WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. Join 93083 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!

Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Korrupted- No Doubt-By What?...To be Determined [Closed]

Started by krptd , Aug 27 2013 09:11 AM

This topic is locked

8 replies to this topic

#1 krptd

New Member

Authentic Member
5 posts

Posted 27 August 2013 - 09:11 AM

Hello there _, Thank you in advance for being patient and willing to help. I could be infected beyond the scope of anyone being able to help me, I honestly don't know. Im having several issues, it could be owner error, tired quipment, settings, intentional sabotage from ex-boyfriend or lack of computer skill....I dont know, and thats why I am here. Its old computer running xp professional ,In the recent past, It has had several installs on the one hard drive. I was infected by the windows defender trojan 2011 previously and was walked thru virus/malware/spyware removal, the computer restored to a working state, but has never been completely "fixed" but for the most part functioned satisfactory (for what I need it for. The most obvious was a number of files that could not be removed, deleted or restored the names of the files would change following each system restore-or malicious removal instruction.- to the present-browser hijacking or homepage being changed-addition of new tool bars or search boxes-without my knowledge or consent, the background of pages never loads-it remains white and is characteristic of a clear piece of overlay that puts sign in boxes or clickable links in incorrect places or behind othr text, so that you are unable to click the act now buttton, or play, or sign in...whatever it is you are trying to do. Or the captha display is unseen as indicated it should be. Yesterday I did a troubleshoot on mozilla, I dont even know how I got there honestly, but the jist of the message was true and falses on certain settings, tasks, and what not, one thing particular caught my eye, and it was a specialized preerence(not made by me) that says it was outside the scope of mozilla settings or something very close to that, it was a "yahoo"dont ask" _ I dont remember for sure and cannot return to its location because I don;'t know how to...when I googled the command it brought up several complants (none of the exact same symptons as mine} but bsically was directing the user to what the tech or bleeping computer, I am still unsureif its indicative of having a virus or if its adware...another redirect that always comes up is "conduit".
The other concern is messages saying flashplayer or java out of date- I download the fix or player and then cannot open the download or install the updae or the file is empty....that is all.
I apologize if I was too windy, or all over the place with my description, I do not know what is related, to one or the other or what is relevant and what is just extra noise that I am making for no apparent reasonPlease forgive.+++++++
Below is a copy of the content results after running OTL. I look forward to hearing from someone soon.

Thank you for your time

Krptd

OTL logfile created on: 8/27/2013 6:05:16 AM - Run 1
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Documents and Settings\taryn\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

989.90 Mb Total Physical Memory | 227.19 Mb Available Physical Memory | 22.95% Memory free
5.56 Gb Paging File | 4.81 Gb Available in Paging File | 86.48% Paging File free
Paging file location(s): C:\pagefile.sys 4800 7000 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.46 Gb Total Space | 32.39 Gb Free Space | 43.50% Space Free | Partition Type: NTFS

Computer Name: MYRADXP | User Name: taryn | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\taryn\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Java\jre7\bin\jqs.exe (Oracle Corporation)
PRC - C:\Program Files\AVG\AVG2013\avgwdsvc.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\AVG\AVG2013\avgcsrvx.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\AVG\AVG2013\avgrsx.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\AVG\AVG2013\avgnsx.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\AVG\AVG2013\avgidsagent.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\SearchProtect\bin\CltMngSvc.exe (Conduit)
PRC - C:\Program Files\AVG\AVG2013\avgemcx.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe (Yahoo! Inc.)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Documents and Settings\tryme\Application Data\DefaultTab\DefaultTab\DTUpdate.exe ()

========== Modules (No Company Name) ==========

MOD - C:\Documents and Settings\tryme\Application Data\DefaultTab\DefaultTab\DTUpdate.exe ()

========== Services (SafeList) ==========

SRV - (SSHNAS) -- C:\WINDOWS\system32\sshnas21.dll File not found
SRV - (JavaQuickStarterService) -- C:\Program Files\Java\jre7\bin\jqs.exe (Oracle Corporation)
SRV - (AdobeFlashPlayerUpdateSvc) -- C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe (Adobe Systems Incorporated)
SRV - (MozillaMaintenance) -- C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe (Mozilla Foundation)
SRV - (avgwd) -- C:\Program Files\AVG\AVG2013\avgwdsvc.exe (AVG Technologies CZ, s.r.o.)
SRV - (AVGIDSAgent) -- C:\Program Files\AVG\AVG2013\avgidsagent.exe (AVG Technologies CZ, s.r.o.)
SRV - (CltMngSvc) -- C:\Program Files\SearchProtect\bin\CltMngSvc.exe (Conduit)
SRV - (RaMediaServer) -- C:\Program Files\Ralink\Common\RaMediaServer.exe ()
SRV - (RalinkRegistryWriter) -- C:\Program Files\Ralink\Common\RaRegistry.exe (Ralink Technology, Corp.)
SRV - (WefiEngSvc) -- C:\Program Files\WeFi\WefiEngSvc.exe (WeFi)
SRV - (getPlusHelper) -- C:\Program Files\NOS\bin\getPlus_Helper.dll (NOS Microsystems Ltd.)
SRV - (YahooAUService) -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe (Yahoo! Inc.)
SRV - (DefaultTabUpdate) -- C:\Documents and Settings\tryme\Application Data\DefaultTab\DefaultTab\DTUpdate.exe ()
SRV - (ANIWZCSdService) -- C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe (Wireless Service)

========== Driver Services (SafeList) ==========

DRV - (WDICA) -- File not found
DRV - (Trufos) -- File not found
DRV - (RTL8192su) -- system32\DRIVERS\RTL8192su.sys File not found
DRV - (Profos) -- File not found
DRV - (PDRFRAME) -- File not found
DRV - (PDRELI) -- File not found
DRV - (PDFRAME) -- File not found
DRV - (PDCOMP) -- File not found
DRV - (PCIDump) -- File not found
DRV - (lbrtfdc) -- File not found
DRV - (i2omgmt) -- File not found
DRV - (cpuz132) -- File not found
DRV - (cpuz129) -- C:\DOCUME~1\taryn\LOCALS~1\Temp\pcwiz32.sys File not found
DRV - (Changer) -- File not found
DRV - (ATMFVsp) -- File not found
DRV - (ATMFNVsp) -- File not found
DRV - (ATMFNET) -- File not found
DRV - (ATMFMdm) -- File not found
DRV - (ATMFFLT) -- File not found
DRV - (ATMFCVsp) -- File not found
DRV - (ATMFBUS) -- File not found
DRV - (Avglogx) -- C:\WINDOWS\system32\drivers\avglogx.sys (AVG Technologies CZ, s.r.o.)
DRV - (AVGIDSDriver) -- C:\WINDOWS\system32\drivers\avgidsdriverx.sys (AVG Technologies CZ, s.r.o.)
DRV - (AVGIDSHX) -- C:\WINDOWS\system32\drivers\avgidshx.sys (AVG Technologies CZ, s.r.o.)
DRV - (Avgldx86) -- C:\WINDOWS\system32\drivers\avgldx86.sys (AVG Technologies CZ, s.r.o.)
DRV - (Avgrkx86) -- C:\WINDOWS\system32\drivers\avgrkx86.sys (AVG Technologies CZ, s.r.o.)
DRV - (Avgmfx86) -- C:\WINDOWS\system32\drivers\avgmfx86.sys (AVG Technologies CZ, s.r.o.)
DRV - (Avgtdix) -- C:\WINDOWS\system32\drivers\avgtdix.sys (AVG Technologies CZ, s.r.o.)
DRV - (AVGIDSShim) -- C:\WINDOWS\system32\drivers\avgidsshimx.sys (AVG Technologies CZ, s.r.o.)
DRV - (rt2870) -- C:\WINDOWS\system32\drivers\rt2870.sys (Ralink Technology, Corp.)
DRV - (Tcpip6) -- C:\WINDOWS\system32\drivers\tcpip6.sys (Microsoft Corporation)
DRV - (mfehidk) -- C:\WINDOWS\system32\drivers\mfehidk.sys (McAfee, Inc.)
DRV - (mfeapfk) -- C:\WINDOWS\system32\drivers\mfeapfk.sys (McAfee, Inc.)
DRV - (Scutum50) -- C:\WINDOWS\system32\drivers\Scutum50.sys (Printing Communications Assoc., Inc. (PCAUSA))
DRV - (ANIO) -- C:\WINDOWS\system32\ANIO.sys (Alpha Networks Inc.)
DRV - (ati2mtag) -- C:\WINDOWS\system32\drivers\ati2mtag.sys (ATI Technologies Inc.)
DRV - (atiide) -- C:\WINDOWS\system32\drivers\atiide.sys (ATI Technologies Inc.)
DRV - (pfc) -- C:\WINDOWS\system32\drivers\pfc.sys (Padus, Inc.)
DRV - (SenFiltService) -- C:\WINDOWS\system32\drivers\senfilt.sys (Sensaura)
DRV - (AR5211) -- C:\WINDOWS\system32\drivers\ar5211.sys (Atheros Communications, Inc.)
DRV - (MA311) -- C:\WINDOWS\system32\drivers\ma311n51.sys (NETGEAR)
DRV - (b57w2k) -- C:\WINDOWS\system32\drivers\b57xp32.sys (Broadcom Corporation)
DRV - (USB-100) -- C:\WINDOWS\system32\drivers\USBKR100.SYS (USB Corporation Reserved.)
DRV - (PCANDIS5) -- C:\Program Files\MA311 PCI Adapter Configuration Utility\PCANDIS5.SYS (Printing Communications Assoc., Inc. (PCAUSA))

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomSearch = http://us.rd.yahoo.c...rch/search.html
IE - HKLM\..\SearchScopes,DefaultScope = {68EDDF53-2625-49FD-A013-EFB676CAC1E5}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.c...ferrer:source?}

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://search.condui...;ctid=CT3293216
IE - HKCU\..\URLSearchHook: {73507124-6acd-43aa-b749-c3bcfefbea97} - C:\Program Files\Vgrabber_v1.5\prxtbVgra.dll (Conduit Ltd.)
IE - HKCU\..\SearchScopes,DefaultScope = {68EDDF53-2625-49FD-A013-EFB676CAC1E5}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...amp;FORM=IE8SRC
IE - HKCU\..\SearchScopes\{53068978-8A98-4648-91F8-7796DBA0520C}: "URL" = http://www.bing.com/...rc=IE-SearchBox
IE - HKCU\..\SearchScopes\{68EDDF53-2625-49FD-A013-EFB676CAC1E5}: "URL" = http://search.condui...?...832843&UM=2
IE - HKCU\..\SearchScopes\{C8F27DFA-530F-4E94-AA5E-6FBA410A1313}: "URL" = http://www.mysearchr...q={searchTerms}
IE - HKCU\..\SearchScopes\{CFF4DB9B-135F-47c0-9269-B4C6572FD61A}: "URL" = http://mystart.incre...box_im2_test_v2
IE - HKCU\..\SearchScopes\{D034B5A4-6CFD-48C3-A013-BE00774E9336}: "URL" = http://search.yahoo....0091250,0,0,0,0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:59274

========== FireFox ==========

FF - prefs.js..CT3287802.browser.search.defaultthis.engineName: "true"
FF - prefs.js..CT3293216.browser.search.defaultthis.engineName: "true"
FF - prefs.js..browser.search.defaultengine: "SafeSearch"
FF - prefs.js..browser.search.defaultthis.engineName: "Vgrabber v1.5 Customized Web Search"
FF - prefs.js..browser.search.defaulturl: "http://search.condui...={searchTerms}"
FF - prefs.js..browser.search.order.1: "SafeSearch"
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://www.baggagere...t-an-assclown/"
FF - prefs.js..extensions.enabledAddons: info%40switchviasdasdfsdffasfd.net:0.5
FF - prefs.js..extensions.enabledAddons: %7B972ce4c6-7e08-4474-a285-3208198ce6fd%7D:23.0.1
FF - prefs.js..extensions.enabledItems: {3e0e7d2a-070f-4a47-b019-91fe5385ba79}:3.0.1
FF - prefs.js..extensions.enabledItems: {D02B1E87-A8C6-433f-9B5C-2CEC4A072736}:04.10.00.03
FF - prefs.js..extensions.enabledItems: {4CFC8387-5FB1-47C1-8AA4-5B7B906A591E}:1.0
FF - prefs.js..extensions.enabledItems: {635abd67-4fe9-1b23-4f01-e679fa7484c1}:2.1.1.20091029021655
FF - prefs.js..extensions.enabledItems: {23fcfd51-4958-4f00-80a3-ae97e717ed8b}:2.1.0.900
FF - prefs.js..extensions.enabledItems: {6904342A-8307-11DF-A508-4AE2DFD72085}:2.1.0.900
FF - prefs.js..extensions.enabledItems: {1E73965B-8B48-48be-9C8D-68B920ABC1C4}:10.0.0.1423
FF - prefs.js..extensions.enabledItems: crossriderapp19866@crossrider.com:0.88.28
FF - prefs.js..network.proxy.no_proxies_on: "*.local"
FF - prefs.js..network.proxy.type: 4

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_8_800_94.dll ()
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Plus Web Player Plug-In,version=1.0.0: C:\Program Files\DivX\DivX Plus Web Player\npdivx32.dll (DivX, LLC)
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX VOD Helper,version=1.0.0: C:\Program Files\DivX\DivX OVS Helper\npovshelper.dll (DivX, LLC.)
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.25.2: C:\WINDOWS\system32\npDeployJava1.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.25.2: C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@messenger.yahoo.com/YahooMessengerStatePlugin;version=1.0.0.6: C:\Program Files\Yahoo!\Shared\npYState.dll (Yahoo! Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\5.1.20513.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@oberon-media.com/ONCAdapter: C:\Program Files\Common Files\Oberon Media\NCAdapter\1.0.0.7\npapicomadapter.dll (Oberon-Media )
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.153\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.153\npGoogleUpdate3.dll (Google Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\{6904342A-8307-11DF-A508-4AE2DFD72085}: C:\Program Files\DivX\DivX Plus Web Player\firefox\wpa
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\{23fcfd51-4958-4f00-80a3-ae97e717ed8b}: C:\Program Files\DivX\DivX Plus Web Player\firefox\DivXHTML5 [2013/07/19 14:43:48 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 23.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 23.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2013/08/19 11:46:38 | 000,000,000 | ---D | M]

[2009/04/05 20:42:51 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\taryn\Application Data\Mozilla\Extensions
[2013/08/26 15:39:58 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\taryn\Application Data\Mozilla\Firefox\Profiles\2yqmveox.default\extensions
[2013/05/28 03:34:12 | 000,000,000 | ---D | M] (AddThis) -- C:\Documents and Settings\taryn\Application Data\Mozilla\Firefox\Profiles\2yqmveox.default\extensions\{3e0e7d2a-070f-4a47-b019-91fe5385ba79}
[2013/08/20 10:55:57 | 000,000,000 | ---D | M] (Yahoo! Toolbar) -- C:\Documents and Settings\taryn\Application Data\Mozilla\Firefox\Profiles\2yqmveox.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
[2009/11/05 08:48:10 | 000,000,000 | ---D | M] (CommentsBar Toolbar) -- C:\Documents and Settings\taryn\Application Data\Mozilla\Firefox\Profiles\2yqmveox.default\extensions\{71d2cf9e-34e4-4401-8841-f4fc3f3edc32}(2)
[2013/08/25 01:02:10 | 000,000,000 | ---D | M] (Vgrabber v1.5) -- C:\Documents and Settings\taryn\Application Data\Mozilla\Firefox\Profiles\2yqmveox.default\extensions\{73507124-6acd-43aa-b749-c3bcfefbea97}
[2013/07/25 23:01:32 | 000,000,000 | ---D | M] (VisualBee V.3) -- C:\Documents and Settings\taryn\Application Data\Mozilla\Firefox\Profiles\2yqmveox.default\extensions\{bf9194c2-b86d-4ebc-9b53-1c08b6ff779e}
[2009/12/14 21:49:27 | 000,000,000 | ---D | M] (SignupShield) -- C:\Documents and Settings\taryn\Application Data\Mozilla\Firefox\Profiles\2yqmveox.default\extensions\{D02B1E87-A8C6-433f-9B5C-2CEC4A072736}
[2013/05/28 03:34:25 | 000,000,000 | ---D | M] ("Deal Vault") -- C:\Documents and Settings\taryn\Application Data\Mozilla\Firefox\Profiles\2yqmveox.default\extensions\crossriderapp19866@crossrider.com
[2013/08/18 17:48:54 | 000,000,000 | ---D | M] (Vaudix) -- C:\Documents and Settings\taryn\Application Data\Mozilla\Firefox\Profiles\2yqmveox.default\extensions\erd7wu@zydf.com
[2013/07/10 15:54:07 | 000,000,000 | ---D | M] ("SafeSearch") -- C:\Documents and Settings\taryn\Application Data\Mozilla\Firefox\Profiles\2yqmveox.default\extensions\general@safesearch.net
[2013/05/28 03:34:23 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\taryn\Application Data\Mozilla\Firefox\Profiles\2yqmveox.default\extensions\crossriderapp19866@crossrider.com\chrome\content\extensionCode
[2013/08/26 15:39:58 | 000,007,974 | ---- | M] () (No name found) -- C:\Documents and Settings\taryn\Application Data\Mozilla\Firefox\Profiles\2yqmveox.default\extensions\info@switchviasdasdfsdffasfd.net.xpi
[2013/08/26 14:06:25 | 000,006,796 | ---- | M] () (No name found) -- C:\Documents and Settings\taryn\Application Data\Mozilla\Firefox\Profiles\2yqmveox.default\extensions\info@youtube-mp3.org.xpi
[2013/05/28 02:31:58 | 000,020,591 | ---- | M] () (No name found) -- C:\Documents and Settings\taryn\Application Data\Mozilla\Firefox\Profiles\2yqmveox.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}.xpi
[2013/08/23 22:58:03 | 000,001,003 | ---- | M] () -- C:\Documents and Settings\taryn\Application Data\Mozilla\Firefox\Profiles\2yqmveox.default\searchplugins\conduit.xml
[2009/11/26 20:58:07 | 000,002,149 | ---- | M] () -- C:\Documents and Settings\taryn\Application Data\Mozilla\Firefox\Profiles\2yqmveox.default\searchplugins\MyStart Search.xml
[2013/07/31 00:10:40 | 000,000,808 | ---- | M] () -- C:\Documents and Settings\taryn\Application Data\Mozilla\Firefox\Profiles\2yqmveox.default\searchplugins\safesearch-1.xml
[2012/08/01 18:04:00 | 000,001,235 | ---- | M] () -- C:\Documents and Settings\taryn\Application Data\Mozilla\Firefox\Profiles\2yqmveox.default\searchplugins\safesearch.xml
[2013/08/18 17:22:01 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2013/08/18 17:22:01 | 000,000,000 | ---D | M] (Wyeke) -- C:\Program Files\Mozilla Firefox\extensions\{4CFC8387-5FB1-47C1-8AA4-5B7B906A591E}
[2013/08/18 17:22:00 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\browser\extensions
[2013/08/18 17:22:19 | 000,000,000 | ---D | M] (Default) -- C:\Program Files\Mozilla Firefox\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2007/11/26 08:44:54 | 000,002,226 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\babylon.xml
[2011/01/07 14:01:35 | 000,001,600 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\WebSearchober27940250.xml
[2009/12/10 05:33:54 | 000,002,377 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wyeke127.xml
[2009/12/29 20:38:30 | 000,002,377 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wyeke129.xml

========== Chrome ==========

CHR - Extension: No name found = C:\Documents and Settings\taryn\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\dhkplhfnhceodhffomolpfigojocbpcb\1.9_0\
CHR - Extension: No name found = C:\Documents and Settings\taryn\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\eafmaofdanmllainmcmnbgpajhgpmdcb\1.3\
CHR - Extension: No name found = C:\Documents and Settings\taryn\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\nneajnkjbffgblleaoojgaacokifdkhm\2.1.2.172_0\
CHR - Extension: No name found = C:\Documents and Settings\taryn\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pbofibgamhkgoonaocfgemncghhadmgb\2.3.19.11_0\

O1 HOSTS File: ([2010/01/10 20:01:16 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Deal Vault) - {11111111-1111-1111-1111-110111981166} - C:\Program Files\Deal Vault\Deal Vault.dll (215 Apps)
O2 - BHO: (DivX Plus Web Player HTML5 <video>) - {326E768D-4182-46FD-9C16-1449A49795F4} - C:\Program Files\DivX\DivX Plus Web Player\ie\DivXHTML5\DivXHTML5.dll (DivX, LLC)
O2 - BHO: (Vgrabber v1.5 Toolbar) - {73507124-6acd-43aa-b749-c3bcfefbea97} - C:\Program Files\Vgrabber_v1.5\prxtbVgra.dll (Conduit Ltd.)
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
O2 - BHO: (DefaultTab Browser Helper) - {7F6AFBF1-E065-4627-A2FD-810366367D01} - C:\Documents and Settings\tryme\Application Data\DefaultTab\DefaultTab\DefaultTabBHO.dll (Search Results LLC.)
O2 - BHO: (Search Toolbar) - {9D425283-D487-4337-BAB6-AB8354A81457} - C:\Program Files\Search Toolbar\SearchToolbar.dll ()
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.8313.1002\swg.dll (Google Inc.)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
O3 - HKLM\..\Toolbar: (Search Toolbar) - {9D425283-D487-4337-BAB6-AB8354A81457} - C:\Program Files\Search Toolbar\SearchToolbar.dll ()
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {3BD53DEC-24D7-4F9E-B27C-925559B8D27D} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (Vgrabber v1.5 Toolbar) - {73507124-6ACD-43AA-B749-C3BCFEFBEA97} - C:\Program Files\Vgrabber_v1.5\prxtbVgra.dll (Conduit Ltd.)
O4 - HKLM..\Run: [] File not found
O4 - Startup: C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)
O4 - Startup: C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\control panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\restrictions present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.micr...heckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://javadl.sun.co...?BundleId=26688 (Java Plug-in 10.25.2)
O16 - DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_11)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 10.25.2)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{DF59FD9F-B738-47C6-9CD1-8C7539D1B4A7}: DhcpNameServer = 192.168.2.1
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - (Ati2evxx.dll) - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O24 - Desktop WallPaper: C:\Documents and Settings\taryn\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\taryn\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007/11/26 16:13:36 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{02e4ded6-76d3-11de-8bde-0014a504f0a1}\Shell\AutoRun\command - "" = E:\rcaeasyrip_setup.exe
O33 - MountPoints2\{02e4ded6-76d3-11de-8bde-0014a504f0a1}\Shell\install\command - "" = E:\rcaeasyrip_setup.exe
O33 - MountPoints2\{02e4ded6-76d3-11de-8bde-0014a504f0a1}\Shell\usermanualEnglish\command - "" = E:\rcaeasyrip_setup.exe /pdf_English
O33 - MountPoints2\{02e4ded6-76d3-11de-8bde-0014a504f0a1}\Shell\usermanualFrench\command - "" = E:\rcaeasyrip_setup.exe /pdf_French
O33 - MountPoints2\{02e4ded6-76d3-11de-8bde-0014a504f0a1}\Shell\usermanualSpanish\command - "" = E:\rcaeasyrip_setup.exe /pdf_Spanish
O33 - MountPoints2\{328395b0-c112-11de-8c24-0014a504f0a1}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{328395b0-c112-11de-8c24-0014a504f0a1}\Shell\AutoRun\command - "" = E:\autorun.exe
O33 - MountPoints2\{328395b0-c112-11de-8c24-0014a504f0a1}\Shell\phone\command - "" = E:\autorun.exe
O33 - MountPoints2\{8aea37aa-87e3-11de-8bec-0014a504f0a1}\Shell - "" = AutoRun
O33 - MountPoints2\{8aea37aa-87e3-11de-8bec-0014a504f0a1}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{8aea37aa-87e3-11de-8bec-0014a504f0a1}\Shell\AutoRun\command - "" = E:\start.exe
O33 - MountPoints2\{9da570c2-fea0-11de-8c6c-c405af798ab9}\Shell - "" = AutoRun
O33 - MountPoints2\{9da570c2-fea0-11de-8c6c-c405af798ab9}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{9da570c2-fea0-11de-8c6c-c405af798ab9}\Shell\AutoRun\command - "" = C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL MySHit.exE
O33 - MountPoints2\{f9900082-de6c-11dd-8b49-0014a504f0a1}\Shell - "" = AutoRun
O33 - MountPoints2\{f9900082-de6c-11dd-8b49-0014a504f0a1}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{f9900082-de6c-11dd-8b49-0014a504f0a1}\Shell\AutoRun\command - "" = C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL tRYmE.EXE
O33 - MountPoints2\{fe84dd90-e88f-11de-8c56-00a0c6000000}\Shell - "" = AutoRun
O33 - MountPoints2\{fe84dd90-e88f-11de-8c56-00a0c6000000}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{fe84dd90-e88f-11de-8c56-00a0c6000000}\Shell\AutoRun\command - "" = F:\LaunchU3.exe -a
O34 - HKLM BootExecute: (autocheck autochk *)
O34 - HKLM BootExecute: (C:\PROGRA~1\AVG\AVG2013\avgrsx.exe /sync /restart)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found
NetSvcs: SSHNAS - C:\WINDOWS\system32\sshnas21.dll File not found

Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.l3acm - C:\WINDOWS\System32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: msacm.vorbis - C:\WINDOWS\System32\vorbis.acm (HMS http://hp.vector.co....hors/VA012897/)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.DIVX - C:\WINDOWS\System32\DivX.dll (DivX, Inc.)
Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)
Drivers32: vidc.yv12 - C:\WINDOWS\System32\DivX.dll (DivX, Inc.)

