Jump to content


[RESOLVED] My sister win xp desktop machine badly infected

Started By ProblemsRBad, Jul 03 2011 02:53 PM

  • You cannot start a new topic
  • You cannot reply to this topic
17 replies to this topic

#1 ProblemsRBad

    Member

  • 161 posts
  • Joined: June 23, 2011
  • 15 topics
  • Skin: IP.Board
  • Local time: 07:56 PM
  • Zodiac:Aries
  • OS:Windows 7
  • Country:
Offline
  • Time Online: 3d 20h 16m 27s

Posted 03 July 2011 - 02:53 PM

Hello, I am at my sisters house. Her Win XP desktop pc has Avast and I see a malware warning and rootkit pop ups coming. Her bf pc crashed so he added his HDD (e:) into her pc as slave. It could be infected as well. I have scans for you. Please help!
Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 7010

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

7/3/2011 9:39:06 AM
mbam-log-2011-07-03 (09-39-06).txt

Scan type: Quick scan
Objects scanned: 177624
Time elapsed: 1 hour(s), 7 minute(s), 30 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 13
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{00A6FAF1-072E-44CF-8957-5838F569A31D} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00A6FAF1-072E-44CF-8957-5838F569A31D} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{07B18EA1-A523-4961-B6BB-170DE4475CCA} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{07B18EA9-A523-4961-B6BB-170DE4475CCA} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07B18EA9-A523-4961-B6BB-170DE4475CCA} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00A6FAF6-072E-44CF-8957-5838F569A31D} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07B18EAB-A523-4961-B6BB-170DE4475CCA} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SETUP.EXE (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\MyWebSearch.ThirdPartyInstaller (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\MyWebSearch.ThirdPartyInstaller.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\Temp\v30701.exe (Spyware.Zbot) -> Quarantined and deleted successfully.
c:\windows\temp\xusf\setup.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\certstore.dat (Trojan.Agent) -> Quarantined and deleted successfully.

=========================================================================================

GMER 1.0.15.15640 - http://www.gmer.net
Rootkit scan 2011-07-03 10:12:06
Windows 5.1.2600 Service Pack 3 Harddisk1\DR1 -> \Device\Ide\IdePort1 Maxtor_6Y080M0 rev.YAR51HW0
Running: 411nd7sc.exe; Driver: C:\DOCUME~1\Amy\LOCALS~1\Temp\pxtdrpoc.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwAddBootEntry [0xAA492202]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwAllocateVirtualMemory [0xAA4F8CB2]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwClose [0xAA4B66C1]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEvent [0xAA49481C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEventPair [0xAA494874]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateIoCompletion [0xAA49498A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateKey [0xAA4B6075]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateMutant [0xAA494772]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSection [0xAA4948C4]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSemaphore [0xAA4947C6]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateTimer [0xAA494938]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteBootEntry [0xAA492226]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteKey [0xAA4B6D87]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteValueKey [0xAA4B703D]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDuplicateObject [0xAA494C0E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateKey [0xAA4B6BF2]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateValueKey [0xAA4B6A5D]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwFreeVirtualMemory [0xAA4F8D62]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwLoadDriver [0xAA491FF0]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwModifyBootEntry [0xAA49224A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeKey [0xAA494D82]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeMultipleKeys [0xAA492CDA]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEvent [0xAA49484C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEventPair [0xAA49489C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenIoCompletion [0xAA4949B4]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenKey [0xAA4B63D1]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenMutant [0xAA49479E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenProcess [0xAA494A46]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSection [0xAA494904]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSemaphore [0xAA4947F4]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenThread [0xAA494B2A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenTimer [0xAA494962]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwProtectVirtualMemory [0xAA4F8DFA]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryKey [0xAA4B68D8]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryObject [0xAA492BA0]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryValueKey [0xAA4B672A]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwRenameKey [0xAA501E48]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwRestoreKey [0xAA4B56E8]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootEntryOrder [0xAA49226E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootOptions [0xAA492292]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemInformation [0xAA49204A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemPowerState [0xAA492186]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetValueKey [0xAA4B6E8E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwShutdownSystem [0xAA492162]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSystemDebugControl [0xAA4921AA]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwVdmControl [0xAA4922B6]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0xAA50E902]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObInsertObject
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!ZwYieldExecution + 3A6 804E4C00 4 Bytes [E8, 56, 4B, AA]
PAGE ntoskrnl.exe!ObInsertObject 8056DA64 5 Bytes JMP AA50BD5C \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntoskrnl.exe!ZwReplyWaitReceivePortEx + 3CC 805766FB 4 Bytes CALL AA493335 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
PAGE ntoskrnl.exe!ZwCreateProcessEx 8058B9EC 7 Bytes JMP AA50E906 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntoskrnl.exe!ObMakeTemporaryObject 805AD1E0 5 Bytes JMP AA50A2BE \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
init C:\WINDOWS\system32\drivers\senfilt.sys entry point in "init" section [0xF805EF80]
.text win32k.sys!EngFreeUserMem + 674 BF809922 5 Bytes JMP AA495CCE \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngDeleteSurface + 45 BF813911 5 Bytes JMP AA495BDA \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngSetLastError + 783B BF824157 5 Bytes JMP AA494F60 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngCreateBitmap + F9C BF828CE9 5 Bytes JMP AA495E38 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngUnmapFontFileFD + 2C50 BF8316DA 5 Bytes JMP AA496040 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngUnmapFontFileFD + B8F2 BF83A37C 5 Bytes JMP AA495B4A \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngCopyBits + 5F35 BF857E69 5 Bytes JMP AA494FD0 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!XLATEOBJ_iXlate + 348C BF866FF4 5 Bytes JMP AA4951AC \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!XLATEOBJ_iXlate + 3517 BF86707F 5 Bytes JMP AA495352 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!XLATEOBJ_iXlate + 3F47 BF867AAF 5 Bytes JMP AA494E84 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!XLATEOBJ_iXlate + AAFC BF86E664 5 Bytes JMP AA495C04 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngUnicodeToMultiByteN + 2ED7 BF871F85 5 Bytes JMP AA495F9E \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngGetCurrentCodePage + 411E BF88C9D8 5 Bytes JMP AA49532A \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngTextOut + 4149 BF8B0CBE 5 Bytes JMP AA494E9C \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngCreatePalette + 2DBF BF8C26A3 5 Bytes JMP AA495D80 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngStretchBltROP + 450 BF8C3048 5 Bytes JMP AA49506A \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngFillPath + 1517 BF8CB4AA 5 Bytes JMP AA4950DA \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngFillPath + 1797 BF8CB72A 5 Bytes JMP AA495114 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngDeleteSemaphore + 3B3E BF8ED1B7 5 Bytes JMP AA494DB8 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngCreateClip + 19B2 BF913F1F 5 Bytes JMP AA494F1C \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngCreateClip + 2586 BF914AF3 5 Bytes JMP AA495034 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngCreateClip + 4EE5 BF917452 5 Bytes JMP AA49546C \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngPlgBlt + 1924 BF945FB0 5 Bytes JMP AA495EF6 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\SearchProtocolHost.exe[168] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\SearchProtocolHost.exe[168] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINDOWS\System32\smss.exe[396] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\Program Files\Java\jre6\bin\jqs.exe[424] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 001501F8
.text C:\Program Files\Java\jre6\bin\jqs.exe[424] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\Program Files\Java\jre6\bin\jqs.exe[424] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 001503FC
.text C:\Program Files\Java\jre6\bin\jqs.exe[424] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\Program Files\Java\jre6\bin\jqs.exe[424] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 3 Bytes JMP 003C1014
.text C:\Program Files\Java\jre6\bin\jqs.exe[424] ADVAPI32.dll!SetServiceObjectSecurity + 4 77E36D85 1 Byte [88]
.text C:\Program Files\Java\jre6\bin\jqs.exe[424] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 003C0804
.text C:\Program Files\Java\jre6\bin\jqs.exe[424] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 003C0A08
.text C:\Program Files\Java\jre6\bin\jqs.exe[424] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 003C0C0C
.text C:\Program Files\Java\jre6\bin\jqs.exe[424] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 003C0E10
.text C:\Program Files\Java\jre6\bin\jqs.exe[424] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003C01F8
.text C:\Program Files\Java\jre6\bin\jqs.exe[424] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003C03FC
.text C:\Program Files\Java\jre6\bin\jqs.exe[424] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 003C0600
.text C:\Program Files\Java\jre6\bin\jqs.exe[424] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 003D0804
.text C:\Program Files\Java\jre6\bin\jqs.exe[424] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 003D0A08
.text C:\Program Files\Java\jre6\bin\jqs.exe[424] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 003D0600
.text C:\Program Files\Java\jre6\bin\jqs.exe[424] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003D01F8
.text C:\Program Files\Java\jre6\bin\jqs.exe[424] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003D03FC
.text C:\WINDOWS\system32\csrss.exe[444] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\csrss.exe[444] KERNEL32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINDOWS\system32\winlogon.exe[468] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 000701F8
.text C:\WINDOWS\system32\winlogon.exe[468] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\winlogon.exe[468] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 000703FC
.text C:\WINDOWS\system32\winlogon.exe[468] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINDOWS\system32\winlogon.exe[468] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002E1014
.text C:\WINDOWS\system32\winlogon.exe[468] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002E0804
.text C:\WINDOWS\system32\winlogon.exe[468] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002E0A08
.text C:\WINDOWS\system32\winlogon.exe[468] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002E0C0C
.text C:\WINDOWS\system32\winlogon.exe[468] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002E0E10
.text C:\WINDOWS\system32\winlogon.exe[468] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002E01F8
.text C:\WINDOWS\system32\winlogon.exe[468] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002E03FC
.text C:\WINDOWS\system32\winlogon.exe[468] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002E0600
.text C:\WINDOWS\system32\winlogon.exe[468] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002F0804
.text C:\WINDOWS\system32\winlogon.exe[468] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002F0A08
.text C:\WINDOWS\system32\winlogon.exe[468] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002F0600
.text C:\WINDOWS\system32\winlogon.exe[468] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002F01F8
.text C:\WINDOWS\system32\winlogon.exe[468] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002F03FC
.text C:\WINDOWS\system32\services.exe[516] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 000901F8
.text C:\WINDOWS\system32\services.exe[516] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\services.exe[516] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 000903FC
.text C:\WINDOWS\system32\services.exe[516] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINDOWS\system32\services.exe[516] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002E1014
.text C:\WINDOWS\system32\services.exe[516] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002E0804
.text C:\WINDOWS\system32\services.exe[516] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002E0A08
.text C:\WINDOWS\system32\services.exe[516] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002E0C0C
.text C:\WINDOWS\system32\services.exe[516] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002E0E10
.text C:\WINDOWS\system32\services.exe[516] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002E01F8
.text C:\WINDOWS\system32\services.exe[516] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002E03FC
.text C:\WINDOWS\system32\services.exe[516] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002E0600
.text C:\WINDOWS\system32\services.exe[516] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002F0804
.text C:\WINDOWS\system32\services.exe[516] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002F0A08
.text C:\WINDOWS\system32\services.exe[516] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002F0600
.text C:\WINDOWS\system32\services.exe[516] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002F01F8
.text C:\WINDOWS\system32\services.exe[516] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002F03FC
.text C:\WINDOWS\system32\lsass.exe[528] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 000901F8
.text C:\WINDOWS\system32\lsass.exe[528] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\lsass.exe[528] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 000903FC
.text C:\WINDOWS\system32\lsass.exe[528] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINDOWS\system32\lsass.exe[528] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002E1014
.text C:\WINDOWS\system32\lsass.exe[528] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002E0804
.text C:\WINDOWS\system32\lsass.exe[528] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002E0A08
.text C:\WINDOWS\system32\lsass.exe[528] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002E0C0C
.text C:\WINDOWS\system32\lsass.exe[528] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002E0E10
.text C:\WINDOWS\system32\lsass.exe[528] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002E01F8
.text C:\WINDOWS\system32\lsass.exe[528] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002E03FC
.text C:\WINDOWS\system32\lsass.exe[528] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002E0600
.text C:\WINDOWS\system32\lsass.exe[528] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002F0804
.text C:\WINDOWS\system32\lsass.exe[528] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002F0A08
.text C:\WINDOWS\system32\lsass.exe[528] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002F0600
.text C:\WINDOWS\system32\lsass.exe[528] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002F01F8
.text C:\WINDOWS\system32\lsass.exe[528] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002F03FC
.text C:\WINDOWS\system32\svchost.exe[688] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 000901F8
.text C:\WINDOWS\system32\svchost.exe[688] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[688] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 000903FC
.text C:\WINDOWS\system32\svchost.exe[688] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[688] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 00301014
.text C:\WINDOWS\system32\svchost.exe[688] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 00300804
.text C:\WINDOWS\system32\svchost.exe[688] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 00300A08
.text C:\WINDOWS\system32\svchost.exe[688] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 00300C0C
.text C:\WINDOWS\system32\svchost.exe[688] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 00300E10
.text C:\WINDOWS\system32\svchost.exe[688] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003001F8
.text C:\WINDOWS\system32\svchost.exe[688] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003003FC
.text C:\WINDOWS\system32\svchost.exe[688] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 00300600
.text C:\WINDOWS\system32\svchost.exe[688] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 00310804
.text C:\WINDOWS\system32\svchost.exe[688] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 00310A08
.text C:\WINDOWS\system32\svchost.exe[688] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00310600
.text C:\WINDOWS\system32\svchost.exe[688] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003101F8
.text C:\WINDOWS\system32\svchost.exe[688] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003103FC
.text C:\WINDOWS\system32\svchost.exe[756] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 000901F8
.text C:\WINDOWS\system32\svchost.exe[756] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[756] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 000903FC
.text C:\WINDOWS\system32\svchost.exe[756] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[756] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 00301014
.text C:\WINDOWS\system32\svchost.exe[756] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 00300804
.text C:\WINDOWS\system32\svchost.exe[756] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 00300A08
.text C:\WINDOWS\system32\svchost.exe[756] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 00300C0C
.text C:\WINDOWS\system32\svchost.exe[756] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 00300E10
.text C:\WINDOWS\system32\svchost.exe[756] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003001F8
.text C:\WINDOWS\system32\svchost.exe[756] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003003FC
.text C:\WINDOWS\system32\svchost.exe[756] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 00300600
.text C:\WINDOWS\system32\svchost.exe[756] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 00310804
.text C:\WINDOWS\system32\svchost.exe[756] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 00310A08
.text C:\WINDOWS\system32\svchost.exe[756] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00310600
.text C:\WINDOWS\system32\svchost.exe[756] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003101F8
.text C:\WINDOWS\system32\svchost.exe[756] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003103FC
.text C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe[772] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 001501F8
.text C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe[772] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe[772] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 001503FC
.text C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe[772] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe[772] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 3 Bytes JMP 003C1014
.text C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe[772] ADVAPI32.dll!SetServiceObjectSecurity + 4 77E36D85 1 Byte [88]
.text C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe[772] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 003C0804
.text C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe[772] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 003C0A08
.text C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe[772] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 003C0C0C
.text C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe[772] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 003C0E10
.text C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe[772] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003C01F8
.text C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe[772] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003C03FC
.text C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe[772] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 003C0600
.text C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe[772] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 007B0804
.text C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe[772] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 007B0A08
.text C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe[772] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 007B0600
.text C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe[772] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 007B01F8
.text C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe[772] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 007B03FC
.text C:\WINDOWS\System32\svchost.exe[836] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0075000A
.text C:\WINDOWS\System32\svchost.exe[836] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00C3000A
.text C:\WINDOWS\System32\svchost.exe[836] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0074000C
.text C:\WINDOWS\System32\svchost.exe[836] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 00301014
.text C:\WINDOWS\System32\svchost.exe[836] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 00300804
.text C:\WINDOWS\System32\svchost.exe[836] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 00300A08
.text C:\WINDOWS\System32\svchost.exe[836] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 00300C0C
.text C:\WINDOWS\System32\svchost.exe[836] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 00300E10
.text C:\WINDOWS\System32\svchost.exe[836] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003001F8
.text C:\WINDOWS\System32\svchost.exe[836] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003003FC
.text C:\WINDOWS\System32\svchost.exe[836] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 00300600
.text C:\WINDOWS\System32\svchost.exe[836] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 00310804
.text C:\WINDOWS\System32\svchost.exe[836] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 00310A08
.text C:\WINDOWS\System32\svchost.exe[836] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00310600
.text C:\WINDOWS\System32\svchost.exe[836] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003101F8
.text C:\WINDOWS\System32\svchost.exe[836] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003103FC
.text C:\WINDOWS\system32\svchost.exe[904] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 000901F8
.text C:\WINDOWS\system32\svchost.exe[904] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[904] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 000903FC
.text C:\WINDOWS\system32\svchost.exe[904] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[904] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 00301014
.text C:\WINDOWS\system32\svchost.exe[904] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 00300804
.text C:\WINDOWS\system32\svchost.exe[904] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 00300A08
.text C:\WINDOWS\system32\svchost.exe[904] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 00300C0C
.text C:\WINDOWS\system32\svchost.exe[904] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 00300E10
.text C:\WINDOWS\system32\svchost.exe[904] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003001F8
.text C:\WINDOWS\system32\svchost.exe[904] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003003FC
.text C:\WINDOWS\system32\svchost.exe[904] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 00300600
.text C:\WINDOWS\system32\svchost.exe[904] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 00310804
.text C:\WINDOWS\system32\svchost.exe[904] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 00310A08
.text C:\WINDOWS\system32\svchost.exe[904] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00310600
.text C:\WINDOWS\system32\svchost.exe[904] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003101F8
.text C:\WINDOWS\system32\svchost.exe[904] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003103FC
.text C:\WINDOWS\system32\svchost.exe[1000] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 000901F8
.text C:\WINDOWS\system32\svchost.exe[1000] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[1000] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 000903FC
.text C:\WINDOWS\system32\svchost.exe[1000] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[1000] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 00301014
.text C:\WINDOWS\system32\svchost.exe[1000] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 00300804
.text C:\WINDOWS\system32\svchost.exe[1000] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 00300A08
.text C:\WINDOWS\system32\svchost.exe[1000] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 00300C0C
.text C:\WINDOWS\system32\svchost.exe[1000] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 00300E10
.text C:\WINDOWS\system32\svchost.exe[1000] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003001F8
.text C:\WINDOWS\system32\svchost.exe[1000] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003003FC
.text C:\WINDOWS\system32\svchost.exe[1000] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 00300600
.text C:\WINDOWS\system32\svchost.exe[1000] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 00310804
.text C:\WINDOWS\system32\svchost.exe[1000] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 00310A08
.text C:\WINDOWS\system32\svchost.exe[1000] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00310600
.text C:\WINDOWS\system32\svchost.exe[1000] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003101F8
.text C:\WINDOWS\system32\svchost.exe[1000] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003103FC
.text C:\WINDOWS\system32\svchost.exe[1052] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 000901F8
.text C:\WINDOWS\system32\svchost.exe[1052] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[1052] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 000903FC
.text C:\WINDOWS\system32\svchost.exe[1052] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[1052] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 00301014
.text C:\WINDOWS\system32\svchost.exe[1052] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 00300804
.text C:\WINDOWS\system32\svchost.exe[1052] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 00300A08
.text C:\WINDOWS\system32\svchost.exe[1052] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 00300C0C
.text C:\WINDOWS\system32\svchost.exe[1052] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 00300E10
.text C:\WINDOWS\system32\svchost.exe[1052] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003001F8
.text C:\WINDOWS\system32\svchost.exe[1052] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003003FC
.text C:\WINDOWS\system32\svchost.exe[1052] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 00300600
.text C:\WINDOWS\system32\svchost.exe[1052] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 00310804
.text C:\WINDOWS\system32\svchost.exe[1052] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 00310A08
.text C:\WINDOWS\system32\svchost.exe[1052] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00310600
.text C:\WINDOWS\system32\svchost.exe[1052] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003101F8
.text C:\WINDOWS\system32\svchost.exe[1052] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003103FC
.text C:\Program Files\iPod\bin\iPodService.exe[1096] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 001501F8
.text C:\Program Files\iPod\bin\iPodService.exe[1096] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\Program Files\iPod\bin\iPodService.exe[1096] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 001503FC
.text C:\Program Files\iPod\bin\iPodService.exe[1096] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\Program Files\iPod\bin\iPodService.exe[1096] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 3 Bytes JMP 003C1014
.text C:\Program Files\iPod\bin\iPodService.exe[1096] ADVAPI32.dll!SetServiceObjectSecurity + 4 77E36D85 1 Byte [88]
.text C:\Program Files\iPod\bin\iPodService.exe[1096] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 003C0804
.text C:\Program Files\iPod\bin\iPodService.exe[1096] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 003C0A08
.text C:\Program Files\iPod\bin\iPodService.exe[1096] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 003C0C0C
.text C:\Program Files\iPod\bin\iPodService.exe[1096] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 003C0E10
.text C:\Program Files\iPod\bin\iPodService.exe[1096] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003C01F8
.text C:\Program Files\iPod\bin\iPodService.exe[1096] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003C03FC
.text C:\Program Files\iPod\bin\iPodService.exe[1096] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 003C0600
.text C:\Program Files\iPod\bin\iPodService.exe[1096] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 003D0804
.text C:\Program Files\iPod\bin\iPodService.exe[1096] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 003D0A08
.text C:\Program Files\iPod\bin\iPodService.exe[1096] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 003D0600
.text C:\Program Files\iPod\bin\iPodService.exe[1096] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003D01F8
.text C:\Program Files\iPod\bin\iPodService.exe[1096] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003D03FC
.text C:\WINDOWS\system32\svchost.exe[1100] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 000901F8
.text C:\WINDOWS\system32\svchost.exe[1100] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[1100] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 000903FC
.text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[1100] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 00301014
.text C:\WINDOWS\system32\svchost.exe[1100] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 00300804
.text C:\WINDOWS\system32\svchost.exe[1100] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 00300A08
.text C:\WINDOWS\system32\svchost.exe[1100] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 00300C0C
.text C:\WINDOWS\system32\svchost.exe[1100] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 00300E10
.text C:\WINDOWS\system32\svchost.exe[1100] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003001F8
.text C:\WINDOWS\system32\svchost.exe[1100] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003003FC
.text C:\WINDOWS\system32\svchost.exe[1100] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 00300600
.text C:\WINDOWS\system32\svchost.exe[1100] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 00310804
.text C:\WINDOWS\system32\svchost.exe[1100] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 00310A08
.text C:\WINDOWS\system32\svchost.exe[1100] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00310600
.text C:\WINDOWS\system32\svchost.exe[1100] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003101F8
.text C:\WINDOWS\system32\svchost.exe[1100] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003103FC
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1140] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 001501F8
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1140] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1140] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 001503FC
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1140] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1140] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 3 Bytes JMP 003C1014
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1140] ADVAPI32.dll!SetServiceObjectSecurity + 4 77E36D85 1 Byte [88]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1140] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 003C0804
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1140] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 003C0A08
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1140] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 003C0C0C
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1140] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 003C0E10
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1140] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003C01F8
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1140] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003C03FC
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1140] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 003C0600
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1140] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 003D0804
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1140] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 003D0A08
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1140] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 003D0600
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1140] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003D01F8
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1140] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003D03FC
.text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1220] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1220] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 4 Bytes [C2, 04, 00, 90] {RET 0x4; NOP }
.text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1220] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\Program Files\Bonjour\mDNSResponder.exe[1288] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 001501F8
.text C:\Program Files\Bonjour\mDNSResponder.exe[1288] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\Program Files\Bonjour\mDNSResponder.exe[1288] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 001503FC
.text C:\Program Files\Bonjour\mDNSResponder.exe[1288] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\Program Files\Bonjour\mDNSResponder.exe[1288] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 3 Bytes JMP 003C1014
.text C:\Program Files\Bonjour\mDNSResponder.exe[1288] ADVAPI32.dll!SetServiceObjectSecurity + 4 77E36D85 1 Byte [88]
.text C:\Program Files\Bonjour\mDNSResponder.exe[1288] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 003C0804
.text C:\Program Files\Bonjour\mDNSResponder.exe[1288] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 003C0A08
.text C:\Program Files\Bonjour\mDNSResponder.exe[1288] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 003C0C0C
.text C:\Program Files\Bonjour\mDNSResponder.exe[1288] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 003C0E10
.text C:\Program Files\Bonjour\mDNSResponder.exe[1288] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003C01F8
.text C:\Program Files\Bonjour\mDNSResponder.exe[1288] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003C03FC
.text C:\Program Files\Bonjour\mDNSResponder.exe[1288] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 003C0600
.text C:\Program Files\Bonjour\mDNSResponder.exe[1288] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 003D0804
.text C:\Program Files\Bonjour\mDNSResponder.exe[1288] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 003D0A08
.text C:\Program Files\Bonjour\mDNSResponder.exe[1288] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 003D0600
.text C:\Program Files\Bonjour\mDNSResponder.exe[1288] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003D01F8
.text C:\Program Files\Bonjour\mDNSResponder.exe[1288] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003D03FC
.text C:\WINDOWS\System32\svchost.exe[1316] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 000901F8
.text C:\WINDOWS\System32\svchost.exe[1316] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\System32\svchost.exe[1316] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 000903FC
.text C:\WINDOWS\System32\svchost.exe[1316] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINDOWS\System32\svchost.exe[1316] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 00301014
.text C:\WINDOWS\System32\svchost.exe[1316] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 00300804
.text C:\WINDOWS\System32\svchost.exe[1316] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 00300A08
.text C:\WINDOWS\System32\svchost.exe[1316] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 00300C0C
.text C:\WINDOWS\System32\svchost.exe[1316] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 00300E10
.text C:\WINDOWS\System32\svchost.exe[1316] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003001F8
.text C:\WINDOWS\System32\svchost.exe[1316] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003003FC
.text C:\WINDOWS\System32\svchost.exe[1316] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 00300600
.text C:\WINDOWS\System32\svchost.exe[1316] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 00310804
.text C:\WINDOWS\System32\svchost.exe[1316] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 00310A08
.text C:\WINDOWS\System32\svchost.exe[1316] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00310600
.text C:\WINDOWS\System32\svchost.exe[1316] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003101F8
.text C:\WINDOWS\System32\svchost.exe[1316] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003103FC
.text C:\WINDOWS\system32\SearchIndexer.exe[1484] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 000D01F8
.text C:\WINDOWS\system32\SearchIndexer.exe[1484] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\SearchIndexer.exe[1484] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 000D03FC
.text C:\WINDOWS\system32\SearchIndexer.exe[1484] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)
.text C:\WINDOWS\system32\SearchIndexer.exe[1484] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINDOWS\system32\SearchIndexer.exe[1484] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 00341014
.text C:\WINDOWS\system32\SearchIndexer.exe[1484] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 00340804
.text C:\WINDOWS\system32\SearchIndexer.exe[1484] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 00340A08
.text C:\WINDOWS\system32\SearchIndexer.exe[1484] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 00340C0C
.text C:\WINDOWS\system32\SearchIndexer.exe[1484] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 00340E10
.text C:\WINDOWS\system32\SearchIndexer.exe[1484] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003401F8
.text C:\WINDOWS\system32\SearchIndexer.exe[1484] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003403FC
.text C:\WINDOWS\system32\SearchIndexer.exe[1484] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 00340600
.text C:\WINDOWS\system32\SearchIndexer.exe[1484] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 00350804
.text C:\WINDOWS\system32\SearchIndexer.exe[1484] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 00350A08
.text C:\WINDOWS\system32\SearchIndexer.exe[1484] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00350600
.text C:\WINDOWS\system32\SearchIndexer.exe[1484] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003501F8
.text C:\WINDOWS\system32\SearchIndexer.exe[1484] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003503FC
.text C:\WINDOWS\Explorer.EXE[1544] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00E4000A
.text C:\WINDOWS\Explorer.EXE[1544] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00E5000A
.text C:\WINDOWS\Explorer.EXE[1544] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00D3000C
.text C:\WINDOWS\Explorer.EXE[1544] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 00361014
.text C:\WINDOWS\Explorer.EXE[1544] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 00360804
.text C:\WINDOWS\Explorer.EXE[1544] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 00360A08
.text C:\WINDOWS\Explorer.EXE[1544] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 00360C0C
.text C:\WINDOWS\Explorer.EXE[1544] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 00360E10
.text C:\WINDOWS\Explorer.EXE[1544] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003601F8
.text C:\WINDOWS\Explorer.EXE[1544] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003603FC
.text C:\WINDOWS\Explorer.EXE[1544] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 00360600
.text C:\WINDOWS\Explorer.EXE[1544] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 00370804
.text C:\WINDOWS\Explorer.EXE[1544] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 00370A08
.text C:\WINDOWS\Explorer.EXE[1544] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00370600
.text C:\WINDOWS\Explorer.EXE[1544] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003701F8
.text C:\WINDOWS\Explorer.EXE[1544] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003703FC
.text C:\WINDOWS\Explorer.EXE[1544] SHELL32.dll!SHFileOperationW 7CA708A0 5 Bytes JMP 01861102 C:\Program Files\Unlocker\UnlockerHook.dll
.text C:\Program Files\Flip Video\FlipShare\FlipShareService.exe[1560] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 001501F8
.text C:\Program Files\Flip Video\FlipShare\FlipShareService.exe[1560] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\Program Files\Flip Video\FlipShare\FlipShareService.exe[1560] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 001503FC
.text C:\Program Files\Flip Video\FlipShare\FlipShareService.exe[1560] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\Program Files\Flip Video\FlipShare\FlipShareService.exe[1560] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 01561014
.text C:\Program Files\Flip Video\FlipShare\FlipShareService.exe[1560] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 01560804
.text C:\Program Files\Flip Video\FlipShare\FlipShareService.exe[1560] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 01560A08
.text C:\Program Files\Flip Video\FlipShare\FlipShareService.exe[1560] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 01560C0C
.text C:\Program Files\Flip Video\FlipShare\FlipShareService.exe[1560] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 01560E10
.text C:\Program Files\Flip Video\FlipShare\FlipShareService.exe[1560] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 015601F8
.text C:\Program Files\Flip Video\FlipShare\FlipShareService.exe[1560] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 015603FC
.text C:\Program Files\Flip Video\FlipShare\FlipShareService.exe[1560] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 01560600
.text C:\Program Files\Flip Video\FlipShare\FlipShareService.exe[1560] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 01570804
.text C:\Program Files\Flip Video\FlipShare\FlipShareService.exe[1560] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 01570A08
.text C:\Program Files\Flip Video\FlipShare\FlipShareService.exe[1560] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 01570600
.text C:\Program Files\Flip Video\FlipShare\FlipShareService.exe[1560] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 015701F8
.text C:\Program Files\Flip Video\FlipShare\FlipShareService.exe[1560] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 015703FC
.text C:\Program Files\Flip Video\FlipShareServer\FlipShareServer.exe[1832] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 001501F8
.text C:\Program Files\Flip Video\FlipShareServer\FlipShareServer.exe[1832] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\Program Files\Flip Video\FlipShareServer\FlipShareServer.exe[1832] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 001503FC
.text C:\Program Files\Flip Video\FlipShareServer\FlipShareServer.exe[1832] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\Program Files\Flip Video\FlipShareServer\FlipShareServer.exe[1832] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 009F0804
.text C:\Program Files\Flip Video\FlipShareServer\FlipShareServer.exe[1832] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 009F0A08
.text C:\Program Files\Flip Video\FlipShareServer\FlipShareServer.exe[1832] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 009F0600
.text C:\Program Files\Flip Video\FlipShareServer\FlipShareServer.exe[1832] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 009F01F8
.text C:\Program Files\Flip Video\FlipShareServer\FlipShareServer.exe[1832] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 009F03FC
.text C:\Program Files\Flip Video\FlipShareServer\FlipShareServer.exe[1832] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 00A01014
.text C:\Program Files\Flip Video\FlipShareServer\FlipShareServer.exe[1832] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 00A00804
.text C:\Program Files\Flip Video\FlipShareServer\FlipShareServer.exe[1832] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 00A00A08
.text C:\Program Files\Flip Video\FlipShareServer\FlipShareServer.exe[1832] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 00A00C0C
.text C:\Program Files\Flip Video\FlipShareServer\FlipShareServer.exe[1832] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 00A00E10
.text C:\Program Files\Flip Video\FlipShareServer\FlipShareServer.exe[1832] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 00A001F8
.text C:\Program Files\Flip Video\FlipShareServer\FlipShareServer.exe[1832] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 00A003FC
.text C:\Program Files\Flip Video\FlipShareServer\FlipShareServer.exe[1832] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 00A00600
.text C:\WINDOWS\system32\spoolsv.exe[1960] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 000901F8
.text C:\WINDOWS\system32\spoolsv.exe[1960] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\spoolsv.exe[1960] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 000903FC
.text C:\WINDOWS\system32\spoolsv.exe[1960] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINDOWS\system32\spoolsv.exe[1960] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002E1014
.text C:\WINDOWS\system32\spoolsv.exe[1960] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002E0804
.text C:\WINDOWS\system32\spoolsv.exe[1960] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002E0A08
.text C:\WINDOWS\system32\spoolsv.exe[1960] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002E0C0C
.text C:\WINDOWS\system32\spoolsv.exe[1960] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002E0E10
.text C:\WINDOWS\system32\spoolsv.exe[1960] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002E01F8
.text C:\WINDOWS\system32\spoolsv.exe[1960] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002E03FC
.text C:\WINDOWS\system32\spoolsv.exe[1960] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002E0600
.text C:\WINDOWS\system32\spoolsv.exe[1960] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002F0804
.text C:\WINDOWS\system32\spoolsv.exe[1960] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002F0A08
.text C:\WINDOWS\system32\spoolsv.exe[1960] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002F0600
.text C:\WINDOWS\system32\spoolsv.exe[1960] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002F01F8
.text C:\WINDOWS\system32\spoolsv.exe[1960] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002F03FC
.text C:\Program Files\Zune\ZuneBusEnum.exe[2108] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 000901F8
.text C:\Program Files\Zune\ZuneBusEnum.exe[2108] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\Program Files\Zune\ZuneBusEnum.exe[2108] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 000903FC
.text C:\Program Files\Zune\ZuneBusEnum.exe[2108] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\Program Files\Zune\ZuneBusEnum.exe[2108] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 00301014
.text C:\Program Files\Zune\ZuneBusEnum.exe[2108] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 00300804
.text C:\Program Files\Zune\ZuneBusEnum.exe[2108] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 00300A08
.text C:\Program Files\Zune\ZuneBusEnum.exe[2108] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 00300C0C
.text C:\Program Files\Zune\ZuneBusEnum.exe[2108] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 00300E10
.text C:\Program Files\Zune\ZuneBusEnum.exe[2108] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003001F8
.text C:\Program Files\Zune\ZuneBusEnum.exe[2108] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003003FC
.text C:\Program Files\Zune\ZuneBusEnum.exe[2108] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 00300600
.text C:\Program Files\Zune\ZuneBusEnum.exe[2108] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 00310804
.text C:\Program Files\Zune\ZuneBusEnum.exe[2108] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 00310A08
.text C:\Program Files\Zune\ZuneBusEnum.exe[2108] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00310600
.text C:\Program Files\Zune\ZuneBusEnum.exe[2108] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003101F8
.text C:\Program Files\Zune\ZuneBusEnum.exe[2108] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003103FC
.text C:\Documents and Settings\Amy\Desktop\411nd7sc.exe[2152] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\Documents and Settings\Amy\Desktop\411nd7sc.exe[2152] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINDOWS\system32\wuauclt.exe[2200] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 02B1000A
.text C:\WINDOWS\system32\wuauclt.exe[2200] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 02B2000A
.text C:\WINDOWS\system32\wuauclt.exe[2200] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 02B0000C
.text C:\WINDOWS\system32\wuauclt.exe[2200] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 00361014
.text C:\WINDOWS\system32\wuauclt.exe[2200] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 00360804
.text C:\WINDOWS\system32\wuauclt.exe[2200] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 00360A08
.text C:\WINDOWS\system32\wuauclt.exe[2200] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 00360C0C
.text C:\WINDOWS\system32\wuauclt.exe[2200] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 00360E10
.text C:\WINDOWS\system32\wuauclt.exe[2200] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003601F8
.text C:\WINDOWS\system32\wuauclt.exe[2200] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003603FC
.text C:\WINDOWS\system32\wuauclt.exe[2200] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 00360600
.text C:\WINDOWS\system32\wuauclt.exe[2200] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 00370804
.text C:\WINDOWS\system32\wuauclt.exe[2200] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 00370A08
.text C:\WINDOWS\system32\wuauclt.exe[2200] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00370600
.text C:\WINDOWS\system32\wuauclt.exe[2200] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003701F8
.text C:\WINDOWS\system32\wuauclt.exe[2200] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003703FC
.text C:\WINDOWS\system32\wbem\unsecapp.exe[2488] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 001501F8
.text C:\WINDOWS\system32\wbem\unsecapp.exe[2488] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\wbem\unsecapp.exe[2488] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 001503FC
.text C:\WINDOWS\system32\wbem\unsecapp.exe[2488] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINDOWS\system32\wbem\unsecapp.exe[2488] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 003A1014
.text C:\WINDOWS\system32\wbem\unsecapp.exe[2488] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 003A0804
.text C:\WINDOWS\system32\wbem\unsecapp.exe[2488] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 003A0A08
.text C:\WINDOWS\system32\wbem\unsecapp.exe[2488] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 003A0C0C
.text C:\WINDOWS\system32\wbem\unsecapp.exe[2488] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 003A0E10
.text C:\WINDOWS\system32\wbem\unsecapp.exe[2488] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003A01F8
.text C:\WINDOWS\system32\wbem\unsecapp.exe[2488] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003A03FC
.text C:\WINDOWS\system32\wbem\unsecapp.exe[2488] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 003A0600
.text C:\WINDOWS\system32\wbem\unsecapp.exe[2488] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 003B0804
.text C:\WINDOWS\system32\wbem\unsecapp.exe[2488] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 003B0A08
.text C:\WINDOWS\system32\wbem\unsecapp.exe[2488] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 003B0600
.text C:\WINDOWS\system32\wbem\unsecapp.exe[2488] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003B01F8
.text C:\WINDOWS\system32\wbem\unsecapp.exe[2488] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003B03FC
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[2536] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 000901F8
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[2536] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[2536] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 000903FC
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[2536] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[2536] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002E1014
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[2536] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002E0804
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[2536] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002E0A08
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[2536] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002E0C0C
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[2536] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002E0E10
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[2536] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002E01F8
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[2536] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002E03FC
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[2536] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002E0600
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[2536] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002F0804
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[2536] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002F0A08
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[2536] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002F0600
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[2536] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002F01F8
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[2536] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002F03FC
.text C:\WINDOWS\system32\taskmgr.exe[2552] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 000A01F8
.text C:\WINDOWS\system32\taskmgr.exe[2552] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\taskmgr.exe[2552] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 000A03FC
.text C:\WINDOWS\system32\taskmgr.exe[2552] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINDOWS\system32\taskmgr.exe[2552] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002F1014
.text C:\WINDOWS\system32\taskmgr.exe[2552] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002F0804
.text C:\WINDOWS\system32\taskmgr.exe[2552] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002F0A08
.text C:\WINDOWS\system32\taskmgr.exe[2552] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002F0C0C
.text C:\WINDOWS\system32\taskmgr.exe[2552] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002F0E10
.text C:\WINDOWS\system32\taskmgr.exe[2552] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002F01F8
.text C:\WINDOWS\system32\taskmgr.exe[2552] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002F03FC
.text C:\WINDOWS\system32\taskmgr.exe[2552] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002F0600
.text C:\WINDOWS\system32\taskmgr.exe[2552] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 00300804
.text C:\WINDOWS\system32\taskmgr.exe[2552] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 00300A08
.text C:\WINDOWS\system32\taskmgr.exe[2552] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00300600
.text C:\WINDOWS\system32\taskmgr.exe[2552] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003001F8
.text C:\WINDOWS\system32\taskmgr.exe[2552] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003003FC
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[2560] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 001401F8
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[2560] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[2560] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 001403FC
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[2560] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[2560] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 003B1014
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[2560] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 003B0804
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[2560] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 003B0A08
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[2560] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 003B0C0C
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[2560] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 003B0E10
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[2560] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003B01F8
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[2560] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003B03FC
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[2560] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 003B0600
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[2560] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 003C0804
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[2560] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 003C0A08
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[2560] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 003C0600
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[2560] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003C01F8
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[2560] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003C03FC
.text C:\WINDOWS\System32\alg.exe[2880] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 000901F8
.text C:\WINDOWS\System32\alg.exe[2880] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\System32\alg.exe[2880] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 000903FC
.text C:\WINDOWS\System32\alg.exe[2880] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINDOWS\System32\alg.exe[2880] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002E0804
.text C:\WINDOWS\System32\alg.exe[2880] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002E0A08
.text C:\WINDOWS\System32\alg.exe[2880] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002E0600
.text C:\WINDOWS\System32\alg.exe[2880] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002E01F8
.text C:\WINDOWS\System32\alg.exe[2880] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002E03FC
.text C:\WINDOWS\System32\alg.exe[2880] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002F1014
.text C:\WINDOWS\System32\alg.exe[2880] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002F0804
.text C:\WINDOWS\System32\alg.exe[2880] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002F0A08
.text C:\WINDOWS\System32\alg.exe[2880] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002F0C0C
.text C:\WINDOWS\System32\alg.exe[2880] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002F0E10
.text C:\WINDOWS\System32\alg.exe[2880] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002F01F8
.text C:\WINDOWS\System32\alg.exe[2880] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002F03FC
.text C:\WINDOWS\System32\alg.exe[2880] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002F0600
.text C:\Program Files\Analog Devices\Core\smax4pnp.exe[3148] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 001501F8
.text C:\Program Files\Analog Devices\Core\smax4pnp.exe[3148] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\Program Files\Analog Devices\Core\smax4pnp.exe[3148] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 001503FC
.text C:\Program Files\Analog Devices\Core\smax4pnp.exe[3148] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\Program Files\Analog Devices\Core\smax4pnp.exe[3148] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 00571014
.text C:\Program Files\Analog Devices\Core\smax4pnp.exe[3148] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 00570804
.text C:\Program Files\Analog Devices\Core\smax4pnp.exe[3148] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 00570A08
.text C:\Program Files\Analog Devices\Core\smax4pnp.exe[3148] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 00570C0C
.text C:\Program Files\Analog Devices\Core\smax4pnp.exe[3148] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 00570E10
.text C:\Program Files\Analog Devices\Core\smax4pnp.exe[3148] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 005701F8
.text C:\Program Files\Analog Devices\Core\smax4pnp.exe[3148] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 005703FC
.text C:\Program Files\Analog Devices\Core\smax4pnp.exe[3148] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 00570600
.text C:\Program Files\Analog Devices\Core\smax4pnp.exe[3148] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 00580804
.text C:\Program Files\Analog Devices\Core\smax4pnp.exe[3148] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 00580A08
.text C:\Program Files\Analog Devices\Core\smax4pnp.exe[3148] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00580600
.text C:\Program Files\Analog Devices\Core\smax4pnp.exe[3148] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 005801F8
.text C:\Program Files\Analog Devices\Core\smax4pnp.exe[3148] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 005803FC
.text C:\Program Files\Unlocker\UnlockerAssistant.exe[3208] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 001401F8
.text C:\Program Files\Unlocker\UnlockerAssistant.exe[3208] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\Program Files\Unlocker\UnlockerAssistant.exe[3208] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 001403FC
.text C:\Program Files\Unlocker\UnlockerAssistant.exe[3208] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\Program Files\Unlocker\UnlockerAssistant.exe[3208] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 003B1014
.text C:\Program Files\Unlocker\UnlockerAssistant.exe[3208] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 003B0804
.text C:\Program Files\Unlocker\UnlockerAssistant.exe[3208] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 003B0A08
.text C:\Program Files\Unlocker\UnlockerAssistant.exe[3208] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 003B0C0C
.text C:\Program Files\Unlocker\UnlockerAssistant.exe[3208] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 003B0E10
.text C:\Program Files\Unlocker\UnlockerAssistant.exe[3208] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003B01F8
.text C:\Program Files\Unlocker\UnlockerAssistant.exe[3208] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003B03FC
.text C:\Program Files\Unlocker\UnlockerAssistant.exe[3208] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 003B0600
.text C:\Program Files\Unlocker\UnlockerAssistant.exe[3208] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 003C0804
.text C:\Program Files\Unlocker\UnlockerAssistant.exe[3208] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 003C0A08
.text C:\Program Files\Unlocker\UnlockerAssistant.exe[3208] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 003C0600
.text C:\Program Files\Unlocker\UnlockerAssistant.exe[3208] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003C01F8
.text C:\Program Files\Unlocker\UnlockerAssistant.exe[3208] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003C03FC
.text C:\Program Files\Logitech\Gaming Software\LWEMon.exe[3292] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 001501F8
.text C:\Program Files\Logitech\Gaming Software\LWEMon.exe[3292] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\Program Files\Logitech\Gaming Software\LWEMon.exe[3292] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 001503FC
.text C:\Program Files\Logitech\Gaming Software\LWEMon.exe[3292] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\Program Files\Logitech\Gaming Software\LWEMon.exe[3292] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 00450804
.text C:\Program Files\Logitech\Gaming Software\LWEMon.exe[3292] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 00450A08
.text C:\Program Files\Logitech\Gaming Software\LWEMon.exe[3292] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00450600
.text C:\Program Files\Logitech\Gaming Software\LWEMon.exe[3292] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 004501F8
.text C:\Program Files\Logitech\Gaming Software\LWEMon.exe[3292] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 004503FC
.text C:\Program Files\Logitech\Gaming Software\LWEMon.exe[3292] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 00461014
.text C:\Program Files\Logitech\Gaming Software\LWEMon.exe[3292] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 00460804
.text C:\Program Files\Logitech\Gaming Software\LWEMon.exe[3292] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 00460A08
.text C:\Program Files\Logitech\Gaming Software\LWEMon.exe[3292] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 00460C0C
.text C:\Program Files\Logitech\Gaming Software\LWEMon.exe[3292] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 00460E10
.text C:\Program Files\Logitech\Gaming Software\LWEMon.exe[3292] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 004601F8
.text C:\Program Files\Logitech\Gaming Software\LWEMon.exe[3292] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 004603FC
.text C:\Program Files\Logitech\Gaming Software\LWEMon.exe[3292] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 00460600
.text C:\WINDOWS\system32\SearchFilterHost.exe[3312] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\SearchFilterHost.exe[3312] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINDOWS\system32\hkcmd.exe[3344] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 001401F8
.text C:\WINDOWS\system32\hkcmd.exe[3344] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\hkcmd.exe[3344] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 001403FC
.text C:\WINDOWS\system32\hkcmd.exe[3344] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINDOWS\system32\hkcmd.exe[3344] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 003B0804
.text C:\WINDOWS\system32\hkcmd.exe[3344] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 003B0A08
.text C:\WINDOWS\system32\hkcmd.exe[3344] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 003B0600
.text C:\WINDOWS\system32\hkcmd.exe[3344] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003B01F8
.text C:\WINDOWS\system32\hkcmd.exe[3344] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003B03FC
.text C:\WINDOWS\system32\hkcmd.exe[3344] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 3 Bytes JMP 003C1014
.text C:\WINDOWS\system32\hkcmd.exe[3344] ADVAPI32.dll!SetServiceObjectSecurity + 4 77E36D85 1 Byte [88]
.text C:\WINDOWS\system32\hkcmd.exe[3344] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 003C0804
.text C:\WINDOWS\system32\hkcmd.exe[3344] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 003C0A08
.text C:\WINDOWS\system32\hkcmd.exe[3344] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 003C0C0C
.text C:\WINDOWS\system32\hkcmd.exe[3344] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 003C0E10
.text C:\WINDOWS\system32\hkcmd.exe[3344] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003C01F8
.text C:\WINDOWS\system32\hkcmd.exe[3344] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003C03FC
.text C:\WINDOWS\system32\hkcmd.exe[3344] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 003C0600
.text C:\WINDOWS\system32\igfxpers.exe[3352] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 001401F8
.text C:\WINDOWS\system32\igfxpers.exe[3352] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\igfxpers.exe[3352] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 001403FC
.text C:\WINDOWS\system32\igfxpers.exe[3352] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINDOWS\system32\igfxpers.exe[3352] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 003B0804
.text C:\WINDOWS\system32\igfxpers.exe[3352] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 003B0A08
.text C:\WINDOWS\system32\igfxpers.exe[3352] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 003B0600
.text C:\WINDOWS\system32\igfxpers.exe[3352] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003B01F8
.text C:\WINDOWS\system32\igfxpers.exe[3352] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003B03FC
.text C:\WINDOWS\system32\igfxpers.exe[3352] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 3 Bytes JMP 003C1014
.text C:\WINDOWS\system32\igfxpers.exe[3352] ADVAPI32.dll!SetServiceObjectSecurity + 4 77E36D85 1 Byte [88]
.text C:\WINDOWS\system32\igfxpers.exe[3352] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 003C0804
.text C:\WINDOWS\system32\igfxpers.exe[3352] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 003C0A08
.text C:\WINDOWS\system32\igfxpers.exe[3352] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 003C0C0C
.text C:\WINDOWS\system32\igfxpers.exe[3352] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 003C0E10
.text C:\WINDOWS\system32\igfxpers.exe[3352] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003C01F8
.text C:\WINDOWS\system32\igfxpers.exe[3352] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003C03FC
.text C:\WINDOWS\system32\igfxpers.exe[3352] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 003C0600
.text C:\Program Files\Zune\ZuneLauncher.exe[3372] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 000901F8
.text C:\Program Files\Zune\ZuneLauncher.exe[3372] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\Program Files\Zune\ZuneLauncher.exe[3372] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 000903FC
.text C:\Program Files\Zune\ZuneLauncher.exe[3372] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\Program Files\Zune\ZuneLauncher.exe[3372] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 00311014
.text C:\Program Files\Zune\ZuneLauncher.exe[3372] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 00310804
.text C:\Program Files\Zune\ZuneLauncher.exe[3372] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 00310A08
.text C:\Program Files\Zune\ZuneLauncher.exe[3372] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 00310C0C
.text C:\Program Files\Zune\ZuneLauncher.exe[3372] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 00310E10
.text C:\Program Files\Zune\ZuneLauncher.exe[3372] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003101F8
.text C:\Program Files\Zune\ZuneLauncher.exe[3372] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003103FC
.text C:\Program Files\Zune\ZuneLauncher.exe[3372] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 00310600
.text C:\Program Files\Zune\ZuneLauncher.exe[3372] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 00320804
.text C:\Program Files\Zune\ZuneLauncher.exe[3372] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 00320A08
.text C:\Program Files\Zune\ZuneLauncher.exe[3372] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00320600
.text C:\Program Files\Zune\ZuneLauncher.exe[3372] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003201F8
.text C:\Program Files\Zune\ZuneLauncher.exe[3372] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003203FC
.text C:\WINDOWS\system32\igfxsrvc.exe[3412] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\igfxsrvc.exe[3412] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe[3452] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 001501F8
.text C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe[3452] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe[3452] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 001503FC
.text C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe[3452] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe[3452] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 003C0804
.text C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe[3452] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 003C0A08
.text C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe[3452] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 003C0600
.text C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe[3452] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003C01F8
.text C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe[3452] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003C03FC
.text C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe[3452] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 003D1014
.text C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe[3452] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 003D0804
.text C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe[3452] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 003D0A08
.text C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe[3452] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 003D0C0C
.text C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe[3452] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 003D0E10
.text C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe[3452] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003D01F8
.text C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe[3452] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003D03FC
.text C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe[3452] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 003D0600
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3568] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 001501F8
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3568] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3568] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 001503FC
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3568] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3568] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 003D1014
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3568] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 003D0804
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3568] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 003D0A08
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3568] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 003D0C0C
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3568] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 003D0E10
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3568] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003D01F8
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3568] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003D03FC
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3568] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 003D0600
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3568] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 003E0804
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3568] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 003E0A08
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3568] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 003E0600
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3568] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003E01F8
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3568] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003E03FC
.text C:\Program Files\iTunes\iTunesHelper.exe[3628] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 001501F8
.text C:\Program Files\iTunes\iTunesHelper.exe[3628] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\Program Files\iTunes\iTunesHelper.exe[3628] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 001503FC
.text C:\Program Files\iTunes\iTunesHelper.exe[3628] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\Program Files\iTunes\iTunesHelper.exe[3628] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 3 Bytes JMP 003C1014
.text C:\Program Files\iTunes\iTunesHelper.exe[3628] ADVAPI32.dll!SetServiceObjectSecurity + 4 77E36D85 1 Byte [88]
.text C:\Program Files\iTunes\iTunesHelper.exe[3628] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 003C0804
.text C:\Program Files\iTunes\iTunesHelper.exe[3628] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 003C0A08
.text C:\Program Files\iTunes\iTunesHelper.exe[3628] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 003C0C0C
.text C:\Program Files\iTunes\iTunesHelper.exe[3628] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 003C0E10
.text C:\Program Files\iTunes\iTunesHelper.exe[3628] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003C01F8
.text C:\Program Files\iTunes\iTunesHelper.exe[3628] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003C03FC
.text C:\Program Files\iTunes\iTunesHelper.exe[3628] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 003C0600
.text C:\Program Files\iTunes\iTunesHelper.exe[3628] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 003D0804
.text C:\Program Files\iTunes\iTunesHelper.exe[3628] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 003D0A08
.text C:\Program Files\iTunes\iTunesHelper.exe[3628] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 003D0600
.text C:\Program Files\iTunes\iTunesHelper.exe[3628] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003D01F8
.text C:\Program Files\iTunes\iTunesHelper.exe[3628] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003D03FC
.text C:\Program Files\AVAST Software\Avast\avastUI.exe[3636] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\Program Files\AVAST Software\Avast\avastUI.exe[3636] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINDOWS\system32\wscntfy.exe[3708] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\wscntfy.exe[3708] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINDOWS\system32\ctfmon.exe[3752] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 000A01F8
.text C:\WINDOWS\system32\ctfmon.exe[3752] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\ctfmon.exe[3752] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 000A03FC
.text C:\WINDOWS\system32\ctfmon.exe[3752] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINDOWS\system32\ctfmon.exe[3752] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 00361014
.text C:\WINDOWS\system32\ctfmon.exe[3752] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 00360804
.text C:\WINDOWS\system32\ctfmon.exe[3752] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 00360A08
.text C:\WINDOWS\system32\ctfmon.exe[3752] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 00360C0C
.text C:\WINDOWS\system32\ctfmon.exe[3752] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 00360E10
.text C:\WINDOWS\system32\ctfmon.exe[3752] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003601F8
.text C:\WINDOWS\system32\ctfmon.exe[3752] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003603FC
.text C:\WINDOWS\system32\ctfmon.exe[3752] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 00360600
.text C:\WINDOWS\system32\ctfmon.exe[3752] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 00370804
.text C:\WINDOWS\system32\ctfmon.exe[3752] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 00370A08
.text C:\WINDOWS\system32\ctfmon.exe[3752] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00370600
.text C:\WINDOWS\system32\ctfmon.exe[3752] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003701F8
.text C:\WINDOWS\system32\ctfmon.exe[3752] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003703FC

