
Thread: SVCHOST trojan

  1. #11
    Emeritus - Malware Team
    Join Date
    Aug 2011
    Posts
    148


    Hi musicalpulltoy,

    I'll accept your answer this time, but in future I would appreciate it if you would answer any questions put to you openly and accurately.
    Let's continue with the cleanup.

    Again, please remember to read the instructions below carefully before executing them, and perform the steps in the order given.
    If you have any questions about, or problems executing, these instructions, <STOP>: do not proceed; post back with the question or problem before going any further.

    Before proceeding please make sure any open programs are closed.

    Step 1:
    OTL - Scan

    1. Please download OTL by Old Timer. Save it to your Desktop.
    2. Double-click on OTL.exe to launch the program. If you receive a UAC prompt, please allow it.
    3. Under Output, ensure that the Standard Output option is selected.
    4. Under the Extra Registry section, select the Use SafeList option.
    5. Click the Scan All Users checkbox.
    6. Tick the LOP Check and Purity Check checkboxes.
      Note: Please leave the remaining selections on the default settings.
    7. Click on the Run Scan button in the top left-hand corner of the program window.
    8. When done, two Notepad files will automatically open:
      • OTL.txt <-- Will be opened, maximized.
      • Extras.txt <-- Will be minimized on task bar.
    9. Please Copy and Paste the entire contents of both OTL.txt and Extras.txt files into your next reply.

    Step 2:
    Rootkit UnHooker (RkU)

    Please download Rootkit UnHooker. Save it to your Desktop.
    Please Note: The resulting log file can be very long. You may need to post it separately.

    1. Double-click on the RKUnhookerLE.exe icon to run the program.
    2. Click the Report tab, then click Scan.
    3. Check the Drivers, Stealth Code, Files and Code Hooks options.
    4. Uncheck the rest of the options. Then click on the OK button. (See the image below for reference.)

      The scanning will toggle through the Checked items "tabs". This can take a while, so please be patient.
    5. When the scanner is finished, select File > Save Report.
    6. Save the file Report.txt to your Desktop.
    7. Click on the Close button and then click the Yes button to confirm.
    8. Copy and Paste the entire contents of the Report.txt file into your next reply.

    Step 3:
    Include in Next Post

    1. Did you have any problems carrying out the instructions?
    2. OTL.txt.
    3. Extras.txt.
    4. Report.txt.


    Scolabar
    --------------------------------------------------------------------------
    No Reply Within 3 Days Will Result In Your Topic Being Closed
    Malware Removal University - You too could train to help others

  2. #12
    Senior Member musicalpulltoy
    Join Date
    Mar 2009
    Posts
    104


    Happy Thursday.
    First I ran the cleanup on a past OTL so as to download the latest.
    OTL ran fine, but during Rootkit UnHooker I got "error starting helper service during drive selection scan"; I clicked OK 2 times before it continued.
    Scotty popped up with "C:\WINDOWS\system32\89F5848D.exe"; I clicked NO.
    Lately Firefox has started a mild lag.


    OTL logfile created on: 3/15/2012 4:07:14 PM - Run 1
    OTL by OldTimer - Version 3.2.37.1 Folder = C:\Documents and Settings\DAD\Desktop
    Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
    Internet Explorer (Version = 8.0.6001.18702)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    1.24 Gb Total Physical Memory | 0.62 Gb Available Physical Memory | 49.97% Memory free
    4.22 Gb Paging File | 3.63 Gb Available in Paging File | 85.82% Paging File free
    Paging file location(s): [Binary data over 100 bytes]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 34.21 Gb Total Space | 10.93 Gb Free Space | 31.94% Space Free | Partition Type: NTFS
    Drive E: | 232.88 Gb Total Space | 160.22 Gb Free Space | 68.80% Space Free | Partition Type: NTFS

    Computer Name: DJJXF091 | User Name: DAD | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: All users
    Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

    ========== Processes (SafeList) ==========

    PRC - [2012/03/15 16:05:34 | 000,594,944 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\DAD\Desktop\OTL.exe
    PRC - [2012/01/24 17:24:26 | 002,416,480 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2012\avgtray.exe
    PRC - [2011/11/28 01:19:04 | 001,229,664 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2012\avgnsx.exe
    PRC - [2011/11/09 20:05:42 | 002,420,616 | ---- | M] (Check Point Software Technologies LTD) -- C:\Program Files\CheckPoint\ZoneAlarm\vsmon.exe
    PRC - [2011/11/09 20:01:38 | 000,073,360 | ---- | M] (Check Point Software Technologies LTD) -- C:\Program Files\CheckPoint\ZoneAlarm\zatray.exe
    PRC - [2011/11/03 07:44:28 | 000,497,280 | ---- | M] (Check Point Software Technologies) -- C:\Program Files\CheckPoint\ZAForceField\ISWSVC.exe
    PRC - [2011/11/03 07:44:24 | 000,738,944 | ---- | M] (Check Point Software Technologies) -- C:\Program Files\CheckPoint\ZAForceField\ForceField.exe
    PRC - [2011/10/12 06:25:22 | 004,433,248 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe
    PRC - [2011/09/08 20:53:26 | 000,743,264 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2012\avgrsx.exe
    PRC - [2011/08/18 08:45:28 | 000,161,664 | ---- | M] (Oracle Corporation) -- C:\Program Files\Java\jre7\bin\jqs.exe
    PRC - [2011/08/15 06:21:40 | 000,337,760 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2012\avgcsrvx.exe
    PRC - [2011/08/02 06:09:08 | 000,192,776 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2012\avgwdsvc.exe
    PRC - [2011/03/16 15:32:59 | 000,325,000 | ---- | M] (BillP Studios) -- C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe
    PRC - [2010/10/26 23:10:00 | 000,912,344 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
    PRC - [2008/04/14 05:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
    PRC - [2007/09/12 15:14:42 | 001,527,808 | ---- | M] () -- C:\Program Files\NETGEAR\WG111v3\WG111v3.exe


    ========== Modules (No Company Name) ==========

    MOD - [2010/10/26 23:10:01 | 001,018,840 | ---- | M] () -- C:\Program Files\Mozilla Firefox\js3250.dll
    MOD - [2010/03/29 13:02:48 | 000,520,234 | ---- | M] () -- C:\Program Files\BillP Studios\WinPatrol\sqlite3.dll
    MOD - [2007/09/14 10:27:14 | 000,024,576 | ---- | M] () -- C:\Program Files\NETGEAR\WG111v3\CheckSessions.dll
    MOD - [2007/09/12 15:14:42 | 001,527,808 | ---- | M] () -- C:\Program Files\NETGEAR\WG111v3\WG111v3.exe
    MOD - [2006/12/15 11:30:38 | 000,966,765 | ---- | M] () -- C:\Program Files\NETGEAR\WG111v3\acAuth.dll
    MOD - [2006/05/16 18:35:00 | 000,049,152 | ---- | M] () -- C:\Program Files\NETGEAR\WG111v3\WlanDll.dll


    ========== Win32 Services (SafeList) ==========

    SRV - File not found [Disabled | Stopped] -- C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe -- (RoxLiveShare9)
    SRV - File not found [Disabled | Stopped] -- C:\Program Files\NOS\bin\getPlus_Helper_3004.dll -- (nosGetPlusHelper) getPlus(R)
    SRV - File not found [Disabled | Stopped] -- C:/Program Files/Dragon Global/DirMon2/DirMon2.exe -- (DirMon2)
    SRV - File not found [Auto | Stopped] -- C:\Documents and Settings\All Users\Application Data\DatacardService\DCService.exe -- (DCService.exe)
    SRV - File not found [Disabled | Stopped] -- %SystemRoot%\System32\appmgmts.dll -- (AppMgmt)
    SRV - [2011/11/09 20:05:42 | 002,420,616 | ---- | M] (Check Point Software Technologies LTD) [Auto | Running] -- C:\Program Files\CheckPoint\ZoneAlarm\vsmon.exe -- (vsmon)
    SRV - [2011/11/03 07:44:28 | 000,497,280 | ---- | M] (Check Point Software Technologies) [Auto | Running] -- C:\Program Files\CheckPoint\ZAForceField\ISWSVC.exe -- (IswSvc)
    SRV - [2011/10/12 06:25:22 | 004,433,248 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe -- (AVGIDSAgent)
    SRV - [2011/08/18 08:45:28 | 000,161,664 | ---- | M] (Oracle Corporation) [Auto | Running] -- C:\Program Files\Java\jre7\bin\jqs.exe -- (JavaQuickStarterService)
    SRV - [2011/08/02 06:09:08 | 000,192,776 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG2012\avgwdsvc.exe -- (avgwd)
    SRV - [2011/02/10 15:29:24 | 000,150,528 | ---- | M] (Avanquest Software) [On_Demand | Stopped] -- C:\Program Files\Sony Ericsson\Sony Ericsson PC Companion\PCCService.exe -- (Sony Ericsson PCCompanion)
    SRV - [2008/08/26 15:58:12 | 000,201,968 | ---- | M] (SupportSoft, Inc.) [Disabled | Stopped] -- C:\Program Files\Dell Support Center\bin\sprtsvc.exe -- (sprtsvc_DellSupportCenter) SupportSoft Sprocket Service (DellSupportCenter)
    SRV - [2007/06/25 08:47:12 | 001,552,680 | ---- | M] (Nero AG) [Disabled | Stopped] -- C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe -- (InCDsrv)


    ========== Driver Services (SafeList) ==========

    DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\HSF_CNXT.sys -- (winachsf)
    DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
    DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\wanatw4.sys -- (wanatw) WAN Miniport (ATW)
    DRV - File not found [Kernel | On_Demand | Stopped] -- System32\Drivers\RimUsb.sys -- (RimUsb)
    DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\point32.sys -- (Point32)
    DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME)
    DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI)
    DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME)
    DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP)
    DRV - File not found [Kernel | System | Stopped] -- -- (PCIDump)
    DRV - File not found [Kernel | System | Stopped] -- -- (lbrtfdc)
    DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\ewusbmdm.sys -- (hwdatacard)
    DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\ew_jubusenum.sys -- (huawei_enumerator)
    DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\HSFHWBS2.sys -- (HSFHWBS2)
    DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\HSF_DPV.sys -- (HSF_DPV)
    DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\ewusbnet.sys -- (ewusbnet)
    DRV - File not found [Kernel | System | Stopped] -- -- (Changer)
    DRV - File not found [Kernel | On_Demand | Stopped] -- -- (bvrp_pci)
    DRV - [2011/11/09 20:01:38 | 000,525,840 | ---- | M] (Check Point Software Technologies LTD) [Kernel | System | Running] -- C:\WINDOWS\system32\vsdatant.sys -- (Vsdatant)
    DRV - [2011/11/03 07:44:20 | 000,027,016 | ---- | M] (Check Point Software Technologies) [Kernel | Auto | Running] -- C:\Program Files\CheckPoint\ZAForceField\ISWKL.sys -- (ISWKL)
    DRV - [2011/10/07 06:23:48 | 000,230,608 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avgldx86.sys -- (Avgldx86)
    DRV - [2011/10/04 06:21:42 | 000,016,720 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AVGIDSShim.sys -- (AVGIDSShim)
    DRV - [2011/09/13 06:30:10 | 000,032,592 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\avgrkx86.sys -- (Avgrkx86)
    DRV - [2011/08/08 06:08:58 | 000,040,016 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\avgmfx86.sys -- (Avgmfx86)
    DRV - [2011/07/11 01:14:38 | 000,295,248 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avgtdix.sys -- (Avgtdix)
    DRV - [2011/07/11 01:14:28 | 000,024,272 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AVGIDSFilter.sys -- (AVGIDSFilter)
    DRV - [2011/07/11 01:14:28 | 000,023,120 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\AVGIDSEH.sys -- (AVGIDSEH)
    DRV - [2011/07/11 01:14:26 | 000,134,608 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AVGIDSDriver.sys -- (AVGIDSDriver)
    DRV - [2010/05/10 11:41:30 | 000,067,656 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
    DRV - [2010/02/17 11:25:48 | 000,012,872 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys -- (SASDIFSV)
    DRV - [2010/02/11 05:02:15 | 000,226,880 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\tcpip6.sys -- (Tcpip6)
    DRV - [2009/03/25 16:48:00 | 000,114,728 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s1018mdm.sys -- (s1018mdm)
    DRV - [2009/03/25 16:48:00 | 000,109,864 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s1018unic.sys -- (s1018unic) Sony Ericsson Device 1018 USB Ethernet Emulation (WDM)
    DRV - [2009/03/25 16:48:00 | 000,106,208 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s1018mgmt.sys -- (s1018mgmt) Sony Ericsson Device 1018 USB WMC Device Management Drivers (WDM)
    DRV - [2009/03/25 16:48:00 | 000,104,744 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s1018obex.sys -- (s1018obex)
    DRV - [2009/03/25 16:48:00 | 000,086,824 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s1018bus.sys -- (s1018bus) Sony Ericsson Device 1018 driver (WDM)
    DRV - [2009/03/25 16:48:00 | 000,026,024 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s1018nd5.sys -- (s1018nd5) Sony Ericsson Device 1018 USB Ethernet Emulation (NDIS)
    DRV - [2009/03/25 16:48:00 | 000,015,016 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s1018mdfl.sys -- (s1018mdfl)
    DRV - [2008/04/14 00:26:08 | 000,088,320 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\nwlnkipx.sys -- (NwlnkIpx)
    DRV - [2008/04/14 00:23:10 | 000,040,320 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nmnt.sys -- (nm)
    DRV - [2008/04/14 00:15:34 | 000,011,520 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\scsiscan.sys -- (scsiscan)
    DRV - [2008/03/11 15:58:56 | 000,059,776 | ---- | M] (DEVGURU Co,LTD.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\PTDUWWAN.sys -- (PTDUWWAN)
    DRV - [2008/03/11 15:58:50 | 000,039,936 | ---- | M] (DEVGURU Co,LTD.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\PTDUVsp.sys -- (PTDUVsp)
    DRV - [2008/03/11 15:58:48 | 000,041,344 | ---- | M] (DEVGURU Co,LTD.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\PTDUMdm.sys -- (PTDUMdm)
    DRV - [2008/03/11 15:58:44 | 000,029,824 | ---- | M] (DEVGURU Co,LTD.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\PTDUBus.sys -- (PTDUBus)
    DRV - [2007/06/25 08:47:12 | 000,038,440 | ---- | M] (Nero AG) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\InCDRm.sys -- (incdrm)
    DRV - [2007/06/25 08:47:12 | 000,036,776 | ---- | M] (Nero AG) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\InCDPass.sys -- (InCDPass)
    DRV - [2007/06/25 08:47:12 | 000,016,040 | ---- | M] (Nero AG) [Recognizer | System | Unknown] -- C:\WINDOWS\System32\drivers\InCDrec.sys -- (InCDrec)
    DRV - [2007/06/25 08:47:02 | 000,119,080 | ---- | M] (Nero AG) [File_System | Disabled | Running] -- C:\WINDOWS\system32\drivers\InCDfs.sys -- (InCDfs)
    DRV - [2007/04/23 14:11:54 | 000,224,896 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\wg111v3.sys -- (RTL8187B)
    DRV - [2006/02/23 14:58:25 | 000,167,808 | R--- | M] (Hauppauge Computer Works, Inc.) [23|25|26]xxx) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\hcwPP2.sys -- (hcwPP2)
    DRV - [2005/12/14 21:03:19 | 000,008,552 | ---- | M] (Windows (R) 2000 DDK provider) [Kernel | Auto | Running] -- C:\WINDOWS\System32\drivers\asctrm.sys -- (ASCTRM)
    DRV - [2005/05/12 22:17:00 | 000,457,312 | R--- | M] (Atheros Communications, Inc. ) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\N3AB.sys -- (N3AB)
    DRV - [2005/03/14 14:01:38 | 000,041,984 | ---- | M] (DeviceGuys, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\DGIVECP.SYS -- (DgiVecp)
    DRV - [2004/09/17 13:02:54 | 000,732,928 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\senfilt.sys -- (senfilt)
    DRV - [2004/08/04 04:00:00 | 000,063,232 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\nwlnknb.sys -- (NwlnkNb)
    DRV - [2004/08/04 04:00:00 | 000,055,936 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\nwlnkspx.sys -- (NwlnkSpx)
    DRV - [2002/04/11 11:47:52 | 000,011,136 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ipfilter.sys -- (IPFilter)
    DRV - [2001/08/17 13:57:46 | 000,065,664 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\s3legacy.sys -- (s3legacy)
    DRV - [2001/08/17 13:50:20 | 000,114,944 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\epstw2k.sys -- (epstw2k)
    DRV - [2001/08/17 12:50:56 | 000,050,432 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\SiSV.sys -- (SiSV)
    DRV - [2001/08/17 12:50:34 | 000,166,720 | ---- | M] (S3 Incorporated) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s3m.sys -- (s3m)
    DRV - [1999/05/28 14:53:30 | 000,150,872 | R--- | M] (Trident Microsystems Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\TridWnW.sys -- (TridWnW)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========

    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomSearch = http://us.rd.yahoo.com/customize/ie/...ch/search.html
    IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
    IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
    IE - HKLM\..\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}: "URL" = http://www.ask.com/web?&o=101881&l=dis&q={SEARCHTERMS}


    IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,First Home Page = http://www.dell4me.com/myway
    IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,First Home Page = http://www.dell4me.com/myway
    IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    IE - HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
    IE - HKU\S-1-5-19\..\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}: "URL" = http://www.ask.com/web?&o=101881&l=dis&q={SEARCHTERMS}

    IE - HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
    IE - HKU\S-1-5-20\..\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}: "URL" = http://www.ask.com/web?&o=101881&l=dis&q={SEARCHTERMS}

    IE - HKU\S-1-5-21-1668751319-4250827956-263943839-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
    IE - HKU\S-1-5-21-1668751319-4250827956-263943839-1006\..\URLSearchHook: {91da5e8a-3318-4f8c-b67e-5964de3ab546} - C:\Program Files\ZoneAlarm_Security\prxtbZon2.dll (Conduit Ltd.)
    IE - HKU\S-1-5-21-1668751319-4250827956-263943839-1006\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
    IE - HKU\S-1-5-21-1668751319-4250827956-263943839-1006\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
    IE - HKU\S-1-5-21-1668751319-4250827956-263943839-1006\..\SearchScopes\{9215ECFA-54BC-4C22-9CB5-2109EB6BB912}: "URL" = http://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b2ie7
    IE - HKU\S-1-5-21-1668751319-4250827956-263943839-1006\..\SearchScopes\{9C126488-C099-43C9-A00E-5A43495AC51F}: "URL" = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}&ie={inputEncoding}&oe={outputEncoding}&startIndex={startIndex?}&startPage={startPage}
    IE - HKU\S-1-5-21-1668751319-4250827956-263943839-1006\..\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}: "URL" = http://www.ask.com/web?&o=101881&l=dis&q={SEARCHTERMS}
    IE - HKU\S-1-5-21-1668751319-4250827956-263943839-1006\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2645238
    IE - HKU\S-1-5-21-1668751319-4250827956-263943839-1006\..\SearchScopes\{CFF4DB9B-135F-47c0-9269-B4C6572FD61A}: "URL" = http://mystart.incredimail.com/mb59/?search={searchTerms}&loc=search_box&u=92822879073603948
    IE - HKU\S-1-5-21-1668751319-4250827956-263943839-1006\..\SearchScopes\{E8930232-4B31-4251-986C-98061BDC75B4}: "URL" = http://www.ant.com/web/{searchTerms}/
    IE - HKU\S-1-5-21-1668751319-4250827956-263943839-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
    IE - HKU\S-1-5-21-1668751319-4250827956-263943839-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>

    ========== FireFox ==========

    FF - prefs.js..browser.search.defaultthis.engineName: "ZoneAlarm Security Customized Web Search"
    FF - prefs.js..browser.search.selectedEngine: "Google"
    FF - prefs.js..browser.search.update: false
    FF - prefs.js..extensions.enabledItems: {e968fc70-8f95-4ab9-9e79-304de2a71ee1}:0.7.3
    FF - prefs.js..extensions.enabledItems: {1E73965B-8B48-48be-9C8D-68B920ABC1C4}:12.0.0.1912
    FF - prefs.js..extensions.enabledItems: {29c4afe1-db19-4298-8785-fcc94d1d6c1d}:0.6.2009110501
    FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0017-0000-0000-ABCDEFFEDCBA}:7.0
    FF - prefs.js..extensions.enabledItems: {c0c9a2c7-2e5c-4447-bc53-97718bc91e1b}:5.4
    FF - prefs.js..extensions.enabledItems: firefox@ghostery.com:2.6.0.1
    FF - prefs.js..extensions.enabledItems: {f36c6cd1-da73-491d-b290-8fc9115bfa55}:2.2.0
    FF - prefs.js..extensions.enabledItems: jsdeobfuscator@adblockplus.org:1.5.7
    FF - prefs.js..extensions.enabledItems: inspector@mozilla.org:2.0.10
    FF - prefs.js..extensions.enabledItems: firebug@software.joehewitt.com:1.7.3
    FF - prefs.js..extensions.enabledItems: {91da5e8a-3318-4f8c-b67e-5964de3ab546}:3.8.0.8
    FF - prefs.js..network.proxy.no_proxies_on: "*.local"
    FF - prefs.js..network.proxy.type: 0

    FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
    FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
    FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
    FF - HKLM\Software\MozillaPlugins\@checkpoint.com/FFApi: C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\npFFApi.dll ()
    FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre7\bin\new_plugin\npjp2.dll (Oracle Corporation)
    FF - HKLM\Software\MozillaPlugins\@messenger.yahoo.com/YahooMessengerStatePlugin;version=1.0.0.6: C:\Program Files\Yahoo!\Shared\npYState.dll (Yahoo! Inc.)
    FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
    FF - HKCU\Software\MozillaPlugins\@talk.google.com/GoogleTalkPlugin: C:\Documents and Settings\DAD\Application Data\Mozilla\plugins\npgoogletalk.dll (Google)
    FF - HKCU\Software\MozillaPlugins\@talk.google.com/O3DPlugin: C:\Documents and Settings\DAD\Application Data\Mozilla\plugins\npgtpo3dautoplugin.dll ()
    FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Documents and Settings\DAD\Local Settings\Application Data\Google\Update\1.3.21.65\npGoogleUpdate3.dll (Google Inc.)
    FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Documents and Settings\DAD\Local Settings\Application Data\Google\Update\1.3.21.65\npGoogleUpdate3.dll (Google Inc.)

    FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{1E73965B-8B48-48be-9C8D-68B920ABC1C4}: C:\Program Files\AVG\AVG2012\Firefox4\ [2012/01/31 13:21:12 | 000,000,000 | ---D | M]
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{FFB96CC1-7EB3-449D-B827-DB661701C6BB}: C:\Program Files\CheckPoint\ZAForceField\TrustChecker [2012/03/09 07:58:11 | 000,000,000 | ---D | M]
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6.12\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/08/18 08:27:06 | 000,000,000 | ---D | M]
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6.12\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/09/08 20:38:57 | 000,000,000 | ---D | M]

    [2009/11/23 22:10:47 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\DAD\Application Data\Mozilla\Extensions
    [2012/03/07 23:39:33 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\DAD\Application Data\Mozilla\Firefox\Profiles\fn2dlw99.default\extensions
    [2010/11/07 10:53:13 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\DAD\Application Data\Mozilla\Firefox\Profiles\fn2dlw99.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    [2011/04/14 16:22:47 | 000,000,000 | ---D | M] ("Split Browser") -- C:\Documents and Settings\DAD\Application Data\Mozilla\Firefox\Profiles\fn2dlw99.default\extensions\{29c4afe1-db19-4298-8785-fcc94d1d6c1d}
    [2011/11/23 16:09:25 | 000,000,000 | ---D | M] (ZoneAlarm Security Community Toolbar) -- C:\Documents and Settings\DAD\Application Data\Mozilla\Firefox\Profiles\fn2dlw99.default\extensions\{91da5e8a-3318-4f8c-b67e-5964de3ab546}
    [2011/09/07 19:41:45 | 000,000,000 | ---D | M] (Tor-Proxy.NET Toolbar) -- C:\Documents and Settings\DAD\Application Data\Mozilla\Firefox\Profiles\fn2dlw99.default\extensions\{9815d32d-08c2-42ca-a8c6-43e501a4512f}
    [2011/07/31 18:11:47 | 000,000,000 | ---D | M] (DownloadHelper) -- C:\Documents and Settings\DAD\Application Data\Mozilla\Firefox\Profiles\fn2dlw99.default\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
    [2011/09/07 23:43:07 | 000,000,000 | ---D | M] (Easy YouTube Video Downloader) -- C:\Documents and Settings\DAD\Application Data\Mozilla\Firefox\Profiles\fn2dlw99.default\extensions\{c0c9a2c7-2e5c-4447-bc53-97718bc91e1b}
    [2011/08/18 08:34:41 | 000,000,000 | ---D | M] (User Agent Switcher) -- C:\Documents and Settings\DAD\Application Data\Mozilla\Firefox\Profiles\fn2dlw99.default\extensions\{e968fc70-8f95-4ab9-9e79-304de2a71ee1}
    [2011/09/27 00:14:34 | 000,000,000 | ---D | M] (WorldIP) -- C:\Documents and Settings\DAD\Application Data\Mozilla\Firefox\Profiles\fn2dlw99.default\extensions\{f36c6cd1-da73-491d-b290-8fc9115bfa55}
    [2011/07/13 05:36:08 | 000,000,000 | ---D | M] (Ant Video Downloader) -- C:\Documents and Settings\DAD\Application Data\Mozilla\Firefox\Profiles\fn2dlw99.default\extensions\anttoolbar@ant(2).com
    [2011/09/27 02:18:16 | 000,000,000 | ---D | M] (Firebug) -- C:\Documents and Settings\DAD\Application Data\Mozilla\Firefox\Profiles\fn2dlw99.default\extensions\firebug@software.joehewitt.com
    [2011/09/07 23:43:07 | 000,000,000 | ---D | M] (Ghostery) -- C:\Documents and Settings\DAD\Application Data\Mozilla\Firefox\Profiles\fn2dlw99.default\extensions\firefox@ghostery.com
    [2011/07/13 05:36:10 | 000,000,000 | ---D | M] (FlashFirebug) -- C:\Documents and Settings\DAD\Application Data\Mozilla\Firefox\Profiles\fn2dlw99.default\extensions\flashfirebug@o-minds(2).com
    [2011/09/27 02:14:47 | 000,000,000 | ---D | M] (DOM Inspector) -- C:\Documents and Settings\DAD\Application Data\Mozilla\Firefox\Profiles\fn2dlw99.default\extensions\inspector@mozilla.org
    [2011/09/27 00:13:32 | 000,000,000 | ---D | M] (JavaScript Deobfuscator) -- C:\Documents and Settings\DAD\Application Data\Mozilla\Firefox\Profiles\fn2dlw99.default\extensions\jsdeobfuscator@adblockplus.org
    [2011/03/23 20:42:20 | 000,000,939 | ---- | M] () -- C:\Documents and Settings\DAD\Application Data\Mozilla\Firefox\Profiles\fn2dlw99.default\searchplugins\conduit.xml
    [2011/08/26 23:22:11 | 000,002,207 | ---- | M] () -- C:\Documents and Settings\DAD\Application Data\Mozilla\Firefox\Profiles\fn2dlw99.default\searchplugins\MyStart Search.xml
    [2012/03/07 23:39:33 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
    [2011/08/18 08:46:34 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0017-0000-0000-ABCDEFFEDCBA}
    [2012/01/31 13:21:12 | 000,000,000 | ---D | M] (AVG Safe Search) -- C:\PROGRAM FILES\AVG\AVG2012\FIREFOX4
    [2011/08/18 08:45:29 | 000,611,224 | ---- | M] (Oracle Corporation) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll

    ========== Chrome ==========

    CHR - default_search_provider: Google (Enabled)
    CHR - default_search_provider: search_url = {google:baseURL}search?{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}sourceid=chrome&ie={inputEncoding}&q={searchTerms}
    CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?client=chrome&hl={language}&q={searchTerms}
    CHR - plugin: Shockwave Flash (Enabled) = C:\Documents and Settings\DAD\Local Settings\Application Data\Google\Chrome\Application\13.0.782.215\gcswf32.dll
    CHR - plugin: Shockwave Flash (Enabled) = C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll
    CHR - plugin: QuickTime Plug-in 7.6.8 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin.dll
    CHR - plugin: QuickTime Plug-in 7.6.8 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin2.dll
    CHR - plugin: QuickTime Plug-in 7.6.8 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin3.dll
    CHR - plugin: QuickTime Plug-in 7.6.8 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin4.dll
    CHR - plugin: QuickTime Plug-in 7.6.8 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin5.dll
    CHR - plugin: QuickTime Plug-in 7.6.8 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin6.dll
    CHR - plugin: QuickTime Plug-in 7.6.8 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin7.dll
    CHR - plugin: Java Deployment Toolkit 6.0.240.7 (Enabled) = C:\Program Files\Java\jre6\bin\new_plugin\npdeployJava1.dll
    CHR - plugin: Java(TM) Platform SE 6 U24 (Enabled) = C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll
    CHR - plugin: Adobe Acrobat (Disabled) = C:\Program Files\Adobe\Reader 9.0\Reader\Browser\nppdf32.dll
    CHR - plugin: Shockwave for Director (Enabled) = C:\WINDOWS\system32\Adobe\Director\np32dsw.dll
    CHR - plugin: Windows Media Player Plug-in Dynamic Link Library (Enabled) = C:\Program Files\Windows Media Player\npdsplay.dll
    CHR - plugin: Chrome NaCl (Disabled) = C:\Documents and Settings\DAD\Local Settings\Application Data\Google\Chrome\Application\13.0.782.215\ppGoogleNaClPluginChrome.dll
    CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Documents and Settings\DAD\Local Settings\Application Data\Google\Chrome\Application\13.0.782.215\pdf.dll
    CHR - plugin: AVG Internet Security (Enabled) = C:\Documents and Settings\DAD\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\jmfkcklnlgedgbglfkkgedjfmejoahla\10.0.0.1390_1\plugins/avgnpss.dll
    CHR - plugin: getPlusPlus for Adobe 162102 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\np_gp.dll
    CHR - plugin: Microsoft® DRM (Enabled) = C:\Program Files\Windows Media Player\npdrmv2.dll
    CHR - plugin: Microsoft® DRM (Enabled) = C:\Program Files\Windows Media Player\npwmsdrm.dll
    CHR - plugin: Google Update (Enabled) = C:\Documents and Settings\DAD\Local Settings\Application Data\Google\Update\1.3.21.57\npGoogleUpdate3.dll
    CHR - plugin: iTunes Application Detector (Enabled) = C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
    CHR - plugin: Windows Presentation Foundation (Enabled) = C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
    CHR - plugin: Default Plug-in (Enabled) = default_plugin
    CHR - Extension: AVG Safe Search = C:\Documents and Settings\DAD\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\jmfkcklnlgedgbglfkkgedjfmejoahla\10.0.0.1390_0\
    CHR - Extension: AVG Safe Search = C:\Documents and Settings\DAD\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\jmfkcklnlgedgbglfkkgedjfmejoahla\12.0.0.1901_0\

    O1 HOSTS File: ([2012/02/13 19:18:35 | 000,440,549 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
    O1 - Hosts: 127.0.0.1 localhost
    O1 - Hosts: 127.0.0.1 www.007guard.com
    O1 - Hosts: 127.0.0.1 007guard.com
    O1 - Hosts: 127.0.0.1 008i.com
    O1 - Hosts: 127.0.0.1 www.008k.com
    O1 - Hosts: 127.0.0.1 008k.com
    O1 - Hosts: 127.0.0.1 www.00hq.com
    O1 - Hosts: 127.0.0.1 00hq.com
    O1 - Hosts: 127.0.0.1 010402.com
    O1 - Hosts: 127.0.0.1 www.032439.com
    O1 - Hosts: 127.0.0.1 032439.com
    O1 - Hosts: 127.0.0.1 www.0scan.com
    O1 - Hosts: 127.0.0.1 0scan.com
    O1 - Hosts: 127.0.0.1 1000gratisproben.com
    O1 - Hosts: 127.0.0.1 www.1000gratisproben.com
    O1 - Hosts: 127.0.0.1 1001namen.com
    O1 - Hosts: 127.0.0.1 www.1001namen.com
    O1 - Hosts: 127.0.0.1 100888290cs.com
    O1 - Hosts: 127.0.0.1 www.100888290cs.com
    O1 - Hosts: 127.0.0.1 www.100sexlinks.com
    O1 - Hosts: 127.0.0.1 100sexlinks.com
    O1 - Hosts: 127.0.0.1 10sek.com
    O1 - Hosts: 127.0.0.1 www.10sek.com
    O1 - Hosts: 127.0.0.1 www.1-2005-search.com
    O1 - Hosts: 127.0.0.1 1-2005-search.com
    O1 - Hosts: 15168 more lines...
    O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG2012\avgssie.dll (AVG Technologies CZ, s.r.o.)
    O2 - BHO: (ZoneAlarm Security Engine Registrar) - {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - C:\Program Files\CheckPoint\ZAForceField\Trustchecker\bin\TrustCheckerIEPlugin.dll (Check Point Software Technologies)
    O2 - BHO: (ZoneAlarm Security Toolbar) - {91da5e8a-3318-4f8c-b67e-5964de3ab546} - C:\Program Files\ZoneAlarm_Security\prxtbZon2.dll (Conduit Ltd.)
    O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
    O3 - HKLM\..\Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - No CLSID value found.
    O3 - HKLM\..\Toolbar: (ZoneAlarm Security Toolbar) - {91da5e8a-3318-4f8c-b67e-5964de3ab546} - C:\Program Files\ZoneAlarm_Security\prxtbZon2.dll (Conduit Ltd.)
    O3 - HKLM\..\Toolbar: (ZoneAlarm Security Engine) - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\Trustchecker\bin\TrustCheckerIEPlugin.dll (Check Point Software Technologies)
    O3 - HKU\S-1-5-21-1668751319-4250827956-263943839-1006\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
    O3 - HKU\S-1-5-21-1668751319-4250827956-263943839-1006\..\Toolbar\WebBrowser: (ZoneAlarm Security Toolbar) - {91DA5E8A-3318-4F8C-B67E-5964DE3AB546} - C:\Program Files\ZoneAlarm_Security\prxtbZon2.dll (Conduit Ltd.)
    O3 - HKU\S-1-5-21-1668751319-4250827956-263943839-1006\..\Toolbar\WebBrowser: (ZoneAlarm Security Engine) - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\Trustchecker\bin\TrustCheckerIEPlugin.dll (Check Point Software Technologies)
    O4 - HKLM..\Run: [AVG_TRAY] C:\Program Files\AVG\AVG2012\avgtray.exe (AVG Technologies CZ, s.r.o.)
    O4 - HKLM..\Run: [ISW] C:\Program Files\CheckPoint\ZAForceField\ForceField.exe (Check Point Software Technologies)
    O4 - HKLM..\Run: [Task Catcher] C:\Program Files\BillP Studios\Task Catcher\TaskTrap.exe (BillP Studios)
    O4 - HKLM..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe (BillP Studios)
    O4 - HKLM..\Run: [ZoneAlarm] C:\Program Files\CheckPoint\ZoneAlarm\zatray.exe (Check Point Software Technologies LTD)
    O4 - HKU\.DEFAULT..\RunOnce: [RunNarrator] C:\WINDOWS\System32\narrator.exe (Microsoft Corporation)
    O4 - HKU\S-1-5-18..\RunOnce: [RunNarrator] C:\WINDOWS\System32\narrator.exe (Microsoft Corporation)
    O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\NETGEAR WG111v3 Smart Wizard.lnk = C:\Program Files\NETGEAR\WG111v3\WG111v3.exe ()
    O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\SystemExplorerDisabled [2011/09/01 03:51:19 | 000,000,000 | ---D | M]
    O4 - Startup: C:\Documents and Settings\DAD\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE ()
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery present
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Main present
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveSearch = 1
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\S-1-5-21-1668751319-4250827956-263943839-1006\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-21-1668751319-4250827956-263943839-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O7 - HKU\S-1-5-21-1668751319-4250827956-263943839-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 0
    O7 - HKU\S-1-5-21-1668751319-4250827956-263943839-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O7 - HKU\S-1-5-21-1668751319-4250827956-263943839-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
    O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\WINDOWS\system32\nwprovau.dll (Microsoft Corporation)
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft.com/fwlink/?linkid=39204 (Windows Genuine Advantage Validation Tool)
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsof...?1246219383859 (MUWebControl Class)
    O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (OnlineScanner Control)
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.7.0/jin...ndows-i586.cab (Java Plug-in 1.7.0)
    O16 - DPF: {CAFEEFAC-0017-0000-0000-ABCDEFFEDCBA} http://java.sun.com/update/1.7.0/jin...ndows-i586.cab (Java Plug-in 1.7.0)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.7.0/jin...ndows-i586.cab (Java Plug-in 1.7.0)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{D3C8F517-0E02-41EF-88B6-50CFBAF7D6D0}: NameServer = 68.105.28.11,68.105.28.12,68.105.29.12
    O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG2012\avgpp.dll (AVG Technologies CZ, s.r.o.)
    O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
    O20 - Winlogon\Notify\!SASWinLogon: DllName - (C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL) - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL (SUPERAntiSpyware.com)
    O24 - Desktop WallPaper: C:\Documents and Settings\DAD\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
    O24 - Desktop BackupWallPaper: C:\Documents and Settings\DAD\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
    O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation)
    O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2004/08/10 12:04:08 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
    O34 - HKLM BootExecute: (autocheck autochk *)
    O34 - HKLM BootExecute: (C:\PROGRA~1\AVG\AVG2012\avgrsx.exe /sync /restart)
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37 - HKLM\...com [@ = comfile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*

    ========== Files/Folders - Created Within 30 Days ==========

    [2012/03/15 16:05:37 | 000,594,944 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\DAD\Desktop\OTL.exe
    [2012/03/12 06:46:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
    [2012/03/12 06:43:21 | 002,031,992 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\DAD\Desktop\MGADiag.exe
    [2012/02/15 22:33:57 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT
    [2012/02/15 22:33:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\ERUNT
    [2012/02/15 22:27:41 | 000,791,393 | ---- | C] (Lars Hederer ) -- C:\Documents and Settings\DAD\Desktop\erunt-setup.exe
    [90 C:\WINDOWS\Fonts\*.tmp files -> C:\WINDOWS\Fonts\*.tmp -> ]

    ========== Files - Modified Within 30 Days ==========

    [2012/03/15 16:05:34 | 000,594,944 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\DAD\Desktop\OTL.exe
    [2012/03/15 16:01:34 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
    [2012/03/15 16:00:35 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
    [2012/03/15 16:00:33 | 000,167,504 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
    [2012/03/15 09:43:58 | 091,897,464 | ---- | M] () -- C:\WINDOWS\System32\drivers\AVG\incavi.avm
    [2012/03/14 23:59:58 | 000,006,522 | ---- | M] () -- C:\Documents and Settings\DAD\My Documents\ALLLYRICSTODATE.RTF
    [2012/03/13 15:59:50 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
    [2012/03/12 06:44:12 | 002,031,992 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\DAD\Desktop\MGADiag.exe
    [2012/03/10 19:08:25 | 000,879,700 | ---- | M] () -- C:\Documents and Settings\DAD\Desktop\SecurityCheck.exe
    [2012/03/10 17:09:41 | 000,287,652 | ---- | M] () -- C:\WINDOWS\System32\drivers\AVG\iavichjg.avm
    [2012/03/09 12:23:17 | 000,004,198 | ---- | M] () -- C:\Documents and Settings\DAD\Desktop\attach.zip
    [2012/03/06 11:32:01 | 000,000,069 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
    [2012/02/18 02:01:41 | 000,003,082 | ---- | M] () -- C:\Documents and Settings\DAD\My Documents\claimform.rtf
    [2012/02/15 22:34:09 | 000,000,767 | ---- | M] () -- C:\Documents and Settings\DAD\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
    [2012/02/15 22:34:02 | 000,000,592 | ---- | M] () -- C:\Documents and Settings\DAD\Desktop\ERUNT.lnk
    [2012/02/15 22:32:01 | 000,791,393 | ---- | M] (Lars Hederer ) -- C:\Documents and Settings\DAD\Desktop\erunt-setup.exe
    [2012/02/14 18:07:40 | 000,463,932 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
    [2012/02/14 18:07:40 | 000,079,208 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat

    ========== Files Created - No Company Name ==========

    [2012/03/10 19:08:14 | 000,879,700 | ---- | C] () -- C:\Documents and Settings\DAD\Desktop\SecurityCheck.exe
    [2012/03/09 12:23:16 | 000,004,198 | ---- | C] () -- C:\Documents and Settings\DAD\Desktop\attach.zip
    [2012/02/18 02:01:41 | 000,003,082 | ---- | C] () -- C:\Documents and Settings\DAD\My Documents\claimform.rtf
    [2012/02/15 22:34:09 | 000,000,767 | ---- | C] () -- C:\Documents and Settings\DAD\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
    [2012/02/15 22:34:02 | 000,000,592 | ---- | C] () -- C:\Documents and Settings\DAD\Desktop\ERUNT.lnk
    [2012/02/14 12:42:50 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
    [2011/09/09 02:12:30 | 000,000,754 | ---- | C] () -- C:\WINDOWS\WORDPAD.INI
    [2011/08/27 16:32:41 | 000,000,059 | ---- | C] () -- C:\WINDOWS\System32\everest_cpl.ini
    [2011/05/28 00:47:06 | 000,037,540 | -H-- | C] () -- C:\WINDOWS\System32\mlfcache.dat
    [2011/04/30 11:53:26 | 000,166,400 | ---- | C] () -- C:\WINDOWS\System32\TridTray.exe
    [2011/04/12 23:13:27 | 000,000,069 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
    [2011/03/31 23:15:01 | 000,021,312 | ---- | C] () -- C:\WINDOWS\choice.exe

    ========== LOP Check ==========

    [2011/04/21 18:54:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator.DJJXF091\Application Data\Program Files
    [2011/04/21 18:16:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator.DJJXF091\Application Data\Windows Search
    [2011/05/28 00:33:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Ant.com
    [2005/12/23 16:59:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Authentium
    [2011/05/03 13:54:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Avanquest
    [2012/01/13 21:40:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVG2012
    [2011/05/03 13:52:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\BVRP Software
    [2011/05/14 20:13:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\CheckPoint
    [2011/04/01 00:15:02 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\Common Files
    [2011/03/29 04:57:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Cricket Broadband EC1705
    [2011/04/21 18:54:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\DatacardService
    [2011/09/23 14:43:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Innovative Solutions
    [2011/04/02 02:38:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\InstallMate
    [2009/11/30 16:35:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\IObit
    [2011/03/30 16:32:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\LightScribe
    [2012/03/15 09:44:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MFAData
    [2011/04/01 22:33:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PC-Doctor
    [2011/04/01 22:33:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PCDr
    [2006/08/14 20:55:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SnapStream
    [2011/04/01 22:33:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SupportSoft
    [2011/08/02 20:56:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SystemExplorer
    [2011/04/21 12:51:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Temp
    [2010/10/31 12:34:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
    [2009/10/03 17:17:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
    [2009/07/08 20:47:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
    [2011/04/01 00:25:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\DAD\Application Data\AVG10
    [2012/01/13 18:41:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\DAD\Application Data\AVG2012
    [2011/08/04 18:53:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\DAD\Application Data\Canon
    [2011/03/31 00:30:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\DAD\Application Data\CheckPoint
    [2011/11/07 22:15:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\DAD\Application Data\gtk-2.0
    [2009/12/01 10:44:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\DAD\Application Data\IObit
    [2006/01/01 18:20:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\DAD\Application Data\Leadertech
    [2011/05/03 02:45:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\DAD\Application Data\MOBILedit
    [2006/05/21 15:48:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\DAD\Application Data\MSNInstaller
    [2011/03/29 04:53:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\DAD\Application Data\Program Files
    [2005/12/23 19:01:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\DAD\Application Data\QMCache
    [2010/10/19 11:35:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\DAD\Application Data\Research In Motion
    [2011/09/09 09:12:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\DAD\Application Data\Safer Networking
    [2009/03/14 19:05:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\DAD\Application Data\Smith Micro
    [2006/04/16 21:24:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\DAD\Application Data\Snapfish
    [2011/05/03 15:31:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\DAD\Application Data\Sony
    [2012/03/12 06:41:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\DAD\Application Data\uTorrent
    [2009/06/28 13:20:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\DAD\Application Data\Windows Desktop Search
    [2009/07/03 18:48:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\DAD\Application Data\Windows Search
    [2011/04/02 02:39:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\DAD\Application Data\WinPatrol

    ========== Purity Check ==========



    < End of report >

    OTL Extras logfile created on: 3/15/2012 4:07:14 PM - Run 1
    OTL by OldTimer - Version 3.2.37.1 Folder = C:\Documents and Settings\DAD\Desktop
    Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
    Internet Explorer (Version = 8.0.6001.18702)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    1.24 Gb Total Physical Memory | 0.62 Gb Available Physical Memory | 49.97% Memory free
    4.22 Gb Paging File | 3.63 Gb Available in Paging File | 85.82% Paging File free
    Paging file location(s): [Binary data over 100 bytes]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 34.21 Gb Total Space | 10.93 Gb Free Space | 31.94% Space Free | Partition Type: NTFS
    Drive E: | 232.88 Gb Total Space | 160.22 Gb Free Space | 68.80% Space Free | Partition Type: NTFS

    Computer Name: DJJXF091 | User Name: DAD | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: All users
    Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

    ========== Extra Registry (SafeList) ==========


    ========== File Associations ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
    .cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
    .url [@ = InternetShortcut] -- rundll32.exe ieframe.dll,OpenURL %l

    [HKEY_USERS\S-1-5-21-1668751319-4250827956-263943839-1006\SOFTWARE\Classes\<extension>]
    .html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

    ========== Shell Spawning ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
    batfile [open] -- "%1" %*
    cmdfile [open] -- "%1" %*
    comfile [open] -- "%1" %*
    cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
    exefile [open] -- "%1" %*
    InternetShortcut [open] -- rundll32.exe ieframe.dll,OpenURL %l
    piffile [open] -- "%1" %*
    regfile [merge] -- Reg Error: Key error.
    scrfile [config] -- "%1"
    scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
    scrfile [open] -- "%1" /S
    txtfile [edit] -- Reg Error: Key error.
    Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
    Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
    Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
    Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

    ========== Security Center Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
    "FirstRunDisabled" = 1
    "AntiVirusDisableNotify" = 1
    "FirewallDisableNotify" = 1
    "UpdatesDisableNotify" = 0
    "AntiVirusOverride" = 0
    "FirewallOverride" = 0

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]
    "DisableMonitoring" = 1

    ========== System Restore Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
    "DisableSR" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
    "Start" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
    "Start" = 2

    ========== Firewall Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
    "EnableFirewall" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
    "1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
    "2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
    "10243:TCP" = 10243:TCP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
    "10280:UDP" = 10280:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
    "10281:UDP" = 10281:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
    "10282:UDP" = 10282:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
    "10283:UDP" = 10283:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
    "10284:UDP" = 10284:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
    "139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
    "445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
    "137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
    "138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002
    "1723:TCP" = 1723:TCP:*:Enabled:@xpsp2res.dll,-22015
    "1701:UDP" = 1701:UDP:*:Enabled:@xpsp2res.dll,-22016
    "500:UDP" = 500:UDP:*:Enabled:@xpsp2res.dll,-22017

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    "EnableFirewall" = 0
    "DisableNotifications" = 0
    "DoNotAllowExceptions" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
    "1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
    "2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
    "139:TCP" = 139:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22004
    "445:TCP" = 445:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22005
    "137:UDP" = 137:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22001
    "138:UDP" = 138:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22002

    ========== Authorized Applications List ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


    ========== HKEY_LOCAL_MACHINE Uninstall List ==========

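Before the uninstall list continues in the next post, a worked example of reading a log like the one above. This is an added example, not code from the thread or from OTL: it parses the line shapes the posted OTL.txt and Extras.txt use (O1 hosts entries, O4 Run and Startup entries, O20 Winlogon values, and the [HKEY_...] / "name" = data blocks) and returns the findings a helper checks first. SAMPLE_LOG is a constructed excerpt copied from the posted log; the function names, the severity labels and the triage rules (a 127.0.0.1 hosts entry blocks a name rather than redirecting it; Shell should be explorer.exe and UserInit should end in \system32\userinit.exe; a GloballyOpenPorts entry with scope * and state Enabled is reachable from any address) are this example's own assumptions, not OTL's.

```python
"""Triage of an OTL log excerpt (added example, not part of the thread or of OTL itself)."""
import re
from collections import defaultdict

# Line shapes as they appear in the posted OTL.txt / Extras.txt.
HOSTS_MORE_RE = re.compile(r"^O1 - Hosts: (\d+) more lines\.\.\.$")
HOSTS_RE = re.compile(r"^O1 - Hosts: (\S+) (\S+)$")
RUN_RE = re.compile(r"^O4 - (.+?)\.\.\\Run(Once)?: \[([^\]]+)\] (.+?) \(([^()]*)\)$")
STARTUP_RE = re.compile(r"^O4 - Startup: (.+?) = (.+?) \(([^()]*)\)$")
WINLOGON_RE = re.compile(r"^O20 - HKLM Winlogon: (\w+) - \((.*?)\) - (.+?) \(([^()]*)\)$")
KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)" = (.*)$')
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}  # a hosts entry pointing here blocks the name

# Constructed excerpt assembled from lines of the log posted above.
SAMPLE_LOG = r"""
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 15168 more lines...
O4 - HKLM..\Run: [AVG_TRAY] C:\Program Files\AVG\AVG2012\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKU\.DEFAULT..\RunOnce: [RunNarrator] C:\WINDOWS\System32\narrator.exe (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\NETGEAR WG111v3 Smart Wizard.lnk = C:\Program Files\NETGEAR\WG111v3\WG111v3.exe ()
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = 1
"FirewallDisableNotify" = 1
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"""


def parse_otl(text):
    """Collect hosts entries, autoruns, Winlogon values and the registry dump blocks."""
    out = {"hosts": [], "hosts_elided": 0, "run": [], "winlogon": {}, "reg": defaultdict(dict)}
    key = None  # registry key that the following "name" = data lines belong to
    for raw in text.splitlines():
        line = raw.strip()
        if m := HOSTS_MORE_RE.match(line):
            out["hosts_elided"] += int(m.group(1))
        elif m := HOSTS_RE.match(line):
            out["hosts"].append((m.group(1), m.group(2)))
        elif m := RUN_RE.match(line):
            hive, once, name, path, company = m.groups()
            out["run"].append({"where": hive + ("\\RunOnce" if once else "\\Run"),
                               "name": name, "path": path, "company": company})
        elif m := STARTUP_RE.match(line):
            out["run"].append({"where": "Startup", "name": m.group(1), "path": m.group(2), "company": m.group(3)})
        elif m := WINLOGON_RE.match(line):
            out["winlogon"][m.group(1)] = {"value": m.group(2), "path": m.group(3), "company": m.group(4)}
        elif m := KEY_RE.match(line):
            key = m.group(1)
        elif key and (m := VALUE_RE.match(line)):
            out["reg"][key][m.group(1)] = m.group(2)
    return out


def triage(parsed):
    """Return (severity, message) pairs; severity is 'info', 'check' or 'alert'."""
    findings = []
    # O1: loopback entries only block names; any other address is a redirect of that name.
    redirects = [(ip, name) for ip, name in parsed["hosts"] if ip not in LOOPBACK]
    if redirects:
        findings.append(("alert", "hosts file redirects %d name(s): %s" % (len(redirects), ", ".join(f"{name}->{ip}" for ip, name in redirects))))
    elif parsed["hosts"]:
        findings.append(("info", "hosts file is a loopback blocklist (%d entries shown, %d elided), not a redirect hijack" % (len(parsed["hosts"]), parsed["hosts_elided"])))
    # O20: Shell and UserInit are classic persistence points; compare with the stock values (assumed here).
    shell = parsed["winlogon"].get("Shell", {}).get("value", "").lower()
    if shell and shell != "explorer.exe":
        findings.append(("alert", f"Winlogon Shell is '{shell}', expected explorer.exe"))
    userinit = parsed["winlogon"].get("UserInit", {}).get("value", "").lower().rstrip(",")
    if userinit and not userinit.endswith("\\system32\\userinit.exe"):
        findings.append(("alert", f"Winlogon UserInit is '{userinit}', expected <SystemRoot>\\system32\\userinit.exe"))
    # O4: an autorun with no company string deserves a look; it is not proof of anything.
    for entry in parsed["run"]:
        if not entry["company"].strip():
            findings.append(("check", f"{entry['where']} entry '{entry['name']}' -> {entry['path']} has no company name"))
    # Extras: suppressed Security Center warnings, firewall state, ports opened to any address.
    for key, values in parsed["reg"].items():
        if key.endswith("\\Security Center"):
            for name in ("AntiVirusDisableNotify", "FirewallDisableNotify", "UpdatesDisableNotify"):
                if values.get(name) == "1":
                    findings.append(("check", f"Security Center {name}=1: its warnings are suppressed"))
        elif key.endswith("\\GloballyOpenPorts\\List"):
            profile = key.split("\\FirewallPolicy\\", 1)[1].split("\\", 1)[0]
            for data in values.values():
                fields = data.split(":")  # port:proto:scope:state:description
                if len(fields) >= 4 and fields[2] == "*" and fields[3] == "Enabled":
                    findings.append(("check", f"{fields[0]}/{fields[1]} open to any address in {profile}"))
        elif "\\FirewallPolicy\\" in key and values.get("EnableFirewall") == "0":
            findings.append(("check", "Windows Firewall off in %s; fine only if a third-party firewall is active" % key.rsplit("\\", 1)[-1]))
    return findings


if __name__ == "__main__":
    for severity, message in triage(parse_otl(SAMPLE_LOG)):
        print(f"[{severity}] {message}")
```

On SAMPLE_LOG this reports the hosts entries as a loopback blocklist (the form hosts immunization writes, which matches Spybot S&D being installed rather than a hijack), no Winlogon tampering, the NETGEAR Startup link with no company string, both Security Center notification flags set, Windows Firewall off in both profiles (consistent with ZoneAlarm being the registered firewall, as the ZoneLabsFirewall monitoring key in the log suggests), and 139/TCP open to any address in the DomainProfile while the 1900/UDP LocalSubNet entry is passed over. Everything marked "check" is a question for the helper, not a verdict; only a non-loopback hosts entry or a changed Winlogon value is raised as an alert.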
    #13
    musicalpulltoy
    Senior Member
    Join Date
    Mar 2009
    Posts
    104

    Default

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "{007811BF-E310-4285-BFC6-55DB29B3EDDE}" = WinPatrol
    "{02E89EFC-7B07-4D5A-AA03-9EC0902914EE}" = VC 9.0 Runtime
    "{0AB76F69-E761-4CFA-B9B0-A1906B4E9E4B}" = WD Diagnostics
    "{0E7DBD52-B097-4F2B-A7C7-F105B0D20FDB}" = LightScribe System Software 1.14.17.1
    "{0EB5D9B7-8E6C-4A9E-B74F-16B7EE89A67B}" = Microsoft Plus! Photo Story 2 LE
    "{17334AAF-C9E7-483B-9F45-E3FCAF07FFA7}" = Intel(R) PROSet for Wired Connections
    "{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    "{226b64e8-dc75-4eea-a6c8-abcb496320f2}-Google Talk" = Google Talk (remove only)
    "{26A24AE4-039D-4CA4-87B4-2F83217000FF}" = Java(TM) 7
    "{296B2D8E-CE82-92AF-B2E8-937294733038}_is1" = NetAlyzer
    "{2B120B1D-1908-4FB3-8C9D-72128A74E80A}" = ZoneAlarm Security
    "{2CE5A2E7-3437-4CE7-BCF4-85ED6EEFF9E4}" = iTunes
    "{3134052E-B1F0-465C-B320-5042095B1033}" = Nero 7 Essentials
    "{33BB4982-DC52-4886-A03B-F4C5C80BEE89}" = Windows Media Player 10
    "{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
    "{35BDEFF1-A610-4956-A00D-15453C116395}" = Internet Explorer Default Page
    "{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
    "{4EFC72DA-2314-4E5D-AC8E-1C954CDB8BBF}" = AVG 2012
    "{5396FBD8-8BD7-47F9-92AE-F62F13D5A11D}" = NETGEAR WG111v3 wireless USB 2.0 adapter
    "{548EEA8E-8299-497F-8057-811D2D7097DC}" = Dell Support 3.1
    "{56C049BE-79E9-4502-BEA7-9754A3E60F9B}" = neroxml
    "{5905F42D-3F5F-4916-ADA6-94A3646AEE76}" = Dell Driver Reset Tool
    "{62BD0AE0-4EB1-4BBB-8F43-B6400C8FEB2C}" = AOLIcon
    "{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
    "{69B02159-7622-4DBB-B9EE-F933039830AD}" = QuickBooks Pro 2006
    "{6C1E7AA1-44E9-446D-AAB2-0DE6D9EFEAB1}" = Safari
    "{6E179C77-7335-458D-9537-4F4EAC0181ED}" = Photo Click
    "{6E45BA47-383C-4C1E-8ED0-0D4845C293D7}" = Microsoft Plus! Digital Media Edition Installer
    "{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
    "{716E0306-8318-4364-8B8F-0CC4E9376BAC}" = MSXML 4.0 SP2 Parser and SDK
    "{74F7662C-B1DB-489E-A8AC-07A06B24978B}" = Dell System Restore
    "{76E41F43-59D2-4F30-BA42-9A762EE1E8DE}" = Avanquest update
    "{76EFFC7C-17A6-479D-9E47-8E658C1695AE}" = Windows Backup Utility
    "{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    "{7F142D56-3326-11D5-B229-002078017FBF}" = Modem Helper
    "{853A4763-6643-4604-8D64-28BDD8925F4C}" = Apple Application Support
    "{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel(R) Extreme Graphics 2 Driver
    "{91120409-6000-11D3-8CFE-0050048383C9}" = Microsoft Office XP Standard
    "{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
    "{99F0545E-D93D-481D-8088-7F50FD76DE55}" = Scrapbooks Plus Workshop
    "{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
    "{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
    "{A386CC19-1E79-4D4C-A54B-C8747871E4AD}" = ZoneAlarm Firewall
    "{AC0EE5B0-A8FB-4D0A-AF03-2EDC518F841B}" = Dell Media Experience
    "{B37C842A-B624-46B8-A727-654E72F1C91A}" = Calculator Powertoy for Windows XP
    "{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
    "{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
    "{C13AF9C7-8E06-4354-B629-DF6192CE4A66}" = PANTECH UM175 Driver
    "{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
    "{CCA1EEA3-555E-4D05-AC46-4B49C6C5D887}" = Apple Mobile Device Support
    "{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware
    "{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
    "{D403FFC3-DED7-36DB-AC5C-2967541F32A8}" = Google Talk Plugin
    "{E3BFEE55-39E2-4BE0-B966-89FE583822C1}" = Dell Support Center (Support Software)
    "{E7004147-2CCA-431C-AA05-2AB166B9785D}" = QuickTime
    "{E7E84E23-C5C0-4B15-B13A-C63149E59C98}" = AVG 2012
    "{F09EF8F2-0976-42C1-8D9D-8DF78337C6E3}" = Sony Ericsson PC Companion 2.01.149
    "{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
    "{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
    "7-Zip" = 7-Zip 4.42
    "Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
    "AVG" = AVG 2012
    "Dell Digital Jukebox Driver" = Dell Digital Jukebox Driver
    "Dell Game Console" = Dell Game Console
    "ERUNT_is1" = ERUNT 1.1j
    "ESET Online Scanner" = ESET Online Scanner v3
    "EVEREST Home Edition_is1" = EVEREST Home Edition v2.20
    "Halo" = Microsoft Halo
    "IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
    "ie7" = Windows Internet Explorer 7
    "ie8" = Windows Internet Explorer 8
    "InstallShield_{5396FBD8-8BD7-47F9-92AE-F62F13D5A11D}" = NETGEAR WG111v3 wireless USB 2.0 adapter
    "LAME for Audacity_is1" = LAME v3.98.3 for Audacity
    "Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.60.1.1000
    "Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
    "Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
    "Mozilla Firefox (3.6.12)" = Mozilla Firefox (3.6.12)
    "MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
    "NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
    "PROSet" = Intel(R) PRO Network Adapters and Drivers
    "RealPlayer 6.0" = RealPlayer Basic
    "Rosetta Stone 2.1.4.1A" = Rosetta Stone 2.1.4.1A
    "System Explorer_is1" = System Explorer 3.0.4
    "Task Catcher" = Task Catcher
    "Wdf01005" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
    "Wdf01009" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.9
    "WIC" = Windows Imaging Component
    "Windows Media Format Runtime" = Windows Media Format 11 runtime
    "Windows Media Player" = Windows Media Player 11
    "Windows XP Service Pack" = Windows XP Service Pack 3
    "WinGimp-2.0_is1" = GIMP 2.6.11
    "WMFDist11" = Windows Media Format 11 runtime
    "wmp11" = Windows Media Player 11
    "Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
    "Yahoo! Messenger" = Yahoo! Messenger
    "ZoneAlarm Free" = ZoneAlarm Free
    "ZoneAlarm Toolbar" = ZoneAlarm Toolbar
    "ZoneAlarm_Security Toolbar" = ZoneAlarm Security Toolbar

    ========== HKEY_USERS Uninstall List ==========

    [HKEY_USERS\S-1-5-21-1668751319-4250827956-263943839-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "f031ef6ac137efc5" = Dell Driver Download Manager
    "Google Chrome" = Google Chrome

    ========== Last 10 Event Log Errors ==========

    [ Application Events ]
    Error - 8/21/2011 4:31:25 AM | Computer Name = DJJXF091 | Source = Application Error | ID = 1000
    Description = Faulting application wg111v3.exe, version 3.6.28.314, faulting module
    dnsapi.dll, version 5.1.2600.2180, fault address 0x00005b87.

    Error - 8/25/2011 12:27:22 AM | Computer Name = DJJXF091 | Source = Application Error | ID = 1000
    Description = Faulting application iexplore.exe, version 8.0.6001.18702, faulting
    module mshtml.dll, version 8.0.6001.18928, fault address 0x000ec345.

    Error - 8/27/2011 11:04:35 PM | Computer Name = DJJXF091 | Source = Application Error | ID = 1000
    Description = Faulting application chrome.exe, version 0.0.0.0, faulting module
    chrome.dll, version 13.0.782.215, fault address 0x001123df.

    Error - 8/29/2011 1:26:30 AM | Computer Name = DJJXF091 | Source = Application Error | ID = 1000
    Description = Faulting application safari.exe, version 5.33.21.1, faulting module
    objc.dll, version 1.435.16.1, fault address 0x000085f0.

    Error - 8/30/2011 1:59:58 PM | Computer Name = DJJXF091 | Source = Application Error | ID = 1000
    Description = Faulting application wg111v3.exe, version 3.6.28.314, faulting module
    dnsapi.dll, version 5.1.2600.2180, fault address 0x000037bf.

    Error - 9/5/2011 8:03:42 AM | Computer Name = DJJXF091 | Source = Application Error | ID = 1000
    Description = Faulting application wg111v3.exe, version 3.6.28.314, faulting module
    unknown, version 0.0.0.0, fault address 0x62206568.

    Error - 9/5/2011 5:33:51 PM | Computer Name = DJJXF091 | Source = Application Error | ID = 1000
    Description = Faulting application wg111v3.exe, version 3.6.28.314, faulting module
    dnsapi.dll, version 5.1.2600.2180, fault address 0x00003ba8.

    Error - 9/7/2011 2:02:02 PM | Computer Name = DJJXF091 | Source = crypt32 | ID = 131075
    Description = Failed auto update retrieval of third-party root list cab from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
    with error: This operation returned because the timeout period expired.

    Error - 9/7/2011 11:44:02 PM | Computer Name = DJJXF091 | Source = PerfNet | ID = 2004
    Description = Unable to open the Server service. Server performance data will not
    be returned. Error code returned is in data DWORD 0.

    Error - 9/16/2011 10:02:53 PM | Computer Name = DJJXF091 | Source = Application Error | ID = 1000
    Description = Faulting application wg111v3.exe, version 3.6.28.314, faulting module
    ntdll.dll, version 5.1.2600.5755, fault address 0x000101b3.

    [ System Events ]
    Error - 3/10/2012 12:39:08 AM | Computer Name = DJJXF091 | Source = Service Control Manager | ID = 7009
    Description = Timeout (30000 milliseconds) waiting for the Application Layer Gateway
    Service service to connect.

    Error - 3/10/2012 12:39:08 AM | Computer Name = DJJXF091 | Source = Service Control Manager | ID = 7000
    Description = The Application Layer Gateway Service service failed to start due
    to the following error: %%1053

    Error - 3/13/2012 4:35:10 PM | Computer Name = DJJXF091 | Source = Service Control Manager | ID = 7034
    Description = The Windows Image Acquisition (WIA) service terminated unexpectedly.
    It has done this 1 time(s).

    Error - 3/13/2012 8:20:14 PM | Computer Name = DJJXF091 | Source = Service Control Manager | ID = 7001
    Description = The Computer Browser service depends on the Server service which failed
    to start because of the following error: %%1058

    Error - 3/13/2012 8:20:14 PM | Computer Name = DJJXF091 | Source = Service Control Manager | ID = 7000
    Description = The DCService.exe service failed to start due to the following error:
    %%2

    Error - 3/13/2012 8:20:14 PM | Computer Name = DJJXF091 | Source = Service Control Manager | ID = 7000
    Description = The Microsoft Kernel Wave Audio Mixer service failed to start due
    to the following error: %%1058

    Error - 3/14/2012 9:27:12 PM | Computer Name = DJJXF091 | Source = Service Control Manager | ID = 7034
    Description = The HTTP SSL service terminated unexpectedly. It has done this 1
    time(s).

    Error - 3/15/2012 10:07:06 AM | Computer Name = DJJXF091 | Source = Service Control Manager | ID = 7034
    Description = The HTTP SSL service terminated unexpectedly. It has done this 2
    time(s).

    Error - 3/15/2012 7:01:21 PM | Computer Name = DJJXF091 | Source = Service Control Manager | ID = 7001
    Description = The Computer Browser service depends on the Server service which failed
    to start because of the following error: %%1058

    Error - 3/15/2012 7:01:21 PM | Computer Name = DJJXF091 | Source = Service Control Manager | ID = 7000
    Description = The DCService.exe service failed to start due to the following error:
    %%2


    < End of report >


    RkU Version: 3.8.389.593, Type LE (SR2)
    ==============================================
    OS Name: Windows XP
    Version 5.1.2600 (Service Pack 3)
    Number of processors #1
    ==============================================
    >Drivers
    ==============================================
    0x804D7000 C:\WINDOWS\system32\ntoskrnl.exe 2192768 bytes (Microsoft Corporation, NT Kernel & System)
    0x804D7000 PnpManager 2192768 bytes
    0x804D7000 RAW 2192768 bytes
    0x804D7000 WMIxWDM 2192768 bytes
    0xBF800000 Win32k 1863680 bytes
    0xBF800000 C:\WINDOWS\System32\win32k.sys 1863680 bytes (Microsoft Corporation, Multi-User Win32 Driver)
    0xB9DD2000 C:\WINDOWS\system32\DRIVERS\ialmnt5.sys 1302528 bytes (Intel Corporation, Intel Graphics Miniport Driver)
    0xBF077000 C:\WINDOWS\System32\ialmdd5.DLL 925696 bytes (Intel Corporation, DirectDraw(R) Driver for Intel(R) Graphics Technology)
    0xB9C15000 C:\WINDOWS\system32\drivers\senfilt.sys 733184 bytes (Creative Technology Ltd., Creative WDM Audio Driver)
    0xF7B52000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)
    0xB1651000 C:\WINDOWS\System32\vsdatant.sys 520192 bytes (Check Point Software Technologies LTD, ZoneAlarm Firewalling Driver)
    0xB14FB000 C:\WINDOWS\system32\DRIVERS\mrxsmb.sys 458752 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
    0xB9AEF000 C:\WINDOWS\system32\DRIVERS\update.sys 385024 bytes (Microsoft Corporation, Update Driver)
    0xB18DA000 C:\WINDOWS\system32\DRIVERS\tcpip.sys 364544 bytes (Microsoft Corporation, TCP/IP Protocol Driver)
    0xBF159000 C:\WINDOWS\System32\ATMFD.DLL 290816 bytes (Adobe Systems Incorporated, Windows NT OpenType/Type 1 Font Driver)
    0xB185B000 C:\WINDOWS\system32\DRIVERS\avgtdix.sys 290816 bytes (AVG Technologies CZ, s.r.o., AVG Network connection watcher)
    0xB030A000 C:\WINDOWS\System32\Drivers\HTTP.sys 266240 bytes (Microsoft Corporation, HTTP Protocol Stack)
    0xB9D0F000 C:\WINDOWS\system32\drivers\smwdm.sys 262144 bytes (Analog Devices, Inc., SoundMAX Integrated Digital Audio )
    0xB18A2000 C:\WINDOWS\system32\DRIVERS\tcpip6.sys 229376 bytes (Microsoft Corporation, IPv6 driver)
    0xB14BA000 C:\WINDOWS\system32\DRIVERS\avgldx86.sys 225280 bytes (AVG Technologies CZ, s.r.o., AVG AVI Loader Driver)
    0xB16F8000 C:\WINDOWS\system32\DRIVERS\wg111v3.sys 225280 bytes (Realtek Semiconductor Corporation , NETGEAR WG111v3 54Mbps Wireless USB 2.0 Adapter NDIS Driver)
    0xBF042000 C:\WINDOWS\System32\ialmdev5.DLL 217088 bytes (Intel Corporation, Component GHAL Driver)
    0xF75A8000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)
    0xF7419000 NDIS.sys 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)
    0xB156B000 C:\WINDOWS\system32\DRIVERS\rdbss.sys 176128 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
    0xB16D0000 C:\WINDOWS\system32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)
    0xB9D63000 C:\WINDOWS\system32\DRIVERS\e100b325.sys 155648 bytes (Intel Corporation, Intel(R) PRO/100 Adapter NDIS 5.1 driver)
    0xB17F7000 C:\WINDOWS\system32\DRIVERS\ipnat.sys 155648 bytes (Microsoft Corporation, IP Network Address Translator)
    0xB9CEB000 C:\WINDOWS\system32\drivers\portcls.sys 147456 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
    0xB9D9A000 C:\WINDOWS\system32\DRIVERS\USBPORT.SYS 147456 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
    0xB9CC8000 C:\WINDOWS\system32\drivers\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)
    0xB15B8000 C:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
    0xBF020000 C:\WINDOWS\System32\ialmdnt5.dll 139264 bytes (Intel Corporation, Controller Hub for Intel Graphics Driver)
    0xB1596000 C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS 139264 bytes (SUPERAdBlocker.com and SUPERAntiSpyware.com, SASKUTIL.SYS)
    0x806EF000 ACPI_HAL 131840 bytes
    0x806EF000 C:\WINDOWS\system32\hal.dll 131840 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
    0xB06BB000 C:\WINDOWS\system32\DRIVERS\AVGIDSDriver.Sys 131072 bytes (AVG Technologies CZ, s.r.o. , IDS Application Activity Monitor Driver.)
    0xF7482000 fltmgr.sys 131072 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
    0xF74BA000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver)
    0xF74D9000 pcmcia.sys 122880 bytes (Microsoft Corporation, PCMCIA Bus Driver)
    0xB1946000 C:\WINDOWS\system32\drivers\InCDFs.sys 114688 bytes (Nero AG, InCD File System Driver)
    0xF787D000 Mup.sys 106496 bytes (Microsoft Corporation, Multiple UNC Provider driver)
    0xF74A2000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)
    0xB12CC000 C:\WINDOWS\System32\Drivers\dump_atapi.sys 98304 bytes
    0xF7459000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
    0xB9BFE000 C:\WINDOWS\system32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
    0xB0CDE000 C:\WINDOWS\system32\DRIVERS\nwlnkipx.sys 90112 bytes (Microsoft Corporation, NWLINK2 IPX Protocol Driver)
    0xB0A71000 C:\WINDOWS\system32\drivers\wdmaud.sys 86016 bytes (Microsoft Corporation, MMSYSTEM Wave/Midi API mapper)
    0xB9D4F000 C:\WINDOWS\system32\DRIVERS\parport.sys 81920 bytes (Microsoft Corporation, Parallel Port Driver)
    0xB9DBE000 C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver)
    0xB1933000 C:\WINDOWS\system32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver)
    0xF7446000 WudfPf.sys 77824 bytes (Microsoft Corporation, Windows Driver Foundation - User-mode Driver Framework Platform Driver)
    0xBF000000 C:\WINDOWS\System32\drivers\dxg.sys 73728 bytes (Microsoft Corporation, DirectX Graphics Driver)
    0xF7470000 sr.sys 73728 bytes (Microsoft Corporation, System Restore Filesystem Filter Driver)
    0xF7597000 pci.sys 69632 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
    0xB9BED000 C:\WINDOWS\system32\DRIVERS\psched.sys 69632 bytes (Microsoft Corporation, MS QoS Packet Scheduler)
    0xBFF40000 C:\WINDOWS\System32\s3legacy.dll 69632 bytes (Microsoft Corporation, S3 Display Driver)
    0xB9D89000 C:\WINDOWS\system32\DRIVERS\s3legacy.sys 69632 bytes (Microsoft Corporation, s3 Miniport Driver)
    0xF76B7000 C:\WINDOWS\System32\Drivers\Cdfs.SYS 65536 bytes (Microsoft Corporation, CD-ROM File System Driver)
    0xBA71F000 C:\WINDOWS\system32\DRIVERS\cdrom.sys 65536 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
    0xB9B7D000 C:\WINDOWS\system32\DRIVERS\nwlnknb.sys 65536 bytes (Microsoft Corporation, NWLINK2 IPX Netbios Protocol Driver)
    0xBA73F000 C:\WINDOWS\system32\DRIVERS\serial.sys 65536 bytes (Microsoft Corporation, Serial Device Driver)
    0xB9BDD000 C:\WINDOWS\System32\Drivers\DgiVecp.sys 61440 bytes (DeviceGuys, Inc., Windows NT 4.0 IEEE-1284 parallel class driver for ECP, Byte, and Nibble modes)
    0xBA6FF000 C:\WINDOWS\system32\drivers\drmk.sys 61440 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
    0xB0BC6000 C:\WINDOWS\system32\drivers\sysaudio.sys 61440 bytes (Microsoft Corporation, System Audio WDM Filter)
    0xF76E7000 C:\WINDOWS\system32\DRIVERS\usbhub.sys 61440 bytes (Microsoft Corporation, Default Hub Driver for USB)
    0xBF012000 C:\WINDOWS\System32\ialmrnt5.dll 57344 bytes (Intel Corporation, Controller Hub for Intel Graphics Driver)
    0xB0AAE000 C:\WINDOWS\system32\DRIVERS\nwlnkspx.sys 57344 bytes (Microsoft Corporation, NWLINK2 SPX Protocol Driver)
    0xF7557000 C:\WINDOWS\system32\DRIVERS\avgmfx86.sys 53248 bytes (AVG Technologies CZ, s.r.o., AVG Resident Shield Minifilter Driver)
    0xF7637000 C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS 53248 bytes (Microsoft Corporation, SCSI Class System Dll)
    0xBA74F000 C:\WINDOWS\system32\DRIVERS\i8042prt.sys 53248 bytes (Microsoft Corporation, i8042 Port Driver)
    0xF7667000 C:\WINDOWS\system32\DRIVERS\rasl2tp.sys 53248 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
    0xF7617000 VolSnap.sys 53248 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
    0xF7687000 C:\WINDOWS\system32\DRIVERS\raspptp.sys 49152 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
    0xB9BCD000 C:\WINDOWS\System32\Drivers\Fips.SYS 45056 bytes (Microsoft Corporation, FIPS Crypto Driver)
    0xBA72F000 C:\WINDOWS\system32\DRIVERS\imapi.sys 45056 bytes (Microsoft Corporation, IMAPI Kernel Driver)
    0xF7607000 MountMgr.sys 45056 bytes (Microsoft Corporation, Mount Manager)
    0xF7677000 C:\WINDOWS\system32\DRIVERS\raspppoe.sys 45056 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
    0xF75F7000 isapnp.sys 40960 bytes (Microsoft Corporation, PNP ISA Bus Driver)
    0xF76D7000 C:\WINDOWS\System32\Drivers\NDProxy.SYS 40960 bytes (Microsoft Corporation, NDIS Proxy)
    0xF76A7000 C:\WINDOWS\system32\DRIVERS\termdd.sys 40960 bytes (Microsoft Corporation, Terminal Server Driver)
    0xB074B000 C:\WINDOWS\System32\Drivers\BlackBox.SYS 36864 bytes (RKU Driver)
    0xF7627000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver)
    0xF7567000 C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS 36864 bytes (Microsoft Corporation, Hid Class Library)
    0xBA70F000 C:\WINDOWS\system32\drivers\InCDRm.sys 36864 bytes (Nero AG, Nero MRW Filter Driver)
    0xBA75F000 C:\WINDOWS\system32\DRIVERS\intelppm.sys 36864 bytes (Microsoft Corporation, Processor Device Driver)
    0xF7547000 C:\WINDOWS\system32\drivers\ip6fw.sys 36864 bytes (Microsoft Corporation, IPv6 Windows Firewall Driver)
    0xF7697000 C:\WINDOWS\system32\DRIVERS\msgpc.sys 36864 bytes (Microsoft Corporation, MS General Packet Classifier)
    0xBA76F000 C:\WINDOWS\system32\DRIVERS\netbios.sys 36864 bytes (Microsoft Corporation, NetBIOS interface driver)
    0xF7647000 PxHelp20.sys 36864 bytes (Sonic Solutions, Px Engine Device Driver for Windows 2000/XP)
    0xF7537000 C:\WINDOWS\system32\DRIVERS\wanarp.sys 36864 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
    0xB9FD6000 C:\WINDOWS\system32\drivers\InCDPass.sys 32768 bytes (Nero AG, Ahead RW Filter Driver)
    0xF775F000 C:\Program Files\CheckPoint\ZAForceField\ISWKL.sys 32768 bytes (Check Point Software Technologies, ZoneAlarm Browser Security)
    0xF7777000 C:\WINDOWS\System32\Drivers\Npfs.SYS 32768 bytes (Microsoft Corporation, NPFS Driver)
    0xB9FF6000 C:\WINDOWS\system32\DRIVERS\usbehci.sys 32768 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
    0xF7717000 avgrkx86.sys 28672 bytes (AVG Technologies CZ, s.r.o., AVG Anti-Rootkit Driver)
    0xB9FEE000 C:\WINDOWS\system32\DRIVERS\fdc.sys 28672 bytes (Microsoft Corporation, Floppy Disk Controller Driver)
    0xF7757000 C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS 28672 bytes (Microsoft Corporation, Hid Parsing Library)
    0xF7707000 C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS 28672 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
    0xB9FDE000 C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys 24576 bytes (GEAR Software Inc., CD DVD Filter)
    0xB9FE6000 C:\WINDOWS\system32\DRIVERS\kbdclass.sys 24576 bytes (Microsoft Corporation, Keyboard Class Driver)
    0xF7747000 C:\WINDOWS\system32\DRIVERS\mouclass.sys 24576 bytes (Microsoft Corporation, Mouse Class Driver)
    0xF778F000 C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS 24576 bytes (SUPERAdBlocker.com and SUPERAntiSpyware.com, SASDIFSV.SYS)
    0xB9FFE000 C:\WINDOWS\system32\DRIVERS\usbuhci.sys 24576 bytes (Microsoft Corporation, UHCI USB Miniport Driver)
    0xF7767000 C:\WINDOWS\System32\drivers\vga.sys 24576 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
    0xF780F000 C:\WINDOWS\system32\DRIVERS\AegisP.sys 20480 bytes (Meetinghouse Data Communications, IEEE 802.1X Protocol Driver)
    0xF77AF000 C:\WINDOWS\system32\DRIVERS\AVGIDSFilter.Sys 20480 bytes (AVG Technologies CZ, s.r.o. , IDS Application Activity Monitor Filter Driver.)
    0xF776F000 C:\WINDOWS\System32\Drivers\Msfs.SYS 20480 bytes (Microsoft Corporation, Mailslot driver)
    0xF770F000 PartMgr.sys 20480 bytes (Microsoft Corporation, Partition Manager)
    0xF7737000 C:\WINDOWS\system32\DRIVERS\ptilink.sys 20480 bytes (Parallel Technologies, Inc., Parallel Technologies DirectParallel IO Library)
    0xF773F000 C:\WINDOWS\system32\DRIVERS\raspti.sys 20480 bytes (Microsoft Corporation, PTI DirectParallel(R) mini-port/call-manager driver)
    0xB9FCE000 C:\WINDOWS\system32\DRIVERS\TDI.SYS 20480 bytes (Microsoft Corporation, TDI Wrapper)
    0xF77E7000 C:\WINDOWS\System32\watchdog.sys 20480 bytes (Microsoft Corporation, Watchdog Driver)
    0xF789B000 AVGIDSEH.Sys 16384 bytes (AVG Technologies CZ, s.r.o. , IDS Application Activity Monitor Helper Driver.)
    0xBA7E0000 C:\WINDOWS\system32\DRIVERS\mssmbios.sys 16384 bytes (Microsoft Corporation, System Management BIOS Driver)
    0xB0E00000 C:\WINDOWS\system32\DRIVERS\ndisuio.sys 16384 bytes (Microsoft Corporation, NDIS User mode I/O Driver)
    0xBA7F8000 C:\WINDOWS\system32\DRIVERS\serenum.sys 16384 bytes (Microsoft Corporation, Serial Port Enumerator)
    0xB0B92000 C:\WINDOWS\system32\DRIVERS\AVGIDSShim.Sys 12288 bytes (AVG Technologies CZ, s.r.o. , IDS Application Activity Monitor Loader Driver.)
    0xF7897000 C:\WINDOWS\system32\BOOTVID.dll 12288 bytes (Microsoft Corporation, VGA Boot Driver)
    0xB1350000 C:\WINDOWS\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver)
    0xBA7B0000 C:\WINDOWS\system32\DRIVERS\hidusb.sys 12288 bytes (Microsoft Corporation, USB Miniport Driver for Input Devices)
    0xBA7B8000 C:\WINDOWS\System32\Drivers\i2omgmt.SYS 12288 bytes (Microsoft Corporation, I2O Utility Filter)
    0xBA57B000 C:\WINDOWS\System32\Drivers\InCDrec.SYS 12288 bytes (Nero AG, InCD File System Recognizer)
    0xB0AA6000 C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys 12288 bytes (Conexant, Diagnostic Interface DRIVER)
    0xBA55B000 C:\WINDOWS\system32\DRIVERS\mouhid.sys 12288 bytes (Microsoft Corporation, HID Mouse Filter Driver)
    0xBA7F0000 C:\WINDOWS\system32\DRIVERS\ndistapi.sys 12288 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
    0xBA577000 C:\WINDOWS\system32\DRIVERS\rasacd.sys 12288 bytes (Microsoft Corporation, RAS Automatic Connection Driver)
    0xBA7FC000 C:\WINDOWS\system32\DRIVERS\tunmp.sys 12288 bytes (Microsoft Corporation, Microsoft Tunnel Interface Driver)
    0xF79E5000 C:\WINDOWS\System32\Drivers\ASCTRM.SYS 8192 bytes (Windows (R) 2000 DDK provider, TR Manager)
    0xF79B3000 C:\WINDOWS\System32\Drivers\Beep.SYS 8192 bytes (Microsoft Corporation, BEEP Driver)
    0xF798D000 C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS 8192 bytes
    0xF79B1000 C:\WINDOWS\System32\Drivers\Fs_Rec.SYS 8192 bytes (Microsoft Corporation, File System Recognizer Driver)
    0xF798B000 intelide.sys 8192 bytes (Microsoft Corporation, Intel PCI IDE Driver)
    0xF7987000 C:\WINDOWS\system32\KDCOM.DLL 8192 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
    0xF79B5000 C:\WINDOWS\System32\Drivers\mnmdd.SYS 8192 bytes (Microsoft Corporation, Frame buffer simulator)
    0xF79B7000 C:\WINDOWS\System32\DRIVERS\RDPCDD.sys 8192 bytes (Microsoft Corporation, RDP Miniport)
    0xF79A9000 C:\WINDOWS\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
    0xF79AB000 C:\WINDOWS\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
    0xF7989000 C:\WINDOWS\system32\DRIVERS\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
    0xF7A88000 C:\WINDOWS\system32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver)
    0xF7AA6000 C:\WINDOWS\System32\drivers\dxgthk.sys 4096 bytes (Microsoft Corporation, DirectX Graphics Driver Thunk)
    0xF7A97000 C:\WINDOWS\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver)
    0xF7A4F000 pciide.sys 4096 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)
    ==============================================
    >Stealth
    ==============================================
    WARNING: Virus alike driver modification [adpu160m.sys]
    WARNING: Virus alike driver modification [ipfilter.sys]
    WARNING: Virus alike driver modification [acpiec.sys]
    WARNING: Virus alike driver modification [cpqdap01.sys]
    WARNING: Virus alike driver modification [amsint.sys]
    WARNING: Virus alike driver modification [nikedrv.sys]
    WARNING: Virus alike driver modification [rio8drv.sys]
    WARNING: Virus alike driver modification [riodrv.sys]
    WARNING: Virus alike driver modification [ws2ifsl.sys]
    WARNING: Virus alike driver modification [fsvga.sys]
    WARNING: Virus alike driver modification [nwlnkflt.sys]
    WARNING: Virus alike driver modification [ftdisk.sys]
    WARNING: Virus alike driver modification [aha154x.sys]
    WARNING: Virus alike driver modification [cbidf2k.sys]
    WARNING: Virus alike driver modification [smclib.sys]
    WARNING: Virus alike driver modification [dac960nt.sys]
    WARNING: Virus alike driver modification [asc3550.sys]
    WARNING: Virus alike driver modification [cpqarray.sys]
    WARNING: Virus alike driver modification [ini910u.sys]
    WARNING: Virus alike driver modification [symc810.sys]
    WARNING: Virus alike driver modification [mraid35x.sys]
    WARNING: Virus alike driver modification [dac2w2k.sys]
    WARNING: Virus alike driver modification [nv4_mini.sys]
    WARNING: Virus alike driver modification [sparrow.sys]
    WARNING: Virus alike driver modification [iqvw32.sys]
    WARNING: Virus alike driver modification [dpti2o.sys]
    WARNING: Virus alike driver modification [tsbvcap.sys]
    WARNING: Virus alike driver modification [asc3350p.sys]
    WARNING: Virus alike driver modification [ABP480N5.SYS]
    WARNING: Virus alike driver modification [hpn.sys]
    WARNING: Virus alike driver modification [cinemst2.sys]
    WARNING: Virus alike driver modification [asc.sys]
    WARNING: Virus alike driver modification [perc2.sys]
    WARNING: Virus alike driver modification [sym_hi.sys]
    WARNING: Virus alike driver modification [PTDUBus.sys]
    WARNING: Virus alike driver modification [sym_u3.sys]
    WARNING: Virus alike driver modification [atmepvc.sys]
    WARNING: Virus alike driver modification [nwlnkfwd.sys]
    WARNING: Virus alike driver modification [symc8xx.sys]
    WARNING: Virus alike driver modification [ipfltdrv.sys]
    WARNING: Virus alike driver modification [ql10wnt.sys]
    WARNING: Virus alike driver modification [rawwan.sys]
    WARNING: Virus alike driver modification [atmuni.sys]
    WARNING: Virus alike driver modification [ultra.sys]
    WARNING: Virus alike driver modification [StMp3Rec.sys]
    WARNING: Virus alike driver modification [wpdusb.sys]
    WARNING: Virus alike driver modification [PTDUVsp.sys]
    WARNING: Virus alike driver modification [ql1080.sys]
    WARNING: Virus alike driver modification [ql1240.sys]
    WARNING: Virus alike driver modification [PTDUMdm.sys]
    WARNING: Virus alike driver modification [ql12160.sys]
    WARNING: Virus alike driver modification [ql1280.sys]
    WARNING: Virus alike driver modification [toside.sys]
    WARNING: Virus alike driver modification [tosdvd.sys]
    WARNING: Virus alike driver modification [aliide.sys]
    WARNING: Virus alike driver modification [perc2hib.sys]
    WARNING: Virus alike driver modification [aic78u2.sys]
    WARNING: Virus alike driver modification [nwlnkspx.sys]
    WARNING: Virus alike driver modification [aic78xx.sys]
    WARNING: Virus alike driver modification [vdmindvd.sys]
    WARNING: Virus alike driver modification [dmload.sys]
    WARNING: Virus alike driver modification [rootmdm.sys]
    WARNING: Virus alike driver modification [PTDUWWAN.sys]
    WARNING: Virus alike driver modification [nwlnknb.sys]
    WARNING: Virus alike driver modification [cmdide.sys]
    WARNING: Virus alike driver modification [parvdm.sys]
    WARNING: Virus alike driver modification [cd20xrnt.sys]
    WARNING: Virus alike driver modification [mcd.sys]
    WARNING: Virus alike driver modification [WudfPf.sys]
    WARNING: Virus alike driver modification [WudfRd.sys]
    ==============================================
    >Files
    ==============================================
    ==============================================
    >Hooks
    ==============================================
    ntoskrnl.exe+0x00004AA2, Type: Inline - RelativeJump 0x804DBAA2-->804DBAA9 [ntoskrnl.exe]
    ntoskrnl.exe+0x0000BA94, Type: Inline - RelativeJump 0x804E2A94-->804E2A59 [ntoskrnl.exe]
    tcpip.sys-->ndis.sys-->NdisCloseAdapter, Type: IAT modification 0xB1919428-->B1677A3E [vsdatant.sys]
    tcpip.sys-->ndis.sys-->NdisOpenAdapter, Type: IAT modification 0xB1919454-->B167724C [vsdatant.sys]
    tcpip.sys-->ndis.sys-->NdisRegisterProtocol, Type: IAT modification 0xB1919460-->B16773F6 [vsdatant.sys]
    wanarp.sys-->ndis.sys-->NdisCloseAdapter, Type: IAT modification 0xF753CB4C-->B1677A3E [vsdatant.sys]
    wanarp.sys-->ndis.sys-->NdisDeregisterProtocol, Type: IAT modification 0xF753CB1C-->B16759A6 [vsdatant.sys]
    wanarp.sys-->ndis.sys-->NdisOpenAdapter, Type: IAT modification 0xF753CB3C-->B167724C [vsdatant.sys]
    wanarp.sys-->ndis.sys-->NdisRegisterProtocol, Type: IAT modification 0xF753CB28-->B16773F6 [vsdatant.sys]
    [1372]winlogon.exe-->advapi32.dll-->ImpersonateNamedPipeClient, Type: Inline - RelativeJump 0x77DD7426-->20CB8E5D [ISWSHEX.dll]
    [1372]winlogon.exe-->advapi32.dll-->SetThreadToken, Type: Inline - RelativeJump 0x77DDF193-->20CB9036 [ISWSHEX.dll]
    [1372]winlogon.exe-->kernel32.dll-->OpenProcess, Type: Inline - RelativeJump 0x7C8309E9-->20CB846C [ISWSHEX.dll]
    [1372]winlogon.exe-->ntdll.dll-->NtAccessCheckByType, Type: Inline - RelativeJump 0x7C90CE8E-->20CB8791 [ISWSHEX.dll]
    [1372]winlogon.exe-->ntdll.dll-->NtImpersonateClientOfPort, Type: Inline - RelativeJump 0x7C90D3FE-->20CB8D58 [ISWSHEX.dll]
    [1372]winlogon.exe-->ntdll.dll-->NtSetInformationProcess, Type: Inline - RelativeJump 0x7C90DC9E-->20CB89AB [ISWSHEX.dll]
    [1372]winlogon.exe-->user32.dll-->FindWindowA, Type: Inline - RelativeJump 0x7E4282E1-->20CB828F [ISWSHEX.dll]
    [1372]winlogon.exe-->user32.dll-->FindWindowW, Type: Inline - RelativeJump 0x7E42C9C3-->20CB825A [ISWSHEX.dll]
    [1372]winlogon.exe-->user32.dll-->kernel32.dll-->LoadLibraryExW, Type: IAT modification 0x7E411208-->20CB835C [ISWSHEX.dll]
    [1420]services.exe-->advapi32.dll-->ImpersonateNamedPipeClient, Type: Inline - RelativeJump 0x77DD7426-->20CB8E5D [ISWSHEX.dll]
    [1420]services.exe-->advapi32.dll-->SetThreadToken, Type: Inline - RelativeJump 0x77DDF193-->20CB9036 [ISWSHEX.dll]
    [1420]services.exe-->kernel32.dll-->OpenProcess, Type: Inline - RelativeJump 0x7C8309E9-->20CB846C [ISWSHEX.dll]
    [1420]services.exe-->ntdll.dll-->NtAccessCheckByType, Type: Inline - RelativeJump 0x7C90CE8E-->20CB8791 [ISWSHEX.dll]
    [1420]services.exe-->ntdll.dll-->NtImpersonateClientOfPort, Type: Inline - RelativeJump 0x7C90D3FE-->20CB8D58 [ISWSHEX.dll]
    [1420]services.exe-->ntdll.dll-->NtSetInformationProcess, Type: Inline - RelativeJump 0x7C90DC9E-->20CB89AB [ISWSHEX.dll]
    [1420]services.exe-->user32.dll-->FindWindowA, Type: Inline - RelativeJump 0x7E4282E1-->20CB828F [ISWSHEX.dll]
    [1420]services.exe-->user32.dll-->FindWindowW, Type: Inline - RelativeJump 0x7E42C9C3-->20CB825A [ISWSHEX.dll]
    [1420]services.exe-->user32.dll-->kernel32.dll-->LoadLibraryExW, Type: IAT modification 0x7E411208-->20CB835C [ISWSHEX.dll]
    [1432]lsass.exe-->advapi32.dll-->ImpersonateNamedPipeClient, Type: Inline - RelativeJump 0x77DD7426-->20CB8E5D [ISWSHEX.dll]
    [1432]lsass.exe-->advapi32.dll-->SetThreadToken, Type: Inline - RelativeJump 0x77DDF193-->20CB9036 [ISWSHEX.dll]
    [1432]lsass.exe-->ntdll.dll-->NtAccessCheckByType, Type: Inline - RelativeJump 0x7C90CE8E-->20CB8791 [ISWSHEX.dll]
    [1432]lsass.exe-->ntdll.dll-->NtImpersonateClientOfPort, Type: Inline - RelativeJump 0x7C90D3FE-->20CB8D58 [ISWSHEX.dll]
    [1432]lsass.exe-->ntdll.dll-->NtSetInformationProcess, Type: Inline - RelativeJump 0x7C90DC9E-->20CB89AB [ISWSHEX.dll]
    [1432]lsass.exe-->user32.dll-->FindWindowA, Type: Inline - RelativeJump 0x7E4282E1-->20CB828F [ISWSHEX.dll]
    [1432]lsass.exe-->user32.dll-->FindWindowW, Type: Inline - RelativeJump 0x7E42C9C3-->20CB825A [ISWSHEX.dll]
    [1432]lsass.exe-->user32.dll-->kernel32.dll-->LoadLibraryExW, Type: IAT modification 0x7E411208-->20CB835C [ISWSHEX.dll]
    [1592]svchost.exe-->advapi32.dll-->ImpersonateNamedPipeClient, Type: Inline - RelativeJump 0x77DD7426-->20CB8E5D [ISWSHEX.dll]
    [1592]svchost.exe-->advapi32.dll-->SetThreadToken, Type: Inline - RelativeJump 0x77DDF193-->20CB9036 [ISWSHEX.dll]
    [1592]svchost.exe-->kernel32.dll-->OpenProcess, Type: Inline - RelativeJump 0x7C8309E9-->20CB846C [ISWSHEX.dll]
    [1592]svchost.exe-->ntdll.dll-->NtAccessCheckByType, Type: Inline - RelativeJump 0x7C90CE8E-->20CB8791 [ISWSHEX.dll]
    [1592]svchost.exe-->ntdll.dll-->NtImpersonateClientOfPort, Type: Inline - RelativeJump 0x7C90D3FE-->20CB8D58 [ISWSHEX.dll]
    [1592]svchost.exe-->ntdll.dll-->NtSetInformationProcess, Type: Inline - RelativeJump 0x7C90DC9E-->20CB89AB [ISWSHEX.dll]
    [1592]svchost.exe-->user32.dll-->FindWindowA, Type: Inline - RelativeJump 0x7E4282E1-->20CB828F [ISWSHEX.dll]
    [1592]svchost.exe-->user32.dll-->FindWindowW, Type: Inline - RelativeJump 0x7E42C9C3-->20CB825A [ISWSHEX.dll]
    [1592]svchost.exe-->user32.dll-->kernel32.dll-->LoadLibraryExW, Type: IAT modification 0x7E411208-->20CB835C [ISWSHEX.dll]
    [1680]svchost.exe-->advapi32.dll-->ImpersonateNamedPipeClient, Type: Inline - RelativeJump 0x77DD7426-->20CB8E5D [ISWSHEX.dll]
    [1680]svchost.exe-->advapi32.dll-->SetThreadToken, Type: Inline - RelativeJump 0x77DDF193-->20CB9036 [ISWSHEX.dll]
    [1680]svchost.exe-->kernel32.dll-->OpenProcess, Type: Inline - RelativeJump 0x7C8309E9-->20CB846C [ISWSHEX.dll]
    [1680]svchost.exe-->ntdll.dll-->NtAccessCheckByType, Type: Inline - RelativeJump 0x7C90CE8E-->20CB8791 [ISWSHEX.dll]
    [1680]svchost.exe-->ntdll.dll-->NtImpersonateClientOfPort, Type: Inline - RelativeJump 0x7C90D3FE-->20CB8D58 [ISWSHEX.dll]
    [1680]svchost.exe-->ntdll.dll-->NtSetInformationProcess, Type: Inline - RelativeJump 0x7C90DC9E-->20CB89AB [ISWSHEX.dll]
    [1680]svchost.exe-->user32.dll-->FindWindowA, Type: Inline - RelativeJump 0x7E4282E1-->20CB828F [ISWSHEX.dll]
    [1680]svchost.exe-->user32.dll-->FindWindowW, Type: Inline - RelativeJump 0x7E42C9C3-->20CB825A [ISWSHEX.dll]
    [1680]svchost.exe-->user32.dll-->kernel32.dll-->LoadLibraryExW, Type: IAT modification 0x7E411208-->20CB835C [ISWSHEX.dll]
    [1860]svchost.exe-->advapi32.dll-->ImpersonateNamedPipeClient, Type: Inline - RelativeJump 0x77DD7426-->20CB8E5D [ISWSHEX.dll]
    [1860]svchost.exe-->advapi32.dll-->SetThreadToken, Type: Inline - RelativeJump 0x77DDF193-->20CB9036 [ISWSHEX.dll]
    [1860]svchost.exe-->kernel32.dll-->OpenProcess, Type: Inline - RelativeJump 0x7C8309E9-->20CB846C [ISWSHEX.dll]
    [1860]svchost.exe-->ntdll.dll-->NtAccessCheckByType, Type: Inline - RelativeJump 0x7C90CE8E-->20CB8791 [ISWSHEX.dll]
    [1860]svchost.exe-->ntdll.dll-->NtImpersonateClientOfPort, Type: Inline - RelativeJump 0x7C90D3FE-->20CB8D58 [ISWSHEX.dll]
    [1860]svchost.exe-->ntdll.dll-->NtSetInformationProcess, Type: Inline - RelativeJump 0x7C90DC9E-->20CB89AB [ISWSHEX.dll]
    [1860]svchost.exe-->user32.dll-->FindWindowA, Type: Inline - RelativeJump 0x7E4282E1-->20CB828F [ISWSHEX.dll]
    [1860]svchost.exe-->user32.dll-->FindWindowW, Type: Inline - RelativeJump 0x7E42C9C3-->20CB825A [ISWSHEX.dll]
    [1860]svchost.exe-->user32.dll-->kernel32.dll-->LoadLibraryExW, Type: IAT modification 0x7E411208-->20CB835C [ISWSHEX.dll]
    [1904]svchost.exe-->advapi32.dll-->ImpersonateNamedPipeClient, Type: Inline - RelativeJump 0x77DD7426-->20CB8E5D [ISWSHEX.dll]
    [1904]svchost.exe-->advapi32.dll-->SetThreadToken, Type: Inline - RelativeJump 0x77DDF193-->20CB9036 [ISWSHEX.dll]
    [1904]svchost.exe-->kernel32.dll-->OpenProcess, Type: Inline - RelativeJump 0x7C8309E9-->20CB846C [ISWSHEX.dll]
    [1904]svchost.exe-->ntdll.dll-->NtAccessCheckByType, Type: Inline - RelativeJump 0x7C90CE8E-->20CB8791 [ISWSHEX.dll]
    [1904]svchost.exe-->ntdll.dll-->NtImpersonateClientOfPort, Type: Inline - RelativeJump 0x7C90D3FE-->20CB8D58 [ISWSHEX.dll]
    [1904]svchost.exe-->ntdll.dll-->NtSetInformationProcess, Type: Inline - RelativeJump 0x7C90DC9E-->20CB89AB [ISWSHEX.dll]
    [1904]svchost.exe-->user32.dll-->FindWindowA, Type: Inline - RelativeJump 0x7E4282E1-->20CB828F [ISWSHEX.dll]
    [1904]svchost.exe-->user32.dll-->FindWindowW, Type: Inline - RelativeJump 0x7E42C9C3-->20CB825A [ISWSHEX.dll]
    [1904]svchost.exe-->user32.dll-->kernel32.dll-->LoadLibraryExW, Type: IAT modification 0x7E411208-->20CB835C [ISWSHEX.dll]
    [1948]searchindexer.exe-->advapi32.dll-->ImpersonateNamedPipeClient, Type: Inline - RelativeJump 0x77DD7426-->20CB8E5D [ISWSHEX.dll]
    [1948]searchindexer.exe-->advapi32.dll-->SetThreadToken, Type: Inline - RelativeJump 0x77DDF193-->20CB9036 [ISWSHEX.dll]
    [1948]searchindexer.exe-->kernel32.dll-->OpenProcess, Type: Inline - RelativeJump 0x7C8309E9-->20CB846C [ISWSHEX.dll]
    [1948]searchindexer.exe-->kernel32.dll-->WriteFile, Type: Inline - RelativeJump 0x7C810E27-->00585C0C [mssrch.dll]
    [1948]searchindexer.exe-->kernel32.dll-->WriteFile, Type: Inline - SEH 0x7C810E2C [unknown_code_page]
    [1948]searchindexer.exe-->kernel32.dll-->WriteFile, Type: Inline - SEH 0x7C810E2D [unknown_code_page]
    [1948]searchindexer.exe-->ntdll.dll-->NtAccessCheckByType, Type: Inline - RelativeJump 0x7C90CE8E-->20CB8791 [ISWSHEX.dll]
    [1948]searchindexer.exe-->ntdll.dll-->NtImpersonateClientOfPort, Type: Inline - RelativeJump 0x7C90D3FE-->20CB8D58 [ISWSHEX.dll]
    [1948]searchindexer.exe-->ntdll.dll-->NtSetInformationProcess, Type: Inline - RelativeJump 0x7C90DC9E-->20CB89AB [ISWSHEX.dll]
    [1948]searchindexer.exe-->user32.dll-->FindWindowA, Type: Inline - RelativeJump 0x7E4282E1-->20CB828F [ISWSHEX.dll]
    [1948]searchindexer.exe-->user32.dll-->FindWindowW, Type: Inline - RelativeJump 0x7E42C9C3-->20CB825A [ISWSHEX.dll]
    [1948]searchindexer.exe-->user32.dll-->kernel32.dll-->LoadLibraryExW, Type: IAT modification 0x7E411208-->20CB835C [ISWSHEX.dll]
    [200]notepad.exe-->advapi32.dll-->ImpersonateNamedPipeClient, Type: Inline - RelativeJump 0x77DD7426-->20CB8E5D [ISWSHEX.dll]
    [200]notepad.exe-->advapi32.dll-->SetThreadToken, Type: Inline - RelativeJump 0x77DDF193-->20CB9036 [ISWSHEX.dll]
    [200]notepad.exe-->kernel32.dll-->OpenProcess, Type: Inline - RelativeJump 0x7C8309E9-->20CB846C [ISWSHEX.dll]
    [200]notepad.exe-->ntdll.dll-->NtAccessCheckByType, Type: Inline - RelativeJump 0x7C90CE8E-->20CB8791 [ISWSHEX.dll]
    [200]notepad.exe-->ntdll.dll-->NtImpersonateClientOfPort, Type: Inline - RelativeJump 0x7C90D3FE-->20CB8D58 [ISWSHEX.dll]
    [200]notepad.exe-->ntdll.dll-->NtSetInformationProcess, Type: Inline - RelativeJump 0x7C90DC9E-->20CB89AB [ISWSHEX.dll]
    [200]notepad.exe-->user32.dll-->FindWindowA, Type: Inline - RelativeJump 0x7E4282E1-->20CB828F [ISWSHEX.dll]
    [200]notepad.exe-->user32.dll-->FindWindowW, Type: Inline - RelativeJump 0x7E42C9C3-->20CB825A [ISWSHEX.dll]
    [200]notepad.exe-->user32.dll-->kernel32.dll-->LoadLibraryExW, Type: IAT modification 0x7E411208-->20CB835C [ISWSHEX.dll]
    [2164]WinPatrol.exe-->advapi32.dll-->ImpersonateNamedPipeClient, Type: Inline - RelativeJump 0x77DD7426-->20CB8E5D [ISWSHEX.dll]
    [2164]WinPatrol.exe-->advapi32.dll-->SetThreadToken, Type: Inline - RelativeJump 0x77DDF193-->20CB9036 [ISWSHEX.dll]
    [2164]WinPatrol.exe-->kernel32.dll-->OpenProcess, Type: Inline - RelativeJump 0x7C8309E9-->20CB846C [ISWSHEX.dll]
    [2164]WinPatrol.exe-->ntdll.dll-->NtAccessCheckByType, Type: Inline - RelativeJump 0x7C90CE8E-->20CB8791 [ISWSHEX.dll]
    [2164]WinPatrol.exe-->ntdll.dll-->NtImpersonateClientOfPort, Type: Inline - RelativeJump 0x7C90D3FE-->20CB8D58 [ISWSHEX.dll]
    [2164]WinPatrol.exe-->ntdll.dll-->NtSetInformationProcess, Type: Inline - RelativeJump 0x7C90DC9E-->20CB89AB [ISWSHEX.dll]
    [2164]WinPatrol.exe-->user32.dll-->FindWindowA, Type: Inline - RelativeJump 0x7E4282E1-->20CB828F [ISWSHEX.dll]
    [2164]WinPatrol.exe-->user32.dll-->FindWindowW, Type: Inline - RelativeJump 0x7E42C9C3-->20CB825A [ISWSHEX.dll]
    [2164]WinPatrol.exe-->user32.dll-->kernel32.dll-->LoadLibraryExW, Type: IAT modification 0x7E411208-->20CB835C [ISWSHEX.dll]
    [2240]ctfmon.exe-->advapi32.dll-->ImpersonateNamedPipeClient, Type: Inline - RelativeJump 0x77DD7426-->20CB8E5D [ISWSHEX.dll]
    [2240]ctfmon.exe-->advapi32.dll-->SetThreadToken, Type: Inline - RelativeJump 0x77DDF193-->20CB9036 [ISWSHEX.dll]
    [2240]ctfmon.exe-->kernel32.dll-->OpenProcess, Type: Inline - RelativeJump 0x7C8309E9-->20CB846C [ISWSHEX.dll]
    [2240]ctfmon.exe-->ntdll.dll-->NtAccessCheckByType, Type: Inline - RelativeJump 0x7C90CE8E-->20CB8791 [ISWSHEX.dll]
    [2240]ctfmon.exe-->ntdll.dll-->NtImpersonateClientOfPort, Type: Inline - RelativeJump 0x7C90D3FE-->20CB8D58 [ISWSHEX.dll]
    [2240]ctfmon.exe-->ntdll.dll-->NtSetInformationProcess, Type: Inline - RelativeJump 0x7C90DC9E-->20CB89AB [ISWSHEX.dll]
    [2240]ctfmon.exe-->user32.dll-->FindWindowA, Type: Inline - RelativeJump 0x7E4282E1-->20CB828F [ISWSHEX.dll]
    [2240]ctfmon.exe-->user32.dll-->FindWindowW, Type: Inline - RelativeJump 0x7E42C9C3-->20CB825A [ISWSHEX.dll]
    [2240]ctfmon.exe-->user32.dll-->kernel32.dll-->LoadLibraryExW, Type: IAT modification 0x7E411208-->20CB835C [ISWSHEX.dll]
    [2264]WG111v3.exe-->advapi32.dll-->ImpersonateNamedPipeClient, Type: Inline - RelativeJump 0x77DD7426-->20CB8E5D [ISWSHEX.dll]
    [2264]WG111v3.exe-->advapi32.dll-->SetThreadToken, Type: Inline - RelativeJump 0x77DDF193-->20CB9036 [ISWSHEX.dll]
    [2264]WG111v3.exe-->kernel32.dll-->OpenProcess, Type: Inline - RelativeJump 0x7C8309E9-->20CB846C [ISWSHEX.dll]
    [2264]WG111v3.exe-->ntdll.dll-->NtAccessCheckByType, Type: Inline - RelativeJump 0x7C90CE8E-->20CB8791 [ISWSHEX.dll]
    [2264]WG111v3.exe-->ntdll.dll-->NtImpersonateClientOfPort, Type: Inline - RelativeJump 0x7C90D3FE-->20CB8D58 [ISWSHEX.dll]
    [2264]WG111v3.exe-->ntdll.dll-->NtSetInformationProcess, Type: Inline - RelativeJump 0x7C90DC9E-->20CB89AB [ISWSHEX.dll]
    [2264]WG111v3.exe-->user32.dll-->FindWindowA, Type: Inline - RelativeJump 0x7E4282E1-->20CB828F [ISWSHEX.dll]
    [2264]WG111v3.exe-->user32.dll-->FindWindowW, Type: Inline - RelativeJump 0x7E42C9C3-->20CB825A [ISWSHEX.dll]
    [2264]WG111v3.exe-->user32.dll-->kernel32.dll-->LoadLibraryExW, Type: IAT modification 0x7E411208-->20CB835C [ISWSHEX.dll]
    [2300]taskmgr.exe-->advapi32.dll-->ImpersonateNamedPipeClient, Type: Inline - RelativeJump 0x77DD7426-->20CB8E5D [ISWSHEX.dll]
    [2300]taskmgr.exe-->advapi32.dll-->SetThreadToken, Type: Inline - RelativeJump 0x77DDF193-->20CB9036 [ISWSHEX.dll]
    [2300]taskmgr.exe-->kernel32.dll-->OpenProcess, Type: Inline - RelativeJump 0x7C8309E9-->20CB846C [ISWSHEX.dll]
    [2300]taskmgr.exe-->ntdll.dll-->NtAccessCheckByType, Type: Inline - RelativeJump 0x7C90CE8E-->20CB8791 [ISWSHEX.dll]
    [2300]taskmgr.exe-->ntdll.dll-->NtImpersonateClientOfPort, Type: Inline - RelativeJump 0x7C90D3FE-->20CB8D58 [ISWSHEX.dll]
    [2300]taskmgr.exe-->ntdll.dll-->NtSetInformationProcess, Type: Inline - RelativeJump 0x7C90DC9E-->20CB89AB [ISWSHEX.dll]
    [2300]taskmgr.exe-->user32.dll-->FindWindowA, Type: Inline - RelativeJump 0x7E4282E1-->20CB828F [ISWSHEX.dll]
    [2300]taskmgr.exe-->user32.dll-->FindWindowW, Type: Inline - RelativeJump 0x7E42C9C3-->20CB825A [ISWSHEX.dll]
    [2300]taskmgr.exe-->user32.dll-->kernel32.dll-->LoadLibraryExW, Type: IAT modification 0x7E411208-->20CB835C [ISWSHEX.dll]
    [256]svchost.exe-->advapi32.dll-->ImpersonateNamedPipeClient, Type: Inline - RelativeJump 0x77DD7426-->20CB8E5D [ISWSHEX.dll]
    [256]svchost.exe-->advapi32.dll-->SetThreadToken, Type: Inline - RelativeJump 0x77DDF193-->20CB9036 [ISWSHEX.dll]
    [256]svchost.exe-->kernel32.dll-->OpenProcess, Type: Inline - RelativeJump 0x7C8309E9-->20CB846C [ISWSHEX.dll]
    [256]svchost.exe-->ntdll.dll-->NtAccessCheckByType, Type: Inline - RelativeJump 0x7C90CE8E-->20CB8791 [ISWSHEX.dll]
    [256]svchost.exe-->ntdll.dll-->NtImpersonateClientOfPort, Type: Inline - RelativeJump 0x7C90D3FE-->20CB8D58 [ISWSHEX.dll]
    [256]svchost.exe-->ntdll.dll-->NtSetInformationProcess, Type: Inline - RelativeJump 0x7C90DC9E-->20CB89AB [ISWSHEX.dll]
    [256]svchost.exe-->user32.dll-->FindWindowA, Type: Inline - RelativeJump 0x7E4282E1-->20CB828F [ISWSHEX.dll]
    [256]svchost.exe-->user32.dll-->FindWindowW, Type: Inline - RelativeJump 0x7E42C9C3-->20CB825A [ISWSHEX.dll]
    [256]svchost.exe-->user32.dll-->kernel32.dll-->LoadLibraryExW, Type: IAT modification 0x7E411208-->20CB835C [ISWSHEX.dll]
    [2888]alg.exe-->advapi32.dll-->ImpersonateNamedPipeClient, Type: Inline - RelativeJump 0x77DD7426-->20CB8E5D [ISWSHEX.dll]
    [2888]alg.exe-->advapi32.dll-->SetThreadToken, Type: Inline - RelativeJump 0x77DDF193-->20CB9036 [ISWSHEX.dll]
    [2888]alg.exe-->kernel32.dll-->OpenProcess, Type: Inline - RelativeJump 0x7C8309E9-->20CB846C [ISWSHEX.dll]
    [2888]alg.exe-->ntdll.dll-->NtAccessCheckByType, Type: Inline - RelativeJump 0x7C90CE8E-->20CB8791 [ISWSHEX.dll]
    [2888]alg.exe-->ntdll.dll-->NtImpersonateClientOfPort, Type: Inline - RelativeJump 0x7C90D3FE-->20CB8D58 [ISWSHEX.dll]
    [2888]alg.exe-->ntdll.dll-->NtSetInformationProcess, Type: Inline - RelativeJump 0x7C90DC9E-->20CB89AB [ISWSHEX.dll]
    [2888]alg.exe-->user32.dll-->FindWindowA, Type: Inline - RelativeJump 0x7E4282E1-->20CB828F [ISWSHEX.dll]
    [2888]alg.exe-->user32.dll-->FindWindowW, Type: Inline - RelativeJump 0x7E42C9C3-->20CB825A [ISWSHEX.dll]
    [2888]alg.exe-->user32.dll-->kernel32.dll-->LoadLibraryExW, Type: IAT modification 0x7E411208-->20CB835C [ISWSHEX.dll]
    [312]svchost.exe-->advapi32.dll-->ImpersonateNamedPipeClient, Type: Inline - RelativeJump 0x77DD7426-->20CB8E5D [ISWSHEX.dll]
    [312]svchost.exe-->advapi32.dll-->SetThreadToken, Type: Inline - RelativeJump 0x77DDF193-->20CB9036 [ISWSHEX.dll]
    [312]svchost.exe-->kernel32.dll-->OpenProcess, Type: Inline - RelativeJump 0x7C8309E9-->20CB846C [ISWSHEX.dll]
    [312]svchost.exe-->ntdll.dll-->NtAccessCheckByType, Type: Inline - RelativeJump 0x7C90CE8E-->20CB8791 [ISWSHEX.dll]
    [312]svchost.exe-->ntdll.dll-->NtImpersonateClientOfPort, Type: Inline - RelativeJump 0x7C90D3FE-->20CB8D58 [ISWSHEX.dll]
    [312]svchost.exe-->ntdll.dll-->NtSetInformationProcess, Type: Inline - RelativeJump 0x7C90DC9E-->20CB89AB [ISWSHEX.dll]
    [312]svchost.exe-->user32.dll-->FindWindowA, Type: Inline - RelativeJump 0x7E4282E1-->20CB828F [ISWSHEX.dll]
    [312]svchost.exe-->user32.dll-->FindWindowW, Type: Inline - RelativeJump 0x7E42C9C3-->20CB825A [ISWSHEX.dll]
    [312]svchost.exe-->user32.dll-->kernel32.dll-->LoadLibraryExW, Type: IAT modification 0x7E411208-->20CB835C [ISWSHEX.dll]
    [3196]notepad.exe-->advapi32.dll-->ImpersonateNamedPipeClient, Type: Inline - RelativeJump 0x77DD7426-->20CB8E5D [ISWSHEX.dll]
    [3196]notepad.exe-->advapi32.dll-->SetThreadToken, Type: Inline - RelativeJump 0x77DDF193-->20CB9036 [ISWSHEX.dll]
    [3196]notepad.exe-->kernel32.dll-->OpenProcess, Type: Inline - RelativeJump 0x7C8309E9-->20CB846C [ISWSHEX.dll]
    [3196]notepad.exe-->ntdll.dll-->NtAccessCheckByType, Type: Inline - RelativeJump 0x7C90CE8E-->20CB8791 [ISWSHEX.dll]
    [3196]notepad.exe-->ntdll.dll-->NtImpersonateClientOfPort, Type: Inline - RelativeJump 0x7C90D3FE-->20CB8D58 [ISWSHEX.dll]
    [3196]notepad.exe-->ntdll.dll-->NtSetInformationProcess, Type: Inline - RelativeJump 0x7C90DC9E-->20CB89AB [ISWSHEX.dll]
    [3196]notepad.exe-->user32.dll-->FindWindowA, Type: Inline - RelativeJump 0x7E4282E1-->20CB828F [ISWSHEX.dll]
    [3196]notepad.exe-->user32.dll-->FindWindowW, Type: Inline - RelativeJump 0x7E42C9C3-->20CB825A [ISWSHEX.dll]
    [3196]notepad.exe-->user32.dll-->kernel32.dll-->LoadLibraryExW, Type: IAT modification 0x7E411208-->20CB835C [ISWSHEX.dll]
    [428]ForceField.exe-->advapi32.dll-->ImpersonateNamedPipeClient, Type: Inline - RelativeJump 0x77DD7426-->20CB8E5D [ISWSHEX.dll]
    [428]ForceField.exe-->advapi32.dll-->SetThreadToken, Type: Inline - RelativeJump 0x77DDF193-->20CB9036 [ISWSHEX.dll]
    [428]ForceField.exe-->kernel32.dll-->OpenProcess, Type: Inline - RelativeJump 0x7C8309E9-->20CB846C [ISWSHEX.dll]
    [428]ForceField.exe-->kernel32.dll-->SetUnhandledExceptionFilter, Type: Inline - RelativeJump 0x7C84495D-->209F37DD [ISWDMP.dll]
    [428]ForceField.exe-->ntdll.dll-->NtAccessCheckByType, Type: Inline - RelativeJump 0x7C90CE8E-->20CB8791 [ISWSHEX.dll]
    [428]ForceField.exe-->ntdll.dll-->NtImpersonateClientOfPort, Type: Inline - RelativeJump 0x7C90D3FE-->20CB8D58 [ISWSHEX.dll]
    [428]ForceField.exe-->ntdll.dll-->NtSetInformationProcess, Type: Inline - RelativeJump 0x7C90DC9E-->20CB89AB [ISWSHEX.dll]
    [428]ForceField.exe-->user32.dll+0x000142A8, Type: Inline - RelativeJump 0x7E4242A8-->20CB9270 [ISWSHEX.dll]
    [428]ForceField.exe-->user32.dll-->kernel32.dll-->LoadLibraryExW, Type: IAT modification 0x7E411208-->20CB835C [ISWSHEX.dll]
    [460]notepad.exe-->advapi32.dll-->ImpersonateNamedPipeClient, Type: Inline - RelativeJump 0x77DD7426-->20CB8E5D [ISWSHEX.dll]
    [460]notepad.exe-->advapi32.dll-->SetThreadToken, Type: Inline - RelativeJump 0x77DDF193-->20CB9036 [ISWSHEX.dll]
    [460]notepad.exe-->kernel32.dll-->OpenProcess, Type: Inline - RelativeJump 0x7C8309E9-->20CB846C [ISWSHEX.dll]
    [460]notepad.exe-->ntdll.dll-->NtAccessCheckByType, Type: Inline - RelativeJump 0x7C90CE8E-->20CB8791 [ISWSHEX.dll]
    [460]notepad.exe-->ntdll.dll-->NtImpersonateClientOfPort, Type: Inline - RelativeJump 0x7C90D3FE-->20CB8D58 [ISWSHEX.dll]
    [460]notepad.exe-->ntdll.dll-->NtSetInformationProcess, Type: Inline - RelativeJump 0x7C90DC9E-->20CB89AB [ISWSHEX.dll]
    [460]notepad.exe-->user32.dll-->FindWindowA, Type: Inline - RelativeJump 0x7E4282E1-->20CB828F [ISWSHEX.dll]
    [460]notepad.exe-->user32.dll-->FindWindowW, Type: Inline - RelativeJump 0x7E42C9C3-->20CB825A [ISWSHEX.dll]
    [460]notepad.exe-->user32.dll-->kernel32.dll-->LoadLibraryExW, Type: IAT modification 0x7E411208-->20CB835C [ISWSHEX.dll]
    [716]explorer.exe-->advapi32.dll-->ImpersonateNamedPipeClient, Type: Inline - RelativeJump 0x77DD7426-->20CB8E5D [ISWSHEX.dll]
    [716]explorer.exe-->advapi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77DD1218-->5CB77774 [shimeng.dll]
    [716]explorer.exe-->advapi32.dll-->SetThreadToken, Type: Inline - RelativeJump 0x77DDF193-->20CB9036 [ISWSHEX.dll]
    [716]explorer.exe-->crypt32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77A81188-->5CB77774 [shimeng.dll]
    [716]explorer.exe-->gdi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77F110B4-->5CB77774 [shimeng.dll]
    [716]explorer.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x01001268-->5CB77774 [shimeng.dll]
    [716]explorer.exe-->kernel32.dll-->OpenProcess, Type: Inline - RelativeJump 0x7C8309E9-->20CB846C [ISWSHEX.dll]
    [716]explorer.exe-->mswsock.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x71A51178-->5CB77774 [shimeng.dll]
    [716]explorer.exe-->ntdll.dll-->NtAccessCheckByType, Type: Inline - RelativeJump 0x7C90CE8E-->20CB8791 [ISWSHEX.dll]
    [716]explorer.exe-->ntdll.dll-->NtImpersonateClientOfPort, Type: Inline - RelativeJump 0x7C90D3FE-->20CB8D58 [ISWSHEX.dll]
    [716]explorer.exe-->ntdll.dll-->NtSetInformationProcess, Type: Inline - RelativeJump 0x7C90DC9E-->20CB89AB [ISWSHEX.dll]
    [716]explorer.exe-->shell32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7C9C15A4-->5CB77774 [shimeng.dll]
    [716]explorer.exe-->user32.dll-->FindWindowA, Type: Inline - RelativeJump 0x7E4282E1-->20CB828F [ISWSHEX.dll]
    [716]explorer.exe-->user32.dll-->FindWindowW, Type: Inline - RelativeJump 0x7E42C9C3-->20CB825A [ISWSHEX.dll]
    [716]explorer.exe-->user32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7E41133C-->5CB77774 [shimeng.dll]
    [716]explorer.exe-->user32.dll-->kernel32.dll-->LoadLibraryExW, Type: IAT modification 0x7E411208-->20CB835C [ISWSHEX.dll]
    [716]explorer.exe-->wininet.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x3D9314B0-->5CB77774 [shimeng.dll]
    [716]explorer.exe-->ws2_32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x71AB109C-->5CB77774 [shimeng.dll]
    [736]jqs.exe-->advapi32.dll-->ImpersonateNamedPipeClient, Type: Inline - RelativeJump 0x77DD7426-->20CB8E5D [ISWSHEX.dll]
    [736]jqs.exe-->advapi32.dll-->SetThreadToken, Type: Inline - RelativeJump 0x77DDF193-->20CB9036 [ISWSHEX.dll]
    [736]jqs.exe-->kernel32.dll-->OpenProcess, Type: Inline - RelativeJump 0x7C8309E9-->20CB846C [ISWSHEX.dll]
    [736]jqs.exe-->ntdll.dll-->NtAccessCheckByType, Type: Inline - RelativeJump 0x7C90CE8E-->20CB8791 [ISWSHEX.dll]
    [736]jqs.exe-->ntdll.dll-->NtImpersonateClientOfPort, Type: Inline - RelativeJump 0x7C90D3FE-->20CB8D58 [ISWSHEX.dll]
    [736]jqs.exe-->ntdll.dll-->NtSetInformationProcess, Type: Inline - RelativeJump 0x7C90DC9E-->20CB89AB [ISWSHEX.dll]
    [736]jqs.exe-->user32.dll-->FindWindowA, Type: Inline - RelativeJump 0x7E4282E1-->20CB828F [ISWSHEX.dll]
    [736]jqs.exe-->user32.dll-->FindWindowW, Type: Inline - RelativeJump 0x7E42C9C3-->20CB825A [ISWSHEX.dll]
    [736]jqs.exe-->user32.dll-->kernel32.dll-->LoadLibraryExW, Type: IAT modification 0x7E411208-->20CB835C [ISWSHEX.dll]
    [924]mdm.exe-->advapi32.dll-->ImpersonateNamedPipeClient, Type: Inline - RelativeJump 0x77DD7426-->20CB8E5D [ISWSHEX.dll]
    [924]mdm.exe-->advapi32.dll-->SetThreadToken, Type: Inline - RelativeJump 0x77DDF193-->20CB9036 [ISWSHEX.dll]
    [924]mdm.exe-->kernel32.dll-->OpenProcess, Type: Inline - RelativeJump 0x7C8309E9-->20CB846C [ISWSHEX.dll]
    [924]mdm.exe-->ntdll.dll-->NtAccessCheckByType, Type: Inline - RelativeJump 0x7C90CE8E-->20CB8791 [ISWSHEX.dll]
    [924]mdm.exe-->ntdll.dll-->NtImpersonateClientOfPort, Type: Inline - RelativeJump 0x7C90D3FE-->20CB8D58 [ISWSHEX.dll]
    [924]mdm.exe-->ntdll.dll-->NtSetInformationProcess, Type: Inline - RelativeJump 0x7C90DC9E-->20CB89AB [ISWSHEX.dll]
    [924]mdm.exe-->user32.dll-->FindWindowA, Type: Inline - RelativeJump 0x7E4282E1-->20CB828F [ISWSHEX.dll]
    [924]mdm.exe-->user32.dll-->FindWindowW, Type: Inline - RelativeJump 0x7E42C9C3-->20CB825A [ISWSHEX.dll]
    [924]mdm.exe-->user32.dll-->kernel32.dll-->LoadLibraryExW, Type: IAT modification 0x7E411208-->20CB835C [ISWSHEX.dll]
    [984]ISWSVC.exe-->advapi32.dll-->kernel32.dll-->CreateThread, Type: IAT modification 0x77DD10CC-->10009EF0 [vsinit.dll]
    [984]ISWSVC.exe-->crypt32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77A81188-->100020F0 [vsinit.dll]
    [984]ISWSVC.exe-->kernel32.dll+0x00002804, Type: Code Mismatch 0x7C802804 + 10244 [F8 41 08]
    [984]ISWSVC.exe-->kernel32.dll+0x00002C2C, Type: Code Mismatch 0x7C802C2C + 11308 [EE 41 08]
    [984]ISWSVC.exe-->kernel32.dll+0x00002C38, Type: Code Mismatch 0x7C802C38 + 11320 [F3 41 08]
    [984]ISWSVC.exe-->kernel32.dll+0x00003330, Type: Inline - RelativeJump 0x7C803330-->18803B76 [unknown_code_page]
    [984]ISWSVC.exe-->kernel32.dll-->OpenProcess, Type: Inline - RelativeJump 0x7C8309E9-->20CB846C [ISWSHEX.dll]
    [984]ISWSVC.exe-->user32.dll+0x000142A8, Type: Inline - RelativeJump 0x7E4242A8-->20CB9270 [ISWSHEX.dll]
    [984]ISWSVC.exe-->wininet.dll-->kernel32.dll-->CreateThread, Type: IAT modification 0x3D931370-->7C8841F8 [kernel32.dll]
    [984]ISWSVC.exe-->wininet.dll-->kernel32.dll-->GetModuleHandleA, Type: IAT modification 0x3D9313DC-->7C8841EE [kernel32.dll]
    [984]ISWSVC.exe-->wininet.dll-->kernel32.dll-->GetModuleHandleW, Type: IAT modification 0x3D9313E4-->7C8841F3 [kernel32.dll]
    [984]ISWSVC.exe-->wininet.dll-->kernel32.dll-->SetUnhandledExceptionFilter, Type: IAT modification 0x3D931444-->7C8841E9 [kernel32.dll]
    [984]ISWSVC.exe-->ws2_32.dll-->kernel32.dll-->CreateThread, Type: IAT modification 0x71AB10AC-->7C8841F8 [kernel32.dll]
    [984]ISWSVC.exe-->ws2_32.dll-->kernel32.dll-->SetUnhandledExceptionFilter, Type: IAT modification 0x71AB10DC-->7C8841E9 [kernel32.dll]

  4. #14
    Emeritus- Malware Team
    Join Date: Aug 2011
    Posts: 148

    Hi musicalpulltoy,

    Thank you for the logs and feedback.

    I think the active security tools may have caused the Rootkit UnHooker tool to produce false results.

    Again, please remember to read the instructions below carefully before executing and perform the steps, in the order given.
    If you have any questions about or problems executing these instructions, <STOP> do not proceed, post back with the question or problem before going any further.

    Before proceeding please make sure any open programs are closed.

    Step 1:
    Temporarily Disable Active Security Tools

    Please can you temporarily disable WinPatrol and Zone Alarm. If required, please refer to the following reference to achieve this:
    Disable WinPatrol

    1. Right-click on the WinPatrol (Scotty the dog) icon in the system tray.
    2. Then select Exit Program.

    Disable ZoneAlarm

    1. Right-click on the ZoneAlarm icon in the system tray and select Shutdown ZoneAlarm.
    2. A ZoneAlarm pop-up alert window will appear. Click on the Yes button to confirm the closure of the ZoneAlarm program.

    Note: Don't forget to re-enable WinPatrol and ZoneAlarm afterwards. To do this, simply relaunch both programs or restart the computer.

    Step 2:
    Rootkit UnHooker

    Then run the Rootkit UnHooker tool again and post back the contents of the log file.

    Step 3:
    Include in Next Post

    1. Did you have any problems carrying out the instructions?
    2. Report.txt.


    Scolabar
    --------------------------------------------------------------------------
    No Reply Within 3 Days Will Result In Your Topic Being Closed
    Malware Removal University - You too could train to help others
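The hook list posted above and Scolabar's remark that the active security tools probably produced the "false" results both come down to one question: which module owns each hook, and is that module something you expect on the box? The script below is an added example, not part of the original thread and not an RkU feature: it parses RkU hook lines in the format posted, groups them by the hooking module, flags the entries that cannot be attributed to a known product (control going into `unknown_code_page`, `Code Mismatch` entries, or a module not on the list), and checks that a product hook sends a given function to the same destination in every process. The product-to-module table is an assumption drawn from the log itself (ISWSHEX.dll hooks the ForceField.exe and ISWSVC.exe processes, and vsdatant.sys is listed there as the ZoneAlarm firewalling driver) plus well-known Windows components; the sample lines are copied from the posted log format.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: lines copied in the format RkU's Report tab prints, taken from the
# posted log, plus the report header line, which the parser must ignore.
SAMPLE_LOG = """RkU Version: 3.8.389.593, Type LE (SR2)
wanarp.sys-->ndis.sys-->NdisRegisterProtocol, Type: IAT modification 0xF753CB28-->B16773F6 [vsdatant.sys]
[1372]winlogon.exe-->advapi32.dll-->ImpersonateNamedPipeClient, Type: Inline - RelativeJump 0x77DD7426-->20CB8E5D [ISWSHEX.dll]
[1432]lsass.exe-->advapi32.dll-->ImpersonateNamedPipeClient, Type: Inline - RelativeJump 0x77DD7426-->20CB8E5D [ISWSHEX.dll]
[1432]lsass.exe-->user32.dll-->kernel32.dll-->LoadLibraryExW, Type: IAT modification 0x7E411208-->20CB835C [ISWSHEX.dll]
[1948]searchindexer.exe-->kernel32.dll-->WriteFile, Type: Inline - RelativeJump 0x7C810E27-->00585C0C [mssrch.dll]
[1948]searchindexer.exe-->kernel32.dll-->WriteFile, Type: Inline - SEH 0x7C810E2C [unknown_code_page]
[716]explorer.exe-->shell32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7C9C15A4-->5CB77774 [shimeng.dll]
[984]ISWSVC.exe-->kernel32.dll+0x00002804, Type: Code Mismatch 0x7C802804 + 10244 [F8 41 08]
[984]ISWSVC.exe-->kernel32.dll+0x00003330, Type: Inline - RelativeJump 0x7C803330-->18803B76 [unknown_code_page]
[984]ISWSVC.exe-->wininet.dll-->kernel32.dll-->CreateThread, Type: IAT modification 0x3D931370-->7C8841F8 [kernel32.dll]
"""

HOOK_RE = re.compile(
    r"^\s*(?:\[(?P<pid>\d+)\](?P<proc>.+?)-->)?"   # user-mode entries start with [pid]process-->
    r"(?P<chain>.+?),\s*Type:\s*(?P<type>.+?)\s+"  # module-->...-->function, then the hook type
    r"(?P<addr>0x[0-9A-Fa-f]+)"                     # the hooked address
    r"(?:-->(?P<target>[0-9A-Fa-f]+))?"             # where control goes (absent for SEH / mismatch)
    r"(?:\s*\+\s*(?P<offset>\d+))?"                 # 'Code Mismatch' lines add '+ <offset>'
    r"\s*\[(?P<bracket>[^\]]*)\]\s*$"               # owning module, or the differing bytes
)

# ASSUMPTION: which product owns each hooking module. Derived from the posted log (ISWSHEX.dll
# hooks ForceField.exe and ISWSVC.exe; vsdatant.sys is listed as the ZoneAlarm firewall driver)
# and from well-known Windows components. Verify against the files on disk before trusting it.
KNOWN_HOOKERS = {
    "ISWSHEX.dll": "ZoneAlarm ForceField",
    "ISWDMP.dll": "ZoneAlarm ForceField",
    "vsdatant.sys": "ZoneAlarm firewall driver",
    "vsinit.dll": "ZoneAlarm",
    "shimeng.dll": "Windows application-compatibility shim engine",
    "mssrch.dll": "Windows Search (searchindexer.exe's own module)",
}


def parse_hook_line(line):
    """Return a dict for one RkU hook line, or None for header/other lines."""
    m = HOOK_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    parts = d["chain"].split("-->")
    d["hooked_module"] = parts[0]          # the image whose code or IAT was altered
    d["function"] = parts[-1]              # the symbol (or module+offset) that was altered
    d["scope"] = "user" if d["pid"] else "kernel"
    if d["type"] == "Code Mismatch":
        d["module"], d["bytes"] = None, d["bracket"]   # bracket holds bytes, not a module
    else:
        d["module"], d["bytes"] = d["bracket"], None
    return d


def classify(entry):
    """('known', owner) when a listed product explains the hook, else ('review', reason)."""
    if entry["type"] == "Code Mismatch":
        return ("review", "code bytes differ from the on-disk image at " + entry["addr"])
    if entry["module"] == "unknown_code_page":
        return ("review", "control transfers into memory owned by no loaded module")
    if entry["module"] in KNOWN_HOOKERS:
        return ("known", KNOWN_HOOKERS[entry["module"]])
    return ("review", "hooking module %s is not on the expected-product list" % entry["module"])


def triage(log_text):
    """Parse a whole RkU report and split its hooks into explained and needs-review sets."""
    entries = [e for e in map(parse_hook_line, log_text.splitlines()) if e]
    by_module = Counter(e["module"] or "<code mismatch>" for e in entries)
    processes = defaultdict(set)     # hooking module -> processes it was seen in
    targets = defaultdict(set)       # (module, function) -> hook destinations seen
    review = []
    for e in entries:
        verdict, detail = classify(e)
        if e["module"]:
            processes[e["module"]].add(e["proc"] or "<kernel>")
        if e["target"]:
            targets[(e["module"], e["function"])].add(e["target"])
        if verdict == "review":
            review.append({"process": e["proc"] or "<kernel>", "function": e["function"],
                           "type": e["type"], "why": detail})
    # A product that injects one DLL everywhere sends a given function to one destination;
    # the same function going to different places in different processes deserves a look.
    inconsistent = {k: sorted(v) for k, v in targets.items() if len(v) > 1}
    return {"entries": entries, "by_module": by_module,
            "processes": {m: sorted(p) for m, p in processes.items()},
            "review": review, "inconsistent_targets": inconsistent}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for module, n in result["by_module"].most_common():
        owner = KNOWN_HOOKERS.get(module, "?")
        seen = ", ".join(result["processes"].get(module, []))
        print("%-18s %2d hook(s) in %-22s [%s]" % (module, n, seen, owner))
    for r in result["review"]:
        print("REVIEW %-18s %-26s %-22s %s" % (r["process"], r["function"], r["type"], r["why"]))
```

Run against the full posted report, the ISWSHEX.dll rows collapse to one line covering every process, which is what you expect from a product that injects a single DLL system-wide; what remains for a human are the `unknown_code_page` and `Code Mismatch` rows, which is exactly the set that rerunning the scan with ZoneAlarm and WinPatrol stopped (as the next step asks) should shrink or explain.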

  5. #15
    Senior Member musicalpulltoy
    Join Date: Mar 2009
    Posts: 104

    Hiya,
    had to exit both; ZA doesn't have a shutdown option.
    AVG has no resident shield and popped up with "spr/tool.xooba.a"; moved it to the vault.
    Suppose I have to do it again?

    RkU Version: 3.8.389.593, Type LE (SR2)
    ==============================================
    OS Name: Windows XP
    Version 5.1.2600 (Service Pack 3)
    Number of processors #1
    ==============================================
    >Drivers
    ==============================================
    0x804D7000 C:\WINDOWS\system32\ntoskrnl.exe 2192768 bytes (Microsoft Corporation, NT Kernel & System)
    0x804D7000 PnpManager 2192768 bytes
    0x804D7000 RAW 2192768 bytes
    0x804D7000 WMIxWDM 2192768 bytes
    0xBF800000 Win32k 1863680 bytes
    0xBF800000 C:\WINDOWS\System32\win32k.sys 1863680 bytes (Microsoft Corporation, Multi-User Win32 Driver)
    0xB9F0F000 C:\WINDOWS\system32\DRIVERS\ialmnt5.sys 1302528 bytes (Intel Corporation, Intel Graphics Miniport Driver)
    0xBF077000 C:\WINDOWS\System32\ialmdd5.DLL 925696 bytes (Intel Corporation, DirectDraw(R) Driver for Intel(R) Graphics Technology)
    0xB9D52000 C:\WINDOWS\system32\drivers\senfilt.sys 733184 bytes (Creative Technology Ltd., Creative WDM Audio Driver)
    0xF7B52000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)
    0xB188C000 C:\WINDOWS\System32\vsdatant.sys 520192 bytes (Check Point Software Technologies LTD, ZoneAlarm Firewalling Driver)
    0xB168F000 C:\WINDOWS\system32\DRIVERS\mrxsmb.sys 458752 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
    0xB9C2C000 C:\WINDOWS\system32\DRIVERS\update.sys 385024 bytes (Microsoft Corporation, Update Driver)
    0xB1A3E000 C:\WINDOWS\system32\DRIVERS\tcpip.sys 364544 bytes (Microsoft Corporation, TCP/IP Protocol Driver)
    0xBF159000 C:\WINDOWS\System32\ATMFD.DLL 290816 bytes (Adobe Systems Incorporated, Windows NT OpenType/Type 1 Font Driver)
    0xB19BF000 C:\WINDOWS\system32\DRIVERS\avgtdix.sys 290816 bytes (AVG Technologies CZ, s.r.o., AVG Network connection watcher)
    0xB0089000 C:\WINDOWS\System32\Drivers\HTTP.sys 266240 bytes (Microsoft Corporation, HTTP Protocol Stack)
    0xB9E4C000 C:\WINDOWS\system32\drivers\smwdm.sys 262144 bytes (Analog Devices, Inc., SoundMAX Integrated Digital Audio )
    0xB1A06000 C:\WINDOWS\system32\DRIVERS\tcpip6.sys 229376 bytes (Microsoft Corporation, IPv6 driver)
    0xB12C4000 C:\WINDOWS\system32\DRIVERS\avgldx86.sys 225280 bytes (AVG Technologies CZ, s.r.o., AVG AVI Loader Driver)
    0xB1AE6000 C:\WINDOWS\system32\DRIVERS\wg111v3.sys 225280 bytes (Realtek Semiconductor Corporation , NETGEAR WG111v3 54Mbps Wireless USB 2.0 Adapter NDIS Driver)
    0xBF042000 C:\WINDOWS\System32\ialmdev5.DLL 217088 bytes (Intel Corporation, Component GHAL Driver)
    0xF75A8000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)
    0xF7419000 NDIS.sys 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)
    0xB16FF000 C:\WINDOWS\system32\DRIVERS\rdbss.sys 176128 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
    0xB190B000 C:\WINDOWS\system32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)
    0xB9EA0000 C:\WINDOWS\system32\DRIVERS\e100b325.sys 155648 bytes (Intel Corporation, Intel(R) PRO/100 Adapter NDIS 5.1 driver)
    0xB1999000 C:\WINDOWS\system32\DRIVERS\ipnat.sys 155648 bytes (Microsoft Corporation, IP Network Address Translator)
    0xB9E28000 C:\WINDOWS\system32\drivers\portcls.sys 147456 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
    0xB9ED7000 C:\WINDOWS\system32\DRIVERS\USBPORT.SYS 147456 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
    0xB9E05000 C:\WINDOWS\system32\drivers\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)
    0xB174C000 C:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
    0xBF020000 C:\WINDOWS\System32\ialmdnt5.dll 139264 bytes (Intel Corporation, Controller Hub for Intel Graphics Driver)
    0xB172A000 C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS 139264 bytes (SUPERAdBlocker.com and SUPERAntiSpyware.com, SASKUTIL.SYS)
    0x806EF000 ACPI_HAL 131840 bytes
    0x806EF000 C:\WINDOWS\system32\hal.dll 131840 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
    0xB0412000 C:\WINDOWS\system32\DRIVERS\AVGIDSDriver.Sys 131072 bytes (AVG Technologies CZ, s.r.o. , IDS Application Activity Monitor Driver.)
    0xF7482000 fltmgr.sys 131072 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
    0xF74BA000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver)
    0xF74D9000 pcmcia.sys 122880 bytes (Microsoft Corporation, PCMCIA Bus Driver)
    0xB1AAA000 C:\WINDOWS\system32\drivers\InCDFs.sys 114688 bytes (Nero AG, InCD File System Driver)
    0xF787D000 Mup.sys 106496 bytes (Microsoft Corporation, Multiple UNC Provider driver)
    0xF74A2000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)
    0xB1073000 C:\WINDOWS\System32\Drivers\dump_atapi.sys 98304 bytes
    0xF7459000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
    0xB9D3B000 C:\WINDOWS\system32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
    0xB0A85000 C:\WINDOWS\system32\DRIVERS\nwlnkipx.sys 90112 bytes (Microsoft Corporation, NWLINK2 IPX Protocol Driver)
    0xB0818000 C:\WINDOWS\system32\drivers\wdmaud.sys 86016 bytes (Microsoft Corporation, MMSYSTEM Wave/Midi API mapper)
    0xB9E8C000 C:\WINDOWS\system32\DRIVERS\parport.sys 81920 bytes (Microsoft Corporation, Parallel Port Driver)
    0xB9EFB000 C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver)
    0xB1A97000 C:\WINDOWS\system32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver)
    0xF7446000 WudfPf.sys 77824 bytes (Microsoft Corporation, Windows Driver Foundation - User-mode Driver Framework Platform Driver)
    0xBF000000 C:\WINDOWS\System32\drivers\dxg.sys 73728 bytes (Microsoft Corporation, DirectX Graphics Driver)
    0xF7470000 sr.sys 73728 bytes (Microsoft Corporation, System Restore Filesystem Filter Driver)
    0xF7597000 pci.sys 69632 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
    0xB9D2A000 C:\WINDOWS\system32\DRIVERS\psched.sys 69632 bytes (Microsoft Corporation, MS QoS Packet Scheduler)
    0xBFF40000 C:\WINDOWS\System32\s3legacy.dll 69632 bytes (Microsoft Corporation, S3 Display Driver)
    0xB9EC6000 C:\WINDOWS\system32\DRIVERS\s3legacy.sys 69632 bytes (Microsoft Corporation, s3 Miniport Driver)
    0xB9C9A000 C:\WINDOWS\System32\Drivers\Cdfs.SYS 65536 bytes (Microsoft Corporation, CD-ROM File System Driver)
    0xBA6FA000 C:\WINDOWS\system32\DRIVERS\cdrom.sys 65536 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
    0xB9CEA000 C:\WINDOWS\system32\DRIVERS\nwlnknb.sys 65536 bytes (Microsoft Corporation, NWLINK2 IPX Netbios Protocol Driver)
    0xBA71A000 C:\WINDOWS\system32\DRIVERS\serial.sys 65536 bytes (Microsoft Corporation, Serial Device Driver)
    0xF7557000 C:\WINDOWS\System32\Drivers\DgiVecp.sys 61440 bytes (DeviceGuys, Inc., Windows NT 4.0 IEEE-1284 parallel class driver for ECP, Byte, and Nibble modes)
    0xBA6DA000 C:\WINDOWS\system32\drivers\drmk.sys 61440 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
    0xB17C7000 C:\WINDOWS\system32\drivers\sysaudio.sys 61440 bytes (Microsoft Corporation, System Audio WDM Filter)
    0xF76C7000 C:\WINDOWS\system32\DRIVERS\usbhub.sys 61440 bytes (Microsoft Corporation, Default Hub Driver for USB)
    0xBF012000 C:\WINDOWS\System32\ialmrnt5.dll 57344 bytes (Intel Corporation, Controller Hub for Intel Graphics Driver)
    0xB07AA000 C:\WINDOWS\system32\DRIVERS\nwlnkspx.sys 57344 bytes (Microsoft Corporation, NWLINK2 SPX Protocol Driver)
    0xF7587000 C:\WINDOWS\system32\DRIVERS\avgmfx86.sys 53248 bytes (AVG Technologies CZ, s.r.o., AVG Resident Shield Minifilter Driver)
    0xF7637000 C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS 53248 bytes (Microsoft Corporation, SCSI Class System Dll)
    0xBA72A000 C:\WINDOWS\system32\DRIVERS\i8042prt.sys 53248 bytes (Microsoft Corporation, i8042 Port Driver)
    0xF7667000 C:\WINDOWS\system32\DRIVERS\rasl2tp.sys 53248 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
    0xF7617000 VolSnap.sys 53248 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
    0xF7687000 C:\WINDOWS\system32\DRIVERS\raspptp.sys 49152 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
    0xF7507000 C:\WINDOWS\System32\Drivers\Fips.SYS 45056 bytes (Microsoft Corporation, FIPS Crypto Driver)
    0xBA70A000 C:\WINDOWS\system32\DRIVERS\imapi.sys 45056 bytes (Microsoft Corporation, IMAPI Kernel Driver)
    0xF7607000 MountMgr.sys 45056 bytes (Microsoft Corporation, Mount Manager)
    0xF7677000 C:\WINDOWS\system32\DRIVERS\raspppoe.sys 45056 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
    0xF75F7000 isapnp.sys 40960 bytes (Microsoft Corporation, PNP ISA Bus Driver)
    0xF76B7000 C:\WINDOWS\System32\Drivers\NDProxy.SYS 40960 bytes (Microsoft Corporation, NDIS Proxy)
    0xF76A7000 C:\WINDOWS\system32\DRIVERS\termdd.sys 40960 bytes (Microsoft Corporation, Terminal Server Driver)
    0xB0011000 C:\WINDOWS\System32\Drivers\BlackBox.SYS 36864 bytes (RKU Driver)
    0xF7627000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver)
    0xF76F7000 C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS 36864 bytes (Microsoft Corporation, Hid Class Library)
    0xBA6EA000 C:\WINDOWS\system32\drivers\InCDRm.sys 36864 bytes (Nero AG, Nero MRW Filter Driver)
    0xBA73A000 C:\WINDOWS\system32\DRIVERS\intelppm.sys 36864 bytes (Microsoft Corporation, Processor Device Driver)
    0xF7577000 C:\WINDOWS\system32\drivers\ip6fw.sys 36864 bytes (Microsoft Corporation, IPv6 Windows Firewall Driver)
    0xF7697000 C:\WINDOWS\system32\DRIVERS\msgpc.sys 36864 bytes (Microsoft Corporation, MS General Packet Classifier)
    0xF7527000 C:\WINDOWS\system32\DRIVERS\netbios.sys 36864 bytes (Microsoft Corporation, NetBIOS interface driver)
    0xF7647000 PxHelp20.sys 36864 bytes (Sonic Solutions, Px Engine Device Driver for Windows 2000/XP)
    0xF7567000 C:\WINDOWS\system32\DRIVERS\wanarp.sys 36864 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
    0xBA05F000 C:\WINDOWS\system32\drivers\InCDPass.sys 32768 bytes (Nero AG, Ahead RW Filter Driver)
    0xF774F000 C:\Program Files\CheckPoint\ZAForceField\ISWKL.sys 32768 bytes (Check Point Software Technologies, ZoneAlarm Browser Security)
    0xF777F000 C:\WINDOWS\System32\Drivers\Npfs.SYS 32768 bytes (Microsoft Corporation, NPFS Driver)
    0xBA07F000 C:\WINDOWS\system32\DRIVERS\usbehci.sys 32768 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
    0xF7717000 avgrkx86.sys 28672 bytes (AVG Technologies CZ, s.r.o., AVG Anti-Rootkit Driver)
    0xBA077000 C:\WINDOWS\system32\DRIVERS\fdc.sys 28672 bytes (Microsoft Corporation, Floppy Disk Controller Driver)
    0xF775F000 C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS 28672 bytes (Microsoft Corporation, Hid Parsing Library)
    0xF7707000 C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS 28672 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
    0xBA067000 C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys 24576 bytes (GEAR Software Inc., CD DVD Filter)
    0xBA06F000 C:\WINDOWS\system32\DRIVERS\kbdclass.sys 24576 bytes (Microsoft Corporation, Keyboard Class Driver)
    0xF7747000 C:\WINDOWS\system32\DRIVERS\mouclass.sys 24576 bytes (Microsoft Corporation, Mouse Class Driver)
    0xF7787000 C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS 24576 bytes (SUPERAdBlocker.com and SUPERAntiSpyware.com, SASDIFSV.SYS)
    0xBA087000 C:\WINDOWS\system32\DRIVERS\usbuhci.sys 24576 bytes (Microsoft Corporation, UHCI USB Miniport Driver)
    0xF776F000 C:\WINDOWS\System32\drivers\vga.sys 24576 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
    0xF781F000 C:\WINDOWS\system32\DRIVERS\AegisP.sys 20480 bytes (Meetinghouse Data Communications, IEEE 802.1X Protocol Driver)
    0xF772F000 C:\WINDOWS\system32\DRIVERS\AVGIDSFilter.Sys 20480 bytes (AVG Technologies CZ, s.r.o. , IDS Application Activity Monitor Filter Driver.)
    0xF7777000 C:\WINDOWS\System32\Drivers\Msfs.SYS 20480 bytes (Microsoft Corporation, Mailslot driver)
    0xF770F000 PartMgr.sys 20480 bytes (Microsoft Corporation, Partition Manager)
    0xF7737000 C:\WINDOWS\system32\DRIVERS\ptilink.sys 20480 bytes (Parallel Technologies, Inc., Parallel Technologies DirectParallel IO Library)
    0xF773F000 C:\WINDOWS\system32\DRIVERS\raspti.sys 20480 bytes (Microsoft Corporation, PTI DirectParallel(R) mini-port/call-manager driver)
    0xBA057000 C:\WINDOWS\system32\DRIVERS\TDI.SYS 20480 bytes (Microsoft Corporation, TDI Wrapper)
    0xF77EF000 C:\WINDOWS\System32\watchdog.sys 20480 bytes (Microsoft Corporation, Watchdog Driver)
    0xF789B000 AVGIDSEH.Sys 16384 bytes (AVG Technologies CZ, s.r.o. , IDS Application Activity Monitor Helper Driver.)
    0xBA7DC000 C:\WINDOWS\system32\DRIVERS\mssmbios.sys 16384 bytes (Microsoft Corporation, System Management BIOS Driver)
    0xB0BAF000 C:\WINDOWS\system32\DRIVERS\ndisuio.sys 16384 bytes (Microsoft Corporation, NDIS User mode I/O Driver)
    0xBA7F4000 C:\WINDOWS\system32\DRIVERS\serenum.sys 16384 bytes (Microsoft Corporation, Serial Port Enumerator)
    0xB091D000 C:\WINDOWS\system32\DRIVERS\AVGIDSShim.Sys 12288 bytes (AVG Technologies CZ, s.r.o. , IDS Application Activity Monitor Loader Driver.)
    0xF7897000 C:\WINDOWS\system32\BOOTVID.dll 12288 bytes (Microsoft Corporation, VGA Boot Driver)
    0xB9C1C000 C:\WINDOWS\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver)
    0xBA574000 C:\WINDOWS\system32\DRIVERS\hidusb.sys 12288 bytes (Microsoft Corporation, USB Miniport Driver for Input Devices)
    0xBA7B4000 C:\WINDOWS\System32\Drivers\i2omgmt.SYS 12288 bytes (Microsoft Corporation, I2O Utility Filter)
    0xBA56C000 C:\WINDOWS\System32\Drivers\InCDrec.SYS 12288 bytes (Nero AG, InCD File System Recognizer)
    0xB092D000 C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys 12288 bytes (Conexant, Diagnostic Interface DRIVER)
    0xF7927000 C:\WINDOWS\system32\DRIVERS\mouhid.sys 12288 bytes (Microsoft Corporation, HID Mouse Filter Driver)
    0xBA7EC000 C:\WINDOWS\system32\DRIVERS\ndistapi.sys 12288 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
    0xBA568000 C:\WINDOWS\system32\DRIVERS\rasacd.sys 12288 bytes (Microsoft Corporation, RAS Automatic Connection Driver)
    0xBA7FC000 C:\WINDOWS\system32\DRIVERS\tunmp.sys 12288 bytes (Microsoft Corporation, Microsoft Tunnel Interface Driver)
    0xF79F7000 C:\WINDOWS\System32\Drivers\ASCTRM.SYS 8192 bytes (Windows (R) 2000 DDK provider, TR Manager)
    0xF79B9000 C:\WINDOWS\System32\Drivers\Beep.SYS 8192 bytes (Microsoft Corporation, BEEP Driver)
    0xF7997000 C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS 8192 bytes
    0xF79B7000 C:\WINDOWS\System32\Drivers\Fs_Rec.SYS 8192 bytes (Microsoft Corporation, File System Recognizer Driver)
    0xF798B000 intelide.sys 8192 bytes (Microsoft Corporation, Intel PCI IDE Driver)
    0xF7987000 C:\WINDOWS\system32\KDCOM.DLL 8192 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
    0xF79BB000 C:\WINDOWS\System32\Drivers\mnmdd.SYS 8192 bytes (Microsoft Corporation, Frame buffer simulator)
    0xF79BD000 C:\WINDOWS\System32\DRIVERS\RDPCDD.sys 8192 bytes (Microsoft Corporation, RDP Miniport)
    0xF79AF000 C:\WINDOWS\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
    0xF79B5000 C:\WINDOWS\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
    0xF7989000 C:\WINDOWS\system32\DRIVERS\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
    0xF7A98000 C:\WINDOWS\system32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver)
    0xB12B2000 C:\WINDOWS\System32\drivers\dxgthk.sys 4096 bytes (Microsoft Corporation, DirectX Graphics Driver Thunk)
    0xBA260000 C:\WINDOWS\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver)
    0xF7A4F000 pciide.sys 4096 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)
    ==============================================
    >Stealth
    ==============================================
    WARNING: Virus alike driver modification [adpu160m.sys]
    WARNING: Virus alike driver modification [ipfilter.sys]
    WARNING: Virus alike driver modification [acpiec.sys]
    WARNING: Virus alike driver modification [cpqdap01.sys]
    WARNING: Virus alike driver modification [amsint.sys]
    WARNING: Virus alike driver modification [nikedrv.sys]
    WARNING: Virus alike driver modification [rio8drv.sys]
    WARNING: Virus alike driver modification [riodrv.sys]
    WARNING: Virus alike driver modification [ws2ifsl.sys]
    WARNING: Virus alike driver modification [fsvga.sys]
    WARNING: Virus alike driver modification [nwlnkflt.sys]
    WARNING: Virus alike driver modification [ftdisk.sys]
    WARNING: Virus alike driver modification [aha154x.sys]
    WARNING: Virus alike driver modification [cbidf2k.sys]
    WARNING: Virus alike driver modification [smclib.sys]
    WARNING: Virus alike driver modification [dac960nt.sys]
    WARNING: Virus alike driver modification [asc3550.sys]
    WARNING: Virus alike driver modification [cpqarray.sys]
    WARNING: Virus alike driver modification [ini910u.sys]
    WARNING: Virus alike driver modification [symc810.sys]
    WARNING: Virus alike driver modification [mraid35x.sys]
    WARNING: Virus alike driver modification [dac2w2k.sys]
    WARNING: Virus alike driver modification [nv4_mini.sys]
    WARNING: Virus alike driver modification [sparrow.sys]
    WARNING: Virus alike driver modification [iqvw32.sys]
    WARNING: Virus alike driver modification [dpti2o.sys]
    WARNING: Virus alike driver modification [tsbvcap.sys]
    WARNING: Virus alike driver modification [asc3350p.sys]
    WARNING: Virus alike driver modification [ABP480N5.SYS]
    WARNING: Virus alike driver modification [hpn.sys]
    WARNING: Virus alike driver modification [cinemst2.sys]
    WARNING: Virus alike driver modification [asc.sys]
    WARNING: Virus alike driver modification [perc2.sys]
    WARNING: Virus alike driver modification [sym_hi.sys]
    WARNING: Virus alike driver modification [PTDUBus.sys]
    WARNING: Virus alike driver modification [sym_u3.sys]
    WARNING: Virus alike driver modification [atmepvc.sys]
    WARNING: Virus alike driver modification [nwlnkfwd.sys]
    WARNING: Virus alike driver modification [symc8xx.sys]
    WARNING: Virus alike driver modification [ipfltdrv.sys]
    WARNING: Virus alike driver modification [ql10wnt.sys]
    WARNING: Virus alike driver modification [rawwan.sys]
    WARNING: Virus alike driver modification [atmuni.sys]
    WARNING: Virus alike driver modification [ultra.sys]
    WARNING: Virus alike driver modification [StMp3Rec.sys]
    WARNING: Virus alike driver modification [wpdusb.sys]
    WARNING: Virus alike driver modification [PTDUVsp.sys]
    WARNING: Virus alike driver modification [ql1080.sys]
    WARNING: Virus alike driver modification [ql1240.sys]
    WARNING: Virus alike driver modification [PTDUMdm.sys]
    WARNING: Virus alike driver modification [ql12160.sys]
    WARNING: Virus alike driver modification [ql1280.sys]
    WARNING: Virus alike driver modification [toside.sys]
    WARNING: Virus alike driver modification [tosdvd.sys]
    WARNING: Virus alike driver modification [aliide.sys]
    WARNING: Virus alike driver modification [perc2hib.sys]
    WARNING: Virus alike driver modification [aic78u2.sys]
    WARNING: Virus alike driver modification [nwlnkspx.sys]
    WARNING: Virus alike driver modification [aic78xx.sys]
    WARNING: Virus alike driver modification [vdmindvd.sys]
    WARNING: Virus alike driver modification [dmload.sys]
    WARNING: Virus alike driver modification [rootmdm.sys]
    WARNING: Virus alike driver modification [PTDUWWAN.sys]
    WARNING: Virus alike driver modification [nwlnknb.sys]
    WARNING: Virus alike driver modification [cmdide.sys]
    WARNING: Virus alike driver modification [parvdm.sys]
    WARNING: Virus alike driver modification [cd20xrnt.sys]
    WARNING: Virus alike driver modification [mcd.sys]
    WARNING: Virus alike driver modification [WudfPf.sys]
    WARNING: Virus alike driver modification [WudfRd.sys]
    ==============================================
    >Files
    ==============================================
    ==============================================
    >Hooks
    ==============================================
    ntoskrnl.exe+0x00004AA2, Type: Inline - RelativeJump 0x804DBAA2-->804DBAA9 [ntoskrnl.exe]
    ntoskrnl.exe+0x0000B888, Type: Inline - RelativeJump 0x804E2888-->804E2818 [ntoskrnl.exe]
    ntoskrnl.exe+0x0000BA94, Type: Inline - RelativeJump 0x804E2A94-->804E2B09 [ntoskrnl.exe]
    ntoskrnl.exe-->KeFindConfigurationEntry, Type: Inline - RelativeJump 0x806C5F1A-->806C5F8D [ntoskrnl.exe]
    ntoskrnl.exe-->KeFindConfigurationEntry, Type: Inline - RelativeCall 0x806C5F22-->F76C5F34 [unknown_code_page]
    tcpip.sys-->ndis.sys-->NdisCloseAdapter, Type: IAT modification 0xB1A7D428-->B18B2A3E [vsdatant.sys]
    tcpip.sys-->ndis.sys-->NdisOpenAdapter, Type: IAT modification 0xB1A7D454-->B18B224C [vsdatant.sys]
    tcpip.sys-->ndis.sys-->NdisRegisterProtocol, Type: IAT modification 0xB1A7D460-->B18B23F6 [vsdatant.sys]
    wanarp.sys-->ndis.sys-->NdisCloseAdapter, Type: IAT modification 0xF756CB4C-->B18B2A3E [vsdatant.sys]
    wanarp.sys-->ndis.sys-->NdisDeregisterProtocol, Type: IAT modification 0xF756CB1C-->B18B09A6 [vsdatant.sys]
    wanarp.sys-->ndis.sys-->NdisOpenAdapter, Type: IAT modification 0xF756CB3C-->B18B224C [vsdatant.sys]
    wanarp.sys-->ndis.sys-->NdisRegisterProtocol, Type: IAT modification 0xF756CB28-->B18B23F6 [vsdatant.sys]
    [1276]mdm.exe-->advapi32.dll-->ImpersonateNamedPipeClient, Type: Inline - RelativeJump 0x77DD7426-->20CB8E5D [ISWSHEX.dll]
    [1276]mdm.exe-->advapi32.dll-->SetThreadToken, Type: Inline - RelativeJump 0x77DDF193-->20CB9036 [ISWSHEX.dll]
    [1276]mdm.exe-->kernel32.dll-->OpenProcess, Type: Inline - RelativeJump 0x7C8309E9-->20CB846C [ISWSHEX.dll]
    [1276]mdm.exe-->ntdll.dll-->NtAccessCheckByType, Type: Inline - RelativeJump 0x7C90CE8E-->20CB8791 [ISWSHEX.dll]
    [1276]mdm.exe-->ntdll.dll-->NtImpersonateClientOfPort, Type: Inline - RelativeJump 0x7C90D3FE-->20CB8D58 [ISWSHEX.dll]
    [1276]mdm.exe-->ntdll.dll-->NtSetInformationProcess, Type: Inline - RelativeJump 0x7C90DC9E-->20CB89AB [ISWSHEX.dll]
    [1276]mdm.exe-->user32.dll-->FindWindowA, Type: Inline - RelativeJump 0x7E4282E1-->20CB828F [ISWSHEX.dll]
    [1276]mdm.exe-->user32.dll-->FindWindowW, Type: Inline - RelativeJump 0x7E42C9C3-->20CB825A [ISWSHEX.dll]
    [1276]mdm.exe-->user32.dll-->kernel32.dll-->LoadLibraryExW, Type: IAT modification 0x7E411208-->20CB835C [ISWSHEX.dll]
    [1364]winlogon.exe-->advapi32.dll-->ImpersonateNamedPipeClient, Type: Inline - RelativeJump 0x77DD7426-->20CB8E5D [ISWSHEX.dll]
    [1364]winlogon.exe-->advapi32.dll-->SetThreadToken, Type: Inline - RelativeJump 0x77DDF193-->20CB9036 [ISWSHEX.dll]
    [1364]winlogon.exe-->kernel32.dll-->OpenProcess, Type: Inline - RelativeJump 0x7C8309E9-->20CB846C [ISWSHEX.dll]
    [1364]winlogon.exe-->ntdll.dll-->NtAccessCheckByType, Type: Inline - RelativeJump 0x7C90CE8E-->20CB8791 [ISWSHEX.dll]
    [1364]winlogon.exe-->ntdll.dll-->NtImpersonateClientOfPort, Type: Inline - RelativeJump 0x7C90D3FE-->20CB8D58 [ISWSHEX.dll]
    [1364]winlogon.exe-->ntdll.dll-->NtSetInformationProcess, Type: Inline - RelativeJump 0x7C90DC9E-->20CB89AB [ISWSHEX.dll]
    [1364]winlogon.exe-->user32.dll-->FindWindowA, Type: Inline - RelativeJump 0x7E4282E1-->20CB828F [ISWSHEX.dll]
    [1364]winlogon.exe-->user32.dll-->FindWindowW, Type: Inline - RelativeJump 0x7E42C9C3-->20CB825A [ISWSHEX.dll]
    [1364]winlogon.exe-->user32.dll-->kernel32.dll-->LoadLibraryExW, Type: IAT modification 0x7E411208-->20CB835C [ISWSHEX.dll]
    [1412]services.exe-->advapi32.dll-->ImpersonateNamedPipeClient, Type: Inline - RelativeJump 0x77DD7426-->20CB8E5D [ISWSHEX.dll]
    [1412]services.exe-->advapi32.dll-->SetThreadToken, Type: Inline - RelativeJump 0x77DDF193-->20CB9036 [ISWSHEX.dll]
    [1412]services.exe-->kernel32.dll-->OpenProcess, Type: Inline - RelativeJump 0x7C8309E9-->20CB846C [ISWSHEX.dll]
    [1412]services.exe-->ntdll.dll-->NtAccessCheckByType, Type: Inline - RelativeJump 0x7C90CE8E-->20CB8791 [ISWSHEX.dll]
    [1412]services.exe-->ntdll.dll-->NtImpersonateClientOfPort, Type: Inline - RelativeJump 0x7C90D3FE-->20CB8D58 [ISWSHEX.dll]
    [1412]services.exe-->ntdll.dll-->NtSetInformationProcess, Type: Inline - RelativeJump 0x7C90DC9E-->20CB89AB [ISWSHEX.dll]
    [1412]services.exe-->user32.dll-->FindWindowA, Type: Inline - RelativeJump 0x7E4282E1-->20CB828F [ISWSHEX.dll]
    [1412]services.exe-->user32.dll-->FindWindowW, Type: Inline - RelativeJump 0x7E42C9C3-->20CB825A [ISWSHEX.dll]
    [1412]services.exe-->user32.dll-->kernel32.dll-->LoadLibraryExW, Type: IAT modification 0x7E411208-->20CB835C [ISWSHEX.dll]
    [1424]lsass.exe-->advapi32.dll-->ImpersonateNamedPipeClient, Type: Inline - RelativeJump 0x77DD7426-->20CB8E5D [ISWSHEX.dll]
    [1424]lsass.exe-->advapi32.dll-->SetThreadToken, Type: Inline - RelativeJump 0x77DDF193-->20CB9036 [ISWSHEX.dll]
    [1424]lsass.exe-->ntdll.dll-->NtAccessCheckByType, Type: Inline - RelativeJump 0x7C90CE8E-->20CB8791 [ISWSHEX.dll]
    [1424]lsass.exe-->ntdll.dll-->NtImpersonateClientOfPort, Type: Inline - RelativeJump 0x7C90D3FE-->20CB8D58 [ISWSHEX.dll]
    [1424]lsass.exe-->ntdll.dll-->NtSetInformationProcess, Type: Inline - RelativeJump 0x7C90DC9E-->20CB89AB [ISWSHEX.dll]
    [1424]lsass.exe-->user32.dll-->FindWindowA, Type: Inline - RelativeJump 0x7E4282E1-->20CB828F [ISWSHEX.dll]
    [1424]lsass.exe-->user32.dll-->FindWindowW, Type: Inline - RelativeJump 0x7E42C9C3-->20CB825A [ISWSHEX.dll]
    [1424]lsass.exe-->user32.dll-->kernel32.dll-->LoadLibraryExW, Type: IAT modification 0x7E411208-->20CB835C [ISWSHEX.dll]
    [1592]svchost.exe-->advapi32.dll-->ImpersonateNamedPipeClient, Type: Inline - RelativeJump 0x77DD7426-->20CB8E5D [ISWSHEX.dll]
    [1592]svchost.exe-->advapi32.dll-->SetThreadToken, Type: Inline - RelativeJump 0x77DDF193-->20CB9036 [ISWSHEX.dll]
    [1592]svchost.exe-->kernel32.dll-->OpenProcess, Type: Inline - RelativeJump 0x7C8309E9-->20CB846C [ISWSHEX.dll]
    [1592]svchost.exe-->ntdll.dll-->NtAccessCheckByType, Type: Inline - RelativeJump 0x7C90CE8E-->20CB8791 [ISWSHEX.dll]
    [1592]svchost.exe-->ntdll.dll-->NtImpersonateClientOfPort, Type: Inline - RelativeJump 0x7C90D3FE-->20CB8D58 [ISWSHEX.dll]
    [1592]svchost.exe-->ntdll.dll-->NtSetInformationProcess, Type: Inline - RelativeJump 0x7C90DC9E-->20CB89AB [ISWSHEX.dll]
    [1592]svchost.exe-->user32.dll-->FindWindowA, Type: Inline - RelativeJump 0x7E4282E1-->20CB828F [ISWSHEX.dll]
    [1592]svchost.exe-->user32.dll-->FindWindowW, Type: Inline - RelativeJump 0x7E42C9C3-->20CB825A [ISWSHEX.dll]
    [1592]svchost.exe-->user32.dll-->kernel32.dll-->LoadLibraryExW, Type: IAT modification 0x7E411208-->20CB835C [ISWSHEX.dll]
    [1648]svchost.exe-->advapi32.dll-->ImpersonateNamedPipeClient, Type: Inline - RelativeJump 0x77DD7426-->20CB8E5D [ISWSHEX.dll]
    [1648]svchost.exe-->advapi32.dll-->SetThreadToken, Type: Inline - RelativeJump 0x77DDF193-->20CB9036 [ISWSHEX.dll]
    [1648]svchost.exe-->kernel32.dll-->OpenProcess, Type: Inline - RelativeJump 0x7C8309E9-->20CB846C [ISWSHEX.dll]
    [1648]svchost.exe-->ntdll.dll-->NtAccessCheckByType, Type: Inline - RelativeJump 0x7C90CE8E-->20CB8791 [ISWSHEX.dll]
    [1648]svchost.exe-->ntdll.dll-->NtImpersonateClientOfPort, Type: Inline - RelativeJump 0x7C90D3FE-->20CB8D58 [ISWSHEX.dll]
    [1648]svchost.exe-->ntdll.dll-->NtSetInformationProcess, Type: Inline - RelativeJump 0x7C90DC9E-->20CB89AB [ISWSHEX.dll]
    [1648]svchost.exe-->user32.dll-->FindWindowA, Type: Inline - RelativeJump 0x7E4282E1-->20CB828F [ISWSHEX.dll]
    [1648]svchost.exe-->user32.dll-->FindWindowW, Type: Inline - RelativeJump 0x7E42C9C3-->20CB825A [ISWSHEX.dll]
    [1648]svchost.exe-->user32.dll-->kernel32.dll-->LoadLibraryExW, Type: IAT modification 0x7E411208-->20CB835C [ISWSHEX.dll]
    [1744]searchindexer.exe-->advapi32.dll-->ImpersonateNamedPipeClient, Type: Inline - RelativeJump 0x77DD7426-->20CB8E5D [ISWSHEX.dll]
    [1744]searchindexer.exe-->advapi32.dll-->SetThreadToken, Type: Inline - RelativeJump 0x77DDF193-->20CB9036 [ISWSHEX.dll]
    [1744]searchindexer.exe-->kernel32.dll-->OpenProcess, Type: Inline - RelativeJump 0x7C8309E9-->20CB846C [ISWSHEX.dll]
    [1744]searchindexer.exe-->kernel32.dll-->WriteFile, Type: Inline - RelativeJump 0x7C810E27-->00585C0C [mssrch.dll]
    [1744]searchindexer.exe-->kernel32.dll-->WriteFile, Type: Inline - SEH 0x7C810E2C [unknown_code_page]
    [1744]searchindexer.exe-->kernel32.dll-->WriteFile, Type: Inline - SEH 0x7C810E2D [unknown_code_page]
    [1744]searchindexer.exe-->ntdll.dll-->NtAccessCheckByType, Type: Inline - RelativeJump 0x7C90CE8E-->20CB8791 [ISWSHEX.dll]
    [1744]searchindexer.exe-->ntdll.dll-->NtImpersonateClientOfPort, Type: Inline - RelativeJump 0x7C90D3FE-->20CB8D58 [ISWSHEX.dll]
    [1744]searchindexer.exe-->ntdll.dll-->NtSetInformationProcess, Type: Inline - RelativeJump 0x7C90DC9E-->20CB89AB [ISWSHEX.dll]
    [1744]searchindexer.exe-->user32.dll-->FindWindowA, Type: Inline - RelativeJump 0x7E4282E1-->20CB828F [ISWSHEX.dll]
    [1744]searchindexer.exe-->user32.dll-->FindWindowW, Type: Inline - RelativeJump 0x7E42C9C3-->20CB825A [ISWSHEX.dll]
    [1744]searchindexer.exe-->user32.dll-->kernel32.dll-->LoadLibraryExW, Type: IAT modification 0x7E411208-->20CB835C [ISWSHEX.dll]
    [1776]svchost.exe-->advapi32.dll-->ImpersonateNamedPipeClient, Type: Inline - RelativeJump 0x77DD7426-->20CB8E5D [ISWSHEX.dll]
    [1776]svchost.exe-->advapi32.dll-->SetThreadToken, Type: Inline - RelativeJump 0x77DDF193-->20CB9036 [ISWSHEX.dll]
    [1776]svchost.exe-->kernel32.dll-->OpenProcess, Type: Inline - RelativeJump 0x7C8309E9-->20CB846C [ISWSHEX.dll]
    [1776]svchost.exe-->ntdll.dll-->NtAccessCheckByType, Type: Inline - RelativeJump 0x7C90CE8E-->20CB8791 [ISWSHEX.dll]
    [1776]svchost.exe-->ntdll.dll-->NtImpersonateClientOfPort, Type: Inline - RelativeJump 0x7C90D3FE-->20CB8D58 [ISWSHEX.dll]
    [1776]svchost.exe-->ntdll.dll-->NtSetInformationProcess, Type: Inline - RelativeJump 0x7C90DC9E-->20CB89AB [ISWSHEX.dll]
    [1776]svchost.exe-->user32.dll-->FindWindowA, Type: Inline - RelativeJump 0x7E4282E1-->20CB828F [ISWSHEX.dll]
    [1776]svchost.exe-->user32.dll-->FindWindowW, Type: Inline - RelativeJump 0x7E42C9C3-->20CB825A [ISWSHEX.dll]
    [1776]svchost.exe-->user32.dll-->kernel32.dll-->LoadLibraryExW, Type: IAT modification 0x7E411208-->20CB835C [ISWSHEX.dll]
    [1816]svchost.exe-->advapi32.dll-->ImpersonateNamedPipeClient, Type: Inline - RelativeJump 0x77DD7426-->20CB8E5D [ISWSHEX.dll]
    [1816]svchost.exe-->advapi32.dll-->SetThreadToken, Type: Inline - RelativeJump 0x77DDF193-->20CB9036 [ISWSHEX.dll]
    [1816]svchost.exe-->kernel32.dll-->OpenProcess, Type: Inline - RelativeJump 0x7C8309E9-->20CB846C [ISWSHEX.dll]
    [1816]svchost.exe-->ntdll.dll-->NtAccessCheckByType, Type: Inline - RelativeJump 0x7C90CE8E-->20CB8791 [ISWSHEX.dll]
    [1816]svchost.exe-->ntdll.dll-->NtImpersonateClientOfPort, Type: Inline - RelativeJump 0x7C90D3FE-->20CB8D58 [ISWSHEX.dll]
    [1816]svchost.exe-->ntdll.dll-->NtSetInformationProcess, Type: Inline - RelativeJump 0x7C90DC9E-->20CB89AB [ISWSHEX.dll]
    [1816]svchost.exe-->user32.dll-->FindWindowA, Type: Inline - RelativeJump 0x7E4282E1-->20CB828F [ISWSHEX.dll]
    [1816]svchost.exe-->user32.dll-->FindWindowW, Type: Inline - RelativeJump 0x7E42C9C3-->20CB825A [ISWSHEX.dll]
    [1816]svchost.exe-->user32.dll-->kernel32.dll-->LoadLibraryExW, Type: IAT modification 0x7E411208-->20CB835C [ISWSHEX.dll]
    [1852]svchost.exe-->advapi32.dll-->ImpersonateNamedPipeClient, Type: Inline - RelativeJump 0x77DD7426-->20CB8E5D [ISWSHEX.dll]
    [1852]svchost.exe-->advapi32.dll-->SetThreadToken, Type: Inline - RelativeJump 0x77DDF193-->20CB9036 [ISWSHEX.dll]
    [1852]svchost.exe-->kernel32.dll-->OpenProcess, Type: Inline - RelativeJump 0x7C8309E9-->20CB846C [ISWSHEX.dll]
    [1852]svchost.exe-->ntdll.dll-->NtAccessCheckByType, Type: Inline - RelativeJump 0x7C90CE8E-->20CB8791 [ISWSHEX.dll]
    [1852]svchost.exe-->ntdll.dll-->NtImpersonateClientOfPort, Type: Inline - RelativeJump 0x7C90D3FE-->20CB8D58 [ISWSHEX.dll]
    [1852]svchost.exe-->ntdll.dll-->NtSetInformationProcess, Type: Inline - RelativeJump 0x7C90DC9E-->20CB89AB [ISWSHEX.dll]
    [1852]svchost.exe-->user32.dll-->FindWindowA, Type: Inline - RelativeJump 0x7E4282E1-->20CB828F [ISWSHEX.dll]
    [1852]svchost.exe-->user32.dll-->FindWindowW, Type: Inline - RelativeJump 0x7E42C9C3-->20CB825A [ISWSHEX.dll]
    [1852]svchost.exe-->user32.dll-->kernel32.dll-->LoadLibraryExW, Type: IAT modification 0x7E411208-->20CB835C [ISWSHEX.dll]
    [212]ctfmon.exe-->advapi32.dll-->ImpersonateNamedPipeClient, Type: Inline - RelativeJump 0x77DD7426-->20CB8E5D [ISWSHEX.dll]
    [212]ctfmon.exe-->advapi32.dll-->SetThreadToken, Type: Inline - RelativeJump 0x77DDF193-->20CB9036 [ISWSHEX.dll]
    [212]ctfmon.exe-->kernel32.dll-->OpenProcess, Type: Inline - RelativeJump 0x7C8309E9-->20CB846C [ISWSHEX.dll]
    [212]ctfmon.exe-->ntdll.dll-->NtAccessCheckByType, Type: Inline - RelativeJump 0x7C90CE8E-->20CB8791 [ISWSHEX.dll]
    [212]ctfmon.exe-->ntdll.dll-->NtImpersonateClientOfPort, Type: Inline - RelativeJump 0x7C90D3FE-->20CB8D58 [ISWSHEX.dll]
    [212]ctfmon.exe-->ntdll.dll-->NtSetInformationProcess, Type: Inline - RelativeJump 0x7C90DC9E-->20CB89AB [ISWSHEX.dll]
    [212]ctfmon.exe-->user32.dll-->FindWindowA, Type: Inline - RelativeJump 0x7E4282E1-->20CB828F [ISWSHEX.dll]
    [212]ctfmon.exe-->user32.dll-->FindWindowW, Type: Inline - RelativeJump 0x7E42C9C3-->20CB825A [ISWSHEX.dll]
    [212]ctfmon.exe-->user32.dll-->kernel32.dll-->LoadLibraryExW, Type: IAT modification 0x7E411208-->20CB835C [ISWSHEX.dll]
    [2184]taskmgr.exe-->advapi32.dll-->ImpersonateNamedPipeClient, Type: Inline - RelativeJump 0x77DD7426-->20CB8E5D [ISWSHEX.dll]
    [2184]taskmgr.exe-->advapi32.dll-->SetThreadToken, Type: Inline - RelativeJump 0x77DDF193-->20CB9036 [ISWSHEX.dll]
    [2184]taskmgr.exe-->kernel32.dll-->OpenProcess, Type: Inline - RelativeJump 0x7C8309E9-->20CB846C [ISWSHEX.dll]
    [2184]taskmgr.exe-->ntdll.dll-->NtAccessCheckByType, Type: Inline - RelativeJump 0x7C90CE8E-->20CB8791 [ISWSHEX.dll]
    [2184]taskmgr.exe-->ntdll.dll-->NtImpersonateClientOfPort, Type: Inline - RelativeJump 0x7C90D3FE-->20CB8D58 [ISWSHEX.dll]
    [2184]taskmgr.exe-->ntdll.dll-->NtSetInformationProcess, Type: Inline - RelativeJump 0x7C90DC9E-->20CB89AB [ISWSHEX.dll]
    [2184]taskmgr.exe-->user32.dll-->FindWindowA, Type: Inline - RelativeJump 0x7E4282E1-->20CB828F [ISWSHEX.dll]
    [2184]taskmgr.exe-->user32.dll-->FindWindowW, Type: Inline - RelativeJump 0x7E42C9C3-->20CB825A [ISWSHEX.dll]
    [2184]taskmgr.exe-->user32.dll-->kernel32.dll-->LoadLibraryExW, Type: IAT modification 0x7E411208-->20CB835C [ISWSHEX.dll]
    [220]svchost.exe-->advapi32.dll-->ImpersonateNamedPipeClient, Type: Inline - RelativeJump 0x77DD7426-->20CB8E5D [ISWSHEX.dll]
    [220]svchost.exe-->advapi32.dll-->SetThreadToken, Type: Inline - RelativeJump 0x77DDF193-->20CB9036 [ISWSHEX.dll]
    [220]svchost.exe-->kernel32.dll-->OpenProcess, Type: Inline - RelativeJump 0x7C8309E9-->20CB846C [ISWSHEX.dll]
    [220]svchost.exe-->ntdll.dll-->NtAccessCheckByType, Type: Inline - RelativeJump 0x7C90CE8E-->20CB8791 [ISWSHEX.dll]
    [220]svchost.exe-->ntdll.dll-->NtImpersonateClientOfPort, Type: Inline - RelativeJump 0x7C90D3FE-->20CB8D58 [ISWSHEX.dll]
    [220]svchost.exe-->ntdll.dll-->NtSetInformationProcess, Type: Inline - RelativeJump 0x7C90DC9E-->20CB89AB [ISWSHEX.dll]
    [220]svchost.exe-->user32.dll-->FindWindowA, Type: Inline - RelativeJump 0x7E4282E1-->20CB828F [ISWSHEX.dll]
    [220]svchost.exe-->user32.dll-->FindWindowW, Type: Inline - RelativeJump 0x7E42C9C3-->20CB825A [ISWSHEX.dll]
    [220]svchost.exe-->user32.dll-->kernel32.dll-->LoadLibraryExW, Type: IAT modification 0x7E411208-->20CB835C [ISWSHEX.dll]
    [308]svchost.exe-->advapi32.dll-->ImpersonateNamedPipeClient, Type: Inline - RelativeJump 0x77DD7426-->20CB8E5D [ISWSHEX.dll]
    [308]svchost.exe-->advapi32.dll-->SetThreadToken, Type: Inline - RelativeJump 0x77DDF193-->20CB9036 [ISWSHEX.dll]
    [308]svchost.exe-->kernel32.dll-->OpenProcess, Type: Inline - RelativeJump 0x7C8309E9-->20CB846C [ISWSHEX.dll]
    [308]svchost.exe-->ntdll.dll-->NtAccessCheckByType, Type: Inline - RelativeJump 0x7C90CE8E-->20CB8791 [ISWSHEX.dll]
    [308]svchost.exe-->ntdll.dll-->NtImpersonateClientOfPort, Type: Inline - RelativeJump 0x7C90D3FE-->20CB8D58 [ISWSHEX.dll]
    [308]svchost.exe-->ntdll.dll-->NtSetInformationProcess, Type: Inline - RelativeJump 0x7C90DC9E-->20CB89AB [ISWSHEX.dll]
    [308]svchost.exe-->user32.dll-->FindWindowA, Type: Inline - RelativeJump 0x7E4282E1-->20CB828F [ISWSHEX.dll]
    [308]svchost.exe-->user32.dll-->FindWindowW, Type: Inline - RelativeJump 0x7E42C9C3-->20CB825A [ISWSHEX.dll]
    [308]svchost.exe-->user32.dll-->kernel32.dll-->LoadLibraryExW, Type: IAT modification 0x7E411208-->20CB835C [ISWSHEX.dll]
    [3092]WG111v3.exe-->advapi32.dll-->ImpersonateNamedPipeClient, Type: Inline - RelativeJump 0x77DD7426-->20CB8E5D [ISWSHEX.dll]
    [3092]WG111v3.exe-->advapi32.dll-->SetThreadToken, Type: Inline - RelativeJump 0x77DDF193-->20CB9036 [ISWSHEX.dll]
    [3092]WG111v3.exe-->kernel32.dll-->OpenProcess, Type: Inline - RelativeJump 0x7C8309E9-->20CB846C [ISWSHEX.dll]
    [3092]WG111v3.exe-->ntdll.dll-->NtAccessCheckByType, Type: Inline - RelativeJump 0x7C90CE8E-->20CB8791 [ISWSHEX.dll]
    [3092]WG111v3.exe-->ntdll.dll-->NtImpersonateClientOfPort, Type: Inline - RelativeJump 0x7C90D3FE-->20CB8D58 [ISWSHEX.dll]
    [3092]WG111v3.exe-->ntdll.dll-->NtSetInformationProcess, Type: Inline - RelativeJump 0x7C90DC9E-->20CB89AB [ISWSHEX.dll]
    [3092]WG111v3.exe-->user32.dll-->FindWindowA, Type: Inline - RelativeJump 0x7E4282E1-->20CB828F [ISWSHEX.dll]
    [3092]WG111v3.exe-->user32.dll-->FindWindowW, Type: Inline - RelativeJump 0x7E42C9C3-->20CB825A [ISWSHEX.dll]
    [3092]WG111v3.exe-->user32.dll-->kernel32.dll-->LoadLibraryExW, Type: IAT modification 0x7E411208-->20CB835C [ISWSHEX.dll]
    [648]explorer.exe-->advapi32.dll-->ImpersonateNamedPipeClient, Type: Inline - RelativeJump 0x77DD7426-->20CB8E5D [ISWSHEX.dll]
    [648]explorer.exe-->advapi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77DD1218-->5CB77774 [shimeng.dll]
    [648]explorer.exe-->advapi32.dll-->SetThreadToken, Type: Inline - RelativeJump 0x77DDF193-->20CB9036 [ISWSHEX.dll]
    [648]explorer.exe-->crypt32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77A81188-->5CB77774 [shimeng.dll]
    [648]explorer.exe-->gdi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77F110B4-->5CB77774 [shimeng.dll]
    [648]explorer.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x01001268-->5CB77774 [shimeng.dll]
    [648]explorer.exe-->kernel32.dll-->OpenProcess, Type: Inline - RelativeJump 0x7C8309E9-->20CB846C [ISWSHEX.dll]
    [648]explorer.exe-->ntdll.dll-->NtAccessCheckByType, Type: Inline - RelativeJump 0x7C90CE8E-->20CB8791 [ISWSHEX.dll]
    [648]explorer.exe-->ntdll.dll-->NtImpersonateClientOfPort, Type: Inline - RelativeJump 0x7C90D3FE-->20CB8D58 [ISWSHEX.dll]
    [648]explorer.exe-->ntdll.dll-->NtSetInformationProcess, Type: Inline - RelativeJump 0x7C90DC9E-->20CB89AB [ISWSHEX.dll]
    [648]explorer.exe-->shell32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7C9C15A4-->5CB77774 [shimeng.dll]
    [648]explorer.exe-->user32.dll-->FindWindowA, Type: Inline - RelativeJump 0x7E4282E1-->20CB828F [ISWSHEX.dll]
    [648]explorer.exe-->user32.dll-->FindWindowW, Type: Inline - RelativeJump 0x7E42C9C3-->20CB825A [ISWSHEX.dll]
    [648]explorer.exe-->user32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7E41133C-->5CB77774 [shimeng.dll]
    [648]explorer.exe-->user32.dll-->kernel32.dll-->LoadLibraryExW, Type: IAT modification 0x7E411208-->20CB835C [ISWSHEX.dll]
    [648]explorer.exe-->wininet.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x3D9314B0-->5CB77774 [shimeng.dll]
    [648]explorer.exe-->ws2_32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x71AB109C-->5CB77774 [shimeng.dll]
    [768]jqs.exe-->advapi32.dll-->ImpersonateNamedPipeClient, Type: Inline - RelativeJump 0x77DD7426-->20CB8E5D [ISWSHEX.dll]
    [768]jqs.exe-->advapi32.dll-->SetThreadToken, Type: Inline - RelativeJump 0x77DDF193-->20CB9036 [ISWSHEX.dll]
    [768]jqs.exe-->kernel32.dll-->OpenProcess, Type: Inline - RelativeJump 0x7C8309E9-->20CB846C [ISWSHEX.dll]
    [768]jqs.exe-->ntdll.dll-->NtAccessCheckByType, Type: Inline - RelativeJump 0x7C90CE8E-->20CB8791 [ISWSHEX.dll]
    [768]jqs.exe-->ntdll.dll-->NtImpersonateClientOfPort, Type: Inline - RelativeJump 0x7C90D3FE-->20CB8D58 [ISWSHEX.dll]
    [768]jqs.exe-->ntdll.dll-->NtSetInformationProcess, Type: Inline - RelativeJump 0x7C90DC9E-->20CB89AB [ISWSHEX.dll]
    [768]jqs.exe-->user32.dll-->FindWindowA, Type: Inline - RelativeJump 0x7E4282E1-->20CB828F [ISWSHEX.dll]
    [768]jqs.exe-->user32.dll-->FindWindowW, Type: Inline - RelativeJump 0x7E42C9C3-->20CB825A [ISWSHEX.dll]
    [768]jqs.exe-->user32.dll-->kernel32.dll-->LoadLibraryExW, Type: IAT modification 0x7E411208-->20CB835C [ISWSHEX.dll]
    [972]ISWSVC.exe-->advapi32.dll-->kernel32.dll-->CreateThread, Type: IAT modification 0x77DD10CC-->10009EF0 [vsinit.dll]
    [972]ISWSVC.exe-->crypt32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77A81188-->100020F0 [vsinit.dll]
    [972]ISWSVC.exe-->kernel32.dll+0x00002804, Type: Code Mismatch 0x7C802804 + 10244 [F8 41 08]
    [972]ISWSVC.exe-->kernel32.dll+0x00002C2C, Type: Code Mismatch 0x7C802C2C + 11308 [EE 41 08]
    [972]ISWSVC.exe-->kernel32.dll+0x00002C38, Type: Code Mismatch 0x7C802C38 + 11320 [F3 41 08]
    [972]ISWSVC.exe-->kernel32.dll+0x00003330, Type: Inline - RelativeJump 0x7C803330-->18803B76 [unknown_code_page]
    [972]ISWSVC.exe-->kernel32.dll-->OpenProcess, Type: Inline - RelativeJump 0x7C8309E9-->20CB846C [ISWSHEX.dll]
    [972]ISWSVC.exe-->mswsock.dll-->kernel32.dll-->CreateThread, Type: IAT modification 0x71A51160-->7C8841F8 [kernel32.dll]
    [972]ISWSVC.exe-->mswsock.dll-->kernel32.dll-->SetUnhandledExceptionFilter, Type: IAT modification 0x71A510BC-->7C8841E9 [kernel32.dll]
    [972]ISWSVC.exe-->user32.dll+0x000142A8, Type: Inline - RelativeJump 0x7E4242A8-->20CB9270 [ISWSHEX.dll]
    [972]ISWSVC.exe-->wininet.dll-->kernel32.dll-->CreateThread, Type: IAT modification 0x3D931370-->7C8841F8 [kernel32.dll]
    [972]ISWSVC.exe-->wininet.dll-->kernel32.dll-->GetModuleHandleA, Type: IAT modification 0x3D9313DC-->7C8841EE [kernel32.dll]
    [972]ISWSVC.exe-->wininet.dll-->kernel32.dll-->GetModuleHandleW, Type: IAT modification 0x3D9313E4-->7C8841F3 [kernel32.dll]
    [972]ISWSVC.exe-->wininet.dll-->kernel32.dll-->SetUnhandledExceptionFilter, Type: IAT modification 0x3D931444-->7C8841E9 [kernel32.dll]
    [972]ISWSVC.exe-->ws2_32.dll-->kernel32.dll-->CreateThread, Type: IAT modification 0x71AB10AC-->7C8841F8 [kernel32.dll]
    [972]ISWSVC.exe-->ws2_32.dll-->kernel32.dll-->SetUnhandledExceptionFilter, Type: IAT modification 0x71AB10DC-->7C8841E9 [kernel32.dll]

  6. #16
    Emeritus- Malware Team
    Join Date
    Aug 2011
    Posts
    148

    Hi musicalpulltoy,

    OK, let's try a different tack.

    Again, please remember to read the instructions below carefully before executing and perform the steps, in the order given.
    If you have any questions about or problems executing these instructions, <STOP> do not proceed, post back with the question or problem before going any further.

    Before proceeding please make sure any open programs are closed.

    Step 1:
    MBRCheck - Scan

    Let's see if we can get some more information on this MBR infection.

    1. Please download MBRCheck.exe © a_d_13 to your Desktop.
      Alternate links: Link 2 or Link 3
    2. Double-click on MBRCheck.exe to launch the program.
    3. A small black window will open with some information. Please do not fix anything (if it gives you an option).
    4. If an unknown boot code is detected additional options will be presented. At this time press N then press Enter twice to continue.
    5. When the scan has completed you should see the message Done! Press ENTER to exit... Press Enter to exit the program.
      A file named MBRCheck_mm.dd.yy_hh.mm.ss.txt will appear on your Desktop.
    6. Please Copy and Paste the entire contents of the MBRCheck_mm.dd.yy_hh.mm.ss.txt file into your next reply.

    Step 2:
    GMER

    Please Note: The downloaded file will have a random filename. This prevents malware from detecting and blocking it.

    Please download GMER ... random named.exe by GMER. An alternative (zip file) download is available here.
    IMPORTANT: Do not run any programs while GMER is running.
    CAUTION: Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.

    1. Double-click on the random named.exe to execute. If asked, allow the gmer.sys driver to load.
    2. If it gives you a warning about rootkit activity and asks if you want to run a scan click on NO. <--- Important!
    3. On the right side panel, several boxes have been checked. Please UNCHECK the following: (See image below.)
      • IAT/EAT
      • Drives/Partition other than Systemdrive (typically C: drive)
      • Show All <-- don't miss this one

      [Image of the GMER options panel showing the boxes to uncheck; not reproduced here]

    4. If you don't get a warning, then click on the Rootkit/Malware tab at the top of the GMER window.
    5. Click on the Scan button.
    6. Once the scan has finished, click on Save. The Save window will open.
    7. Save the scan results as ark.txt to your Desktop.
    8. Double-click on the ark.txt file on the Desktop to open it in Notepad.
    9. Copy and Paste the entire contents of ark.txt into your next reply.

    Step 3:
    Include in Next Post

    1. Did you have any problems carrying out the instructions?
    2. MBRCheck_mm.dd.yy_hh.mm.ss.txt.
    3. ark.txt.


    Scolabar
    --------------------------------------------------------------------------
    No Reply Within 3 Days Will Result In Your Topic Being Closed
    Malware Removal University - You too could train to help others

  7. #17
    Senior Member musicalpulltoy's Avatar
    Join Date
    Mar 2009
    Posts
    104

    Howdy,
    no problems.
    Maybe this helps: "C:\WINDOWS\system32\01BA7819.exe" is what Scotty said wanted to be a startup program more than once.
    It's in the vault now.

    MBRCheck, version 1.2.3
    (c) 2010, AD

    Command-line:
    Windows Version: Windows XP Home Edition
    Windows Information: Service Pack 3 (build 2600)
    Logical Drives Mask: 0x00000034

    Kernel Drivers (total 138):
    0x804D7000 \WINDOWS\system32\ntoskrnl.exe
    0x806EF000 \WINDOWS\system32\hal.dll
    0xF7987000 \WINDOWS\system32\KDCOM.DLL
    0xF7897000 \WINDOWS\system32\BOOTVID.dll
    0xF75A8000 ACPI.sys
    0xF7989000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
    0xF7597000 pci.sys
    0xF75F7000 isapnp.sys
    0xF7A4F000 pciide.sys
    0xF7707000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
    0xF798B000 intelide.sys
    0xF74D9000 pcmcia.sys
    0xF7607000 MountMgr.sys
    0xF74BA000 ftdisk.sys
    0xF770F000 PartMgr.sys
    0xF7617000 VolSnap.sys
    0xF74A2000 atapi.sys
    0xF7627000 disk.sys
    0xF7637000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
    0xF7482000 fltmgr.sys
    0xF7470000 sr.sys
    0xF7647000 PxHelp20.sys
    0xF7459000 KSecDD.sys
    0xF7446000 WudfPf.sys
    0xF7B52000 Ntfs.sys
    0xF7419000 NDIS.sys
    0xF787D000 Mup.sys
    0xF7717000 avgrkx86.sys
    0xF789B000 AVGIDSEH.Sys
    0xBA7FC000 \SystemRoot\system32\DRIVERS\tunmp.sys
    0xBA73A000 \SystemRoot\system32\DRIVERS\intelppm.sys
    0xB9F0F000 \SystemRoot\system32\DRIVERS\ialmnt5.sys
    0xB9EFB000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
    0xBA087000 \SystemRoot\system32\DRIVERS\usbuhci.sys
    0xB9ED7000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
    0xBA07F000 \SystemRoot\system32\DRIVERS\usbehci.sys
    0xB9EC6000 \SystemRoot\system32\DRIVERS\s3legacy.sys
    0xB9EA0000 \SystemRoot\system32\DRIVERS\e100b325.sys
    0xBA077000 \SystemRoot\system32\DRIVERS\fdc.sys
    0xBA72A000 \SystemRoot\system32\DRIVERS\i8042prt.sys
    0xBA06F000 \SystemRoot\system32\DRIVERS\kbdclass.sys
    0xBA71A000 \SystemRoot\system32\DRIVERS\serial.sys
    0xBA7F4000 \SystemRoot\system32\DRIVERS\serenum.sys
    0xB9E8C000 \SystemRoot\system32\DRIVERS\parport.sys
    0xBA70A000 \SystemRoot\system32\DRIVERS\imapi.sys
    0xBA6FA000 \SystemRoot\system32\DRIVERS\cdrom.sys
    0xBA067000 \SystemRoot\System32\Drivers\GEARAspiWDM.sys
    0xBA05F000 \SystemRoot\system32\drivers\InCDPass.sys
    0xBA6EA000 \SystemRoot\system32\drivers\InCDRm.sys
    0xB9E4C000 \SystemRoot\system32\drivers\smwdm.sys
    0xB9E28000 \SystemRoot\system32\drivers\portcls.sys
    0xBA6DA000 \SystemRoot\system32\drivers\drmk.sys
    0xB9E05000 \SystemRoot\system32\drivers\ks.sys
    0xB9D52000 \SystemRoot\system32\drivers\senfilt.sys
    0xF7A98000 \SystemRoot\system32\DRIVERS\audstub.sys
    0xF7667000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
    0xBA7EC000 \SystemRoot\system32\DRIVERS\ndistapi.sys
    0xB9D3B000 \SystemRoot\system32\DRIVERS\ndiswan.sys
    0xF7677000 \SystemRoot\system32\DRIVERS\raspppoe.sys
    0xF7687000 \SystemRoot\system32\DRIVERS\raspptp.sys
    0xBA057000 \SystemRoot\system32\DRIVERS\TDI.SYS
    0xB9D2A000 \SystemRoot\system32\DRIVERS\psched.sys
    0xF7697000 \SystemRoot\system32\DRIVERS\msgpc.sys
    0xF7737000 \SystemRoot\system32\DRIVERS\ptilink.sys
    0xF773F000 \SystemRoot\system32\DRIVERS\raspti.sys
    0xF76A7000 \SystemRoot\system32\DRIVERS\termdd.sys
    0xF7747000 \SystemRoot\system32\DRIVERS\mouclass.sys
    0xF79AF000 \SystemRoot\system32\DRIVERS\swenum.sys
    0xB9C2C000 \SystemRoot\system32\DRIVERS\update.sys
    0xBA7DC000 \SystemRoot\system32\DRIVERS\mssmbios.sys
    0xF76B7000 \SystemRoot\System32\Drivers\NDProxy.SYS
    0xF76C7000 \SystemRoot\system32\DRIVERS\usbhub.sys
    0xF79B5000 \SystemRoot\system32\DRIVERS\USBD.SYS
    0xBA7B4000 \SystemRoot\System32\Drivers\i2omgmt.SYS
    0xBA574000 \SystemRoot\system32\DRIVERS\hidusb.sys
    0xF76F7000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
    0xF775F000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
    0xB1AE6000 \SystemRoot\system32\DRIVERS\wg111v3.sys
    0xF7587000 \SystemRoot\system32\DRIVERS\avgmfx86.sys
    0xF79B7000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
    0xBA260000 \SystemRoot\System32\Drivers\Null.SYS
    0xF79B9000 \SystemRoot\System32\Drivers\Beep.SYS
    0xF776F000 \SystemRoot\System32\drivers\vga.sys
    0xF79BB000 \SystemRoot\System32\Drivers\mnmdd.SYS
    0xF79BD000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
    0xBA56C000 \SystemRoot\System32\Drivers\InCDrec.SYS
    0xB1AAA000 \SystemRoot\system32\drivers\InCDFs.sys
    0xF7777000 \SystemRoot\System32\Drivers\Msfs.SYS
    0xF777F000 \SystemRoot\System32\Drivers\Npfs.SYS
    0xBA568000 \SystemRoot\system32\DRIVERS\rasacd.sys
    0xB1A97000 \SystemRoot\system32\DRIVERS\ipsec.sys
    0xB1A3E000 \SystemRoot\system32\DRIVERS\tcpip.sys
    0xB1A06000 \SystemRoot\system32\DRIVERS\tcpip6.sys
    0xB19BF000 \SystemRoot\system32\DRIVERS\avgtdix.sys
    0xB1999000 \SystemRoot\system32\DRIVERS\ipnat.sys
    0xF7577000 \SystemRoot\system32\drivers\ip6fw.sys
    0xF7567000 \SystemRoot\system32\DRIVERS\wanarp.sys
    0xB190B000 \SystemRoot\system32\DRIVERS\netbt.sys
    0xB188C000 \SystemRoot\System32\vsdatant.sys
    0xF7927000 \SystemRoot\system32\DRIVERS\mouhid.sys
    0xB174C000 \SystemRoot\System32\drivers\afd.sys
    0xF7527000 \SystemRoot\system32\DRIVERS\netbios.sys
    0xB172A000 \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
    0xF7787000 \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
    0xB16FF000 \SystemRoot\system32\DRIVERS\rdbss.sys
    0xB168F000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
    0xF7507000 \SystemRoot\System32\Drivers\Fips.SYS
    0xB12C4000 \SystemRoot\system32\DRIVERS\avgldx86.sys
    0xB9C9A000 \SystemRoot\System32\Drivers\Cdfs.SYS
    0xB1073000 \SystemRoot\System32\Drivers\dump_atapi.sys
    0xF7997000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
    0xBF800000 \SystemRoot\System32\win32k.sys
    0xB9C1C000 \SystemRoot\System32\drivers\Dxapi.sys
    0xF77EF000 \SystemRoot\System32\watchdog.sys
    0xBF000000 \SystemRoot\System32\drivers\dxg.sys
    0xB12B2000 \SystemRoot\System32\drivers\dxgthk.sys
    0xBFF40000 \SystemRoot\System32\s3legacy.dll
    0xBF020000 \SystemRoot\System32\ialmdnt5.dll
    0xBF012000 \SystemRoot\System32\ialmrnt5.dll
    0xBF042000 \SystemRoot\System32\ialmdev5.DLL
    0xBF077000 \SystemRoot\System32\ialmdd5.DLL
    0xBF159000 \SystemRoot\System32\ATMFD.DLL
    0xF781F000 \SystemRoot\system32\DRIVERS\AegisP.sys
    0xB0A85000 \SystemRoot\system32\DRIVERS\nwlnkipx.sys
    0xB9CEA000 \SystemRoot\system32\DRIVERS\nwlnknb.sys
    0xB0BAF000 \SystemRoot\system32\DRIVERS\ndisuio.sys
    0xF774F000 \??\C:\Program Files\CheckPoint\ZAForceField\ISWKL.sys
    0xB0818000 \SystemRoot\system32\drivers\wdmaud.sys
    0xB17C7000 \SystemRoot\system32\drivers\sysaudio.sys
    0xF79F7000 \SystemRoot\System32\Drivers\ASCTRM.SYS
    0xB091D000 \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys
    0xF7557000 \SystemRoot\System32\Drivers\DgiVecp.sys
    0xB092D000 \SystemRoot\system32\DRIVERS\mdmxsdk.sys
    0xB07AA000 \SystemRoot\system32\DRIVERS\nwlnkspx.sys
    0xF772F000 \SystemRoot\system32\DRIVERS\AVGIDSFilter.Sys
    0xB0412000 \SystemRoot\system32\DRIVERS\AVGIDSDriver.Sys
    0xB0089000 \SystemRoot\System32\Drivers\HTTP.sys
    0x7C900000 \WINDOWS\system32\ntdll.dll

    Processes (total 37):
    0 System Idle Process
    4 System
    1044 C:\WINDOWS\system32\smss.exe
    1108 C:\PROGRA~1\AVG\AVG2012\avgrsx.exe
    1140 C:\Program Files\AVG\AVG2012\avgcsrvx.exe
    1340 csrss.exe
    1364 C:\WINDOWS\system32\winlogon.exe
    1412 C:\WINDOWS\system32\services.exe
    1424 C:\WINDOWS\system32\lsass.exe
    1592 C:\WINDOWS\system32\svchost.exe
    1648 svchost.exe
    1816 C:\WINDOWS\system32\svchost.exe
    1852 C:\WINDOWS\system32\svchost.exe
    220 svchost.exe
    308 svchost.exe
    972 C:\Program Files\CheckPoint\ZAForceField\ISWSVC.exe
    648 C:\WINDOWS\explorer.exe
    684 C:\Program Files\AVG\AVG2012\avgwdsvc.exe
    768 C:\Program Files\Java\jre7\bin\jqs.exe
    1276 C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    132 C:\Program Files\AVG\AVG2012\avgnsx.exe
    1744 C:\WINDOWS\system32\searchindexer.exe
    152 C:\Program Files\AVG\AVG2012\avgtray.exe
    212 C:\WINDOWS\system32\ctfmon.exe
    820 C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe
    2184 C:\WINDOWS\system32\taskmgr.exe
    3092 C:\Program Files\NETGEAR\WG111v3\WG111v3.exe
    3772 C:\Program Files\Mozilla Firefox\firefox.exe
    3308 C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe
    3012 C:\Program Files\CheckPoint\ZoneAlarm\zatray.exe
    1788 C:\Program Files\CheckPoint\ZoneAlarm\vsmon.exe
    2828 C:\Program Files\CheckPoint\ZAForceField\ForceField.exe
    628 C:\Program Files\Internet Explorer\iexplore.exe
    3336 C:\Program Files\Internet Explorer\iexplore.exe
    2464 C:\Program Files\Windows NT\Accessories\wordpad.exe
    1332 C:\WINDOWS\system32\charmap.exe
    3936 C:\Documents and Settings\DAD\Desktop\MBRCheck.exe

    \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`01f60800 (NTFS)
    \\.\E: --> \\.\PhysicalDrive1 at offset 0x00000000`00007e00 (NTFS)

    PhysicalDrive0 Model Number: ST340014A, Rev: 8.16
    PhysicalDrive1 Model Number: ST3250824A, Rev: 3.AAE

    Size Device Name MBR Status
    --------------------------------------------
    37 GB \\.\PhysicalDrive0 Dell MBR code detected
    SHA1: 57BDF501CE769EF2720C705B6C71C893DA31574E
    232 GB \\.\PhysicalDrive1 Windows XP MBR code detected
    SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


    Done!

    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit scan 2012-03-18 03:56:43
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4 ST340014A rev.8.16
    Running: tttbrg75.exe; Driver: C:\DOCUME~1\DAD\LOCALS~1\Temp\kxlyapog.sys


    ---- System - GMER 1.0.15 ----

    SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwConnectPort [0xB18AD2F4]
    SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateFile [0xB18A75CA]
    SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateKey [0xB18C658A]
    SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreatePort [0xB18ADA80]
    SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateWaitablePort [0xB18ADBB6]
    SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwDeleteFile [0xB18A81E0]
    SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwDeleteKey [0xB18C7E3C]
    SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwDeleteValueKey [0xB18C77B2]
    SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwLoadKey [0xB18C8794]
    SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwLoadKey2 [0xB18C899C]
    SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwOpenFile [0xB18A7DF2]
    SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwOpenProcess [0xB091DF3C]
    SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwRenameKey [0xB18C972A]
    SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwReplaceKey [0xB18C9060]
    SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwRequestWaitReplyPort [0xB18ACEC4]
    SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwRestoreKey [0xB18CA0FC]
    SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwSetInformationFile [0xB18A85A4]
    SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwSetSecurityObject [0xB18C9C6A]
    SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwSetValueKey [0xB18C6F72]
    SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateProcess [0xB091DFE4]
    SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateThread [0xB091E080]
    SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwWriteVirtualMemory [0xB091E11C]

    ---- Kernel code sections - GMER 1.0.15 ----

    init C:\WINDOWS\system32\drivers\senfilt.sys entry point in "init" section [0xB9DD6F80]

    ---- User code sections - GMER 1.0.15 ----

    .text C:\WINDOWS\system32\ctfmon.exe[212] ntdll.dll!NtAccessCheckByType 7C90CE8E 5 Bytes JMP 20CB8791 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm Browser Security/Check Point Software Technologies)
    .text C:\WINDOWS\system32\ctfmon.exe[212] ntdll.dll!NtImpersonateClientOfPort 7C90D3FE 5 Bytes JMP 20CB8D58 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm Browser Security/Check Point Software Technologies)
    .text C:\WINDOWS\system32\ctfmon.exe[212] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 20CB89AB C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm Browser Security/Check Point Software Technologies)
    .text C:\WINDOWS\system32\ctfmon.exe[212] kernel32.dll!OpenProcess 7C8309E9 5 Bytes JMP 20CB846C C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm Browser Security/Check Point Software Technologies)
    .text C:\WINDOWS\system32\ctfmon.exe[212] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7426 5 Bytes JMP 20CB8E5D C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm Browser Security/Check Point Software Technologies)
    .text C:\WINDOWS\system32\ctfmon.exe[212] ADVAPI32.dll!SetThreadToken 77DDF193 5 Bytes JMP 20CB9036 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm Browser Security/Check Point Software Technologies)
    .text C:\WINDOWS\system32\ctfmon.exe[212] USER32.dll!FindWindowA 7E4282E1 5 Bytes JMP 20CB828F C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm Browser Security/Check Point Software Technologies)
    .text C:\WINDOWS\system32\ctfmon.exe[212] USER32.dll!FindWindowW 7E42C9C3 5 Bytes JMP 20CB825A C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm Browser Security/Check Point Software Technologies)
    .text C:\WINDOWS\system32\svchost.exe[220] ntdll.dll!NtAccessCheckByType 7C90CE8E 5 Bytes JMP 20CB8791 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm Browser Security/Check Point Software Technologies)
    .text C:\WINDOWS\system32\svchost.exe[220] ntdll.dll!NtImpersonateClientOfPort 7C90D3FE 5 Bytes JMP 20CB8D58 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm Browser Security/Check Point Software Technologies)
    .text C:\WINDOWS\system32\svchost.exe[220] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 20CB89AB C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm Browser Security/Check Point Software Technologies)
    .text C:\WINDOWS\system32\svchost.exe[220] kernel32.dll!OpenProcess 7C8309E9 5 Bytes JMP 20CB846C C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm Browser Security/Check Point Software Technologies)
    .text C:\WINDOWS\system32\svchost.exe[220] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7426 5 Bytes JMP 20CB8E5D C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm Browser Security/Check Point Software Technologies)
    .text C:\WINDOWS\system32\svchost.exe[220] ADVAPI32.dll!SetThreadToken 77DDF193 5 Bytes JMP 20CB9036 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm Browser Security/Check Point Software Technologies)
    .text C:\WINDOWS\system32\svchost.exe[220] USER32.dll!FindWindowA 7E4282E1 5 Bytes JMP 20CB828F C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm Browser Security/Check Point Software Technologies)
    .text C:\WINDOWS\system32\svchost.exe[220] USER32.dll!FindWindowW 7E42C9C3 5 Bytes JMP 20CB825A C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm Browser Security/Check Point Software Technologies)
    .text C:\WINDOWS\system32\svchost.exe[308] ntdll.dll!NtAccessCheckByType 7C90CE8E 5 Bytes JMP 20CB8791 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm Browser Security/Check Point Software Technologies)
    .text C:\WINDOWS\system32\svchost.exe[308] ntdll.dll!NtImpersonateClientOfPort 7C90D3FE 5 Bytes JMP 20CB8D58 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm Browser Security/Check Point Software Technologies)
    .text C:\WINDOWS\system32\svchost.exe[308] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 20CB89AB C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm Browser Security/Check Point Software Technologies)
    .text C:\WINDOWS\system32\svchost.exe[308] kernel32.dll!OpenProcess 7C8309E9 5 Bytes JMP 20CB846C C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm Browser Security/Check Point Software Technologies)
    .text C:\WINDOWS\system32\svchost.exe[308] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7426 5 Bytes JMP 20CB8E5D C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm Browser Security/Check Point Software Technologies)
    .text C:\WINDOWS\system32\svchost.exe[308] ADVAPI32.dll!SetThreadToken 77DDF193 5 Bytes JMP 20CB9036 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm Browser Security/Check Point Software Technologies)
    .text C:\WINDOWS\system32\svchost.exe[308] USER32.dll!FindWindowA 7E4282E1 5 Bytes JMP 20CB828F C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm Browser Security/Check Point Software Technologies)
    .text C:\WINDOWS\system32\svchost.exe[308] USER32.dll!FindWindowW 7E42C9C3 5 Bytes JMP 20CB825A C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm Browser Security/Check Point Software Technologies)
    .text C:\WINDOWS\Explorer.EXE[648] ntdll.dll!NtAccessCheckByType 7C90CE8E 5 Bytes JMP 20CB8791 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm Browser Security/Check Point Software Technologies)
    .text C:\WINDOWS\Explorer.EXE[648] ntdll.dll!NtImpersonateClientOfPort 7C90D3FE 5 Bytes JMP 20CB8D58 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm Browser Security/Check Point Software Technologies)
    .text C:\WINDOWS\Explorer.EXE[648] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 20CB89AB C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm Browser Security/Check Point Software Technologies)
    .text C:\WINDOWS\Explorer.EXE[648] kernel32.dll!OpenProcess 7C8309E9 5 Bytes JMP 20CB846C C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm Browser Security/Check Point Software Technologies)
    .text C:\WINDOWS\Explorer.EXE[648] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7426 5 Bytes JMP 20CB8E5D C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm Browser Security/Check Point Software Technologies)
    .text C:\WINDOWS\Explorer.EXE[648] ADVAPI32.dll!SetThreadToken 77DDF193 5 Bytes JMP 20CB9036 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm Browser Security/Check Point Software Technologies)
    .text C:\WINDOWS\Explorer.EXE[648] USER32.dll!FindWindowA 7E4282E1 5 Bytes JMP 20CB828F C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm Browser Security/Check Point Software Technologies)
    .text C:\WINDOWS\Explorer.EXE[648] USER32.dll!FindWindowW 7E42C9C3 5 Bytes JMP 20CB825A C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm Browser Security/Check Point Software Technologies)
    .text C:\Program Files\Java\jre7\bin\jqs.exe[768] ntdll.dll!NtAccessCheckByType 7C90CE8E 5 Bytes JMP 20CB8791 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm Browser Security/Check Point Software Technologies)
    .text C:\Program Files\Java\jre7\bin\jqs.exe[768] ntdll.dll!NtImpersonateClientOfPort 7C90D3FE 5 Bytes JMP 20CB8D58 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm Browser Security/Check Point Software Technologies)
    .text C:\Program Files\Java\jre7\bin\jqs.exe[768] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 20CB89AB C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm Browser Security/Check Point Software Technologies)
    .text C:\Program Files\Java\jre7\bin\jqs.exe[768] kernel32.dll!OpenProcess 7C8309E9 5 Bytes JMP 20CB846C C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm Browser Security/Check Point Software Technologies)
    .text C:\Program Files\Java\jre7\bin\jqs.exe[768] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7426 5 Bytes JMP 20CB8E5D C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm Browser Security/Check Point Software Technologies)
    .text C:\Program Files\Java\jre7\bin\jqs.exe[768] ADVAPI32.dll!SetThreadToken 77DDF193 5 Bytes JMP 20CB9036 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm Browser Security/Check Point Software Technologies)
    .text C:\Program Files\Java\jre7\bin\jqs.exe[768] user32.dll!FindWindowA 7E4282E1 5 Bytes JMP 20CB828F C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm Browser Security/Check Point Software Technologies)
    .text C:\Program Files\Java\jre7\bin\jqs.exe[768] user32.dll!FindWindowW 7E42C9C3 5 Bytes JMP 20CB825A C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm Browser Security/Check Point Software Technologies)
    .text C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe[972] kernel32.dll!OpenProcess 7C8309E9 5 Bytes JMP 20CB846C C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm Browser Security/Check Point Software Technologies)
    .text C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe[972] USER32.dll!DefDlgProcW + 56E 7E4242A8 5 Bytes JMP 20CB9270 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm Browser Security/Check Point Software Technologies)
    .text C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe[1276] ntdll.dll!NtAccessCheckByType 7C90CE8E 5 Bytes JMP 20CB8791 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm Browser Security/Check Point Software Technologies)
    .text C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe[1276] ntdll.dll!NtImpersonateClientOfPort 7C90D3FE 5 Bytes JMP 20CB8D58 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm Browser Security/Check Point Software Technologies)
    .text C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe[1276] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 20CB89AB C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm Browser Security/Check Point Software Technologies)
    .text C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe[1276] kernel32.dll!OpenProcess 7C8309E9 5 Bytes JMP 20CB846C C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm Browser Security/Check Point Software Technologies)
    .text C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe[1276] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7426 5 Bytes JMP 20CB8E5D C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm Browser Security/Check Point Software Technologies)
    .text C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe[1276] ADVAPI32.dll!SetThreadToken 77DDF193 5 Bytes JMP 20CB9036 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm Browser Security/Check Point Software Technologies)
    .text C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe[1276] USER32.dll!FindWindowA 7E4282E1 5 Bytes JMP 20CB828F C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm Browser Security/Check Point Software Technologies)
    .text C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe[1276] USER32.dll!FindWindowW 7E42C9C3 5 Bytes JMP 20CB825A C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm Browser Security/Check Point Software Technologies)
    .text C:\WINDOWS\system32\winlogon.exe[1364] ntdll.dll!NtAccessCheckByType 7C90CE8E 5 Bytes JMP 20CB8791 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm Browser Security/Check Point Software Technologies)
    .text C:\WINDOWS\system32\winlogon.exe[1364] ntdll.dll!NtImpersonateClientOfPort 7C90D3FE 5 Bytes JMP 20CB8D58 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm Browser Security/Check Point Software Technologies)
    .text C:\WINDOWS\system32\winlogon.exe[1364] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 20CB89AB C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm Browser Security/Check Point Software Technologies)
    .text C:\WINDOWS\system32\winlogon.exe[1364] kernel32.dll!OpenProcess 7C8309E9 5 Bytes JMP 20CB846C C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm Browser Security/Check Point Software Technologies)
    .text C:\WINDOWS\system32\winlogon.exe[1364] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7426 5 Bytes JMP 20CB8E5D C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm Browser Security/Check Point Software Technologies)
    .text C:\WINDOWS\system32\winlogon.exe[1364] ADVAPI32.dll!SetThreadToken 77DDF193 5 Bytes JMP 20CB9036 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm Browser Security/Check Point Software Technologies)
    .text C:\WINDOWS\system32\winlogon.exe[1364] USER32.dll!FindWindowA 7E4282E1 5 Bytes JMP 20CB828F C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm Browser Security/Check Point Software Technologies)
    .text C:\WINDOWS\system32\winlogon.exe[1364] USER32.dll!FindWindowW 7E42C9C3 5 Bytes JMP 20CB825A C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm Browser Security/Check Point Software Technologies)
    .text C:\WINDOWS\system32\services.exe[1412] ntdll.dll!NtAccessCheckByType 7C90CE8E 5 Bytes JMP 20CB8791 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm Browser Security/Check Point Software Technologies)
    .text C:\WINDOWS\system32\services.exe[1412] ntdll.dll!NtImpersonateClientOfPort 7C90D3FE 5 Bytes JMP 20CB8D58 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm Browser Security/Check Point Software Technologies)
    .text C:\WINDOWS\system32\services.exe[1412] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 20CB89AB C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm Browser Security/Check Point Software Technologies)
    .text C:\WINDOWS\system32\services.exe[1412] kernel32.dll!OpenProcess 7C8309E9 5 Bytes JMP 20CB846C C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm Browser Security/Check Point Software Technologies)
    .text C:\WINDOWS\system32\services.exe[1412] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7426 5 Bytes JMP 20CB8E5D C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm Browser Security/Check Point Software Technologies)
    .text C:\WINDOWS\system32\services.exe[1412] ADVAPI32.dll!SetThreadToken 77DDF193 5 Bytes JMP 20CB9036 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm Browser Security/Check Point Software Technologies)
    .text C:\WINDOWS\system32\services.exe[1412] USER32.dll!FindWindowA 7E4282E1 5 Bytes JMP 20CB828F C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm Browser Security/Check Point Software Technologies)
    .text C:\WINDOWS\system32\services.exe[1412] USER32.dll!FindWindowW 7E42C9C3 5 Bytes JMP 20CB825A C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm Browser Security/Check Point Software Technologies)
    .text C:\WINDOWS\system32\lsass.exe[1424] ntdll.dll!NtAccessCheckByType 7C90CE8E 5 Bytes JMP 20CB8791 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm Browser Security/Check Point Software Technologies)
    .text C:\WINDOWS\system32\lsass.exe[1424] ntdll.dll!NtImpersonateClientOfPort 7C90D3FE 5 Bytes JMP 20CB8D58 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm Browser Security/Check Point Software Technologies)
    .text C:\WINDOWS\system32\lsass.exe[1424] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 20CB89AB C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm Browser Security/Check Point Software Technologies)
    .text C:\WINDOWS\system32\lsass.exe[1424] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7426 5 Bytes JMP 20CB8E5D C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm Browser Security/Check Point Software Technologies)
    .text C:\WINDOWS\system32\lsass.exe[1424] ADVAPI32.dll!SetThreadToken 77DDF193 5 Bytes JMP 20CB9036 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm Browser Security/Check Point Software Technologies)
    .text C:\WINDOWS\system32\lsass.exe[1424] USER32.dll!FindWindowA 7E4282E1 5 Bytes JMP 20CB828F C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm Browser Security/Check Point Software Technologies)
    .text C:\WINDOWS\system32\lsass.exe[1424] USER32.dll!FindWindowW 7E42C9C3 5 Bytes JMP 20CB825A C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm Browser Security/Check Point Software Technologies)
    .text C:\WINDOWS\system32\svchost.exe[1592] ntdll.dll!NtAccessCheckByType 7C90CE8E 5 Bytes JMP 20CB8791 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm Browser Security/Check Point Software Technologies)
    .text C:\WINDOWS\system32\svchost.exe[1592] ntdll.dll!NtImpersonateClientOfPort 7C90D3FE 5 Bytes JMP 20CB8D58 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm Browser Security/Check Point Software Technologies)
    .text C:\WINDOWS\system32\svchost.exe[1592] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 20CB89AB C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm Browser Security/Check Point Software Technologies)
    .text C:\WINDOWS\system32\svchost.exe[1592] kernel32.dll!OpenProcess 7C8309E9 5 Bytes JMP 20CB846C C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm Browser Security/Check Point Software Technologies)
    .text C:\WINDOWS\system32\svchost.exe[1592] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7426 5 Bytes JMP 20CB8E5D C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm Browser Security/Check Point Software Technologies)
    .text C:\WINDOWS\system32\svchost.exe[1592] ADVAPI32.dll!SetThreadToken 77DDF193 5 Bytes JMP 20CB9036 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm Browser Security/Check Point Software Technologies)
    .text C:\WINDOWS\system32\svchost.exe[1592] USER32.dll!FindWindowA 7E4282E1 5 Bytes JMP 20CB828F C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm Browser Security/Check Point Software Technologies)
    .text C:\WINDOWS\system32\svchost.exe[1592] USER32.dll!FindWindowW 7E42C9C3 5 Bytes JMP 20CB825A C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm Browser Security/Check Point Software Technologies)
    .text C:\WINDOWS\system32\svchost.exe[1648] ntdll.dll!NtAccessCheckByType 7C90CE8E 5 Bytes JMP 20CB8791 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm Browser Security/Check Point Software Technologies)
    .text C:\WINDOWS\system32\svchost.exe[1648] ntdll.dll!NtImpersonateClientOfPort 7C90D3FE 5 Bytes JMP 20CB8D58 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm Browser Security/Check Point Software Technologies)
    .text C:\WINDOWS\system32\svchost.exe[1648] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 20CB89AB C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm Browser Security/Check Point Software Technologies)
    .text C:\WINDOWS\system32\svchost.exe[1648] kernel32.dll!OpenProcess 7C8309E9 5 Bytes JMP 20CB846C C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm Browser Security/Check Point Software Technologies)
    .text C:\WINDOWS\system32\svchost.exe[1648] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7426 5 Bytes JMP 20CB8E5D C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm Browser Security/Check Point Software Technologies)
    .text C:\WINDOWS\system32\svchost.exe[1648] ADVAPI32.dll!SetThreadToken 77DDF193 5 Bytes JMP 20CB9036 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm Browser Security/Check Point Software Technologies)
    .text C:\WINDOWS\system32\svchost.exe[1648] USER32.dll!FindWindowA 7E4282E1 5 Bytes JMP 20CB828F C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm Browser Security/Check Point Software Technologies)
    .text C:\WINDOWS\system32\svchost.exe[1648] USER32.dll!FindWindowW 7E42C9C3 5 Bytes JMP 20CB825A C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm Browser Security/Check Point Software Technologies)
    .text C:\WINDOWS\system32\SearchIndexer.exe[1744] ntdll.dll!NtAccessCheckByType 7C90CE8E 5 Bytes JMP 20CB8791 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm Browser Security/Check Point Software Technologies)
    .text C:\WINDOWS\system32\SearchIndexer.exe[1744] ntdll.dll!NtImpersonateClientOfPort 7C90D3FE 5 Bytes JMP 20CB8D58 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm Browser Security/Check Point Software Technologies)
    .text C:\WINDOWS\system32\SearchIndexer.exe[1744] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 20CB89AB C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm Browser Security/Check Point Software Technologies)
    .text C:\WINDOWS\system32\SearchIndexer.exe[1744] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)
    .text C:\WINDOWS\system32\SearchIndexer.exe[1744] kernel32.dll!OpenProcess 7C8309E9 5 Bytes JMP 20CB846C C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm Browser Security/Check Point Software Technologies)
    .text C:\WINDOWS\system32\SearchIndexer.exe[1744] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7426 5 Bytes JMP 20CB8E5D C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm Browser Security/Check Point Software Technologies)
    .text C:\WINDOWS\system32\SearchIndexer.exe[1744] ADVAPI32.dll!SetThreadToken 77DDF193 5 Bytes JMP 20CB9036 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm Browser Security/Check Point Software Technologies)
    .text C:\WINDOWS\system32\SearchIndexer.exe[1744] USER32.dll!FindWindowA 7E4282E1 5 Bytes JMP 20CB828F C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm Browser Security/Check Point Software Technologies)
    .text C:\WINDOWS\system32\SearchIndexer.exe[1744] USER32.dll!FindWindowW 7E42C9C3 5 Bytes JMP 20CB825A C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm Browser Security/Check Point Software Technologies)
    .text C:\WINDOWS\System32\svchost.exe[1816] ntdll.dll!NtAccessCheckByType 7C90CE8E 5 Bytes JMP 20CB8791 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm Browser Security/Check Point Software Technologies)
    .text C:\WINDOWS\System32\svchost.exe[1816] ntdll.dll!NtImpersonateClientOfPort 7C90D3FE 5 Bytes JMP 20CB8D58 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm Browser Security/Check Point Software Technologies)
    .text C:\WINDOWS\System32\svchost.exe[1816] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 20CB89AB C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm Browser Security/Check Point Software Technologies)
    .text C:\WINDOWS\System32\svchost.exe[1816] kernel32.dll!OpenProcess 7C8309E9 5 Bytes JMP 20CB846C C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm Browser Security/Check Point Software Technologies)
    .text C:\WINDOWS\System32\svchost.exe[1816] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7426 5 Bytes JMP 20CB8E5D C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm Browser Security/Check Point Software Technologies)
    .text C:\WINDOWS\System32\svchost.exe[1816] ADVAPI32.dll!SetThreadToken 77DDF193 5 Bytes JMP 20CB9036 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm Browser Security/Check Point Software Technologies)
    .text C:\WINDOWS\System32\svchost.exe[1816] USER32.dll!FindWindowA 7E4282E1 5 Bytes JMP 20CB828F C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm Browser Security/Check Point Software Technologies)
    .text C:\WINDOWS\System32\svchost.exe[1816] USER32.dll!FindWindowW 7E42C9C3 5 Bytes JMP 20CB825A C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm Browser Security/Check Point Software Technologies)
    .text C:\WINDOWS\system32\svchost.exe[1852] ntdll.dll!NtAccessCheckByType 7C90CE8E 5 Bytes JMP 20CB8791 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm Browser Security/Check Point Software Technologies)
    .text C:\WINDOWS\system32\svchost.exe[1852] ntdll.dll!NtImpersonateClientOfPort 7C90D3FE 5 Bytes JMP 20CB8D58 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm Browser Security/Check Point Software Technologies)
    .text C:\WINDOWS\system32\svchost.exe[1852] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 20CB89AB C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm Browser Security/Check Point Software Technologies)
    .text C:\WINDOWS\system32\svchost.exe[1852] kernel32.dll!OpenProcess 7C8309E9 5 Bytes JMP 20CB846C C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm Browser Security/Check Point Software Technologies)
    .text C:\WINDOWS\system32\svchost.exe[1852] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7426 5 Bytes JMP 20CB8E5D C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm Browser Security/Check Point Software Technologies)
    .text C:\WINDOWS\system32\svchost.exe[1852] ADVAPI32.dll!SetThreadToken 77DDF193 5 Bytes JMP 20CB9036 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm Browser Security/Check Point Software Technologies)
    .text C:\WINDOWS\system32\svchost.exe[1852] USER32.dll!FindWindowA 7E4282E1 5 Bytes JMP 20CB828F C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm Browser Security/Check Point Software Technologies)
    .text C:\WINDOWS\system32\svchost.exe[1852] USER32.dll!FindWindowW 7E42C9C3 5 Bytes JMP 20CB825A C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm Browser Security/Check Point Software Technologies)
    .text C:\Program Files\NETGEAR\WG111v3\WG111v3.exe[3092] ntdll.dll!NtAccessCheckByType 7C90CE8E 5 Bytes JMP 20CB8791 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm Browser Security/Check Point Software Technologies)
    .text C:\Program Files\NETGEAR\WG111v3\WG111v3.exe[3092] ntdll.dll!NtImpersonateClientOfPort 7C90D3FE 5 Bytes JMP 20CB8D58 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm Browser Security/Check Point Software Technologies)
    .text C:\Program Files\NETGEAR\WG111v3\WG111v3.exe[3092] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 20CB89AB C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm Browser Security/Check Point Software Technologies)
    .text C:\Program Files\NETGEAR\WG111v3\WG111v3.exe[3092] kernel32.dll!OpenProcess 7C8309E9 5 Bytes JMP 20CB846C C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm Browser Security/Check Point Software Technologies)
    .text C:\Program Files\NETGEAR\WG111v3\WG111v3.exe[3092] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7426 5 Bytes JMP 20CB8E5D C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm Browser Security/Check Point Software Technologies)
    .text C:\Program Files\NETGEAR\WG111v3\WG111v3.exe[3092] ADVAPI32.dll!SetThreadToken 77DDF193 5 Bytes JMP 20CB9036 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm Browser Security/Check Point Software Technologies)
    .text C:\Program Files\NETGEAR\WG111v3\WG111v3.exe[3092] USER32.dll!FindWindowA 7E4282E1 5 Bytes JMP 20CB828F C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm Browser Security/Check Point Software Technologies)
    .text C:\Program Files\NETGEAR\WG111v3\WG111v3.exe[3092] USER32.dll!FindWindowW 7E42C9C3 5 Bytes JMP 20CB825A C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm Browser Security/Check Point Software Technologies)
    .text C:\Documents and Settings\DAD\Desktop\tttbrg75.exe[3952] ntdll.dll!NtAccessCheckByType 7C90CE8E 5 Bytes JMP 20CB8791 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm Browser Security/Check Point Software Technologies)
    .text C:\Documents and Settings\DAD\Desktop\tttbrg75.exe[3952] ntdll.dll!NtImpersonateClientOfPort 7C90D3FE 5 Bytes JMP 20CB8D58 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm Browser Security/Check Point Software Technologies)
    .text C:\Documents and Settings\DAD\Desktop\tttbrg75.exe[3952] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 20CB89AB C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm Browser Security/Check Point Software Technologies)
    .text C:\Documents and Settings\DAD\Desktop\tttbrg75.exe[3952] kernel32.dll!OpenProcess 7C8309E9 5 Bytes JMP 20CB846C C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm Browser Security/Check Point Software Technologies)
    .text C:\Documents and Settings\DAD\Desktop\tttbrg75.exe[3952] USER32.dll!FindWindowA 7E4282E1 5 Bytes JMP 20CB828F C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm Browser Security/Check Point Software Technologies)
    .text C:\Documents and Settings\DAD\Desktop\tttbrg75.exe[3952] USER32.dll!FindWindowW 7E42C9C3 5 Bytes JMP 20CB825A C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm Browser Security/Check Point Software Technologies)
    .text C:\Documents and Settings\DAD\Desktop\tttbrg75.exe[3952] ADVAPI32.dll!ImpersonateNamedPipeClient 77DD7426 5 Bytes JMP 20CB8E5D C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm Browser Security/Check Point Software Technologies)
    .text C:\Documents and Settings\DAD\Desktop\tttbrg75.exe[3952] ADVAPI32.dll!SetThreadToken 77DDF193 5 Bytes JMP 20CB9036 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm Browser Security/Check Point Software Technologies)

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )

    Device \Driver\Tcpip \Device\Ip vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)

    AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

    Device \Driver\Tcpip \Device\Tcp vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)

    AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

    Device \Driver\Tcpip \Device\Udp vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)

    AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

    Device \Driver\Tcpip \Device\RawIp vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)

    AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

    Device \Driver\Tcpip \Device\IPMULTICAST vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
    Device \FileSystem\Fastfat \Fat AF920D20

    AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    AttachedDevice \FileSystem\Fastfat \Fat AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )

    ---- EOF - GMER 1.0.15 ----
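A way to read a GMER user-code-section dump like the one above mechanically, as an added example that is not code from this thread or from GMER: it parses each `.text` hook line, groups hooks by the DLL that owns the detour target, and flags the cases a helper looks at first (a JMP into memory that no loaded module backs, an owner with no description/vendor string, or a vendor outside the products known to be installed). The TRUSTED_VENDORS list and the two input lines marked CONSTRUCTED are assumptions made for this example; the other sample lines are copied from the log above.

```python
import re
from collections import defaultdict

# GMER "User code sections" hook line layout (assumed from the log format shown in the thread):
#   .text <process>[<pid>] <module>!<function> <addr> <n> Bytes JMP <target> [<dll> (<description/vendor>)]
HOOK_RE = re.compile(
    r"^\.text\s+(?P<process>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[^!\s]+)!(?P<function>\S+(?:\s\+\s[0-9A-Fa-f]+)?)\s+"
    r"(?P<addr>[0-9A-Fa-f]{8})\s+(?P<size>\d+)\s+Bytes\s+"
    r"(?P<kind>JMP|CALL)\s+(?P<target>[0-9A-Fa-f]{8})"
    r"(?:\s+(?P<rest>.*?))?\s*$"
)

# Assumption for this example: the security products known to be installed on the machine.
# Adapt per case; hooks from anyone else deserve a second look.
TRUSTED_VENDORS = ("Check Point Software Technologies", "AVG Technologies", "Microsoft Corporation")


def parse_hook(line):
    """Parse one GMER user-mode hook line into a dict, or return None if the line is not one."""
    m = HOOK_RE.match(line.strip())
    if not m:
        return None
    hook = m.groupdict()
    rest = hook.pop("rest") or ""
    # The trailing "<dll> (<vendor>)" part is optional: a detour into memory that no
    # module backs has nothing after the target address, and an unsigned/undescribed
    # module shows a path with no parenthesised description.
    dll, vendor = rest, ""
    if rest.endswith(")") and " (" in rest:
        dll, vendor = rest[:-1].rsplit(" (", 1)
    hook["dll"], hook["vendor"] = dll, vendor
    hook["pid"], hook["size"] = int(hook["pid"]), int(hook["size"])
    return hook


def parse_log(text):
    """Parse every hook line in a GMER log; headers and device entries are skipped."""
    return [h for h in (parse_hook(line) for line in text.splitlines()) if h]


def summarize_by_dll(hooks):
    """One row per module that owns detour targets: how many hooks, in which processes, on which APIs."""
    rows = defaultdict(lambda: {"vendor": "", "count": 0, "processes": set(), "functions": set()})
    for h in hooks:
        row = rows[h["dll"] or "<no backing module>"]
        row["vendor"] = h["vendor"]
        row["count"] += 1
        row["processes"].add(h["process"])
        row["functions"].add(f"{h['module']}!{h['function']}")
    return dict(rows)


def triage(hooks, trusted_vendors=TRUSTED_VENDORS):
    """Return (reason, hook) pairs for hooks worth a closer look; hooks owned by a module
    whose vendor string matches a trusted product are treated as expected HIPS/AV instrumentation."""
    findings = []
    for h in hooks:
        if not h["dll"]:
            findings.append(("target not backed by any module", h))
        elif not h["vendor"]:
            findings.append(("hooking module has no description/vendor", h))
        elif not any(v in h["vendor"] for v in trusted_vendors):
            findings.append(("unexpected vendor: " + h["vendor"], h))
    return findings


SAMPLE_LOG = "\n".join([
    # Four lines copied from the thread's GMER log:
    r".text C:\WINDOWS\Explorer.EXE[648] USER32.dll!FindWindowA 7E4282E1 5 Bytes JMP 20CB828F C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm Browser Security/Check Point Software Technologies)",
    r".text C:\WINDOWS\system32\lsass.exe[1424] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 20CB89AB C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm Browser Security/Check Point Software Technologies)",
    r".text C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe[972] USER32.dll!DefDlgProcW + 56E 7E4242A8 5 Bytes JMP 20CB9270 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm Browser Security/Check Point Software Technologies)",
    r".text C:\WINDOWS\system32\SearchIndexer.exe[1744] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)",
    # CONSTRUCTED (not in the thread's log): a detour into memory with no backing module.
    r".text C:\WINDOWS\system32\svchost.exe[1592] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 00A3F000",
    # CONSTRUCTED (not in the thread's log): an owner with no description/vendor string.
    r".text C:\WINDOWS\system32\svchost.exe[1592] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10001230 C:\Temp\unknown_constructed.dll",
    "---- Devices - GMER 1.0.15 ----",
])

if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    for dll, row in summarize_by_dll(parsed).items():
        print(f"{row['count']:3d} hook(s) -> {dll} [{row['vendor'] or 'no vendor'}] "
              f"in {len(row['processes'])} process(es)")
    for reason, h in triage(parsed):
        print(f"REVIEW: {reason}: {h['process']}[{h['pid']}] {h['module']}!{h['function']} -> {h['target']}")
```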

  8. #18
    Emeritus- Malware Team
    Join Date
    Aug 2011
    Posts
    148

    Default

    Hi musicalpulltoy,

    Thank you for the logs and feedback.

    C:\WINDOWS\system32\89F5848D.exe and C:\WINDOWS\system32\01BA7819.exe are legitimate files created by Rootkit UnHooker when you ran the tool.
    If you run the tool again another such file will be created and an alert to allow the associated service will pop-up. There's no harm done, though.

    Again, please remember to read the instructions below carefully before executing and perform the steps, in the order given.
    If you have any questions about or problems executing these instructions, <STOP> do not proceed, post back with the question or problem before going any further.

    Before proceeding please make sure any open programs are closed.

    Step 1:
    ERUNT - Emergency Recovery Utility NT

    I notice you already have ERUNT installed on your system. Let's backup the Registry before we go any further.

    Modifying the Registry can create unforeseen problems, so it's always wise to create a backup before doing so.
    ERUNT (Emergency Recovery Utility NT) by Lars Hederer is a free program that allows you to create a complete backup of your registry and restore it when needed.

    1. Double-click on the ERUNT desktop icon to run the program.
    2. Click on the OK button in the Welcome! screen.
    3. Choose a location for the backup. Note: the default location is C:\WINDOWS\ERDNT\DD-MM-YYYY (where DD-MM-YYYY is the date of the backup) which is fine.
    4. Under Backup options make sure both of the first two options: System registry and Current user registry are checked.
    5. Click on the Yes button to allow the folder to be created.
      After a short duration the Registry backup is complete! pop-up message will appear.
    6. Now click on OK. A registry backup has now been created.

    < STOP > If you are unable to complete this step successfully, < STOP > do not continue with any fix steps, let me know immediately in your next post!

    Step 2:
    Uninstall Programs

    1. Select Start > Control Panel > Add/Remove Programs.
    2. Scroll down the list of installed programs and select the following program:

      ZoneAlarm Security Toolbar

    3. Click on the Remove button to uninstall the program.
    4. Click on the Yes button at the prompt.
    5. Close the Add/Remove Programs control panel when the removal has been completed.

    Step 3:
    Temporarily Disable Active Security Tools

    Please temporarily disable your real-time security protection using the instructions provided previously before continuing.

    Step 4:
    OTL - Script

    1. Double-click on OTL.exe. If you receive a UAC prompt, please allow it.
    2. Copy and Paste the following code into the textbox. Do not include the word Code.
      Code:
      :otl
      IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomSearch = http://us.rd.yahoo.com/customize/ie/...ch/search.html
      IE - HKLM\..\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}: "URL" = http://www.ask.com/web?&o=101881&l=dis&q={SEARCHTERMS}
      IE - HKU\S-1-5-19\..\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}: "URL" = http://www.ask.com/web?&o=101881&l=dis&q={SEARCHTERMS}
      IE - HKU\S-1-5-20\..\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}: "URL" = http://www.ask.com/web?&o=101881&l=dis&q={SEARCHTERMS}
      IE - HKU\S-1-5-21-1668751319-4250827956-263943839-1006\..\URLSearchHook: {91da5e8a-3318-4f8c-b67e-5964de3ab546} - C:\Program Files\ZoneAlarm_Security\prxtbZon2.dll (Conduit Ltd.)
      IE - HKU\S-1-5-21-1668751319-4250827956-263943839-1006\..\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}: "URL" = http://www.ask.com/web?&o=101881&l=dis&q={SEARCHTERMS}
      IE - HKU\S-1-5-21-1668751319-4250827956-263943839-1006\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2645238
      IE - HKU\S-1-5-21-1668751319-4250827956-263943839-1006\..\SearchScopes\{CFF4DB9B-135F-47c0-9269-B4C6572FD61A}: "URL" = http://mystart.incredimail.com/mb59/?search={searchTerms}&loc=search_box&u=92822879073603948
      FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0017-0000-0000-ABCDEFFEDCBA}:7.0
      FF - prefs.js..extensions.enabledItems: {91da5e8a-3318-4f8c-b67e-5964de3ab546}:3.8.0.8
      FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
      [2011/11/23 16:09:25 | 000,000,000 | ---D | M] (ZoneAlarm Security Community Toolbar) -- C:\Documents and Settings\DAD\Application Data\Mozilla\Firefox\Profiles\fn2dlw99.default\extensions\{91da5e8a-3318-4f8c-b67e-5964de3ab546}
      [2011/03/23 20:42:20 | 000,000,939 | ---- | M] () -- C:\Documents and Settings\DAD\Application Data\Mozilla\Firefox\Profiles\fn2dlw99.default\searchplugins\conduit.xml
      [2011/08/26 23:22:11 | 000,002,207 | ---- | M] () -- C:\Documents and Settings\DAD\Application Data\Mozilla\Firefox\Profiles\fn2dlw99.default\searchplugins\MyStart Search.xml
      O2 - BHO: (ZoneAlarm Security Toolbar) - {91da5e8a-3318-4f8c-b67e-5964de3ab546} - C:\Program Files\ZoneAlarm_Security\prxtbZon2.dll (Conduit Ltd.)
      O3 - HKLM\..\Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - No CLSID value found.
      O3 - HKLM\..\Toolbar: (ZoneAlarm Security Toolbar) - {91da5e8a-3318-4f8c-b67e-5964de3ab546} - C:\Program Files\ZoneAlarm_Security\prxtbZon2.dll (Conduit Ltd.)
      O3 - HKU\S-1-5-21-1668751319-4250827956-263943839-1006\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
      O3 - HKU\S-1-5-21-1668751319-4250827956-263943839-1006\..\Toolbar\WebBrowser: (ZoneAlarm Security Toolbar) - {91DA5E8A-3318-4F8C-B67E-5964DE3AB546} - C:\Program Files\ZoneAlarm_Security\prxtbZon2.dll (Conduit Ltd.)
      O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\SystemExplorerDisabled [2011/09/01 03:51:19 | 000,000,000 | ---D | M]
      O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
      
      :files
      C:\Documents and Settings\All Users\Application Data\Authentium
      C:\Documents and Settings\All Users\Application Data\IObit
      C:\Documents and Settings\All Users\Application Data\PC-Doctor
      C:\Documents and Settings\All Users\Application Data\PCDr
      C:\Documents and Settings\DAD\Application Data\AVG10
      C:\Documents and Settings\DAD\Application Data\IObit
      C:\Documents and Settings\DAD\Application Data\uTorrent
      
      :commands
      [PURITY]
      [EMPTYTEMP]
      [CREATERESTOREPOINT]
      [REBOOT]
    3. Then click the Run Fix button at the top.
    4. Click .
    5. OTL may ask to reboot the machine. Please do so if asked.
    6. The report should appear in Notepad after the reboot. Copy and Paste that report in your next reply.

    Step 5:
    Include in Next Post

    1. Did you have any problems carrying out the instructions?
    2. OTL Fix Log.


    Scolabar
    --------------------------------------------------------------------------
    No Reply Within 3 Days Will Result In Your Topic Being Closed
    Malware Removal University - You too could train to help others

  9. #19
    Senior Member musicalpulltoy
    Join Date
    Mar 2009
    Posts
    104

    Default

    Hello,
    No problems encountered.
    Will this put me in control of iexplorer now? (Flash Player will not install.)
    That must have reset Firefox too.

    All processes killed
    ========== OTL ==========
    HKLM\SOFTWARE\Microsoft\Internet Explorer\Search\\CustomSearch| /E : value set successfully!
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}\ not found.
    Registry key HKEY_USERS\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}\ not found.
    Registry key HKEY_USERS\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}\ not found.
    Registry value HKEY_USERS\S-1-5-21-1668751319-4250827956-263943839-1006\Software\Microsoft\Internet Explorer\URLSearchHooks\\{91da5e8a-3318-4f8c-b67e-5964de3ab546} not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{91da5e8a-3318-4f8c-b67e-5964de3ab546}\ not found.
    File C:\Program Files\ZoneAlarm_Security\prxtbZon2.dll not found.
    Registry key HKEY_USERS\S-1-5-21-1668751319-4250827956-263943839-1006\Software\Microsoft\Internet Explorer\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}\ not found.
    Registry key HKEY_USERS\S-1-5-21-1668751319-4250827956-263943839-1006\Software\Microsoft\Internet Explorer\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{afdbddaa-5d3f-42ee-b79c-185a7020515b}\ not found.
    Registry key HKEY_USERS\S-1-5-21-1668751319-4250827956-263943839-1006\Software\Microsoft\Internet Explorer\SearchScopes\{CFF4DB9B-135F-47c0-9269-B4C6572FD61A}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CFF4DB9B-135F-47c0-9269-B4C6572FD61A}\ not found.
    Prefs.js: {CAFEEFAC-0017-0000-0000-ABCDEFFEDCBA}:7.0 removed from extensions.enabledItems
    Prefs.js: {91da5e8a-3318-4f8c-b67e-5964de3ab546}:3.8.0.8 removed from extensions.enabledItems
    Registry key HKEY_LOCAL_MACHINE\Software\MozillaPlugins\@Apple.com/iTunes,version=\ deleted successfully.
    C:\Documents and Settings\DAD\Application Data\Mozilla\Firefox\Profiles\fn2dlw99.default\extensions\{91da5e8a-3318-4f8c-b67e-5964de3ab546}\searchplugin folder moved successfully.
    C:\Documents and Settings\DAD\Application Data\Mozilla\Firefox\Profiles\fn2dlw99.default\extensions\{91da5e8a-3318-4f8c-b67e-5964de3ab546}\modules folder moved successfully.
    C:\Documents and Settings\DAD\Application Data\Mozilla\Firefox\Profiles\fn2dlw99.default\extensions\{91da5e8a-3318-4f8c-b67e-5964de3ab546}\META-INF folder moved successfully.
    C:\Documents and Settings\DAD\Application Data\Mozilla\Firefox\Profiles\fn2dlw99.default\extensions\{91da5e8a-3318-4f8c-b67e-5964de3ab546}\defaults folder moved successfully.
    C:\Documents and Settings\DAD\Application Data\Mozilla\Firefox\Profiles\fn2dlw99.default\extensions\{91da5e8a-3318-4f8c-b67e-5964de3ab546}\components folder moved successfully.
    C:\Documents and Settings\DAD\Application Data\Mozilla\Firefox\Profiles\fn2dlw99.default\extensions\{91da5e8a-3318-4f8c-b67e-5964de3ab546}\chrome folder moved successfully.
    C:\Documents and Settings\DAD\Application Data\Mozilla\Firefox\Profiles\fn2dlw99.default\extensions\{91da5e8a-3318-4f8c-b67e-5964de3ab546} folder moved successfully.
    C:\Documents and Settings\DAD\Application Data\Mozilla\Firefox\Profiles\fn2dlw99.default\searchplugins\conduit.xml moved successfully.
    C:\Documents and Settings\DAD\Application Data\Mozilla\Firefox\Profiles\fn2dlw99.default\searchplugins\MyStart Search.xml moved successfully.
    Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{91da5e8a-3318-4f8c-b67e-5964de3ab546}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{91da5e8a-3318-4f8c-b67e-5964de3ab546}\ not found.
    File C:\Program Files\ZoneAlarm_Security\prxtbZon2.dll not found.
    Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{0BF43445-2F28-4351-9252-17FE6E806AA0} deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0BF43445-2F28-4351-9252-17FE6E806AA0}\ not found.
    Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{91da5e8a-3318-4f8c-b67e-5964de3ab546} not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{91da5e8a-3318-4f8c-b67e-5964de3ab546}\ not found.
    File C:\Program Files\ZoneAlarm_Security\prxtbZon2.dll not found.
    Registry value HKEY_USERS\S-1-5-21-1668751319-4250827956-263943839-1006\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F}\ not found.
    Registry value HKEY_USERS\S-1-5-21-1668751319-4250827956-263943839-1006\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{91DA5E8A-3318-4F8C-B67E-5964DE3AB546} not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{91DA5E8A-3318-4F8C-B67E-5964DE3AB546}\ not found.
    File C:\Program Files\ZoneAlarm_Security\prxtbZon2.dll not found.
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\SystemExplorerDisabled folder moved successfully.
    Registry key HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Restrictions\ deleted successfully.
    ========== FILES ==========
    C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\Quarantine\Quarantine\ppq44.tmp folder moved successfully.
    C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\Quarantine\Quarantine\ppq43.tmp\root\magnet10 folder moved successfully.
    C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\Quarantine\Quarantine\ppq43.tmp\root folder moved successfully.
    C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\Quarantine\Quarantine\ppq43.tmp\.NetworkShare folder moved successfully.
    C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\Quarantine\Quarantine\ppq43.tmp folder moved successfully.
    C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\Quarantine\Quarantine folder moved successfully.
    C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\Quarantine folder moved successfully.
    C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\log folder moved successfully.
    C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150 folder moved successfully.
    C:\Documents and Settings\All Users\Application Data\Authentium folder moved successfully.
    C:\Documents and Settings\All Users\Application Data\IObit\IObit Security 360 folder moved successfully.
    C:\Documents and Settings\All Users\Application Data\IObit folder moved successfully.
    C:\Documents and Settings\All Users\Application Data\PC-Doctor\certs folder moved successfully.
    C:\Documents and Settings\All Users\Application Data\PC-Doctor folder moved successfully.
    C:\Documents and Settings\All Users\Application Data\PCDr folder moved successfully.
    C:\Documents and Settings\DAD\Application Data\AVG10\cfgall folder moved successfully.
    C:\Documents and Settings\DAD\Application Data\AVG10 folder moved successfully.
    C:\Documents and Settings\DAD\Application Data\IObit\IObit SmartDefrag folder moved successfully.
    C:\Documents and Settings\DAD\Application Data\IObit\Advanced SystemCare\Backup\Registry folder moved successfully.
    C:\Documents and Settings\DAD\Application Data\IObit\Advanced SystemCare\Backup folder moved successfully.
    C:\Documents and Settings\DAD\Application Data\IObit\Advanced SystemCare folder moved successfully.
    C:\Documents and Settings\DAD\Application Data\IObit folder moved successfully.
    C:\Documents and Settings\DAD\Application Data\uTorrent\dlimagecache folder moved successfully.
    C:\Documents and Settings\DAD\Application Data\uTorrent\apps folder moved successfully.
    C:\Documents and Settings\DAD\Application Data\uTorrent folder moved successfully.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: Administrator
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: Administrator.DJJXF091
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: All Users

    User: DAD
    ->Temp folder emptied: 7736678 bytes
    ->Temporary Internet Files folder emptied: 1358879 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 65920565 bytes
    ->Google Chrome cache emptied: 0 bytes
    ->Apple Safari cache emptied: 0 bytes
    ->Flash cache emptied: 615 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: LocalService
    ->Temp folder emptied: 990424 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes

    User: NetworkService
    ->Temp folder emptied: 1985256 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 1130008 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
    RecycleBin emptied: 78066972 bytes

    Total Files Cleaned = 150.00 mb

    Restore point Set: OTL Restore Point (0)

    OTL by OldTimer - Version 3.2.37.1 log created on 03192012_114041

    Files\Folders moved on Reboot...

    Registry entries deleted on Reboot...

  10. #20
    Emeritus- Malware Team
    Join Date
    Aug 2011
    Posts
    148

    Default

    Hi musicalpulltoy,

    Thank you for the log file and feedback.

    Let's try resetting both web browsers (and updating Firefox) and see if that resolves your Flash Player installation issue.
    Please Note: There are separate Flash Player installers for Internet Explorer and all other browsers, if you are not already aware.

    Again, please remember to read the instructions below carefully before executing and perform the steps, in the order given.
    If you have any questions about or problems executing these instructions, <STOP> do not proceed, post back with the question or problem before going any further.

    Before proceeding please make sure any open programs are closed.

    Step 1:
    Browser Reset - Internet Explorer

    Let's Reset Internet Explorer to see if this helps improve things.

    1. Launch Internet Explorer.
    2. Under the Tools menu, click on Internet Options.
    3. In the pop-up Internet Options window, click on the Advanced tab and then click on the Reset button.
    4. Tick the Delete Personal Settings option.
    5. Then click on the Reset button to process the browser reset.
    6. When complete, click the Close button.
    7. Click on the OK button in the Internet Explorer restart reminder window.
    8. Restart Internet Explorer.

    Note: A visual step by step guide is available here, if required.

    Step 2:
    Browser Reset - FireFox

    1. Click on Start > Run...
    2. Enter the following command:
      Code:
      firefox.exe -safe-mode
    3. Then click on the OK button.
    4. In the open window, tick the Reset all preferences to default Firefox option.
    5. Click on the Make the changes and restart button.
    6. After FireFox restarts click on the Help menu, select Check for Updates... and allow Firefox to process any updates it finds.

    Step 3:
    Update FireFox

    The version of Firefox installed on your computer is very out-of-date - version 3.6.12.
    I strongly advise that you install the latest available version of the program for your operating system. The latest currently available version is version 11.0.
    The latest version can be downloaded from Here.

    Step 4:
    DNS Flush

    Now let's flush the DNS on the computer:

    1. Click on Start > Run.
    2. Enter the following command:
      Code:
      cmd
    3. Then click on the OK button.
    4. A black Command window will now open.
    5. Please enter after the command prompt - it may appear as:
      Code:
      C:\> or C:\path to user account\>
      the following text in that window:
      Code:
      ipconfig /flushdns
    6. Then press Enter to process the command.
    7. When the command prompt reappears Close the Command window.

    Step 5:
    Malwarebytes' Anti-Malware

    I notice you already have this program installed on your computer.
    Let's check for updates and run the program.

    Please save any items you have been working on and close any open programs. You may be asked to reboot your machine.

    1. Launch Malwarebytes' Anti-Malware
    2. You will be asked to update the program before performing a scan. Please do so.
      • If an update is found, the program will automatically download and install the update.
      • Click on the OK button to close that box and continue.
      • If you have any problems downloading updates download them manually from here and double-click on mbam-rules.exe to complete the installation.

    On the Scanner tab:
    1. Make sure the Perform quick scan option is selected.
    2. Then click on the Scan button.
    3. If asked to select the drives to scan, leave all the drives selected and then click on the Start Scan button.
    4. The scan will begin and Scan in progress will show at the top. It may take some time to complete so please be patient.
    5. When the scan is finished, a message box will be displayed saying The scan completed successfully. Click 'Show Results' to display all objects found.
    6. Click on the OK button to close the message box and continue with the removal process.

    Back at the main Scanner screen:
    1. Click on the Show Results button to see a list of any malware that was found.
    2. Check all items except items in the C:\System Volume Information folder and then click on the Remove Selected button.
      The System Volume Information items will be taken care of later.
    3. When the removal has been completed, a log report will open in Notepad and you may be prompted to restart your computer. (See Note below).
    4. The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
      The log can also be found here:
      C:\Documents and Settings\Account Name\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
    5. Please Copy and Paste the entire contents of mbam-log-date (time).txt into your next reply and exit MBAM.

    Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
    Click OK to either prompt and let MBAM proceed with the disinfection process.
    If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


    Step 6:
    Include in Next Post

    1. Did you have any problems carrying out the instructions?
    2. Did the browser reset resolve the Flash Player installation issue?
    3. mbam-log-date (time).txt.
    4. How is the computer now running?


    Scolabar
    --------------------------------------------------------------------------
    No Reply Within 3 Days Will Result In Your Topic Being Closed
    Malware Removal University - You too could train to help others
