEL32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001601A8
.text C:\WINDOWS\system32\csrss.exe[1076] KERNEL32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00160090
.text C:\WINDOWS\system32\csrss.exe[1076] KERNEL32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00160694
.text C:\WINDOWS\system32\csrss.exe[1076] KERNEL32.dll!CreateProcessW 7C802332 5 Bytes JMP 001602C0
.text C:\WINDOWS\system32\csrss.exe[1076] KERNEL32.dll!CreateProcessA 7C802367 5 Bytes JMP 00160234
.text C:\WINDOWS\system32\csrss.exe[1076] KERNEL32.dll!VirtualAlloc 7C809A61 5 Bytes JMP 00160004
.text C:\WINDOWS\system32\csrss.exe[1076] KERNEL32.dll!VirtualAllocEx 7C809A82 5 Bytes JMP 0016011C
.text C:\WINDOWS\system32\csrss.exe[1076] KERNEL32.dll!CreateRemoteThread 7C81043C 5 Bytes JMP 001604F0
.text C:\WINDOWS\system32\csrss.exe[1076] KERNEL32.dll!CreateThread 7C810647 5 Bytes JMP 0016057C
.text C:\WINDOWS\system32\csrss.exe[1076] KERNEL32.dll!CreateProcessInternalW 7C819527 5 Bytes JMP 001603D8
.text C:\WINDOWS\system32\csrss.exe[1076] KERNEL32.dll!CreateProcessInternalA 7C81DDE6 5 Bytes JMP 0016034C
.text C:\WINDOWS\system32\csrss.exe[1076] KERNEL32.dll!WinExec 7C86158D 5 Bytes JMP 00160464
.text C:\WINDOWS\system32\csrss.exe[1076] KERNEL32.dll!SetThreadContext 7C862C89 5 Bytes JMP 00160608
.text C:\WINDOWS\system32\csrss.exe[1076] USER32.dll!SetWindowsHookExW 7E42DDB5 5 Bytes JMP 001607AC
.text C:\WINDOWS\system32\csrss.exe[1076] USER32.dll!SetWindowsHookExA 7E4311D1 5 Bytes JMP 00160720
.text C:\WINDOWS\system32\winlogon.exe[1104] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 000701A8
.text C:\WINDOWS\system32\winlogon.exe[1104] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00070090
.text C:\WINDOWS\system32\winlogon.exe[1104] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00070694
.text C:\WINDOWS\system32\winlogon.exe[1104] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 000702C0
.text C:\WINDOWS\system32\winlogon.exe[1104] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00070234
.text C:\WINDOWS\system32\winlogon.exe[1104] kernel32.dll!VirtualAlloc 7C809A61 5 Bytes JMP 00070004
.text C:\WINDOWS\system32\winlogon.exe[1104] kernel32.dll!VirtualAllocEx 7C809A82 5 Bytes JMP 0007011C
.text C:\WINDOWS\system32\winlogon.exe[1104] kernel32.dll!CreateRemoteThread 7C81043C 5 Bytes JMP 000704F0
.text C:\WINDOWS\system32\winlogon.exe[1104] kernel32.dll!CreateThread 7C810647 5 Bytes JMP 0007057C
.text C:\WINDOWS\system32\winlogon.exe[1104] kernel32.dll!CreateProcessInternalW 7C819527 5 Bytes JMP 000703D8
.text C:\WINDOWS\system32\winlogon.exe[1104] kernel32.dll!CreateProcessInternalA 7C81DDE6 5 Bytes JMP 0007034C
.text C:\WINDOWS\system32\winlogon.exe[1104] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00070464
.text C:\WINDOWS\system32\winlogon.exe[1104] kernel32.dll!SetThreadContext 7C862C89 5 Bytes JMP 00070608
.text C:\WINDOWS\system32\winlogon.exe[1104] USER32.dll!SetWindowsHookExW 7E42DDB5 5 Bytes JMP 000707AC
.text C:\WINDOWS\system32\winlogon.exe[1104] USER32.dll!SetWindowsHookExA 7E4311D1 5 Bytes JMP 00070720
.text C:\WINDOWS\system32\winlogon.exe[1104] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 000708C4
.text C:\WINDOWS\system32\winlogon.exe[1104] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 00070838
.text C:\WINDOWS\system32\winlogon.exe[1104] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00070950
.text C:\WINDOWS\system32\winlogon.exe[1104] WININET.dll!InternetConnectA 3D94B0D2 5 Bytes JMP 00070F54
.text C:\WINDOWS\system32\winlogon.exe[1104] WININET.dll!InternetConnectW 3D94C2C0 5 Bytes JMP 00070FE0
.text C:\WINDOWS\system32\winlogon.exe[1104] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 00070D24
.text C:\WINDOWS\system32\winlogon.exe[1104] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 00070DB0
.text C:\WINDOWS\system32\winlogon.exe[1104] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 00070E3C
.text C:\WINDOWS\system32\winlogon.exe[1104] WININET.dll!InternetOpenUrlW 3D998439 5 Bytes JMP 00070EC8
.text C:\WINDOWS\system32\services.exe[1148] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 000801A8
.text C:\WINDOWS\system32\services.exe[1148] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00080090
.text C:\WINDOWS\system32\services.exe[1148] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00080694
.text C:\WINDOWS\system32\services.exe[1148] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 000802C0
.text C:\WINDOWS\system32\services.exe[1148] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00080234
.text C:\WINDOWS\system32\services.exe[1148] kernel32.dll!VirtualAlloc 7C809A61 5 Bytes JMP 00080004
.text C:\WINDOWS\system32\services.exe[1148] kernel32.dll!VirtualAllocEx 7C809A82 5 Bytes JMP 0008011C
.text C:\WINDOWS\system32\services.exe[1148] kernel32.dll!CreateRemoteThread 7C81043C 5 Bytes JMP 000804F0
.text C:\WINDOWS\system32\services.exe[1148] kernel32.dll!CreateThread 7C810647 5 Bytes JMP 0008057C
.text C:\WINDOWS\system32\services.exe[1148] kernel32.dll!CreateProcessInternalW 7C819527 5 Bytes JMP 000803D8
.text C:\WINDOWS\system32\services.exe[1148] kernel32.dll!CreateProcessInternalA 7C81DDE6 5 Bytes JMP 0008034C
.text C:\WINDOWS\system32\services.exe[1148] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00080464
.text C:\WINDOWS\system32\services.exe[1148] kernel32.dll!SetThreadContext 7C862C89 5 Bytes JMP 00080608
.text C:\WINDOWS\system32\services.exe[1148] USER32.dll!SetWindowsHookExW 7E42DDB5 5 Bytes JMP 000807AC
.text C:\WINDOWS\system32\services.exe[1148] USER32.dll!SetWindowsHookExA 7E4311D1 5 Bytes JMP 00080720
.text C:\WINDOWS\system32\lsass.exe[1160] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 000801A8
.text C:\WINDOWS\system32\lsass.exe[1160] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00080090
.text C:\WINDOWS\system32\lsass.exe[1160] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00080694
.text C:\WINDOWS\system32\lsass.exe[1160] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 000802C0
.text C:\WINDOWS\system32\lsass.exe[1160] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00080234
.text C:\WINDOWS\system32\lsass.exe[1160] kernel32.dll!VirtualAlloc 7C809A61 5 Bytes JMP 00080004
.text C:\WINDOWS\system32\lsass.exe[1160] kernel32.dll!VirtualAllocEx 7C809A82 5 Bytes JMP 0008011C
.text C:\WINDOWS\system32\lsass.exe[1160] kernel32.dll!CreateRemoteThread 7C81043C 5 Bytes JMP 000804F0
.text C:\WINDOWS\system32\lsass.exe[1160] kernel32.dll!CreateThread 7C810647 5 Bytes JMP 0008057C
.text C:\WINDOWS\system32\lsass.exe[1160] kernel32.dll!CreateProcessInternalW 7C819527 5 Bytes JMP 000803D8
.text C:\WINDOWS\system32\lsass.exe[1160] kernel32.dll!CreateProcessInternalA 7C81DDE6 5 Bytes JMP 0008034C
.text C:\WINDOWS\system32\lsass.exe[1160] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00080464
.text C:\WINDOWS\system32\lsass.exe[1160] kernel32.dll!SetThreadContext 7C862C89 5 Bytes JMP 00080608
.text C:\WINDOWS\system32\lsass.exe[1160] USER32.dll!SetWindowsHookExW 7E42DDB5 5 Bytes JMP 000807AC
.text C:\WINDOWS\system32\lsass.exe[1160] USER32.dll!SetWindowsHookExA 7E4311D1 5 Bytes JMP 00080720
.text C:\WINDOWS\system32\lsass.exe[1160] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 000808C4
.text C:\WINDOWS\system32\lsass.exe[1160] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 00080838
.text C:\WINDOWS\system32\lsass.exe[1160] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00080950
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1240] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001301A8
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1240] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00130090
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1240] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00130694
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1240] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001302C0
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1240] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00130234
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1240] kernel32.dll!VirtualAlloc 7C809A61 5 Bytes JMP 00130004
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1240] kernel32.dll!VirtualAllocEx 7C809A82 5 Bytes JMP 0013011C
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1240] kernel32.dll!CreateRemoteThread 7C81043C 5 Bytes JMP 001304F0
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1240] kernel32.dll!CreateThread 7C810647 5 Bytes JMP 0013057C
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1240] kernel32.dll!CreateProcessInternalW 7C819527 5 Bytes JMP 001303D8
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1240] kernel32.dll!CreateProcessInternalA 7C81DDE6 5 Bytes JMP 0013034C
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1240] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00130464
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1240] kernel32.dll!SetThreadContext 7C862C89 5 Bytes JMP 00130608
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1240] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 001308C4
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1240] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 00130838
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1240] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00130950
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1240] USER32.dll!SetWindowsHookExW 7E42DDB5 5 Bytes JMP 001307AC
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1240] USER32.dll!SetWindowsHookExA 7E4311D1 5 Bytes JMP 00130720
.text C:\Program Files\Bonjour\mDNSResponder.exe[1296] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001301A8
.text C:\Program Files\Bonjour\mDNSResponder.exe[1296] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00130090
.text C:\Program Files\Bonjour\mDNSResponder.exe[1296] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00130694
.text C:\Program Files\Bonjour\mDNSResponder.exe[1296] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001302C0
.text C:\Program Files\Bonjour\mDNSResponder.exe[1296] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00130234
.text C:\Program Files\Bonjour\mDNSResponder.exe[1296] kernel32.dll!VirtualAlloc 7C809A61 5 Bytes JMP 00130004
.text C:\Program Files\Bonjour\mDNSResponder.exe[1296] kernel32.dll!VirtualAllocEx 7C809A82 5 Bytes JMP 0013011C
.text C:\Program Files\Bonjour\mDNSResponder.exe[1296] kernel32.dll!CreateRemoteThread 7C81043C 5 Bytes JMP 001304F0
.text C:\Program Files\Bonjour\mDNSResponder.exe[1296] kernel32.dll!CreateThread 7C810647 5 Bytes JMP 0013057C
.text C:\Program Files\Bonjour\mDNSResponder.exe[1296] kernel32.dll!CreateProcessInternalW 7C819527 5 Bytes JMP 001303D8
.text C:\Program Files\Bonjour\mDNSResponder.exe[1296] kernel32.dll!CreateProcessInternalA 7C81DDE6 5 Bytes JMP 0013034C
.text C:\Program Files\Bonjour\mDNSResponder.exe[1296] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00130464
.text C:\Program Files\Bonjour\mDNSResponder.exe[1296] kernel32.dll!SetThreadContext 7C862C89 5 Bytes JMP 00130608
.text C:\Program Files\Bonjour\mDNSResponder.exe[1296] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 001308C4
.text C:\Program Files\Bonjour\mDNSResponder.exe[1296] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 00130838
.text C:\Program Files\Bonjour\mDNSResponder.exe[1296] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00130950
.text C:\Program Files\Bonjour\mDNSResponder.exe[1296] USER32.dll!SetWindowsHookExW 7E42DDB5 5 Bytes JMP 001307AC
.text C:\Program Files\Bonjour\mDNSResponder.exe[1296] USER32.dll!SetWindowsHookExA 7E4311D1 5 Bytes JMP 00130720
.text C:\WINDOWS\system32\svchost.exe[1348] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 000801A8
.text C:\WINDOWS\system32\svchost.exe[1348] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00080090
.text C:\WINDOWS\system32\svchost.exe[1348] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00080694
.text C:\WINDOWS\system32\svchost.exe[1348] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 000802C0
.text C:\WINDOWS\system32\svchost.exe[1348] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00080234
.text C:\WINDOWS\system32\svchost.exe[1348] kernel32.dll!VirtualAlloc 7C809A61 5 Bytes JMP 00080004
.text C:\WINDOWS\system32\svchost.exe[1348] kernel32.dll!VirtualAllocEx 7C809A82 5 Bytes JMP 0008011C
.text C:\WINDOWS\system32\svchost.exe[1348] kernel32.dll!CreateRemoteThread 7C81043C 5 Bytes JMP 000804F0
.text C:\WINDOWS\system32\svchost.exe[1348] kernel32.dll!CreateThread 7C810647 5 Bytes JMP 0008057C
.text C:\WINDOWS\system32\svchost.exe[1348] kernel32.dll!CreateProcessInternalW 7C819527 5 Bytes JMP 000803D8
.text C:\WINDOWS\system32\svchost.exe[1348] kernel32.dll!CreateProcessInternalA 7C81DDE6 5 Bytes JMP 0008034C
.text C:\WINDOWS\system32\svchost.exe[1348] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00080464
.text C:\WINDOWS\system32\svchost.exe[1348] kernel32.dll!SetThreadContext 7C862C89 5 Bytes JMP 00080608
.text C:\WINDOWS\system32\svchost.exe[1348] USER32.dll!SetWindowsHookExW 7E42DDB5 5 Bytes JMP 000807AC
.text C:\WINDOWS\system32\svchost.exe[1348] USER32.dll!SetWindowsHookExA 7E4311D1 5 Bytes JMP 00080720
.text C:\WINDOWS\system32\svchost.exe[1348] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 000808C4
.text C:\WINDOWS\system32\svchost.exe[1348] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 00080838
.text C:\WINDOWS\system32\svchost.exe[1348] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00080950
.text C:\WINDOWS\system32\svchost.exe[1416] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 000801A8
.text C:\WINDOWS\system32\svchost.exe[1416] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00080090
.text C:\WINDOWS\system32\svchost.exe[1416] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00080694
.text C:\WINDOWS\system32\svchost.exe[1416] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 000802C0
.text C:\WINDOWS\system32\svchost.exe[1416] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00080234
.text C:\WINDOWS\system32\svchost.exe[1416] kernel32.dll!VirtualAlloc 7C809A61 5 Bytes JMP 00080004
.text C:\WINDOWS\system32\svchost.exe[1416] kernel32.dll!VirtualAllocEx 7C809A82 5 Bytes JMP 0008011C
.text C:\WINDOWS\system32\svchost.exe[1416] kernel32.dll!CreateRemoteThread 7C81043C 5 Bytes JMP 000804F0
.text C:\WINDOWS\system32\svchost.exe[1416] kernel32.dll!CreateThread 7C810647 5 Bytes JMP 0008057C
.text C:\WINDOWS\system32\svchost.exe[1416] kernel32.dll!CreateProcessInternalW 7C819527 5 Bytes JMP 000803D8
.text C:\WINDOWS\system32\svchost.exe[1416] kernel32.dll!CreateProcessInternalA 7C81DDE6 5 Bytes JMP 0008034C
.text C:\WINDOWS\system32\svchost.exe[1416] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00080464
.text C:\WINDOWS\system32\svchost.exe[1416] kernel32.dll!SetThreadContext 7C862C89 5 Bytes JMP 00080608
.text C:\WINDOWS\system32\svchost.exe[1416] USER32.dll!SetWindowsHookExW 7E42DDB5 5 Bytes JMP 000807AC
.text C:\WINDOWS\system32\svchost.exe[1416] USER32.dll!SetWindowsHookExA 7E4311D1 5 Bytes JMP 00080720
.text C:\WINDOWS\system32\svchost.exe[1416] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 000808C4
.text C:\WINDOWS\system32\svchost.exe[1416] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 00080838
.text C:\WINDOWS\system32\svchost.exe[1416] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00080950
.text C:\Program Files\Sony\Giga Pocket\shwserv.exe[1460] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001301A8
.text C:\Program Files\Sony\Giga Pocket\shwserv.exe[1460] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00130090
.text C:\Program Files\Sony\Giga Pocket\shwserv.exe[1460] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00130694
.text C:\Program Files\Sony\Giga Pocket\shwserv.exe[1460] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001302C0
.text C:\Program Files\Sony\Giga Pocket\shwserv.exe[1460] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00130234
.text C:\Program Files\Sony\Giga Pocket\shwserv.exe[1460] kernel32.dll!VirtualAlloc 7C809A61 5 Bytes JMP 00130004
.text C:\Program Files\Sony\Giga Pocket\shwserv.exe[1460] kernel32.dll!VirtualAllocEx 7C809A82 5 Bytes JMP 0013011C
.text C:\Program Files\Sony\Giga Pocket\shwserv.exe[1460] kernel32.dll!CreateRemoteThread 7C81043C 5 Bytes JMP 001304F0
.text C:\Program Files\Sony\Giga Pocket\shwserv.exe[1460] kernel32.dll!CreateThread 7C810647 5 Bytes JMP 0013057C
.text C:\Program Files\Sony\Giga Pocket\shwserv.exe[1460] kernel32.dll!CreateProcessInternalW 7C819527 5 Bytes JMP 001303D8
.text C:\Program Files\Sony\Giga Pocket\shwserv.exe[1460] kernel32.dll!CreateProcessInternalA 7C81DDE6 5 Bytes JMP 0013034C
.text C:\Program Files\Sony\Giga Pocket\shwserv.exe[1460] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00130464
.text C:\Program Files\Sony\Giga Pocket\shwserv.exe[1460] kernel32.dll!SetThreadContext 7C862C89 5 Bytes JMP 00130608
.text C:\Program Files\Sony\Giga Pocket\shwserv.exe[1460] USER32.dll!SetWindowsHookExW 7E42DDB5 5 Bytes JMP 001307AC
.text C:\Program Files\Sony\Giga Pocket\shwserv.exe[1460] USER32.dll!SetWindowsHookExA 7E4311D1 5 Bytes JMP 00130720
.text C:\Program Files\Sony\Giga Pocket\shwserv.exe[1460] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 001308C4
.text C:\Program Files\Sony\Giga Pocket\shwserv.exe[1460] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 00130838
.text C:\Program Files\Sony\Giga Pocket\shwserv.exe[1460] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00130950
.text C:\WINDOWS\System32\svchost.exe[1544] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 000801A8
.text C:\WINDOWS\System32\svchost.exe[1544] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00080090
.text C:\WINDOWS\System32\svchost.exe[1544] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00080694
.text C:\WINDOWS\System32\svchost.exe[1544] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 000802C0
.text C:\WINDOWS\System32\svchost.exe[1544] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00080234
.text C:\WINDOWS\System32\svchost.exe[1544] kernel32.dll!VirtualAlloc 7C809A61 5 Bytes JMP 00080004
.text C:\WINDOWS\System32\svchost.exe[1544] kernel32.dll!VirtualAllocEx 7C809A82 5 Bytes JMP 0008011C
.text C:\WINDOWS\System32\svchost.exe[1544] kernel32.dll!CreateRemoteThread 7C81043C 5 Bytes JMP 000804F0
.text C:\WINDOWS\System32\svchost.exe[1544] kernel32.dll!CreateThread 7C810647 5 Bytes JMP 0008057C
.text C:\WINDOWS\System32\svchost.exe[1544] kernel32.dll!CreateProcessInternalW 7C819527 5 Bytes JMP 000803D8
.text C:\WINDOWS\System32\svchost.exe[1544] kernel32.dll!CreateProcessInternalA 7C81DDE6 5 Bytes JMP 0008034C
.text C:\WINDOWS\System32\svchost.exe[1544] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00080464
.text C:\WINDOWS\System32\svchost.exe[1544] kernel32.dll!SetThreadContext 7C862C89 5 Bytes JMP 00080608
.text C:\WINDOWS\System32\svchost.exe[1544] USER32.dll!SetWindowsHookExW 7E42DDB5 5 Bytes JMP 000807AC
.text C:\WINDOWS\System32\svchost.exe[1544] USER32.dll!SetWindowsHookExA 7E4311D1 5 Bytes JMP 00080720
.text C:\WINDOWS\System32\svchost.exe[1544] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 000808C4
.text C:\WINDOWS\System32\svchost.exe[1544] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 00080838
.text C:\WINDOWS\System32\svchost.exe[1544] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00080950
.text C:\WINDOWS\System32\svchost.exe[1544] WININET.dll!InternetConnectA 3D94B0D2 5 Bytes JMP 00080F54
.text C:\WINDOWS\System32\svchost.exe[1544] WININET.dll!InternetConnectW 3D94C2C0 5 Bytes JMP 00080FE0
.text C:\WINDOWS\System32\svchost.exe[1544] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 00080D24
.text C:\WINDOWS\System32\svchost.exe[1544] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 00080DB0
.text C:\WINDOWS\System32\svchost.exe[1544] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 00080E3C
.text C:\WINDOWS\System32\svchost.exe[1544] WININET.dll!InternetOpenUrlW 3D998439 5 Bytes JMP 00080EC8
.text C:\WINDOWS\System32\svchost.exe[1608] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 000801A8
.text C:\WINDOWS\System32\svchost.exe[1608] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00080090
.text C:\WINDOWS\System32\svchost.exe[1608] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00080694
.text C:\WINDOWS\System32\svchost.exe[1608] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 000802C0
.text C:\WINDOWS\System32\svchost.exe[1608] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00080234
.text C:\WINDOWS\System32\svchost.exe[1608] kernel32.dll!VirtualAlloc 7C809A61 5 Bytes JMP 00080004
.text C:\WINDOWS\System32\svchost.exe[1608] kernel32.dll!VirtualAllocEx 7C809A82 5 Bytes JMP 0008011C
.text C:\WINDOWS\System32\svchost.exe[1608] kernel32.dll!CreateRemoteThread 7C81043C 5 Bytes JMP 000804F0
.text C:\WINDOWS\System32\svchost.exe[1608] kernel32.dll!CreateThread 7C810647 5 Bytes JMP 0008057C
.text C:\WINDOWS\System32\svchost.exe[1608] kernel32.dll!CreateProcessInternalW 7C819527 5 Bytes JMP 000803D8
.text C:\WINDOWS\System32\svchost.exe[1608] kernel32.dll!CreateProcessInternalA 7C81DDE6 5 Bytes JMP 0008034C
.text C:\WINDOWS\System32\svchost.exe[1608] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00080464
.text C:\WINDOWS\System32\svchost.exe[1608] kernel32.dll!SetThreadContext 7C862C89 5 Bytes JMP 00080608
.text C:\WINDOWS\System32\svchost.exe[1608] USER32.dll!SetWindowsHookExW 7E42DDB5 5 Bytes JMP 000807AC
.text C:\WINDOWS\System32\svchost.exe[1608] USER32.dll!SetWindowsHookExA 7E4311D1 5 Bytes JMP 00080720
.text C:\WINDOWS\System32\svchost.exe[1608] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 000808C4
.text C:\WINDOWS\System32\svchost.exe[1608] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 00080838
.text C:\WINDOWS\System32\svchost.exe[1608] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00080950
.text C:\WINDOWS\System32\svchost.exe[1724] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 000801A8
.text C:\WINDOWS\System32\svchost.exe[1724] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00080090
.text C:\WINDOWS\System32\svchost.exe[1724] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00080694
.text C:\WINDOWS\System32\svchost.exe[1724] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 000802C0
.text C:\WINDOWS\System32\svchost.exe[1724] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00080234
.text C:\WINDOWS\System32\svchost.exe[1724] kernel32.dll!VirtualAlloc 7C809A61 5 Bytes JMP 00080004
.text C:\WINDOWS\System32\svchost.exe[1724] kernel32.dll!VirtualAllocEx 7C809A82 5 Bytes JMP 0008011C
.text C:\WINDOWS\System32\svchost.exe[1724] kernel32.dll!CreateRemoteThread 7C81043C 5 Bytes JMP 000804F0
.text C:\WINDOWS\System32\svchost.exe[1724] kernel32.dll!CreateThread 7C810647 5 Bytes JMP 0008057C
.text C:\WINDOWS\System32\svchost.exe[1724] kernel32.dll!CreateProcessInternalW 7C819527 5 Bytes JMP 000803D8
.text C:\WINDOWS\System32\svchost.exe[1724] kernel32.dll!CreateProcessInternalA 7C81DDE6 5 Bytes JMP 0008034C
.text C:\WINDOWS\System32\svchost.exe[1724] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00080464
.text C:\WINDOWS\System32\svchost.exe[1724] kernel32.dll!SetThreadContext 7C862C89 5 Bytes JMP 00080608
.text C:\WINDOWS\System32\svchost.exe[1724] USER32.dll!SetWindowsHookExW 7E42DDB5 5 Bytes JMP 000807AC
.text C:\WINDOWS\System32\svchost.exe[1724] USER32.dll!SetWindowsHookExA 7E4311D1 5 Bytes JMP 00080720
.text D:\Program Files\Java\jre6\bin\jqs.exe[1788] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001301A8
.text D:\Program Files\Java\jre6\bin\jqs.exe[1788] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00130090
.text D:\Program Files\Java\jre6\bin\jqs.exe[1788] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00130694
.text D:\Program Files\Java\jre6\bin\jqs.exe[1788] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001302C0
.text D:\Program Files\Java\jre6\bin\jqs.exe[1788] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00130234
.text D:\Program Files\Java\jre6\bin\jqs.exe[1788] kernel32.dll!VirtualAlloc 7C809A61 5 Bytes JMP 00130004
.text D:\Program Files\Java\jre6\bin\jqs.exe[1788] kernel32.dll!VirtualAllocEx 7C809A82 5 Bytes JMP 0013011C
.text D:\Program Files\Java\jre6\bin\jqs.exe[1788] kernel32.dll!CreateRemoteThread 7C81043C 5 Bytes JMP 001304F0
.text D:\Program Files\Java\jre6\bin\jqs.exe[1788] kernel32.dll!CreateThread 7C810647 5 Bytes JMP 0013057C
.text D:\Program Files\Java\jre6\bin\jqs.exe[1788] kernel32.dll!CreateProcessInternalW 7C819527 5 Bytes JMP 001303D8
.text D:\Program Files\Java\jre6\bin\jqs.exe[1788] kernel32.dll!CreateProcessInternalA 7C81DDE6 5 Bytes JMP 0013034C
.text D:\Program Files\Java\jre6\bin\jqs.exe[1788] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00130464
.text D:\Program Files\Java\jre6\bin\jqs.exe[1788] kernel32.dll!SetThreadContext 7C862C89 5 Bytes JMP 00130608
.text D:\Program Files\Java\jre6\bin\jqs.exe[1788] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 001308C4
.text D:\Program Files\Java\jre6\bin\jqs.exe[1788] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 00130838
.text D:\Program Files\Java\jre6\bin\jqs.exe[1788] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00130950
.text D:\Program Files\Java\jre6\bin\jqs.exe[1788] USER32.dll!SetWindowsHookExW 7E42DDB5 5 Bytes JMP 001307AC
.text D:\Program Files\Java\jre6\bin\jqs.exe[1788] USER32.dll!SetWindowsHookExA 7E4311D1 5 Bytes JMP 00130720
.text C:\WINDOWS\system32\svchost.exe[1792] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 000801A8
.text C:\WINDOWS\system32\svchost.exe[1792] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00080090
.text C:\WINDOWS\system32\svchost.exe[1792] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00080694
.text C:\WINDOWS\system32\svchost.exe[1792] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 000802C0
.text C:\WINDOWS\system32\svchost.exe[1792] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00080234
.text C:\WINDOWS\system32\svchost.exe[1792] kernel32.dll!VirtualAlloc 7C809A61 5 Bytes JMP 00080004
.text C:\WINDOWS\system32\svchost.exe[1792] kernel32.dll!VirtualAllocEx 7C809A82 5 Bytes JMP 0008011C
.text C:\WINDOWS\system32\svchost.exe[1792] kernel32.dll!CreateRemoteThread 7C81043C 5 Bytes JMP 000804F0
.text C:\WINDOWS\system32\svchost.exe[1792] kernel32.dll!CreateThread 7C810647 5 Bytes JMP 0008057C
.text C:\WINDOWS\system32\svchost.exe[1792] kernel32.dll!CreateProcessInternalW 7C819527 5 Bytes JMP 000803D8
.text C:\WINDOWS\system32\svchost.exe[1792] kernel32.dll!CreateProcessInternalA 7C81DDE6 5 Bytes JMP 0008034C
.text C:\WINDOWS\system32\svchost.exe[1792] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00080464
.text C:\WINDOWS\system32\svchost.exe[1792] kernel32.dll!SetThreadContext 7C862C89 5 Bytes JMP 00080608
.text C:\WINDOWS\system32\svchost.exe[1792] USER32.dll!SetWindowsHookExW 7E42DDB5 5 Bytes JMP 000807AC
.text C:\WINDOWS\system32\svchost.exe[1792] USER32.dll!SetWindowsHookExA 7E4311D1 5 Bytes JMP 00080720
.text C:\WINDOWS\system32\svchost.exe[1792] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 000808C4
.text C:\WINDOWS\system32\svchost.exe[1792] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 00080838
.text C:\WINDOWS\system32\svchost.exe[1792] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00080950
.text C:\WINDOWS\system32\wdfmgr.exe[1844] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 000701A8
.text C:\WINDOWS\system32\wdfmgr.exe[1844] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00070090
.text C:\WINDOWS\system32\wdfmgr.exe[1844] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00070694
.text C:\WINDOWS\system32\wdfmgr.exe[1844] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 000702C0
.text C:\WINDOWS\system32\wdfmgr.exe[1844] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00070234
.text C:\WINDOWS\system32\wdfmgr.exe[1844] kernel32.dll!VirtualAlloc 7C809A61 5 Bytes JMP 00070004
.text C:\WINDOWS\system32\wdfmgr.exe[1844] kernel32.dll!VirtualAllocEx 7C809A82 5 Bytes JMP 0007011C
.text C:\WINDOWS\system32\wdfmgr.exe[1844] kernel32.dll!CreateRemoteThread 7C81043C 5 Bytes JMP 000704F0
.text C:\WINDOWS\system32\wdfmgr.exe[1844] kernel32.dll!CreateThread 7C810647 5 Bytes JMP 0007057C
.text C:\WINDOWS\system32\wdfmgr.exe[1844] kernel32.dll!CreateProcessInternalW 7C819527 5 Bytes JMP 000703D8
.text C:\WINDOWS\system32\wdfmgr.exe[1844] kernel32.dll!CreateProcessInternalA 7C81DDE6 5 Bytes JMP 0007034C
.text C:\WINDOWS\system32\wdfmgr.exe[1844] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00070464
.text C:\WINDOWS\system32\wdfmgr.exe[1844] kernel32.dll!SetThreadContext 7C862C89 5 Bytes JMP 00070608
.text C:\WINDOWS\system32\wdfmgr.exe[1844] USER32.dll!SetWindowsHookExW 7E42DDB5 5 Bytes JMP 000707AC
.text C:\WINDOWS\system32\wdfmgr.exe[1844] USER32.dll!SetWindowsHookExA 7E4311D1 5 Bytes JMP 00070720
.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1904] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001301A8
.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1904] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00130090
.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1904] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00130694
.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1904] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001302C0
.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1904] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00130234
.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1904] kernel32.dll!VirtualAlloc 7C809A61 5 Bytes JMP 00130004
.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1904] kernel32.dll!VirtualAllocEx 7C809A82 5 Bytes JMP 0013011C
.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1904] kernel32.dll!CreateRemoteThread 7C81043C 5 Bytes JMP 001304F0
.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1904] kernel32.dll!CreateThread 7C810647 5 Bytes JMP 0013057C
.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1904] kernel32.dll!CreateProcessInternalW 7C819527 5 Bytes JMP 001303D8
.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1904] kernel32.dll!CreateProcessInternalA 7C81DDE6 5 Bytes JMP 0013034C
.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1904] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00130464
.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1904] kernel32.dll!SetThreadContext 7C862C89 5 Bytes JMP 00130608
.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1904] USER32.dll!SetWindowsHookExW 7E42DDB5 5 Bytes JMP 001307AC
.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1904] USER32.dll!SetWindowsHookExA 7E4311D1 5 Bytes JMP 00130720
.text C:\WINDOWS\system32\spoolsv.exe[1948] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 000801A8
.text C:\WINDOWS\system32\spoolsv.exe[1948] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00080090
.text C:\WINDOWS\system32\spoolsv.exe[1948] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00080694
.text C:\WINDOWS\system32\spoolsv.exe[1948] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 000802C0
.text C:\WINDOWS\system32\spoolsv.exe[1948] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00080234
.text C:\WINDOWS\system32\spoolsv.exe[1948] kernel32.dll!VirtualAlloc 7C809A61 5 Bytes JMP 00080004
.text C:\WINDOWS\system32\spoolsv.exe[1948] kernel32.dll!VirtualAllocEx 7C809A82 5 Bytes JMP 0008011C
.text C:\WINDOWS\system32\spoolsv.exe[1948] kernel32.dll!CreateRemoteThread 7C81043C 5 Bytes JMP 000804F0
.text C:\WINDOWS\system32\spoolsv.exe[1948] kernel32.dll!CreateThread 7C810647 5 Bytes JMP 0008057C
.text C:\WINDOWS\system32\spoolsv.exe[1948] kernel32.dll!CreateProcessInternalW 7C819527 5 Bytes JMP 000803D8
.text C:\WINDOWS\system32\spoolsv.exe[1948] kernel32.dll!CreateProcessInternalA 7C81DDE6 5 Bytes JMP 0008034C
.text C:\WINDOWS\system32\spoolsv.exe[1948] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00080464
.text C:\WINDOWS\system32\spoolsv.exe[1948] kernel32.dll!SetThreadContext 7C862C89 5 Bytes JMP 00080608
.text C:\WINDOWS\system32\spoolsv.exe[1948] USER32.dll!SetWindowsHookExW 7E42DDB5 5 Bytes JMP 000807AC
.text C:\WINDOWS\system32\spoolsv.exe[1948] USER32.dll!SetWindowsHookExA 7E4311D1 5 Bytes JMP 00080720
.text C:\WINDOWS\system32\spoolsv.exe[1948] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 000808C4
.text C:\WINDOWS\system32\spoolsv.exe[1948] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 00080838
.text C:\WINDOWS\system32\spoolsv.exe[1948] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00080950
.text D:\Program Files\Sunbelt Software\Personal Firewall\SbPFLnch.exe[2040] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001301A8
.text D:\Program Files\Sunbelt Software\Personal Firewall\SbPFLnch.exe[2040] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00130090
.text D:\Program Files\Sunbelt Software\Personal Firewall\SbPFLnch.exe[2040] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00130694
.text D:\Program Files\Sunbelt Software\Personal Firewall\SbPFLnch.exe[2040] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001302C0
.text D:\Program Files\Sunbelt Software\Personal Firewall\SbPFLnch.exe[2040] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00130234
.text D:\Program Files\Sunbelt Software\Personal Firewall\SbPFLnch.exe[2040] kernel32.dll!VirtualAlloc 7C809A61 5 Bytes JMP 00130004
.text D:\Program Files\Sunbelt Software\Personal Firewall\SbPFLnch.exe[2040] kernel32.dll!VirtualAllocEx 7C809A82 5 Bytes JMP 0013011C
.text D:\Program Files\Sunbelt Software\Personal Firewall\SbPFLnch.exe[2040] kernel32.dll!CreateRemoteThread 7C81043C 5 Bytes JMP 001304F0
.text D:\Program Files\Sunbelt Software\Personal Firewall\SbPFLnch.exe[2040] kernel32.dll!CreateThread 7C810647 5 Bytes JMP 0013057C
.text D:\Program Files\Sunbelt Software\Personal Firewall\SbPFLnch.exe[2040] kernel32.dll!CreateProcessInternalW 7C819527 5 Bytes JMP 001303D8
.text D:\Program Files\Sunbelt Software\Personal Firewall\SbPFLnch.exe[2040] kernel32.dll!CreateProcessInternalA 7C81DDE6 5 Bytes JMP 0013034C
.text D:\Program Files\Sunbelt Software\Personal Firewall\SbPFLnch.exe[2040] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00130464
.text D:\Program Files\Sunbelt Software\Personal Firewall\SbPFLnch.exe[2040] kernel32.dll!SetThreadContext 7C862C89 5 Bytes JMP 00130608
.text D:\Program Files\Sunbelt Software\Personal Firewall\SbPFLnch.exe[2040] USER32.dll!SetWindowsHookExW 7E42DDB5 5 Bytes JMP 001307AC
.text D:\Program Files\Sunbelt Software\Personal Firewall\SbPFLnch.exe[2040] USER32.dll!SetWindowsHookExA 7E4311D1 5 Bytes JMP 00130720
.text C:\WINDOWS\system32\MsPMSPSv.exe[2076] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001301A8
.text C:\WINDOWS\system32\MsPMSPSv.exe[2076] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00130090
.text C:\WINDOWS\system32\MsPMSPSv.exe[2076] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00130694
.text C:\WINDOWS\system32\MsPMSPSv.exe[2076] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001302C0
.text C:\WINDOWS\system32\MsPMSPSv.exe[2076] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00130234
.text C:\WINDOWS\system32\MsPMSPSv.exe[2076] kernel32.dll!VirtualAlloc 7C809A61 5 Bytes JMP 00130004
.text C:\WINDOWS\system32\MsPMSPSv.exe[2076] kernel32.dll!VirtualAllocEx 7C809A82 5 Bytes JMP 0013011C
.text C:\WINDOWS\system32\MsPMSPSv.exe[2076] kernel32.dll!CreateRemoteThread 7C81043C 5 Bytes JMP 001304F0
.text C:\WINDOWS\system32\MsPMSPSv.exe[2076] kernel32.dll!CreateThread 7C810647 5 Bytes JMP 0013057C
.text C:\WINDOWS\system32\MsPMSPSv.exe[2076] kernel32.dll!CreateProcessInternalW 7C819527 5 Bytes JMP 001303D8
.text C:\WINDOWS\system32\MsPMSPSv.exe[2076] kernel32.dll!CreateProcessInternalA 7C81DDE6 5 Bytes JMP 0013034C
.text C:\WINDOWS\system32\MsPMSPSv.exe[2076] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00130464
.text C:\WINDOWS\system32\MsPMSPSv.exe[2076] kernel32.dll!SetThreadContext 7C862C89 5 Bytes JMP 00130608
.text C:\WINDOWS\system32\MsPMSPSv.exe[2076] USER32.dll!SetWindowsHookExW 7E42DDB5 5 Bytes JMP 001307AC
.text C:\WINDOWS\system32\MsPMSPSv.exe[2076] USER32.dll!SetWindowsHookExA 7E4311D1 5 Bytes JMP 00130720
.text C:\WINDOWS\system32\wscntfy.exe[2684] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 000701A8
.text C:\WINDOWS\system32\wscntfy.exe[2684] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00070090
.text C:\WINDOWS\system32\wscntfy.exe[2684] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00070694
.text C:\WINDOWS\system32\wscntfy.exe[2684] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 000702C0
.text C:\WINDOWS\system32\wscntfy.exe[2684] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00070234
.text C:\WINDOWS\system32\wscntfy.exe[2684] kernel32.dll!VirtualAlloc 7C809A61 5 Bytes JMP 00070004
.text C:\WINDOWS\system32\wscntfy.exe[2684] kernel32.dll!VirtualAllocEx 7C809A82 5 Bytes JMP 0007011C
.text C:\WINDOWS\system32\wscntfy.exe[2684] kernel32.dll!CreateRemoteThread 7C81043C 5 Bytes JMP 000704F0
.text C:\WINDOWS\system32\wscntfy.exe[2684] kernel32.dll!CreateThread 7C810647 5 Bytes JMP 0007057C
.text C:\WINDOWS\system32\wscntfy.exe[2684] kernel32.dll!CreateProcessInternalW 7C819527 5 Bytes JMP 000703D8
.text C:\WINDOWS\system32\wscntfy.exe[2684] kernel32.dll!CreateProcessInternalA 7C81DDE6 5 Bytes JMP 0007034C
.text C:\WINDOWS\system32\wscntfy.exe[2684] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00070464
.text C:\WINDOWS\system32\wscntfy.exe[2684] kernel32.dll!SetThreadContext 7C862C89 5 Bytes JMP 00070608
.text C:\WINDOWS\system32\wscntfy.exe[2684] USER32.dll!SetWindowsHookExW 7E42DDB5 5 Bytes JMP 000707AC
.text C:\WINDOWS\system32\wscntfy.exe[2684] USER32.dll!SetWindowsHookExA 7E4311D1 5 Bytes JMP 00070720
.text C:\Program Files\iPod\bin\iPodService.exe[2756] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001301A8
.text C:\Program Files\iPod\bin\iPodService.exe[2756] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00130090
.text C:\Program Files\iPod\bin\iPodService.exe[2756] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00130694
.text C:\Program Files\iPod\bin\iPodService.exe[2756] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001302C0
.text C:\Program Files\iPod\bin\iPodService.exe[2756] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00130234
.text C:\Program Files\iPod\bin\iPodService.exe[2756] kernel32.dll!VirtualAlloc 7C809A61 5 Bytes JMP 00130004
.text C:\Program Files\iPod\bin\iPodService.exe[2756] kernel32.dll!VirtualAllocEx 7C809A82 5 Bytes JMP 0013011C
.text C:\Program Files\iPod\bin\iPodService.exe[2756] kernel32.dll!CreateRemoteThread 7C81043C 5 Bytes JMP 001304F0
.text C:\Program Files\iPod\bin\iPodService.exe[2756] kernel32.dll!CreateThread 7C810647 5 Bytes JMP 0013057C
.text C:\Program Files\iPod\bin\iPodService.exe[2756] kernel32.dll!CreateProcessInternalW 7C819527 5 Bytes JMP 001303D8
.text C:\Program Files\iPod\bin\iPodService.exe[2756] kernel32.dll!CreateProcessInternalA 7C81DDE6 5 Bytes JMP 0013034C
.text C:\Program Files\iPod\bin\iPodService.exe[2756] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00130464
.text C:\Program Files\iPod\bin\iPodService.exe[2756] kernel32.dll!SetThreadContext 7C862C89 5 Bytes JMP 00130608
.text C:\Program Files\iPod\bin\iPodService.exe[2756] USER32.dll!SetWindowsHookExW 7E42DDB5 5 Bytes JMP 001307AC
.text C:\Program Files\iPod\bin\iPodService.exe[2756] USER32.dll!SetWindowsHookExA 7E4311D1 5 Bytes JMP 00130720
.text C:\Program Files\Sony\Giga Pocket\RM_SV.exe[2932] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001301A8
.text C:\Program Files\Sony\Giga Pocket\RM_SV.exe[2932] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00130090
.text C:\Program Files\Sony\Giga Pocket\RM_SV.exe[2932] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00130694
.text C:\Program Files\Sony\Giga Pocket\RM_SV.exe[2932] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001302C0
.text C:\Program Files\Sony\Giga Pocket\RM_SV.exe[2932] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00130234
.text C:\Program Files\Sony\Giga Pocket\RM_SV.exe[2932] kernel32.dll!VirtualAlloc 7C809A61 5 Bytes JMP 00130004
.text C:\Program Files\Sony\Giga Pocket\RM_SV.exe[2932] kernel32.dll!VirtualAllocEx 7C809A82 5 Bytes JMP 0013011C
.text C:\Program Files\Sony\Giga Pocket\RM_SV.exe[2932] kernel32.dll!CreateRemoteThread 7C81043C 5 Bytes JMP 001304F0
.text C:\Program Files\Sony\Giga Pocket\RM_SV.exe[2932] kernel32.dll!CreateThread 7C810647 5 Bytes JMP 0013057C
.text C:\Program Files\Sony\Giga Pocket\RM_SV.exe[2932] kernel32.dll!CreateProcessInternalW 7C819527 5 Bytes JMP 001303D8
.text C:\Program Files\Sony\Giga Pocket\RM_SV.exe[2932] kernel32.dll!CreateProcessInternalA 7C81DDE6 5 Bytes JMP 0013034C
.text C:\Program Files\Sony\Giga Pocket\RM_SV.exe[2932] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00130464
.text C:\Program Files\Sony\Giga Pocket\RM_SV.exe[2932] kernel32.dll!SetThreadContext 7C862C89 5 Bytes JMP 00130608
.text C:\Program Files\Sony\Giga Pocket\RM_SV.exe[2932] USER32.dll!SetWindowsHookExW 7E42DDB5 5 Bytes JMP 001307AC
.text C:\Program Files\Sony\Giga Pocket\RM_SV.exe[2932] USER32.dll!SetWindowsHookExA 7E4311D1 5 Bytes JMP 00130720
.text C:\WINDOWS\System32\alg.exe[3248] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 000801A8
.text C:\WINDOWS\System32\alg.exe[3248] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00080090
.text C:\WINDOWS\System32\alg.exe[3248] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00080694
.text C:\WINDOWS\System32\alg.exe[3248] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 000802C0
.text C:\WINDOWS\System32\alg.exe[3248] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00080234
.text C:\WINDOWS\System32\alg.exe[3248] kernel32.dll!VirtualAlloc 7C809A61 5 Bytes JMP 00080004
.text C:\WINDOWS\System32\alg.exe[3248] kernel32.dll!VirtualAllocEx 7C809A82 5 Bytes JMP 0008011C
.text C:\WINDOWS\System32\alg.exe[3248] kernel32.dll!CreateRemoteThread 7C81043C 5 Bytes JMP 000804F0
.text C:\WINDOWS\System32\alg.exe[3248] kernel32.dll!CreateThread 7C810647 5 Bytes JMP 0008057C
.text C:\WINDOWS\System32\alg.exe[3248] kernel32.dll!CreateProcessInternalW 7C819527 5 Bytes JMP 000803D8
.text C:\WINDOWS\System32\alg.exe[3248] kernel32.dll!CreateProcessInternalA 7C81DDE6 5 Bytes JMP 0008034C
.text C:\WINDOWS\System32\alg.exe[3248] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00080464
.text C:\WINDOWS\System32\alg.exe[3248] kernel32.dll!SetThreadContext 7C862C89 5 Bytes JMP 00080608
.text C:\WINDOWS\System32\alg.exe[3248] USER32.dll!SetWindowsHookExW 7E42DDB5 5 Bytes JMP 000807AC
.text C:\WINDOWS\System32\alg.exe[3248] USER32.dll!SetWindowsHookExA 7E4311D1 5 Bytes JMP 00080720
.text C:\WINDOWS\System32\alg.exe[3248] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 000808C4
.text C:\WINDOWS\System32\alg.exe[3248] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 00080838
.text C:\WINDOWS\System32\alg.exe[3248] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00080950
.text C:\WINDOWS\system32\wuauclt.exe[3960] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 000801A8
.text C:\WINDOWS\system32\wuauclt.exe[3960] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00080090
.text C:\WINDOWS\system32\wuauclt.exe[3960] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00080694
.text C:\WINDOWS\system32\wuauclt.exe[3960] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 000802C0
.text C:\WINDOWS\system32\wuauclt.exe[3960] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00080234
.text C:\WINDOWS\system32\wuauclt.exe[3960] kernel32.dll!VirtualAlloc 7C809A61 5 Bytes JMP 00080004
.text C:\WINDOWS\system32\wuauclt.exe[3960] kernel32.dll!VirtualAllocEx 7C809A82 5 Bytes JMP 0008011C
.text C:\WINDOWS\system32\wuauclt.exe[3960] kernel32.dll!CreateRemoteThread 7C81043C 5 Bytes JMP 000804F0
.text C:\WINDOWS\system32\wuauclt.exe[3960] kernel32.dll!CreateThread 7C810647 5 Bytes JMP 0008057C
.text C:\WINDOWS\system32\wuauclt.exe[3960] kernel32.dll!CreateProcessInternalW 7C819527 5 Bytes JMP 000803D8
.text C:\WINDOWS\system32\wuauclt.exe[3960] kernel32.dll!CreateProcessInternalA 7C81DDE6 5 Bytes JMP 0008034C
.text C:\WINDOWS\system32\wuauclt.exe[3960] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00080464
.text C:\WINDOWS\system32\wuauclt.exe[3960] kernel32.dll!SetThreadContext 7C862C89 5 Bytes JMP 00080608
.text C:\WINDOWS\system32\wuauclt.exe[3960] USER32.dll!SetWindowsHookExW 7E42DDB5 5 Bytes JMP 000807AC
.text C:\WINDOWS\system32\wuauclt.exe[3960] USER32.dll!SetWindowsHookExA 7E4311D1 5 Bytes JMP 00080720
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3980] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001301A8
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3980] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00130090
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3980] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00130694
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3980] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001302C0
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3980] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00130234
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3980] kernel32.dll!VirtualAlloc 7C809A61 5 Bytes JMP 00130004
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3980] kernel32.dll!VirtualAllocEx 7C809A82 5 Bytes JMP 0013011C
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3980] kernel32.dll!CreateRemoteThread 7C81043C 5 Bytes JMP 001304F0
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3980] kernel32.dll!CreateThread 7C810647 5 Bytes JMP 0013057C
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3980] kernel32.dll!CreateProcessInternalW 7C819527 5 Bytes JMP 001303D8
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3980] kernel32.dll!ExitProcess 7C81CDEA 5 Bytes JMP 03881B4E C:\WINDOWS\msyuv.dll
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3980] kernel32.dll!CreateProcessInternalA 7C81DDE6 5 Bytes JMP 0013034C
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3980] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00130464
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3980] kernel32.dll!SetThreadContext 7C862C89 5 Bytes JMP 00130608
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3980] USER32.dll!SetWindowsHookExW 7E42DDB5 5 Bytes JMP 001307AC
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3980] USER32.dll!SetWindowsHookExA 7E4311D1 5 Bytes JMP 00130720
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3980] WININET.dll!InternetConnectA 3D94B0D2 5 Bytes JMP 00130F54
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3980] WININET.dll!InternetConnectW 3D94C2C0 5 Bytes JMP 00130FE0
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3980] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 00130D24
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3980] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 00130DB0
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3980] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 00130E3C
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3980] WININET.dll!InternetOpenUrlW 3D998439 5 Bytes JMP 00130EC8
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3980] ws2_32.dll!socket 71AB3B91 5 Bytes JMP 001308C4
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3980] ws2_32.dll!bind 71AB3E00 5 Bytes JMP 00130838
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3980] ws2_32.dll!connect 71AB406A 5 Bytes JMP 00130950
.text C:\Documents and Settings\Doug Fisher\Desktop\xbrpn2ln.exe[5312] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001301A8
.text C:\Documents and Settings\Doug Fisher\Desktop\xbrpn2ln.exe[5312] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00130090
.text C:\Documents and Settings\Doug Fisher\Desktop\xbrpn2ln.exe[5312] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00130694
.text C:\Documents and Settings\Doug Fisher\Desktop\xbrpn2ln.exe[5312] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001302C0
.text C:\Documents and Settings\Doug Fisher\Desktop\xbrpn2ln.exe[5312] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00130234
.text C:\Documents and Settings\Doug Fisher\Desktop\xbrpn2ln.exe[5312] kernel32.dll!VirtualAlloc 7C809A61 5 Bytes JMP 00130004
.text C:\Documents and Settings\Doug Fisher\Desktop\xbrpn2ln.exe[5312] kernel32.dll!VirtualAllocEx 7C809A82 5 Bytes JMP 0013011C
.text C:\Documents and Settings\Doug Fisher\Desktop\xbrpn2ln.exe[5312] kernel32.dll!CreateRemoteThread 7C81043C 5 Bytes JMP 001304F0
.text C:\Documents and Settings\Doug Fisher\Desktop\xbrpn2ln.exe[5312] kernel32.dll!CreateThread 7C810647 5 Bytes JMP 0013057C
.text C:\Documents and Settings\Doug Fisher\Desktop\xbrpn2ln.exe[5312] kernel32.dll!CreateProcessInternalW 7C819527 5 Bytes JMP 001303D8
.text C:\Documents and Settings\Doug Fisher\Desktop\xbrpn2ln.exe[5312] kernel32.dll!CreateProcessInternalA 7C81DDE6 5 Bytes JMP 0013034C
.text C:\Documents and Settings\Doug Fisher\Desktop\xbrpn2ln.exe[5312] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00130464
.text C:\Documents and Settings\Doug Fisher\Desktop\xbrpn2ln.exe[5312] kernel32.dll!SetThreadContext 7C862C89 5 Bytes JMP 00130608
.text C:\Documents and Settings\Doug Fisher\Desktop\xbrpn2ln.exe[5312] USER32.dll!SetWindowsHookExW 7E42DDB5 5 Bytes JMP 001307AC
.text C:\Documents and Settings\Doug Fisher\Desktop\xbrpn2ln.exe[5312] USER32.dll!SetWindowsHookExA 7E4311D1 5 Bytes JMP 00130720

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----


#6 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,779 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:10:48 PM

Posted 08 August 2010 - 06:42 PM

Hi,

please also run a scan with ComboFix:
Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Temporarily disable your AntiVirus and AntiSpyware applications. They may otherwise interfere with our tools.
    Usually this can be done via a right click on the System Tray icon, check this tutorial for disabling the most common security programs: Link

  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#7 montfish
  • Topic Starter
  • Members
  • 30 posts

Posted 08 August 2010 - 07:28 PM

Hi Myrti,

Thanks for being so helpful. I am attaching the combofix.txt log below.

Regards.
Doug


ComboFix 10-08-08.01 - Doug Fisher 08/08/2010 19:59:17.3.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2047.1476 [GMT -4:00]
Running from: c:\documents and settings\Doug Fisher\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
FW: Sunbelt Personal Firewall *disabled* {82B1150E-9B37-49FC-83EB-D52197D900D0}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Doug Fisher\Recent\ANTIGEN.dll
c:\documents and settings\Doug Fisher\Recent\DBOLE.dll
c:\documents and settings\Doug Fisher\Recent\ddv.sys
c:\documents and settings\Doug Fisher\Recent\eb.dll
c:\documents and settings\Doug Fisher\Recent\eb.tmp
c:\documents and settings\Doug Fisher\Recent\energy.sys
c:\documents and settings\Doug Fisher\Recent\exec.sys
c:\documents and settings\Doug Fisher\Recent\fan.exe
c:\documents and settings\Doug Fisher\Recent\FW.sys
c:\documents and settings\Doug Fisher\Recent\gid.sys
c:\documents and settings\Doug Fisher\Recent\hymt.tmp
c:\documents and settings\Doug Fisher\Recent\kernel32.exe
c:\documents and settings\Doug Fisher\Recent\PE.drv
c:\documents and settings\Doug Fisher\Recent\ppal.drv
c:\documents and settings\Doug Fisher\Recent\ppal.sys
c:\documents and settings\Doug Fisher\Recent\SICKBOY.tmp
c:\documents and settings\Doug Fisher\Recent\sld.sys
c:\documents and settings\Doug Fisher\Recent\SM.exe
c:\documents and settings\Doug Fisher\Recent\tjd.tmp
c:\documents and settings\Doug Fisher\System
c:\documents and settings\Doug Fisher\System\win_qs7.jqx
c:\program files\Shared\_lib.sig
c:\program files\Shared\lib.dll
c:\program files\Shared\lib.sig
c:\windows\Downloaded Program Files\popcaploader.inf
c:\windows\msyuv.dll
c:\windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job

.
((((((((((((((((((((((((( Files Created from 2010-07-09 to 2010-08-09 )))))))))))))))))))))))))))))))
.

2010-08-05 02:57 . 2010-08-05 02:58 -------- d-----w- c:\documents and settings\Doug Fisher\Application Data\American Airlines DealFinder
2010-08-01 02:55 . 2010-08-01 02:57 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-08-01 02:49 . 2010-08-01 02:49 -------- d-----w- c:\program files\Apple Software Update
2010-08-01 02:46 . 2010-08-01 02:46 -------- d-----w- c:\program files\Bonjour
2010-07-15 00:00 . 2010-08-09 00:07 -------- d-----w- c:\program files\Shared

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-03 21:10 . 2008-05-06 02:35 -------- d-----w- c:\documents and settings\Doug Fisher\Application Data\LimeWire
2010-08-03 02:00 . 2008-01-25 19:20 -------- d-----w- c:\program files\iPod
2010-08-03 02:00 . 2008-08-29 01:21 -------- d-----w- c:\program files\Common Files\Apple
2010-08-03 01:59 . 2006-02-03 04:23 -------- d-----w- c:\program files\QuickTime
2010-08-03 01:59 . 2006-02-03 04:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2010-07-31 03:29 . 2010-07-31 03:29 388096 ----a-r- c:\documents and settings\Doug Fisher\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-07-21 20:30 . 2010-07-21 20:30 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.2.1.5\SetupAdmin.exe
2010-07-01 13:06 . 2010-01-17 23:09 -------- d-----w- c:\program files\Microsoft Silverlight
2010-06-29 16:37 . 2010-06-29 16:37 -------- d-----w- c:\program files\AviSynth 2.5
2010-06-14 14:30 . 2003-12-02 01:34 743936 ----a-w- c:\windows\PCHealth\HelpCtr\Binaries\helpsvc.exe
2010-06-13 22:56 . 2009-12-20 02:40 63176 ---ha-w- c:\windows\system32\mlfcache.dat
2010-06-08 17:54 . 2009-04-20 01:18 1890 --sha-w- c:\windows\system32\KGyGaAvL.sys
2010-06-06 00:27 . 2004-04-07 03:13 78888 -c--a-w- c:\documents and settings\Doug Fisher\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-24 16:17 . 2010-05-24 16:17 503808 ----a-w- c:\documents and settings\Doug Fisher\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-40ad0d80-n\msvcp71.dll
2010-05-24 16:17 . 2010-05-24 16:17 499712 ----a-w- c:\documents and settings\Doug Fisher\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-40ad0d80-n\jmc.dll
2010-05-24 16:17 . 2010-05-24 16:17 348160 ----a-w- c:\documents and settings\Doug Fisher\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-40ad0d80-n\msvcr71.dll
2010-05-18 20:35 . 2010-05-18 20:35 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-05-18 20:35 . 2010-05-18 20:35 197920 ----a-w- c:\windows\system32\dnssdX.dll
2010-05-18 20:35 . 2010-05-18 20:35 107808 ----a-w- c:\windows\system32\dns-sd.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="d:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-05-19 2017280]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"American Airlines DealFinder"="null" [X]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-11-16 335872]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2003-04-07 155648]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2003-04-07 114688]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-08-19 4841472]
"AGRSMMSG"="AGRSMMSG.exe" [2003-05-23 88363]
"VAIO Recovery"="c:\windows\Sonysys\VAIO Recovery\PartSeal.exe" [2003-04-20 28672]
"ZTgServerSwitch"="c:\program files\support.com\client\bin\tgcmd.exe" [2003-06-24 1409024]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 28672]
"avgnt"="d:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"SunJavaUpdateSched"="d:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"ezShieldProtector for Px"="c:\windows\system32\ezSP_Px.exe" [2002-08-20 40960]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-19 421888]
"iTunesHelper"="d:\program files\iTunes\iTunesHelper.exe" [2010-07-21 141608]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2006-10-04 53760]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Remocon Driver.lnk - c:\program files\sony\usbsircs\usbsircs.exe [2004-3-2 229376]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "d:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-07 17:24 548352 ----a-w- d:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
backup=c:\windows\pss\Quicken Scheduled Updates.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Timer Recording Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Timer Recording Manager.lnk
backup=c:\windows\pss\Timer Recording Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-06-12 07:38 34672 ----a-w- d:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2009-08-13 20:51 177440 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ezShieldProtector for Px]
2002-08-20 18:29 40960 ----a-w- c:\windows\system32\ezSP_Px.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPWUTOOLBOX]
2005-07-23 07:18 352256 ----a-w- c:\program files\HP\HP Officejet Pro K550 Series\Toolbox\HPWUTBX.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPWU_MPM_Agent]
2005-07-23 07:18 106496 ----a-w- c:\program files\HP\HP Officejet Pro K550 Series\Toolbox\mpm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-07-21 19:53 141608 ----a-w- d:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-19 02:16 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-10-11 09:17 149280 ----a-w- d:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2008-10-05 17:54 185872 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
2009-12-21 05:45 39424 ----a-w- d:\program files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"VAIOMediaPlatform-VideoServer-HTTP"=2 (0x2)
"VAIOMediaPlatform-VideoServer-AppServer"=2 (0x2)
"VAIOMediaPlatform-PhotoServer-HTTP"=2 (0x2)
"VAIOMediaPlatform-MusicServer-HTTP"=2 (0x2)
"VAIOMediaPlatform-MusicServer-AppServer"=2 (0x2)
"iPod Service"=3 (0x3)
"Bonjour Service"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"VAIOMediaPlatform-VideoServer-UPnP"=2 (0x2)
"VAIOMediaPlatform-PhotoServer-UPnP"=2 (0x2)
"VAIOMediaPlatform-PhotoServer-AppServer"=2 (0x2)
"VAIOMediaPlatform-MusicServer-UPnP"=2 (0x2)
"wuauserv"=2 (0x2)
"CCALib8"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Sony\\Giga Pocket\\gps.exe"=
"c:\\Program Files\\support.com\\client\\bin\\tgcmd.exe"=
"c:\\Program Files\\Microsoft Office\\OFFICE11\\WINWORD.EXE"=
"c:\\Program Files\\Microsoft Office\\OFFICE11\\EXCEL.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"d:\\Program Files\\LimeWire\\LimeWire.exe"=
"d:\\Program Files\\realplay.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"d:\\Program Files\\iTunes\\iTunes.exe"=
"d:\program files\American Airlines DealFinder\American_Airlines_DealFinder.exe"= d:\program files\American Airlines DealFinder\American_Airlines_DealFinder.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)
"22837:TCP"= 22837:TCP:BitComet 22837 TCP
"22837:UDP"= 22837:UDP:BitComet 22837 UDP

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2/7/2009 6:58 PM 64160]
R1 SASDIFSV;SASDIFSV;d:\program files\SUPERAntiSpyware\SASDIFSV.SYS [8/5/2009 4:06 PM 12872]
R1 SASKUTIL;SASKUTIL;d:\program files\SUPERAntiSpyware\SASKUTIL.SYS [8/5/2009 4:06 PM 68168]
R1 SbFw;SbFw;c:\windows\system32\drivers\SbFw.sys [8/14/2009 10:57 PM 270888]
R1 sbhips;Sunbelt HIPS Driver;c:\windows\system32\drivers\sbhips.sys [6/21/2008 4:54 AM 66600]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;d:\program files\Avira\AntiVir Desktop\sched.exe [8/14/2009 10:33 PM 108289]
R2 SbPF.Launcher;SbPF.Launcher;d:\program files\Sunbelt Software\Personal Firewall\SbPFLnch.exe [10/31/2008 7:24 AM 95528]
R2 SDPASVC;SDPAUMS server service;c:\windows\system32\sdpasvc.exe -service --> c:\windows\system32\sdpasvc.exe -service [?]
R2 SPF4;Sunbelt Personal Firewall 4;d:\program files\Sunbelt Software\Personal Firewall\SbPFSvc.exe [10/31/2008 7:24 AM 1365288]
R3 SBFWIMCL;Sunbelt Software Firewall NDIS IM Filter Miniport;c:\windows\system32\drivers\SbFwIm.sys [8/14/2009 10:57 PM 65576]
S3 SASENUM;SASENUM;d:\program files\SUPERAntiSpyware\SASENUM.SYS [8/5/2009 4:06 PM 12872]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Doug Fisher\Application Data\Mozilla\Firefox\Profiles\8n404p8s.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com
FF - component: c:\documents and settings\Doug Fisher\Application Data\Mozilla\Firefox\Profiles\8n404p8s.default\extensions\bkmrksync@nokia.com\components\BkMrkExt.dll
FF - component: d:\program files\browserrecord\components\nprpbrowserrecordplugin.dll
FF - plugin: c:\documents and settings\Doug Fisher\Application Data\Move Networks\plugins\npqmp071505000010.dll
FF - plugin: c:\documents and settings\Doug Fisher\Application Data\Move Networks\plugins\npqmp071505000011.dll
FF - plugin: c:\program files\Virtools\3D Life Player\npvirtools.dll
FF - plugin: c:\program files\Virtual Earth 3D\npVE3D.dll
FF - plugin: d:\program files\Adobe\Reader 9.0\Reader\browser\nppdf32.dll
FF - plugin: d:\program files\DivX\DivX Content Uploader\npUpload.dll
FF - plugin: d:\program files\DivX\DivX Player\npDivxPlayerPlugin.dll
FF - plugin: d:\program files\DivX\DivX Web Player\npdivx32.dll
FF - plugin: d:\program files\iTunes\Mozilla Plugins\npitunes.dll
FF - plugin: d:\program files\Java\jre6\bin\new_plugin\npdeploytk.dll
FF - plugin: d:\program files\Java\jre6\bin\new_plugin\npjp2.dll
FF - plugin: d:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - plugin: d:\program files\Mozilla Firefox\plugins\npwachk.dll
FF - plugin: d:\program files\Netscape6\nppl3260.dll
FF - plugin: d:\program files\Netscape6\nprjplug.dll
FF - plugin: d:\program files\Netscape6\nprpjplug.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-Ad-Watch - c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
MSConfigStartUp-PC Suite Tray - d:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-08 20:12
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2386598982-814884606-4127854664-1005\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1108)
d:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(3852)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
.
------------------------ Other Running Processes ------------------------
.
d:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Sony\Giga Pocket\shwserv.exe
d:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\windows\system32\sdpasvc.exe
c:\windows\System32\tcpsvcs.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\MsPMSPSv.exe
d:\program files\Sunbelt Software\Personal Firewall\SbPFCl.exe
c:\windows\AGRSMMSG.exe
c:\program files\Sony\Giga Pocket\RM_SV.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-08-08 20:25:01 - machine was rebooted
ComboFix-quarantined-files.txt 2010-08-09 00:24
ComboFix2.txt 2009-08-12 00:41

Pre-Run: 1,503,477,760 bytes free
Post-Run: 1,662,726,144 bytes free

- - End Of File - - 19CB51CAF76C2DFD203A1A3679CE63BA


#8 myrti
    Sillyberry

  • Malware Study Hall Admin
  • 33,779 posts
  • Gender:Female
  • Location:At home

Posted 09 August 2010 - 04:30 AM

Hi,

ComboFix took care of a couple of suspicious files. Are you still getting the warnings? If so please give me the name and location of the files that are being detected.

regards myrti



#9 montfish
  • Topic Starter
  • Members
  • 30 posts

Posted 09 August 2010 - 07:57 AM

Hi Myrti,

Thanks for being so responsive. I was never getting warnings - except during the GMER scan. I was being redirected for any search I did in IE or Firefox. Also, I was getting all kinds of popups - which were opening in new browser windows. After the ComboFix scan things seem to be better - so far! :-)

Thanks.
Doug

#10 myrti
    Sillyberry

  • Malware Study Hall Admin
  • 33,779 posts
  • Gender:Female
  • Location:At home

Posted 09 August 2010 - 08:16 AM

Hi,

You were infected by a DNS hijacker that was redirecting all your traffic into the Ukraine. This should be fixed.

Could you please run a scan with Malwarebytes next:

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link
If you have a previous version of MBAM, remove it via Add/Remove Programs and download a fresh copy.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless of whether you are prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.

regards myrti



#11 montfish
  • Topic Starter
  • Members
  • 30 posts

Posted 09 August 2010 - 08:22 AM

Thanks Myrti,

I won't be able to run the scan until this evening - at work right now. I'll send you the reports then.
Wow, all traffic to the Ukraine!!! How does that happen? Of greater concern is: is my personal data at risk, i.e. online banking, bill paying, etc.?

Thanks.
Doug

#12 myrti
    Sillyberry

  • Malware Study Hall Admin
  • 33,779 posts
  • Gender:Female
  • Location:At home

Posted 09 August 2010 - 08:42 AM

Hi,

Not sure how much you know of DNS? Basically the internet does not function with web addresses, but with IPs. So when you enter google.com into your browser it gets translated into an IP (something like 123.123.123.123 (this is an example IP, not the IP of Google)) that will direct you to the correct place. This is usually done by your ISP, but there are other institutions offering these services.

What happened on your PC was that the infection set your PC up in a way that this resolution was done by a server in the Ukraine. That server can send you anywhere it wants. If it were to resolve the entered web address not to 123.123.123 but to 146.123.265.23 you would end up on a completely different site than the one you intended to be on. This will either be a site that does "phishing", namely it will look exactly like the online banking site you were trying to reach, so that you are fooled into entering your credentials into it. Or it will just randomly redirect you to sites that want more traffic.
Many browsers block phishing sites, plus you would have to notice that you tried logging in but got a wrong password message or nothing happened or something.

In theory however, as long as they did not fool you into entering your passwords in one of those fake sites, they should not have been able to read your passwords, because these will be sent to the website encrypted and cannot be so easily intercepted. Nevertheless there is a risk of compromise, although I do not judge it to be very high.

If you want to be absolutely safe, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those financial institutions to apprise them of your situation. They will know if and what further steps to take.

If you do not have access to a known clean computer, you will still need to change your passwords, and all other sensitive information, but only once your system is deemed clean.

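A defender-side check for the resolver settings myrti describes above, as an added example that is not part of the thread or of any tool mentioned in it. On Windows it reads the per-interface NameServer and DhcpNameServer values kept under HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces (elsewhere it runs against a constructed sample) and flags any resolver that is neither on the owner's allowlist nor a private-range address, plus any interface where a static NameServer overrides what DHCP handed out, which is the footprint a DNS changer leaves. The allowlist address, the interface GUIDs and the 203.0.113.x resolver addresses are constructed placeholders.

```python
"""Flag DNS resolver settings a DNS hijacker may have planted.

Added example for this thread, not code from BleepingComputer or from any
tool named in it. Resolver addresses, interface GUIDs and the allowlist
below are constructed placeholders.
"""
import ipaddress
import sys

# Resolvers the owner actually configured (ISP or home router).
# Constructed placeholder; replace with your own.
TRUSTED_RESOLVERS = {"192.168.1.1"}

# RFC 1918 ranges: a resolver here is the home router or a LAN box,
# plausible but still worth confirming by eye.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_nameservers(value):
    """NameServer values are a space- or comma-separated list."""
    return [tok for tok in (value or "").replace(",", " ").split() if tok]


def classify_resolver(addr, trusted=TRUSTED_RESOLVERS):
    """Return trusted / local / unexpected / invalid for one resolver."""
    if addr in trusted:
        return "trusted"
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "invalid"
    if ip.is_loopback or any(ip in net for net in PRIVATE_NETS):
        return "local"
    return "unexpected"   # a public resolver nobody configured on purpose


def audit_interfaces(interfaces, trusted=TRUSTED_RESOLVERS):
    """interfaces: {guid: {"NameServer": str, "DhcpNameServer": str}}.
    Returns one (guid, value_name, address, verdict) tuple per resolver
    that is not on the allowlist."""
    findings = []
    for guid, values in interfaces.items():
        for name in ("NameServer", "DhcpNameServer"):
            for addr in parse_nameservers(values.get(name)):
                verdict = classify_resolver(addr, trusted)
                if verdict != "trusted":
                    findings.append((guid, name, addr, verdict))
    return findings


def static_overrides(interfaces):
    """Interfaces where a static NameServer replaces the DHCP-supplied one:
    the classic footprint of a DNS changer on a home PC."""
    out = []
    for guid, values in interfaces.items():
        static = set(parse_nameservers(values.get("NameServer")))
        dhcp = set(parse_nameservers(values.get("DhcpNameServer")))
        if static and static != dhcp:
            out.append(guid)
    return out


def read_windows_interfaces():
    """Read the live values from the registry on Windows; None elsewhere."""
    if sys.platform != "win32":
        return None
    import winreg
    base = r"SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces"
    result = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, base) as root:
        for i in range(winreg.QueryInfoKey(root)[0]):
            guid = winreg.EnumKey(root, i)
            with winreg.OpenKey(root, guid) as key:
                values = {}
                for name in ("NameServer", "DhcpNameServer"):
                    try:
                        values[name] = winreg.QueryValueEx(key, name)[0]
                    except OSError:
                        values[name] = ""
                result[guid] = values
    return result


# Constructed sample: one untouched interface and one with a static
# override pointing at two public resolvers (TEST-NET-3 placeholders).
SAMPLE_INTERFACES = {
    "{AAAAAAAA-0000-0000-0000-000000000001}": {
        "NameServer": "", "DhcpNameServer": "192.168.1.1"},
    "{BBBBBBBB-0000-0000-0000-000000000002}": {
        "NameServer": "203.0.113.7,203.0.113.8", "DhcpNameServer": "192.168.1.1"},
}

if __name__ == "__main__":
    live = read_windows_interfaces()
    data = live if live is not None else SAMPLE_INTERFACES
    for finding in audit_interfaces(data):
        print("resolver  %s %s=%s -> %s" % finding)
    for guid in static_overrides(data):
        print("override  %s has a static NameServer that differs from DHCP" % guid)
```

Run it on the affected machine before and after cleanup; an "unexpected" public resolver, or a static override on the interface the PC actually uses, is what to compare against the ISP's published resolver addresses. Resetting the interface to obtain DNS automatically and re-running the script confirms the change stuck.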


#13 montfish
  • Topic Starter
  • Members
  • 30 posts

Posted 09 August 2010 - 08:54 AM

Hi Myrti,

Great explanation! Thanks. So, if I am to understand you correctly, since I was not prompted to change a password, nor did I receive an incorrect password message while logging in I "should" be OK. I noticed during this time that even though I've been redirected while searching google, yahoo etc., I had no problems getting to a desired site by using my favorites. Does that sound right to you? Also, just wondering, is there anything in these logs that would indicate where I got this infection from?

Thanks again,
Doug

#14 myrti
    Sillyberry

  • Malware Study Hall Admin
  • 33,779 posts
  • Gender:Female
  • Location:At home

Posted 09 August 2010 - 09:05 AM

Hi,

It is usually very difficult to impossible to retrospectively determine what caused the infection. From the infected HTML warning from Avira I would expect that you had the misfortune to visit an infected website and had a vulnerable browser or other program.

From the logs this:
QUOTE
[2010/07/28 18:14:59 | 000,000,300 | -H-- | C] () -- C:\WINDOWS\tasks\{22116563-108C-42c0-A7CE-60161B75E508}.job
[2010/07/28 18:14:48 | 000,000,258 | -H-- | C] () -- C:\WINDOWS\tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job
[2010/07/28 18:14:44 | 000,000,292 | -H-- | C] () -- C:\WINDOWS\tasks\339a61fd.job

would suggest that you got infected on the 28th July at quarter past six. Maybe you remember what you were doing.

Also it is quite possible that these files still exist, which is why I was asking for the Malwarebytes log and probably an OTL log after that.

regards myrti

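The dating method myrti applies to the three quoted lines above, carried into a small forensic timeline script, as an added example that is not part of the thread or of OTL. It parses lines in the quoted OTL format (`[date time | size | attributes | C or M] (company) -- path`), groups entries whose timestamps fall within two minutes of each other, and reports bursts of hidden, vendor-less files, which is how an analyst narrows down when something landed. The sample log embeds the three quoted task-job lines plus two constructed benign lines; the two-minute window and the "Example Vendor" paths are assumptions.

```python
"""Turn OTL-style file-creation lines into an infection timeline.

Added example, not code from the BleepingComputer thread or from OTL.
The three .job lines are the ones quoted in the thread; the other two
sample lines and the two-minute burst window are constructed assumptions.
"""
import re
from datetime import datetime, timedelta

# [2010/07/28 18:14:59 | 000,000,300 | -H-- | C] () -- C:\WINDOWS\tasks\x.job
LINE_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>[-A-Z]+) \| (?P<kind>[CM])\] "
    r"\((?P<company>[^)]*)\) -- (?P<path>.+)$"
)


def parse_line(line):
    """One OTL line -> dict, or None for lines in any other format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S"),
        "size": int(m["size"].replace(",", "")),
        "hidden": "H" in m["attrs"],            # -H-- attribute column
        "kind": "created" if m["kind"] == "C" else "modified",
        "company": m["company"],                # empty for unsigned files
        "path": m["path"],
    }


def parse_log(text):
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def bursts(entries, window=timedelta(seconds=120)):
    """Group chronologically sorted entries that land within `window` of
    the previous one. Several files in a few seconds is the footprint of
    an installer, legitimate or not."""
    groups = []
    for e in sorted(entries, key=lambda e: e["ts"]):
        if groups and e["ts"] - groups[-1][-1]["ts"] <= window:
            groups[-1].append(e)
        else:
            groups.append([e])
    return groups


def suspicious_bursts(entries, min_hidden=2):
    """Bursts with at least `min_hidden` hidden files carrying no company
    name. Returns (first_ts, last_ts, [paths]) per burst."""
    out = []
    for g in bursts(entries):
        hidden = [e for e in g if e["hidden"] and not e["company"]]
        if len(hidden) >= min_hidden:
            out.append((g[0]["ts"], g[-1]["ts"], [e["path"] for e in hidden]))
    return out


# Constructed sample: the three quoted lines plus two benign ones.
SAMPLE_LOG = r"""
[2010/07/21 20:30:00 | 000,073,000 | ---- | C] (Example Vendor) -- C:\Program Files\Example Vendor\Setup.exe
[2010/07/28 18:14:59 | 000,000,300 | -H-- | C] () -- C:\WINDOWS\tasks\{22116563-108C-42c0-A7CE-60161B75E508}.job
[2010/07/28 18:14:48 | 000,000,258 | -H-- | C] () -- C:\WINDOWS\tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job
[2010/07/28 18:14:44 | 000,000,292 | -H-- | C] () -- C:\WINDOWS\tasks\339a61fd.job
[2010/08/01 02:49:10 | 000,000,000 | ---- | C] () -- C:\Program Files\Example Vendor\data.bin
"""

if __name__ == "__main__":
    for first, last, paths in suspicious_bursts(parse_log(SAMPLE_LOG)):
        print("%s .. %s  %d hidden unsigned files" % (first, last, len(paths)))
        for p in paths:
            print("    " + p)
```

On the sample the only flagged burst spans 18:14:44 to 18:14:59 on 28 July, the quarter-past-six window myrti points to. Feed it the full OTL output and the same burst logic separates the infection's fifteen-second cluster from the scattered, vendor-signed files an ordinary week of updates leaves behind.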


#15 montfish
  • Topic Starter
  • Members
  • 30 posts

Posted 09 August 2010 - 09:09 AM

Hi Myrti,

Got it! Thanks so much! I'll send those logs later today. In the meantime - have a great day.