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\system32\services.exe[516] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00610002
IAT C:\WINDOWS\system32\services.exe[516] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 00610000

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/AVAST Software)

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 8234931B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 8234931B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP0T0L0-4 8234931B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP0T1L0-c 8234931B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP1T0L0-17 8234931B

AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk1\DR1 TDL4@MBR code has been found <-- ROOTKIT !!!
Disk \Device\Harddisk1\DR1 sector 00: rootkit-like behavior

---- EOF - GMER 1.0.15 ----

=========================================================================================

aswMBR version 0.9.7.675 Copyright© 2011 AVAST Software
Run date: 2011-07-03 10:12:31
-----------------------------
10:12:31.609 OS Version: Windows 5.1.2600 Service Pack 3
10:12:31.609 Number of processors: 2 586 0x304
10:12:31.609 ComputerName: AMYS UserName: Amy
10:12:32.312 Initialize success
10:12:33.906 AVAST engine defs: 11070300
10:12:38.546 Disk 0 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T1L0-c
10:12:38.546 Disk 0 Vendor: Maxtor_6Y160P0 YAR41BW0 Size: 156334MB BusType: 3
10:12:38.562 Disk 1 (boot) \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP1T0L0-17
10:12:38.562 Disk 1 Vendor: Maxtor_6Y080M0 YAR51HW0 Size: 76293MB BusType: 3
10:12:38.562 Device \Driver\atapi -> DriverStartIo 8234931b
10:12:40.562 Disk 1 MBR read successfully
10:12:40.562 Disk 1 MBR scan
10:12:41.031 Disk 1 MBR:Alureon-G [Rtk]
10:12:41.031 Disk 1 TDL4@MBR code has been found
10:12:41.031 Disk 1 Windows XP default MBR code found via API
10:12:41.031 Disk 1 MBR hidden
10:12:41.031 Disk 1 MBR [TDL4] **ROOTKIT**
10:12:41.031 Disk 1 trace - called modules:
10:12:41.062 ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x823494d0]<<
10:12:41.062 1 nt!IofCallDriver -> \Device\Harddisk1\DR1[0x823ddab8]
10:12:41.062 3 CLASSPNP.SYS[f8584fd7] -> nt!IofCallDriver -> [0x823008b8]
10:12:41.062 \Driver\atapi[0x823ca710] -> IRP_MJ_CREATE -> 0x823494d0
10:12:41.265 AVAST engine scan C:\WINDOWS
10:19:46.765 File: C:\WINDOWS\system32\trz26.tmp TDL3 **ROOTKIT** Win32:Malware-gen
10:20:20.437 AVAST engine scan C:\Documents and Settings\Amy
10:26:59.437 AVAST engine scan C:\Documents and Settings\All Users
10:27:25.953 Scan finished successfully
10:30:30.453 Disk 1 MBR has been saved successfully to "C:\Documents and Settings\Amy\Desktop\MBR.dat"
10:30:30.453 The log file has been saved successfully to "C:\Documents and Settings\Amy\Desktop\aswMBR.txt"

=========================================================================================

.
DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_22
Run by Amy at 10:33:47 on 2011-07-03
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.502.130 [GMT -4:00]
.
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe -k bthsvc
C:\Program Files\Flip Video\FlipShare\FlipShareService.exe
C:\Program Files\Flip Video\FlipShareServer\FlipShareServer.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Zune\ZuneBusEnum.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Logitech\Gaming Software\LWEMon.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AVAST Software\Avast\avastUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/ig
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Shop to Win 11: {67d688ec-87da-4a28-bfa5-c4db8be5c9ea} - c:\program files\shop to win 11\ShoppingBHO.dll
BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
BHO: {9D425283-D487-4337-BAB6-AB8354A81457} - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: XBTB03796 Class: {fcbccb87-9224-4b8d-b117-f56d924beb18} - c:\program files\typobounty toolbar\tbcore3.dll
TB: TypoBounty ToolBar: {880ba763-29fc-d18d-da80-61b07252b067} - c:\program files\typobounty toolbar\tbcore3.dll
TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
TB: {9D425283-D487-4337-BAB6-AB8354A81457} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [DriverMax_RESTART]
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [UnlockerAssistant] "c:\program files\unlocker\UnlockerAssistant.exe" -H
mRun: [Start WingMan Profiler] c:\program files\logitech\gaming software\LWEMon.exe /noui
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [Zune Launcher] "c:\program files\zune\ZuneLauncher.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
dRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
StartupFolder: c:\docume~1\amy\startm~1\programs\startup\roller~1.lnk - c:\documents and settings\amy\local settings\temp\{c3efcf4c-629f-40b5-a97c-e1767c0621ee}\{907b4640-266b-4a21-92fb-cd1a86cd0f63}\ATR1.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: &Search - ?s=100000341&p=GRxdm2527DUS&si=PP4MDMQDH&a=Nn6V0DdNbUPLP8atu2NhYQ&n=2011021717
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {8CFCF42C-1C64-47D6-AEEC-F9D001832ED3} - hxxp://xserv.dell.com/DellDriverScanner/DellSystem.CAB
DPF: {C1F8FC10-E5DB-4112-9DBF-6C3FF728D4E3} - hxxp://support.dell.com/systemprofiler/DellSystemLite.CAB
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
TCP: Interfaces\{015CD00F-CAF9-40F5-8B1F-EC72337BF308} : DhcpNameServer = 68.87.77.134 68.87.72.134
Notify: btwdlns - btwdiw32.dll
Notify: igfxcui - igfxdev.dll
Notify: itlntfy - itlnfw32.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\amy\application data\mozilla\firefox\profiles\sr7ob710.default\
FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.3.21.57\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npnul32.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox 4.0 beta 8\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: IE View: {6e84150a-d526-41f1-a480-a67d3fed910d} - %profile%\extensions\{6e84150a-d526-41f1-a480-a67d3fed910d}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: XULRunner: {8E80A4ED-C600-4499-8D9B-832DFF130501} - c:\documents and settings\amy\local settings\application data\{8E80A4ED-C600-4499-8D9B-832DFF130501}
FF - Ext: avast! WebRep: wrc@avast.com - c:\program files\avast software\avast\webrep\FF
.
============= SERVICES / DRIVERS ===============
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-6-10 441176]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2011-6-10 307928]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2011-6-10 19544]
R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2011-6-10 42184]
R2 btwdlns;Bluetooth Services;c:\windows\system32\svchost.exe -k bthsvc [2008-4-14 14336]
R2 FlipShareServer;FlipShare Server;c:\program files\flip video\flipshareserver\FlipShareServer.exe [2010-12-15 1085440]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-7-3 366640]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\tomtom home 2\TomTomHOMEService.exe [2010-8-24 92008]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-7-3 22712]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-2-6 136176]
S2 itlperf;Intel CPU;c:\windows\system32\svchost.exe -k itlsvc [2008-4-14 14336]
S3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\windows\system32\drivers\A3AB.sys [2010-12-27 547744]
S3 avfwim;AvFw Packet Filter Miniport;c:\windows\system32\drivers\avfwim.sys --> c:\windows\system32\drivers\avfwim.sys [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-2-6 136176]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2008-4-14 14336]
S3 WMZuneComm;Zune Windows Mobile Connectivity Service;c:\program files\zune\WMZuneComm.exe [2010-11-11 268528]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2011-07-03 13:41:18 54016 ----a-w- c:\windows\system32\drivers\tvnbfuff.sys
2011-07-03 12:10:30 -------- d-----w- c:\documents and settings\amy\application data\Malwarebytes
2011-07-03 12:09:12 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-03 12:09:10 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2011-07-03 12:08:59 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-07-03 12:08:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-07-03 11:49:21 -------- d-----w- c:\windows\pss
2011-07-03 11:36:41 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-01 01:37:36 -------- d-s---w- C:\ComboFix
2011-07-01 00:13:54 -------- d-sha-r- C:\cmdcons
2011-07-01 00:06:33 98816 ----a-w- c:\windows\sed.exe
2011-07-01 00:06:33 518144 ----a-w- c:\windows\SWREG.exe
2011-07-01 00:06:33 256000 ----a-w- c:\windows\PEV.exe
2011-07-01 00:06:33 208896 ----a-w- c:\windows\MBR.exe
2011-06-30 22:04:30 -------- d-----w- c:\program files\Setup Support for ShopToWin
2011-06-30 22:03:30 218112 ----a-w- c:\windows\system32\bthsvw32.dll
2011-06-30 22:03:29 35328 ------w- c:\windows\system32\trz26.tmp
2011-06-30 22:03:28 -------- d-----w- c:\program files\Shop to Win 11
2011-06-30 22:02:59 0 ----a-w- c:\documents and settings\all users\application data\uqo.exe
2011-06-30 22:02:59 0 ----a-w- c:\documents and settings\all users\application data\nyi.exe
2011-06-30 22:02:59 0 ----a-w- c:\documents and settings\all users\application data\mbo.exe
2011-06-30 22:02:59 0 ----a-w- c:\documents and settings\all users\application data\kfv.exe
2011-06-30 22:02:59 0 ----a-w- c:\documents and settings\all users\application data\iyq.exe
2011-06-11 00:43:45 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-06-11 00:36:03 40112 ----a-w- c:\windows\avastSS.scr
2011-06-11 00:35:37 -------- d-----w- c:\program files\AVAST Software
2011-06-11 00:35:37 -------- d-----w- c:\documents and settings\all users\application data\AVAST Software
2011-06-10 02:17:32 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-06-10 02:17:32 -------- d-----w- c:\documents and settings\all users\application data\Spybot - Search & Destroy
2011-06-07 16:35:34 103864 ----a-w- c:\program files\mozilla firefox\plugins\nppdf32.dll
2011-06-07 16:35:34 103864 ----a-w- c:\program files\internet explorer\plugins\nppdf32.dll
2011-06-03 20:41:53 0 ----a-w- c:\windows\Rlayewusuyanamis.bin
2011-06-03 20:41:51 -------- d-----w- c:\documents and settings\amy\local settings\application data\{8E80A4ED-C600-4499-8D9B-832DFF130501}
.
==================== Find3M ====================
.
2011-06-30 22:24:47 0 ----a-w- c:\documents and settings\all users\application data\yjg.exe
2011-06-30 22:24:47 0 ----a-w- c:\documents and settings\all users\application data\wcf.exe
2011-06-30 22:24:47 0 ----a-w- c:\documents and settings\all users\application data\rfx.exe
2011-06-30 22:24:47 0 ----a-w- c:\documents and settings\all users\application data\rar.exe
2011-06-30 22:24:47 0 ----a-w- c:\documents and settings\all users\application data\hku.exe
2011-06-30 22:24:32 0 ----a-w- c:\documents and settings\all users\application data\vcm.exe
2011-06-30 22:24:32 0 ----a-w- c:\documents and settings\all users\application data\osk.exe
2011-06-30 22:24:32 0 ----a-w- c:\documents and settings\all users\application data\jcj.exe
2011-06-30 22:24:32 0 ----a-w- c:\documents and settings\all users\application data\gjt.exe
2011-06-30 22:24:32 0 ----a-w- c:\documents and settings\all users\application data\ctn.exe
2011-05-25 19:35:34 848 --sha-w- c:\windows\system32\KGyGaAvL.sys
2011-05-25 19:35:34 56 --sh--r- c:\windows\system32\C7416E2BB8.sys
2011-04-06 20:20:16 91424 ----a-w- c:\windows\system32\dnssd.dll
2011-04-06 20:20:16 75040 ----a-w- c:\windows\system32\jdns_sd.dll
2011-04-06 20:20:16 197920 ----a-w- c:\windows\system32\dnssdX.dll
2011-04-06 20:20:16 107808 ----a-w- c:\windows\system32\dns-sd.exe
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: Maxtor_6Y080M0 rev.YAR51HW0 -> Harddisk1\DR1 -> \Device\Ide\IdeDeviceP1T0L0-17
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x823494D0]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8234f7f0]; MOV EAX, [0x8234f86c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x8234931B
user & kernel MBR OK
.
============= FINISH: 10:37:21.57 ===============