CREATERESTOREPOINT
Restore point Set: OTL Restore Point

========== Files/Folders - Created Within 30 Days ==========

[2013/08/27 06:02:46 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\taryn\Desktop\OTL.exe
[2013/08/26 16:21:56 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2013/08/26 16:21:51 | 000,263,592 | ---- | C] (Oracle Corporation) -- C:\WINDOWS\System32\javaws.exe
[2013/08/26 16:21:39 | 000,094,632 | ---- | C] (Oracle Corporation) -- C:\WINDOWS\System32\WindowsAccessBridge.dll
[2013/08/26 16:21:38 | 000,175,016 | ---- | C] (Oracle Corporation) -- C:\WINDOWS\System32\javaw.exe
[2013/08/26 16:21:36 | 000,175,016 | ---- | C] (Oracle Corporation) -- C:\WINDOWS\System32\java.exe
[2013/08/26 13:41:19 | 000,000,000 | ---D | C] -- C:\tmedia
[2013/08/26 04:06:06 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\taryn\Recent
[2013/08/23 23:00:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\taryn\Local Settings\Application Data\Vgrabber_v1.5
[2013/08/23 23:00:08 | 000,000,000 | ---D | C] -- C:\Program Files\Vgrabber_v1.5
[2013/08/19 09:44:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\taryn\Local Settings\Application Data\Spotify
[2013/08/19 09:43:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\taryn\Application Data\Spotify
[2013/08/19 06:06:22 | 000,083,968 | ---- | C] (Eastman Kodak Company) -- C:\WINDOWS\KPAPI32.DLL
[2013/08/19 06:06:22 | 000,000,000 | ---D | C] -- C:\WINDOWS\PhotoCD
[2013/08/19 06:06:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\taryn\Start Menu\Programs\Adobe PhotoDeluxe
[2013/08/19 06:06:21 | 000,353,392 | ---- | C] (Apple Computer, Inc.) -- C:\WINDOWS\System32\QTIM.DLL
[2013/08/19 06:06:21 | 000,200,912 | ---- | C] (Apple Computer, Inc.) -- C:\WINDOWS\System32\QTRPZA.QTC
[2013/08/19 06:06:21 | 000,182,368 | ---- | C] (Apple Computer, Inc.) -- C:\WINDOWS\System32\QTCVID.QTC
[2013/08/19 06:06:21 | 000,165,056 | ---- | C] (Apple Computer, Inc.) -- C:\WINDOWS\System32\QTSMC.QTC
[2013/08/19 06:06:21 | 000,111,488 | ---- | C] (Apple Computer, Inc.) -- C:\WINDOWS\System32\QCMC.QTC
[2013/08/19 06:06:21 | 000,093,200 | ---- | C] (Apple Computer, Inc.) -- C:\WINDOWS\System32\QTRLE.QTC
[2013/08/19 06:06:21 | 000,073,360 | ---- | C] (Apple Computer, Inc.) -- C:\WINDOWS\System32\QTOLE.DLL
[2013/08/19 06:06:21 | 000,064,720 | ---- | C] (Intel® Corporation) -- C:\WINDOWS\System32\QTIV32.QTC
[2013/08/19 06:06:21 | 000,058,544 | ---- | C] (Apple Computer, Inc.) -- C:\WINDOWS\System32\QTRT21.QTC
[2013/08/19 06:06:21 | 000,041,344 | ---- | C] (Apple Computer, Inc.) -- C:\WINDOWS\System32\MCIQTW.DRV
[2013/08/19 06:06:21 | 000,039,936 | ---- | C] (Intel® Corporation) -- C:\WINDOWS\System32\QTIYVU9.QTC
[2013/08/19 06:06:21 | 000,032,128 | ---- | C] (Apple Computer, Inc.) -- C:\WINDOWS\System32\DHIO_DH.QTC
[2013/08/19 06:06:21 | 000,029,072 | ---- | C] (Apple Computer, Inc.) -- C:\WINDOWS\System32\QTMOVIE.VBX
[2013/08/19 06:06:21 | 000,028,352 | ---- | C] (Apple Computer, Inc.) -- C:\WINDOWS\System32\QTJPEG.QTC
[2013/08/19 06:06:21 | 000,023,888 | ---- | C] (Apple Computer, Inc.) -- C:\WINDOWS\System32\NAVG.QTC
[2013/08/19 06:06:21 | 000,015,024 | ---- | C] (Apple Computer, Inc.) -- C:\WINDOWS\System32\QTPIC.VBX
[2013/08/19 06:06:21 | 000,014,336 | ---- | C] (Apple Computer, Inc.) -- C:\WINDOWS\System32\QTIMCMGR.DLL
[2013/08/19 06:06:21 | 000,010,944 | ---- | C] (Apple Computer, Inc.) -- C:\WINDOWS\System32\REELMGIC.QTC
[2013/08/19 06:06:21 | 000,007,712 | ---- | C] (Apple Computer, Inc.) -- C:\WINDOWS\System32\QTRAW.QTC
[2013/08/19 06:06:21 | 000,004,128 | ---- | C] (Apple Computer, Inc.) -- C:\WINDOWS\System32\QTNOTIFY.EXE
[2013/08/19 06:06:20 | 000,060,992 | ---- | C] (Apple Computer, Inc.) -- C:\WINDOWS\PLAYER.EXE
[2013/08/19 06:06:20 | 000,047,712 | ---- | C] (Apple Computer, Inc.) -- C:\WINDOWS\VIEWER.EXE
[2013/08/19 06:06:20 | 000,017,536 | ---- | C] (Apple Computer, Inc.) -- C:\WINDOWS\VIEWENU.DLL
[2013/08/19 06:06:20 | 000,016,912 | ---- | C] (Apple Computer, Inc.) -- C:\WINDOWS\PLAYENU.DLL
[2013/08/19 06:06:20 | 000,008,320 | ---- | C] (Apple Computer, Inc.) -- C:\WINDOWS\System32\QTHNDLR.DLL
[2013/08/19 06:06:20 | 000,007,312 | ---- | C] (Apple Computer, Inc.) -- C:\WINDOWS\System32\QTOLD.QTC
[2013/08/19 06:06:18 | 000,249,856 | ---- | C] (Play Incorporated) -- C:\WINDOWS\System32\SNAP32N.DLL
[2013/08/19 06:06:18 | 000,202,752 | ---- | C] (Pegasus Imaging Corp.) -- C:\WINDOWS\System32\PICN1112.DLL
[2013/08/19 06:06:18 | 000,097,568 | ---- | C] (Eastman Kodak) -- C:\WINDOWS\System32\DC50.DLL
[2013/08/19 06:06:18 | 000,034,816 | ---- | C] (Apple Computer, Inc. & Eastman Kodak) -- C:\WINDOWS\System32\QTAKE-D.DLL
[2013/08/19 06:06:17 | 000,078,544 | ---- | C] (Apple Computer, Inc. & Eastman Kodak Company) -- C:\WINDOWS\System32\QTAKE-I.DLL
[2013/08/19 06:06:17 | 000,020,992 | ---- | C] (Pegasus Imaging Corp.) -- C:\WINDOWS\System32\PICN12.DLL
[2013/08/19 06:06:17 | 000,020,976 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\CTL3D.DLL
[2013/08/19 06:06:14 | 000,000,000 | ---D | C] -- C:\PhotoDlx
[2013/08/19 01:53:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\taryn\Desktop\photo shop
[2013/08/18 17:48:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\StarApp
[2013/08/18 17:47:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Vaudix
[2013/08/18 17:46:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\InstallMate
[2013/08/18 17:22:00 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox
[2013/08/11 19:36:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Documents\jason louis muthafucking kutyba.rip sister carrie ann kutyba_files
[2013/08/01 12:57:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\taryn\Desktop\untitled folder
[2013/07/31 04:11:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\AVG
[4 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\Documents and Settings\taryn\My Documents\*.tmp files -> C:\Documents and Settings\taryn\My Documents\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2013/08/27 06:16:00 | 000,000,282 | -H-- | M] () -- C:\WINDOWS\tasks\{22116563-108C-42c0-A7CE-60161B75E508}.job
[2013/08/27 06:15:00 | 000,000,422 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{9FA917AF-EDD9-4124-9237-3392F6B80E4C}.job
[2013/08/27 06:02:47 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\taryn\Desktop\OTL.exe
[2013/08/27 05:53:00 | 000,000,246 | -H-- | M] () -- C:\WINDOWS\tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job
[2013/08/27 05:43:17 | 000,000,830 | ---- | M] () -- C:\WINDOWS\tasks\Adobe Flash Player Updater.job
[2013/08/27 04:57:10 | 000,000,422 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{C7008321-5B43-4F9C-85F2-4D328FD574B9}.job
[2013/08/27 04:52:34 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2013/08/27 04:52:07 | 000,000,310 | -HS- | M] () -- C:\WINDOWS\tasks\Yegzj.job
[2013/08/27 04:52:00 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2013/08/26 16:21:22 | 000,094,632 | ---- | M] (Oracle Corporation) -- C:\WINDOWS\System32\WindowsAccessBridge.dll
[2013/08/26 16:21:20 | 000,867,240 | ---- | M] (Oracle Corporation) -- C:\WINDOWS\System32\npDeployJava1.dll
[2013/08/26 16:21:20 | 000,789,416 | ---- | M] (Oracle Corporation) -- C:\WINDOWS\System32\deployJava1.dll
[2013/08/26 16:21:20 | 000,263,592 | ---- | M] (Oracle Corporation) -- C:\WINDOWS\System32\javaws.exe
[2013/08/26 16:21:20 | 000,175,016 | ---- | M] (Oracle Corporation) -- C:\WINDOWS\System32\javaw.exe
[2013/08/26 16:21:20 | 000,175,016 | ---- | M] (Oracle Corporation) -- C:\WINDOWS\System32\java.exe
[2013/08/26 16:21:20 | 000,144,896 | ---- | M] (Oracle Corporation) -- C:\WINDOWS\System32\javacpl.cpl
[2013/08/26 12:11:16 | 000,002,137 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\iTunes.lnk
[2013/08/26 06:51:25 | 000,000,104 | ---- | M] () -- C:\Documents and Settings\taryn\Desktop\Internet.lnk
[2013/08/26 03:53:49 | 000,000,323 | -HS- | M] () -- C:\boot.ini
[2013/08/26 03:52:27 | 000,463,592 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2013/08/26 03:52:27 | 000,078,842 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2013/08/26 03:49:28 | 000,040,606 | ---- | M] () -- C:\Documents and Settings\taryn\Application Data\wklnhst.dat
[2013/08/25 23:00:00 | 000,000,398 | ---- | M] () -- C:\WINDOWS\tasks\At2.job
[2013/08/25 23:00:00 | 000,000,398 | ---- | M] () -- C:\WINDOWS\tasks\At1.job
[2013/08/23 23:00:50 | 000,097,995 | ---- | M] () -- C:\WINDOWS\unins000.dat
[2013/08/23 23:00:27 | 000,000,009 | ---- | M] () -- C:\END
[2013/08/23 22:56:25 | 001,169,609 | ---- | M] () -- C:\WINDOWS\unins000.exe
[2013/08/23 00:26:47 | 000,002,664 | ---- | M] () -- C:\Documents and Settings\taryn\My Documents\cc_20130823_002627.reg
[2013/08/21 20:45:23 | 000,001,813 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\Google Chrome.lnk
[2013/08/21 07:51:57 | 000,692,104 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerApp.exe
[2013/08/21 07:51:56 | 000,071,048 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerCPLApp.cpl
[2013/08/19 11:46:39 | 000,001,757 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
[2013/08/19 11:41:03 | 000,002,893 | ---- | M] () -- C:\WINDOWS\ACROREAD.INI
[2013/08/19 09:44:44 | 000,001,854 | ---- | M] () -- C:\Documents and Settings\taryn\Desktop\Spotify.lnk
[2013/08/19 06:06:14 | 000,000,171 | ---- | M] () -- C:\WINDOWS\KPCMS.INI
[2013/08/19 06:02:36 | 000,000,986 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
[2013/08/19 01:49:13 | 000,012,292 | -H-- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Documents\.DS_Store
[2013/08/14 05:42:36 | 000,001,462 | RHS- | M] () -- C:\Documents and Settings\taryn\ntuser.pol
[2013/08/11 19:36:43 | 000,074,597 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Documents\jason louis muthafucking kutyba.rip sister carrie ann kutyba.htm
[2013/08/07 22:07:51 | 007,886,336 | ---- | M] () -- C:\Documents and Settings\taryn\Desktop\setup.msi
[2013/08/04 00:08:21 | 000,006,481 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Documents\th.jpg
[2013/08/03 23:47:39 | 000,020,449 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Documents\biggest_dog6.jpg
[2013/07/31 18:51:33 | 000,000,256 | ---- | M] () -- C:\WINDOWS\tasks\SSVerify.job
[2013/07/31 18:51:30 | 000,000,234 | ---- | M] () -- C:\WINDOWS\tasks\Scheduled Update for Ask Toolbar.job
[2013/07/31 18:51:27 | 000,000,292 | ---- | M] () -- C:\WINDOWS\tasks\MaxPerformaSys.job
[2013/07/31 18:51:25 | 000,000,884 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2013/07/31 18:51:22 | 000,000,880 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2013/07/31 18:51:12 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2013/07/31 04:11:18 | 000,000,702 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\AVG 2013.lnk
[4 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\Documents and Settings\taryn\My Documents\*.tmp files -> C:\Documents and Settings\taryn\My Documents\*.tmp -> ]

========== Files Created - No Company Name ==========

[2099/01/01 12:00:00 | 000,006,456 | -H-- | C] () -- C:\WINDOWS\System32\lekovaba
[2013/08/26 06:51:25 | 000,000,104 | ---- | C] () -- C:\Documents and Settings\taryn\Desktop\Internet.lnk
[2013/08/23 23:00:50 | 001,169,609 | ---- | C] () -- C:\WINDOWS\unins000.exe
[2013/08/23 23:00:50 | 000,097,995 | ---- | C] () -- C:\WINDOWS\unins000.dat
[2013/08/23 00:26:37 | 000,002,664 | ---- | C] () -- C:\Documents and Settings\taryn\My Documents\cc_20130823_002627.reg
[2013/08/19 11:46:39 | 000,001,810 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Adobe Reader 7.0.lnk
[2013/08/19 11:46:39 | 000,001,757 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
[2013/08/19 09:44:44 | 000,001,860 | ---- | C] () -- C:\Documents and Settings\taryn\Start Menu\Programs\Spotify.lnk
[2013/08/19 09:44:44 | 000,001,854 | ---- | C] () -- C:\Documents and Settings\taryn\Desktop\Spotify.lnk
[2013/08/19 06:06:21 | 000,003,888 | ---- | C] () -- C:\WINDOWS\System32\MCIQTENU.DLL
[2013/08/19 06:06:18 | 000,078,944 | ---- | C] () -- C:\WINDOWS\System32\DC50IP.DLL
[2013/08/19 06:06:17 | 002,109,504 | ---- | C] () -- C:\WINDOWS\System32\KPT20HUB.DLL
[2013/08/19 06:02:36 | 000,000,986 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
[2013/08/19 06:02:35 | 000,000,819 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Adobe ImageReady 7.0.lnk
[2013/08/19 06:02:35 | 000,000,814 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Adobe Photoshop 7.0.lnk
[2013/08/11 19:36:42 | 000,074,597 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Documents\jason louis muthafucking kutyba.rip sister carrie ann kutyba.htm
[2013/08/04 00:08:20 | 000,006,481 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Documents\th.jpg
[2013/08/03 23:47:38 | 000,020,449 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Documents\biggest_dog6.jpg
[2013/07/24 01:09:48 | 000,002,528 | ---- | C] () -- C:\Documents and Settings\taryn\Application Data\$_hpcst$.hpc
[2013/05/28 03:03:26 | 000,258,048 | ---- | C] () -- C:\WINDOWS\System32\WlanApp.dll
[2013/05/28 03:03:26 | 000,049,152 | ---- | C] () -- C:\WINDOWS\System32\JJAKEn.dll
[2011/01/08 00:14:54 | 000,000,454 | ---- | C] () -- C:\Program Files\010820110145407.bat
[2010/09/26 00:56:34 | 000,000,074 | ---- | C] () -- C:\Documents and Settings\taryn\PDPURCYL.exe
[2010/08/17 18:58:06 | 000,000,258 | ---- | C] () -- C:\Documents and Settings\taryn\Application Data\ANICONFIG_{105B27AF-92DD-49DE-A153-B5CA2C7FC4AC}.ini
[2010/07/21 08:48:46 | 000,000,740 | ---- | C] () -- C:\Documents and Settings\taryn\dpdifomx.exe
[2010/02/08 23:39:43 | 000,000,797 | ---- | C] () -- C:\Documents and Settings\taryn\Application Data\Launch Internet Explorer Browser.lnk
[2009/01/16 13:00:04 | 000,040,606 | ---- | C] () -- C:\Documents and Settings\taryn\Application Data\wklnhst.dat
[2009/01/04 08:43:03 | 000,000,978 | ---- | C] () -- C:\Program Files\reset_fp10.zip
[2008/12/31 20:04:13 | 000,000,128 | ---- | C] () -- C:\Documents and Settings\taryn\Local Settings\Application Data\fusioncache.dat
[2008/12/31 16:22:08 | 000,040,448 | ---- | C] () -- C:\Documents and Settings\taryn\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2007/11/26 01:51:59 | 000,001,462 | RHS- | C] () -- C:\Documents and Settings\taryn\ntuser.pol

========== ZeroAccess Check ==========

[2008/12/31 19:58:41 | 000,000,227 | RHS- | M] () -- C:\WINDOWS\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shdocvw.dll -- [2008/04/13 17:12:05 | 001,499,136 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = C:\WINDOWS\System32\wbem\fastprox.dll -- [2009/02/09 05:10:48 | 000,473,600 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = C:\WINDOWS\System32\wbem\wbemess.dll -- [2008/04/13 17:12:08 | 000,273,920 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

========== LOP Check ==========

[2009/08/07 01:39:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\ACASystems
[2013/07/20 06:43:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\AVG2013
[2009/12/28 10:02:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\avg9
[2007/11/27 00:36:42 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Common Files
[2010/06/16 20:02:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Driver Whiz
[2009/11/26 21:07:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\IM
[2009/11/26 21:05:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\IncrediMail
[2013/08/18 17:48:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\InstallMate
[2013/08/27 05:20:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\MFAData
[2011/01/08 00:14:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Oberon Media
[2011/01/02 22:48:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\oDbNi06300
[2009/03/08 11:35:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\PC Drivers HeadQuarters
[2007/11/29 22:56:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Ralink Driver
[2010/03/08 09:25:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\RegCure
[2010/01/18 09:49:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\SITEguard
[2013/08/18 17:48:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\StarApp
[2010/01/21 01:37:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\STOPzilla!
[2008/02/14 13:41:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP
[2010/01/27 10:20:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Ulead Systems
[2013/08/18 17:47:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Vaudix
[2010/09/20 09:48:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\VirtualizedApplications
[2007/11/26 08:34:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\W3i
[2011/07/06 00:04:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\WildTangent
[2007/11/26 16:54:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Wyeke
[2009/03/15 10:34:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
[2010/07/06 11:52:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2009/09/25 12:51:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
[2009/08/07 01:39:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\taryn\Application Data\ACASystems
[2007/11/26 15:06:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\taryn\Application Data\AVG10
[2013/07/20 06:45:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\taryn\Application Data\AVG2013
[2013/07/10 15:07:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\taryn\Application Data\AVSoftware
[2007/11/26 06:10:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\taryn\Application Data\Babylon
[2009/12/10 02:48:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\taryn\Application Data\blinkx
[2010/03/13 00:25:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\taryn\Application Data\Cricket
[2010/06/28 12:00:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\taryn\Application Data\FixCleaner
[2009/03/14 09:47:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\taryn\Application Data\GetRightToGo
[2010/01/25 14:59:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\taryn\Application Data\Jasc
[2007/11/29 23:54:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\taryn\Application Data\mjusbsp
[2009/04/02 10:10:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\taryn\Application Data\OfficeUpdate12
[2009/11/09 08:10:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\taryn\Application Data\Password Solutions
[2013/08/24 04:04:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\taryn\Application Data\PriceGong
[2013/07/24 01:11:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\taryn\Application Data\SearchProtect
[2010/08/07 02:55:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\taryn\Application Data\SmartDraw
[2010/05/16 12:48:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\taryn\Application Data\Smilebox
[2010/10/13 12:20:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\taryn\Application Data\SoftGrid Client
[2013/08/19 10:28:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\taryn\Application Data\Spotify
[2010/08/03 06:28:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\taryn\Application Data\TP
[2013/05/10 00:33:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\taryn\Application Data\TuneUp Software
[2010/01/30 10:11:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\taryn\Application Data\Ulead Systems
[2010/03/08 09:11:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\taryn\Application Data\Uniblue

