
Topic: Nasty trojan(s) redirecting, came from facebook, followed evilfantasy's steps


mongerlane


    I recently opened a message on Facebook. It purported to come from a contact, but was not. I got a message from them saying don't open, but too late, damage was done. Before coming to this website I had done various scans with Malwarebytes and Ad-Aware, which came up with different threat results each time, as well as AVG alerts. Here are some of the infections that were shown. Full results later, following the malware removal guide; the first bit here is just to give a bit more info.
    --------------------------------------------------------------------------------------------------------
    vutovo.exe (Trojan horse PSW.generic8.DKA)
    ulmuot.exe   (Trojan horse PSW.generic8.DKA)

    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\elcmfvwf (Trojan.Downloader) -> Quarantined and deleted successfully.

    Trojan.JS.Redirector.bg(v)
    Trojan.Win32.Generic!BT
    Win32.adware.activeSearch/l
    Win32.Trojan.Vbkrypt

    -----------------------------------------------------

    I followed the malware removal guide steps, and here are the logs in sequence

    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 07/09/2010 at 03:32 PM

    Application Version : 4.40.1002

    Core Rules Database Version : 5177
    Trace Rules Database Version: 2989

    Scan type       : Complete Scan
    Total Scan Time : 03:10:45

    Memory items scanned      : 981
    Memory threats detected   : 0
    Registry items scanned    : 10188
    Registry threats detected : 29
    File items scanned        : 226031
    File threats detected     : 248

    Adware.HBHelper
       HKLM\Software\Classes\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}
       HKCR\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}
       HKCR\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}
       HKCR\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\InprocServer32
       HKCR\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\InprocServer32#ThreadingModel
       HKCR\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\ProgID
       HKCR\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\TypeLib
       HKCR\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\VersionIndependentProgID
       HKCR\URLSearchHook.ToolbarURLSearchHook.1
       HKCR\URLSearchHook.ToolbarURLSearchHook.1\CLSID
       HKCR\URLSearchHook.ToolbarURLSearchHook
       HKCR\URLSearchHook.ToolbarURLSearchHook\CLSID
       HKCR\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}
       HKCR\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}\1.0
       HKCR\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}\1.0\0
       HKCR\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}\1.0\0\win32
       HKCR\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}\1.0\FLAGS
       HKCR\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}\1.0\HELPDIR
       C:\PROGRAM FILES\FAST BROWSER SEARCH\IE\TBHELPER.DLL

    Adware.Tracking Cookie

    Browser Hijacker.Deskbar
       HKCR\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}
       HKCR\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\ProxyStubClsid
       HKCR\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\ProxyStubClsid32
       HKCR\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\TypeLib
       HKCR\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\TypeLib#Version

    Rogue.AntivirusSoft
       HKU\.DEFAULT\Software\avsoft
       HKU\S-1-5-18\Software\avsoft

    Malware.Trace
       HKU\.DEFAULT\SOFTWARE\AVSUITE
       HKU\S-1-5-18\SOFTWARE\AVSUITE

    Security.HiJack[ImageFileExecutionOptions]
       HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EHSHELL.EXE
       HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EHSHELL.EXE#Debugger


    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4296

    Windows 6.0.6002 Service Pack 2
    Internet Explorer 8.0.6001.18928

    09/07/2010 16:14:16
    mbam-log-2010-07-09 (16-14-16).txt

    Scan type: Quick scan
    Objects scanned: 150121
    Time elapsed: 11 minute(s), 45 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 16:25:21, on 09/07/2010
    Platform: Windows Vista SP2 (WinNT 6.00.1906)
    MSIE: Internet Explorer v8.00 (8.00.6001.18928)
    Boot mode: Normal

    Running processes:
    C:\windows\system32\taskeng.exe
    C:\windows\system32\Dwm.exe
    c:\Program Files\Hewlett-Packard\IAM\Bin\AsGHost.exe
    C:\windows\Explorer.EXE
    C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
    C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe
    C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\pthosttr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
    C:\Program Files\Hewlett-Packard\File Sanitizer\CoreShredder.exe
    C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
    C:\Program Files\HP\HP Software Update\hpwuschd2.exe
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\Program Files\Common Files\Nokia\MPlatform\NokiaMServer.exe
    C:\Program Files\AVG\AVG9\avgtray.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
    C:\ProgramData\Macrovision\FLEXnet Connect\6\ISUSPM.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Windows\ehome\ehtray.exe
    C:\Program Files\Nokia\Nokia Ovi Suite\NokiaOviSuite.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
    C:\Program Files\MagicDisc\MagicDisc.exe
    c:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
    C:\Program Files\LogMeIn\x86\LMIGuardian.exe
    C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\VolCtrl.exe
    C:\Program Files\Hewlett-Packard\HP wireless Assistant\WiFiMsg.EXE
    C:\Windows\ehome\ehmsas.exe
    c:\Program Files\ActivIdentity\ActivClient\acevents.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
    C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
    C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe
    C:\Program Files\Common Files\Nokia\NoA\nokiaaserver.exe
    C:\Program Files\PC Connectivity Solution\Transports\NclMSBTSrv.exe
    C:\Program Files\Trend Micro\HijackThis\peemthis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_gb&c=83&bd=all&pf=cmnb
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_gb&c=83&bd=all&pf=cmnb
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_gb&c=83&bd=all&pf=cmnb
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O1 - Hosts: ::1 localhost
    O2 - BHO: BHO_Startup - {3134413B-49B4-425C-98A5-893C1F195601} - C:\Program Files\Hewlett-Packard\File Sanitizer\IEBHO.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
    O2 - BHO: AOL Toolbar BHO - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.5126.1836\swg.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: Credential Manager for HP ProtectTools - {DF21F1DB-80C6-11D3-9483-B03D0EC10000} - c:\Program Files\Hewlett-Packard\IAM\Bin\ItIEAddIn.dll
    O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
    O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
    O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    O4 - HKLM\..\Run: [StartCCC] "c:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
    O4 - HKLM\..\Run: [accrdsub] "c:\Program Files\ActivIdentity\ActivClient\accrdsub.exe"
    O4 - HKLM\..\Run: [PTHOSTTR] c:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE /Start
    O4 - HKLM\..\Run: [CognizanceTS] rundll32.exe c:\PROGRA~1\HEWLET~1\IAM\Bin\ASTSVCC.dll,RegisterModule
    O4 - HKLM\..\Run: [PDF Complete] C:\Program Files\PDF Complete\pdfsty.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
    O4 - HKLM\..\Run: [HP Health Check Scheduler] c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
    O4 - HKLM\..\Run: [File Sanitizer] C:\Program Files\Hewlett-Packard\File Sanitizer\CoreShredder.exe
    O4 - HKLM\..\Run: [QlbCtrl.exe] C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
    O4 - HKLM\..\Run: [WatchDog] C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
    O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\soundmax.exe /tray
    O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
    O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
    O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - HKLM\..\Run: [FBSSA] C:\Program Files\SGPSA\ie3sh.exe
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
    O4 - HKLM\..\Run: [NokiaMServer] C:\Program Files\Common Files\Nokia\MPlatform\NokiaMServer /watchfiles startup
    O4 - HKLM\..\Run: [NokiaMusic FastStart] "C:\Program Files\Nokia\Ovi Player\NokiaOviPlayer.exe" /command:faststart
    O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
    O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
    O4 - HKCU\..\Run: [lightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
    O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
    O4 - HKCU\..\Run: [ISUSPM] "C:\ProgramData\Macrovision\FLEXnet Connect\6\ISUSPM.exe" -scheduler
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [ehTray.exe] C:\windows\ehome\ehTray.exe
    O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
    O4 - HKCU\..\Run: [NokiaOviSuite2] C:\Program Files\Nokia\Nokia Ovi Suite\NokiaOviSuite.exe -tray
    O4 - HKCU\..\Run: [{4C4F084C-DC11-DEB1-0E29-42CD091F277C}] C:\Users\Joyce\AppData\Roaming\Raepmi\puqa.exe
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
    O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
    O4 - Global Startup: Bluetooth.lnk = ?
    O4 - Global Startup: DVD Check.lnk = C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
    O8 - Extra context menu item: &AOL Toolbar Search - C:\ProgramData\AOL\ieToolbar\resources\en-GB\local\search.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
    O8 - Extra context menu item: Send image to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    O8 - Extra context menu item: Send page to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    O13 - Gopher Prefix:
    O16 - DPF: {138E6DC9-722B-4F4B-B09D-95D191869696} (Bebo Uploader Control) - http://www.bebo.com/files/BeboUploader.5.1.4.cab
    O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
    O16 - DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} (Windows Live Hotmail Photo Upload Tool) - http://gfx1.hotmail.com/mail/w4/pr01/photouploadcontrol/VistaMSNPUplden-gb.cab
    O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/RACtrl.cab
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
    O20 - AppInit_DLLs: APSHook.dll,avgrsstx.dll
    O23 - Service: McAfee Application Installer Cleanup (0119181230928706) (0119181230928706mcinstcleanup) - Unknown owner - C:\windows\TEMP\011918~1.EXE (file missing)
    O23 - Service: ActivClient Middleware Service (accoca) - ActivIdentity - c:\Program Files\ActivIdentity\ActivClient\accoca.exe
    O23 - Service: Andrea ADI Filters Service (AEADIFilters) - Andrea Electronics Corporation - C:\windows\system32\AEADISRV.EXE
    O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
    O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\windows\system32\Ati2evxx.exe
    O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
    O23 - Service: Com4QLBEx - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
    O23 - Service: DHCP Client DhcpTHREADORDER (DhcpTHREADORDER) - Unknown owner - C:\windows\system32\accelerometerSTm.exe (file missing)
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: Google Update Service (gupdate1c984595a42a400) (gupdate1c984595a42a400) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
    O23 - Service: HP ProtectTools Service - Hewlett-Packard Development Company, L.P - c:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\PTChangeFilterService.exe
    O23 - Service: Drive Encryption Service (HpFkCryptService) - SafeBoot International - c:\Program Files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe
    O23 - Service: File Sanitizer for HP ProtectTools (HPFSService) - Hewlett-Packard - C:\Program Files\Hewlett-Packard\File Sanitizer\HPFSService.exe
    O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqWmiEx.exe
    O23 - Service: HP Service (hpsrv) - Hewlett-Packard Corporation - C:\windows\system32\Hpservice.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
    O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
    O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: PDF Document Manager (pdfcDispatcher) - PDF Complete Inc - C:\Program Files\PDF Complete\pdfsvc.exe
    O23 - Service: Rapport Management Service (RapportMgmtService) - Trusteer Ltd. - C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
    O23 - Service: ServiceLayer - Nokia - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

    --
    End of file - 14422 bytes



    Dr Jay

    Sorry for the delay. We are busy here on the boards. If you are still having issues, please do the following, if possible:

    Please download MySystem-Search from here: Download mirror
    • Save the file to your Desktop.
    • Double-click on mss.exe
    • Allow it to run, and follow the prompts.
    • Once done, it will launch a log.
    • Post it in your next reply.
    Note: the logs are long. Please use more than one post, if necessary.
    ~Dr Jay

    mongerlane

      Thanks for your help.

      Forgot to mention, hard drive is always busy since the infection.

      Here is the log

      MySystem-Search
       
       
      MSS v1.6
       
       
      Basic System Information
       
      Username: Joyce - Date: 15/07/2010 - Time: 22:45:21

      Microsoft Windows [Version 6.0.6002]
      Processor type: x86 Family 17 Model 3 Stepping 1, AuthenticAMD
      Total processors: 2
      Computer Name: JOYCE-PC
      Logon Server: \\JOYCE-PC
       
       
      CD Emulation Drivers running?
       
      Nero found!
       
       
      Peer-to-Peer applications?
       
       
       
      File associations
       
      .exe=exefile
      .scr=scrfile
      .pif=piffile
      .com=comfile
      .bat=batfile
      .cmd=cmdfile
      .log=txtfile
      .txt=txtfile
      .reg=regfile
      .sys=sysfile
      .dll=dllfile
      .ini=inifile
      .inf=inffile
       
       
      Running processes
       

      Image Name                     PID Session Name        Session#    Mem Usage
      ========================= ======== ================ =========== ============
      System Idle Process              0 Services                   0         24 K
      System                           4 Services                   0    113,096 K
      smss.exe                       500 Services                   0      1,028 K
      csrss.exe                      576 Services                   0      8,748 K
      wininit.exe                    636 Services                   0     12,960 K
      csrss.exe                      644 Console                    1     14,496 K
      avgchsvx.exe                   656 Services                   0      2,140 K
      avgrsx.exe                     664 Services                   0      1,096 K
      services.exe                   700 Services                   0     16,576 K
      lsass.exe                      712 Services                   0     23,064 K
      lsm.exe                        720 Services                   0     13,808 K
      winlogon.exe                   744 Console                    1     14,332 K
      avgcsrvx.exe                   920 Services                   0     11,356 K
      svchost.exe                   1140 Services                   0      7,192 K
      svchost.exe                   1192 Services                   0      9,932 K
      HPFSService.exe               1220 Services                   0     21,084 K
      HpFkCrypt.exe                 1300 Services                   0     12,400 K
      svchost.exe                   1336 Services                   0     18,992 K
      RapportMgmtService.exe        1488 Services                   0     37,000 K
      Ati2evxx.exe                  1568 Services                   0     14,044 K
      svchost.exe                   1588 Services                   0     11,856 K
      svchost.exe                   1616 Services                   0     81,616 K
      svchost.exe                   1660 Services                   0     36,600 K
      audiodg.exe                   1740 Services                   0     12,844 K
      svchost.exe                   1812 Services                   0      4,464 K
      SLsvc.exe                     1832 Services                   0     22,888 K
      svchost.exe                   1876 Services                   0      9,824 K
      hpservice.exe                 1956 Services                   0     22,460 K
      svchost.exe                   2040 Services                   0     17,480 K
      Ati2evxx.exe                   344 Console                    1     18,848 K
      wlanext.exe                   1556 Services                   0     19,236 K
      spoolsv.exe                   2036 Services                   0     34,236 K
      svchost.exe                   1044 Services                   0     24,680 K
      accoca.exe                    2212 Services                   0     16,524 K
      AEADISRV.EXE                  2228 Services                   0     12,032 K
      agrsmsvc.exe                  2260 Services                   0     11,496 K
      acevents.exe                  2276 Services                   0     25,716 K
      avgwdsvc.exe                  2304 Services                   0      2,164 K
      svchost.exe                   2316 Services                   0      4,016 K
      PTChangeFilterService.exe     2496 Services                   0     86,964 K
      iviRegMgr.exe                 2648 Services                   0     13,236 K
      LSSrvc.exe                    2716 Services                   0     21,088 K
      avgnsx.exe                    2772 Services                   0        284 K
      ramaint.exe                   2928 Services                   0     22,036 K
      LogMeIn.exe                   3016 Services                   0     52,560 K
      LMIGuardian.exe               3036 Services                   0     18,944 K
      svchost.exe                   3060 Services                   0     12,340 K
      pdfsvc.exe                    3088 Services                   0     14,344 K
      svchost.exe                   3160 Services                   0      3,172 K
      svchost.exe                   3192 Services                   0      4,592 K
      svchost.exe                   3208 Services                   0      5,940 K
      svchost.exe                   3236 Services                   0      3,044 K
      SearchIndexer.exe             3272 Services                   0     47,120 K
      hpqWmiEx.exe                  3792 Services                   0     24,744 K
      WmiPrvSE.exe                  3928 Services                   0     20,820 K
      taskeng.exe                   4060 Services                   0     24,524 K
      HPHC_Service.exe              1368 Services                   0     59,148 K
      taskeng.exe                   4152 Console                    1     11,048 K
      dwm.exe                       4312 Console                    1      3,144 K
      explorer.exe                  4348 Console                    1     95,784 K
      asghost.exe                   4356 Console                    1     35,088 K
      RapportService.exe            4448 Console                    1     36,632 K
      WmiPrvSE.exe                  4760 Services                   0     12,324 K
      accrdsub.exe                  5048 Console                    1     28,548 K
      pthosttr.exe                  5056 Console                    1     63,716 K
      SynTPEnh.exe                  5148 Console                    1     26,232 K
      HPWAMain.exe                  5168 Console                    1     26,744 K
      CoreShredder.exe              5216 Console                    1     27,888 K
      QLBCTRL.exe                   5228 Console                    1     37,672 K
      GrooveMonitor.exe             5328 Console                    1     30,520 K
      LogMeInSystray.exe            5344 Console                    1     30,508 K
      jusched.exe                   5368 Console                    1     23,164 K
      hpwuschd2.exe                 5408 Console                    1     22,148 K
      smax4pnp.exe                  5424 Console                    1     26,784 K
      NokiaMServer.exe              5468 Console                    1     43,884 K
      avgtray.exe                   5488 Console                    1      3,068 K
      sidebar.exe                   5500 Console                    1     66,956 K
      LightScribeControlPanel.e     5512 Console                    1     30,236 K
      ISUSPM.exe                    5520 Console                    1     26,876 K
      msnmsgr.exe                   5528 Console                    1     42,124 K
      ehtray.exe                    5596 Console                    1     24,852 K
      NokiaOviSuite.exe             5640 Console                    1    107,012 K
      SUPERAntiSpyware.exe          5656 Console                    1        672 K
      BTTray.exe                    5692 Console                    1     38,096 K
      MagicDisc.exe                 5748 Console                    1     23,628 K
      ehmsas.exe                    6120 Console                    1     21,408 K
      WiFiMsg.exe                   6132 Console                    1     26,504 K
      VolCtrl.exe                   4684 Console                    1     23,436 K
      HpqToaster.exe                4720 Console                    1     25,052 K
      MOM.exe                       3432 Console                    1      3,432 K
      Com4QLBEx.exe                 4116 Services                   0     14,532 K
      acevents.exe                  5964 Console                    1     30,484 K
      SynTPHelper.exe               5992 Console                    1     21,584 K
      BTStackServer.exe             4772 Console                    1     36,240 K
      CCC.exe                       6000 Console                    1      3,100 K
      LMIGuardian.exe               3768 Console                    1      3,496 K
      nokiaaserver.exe              5728 Console                    1     32,660 K
      ServiceLayer.exe              2532 Services                   0     31,524 K
      NclUSBSrv.exe                 6192 Services                   0     15,544 K
      NclRSSrv.exe                  6280 Services                   0     11,860 K
      NclMSBTSrv.exe                6400 Console                    1     39,156 K
      AAWService.exe                7628 Services                   0     87,340 K
      unsecapp.exe                  2448 Services                   0     15,528 K
      AAWTray.exe                   7804 Console                    1      5,500 K
      wuauclt.exe                   2328 Console                    1      6,856 K
      LogMeIn.exe                  13976 Console                    1     28,312 K
      LMIGuardian.exe              13792 Console                    1      3,900 K
      firefox.exe                  13132 Console                    1     70,736 K
      plugin-container.exe         14052 Console                    1     14,556 K
      mss.exe                      14924 Console                    1      4,988 K
      cmd.exe                      14960 Console                    1      3,784 K
      tasklist.exe                 14976 Console                    1      5,556 K
       
       
      Hidden objects
       
      PATH: C:\windows
       
      Installer
      WindowsShell.Manifest
       
       
      PATH: C:\windows\system32
       
      7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
      7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
      desktop.ini
       
       
      PATH: C:\windows\system32\drivers
       
      103C_HP_bNB_6735s_Y5336AN_0U_QCNU84711C 9_E480868-A41_4A_I30E4_SHP_V94.1C_68GPP F.06_T081002_WV3-1_L409_M2812_J250_7AMD_8F31_92.10_#080625_N11AB4357;14E44315_(GW694AV)_XMOBILE_CN10_Z_2F.06_G10029612.MRK
      Msft_Kernel_ccdcmb_01007.Wdf
      Msft_Kernel_SynTP_01000.Wdf
      Msft_User_WpdFs_01_00_00.Wdf
      Msft_User_WpdFs_01_07_00.Wdf
      Msft_User_WpdMtpDr_01_07_00.Wdf
       
       
      PATH: C:\
       
      $AVG
      $Recycle.Bin
      boot
      bootmgr
      Documents and Settings
      hiberfil.sys
      hp
      IO.SYS
      MSDOS.SYS
      MSOCache
      pagefile.sys
      ProgramData
      sqmdata00.sqm
      sqmdata01.sqm
      sqmdata02.sqm
      sqmdata03.sqm
      sqmdata04.sqm
      sqmdata05.sqm
      sqmdata06.sqm
      sqmdata07.sqm
      sqmdata08.sqm
      sqmdata09.sqm
      sqmdata10.sqm
      sqmdata11.sqm
      sqmdata12.sqm
      sqmdata13.sqm
      sqmdata14.sqm
      sqmdata15.sqm
      sqmdata16.sqm
      sqmdata17.sqm
      sqmdata18.sqm
      sqmdata19.sqm
      sqmnoopt00.sqm
      sqmnoopt01.sqm
      sqmnoopt02.sqm
      sqmnoopt03.sqm
      sqmnoopt04.sqm
      sqmnoopt05.sqm
      sqmnoopt06.sqm
      sqmnoopt07.sqm
      sqmnoopt08.sqm
      sqmnoopt09.sqm
      sqmnoopt10.sqm
      sqmnoopt11.sqm
      sqmnoopt12.sqm
      sqmnoopt13.sqm
      sqmnoopt14.sqm
      sqmnoopt15.sqm
      sqmnoopt16.sqm
      sqmnoopt17.sqm
      sqmnoopt18.sqm
      sqmnoopt19.sqm
      System Volume Information
      System.sav
       
       
      User Profile check
       
      Joyce
      neil
      Public
       

      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
          ProfilesDirectory    REG_EXPAND_SZ    %SystemDrive%\Users
          Default    REG_EXPAND_SZ    %SystemDrive%\Users\Default
          Public    REG_EXPAND_SZ    %SystemDrive%\Users\Public
          ProgramData    REG_EXPAND_SZ    %SystemDrive%\ProgramData

      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18
          Flags    REG_DWORD    0xc
          State    REG_DWORD    0x0
          RefCount    REG_DWORD    0x1
          Sid    REG_BINARY    010100000000000512000000
          ProfileImagePath    REG_EXPAND_SZ    %systemroot%\system32\config\systemprofile

      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-19
          ProfileImagePath    REG_EXPAND_SZ    %SystemRoot%\ServiceProfiles\LocalService
          Flags    REG_DWORD    0x0
          State    REG_DWORD    0x0

      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-20
          ProfileImagePath    REG_EXPAND_SZ    %SystemRoot%\ServiceProfiles\NetworkService
          Flags    REG_DWORD    0x0
          State    REG_DWORD    0x0

      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-666564277-3309807266-2236694496-1004
          ProfileImagePath    REG_EXPAND_SZ    C:\Users\Joyce
          Flags    REG_DWORD    0x0
          State    REG_DWORD    0x100
          Sid    REG_BINARY    010500000000000515000000B5F6BA27A2A647C 5E03F5185EC030000
          ProfileLoadTimeLow    REG_DWORD    0x0
          ProfileLoadTimeHigh    REG_DWORD    0x0
          RefCount    REG_DWORD    0x2
          RunLogonScriptSync    REG_DWORD    0x0

      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-666564277-3309807266-2236694496-1005
          ProfileImagePath    REG_EXPAND_SZ    C:\Users\neil
          Flags    REG_DWORD    0x0
          State    REG_DWORD    0x0
          Sid    REG_BINARY    010500000000000515000000B5F6BA27A2A647C 5E03F5185ED030000
          ProfileLoadTimeLow    REG_DWORD    0x0
          ProfileLoadTimeHigh    REG_DWORD    0x0
          RefCount    REG_DWORD    0x0
          RunLogonScriptSync    REG_DWORD    0x0

       
       
      Current Scheduled Tasks
       
      PATH: C:\Windows\Tasks
       
      Google Software Updater.job
      GoogleUpdateTaskMachineCore.job
      GoogleUpdateTaskMachineUA.job
      SCHEDLGU.TXT
      SA.DAT
      User_Feed_Synchronization-{580DF64F-48A0-499D-98CB-C46749C12044}.job
       
       
      Windows Drivers and NT-Services
       
       Volume in drive C has no label.
       Volume Serial Number is 5AB0-0B44

       Directory of C:\Windows\System32\Drivers

      02/01/2009  00:04                 0 103C_HP_bNB_6735s_Y5336AN_0U_QCNU84711C 9_E480868-A41_4A_I30E4_SHP_V94.1C_68GPP F.06_T081002_WV3-1_L409_M2812_J250_7AMD_8F31_92.10_#080625_N11AB4357;14E44315_(GW694AV)_XMOBILE_CN10_Z_2F.06_G10029612.MRK
      02/02/2010  16:58                 0 Msft_Kernel_ccdcmb_01007.Wdf
      26/06/2008  07:44                 0 Msft_Kernel_SynTP_01000.Wdf
      02/01/2009  01:11                 0 Msft_User_WpdFs_01_00_00.Wdf
      17/11/2009  04:18                 0 Msft_User_WpdFs_01_07_00.Wdf
      02/02/2010  16:58                 0 Msft_User_WpdMtpDr_01_07_00.Wdf
                     6 File(s)              0 bytes
                     0 Dir(s)  140,235,014,144 bytes free
       Volume in drive C has no label.
       Volume Serial Number is 5AB0-0B44