=========================================================================================

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-06-23.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 2/24/2010 11:51:04 PM
System Uptime: 7/3/2011 9:53:12 AM (1 hours ago)
.
Motherboard: Dell Inc. | | 0G5611
Processor: Intel® Pentium® 4 CPU 2.80GHz | Microprocessor | 2793/800mhz
.
==== Disk Partitions =========================
.
A: is Removable
C: is FIXED (NTFS) - 74 GiB total, 23.095 GiB free.
D: is CDROM (UDF)
E: is FIXED (NTFS) - 153 GiB total, 36.162 GiB free.
.
==== Disabled Device Manager Items =============
.
Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Broadcom NetXtreme 57xx Gigabit Controller
Device ID: PCI\VEN_14E4&DEV_1677&SUBSYS_01791028&REV_01\4&1D7EFF9E&0&00E0
Manufacturer: Broadcom
Name: Broadcom NetXtreme 57xx Gigabit Controller
PNP Device ID: PCI\VEN_14E4&DEV_1677&SUBSYS_01791028&REV_01\4&1D7EFF9E&0&00E0
Service: b57w2k
.
Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: D-Link WDA-1320 Desktop Adapter
Device ID: PCI\VEN_168C&DEV_001A&SUBSYS_3A1D1186&REV_01\4&10416D21&0&08F0
Manufacturer: D-Link
Name: D-Link WDA-1320 Desktop Adapter #2
PNP Device ID: PCI\VEN_168C&DEV_001A&SUBSYS_3A1D1186&REV_01\4&10416D21&0&08F0
Service: A3AB
.
Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: AvFw Packet Filter Miniport
Device ID: ROOT\AV_FLTDEV9MP\0000
Manufacturer: Avira
Name: Broadcom NetXtreme 57xx Gigabit Controller - AvFw Packet Filter Miniport
PNP Device ID: ROOT\AV_FLTDEV9MP\0000
Service: avfwim
.
Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: AvFw Packet Filter Miniport
Device ID: ROOT\AV_FLTDEV9MP\0001
Manufacturer: Avira
Name: WAN Miniport (IP) - AvFw Packet Filter Miniport
PNP Device ID: ROOT\AV_FLTDEV9MP\0001
Service: avfwim
.
Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: AvFw Packet Filter Miniport
Device ID: ROOT\AV_FLTDEV9MP\0002
Manufacturer: Avira
Name: D-Link WDA-1320 Desktop Adapter - AvFw Packet Filter Miniport
PNP Device ID: ROOT\AV_FLTDEV9MP\0002
Service: avfwim
.
==== System Restore Points ===================
.
RP253: 4/4/2011 7:47:47 AM - System Checkpoint
RP254: 4/5/2011 9:13:06 AM - System Checkpoint
RP255: 4/6/2011 9:33:54 AM - System Checkpoint
RP256: 4/7/2011 7:33:10 PM - System Checkpoint
RP257: 4/9/2011 9:14:18 PM - System Checkpoint
RP258: 4/11/2011 12:20:47 PM - System Checkpoint
RP259: 4/12/2011 3:38:35 PM - System Checkpoint
RP260: 4/13/2011 2:00:18 PM - Software Distribution Service 3.0
RP261: 4/15/2011 9:59:04 AM - System Checkpoint
RP262: 4/16/2011 11:11:54 AM - System Checkpoint
RP263: 4/17/2011 12:33:01 PM - System Checkpoint
RP264: 4/18/2011 12:40:23 PM - System Checkpoint
RP265: 4/19/2011 4:31:20 PM - System Checkpoint
RP266: 4/20/2011 5:30:14 PM - System Checkpoint
RP267: 4/21/2011 7:33:47 PM - System Checkpoint
RP268: 4/22/2011 8:22:28 PM - System Checkpoint
RP269: 4/23/2011 9:10:33 PM - System Checkpoint
RP270: 4/25/2011 2:39:30 AM - System Checkpoint
RP271: 4/26/2011 6:40:25 AM - System Checkpoint
RP272: 4/27/2011 7:40:24 AM - System Checkpoint
RP273: 4/27/2011 2:00:18 PM - Software Distribution Service 3.0
RP274: 4/28/2011 2:59:44 PM - System Checkpoint
RP275: 4/29/2011 3:59:43 PM - System Checkpoint
RP276: 4/30/2011 11:42:26 PM - System Checkpoint
RP277: 5/2/2011 12:24:01 AM - System Checkpoint
RP278: 5/3/2011 2:47:57 AM - System Checkpoint
RP279: 5/4/2011 9:46:30 AM - System Checkpoint
RP280: 5/5/2011 10:04:19 AM - System Checkpoint
RP281: 5/6/2011 4:50:47 PM - System Checkpoint
RP282: 5/7/2011 8:22:41 PM - System Checkpoint
RP283: 5/8/2011 9:33:03 PM - System Checkpoint
RP284: 5/10/2011 12:48:14 AM - System Checkpoint
RP285: 5/11/2011 3:17:08 AM - System Checkpoint
RP286: 5/12/2011 3:28:19 AM - System Checkpoint
RP287: 5/12/2011 2:00:14 PM - Software Distribution Service 3.0
RP288: 5/13/2011 4:04:30 PM - System Checkpoint
RP289: 5/14/2011 11:18:34 PM - System Checkpoint
RP290: 5/16/2011 2:09:32 AM - System Checkpoint
RP291: 5/16/2011 1:27:54 PM - Installed Virus Guard - powered by BitDefender
RP292: 5/17/2011 1:37:31 PM - System Checkpoint
RP293: 5/18/2011 4:35:35 PM - System Checkpoint
RP294: 5/19/2011 5:31:09 PM - System Checkpoint
RP295: 5/20/2011 6:27:04 PM - System Checkpoint
RP296: 5/21/2011 9:14:45 PM - System Checkpoint
RP297: 5/23/2011 12:22:53 AM - System Checkpoint
RP298: 5/24/2011 12:37:39 AM - System Checkpoint
RP299: 5/25/2011 7:53:53 AM - System Checkpoint
RP300: 5/25/2011 3:13:46 PM - Installed RGSS-RTP Standard
RP301: 5/25/2011 3:15:52 PM - Installed RPGXP
RP302: 5/26/2011 3:30:37 PM - System Checkpoint
RP303: 5/27/2011 4:51:19 PM - System Checkpoint
RP304: 5/28/2011 5:38:45 PM - System Checkpoint
RP305: 5/29/2011 6:38:45 PM - System Checkpoint
RP306: 5/30/2011 9:57:22 PM - System Checkpoint
RP307: 5/31/2011 10:05:40 PM - System Checkpoint
RP308: 6/2/2011 7:49:39 AM - System Checkpoint
RP309: 6/3/2011 8:46:50 AM - System Checkpoint
RP310: 6/5/2011 7:47:31 AM - System Checkpoint
RP311: 6/10/2011 1:51:30 PM - System Checkpoint
RP312: 6/10/2011 8:35:37 PM - avast! Free Antivirus Setup
RP313: 6/12/2011 8:05:20 PM - System Checkpoint
RP314: 6/13/2011 9:10:54 PM - System Checkpoint
RP315: 6/14/2011 10:02:44 PM - System Checkpoint
RP316: 6/15/2011 11:01:39 PM - System Checkpoint
RP317: 6/19/2011 10:17:09 AM - Removed RPGXP
RP318: 6/20/2011 10:27:03 AM - System Checkpoint
RP319: 6/21/2011 10:43:11 PM - System Checkpoint
RP320: 6/22/2011 11:30:05 PM - System Checkpoint
RP321: 6/24/2011 12:30:05 AM - System Checkpoint
RP322: 6/25/2011 12:44:36 AM - System Checkpoint
RP323: 6/26/2011 1:30:18 AM - System Checkpoint
RP324: 6/27/2011 2:30:05 AM - System Checkpoint
RP325: 6/28/2011 3:26:48 AM - System Checkpoint
RP326: 6/29/2011 4:26:48 AM - System Checkpoint
RP327: 6/30/2011 5:26:48 AM - System Checkpoint
RP328: 7/1/2011 9:26:31 AM - System Checkpoint
RP329: 7/2/2011 11:06:48 AM - System Checkpoint
.
==== Installed Programs ======================
.
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.4.5
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Audacity 1.2.6
avast! Free Antivirus
Big Fish Games Client
BitTorrent
Bonjour
Buzz
Cake Mania 2
CCleaner
Color Scheme Editor
Cooking Academy 2 World Cuisine
County Fair
CSI-3 Dimensions of Murder 1.1
daHornet Version 1.34
DarkWave Studio 3.2.7
Dell Driver Download Manager
discoDSP Discovery Pro
EA Download Manager
ES DGenR8 VST 2.9.5
Farm Frenzy 2
FlipShare
GEAR 32bit Driver Installer
Google Earth Plug-in
Google Update Helper
HamsterFreeVideoConverter
Hospital Tycoon
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Format 11 SDK (KB973442)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB915800-v4)
Hotfix for Windows XP (KB932716-v2)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB979306)
IMEA Sequencer version 1.4
Intel® Graphics Media Accelerator Driver
iTunes
Java Auto Updater
Java™ 6 Update 22
LADSPA_plugins-win-0.4.15
Live 8.2.1
LiveSticks1.0.6
Logitech Gaming Software 5.10
Malwarebytes' Anti-Malware version 1.51.0.1200
MeldaProduction Free VST Effects
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2416447)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft Application Error Reporting
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft Kernel-Mode Driver Framework Feature Pack 1.9
Microsoft User-Mode Driver Framework Feature Pack 1.9
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft WinUsb 1.0
MixMeister BPM Analyzer 1.0
MixMeister Studio Demo 7.4.4
Mozilla Firefox (3.6.13)
Mozilla Firefox 5.0 (x86 en-US)
Mystery Case Files: Prime Suspects ™
Naviextras Toolbox
Naviextras Toolbox Prerequesities
OhmForce Frohmage VST2
Psycle 1.8.8
QuickTime
RGSS-RTP Standard
RollerCoaster Tycoon 3
Safari
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Windows Internet Explorer 8 (KB2416400)
Security Update for Windows Internet Explorer 8 (KB2482017)
Security Update for Windows Internet Explorer 8 (KB2497640)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Search 4 - KB963093
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479628)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485376)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2503658)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2506223)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2511455)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Setup Support for ShopToWin 1.0
Shop to Win 11
The Sims™ 2 Best of Business Collection
The Sims™ 2 Double Deluxe
Thrillville™: '07
TomTom HOME 2.7.6.2056
TomTom HOME Visual Studio Merge Modules
TypoBounty ToolBar
Unlocker 1.8.8
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Windows (KB971513)
Update for Windows Internet Explorer 8 (KB2447568)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB978506)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB898461)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Update for Windows XP (KB978207)
Virus Guard - powered by BitDefender
VLC media player 1.0.5
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 8
Windows Management Framework Core
Windows Media Format 11 runtime
Windows Media Player 11
Windows Mobile Device Updater Component
Windows Search 4.0
WinRAR archiver
Zune
Zune Language Pack (DEU)
Zune Language Pack (ESP)
Zune Language Pack (FRA)
Zune Language Pack (ITA)
Zune Language Pack (NLD)
Zune Language Pack (PTB)
Zune Language Pack (PTG)
.
==== Event Viewer Messages From Past Week ========
.
7/3/2011 8:32:00 AM, error: Service Control Manager [7000] - The MBAMService service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
7/3/2011 8:31:59 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the MBAMService service to connect.
7/3/2011 8:02:39 AM, error: Service Control Manager [7034] - The iPod Service service terminated unexpectedly. It has done this 1 time(s).
7/3/2011 8:02:39 AM, error: Service Control Manager [7034] - The FlipShare Service service terminated unexpectedly. It has done this 1 time(s).
7/3/2011 8:02:31 AM, error: Service Control Manager [7034] - The TomTomHOMEService service terminated unexpectedly. It has done this 1 time(s).
7/3/2011 8:02:31 AM, error: Service Control Manager [7031] - The FlipShare Server service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.
6/30/2011 8:49:40 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Zune Bus Enumerator service to connect.
6/30/2011 8:49:40 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the FlipShare Service service to connect.
6/30/2011 8:49:40 PM, error: Service Control Manager [7000] - The Zune Bus Enumerator service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
6/30/2011 8:49:40 PM, error: Service Control Manager [7000] - The FlipShare Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
6/30/2011 6:55:03 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
6/30/2011 6:41:44 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service MSIServer with arguments "" in order to run the server: {000C101C-0000-0000-C000-000000000046}
6/30/2011 6:31:18 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Aavmker4 aswSnx aswSP aswTdi Fips intelppm ssmdrv
6/30/2011 6:30:20 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
6/27/2011 5:23:23 PM, error: Service Control Manager [7023] - The Intel CPU service terminated with the following error: The specified module could not be found.
.
==== End Of File ===========================

#2 Broni Re: [RESOLVED] My sister win xp desktop machine badly infected

    Malware Annihilator

  • 24,883 posts
  • Joined: October 04, 2004
  • 1,860 topics
  • Age: 57
  • Skin: IPBoard wide
  • Local time: 05:56 PM
  • Zodiac:Virgo
  • Gender:Male
  • Location:Daly City, CA
  • OS:Windows Vista
  • Country:
Online
  • Time Online: 57d 9h 20m 43s

Posted 03 July 2011 - 02:56 PM

Good Morning :)

Please, observe following rules:
  • Read all of my instructions very carefully. Your mistakes during cleaning process may have very serious consequences, like unbootable computer.
  • If you're stuck, or you're not sure about certain step, always ask before doing anything else.
  • Please refrain from running tools or applying updates other than those I suggest.
  • Never run more than one scan at a time.
  • Keep updating me regarding your computer behavior, good, or bad.
  • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
  • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
  • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

===========================================================================================

Yes, it looks like a rootkit is there...

Download TDSSKiller and save it to your desktop.
  • Doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here.

Posted Image Posted Image


#3 ProblemsRBad Re: [RESOLVED] My sister win xp desktop machine badly infected

    Member

  • 161 posts
  • Joined: June 23, 2011
  • 15 topics
  • Skin: IP.Board
  • Local time: 07:56 PM
  • Zodiac:Aries
  • OS:Windows 7
  • Country:
Offline
  • Time Online: 3d 20h 16m 27s

Posted 03 July 2011 - 03:04 PM

The TDSS Killer link will not download for me. It just open and loads forever.

EDIT* I have my laptop here, I will DL TDSS Killer onto a flash drive and get in into her infected desktop.

#4 Broni Re: [RESOLVED] My sister win xp desktop machine badly infected

    Malware Annihilator

  • 24,883 posts
  • Joined: October 04, 2004
  • 1,860 topics
  • Age: 57
  • Skin: IPBoard wide
  • Local time: 05:56 PM
  • Zodiac:Virgo
  • Gender:Male
  • Location:Daly City, CA
  • OS:Windows Vista
  • Country:
Online
  • Time Online: 57d 9h 20m 43s

Posted 03 July 2011 - 03:19 PM

Very well :)
Posted Image Posted Image


#5 ProblemsRBad Re: [RESOLVED] My sister win xp desktop machine badly infected

    Member

  • 161 posts
  • Joined: June 23, 2011
  • 15 topics
  • Skin: IP.Board
  • Local time: 07:56 PM
  • Zodiac:Aries
  • OS:Windows 7
  • Country:
Offline
  • Time Online: 3d 20h 16m 27s

Posted 03 July 2011 - 03:34 PM

2011/07/03 11:27:59.0328 1256 TDSS rootkit removing tool 2.5.8.0 Jun 28 2011 19:12:16
2011/07/03 11:28:00.0515 1256 ================================================================================
2011/07/03 11:28:00.0515 1256 SystemInfo:
2011/07/03 11:28:00.0515 1256
2011/07/03 11:28:00.0515 1256 OS Version: 5.1.2600 ServicePack: 3.0
2011/07/03 11:28:00.0515 1256 Product type: Workstation
2011/07/03 11:28:00.0515 1256 ComputerName: AMYS
2011/07/03 11:28:00.0515 1256 UserName: Amy
2011/07/03 11:28:00.0515 1256 Windows directory: C:\WINDOWS
2011/07/03 11:28:00.0515 1256 System windows directory: C:\WINDOWS
2011/07/03 11:28:00.0515 1256 Processor architecture: Intel x86
2011/07/03 11:28:00.0515 1256 Number of processors: 2
2011/07/03 11:28:00.0515 1256 Page size: 0x1000
2011/07/03 11:28:00.0515 1256 Boot type: Normal boot
2011/07/03 11:28:00.0515 1256 ================================================================================
2011/07/03 11:28:07.0062 1256 Initialize success
2011/07/03 11:28:17.0062 2100 ================================================================================
2011/07/03 11:28:17.0062 2100 Scan started
2011/07/03 11:28:17.0062 2100 Mode: Manual;
2011/07/03 11:28:17.0062 2100 ================================================================================
2011/07/03 11:28:19.0437 2100 A3AB (21af8e9c727c6d7643ad497268f55bf1) C:\WINDOWS\system32\DRIVERS\A3AB.sys
2011/07/03 11:28:19.0796 2100 Aavmker4 (3f6884eff406238d39aaa892218f1df7) C:\WINDOWS\system32\drivers\Aavmker4.sys
2011/07/03 11:28:20.0187 2100 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/07/03 11:28:20.0312 2100 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2011/07/03 11:28:20.0484 2100 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2011/07/03 11:28:20.0703 2100 AFD (7618d5218f2a614672ec61a80d854a37) C:\WINDOWS\System32\drivers\afd.sys
2011/07/03 11:28:21.0203 2100 aswFsBlk (7f08d9c504b015d81a8abd75c80028c5) C:\WINDOWS\system32\drivers\aswFsBlk.sys
2011/07/03 11:28:21.0328 2100 aswMon2 (c2181ef6b54752273a0759a968c59279) C:\WINDOWS\system32\drivers\aswMon2.sys
2011/07/03 11:28:21.0453 2100 aswRdr (ac48bdd4cd5d44af33087c06d6e9511c) C:\WINDOWS\system32\drivers\aswRdr.sys
2011/07/03 11:28:21.0703 2100 aswSnx (b64134316fcd1f20e0f10ef3e65bd522) C:\WINDOWS\system32\drivers\aswSnx.sys
2011/07/03 11:28:21.0906 2100 aswSP (d6788e3211afa9951ed7a4d617f68a4f) C:\WINDOWS\system32\drivers\aswSP.sys
2011/07/03 11:28:22.0093 2100 aswTdi (4d100c45517809439c7b6dd98997fa00) C:\WINDOWS\system32\drivers\aswTdi.sys
2011/07/03 11:28:22.0156 2100 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/07/03 11:28:22.0312 2100 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/07/03 11:28:22.0484 2100 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/07/03 11:28:22.0609 2100 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/07/03 11:28:22.0859 2100 b57w2k (3a3a82ffd268bcfb7ae6a48cecf00ad9) C:\WINDOWS\system32\DRIVERS\b57xp32.sys
2011/07/03 11:28:23.0000 2100 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/07/03 11:28:23.0359 2100 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/07/03 11:28:23.0546 2100 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/07/03 11:28:23.0671 2100 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/07/03 11:28:23.0812 2100 Cdrom (4b0a100eaf5c49ef3cca8c641431eacc) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/07/03 11:28:24.0343 2100 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/07/03 11:28:24.0453 2100 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2011/07/03 11:28:25.0234 2100 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2011/07/03 11:28:25.0531 2100 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/07/03 11:28:26.0125 2100 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2011/07/03 11:28:26.0343 2100 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/07/03 11:28:26.0968 2100 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/07/03 11:28:27.0125 2100 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
2011/07/03 11:28:27.0234 2100 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2011/07/03 11:28:27.0375 2100 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2011/07/03 11:28:27.0765 2100 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
2011/07/03 11:28:27.0890 2100 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/07/03 11:28:28.0031 2100 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/07/03 11:28:28.0140 2100 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
2011/07/03 11:28:28.0250 2100 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/07/03 11:28:28.0375 2100 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2011/07/03 11:28:28.0796 2100 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/07/03 11:28:29.0000 2100 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\drivers\i8042prt.sys
2011/07/03 11:28:29.0203 2100 ialm (5a8e05f1d5c36abd58cffa111eb325ea) C:\WINDOWS\system32\DRIVERS\ialmnt5.sys
2011/07/03 11:28:29.0421 2100 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/07/03 11:28:29.0609 2100 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
2011/07/03 11:28:29.0671 2100 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2011/07/03 11:28:29.0750 2100 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
2011/07/03 11:28:29.0812 2100 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2011/07/03 11:28:29.0859 2100 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/07/03 11:28:29.0921 2100 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/07/03 11:28:30.0015 2100 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/07/03 11:28:30.0093 2100 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/07/03 11:28:30.0187 2100 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/07/03 11:28:30.0312 2100 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/07/03 11:28:30.0375 2100 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2011/07/03 11:28:30.0500 2100 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2011/07/03 11:28:30.0640 2100 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/07/03 11:28:30.0750 2100 MBAMProtector (3d2c13377763eeac0ca6fb46f57217ed) C:\WINDOWS\system32\drivers\mbam.sys
2011/07/03 11:28:31.0328 2100 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/07/03 11:28:31.0625 2100 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2011/07/03 11:28:31.0671 2100 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/07/03 11:28:31.0750 2100 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2011/07/03 11:28:31.0812 2100 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/07/03 11:28:31.0890 2100 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/07/03 11:28:32.0046 2100 MRxSmb (0ea4d8ed179b75f8afa7998ba22285ca) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/07/03 11:28:32.0140 2100 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2011/07/03 11:28:32.0203 2100 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/07/03 11:28:32.0234 2100 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/07/03 11:28:32.0265 2100 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/07/03 11:28:32.0328 2100 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/07/03 11:28:32.0406 2100 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2011/07/03 11:28:32.0500 2100 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2011/07/03 11:28:32.0625 2100 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/07/03 11:28:32.0796 2100 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/07/03 11:28:32.0906 2100 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/07/03 11:28:33.0062 2100 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/07/03 11:28:33.0156 2100 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/07/03 11:28:33.0328 2100 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/07/03 11:28:33.0531 2100 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2011/07/03 11:28:33.0750 2100 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/07/03 11:28:33.0859 2100 NuidFltr (cf7e041663119e09d2e118521ada9300) C:\WINDOWS\system32\DRIVERS\NuidFltr.sys
2011/07/03 11:28:34.0187 2100 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/07/03 11:28:34.0265 2100 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/07/03 11:28:34.0343 2100 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/07/03 11:28:34.0437 2100 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
2011/07/03 11:28:34.0546 2100 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/07/03 11:28:34.0640 2100 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/07/03 11:28:34.0734 2100 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/07/03 11:28:34.0890 2100 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\drivers\PCIIde.sys
2011/07/03 11:28:35.0000 2100 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2011/07/03 11:28:35.0343 2100 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/07/03 11:28:35.0421 2100 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/07/03 11:28:35.0515 2100 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/07/03 11:28:35.0765 2100 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/07/03 11:28:35.0859 2100 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/07/03 11:28:35.0953 2100 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/07/03 11:28:36.0015 2100 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/07/03 11:28:36.0109 2100 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/07/03 11:28:36.0187 2100 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/07/03 11:28:36.0250 2100 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2011/07/03 11:28:36.0328 2100 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/07/03 11:28:36.0468 2100 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/07/03 11:28:36.0640 2100 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/07/03 11:28:36.0750 2100 senfilt (b9c7617c1e8ab6fdff75d3c8dafcb4c8) C:\WINDOWS\system32\drivers\senfilt.sys
2011/07/03 11:28:36.0843 2100 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2011/07/03 11:28:36.0937 2100 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2011/07/03 11:28:37.0031 2100 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2011/07/03 11:28:37.0156 2100 smwdm (0066ff77aeb4ae70066f7e94d5a6d866) C:\WINDOWS\system32\drivers\smwdm.sys
2011/07/03 11:28:37.0218 2100 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2011/07/03 11:28:37.0312 2100 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/07/03 11:28:37.0390 2100 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/07/03 11:28:37.0515 2100 ssmdrv (a36ee93698802cd899f98bfd553d8185) C:\WINDOWS\system32\DRIVERS\ssmdrv.sys
2011/07/03 11:28:37.0609 2100 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/07/03 11:28:37.0671 2100 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2011/07/03 11:28:37.0843 2100 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/07/03 11:28:37.0953 2100 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/07/03 11:28:38.0093 2100 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/07/03 11:28:38.0156 2100 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/07/03 11:28:38.0218 2100 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/07/03 11:28:38.0343 2100 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2011/07/03 11:28:38.0453 2100 UnlockerDriver5 (f365fa561c3ab455d8685770d208691a) C:\Program Files\Unlocker\UnlockerDriver5.sys
2011/07/03 11:28:38.0515 2100 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2011/07/03 11:28:38.0593 2100 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2011/07/03 11:28:38.0640 2100 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/07/03 11:28:38.0750 2100 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/07/03 11:28:38.0812 2100 usbstor (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/07/03 11:28:38.0843 2100 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2011/07/03 11:28:38.0906 2100 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2011/07/03 11:28:38.0984 2100 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/07/03 11:28:39.0031 2100 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/07/03 11:28:39.0093 2100 Wdf01000 (d918617b46457b9ac28027722e30f647) C:\WINDOWS\system32\DRIVERS\Wdf01000.sys
2011/07/03 11:28:39.0187 2100 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/07/03 11:28:39.0359 2100 WinUSB (fd600b032e741eb6aab509fc630f7c42) C:\WINDOWS\system32\DRIVERS\WinUSB.sys
2011/07/03 11:28:39.0421 2100 WmBEnum (5d410936831f7fb58eff941eac3f6d3d) C:\WINDOWS\system32\drivers\WmBEnum.sys
2011/07/03 11:28:39.0515 2100 WmVirHid (6f04646bc690f8bbfc344be32a60796d) C:\WINDOWS\system32\drivers\WmVirHid.sys
2011/07/03 11:28:39.0562 2100 WmXlCore (1d6ca43d562333f4dfb40bcef2453f3a) C:\WINDOWS\system32\drivers\WmXlCore.sys
2011/07/03 11:28:39.0625 2100 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
2011/07/03 11:28:39.0703 2100 WudfPf (eaa6324f51214d2f6718977ec9ce0def) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2011/07/03 11:28:39.0750 2100 WudfRd (f91ff1e51fca30b3c3981db7d5924252) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2011/07/03 11:28:39.0812 2100 zumbus (337b9607f041b77824411750069aff2d) C:\WINDOWS\system32\DRIVERS\zumbus.sys
2011/07/03 11:28:39.0859 2100 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
2011/07/03 11:28:39.0890 2100 MBR (0x1B8) (2839639fa37b8353e792a2a30a12ced3) \Device\Harddisk1\DR1
2011/07/03 11:28:39.0906 2100 \Device\Harddisk1\DR1 - detected Rootkit.Win32.TDSS.tdl4 (0)
2011/07/03 11:28:39.0906 2100 Boot (0x1200) (66e83d5973380780728b6c5d99c4d6d0) \Device\Harddisk0\DR0\Partition0
2011/07/03 11:28:39.0921 2100 Boot (0x1200) (7b77f5a76ec588b501d161a93ab85675) \Device\Harddisk1\DR1\Partition0
2011/07/03 11:28:39.0953 2100 ================================================================================
2011/07/03 11:28:39.0953 2100 Scan finished
2011/07/03 11:28:39.0953 2100 ================================================================================
2011/07/03 11:28:39.0968 3104 Detected object count: 1
2011/07/03 11:28:39.0968 3104 Actual detected object count: 1
2011/07/03 11:28:45.0000 3104 \Device\Harddisk1\DR1 (Rootkit.Win32.TDSS.tdl4) - will be cured after reboot
2011/07/03 11:28:45.0000 3104 \Device\Harddisk1\DR1 - ok
2011/07/03 11:28:45.0000 3104 Rootkit.Win32.TDSS.tdl4(\Device\Harddisk1\DR1) - User select action: Cure
2011/07/03 11:29:10.0187 1324 Deinitialize success

#6 Broni Re: [RESOLVED] My sister win xp desktop machine badly infected

    Malware Annihilator

  • 24,883 posts
  • Joined: October 04, 2004
  • 1,860 topics
  • Age: 57
  • Skin: IPBoard wide
  • Local time: 05:56 PM
  • Zodiac:Virgo
  • Gender:Male
  • Location:Daly City, CA
  • OS:Windows Vista
  • Country:
Online
  • Time Online: 57d 9h 20m 43s

Posted 03 July 2011 - 03:36 PM

Well done :)

Please download Rootkit Unhooker from one of the following links and save it to your desktop.
In order to use this tool if you downloaded from either of the second two links, you will need to extract the RKUnhookerLE.exe file using a program capable of extracing ZIP and RAR compressed files. If you don't have an extraction program, you can download, install and use the free 7-zip utility.

