Cannot remove MBR: Alureo rootkit from Vista

Discussion in 'Virus and Malware Removal' started by doowop25, Mar 20, 2012.

  1. doowop25 Newcomer, in training Posts: 24

    There is a rootkit malware on my Vista computer called Alureo and it's being detected on this particular partition:

    MBR: \PHYSICALDRIVE0\Partition 3

    I only recall attracting this virus a couple of weeks ago prior to downloading MSE and Avast while browsing. I have recently uninstalled both programs. No program that I've used so far has been successful in removing Alureo.

    Per the request to fulfill the 5-step preliminary removal instructions, I have the Malwarebytes log file and the Gmer log file, but whenever I try to run the DDS file it just seems to run a scan: after 20 minutes there are still no log files popping up, and if I try to interrupt it my computer stalls and I have to force a reboot. Any help would be appreciated:

    Malwarebytes log file


    Malwarebytes Anti-Malware 1.60.1.1000
    www.malwarebytes.org

    Database version: v2012.03.20.07

    Windows Vista Service Pack 2 x86 NTFS
    Internet Explorer 9.0.8112.16421
    Dawon :: DAWON-PC [administrator]

    3/20/2012 1:21:38 PM
    mbam-log-2012-03-20 (13-21-38).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 267369
    Time elapsed: 8 minute(s), 16 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 0
    (No malicious items detected)

    (end)


    First half of Gmer log file

    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit scan 2012-03-20 15:23:38
    Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\0000005f WDC_WD32 rev.01.0
    Running: tykegnrd.exe; Driver: C:\Users\Dawon\AppData\Local\Temp\pwloapog.sys


    ---- System - GMER 1.0.15 ----

    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwAddBootEntry [0x91027DF8]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwAllocateVirtualMemory [0x9274FA5A]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwAssignProcessToJobObject [0x9102885E]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEvent [0x9102D2E4]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEventPair [0x9102D330]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateIoCompletion [0x9102D422]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateMutant [0x9102D252]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSection [0x9102D374]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSemaphore [0x9102D29A]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateTimer [0x9102D3DC]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteBootEntry [0x91027E44]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwFreeVirtualMemory [0x9274FB34]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwLoadDriver [0x91027AD6]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwModifyBootEntry [0x91027E90]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeKey [0x9102AD1C]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeMultipleKeys [0x91028B02]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEvent [0x9102D30E]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEventPair [0x9102D352]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenIoCompletion [0x9102D446]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenMutant [0x9102D278]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSection [0x9102D3AE]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSemaphore [0x9102D2C2]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenTimer [0x9102D400]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwProtectVirtualMemory [0x9274FCA0]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryObject [0x910289CE]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootEntryOrder [0x91027EDC]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootOptions [0x91027F28]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemInformation [0x91027B46]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemPowerState [0x91027CEA]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwShutdownSystem [0x91027C92]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSystemDebugControl [0x91027D5A]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwTerminateProcess [0x9274FD60]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwVdmControl [0x91027F74]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwWriteVirtualMemory [0x9274FBE0]

    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0x92765D92]
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObInsertObject
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject

    ---- Kernel code sections - GMER 1.0.15 ----

    .text ntkrnlpa.exe!KeSetEvent + 10D 81CC1890 4 Bytes [F8, 7D, 02, 91] {CLC ; JGE 0x5; XCHG ECX, EAX}
    .text ntkrnlpa.exe!KeSetEvent + 131 81CC18B4 4 Bytes [5A, FA, 74, 92] {POP EDX; CLI ; JZ 0xffffffffffffff96}
    .text ntkrnlpa.exe!KeSetEvent + 191 81CC1914 4 Bytes JMP 8454779A
    .text ntkrnlpa.exe!KeSetEvent + 1D1 81CC1954 8 Bytes [E4, D2, 02, 91, 30, D3, 02, ...] {IN AL, 0xd2; ADD DL, [ECX-0x6efd2cd0]}
    .text ntkrnlpa.exe!KeSetEvent + 1DD 81CC1960 4 Bytes [22, D4, 02, 91]
    .text ...
    PAGE ntkrnlpa.exe!ObMakeTemporaryObject 81DEC62F 5 Bytes JMP 92762C8C \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
    PAGE ntkrnlpa.exe!ObInsertObject 81E45543 5 Bytes JMP 9276474C \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
    PAGE ntkrnlpa.exe!ZwReplyWaitReceivePortEx + 110 81E4EE68 4 Bytes CALL 910291B5 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
    PAGE ntkrnlpa.exe!ZwAlpcSendWaitReceivePort + 121 81E52ADC 4 Bytes CALL 910291CB \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
    PAGE ntkrnlpa.exe!ZwCreateProcessEx 81EA6DCA 7 Bytes JMP 92765D96 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)

    ---- User code sections - GMER 1.0.15 ----

    .text C:\Windows\system32\svchost.exe[628] ntdll.dll!LdrLoadDll 76DD9378 5 Bytes JMP 000501F8
    .text C:\Windows\system32\svchost.exe[628] ntdll.dll!LdrUnloadDll 76DEB680 5 Bytes JMP 000503FC
    .text C:\Windows\system32\svchost.exe[628] kernel32.dll!GetBinaryTypeW + 70 754C2467 1 Byte [62]
    .text C:\Windows\system32\svchost.exe[628] ADVAPI32.dll!CreateServiceW 766F9EB4 5 Bytes JMP 000703FC
    .text C:\Windows\system32\svchost.exe[628] ADVAPI32.dll!DeleteService 766FA07E 5 Bytes JMP 00070600
    .text C:\Windows\system32\svchost.exe[628] ADVAPI32.dll!SetServiceObjectSecurity 76736CD9 5 Bytes JMP 00071014
    .text C:\Windows\system32\svchost.exe[628] ADVAPI32.dll!ChangeServiceConfigA 76736DD9 5 Bytes JMP 00070804
    .text C:\Windows\system32\svchost.exe[628] ADVAPI32.dll!ChangeServiceConfigW 76736F81 5 Bytes JMP 00070A08
    .text C:\Windows\system32\svchost.exe[628] ADVAPI32.dll!ChangeServiceConfig2A 76737099 5 Bytes JMP 00070C0C
    .text C:\Windows\system32\svchost.exe[628] ADVAPI32.dll!ChangeServiceConfig2W 767371E1 5 Bytes JMP 00070E10
    .text C:\Windows\system32\svchost.exe[628] ADVAPI32.dll!CreateServiceA 767372A1 5 Bytes JMP 000701F8
    .text C:\Windows\system32\csrss.exe[636] KERNEL32.dll!GetBinaryTypeW + 70 754C2467 1 Byte [62]
    .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[644] ntdll.dll!LdrLoadDll 76DD9378 5 Bytes JMP 000601F8
    .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[644] ntdll.dll!LdrUnloadDll 76DEB680 5 Bytes JMP 000603FC
    .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[644] kernel32.dll!GetBinaryTypeW + 70 754C2467 1 Byte [62]
    .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[644] USER32.dll!SetWindowsHookExA 76856322 5 Bytes JMP 00070600
    .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[644] USER32.dll!SetWindowsHookExW 768587AD 5 Bytes JMP 00070804
    .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[644] USER32.dll!UnhookWindowsHookEx 768598DB 5 Bytes JMP 00070A08
    .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[644] USER32.dll!SetWinEventHook 76859F3A 5 Bytes JMP 000701F8
    .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[644] USER32.dll!UnhookWinEvent 7685C06F 5 Bytes JMP 000703FC
    .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[644] ADVAPI32.dll!CreateServiceW 766F9EB4 5 Bytes JMP 000803FC
    .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[644] ADVAPI32.dll!DeleteService 766FA07E 5 Bytes JMP 00080600
    .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[644] ADVAPI32.dll!SetServiceObjectSecurity 76736CD9 5 Bytes JMP 00081014
    .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[644] ADVAPI32.dll!ChangeServiceConfigA 76736DD9 5 Bytes JMP 00080804
    .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[644] ADVAPI32.dll!ChangeServiceConfigW 76736F81 5 Bytes JMP 00080A08
    .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[644] ADVAPI32.dll!ChangeServiceConfig2A 76737099 5 Bytes JMP 00080C0C
    .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[644] ADVAPI32.dll!ChangeServiceConfig2W 767371E1 5 Bytes JMP 00080E10
    .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[644] ADVAPI32.dll!CreateServiceA 767372A1 5 Bytes JMP 000801F8
    .text C:\Windows\system32\wininit.exe[688] ntdll.dll!LdrLoadDll 76DD9378 5 Bytes JMP 000301F8
    .text C:\Windows\system32\wininit.exe[688] ntdll.dll!LdrUnloadDll 76DEB680 5 Bytes JMP 000303FC
    .text C:\Windows\system32\wininit.exe[688] kernel32.dll!GetBinaryTypeW + 70 754C2467 1 Byte [62]
    .text C:\Windows\system32\wininit.exe[688] ADVAPI32.dll!CreateServiceW 766F9EB4 5 Bytes JMP 000503FC
    .text C:\Windows\system32\wininit.exe[688] ADVAPI32.dll!DeleteService 766FA07E 5 Bytes JMP 00050600
    .text C:\Windows\system32\wininit.exe[688] ADVAPI32.dll!SetServiceObjectSecurity 76736CD9 5 Bytes JMP 00051014
    .text C:\Windows\system32\wininit.exe[688] ADVAPI32.dll!ChangeServiceConfigA 76736DD9 5 Bytes JMP 00050804
    .text C:\Windows\system32\wininit.exe[688] ADVAPI32.dll!ChangeServiceConfigW 76736F81 5 Bytes JMP 00050A08
    .text C:\Windows\system32\wininit.exe[688] ADVAPI32.dll!ChangeServiceConfig2A 76737099 5 Bytes JMP 00050C0C
    .text C:\Windows\system32\wininit.exe[688] ADVAPI32.dll!ChangeServiceConfig2W 767371E1 5 Bytes JMP 00050E10
    .text C:\Windows\system32\wininit.exe[688] ADVAPI32.dll!CreateServiceA 767372A1 5 Bytes JMP 000501F8
    .text C:\Windows\system32\wininit.exe[688] USER32.dll!SetWindowsHookExA 76856322 5 Bytes JMP 00060600
    .text C:\Windows\system32\wininit.exe[688] USER32.dll!SetWindowsHookExW 768587AD 5 Bytes JMP 00060804
    .text C:\Windows\system32\wininit.exe[688] USER32.dll!UnhookWindowsHookEx 768598DB 5 Bytes JMP 00060A08
    .text C:\Windows\system32\wininit.exe[688] USER32.dll!SetWinEventHook 76859F3A 5 Bytes JMP 000601F8
    .text C:\Windows\system32\wininit.exe[688] USER32.dll!UnhookWinEvent 7685C06F 5 Bytes JMP 000603FC
    .text C:\Windows\system32\csrss.exe[696] KERNEL32.dll!GetBinaryTypeW + 70 754C2467 1 Byte [62]
    .text C:\Windows\system32\services.exe[732] ntdll.dll!LdrLoadDll 76DD9378 5 Bytes JMP 000501F8
    .text C:\Windows\system32\services.exe[732] ntdll.dll!LdrUnloadDll 76DEB680 5 Bytes JMP 000503FC
    .text C:\Windows\system32\services.exe[732] kernel32.dll!GetBinaryTypeW + 70 754C2467 1 Byte [62]
    .text C:\Windows\system32\services.exe[732] ADVAPI32.dll!CreateServiceW 766F9EB4 5 Bytes JMP 000703FC
    .text C:\Windows\system32\services.exe[732] ADVAPI32.dll!DeleteService 766FA07E 5 Bytes JMP 00070600
    .text C:\Windows\system32\services.exe[732] ADVAPI32.dll!SetServiceObjectSecurity 76736CD9 5 Bytes JMP 00071014
    .text C:\Windows\system32\services.exe[732] ADVAPI32.dll!ChangeServiceConfigA 76736DD9 5 Bytes JMP 00070804
    .text C:\Windows\system32\services.exe[732] ADVAPI32.dll!ChangeServiceConfigW 76736F81 5 Bytes JMP 00070A08
    .text C:\Windows\system32\services.exe[732] ADVAPI32.dll!ChangeServiceConfig2A 76737099 5 Bytes JMP 00070C0C
    .text C:\Windows\system32\services.exe[732] ADVAPI32.dll!ChangeServiceConfig2W 767371E1 5 Bytes JMP 00070E10
    .text C:\Windows\system32\services.exe[732] ADVAPI32.dll!CreateServiceA 767372A1 5 Bytes JMP 000701F8
    .text C:\Windows\system32\services.exe[732] USER32.dll!SetWindowsHookExA 76856322 5 Bytes JMP 00080600
    .text C:\Windows\system32\services.exe[732] USER32.dll!SetWindowsHookExW 768587AD 5 Bytes JMP 00080804
    .text C:\Windows\system32\services.exe[732] USER32.dll!UnhookWindowsHookEx 768598DB 5 Bytes JMP 00080A08
    .text C:\Windows\system32\services.exe[732] USER32.dll!SetWinEventHook 76859F3A 5 Bytes JMP 000801F8
    .text C:\Windows\system32\services.exe[732] USER32.dll!UnhookWinEvent 7685C06F 5 Bytes JMP 000803FC
    .text C:\Windows\system32\lsass.exe[748] ntdll.dll!LdrLoadDll 76DD9378 5 Bytes JMP 000501F8
    .text C:\Windows\system32\lsass.exe[748] ntdll.dll!LdrUnloadDll 76DEB680 5 Bytes JMP 000503FC
    .text C:\Windows\system32\lsass.exe[748] kernel32.dll!GetBinaryTypeW + 70 754C2467 1 Byte [62]
    .text C:\Windows\system32\lsass.exe[748] ADVAPI32.dll!CreateServiceW 766F9EB4 5 Bytes JMP 000B03FC
    .text C:\Windows\system32\lsass.exe[748] ADVAPI32.dll!DeleteService 766FA07E 5 Bytes JMP 000B0600
    .text C:\Windows\system32\lsass.exe[748] ADVAPI32.dll!SetServiceObjectSecurity 76736CD9 5 Bytes JMP 000B1014
    .text C:\Windows\system32\lsass.exe[748] ADVAPI32.dll!ChangeServiceConfigA 76736DD9 5 Bytes JMP 000B0804
    .text C:\Windows\system32\lsass.exe[748] ADVAPI32.dll!ChangeServiceConfigW 76736F81 5 Bytes JMP 000B0A08
    .text C:\Windows\system32\lsass.exe[748] ADVAPI32.dll!ChangeServiceConfig2A 76737099 5 Bytes JMP 000B0C0C
    .text C:\Windows\system32\lsass.exe[748] ADVAPI32.dll!ChangeServiceConfig2W 767371E1 5 Bytes JMP 000B0E10
    .text C:\Windows\system32\lsass.exe[748] ADVAPI32.dll!CreateServiceA 767372A1 5 Bytes JMP 000B01F8
    .text C:\Windows\system32\lsass.exe[748] USER32.dll!SetWindowsHookExA 76856322 5 Bytes JMP 000C0600
    .text C:\Windows\system32\lsass.exe[748] USER32.dll!SetWindowsHookExW 768587AD 5 Bytes JMP 000C0804
    .text C:\Windows\system32\lsass.exe[748] USER32.dll!UnhookWindowsHookEx 768598DB 5 Bytes JMP 000C0A08
    .text C:\Windows\system32\lsass.exe[748] USER32.dll!SetWinEventHook 76859F3A 5 Bytes JMP 000C01F8
    .text C:\Windows\system32\lsass.exe[748] USER32.dll!UnhookWinEvent 7685C06F 5 Bytes JMP 000C03FC
    .text C:\Windows\system32\lsm.exe[760] ntdll.dll!LdrLoadDll 76DD9378 5 Bytes JMP 000501F8
    .text C:\Windows\system32\lsm.exe[760] ntdll.dll!LdrUnloadDll 76DEB680 5 Bytes JMP 000503FC
    .text C:\Windows\system32\lsm.exe[760] kernel32.dll!GetBinaryTypeW + 70 754C2467 1 Byte [62]
    .text C:\Windows\system32\lsm.exe[760] ADVAPI32.dll!CreateServiceW 766F9EB4 5 Bytes JMP 000703FC
    .text C:\Windows\system32\lsm.exe[760] ADVAPI32.dll!DeleteService 766FA07E 5 Bytes JMP 00070600
    .text C:\Windows\system32\lsm.exe[760] ADVAPI32.dll!SetServiceObjectSecurity 76736CD9 5 Bytes JMP 00071014
    .text C:\Windows\system32\lsm.exe[760] ADVAPI32.dll!ChangeServiceConfigA 76736DD9 5 Bytes JMP 00070804
    .text C:\Windows\system32\lsm.exe[760] ADVAPI32.dll!ChangeServiceConfigW 76736F81 5 Bytes JMP 00070A08
    .text C:\Windows\system32\lsm.exe[760] ADVAPI32.dll!ChangeServiceConfig2A 76737099 5 Bytes JMP 00070C0C
    .text C:\Windows\system32\lsm.exe[760] ADVAPI32.dll!ChangeServiceConfig2W 767371E1 5 Bytes JMP 00070E10
    .text C:\Windows\system32\lsm.exe[760] ADVAPI32.dll!CreateServiceA 767372A1 5 Bytes JMP 000701F8
    .text C:\Program Files\Bonjour\mDNSResponder.exe[780] ntdll.dll!LdrLoadDll 76DD9378 5 Bytes JMP 001501F8
    .text C:\Program Files\Bonjour\mDNSResponder.exe[780] ntdll.dll!LdrUnloadDll 76DEB680 5 Bytes JMP 001503FC
    .text C:\Program Files\Bonjour\mDNSResponder.exe[780] kernel32.dll!GetBinaryTypeW + 70 754C2467 1 Byte [62]
    .text C:\Program Files\Bonjour\mDNSResponder.exe[780] ADVAPI32.dll!CreateServiceW 766F9EB4 5 Bytes JMP 001703FC
    .text C:\Program Files\Bonjour\mDNSResponder.exe[780] ADVAPI32.dll!DeleteService 766FA07E 5 Bytes JMP 00170600
    .text C:\Program Files\Bonjour\mDNSResponder.exe[780] ADVAPI32.dll!SetServiceObjectSecurity 76736CD9 5 Bytes JMP 00171014
    .text C:\Program Files\Bonjour\mDNSResponder.exe[780] ADVAPI32.dll!ChangeServiceConfigA 76736DD9 5 Bytes JMP 00170804
    .text C:\Program Files\Bonjour\mDNSResponder.exe[780] ADVAPI32.dll!ChangeServiceConfigW 76736F81 5 Bytes JMP 00170A08
    .text C:\Program Files\Bonjour\mDNSResponder.exe[780] ADVAPI32.dll!ChangeServiceConfig2A 76737099 5 Bytes JMP 00170C0C
    .text C:\Program Files\Bonjour\mDNSResponder.exe[780] ADVAPI32.dll!ChangeServiceConfig2W 767371E1 5 Bytes JMP 00170E10
    .text C:\Program Files\Bonjour\mDNSResponder.exe[780] ADVAPI32.dll!CreateServiceA 767372A1 5 Bytes JMP 001701F8
    .text C:\Program Files\Bonjour\mDNSResponder.exe[780] USER32.dll!SetWindowsHookExA 76856322 5 Bytes JMP 00180600
    .text C:\Program Files\Bonjour\mDNSResponder.exe[780] USER32.dll!SetWindowsHookExW 768587AD 5 Bytes JMP 00180804
    .text C:\Program Files\Bonjour\mDNSResponder.exe[780] USER32.dll!UnhookWindowsHookEx 768598DB 5 Bytes JMP 00180A08
    .text C:\Program Files\Bonjour\mDNSResponder.exe[780] USER32.dll!SetWinEventHook 76859F3A 5 Bytes JMP 001801F8
    .text C:\Program Files\Bonjour\mDNSResponder.exe[780] USER32.dll!UnhookWinEvent 7685C06F 5 Bytes JMP 001803FC
    .text C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe[808] ntdll.dll!LdrLoadDll 76DD9378 5 Bytes JMP 001401F8
    .text C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe[808] ntdll.dll!LdrUnloadDll 76DEB680 5 Bytes JMP 001403FC
    .text C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe[808] kernel32.dll!GetBinaryTypeW + 70 754C2467 1 Byte [62]
    .text C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe[808] ADVAPI32.dll!CreateServiceW 766F9EB4 5 Bytes JMP 001603FC
    .text C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe[808] ADVAPI32.dll!DeleteService 766FA07E 5 Bytes JMP 00160600
    .text C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe[808] ADVAPI32.dll!SetServiceObjectSecurity 76736CD9 5 Bytes JMP 00161014
    .text C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe[808] ADVAPI32.dll!ChangeServiceConfigA 76736DD9 5 Bytes JMP 00160804
    .text C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe[808] ADVAPI32.dll!ChangeServiceConfigW 76736F81 5 Bytes JMP 00160A08
    .text C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe[808] ADVAPI32.dll!ChangeServiceConfig2A 76737099 5 Bytes JMP 00160C0C
    .text C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe[808] ADVAPI32.dll!ChangeServiceConfig2W 767371E1 5 Bytes JMP 00160E10
    .text C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe[808] ADVAPI32.dll!CreateServiceA 767372A1 5 Bytes JMP 001601F8
    .text C:\Windows\system32\winlogon.exe[836] ntdll.dll!LdrLoadDll 76DD9378 5 Bytes JMP 000301F8
    .text C:\Windows\system32\winlogon.exe[836] ntdll.dll!LdrUnloadDll 76DEB680 5 Bytes JMP 000303FC
    .text C:\Windows\system32\winlogon.exe[836] kernel32.dll!GetBinaryTypeW + 70 754C2467 1 Byte [62]
    .text C:\Windows\system32\winlogon.exe[836] ADVAPI32.dll!CreateServiceW 766F9EB4 5 Bytes JMP 000603FC
    .text C:\Windows\system32\winlogon.exe[836] ADVAPI32.dll!DeleteService 766FA07E 5 Bytes JMP 00060600
    .text C:\Windows\system32\winlogon.exe[836] ADVAPI32.dll!SetServiceObjectSecurity 76736CD9 5 Bytes JMP 00061014
    .text C:\Windows\system32\winlogon.exe[836] ADVAPI32.dll!ChangeServiceConfigA 76736DD9 5 Bytes JMP 00060804
    .text C:\Windows\system32\winlogon.exe[836] ADVAPI32.dll!ChangeServiceConfigW 76736F81 5 Bytes JMP 00060A08
    .text C:\Windows\system32\winlogon.exe[836] ADVAPI32.dll!ChangeServiceConfig2A 76737099 5 Bytes JMP 00060C0C
    .text C:\Windows\system32\winlogon.exe[836] ADVAPI32.dll!ChangeServiceConfig2W 767371E1 5 Bytes JMP 00060E10
    .text C:\Windows\system32\winlogon.exe[836] ADVAPI32.dll!CreateServiceA 767372A1 5 Bytes JMP 000601F8
    .text C:\Windows\system32\winlogon.exe[836] USER32.dll!SetWindowsHookExA 76856322 5 Bytes JMP 00070600
    .text C:\Windows\system32\winlogon.exe[836] USER32.dll!SetWindowsHookExW 768587AD 5 Bytes JMP 00070804
    .text C:\Windows\system32\winlogon.exe[836] USER32.dll!UnhookWindowsHookEx 768598DB 5 Bytes JMP 00070A08
    .text C:\Windows\system32\winlogon.exe[836] USER32.dll!SetWinEventHook 76859F3A 5 Bytes JMP 000701F8
    .text C:\Windows\system32\winlogon.exe[836] USER32.dll!UnhookWinEvent 7685C06F 5 Bytes JMP 000703FC
    .text C:\Windows\system32\svchost.exe[900] ntdll.dll!LdrLoadDll 76DD9378 5 Bytes JMP 000501F8
    .text C:\Windows\system32\svchost.exe[900] ntdll.dll!LdrUnloadDll 76DEB680 5 Bytes JMP 000503FC
    .text C:\Windows\system32\svchost.exe[900] kernel32.dll!GetBinaryTypeW + 70 754C2467 1 Byte [62]
    .text C:\Windows\system32\svchost.exe[900] ADVAPI32.dll!CreateServiceW 766F9EB4 5 Bytes JMP 000703FC
    .text C:\Windows\system32\svchost.exe[900] ADVAPI32.dll!DeleteService 766FA07E 5 Bytes JMP 00070600
    .text C:\Windows\system32\svchost.exe[900] ADVAPI32.dll!SetServiceObjectSecurity 76736CD9 5 Bytes JMP 00071014
    .text C:\Windows\system32\svchost.exe[900] ADVAPI32.dll!ChangeServiceConfigA 76736DD9 5 Bytes JMP 00070804
    .text C:\Windows\system32\svchost.exe[900] ADVAPI32.dll!ChangeServiceConfigW 76736F81 5 Bytes JMP 00070A08
    .text C:\Windows\system32\svchost.exe[900] ADVAPI32.dll!ChangeServiceConfig2A 76737099 5 Bytes JMP 00070C0C
    .text C:\Windows\system32\svchost.exe[900] ADVAPI32.dll!ChangeServiceConfig2W 767371E1 5 Bytes JMP 00070E10
    .text C:\Windows\system32\svchost.exe[900] ADVAPI32.dll!CreateServiceA 767372A1 5 Bytes JMP 000701F8
    .text C:\Windows\system32\svchost.exe[940] ntdll.dll!LdrLoadDll 76DD9378 5 Bytes JMP 000901F8
    .text C:\Windows\system32\svchost.exe[940] ntdll.dll!LdrUnloadDll 76DEB680 5 Bytes JMP 000903FC
    .text C:\Windows\system32\svchost.exe[940] kernel32.dll!GetBinaryTypeW + 70 754C2467 1 Byte [62]
    .text C:\Windows\system32\svchost.exe[940] ADVAPI32.dll!CreateServiceW 766F9EB4 5 Bytes JMP 000B03FC
    .text C:\Windows\system32\svchost.exe[940] ADVAPI32.dll!DeleteService 766FA07E 5 Bytes JMP 000B0600
    .text C:\Windows\system32\svchost.exe[940] ADVAPI32.dll!SetServiceObjectSecurity 76736CD9 5 Bytes JMP 000B1014
    .text C:\Windows\system32\svchost.exe[940] ADVAPI32.dll!ChangeServiceConfigA 76736DD9 5 Bytes JMP 000B0804
    .text C:\Windows\system32\svchost.exe[940] ADVAPI32.dll!ChangeServiceConfigW 76736F81 5 Bytes JMP 000B0A08
    .text C:\Windows\system32\svchost.exe[940] ADVAPI32.dll!ChangeServiceConfig2A 76737099 5 Bytes JMP 000B0C0C
    .text C:\Windows\system32\svchost.exe[940] ADVAPI32.dll!ChangeServiceConfig2W 767371E1 5 Bytes JMP 000B0E10
    .text C:\Windows\system32\svchost.exe[940] ADVAPI32.dll!CreateServiceA 767372A1 5 Bytes JMP 000B01F8
    .text C:\Windows\system32\svchost.exe[948] ntdll.dll!LdrLoadDll 76DD9378 5 Bytes JMP 000501F8
    .text C:\Windows\system32\svchost.exe[948] ntdll.dll!LdrUnloadDll 76DEB680 5 Bytes JMP 000503FC
    .text C:\Windows\system32\svchost.exe[948] kernel32.dll!GetBinaryTypeW + 70 754C2467 1 Byte [62]
    .text C:\Windows\system32\svchost.exe[948] ADVAPI32.dll!CreateServiceW 766F9EB4 5 Bytes JMP 000703FC
    .text C:\Windows\system32\svchost.exe[948] ADVAPI32.dll!DeleteService 766FA07E 5 Bytes JMP 00070600
    .text C:\Windows\system32\svchost.exe[948] ADVAPI32.dll!SetServiceObjectSecurity 76736CD9 5 Bytes JMP 00071014
    .text C:\Windows\system32\svchost.exe[948] ADVAPI32.dll!ChangeServiceConfigA 76736DD9 5 Bytes JMP 00070804
    .text C:\Windows\system32\svchost.exe[948] ADVAPI32.dll!ChangeServiceConfigW 76736F81 5 Bytes JMP 00070A08
    .text C:\Windows\system32\svchost.exe[948] ADVAPI32.dll!ChangeServiceConfig2A 76737099 5 Bytes JMP 00070C0C
    .text C:\Windows\system32\svchost.exe[948] ADVAPI32.dll!ChangeServiceConfig2W 767371E1 5 Bytes JMP 00070E10
    .text C:\Windows\system32\svchost.exe[948] ADVAPI32.dll!CreateServiceA 767372A1 5 Bytes JMP 000701F8
    .text C:\Windows\system32\svchost.exe[1020] ntdll.dll!LdrLoadDll 76DD9378 5 Bytes JMP 000501F8
    .text C:\Windows\system32\svchost.exe[1020] ntdll.dll!LdrUnloadDll 76DEB680 5 Bytes JMP 000503FC
    .text C:\Windows\system32\svchost.exe[1020] kernel32.dll!GetBinaryTypeW + 70 754C2467 1 Byte [62]
    .text C:\Windows\system32\svchost.exe[1020] ADVAPI32.dll!CreateServiceW 766F9EB4 5 Bytes JMP 000703FC
    .text C:\Windows\system32\svchost.exe[1020] ADVAPI32.dll!DeleteService 766FA07E 5 Bytes JMP 00070600
    .text C:\Windows\system32\svchost.exe[1020] ADVAPI32.dll!SetServiceObjectSecurity 76736CD9 5 Bytes JMP 00071014
    .text C:\Windows\system32\svchost.exe[1020] ADVAPI32.dll!ChangeServiceConfigA 76736DD9 5 Bytes JMP 00070804
    .text C:\Windows\system32\svchost.exe[1020] ADVAPI32.dll!ChangeServiceConfigW 76736F81 5 Bytes JMP 00070A08
    .text C:\Windows\system32\svchost.exe[1020] ADVAPI32.dll!ChangeServiceConfig2A 76737099 5 Bytes JMP 00070C0C
    .text C:\Windows\system32\svchost.exe[1020] ADVAPI32.dll!ChangeServiceConfig2W 767371E1 5 Bytes JMP 00070E10
    .text C:\Windows\system32\svchost.exe[1020] ADVAPI32.dll!CreateServiceA 767372A1 5 Bytes JMP 000701F8
    .text C:\Windows\system32\svchost.exe[1020] USER32.dll!SetWindowsHookExA 76856322 5 Bytes JMP 00100600
    .text C:\Windows\system32\svchost.exe[1020] USER32.dll!SetWindowsHookExW 768587AD 5 Bytes JMP 00100804
    .text C:\Windows\system32\svchost.exe[1020] USER32.dll!UnhookWindowsHookEx 768598DB 5 Bytes JMP 00100A08
    .text C:\Windows\system32\svchost.exe[1020] USER32.dll!SetWinEventHook 76859F3A 5 Bytes JMP 001001F8
    .text C:\Windows\system32\svchost.exe[1020] USER32.dll!UnhookWinEvent 7685C06F 5 Bytes JMP 001003FC
    .text C:\Windows\System32\svchost.exe[1080] ntdll.dll!LdrLoadDll 76DD9378 5 Bytes JMP 000501F8
    .text C:\Windows\System32\svchost.exe[1080] ntdll.dll!LdrUnloadDll 76DEB680 5 Bytes JMP 000503FC
    .text C:\Windows\System32\svchost.exe[1080] kernel32.dll!GetBinaryTypeW + 70 754C2467 1 Byte [62]
    .text C:\Windows\System32\svchost.exe[1080] ADVAPI32.dll!CreateServiceW 766F9EB4 5 Bytes JMP 000703FC
    .text C:\Windows\System32\svchost.exe[1080] ADVAPI32.dll!DeleteService 766FA07E 5 Bytes JMP 00070600
    .text C:\Windows\System32\svchost.exe[1080] ADVAPI32.dll!SetServiceObjectSecurity 76736CD9 5 Bytes JMP 00071014
    .text C:\Windows\System32\svchost.exe[1080] ADVAPI32.dll!ChangeServiceConfigA 76736DD9 5 Bytes JMP 00070804
    .text C:\Windows\System32\svchost.exe[1080] ADVAPI32.dll!ChangeServiceConfigW 76736F81 5 Bytes JMP 00070A08
    .text C:\Windows\System32\svchost.exe[1080] ADVAPI32.dll!ChangeServiceConfig2A
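Editor's note, added to this thread and not part of the poster's submission or of GMER itself: a GMER log of this size is easier to triage when the hook lines are tallied by owner rather than read one by one. The Python below parses the two line shapes that make up most of the log above (`SSDT <driver> (<description/vendor>) <function> [<address>]` in the System section and `.text <process>[<pid>] <dll>!<function> [+ <offset>] <address> <n> Bytes <patch>` in the User code section) and groups them by hooking driver, vendor and hooked process. The regular expressions are my own fit to the format shown in the post, and the sample lines are a handful copied from the log above so the script runs offline.

```python
import re
from collections import Counter

# Constructed sample: a few lines copied verbatim from the GMER 1.0.15 log in
# the post above (SSDT section and user-mode ".text" section). It is only a
# fragment for the parser to exercise, not the poster's full log.
SAMPLE_LOG = r"""
---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwAddBootEntry [0x91027DF8]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwAllocateVirtualMemory [0x9274FA5A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwLoadDriver [0x91027AD6]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwTerminateProcess [0x9274FD60]

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\system32\svchost.exe[628] ntdll.dll!LdrLoadDll 76DD9378 5 Bytes JMP 000501F8
.text C:\Windows\system32\svchost.exe[628] ADVAPI32.dll!CreateServiceW 766F9EB4 5 Bytes JMP 000703FC
.text C:\Windows\system32\csrss.exe[636] KERNEL32.dll!GetBinaryTypeW + 70 754C2467 1 Byte [62]
.text C:\Windows\system32\lsass.exe[748] USER32.dll!SetWindowsHookExA 76856322 5 Bytes JMP 000C0600
"""

# Assumed line shapes, fitted to the format visible in the post above.
# The SSDT driver path is matched with \S+ because GMER prints kernel paths
# without spaces; the process path in ".text" lines may contain spaces, so it
# is matched lazily up to the "[pid]" suffix.
SSDT_RE = re.compile(
    r"^SSDT\s+(?P<module>\S+)\s+\((?P<desc>[^)]*)\)\s+(?P<func>\w+)\s+\[(?P<addr>0x[0-9A-Fa-f]+)\]"
)
USER_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+(?P<dll>[^!\s]+)!(?P<func>\w+)"
    r"(?:\s+\+\s+(?P<off>[0-9A-Fa-f]+))?\s+(?P<addr>[0-9A-Fa-f]{8})\s+(?P<n>\d+)\s+Bytes?\s+(?P<patch>.*)$"
)


def parse_gmer(text):
    """Return (ssdt_hooks, user_hooks) as lists of dicts; unrecognised lines are skipped."""
    ssdt, user = [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = SSDT_RE.match(line)
        if m:
            ssdt.append(m.groupdict())
            continue
        m = USER_RE.match(line)
        if m:
            user.append(m.groupdict())
    return ssdt, user


def ssdt_hooks_by_module(ssdt):
    """Count SSDT hooks per owning driver, keyed by the driver file name."""
    counts = Counter(h["module"].rsplit("\\", 1)[-1] for h in ssdt)
    return dict(counts)


def hooking_vendors(ssdt):
    """Distinct vendor strings GMER attached to the SSDT hooks ('description/vendor')."""
    return {h["desc"].rsplit("/", 1)[-1] for h in ssdt}


def user_hooks_by_process(user):
    """Count user-mode inline hooks per hooked process, keyed as 'exe[pid]'."""
    counts = Counter(f'{h["proc"].rsplit(chr(92), 1)[-1]}[{h["pid"]}]' for h in user)
    return dict(counts)


def byte_patches(user):
    """User-mode entries that are raw byte overwrites (e.g. '[62]') rather than JMP redirections."""
    return [h for h in user if not h["patch"].startswith("JMP")]


if __name__ == "__main__":
    ssdt, user = parse_gmer(SAMPLE_LOG)
    print("SSDT hooks by driver:", ssdt_hooks_by_module(ssdt))
    print("SSDT hook vendors:", hooking_vendors(ssdt))
    print("User-mode hooks by process:", user_hooks_by_process(user))
    print("Raw byte patches:", [(h["dll"], h["func"], h["patch"]) for h in byte_patches(user)])
```

Run over the full log in the post, the SSDT tally attributes every kernel hook to aswSnx.SYS or aswSP.SYS with vendor "AVAST Software", i.e. the antivirus's own self-protection and virtualization drivers, which is the kind of hooking a defender expects to see and not by itself evidence of the rootkit. The MBR detection the poster reports (`\PHYSICALDRIVE0\Partition 3`) is a separate finding that these hook listings do not show, so a summary like this mainly tells the helper what can be set aside before looking at the boot-sector result.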
  2. doowop25 Newcomer, in training Posts: 24

    Second half of Gmer log file


    76737099 5 Bytes JMP 00070C0C
    .text C:\Windows\System32\svchost.exe[1080] ADVAPI32.dll!ChangeServiceConfig2W 767371E1 5 Bytes JMP 00070E10
    .text C:\Windows\System32\svchost.exe[1080] ADVAPI32.dll!CreateServiceA 767372A1 5 Bytes JMP 000701F8
    .text C:\Windows\System32\svchost.exe[1080] USER32.dll!SetWindowsHookExA 76856322 5 Bytes JMP 000C0600
    .text C:\Windows\System32\svchost.exe[1080] USER32.dll!SetWindowsHookExW 768587AD 5 Bytes JMP 000C0804
    .text C:\Windows\System32\svchost.exe[1080] USER32.dll!UnhookWindowsHookEx 768598DB 5 Bytes JMP 000C0A08
    .text C:\Windows\System32\svchost.exe[1080] USER32.dll!SetWinEventHook 76859F3A 5 Bytes JMP 000C01F8
    .text C:\Windows\System32\svchost.exe[1080] USER32.dll!UnhookWinEvent 7685C06F 5 Bytes JMP 000C03FC
    .text C:\Windows\System32\svchost.exe[1108] ntdll.dll!LdrLoadDll 76DD9378 5 Bytes JMP 000501F8
    .text C:\Windows\System32\svchost.exe[1108] ntdll.dll!LdrUnloadDll 76DEB680 5 Bytes JMP 000503FC
    .text C:\Windows\System32\svchost.exe[1108] kernel32.dll!GetBinaryTypeW + 70 754C2467 1 Byte [62]
    .text C:\Windows\System32\svchost.exe[1108] ADVAPI32.dll!CreateServiceW 766F9EB4 5 Bytes JMP 000B03FC
    .text C:\Windows\System32\svchost.exe[1108] ADVAPI32.dll!DeleteService 766FA07E 5 Bytes JMP 000B0600
    .text C:\Windows\System32\svchost.exe[1108] ADVAPI32.dll!SetServiceObjectSecurity 76736CD9 5 Bytes JMP 000B1014
    .text C:\Windows\System32\svchost.exe[1108] ADVAPI32.dll!ChangeServiceConfigA 76736DD9 5 Bytes JMP 000B0804
    .text C:\Windows\System32\svchost.exe[1108] ADVAPI32.dll!ChangeServiceConfigW 76736F81 5 Bytes JMP 000B0A08
    .text C:\Windows\System32\svchost.exe[1108] ADVAPI32.dll!ChangeServiceConfig2A 76737099 5 Bytes JMP 000B0C0C
    .text C:\Windows\System32\svchost.exe[1108] ADVAPI32.dll!ChangeServiceConfig2W 767371E1 5 Bytes JMP 000B0E10
    .text C:\Windows\System32\svchost.exe[1108] ADVAPI32.dll!CreateServiceA 767372A1 5 Bytes JMP 000B01F8
    .text C:\Windows\System32\svchost.exe[1108] USER32.dll!SetWindowsHookExA 76856322 5 Bytes JMP 00170600
    .text C:\Windows\System32\svchost.exe[1108] USER32.dll!SetWindowsHookExW 768587AD 5 Bytes JMP 00170804
    .text C:\Windows\System32\svchost.exe[1108] USER32.dll!UnhookWindowsHookEx 768598DB 5 Bytes JMP 00170A08
    .text C:\Windows\System32\svchost.exe[1108] USER32.dll!SetWinEventHook 76859F3A 5 Bytes JMP 001701F8
    .text C:\Windows\System32\svchost.exe[1108] USER32.dll!UnhookWinEvent 7685C06F 5 Bytes JMP 001703FC
    .text C:\Windows\system32\svchost.exe[1120] ntdll.dll!LdrLoadDll 76DD9378 5 Bytes JMP 000501F8
    .text C:\Windows\system32\svchost.exe[1120] ntdll.dll!LdrUnloadDll 76DEB680 5 Bytes JMP 000503FC
    .text C:\Windows\system32\svchost.exe[1120] kernel32.dll!GetBinaryTypeW + 70 754C2467 1 Byte [62]
    .text C:\Windows\system32\svchost.exe[1120] ADVAPI32.dll!CreateServiceW 766F9EB4 5 Bytes JMP 000703FC
    .text C:\Windows\system32\svchost.exe[1120] ADVAPI32.dll!DeleteService 766FA07E 5 Bytes JMP 00070600
    .text C:\Windows\system32\svchost.exe[1120] ADVAPI32.dll!SetServiceObjectSecurity 76736CD9 5 Bytes JMP 00071014
    .text C:\Windows\system32\svchost.exe[1120] ADVAPI32.dll!ChangeServiceConfigA 76736DD9 5 Bytes JMP 00070804
    .text C:\Windows\system32\svchost.exe[1120] ADVAPI32.dll!ChangeServiceConfigW 76736F81 5 Bytes JMP 00070A08
    .text C:\Windows\system32\svchost.exe[1120] ADVAPI32.dll!ChangeServiceConfig2A 76737099 5 Bytes JMP 00070C0C
    .text C:\Windows\system32\svchost.exe[1120] ADVAPI32.dll!ChangeServiceConfig2W 767371E1 5 Bytes JMP 00070E10
    .text C:\Windows\system32\svchost.exe[1120] ADVAPI32.dll!CreateServiceA 767372A1 5 Bytes JMP 000701F8
    .text C:\Windows\system32\svchost.exe[1120] USER32.dll!SetWindowsHookExA 76856322 5 Bytes JMP 00120600
    .text C:\Windows\system32\svchost.exe[1120] USER32.dll!SetWindowsHookExW 768587AD 5 Bytes JMP 00120804
    .text C:\Windows\system32\svchost.exe[1120] USER32.dll!UnhookWindowsHookEx 768598DB 5 Bytes JMP 00120A08
    .text C:\Windows\system32\svchost.exe[1120] USER32.dll!SetWinEventHook 76859F3A 5 Bytes JMP 001201F8
    .text C:\Windows\system32\svchost.exe[1120] USER32.dll!UnhookWinEvent 7685C06F 5 Bytes JMP 001203FC
    .text C:\Windows\system32\svchost.exe[1228] ntdll.dll!LdrLoadDll 76DD9378 5 Bytes JMP 000501F8
    .text C:\Windows\system32\svchost.exe[1228] ntdll.dll!LdrUnloadDll 76DEB680 5 Bytes JMP 000503FC
    .text C:\Windows\system32\svchost.exe[1228] kernel32.dll!GetBinaryTypeW + 70 754C2467 1 Byte [62]
    .text C:\Windows\system32\svchost.exe[1228] ADVAPI32.dll!CreateServiceW 766F9EB4 5 Bytes JMP 000703FC
    .text C:\Windows\system32\svchost.exe[1228] ADVAPI32.dll!DeleteService 766FA07E 5 Bytes JMP 00070600
    .text C:\Windows\system32\svchost.exe[1228] ADVAPI32.dll!SetServiceObjectSecurity 76736CD9 5 Bytes JMP 00071014
    .text C:\Windows\system32\svchost.exe[1228] ADVAPI32.dll!ChangeServiceConfigA 76736DD9 5 Bytes JMP 00070804
    .text C:\Windows\system32\svchost.exe[1228] ADVAPI32.dll!ChangeServiceConfigW 76736F81 5 Bytes JMP 00070A08
    .text C:\Windows\system32\svchost.exe[1228] ADVAPI32.dll!ChangeServiceConfig2A 76737099 5 Bytes JMP 00070C0C
    .text C:\Windows\system32\svchost.exe[1228] ADVAPI32.dll!ChangeServiceConfig2W 767371E1 5 Bytes JMP 00070E10
    .text C:\Windows\system32\svchost.exe[1228] ADVAPI32.dll!CreateServiceA 767372A1 5 Bytes JMP 000701F8
    .text C:\Windows\system32\AUDIODG.EXE[1256] kernel32.dll!GetBinaryTypeW + 70 754C2467 1 Byte [62]
    .text C:\Windows\system32\svchost.exe[1284] ntdll.dll!LdrLoadDll 76DD9378 5 Bytes JMP 000501F8
    .text C:\Windows\system32\svchost.exe[1284] ntdll.dll!LdrUnloadDll 76DEB680 5 Bytes JMP 000503FC
    .text C:\Windows\system32\svchost.exe[1284] kernel32.dll!GetBinaryTypeW + 70 754C2467 1 Byte [62]
    .text C:\Windows\system32\svchost.exe[1284] ADVAPI32.dll!CreateServiceW 766F9EB4 5 Bytes JMP 000703FC
    .text C:\Windows\system32\svchost.exe[1284] ADVAPI32.dll!DeleteService 766FA07E 5 Bytes JMP 00070600
    .text C:\Windows\system32\svchost.exe[1284] ADVAPI32.dll!SetServiceObjectSecurity 76736CD9 5 Bytes JMP 00071014
    .text C:\Windows\system32\svchost.exe[1284] ADVAPI32.dll!ChangeServiceConfigA 76736DD9 5 Bytes JMP 00070804
    .text C:\Windows\system32\svchost.exe[1284] ADVAPI32.dll!ChangeServiceConfigW 76736F81 5 Bytes JMP 00070A08
    .text C:\Windows\system32\svchost.exe[1284] ADVAPI32.dll!ChangeServiceConfig2A 76737099 5 Bytes JMP 00070C0C
    .text C:\Windows\system32\svchost.exe[1284] ADVAPI32.dll!ChangeServiceConfig2W 767371E1 5 Bytes JMP 00070E10
    .text C:\Windows\system32\svchost.exe[1284] ADVAPI32.dll!CreateServiceA 767372A1 5 Bytes JMP 000701F8
    .text C:\Windows\system32\svchost.exe[1396] ntdll.dll!LdrLoadDll 76DD9378 5 Bytes JMP 000501F8
    .text C:\Windows\system32\svchost.exe[1396] ntdll.dll!LdrUnloadDll 76DEB680 5 Bytes JMP 000503FC
    .text C:\Windows\system32\svchost.exe[1396] kernel32.dll!GetBinaryTypeW + 70 754C2467 1 Byte [62]
    .text C:\Windows\system32\svchost.exe[1396] ADVAPI32.dll!CreateServiceW 766F9EB4 5 Bytes JMP 000703FC
    .text C:\Windows\system32\svchost.exe[1396] ADVAPI32.dll!DeleteService 766FA07E 5 Bytes JMP 00070600
    .text C:\Windows\system32\svchost.exe[1396] ADVAPI32.dll!SetServiceObjectSecurity 76736CD9 5 Bytes JMP 00071014
    .text C:\Windows\system32\svchost.exe[1396] ADVAPI32.dll!ChangeServiceConfigA 76736DD9 5 Bytes JMP 00070804
    .text C:\Windows\system32\svchost.exe[1396] ADVAPI32.dll!ChangeServiceConfigW 76736F81 5 Bytes JMP 00070A08
    .text C:\Windows\system32\svchost.exe[1396] ADVAPI32.dll!ChangeServiceConfig2A 76737099 5 Bytes JMP 00070C0C
    .text C:\Windows\system32\svchost.exe[1396] ADVAPI32.dll!ChangeServiceConfig2W 767371E1 5 Bytes JMP 00070E10
    .text C:\Windows\system32\svchost.exe[1396] ADVAPI32.dll!CreateServiceA 767372A1 5 Bytes JMP 000701F8
    .text C:\Windows\system32\svchost.exe[1396] USER32.dll!SetWindowsHookExA 76856322 5 Bytes JMP 00BF0600
    .text C:\Windows\system32\svchost.exe[1396] USER32.dll!SetWindowsHookExW 768587AD 5 Bytes JMP 00BF0804
    .text C:\Windows\system32\svchost.exe[1396] USER32.dll!UnhookWindowsHookEx 768598DB 5 Bytes JMP 00BF0A08
    .text C:\Windows\system32\svchost.exe[1396] USER32.dll!SetWinEventHook 76859F3A 5 Bytes JMP 00BF01F8
    .text C:\Windows\system32\svchost.exe[1396] USER32.dll!UnhookWinEvent 7685C06F 5 Bytes JMP 00BF03FC
    .text C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe[1516] ntdll.dll!LdrLoadDll 76DD9378 5 Bytes JMP 001501F8
    .text C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe[1516] ntdll.dll!LdrUnloadDll 76DEB680 5 Bytes JMP 001503FC
    .text C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe[1516] kernel32.dll!GetBinaryTypeW + 70 754C2467 1 Byte [62]
    .text C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe[1516] ADVAPI32.dll!CreateServiceW 766F9EB4 5 Bytes JMP 001703FC
    .text C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe[1516] ADVAPI32.dll!DeleteService 766FA07E 5 Bytes JMP 00170600
    .text C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe[1516] ADVAPI32.dll!SetServiceObjectSecurity 76736CD9 5 Bytes JMP 00171014
    .text C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe[1516] ADVAPI32.dll!ChangeServiceConfigA 76736DD9 5 Bytes JMP 00170804
    .text C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe[1516] ADVAPI32.dll!ChangeServiceConfigW 76736F81 5 Bytes JMP 00170A08
    .text C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe[1516] ADVAPI32.dll!ChangeServiceConfig2A 76737099 5 Bytes JMP 00170C0C
    .text C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe[1516] ADVAPI32.dll!ChangeServiceConfig2W 767371E1 5 Bytes JMP 00170E10
    .text C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe[1516] ADVAPI32.dll!CreateServiceA 767372A1 5 Bytes JMP 001701F8
    .text C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe[1516] USER32.dll!SetWindowsHookExA 76856322 5 Bytes JMP 00180600
    .text C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe[1516] USER32.dll!SetWindowsHookExW 768587AD 5 Bytes JMP 00180804
    .text C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe[1516] USER32.dll!UnhookWindowsHookEx 768598DB 5 Bytes JMP 00180A08
    .text C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe[1516] USER32.dll!SetWinEventHook 76859F3A 5 Bytes JMP 001801F8
    .text C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe[1516] USER32.dll!UnhookWinEvent 7685C06F 5 Bytes JMP 001803FC
    .text C:\Windows\system32\svchost.exe[1520] ntdll.dll!LdrLoadDll 76DD9378 5 Bytes JMP 000501F8
    .text C:\Windows\system32\svchost.exe[1520] ntdll.dll!LdrUnloadDll 76DEB680 5 Bytes JMP 000503FC
    .text C:\Windows\system32\svchost.exe[1520] kernel32.dll!GetBinaryTypeW + 70 754C2467 1 Byte [62]
    .text C:\Windows\system32\svchost.exe[1520] ADVAPI32.dll!CreateServiceW 766F9EB4 5 Bytes JMP 000703FC
    .text C:\Windows\system32\svchost.exe[1520] ADVAPI32.dll!DeleteService 766FA07E 5 Bytes JMP 00070600
    .text C:\Windows\system32\svchost.exe[1520] ADVAPI32.dll!SetServiceObjectSecurity 76736CD9 5 Bytes JMP 00071014
    .text C:\Windows\system32\svchost.exe[1520] ADVAPI32.dll!ChangeServiceConfigA 76736DD9 5 Bytes JMP 00070804
    .text C:\Windows\system32\svchost.exe[1520] ADVAPI32.dll!ChangeServiceConfigW 76736F81 5 Bytes JMP 00070A08
    .text C:\Windows\system32\svchost.exe[1520] ADVAPI32.dll!ChangeServiceConfig2A 76737099 5 Bytes JMP 00070C0C
    .text C:\Windows\system32\svchost.exe[1520] ADVAPI32.dll!ChangeServiceConfig2W 767371E1 5 Bytes JMP 00070E10
    .text C:\Windows\system32\svchost.exe[1520] ADVAPI32.dll!CreateServiceA 767372A1 5 Bytes JMP 000701F8
    .text C:\Windows\system32\svchost.exe[1520] USER32.dll!SetWindowsHookExA 76856322 5 Bytes JMP 00250600
    .text C:\Windows\system32\svchost.exe[1520] USER32.dll!SetWindowsHookExW 768587AD 5 Bytes JMP 00250804
    .text C:\Windows\system32\svchost.exe[1520] USER32.dll!UnhookWindowsHookEx 768598DB 5 Bytes JMP 00250A08
    .text C:\Windows\system32\svchost.exe[1520] USER32.dll!SetWinEventHook 76859F3A 5 Bytes JMP 002501F8
    .text C:\Windows\system32\svchost.exe[1520] USER32.dll!UnhookWinEvent 7685C06F 5 Bytes JMP 002503FC
    .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1596] kernel32.dll!SetUnhandledExceptionFilter 7549A8C5 4 Bytes [C2, 04, 00, 90] {RET 0x4; NOP }
    .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1596] kernel32.dll!GetBinaryTypeW + 70 754C2467 1 Byte [62]
    .text C:\Program Files\AVAST Software\Avast\afwServ.exe[1644] kernel32.dll!GetBinaryTypeW + 70 754C2467 1 Byte [62]
    .text C:\Windows\system32\svchost.exe[1736] ntdll.dll!LdrLoadDll 76DD9378 5 Bytes JMP 000501F8
    .text C:\Windows\system32\svchost.exe[1736] ntdll.dll!LdrUnloadDll 76DEB680 5 Bytes JMP 000503FC
    .text C:\Windows\system32\svchost.exe[1736] kernel32.dll!GetBinaryTypeW + 70 754C2467 1 Byte [62]
    .text C:\Windows\system32\svchost.exe[1736] ADVAPI32.dll!CreateServiceW 766F9EB4 5 Bytes JMP 000703FC
    .text C:\Windows\system32\svchost.exe[1736] ADVAPI32.dll!DeleteService 766FA07E 5 Bytes JMP 00070600
    .text C:\Windows\system32\svchost.exe[1736] ADVAPI32.dll!SetServiceObjectSecurity 76736CD9 5 Bytes JMP 00071014
    .text C:\Windows\system32\svchost.exe[1736] ADVAPI32.dll!ChangeServiceConfigA 76736DD9 5 Bytes JMP 00070804
    .text C:\Windows\system32\svchost.exe[1736] ADVAPI32.dll!ChangeServiceConfigW 76736F81 5 Bytes JMP 00070A08
    .text C:\Windows\system32\svchost.exe[1736] ADVAPI32.dll!ChangeServiceConfig2A 76737099 5 Bytes JMP 00070C0C
    .text C:\Windows\system32\svchost.exe[1736] ADVAPI32.dll!ChangeServiceConfig2W 767371E1 5 Bytes JMP 00070E10
    .text C:\Windows\system32\svchost.exe[1736] ADVAPI32.dll!CreateServiceA 767372A1 5 Bytes JMP 000701F8
    .text C:\Windows\system32\svchost.exe[1736] USER32.dll!SetWindowsHookExA 76856322 5 Bytes JMP 000F0600
    .text C:\Windows\system32\svchost.exe[1736] USER32.dll!SetWindowsHookExW 768587AD 5 Bytes JMP 000F0804
    .text C:\Windows\system32\svchost.exe[1736] USER32.dll!UnhookWindowsHookEx 768598DB 5 Bytes JMP 000F0A08
    .text C:\Windows\system32\svchost.exe[1736] USER32.dll!SetWinEventHook 76859F3A 5 Bytes JMP 000F01F8
    .text C:\Windows\system32\svchost.exe[1736] USER32.dll!UnhookWinEvent 7685C06F 5 Bytes JMP 000F03FC
    .text C:\Windows\system32\DRIVERS\xaudio.exe[2152] ntdll.dll!LdrLoadDll 76DD9378 5 Bytes JMP 001401F8
    .text C:\Windows\system32\DRIVERS\xaudio.exe[2152] ntdll.dll!LdrUnloadDll 76DEB680 5 Bytes JMP 001403FC
    .text C:\Windows\system32\DRIVERS\xaudio.exe[2152] kernel32.dll!GetBinaryTypeW + 70 754C2467 1 Byte [62]
    .text C:\Windows\system32\DRIVERS\xaudio.exe[2152] ADVAPI32.dll!CreateServiceW 766F9EB4 5 Bytes JMP 001603FC
    .text C:\Windows\system32\DRIVERS\xaudio.exe[2152] ADVAPI32.dll!DeleteService 766FA07E 5 Bytes JMP 00160600
    .text C:\Windows\system32\DRIVERS\xaudio.exe[2152] ADVAPI32.dll!SetServiceObjectSecurity 76736CD9 5 Bytes JMP 00161014
    .text C:\Windows\system32\DRIVERS\xaudio.exe[2152] ADVAPI32.dll!ChangeServiceConfigA 76736DD9 5 Bytes JMP 00160804
    .text C:\Windows\system32\DRIVERS\xaudio.exe[2152] ADVAPI32.dll!ChangeServiceConfigW 76736F81 5 Bytes JMP 00160A08
    .text C:\Windows\system32\DRIVERS\xaudio.exe[2152] ADVAPI32.dll!ChangeServiceConfig2A 76737099 5 Bytes JMP 00160C0C
    .text C:\Windows\system32\DRIVERS\xaudio.exe[2152] ADVAPI32.dll!ChangeServiceConfig2W 767371E1 5 Bytes JMP 00160E10
    .text C:\Windows\system32\DRIVERS\xaudio.exe[2152] ADVAPI32.dll!CreateServiceA 767372A1 5 Bytes JMP 001601F8
    .text C:\Windows\system32\DRIVERS\xaudio.exe[2152] USER32.dll!SetWindowsHookExA 76856322 5 Bytes JMP 00270600
    .text C:\Windows\system32\DRIVERS\xaudio.exe[2152] USER32.dll!SetWindowsHookExW 768587AD 5 Bytes JMP 00270804
    .text C:\Windows\system32\DRIVERS\xaudio.exe[2152] USER32.dll!UnhookWindowsHookEx 768598DB 5 Bytes JMP 00270A08
    .text C:\Windows\system32\DRIVERS\xaudio.exe[2152] USER32.dll!SetWinEventHook 76859F3A 5 Bytes JMP 002701F8
    .text C:\Windows\system32\DRIVERS\xaudio.exe[2152] USER32.dll!UnhookWinEvent 7685C06F 5 Bytes JMP 002703FC
    .text C:\Windows\system32\SearchIndexer.exe[2324] ntdll.dll!LdrLoadDll 76DD9378 5 Bytes JMP 000501F8
    .text C:\Windows\system32\SearchIndexer.exe[2324] ntdll.dll!LdrUnloadDll 76DEB680 5 Bytes JMP 000503FC
    .text C:\Windows\system32\SearchIndexer.exe[2324] kernel32.dll!GetBinaryTypeW + 70 754C2467 1 Byte [62]
    .text C:\Windows\system32\SearchIndexer.exe[2324] ADVAPI32.dll!CreateServiceW 766F9EB4 5 Bytes JMP 000703FC
    .text C:\Windows\system32\SearchIndexer.exe[2324] ADVAPI32.dll!DeleteService 766FA07E 5 Bytes JMP 00070600
    .text C:\Windows\system32\SearchIndexer.exe[2324] ADVAPI32.dll!SetServiceObjectSecurity 76736CD9 5 Bytes JMP 00071014
    .text C:\Windows\system32\SearchIndexer.exe[2324] ADVAPI32.dll!ChangeServiceConfigA 76736DD9 5 Bytes JMP 00070804
    .text C:\Windows\system32\SearchIndexer.exe[2324] ADVAPI32.dll!ChangeServiceConfigW 76736F81 5 Bytes JMP 00070A08
    .text C:\Windows\system32\SearchIndexer.exe[2324] ADVAPI32.dll!ChangeServiceConfig2A 76737099 5 Bytes JMP 00070C0C
    .text C:\Windows\system32\SearchIndexer.exe[2324] ADVAPI32.dll!ChangeServiceConfig2W 767371E1 5 Bytes JMP 00070E10
    .text C:\Windows\system32\SearchIndexer.exe[2324] ADVAPI32.dll!CreateServiceA 767372A1 5 Bytes JMP 000701F8
    .text C:\Windows\system32\SearchIndexer.exe[2324] USER32.dll!SetWindowsHookExA 76856322 5 Bytes JMP 00080600
    .text C:\Windows\system32\SearchIndexer.exe[2324] USER32.dll!SetWindowsHookExW 768587AD 5 Bytes JMP 00080804
    .text C:\Windows\system32\SearchIndexer.exe[2324] USER32.dll!UnhookWindowsHookEx 768598DB 5 Bytes JMP 00080A08
    .text C:\Windows\system32\SearchIndexer.exe[2324] USER32.dll!SetWinEventHook 76859F3A 5 Bytes JMP 000801F8
    .text C:\Windows\system32\SearchIndexer.exe[2324] USER32.dll!UnhookWinEvent 7685C06F 5 Bytes JMP 000803FC
    .text C:\Users\Dawon\Desktop\tykegnrd.exe[2632] kernel32.dll!GetBinaryTypeW + 70 754C2467 1 Byte [62]
    .text C:\Windows\Explorer.EXE[2636] ntdll.dll!LdrLoadDll 76DD9378 5 Bytes JMP 000501F8
    .text C:\Windows\Explorer.EXE[2636] ntdll.dll!LdrUnloadDll 76DEB680 5 Bytes JMP 000503FC
    .text C:\Windows\Explorer.EXE[2636] kernel32.dll!GetBinaryTypeW + 70 754C2467 1 Byte [62]
    .text C:\Windows\Explorer.EXE[2636] ADVAPI32.dll!CreateServiceW 766F9EB4 5 Bytes JMP 000703FC
    .text C:\Windows\Explorer.EXE[2636] ADVAPI32.dll!DeleteService 766FA07E 5 Bytes JMP 00070600
    .text C:\Windows\Explorer.EXE[2636] ADVAPI32.dll!SetServiceObjectSecurity 76736CD9 5 Bytes JMP 00071014
    .text C:\Windows\Explorer.EXE[2636] ADVAPI32.dll!ChangeServiceConfigA 76736DD9 5 Bytes JMP 00070804
    .text C:\Windows\Explorer.EXE[2636] ADVAPI32.dll!ChangeServiceConfigW 76736F81 5 Bytes JMP 00070A08
    .text C:\Windows\Explorer.EXE[2636] ADVAPI32.dll!ChangeServiceConfig2A 76737099 5 Bytes JMP 00070C0C
    .text C:\Windows\Explorer.EXE[2636] ADVAPI32.dll!ChangeServiceConfig2W 767371E1 5 Bytes JMP 00070E10
    .text C:\Windows\Explorer.EXE[2636] ADVAPI32.dll!CreateServiceA 767372A1 5 Bytes JMP 000701F8
    .text C:\Windows\Explorer.EXE[2636] USER32.dll!SetWindowsHookExA 76856322 5 Bytes JMP 00080600
    .text C:\Windows\Explorer.EXE[2636] USER32.dll!SetWindowsHookExW 768587AD 5 Bytes JMP 00080804
    .text C:\Windows\Explorer.EXE[2636] USER32.dll!UnhookWindowsHookEx 768598DB 5 Bytes JMP 00080A08
    .text C:\Windows\Explorer.EXE[2636] USER32.dll!SetWinEventHook 76859F3A 5 Bytes JMP 000801F8
    .text C:\Windows\Explorer.EXE[2636] USER32.dll!UnhookWinEvent 7685C06F 5 Bytes JMP 000803FC
    .text C:\Windows\system32\taskeng.exe[2648] ntdll.dll!LdrLoadDll 76DD9378 5 Bytes JMP 000501F8
    .text C:\Windows\system32\taskeng.exe[2648] ntdll.dll!LdrUnloadDll 76DEB680 5 Bytes JMP 000503FC
    .text C:\Windows\system32\taskeng.exe[2648] kernel32.dll!GetBinaryTypeW + 70 754C2467 1 Byte [62]
    .text C:\Windows\system32\taskeng.exe[2648] ADVAPI32.dll!CreateServiceW 766F9EB4 5 Bytes JMP 000703FC
    .text C:\Windows\system32\taskeng.exe[2648] ADVAPI32.dll!DeleteService 766FA07E 5 Bytes JMP 00070600
    .text C:\Windows\system32\taskeng.exe[2648] ADVAPI32.dll!SetServiceObjectSecurity 76736CD9 5 Bytes JMP 00071014
    .text C:\Windows\system32\taskeng.exe[2648] ADVAPI32.dll!ChangeServiceConfigA 76736DD9 5 Bytes JMP 00070804
    .text C:\Windows\system32\taskeng.exe[2648] ADVAPI32.dll!ChangeServiceConfigW 76736F81 5 Bytes JMP 00070A08
    .text C:\Windows\system32\taskeng.exe[2648] ADVAPI32.dll!ChangeServiceConfig2A 76737099 5 Bytes JMP 00070C0C
    .text C:\Windows\system32\taskeng.exe[2648] ADVAPI32.dll!ChangeServiceConfig2W 767371E1 5 Bytes JMP 00070E10
    .text C:\Windows\system32\taskeng.exe[2648] ADVAPI32.dll!CreateServiceA 767372A1 5 Bytes JMP 000701F8
    .text C:\Windows\system32\taskeng.exe[2648] USER32.dll!SetWindowsHookExA 76856322 5 Bytes JMP 00080600
    .text C:\Windows\system32\taskeng.exe[2648] USER32.dll!SetWindowsHookExW 768587AD 5 Bytes JMP 00080804
    .text C:\Windows\system32\taskeng.exe[2648] USER32.dll!UnhookWindowsHookEx 768598DB 5 Bytes JMP 00080A08
    .text C:\Windows\system32\taskeng.exe[2648] USER32.dll!SetWinEventHook 76859F3A 5 Bytes JMP 000801F8
    .text C:\Windows\system32\taskeng.exe[2648] USER32.dll!UnhookWinEvent 7685C06F 5 Bytes JMP 000803FC
    .text C:\Program Files\Windows Defender\MSASCui.exe[2744] ntdll.dll!LdrLoadDll 76DD9378 5 Bytes JMP 000501F8
    .text C:\Program Files\Windows Defender\MSASCui.exe[2744] ntdll.dll!LdrUnloadDll 76DEB680 5 Bytes JMP 000503FC
    .text C:\Program Files\Windows Defender\MSASCui.exe[2744] kernel32.dll!GetBinaryTypeW + 70 754C2467 1 Byte [62]
    .text C:\Program Files\Windows Defender\MSASCui.exe[2744] ADVAPI32.dll!CreateServiceW 766F9EB4 5 Bytes JMP 000703FC
    .text C:\Program Files\Windows Defender\MSASCui.exe[2744] ADVAPI32.dll!DeleteService 766FA07E 5 Bytes JMP 00070600
    .text C:\Program Files\Windows Defender\MSASCui.exe[2744] ADVAPI32.dll!SetServiceObjectSecurity 76736CD9 5 Bytes JMP 00071014
    .text C:\Program Files\Windows Defender\MSASCui.exe[2744] ADVAPI32.dll!ChangeServiceConfigA 76736DD9 5 Bytes JMP 00070804
    .text C:\Program Files\Windows Defender\MSASCui.exe[2744] ADVAPI32.dll!ChangeServiceConfigW 76736F81 5 Bytes JMP 00070A08
    .text C:\Program Files\Windows Defender\MSASCui.exe[2744] ADVAPI32.dll!ChangeServiceConfig2A 76737099 5 Bytes JMP 00070C0C
    .text C:\Program Files\Windows Defender\MSASCui.exe[2744] ADVAPI32.dll!ChangeServiceConfig2W 767371E1 5 Bytes JMP 00070E10
    .text C:\Program Files\Windows Defender\MSASCui.exe[2744] ADVAPI32.dll!CreateServiceA 767372A1 5 Bytes JMP 000701F8
    .text C:\Program Files\Windows Defender\MSASCui.exe[2744] USER32.dll!SetWindowsHookExA 76856322 5 Bytes JMP 00080600
    .text C:\Program Files\Windows Defender\MSASCui.exe[2744] USER32.dll!SetWindowsHookExW 768587AD 5 Bytes JMP 00080804
    .text C:\Program Files\Windows Defender\MSASCui.exe[2744] USER32.dll!UnhookWindowsHookEx 768598DB 5 Bytes JMP 00080A08
    .text C:\Program Files\Windows Defender\MSASCui.exe[2744] USER32.dll!SetWinEventHook 76859F3A 5 Bytes JMP 000801F8
    .text C:\Program Files\Windows Defender\MSASCui.exe[2744] USER32.dll!UnhookWinEvent 7685C06F 5 Bytes JMP 000803FC
    .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2800] kernel32.dll!GetBinaryTypeW + 70 754C2467 1 Byte [62]
    .text C:\Windows\System32\svchost.exe[2844] ntdll.dll!LdrLoadDll 76DD9378 5 Bytes JMP 000501F8
    .text C:\Windows\System32\svchost.exe[2844] ntdll.dll!LdrUnloadDll 76DEB680 5 Bytes JMP 000503FC
    .text C:\Windows\System32\svchost.exe[2844] kernel32.dll!GetBinaryTypeW + 70 754C2467 1 Byte [62]
    .text C:\Windows\System32\svchost.exe[2844] ADVAPI32.dll!CreateServiceW 766F9EB4 5 Bytes JMP 000703FC
    .text C:\Windows\System32\svchost.exe[2844] ADVAPI32.dll!DeleteService 766FA07E 5 Bytes JMP 00070600
    .text C:\Windows\System32\svchost.exe[2844] ADVAPI32.dll!SetServiceObjectSecurity 76736CD9 5 Bytes JMP 00071014
    .text C:\Windows\System32\svchost.exe[2844] ADVAPI32.dll!ChangeServiceConfigA 76736DD9 5 Bytes JMP 00070804
    .text C:\Windows\System32\svchost.exe[2844] ADVAPI32.dll!ChangeServiceConfigW 76736F81 5 Bytes JMP 00070A08
    .text C:\Windows\System32\svchost.exe[2844] ADVAPI32.dll!ChangeServiceConfig2A 76737099 5 Bytes JMP 00070C0C
    .text C:\Windows\System32\svchost.exe[2844] ADVAPI32.dll!ChangeServiceConfig2W 767371E1 5 Bytes JMP 00070E10
    .text C:\Windows\System32\svchost.exe[2844] ADVAPI32.dll!CreateServiceA 767372A1 5 Bytes JMP 000701F8
    .text C:\Windows\System32\svchost.exe[2844] USER32.dll!SetWindowsHookExA 76856322 5 Bytes JMP 00120600
    .text C:\Windows\System32\svchost.exe[2844] USER32.dll!SetWindowsHookExW 768587AD 5 Bytes JMP 00120804
    .text C:\Windows\System32\svchost.exe[2844] USER32.dll!UnhookWindowsHookEx 768598DB 5 Bytes JMP 00120A08
    .text C:\Windows\System32\svchost.exe[2844] USER32.dll!SetWinEventHook 76859F3A 5 Bytes JMP 001201F8
    .text C:\Windows\System32\svchost.exe[2844] USER32.dll!UnhookWinEvent 7685C06F 5 Bytes JMP 001203FC
    .text C:\Program Files\IObit\Advanced SystemCare 5\Suo10_SmartRAM.exe[2876] ntdll.dll!LdrLoadDll 76DD9378 5 Bytes JMP 001501F8
    .text C:\Program Files\IObit\Advanced SystemCare 5\Suo10_SmartRAM.exe[2876] ntdll.dll!LdrUnloadDll 76DEB680 5 Bytes JMP 001503FC
    .text C:\Program Files\IObit\Advanced SystemCare 5\Suo10_SmartRAM.exe[2876] kernel32.dll!GetBinaryTypeW + 70 754C2467 1 Byte [62]
    .text C:\Program Files\IObit\Advanced SystemCare 5\Suo10_SmartRAM.exe[2876] USER32.dll!SetWindowsHookExA 76856322 5 Bytes JMP 003E0600
    .text C:\Program Files\IObit\Advanced SystemCare 5\Suo10_SmartRAM.exe[2876] USER32.dll!SetWindowsHookExW 768587AD 5 Bytes JMP 003E0804
    .text C:\Program Files\IObit\Advanced SystemCare 5\Suo10_SmartRAM.exe[2876] USER32.dll!UnhookWindowsHookEx 768598DB 5 Bytes JMP 003E0A08
    .text C:\Program Files\IObit\Advanced SystemCare 5\Suo10_SmartRAM.exe[2876] USER32.dll!SetWinEventHook 76859F3A 5 Bytes JMP 003E01F8
    .text C:\Program Files\IObit\Advanced SystemCare 5\Suo10_SmartRAM.exe[2876] USER32.dll!UnhookWinEvent 7685C06F 5 Bytes JMP 003E03FC
    .text C:\Program Files\IObit\Advanced SystemCare 5\Suo10_SmartRAM.exe[2876] ADVAPI32.dll!CreateServiceW 766F9EB4 5 Bytes JMP 003F03FC
    .text C:\Program Files\IObit\Advanced SystemCare 5\Suo10_SmartRAM.exe[2876] ADVAPI32.dll!DeleteService 766FA07E 5 Bytes JMP 003F0600
    .text C:\Program Files\IObit\Advanced SystemCare 5\Suo10_SmartRAM.exe[2876] ADVAPI32.dll!SetServiceObjectSecurity 76736CD9 5 Bytes JMP 003F1014
    .text C:\Program Files\IObit\Advanced SystemCare 5\Suo10_SmartRAM.exe[2876] ADVAPI32.dll!ChangeServiceConfigA 76736DD9 5 Bytes JMP 003F0804
    .text C:\Program Files\IObit\Advanced SystemCare 5\Suo10_SmartRAM.exe[2876] ADVAPI32.dll!ChangeServiceConfigW 76736F81 5 Bytes JMP 003F0A08
    .text C:\Program Files\IObit\Advanced SystemCare 5\Suo10_SmartRAM.exe[2876] ADVAPI32.dll!ChangeServiceConfig2A 76737099 5 Bytes JMP 003F0C0C
    .text C:\Program Files\IObit\Advanced SystemCare 5\Suo10_SmartRAM.exe[2876] ADVAPI32.dll!ChangeServiceConfig2W 767371E1 5 Bytes JMP 003F0E10
    .text C:\Program Files\IObit\Advanced SystemCare 5\Suo10_SmartRAM.exe[2876] ADVAPI32.dll!CreateServiceA 767372A1 5 Bytes JMP 003F01F8
    .text C:\Windows\system32\taskeng.exe[2932] ntdll.dll!LdrLoadDll 76DD9378 5 Bytes JMP 000501F8
    .text C:\Windows\system32\taskeng.exe[2932] ntdll.dll!LdrUnloadDll 76DEB680 5 Bytes JMP 000503FC
    .text C:\Windows\system32\taskeng.exe[2932] kernel32.dll!GetBinaryTypeW + 70 754C2467 1 Byte [62]
    .text C:\Windows\system32\taskeng.exe[2932] ADVAPI32.dll!CreateServiceW 766F9EB4 5 Bytes JMP 000703FC
    .text C:\Windows\system32\taskeng.exe[2932] ADVAPI32.dll!DeleteService 766FA07E 5 Bytes JMP 00070600
    .text C:\Windows\system32\taskeng.exe[2932] ADVAPI32.dll!SetServiceObjectSecurity 76736CD9 5 Bytes JMP 00071014
    .text C:\Windows\system32\taskeng.exe[2932] ADVAPI32.dll!ChangeServiceConfigA 76736DD9 5 Bytes JMP 00070804
    .text C:\Windows\system32\taskeng.exe[2932] ADVAPI32.dll!ChangeServiceConfigW 76736F81 5 Bytes JMP 00070A08
    .text C:\Windows\system32\taskeng.exe[2932] ADVAPI32.dll!ChangeServiceConfig2A 76737099 5 Bytes JMP 00070C0C
    .text C:\Windows\system32\taskeng.exe[2932] ADVAPI32.dll!ChangeServiceConfig2W 767371E1 5 Bytes JMP 00070E10
    .text C:\Windows\system32\taskeng.exe[2932] ADVAPI32.dll!CreateServiceA 767372A1 5 Bytes JMP 000701F8
    .text C:\Windows\system32\taskeng.exe[2932] USER32.dll!SetWindowsHookExA 76856322 5 Bytes JMP 00090600
    .text C:\Windows\system32\taskeng.exe[2932] USER32.dll!SetWindowsHookExW 768587AD 5 Bytes JMP 00090804
  3. doowop25 Newcomer, in training Posts: 24

    Third part to Gmer log file

    .text C:\Windows\system32\taskeng.exe[2932] USER32.dll!UnhookWindowsHookEx 768598DB 5 Bytes JMP 00090A08
    .text C:\Windows\system32\taskeng.exe[2932] USER32.dll!SetWinEventHook 76859F3A 5 Bytes JMP 000901F8
    .text C:\Windows\system32\taskeng.exe[2932] USER32.dll!UnhookWinEvent 7685C06F 5 Bytes JMP 000903FC
    .text C:\Program Files\iPod\bin\iPodService.exe[3076] ntdll.dll!LdrLoadDll 76DD9378 5 Bytes JMP 000501F8
    .text C:\Program Files\iPod\bin\iPodService.exe[3076] ntdll.dll!LdrUnloadDll 76DEB680 5 Bytes JMP 000503FC
    .text C:\Program Files\iPod\bin\iPodService.exe[3076] kernel32.dll!GetBinaryTypeW + 70 754C2467 1 Byte [62]
    .text C:\Program Files\iPod\bin\iPodService.exe[3076] ADVAPI32.dll!CreateServiceW 766F9EB4 5 Bytes JMP 002703FC
    .text C:\Program Files\iPod\bin\iPodService.exe[3076] ADVAPI32.dll!DeleteService 766FA07E 5 Bytes JMP 00270600
    .text C:\Program Files\iPod\bin\iPodService.exe[3076] ADVAPI32.dll!SetServiceObjectSecurity 76736CD9 5 Bytes JMP 00271014
    .text C:\Program Files\iPod\bin\iPodService.exe[3076] ADVAPI32.dll!ChangeServiceConfigA 76736DD9 5 Bytes JMP 00270804
    .text C:\Program Files\iPod\bin\iPodService.exe[3076] ADVAPI32.dll!ChangeServiceConfigW 76736F81 5 Bytes JMP 00270A08
    .text C:\Program Files\iPod\bin\iPodService.exe[3076] ADVAPI32.dll!ChangeServiceConfig2A 76737099 5 Bytes JMP 00270C0C
    .text C:\Program Files\iPod\bin\iPodService.exe[3076] ADVAPI32.dll!ChangeServiceConfig2W 767371E1 5 Bytes JMP 00270E10
    .text C:\Program Files\iPod\bin\iPodService.exe[3076] ADVAPI32.dll!CreateServiceA 767372A1 5 Bytes JMP 002701F8
    .text C:\Program Files\iPod\bin\iPodService.exe[3076] USER32.dll!SetWindowsHookExA 76856322 5 Bytes JMP 00280600
    .text C:\Program Files\iPod\bin\iPodService.exe[3076] USER32.dll!SetWindowsHookExW 768587AD 5 Bytes JMP 00280804
    .text C:\Program Files\iPod\bin\iPodService.exe[3076] USER32.dll!UnhookWindowsHookEx 768598DB 5 Bytes JMP 00280A08
    .text C:\Program Files\iPod\bin\iPodService.exe[3076] USER32.dll!SetWinEventHook 76859F3A 5 Bytes JMP 002801F8
    .text C:\Program Files\iPod\bin\iPodService.exe[3076] USER32.dll!UnhookWinEvent 7685C06F 5 Bytes JMP 002803FC
    .text C:\Windows\system32\svchost.exe[3736] ntdll.dll!LdrLoadDll 76DD9378 5 Bytes JMP 000501F8
    .text C:\Windows\system32\svchost.exe[3736] ntdll.dll!LdrUnloadDll 76DEB680 5 Bytes JMP 000503FC
    .text C:\Windows\system32\svchost.exe[3736] kernel32.dll!GetBinaryTypeW + 70 754C2467 1 Byte [62]
    .text C:\Windows\system32\svchost.exe[3736] ADVAPI32.dll!CreateServiceW 766F9EB4 5 Bytes JMP 000703FC
    .text C:\Windows\system32\svchost.exe[3736] ADVAPI32.dll!DeleteService 766FA07E 5 Bytes JMP 00070600
    .text C:\Windows\system32\svchost.exe[3736] ADVAPI32.dll!SetServiceObjectSecurity 76736CD9 5 Bytes JMP 00071014
    .text C:\Windows\system32\svchost.exe[3736] ADVAPI32.dll!ChangeServiceConfigA 76736DD9 5 Bytes JMP 00070804
    .text C:\Windows\system32\svchost.exe[3736] ADVAPI32.dll!ChangeServiceConfigW 76736F81 5 Bytes JMP 00070A08
    .text C:\Windows\system32\svchost.exe[3736] ADVAPI32.dll!ChangeServiceConfig2A 76737099 5 Bytes JMP 00070C0C
    .text C:\Windows\system32\svchost.exe[3736] ADVAPI32.dll!ChangeServiceConfig2W 767371E1 5 Bytes JMP 00070E10
    .text C:\Windows\system32\svchost.exe[3736] ADVAPI32.dll!CreateServiceA 767372A1 5 Bytes JMP 000701F8
    .text C:\Windows\system32\svchost.exe[3808] ntdll.dll!LdrLoadDll 76DD9378 5 Bytes JMP 000501F8
    .text C:\Windows\system32\svchost.exe[3808] ntdll.dll!LdrUnloadDll 76DEB680 5 Bytes JMP 000503FC
    .text C:\Windows\system32\svchost.exe[3808] kernel32.dll!GetBinaryTypeW + 70 754C2467 1 Byte [62]
    .text C:\Windows\system32\svchost.exe[3808] ADVAPI32.dll!CreateServiceW 766F9EB4 5 Bytes JMP 000703FC
    .text C:\Windows\system32\svchost.exe[3808] ADVAPI32.dll!DeleteService 766FA07E 5 Bytes JMP 00070600
    .text C:\Windows\system32\svchost.exe[3808] ADVAPI32.dll!SetServiceObjectSecurity 76736CD9 5 Bytes JMP 00071014
    .text C:\Windows\system32\svchost.exe[3808] ADVAPI32.dll!ChangeServiceConfigA 76736DD9 5 Bytes JMP 00070804
    .text C:\Windows\system32\svchost.exe[3808] ADVAPI32.dll!ChangeServiceConfigW 76736F81 5 Bytes JMP 00070A08
    .text C:\Windows\system32\svchost.exe[3808] ADVAPI32.dll!ChangeServiceConfig2A 76737099 5 Bytes JMP 00070C0C
    .text C:\Windows\system32\svchost.exe[3808] ADVAPI32.dll!ChangeServiceConfig2W 767371E1 5 Bytes JMP 00070E10
    .text C:\Windows\system32\svchost.exe[3808] ADVAPI32.dll!CreateServiceA 767372A1 5 Bytes JMP 000701F8
    .text C:\Windows\system32\svchost.exe[3808] USER32.dll!SetWindowsHookExA 76856322 5 Bytes JMP 00150600
    .text C:\Windows\system32\svchost.exe[3808] USER32.dll!SetWindowsHookExW 768587AD 5 Bytes JMP 00150804
    .text C:\Windows\system32\svchost.exe[3808] USER32.dll!UnhookWindowsHookEx 768598DB 5 Bytes JMP 00150A08
    .text C:\Windows\system32\svchost.exe[3808] USER32.dll!SetWinEventHook 76859F3A 5 Bytes JMP 001501F8
    .text C:\Windows\system32\svchost.exe[3808] USER32.dll!UnhookWinEvent 7685C06F 5 Bytes JMP 001503FC
    .text C:\Windows\System32\mobsync.exe[3980] ntdll.dll!LdrLoadDll 76DD9378 5 Bytes JMP 000501F8
    .text C:\Windows\System32\mobsync.exe[3980] ntdll.dll!LdrUnloadDll 76DEB680 5 Bytes JMP 000503FC
    .text C:\Windows\System32\mobsync.exe[3980] kernel32.dll!GetBinaryTypeW + 70 754C2467 1 Byte [62]
    .text C:\Windows\System32\mobsync.exe[3980] ADVAPI32.dll!CreateServiceW 766F9EB4 5 Bytes JMP 000703FC
    .text C:\Windows\System32\mobsync.exe[3980] ADVAPI32.dll!DeleteService 766FA07E 5 Bytes JMP 00070600
    .text C:\Windows\System32\mobsync.exe[3980] ADVAPI32.dll!SetServiceObjectSecurity 76736CD9 5 Bytes JMP 00071014
    .text C:\Windows\System32\mobsync.exe[3980] ADVAPI32.dll!ChangeServiceConfigA 76736DD9 5 Bytes JMP 00070804
    .text C:\Windows\System32\mobsync.exe[3980] ADVAPI32.dll!ChangeServiceConfigW 76736F81 5 Bytes JMP 00070A08
    .text C:\Windows\System32\mobsync.exe[3980] ADVAPI32.dll!ChangeServiceConfig2A 76737099 5 Bytes JMP 00070C0C
    .text C:\Windows\System32\mobsync.exe[3980] ADVAPI32.dll!ChangeServiceConfig2W 767371E1 5 Bytes JMP 00070E10
    .text C:\Windows\System32\mobsync.exe[3980] ADVAPI32.dll!CreateServiceA 767372A1 5 Bytes JMP 000701F8
    .text C:\Windows\System32\mobsync.exe[3980] USER32.dll!SetWindowsHookExA 76856322 5 Bytes JMP 00080600
    .text C:\Windows\System32\mobsync.exe[3980] USER32.dll!SetWindowsHookExW 768587AD 5 Bytes JMP 00080804
    .text C:\Windows\System32\mobsync.exe[3980] USER32.dll!UnhookWindowsHookEx 768598DB 5 Bytes JMP 00080A08
    .text C:\Windows\System32\mobsync.exe[3980] USER32.dll!SetWinEventHook 76859F3A 5 Bytes JMP 000801F8
    .text C:\Windows\System32\mobsync.exe[3980] USER32.dll!UnhookWinEvent 7685C06F 5 Bytes JMP 000803FC

    ---- User IAT/EAT - GMER 1.0.15 ----

    IAT C:\Windows\system32\services.exe[732] @ C:\Windows\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00130002
    IAT C:\Windows\system32\services.exe[732] @ C:\Windows\system32\services.exe [KERNEL32.dll!CreateProcessW] 00130000
    IAT C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1596] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [72C3F6A0] C:\Program Files\AVAST Software\Avast\aswCmnBS.dll (Common functions/AVAST Software)
    IAT C:\Program Files\AVAST Software\Avast\afwServ.exe[1644] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [72C3F6A0] C:\Program Files\AVAST Software\Avast\aswCmnBS.dll (Common functions/AVAST Software)
    IAT C:\Program Files\AVAST Software\Avast\AvastUI.exe[2800] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [72C3F6A0] C:\Program Files\AVAST Software\Avast\aswCmnBS.dll (Common functions/AVAST Software)

    ---- Devices - GMER 1.0.15 ----

    Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/AVAST Software)

    AttachedDevice \FileSystem\Ntfs \Ntfs pffilter.sys
    AttachedDevice \Driver\tdx \Device\Tcp aswFW.SYS (avast! Filtering TDI driver/AVAST Software)
    AttachedDevice \Driver\tdx \Device\Udp aswFW.SYS (avast! Filtering TDI driver/AVAST Software)

    ---- Files - GMER 1.0.15 ----

    File C:\ProgramData\IObit\Protected Folder\config.ini 57 bytes
    File C:\ProgramData\IObit\Protected Folder\drawposs.db 0 bytes
    File C:\ProgramData\IObit\Protected Folder\fstile.cds 0 bytes

    ---- EOF - GMER 1.0.15 ----
  4. Broni Malware Annihilator Posts: 39,324   +175

    Welcome aboard

    Please, observe following rules:
    • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
    • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
    • Please refrain from running tools or applying updates other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer behavior, good, or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

    ====================================================================

    Download aswMBR to your desktop.
    Double click the aswMBR.exe to run it.
    If you see this question: "Would you like to download latest Avast! virus definitions?" say "Yes".
    Click the "Scan" button to start scan.
    On completion of the scan click "Save log", save it to your desktop and post in your next reply.

    NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.

    ==================================================================

    Download Bootkit Remover to your desktop.

    • Unzip downloaded file to your Desktop.
    • Double-click on boot_cleaner.exe to run the program (Vista/7 users, right-click on boot_cleaner.exe and click Run As Administrator).
    • It will show a Black screen with some data on it.
    • Right click on the screen and click Select All.
    • Press CTRL+C
    • Open a Notepad and press CTRL+V
    • Post the output back here.
  5. doowop25 Newcomer, in training Posts: 24

    aswMBR log file

    aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
    Run date: 2012-03-20 21:12:47
    -----------------------------
    21:12:47.074 OS Version: Windows 6.0.6002 Service Pack 2
    21:12:47.074 Number of processors: 2 586 0x6B02
    21:12:47.077 ComputerName: DAWON-PC UserName: Dawon
    21:12:48.544 Initialize success
    21:14:20.429 AVAST engine defs: 12032000
    21:14:32.635 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\00000055
    21:14:32.645 Disk 0 Vendor: WDC_WD32 01.0 Size: 305245MB BusType: 3
    21:14:32.668 Disk 0 MBR read successfully
    21:14:32.679 Disk 0 MBR scan
    21:14:32.702 Disk 0 unknown MBR code
    21:14:32.714 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 293829 MB offset 63
    21:14:32.754 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 11413 MB offset 601762770
    21:14:32.782 Disk 0 Partition 3 00 17 Hidd HPFS/NTFS NTFS 2 MB offset 625137345
    21:14:32.797 Disk 0 Partition 3 **INFECTED** MBR:Alureon-K [Rtk]
    21:14:32.806 Disk 0 scanning sectors +625142432
    21:14:32.868 Disk 0 scanning C:\Windows\system32\drivers
    21:14:43.697 Service scanning
    21:15:07.613 Modules scanning
    21:15:12.341 Disk 0 trace - called modules:
    21:15:12.357 ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll storport.sys nvstor32.sys
    21:15:12.358 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x853b52f0]
    21:15:12.359 3 CLASSPNP.SYS[823358b3] -> nt!IofCallDriver -> [0x84e4f4d0]
    21:15:12.360 5 acpi.sys[822126bc] -> nt!IofCallDriver -> \Device\00000055[0x84ec15f8]
    21:15:13.887 AVAST engine scan C:\Windows
    21:15:17.371 AVAST engine scan C:\Windows\system32
    21:16:02.690 File: C:\Windows\system32\jureg.exe **INFECTED** Win32:SMSSend-IG [Trj]
    21:18:23.690 AVAST engine scan C:\Windows\system32\drivers
    21:18:37.436 AVAST engine scan C:\Users\Dawon
    21:24:42.899 AVAST engine scan C:\ProgramData
    21:28:32.944 Scan finished successfully
    21:29:49.400 Disk 0 MBR has been saved successfully to "C:\Users\Dawon\Desktop\SercurityStuff\MBR.dat"
    21:29:49.410 The log file has been saved successfully to "C:\Users\Dawon\Desktop\SercurityStuff\aswMBR.txt"

    Bootkit Remover log file


    Bootkit Remover
    (c) 2009 Esage Lab
    www.esagelab.com

    Program version: 1.2.0.1
    OS Version: Microsoft Windows Vista Home Premium Edition Service Pack 2 (build 6002), 32-bit

    System volume is \\.\C:
    \\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`00007e00
    ATA_Read(): DeviceIoControl() ERROR 1
    Boot sector MD5 is: 6e1c385735071a353ec369fd572116f3

    Size Device Name MBR Status
    --------------------------------------------
    298 GB \\.\PhysicalDrive0 Unknown boot code

    Unknown boot code has been found on some of your physical disks.
    To inspect the boot code manually, dump the master boot sector:
    remover.exe dump <device_name> [output_file]
    To disinfect the master boot sector, use the following command:
    remover.exe fix <device_name>


    Done;
    Press any key to quit...

    *While attempting to run the boot cleaner I get the following warning message:
    "ATA_Pass_Through_Direct is not supported by your disk controller"
    "SCSI_Pass_Through_Direct will be use for disk I/O"

    After I click OK, I guess it does its thing.
  6. Broni Malware Annihilator Posts: 39,324   +175

    Please download and run ListParts by Farbar (for 32-bit system) to your desktop.

    Please download and run ListParts64 by Farbar (for 64-bit system) to your desktop.

    Click on Scan button.

    Scan result will open in Notepad.
    Post it in your next reply.
     
  7. doowop25 Newcomer, in training Posts: 24

    ListParts log

    ListParts by Farbar Version: 12-03-2012 03
    Ran by Dawon (administrator) on 20-03-2012 at 22:04:21
    Windows Vista (X86)
    Running From: C:\Users\Dawon\Desktop
    Language: 0409
    ************************************************************

    ========================= Memory info ======================

    Percentage of memory in use: 28%
    Total physical RAM: 3005.76 MB
    Available physical RAM: 2135.58 MB
    Total Pagefile: 7419.19 MB
    Available Pagefile: 6151.3 MB
    Total Virtual: 2047.88 MB
    Available Virtual: 1965.1 MB

    ======================= Partitions =========================

    1 Drive c: (COMPAQ) (Fixed) (Total:286.94 GB) (Free:182.24 GB) NTFS ==>[Drive with boot components (obtanied from BCD)]
    2 Drive d: (FACTORY_IMAGE) (Fixed) (Total:11.15 GB) (Free:1.53 GB) NTFS ==>[System with boot components (obtained from reading drive)]

    Disk ### Status Size Free Dyn Gpt
    -------- ---------- ------- ------- --- ---
    Disk 0 Online 298 GB 0 B

    Partitions of Disk 0:
    ===============

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Primary 287 GB 32 KB
    Partition 2 Primary 11 GB 287 GB
    Partition 3 Primary 2544 KB 298 GB

    ======================================================================================================

    Disk: 0
    Partition 1
    Type : 07
    Hidden: No
    Active: Yes

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 1 C COMPAQ NTFS Partition 287 GB Healthy System (partition with boot components)

    ======================================================================================================

    Disk: 0
    Partition 2
    Type : 07
    Hidden: No
    Active: No

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 2 D FACTORY_IMA NTFS Partition 11 GB Healthy

    ======================================================================================================

    Disk: 0
    Partition 3
    Type : 17 (Suspicious Type)
    Hidden: Yes
    Active: No

    There is no volume associated with this partition.

    ======================================================================================================

    ****** End Of Log ******
  8. Broni Malware Annihilator Posts: 39,324   +175

    WARNING!
    Proceed with extreme caution!
    Deleting the wrong partition will result in your computer being unusable.
    If you have any doubts, ask.



    Download GETxPUD.exe to the desktop of your clean computer

    • Double click on GETxPUD.exe
    • A new folder will appear on the desktop.
    • Open the GETxPUD folder and click on the get&burn.bat
    • The program will download xpud_0.9.2.iso, and when finished will open BurnCDCC ready to burn the image.
    • Insert blank CD into your CD drive.
    • Click on Start and follow the prompts to burn the image to a CD.
    • Boot bad computer from the CD
    • Click Menu then Terminal Emulator
    • Type parted /dev/sda set 1 boot on
    • Press Enter
    • Type parted /dev/sda rm 3
    • Press Enter
    • Remove xPUD CD, reboot, run aswMBR and post the log
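    The partition-table reading behind the aswMBR and ListParts findings above (a hidden type 0x17 entry of about 2 MB at the very end of the disk), and what the two parted commands change in that table, as an added example that is not part of this thread or of any tool named in it. The 512-byte sector and the disk size are constructed to mirror the logged layout; the boot code area is filler, and the repair step models the effect of `set 1 boot on` and `rm 3` on the in-memory table only.

    ```python
    """Inspect a 512-byte MBR for the hidden-partition pattern seen in the logs
    (constructed example: not the thread's tools, not the user's real disk)."""
    import struct

    SECTOR = 512                 # bytes per sector
    TABLE_OFFSET = 446           # partition table starts after the boot code
    ENTRY_SIZE = 16
    SIGNATURE = b"\x55\xaa"      # MBR boot signature at bytes 510..511
    # Partition type IDs with the "hidden" bit (0x10) set; 0x17 is hidden NTFS,
    # the type ListParts marked as "Suspicious Type" above.
    HIDDEN_TYPES = {0x11, 0x14, 0x16, 0x17, 0x1B, 0x1C, 0x1E}


    def parse_partition_table(mbr: bytes) -> list:
        """Decode the four primary partition entries of an MBR sector."""
        if len(mbr) != SECTOR:
            raise ValueError("MBR must be exactly 512 bytes")
        if mbr[510:512] != SIGNATURE:
            raise ValueError("missing 0x55AA boot signature")
        entries = []
        for i in range(4):
            off = TABLE_OFFSET + i * ENTRY_SIZE
            # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sectors(4)
            status, ptype, lba, count = struct.unpack_from("<B3xB3xII", mbr, off)
            entries.append({"index": i + 1, "active": bool(status & 0x80),
                            "type": ptype, "lba_start": lba, "sectors": count})
        return entries


    def audit(entries: list, disk_sectors: int, tail_slack_mb: int = 16) -> list:
        """Return human-readable findings for entries a responder should review."""
        findings = []
        used = [e for e in entries if e["type"] != 0]
        active = [e for e in used if e["active"]]
        if len(active) != 1:
            findings.append(f"{len(active)} active partitions (expected exactly 1)")
        for e in used:
            size_mb = e["sectors"] * SECTOR // (1024 * 1024)
            end = e["lba_start"] + e["sectors"]
            if e["type"] in HIDDEN_TYPES:
                findings.append(f"partition {e['index']}: hidden type 0x{e['type']:02X}")
            if end > disk_sectors:
                findings.append(f"partition {e['index']}: extends past end of disk")
            elif (size_mb < tail_slack_mb
                  and (disk_sectors - end) * SECTOR < tail_slack_mb * 1024 * 1024):
                findings.append(f"partition {e['index']}: {size_mb} MB tucked at the end of the disk")
        return findings


    def repair(mbr: bytes, boot_index: int, remove_index: int) -> bytes:
        """Model what `parted set <boot_index> boot on` and `parted rm <remove_index>`
        do to the table: set the 0x80 status flag on one entry (cleared on the
        others, since only one primary may be active) and zero the removed entry."""
        table = bytearray(mbr)
        for i in range(4):
            table[TABLE_OFFSET + i * ENTRY_SIZE] = 0x80 if i + 1 == boot_index else 0x00
        off = TABLE_OFFSET + (remove_index - 1) * ENTRY_SIZE
        table[off:off + ENTRY_SIZE] = bytes(ENTRY_SIZE)
        return bytes(table)


    def _entry(status: int, ptype: int, lba_start: int, sectors: int) -> bytes:
        # CHS fields carry the LBA-only marker 0xFE FF FF; tools use the LBA fields.
        return struct.pack("<B3sB3sII", status, b"\xfe\xff\xff", ptype,
                           b"\xfe\xff\xff", lba_start, sectors)


    # Constructed sector mirroring the layout in the aswMBR/ListParts logs: two
    # NTFS partitions plus a 2 MB hidden (0x17) entry at the end of a disk of
    # 625142448 sectors (~298 GB). The boot code area is zero filler.
    DISK_SECTORS = 625142448
    SAMPLE_MBR = (bytes(TABLE_OFFSET)
                  + _entry(0x80, 0x07, 63, 601762707)
                  + _entry(0x00, 0x07, 601762770, 23374575)
                  + _entry(0x00, 0x17, 625137345, 5088)
                  + bytes(ENTRY_SIZE)
                  + SIGNATURE)

    if __name__ == "__main__":
        before = parse_partition_table(SAMPLE_MBR)
        for finding in audit(before, DISK_SECTORS):
            print("before:", finding)
        fixed = repair(SAMPLE_MBR, boot_index=1, remove_index=3)
        print("after:", audit(parse_partition_table(fixed), DISK_SECTORS) or "no findings")
    ```
    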
  9. doowop25 Newcomer, in training Posts: 24

    What exactly do you mean by, "to the desktop of my clean computer?"
    You mean the one that I'm trying to fix right now?
  10. Broni Malware Annihilator Posts: 39,324   +175

    It'd be better to create the above CD on another working computer, but if you don't have one, use the one we've been working on.
  11. doowop25 Newcomer, in training Posts: 24

    aswMBR log


    aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
    Run date: 2012-03-20 21:12:47
    -----------------------------
    21:12:47.074 OS Version: Windows 6.0.6002 Service Pack 2
    21:12:47.074 Number of processors: 2 586 0x6B02
    21:12:47.077 ComputerName: DAWON-PC UserName: Dawon
    21:12:48.544 Initialize success
    21:14:20.429 AVAST engine defs: 12032000
    21:14:32.635 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\00000055
    21:14:32.645 Disk 0 Vendor: WDC_WD32 01.0 Size: 305245MB BusType: 3
    21:14:32.668 Disk 0 MBR read successfully
    21:14:32.679 Disk 0 MBR scan
    21:14:32.702 Disk 0 unknown MBR code
    21:14:32.714 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 293829 MB offset 63
    21:14:32.754 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 11413 MB offset 601762770
    21:14:32.782 Disk 0 Partition 3 00 17 Hidd HPFS/NTFS NTFS 2 MB offset 625137345
    21:14:32.797 Disk 0 Partition 3 **INFECTED** MBR:Alureon-K [Rtk]
    21:14:32.806 Disk 0 scanning sectors +625142432
    21:14:32.868 Disk 0 scanning C:\Windows\system32\drivers
    21:14:43.697 Service scanning
    21:15:07.613 Modules scanning
    21:15:12.341 Disk 0 trace - called modules:
    21:15:12.357 ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll storport.sys nvstor32.sys
    21:15:12.358 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x853b52f0]
    21:15:12.359 3 CLASSPNP.SYS[823358b3] -> nt!IofCallDriver -> [0x84e4f4d0]
    21:15:12.360 5 acpi.sys[822126bc] -> nt!IofCallDriver -> \Device\00000055[0x84ec15f8]
    21:15:13.887 AVAST engine scan C:\Windows
    21:15:17.371 AVAST engine scan C:\Windows\system32
    21:16:02.690 File: C:\Windows\system32\jureg.exe **INFECTED** Win32:SMSSend-IG [Trj]
    21:18:23.690 AVAST engine scan C:\Windows\system32\drivers
    21:18:37.436 AVAST engine scan C:\Users\Dawon
    21:24:42.899 AVAST engine scan C:\ProgramData
    21:28:32.944 Scan finished successfully
    21:29:49.400 Disk 0 MBR has been saved successfully to "C:\Users\Dawon\Desktop\SercurityStuff\MBR.dat"
    21:29:49.410 The log file has been saved successfully to "C:\Users\Dawon\Desktop\SercurityStuff\aswMBR.txt"


    aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
    Run date: 2012-03-20 22:53:09
    -----------------------------
    22:53:09.488 OS Version: Windows 6.0.6002 Service Pack 2
    22:53:09.488 Number of processors: 2 586 0x6B02
    22:53:09.488 ComputerName: DAWON-PC UserName: Dawon
    22:53:10.970 Initialize success
    22:53:20.081 AVAST engine defs: 12032000
    22:53:26.773 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\00000055
    22:53:26.773 Disk 0 Vendor: WDC_WD32 01.0 Size: 305245MB BusType: 3
    22:53:26.804 Disk 0 MBR read successfully
    22:53:26.820 Disk 0 MBR scan
    22:53:26.835 Disk 0 unknown MBR code
    22:53:26.835 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 293829 MB offset 63
    22:53:26.898 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 11413 MB offset 601762770
    22:53:26.913 Disk 0 scanning sectors +625137345
    22:53:27.038 Disk 0 scanning C:\Windows\system32\drivers
    22:53:48.124 Service scanning
    22:54:19.365 Modules scanning
    22:54:24.637 Disk 0 trace - called modules:
    22:54:24.681 ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll storport.sys nvstor32.sys
    22:54:24.697 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x853b2060]
    22:54:24.707 3 CLASSPNP.SYS[8073a8b3] -> nt!IofCallDriver -> [0x84ec97c8]
    22:54:24.716 5 acpi.sys[806176bc] -> nt!IofCallDriver -> \Device\00000055[0x84ec9c90]
    22:54:26.387 AVAST engine scan C:\Windows
    22:54:30.837 AVAST engine scan C:\Windows\system32
    22:55:24.726 File: C:\Windows\system32\jureg.exe **INFECTED** Win32:SMSSend-IG [Trj]
    22:58:40.519 AVAST engine scan C:\Windows\system32\drivers
    22:59:28.019 AVAST engine scan C:\Users\Dawon
    23:06:30.233 AVAST engine scan C:\ProgramData
    23:07:50.681 Disk 0 MBR has been saved successfully to "C:\Users\Dawon\Desktop\SercurityStuff\MBR.dat"
    23:07:50.696 The log file has been saved successfully to "C:\Users\Dawon\Desktop\SercurityStuff\aswMBR.txt"
  12. Broni Malware Annihilator Posts: 39,324   +175

    Good job :)

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    • Never rename Combofix unless instructed.
    • Close any open browsers.
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    • Double click on combofix.exe & follow the prompts.

    • NOTE1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
    • When finished, it will produce a report for you.
    • Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall.
    **Note 2 for AVG and CA Internet Security users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG/CA Internet Security first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
    **Note 4: Some infections may take some significant time to be cured. As long as your computer clock is running Combofix is still working. Be patient.


    Make sure, you re-enable your security programs, when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try one of the following:

    1. Run Combofix from Safe Mode.

    2. Delete the Combofix file, download a fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
    Do NOT run it yet.
    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.
    There are 4 different versions. If one of them won't run then download and try to run the other one.
    Vista and Win7 users need to right click Rkill and choose Run as Administrator
    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool; ignore them or shut down your antivirus.

    * Rkill.com
    * Rkill.scr
    * Rkill.exe
    • Double-click on the Rkill icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.
    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, rKill and Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
  13. doowop25 Newcomer, in training Posts: 24

    When I run Combofix it displays a message that it cannot run because I have CA antivirus installed, but I don't have CA installed. I had it once before a couple of years ago, but I'm not sure what file it thinks is CA Antivirus.
  14. Broni Malware Annihilator Posts: 39,324   +175

    If it's just a warning and it'll run, run it.
  15. doowop25 Newcomer, in training Posts: 24

    It won't run; it just closes out. Here is the message:

    Warning:
    Combofix cannot run when CA Anti-virus is installed. Please uninstall CA Anti-virus or use another tool.

    The only option it gives me is to click ok, or I can click the 'x' and close the window out. Either way, the tool closes out. Strange because I no longer have CA Anti-virus.
  16. Broni Malware Annihilator Posts: 39,324   +175

    Try safe mode.
  17. doowop25 Newcomer, in training Posts: 24

    OK, just tried it in safe mode and I still get the same message. Earlier I found a CA fix for the issue of uninstalling all of their software, because unfortunately there's no complete uninstall for their program, but the fix didn't seem to work either.
  18. Broni Malware Annihilator Posts: 39,324   +175

    Download OTL to your Desktop.

    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • Click the Scan All Users checkbox.
    • Under the Custom Scan box paste this in:


    netsvcs
    drivers32
    %SYSTEMDRIVE%\*.*
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\Fonts\*.ini
    %systemroot%\Fonts\*.ini2
    %systemroot%\Fonts\*.exe
    %systemroot%\system32\spool\prtprocs\w32x86\*.*
    %systemroot%\REPAIR\*.bak1
    %systemroot%\REPAIR\*.ini
    %systemroot%\system32\*.jpg
    %systemroot%\*.jpg
    %systemroot%\*.png
    %systemroot%\*.scr
    %systemroot%\*._sy
    %APPDATA%\Adobe\Update\*.*
    %ALLUSERSPROFILE%\Favorites\*.*
    %APPDATA%\Microsoft\*.*
    %PROGRAMFILES%\*.*
    %APPDATA%\Update\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\System32\config\*.sav
    %PROGRAMFILES%\bak. /s
    %systemroot%\system32\bak. /s
    %ALLUSERSPROFILE%\Start Menu\*.lnk /x
    %systemroot%\system32\config\systemprofile\*.dat /x
    %systemroot%\*.config
    %systemroot%\system32\*.db
    %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
    %USERPROFILE%\Desktop\*.exe
    %PROGRAMFILES%\Common Files\*.*
    %systemroot%\*.src
    %systemroot%\install\*.*
    %systemroot%\system32\DLL\*.*
    %systemroot%\system32\HelpFiles\*.*
    %systemroot%\tasks\*.*
    %systemroot%\system32\rundll\*.*
    %systemroot%\winn32\*.*
    %systemroot%\Java\*.*
    %systemroot%\system32\test\*.*
    %systemroot%\system32\Rundll32\*.*
    %systemroot%\AppPatch\Custom\*.*
    %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x
    %PROGRAMFILES%\PC-Doctor\Downloads\*.*
    %PROGRAMFILES%\Internet Explorer\*.tmp
    %PROGRAMFILES%\Internet Explorer\*.dat
    %USERPROFILE%\My Documents\*.exe
    %USERPROFILE%\*.exe
    %systemroot%\ADDINS\*.*
    %systemroot%\assembly\*.bak2
    %systemroot%\Config\*.*
    %systemroot%\REPAIR\*.bak2
    %systemroot%\SECURITY\Database\*.sdb /x
    %systemroot%\SYSTEM\*.bak2
    %systemroot%\Web\*.bak2
    %systemroot%\Driver Cache\*.*
    %PROGRAMFILES%\Mozilla Firefox\0*.exe
    %ProgramFiles%\Microsoft Common\*.*
    %ProgramFiles%\TinyProxy.
    %USERPROFILE%\Favorites\*.url /x
    %systemroot%\system32\*.bk
    %systemroot%\*.te
    %systemroot%\system32\system32\*.*
    %ALLUSERSPROFILE%\*.dat /x
    %systemroot%\system32\drivers\*.rmv
    dir /b "%systemroot%\system32\*.exe" | find /i " " /c
    dir /b "%systemroot%\*.exe" | find /i " " /c
    %PROGRAMFILES%\Microsoft\*.*
    %systemroot%\System32\Wbem\proquota.exe
    %PROGRAMFILES%\Mozilla Firefox\*.dat
    %USERPROFILE%\Cookies\*.txt /x
    %SystemRoot%\system32\fonts\*.*
    %systemroot%\system32\winlog\*.*
    %systemroot%\system32\Language\*.*
    %systemroot%\system32\Settings\*.*
    %systemroot%\system32\*.quo
    %SYSTEMROOT%\AppPatch\*.exe
    %SYSTEMROOT%\inf\*.exe
    %SYSTEMROOT%\Installer\*.exe
    %systemroot%\system32\config\*.bak2
    %systemroot%\system32\Computers\*.*
    %SystemRoot%\system32\Sound\*.*
    %SystemRoot%\system32\SpecialImg\*.*
    %SystemRoot%\system32\code\*.*
    %SystemRoot%\system32\draft\*.*
    %SystemRoot%\system32\MSSSys\*.*
    %ProgramFiles%\Javascript\*.*
    %systemroot%\pchealth\helpctr\System\*.exe /s
    %systemroot%\Web\*.exe
    %systemroot%\system32\msn\*.*
    %systemroot%\system32\*.tro
    %AppData%\Microsoft\Installer\msupdates\*.*
    %ProgramFiles%\Messenger\*.*
    %systemroot%\system32\systhem32\*.*
    %systemroot%\system\*.exe
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
    /md5start
    /md5stop


    • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
  19. doowop25 Newcomer, in training Posts: 24

    OTL log - part 1


    OTL logfile created on: 3/21/2012 12:08:39 AM - Run 1
    OTL by OldTimer - Version 3.2.39.1 Folder = C:\Users\Dawon\Desktop
    Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
    Internet Explorer (Version = 9.0.8112.16421)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    2.94 Gb Total Physical Memory | 2.40 Gb Available Physical Memory | 81.91% Memory free
    7.25 Gb Paging File | 6.74 Gb Available in Paging File | 93.00% Paging File free
    Paging file location(s): c:\pagefile.sys 4507 4507 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
    Drive C: | 286.94 Gb Total Space | 181.97 Gb Free Space | 63.42% Space Free | Partition Type: NTFS
    Drive D: | 11.15 Gb Total Space | 1.53 Gb Free Space | 13.72% Space Free | Partition Type: NTFS

    Computer Name: DAWON-PC | User Name: Dawon | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: All users | Quick Scan
    Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

    ========== Processes (SafeList) ==========

    PRC - [2012/03/21 00:03:50 | 000,594,432 | ---- | M] (OldTimer Tools) -- C:\Users\Dawon\Desktop\OTL.exe
    PRC - [2012/01/03 08:10:42 | 000,063,928 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
    PRC - [2011/12/31 14:14:36 | 000,421,208 | ---- | M] (IObit) -- C:\Program Files\IObit\Advanced SystemCare 5\Suo10_SmartRAM.exe
    PRC - [2009/04/11 01:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
    PRC - [2005/02/23 16:56:14 | 000,053,248 | ---- | M] (Computer Associates) -- C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe


    ========== Modules (No Company Name) ==========

    MOD - [2011/04/21 17:54:40 | 000,347,024 | -H-- | M] () -- C:\Program Files\IObit\Advanced SystemCare 5\madexcept_.bpl
    MOD - [2011/04/21 17:54:40 | 000,179,088 | -H-- | M] () -- C:\Program Files\IObit\Advanced SystemCare 5\madbasic_.bpl
    MOD - [2011/04/21 17:54:40 | 000,046,480 | -H-- | M] () -- C:\Program Files\IObit\Advanced SystemCare 5\maddisAsm_.bpl


    ========== Win32 Services (SafeList) ==========

    SRV - File not found [On_Demand | Stopped] -- -- (VQYLZES)
    SRV - File not found [Disabled | Stopped] -- C:\Program Files\Spybot -- (SBSDWSCService)
    SRV - File not found [On_Demand | Stopped] -- -- (MPUW)
    SRV - [2012/01/03 08:10:42 | 000,063,928 | ---- | M] (Adobe Systems Incorporated) [Auto | Running] -- C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice)
    SRV - [2011/12/29 23:29:04 | 000,497,496 | ---- | M] (IObit) [Disabled | Stopped] -- C:\Program Files\IObit\Advanced SystemCare 5\ASCService.exe -- (AdvancedSystemCareService5)
    SRV - [2011/08/11 18:38:07 | 000,116,608 | ---- | M] (SUPERAntiSpyware.com) [Disabled | Stopped] -- C:\Program Files\SUPERAntiSpyware\SASCore.exe -- (!SASCORE)
    SRV - [2011/08/03 06:50:00 | 002,255,464 | ---- | M] (NVIDIA Corporation) [Disabled | Stopped] -- C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe -- (nvUpdatusService)
    SRV - [2010/11/18 13:48:04 | 001,045,256 | ---- | M] (Acresso Software Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
    SRV - [2010/04/21 12:46:17 | 000,373,760 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\System32\inetsrv\iisw3adm.dll -- (WAS)
    SRV - [2010/04/21 12:46:17 | 000,373,760 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\inetsrv\iisw3adm.dll -- (W3SVC)
    SRV - [2009/04/11 01:28:17 | 000,052,224 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\inetsrv\apphostsvc.dll -- (AppHostSvc)
    SRV - [2008/01/20 21:23:32 | 000,272,952 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
    SRV - [2007/05/31 10:21:24 | 000,379,784 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\WindowsMobile\wcescomm.dll -- (WcesComm)
    SRV - [2007/05/31 10:21:18 | 000,183,688 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\WindowsMobile\rapimgr.dll -- (RapiMgr)
    SRV - [2007/05/28 11:57:54 | 000,275,968 | ---- | M] (Rocket Division Software) [Disabled | Stopped] -- C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe -- (StarWindServiceAE)
    SRV - [2005/02/23 16:56:14 | 000,053,248 | ---- | M] (Computer Associates) [Auto | Running] -- C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe -- (LogWatch)


    ========== Driver Services (SafeList) ==========

    DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\vpnva.sys -- (vpnva)
    DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\usbser_lowerflt.sys -- (upperdev)
    DRV - File not found [Kernel | On_Demand | Stopped] -- -- (rootrepeal)
    DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\pcdrndisuio.sys -- (PcdrNdisuio)
    DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\pccsmcfd.sys -- (pccsmcfd)
    DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkfwd.sys -- (NwlnkFwd)
    DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkflt.sys -- (NwlnkFlt)
    DRV - File not found [Kernel | On_Demand | Stopped] -- system32\drivers\nmwcdnsuc.sys -- (nmwcdnsuc)
    DRV - File not found [Kernel | On_Demand | Stopped] -- system32\drivers\nmwcdnsu.sys -- (nmwcdnsu)
    DRV - File not found [Kernel | On_Demand | Stopped] -- system32\drivers\ccdcmbo.sys -- (nmwcdc)
    DRV - File not found [Kernel | On_Demand | Stopped] -- system32\drivers\ccdcmb.sys -- (nmwcd)
    DRV - File not found [Kernel | System | Stopped] -- -- (MpKsl9900cb84)
    DRV - File not found [Kernel | Auto | Stopped] -- -- (MCSTRM)
    DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\ipinip.sys -- (IpInIp)
    DRV - File not found [Kernel | On_Demand | Stopped] -- -- (cpuz132)
    DRV - [2011/08/03 06:50:00 | 010,304,104 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvlddmkm.sys -- (nvlddmkm)
    DRV - [2011/07/22 11:27:02 | 000,012,880 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys -- (SASDIFSV)
    DRV - [2011/07/12 16:55:22 | 000,067,664 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
    DRV - [2011/03/16 19:00:08 | 000,032,672 | ---- | M] (IObit Information Technology) [File_System | Auto | Running] -- C:\Program Files\IObit\Protected Folder\pffilter.sys -- (PfFilter)
    DRV - [2011/02/23 16:52:34 | 000,016,184 | ---- | M] () [Kernel | Boot | Running] -- C:\Windows\System32\drivers\SmartDefragDriver.sys -- (SmartDefragDriver)
    DRV - [2008/08/01 19:51:14 | 001,052,704 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvmfdx32.sys -- (NVENETFD)
    DRV - [2008/06/06 14:13:40 | 000,133,152 | ---- | M] (NVIDIA Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\System32\drivers\nvrd32.sys -- (nvrd32)
    DRV - [2008/06/06 14:13:10 | 000,145,440 | ---- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\nvstor32.sys -- (nvstor32)
    DRV - [2008/05/22 04:39:34 | 000,015,360 | ---- | M] (NVIDIA Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\System32\drivers\nvsmu.sys -- (nvsmu)
    DRV - [2008/02/12 10:25:22 | 000,985,600 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\HSX_DP.sys -- (HSF_DP)
    DRV - [2007/03/26 21:37:52 | 000,206,336 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\HSXHWBS3.sys -- (HSXHWBS3)
    DRV - [2007/01/30 21:23:30 | 000,008,704 | ---- | M] (Conexant Systems, Inc.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\XAudio.sys -- (XAudio)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========

    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=84&bd=Presario&pf=cndt
    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=84&bd=Presario&pf=cndt
    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant =
    IE - HKLM\..\SearchScopes,DefaultScope = {293B6F50-4C29-402E-994F-5F895838E224}
    IE - HKLM\..\SearchScopes\{293B6F50-4C29-402E-994F-5F895838E224}: "URL" = http://search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=hp-psdt
    IE - HKLM\..\SearchScopes\{A797851D-92CE-46FB-B33A-90E5EAE73837}: "URL" = http://www.ask.com/web?q={searchTerms}&l=dis&o=uscqd


    IE - HKU\.DEFAULT\..\SearchScopes,DefaultScope = {293B6F50-4C29-402E-994F-5F895838E224}
    IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    IE - HKU\S-1-5-18\..\SearchScopes,DefaultScope = {293B6F50-4C29-402E-994F-5F895838E224}
    IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



    IE - HKU\S-1-5-21-2150334436-476888621-3169721696-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=84&bd=Presario&pf=cndt
    IE - HKU\S-1-5-21-2150334436-476888621-3169721696-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar =
    IE - HKU\S-1-5-21-2150334436-476888621-3169721696-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.bing.com/?pc=Z007&form=ZGAPHP
    IE - HKU\S-1-5-21-2150334436-476888621-3169721696-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Restore = http://www.comcast.net/
    IE - HKU\S-1-5-21-2150334436-476888621-3169721696-1000\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
    IE - HKU\S-1-5-21-2150334436-476888621-3169721696-1000\..\SearchScopes,DefaultScope = {293B6F50-4C29-402E-994F-5F895838E224}
    IE - HKU\S-1-5-21-2150334436-476888621-3169721696-1000\..\SearchScopes\{080FBDF6-B230-4e4d-A4E7-7C7A56D7BABC}: "URL" = http://searchservice.myspace.com/index.cfm?fuseaction=sitesearch.results&qry={searchTerms}&type=Web&orig=IMC-IE
    IE - HKU\S-1-5-21-2150334436-476888621-3169721696-1000\..\SearchScopes\{293B6F50-4C29-402E-994F-5F895838E224}: "URL" = http://search.yahoo.com/search?fr=chr-greentree_ie&ei=utf-8&ilc=12&type=937811&p={searchTerms}
    IE - HKU\S-1-5-21-2150334436-476888621-3169721696-1000\..\SearchScopes\{2BF3535E-BDB0-45E4-B986-EA9F938C7A03}: "URL" = http://ws.infospace.com/playsushi_tbar/ws/redir?_iceUrl=true& user_id=%userid&tool_id=60231&qkw={searchTerms}
    IE - HKU\S-1-5-21-2150334436-476888621-3169721696-1000\..\SearchScopes\{7ECCE87F-E9EB-432A-A65B-A656BA35F4F7}: "URL" = http://search.comcast.net/search?cat=Web&con=ie7&q={searchTerms}
    IE - HKU\S-1-5-21-2150334436-476888621-3169721696-1000\..\SearchScopes\{A797851D-92CE-46FB-B33A-90E5EAE73837}: "URL" = http://www.ask.com/web?q={searchTerms}&l=dis&o=uscqd
    IE - HKU\S-1-5-21-2150334436-476888621-3169721696-1000\..\SearchScopes\{E519AA1F-E8A8-47ED-92E3-BCFB65055819}: "URL" = http://search.comcast.net/search?cat=Web&con=toolbar&q={searchTerms}
    IE - HKU\S-1-5-21-2150334436-476888621-3169721696-1000\..\SearchScopes\{EA4B13CA-FDBF-E716-8E65-65F1231BD0D7}: "URL" = http://www.bing.com/search?q={searchTerms}&pc=ZUGO&form=ZGAIDF
    IE - HKU\S-1-5-21-2150334436-476888621-3169721696-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
    IE - HKU\S-1-5-21-2150334436-476888621-3169721696-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

    ========== FireFox ==========

    FF - prefs.js..browser.search.defaultenginename: "Yahoo"
    FF - prefs.js..browser.search.param.yahoo-fr: "chr-greentree_ff&type=937811&ilc=12"
    FF - prefs.js..browser.search.selectedEngine: "Yahoo"
    FF - prefs.js..browser.startup.homepage: "http://www.bing.com/?pc=Z007&form=ZGAPHP"
    FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
    FF - prefs.js..extensions.enabledItems: {9D6218B8-03C7-4b91-AA43-680B305DD35C}:1.7.9.7
    FF - prefs.js..extensions.enabledItems: {98e34367-8df7-42b4-837b-20b892ff0849}:1.6
    FF - prefs.js..keyword.URL: "http://search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&ilc=12&type=937811&p="


    FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32.dll ()
    FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
    FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
    FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Browser Plugin,version=1.0.0: C:\Program Files\DivX\DivX Plus Web Player\npdivx32.dll (DivX, LLC)
    FF - HKLM\Software\MozillaPlugins\@divx.com/DivX VOD Helper,version=1.0.0: C:\Program Files\DivX\DivX OVS Helper\npovshelper.dll (DivX, LLC.)
    FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)
    FF - HKLM\Software\MozillaPlugins\@messenger.yahoo.com/YahooMessengerStatePlugin;version=1.0.0.6: C:\Program Files\Yahoo!\Shared\npYState.dll (Yahoo! Inc.)
    FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.1.10111.0\npctrl.dll ( Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeLive,version=1.5: C:\Program Files\Microsoft\Office Live\npOLW.dll (Microsoft Corp.)
    FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3502.0922: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3508.1109: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=15.0.1.13: c:\program files\real\realplayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)
    FF - HKLM\Software\MozillaPlugins\@real.com/nprjplug;version=15.0.1.13: c:\program files\real\realplayer\Netscape6\nprjplug.dll (RealNetworks, Inc.)
    FF - HKLM\Software\MozillaPlugins\@real.com/nprpchromebrowserrecordext;version=15.0.1.13: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprpchromebrowserrecordext.dll (RealNetworks, Inc.)
    FF - HKLM\Software\MozillaPlugins\@real.com/nprphtml5videoshim;version=15.0.1.13: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll (RealNetworks, Inc.)
    FF - HKLM\Software\MozillaPlugins\@real.com/nprpjplug;version=15.0.1.13: c:\program files\real\realplayer\Netscape6\nprpjplug.dll (RealNetworks, Inc.)
    FF - HKLM\Software\MozillaPlugins\@real.com/nsJSRealPlayerPlugin;version=: File not found
    FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
    FF - HKCU\Software\MozillaPlugins\@talk.google.com/GoogleTalkPlugin: C:\Users\Dawon\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll (Google)
    FF - HKCU\Software\MozillaPlugins\@talk.google.com/O3DPlugin: C:\Users\Dawon\AppData\Roaming\Mozilla\plugins\npgtpo3dautoplugin.dll ()
    FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Users\Dawon\AppData\Local\Google\Update\1.3.21.99\npGoogleUpdate3.dll (Google Inc.)
    FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Users\Dawon\AppData\Local\Google\Update\1.3.21.99\npGoogleUpdate3.dll (Google Inc.)
    FF - HKCU\Software\MozillaPlugins\@yahoo.com/BrowserPlus,version=2.9.8: C:\Users\Dawon\AppData\Local\Yahoo!\BrowserPlus\2.9.8\Plugins\npybrowserplus_2.9.8.dll (Yahoo! Inc.)

    FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{23fcfd51-4958-4f00-80a3-ae97e717ed8b}: C:\Program Files\DivX\DivX Plus Web Player\firefox\html5video [2012/02/13 19:14:22 | 000,000,000 | ---D | M]
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{6904342A-8307-11DF-A508-4AE2DFD72085}: C:\Program Files\DivX\DivX Plus Web Player\firefox\wpa [2012/02/13 19:14:22 | 000,000,000 | ---D | M]
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext [2012/01/30 11:11:41 | 000,000,000 | ---D | M]
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 6.0.2\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/02/13 19:14:36 | 000,000,000 | ---D | M]
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 6.0.2\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012/02/13 19:14:37 | 000,000,000 | ---D | M]

    [2009/10/24 21:03:35 | 000,000,000 | -H-D | M] (No name found) -- C:\Users\Dawon\AppData\Roaming\Mozilla\Extensions
    [2009/10/24 21:03:35 | 000,000,000 | -H-D | M] (No name found) -- C:\Users\Dawon\AppData\Roaming\Mozilla\Extensions\{a463f10c-3994-11da-9945-000d60ca027b}
    [2012/02/14 23:54:55 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Dawon\AppData\Roaming\Mozilla\Firefox\Profiles\te5vu0e8.default\extensions
    [2010/06/23 13:34:29 | 000,000,000 | -H-D | M] (Microsoft .NET Framework Assistant) -- C:\Users\Dawon\AppData\Roaming\Mozilla\Firefox\Profiles\te5vu0e8.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}(102)
    [2010/07/27 13:11:27 | 000,000,000 | -H-D | M] (Microsoft .NET Framework Assistant) -- C:\Users\Dawon\AppData\Roaming\Mozilla\Firefox\Profiles\te5vu0e8.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}(589)
    [2012/02/14 23:54:55 | 000,000,000 | ---D | M] (Yontoo) -- C:\Users\Dawon\AppData\Roaming\Mozilla\Firefox\Profiles\te5vu0e8.default\extensions\plugin@yontoo.com
    [2012/02/13 19:14:49 | 000,000,000 | ---D | M] (Search Toolbar) -- C:\Users\Dawon\AppData\Roaming\Mozilla\Firefox\Profiles\te5vu0e8.default\extensions\searchtoolbar@zugo.com
    [2010/06/23 13:34:27 | 000,000,000 | -H-D | M] (FastestFox) -- C:\Users\Dawon\AppData\Roaming\Mozilla\Firefox\Profiles\te5vu0e8.default\extensions\smarterwiki@wikiatic(101).com
    [2011/03/01 20:59:59 | 000,001,919 | -H-- | M] () -- C:\Users\Dawon\AppData\Roaming\Mozilla\Firefox\Profiles\te5vu0e8.default\searchplugins\bing-zugo.xml
    [2007/10/25 11:46:32 | 000,004,946 | -H-- | M] () -- C:\Users\Dawon\AppData\Roaming\Mozilla\Firefox\Profiles\te5vu0e8.default\searchplugins\comcast.xml
    [2012/03/19 15:50:33 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
    [2012/02/13 19:14:36 | 000,000,000 | ---D | M] (Skype extension) -- C:\Program Files\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
    [2012/02/13 19:14:36 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
    [2012/02/13 19:14:36 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
    [2012/02/13 19:14:36 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
    [2012/03/19 15:50:33 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA}
    [2012/01/30 11:11:41 | 000,000,000 | ---D | M] (RealPlayer Browser Record Plugin) -- C:\PROGRAMDATA\REAL\REALPLAYER\BROWSERRECORDPLUGIN\FIREFOX\EXT
    [2009/07/28 20:55:29 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V3.5\WINDOWS PRESENTATION FOUNDATION\DOTNETASSISTANTEXTENSION
    [2011/09/13 21:19:00 | 000,134,104 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
    [2008/06/18 01:43:04 | 000,086,016 | ---- | M] (Coupons, Inc.) -- C:\Program Files\mozilla firefox\plugins\npCouponPrinter.dll
    [2012/03/19 15:50:22 | 000,476,904 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll
    [2011/09/13 21:18:58 | 000,002,252 | -H-- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
    [2008/12/01 11:50:26 | 000,004,946 | -H-- | M] () -- C:\Program Files\mozilla firefox\searchplugins\comcast.xml

    ========== Chrome ==========
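The OTL output pasted in this thread is what the helpers read by hand. As an added example (not part of the original posts, and not OTL's own code), the Python script below parses OTL's line shapes as they appear in this thread's log (the DRV driver-service lines, IE SearchScopes entries and the O6, O20 and O33 items) and flags what a responder checks first: orphaned driver services whose file is gone, boot-start kernel drivers with no vendor string, UAC switched off (EnableLUA = 0), a NoDriveTypeAutoRun mask that still permits AutoRun for some drive types, cached MountPoints2 AutoRun commands, Winlogon Shell/UserInit values that are not the expected binaries, and search scopes carrying partner/tracking parameters. The sample text is constructed from lines of this thread's log (user SID shortened); the regexes assume the line layout seen here, and the NoDriveTypeAutoRun value is assumed to be printed in decimal.

```python
"""Triage a pasted OTL log: pick out the entries a responder checks first.

Added example for this thread, not part of OTL or of the original posts. The
regexes follow the line shapes visible in the OTL output in this thread; the
sample text is constructed from lines in that log (user SID shortened).
"""
import re
from urllib.parse import parse_qs, urlsplit

# GetDriveType() values used as bit positions in NoDriveTypeAutoRun; 0xFF disables all.
DRIVE_BITS = {0x01: "unknown", 0x02: "no_root_dir", 0x04: "removable", 0x08: "fixed",
              0x10: "remote", 0x20: "cdrom", 0x40: "ramdisk", 0x80: "reserved"}
EXPECTED_WINLOGON = {"Shell": "explorer.exe", "UserInit": "userinit.exe"}
PLACEHOLDERS = ("{searchTerms}", "{inputEncoding}")  # IE search-template tokens, not tracking

DRV_RE = re.compile(
    r"^DRV - (?:(?P<missing>File not found)|\[[^\]]*\] \((?P<company>[^)]*)\)) "
    r"\[(?P<type>[^|]+) \| (?P<start>[^|]+) \| (?P<state>[^\]]+)\]"
    r"\s+--\s*(?P<path>.*?)\s*--\s*\((?P<name>[^)]+)\)$")
O6_RE = re.compile(r"^O6 - (?P<key>.+?): (?P<value>\w+) = (?P<data>.+)$")
O20_RE = re.compile(r"^O20 - HKLM Winlogon: (?P<item>Shell|UserInit) - \((?P<value>[^)]*)\) - ")
O33_RE = re.compile(r'^O33 - MountPoints2\\(?P<guid>\{[^}]+\})\\Shell\\AutoRun\\command - "" = (?P<cmd>.+)$')
SCOPE_RE = re.compile(r'^IE - (?P<hive>.+?)\\\.\.\\SearchScopes\\(?P<guid>\{[^}]+\}): "URL" = (?P<url>\S+)$')


def autorun_still_allowed(mask):
    """Drive types whose AutoRun the NoDriveTypeAutoRun mask does NOT suppress."""
    return [name for bit, name in DRIVE_BITS.items() if not mask & bit]


def triage(log_text):
    """Return (severity, item, detail) tuples for the lines worth a second look."""
    findings = []
    for line in (raw.strip() for raw in log_text.splitlines()):
        if m := DRV_RE.match(line):
            if m["missing"]:  # service key survives, binary gone: leftover or pulled by a cleaner
                findings.append(("info", m["name"], "orphaned driver service, file missing: " + (m["path"] or "<no ImagePath>")))
            elif m["start"].strip() == "Boot" and not m["company"].strip():
                findings.append(("medium", m["name"], "boot-start kernel driver with no vendor string: " + m["path"]))
        elif m := O6_RE.match(line):
            if m["value"] == "EnableLUA" and m["data"].strip() == "0":
                findings.append(("high", "EnableLUA", "UAC disabled by policy"))
            elif m["value"] == "NoDriveTypeAutoRun":
                allowed = autorun_still_allowed(int(m["data"], 0))  # assumes OTL prints decimal ("28" == 0x1C)
                if allowed:
                    findings.append(("medium", "NoDriveTypeAutoRun", "AutoRun still allowed for: " + ", ".join(allowed)))
        elif m := O20_RE.match(line):
            # UserInit may list several comma-separated binaries; every one must be the expected name
            names = [p.strip().rsplit("\\", 1)[-1].lower() for p in m["value"].split(",") if p.strip()]
            if any(n != EXPECTED_WINLOGON[m["item"]] for n in names):
                findings.append(("high", m["item"], "Winlogon " + m["item"] + " points at " + m["value"]))
        elif m := O33_RE.match(line):
            findings.append(("medium", m["guid"], "cached AutoRun command for a removable volume: " + m["cmd"]))
        elif m := SCOPE_RE.match(line):
            parts = urlsplit(m["url"])
            extra = {k: v[0] for k, v in parse_qs(parts.query).items() if v[0] not in PLACEHOLDERS}
            if extra:
                findings.append(("review", m["guid"], parts.netloc + " scope carries partner/tracking params: "
                                 + ", ".join(f"{k}={v}" for k, v in extra.items())))
    return findings


# Constructed sample: lines taken from this thread's OTL log (SID shortened), in OTL's layout.
SAMPLE_OTL = r'''
========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\vpnva.sys -- (vpnva)
DRV - File not found [Kernel | System | Stopped] -- -- (MpKsl9900cb84)
DRV - [2011/02/23 16:52:34 | 000,016,184 | ---- | M] () [Kernel | Boot | Running] -- C:\Windows\System32\drivers\SmartDefragDriver.sys -- (SmartDefragDriver)
DRV - [2008/06/06 14:13:10 | 000,145,440 | ---- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\nvstor32.sys -- (nvstor32)

========== Internet Explorer ==========

IE - HKLM\..\SearchScopes\{293B6F50-4C29-402E-994F-5F895838E224}: "URL" = http://search.yahoo.com/search?fr=chr-greentree_ie&ei=utf-8&ilc=12&type=937811&p={searchTerms}
IE - HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 28
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
O33 - MountPoints2\{59e15cb4-8eab-11dd-bc18-001e9048cbf5}\Shell\AutoRun\command - "" = F:\autoplay.exe
'''

if __name__ == "__main__":
    for sev, item, detail in triage(SAMPLE_OTL):
        print(f"[{sev:6}] {item}: {detail}")
```

Run it as-is to see the findings for the sample, or paste a complete OTL log into the string for a real case. The "info" and "review" items are not verdicts: orphaned service entries are routinely left behind by uninstalled software or by a cleaner that deleted the file but not its registry key, and the partner parameters on a search scope only tell you which toolbar set it. The "high" items (UAC off, a Winlogon value that is not explorer.exe/userinit.exe) are the ones to act on first.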
  20. doowop25 Newcomer, in training Posts: 24

    part 2


    CHR - default_search_provider: Yahoo! (Enabled)
    CHR - default_search_provider: search_url = http://search.yahoo.com/search?fr=chr-greentree_gc&ei=utf-8&ilc=12&type=937811&p={searchTerms}
    CHR - default_search_provider: suggest_url =
    CHR - plugin: Native Client (Enabled) = C:\Users\Dawon\AppData\Local\Google\Chrome\Application\18.0.1025.113\ppGoogleNaClPluginChrome.dll
    CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Users\Dawon\AppData\Local\Google\Chrome\Application\18.0.1025.113\pdf.dll
    CHR - plugin: Shockwave Flash (Enabled) = C:\Users\Dawon\AppData\Local\Google\Chrome\Application\18.0.1025.113\gcswf32.dll
    CHR - plugin: Shockwave Flash (Disabled) = C:\Users\Dawon\AppData\Local\Google\Chrome\User Data\PepperFlash\11.1.31.203\pepflashplayer.dll
    CHR - plugin: Shockwave Flash (Enabled) = C:\Windows\system32\Macromed\Flash\NPSWF32.dll
    CHR - plugin: Adobe Acrobat (Enabled) = C:\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll
    CHR - plugin: Java Deployment Toolkit 6.0.310.5 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll
    CHR - plugin: Java(TM) Platform SE 6 U31 (Enabled) = C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll
    CHR - plugin: Microsoft\u00AE Windows Media Player Firefox Plugin (Enabled) = C:\Program Files\Mozilla Firefox\plugins\np-mswmp.dll
    CHR - plugin: Coupons Inc., Coupon Printer Manager (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npCouponPrinter.dll
    CHR - plugin: 2007 Microsoft Office system (Enabled) = C:\Program Files\Mozilla Firefox\plugins\NPOFF12.DLL
    CHR - plugin: Microsoft Office Live Plug-in for Firefox (Enabled) = C:\Program Files\Microsoft\Office Live\npOLW.dll
    CHR - plugin: RealPlayer(tm) G2 LiveConnect-Enabled Plug-In (32-bit) (Enabled) = C:\Program Files\Mozilla Firefox\plugins\nppl3260.dll
    CHR - plugin: RealPlayer Version Plugin (Enabled) = C:\Program Files\Mozilla Firefox\plugins\nprpjplug.dll
    CHR - plugin: RealPlayer(tm) HTML5VideoShim Plug-In (32-bit) (Enabled) = C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
    CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin.dll
    CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin2.dll
    CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin3.dll
    CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin4.dll
    CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin5.dll
    CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin6.dll
    CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin7.dll
    CHR - plugin: RealJukebox NS Plugin (Enabled) = C:\Program Files\Mozilla Firefox\plugins\nprjplug.dll
    CHR - plugin: Google Talk Plugin (Enabled) = C:\Users\Dawon\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll
    CHR - plugin: Google Talk Plugin Video Accelerator (Enabled) = C:\Users\Dawon\AppData\Roaming\Mozilla\plugins\npgtpo3dautoplugin.dll
    CHR - plugin: DivX VOD Helper Plug-in (Enabled) = C:\Program Files\DivX\DivX OVS Helper\npovshelper.dll
    CHR - plugin: DivX Web Player (Enabled) = C:\Program Files\DivX\DivX Plus Web Player\npdivx32.dll
    CHR - plugin: Windows Live\u0099 Photo Gallery (Enabled) = C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll
    CHR - plugin: iTunes Application Detector (Enabled) = C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
    CHR - plugin: RealNetworks(tm) Chrome Background Extension Plug-In (32-bit) (Enabled) = C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprpchromebrowserrecordext.dll
    CHR - plugin: Google Update (Enabled) = C:\Users\Dawon\AppData\Local\Google\Update\1.3.21.99\npGoogleUpdate3.dll
    CHR - plugin: BrowserPlus (from Yahoo!) v2.9.8 (Enabled) = C:\Users\Dawon\AppData\Local\Yahoo!\BrowserPlus\2.9.8\Plugins\npybrowserplus_2.9.8.dll
    CHR - plugin: Silverlight Plug-In (Enabled) = c:\Program Files\Microsoft Silverlight\4.1.10111.0\npctrl.dll
    CHR - plugin: Windows Presentation Foundation (Enabled) = c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
    CHR - Extension: YouTube = C:\Users\Dawon\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_0\
    CHR - Extension: Google Search = C:\Users\Dawon\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.18_0\
    CHR - Extension: DivX HiQ = C:\Users\Dawon\AppData\Local\Google\Chrome\User Data\Default\Extensions\fnjbmmemklcjgepojigaapkoodmkgbae\2.1.1.94_0\
    CHR - Extension: Facebook News Ticker Remover = C:\Users\Dawon\AppData\Local\Google\Chrome\User Data\Default\Extensions\inbogeebjloglncnccgemjfedfhobfak\1.3_0\
    CHR - Extension: RealPlayer HTML5Video Downloader Extension = C:\Users\Dawon\AppData\Local\Google\Chrome\User Data\Default\Extensions\jfmjfhklogoienhpfnppmbcbjfjnkonk\1.5_0\
    CHR - Extension: DivX Plus Web Player HTML5 \u003Cvideo\u003E = C:\Users\Dawon\AppData\Local\Google\Chrome\User Data\Default\Extensions\nneajnkjbffgblleaoojgaacokifdkhm\2.1.1.94_0\
    CHR - Extension: Gmail = C:\Users\Dawon\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_0\

    O1 HOSTS File: ([2006/09/18 16:41:30 | 000,000,761 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
    O1 - Hosts: 127.0.0.1 localhost
    O1 - Hosts: ::1 localhost
    O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll (RealPlayer)
    O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
    O2 - BHO: (no name) - AutorunsDisabled - No CLSID value found.
    O3 - HKU\S-1-5-21-2150334436-476888621-3169721696-1000\..\Toolbar\WebBrowser: (CA Toolbar) - {10134636-E7AF-4AC5-A1DC-C7C44BB97D81} - C:\Program Files\CA\CA Internet Security Suite\CA Website Inspector\Toolbar\CallingIDIE.dll (CallingID Ltd.)
    O4 - HKU\S-1-5-21-2150334436-476888621-3169721696-1000..\Run: [Advanced SystemCare 5] C:\Program Files\IObit\Advanced SystemCare 5\ASCTray.exe (IObit)
    O4 - HKU\S-1-5-21-2150334436-476888621-3169721696-1000..\Run: [SmartRAM] C:\Program Files\IObit\Advanced SystemCare 5\Suo10_SmartRAM.exe (IObit)
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: EnableShellExecuteHooks = 1
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 28
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
    O8 - Extra context menu item: Send image to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm ()
    O8 - Extra context menu item: Send page to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
    O9 - Extra Button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll (Microsoft Corporation)
    O9 - Extra 'Tools' menuitem : @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll (Microsoft Corporation)
    O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
    O13 - gopher Prefix: missing
    O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} http://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab (System Requirements Lab Class)
    O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (Reg Error: Value error.)
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
    O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab (Reg Error: Value error.)
    O16 - DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
    O16 - DPF: 55963676-2F5E-4BAF-AC28-CF26AA587566 vpnweb.cab (Reg Error: Key error.)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.15.1
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{6D203F38-2A3A-4B6A-9DD0-1C25CCD3DD90}: DhcpNameServer = 192.168.15.1
    O18 - Protocol\Handler\AutorunsDisabled - No CLSID value found
    O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
    O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
    O20 - Winlogon\Notify\!SASWinLogon: DllName - (C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL) - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL (SUPERAntiSpyware.com)
    O24 - Desktop WallPaper: C:\Windows\Web\Wallpaper\img17.jpg
    O24 - Desktop BackupWallPaper: C:\Windows\Web\Wallpaper\img17.jpg
    O28 - HKLM ShellExecuteHooks: {1869181A-9F50-4FCF-8BFF-1B8588ECB85C} - No CLSID value found.
    O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2008/08/04 13:31:03 | 000,000,074 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
    O33 - MountPoints2\{59e15cb4-8eab-11dd-bc18-001e9048cbf5}\Shell - "" = AutoRun
    O33 - MountPoints2\{59e15cb4-8eab-11dd-bc18-001e9048cbf5}\Shell\AutoRun\command - "" = F:\autoplay.exe
    O33 - MountPoints2\{5de34b84-05c3-11de-8b56-001e9048cbf5}\Shell - "" = AutoRun
    O33 - MountPoints2\{5de34b84-05c3-11de-8b56-001e9048cbf5}\Shell\AutoRun\command - "" = F:\autoplay.exe
    O34 - HKLM BootExecute: (autocheck autochk *)
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37 - HKLM\...com [@ = comfile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*

    NetSvcs: FastUserSwitchingCompatibility - File not found
    NetSvcs: Ias - C:\Windows\System32\ias.dll (Microsoft Corporation)
    NetSvcs: Nla - File not found
    NetSvcs: Ntmssvc - File not found
    NetSvcs: NWCWorkstation - File not found
    NetSvcs: Nwsapagent - File not found
    NetSvcs: SRService - File not found
    NetSvcs: WmdmPmSp - File not found
    NetSvcs: LogonHours - File not found
    NetSvcs: PCAudit - File not found
    NetSvcs: helpsvc - File not found
    NetSvcs: uploadmgr - File not found

    Drivers32: msacm.l3acm - C:\Windows\System32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
    Drivers32: msacm.l3codecp - C:\Windows\System32\l3codecp.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
    Drivers32: vidc.cvid - C:\Windows\System32\iccvid.dll (Radius Inc.)
    Drivers32: vidc.DIVX - C:\Windows\System32\DivX.dll (DivX, Inc.)
    Drivers32: vidc.i420 - C:\Windows\System32\i420vfw.dll (www.helixcommunity.org)
    Drivers32: vidc.MP42 - MPG4C32.dll File not found
    Drivers32: vidc.yv12 - C:\Windows\System32\yv12vfw.dll (www.helixcommunity.org)

    CREATERESTOREPOINT
    Restore point Set: OTL Restore Point

    ========== Files/Folders - Created Within 30 Days ==========

    [2012/03/21 00:03:49 | 000,594,432 | ---- | C] (OldTimer Tools) -- C:\Users\Dawon\Desktop\OTL.exe
    [2012/03/20 23:18:29 | 004,441,698 | R--- | C] (Swearware) -- C:\Users\Dawon\Desktop\ComboFix.exe
    [2012/03/20 22:25:05 | 000,000,000 | ---D | C] -- C:\Users\Dawon\Desktop\GETxPUD
    [2012/03/20 21:53:04 | 006,600,192 | ---- | C] (Mirage Systems) -- C:\Windows\System32\LicProtector310.exe
    [2012/03/20 21:53:04 | 000,000,000 | -H-D | C] -- C:\ProgramData\{A73A8D1F-7E6C-45C6-90E5-2799C895CB0C}
    [2012/03/20 21:53:03 | 002,323,520 | ---- | C] (gdpicture.com) -- C:\Windows\System32\gdpicturepro5.ocx
    [2012/03/20 21:53:03 | 000,000,000 | ---D | C] -- C:\Users\Dawon\AppData\Local\PackageAware
    [2012/03/20 21:53:03 | 000,000,000 | ---D | C] -- C:\Users\Dawon\AppData\Local\Free File Opener
    [2012/03/20 21:53:03 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Free File Opener
    [2012/03/20 21:53:03 | 000,000,000 | ---D | C] -- C:\ProgramData\Free File Opener
    [2012/03/20 21:53:03 | 000,000,000 | ---D | C] -- C:\Program Files\Free File Opener
    [2012/03/20 21:52:33 | 000,000,000 | ---D | C] -- C:\Program Files\Free Offers from Freeze.com
    [2012/03/20 15:37:15 | 000,607,260 | R--- | C] (Swearware) -- C:\Users\Dawon\Desktop\dds.scr
    [2012/03/20 12:47:37 | 004,731,392 | ---- | C] (AVAST Software) -- C:\Users\Dawon\Desktop\aswMBR.exe
    [2012/03/19 21:54:41 | 000,000,000 | ---D | C] -- C:\ProgramData\SecTaskMan
    [2012/03/19 21:54:38 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Security Task Manager
    [2012/03/19 21:54:37 | 000,000,000 | ---D | C] -- C:\Program Files\Security Task Manager
    [2012/03/19 18:49:51 | 000,000,000 | ---D | C] -- C:\Users\Dawon\AppData\Roaming\Philipp Winterberg
    [2012/03/19 18:49:48 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\RAR File Open Knife - Free Opener
    [2012/03/19 18:49:48 | 000,000,000 | ---D | C] -- C:\Program Files\RAR File Open Knife - Free Opener
    [2012/03/19 17:39:57 | 000,000,000 | -H-D | C] -- C:\Config.msi
    [2012/03/19 17:31:35 | 000,000,000 | ---D | C] -- C:\ProgramData\CA
    [2012/03/19 17:30:44 | 000,000,000 | ---D | C] -- C:\Qoobox
    [2012/03/19 16:48:08 | 000,000,000 | ---D | C] -- C:\ProgramData\WindowsSearch
    [2012/03/19 16:39:31 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SUPERAntiSpyware
    [2012/03/19 16:39:28 | 000,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
    [2012/03/19 16:36:18 | 000,000,000 | ---D | C] -- C:\MGtools
    [2012/03/19 16:30:37 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
    [2012/03/19 16:30:35 | 000,020,464 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
    [2012/03/19 16:30:35 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
    [2012/03/19 16:25:17 | 000,000,000 | ---D | C] -- C:\Users\Dawon\Desktop\SercurityStuff
    [2012/03/19 10:58:20 | 000,000,000 | ---D | C] -- C:\ProgramData\AVAST Software
    [2012/03/19 10:58:20 | 000,000,000 | ---D | C] -- C:\Program Files\AVAST Software
    [2012/03/17 17:14:19 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\iTunes
    [2012/03/17 17:13:27 | 000,000,000 | ---D | C] -- C:\Program Files\iPod
    [2012/02/27 22:07:01 | 000,000,000 | ---D | C] -- C:\Users\Dawon\AppData\Local\RockMelt
    [2012/02/23 15:47:52 | 000,000,000 | ---D | C] -- C:\Program Files\Localphone
    [3 C:\Windows\System32\*.tmp files -> C:\Windows\System32\*.tmp -> ]

    ========== Files - Modified Within 30 Days ==========

    [2012/03/21 00:03:50 | 000,594,432 | ---- | M] (OldTimer Tools) -- C:\Users\Dawon\Desktop\OTL.exe
    [2012/03/21 00:00:26 | 000,665,102 | ---- | M] () -- C:\Windows\System32\perfh009.dat
    [2012/03/21 00:00:26 | 000,124,276 | ---- | M] () -- C:\Windows\System32\perfc009.dat
    [2012/03/20 23:56:09 | 000,003,744 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
    [2012/03/20 23:56:09 | 000,003,744 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
    [2012/03/20 23:56:04 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
    [2012/03/20 23:56:02 | 3152,515,072 | -HS- | M] () -- C:\hiberfil.sys
    [2012/03/20 23:49:30 | 000,000,012 | ---- | M] () -- C:\Windows\bthservsdp.dat
    [2012/03/20 23:19:33 | 000,002,587 | ---- | M] () -- C:\Users\Dawon\Desktop\Microsoft Office Word 2007.lnk
    [2012/03/20 23:18:39 | 004,441,698 | R--- | M] (Swearware) -- C:\Users\Dawon\Desktop\ComboFix.exe
    [2012/03/20 22:17:00 | 000,497,272 | ---- | M] () -- C:\Users\Dawon\Desktop\GETxPUD.exe
    [2012/03/20 22:04:01 | 000,304,845 | ---- | M] () -- C:\Users\Dawon\Desktop\ListParts.exe
    [2012/03/20 21:53:04 | 000,000,812 | ---- | M] () -- C:\Users\Dawon\Application Data\Microsoft\Internet Explorer\Quick Launch\Free File Opener.lnk
    [2012/03/20 21:53:04 | 000,000,788 | ---- | M] () -- C:\Users\Dawon\Desktop\Free File Opener.lnk
    [2012/03/20 21:33:37 | 000,083,968 | ---- | M] (Esage Lab) -- C:\Users\Dawon\Desktop\boot_cleaner.exe
    [2012/03/20 21:32:38 | 000,044,607 | ---- | M] () -- C:\Users\Dawon\Desktop\bootkit_remover.zip
    [2012/03/20 15:37:17 | 000,607,260 | R--- | M] (Swearware) -- C:\Users\Dawon\Desktop\dds.scr
    [2012/03/20 13:33:13 | 000,302,592 | ---- | M] () -- C:\Users\Dawon\Desktop\tykegnrd.exe
    [2012/03/20 12:47:39 | 004,731,392 | ---- | M] (AVAST Software) -- C:\Users\Dawon\Desktop\aswMBR.exe
    [2012/03/19 20:35:46 | 000,003,416 | ---- | M] () -- C:\Users\Dawon\Documents\cc_20120319_203543.reg
    [2012/03/19 20:05:41 | 000,002,577 | ---- | M] () -- C:\Windows\System32\config.nt
    [2012/03/19 16:39:31 | 000,001,766 | ---- | M] () -- C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk
    [2012/03/19 16:36:22 | 000,039,862 | ---- | M] () -- C:\MGlogs.zip
    [2012/03/19 16:30:37 | 000,000,872 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
    [2012/03/19 16:20:03 | 000,002,088 | ---- | M] () -- C:\Users\Dawon\Desktop\Google Chrome.lnk
    [2012/03/19 16:20:03 | 000,002,050 | ---- | M] () -- C:\Users\Dawon\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
    [2012/03/19 16:01:59 | 000,000,000 | ---- | M] () -- C:\Users\Dawon\defogger_reenable
    [2012/03/19 10:32:00 | 000,001,945 | ---- | M] () -- C:\Windows\epplauncher.mif
    [2012/03/19 10:31:44 | 000,000,258 | RHS- | M] () -- C:\ProgramData\ntuser.pol
    [2012/03/18 22:02:04 | 000,000,770 | ---- | M] () -- C:\Users\Public\Desktop\CCleaner.lnk
    [2012/03/17 17:14:19 | 000,001,630 | ---- | M] () -- C:\Users\Public\Desktop\iTunes.lnk
    [2012/03/16 23:25:25 | 000,334,656 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
    [2012/03/16 23:02:05 | 000,000,129 | ---- | M] () -- C:\Windows\System32\MRT.INI
    [2012/03/08 23:47:47 | 003,909,679 | ---- | M] () -- C:\Users\Dawon\Desktop\tdsskiller.zip
    [2012/03/01 15:57:53 | 000,137,216 | ---- | M] () -- C:\Users\Dawon\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    [2012/02/27 16:02:27 | 000,014,632 | ---- | M] () -- C:\Users\Dawon\Documents\cc_20120227_150224.reg
    [3 C:\Windows\System32\*.tmp files -> C:\Windows\System32\*.tmp -> ]

    ========== Files Created - No Company Name ==========

    [2012/03/20 23:56:02 | 3152,515,072 | -HS- | C] () -- C:\hiberfil.sys
    [2012/03/20 22:16:59 | 000,497,272 | ---- | C] () -- C:\Users\Dawon\Desktop\GETxPUD.exe
    [2012/03/20 22:04:00 | 000,304,845 | ---- | C] () -- C:\Users\Dawon\Desktop\ListParts.exe
    [2012/03/20 21:53:04 | 000,000,812 | ---- | C] () -- C:\Users\Dawon\Application Data\Microsoft\Internet Explorer\Quick Launch\Free File Opener.lnk
    [2012/03/20 21:53:04 | 000,000,788 | ---- | C] () -- C:\Users\Dawon\Desktop\Free File Opener.lnk
    [2012/03/20 21:32:38 | 000,044,607 | ---- | C] () -- C:\Users\Dawon\Desktop\bootkit_remover.zip
    [2012/03/20 13:33:13 | 000,302,592 | ---- | C] () -- C:\Users\Dawon\Desktop\tykegnrd.exe
    [2012/03/19 20:35:45 | 000,003,416 | ---- | C] () -- C:\Users\Dawon\Documents\cc_20120319_203543.reg
    [2012/03/19 18:50:32 | 000,472,064 | ---- | C] ( ) -- C:\Users\Dawon\Desktop\RootRepeal.exe
    [2012/03/19 16:36:22 | 000,039,862 | ---- | C] () -- C:\MGlogs.zip
    [2012/03/19 16:30:37 | 000,000,872 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
    [2012/03/19 16:21:13 | 000,001,766 | ---- | C] () -- C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk
    [2012/03/19 16:01:59 | 000,000,000 | ---- | C] () -- C:\Users\Dawon\defogger_reenable
    [2012/03/17 17:14:19 | 000,001,630 | ---- | C] () -- C:\Users\Public\Desktop\iTunes.lnk
    [2012/02/27 16:02:25 | 000,014,632 | ---- | C] () -- C:\Users\Dawon\Documents\cc_20120227_150224.reg
    [2012/02/13 16:46:37 | 000,000,304 | ---- | C] () -- C:\ProgramData\~xR088cMiciJQkt
    [2012/02/13 16:46:37 | 000,000,208 | ---- | C] () -- C:\ProgramData\~xR088cMiciJQktr
    [2012/02/13 16:46:35 | 000,000,440 | ---- | C] () -- C:\ProgramData\xR088cMiciJQkt
    [2012/01/24 21:14:34 | 015,028,931 | ---- | C] () -- C:\Program Files\bibjam80.zip
    [2011/10/14 13:11:40 | 000,025,140 | -H-- | C] () -- C:\Users\Dawon\AppData\Roaming\Comma Separated Values (Windows).ADR
    [2011/09/24 11:26:40 | 000,017,408 | -H-- | C] () -- C:\Users\Dawon\AppData\Local\WebpageIcons.db
    [2011/06/14 00:22:10 | 000,000,011 | ---- | C] () -- C:\Windows\System32\ONBV2VER.INI
    [2011/06/14 00:22:09 | 000,000,364 | ---- | C] () -- C:\Windows\ONBLV2CL.INI
    [2011/06/14 00:20:35 | 000,003,375 | ---- | C] () -- C:\Windows\ONBRV2CL.INI
    [2011/04/22 16:32:53 | 000,029,520 | ---- | C] () -- C:\Windows\System32\SmartDefragBootTime.exe
    [2011/04/22 16:32:52 | 000,016,184 | ---- | C] () -- C:\Windows\System32\drivers\SmartDefragDriver.sys
    [2011/04/14 14:47:43 | 000,000,129 | ---- | C] () -- C:\Windows\System32\MRT.INI
    [2011/03/19 12:33:21 | 000,000,033 | ---- | C] () -- C:\Windows\EasyRip.ini
    [2011/03/01 20:10:59 | 000,000,225 | ---- | C] () -- C:\Windows\wininit.ini
    [2010/12/30 20:57:39 | 000,000,058 | -H-- | C] () -- C:\Windows\popcreg.dat
    [2010/12/30 20:57:39 | 000,000,020 | ---- | C] () -- C:\Windows\popcinfot.dat
    [2010/07/30 11:13:44 | 000,000,036 | -H-- | C] () -- C:\Users\Dawon\AppData\Local\housecall.guid.cache
    [2010/06/29 20:32:06 | 000,000,112 | ---- | C] () -- C:\ProgramData\40Et2gh.dat

    ========== LOP Check ==========

    [2010/03/12 01:06:38 | 000,000,000 | ---D | M] -- C:\Users\Administrator.Dawon-PC\AppData\Roaming\CallingID
    [2010/06/25 09:16:52 | 000,000,000 | ---D | M] -- C:\Users\Administrator.Dawon-PC\AppData\Roaming\DVDVideoSoftIEHelpers
    [2011/04/27 12:14:43 | 000,000,000 | ---D | M] -- C:\Users\Administrator.Dawon-PC\AppData\Roaming\IObit
    [2012/02/23 16:11:07 | 000,000,000 | ---D | M] -- C:\Users\Administrator.Dawon-PC\AppData\Roaming\Linphone
    [2011/02/07 14:31:15 | 000,000,000 | -H-D | M] -- C:\Users\Dawon\AppData\Roaming\.purple
    [2010/03/23 22:55:26 | 000,000,000 | -H-D | M] -- C:\Users\Dawon\AppData\Roaming\Acronis
    [2010/08/24 12:31:14 | 000,000,000 | -H-D | M] -- C:\Users\Dawon\AppData\Roaming\Amazon
    [2011/04/08 20:39:42 | 000,000,000 | -H-D | M] -- C:\Users\Dawon\AppData\Roaming\Any Video Converter
    [2010/08/20 12:42:37 | 000,000,000 | -H-D | M] -- C:\Users\Dawon\AppData\Roaming\BitZipper
    [2010/10/20 01:43:15 | 000,000,000 | -H-D | M] -- C:\Users\Dawon\AppData\Roaming\CallingID
    [2010/06/23 12:42:06 | 000,000,000 | -H-D | M] -- C:\Users\Dawon\AppData\Roaming\ChromePlus
    [2012/02/14 13:50:03 | 000,000,000 | ---D | M] -- C:\Users\Dawon\AppData\Roaming\DriverCure
    [2011/11/28 13:12:54 | 000,000,000 | -H-D | M] -- C:\Users\Dawon\AppData\Roaming\Dropbox
    [2010/04/01 15:46:05 | 000,000,000 | ---D | M] -- C:\Users\Dawon\AppData\Roaming\EuroTalk
    [2009/11/15 09:13:32 | 000,000,000 | -H-D | M] -- C:\Users\Dawon\AppData\Roaming\Flock
    [2012/02/13 19:14:49 | 000,000,000 | ---D | M] -- C:\Users\Dawon\AppData\Roaming\GetRightToGo
    [2012/02/13 19:14:49 | 000,000,000 | ---D | M] -- C:\Users\Dawon\AppData\Roaming\GHISLER
    [2010/08/20 12:36:57 | 000,000,000 | -H-D | M] -- C:\Users\Dawon\AppData\Roaming\gnupg
    [2012/02/13 19:14:49 | 000,000,000 | ---D | M] -- C:\Users\Dawon\AppData\Roaming\gtk-2.0
    [2010/07/26 13:57:18 | 000,000,000 | -H-D | M] -- C:\Users\Dawon\AppData\Roaming\InfraRecorder
    [2012/03/19 22:56:55 | 000,000,000 | ---D | M] -- C:\Users\Dawon\AppData\Roaming\IObit
    [2009/03/03 15:34:59 | 000,000,000 | ---D | M] -- C:\Users\Dawon\AppData\Roaming\iWin
    [2011/06/22 10:47:59 | 000,000,000 | -H-D | M] -- C:\Users\Dawon\AppData\Roaming\Linphone
    [2011/07/13 18:58:11 | 000,000,000 | ---D | M] -- C:\Users\Dawon\AppData\Roaming\OpenCandy
    [2011/11/28 13:24:15 | 000,000,000 | ---D | M] -- C:\Users\Dawon\AppData\Roaming\Opera
    [2010/11/15 21:17:19 | 000,000,000 | -H-D | M] -- C:\Users\Dawon\AppData\Roaming\PC Suite
    [2012/02/13 19:14:49 | 000,000,000 | ---D | M] -- C:\Users\Dawon\AppData\Roaming\PC-FAX TX
    [2012/03/19 18:49:51 | 000,000,000 | ---D | M] -- C:\Users\Dawon\AppData\Roaming\Philipp Winterberg
    [2008/09/22 14:12:48 | 000,000,000 | ---D | M] -- C:\Users\Dawon\AppData\Roaming\PictureMover
    [2009/01/02 01:14:45 | 000,000,000 | -H-D | M] -- C:\Users\Dawon\AppData\Roaming\PlayFirst
    [2008/11/05 18:24:28 | 000,000,000 | -H-D | M] -- C:\Users\Dawon\AppData\Roaming\ScanSoft
    [2009/06/25 12:37:25 | 000,000,000 | -H-D | M] -- C:\Users\Dawon\AppData\Roaming\Skinux
    [2012/02/14 13:50:03 | 000,000,000 | ---D | M] -- C:\Users\Dawon\AppData\Roaming\SpeedyPC Software
    [2009/01/13 14:02:07 | 000,000,000 | ---D | M] -- C:\Users\Dawon\AppData\Roaming\Systweak
    [2009/05/06 16:31:40 | 000,000,000 | -H-D | M] -- C:\Users\Dawon\AppData\Roaming\Template
    [2008/09/30 14:30:17 | 000,000,000 | ---D | M] -- C:\Users\Dawon\AppData\Roaming\ubi.com
    [2011/02/24 12:43:47 | 000,000,000 | -H-D | M] -- C:\Users\Dawon\AppData\Roaming\WeatherBug
    [2009/01/01 22:12:18 | 000,000,000 | -H-D | M] -- C:\Users\Dawon\AppData\Roaming\WildTangent
    [2008/09/23 14:41:42 | 000,000,000 | -H-D | M] -- C:\Users\Dawon\AppData\Roaming\WinBatch
    [2011/06/30 16:58:01 | 000,000,000 | -H-D | M] -- C:\Users\Dawon\AppData\Roaming\Windows Live Writer
    [2009/09/24 22:16:51 | 000,000,000 | -H-D | M] -- C:\Users\Dawon\AppData\Roaming\YouSendIt
    [2011/06/03 13:43:38 | 000,000,000 | ---D | M] -- C:\Users\Default\AppData\Roaming\IObit
    [2011/06/03 13:43:38 | 000,000,000 | ---D | M] -- C:\Users\Default User\AppData\Roaming\IObit
    [2010/06/20 20:03:15 | 000,000,000 | ---D | M] -- C:\Users\Guest\AppData\Roaming\CallingID
    [2009/11/08 22:35:23 | 000,000,000 | ---D | M] -- C:\Users\Guest\AppData\Roaming\Flock
    [2011/03/31 11:49:45 | 000,000,000 | ---D | M] -- C:\Users\Guest\AppData\Roaming\Skinux
    [2011/06/03 13:43:38 | 000,000,000 | ---D | M] -- C:\Users\UpdatusUser\AppData\Roaming\IObit
    [2010/07/29 23:08:07 | 000,000,376 | ---- | M] () -- C:\Windows\Tasks\PC Health Advisor Defrag.job
    [2012/03/20 23:49:33 | 000,032,650 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

    ========== Purity Check ==========



    ========== Custom Scans ==========

    < %SYSTEMDRIVE%\*.* >
    [2009/10/28 17:20:19 | 000,001,024 | ---- | M] () -- C:\.rnd
    [2008/08/04 13:31:03 | 000,000,074 | ---- | M] () -- C:\autoexec.bat
    [2009/04/11 01:36:36 | 000,333,257 | RHS- | M] () -- C:\bootmgr
    [2008/08/04 13:59:30 | 000,008,192 | R-S- | M] () -- C:\BOOTSECT.BAK
    [2010/07/26 14:58:22 | 000,250,473 | ---- | M] () -- C:\boyle1e_student_project_files-1 (4).7z
    [2009/01/21 01:28:02 | 000,036,947 | ---- | M] () -- C:\caavsetupLog.txt
    [2012/03/19 19:33:38 | 009,709,754 | ---- | M] () -- C:\caisslog.txt
    [2006/09/18 16:43:37 | 000,000,010 | ---- | M] () -- C:\config.sys
    [2010/03/05 19:35:47 | 000,000,079 | ---- | M] () -- C:\DVDPATH.TXT
    [2009/11/21 00:57:38 | 000,000,250 | ---- | M] () -- C:\FINIS_IT.TXT
    [2012/03/20 23:56:02 | 3152,515,072 | -HS- | M] () -- C:\hiberfil.sys
    [2008/09/30 00:42:33 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
    [2011/02/24 12:43:37 | 000,006,702 | ---- | M] () -- C:\Live Updater_log.txt
    [2009/02/15 00:20:12 | 000,000,243 | ---- | M] () -- C:\log.html
    [2012/03/19 16:36:22 | 000,039,862 | ---- | M] () -- C:\MGlogs.zip
    [2008/09/30 00:42:33 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
    [2008/09/22 14:37:03 | 000,000,827 | ---- | M] () -- C:\net_save.dna
    [2012/03/20 23:56:00 | 430,964,735 | -HS- | M] () -- C:\pagefile.sys
    [2010/07/30 14:32:10 | 000,061,792 | ---- | M] () -- C:\TDSSKiller.2.4.0.0_30.07.2010_14.31.10_log.txt
    [2011/05/25 21:42:28 | 000,060,906 | ---- | M] () -- C:\TDSSKiller.2.5.3.0_25.05.2011_21.41.55_log.txt
    [2012/02/13 18:43:50 | 000,076,410 | ---- | M] () -- C:\TDSSKiller.2.7.12.0_13.02.2012_17.43.22_log.txt
    [2012/02/14 00:37:48 | 000,076,924 | ---- | M] () -- C:\TDSSKiller.2.7.12.0_13.02.2012_23.36.51_log.txt
    [2012/02/17 23:23:31 | 000,075,352 | ---- | M] () -- C:\TDSSKiller.2.7.12.0_17.02.2012_22.22.22_log.txt
    [2012/03/08 23:37:30 | 000,074,588 | ---- | M] () -- C:\TDSSKiller.2.7.2.0_08.03.2012_22.37.10_log.txt
    [2012/02/13 18:19:25 | 000,000,346 | ---- | M] () -- C:\TDSSKiller.2.7.2.0_13.02.2012_17.19.22_log.txt
    [2012/02/14 00:36:07 | 000,000,346 | ---- | M] () -- C:\TDSSKiller.2.7.2.0_13.02.2012_23.36.01_log.txt
    [2012/02/14 15:21:23 | 000,149,276 | ---- | M] () -- C:\TDSSKiller.2.7.2.0_14.02.2012_14.16.19_log.txt
    [2012/03/17 01:12:15 | 000,000,346 | ---- | M] () -- C:\TDSSKiller.2.7.2.0_17.03.2012_01.12.10_log.txt
    [2012/03/17 01:25:58 | 000,297,724 | ---- | M] () -- C:\TDSSKiller.2.7.20.0_17.03.2012_01.12.41_log.txt
    [2008/09/30 15:26:32 | 000,000,011 | ---- | M] () -- C:\trace.ini

    < %systemroot%\Fonts\*.com >
    [2010/08/02 11:39:32 | 000,026,040 | ---- | M] () -- C:\Windows\Fonts\GlobalMonospace.CompositeFont
    [2010/08/02 11:39:32 | 000,026,489 | ---- | M] () -- C:\Windows\Fonts\GlobalSansSerif.CompositeFont
    [2010/08/02 11:39:32 | 000,029,779 | ---- | M] () -- C:\Windows\Fonts\GlobalSerif.CompositeFont
    [2010/08/02 11:39:33 | 000,037,665 | ---- | M] () -- C:\Windows\Fonts\GlobalUserInterface.CompositeFont

    < %systemroot%\Fonts\*.dll >

    < %systemroot%\Fonts\*.ini >
    [2006/09/18 16:37:34 | 000,000,065 | ---- | M] () -- C:\Windows\Fonts\desktop.ini

    < %systemroot%\Fonts\*.ini2 >

    < %systemroot%\Fonts\*.exe >

    < %systemroot%\system32\spool\prtprocs\w32x86\*.* >
    [2006/10/26 19:56:12 | 000,033,104 | ---- | M] (Microsoft Corporation) -- C:\Windows\system32\spool\prtprocs\w32x86\msonpppr.dll
    [2001/11/20 15:37:28 | 000,047,616 | R--- | M] (Black Ice Software) -- C:\Windows\system32\spool\prtprocs\w32x86\ppbiPr.dll

    < %systemroot%\REPAIR\*.bak1 >

    < %systemroot%\REPAIR\*.ini >

    < %systemroot%\system32\*.jpg >

    < %systemroot%\*.jpg >

    < %systemroot%\*.png >

    < %systemroot%\*.scr >
    [2010/11/10 02:28:46 | 000,301,936 | ---- | M] (Microsoft Corporation) -- C:\Windows\WLXPGSS.SCR

    < %systemroot%\*._sy >

    < %APPDATA%\Adobe\Update\*.* >

    < %ALLUSERSPROFILE%\Favorites\*.* >

    < %APPDATA%\Microsoft\*.* >

    < %PROGRAMFILES%\*.* >
    [2012/01/24 21:15:17 | 015,028,931 | ---- | M] () -- C:\Program Files\bibjam80.zip
    [2008/01/20 21:43:21 | 000,000,174 | -HS- | M] () -- C:\Program Files\desktop.ini

    < %APPDATA%\Update\*.* >

    < %systemroot%\*. /mp /s >

    < %systemroot%\System32\config\*.sav >
    [2008/01/20 22:14:18 | 016,846,848 | ---- | M] () -- C:\Windows\System32\config\COMPONENTS.SAV
    [2008/01/20 22:14:08 | 000,106,496 | ---- | M] () -- C:\Windows\System32\config\DEFAULT.SAV
    [2008/01/20 22:14:18 | 000,020,480 | ---- | M] () -- C:\Windows\System32\config\SECURITY.SAV
    [2006/11/02 05:34:08 | 010,133,504 | ---- | M] () -- C:\Windows\System32\config\SOFTWARE.SAV
    [2006/11/02 05:34:08 | 001,826,816 | ---- | M] () -- C:\Windows\System32\config\SYSTEM.SAV

    < %PROGRAMFILES%\bak. /s >

    < %systemroot%\system32\bak. /s >

    < %ALLUSERSPROFILE%\Start Menu\*.lnk /x >

    < %systemroot%\system32\config\systemprofile\*.dat /x >

    < %systemroot%\*.config >

    < %systemroot%\system32\*.db >

    < %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x >
    [2011/06/20 16:55:58 | 000,000,574 | -HS- | M] () -- C:\Users\Dawon\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini

    < %USERPROFILE%\Desktop\*.exe >
    [2012/03/20 12:47:39 | 004,731,392 | ---- | M] (AVAST Software) -- C:\Users\Dawon\Desktop\aswMBR.exe
    [2012/03/20 21:33:37 | 000,083,968 | ---- | M] (Esage Lab) -- C:\Users\Dawon\Desktop\boot_cleaner.exe
    [2012/03/20 23:18:39 | 004,441,698 | R--- | M] (Swearware) -- C:\Users\Dawon\Desktop\ComboFix.exe
    [2012/02/13 18:19:08 | 001,161,112 | ---- | M] (Double Simple LLC) -- C:\Users\Dawon\Desktop\ezLookerSilent_DDD_FTT_BG_BD_BVD.exe
    [2012/03/20 22:17:00 | 000,497,272 | ---- | M] () -- C:\Users\Dawon\Desktop\GETxPUD.exe
    [2012/03/20 22:04:01 | 000,304,845 | ---- | M] () -- C:\Users\Dawon\Desktop\ListParts.exe
    [2012/03/21 00:03:50 | 000,594,432 | ---- | M] (OldTimer Tools) -- C:\Users\Dawon\Desktop\OTL.exe
    [2009/08/13 11:14:17 | 000,472,064 | ---- | M] ( ) -- C:\Users\Dawon\Desktop\RootRepeal.exe
    [2012/03/20 13:33:13 | 000,302,592 | ---- | M] () -- C:\Users\Dawon\Desktop\tykegnrd.exe

    < %PROGRAMFILES%\Common Files\*.* >

    < %systemroot%\*.src >

    < %systemroot%\install\*.* >

    < %systemroot%\system32\DLL\*.* >

    < %systemroot%\system32\HelpFiles\*.* >

    < %systemroot%\tasks\*.* >
    [2010/07/29 23:08:07 | 000,000,376 | ---- | M] () -- C:\Windows\tasks\PC Health Advisor Defrag.job
    [2012/03/20 23:56:05 | 000,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
    [2012/03/20 23:49:33 | 000,032,650 | ---- | M] () -- C:\Windows\tasks\SCHEDLGU.TXT

    < %systemroot%\system32\rundll\*.* >

    < %systemroot%\winn32\*.* >

    < %systemroot%\Java\*.* >

    < %systemroot%\system32\test\*.* >

    < %systemroot%\system32\Rundll32\*.* >

    < %systemroot%\AppPatch\Custom\*.* >

    < %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x >

    < %PROGRAMFILES%\PC-Doctor\Downloads\*.* >

    < %PROGRAMFILES%\Internet Explorer\*.tmp >

    < %PROGRAMFILES%\Internet Explorer\*.dat >

    < %USERPROFILE%\My Documents\*.exe >

    < %USERPROFILE%\*.exe >
    [2009/06/17 20:00:39 | 000,070,984 | ---- | M] () -- C:\Users\Dawon\g2mdlhlpx.exe

    < %systemroot%\ADDINS\*.* >

    < %systemroot%\assembly\*.bak2 >

    < %systemroot%\Config\*.* >

    < %systemroot%\REPAIR\*.bak2 >

    < %systemroot%\SECURITY\Database\*.sdb /x >
    [2011/07/27 23:59:44 | 000,008,192 | ---- | M] () -- C:\Windows\SECURITY\Database\edb.chk
    [2011/07/27 23:59:44 | 001,048,576 | ---- | M] () -- C:\Windows\SECURITY\Database\edb.log
    [2009/09/16 23:00:09 | 001,048,576 | ---- | M] () -- C:\Windows\SECURITY\Database\edbres00001.jrs
    [2009/09/16 23:00:09 | 001,048,576 | ---- | M] () -- C:\Windows\SECURITY\Database\edbres00002.jrs

    < %systemroot%\SYSTEM\*.bak2 >

    < %systemroot%\Web\*.bak2 >

    < %systemroot%\Driver Cache\*.* >

    < %PROGRAMFILES%\Mozilla Firefox\0*.exe >

    < %ProgramFiles%\Microsoft Common\*.* >

    < %ProgramFiles%\TinyProxy. >

    < %USERPROFILE%\Favorites\*.url /x >
    [2011/06/21 16:56:22 | 000,000,402 | -HS- | M] () -- C:\Users\Dawon\Favorites\desktop.ini

    < %systemroot%\system32\*.bk >

    < %systemroot%\*.te >

    < %systemroot%\system32\system32\*.* >

    < %ALLUSERSPROFILE%\*.dat /x >
    [2009/02/26 12:38:10 | 000,000,041 | -HS- | M] () -- C:\ProgramData\.zreglib
    [2012/03/19 10:31:44 | 000,000,258 | RHS- | M] () -- C:\ProgramData\ntuser.pol
    [2012/02/13 16:48:49 | 000,000,440 | ---- | M] () -- C:\ProgramData\xR088cMiciJQkt
    [2012/02/13 16:46:37 | 000,000,304 | ---- | M] () -- C:\ProgramData\~xR088cMiciJQkt
    [2012/02/13 16:46:37 | 000,000,208 | ---- | M] () -- C:\ProgramData\~xR088cMiciJQktr

    < %systemroot%\system32\drivers\*.rmv >

    < dir /b "%systemroot%\system32\*.exe" | find /i " " /c >

    < dir /b "%systemroot%\*.exe" | find /i " " /c >

    < %PROGRAMFILES%\Microsoft\*.* >

    < %systemroot%\System32\Wbem\proquota.exe >

    < %PROGRAMFILES%\Mozilla Firefox\*.dat >

    < %USERPROFILE%\Cookies\*.txt /x >

    < %SystemRoot%\system32\fonts\*.* >

    < %systemroot%\system32\winlog\*.* >

    < %systemroot%\system32\Language\*.* >

    < %systemroot%\system32\Settings\*.* >

    < %systemroot%\system32\*.quo >

    < %SYSTEMROOT%\AppPatch\*.exe >

    < %SYSTEMROOT%\inf\*.exe >
    [1998/09/02 03:46:12 | 000,075,024 | ---- | M] (Microsoft Corporation) -- C:\Windows\inf\unregmp2.exe

    < %SYSTEMROOT%\Installer\*.exe >

    < %systemroot%\system32\config\*.bak2 >

    < %systemroot%\system32\Computers\*.* >

    < %SystemRoot%\system32\Sound\*.* >

    < %SystemRoot%\system32\SpecialImg\*.* >

    < %SystemRoot%\system32\code\*.* >

    < %SystemRoot%\system32\draft\*.* >

    < %SystemRoot%\system32\MSSSys\*.* >

    < %ProgramFiles%\Javascript\*.* >

    < %systemroot%\pchealth\helpctr\System\*.exe /s >

    < %systemroot%\Web\*.exe >

    < %systemroot%\system32\msn\*.* >

    < %systemroot%\system32\*.tro >

    < %AppData%\Microsoft\Installer\msupdates\*.* >

    < %ProgramFiles%\Messenger\*.* >

    < %systemroot%\system32\systhem32\*.* >

    < %systemroot%\system\*.exe >

    < HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

    < HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\ Auto Update\Results\Install|LastSuccessTime /rs >

    ========== Files - Unicode (All) ==========
    [2010/08/02 09:49:33 | 000,000,000 | -H-D | M](C:\Users\Dawon\Favorites\?¤sorted Bookmarks) -- C:\Users\Dawon\Favorites\๐¤sorted Bookmarks

    < End of report >