       Directory of C:\Windows\System32\Drivers

      23/08/2006  18:26           328,162 ativcaxx.cpa
      23/08/2006  18:26               929 ativcaxx.vp
      18/09/2006  22:26         3,440,660 gm.dls
      18/09/2006  22:26               646 gmreadme.txt
      02/11/2006  07:37            20,480 secdrv.sys
      02/11/2006  08:36           235,520 HdAudio.sys
      02/11/2006  08:36            20,608 ntrigdigi.sys
      02/11/2006  09:24            62,336 BrSerWdm.sys
      02/11/2006  09:24            12,160 BrUsbMdm.sys
      02/11/2006  09:24            13,568 BrFiltLo.sys
      02/11/2006  09:24             5,248 BrFiltUp.sys
      02/11/2006  09:24            11,904 BrUsbSer.sys
      02/11/2006  09:25            71,808 BrSerId.sys
      02/11/2006  09:51            17,920 serenum.sys
      02/11/2006  09:51            83,456 serial.sys
      02/11/2006  09:51            13,312 sfloppy.sys
      02/11/2006  09:52            20,608 wacompen.sys
      02/11/2006  09:55            21,504 hidir.sys
      02/11/2006  09:55            68,608 usbcir.sys
      02/11/2006  09:55            29,184 hidbth.sys
      02/11/2006  09:55            39,936 bthmodem.sys
      02/11/2006  10:04           878,080 PEAuth.sys
      02/11/2006  10:14            18,944 usbprint.sys
      02/11/2006  10:49            31,848 sym_hi.sys
      02/11/2006  10:49            33,384 Mraid35x.sys
      02/11/2006  10:50            34,920 sym_u3.sys
      02/11/2006  10:50            35,944 symc8xx.sys
      02/11/2006  10:50            35,944 iteatapi.sys
      02/11/2006  10:50            35,944 iteraid.sys
      02/11/2006  10:50            71,272 djsvs.sys
      02/11/2006  10:50            76,392 sbp2port.sys
      02/11/2006  10:50            41,576 iirsp.sys
      02/11/2006  10:50            45,160 nfrd960.sys
      02/11/2006  10:50            98,408 ulsata.sys
      02/11/2006  10:50           106,088 ql40xx.sys
      02/11/2006  12:18    <DIR>          etc
      02/11/2006  15:09         1,419,232 wdfcoinstaller01005.dll
      18/04/2007  09:19             2,096 ativdkxx.vp
      10/05/2007  15:16            28,160 sncduvc.sys
      30/05/2007  12:37             2,096 ativpkxx.vp
      30/05/2007  12:37             2,096 ativokxx.vp
      19/06/2007  01:12            16,768 HpqKbFiltr.sys
      17/08/2007  14:31           101,376 ewusbmdm.sys
      08/09/2007  23:37            52,400 ativvpxx.vp
      21/01/2008  03:23             6,656 errdev.sys
      21/01/2008  03:23            11,264 wmiacpi.sys
      21/01/2008  03:23            28,216 battc.sys
      21/01/2008  03:23            20,792 compbatt.sys
      21/01/2008  03:23            41,472 intelppm.sys
      21/01/2008  03:23            41,472 viac7.sys
      21/01/2008  03:23            44,032 amdk8.sys
      21/01/2008  03:23            41,472 amdk7.sys
      21/01/2008  03:23            40,960 crusoe.sys
      21/01/2008  03:23            40,960 processr.sys
      21/01/2008  03:23            17,976 intelide.sys
      21/01/2008  03:23            19,000 cmdide.sys
      21/01/2008  03:23            16,440 pciide.sys
      21/01/2008  03:23            20,024 viaide.sys
      21/01/2008  03:23            17,464 aliide.sys
      21/01/2008  03:23            17,976 amdide.sys
      21/01/2008  03:23            55,864 SISAGP.SYS
      21/01/2008  03:23            15,288 swenum.sys
      21/01/2008  03:23            60,984 ULIAGPKX.SYS
      21/01/2008  03:23           109,112 NV_AGP.SYS
      21/01/2008  03:23            31,288 mssmbios.sys
      21/01/2008  03:23            16,440 msisadrv.sys
      21/01/2008  03:23            56,376 AGP440.sys
      21/01/2008  03:23            49,720 isapnp.sys
      21/01/2008  03:23            52,792 volmgr.sys
      21/01/2008  03:23            56,888 VIAAGP.SYS
      21/01/2008  03:23            57,400 AMDAGP.SYS
      21/01/2008  03:23           248,832 rdpdr.sys
      21/01/2008  03:23            45,568 blbdrive.sys
      21/01/2008  03:23             8,704 parvdm.sys
      21/01/2008  03:23            79,360 parport.sys
      21/01/2008  03:23            26,112 vgapnp.sys
      21/01/2008  03:23            30,264 i2omp.sys
      21/01/2008  03:23            19,000 i2omgmt.sys
      21/01/2008  03:23           179,256 pcmcia.sys
      21/01/2008  03:23            23,552 usbuhci.sys
      21/01/2008  03:23             5,888 usbd.sys
      21/01/2008  03:23           179,712 b57nd60x.sys
      21/01/2008  03:23            54,784 i8042prt.sys
      21/01/2008  03:23            15,872 mouhid.sys
      21/01/2008  03:23            34,360 mouclass.sys
      21/01/2008  03:23            19,968 sermouse.sys
      21/01/2008  03:23            25,088 fdc.sys
      21/01/2008  03:23            20,480 flpydisk.sys
      21/01/2008  03:23            73,216 usbccgp.sys
      21/01/2008  03:23           105,016 mpio.sys
      21/01/2008  03:23            92,160 bthpan.sys
      21/01/2008  03:23           238,648 uliahci.sys
      21/01/2008  03:23           130,048 drmk.sys
      21/01/2008  03:23             5,632 drmkaud.sys
      21/01/2008  03:23           422,968 adp94xx.sys
      21/01/2008  03:23            45,112 nvstor.sys
      21/01/2008  03:23           102,968 nvraid.sys
      21/01/2008  03:23            94,776 msdsm.sys
      21/01/2008  03:23            53,376 1394bus.sys
      21/01/2008  03:23            61,952 ohci1394.sys
      21/01/2008  03:23            59,448 UAGP35.SYS
      21/01/2008  03:23            61,496 GAGP30KX.SYS
      21/01/2008  03:23            41,984 monitor.sys
      21/01/2008  03:23            24,632 crcdisk.sys
      21/01/2008  03:23           342,584 elxstor.sys
      21/01/2008  03:23            64,512 IPMIDrv.sys
      21/01/2008  03:23            34,816 umbus.sys
      21/01/2008  03:23            96,312 lsi_scsi.sys
      21/01/2008  03:23           235,064 iaStorV.sys
      21/01/2008  03:23            12,288 sffp_mmc.sys
      21/01/2008  03:23            13,312 sffdisk.sys
      21/01/2008  03:23            11,776 sffp_sd.sys
      21/01/2008  03:23           115,816 ulsata2.sys
      21/01/2008  03:23            35,384 kbdclass.sys
      21/01/2008  03:23            96,312 lsi_fc.sys
      21/01/2008  03:23            79,416 arc.sys
      21/01/2008  03:23           130,616 vsmraid.sys
      21/01/2008  03:23            79,928 arcsas.sys
      21/01/2008  03:23            22,072 wd.sys
      21/01/2008  03:23           118,784 E1G60I32.sys
      21/01/2008  03:23         1,122,360 ql2300.sys
      21/01/2008  03:23            89,656 lsi_sas.sys
      21/01/2008  03:23           300,600 adpahci.sys
      21/01/2008  03:23            41,016 sisraid2.sys
      21/01/2008  03:23            35,328 circlass.sys
      21/01/2008  03:23           134,016 usbvideo.sys
      21/01/2008  03:23           101,432 adpu160m.sys
      21/01/2008  03:23            74,808 sisraid4.sys
      21/01/2008  03:23            45,624 tpm.sys
      21/01/2008  03:23            40,504 HpCISSs.sys
      21/01/2008  03:23            14,208 CmBatt.sys
      21/01/2008  03:23            25,472 hidparse.sys
      21/01/2008  03:23           386,616 MegaSR.sys
      21/01/2008  03:23           149,560 adpu320.sys
      21/01/2008  03:23            31,288 megasas.sys
      21/01/2008  03:23            31,232 qwavedrv.sys
      21/01/2008  03:23            12,288 bdasup.sys
      21/01/2008  03:23            17,976 wmilib.sys
      21/01/2008  03:23           110,080 videoprt.sys
      21/01/2008  03:23            57,400 mountmgr.sys
      21/01/2008  03:23             6,144 beep.sys
      21/01/2008  03:23             7,680 umpass.sys
      21/01/2008  03:23             4,608 null.sys
      21/01/2008  03:23            22,528 msfs.sys
      21/01/2008  03:23            70,144 cdfs.sys
      21/01/2008  03:23           503,864 Wdf01000.sys
      21/01/2008  03:23            35,896 WdfLdr.sys
      21/01/2008  03:23                 3 MsftWdf_Kernel_01007_Inbox_Critical.Wdf
      21/01/2008  03:23            69,632 bowser.sys
      21/01/2008  03:23            13,312 irenum.sys
      21/01/2008  03:23           142,904 scsiport.sys
      21/01/2008  03:24            58,936 fileinfo.sys
      21/01/2008  03:24            17,408 asyncmac.sys
      21/01/2008  03:24            20,992 tdi.sys
      21/01/2008  03:24             6,144 RDPCDD.sys
      21/01/2008  03:24            12,800 fs_rec.sys
      21/01/2008  03:24            29,184 tdtcp.sys
      21/01/2008  03:24            17,920 tdpipe.sys
      21/01/2008  03:24            21,048 spldr.sys
      21/01/2008  03:24            11,776 rasacd.sys
      21/01/2008  03:24            35,840 netbios.sys
      21/01/2008  03:24            27,648 filetrace.sys
      21/01/2008  03:24            13,312 dxapi.sys
      21/01/2008  03:24            62,464 wanarp.sys
      21/01/2008  03:24            49,664 ndproxy.sys
      21/01/2008  03:24            20,992 ndistapi.sys
      21/01/2008  03:24           100,864 ipnat.sys
      21/01/2008  03:24            15,360 TUNMP.SYS
      21/01/2008  03:24            95,744 irda.sys
      21/01/2008  03:24            60,416 rspndr.sys
      21/01/2008  03:24            47,104 lltdio.sys
      21/01/2008  03:24            84,480 luafv.sys
      21/01/2008  03:24            24,576 tape.sys
      21/01/2008  03:24            47,616 ipfltdrv.sys
      21/01/2008  03:24            18,944 mcd.sys
      21/01/2008  03:24            16,384 nsiproxy.sys
      21/01/2008  03:24            15,872 ws2ifsl.sys
      21/01/2008  03:24            64,000 mpsdrv.sys
      21/01/2008  03:24             8,192 rootmdm.sys
      21/01/2008  03:24             6,144 RDPENCDD.sys
      21/01/2008  03:24            25,088 vga.sys
      21/01/2008  03:24             8,192 mskssrv.sys
      21/01/2008  03:24             5,504 mspqm.sys
      21/01/2008  03:24             6,016 mstee.sys
      21/01/2008  03:24             5,888 mspclock.sys
      21/01/2008  03:24            16,896 ndisuio.sys
      21/01/2008  03:24            17,408 smclib.sys
      21/01/2008  03:24            62,976 raspptp.sys
      21/01/2008  03:24            76,288 rasl2tp.sys
      21/01/2008  03:24            31,744 modem.sys
      21/01/2008  03:24            83,328 WUDFRd.sys
      21/01/2008  03:24            51,200 WUDFPf.sys
      21/01/2008  03:24            23,552 tssecsrv.sys
      29/02/2008  17:13         1,202,560 AGRSM.sys
      21/03/2008  19:35         1,207,288 BCMWL6.SYS
      27/03/2008  20:06           199,472 SynTP.sys
      03/04/2008  22:57           310,272 yk60x86.sys
      07/04/2008  19:13            34,664 Accelerometer.sys
      07/04/2008  19:13            25,448 hpdskflt.sys
      11/04/2008  02:27         1,804,160 snp2uvc.sys
      11/04/2008  15:38           382,464 ADIHdAud.sys
      14/04/2008  22:39             9,344 CPQBttn.sys
      28/04/2008  10:26            14,352 AtiPcie.sys
      21/05/2008  09:47            49,152 ati2erec.dll
      21/05/2008  11:35         3,552,768 atikmdag.sys
      28/05/2008  13:27            81,960 btwavdt.sys
      28/05/2008  13:27            80,424 btwaudio.sys
      28/05/2008  13:27            16,168 btwrchid.sys
      30/05/2008  17:36           108,752 SafeBoot.sys
      30/05/2008  17:37            12,496 rsvlock.sys
      30/05/2008  17:37            12,928 SbFsLock.sys
      30/05/2008  17:37            10,832 SbHiber.sys
      30/05/2008  17:37            51,376 SbAlg.sys
      24/07/2008  19:45            10,144 lmimirr.sys
      24/07/2008  19:46            47,640 LMIRfsDriver.sys
      28/07/2008  18:19           116,736 mcdbus.sys
      26/08/2008  10:26            18,816 pccsmcfd.sys
      11/04/2009  03:52           684,032 spsys.sys
      11/04/2009  05:13           142,848 fastfat.sys
      11/04/2009  05:13           136,704 exfat.sys
      11/04/2009  05:13           226,816 udfs.sys
      11/04/2009  05:14            35,328 npfs.sys
      11/04/2009  05:14            75,264 dfsc.sys
      11/04/2009  05:14           225,280 rdbss.sys
      11/04/2009  05:14           114,688 mrxdav.sys
      11/04/2009  05:22            33,280 watchdog.sys
      11/04/2009  05:23            76,288 dxg.sys
      11/04/2009  05:38            17,408 kbdhid.sys
      11/04/2009  05:38           149,504 ks.sys
      11/04/2009  05:39            19,456 Diskdump.sys
      11/04/2009  05:39            67,072 cdrom.sys
      11/04/2009  05:42           561,152 hdaudbus.sys
      11/04/2009  05:42            52,992 stream.sys
      11/04/2009  05:42            39,424 hidclass.sys
      11/04/2009  05:42            12,800 hidusb.sys
      11/04/2009  05:42           167,936 portcls.sys
      11/04/2009  05:42            19,456 usbohci.sys
      11/04/2009  05:42            39,936 usbehci.sys
      11/04/2009  05:42            27,648 usbser.sys
      11/04/2009  05:42            65,536 USBSTOR.SYS
      11/04/2009  05:42            25,856 USBCAMD.sys
      11/04/2009  05:42            25,856 USBCAMD2.sys
      11/04/2009  05:42           226,304 usbport.sys
      11/04/2009  05:43            29,696 BTHUSB.SYS
      11/04/2009  05:43           507,904 bthport.sys
      11/04/2009  05:43            22,528 bthenum.sys
      11/04/2009  05:43           148,992 rfcomm.sys
      11/04/2009  05:43           196,096 usbhub.sys
      11/04/2009  05:43           148,480 nwifi.sys
      11/04/2009  05:45            66,560 smb.sys
      11/04/2009  05:45           113,664 rmcast.sys
      11/04/2009  05:45           185,856 netbt.sys
      11/04/2009  05:45            72,192 pacer.sys
      11/04/2009  05:45            72,192 tdx.sys
      11/04/2009  05:46            33,280 RNDISMP.sys
      11/04/2009  05:46            15,872 usb8023.sys
      11/04/2009  05:46            41,472 raspppoe.sys
      11/04/2009  05:46           121,344 ndiswan.sys
      11/04/2009  05:46            69,120 rassstp.sys
      11/04/2009  05:47           273,920 afd.sys
      11/04/2009  05:51           180,736 rdpwd.sys
      11/04/2009  06:42            93,696 bridge.sys
      11/04/2009  07:32            19,944 atapi.sys
      11/04/2009  07:32            27,112 msahci.sys
      11/04/2009  07:32            27,624 Dumpata.sys
      11/04/2009  07:32            35,304 crashdmp.sys
      11/04/2009  07:32            48,104 mup.sys
      11/04/2009  07:32            53,736 disk.sys
      11/04/2009  07:32            54,248 partmgr.sys
      11/04/2009  07:32           109,032 ataport.sys
      11/04/2009  07:32            99,816 FWPKCLNT.SYS
      11/04/2009  07:32           141,288 ecache.sys
      11/04/2009  07:32           125,928 Classpnp.sys
      11/04/2009  07:32           161,752 msrpc.sys
      11/04/2009  07:32           180,712 msiscsi.sys
      11/04/2009  07:32           223,208 netio.sys
      11/04/2009  07:32           265,688 acpi.sys
      11/04/2009  07:32           190,424 fltMgr.sys
      11/04/2009  07:32           527,848 ndis.sys
      11/04/2009  07:32         1,083,880 ntfs.sys
      11/04/2009  07:32            43,496 pciidex.sys
      11/04/2009  07:32            53,224 termdd.sys
      11/04/2009  07:32           122,344 Storport.sys
      11/04/2009  07:32           149,480 pci.sys
      11/04/2009  07:32           226,280 volsnap.sys
      11/04/2009  07:33           292,840 volmgrx.sys
      16/06/2009  00:15           439,864 ksecdd.sys
      14/09/2009  10:29           144,896 srv2.sys
      25/09/2009  02:27           634,880 dxgkrnl.sys
      01/10/2009  02:01            40,448 WpdUsb.sys
      06/10/2009  12:52            17,664 ccdcmb.sys
      06/10/2009  12:52             7,936 usbser_lowerflt.sys
      06/10/2009  12:52            22,016 ccdcmbo.sys
      06/10/2009  12:52             7,936 usbser_lowerfltj.sys
      08/12/2009  18:26            30,720 tcpipreg.sys
      11/12/2009  12:43            98,816 srvnet.sys
      11/12/2009  12:43           302,080 srv.sys
      02/02/2010  16:58    <DIR>          UMDF
      18/02/2010  12:28            25,088 tunnel.sys
      18/02/2010  15:07           904,576 tcpip.sys
      20/02/2010  21:53           411,648 http.sys
      23/02/2010  12:10           106,496 mrxsmb.sys
      23/02/2010  12:10            79,360 mrxsmb20.sys
      23/02/2010  12:10           212,992 mrxsmb10.sys
      28/02/2010  15:22           390,528 RapportBuka.sys
      17/03/2010  04:01    <DIR>          en-US
      18/03/2010  09:52           216,200 avgldx86.sys
      29/04/2010  15:39            20,952 mbam.sys
      29/04/2010  15:39            38,224 mbamswissarmy.sys
      03/06/2010  09:29            29,584 avgmfx86.sys
      03/06/2010  09:29           242,896 avgtdix.sys
      11/06/2010  14:01            95,024 SBREDrv.sys
      06/07/2010  18:28            64,288 Lbd.sys
      07/07/2010  21:40    <DIR>          ..
      07/07/2010  21:40    <DIR>          .
      15/07/2010  09:37    <DIR>          Avg
                   310 File(s)     41,789,424 bytes
                     6 Dir(s)  140,234,997,760 bytes free
       
       
      Virtual drives found?
       
       
       
      Environment variables
       
      ALLUSERSPROFILE=C:\ProgramData
      APPDATA=C:\Users\Joyce\AppData\Roaming
      CommonProgramFiles=C:\Program Files\Common Files
      COMPUTERNAME=JOYCE-PC
      ComSpec=C:\windows\system32\cmd.exe
      DFSTRACINGON=FALSE
      FP_NO_HOST_CHECK=NO
      HOMEDRIVE=C:
      HOMEPATH=\Users\Joyce
      LOCALAPPDATA=C:\Users\Joyce\AppData\Local
      LOGONSERVER=\\JOYCE-PC
      MOZ_CRASHREPORTER_DATA_DIRECTORY=C:\Users\Joyce\AppData\Roaming\Mozilla\Firefox\Crash Reports
      MOZ_CRASHREPORTER_RESTART_ARG_0=C:\Program Files\Mozilla Firefox\firefox.exe
      MOZ_CRASHREPORTER_STRINGS_OVERRIDE=C:\Program Files\Mozilla Firefox\crashreporter-override.ini
      NUMBER_OF_PROCESSORS=2
      OnlineServices=Online Services
      OS=Windows_NT
      Path=C:\Program Files\Mozilla Firefox;C:\Program Files\PC Connectivity Solution\;C:\windows\system32;C:\windows;C:\windows\System32\Wbem;c:\Program Files\ATI Technologies\ATI.ACE\Core-Static;c:\Program Files\ActivIdentity\ActivClient\;c:\Program Files\Hewlett-Packard\IAM\bin
      PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
      Platform=BNB
      PROCESSOR_ARCHITECTURE=x86
      PROCESSOR_IDENTIFIER=x86 Family 17 Model 3 Stepping 1, AuthenticAMD
      PROCESSOR_LEVEL=17
      PROCESSOR_REVISION=0301
      ProgramData=C:\ProgramData
      ProgramFiles=C:\Program Files
      PROMPT=$P$G
      PUBLIC=C:\Users\Public
      SESSIONNAME=Console
      SystemDrive=C:
      SystemRoot=C:\windows
      TEMP=C:\Users\Joyce\AppData\Local\Temp
      TMP=C:\Users\Joyce\AppData\Local\Temp
      TRACE_FORMAT_SEARCH_PATH=\\NTREL202.ntdev.corp.microsoft.com\4F18C3A5-CA09-4DBD-B6FC-219FDD4C6BE0\TraceFormat
      USERDOMAIN=Joyce-PC
      USERNAME=Joyce
      USERPROFILE=C:\Users\Joyce
      windir=C:\windows
       
       
      Stealth malware?
       