  • Double-click on RKUnhookerLE.exe to start the program.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • Click the Report tab, then click Scan.
  • Check Drivers, Stealth, and uncheck the rest.
  • Click OK.
  • Wait until it's finished and then go to File > Save Report.
  • Save the report to your Desktop.
  • Copy and paste the contents of the report into your next reply.
-- Note: You may get this warning...just ignore it, click OK and continue: "Rootkit Unhooker has detected a parasite inside itself! It is recommended to remove parasite, okay?".
Posted Image Posted Image


#7 ProblemsRBad Re: [RESOLVED] My sister win xp desktop machine badly infected

    Member

  • 161 posts
  • Joined: June 23, 2011
  • 15 topics
  • Skin: IP.Board
  • Local time: 07:56 PM
  • Zodiac:Aries
  • OS:Windows 7
  • Country:
Offline
  • Time Online: 3d 20h 16m 27s

Posted 03 July 2011 - 03:41 PM

RkU Version: 3.8.389.593, Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 3)
Number of processors #2
==============================================
>Shadow
==============================================
==============================================
>Drivers
==============================================
0x804D7000 C:\WINDOWS\system32\ntoskrnl.exe 2265088 bytes (Microsoft Corporation, NT Kernel & System)
0x804D7000 PnpManager 2265088 bytes
0x804D7000 RAW 2265088 bytes
0x804D7000 WMIxWDM 2265088 bytes
0xBF800000 Win32k 1859584 bytes
0xBF800000 C:\WINDOWS\System32\win32k.sys 1859584 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0xF8292000 C:\WINDOWS\system32\DRIVERS\ialmnt5.sys 1306624 bytes (Intel Corporation, Intel Graphics Miniport Driver)
0xBF077000 C:\WINDOWS\System32\ialmdd5.DLL 929792 bytes (Intel Corporation, DirectDraw® Driver for Intel® Graphics Technology)
0xF809A000 C:\WINDOWS\system32\drivers\senfilt.sys 733184 bytes (Creative Technology Ltd., Creative WDM Audio Driver)
0xF8471000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)
0xF81D4000 C:\WINDOWS\system32\DRIVERS\A3AB.sys 548864 bytes (D-Link Corporation, Driver for D-Link Wireless Network Adapter)
0xF7F37000 C:\WINDOWS\system32\DRIVERS\Wdf01000.sys 462848 bytes (Microsoft Corporation, Kernel Mode Driver Framework Runtime)
0xAA47F000 C:\WINDOWS\System32\Drivers\aswSnx.SYS 458752 bytes (AVAST Software, avast! Virtualization Driver)
0xAA539000 C:\WINDOWS\system32\DRIVERS\mrxsmb.sys 458752 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
0xF7FA8000 C:\WINDOWS\system32\DRIVERS\update.sys 385024 bytes (Microsoft Corporation, Update Driver)
0xAA66C000 C:\WINDOWS\system32\DRIVERS\tcpip.sys 364544 bytes (Microsoft Corporation, TCP/IP Protocol Driver)
0xA9730000 C:\WINDOWS\system32\DRIVERS\srv.sys 360448 bytes (Microsoft Corporation, Server driver)
0xAA4EF000 C:\WINDOWS\System32\Drivers\aswSP.SYS 303104 bytes (AVAST Software, avast! self protection module)
0xBF15A000 C:\WINDOWS\System32\ATMFD.DLL 290816 bytes (Adobe Systems Incorporated, Windows NT OpenType/Type 1 Font Driver)
0xA928A000 C:\WINDOWS\System32\Drivers\HTTP.sys 266240 bytes (Microsoft Corporation, HTTP Protocol Stack)
0xF8194000 C:\WINDOWS\system32\drivers\smwdm.sys 262144 bytes (Analog Devices, Inc., SoundMAX Integrated Digital Audio )
0xBF042000 C:\WINDOWS\System32\ialmdev5.DLL 217088 bytes (Intel Corporation, Component GHAL Driver)
0xF802E000 C:\WINDOWS\system32\DRIVERS\rdpdr.sys 196608 bytes (Microsoft Corporation, Microsoft RDP Device redirector)
0xF85B5000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)
0xA9B70000 C:\WINDOWS\system32\DRIVERS\mrxdav.sys 184320 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)
0xF8444000 NDIS.sys 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)
0xAA5D1000 C:\WINDOWS\system32\DRIVERS\rdbss.sys 176128 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0xAA61E000 C:\WINDOWS\system32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)
0xF855F000 dmio.sys 155648 bytes (Microsoft Corp., Veritas Software, NT Disk Manager I/O Driver)
0xAA646000 C:\WINDOWS\system32\DRIVERS\ipnat.sys 155648 bytes (Microsoft Corporation, IP Network Address Translator)
0xF8170000 C:\WINDOWS\system32\drivers\portcls.sys 147456 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0xF825A000 C:\WINDOWS\system32\DRIVERS\USBPORT.SYS 147456 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0xF814D000 C:\WINDOWS\system32\drivers\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)
0xAA5FC000 C:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0xBF020000 C:\WINDOWS\System32\ialmdnt5.dll 139264 bytes (Intel Corporation, Controller Hub for Intel Graphics Driver)
0x80700000 ACPI_HAL 134400 bytes
0x80700000 C:\WINDOWS\system32\hal.dll 134400 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0xF8527000 fltMgr.sys 131072 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0xF8585000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver)
0xF842A000 Mup.sys 106496 bytes (Microsoft Corporation, Multiple UNC Provider driver)
0xF8547000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)
0xAA42E000 C:\WINDOWS\System32\Drivers\dump_atapi.sys 98304 bytes
0xAA0B8000 C:\WINDOWS\System32\Drivers\aswMon2.SYS 94208 bytes (AVAST Software, avast! File System Filter Driver for Windows XP)
0xF84FE000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0xF806F000 C:\WINDOWS\system32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
0xAA2D7000 C:\WINDOWS\system32\DRIVERS\WudfPf.sys 94208 bytes (Microsoft Corporation, Windows Driver Foundation - User-mode Driver Framework Platform Driver)
0xA9D83000 C:\WINDOWS\system32\drivers\wdmaud.sys 86016 bytes (Microsoft Corporation, MMSYSTEM Wave/Midi API mapper)
0xF8086000 C:\WINDOWS\system32\DRIVERS\parport.sys 81920 bytes (Microsoft Corporation, Parallel Port Driver)
0xF827E000 C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver)
0xAA6C5000 C:\WINDOWS\system32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver)
0xBF000000 C:\WINDOWS\System32\drivers\dxg.sys 73728 bytes (Microsoft Corporation, DirectX Graphics Driver)
0xF8515000 sr.sys 73728 bytes (Microsoft Corporation, System Restore Filesystem Filter Driver)
0xF85A4000 pci.sys 69632 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
0xF805E000 C:\WINDOWS\system32\DRIVERS\psched.sys 69632 bytes (Microsoft Corporation, MS QoS Packet Scheduler)
0xAA446000 C:\WINDOWS\System32\Drivers\Udfs.SYS 69632 bytes (Microsoft Corporation, UDF File System Driver)
0xF86A4000 C:\WINDOWS\system32\DRIVERS\cdrom.sys 65536 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
0xF8684000 C:\WINDOWS\system32\DRIVERS\serial.sys 65536 bytes (Microsoft Corporation, Serial Device Driver)
0xF8674000 C:\WINDOWS\system32\drivers\drmk.sys 61440 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
0xF86B4000 C:\WINDOWS\system32\DRIVERS\redbook.sys 61440 bytes (Microsoft Corporation, Redbook Audio Filter Driver)
0xAA27F000 C:\WINDOWS\system32\drivers\sysaudio.sys 61440 bytes (Microsoft Corporation, System Audio WDM Filter)
0xF8764000 C:\WINDOWS\system32\DRIVERS\usbhub.sys 61440 bytes (Microsoft Corporation, Default Hub Driver for USB)
0xF8714000 C:\WINDOWS\system32\drivers\WmXlCore.sys 61440 bytes (Logitech Inc., Logitech WingMan Translation Driver)
0xBF012000 C:\WINDOWS\System32\ialmrnt5.dll 57344 bytes (Intel Corporation, Controller Hub for Intel Graphics Driver)
0xF8734000 C:\WINDOWS\system32\DRIVERS\WDFLDR.SYS 57344 bytes (Microsoft Corporation, Kernel Mode Driver Framework Loader)
0xF8644000 C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS 53248 bytes (Microsoft Corporation, SCSI Class System Dll)
0xF86C4000 C:\WINDOWS\system32\DRIVERS\rasl2tp.sys 53248 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
0xF8624000 VolSnap.sys 53248 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0xF86E4000 C:\WINDOWS\system32\DRIVERS\raspptp.sys 49152 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
0xF87D4000 C:\WINDOWS\System32\Drivers\Fips.SYS 45056 bytes (Microsoft Corporation, FIPS Crypto Driver)
0xF8694000 C:\WINDOWS\system32\DRIVERS\imapi.sys 45056 bytes (Microsoft Corporation, IMAPI Kernel Driver)
0xF8614000 MountMgr.sys 45056 bytes (Microsoft Corporation, Mount Manager)
0xF86D4000 C:\WINDOWS\system32\DRIVERS\raspppoe.sys 45056 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
0xF8724000 C:\WINDOWS\system32\DRIVERS\zumbus.sys 45056 bytes (Microsoft Corporation, Zune User-Mode Bus Enumerator)
0xF87A4000 C:\WINDOWS\System32\Drivers\aswTdi.SYS 40960 bytes (AVAST Software, avast! TDI Filter Driver)
0xF8604000 isapnp.sys 40960 bytes (Microsoft Corporation, PNP ISA Bus Driver)
0xF8754000 C:\WINDOWS\System32\Drivers\NDProxy.SYS 40960 bytes (Microsoft Corporation, NDIS Proxy)
0xF8704000 C:\WINDOWS\system32\DRIVERS\termdd.sys 40960 bytes (Microsoft Corporation, Terminal Server Driver)
0xA9820000 C:\WINDOWS\System32\Drivers\BlackBox.SYS 36864 bytes (RKU Driver)
0xF8634000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver)
0xF87C4000 C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS 36864 bytes (Microsoft Corporation, Hid Class Library)
0xF8664000 C:\WINDOWS\system32\DRIVERS\intelppm.sys 36864 bytes (Microsoft Corporation, Processor Device Driver)
0xA9403000 C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys 36864 bytes (Microsoft Corporation, IP FILTER DRIVER)
0xF86F4000 C:\WINDOWS\system32\DRIVERS\msgpc.sys 36864 bytes (Microsoft Corporation, MS General Packet Classifier)
0xF87B4000 C:\WINDOWS\system32\DRIVERS\netbios.sys 36864 bytes (Microsoft Corporation, NetBIOS interface driver)
0xF89E4000 C:\WINDOWS\System32\Drivers\Npfs.SYS 32768 bytes (Microsoft Corporation, NPFS Driver)
0xF88C4000 C:\WINDOWS\system32\DRIVERS\usbccgp.sys 32768 bytes (Microsoft Corporation, USB Common Class Generic Parent Driver)
0xF88D4000 C:\WINDOWS\system32\DRIVERS\usbehci.sys 32768 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
0xF88FC000 C:\WINDOWS\system32\DRIVERS\fdc.sys 28672 bytes (Microsoft Corporation, Floppy Disk Controller Driver)
0xF89BC000 C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS 28672 bytes (Microsoft Corporation, Hid Parsing Library)
0xF8884000 C:\WINDOWS\System32\Drivers\PCIIDEX.SYS 28672 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
0xF8904000 C:\WINDOWS\System32\Drivers\Aavmker4.SYS 24576 bytes (AVAST Software, avast! Base Kernel-Mode Device Driver for Windows NT/2000/XP)
0xF8914000 C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys 24576 bytes (GEAR Software Inc., CD DVD Filter)
0xF8964000 C:\WINDOWS\system32\DRIVERS\kbdclass.sys 24576 bytes (Microsoft Corporation, Keyboard Class Driver)
0xF896C000 C:\WINDOWS\system32\DRIVERS\mouclass.sys 24576 bytes (Microsoft Corporation, Mouse Class Driver)
0xF889C000 C:\WINDOWS\system32\DRIVERS\ssmdrv.sys 24576 bytes (Avira GmbH, AVIRA SnapShot Driver)
0xF88CC000 C:\WINDOWS\system32\DRIVERS\usbuhci.sys 24576 bytes (Microsoft Corporation, UHCI USB Miniport Driver)
0xF89C4000 C:\WINDOWS\System32\drivers\vga.sys 24576 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
0xF8A04000 C:\WINDOWS\System32\Drivers\aswRdr.SYS 20480 bytes (AVAST Software, avast! TDI RDR Driver)
0xF8994000 C:\WINDOWS\system32\DRIVERS\flpydisk.sys 20480 bytes (Microsoft Corporation, Floppy Driver)
0xF89D4000 C:\WINDOWS\System32\Drivers\Msfs.SYS 20480 bytes (Microsoft Corporation, Mailslot driver)
0xF888C000 PartMgr.sys 20480 bytes (Microsoft Corporation, Partition Manager)
0xF8944000 C:\WINDOWS\system32\DRIVERS\ptilink.sys 20480 bytes (Parallel Technologies, Inc., Parallel Technologies DirectParallel IO Library)
0xF8954000 C:\WINDOWS\system32\DRIVERS\raspti.sys 20480 bytes (Microsoft Corporation, PTI DirectParallel® mini-port/call-manager driver)
0xF8934000 C:\WINDOWS\system32\DRIVERS\TDI.SYS 20480 bytes (Microsoft Corporation, TDI Wrapper)
0xF895C000 C:\WINDOWS\System32\watchdog.sys 20480 bytes (Microsoft Corporation, Watchdog Driver)
0xF800A000 C:\WINDOWS\system32\DRIVERS\kbdhid.sys 16384 bytes (Microsoft Corporation, HID Mouse Filter Driver)
0xAA5BD000 C:\WINDOWS\system32\drivers\mbam.sys 16384 bytes (Malwarebytes Corporation, Malwarebytes' Anti-Malware)
0xF8AE0000 C:\WINDOWS\system32\DRIVERS\mssmbios.sys 16384 bytes (Microsoft Corporation, System Management BIOS Driver)
0xAA2BB000 C:\WINDOWS\system32\DRIVERS\ndisuio.sys 16384 bytes (Microsoft Corporation, NDIS User mode I/O Driver)
0xF8AB0000 C:\WINDOWS\system32\DRIVERS\serenum.sys 16384 bytes (Microsoft Corporation, Serial Port Enumerator)
0xF8AE4000 C:\WINDOWS\system32\drivers\WmBEnum.sys 16384 bytes (Logitech Inc., Logitech WingMan Virtual Bus Enumerator Driver)
0xAA5B9000 C:\WINDOWS\System32\Drivers\aswFsBlk.SYS 12288 bytes (AVAST Software, avast! File System Access Blocking Driver)
0xF8A14000 C:\WINDOWS\system32\BOOTVID.dll 12288 bytes (Microsoft Corporation, VGA Boot Driver)
0xAA5C9000 C:\WINDOWS\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver)
0xF8AC4000 C:\WINDOWS\system32\DRIVERS\hidusb.sys 12288 bytes (Microsoft Corporation, USB Miniport Driver for Input Devices)
0xF801E000 C:\WINDOWS\system32\DRIVERS\mouhid.sys 12288 bytes (Microsoft Corporation, HID Mouse Filter Driver)
0xF8ABC000 C:\WINDOWS\system32\DRIVERS\ndistapi.sys 12288 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
0xF83D1000 C:\WINDOWS\system32\DRIVERS\rasacd.sys 12288 bytes (Microsoft Corporation, RAS Automatic Connection Driver)
0xA99D0000 C:\WINDOWS\system32\drivers\WmVirHid.sys 12288 bytes (Logitech Inc., Logitech WingMan Virtual Hid Device Driver)
0xF8B1E000 C:\WINDOWS\System32\Drivers\Beep.SYS 8192 bytes (Microsoft Corporation, BEEP Driver)
0xF8B0A000 dmload.sys 8192 bytes (Microsoft Corp., Veritas Software., NT Disk Manager Startup Driver)
0xF8B34000 C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS 8192 bytes
0xF8B1A000 C:\WINDOWS\System32\Drivers\Fs_Rec.SYS 8192 bytes (Microsoft Corporation, File System Recognizer Driver)
0xF8B08000 intelide.sys 8192 bytes (Microsoft Corporation, Intel PCI IDE Driver)
0xF8B04000 C:\WINDOWS\system32\KDCOM.DLL 8192 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
0xF8B22000 C:\WINDOWS\System32\Drivers\mnmdd.SYS 8192 bytes (Microsoft Corporation, Frame buffer simulator)
0xF8B24000 C:\WINDOWS\System32\Drivers\ParVdm.SYS 8192 bytes (Microsoft Corporation, VDM Parallel Driver)
0xF8B26000 C:\WINDOWS\System32\DRIVERS\RDPCDD.sys 8192 bytes (Microsoft Corporation, RDP Miniport)
0xF8B10000 C:\WINDOWS\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
0xF8B16000 C:\WINDOWS\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
0xF8B06000 C:\WINDOWS\system32\DRIVERS\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
0xF8CC2000 C:\WINDOWS\system32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver)
0xF8CBA000 C:\WINDOWS\System32\drivers\dxgthk.sys 4096 bytes (Microsoft Corporation, DirectX Graphics Driver Thunk)
0xF8D16000 C:\WINDOWS\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver)
0xF8BCC000 PCIIde.sys 4096 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)
==============================================
>Stealth
==============================================

#8 Broni Re: [RESOLVED] My sister win xp desktop machine badly infected

    Malware Annihilator

  • 24,883 posts
  • Joined: October 04, 2004
  • 1,860 topics
  • Age: 57
  • Skin: IPBoard wide
  • Local time: 05:56 PM
  • Zodiac:Virgo
  • Gender:Male
  • Location:Daly City, CA
  • OS:Windows Vista
  • Country:
Online
  • Time Online: 57d 9h 20m 43s

Posted 03 July 2011 - 03:42 PM

Perfect!

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Please, never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    NOTE1. If Combofix asks you to install Recovery Console, please allow it.
    NOTE 2. If Combofix asks you to update the program, always do so.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
  • Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt"
**Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
**Note 2 for AVG users: ComboFix will not run until AVG is uninstalled as a protective measure against the anti-virus. This is because AVG "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG first.
Use AppRemover to uninstall it: http://www.appremover.com/
We can reinstall it when we're done with CF.
**Note 3: If you receive an error "Illegal operation attempted on a registery key that has been marked for deletion", restart computer to fix the issue.



Make sure, you re-enable your security programs, when you're done with Combofix.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

NOTE.
If, for some reason, Combofix refuses to run, try one of the following:

1. Run Combofix from Safe Mode.

2. Delete Combofix file, download fresh one, but rename combofix.exe to yourname.exe BEFORE saving it to your desktop.
Do NOT run it yet.

Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

There are 4 different versions. If one of them won't run then download and try to run the other one.

Vista and Win7 users need to right click Rkill and choose Run as Administrator

You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

Rkill.com
Rkill.scr
Rkill.exe

  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • Do not reboot until instructed.
  • If the tool does not run from any of the links provided, please let me know.

Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

If normal mode still doesn't work, run BOTH tools from safe mode.

In case #2, please post BOTH logs, rKill and Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
Posted Image Posted Image


#9 ProblemsRBad Re: [RESOLVED] My sister win xp desktop machine badly infected

    Member

  • 161 posts
  • Joined: June 23, 2011
  • 15 topics
  • Skin: IP.Board
  • Local time: 07:56 PM
  • Zodiac:Aries
  • OS:Windows 7
  • Country:
Offline
  • Time Online: 3d 20h 16m 27s

Posted 03 July 2011 - 04:18 PM

ComboFix 11-07-02.03 - Amy 07/03/2011 11:50:01.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.502.246 [GMT -4:00]
Running from: c:\documents and settings\Amy\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator\WINDOWS
c:\documents and settings\All Users\Application Data\osk.exe
c:\documents and settings\Amy\WINDOWS
c:\program files\Search Toolbar
c:\program files\Search Toolbar\icon.ico
c:\program files\Search Toolbar\SearchToolbar.dll
c:\program files\Search Toolbar\SearchToolbarUninstall.exe
c:\program files\Search Toolbar\SearchToolbarUpdater.exe
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_6TO4
-------\Legacy_ITLPERF
-------\Legacy_MYWEBSEARCHSERVICE
-------\Service_itlperf
.
.
((((((((((((((((((((((((( Files Created from 2011-06-03 to 2011-07-03 )))))))))))))))))))))))))))))))
.
.
2011-07-03 13:41 . 2011-07-03 13:41 54016 ----a-w- c:\windows\system32\drivers\tvnbfuff.sys
2011-07-03 12:09 . 2011-05-29 13:11 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-03 12:09 . 2011-07-03 12:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-07-03 12:08 . 2011-07-03 12:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-07-03 12:08 . 2011-05-29 13:11 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-07-03 11:36 . 2011-07-03 11:36 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-03 03:59 . 2011-07-03 03:59 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2011-06-30 22:24 . 2011-06-30 22:24 0 ----a-w- c:\documents and settings\All Users\Application Data\yjg.exe
2011-06-30 22:24 . 2011-06-30 22:24 0 ----a-w- c:\documents and settings\All Users\Application Data\wcf.exe
2011-06-30 22:24 . 2011-06-30 22:24 0 ----a-w- c:\documents and settings\All Users\Application Data\rfx.exe
2011-06-30 22:24 . 2011-06-30 22:24 0 ----a-w- c:\documents and settings\All Users\Application Data\rar.exe
2011-06-30 22:24 . 2011-06-30 22:24 0 ----a-w- c:\documents and settings\All Users\Application Data\hku.exe
2011-06-30 22:24 . 2011-06-30 22:24 0 ----a-w- c:\documents and settings\All Users\Application Data\vcm.exe
2011-06-30 22:24 . 2011-06-30 22:24 0 ----a-w- c:\documents and settings\All Users\Application Data\jcj.exe
2011-06-30 22:24 . 2011-06-30 22:24 0 ----a-w- c:\documents and settings\All Users\Application Data\gjt.exe
2011-06-30 22:24 . 2011-06-30 22:24 0 ----a-w- c:\documents and settings\All Users\Application Data\ctn.exe
2011-06-30 22:04 . 2011-06-30 22:04 -------- d-----w- c:\program files\Setup Support for ShopToWin
2011-06-30 22:03 . 2011-06-30 22:03 218112 ----a-w- c:\windows\system32\bthsvw32.dll
2011-06-30 22:03 . 2011-06-30 22:03 35328 ------w- c:\windows\system32\trz26.tmp
2011-06-30 22:03 . 2011-06-30 22:03 -------- d-----w- c:\program files\Shop to Win 11
2011-06-30 22:02 . 2011-06-30 22:02 0 ----a-w- c:\documents and settings\NetworkService\Local Settings\Application Data\oxd.exe
2011-06-30 22:02 . 2011-06-30 22:02 0 ----a-w- c:\documents and settings\NetworkService\Local Settings\Application Data\lxe.exe
2011-06-30 22:02 . 2011-06-30 22:02 0 ----a-w- c:\documents and settings\NetworkService\Local Settings\Application Data\lvw.exe
2011-06-30 22:02 . 2011-06-30 22:02 0 ----a-w- c:\documents and settings\NetworkService\Local Settings\Application Data\ist.exe
2011-06-30 22:02 . 2011-06-30 22:02 0 ----a-w- c:\documents and settings\All Users\Application Data\uqo.exe
2011-06-30 22:02 . 2011-06-30 22:02 0 ----a-w- c:\documents and settings\All Users\Application Data\nyi.exe
2011-06-30 22:02 . 2011-06-30 22:02 0 ----a-w- c:\documents and settings\All Users\Application Data\mbo.exe
2011-06-30 22:02 . 2011-06-30 22:02 0 ----a-w- c:\documents and settings\All Users\Application Data\kfv.exe
2011-06-30 22:02 . 2011-06-30 22:02 0 ----a-w- c:\documents and settings\All Users\Application Data\iyq.exe
2011-06-12 03:59 . 2011-06-12 03:59 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Apple
2011-06-11 15:40 . 2011-07-03 16:00 -------- d-----w- c:\documents and settings\Administrator
2011-06-11 00:43 . 2011-05-10 12:03 307928 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-06-11 00:43 . 2011-05-10 11:59 19544 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-06-11 00:43 . 2011-05-10 11:59 25432 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-06-11 00:43 . 2011-05-10 12:02 49240 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-06-11 00:43 . 2011-05-10 12:03 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-06-11 00:43 . 2011-05-10 12:02 102616 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2011-06-11 00:43 . 2011-05-10 12:02 96344 ----a-w- c:\windows\system32\drivers\aswmon.sys
2011-06-11 00:43 . 2011-05-10 11:59 30808 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2011-06-11 00:36 . 2011-05-10 12:10 40112 ----a-w- c:\windows\avastSS.scr
2011-06-11 00:36 . 2011-05-10 12:10 199304 ----a-w- c:\windows\system32\aswBoot.exe
2011-06-11 00:35 . 2011-06-11 00:35 -------- d-----w- c:\program files\AVAST Software
2011-06-11 00:35 . 2011-06-11 00:35 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software
2011-06-10 02:17 . 2011-07-03 11:42 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-06-10 02:17 . 2011-07-03 11:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2011-06-08 09:38 . 2011-06-08 09:38 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2011-06-07 16:35 . 2011-06-07 16:35 103864 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
2011-06-07 16:35 . 2011-06-07 16:35 103864 ----a-w- c:\program files\Internet Explorer\Plugins\nppdf32.dll
2011-06-03 20:41 . 2011-06-10 02:09 0 ----a-w- c:\windows\Rlayewusuyanamis.bin
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-06 20:20 . 2011-04-06 20:20 91424 ----a-w- c:\windows\system32\dnssd.dll
2011-04-06 20:20 . 2011-04-06 20:20 75040 ----a-w- c:\windows\system32\jdns_sd.dll
2011-04-06 20:20 . 2011-04-06 20:20 197920 ----a-w- c:\windows\system32\dnssdX.dll
2011-04-06 20:20 . 2011-04-06 20:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{67D688EC-87DA-4A28-BFA5-C4DB8BE5C9EA}]
2011-06-30 22:03 682496 ----a-w- c:\program files\Shop to Win 11\ShoppingBHO.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{880BA763-29FC-D18D-DA80-61B07252B067}"= "c:\program files\TypoBounty ToolBar\tbcore3.dll" [2010-11-15 2543104]
.
[HKEY_CLASSES_ROOT\clsid\{880ba763-29fc-d18d-da80-61b07252b067}]
[HKEY_CLASSES_ROOT\XBTB03796.XBTB03796.3]
[HKEY_CLASSES_ROOT\TypeLib\{EC4085F2-8DB3-45a6-AD0B-CA289F3C5D7E}]
[HKEY_CLASSES_ROOT\XBTB03796.XBTB03796]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{880BA763-29FC-D18D-DA80-61B07252B067}"= "c:\program files\TypoBounty ToolBar\tbcore3.dll" [2010-11-15 2543104]
.
[HKEY_CLASSES_ROOT\clsid\{880ba763-29fc-d18d-da80-61b07252b067}]
[HKEY_CLASSES_ROOT\XBTB03796.XBTB03796.3]
[HKEY_CLASSES_ROOT\TypeLib\{EC4085F2-8DB3-45a6-AD0B-CA289F3C5D7E}]
[HKEY_CLASSES_ROOT\XBTB03796.XBTB03796]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-05-10 12:10 122512 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2009-10-26 15872]
"Start WingMan Profiler"="c:\program files\Logitech\Gaming Software\LWEMon.exe" [2010-06-14 153672]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-14 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-14 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-14 114688]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2010-11-11 159472]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-06-08 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-04-14 421160]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-05-10 3459712]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-05-29 449584]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=
"c:\\Program Files\\BitTorrent\\BitTorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
"24726:TCP"= 24726:TCP:FlipShareServer
"24727:TCP"= 24727:TCP:FlipShareServer
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [6/10/2011 8:43 PM 441176]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [6/10/2011 8:43 PM 307928]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [6/10/2011 8:43 PM 19544]
R2 btwdlns;Bluetooth Services;c:\windows\System32\svchost.exe -k bthsvc [4/14/2008 8:00 AM 14336]
R2 FlipShareServer;FlipShare Server;c:\program files\Flip Video\FlipShareServer\FlipShareServer.exe [12/15/2010 1:22 PM 1085440]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [7/3/2011 8:09 AM 366640]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [8/24/2010 5:38 AM 92008]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [7/3/2011 8:08 AM 22712]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 2:16 PM 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/6/2011 1:25 AM 136176]
S3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\windows\system32\drivers\A3AB.sys [12/27/2010 12:19 AM 547744]
S3 avfwim;AvFw Packet Filter Miniport;c:\windows\system32\DRIVERS\avfwim.sys --> c:\windows\system32\DRIVERS\avfwim.sys [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2/6/2011 1:25 AM 136176]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [4/14/2008 8:00 AM 14336]
S3 WMZuneComm;Zune Windows Mobile Connectivity Service;c:\program files\Zune\WMZuneComm.exe [11/11/2010 2:57 PM 268528]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 2:16 PM 753504]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
bthsvc REG_MULTI_SZ btwdlns
.
Contents of the 'Scheduled Tasks' folder
.
2011-07-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 16:50]
.
2011-07-03 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-02-06 05:25]
.
2011-07-03 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-02-06 05:25]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/ig
uInternet Settings,ProxyOverride = *.local
FF - ProfilePath - c:\documents and settings\Amy\Application Data\Mozilla\Firefox\Profiles\sr7ob710.default\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox 4.0 Beta 8\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: IE View: {6e84150a-d526-41f1-a480-a67d3fed910d} - %profile%\extensions\{6e84150a-d526-41f1-a480-a67d3fed910d}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: XULRunner: {8E80A4ED-C600-4499-8D9B-832DFF130501} - c:\documents and settings\Amy\Local Settings\Application Data\{8E80A4ED-C600-4499-8D9B-832DFF130501}
FF - Ext: avast! WebRep: wrc@avast.com - c:\program files\AVAST Software\Avast\WebRep\FF
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-DriverMax_RESTART - (no file)
Notify-btwdlns - btwdiw32.dll
Notify-itlntfy - itlnfw32.dll
Notify-SNCv - (no file)
SafeBoot-WudfPf
SafeBoot-WudfRd
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-07-03 12:05
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1645522239-1682526488-1644491937-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:0f,bb,1e,bb,69,f8,a9,83,e9,51,fd,c1,a6,d3,da,f5,9f,f2,85,da,52,12,3e,
58,9e,91,f5,84,5f,bb,f9,22,53,68,27,14,2e,bc,98,ea,ac,54,51,e1,11,03,75,01,\
"??"=hex:2c,0c,93,38,8c,f8,ed,12,85,b4,ff,4a,d5,1a,0d,a1
.
[HKEY_USERS\S-1-5-21-1645522239-1682526488-1644491937-1003\Software\SecuROM\License information*]
"datasecu"=hex:50,4b,ea,4b,c7,85,9c,c7,b8,18,a1,7f,74,d9,09,91,c0,55,f1,07,ef,
c1,d9,4b,58,70,f1,6e,65,7a,08,92,ff,f0,50,ad,18,29,50,c3,fd,02,03,5b,a2,1d,\
"rkeysecu"=hex:14,9c,c9,a1,ec,c3,8a,03,1d,6a,22,d3,24,2e,8b,b5
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2920)
c:\windows\system32\WININET.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\IEFRAME.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVAST Software\Avast\AvastSvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Flip Video\FlipShare\FlipShareService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Zune\ZuneBusEnum.exe
c:\windows\system32\SearchIndexer.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2011-07-03 12:11:22 - machine was rebooted
ComboFix-quarantined-files.txt 2011-07-03 16:11
.
Pre-Run: 25,070,796,800 bytes free
Post-Run: 25,070,632,960 bytes free
.
- - End Of File - - 4CA42F994520E073E41F16A8B691BA26

#10 Broni Re: [RESOLVED] My sister win xp desktop machine badly infected

    Malware Annihilator

  • 24,883 posts
  • Joined: October 04, 2004
  • 1,860 topics
  • Age: 57
  • Skin: IPBoard wide
  • Local time: 05:56 PM
  • Zodiac:Virgo
  • Gender:Male
  • Location:Daly City, CA
  • OS:Windows Vista
  • Country:
Online
  • Time Online: 57d 9h 20m 43s

Posted 03 July 2011 - 04:27 PM

Uninstall Setup Support for ShopToWin 1.0, Shop to Win 11 and TypoBounty ToolBar.