========== Purity Check ==========

========== Custom Scans ==========

< %USERPROFILE%\..|smtmp;true;true;true /FP >

< %temp%\smtmp\*.* /s > >

< MD5 for: EXPLORER.EXE >
[2008/04/13 21:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS.0\explorer.exe
[2008/04/13 21:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS.0\system32\dllcache\explorer.exe
[2008/04/13 17:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\explorer.exe
[2008/04/13 17:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\ServicePackFiles\i386\explorer.exe
[2007/06/13 04:26:03 | 001,033,216 | ---- | M] (Microsoft Corporation) MD5=7712DF0CDDE3A5AC89843E61CD5B3658 -- C:\WINDOWS\SoftwareDistribution\Download\44d74c37f0595a363bcec5e9229d8564\sp2qfe\explorer.exe
[2007/06/13 03:23:07 | 001,033,216 | ---- | M] (Microsoft Corporation) MD5=97BD6515465659FF8F3B7BE375B2EA87 -- C:\WINDOWS\SoftwareDistribution\Download\44d74c37f0595a363bcec5e9229d8564\sp2gdr\explorer.exe
[2004/08/04 00:56:50 | 001,032,192 | ---- | M] (Microsoft Corporation) MD5=A0732187050030AE399B241436565E64 -- C:\WINDOWS\$NtServicePackUninstall$\explorer.exe

< MD5 for: EXPLORER.EXE-082F38A9.PF >
[2013/08/27 04:53:02 | 000,081,734 | ---- | M] () MD5=0DF4B5BAD066817FE99421D8CA8FDBBA -- C:\WINDOWS\Prefetch\EXPLORER.EXE-082F38A9.pf

< MD5 for: EXPLORER.HTM >
[2005/01/19 15:25:42 | 000,002,057 | ---- | M] () MD5=0768146E197314BF50A1E3E5E89892F1 -- C:\Program Files\ATI Technologies\ATI.ACE\da\Help\wwhelp\wwhimpl\java\html\explorer.htm
[2005/01/19 15:44:52 | 000,002,057 | ---- | M] () MD5=0768146E197314BF50A1E3E5E89892F1 -- C:\Program Files\ATI Technologies\ATI.ACE\de\Help\wwhelp\wwhimpl\java\html\explorer.htm
[2005/01/19 15:44:52 | 000,002,057 | ---- | M] () MD5=0768146E197314BF50A1E3E5E89892F1 -- C:\Program Files\ATI Technologies\ATI.ACE\es\Help\wwhelp\wwhimpl\java\html\explorer.htm
[2005/01/19 15:26:08 | 000,002,057 | ---- | M] () MD5=0768146E197314BF50A1E3E5E89892F1 -- C:\Program Files\ATI Technologies\ATI.ACE\fi\Help\wwhelp\wwhimpl\java\html\explorer.htm
[2005/01/19 15:44:52 | 000,002,057 | ---- | M] () MD5=0768146E197314BF50A1E3E5E89892F1 -- C:\Program Files\ATI Technologies\ATI.ACE\fr\Help\wwhelp\wwhimpl\java\html\explorer.htm
[2003/09/15 11:06:02 | 000,002,057 | ---- | M] () MD5=0768146E197314BF50A1E3E5E89892F1 -- C:\Program Files\ATI Technologies\ATI.ACE\help\wwhelp\wwhimpl\java\html\explorer.htm
[2005/01/19 15:44:52 | 000,002,057 | ---- | M] () MD5=0768146E197314BF50A1E3E5E89892F1 -- C:\Program Files\ATI Technologies\ATI.ACE\it\Help\wwhelp\wwhimpl\java\html\explorer.htm
[2005/01/19 15:44:52 | 000,002,057 | ---- | M] () MD5=0768146E197314BF50A1E3E5E89892F1 -- C:\Program Files\ATI Technologies\ATI.ACE\ja\Help\wwhelp\wwhimpl\java\html\explorer.htm
[2005/01/19 15:26:42 | 000,002,057 | ---- | M] () MD5=0768146E197314BF50A1E3E5E89892F1 -- C:\Program Files\ATI Technologies\ATI.ACE\ko\Help\wwhelp\wwhimpl\java\html\explorer.htm
[2005/01/19 15:44:52 | 000,002,057 | ---- | M] () MD5=0768146E197314BF50A1E3E5E89892F1 -- C:\Program Files\ATI Technologies\ATI.ACE\nl\Help\wwhelp\wwhimpl\java\html\explorer.htm
[2005/01/19 15:26:58 | 000,002,057 | ---- | M] () MD5=0768146E197314BF50A1E3E5E89892F1 -- C:\Program Files\ATI Technologies\ATI.ACE\no\Help\wwhelp\wwhimpl\java\html\explorer.htm
[2005/01/19 15:44:52 | 000,002,057 | ---- | M] () MD5=0768146E197314BF50A1E3E5E89892F1 -- C:\Program Files\ATI Technologies\ATI.ACE\pt-BR\Help\wwhelp\wwhimpl\java\html\explorer.htm
[2005/01/20 14:42:18 | 000,002,057 | ---- | M] () MD5=0768146E197314BF50A1E3E5E89892F1 -- C:\Program Files\ATI Technologies\ATI.ACE\ru\Help\wwhelp\wwhimpl\java\html\explorer.htm
[2005/01/19 15:27:14 | 000,002,057 | ---- | M] () MD5=0768146E197314BF50A1E3E5E89892F1 -- C:\Program Files\ATI Technologies\ATI.ACE\sv\Help\wwhelp\wwhimpl\java\html\explorer.htm
[2005/01/19 15:44:52 | 000,002,057 | ---- | M] () MD5=0768146E197314BF50A1E3E5E89892F1 -- C:\Program Files\ATI Technologies\ATI.ACE\zh-CHS\Help\wwhelp\wwhimpl\java\html\explorer.htm
[2005/01/19 15:44:52 | 000,002,057 | ---- | M] () MD5=0768146E197314BF50A1E3E5E89892F1 -- C:\Program Files\ATI Technologies\ATI.ACE\zh-CHT\Help\wwhelp\wwhimpl\java\html\explorer.htm

< MD5 for: EXPLORER.SCF >
[2001/08/23 04:00:00 | 000,000,080 | ---- | M] () MD5=A3975A7D2C98B30A2AE010754FFB9392 -- C:\WINDOWS.0\explorer.scf
[2001/08/23 05:00:00 | 000,000,080 | ---- | M] () MD5=A3975A7D2C98B30A2AE010754FFB9392 -- C:\WINDOWS\explorer.scf

< MD5 for: IEXPLORE.CHM >
[2009/02/21 01:21:24 | 000,529,818 | ---- | M] () MD5=1435F4731719DF5F57D17DC38196245D -- C:\WINDOWS\Help\iexplore.chm
[2009/02/21 01:21:24 | 000,529,818 | ---- | M] () MD5=1435F4731719DF5F57D17DC38196245D -- C:\WINDOWS\ie7\iexplore.chm
[2007/04/02 14:09:24 | 000,204,810 | ---- | M] () MD5=60858526AAD1CC55F5F0055B8E3B66FE -- C:\WINDOWS.0\Help\iexplore.chm
[2004/07/17 11:40:18 | 000,204,810 | ---- | M] () MD5=60858526AAD1CC55F5F0055B8E3B66FE -- C:\WINDOWS\ServicePackFiles\i386\iexplore.chm
[2006/09/01 08:43:50 | 000,503,758 | ---- | M] () MD5=652E46500C149D1DC948BF9CEA8C4933 -- C:\Documents and Settings\All Users.WINDOWS\Documents\My Pictures\idunnos\63822586338664cd4ad81323\iexplore.chm
[2006/09/01 08:43:50 | 000,503,758 | ---- | M] () MD5=652E46500C149D1DC948BF9CEA8C4933 -- C:\WINDOWS\ie8\iexplore.chm

< MD5 for: IEXPLORE.CHW >
[2011/02/13 04:54:44 | 000,153,185 | ---- | M] () MD5=E51A8C3B101F290C26A48EEE51C8AC0A -- C:\Documents and Settings\tryme\Application Data\Microsoft\HTML Help\iexplore.chw

< MD5 for: IEXPLORE.EXE >
[2009/06/29 00:25:31 | 000,634,632 | ---- | M] (Microsoft Corporation) MD5=02E2754D3E566C11A4934825920C47DD -- C:\WINDOWS\$hf_mig$\KB972260-IE7\SP3QFE\iexplore.exe
[2008/12/18 22:25:25 | 000,634,024 | ---- | M] (Microsoft Corporation) MD5=030D78FE84A086ED376EFCBD2D72C522 -- C:\WINDOWS\ie7updates\KB969897-IE7\iexplore.exe
[2008/10/14 23:34:58 | 000,633,632 | ---- | M] (Microsoft Corporation) MD5=056C927CF7207857E8B34F7A8FFD9B9E -- C:\WINDOWS\$hf_mig$\KB958215-IE7\SP2QFE\iexplore.exe
[2009/04/24 22:27:50 | 000,636,088 | ---- | M] (Microsoft Corporation) MD5=092A7F2B49A19ECCE5369D3CB2276148 -- C:\WINDOWS\ie7updates\KB972260-IE7\iexplore.exe
[2008/12/18 22:25:30 | 000,634,024 | ---- | M] (Microsoft Corporation) MD5=15E8A89499741D5CF59A9CF6463A4339 -- C:\WINDOWS\$hf_mig$\KB961260-IE7\SP2QFE\iexplore.exe
[2009/08/26 22:18:42 | 000,634,648 | ---- | M] (Microsoft Corporation) MD5=332EC7562F3AA7364F2D4231C56DA986 -- C:\WINDOWS\$hf_mig$\KB974455-IE7\SP3QFE\iexplore.exe
[2009/06/29 01:35:10 | 000,634,632 | ---- | M] (Microsoft Corporation) MD5=3CFC56F73D494FC1AA2B6E981DF15ACD -- C:\WINDOWS\ie7updates\KB974455-IE7\iexplore.exe
[2009/10/27 23:54:16 | 000,634,632 | ---- | M] (Microsoft Corporation) MD5=4F9B04D546C23A295F3F0AE015BE51DB -- C:\WINDOWS\ie7updates\KB978207-IE7\iexplore.exe
[2009/12/18 06:05:43 | 000,634,648 | ---- | M] (Microsoft Corporation) MD5=53C291F3B01EECECBD7FD358EA3ACC94 -- C:\WINDOWS\ie7updates\KB980182-IE7\iexplore.exe
[2008/04/13 21:42:24 | 000,093,184 | ---- | M] (Microsoft Corporation) MD5=55794B97A7FAABD2910873C85274F409 -- C:\WINDOWS.0\system32\dllcache\iexplore.exe
[2008/04/13 21:42:24 | 000,093,184 | ---- | M] (Microsoft Corporation) MD5=55794B97A7FAABD2910873C85274F409 -- C:\WINDOWS\ie7\iexplore.exe
[2008/04/13 17:12:22 | 000,093,184 | ---- | M] (Microsoft Corporation) MD5=55794B97A7FAABD2910873C85274F409 -- C:\WINDOWS\ServicePackFiles\i386\iexplore.exe
[2009/10/27 23:54:21 | 000,634,632 | ---- | M] (Microsoft Corporation) MD5=80675329E0FD54F016C4F8A83C616349 -- C:\WINDOWS\$hf_mig$\KB976325-IE7\SP3QFE\iexplore.exe
[2008/10/15 00:06:26 | 000,633,632 | ---- | M] (Microsoft Corporation) MD5=9D3DB9ADFABD2F0BC778EC03250A3ABB -- C:\WINDOWS\ie7updates\KB961260-IE7\iexplore.exe
[2009/02/27 21:54:41 | 000,636,072 | ---- | M] (Microsoft Corporation) MD5=A251068640DDB69FD7805B57D89D7FF7 -- C:\WINDOWS\SoftwareDistribution\Download\263159e92061f273983a0f9531635ce0\sp3gdr\iexplore.exe
[2010/04/16 04:08:29 | 000,634,648 | ---- | M] (Microsoft Corporation) MD5=B24A4E23A2FEDB6976EB04D334AD82B2 -- C:\WINDOWS\$hf_mig$\KB982381-IE7\SP3QFE\iexplore.exe
[2010/02/22 22:20:02 | 000,634,648 | ---- | M] (Microsoft Corporation) MD5=B5116340B84824DDD0A641E36B126194 -- C:\WINDOWS\ie7updates\KB982381-IE7\iexplore.exe
[2009/03/08 14:09:26 | 000,638,816 | ---- | M] (Microsoft Corporation) MD5=B60DDDD2D63CE41CB8C487FCFBB6419E -- C:\Program Files\Internet Explorer\iexplore.exe
[2009/03/08 14:09:26 | 000,638,816 | ---- | M] (Microsoft Corporation) MD5=B60DDDD2D63CE41CB8C487FCFBB6419E -- C:\WINDOWS\system32\dllcache\iexplore.exe
[2009/02/27 21:54:44 | 000,636,088 | ---- | M] (Microsoft Corporation) MD5=BCD8E48709BE4A79606F0B6E8E9A6162 -- C:\WINDOWS\SoftwareDistribution\Download\263159e92061f273983a0f9531635ce0\sp3qfe\iexplore.exe
[2009/04/24 22:27:39 | 000,636,088 | ---- | M] (Microsoft Corporation) MD5=C0503FD8D163652735C1EE900672A75C -- C:\WINDOWS\$hf_mig$\KB969897-IE7\SP3QFE\iexplore.exe
[2010/04/16 04:43:25 | 000,634,656 | ---- | M] (Microsoft Corporation) MD5=C4BA5E36FB57F547117305BF1E0FE454 -- C:\WINDOWS\ie8\iexplore.exe
[2010/02/22 22:19:59 | 000,634,648 | ---- | M] (Microsoft Corporation) MD5=C8DDA4028065D5CE39CBE7A156B72AB9 -- C:\WINDOWS\$hf_mig$\KB980182-IE7\SP3QFE\iexplore.exe
[2009/12/18 00:00:27 | 000,634,632 | ---- | M] (Microsoft Corporation) MD5=D19E56D5930C37CF211867DF450C372A -- C:\WINDOWS\$hf_mig$\KB978207-IE7\SP3QFE\iexplore.exe
[2007/08/13 18:43:56 | 000,622,080 | ---- | M] (Microsoft Corporation) MD5=DE49B348A18369B4626FBA1D49B07FB4 -- C:\Documents and Settings\All Users.WINDOWS\Documents\My Pictures\idunnos\63822586338664cd4ad81323\iexplore.exe
[2007/08/13 18:43:56 | 000,622,080 | ---- | M] (Microsoft Corporation) MD5=DE49B348A18369B4626FBA1D49B07FB4 -- C:\WINDOWS\ie7updates\KB958215-IE7\iexplore.exe
[2004/08/04 00:56:52 | 000,093,184 | ---- | M] (Microsoft Corporation) MD5=E7484514C0464642BE7B4DC2689354C8 -- C:\WINDOWS\$NtServicePackUninstall$\iexplore.exe
[2009/08/26 22:18:44 | 000,634,648 | ---- | M] (Microsoft Corporation) MD5=F232BA9F39BC0F722672C7E79E68EBEA -- C:\WINDOWS\ie7updates\KB976325-IE7\iexplore.exe

< MD5 for: IEXPLORE.EXE.MUI >
[2009/03/08 14:21:44 | 000,012,288 | ---- | M] (Microsoft Corporation) MD5=943030B55FDB56FB8B8FCC086071E119 -- C:\Program Files\Internet Explorer\en-US\iexplore.exe.mui
[2009/03/08 14:21:44 | 000,012,288 | ---- | M] (Microsoft Corporation) MD5=943030B55FDB56FB8B8FCC086071E119 -- C:\Program Files\Internet Explorer\iexplore.exe.mui
[2007/08/13 18:43:36 | 000,573,440 | ---- | M] (Microsoft Corporation) MD5=B58D8A1C7EE0E922EC7D2616DA136FC3 -- C:\Documents and Settings\All Users.WINDOWS\Documents\My Pictures\idunnos\63822586338664cd4ad81323\iexplore.exe.mui

< MD5 for: IEXPLORE.EXE-27122324.PF >
[2013/08/27 05:53:02 | 000,096,346 | ---- | M] () MD5=A54E60EADC1F7BDA326E84BA70DB43AB -- C:\WINDOWS\Prefetch\IEXPLORE.EXE-27122324.pf
[2013/07/21 01:57:44 | 000,044,124 | ---- | M] () MD5=DB2763688AB3413AD5084D1626DBDBCF -- C:\WINDOWS.0\Prefetch\IEXPLORE.EXE-27122324.pf

< MD5 for: IEXPLORE.HLP >
[2001/08/23 04:00:00 | 000,180,335 | ---- | M] () MD5=3F19AF1B745140DAFAC6F78F561A3C62 -- C:\WINDOWS.0\Help\iexplore.hlp
[2001/08/23 05:00:00 | 000,180,335 | ---- | M] () MD5=3F19AF1B745140DAFAC6F78F561A3C62 -- C:\WINDOWS\Help\iexplore.hlp

< MD5 for: SERVICES >
[2001/08/23 04:00:00 | 000,007,116 | ---- | M] () MD5=95826940E657FE0567A8EC0F2A6AD11A -- C:\WINDOWS.0\system32\drivers\etc\services
[2001/08/23 05:00:00 | 000,007,116 | ---- | M] () MD5=95826940E657FE0567A8EC0F2A6AD11A -- C:\WINDOWS\system32\drivers\etc\services

< MD5 for: SERVICES.EXE >
[2009/02/06 04:06:24 | 000,110,592 | ---- | M] (Microsoft Corporation) MD5=020CEAAEDC8EB655B6506B8C70D53BB6 -- C:\WINDOWS.0\$hf_mig$\KB956572\SP3QFE\services.exe
[2009/02/06 04:06:24 | 000,110,592 | ---- | M] (Microsoft Corporation) MD5=020CEAAEDC8EB655B6506B8C70D53BB6 -- C:\WINDOWS\$hf_mig$\KB956572\SP3QFE\services.exe
[2008/04/13 21:42:36 | 000,108,544 | ---- | M] (Microsoft Corporation) MD5=0E776ED5F7CC9F94299E70461B7B8185 -- C:\WINDOWS.0\$NtUninstallKB956572$\services.exe
[2008/04/13 17:12:34 | 000,108,544 | ---- | M] (Microsoft Corporation) MD5=0E776ED5F7CC9F94299E70461B7B8185 -- C:\WINDOWS\ServicePackFiles\i386\services.exe
[2009/02/06 04:11:05 | 000,110,592 | ---- | M] (Microsoft Corporation) MD5=65DF52F5B8B6E9BBD183505225C37315 -- C:\WINDOWS.0\system32\dllcache\services.exe
[2009/02/06 04:11:05 | 000,110,592 | ---- | M] (Microsoft Corporation) MD5=65DF52F5B8B6E9BBD183505225C37315 -- C:\WINDOWS.0\system32\services.exe
[2009/02/06 04:11:05 | 000,110,592 | ---- | M] (Microsoft Corporation) MD5=65DF52F5B8B6E9BBD183505225C37315 -- C:\WINDOWS\system32\dllcache\services.exe
[2009/02/06 04:11:05 | 000,110,592 | ---- | M] (Microsoft Corporation) MD5=65DF52F5B8B6E9BBD183505225C37315 -- C:\WINDOWS\system32\services.exe
[2004/08/04 00:56:56 | 000,108,032 | ---- | M] (Microsoft Corporation) MD5=C6CE6EEC82F187615D1002BB3BB50ED4 -- C:\WINDOWS\$NtServicePackUninstall$\services.exe

< MD5 for: SERVICES.HTML >
[2011/01/07 10:06:09 | 000,005,334 | ---- | M] () MD5=A33CF6EB7CC2AAD518DB5543E8E5239B -- C:\Documents and Settings\tryme\Desktop\build\us\lib\sites\Celestial Terrestrial\sitebuilder\preview\services.html
[2011/01/07 10:06:09 | 000,005,572 | ---- | M] () MD5=AF50F1A7EF49F64A0DBBF0683DDD8B30 -- C:\Documents and Settings\tryme\Desktop\build\us\lib\sites\Celestial Terrestrial\services.html

< MD5 for: SERVICES.LNK >
[2010/03/08 09:18:30 | 000,001,602 | ---- | M] () MD5=5186AAFCAFF51667064BC28351F722F7 -- C:\Documents and Settings\All Users\Start Menu\Programs\Administrative Tools\Services.lnk
[2010/03/08 09:18:58 | 000,001,602 | ---- | M] () MD5=577B640BAAAEB22E8A7F8C26F94C282F -- C:\Documents and Settings\All Users.WINDOWS.0\Start Menu\Programs\Administrative Tools\Services.lnk
[2010/03/08 09:18:50 | 000,001,602 | ---- | M] () MD5=D711D3F8A17192E4BB44C1EF77B7ADFB -- C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Administrative Tools\Services.lnk

< MD5 for: SERVICES.MSC >
[2001/08/23 04:00:00 | 000,033,464 | ---- | M] () MD5=E8089AA2A6F7FEE89B38C1F2D77BA6C6 -- C:\WINDOWS.0\system32\services.msc
[2001/08/23 05:00:00 | 000,033,464 | ---- | M] () MD5=E8089AA2A6F7FEE89B38C1F2D77BA6C6 -- C:\WINDOWS\system32\services.msc

< MD5 for: WINLOGON.EXE >
[2004/08/04 00:56:58 | 000,502,272 | ---- | M] (Microsoft Corporation) MD5=01C3346C241652F43AED8E2149881BFE -- C:\WINDOWS\$NtServicePackUninstall$\winlogon.exe
[2008/04/13 21:42:40 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\WINDOWS.0\system32\dllcache\winlogon.exe
[2008/04/13 21:42:40 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\WINDOWS.0\system32\winlogon.exe
[2008/04/13 17:12:39 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\WINDOWS\ServicePackFiles\i386\winlogon.exe
[2008/04/13 17:12:39 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\WINDOWS\system32\winlogon.exe

< %SYSTEMDRIVE%\*.* >
[2007/11/26 16:13:36 | 000,000,000 | ---- | M] () -- C:\asdasd.asdasd
[2007/11/26 16:13:36 | 000,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT
[2013/08/26 03:53:49 | 000,000,323 | -HS- | M] () -- C:\boot.ini
[2007/11/26 16:13:36 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS
[2013/08/23 23:00:27 | 000,000,009 | ---- | M] () -- C:\END
[2010/05/28 01:03:35 | 000,000,521 | ---- | M] () -- C:\hpfr3420.xml
[2010/05/28 01:03:33 | 000,002,823 | ---- | M] () -- C:\hpfr3425.log
[2007/11/26 16:13:36 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
[2007/11/26 16:13:36 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
[2008/04/13 14:13:04 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
[2008/04/13 16:01:44 | 000,250,048 | RHS- | M] () -- C:\ntldr
[2009/12/19 18:43:24 | 000,262,144 | ---- | M] () -- C:\ntuser.dat
[2009/12/19 18:43:24 | 000,001,024 | -H-- | M] () -- C:\ntuser.dat.LOG
[2013/08/27 04:51:51 | 738,197,503 | -HS- | M] () -- C:\pagefile.sys

< %systemroot%\Fonts\*.com >
[2006/04/18 15:39:28 | 000,026,040 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalMonospace.CompositeFont
[2006/06/29 14:53:56 | 000,026,489 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalSansSerif.CompositeFont
[2006/04/18 15:39:28 | 000,029,779 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalSerif.CompositeFont
[2006/06/29 14:58:52 | 000,030,808 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalUserInterface.CompositeFont

< %systemroot%\Fonts\*.dll >

< %systemroot%\Fonts\*.ini >
[2008/12/26 04:52:31 | 000,000,067 | -HS- | M] () -- C:\WINDOWS\Fonts\desktop.ini

< %systemroot%\Fonts\*.ini2 >

< %systemroot%\Fonts\*.exe >

< %systemroot%\system32\spool\prtprocs\w32x86\*.* >
[2008/07/06 05:06:10 | 000,089,088 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll
[2008/07/06 03:50:03 | 000,597,504 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\printfilterpipelinesvc.exe

