Msconfig Will Not Open



#1 ekleist


Posted 04 June 2007 - 01:45 PM

Hi - msconfig will not open for me. I have tried copying the file to a different location and running it with a different name and downloading a new copy of msconfig. Both of these solutions ended the same way - the mouse turned into the hourglass for a second and then nothing happened. I have run Trend Micro's HouseCall, McAfee, Panda scanner, AVG Anti-Spyware, Spybot S&D, Stinger, and Ad-Aware. All have found nothing other than tracking cookies. Here is my HijackThis log.



Logfile of HijackThis v1.99.1
Scan saved at 11:39:51 AM, on 6/4/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)




#2 DaveM59


Posted 09 June 2007 - 04:40 PM

Hi ekleist,

Welcome to Bleeping Computer.

This log looks clean.

We may need to do some other scans to rule out rootkits and other sneaky stuff, but I would like you to do a few checks first. Or, if you have already done these checks, let me know.

Can you launch Task Manager (<Ctrl>-<Alt>-<Del> or Start-Run then type in Taskmgr)? What about the Registry Editor (Start-Run then type in Regedit)?

Most malware that targets MSConfig also takes out these other utilities as well, so the answer is an important clue as to whether this is malware at work.

Second question/request. Try to launch MSConfig in Safe Mode.

If you don't know how to boot into safe mode, see this tutorial.

After trying this test, reboot into normal mode.

Last question/request. If you can run Task Manager, use it to kill explorer.exe (start Task Manager, under the Processes tab navigate to Explorer.exe, select it, and click End Process). Then launch msconfig from Task Manager: under the Applications tab, click New task and browse to your msconfig.exe file. Since you have been moving it around already I assume you know where to find it. Select the file and click Open.

After trying to launch msconfig in this way, you will have to get your Explorer back. To do this, use Task Manager just as you did to launch msconfig. The location of Explorer is C:\Windows\explorer.exe.

Let me know what you find.

Dave

#3 ekleist


Posted 14 June 2007 - 08:59 PM

> Can you launch Task Manager (<Ctrl>-<Alt>-<Del> or Start-Run then type in Taskmgr)? What about the Registry Editor (Start-Run then type in Regedit)?

Yes - I can run these without a problem.

> Try to launch MSConfig in Safe Mode.

Does not run. Acts the same way.

> Last question/request. If you can run Task Manager, use it to kill explorer.exe (start Task Manager, under the Processes tab navigate to Explorer.exe, select it, and click End Process). Then launch msconfig from Task Manager: under the Applications tab, click New task and browse to your msconfig.exe file. Since you have been moving it around already I assume you know where to find it. Select the file and click Open.
>
> After trying to launch msconfig in this way, you will have to get your Explorer back. To do this, use Task Manager just as you did to launch msconfig. The location of Explorer is C:\Windows\explorer.exe.

After starting the task, nothing happened. After then re-running explorer.exe, msconfig was not present. No results.


Hope this helps! Thanks!

#4 DaveM59


Posted 15 June 2007 - 09:14 AM

Hi again,

First off, until we can get your msconfig back, there's a partial substitute called Startup Control Panel available here. However, it does not give access to the services or .ini files.

At this point I think it's time to run a few scans just to rule out an infection.

First a rootkit scan:

  • Download gmer.zip and save it to your desktop (alternate download site 1, alternate download site 2).
  • Unzip/extract the file to its own folder. (Click here for information on how to do this if not sure. Win 2000 users click here.)
  • When you have done this, disconnect from the Internet and close all running programs.
    There is a small chance this application may crash your computer so save any work you have open.
  • Double-click on Gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan, click NO.
  • Click on "Settings", then check the first five settings:
    *System Protection and Tracing
    *Processes
    *Save created processes to the log
    *Drivers
    *Save loaded drivers to the log
  • You will be prompted to restart your computer. Please do so.
  • Run Gmer again and click on the Rootkit tab.
  • Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
  • Make sure all other boxes on the right of the screen are checked, EXCEPT for "Show All".
  • Click on "Scan" and wait for the scan to finish.
    Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan.
  • When completed, click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste or Ctrl+V. Save the file as gmer.txt and copy the information in your next reply.
  • Note: If you have any problems, try running GMER in SAFE MODE.
Important! Please do not select the "Show all" checkbox during the scan.

Then, a general scan that takes a deeper look at your system:

Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.

1. Close all applications, including any that are running minimized in your taskbar.
2. Double-click on dss.exe to run it, and follow the prompts.
3. When the scan is complete, two text files will open: main.txt (this one will be maximized) and extra.txt (this one will be minimized).
4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and the extra.txt in your next reply. If you have any problems with the logs, both can be found in C:\Deckard\System Scanner.

Note: some firewalls may warn that sigcheck.exe is trying to access the internet - please ensure that you allow sigcheck.exe permission to do so.

I need to see all three logs: the Gmer log and both DSS logs. If they come out clean then I think we can rule out active malware.

Dave

#5 ekleist


Posted 15 June 2007 - 05:47 PM

gmer.txt
GMER 1.0.12.12244 - http://www.gmer.net
Rootkit scan 2006-01-04 03:38:52
Windows 5.1.2600 Service Pack 2


.text   C:\WINDOWS\system32\svchost.exe[988] kernel32.dll!LoadLibraryA								7C801D77 5 Bytes  JMP 00AC0047 
.text   C:\WINDOWS\system32\svchost.exe[988] kernel32.dll!GetStartupInfoW							 7C801E50 5 Bytes  JMP 00AC0F66 
.text   C:\WINDOWS\system32\svchost.exe[988] kernel32.dll!GetStartupInfoA							 7C801EEE 5 Bytes  JMP 00AC0F77 
.text   C:\WINDOWS\system32\svchost.exe[988] kernel32.dll!CreateProcessW							  7C802332 5 Bytes  JMP 00AC00D3 
.text   C:\WINDOWS\system32\svchost.exe[988] kernel32.dll!CreateProcessA							  7C802367 5 Bytes  JMP 00AC0F3A 
.text   C:\WINDOWS\system32\svchost.exe[988] kernel32.dll!GetProcAddress							  7C80ADA0 5 Bytes  JMP 00AC0F29 
.text   C:\WINDOWS\system32\svchost.exe[988] kernel32.dll!LoadLibraryW								7C80AE4B 5 Bytes  JMP 00AC0058 
.text   C:\WINDOWS\system32\svchost.exe[988] kernel32.dll!CreateFileW								 7C810760 5 Bytes  JMP 00AC0011 
.text   C:\WINDOWS\system32\svchost.exe[988] kernel32.dll!CreatePipe								  7C81E0C7 5 Bytes  JMP 00AC0F94 
.text   C:\WINDOWS\system32\svchost.exe[988] kernel32.dll!CreateNamedPipeW							7C82F0D4 5 Bytes  JMP 00AC0FE5 
.text   C:\WINDOWS\system32\svchost.exe[988] kernel32.dll!CreateNamedPipeA							7C85FC74 5 Bytes  JMP 00AC0036 
.text   C:\WINDOWS\system32\svchost.exe[988] kernel32.dll!WinExec									 7C86136D 5 Bytes  JMP 00AC0F55 
.text   C:\WINDOWS\system32\svchost.exe[988] ADVAPI32.dll!RegOpenKeyExW							   77DD6A78 5 Bytes  JMP 00AB0FCD 
.text   C:\WINDOWS\system32\svchost.exe[988] ADVAPI32.dll!RegCreateKeyExW							 77DD7535 5 Bytes  JMP 00AB0F7C 
.text   C:\WINDOWS\system32\svchost.exe[988] ADVAPI32.dll!RegOpenKeyExA							   77DD761B 5 Bytes  JMP 00AB0FDE 
.text   C:\WINDOWS\system32\svchost.exe[988] ADVAPI32.dll!RegOpenKeyW								 77DD770F 5 Bytes  JMP 00AB0FEF 
.text   C:\WINDOWS\system32\svchost.exe[988] ADVAPI32.dll!RegCreateKeyExA							 77DDEAF4 5 Bytes  JMP 00AB0FA1 
.text   C:\WINDOWS\system32\svchost.exe[988] ADVAPI32.dll!RegCreateKeyW							   77DF8F7D 5 Bytes  JMP 00AB0FB2 
.text   C:\WINDOWS\system32\svchost.exe[988] ADVAPI32.dll!RegOpenKeyA								 77DFC41B 5 Bytes  JMP 00AB0000 
.text   C:\WINDOWS\system32\svchost.exe[988] ADVAPI32.dll!RegCreateKeyA							   77DFD5BB 5 Bytes  JMP 00AB0039 
.text   C:\WINDOWS\system32\svchost.exe[988] WS2_32.dll!socket										71AB3B91 5 Bytes  JMP 00A90FEF 
.text   C:\WINDOWS\system32\svchost.exe[1084] kernel32.dll!CreateFileA								7C801A24 5 Bytes  JMP 02080FEF 
.text   C:\WINDOWS\system32\svchost.exe[1084] kernel32.dll!VirtualProtectEx						   7C801A5D 5 Bytes  JMP 0208005B 
.text   C:\WINDOWS\system32\svchost.exe[1084] kernel32.dll!VirtualProtect							 7C801AD0 5 Bytes  JMP 02080F66 
.text   C:\WINDOWS\system32\svchost.exe[1084] kernel32.dll!LoadLibraryExW							 7C801AF1 5 Bytes  JMP 02080F77 
.text   C:\WINDOWS\system32\svchost.exe[1084] kernel32.dll!LoadLibraryExA							 7C801D4F 5 Bytes  JMP 02080F9E 
.text   C:\WINDOWS\system32\svchost.exe[1084] kernel32.dll!LoadLibraryA							   7C801D77 5 Bytes  JMP 02080FB9 
.text   C:\WINDOWS\system32\svchost.exe[1084] kernel32.dll!GetStartupInfoW							7C801E50 5 Bytes  JMP 02080F4B 
.text   C:\WINDOWS\system32\svchost.exe[1084] kernel32.dll!GetStartupInfoA							7C801EEE 5 Bytes  JMP 02080093 
.text   C:\WINDOWS\system32\svchost.exe[1084] kernel32.dll!CreateProcessW							 7C802332 5 Bytes  JMP 02080F15 
.text   C:\WINDOWS\system32\svchost.exe[1084] kernel32.dll!CreateProcessA							 7C802367 5 Bytes  JMP 02080F26 
.text   C:\WINDOWS\system32\svchost.exe[1084] kernel32.dll!GetProcAddress							 7C80ADA0 5 Bytes  JMP 02080F04 
.text   C:\WINDOWS\system32\svchost.exe[1084] kernel32.dll!LoadLibraryW							   7C80AE4B 5 Bytes  JMP 02080040 
.text   C:\WINDOWS\system32\svchost.exe[1084] kernel32.dll!CreateFileW								7C810760 5 Bytes  JMP 0208000A 
.text   C:\WINDOWS\system32\svchost.exe[1084] kernel32.dll!CreatePipe								 7C81E0C7 5 Bytes  JMP 02080076 
.text   C:\WINDOWS\system32\svchost.exe[1084] kernel32.dll!CreateNamedPipeW						   7C82F0D4 5 Bytes  JMP 02080FCA 
.text   C:\WINDOWS\system32\svchost.exe[1084] kernel32.dll!CreateNamedPipeA						   7C85FC74 5 Bytes  JMP 02080025 
.text   C:\WINDOWS\system32\svchost.exe[1084] kernel32.dll!WinExec									7C86136D 5 Bytes  JMP 020800A4 
.text   C:\WINDOWS\system32\svchost.exe[1084] ADVAPI32.dll!RegOpenKeyExW							  77DD6A78 5 Bytes  JMP 015C0FCA 
.text   C:\WINDOWS\system32\svchost.exe[1084] ADVAPI32.dll!RegCreateKeyExW							77DD7535 5 Bytes  JMP 015C006C 
.text   C:\WINDOWS\system32\svchost.exe[1084] ADVAPI32.dll!RegOpenKeyExA							  77DD761B 5 Bytes  JMP 015C0FE5 
.text   C:\WINDOWS\system32\svchost.exe[1084] ADVAPI32.dll!RegOpenKeyW								77DD770F 5 Bytes  JMP 015C001B 
.text   C:\WINDOWS\system32\svchost.exe[1084] ADVAPI32.dll!RegCreateKeyExA							77DDEAF4 5 Bytes  JMP 015C0051 
.text   C:\WINDOWS\system32\svchost.exe[1084] ADVAPI32.dll!RegCreateKeyW							  77DF8F7D 5 Bytes  JMP 015C0FAF 
.text   C:\WINDOWS\system32\svchost.exe[1084] ADVAPI32.dll!RegOpenKeyA								77DFC41B 5 Bytes  JMP 015C0000 
.text   C:\WINDOWS\system32\svchost.exe[1084] ADVAPI32.dll!RegCreateKeyA							  77DFD5BB 5 Bytes  JMP 015C0040 
.text   C:\WINDOWS\system32\svchost.exe[1084] WS2_32.dll!socket									   71AB3B91 5 Bytes  JMP 015A000A 
.text   C:\WINDOWS\system32\svchost.exe[1084] WININET.dll!InternetOpenA							   42C2C869 5 Bytes  JMP 01590FE5 
.text   C:\WINDOWS\system32\svchost.exe[1084] WININET.dll!InternetOpenW							   42C2CEA1 5 Bytes  JMP 01590FCA 
.text   C:\WINDOWS\system32\svchost.exe[1084] WININET.dll!InternetOpenUrlA							42C306DD 5 Bytes  JMP 01590FB9 
.text   C:\WINDOWS\system32\svchost.exe[1084] WININET.dll!InternetOpenUrlW							42C7A8B1 5 Bytes  JMP 0159000A 
.text   C:\WINDOWS\system32\svchost.exe[1196] kernel32.dll!CreateFileA								7C801A24 5 Bytes  JMP 00830FEF 
.text   C:\WINDOWS\system32\svchost.exe[1196] kernel32.dll!VirtualProtectEx						   7C801A5D 5 Bytes  JMP 00830F77 
.text   C:\WINDOWS\system32\svchost.exe[1196] kernel32.dll!VirtualProtect							 7C801AD0 5 Bytes  JMP 0083006C 
.text   C:\WINDOWS\system32\svchost.exe[1196] kernel32.dll!LoadLibraryExW							 7C801AF1 5 Bytes  JMP 00830F94 
.text   C:\WINDOWS\system32\svchost.exe[1196] kernel32.dll!LoadLibraryExA							 7C801D4F 5 Bytes  JMP 00830051 
.text   C:\WINDOWS\system32\svchost.exe[1196] kernel32.dll!LoadLibraryA							   7C801D77 5 Bytes  JMP 0083002C 
.text   C:\WINDOWS\system32\svchost.exe[1196] kernel32.dll!GetStartupInfoW							7C801E50 5 Bytes  JMP 00830F55 
.text   C:\WINDOWS\system32\svchost.exe[1196] kernel32.dll!GetStartupInfoA							7C801EEE 5 Bytes  JMP 0083009D 
.text   C:\WINDOWS\system32\svchost.exe[1196] kernel32.dll!CreateProcessW							 7C802332 5 Bytes  JMP 00830F04 
.text   C:\WINDOWS\system32\svchost.exe[1196] kernel32.dll!CreateProcessA							 7C802367 5 Bytes  JMP 00830F1F 
.text   C:\WINDOWS\system32\svchost.exe[1196] kernel32.dll!GetProcAddress							 7C80ADA0 5 Bytes  JMP 008300AE 
.text   C:\WINDOWS\system32\svchost.exe[1196] kernel32.dll!LoadLibraryW							   7C80AE4B 5 Bytes  JMP 00830FA5 
.text   C:\WINDOWS\system32\svchost.exe[1196] kernel32.dll!CreateFileW								7C810760 5 Bytes  JMP 0083000A 
.text   C:\WINDOWS\system32\svchost.exe[1196] kernel32.dll!CreatePipe								 7C81E0C7 5 Bytes  JMP 00830F66 
.text   C:\WINDOWS\system32\svchost.exe[1196] kernel32.dll!CreateNamedPipeW						   7C82F0D4 5 Bytes  JMP 00830FC0 
.text   C:\WINDOWS\system32\svchost.exe[1196] kernel32.dll!CreateNamedPipeA						   7C85FC74 5 Bytes  JMP 0083001B 
.text   C:\WINDOWS\system32\svchost.exe[1196] kernel32.dll!WinExec									7C86136D 5 Bytes  JMP 00830F30 
.text   C:\WINDOWS\system32\svchost.exe[1196] ADVAPI32.dll!RegOpenKeyExW							  77DD6A78 5 Bytes  JMP 00820FDB 
.text   C:\WINDOWS\system32\svchost.exe[1196] ADVAPI32.dll!RegCreateKeyExW							77DD7535 5 Bytes  JMP 00820062 
.text   C:\WINDOWS\system32\svchost.exe[1196] ADVAPI32.dll!RegOpenKeyExA							  77DD761B 5 Bytes  JMP 0082002C 
.text   C:\WINDOWS\system32\svchost.exe[1196] ADVAPI32.dll!RegOpenKeyW								77DD770F 5 Bytes  JMP 0082001B 
.text   C:\WINDOWS\system32\svchost.exe[1196] ADVAPI32.dll!RegCreateKeyExA							77DDEAF4 5 Bytes  JMP 00820FA5 
.text   C:\WINDOWS\system32\svchost.exe[1196] ADVAPI32.dll!RegCreateKeyW							  77DF8F7D 5 Bytes  JMP 00820FC0 
.text   C:\WINDOWS\system32\svchost.exe[1196] ADVAPI32.dll!RegOpenKeyA								77DFC41B 5 Bytes  JMP 0082000A 
.text   C:\WINDOWS\system32\svchost.exe[1196] ADVAPI32.dll!RegCreateKeyA							  77DFD5BB 5 Bytes  JMP 00820047 
.text   C:\WINDOWS\system32\svchost.exe[1196] WS2_32.dll!socket									   71AB3B91 5 Bytes  JMP 00800FEF 
.text   C:\WINDOWS\system32\svchost.exe[1304] kernel32.dll!CreateFileA								7C801A24 5 Bytes  JMP 00970FE5 
.text   C:\WINDOWS\system32\svchost.exe[1304] kernel32.dll!VirtualProtectEx						   7C801A5D 5 Bytes  JMP 00970F4B 
.text   C:\WINDOWS\system32\svchost.exe[1304] kernel32.dll!VirtualProtect							 7C801AD0 5 Bytes  JMP 00970F66 
.text   C:\WINDOWS\system32\svchost.exe[1304] kernel32.dll!LoadLibraryExW							 7C801AF1 5 Bytes  JMP 00970F77 
.text   C:\WINDOWS\system32\svchost.exe[1304] kernel32.dll!LoadLibraryExA							 7C801D4F 5 Bytes  JMP 00970040 
.text   C:\WINDOWS\system32\svchost.exe[1304] kernel32.dll!LoadLibraryA							   7C801D77 5 Bytes  JMP 00970F9E 
.text   C:\WINDOWS\system32\svchost.exe[1304] kernel32.dll!GetStartupInfoW							7C801E50 5 Bytes  JMP 00970093 
.text   C:\WINDOWS\system32\svchost.exe[1304] kernel32.dll!GetStartupInfoA							7C801EEE 5 Bytes  JMP 00970076 
.text   C:\WINDOWS\system32\svchost.exe[1304] kernel32.dll!CreateProcessW							 7C802332 5 Bytes  JMP 00970F26 
.text   C:\WINDOWS\system32\svchost.exe[1304] kernel32.dll!CreateProcessA							 7C802367 5 Bytes  JMP 009700B5 
.text   C:\WINDOWS\system32\svchost.exe[1304] kernel32.dll!GetProcAddress							 7C80ADA0 5 Bytes  JMP 009700E4 
.text   C:\WINDOWS\system32\svchost.exe[1304] kernel32.dll!LoadLibraryW							   7C80AE4B 5 Bytes  JMP 00970025 
.text   C:\WINDOWS\system32\svchost.exe[1304] kernel32.dll!CreateFileW								7C810760 5 Bytes  JMP 00970FD4 
.text   C:\WINDOWS\system32\svchost.exe[1304] kernel32.dll!CreatePipe								 7C81E0C7 5 Bytes  JMP 00970065 
.text   C:\WINDOWS\system32\svchost.exe[1304] kernel32.dll!CreateNamedPipeW						   7C82F0D4 5 Bytes  JMP 0097000A 
.text   C:\WINDOWS\system32\svchost.exe[1304] kernel32.dll!CreateNamedPipeA						   7C85FC74 5 Bytes  JMP 00970FB9 
.text   C:\WINDOWS\system32\svchost.exe[1304] kernel32.dll!WinExec									7C86136D 5 Bytes  JMP 009700A4 
.text   C:\WINDOWS\system32\svchost.exe[1304] ADVAPI32.dll!RegOpenKeyExW							  77DD6A78 5 Bytes  JMP 0072002F 
.text   C:\WINDOWS\system32\svchost.exe[1304] ADVAPI32.dll!RegCreateKeyExW							77DD7535 5 Bytes  JMP 0072008A 
.text   C:\WINDOWS\system32\svchost.exe[1304] ADVAPI32.dll!RegOpenKeyExA							  77DD761B 5 Bytes  JMP 00720014 
.text   C:\WINDOWS\system32\svchost.exe[1304] ADVAPI32.dll!RegOpenKeyW								77DD770F 5 Bytes  JMP 00720FDE 
.text   C:\WINDOWS\system32\svchost.exe[1304] ADVAPI32.dll!RegCreateKeyExA							77DDEAF4 5 Bytes  JMP 00720079 
.text   C:\WINDOWS\system32\svchost.exe[1304] ADVAPI32.dll!RegCreateKeyW							  77DF8F7D 5 Bytes  JMP 00720FCD 
.text   C:\WINDOWS\system32\svchost.exe[1304] ADVAPI32.dll!RegOpenKeyA								77DFC41B 5 Bytes  JMP 00720FEF 
.text   C:\WINDOWS\system32\svchost.exe[1304] ADVAPI32.dll!RegCreateKeyA							  77DFD5BB 5 Bytes  JMP 0072004A 
.text   C:\WINDOWS\system32\svchost.exe[1304] WS2_32.dll!socket									   71AB3B91 5 Bytes  JMP 00700FEF 
.text   C:\WINDOWS\system32\svchost.exe[1304] WININET.dll!InternetOpenA							   42C2C869 5 Bytes  JMP 006F0FEF 
.text   C:\WINDOWS\system32\svchost.exe[1304] WININET.dll!InternetOpenW							   42C2CEA1 5 Bytes  JMP 006F0FDE 
.text   C:\WINDOWS\system32\svchost.exe[1304] WININET.dll!InternetOpenUrlA							42C306DD 5 Bytes  JMP 006F000A 
.text   C:\WINDOWS\system32\svchost.exe[1304] WININET.dll!InternetOpenUrlW							42C7A8B1 5 Bytes  JMP 006F0FB9 
.text   C:\WINDOWS\explorer.exe[1776] kernel32.dll!CreateFileA										7C801A24 5 Bytes  JMP 032F0000 
.text   C:\WINDOWS\explorer.exe[1776] kernel32.dll!VirtualProtectEx								   7C801A5D 5 Bytes  JMP 032F0091 
.text   C:\WINDOWS\explorer.exe[1776] kernel32.dll!VirtualProtect									 7C801AD0 5 Bytes  JMP 032F0080 
.text   C:\WINDOWS\explorer.exe[1776] kernel32.dll!LoadLibraryExW									 7C801AF1 5 Bytes  JMP 032F0065 
.text   C:\WINDOWS\explorer.exe[1776] kernel32.dll!LoadLibraryExA									 7C801D4F 5 Bytes  JMP 032F0FB2 
.text   C:\WINDOWS\explorer.exe[1776] kernel32.dll!LoadLibraryA									   7C801D77 5 Bytes  JMP 032F0039 
.text   C:\WINDOWS\explorer.exe[1776] kernel32.dll!GetStartupInfoW									7C801E50 5 Bytes  JMP 032F00EE 
.text   C:\WINDOWS\explorer.exe[1776] kernel32.dll!GetStartupInfoA									7C801EEE 5 Bytes  JMP 032F00D3 
.text   C:\WINDOWS\explorer.exe[1776] kernel32.dll!CreateProcessW									 7C802332 5 Bytes  JMP 032F0F55 
.text   C:\WINDOWS\explorer.exe[1776] kernel32.dll!CreateProcessA									 7C802367 5 Bytes  JMP 032F0F70 
.text   C:\WINDOWS\explorer.exe[1776] kernel32.dll!GetProcAddress									 7C80ADA0 5 Bytes  JMP 032F0F3A 
.text   C:\WINDOWS\explorer.exe[1776] kernel32.dll!LoadLibraryW									   7C80AE4B 5 Bytes  JMP 032F004A 
.text   C:\WINDOWS\explorer.exe[1776] kernel32.dll!CreateFileW										7C810760 5 Bytes  JMP 032F0FEF 
.text   C:\WINDOWS\explorer.exe[1776] kernel32.dll!CreatePipe										 7C81E0C7 5 Bytes  JMP 032F00B6 
.text   C:\WINDOWS\explorer.exe[1776] kernel32.dll!CreateNamedPipeW								   7C82F0D4 5 Bytes  JMP 032F0FCD 
.text   C:\WINDOWS\explorer.exe[1776] kernel32.dll!CreateNamedPipeA								   7C85FC74 5 Bytes  JMP 032F0FDE 
.text   C:\WINDOWS\explorer.exe[1776] kernel32.dll!WinExec											7C86136D 5 Bytes  JMP 032F0F81 
.text   C:\WINDOWS\explorer.exe[1776] ADVAPI32.dll!RegOpenKeyExW									  77DD6A78 5 Bytes  JMP 032E0FC3 
.text   C:\WINDOWS\explorer.exe[1776] ADVAPI32.dll!RegCreateKeyExW									77DD7535 5 Bytes  JMP 032E0F83 
.text   C:\WINDOWS\explorer.exe[1776] ADVAPI32.dll!RegOpenKeyExA									  77DD761B 5 Bytes  JMP 032E0FD4 
.text   C:\WINDOWS\explorer.exe[1776] ADVAPI32.dll!RegOpenKeyW										77DD770F 5 Bytes  JMP 032E0FEF 
.text   C:\WINDOWS\explorer.exe[1776] ADVAPI32.dll!RegCreateKeyExA									77DDEAF4 5 Bytes  JMP 032E0F94 
.text   C:\WINDOWS\explorer.exe[1776] ADVAPI32.dll!RegCreateKeyW									  77DF8F7D 5 Bytes  JMP 032E0036 
.text   C:\WINDOWS\explorer.exe[1776] ADVAPI32.dll!RegOpenKeyA										77DFC41B 5 Bytes  JMP 032E000A 
.text   C:\WINDOWS\explorer.exe[1776] ADVAPI32.dll!RegCreateKeyA									  77DFD5BB 5 Bytes  JMP 032E0025 
.text   C:\WINDOWS\explorer.exe[1776] WININET.dll!InternetOpenA									   42C2C869 5 Bytes  JMP 02C70000 
.text   C:\WINDOWS\explorer.exe[1776] WININET.dll!InternetOpenW									   42C2CEA1 5 Bytes  JMP 02C70011 
.text   C:\WINDOWS\explorer.exe[1776] WININET.dll!InternetOpenUrlA									42C306DD 5 Bytes  JMP 02C70022 
.text   C:\WINDOWS\explorer.exe[1776] WININET.dll!InternetOpenUrlW									42C7A8B1 5 Bytes  JMP 02C7003D 
.text   C:\WINDOWS\explorer.exe[1776] WS2_32.dll!socket											   71AB3B91 5 Bytes  JMP 03280FEF 
.text   C:\WINDOWS\system32\svchost.exe[2584] kernel32.dll!CreateFileA								7C801A24 5 Bytes  JMP 008A0FE5 
.text   C:\WINDOWS\system32\svchost.exe[2584] kernel32.dll!VirtualProtectEx						   7C801A5D 5 Bytes  JMP 008A0F83 
.text   C:\WINDOWS\system32\svchost.exe[2584] kernel32.dll!VirtualProtect							 7C801AD0 5 Bytes  JMP 008A0F9E 
.text   C:\WINDOWS\system32\svchost.exe[2584] kernel32.dll!LoadLibraryExW							 7C801AF1 5 Bytes  JMP 008A0078 
.text   C:\WINDOWS\system32\svchost.exe[2584] kernel32.dll!LoadLibraryExA							 7C801D4F 5 Bytes  JMP 008A0FAF 
.text   C:\WINDOWS\system32\svchost.exe[2584] kernel32.dll!LoadLibraryA							   7C801D77 5 Bytes  JMP 008A0FC0 
.text   C:\WINDOWS\system32\svchost.exe[2584] kernel32.dll!GetStartupInfoW							7C801E50 5 Bytes  JMP 008A0093 
.text   C:\WINDOWS\system32\svchost.exe[2584] kernel32.dll!GetStartupInfoA							7C801EEE 5 Bytes  JMP 008A0F57 
.text   C:\WINDOWS\system32\svchost.exe[2584] kernel32.dll!CreateProcessW							 7C802332 5 Bytes  JMP 008A0F04 
.text   C:\WINDOWS\system32\svchost.exe[2584] kernel32.dll!CreateProcessA							 7C802367 5 Bytes  JMP 008A0F15 
.text   C:\WINDOWS\system32\svchost.exe[2584] kernel32.dll!GetProcAddress							 7C80ADA0 5 Bytes  JMP 008A00C2 
.text   C:\WINDOWS\system32\svchost.exe[2584] kernel32.dll!LoadLibraryW							   7C80AE4B 5 Bytes  JMP 008A0047 
.text   C:\WINDOWS\system32\svchost.exe[2584] kernel32.dll!CreateFileW								7C810760 5 Bytes  JMP 008A0000 
.text   C:\WINDOWS\system32\svchost.exe[2584] kernel32.dll!CreatePipe								 7C81E0C7 5 Bytes  JMP 008A0F68 
.text   C:\WINDOWS\system32\svchost.exe[2584] kernel32.dll!CreateNamedPipeW						   7C82F0D4 5 Bytes  JMP 008A002C 
.text   C:\WINDOWS\system32\svchost.exe[2584] kernel32.dll!CreateNamedPipeA						   7C85FC74 5 Bytes  JMP 008A0011 
.text   C:\WINDOWS\system32\svchost.exe[2584] kernel32.dll!WinExec									7C86136D 5 Bytes  JMP 008A0F3A 
.text   C:\WINDOWS\system32\svchost.exe[2584] ADVAPI32.dll!RegOpenKeyExW							  77DD6A78 5 Bytes  JMP 0089003D 
.text   C:\WINDOWS\system32\svchost.exe[2584] ADVAPI32.dll!RegCreateKeyExW							77DD7535 5 Bytes  JMP 00890FB6 
.text   C:\WINDOWS\system32\svchost.exe[2584] ADVAPI32.dll!RegOpenKeyExA							  77DD761B 5 Bytes  JMP 0089002C 
.text   C:\WINDOWS\system32\svchost.exe[2584] ADVAPI32.dll!RegOpenKeyW								77DD770F 5 Bytes  JMP 00890011 
.text   C:\WINDOWS\system32\svchost.exe[2584] ADVAPI32.dll!RegCreateKeyExA							77DDEAF4 5 Bytes  JMP 00890073 
.text   C:\WINDOWS\system32\svchost.exe[2584] ADVAPI32.dll!RegCreateKeyW							  77DF8F7D 5 Bytes  JMP 00890FD1 
.text   C:\WINDOWS\system32\svchost.exe[2584] ADVAPI32.dll!RegOpenKeyA								77DFC41B 5 Bytes  JMP 00890000 
.text   C:\WINDOWS\system32\svchost.exe[2584] ADVAPI32.dll!RegCreateKeyA							  77DFD5BB 5 Bytes  JMP 00890058 

---- Devices - GMER 1.0.12 ----

Device  \FileSystem\Ntfs \Ntfs IRP_MJ_READ															8A3A1FAC
Device  \Driver\Cdrom \Device\CdRom0 IRP_MJ_CREATE													8A20BA38
Device  \Driver\Cdrom \Device\CdRom0 IRP_MJ_CREATE_NAMED_PIPE										 8A20BA38
Device  \Driver\Cdrom \Device\CdRom0 IRP_MJ_CLOSE													 8A20BA38
Device  \Driver\Cdrom \Device\CdRom0 IRP_MJ_READ													  8A20BA38
Device  \Driver\Cdrom \Device\CdRom0 IRP_MJ_WRITE													 8A20BA38
Device  \Driver\Cdrom \Device\CdRom0 IRP_MJ_QUERY_INFORMATION										 8A20BA38
Device  \Driver\Cdrom \Device\CdRom0 IRP_MJ_SET_INFORMATION										   8A20BA38
Device  \Driver\Cdrom \Device\CdRom0 IRP_MJ_QUERY_EA												  8A20BA38
Device  \Driver\Cdrom \Device\CdRom0 IRP_MJ_SET_EA													8A20BA38
Device  \Driver\Cdrom \Device\CdRom0 IRP_MJ_FLUSH_BUFFERS											 8A20BA38
Device  \Driver\Cdrom \Device\CdRom0 IRP_MJ_QUERY_VOLUME_INFORMATION								  8A20BA38
Device  \Driver\Cdrom \Device\CdRom0 IRP_MJ_SET_VOLUME_INFORMATION									8A20BA38
Device  \Driver\Cdrom \Device\CdRom0 IRP_MJ_DIRECTORY_CONTROL										 8A20BA38
Device  \Driver\Cdrom \Device\CdRom0 IRP_MJ_FILE_SYSTEM_CONTROL									   8A20BA38
Device  \Driver\Cdrom \Device\CdRom0 IRP_MJ_DEVICE_CONTROL											8A20BA38
Device  \Driver\Cdrom \Device\CdRom0 IRP_MJ_INTERNAL_DEVICE_CONTROL								   8A20BA38
Device  \Driver\Cdrom \Device\CdRom0 IRP_MJ_SHUTDOWN												  8A20BA38
Device  \Driver\Cdrom \Device\CdRom0 IRP_MJ_LOCK_CONTROL											  8A20BA38
Device  \Driver\Cdrom \Device\CdRom0 IRP_MJ_CLEANUP												   8A20BA38
Device  \Driver\Cdrom \Device\CdRom0 IRP_MJ_CREATE_MAILSLOT										   8A20BA38
Device  \Driver\Cdrom \Device\CdRom0 IRP_MJ_QUERY_SECURITY											8A20BA38
Device  \Driver\Cdrom \Device\CdRom0 IRP_MJ_SET_SECURITY											  8A20BA38
Device  \Driver\Cdrom \Device\CdRom0 IRP_MJ_POWER													 8A20BA38
Device  \Driver\Cdrom \Device\CdRom0 IRP_MJ_SYSTEM_CONTROL											8A20BA38
Device  \Driver\Cdrom \Device\CdRom0 IRP_MJ_DEVICE_CHANGE											 8A20BA38
Device  \Driver\Cdrom \Device\CdRom0 IRP_MJ_QUERY_QUOTA											   8A20BA38
Device  \Driver\Cdrom \Device\CdRom0 IRP_MJ_SET_QUOTA												 8A20BA38
Device  \Driver\Cdrom \Device\CdRom0 IRP_MJ_PNP													   8A20BA38
Device  \FileSystem\Rdbss \Device\FsWrap IRP_MJ_READ												  89F7B93C
Device  \Driver\Cdrom \Device\CdRom1 IRP_MJ_CREATE													8A20BA38
Device  \Driver\Cdrom \Device\CdRom1 IRP_MJ_CREATE_NAMED_PIPE										 8A20BA38
Device  \Driver\Cdrom \Device\CdRom1 IRP_MJ_CLOSE													 8A20BA38
Device  \Driver\Cdrom \Device\CdRom1 IRP_MJ_READ													  8A20BA38
Device  \Driver\Cdrom \Device\CdRom1 IRP_MJ_WRITE													 8A20BA38
Device  \Driver\Cdrom \Device\CdRom1 IRP_MJ_QUERY_INFORMATION										 8A20BA38
Device  \Driver\Cdrom \Device\CdRom1 IRP_MJ_SET_INFORMATION										   8A20BA38
Device  \Driver\Cdrom \Device\CdRom1 IRP_MJ_QUERY_EA												  8A20BA38
Device  \Driver\Cdrom \Device\CdRom1 IRP_MJ_SET_EA													8A20BA38
Device  \Driver\Cdrom \Device\CdRom1 IRP_MJ_FLUSH_BUFFERS											 8A20BA38
Device  \Driver\Cdrom \Device\CdRom1 IRP_MJ_QUERY_VOLUME_INFORMATION								  8A20BA38
Device  \Driver\Cdrom \Device\CdRom1 IRP_MJ_SET_VOLUME_INFORMATION									8A20BA38
Device  \Driver\Cdrom \Device\CdRom1 IRP_MJ_DIRECTORY_CONTROL										 8A20BA38
Device  \Driver\Cdrom \Device\CdRom1 IRP_MJ_FILE_SYSTEM_CONTROL									   8A20BA38
Device  \Driver\Cdrom \Device\CdRom1 IRP_MJ_DEVICE_CONTROL											8A20BA38
Device  \Driver\Cdrom \Device\CdRom1 IRP_MJ_INTERNAL_DEVICE_CONTROL								   8A20BA38
Device  \Driver\Cdrom \Device\CdRom1 IRP_MJ_SHUTDOWN												  8A20BA38
Device  \Driver\Cdrom \Device\CdRom1 IRP_MJ_LOCK_CONTROL											  8A20BA38
Device  \Driver\Cdrom \Device\CdRom1 IRP_MJ_CLEANUP												   8A20BA38
Device  \Driver\Cdrom \Device\CdRom1 IRP_MJ_CREATE_MAILSLOT										   8A20BA38
Device  \Driver\Cdrom \Device\CdRom1 IRP_MJ_QUERY_SECURITY											8A20BA38
Device  \Driver\Cdrom \Device\CdRom1 IRP_MJ_SET_SECURITY											  8A20BA38
Device  \Driver\Cdrom \Device\CdRom1 IRP_MJ_POWER													 8A20BA38
Device  \Driver\Cdrom \Device\CdRom1 IRP_MJ_SYSTEM_CONTROL											8A20BA38
Device  \Driver\Cdrom \Device\CdRom1 IRP_MJ_DEVICE_CHANGE											 8A20BA38
Device  \Driver\Cdrom \Device\CdRom1 IRP_MJ_QUERY_QUOTA											   8A20BA38
Device  \Driver\Cdrom \Device\CdRom1 IRP_MJ_SET_QUOTA												 8A20BA38
Device  \Driver\Cdrom \Device\CdRom1 IRP_MJ_PNP													   8A20BA38
Device  \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_CREATE											  8A189008
Device  \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_CREATE_NAMED_PIPE								   8A189008
Device  \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_CLOSE											   8A189008
Device  \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_READ												8A189008
Device  \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_WRITE											   8A189008
Device  \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_QUERY_INFORMATION								   8A189008
Device  \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_SET_INFORMATION									 8A189008
Device  \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_QUERY_EA											8A189008
Device  \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_SET_EA											  8A189008
Device  \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_FLUSH_BUFFERS									   8A189008
Device  \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_QUERY_VOLUME_INFORMATION							8A189008
Device  \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_SET_VOLUME_INFORMATION							  8A189008
Device  \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_DIRECTORY_CONTROL								   8A189008
Device  \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_FILE_SYSTEM_CONTROL								 8A189008
Device  \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_DEVICE_CONTROL									  8A189008
Device  \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_INTERNAL_DEVICE_CONTROL							 8A189008
Device  \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_SHUTDOWN											8A189008
Device  \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_LOCK_CONTROL										8A189008
Device  \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_CLEANUP											 8A189008
Device  \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_CREATE_MAILSLOT									 8A189008
Device  \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_QUERY_SECURITY									  8A189008
Device  \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_SET_SECURITY										8A189008
Device  \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_POWER											   8A189008
Device  \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_SYSTEM_CONTROL									  8A189008
Device  \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_DEVICE_CHANGE									   8A189008
Device  \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_QUERY_QUOTA										 8A189008
Device  \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_SET_QUOTA										   8A189008
Device  \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_PNP												 8A189008
Device  \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_CREATE											  8A189008
Device  \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_CREATE_NAMED_PIPE								   8A189008
Device  \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_CLOSE											   8A189008
Device  \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_READ												8A189008
Device  \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_WRITE											   8A189008
Device  \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_QUERY_INFORMATION								   8A189008
Device  \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_SET_INFORMATION									 8A189008
Device  \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_QUERY_EA											8A189008
Device  \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_SET_EA											  8A189008
Device  \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_FLUSH_BUFFERS									   8A189008
Device  \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_QUERY_VOLUME_INFORMATION							8A189008
Device  \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_SET_VOLUME_INFORMATION							  8A189008
Device  \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_DIRECTORY_CONTROL								   8A189008
Device  \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_FILE_SYSTEM_CONTROL								 8A189008
Device  \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_DEVICE_CONTROL									  8A189008
Device  \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_INTERNAL_DEVICE_CONTROL							 8A189008
Device  \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_SHUTDOWN											8A189008
Device  \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_LOCK_CONTROL										8A189008
Device  \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_CLEANUP											 8A189008
Device  \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_CREATE_MAILSLOT									 8A189008
Device  \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_QUERY_SECURITY									  8A189008
Device  \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_SET_SECURITY										8A189008
Device  \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_POWER											   8A189008
Device  \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_SYSTEM_CONTROL									  8A189008
Device  \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_DEVICE_CHANGE									   8A189008
Device  \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_QUERY_QUOTA										 8A189008
Device  \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_SET_QUOTA										   8A189008
Device  \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_PNP												 8A189008
Device  \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-5 IRP_MJ_CREATE									 8A189008
Device  \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-5 IRP_MJ_CREATE_NAMED_PIPE						  8A189008
Device  \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-5 IRP_MJ_CLOSE									  8A189008
Device  \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-5 IRP_MJ_READ									   8A189008
Device  \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-5 IRP_MJ_WRITE									  8A189008
Device  \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-5 IRP_MJ_QUERY_INFORMATION						  8A189008
Device  \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-5 IRP_MJ_SET_INFORMATION							8A189008
Device  \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-5 IRP_MJ_QUERY_EA								   8A189008
Device  \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-5 IRP_MJ_SET_EA									 8A189008
Device  \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-5 IRP_MJ_FLUSH_BUFFERS							  8A189008
Device  \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-5 IRP_MJ_QUERY_VOLUME_INFORMATION				   8A189008
Device  \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-5 IRP_MJ_SET_VOLUME_INFORMATION					 8A189008
Device  \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-5 IRP_MJ_DIRECTORY_CONTROL						  8A189008
Device  \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-5 IRP_MJ_FILE_SYSTEM_CONTROL						8A189008
Device  \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-5 IRP_MJ_DEVICE_CONTROL							 8A189008
Device  \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-5 IRP_MJ_INTERNAL_DEVICE_CONTROL					8A189008
Device  \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-5 IRP_MJ_SHUTDOWN								   8A189008
Device  \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-5 IRP_MJ_LOCK_CONTROL							   8A189008
Device  \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-5 IRP_MJ_CLEANUP									8A189008
Device  \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-5 IRP_MJ_CREATE_MAILSLOT							8A189008
Device  \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-5 IRP_MJ_QUERY_SECURITY							 8A189008
Device  \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-5 IRP_MJ_SET_SECURITY							   8A189008
Device  \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-5 IRP_MJ_POWER									  8A189008
Device  \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-5 IRP_MJ_SYSTEM_CONTROL							 8A189008
Device  \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-5 IRP_MJ_DEVICE_CHANGE							  8A189008
Device  \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-5 IRP_MJ_QUERY_QUOTA								8A189008
Device  \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-5 IRP_MJ_SET_QUOTA								  8A189008
Device  \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-5 IRP_MJ_PNP										8A189008
Device  \FileSystem\Srv \Device\LanmanServer IRP_MJ_READ											  89A0B27C
Device  \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_READ								 89F45A14
Device  \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_READ									   89F45A14
Device  \FileSystem\Npfs \Device\NamedPipe IRP_MJ_READ												89F91C54
Device  \FileSystem\Msfs \Device\Mailslot IRP_MJ_READ												 89F7FA8C
Device  \Driver\xmasscsi \Device\Scsi\xmasscsi1 IRP_MJ_CREATE										 8A165950
Device  \Driver\xmasscsi \Device\Scsi\xmasscsi1 IRP_MJ_CREATE_NAMED_PIPE							  8A165950
Device  \Driver\xmasscsi \Device\Scsi\xmasscsi1 IRP_MJ_CLOSE										  8A165950
Device  \Driver\xmasscsi \Device\Scsi\xmasscsi1 IRP_MJ_READ										   8A165950
Device  \Driver\xmasscsi \Device\Scsi\xmasscsi1 IRP_MJ_WRITE										  8A165950
Device  \Driver\xmasscsi \Device\Scsi\xmasscsi1 IRP_MJ_QUERY_INFORMATION							  8A165950
Device  \Driver\xmasscsi \Device\Scsi\xmasscsi1 IRP_MJ_SET_INFORMATION								8A165950
Device  \Driver\xmasscsi \Device\Scsi\xmasscsi1 IRP_MJ_QUERY_EA									   8A165950
Device  \Driver\xmasscsi \Device\Scsi\xmasscsi1 IRP_MJ_SET_EA										 8A165950
Device  \Driver\xmasscsi \Device\Scsi\xmasscsi1 IRP_MJ_FLUSH_BUFFERS								  8A165950
Device  \Driver\xmasscsi \Device\Scsi\xmasscsi1 IRP_MJ_QUERY_VOLUME_INFORMATION					   8A165950
Device  \Driver\xmasscsi \Device\Scsi\xmasscsi1 IRP_MJ_SET_VOLUME_INFORMATION						 8A165950
Device  \Driver\xmasscsi \Device\Scsi\xmasscsi1 IRP_MJ_DIRECTORY_CONTROL							  8A165950
Device  \Driver\xmasscsi \Device\Scsi\xmasscsi1 IRP_MJ_FILE_SYSTEM_CONTROL							8A165950
Device  \Driver\xmasscsi \Device\Scsi\xmasscsi1 IRP_MJ_DEVICE_CONTROL								 8A165950
Device  \Driver\xmasscsi \Device\Scsi\xmasscsi1 IRP_MJ_INTERNAL_DEVICE_CONTROL						8A165950
Device  \Driver\xmasscsi \Device\Scsi\xmasscsi1 IRP_MJ_SHUTDOWN									   8A165950
Device  \Driver\xmasscsi \Device\Scsi\xmasscsi1 IRP_MJ_LOCK_CONTROL								   8A165950
Device  \Driver\xmasscsi \Device\Scsi\xmasscsi1 IRP_MJ_CLEANUP										8A165950
Device  \Driver\xmasscsi \Device\Scsi\xmasscsi1 IRP_MJ_CREATE_MAILSLOT								8A165950
Device  \Driver\xmasscsi \Device\Scsi\xmasscsi1 IRP_MJ_QUERY_SECURITY								 8A165950
Device  \Driver\xmasscsi \Device\Scsi\xmasscsi1 IRP_MJ_SET_SECURITY								   8A165950
Device  \Driver\xmasscsi \Device\Scsi\xmasscsi1 IRP_MJ_POWER										  8A165950
Device  \Driver\xmasscsi \Device\Scsi\xmasscsi1 IRP_MJ_SYSTEM_CONTROL								 8A165950
Device  \Driver\xmasscsi \Device\Scsi\xmasscsi1 IRP_MJ_DEVICE_CHANGE								  8A165950
Device  \Driver\xmasscsi \Device\Scsi\xmasscsi1 IRP_MJ_QUERY_QUOTA									8A165950
Device  \Driver\xmasscsi \Device\Scsi\xmasscsi1 IRP_MJ_SET_QUOTA									  8A165950
Device  \Driver\xmasscsi \Device\Scsi\xmasscsi1 IRP_MJ_PNP											8A165950
Device  \Driver\xmasscsi \Device\Scsi\xmasscsi1Port5Path0Target0Lun0 IRP_MJ_CREATE					8A165950
Device  \Driver\xmasscsi \Device\Scsi\xmasscsi1Port5Path0Target0Lun0 IRP_MJ_CREATE_NAMED_PIPE		 8A165950
Device  \Driver\xmasscsi \Device\Scsi\xmasscsi1Port5Path0Target0Lun0 IRP_MJ_CLOSE					 8A165950
Device  \Driver\xmasscsi \Device\Scsi\xmasscsi1Port5Path0Target0Lun0 IRP_MJ_READ					  8A165950
Device  \Driver\xmasscsi \Device\Scsi\xmasscsi1Port5Path0Target0Lun0 IRP_MJ_WRITE					 8A165950
Device  \Driver\xmasscsi \Device\Scsi\xmasscsi1Port5Path0Target0Lun0 IRP_MJ_QUERY_INFORMATION		 8A165950
Device  \Driver\xmasscsi \Device\Scsi\xmasscsi1Port5Path0Target0Lun0 IRP_MJ_SET_INFORMATION		   8A165950
Device  \Driver\xmasscsi \Device\Scsi\xmasscsi1Port5Path0Target0Lun0 IRP_MJ_QUERY_EA				  8A165950
Device  \Driver\xmasscsi \Device\Scsi\xmasscsi1Port5Path0Target0Lun0 IRP_MJ_SET_EA					8A165950
Device  \Driver\xmasscsi \Device\Scsi\xmasscsi1Port5Path0Target0Lun0 IRP_MJ_FLUSH_BUFFERS			 8A165950
Device  \Driver\xmasscsi \Device\Scsi\xmasscsi1Port5Path0Target0Lun0 IRP_MJ_QUERY_VOLUME_INFORMATION  8A165950
Device  \Driver\xmasscsi \Device\Scsi\xmasscsi1Port5Path0Target0Lun0 IRP_MJ_SET_VOLUME_INFORMATION	8A165950
Device  \Driver\xmasscsi \Device\Scsi\xmasscsi1Port5Path0Target0Lun0 IRP_MJ_DIRECTORY_CONTROL		 8A165950
Device  \Driver\xmasscsi \Device\Scsi\xmasscsi1Port5Path0Target0Lun0 IRP_MJ_FILE_SYSTEM_CONTROL	   8A165950
Device  \Driver\xmasscsi \Device\Scsi\xmasscsi1Port5Path0Target0Lun0 IRP_MJ_DEVICE_CONTROL			8A165950
Device  \Driver\xmasscsi \Device\Scsi\xmasscsi1Port5Path0Target0Lun0 IRP_MJ_INTERNAL_DEVICE_CONTROL   8A165950
Device  \Driver\xmasscsi \Device\Scsi\xmasscsi1Port5Path0Target0Lun0 IRP_MJ_SHUTDOWN				  8A165950
Device  \Driver\xmasscsi \Device\Scsi\xmasscsi1Port5Path0Target0Lun0 IRP_MJ_LOCK_CONTROL			  8A165950
Device  \Driver\xmasscsi \Device\Scsi\xmasscsi1Port5Path0Target0Lun0 IRP_MJ_CLEANUP				   8A165950
Device  \Driver\xmasscsi \Device\Scsi\xmasscsi1Port5Path0Target0Lun0 IRP_MJ_CREATE_MAILSLOT		   8A165950
Device  \Driver\xmasscsi \Device\Scsi\xmasscsi1Port5Path0Target0Lun0 IRP_MJ_QUERY_SECURITY			8A165950
Device  \Driver\xmasscsi \Device\Scsi\xmasscsi1Port5Path0Target0Lun0 IRP_MJ_SET_SECURITY			  8A165950
Device  \Driver\xmasscsi \Device\Scsi\xmasscsi1Port5Path0Target0Lun0 IRP_MJ_POWER					 8A165950
Device  \Driver\xmasscsi \Device\Scsi\xmasscsi1Port5Path0Target0Lun0 IRP_MJ_SYSTEM_CONTROL			8A165950
Device  \Driver\xmasscsi \Device\Scsi\xmasscsi1Port5Path0Target0Lun0 IRP_MJ_DEVICE_CHANGE			 8A165950
Device  \Driver\xmasscsi \Device\Scsi\xmasscsi1Port5Path0Target0Lun0 IRP_MJ_QUERY_QUOTA			   8A165950
Device  \Driver\xmasscsi \Device\Scsi\xmasscsi1Port5Path0Target0Lun0 IRP_MJ_SET_QUOTA				 8A165950
Device  \Driver\xmasscsi \Device\Scsi\xmasscsi1Port5Path0Target0Lun0 IRP_MJ_PNP					   8A165950
Device  \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer IRP_MJ_READ								89F8F894
Device  \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer IRP_MJ_READ								 89F8F894
Device  \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer IRP_MJ_READ									 89F8F894
Device  \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer IRP_MJ_READ								  89F8F894
Device  \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer IRP_MJ_READ								 89F8F894
Device  \FileSystem\Cdfs \Cdfs IRP_MJ_READ															89DB554C

---- Modules - GMER 1.0.12 ----

Module  _________																					 B9ED3000-B9EEB000 (98304 bytes)

---- EOF - GMER 1.0.12 ----

main.txt
Deckard's System Scanner v20070611.50
Run by User on 2006-01-04 at 03:40:35
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Failed to create restore point; unknown error code 0x0000000F


-- Last 5 Restore Point(s) --
164: 2006-01-04 11:40:35 UTC - RP321 - Deckard's System Scanner Restore Point
163: 2006-01-03 15:13:58 UTC - RP320 - System Checkpoint
162: 2006-01-02 11:17:12 UTC - RP319 - System Checkpoint
161: 2006-01-01 07:18:21 UTC - RP318 - System Checkpoint
160: 2007-06-09 17:55:54 UTC - RP317 - System Checkpoint


-- First Restore Point -- 
1: 2007-01-28 00:22:57 UTC - RP158 - System Checkpoint


Backed up registry hives.

Performed disk cleanup.


-- HijackThis (run as User.exe) ------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 3:41:14 AM, on 1/4/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\system32\spoolsv.exe
C:\windows\Explorer.EXE
C:\windows\system32\RUNDLL32.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\LogMeIn\LogMeInSystray.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\windows\system32\ctfmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\LogMeIn\RaMaint.exe
C:\Program Files\LogMeIn\LogMeIn.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mclogsrv.exe
C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\PROGRA~1\McAfee\MSC\mctskshd.exe
C:\PROGRA~1\McAfee\MSC\mcusrmgr.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\windows\system32\nvsvc32.exe
C:\windows\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\windows\system32\wscntfy.exe
C:\windows\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\User\Desktop\dss.exe
C:\HJT\User.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://webauth.comcast.net/auth/login?url=http%253A%252F%252Fwww.comcast.net%252Fqry%252Fgoto%253Fapp%253Dmail%2526CM.src%253Dtop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll
O2 - BHO: McAfee Popup Blocker - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - c:\program files\mcafee\mps\mcpopup.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [RivaTunerStartupDaemon] "C:\Program Files\RivaTuner v2.0 Final Release\RivaTuner.exe" /S
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\LogMeInSystray.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1167986981281
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} (Domino Web Access 7 Control) - https://nthls-1.nthls.com/dwa7W.cab
O16 - DPF: {E5ABEB00-B357-4884-9949-77B2C71A7EE3} (BoardCtl Class) - http://www.intel.com/design/motherbd/boardid/BoardID.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O20 - Winlogon Notify: LMIinit - C:\windows\SYSTEM32\LMIinit.dll
O20 - Winlogon Notify: WgaLogon - C:\windows\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\LogMeIn.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Log Manager (McLogManagerService) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mclogsrv.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Task Scheduler (mctskshd.exe) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mctskshd.exe
O23 - Service: McAfee User Manager (mcusrmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcusrmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\windows\system32\nvsvc32.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe


-- HijackThis Fixed Entries (C:\HJT\backups\) ----------------------------------

backup-20070530-182331-358 O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
backup-20070530-182331-528 O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
backup-20070530-182331-725 O20 - Winlogon Notify: igfxcui - igfxdev.dll (file missing)
backup-20070530-182331-738 O4 - HKLM\..\Run: [CTFMon] C:\Program Files\Keylogger\CTF\ctfmon.exe
backup-20070530-182331-748 O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
backup-20070530-182331-769 O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
backup-20070530-182331-923 O4 - HKLM\..\Run: [LayoutM] KLayMgr.exe
backup-20070530-182331-931 O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
backup-20070530-183936-278 O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
backup-20070530-183936-310 O11 - Options group: [INTERNATIONAL] International*
backup-20070530-183936-488 O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe
backup-20070530-183936-498 O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
backup-20070530-183936-673 O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
backup-20070530-183936-988 O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

-- File Associations -----------------------------------------------------------

.js - JSFile - DefaultIcon - C:\Program Files\Macromedia\Dreamweaver MX 2004\Dreamweaver.exe,2
.js - JSFile - shell\open\command - "C:\Program Files\Macromedia\Dreamweaver MX 2004\Dreamweaver.exe" "%1"


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 xmasbus - c:\windows\system32\drivers\xmasbus.sys
R0 xmasscsi - c:\windows\system32\drivers\xmasscsi.sys
R3 RivaTuner32 - c:\program files\rivatuner v2.0 final release\rivatuner32.sys

S3 e1express (Intel(R) PRO/1000 PCI Express Network Connection Driver) - c:\windows\system32\drivers\e1e5132.sys (file missing)
S3 ENTECH - c:\windows\system32\drivers\entech.sys <Not Verified; EnTech Taiwan; PowerStrip>
S3 HPKBCCID (HP Keyboard Smart Card Driver) - c:\windows\system32\drivers\hpkbccid.sys (file missing)
S3 ialm - c:\windows\system32\drivers\igxpmp32.sys (file missing)
S3 IntcAzAudAddService (Service for Realtek HD Audio (WDM)) - c:\windows\system32\drivers\rtkhdaud.sys (file missing)
S3 STC2DFU (STCII DFU Adapter) - c:\windows\system32\drivers\stc2dfu.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

All services whitelisted.


-- Scheduled Tasks -------------------------------------------------------------

2007-05-01 00:00:06	   350 --a------ C:\windows\Tasks\McQcTask.job
2007-04-15 00:23:16	   348 --a------ C:\windows\Tasks\McDefragTask.job


-- Files created between 2005-12-04 and 2006-01-04 -----------------------------

2007-05-30 18:54:09		 0 d-------- C:\Documents and Settings\User\Application Data\acccore
2007-05-30 18:53:44		 0 d-------- C:\Documents and Settings\All Users\Application Data\AOL OCP
2007-05-30 18:53:42		 0 d-------- C:\Documents and Settings\All Users\Application Data\AOL
2007-05-30 18:53:08		 0 d-------- C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-05-30 18:53:07		 0 d-------- C:\Program Files\Viewpoint
2007-05-30 18:52:46		 0 d-------- C:\Program Files\Common Files\AOL
2007-05-30 18:52:27		 0 d-------- C:\Program Files\AIM6
2007-05-30 18:51:36		 0 d-------- C:\Documents and Settings\All Users\Application Data\AOL Downloads
2007-05-30 14:28:49		 0 d-------- C:\Program Files\Music Rescue
2007-05-30 14:05:05		 0 d-------- C:\HJT
2007-05-30 13:55:12		 0 d-------- C:\windows\system32\ActiveScan
2007-05-28 23:01:50		 0 d-------- C:\Program Files\InnerSpace
2007-05-28 11:02:55		 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-05-28 11:01:03		 0 d-------- C:\Program Files\MSXML 6.0
2007-05-27 16:51:45		 0 d-------- C:\Documents and Settings\User\Application Data\Lavasoft
2007-05-27 16:51:03		 0 d-------- C:\Program Files\Lavasoft
2007-05-27 00:54:52		 0 d-------- C:\Documents and Settings\User\.housecall6.6
2007-05-23 17:07:01	  1156 --a------ C:\windows\mozver.dat
2007-05-23 16:53:41	   335 --a------ C:\windows\nsreg.dat
2007-05-23 16:53:37		 0 d-------- C:\Documents and Settings\User\Application Data\Mozilla
2007-05-19 13:25:58		 0 d-------- C:\Program Files\Macrocrafter
2007-05-03 17:42:51		 0 d-------- C:\Documents and Settings\User\Application Data\Ventrilo
2007-05-03 17:42:46		 0 d-------- C:\Program Files\Ventrilo
2007-05-03 17:42:36		 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-03-19 18:11:13		 0 d-------- C:\Program Files\directx
2007-03-19 18:09:56	307200 --a------ C:\windows\vidcap32.exe <Not Verified; Microsoft Corporation; Microsoft Windows>
2007-03-19 18:09:56	 53248 --a------ C:\windows\amcap.exe <Not Verified; Microsoft Corporation; DirectX 8.0 Sample>
2007-03-19 18:03:07	120873 --a------ C:\windows\usndp202.exe
2007-03-08 17:34:16		20 --a------ C:\sccfg.sys
2007-03-08 17:34:13	 77824 --a------ C:\windows\system32\FLKill.exe <Not Verified; USPTO; Project1>
2007-03-08 17:34:12		 0 d-------- C:\Program Files\Folder Lock
2007-03-02 13:16:55		 0 d-------- C:\Documents and Settings\All Users\Application Data\Macrovision
2007-03-02 13:00:31		 0 d-------- C:\Program Files\Audacity
2007-03-02 12:27:18		 0 d-------- C:\Program Files\Deskshare
2007-02-27 15:08:21		 0 d--h----- C:\Documents and Settings\LogMeInRemoteUser\Templates
2007-02-27 15:08:21		 0 dr------- C:\Documents and Settings\LogMeInRemoteUser\Start Menu
2007-02-27 15:08:21		 0 dr-h----- C:\Documents and Settings\LogMeInRemoteUser\SendTo
2007-02-27 15:08:21		 0 d--h----- C:\Documents and Settings\LogMeInRemoteUser\Recent
2007-02-27 15:08:21		 0 d--h----- C:\Documents and Settings\LogMeInRemoteUser\PrintHood
2007-02-27 15:08:21	229376 --ah----- C:\Documents and Settings\LogMeInRemoteUser\NTUSER.DAT
2007-02-27 15:08:21		 0 d--h----- C:\Documents and Settings\LogMeInRemoteUser\NetHood
2007-02-27 15:08:21		 0 d-------- C:\Documents and Settings\LogMeInRemoteUser\My Documents
2007-02-27 15:08:21		 0 d--h----- C:\Documents and Settings\LogMeInRemoteUser\Local Settings
2007-02-27 15:08:21		 0 d-------- C:\Documents and Settings\LogMeInRemoteUser\Favorites
2007-02-27 15:08:21		 0 d-------- C:\Documents and Settings\LogMeInRemoteUser\Desktop
2007-02-27 15:08:21		 0 d---s---- C:\Documents and Settings\LogMeInRemoteUser\Cookies
2007-02-27 15:08:21		 0 dr-h----- C:\Documents and Settings\LogMeInRemoteUser\Application Data
2007-02-27 15:08:21		 0 d---s---- C:\Documents and Settings\LogMeInRemoteUser\Application Data\Microsoft
2007-02-27 14:59:21		 0 d-------- C:\Program Files\LogMeIn
2007-02-24 15:24:40		 0 d-------- C:\Documents and Settings\All Users\Application Data\Adobe Systems
2007-02-24 15:20:40		 0 d-------- C:\Program Files\Common Files\Adobe Systems Shared
2007-02-24 15:17:45	  5504 --a------ C:\windows\system32\drivers\xmasscsi.sys
2007-02-24 15:17:45	140800 --a------ C:\windows\system32\drivers\xmasbus.sys
2007-02-24 15:17:44		 0 d-------- C:\Program Files\Alcohol Soft
2007-02-18 20:19:27		 0 d-------- C:\Documents and Settings\User\Application Data\uTorrent
2007-02-18 19:46:16		 0 d-------- C:\Program Files\ElcomSoft
2007-02-12 09:06:28		 0 d-------- C:\Documents and Settings\User\Application Data\Apple Computer
2007-02-12 09:06:19		 0 d-------- C:\Program Files\iPod
2007-02-12 09:06:17		 0 d-------- C:\Program Files\iTunes
2007-02-12 09:05:51		 0 d-------- C:\Program Files\QuickTime
2007-02-06 14:15:13		 0 d-------- C:\Program Files\Common Files\Ahead
2007-02-06 14:15:13		 0 d-------- C:\Program Files\Ahead
2007-02-05 16:52:41		 0 d-------- C:\Documents and Settings\User\Application Data\teamspeak2
2007-02-05 16:45:39		 0 d-------- C:\Program Files\Teamspeak2_RC2
2007-02-04 21:22:19		 0 d-------- C:\Program Files\MSBuild
2007-02-04 21:19:55		 0 d-------- C:\windows\system32\XPSViewer
2007-02-04 21:19:33		 0 d-------- C:\Program Files\Reference Assemblies
2007-02-02 19:28:23		 0 d-------- C:\windows\Sun
2007-02-02 19:28:22		 0 d-------- C:\Documents and Settings\User\Application Data\Sun
2007-01-30 22:12:49		 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-01-28 17:45:01		 0 d-------- C:\Documents and Settings\User\Application Data\Ulead Systems
2007-01-28 17:39:14		 0 d-------- C:\Program Files\SmartSound Software
2007-01-28 17:39:14		 0 d-------- C:\Documents and Settings\All Users\Application Data\SmartSound Software Inc
2007-01-28 17:39:03		 0 d-------- C:\windows\system32\windows media
2007-01-28 17:38:29		 0 d-------- C:\Program Files\Windows Media Components
2007-01-28 17:38:22		 0 d-------- C:\Program Files\Common Files\Ulead Systems
2007-01-28 17:38:21		 0 d-------- C:\Program Files\Ulead Systems
2007-01-28 17:38:21		 0 d-------- C:\Documents and Settings\All Users\Application Data\Ulead Systems
2007-01-28 09:12:30		 0 d-------- C:\Program Files\Common Files\Macromedia Shared
2007-01-28 09:11:58		 0 d-------- C:\Program Files\Common Files\Macromedia
2007-01-28 09:11:24		 0 d-------- C:\Program Files\Macromedia
2007-01-28 09:08:30		 0 d-------- C:\windows\ShellNew
2007-01-28 09:08:13		 0 d-------- C:\Documents and Settings\User\Application Data\Microsoft Web Folders
2007-01-28 09:07:42		 0 d--hs---- C:\windows\Installer
2007-01-26 02:23:50		 0 d-------- C:\windows\WinSxS
2007-01-26 02:23:50		 0 dr------- C:\windows\Web
2007-01-26 02:23:50		 0 d-------- C:\windows\twain_32
2007-01-26 02:23:49		 0 d---s---- C:\windows\Tasks
2007-01-26 02:23:49		 0 d-------- C:\windows\system32\xircom
2007-01-26 02:23:46		 0 d-------- C:\windows\system32\wins
2007-01-26 02:23:41		 0 d-------- C:\windows\system32\wbem
2007-01-26 02:23:40		 0 d-------- C:\windows\system32\usmt
2007-01-26 02:23:39		 0 d-------- C:\windows\system32\URTTemp
2007-01-26 02:23:37		 0 d-------- C:\windows\system32\spool
2007-01-26 02:23:36		 0 d-------- C:\windows\system32\ShellExt
2007-01-26 02:23:35		 0 d-------- C:\windows\system32\Setup
2007-01-26 02:23:33		 0 d-------- C:\windows\system32\Restore
2007-01-26 02:23:32		 0 d-------- C:\windows\system32\ReinstallBackups
2007-01-26 02:23:32		 0 d-------- C:\windows\system32\ras
2007-01-26 02:23:31		 0 d-------- C:\windows\system32\PreInstall
2007-01-26 02:23:28		 0 d-------- C:\windows\system32\oobe
2007-01-26 02:23:23		 0 d-------- C:\windows\system32\NtmsData
2007-01-26 02:23:23		 0 d-------- C:\windows\system32\npp
2007-01-26 02:23:20		 0 d-------- C:\windows\system32\mui
2007-01-26 02:23:17		 0 d-------- C:\windows\system32\MsDtc
2007-01-26 02:23:14		 0 d---s---- C:\windows\system32\Microsoft
2007-01-26 02:23:14		 0 d-------- C:\windows\system32\Macromed
2007-01-26 02:23:13		 0 d-------- C:\windows\system32\LogFiles
2007-01-26 02:23:10		 0 d-------- C:\windows\system32\inetsrv
2007-01-26 02:23:09		 0 d-------- C:\windows\system32\IME
2007-01-26 02:23:09		 0 d-------- C:\windows\system32\icsxml
2007-01-26 02:23:08		 0 d-------- C:\windows\system32\ias
2007-01-26 02:23:07		 0 d-------- C:\windows\system32\Futuremark
2007-01-26 02:23:06		 0 d-------- C:\windows\system32\export
2007-01-26 02:23:04		 0 d-------- C:\windows\system32\DRVSTORE
2007-01-26 02:23:04		 0 d-------- C:\windows\system32\DRM
2007-01-26 02:23:04		 0 d-------- C:\windows\system32\drivers\UMDF
2007-01-26 02:23:00		 0 d-------- C:\windows\system32\drivers\etc
2007-01-26 02:23:00		 0 d-------- C:\windows\system32\drivers\disdn
2007-01-26 02:22:59		 0 d-------- C:\windows\system32\drivers
2007-01-26 02:22:35		 0 dr-hs---- C:\windows\system32\dllcache
2007-01-26 02:22:32		 0 d-------- C:\windows\system32\DirectX
2007-01-26 02:22:32		 0 d-------- C:\windows\system32\dhcp
2007-01-26 02:22:27		 0 d-------- C:\windows\system32\config
2007-01-26 02:22:26		 0 d-------- C:\windows\system32\Com
2007-01-26 02:22:25		 0 d-------- C:\windows\system32\CatRoot2
2007-01-26 02:22:24		 0 d-------- C:\windows\system32\CatRoot
2007-01-26 02:22:24		 0 d-------- C:\windows\system32\bits
2007-01-26 02:22:23		 0 d-------- C:\windows\system32\appmgmt
2007-01-26 02:22:22		 0 d-------- C:\windows\system32
2007-01-26 02:22:22		 0 d-------- C:\windows\system32\3com_dmi
2007-01-26 02:22:22		 0 d-------- C:\windows\system32\3076
2007-01-26 02:22:22		 0 d-------- C:\windows\system32\2052
2007-01-26 02:22:22		 0 d-------- C:\windows\system32\1054
2007-01-26 02:22:22		 0 d-------- C:\windows\system32\1042
2007-01-26 02:22:22		 0 d-------- C:\windows\system32\1041
2007-01-26 02:22:22		 0 d-------- C:\windows\system32\1037
2007-01-26 02:22:22		 0 d-------- C:\windows\system32\1033
2007-01-26 02:22:22		 0 d-------- C:\windows\system32\1031
2007-01-26 02:22:22		 0 d-------- C:\windows\system32\1028
2007-01-26 02:22:22		 0 d-------- C:\windows\system32\1025
2007-01-26 02:22:22		 0 d-------- C:\windows\system
2007-01-26 02:22:21		 0 d-------- C:\windows\srchasst
2007-01-26 02:22:17		 0 d-------- C:\windows\SoftwareDistribution
2007-01-26 02:21:23		 0 d-------- C:\windows\ServicePackFiles
2007-01-26 02:21:23		 0 d-------- C:\windows\security
2007-01-26 02:21:22		 0 d-------- C:\windows\Resources
2007-01-26 02:21:20		 0 d-------- C:\windows\repair
2007-01-26 02:21:20		 0 d-------- C:\windows\Registration
2007-01-26 02:21:15		 0 d-------- C:\windows\RegisteredPackages
2007-01-26 02:21:14		 0 d-------- C:\windows\pss
2007-01-26 02:21:14		 0 d-------- C:\windows\provisioning
2007-01-26 02:21:14		 0 d-------- C:\windows\Prefetch
2007-01-26 02:21:14		 0 d-------- C:\windows\peernet
2007-01-26 02:21:06		 0 d-------- C:\windows\PCHealth
2007-01-26 02:21:06		 0 dr------- C:\windows\Offline Web Pages
2007-01-26 02:21:06		 0 d-------- C:\windows\nview
2007-01-26 02:21:06		 0 d-------- C:\windows\network diagnostic
2007-01-26 02:21:06		 0 d-------- C:\windows\mui
2007-01-26 02:21:06		 0 d--h----- C:\windows\msdownld.tmp
2007-01-26 02:21:06		 0 d-------- C:\windows\msapps
2007-01-26 02:21:05		 0 d-------- C:\windows\msagent
2007-01-26 02:20:48		 0 d-------- C:\windows\Media
2007-01-26 02:20:38		 0 d-------- C:\windows\java
2007-01-26 02:20:20		 0 d--h----- C:\windows\inf
2007-01-26 02:20:20		 0 d-------- C:\windows\ime
2007-01-26 02:20:07		 0 d-------- C:\windows\Help
2007-01-26 02:20:05		 0 dr--s---- C:\windows\Fonts
2007-01-26 02:20:05		 0 d-------- C:\windows\EHome
2007-01-26 02:19:56		 0 d-------- C:\windows\Driver Cache
2007-01-26 02:19:56		 0 d---s---- C:\windows\Downloaded Program Files
2007-01-26 02:19:56		 0 d-------- C:\windows\Downloaded Installations
2007-01-26 02:19:55		 0 d-------- C:\windows\Debug
2007-01-26 02:19:54		 0 d-------- C:\windows\Cursors
2007-01-26 02:19:54		 0 d--hs---- C:\windows\CSC
2007-01-26 02:19:54		 0 d-------- C:\windows\Connection Wizard
2007-01-26 02:19:54		 0 d-------- C:\windows\Config
2007-01-26 02:19:53		 0 d-------- C:\windows\ASUSInstAll
2007-01-26 02:19:37		 0 d-------- C:\windows\AppPatch
2007-01-26 02:19:37		 0 d-------- C:\windows\addins
2007-01-26 02:17:59		 0 d-------- C:\WINDOWS
2007-01-26 02:17:59		 0 d--h----- C:\windows\$hf_mig$
2007-01-26 02:15:39		 0 d-------- C:\swsetup
2007-01-26 02:07:52		 0 d-------- C:\Program Files\World of Warcraft
2007-01-26 02:07:51		 0 d--h----- C:\Program Files\WindowsUpdate
2007-01-26 02:07:51		 0 d-------- C:\Program Files\Windows NT
2007-01-26 02:07:49		 0 d-------- C:\Program Files\Windows Media Connect 2
2007-01-26 01:49:31		 0 d-------- C:\Program Files\Vanguard
2007-01-26 01:49:31		 0 d-------- C:\Program Files\Support
2007-01-26 01:49:29		 0 d-------- C:\Program Files\Sony
2007-01-26 01:49:20		 0 d-------- C:\Program Files\RivaTuner v2.0 Final Release
2007-01-26 01:49:20		 0 d-------- C:\Program Files\Online Services
2007-01-26 01:49:17		 0 d-------- C:\Program Files\MSN Gaming Zone
2007-01-26 01:49:15		 0 d-------- C:\Program Files\Movie Maker
2007-01-26 01:49:15		 0 d-------- C:\Program Files\microsoft frontpage
2007-01-26 01:49:15		 0 d-------- C:\Program Files\Messenger
2007-01-26 01:49:15		 0 d-------- C:\Program Files\McAfee.com
2007-01-26 01:49:11		 0 d-------- C:\Program Files\McAfee
2007-01-26 01:49:10		 0 d-------- C:\Program Files\Maxtor
2007-01-26 01:49:10		 0 d-------- C:\Program Files\Marvell
2007-01-26 01:49:08		 0 d-------- C:\Program Files\LimeWire
2007-01-26 01:48:56		 0 d-------- C:\Program Files\Java
2007-01-26 01:48:55		 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-01-26 01:48:55		 0 d-------- C:\Program Files\Futuremark
2007-01-26 01:48:55		 0 d-------- C:\Program Files\FlexibleSoft
2007-01-26 01:48:55		 0 d-------- C:\Program Files\Driver Validation
2007-01-26 01:48:55		 0 d-------- C:\Program Files\Driver Magician
2007-01-26 01:48:52		 0 d-------- C:\Program Files\Common Files\Symantec Shared
2007-01-26 01:48:52		 0 d-------- C:\Program Files\Common Files\SpeechEngines
2007-01-26 01:48:52		 0 d-------- C:\Program Files\Common Files\ODBC
2007-01-26 01:48:52		 0 d-------- C:\Program Files\Common Files\MSSoap
2007-01-26 01:48:50		 0 d-------- C:\Program Files\Common Files\McAfee
2007-01-26 01:48:48		 0 d-------- C:\Program Files\Common Files\Java
2007-01-26 01:48:47		 0 d-------- C:\Program Files\Common Files\InstallShield
2007-01-26 01:48:44		 0 d-------- C:\Program Files\Common Files\Adobe
2007-01-26 01:48:44		 0 d-------- C:\Program Files\Asus
2007-01-26 01:48:43		 0 d-------- C:\Program Files\Analog Devices
2007-01-26 01:48:36		 0 dr------- C:\Program Files
2007-01-26 01:48:32		 0 d-------- C:\NVIDIA
2007-01-26 01:48:32		 0 d--hs---- C:\Documents and Settings\User\UserData
2007-01-26 01:48:32		 0 d--h----- C:\Documents and Settings\User\Templates
2007-01-26 01:48:32		 0 dr------- C:\Documents and Settings\User\Start Menu
2007-01-26 01:48:30		 0 d-------- C:\Documents and Settings\User\Shared
2007-01-26 01:48:30		 0 dr-h----- C:\Documents and Settings\User\SendTo
2007-01-26 01:48:30		 0 dr-h----- C:\Documents and Settings\User\Recent
2007-01-26 01:48:30		 0 d--h----- C:\Documents and Settings\User\PrintHood
2007-01-26 01:48:30   4456448 --a------ C:\Documents and Settings\User\NTUSER.DAT
2007-01-26 01:48:29		 0 d--h----- C:\Documents and Settings\User\NetHood
2007-01-26 01:37:22		 0 dr------- C:\Documents and Settings\User\My Documents
2007-01-26 01:33:25		 0 d--h----- C:\Documents and Settings\User\Local Settings
2007-01-26 01:33:25		 0 d-------- C:\Documents and Settings\User\Incomplete
2007-01-26 01:33:25		 0 dr------- C:\Documents and Settings\User\Favorites
2007-01-26 01:33:25		 0 d-------- C:\Documents and Settings\User\Desktop
2007-01-26 01:33:24		 0 d--hs---- C:\Documents and Settings\User\Cookies
2007-01-26 01:33:24		 0 dr-h----- C:\Documents and Settings\User\Application Data
2007-01-26 01:33:24		 0 d-------- C:\Documents and Settings\User\Application Data\WinRAR
2007-01-26 01:33:24		 0 d-------- C:\Documents and Settings\User\Application Data\WholeSecurity
2007-01-26 01:33:24		 0 d-------- C:\Documents and Settings\User\Application Data\Symantec
2007-01-26 01:33:24		 0 d-------- C:\Documents and Settings\User\Application Data\Macromedia
2007-01-26 01:33:24		 0 d-------- C:\Documents and Settings\User\Application Data\Identities
2007-01-26 01:33:24		 0 d-------- C:\Documents and Settings\User\Application Data\Flexiblesoft
2007-01-26 01:33:24		 0 d-------- C:\Documents and Settings\User\Application Data\Adobe
2007-01-26 01:33:23		 0 d-------- C:\Documents and Settings\User\.limewire
2007-01-26 01:33:23	786432 --a------ C:\Documents and Settings\NetworkService\NTUSER.DAT
2007-01-26 01:33:23		 0 d--h----- C:\Documents and Settings\NetworkService\Local Settings
2007-01-26 01:33:23		 0 d--hs---- C:\Documents and Settings\NetworkService\Cookies
2007-01-26 01:33:23		 0 d-------- C:\Documents and Settings\NetworkService\Application Data
2007-01-26 01:33:23		 0 d---s---- C:\Documents and Settings\NetworkService\Application Data\Microsoft
2007-01-26 01:33:23		 0 d-------- C:\Documents and Settings\LocalService\Start Menu
2007-01-26 01:33:22	786432 --a------ C:\Documents and Settings\LocalService\NTUSER.DAT
2007-01-26 01:33:20		 0 d--h----- C:\Documents and Settings\LocalService\Local Settings
2007-01-26 01:33:20		 0 d--hs---- C:\Documents and Settings\LocalService\Cookies
2007-01-26 01:33:20		 0 d-------- C:\Documents and Settings\LocalService\Application Data
2007-01-26 01:33:20		 0 d---s---- C:\Documents and Settings\LocalService\Application Data\Microsoft
2007-01-26 01:33:20		 0 d--h----- C:\Documents and Settings\Default User\Templates
2007-01-26 01:33:20		 0 dr------- C:\Documents and Settings\Default User\Start Menu
2007-01-26 01:33:20		 0 dr-h----- C:\Documents and Settings\Default User\SendTo
2007-01-26 01:33:20		 0 d--h----- C:\Documents and Settings\Default User\Recent
2007-01-26 01:33:20		 0 d--h----- C:\Documents and Settings\Default User\PrintHood
2007-01-26 01:33:20		 0 d--h----- C:\Documents and Settings\Default User\NetHood
2007-01-26 01:33:20		 0 d-------- C:\Documents and Settings\Default User\My Documents
2007-01-26 01:33:18		 0 dr-h----- C:\Documents and Settings\Default User\Local Settings
2007-01-26 01:33:18		 0 d-------- C:\Documents and Settings\Default User\Favorites
2007-01-26 01:33:18		 0 d-------- C:\Documents and Settings\Default User\Desktop
2007-01-26 01:33:18		 0 d---s---- C:\Documents and Settings\Default User\Cookies
2007-01-26 01:33:18		 0 dr-h----- C:\Documents and Settings\Default User\Application Data
2007-01-26 01:33:18		 0 d---s---- C:\Documents and Settings\Default User\Application Data\Microsoft
2007-01-26 01:33:18		 0 d--h----- C:\Documents and Settings\All Users\Templates
2007-01-26 01:33:17		 0 dr------- C:\Documents and Settings\All Users\Start Menu
2007-01-26 01:33:17		 0 d-------- C:\Documents and Settings\All Users\Favorites
2007-01-26 01:33:17		 0 d--hs---- C:\Documents and Settings\All Users\DRM
2007-01-26 01:33:17		 0 dr------- C:\Documents and Settings\All Users\Documents
2007-01-26 01:33:17		 0 d-------- C:\Documents and Settings\All Users\Desktop
2007-01-26 01:33:17		 0 d-------- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
2007-01-26 01:33:17		 0 d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2007-01-26 01:33:17		 0 d-------- C:\Documents and Settings\All Users\Application Data\NVIDIA
2007-01-26 01:33:15		 0 d---s---- C:\Documents and Settings\All Users\Application Data\Microsoft
2007-01-26 01:33:01		 0 d-------- C:\Documents and Settings
2007-01-26 01:33:01		 0 dr-h----- C:\Documents and Settings\All Users\Application Data
2007-01-26 01:33:01		 0 d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2007-01-26 01:33:01		 0 d-------- C:\Documents and Settings\All Users\Application Data\Flexiblesoft
2007-01-26 01:33:01		 0 d-------- C:\Documents and Settings\All Users\Application Data\Adobe
2007-01-26 01:23:03		 0 d--hs---- C:\System Volume Information
2007-01-25 17:33:16   4588454 --a------ C:\Program Files\setup.exe <Not Verified; Symantec; Norton Ghost 10.0>
2007-01-17 13:31:56	 53248 --a------ C:\windows\system32\wdmioctl.dll <Not Verified; Analog Devices Inc.; Analog Devices Inc. wdmioctl>
2007-01-17 13:31:55   1285632 --a------ C:\windows\system32\SMMedia.dll <Not Verified; Analog Devices; SoundMAX Integrated Digital Audio>
2007-01-17 13:31:52	 49152 --a------ C:\windows\system32\DSndUp.exe <Not Verified; Analog Devices Inc.; adi DSndUp>
2007-01-17 13:31:52	 45056 --a------ C:\windows\system32\CleanUp.exe <Not Verified; adi; adi CleanUp>
2007-01-17 13:27:30	486400 -ra------ C:\windows\system32\AsusSetup.exe <Not Verified; ASUS; AsusSetup>
2007-01-17 13:16:54	  5824 --a------ C:\windows\system32\drivers\ASUSHWIO.SYS
2007-01-15 16:45:14	143360 --a------ C:\windows\system32\dunzip32.dll <Not Verified; Inner Media, Inc.; DynaZIP-32 Multi-Threading UnZIP DLL>
2007-01-06 20:32:31	   664 --a------ C:\windows\system32\d3d9caps.dat
2007-01-05 17:21:03	262144 --a------ C:\windows\system32\wrap_oal.dll <Not Verified; Creative Labs; Creative Labs OpenAL32>
2007-01-05 17:21:03	 86016 --a------ C:\windows\system32\OpenAL32.dll <Not Verified; Portions (C) Creative Labs Inc. and NVIDIA Corp.; Standard OpenAL(TM) Library>
2007-01-05 17:04:48	  3972 --a------ C:\windows\system32\drivers\PciBus.sys
2007-01-05 17:04:48	  5632 --a------ C:\windows\system32\drivers\Entech64.sys <Not Verified; EnTech Taiwan; EnTech.sys>
2007-01-05 17:04:48	 21664 --a------ C:\windows\system32\drivers\Entech.sys <Not Verified; EnTech Taiwan; PowerStrip>
2007-01-05 13:36:20	356352 --a------ C:\windows\system32\heciudlg.exe <Not Verified; Intel(R) Corporation; Intel(R) Management Engine Interface>
2007-01-05 13:32:46	 50520 --a------ C:\windows\system32\SP32395.SYS <Not Verified; Compaq Computer Corporation; Client Management Device Driver>
2007-01-05 10:38:17	155648 --a------ C:\windows\system32\igfxres.dll <Not Verified; Intel Corporation; Intel(R) Common User Interface>
2007-01-05 10:35:29	309760 --a------ C:\windows\system32\difxapi.dll <Not Verified; Microsoft Corporation; Driver Install Frameworks API (DIFxAPI)>
2007-01-05 10:35:29	312320 --a------ C:\windows\system32\difx32.dll <Not Verified; Microsoft Corporation; Driver Install Frameworks API (DIFxAPI)>
2007-01-05 00:21:42	   552 --a------ C:\windows\system32\d3d8caps.dat
2007-01-05 00:17:54	229376 ---h----- C:\Documents and Settings\Default User\NTUSER.DAT
2007-01-05 00:17:48		 0 -rahs---- C:\MSDOS.SYS
2007-01-05 00:17:48		 0 -rahs---- C:\IO.SYS
2007-01-05 00:17:48		 0 -----n--- C:\CONFIG.SYS
2007-01-05 00:17:48		 0 -----n--- C:\AUTOEXEC.BAT
2007-01-05 00:14:52	 21640 --a------ C:\windows\system32\emptyregdb.dat
2007-01-04 23:49:48	262144 -----n--- C:\Documents and Settings\All Users\ntuser.dat
2007-01-04 23:30:13	 26112 --a------ C:\windows\system32\xpsp1hfm.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2007-01-04 23:29:19	171280 --a------ C:\windows\system32\jit.dll <Not Verified; Microsoft Corporation; Microsoft(R) Windows (R) Operating System>
2007-01-04 23:29:19	139536 --a------ C:\windows\system32\javaee.dll <Not Verified; Microsoft Corporation; Microsoft(R) Windows (R) Operating System>
2007-01-04 23:29:19	 46352 --a------ C:\windows\setdebug.exe <Not Verified; Microsoft Corporation; Microsoft(R) Windows (R) Operating System>
2007-01-04 23:29:18	313856 --a------ C:\windows\system32\dx3j.dll <Not Verified; Microsoft Corporation; Microsoft® DirectX for Java>
2007-01-04 23:29:18	  6550 --a------ C:\windows\jautoexp.dat
2007-01-04 23:29:15	   113 --a------ C:\windows\system32\zonedon.reg
2007-01-04 23:29:15	   113 --a------ C:\windows\system32\zonedoff.reg
2007-01-04 23:29:15	171792 --a------ C:\windows\system32\wjview.exe <Not Verified; Microsoft Corporation; Microsoft(R) Windows (R) Operating System>
2007-01-04 23:29:15	286992 --a------ C:\windows\system32\vmhelper.dll <Not Verified; Microsoft Corporation; Microsoft(R) Windows (R) Operating System>
2007-01-04 23:29:14	 21264 --a------ C:\windows\system32\msjdbc10.dll <Not Verified; Microsoft Corporation; Microsoft(R) Windows (R) Operating System>
2007-01-04 23:29:14	947472 --a------ C:\windows\system32\msjava.dll <Not Verified; Microsoft Corporation; Microsoft(R) Windows (R) Operating System>
2007-01-04 23:29:14	154384 --a------ C:\windows\system32\msawt.dll <Not Verified; Microsoft Corporation; Microsoft(R) Windows (R) Operating System>
2007-01-04 23:29:13	172304 --a------ C:\windows\system32\jview.exe <Not Verified; Microsoft Corporation; Microsoft(R) Windows (R) Operating System>
2007-01-04 23:29:13	 15120 --a------ C:\windows\system32\jdbgmgr.exe <Not Verified; Microsoft Corporation; Microsoft(R) Windows (R) Operating System>
2007-01-04 23:29:13	404752 --a------ C:\windows\system32\javart.dll <Not Verified; Microsoft Corporation; Microsoft(R) Windows (R) Operating System>
2007-01-04 23:29:13	 63248 --a------ C:\windows\system32\javaprxy.dll <Not Verified; Microsoft Corporation; Microsoft(R) Windows (R) Operating System>
2007-01-04 23:29:13	187152 --a------ C:\windows\system32\javacypt.dll <Not Verified; Microsoft Corporation; Microsoft(R) Windows (R) Operating System>
2007-01-04 23:29:12	 49424 --a------ C:\windows\system32\clspack.exe <Not Verified; Microsoft Corporation; Microsoft(R) Windows (R) Operating System>
2006-10-30 03:33:58	 83968 --a------ C:\windows\system32\infocardapi.dll <Not Verified; Microsoft Corporation; Microsoft® .NET Framework>
2006-10-22 12:22:00   1622016 --a------ C:\windows\system32\nwiz.exe
2006-10-22 12:22:00   1019904 --a------ C:\windows\system32\nvwimg.dll
2006-10-22 12:22:00   1662976 --a------ C:\windows\system32\nvwdmcpl.dll
2006-10-22 12:22:00	466944 --a------ C:\windows\system32\nvshell.dll
2006-10-22 12:22:00   1470464 --a------ C:\windows\system32\nview.dll
2006-10-22 12:22:00   1339392 --a------ C:\windows\system32\nvdspsch.exe
2006-10-22 12:22:00	442368 --a------ C:\windows\system32\nvappbar.exe
2006-10-22 12:22:00	425984 --a------ C:\windows\system32\keystone.exe
2006-10-14 16:43:38	124928 -----n--- C:\windows\system32\prntvpt.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>


-- Find3M Report ---------------------------------------------------------------

2007-05-30 14:34:04	392673 --a------ C:\Documents and Settings\User\Application Data\com.kennettnet.MusicRescueProfiles.plist
2007-01-04 16:08:44		62 ---hs---- C:\Documents and Settings\User\Application Data\desktop.ini


-- Registry Dump ---------------------------------------------------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{53707962-6F74-2D53-2644-206D7942484F}	C:\PROGRA~1\SPYBOT~1\SDHelper.dll
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
{7DB2D5A0-7241-4E79-B68D-6309F01C5231}	c:\program files\mcafee\virusscan\scriptcl.dll
{C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53}	c:\program files\mcafee\mps\mcpopup.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"SoundMAXPnP"="C:\\Program Files\\Analog Devices\\Core\\smax4pnp.exe"
"SoundMAX"="\"C:\\Program Files\\Analog Devices\\SoundMAX\\Smax4.exe\" /tray"
"RivaTunerStartupDaemon"="\"C:\\Program Files\\RivaTuner v2.0 Final Release\\RivaTuner.exe\" /S"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"LogMeIn GUI"="\"C:\\Program Files\\LogMeIn\\LogMeInSystray.exe\""
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\windows\\system32\\ctfmon.exe"
"Aim6"="\"C:\\Program Files\\AIM6\\aim6.exe\" /d locale=en-US ee://aol/imApp"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
   Authentication Packages	REG_MULTI_SZ   	msv1_0\0\0
   Security Packages	REG_MULTI_SZ   	kerberos\0msv1_0\0schannel\0wdigest\0\0
   Notification Packages	REG_MULTI_SZ   	scecli\0\0

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\MCODS
 
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService	REG_MULTI_SZ   	Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService	REG_MULTI_SZ   	DnsCache\0\0
rpcss	REG_MULTI_SZ   	RpcSs\0\0
imgsvc	REG_MULTI_SZ   	StiSvc\0\0
termsvcs	REG_MULTI_SZ   	TermService\0\0
HTTPFilter	REG_MULTI_SZ   	HTTPFilter\0\0
DcomLaunch	REG_MULTI_SZ   	DcomLaunch\0TermService\0\0
WudfServiceGroup	REG_MULTI_SZ   	WUDFSvc\0\0



-- Hosts -----------------------------------------------------------------------

127.0.0.1 mpa.one.microsoft.com


-- End of Deckard's System Scanner: finished at 2006-01-04 at 03:42:19 ---------

extra.txt
Deckard's System Scanner v20070611.50
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel(R) Core(TM)2 CPU		  6300  @ 1.86GHz
CPU 1: Intel(R) Core(TM)2 CPU		  6300  @ 1.86GHz
Percentage of Memory in Use: 31%
Physical Memory (total/avail): 2046.47 MiB / 1404.32 MiB
Pagefile Memory (total/avail): 1893.07 MiB / 1481.59 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1963.52 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 149.06 GiB total, 106.74 GiB free. 
D: is CDROM (No Media)
E: is CDROM (CDFS)


-- Security Center -------------------------------------------------------------

AUOptions is disabled.
Windows Internal Firewall is disabled.

FW: McAfee Personal Firewall v (McAfee)
AV: McAfee VirusScan v (McAfee)

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Sony\\Station\\LaunchPad\\LaunchPad.exe"="C:\\Program Files\\Sony\\Station\\LaunchPad\\LaunchPad.exe:*:Enabled:LaunchPad"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"="C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe:*:Enabled:McAfee Network Agent"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Documents and Settings\\User\\Desktop\\utorrent.exe"="C:\\Documents and Settings\\User\\Desktop\\utorrent.exe:*:Enabled:µTorrent"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\User\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.5.0_11\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=EVAN-RN6P8IAL26
ComSpec=C:\windows\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\User
LOGONSERVER=\\EVAN-RN6P8IAL26
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\windows\system32;C:\windows;C:\windows\System32\Wbem;C:\Program Files\Common Files\Ulead Systems\MPEG;C:\Program Files\QuickTime\QTSystem\;C:\Program Files\Common Files\Adobe\AGL
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 15 Stepping 6, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0f06
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.5.0_11\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\windows
TEMP=C:\DOCUME~1\User\LOCALS~1\Temp
TMP=C:\DOCUME~1\User\LOCALS~1\Temp
USERDOMAIN=EVAN-RN6P8IAL26
USERNAME=User
USERPROFILE=C:\Documents and Settings\User
windir=C:\windows


-- User Profiles ---------------------------------------------------------------

User [I](admin)[/I]
LogMeInRemoteUser [I](admin)[/I]


-- Add/Remove Programs ---------------------------------------------------------

 --> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Ad-Aware SE Personal --> MsiExec.exe /X{78CC3BAB-DE2A-4FB4-8FBB-E4DADDC26747}
Adobe Bridge 1.0 --> MsiExec.exe /I{B74D4E10-1033-0000-0000-000000000001}
Adobe Common File Installer --> MsiExec.exe /I{8EDBA74D-0686-4C99-BFDD-F894678E5B39}
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
Adobe Help Center 1.0 --> MsiExec.exe /I{E9787678-1033-0000-8E67-000000000001}
Adobe Photoshop CS2 --> msiexec /I {236BB7C4-4419-42FD-0409-1E257A25E34D}
Adobe Reader 8 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A80000000002}
Adobe Stock Photos 1.0 --> MsiExec.exe /I{786C5747-1033-0000-B58E-000000000001}
AIM 6 --> C:\Program Files\AIM6\uninst.exe
Alcohol 120% --> MsiExec.exe /X{E9F81423-211E-46B6-9AE0-38568BC5CF6F}
AsusUpdate --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{587178E7-B1DF-494E-9838-FA4DD36E873C}\Setup.exe" -l0x9 
Audacity 1.2.6 --> "C:\Program Files\Audacity\unins000.exe"
AVG Anti-Spyware 7.5 --> C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Uninstall.exe
High Definition Audio Driver Package - KB888111 --> C:\WINDOWS\$NtUninstallKB888111WXPSP2$\spuninst\spuninst.exe
HijackThis 1.99.1 --> C:\HJT\HijackThis.exe /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\windows\$NtUninstallKB929399$\spuninst\spuninst.exe"
Hotfix for Windows Media Format SDK (KB902344) --> "C:\WINDOWS\$NtUninstallKB902344$\spuninst\spuninst.exe"
Intel(R) Management Engine Interface --> C:\WINDOWS\system32\heciudlg.exe -uninstall
ISXVG 20070511.0014 --> C:\Program Files\InnerSpace\Uninstall-ISXVG.exe
iTunes --> MsiExec.exe /I{446DBFFA-4088-48E3-8932-74316BA4CAE4}
J2SE Runtime Environment 5.0 Update 10 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150100}
J2SE Runtime Environment 5.0 Update 11 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150110}
J2SE Runtime Environment 5.0 Update 8 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150080}
Java(TM) SE Runtime Environment 6 Update 1 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160010}
Keyboard Layout Management Application --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{79770F05-E3B8-4DAA-BEDB-9EBF29EAF527}\Setup.exe" -l0x9 
LimeWire 4.12.6 --> "C:\Program Files\LimeWire\uninstall.exe"
LogMeIn --> MsiExec.exe /I{BA2D4D22-0B99-4D63-BCEE-D2EA4736F27F}
Macromedia Dreamweaver MX 2004 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{05BB2EC5-6BEF-4DDC-9E75-BEE7B161157A}\Setup.exe" -l0x9 mmUninstall
Macromedia Extension Manager --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A5BA14E0-7384-11D4-BAE7-00409631A2C8}\setup.exe" -l0x9 mmUninstall
Macromedia Flash MX 2004 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2F353D44-73BB-4971-B31D-F7642E9E9531}\Setup.exe" -l0x9 UNINSTALL
Marvell Miniport Driver --> MsiExec.exe /X{C950420B-4182-49EA-850A-A6A2ABF06C6B}
MaxBlast 4 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{639858DD-4966-40F3-A706-7C838BCF3A2B}\Setup.exe" 
McAfee SecurityCenter --> C:\Program Files\McAfee\MSC\mcuninst.exe
Microsoft Base Smart Card Cryptographic Service Provider Package --> "C:\WINDOWS\$NtUninstallbasecsp$\spuninst\spuninst.exe"
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Office 2000 Premium --> MsiExec.exe /I{00000409-78E1-11D2-B60F-006097C998E7}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Mozilla Firefox (2.0.0.3) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSXML 6.0 Parser --> MsiExec.exe /I{A43BF6A5-D5F0-4AAA-BF41-65995063EC44}
Music Rescue 3.1.2 --> "C:\Program Files\Music Rescue\unins000.exe"
Nero Fast CD-Burning Plug-in --> C:\windows\UnWMPBurn.exe /UNINSTALL
NVIDIA Drivers --> C:\WINDOWS\system32\nvuide.exe UninstallGUI
Panda ActiveScan --> C:\windows\system32\ASUninst.exe Panda ActiveScan
QuickTime --> MsiExec.exe /I{F07B861C-72B9-40A4-8B1A-AAED4C06A7E8}
RivaTuner v2.0 Final Release --> "C:\Program Files\RivaTuner v2.0 Final Release\uninstall.exe"
SmartSound Quicktracks Plugin --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{4A7FDA4D-F4D7-4A49-934A-066D59A43C7E} 
SoundMAX --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F0A37341-D692-11D4-A984-009027EC0A9C}\setup.exe" -l0x9  -removeonly
Spybot - Search & Destroy 1.4 --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
TeamSpeak 2 RC2 --> "C:\Program Files\Teamspeak2_RC2\unins000.exe"
Ulead VideoStudio 8.0 Trial --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4F1DA6BF-3614-48A1-9970-9E90F646789E}\setup.exe" -l0x9 
Vanguard: Saga of Heroes --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{42B80790-B68D-40D1-A5A0-531A7DD27D9E}\setup.exe" -l0x9  -removeonly
Ventrilo Client --> MsiExec.exe /I{789289CA-F73A-4A16-A331-54D498CE069F}
Viewpoint Media Player --> C:\Program Files\Viewpoint\Viewpoint Experience Technology\mtsAxInstaller.exe /u
Windows Communication Foundation --> MsiExec.exe /X{491DD792-AD81-429C-9EB4-86DD3D22E333}
Windows Imaging Component --> "C:\windows\$NtUninstallWIC$\spuninst\spuninst.exe"
Windows Media Encoder 9 Series --> msiexec.exe /I {E38C00D0-A68B-4318-A8A6-F7D4B5B1DF0E}
Windows Media Encoder 9 Series --> MsiExec.exe /I{E38C00D0-A68B-4318-A8A6-F7D4B5B1DF0E}
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Format SDK Hotfix - KB891122 --> "C:\WINDOWS\$NtUninstallKB891122$\spuninst\spuninst.exe"
Windows Presentation Foundation --> MsiExec.exe /X{BAF78226-3200-4DB4-BE33-4D922A799840}
Windows Rights Management Client Backwards Compatibility SP2 --> MsiExec.exe /X{EC905264-BCFE-423B-9C42-C3A106266790}
Windows Rights Management Client with Service Pack 2 --> MsiExec.exe /X{BDCF27CA-BFC4-4F49-8D24-A925C9505AB8}
Windows Workflow Foundation --> MsiExec.exe /I{7D1B85BD-AA07-48B8-808D-67A4067FC6BD}
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
XML Paper Specification Shared Components Pack 1.0 --> 


-- End of Deckard's System Scanner: finished at 2006-01-04 at 03:42:19 ---------


#6 DaveM59


Posted 15 June 2007 - 09:50 PM

Hi again,

Not much showing in these new scans. Did find one questionable file:

C:\windows\usndp202.exe

Please submit this file for analysis.

To submit, go to this webpage:

Virustotal

Near the top of the webpage there is a white text box with a Browse button. Just click it, navigate to the file, select it, click Open, then back on the web page, click Send.

Virustotal puts the file in a queue and will estimate how long it should take before your file is analyzed. During the analysis you will see the report grow as the file is scanned by each of the programs.

To save the report, highlight the relevant block of text on the web page, then press <Ctrl> - C. Open Notepad and press <Ctrl> - V. Give the file a catchy name like Virustotal.txt and save it to your desktop. I need to see it.


Please download Regsearch by Bobbi Flekman and save it to your desktop. This is a zip file. Right-click the file icon, a menu will open, select Extract all. The Extraction Wizard will open; click Next, Next, then Finish. You should see the contents of the Regsearch folder on your desktop. Double-click the Regsearch.exe icon to run the program.

The top section of the program window contains a text box with four lines. It is labeled "Enter search strings (case independent) and click OK..."

In the first line of that text box, type msconfig.

In the second line of that text box, type msconfig.exe.

Leave the bottom section, with the text box marked "Enter string to exclude from results (optional)" empty. Leave the Search boxes alone -- all should be checked. Click OK.

Regsearch will run. After a few minutes it will open a log file, Regsearch.txt, on your desktop.

Copy and paste the contents of that file, along with the Virustotal report, to a reply here.

Dave

#7 ekleist


Posted 16 June 2007 - 12:31 AM

RegSearch.txt
Windows Registry Editor Version 5.00

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.5.0

; Results at 1/4/2006 10:23:38 AM for strings:
;  'msconfig'
;  'msconfig.exe'
; Strings excluded from search:
;  (None)
; Search in: 
; Registry Keys  Registry Values  Registry Data  
; HKEY_LOCAL_MACHINE  HKEY_USERS  


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{81AF8873-6012-4999-AC64-153EA4F6451F}]
@="ILaunchMsConfigElevated"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\MSCONFIG.EXE]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\MSCONFIG.EXE]
@="C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\MSConfig.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\MUILanguages\RCV2\msconfig.exe]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Nls\MUILanguages\RCV2\msconfig.exe]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\MUILanguages\RCV2\msconfig.exe]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*]
"i"="C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\msconfig.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\exe]
"c"="C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\msconfig.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU]
"b"="C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\msconfig.exe\\1"
"e"="msconfig\\1"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\msconfig.exe"="System Configuration Utility"

; End Of The Log...

Virustotal
Complete scanning result of "usndp202.exe", received in VirusTotal at 06.16.2007, 07:22:41 (CET).

Antivirus Version Update Result 
AhnLab-V3 2007.6.16.0 06.15.2007  no virus found 
AntiVir 7.4.0.32 06.15.2007  no virus found 
Authentium 4.93.8 06.16.2007  no virus found 
Avast 4.7.997.0 06.15.2007  no virus found 
AVG 7.5.0.467 06.15.2007  no virus found 
BitDefender 7.2 06.16.2007  no virus found 
CAT-QuickHeal 9.00 06.15.2007  no virus found 
ClamAV devel-20070416 06.16.2007  no virus found 
DrWeb 4.33 06.15.2007  no virus found 
eSafe 7.0.15.0 06.14.2007  no virus found 
eTrust-Vet 30.7.3721 06.15.2007  no virus found 
Ewido 4.0 06.15.2007  no virus found 
FileAdvisor 1 06.16.2007  no virus found 
Fortinet 2.85.0.0 06.16.2007  no virus found 
F-Prot 4.3.2.48 06.15.2007  no virus found 
F-Secure 6.70.13030.0 06.15.2007  no virus found 
Ikarus T3.1.1.8 06.16.2007  no virus found 
Kaspersky 4.0.2.24 06.16.2007  no virus found 
McAfee 5054 06.15.2007  no virus found 
Microsoft 1.2607 06.16.2007  no virus found 
Norman 5.80.02 06.15.2007  no virus found 
Panda 9.0.0.4 06.16.2007  no virus found 
Prevx1 V2 06.16.2007  no virus found 
Sophos 4.18.0 06.12.2007  no virus found 
Sunbelt 2.2.907.0 06.16.2007  no virus found 
Symantec 10 06.16.2007  no virus found 
TheHacker 6.1.6.133 06.15.2007  no virus found 
VBA32 3.12.0.2 06.15.2007  no virus found 
VirusBuster 4.3.23:9 06.15.2007  no virus found 
Webwasher-Gateway 6.0.1 06.16.2007 no virus found 


Aditional Information 
File size: 120873 bytes 
MD5: b3db7f2beb07c3a317e9d9ff2fe6a0bf 
SHA1: fed9e209f7c8eeed8c88fa8e8abd52e706800bc8 
packers: ZIP, nameless


#8 DaveM59

DaveM59

    Bleepin' Grandpa


  • Members
  • 1,355 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:TN USA
  • Local time:01:07 AM

Posted 16 June 2007 - 11:34 AM

I don't see anything here that explains your problems with msconfig. Let me ponder on it a little and ask for help.

I do see that you have some old versions of Java that need to be removed. They have security vulnerabilities.

J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 8

You can uninstall these from the "Add or Remove Programs" list in your Control Panel. If you need detailed instructions, just ask.

You seem to have the old Microsoft Java VM installed. That also needs to go.

The easiest way to accomplish this is to download and run this tool.

Viewpoint is considered foistware rather than malware; it does not do anything bad, but it is often installed without the user's consent. If you don't use it, you can remove that as well.

I also see that you have Limewire installed. P2P programs are intrinsically dangerous. Consider whether the use of these programs is worth the risk. Please read this article for more information.

Dave

#9 DaveM59

Posted 16 June 2007 - 03:45 PM

Hi again,

Another question. Have you had a power outage recently, or some other event that caused your system to lose power? For example, disconnecting the power cord or the surge protector from the outlet?

Reason I ask -- it appears your system clock is wrong, it looks like it was reset back to January 2006. This might be your BIOS default, and sometimes, if your motherboard battery is weak, a power loss will cause the BIOS to lose its settings and revert to its defaults.

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.5.0

; Results at 1/4/2006 10:23:38 AM for strings:
; 'msconfig'
; 'msconfig.exe'


color added for emphasis.

This does not explain your MSConfig problem, which obviously started before the clock was reset. The date on your original HJT log is apparently correct. But it's something that needs to be looked into, and it might explain why DSS was unable to set a restore point.
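Added example, not part of DaveM59's post: the comparison made above, scripted in Python. It parses the header timestamps of the tool outputs quoted in this thread and measures each local-clock timestamp against a reference the PC does not set. The function names, the 7-day tolerance, the 04 June 2007 1:45 PM reference for the HijackThis log, and the pairing of the Registry Search log with the VirusTotal receipt time are assumptions of this example.

```python
import re
from datetime import datetime, timedelta

# (regex, strptime format) for each header; all three tools write month before day.
PATTERNS = [
    (r"Scan saved at (\d{1,2}:\d{2}:\d{2} [AP]M), on (\d{1,2}/\d{1,2}/\d{4})",
     "%I:%M:%S %p %m/%d/%Y"),                                   # HijackThis
    (r"Results at (\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)",
     "%m/%d/%Y %I:%M:%S %p"),                                   # Registry Search
    (r"received in VirusTotal at (\d{2}\.\d{2}\.\d{4}), (\d{2}:\d{2}:\d{2})",
     "%m.%d.%Y %H:%M:%S"),                                      # VirusTotal
]

def extract_timestamp(line):
    """Return the datetime found in a known log header line, or None."""
    for pattern, fmt in PATTERNS:
        match = re.search(pattern, line)
        if match:
            return datetime.strptime(" ".join(match.groups()), fmt)
    return None

def check_clock(entries, tolerance=timedelta(days=7)):
    """entries: (label, header line, reference time from a clock the PC does not set).
    Returns (label, skew in whole days, verdict) for each entry."""
    findings = []
    for label, line, reference in entries:
        stamp = extract_timestamp(line)
        if stamp is None:
            findings.append((label, None, "no timestamp found"))
            continue
        skew = stamp - reference
        verdict = "ok" if abs(skew) <= tolerance else "clock suspect"
        findings.append((label, round(skew.total_seconds() / 86400), verdict))
    return findings

# Header lines copied from this thread.
VT_LINE = 'Complete scanning result of "usndp202.exe", received in VirusTotal at 06.16.2007, 07:22:41 (CET).'
ENTRIES = [
    # Reference: the forum's date on the post that carried the HijackThis log.
    ("HijackThis", "Scan saved at 11:39:51 AM, on 6/4/2007", datetime(2007, 6, 4, 13, 45)),
    # Reference: the VirusTotal receipt time, assuming both results were posted together.
    ("Registry Search", "; Results at 1/4/2006 10:23:38 AM for strings:", extract_timestamp(VT_LINE)),
]

if __name__ == "__main__":
    for finding in check_clock(ENTRIES):
        print(finding)
```

A large negative skew on one log while another log from the same machine is on time points to a clock that was reset between the two runs, not to a wrong time zone.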

#10 ekleist

Posted 16 June 2007 - 06:46 PM

Hi again. First, when trying to remove the Javas, I get the error "Error Applying Transforms. Verify that the specified transform paths are valid." after clicking remove or change.

I removed MSJVM.

I removed Viewpoint.

As for the power failure, I am not certain. I did notice just a few days ago (after I ran HJT, I think) that my clock was about 40 minutes behind, so I adjusted the time to be correct. I did not notice that the date was off. I adjusted the date on the clock now.

#11 DaveM59

Posted 17 June 2007 - 02:51 PM

Hi again ekleist,

First thing I have to advise you about is this recent clock reset. Unless someone deliberately unplugged the surge strip or power cord (Q- do you have children?), it most likely was caused by a power loss in your home, although it could also have been caused by a power surge, or by a malfunction of your computer power supply. In any case you need to do two things:

First, be on the alert. Watch for this in case it happens again. If it does, be ready for it. If a power problem has caused you to lose your BIOS settings (this includes the system clock) you will see some sort of message when you first turn the computer on. On my machine it says something like "CMOS checksum error, press <Del> to enter setup." Do it. Don't let the computer boot into Windows until you have reset the clock and other critical BIOS settings. Note that on some computers there may be another key you need to press to get into BIOS setup. The manual should tell you.

This means of course that you need to go into your BIOS ahead of time and write down the settings. Defaults are usually okay for most things but you should consult your motherboard or computer manual. They should have a section explaining the various settings, with recommendations.

The second thing is, assuming this was caused by a power interruption, the reset should not have happened. There is a battery on your motherboard that is supposed to supply power to the BIOS memory, so that it does not lose its settings, even when the power is disconnected. That battery may be failing. Check your manual for the model number and get a new battery. If you have another power failure, replace the battery before you power the computer back on. Note that you will then have to go into Setup to reset the clock and any other non-default settings in the BIOS.

Now, as to the old Java versions: we are going to have to do a manual uninstall. In order to do this, we are going to need to edit your registry. Have you ever done this before?

If you feel uncomfortable about editing the registry, I can write you a REG file that will automate the process so that you don't have to do any hands-on editing. If you feel okay about it, I can just give you some instructions on which subkeys to delete. However, either way, I will need to see a part of your registry. Click Start, Run and type in regedit. This will open Registry Editor.

Don't worry, you are not going to make any changes. You are just going to copy a bit of it.

When Registry Editor opens, you should see a single entry on the left, My Computer. Click the "+" sign in the box next to this line. That will expand the tree one level so you see the five major keys. Click the "+" box next to HKEY_LOCAL_MACHINE to expand it.

Similarly, expand the subkey SOFTWARE, then scroll down to the subkey Javasoft. Right click the Javasoft folder icon. On the menu that opens, select Export.

An Export Registry File Window will open, similar to a Save As window for a text editing program like Notepad. At the top, in the Save In box, navigate to and select your Desktop. Down at the bottom, in the File name box, type in Javasoft. Leave the File type set to Registration files (.reg), and make sure the Export Range radio button below that is set to Selected Branch. Then click Save. Close up the subkeys you expanded, then close the Registry Editor.

On your desktop, right click the Javasoft.reg file and select Edit. The file will open in Notepad. Click <Ctrl>-<A>, then <Ctrl>-<C> to copy the contents, then post them in a reply here by clicking <Ctrl>-<V>.

One other thing I would like you to do, now that your clock is reset properly, is to see if you can get your system restore working again. To do this, you need to disable System Restore, reboot the computer, then re-enable it.

Please see this tutorial for details:

http://www.bleepingcomputer.com/tutorials/windows-xp-system-restore-guide/

Please let me know how this goes.

I have asked for some help with your MSConfig.exe problem. I am also going over your logs again, and I may have to ask for more scans in an effort to track this down. Please be patient on this, there are some very experienced and knowledgeable people on the staff here at BC.

Two suggestions have already come in:

(1) Also, you can use Doug Knox's xp_emegencyutil.exe (Emergency MSConfig, Regedit, Task Manager utility):

http://www.dougknox.com/xp/utils/xp_emerutils.htm

Download the tool from the webpage, and follow the instructions Doug gives there.

(Thanks to Aaflac for this suggestion)

(2) msconfig.exe *should* be in

C:\WINDOWS\PCHEALTH\HELPCTR\Binaries, and should be 154 kB in size.

If the file is the full, Microsoft file (check properties to see if it is), copy it to My Documents and rename it msconfig.com and try to run it directly.

If it won't run the file could be corrupt:

Open a command prompt window. Insert the XP CD into the drive and enter the following command:

EXPAND -R X:\I386\MSCONFIG.EX_ Z:\WINDOWS\PCHEALTH\HELPCTR\BINARIES

(This will extract a new copy of the MSCONFIG.EXE from the CD.)

Note: in the above line, X should be changed to the actual drive letter of your CDROM drive, and Z to your system hard drive letter (usually C).

Also you can run regedit and navigate to the key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\MSConfig.exe

In the right hand pane, double click on default, and an Edit String window will open.

Check that Value data is set to C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\MSConfig.exe

If it isn't, change it so it is.

(Thanks to Amateur for this suggestion).

I know you have tried some similar things already, but please try these anyway. Let me know what happens.


Good luck,

Dave
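Added example, not part of the post above: the App Paths check from suggestion (2), done in Python against a regedit export of that key made the same way as the Javasoft export described earlier in the post. The two export texts are constructed samples, and the function names are this example's own.

```python
import re

KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\MSConfig.exe"
EXPECTED = r"C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\MSConfig.exe"

def unescape(text):
    # .reg strings escape backslashes and double quotes with a leading backslash.
    return re.sub(r"\\(.)", r"\1", text)

def parse_reg(text):
    """Parse regedit export text into {key: {value name: data}}; '@' is the default value."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
            continue
        match = re.match(r'(@|"(?:[^"\\]|\\.)*")=(.*)$', line)
        if match is None or current is None:
            continue
        name, data = match.groups()
        name = "@" if name == "@" else unescape(name[1:-1])
        # Only plain strings are decoded; dword: and hex: data is kept as written.
        if len(data) >= 2 and data[0] == data[-1] == '"':
            data = unescape(data[1:-1])
        current[name] = data
    return keys

def check_app_path(reg_text, key=KEY, expected=EXPECTED):
    """Compare the key's default value with the expected path, ignoring case."""
    values = {k.lower(): v for k, v in parse_reg(reg_text).items()}.get(key.lower())
    if values is None:
        return "key missing"
    actual = values.get("@")
    if actual is None:
        return "default value missing"
    if actual.lower() == expected.lower():
        return "ok"
    return "points elsewhere: " + actual

# Constructed sample exports (not taken from the thread).
GOOD = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\MSCONFIG.EXE]
@="C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\MSConfig.exe"
'''
BAD = GOOD.replace(r"WINDOWS\\PCHealth\\HelpCtr\\Binaries\\MSConfig.exe", r"Temp\\msconfig.com")
if __name__ == "__main__":
    print(check_app_path(GOOD), "|", check_app_path(BAD))
```

The comparison ignores case because Windows paths and registry key names are case-insensitive, so an export that spells the key MSCONFIG.EXE still matches.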

#12 DaveM59

Posted 18 June 2007 - 10:49 AM

Hi again,

Something else I want you to check. It's a long shot, but I think it's worth a look.

Download Dependency Walker from this webpage. The download links are at the bottom of the page; the one you want is Version 2.2 for x86. Download the file to your desktop.

Right click the file icon (It's a zip file, the icon looks like a folder with a zipper) and select Extract All. The extraction wizard will open, click Next, then Next again, then Finish. You will see the contents of the Depends22_x86 folder open on your desktop. Double click Depends.exe.

On the Dependency Walker menu bar, click File, then select Open. In the Look in: box, click the arrow and navigate to your msconfig.exe file. Highlight it, and click Open.

When the dependency tree appears, click File again, then click Save as... When the Save As window opens, click the arrow to the right of the Save in text box, and navigate to and select your desktop. At the bottom of the window, in the Save as type box, click the arrow and select Text (.txt). The default filename is okay, so click Save.

Post the contents of that report file (msconfig.txt) to your next reply, along with the other information I have already asked for.

If Dependency Walker cannot open Msconfig.exe, please note any error message it gives you, and post that.

Dave