1. Please open Notepad
  • Click Start , then Run
  • Type notepad .exe in the Run Box
  • Click OK
Windows Vista/7 users: click Start, in "Start search" type notepad and press Enter.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
c:\windows\system32\drivers\tvnbfuff.sys
c:\documents and settings\All Users\Application Data\ctn.exe
c:\documents and settings\All Users\Application Data\gjt.exe
c:\documents and settings\All Users\Application Data\jcj.exe
c:\documents and settings\All Users\Application Data\vcm.exe
c:\documents and settings\All Users\Application Data\hku.exe
c:\documents and settings\All Users\Application Data\rar.exe
c:\documents and settings\All Users\Application Data\rfx.exe
c:\documents and settings\All Users\Application Data\wcf.exe
c:\documents and settings\All Users\Application Data\yjg.exe
c:\documents and settings\All Users\Application Data\iyq.exe
c:\documents and settings\All Users\Application Data\kfv.exe
c:\documents and settings\All Users\Application Data\mbo.exe
c:\documents and settings\All Users\Application Data\nyi.exe
c:\documents and settings\All Users\Application Data\uqo.exe
c:\documents and settings\NetworkService\Local Settings\Application Data\ist.exe
c:\documents and settings\NetworkService\Local Settings\Application Data\lvw.exe
c:\documents and settings\NetworkService\Local Settings\Application Data\lxe.exe
c:\documents and settings\NetworkService\Local Settings\Application Data\oxd.exe
c:\windows\Rlayewusuyanamis.bin


Driver::
btwdlns


3. Save the above as CFScript.txt

4. Close/disable all anti virus and anti malware programs again, so they do not interfere with the running of ComboFix.

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt






Posted Image Posted Image


#11 ProblemsRBad Re: [RESOLVED] My sister win xp desktop machine badly infected

    Member

  • 161 posts
  • Joined: June 23, 2011
  • 15 topics
  • Skin: IP.Board
  • Local time: 07:56 PM
  • Zodiac:Aries
  • OS:Windows 7
  • Country:
Offline
  • Time Online: 3d 20h 16m 27s

Posted 03 July 2011 - 05:13 PM

ComboFix 11-07-02.03 - Amy 07/03/2011 12:42:15.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.502.201 [GMT -4:00]
Running from: c:\documents and settings\Amy\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Amy\Desktop\cfscript.txt
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
FILE ::
"c:\documents and settings\All Users\Application Data\ctn.exe"
"c:\documents and settings\All Users\Application Data\gjt.exe"
"c:\documents and settings\All Users\Application Data\hku.exe"
"c:\documents and settings\All Users\Application Data\iyq.exe"
"c:\documents and settings\All Users\Application Data\jcj.exe"
"c:\documents and settings\All Users\Application Data\kfv.exe"
"c:\documents and settings\All Users\Application Data\mbo.exe"
"c:\documents and settings\All Users\Application Data\nyi.exe"
"c:\documents and settings\All Users\Application Data\rar.exe"
"c:\documents and settings\All Users\Application Data\rfx.exe"
"c:\documents and settings\All Users\Application Data\uqo.exe"
"c:\documents and settings\All Users\Application Data\vcm.exe"
"c:\documents and settings\All Users\Application Data\wcf.exe"
"c:\documents and settings\All Users\Application Data\yjg.exe"
"c:\documents and settings\NetworkService\Local Settings\Application Data\ist.exe"
"c:\documents and settings\NetworkService\Local Settings\Application Data\lvw.exe"
"c:\documents and settings\NetworkService\Local Settings\Application Data\lxe.exe"
"c:\documents and settings\NetworkService\Local Settings\Application Data\oxd.exe"
"c:\windows\Rlayewusuyanamis.bin"
"c:\windows\system32\drivers\tvnbfuff.sys"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\ctn.exe
c:\documents and settings\All Users\Application Data\gjt.exe
c:\documents and settings\All Users\Application Data\hku.exe
c:\documents and settings\All Users\Application Data\iyq.exe
c:\documents and settings\All Users\Application Data\jcj.exe
c:\documents and settings\All Users\Application Data\kfv.exe
c:\documents and settings\All Users\Application Data\mbo.exe
c:\documents and settings\All Users\Application Data\nyi.exe
c:\documents and settings\All Users\Application Data\rar.exe
c:\documents and settings\All Users\Application Data\rfx.exe
c:\documents and settings\All Users\Application Data\uqo.exe
c:\documents and settings\All Users\Application Data\vcm.exe
c:\documents and settings\All Users\Application Data\wcf.exe
c:\documents and settings\All Users\Application Data\yjg.exe
c:\documents and settings\Amy\Local Settings\Application Data\{8E80A4ED-C600-4499-8D9B-832DFF130501}
c:\documents and settings\Amy\Local Settings\Application Data\{8E80A4ED-C600-4499-8D9B-832DFF130501}\chrome.manifest
c:\documents and settings\Amy\Local Settings\Application Data\{8E80A4ED-C600-4499-8D9B-832DFF130501}\chrome\content\_cfg.js
c:\documents and settings\Amy\Local Settings\Application Data\{8E80A4ED-C600-4499-8D9B-832DFF130501}\chrome\content\overlay.xul
c:\documents and settings\Amy\Local Settings\Application Data\{8E80A4ED-C600-4499-8D9B-832DFF130501}\install.rdf
c:\documents and settings\NetworkService\Local Settings\Application Data\ist.exe
c:\documents and settings\NetworkService\Local Settings\Application Data\lvw.exe
c:\documents and settings\NetworkService\Local Settings\Application Data\lxe.exe
c:\documents and settings\NetworkService\Local Settings\Application Data\oxd.exe
c:\windows\Rlayewusuyanamis.bin
c:\windows\system32\drivers\tvnbfuff.sys
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_BTWDLNS
-------\Service_btwdlns
.
.
((((((((((((((((((((((((( Files Created from 2011-06-03 to 2011-07-03 )))))))))))))))))))))))))))))))
.
.
2011-07-03 12:10 . 2011-07-03 12:10 -------- d-----w- c:\documents and settings\Amy\Application Data\Malwarebytes
2011-07-03 12:09 . 2011-05-29 13:11 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-03 12:09 . 2011-07-03 12:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-07-03 12:08 . 2011-07-03 12:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-07-03 12:08 . 2011-05-29 13:11 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-07-03 11:36 . 2011-07-03 11:36 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-03 03:59 . 2011-07-03 03:59 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2011-06-30 22:24 . 2011-06-30 22:24 0 ----a-w- c:\documents and settings\Amy\Local Settings\Application Data\tnt.exe
2011-06-30 22:24 . 2011-06-30 22:24 0 ----a-w- c:\documents and settings\Amy\Local Settings\Application Data\rox.exe
2011-06-30 22:24 . 2011-06-30 22:24 0 ----a-w- c:\documents and settings\Amy\Local Settings\Application Data\pfs.exe
2011-06-30 22:24 . 2011-06-30 22:24 0 ----a-w- c:\documents and settings\Amy\Local Settings\Application Data\ocr.exe
2011-06-30 22:24 . 2011-06-30 22:24 0 ----a-w- c:\documents and settings\Amy\Local Settings\Application Data\qat.exe
2011-06-30 22:24 . 2011-06-30 22:24 0 ----a-w- c:\documents and settings\Amy\Local Settings\Application Data\ibe.exe
2011-06-30 22:24 . 2011-06-30 22:24 0 ----a-w- c:\documents and settings\Amy\Local Settings\Application Data\ecm.exe
2011-06-30 22:24 . 2011-06-30 22:24 0 ----a-w- c:\documents and settings\Amy\Local Settings\Application Data\cil.exe
2011-06-30 22:03 . 2011-06-30 22:03 218112 ----a-w- c:\windows\system32\bthsvw32.dll
2011-06-30 22:03 . 2011-06-30 22:03 35328 ------w- c:\windows\system32\trz26.tmp
2011-06-30 22:03 . 2011-07-03 16:36 -------- d-----w- c:\program files\Shop to Win 11
2011-06-12 03:59 . 2011-06-12 03:59 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Apple
2011-06-11 15:40 . 2011-07-03 16:00 -------- d-----w- c:\documents and settings\Administrator
2011-06-11 00:43 . 2011-05-10 12:03 307928 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-06-11 00:43 . 2011-05-10 11:59 19544 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-06-11 00:43 . 2011-05-10 11:59 25432 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-06-11 00:43 . 2011-05-10 12:02 49240 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-06-11 00:43 . 2011-05-10 12:03 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-06-11 00:43 . 2011-05-10 12:02 102616 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2011-06-11 00:43 . 2011-05-10 12:02 96344 ----a-w- c:\windows\system32\drivers\aswmon.sys
2011-06-11 00:43 . 2011-05-10 11:59 30808 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2011-06-11 00:36 . 2011-05-10 12:10 40112 ----a-w- c:\windows\avastSS.scr
2011-06-11 00:36 . 2011-05-10 12:10 199304 ----a-w- c:\windows\system32\aswBoot.exe
2011-06-11 00:35 . 2011-06-11 00:35 -------- d-----w- c:\program files\AVAST Software
2011-06-11 00:35 . 2011-06-11 00:35 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software
2011-06-10 02:17 . 2011-07-03 11:42 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-06-10 02:17 . 2011-07-03 11:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2011-06-08 09:38 . 2011-06-08 09:38 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2011-06-07 16:35 . 2011-06-07 16:35 103864 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
2011-06-07 16:35 . 2011-06-07 16:35 103864 ----a-w- c:\program files\Internet Explorer\Plugins\nppdf32.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-06 20:20 . 2011-04-06 20:20 91424 ----a-w- c:\windows\system32\dnssd.dll
2011-04-06 20:20 . 2011-04-06 20:20 75040 ----a-w- c:\windows\system32\jdns_sd.dll
2011-04-06 20:20 . 2011-04-06 20:20 197920 ----a-w- c:\windows\system32\dnssdX.dll
2011-04-06 20:20 . 2011-04-06 20:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
.
.
((((((((((((((((((((((((((((( SnapShot@2011-07-03_16.05.49 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-07-03 16:54 . 2011-07-03 16:54 16384 c:\windows\Temp\Perflib_Perfdata_5c4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{880BA763-29FC-D18D-DA80-61B07252B067}"= "c:\program files\TypoBounty ToolBar\tbcore3.dll" [2010-11-15 2543104]
.
[HKEY_CLASSES_ROOT\clsid\{880ba763-29fc-d18d-da80-61b07252b067}]
[HKEY_CLASSES_ROOT\XBTB03796.XBTB03796.3]
[HKEY_CLASSES_ROOT\TypeLib\{EC4085F2-8DB3-45a6-AD0B-CA289F3C5D7E}]
[HKEY_CLASSES_ROOT\XBTB03796.XBTB03796]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{880BA763-29FC-D18D-DA80-61B07252B067}"= "c:\program files\TypoBounty ToolBar\tbcore3.dll" [2010-11-15 2543104]
.
[HKEY_CLASSES_ROOT\clsid\{880ba763-29fc-d18d-da80-61b07252b067}]
[HKEY_CLASSES_ROOT\XBTB03796.XBTB03796.3]
[HKEY_CLASSES_ROOT\TypeLib\{EC4085F2-8DB3-45a6-AD0B-CA289F3C5D7E}]
[HKEY_CLASSES_ROOT\XBTB03796.XBTB03796]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-05-10 12:10 122512 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2009-10-26 15872]
"Start WingMan Profiler"="c:\program files\Logitech\Gaming Software\LWEMon.exe" [2010-06-14 153672]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-14 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-14 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-14 114688]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2010-11-11 159472]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-06-08 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-04-14 421160]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-05-10 3459712]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-05-29 449584]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
.
c:\documents and settings\Amy\Start Menu\Programs\Startup\
RollerCoaster Tycoon 3 Registration.lnk - c:\documents and settings\Amy\Local Settings\Temp\{C3EFCF4C-629F-40B5-A97C-E1767C0621EE}\{907B4640-266B-4A21-92FB-CD1A86CD0F63}\ATR1.exe [N/A]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=
"c:\\Program Files\\BitTorrent\\BitTorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
"24726:TCP"= 24726:TCP:FlipShareServer
"24727:TCP"= 24727:TCP:FlipShareServer
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [6/10/2011 8:43 PM 441176]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [6/10/2011 8:43 PM 307928]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [6/10/2011 8:43 PM 19544]
R2 FlipShareServer;FlipShare Server;c:\program files\Flip Video\FlipShareServer\FlipShareServer.exe [12/15/2010 1:22 PM 1085440]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [7/3/2011 8:09 AM 366640]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [8/24/2010 5:38 AM 92008]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [7/3/2011 8:08 AM 22712]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 2:16 PM 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/6/2011 1:25 AM 136176]
S3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\windows\system32\drivers\A3AB.sys [12/27/2010 12:19 AM 547744]
S3 avfwim;AvFw Packet Filter Miniport;c:\windows\system32\DRIVERS\avfwim.sys --> c:\windows\system32\DRIVERS\avfwim.sys [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2/6/2011 1:25 AM 136176]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [4/14/2008 8:00 AM 14336]
S3 WMZuneComm;Zune Windows Mobile Connectivity Service;c:\program files\Zune\WMZuneComm.exe [11/11/2010 2:57 PM 268528]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 2:16 PM 753504]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
bthsvc REG_MULTI_SZ btwdlns
.
Contents of the 'Scheduled Tasks' folder
.
2011-07-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 16:50]
.
2011-07-03 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-02-06 05:25]
.
2011-07-03 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-02-06 05:25]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/ig
uInternet Settings,ProxyOverride = *.local
FF - ProfilePath - c:\documents and settings\Amy\Application Data\Mozilla\Firefox\Profiles\sr7ob710.default\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox 4.0 Beta 8\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: IE View: {6e84150a-d526-41f1-a480-a67d3fed910d} - %profile%\extensions\{6e84150a-d526-41f1-a480-a67d3fed910d}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: avast! WebRep: wrc@avast.com - c:\program files\AVAST Software\Avast\WebRep\FF
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-07-03 12:56
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1645522239-1682526488-1644491937-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:0f,bb,1e,bb,69,f8,a9,83,e9,51,fd,c1,a6,d3,da,f5,9f,f2,85,da,52,12,3e,
58,9e,91,f5,84,5f,bb,f9,22,53,68,27,14,2e,bc,98,ea,ac,54,51,e1,11,03,75,01,\
"??"=hex:2c,0c,93,38,8c,f8,ed,12,85,b4,ff,4a,d5,1a,0d,a1
.
[HKEY_USERS\S-1-5-21-1645522239-1682526488-1644491937-1003\Software\SecuROM\License information*]
"datasecu"=hex:50,4b,ea,4b,c7,85,9c,c7,b8,18,a1,7f,74,d9,09,91,c0,55,f1,07,ef,
c1,d9,4b,58,70,f1,6e,65,7a,08,92,ff,f0,50,ad,18,29,50,c3,fd,02,03,5b,a2,1d,\
"rkeysecu"=hex:14,9c,c9,a1,ec,c3,8a,03,1d,6a,22,d3,24,2e,8b,b5
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(416)
c:\windows\System32\dimsntfy.dll
.
- - - - - - - > 'explorer.exe'(3176)
c:\windows\system32\WININET.dll
c:\program files\Unlocker\UnlockerHook.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\IEFRAME.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVAST Software\Avast\AvastSvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Flip Video\FlipShare\FlipShareService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Zune\ZuneBusEnum.exe
c:\windows\system32\SearchIndexer.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2011-07-03 13:01:57 - machine was rebooted
ComboFix-quarantined-files.txt 2011-07-03 17:01
ComboFix2.txt 2011-07-03 16:11
.
Pre-Run: 24,959,143,936 bytes free
Post-Run: 24,945,160,192 bytes free
.
- - End Of File - - 07AB25ED8E7876017C75828AB57803D0

#12 Broni Re: [RESOLVED] My sister win xp desktop machine badly infected

    Malware Annihilator

  • 24,883 posts
  • Joined: October 04, 2004
  • 1,860 topics
  • Age: 57
  • Skin: IPBoard wide
  • Local time: 05:56 PM
  • Zodiac:Virgo
  • Gender:Male
  • Location:Daly City, CA
  • OS:Windows Vista
  • Country:
Online
  • Time Online: 57d 9h 20m 43s

Posted 03 July 2011 - 05:18 PM

How is computer doing?

You didn't:
Uninstall Setup Support for ShopToWin 1.0, Shop to Win 11 and TypoBounty ToolBar.
Please follow ALL of my instructions.
Uninstall mentioned programs now.

Then....

Download OTL to your Desktop.

  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Click the Scan All Users checkbox.
  • Under the Custom Scan box paste this in:


netsvcs
drivers32
%SYSTEMDRIVE%\*.*
%systemroot%\Fonts\*.com
%systemroot%\Fonts\*.dll
%systemroot%\Fonts\*.ini
%systemroot%\Fonts\*.ini2
%systemroot%\Fonts\*.exe
%systemroot%\system32\spool\prtprocs\w32x86\*.*
%systemroot%\REPAIR\*.bak1
%systemroot%\REPAIR\*.ini
%systemroot%\system32\*.jpg
%systemroot%\*.jpg
%systemroot%\*.png
%systemroot%\*.scr
%systemroot%\*._sy
%APPDATA%\Adobe\Update\*.*
%ALLUSERSPROFILE%\Favorites\*.*
%APPDATA%\Microsoft\*.*
%PROGRAMFILES%\*.*
%APPDATA%\Update\*.*
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\System32\config\*.sav
%PROGRAMFILES%\bak. /s
%systemroot%\system32\bak. /s
%ALLUSERSPROFILE%\Start Menu\*.lnk /x
%systemroot%\system32\config\systemprofile\*.dat /x
%systemroot%\*.config
%systemroot%\system32\*.db
%APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
%USERPROFILE%\Desktop\*.exe
%PROGRAMFILES%\Common Files\*.*
%systemroot%\*.src
%systemroot%\install\*.*
%systemroot%\system32\DLL\*.*
%systemroot%\system32\HelpFiles\*.*
%systemroot%\system32\rundll\*.*
%systemroot%\winn32\*.*
%systemroot%\Java\*.*
%systemroot%\system32\test\*.*
%systemroot%\system32\Rundll32\*.*
%systemroot%\AppPatch\Custom\*.*
%APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x
%PROGRAMFILES%\PC-Doctor\Downloads\*.*
%PROGRAMFILES%\Internet Explorer\*.tmp
%PROGRAMFILES%\Internet Explorer\*.dat
%USERPROFILE%\My Documents\*.exe
%USERPROFILE%\*.exe
%systemroot%\ADDINS\*.*
%systemroot%\assembly\*.bak2
%systemroot%\Config\*.*
%systemroot%\REPAIR\*.bak2
%systemroot%\SECURITY\Database\*.sdb /x
%systemroot%\SYSTEM\*.bak2
%systemroot%\Web\*.bak2
%systemroot%\Driver Cache\*.*
%PROGRAMFILES%\Mozilla Firefox\0*.exe
%ProgramFiles%\Microsoft Common\*.*
%ProgramFiles%\TinyProxy.
%USERPROFILE%\Favorites\*.url /x
%systemroot%\system32\*.bk
%systemroot%\*.te
%systemroot%\system32\system32\*.*
%ALLUSERSPROFILE%\*.dat /x
%systemroot%\system32\drivers\*.rmv
dir /b "%systemroot%\system32\*.exe" | find /i " " /c
dir /b "%systemroot%\*.exe" | find /i " " /c
%PROGRAMFILES%\Microsoft\*.*
%systemroot%\System32\Wbem\proquota.exe
%PROGRAMFILES%\Mozilla Firefox\*.dat
%USERPROFILE%\Cookies\*.txt /x
%SystemRoot%\system32\fonts\*.*
%systemroot%\system32\winlog\*.*
%systemroot%\system32\Language\*.*
%systemroot%\system32\Settings\*.*
%systemroot%\system32\*.quo
%SYSTEMROOT%\AppPatch\*.exe
%SYSTEMROOT%\inf\*.exe
%SYSTEMROOT%\Installer\*.exe
%systemroot%\system32\config\*.bak2
%systemroot%\system32\Computers\*.*
%SystemRoot%\system32\Sound\*.*
%SystemRoot%\system32\SpecialImg\*.*
%SystemRoot%\system32\code\*.*
%SystemRoot%\system32\draft\*.*
%SystemRoot%\system32\MSSSys\*.*
%ProgramFiles%\Javascript\*.*
%systemroot%\pchealth\helpctr\System\*.exe /s
%systemroot%\Web\*.exe
%systemroot%\system32\msn\*.*
%systemroot%\system32\*.tro
%AppData%\Microsoft\Installer\msupdates\*.*
%ProgramFiles%\Messenger\*.*
%systemroot%\system32\systhem32\*.*
%systemroot%\system\*.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
/md5start
/md5stop


  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
  • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.

Posted Image Posted Image


#13 ProblemsRBad Re: [RESOLVED] My sister win xp desktop machine badly infected

    Member

  • 161 posts
  • Joined: June 23, 2011
  • 15 topics
  • Skin: IP.Board
  • Local time: 07:56 PM
  • Zodiac:Aries
  • OS:Windows 7
  • Country:
Offline
  • Time Online: 3d 20h 16m 27s

Posted 03 July 2011 - 05:46 PM

It's running a LOT better now!

I though I uninstalled Setup Support for ShopToWin 1.0, Shop to Win 11 and TypoBounty ToolBar. But after doing so Add/Remove programs froze up. So I used CCleaners Uninstaller. The onlt one left that I uninstalled was TypoBounty ToolBar, again the Add/Remove programs froze. I think TypoBounty ToolBar was uninstalled.

OTL logfile created on: 7/3/2011 1:28:27 PM - Run 1
OTL by OldTimer - Version 3.2.25.0 Folder = C:\Documents and Settings\Amy\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

502.07 Mb Total Physical Memory | 200.29 Mb Available Physical Memory | 39.89% Memory free
1.20 Gb Paging File | 0.79 Gb Available in Paging File | 65.59% Paging File free
Paging file location(s): C:\pagefile.sys 756 1512 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.50 Gb Total Space | 23.26 Gb Free Space | 31.22% Space Free | Partition Type: NTFS
Drive D: | 2.56 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: UDF
Drive E: | 152.66 Gb Total Space | 36.16 Gb Free Space | 23.69% Space Free | Partition Type: NTFS

Computer Name: AMYS | User Name: Amy | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/07/03 13:26:33 | 000,580,096 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Amy\Desktop\OTL.exe
PRC - [2011/05/29 09:11:28 | 000,449,584 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
PRC - [2011/05/29 09:11:28 | 000,366,640 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
PRC - [2011/05/10 08:10:58 | 003,459,712 | ---- | M] (AVAST Software) -- C:\Program Files\AVAST Software\Avast\AvastUI.exe
PRC - [2011/05/10 08:10:57 | 000,042,184 | ---- | M] (AVAST Software) -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe
PRC - [2010/12/15 13:31:20 | 000,460,144 | ---- | M] () -- C:\Program Files\Flip Video\FlipShare\FlipShareService.exe
PRC - [2010/12/15 13:22:42 | 001,085,440 | ---- | M] () -- C:\Program Files\Flip Video\FlipShareServer\FlipShareServer.exe
PRC - [2010/11/12 17:06:50 | 000,197,632 | ---- | M] () -- C:\Program Files\TypoBounty ToolBar\TbHelper2.exe
PRC - [2010/11/11 14:55:56 | 000,057,072 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Zune\ZuneBusEnum.exe
PRC - [2010/11/11 14:55:46 | 000,159,472 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Zune\ZuneLauncher.exe
PRC - [2010/08/24 05:38:18 | 000,092,008 | ---- | M] (TomTom) -- C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
PRC - [2010/06/14 19:10:30 | 000,153,672 | ---- | M] (Logitech Inc.) -- C:\Program Files\Logitech\Gaming Software\LWEMon.exe
PRC - [2008/04/14 08:00:00 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe


========== Modules (SafeList) ==========

MOD - [2011/07/03 13:26:33 | 000,580,096 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Amy\Desktop\OTL.exe
MOD - [2010/08/23 12:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - [2011/05/29 09:11:28 | 000,366,640 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
SRV - [2011/05/10 08:10:57 | 000,042,184 | ---- | M] (AVAST Software) [Auto | Running] -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe -- (avast! Antivirus)
SRV - [2010/12/15 13:31:20 | 000,460,144 | ---- | M] () [Auto | Running] -- C:\Program Files\Flip Video\FlipShare\FlipShareService.exe -- (FlipShare Service)
SRV - [2010/12/15 13:22:42 | 001,085,440 | ---- | M] () [Auto | Running] -- C:\Program Files\Flip Video\FlipShareServer\FlipShareServer.exe -- (FlipShareServer)
SRV - [2010/11/11 14:57:04 | 000,268,528 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Zune\WMZuneComm.exe -- (WMZuneComm)
SRV - [2010/11/11 14:57:02 | 000,444,656 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Zune\ZuneWlanCfgSvc.exe -- (ZuneWlanCfgSvc)
SRV - [2010/11/11 14:55:56 | 006,351,600 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Zune\ZuneNss.exe -- (ZuneNetworkSvc)
SRV - [2010/11/11 14:55:56 | 000,057,072 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Zune\ZuneBusEnum.exe -- (ZuneBusEnum)
SRV - [2010/08/24 05:38:18 | 000,092,008 | ---- | M] (TomTom) [Auto | Running] -- C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe -- (TomTomHOMEService)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Running] -- -- (catchme)
DRV - [2011/05/29 09:11:20 | 000,022,712 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mbam.sys -- (MBAMProtector)
DRV - [2011/05/10 08:03:54 | 000,441,176 | ---- | M] (AVAST Software) [File_System | System | Running] -- C:\WINDOWS\System32\drivers\aswSnx.sys -- (aswSnx)
DRV - [2011/05/10 08:03:44 | 000,307,928 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswSP.sys -- (aswSP)
DRV - [2011/05/10 08:02:37 | 000,049,240 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswTdi.sys -- (aswTdi)
DRV - [2011/05/10 08:02:25 | 000,102,616 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\WINDOWS\System32\drivers\aswmon2.sys -- (aswMon2)
DRV - [2011/05/10 07:59:56 | 000,025,432 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswRdr.sys -- (aswRdr)
DRV - [2011/05/10 07:59:37 | 000,030,808 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aavmker4.sys -- (Aavmker4)
DRV - [2011/05/10 07:59:35 | 000,019,544 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\WINDOWS\System32\drivers\aswFsBlk.sys -- (aswFsBlk)
DRV - [2010/06/17 15:27:22 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ssmdrv.sys -- (ssmdrv)
DRV - [2010/04/27 19:57:28 | 000,066,632 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\WmXlCore.sys -- (WmXlCore)
DRV - [2010/04/27 19:57:28 | 000,015,048 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\WmVirHid.sys -- (WmVirHid)
DRV - [2010/04/27 19:57:22 | 000,022,856 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\WmBEnum.sys -- (WmBEnum)
DRV - [2007/05/23 05:15:00 | 000,547,744 | ---- | M] (D-Link Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\A3AB.sys -- (A3AB) D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB)
DRV - [2006/11/02 08:00:08 | 000,039,368 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\winusb.sys -- (WinUSB)
DRV - [2006/07/14 11:45:20 | 000,156,160 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\b57xp32.sys -- (b57w2k)
DRV - [2004/09/17 10:02:54 | 000,732,928 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\senfilt.sys -- (senfilt)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant =


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-1645522239-1682526488-1644491937-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar =
IE - HKU\S-1-5-21-1645522239-1682526488-1644491937-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page =
IE - HKU\S-1-5-21-1645522239-1682526488-1644491937-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/ig
IE - HKU\S-1-5-21-1645522239-1682526488-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-1645522239-1682526488-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.suggest.enabled: false
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..extensions.enabledItems: {6e84150a-d526-41f1-a480-a67d3fed910d}:1.4.5.1
FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.3.7
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: compatibility@addons.mozilla.org:0.8.2
FF - prefs.js..extensions.enabledItems: wrc@avast.com:20110101

FF - HKLM\software\mozilla\Firefox\Extensions\\wrc@avast.com: C:\Program Files\AVAST Software\Avast\WebRep\FF [2011/06/10 20:36:11 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.13\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/01/02 04:17:32 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.13\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/07/03 07:37:58 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 5.0\extensions\\Components: C:\Program Files\Mozilla Firefox 4.0 Beta 8\components [2011/05/30 07:56:21 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 5.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox 4.0 Beta 8\plugins

[2010/12/28 02:30:54 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Amy\Application Data\Mozilla\Extensions
[2010/12/28 02:30:54 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Amy\Application Data\Mozilla\Extensions\home2@tomtom.com
[2011/07/03 10:55:00 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Amy\Application Data\Mozilla\Firefox\Profiles\sr7ob710.default\extensions
[2011/01/12 07:56:46 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Amy\Application Data\Mozilla\Firefox\Profiles\sr7ob710.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/02/26 19:00:37 | 000,000,000 | ---D | M] (IE View) -- C:\Documents and Settings\Amy\Application Data\Mozilla\Firefox\Profiles\sr7ob710.default\extensions\{6e84150a-d526-41f1-a480-a67d3fed910d}
[2011/06/30 18:18:33 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Amy\Application Data\Mozilla\Firefox\Profiles\sr7ob710.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2011/06/30 18:18:33 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Amy\Application Data\Mozilla\Firefox\Profiles\sr7ob710.default\extensions\compatibility@addons.mozilla.org
[2011/01/02 20:20:08 | 000,000,000 | ---D | M] (Search Toolbar) -- C:\Documents and Settings\Amy\Application Data\Mozilla\Firefox\Profiles\sr7ob710.default\extensions\searchtoolbar@zugo.com
[2010/02/26 18:55:43 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2011/06/10 20:36:11 | 000,000,000 | ---D | M] (avast! WebRep) -- C:\PROGRAM FILES\AVAST SOFTWARE\AVAST\WEBREP\FF
[2011/01/10 02:26:55 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF

O1 HOSTS File: ([2011/07/03 12:56:12 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
O3 - HKLM\..\Toolbar: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
O4 - HKLM..\Run: [avast] C:\Program Files\AVAST Software\Avast\avastUI.exe (AVAST Software)
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [Start WingMan Profiler] C:\Program Files\Logitech\Gaming Software\LWEMon.exe (Logitech Inc.)
O4 - HKLM..\Run: [Zune Launcher] C:\Program Files\Zune\ZuneLauncher.exe (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\Amy\Start Menu\Programs\Startup\RollerCoaster Tycoon 3 Registration.lnk = File not found
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1645522239-1682526488-1644491937-1003\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1645522239-1682526488-1644491937-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-1645522239-1682526488-1644491937-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-1645522239-1682526488-1644491937-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - File not found
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - File not found
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {8CFCF42C-1C64-47D6-AEEC-F9D001832ED3} http://xserv.dell.co.../DellSystem.CAB (DellSystem.Scanner)
O16 - DPF: {C1F8FC10-E5DB-4112-9DBF-6C3FF728D4E3} http://support.dell....lSystemLite.CAB (DellSystemLite.Scanner)
O16 - DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_22)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Amy\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Amy\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2010/02/25 00:47:02 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2009/08/28 18:18:23 | 000,000,000 | R--D | M] - D:\AutoRun -- [ UDF ]
O32 - AutoRun File - [2009/08/28 18:23:36 | 000,703,552 | R--- | M] (Electronic Arts Inc.) - D:\AutoRun.exe -- [ UDF ]
O32 - AutoRun File - [2009/08/28 18:23:37 | 000,715,840 | R--- | M] (Electronic Arts Inc.) - D:\AutoRunGUI.dll -- [ UDF ]
O32 - AutoRun File - [2009/08/28 18:23:31 | 000,000,180 | R--- | M] () - D:\autorun.inf -- [ UDF ]
O32 - AutoRun File - [2009/12/26 17:36:09 | 000,000,000 | ---- | M] () - E:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O35 - HKU\S-1-5-21-1645522239-1682526488-1644491937-1003..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKU\.DEFAULT\...exe [@ = exefile] -- "%1" %*
O37 - HKU\S-1-5-18\...exe [@ = exefile] -- "%1" %*
O37 - HKU\S-1-5-21-1645522239-1682526488-1644491937-1003\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)
Drivers32: vidc.VP60 - C:\WINDOWS\system32\vp6vfw.dll (On2.com)
Drivers32: vidc.VP61 - C:\WINDOWS\system32\vp6vfw.dll (On2.com)