< %systemroot%\REPAIR\*.bak1 >

< %systemroot%\REPAIR\*.ini >

< %systemroot%\system32\*.jpg >

< %systemroot%\*.jpg >

< %systemroot%\*.png >

< %systemroot%\*.scr >
[2006/06/16 17:31:22 | 000,106,496 | ---- | M] (Nova Development.) -- C:\WINDOWS\UPSCR.Scr
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

< %systemroot%\*._sy >

< %APPDATA%\Adobe\Update\*.* >

< %ALLUSERSPROFILE%\Favorites\*.* >
[2007/11/26 10:36:45 | 000,001,310 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Favorites\WildTangent Games.lnk

< %APPDATA%\Microsoft\*.* >
[2010/06/23 16:58:25 | 000,001,826 | -H-- | M] () -- C:\Documents and Settings\taryn\Application Data\Microsoft\LastFlashConfig.WFC

< %PROGRAMFILES%\*.* >
[2011/01/08 00:14:55 | 000,000,454 | ---- | M] () -- C:\Program Files\010820110145407.bat
[2009/01/04 08:55:56 | 000,000,978 | ---- | M] () -- C:\Program Files\reset_fp10.zip

< %APPDATA%\Update\*.* >

< %systemroot%\*. /mp /s >

< dir "%systemdrive%\*" /S /A:L /C >
Volume in drive C has no label.
Volume Serial Number is BC85-A62E
Directory of C:\WINDOWS\assembly\GAC_32\System.EnterpriseServices
06/02/2011 03:10 AM <JUNCTION> 2.0.0.0__b03f5f7f11d50a3a
0 File(s) 0 bytes
Directory of C:\WINDOWS\assembly\GAC_MSIL\IEExecRemote
06/02/2011 03:09 AM <JUNCTION> 2.0.0.0__b03f5f7f11d50a3a
0 File(s) 0 bytes
Total Files Listed:
0 File(s) 0 bytes
2 Dir(s) 34,741,161,984 bytes free

< %systemroot%\System32\config\*.sav >
[2008/12/25 21:18:38 | 000,090,112 | ---- | M] () -- C:\WINDOWS\System32\config\default.sav
[2008/12/25 21:18:38 | 000,630,784 | ---- | M] () -- C:\WINDOWS\System32\config\software.sav
[2008/12/25 21:18:38 | 000,413,696 | ---- | M] () -- C:\WINDOWS\System32\config\system.sav

< %PROGRAMFILES%\bak. /s >

< %systemroot%\system32\bak. /s >

< %ALLUSERSPROFILE%\Start Menu\*.lnk /x >
[2009/04/03 13:17:54 | 000,000,272 | -HS- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Start Menu\desktop.ini

< %systemroot%\system32\config\systemprofile\*.dat /x >

< %systemroot%\*.config >

< %systemroot%\system32\*.db >
[2010/01/12 14:23:13 | 000,005,632 | -HS- | M] () -- C:\WINDOWS\system32\Thumbs.db
[4 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %PROGRAMFILES%\Internet Explorer\*.dat >

< %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x >
[2009/04/03 13:55:01 | 000,000,177 | -HS- | M] () -- C:\Documents and Settings\taryn\Application Data\Microsoft\Internet Explorer\Quick Launch\desktop.ini
[2008/12/26 05:08:39 | 000,000,079 | ---- | M] () -- C:\Documents and Settings\taryn\Application Data\Microsoft\Internet Explorer\Quick Launch\Show Desktop.scf

< %USERPROFILE%\Desktop\*.exe >
[2013/08/27 06:02:47 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\taryn\Desktop\OTL.exe

< %PROGRAMFILES%\Common Files\*.* >

< %systemroot%\*.src >

< %systemroot%\install\*.* >

< %systemroot%\system32\DLL\*.* >

< %systemroot%\system32\HelpFiles\*.* >

< %systemroot%\system32\rundll\*.* >

< %systemroot%\winn32\*.* >

< %systemroot%\Java\*.* >

< %systemroot%\system32\test\*.* >

< %systemroot%\system32\Rundll32\*.* >

< %systemroot%\AppPatch\Custom\*.* >

< HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs >
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install\\LastSuccessTime: 2013-07-11 08:35:19

< >
[2007/11/26 07:07:27 | 000,000,880 | ---- | C] () -- C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
[2007/11/26 07:07:28 | 000,000,884 | ---- | C] () -- C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
[2007/11/26 13:11:52 | 000,000,246 | -H-- | C] () -- C:\WINDOWS\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job
[2007/11/26 13:11:55 | 000,000,282 | -H-- | C] () -- C:\WINDOWS\Tasks\{22116563-108C-42c0-A7CE-60161B75E508}.job
[2007/11/26 13:11:59 | 000,000,000 | -H-- | C] () -- C:\WINDOWS\Tasks\{BBAEAEAF-1275-40e2-BD6C-BC8F88BD114A}.job
[2007/11/26 13:12:41 | 000,000,310 | -HS- | C] () -- C:\WINDOWS\Tasks\Yegzj.job
[2008/12/26 04:50:34 | 000,000,065 | RH-- | C] () -- C:\WINDOWS\Tasks\desktop.ini
[2008/12/26 04:52:41 | 000,000,006 | -H-- | C] () -- C:\WINDOWS\Tasks\SA.DAT
[2009/02/04 18:07:31 | 000,000,284 | ---- | C] () -- C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
[2010/01/07 06:45:01 | 000,000,294 | ---- | C] () -- C:\WINDOWS\Tasks\ckzbekkl.job
[2010/08/05 12:32:14 | 000,000,422 | -H-- | C] () -- C:\WINDOWS\Tasks\User_Feed_Synchronization-{C7008321-5B43-4F9C-85F2-4D328FD574B9}.job
[2010/12/31 04:09:01 | 000,000,234 | ---- | C] () -- C:\WINDOWS\Tasks\Scheduled Update for Ask Toolbar.job
[2011/01/03 08:37:20 | 000,000,398 | ---- | C] () -- C:\WINDOWS\Tasks\At1.job
[2011/01/03 08:40:20 | 000,000,398 | ---- | C] () -- C:\WINDOWS\Tasks\At2.job
[2011/01/04 13:18:46 | 000,000,422 | -H-- | C] () -- C:\WINDOWS\Tasks\User_Feed_Synchronization-{9FA917AF-EDD9-4124-9237-3392F6B80E4C}.job
[2013/07/10 15:07:57 | 000,000,292 | ---- | C] () -- C:\WINDOWS\Tasks\MaxPerformaSys.job
[2013/07/10 15:08:55 | 000,000,256 | ---- | C] () -- C:\WINDOWS\Tasks\SSVerify.job
[2013/07/20 07:33:03 | 000,000,830 | ---- | C] () -- C:\WINDOWS\Tasks\Adobe Flash Player Updater.job

========== Alternate Data Streams ==========

@Alternate Data Stream - 60 bytes -> C:\Documents and Settings\All Users.WINDOWS\Documents\.DS_Store:AFP_AfpInfo
@Alternate Data Stream - 150 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:373E1720
@Alternate Data Stream - 130 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:0B4227B4
@Alternate Data Stream - 128 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:45FE2B4E
@Alternate Data Stream - 124 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:7E95B6FD
@Alternate Data Stream - 121 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:DFC5A2B2
@Alternate Data Stream - 109 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:A8ADE5D8

< End of report >

Advertisements

Register to Remove

#2 Satchfan

SuperHelper

Malware Team
6,813 posts

Interests:LFC, music, more LFC, more music

Posted 28 August 2013 - 06:42 AM

Hello krptd and welcome to the WTT forum.

My name is Satchfan and I would be glad to help you with your computer problem.

Please read the following guidelines which will help to make cleaning your machine easier:

please follow all instructions in the order posted
please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear
all logs/reports, etc. must be posted in Notepad. Please ensure that word wrap is unchecked. In Notepad click Format, uncheck Word wrap if it is checked
if you don't understand something, please don't hesitate to ask for clarification before proceeding
the fixes are specific to your problem and should only be used for this issue on this machine.
please reply within 3 days. If you do not reply within this period I will post a reminder but topics with no reply in 4 days will be closed!

IMPORTANT:

Please DO NOT install/uninstall any programs unless asked to.
Please DO NOT run any scans other than those requested

===================================================

Note: Due to what has been seen in your logs, it is important that you run these in the order given in the instructions.

===================================================

Run RogueKiller

IMPORTANT: Please remove any usb or external drives from the computer before you run this scan!

Close all running programs.

Download one of these to your desktop:

for a 32-bt system download this version.
for 64-bit use this one

close all running programs
for Windows Vista/Seven, right click -> run as administrator, for XP simply double-click on RogueKiller.exe
when the pre-scan is finished, click on Scan
click on Report and copy/paste the content in your next post
NOTE: DO NOT attempt to remove anything that the scan detects –everything that is reported is not necessarily bad

If the program is blocked, continue to try it several times. If it still doesn’t work, (it could happen), rename it to winlogon.exe.
Please post the contents of the RKreport.txt in your next reply.

===================================================

Download and run AdwCleaner

Download AdwCleaner from here and save it to your desktop.

run AdwCleaner
when it has finished, select Clean
if it asks to reboot - allow the reboot
on reboot a log will be produced; please attach the content of the log to your next reply.

===================================================

Download and run Junkware Removal Tool

Posted Image

Please download Junkware Removal Tool to your desktop.

shut down your protection software now to avoid potential conflicts.
run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator"
the tool will open and start scanning your system
please be patient as this can take a while to complete depending on your system's specifications
on completion, a log (JRT.txt) is saved to your desktop and will automatically open
post the contents of JRT.txt into your next message.

Logs to include in the next post:

RKreport.txt
AdwCleaner log
JRT.txt

Please also post a new OTL log and tell me if there are any changes.

Thanks

Satchfan

NINA - Proud graduate of the WTT Classroom

Member of UNITE

The help you receive here is free but if you feel I have helped, you may consider making a Donation.