       
      Internet Explorer
       

      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main
          Start Page    REG_SZ    http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_gb&c=83&bd=all&pf=cmnb
          AutoHide    REG_SZ    yes
          Default_Page_URL    REG_SZ    http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_gb&c=83&bd=all&pf=cmnb
          Default_Secondary_Page_URL    REG_MULTI_SZ   
          Default_Search_URL    REG_SZ    http://go.microsoft.com/fwlink/?LinkId=54896
          Search Page    REG_SZ    http://go.microsoft.com/fwlink/?LinkId=54896
          Extensions Off Page    REG_SZ    about:NoAdd-ons
          Security Risk Page    REG_SZ    about:SecurityRisk
          Enable_Disk_Cache    REG_SZ    yes
          Cache_Percent_of_Disk    REG_BINARY    0A000000
          Delete_Temp_Files_On_Exit    REG_SZ    yes
          Local Page    REG_SZ    C:\windows\System32\blank.htm
          Anchor_Visitation_Horizon    REG_BINARY    01000000
          Use_Async_DNS    REG_SZ    yes
          Placeholder_Width    REG_BINARY    1A000000
          Placeholder_Height    REG_BINARY    1A000000
          tp    REG_SZ    1000
          TI    REG_SZ    1

      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\ErrorThresholds
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\UrlTemplate

      HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
          IE5_UA_Backup_Flag    REG_SZ    5.0
          User Agent    REG_SZ    Mozilla/4.0 (compatible; MSIE 8.0; Win32)
          EmailName    REG_SZ    IEUser@
          AutoConfigProxy    REG_SZ    wininet.dll
          MimeExclusionListForCache    REG_SZ    multipart/mixed multipart/x-mixed-replace multipart/x-byteranges
          UseSchannelDirectly    REG_BINARY    01000000
          EnableHttp1_1    REG_DWORD    0x1
          PrivDiscUiShown    REG_DWORD    0x1
          WarnOnIntranet    REG_DWORD    0x1
          EnableNegotiate    REG_DWORD    0x1
          MigrateProxy    REG_DWORD    0x1
          ProxyEnable    REG_DWORD    0x0
          GlobalUserOffline    REG_DWORD    0x0
          WarnOnPost    REG_BINARY    01000000
          UrlEncoding    REG_DWORD    0x0
          SecureProtocols    REG_DWORD    0xa0
          PrivacyAdvanced    REG_DWORD    0x0
          ZonesSecurityUpgradeDone    REG_DWORD    0x1
          DisableCachingOfSSLPages    REG_DWORD    0x0
          WarnonZoneCrossing    REG_DWORD    0x0
          CertificateRevocation    REG_DWORD    0x1
          NoNetAutodial    REG_DWORD    0x0
          EnableAutodial    REG_DWORD    0x0
          ZonesSecurityUpgrade    REG_BINARY    83AD422D9D01CA01

      HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0
      HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache
      HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
      HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Http Filters
      HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones
      HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P
      HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Passport
      HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Protocols
      HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\TemplatePolicies
      HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
      HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
      HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones

      HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main
          Disable Script Debugger    REG_SZ    yes
          Start Page    REG_SZ    http://uk.yahoo.com/
          Default_Page_URL    REG_SZ    http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_gb&c=83&bd=all&pf=cmnb
          Anchor Underline    REG_SZ    yes
          Cache_Update_Frequency    REG_SZ    Once_Per_Session
          Display Inline Images    REG_SZ    yes
          Do404Search    REG_BINARY    01000000
          Local Page    REG_SZ    C:\windows\system32\blank.htm
          Save_Session_History_On_Exit    REG_SZ    no
          Show_FullURL    REG_SZ    no
          Show_StatusBar    REG_SZ    yes
          Show_ToolBar    REG_SZ    yes
          Show_URLinStatusBar    REG_SZ    yes
          Show_URLToolBar    REG_SZ    yes
          Use_DlgBox_Colors    REG_SZ    yes
          Search Page    REG_SZ   
          XMLHTTP    REG_DWORD    0x1
          NoUpdateCheck    REG_DWORD    0x1
          UseClearType    REG_SZ    no
          Enable Browser Extensions    REG_SZ    yes
          Play_Background_Sounds    REG_SZ    yes
          Play_Animations    REG_SZ    yes
          CompatibilityFlags    REG_DWORD    0x0
          FullScreen    REG_SZ    no
          SearchMigrated    REG_DWORD    0x0
          Window_Placement    REG_BINARY

      mongerlane

        Topic Starter


        Rookie

        Looks like it needs multiple postings for the log. Will repeat the last line each time.
        Window_Placement    REG_BINARY    2C0000000200000003000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFC2000000290000005B03000062020000
            StartPageCache    REG_DWORD    0x1
            RunOnceComplete    REG_DWORD    0x1
            RunOnceHasShown    REG_DWORD    0x1
            NotifyDownloadComplete    REG_SZ    yes
            Use FormSuggest    REG_SZ    no
            HistoryViewType    REG_BINARY    08006663010000000000
            AlwaysShowMenus    REG_DWORD    0x1
            AutoHide    REG_SZ    yes
            IE8RunOnceLastShown    REG_DWORD    0x1
            IE8RunOnceLastShown_TIMESTAMP    REG_BINARY    DE2C3902EE1ECB01
            IE8TourShown    REG_DWORD    0x1
            IE8TourShownTime    REG_BINARY    A0A8C466F501CA01
            FormSuggest PW Ask    REG_SZ    no
            SmoothScroll    REG_DWORD    0x0
            Use Search Asst    REG_SZ   
            Search Bar    REG_SZ   
            SearchAssistant    REG_SZ   
            tp    REG_SZ    1000

        HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\Default Feeds
        HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl
        HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch

        HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks
            {CFBFAE00-17A6-11D0-99CB-00C04FD64497}    REG_SZ   


        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3134413B-49B4-425C-98A5-893C1F195601}
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7C554162-8CB7-45A4-B8F4-8EA1C75885F9}
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DF21F1DB-80C6-11D3-9483-B03D0EC10000}

        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar
            {0BF43445-2F28-4351-9252-17FE6E806AA0}    REG_SZ    McAfee SiteAdvisor
            {DE9C389F-3316-41A7-809B-AA305ED9D922}    REG_SZ    AOL Toolbar
            {2318C2B1-4965-11d4-9B18-009027A5CD4F}    REG_BINARY    00


        HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\&AOL Toolbar Search
        HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\&Search
        HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel
        HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Google Sidewiki...
        HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Send image to &Bluetooth Device...
        HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Send page to &Bluetooth Device...
         
         
        Protocol hijack?
         
         
         
        Security Center
         

        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
            cval    REG_DWORD    0x1

        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc


        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc
            AntiVirusOverride    REG_DWORD    0x0
            AntiSpywareOverride    REG_DWORD    0x0
            FirewallOverride    REG_DWORD    0x0
            VistaSp1    REG_NONE    5CA0485DD75BC801
            VistaSp2    REG_NONE    CBF9CE639846CA01

        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol


        HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile
            EnableFirewall    REG_DWORD    0x1
            DisableNotifications    REG_DWORD    0x0

        HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications
        HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts
        HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging

        HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
            EnableFirewall    REG_DWORD    0x1
            DisableNotifications    REG_DWORD    0x0

        HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications
        HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts
        HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging

        HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile
            EnableFirewall    REG_DWORD    0x1
            DisableNotifications    REG_DWORD    0x0

        HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\AuthorizedApplications
        HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\GloballyOpenPorts
        HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging
         
         
        Uninstall List
         

        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\504244733D18C8F63FF584AEB290E3904E791693
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Ad-Aware
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player ActiveX
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player Plugin
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Agere Systems Soft Modem
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AOL Toolbar
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ArbSurfer2
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AVG9Uninstall
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CCleaner
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Combined Community Codec Pack_is1
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectVobSub
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DivX Plus DirectShow Filters
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Driving Theory Test Professional v2.1.0.0_is1
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Updater
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HijackThis
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HOMESTUDENTR
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\InstallShield Uninstall Information
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\InstallShield_{79D1BA4A-BEB4-4357-A431-C3EF58E72E6C}
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\M979906
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MagicDisc 2.7.105
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MagicDisc 2.7.97
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Malwarebytes' Anti-Malware_is1
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Microsoft .NET Framework 1.1  (1033)
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Microsoft .NET Framework 3.5 SP1
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox (3.6.6)
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Nero - Burning Rom!UninstallKey
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NeroBackItUp!UninstallKey
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NeroMediaHome!UninstallKey
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NeroRecode!UninstallKey
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NeroShowTime!UninstallKey
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NeroVision!UninstallKey
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Nokia Ovi Application Installer
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Nokia Ovi Content Copier
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Nokia Ovi One Touch Access
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Nokia Ovi Suite
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Nokia Ovi System Utilities
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PDF Complete
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PROHYBRID2R
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Rapport_msi
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Shockwave
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SMALLBUSINESSR
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SynTPDeinstKey
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinRAR archiver
         
         
        Adobe Products
         

        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player ActiveX
            DisplayName    REG_SZ    Adobe Flash Player 10 ActiveX
            Publisher    REG_SZ    Adobe Systems Incorporated
            DisplayVersion    REG_SZ    10.1.53.64
            HelpLink    REG_SZ    http://www.adobe.com/go/flashplayer_support/
            NoModify    REG_DWORD    0x1
            NoRepair    REG_DWORD    0x1
            RequiresIESysFile    REG_SZ    4.70.0.1155
            URLInfoAbout    REG_SZ    http://www.adobe.com
            URLUpdateInfo    REG_SZ    http://www.adobe.com/go/getflashplayer/
            VersionMajor    REG_DWORD    0xa
            VersionMinor    REG_DWORD    0x1
            UninstallString    REG_SZ    C:\windows\system32\Macromed\Flash\FlashUtil10h_ActiveX.exe -maintain activex
            DisplayIcon    REG_SZ    C:\windows\system32\Macromed\Flash\FlashUtil10h_ActiveX.exe
            EstimatedSize    REG_DWORD    0x1800


        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player Plugin
            DisplayName    REG_SZ    Adobe Flash Player 10 Plugin
            Publisher    REG_SZ    Adobe Systems Incorporated
            DisplayVersion    REG_SZ    10.1.53.64
            HelpLink    REG_SZ    http://www.adobe.com/go/flashplayer_support/
            NoModify    REG_DWORD    0x1
            NoRepair    REG_DWORD    0x1
            RequiresIESysFile    REG_SZ    4.70.0.1155
            URLInfoAbout    REG_SZ    http://www.adobe.com
            URLUpdateInfo    REG_SZ    http://www.adobe.com/go/getflashplayer/
            VersionMajor    REG_DWORD    0xa
            VersionMinor    REG_DWORD    0x1
            UninstallString    REG_SZ    C:\windows\system32\Macromed\Flash\FlashUtil10h_Plugin.exe -maintain plugin
            DisplayIcon    REG_SZ    C:\windows\system32\Macromed\Flash\FlashUtil10h_Plugin.exe
            EstimatedSize    REG_DWORD    0x1800

         
         
        Autorun
         

        HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
            Sidebar    REG_SZ    C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
            LightScribe Control Panel    REG_SZ    C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
            IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}    REG_SZ    "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
            ISUSPM    REG_SZ    "C:\ProgramData\Macrovision\FLEXnet Connect\6\ISUSPM.exe" -scheduler
            msnmsgr    REG_SZ    "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
            ehTray.exe    REG_SZ    C:\windows\ehome\ehTray.exe
            swg    REG_SZ    "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
            (Default)    REG_SZ   
            NokiaOviSuite2    REG_SZ    C:\Program Files\Nokia\Nokia Ovi Suite\NokiaOviSuite.exe -tray
            {4C4F084C-DC11-DEB1-0E29-42CD091F277C}    REG_SZ    C:\Users\Joyce\AppData\Roaming\Raepmi\puqa.exe
            SUPERAntiSpyware    REG_SZ    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe


        HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
            Windows Defender    REG_EXPAND_SZ    %ProgramFiles%\Windows Defender\MSASCui.exe -hide
            StartCCC    REG_SZ    "c:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
            (Default)    REG_SZ   
            accrdsub    REG_SZ    "c:\Program Files\ActivIdentity\ActivClient\accrdsub.exe"
            PTHOSTTR    REG_SZ    c:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE /Start
            CognizanceTS    REG_SZ    rundll32.exe c:\PROGRA~1\HEWLET~1\IAM\Bin\ASTSVCC.dll,RegisterModule
            PDF Complete    REG_SZ    C:\Program Files\PDF Complete\pdfsty.exe
            SynTPEnh    REG_SZ    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
            hpWirelessAssistant    REG_SZ    C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
            HP Health Check Scheduler    REG_SZ    c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
            File Sanitizer    REG_SZ    C:\Program Files\Hewlett-Packard\File Sanitizer\CoreShredder.exe
            QlbCtrl.exe    REG_SZ    C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
            WatchDog    REG_SZ    C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
            SoundMAX    REG_SZ    C:\Program Files\Analog Devices\SoundMAX\soundmax.exe /tray
            GrooveMonitor    REG_SZ    "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
            NBKeyScan    REG_SZ    "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
            LogMeIn GUI    REG_SZ    "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
            NeroFilterCheck    REG_SZ    C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
            SunJavaUpdateSched    REG_SZ    "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
            FBSSA    REG_SZ    C:\Program Files\SGPSA\ie3sh.exe
            HP Software Update    REG_SZ    C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
            SoundMAXPnP    REG_SZ    C:\Program Files\Analog Devices\Core\smax4pnp.exe
            NokiaMServer    REG_SZ    C:\Program Files\Common Files\Nokia\MPlatform\NokiaMServer /watchfiles startup
            NokiaMusic FastStart    REG_SZ    "C:\Program Files\Nokia\Ovi Player\NokiaOviPlayer.exe" /command:faststart
            AVG9_TRAY    REG_SZ    C:\PROGRA~1\AVG\AVG9\avgtray.exe

         
         
        Restrictions - Internet Explorer
         
         
         
        Restrictions - REGEDIT
         
         
         
        Restrictions - Explorer
         
         
         
        DNS Settings
         

        HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{3a539854-6a70-11db-887c-806e6f6e6963}
        HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{6EC102A1-35D8-4F5F-AC4F-783EEB5F404C}
        HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{81BD546B-BC19-448F-ADE1-9FB4B0F03411}
        HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{E7968B17-B975-4E2A-AE2B-16861689F44C}

        Windows IP Configuration

           Host Name . . . . . . . . . . . . : Joyce-PC
           Primary Dns Suffix  . . . . . . . :
           Node Type . . . . . . . . . . . . : Hybrid
           IP Routing Enabled. . . . . . . . : No
           WINS Proxy Enabled. . . . . . . . : No
           DNS Suffix Search List. . . . . . : home

        Wireless LAN adapter Wireless Network Connection:

           Connection-specific DNS Suffix  . : home
           Description . . . . . . . . . . . : Broadcom 802.11b/g WLAN
           Physical Address. . . . . . . . . : 00-21-00-77-F5-26
           DHCP Enabled. . . . . . . . . . . : Yes
           Autoconfiguration Enabled . . . . : Yes
           Link-local IPv6 Address . . . . . : fe80::995d:aba5:9d2a:6dc7%14(Preferred)
           IPv4 Address. . . . . . . . . . . : 192.168.1.68(Preferred)
           Subnet Mask . . . . . . . . . . . : 255.255.255.0
           Lease Obtained. . . . . . . . . . : 11 July 2010 08:45:28
           Lease Expires . . . . . . . . . . : 16 July 2010 20:45:58
           Default Gateway . . . . . . . . . : 192.168.1.254
           DHCP Server . . . . . . . . . . . : 192.168.1.254
           DHCPv6 IAID . . . . . . . . . . . : 318775552
           DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-10-F9-40-AF-00-22-64-6C-29-3E
           DNS Servers . . . . . . . . . . . : 192.168.1.254
           NetBIOS over Tcpip. . . . . . . . : Enabled

        Ethernet adapter Local Area Connection:

           Media State . . . . . . . . . . . : Media disconnected
           Connection-specific DNS Suffix  . : home
           Description . . . . . . . . . . . : Marvell Yukon 88E8042 PCI-E Fast Ethernet Controller
           Physical Address. . . . . . . . . : 00-22-64-6C-29-3E
           DHCP Enabled. . . . . . . . . . . : Yes
           Autoconfiguration Enabled . . . . : Yes

        Ethernet adapter Bluetooth Network Connection:

           Media State . . . . . . . . . . . : Media disconnected
           Connection-specific DNS Suffix  . :
           Description . . . . . . . . . . . : Bluetooth Device (Personal Area Network)
           Physical Address. . . . . . . . . : 00-21-86-D1-D8-6D
           DHCP Enabled. . . . . . . . . . . : Yes
           Autoconfiguration Enabled . . . . : Yes

        Tunnel adapter Local Area Connection* 6:

           Media State . . . . . . . . . . . : Media disconnected
           Connection-specific DNS Suffix  . : home
           Description . . . . . . . . . . . : isatap.home
           Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
           DHCP Enabled. . . . . . . . . . . : No
           Autoconfiguration Enabled . . . . : Yes

        Tunnel adapter Local Area Connection* 7:

           Media State . . . . . . . . . . . : Media disconnected
           Connection-specific DNS Suffix  . :
           Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
           Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
           DHCP Enabled. . . . . . . . . . . : No
           Autoconfiguration Enabled . . . . : Yes

        Tunnel adapter Local Area Connection* 13:

           Media State . . . . . . . . . . . : Media disconnected
           Connection-specific DNS Suffix  . :
           Description . . . . . . . . . . . : isatap.{E7968B17-B975-4E2A-AE2B-16861689F44C}
           Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
           DHCP Enabled. . . . . . . . . . . : No
           Autoconfiguration Enabled . . . . : Yes

        Tunnel adapter Local Area Connection* 14:

           Connection-specific DNS Suffix  . :
           Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
           Physical Address. . . . . . . . . : 02-00-54-55-4E-01
           DHCP Enabled. . . . . . . . . . . : No
           Autoconfiguration Enabled . . . . : Yes
           IPv6 Address. . . . . . . . . . . : 2001:0:5ef5:73ba:43b:145e:a968:b915(Preferred)
           Link-local IPv6 Address . . . . . : fe80::43b:145e:a968:b915%15(Preferred)
           Default Gateway . . . . . . . . . : ::
           NetBIOS over Tcpip. . . . . . . . : Disabled

        mongerlane

          Topic Starter


          Rookie

           
           
          AppInit DLLs
           

          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
              AppInit_DLLs    REG_SZ    APSHook.dll,avgrsstx.dll

           
           
          Shell Service Object Delay Load
           

          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
              WebCheck    REG_SZ    {E6FB5E20-DE35-11CF-9C87-00AA005127ED}

           
           
           
          Shell Execute Hooks
           

          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
              {B5A7F190-DDA6-4420-B3BA-52453494E6CD}    REG_SZ    Groove GFS Stub Execution Hook

           
           
          Image File Execution Options
           

          HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions
          HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ehshell.exe
          HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IEInstal.exe
           
           
          Security Providers
           
           
           
          Local Security Authority
           

          HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
              auditbaseobjects    REG_DWORD    0x0
              auditbasedirectories    REG_DWORD    0x0
              crashonauditfail    REG_DWORD    0x0
              fullprivilegeauditing    REG_BINARY    00
              Bounds    REG_BINARY    0030000000200000
              LimitBlankPasswordUse    REG_DWORD    0x1
              LmCompatibilityLevel    REG_DWORD    0x3
              NoLmHash    REG_DWORD    0x1
              Notification Packages    REG_MULTI_SZ    scecli\0ASWLNPkg
              Security Packages    REG_MULTI_SZ    kerberos\0msv1_0\0schannel\0wdigest\0tspkg
              Authentication Packages    REG_MULTI_SZ    msv1_0
              LsaPid    REG_DWORD    0x2c8
              SecureBoot    REG_DWORD    0x1
              ProductType    REG_DWORD    0x3
              disabledomaincreds    REG_DWORD    0x0
              everyoneincludesanonymous    REG_DWORD    0x0
              forceguest    REG_DWORD    0x0
              restrictanonymous    REG_DWORD    0x0
              restrictanonymoussam    REG_DWORD    0x1

          HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\AccessProviders
          HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\Audit
          HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\Credssp
          HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\Data
          HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\FipsAlgorithmPolicy
          HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\GBG
          HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\JD
          HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\Kerberos
          HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\MSV1_0
          HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\Skew1
          HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\SSO
          HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\SspiCache
           
           
          AppCert DLLs
           
           
           
          App Paths
           

          HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app paths\AVGSE.DLL
              (Default)    REG_SZ    C:\PROGRA~1\AVG\AVG9\avgse.dll
              Menu1    REG_SZ    Scan with &AVG Free
              Help1    REG_SZ    Scan against viruses with AVG Free

          HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app paths\BackItUp.exe
              (Default)    REG_SZ    C:\Program Files\Nero\Nero 7\Nero BackItUp\BackItUp.exe
              Path    REG_SZ    C:\Program Files\Nero\Nero 7\Nero BackItUp\

          HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app paths\ccleaner.exe
              (Default)    REG_SZ    C:\Program Files\CCleaner\ccleaner.exe
              Path    REG_SZ    C:\Program Files\CCleaner

          HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app paths\chrome.exe
              (Default)    REG_SZ    C:\Program Files\Google\Chrome\Application\chrome.exe
              Path    REG_SZ    C:\Program Files\Google\Chrome\Application

          HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app paths\cmmgr32.exe
              CmstpExtensionDll    REG_SZ    C:\Windows\system32\cmcfg32.dll
              CmNative    REG_DWORD    0x2

          HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app paths\dvdmaker.exe
              (Default)    REG_EXPAND_SZ    %ProgramFiles%\Movie Maker\dvdmaker.exe

          HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app paths\excel.exe
              (Default)    REG_SZ    C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE
              Path    REG_SZ    C:\Program Files\Microsoft Office\Office12\
              SaveURL    REG_SZ    1
              useURL    REG_SZ    1

          HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app paths\firefox.exe
              (Default)    REG_SZ    C:\Program Files\Mozilla Firefox\firefox.exe
              Path    REG_SZ    C:\Program Files\Mozilla Firefox

          HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app paths\fsquirt.exe
              DropTarget    REG_SZ    {047ea9a0-93bb-415f-a1c3-d7aeb3dd5087}

          HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app paths\GROOVE.EXE
              (Default)    REG_SZ    C:\PROGRA~1\MICROS~2\Office12\GROOVE.EXE
              Path    REG_SZ    C:\Program Files\Microsoft Office\Office12\
              useURL    REG_SZ    1

          HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app paths\HijackThis.exe
              (Default)    REG_SZ    C:\Program Files\Trend Micro\HijackThis\hijackthis.exe
              Path    REG_SZ    C:\Program Files\Trend Micro\HijackThis

          HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app paths\IEXPLORE.EXE
              (Default)    REG_SZ    C:\Program Files\Internet Explorer\IEXPLORE.EXE
              Path    REG_SZ    C:\Program Files\Internet Explorer;

          HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app paths\infopath.exe
              (Default)    REG_SZ    C:\PROGRA~1\MICROS~2\Office12\INFOPATH.EXE
              Path    REG_SZ    C:\Program Files\Microsoft Office\Office12\
              useURL    REG_SZ    1

          HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app paths\inkball.exe
              (Default)    REG_EXPAND_SZ    %ProgramFiles%\Microsoft Games\inkball\inkball.exe

          HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app paths\install.exe
              BlockOnTSNonInstallMode    REG_DWORD    0x1

          HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app paths\javaws.exe
              (Default)    REG_SZ    C:\Program Files\Java\jre6\bin\javaws.exe
              Path    REG_SZ    C:\Program Files\Java\jre6\bin

          HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app paths\Journal.exe
              (Default)    REG_EXPAND_SZ    %ProgramFiles%\Windows Journal\Journal.exe

          HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app paths\LightScribeControlPanel.exe
              (Default)    REG_SZ    C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
              Path    REG_SZ    C:\Program Files\Common Files\LightScribe\;C:\Program Files\Common Files\LightScribe\controlpanel\;;

          HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app paths\mbam.exe
              (Default)    REG_SZ    C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
              Path    REG_SZ    C:\Program Files\Malwarebytes' Anti-Malware

          HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app paths\migwiz.exe

          HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app paths\moviemk.exe
              (Default)    REG_EXPAND_SZ    %ProgramFiles%\Movie Maker\moviemk.exe

          HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app paths\mplayer2.exe
              (Default)    REG_EXPAND_SZ    %ProgramFiles%\Windows Media Player\wmplayer.exe
              Path    REG_EXPAND_SZ    %ProgramFiles%\Windows Media Player

          HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app paths\mplayerc.exe
              (Default)    REG_SZ    C:\Program Files\Combined Community Codec Pack\MPC\mplayerc.exe
              Path    REG_SZ    C:\Program Files\Combined Community Codec Pack\MPC

          HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app paths\MSACCESS.EXE
              (Default)    REG_SZ    C:\PROGRA~1\MICROS~2\Office12\MSACCESS.EXE
              Path    REG_SZ    C:\Program Files\Microsoft Office\Office12\
              useURL    REG_SZ    1

          HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app paths\msimn.exe
              (Default)    REG_EXPAND_SZ    %ProgramFiles%\Windows Mail\WinMail.exe

          HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app paths\MSNMSGR.EXE
              (Default)    REG_SZ    C:\Program Files\MSN Messenger\MsnMsgr.Exe
              Path    REG_SZ    C:\Program Files\MSN Messenger\

          HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app paths\MsoHtmEd.exe
              useURL    REG_SZ    1

          HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app paths\msoxmled.exe
              (Default)    REG_SZ    C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLED.EXE
              useURL    REG_SZ    1

          HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app paths\MSPUB.EXE
              (Default)    REG_SZ    C:\PROGRA~1\MICROS~2\Office12\MSPUB.EXE
              Path    REG_SZ    C:\Program Files\Microsoft Office\Office12\
              useURL    REG_DWORD    0x1
              SaveURL    REG_SZ    1

          HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app paths\NCoverEd.exe
              (Default)    REG_SZ    C:\Program Files\Nero\Nero 7\Nero CoverDesigner\CoverDes.exe
              Path    REG_SZ    C:\Program Files\Nero\Nero 7\Nero CoverDesigner\

          HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app paths\Nero.exe
              (Default)    REG_SZ    C:\Program Files\Nero\Nero 7\Core\Nero.exe
              Path    REG_SZ    C:\Program Files\Nero\Nero 7\Core\

          HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app paths\NeroBurnRights.exe
              (Default)    REG_SZ    C:\Program Files\Nero\Nero 7\Nero Toolkit\NeroBurnRights.exe
              Path    REG_SZ    C:\Program Files\Nero\Nero 7\Nero Toolkit\

          HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app paths\NeroHome.exe
              (Default)    REG_SZ    C:\Program Files\Nero\Nero 7\Nero Home\NeroHome.exe
              Path    REG_SZ    C:\Program Files\Nero\Nero 7\Nero Home\

          HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app paths\NeroMediaHome.exe
              (Default)    REG_SZ    C:\Program Files\Nero\Nero 7\Nero MediaHome\NeroMediaHome.exe
              Path    REG_SZ    C:\Program Files\Nero\Nero 7\Nero MediaHome\

          HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app paths\NeroVision.exe
              (Default)    REG_SZ    C:\Program Files\Nero\Nero 7\Nero Vision\NeroVision.exe
              Path    REG_SZ    C:\Program Files\Nero\Nero 7\Nero Vision\

          HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app paths\NokiaMusic.exe
              (Default)    REG_SZ    C:\Program Files\Nokia\Ovi Player\NokiaMusic.exe
              Path    REG_SZ    C:\Program Files\Nokia\Ovi Player\

          HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app paths\NokiaOviPlayer.exe
              (Default)    REG_SZ    C:\Program Files\Nokia\Ovi Player\NokiaOviPlayer.exe
              Path    REG_SZ    C:\Program Files\Nokia\Ovi Player

          HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app paths\NokiaOviSuite.exe
              (Default)    REG_SZ    C:\Program Files\Nokia\Nokia Ovi Suite\NokiaOviSuite.exe

          HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app paths\ois.exe
              (Default)    REG_SZ    C:\PROGRA~1\MICROS~2\Office12\OIS.EXE
              Path    REG_SZ    C:\Program Files\Microsoft Office\Office12\
              SaveURL    REG_SZ    0
              useURL    REG_SZ    1

          HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app paths\OneNote.exe
              (Default)    REG_SZ    C:\PROGRA~1\MICROS~2\Office12\ONENOTE.EXE
              Path    REG_SZ    C:\Program Files\Microsoft Office\Office12\
              SaveURL    REG_SZ    1
              useURL    REG_SZ    1

          HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app paths\OUTLOOK.EXE
              (Default)    REG_SZ    C:\PROGRA~1\MICROS~2\Office12\OUTLOOK.EXE
              Path    REG_SZ    C:\Program Files\Microsoft Office\Office12\

          HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app paths\pbrush.exe
              (Default)    REG_EXPAND_SZ    %SystemRoot%\System32\mspaint.exe
              Path    REG_EXPAND_SZ    %SystemRoot%\System32

          HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app paths\PhotoSnapViewer.exe
              (Default)    REG_SZ    C:\Program Files\Nero\Nero 7\Nero PhotoSnap\PhotoSnapViewer.exe
              Path    REG_SZ    C:\Program Files\Nero\Nero 7\Nero PhotoSnap\

          HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app paths\powerpnt.exe
              (Default)    REG_SZ    C:\PROGRA~1\MICROS~2\Office12\POWERPNT.EXE
              Path    REG_SZ    C:\Program Files\Microsoft Office\Office12\
              useURL    REG_SZ    1
              SaveURL    REG_SZ    1

          HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app paths\Recode.exe
              (Default)    REG_SZ    C:\Program Files\Nero\Nero 7\Nero Recode\Recode.exe
              Path    REG_SZ    C:\Program Files\Nero\Nero 7\Nero Recode\

          HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app paths\RosettaStoneVersion3.exe
              (Default)    REG_SZ    C:\Program Files\Rosetta Stone\Rosetta Stone V3\RosettaStoneVersion3.exe
              Path    REG_SZ    C:\Program Files\Rosetta Stone\Rosetta Stone V3\

          HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app paths\setup.exe
              BlockOnTSNonInstallMode    REG_DWORD    0x1

          HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app paths\ShowTime.exe
              (Default)    REG_SZ    C:\Program Files\Nero\Nero 7\Nero ShowTime\ShowTime.exe
              Path    REG_SZ    C:\Program Files\Nero\Nero 7\Nero ShowTime\

          HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app paths\sidebar.exe
              (Default)    REG_EXPAND_SZ    "%ProgramFiles%\Windows Sidebar\sidebar.exe"

          HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app paths\smax4pnp.exe
              (Default)    REG_SZ    C:\Program Files\Analog Devices\Core\smax4pnp.exe
              Path    REG_SZ    C:\Program Files\Analog Devices\Core

          HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app paths\SMaxCore
              (Default)    REG_SZ    C:\Program Files\Analog Devices\Core
              Path    REG_SZ    C:\Program Files\Analog Devices\Core

          HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app paths\smwdmif.dll
              (Default)    REG_SZ    C:\Program Files\Analog Devices\Core\smwdmif.dll
              Path    REG_SZ    C:\Program Files\Analog Devices\Core

          HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app paths\SnippingTool.exe
              (Default)    REG_EXPAND_SZ    C:\Windows\System32\SnippingTool.exe

          HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app paths\SoundMAX
              Path    REG_SZ    C:\Program Files\Analog Devices\SoundMAX
              (Default)    REG_SZ    C:\Program Files\Analog Devices\SoundMAX

          HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app paths\soundmax.exe
              (Default)    REG_SZ    C:\Program Files\Analog Devices\SoundMAX\soundmax.exe
              Path    REG_SZ    C:\Program Files\Analog Devices\SoundMAX

          HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app paths\SoundTrax.exe
              (Default)    REG_SZ    C:\Program Files\Nero\Nero 7\Nero SoundTrax\SoundTrax.exe
              Path    REG_SZ    C:\Program Files\Nero\Nero 7\Nero SoundTrax\

          HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app paths\stikynot.exe
              (Default)    REG_EXPAND_SZ    C:\Windows\System32\stikynot.exe

          HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app paths\table30.exe
              UseShortName    REG_SZ   

          HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app paths\TabTip.exe
              (Default)    REG_EXPAND_SZ    %CommonProgramFiles%\microsoft shared\ink\TabTip.exe

          HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app paths\wab.exe
              (Default)    REG_EXPAND_SZ    %ProgramFiles%\Windows Mail\wab.exe
              Path    REG_EXPAND_SZ    %ProgramFiles%\Windows Mail

          HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app paths\wabmig.exe
              (Default)    REG_EXPAND_SZ    %ProgramFiles%\Windows Mail\wabmig.exe

          HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app paths\waveedit.exe
              (Default)    REG_SZ    C:\Program Files\Nero\Nero 7\Nero WaveEditor\waveedit.exe
              Path    REG_SZ    C:\Program Files\Nero\Nero 7\Nero WaveEditor\

          HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app paths\WinCal.exe
              (Default)    REG_EXPAND_SZ    "%ProgramFiles%\Windows Calendar\wincal.exe"

          HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app paths\WinDVD.exe
              Path    REG_SZ    C:\Program Files\InterVideo\WinDVD
              (Default)    REG_SZ    C:\Program Files\InterVideo\WinDVD\WinDVD.exe

          HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app paths\WinMail.exe
              (Default)    REG_EXPAND_SZ    %ProgramFiles%\Windows Mail\WinMail.exe

          HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app paths\WinRAR.exe
              (Default)    REG_SZ    C:\Program Files\WinRAR\WinRAR.exe
              Path    REG_SZ    C:\Program Files\WinRAR

          HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app paths\Winword.exe
              (Default)    REG_SZ    C:\PROGRA~1\MICROS~2\Office12\WINWORD.EXE
              Path    REG_SZ    C:\Program Files\Microsoft Office\Office12\
              useURL    REG_SZ    1
              SaveURL    REG_SZ    1

          HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app paths\WMPBurn.exe
              (Default)    REG_SZ    C:\Program Files\Nero\Nero 7\Nero Fast CD-DVD Burning Plug-in\WMPBurn.exe
              Path    REG_SZ    C:\Program Files\Nero\Nero 7\Nero Fast CD-DVD Burning Plug-in\

          HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app paths\wmplayer.exe
              (Default)    REG_EXPAND_SZ    %ProgramFiles%\Windows Media Player\wmplayer.exe
              Path    REG_EXPAND_SZ    %ProgramFiles%\Windows Media Player

          HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app paths\WORDPAD.EXE
              (Default)    REG_EXPAND_SZ    "%ProgramFiles%\Windows NT\Accessories\WORDPAD.EXE"

          HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app paths\WRITE.EXE
              (Default)    REG_EXPAND_SZ    "%ProgramFiles%\Windows NT\Accessories\WORDPAD.EXE"

          HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app paths\XPSViewer.exe
              (Default)    REG_SZ    "C:\Windows\System32\XPSViewer\XPSViewer.exe"

          HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app paths\zplayer.exe
              (Default)    REG_SZ    C:\Program Files\Combined Community Codec Pack\Zoom Player\zplayer.exe
              Path    REG_SZ    C:\Program Files\Combined Community Codec Pack\Zoom Player

           
           
          Mozilla
           

          HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox

          HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\Extensions
              {20a82645-c095-46ed-80e3-08825760534b}    REG_SZ    c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

          HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox
              (Default)    REG_SZ    1.9.2.6
              CurrentVersion    REG_SZ    3.6.6 (en-GB)

          HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox\3.6.6 (en-GB)
              (Default)    REG_SZ    3.6.6 (en-GB)

          HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox\3.6.6 (en-GB)\Main
              Install Directory    REG_SZ    C:\Program Files\Mozilla Firefox
              PathToExe    REG_SZ    C:\Program Files\Mozilla Firefox\firefox.exe

          HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox\3.6.6 (en-GB)\Uninstall
              Description    REG_SZ    Mozilla Firefox (3.6.6)

          HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.6.6
              GeckoVer    REG_SZ    1.9.2.6

          HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.6.6\bin
              PathToExe    REG_SZ    C:\Program Files\Mozilla Firefox\firefox.exe

          HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.6.6\extensions
              Components    REG_SZ    C:\Program Files\Mozilla Firefox\components
              Plugins    REG_SZ    C:\Program Files\Mozilla Firefox\plugins

           
           
          Shared Task Scheduler
           

          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
              {8C7461EF-2B13-11d2-BE35-3078302C2030}    REG_SZ    Component Categories cache daemon

           
           
          SafeBoot
           
           
           
          SafeBootMinimal
           

          HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo
          HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppMgmt
          HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Base
          HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Boot Bus Extender
          HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Boot file system
          HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\CryptSvc
          HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\DcomLaunch
          HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\EventLog
          HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\File system
          HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Filter
          HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HelpSvc
          HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso
          HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service
          HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Netlogon
          HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS
          HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PCI Configuration
          HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PlugPlay
          HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PNP Filter
          HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Primary disk
          HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc
          HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\RpcSs
          HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr
          HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SCSI Class
          HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sermouse.sys
          HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV
          HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\System Bus Extender
          HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService
          HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS
          HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller
          HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS
          HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vga.sys
          HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys
          HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys
          HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys
          HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys
          HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend
          HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinMgmt
          HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{36FC9E60-C465-11CF-8056-444553540000}
          HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E965-E325-11CE-BFC1-08002BE10318}
          HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}
          HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E969-E325-11CE-BFC1-08002BE10318}
          HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}
          HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}
          HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}
          HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E977-E325-11CE-BFC1-08002BE10318}
          HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97B-E325-11CE-BFC1-08002BE10318}
          HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}
          HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E980-E325-11CE-BFC1-08002BE10318}
          HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}
          HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}
          HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}
          HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}
          HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}
          HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}
           
           

          mongerlane

            Topic Starter


            Rookie

            SafeBootNetwork
             

            HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\AFD
            HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\AppInfo
            HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\AppMgmt
            HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Base
            HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\BFE
            HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Boot Bus Extender
            HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Boot file system
            HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\bowser
            HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Browser
            HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\CryptSvc
            HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\DcomLaunch
            HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\dfsc
            HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Dhcp
            HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\DnsCache
            HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Dot3Svc
            HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Eaphost
            HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\EventLog
            HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\File system
            HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Filter
            HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\HelpSvc
            HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\IKEEXT
            HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ipnat.sys
            HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\KeyIso
            HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\LanmanServer
            HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\LanmanWorkstation
            HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Lavasoft Ad-Aware Service
            HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\LmHosts
            HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Messenger
            HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MPSDrv
            HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MPSSvc
            HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mrxsmb
            HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mrxsmb10
            HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mrxsmb20
            HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\NativeWifiP
            HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\NDIS
            HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\NDIS Wrapper
            HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Ndisuio
            HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\NetBIOS
            HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\NetBIOSGroup
            HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\NetBT
            HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\NetDDEGroup
            HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Netlogon
            HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\NetMan
            HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\netprofm
            HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Network
            HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\NetworkProvider
            HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\NlaSvc
            HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Nsi
            HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\nsiproxy.sys
            HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\NTDS
            HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\PCI Configuration
            HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\PlugPlay
            HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\PNP Filter
            HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\PNP_TDI
            HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\PolicyAgent
            HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Primary disk
            HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ProfSvc
            HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\rdbss
            HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\rdpencdd.sys
            HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\rdsessmgr
            HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\RpcSs
            HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\sacsvr
            HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SCardSvr
            HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SCSI Class
            HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\sermouse.sys
            HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SharedAccess
            HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Streams Drivers
            HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SWPRV
            HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\System Bus Extender
            HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\TabletInputService
            HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\TBS
            HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Tcpip
            HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\TDI
            HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\TrustedInstaller
            HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\VDS
            HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\vga.sys
            HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\vgasave.sys
            HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\volmgr.sys
            HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\volmgrx.sys
            HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Wdf01000.sys
            HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\WinDefend
            HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\WinMgmt
            HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Wlansvc
            HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\WudfPf
            HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\WudfRd
            HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\WudfSvc
            HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\WudfUsbccidDriver
            HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{36FC9E60-C465-11CF-8056-444553540000}
            HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E965-E325-11CE-BFC1-08002BE10318}
            HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}
            HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E969-E325-11CE-BFC1-08002BE10318}
            HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E96A-E325-11CE-BFC1-08002BE10318}
            HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E96B-E325-11CE-BFC1-08002BE10318}
            HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E96F-E325-11CE-BFC1-08002BE10318}
            HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}
            HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E973-E325-11CE-BFC1-08002BE10318}
            HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E974-E325-11CE-BFC1-08002BE10318}
            HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E975-E325-11CE-BFC1-08002BE10318}
            HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E977-E325-11CE-BFC1-08002BE10318}
            HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E97B-E325-11CE-BFC1-08002BE10318}
            HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E97D-E325-11CE-BFC1-08002BE10318}
            HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E980-E325-11CE-BFC1-08002BE10318}
            HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{50DD5230-BA8A-11D1-BF5D-0000F805F530}
            HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{533C5B84-EC70-11D2-9505-00C04F79DEAF}
            HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}
            HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{71A27CDD-812A-11D0-BEC7-08002BE2092F}
            HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}
            HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}
            HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}
             
             
            File Rename Operations - Session
             

             
             
            Known DLLs - Session
             

            HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDlls
                clbcatq    REG_SZ    clbcatq.dll
                ole32    REG_SZ    ole32.dll
                advapi32    REG_SZ    advapi32.dll
                COMDLG32    REG_SZ    COMDLG32.dll
                DllDirectory    REG_EXPAND_SZ    %SystemRoot%\system32
                gdi32    REG_SZ    gdi32.dll
                IERTUTIL    REG_SZ    IERTUTIL.dll
                IMAGEHLP    REG_SZ    IMAGEHLP.dll
                IMM32    REG_SZ    IMM32.dll
                kernel32    REG_SZ    kernel32.dll
                LPK    REG_SZ    LPK.dll
                MSCTF    REG_SZ    MSCTF.dll
                MSVCRT    REG_SZ    MSVCRT.dll
                NORMALIZ    REG_SZ    NORMALIZ.dll
                NSI    REG_SZ    NSI.dll
                OLEAUT32    REG_SZ    OLEAUT32.dll
                rpcrt4    REG_SZ    rpcrt4.dll
                Setupapi    REG_SZ    Setupapi.dll
                SHELL32    REG_SZ    SHELL32.dll
                SHLWAPI    REG_SZ    SHLWAPI.dll
                URLMON    REG_SZ    URLMON.dll
                user32    REG_SZ    user32.dll
                USP10    REG_SZ    USP10.dll
                WININET    REG_SZ    WININET.dll
                WLDAP32    REG_SZ    WLDAP32.dll
                WS2_32    REG_SZ    WS2_32.dll

             
             
            Downloaded program files (ActiveX)
             

            HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{138E6DC9-722B-4F4B-B09D-95D191869696}
            HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8100D56A-5661-482C-BEE8-AFECE305D968}
            HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8AD9C840-044E-11D1-B3E9-00805F499D93}
            HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA}
            HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
            HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}
            HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{E77F23EB-E7AB-4502-8F37-247DBAF1A147}
            HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9}
             
            PATH: C:\windows\Downloaded Program Files
             
            BeboUploader.inf
            BeboUploader.ocx
            desktop.ini
            LMIBroker.exe
            LMIGuardian.exe
            LMIGuardianDll.dll
            LMIGuardianEvt.dll
            LMIProxyHelper.exe
            MsnPUpld.dll
            MSNPUpld.inf
            PhotoUploader55.inf
            PhotoUploader55.ocx
            PURen-gb.dll
            RACtrl.dll
            RACtrl.inf
             
             
            Mountpoints
             

            HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\C
            HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC
            HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D
            HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\E
            HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F
            HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\G
            HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\H
            HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\I
            HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\J
            HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{58ac283c-d915-11dd-9c75-002186d1d86d}
            HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{71df9bb7-e006-11dd-b535-002186d1d86d}
            HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b8162f73-ebba-11dd-b423-002186d1d86d}
            HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b8162f75-ebba-11dd-b423-002186d1d86d}
            HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b8162f77-ebba-11dd-b423-002186d1d86d}
            HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b8162f7f-ebba-11dd-b423-002186d1d86d}
            HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b8162f80-ebba-11dd-b423-002186d1d86d}
            HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{bea49c31-30fc-11de-8c03-002186d1d86d}
            HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c2fc0e02-de71-11dd-9bf8-806e6f6e6963}
            HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c2fc0e03-de71-11dd-9bf8-806e6f6e6963}
            HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c2fc0e07-de71-11dd-9bf8-806e6f6e6963}
            HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c2fc0e39-de71-11dd-9bf8-002186d1d86d}
            HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{f38b10c9-d860-11dd-bf65-002186d1d86d}
             
             
            Winlogon
             

            HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
                ReportBootOk    REG_SZ    1
                Shell    REG_SZ    explorer.exe
                Userinit    REG_SZ    C:\Windows\system32\userinit.exe,
                VmApplet    REG_SZ    rundll32 shell32,Control_RunDLL "sysdm.cpl"
                AutoRestartShell    REG_DWORD    0x1
                LegalNoticeCaption    REG_SZ   
                LegalNoticeText    REG_SZ   
                PowerdownAfterShutdown    REG_SZ    0
                ShutdownWithoutLogon    REG_SZ    0
                cachedlogonscount    REG_SZ    10
                forceunlocklogon    REG_DWORD    0x0
                passwordexpirywarning    REG_DWORD    0xe
                Background    REG_SZ    0 0 0
                DebugServerCommand    REG_SZ    no
                WinStationsDisabled    REG_SZ    0
                DisableCAD    REG_DWORD    0x1
                scremoveoption    REG_SZ    0
                ShutdownFlags    REG_DWORD    0x2b
                AutoLogonCount    REG_DWORD    0x1

            HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions
            HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts
            HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoLogonChecked
             
             
            Windows Update
             

            HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\windowsupdate\auto update\results\install
                LastSuccessTime    REG_SZ    2010-06-11 02:15:28
                LastError    REG_DWORD    0x0

             
             
            Security Software Information
             
            *Note*: Some security software does not store itself in the WMI.
             
            Antivirus: AVG Anti-Virus Free *Scanner enabled* (Up to date) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
            Antispyware: AVG Anti-Virus Free *Scanner enabled* (Up to date) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
            Antispyware: Windows Defender *Scanner enabled* (Up to date) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
            Antispyware: SUPERAntiSpyware *Scanner enabled* (Up to date) {222A897C-5018-402e-943F-7E7AC8560DA7}
             
             
            {END OF FILE}

            Dr Jay

            Please download 7-Zip and install it. If you already have it, no need to reinstall.

            Then, download RootkitUnhooker and save the setup to your Desktop.

            • Right-click on the RootkitUnhooker setup and mouse-over 7-Zip then click Extract to "RKU***"
            • Once that is done, enter the folder, and double-click on the setup file. Navigate through setup and finish.
            • Once that is done, you will see another folder that was created inside the RKU folder. Enter that folder, and double-click on the randomly named file. (It will be alpha-numeric and have an EXE extension on it.)
            • It will initialize itself and load the scanner. It will also install its driver. Please wait for the interface to begin.
            • Once inside the interface, do not fix anything. Click on the Report tab.
            • Next, click on the Scan button and a popup will show. Make sure all are checked, then click on OK. It will begin scanning. When it gets to the Files tab, it will ask you what drives to scan. Just select C:\ and hit OK.
            • It will finish in about 5 minutes or a little longer depending on how badly infected the system is, or if your security software is enabled.
            • When finished, it will show the report in the Report tab. Please copy all of it, and post it in your next reply. Depending on how large the log is, you may have to use two or three posts to get all the information in.
            ~Dr Jay

            mongerlane

              Topic Starter


              Rookie

              Hi again

              When RKU gets to the Files tab, I select C: as requested, then OK.

              Popup says: Please wait while RKU makes scan You can stop scan by pressing "cancel"

              This remained for 45 minutes.

              There does not seem to be much activity. On opening Task Manager, under Processes there is an image running, X3*******.exe, which I think is the process, but this just flicks into 1% CPU usage occasionally. Nothing else is showing much, although the total CPU usage is over 60% (more than the sum of the parts).