CREATERESTOREPOINT
Restore point Set: OTL Restore Point

========== Files/Folders - Created Within 30 Days ==========

[2011/07/03 13:26:21 | 000,580,096 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Amy\Desktop\OTL.exe
[2011/07/03 11:45:05 | 004,130,135 | R--- | C] (Swearware) -- C:\Documents and Settings\Amy\Desktop\ComboFix.exe
[2011/07/03 11:26:25 | 001,448,752 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Amy\Desktop\tdsskiller.exe
[2011/07/03 08:54:24 | 000,607,017 | R--- | C] (Swearware) -- C:\Documents and Settings\Amy\Desktop\dds.scr
[2011/07/03 08:49:42 | 001,904,128 | ---- | C] (AVAST Software) -- C:\Documents and Settings\Amy\Desktop\aswMBR.exe
[2011/07/03 08:10:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Amy\Application Data\Malwarebytes
[2011/07/03 08:09:12 | 000,039,984 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2011/07/03 08:09:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011/07/03 08:09:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2011/07/03 08:08:59 | 000,022,712 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2011/07/03 08:08:59 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2011/07/03 07:49:21 | 000,000,000 | ---D | C] -- C:\WINDOWS\pss
[2011/07/03 07:37:24 | 000,000,000 | ---D | C] -- C:\Config.Msi
[2011/06/30 20:13:54 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2011/06/30 20:06:33 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2011/06/30 20:06:33 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2011/06/30 20:06:33 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2011/06/30 20:06:33 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2011/06/30 20:05:53 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2011/06/30 20:02:05 | 000,000,000 | ---D | C] -- C:\Qoobox
[2011/06/30 18:03:28 | 000,000,000 | ---D | C] -- C:\Program Files\Shop to Win 11
[2011/06/13 16:08:10 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Amy\Recent
[2011/06/12 10:48:19 | 000,000,000 | -HSD | C] -- C:\WINDOWS\CSC
[2011/06/11 23:59:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Apple
[2011/06/10 20:43:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\avast! Free Antivirus
[2011/06/10 20:43:52 | 000,307,928 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswSP.sys
[2011/06/10 20:43:52 | 000,019,544 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswFsBlk.sys
[2011/06/10 20:43:47 | 000,025,432 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswRdr.sys
[2011/06/10 20:43:46 | 000,049,240 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswTdi.sys
[2011/06/10 20:43:45 | 000,441,176 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswSnx.sys
[2011/06/10 20:43:43 | 000,102,616 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswmon2.sys
[2011/06/10 20:43:43 | 000,096,344 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswmon.sys
[2011/06/10 20:43:43 | 000,030,808 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aavmker4.sys
[2011/06/10 20:36:03 | 000,040,112 | ---- | C] (AVAST Software) -- C:\WINDOWS\avastSS.scr
[2011/06/10 20:36:02 | 000,199,304 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\aswBoot.exe
[2011/06/10 20:35:37 | 000,000,000 | ---D | C] -- C:\Program Files\AVAST Software
[2011/06/10 20:35:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\AVAST Software
[2011/06/09 22:17:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Spybot - Search & Destroy
[2011/06/09 22:17:32 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2011/06/09 22:17:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
[2011/06/08 05:38:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple Computer
[2011/06/04 12:53:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
[2011/06/03 16:50:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2011/06/03 16:50:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/07/03 13:26:33 | 000,580,096 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Amy\Desktop\OTL.exe
[2011/07/03 12:56:12 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2011/07/03 12:55:55 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/07/03 12:55:49 | 000,000,876 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2011/07/03 12:54:28 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/07/03 11:45:18 | 004,130,135 | R--- | M] (Swearware) -- C:\Documents and Settings\Amy\Desktop\ComboFix.exe
[2011/07/03 11:41:01 | 000,000,880 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2011/07/03 11:37:49 | 000,139,264 | ---- | M] () -- C:\Documents and Settings\Amy\Desktop\RKUnhookerLE.EXE
[2011/07/03 11:26:59 | 001,448,752 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Amy\Desktop\tdsskiller.exe
[2011/07/03 10:30:30 | 000,000,512 | ---- | M] () -- C:\Documents and Settings\Amy\Desktop\MBR.dat
[2011/07/03 08:55:52 | 000,607,017 | R--- | M] (Swearware) -- C:\Documents and Settings\Amy\Desktop\dds.scr
[2011/07/03 08:50:34 | 001,904,128 | ---- | M] (AVAST Software) -- C:\Documents and Settings\Amy\Desktop\aswMBR.exe
[2011/07/03 08:37:22 | 000,302,592 | ---- | M] () -- C:\Documents and Settings\Amy\Desktop\411nd7sc.exe
[2011/07/03 08:09:20 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/07/03 07:39:27 | 000,000,619 | ---- | M] () -- C:\Documents and Settings\Amy\Desktop\TomTom HOME 2.lnk
[2011/07/03 07:38:00 | 000,001,729 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
[2011/07/02 23:59:09 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2011/06/30 20:14:04 | 000,000,355 | RHS- | M] () -- C:\boot.ini
[2011/06/30 19:17:19 | 000,000,245 | ---- | M] () -- C:\Boot.bak
[2011/06/30 18:32:53 | 000,013,154 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\7727v7t7ol15v
[2011/06/30 18:24:47 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Amy\Local Settings\Application Data\tnt.exe
[2011/06/30 18:24:47 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Amy\Local Settings\Application Data\rox.exe
[2011/06/30 18:24:47 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Amy\Local Settings\Application Data\pfs.exe
[2011/06/30 18:24:47 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Amy\Local Settings\Application Data\ocr.exe
[2011/06/30 18:24:32 | 000,000,000 | -HS- | M] () -- C:\Documents and Settings\Amy\Local Settings\Application Data\7727v7t7ol15v
[2011/06/30 18:24:32 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Amy\Local Settings\Application Data\qat.exe
[2011/06/30 18:24:32 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Amy\Local Settings\Application Data\ibe.exe
[2011/06/30 18:24:32 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Amy\Local Settings\Application Data\ecm.exe
[2011/06/30 18:24:32 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Amy\Local Settings\Application Data\cil.exe
[2011/06/26 02:45:56 | 000,256,000 | ---- | M] () -- C:\WINDOWS\PEV.exe
[2011/06/19 09:39:09 | 000,002,187 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Safari.lnk
[2011/06/11 14:28:36 | 009,869,235 | ---- | M] () -- C:\Documents and Settings\Amy\My Documents\ADROA - Swamp Bass ( Frog step ).mp3
[2011/06/11 14:28:06 | 025,247,046 | ---- | M] () -- C:\Documents and Settings\Amy\My Documents\Not Recognized-Track1.mp3
[2011/06/11 14:27:59 | 009,159,644 | ---- | M] () -- C:\Documents and Settings\Amy\My Documents\Rastah.Mouse - Gorillaz - Feel Good Inc (Dont Get Sleep Remix).mp3
[2011/06/11 14:27:52 | 009,778,767 | ---- | M] () -- C:\Documents and Settings\Amy\My Documents\Adele - Rolling in the Deep (Telmini Remix).mp3
[2011/06/11 14:26:39 | 008,505,513 | ---- | M] () -- C:\Documents and Settings\Amy\My Documents\Ghosts Of Paraguay - Needing You (Kaiori Breathe Remix).mp3
[2011/06/11 14:22:09 | 012,236,318 | ---- | M] () -- C:\Documents and Settings\Amy\My Documents\Psychopath (Bassex Rmx).mp3
[2011/06/11 14:20:49 | 013,694,635 | ---- | M] () -- C:\Documents and Settings\Amy\My Documents\Document 1 - Breakdown [ Ash Howell Rework ].mp3
[2011/06/11 14:18:05 | 014,551,096 | ---- | M] () -- C:\Documents and Settings\Amy\My Documents\DJ Bonz - Drum & Bass (Mega Mix).mp3
[2011/06/11 12:39:49 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/06/10 20:43:54 | 000,001,689 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\avast! Free Antivirus.lnk
[2011/06/10 20:43:44 | 000,002,625 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2011/06/10 20:32:30 | 058,064,040 | ---- | M] () -- C:\Documents and Settings\Amy\My Documents\setup_av_free.exe
[2011/06/10 20:24:02 | 000,014,188 | -H-- | M] () -- C:\WINDOWS\System32\mlfcache.dat
[2011/06/10 09:18:06 | 000,005,303 | ---- | M] () -- C:\WINDOWS\wininit.ini
[2011/06/09 08:08:03 | 000,000,790 | ---- | M] () -- C:\Documents and Settings\Amy\Desktop\Shortcut to procexp.lnk
[2011/06/07 23:36:23 | 000,000,120 | ---- | M] () -- C:\WINDOWS\Equfinubesidacib.dat
[2011/06/04 13:12:07 | 000,000,682 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\CCleaner.lnk
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/07/03 11:37:06 | 000,139,264 | ---- | C] () -- C:\Documents and Settings\Amy\Desktop\RKUnhookerLE.EXE
[2011/07/03 10:30:30 | 000,000,512 | ---- | C] () -- C:\Documents and Settings\Amy\Desktop\MBR.dat
[2011/07/03 08:35:41 | 000,302,592 | ---- | C] () -- C:\Documents and Settings\Amy\Desktop\411nd7sc.exe
[2011/07/03 08:09:20 | 000,000,784 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/07/03 07:39:27 | 000,000,619 | ---- | C] () -- C:\Documents and Settings\Amy\Desktop\TomTom HOME 2.lnk
[2011/06/30 20:14:04 | 000,000,245 | ---- | C] () -- C:\Boot.bak
[2011/06/30 20:13:56 | 000,260,272 | RHS- | C] () -- C:\cmldr
[2011/06/30 20:06:33 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2011/06/30 20:06:33 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2011/06/30 20:06:33 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2011/06/30 20:06:33 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2011/06/30 20:06:33 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2011/06/30 18:24:47 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Amy\Local Settings\Application Data\tnt.exe
[2011/06/30 18:24:47 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Amy\Local Settings\Application Data\rox.exe
[2011/06/30 18:24:47 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Amy\Local Settings\Application Data\pfs.exe
[2011/06/30 18:24:47 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Amy\Local Settings\Application Data\ocr.exe
[2011/06/30 18:24:32 | 000,000,000 | -HS- | C] () -- C:\Documents and Settings\Amy\Local Settings\Application Data\7727v7t7ol15v
[2011/06/30 18:24:32 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Amy\Local Settings\Application Data\qat.exe
[2011/06/30 18:24:32 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Amy\Local Settings\Application Data\ibe.exe
[2011/06/30 18:24:32 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Amy\Local Settings\Application Data\ecm.exe
[2011/06/30 18:24:32 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Amy\Local Settings\Application Data\cil.exe
[2011/06/30 18:02:59 | 000,013,162 | -HS- | C] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\7727v7t7ol15v
[2011/06/30 18:02:59 | 000,013,154 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\7727v7t7ol15v
[2011/06/11 14:23:12 | 009,869,235 | ---- | C] () -- C:\Documents and Settings\Amy\My Documents\ADROA - Swamp Bass ( Frog step ).mp3
[2011/06/11 14:22:38 | 009,159,644 | ---- | C] () -- C:\Documents and Settings\Amy\My Documents\Rastah.Mouse - Gorillaz - Feel Good Inc (Dont Get Sleep Remix).mp3
[2011/06/11 14:22:22 | 009,778,767 | ---- | C] () -- C:\Documents and Settings\Amy\My Documents\Adele - Rolling in the Deep (Telmini Remix).mp3
[2011/06/11 14:22:05 | 008,505,513 | ---- | C] () -- C:\Documents and Settings\Amy\My Documents\Ghosts Of Paraguay - Needing You (Kaiori Breathe Remix).mp3
[2011/06/11 14:17:48 | 012,236,318 | ---- | C] () -- C:\Documents and Settings\Amy\My Documents\Psychopath (Bassex Rmx).mp3
[2011/06/11 14:17:02 | 025,247,046 | ---- | C] () -- C:\Documents and Settings\Amy\My Documents\Not Recognized-Track1.mp3
[2011/06/11 14:16:00 | 013,694,635 | ---- | C] () -- C:\Documents and Settings\Amy\My Documents\Document 1 - Breakdown [ Ash Howell Rework ].mp3
[2011/06/11 14:14:13 | 014,551,096 | ---- | C] () -- C:\Documents and Settings\Amy\My Documents\DJ Bonz - Drum & Bass (Mega Mix).mp3
[2011/06/10 20:43:54 | 000,001,689 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\avast! Free Antivirus.lnk
[2011/06/10 20:26:53 | 058,064,040 | ---- | C] () -- C:\Documents and Settings\Amy\My Documents\setup_av_free.exe
[2011/06/10 09:16:48 | 000,005,303 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2011/06/09 08:08:09 | 000,000,790 | ---- | C] () -- C:\Documents and Settings\Amy\Desktop\Shortcut to procexp.lnk
[2011/06/03 16:41:53 | 000,000,120 | ---- | C] () -- C:\WINDOWS\Equfinubesidacib.dat
[2011/05/25 15:16:29 | 000,000,056 | RHS- | C] () -- C:\WINDOWS\System32\C7416E2BB8.sys
[2011/05/25 15:16:27 | 000,000,848 | -HS- | C] () -- C:\WINDOWS\System32\KGyGaAvL.sys
[2011/03/28 18:21:55 | 000,318,456 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-S-1-5-21-1645522239-1682526488-1644491937-1003-0.dat
[2011/03/28 18:21:51 | 000,089,914 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-System.dat
[2011/02/18 23:40:13 | 000,000,754 | ---- | C] () -- C:\WINDOWS\WORDPAD.INI
[2011/02/15 23:53:24 | 000,191,692 | ---- | C] () -- C:\Documents and Settings\Amy\Application Data\MAnalyzerpresets.xml
[2011/02/15 23:53:24 | 000,013,964 | ---- | C] () -- C:\Documents and Settings\Amy\Application Data\MFlangerpresets.xml
[2011/02/15 23:53:24 | 000,009,119 | ---- | C] () -- C:\Documents and Settings\Amy\Application Data\MFreqShifterpresets.xml
[2011/02/15 23:53:24 | 000,007,130 | ---- | C] () -- C:\Documents and Settings\Amy\Application Data\MEqualizerpresets.xml
[2011/02/15 23:53:24 | 000,006,444 | ---- | C] () -- C:\Documents and Settings\Amy\Application Data\MCompressorpresets.xml
[2011/02/15 23:53:24 | 000,005,138 | ---- | C] () -- C:\Documents and Settings\Amy\Application Data\MWaveShaperpresets.xml
[2011/02/15 23:53:24 | 000,004,362 | ---- | C] () -- C:\Documents and Settings\Amy\Application Data\MPhaserpresets.xml
[2011/02/15 23:53:24 | 000,003,771 | ---- | C] () -- C:\Documents and Settings\Amy\Application Data\MRingModulatorpresets.xml
[2011/02/15 23:53:24 | 000,002,775 | ---- | C] () -- C:\Documents and Settings\Amy\Application Data\MStereoExpanderpresets.xml
[2011/02/15 23:53:24 | 000,002,666 | ---- | C] () -- C:\Documents and Settings\Amy\Application Data\MVibratopresets.xml
[2011/02/15 23:53:24 | 000,002,366 | ---- | C] () -- C:\Documents and Settings\Amy\Application Data\MTremolopresets.xml
[2011/02/15 23:53:24 | 000,001,907 | ---- | C] () -- C:\Documents and Settings\Amy\Application Data\MAutopanpresets.xml
[2011/02/15 23:53:24 | 000,001,381 | ---- | C] () -- C:\Documents and Settings\Amy\Application Data\MLimiterpresets.xml
[2011/01/15 14:31:56 | 000,000,000 | ---- | C] () -- C:\Program Files\temp01
[2011/01/11 14:51:23 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/01/02 04:23:32 | 000,014,188 | -H-- | C] () -- C:\WINDOWS\System32\mlfcache.dat
[2010/12/26 23:22:39 | 000,032,768 | ---- | C] () -- C:\Documents and Settings\Amy\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/03/28 22:03:03 | 000,004,096 | ---- | C] () -- C:\WINDOWS\d3dx.dat
[2010/02/26 18:56:10 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2010/02/25 00:51:12 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2010/02/25 00:42:47 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2010/02/24 19:28:21 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2010/02/24 19:26:13 | 000,099,848 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2008/05/26 22:59:42 | 000,018,904 | ---- | C] () -- C:\WINDOWS\System32\structuredqueryschematrivial.bin
[2008/05/26 22:59:40 | 000,106,605 | ---- | C] () -- C:\WINDOWS\System32\structuredqueryschema.bin
[2008/04/14 08:00:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2008/04/14 08:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2008/04/14 08:00:00 | 000,502,352 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2008/04/14 08:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2008/04/14 08:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2008/04/14 08:00:00 | 000,086,244 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2008/04/14 08:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2008/04/14 08:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2008/04/14 08:00:00 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2008/04/14 08:00:00 | 000,004,461 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2008/04/14 08:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\Dcache.bin
[2008/04/14 08:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2007/09/27 11:51:02 | 000,020,698 | ---- | C] () -- C:\WINDOWS\System32\idxcntrs.ini
[2007/09/27 11:48:48 | 000,030,628 | ---- | C] () -- C:\WINDOWS\System32\gsrvctr.ini
[2007/09/27 11:48:28 | 000,031,698 | ---- | C] () -- C:\WINDOWS\System32\gthrctr.ini
[2005/08/30 00:00:00 | 000,781,312 | ---- | C] () -- C:\WINDOWS\System32\RGSS102J.dll
[2005/08/30 00:00:00 | 000,778,752 | ---- | C] () -- C:\WINDOWS\System32\RGSS102E.dll
[2005/08/30 00:00:00 | 000,771,584 | ---- | C] () -- C:\WINDOWS\System32\RGSS100J.dll

========== LOP Check ==========

[2011/06/30 18:55:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Windows Search
[2011/02/08 17:20:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Ableton
[2011/01/26 09:57:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AlawarWrapper
[2011/06/10 20:35:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVAST Software
[2010/12/27 01:29:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Electronic Arts
[2010/12/25 11:44:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\FarmFrenzy2
[2011/04/29 20:54:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Flip Video
[2010/03/29 18:37:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Fugazo
[2010/12/27 11:05:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Innovative Solutions
[2011/02/15 23:53:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MTexturedStyles
[2010/12/13 14:53:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Sandlot Games
[2011/01/28 19:24:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2010/12/28 02:31:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TomTom
[2011/01/02 04:19:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2010/12/26 23:23:32 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\{66E2F539-12B6-4870-A500-7689CDE75C5E}
[2011/02/08 17:20:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Amy\Application Data\Ableton
[2010/02/28 12:53:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Amy\Application Data\Atari
[2011/06/04 13:27:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Amy\Application Data\BitTorrent
[2011/02/14 23:26:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Amy\Application Data\Blue Cat Audio
[2011/04/29 21:46:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Amy\Application Data\Flip Video
[2011/01/02 20:24:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Amy\Application Data\HamsterSoft
[2010/12/26 23:53:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Amy\Application Data\ImgBurn
[2011/02/05 18:40:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Amy\Application Data\Jeskola
[2010/02/28 12:50:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Amy\Application Data\Leadertech
[2011/02/15 23:42:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Amy\Application Data\LiveSticks
[2011/02/15 23:53:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Amy\Application Data\mfreevsteffects_4_02_setup
[2011/02/15 23:57:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Amy\Application Data\MSPS
[2010/12/28 15:40:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Amy\Application Data\Naviextras
[2010/12/28 02:30:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Amy\Application Data\TomTom
[2010/12/27 01:07:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Amy\Application Data\Windows Desktop Search
[2010/12/27 03:29:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Amy\Application Data\Windows Search
[2011/04/29 21:40:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Flip Video

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.* >
[2010/12/26 21:03:23 | 000,378,857 | ---- | M] () -- C:\AnalysisLog.sr0
[2010/02/25 00:47:02 | 000,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT
[2011/06/30 19:17:19 | 000,000,245 | ---- | M] () -- C:\Boot.bak
[2011/06/30 20:14:04 | 000,000,355 | RHS- | M] () -- C:\boot.ini
[2004/08/03 23:00:00 | 000,260,272 | RHS- | M] () -- C:\cmldr
[2011/07/03 13:02:00 | 000,019,097 | ---- | M] () -- C:\ComboFix.txt
[2010/02/25 00:47:02 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS
[2011/04/29 21:32:16 | 000,000,000 | ---- | M] () -- C:\foo.txt
[2010/02/25 00:47:02 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
[2011/04/29 20:56:12 | 000,001,015 | R--- | M] () -- C:\logFile.xsl
[2010/02/25 00:47:02 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
[2008/04/14 08:00:00 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
[2008/04/14 08:00:00 | 000,250,048 | RHS- | M] () -- C:\ntldr
[2011/07/03 12:54:21 | 792,723,456 | -HS- | M] () -- C:\pagefile.sys
[2011/02/14 22:19:43 | 000,001,396 | ---- | M] () -- C:\SpnrLE.txt

< %systemroot%\Fonts\*.com >
[2006/04/18 16:39:28 | 000,026,040 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalMonospace.CompositeFont
[2006/06/29 15:53:56 | 000,026,489 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalSansSerif.CompositeFont
[2006/04/18 16:39:28 | 000,029,779 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalSerif.CompositeFont
[2006/06/29 15:58:52 | 000,030,808 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalUserInterface.CompositeFont

< %systemroot%\Fonts\*.dll >

< %systemroot%\Fonts\*.ini >
[2010/02/25 00:46:34 | 000,000,067 | -HS- | M] () -- C:\WINDOWS\Fonts\desktop.ini

< %systemroot%\Fonts\*.ini2 >

< %systemroot%\Fonts\*.exe >

< %systemroot%\system32\spool\prtprocs\w32x86\*.* >
[2008/07/06 08:06:10 | 000,089,088 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll
[2008/07/06 06:50:03 | 000,597,504 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\printfilterpipelinesvc.exe

< %systemroot%\REPAIR\*.bak1 >

< %systemroot%\REPAIR\*.ini >

< %systemroot%\system32\*.jpg >

< %systemroot%\*.jpg >

< %systemroot%\*.png >

< %systemroot%\*.scr >
[2011/05/10 08:10:59 | 000,040,112 | ---- | M] (AVAST Software) -- C:\WINDOWS\avastSS.scr
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

< %systemroot%\*._sy >

< %APPDATA%\Adobe\Update\*.* >

< %ALLUSERSPROFILE%\Favorites\*.* >

< %APPDATA%\Microsoft\*.* >
[2010/11/13 10:34:34 | 000,001,738 | -H-- | M] () -- C:\Documents and Settings\Amy\Application Data\Microsoft\LastFlashConfig.WFC

< %PROGRAMFILES%\*.* >
[2011/01/15 14:31:56 | 000,000,000 | ---- | M] () -- C:\Program Files\temp01

< %APPDATA%\Update\*.* >

< %systemroot%\*. /mp /s >

< %systemroot%\System32\config\*.sav >
[2010/02/24 19:25:42 | 000,094,208 | ---- | M] () -- C:\WINDOWS\System32\config\default.sav
[2010/02/24 19:25:42 | 001,089,536 | ---- | M] () -- C:\WINDOWS\System32\config\software.sav
[2010/02/24 19:25:42 | 000,921,600 | ---- | M] () -- C:\WINDOWS\System32\config\system.sav

< %PROGRAMFILES%\bak. /s >

< %systemroot%\system32\bak. /s >

< %ALLUSERSPROFILE%\Start Menu\*.lnk /x >
[2010/02/25 00:47:09 | 000,000,294 | -HS- | M] () -- C:\Documents and Settings\All Users\Start Menu\desktop.ini

< %systemroot%\system32\config\systemprofile\*.dat /x >

< %systemroot%\*.config >

< %systemroot%\system32\*.db >

< %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x >
[2010/02/25 01:01:40 | 000,000,119 | -HS- | M] () -- C:\Documents and Settings\Amy\Application Data\Microsoft\Internet Explorer\Quick Launch\desktop.ini
[2010/02/25 01:01:39 | 000,000,079 | ---- | M] () -- C:\Documents and Settings\Amy\Application Data\Microsoft\Internet Explorer\Quick Launch\Show Desktop.scf

< %USERPROFILE%\Desktop\*.exe >
[2011/07/03 08:37:22 | 000,302,592 | ---- | M] () -- C:\Documents and Settings\Amy\Desktop\411nd7sc.exe
[2011/07/03 08:50:34 | 001,904,128 | ---- | M] (AVAST Software) -- C:\Documents and Settings\Amy\Desktop\aswMBR.exe
[2011/07/03 11:45:18 | 004,130,135 | R--- | M] (Swearware) -- C:\Documents and Settings\Amy\Desktop\ComboFix.exe
[2011/07/03 13:26:33 | 000,580,096 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Amy\Desktop\OTL.exe
[2011/07/03 11:37:49 | 000,139,264 | ---- | M] () -- C:\Documents and Settings\Amy\Desktop\RKUnhookerLE.EXE
[2011/07/03 11:26:59 | 001,448,752 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Amy\Desktop\tdsskiller.exe

< %PROGRAMFILES%\Common Files\*.* >

< %systemroot%\*.src >

< %systemroot%\install\*.* >

< %systemroot%\system32\DLL\*.* >

< %systemroot%\system32\HelpFiles\*.* >

< %systemroot%\system32\rundll\*.* >

< %systemroot%\winn32\*.* >

< %systemroot%\Java\*.* >

< %systemroot%\system32\test\*.* >

< %systemroot%\system32\Rundll32\*.* >

< %systemroot%\AppPatch\Custom\*.* >

< %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x >

< %PROGRAMFILES%\PC-Doctor\Downloads\*.* >

< %PROGRAMFILES%\Internet Explorer\*.tmp >

< %PROGRAMFILES%\Internet Explorer\*.dat >

< %USERPROFILE%\My Documents\*.exe >
[2010/12/27 12:06:22 | 000,561,778 | ---- | M] () -- C:\Documents and Settings\Amy\My Documents\GX280A08.EXE
[2010/12/27 12:06:52 | 003,573,632 | ---- | M] (Xceed Software Inc. 1-450-442-2626 info@xceedsoft.com www.xceedsoft.com) -- C:\Documents and Settings\Amy\My Documents\R121089.EXE
[2010/12/27 12:06:49 | 003,157,552 | ---- | M] (Xceed Software Inc. 1-450-442-2626 info@xceedsoft.com www.xceedsoft.com) -- C:\Documents and Settings\Amy\My Documents\R79695.EXE
[2011/06/10 20:32:30 | 058,064,040 | ---- | M] () -- C:\Documents and Settings\Amy\My Documents\setup_av_free.exe
[2011/06/12 22:14:12 | 000,956,288 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\Amy\My Documents\SMS2003-SP3-KB937882-X86-ENU.exe
[2011/01/24 18:55:12 | 019,985,265 | ---- | M] () -- C:\Documents and Settings\Amy\My Documents\vlc-1.1.5-win32.exe

< %USERPROFILE%\*.exe >

< %systemroot%\ADDINS\*.* >

< %systemroot%\assembly\*.bak2 >

< %systemroot%\Config\*.* >

< %systemroot%\REPAIR\*.bak2 >

< %systemroot%\SECURITY\Database\*.sdb /x >

< %systemroot%\SYSTEM\*.bak2 >

< %systemroot%\Web\*.bak2 >

< %systemroot%\Driver Cache\*.* >

< %PROGRAMFILES%\Mozilla Firefox\0*.exe >

< %ProgramFiles%\Microsoft Common\*.* >

< %ProgramFiles%\TinyProxy. >

< %USERPROFILE%\Favorites\*.url /x >
[2010/02/25 01:01:39 | 000,000,122 | -HS- | M] () -- C:\Documents and Settings\Amy\Favorites\Desktop.ini

< %systemroot%\system32\*.bk >

< %systemroot%\*.te >

< %systemroot%\system32\system32\*.* >

< %ALLUSERSPROFILE%\*.dat /x >

< %systemroot%\system32\drivers\*.rmv >

< dir /b "%systemroot%\system32\*.exe" | find /i " " /c >

< dir /b "%systemroot%\*.exe" | find /i " " /c >

< %PROGRAMFILES%\Microsoft\*.* >

< %systemroot%\System32\Wbem\proquota.exe >

< %PROGRAMFILES%\Mozilla Firefox\*.dat >

< %USERPROFILE%\Cookies\*.txt /x >
[2011/07/03 13:25:47 | 000,114,688 | ---- | M] () -- C:\Documents and Settings\Amy\Cookies\index.dat

< %SystemRoot%\system32\fonts\*.* >

< %systemroot%\system32\winlog\*.* >

< %systemroot%\system32\Language\*.* >

< %systemroot%\system32\Settings\*.* >

< %systemroot%\system32\*.quo >

< %SYSTEMROOT%\AppPatch\*.exe >

< %SYSTEMROOT%\inf\*.exe >
[2007/06/26 23:10:26 | 000,317,440 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\inf\unregmp2.exe

< %SYSTEMROOT%\Installer\*.exe >

< %systemroot%\system32\config\*.bak2 >

< %systemroot%\system32\Computers\*.* >

< %SystemRoot%\system32\Sound\*.* >

< %SystemRoot%\system32\SpecialImg\*.* >

< %SystemRoot%\system32\code\*.* >

< %SystemRoot%\system32\draft\*.* >

< %SystemRoot%\system32\MSSSys\*.* >

< %ProgramFiles%\Javascript\*.* >

< %systemroot%\pchealth\helpctr\System\*.exe /s >

< %systemroot%\Web\*.exe >

< %systemroot%\system32\msn\*.* >

< %systemroot%\system32\*.tro >

< %AppData%\Microsoft\Installer\msupdates\*.* >

< %ProgramFiles%\Messenger\*.* >

< %systemroot%\system32\systhem32\*.* >

< %systemroot%\system\*.exe >

< HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs >
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install\\LastSuccessTime: 2011-05-12 18:02:38


========== Alternate Data Streams ==========

@Alternate Data Stream - 137 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:78E0DF72
@Alternate Data Stream - 123 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:9857FAE3
@Alternate Data Stream - 113 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:1740DC47

< End of report >

======================================================================================================================================================

OTL Extras logfile created on: 7/3/2011 1:28:27 PM - Run 1
OTL by OldTimer - Version 3.2.25.0 Folder = C:\Documents and Settings\Amy\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

502.07 Mb Total Physical Memory | 200.29 Mb Available Physical Memory | 39.89% Memory free
1.20 Gb Paging File | 0.79 Gb Available in Paging File | 65.59% Paging File free
Paging file location(s): C:\pagefile.sys 756 1512 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.50 Gb Total Space | 23.26 Gb Free Space | 31.22% Space Free | Partition Type: NTFS
Drive D: | 2.56 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: UDF
Drive E: | 152.66 Gb Total Space | 36.16 Gb Free Space | 23.69% Space Free | Partition Type: NTFS

Computer Name: AMYS | User Name: Amy | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.url [@ = InternetShortcut] -- rundll32.exe ieframe.dll,OpenURL %l

[HKEY_USERS\.DEFAULT\SOFTWARE\Classes\<extension>]

[HKEY_USERS\S-1-5-18\SOFTWARE\Classes\<extension>]

[HKEY_USERS\S-1-5-21-1645522239-1682526488-1644491937-1003\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Key error.
InternetShortcut [open] -- rundll32.exe ieframe.dll,OpenURL %l
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"5985:TCP" = 5985:TCP:*:Disabled:Windows Remote Management
"24726:TCP" = 24726:TCP:*:Enabled:FlipShareServer
"24727:TCP" = 24727:TCP:*:Enabled:FlipShareServer

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Google\Google Earth\plugin\geplugin.exe" = C:\Program Files\Google\Google Earth\plugin\geplugin.exe:*:Enabled:Google Earth -- (Google)
"C:\Program Files\BitTorrent\BitTorrent.exe" = C:\Program Files\BitTorrent\BitTorrent.exe:*:Enabled:BitTorrent -- (BitTorrent, Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{06B4468E-BFCE-49F2-94C1-F84219E8ED6E}" = Color Scheme Editor
"{07EEE598-5F21-4B57-B40B-46592625B3D9}" = Zune Language Pack (PTB)
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{26A24AE4-039D-4CA4-87B4-2F83216022FF}" = Java™ 6 Update 22
"{297360EC-FAD7-4031-8FB5-3A7981BCA30B}_is1" = IMEA Sequencer version 1.4
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{353FE16B-30FE-469A-BF55-B978F4218003}" = iTunes
"{3BC8D2F1-8CA2-4AF9-99C7-8598AFFDEF8F}" = Thrillville™: '07
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{420DFB63-8AE7-F7D6-E4B4-AB6D140221F4}" = FlipShare
"{46C045BF-2B3F-4BC4-8E4C-00E0CF8BD9DB}" = Adobe AIR
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{537575D6-3B96-474C-BD8F-DFF667363DBD}" = Naviextras Toolbox Prerequesities
"{57752979-A1C9-4C02-856B-FBB27AC4E02C}" = QuickTime
"{5A9FE525-8B8F-4701-A937-7F6745A4E9C7}" = RGSS-RTP Standard
"{5C93E291-A1CC-4E51-85C6-E194209FCDB4}" = Zune Language Pack (PTG)
"{60D32CDC-E3BE-4578-BA10-29322307CDDC}" = Logitech Gaming Software 5.10
"{6740BCB0-5863-47F4-80F4-44F394DE4FE2}" = Zune Language Pack (NLD)
"{6B33492E-FBBC-4EC3-8738-09E16E395A10}" = Zune Language Pack (ESP)
"{6C1E7AA1-44E9-446D-AAB2-0DE6D9EFEAB1}" = Safari
"{6CB35178-9E25-48fb-9F86-E40ADC7043B6}" = The Sims™ 2 Best of Business Collection
"{7006ED29-58F2-40C3-AE87-039287AD20B6}" = Zune
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{853A4763-6643-4604-8D64-28BDD8925F4C}" = Apple Application Support
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel® Graphics Media Accelerator Driver
"{8E7D0A7F-B85F-44DC-8C1C-2A2C27BAEA0B}_is1" = Psycle 1.8.8
"{8F3C31C5-9C3A-4AA8-8EFA-71290A7AD533}" = TomTom HOME Visual Studio Merge Modules
"{907B4640-266B-4A21-92FB-CD1A86CD0F63}" = RollerCoaster Tycoon 3
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A4D77A09-10EA-4574-8C09-9B6E1A21C95F}" = Virus Guard - powered by BitDefender
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{A9F6CFB0-806D-11E0-8EA1-B8AC6F97B88E}" = Google Earth Plug-in
"{AC76BA86-7AD7-1033-7B44-A94000000001}" = Adobe Reader 9.4.5
"{BE236D9A-52EC-4A17-82DA-84B5EAD31E3E}" = Zune Language Pack (DEU)
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C22E50B4-B9D0-4a07-B1F3-12362514FEA7}" = The Sims™ 2 Double Deluxe
"{C2E4B5BD-32DB-4817-A060-341AB17C3F90}" = Bonjour
"{C41300B9-185D-475E-BFEC-39EF732F19B1}" = Apple Software Update
"{C5D37FFA-7483-410B-982B-91E93FD3B7DA}" = Zune Language Pack (ITA)
"{C68D33B1-0204-4EBE-BC45-A6E432B1D13A}" = Zune Language Pack (FRA)
"{CACAEB5F-174D-4C7C-AC56-A33289A807CA}" = Apple Mobile Device Support
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{E89B484C-B913-49A0-959B-89E836001658}" = GEAR 32bit Driver Installer
"{F2CB8C3C-9C9E-4FAB-9067-655601C5F748}" = Windows Mobile Device Updater Component
"{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Audacity_is1" = Audacity 1.2.6
"avast" = avast! Free Antivirus
"BFGC" = Big Fish Games Client
"BFG-Mystery Case Files - Prime Suspects" = Mystery Case Files: Prime Suspects ™
"BitTorrent" = BitTorrent
"Buzz_is1" = Buzz
"Cake Mania 2_is1" = Cake Mania 2
"CCleaner" = CCleaner
"Cooking Academy 2 World Cuisine1.0.1" = Cooking Academy 2 World Cuisine
"County Fair1.0.10" = County Fair
"CSI-3 Dimensions of Murder" = CSI-3 Dimensions of Murder 1.1
"daHornet VSTi V1.34_is1" = daHornet Version 1.34
"DarkWave Studio" = DarkWave Studio 3.2.7
"DDDP_is1" = discoDSP Discovery Pro
"EADM" = EA Download Manager
"ES DGenR8 VST" = ES DGenR8 VST 2.9.5
"Farm Frenzy 2" = Farm Frenzy 2
"Frohmage VST2" = OhmForce Frohmage VST2
"Hamster Free Video Converter_is1" = HamsterFreeVideoConverter
"HospitalTycoon" = Hospital Tycoon
"ie8" = Windows Internet Explorer 8
"InstallShield_{3BC8D2F1-8CA2-4AF9-99C7-8598AFFDEF8F}" = Thrillville™: '07
"LADSPA_plugins-win_is1" = LADSPA_plugins-win-0.4.15
"Live 8.2.1" = Live 8.2.1
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware version 1.51.0.1200
"MeldaProduction Free VST Effects" = MeldaProduction Free VST Effects
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"MixMeister BPM Analyzer_is1" = MixMeister BPM Analyzer 1.0
"mmssetup_is1" = MixMeister Studio Demo 7.4.4
"Mozilla Firefox (3.6.13)" = Mozilla Firefox (3.6.13)
"Mozilla Firefox 5.0 (x86 en-US)" = Mozilla Firefox 5.0 (x86 en-US)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"Naviextras Toolbox" = Naviextras Toolbox
"TomTom HOME" = TomTom HOME 2.7.6.2056
"TRIP LiveSticks1.0.6" = LiveSticks1.0.6
"Unlocker" = Unlocker 1.8.8
"VLC media player" = VLC media player 1.0.5
"Wdf01005" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
"Wdf01009" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.9
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"WinRAR archiver" = WinRAR archiver
"winusb0100" = Microsoft WinUsb 1.0
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01009" = Microsoft User-Mode Driver Framework Feature Pack 1.9
"Zune" = Zune