#3 krptd

New Member

Authentic Member
5 posts

Posted 30 August 2013 - 08:14 AM

Hello Satchfan and Thank you for your reply. I am already having difficulty in implementing your instructions, forgive me, I am not trying to be difficult. As per instruction 1, i attempted to download RogueKiller. The RK Quarantine file appeared on my desktop but no program to execute. After numerous attempts,at trying to save the file, I hit the run button, Before I could close the open window with your message the scan started, but stopped midway in process, the program shutting down. I did save the file with the idea I would close all windows and run the scan again without any other programs running as instructed and post the directed log. The file appeared to save to desktop...scan executed and program froze this time before it shut down I saw something like "STOPPED- Driver did not load" but the program would not resume. 2 more attempts program froze same spot...the icon disappears from my desktop so I could not rename the file, it does not appear in my programs list, I tried to download again and recieved an error codefile could not be copied...check disk for space. At this point I am unsure if I am to continue to second part of instruction, or if I need to start over and attempt completion of a full scan before proceeding, please advise... Just in case here is the copy of the first scan (in several peices after error messages of being too long . [00:00:0688] ***** Global Init ***** [00:00:0688] Has crashed before : 1 [00:00:0688] Create mutex : RogueKiller [00:07:0360] Mutex Created : 0x1b4 [00:07:0360] Fill lists [00:07:0860] OS Language : English [00:07:0860] Take Privileges [00:07:0860] Modify Token [00:08:0172] Set priority to HIGH [00:08:0172] Getting Operating System [00:08:0172] Os Getted : Windows XP (5.1.2600 Service Pack 3) 32 bits version [00:08:0172] ***** Global Init OK ***** [00:08:0172] ***** GUI Init ***** [00:09:0625] ***** GUI Init OK ***** [00:09:0641] Get build number [00:09:0641] build number : RogueKiller™ v8.6.7 [Aug 28 2013] (x64 : 0) [00:09:0641] ***** PreScan ***** [00:09:0641] Clear ListViews [00:09:0641] [Check Window] TF_FloatingLangBar_WndTitle [00:09:0641] [Check Window] CiceroUIWndFrame [00:09:0641] [Check Window] SysFader [00:09:0641] [Check Window] Start Menu [00:09:0641] [Check Window] SysFader [00:09:0641] [Check Window] RogueKiller™ v8.6.7 [00:09:0641] [Check Window] Korrupted- No Doubt-By What?...To be Determined - Internet Explorer, optimized for Bing and MSN [00:09:0641] [Check Window] CT3293216 [00:09:0641] [Check Window] WND_IE8_PARENT_DISPATCHER1824 [00:09:0641] [Check Window] CT3293216 [00:09:0641] [Check Window] CT3293216 [00:09:0641] [Check Window] tbVgra.dll [00:09:0641] [Check Window] WND_IE8_PARENT_DISPATCHER3320 [00:09:0641] [Check Window] ldrtbVgra.dll [00:09:0641] [Check Window] DDE Server Window [00:09:0641] [Check Window] Acrobat IEHelper [00:09:0641] [Check Window] Connections Tray [00:09:0641] [Check Window] MCI command handling window [00:09:0657] [Check Window] HiddenFaxWindow [00:09:0657] [Check Window] DccMan [00:09:0657] [Check Window] RAPIMgr [00:09:0657] [Check Window] UPnP Notification Monitor [00:09:0657] [Check Window] Power Meter [00:09:0657] [Check Window] MS_WebcheckMonitor [00:09:0657] [Check Window] ATI video bios poller [00:09:0657] [Check Window] GDI+ Window [00:09:0657] [Check Window] GDI+ Window [00:09:0657] [Check Window] Program Manager [00:09:0657] [Check Window] M [00:09:0657] [Check Window] Default IME [00:09:0657] [Check Window] M [00:09:0657] [Check Window] Default IME [00:09:0657] [Check Window] M [00:09:0657] [Check Window] Default IME [00:09:0657] [Check Window] M [00:09:0657] [Check Window] Default IME [00:09:0657] [Check Window] Default IME [00:09:0657] [Check Window] Default IME [00:09:0657] [Check Window] Default IME [00:09:0657] [Check Window] Default IME [00:09:0657] [Check Window] Default IME [00:09:0657] [Check Window] M [00:09:0657] [Check Window] Default IME [00:09:0657] [Check Window] Default IME [00:09:0657] [Check Window] Default IME [00:09:0657] [Check Window] Default IME [00:09:0657] [Check Window] Default IME [00:09:0657] [Check Window] Default IME [00:09:0672] [Check Window] Default IME [00:09:0688] [Check Window] Default IME [00:09:0688] [Check Window] M [00:09:0688] [Check Window] Default IME [00:09:0719] [Check Processes] Service PID : 1024 [00:33:0594] [Check Processes] [0][_0] [System Process] : [00:33:0641] [CHECK] WhiteDLL [00:33:0641] [CHECK] Whitelist [00:33:0641] [CHECK] WellKnown [00:33:0641] [Check Processes] [4][_0] System : [00:33:0641] [CHECK] WhiteDLL [00:33:0641] [CHECK] Whitelist [00:33:0641] [CHECK] WellKnown [00:33:0938] [Check Processes] [668][_4] smss.exe : C:\WINDOWS\System32\smss.exe [00:33:0938] [CHECK] WhiteDLL [00:33:0938] [CHECK] Whitelist [00:33:0938] [CHECK] WellKnown [00:34:0469] [Check Processes] [720][_704] avgrsx.exe : C:\Program Files\AVG\AVG2013\avgrsx.exe [00:34:0485] [CHECK] WhiteDLL [00:34:0485] [CHECK] Whitelist [00:34:0485] [CHECK] WellKnown [00:34:0485] [CHECK] WhitelistPath [00:34:0485] [CHECK] HijackName [00:34:0485] [CHECK] Signature [00:34:0500] [PE] Mapping [00:34:0500] [PE] Parsing [00:34:0500] [PE] Dos header -> 0x24e0000 [00:34:0500] [PE] Nt header (offset : 0xf8) file size 0xba830 [00:34:0500] [PE] pNtHeadersx86 -> 0x24e00f8 [00:34:0500] [PE] Chars -> 0x102 [00:34:0500] [PE] Optional header [00:34:0500] [PE] Sections : 5 [00:34:0500] [PE] Section : 0 - .text [00:34:0500] [PE] Section : 1 - .rdata [00:34:0500] [PE] Section : 2 - .data [00:34:0500] [PE] Section : 3 - .rsrc [00:34:0500] [PE] Section : 4 - .reloc [00:34:0500] [PE] File open : 1 [00:34:0500] [PE] Search sigs [00:34:0500] [PE] Section[0/4] : 0x24e0400 [00:34:0500] [PE] Init AhoCorasick [00:34:0500] [PE] Start AhoCorasick [00:34:0516] [PE] Looking results : 0 [00:34:0516] [PE] Section[1/4] : 0x256f600 [00:34:0516] [PE] Init AhoCorasick [00:34:0516] [PE] Start AhoCorasick [00:34:0516] [PE] Looking results : 0 [00:34:0516] [PE] Section[2/4] : 0x2588400 [00:34:0516] [PE] Init AhoCorasick [00:34:0516] [PE] Start AhoCorasick [00:34:0516] [PE] Looking results : 0 [00:34:0516] [PE] Section[3/4] : 0x258a200 [00:34:0516] [PE] Init AhoCorasick [00:34:0516] [PE] Start AhoCorasick [00:34:0516] [PE] Looking results : 0 [00:34:0516] [PE] Section[4/4] : 0x258aa00 [00:34:0516] [PE] Init AhoCorasick [00:34:0516] [PE] Start AhoCorasick [00:34:0516] [PE] Looking results : 0 [00:34:0516] [CHECK] Blacklist [00:34:0516] [CHECK] BlacklistPath [00:34:0516] [CHECK] BlacklistMD5 [00:34:0516] [CHECK] MadeNumbers [00:34:0516] [CHECK] HasUnicode [00:34:0516] [CHECK] SuspPath [00:34:0516] [CHECK] ProcessResidue [00:34:0516] [CHECK] Not found! [00:34:0625] [Check Processes] [764][_720] avgcsrvx.exe : C:\Program Files\AVG\AVG2013\avgcsrvx.exe [00:34:0625] [CHECK] WhiteDLL [00:34:0625] [CHECK] Whitelist [00:34:0625] [CHECK] WellKnown [00:34:0625] [CHECK] WhitelistPath [00:34:0625] [CHECK] HijackName [00:34:0625] [CHECK] Signature [00:34:0641] [PE] Mapping [00:34:0641] [PE] Parsing [00:34:0641] [PE] Dos header -> 0x24e0000 [00:34:0641] [PE] Nt header (offset : 0xf8) file size 0x6e630 [00:34:0641] [PE] pNtHeadersx86 -> 0x24e00f8 [00:34:0641] [PE] Chars -> 0x102 [00:34:0641] [PE] Optional header [00:34:0641] [PE] Sections : 5 [00:34:0641] [PE] Section : 0 - .text [00:34:0641] [PE] Section : 1 - .rdata [00:34:0641] [PE] Section : 2 - .data [00:34:0641] [PE] Section : 3 - .rsrc [00:34:0641] [PE] Section : 4 - .reloc [00:34:0641] [PE] File open : 1 [00:34:0641] [PE] Search sigs [00:34:0641] [PE] Section[0/4] : 0x24e0400 [00:34:0641] [PE] Init AhoCorasick [00:34:0641] [PE] Start AhoCorasick [00:34:0641] [PE] Looking results : 0 [00:34:0641] [PE] Section[1/4] : 0x2536600 [00:34:0641] [PE] Init AhoCorasick [00:34:0641] [PE] Start AhoCorasick [00:34:0657] [PE] Looking results : 0 [00:34:0657] [PE] Section[2/4] : 0x2542200 [00:34:0657] [PE] Init AhoCorasick [00:34:0657] [PE] Start AhoCorasick [00:34:0657] [PE] Looking results : 0 [00:34:0657] [PE] Section[3/4] : 0x2542c00 [00:34:0657] [PE] Init AhoCorasick [00:34:0657] [PE] Start AhoCorasick [00:34:0657] [PE] Looking results : 0 [00:34:0657] [PE] Section[4/4] : 0x2543400 [00:34:0657] [PE] Init AhoCorasick [00:34:0657] [PE] Start AhoCorasick [00:34:0657] [PE] Looking results : 0 [00:34:0657] [CHECK] Blacklist [00:34:0657] [CHECK] BlacklistPath [00:34:0657] [CHECK] BlacklistMD5 [00:34:0657] [CHECK] MadeNumbers [00:34:0657] [CHECK] HasUnicode [00:34:0657] [CHECK] SuspPath [00:34:0657] [CHECK] ProcessResidue [00:34:0657] [CHECK] Not found! [00:34:0813] [Check Processes] [952][_668] csrss.exe : C:\WINDOWS\system32\csrss.exe [00:34:0813] [CHECK] WhiteDLL [00:34:0813] [CHECK] Whitelist [00:34:0813] [CHECK] WellKnown [00:35:0391] [Check Processes] [980][_668] winlogon.exe : C:\WINDOWS\system32\winlogon.exe [00:35:0391] [CHECK] WhiteDLL [00:35:0391] [CHECK] Whitelist [00:35:0391] [CHECK] WellKnown [00:35:0547] [Check Processes] [1024][_980] services.exe : C:\WINDOWS\system32\services.exe [00:35:0547] [CHECK] WhiteDLL [00:35:0547] [CHECK] Whitelist [00:35:0547] [CHECK] WellKnown [00:35:0688] [Check Processes] [1036][_980] lsass.exe : C:\WINDOWS\system32\lsass.exe [00:35:0688] [CHECK] WhiteDLL [00:35:0688] [CHECK] Whitelist [00:35:0688] [CHECK] WellKnown [00:35:0938] [Check Processes] [1200][_1024] ati2evxx.exe : C:\WINDOWS\system32\ati2evxx.exe [00:35:0938] [CHECK] WhiteDLL [00:35:0938] [CHECK] Whitelist [00:35:0953] [CHECK] WellKnown [00:35:0953] [CHECK] WhitelistPath [00:35:0953] [CHECK] HijackName [00:35:0953] [CHECK] Signature [00:35:0953] [PE] Mapping [00:35:0953] [PE] Parsing [00:35:0953] [PE] Dos header -> 0x24e0000 [00:35:0953] [PE] Nt header (offset : 0xe0) file size 0x68000 [00:35:0953] [PE] pNtHeadersx86 -> 0x24e00e0 [00:35:0953] [PE] Chars -> 0x10f [00:35:0953] [PE] Optional header [00:35:0953] [PE] Sections : 4 [00:35:0953] [PE] Section : 0 - .text [00:35:0953] [PE] Section : 1 - .rdata [00:35:0953] [PE] Section : 2 - .data [00:35:0953] [PE] Section : 3 - .rsrc [00:35:0953] [PE] File open : 1 [00:35:0953] [PE] Search sigs [00:35:0953] [PE] Section[0/3] : 0x24e1000 [00:35:0953] [PE] Init AhoCorasick [00:35:0953] [PE] Start AhoCorasick [00:35:0969] [PE] Looking results : 0 [00:35:0969] [PE] Section[1/3] : 0x2527000 [00:35:0969] [PE] Init AhoCorasick [00:35:0969] [PE] Start AhoCorasick [00:35:0969] [PE] Looking results : 0 [00:35:0969] [PE] Section[2/3] : 0x2546000 [00:35:0969] [PE] Init AhoCorasick [00:35:0969] [PE] Start AhoCorasick [00:35:0969] [PE] Looking results : 0 [00:35:0969] [PE] Section[3/3] : 0x2547000 [00:35:0969] [PE] Init AhoCorasick [00:35:0969] [PE] Start AhoCorasick [00:35:0969] [PE] Looking results : 0 [00:35:0969] [CHECK] Blacklist [00:35:0969] [CHECK] BlacklistPath [00:35:0969] [CHECK] BlacklistMD5 [00:35:0969] [CHECK] MadeNumbers [00:35:0969] [CHECK] HasUnicode [00:35:0969] [CHECK] SuspPath [00:35:0969] [CHECK] ProcessResidue [00:35:0969] [CHECK] Not found! [00:36:0172] [Check Processes] [1220][_1024] svchost.exe : C:\WINDOWS\system32\svchost.exe [00:36:0172] [CHECK] WhiteDLL [00:36:0172] [CHECK] Whitelist [00:36:0172] [CHECK] WellKnown [00:36:0172] [Check Processes] [1280][_1024] svchost.exe : C:\WINDOWS\system32\svchost.exe [00:36:0172] [CHECK] WhiteDLL [00:36:0172] [CHECK] Whitelist [00:36:0172] [CHECK] WellKnown [00:36:0188] [Check Processes] [1320][_1024] svchost.exe : C:\WINDOWS\system32\svchost.exe [00:36:0188] [CHECK] WhiteDLL [00:36:0188] [CHECK] Whitelist [00:36:0188] [CHECK] WellKnown [00:36:0188] [Check Processes] [1360][_1024] svchost.exe : C:\WINDOWS\system32\svchost.exe [00:36:0188] [CHECK] WhiteDLL [00:36:0188] [CHECK] Whitelist [00:36:0188] [CHECK] WellKnown [00:36:0188] [Check Processes] [1440][_1024] svchost.exe : C:\WINDOWS\system32\svchost.exe [00:36:0188] [CHECK] WhiteDLL [00:36:0188] [CHECK] Whitelist [00:36:0188] [CHECK] WellKnown [00:36:0282] [Check Processes] [1744][_1024] spoolsv.exe : C:\WINDOWS\system32\spoolsv.exe [00:36:0282] [CHECK] WhiteDLL [00:36:0282] [CHECK] Whitelist [00:36:0282] [CHECK] WellKnown [00:36:0469] [Check Processes] [1852][_1024] AppleMobileDeviceService.exe : C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [00:36:0469] [CHECK] WhiteDLL [00:36:0469] [CHECK] Whitelist [00:36:0469] [CHECK] WellKnown [00:36:0469] [CHECK] WhitelistPath [00:36:0469] [CHECK] HijackName [00:36:0469] [CHECK] Signature [00:36:0469] [PE] Mapping [00:36:0469] [PE] Parsing [00:36:0469] [PE] Dos header -> 0x24e0000 [00:36:0469] [PE] Nt header (offset : 0xf0) file size 0x23330 [00:36:0469] [PE] pNtHeadersx86 -> 0x24e00f0 [00:36:0469] [PE] Chars -> 0x102 [00:36:0469] [PE] Optional header [00:36:0469] [PE] Sections : 5 [00:36:0469] [PE] Section : 0 - .text [00:36:0469] [PE] Section : 1 - .rdata [00:36:0469] [PE] Section : 2 - .data [00:36:0469] [PE] Section : 3 - .rsrc [00:36:0469] [PE] Section : 4 - .reloc [00:36:0469] [PE] File open : 1 [00:36:0469] [PE] Search sigs [00:36:0469] [PE] Section[0/4] : 0x24e1000 [00:36:0469] [PE] Init AhoCorasick [00:36:0485] [PE] Start AhoCorasick [00:36:0485] [PE] Looking results : 0 [00:36:0485] [PE] Section[1/4] : 0x24f5000 [00:36:0485] [PE] Init AhoCorasick [00:36:0485] [PE] Start AhoCorasick [00:36:0485] [PE] Looking results : 0 [00:36:0485] [PE] Section[2/4] : 0x24f8000 [00:36:0485] [PE] Init AhoCorasick [00:36:0485] [PE] Start AhoCorasick [00:36:0485] [PE] Looking results : 0 [00:36:0485] [PE] Section[3/4] : 0x24ff000 [00:36:0485] [PE] Init AhoCorasick [00:36:0485] [PE] Start AhoCorasick [00:36:0485] [PE] Looking results : 0 [00:36:0485] [PE] Section[4/4] : 0x2500000 [00:36:0485] [PE] Init AhoCorasick [00:36:0485] [PE] Start AhoCorasick [00:36:0485] [PE] Looking results : 0 [00:36:0485] [CHECK] Blacklist [00:36:0485] [CHECK] BlacklistPath [00:36:0485] [CHECK] BlacklistMD5 [00:36:0485] [CHECK] MadeNumbers [00:36:0485] [CHECK] HasUnicode [00:36:0485] [CHECK] SuspPath [00:36:0485] [CHECK] ProcessResidue [00:36:0485] [CHECK] Not found! [00:38:0610] [Check Processes] [1896][_1024] avgidsagent.exe : C:\Program Files\AVG\AVG2013\avgidsagent.exe [00:38:0610] [CHECK] WhiteDLL [00:38:0610] [CHECK] Whitelist [00:38:0610] [CHECK] WellKnown [00:38:0610] [CHECK] WhitelistPath [00:38:0610] [CHECK] HijackName [00:38:0610] [CHECK] Signature [00:38:0703] [PE] Mapping [00:38:0703] [PE] Parsing [00:38:0703] [PE] Dos header -> 0x2aa0000 [00:38:0703] [PE] Nt header (offset : 0xf8) file size 0x4b5e30 [00:38:0703] [PE] pNtHeadersx86 -> 0x2aa00f8 [00:38:0703] [PE] Chars -> 0x102 [00:38:0703] [PE] Optional header [00:38:0703] [PE] Sections : 5 [00:38:0703] [PE] Section : 0 - .text [00:38:0703] [PE] Section : 1 - .rdata [00:38:0703] [PE] Section : 2 - .data [00:38:0703] [PE] Section : 3 - .rsrc [00:38:0703] [PE] Section : 4 - .reloc [00:38:0703] [PE] File open : 1 [00:38:0703] [PE] Search sigs [00:38:0703] [PE] Section[0/4] : 0x2aa0400 [00:38:0703] [PE] Init AhoCorasick [00:38:0703] [PE] Start AhoCorasick [00:38:0797] [PE] Looking results : 0 [00:38:0797] [PE] Section[1/4] : 0x2e07000 [00:38:0797] [PE] Init AhoCorasick [00:38:0797] [PE] Start AhoCorasick [00:38:0813] [PE] Looking results : 0 [00:38:0813] [PE] Section[2/4] : 0x2eafe00 [00:38:0813] [PE] Init AhoCorasick [00:38:0813] [PE] Start AhoCorasick [00:38:0813] [PE] Looking results : 0 [00:38:0813] [PE] Section[3/4] : 0x2ed9e00 [00:38:0813] [PE] Init AhoCorasick [00:38:0813] [PE] Start AhoCorasick [00:38:0813] [PE] Looking results : 0 [00:38:0813] [PE] Section[4/4] : 0x2eef800 [00:38:0813] [PE] Init AhoCorasick [00:38:0813] [PE] Start AhoCorasick [00:38:0813] [PE] Looking results : 0 [00:38:0828] [CHECK] Blacklist [00:38:0828] [CHECK] BlacklistPath [00:38:0828] [CHECK] BlacklistMD5 [00:38:0828] [CHECK] MadeNumbers [00:38:0828] [CHECK] HasUnicode [00:38:0828] [CHECK] SuspPath [00:38:0828] [CHECK] ProcessResidue [00:38:0828] [CHECK] Not found! [00:39:0125] [Check Processes] [188][_1024] avgwdsvc.exe : C:\Program Files\AVG\AVG2013\avgwdsvc.exe [00:39:0125] [CHECK] WhiteDLL [00:39:0125] [CHECK] Whitelist [00:39:0125] [CHECK] WellKnown [00:39:0125] [CHECK] WhitelistPath [00:39:0125] [CHECK] HijackName [00:39:0125] [CHECK] Signature [00:39:0141] [PE] Mapping [00:39:0141] [PE] Parsing [00:39:0141] [PE] Dos header -> 0x24e0000 [00:39:0141] [PE] Nt header (offset : 0x100) file size 0x45200 [00:39:0141] [PE] pNtHeadersx86 -> 0x24e0100 [00:39:0141] [PE] Chars -> 0x102 [00:39:0141] [PE] Optional header [00:39:0141] [PE] Sections : 5 [00:39:0141] [PE] Section : 0 - .text [00:39:0141] [PE] Section : 1 - .rdata [00:39:0141] [PE] Section : 2 - .data [00:39:0141] [PE] Section : 3 - .rsrc [00:39:0141] [PE] Section : 4 - .reloc [00:39:0141] [PE] File open : 1 [00:39:0141] [PE] Search sigs [00:39:0141] [PE] Section[0/4] : 0x24e0400 [00:39:0141] [PE] Init AhoCorasick [00:39:0141] [PE] Start AhoCorasick [00:39:0141] [PE] Looking results : 0 [00:39:0141] [PE] Section[1/4] : 0x2500000 [00:39:0141] [PE] Init AhoCorasick [00:39:0141] [PE] Start AhoCorasick [00:39:0141] [PE] Looking results : 0 [00:39:0141] [PE] Section[2/4] : 0x2509600 [00:39:0157] [PE] Init AhoCorasick [00:39:0157] [PE] Start AhoCorasick [00:39:0157] [PE] Looking results : 0 [00:39:0157] [PE] Section[3/4] : 0x2509800 [00:39:0157] [PE] Init AhoCorasick [00:39:0157] [PE] Start AhoCorasick [00:39:0157] [PE] Looking results : 0 [00:39:0157] [PE] Section[4/4] : 0x251f200 [00:39:0157] [PE] Init AhoCorasick [00:39:0157] [PE] Start AhoCorasick [00:39:0157] [PE] Looking results : 0 [00:39:0157] [CHECK] Blacklist [00:39:0157] [CHECK] BlacklistPath [00:39:0157] [CHECK] BlacklistMD5 [00:39:0157] [CHECK] MadeNumbers [00:39:0157] [CHECK] HasUnicode [00:39:0157] [CHECK] SuspPath [00:39:0157] [CHECK] ProcessResidue [00:39:0157] [CHECK] Not found! [00:39:0235] [Check Processes] [244][_1320] rundll32.exe : C:\WINDOWS\system32\rundll32.exe [00:39:0297] [CHECK] WhiteDLL [00:39:0297] [CHECK] Whitelist [00:39:0297] [CHECK] WellKnown [00:39:0297] [CHECK] WhiteDLL [00:39:0297] [CHECK] Whitelist [00:39:0297] [CHECK] WellKnown [00:39:0297] [CHECK] WhitelistPath [00:39:0297] [CHECK] HijackName [00:39:0297] [CHECK] Signature [00:39:0297] [PE] Mapping [00:39:0297] [PE] Parsing [00:39:0297] [PE] Dos header -> 0x24e0000 [00:39:0297] [PE] File open : 0 [00:39:0297] [CHECK] Blacklist [00:39:0297] [CHECK] BlacklistPath [00:39:0297] [CHECK] BlacklistMD5 [00:39:0297] [CHECK] MadeNumbers [00:39:0297] [CHECK] HasUnicode [00:39:0297] [CHECK] SuspPath [00:39:0297] [CHECK] ProcessResidue [00:39:0297] [CHECK] Not found! [00:39:0297] [CHECK] WhiteDLL [00:39:0297] [CHECK] Whitelist [00:39:0297] [CHECK] WellKnown [00:39:0297] [CHECK] WhitelistPath [00:39:0297] [CHECK] HijackName [00:39:0297] [CHECK] Signature [00:39:0297] [CHECK] Blacklist [00:39:0297] [CHECK] BlacklistPath [00:39:0297] [CHECK] BlacklistMD5 [00:39:0297] [CHECK] MadeNumbers [00:39:0297] [CHECK] HasUnicode [00:39:0297] [CHECK] SuspPath [00:39:0297] [CHECK] ProcessResidue [00:39:0297] [CHECK] Not found! [00:39:0297] [CHECK] WhiteDLL [00:39:0297] [CHECK] Whitelist [00:39:0297] [CHECK] WellKnown [00:39:0500] [Check Processes] [272][_1024] CltMngSvc.exe : C:\Program Files\SearchProtect\bin\CltMngSvc.exe [00:39:0500] [CHECK] WhiteDLL [00:39:0500] [CHECK] Whitelist [00:39:0500] [CHECK] WellKnown [00:39:0500] [CHECK] WhitelistPath [00:39:0500] [CHECK] HijackName [00:39:0500] [CHECK] Signature [00:39:0516] [PE] Mapping [00:39:0516] [PE] Parsing [00:39:0516] [PE] Dos header -> 0x24e0000 [00:39:0516] [PE] Nt header (offset : 0xf8) file size 0x17b20 [00:39:0516] [PE] pNtHeadersx86 -> 0x24e00f8 [00:39:0516] [PE] Chars -> 0x102 [00:39:0516] [PE] Optional header [00:39:0516] [PE] Sections : 5 [00:39:0516] [PE] Section : 0 - .text [00:39:0516] [PE] Section : 1 - .rdata [00:39:0516] [PE] Section : 2 - .data [00:39:0516] [PE] Section : 3 - .rsrc [00:39:0516] [PE] Section : 4 - .reloc [00:39:0516] [PE] File open : 1 [00:39:0516] [PE] Search sigs [00:39:0516] [PE] Section[0/4] : 0x24e0400 [00:39:0516] [PE] Init AhoCorasick [00:39:0516] [PE] Start AhoCorasick [00:39:0516] [PE] Looking results : 0 [00:39:0516] [PE] Section[1/4] : 0x24e5600 [00:39:0516] [PE] Init AhoCorasick [00:39:0516] [PE] Start AhoCorasick [00:39:0516] [PE] Looking results : 0 [00:39:0516] [PE] Section[2/4] : 0x24e7800 [00:39:0516] [PE] Init AhoCorasick [00:39:0516] [PE] Start AhoCorasick [00:39:0516] [PE] Looking results : 0 [00:39:0516] [PE] Section[3/4] : 0x24e7a00 [00:39:0516] [PE] Init AhoCorasick [00:39:0516] [PE] Start AhoCorasick [00:39:0516] [PE] Looking results : 0 [00:39:0516] [PE] Section[4/4] : 0x24f4400 [00:39:0516] [PE] Init AhoCorasick [00:39:0516] [PE] Start AhoCorasick [00:39:0516] [PE] Looking results : 0 [00:39:0516] [CHECK] Blacklist [00:39:0516] [CHECK] BlacklistPath [00:39:0516] [CHECK] BlacklistMD5 [00:39:0516] [CHECK] MadeNumbers [00:39:0516] [CHECK] HasUnicode [00:39:0516] [CHECK] SuspPath [00:39:0516] [CHECK] ProcessResidue [00:39:0516] [CHECK] Not found! [00:39:0672] [Check Processes] [384][_1024] DTUpdate.exe : C:\Documents and Settings\tryme\Application Data\DefaultTab\DefaultTab\DTUpdate.exe [00:39:0672] [CHECK] WhiteDLL [00:39:0672] [CHECK] Whitelist [00:39:0750] [Check Processes] [516][_1024] jqs.exe : C:\Program Files\Java\jre7\bin\jqs.exe [00:39:0750] [CHECK] WhiteDLL [00:39:0750] [CHECK] Whitelist [00:39:0750] [CHECK] WellKnown [00:39:0750] [CHECK] WhitelistPath [00:39:0750] [CHECK] HijackName [00:39:0750] [CHECK] Signature [00:39:0750] [PE] Mapping [00:39:0750] [PE] Parsing [00:39:0750] [PE] Dos header -> 0x24e0000 [00:39:0750] [PE] Nt header (offset : 0xf0) file size 0x2c7a8 [00:39:0750] [PE] pNtHeadersx86 -> 0x24e00f0 [00:39:0750] [PE] Chars -> 0x102 [00:39:0750] [PE] Optional header [00:39:0750] [PE] Sections : 5 [00:39:0750] [PE] Section : 0 - .text [00:39:0750] [PE] Section : 1 - .rdata [00:39:0750] [PE] Section : 2 - .data [00:39:0750] [PE] Section : 3 - .rsrc [00:39:0766] [PE] Section : 4 - .reloc [00:39:0766] [PE] File open : 1 [00:39:0766] [PE] Search sigs [00:39:0766] [PE] Section[0/4] : 0x24e0400 [00:39:0766] [PE] Init AhoCorasick [00:39:0766] [PE] Start AhoCorasick [00:39:0766] [PE] Looking results : 0 [00:39:0766] [PE] Section[1/4] : 0x24fa600 [00:39:0766] [PE] Init AhoCorasick [00:39:0766] [PE] Start AhoCorasick [00:39:0766] [PE] Looking results : 0 [00:39:0766] [PE] Section[2/4] : 0x2506a00 [00:39:0766] [PE] Init AhoCorasick [00:39:0766] [PE] Start AhoCorasick [00:39:0766] [PE] Looking results : 0 [00:39:0766] [PE] Section[3/4] : 0x2507c00 [00:39:0766] [PE] Init AhoCorasick [00:39:0766] [PE] Start AhoCorasick [00:39:0766] [PE] Looking results : 0 [00:39:0766] [PE] Section[4/4] : 0x2508400 [00:39:0766] [PE] Init AhoCorasick [00:39:0766] [PE] Start AhoCorasick [00:39:0766] [PE] Looking results : 0 [00:39:0766] [CHECK] Blacklist [00:39:0766] [CHECK] BlacklistPath [00:39:0766] [CHECK] BlacklistMD5 [00:39:0766] [CHECK] MadeNumbers [00:39:0766] [CHECK] HasUnicode [00:39:0766] [CHECK] SuspPath [00:39:0766] [CHECK] ProcessResidue [00:39:0766] [CHECK] Not found! [00:39:0891] [Check Processes] [536][_344] GoogleUpdate.exe : C:\Program Files\Google\Update\GoogleUpdate.exe [00:39:0891] [CHECK] WhiteDLL [00:39:0891] [CHECK] Whitelist [00:39:0891] [CHECK] WellKnown [00:39:0891] [CHECK] WhitelistPath [00:39:0891] [CHECK] HijackName [00:39:0891] [CHECK] Signature [00:39:0891] [PE] Mapping [00:39:0891] [PE] Parsing [00:39:0891] [PE] Dos header -> 0x24e0000 [00:39:0891] [PE] Nt header (offset : 0xe8) file size 0x207f0 [00:39:0891] [PE] pNtHeadersx86 -> 0x24e00e8 [00:39:0891] [PE] Chars -> 0x103 [00:39:0891] [PE] Optional header [00:39:0891] [PE] Sections : 3 [00:39:0891] [PE] Section : 0 - .text [00:39:0891] [PE] Section : 1 - .data [00:39:0891] [PE] Section : 2 - .rsrc [00:39:0891] [PE] File open : 1 [00:39:0891] [PE] Search sigs [00:39:0907] [PE] Section[0/2] : 0x24e0400 [00:39:0907] [PE] Init AhoCorasick [00:39:0907] [PE] Start AhoCorasick [00:39:0907] [PE] Looking results : 0 [00:39:0907] [PE] Section[1/2] : 0x24f0800 [00:39:0907] [PE] Init AhoCorasick [00:39:0907] [PE] Start AhoCorasick [00:39:0907] [PE] Looking results : 0 [00:39:0907] [PE] Section[2/2] : 0x24f1a00 [00:39:0907] [PE] Init AhoCorasick [00:39:0907] [PE] Start AhoCorasick [00:39:0907] [PE] Looking results : 0 [00:39:0907] [CHECK] Blacklist [00:39:0907] [CHECK] BlacklistPath [00:39:0907] [CHECK] BlacklistMD5 [00:39:0907] [CHECK] MadeNumbers [00:39:0907] [CHECK] HasUnicode [00:39:0907] [CHECK] SuspPath [00:39:0907] [CHECK] ProcessResidue [00:39:0907] [CHECK] Not found! [00:39:0985] [Check Processes] [592][_1024] sqlwriter.exe : c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe [00:39:0985] [CHECK] WhiteDLL [00:39:0985] [CHECK] Whitelist [00:39:0985] [CHECK] WellKnown [00:39:0985] [CHECK] WhitelistPath [00:39:0985] [CHECK] HijackName [00:39:0985] [CHECK] Signature [00:39:0985] [PE] Mapping [00:39:0985] [PE] Parsing [00:39:0985] [PE] Dos header -> 0x24e0000 [00:39:0985] [PE] Nt header (offset : 0x110) file size 0x15760 [00:39:0985] [PE] pNtHeadersx86 -> 0x24e0110 [00:39:0985] [PE] Chars -> 0x103 [00:39:0985] [PE] Optional header [00:39:0985] [PE] Sections : 3 [00:39:0985] [PE] Section : 0 - .text [00:39:0985] [PE] Section : 1 - .data [00:39:0985] [PE] Section : 2 - .rsrc [00:39:0985] [PE] File open : 1 [00:39:0985] [PE] Search sigs [00:39:0985] [PE] Section[0/2] : 0x24e0400 [00:39:0985] [PE] Init AhoCorasick [00:39:0985] [PE] Start AhoCorasick [00:39:0985] [PE] Looking results : 0 [00:39:0985] [PE] Section[1/2] : 0x24f3000 [00:39:0985] [PE] Init AhoCorasick [00:39:0985] [PE] Start AhoCorasick [00:39:0985] [PE] Looking results : 0 [00:39:0985] [PE] Section[2/2] : 0x24f3200 [00:39:0985] [PE] Init AhoCorasick [00:39:0985] [PE] Start AhoCorasick [00:39:0985] [PE] Looking results : 0 [00:39:0985] [CHECK] Blacklist [00:39:0985] [CHECK] BlacklistPath [00:40:0000] [CHECK] BlacklistMD5 [00:40:0000] [CHECK] MadeNumbers [00:40:0000] [CHECK] HasUnicode [00:40:0000] [CHECK] SuspPath [00:40:0000] [CHECK] ProcessResidue [00:40:0000] [CHECK] Not found! [00:40:0000] [Check Processes] [936][_1024] svchost.exe : C:\WINDOWS\system32\svchost.exe [00:40:0000] [CHECK] WhiteDLL [00:40:0000] [CHECK] Whitelist [00:40:0000] [CHECK] WellKnown [00:41:0047] [Check Processes] [1576][_1024] WLIDSVC.EXE : C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE [00:41:0047] [CHECK] WhiteDLL [00:41:0047] [CHECK] Whitelist [00:41:0047] [CHECK] WellKnown [00:41:0047] [CHECK] WhitelistPath [00:41:0047] [CHECK] HijackName [00:41:0047] [CHECK] Signature [00:41:0078] [PE] Mapping [00:41:0078] [PE] Parsing [00:41:0078] [PE] Dos header -> 0x27e0000 [00:41:0078] [PE] Nt header (offset : 0xf0) file size 0x175780 [00:41:0078] [PE] pNtHeadersx86 -> 0x27e00f0 [00:41:0078] [PE] Chars -> 0x102 [00:41:0078] [PE] Optional header [00:41:0078] [PE] Sections : 4 [00:41:0078] [PE] Section : 0 - .text [00:41:0078] [PE] Section : 1 - .data [00:41:0078] [PE] Section : 2 - .rsrc [00:41:0078] [PE] Section : 3 - .reloc [00:41:0078] [PE] File open : 1 [00:41:0078] [PE] Search sigs [00:41:0078] [PE] Section[0/3] : 0x27e0400 [00:41:0078] [PE] Init AhoCorasick [00:41:0078] [PE] Start AhoCorasick [00:41:0110] [PE] Looking results : 0 [00:41:0110] [PE] Section[1/3] : 0x293dc00 [00:41:0110] [PE] Init AhoCorasick [00:41:0110] [PE] Start AhoCorasick [00:41:0110] [PE] Looking results : 0 [00:41:0110] [PE] Section[2/3] : 0x2940600 [00:41:0110] [PE] Init AhoCorasick [00:41:0110] [PE] Start AhoCorasick [00:41:0110] [PE] Looking results : 0 [00:41:0110] [PE] Section[3/3] : 0x2941800 [00:41:0110] [PE] Init AhoCorasick [00:41:0110] [PE] Start AhoCorasick [00:41:0110] [PE] Looking results : 0 [00:41:0110] [CHECK] Blacklist [00:41:0110] [CHECK] BlacklistPath [00:41:0110] [CHECK] BlacklistMD5 [00:41:0110] [CHECK] MadeNumbers [00:41:0110] [CHECK] HasUnicode [00:41:0110] [CHECK] SuspPath [00:41:0110] [CHECK] ProcessResidue [00:41:0110] [CHECK] Not found! [00:41:0282] [Check Processes] [1984][_1024] YahooAUService.exe : C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe [00:41:0282] [CHECK] WhiteDLL [00:41:0282] [CHECK] Whitelist [00:41:0282] [CHECK] WellKnown [00:41:0282] [CHECK] WhitelistPath [00:41:0282] [CHECK] HijackName [00:41:0282] [CHECK] Signature [00:41:0297] [PE] Mapping [00:41:0297] [PE] Parsing [00:41:0297] [PE] Dos header -> 0x1740000 [00:41:0297] [PE] Nt header (offset : 0xe8) file size 0x93118 [00:41:0297] [PE] pNtHeadersx86 -> 0x17400e8 [00:41:0297] [PE] Chars -> 0x103 [00:41:0297] [PE] Optional header [00:41:0297] [PE] Sections : 4 [00:41:0297] [PE] Section : 0 - .text [00:41:0297] [PE] Section : 1 - .rdata [00:41:0297] [PE] Section : 2 - .data [00:41:0297] [PE] Section : 3 - .rsrc [00:41:0297] [PE] File open : 1 [00:41:0297] [PE] Search sigs [00:41:0297] [PE] Section[0/3] : 0x1740400 [00:41:0297] [PE] Init AhoCorasick [00:41:0297] [PE] Start AhoCorasick [00:41:0313] [PE] Looking results : 0 [00:41:0313] [PE] Section[1/3] : 0x17a5e00 [00:41:0313] [PE] Init AhoCorasick [00:41:0313] [PE] Start AhoCorasick [00:41:0313] [PE] Looking results : 0 [00:41:0313] [PE] Section[2/3] : 0x17c7800 [00:41:0313] [PE] Init AhoCorasick [00:41:0313] [PE] Start AhoCorasick [00:41:0313] [PE] Looking results : 0 [00:41:0313] [PE] Section[3/3] : 0x17cd000 [00:41:0313] [PE] Init AhoCorasick [00:41:0313] [PE] Start AhoCorasick [00:41:0313] [PE] Looking results : 0 [00:41:0313] [CHECK] Blacklist [00:41:0313] [CHECK] BlacklistPath [00:41:0313] [CHECK] BlacklistMD5 [00:41:0313] [CHECK] MadeNumbers [00:41:0313] [CHECK] HasUnicode [00:41:0313] [CHECK] SuspPath [00:41:0313] [CHECK] ProcessResidue [00:41:0313] [CHECK] Not found! [00:41:0391] [Check Processes] [2000][_188] avgnsx.exe : C:\Program Files\AVG\AVG2013\avgnsx.exe [00:41:0391] [CHECK] WhiteDLL [00:41:0391] [CHECK] Whitelist [00:41:0391] [CHECK] WellKnown [00:41:0391] [CHECK] WhitelistPath [00:41:0391] [CHECK] HijackName [00:41:0391] [CHECK] Signature [00:41:0422] [PE] Mapping [00:41:0422] [PE] Parsing [00:41:0422] [PE] Dos header -> 0x27e0000 [00:41:0422] [PE] Nt header (offset : 0x100) file size 0x110e30 [00:41:0422] [PE] pNtHeadersx86 -> 0x27e0100 [00:41:0422] [PE] Chars -> 0x102 [00:41:0422] [PE] Optional header [00:41:0422] [PE] Sections : 6 [00:41:0422] [PE] Section : 0 - .text [00:41:0422] [PE] Section : 1 - .rdata [00:41:0422] [PE] Section : 2 - .data [00:41:0422] [PE] Section : 3 - .tls [00:41:0422] [PE] Section : 4 - .rsrc [00:41:0422] [PE] Section : 5 - .reloc [00:41:0422] [PE] File open : 1 [00:41:0422] [PE] Search sigs [00:41:0422] [PE] Section[0/5] : 0x27e0400 [00:41:0422] [PE] Init AhoCorasick [00:41:0422] [PE] Start AhoCorasick [00:41:0438] [PE] Looking results : 0 [00:41:0438] [PE] Section[1/5] : 0x28b7600 [00:41:0438] [PE] Init AhoCorasick [00:41:0438] [PE] Start AhoCorasick [00:41:0453] [PE] Looking results : 0 [00:41:0453] [PE] Section[2/5] : 0x28dbc00 [00:41:0453] [PE] Init AhoCorasick [00:41:0453] [PE] Start AhoCorasick [00:41:0453] [PE] Looking results : 0 [00:41:0453] [PE] Section[3/5] : 0x28dcc00 [00:41:0453] [PE] Init AhoCorasick [00:41:0453] [PE] Start AhoCorasick [00:41:0453] [PE] Looking results : 0 [00:41:0453] [PE] Section[4/5] : 0x28dce00 [00:41:0453] [PE] Init AhoCorasick [00:41:0453] [PE] Start AhoCorasick [00:41:0453] [PE] Looking results : 0 [00:41:0453] [PE] Section[5/5] : 0x28dd600 [00:41:0453] [PE] Init AhoCorasick [00:41:0453] [PE] Start AhoCorasick [00:41:0453] [PE] Looking results : 0 [00:41:0453] [CHECK] Blacklist [00:41:0453] [CHECK] BlacklistPath [00:41:0453] [CHECK] BlacklistMD5 [00:41:0453] [CHECK] MadeNumbers [00:41:0453] [CHECK] HasUnicode [00:41:0453] [CHECK] SuspPath [00:41:0453] [CHECK] ProcessResidue [00:41:0453] [CHECK] Not found! [00:42:0094] [Check Processes] [1956][_188] avgemcx.exe : C:\Program Files\AVG\AVG2013\avgemcx.exe [00:42:0094] [CHECK] WhiteDLL [00:42:0094] [CHECK] Whitelist [00:42:0094] [CHECK] WellKnown [00:42:0094] [CHECK] WhitelistPath [00:42:0094] [CHECK] HijackName [00:42:0094] [CHECK] Signature [00:42:0110] [PE] Mapping [00:42:0110] [PE] Parsing [00:42:0110] [PE] Dos header -> 0x1740000 [00:42:0110] [PE] Nt header (offset : 0x100) file size 0xc3230 [00:42:0110] [PE] pNtHeadersx86 -> 0x1740100 [00:42:0110] [PE] Chars -> 0x102 [00:42:0110] [PE] Optional header [00:42:0110] [PE] Sections : 5 [00:42:0110] [PE] Section : 0 - .text [00:42:0110] [PE] Section : 1 - .rdata [00:42:0110] [PE] Section : 2 - .data [00:42:0110] [PE] Section : 3 - .rsrc [00:42:0110] [PE] Section : 4 - .reloc [00:42:0110] [PE] File open : 1 [00:42:0110] [PE] Search sigs [00:42:0110] [PE] Section[0/4] : 0x1740400 [00:42:0110] [PE] Init AhoCorasick [00:42:0110] [PE] Start AhoCorasick [00:42:0125] [PE] Looking results : 0 [00:42:0125] [PE] Section[1/4] : 0x17bd400 [00:42:0125] [PE] Init AhoCorasick [00:42:0125] [PE] Start AhoCorasick [00:42:0125] [PE] Looking results : 0 [00:42:0125] [PE] Section[2/4] : 0x17dda00 [00:42:0125] [PE] Init AhoCorasick [00:42:0125] [PE] Start AhoCorasick [00:42:0125] [PE] Looking results : 0 [00:42:0125] [PE] Section[3/4] : 0x17dde00 [00:42:0125] [PE] Init AhoCorasick [00:42:0125] [PE] Start AhoCorasick [00:42:0125] [PE] Looking results : 0 [00:42:0125] [PE] Section[4/4] : 0x17f3800 [00:42:0125] [PE] Init AhoCorasick [00:42:0125] [PE] Start AhoCorasick [00:42:0125] [PE] Looking results : 0 [00:42:0125] [CHECK] Blacklist [00:42:0125] [CHECK] BlacklistPath [00:42:0125] [CHECK] BlacklistMD5 [00:42:0125] [CHECK] MadeNumbers [00:42:0125] [CHECK] HasUnicode [00:42:0125] [CHECK] SuspPath [00:42:0125] [CHECK] ProcessResidue [00:42:0125] [CHECK] Not found! [00:42:0219] [Check Processes] [2552][_2492] explorer.exe : C:\WINDOWS\explorer.exe [00:42:0235] [Check DLLs] Explorer.EXE : C:\WINDOWS\Explorer.EXE [00:42:0235] [Check DLLs] ntdll.dll : C:\WINDOWS\system32\ntdll.dll [00:42:0235] [CHECK] WhiteDLL [00:42:0235] [Check DLLs] kernel32.dll : C:\WINDOWS\system32\kernel32.dll [00:42:0235] [CHECK] WhiteDLL [00:42:0235] [Check DLLs] ADVAPI32.dll : C:\WINDOWS\system32\ADVAPI32.dll [00:42:0235] [CHECK] WhiteDLL [00:42:0235] [Check DLLs] RPCRT4.dll : C:\WINDOWS\system32\RPCRT4.dll [00:42:0235] [CHECK] WhiteDLL [00:42:0235] [CHECK] Whitelist [00:42:0235] [CHECK] WellKnown [00:42:0235] [CHECK] WhitelistPath [00:42:0235] [CHECK] HijackName [00:42:0235] [CHECK] Signature [00:42:0297] [PE] Mapping [00:42:0297] [PE] Parsing [00:42:0297] [PE] Dos header -> 0x1740000 [00:42:0297] [PE] Nt header (offset : 0xe8) file size 0x90400 [00:42:0297] [PE] pNtHeadersx86 -> 0x17400e8 [00:42:0297] [PE] Chars -> 0x210e [00:42:0297] [PE] Optional header [00:42:0297] [PE] Sections : 5 [00:42:0297] [PE] Section : 0 - .text [00:42:0297] [PE] Section : 1 - .orpc [00:42:0297] [PE] Section : 2 - .data [00:42:0297] [PE] Section : 3 - .rsrc [00:42:0297] [PE] Section : 4 - .reloc [00:42:0297] [PE] File open : 1 [00:42:0297] [PE] Search sigs [00:42:0297] [PE] Section[0/4] : 0x1740400 [00:42:0297] [PE] Init AhoCorasick [00:42:0297] [PE] Start AhoCorasick [00:42:0313] [PE] Looking results : 0 [00:42:0313] [PE] Section[1/4] : 0x17c4200 [00:42:0313] [PE] Init AhoCorasick [00:42:0313] [PE] Start AhoCorasick [00:42:0313] [PE] Looking results : 0 [00:42:0313] [PE] Section[2/4] : 0x17cac00 [00:42:0313] [PE] Init AhoCorasick [00:42:0313] [PE] Start AhoCorasick [00:42:0313] [PE] Looking results : 0 [00:42:0313] [PE] Section[3/4] : 0x17cb800 [00:42:0313] [PE] Init AhoCorasick [00:42:0313] [PE] Start AhoCorasick [00:42:0313] [PE] Looking results : 0 [00:42:0313] [PE] Section[4/4] : 0x17cbe00 [00:42:0313] [PE] Init AhoCorasick [00:42:0313] [PE] Start AhoCorasick [00:42:0313] [PE] Looking results : 0 [00:42:0313] [CHECK] Blacklist [00:42:0313] [CHECK] BlacklistPath [00:42:0313] [CHECK] BlacklistMD5 [00:42:0313] [CHECK] MadeNumbers [00:42:0313] [CHECK] HasUnicode [00:42:0313] [CHECK] SuspPath [00:42:0313] [CHECK] ProcessResidue [00:42:0313] [CHECK] Not found! [00:42:0313] [Check DLLs] Secur32.dll : C:\WINDOWS\system32\Secur32.dll [00:42:0313] [CHECK] WhiteDLL [00:42:0313] [CHECK] Whitelist [00:42:0313] [CHECK] WellKnown [00:42:0313] [CHECK] WhitelistPath [00:42:0313] [CHECK] HijackName [00:42:0313] [CHECK] Signature [00:42:0391] [PE] Mapping [00:42:0391] [PE] Parsing [00:42:0391] [PE] Dos header -> 0x1740000 [00:42:0391] [PE] Nt header (offset : 0xe0) file size 0xde00 [00:42:0391] [PE] pNtHeadersx86 -> 0x17400e0 [00:42:0391] [PE] Chars -> 0x210e [00:42:0391] [PE] Optional header [00:42:0391] [PE] Sections : 4 [00:42:0391] [PE] Section : 0 - .text [00:42:0391] [PE] Section : 1 - .data [00:42:0391] [PE] Section : 2 - .rsrc [00:42:0391] [PE] Section : 3 - .reloc [00:42:0391] [PE] File open : 1 [00:42:0391] [PE] Search sigs [00:42:0391] [PE] Section[0/3] : 0x1740400 [00:42:0391] [PE] Init AhoCorasick [00:42:0391] [PE] Start AhoCorasick [00:42:0391] [PE] Looking results : 0 [00:42:0391] [PE] Section[1/3] : 0x174c800 [00:42:0391] [PE] Init AhoCorasick [00:42:0391] [PE] Start AhoCorasick [00:42:0391] [PE] Looking results : 0 [00:42:0391] [PE] Section[2/3] : 0x174ce00 [00:42:0391] [PE] Init AhoCorasick [00:42:0391] [PE] Start AhoCorasick [00:42:0391] [PE] Looking results : 0 [00:42:0391] [PE] Section[3/3] : 0x174d400 [00:42:0391] [PE] Init AhoCorasick [00:42:0391] [PE] Start AhoCorasick [00:42:0391] [PE] Looking results : 0 [00:42:0391] [CHECK] Blacklist [00:42:0391] [CHECK] BlacklistPath [00:42:0391] [CHECK] BlacklistMD5 [00:42:0391] [CHECK] MadeNumbers [00:42:0391] [CHECK] HasUnicode [00:42:0391] [CHECK] SuspPath [00:42:0391] [CHECK] ProcessResidue [00:42:0391] [CHECK] Not found! [00:42:0391] [Check DLLs] BROWSEUI.dll : C:\WINDOWS\system32\BROWSEUI.dll [00:42:0391] [CHECK] WhiteDLL [00:42:0391] [CHECK] Whitelist [00:42:0391] [CHECK] WellKnown [00:42:0391] [CHECK] WhitelistPath [00:42:0391] [CHECK] HijackName [00:42:0391] [CHECK] Signature [00:43:0110] [PE] Mapping [00:43:0110] [PE] Parsing [00:43:0110] [PE] Dos header -> 0x1740000 [00:43:0110] [PE] Nt header (offset : 0xf0) file size 0xfa400 [00:43:0110] [PE] pNtHeadersx86 -> 0x17400f0 [00:43:0110] [PE] Chars -> 0x210e [00:43:0110] [PE] Optional header [00:43:0110] [PE] Sections : 4 [00:43:0110] [PE] Section : 0 - .text [00:43:0110] [PE] Section : 1 - .data [00:43:0110] [PE] Section : 2 - .rsrc [00:43:0110] [PE] Section : 3 - .reloc [00:43:0110] [PE] File open : 1 [00:43:0110] [PE] Search sigs [00:43:0110] [PE] Section[0/3] : 0x1740400 [00:43:0110] [PE] Init AhoCorasick [00:43:0110] [PE] Start AhoCorasick [00:43:0125] [PE] Looking results : 0 [00:43:0125] [PE] Section[1/3] : 0x17c6200 [00:43:0125] [PE] Init AhoCorasick [00:43:0125] [PE] Start AhoCorasick [00:43:0125] [PE] Looking results : 0 [00:43:0125] [PE] Section[2/3] : 0x17c7000 [00:43:0125] [PE] Init AhoCorasick [00:43:0125] [PE] Start AhoCorasick [00:43:0141] [PE] Looking results : 0 [00:43:0141] [PE] Section[3/3] : 0x1832a00 [00:43:0141] [PE] Init AhoCorasick [00:43:0141] [PE] Start AhoCorasick [00:43:0141] [PE] Looking results : 0 [00:43:0141] [CHECK] Blacklist [00:43:0141] [CHECK] BlacklistPath [00:43:0141] [CHECK] BlacklistMD5 [00:43:0141] [CHECK] MadeNumbers [00:43:0141] [CHECK] HasUnicode [00:43:0141] [CHECK] SuspPath [00:43:0141] [CHECK] ProcessResidue [00:43:0141] [CHECK] Not found! [00:43:0141] [Check DLLs] GDI32.dll : C:\WINDOWS\system32\GDI32.dll [00:43:0141] [CHECK] WhiteDLL [00:43:0141] [CHECK] Whitelist [00:43:0141] [CHECK] WellKnown [00:43:0141] [CHECK] WhitelistPath [00:43:0141] [CHECK] HijackName [00:43:0141] [CHECK] Signature [00:43:0203] [PE] Mapping [00:43:0203] [PE] Parsing [00:43:0203] [PE] Dos header -> 0x1740000 [00:43:0203] [PE] Nt header (offset : 0xe0) file size 0x46000 [00:43:0203] [PE] pNtHeadersx86 -> 0x17400e0 [00:43:0203] [PE] Chars -> 0x210e [00:43:0203] [PE] Optional header [00:43:0203] [PE] Sections : 4 [00:43:0203] [PE] Section : 0 - .text [00:43:0203] [PE] Section : 1 - .data [00:43:0203] [PE] Section : 2 - .rsrc [00:43:0203] [PE] Section : 3 - .reloc [00:43:0203] [PE] File open : 1 [00:43:0203] [PE] Search sigs [00:43:0203] [PE] Section[0/3] : 0x1740400 [00:43:0203] [PE] Init AhoCorasick [00:43:0203] [PE] Start AhoCorasick [00:43:0203] [PE] Looking results : 0 [00:43:0203] [PE] Section[1/3] : 0x1783000 [00:43:0203] [PE] Init AhoCorasick [00:43:0203] [PE] Start AhoCorasick [00:43:0203] [PE] Looking results : 0 [00:43:0203] [PE] Section[2/3] : 0x1784200 [00:43:0203] [PE] Init AhoCorasick [00:43:0203] [PE] Start AhoCorasick [00:43:0203] [PE] Looking results : 0 [00:43:0203] [PE] Section[3/3] : 0x1784600 [00:43:0203] [PE] Init AhoCorasick [00:43:0203] [PE] Start AhoCorasick [00:43:0203] [PE] Looking results : 0 [00:43:0203] [CHECK] Blacklist [00:43:0203] [CHECK] BlacklistPath [00:43:0219] [CHECK] BlacklistMD5 [00:43:0219] [CHECK] MadeNumbers [00:43:0219] [CHECK] HasUnicode [00:43:0219] [CHECK] SuspPath [00:43:0219] [CHECK] ProcessResidue [00:43:0219] [CHECK] Not found! [00:43:0219] [Check DLLs] USER32.dll : C:\WINDOWS\system32\USER32.dll [00:43:0219] [CHECK] WhiteDLL [00:43:0219] [Check DLLs] msvcrt.dll : C:\WINDOWS\system32\msvcrt.dll [00:43:0219] [CHECK] WhiteDLL [00:43:0219] [CHECK] Whitelist [00:43:0219] [CHECK] WellKnown [00:43:0219] [CHECK] WhitelistPath [00:43:0219] [CHECK] HijackName [00:43:0219] [CHECK] Signature [00:43:0453] [PE] Mapping [00:43:0469] [PE] Parsing [00:43:0469] [PE] Dos header -> 0x1740000 [00:43:0469] [PE] Nt header (offset : 0xe8) file size 0x53c00 [00:43:0469] [PE] pNtHeadersx86 -> 0x17400e8 [00:43:0469] [PE] Chars -> 0x210e [00:43:0469] [PE] Optional header [00:43:0469] [PE] Sections : 4 [00:43:0469] [PE] Section : 0 - .text [00:43:0469] [PE] Section : 1 - .data [00:43:0469] [PE] Section : 2 - .rsrc [00:43:0469] [PE] Section : 3 - .reloc [00:43:0469] [PE] File open : 1 [00:43:0469] [PE] Search sigs [00:43:0469] [PE] Section[0/3] : 0x1740400 [00:43:0469] [PE] Init AhoCorasick [00:43:0469] [PE] Start AhoCorasick [00:43:0469] [PE] Looking results : 0 [00:43:0469] [PE] Section[1/3] : 0x178c200 [00:43:0469] [PE] Init AhoCorasick [00:43:0469] [PE] Start AhoCorasick [00:43:0469] [PE] Looking results : 0 [00:43:0469] [PE] Section[2/3] : 0x1790a00 [00:43:0469] [PE] Init AhoCorasick [00:43:0469] [PE] Start AhoCorasick [00:43:0469] [PE] Looking results : 0 [00:43:0469] [PE] Section[3/3] : 0x1790e00 [00:43:0469] [PE] Init AhoCorasick [00:43:0469] [PE] Start AhoCorasick [00:43:0469] [PE] Looking results : 0 [00:43:0469] [CHECK] Blacklist [00:43:0469] [CHECK] BlacklistPath [00:43:0469] [CHECK] BlacklistMD5 [00:43:0469] [CHECK] MadeNumbers [00:43:0469] [CHECK] HasUnicode [00:43:0469] [CHECK] SuspPath [00:43:0469] [CHECK] ProcessResidue [00:43:0469] [CHECK] Not found! [00:43:0485] [Check DLLs] ole32.dll : C:\WINDOWS\system32\ole32.dll [00:43:0485] [CHECK] WhiteDLL [00:43:0485] [CHECK] Whitelist [00:43:0485] [CHECK] WellKnown [00:43:0485] [CHECK] WhitelistPath [00:43:0485] [CHECK] HijackName [00:43:0485] [CHECK] Signature [00:44:0250] [PE] Mapping [00:44:0250] [PE] Parsing [00:44:0250] [PE] Dos header -> 0x27e0000 [00:44:0250] [PE] Nt header (offset : 0xe8) file size 0x13a800 [00:44:0250] [PE] pNtHeadersx86 -> 0x27e00e8 [00:44:0250] [PE] Chars -> 0x210e [00:44:0250] [PE] Optional header [00:44:0250] [PE] Sections : 5 [00:44:0250] [PE] Section : 0 - .text [00:44:0250] [PE] Section : 1 - .orpc [00:44:0250] [PE] Section : 2 - .data [00:44:0250] [PE] Section : 3 - .rsrc [00:44:0250] [PE] Section : 4 - .reloc [00:44:0250] [PE] File open : 1 [00:44:0250] [PE] Search sigs [00:44:0250] [PE] Section[0/4] : 0x27e0400 [00:44:0250] [PE] Init AhoCorasick [00:44:0250] [PE] Start AhoCorasick [00:44:0282] [PE] Looking results : 0 [00:44:0282] [PE] Section[1/4] : 0x28ff600 [00:44:0282] [PE] Init AhoCorasick [00:44:0282] [PE] Start AhoCorasick [00:44:0282] [PE] Looking results : 0 [00:44:0282] [PE] Section[2/4] : 0x2905600 [00:44:0282] [PE] Init AhoCorasick [00:44:0282] [PE] Start AhoCorasick [00:44:0282] [PE] Looking results : 0 [00:44:0282] [PE] Section[3/4] : 0x290bc00 [00:44:0282] [PE] Init AhoCorasick [00:44:0282] [PE] Start AhoCorasick [00:44:0282] [PE] Looking results : 0 [00:44:0282] [PE] Section[4/4] : 0x290d600 [00:44:0282] [PE] Init AhoCorasick [00:44:0282] [PE] Start AhoCorasick [00:44:0282] [PE] Looking results : 0 [00:44:0282] [CHECK] Blacklist [00:44:0297] [CHECK] BlacklistPath [00:44:0297] [CHECK] BlacklistMD5 [00:44:0297] [CHECK] MadeNumbers [00:44:0297] [CHECK] HasUnicode [00:44:0297] [CHECK] SuspPath [00:44:0297] [CHECK] ProcessResidue [00:44:0297] [CHECK] Not found! [00:44:0297] [Check DLLs] SHLWAPI.dll : C:\WINDOWS\system32\SHLWAPI.dll [00:44:0297] [CHECK] WhiteDLL [00:44:0297] [CHECK] Whitelist [00:44:0297] [CHECK] WellKnown [00:44:0297] [CHECK] WhitelistPath [00:44:0297] [CHECK] HijackName [00:44:0297] [CHECK] Signature [00:44:0344] [PE] Mapping [00:44:0344] [PE] Parsing [00:44:0344] [PE] Dos header -> 0x1740000 [00:44:0344] [PE] Nt header (offset : 0xf8) file size 0x73c00 [00:44:0344] [PE] pNtHeadersx86 -> 0x17400f8 [00:44:0344] [PE] Chars -> 0x210e [00:44:0344] [PE] Optional header [00:44:0344] [PE] Sections : 4 [00:44:0360] [PE] Section : 0 - .text [00:44:0360] [PE] Section : 1 - .data [00:44:0360] [PE] Section : 2 - .rsrc [00:44:0360] [PE] Section : 3 - .reloc [00:44:0360] [PE] File open : 1 [00:44:0360] [PE] Search sigs [00:44:0360] [PE] Section[0/3] : 0x1740400 [00:44:0360] [PE] Init AhoCorasick [00:44:0360] [PE] Start AhoCorasick [00:44:0360] [PE] Looking results : 0 [00:44:0360] [PE] Section[1/3] : 0x17ac000 [00:44:0360] [PE] Init AhoCorasick [00:44:0360] [PE] Start AhoCorasick [00:44:0360] [PE] Looking results : 0 [00:44:0360] [PE] Section[2/3] : 0x17acc00 [00:44:0360] [PE] Init AhoCorasick [00:44:0360] [PE] Start AhoCorasick [00:44:0360] [PE] Looking results : 0 [00:44:0360] [PE] Section[3/3] : 0x17ae200 [00:44:0360] [PE] Init AhoCorasick [00:44:0360] [PE] Start AhoCorasick [00:44:0360] [PE] Looking results : 0 [00:44:0360] [CHECK] Blacklist [00:44:0360] [CHECK] BlacklistPath [00:44:0360] [CHECK] BlacklistMD5 [00:44:0360] [CHECK] MadeNumbers [00:44:0375] [CHECK] HasUnicode [00:44:0375] [CHECK] SuspPath [00:44:0375] [CHECK] ProcessResidue [00:44:0375] [CHECK] Not found! [00:44:0375] [Check DLLs] OLEAUT32.dll : C:\WINDOWS\system32\OLEAUT32.dll [00:44:0375] [CHECK] WhiteDLL [00:44:0375] [CHECK] Whitelist [00:44:0375] [CHECK] WellKnown [00:44:0375] [CHECK] WhitelistPath [00:44:0375] [CHECK] HijackName [00:44:0375] [CHECK] Signature [00:44:0407] [PE] Mapping [00:44:0407] [PE] Parsing [00:44:0407] [PE] Dos header -> 0x1740000 [00:44:0407] [PE] Nt header (offset : 0xe8) file size 0x86c00 [00:44:0407] [PE] pNtHeadersx86 -> 0x17400e8 [00:44:0407] [PE] Chars -> 0x210e [00:44:0407] [PE] Optional header [00:44:0407] [PE] Sections : 5 [00:44:0407] [PE] Section : 0 - .text [00:44:0407] [PE] Section : 1 - .orpc [00:44:0407] [PE] Section : 2 - .data [00:44:0407] [PE] Section : 3 - .rsrc [00:44:0407] [PE] Section : 4 - .reloc [00:44:0407] [PE] File open : 1 [00:44:0407] [PE] Search sigs [00:44:0407] [PE] Section[0/4] : 0x1740400 [00:44:0407] [PE] Init AhoCorasick [00:44:0407] [PE] Start AhoCorasick [00:44:0422] [PE] Looking results : 0 [00:44:0422] [PE] Section[1/4] : 0x17bee00 [00:44:0422] [PE] Init AhoCorasick [00:44:0422] [PE] Start AhoCorasick [00:44:0422] [PE] Looking results : 0 [00:44:0422] [PE] Section[2/4] : 0x17bf200 [00:44:0422] [PE] Init AhoCorasick [00:44:0422] [PE] Start AhoCorasick [00:44:0422] [PE] Looking results : 0 [00:44:0422] [PE] Section[3/4] : 0x17c1200 [00:44:0422] [PE] Init AhoCorasick [00:44:0422] [PE] Start AhoCorasick [00:44:0422] [PE] Looking results : 0 [00:44:0422] [PE] Section[4/4] : 0x17c1600 [00:44:0422] [PE] Init AhoCorasick [00:44:0422] [PE] Start AhoCorasick [00:44:0422] [PE] Looking results : 0 [00:44:0422] [CHECK] Blacklist [00:44:0422] [CHECK] BlacklistPath [00:44:0422] [CHECK] BlacklistMD5 [00:44:0422] [CHECK] MadeNumbers [00:44:0422] [CHECK] HasUnicode [00:44:0422] [CHECK] SuspPath [00:44:0422] [CHECK] ProcessResidue [00:44:0422] [CHECK] Not found! [00:44:0422] [Check DLLs] SHDOCVW.dll : C:\WINDOWS\system32\SHDOCVW.dll [00:44:0422] [CHECK] WhiteDLL [00:44:0422] [CHECK] Whitelist [00:44:0422] [CHECK] WellKnown [00:44:0422] [CHECK] WhitelistPath [00:44:0422] [CHECK] HijackName [00:44:0422] [CHECK] Signature [00:45:0547] [PE] Mapping [00:45:0547] [PE] Parsing [00:45:0547] [PE] Dos header -> 0x27e0000 [00:45:0547] [PE] Nt header (offset : 0xf0) file size 0x16e000