              I shut down Ad-Aware, and disabled AVG as much as possible by stopping the Resident Shield, and tried again and left it running, but same result. The report without the files scan follows, and I will scan again and leave it running whilst waiting for your reply.
              Thanks again for your help.

              mongerlane

                Topic Starter


                Rookie

                RkU Version: 3.8.388.590, Type LE (SR2)
                ==============================================
                OS Name: Windows Vista
                Version 6.0.6002 (Service Pack 2)
                Number of processors #2
                ==============================================
                >SSDT State
                ==============================================
                ntkrnlpa.exe-->NtAssignProcessToJobObject, Type: Address change 0x82DDCAEF-->A126AE26 [C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys]
                ntkrnlpa.exe-->NtCreateFile, Type: Address change 0x82E60E19-->A126B704 [C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys]
                ntkrnlpa.exe-->NtDeleteFile, Type: Address change 0x82D8FC5E-->A126B864 [C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys]
                ntkrnlpa.exe-->NtDeleteKey, Type: Address change 0x82DD16D3-->A126F086 [C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys]
                ntkrnlpa.exe-->NtDeleteValueKey, Type: Address change 0x82DCCC74-->A126F0B8 [C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys]
                ntkrnlpa.exe-->NtLoadKey, Type: Address change 0x82D7C158-->A126F21A [C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys]
                ntkrnlpa.exe-->NtOpenFile, Type: Address change 0x82E2504D-->A126B7C8 [C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys]
                ntkrnlpa.exe-->NtOpenProcess, Type: Address change 0x82E3FC08-->A126AF6A [C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys]
                ntkrnlpa.exe-->NtOpenThread, Type: Address change 0x82E3B15A-->A126B15C [C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys]
                ntkrnlpa.exe-->NtProtectVirtualMemory, Type: Address change 0x82E38F3D-->A126B28E [C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys]
                ntkrnlpa.exe-->NtQueryValueKey, Type: Address change 0x82E3C5A8-->A126F190 [C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys]
                ntkrnlpa.exe-->NtRenameKey, Type: Address change 0x82E7318C-->A126F0FA [C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys]
                ntkrnlpa.exe-->NtReplaceKey, Type: Address change 0x82E72A96-->A126F12C [C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys]
                ntkrnlpa.exe-->NtRestoreKey, Type: Address change 0x82E71892-->A126F15E [C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys]
                ntkrnlpa.exe-->NtSetContextThread, Type: Address change 0x82EB134F-->A126ADCC [C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys]
                ntkrnlpa.exe-->NtSetInformationFile, Type: Address change 0x82E18AFD-->A126B8C4 [C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys]
                ntkrnlpa.exe-->NtSetValueKey, Type: Address change 0x82DFD022-->A126F01E [C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys]
                ntkrnlpa.exe-->NtSuspendThread, Type: Address change 0x82DB9929-->A126AD68 [C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys]
                ntkrnlpa.exe-->NtTerminateProcess, Type: Address change 0x82E0FDA3-->A01DF620 [C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS]
                ntkrnlpa.exe-->NtTerminateThread, Type: Address change 0x82E3B18F-->A126AD04 [C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys]
                ==============================================
                >Shadow
                ==============================================
                win32k.sys-->NtGdiAlphaBlend, Type: Address change 0xAAF03E04-->A1271636 [C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys]
                win32k.sys-->NtGdiBitBlt, Type: Address change 0xAAF2EF2A-->A12714C8 [C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys]
                win32k.sys-->NtGdiMaskBlt, Type: Address change 0xAAE98DC0-->A1271570 [C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys]
                win32k.sys-->NtGdiPlgBlt, Type: Address change 0xAAF5DFF1-->A12715BE [C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys]
                win32k.sys-->NtGdiStretchBlt, Type: Address change 0xAAF25105-->A1271516 [C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys]
                win32k.sys-->NtGdiTransparentBlt, Type: Address change 0xAAE99BAC-->A12715FA [C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys]
                win32k.sys-->NtUserFindWindowEx, Type: Address change 0xAAF00FF2-->A126BBEC [C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys]
                win32k.sys-->NtUserPrintWindow, Type: Address change 0xAAF5E766-->A1271672 [C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys]
                win32k.sys-->NtUserQueryWindow, Type: Address change 0xAAEF4117-->A126BB60 [C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys]
                ==============================================
                >Processes
                ==============================================
                0x8A9104C0 [436] C:\Windows\System32\smss.exe (Microsoft Corporation, Windows Session Manager)
                0x87ABAD90 [540] C:\Windows\System32\csrss.exe (Microsoft Corporation, Client Server Runtime Process)
                0xA2277458 [600] C:\Windows\System32\wininit.exe (Microsoft Corporation, Windows Start-Up Application)
                0xA227BC68 [608] C:\Windows\System32\csrss.exe (Microsoft Corporation, Client Server Runtime Process)
                0x877C2020 [620] C:\Program Files\AVG\AVG9\avgchsvx.exe (AVG Technologies CZ, s.r.o., AVG Cache Server)
                0x877C2898 [628] C:\Program Files\AVG\AVG9\avgrsx.exe (AVG Technologies CZ, s.r.o., AVG Resident Shield Service)
                0x87B762C8 [660] C:\Windows\System32\services.exe (Microsoft Corporation, Services and Controller app)
                0x8773C908 [676] C:\Windows\System32\lsass.exe (Microsoft Corporation, Local Security Authority Process)
                0x87B76820 [684] C:\Windows\System32\lsm.exe (Microsoft Corporation, Local Session Manager Service)
                0xA2288670 [704] C:\Program Files\AVG\AVG9\avgcsrvx.exe (AVG Technologies CZ, s.r.o., AVG Scanning Core Module - Server Part)
                0xA22B2D90 [728] C:\Windows\System32\winlogon.exe (Microsoft Corporation, Windows Logon Application)
                0xAF6EF570 [796] C:\Windows\System32\wlanext.exe (Microsoft Corporation, Windows Wireless LAN 802.11 Extensibility Framework)
                0x820CF8E8 [1084] C:\Windows\System32\svchost.exe (Microsoft Corporation, Host Process for Windows Services)
                0x8613CB68 [1092] C:\Program Files\WIDCOMM\Bluetooth Software\BTStackServer.exe (Broadcom Corporation., Bluetooth Stack COM Server)
                0x820E7B68 [1136] C:\Windows\System32\svchost.exe (Microsoft Corporation, Host Process for Windows Services)
                0x8213D318 [1224] C:\Program Files\Hewlett-Packard\File Sanitizer\HPFSService.exe (Hewlett-Packard, File Sanitizer for HP ProtectTools)
                0x82127960 [1252] C:\Program Files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe (SafeBoot International, Drive Encryption for HP ProtectTools Service)
                0x82165518 [1292] C:\Windows\System32\svchost.exe (Microsoft Corporation, Host Process for Windows Services)
                0x861AE588 [1496] C:\Program Files\ActivIdentity\ActivClient\acevents.exe (ActivIdentity, ActivIdentity Event Service)
                0xA23CA568 [1532] C:\Windows\System32\Ati2evxx.exe (ATI Technologies Inc., ATI External Event Utility EXE Module)
                0x874B0990 [1552] C:\Windows\System32\svchost.exe (Microsoft Corporation, Host Process for Windows Services)
                0x874B5940 [1576] C:\Windows\System32\svchost.exe (Microsoft Corporation, Host Process for Windows Services)
                0xA23D64C8 [1588] C:\Windows\System32\svchost.exe (Microsoft Corporation, Host Process for Windows Services)
                0xAF7484F0 [1740] C:\Windows\System32\spoolsv.exe (Microsoft Corporation, Spooler SubSystem App)
                0xA3306678 [1768] C:\Windows\System32\svchost.exe (Microsoft Corporation, Host Process for Windows Services)
                0x861019C0 [1780] C:\Program Files\Synaptics\SynTP\SynTPHelper.exe (Synaptics, Inc., Synaptics Pointing Device Helper)
                0xAF6472C8 [1788] C:\Windows\System32\SLsvc.exe (Microsoft Corporation, Microsoft Software Licensing Service)
                0x8638CD90 [1796] C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe (Hewlett-Packard Development Company, L.P., Com for QLB application)
                0xAF650020 [1832] C:\Windows\System32\svchost.exe (Microsoft Corporation, Host Process for Windows Services)
                0xAF663500 [1896] C:\Windows\System32\hpservice.exe (Hewlett-Packard Corporation, HpService)
                0xAF671570 [1932] C:\Windows\System32\Ati2evxx.exe (ATI Technologies Inc., ATI External Event Utility EXE Module)
                0xAF7557B8 [1940] C:\Windows\System32\svchost.exe (Microsoft Corporation, Host Process for Windows Services)
                0xAF79A020 [2024] C:\Windows\System32\svchost.exe (Microsoft Corporation, Host Process for Windows Services)
                0xB221E4B8 [2128] C:\Program Files\ActivIdentity\ActivClient\accoca.exe (ActivIdentity, ActivIdentity Cache Server)
                0xB2220CA0 [2156] C:\Windows\System32\AEADISRV.EXE (Andrea Electronics Corporation, Andrea filters APO access service (32-bit))
                0xB2229380 [2188] C:\Windows\System32\agrsmsvc.exe (Agere Systems, Agere Soft Modem Call Progress Service)
                0xB222B940 [2204] C:\Program Files\ActivIdentity\ActivClient\acevents.exe (ActivIdentity, ActivIdentity Event Service)
                0xAF7894C0 [2232] C:\Program Files\AVG\AVG9\avgwdsvc.exe (AVG Technologies CZ, s.r.o., AVG Watchdog Service)
                0xB22442F8 [2260] C:\Windows\System32\svchost.exe (Microsoft Corporation, Host Process for Windows Services)
                0xB22AFD90 [2484] C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\PTChangeFilterService.exe (Hewlett-Packard Development Company, L.P, PTChangeFilterService)
                0xB2277730 [2560] C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe (InterVideo, RegMgr Module)
                0xB2259B00 [2608] C:\Program Files\Common Files\LightScribe\LSSrvc.exe (Hewlett-Packard Company, LightScribe Service)
                0xB2295020 [2692] C:\Program Files\LogMeIn\x86\ramaint.exe (LogMeIn, Inc., LogMeIn Maintenance Service)
                0xB229B820 [2724] C:\Program Files\AVG\AVG9\avgnsx.exe (AVG Technologies CZ, s.r.o., AVG Network scanner Service)
                0xA337AD28 [2788] C:\Windows\System32\wbem\WmiPrvSE.exe (Microsoft Corporation, WMI Provider Host)
                0xB22C7B68 [2972] C:\Program Files\LogMeIn\x86\LogMeIn.exe (LogMeIn, Inc., LogMeIn)
                0x86256920 [2996] C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe (-, HpqToaster Module)
                0xB2337630 [3028] C:\Program Files\LogMeIn\x86\LMIGuardian.exe (LogMeIn, Inc., LMIGuardian)
                0xB2271D90 [3044] C:\Windows\System32\svchost.exe (Microsoft Corporation, Host Process for Windows Services)
                0xB23224F0 [3072] C:\Program Files\PDF Complete\pdfsvc.exe (PDF Complete Inc, Dispatcher)
                0xB2335810 [3136] C:\Windows\System32\svchost.exe (Microsoft Corporation, Host Process for Windows Services)
                0xB2342970 [3168] C:\Windows\System32\svchost.exe (Microsoft Corporation, Host Process for Windows Services)
                0xB234FD90 [3192] C:\Windows\System32\svchost.exe (Microsoft Corporation, Host Process for Windows Services)
                0x85E093F8 [3224] C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Service.exe (Hewlett-Packard, HP Health Check Service)
                0xB2368B68 [3236] C:\Windows\System32\svchost.exe (Microsoft Corporation, Host Process for Windows Services)
                0xB2375718 [3268] C:\Windows\System32\SearchIndexer.exe (Microsoft Corporation, Microsoft Windows Search Indexer)
                0xDA215358 [3552] C:\Program Files\LogMeIn\x86\LogMeIn.exe (LogMeIn, Inc., LogMeIn)
                0x821F9020 [3772] C:\Program Files\Hewlett-Packard\Shared\hpqWmiEx.exe (Hewlett-Packard Development Company, L.P., hpqwmiex Module)
                0x864012A8 [3796] C:\Program Files\Common Files\Nokia\NoA\nokiaaserver.exe
                0xB3A3F798 [3808] C:\Windows\System32\taskeng.exe (Microsoft Corporation, Task Scheduler Engine)
                0xB236A2E0 [3916] C:\Windows\System32\wbem\WmiPrvSE.exe (Microsoft Corporation, WMI Provider Host)
                0x8623E5B8 [4296] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe (Hewlett-Packard Development Company, L.P., Module to process WiFi messages.)
                0x860A7D90 [4444] C:\Windows\System32\taskeng.exe (Microsoft Corporation, Task Scheduler Engine)
                0x860A4B68 [4460] C:\Windows\System32\dwm.exe (Microsoft Corporation, Desktop Window Manager)
                0x86034B68 [4468] C:\Windows\explorer.exe (Microsoft Corporation, Windows Explorer)
                0x863E8D90 [4656] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe (ATI Technologies Inc., Catalyst Control Centre: Host application)
                0x86153020 [4660] C:\Program Files\Hewlett-Packard\IAM\Bin\asghost.exe (Bioscrypt Inc., Global Virtual Card Host)
                0x86284020 [4820] C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe (ActivIdentity, ActivIdentity card event handler)
                0x86176598 [4856] C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\pthosttr.exe (Hewlett-Packard Development Company, L.P., HP ProtectTools Security Manager)
                0x860CED90 [5044] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe (Synaptics, Inc., Synaptics TouchPad Enhancements)
                0x8609CD90 [5108] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe (Hewlett-Packard Development Company, L.P., HPWAMain Module)
                0x86076B80 [5136] C:\Program Files\Hewlett-Packard\File Sanitizer\CoreShredder.exe (Hewlett-Packard, File Sanitizer for HP ProtectTools)
                0x860F4AA0 [5144] C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe ( Hewlett-Packard Development Company, L.P., Quick Launch Buttons)
                0x860E25A0 [5224] C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe (Microsoft Corporation, GrooveMonitor Utility)
                0x861A3020 [5260] C:\Program Files\LogMeIn\x86\LogMeInSystray.exe (LogMeIn, Inc., LogMeIn Desktop Application)
                0x8607BD90 [5304] C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\VolCtrl.exe ( Hewlett-Packard Development Company, L.P., Volume related element)
                0x861A8D90 [5324] C:\Program Files\Common Files\Java\Java Update\jusched.exe (Sun Microsystems, Inc., Java(TM) Update Scheduler)
                0x8610D2F0 [5352] C:\Program Files\HP\HP Software Update\hpwuschd2.exe (Hewlett-Packard, hpwuSchd Application)
                0x8605F3F8 [5368] C:\Program Files\Analog Devices\Core\smax4pnp.exe (Analog Devices, Inc., SMax4PNP)
                0x8613EB68 [5384] C:\Program Files\Common Files\Nokia\MPlatform\NokiaMServer.exe (Nokia, Nokia M Platform)
                0x861CEB80 [5392] C:\Windows\System32\wuauclt.exe (Microsoft Corporation, Windows Update)
                0x862EE980 [5468] C:\Windows\ehome\ehmsas.exe (Microsoft Corporation, Media Center Media Status Aggregator Service)
                0x860C8B68 [5496] C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation, Firefox)
                0x8635ED90 [5524] C:\Program Files\AVG\AVG9\avgtray.exe (AVG Technologies CZ, s.r.o., AVG Tray Monitor)
                0x8617CD90 [5552] C:\Program Files\Windows Sidebar\sidebar.exe (Microsoft Corporation, Windows Sidebar)
                0x863628B0 [5616] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe (Hewlett-Packard Company, -)
                0x86432020 [5644] C:\ProgramData\Macrovision\FLEXnet Connect\6\ISUSPM.exe (Macrovision Corporation, Macrovision Software Manager)
                0x86142940 [5672] C:\Program Files\MSN Messenger\msnmsgr.exe (Microsoft Corporation, Messenger)
                0x8614A940 [5684] C:\Windows\ehome\ehtray.exe (Microsoft Corporation, Media Center Tray Applet)
                0x86300D90 [5716] C:\Program Files\Nokia\Nokia Ovi Suite\NokiaOviSuite.exe (Nokia, Nokia Ovi Suite 2)
                0x86307D90 [5784] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (SUPERAntiSpyware.com, SUPERAntiSpyware Application)
                0x8609E3F0 [5860] C:\Program Files\LogMeIn\x86\LMIGuardian.exe (LogMeIn, Inc., LMIGuardian)
                0x86303368 [5888] C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe (Broadcom Corporation., Bluetooth Tray Application)
                0x8614E020 [5984] C:\Program Files\MagicDisc\MagicDisc.exe (MagicISO, Inc., MagicISO Virtual CD/DVD Manager)
                0x85EF5940 [6092] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe (Advanced Micro Devices Inc., Catalyst Control Center: Monitoring program)
                0x863315A0 [6176] C:\Program Files\PC Connectivity Solution\ServiceLayer.exe (Nokia, ServiceLayer Module)
                0x868F73F8 [6244] C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe (Nokia, USB Media Server)
                0x85E4ED90 [6272] C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe (Nokia, Serial Media Server)
                0x861052E0 [6296] C:\Program Files\PC Connectivity Solution\Transports\NclMSBTSrv.exe (Nokia, Microsoft Bluetooth Media Server)
                0x868DF448 [6576] C:\Program Files\Mozilla Firefox\plugin-container.exe (Mozilla Corporation, Plugin Container for Firefox)
                0x8628D3C0 [6608] C:\Users\Joyce\Desktop\MustBeRandomlyNamed\x3Isffd3rTfG.exe (UG North, RKULE, SR2 Normandy)
                0xE8D116B8 [7652] C:\Program Files\LogMeIn\x86\LMIGuardian.exe (LogMeIn, Inc., LMIGuardian)
                0x857817C8 [4] System
                0xA330D458 [1672] C:\Windows\System32\audiodg.exe (Microsoft Corporation, Windows Audio Device Graph Isolation )
                0x85E39880 [3652] C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe (Trusteer Ltd., RapportMgmtService)
                0x85FEB020 [4512] C:\Program Files\Trusteer\Rapport\bin\RapportService.exe (Trusteer Ltd., RapportService)
                ==============================================

