
May 9th, 2010 14:00

Restarts in Stand-by/Hijackthis log

I have been having an issue with restarts when trying to put my system in standby. I have looked over power settings etc. to no avail.

I can't seem to find what is causing this problem, so here is a log to see if you can find something that Vipre, Malwarebytes and I cannot.

I am trying to narrow down the possibilities, it's quite strange and making me nuts.

The system as a whole seems to be fine.

I'm also wanting to upgrade to xp sp3 and do not want to if there is a problem existing.

DELL Dimension 1100

Windows XP SP2 Home Ver. 5.1.2600

Intel Celeron 2.53GHz  x86, 1GIG RAM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:32:51, on 5/9/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Sunbelt Software\VIPRE\SBAMSvc.exe
C:\Program Files\Sunbelt Software\VIPRE\SBPIMSvc.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Verizon\VSP\VerizonServicepoint.exe
C:\Program Files\Browser MOUSE\mouse32a.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Sunbelt Software\VIPRE\SBAMTray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\dlcfcoms.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\VirtualExpander\VirtualExpander.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.verizon.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [VerizonServicepoint.exe] "C:\Program Files\Verizon\VSP\VerizonServicepoint.exe" /AUTORUN
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Browser MOUSE\mouse32a.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SBAMTray] "C:\Program Files\Sunbelt Software\VIPRE\SBAMTray.exe"
O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - Startup: VirtualExpander.lnk = C:\WINDOWS\system32\VirtualExpander\VirtualExpander.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} - https://activatemywifi.verizon.net/sdcCommon/download/WIFI/Verizon%20WiFi%20Installer.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: dlcf_device -   - C:\WINDOWS\system32\dlcfcoms.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: VIPRE Antivirus Premium (SBAMSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\VIPRE\SBAMSvc.exe
O23 - Service: SB Recovery Service (SBPIMSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\VIPRE\SBPIMSvc.exe

--
End of file - 4358 bytes

Thank you for your time, any help and suggestions are appreciated.

COL.


May 20th, 2010 13:00

colonelh,

Sorry for the delay in getting to your log.

Welcome to Dell Community Malware Removal Forums,

I'm K27 and I will be reviewing your log for you.

Please DO NOT run any scans/tools/fixes on your own as this will conflict with the tools we are going to use.

Please Print or Save to Notepad all instructions and please follow them carefully and if there's something you don't understand or that will not work please let me know and we will go through it together.

Please DO NOT use this system for anything apart from visiting this forum and other sites I direct you to, as this will only make the cleanup process all the more difficult.

If you still require assistance please follow these instructions:


Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.

MBAM will automatically start and you will be asked to update the program before performing a scan.

  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.

On the Scanner tab:

  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.

Back at the main Scanner screen:

  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.

Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.
I need to see some additional information about what is happening in your machine.
Please perform the following scan:

  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double-click on the DDS icon and allow it to run.
  • A small box will open, with an explanation about the tool.
  • When done, DDS will open two (2) logs:
    1. DDS.txt
    2. Attach.txt
  • Save both reports to your desktop.
  • The instructions here ask you to attach the Attach.txt.
  • Instead of attaching, please copy/paste both logs into your next reply.
  • Close the program window, and delete the program from your desktop.

Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.
Information on A/V control HERE

Please COPY/PASTE your fresh MBAM log and BOTH DDS logs. (Note: before posting any logs, please go to Format on Notepad's toolbar and make sure WordWrap is unchecked.)

Thank you,
K27.
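The HijackThis log at the top of this thread was posted with WordWrap on, which is why several of its long entries arrive split across lines; the following Python, added here as an example and not part of this thread or of HijackThis, rejoins such wrapped entries and runs a first-pass triage over them. The log excerpt and the review heuristics are constructed for the example.

```python
import re

# Constructed sample: a HijackThis-style excerpt in which Notepad's WordWrap
# broke two long lines before posting, exactly as happened in the log above.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:32:51, on 5/9/2010

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Sunbelt Software\VIPRE\SBAMSvc.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.verizon.yahoo.com/
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program

Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O4 - HKLM\..\Run: [SBAMTray] "C:\Program Files\Sunbelt Software\VIPRE\SBAMTray.exe"
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O23 - Service: VIPRE Antivirus Premium (SBAMSvc) - Sunbelt Software - C:\Program Files\Sunbelt

Software\VIPRE\SBAMSvc.exe
O23 - Service: dlcf_device -   - C:\WINDOWS\system32\dlcfcoms.exe

--
End of file - 4358 bytes
"""

# Every real entry starts with a section code such as R0, O4, O23 followed by " - ".
ENTRY_RE = re.compile(r"^([RFO]\d{1,2}) - (.*)$")


def unwrap_entries(text):
    """Return [(code, body), ...] for the R/F/O entries, rejoining wrapped lines.

    A non-blank line that does not start with a section code, seen while an
    entry is open, is a WordWrap continuation: Notepad broke at a space, so it
    is glued back with a single space. Blank lines inside the entry block are
    wrap artifacts and are skipped. The "--" / "End of file" trailer ends parsing.
    """
    entries = []
    current = None
    in_entries = False
    for raw in text.splitlines():
        line = raw.rstrip()
        if not in_entries:
            if not ENTRY_RE.match(line):
                continue          # still in the header / running-processes part
            in_entries = True
        if line == "--" or line.startswith("End of file"):
            break
        m = ENTRY_RE.match(line)
        if m:
            if current:
                entries.append(tuple(current))
            current = [m.group(1), m.group(2)]
        elif line.strip() and current:
            current[1] += " " + line.strip()
    if current:
        entries.append(tuple(current))
    return entries


def parse_service(body):
    """Split an O23 body 'Service: Name - Company - Path' into its three fields.

    The company field may be empty: the dlcf_device line above shows the
    '-   -' form HijackThis emits when the service carries no vendor string.
    """
    if not body.startswith("Service: "):
        raise ValueError("not an O23 body: " + body)
    head, path = body[len("Service: "):].rsplit(" - ", 1)
    name, _, company = head.partition(" - ")
    return name.strip(), company.strip(), path.strip()


def review(entries):
    """First-pass triage heuristics (constructed for this example, not HJT's own):
    flag LSP entries HijackThis could not match to its known list, and services
    without a vendor string, so a reviewer checks those files' publishers first."""
    findings = []
    for code, body in entries:
        if code == "O10" and body.startswith("Unknown file in Winsock LSP"):
            findings.append((code, "unrecognised Winsock LSP, verify the DLL's publisher: "
                             + body.split(": ", 1)[1]))
        elif code == "O23":
            name, company, path = parse_service(body)
            if not company:
                findings.append((code, f"service {name!r} has no vendor string: {path}"))
    return findings


if __name__ == "__main__":
    parsed = unwrap_entries(SAMPLE_LOG)
    for code, body in parsed:
        print(f"{code:<4} {body}")
    for code, reason in review(parsed):
        print("REVIEW", code, reason)
```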


May 22nd, 2010 07:00

K27,

Thanks for your reply, not to worry about the delay. My schedule is more than full also.

I haven't done anything else to find the cause of the glitch. So here is the information you requested for your analysis.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4052

Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

5/22/2010 08:30:44
mbam-log-2010-05-22 (08-30-44).txt

Scan type: Quick scan
Objects scanned: 119829
Time elapsed: 11 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
An error has occurred. Please report this error code to our support team.

MBAM_ERROR_NOT_REGISTERED (0, 0)


DDS LOGS:



DDS (Ver_09-09-29.01) - NTFSx86 
Run by Owner at  8:55:40.46 on Sat 05/22/2010
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1033.18.1022.508 [GMT -4:00]

AV: Sunbelt VIPRE *On-access scanning enabled* (Updated)   {964FCE60-0B18-4D30-ADD6-EB178909041C}
FW: Sunbelt VIPRE *enabled*   {FF1CD5B7-1553-4625-A258-1775385CED33}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Sunbelt Software\VIPRE\SBAMSvc.exe
C:\Program Files\Sunbelt Software\VIPRE\SBPIMSvc.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dlcfcoms.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Verizon\VSP\VerizonServicepoint.exe
C:\Program Files\Browser MOUSE\mouse32a.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Sunbelt Software\VIPRE\SBAMTray.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\mmc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Owner\My Documents\Downloads\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://home.verizon.yahoo.com/
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
uRunOnce: [Shockwave 8] "c:\windows\system32\macromed\shockwave 8\swinit.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [VerizonServicepoint.exe] "c:\program files\verizon\vsp\VerizonServicepoint.exe" /AUTORUN
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [FLMOFFICE4DMOUSE] c:\program files\browser mouse\mouse32a.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SBAMTray] "c:\program files\sunbelt software\vipre\SBAMTray.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\virtua~1.lnk - c:\windows\system32\virtualexpander\VirtualExpander.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxps://activatemywifi.verizon.net/sdcCommon/download/WIFI/Verizon%20WiFi%20Installer.cab
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\xktanzji.default\
FF - prefs.js: browser.search.selectedEngine - Bing
FF - prefs.js: browser.startup.homepage - hxxp://home.verizon.yahoo.com/
FF - component: c:\documents and settings\owner\application data\mozilla\firefox\profiles\xktanzji.default\extensions\{6ac85730-7d0f-4de0-b3fa-21142dd85326}\platform\winnt\components\ColorZilla.dll
FF - plugin: c:\documents and settings\owner\application data\move networks\plugins\npqmp071505000011.dll
FF - plugin: c:\documents and settings\owner\application data\mozilla\firefox\profiles\xktanzji.default\extensions\{195a3098-0bd5-4e90-ae22-ba1c540afd1e}\plugins\npGarmin.dll
FF - plugin: c:\documents and settings\owner\application data\mozilla\firefox\profiles\xktanzji.default\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll
FF - plugin: c:\documents and settings\owner\local settings\application data\unity\webplayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npMozCouponPrinter.dll
FF - plugin: c:\program files\verizon\vsp\nprpspa.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency",   1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug",            false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight",       2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize",       1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight",   25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight",     5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation",  false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [2010-5-4 13400]
R1 SbFw;SbFw;c:\windows\system32\drivers\SbFw.sys [2010-5-4 322904]
R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [2009-10-13 95024]
R1 SbTis;SbTis;c:\windows\system32\drivers\sbtis.sys [2010-5-4 204632]
R2 SBAMSvc;VIPRE Antivirus Premium;c:\program files\sunbelt software\vipre\SBAMSvc.exe [2010-4-30 2730120]
R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [2010-5-4 69720]
R2 SBPIMSvc;SB Recovery Service;c:\program files\sunbelt software\vipre\SBPIMSvc.exe [2010-4-30 181584]
R3 SBFWIMCL;Sunbelt Software Firewall NDIS IM Filter Miniport;c:\windows\system32\drivers\SbFwIm.sys [2010-3-13 67800]
R3 SbHips;sbhips;c:\windows\system32\drivers\sbhips.sys [2010-5-4 86232]

=============== Created Last 30 ================

2010-05-12 12:44    411,368    a-------    c:\windows\system32\deployJava1.dll
2010-05-12 12:44    73,728    a-------    c:\windows\system32\javacpl.cpl
2010-05-09 15:32        --d-----    c:\program files\Trend Micro
2010-05-08 17:12        --d-----    c:\windows\system32\VirtualExpander
2010-05-04 21:30    69,720    a-------    c:\windows\system32\drivers\sbapifs.sys
2010-05-04 21:28    13,400    a-------    c:\windows\system32\drivers\sbaphd.sys
2010-05-04 21:23    204,632    a-------    c:\windows\system32\drivers\sbtis.sys
2010-05-04 21:23    86,232    a-------    c:\windows\system32\drivers\sbhips.sys
2010-05-04 21:22    322,904    a-------    c:\windows\system32\drivers\SbFw.sys
2010-04-30 12:31    27,984    a-------    c:\windows\system32\sbbd.exe
2010-04-28 07:13        --d-----    c:\windows\system32\wbem\Repository
2010-04-27 22:34        --d-----    c:\windows\Cache
2010-04-27 22:33        --d-----    c:\windows\Performance
2010-04-27 22:32        --d-----    c:\docume~1\owner\applic~1\GARMIN
2010-04-27 22:32        --d-----    c:\windows\system32\Dell
2010-04-27 22:31        --d-----    C:\0c4c677c0e84eb8dd56dc00e2e
2010-04-24 19:44        --d-----    c:\docume~1\owner\applic~1\Malwarebytes
2010-04-24 19:43    38,224    a-------    c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-24 19:43    20,952    a-------    c:\windows\system32\drivers\mbam.sys
2010-04-24 19:43        --d-----    c:\program files\Malwarebytes' Anti-Malware
2010-04-24 19:43        --d-----    c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-04-24 18:31        --d-----    C:\VIPRERESCUE
2010-04-24 11:52    116,224    ac------    c:\windows\system32\dllcache\xrxwiadr.dll
2010-04-24 11:52    23,040    ac------    c:\windows\system32\dllcache\xrxwbtmp.dll
2010-04-24 11:52    17,408    ac------    c:\windows\system32\dllcache\xrxscnui.dll
2010-04-24 11:52    27,648    ac------    c:\windows\system32\dllcache\xrxftplt.exe
2010-04-24 11:52    4,608    ac------    c:\windows\system32\dllcache\xrxflnch.exe
2010-04-24 11:51    99,865    ac------    c:\windows\system32\dllcache\xlog.exe
2010-04-24 11:51    16,970    ac------    c:\windows\system32\dllcache\xem336n5.sys
2010-04-24 11:51    19,455    ac------    c:\windows\system32\dllcache\wvchntxx.sys
2010-04-24 11:51    19,328    ac------    c:\windows\system32\dllcache\wstcodec.sys
2010-04-24 11:51    12,063    ac------    c:\windows\system32\dllcache\wsiintxx.sys
2010-04-24 11:51    8,192    ac------    c:\windows\system32\dllcache\wshirda.dll
2010-04-24 11:51    8,832    ac------    c:\windows\system32\dllcache\wmiacpi.sys
2010-04-24 11:51    154,624    ac------    c:\windows\system32\dllcache\wlluc48.sys
2010-04-24 11:51    34,890    ac------    c:\windows\system32\dllcache\wlandrv2.sys
2010-04-24 11:51    771,581    ac------    c:\windows\system32\dllcache\winacisa.sys
2010-04-24 11:51    53,760    ac------    c:\windows\system32\dllcache\wiamsmud.dll
2010-04-24 11:51    87,040    ac------    c:\windows\system32\dllcache\wiafbdrv.dll
2010-04-24 11:49    24,576    ac------    c:\windows\system32\dllcache\viairda.sys
2010-04-24 11:48    28,160    ac------    c:\windows\system32\dllcache\umaxu40.dll
2010-04-24 11:47    159,232    ac------    c:\windows\system32\dllcache\tridkbm.sys
2010-04-24 11:46    17,129    ac------    c:\windows\system32\dllcache\tdkcd31.sys
2010-04-24 11:45    10,240    ac------    c:\windows\system32\dllcache\swpdflt2.dll
2010-04-24 11:44    37,040    ac------    c:\windows\system32\dllcache\sonypi.sys
2010-04-24 11:43    28,160    ac------    c:\windows\system32\dllcache\sm91w.dll
2010-04-24 11:42    161,568    ac------    c:\windows\system32\dllcache\sgsmusb.sys
2010-04-24 11:42    18,400    ac------    c:\windows\system32\dllcache\sgsmld.sys
2010-04-24 11:42    98,080    ac------    c:\windows\system32\dllcache\sgiulnt5.sys
2010-04-24 11:42    386,560    ac------    c:\windows\system32\dllcache\sgiul50.dll
2010-04-24 11:42    36,480    ac------    c:\windows\system32\dllcache\sfmanm.sys
2010-04-24 11:42    6,784    ac------    c:\windows\system32\dllcache\serscan.sys
2010-04-24 11:42    17,664    ac------    c:\windows\system32\dllcache\sermouse.sys
2010-04-24 11:42    6,912    ac------    c:\windows\system32\dllcache\seaddsmc.sys
2010-04-24 11:42    10,880    ac------    c:\windows\system32\dllcache\scsiscan.sys
2010-04-24 11:42    11,648    ac------    c:\windows\system32\dllcache\scsiprnt.sys
2010-04-24 11:42    17,280    ac------    c:\windows\system32\dllcache\scr111.sys
2010-04-24 11:42    16,640    ac------    c:\windows\system32\dllcache\scmstcs.sys
2010-04-24 11:42    23,936    ac------    c:\windows\system32\dllcache\sccmusbm.sys
2010-04-24 11:40    26,624    ac------    c:\windows\system32\dllcache\rw450ext.dll
2010-04-24 11:39    41,472    ac------    c:\windows\system32\dllcache\qvusd.dll
2010-04-24 11:38    7,552    ac------    c:\windows\system32\dllcache\powerfil.sys
2010-04-24 11:37    29,769    ac------    c:\windows\system32\dllcache\pcntn5m.sys
2010-04-24 11:36    43,689    ac------    c:\windows\system32\dllcache\otceth5.sys
2010-04-24 11:35    39,264    ac------    c:\windows\system32\dllcache\neo20xx.sys
2010-04-24 11:34    452,736    ac------    c:\windows\system32\dllcache\mtxparhm.sys
2010-04-24 11:33    320,384    ac------    c:\windows\system32\dllcache\mgaum.sys
2010-04-24 11:32    20,573    ac------    c:\windows\system32\dllcache\lne100.sys
2010-04-24 11:31    23,552    ac------    c:\windows\system32\dllcache\irmk7.sys
2010-04-24 11:30    91,136    ac------    c:\windows\system32\dllcache\icam4com.dll
2010-04-24 11:29    73,279    ac------    c:\windows\system32\dllcache\hsf_spkp.sys
2010-04-24 11:28    48,128    ac------    c:\windows\system32\dllcache\hpgt33tk.dll
2010-04-24 11:27    92,160    ac------    c:\windows\system32\dllcache\fuusd.dll
2010-04-24 11:26    63,360    ac------    c:\windows\system32\dllcache\ess.sys
2010-04-24 11:25    44,103    ac------    c:\windows\system32\dllcache\el515.sys
2010-04-24 11:24    419,357    ac------    c:\windows\system32\dllcache\dgconfig.dll
2010-04-24 11:23    9,344    ac------    c:\windows\system32\dllcache\compbatt.sys
2010-04-24 11:22    13,824    ac------    c:\windows\system32\dllcache\bulltlp3.sys
2010-04-24 11:21    73,216    ac------    c:\windows\system32\dllcache\atintuxx.sys
2010-04-24 11:20    12,288    ac------    c:\windows\system32\dllcache\4mmdat.sys
2010-04-24 11:20    762,780    ac------    c:\windows\system32\dllcache\3cwmcru.sys
2010-04-24 11:20    689,216    ac------    c:\windows\system32\dllcache\3dfxvs.dll
2010-04-24 11:20    148,352    ac------    c:\windows\system32\dllcache\3dfxvsm.sys
2010-04-24 11:20    11,264    ac------    c:\windows\system32\dllcache\1394vdbg.sys
2010-04-24 11:20    53,248    ac------    c:\windows\system32\dllcache\1394bus.sys
2010-04-24 11:20    66,048    ac------    c:\windows\system32\dllcache\s3legacy.dll
2010-04-23 18:03    230,824    a----r--    c:\windows\system32\cpnprt2.cid
2010-04-23 18:03        --d-----    c:\program files\Coupons

==================== Find3M  ====================

2010-05-03 20:00    2,418    a-------    c:\docume~1\owner\applic~1\wklnhst.dat
2010-04-21 13:49    24,932    a---h---    c:\windows\system32\mlfcache.dat
2010-03-28 12:15    107    --------    c:\docume~1\owner\applic~1\netstat.bat
2010-03-27 09:39    23,510,720    --------    c:\windows\dotnetfx.exe
2010-03-17 19:11    7,293    --------    c:\program files\ST6UNST.LOG
2010-03-17 19:08    249,856    --------    c:\windows\Setup1.exe
2010-03-17 19:08    73,216    --------    c:\windows\ST6UNST.EXE
2010-03-17 18:43    252,176    --------    c:\windows\system32\MSRD2X35.DLL
2010-03-10 04:02    417,792    a-------    c:\windows\system32\vbscript.dll
2010-02-26 02:12    662,016    a-------    c:\windows\system32\wininet.dll
2010-02-26 02:12    81,920    a-------    c:\windows\system32\ieencode.dll
2010-02-25 10:53    34,405    --------    c:\windows\DIIUnin.dat
2010-02-25 10:43    2,829    --------    c:\windows\DIIUnin.pif
2010-02-25 10:43    94,208    --------    c:\windows\DIIUnin.exe
2004-12-11 14:47    1,413,120    --------    c:\program files\NSObserverList.exe
2004-12-11 14:31    562,848    --------    c:\program files\NexStar Observer List Manual.pdf
2004-12-11 14:26    143,093    --------    c:\program files\helpmain.htm
2004-03-19 23:04    488    --------    c:\program files\help.htm
2003-12-31 22:52    5,335    --------    c:\program files\helptoc.htm
2003-12-28 13:24    6,506,496    --------    c:\program files\NSObserverList.mdb
2003-09-15 22:46    90,112    --------    c:\program files\NSObserverTemplate.tmp
2003-09-05 22:52    5,518    --------    c:\program files\Astronomy Friendly.Theme
2001-03-16 16:56    4,748    --------    c:\program files\License.rtf

============= FINISH:  8:56:57.07 ===============


DDS ATTACH LOG:


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-09-29.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 12/4/2009 22:04:24
System Uptime: 5/7/2010 13:46:00 (355 hours ago)

Motherboard: Dell Computer Corp. |  | 0WF887
Processor:                 Intel(R) Celeron(R) CPU 2.53GHz | Microprocessor | 2527/533mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 109 GiB total, 91.501 GiB free.
D: is FIXED (NTFS) - 37 GiB total, 24.659 GiB free.
E: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP1: 4/28/2010 07:07:36 - System Checkpoint
RP2: 4/28/2010 07:11:52 - c:/
RP3: 4/28/2010 07:12:53 - Restore Operation
RP4: 4/29/2010 15:36:49 - System Checkpoint
RP5: 4/30/2010 17:49:07 - System Checkpoint
RP6: 5/1/2010 19:12:14 - System Checkpoint
RP7: 5/2/2010 20:27:49 - System Checkpoint
RP8: 5/3/2010 20:36:29 - System Checkpoint
RP9: 5/4/2010 21:22:25 - Removed VIPRE Antivirus Premium.
RP10: 5/4/2010 21:22:53 - Installed VIPRE Antivirus Premium.
RP11: 5/5/2010 21:45:49 - System Checkpoint
RP12: 5/7/2010 14:02:38 - System Checkpoint
RP13: 5/8/2010 18:14:21 - System Checkpoint
RP14: 5/9/2010 19:33:18 - System Checkpoint
RP15: 5/10/2010 20:07:11 - System Checkpoint
RP16: 5/11/2010 20:50:05 - System Checkpoint
RP17: 5/12/2010 12:44:02 - Installed Java(TM) 6 Update 20
RP18: 5/13/2010 12:50:05 - System Checkpoint
RP19: 5/14/2010 12:52:35 - System Checkpoint
RP20: 5/15/2010 08:17:34 - Software Distribution Service 3.0
RP21: 5/16/2010 08:50:05 - System Checkpoint
RP22: 5/17/2010 09:50:05 - System Checkpoint
RP23: 5/18/2010 10:50:05 - System Checkpoint
RP24: 5/19/2010 11:50:05 - System Checkpoint
RP25: 5/20/2010 12:50:05 - System Checkpoint
RP26: 5/21/2010 13:50:05 - System Checkpoint

==== Installed Programs ======================

Acrobat.com
Adobe AIR
Adobe Flash Player 10 Plugin
Adobe Flash Player ActiveX
Adobe Reader 9.3.2
Amazon MP3 Downloader 1.0.9
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Bonjour
Browser MOUSE
Conexant D850 56K V.9x DFVc Modem
Coupon Printer for Windows
Dell Color Printer 725
Dell Resource CD
Diablo II
Driver Genius Professional Edition
Evidence The Last Ritual
GoToAssist 8.0.0.514
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB926239)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Intel(R) Extreme Graphics 2 Driver
Intel(R) Network Connections
iTunes
Java Auto Updater
Java(TM) 6 Update 20
Malwarebytes' Anti-Malware
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Works
Missing
Move Media Player
Mozilla Firefox (3.6.2)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6 Service Pack 2 (KB973686)
NexStar Observer List
NexStar Observer List (C:\Program Files\)
QuickTime
Return to Mysterious Island
Sansa Updater
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB926247)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB929969)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB944338-v2)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958470)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371-v2)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974455)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB976325)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB981350)
Shockwave
SoundMAX
TheSkyX First Light Edition
Unity Web Player
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB910437)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB955759)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Update for Windows XP (KB976749)
Update for Windows XP (KB978207)
Update for Windows XP (KB980182)
Verizon High Speed Internet
Verizon Servicepoint 1.5.24
VIPRE Antivirus Premium
WebFldrs XP
Windows Backup Utility
Windows Genuine Advantage Validation Tool (KB892130)
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Hotfix - KB839210
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB888113
Yahoo! Install Manager

==== End Of File ===========================

OK, so there's the goods. Let's see what may be revealed.

I thank you for your time and effort. Hope to hear from you soon.

COL>

1.5K Posts

May 22nd, 2010 14:00

Hi colonelh,

You're welcome,

Nothing major showing in the logs, just a bit of adware.

 

First I need you to go to:

  • Start (windows icon bottom left corner of screen)
  • Control panel
  • Add/Remove programs

Coupon Printer for Windows

  • Uninstall
  • Reboot PC

 

Please download OTM by OldTimer. Save it to your desktop.

Double click OTM.exe to start the tool.

  • Copy the text between the dotted lines below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    ----------------------------------------------------------------------

    :files
    c:\windows\system32\cpnprt2.cid
    c:\program files\Coupons

    :commands
    [emptytemp]
    [reboot]

    ---------------------------------------------------------------------

    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
    • Click the red Moveit! button.
    • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
    • Close OTM

    Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

     

    If the machine reboots, the Results log can be found here:

    c:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log

    Where mmddyyyy_hhmmss is the date of the tool run.


    After the machine has rebooted, please navigate to the folder C:\0c4c677c0e84eb8dd56dc00e2e and list for me all the files, if any, that are in it.

    And please tell me: are you putting your system into sleep mode and it is waking itself, or are you trying to put your system into sleep mode and the whole system is rebooting?

    Thanks
    K27.

19 Posts

May 23rd, 2010 09:00

Hey K27,

Went through all your suggested routines and here's what we've got.

The OTM results:

All processes killed
========== FILES ==========
File/Folder c:\windows\system32\cpnprt2.cid not found.
File/Folder c:\program files\Coupons not found.
========== COMMANDS ==========
 
[EMPTYTEMP]
 
User: All Users
 
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 41044 bytes
 
User: Guest
->Temp folder emptied: 2687 bytes
->Temporary Internet Files folder emptied: 334340 bytes
->Flash cache emptied: 41044 bytes
 
User: LocalService
->Temp folder emptied: 65984 bytes
->Temporary Internet Files folder emptied: 32902 bytes
 
User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
 
User: Owner
->Temp folder emptied: 623332765 bytes
->Temporary Internet Files folder emptied: 3956692 bytes
->Java cache emptied: 11554 bytes
->FireFox cache emptied: 87687096 bytes
->Flash cache emptied: 123238 bytes
 
User: Systech
 
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 2175612 bytes
%systemroot%\System32 .tmp files removed: 2932753 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 9959293 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes
 
Total Files Cleaned = 697.00 mb
 
 
OTM by OldTimer - Version 3.1.12.0 log created on 05232010_103817

Files moved on Reboot...

Registry entries deleted on Reboot...

 

In the folder C:\0c4c677c0e84eb8dd56dc00e2e there were two folders, amd64 and i386, both containing these files:

C:\0c4c677c0e84eb8dd56dc00e2e\amd64\filterpipelineprintproc.dll
C:\0c4c677c0e84eb8dd56dc00e2e\amd64\msxpsdrv.cat
C:\0c4c677c0e84eb8dd56dc00e2e\amd64\msxpsdrv.inf
C:\0c4c677c0e84eb8dd56dc00e2e\amd64\msxpsinc.gpd
C:\0c4c677c0e84eb8dd56dc00e2e\amd64\msxpsinc.ppd
C:\0c4c677c0e84eb8dd56dc00e2e\amd64\mxdwdrv.dll
C:\0c4c677c0e84eb8dd56dc00e2e\amd64\xpssvcs.dll

The only difference I see in the files was the version number of: C:\0c4c677c0e84eb8dd56dc00e2e\i386\filterpipelineprintproc.dll

All that said and done, the system repeatedly sleeps and wakes itself. It does not go through a total reboot.

Thanks again,

COL>

 

1.5K Posts

May 24th, 2010 12:00

Hi colonelh,

I would like to run a few more scans just to double check that there is no infection hiding on the system.

YOU MUST DISABLE ALL REAL TIME PROTECTION BEFORE RUNNING THE NEXT TOOL.

Next, download this Antirootkit Program to a folder that you create such as C:\ARK, by choosing the "Download EXE" button on the webpage.

Disable the active protection component of your antivirus and antispyware programs by following the directions that apply here:
http://www.bleepingcomputer.com/forums/topic114351.html

Next, please perform a rootkit scan:

  • Double-click the randomly named EXE located in the C:\ARK folder that you just downloaded to launch it
  • When the program opens, it will automatically initiate a very fast scan of common rootkit hiding places.
  • When the "quick" scan is finished (a few seconds), click the Rootkit/Malware tab, and then select the Scan button.
  • Leave your system completely idle while this longer scan is in progress.
  • When the scan is done, save the scan log to the Windows clipboard
  • Open Notepad or a similar text editor
  • Paste the clipboard contents into a text file by clicking Edit | Paste or Ctrl+V
  • Exit the Program
  • Save the Scan log as ARK.txt and post it in your next reply.
  • Now, re-enable the active protection component of any antivirus/antimalware programs you disabled before performing the scan.

 

If the ARK tool crashes your machine or causes a Blue Screen error, please post the log results from the first initial quick scan; this can be saved in the same way as the full scan in the above instructions.

 

Then please Run an online virus scan called Kaspersky from HERE.

  1. At the main page, press "Accept" after reading the contents.
  2. At the next window select Update. Allow the database to update.
     Note: If prompted to run or update your Java, then follow the prompts to do so. Kaspersky requires Java to run.
  3. Once the database has finished, under the Scan icon select My Computer to start the scan. The scan may take a few minutes to complete.
  4. Select Scan Report.
  5. If any threats were found they will appear in the report.
  6. Select "Save error report as". In the file name just type in kaspersky; under "save as type" select text (.txt); save it to your Desktop.

     

    Copy and post the results of the ARK log and the Kaspersky Online scan. If Kaspersky reports no threats were found then report that as well.

     

Thanks

K27.
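The ARK log requested above is a GMER text log. The script below is an added example written for this page; it is not part of any post in this thread, of GMER, or of any vendor tool. It parses the two GMER record types that decide whether such a log looks clean (SSDT entries and inline user-mode hooks) and sorts them into hooks owned by a vendor known to be installed and hooks nobody owns. Two things are assumptions: the trusted-vendor list (Sunbelt, the VIPRE vendor on this machine), and the sample log, which is constructed from shortened lines of the thread's own GMER output plus one hypothetical SSDT entry (example.sys, not a real file) so that the review path is exercised.

```python
"""Triage helper for a GMER anti-rootkit (ARK) log.

Added example for this thread: not part of any post here, of GMER, or of any
vendor tool.  It reads SSDT entries and inline user-mode hooks from a GMER log
and separates hooks owned by a vendor known to be installed from hooks nobody
owns.  The vendor allow-list (Sunbelt, the VIPRE vendor installed on this
machine) is an assumption; adjust it to what the host actually runs.
"""
import re
from collections import defaultdict

# Assumption: vendors whose kernel/user-mode hooks are expected on this host.
TRUSTED_VENDORS = {"Sunbelt Software", "Sunbelt Software, Inc."}

# SSDT  <driver> [(description/vendor)]  <ZwFunction> [0xADDR]
SSDT_RE = re.compile(
    r"^SSDT\s+(?P<driver>\S+)"
    r"(?:\s+\((?P<desc>[^)]*)\))?"
    r"\s+(?P<func>Zw\w+)\s+\[0x(?P<addr>[0-9A-Fa-f]+)\]"
)
# .text  <process>[pid] <module>!<api>  <addr> <n> Bytes  JMP <target> [<owner>]
INLINE_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[\w.]+)!(?P<api>\w+)\s+"
    r"(?P<at>[0-9A-F]{8})\s+(?P<n>\d+)\s+Bytes?\s+JMP\s+(?P<target>[0-9A-F]{8})"
    r"(?:\s+(?P<owner>\S.*))?$"
)


def parse_gmer(text):
    """Return (ssdt_entries, inline_hooks) parsed from a GMER log."""
    ssdt, inline = [], []
    for line in text.splitlines():
        m = SSDT_RE.match(line)
        if m:
            desc = m.group("desc") or ""
            ssdt.append({
                "driver": m.group("driver"),
                # GMER prints "<file description>/<company>"; keep the company.
                "vendor": desc.rsplit("/", 1)[-1].strip(),
                "func": m.group("func"),
                "addr": int(m.group("addr"), 16),
            })
            continue
        m = INLINE_RE.match(line)
        if m:
            inline.append({
                "proc": m.group("proc"),
                "pid": int(m.group("pid")),
                "api": f"{m.group('module')}!{m.group('api')}",
                "target": int(m.group("target"), 16),
                # Module GMER resolved the JMP target to, or "" if none.
                "owner": (m.group("owner") or "").strip(),
            })
    return ssdt, inline


def triage_ssdt(ssdt):
    """SSDT entries not owned by a trusted vendor.  A driver GMER cannot
    describe shows up with an empty vendor, which is what a rootkit produces."""
    return [e for e in ssdt if e["vendor"] not in TRUSTED_VENDORS]


def triage_inline(inline):
    """Per process: hooked APIs and the 64 KiB regions that unattributed JMP
    targets fall into.  Many APIs jumping into one region GMER could not map
    to a module is a single injected hook-stub area: that is how a HIPS/AV
    user-mode component looks, and also how a user-mode rootkit looks, so it
    is reported for review rather than silently accepted."""
    per_proc = defaultdict(list)
    for h in inline:
        per_proc[(h["proc"], h["pid"])].append(h)
    report = {}
    for key, hooks in per_proc.items():
        unattributed = [h for h in hooks if not h["owner"]]
        regions = sorted({h["target"] & ~0xFFFF for h in unattributed})
        report[key] = {
            "hooked_apis": sorted(h["api"] for h in hooks),
            "unattributed": len(unattributed),
            "stub_regions": [f"0x{r:08X}" for r in regions],
            "review": bool(unattributed),
        }
    return report


# Constructed sample: shortened lines from the thread's GMER log, plus one
# hypothetical SSDT entry (example.sys is not a real file) to exercise the flag path.
SAMPLE_LOG = r"""
---- System - GMER 1.0.15 ----

SSDT   \SystemRoot\system32\drivers\sbaphd.sys (Sunbelt ActiveProtection hook driver/Sunbelt Software)   ZwCreateKey [0xF79BC4D0]
SSDT   \SystemRoot\system32\drivers\sbhips.sys (Legacy Host Intrusion Prevention System Driver/Sunbelt Software, Inc.)   ZwLoadDriver [0xEC3CBEC4]
SSDT   \??\C:\WINDOWS\system32\drivers\example.sys   ZwQueryDirectoryFile [0xF8A10000]

---- User code sections - GMER 1.0.15 ----

.text   C:\Program Files\Mozilla Firefox\firefox.exe[208] ntdll.dll!LdrLoadDll   7C915CBB 5 Bytes  JMP 004013F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)
.text   C:\Program Files\Mozilla Firefox\firefox.exe[208] kernel32.dll!VirtualProtectEx   7C801A5D 5 Bytes  JMP 001301A8
.text   C:\Program Files\Mozilla Firefox\firefox.exe[208] kernel32.dll!CreateRemoteThread   7C81043C 5 Bytes  JMP 001304F0
.text   C:\WINDOWS\system32\svchost.exe[564] USER32.dll!SetWindowsHookExW   77D6E621 3 Bytes  JMP 006207AC
.text   C:\WINDOWS\system32\svchost.exe[564] USER32.dll!SetWindowsHookExW + 4   77D6E625 1 Byte  [88]
"""

if __name__ == "__main__":
    ssdt, inline = parse_gmer(SAMPLE_LOG)
    for e in triage_ssdt(ssdt):
        print(f"REVIEW SSDT {e['func']} <- {e['driver']} (vendor: {e['vendor'] or 'none'})")
    for (proc, pid), r in triage_inline(inline).items():
        tag = "REVIEW" if r["review"] else "ok"
        print(f"{tag} {proc}[{pid}]: {len(r['hooked_apis'])} hooks, "
              f"{r['unattributed']} unattributed -> {', '.join(r['stub_regions'])}")
```

Run it on a saved ARK.txt by replacing SAMPLE_LOG with the file's contents. A REVIEW line is a starting point, not a verdict: the SSDT hooks in the thread's log are all attributed to Sunbelt drivers and are therefore expected, while the inline hooks that all land in one unattributed 64 KiB region per process are what an AV/HIPS user-mode component looks like and also what a user-mode rootkit looks like, so the DLL that owns that region still has to be identified (for instance by listing the process's loaded modules) before the log is called clean.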

 

1.5K Posts

May 31st, 2010 04:00

colonelh,

Do you still require assistance?

19 Posts

May 31st, 2010 17:00

Hey K27,

Sorry about the lapse, haven't had time.

The issue does remain and here is the ARK report.

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-05-31 18:55:58
Windows 5.1.2600 Service Pack 2
Running: 0lcwtx00.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\fwtdqpob.sys


---- System - GMER 1.0.15 ----

SSDT            \SystemRoot\system32\drivers\sbaphd.sys (Sunbelt ActiveProtection hook driver/Sunbelt Software)                                                 ZwCreateKey [0xF79BC4D0]
SSDT            \SystemRoot\system32\drivers\sbhips.sys (Legacy Host Intrusion Prevention System Driver/Sunbelt Software, Inc.)                                 ZwLoadDriver [0xEC3CBEC4]
SSDT            \SystemRoot\system32\drivers\sbhips.sys (Legacy Host Intrusion Prevention System Driver/Sunbelt Software, Inc.)                                 ZwMapViewOfSection [0xEC3CC07A]
SSDT            \SystemRoot\system32\drivers\sbaphd.sys (Sunbelt ActiveProtection hook driver/Sunbelt Software)                                                 ZwSetValueKey [0xF79BC520]

---- Kernel code sections - GMER 1.0.15 ----

init            C:\WINDOWS\system32\drivers\senfilt.sys                                                                                                         entry point in "init" section [0xF6CDFF80]

---- User code sections - GMER 1.0.15 ----

.text           C:\Program Files\Mozilla Firefox\firefox.exe[208] ntdll.dll!LdrLoadDll                                                                          7C915CBB 5 Bytes  JMP 004013F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)
.text           C:\Program Files\Mozilla Firefox\firefox.exe[208] kernel32.dll!VirtualProtectEx                                                                 7C801A5D 5 Bytes  JMP 001301A8
.text           C:\Program Files\Mozilla Firefox\firefox.exe[208] kernel32.dll!VirtualProtect                                                                   7C801AD0 5 Bytes  JMP 00130090
.text           C:\Program Files\Mozilla Firefox\firefox.exe[208] kernel32.dll!WriteProcessMemory                                                               7C80220F 5 Bytes  JMP 00130694
.text           C:\Program Files\Mozilla Firefox\firefox.exe[208] kernel32.dll!CreateProcessW                                                                   7C802332 5 Bytes  JMP 001302C0
.text           C:\Program Files\Mozilla Firefox\firefox.exe[208] kernel32.dll!CreateProcessA                                                                   7C802367 5 Bytes  JMP 00130234
.text           C:\Program Files\Mozilla Firefox\firefox.exe[208] kernel32.dll!VirtualAlloc                                                                     7C809A61 5 Bytes  JMP 00130004
.text           C:\Program Files\Mozilla Firefox\firefox.exe[208] kernel32.dll!VirtualAllocEx                                                                   7C809A82 5 Bytes  JMP 0013011C
.text           C:\Program Files\Mozilla Firefox\firefox.exe[208] kernel32.dll!CreateRemoteThread                                                               7C81043C 5 Bytes  JMP 001304F0
.text           C:\Program Files\Mozilla Firefox\firefox.exe[208] kernel32.dll!CreateThread                                                                     7C810647 5 Bytes  JMP 0013057C
.text           C:\Program Files\Mozilla Firefox\firefox.exe[208] kernel32.dll!CreateProcessInternalW                                                           7C819527 5 Bytes  JMP 001303D8
.text           C:\Program Files\Mozilla Firefox\firefox.exe[208] kernel32.dll!CreateProcessInternalA                                                           7C81DDE6 5 Bytes  JMP 0013034C
.text           C:\Program Files\Mozilla Firefox\firefox.exe[208] kernel32.dll!WinExec                                                                          7C86158D 5 Bytes  JMP 00130464
.text           C:\Program Files\Mozilla Firefox\firefox.exe[208] kernel32.dll!SetThreadContext                                                                 7C862C89 5 Bytes  JMP 00130608
.text           C:\Program Files\Mozilla Firefox\firefox.exe[208] WS2_32.dll!socket                                                                             71AB3B91 5 Bytes  JMP 001308C4
.text           C:\Program Files\Mozilla Firefox\firefox.exe[208] WS2_32.dll!bind                                                                               71AB3E00 5 Bytes  JMP 00130838
.text           C:\Program Files\Mozilla Firefox\firefox.exe[208] WS2_32.dll!connect                                                                            71AB406A 5 Bytes  JMP 00130950
.text           C:\Program Files\Mozilla Firefox\firefox.exe[208] USER32.dll!SetWindowsHookExW                                                                  77D6E621 5 Bytes  JMP 001307AC
.text           C:\Program Files\Mozilla Firefox\firefox.exe[208] USER32.dll!SetWindowsHookExA                                                                  77D702B2 5 Bytes  JMP 00130720
.text           C:\Program Files\Mozilla Firefox\firefox.exe[208] WININET.dll!InternetOpenW                                                                     771BAEED 5 Bytes  JMP 00130DB0
.text           C:\Program Files\Mozilla Firefox\firefox.exe[208] WININET.dll!InternetConnectA                                                                  771C308A 5 Bytes  JMP 00130F54
.text           C:\Program Files\Mozilla Firefox\firefox.exe[208] WININET.dll!InternetOpenA                                                                     771C573E 5 Bytes  JMP 00130D24
.text           C:\Program Files\Mozilla Firefox\firefox.exe[208] WININET.dll!InternetOpenUrlA                                                                  771C59F1 5 Bytes  JMP 00130E3C
.text           C:\Program Files\Mozilla Firefox\firefox.exe[208] WININET.dll!InternetConnectW                                                                  771CEDC8 5 Bytes  JMP 00130FE0
.text           C:\Program Files\Mozilla Firefox\firefox.exe[208] WININET.dll!InternetOpenUrlW                                                                  771D5B3A 5 Bytes  JMP 00130EC8
.text           C:\WINDOWS\system32\svchost.exe[496] kernel32.dll!VirtualProtectEx                                                                              7C801A5D 5 Bytes  JMP 000801A8
.text           C:\WINDOWS\system32\svchost.exe[496] kernel32.dll!VirtualProtect                                                                                7C801AD0 5 Bytes  JMP 00080090
.text           C:\WINDOWS\system32\svchost.exe[496] kernel32.dll!WriteProcessMemory                                                                            7C80220F 5 Bytes  JMP 00080694
.text           C:\WINDOWS\system32\svchost.exe[496] kernel32.dll!CreateProcessW                                                                                7C802332 5 Bytes  JMP 000802C0
.text           C:\WINDOWS\system32\svchost.exe[496] kernel32.dll!CreateProcessA                                                                                7C802367 5 Bytes  JMP 00080234
.text           C:\WINDOWS\system32\svchost.exe[496] kernel32.dll!VirtualAlloc                                                                                  7C809A61 5 Bytes  JMP 00080004
.text           C:\WINDOWS\system32\svchost.exe[496] kernel32.dll!VirtualAllocEx                                                                                7C809A82 5 Bytes  JMP 0008011C
.text           C:\WINDOWS\system32\svchost.exe[496] kernel32.dll!CreateRemoteThread                                                                            7C81043C 5 Bytes  JMP 000804F0
.text           C:\WINDOWS\system32\svchost.exe[496] kernel32.dll!CreateThread                                                                                  7C810647 5 Bytes  JMP 0008057C
.text           C:\WINDOWS\system32\svchost.exe[496] kernel32.dll!CreateProcessInternalW                                                                        7C819527 5 Bytes  JMP 000803D8
.text           C:\WINDOWS\system32\svchost.exe[496] kernel32.dll!CreateProcessInternalA                                                                        7C81DDE6 5 Bytes  JMP 0008034C
.text           C:\WINDOWS\system32\svchost.exe[496] kernel32.dll!WinExec                                                                                       7C86158D 5 Bytes  JMP 00080464
.text           C:\WINDOWS\system32\svchost.exe[496] kernel32.dll!SetThreadContext                                                                              7C862C89 5 Bytes  JMP 00080608
.text           C:\WINDOWS\system32\svchost.exe[496] USER32.dll!SetWindowsHookExW                                                                               77D6E621 5 Bytes  JMP 000807AC
.text           C:\WINDOWS\system32\svchost.exe[496] USER32.dll!SetWindowsHookExA                                                                               77D702B2 5 Bytes  JMP 00080720
.text           C:\WINDOWS\system32\svchost.exe[564] ntdll.dll!NtAllocateVirtualMemory                                                                          7C90CF6E 5 Bytes  JMP 0062106C
.text           C:\WINDOWS\system32\svchost.exe[564] ntdll.dll!NtCreateThread                                                                                   7C90D1AE 5 Bytes  JMP 00621184
.text           C:\WINDOWS\system32\svchost.exe[564] ntdll.dll!NtProtectVirtualMemory                                                                           7C90D6EE 5 Bytes  JMP 006210F8
.text           C:\WINDOWS\system32\svchost.exe[564] kernel32.dll!VirtualProtectEx                                                                              7C801A5D 5 Bytes  JMP 006201A8
.text           C:\WINDOWS\system32\svchost.exe[564] kernel32.dll!VirtualProtect                                                                                7C801AD0 5 Bytes  JMP 00620090
.text           C:\WINDOWS\system32\svchost.exe[564] kernel32.dll!WriteProcessMemory                                                                            7C80220F 5 Bytes  JMP 00620694
.text           C:\WINDOWS\system32\svchost.exe[564] kernel32.dll!CreateProcessW                                                                                7C802332 5 Bytes  JMP 006202C0
.text           C:\WINDOWS\system32\svchost.exe[564] kernel32.dll!CreateProcessA                                                                                7C802367 5 Bytes  JMP 00620234
.text           C:\WINDOWS\system32\svchost.exe[564] kernel32.dll!VirtualAlloc                                                                                  7C809A61 5 Bytes  JMP 00620004
.text           C:\WINDOWS\system32\svchost.exe[564] kernel32.dll!VirtualAllocEx                                                                                7C809A82 5 Bytes  JMP 0062011C
.text           C:\WINDOWS\system32\svchost.exe[564] kernel32.dll!CreateRemoteThread                                                                            7C81043C 5 Bytes  JMP 006204F0
.text           C:\WINDOWS\system32\svchost.exe[564] kernel32.dll!CreateThread                                                                                  7C810647 5 Bytes  JMP 0062057C
.text           C:\WINDOWS\system32\svchost.exe[564] kernel32.dll!CreateProcessInternalW                                                                        7C819527 5 Bytes  JMP 006203D8
.text           C:\WINDOWS\system32\svchost.exe[564] kernel32.dll!CreateProcessInternalA                                                                        7C81DDE6 5 Bytes  JMP 0062034C
.text           C:\WINDOWS\system32\svchost.exe[564] kernel32.dll!WinExec                                                                                       7C86158D 5 Bytes  JMP 00620464
.text           C:\WINDOWS\system32\svchost.exe[564] kernel32.dll!SetThreadContext                                                                              7C862C89 5 Bytes  JMP 00620608
.text           C:\WINDOWS\system32\svchost.exe[564] USER32.dll!SetWindowsHookExW                                                                               77D6E621 3 Bytes  JMP 006207AC
.text           C:\WINDOWS\system32\svchost.exe[564] USER32.dll!SetWindowsHookExW + 4                                                                           77D6E625 1 Byte  [88]
.text           C:\WINDOWS\system32\svchost.exe[564] USER32.dll!SetWindowsHookExA                                                                               77D702B2 3 Bytes  JMP 00620720
.text           C:\WINDOWS\system32\svchost.exe[564] USER32.dll!SetWindowsHookExA + 4                                                                           77D702B6 1 Byte  [88]
.text           C:\WINDOWS\system32\svchost.exe[564] WININET.dll!InternetOpenW                                                                                  771BAEED 5 Bytes  JMP 00620DB0
.text           C:\WINDOWS\system32\svchost.exe[564] WININET.dll!InternetConnectA                                                                               771C308A 5 Bytes  JMP 00620F54
.text           C:\WINDOWS\system32\svchost.exe[564] WININET.dll!InternetOpenA                                                                                  771C573E 5 Bytes  JMP 00620D24
.text           C:\WINDOWS\system32\svchost.exe[564] WININET.dll!InternetOpenUrlA                                                                               771C59F1 5 Bytes  JMP 00620E3C
.text           C:\WINDOWS\system32\svchost.exe[564] WININET.dll!InternetConnectW                                                                               771CEDC8 5 Bytes  JMP 00620FE0
.text           C:\WINDOWS\system32\svchost.exe[564] WININET.dll!InternetOpenUrlW                                                                               771D5B3A 5 Bytes  JMP 00620EC8
.text           C:\WINDOWS\system32\svchost.exe[564] WS2_32.dll!socket                                                                                          71AB3B91 5 Bytes  JMP 006208C4
.text           C:\WINDOWS\system32\svchost.exe[564] WS2_32.dll!bind                                                                                            71AB3E00 5 Bytes  JMP 00620838
.text           C:\WINDOWS\system32\svchost.exe[564] WS2_32.dll!connect                                                                                         71AB406A 5 Bytes  JMP 00620950
.text           C:\Program Files\Java\jre6\bin\jqs.exe[632] ntdll.dll!NtAllocateVirtualMemory                                                                   7C90CF6E 5 Bytes  JMP 00E3106C
.text           C:\Program Files\Java\jre6\bin\jqs.exe[632] ntdll.dll!NtCreateThread                                                                            7C90D1AE 5 Bytes  JMP 00E31184
.text           C:\Program Files\Java\jre6\bin\jqs.exe[632] ntdll.dll!NtProtectVirtualMemory                                                                    7C90D6EE 5 Bytes  JMP 00E310F8
.text           C:\Program Files\Java\jre6\bin\jqs.exe[632] kernel32.dll!VirtualProtectEx                                                                       7C801A5D 5 Bytes  JMP 00E301A8
.text           C:\Program Files\Java\jre6\bin\jqs.exe[632] kernel32.dll!VirtualProtect                                                                         7C801AD0 5 Bytes  JMP 00E30090
.text           C:\Program Files\Java\jre6\bin\jqs.exe[632] kernel32.dll!WriteProcessMemory                                                                     7C80220F 5 Bytes  JMP 00E30694
.text           C:\Program Files\Java\jre6\bin\jqs.exe[632] kernel32.dll!CreateProcessW                                                                         7C802332 5 Bytes  JMP 00E302C0
.text           C:\Program Files\Java\jre6\bin\jqs.exe[632] kernel32.dll!CreateProcessA                                                                         7C802367 5 Bytes  JMP 00E30234
.text           C:\Program Files\Java\jre6\bin\jqs.exe[632] kernel32.dll!VirtualAlloc                                                                           7C809A61 5 Bytes  JMP 00E30004
.text           C:\Program Files\Java\jre6\bin\jqs.exe[632] kernel32.dll!VirtualAllocEx                                                                         7C809A82 5 Bytes  JMP 00E3011C
.text           C:\Program Files\Java\jre6\bin\jqs.exe[632] kernel32.dll!CreateRemoteThread                                                                     7C81043C 5 Bytes  JMP 00E304F0
.text           C:\Program Files\Java\jre6\bin\jqs.exe[632] kernel32.dll!CreateThread                                                                           7C810647 5 Bytes  JMP 00E3057C
.text           C:\Program Files\Java\jre6\bin\jqs.exe[632] kernel32.dll!CreateProcessInternalW                                                                 7C819527 5 Bytes  JMP 00E303D8
.text           C:\Program Files\Java\jre6\bin\jqs.exe[632] kernel32.dll!CreateProcessInternalA                                                                 7C81DDE6 5 Bytes  JMP 00E3034C
.text           C:\Program Files\Java\jre6\bin\jqs.exe[632] kernel32.dll!WinExec                                                                                7C86158D 5 Bytes  JMP 00E30464
.text           C:\Program Files\Java\jre6\bin\jqs.exe[632] kernel32.dll!SetThreadContext                                                                       7C862C89 5 Bytes  JMP 00E30608
.text           C:\Program Files\Java\jre6\bin\jqs.exe[632] WS2_32.dll!socket                                                                                   71AB3B91 5 Bytes  JMP 00E308C4
.text           C:\Program Files\Java\jre6\bin\jqs.exe[632] WS2_32.dll!bind                                                                                     71AB3E00 5 Bytes  JMP 00E30838
.text           C:\Program Files\Java\jre6\bin\jqs.exe[632] WS2_32.dll!connect                                                                                  71AB406A 5 Bytes  JMP 00E30950
.text           C:\Program Files\Java\jre6\bin\jqs.exe[632] USER32.dll!SetWindowsHookExW                                                                        77D6E621 5 Bytes  JMP 00E307AC
.text           C:\Program Files\Java\jre6\bin\jqs.exe[632] USER32.dll!SetWindowsHookExA                                                                        77D702B2 5 Bytes  JMP 00E30720
.text           C:\Program Files\Verizon\VSP\VerizonServicepoint.exe[776] ntdll.dll!NtAllocateVirtualMemory                                                     7C90CF6E 5 Bytes  JMP 00CA106C
.text           C:\Program Files\Verizon\VSP\VerizonServicepoint.exe[776] ntdll.dll!NtCreateThread                                                              7C90D1AE 5 Bytes  JMP 00CA1184
.text           C:\Program Files\Verizon\VSP\VerizonServicepoint.exe[776] ntdll.dll!NtProtectVirtualMemory                                                      7C90D6EE 5 Bytes  JMP 00CA10F8
.text           C:\Program Files\Verizon\VSP\VerizonServicepoint.exe[776] kernel32.dll!VirtualProtectEx                                                         7C801A5D 5 Bytes  JMP 00CA01A8
.text           C:\Program Files\Verizon\VSP\VerizonServicepoint.exe[776] kernel32.dll!VirtualProtect                                                           7C801AD0 5 Bytes  JMP 00CA0090
.text           C:\Program Files\Verizon\VSP\VerizonServicepoint.exe[776] kernel32.dll!WriteProcessMemory                                                       7C80220F 5 Bytes  JMP 00CA0694
.text           C:\Program Files\Verizon\VSP\VerizonServicepoint.exe[776] kernel32.dll!CreateProcessW                                                           7C802332 5 Bytes  JMP 00CA02C0
.text           C:\Program Files\Verizon\VSP\VerizonServicepoint.exe[776] kernel32.dll!CreateProcessA                                                           7C802367 5 Bytes  JMP 00CA0234
.text           C:\Program Files\Verizon\VSP\VerizonServicepoint.exe[776] kernel32.dll!VirtualAlloc                                                             7C809A61 5 Bytes  JMP 00CA0004
.text           C:\Program Files\Verizon\VSP\VerizonServicepoint.exe[776] kernel32.dll!VirtualAllocEx                                                           7C809A82 5 Bytes  JMP 00CA011C
.text           C:\Program Files\Verizon\VSP\VerizonServicepoint.exe[776] kernel32.dll!CreateRemoteThread                                                       7C81043C 5 Bytes  JMP 00CA04F0
.text           C:\Program Files\Verizon\VSP\VerizonServicepoint.exe[776] kernel32.dll!CreateThread                                                             7C810647 5 Bytes  JMP 00CA057C
.text           C:\Program Files\Verizon\VSP\VerizonServicepoint.exe[776] kernel32.dll!CreateProcessInternalW                                                   7C819527 5 Bytes  JMP 00CA03D8
.text           C:\Program Files\Verizon\VSP\VerizonServicepoint.exe[776] kernel32.dll!CreateProcessInternalA                                                   7C81DDE6 5 Bytes  JMP 00CA034C
.text           C:\Program Files\Verizon\VSP\VerizonServicepoint.exe[776] kernel32.dll!WinExec                                                                  7C86158D 5 Bytes  JMP 00CA0464
.text           C:\Program Files\Verizon\VSP\VerizonServicepoint.exe[776] kernel32.dll!SetThreadContext                                                         7C862C89 5 Bytes  JMP 00CA0608
.text           C:\Program Files\Verizon\VSP\VerizonServicepoint.exe[776] USER32.dll!SetWindowsHookExW                                                          77D6E621 5 Bytes  JMP 00CA07AC
.text           C:\Program Files\Verizon\VSP\VerizonServicepoint.exe[776] USER32.dll!SetWindowsHookExA                                                          77D702B2 5 Bytes  JMP 00CA0720
.text           C:\Program Files\Verizon\VSP\VerizonServicepoint.exe[776] WININET.dll!InternetOpenW                                                             771BAEED 5 Bytes  JMP 00CA0DB0
.text           C:\Program Files\Verizon\VSP\VerizonServicepoint.exe[776] WININET.dll!InternetConnectA                                                          771C308A 5 Bytes  JMP 00CA0F54
.text           C:\Program Files\Verizon\VSP\VerizonServicepoint.exe[776] WININET.dll!InternetOpenA                                                             771C573E 5 Bytes  JMP 00CA0D24
.text           C:\Program Files\Verizon\VSP\VerizonServicepoint.exe[776] WININET.dll!InternetOpenUrlA                                                          771C59F1 5 Bytes  JMP 00CA0E3C
.text           C:\Program Files\Verizon\VSP\VerizonServicepoint.exe[776] WININET.dll!InternetConnectW                                                          771CEDC8 5 Bytes  JMP 00CA0FE0
.text           C:\Program Files\Verizon\VSP\VerizonServicepoint.exe[776] WININET.dll!InternetOpenUrlW                                                          771D5B3A 5 Bytes  JMP 00CA0EC8
.text           C:\Program Files\Verizon\VSP\VerizonServicepoint.exe[776] WS2_32.dll!socket                                                                     71AB3B91 5 Bytes  JMP 00CA08C4
.text           C:\Program Files\Verizon\VSP\VerizonServicepoint.exe[776] WS2_32.dll!bind                                                                       71AB3E00 5 Bytes  JMP 00CA0838
.text           C:\Program Files\Verizon\VSP\VerizonServicepoint.exe[776] WS2_32.dll!connect                                                                    71AB406A 5 Bytes  JMP 00CA0950
.text           C:\Program Files\iPod\bin\iPodService.exe[856] ntdll.dll!NtAllocateVirtualMemory                                                                7C90CF6E 5 Bytes  JMP 0013106C
.text           C:\Program Files\iPod\bin\iPodService.exe[856] ntdll.dll!NtCreateThread                                                                         7C90D1AE 5 Bytes  JMP 00131184
.text           C:\Program Files\iPod\bin\iPodService.exe[856] ntdll.dll!NtProtectVirtualMemory                                                                 7C90D6EE 5 Bytes  JMP 001310F8
.text           C:\Program Files\iPod\bin\iPodService.exe[856] kernel32.dll!VirtualProtectEx                                                                    7C801A5D 5 Bytes  JMP 001301A8
.text           C:\Program Files\iPod\bin\iPodService.exe[856] kernel32.dll!VirtualProtect                                                                      7C801AD0 5 Bytes  JMP 00130090
.text           C:\Program Files\iPod\bin\iPodService.exe[856] kernel32.dll!WriteProcessMemory                                                                  7C80220F 5 Bytes  JMP 00130694
.text           C:\Program Files\iPod\bin\iPodService.exe[856] kernel32.dll!CreateProcessW                                                                      7C802332 5 Bytes  JMP 001302C0
.text           C:\Program Files\iPod\bin\iPodService.exe[856] kernel32.dll!CreateProcessA                                                                      7C802367 5 Bytes  JMP 00130234
.text           C:\Program Files\iPod\bin\iPodService.exe[856] kernel32.dll!VirtualAlloc                                                                        7C809A61 5 Bytes  JMP 00130004
.text           C:\Program Files\iPod\bin\iPodService.exe[856] kernel32.dll!VirtualAllocEx                                                                      7C809A82 5 Bytes  JMP 0013011C
.text           C:\Program Files\iPod\bin\iPodService.exe[856] kernel32.dll!CreateRemoteThread                                                                  7C81043C 5 Bytes  JMP 001304F0
.text           C:\Program Files\iPod\bin\iPodService.exe[856] kernel32.dll!CreateThread                                                                        7C810647 5 Bytes  JMP 0013057C
.text           C:\Program Files\iPod\bin\iPodService.exe[856] kernel32.dll!CreateProcessInternalW                                                              7C819527 5 Bytes  JMP 001303D8
.text           C:\Program Files\iPod\bin\iPodService.exe[856] kernel32.dll!CreateProcessInternalA                                                              7C81DDE6 5 Bytes  JMP 0013034C
.text           C:\Program Files\iPod\bin\iPodService.exe[856] kernel32.dll!WinExec                                                                             7C86158D 5 Bytes  JMP 00130464
.text           C:\Program Files\iPod\bin\iPodService.exe[856] kernel32.dll!SetThreadContext                                                                    7C862C89 5 Bytes  JMP 00130608
.text           C:\Program Files\iPod\bin\iPodService.exe[856] USER32.dll!SetWindowsHookExW                                                                     77D6E621 5 Bytes  JMP 001307AC
.text           C:\Program Files\iPod\bin\iPodService.exe[856] USER32.dll!SetWindowsHookExA                                                                     77D702B2 5 Bytes  JMP 00130720
.text           C:\WINDOWS\System32\snmp.exe[920] ntdll.dll!NtAllocateVirtualMemory                                                                             7C90CF6E 5 Bytes  JMP 0069106C
.text           C:\WINDOWS\System32\snmp.exe[920] ntdll.dll!NtCreateThread                                                                                      7C90D1AE 5 Bytes  JMP 00691184
.text           C:\WINDOWS\System32\snmp.exe[920] ntdll.dll!NtProtectVirtualMemory                                                                              7C90D6EE 5 Bytes  JMP 006910F8
.text           C:\WINDOWS\System32\snmp.exe[920] kernel32.dll!VirtualProtectEx                                                                                 7C801A5D 5 Bytes  JMP 006901A8
.text           C:\WINDOWS\System32\snmp.exe[920] kernel32.dll!VirtualProtect                                                                                   7C801AD0 5 Bytes  JMP 00690090
.text           C:\WINDOWS\System32\snmp.exe[920] kernel32.dll!WriteProcessMemory                                                                               7C80220F 5 Bytes  JMP 00690694
.text           C:\WINDOWS\System32\snmp.exe[920] kernel32.dll!CreateProcessW                                                                                   7C802332 5 Bytes  JMP 006902C0
.text           C:\WINDOWS\System32\snmp.exe[920] kernel32.dll!CreateProcessA                                                                                   7C802367 5 Bytes  JMP 00690234
.text           C:\WINDOWS\System32\snmp.exe[920] kernel32.dll!VirtualAlloc                                                                                     7C809A61 5 Bytes  JMP 00690004
.text           C:\WINDOWS\System32\snmp.exe[920] kernel32.dll!VirtualAllocEx                                                                                   7C809A82 5 Bytes  JMP 0069011C
.text           C:\WINDOWS\System32\snmp.exe[920] kernel32.dll!CreateRemoteThread                                                                               7C81043C 5 Bytes  JMP 006904F0
.text           C:\WINDOWS\System32\snmp.exe[920] kernel32.dll!CreateThread                                                                                     7C810647 5 Bytes  JMP 0069057C
.text           C:\WINDOWS\System32\snmp.exe[920] kernel32.dll!CreateProcessInternalW                                                                           7C819527 5 Bytes  JMP 006903D8
.text           C:\WINDOWS\System32\snmp.exe[920] kernel32.dll!CreateProcessInternalA                                                                           7C81DDE6 5 Bytes  JMP 0069034C
.text           C:\WINDOWS\System32\snmp.exe[920] kernel32.dll!WinExec                                                                                          7C86158D 5 Bytes  JMP 00690464
.text           C:\WINDOWS\System32\snmp.exe[920] kernel32.dll!SetThreadContext                                                                                 7C862C89 5 Bytes  JMP 00690608
.text           C:\WINDOWS\System32\snmp.exe[920] WS2_32.dll!socket                                                                                             71AB3B91 5 Bytes  JMP 006908C4
.text           C:\WINDOWS\System32\snmp.exe[920] WS2_32.dll!bind                                                                                               71AB3E00 5 Bytes  JMP 00690838
.text           C:\WINDOWS\System32\snmp.exe[920] WS2_32.dll!connect                                                                                            71AB406A 5 Bytes  JMP 00690950
.text           C:\WINDOWS\System32\snmp.exe[920] USER32.dll!SetWindowsHookExW                                                                                  77D6E621 5 Bytes  JMP 006907AC
.text           C:\WINDOWS\System32\snmp.exe[920] USER32.dll!SetWindowsHookExA                                                                                  77D702B2 5 Bytes  JMP 00690720
.text           C:\WINDOWS\System32\smss.exe[956] ntdll.dll!NtAllocateVirtualMemory                                                                             7C90CF6E 5 Bytes  JMP 0030106C
.text           C:\WINDOWS\System32\smss.exe[956] ntdll.dll!NtCreateThread                                                                                      7C90D1AE 5 Bytes  JMP 00301184
.text           C:\WINDOWS\System32\smss.exe[956] ntdll.dll!NtProtectVirtualMemory                                                                              7C90D6EE 5 Bytes  JMP 003010F8
.text           C:\Program Files\Sunbelt Software\VIPRE\SBAMTray.exe[976] kernel32.dll!VirtualProtectEx                                                         7C801A5D 5 Bytes  JMP 001301A8
.text           C:\Program Files\Sunbelt Software\VIPRE\SBAMTray.exe[976] kernel32.dll!VirtualProtect                                                           7C801AD0 5 Bytes  JMP 00130090
.text           C:\Program Files\Sunbelt Software\VIPRE\SBAMTray.exe[976] kernel32.dll!WriteProcessMemory                                                       7C80220F 5 Bytes  JMP 00130694
.text           C:\Program Files\Sunbelt Software\VIPRE\SBAMTray.exe[976] kernel32.dll!CreateProcessW                                                           7C802332 5 Bytes  JMP 001302C0
.text           C:\Program Files\Sunbelt Software\VIPRE\SBAMTray.exe[976] kernel32.dll!CreateProcessA                                                           7C802367 5 Bytes  JMP 00130234
.text           C:\Program Files\Sunbelt Software\VIPRE\SBAMTray.exe[976] kernel32.dll!VirtualAlloc                                                             7C809A61 5 Bytes  JMP 00130004
.text           C:\Program Files\Sunbelt Software\VIPRE\SBAMTray.exe[976] kernel32.dll!VirtualAllocEx                                                           7C809A82 5 Bytes  JMP 0013011C
.text           C:\Program Files\Sunbelt Software\VIPRE\SBAMTray.exe[976] kernel32.dll!CreateRemoteThread                                                       7C81043C 5 Bytes  JMP 001304F0
.text           C:\Program Files\Sunbelt Software\VIPRE\SBAMTray.exe[976] kernel32.dll!CreateThread                                                             7C810647 5 Bytes  JMP 0013057C
.text           C:\Program Files\Sunbelt Software\VIPRE\SBAMTray.exe[976] kernel32.dll!CreateProcessInternalW                                                   7C819527 5 Bytes  JMP 001303D8
.text           C:\Program Files\Sunbelt Software\VIPRE\SBAMTray.exe[976] kernel32.dll!CreateProcessInternalA                                                   7C81DDE6 5 Bytes  JMP 0013034C
.text           C:\Program Files\Sunbelt Software\VIPRE\SBAMTray.exe[976] kernel32.dll!WinExec                                                                  7C86158D 5 Bytes  JMP 00130464
.text           C:\Program Files\Sunbelt Software\VIPRE\SBAMTray.exe[976] kernel32.dll!SetThreadContext                                                         7C862C89 5 Bytes  JMP 00130608
.text           C:\Program Files\Sunbelt Software\VIPRE\SBAMTray.exe[976] USER32.dll!SetWindowsHookExW                                                          77D6E621 5 Bytes  JMP 001307AC
.text           C:\Program Files\Sunbelt Software\VIPRE\SBAMTray.exe[976] USER32.dll!SetWindowsHookExA                                                          77D702B2 5 Bytes  JMP 00130720
.text           C:\WINDOWS\system32\csrss.exe[1004] ntdll.dll!NtAllocateVirtualMemory                                                                           7C90CF6E 5 Bytes  JMP 0078106C
.text           C:\WINDOWS\system32\csrss.exe[1004] ntdll.dll!NtCreateThread                                                                                    7C90D1AE 5 Bytes  JMP 00781184
.text           C:\WINDOWS\system32\csrss.exe[1004] ntdll.dll!NtProtectVirtualMemory                                                                            7C90D6EE 5 Bytes  JMP 007810F8
.text           C:\WINDOWS\system32\csrss.exe[1004] USER32.dll!SetWindowsHookExW                                                                                77D6E621 5 Bytes  JMP 007807AC
.text           C:\WINDOWS\system32\csrss.exe[1004] USER32.dll!SetWindowsHookExA                                                                                77D702B2 5 Bytes  JMP 00780720
.text           C:\WINDOWS\system32\csrss.exe[1004] KERNEL32.dll!VirtualProtectEx                                                                               7C801A5D 5 Bytes  JMP 007801A8
.text           C:\WINDOWS\system32\csrss.exe[1004] KERNEL32.dll!VirtualProtect                                                                                 7C801AD0 5 Bytes  JMP 00780090
.text           C:\WINDOWS\system32\csrss.exe[1004] KERNEL32.dll!WriteProcessMemory                                                                             7C80220F 5 Bytes  JMP 00780694
.text           C:\WINDOWS\system32\csrss.exe[1004] KERNEL32.dll!CreateProcessW                                                                                 7C802332 5 Bytes  JMP 007802C0
.text           C:\WINDOWS\system32\csrss.exe[1004] KERNEL32.dll!CreateProcessA                                                                                 7C802367 5 Bytes  JMP 00780234
.text           C:\WINDOWS\system32\csrss.exe[1004] KERNEL32.dll!VirtualAlloc                                                                                   7C809A61 5 Bytes  JMP 00780004
.text           C:\WINDOWS\system32\csrss.exe[1004] KERNEL32.dll!VirtualAllocEx                                                                                 7C809A82 5 Bytes  JMP 0078011C
.text           C:\WINDOWS\system32\csrss.exe[1004] KERNEL32.dll!CreateRemoteThread                                                                             7C81043C 5 Bytes  JMP 007804F0
.text           C:\WINDOWS\system32\csrss.exe[1004] KERNEL32.dll!CreateThread                                                                                   7C810647 5 Bytes  JMP 0078057C
.text           C:\WINDOWS\system32\csrss.exe[1004] KERNEL32.dll!CreateProcessInternalW                                                                         7C819527 5 Bytes  JMP 007803D8
.text           C:\WINDOWS\system32\csrss.exe[1004] KERNEL32.dll!CreateProcessInternalA                                                                         7C81DDE6 5 Bytes  JMP 0078034C
.text           C:\WINDOWS\system32\csrss.exe[1004] KERNEL32.dll!WinExec                                                                                        7C86158D 5 Bytes  JMP 00780464
.text           C:\WINDOWS\system32\csrss.exe[1004] KERNEL32.dll!SetThreadContext                                                                               7C862C89 5 Bytes  JMP 00780608
.text           C:\WINDOWS\system32\winlogon.exe[1028] ntdll.dll!NtAllocateVirtualMemory                                                                        7C90CF6E 5 Bytes  JMP 00BB106C
.text           C:\WINDOWS\system32\winlogon.exe[1028] ntdll.dll!NtCreateThread                                                                                 7C90D1AE 5 Bytes  JMP 00BB1184
.text           C:\WINDOWS\system32\winlogon.exe[1028] ntdll.dll!NtProtectVirtualMemory                                                                         7C90D6EE 5 Bytes  JMP 00BB10F8
.text           C:\WINDOWS\system32\winlogon.exe[1028] kernel32.dll!VirtualProtectEx                                                                            7C801A5D 5 Bytes  JMP 00BB01A8
.text           C:\WINDOWS\system32\winlogon.exe[1028] kernel32.dll!VirtualProtect                                                                              7C801AD0 5 Bytes  JMP 00BB0090
.text           C:\WINDOWS\system32\winlogon.exe[1028] kernel32.dll!WriteProcessMemory                                                                          7C80220F 5 Bytes  JMP 00BB0694
.text           C:\WINDOWS\system32\winlogon.exe[1028] kernel32.dll!CreateProcessW                                                                              7C802332 5 Bytes  JMP 00BB02C0
.text           C:\WINDOWS\system32\winlogon.exe[1028] kernel32.dll!CreateProcessA                                                                              7C802367 5 Bytes  JMP 00BB0234
.text           C:\WINDOWS\system32\winlogon.exe[1028] kernel32.dll!VirtualAlloc                                                                                7C809A61 5 Bytes  JMP 00BB0004
.text           C:\WINDOWS\system32\winlogon.exe[1028] kernel32.dll!VirtualAllocEx                                                                              7C809A82 5 Bytes  JMP 00BB011C
.text           C:\WINDOWS\system32\winlogon.exe[1028] kernel32.dll!CreateRemoteThread                                                                          7C81043C 5 Bytes  JMP 00BB04F0
.text           C:\WINDOWS\system32\winlogon.exe[1028] kernel32.dll!CreateThread                                                                                7C810647 5 Bytes  JMP 00BB057C
.text           C:\WINDOWS\system32\winlogon.exe[1028] kernel32.dll!CreateProcessInternalW                                                                      7C819527 5 Bytes  JMP 00BB03D8
.text           C:\WINDOWS\system32\winlogon.exe[1028] kernel32.dll!CreateProcessInternalA                                                                      7C81DDE6 5 Bytes  JMP 00BB034C
.text           C:\WINDOWS\system32\winlogon.exe[1028] kernel32.dll!WinExec                                                                                     7C86158D 5 Bytes  JMP 00BB0464
.text           C:\WINDOWS\system32\winlogon.exe[1028] kernel32.dll!SetThreadContext                                                                            7C862C89 5 Bytes  JMP 00BB0608
.text           C:\WINDOWS\system32\winlogon.exe[1028] USER32.dll!SetWindowsHookExW                                                                             77D6E621 5 Bytes  JMP 00BB07AC
.text           C:\WINDOWS\system32\winlogon.exe[1028] USER32.dll!SetWindowsHookExA                                                                             77D702B2 5 Bytes  JMP 00BB0720
.text           C:\WINDOWS\system32\winlogon.exe[1028] WS2_32.dll!socket                                                                                        71AB3B91 5 Bytes  JMP 00BB08C4
.text           C:\WINDOWS\system32\winlogon.exe[1028] WS2_32.dll!bind                                                                                          71AB3E00 5 Bytes  JMP 00BB0838
.text           C:\WINDOWS\system32\winlogon.exe[1028] WS2_32.dll!connect                                                                                       71AB406A 5 Bytes  JMP 00BB0950
.text           C:\Program Files\Analog Devices\Core\smax4pnp.exe[1064] ntdll.dll!NtAllocateVirtualMemory                                                       7C90CF6E 5 Bytes  JMP 0013106C
.text           C:\Program Files\Analog Devices\Core\smax4pnp.exe[1064] ntdll.dll!NtCreateThread                                                                7C90D1AE 5 Bytes  JMP 00131184
.text           C:\Program Files\Analog Devices\Core\smax4pnp.exe[1064] ntdll.dll!NtProtectVirtualMemory                                                        7C90D6EE 5 Bytes  JMP 001310F8
.text           C:\Program Files\Analog Devices\Core\smax4pnp.exe[1064] kernel32.dll!VirtualProtectEx                                                           7C801A5D 5 Bytes  JMP 001301A8
.text           C:\Program Files\Analog Devices\Core\smax4pnp.exe[1064] kernel32.dll!VirtualProtect                                                             7C801AD0 5 Bytes  JMP 00130090
.text           C:\Program Files\Analog Devices\Core\smax4pnp.exe[1064] kernel32.dll!WriteProcessMemory                                                         7C80220F 5 Bytes  JMP 00130694
.text           C:\Program Files\Analog Devices\Core\smax4pnp.exe[1064] kernel32.dll!CreateProcessW                                                             7C802332 5 Bytes  JMP 001302C0
.text           C:\Program Files\Analog Devices\Core\smax4pnp.exe[1064] kernel32.dll!CreateProcessA                                                             7C802367 5 Bytes  JMP 00130234
.text           C:\Program Files\Analog Devices\Core\smax4pnp.exe[1064] kernel32.dll!VirtualAlloc                                                               7C809A61 5 Bytes  JMP 00130004
.text           C:\Program Files\Analog Devices\Core\smax4pnp.exe[1064] kernel32.dll!VirtualAllocEx                                                             7C809A82 5 Bytes  JMP 0013011C
.text           C:\Program Files\Analog Devices\Core\smax4pnp.exe[1064] kernel32.dll!CreateRemoteThread                                                         7C81043C 5 Bytes  JMP 001304F0
.text           C:\Program Files\Analog Devices\Core\smax4pnp.exe[1064] kernel32.dll!CreateThread                                                               7C810647 5 Bytes  JMP 0013057C
.text           C:\Program Files\Analog Devices\Core\smax4pnp.exe[1064] kernel32.dll!CreateProcessInternalW                                                     7C819527 5 Bytes  JMP 001303D8
.text           C:\Program Files\Analog Devices\Core\smax4pnp.exe[1064] kernel32.dll!CreateProcessInternalA                                                     7C81DDE6 5 Bytes  JMP 0013034C
.text           C:\Program Files\Analog Devices\Core\smax4pnp.exe[1064] kernel32.dll!WinExec                                                                    7C86158D 5 Bytes  JMP 00130464
.text           C:\Program Files\Analog Devices\Core\smax4pnp.exe[1064] kernel32.dll!SetThreadContext                                                           7C862C89 5 Bytes  JMP 00130608
.text           C:\Program Files\Analog Devices\Core\smax4pnp.exe[1064] USER32.dll!SetWindowsHookExW                                                            77D6E621 5 Bytes  JMP 001307AC
.text           C:\Program Files\Analog Devices\Core\smax4pnp.exe[1064] USER32.dll!SetWindowsHookExA                                                            77D702B2 5 Bytes  JMP 00130720
.text           C:\WINDOWS\system32\services.exe[1072] ntdll.dll!NtAllocateVirtualMemory                                                                        7C90CF6E 5 Bytes  JMP 0004106C
.text           C:\WINDOWS\system32\services.exe[1072] ntdll.dll!NtCreateThread                                                                                 7C90D1AE 5 Bytes  JMP 00041184
.text           C:\WINDOWS\system32\services.exe[1072] ntdll.dll!NtProtectVirtualMemory                                                                         7C90D6EE 5 Bytes  JMP 000410F8
.text           C:\WINDOWS\system32\services.exe[1072] kernel32.dll!VirtualProtectEx                                                                            7C801A5D 5 Bytes  JMP 000401A8
.text           C:\WINDOWS\system32\services.exe[1072] kernel32.dll!VirtualProtect                                                                              7C801AD0 5 Bytes  JMP 00040090
.text           C:\WINDOWS\system32\services.exe[1072] kernel32.dll!WriteProcessMemory                                                                          7C80220F 5 Bytes  JMP 00040694
.text           C:\WINDOWS\system32\services.exe[1072] kernel32.dll!CreateProcessW                                                                              7C802332 5 Bytes  JMP 000402C0
.text           C:\WINDOWS\system32\services.exe[1072] kernel32.dll!CreateProcessA                                                                              7C802367 5 Bytes  JMP 00040234
.text           C:\WINDOWS\system32\services.exe[1072] kernel32.dll!VirtualAlloc                                                                                7C809A61 5 Bytes  JMP 00040004
.text           C:\WINDOWS\system32\services.exe[1072] kernel32.dll!VirtualAllocEx                                                                              7C809A82 5 Bytes  JMP 0004011C
.text           C:\WINDOWS\system32\services.exe[1072] kernel32.dll!CreateRemoteThread                                                                          7C81043C 5 Bytes  JMP 000404F0
.text           C:\WINDOWS\system32\services.exe[1072] kernel32.dll!CreateThread                                                                                7C810647 5 Bytes  JMP 0004057C
.text           C:\WINDOWS\system32\services.exe[1072] kernel32.dll!CreateProcessInternalW                                                                      7C819527 5 Bytes  JMP 000403D8
.text           C:\WINDOWS\system32\services.exe[1072] kernel32.dll!CreateProcessInternalA                                                                      7C81DDE6 5 Bytes  JMP 0004034C
.text           C:\WINDOWS\system32\services.exe[1072] kernel32.dll!WinExec                                                                                     7C86158D 5 Bytes  JMP 00040464
.text           C:\WINDOWS\system32\services.exe[1072] kernel32.dll!SetThreadContext                                                                            7C862C89 5 Bytes  JMP 00040608
.text           C:\WINDOWS\system32\services.exe[1072] USER32.dll!SetWindowsHookExW                                                                             77D6E621 5 Bytes  JMP 000407AC
.text           C:\WINDOWS\system32\services.exe[1072] USER32.dll!SetWindowsHookExA                                                                             77D702B2 5 Bytes  JMP 00040720
.text           C:\WINDOWS\system32\services.exe[1072] WS2_32.dll!socket                                                                                        71AB3B91 5 Bytes  JMP 000408C4
.text           C:\WINDOWS\system32\services.exe[1072] WS2_32.dll!bind                                                                                          71AB3E00 5 Bytes  JMP 00040838
.text           C:\WINDOWS\system32\services.exe[1072] WS2_32.dll!connect                                                                                       71AB406A 5 Bytes  JMP 00040950
.text           C:\WINDOWS\system32\lsass.exe[1084] ntdll.dll!NtAllocateVirtualMemory                                                                           7C90CF6E 5 Bytes  JMP 0095106C
.text           C:\WINDOWS\system32\lsass.exe[1084] ntdll.dll!NtCreateThread                                                                                    7C90D1AE 5 Bytes  JMP 00951184
.text           C:\WINDOWS\system32\lsass.exe[1084] ntdll.dll!NtProtectVirtualMemory                                                                            7C90D6EE 5 Bytes  JMP 009510F8
.text           C:\WINDOWS\system32\lsass.exe[1084] kernel32.dll!VirtualProtectEx                                                                               7C801A5D 5 Bytes  JMP 009501A8
.text           C:\WINDOWS\system32\lsass.exe[1084] kernel32.dll!VirtualProtect                                                                                 7C801AD0 5 Bytes  JMP 00950090
.text           C:\WINDOWS\system32\lsass.exe[1084] kernel32.dll!WriteProcessMemory                                                                             7C80220F 5 Bytes  JMP 00950694
.text           C:\WINDOWS\system32\lsass.exe[1084] kernel32.dll!CreateProcessW                                                                                 7C802332 5 Bytes  JMP 009502C0
.text           C:\WINDOWS\system32\lsass.exe[1084] kernel32.dll!CreateProcessA                                                                                 7C802367 5 Bytes  JMP 00950234
.text           C:\WINDOWS\system32\lsass.exe[1084] kernel32.dll!VirtualAlloc                                                                                   7C809A61 5 Bytes  JMP 00950004
.text           C:\WINDOWS\system32\lsass.exe[1084] kernel32.dll!VirtualAllocEx                                                                                 7C809A82 5 Bytes  JMP 0095011C
.text           C:\WINDOWS\system32\lsass.exe[1084] kernel32.dll!CreateRemoteThread                                                                             7C81043C 5 Bytes  JMP 009504F0
.text           C:\WINDOWS\system32\lsass.exe[1084] kernel32.dll!CreateThread                                                                                   7C810647 5 Bytes  JMP 0095057C
.text           C:\WINDOWS\system32\lsass.exe[1084] kernel32.dll!CreateProcessInternalW                                                                         7C819527 5 Bytes  JMP 009503D8
.text           C:\WINDOWS\system32\lsass.exe[1084] kernel32.dll!CreateProcessInternalA                                                                         7C81DDE6 5 Bytes  JMP 0095034C
.text           C:\WINDOWS\system32\lsass.exe[1084] kernel32.dll!WinExec                                                                                        7C86158D 5 Bytes  JMP 00950464
.text           C:\WINDOWS\system32\lsass.exe[1084] kernel32.dll!SetThreadContext                                                                               7C862C89 5 Bytes  JMP 00950608
.text           C:\WINDOWS\system32\lsass.exe[1084] USER32.dll!SetWindowsHookExW                                                                                77D6E621 5 Bytes  JMP 009507AC
.text           C:\WINDOWS\system32\lsass.exe[1084] USER32.dll!SetWindowsHookExA                                                                                77D702B2 5 Bytes  JMP 00950720
.text           C:\WINDOWS\system32\lsass.exe[1084] WS2_32.dll!socket                                                                                           71AB3B91 5 Bytes  JMP 009508C4
.text           C:\WINDOWS\system32\lsass.exe[1084] WS2_32.dll!bind                                                                                             71AB3E00 5 Bytes  JMP 00950838
.text           C:\WINDOWS\system32\lsass.exe[1084] WS2_32.dll!connect                                                                                          71AB406A 5 Bytes  JMP 00950950
.text           C:\WINDOWS\system32\svchost.exe[1240] ntdll.dll!NtAllocateVirtualMemory                                                                         7C90CF6E 5 Bytes  JMP 0062106C
.text           C:\WINDOWS\system32\svchost.exe[1240] ntdll.dll!NtCreateThread                                                                                  7C90D1AE 5 Bytes  JMP 00621184
.text           C:\WINDOWS\system32\svchost.exe[1240] ntdll.dll!NtProtectVirtualMemory                                                                          7C90D6EE 5 Bytes  JMP 006210F8
.text           C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!VirtualProtectEx                                                                             7C801A5D 5 Bytes  JMP 006201A8
.text           C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!VirtualProtect                                                                               7C801AD0 5 Bytes  JMP 00620090
.text           C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!WriteProcessMemory                                                                           7C80220F 5 Bytes  JMP 00620694
.text           C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!CreateProcessW                                                                               7C802332 5 Bytes  JMP 006202C0
.text           C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!CreateProcessA                                                                               7C802367 5 Bytes  JMP 00620234
.text           C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!VirtualAlloc                                                                                 7C809A61 5 Bytes  JMP 00620004
.text           C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!VirtualAllocEx                                                                               7C809A82 5 Bytes  JMP 0062011C
.text           C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!CreateRemoteThread                                                                           7C81043C 5 Bytes  JMP 006204F0
.text           C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!CreateThread                                                                                 7C810647 5 Bytes  JMP 0062057C
.text           C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!CreateProcessInternalW                                                                       7C819527 5 Bytes  JMP 006203D8
.text           C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!CreateProcessInternalA                                                                       7C81DDE6 5 Bytes  JMP 0062034C
.text           C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!WinExec                                                                                      7C86158D 5 Bytes  JMP 00620464
.text           C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!SetThreadContext                                                                             7C862C89 5 Bytes  JMP 00620608
.text           C:\WINDOWS\system32\svchost.exe[1240] USER32.dll!SetWindowsHookExW                                                                              77D6E621 3 Bytes  JMP 006207AC
.text           C:\WINDOWS\system32\svchost.exe[1240] USER32.dll!SetWindowsHookExW + 4                                                                          77D6E625 1 Byte  [88]
.text           C:\WINDOWS\system32\svchost.exe[1240] USER32.dll!SetWindowsHookExA                                                                              77D702B2 3 Bytes  JMP 00620720
.text           C:\WINDOWS\system32\svchost.exe[1240] USER32.dll!SetWindowsHookExA + 4                                                                          77D702B6 1 Byte  [88]
.text           C:\WINDOWS\system32\svchost.exe[1240] WS2_32.dll!socket                                                                                         71AB3B91 5 Bytes  JMP 006208C4
.text           C:\WINDOWS\system32\svchost.exe[1240] WS2_32.dll!bind                                                                                           71AB3E00 5 Bytes  JMP 00620838
.text           C:\WINDOWS\system32\svchost.exe[1240] WS2_32.dll!connect                                                                                        71AB406A 5 Bytes  JMP 00620950
.text           C:\WINDOWS\system32\svchost.exe[1316] ntdll.dll!NtAllocateVirtualMemory                                                                         7C90CF6E 5 Bytes  JMP 0087106C
.text           C:\WINDOWS\system32\svchost.exe[1316] ntdll.dll!NtCreateThread                                                                                  7C90D1AE 5 Bytes  JMP 00871184
.text           C:\WINDOWS\system32\svchost.exe[1316] ntdll.dll!NtProtectVirtualMemory                                                                          7C90D6EE 5 Bytes  JMP 008710F8
.text           C:\WINDOWS\system32\svchost.exe[1316] kernel32.dll!VirtualProtectEx                                                                             7C801A5D 5 Bytes  JMP 008701A8
.text           C:\WINDOWS\system32\svchost.exe[1316] kernel32.dll!VirtualProtect                                                                               7C801AD0 5 Bytes  JMP 00870090
.text           C:\WINDOWS\system32\svchost.exe[1316] kernel32.dll!WriteProcessMemory                                                                           7C80220F 5 Bytes  JMP 00870694
.text           C:\WINDOWS\system32\svchost.exe[1316] kernel32.dll!CreateProcessW                                                                               7C802332 5 Bytes  JMP 008702C0
.text           C:\WINDOWS\system32\svchost.exe[1316] kernel32.dll!CreateProcessA                                                                               7C802367 5 Bytes  JMP 00870234
.text           C:\WINDOWS\system32\svchost.exe[1316] kernel32.dll!VirtualAlloc                                                                                 7C809A61 5 Bytes  JMP 00870004
.text           C:\WINDOWS\system32\svchost.exe[1316] kernel32.dll!VirtualAllocEx                                                                               7C809A82 5 Bytes  JMP 0087011C
.text           C:\WINDOWS\system32\svchost.exe[1316] kernel32.dll!CreateRemoteThread                                                                           7C81043C 5 Bytes  JMP 008704F0
.text           C:\WINDOWS\system32\svchost.exe[1316] kernel32.dll!CreateThread                                                                                 7C810647 5 Bytes  JMP 0087057C
.text           C:\WINDOWS\system32\svchost.exe[1316] kernel32.dll!CreateProcessInternalW                                                                       7C819527 5 Bytes  JMP 008703D8
.text           C:\WINDOWS\system32\svchost.exe[1316] kernel32.dll!CreateProcessInternalA                                                                       7C81DDE6 5 Bytes  JMP 0087034C
.text           C:\WINDOWS\system32\svchost.exe[1316] kernel32.dll!WinExec                                                                                      7C86158D 5 Bytes  JMP 00870464
.text           C:\WINDOWS\system32\svchost.exe[1316] kernel32.dll!SetThreadContext                                                                             7C862C89 5 Bytes  JMP 00870608
.text           C:\WINDOWS\system32\svchost.exe[1316] USER32.dll!SetWindowsHookExW                                                                              77D6E621 5 Bytes  JMP 008707AC
.text           C:\WINDOWS\system32\svchost.exe[1316] USER32.dll!SetWindowsHookExA                                                                              77D702B2 5 Bytes  JMP 00870720
.text           C:\WINDOWS\system32\svchost.exe[1316] WS2_32.dll!socket                                                                                         71AB3B91 5 Bytes  JMP 008708C4
.text           C:\WINDOWS\system32\svchost.exe[1316] WS2_32.dll!bind                                                                                           71AB3E00 5 Bytes  JMP 00870838
.text           C:\WINDOWS\system32\svchost.exe[1316] WS2_32.dll!connect                                                                                        71AB406A 5 Bytes  JMP 00870950
.text           C:\WINDOWS\System32\svchost.exe[1440] ntdll.dll!NtAllocateVirtualMemory                                                                         7C90CF6E 5 Bytes  JMP 006A106C
.text           C:\WINDOWS\System32\svchost.exe[1440] ntdll.dll!NtCreateThread                                                                                  7C90D1AE 5 Bytes  JMP 006A1184
.text           C:\WINDOWS\System32\svchost.exe[1440] ntdll.dll!NtProtectVirtualMemory                                                                          7C90D6EE 5 Bytes  JMP 006A10F8
.text           C:\WINDOWS\System32\svchost.exe[1440] kernel32.dll!VirtualProtectEx                                                                             7C801A5D 5 Bytes  JMP 006A01A8
.text           C:\WINDOWS\System32\svchost.exe[1440] kernel32.dll!VirtualProtect                                                                               7C801AD0 5 Bytes  JMP 006A0090
.text           C:\WINDOWS\System32\svchost.exe[1440] kernel32.dll!WriteProcessMemory                                                                           7C80220F 5 Bytes  JMP 006A0694
.text           C:\WINDOWS\System32\svchost.exe[1440] kernel32.dll!CreateProcessW                                                                               7C802332 5 Bytes  JMP 006A02C0
.text           C:\WINDOWS\System32\svchost.exe[1440] kernel32.dll!CreateProcessA                                                                               7C802367 5 Bytes  JMP 006A0234
.text           C:\WINDOWS\System32\svchost.exe[1440] kernel32.dll!VirtualAlloc                                                                                 7C809A61 5 Bytes  JMP 006A0004
.text           C:\WINDOWS\System32\svchost.exe[1440] kernel32.dll!VirtualAllocEx                                                                               7C809A82 5 Bytes  JMP 006A011C
.text           C:\WINDOWS\System32\svchost.exe[1440] kernel32.dll!CreateRemoteThread                                                                           7C81043C 5 Bytes  JMP 006A04F0
.text           C:\WINDOWS\System32\svchost.exe[1440] kernel32.dll!CreateThread                                                                                 7C810647 5 Bytes  JMP 006A057C
.text           C:\WINDOWS\System32\svchost.exe[1440] kernel32.dll!CreateProcessInternalW                                                                       7C819527 5 Bytes  JMP 006A03D8
.text           C:\WINDOWS\System32\svchost.exe[1440] kernel32.dll!CreateProcessInternalA                                                                       7C81DDE6 5 Bytes  JMP 006A034C
.text           C:\WINDOWS\System32\svchost.exe[1440] kernel32.dll!WinExec                                                                                      7C86158D 5 Bytes  JMP 006A0464
.text           C:\WINDOWS\System32\svchost.exe[1440] kernel32.dll!SetThreadContext                                                                             7C862C89 5 Bytes  JMP 006A0608
.text           C:\WINDOWS\System32\svchost.exe[1440] USER32.dll!SetWindowsHookExW                                                                              77D6E621 5 Bytes  JMP 006A07AC
.text           C:\WINDOWS\System32\svchost.exe[1440] USER32.dll!SetWindowsHookExA                                                                              77D702B2 5 Bytes  JMP 006A0720
.text           C:\WINDOWS\System32\svchost.exe[1440] WS2_32.dll!socket                                                                                         71AB3B91 5 Bytes  JMP 006A08C4
.text           C:\WINDOWS\System32\svchost.exe[1440] WS2_32.dll!bind                                                                                           71AB3E00 5 Bytes  JMP 006A0838
.text           C:\WINDOWS\System32\svchost.exe[1440] WS2_32.dll!connect                                                                                        71AB406A 5 Bytes  JMP 006A0950
.text           C:\WINDOWS\System32\svchost.exe[1440] WININET.dll!InternetOpenW                                                                                 771BAEED 5 Bytes  JMP 006A0DB0
.text           C:\WINDOWS\System32\svchost.exe[1440] WININET.dll!InternetConnectA                                                                              771C308A 5 Bytes  JMP 006A0F54
.text           C:\WINDOWS\System32\svchost.exe[1440] WININET.dll!InternetOpenA                                                                                 771C573E 5 Bytes  JMP 006A0D24
.text           C:\WINDOWS\System32\svchost.exe[1440] WININET.dll!InternetOpenUrlA                                                                              771C59F1 5 Bytes  JMP 006A0E3C
.text           C:\WINDOWS\System32\svchost.exe[1440] WININET.dll!InternetConnectW                                                                              771CEDC8 5 Bytes  JMP 006A0FE0
.text           C:\WINDOWS\System32\svchost.exe[1440] WININET.dll!InternetOpenUrlW                                                                              771D5B3A 5 Bytes  JMP 006A0EC8
.text           C:\WINDOWS\system32\svchost.exe[1472] ntdll.dll!NtAllocateVirtualMemory                                                                         7C90CF6E 5 Bytes  JMP 0062106C
.text           C:\WINDOWS\system32\svchost.exe[1472] ntdll.dll!NtCreateThread                                                                                  7C90D1AE 5 Bytes  JMP 00621184
.text           C:\WINDOWS\system32\svchost.exe[1472] ntdll.dll!NtProtectVirtualMemory                                                                          7C90D6EE 5 Bytes  JMP 006210F8
.text           C:\WINDOWS\system32\svchost.exe[1472] kernel32.dll!VirtualProtectEx                                                                             7C801A5D 5 Bytes  JMP 006201A8
.text           C:\WINDOWS\system32\svchost.exe[1472] kernel32.dll!VirtualProtect                                                                               7C801AD0 5 Bytes  JMP 00620090
.text           C:\WINDOWS\system32\svchost.exe[1472] kernel32.dll!WriteProcessMemory                                                                           7C80220F 5 Bytes  JMP 00620694
.text           C:\WINDOWS\system32\svchost.exe[1472] kernel32.dll!CreateProcessW                                                                               7C802332 5 Bytes  JMP 006202C0
.text           C:\WINDOWS\system32\svchost.exe[1472] kernel32.dll!CreateProcessA                                                                               7C802367 5 Bytes  JMP 00620234
.text           C:\WINDOWS\system32\svchost.exe[1472] kernel32.dll!VirtualAlloc                                                                                 7C809A61 5 Bytes  JMP 00620004
.text           C:\WINDOWS\system32\svchost.exe[1472] kernel32.dll!VirtualAllocEx                                                                               7C809A82 5 Bytes  JMP 0062011C
.text           C:\WINDOWS\system32\svchost.exe[1472] kernel32.dll!CreateRemoteThread                                                                           7C81043C 5 Bytes  JMP 006204F0
.text           C:\WINDOWS\system32\svchost.exe[1472] kernel32.dll!CreateThread                                                                                 7C810647 5 Bytes  JMP 0062057C
.text           C:\WINDOWS\system32\svchost.exe[1472] kernel32.dll!CreateProcessInternalW                                                                       7C819527 5 Bytes  JMP 006203D8
.text           C:\WINDOWS\system32\svchost.exe[1472] kernel32.dll!CreateProcessInternalA                                                                       7C81DDE6 5 Bytes  JMP 0062034C
.text           C:\WINDOWS\system32\svchost.exe[1472] kernel32.dll!WinExec                                                                                      7C86158D 5 Bytes  JMP 00620464
.text           C:\WINDOWS\system32\svchost.exe[1472] kernel32.dll!SetThreadContext                                                                             7C862C89 5 Bytes  JMP 00620608
.text           C:\WINDOWS\system32\svchost.exe[1472] USER32.dll!SetWindowsHookExW                                                                              77D6E621 3 Bytes  JMP 006207AC
.text           C:\WINDOWS\system32\svchost.exe[1472] USER32.dll!SetWindowsHookExW + 4                                                                          77D6E625 1 Byte  [88]
.text           C:\WINDOWS\system32\svchost.exe[1472] USER32.dll!SetWindowsHookExA                                                                              77D702B2 3 Bytes  JMP 00620720
.text           C:\WINDOWS\system32\svchost.exe[1472] USER32.dll!SetWindowsHookExA + 4                                                                          77D702B6 1 Byte  [88]
.text           C:\WINDOWS\system32\svchost.exe[1644] ntdll.dll!NtAllocateVirtualMemory                                                                         7C90CF6E 5 Bytes  JMP 0071106C
.text           C:\WINDOWS\system32\svchost.exe[1644] ntdll.dll!NtCreateThread                                                                                  7C90D1AE 5 Bytes  JMP 00711184
.text           C:\WINDOWS\system32\svchost.exe[1644] ntdll.dll!NtProtectVirtualMemory                                                                          7C90D6EE 5 Bytes  JMP 007110F8
.text           C:\WINDOWS\system32\svchost.exe[1644] kernel32.dll!VirtualProtectEx                                                                             7C801A5D 5 Bytes  JMP 007101A8
.text           C:\WINDOWS\system32\svchost.exe[1644] kernel32.dll!VirtualProtect                                                                               7C801AD0 5 Bytes  JMP 00710090
.text           C:\WINDOWS\system32\svchost.exe[1644] kernel32.dll!WriteProcessMemory                                                                           7C80220F 5 Bytes  JMP 00710694
.text           C:\WINDOWS\system32\svchost.exe[1644] kernel32.dll!CreateProcessW                                                                               7C802332 5 Bytes  JMP 007102C0
.text           C:\WINDOWS\system32\svchost.exe[1644] kernel32.dll!CreateProcessA                                                                               7C802367 5 Bytes  JMP 00710234
.text           C:\WINDOWS\system32\svchost.exe[1644] kernel32.dll!VirtualAlloc                                                                                 7C809A61 5 Bytes  JMP 00710004
.text           C:\WINDOWS\system32\svchost.exe[1644] kernel32.dll!VirtualAllocEx                                                                               7C809A82 5 Bytes  JMP 0071011C
.text           C:\WINDOWS\system32\svchost.exe[1644] kernel32.dll!CreateRemoteThread                                                                           7C81043C 5 Bytes  JMP 007104F0
.text           C:\WINDOWS\system32\svchost.exe[1644] kernel32.dll!CreateThread                                                                                 7C810647 5 Bytes  JMP 0071057C
.text           C:\WINDOWS\system32\svchost.exe[1644] kernel32.dll!CreateProcessInternalW                                                                       7C819527 5 Bytes  JMP 007103D8
.text           C:\WINDOWS\system32\svchost.exe[1644] kernel32.dll!CreateProcessInternalA                                                                       7C81DDE6 5 Bytes  JMP 0071034C
.text           C:\WINDOWS\system32\svchost.exe[1644] kernel32.dll!WinExec                                                                                      7C86158D 5 Bytes  JMP 00710464
.text           C:\WINDOWS\system32\svchost.exe[1644] kernel32.dll!SetThreadContext                                                                             7C862C89 5 Bytes  JMP 00710608
.text           C:\WINDOWS\system32\svchost.exe[1644] USER32.dll!SetWindowsHookExW                                                                              77D6E621 5 Bytes  JMP 007107AC
.text           C:\WINDOWS\system32\svchost.exe[1644] USER32.dll!SetWindowsHookExA                                                                              77D702B2 5 Bytes  JMP 00710720
.text           C:\WINDOWS\system32\svchost.exe[1644] WS2_32.dll!socket                                                                                         71AB3B91 5 Bytes  JMP 007108C4
.text           C:\WINDOWS\system32\svchost.exe[1644] WS2_32.dll!bind                                                                                           71AB3E00 5 Bytes  JMP 00710838
.text           C:\WINDOWS\system32\svchost.exe[1644] WS2_32.dll!connect                                                                                        71AB406A 5 Bytes  JMP 00710950
.text           C:\Documents and Settings\All Users\Start Menu\Programs\Accessories\System Tools\PSI\psi.exe[1744] ntdll.dll!NtAllocateVirtualMemory            7C90CF6E 5 Bytes  JMP 0013106C
.text           C:\Documents and Settings\All Users\Start Menu\Programs\Accessories\System Tools\PSI\psi.exe[1744] ntdll.dll!NtCreateThread                     7C90D1AE 5 Bytes  JMP 00131184
.text           C:\Documents and Settings\All Users\Start Menu\Programs\Accessories\System Tools\PSI\psi.exe[1744] ntdll.dll!NtProtectVirtualMemory             7C90D6EE 5 Bytes  JMP 001310F8
.text           C:\Documents and Settings\All Users\Start Menu\Programs\Accessories\System Tools\PSI\psi.exe[1744] kernel32.dll!VirtualProtectEx                7C801A5D 5 Bytes  JMP 001301A8
.text           C:\Documents and Settings\All Users\Start Menu\Programs\Accessories\System Tools\PSI\psi.exe[1744] kernel32.dll!VirtualProtect                  7C801AD0 5 Bytes  JMP 00130090
.text           C:\Documents and Settings\All Users\Start Menu\Programs\Accessories\System Tools\PSI\psi.exe[1744] kernel32.dll!WriteProcessMemory              7C80220F 5 Bytes  JMP 00130694
.text           C:\Documents and Settings\All Users\Start Menu\Programs\Accessories\System Tools\PSI\psi.exe[1744] kernel32.dll!CreateProcessW                  7C802332 5 Bytes  JMP 001302C0
.text           C:\Documents and Settings\All Users\Start Menu\Programs\Accessories\System Tools\PSI\psi.exe[1744] kernel32.dll!CreateProcessA                  7C802367 5 Bytes  JMP 00130234
.text           C:\Documents and Settings\All Users\Start Menu\Programs\Accessories\System Tools\PSI\psi.exe[1744] kernel32.dll!VirtualAlloc                    7C809A61 5 Bytes  JMP 00130004
.text           C:\Documents and Settings\All Users\Start Menu\Programs\Accessories\System Tools\PSI\psi.exe[1744] kernel32.dll!VirtualAllocEx                  7C809A82 5 Bytes  JMP 0013011C
.text           C:\Documents and Settings\All Users\Start Menu\Programs\Accessories\System Tools\PSI\psi.exe[1744] kernel32.dll!CreateRemoteThread              7C81043C 5 Bytes  JMP 001304F0
.text           C:\Documents and Settings\All Users\Start Menu\Programs\Accessories\System Tools\PSI\psi.exe[1744] kernel32.dll!CreateThread                    7C810647 5 Bytes  JMP 0013057C
.text           C:\Documents and Settings\All Users\Start Menu\Programs\Accessories\System Tools\PSI\psi.exe[1744] kernel32.dll!CreateProcessInternalW          7C819527 5 Bytes  JMP 001303D8
.text           C:\Documents and Settings\All Users\Start Menu\Programs\Accessories\System Tools\PSI\psi.exe[1744] kernel32.dll!CreateProcessInternalA          7C81DDE6 5 Bytes  JMP 0013034C
.text           C:\Documents and Settings\All Users\Start Menu\Programs\Accessories\System Tools\PSI\psi.exe[1744] kernel32.dll!WinExec                         7C86158D 5 Bytes  JMP 00130464
.text           C:\Documents and Settings\All Users\Start Menu\Programs\Accessories\System Tools\PSI\psi.exe[1744] kernel32.dll!SetThreadContext                7C862C89 5 Bytes  JMP 00130608
.text           C:\Documents and Settings\All Users\Start Menu\Programs\Accessories\System Tools\PSI\psi.exe[1744] USER32.dll!SetWindowsHookExW                 77D6E621 5 Bytes  JMP 001307AC
.text           C:\Documents and Settings\All Users\Start Menu\Programs\Accessories\System Tools\PSI\psi.exe[1744] USER32.dll!SetWindowsHookExA                 77D702B2 5 Bytes  JMP 00130720
.text           C:\Documents and Settings\All Users\Start Menu\Programs\Accessories\System Tools\PSI\psi.exe[1744] WININET.dll!InternetOpenW                    771BAEED 5 Bytes  JMP 00130DB0
.text           C:\Documents and Settings\All Users\Start Menu\Programs\Accessories\System Tools\PSI\psi.exe[1744] WININET.dll!InternetConnectA                 771C308A 5 Bytes  JMP 00130F54
.text           C:\Documents and Settings\All Users\Start Menu\Programs\Accessories\System Tools\PSI\psi.exe[1744] WININET.dll!InternetOpenA                    771C573E 5 Bytes  JMP 00130D24
.text           C:\Documents and Settings\All Users\Start Menu\Programs\Accessories\System Tools\PSI\psi.exe[1744] WININET.dll!InternetOpenUrlA                 771C59F1 5 Bytes  JMP 00130E3C
.text           C:\Documents and Settings\All Users\Start Menu\Programs\Accessories\System Tools\PSI\psi.exe[1744] WININET.dll!InternetConnectW                 771CEDC8 5 Bytes  JMP 00130FE0
.text           C:\Documents and Settings\All Users\Start Menu\Programs\Accessories\System Tools\PSI\psi.exe[1744] WININET.dll!InternetOpenUrlW                 771D5B3A 5 Bytes  JMP 00130EC8
.text           C:\Documents and Settings\All Users\Start Menu\Programs\Accessories\System Tools\PSI\psi.exe[1744] WS2_32.dll!socket                            71AB3B91 5 Bytes  JMP 001308C4
.text           C:\Documents and Settings\All Users\Start Menu\Programs\Accessories\System Tools\PSI\psi.exe[1744] WS2_32.dll!bind                              71AB3E00 5 Bytes  JMP 00130838
.text           C:\Documents and Settings\All Users\Start Menu\Programs\Accessories\System Tools\PSI\psi.exe[1744] WS2_32.dll!connect                           71AB406A 5 Bytes  JMP 00130950
.text           C:\Program Files\Bonjour\mDNSResponder.exe[2432] USER32.dll!SetWindowsHookExW                                                                   77D6E621 5 Bytes  JMP 001307AC
.text           C:\Program Files\Bonjour\mDNSResponder.exe[2432] USER32.dll!SetWindowsHookExA                                                                   77D702B2 5 Bytes  JMP 00130720
.text           C:\WINDOWS\system32\notepad.exe[2440] kernel32.dll!VirtualProtectEx                                                                             7C801A5D 5 Bytes  JMP 000801A8
.text           C:\WINDOWS\system32\notepad.exe[2440] kernel32.dll!VirtualProtect                                                                               7C801AD0 5 Bytes  JMP 00080090
.text           C:\WINDOWS\system32\notepad.exe[2440] kernel32.dll!WriteProcessMemory                                                                           7C80220F 5 Bytes  JMP 00080694
.text           C:\WINDOWS\system32\notepad.exe[2440] kernel32.dll!CreateProcessW                                                                               7C802332 5 Bytes  JMP 000802C0
.text           C:\WINDOWS\system32\notepad.exe[2440] kernel32.dll!CreateProcessA                                                                               7C802367 5 Bytes  JMP 00080234
.text           C:\WINDOWS\system32\notepad.exe[2440] kernel32.dll!VirtualAlloc                                                                                 7C809A61 5 Bytes  JMP 00080004
.text           C:\WINDOWS\system32\notepad.exe[2440] kernel32.dll!VirtualAllocEx                                                                               7C809A82 5 Bytes  JMP 0008011C
.text           C:\WINDOWS\system32\notepad.exe[2440] kernel32.dll!CreateRemoteThread                                                                           7C81043C 5 Bytes  JMP 000804F0
.text           C:\WINDOWS\system32\notepad.exe[2440] kernel32.dll!CreateThread                                                                                 7C810647 5 Bytes  JMP 0008057C
.text           C:\WINDOWS\system32\notepad.exe[2440] kernel32.dll!CreateProcessInternalW                                                                       7C819527 5 Bytes  JMP 000803D8
.text           C:\WINDOWS\system32\notepad.exe[2440] kernel32.dll!CreateProcessInternalA                                                                       7C81DDE6 5 Bytes  JMP 0008034C
.text           C:\WINDOWS\system32\notepad.exe[2440] kernel32.dll!WinExec                                                                                      7C86158D 5 Bytes  JMP 00080464
.text           C:\WINDOWS\system32\notepad.exe[2440] kernel32.dll!SetThreadContext                                                                             7C862C89 5 Bytes  JMP 00080608
.text           C:\WINDOWS\system32\notepad.exe[2440] USER32.dll!SetWindowsHookExW                                                                              77D6E621 5 Bytes  JMP 000807AC
.text           C:\WINDOWS\system32\notepad.exe[2440] USER32.dll!SetWindowsHookExA                                                                              77D702B2 5 Bytes  JMP 00080720
.text           C:\Program Files\Sunbelt Software\VIPRE\SBAMSvc.exe[3252] ntdll.dll!NtAllocateVirtualMemory                                                     7C90CF6E 5 Bytes  JMP 03FA106C
.text           C:\Program Files\Sunbelt Software\VIPRE\SBAMSvc.exe[3252] ntdll.dll!NtCreateThread                                                              7C90D1AE 5 Bytes  JMP 03FA1184
.text           C:\Program Files\Sunbelt Software\VIPRE\SBAMSvc.exe[3252] ntdll.dll!NtProtectVirtualMemory                                                      7C90D6EE 5 Bytes  JMP 03FA10F8
.text           C:\Program Files\Sunbelt Software\VIPRE\SBAMSvc.exe[3252] kernel32.dll!VirtualProtectEx                                                         7C801A5D 5 Bytes  JMP 03FA01A8
.text           C:\Program Files\Sunbelt Software\VIPRE\SBAMSvc.exe[3252] kernel32.dll!VirtualProtect                                                           7C801AD0 5 Bytes  JMP 03FA0090
.text           C:\Program Files\Sunbelt Software\VIPRE\SBAMSvc.exe[3252] kernel32.dll!WriteProcessMemory                                                       7C80220F 5 Bytes  JMP 03FA0694
.text           C:\Program Files\Sunbelt Software\VIPRE\SBAMSvc.exe[3252] kernel32.dll!CreateProcessW                                                           7C802332 5 Bytes  JMP 03FA02C0
.text           C:\Program Files\Sunbelt Software\VIPRE\SBAMSvc.exe[3252] kernel32.dll!CreateProcessA                                                           7C802367 5 Bytes  JMP 03FA0234
.text           C:\Program Files\Sunbelt Software\VIPRE\SBAMSvc.exe[3252] kernel32.dll!VirtualAlloc                                                             7C809A61 5 Bytes  JMP 03FA0004
.text           C:\Program Files\Sunbelt Software\VIPRE\SBAMSvc.exe[3252] kernel32.dll!VirtualAllocEx                                                           7C809A82 5 Bytes  JMP 03FA011C
.text           C:\Program Files\Sunbelt Software\VIPRE\SBAMSvc.exe[3252] kernel32.dll!CreateRemoteThread                                                       7C81043C 5 Bytes  JMP 03FA04F0
.text           C:\Program Files\Sunbelt Software\VIPRE\SBAMSvc.exe[3252] kernel32.dll!CreateThread                                                             7C810647 5 Bytes  JMP 03FA057C
.text           C:\Program Files\Sunbelt Software\VIPRE\SBAMSvc.exe[3252] kernel32.dll!CreateProcessInternalW                                                   7C819527 5 Bytes  JMP 03FA03D8
.text           C:\Program Files\Sunbelt Software\VIPRE\SBAMSvc.exe[3252] kernel32.dll!CreateProcessInternalA                                                   7C81DDE6 5 Bytes  JMP 03FA034C
.text           C:\Program Files\Sunbelt Software\VIPRE\SBAMSvc.exe[3252] kernel32.dll!WinExec                                                                  7C86158D 5 Bytes  JMP 03FA0464
.text           C:\Program Files\Sunbelt Software\VIPRE\SBAMSvc.exe[3252] kernel32.dll!SetThreadContext                                                         7C862C89 5 Bytes  JMP 03FA0608
.text           C:\Program Files\Sunbelt Software\VIPRE\SBAMSvc.exe[3252] USER32.dll!SetWindowsHookExW                                                          77D6E621 5 Bytes  JMP 03FA07AC
.text           C:\Program Files\Sunbelt Software\VIPRE\SBAMSvc.exe[3252] USER32.dll!SetWindowsHookExA                                                          77D702B2 5 Bytes  JMP 03FA0720
.text           C:\Program Files\Sunbelt Software\VIPRE\SBAMSvc.exe[3252] WS2_32.dll!socket                                                                     71AB3B91 5 Bytes  JMP 03FA08C4
.text           C:\Program Files\Sunbelt Software\VIPRE\SBAMSvc.exe[3252] WS2_32.dll!bind                                                                       71AB3E00 5 Bytes  JMP 03FA0838
.text           C:\Program Files\Sunbelt Software\VIPRE\SBAMSvc.exe[3252] WS2_32.dll!connect                                                                    71AB406A 5 Bytes  JMP 03FA0950
.text           C:\WINDOWS\system32\hkcmd.exe[3332] ntdll.dll!NtAllocateVirtualMemory                                                                           7C90CF6E 5 Bytes  JMP 0013106C
.text           C:\WINDOWS\system32\hkcmd.exe[3332] ntdll.dll!NtCreateThread                                                                                    7C90D1AE 5 Bytes  JMP 00131184
.text           C:\WINDOWS\system32\hkcmd.exe[3332] ntdll.dll!NtProtectVirtualMemory                                                                            7C90D6EE 5 Bytes  JMP 001310F8
.text           C:\WINDOWS\system32\hkcmd.exe[3332] kernel32.dll!VirtualProtectEx                                                                               7C801A5D 5 Bytes  JMP 001301A8
.text           C:\WINDOWS\system32\hkcmd.exe[3332] kernel32.dll!VirtualProtect                                                                                 7C801AD0 5 Bytes  JMP 00130090
.text           C:\WINDOWS\system32\hkcmd.exe[3332] kernel32.dll!WriteProcessMemory                                                                             7C80220F 5 Bytes  JMP 00130694
.text           C:\WINDOWS\system32\hkcmd.exe[3332] kernel32.dll!CreateProcessW                                                                                 7C802332 5 Bytes  JMP 001302C0
.text           C:\WINDOWS\system32\hkcmd.exe[3332] kernel32.dll!CreateProcessA                                                                                 7C802367 5 Bytes  JMP 00130234
.text           C:\WINDOWS\system32\hkcmd.exe[3332] kernel32.dll!VirtualAlloc                                                                                   7C809A61 5 Bytes  JMP 00130004
.text           C:\WINDOWS\system32\hkcmd.exe[3332] kernel32.dll!VirtualAllocEx                                                                                 7C809A82 5 Bytes  JMP 0013011C
.text           C:\WINDOWS\system32\hkcmd.exe[3332] kernel32.dll!CreateRemoteThread                                                                             7C81043C 5 Bytes  JMP 001304F0
.text           C:\WINDOWS\system32\hkcmd.exe[3332] kernel32.dll!CreateThread                                                                                   7C810647 5 Bytes  JMP 0013057C
.text           C:\WINDOWS\system32\hkcmd.exe[3332] kernel32.dll!CreateProcessInternalW                                                                         7C819527 5 Bytes  JMP 001303D8
.text           C:\WINDOWS\system32\hkcmd.exe[3332] kernel32.dll!CreateProcessInternalA                                                                         7C81DDE6 5 Bytes  JMP 0013034C
.text           C:\WINDOWS\system32\hkcmd.exe[3332] kernel32.dll!WinExec                                                                                        7C86158D 5 Bytes  JMP 00130464
.text           C:\WINDOWS\system32\hkcmd.exe[3332] kernel32.dll!SetThreadContext                                                                               7C862C89 5 Bytes  JMP 00130608
.text           C:\WINDOWS\system32\hkcmd.exe[3332] USER32.dll!SetWindowsHookExW                                                                                77D6E621 5 Bytes  JMP 001307AC
.text           C:\WINDOWS\system32\hkcmd.exe[3332] USER32.dll!SetWindowsHookExA                                                                                77D702B2 5 Bytes  JMP 00130720
.text           C:\Documents and Settings\Owner\My Documents\Downloads\0lcwtx00.exe[3368] kernel32.dll!VirtualProtectEx                                         7C801A5D 5 Bytes  JMP 001301A8
.text           C:\Documents and Settings\Owner\My Documents\Downloads\0lcwtx00.exe[3368] kernel32.dll!VirtualProtect                                           7C801AD0 5 Bytes  JMP 00130090
.text           C:\Documents and Settings\Owner\My Documents\Downloads\0lcwtx00.exe[3368] kernel32.dll!WriteProcessMemory                                       7C80220F 5 Bytes  JMP 00130694
.text           C:\Documents and Settings\Owner\My Documents\Downloads\0lcwtx00.exe[3368] kernel32.dll!CreateProcessW                                           7C802332 5 Bytes  JMP 001302C0
.text           C:\Documents and Settings\Owner\My Documents\Downloads\0lcwtx00.exe[3368] kernel32.dll!CreateProcessA                                           7C802367 5 Bytes  JMP 00130234
.text           C:\Documents and Settings\Owner\My Documents\Downloads\0lcwtx00.exe[3368] kernel32.dll!VirtualAlloc                                             7C809A61 5 Bytes  JMP 00130004
.text           C:\Documents and Settings\Owner\My Documents\Downloads\0lcwtx00.exe[3368] kernel32.dll!VirtualAllocEx                                           7C809A82 5 Bytes  JMP 0013011C
.text           C:\Documents and Settings\Owner\My Documents\Downloads\0lcwtx00.exe[3368] kernel32.dll!CreateRemoteThread                                       7C81043C 5 Bytes  JMP 001304F0
.text           C:\Documents and Settings\Owner\My Documents\Downloads\0lcwtx00.exe[3368] kernel32.dll!CreateThread                                             7C810647 5 Bytes  JMP 0013057C
.text           C:\Documents and Settings\Owner\My Documents\Downloads\0lcwtx00.exe[3368] kernel32.dll!CreateProcessInternalW                                   7C819527 5 Bytes  JMP 001303D8
.text           C:\Documents and Settings\Owner\My Documents\Downloads\0lcwtx00.exe[3368] kernel32.dll!CreateProcessInternalA                                   7C81DDE6 5 Bytes  JMP 0013034C
.text           C:\Documents and Settings\Owner\My Documents\Downloads\0lcwtx00.exe[3368] kernel32.dll!WinExec                                                  7C86158D 5 Bytes  JMP 00130464
.text           C:\Documents and Settings\Owner\My Documents\Downloads\0lcwtx00.exe[3368] kernel32.dll!SetThreadContext                                         7C862C89 5 Bytes  JMP 00130608
.text           C:\Documents and Settings\Owner\My Documents\Downloads\0lcwtx00.exe[3368] USER32.dll!SetWindowsHookExW                                          77D6E621 5 Bytes  JMP 001307AC
.text           C:\Documents and Settings\Owner\My Documents\Downloads\0lcwtx00.exe[3368] USER32.dll!SetWindowsHookExA                                          77D702B2 5 Bytes  JMP 00130720
.text           C:\Program Files\iTunes\iTunesHelper.exe[3492] ntdll.dll!NtAllocateVirtualMemory                                                                7C90CF6E 5 Bytes  JMP 0013106C
.text           C:\Program Files\iTunes\iTunesHelper.exe[3492] ntdll.dll!NtCreateThread                                                                         7C90D1AE 5 Bytes  JMP 00131184
.text           C:\Program Files\iTunes\iTunesHelper.exe[3492] ntdll.dll!NtProtectVirtualMemory                                                                 7C90D6EE 5 Bytes  JMP 001310F8
.text           C:\Program Files\iTunes\iTunesHelper.exe[3492] kernel32.dll!VirtualProtectEx                                                                    7C801A5D 5 Bytes  JMP 001301A8
.text           C:\Program Files\iTunes\iTunesHelper.exe[3492] kernel32.dll!VirtualProtect                                                                      7C801AD0 5 Bytes  JMP 00130090
.text           C:\Program Files\iTunes\iTunesHelper.exe[3492] kernel32.dll!WriteProcessMemory                                                                  7C80220F 5 Bytes  JMP 00130694
.text           C:\Program Files\iTunes\iTunesHelper.exe[3492] kernel32.dll!CreateProcessW                                                                      7C802332 5 Bytes  JMP 001302C0
.text           C:\Program Files\iTunes\iTunesHelper.exe[3492] kernel32.dll!CreateProcessA                                                                      7C802367 5 Bytes  JMP 00130234
.text           C:\Program Files\iTunes\iTunesHelper.exe[3492] kernel32.dll!VirtualAlloc                                                                        7C809A61 5 Bytes  JMP 00130004
.text           C:\Program Files\iTunes\iTunesHelper.exe[3492] kernel32.dll!VirtualAllocEx                                                                      7C809A82 5 Bytes  JMP 0013011C
.text           C:\Program Files\iTunes\iTunesHelper.exe[3492] kernel32.dll!CreateRemoteThread                                                                  7C81043C 5 Bytes  JMP 001304F0
.text           C:\Program Files\iTunes\iTunesHelper.exe[3492] kernel32.dll!CreateThread                                                                        7C810647 5 Bytes  JMP 0013057C
.text           C:\Program Files\iTunes\iTunesHelper.exe[3492] kernel32.dll!CreateProcessInternalW                                                              7C819527 5 Bytes  JMP 001303D8
.text           C:\Program Files\iTunes\iTunesHelper.exe[3492] kernel32.dll!CreateProcessInternalA                                                              7C81DDE6 5 Bytes  JMP 0013034C
.text           C:\Program Files\iTunes\iTunesHelper.exe[3492] kernel32.dll!WinExec                                                                             7C86158D 5 Bytes  JMP 00130464
.text           C:\Program Files\iTunes\iTunesHelper.exe[3492] kernel32.dll!SetThreadContext                                                                    7C862C89 5 Bytes  JMP 00130608
.text           C:\Program Files\iTunes\iTunesHelper.exe[3492] USER32.dll!SetWindowsHookExW                                                                     77D6E621 5 Bytes  JMP 001307AC
.text           C:\Program Files\iTunes\iTunesHelper.exe[3492] USER32.dll!SetWindowsHookExA                                                                     77D702B2 5 Bytes  JMP 00130720
.text           C:\Program Files\iTunes\iTunesHelper.exe[3492] WS2_32.dll!socket                                                                                71AB3B91 5 Bytes  JMP 001308C4
.text           C:\Program Files\iTunes\iTunesHelper.exe[3492] WS2_32.dll!bind                                                                                  71AB3E00 5 Bytes  JMP 00130838
.text           C:\Program Files\iTunes\iTunesHelper.exe[3492] WS2_32.dll!connect                                                                               71AB406A 5 Bytes  JMP 00130950
.text           C:\Program Files\iTunes\iTunesHelper.exe[3492] WININET.DLL!InternetOpenW                                                                        771BAEED 5 Bytes  JMP 00130DB0
.text           C:\Program Files\iTunes\iTunesHelper.exe[3492] WININET.DLL!InternetConnectA                                                                     771C308A 5 Bytes  JMP 00130F54
.text           C:\Program Files\iTunes\iTunesHelper.exe[3492] WININET.DLL!InternetOpenA                                                                        771C573E 5 Bytes  JMP 00130D24
.text           C:\Program Files\iTunes\iTunesHelper.exe[3492] WININET.DLL!InternetOpenUrlA                                                                     771C59F1 5 Bytes  JMP 00130E3C
.text           C:\Program Files\iTunes\iTunesHelper.exe[3492] WININET.DLL!InternetConnectW                                                                     771CEDC8 5 Bytes  JMP 00130FE0
.text           C:\Program Files\iTunes\iTunesHelper.exe[3492] WININET.DLL!InternetOpenUrlW                                                                     771D5B3A 5 Bytes  JMP 00130EC8
.text           C:\WINDOWS\system32\dlcfcoms.exe[4080] ntdll.dll!NtAllocateVirtualMemory                                                                        7C90CF6E 5 Bytes  JMP 0013106C
.text           C:\WINDOWS\system32\dlcfcoms.exe[4080] ntdll.dll!NtCreateThread                                                                                 7C90D1AE 5 Bytes  JMP 00131184
.text           C:\WINDOWS\system32\dlcfcoms.exe[4080] ntdll.dll!NtProtectVirtualMemory                                                                         7C90D6EE 5 Bytes  JMP 001310F8
.text           C:\WINDOWS\system32\dlcfcoms.exe[4080] kernel32.dll!VirtualProtectEx                                                                            7C801A5D 5 Bytes  JMP 001301A8
.text           C:\WINDOWS\system32\dlcfcoms.exe[4080] kernel32.dll!VirtualProtect                                                                              7C801AD0 5 Bytes  JMP 00130090
.text           C:\WINDOWS\system32\dlcfcoms.exe[4080] kernel32.dll!WriteProcessMemory                                                                          7C80220F 5 Bytes  JMP 00130694
.text           C:\WINDOWS\system32\dlcfcoms.exe[4080] kernel32.dll!CreateProcessW                                                                              7C802332 5 Bytes  JMP 001302C0
.text           C:\WINDOWS\system32\dlcfcoms.exe[4080] kernel32.dll!CreateProcessA                                                                              7C802367 5 Bytes  JMP 00130234
.text           C:\WINDOWS\system32\dlcfcoms.exe[4080] kernel32.dll!VirtualAlloc                                                                                7C809A61 5 Bytes  JMP 00130004
.text           C:\WINDOWS\system32\dlcfcoms.exe[4080] kernel32.dll!VirtualAllocEx                                                                              7C809A82 5 Bytes  JMP 0013011C
.text           C:\WINDOWS\system32\dlcfcoms.exe[4080] kernel32.dll!CreateRemoteThread                                                                          7C81043C 5 Bytes  JMP 001304F0
.text           C:\WINDOWS\system32\dlcfcoms.exe[4080] kernel32.dll!CreateThread                                                                                7C810647 5 Bytes  JMP 0013057C
.text           C:\WINDOWS\system32\dlcfcoms.exe[4080] kernel32.dll!CreateProcessInternalW                                                                      7C819527 5 Bytes  JMP 001303D8
.text           C:\WINDOWS\system32\dlcfcoms.exe[4080] kernel32.dll!CreateProcessInternalA                                                                      7C81DDE6 5 Bytes  JMP 0013034C
.text           C:\WINDOWS\system32\dlcfcoms.exe[4080] kernel32.dll!WinExec                                                                                     7C86158D 5 Bytes  JMP 00130464
.text           C:\WINDOWS\system32\dlcfcoms.exe[4080] kernel32.dll!SetThreadContext                                                                            7C862C89 5 Bytes  JMP 00130608
.text           C:\WINDOWS\system32\dlcfcoms.exe[4080] USER32.dll!SetWindowsHookExW                                                                             77D6E621 5 Bytes  JMP 001307AC
.text           C:\WINDOWS\system32\dlcfcoms.exe[4080] USER32.dll!SetWindowsHookExA                                                                             77D702B2 5 Bytes  JMP 00130720

---- Devices - GMER 1.0.15 ----

AttachedDevice  \Driver\Tcpip \Device\Ip                                                                                                                        SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.)
AttachedDevice  \Driver\Tcpip \Device\Tcp                                                                                                                       SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.)
AttachedDevice  \Driver\Tcpip \Device\Udp                                                                                                                       SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.)
AttachedDevice  \Driver\Tcpip \Device\RawIp                                                                                                                     SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.)
AttachedDevice  \FileSystem\Fastfat \Fat                                                                                                                        fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg             HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\8BC779924E27E5D4492BEBB66528611C\Usage@SunbeltMergeModules  1019155134

---- EOF - GMER 1.0.15 ----

At this time I was unable to complete the Kaspersky update to run the scan.

I must shut down, for the lightning gets very close on my hilltop.

See you soon,

Remember our fallen brothers.

COL>

1.5K Posts

May 31st, 2010 23:00

PLEASE BE SURE TO DISABLE ALL PROTECTIVE SOFTWARE THAT IS RUNNING ON YOUR MACHINE BEFORE RUNNING COMBO-FIX, SO THAT COMBO-FIX IS NOT HINDERED IN ITS REMOVAL PROCESS

Please Disable all Anti-virus/Anti-Spyware/FireWall on your machine (instructions via links below)

Please download ComboFix.exe. Please visit THIS webpage for download links, and instructions for running the tool:

Combo-fix MUST be saved to your desktop before running the tool

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

When prompted to install the recovery console please make sure to do so, as this is a VERY IMPORTANT backup of Combo-fix (XP only)

You will need to be connected to the net to install the recovery console. If you cannot install it, DO NOT run Combo-Fix;
post back and we will install it manually.

DO NOT mouse click when Combo-Fix is running, as this will cause Combo-Fix to stall and it will not work as it should

Please include the C:\ComboFix.txt in your next reply for further review.

1.5K Posts

June 8th, 2010 22:00

This topic is Inactive.....

The fixes in this topic were written specifically for this user, following them may cause harm to your machine and render it a brick (useless)

If you are the original poster and would like further assistance please post a fresh HJT log and details of the problems you are having.

All other users, please read THIS page and then please start a New Topic at the top of the Malware Removal Forum by clicking the DCFnewpost.png button.

Regards
K27

19 Posts

June 11th, 2010 11:00

K27,

Hey there,

I did get to run the Kaspersky scan and it did not show any malicious files.

The system still will not go into a low power state. When I try to put it in stand-by, Windows states "preparing to stand-by", the monitor and hard drive shut down (the cooling fan continues to run). A minute or less later the hard drive starts back up as it would when woken up. The monitor will stay blank until I intervene. This will continue in cycles unless I log on and just leave the system running. I cannot seem to find what is keeping the system from sleeping.

Here is the fresh log you requested:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:32:39, on 6/11/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Sunbelt Software\VIPRE\SBPIMSvc.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Verizon\VSP\VerizonServicepoint.exe
C:\Program Files\Browser MOUSE\mouse32a.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Accessories\System Tools\PSI\psi.exe
C:\WINDOWS\system32\VirtualExpander\VirtualExpander.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Sunbelt Software\VIPRE\SBAMSvc.exe
C:\Program Files\Sunbelt Software\VIPRE\SBAMTray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.verizon.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [VerizonServicepoint.exe] "C:\Program Files\Verizon\VSP\VerizonServicepoint.exe" /AUTORUN
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Browser MOUSE\mouse32a.exe
O4 - HKLM\..\Run: [SBAMTray] "C:\Program Files\Sunbelt Software\VIPRE\SBAMTray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\RunOnce: [Uninstall Adobe Download Manager] "C:\WINDOWS\system32\rundll32.exe" "C:\Program Files\NOS\bin\getPlus_Helper.dll",Uninstall /IE2883E8F-472F-4fb0-9522-AC9BF37916A7 /Get1noarp
O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - Startup: Secunia PSI.lnk = C:\Documents and Settings\All Users\Start Menu\Programs\Accessories\System Tools\PSI\psi.exe
O4 - Startup: VirtualExpander.lnk = C:\WINDOWS\system32\VirtualExpander\VirtualExpander.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} - https://activatemywifi.verizon.net/sdcCommon/download/WIFI/Verizon%20WiFi%20Installer.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: dlcf_device -   - C:\WINDOWS\system32\dlcfcoms.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: VIPRE Antivirus Premium (SBAMSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\VIPRE\SBAMSvc.exe
O23 - Service: SB Recovery Service (SBPIMSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\VIPRE\SBPIMSvc.exe

--

End of file - 5446 bytes

Thanks yet again,

COL>

In addition, I had not been notified of your post about Combofix so did not initially see it.

Anyway here is the Combofix log file:

ComboFix 10-06-10.06 - Owner 06/11/2010  14:22:36.1.1 - x86
Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1033.18.1022.525 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: Sunbelt VIPRE *On-access scanning disabled* (Updated) {964FCE60-0B18-4D30-ADD6-EB178909041C}
FW: Sunbelt VIPRE *disabled* {FF1CD5B7-1553-4625-A258-1775385CED33}
.

(((((((((((((((((((((((((   Files Created from 2010-05-11 to 2010-06-11  )))))))))))))))))))))))))))))))
.

2010-06-10 20:57 . 2010-06-10 20:57    53632    ----a-w-    c:\documents and settings\Owner\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-06-10 20:57 . 2010-06-10 20:57    --------    d-----w-    c:\program files\Common Files\Adobe AIR
2010-06-10 20:38 . 2010-06-10 20:38    71680    ----a-w-    c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2010-06-09 22:16 . 2009-09-04 21:29    1974616    ----a-w-    c:\windows\system32\D3DCompiler_42.dll
2010-06-09 22:16 . 2009-09-04 21:29    1892184    ----a-w-    c:\windows\system32\D3DX9_42.dll
2010-06-09 22:16 . 2008-10-15 10:22    4379984    ----a-w-    c:\windows\system32\D3DX9_40.dll
2010-06-09 22:15 . 2007-07-19 22:14    3727720    ----a-w-    c:\windows\system32\d3dx9_35.dll
2010-06-09 22:15 . 2007-05-16 20:45    3497832    ----a-w-    c:\windows\system32\d3dx9_34.dll
2010-06-09 22:15 . 2010-06-09 22:15    --------    d-----w-    c:\windows\Logs
2010-06-09 17:49 . 2010-06-11 16:26    --------    d-----w-    c:\program files\nLite
2010-06-09 17:05 . 2010-06-09 17:05    --------    d-----w-    c:\program files\Smart Projects
2010-06-09 16:34 . 2010-06-11 16:14    --------    d-----w-    C:\winxpcd
2010-06-05 00:57 . 2010-06-05 00:57    --------    d-----w-    c:\windows\system32\Events
2010-05-28 11:04 . 2010-05-28 11:04    14896    ----a-w-    c:\windows\system32\drivers\psi_mf.sys
2010-05-28 08:20 . 2010-05-28 08:20    503808    ----a-w-    c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-74e5f840-n\msvcp71.dll
2010-05-28 08:20 . 2010-05-28 08:20    499712    ----a-w-    c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-74e5f840-n\jmc.dll
2010-05-28 08:20 . 2010-05-28 08:20    348160    ----a-w-    c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-74e5f840-n\msvcr71.dll
2010-05-28 08:20 . 2010-05-28 08:20    61440    ----a-w-    c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-535824dc-n\decora-sse.dll
2010-05-28 08:20 . 2010-05-28 08:20    12800    ----a-w-    c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-535824dc-n\decora-d3d.dll
2010-05-23 18:03 . 2010-05-23 18:03    --------    d-----w-    c:\program files\iPod
2010-05-23 18:03 . 2010-05-23 18:03    --------    d-----w-    c:\program files\iTunes
2010-05-23 18:03 . 2010-05-23 18:03    --------    d-----w-    c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-05-23 17:59 . 2010-05-23 18:00    --------    d-----w-    c:\program files\QuickTime
2010-05-23 17:56 . 2010-05-23 17:56    --------    d-----w-    c:\program files\Bonjour
2010-05-23 17:44 . 2010-05-23 17:44    73000    ----a-w-    c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.1.12\SetupAdmin.exe
2010-05-23 14:38 . 2010-05-23 14:38    --------    d-----w-    C:\_OTM

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-11 18:20 . 2009-12-05 20:33    --------    d-----w-    c:\documents and settings\All Users\Application Data\NOS
2010-06-10 14:01 . 2010-01-24 02:20    2810    ----a-w-    c:\documents and settings\Owner\Application Data\wklnhst.dat
2010-06-05 12:45 . 2009-12-05 06:32    --------    d-----w-    c:\program files\Microsoft Silverlight
2010-06-05 11:23 . 2009-12-25 20:27    --------    d-----w-    c:\documents and settings\Owner\Application Data\Apple Computer
2010-05-23 18:03 . 2009-12-25 20:24    --------    d-----w-    c:\program files\Common Files\Apple
2010-05-22 12:18 . 2010-04-24 23:43    --------    d-----w-    c:\program files\Malwarebytes' Anti-Malware
2010-05-12 16:45 . 2010-05-12 16:45    --------    d-----w-    c:\program files\Common Files\Java
2010-05-12 16:44 . 2010-05-12 16:44    503808    ----a-w-    c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-3779e092-n\msvcp71.dll
2010-05-12 16:44 . 2010-05-12 16:44    499712    ----a-w-    c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-3779e092-n\jmc.dll
2010-05-12 16:44 . 2010-05-12 16:44    348160    ----a-w-    c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-3779e092-n\msvcr71.dll
2010-05-12 16:44 . 2010-05-12 16:44    61440    ----a-w-    c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-24ca6ec0-n\decora-sse.dll
2010-05-12 16:44 . 2010-05-12 16:44    12800    ----a-w-    c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-24ca6ec0-n\decora-d3d.dll
2010-05-12 16:44 . 2010-05-12 16:44    411368    ----a-w-    c:\windows\system32\deployJava1.dll
2010-05-12 16:44 . 2010-05-12 16:44    --------    d-----w-    c:\program files\Java
2010-05-09 19:32 . 2010-05-09 19:32    --------    d-----w-    c:\program files\Trend Micro
2010-05-02 05:56 . 2004-08-04 10:00    1850880    ----a-w-    c:\windows\system32\win32k.sys
2010-04-30 16:31 . 2010-04-30 16:31    27984    ----a-w-    c:\windows\system32\sbbd.exe
2010-04-29 19:39 . 2010-04-24 23:43    38224    ----a-w-    c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 19:39 . 2010-04-24 23:43    20952    ----a-w-    c:\windows\system32\drivers\mbam.sys
2010-04-28 19:12 . 2010-05-05 01:23    86232    ----a-w-    c:\windows\system32\drivers\sbhips.sys
2010-04-28 19:12 . 2010-05-05 01:23    204632    ----a-w-    c:\windows\system32\drivers\sbtis.sys
2010-04-28 19:12 . 2010-05-05 01:22    322904    ----a-w-    c:\windows\system32\drivers\SbFw.sys
2010-04-28 02:38 . 2010-02-27 20:10    --------    d-----w-    c:\program files\Common Files\AVSMedia
2010-04-28 02:32 . 2010-04-28 02:32    --------    d-----w-    c:\documents and settings\Owner\Application Data\GARMIN
2010-04-28 02:32 . 2009-12-05 05:03    --------    d-----w-    c:\program files\Common Files\Motive
2010-04-28 02:32 . 2009-12-05 04:59    --------    d-----w-    c:\program files\Verizon
2010-04-24 23:44 . 2010-04-24 23:44    --------    d-----w-    c:\documents and settings\Owner\Application Data\Malwarebytes
2010-04-24 23:43 . 2010-04-24 23:43    --------    d-----w-    c:\documents and settings\All Users\Application Data\Malwarebytes
2010-04-21 17:49 . 2009-12-26 00:16    24932    ---ha-w-    c:\windows\system32\mlfcache.dat
2010-04-20 05:51 . 2004-08-04 10:00    285696    ----a-w-    c:\windows\system32\atmfd.dll
2010-04-16 15:36 . 2006-03-04 03:33    662016    ----a-w-    c:\windows\system32\wininet.dll
2010-04-16 15:36 . 2004-08-04 10:00    81920    ----a-w-    c:\windows\system32\ieencode.dll
2010-04-08 17:20 . 2010-04-08 17:20    91424    ----a-w-    c:\windows\system32\dnssd.dll
2010-04-08 17:20 . 2010-04-08 17:20    107808    ----a-w-    c:\windows\system32\dns-sd.exe
2010-03-28 16:15 . 2009-12-05 16:16    107    ------w-    c:\documents and settings\Owner\Application Data\netstat.bat
2010-03-28 16:15 . 2009-12-05 16:16    107    ------w-    c:\documents and settings\Owner\Application Data\netstat.bat
2010-03-27 19:54 . 2009-12-05 04:29    29528    ------w-    c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-27 13:39 . 2010-03-27 13:29    23510720    ------w-    c:\windows\dotnetfx.exe
2010-03-17 23:11 . 2010-03-17 23:08    7293    ------w-    c:\program files\ST6UNST.LOG
2010-03-17 23:08 . 2010-03-17 22:41    249856    ------w-    c:\windows\Setup1.exe
2010-03-17 23:08 . 2010-03-17 22:41    73216    ------w-    c:\windows\ST6UNST.EXE
2010-03-17 22:43 . 2010-03-17 22:43    252176    ------w-    c:\windows\system32\MSRD2X35.DLL
2004-12-11 18:47 . 2004-12-11 18:47    1413120    ------w-    c:\program files\NSObserverList.exe
2004-12-11 18:31 . 2004-12-11 18:31    562848    ------w-    c:\program files\NexStar Observer List Manual.pdf
2004-12-11 18:26 . 2004-12-11 18:26    143093    ------w-    c:\program files\helpmain.htm
2004-03-20 03:04 . 2004-03-20 03:04    488    ------w-    c:\program files\help.htm
2004-01-01 02:52 . 2004-01-01 02:52    5335    ------w-    c:\program files\helptoc.htm
2003-12-28 17:24 . 2003-12-28 17:24    6506496    ------w-    c:\program files\NSObserverList.mdb
2003-09-16 02:46 . 2003-09-16 02:46    90112    ------w-    c:\program files\NSObserverTemplate.tmp
2003-09-06 02:52 . 2003-09-06 02:52    5518    ------w-    c:\program files\Astronomy Friendly.Theme
2001-03-16 20:56 . 2001-03-16 20:56    4748    ------w-    c:\program files\License.rtf
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\VirtualExpanderFile.1]
@="{E4000AC4-5E5F-4956-807A-C5854405D64F}"
[HKEY_CLASSES_ROOT\CLSID\{E4000AC4-5E5F-4956-807A-C5854405D64F}]
2010-05-08 21:12    73728    ----a-w-    c:\windows\system32\VirtualExpander\VEShellExt.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-04-05 94208]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-04-05 77824]
"Persistence"="c:\windows\system32\igfxpers.exe" [2005-04-05 114688]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"VerizonServicepoint.exe"="c:\program files\Verizon\VSP\VerizonServicepoint.exe" [2009-03-12 2303216]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"FLMOFFICE4DMOUSE"="c:\program files\Browser MOUSE\mouse32a.exe" [2010-03-07 360448]
"SBAMTray"="c:\program files\Sunbelt Software\VIPRE\SBAMTray.exe" [2010-04-30 1291600]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
Secunia PSI.lnk - c:\documents and settings\All Users\Start Menu\Programs\Accessories\System Tools\PSI\psi.exe [2010-5-28 911920]
VirtualExpander.lnk - c:\windows\system32\VirtualExpander\VirtualExpander.exe [2010-5-8 474808]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2009-12-05 04:12    10536    ------w-    c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBPIMSvc]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [5/4/2010 21:28 13400]
R1 SbFw;SbFw;c:\windows\system32\drivers\SbFw.sys [5/4/2010 21:22 322904]
R1 SbTis;SbTis;c:\windows\system32\drivers\sbtis.sys [5/4/2010 21:23 204632]
R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [5/4/2010 21:30 69720]
R2 SBPIMSvc;SB Recovery Service;c:\program files\Sunbelt Software\VIPRE\SBPIMSvc.exe [4/30/2010 12:30 181584]
R3 SBFWIMCL;Sunbelt Software Firewall NDIS IM Filter Miniport;c:\windows\system32\drivers\SbFwIm.sys [3/13/2010 16:14 67800]
S1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [10/13/2009 09:02 95024]
S2 SBAMSvc;VIPRE Antivirus Premium;c:\program files\Sunbelt Software\VIPRE\SBAMSvc.exe [4/30/2010 12:31 2730120]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [5/28/2010 07:04 14896]
S3 SbHips;sbhips;c:\windows\system32\drivers\sbhips.sys [5/4/2010 21:23 86232]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://home.verizon.yahoo.com/
uInternet Settings,ProxyOverride = *.local
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\xktanzji.default\
FF - prefs.js: browser.search.selectedEngine - Bing
FF - prefs.js: browser.startup.homepage - hxxp://home.verizon.yahoo.com/
FF - component: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\xktanzji.default\extensions\{6AC85730-7D0F-4de0-B3FA-21142DD85326}\platform\WINNT\components\ColorZilla.dll
FF - plugin: c:\documents and settings\Owner\Application Data\Move Networks\plugins\npqmp071505000011.dll
FF - plugin: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\xktanzji.default\extensions\{195A3098-0BD5-4e90-AE22-BA1C540AFD1E}\plugins\npGarmin.dll
FF - plugin: c:\documents and settings\Owner\Local Settings\Application Data\Unity\WebPlayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Verizon\VSP\nprpspa.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation",  false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-11 14:28
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1032)
c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll
c:\windows\system32\igfxdev.dll

- - - - - - - > 'explorer.exe'(1272)
c:\windows\system32\VirtualExpander\VEShellExt.dll
c:\program files\Browser MOUSE\MOUDL32A.DLL
c:\windows\system32\msi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-06-11  14:31:15
ComboFix-quarantined-files.txt  2010-06-11 18:31

Pre-Run: 95,435,710,464 bytes free
Post-Run: 97,859,276,800 bytes free

- - End Of File - - 247B5A64F6060F2255E9E448AF08321A


Here also is another HJT log from after the Combofix run, which I figured is what you were after.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:48:48, on 6/11/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Sunbelt Software\VIPRE\SBPIMSvc.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Verizon\VSP\VerizonServicepoint.exe
C:\Program Files\Browser MOUSE\mouse32a.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\VirtualExpander\VirtualExpander.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dlcfcoms.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Sunbelt Software\VIPRE\SBAMSvc.exe
C:\Program Files\Sunbelt Software\VIPRE\SBAMTray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.verizon.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [VerizonServicepoint.exe] "C:\Program Files\Verizon\VSP\VerizonServicepoint.exe" /AUTORUN
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Browser MOUSE\mouse32a.exe
O4 - HKLM\..\Run: [SBAMTray] "C:\Program Files\Sunbelt Software\VIPRE\SBAMTray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - Startup: Secunia PSI.lnk = C:\Documents and Settings\All Users\Start Menu\Programs\Accessories\System Tools\PSI\psi.exe
O4 - Startup: VirtualExpander.lnk = C:\WINDOWS\system32\VirtualExpander\VirtualExpander.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} - https://activatemywifi.verizon.net/sdcCommon/download/WIFI/Verizon%20WiFi%20Installer.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: dlcf_device -   - C:\WINDOWS\system32\dlcfcoms.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: VIPRE Antivirus Premium (SBAMSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\VIPRE\SBAMSvc.exe
O23 - Service: SB Recovery Service (SBPIMSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\VIPRE\SBPIMSvc.exe

--
End of file - 5568 bytes

Sorry about the mix-up.

Thanks,

Col>

1.5K Posts

June 11th, 2010 14:00

Hi colonelh,

No worries.

All of those logs are clean; I really do not think this is malware related. One final check:


Please download OTL to your Desktop.

  • Double click on the icon to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator). Make sure all other windows are closed and to let it run uninterrupted.
  • Under the Custom Scan box paste this in:

netsvcs
msconfig
safebootminimal
safebootnetwork
activex
drivers32
%SYSTEMDRIVE%\*.*
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
nvstor32.sys
ahcix86s.sys
nvrd32.sys
symmpi.sys
adp3132.sys
mv61xx.sys
nvraid.sys
/md5stop
%systemroot%\*. /mp /s
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\system32\*.exe /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\system32\drivers\*.sys /lockedfiles
%systemroot%\System32\config\*.sav
%systemroot%\system32\drivers\*.sys /90
CREATERESTOREPOINT
%PROGRAMFILES%\*.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs

  • Please put a check mark in the boxes next to LOP Check and Purity Check
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan is complete, two text files will be created on your Desktop.
  • OTL.Txt <- this one will be opened
  • Extras.txt <- this one will be minimized

Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of OTL.Txt and the Extras.txt in your next reply.

These will be long logs, so please use multiple posts if need be.

Thanks,
K27.

19 Posts

June 12th, 2010 07:00

K27,

The extras OTL log as previously stated.

OTL Extras logfile created on: 6/12/2010 08:34:02 - Run 1
OTL by OldTimer - Version 3.2.6.0     Folder = C:\Documents and Settings\Owner\Desktop
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
 
1,022.00 Mb Total Physical Memory | 500.00 Mb Available Physical Memory | 49.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 89.00% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 108.59 Gb Total Space | 91.19 Gb Free Space | 83.98% Space Free | Partition Type: NTFS
Drive D: | 36.98 Gb Total Space | 24.66 Gb Free Space | 66.67% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
 
Computer Name: BRIDGE
Current User Name: Owner
Logged in as Administrator.
 
Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard
 
========== Extra Registry (SafeList) ==========
 
 
========== File Associations ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ ]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
 
[HKEY_CURRENT_USER\SOFTWARE\Classes\ ]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
 
========== Shell Spawning ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ \shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Key error.
https [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
 
========== Security Center Settings ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 1
"FirewallOverride" = 1
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
 
========== Authorized Applications List ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)
 
 
========== HKEY_LOCAL_MACHINE Uninstall List ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0BBBA9A9-02E8-467D-BE57-4797A50F7861}" = Intel(R) Network Connections
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{26A24AE4-039D-4CA4-87B4-2F83216020FF}" = Java(TM) 6 Update 20
"{28BE306E-5DA6-4F9C-BDB0-DBA3C8C6FFFD}" = QuickTime
"{29977CB8-72E4-4D5E-94B2-BE6B568216C1}" = VIPRE Antivirus Premium
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{553255F3-78FD-40F1-A6F8-6882140265FE}" = Apple Application Support
"{5ECB3A3C-980B-4D12-9724-25DCB07A1F47}" = iTunes
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6D52C408-B09A-4520-9B18-475B81D393F1}" = Microsoft Works
"{76EFFC7C-17A6-479D-9E47-8E658C1695AE}" = Windows Backup Utility
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A253629-0511-4854-8B4E-46E57E66005C}" = Bonjour
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel(R) Extreme Graphics 2 Driver
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9DE1BE03-AFE2-4CDB-BFEB-D06D736CD01A}" = Apple Mobile Device Support
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{AC76BA86-7AD7-1033-7B44-A93000000001}" = Adobe Reader 9.3.2
"{B194272D-1F92-46DF-99EB-8D5CE91CB4EC}" = Adobe AIR
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{ECE3188A-3B11-4332-B1B9-43FAA9A02626}" = TheSkyX First Light Edition
"{F0A37341-D692-11D4-A984-009027EC0A9C}" = SoundMAX
"{F8131A35-47FD-27AD-116D-0E79AF5DE5EE}" = Acrobat.com
"{FCD9CD52-7222-4672-94A0-A722BA702FD0}" = Dell Resource CD
"Adobe AIR" = Adobe AIR
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Amazon MP3 Downloader" = Amazon MP3 Downloader 1.0.9
"Browser MOUSE" = Browser MOUSE
"CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200F14F1" = Conexant D850 56K V.9x DFVc Modem
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"Dell Color Printer 725" = Dell Color Printer 725
"Diablo II" = Diablo II
"Driver Genius Professional Edition_is1" = Driver Genius Professional Edition
"Evidence The Last Ritual" = Evidence The Last Ritual
"GoToAssist" = GoToAssist 8.0.0.514
"HijackThis" = HijackThis 2.0.2
"IsoBuster_is1" = IsoBuster 2.8
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Missing" = Missing
"Mozilla Firefox (3.6.3)" = Mozilla Firefox (3.6.3)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"nLite_is1" = nLite 1.4.9.1
"RadialpointClientGateway_is1" = Verizon Servicepoint 1.5.24
"Return to Mysterious Island" = Return to Mysterious Island
"Secunia PSI" = Secunia PSI
"Shockwave" = Shockwave
"ST6UNST #1" = NexStar Observer List
"ST6UNST #2" = NexStar Observer List (C:\Program Files\)
"Verizon High Speed Internet_is1" = Verizon High Speed Internet
"WIC" = Windows Imaging Component
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"YInstHelper" = Yahoo! Install Manager
 
========== HKEY_CURRENT_USER Uninstall List ==========
 
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Move Media Player" = Move Media Player
"Sansa Updater" = Sansa Updater
"UnityWebPlayer" = Unity Web Player
 
========== Last 10 Event Log Errors ==========
 
[ Application Events ]
Error - 3/21/2010 13:38:34 | Computer Name = BRIDGE | Source = Application Error | ID = 1000
Description = Faulting application missing.exe, version 9.0.0.432, faulting module
 dirapi.dll, version 8.5.1.104, fault address 0x000a71b5.
 
Error - 3/21/2010 13:38:49 | Computer Name = BRIDGE | Source = Application Error | ID = 1001
Description = Fault bucket 118741512.
 
Error - 3/21/2010 14:55:39 | Computer Name = BRIDGE | Source = Application Hang | ID = 1002
Description = Hanging application firefox.exe, version 1.9.1.3685, hang module hungapp,
 version 0.0.0.0, hang address 0x00000000.
 
Error - 3/22/2010 17:21:46 | Computer Name = BRIDGE | Source = MsiInstaller | ID = 10005
Description = Product: VIPRE Antivirus Premium -- You do not have sufficient privileges
 to complete this installation for all users of the machine.  Log on as an administrator
 and then retry this installation.
 
Error - 3/22/2010 17:22:53 | Computer Name = BRIDGE | Source = MsiInstaller | ID = 10005
Description = Product: VIPRE Antivirus Premium -- You do not have sufficient privileges
 to complete this installation for all users of the machine.  Log on as an administrator
 and then retry this installation.
 
Error - 3/27/2010 10:14:44 | Computer Name = BRIDGE | Source = Application Error | ID = 1000
Description = Faulting application explorer.exe, version 6.0.2900.3156, faulting
 module unknown, version 0.0.0.0, fault address 0x4ec683bd.
 
Error - 3/27/2010 10:14:50 | Computer Name = BRIDGE | Source = Application Error | ID = 1001
Description = Fault bucket 1453726857.
 
Error - 3/27/2010 12:36:17 | Computer Name = BRIDGE | Source = MsiInstaller | ID = 11721
Description = Product: Vz In Home Agent -- Error 1721. There is a problem with this
 Windows Installer package. A program required for this install to complete could
 not be run. Contact your support personnel or package vendor. Action: Run_iHAStarter,
 location: C:\Program Files\Verizon\FiOS\ihs\iHAStarter.exe, command: RunFromInstall
 
 
[ System Events ]
Error - 4/24/2010 12:45:22 | Computer Name = BRIDGE | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
   %%126
 
Error - 4/24/2010 12:45:22 | Computer Name = BRIDGE | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
   %%126
 
Error - 4/24/2010 12:45:23 | Computer Name = BRIDGE | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
   %%126
 
Error - 4/24/2010 12:45:23 | Computer Name = BRIDGE | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
   %%126
 
Error - 4/24/2010 12:45:23 | Computer Name = BRIDGE | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
   %%126
 
Error - 4/24/2010 12:45:23 | Computer Name = BRIDGE | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
   %%126
 
Error - 4/24/2010 12:45:23 | Computer Name = BRIDGE | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
   %%126
 
Error - 4/24/2010 12:45:23 | Computer Name = BRIDGE | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
   %%126
 
Error - 4/24/2010 12:45:23 | Computer Name = BRIDGE | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
   %%126
 
Error - 4/24/2010 12:45:23 | Computer Name = BRIDGE | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
   %%126
 
 
< End of report >

 

If this does in fact rule out a malware issue, any recommendations as to which direction to go in are more than welcome.

Thanks again,

COL>


June 12th, 2010 07:00

Hi K27,

I do believe you are correct in thinking that there is some other cause for this issue. I make a strong effort to keep my system clean and in good maintenance.

This is one of those want to find something dirty, but don't want to find something slipped in either.

At any rate, here is the first log from OTL:

 

OTL logfile created on: 6/12/2010 08:34:02 - Run 1
OTL by OldTimer - Version 3.2.6.0     Folder = C:\Documents and Settings\Owner\Desktop
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
 
1,022.00 Mb Total Physical Memory | 500.00 Mb Available Physical Memory | 49.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 89.00% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 108.59 Gb Total Space | 91.19 Gb Free Space | 83.98% Space Free | Partition Type: NTFS
Drive D: | 36.98 Gb Total Space | 24.66 Gb Free Space | 66.67% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
 
Computer Name: BRIDGE
Current User Name: Owner
Logged in as Administrator.
 
Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard
 
========== Processes (SafeList) ==========
 
PRC - [2010/06/12 08:28:48 | 000,572,416 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
PRC - [2010/04/30 12:39:36 | 001,291,600 | ---- | M] (Sunbelt Software) -- C:\Program Files\Sunbelt Software\VIPRE\SBAMTray.exe
PRC - [2010/04/30 12:31:50 | 002,730,120 | ---- | M] (Sunbelt Software) -- C:\Program Files\Sunbelt Software\VIPRE\SBAMSvc.exe
PRC - [2010/04/30 12:30:46 | 000,181,584 | ---- | M] (Sunbelt Software) -- C:\Program Files\Sunbelt Software\VIPRE\SBPIMSvc.exe
PRC - [2010/04/16 08:33:40 | 000,144,672 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
PRC - [2010/03/06 20:40:12 | 000,360,448 | ---- | M] () -- C:\Program Files\Browser MOUSE\mouse32a.exe
PRC - [2009/03/12 13:31:54 | 002,303,216 | ---- | M] (Verizon) -- C:\Program Files\Verizon\VSP\VerizonServicepoint.exe
PRC - [2007/06/13 06:23:07 | 001,033,216 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/03/05 12:27:32 | 000,474,808 | ---- | M] (Sony Corporation) -- C:\WINDOWS\system32\VirtualExpander\VirtualExpander.exe
PRC - [2006/11/20 04:42:45 | 000,033,280 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\snmp.exe
PRC - [2005/10/28 08:41:52 | 000,491,520 | ---- | M] ( ) -- C:\WINDOWS\system32\dlcfcoms.exe
PRC - [2004/10/14 15:42:54 | 001,404,928 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\Core\smax4pnp.exe
 
 
========== Modules (SafeList) ==========
 
MOD - [2010/06/12 08:28:48 | 000,572,416 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
MOD - [2010/03/06 20:40:13 | 000,057,344 | ---- | M] () -- C:\Program Files\Browser MOUSE\mouDL32A.dll
MOD - [2007/11/06 18:08:30 | 000,106,496 | ---- | M] (Nektra S.A.) -- C:\Program Files\Sunbelt Software\VIPRE\oehook.dll
MOD - [2004/08/04 06:00:00 | 001,050,624 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll
MOD - [2004/08/04 06:00:00 | 000,102,400 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx
 
 
========== Win32 Services (SafeList) ==========
 
SRV - [2010/04/30 12:31:50 | 002,730,120 | ---- | M] (Sunbelt Software) [Auto | Running] -- C:\Program Files\Sunbelt Software\VIPRE\SBAMSvc.exe -- (SBAMSvc)
SRV - [2010/04/30 12:30:46 | 000,181,584 | ---- | M] (Sunbelt Software) [Auto | Running] -- C:\Program Files\Sunbelt Software\VIPRE\SBPIMSvc.exe -- (SBPIMSvc)
SRV - [2010/04/16 08:33:40 | 000,144,672 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2009/12/05 00:12:48 | 000,016,680 | ---- | M] (Citrix Online, a division of Citrix Systems, Inc.) [On_Demand | Stopped] -- C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe -- (GoToAssist)
SRV - [2006/11/20 04:42:45 | 000,033,280 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\snmp.exe -- (SNMP)
SRV - [2005/10/28 08:41:52 | 000,491,520 | ---- | M] ( ) [On_Demand | Running] -- C:\WINDOWS\System32\dlcfcoms.exe -- (dlcf_device)
SRV - [2004/08/04 06:00:00 | 000,019,456 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\tcpsvcs.exe -- (LPDSVC)
 
 
========== Driver Services (SafeList) ==========
 
DRV - [2010/05/28 07:04:52 | 000,014,896 | ---- | M] (Secunia) [File_System | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\psi_mf.sys -- (PSI)
DRV - [2010/04/28 15:12:40 | 000,322,904 | ---- | M] (Sunbelt Software, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\SbFw.sys -- (SbFw)
DRV - [2010/04/28 15:12:40 | 000,204,632 | ---- | M] (Sunbelt Software, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\sbtis.sys -- (SbTis)
DRV - [2010/04/28 15:12:40 | 000,086,232 | ---- | M] (Sunbelt Software, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\sbhips.sys -- (SbHips)
DRV - [2010/03/17 16:53:38 | 000,021,248 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\Program Files\Common Files\Motive\MREMP50.sys -- (MREMP50)
DRV - [2010/03/17 16:53:22 | 000,020,096 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\Program Files\Common Files\Motive\MRESP50.sys -- (MRESP50)
DRV - [2010/02/11 08:01:43 | 000,226,880 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\tcpip6.sys -- (Tcpip6)
DRV - [2010/01/14 05:42:42 | 000,067,800 | ---- | M] (Sunbelt Software, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SbFwIm.sys -- (SBFWIMCL)
DRV - [2010/01/04 06:29:42 | 000,069,720 | ---- | M] (Sunbelt Software) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\sbapifs.sys -- (sbapifs)
DRV - [2010/01/04 06:29:40 | 000,013,400 | ---- | M] (Sunbelt Software) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\sbaphd.sys -- (sbaphd)
DRV - [2009/10/13 09:02:36 | 000,095,024 | ---- | M] (Sunbelt Software) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\SBREDrv.sys -- (SBRE)
DRV - [2004/09/17 10:02:54 | 000,732,928 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\senfilt.sys -- (senfilt)
DRV - [2004/08/04 06:00:00 | 000,088,448 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\nwlnkipx.sys -- (NwlnkIpx)
DRV - [2004/08/04 06:00:00 | 000,063,232 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\nwlnknb.sys -- (NwlnkNb)
DRV - [2004/08/04 06:00:00 | 000,055,936 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\nwlnkspx.sys -- (NwlnkSpx)
DRV - [2003/11/17 16:59:20 | 000,212,224 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWBS2.sys -- (HSFHWBS2)
DRV - [2003/11/17 16:58:02 | 000,680,704 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2003/11/17 16:56:26 | 001,042,432 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DP.sys -- (HSF_DP)
DRV - [2001/08/17 14:57:38 | 000,016,128 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\MODEMCSA.sys -- (MODEMCSA)
 
 
========== Standard Registry (SafeList) ==========
 
 
========== Internet Explorer ==========
 
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
 
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://home.verizon.yahoo.com/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local
 
========== FireFox ==========
 
FF - prefs.js..browser.search.selectedEngine: "Bing"
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://home.verizon.yahoo.com/"
FF - prefs.js..extensions.enabledItems: {6AC85730-7D0F-4de0-B3FA-21142DD85326}:2.0.2
FF - prefs.js..extensions.enabledItems: moveplayer@movenetworks.com:7
FF - prefs.js..extensions.enabledItems: {35106bca-6c78-48c7-ac28-56df30b51d2c}:0.6.4
FF - prefs.js..extensions.enabledItems: personas@christopher.beard:1.5.3
FF - prefs.js..extensions.enabledItems: {ef4e370e-d9f0-4e00-b93e-a4f274cfdd5a}:1.3
FF - prefs.js..extensions.enabledItems: {195A3098-0BD5-4e90-AE22-BA1C540AFD1E}:2.9.1.0
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
 
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/05/31 20:49:26 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/06/11 14:20:13 | 000,000,000 | ---D | M]
 
[2009/12/05 01:29:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla\Extensions
[2010/06/11 14:39:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\xktanzji.default\extensions
[2010/04/08 18:14:54 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\xktanzji.default\extensions\{195A3098-0BD5-4e90-AE22-BA1C540AFD1E}
[2010/04/27 22:38:24 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\xktanzji.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2009/12/05 01:33:14 | 000,000,000 | ---D | M] (Organize Status Bar) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\xktanzji.default\extensions\{35106bca-6c78-48c7-ac28-56df30b51d2c}
[2009/12/05 01:39:39 | 000,000,000 | ---D | M] (ColorZilla) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\xktanzji.default\extensions\{6AC85730-7D0F-4de0-B3FA-21142DD85326}
[2010/03/24 13:22:16 | 000,000,000 | ---D | M] (FoxTab) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\xktanzji.default\extensions\{ef4e370e-d9f0-4e00-b93e-a4f274cfdd5a}
[2010/04/27 22:38:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\xktanzji.default\extensions\personas@christopher.beard
[2009/12/27 17:27:32 | 000,002,256 | ---- | M] () -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\xktanzji.default\searchplugins\acronym-finder.xml
[2009/12/05 01:53:17 | 000,002,172 | ---- | M] () -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\xktanzji.default\searchplugins\bing.xml
[2010/06/11 09:02:38 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/05/12 12:44:35 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
[2010/05/12 12:44:15 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll
 
O1 HOSTS File: ([2004/08/04 06:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1       localhost
O4 - HKLM..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Browser MOUSE\mouse32a.exe ()
O4 - HKLM..\Run: [SBAMTray] C:\Program Files\Sunbelt Software\VIPRE\SBAMTray.exe (Sunbelt Software)
O4 - HKLM..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe (Analog Devices, Inc.)
O4 - HKLM..\Run: [VerizonServicepoint.exe] C:\Program Files\Verizon\VSP\VerizonServicepoint.exe (Verizon)
O4 - HKCU..\RunOnce: [Shockwave 8] C:\WINDOWS\System32\Macromed\Shockwave 8\swinit.exe (Macromedia, Inc.)
O4 - Startup: C:\Documents and Settings\Owner\Start Menu\Programs\Startup\Secunia PSI.lnk = C:\Documents and Settings\All Users\Start Menu\Programs\Accessories\System Tools\PSI\psi.exe (Secunia)
O4 - Startup: C:\Documents and Settings\Owner\Start Menu\Programs\Startup\VirtualExpander.lnk = C:\WINDOWS\system32\VirtualExpander\VirtualExpander.exe (Sony Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\WINDOWS\system32\nwprovau.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000005 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} https://activatemywifi.verizon.net/sdcCommon/download/WIFI/Verizon%20WiFi%20Installer.cab (Reg Error: Key error.)
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} http://support.dell.com/systemprofiler/SysPro.CAB (SysProWmi Class)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} C:\Program Files\Yahoo!\Common\Yinsthelper.dll (Installation Support)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\GoToAssist: DllName - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll - C:\Program Files\Citrix\GoToAssist\514\g2awinlogon.dll (Citrix Online, a division of Citrix Systems, Inc.)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Desktop Background.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Desktop Background.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/12/04 23:02:12 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) -  File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
 
NetSvcs: Ias - C:\WINDOWS\system32\ias [2009/12/04 23:01:43 | 000,000,000 | ---D | M]
NetSvcs: Iprip -  File not found
NetSvcs: Irmon -  File not found
NetSvcs: NWCWorkstation -  File not found
NetSvcs: Nwsapagent -  File not found
NetSvcs: Wmi - C:\WINDOWS\system32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp -  File not found
 
 
SafeBootMin: Base - Driver Group
SafeBootMin: Boot Bus Extender - Driver Group
SafeBootMin: Boot file system - Driver Group
SafeBootMin: File system - Driver Group
SafeBootMin: Filter - Driver Group
SafeBootMin: PCI Configuration - Driver Group
SafeBootMin: PNP Filter - Driver Group
SafeBootMin: Primary disk - Driver Group
SafeBootMin: SBAMSvc - C:\Program Files\Sunbelt Software\VIPRE\SBAMSvc.exe (Sunbelt Software)
SafeBootMin: SBPIMSvc - C:\Program Files\Sunbelt Software\VIPRE\SBPIMSvc.exe (Sunbelt Software)
SafeBootMin: SCSI Class - Driver Group
SafeBootMin: sermouse.sys - Driver
SafeBootMin: System Bus Extender - Driver Group
SafeBootMin: vga.sys - Driver
SafeBootMin: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootMin: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootMin: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootMin: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootMin: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootMin: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootMin: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootMin: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootMin: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootMin: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootMin: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootMin: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootMin: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices
 
SafeBootNet: Base - Driver Group
SafeBootNet: Boot Bus Extender - Driver Group
SafeBootNet: Boot file system - Driver Group
SafeBootNet: File system - Driver Group
SafeBootNet: Filter - Driver Group
SafeBootNet: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe (Citrix Online, a division of Citrix Systems, Inc.)
SafeBootNet: NDIS Wrapper - Driver Group
SafeBootNet: NetBIOSGroup - Driver Group
SafeBootNet: NetDDEGroup - Driver Group
SafeBootNet: Network - Driver Group
SafeBootNet: NetworkProvider - Driver Group
SafeBootNet: PCI Configuration - Driver Group
SafeBootNet: PNP Filter - Driver Group
SafeBootNet: PNP_TDI - Driver Group
SafeBootNet: Primary disk - Driver Group
SafeBootNet: SBAMSvc - C:\Program Files\Sunbelt Software\VIPRE\SBAMSvc.exe (Sunbelt Software)
SafeBootNet: SBPIMSvc - C:\Program Files\Sunbelt Software\VIPRE\SBPIMSvc.exe (Sunbelt Software)
SafeBootNet: SCSI Class - Driver Group
SafeBootNet: sermouse.sys - Driver
SafeBootNet: Streams Drivers - Driver Group
SafeBootNet: System Bus Extender - Driver Group
SafeBootNet: TDI - Driver Group
SafeBootNet: vga.sys - Driver
SafeBootNet: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootNet: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootNet: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootNet: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootNet: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootNet: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootNet: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootNet: {4D36E972-E325-11CE-BFC1-08002BE10318} - Net
SafeBootNet: {4D36E973-E325-11CE-BFC1-08002BE10318} - NetClient
SafeBootNet: {4D36E974-E325-11CE-BFC1-08002BE10318} - NetService
SafeBootNet: {4D36E975-E325-11CE-BFC1-08002BE10318} - NetTrans
SafeBootNet: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootNet: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootNet: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootNet: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootNet: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootNet: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices
 
ActiveX: {0291E591-EA41-4c82-8106-3DC6CE7F7664} - Reg Error: Value error.
ActiveX: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} - Java (Sun)
ActiveX: {10072CEC-8CC1-11D1-986E-00A0C955B42F} - Vector Graphics Rendering (VML)
ActiveX: {166B1BCA-3F9C-11CF-8075-444553540000} - Macromedia Shockwave Director 9.0
ActiveX: {2179C5D3-EBFF-11CF-B6FD-00AA00B4E220} - NetShow
ActiveX: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} - Microsoft Windows Media Player 6.4
ActiveX: {283807B5-2C60-11D0-A31D-00AA00B92C03} - DirectAnimation
ActiveX: {2A202491-F00D-11cf-87CC-0020AFEECF20} - Macromedia Shockwave Director 9.0
ActiveX: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
ActiveX: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} - Reg Error: Value error.
ActiveX: {347B0667-C7ED-429B-BDE3-CC8D3BACAA31} - Reg Error: Value error.
ActiveX: {36f8ec70-c29a-11d1-b5c7-0000f8051515} - Dynamic HTML Data Binding for Java
ActiveX: {3af36230-a269-11d1-b5bf-0000f8051515} - Offline Browsing Pack
ActiveX: {3bf42070-b3b1-11d1-b5c5-0000f8051515} - Uniscribe
ActiveX: {4278c270-a269-11d1-b5bf-0000f8051515} - Advanced Authoring
ActiveX: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
ActiveX: {44BBA842-CC51-11CF-AAFA-00AA00B6015B} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
ActiveX: {44BBA848-CC51-11CF-AAFA-00AA00B6015C} - DirectShow
ActiveX: {44BBA855-CC51-11CF-AAFA-00AA00B6015F} - DirectDrawEx
ActiveX: {45ea75a0-a269-11d1-b5bf-0000f8051515} - Internet Explorer Help
ActiveX: {4b218e3e-bc98-4770-93d3-2731b9329278} - %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection MarketplaceLinkInstall 896 %systemroot%\inf\ie.inf
ActiveX: {4f216970-c90c-11d1-b5c7-0000f8051515} - DirectAnimation Java Classes
ActiveX: {4f645220-306d-11d2-995d-00c04f98bbc9} - Microsoft Windows Script 5.6
ActiveX: {5945c046-1e7d-11d1-bc44-00c04fd912be} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser
ActiveX: {5A8D6EE0-3E18-11D0-821E-444553540000} - ICW
ActiveX: {5fd399c0-a70a-11d1-9948-00c04f98bbc9} - Internet Explorer Setup Tools
ActiveX: {630b1da0-b465-11d1-9948-00c04f98bbc9} - Browsing Enhancements
ActiveX: {6BF52A52-394A-11d3-B153-00C04F79FAA6} - Microsoft Windows Media Player
ActiveX: {6fab99d0-bab8-11d1-994a-00c04f98bbc9} - MSN Site Access
ActiveX: {7131646D-CD3C-40F4-97B9-CD9E4E6262EF} - .NET Framework
ActiveX: {7790769C-0471-11d2-AF11-00C04FA35D02} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /i:U shell32.dll
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4383} - %SystemRoot%\system32\ie4uinit.exe
ActiveX: {89B4C1CD-B018-4511-B0A1-5476DBF70820} - c:\WINDOWS\system32\Rundll32.exe c:\WINDOWS\system32\mscories.dll,Install
ActiveX: {9381D8F2-0288-11D0-9501-00AA00B911A5} - Dynamic HTML Data Binding
ActiveX: {ACC563BC-4266-43f0-B6ED-9D38C4202C7E} -
ActiveX: {C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F} - .NET Framework
ActiveX: {C9E9A340-D1F1-11D0-821E-444553540600} - Internet Explorer Core Fonts
ActiveX: {CC2A9BA0-3BDD-11D0-821E-444553540000} - Task Scheduler
ActiveX: {CDD7975E-60F8-41d5-8149-19E51D6F71D0} - Windows Movie Maker v2.1
ActiveX: {D27CDB6E-AE6D-11cf-96B8-444553540000} - Adobe Flash Player
ActiveX: {de5aed00-a4bf-11d1-9948-00c04f98bbc9} - HTML Help
ActiveX: {E92B03AB-B707-11d2-9CBD-0000F87A369E} - Active Directory Service Interface
ActiveX: >{22d6f312-b0f6-11d0-94ab-0080c74c7e95} - C:\WINDOWS\inf\unregmp2.exe /ShowWMP
ActiveX: >{26923b43-4d38-484f-9b9e-de460746276c} - %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS - RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
ActiveX: >{881dd1c5-3dcf-431b-b061-f3f88e8be88a} - %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE
 
Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)
Drivers32: wave1 - C:\WINDOWS\System32\serwvdrv.dll (Microsoft Corporation)
 
CREATERESTOREPOINT
Restore point Set: OTL Restore Point (16902109354000384)
 
========== Files/Folders - Created Within 30 Days ==========
 
[2010/06/12 08:28:29 | 000,572,416 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
[2010/06/11 14:21:28 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/06/11 14:21:28 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/06/11 14:21:28 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/06/11 14:21:28 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/06/11 14:21:22 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/06/11 14:20:24 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/06/11 14:14:27 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2010/06/11 14:14:25 | 000,000,000 | ---D | C] -- C:\WINDOWS\setup.pss
[2010/06/11 14:14:10 | 000,000,000 | ---D | C] -- C:\WINDOWS\setupupd
[2010/06/10 16:57:49 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Adobe AIR
[2010/06/10 09:32:20 | 331,805,736 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\Owner\Desktop\DO NOT OPEN!!.exe
[2010/06/09 18:16:20 | 001,974,616 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DCompiler_42.dll
[2010/06/09 18:16:12 | 001,892,184 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DX9_42.dll
[2010/06/09 18:16:05 | 004,379,984 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DX9_40.dll
[2010/06/09 18:15:58 | 003,727,720 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx9_35.dll
[2010/06/09 18:15:52 | 003,497,832 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx9_34.dll
[2010/06/09 18:15:46 | 002,388,176 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx9_30.dll
[2010/06/09 18:15:42 | 000,000,000 | ---D | C] -- C:\WINDOWS\Logs
[2010/06/09 13:49:27 | 000,000,000 | ---D | C] -- C:\Program Files\nLite
[2010/06/09 13:05:58 | 000,000,000 | ---D | C] -- C:\Program Files\Smart Projects
[2010/06/09 12:34:51 | 000,000,000 | ---D | C] -- C:\winxpcd
[2010/06/04 20:57:36 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\Events
[2010/05/28 07:04:52 | 000,014,896 | ---- | C] (Secunia) -- C:\WINDOWS\System32\drivers\psi_mf.sys
[2010/05/23 14:03:06 | 000,000,000 | ---D | C] -- C:\Program Files\iPod
[2010/05/23 14:03:00 | 000,000,000 | ---D | C] -- C:\Program Files\iTunes
[2010/05/23 14:03:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2010/05/23 13:59:34 | 000,000,000 | ---D | C] -- C:\Program Files\QuickTime
[2010/05/23 13:56:23 | 000,000,000 | ---D | C] -- C:\Program Files\Bonjour
[2010/05/23 11:20:31 | 002,936,832 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\Owner\My Documents\xpssvcs.dll
[2010/05/23 11:20:31 | 000,748,032 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\Owner\My Documents\mxdwdrv.dll
[2010/05/23 11:20:31 | 000,147,456 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\Owner\My Documents\filterpipelineprintproc.dll
[2010/05/23 10:38:17 | 000,000,000 | ---D | C] -- C:\_OTM
[2009/12/05 00:27:41 | 001,183,744 | ---- | C] ( ) -- C:\WINDOWS\System32\dlcfserv.dll
[2009/12/05 00:27:41 | 001,134,592 | ---- | C] ( ) -- C:\WINDOWS\System32\dlcfusb1.dll
[2009/12/05 00:27:40 | 000,638,976 | ---- | C] ( ) -- C:\WINDOWS\System32\dlcfpmui.dll
[2009/12/05 00:27:40 | 000,155,648 | ---- | C] ( ) -- C:\WINDOWS\System32\dlcfprox.dll
[2009/12/05 00:27:40 | 000,114,688 | ---- | C] ( ) -- C:\WINDOWS\System32\dlcfpplc.dll
[2009/12/05 00:27:39 | 000,774,144 | ---- | C] ( ) -- C:\WINDOWS\System32\dlcfhbn3.dll
[2009/12/05 00:27:39 | 000,413,696 | ---- | C] ( ) -- C:\WINDOWS\System32\dlcfcomm.dll
[2009/12/05 00:27:38 | 000,704,512 | ---- | C] ( ) -- C:\WINDOWS\System32\dlcfcomc.dll
[2009/12/05 00:27:38 | 000,483,328 | ---- | C] ( ) -- C:\WINDOWS\System32\dlcflmpm.dll
[1 C:\Program Files\*.tmp files -> C:\Program Files\*.tmp -> ]
 
========== Files - Modified Within 30 Days ==========
 
[2010/06/12 08:28:48 | 000,572,416 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
[2010/06/11 16:09:41 | 000,002,810 | ---- | M] () -- C:\Documents and Settings\Owner\Application Data\wklnhst.dat
[2010/06/11 14:31:17 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/06/11 14:28:53 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/06/11 14:17:07 | 003,706,469 | R--- | M] () -- C:\Documents and Settings\Owner\Desktop\ComboFix.exe
[2010/06/11 14:14:48 | 000,000,282 | RHS- | M] () -- C:\boot.ini
[2010/06/11 14:05:16 | 000,001,917 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/06/11 10:30:32 | 331,805,736 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\Owner\Desktop\DO NOT OPEN!!.exe
[2010/06/10 16:58:02 | 000,000,732 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Acrobat_com.lnk
[2010/06/10 16:54:36 | 000,508,956 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/06/10 16:54:36 | 000,432,356 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/06/10 16:54:36 | 000,067,312 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/06/10 16:50:17 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/06/10 16:49:49 | 003,145,728 | ---- | M] () -- C:\Documents and Settings\Owner\ntuser.dat
[2010/06/10 16:49:49 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Owner\ntuser.ini
[2010/06/10 16:14:26 | 000,524,099 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\gp.xpi
[2010/06/10 10:01:03 | 000,209,408 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\fax cover.wps
[2010/06/10 08:39:55 | 000,867,051 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\xpboot.exe
[2010/06/09 20:58:43 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/06/09 13:06:01 | 000,000,761 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\IsoBuster.lnk
[2010/06/08 19:32:52 | 000,002,137 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2010/06/08 16:15:13 | 000,001,409 | ---- | M] () -- C:\WINDOWS\System32\tmpAEFD3.FOT
[2010/06/08 14:41:05 | 000,145,216 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/06/07 07:24:35 | 000,088,576 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\Untitled Document.wps
[2010/06/05 07:43:27 | 000,001,194 | ---- | M] () -- C:\Documents and Settings\Owner\Start Menu\Programs\Startup\Secunia PSI.lnk
[2010/06/04 20:57:36 | 000,018,494 | ---- | M] () -- C:\WINDOWS\System32\FirewallConfig.xml
[2010/06/04 20:57:36 | 000,001,110 | ---- | M] () -- C:\WINDOWS\System32\ServiceConfig.xml
[2010/05/28 15:55:17 | 000,960,000 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\hokey.wps
[2010/05/28 07:04:52 | 000,014,896 | ---- | M] (Secunia) -- C:\WINDOWS\System32\drivers\psi_mf.sys
[2010/05/23 14:00:03 | 000,001,604 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\QuickTime Player.lnk
[2010/05/23 13:01:11 | 000,001,602 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2010/05/21 20:03:33 | 000,125,768 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\SCREEN-DOOR-MEASUREMENT.pdf
[1 C:\Program Files\*.tmp files -> C:\Program Files\*.tmp -> ]
 
========== Files Created - No Company Name ==========
 
[2010/06/11 14:21:28 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/06/11 14:21:28 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/06/11 14:21:28 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/06/11 14:21:28 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/06/11 14:21:28 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/06/11 14:17:07 | 003,706,469 | R--- | C] () -- C:\Documents and Settings\Owner\Desktop\ComboFix.exe
[2010/06/11 14:14:48 | 000,000,211 | -HS- | C] () -- C:\BOOT.BAK
[2010/06/11 14:14:45 | 000,260,272 | RHS- | C] () -- C:\cmldr
[2010/06/10 16:58:02 | 000,000,732 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Acrobat_com.lnk
[2010/06/10 16:14:25 | 000,524,099 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\gp.xpi
[2010/06/10 10:01:03 | 000,209,408 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\fax cover.wps
[2010/06/10 08:39:55 | 000,867,051 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\xpboot.exe
[2010/06/09 13:06:01 | 000,000,761 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\IsoBuster.lnk
[2010/06/08 16:15:13 | 000,001,409 | ---- | C] () -- C:\WINDOWS\System32\tmpAEFD3.FOT
[2010/06/07 07:24:34 | 000,088,576 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\Untitled Document.wps
[2010/06/05 07:43:27 | 000,001,194 | ---- | C] () -- C:\Documents and Settings\Owner\Start Menu\Programs\Startup\Secunia PSI.lnk
[2010/06/04 20:57:36 | 000,018,494 | ---- | C] () -- C:\WINDOWS\System32\FirewallConfig.xml
[2010/06/04 20:57:36 | 000,001,110 | ---- | C] () -- C:\WINDOWS\System32\ServiceConfig.xml
[2010/06/03 11:27:26 | 000,000,788 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Windows Media Player.lnk
[2010/05/28 15:55:16 | 000,960,000 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\hokey.wps
[2010/05/23 14:03:56 | 000,002,137 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2010/05/23 14:00:02 | 000,001,604 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\QuickTime Player.lnk
[2010/05/23 11:20:31 | 000,010,929 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\msxpsdrv.cat
[2010/05/23 11:20:31 | 000,002,204 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\msxpsdrv.inf
[2010/05/23 11:20:31 | 000,000,073 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\msxpsinc.gpd
[2010/05/23 11:20:31 | 000,000,072 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\msxpsinc.ppd
[2010/05/21 20:03:33 | 000,125,768 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\SCREEN-DOOR-MEASUREMENT.pdf
[2009/12/05 00:28:08 | 000,065,536 | R--- | C] () -- C:\WINDOWS\System32\dlcfcfg.dll
[2009/12/05 00:27:42 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\dlcfvs.dll
[2009/12/05 00:27:37 | 000,430,080 | ---- | C] () -- C:\WINDOWS\System32\dlcfutil.dll
[2009/12/05 00:27:32 | 000,131,072 | ---- | C] () -- C:\WINDOWS\System32\dlcfjswr.dll
[2009/12/05 00:27:31 | 000,221,184 | ---- | C] () -- C:\WINDOWS\System32\dlcfinsb.dll
[2009/12/05 00:27:31 | 000,155,648 | ---- | C] () -- C:\WINDOWS\System32\dlcfins.dll
[2009/12/05 00:27:31 | 000,106,496 | ---- | C] () -- C:\WINDOWS\System32\dlcfinsr.dll
[2009/12/05 00:27:29 | 000,086,016 | ---- | C] () -- C:\WINDOWS\System32\dlcfcub.dll
[2009/12/05 00:27:29 | 000,073,728 | ---- | C] () -- C:\WINDOWS\System32\dlcfcu.dll
[2009/12/05 00:27:29 | 000,036,864 | ---- | C] () -- C:\WINDOWS\System32\dlcfcur.dll
[2004/08/04 06:00:00 | 000,027,440 | ---- | C] () -- C:\WINDOWS\System32\drivers\secdrv.sys
[2001/12/27 06:38:04 | 000,054,765 | ---- | C] () -- C:\WINDOWS\System32\drivers\LMFilt.sys
 
========== LOP Check ==========
 
[2009/12/05 00:13:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Citrix
[2010/05/23 14:03:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2009/12/25 16:27:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
[2010/01/01 20:20:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Amazon
[2009/12/05 16:48:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
[2010/04/27 22:32:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\GARMIN
[2010/01/03 12:25:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\SanDisk
[2010/01/23 22:20:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Template
 
========== Purity Check ==========
 
 
 
========== Custom Scans ==========
 
 
< %SYSTEMDRIVE%\*.* >
[2009/12/04 23:02:12 | 000,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT
[2009/12/04 22:57:11 | 000,000,211 | -HS- | M] () -- C:\BOOT.BAK
[2010/06/11 14:14:48 | 000,000,282 | RHS- | M] () -- C:\boot.ini
[2004/08/04 06:00:00 | 000,260,272 | RHS- | M] () -- C:\cmldr
[2010/06/11 14:31:17 | 000,016,192 | ---- | M] () -- C:\ComboFix.txt
[2009/12/04 23:02:12 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS
[2010/06/10 16:49:50 | 000,007,840 | ---- | M] () -- C:\dlcf.log
[2009/12/04 23:02:12 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
[2010/05/22 08:18:08 | 000,000,109 | ---- | M] () -- C:\mbam-error.txt
[2009/12/04 23:02:12 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
[2009/12/05 01:02:10 | 000,000,549 | ---- | M] () -- C:\NTDClient.log
[2004/08/04 06:00:00 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
[2004/08/04 06:00:00 | 000,250,032 | RHS- | M] () -- C:\ntldr
[2010/06/10 16:50:15 | 1610,612,736 | -HS- | M] () -- C:\pagefile.sys
[2010/06/10 17:45:10 | 000,000,026 | ---- | M] () -- C:\SfeErrors.txt
 
 
< MD5 for: AGP440.SYS  >
[2004/08/04 06:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys
[2004/08/04 06:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\winxpcd\I386\sp2.cab:AGP440.sys
[2008/04/14 05:51:44 | 020,056,462 | ---- | M] () .cab file -- C:\winxpcd\I386\sp3.cab:AGP440.sys
[2008/04/13 14:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\agp440.sys
[2004/08/03 23:07:42 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\system32\dllcache\agp440.sys
 
< MD5 for: ATAPI.SYS  >
[2004/08/04 06:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2004/08/04 06:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\winxpcd\I386\sp2.cab:atapi.sys
[2008/04/14 05:51:44 | 020,056,462 | ---- | M] () .cab file -- C:\winxpcd\I386\sp3.cab:atapi.sys
[2008/04/13 14:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\atapi.sys
[2004/08/03 23:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\ERDNT\cache\atapi.sys
[2004/08/03 23:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\dllcache\atapi.sys
[2004/08/03 23:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\drivers\atapi.sys
[2004/08/04 06:00:00 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\ReinstallBackups\0004\DriverFiles\i386\atapi.sys
 
< MD5 for: EVENTLOG.DLL  >
[2008/04/13 20:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\eventlog.dll
[2004/08/04 06:00:00 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\ERDNT\cache\eventlog.dll
[2004/08/04 06:00:00 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\system32\dllcache\eventlog.dll
[2004/08/04 06:00:00 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\system32\eventlog.dll
 
< MD5 for: IASTOR.SYS  >
[2006/05/11 12:30:52 | 000,247,808 | R--- | M] (Intel Corporation) MD5=294110966CEDD127629C5BE48367C8CF -- C:\cmdcons\iastor.sys
[2006/05/11 12:30:52 | 000,247,808 | ---- | M] (Intel Corporation) MD5=294110966CEDD127629C5BE48367C8CF -- C:\WINDOWS\dell\iastor\iastor.sys
[2006/05/11 12:30:52 | 000,247,808 | ---- | M] (Intel Corporation) MD5=294110966CEDD127629C5BE48367C8CF -- C:\winxpcd\I386\IASTOR.SYS
 
< MD5 for: NETLOGON.DLL  >
[2008/04/13 20:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\netlogon.dll
[2009/02/06 14:46:09 | 000,408,064 | ---- | M] (Microsoft Corporation) MD5=6C476D33D82F1054849790181E8F7772 -- C:\WINDOWS\$hf_mig$\KB968389\SP2QFE\netlogon.dll
[2009/02/06 14:46:09 | 000,408,064 | ---- | M] (Microsoft Corporation) MD5=6C476D33D82F1054849790181E8F7772 -- C:\WINDOWS\$hf_mig$\KB975467\SP2QFE\netlogon.dll
[2004/08/04 06:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\ERDNT\cache\netlogon.dll
[2004/08/04 06:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\system32\dllcache\netlogon.dll
[2004/08/04 06:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\system32\netlogon.dll
 
< MD5 for: NVATABUS.SYS  >
[2006/03/16 20:51:32 | 000,099,840 | R--- | M] (NVIDIA Corporation) MD5=B7FB72492B753930EC70A0F49D04F12F -- C:\cmdcons\NvAtaBus.sys
[2006/03/16 20:51:32 | 000,099,840 | ---- | M] (NVIDIA Corporation) MD5=B7FB72492B753930EC70A0F49D04F12F -- C:\WINDOWS\dell\nvraid\NvAtaBus.sys
[2006/03/16 20:51:32 | 000,099,840 | ---- | M] (NVIDIA Corporation) MD5=B7FB72492B753930EC70A0F49D04F12F -- C:\winxpcd\I386\NVATABUS.SYS
 
< MD5 for: NVRAID.SYS  >
[2006/03/16 20:51:38 | 000,081,536 | R--- | M] (NVIDIA Corporation) MD5=4BC863E8FB65EBCFDDE04822CF875E76 -- C:\cmdcons\nvraid.sys
[2006/03/16 20:51:38 | 000,081,536 | ---- | M] (NVIDIA Corporation) MD5=4BC863E8FB65EBCFDDE04822CF875E76 -- C:\WINDOWS\dell\nvraid\nvraid.sys
[2006/03/16 20:51:38 | 000,081,536 | ---- | M] (NVIDIA Corporation) MD5=4BC863E8FB65EBCFDDE04822CF875E76 -- C:\winxpcd\I386\NVRAID.SYS
 
< MD5 for: SCECLI.DLL  >
[2004/08/04 06:00:00 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\ERDNT\cache\scecli.dll
[2004/08/04 06:00:00 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\system32\dllcache\scecli.dll
[2004/08/04 06:00:00 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\system32\scecli.dll
[2008/04/13 20:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\scecli.dll
 
< MD5 for: SYMMPI.SYS  >
[2005/11/17 14:58:16 | 000,092,672 | R--- | M] (LSI Logic) MD5=1FD5249D5103125D2DA63F68D7BE1D35 -- C:\cmdcons\symmpi.sys
[2005/11/17 14:58:16 | 000,092,672 | ---- | M] (LSI Logic) MD5=1FD5249D5103125D2DA63F68D7BE1D35 -- C:\WINDOWS\dell\symmpi\symmpi.sys
[2005/11/17 14:58:16 | 000,092,672 | ---- | M] (LSI Logic) MD5=1FD5249D5103125D2DA63F68D7BE1D35 -- C:\winxpcd\I386\SYMMPI.SYS
 
< %systemroot%\*. /mp /s >
 
< %systemroot%\system32\*.dll /lockedfiles >
 
< %systemroot%\system32\*.exe /lockedfiles >
 
< %systemroot%\Tasks\*.job /lockedfiles >
 
< %systemroot%\system32\drivers\*.sys /lockedfiles >
 
< %systemroot%\System32\config\*.sav >
[2009/12/04 16:49:25 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2009/12/04 16:49:25 | 000,634,880 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2009/12/04 16:49:25 | 000,880,640 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav
 
< %systemroot%\system32\drivers\*.sys /90 >
[2010/04/29 15:39:26 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\system32\drivers\mbam.sys
[2010/04/29 15:39:38 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\system32\drivers\mbamswissarmy.sys
[2010/05/28 07:04:52 | 000,014,896 | ---- | M] (Secunia) -- C:\WINDOWS\system32\drivers\psi_mf.sys
[2010/04/28 15:12:40 | 000,322,904 | ---- | M] (Sunbelt Software, Inc.) -- C:\WINDOWS\system32\drivers\SbFw.sys
[2010/04/28 15:12:40 | 000,086,232 | ---- | M] (Sunbelt Software, Inc.) -- C:\WINDOWS\system32\drivers\sbhips.sys
[2010/04/28 15:12:40 | 000,204,632 | ---- | M] (Sunbelt Software, Inc.) -- C:\WINDOWS\system32\drivers\sbtis.sys
 
< %PROGRAMFILES%\*. >
[2010/06/10 16:58:01 | 000,000,000 | ---D | M] -- C:\Program Files\Adobe
[2010/01/01 20:08:53 | 000,000,000 | ---D | M] -- C:\Program Files\Amazon
[2009/12/05 00:16:32 | 000,000,000 | ---D | M] -- C:\Program Files\Analog Devices
[2009/12/25 16:25:26 | 000,000,000 | ---D | M] -- C:\Program Files\Apple Software Update
[2010/02/27 16:09:43 | 000,000,000 | ---D | M] -- C:\Program Files\AVS4YOU
[2010/05/23 13:56:24 | 000,000,000 | ---D | M] -- C:\Program Files\Bonjour
[2010/03/06 15:52:07 | 000,000,000 | ---D | M] -- C:\Program Files\Browser MOUSE
[2009/12/05 00:12:49 | 000,000,000 | ---D | M] -- C:\Program Files\Citrix
[2010/06/11 14:25:22 | 000,000,000 | ---D | M] -- C:\Program Files\Common Files
[2009/12/04 22:59:16 | 000,000,000 | ---D | M] -- C:\Program Files\ComPlus Applications
[2009/12/05 00:32:33 | 000,000,000 | ---D | M] -- C:\Program Files\CONEXANT
[2010/03/17 19:10:57 | 000,000,000 | ---D | M] -- C:\Program Files\Data
[2010/04/01 19:26:30 | 000,000,000 | ---D | M] -- C:\Program Files\Dell
[2009/12/05 00:27:26 | 000,000,000 | ---D | M] -- C:\Program Files\Dell Color Printer 725
[2010/02/25 10:52:59 | 000,000,000 | ---D | M] -- C:\Program Files\Diablo II
[2009/12/05 00:16:32 | 000,000,000 | -H-D | M] -- C:\Program Files\InstallShield Installation Information
[2010/03/06 21:15:45 | 000,000,000 | ---D | M] -- C:\Program Files\Intel
[2010/06/08 14:44:58 | 000,000,000 | ---D | M] -- C:\Program Files\Internet Explorer
[2010/05/23 14:03:06 | 000,000,000 | ---D | M] -- C:\Program Files\iPod
[2010/05/23 14:03:54 | 000,000,000 | ---D | M] -- C:\Program Files\iTunes
[2010/05/12 12:44:05 | 000,000,000 | ---D | M] -- C:\Program Files\Java
[2010/05/22 08:18:07 | 000,000,000 | ---D | M] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/12/06 10:17:19 | 000,000,000 | ---D | M] -- C:\Program Files\Messenger
[2009/12/04 23:02:35 | 000,000,000 | ---D | M] -- C:\Program Files\microsoft frontpage
[2010/01/23 16:12:04 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft Office
[2010/06/05 08:45:17 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft Silverlight
[2010/01/24 22:28:47 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft Works
[2010/01/03 18:42:10 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft Works Suite 2000
[2010/03/11 21:09:34 | 000,000,000 | ---D | M] -- C:\Program Files\Movie Maker
[2010/05/31 17:35:58 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox
[2010/03/27 12:48:11 | 000,000,000 | ---D | M] -- C:\Program Files\MSBuild
[2009/12/04 22:57:59 | 000,000,000 | ---D | M] -- C:\Program Files\MSN
[2009/12/04 22:58:38 | 000,000,000 | ---D | M] -- C:\Program Files\MSN Gaming Zone
[2009/12/06 10:10:10 | 000,000,000 | ---D | M] -- C:\Program Files\MSXML 4.0
[2010/03/27 12:44:38 | 000,000,000 | ---D | M] -- C:\Program Files\MSXML 6.0
[2009/12/04 23:00:08 | 000,000,000 | ---D | M] -- C:\Program Files\NetMeeting
[2010/06/11 12:26:57 | 000,000,000 | ---D | M] -- C:\Program Files\nLite
[2010/03/17 18:44:03 | 000,000,000 | ---D | M] -- C:\Program Files\NSObserverList
[2009/12/04 22:58:45 | 000,000,000 | ---D | M] -- C:\Program Files\Online Services
[2010/05/15 08:18:02 | 000,000,000 | ---D | M] -- C:\Program Files\Outlook Express
[2010/01/24 19:26:10 | 000,000,000 | ---D | M] -- C:\Program Files\Plus!
[2010/05/23 14:00:12 | 000,000,000 | ---D | M] -- C:\Program Files\QuickTime
[2010/03/27 12:48:04 | 000,000,000 | ---D | M] -- C:\Program Files\Reference Assemblies
[2010/06/09 13:05:58 | 000,000,000 | ---D | M] -- C:\Program Files\Smart Projects
[2010/01/24 19:25:29 | 000,000,000 | ---D | M] -- C:\Program Files\Software Bisque
[2010/03/13 16:14:07 | 000,000,000 | ---D | M] -- C:\Program Files\Sunbelt Software
[2010/03/21 09:55:32 | 000,000,000 | ---D | M] -- C:\Program Files\The Adventure Company
[2010/05/09 15:32:21 | 000,000,000 | ---D | M] -- C:\Program Files\Trend Micro
[2009/12/04 23:05:38 | 000,000,000 | -H-D | M] -- C:\Program Files\Uninstall Information
[2010/04/27 22:32:33 | 000,000,000 | ---D | M] -- C:\Program Files\Verizon
[2010/01/03 15:26:22 | 000,000,000 | ---D | M] -- C:\Program Files\Windows Media Connect 2
[2010/01/03 15:26:21 | 000,000,000 | ---D | M] -- C:\Program Files\Windows Media Player
[2009/12/04 22:58:27 | 000,000,000 | ---D | M] -- C:\Program Files\Windows NT
[2009/12/04 23:00:58 | 000,000,000 | -H-D | M] -- C:\Program Files\WindowsUpdate
[2009/12/04 23:02:35 | 000,000,000 | ---D | M] -- C:\Program Files\xerox
[2009/12/05 01:08:44 | 000,000,000 | ---D | M] -- C:\Program Files\Yahoo!
 
< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs >
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install\\LastSuccessTime: 2010-06-08 18:51:35
 
<  >
 
<   >
 
<  >
 
<   >
 
========== Alternate Data Streams ==========
 
@Alternate Data Stream - 88 bytes -> C:\WINDOWS\dotnetfx.exe:SummaryInformation
@Alternate Data Stream - 88 bytes -> C:\Documents and Settings\Owner\Desktop\DO NOT OPEN!!.exe:SummaryInformation
< End of report >

I will post the Extras log in a separate post as suggested.

Thanks,

COL>

1.5K Posts

June 14th, 2010 13:00

Hi,

The Logs are clean, now for the trouble shooting:

Can you tell me when this started? Was it after running a certain program, maybe something like Driver Genius? These kinds of driver/registry cleaner programs are notorious for removing important files and hosing systems.

Also, there is a file on your system called C:\Documents and Settings\Owner\Desktop\DO NOT OPEN!!.exe; can you tell me where this file came from and what it does?

There is also a file on the desktop called C:\Documents and Settings\Owner\Desktop\xpboot.exe, which is related to creating a boot disk to edit the Master Boot Record. Can you tell me why you have this and whether you have used the disc to edit anything that should not have been edited?


The more information you can give me, the easier my job will be.


Next, please hold the Windows key (on the bottom left of the keyboard with the Windows icon on it) and then tap "R", then copy/paste devmgmt.msc into the Run box and hit Enter.

A window will open with a list of all the hardware devices and their relevant drivers currently installed on the machine. Please post back if any have a yellow exclamation mark ! or a red cross X next to them.

Please post back the answers to the questions above and any ! or X showing in Device Manager.

Thanks,
K27.

19 Posts

June 19th, 2010 06:00

HI K27,

I had only run Driver Genius once to get a driver update for my networking; everything was still OK afterwards. This was about a month before the problem occurred. I didn't really like the idea of using it, however it was recommended, seeing that the wizard and I could not find the update I needed. I'm not sure why I haven't removed it from the system.

I did, however, notice the problem after a round or two with "Verizon Service Point" and their support (27 MAR 10). It had prompted plug-ins for IE to operate; they were clean, but I do remember not getting the support I was expecting. I ended up going to Westell and configuring the router myself.

The two files in question were temporary and very recent. The naming of "DO NOT..." was just a warning to all. I had downloaded a standalone XP SP3 file to the desktop and used xpboot to create a slipstreamed Windows SP3 boot disk. I believe I need to install SP3, but did not want to in the midst of having dirt in the system or other issues. I am done with these files and probably should remove them.

I looked over the drivers in the system. They are all operating properly and are all green check-marked.

I am also going to be installing two 1 GB memory modules. Not that it has an impact on what's going on; I just need to, and am letting you know.

Just let me know what else you may need and what I might do to help.

Thanks,

COL>