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-1645522239-1682526488-1644491937-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"f031ef6ac137efc5" = Dell Driver Download Manager

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 6/19/2011 9:30:11 AM | Computer Name = AMYS | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: 403 (HTTP Response Status)

Error - 6/19/2011 9:30:12 AM | Computer Name = AMYS | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 6/19/2011 9:40:43 AM | Computer Name = AMYS | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: The connection with the server was terminated abnormally

Error - 6/19/2011 9:40:44 AM | Computer Name = AMYS | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 6/30/2011 5:58:08 PM | Computer Name = AMYS | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: The connection with the server was terminated abnormally

Error - 6/30/2011 5:58:17 PM | Computer Name = AMYS | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: The connection with the server was terminated abnormally

Error - 6/30/2011 6:11:22 PM | Computer Name = AMYS | Source = Windows Search Service | ID = 3024
Description = The update cannot be started because the content sources cannot be
accessed. Fix the errors and try the update again. Context: Application, SystemIndex
Catalog

Error - 6/30/2011 8:49:43 PM | Computer Name = AMYS | Source = EventSystem | ID = 4614
Description = The COM+ Event System detected an inconsistency in its internal state.
The assertion "GetLastError() == 122L" failed at line 162 of d:\comxp_sp3\com\com1x\src\events\shared\sectools.cpp.
Please contact Microsoft Product Support Services to report this erro

Error - 6/30/2011 10:00:38 PM | Computer Name = AMYS | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: The connection with the server was terminated abnormally

Error - 6/30/2011 10:00:43 PM | Computer Name = AMYS | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

[ Application Events ]
Error - 6/19/2011 9:30:11 AM | Computer Name = AMYS | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: 403 (HTTP Response Status)

Error - 6/19/2011 9:30:12 AM | Computer Name = AMYS | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 6/19/2011 9:40:43 AM | Computer Name = AMYS | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: The connection with the server was terminated abnormally

Error - 6/19/2011 9:40:44 AM | Computer Name = AMYS | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 6/30/2011 5:58:08 PM | Computer Name = AMYS | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: The connection with the server was terminated abnormally

Error - 6/30/2011 5:58:17 PM | Computer Name = AMYS | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: The connection with the server was terminated abnormally

Error - 6/30/2011 6:11:22 PM | Computer Name = AMYS | Source = Windows Search Service | ID = 3024
Description = The update cannot be started because the content sources cannot be
accessed. Fix the errors and try the update again. Context: Application, SystemIndex
Catalog

Error - 6/30/2011 8:49:43 PM | Computer Name = AMYS | Source = EventSystem | ID = 4614
Description = The COM+ Event System detected an inconsistency in its internal state.
The assertion "GetLastError() == 122L" failed at line 162 of d:\comxp_sp3\com\com1x\src\events\shared\sectools.cpp.
Please contact Microsoft Product Support Services to report this erro

Error - 6/30/2011 10:00:38 PM | Computer Name = AMYS | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: The connection with the server was terminated abnormally

Error - 6/30/2011 10:00:43 PM | Computer Name = AMYS | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

[ Application Events ]
Error - 6/19/2011 9:30:11 AM | Computer Name = AMYS | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: 403 (HTTP Response Status)

Error - 6/19/2011 9:30:12 AM | Computer Name = AMYS | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 6/19/2011 9:40:43 AM | Computer Name = AMYS | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: The connection with the server was terminated abnormally

Error - 6/19/2011 9:40:44 AM | Computer Name = AMYS | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 6/30/2011 5:58:08 PM | Computer Name = AMYS | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: The connection with the server was terminated abnormally

Error - 6/30/2011 5:58:17 PM | Computer Name = AMYS | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: The connection with the server was terminated abnormally

Error - 6/30/2011 6:11:22 PM | Computer Name = AMYS | Source = Windows Search Service | ID = 3024
Description = The update cannot be started because the content sources cannot be
accessed. Fix the errors and try the update again. Context: Application, SystemIndex
Catalog

Error - 6/30/2011 8:49:43 PM | Computer Name = AMYS | Source = EventSystem | ID = 4614
Description = The COM+ Event System detected an inconsistency in its internal state.
The assertion "GetLastError() == 122L" failed at line 162 of d:\comxp_sp3\com\com1x\src\events\shared\sectools.cpp.
Please contact Microsoft Product Support Services to report this erro

Error - 6/30/2011 10:00:38 PM | Computer Name = AMYS | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: The connection with the server was terminated abnormally

Error - 6/30/2011 10:00:43 PM | Computer Name = AMYS | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

[ System Events ]
Error - 7/3/2011 10:43:38 AM | Computer Name = AMYS | Source = Service Control Manager | ID = 7023
Description = The Intel CPU service terminated with the following error: %%126

Error - 7/3/2011 11:24:44 AM | Computer Name = AMYS | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the FlipShare Service service
to connect.

Error - 7/3/2011 11:24:44 AM | Computer Name = AMYS | Source = Service Control Manager | ID = 7000
Description = The FlipShare Service service failed to start due to the following
error: %%1053

Error - 7/3/2011 11:24:44 AM | Computer Name = AMYS | Source = Service Control Manager | ID = 7023
Description = The Intel CPU service terminated with the following error: %%126

Error - 7/3/2011 11:32:25 AM | Computer Name = AMYS | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the FlipShare Service service
to connect.

Error - 7/3/2011 11:32:25 AM | Computer Name = AMYS | Source = Service Control Manager | ID = 7000
Description = The FlipShare Service service failed to start due to the following
error: %%1053

Error - 7/3/2011 11:32:25 AM | Computer Name = AMYS | Source = Service Control Manager | ID = 7023
Description = The Intel CPU service terminated with the following error: %%126

Error - 7/3/2011 12:02:06 PM | Computer Name = AMYS | Source = PlugPlayManager | ID = 11
Description = The device Root\LEGACY_UNLOCKERDRIVER5\0000 disappeared from the system
without first being prepared for removal.

Error - 7/3/2011 12:14:56 PM | Computer Name = AMYS | Source = Dhcp | ID = 1001
Description = Your computer was not assigned an address from the network (by the
DHCP Server) for the Network Card with network address 0015E9B75785. The following
error occurred: %%1223. Your computer will continue to try and obtain an address
on its own from the network address (DHCP) server.

Error - 7/3/2011 12:20:06 PM | Computer Name = AMYS | Source = Dhcp | ID = 1001
Description = Your computer was not assigned an address from the network (by the
DHCP Server) for the Network Card with network address 0015E9B75785. The following
error occurred: %%1223. Your computer will continue to try and obtain an address
on its own from the network address (DHCP) server.

[ System Events ]
Error - 7/3/2011 10:43:38 AM | Computer Name = AMYS | Source = Service Control Manager | ID = 7023
Description = The Intel CPU service terminated with the following error: %%126

Error - 7/3/2011 11:24:44 AM | Computer Name = AMYS | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the FlipShare Service service
to connect.

Error - 7/3/2011 11:24:44 AM | Computer Name = AMYS | Source = Service Control Manager | ID = 7000
Description = The FlipShare Service service failed to start due to the following
error: %%1053

Error - 7/3/2011 11:24:44 AM | Computer Name = AMYS | Source = Service Control Manager | ID = 7023
Description = The Intel CPU service terminated with the following error: %%126

Error - 7/3/2011 11:32:25 AM | Computer Name = AMYS | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the FlipShare Service service
to connect.

Error - 7/3/2011 11:32:25 AM | Computer Name = AMYS | Source = Service Control Manager | ID = 7000
Description = The FlipShare Service service failed to start due to the following
error: %%1053

Error - 7/3/2011 11:32:25 AM | Computer Name = AMYS | Source = Service Control Manager | ID = 7023
Description = The Intel CPU service terminated with the following error: %%126

Error - 7/3/2011 12:02:06 PM | Computer Name = AMYS | Source = PlugPlayManager | ID = 11
Description = The device Root\LEGACY_UNLOCKERDRIVER5\0000 disappeared from the system
without first being prepared for removal.

Error - 7/3/2011 12:14:56 PM | Computer Name = AMYS | Source = Dhcp | ID = 1001
Description = Your computer was not assigned an address from the network (by the
DHCP Server) for the Network Card with network address 0015E9B75785. The following
error occurred: %%1223. Your computer will continue to try and obtain an address
on its own from the network address (DHCP) server.

Error - 7/3/2011 12:20:06 PM | Computer Name = AMYS | Source = Dhcp | ID = 1001
Description = Your computer was not assigned an address from the network (by the
DHCP Server) for the Network Card with network address 0015E9B75785. The following
error occurred: %%1223. Your computer will continue to try and obtain an address
on its own from the network address (DHCP) server.


< End of report >

#14 Broni Re: [RESOLVED] My sister win xp desktop machine badly infected

    Malware Annihilator

  • 24,883 posts
  • Joined: October 04, 2004
  • 1,860 topics
  • Age: 57
  • Skin: IPBoard wide
  • Local time: 05:56 PM
  • Zodiac:Virgo
  • Gender:Male
  • Location:Daly City, CA
  • OS:Windows Vista
  • Country:
Online
  • Time Online: 57d 9h 20m 43s

Posted 03 July 2011 - 05:55 PM

Very well. We'll remove leftovers manually with OTL fix.

1. Update your Java version here: http://www.java.com/...d/installed.jsp

Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

Note 2: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

2. Now, we need to remove old Java version and its remnants...

Download JavaRa to your desktop and unzip it to its own folder
  • Run JavaRa.exe (Vista users! Right click on JavaRa.exe, click Run As Administrator), pick the language of your choice and click Select. Then click Remove Older Versions.
  • Accept any prompts.

===============================================================================================

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
PRC - [2010/11/12 17:06:50 | 000,197,632 | ---- | M] () -- C:\Program Files\TypoBounty ToolBar\TbHelper2.exe
[2011/01/02 20:20:08 | 000,000,000 | ---D | M] (Search Toolbar) -- C:\Documents and Settings\Amy\Application Data\Mozilla\Firefox\Profiles\sr7ob710.default\extensions\searchtoolbar@zugo.com
O4 - Startup: C:\Documents and Settings\Amy\Start Menu\Programs\Startup\RollerCoaster Tycoon 3 Registration.lnk = File not found
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - File not found
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - File not found
[2011/06/30 18:03:28 | 000,000,000 | ---D | C] -- C:\Program Files\Shop to Win 11
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[2011/06/30 18:32:53 | 000,013,154 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\7727v7t7ol15v
[2011/06/30 18:24:47 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Amy\Local Settings\Application Data\tnt.exe
[2011/06/30 18:24:47 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Amy\Local Settings\Application Data\rox.exe
[2011/06/30 18:24:47 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Amy\Local Settings\Application Data\pfs.exe
[2011/06/30 18:24:47 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Amy\Local Settings\Application Data\ocr.exe
[2011/06/30 18:24:32 | 000,000,000 | -HS- | M] () -- C:\Documents and Settings\Amy\Local Settings\Application Data\7727v7t7ol15v
[2011/06/30 18:24:32 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Amy\Local Settings\Application Data\qat.exe
[2011/06/30 18:24:32 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Amy\Local Settings\Application Data\ibe.exe
[2011/06/30 18:24:32 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Amy\Local Settings\Application Data\ecm.exe
[2011/06/30 18:24:32 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Amy\Local Settings\Application Data\cil.exe
[2011/06/07 23:36:23 | 000,000,120 | ---- | M] () -- C:\WINDOWS\Equfinubesidacib.dat
[2011/06/30 18:02:59 | 000,013,162 | -HS- | C] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\7727v7t7ol15v
[2011/06/30 18:02:59 | 000,013,154 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\7727v7t7ol15v
[2011/05/25 15:16:29 | 000,000,056 | RHS- | C] () -- C:\WINDOWS\System32\C7416E2BB8.sys
@Alternate Data Stream - 137 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:78E0DF72
@Alternate Data Stream - 123 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:9857FAE3
@Alternate Data Stream - 113 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:1740DC47


:Services

:Reg

:Files
C:\Program Files\TypoBounty ToolBar


:Commands
[purity]
[emptytemp]
[emptyflash]
[Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • You will get a log that shows the results of the fix. Please post it.

======================================================================

Last scans...

1. Download Security Check from HERE, and save it to your Desktop.
  • Double-click SecurityCheck.exe
  • Follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

    NOTE SecurityCheck may produce some false warning(s), so leave the results reading to me.


2. Download Temp File Cleaner (TFC)
  • Double click on TFC.exe to run the program.
  • Click on Start button to begin cleaning process.
  • TFC will close all running programs, and it may ask you to restart computer.


3. Please run a free online scan with the ESET Online Scanner

  • Disable your antivirus program
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • IMPORTANT! UN-check Remove found threats
  • Accept any security warnings from your browser.
  • Check Scan archives
  • Click Start
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push List of found threats
  • Click on Export to text file , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • NOTE. If Eset won't find any threats, it won't produce any log.

Posted Image Posted Image


#15 ProblemsRBad Re: [RESOLVED] My sister win xp desktop machine badly infected

    Member

  • 161 posts
  • Joined: June 23, 2011
  • 15 topics
  • Skin: IP.Board
  • Local time: 07:56 PM
  • Zodiac:Aries
  • OS:Windows 7
  • Country:
Offline
  • Time Online: 3d 20h 16m 27s

Posted 05 July 2011 - 12:22 PM

After running otl the system froze up for about 5-6 hours. I ended up having to push the power button to power down the system. After booting back in I see otl made a log. I ran securitycheck/tfc and after finish each when I went to reboot the system hung at the windows shutdown for 5-6 hours. I ended up pushing the button to power down the system. After booting up I see sc/tfc made logs. Eset found 53 viruses.

JavaRa 1.16 Removal Log.

Report follows after line.

------------------------------------

The JavaRa removal process was started on Sun Jul 03 14:14:04 2011

Found and removed: C:\Documents and Settings\Amy\Application Data\Sun\Java\jre1.6.0_22

Found and removed: Applications\java.exe

Found and removed: Applications\javaw.exe

Found and removed: JavaPlugin.FamilyVersionSupport

Found and removed: CLSID\{CAFEEFAC-0013-0000-0003-ABCDEFFEDCBA}

Found and removed: CLSID\{CAFEEFAC-0013-0000-0004-ABCDEFFEDCBA}

Found and removed: CLSID\{CAFEEFAC-0013-0000-0005-ABCDEFFEDCBA}

Found and removed: CLSID\{CAFEEFAC-0013-0001-0000-ABCDEFFEDCBA}

Found and removed: CLSID\{CAFEEFAC-0013-0001-0001-ABCDEFFEDCBA}

Found and removed: CLSID\{CAFEEFAC-0013-0001-0001-ABCDEFFEDCBB}

Found and removed: CLSID\{CAFEEFAC-0013-0001-0002-ABCDEFFEDCBA}

Found and removed: CLSID\{CAFEEFAC-0013-0001-0002-ABCDEFFEDCBB}

Found and removed: CLSID\{CAFEEFAC-0013-0001-0003-ABCDEFFEDCBA}

Found and removed: CLSID\{CAFEEFAC-0013-0001-0003-ABCDEFFEDCBB}

Found and removed: CLSID\{CAFEEFAC-0013-0001-0004-ABCDEFFEDCBA}

Found and removed: CLSID\{CAFEEFAC-0013-0001-0004-ABCDEFFEDCBB}

Found and removed: CLSID\{CAFEEFAC-0013-0001-0005-ABCDEFFEDCBA}

Found and removed: CLSID\{CAFEEFAC-0013-0001-0005-ABCDEFFEDCBB}

Found and removed: CLSID\{CAFEEFAC-0013-0001-0006-ABCDEFFEDCBA}

Found and removed: CLSID\{CAFEEFAC-0013-0001-0006-ABCDEFFEDCBB}

Found and removed: CLSID\{CAFEEFAC-0013-0001-0007-ABCDEFFEDCBA}

Found and removed: CLSID\{CAFEEFAC-0013-0001-0007-ABCDEFFEDCBB}

Found and removed: CLSID\{CAFEEFAC-0013-0001-0008-ABCDEFFEDCBA}

Found and removed: CLSID\{CAFEEFAC-0013-0001-0008-ABCDEFFEDCBB}

Found and removed: CLSID\{CAFEEFAC-0013-0001-0009-ABCDEFFEDCBA}

Found and removed: CLSID\{CAFEEFAC-0013-0001-0009-ABCDEFFEDCBB}

Found and removed: CLSID\{CAFEEFAC-0013-0001-0010-ABCDEFFEDCBA}

Found and removed: CLSID\{CAFEEFAC-0013-0001-0010-ABCDEFFEDCBB}

Found and removed: CLSID\{CAFEEFAC-0013-0001-0011-ABCDEFFEDCBA}

Found and removed: CLSID\{CAFEEFAC-0013-0001-0011-ABCDEFFEDCBB}

Found and removed: CLSID\{CAFEEFAC-0013-0001-0012-ABCDEFFEDCBA}

Found and removed: CLSID\{CAFEEFAC-0013-0001-0012-ABCDEFFEDCBB}

Found and removed: CLSID\{CAFEEFAC-0013-0001-0013-ABCDEFFEDCBA}

Found and removed: CLSID\{CAFEEFAC-0013-0001-0013-ABCDEFFEDCBB}

Found and removed: CLSID\{CAFEEFAC-0013-0001-0014-ABCDEFFEDCBA}

Found and removed: CLSID\{CAFEEFAC-0013-0001-0014-ABCDEFFEDCBB}

Found and removed: CLSID\{CAFEEFAC-0013-0001-0015-ABCDEFFEDCBA}

Found and removed: CLSID\{CAFEEFAC-0013-0001-0015-ABCDEFFEDCBB}

Found and removed: CLSID\{CAFEEFAC-0013-0001-0016-ABCDEFFEDCBA}

Found and removed: CLSID\{CAFEEFAC-0013-0001-0016-ABCDEFFEDCBB}

Found and removed: CLSID\{CAFEEFAC-0013-0001-0017-ABCDEFFEDCBA}

Found and removed: CLSID\{CAFEEFAC-0013-0001-0017-ABCDEFFEDCBB}

Found and removed: CLSID\{CAFEEFAC-0013-0001-0018-ABCDEFFEDCBA}

Found and removed: CLSID\{CAFEEFAC-0013-0001-0018-ABCDEFFEDCBB}

Found and removed: CLSID\{CAFEEFAC-0013-0001-0019-ABCDEFFEDCBA}

Found and removed: CLSID\{CAFEEFAC-0013-0001-0019-ABCDEFFEDCBB}

Found and removed: CLSID\{CAFEEFAC-0013-0001-0020-ABCDEFFEDCBA}

Found and removed: CLSID\{CAFEEFAC-0013-0001-0020-ABCDEFFEDCBB}

Found and removed: CLSID\{CAFEEFAC-0013-0001-0021-ABCDEFFEDCBA}

Found and removed: CLSID\{CAFEEFAC-0013-0001-0021-ABCDEFFEDCBB}

Found and removed: CLSID\{CAFEEFAC-0013-0001-0022-ABCDEFFEDCBA}

Found and removed: CLSID\{CAFEEFAC-0013-0001-0022-ABCDEFFEDCBB}

Found and removed: CLSID\{CAFEEFAC-0013-0001-0023-ABCDEFFEDCBA}

Found and removed: CLSID\{CAFEEFAC-0013-0001-0023-ABCDEFFEDCBB}

Found and removed: CLSID\{CAFEEFAC-0013-0001-0024-ABCDEFFEDCBA}

Found and removed: CLSID\{CAFEEFAC-0013-0001-0024-ABCDEFFEDCBB}

Found and removed: CLSID\{CAFEEFAC-0013-0001-0025-ABCDEFFEDCBA}

Found and removed: CLSID\{CAFEEFAC-0013-0001-0025-ABCDEFFEDCBB}

Found and removed: CLSID\{CAFEEFAC-0013-0001-0026-ABCDEFFEDCBA}

Found and removed: CLSID\{CAFEEFAC-0013-0001-0026-ABCDEFFEDCBB}

Found and removed: CLSID\{CAFEEFAC-0013-0001-0027-ABCDEFFEDCBA}

Found and removed: CLSID\{CAFEEFAC-0013-0001-0027-ABCDEFFEDCBB}

Found and removed: CLSID\{CAFEEFAC-0013-0001-0028-ABCDEFFEDCBA}

Found and removed: CLSID\{CAFEEFAC-0013-0001-0028-ABCDEFFEDCBB}

Found and removed: CLSID\{CAFEEFAC-0013-0001-0029-ABCDEFFEDCBA}

Found and removed: CLSID\{CAFEEFAC-0013-0001-0029-ABCDEFFEDCBB}

Found and removed: CLSID\{CAFEEFAC-0013-0001-0030-ABCDEFFEDCBA}

Found and removed: CLSID\{CAFEEFAC-0013-0001-0030-ABCDEFFEDCBB}

Found and removed: CLSID\{CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA}

Found and removed: CLSID\{CAFEEFAC-0014-0000-0000-ABCDEFFEDCBB}

Found and removed: CLSID\{CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA}

Found and removed: CLSID\{CAFEEFAC-0014-0000-0001-ABCDEFFEDCBB}

Found and removed: CLSID\{CAFEEFAC-0014-0000-0002-ABCDEFFEDCBA}

Found and removed: CLSID\{CAFEEFAC-0014-0000-0002-ABCDEFFEDCBB}

Found and removed: CLSID\{CAFEEFAC-0014-0000-0003-ABCDEFFEDCBA}

Found and removed: CLSID\{CAFEEFAC-0014-0000-0003-ABCDEFFEDCBB}

Found and removed: CLSID\{CAFEEFAC-0014-0000-0004-ABCDEFFEDCBA}

Found and removed: CLSID\{CAFEEFAC-0014-0000-0004-ABCDEFFEDCBB}

Found and removed: CLSID\{CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA}

Found and removed: CLSID\{CAFEEFAC-0014-0001-0000-ABCDEFFEDCBB}

Found and removed: CLSID\{CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA}

Found and removed: CLSID\{CAFEEFAC-0014-0001-0001-ABCDEFFEDCBB}

Found and removed: CLSID\{CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA}

Found and removed: CLSID\{CAFEEFAC-0014-0001-0002-ABCDEFFEDCBB}

Found and removed: CLSID\{CAFEEFAC-0014-0001-0003-ABCDEFFEDCBA}

Found and removed: CLSID\{CAFEEFAC-0014-0001-0003-ABCDEFFEDCBB}

Found and removed: CLSID\{CAFEEFAC-0014-0001-0004-ABCDEFFEDCBA}

Found and removed: CLSID\{CAFEEFAC-0014-0001-0004-ABCDEFFEDCBB}

Found and removed: CLSID\{CAFEEFAC-0014-0001-0005-ABCDEFFEDCBA}

Found and removed: CLSID\{CAFEEFAC-0014-0001-0005-ABCDEFFEDCBB}

Found and removed: CLSID\{CAFEEFAC-0014-0001-0006-ABCDEFFEDCBA}

Found and removed: CLSID\{CAFEEFAC-0014-0001-0006-ABCDEFFEDCBB}

Found and removed: CLSID\{CAFEEFAC-0014-0001-0007-ABCDEFFEDCBA}

Found and removed: CLSID\{CAFEEFAC-0014-0001-0007-ABCDEFFEDCBB}

Found and removed: CLSID\{CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA}

Found and removed: CLSID\{CAFEEFAC-0014-0002-0000-ABCDEFFEDCBB}

Found and removed: CLSID\{CAFEEFAC-0014-0002-0001-ABCDEFFEDCBA}

Found and removed: CLSID\{CAFEEFAC-0014-0002-0001-ABCDEFFEDCBB}

Found and removed: CLSID\{CAFEEFAC-0014-0002-0002-ABCDEFFEDCBA}

Found and removed: CLSID\{CAFEEFAC-0014-0002-0002-ABCDEFFEDCBB}

Found and removed: CLSID\{CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA}

Found and removed: CLSID\{CAFEEFAC-0014-0002-0003-ABCDEFFEDCBB}

Found and removed: CLSID\{CAFEEFAC-0014-0002-0004-ABCDEFFEDCBA}

Found and removed: CLSID\{CAFEEFAC-0014-0002-0004-ABCDEFFEDCBB}

Found and removed: CLSID\{CAFEEFAC-0014-0002-0005-ABCDEFFEDCBA}

Found and removed: CLSID\{CAFEEFAC-0014-0002-0005-ABCDEFFEDCBB}

Found and removed: CLSID\{CAFEEFAC-0014-0002-0006-ABCDEFFEDCBA}

Found and removed: CLSID\{CAFEEFAC-0014-0002-0006-ABCDEFFEDCBB}

Found and removed: CLSID\{CAFEEFAC-0014-0002-0007-ABCDEFFEDCBA}

Found and removed: CLSID\{CAFEEFAC-0014-0002-0007-ABCDEFFEDCBB}

Found and removed: CLSID\{CAFEEFAC-0014-0002-0008-ABCDEFFEDCBA}

Found and removed: CLSID\{CAFEEFAC-0014-0002-0008-ABCDEFFEDCBB}

Found and removed: CLSID\{CAFEEFAC-0014-0002-0009-ABCDEFFEDCBA}

Found and removed: CLSID\{CAFEEFAC-0014-0002-0009-ABCDEFFEDCBB}

Found and removed: CLSID\{CAFEEFAC-0014-0002-0010-ABCDEFFEDCBA}

Found and removed: CLSID\{CAFEEFAC-0014-0002-0010-ABCDEFFEDCBB}

Found and removed: CLSID\{CAFEEFAC-0014-0002-0011-ABCDEFFEDCBA}

Found and removed: CLSID\{CAFEEFAC-0014-0002-0011-ABCDEFFEDCBB}

Found and removed: CLSID\{CAFEEFAC-0014-0002-0012-ABCDEFFEDCBA}

Found and removed: CLSID\{CAFEEFAC-0014-0002-0012-ABCDEFFEDCBB}

Found and removed: CLSID\{CAFEEFAC-0014-0002-0013-ABCDEFFEDCBA}

Found and removed: CLSID\{CAFEEFAC-0014-0002-0013-ABCDEFFEDCBB}

Found and removed: CLSID\{CAFEEFAC-0014-0002-0014-ABCDEFFEDCBA}

Found and removed: CLSID\{CAFEEFAC-0014-0002-0014-ABCDEFFEDCBB}

Found and removed: CLSID\{CAFEEFAC-0014-0002-0015-ABCDEFFEDCBA}

Found and removed: CLSID\{CAFEEFAC-0014-0002-0015-ABCDEFFEDCBB}

Found and removed: CLSID\{CAFEEFAC-0014-0002-0016-ABCDEFFEDCBA}

Found and removed: CLSID\{CAFEEFAC-0014-0002-0016-ABCDEFFEDCBB}

Found and removed: CLSID\{CAFEEFAC-0014-0002-0017-ABCDEFFEDCBA}

Found and removed: CLSID\{CAFEEFAC-0014-0002-0017-ABCDEFFEDCBB}

Found and removed: CLSID\{CAFEEFAC-0014-0002-0018-ABCDEFFEDCBA}

Found and removed: CLSID\{CAFEEFAC-0014-0002-0018-ABCDEFFEDCBB}

Found and removed: CLSID\{CAFEEFAC-0014-0002-0019-ABCDEFFEDCBA}

Found and removed: CLSID\{CAFEEFAC-0014-0002-0019-ABCDEFFEDCBB}

Found and removed: CLSID\{CAFEEFAC-0014-0002-0020-ABCDEFFEDCBA}

Found and removed: CLSID\{CAFEEFAC-0014-0002-0020-ABCDEFFEDCBB}

Found and removed: CLSID\{CAFEEFAC-0014-0002-0021-ABCDEFFEDCBA}

Found and removed: CLSID\{CAFEEFAC-0014-0002-0021-ABCDEFFEDCBB}

Found and removed: CLSID\{CAFEEFAC-0014-0002-0022-ABCDEFFEDCBA}

Found and removed: CLSID\{CAFEEFAC-0014-0002-0022-ABCDEFFEDCBB}

Found and removed: CLSID\{CAFEEFAC-0014-0002-0023-ABCDEFFEDCBA}

Found and removed: CLSID\{CAFEEFAC-0014-0002-0023-ABCDEFFEDCBB}

Found and removed: CLSID\{CAFEEFAC-0014-0002-0024-ABCDEFFEDCBA}

Found and removed: CLSID\{CAFEEFAC-0014-0002-0024-ABCDEFFEDCBB}

Found and removed: CLSID\{CAFEEFAC-0014-0002-0025-ABCDEFFEDCBA}

Found and removed: CLSID\{CAFEEFAC-0014-0002-0025-ABCDEFFEDCBB}

Found and removed: CLSID\{CAFEEFAC-0014-0002-0026-ABCDEFFEDCBA}

Found and removed: CLSID\{CAFEEFAC-0014-0002-0026-ABCDEFFEDCBB}

Found and removed: CLSID\{CAFEEFAC-0014-0002-0027-ABCDEFFEDCBA}

Found and removed: CLSID\{CAFEEFAC-0014-0002-0027-ABCDEFFEDCBB}

Found and removed: CLSID\{CAFEEFAC-0014-0002-0028-ABCDEFFEDCBA}

Found and removed: CLSID\{CAFEEFAC-0014-0002-0028-ABCDEFFEDCBB}

Found and removed: CLSID\{CAFEEFAC-0014-0002-0029-ABCDEFFEDCBA}

Found and removed: CLSID\{CAFEEFAC-0014-0002-0029-ABCDEFFEDCBB}

Found and removed: CLSID\{CAFEEFAC-0014-0002-0030-ABCDEFFEDCBA}

Found and removed: CLSID\{CAFEEFAC-0014-0002-0030-ABCDEFFEDCBB}

Found and removed: CLSID\{CAFEEFAC-0014-0002-FFFF-ABCDEFFEDCBA}

Found and removed: CLSID\{CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA}

Found and removed: CLSID\{CAFEEFAC-0015-0000-0000-ABCDEFFEDCBB}

Found and removed: CLSID\{CAFEEFAC-0015-0000-0000-ABCDEFFEDCBC}

Found and removed: CLSID\{CAFEEFAC-0015-0000-0001-ABCDEFFEDCBA}

Found and removed: CLSID\{CAFEEFAC-0015-0000-0001-ABCDEFFEDCBB}

Found and removed: CLSID\{CAFEEFAC-0015-0000-0001-ABCDEFFEDCBC}

Found and removed: CLSID\{CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA}

Found and removed: CLSID\{CAFEEFAC-0015-0000-0002-ABCDEFFEDCBB}

Found and removed: CLSID\{CAFEEFAC-0015-0000-0002-ABCDEFFEDCBC}

Found and removed: CLSID\{CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA}

Found and removed: CLSID\{CAFEEFAC-0015-0000-0003-ABCDEFFEDCBB}

Found and removed: CLSID\{CAFEEFAC-0015-0000-0003-ABCDEFFEDCBC}

Found and removed: CLSID\{CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA}

Found and removed: CLSID\{CAFEEFAC-0015-0000-0004-ABCDEFFEDCBB}

Found and removed: CLSID\{CAFEEFAC-0015-0000-0004-ABCDEFFEDCBC}

Found and removed: CLSID\{CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA}

Found and removed: CLSID\{CAFEEFAC-0015-0000-0005-ABCDEFFEDCBB}

Found and removed: CLSID\{CAFEEFAC-0015-0000-0005-ABCDEFFEDCBC}

Found and removed: CLSID\{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}

Found and removed: CLSID\{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBB}

Found and removed: CLSID\{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC}