                mongerlane

                  Topic Starter


                  Rookie

                  >Drivers
                  ==============================================
                  0x9FA07000 C:\windows\system32\DRIVERS\atikmdag.sys 5042176 bytes (ATI Technologies Inc., ATI Radeon Kernel Mode Driver)
                  0x82C1F000 C:\windows\system32\ntkrnlpa.exe 3903488 bytes (Microsoft Corporation, NT Kernel & System)
                  0x82C1F000 PnpManager 3903488 bytes
                  0x82C1F000 RAW 3903488 bytes
                  0x82C1F000 WMIxWDM 3903488 bytes
                  0xAAE60000 Win32k 2109440 bytes
                  0xAAE60000 C:\windows\System32\win32k.sys 2109440 bytes (Microsoft Corporation, Multi-User Win32 Driver)
                  0xA0807000 C:\windows\system32\DRIVERS\snp2uvc.sys 1806336 bytes (-, UVC Camera Streaming Driver)
                  0x8B001000 C:\windows\system32\drivers\ql2300.sys 1277952 bytes (QLogic Corporation, QLogic Fibre Channel Stor Miniport Driver)
                  0x9F001000 C:\windows\system32\DRIVERS\bcmwl6.sys 1220608 bytes (Broadcom Corporation, Broadcom 802.11 Network Adapter wireless driver)
                  0xA0604000 C:\windows\system32\DRIVERS\AGRSM.sys 1204224 bytes (Agere Systems, SoftModem Device Driver)
                  0x8B60C000 C:\windows\System32\Drivers\Ntfs.sys 1114112 bytes (Microsoft Corporation, NT File System Driver)
                  0x8B272000 C:\windows\system32\drivers\ndis.sys 1093632 bytes (Microsoft Corporation, NDIS 6.0 wrapper driver)
                  0x8B407000 C:\windows\System32\drivers\tcpip.sys 958464 bytes (Microsoft Corporation, TCP/IP Driver)
                  0x8066B000 C:\windows\system32\CI.dll 917504 bytes (Microsoft Corporation, Code Integrity Module)
                  0xB1EEA000 C:\windows\system32\drivers\peauth.sys 909312 bytes (Microsoft Corporation, Protected Environment Authentication and Authorization Export Driver)
                  0x8AE03000 C:\windows\system32\drivers\megasr.sys 749568 bytes (LSI Corporation, Inc., LSI MegaRAID Software RAID Driver)
                  0xB000B000 C:\windows\system32\drivers\spsys.sys 720896 bytes (Microsoft Corporation, security processor)
                  0x9FED6000 C:\windows\System32\drivers\dxgkrnl.sys 659456 bytes (Microsoft Corporation, DirectX Graphics Kernel)
                  0x8AA0D000 C:\windows\system32\drivers\iastorv.sys 659456 bytes (Intel Corporation, Intel Matrix Storage Manager driver (base))
                  0x8AC99000 C:\windows\system32\drivers\elxstor.sys 606208 bytes (Emulex, Storport Miniport Driver for LightPulse HBAs)
                  0x8B53C000 C:\windows\system32\DRIVERS\HDAudBus.sys 577536 bytes (Microsoft Corporation, High Definition Audio Bus Driver)
                  0xA074D000 C:\windows\System32\Drivers\bthport.sys 524288 bytes (Microsoft Corporation, Bluetooth Bus Driver)
                  0xA1009000 C:\windows\system32\drivers\btwaudio.sys 524288 bytes (Broadcom Corporation., Bluetooth Audio Device)
                  0x8074B000 C:\windows\system32\drivers\Wdf01000.sys 507904 bytes (Microsoft Corporation, WDF Dynamic)
                  0x8B201000 C:\windows\System32\Drivers\ksecdd.sys 462848 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
                  0xB0112000 C:\windows\system32\drivers\HTTP.sys 446464 bytes (Microsoft Corporation, HTTP Protocol Stack)
                  0xA016A000 C:\windows\system32\drivers\btwavdt.sys 438272 bytes (Broadcom Corporation., Broadcom Bluetooth AVDT Service)
                  0x8AB44000 C:\windows\system32\drivers\adp94xx.sys 434176 bytes (Adaptec, Inc., Adaptec Windows SAS/SATA Storport Driver)
                  0xA00B5000 C:\windows\system32\drivers\ADIHdAud.sys 405504 bytes (Analog Devices, Inc., High Definition Audio Function Driver)
                  0xA12A0000 C:\windows\system32\drivers\RapportBuka.sys 393216 bytes (Trusteer Ltd., RapportBuka)
                  0x8B139000 C:\windows\system32\drivers\ql40xx.sys 348160 bytes (QLogic Corporation, QLogic iSCSI Storport Miniport Driver)
                  0x9FF83000 C:\windows\system32\DRIVERS\yk60x86.sys 323584 bytes (Marvell, Miniport Driver for Marvell Yukon Ethernet Controller.)
                  0xB1E78000 C:\windows\System32\DRIVERS\srv.sys 319488 bytes (Microsoft Corporation, Server driver)
                  0x8ABAE000 C:\windows\system32\drivers\adpahci.sys 311296 bytes (Adaptec, Inc., Adaptec Windows SATA Storport Driver)
                  0x832D7000 C:\windows\System32\drivers\volmgrx.sys 303104 bytes (Microsoft Corporation, Volume Manager Extension Driver)
                  0xA1177000 C:\windows\system32\drivers\afd.sys 294912 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
                  0x83203000 C:\windows\system32\drivers\acpi.sys 286720 bytes (Microsoft Corporation, ACPI Driver for NT)
                  0x8062A000 C:\windows\system32\CLFS.SYS 266240 bytes (Microsoft Corporation, Common Log File System Driver)
                  0x8AAEE000 C:\windows\system32\drivers\storport.sys 266240 bytes (Microsoft Corporation, Microsoft Storage Port Driver)
                  0x9F14D000 C:\windows\system32\DRIVERS\USBPORT.SYS 253952 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
                  0xA1206000 C:\windows\system32\DRIVERS\rdbss.sys 245760 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
                  0x8AEE0000 C:\windows\system32\drivers\uliahci.sys 245760 bytes (ULi Electronics Inc., ULi SATA Controller Driver)
                  0x8B3A8000 C:\windows\system32\drivers\NETIO.SYS 241664 bytes (Microsoft Corporation, Network I/O Subsystem)
                  0xA10F7000 C:\windows\System32\Drivers\avgtdix.sys 237568 bytes (AVG Technologies CZ, s.r.o., AVG Network connection watcher)
                  0xB1E00000 C:\windows\system32\DRIVERS\mrxsmb10.sys 233472 bytes (Microsoft Corporation, Longhorn SMB Downlevel SubRdr)
                  0x8B724000 C:\windows\system32\drivers\volsnap.sys 233472 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
                  0xA0066000 C:\windows\system32\DRIVERS\usbhub.sys 217088 bytes (Microsoft Corporation, Default Hub Driver for USB)
                  0xA1327000 C:\windows\System32\Drivers\avgldx86.sys 212992 bytes (AVG Technologies CZ, s.r.o., AVG AVI Loader Driver)
                  0x82FD8000 ACPI_HAL 208896 bytes
                  0x82FD8000 C:\windows\system32\hal.dll 208896 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
                  0x8AF69000 C:\windows\system32\drivers\fltmgr.sys 204800 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
                  0xA1131000 C:\windows\System32\DRIVERS\netbt.sys 204800 bytes (Microsoft Corporation, MBT Transport driver)
                  0x9F1BD000 C:\windows\system32\DRIVERS\SynTP.sys 196608 bytes (Synaptics, Inc., Synaptics Touchpad Driver)
                  0x8AFBA000 C:\windows\system32\DRIVERS\msiscsi.sys 192512 bytes (Microsoft Corporation, Microsoft iSCSI Initiator Driver)
                  0x8333D000 C:\windows\system32\DRIVERS\pcmcia.sys 184320 bytes (Microsoft Corporation, PCMCIA Bus Driver)
                  0xA0118000 C:\windows\system32\drivers\portcls.sys 184320 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
                  0x8AF1C000 C:\windows\system32\drivers\ulsata2.sys 180224 bytes (Promise Technology, Inc., Promise SATAII150 Series Windows Drivers)
                  0x8B37D000 C:\windows\system32\drivers\msrpc.sys 176128 bytes (Microsoft Corporation, Kernel Remote Procedure Call Provider)
                  0xA0025000 C:\windows\system32\DRIVERS\ks.sys 172032 bytes (Microsoft Corporation, Kernel CSA Library)
                  0xB00CB000 C:\windows\system32\DRIVERS\nwifi.sys 172032 bytes (Microsoft Corporation, NativeWiFi Miniport Driver)
                  0xA07CD000 C:\windows\system32\DRIVERS\rfcomm.sys 167936 bytes (Microsoft Corporation, Bluetooth RFCOMM Driver)
                  0xA1242000 C:\windows\System32\Drivers\fastfat.SYS 163840 bytes (Microsoft Corporation, Fast FAT File System Driver)
                  0xA126A000 C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys 163840 bytes (Trusteer Ltd., RapportPG)
                  0x8B7A2000 C:\windows\System32\drivers\ecache.sys 159744 bytes (Microsoft Corporation, Special Memory Device Cache)
                  0x8325A000 C:\windows\system32\drivers\pci.sys 159744 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
                  0xB1E51000 C:\windows\System32\DRIVERS\srv2.sys 159744 bytes (Microsoft Corporation, Smb 2.0 Server driver)
                  0x8AC33000 C:\windows\system32\drivers\adpu320.sys 155648 bytes (Adaptec, Inc., Adaptec StorPort Ultra320 SCSI Driver)
                  0x8AC0D000 C:\windows\system32\drivers\SCSIPORT.SYS 155648 bytes (Microsoft Corporation, SCSI Port Driver)
                  0xA0145000 C:\windows\system32\drivers\drmk.sys 151552 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
                  0x8AD9B000 C:\windows\system32\DRIVERS\ndiswan.sys 143360 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
                  0xA01D5000 C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS 139264 bytes (SUPERAdBlocker.com and SUPERAntiSpyware.com, SASKUTIL.SYS)
                  0x833C5000 C:\windows\system32\drivers\CLASSPNP.SYS 135168 bytes (Microsoft Corporation, SCSI Class System Dll)
                  0xB01CA000 C:\windows\system32\drivers\mrxdav.sys 135168 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)
                  0x8B1D2000 C:\windows\system32\drivers\ulsata.sys 135168 bytes (Promise Technology, Inc., Promise Ultra/Sata Series Driver for Win2003)
                  0x8B5C9000 C:\windows\system32\DRIVERS\VIDEOPRT.SYS 135168 bytes (Microsoft Corporation, Video Port Driver)
                  0x8AF48000 C:\windows\system32\drivers\vsmraid.sys 135168 bytes (VIA Technologies Inc.,Ltd, VIA RAID DRIVER FOR AMD-X86-64)
                  0xA13C8000 C:\windows\system32\DRIVERS\mrxsmb.sys 126976 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
                  0x8AAB6000 C:\windows\system32\drivers\ataport.SYS 122880 bytes (Microsoft Corporation, ATAPI Driver Extension)
                  0xA0006000 C:\windows\system32\DRIVERS\mcdbus.sys 118784 bytes (MagicISO, Inc., MagicISO SCSI Host Controller)
                  0xB017F000 C:\windows\System32\DRIVERS\srvnet.sys 118784 bytes (Microsoft Corporation, Server Network driver)
                  0x83290000 C:\windows\system32\drivers\mpio.sys 114688 bytes (Microsoft Corporation, MultiPath Support Bus-Driver)
                  0x807D4000 C:\windows\system32\drivers\adpu160m.sys 110592 bytes (Adaptec, Inc., Adaptec LH Ultra160 Driver (x86))
                  0x8B4F1000 C:\windows\System32\drivers\fwpkclnt.sys 110592 bytes (Microsoft Corporation, FWP/IPsec Kernel-Mode API)
                  0xA13AD000 C:\windows\system32\drivers\luafv.sys 110592 bytes (Microsoft Corporation, LUA File Virtualization Filter Driver)
                  0x833AA000 C:\windows\system32\drivers\nvraid.sys 110592 bytes (NVIDIA Corporation, NVIDIA® nForce(TM) RAID Driver)
                  0xA09E6000 C:\windows\system32\DRIVERS\bthpan.sys 106496 bytes (Microsoft Corporation, Bluetooth Personal Area Networking)
                  0x8AD5F000 C:\windows\system32\drivers\lsi_fc.sys 106496 bytes (LSI Logic, LSI Logic Fusion-MPT FC Driver (StorPort))
                  0x8AAD4000 C:\windows\system32\drivers\lsi_scsi.sys 106496 bytes (LSI Logic, LSI Logic Fusion-MPT SCSI Driver (StorPort))
                  0x83390000 C:\windows\system32\drivers\msdsm.sys 106496 bytes (Microsoft Corporation, Microsoft Device Specific Module)
                  0xB019C000 C:\windows\system32\DRIVERS\bowser.sys 102400 bytes (Microsoft Corporation, NT Lan Manager Datagram Receiver Driver)
                  0x8B77A000 C:\windows\System32\Drivers\SafeBoot.sys 102400 bytes
                  0x9F12B000 C:\windows\system32\DRIVERS\cdrom.sys 98304 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
                  0x8AD79000 C:\windows\system32\drivers\lsi_sas.sys 98304 bytes (LSI Logic, LSI Logic Fusion-MPT SAS Driver (StorPort))
                  0xB1E39000 C:\windows\system32\DRIVERS\mrxsmb20.sys 98304 bytes (Microsoft Corporation, Longhorn SMB 2.0 Redirector)
                  0xA130A000 C:\windows\System32\Drivers\dfsc.sys 94208 bytes (Microsoft Corporation, DFS Namespace Client Driver)
                  0x8B3E3000 C:\windows\system32\DRIVERS\rasl2tp.sys 94208 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
                  0x8AC6D000 C:\windows\system32\drivers\arc.sys 90112 bytes (Adaptec, Inc., Adaptec RAID Storport Driver)
                  0x8AC83000 C:\windows\system32\drivers\arcsas.sys 90112 bytes (Adaptec, Inc., Adaptec SAS RAID WS03 Driver)
                  0xA135B000 C:\windows\system32\DRIVERS\cdfs.sys 90112 bytes (Microsoft Corporation, CD-ROM File System Driver)
                  0xA11BF000 C:\windows\system32\DRIVERS\pacer.sys 90112 bytes (Microsoft Corporation, QoS Packet Scheduler)
                  0xA10E1000 C:\windows\system32\DRIVERS\tdx.sys 90112 bytes (Microsoft Corporation, TDI Translation Driver)
                  0xB01B5000 C:\windows\System32\drivers\mpsdrv.sys 86016 bytes (Microsoft Corporation, Microsoft Protection Service Driver)
                  0x8ADD2000 C:\windows\system32\DRIVERS\rassstp.sys 86016 bytes (Microsoft Corporation, RAS SSTP Miniport Call Manager)
                  0x8B765000 C:\windows\system32\drivers\sbp2port.sys 86016 bytes (Microsoft Corporation, SBP-2 Protocol Driver)
                  0x8B19B000 C:\windows\system32\drivers\sisraid4.sys 86016 bytes (Silicon Integrated Systems, SiS AHCI Stor-Miniport Driver)
                  0x8AC59000 C:\windows\system32\drivers\djsvs.sys 81920 bytes (Adaptec, Inc., Adaptec Ultra SCSI miniport)
                  0x8ADBE000 C:\windows\system32\DRIVERS\raspptp.sys 81920 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
                  0xA1163000 C:\windows\system32\DRIVERS\smb.sys 81920 bytes (Microsoft Corporation, SMB Transport driver)
                  0x9F19A000 C:\windows\system32\DRIVERS\i8042prt.sys 77824 bytes (Microsoft Corporation, i8042 Port Driver)
                  0xB00FF000 C:\windows\system32\DRIVERS\rspndr.sys 77824 bytes (Microsoft Corporation, Link-Layer Topology Responder Driver for NDIS 6)
                  0xA11E3000 C:\windows\system32\DRIVERS\wanarp.sys 77824 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
                  0x8B7D2000 C:\windows\system32\drivers\disk.sys 69632 bytes (Microsoft Corporation, PnP Disk Driver)
                  0xA00A4000 C:\windows\System32\Drivers\NDProxy.SYS 69632 bytes (Microsoft Corporation, NDIS Proxy)
                  0x80611000 C:\windows\system32\PSHED.dll 69632 bytes (Microsoft Corporation, Platform Specific Hardware Error Driver)
                  0x8AF9B000 C:\windows\system32\drivers\fileinfo.sys 65536 bytes (Microsoft Corporation, FileInfo Filter Driver)
                  0x9FFE0000 C:\windows\system32\DRIVERS\HIDCLASS.SYS 65536 bytes (Microsoft Corporation, Hid Class Library)
                  0x8AD37000 C:\windows\system32\drivers\iirsp.sys 65536 bytes (Intel Corp./ICP vortex GmbH, Intel/ICP Raid Storport Driver)
                  0xB00BB000 C:\windows\system32\DRIVERS\lltdio.sys 65536 bytes (Microsoft Corporation, Link-Layer Topology Mapper I/O Driver)
                  0x83380000 C:\windows\System32\drivers\mountmgr.sys 65536 bytes (Microsoft Corporation, Mount Point Manager)
                  0x8ADE7000 C:\windows\system32\DRIVERS\termdd.sys 65536 bytes (Microsoft Corporation, Terminal Server Driver)
                  0x83281000 C:\windows\system32\drivers\isapnp.sys 61440 bytes (Microsoft Corporation, PNP ISA Bus Driver)
                  0x8AFAB000 C:\windows\system32\DRIVERS\Lbd.sys 61440 bytes (Lavasoft AB, Boot Driver)
                  0xA139E000 C:\windows\system32\DRIVERS\monitor.sys 61440 bytes (Microsoft Corporation, Monitor Driver)
                  0x8B793000 C:\windows\System32\Drivers\mup.sys 61440 bytes (Microsoft Corporation, Multiple UNC Provider driver)
                  0x832AC000 C:\windows\System32\drivers\partmgr.sys 61440 bytes (Microsoft Corporation, Partition Management Driver)
                  0x8B52D000 C:\windows\system32\DRIVERS\processr.sys 61440 bytes (Microsoft Corporation, Processor Device Driver)
                  0x8AFE9000 C:\windows\system32\DRIVERS\raspppoe.sys 61440 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
                  0x9F18B000 C:\windows\system32\DRIVERS\usbehci.sys 61440 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
                  0x832C8000 C:\windows\system32\drivers\volmgr.sys 61440 bytes (Microsoft Corporation, Volume Manager Driver)
                  0xAB0A0000 C:\windows\System32\cdd.dll 57344 bytes (Microsoft Corporation, Canonical Display Driver)
                  0xA11D5000 C:\windows\system32\DRIVERS\netbios.sys 57344 bytes (Microsoft Corporation, NetBIOS interface driver)
                  0x8AEC5000 C:\windows\system32\drivers\nfrd960.sys 57344 bytes (IBM Corporation, IBM ServeRAID Controller Driver)
                  0xA10CA000 C:\windows\System32\Drivers\Npfs.SYS 57344 bytes (Microsoft Corporation, NPFS Driver)
                  0x83328000 C:\windows\system32\drivers\PCIIDEX.SYS 57344 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
                  0xA1292000 C:\Program Files\Trusteer\Rapport\bin\RapportKELL.sys 57344 bytes (Trusteer Ltd., RapportKE)
                  0xA0740000 C:\windows\System32\Drivers\BTHUSB.sys 53248 bytes (Microsoft Corporation, Bluetooth Miniport Driver)
                  0xA1371000 C:\windows\System32\Drivers\crashdmp.sys 53248 bytes (Microsoft Corporation, Crash Dump Driver)
                  0xA072A000 C:\windows\system32\drivers\modem.sys 53248 bytes (Microsoft Corporation, Modem Device Driver)
                  0x8AED3000 C:\windows\system32\drivers\nvstor.sys 53248 bytes (NVIDIA Corporation, NVIDIA® nForce(TM) Sata Performance Driver)
                  0x8B18E000 C:\windows\system32\drivers\sisraid2.sys 53248 bytes (Microsoft Corporation, SiS RAID Stor Miniport Driver)
                  0xA09C0000 C:\windows\system32\DRIVERS\STREAM.SYS 53248 bytes (Microsoft Corporation, WDM CODEC Class Device Driver 2.0)
                  0xA0059000 C:\windows\system32\DRIVERS\umbus.sys 53248 bytes (Microsoft Corporation, User-Mode Bus Enumerator)
                  0x807C7000 C:\windows\system32\drivers\WDFLDR.SYS 53248 bytes (Microsoft Corporation, WDFLDR)
                  0x8AD47000 C:\windows\system32\drivers\iteatapi.sys 49152 bytes (Integrated Technology Express, Inc., ITE IT8211 ATA/ATAPI SCSI miniport)
                  0x8AD53000 C:\windows\system32\drivers\iteraid.sys 49152 bytes (Integrated Technology Express, Inc., ITE IT8212 ATA RAID SCSI miniport)
                  0x8B1B0000 C:\windows\system32\drivers\symc8xx.sys 49152 bytes (LSI Logic, LSI Logic 8XX SCSI Miniport Driver)
                  0xB1FD2000 C:\windows\System32\drivers\tcpipreg.sys 49152 bytes (Microsoft Corporation, TCP/IP Registry Compatibility Driver)
                  0xA10A3000 C:\windows\System32\drivers\vga.sys 49152 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
                  0x9FF77000 C:\windows\System32\drivers\watchdog.sys 49152 bytes (Microsoft Corporation, Watchdog Driver)
                  0x9FFD2000 C:\windows\system32\DRIVERS\Accelerometer.sys 45056 bytes (Hewlett-Packard Corporation, HP Accelerometer)
                  0xA137E000 C:\windows\System32\Drivers\dump_dumpata.sys 45056 bytes
                  0x8AB39000 C:\windows\system32\drivers\hpcisss.sys 45056 bytes (Hewlett-Packard Company, Smart Array Storport Driver)
                  0x9F1B2000 C:\windows\system32\DRIVERS\kbdclass.sys 45056 bytes (Microsoft Corporation, Keyboard Class Driver)
                  0x9F1EF000 C:\windows\system32\DRIVERS\mouclass.sys 45056 bytes (Microsoft Corporation, Mouse Class Driver)
                  0x8AEBA000 C:\windows\system32\drivers\mraid35x.sys 45056 bytes (LSI Logic Corporation, MegaRAID RAID Controller Driver for Windows Vista/Longhorn for x86)
                  0xA10BF000 C:\windows\System32\Drivers\Msfs.SYS 45056 bytes (Microsoft Corporation, Mailslot driver)
                  0x8B5F5000 C:\windows\system32\DRIVERS\ndistapi.sys 45056 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
                  0x8B1F3000 C:\windows\System32\Drivers\SbAlg.sys 45056 bytes (SafeBoot N.V., SafeBoot FIPS AES Algorithm (256 bit))
                  0x8B1BC000 C:\windows\system32\drivers\sym_hi.sys 45056 bytes (LSI Logic, LSI Logic Hi-Perf SCSI Miniport Driver)
                  0x8B1C7000 C:\windows\system32\drivers\sym_u3.sys 45056 bytes (LSI Logic, LSI Logic Ultra160 SCSI Miniport Driver)
                  0x8B5EA000 C:\windows\system32\DRIVERS\TDI.SYS 45056 bytes (Microsoft Corporation, TDI Wrapper)

                  mongerlane

                    Topic Starter


                    Rookie

                    0x8B519000 C:\windows\system32\DRIVERS\tunnel.sys 45056 bytes (Microsoft Corporation, Microsoft Tunnel Interface Driver)
                    0x832BE000 C:\windows\system32\DRIVERS\BATTC.SYS 40960 bytes (Microsoft Corporation, Battery Class Driver)
                    0xA09DC000 C:\windows\system32\DRIVERS\BthEnum.sys 40960 bytes (Microsoft Corporation, Bluetooth Bus Extender)
                    0xA1389000 C:\windows\System32\Drivers\dump_msahci.sys 40960 bytes
                    0xA1394000 C:\windows\System32\drivers\Dxapi.sys 40960 bytes (Microsoft Corporation, DirectX API Driver)
                    0x8AD2D000 C:\windows\system32\drivers\i2omp.sys 40960 bytes (Microsoft Corporation, I2O Miniport Driver)
                    0xB1EE0000 C:\windows\system32\drivers\LMIRfsDriver.sys 40960 bytes (LogMeIn, Inc., LogMeIn Rfs Drivemap Driver)
                    0x8AD91000 C:\windows\system32\drivers\megasas.sys 40960 bytes (LSI Corporation, MEGASAS RAID Controller Driver for Windows Vista/Longhorn for x86)
                    0x8AB2F000 C:\windows\system32\drivers\msahci.sys 40960 bytes (Microsoft Corporation, MS AHCI 1.0 Standard Driver)
                    0xA004F000 C:\windows\system32\DRIVERS\mssmbios.sys 40960 bytes (Microsoft Corporation, System Management BIOS Driver)
                    0xB00F5000 C:\windows\system32\DRIVERS\ndisuio.sys 40960 bytes (Microsoft Corporation, NDIS User mode I/O driver)
                    0xA1300000 C:\windows\system32\drivers\nsiproxy.sys 40960 bytes (Microsoft Corporation, NSI Proxy)
                    0xB1FC8000 C:\windows\System32\Drivers\secdrv.SYS 40960 bytes (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K., Macrovision SECURITY Driver)
                    0x9F143000 C:\windows\system32\DRIVERS\usbohci.sys 40960 bytes (Microsoft Corporation, OHCI USB Miniport Driver)
                    0x8B7EB000 C:\windows\system32\drivers\crcdisk.sys 36864 bytes (Microsoft Corporation, Disk Block Verification Filter Driver)
                    0xA108C000 C:\windows\System32\Drivers\Fs_Rec.SYS 36864 bytes (Microsoft Corporation, File System Recognizer Driver)
                    0xA0737000 C:\windows\system32\DRIVERS\hidusb.sys 36864 bytes (Microsoft Corporation, USB Miniport Driver for Input Devices)
                    0x8B7C9000 C:\windows\system32\DRIVERS\hpdskflt.sys 36864 bytes (Hewlett-Packard Corporation, HP Disk Filter - SATA/RAID)
                    0xA009B000 C:\windows\system32\DRIVERS\kbdhid.sys 36864 bytes (Microsoft Corporation, HID Keyboard Filter Driver)
                    0xB1FF0000 C:\windows\System32\Drivers\Normandy.SYS 36864 bytes (RKU Driver)
                    0xA10D8000 C:\windows\System32\DRIVERS\rasacd.sys 36864 bytes (Microsoft Corporation, RAS Automatic Connection Driver)
                    0xAB080000 C:\windows\System32\TSDDD.dll 36864 bytes (Microsoft Corporation, Framebuffer Display Driver)
                    0x8B524000 C:\windows\system32\DRIVERS\tunmp.sys 36864 bytes (Microsoft Corporation, Microsoft Tunnel Interface Driver)
                    0x9FFF7000 C:\windows\system32\DRIVERS\wmiacpi.sys 36864 bytes (Microsoft Corporation, Windows Management Interface for ACPI)
                    0x83249000 C:\windows\system32\drivers\WMILIB.SYS 36864 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
                    0x8AAAE000 C:\windows\system32\drivers\atapi.sys 32768 bytes (Microsoft Corporation, ATAPI IDE Miniport Driver)
                    0x8B7E3000 C:\windows\system32\DRIVERS\AtiPcie.sys 32768 bytes (ATI Technologies Inc., ATI PCIE Driver for ATI PCIE chipset)
                    0x80622000 C:\windows\system32\BOOTVID.dll 32768 bytes (Microsoft Corporation, VGA Boot Driver)
                    0x83378000 C:\windows\system32\drivers\cmdide.sys 32768 bytes (CMD Technology, Inc., CMD PCI IDE Bus Driver)
                    0xA09D4000 C:\windows\system32\DRIVERS\mouhid.sys 32768 bytes (Microsoft Corporation, HID Mouse Filter Driver)
                    0x83252000 C:\windows\system32\drivers\msisadrv.sys 32768 bytes (Microsoft Corporation, ISA Driver)
                    0xA10AF000 C:\windows\System32\DRIVERS\RDPCDD.sys 32768 bytes (Microsoft Corporation, RDP Miniport)
                    0xA10B7000 C:\windows\system32\drivers\rdpencdd.sys 32768 bytes (Microsoft Corporation, RDP Miniport)
                    0x8B75D000 C:\windows\System32\Drivers\spldr.sys 32768 bytes (Microsoft Corporation, loader for security processor)
                    0x833E6000 C:\windows\system32\drivers\viaide.sys 32768 bytes (VIA Technologies, Inc., VIA Generic PCI IDE Bus Driver)
                    0x8B71C000 C:\windows\system32\drivers\wd.sys 32768 bytes (Microsoft Corporation, Microsoft Watchdog Timer Driver)
                    0x8336A000 C:\windows\system32\drivers\aliide.sys 28672 bytes (Acer Laboratories Inc., ALi mini IDE Driver)
                    0x83371000 C:\windows\system32\drivers\amdide.sys 28672 bytes (Microsoft Corporation, AMD IDE Driver)
                    0xA109C000 C:\windows\System32\Drivers\Beep.SYS 28672 bytes (Microsoft Corporation, BEEP Driver)
                    0x9FFF0000 C:\windows\system32\DRIVERS\HIDPARSE.SYS 28672 bytes (Microsoft Corporation, Hid Parsing Library)
                    0x83321000 C:\windows\system32\drivers\intelide.sys 28672 bytes (Microsoft Corporation, Intel PCI IDE Driver)
                    0x8060A000 C:\windows\system32\kdcom.dll 28672 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
                    0xA1095000 C:\windows\System32\Drivers\Null.SYS 28672 bytes (Microsoft Corporation, NULL Driver)
                    0x83336000 C:\windows\system32\drivers\pciide.sys 28672 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)
                    0xA09CD000 C:\windows\system32\DRIVERS\sncduvc.SYS 28672 bytes (-, USBCAMD for Sonix UVC)
                    0xA1321000 C:\windows\System32\Drivers\avgmfx86.sys 24576 bytes (AVG Technologies CZ, s.r.o., AVG Resident Shield Minifilter Driver)
                    0xA11F6000 C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS 24576 bytes (SUPERAdBlocker.com and SUPERAntiSpyware.com, SASDIFSV.SYS)
                    0x9F1AD000 C:\windows\system32\DRIVERS\HpqKbFiltr.sys 20480 bytes (Hewlett-Packard Development Company, L.P., HpqKbFiltr Keyboard Filter Driver)
                    0xAB0C0000 C:\windows\System32\lmimirr.dll 20480 bytes (LogMeIn, Inc., LogMeIn Mirror Driver)
                    0x9F1FA000 C:\windows\system32\DRIVERS\CmBatt.sys 16384 bytes (Microsoft Corporation, Control Method Battery Driver)
                    0xA1089000 C:\windows\system32\DRIVERS\btwrchid.sys 12288 bytes (Broadcom Corporation., Bluetooth Remote Control HID Minidriver)
                    0x832BB000 C:\windows\system32\DRIVERS\compbatt.sys 12288 bytes (Microsoft Corporation, Composite Battery Driver)
                    0x9FFDD000 C:\windows\system32\DRIVERS\cpqbttn.sys 12288 bytes (Hewlett-Packard Development Company, L.P., HP Tablet PC Key Button HID Driver)
                    0xAB0D0000 C:\windows\System32\lmimirr2.dll 8192 bytes (LogMeIn, Inc., LogMeIn Video Helper)
                    0xB1EDE000 C:\Program Files\LogMeIn\x86\RaInfo.sys 8192 bytes (LogMeIn, Inc., RemotelyAnywhere Kernel Information Provider)
                    0xA11FC000 C:\windows\System32\Drivers\RsvLock.SYS 8192 bytes (SafeBoot International, SafeBoot Reserved Files Lock Driver)
                    0x8B1FE000 C:\windows\System32\Drivers\SbFsLock.sys 8192 bytes (SafeBoot International, SafeBoot FS Locker)
                    0xA0023000 C:\windows\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
                    0x9F1ED000 C:\windows\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
                    0xA1393000 C:\windows\System32\Drivers\dump_SbHiber.sys 4096 bytes
                    0x9F1FE000 C:\windows\system32\DRIVERS\lmimirr.sys 4096 bytes (LogMeIn, Inc., LogMeIn Mirror Miniport Driver)
                    !!!!!!!!!!!Hidden driver:  0x8A971AEA ?_empty_? 1302 bytes
                    !!!!!!!!!!!Hidden driver:  0x881D8850 ?_empty_? 0 bytes
                    ==============================================
                    >Stealth
                    ==============================================
                    0x8AAAE000 WARNING: suspicious driver modification [atapi.sys::0x8A971AEA]
                    0x06380000 Hidden Image-->CLI.Aspect.Radeon3D.Graphics.Wizard.DLL [ EPROCESS 0x863E8D90 ] PID: 4656, 102400 bytes
                    0x009F0000 Hidden Image-->HP.ActiveSupportLibrary.dll [ EPROCESS 0x85E093F8 ] PID: 3224, 110592 bytes
                    0x00860000 Hidden Image-->MOM.Implementation.DLL [ EPROCESS 0x85EF5940 ] PID: 6092, 110592 bytes
                    0x00AE0000 Hidden Image-->MOM.Implementation.DLL [ EPROCESS 0x863E8D90 ] PID: 4656, 110592 bytes
                    0x06F60000 Hidden Image-->CLI.Aspect.DisplaysOptions.Graphics.Dashboard.DLL [ EPROCESS 0x863E8D90 ] PID: 4656, 126976 bytes
                    0x04270000 Hidden Image-->PTHostServices.dll [ EPROCESS 0xB22AFD90 ] PID: 2484, 1421312 bytes
                    0x05280000 Hidden Image-->PTHostServices.dll [ EPROCESS 0x86176598 ] PID: 4856, 1421312 bytes
                    0x06C40000 Hidden Image-->CLI.Aspect.Welcome.Graphics.Dashboard.DLL [ EPROCESS 0x863E8D90 ] PID: 4656, 143360 bytes
                    0x08030000 Hidden Image-->CLI.Component.Dashboard.DLL [ EPROCESS 0x863E8D90 ] PID: 4656, 1519616 bytes
                    0x07810000 Hidden Image-->CLI.Aspect.PowerPlayDPPE.Graphics.Dashboard.DLL [ EPROCESS 0x863E8D90 ] PID: 4656, 159744 bytes
                    0x073A0000 Hidden Image-->CLI.Aspect.DisplaysManager.Graphics.Wizard.DLL [ EPROCESS 0x863E8D90 ] PID: 4656, 1691648 bytes
                    0x063A0000 Hidden Image-->CLI.Aspect.InfoCentre.Graphics.Wizard.DLL [ EPROCESS 0x863E8D90 ] PID: 4656, 208896 bytes
                    0x06C80000 Hidden Image-->CLI.Aspect.InfoCentre.Graphics.Dashboard.DLL [ EPROCESS 0x863E8D90 ] PID: 4656, 225280 bytes
                    0x03450000 Hidden Image-->BIOSDomain.dll [ EPROCESS 0xB22AFD90 ] PID: 2484, 258048 bytes
                    0x01B80000 Hidden Image-->BIOSDomain.dll [ EPROCESS 0x86176598 ] PID: 4856, 258048 bytes
                    0x05610000 Hidden Image-->CLI.Caste.Graphics.Runtime.DLL [ EPROCESS 0x863E8D90 ] PID: 4656, 266240 bytes
                    0x00B00000 Hidden Image-->Interop.PTHstServsLib.dll [ EPROCESS 0xB22AFD90 ] PID: 2484, 28672 bytes
                    0x05590000 Hidden Image-->Interop.HPQWMIEXLib.dll [ EPROCESS 0xB22AFD90 ] PID: 2484, 28672 bytes
                    0x06220000 Hidden Image-->Interop.HPQWMIEXLib.dll [ EPROCESS 0x86176598 ] PID: 4856, 28672 bytes
                    0x009B0000 Hidden Image-->MOM.Foundation.DLL [ EPROCESS 0x85EF5940 ] PID: 6092, 28672 bytes
                    0x01940000 Hidden Image-->LOG.Foundation.Implementation.Private.DLL [ EPROCESS 0x85EF5940 ] PID: 6092, 28672 bytes
                    0x004F0000 Hidden Image-->MOM.Foundation.DLL [ EPROCESS 0x863E8D90 ] PID: 4656, 28672 bytes
                    0x00A30000 Hidden Image-->LOG.Foundation.Implementation.Private.DLL [ EPROCESS 0x863E8D90 ] PID: 4656, 28672 bytes
                    0x03FB0000 Hidden Image-->CLI.Component.Runtime.Shared.DLL [ EPROCESS 0x863E8D90 ] PID: 4656, 28672 bytes
                    0x04220000 Hidden Image-->CLI.Component.Runtime.Extension.EEU.DLL [ EPROCESS 0x863E8D90 ] PID: 4656, 28672 bytes
                    0x04240000 Hidden Image-->AEM.Plugin.EEU.Shared.DLL [ EPROCESS 0x863E8D90 ] PID: 4656, 28672 bytes
                    0x04280000 Hidden Image-->AEM.Server.Shared.DLL [ EPROCESS 0x863E8D90 ] PID: 4656, 28672 bytes
                    0x043F0000 Hidden Image-->AEM.Plugin.DPPE.Shared.DLL [ EPROCESS 0x863E8D90 ] PID: 4656, 28672 bytes
                    0x04FB0000 Hidden Image-->DEM.Foundation.DLL [ EPROCESS 0x863E8D90 ] PID: 4656, 28672 bytes
                    0x04F80000 Hidden Image-->AEM.Plugin.Hotkeys.Shared.DLL [ EPROCESS 0x863E8D90 ] PID: 4656, 28672 bytes
                    0x04FC0000 Hidden Image-->DEM.Graphics.DLL [ EPROCESS 0x863E8D90 ] PID: 4656, 28672 bytes
                    0x054E0000 Hidden Image-->DEM.OS.I0602.DLL [ EPROCESS 0x863E8D90 ] PID: 4656, 28672 bytes
                    0x05500000 Hidden Image-->DEM.OS.DLL [ EPROCESS 0x863E8D90 ] PID: 4656, 28672 bytes
                    0x05680000 Hidden Image-->AEM.Plugin.GD.Shared.DLL [ EPROCESS 0x863E8D90 ] PID: 4656, 28672 bytes
                    0x05660000 Hidden Image-->DEM.Graphics.I0709.dll [ EPROCESS 0x863E8D90 ] PID: 4656, 28672 bytes
                    0x05670000 Hidden Image-->AEM.Actions.CCAA.Shared.DLL [ EPROCESS 0x863E8D90 ] PID: 4656, 28672 bytes
                    0x056C0000 Hidden Image-->LOCALIZATION.Foundation.Private.DLL [ EPROCESS 0x863E8D90 ] PID: 4656, 28672 bytes
                    0x057F0000 Hidden Image-->CLI.Aspect.HotkeysHandling.Graphics.Runtime.DLL [ EPROCESS 0x863E8D90 ] PID: 4656, 28672 bytes
                    0x05800000 Hidden Image-->CLI.Aspect.HotkeysHandling.Graphics.Shared.DLL [ EPROCESS 0x863E8D90 ] PID: 4656, 28672 bytes
                    0x05850000 Hidden Image-->CLI.Caste.Graphics.Runtime.Shared.Private.DLL [ EPROCESS 0x863E8D90 ] PID: 4656, 28672 bytes
                    0x058B0000 Hidden Image-->DEM.Graphics.I0706.DLL [ EPROCESS 0x863E8D90 ] PID: 4656, 28672 bytes
                    0x06250000 Hidden Image-->APM.Foundation.DLL [ EPROCESS 0x863E8D90 ] PID: 4656, 28672 bytes
                    0x05E50000 Hidden Image-->DEM.Graphics.I0712.dll [ EPROCESS 0x863E8D90 ] PID: 4656, 28672 bytes
                    0x062F0000 Hidden Image-->CLI.Caste.Graphics.Wizard.Shared.DLL [ EPROCESS 0x863E8D90 ] PID: 4656, 28672 bytes
                    0x062C0000 Hidden Image-->CLI.Component.Wizard.Shared.DLL [ EPROCESS 0x863E8D90 ] PID: 4656, 28672 bytes
                    0x062B0000 Hidden Image-->CLI.Component.Client.Shared.DLL [ EPROCESS 0x863E8D90 ] PID: 4656, 28672 bytes
                    0x063F0000 Hidden Image-->atixclib.DLL [ EPROCESS 0x863E8D90 ] PID: 4656, 28672 bytes
                    0x064B0000 Hidden Image-->CLI.Component.Dashboard.Shared.DLL [ EPROCESS 0x863E8D90 ] PID: 4656, 28672 bytes
                    0x064C0000 Hidden Image-->CLI.Component.Dashboard.Shared.Private.DLL [ EPROCESS 0x863E8D90 ] PID: 4656, 28672 bytes
                    0x06BD0000 Hidden Image-->CLI.Caste.Graphics.Dashboard.Shared.DLL [ EPROCESS 0x863E8D90 ] PID: 4656, 28672 bytes
                    0x06BF0000 Hidden Image-->CLI.Aspect.DeviceLCD.Graphics.Wizard.DLL [ EPROCESS 0x863E8D90 ] PID: 4656, 315392 bytes
                    WARNING: File locked for read access [C:\windows\system32\drivers\SafeBoot.sys]
                    0x075B0000 Hidden Image-->CLI.Aspect.Radeon3D.Graphics.Dashboard.DLL [ EPROCESS 0x863E8D90 ] PID: 4656, 364544 bytes
                    0x01280000 Hidden Image-->Interop.PTPluginLib.dll [ EPROCESS 0xB22AFD90 ] PID: 2484, 36864 bytes
                    0x01BD0000 Hidden Image-->Interop.PTPluginLib.dll [ EPROCESS 0x86176598 ] PID: 4856, 36864 bytes
                    0x04210000 Hidden Image-->NEWAEM.Foundation.DLL [ EPROCESS 0x85EF5940 ] PID: 6092, 36864 bytes
                    0x00B00000 Hidden Image-->CLI.Foundation.XManifest.DLL [ EPROCESS 0x863E8D90 ] PID: 4656, 36864 bytes
                    0x04230000 Hidden Image-->AEM.Foundation.DLL [ EPROCESS 0x863E8D90 ] PID: 4656, 36864 bytes
                    0x04200000 Hidden Image-->NEWAEM.Foundation.DLL [ EPROCESS 0x863E8D90 ] PID: 4656, 36864 bytes
                    0x053D0000 Hidden Image-->ACE.Graphics.DisplaysManager.Shared.DLL [ EPROCESS 0x863E8D90 ] PID: 4656, 36864 bytes
                    0x05890000 Hidden Image-->CLI.Aspect.CustomFormats.Graphics.Shared.DLL [ EPROCESS 0x863E8D90 ] PID: 4656, 36864 bytes
                    0x05960000 Hidden Image-->CLI.Aspect.DisplaysColour2.Graphics.Shared.DLL [ EPROCESS 0x863E8D90 ] PID: 4656, 36864 bytes
                    0x059A0000 Hidden Image-->CLI.Aspect.DisplaysOptions.Graphics.Shared.DLL [ EPROCESS 0x863E8D90 ] PID: 4656, 36864 bytes
                    0x05E00000 Hidden Image-->CLI.Aspect.DeviceLCD.Graphics.Shared.DLL [ EPROCESS 0x863E8D90 ] PID: 4656, 36864 bytes
                    0x06130000 Hidden Image-->CLI.Aspect.PowerPlayDPPE.Graphics.Shared.DLL [ EPROCESS 0x863E8D90 ] PID: 4656, 36864 bytes
                    0x062D0000 Hidden Image-->CLI.Component.Wizard.Shared.Private.DLL [ EPROCESS 0x863E8D90 ] PID: 4656, 36864 bytes
                    0x06B50000 Hidden Image-->CLI.Aspect.MMVideo.Graphics.Wizard.DLL [ EPROCESS 0x863E8D90 ] PID: 4656, 413696 bytes
                    0x07540000 Hidden Image-->CLI.Aspect.DeviceLCD.Graphics.Dashboard.DLL [ EPROCESS 0x863E8D90 ] PID: 4656, 413696 bytes
                    0x06DF0000 Hidden Image-->CLI.Aspect.DisplaysManager.Graphics.Dashboard.DLL [ EPROCESS 0x863E8D90 ] PID: 4656, 446464 bytes
                    0x00880000 Hidden Image-->LOG.Foundation.DLL [ EPROCESS 0x85EF5940 ] PID: 6092, 45056 bytes
                    0x008A0000 Hidden Image-->LOG.Foundation.Private.DLL [ EPROCESS 0x85EF5940 ] PID: 6092, 45056 bytes
                    0x004C0000 Hidden Image-->CCC.Implementation.DLL [ EPROCESS 0x863E8D90 ] PID: 4656, 45056 bytes
                    0x004E0000 Hidden Image-->LOG.Foundation.DLL [ EPROCESS 0x863E8D90 ] PID: 4656, 45056 bytes
                    0x00A70000 Hidden Image-->LOG.Foundation.Private.DLL [ EPROCESS 0x863E8D90 ] PID: 4656, 45056 bytes
                    0x03FD0000 Hidden Image-->ATICCCom.DLL [ EPROCESS 0x863E8D90 ] PID: 4656, 45056 bytes