Found and removed: CLSID\{CAFEEFAC-0015-0000-0007-ABCDEFFEDCBA}

Found and removed: CLSID\{CAFEEFAC-0015-0000-0007-ABCDEFFEDCBB}

Found and removed: CLSID\{CAFEEFAC-0015-0000-0007-ABCDEFFEDCBC}

Found and removed: CLSID\{CAFEEFAC-0015-0000-0008-ABCDEFFEDCBA}

Found and removed: CLSID\{CAFEEFAC-0015-0000-0008-ABCDEFFEDCBB}

Found and removed: CLSID\{CAFEEFAC-0015-0000-0008-ABCDEFFEDCBC}

Found and removed: CLSID\{CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA}

Found and removed: CLSID\{CAFEEFAC-0015-0000-0009-ABCDEFFEDCBB}

Found and removed: CLSID\{CAFEEFAC-0015-0000-0009-ABCDEFFEDCBC}

Found and removed: CLSID\{CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA}

Found and removed: CLSID\{CAFEEFAC-0015-0000-0010-ABCDEFFEDCBB}

Found and removed: CLSID\{CAFEEFAC-0015-0000-0010-ABCDEFFEDCBC}

Found and removed: CLSID\{CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA}

Found and removed: CLSID\{CAFEEFAC-0015-0000-0011-ABCDEFFEDCBB}

Found and removed: CLSID\{CAFEEFAC-0015-0000-0011-ABCDEFFEDCBC}

Found and removed: CLSID\{CAFEEFAC-0015-0000-0012-ABCDEFFEDCBA}

Found and removed: CLSID\{CAFEEFAC-0015-0000-0012-ABCDEFFEDCBB}

Found and removed: CLSID\{CAFEEFAC-0015-0000-0012-ABCDEFFEDCBC}

Found and removed: CLSID\{CAFEEFAC-0015-0000-0013-ABCDEFFEDCBA}

Found and removed: CLSID\{CAFEEFAC-0015-0000-0013-ABCDEFFEDCBB}

Found and removed: CLSID\{CAFEEFAC-0015-0000-0013-ABCDEFFEDCBC}

Found and removed: CLSID\{CAFEEFAC-0015-0000-0014-ABCDEFFEDCBA}

Found and removed: CLSID\{CAFEEFAC-0015-0000-0014-ABCDEFFEDCBB}

Found and removed: CLSID\{CAFEEFAC-0015-0000-0014-ABCDEFFEDCBC}

Found and removed: CLSID\{CAFEEFAC-0015-0000-0015-ABCDEFFEDCBA}

Found and removed: CLSID\{CAFEEFAC-0015-0000-0015-ABCDEFFEDCBB}

Found and removed: CLSID\{CAFEEFAC-0015-0000-0015-ABCDEFFEDCBC}

Found and removed: CLSID\{CAFEEFAC-0015-0000-0016-ABCDEFFEDCBA}

Found and removed: CLSID\{CAFEEFAC-0015-0000-0016-ABCDEFFEDCBB}

Found and removed: CLSID\{CAFEEFAC-0015-0000-0016-ABCDEFFEDCBC}

Found and removed: CLSID\{CAFEEFAC-0015-0000-0017-ABCDEFFEDCBA}

Found and removed: CLSID\{CAFEEFAC-0015-0000-0017-ABCDEFFEDCBB}

Found and removed: CLSID\{CAFEEFAC-0015-0000-0017-ABCDEFFEDCBC}

Found and removed: CLSID\{CAFEEFAC-0015-0000-0018-ABCDEFFEDCBA}

Found and removed: CLSID\{CAFEEFAC-0015-0000-0018-ABCDEFFEDCBB}

Found and removed: CLSID\{CAFEEFAC-0015-0000-0018-ABCDEFFEDCBC}

Found and removed: CLSID\{CAFEEFAC-0015-0000-0019-ABCDEFFEDCBA}

Found and removed: CLSID\{CAFEEFAC-0015-0000-0019-ABCDEFFEDCBB}

Found and removed: CLSID\{CAFEEFAC-0015-0000-0019-ABCDEFFEDCBC}

Found and removed: CLSID\{CAFEEFAC-0015-0000-0020-ABCDEFFEDCBA}

Found and removed: CLSID\{CAFEEFAC-0015-0000-0020-ABCDEFFEDCBB}

Found and removed: CLSID\{CAFEEFAC-0015-0000-0020-ABCDEFFEDCBC}

Found and removed: CLSID\{CAFEEFAC-0015-0000-0021-ABCDEFFEDCBA}

Found and removed: CLSID\{CAFEEFAC-0015-0000-0021-ABCDEFFEDCBB}

Found and removed: CLSID\{CAFEEFAC-0015-0000-0021-ABCDEFFEDCBC}

Found and removed: CLSID\{CAFEEFAC-0015-0000-0022-ABCDEFFEDCBA}

Found and removed: CLSID\{CAFEEFAC-0015-0000-0022-ABCDEFFEDCBB}

Found and removed: CLSID\{CAFEEFAC-0015-0000-0022-ABCDEFFEDCBC}

Found and removed: CLSID\{CAFEEFAC-0015-0000-0023-ABCDEFFEDCBA}

Found and removed: CLSID\{CAFEEFAC-0015-0000-0023-ABCDEFFEDCBB}

Found and removed: CLSID\{CAFEEFAC-0015-0000-0023-ABCDEFFEDCBC}

Found and removed: CLSID\{CAFEEFAC-0015-0000-0024-ABCDEFFEDCBA}

Found and removed: CLSID\{CAFEEFAC-0015-0000-0024-ABCDEFFEDCBB}

Found and removed: CLSID\{CAFEEFAC-0015-0000-0024-ABCDEFFEDCBC}

Found and removed: CLSID\{CAFEEFAC-0015-0000-0025-ABCDEFFEDCBA}

Found and removed: CLSID\{CAFEEFAC-0015-0000-0025-ABCDEFFEDCBB}

Found and removed: CLSID\{CAFEEFAC-0015-0000-0025-ABCDEFFEDCBC}

Found and removed: CLSID\{CAFEEFAC-0015-0000-0026-ABCDEFFEDCBA}

Found and removed: CLSID\{CAFEEFAC-0015-0000-0026-ABCDEFFEDCBB}

Found and removed: CLSID\{CAFEEFAC-0015-0000-0026-ABCDEFFEDCBC}

Found and removed: CLSID\{CAFEEFAC-0015-0000-0027-ABCDEFFEDCBA}

Found and removed: CLSID\{CAFEEFAC-0015-0000-0027-ABCDEFFEDCBB}

Found and removed: CLSID\{CAFEEFAC-0015-0000-0027-ABCDEFFEDCBC}

Found and removed: CLSID\{CAFEEFAC-0015-0000-0028-ABCDEFFEDCBA}

Found and removed: CLSID\{CAFEEFAC-0015-0000-0028-ABCDEFFEDCBB}

Found and removed: CLSID\{CAFEEFAC-0015-0000-0028-ABCDEFFEDCBC}

Found and removed: CLSID\{CAFEEFAC-0015-0000-0029-ABCDEFFEDCBA}

Found and removed: CLSID\{CAFEEFAC-0015-0000-0029-ABCDEFFEDCBB}

Found and removed: CLSID\{CAFEEFAC-0015-0000-0029-ABCDEFFEDCBC}

Found and removed: CLSID\{CAFEEFAC-0015-0000-0030-ABCDEFFEDCBA}

Found and removed: CLSID\{CAFEEFAC-0015-0000-0030-ABCDEFFEDCBB}

Found and removed: CLSID\{CAFEEFAC-0015-0000-0030-ABCDEFFEDCBC}

Found and removed: CLSID\{CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA}

Found and removed: CLSID\{CAFEEFAC-0016-0000-0000-ABCDEFFEDCBB}

Found and removed: CLSID\{CAFEEFAC-0016-0000-0000-ABCDEFFEDCBC}

Found and removed: CLSID\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}

Found and removed: CLSID\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBB}

Found and removed: CLSID\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBC}

Found and removed: CLSID\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}

Found and removed: CLSID\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBB}

Found and removed: CLSID\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBC}

Found and removed: CLSID\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}

Found and removed: CLSID\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBB}

Found and removed: CLSID\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC}

Found and removed: CLSID\{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA}

Found and removed: CLSID\{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBB}

Found and removed: CLSID\{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBC}

Found and removed: CLSID\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}

Found and removed: CLSID\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBB}

Found and removed: CLSID\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC}

Found and removed: CLSID\{CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA}

Found and removed: CLSID\{CAFEEFAC-0016-0000-0006-ABCDEFFEDCBB}

Found and removed: CLSID\{CAFEEFAC-0016-0000-0006-ABCDEFFEDCBC}

Found and removed: CLSID\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}

Found and removed: CLSID\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBB}

Found and removed: CLSID\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC}

Found and removed: CLSID\{CAFEEFAC-0016-0000-0008-ABCDEFFEDCBA}

Found and removed: CLSID\{CAFEEFAC-0016-0000-0008-ABCDEFFEDCBB}

Found and removed: CLSID\{CAFEEFAC-0016-0000-0008-ABCDEFFEDCBC}

Found and removed: CLSID\{CAFEEFAC-0016-0000-0009-ABCDEFFEDCBA}

Found and removed: CLSID\{CAFEEFAC-0016-0000-0009-ABCDEFFEDCBB}

Found and removed: CLSID\{CAFEEFAC-0016-0000-0009-ABCDEFFEDCBC}

Found and removed: CLSID\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}

Found and removed: CLSID\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBB}

Found and removed: CLSID\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBC}

Found and removed: CLSID\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

Found and removed: CLSID\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBB}

Found and removed: CLSID\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBC}

Found and removed: CLSID\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}

Found and removed: CLSID\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBB}

Found and removed: CLSID\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBC}

Found and removed: CLSID\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

Found and removed: CLSID\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBB}

Found and removed: CLSID\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBC}

Found and removed: CLSID\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

Found and removed: CLSID\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBB}

Found and removed: CLSID\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBC}

Found and removed: CLSID\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

Found and removed: CLSID\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBB}

Found and removed: CLSID\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBC}

Found and removed: CLSID\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

Found and removed: CLSID\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBB}

Found and removed: CLSID\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBC}

Found and removed: CLSID\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

Found and removed: CLSID\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBB}

Found and removed: CLSID\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBC}

Found and removed: CLSID\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

Found and removed: CLSID\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBB}

Found and removed: CLSID\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBC}

Found and removed: CLSID\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}

Found and removed: CLSID\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBB}

Found and removed: CLSID\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBC}

Found and removed: CLSID\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

Found and removed: CLSID\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBB}

Found and removed: CLSID\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBC}

Found and removed: CLSID\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

Found and removed: CLSID\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBB}

Found and removed: CLSID\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBC}

Found and removed: CLSID\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}

Found and removed: CLSID\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBB}

Found and removed: CLSID\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBC}

Found and removed: CLSID\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}

Found and removed: CLSID\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBB}

Found and removed: CLSID\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBC}

Found and removed: CLSID\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}

Found and removed: CLSID\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBB}

Found and removed: CLSID\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBC}

Found and removed: JavaScript

Found and removed: JavaScript Author

Found and removed: JavaScript1.1

Found and removed: JavaScript1.1 Author

Found and removed: JavaScript1.2

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0015-0000-FFFF-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{E19F9331-3110-11D4-991C-005004D3B3DB}

Found and removed: Software\JavaSoft\Java Update

Found and removed: SOFTWARE\Classes\JavaPlugin

Found and removed: SOFTWARE\JavaSoft\Java Runtime Environment\1.6

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1_02

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1_03

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1_04

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.2

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.2.0_01

Found and removed: SOFTWARE\Microsoft\Active Setup\Installed Components\{08B0E5C0-4FCB-11CF-AAA5-00401C608500}

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}

Found and removed: SOFTWARE\MozillaPlugins\@java.com/JavaPlugin\MimeTypes\application/x-java-applet;version=1.1

Found and removed: SOFTWARE\MozillaPlugins\@java.com/JavaPlugin\MimeTypes\application/x-java-applet;version=1.1.1

Found and removed: SOFTWARE\MozillaPlugins\@java.com/JavaPlugin\MimeTypes\application/x-java-applet;version=1.1.2

Found and removed: SOFTWARE\MozillaPlugins\@java.com/JavaPlugin\MimeTypes\application/x-java-applet;version=1.1.3

Found and removed: SOFTWARE\MozillaPlugins\@java.com/JavaPlugin\MimeTypes\application/x-java-applet;version=1.2

Found and removed: SOFTWARE\MozillaPlugins\@java.com/JavaPlugin\MimeTypes\application/x-java-applet;version=1.2.1

Found and removed: SOFTWARE\MozillaPlugins\@java.com/JavaPlugin\MimeTypes\application/x-java-applet;version=1.3

Found and removed: SOFTWARE\MozillaPlugins\@java.com/JavaPlugin\MimeTypes\application/x-java-applet;version=1.3.1

Found and removed: SOFTWARE\MozillaPlugins\@java.com/JavaPlugin\MimeTypes\application/x-java-applet;version=1.4

Found and removed: SOFTWARE\MozillaPlugins\@java.com/JavaPlugin\MimeTypes\application/x-java-applet;version=1.4.1

Found and removed: SOFTWARE\MozillaPlugins\@java.com/JavaPlugin\MimeTypes\application/x-java-applet;version=1.4.2

Found and removed: SOFTWARE\MozillaPlugins\@java.com/JavaPlugin\MimeTypes\application/x-java-applet;version=1.5

------------------------------------

Finished reporting.



==================================================================================================================================================

All processes killed
========== OTL ==========
No active process named TbHelper2.exe was found!
C:\Documents and Settings\Amy\Application Data\Mozilla\Firefox\Profiles\sr7ob710.default\extensions\searchtoolbar@zugo.com\defaults\preferences folder moved successfully.
C:\Documents and Settings\Amy\Application Data\Mozilla\Firefox\Profiles\sr7ob710.default\extensions\searchtoolbar@zugo.com\defaults folder moved successfully.
C:\Documents and Settings\Amy\Application Data\Mozilla\Firefox\Profiles\sr7ob710.default\extensions\searchtoolbar@zugo.com\components folder moved successfully.
C:\Documents and Settings\Amy\Application Data\Mozilla\Firefox\Profiles\sr7ob710.default\extensions\searchtoolbar@zugo.com\chrome\skin folder moved successfully.
C:\Documents and Settings\Amy\Application Data\Mozilla\Firefox\Profiles\sr7ob710.default\extensions\searchtoolbar@zugo.com\chrome\content folder moved successfully.
C:\Documents and Settings\Amy\Application Data\Mozilla\Firefox\Profiles\sr7ob710.default\extensions\searchtoolbar@zugo.com\chrome folder moved successfully.
C:\Documents and Settings\Amy\Application Data\Mozilla\Firefox\Profiles\sr7ob710.default\extensions\searchtoolbar@zugo.com folder moved successfully.
C:\Documents and Settings\Amy\Start Menu\Programs\Startup\RollerCoaster Tycoon 3 Registration.lnk moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FB5F1910-F110-11d2-BB9E-00C04F795683}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FB5F1910-F110-11d2-BB9E-00C04F795683}\ not found.
C:\Program Files\Shop to Win 11\%APPDATA%\FCSB000063127\Toolbar\%APPDATA%\FCSB000063127\Toolbar folder moved successfully.
C:\Program Files\Shop to Win 11\%APPDATA%\FCSB000063127\Toolbar\%APPDATA%\FCSB000063127 folder moved successfully.
C:\Program Files\Shop to Win 11\%APPDATA%\FCSB000063127\Toolbar\%APPDATA% folder moved successfully.
C:\Program Files\Shop to Win 11\%APPDATA%\FCSB000063127\Toolbar folder moved successfully.
C:\Program Files\Shop to Win 11\%APPDATA%\FCSB000063127 folder moved successfully.
C:\Program Files\Shop to Win 11\%APPDATA% folder moved successfully.
C:\Program Files\Shop to Win 11 folder moved successfully.
C:\WINDOWS\invcol.tmp deleted successfully.
C:\WINDOWS\SET3.tmp deleted successfully.
C:\WINDOWS\SET4.tmp deleted successfully.
C:\WINDOWS\SET8.tmp deleted successfully.
C:\WINDOWS\System32\CONFIG.TMP deleted successfully.
C:\WINDOWS\System32\trz26.tmp deleted successfully.
C:\Documents and Settings\All Users\Application Data\7727v7t7ol15v moved successfully.
C:\Documents and Settings\Amy\Local Settings\Application Data\tnt.exe moved successfully.
C:\Documents and Settings\Amy\Local Settings\Application Data\rox.exe moved successfully.
C:\Documents and Settings\Amy\Local Settings\Application Data\pfs.exe moved successfully.
C:\Documents and Settings\Amy\Local Settings\Application Data\ocr.exe moved successfully.
C:\Documents and Settings\Amy\Local Settings\Application Data\7727v7t7ol15v moved successfully.
C:\Documents and Settings\Amy\Local Settings\Application Data\qat.exe moved successfully.
C:\Documents and Settings\Amy\Local Settings\Application Data\ibe.exe moved successfully.
C:\Documents and Settings\Amy\Local Settings\Application Data\ecm.exe moved successfully.
C:\Documents and Settings\Amy\Local Settings\Application Data\cil.exe moved successfully.
C:\WINDOWS\Equfinubesidacib.dat moved successfully.
C:\Documents and Settings\NetworkService\Local Settings\Application Data\7727v7t7ol15v moved successfully.
File C:\Documents and Settings\All Users\Application Data\7727v7t7ol15v not found.
C:\WINDOWS\system32\C7416E2BB8.sys moved successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:78E0DF72 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:9857FAE3 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:1740DC47 deleted successfully.
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
File\Folder C:\Program Files\TypoBounty ToolBar not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->FireFox cache emptied: 19253817 bytes
->Flash cache emptied: 56958 bytes

User: All Users

User: Amy
->Temp folder emptied: 10188808 bytes
->Temporary Internet Files folder emptied: 8873252 bytes
->Java cache emptied: 2027 bytes
->FireFox cache emptied: 50794532 bytes
->Apple Safari cache emptied: 21179392 bytes
->Flash cache emptied: 1956094 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 56502 bytes

User: LocalService
->Temp folder emptied: 66016 bytes
->Temporary Internet Files folder emptied: 4030598 bytes
->Flash cache emptied: 2899 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 19920 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 21875 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 15007470 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 336944 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 126.00 mb


[EMPTYFLASH]

User: Administrator
->Flash cache emptied: 0 bytes

User: All Users

User: Amy
->Flash cache emptied: 0 bytes

User: Default User
->Flash cache emptied: 0 bytes

User: LocalService
->Flash cache emptied: 0 bytes

User: NetworkService
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.25.0 log created on 07032011_141730

Files\Folders moved on Reboot...
C:\Documents and Settings\Amy\Local Settings\Application Data\Mozilla\Firefox\Profiles\sr7ob710.default\Cache\_CACHE_001_ moved successfully.
C:\Documents and Settings\Amy\Local Settings\Application Data\Mozilla\Firefox\Profiles\sr7ob710.default\Cache\_CACHE_002_ moved successfully.
C:\Documents and Settings\Amy\Local Settings\Application Data\Mozilla\Firefox\Profiles\sr7ob710.default\Cache\_CACHE_003_ moved successfully.
C:\Documents and Settings\Amy\Local Settings\Application Data\Mozilla\Firefox\Profiles\sr7ob710.default\Cache\_CACHE_MAP_ moved successfully.
C:\Documents and Settings\Amy\Local Settings\Application Data\Mozilla\Firefox\Profiles\sr7ob710.default\urlclassifier3.sqlite moved successfully.
C:\WINDOWS\System32\config\systemprofile\Local Settings\Temp\Microsoft .NET Framework 2.0-KB2478658_20110703_181633125-Msi0.txt moved successfully.

Registry entries deleted on Reboot...

==================================================================================================================================================

Eset log
C:\Program Installers\unlocker1.8.8.exe Win32/Adware.ADON application
C:\Qoobox\Quarantine\C\Program Files\Search Toolbar\SearchToolbar.dll.vir Win32/Toolbar.Zugo application
C:\System Volume Information\_restore{7C09CE54-DC91-428F-AF17-F6509C732F2F}\RP310\A0032721.EXE Win32/Toolbar.MyWebSearch application
C:\System Volume Information\_restore{7C09CE54-DC91-428F-AF17-F6509C732F2F}\RP310\A0033705.EXE Win32/Toolbar.MyWebSearch application
C:\System Volume Information\_restore{7C09CE54-DC91-428F-AF17-F6509C732F2F}\RP310\A0033734.scr Win32/Toolbar.MyWebSearch application
C:\System Volume Information\_restore{7C09CE54-DC91-428F-AF17-F6509C732F2F}\RP310\A0033735.DLL Win32/Toolbar.MyWebSearch.B application
C:\System Volume Information\_restore{7C09CE54-DC91-428F-AF17-F6509C732F2F}\RP310\A0033738.DLL Win32/Toolbar.MyWebSearch application
C:\System Volume Information\_restore{7C09CE54-DC91-428F-AF17-F6509C732F2F}\RP310\A0033739.DLL a variant of Win32/Toolbar.MyWebSearch.K application
C:\System Volume Information\_restore{7C09CE54-DC91-428F-AF17-F6509C732F2F}\RP310\A0033740.DLL Win32/Toolbar.MyWebSearch application
C:\System Volume Information\_restore{7C09CE54-DC91-428F-AF17-F6509C732F2F}\RP310\A0033741.DLL Win32/Toolbar.MyWebSearch application
C:\System Volume Information\_restore{7C09CE54-DC91-428F-AF17-F6509C732F2F}\RP310\A0033743.DLL Win32/Toolbar.MyWebSearch application
C:\System Volume Information\_restore{7C09CE54-DC91-428F-AF17-F6509C732F2F}\RP310\A0033744.DLL Win32/Adware.FunWeb application
C:\System Volume Information\_restore{7C09CE54-DC91-428F-AF17-F6509C732F2F}\RP310\A0033745.DLL Win32/Adware.FunWeb application
C:\System Volume Information\_restore{7C09CE54-DC91-428F-AF17-F6509C732F2F}\RP310\A0033746.DLL Win32/Toolbar.MyWebSearch.G application
C:\System Volume Information\_restore{7C09CE54-DC91-428F-AF17-F6509C732F2F}\RP310\A0033747.DLL Win32/Toolbar.MyWebSearch.B application
C:\System Volume Information\_restore{7C09CE54-DC91-428F-AF17-F6509C732F2F}\RP310\A0033748.DLL Win32/Toolbar.MyWebSearch application
C:\System Volume Information\_restore{7C09CE54-DC91-428F-AF17-F6509C732F2F}\RP310\A0033749.DLL Win32/Toolbar.MyWebSearch application
C:\System Volume Information\_restore{7C09CE54-DC91-428F-AF17-F6509C732F2F}\RP310\A0033750.DLL Win32/Adware.FunWeb application
C:\System Volume Information\_restore{7C09CE54-DC91-428F-AF17-F6509C732F2F}\RP310\A0033751.SCR Win32/Toolbar.MyWebSearch application
C:\System Volume Information\_restore{7C09CE54-DC91-428F-AF17-F6509C732F2F}\RP310\A0033752.DLL Win32/Toolbar.MyWebSearch.G application
C:\System Volume Information\_restore{7C09CE54-DC91-428F-AF17-F6509C732F2F}\RP310\A0033753.DLL Win32/Toolbar.MyWebSearch.D application
C:\System Volume Information\_restore{7C09CE54-DC91-428F-AF17-F6509C732F2F}\RP310\A0033754.DLL Win32/Toolbar.MyWebSearch application
C:\System Volume Information\_restore{7C09CE54-DC91-428F-AF17-F6509C732F2F}\RP310\A0033755.EXE Win32/Adware.FunWeb application
C:\System Volume Information\_restore{7C09CE54-DC91-428F-AF17-F6509C732F2F}\RP310\A0033756.DLL Win32/Toolbar.MyWebSearch.P application
C:\System Volume Information\_restore{7C09CE54-DC91-428F-AF17-F6509C732F2F}\RP310\A0033758.DLL Win32/Toolbar.MyWebSearch.H application
C:\System Volume Information\_restore{7C09CE54-DC91-428F-AF17-F6509C732F2F}\RP310\A0033759.DLL a variant of Win32/Toolbar.MyWebSearch.I application
C:\System Volume Information\_restore{7C09CE54-DC91-428F-AF17-F6509C732F2F}\RP310\A0033760.EXE Win32/Toolbar.MyWebSearch application
C:\System Volume Information\_restore{7C09CE54-DC91-428F-AF17-F6509C732F2F}\RP310\A0033761.DLL Win32/Toolbar.MyWebSearch application
C:\System Volume Information\_restore{7C09CE54-DC91-428F-AF17-F6509C732F2F}\RP310\A0033762.DLL Win32/Toolbar.MyWebSearch.P application
C:\System Volume Information\_restore{7C09CE54-DC91-428F-AF17-F6509C732F2F}\RP310\A0033763.EXE Win32/Toolbar.MyWebSearch application
C:\System Volume Information\_restore{7C09CE54-DC91-428F-AF17-F6509C732F2F}\RP310\A0033764.EXE Win32/Toolbar.MyWebSearch application
C:\System Volume Information\_restore{7C09CE54-DC91-428F-AF17-F6509C732F2F}\RP310\A0033765.DLL Win32/Toolbar.MyWebSearch application
C:\System Volume Information\_restore{7C09CE54-DC91-428F-AF17-F6509C732F2F}\RP310\A0033766.DLL Win32/Toolbar.MyWebSearch.J application
C:\System Volume Information\_restore{7C09CE54-DC91-428F-AF17-F6509C732F2F}\RP310\A0033767.DLL a variant of Win32/Toolbar.MyWebSearch application
C:\System Volume Information\_restore{7C09CE54-DC91-428F-AF17-F6509C732F2F}\RP310\A0033768.DLL Win32/Toolbar.MyWebSearch.P application
C:\System Volume Information\_restore{7C09CE54-DC91-428F-AF17-F6509C732F2F}\RP310\A0033769.EXE Win32/Toolbar.MyWebSearch application
C:\System Volume Information\_restore{7C09CE54-DC91-428F-AF17-F6509C732F2F}\RP310\A0033770.EXE Win32/Toolbar.MyWebSearch.J application
C:\System Volume Information\_restore{7C09CE54-DC91-428F-AF17-F6509C732F2F}\RP310\A0033771.EXE Win32/Toolbar.MyWebSearch.I application
C:\System Volume Information\_restore{7C09CE54-DC91-428F-AF17-F6509C732F2F}\RP310\A0033772.DLL a variant of Win32/Toolbar.MyWebSearch.I application
C:\System Volume Information\_restore{7C09CE54-DC91-428F-AF17-F6509C732F2F}\RP310\A0033773.DLL a variant of Win32/Toolbar.MyWebSearch.K application
C:\System Volume Information\_restore{7C09CE54-DC91-428F-AF17-F6509C732F2F}\RP310\A0033774.DLL Win32/Toolbar.MyWebSearch application
C:\System Volume Information\_restore{7C09CE54-DC91-428F-AF17-F6509C732F2F}\RP310\A0033775.DLL Win32/Toolbar.MyWebSearch.J application
C:\System Volume Information\_restore{7C09CE54-DC91-428F-AF17-F6509C732F2F}\RP310\A0033776.DLL Win32/Toolbar.MyWebSearch application
C:\System Volume Information\_restore{7C09CE54-DC91-428F-AF17-F6509C732F2F}\RP310\A0033777.DLL Win32/Toolbar.MyWebSearch application
C:\System Volume Information\_restore{7C09CE54-DC91-428F-AF17-F6509C732F2F}\RP310\A0033778.EXE Win32/Toolbar.MyWebSearch application
C:\System Volume Information\_restore{7C09CE54-DC91-428F-AF17-F6509C732F2F}\RP310\A0033779.DLL Win32/Toolbar.MyWebSearch application
C:\System Volume Information\_restore{7C09CE54-DC91-428F-AF17-F6509C732F2F}\RP310\A0033780.DLL Win32/Toolbar.MyWebSearch application
C:\System Volume Information\_restore{7C09CE54-DC91-428F-AF17-F6509C732F2F}\RP327\A0038331.exe a variant of Win32/Kryptik.PUI trojan
C:\System Volume Information\_restore{7C09CE54-DC91-428F-AF17-F6509C732F2F}\RP327\A0038332.exe a variant of Win32/Kryptik.PUI trojan
C:\System Volume Information\_restore{7C09CE54-DC91-428F-AF17-F6509C732F2F}\RP327\A0038333.exe a variant of Win32/Kryptik.PUI trojan
C:\System Volume Information\_restore{7C09CE54-DC91-428F-AF17-F6509C732F2F}\RP327\A0038334.exe a variant of Win32/Kryptik.PUI trojan
C:\System Volume Information\_restore{7C09CE54-DC91-428F-AF17-F6509C732F2F}\RP329\A0041061.dll Win32/Toolbar.Zugo application
E:\Program Installers\unlocker1.8.8.exe Win32/Adware.ADON application

#16 Broni Re: [RESOLVED] My sister win xp desktop machine badly infected

    Malware Annihilator

  • 24,883 posts
  • Joined: October 04, 2004
  • 1,860 topics
  • Age: 57
  • Skin: IPBoard wide
  • Local time: 05:56 PM
  • Zodiac:Virgo
  • Gender:Male
  • Location:Daly City, CA
  • OS:Windows Vista
  • Country:
Online
  • Time Online: 57d 9h 20m 43s

Posted 05 July 2011 - 06:33 PM

All entries from Eset scan will be removed through our last steps....

Your computer is clean Posted Image

1. We need to reset system restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create fresh, clean restore point, using following OTL script:

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following:

:OTL
:Commands
[purity]
[emptytemp]
[EMPTYFLASH]
[CLEARALLRESTOREPOINTS]
[Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Post resulting log.

2. Now, we'll remove all tools, we used during our cleaning process

Clean up with OTL:

  • Double-click OTL.exe to start the program.
  • Close all other programs apart from OTL as this step will require a reboot
  • On the OTL main screen, press the CLEANUP button
  • Say Yes to the prompt and then allow the program to reboot your computer.

If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

3. Make sure, Windows Updates are current.

4. If any Trojan was listed among your infection(s), make sure, you change all of your on-line important passwords (bank account(s), secured web sites, etc.) immediately!

5. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

6. Run Malwarebytes "Quick scan" once in a while to assure safety of your computer.

7. Run Temporary File Cleaner (TFC) weekly.

8. Download and install Secunia Personal Software Inspector (PSI): http://secunia.com/v...ning/personal/. The Secunia PSI is a FREE security tool designed to detect vulnerable and out-dated programs and plug-ins which expose your PC to attacks. Run it weekly.

9. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

10. (Windows XP only) Run defrag at your convenience.

11. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingc.../topic2520.html

12. Please, let me know, how your computer is doing.
Posted Image Posted Image


#17 ProblemsRBad Re: [RESOLVED] My sister win xp desktop machine badly infected

    Member

  • 161 posts
  • Joined: June 23, 2011
  • 15 topics
  • Skin: IP.Board
  • Local time: 07:56 PM
  • Zodiac:Aries
  • OS:Windows 7
  • Country:
Offline
  • Time Online: 3d 20h 16m 27s

Posted 06 July 2011 - 04:01 PM

Seems to be running a lot better now! Thank for your help! My friend just drop off his laptop to me its badly infected too, but I am about to go fishing for the day I will make a new topic about it tomorrow.

All processes killed
========== OTL ==========
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: All Users

User: Amy
->Temp folder emptied: 7519 bytes
->Temporary Internet Files folder emptied: 327974 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 97158048 bytes
->Apple Safari cache emptied: 0 bytes
->Flash cache emptied: 615 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 0 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 33264 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 18793086 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 111.00 mb


[EMPTYFLASH]

User: Administrator
->Flash cache emptied: 0 bytes

User: All Users

User: Amy
->Flash cache emptied: 0 bytes

User: Default User
->Flash cache emptied: 0 bytes

User: LocalService
->Flash cache emptied: 0 bytes

User: NetworkService
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb

Restore points cleared and new OTL Restore Point set!

OTL by OldTimer - Version 3.2.25.0 log created on 07062011_114634

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...

#18 Broni Re: [RESOLVED] My sister win xp desktop machine badly infected

    Malware Annihilator

  • 24,883 posts
  • Joined: October 04, 2004
  • 1,860 topics
  • Age: 57
  • Skin: IPBoard wide
  • Local time: 05:56 PM
  • Zodiac:Virgo
  • Gender:Male
  • Location:Daly City, CA
  • OS:Windows Vista
  • Country:
Online
  • Time Online: 57d 9h 20m 43s

Posted 06 July 2011 - 11:07 PM

Way to go!! Posted Image
Good luck and stay safe :)
Posted Image Posted Image


Back to Virus, Spyware and Malware Removal · Next Unread Topic →


1 user(s) are reading this topic

0 members, 1 guests, 0 anonymous users


This topic has been visited by 0 user(s)


  1. Smartest Computing
  2. > Security
  3. > Virus, Spyware and Malware Removal
  4. SmartestComputing rules