                    mongerlane


                      0x058A0000 Hidden Image-->CLI.Aspect.DeviceProperty.Graphics.Runtime.DLL [ EPROCESS 0x863E8D90 ] PID: 4656, 45056 bytes
                      0x05900000 Hidden Image-->CLI.Aspect.DeviceProperty.Graphics.Shared.DLL [ EPROCESS 0x863E8D90 ] PID: 4656, 45056 bytes
                      0x05990000 Hidden Image-->CLI.Aspect.DisplaysOptions.Graphics.Runtime.DLL [ EPROCESS 0x863E8D90 ] PID: 4656, 45056 bytes
                      0x05BF0000 Hidden Image-->CLI.Aspect.DeviceLCD.Graphics.Runtime.DLL [ EPROCESS 0x863E8D90 ] PID: 4656, 45056 bytes
                      0x06F80000 Hidden Image-->CLI.Aspect.DeviceCRT.Graphics.Dashboard.DLL [ EPROCESS 0x863E8D90 ] PID: 4656, 487424 bytes
                      0x06300000 Hidden Image-->CLI.Aspect.TransCode.Graphics.Wizard.DLL [ EPROCESS 0x863E8D90 ] PID: 4656, 495616 bytes
                      0x06400000 Hidden Image-->CLI.Component.Wizard.DLL [ EPROCESS 0x863E8D90 ] PID: 4656, 503808 bytes
                      0x04100000 Hidden Image-->AEM.Server.DLL [ EPROCESS 0x85EF5940 ] PID: 6092, 53248 bytes
                      0x00B10000 Hidden Image-->CLI.Component.Runtime.Shared.Private.DLL [ EPROCESS 0x863E8D90 ] PID: 4656, 53248 bytes
                      0x00D30000 Hidden Image-->CLI.Foundation.Private.DLL [ EPROCESS 0x863E8D90 ] PID: 4656, 53248 bytes
                      0x040E0000 Hidden Image-->AEM.Server.DLL [ EPROCESS 0x863E8D90 ] PID: 4656, 53248 bytes
                      0x042D0000 Hidden Image-->AEM.Plugin.Source.Kit.Server.DLL [ EPROCESS 0x863E8D90 ] PID: 4656, 53248 bytes
                      0x04F90000 Hidden Image-->DEM.Graphics.I0601.DLL [ EPROCESS 0x863E8D90 ] PID: 4656, 53248 bytes
                      0x05870000 Hidden Image-->CLI.Aspect.DeviceCV.Graphics.Shared.DLL [ EPROCESS 0x863E8D90 ] PID: 4656, 53248 bytes
                      0x05950000 Hidden Image-->CLI.Aspect.DisplaysColour2.Graphics.Runtime.DLL [ EPROCESS 0x863E8D90 ] PID: 4656, 53248 bytes
                      0x059B0000 Hidden Image-->CLI.Aspect.DeviceCRT.Graphics.Runtime.DLL [ EPROCESS 0x863E8D90 ] PID: 4656, 53248 bytes
                      0x05E40000 Hidden Image-->CLI.Aspect.DeviceDFP.Graphics.Shared.DLL [ EPROCESS 0x863E8D90 ] PID: 4656, 53248 bytes
                      0x06100000 Hidden Image-->CLI.Aspect.PowerPlayDPPE.Graphics.Runtime.DLL [ EPROCESS 0x863E8D90 ] PID: 4656, 53248 bytes
                      0x062A0000 Hidden Image-->CLI.Component.Client.Shared.Private.DLL [ EPROCESS 0x863E8D90 ] PID: 4656, 53248 bytes
                      0x062E0000 Hidden Image-->CLI.Caste.Graphics.Wizard.DLL [ EPROCESS 0x863E8D90 ] PID: 4656, 53248 bytes
                      0x063E0000 Hidden Image-->CLI.Aspect.TransCode.Graphics.Shared.DLL [ EPROCESS 0x863E8D90 ] PID: 4656, 53248 bytes
                      0x07940000 Hidden Image-->CLI.Aspect.DisplaysColour2.Graphics.Dashboard.DLL [ EPROCESS 0x863E8D90 ] PID: 4656, 593920 bytes
                      0x012A0000 Hidden Image-->PTStrings.dll [ EPROCESS 0xB22AFD90 ] PID: 2484, 61440 bytes
                      0x01C30000 Hidden Image-->PTStrings.dll [ EPROCESS 0x86176598 ] PID: 4856, 61440 bytes
                      0x00500000 Hidden Image-->CLI.Foundation.DLL [ EPROCESS 0x863E8D90 ] PID: 4656, 61440 bytes
                      0x053C0000 Hidden Image-->CLI.Caste.Graphics.Shared.DLL [ EPROCESS 0x863E8D90 ] PID: 4656, 61440 bytes
                      0x059C0000 Hidden Image-->CLI.Aspect.DeviceCRT.Graphics.Shared.DLL [ EPROCESS 0x863E8D90 ] PID: 4656, 61440 bytes
                      0x05F90000 Hidden Image-->CLI.Aspect.Radeon3D.Graphics.Shared.DLL [ EPROCESS 0x863E8D90 ] PID: 4656, 61440 bytes
                      0x05FC0000 Hidden Image-->CLI.Aspect.MMVideo.Graphics.Shared.DLL [ EPROCESS 0x863E8D90 ] PID: 4656, 61440 bytes
                      0x06140000 Hidden Image-->APM.Server.DLL [ EPROCESS 0x863E8D90 ] PID: 4656, 61440 bytes
                      0x00990000 Hidden Image-->LOG.Foundation.Implementation.DLL [ EPROCESS 0x85EF5940 ] PID: 6092, 69632 bytes
                      0x00A40000 Hidden Image-->LOG.Foundation.Implementation.DLL [ EPROCESS 0x863E8D90 ] PID: 4656, 69632 bytes
                      0x05E20000 Hidden Image-->CLI.Aspect.DeviceDFP.Graphics.Runtime.DLL [ EPROCESS 0x863E8D90 ] PID: 4656, 69632 bytes
                      0x05E70000 Hidden Image-->CLI.Aspect.Radeon3D.Graphics.Runtime.DLL [ EPROCESS 0x863E8D90 ] PID: 4656, 69632 bytes
                      0x05690000 Hidden Image-->ATIDEMOS.DLL [ EPROCESS 0x863E8D90 ] PID: 4656, 77824 bytes
                      0x05820000 Hidden Image-->CLI.Aspect.DeviceCV.Graphics.Runtime.DLL [ EPROCESS 0x863E8D90 ] PID: 4656, 77824 bytes
                      0x05930000 Hidden Image-->CLI.Aspect.DeviceTV.Graphics.Shared.DLL [ EPROCESS 0x863E8D90 ] PID: 4656, 77824 bytes
                      0x07AB0000 Hidden Image-->CLI.Aspect.MMVideo.Graphics.Dashboard.DLL [ EPROCESS 0x863E8D90 ] PID: 4656, 815104 bytes
                      0x00B60000 Hidden Image-->CLI.Component.Runtime.DLL [ EPROCESS 0x863E8D90 ] PID: 4656, 86016 bytes
                      0x05910000 Hidden Image-->CLI.Aspect.DeviceTV.Graphics.Runtime.DLL [ EPROCESS 0x863E8D90 ] PID: 4656, 86016 bytes
                      0x05FE0000 Hidden Image-->CLI.Aspect.MMVideo.Graphics.Runtime.DLL [ EPROCESS 0x863E8D90 ] PID: 4656, 86016 bytes
                      0x064D0000 Hidden Image-->CLI.Caste.Graphics.Dashboard.DLL [ EPROCESS 0x863E8D90 ] PID: 4656, 86016 bytes
                      ==============================================
                      >Files
                      ==============================================
                      ==============================================
                      >Hooks
                      ==============================================
                      ntkrnlpa.exe+0x000A87AA, Type: Inline - RelativeJump 0x82CC77AA-->82CC77B1 [ntkrnlpa.exe]
                      [1588]svchost.exe-->mswsock.dll+0x00002671, Type: Inline - RelativeJump 0x75792671-->00000000 [unknown_code_page]
                      [1588]svchost.exe-->mswsock.dll+0x000027D4, Type: Inline - RelativeJump 0x757927D4-->00000000 [unknown_code_page]
                      [1588]svchost.exe-->mswsock.dll+0x00002995, Type: Inline - RelativeJump 0x75792995-->00000000 [unknown_code_page]
                      [1588]svchost.exe-->user32.dll-->GetCursorPos, Type: Inline - RelativeJump 0x76450B88-->00000000 [unknown_code_page]
                      [4468]explorer.exe-->advapi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77C814BC-->00000000 [shimeng.dll]
                      [4468]explorer.exe-->gdi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77B61170-->00000000 [shimeng.dll]
                      [4468]explorer.exe-->mswsock.dll+0x00002671, Type: Inline - RelativeJump 0x75792671-->00000000 [unknown_code_page]
                      [4468]explorer.exe-->mswsock.dll+0x000027D4, Type: Inline - RelativeJump 0x757927D4-->00000000 [unknown_code_page]
                      [4468]explorer.exe-->mswsock.dll+0x00002995, Type: Inline - RelativeJump 0x75792995-->00000000 [unknown_code_page]
                      [4468]explorer.exe-->mswsock.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x6D64123C-->00000000 [shimeng.dll]
                      [4468]explorer.exe-->shell32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x768E1414-->00000000 [shimeng.dll]
                      [4468]explorer.exe-->user32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77D51300-->00000000 [shimeng.dll]
                      [4468]explorer.exe-->wininet.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x704114B0-->00000000 [shimeng.dll]
                      [4468]explorer.exe-->ws2_32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x4B0D11E8-->00000000 [shimeng.dll]
                      [5392]wuauclt.exe-->mswsock.dll+0x00002671, Type: Inline - RelativeJump 0x75792671-->00000000 [unknown_code_page]
                      [5392]wuauclt.exe-->mswsock.dll+0x000027D4, Type: Inline - RelativeJump 0x757927D4-->00000000 [unknown_code_page]
                      [5392]wuauclt.exe-->mswsock.dll+0x00002995, Type: Inline - RelativeJump 0x75792995-->00000000 [unknown_code_page]
                      [5496]firefox.exe-->advapi32.dll-->kernel32.dll-->LoadLibraryExW, Type: IAT modification 0x77C81500-->00000000 [unknown_code_page]
                      [5496]firefox.exe-->gdi32.dll-->BitBlt, Type: Inline - PushRet 0x776B70A6-->00000000 [unknown_code_page]
                      [5496]firefox.exe-->gdi32.dll-->kernel32.dll-->LoadLibraryExW, Type: IAT modification 0x77B61110-->00000000 [unknown_code_page]
                      [5496]firefox.exe-->gdi32.dll-->user32.dll-->GetWindowRect, Type: IAT modification 0x77B611D0-->00000000 [unknown_code_page]
                      [5496]firefox.exe-->kernel32.dll-->ntdll.dll-->LdrLoadDll, Type: IAT modification 0x77DF144C-->00000000 [unknown_code_page]
                      [5496]firefox.exe-->kernel32.dll-->SetUnhandledExceptionFilter, Type: Inline - PushRet 0x7705A84F-->00000000 [unknown_code_page]
                      [5496]firefox.exe-->mswsock.dll+0x00002671, Type: Inline - RelativeJump 0x75792671-->00000000 [unknown_code_page]
                      [5496]firefox.exe-->mswsock.dll+0x000027D4, Type: Inline - RelativeJump 0x757927D4-->00000000 [unknown_code_page]
                      [5496]firefox.exe-->mswsock.dll+0x00002995, Type: Inline - RelativeJump 0x75792995-->00000000 [unknown_code_page]
                      [5496]firefox.exe-->ntdll.dll-->KiUserApcDispatcher, Type: Inline - RelativeJump 0x77D95D18-->00000000 [rooksdol.dll]
                      [5496]firefox.exe-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump 0x77D59390-->00000000 [firefox.exe]
                      [5496]firefox.exe-->shell32.dll-->kernel32.dll-->LoadLibraryExW, Type: IAT modification 0x768E1284-->00000000 [unknown_code_page]
                      [5496]firefox.exe-->shell32.dll-->user32.dll-->GetWindowRect, Type: IAT modification 0x768E1A40-->00000000 [unknown_code_page]
                      [5496]firefox.exe-->user32.dll-->DdeInitializeW, Type: Inline - PushRet 0x76437921-->00000000 [unknown_code_page]
                      [5496]firefox.exe-->user32.dll-->GetClipboardData, Type: Inline - PushRet 0x7647715A-->00000000 [unknown_code_page]
                      [5496]firefox.exe-->user32.dll-->GetMessageW, Type: Inline - PushRet 0x7644FEF7-->00000000 [unknown_code_page]
                      [5496]firefox.exe-->user32.dll-->kernel32.dll-->LoadLibraryExW, Type: IAT modification 0x77D5115C-->00000000 [unknown_code_page]
                      [5496]firefox.exe-->user32.dll-->RegisterClassExW, Type: Inline - PushRet 0x7643DA30-->00000000 [unknown_code_page]
                      [5496]firefox.exe-->user32.dll-->TranslateMessage, Type: Inline - PushRet 0x764501AD-->00000000 [unknown_code_page]
                      [5496]firefox.exe-->wininet.dll-->kernel32.dll-->LoadLibraryExW, Type: IAT modification 0x70411450-->00000000 [unknown_code_page]
                      [5496]firefox.exe-->wininet.dll-->user32.dll-->GetWindowRect, Type: IAT modification 0x7041154C-->00000000 [unknown_code_page]
                      [5496]firefox.exe-->ws2_32.dll-->kernel32.dll-->LoadLibraryExW, Type: IAT modification 0x4B0D11F0-->00000000 [unknown_code_page]
                      [5672]msnmsgr.exe-->kernel32.dll-->SetUnhandledExceptionFilter, Type: Inline - RelativeJump 0x7705A84F-->00000000 [msnmsgr.exe]
                      [6576]plugin-container.exe-->user32.dll-->TrackPopupMenu, Type: Inline - RelativeJump 0x764514F3-->00000000 [xul.dll]
                      [684]lsm.exe-->ntdll.dll-->NtOpenProcess, Type: Inline - RelativeJump 0x77D94C34-->00000000 [unknown_code_page]
                      [684]lsm.exe-->ntdll.dll-->NtTerminateProcess, Type: Inline - RelativeJump 0x77D954F4-->00000000 [unknown_code_page]


                      !!POSSIBLE ROOTKIT ACTIVITY DETECTED!! =)

                      mongerlane


                        Files scan is now in progress. Taking hours, but I will just have to wait. When it is complete I will post the complete report or is it possible for me to just post this part of the report? Thanks

                        Dr Jay

                        Please download ComboFix from BleepingComputer.com

                        Alternate link: GeeksToGo.com

                        Alternate link: Forospyware.com (Click the green button on the page to download it).

                        Rename ComboFix.exe to combo-fix.exe before you save it to your Desktop.
                        • Close any open browsers.
                        • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
                        • Open notepad and copy/paste the text in the quotebox below into it:
                          Quote
                          killall::

                          TDL::
                          c:\windows\system32\drivers\atapi.sys

                          Reboot::
                        • Save this as CFScript.txt, in the same location as ComboFix.exe



                        • Referring to the picture above, drag CFScript into ComboFix.exe
                        • When finished, it shall produce a log for you at C:\ComboFix.txt
                        • Please post the contents of the log in your next reply.
                        NOTE:
                        • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
                        • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console

                        Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

                        Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


                        • Click on Yes, to continue scanning for malware.
                        ~Dr Jay

                        mongerlane


                          Hi again, ran ComboFix as requested. First time it said it had a problem and would have to try other methods, and said to write down this:
                          C:\windows\system32\drivers\rdpencdd.sys
                          It ran again itself; log file below. Thanks for your help once again.
                          ComboFix 10-07-15.05 - Joyce 17/07/2010  16:03:02.1.2 - x86
                          Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.44.1033.18.2812.1698 [GMT 1:00]
                          Running from: c:\users\Joyce\Downloads\combo-Fix.exe
                          Command switches used :: c:\users\Joyce\Desktop\CFscript.txt
                          AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
                          SP: AVG Anti-Virus Free *enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
                          SP: SUPERAntiSpyware *enabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
                          SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
                           * Created a new restore point
                          .

                          (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
                          .

                          C:\DFRB349.tmp
                          C:\fb20100611.log
                          c:\program files\webserver
                          c:\users\Joyce\AppData\Roaming\Raepmi\puqa.exe
                          c:\users\Joyce\GoToAssistDownloadHelper.exe
                          c:\users\Public\RemoveSGP.exe
                          c:\windows\system32\1687060122.dat

                          Infected copy of c:\windows\system32\drivers\rdpencdd.sys was found and disinfected
                          Restored copy from - Kitty ate it :p
                          .
                          (((((((((((((((((((((((((   Files Created from 2010-06-17 to 2010-07-17  )))))))))))))))))))))))))))))))
                          .

                          2010-07-17 15:21 . 2010-07-17 15:55   --------   d-----w-   c:\users\Joyce\AppData\Local\temp
                          2010-07-17 15:21 . 2010-07-17 15:21   --------   d-----w-   c:\users\neil\AppData\Local\temp
                          2010-07-17 15:21 . 2010-07-17 15:21   --------   d-----w-   c:\users\Default\AppData\Local\temp
                          2010-07-17 07:53 . 2010-07-17 07:53   12536   ----a-w-   c:\windows\system32\avgrsstx.dll
                          2010-07-16 11:38 . 2010-07-16 11:38   --------   d-----w-   c:\program files\7-Zip
                          2010-07-09 15:23 . 2010-04-12 16:29   411368   ----a-w-   c:\windows\system32\deployJava1.dll
                          2010-07-09 11:17 . 2010-07-09 11:17   --------   d-----w-   c:\users\Joyce\AppData\Roaming\SUPERAntiSpyware.com
                          2010-07-09 11:17 . 2010-07-09 11:17   --------   d-----w-   c:\programdata\SUPERAntiSpyware.com
                          2010-07-09 11:17 . 2010-07-09 11:17   --------   d-----w-   c:\program files\SUPERAntiSpyware
                          2010-07-09 11:10 . 2010-07-09 11:10   --------   d-----w-   c:\program files\CCleaner
                          2010-07-08 15:44 . 2010-07-09 11:14   --------   d-----w-   c:\programdata\Spybot - Search & Destroy
                          2010-07-08 15:44 . 2010-07-08 15:48   --------   d-----w-   c:\program files\Spybot - Search & Destroy
                          2010-07-07 20:34 . 2010-07-07 20:34   --------   d-----w-   c:\users\Joyce\AppData\Local\Sunbelt Software
                          2010-07-07 20:33 . 2010-07-07 20:33   --------   dc-h--w-   c:\programdata\{65893B95-F47B-4483-B883-86BA181E9B54}
                          2010-07-07 11:52 . 2010-07-07 11:52   --------   d-----w-   c:\program files\temp
                          2010-06-29 10:40 . 2008-01-21 02:24   25088   ----a-w-   c:\windows\system32\stu2.exe

                          .
                          ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
                          .
                          2010-07-17 15:46 . 2008-06-26 06:07   --------   d-----w-   c:\programdata\hpqLog
                          2010-07-17 15:44 . 2009-01-09 17:26   12   ----a-w-   c:\windows\bthservsdp.dat
                          2010-07-17 10:40 . 2009-01-26 15:31   --------   d-----w-   c:\program files\LogMeIn
                          2010-07-17 07:53 . 2010-07-17 07:53   242896   ----a-w-   c:\programdata\avg9\update\backup\avgtdix.sys
                          2010-07-17 07:53 . 2010-07-17 07:53   216200   ----a-w-   c:\programdata\avg9\update\backup\avgldx86.sys
                          2010-07-17 07:53 . 2010-03-17 12:01   243024   ----a-w-   c:\windows\system32\drivers\avgtdix.sys
                          2010-07-17 07:52 . 2009-01-02 21:09   216400   ----a-w-   c:\windows\system32\drivers\avgldx86.sys
                          2010-07-17 07:51 . 2010-07-17 07:51   813336   ----a-w-   c:\programdata\avg9\update\backup\avginet.dll
                          2010-07-17 07:51 . 2010-07-17 07:51   624920   ----a-w-   c:\programdata\avg9\update\backup\avgiproxy.exe
                          2010-07-17 07:51 . 2010-07-17 07:51   1690464   ----a-w-   c:\programdata\avg9\update\backup\avgupd.dll
                          2010-07-17 07:51 . 2010-07-17 07:51   1038688   ----a-w-   c:\programdata\avg9\update\backup\avgupd.exe
                          2010-07-16 19:52 . 2009-02-01 10:38   --------   d-----w-   c:\programdata\Google Updater
                          2010-07-09 15:23 . 2008-06-26 07:14   --------   d-----w-   c:\program files\Common Files\Java
                          2010-07-09 15:23 . 2008-06-26 07:14   --------   d-----w-   c:\program files\Java
                          2010-07-09 11:18 . 2010-07-09 11:18   63488   ----a-w-   c:\users\Joyce\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
                          2010-07-09 11:18 . 2010-07-09 11:18   52224   ----a-w-   c:\users\Joyce\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
                          2010-07-09 11:18 . 2010-07-09 11:18   117760   ----a-w-   c:\users\Joyce\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
                          2010-07-09 08:42 . 2010-02-15 14:13   69222840   ----a-w-   c:\users\Joyce\AppData\Roaming\Nokia\Ovi Suite\Software Updater\NokiaOviSuite2Installer.exe
                          2010-07-07 20:31 . 2010-06-11 09:12   --------   d-----w-   c:\program files\Lavasoft
                          2010-07-06 17:29 . 2010-07-07 20:33   2979280   -c--a-w-   c:\programdata\{65893B95-F47B-4483-B883-86BA181E9B54}\Ad-AwareInstall.exe
                          2010-07-06 17:28 . 2010-06-11 13:03   64288   ----a-w-   c:\windows\system32\drivers\Lbd.sys
                          2010-07-06 17:28 . 2010-06-11 10:26   15880   ----a-w-   c:\windows\system32\lsdelete.exe
                          2010-07-01 11:07 . 2010-07-01 11:07   434176   ----a-w-   c:\programdata\Trusteer\Rapport\store\exts\RapportMS\17053\RapportMS.dll
                          2010-06-29 20:38 . 2010-06-29 20:38   73728   ----a-w-   c:\programdata\Trusteer\Rapport\store\exts\RapportMR\16072\ncqo.exe
                          2010-06-29 20:38 . 2010-06-29 20:38   417792   ----a-w-   c:\programdata\Trusteer\Rapport\store\exts\RapportMR\16072\RapportMR.dll
                          2010-06-29 20:38 . 2010-03-03 00:46   --------   d-----w-   c:\users\Joyce\AppData\Roaming\Raepmi
                          2010-06-29 10:56 . 2009-04-14 03:17   --------   d-----w-   c:\users\Joyce\AppData\Roaming\Ebqek
                          2010-06-23 10:28 . 2010-06-23 10:28   501936   ----a-w-   c:\programdata\Google\Google Toolbar\Update\gtbECD3.tmp.exe
                          2010-06-16 21:29 . 2009-03-20 21:07   --------   d-----w-   c:\users\Joyce\AppData\Roaming\uTorrent
                          2010-06-11 20:52 . 2009-02-15 20:32   680   ----a-w-   c:\users\Joyce\AppData\Local\d3d9caps.dat
                          2010-06-11 13:01 . 2010-06-11 13:02   95024   ----a-w-   c:\windows\system32\drivers\SBREDrv.sys
                          2010-06-11 09:14 . 2010-06-11 09:12   --------   d-----w-   c:\programdata\Lavasoft
                          2010-06-11 02:30 . 2006-11-02 11:18   --------   d-----w-   c:\program files\Windows Mail
                          2010-06-10 14:44 . 2009-01-26 15:31   83360   ----a-w-   c:\windows\system32\LMIRfsClientNP.dll
                          2010-06-10 14:44 . 2009-01-26 15:31   29568   ----a-w-   c:\windows\system32\LMIport.dll
                          2010-06-10 14:44 . 2009-01-26 15:31   87424   ----a-w-   c:\windows\system32\LMIinit.dll
                          2010-06-08 19:40 . 2009-01-26 15:34   --------   d-----w-   c:\programdata\Rosetta Stone
                          2010-06-03 08:29 . 2009-01-02 21:09   29584   ----a-w-   c:\windows\system32\drivers\avgmfx86.sys
                          2010-05-26 17:06 . 2010-06-10 14:57   34304   ----a-w-   c:\windows\system32\atmlib.dll
                          2010-05-26 14:47 . 2010-06-10 14:57   289792   ----a-w-   c:\windows\system32\atmfd.dll
                          2010-05-04 05:59 . 2010-06-10 14:57   916480   ----a-w-   c:\windows\system32\wininet.dll
                          2010-05-04 05:55 . 2010-06-10 14:57   71680   ----a-w-   c:\windows\system32\iesetup.dll
                          2010-05-04 05:55 . 2010-06-10 14:57   109056   ----a-w-   c:\windows\system32\iesysprep.dll
                          2010-05-04 04:31 . 2010-06-10 14:57   133632   ----a-w-   c:\windows\system32\ieUnatt.exe
                          2010-05-01 14:13 . 2010-06-10 14:58   2037248   ----a-w-   c:\windows\system32\win32k.sys
                          2010-04-29 14:39 . 2009-11-21 22:48   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
                          2010-04-29 14:39 . 2009-11-21 22:48   20952   ----a-w-   c:\windows\system32\drivers\mbam.sys
                          2010-04-23 14:13 . 2010-05-26 12:18   2048   ----a-w-   c:\windows\system32\tzres.dll
                          2008-06-26 06:17 . 2008-06-26 06:17   8192   --sha-w-   c:\windows\Users\Default\NTUSER.DAT
                          .

                          (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
                          .
                          .
                          *Note* empty entries & legit default entries are not shown
                          REGEDIT4

                          [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                          "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
                          "LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2008-03-18 2289664]
                          "ISUSPM"="c:\programdata\Macrovision\FLEXnet Connect\6\ISUSPM.exe" [2007-03-29 222128]
                          "msnmsgr"="c:\program files\MSN Messenger\msnmsgr.exe" [2007-01-19 5674352]
                          "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
                          "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-02-01 39408]
                          "NokiaOviSuite2"="c:\program files\Nokia\Nokia Ovi Suite\NokiaOviSuite.exe" [2009-12-10 401728]

                          [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                          "NokiaMServer"="c:\program files\Common Files\Nokia\MPlatform\NokiaMServer" [X]
                          "Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
                          "StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]
                          "accrdsub"="c:\program files\ActivIdentity\ActivClient\accrdsub.exe" [2007-05-15 293168]
                          "PTHOSTTR"="c:\program files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE" [2008-06-02 238984]
                          "CognizanceTS"="c:\progra~1\HEWLET~1\IAM\Bin\ASTSVCC.dll" [2008-05-21 24848]
                          "PDF Complete"="c:\program files\PDF Complete\pdfsty.exe" [2008-05-12 318488]
                          "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-03-27 1045800]
                          "hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2008-04-15 488752]
                          "HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-04-15 70912]
                          "File Sanitizer"="c:\program files\Hewlett-Packard\File Sanitizer\CoreShredder.exe" [2008-05-14 10244096]
                          "QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2008-05-14 177456]
                          "WatchDog"="c:\program files\InterVideo\DVD Check\DVDCheck.exe" [2008-05-24 197904]
                          "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
                          "LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-07-24 63048]
                          "NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
                          "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
                          "HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2008-12-08 54576]
                          "SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2008-04-04 1314816]
                          "NokiaMusic FastStart"="c:\program files\Nokia\Ovi Player\NokiaOviPlayer.exe" [2009-11-06 2090272]

                          c:\users\Joyce\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
                          MagicDisc.lnk - c:\program files\MagicDisc\MagicDisc.exe [2009-1-6 575488]

                          c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
                          Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2008-5-13 727592]
                          DVD Check.lnk - c:\program files\InterVideo\DVD Check\DVDCheck.exe [2008-6-26 197904]

                          [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
                          "ConsentPromptBehaviorAdmin"= 0 (0x0)
                          "EnableLUA"= 0 (0x0)
                          "EnableUIADesktopToggle"= 0 (0x0)

                          [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
                          "AppInit_DLLs"=c:\windows\System32\APSHook.dll c:\windows\System32\avgrsstx.dll c:\windows\System32\APSHook.dll c:\windows\System32\APSHook.dll c:\windows\System32\APSHook.dll

                          [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
                          @="Service"

                          [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sr.sys]
                          @="FSFilter System Recovery"

                          [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
                          @="Driver"

                          [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
                          @="Service"

                          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG9_TRAY]
                          2010-07-17 07:53   2065760   ----a-w-   c:\progra~1\AVG\AVG9\avgtray.exe

                          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
                          2010-06-29 17:48   2403568   ----a-w-   c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe

                          [HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
                          "VistaSp2"=hex(b):cb,f9,ce,63,98,46,ca,01

                          R2 0119181230928706mcinstcleanup;McAfee Application Installer Cleanup (0119181230928706);c:\windows\TEMP\011918~1.EXE

                          R2 DhcpTHREADORDER;DHCP Client DhcpTHREADORDER;c:\windows\system32\accelerometerSTm.exe

                          R2 gupdate1c984595a42a400;Google Update Service (gupdate1c984595a42a400);c:\program files\Google\Update\GoogleUpdate.exe [2009-02-01 133104]
                          R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60x.sys [2008-01-21 179712]
                          R4 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [2010-07-17 308136]
                          S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2010-07-06 64288]
                          S0 SafeBoot;SafeBoot;

                          S0 SbAlg;SbAlg;

                          S0 SbFsLock;SbFsLock;

                          S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2010-07-17 216400]
                          S1 AvgTdiX;AVG Free Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2010-07-17 243024]
                          S1 RapportBuka;RapportBuka;c:\windows\system32\drivers\RapportBuka.sys [2010-02-28 390528]
                          S1 RapportKELL;RapportKELL;c:\program files\Trusteer\Rapport\bin\RapportKELL.sys [2010-07-01 59240]
                          S1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [2010-07-01 166632]
                          S1 RsvLock;RsvLock;

                          S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-17 12872]
                          S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2010-05-10 67656]
                          S2 accoca;ActivClient Middleware Service;c:\program files\ActivIdentity\ActivClient\accoca.exe [2007-05-15 182576]
                          S2 ASBroker;Logon Session Broker;c:\windows\System32\svchost.exe [2008-01-21 21504]
                          S2 ASChannel;Local Communication Channel;c:\windows\System32\svchost.exe [2008-01-21 21504]
                          S2 HP ProtectTools Service;HP ProtectTools Service;c:\program files\Hewlett-Packard\HP ProtectTools Security Manager\PTChangeFilterService.exe [2008-06-02 18944]
                          S2 HpFkCryptService;Drive Encryption Service;c:\program files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe [2008-05-30 256512]
                          S2 HPFSService;File Sanitizer for HP ProtectTools;c:\program files\Hewlett-Packard\File Sanitizer\HPFSService.exe [2008-05-14 77824]
                          S2 hpsrv;HP Service;c:\windows\system32\Hpservice.exe [2008-04-07 24936]
                          S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2010-07-06 1352832]
                          S2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\RaInfo.sys [2008-07-24 12856]
                          S2 pdfcDispatcher;PDF Document Manager;c:\program files\PDF Complete\pdfsvc.exe [2008-05-12 576024]
                          S2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [2010-07-01 840936]
                          S3 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2008-04-03 193840]


                          [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
                          Cognizance   REG_MULTI_SZ      ASBroker ASChannel
                          HPZ12   REG_MULTI_SZ      Pml Driver HPZ12 Net Driver HPZ12
                          bthsvcs   REG_MULTI_SZ      BthServ
                          LocalServiceAndNoImpersonation   REG_MULTI_SZ      FontCache

                          [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
                          2008-03-18 00:56   451872   ----a-w-   c:\program files\Common Files\LightScribe\LSRunOnce.exe
                          .
                          Contents of the 'Scheduled Tasks' folder

                          2010-07-17 c:\windows\Tasks\Google Software Updater.job
                          - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-02-01 08:30]

                          2010-07-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
                          - c:\program files\Google\Update\GoogleUpdate.exe [2009-02-01 10:39]

                          2010-07-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
                          - c:\program files\Google\Update\GoogleUpdate.exe [2009-02-01 10:39]

                          2010-07-16 c:\windows\Tasks\User_Feed_Synchronization-{580DF64F-48A0-499D-98CB-C46749C12044}.job
                          - c:\windows\system32\msfeedssync.exe [2010-06-10 04:30]
                          .
                          .
                          ------- Supplementary Scan -------
                          .
                          uStart Page = hxxp://uk.yahoo.com/
                          mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_gb&c=83&bd=all&pf=cmnb
                          IE: &AOL Toolbar Search - c:\programdata\AOL\ieToolbar\resources\en-GB\local\search.html
                          IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
                          IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
                          IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
                          IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
                          FF - ProfilePath - c:\users\Joyce\AppData\Roaming\Mozilla\Firefox\Profiles\ohvrxg14.default\
                          FF - prefs.js: browser.startup.homepage - hxxp://uk.yahoo.com/
                          FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
                          FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
                          FF - plugin: c:\program files\Google\Update\1.2.183.27\npGoogleOneClick8.dll
                          FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
                          FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

                          ---- FIREFOX POLICIES ----
                          FF - user.js: network.cookie.cookieBehavior - 0
                          FF - user.js: privacy.clearOnShutdown.cookies - false
                          FF - user.js: security.warn_viewing_mixed - false
                          FF - user.js: security.warn_viewing_mixed.show_once - false
                          FF - user.js: security.warn_submit_insecure - false
                          FF - user.js: security.warn_submit_insecure.show_once - false
                          c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
                          c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
                          c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
                          c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
                          c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
                          c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
                          c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
                          c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
                          c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
                          c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type",                  5);
                          c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
                          c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
                          c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
                          c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
                          c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
                          c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
                          c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation",  false);
                          c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
                          c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
                          c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
                          c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
                          c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
                          c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
                          c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
                          c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
                          .
                          - - - - ORPHANS REMOVED - - - -

                          HKCU-Run-IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} - c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
                          HKCU-Run-{4C4F084C-DC11-DEB1-0E29-42CD091F277C} - c:\users\Joyce\AppData\Roaming\Raepmi\puqa.exe
                          HKLM-Run-NBKeyScan - c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe
                          HKLM-Run-FBSSA - c:\program files\SGPSA\ie3sh.exe
                          SafeBoot-dmboot.sys
                          SafeBoot-dmio.sys
                          SafeBoot-dmload.sys
                          SafeBoot-dmadmin
                          SafeBoot-dmserver
                          SafeBoot-SRService
                          AddRemove-HijackThis - c:\program files\Trend Micro\HijackThis\HijackThis.exe



                          **************************************************************************

                          catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
                          Rootkit scan 2010-07-17 16:58
                          Windows 6.0.6002 Service Pack 2 NTFS

                          scanning hidden processes ... 

                          scanning hidden autostart entries ...

                          HKLM\Software\Microsoft\Windows\CurrentVersion\Run
                            FBSSA = c:\program files\SGPSA\ie3sh.exe?wb3sh.dll?=&???????8E0E4715-8917-43ff-B639-C470296546B8}?v=????????

                          scanning hidden files ... 

                          scan completed successfully
                          hidden files: 0

                          **************************************************************************

                          [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\pdfcDispatcher]
                          "ImagePath"="c:\program files\PDF Complete\pdfsvc.exe /startedbyscm:66B66708-40E2BE4D-pdfcService"
                          .
                          --------------------- LOCKED REGISTRY KEYS ---------------------

                          [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
                          @Denied: (A) (Users)
                          @Denied: (A) (Everyone)
                          @Allowed: (B 1 2 3 4 5) (S-1-5-20)
                          "BlindDial"=dword:00000000
                          "MSCurrentCountry"=dword:000000b5

                          [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
                          @Denied: (A) (Users)
                          @Denied: (A) (Everyone)
                          @Allowed: (B 1 2 3 4 5) (S-1-5-20)
                          "BlindDial"=dword:00000000

                          [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
                          @Denied: (A) (Users)
                          @Denied: (A) (Everyone)
                          @Allowed: (B 1 2 3 4 5) (S-1-5-20)
                          "BlindDial"=dword:00000000
                          .
                          --------------------- DLLs Loaded Under Running Processes ---------------------

                          - - - - - - - > 'Explorer.exe'(1132)
                          c:\program files\Trusteer\Rapport\bin\rooksbas.dll
                          c:\windows\system32\btmmhook.dll
                          c:\program files\Hewlett-Packard\File Sanitizer\HPPMDesktopIcon.dll
                          c:\windows\system32\btncopy.dll
                          .
                          ------------------------ Other Running Processes ------------------------
                          .
                          c:\windows\system32\Ati2evxx.exe
                          c:\windows\system32\Ati2evxx.exe
                          c:\windows\system32\WLANExt.exe
                          c:\windows\system32\AEADISRV.EXE
                          c:\windows\system32\agrsmsvc.exe
                          c:\program files\ActivIdentity\ActivClient\acevents.exe
                          c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
                          c:\program files\Common Files\LightScribe\LSSrvc.exe
                          c:\program files\LogMeIn\x86\RaMaint.exe
                          c:\program files\LogMeIn\x86\LogMeIn.exe
                          c:\program files\LogMeIn\x86\LMIGuardian.exe
                          c:\program files\Hewlett-Packard\Shared\hpqWmiEx.exe
                          c:\windows\system32\wbem\unsecapp.exe
                          c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
                          c:\program files\Hewlett-Packard\HP Health Check\hphc_service.exe
                          c:\program files\Common Files\Nokia\MPlatform\NokiaMServer.exe
                          c:\program files\Hewlett-Packard\HP Quick Launch Buttons\VolCtrl.exe
                          c:\program files\Hewlett-Packard\HP wireless Assistant\WiFiMsg.EXE
                          c:\program files\ActivIdentity\ActivClient\acevents.exe
                          c:\windows\ehome\ehmsas.exe
                          c:\program files\Hewlett-Packard\Shared\HpqToaster.exe
                          c:\program files\WIDCOMM\Bluetooth Software\BtStackServer.exe
                          c:\program files\LogMeIn\x86\LMIGuardian.exe
                          c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
                          c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
                          .
                          **************************************************************************
                          .
                          Completion time: 2010-07-17  17:02:30 - machine was rebooted
                          ComboFix-quarantined-files.txt  2010-07-17 16:02

                          Pre-Run: 139,923,234,816 bytes free
                          Post-Run: 139,884,859,392 bytes free

                          - - End Of File - - 85A42C08AFC060253548465CB58901A9