#4 krptd

New Member

Authentic Member
5 posts

Posted 30 August 2013 - 08:17 AM

[00:45:0547] [PE] pNtHeadersx86 -> 0x27e00f0 [00:45:0547] [PE] Chars -> 0x210e [00:45:0547] [PE] Optional header [00:45:0547] [PE] Sections : 4 [00:45:0547] [PE] Section : 0 - .text [00:45:0547] [PE] Section : 1 - .data [00:45:0547] [PE] Section : 2 - .rsrc [00:45:0547] [PE] Section : 3 - .reloc [00:45:0547] [PE] File open : 1 [00:45:0547] [PE] Search sigs [00:45:0547] [PE] Section[0/3] : 0x27e0400 [00:45:0547] [PE] Init AhoCorasick [00:45:0547] [PE] Start AhoCorasick [00:45:0578] [PE] Looking results : 0 [00:45:0578] [PE] Section[1/3] : 0x28b8a00 [00:45:0578] [PE] Init AhoCorasick [00:45:0578] [PE] Start AhoCorasick [00:45:0578] [PE] Looking results : 0 [00:45:0578] [PE] Section[2/3] : 0x28ba200 [00:45:0578] [PE] Init AhoCorasick [00:45:0578] [PE] Start AhoCorasick [00:45:0578] [PE] Looking results : 0 [00:45:0578] [PE] Section[3/3] : 0x2942e00 [00:45:0578] [PE] Init AhoCorasick [00:45:0578] [PE] Start AhoCorasick [00:45:0578] [PE] Looking results : 0 [00:45:0578] [CHECK] Blacklist [00:45:0578] [CHECK] BlacklistPath [00:45:0578] [CHECK] BlacklistMD5 [00:45:0578] [CHECK] MadeNumbers [00:45:0578] [CHECK] HasUnicode [00:45:0578] [CHECK] SuspPath [00:45:0578] [CHECK] ProcessResidue [00:45:0578] [CHECK] Not found! [00:45:0594] [Check DLLs] CRYPT32.dll : C:\WINDOWS\system32\CRYPT32.dll [00:45:0594] [CHECK] WhiteDLL [00:45:0594] [CHECK] Whitelist [00:45:0594] [CHECK] WellKnown [00:45:0594] [CHECK] WhitelistPath [00:45:0594] [CHECK] HijackName [00:45:0594] [CHECK] Signature [00:45:0641] [PE] Mapping [00:45:0641] [PE] Parsing [00:45:0641] [PE] Dos header -> 0x1740000 [00:45:0641] [PE] Nt header (offset : 0xf0) file size 0x92400 [00:45:0641] [PE] pNtHeadersx86 -> 0x17400f0 [00:45:0641] [PE] Chars -> 0x210e [00:45:0657] [PE] Optional header [00:45:0657] [PE] Sections : 4 [00:45:0657] [PE] Section : 0 - .text [00:45:0657] [PE] Section : 1 - .data [00:45:0657] [PE] Section : 2 - .rsrc [00:45:0657] [PE] Section : 3 - .reloc [00:45:0657] [PE] File open : 1 [00:45:0657] [PE] Search sigs [00:45:0657] [PE] Section[0/3] : 0x1740400 [00:45:0657] [PE] Init AhoCorasick [00:45:0657] [PE] Start AhoCorasick [00:45:0657] [PE] Looking results : 0 [00:45:0657] [PE] Section[1/3] : 0x17c4800 [00:45:0657] [PE] Init AhoCorasick [00:45:0657] [PE] Start AhoCorasick [00:45:0657] [PE] Looking results : 0 [00:45:0657] [PE] Section[2/3] : 0x17c6c00 [00:45:0672] [PE] Init AhoCorasick [00:45:0672] [PE] Start AhoCorasick [00:45:0672] [PE] Looking results : 0 [00:45:0672] [PE] Section[3/3] : 0x17cd400 [00:45:0672] [PE] Init AhoCorasick [00:45:0672] [PE] Start AhoCorasick [00:45:0672] [PE] Looking results : 0 [00:45:0672] [CHECK] Blacklist [00:45:0672] [CHECK] BlacklistPath [00:45:0672] [CHECK] BlacklistMD5 [00:45:0672] [CHECK] MadeNumbers [00:45:0672] [CHECK] HasUnicode [00:45:0672] [CHECK] SuspPath [00:45:0672] [CHECK] ProcessResidue [00:45:0672] [CHECK] Not found! [00:45:0672] [Check DLLs] MSASN1.dll : C:\WINDOWS\system32\MSASN1.dll [00:45:0672] [CHECK] WhiteDLL [00:45:0672] [CHECK] Whitelist [00:45:0672] [CHECK] WellKnown [00:45:0672] [CHECK] WhitelistPath [00:45:0672] [CHECK] HijackName [00:45:0672] [CHECK] Signature [00:45:0672] [PE] Mapping [00:45:0672] [PE] Parsing [00:45:0672] [PE] Dos header -> 0x1740000 [00:45:0672] [PE] Nt header (offset : 0xd8) file size 0xe600 [00:45:0672] [PE] pNtHeadersx86 -> 0x17400d8 [00:45:0672] [PE] Chars -> 0x210e [00:45:0672] [PE] Optional header [00:45:0672] [PE] Sections : 4 [00:45:0672] [PE] Section : 0 - .text [00:45:0672] [PE] Section : 1 - .data [00:45:0672] [PE] Section : 2 - .rsrc [00:45:0672] [PE] Section : 3 - .reloc [00:45:0672] [PE] File open : 1 [00:45:0672] [PE] Search sigs [00:45:0672] [PE] Section[0/3] : 0x1740400 [00:45:0672] [PE] Init AhoCorasick [00:45:0672] [PE] Start AhoCorasick [00:45:0672] [PE] Looking results : 0 [00:45:0672] [PE] Section[1/3] : 0x174dc00 [00:45:0672] [PE] Init AhoCorasick [00:45:0688] [PE] Start AhoCorasick [00:45:0688] [PE] Looking results : 0 [00:45:0688] [PE] Section[2/3] : 0x174de00 [00:45:0688] [PE] Init AhoCorasick [00:45:0688] [PE] Start AhoCorasick [00:45:0688] [PE] Looking results : 0 [00:45:0688] [PE] Section[3/3] : 0x174e200 [00:45:0688] [PE] Init AhoCorasick [00:45:0688] [PE] Start AhoCorasick [00:45:0688] [PE] Looking results : 0 [00:45:0688] [CHECK] Blacklist [00:45:0688] [CHECK] BlacklistPath [00:45:0688] [CHECK] BlacklistMD5 [00:45:0688] [CHECK] MadeNumbers [00:45:0688] [CHECK] HasUnicode [00:45:0688] [CHECK] SuspPath [00:45:0688] [CHECK] ProcessResidue [00:45:0688] [CHECK] Not found! [00:45:0688] [Check DLLs] CRYPTUI.dll : C:\WINDOWS\system32\CRYPTUI.dll [00:45:0688] [CHECK] WhiteDLL [00:45:0688] [CHECK] Whitelist [00:45:0688] [CHECK] WellKnown [00:45:0688] [CHECK] WhitelistPath [00:45:0688] [CHECK] HijackName [00:45:0688] [CHECK] Signature [00:45:0719] [PE] Mapping [00:45:0719] [PE] Parsing [00:45:0719] [PE] Dos header -> 0x1740000 [00:45:0719] [PE] Nt header (offset : 0xe8) file size 0x7d200 [00:45:0735] [PE] pNtHeadersx86 -> 0x17400e8 [00:45:0735] [PE] Chars -> 0x210e [00:45:0735] [PE] Optional header [00:45:0735] [PE] Sections : 4 [00:45:0735] [PE] Section : 0 - .text [00:45:0735] [PE] Section : 1 - .data [00:45:0735] [PE] Section : 2 - .rsrc [00:45:0735] [PE] Section : 3 - .reloc [00:45:0735] [PE] File open : 1 [00:45:0735] [PE] Search sigs [00:45:0735] [PE] Section[0/3] : 0x1740400 [00:45:0735] [PE] Init AhoCorasick [00:45:0735] [PE] Start AhoCorasick [00:45:0735] [PE] Looking results : 0 [00:45:0735] [PE] Section[1/3] : 0x1787800 [00:45:0735] [PE] Init AhoCorasick [00:45:0735] [PE] Start AhoCorasick [00:45:0735] [PE] Looking results : 0 [00:45:0735] [PE] Section[2/3] : 0x1787c00 [00:45:0735] [PE] Init AhoCorasick [00:45:0735] [PE] Start AhoCorasick [00:45:0735] [PE] Looking results : 0 [00:45:0735] [PE] Section[3/3] : 0x17ba600 [00:45:0735] [PE] Init AhoCorasick [00:45:0750] [PE] Start AhoCorasick [00:45:0750] [PE] Looking results : 0 [00:45:0750] [CHECK] Blacklist [00:45:0750] [CHECK] BlacklistPath [00:45:0750] [CHECK] BlacklistMD5 [00:45:0750] [CHECK] MadeNumbers [00:45:0750] [CHECK] HasUnicode [00:45:0750] [CHECK] SuspPath [00:45:0750] [CHECK] ProcessResidue [00:45:0750] [CHECK] Not found! [00:45:0750] [Check DLLs] NETAPI32.dll : C:\WINDOWS\system32\NETAPI32.dll [00:45:0750] [CHECK] WhiteDLL [00:45:0750] [CHECK] Whitelist [00:45:0750] [CHECK] WellKnown [00:45:0750] [CHECK] WhitelistPath [00:45:0750] [CHECK] HijackName [00:45:0750] [CHECK] Signature [00:45:0813] [PE] Mapping [00:45:0813] [PE] Parsing [00:45:0813] [PE] Dos header -> 0x1740000 [00:45:0813] [PE] Nt header (offset : 0xe0) file size 0x52600 [00:45:0813] [PE] pNtHeadersx86 -> 0x17400e0 [00:45:0813] [PE] Chars -> 0x210e [00:45:0813] [PE] Optional header [00:45:0813] [PE] Sections : 4 [00:45:0813] [PE] Section : 0 - .text [00:45:0813] [PE] Section : 1 - .data [00:45:0813] [PE] Section : 2 - .rsrc [00:45:0813] [PE] Section : 3 - .reloc [00:45:0813] [PE] File open : 1 [00:45:0813] [PE] Search sigs [00:45:0813] [PE] Section[0/3] : 0x1740400 [00:45:0813] [PE] Init AhoCorasick [00:45:0813] [PE] Start AhoCorasick [00:45:0828] [PE] Looking results : 0 [00:45:0828] [PE] Section[1/3] : 0x178d000 [00:45:0828] [PE] Init AhoCorasick [00:45:0828] [PE] Start AhoCorasick [00:45:0828] [PE] Looking results : 0 [00:45:0828] [PE] Section[2/3] : 0x178f800 [00:45:0828] [PE] Init AhoCorasick [00:45:0828] [PE] Start AhoCorasick [00:45:0828] [PE] Looking results : 0 [00:45:0828] [PE] Section[3/3] : 0x178fc00 [00:45:0828] [PE] Init AhoCorasick [00:45:0828] [PE] Start AhoCorasick [00:45:0828] [PE] Looking results : 0 [00:45:0828] [CHECK] Blacklist [00:45:0828] [CHECK] BlacklistPath [00:45:0828] [CHECK] BlacklistMD5 [00:45:0828] [CHECK] MadeNumbers [00:45:0828] [CHECK] HasUnicode [00:45:0828] [CHECK] SuspPath [00:45:0828] [CHECK] ProcessResidue [00:45:0828] [CHECK] Not found! [00:45:0828] [Check DLLs] VERSION.dll : C:\WINDOWS\system32\VERSION.dll [00:45:0828] [CHECK] WhiteDLL [00:45:0828] [CHECK] Whitelist [00:45:0828] [CHECK] WellKnown [00:45:0828] [CHECK] WhitelistPath [00:45:0828] [CHECK] HijackName [00:45:0828] [CHECK] Signature [00:45:0938] [PE] Mapping [00:45:0938] [PE] Parsing [00:45:0938] [PE] Dos header -> 0x1740000 [00:45:0938] [PE] Nt header (offset : 0xd8) file size 0x4a00 [00:45:0938] [PE] pNtHeadersx86 -> 0x17400d8 [00:45:0938] [PE] Chars -> 0x210e [00:45:0938] [PE] Optional header [00:45:0938] [PE] Sections : 4 [00:45:0938] [PE] Section : 0 - .text [00:45:0938] [PE] Section : 1 - .data [00:45:0938] [PE] Section : 2 - .rsrc [00:45:0938] [PE] Section : 3 - .reloc [00:45:0938] [PE] File open : 1 [00:45:0938] [PE] Search sigs [00:45:0938] [PE] Section[0/3] : 0x1740400 [00:45:0938] [PE] Init AhoCorasick [00:45:0938] [PE] Start AhoCorasick [00:45:0938] [PE] Looking results : 0 [00:45:0938] [PE] Section[1/3] : 0x1743e00 [00:45:0938] [PE] Init AhoCorasick [00:45:0938] [PE] Start AhoCorasick [00:45:0938] [PE] Looking results : 0 [00:45:0938] [PE] Section[2/3] : 0x1744000 [00:45:0938] [PE] Init AhoCorasick [00:45:0938] [PE] Start AhoCorasick [00:45:0938] [PE] Looking results : 0 [00:45:0938] [PE] Section[3/3] : 0x1744600 [00:45:0938] [PE] Init AhoCorasick [00:45:0938] [PE] Start AhoCorasick [00:45:0938] [PE] Looking results : 0 [00:45:0938] [CHECK] Blacklist [00:45:0938] [CHECK] BlacklistPath [00:45:0938] [CHECK] BlacklistMD5 [00:45:0938] [CHECK] MadeNumbers [00:45:0938] [CHECK] HasUnicode [00:45:0938] [CHECK] SuspPath [00:45:0938] [CHECK] ProcessResidue [00:45:0938] [CHECK] Not found! [00:45:0938] [Check DLLs] WININET.dll : C:\WINDOWS\system32\WININET.dll [00:45:0938] [CHECK] WhiteDLL [00:45:0938] [CHECK] Whitelist [00:45:0938] [CHECK] WellKnown [00:45:0938] [CHECK] WhitelistPath [00:45:0938] [CHECK] HijackName [00:45:0938] [CHECK] Signature [00:46:0485] [PE] Mapping [00:46:0485] [PE] Parsing [00:46:0485] [PE] Dos header -> 0x1740000 [00:46:0485] [PE] Nt header (offset : 0xf8) file size 0xdfc00 [00:46:0485] [PE] pNtHeadersx86 -> 0x17400f8 [00:46:0485] [PE] Chars -> 0x2102 [00:46:0500] [PE] Optional header [00:46:0500] [PE] Sections : 4 [00:46:0500] [PE] Section : 0 - .text [00:46:0500] [PE] Section : 1 - .data [00:46:0500] [PE] Section : 2 - .rsrc [00:46:0500] [PE] Section : 3 - .reloc [00:46:0500] [PE] File open : 1 [00:46:0500] [PE] Search sigs [00:46:0500] [PE] Section[0/3] : 0x1740400 [00:46:0500] [PE] Init AhoCorasick [00:46:0500] [PE] Start AhoCorasick [00:46:0516] [PE] Looking results : 0 [00:46:0516] [PE] Section[1/3] : 0x17efe00 [00:46:0516] [PE] Init AhoCorasick [00:46:0516] [PE] Start AhoCorasick [00:46:0516] [PE] Looking results : 0 [00:46:0516] [PE] Section[2/3] : 0x17f3200 [00:46:0516] [PE] Init AhoCorasick [00:46:0516] [PE] Start AhoCorasick [00:46:0516] [PE] Looking results : 0 [00:46:0516] [PE] Section[3/3] : 0x1819400 [00:46:0516] [PE] Init AhoCorasick [00:46:0516] [PE] Start AhoCorasick [00:46:0516] [PE] Looking results : 0 [00:46:0516] [CHECK] Blacklist [00:46:0516] [CHECK] BlacklistPath [00:46:0516] [CHECK] BlacklistMD5 [00:46:0516] [CHECK] MadeNumbers [00:46:0516] [CHECK] HasUnicode [00:46:0516] [CHECK] SuspPath [00:46:0516] [CHECK] ProcessResidue [00:46:0516] [CHECK] Not found! [00:46:0516] [Check DLLs] Normaliz.dll : C:\WINDOWS\system32\Normaliz.dll [00:46:0516] [CHECK] WhiteDLL [00:46:0516] [CHECK] Whitelist [00:46:0516] [CHECK] WellKnown [00:46:0516] [CHECK] WhitelistPath [00:46:0516] [CHECK] HijackName [00:46:0516] [CHECK] Signature [00:46:0578] [PE] Mapping [00:46:0578] [PE] Parsing [00:46:0578] [PE] Dos header -> 0x1740000 [00:46:0578] [PE] Nt header (offset : 0xe8) file size 0x5c00 [00:46:0578] [PE] pNtHeadersx86 -> 0x17400e8 [00:46:0578] [PE] Chars -> 0x2102 [00:46:0578] [PE] Optional header [00:46:0578] [PE] Sections : 4 [00:46:0578] [PE] Section : 0 - .text [00:46:0578] [PE] Section : 1 - .data [00:46:0578] [PE] Section : 2 - .rsrc [00:46:0578] [PE] Section : 3 - .reloc [00:46:0578] [PE] File open : 1 [00:46:0578] [PE] Search sigs [00:46:0578] [PE] Section[0/3] : 0x1740400 [00:46:0578] [PE] Init AhoCorasick [00:46:0578] [PE] Start AhoCorasick [00:46:0578] [PE] Looking results : 0 [00:46:0578] [PE] Section[1/3] : 0x1744e00 [00:46:0578] [PE] Init AhoCorasick [00:46:0578] [PE] Start AhoCorasick [00:46:0578] [PE] Looking results : 0 [00:46:0578] [PE] Section[2/3] : 0x1745200 [00:46:0578] [PE] Init AhoCorasick [00:46:0578] [PE] Start AhoCorasick [00:46:0578] [PE] Looking results : 0 [00:46:0578] [PE] Section[3/3] : 0x1745600 [00:46:0578] [PE] Init AhoCorasick [00:46:0578] [PE] Start AhoCorasick [00:46:0578] [PE] Looking results : 0 [00:46:0578] [CHECK] Blacklist [00:46:0578] [CHECK] BlacklistPath [00:46:0578] [CHECK] BlacklistMD5 [00:46:0578] [CHECK] MadeNumbers [00:46:0578] [CHECK] HasUnicode [00:46:0578] [CHECK] SuspPath [00:46:0578] [CHECK] ProcessResidue [00:46:0578] [CHECK] Not found! [00:46:0578] [Check DLLs] urlmon.dll : C:\WINDOWS\system32\urlmon.dll [00:46:0578] [CHECK] WhiteDLL [00:46:0578] [CHECK] Whitelist [00:46:0578] [CHECK] WellKnown [00:46:0594] [CHECK] WhitelistPath [00:46:0594] [CHECK] HijackName [00:46:0594] [CHECK] Signature [00:46:0672] [PE] Mapping [00:46:0672] [PE] Parsing [00:46:0672] [PE] Dos header -> 0x27e0000 [00:46:0672] [PE] Nt header (offset : 0xe8) file size 0x127a00 [00:46:0672] [PE] pNtHeadersx86 -> 0x27e00e8 [00:46:0672] [PE] Chars -> 0x2102 [00:46:0672] [PE] Optional header [00:46:0672] [PE] Sections : 5 [00:46:0672] [PE] Section : 0 - .text [00:46:0672] [PE] Section : 1 - .orpc [00:46:0672] [PE] Section : 2 - .data [00:46:0672] [PE] Section : 3 - .rsrc [00:46:0672] [PE] Section : 4 - .reloc [00:46:0672] [PE] File open : 1 [00:46:0672] [PE] Search sigs [00:46:0672] [PE] Section[0/4] : 0x27e0400 [00:46:0672] [PE] Init AhoCorasick [00:46:0672] [PE] Start AhoCorasick [00:46:0688] [PE] Looking results : 0 [00:46:0688] [PE] Section[1/4] : 0x28a6800 [00:46:0688] [PE] Init AhoCorasick [00:46:0703] [PE] Start AhoCorasick [00:46:0703] [PE] Looking results : 0 [00:46:0703] [PE] Section[2/4] : 0x28a7a00 [00:46:0703] [PE] Init AhoCorasick [00:46:0703] [PE] Start AhoCorasick [00:46:0703] [PE] Looking results : 0 [00:46:0703] [PE] Section[3/4] : 0x28ab600 [00:46:0703] [PE] Init AhoCorasick [00:46:0703] [PE] Start AhoCorasick [00:46:0703] [PE] Looking results : 0 [00:46:0703] [PE] Section[4/4] : 0x2900200 [00:46:0703] [PE] Init AhoCorasick [00:46:0703] [PE] Start AhoCorasick [00:46:0703] [PE] Looking results : 0 [00:46:0703] [CHECK] Blacklist [00:46:0703] [CHECK] BlacklistPath [00:46:0703] [CHECK] BlacklistMD5 [00:46:0703] [CHECK] MadeNumbers [00:46:0703] [CHECK] HasUnicode [00:46:0703] [CHECK] SuspPath [00:46:0703] [CHECK] ProcessResidue [00:46:0703] [CHECK] Not found! [00:46:0703] [Check DLLs] iertutil.dll : C:\WINDOWS\system32\iertutil.dll [00:46:0703] [CHECK] WhiteDLL [00:46:0703] [CHECK] Whitelist [00:46:0703] [CHECK] WellKnown [00:46:0703] [CHECK] WhitelistPath [00:46:0703] [CHECK] HijackName [00:46:0703] [CHECK] Signature [00:47:0344] [PE] Mapping [00:47:0344] [PE] Parsing [00:47:0344] [PE] Dos header -> 0x27e0000 [00:47:0344] [PE] Nt header (offset : 0xe8) file size 0x1e6400 [00:47:0344] [PE] pNtHeadersx86 -> 0x27e00e8 [00:47:0344] [PE] Chars -> 0x2102 [00:47:0344] [PE] Optional header [00:47:0344] [PE] Sections : 4 [00:47:0360] [PE] Section : 0 - .text [00:47:0360] [PE] Section : 1 - .data [00:47:0360] [PE] Section : 2 - .rsrc [00:47:0360] [PE] Section : 3 - .reloc [00:47:0360] [PE] File open : 1 [00:47:0360] [PE] Search sigs [00:47:0360] [PE] Section[0/3] : 0x27e0400 [00:47:0360] [PE] Init AhoCorasick [00:47:0360] [PE] Start AhoCorasick [00:47:0391] [PE] Looking results : 0 [00:47:0391] [PE] Section[1/3] : 0x29aae00 [00:47:0391] [PE] Init AhoCorasick [00:47:0391] [PE] Start AhoCorasick [00:47:0391] [PE] Looking results : 0 [00:47:0391] [PE] Section[2/3] : 0x29af000 [00:47:0391] [PE] Init AhoCorasick [00:47:0391] [PE] Start AhoCorasick [00:47:0391] [PE] Looking results : 0 [00:47:0391] [PE] Section[3/3] : 0x29af600 [00:47:0391] [PE] Init AhoCorasick [00:47:0391] [PE] Start AhoCorasick [00:47:0391] [PE] Looking results : 0 [00:47:0391] [CHECK] Blacklist [00:47:0391] [CHECK] BlacklistPath [00:47:0391] [CHECK] BlacklistMD5 [00:47:0391] [CHECK] MadeNumbers [00:47:0391] [CHECK] HasUnicode [00:47:0391] [CHECK] SuspPath [00:47:0391] [CHECK] ProcessResidue [00:47:0391] [CHECK] Not found! [00:47:0391] [Check DLLs] WINTRUST.dll : C:\WINDOWS\system32\WINTRUST.dll [00:47:0391] [CHECK] WhiteDLL [00:47:0391] [CHECK] Whitelist [00:47:0391] [CHECK] WellKnown [00:47:0391] [CHECK] WhitelistPath [00:47:0391] [CHECK] HijackName [00:47:0391] [CHECK] Signature [00:47:0453] [PE] Mapping [00:47:0453] [PE] Parsing [00:47:0453] [PE] Dos header -> 0x1740000 [00:47:0453] [PE] Nt header (offset : 0xf0) file size 0x2b600 [00:47:0453] [PE] pNtHeadersx86 -> 0x17400f0 [00:47:0453] [PE] Chars -> 0x210e [00:47:0453] [PE] Optional header [00:47:0453] [PE] Sections : 4 [00:47:0453] [PE] Section : 0 - .text [00:47:0453] [PE] Section : 1 - .data [00:47:0453] [PE] Section : 2 - .rsrc [00:47:0453] [PE] Section : 3 - .reloc [00:47:0453] [PE] File open : 1 [00:47:0453] [PE] Search sigs [00:47:0453] [PE] Section[0/3] : 0x1740400 [00:47:0453] [PE] Init AhoCorasick [00:47:0453] [PE] Start AhoCorasick [00:47:0453] [PE] Looking results : 0 [00:47:0453] [PE] Section[1/3] : 0x1768c00 [00:47:0453] [PE] Init AhoCorasick [00:47:0453] [PE] Start AhoCorasick [00:47:0453] [PE] Looking results : 0 [00:47:0453] [PE] Section[2/3] : 0x1769000 [00:47:0453] [PE] Init AhoCorasick [00:47:0453] [PE] Start AhoCorasick [00:47:0453] [PE] Looking results : 0 [00:47:0453] [PE] Section[3/3] : 0x176a000 [00:47:0453] [PE] Init AhoCorasick [00:47:0453] [PE] Start AhoCorasick [00:47:0453] [PE] Looking results : 0 [00:47:0453] [CHECK] Blacklist [00:47:0453] [CHECK] BlacklistPath [00:47:0453] [CHECK] BlacklistMD5 [00:47:0453] [CHECK] MadeNumbers [00:47:0453] [CHECK] HasUnicode [00:47:0453] [CHECK] SuspPath [00:47:0453] [CHECK] ProcessResidue [00:47:0453] [CHECK] Not found! [00:47:0453] [Check DLLs] IMAGEHLP.dll : C:\WINDOWS\system32\IMAGEHLP.dll [00:47:0453] [CHECK] WhiteDLL [00:47:0453] [CHECK] Whitelist [00:47:0453] [CHECK] WellKnown [00:47:0453] [CHECK] WhitelistPath [00:47:0453] [CHECK] HijackName [00:47:0469] [CHECK] Signature [00:47:0672] [PE] Mapping [00:47:0735] [PE] Parsing [00:47:0735] [PE] Dos header -> 0x1740000 [00:47:0735] [PE] Nt header (offset : 0x108) file size 0x23400 [00:47:0735] [PE] pNtHeadersx86 -> 0x1740108 [00:47:0735] [PE] Chars -> 0x210e [00:47:0735] [PE] Optional header [00:47:0735] [PE] Sections : 4 [00:47:0735] [PE] Section : 0 - .text [00:47:0735] [PE] Section : 1 - .data [00:47:0735] [PE] Section : 2 - .rsrc [00:47:0735] [PE] Section : 3 - .reloc [00:47:0735] [PE] File open : 1 [00:47:0735] [PE] Search sigs [00:47:0735] [PE] Section[0/3] : 0x1740400 [00:47:0735] [PE] Init AhoCorasick [00:47:0735] [PE] Start AhoCorasick [00:47:0735] [PE] Looking results : 0 [00:47:0750] [PE] Section[1/3] : 0x1761600 [00:47:0750] [PE] Init AhoCorasick [00:47:0750] [PE] Start AhoCorasick [00:47:0750] [PE] Looking results : 0 [00:47:0750] [PE] Section[2/3] : 0x1761e00 [00:47:0750] [PE] Init AhoCorasick [00:47:0750] [PE] Start AhoCorasick [00:47:0750] [PE] Looking results : 0 [00:47:0750] [PE] Section[3/3] : 0x1762200 [00:47:0750] [PE] Init AhoCorasick [00:47:0750] [PE] Start AhoCorasick [00:47:0750] [PE] Looking results : 0 [00:47:0750] [CHECK] Blacklist [00:47:0750] [CHECK] BlacklistPath [00:47:0750] [CHECK] BlacklistMD5 [00:47:0750] [CHECK] MadeNumbers [00:47:0750] [CHECK] HasUnicode [00:47:0750] [CHECK] SuspPath [00:47:0750] [CHECK] ProcessResidue [00:47:0750] [CHECK] Not found! [00:47:0750] [Check DLLs] WLDAP32.dll : C:\WINDOWS\system32\WLDAP32.dll [00:47:0750] [CHECK] WhiteDLL [00:47:0750] [CHECK] Whitelist [00:47:0750] [CHECK] WellKnown [00:47:0750] [CHECK] WhitelistPath [00:47:0750] [CHECK] HijackName [00:47:0750] [CHECK] Signature [00:47:0782] [PE] Mapping [00:47:0782] [PE] Parsing [00:47:0782] [PE] Dos header -> 0x1740000 [00:47:0782] [PE] Nt header (offset : 0xf0) file size 0x2a000 [00:47:0782] [PE] pNtHeadersx86 -> 0x17400f0 [00:47:0782] [PE] Chars -> 0x210e [00:47:0782] [PE] Optional header [00:47:0782] [PE] Sections : 4 [00:47:0782] [PE] Section : 0 - .text [00:47:0782] [PE] Section : 1 - .data [00:47:0782] [PE] Section : 2 - .rsrc [00:47:0782] [PE] Section : 3 - .reloc [00:47:0782] [PE] File open : 1 [00:47:0782] [PE] Search sigs [00:47:0782] [PE] Section[0/3] : 0x1740400 [00:47:0782] [PE] Init AhoCorasick [00:47:0782] [PE] Start AhoCorasick [00:47:0782] [PE] Looking results : 0 [00:47:0782] [PE] Section[1/3] : 0x1760400 [00:47:0782] [PE] Init AhoCorasick [00:47:0782] [PE] Start AhoCorasick [00:47:0782] [PE] Looking results : 0 [00:47:0782] [PE] Section[2/3] : 0x1767c00 [00:47:0782] [PE] Init AhoCorasick [00:47:0782] [PE] Start AhoCorasick [00:47:0782] [PE] Looking results : 0 [00:47:0782] [PE] Section[3/3] : 0x1768c00 [00:47:0782] [PE] Init AhoCorasick [00:47:0782] [PE] Start AhoCorasick [00:47:0782] [PE] Looking results : 0 [00:47:0782] [CHECK] Blacklist [00:47:0797] [CHECK] BlacklistPath [00:47:0797] [CHECK] BlacklistMD5 [00:47:0797] [CHECK] MadeNumbers [00:47:0797] [CHECK] HasUnicode [00:47:0797] [CHECK] SuspPath [00:47:0797] [CHECK] ProcessResidue [00:47:0797] [CHECK] Not found! [00:47:0797] [Check DLLs] SHELL32.dll : C:\WINDOWS\system32\SHELL32.dll [00:47:0797] [CHECK] WhiteDLL [00:47:0797] [CHECK] Whitelist [00:47:0797] [CHECK] WellKnown [00:47:0797] [CHECK] WhitelistPath [00:47:0797] [CHECK] HijackName [00:47:0797] [CHECK] Signature [00:53:0532] [CHECK] Blacklist [00:53:0532] [CHECK] BlacklistPath [00:53:0532] [CHECK] BlacklistMD5 [00:53:0532] [CHECK] MadeNumbers [00:53:0532] [CHECK] HasUnicode [00:53:0532] [CHECK] SuspPath [00:53:0532] [CHECK] ProcessResidue [00:53:0532] [CHECK] Not found! [00:53:0532] [Check DLLs] UxTheme.dll : C:\WINDOWS\system32\UxTheme.dll [00:53:0532] [CHECK] WhiteDLL [00:53:0532] [CHECK] Whitelist [00:53:0532] [CHECK] WellKnown [00:53:0532] [CHECK] WhitelistPath [00:53:0547] [CHECK] HijackName [00:53:0547] [CHECK] Signature [00:53:0860] [PE] Mapping [00:53:0860] [PE] Parsing [00:53:0860] [PE] Dos header -> 0x1740000 [00:53:0860] [PE] Nt header (offset : 0xe8) file size 0x35600 [00:53:0860] [PE] pNtHeadersx86 -> 0x17400e8 [00:53:0860] [PE] Chars -> 0x210e [00:53:0860] [PE] Optional header [00:53:0860] [PE] Sections : 4 [00:53:0860] [PE] Section : 0 - .text [00:53:0860] [PE] Section : 1 - .data [00:53:0860] [PE] Section : 2 - .rsrc [00:53:0860] [PE] Section : 3 - .reloc [00:53:0860] [PE] File open : 1 [00:53:0860] [PE] Search sigs [00:53:0860] [PE] Section[0/3] : 0x1740400 [00:53:0860] [PE] Init AhoCorasick [00:53:0860] [PE] Start AhoCorasick [00:53:0860] [PE] Looking results : 0 [00:53:0907] [PE] Section[1/3] : 0x176f600 [00:53:0907] [PE] Init AhoCorasick [00:53:0907] [PE] Start AhoCorasick [00:53:0907] [PE] Looking results : 0 [00:53:0907] [PE] Section[2/3] : 0x1770600 [00:53:0907] [PE] Init AhoCorasick [00:53:0907] [PE] Start AhoCorasick [00:53:0907] [PE] Looking results : 0 [00:53:0907] [PE] Section[3/3] : 0x1773c00 [00:53:0907] [PE] Init AhoCorasick [00:53:0907] [PE] Start AhoCorasick [00:53:0907] [PE] Looking results : 0 [00:53:0907] [CHECK] Blacklist [00:53:0907] [CHECK] BlacklistPath [00:53:0907] [CHECK] BlacklistMD5 [00:53:0907] [CHECK] MadeNumbers [00:53:0907] [CHECK] HasUnicode [00:53:0907] [CHECK] SuspPath [00:53:0907] [CHECK] ProcessResidue [00:53:0907] [CHECK] Not found! [00:53:0907] [Check DLLs] ShimEng.dll : C:\WINDOWS\system32\ShimEng.dll [00:53:0907] [CHECK] WhiteDLL [00:53:0907] [CHECK] Whitelist [00:53:0907] [CHECK] WellKnown [00:53:0907] [CHECK] WhitelistPath [00:53:0907] [CHECK] HijackName [00:53:0907] [CHECK] Signature [00:53:0985] [PE] Mapping [00:53:0985] [PE] Parsing [00:53:0985] [PE] Dos header -> 0x1740000 [00:53:0985] [PE] Nt header (offset : 0xe8) file size 0xfe00 [00:53:0985] [PE] pNtHeadersx86 -> 0x17400e8 [00:53:0985] [PE] Chars -> 0x210e [00:53:0985] [PE] Optional header [00:53:0985] [PE] Sections : 4 [00:53:0985] [PE] Section : 0 - .text [00:53:0985] [PE] Section : 1 - .data [00:53:0985] [PE] Section : 2 - .rsrc [00:53:0985] [PE] Section : 3 - .reloc [00:53:0985] [PE] File open : 1 [00:53:0985] [PE] Search sigs [00:53:0985] [PE] Section[0/3] : 0x1740400 [00:53:0985] [PE] Init AhoCorasick [00:53:0985] [PE] Start AhoCorasick [00:53:0985] [PE] Looking results : 0 [00:53:0985] [PE] Section[1/3] : 0x174de00 [00:53:0985] [PE] Init AhoCorasick [00:53:0985] [PE] Start AhoCorasick [00:53:0985] [PE] Looking results : 0 [00:53:0985] [PE] Section[2/3] : 0x174e400 [00:53:0985] [PE] Init AhoCorasick [00:53:0985] [PE] Start AhoCorasick [00:53:0985] [PE] Looking results : 0 [00:53:0985] [PE] Section[3/3] : 0x174e800 [00:54:0000] [PE] Init AhoCorasick [00:54:0000] [PE] Start AhoCorasick [00:54:0000] [PE] Looking results : 0 [00:54:0000] [CHECK] Blacklist [00:54:0000] [CHECK] BlacklistPath [00:54:0000] [CHECK] BlacklistMD5 [00:54:0000] [CHECK] MadeNumbers [00:54:0000] [CHECK] HasUnicode [00:54:0000] [CHECK] SuspPath [00:54:0000] [CHECK] ProcessResidue [00:54:0000] [CHECK] Not found! [00:54:0032] [Check DLLs] AcGenral.DLL : C:\WINDOWS\AppPatch\AcGenral.DLL [00:54:0032] [CHECK] WhiteDLL [00:54:0032] [CHECK] Whitelist [00:54:0032] [CHECK] WellKnown [00:54:0032] [CHECK] WhitelistPath [00:54:0032] [CHECK] HijackName [00:54:0032] [CHECK] Signature [00:56:0657] [PE] Mapping [00:56:0657] [PE] Parsing [00:56:0657] [PE] Dos header -> 0x27e0000 [00:56:0657] [PE] Nt header (offset : 0xe8) file size 0x1c4600 [00:56:0657] [PE] pNtHeadersx86 -> 0x27e00e8 [00:56:0657] [PE] Chars -> 0x210e [00:56:0657] [PE] Optional header [00:56:0657] [PE] Sections : 4 [00:56:0657] [PE] Section : 0 - .text [00:56:0657] [PE] Section : 1 - .data [00:56:0657] [PE] Section : 2 - .rsrc [00:56:0657] [PE] Section : 3 - .reloc [00:56:0657] [PE] File open : 1 [00:56:0657] [PE] Search sigs [00:56:0657] [PE] Section[0/3] : 0x27e0400 [00:56:0657] [PE] Init AhoCorasick [00:56:0657] [PE] Start AhoCorasick [00:56:0657] [PE] Looking results : 0 [00:56:0657] [PE] Section[1/3] : 0x2812400 [00:56:0657] [PE] Init AhoCorasick [00:56:0672] [PE] Start AhoCorasick [00:56:0672] [PE] Looking results : 0 [00:56:0672] [PE] Section[2/3] : 0x2818000 [00:56:0672] [PE] Init AhoCorasick [00:56:0672] [PE] Start AhoCorasick [00:56:0735] [PE] Looking results : 0 [00:56:0735] [PE] Section[3/3] : 0x299f200 [00:56:0735] [PE] Init AhoCorasick [00:56:0735] [PE] Start AhoCorasick [00:56:0735] [PE] Looking results : 0 [00:56:0735] [CHECK] Blacklist [00:56:0735] [CHECK] BlacklistPath [00:56:0735] [CHECK] BlacklistMD5 [00:56:0750] [CHECK] MadeNumbers [00:56:0750] [CHECK] HasUnicode [00:56:0750] [CHECK] SuspPath [00:56:0750] [CHECK] ProcessResidue [00:56:0750] [CHECK] Not found! [00:56:0750] [Check DLLs] WINMM.dll : C:\WINDOWS\system32\WINMM.dll [00:56:0750] [CHECK] WhiteDLL [00:56:0750] [CHECK] Whitelist [00:56:0750] [CHECK] WellKnown [00:56:0750] [CHECK] WhitelistPath [00:56:0750] [CHECK] HijackName [00:56:0750] [CHECK] Signature [00:57:0063] [PE] Mapping [00:57:0063] [PE] Parsing [00:57:0063] [PE] Dos header -> 0x1740000 [00:57:0063] [PE] Nt header (offset : 0xf0) file size 0x2b000 [00:57:0063] [PE] pNtHeadersx86 -> 0x17400f0 [00:57:0063] [PE] Chars -> 0x210e [00:57:0063] [PE] Optional header [00:57:0063] [PE] Sections : 4 [00:57:0063] [PE] Section : 0 - .text [00:57:0063] [PE] Section : 1 - .data [00:57:0063] [PE] Section : 2 - .rsrc [00:57:0063] [PE] Section : 3 - .reloc [00:57:0063] [PE] File open : 1 [00:57:0063] [PE] Search sigs [00:57:0063] [PE] Section[0/3] : 0x1740400 [00:57:0063] [PE] Init AhoCorasick [00:57:0063] [PE] Start AhoCorasick [00:57:0063] [PE] Looking results : 0 [00:57:0063] [PE] Section[1/3] : 0x175f200 [00:57:0063] [PE] Init AhoCorasick [00:57:0063] [PE] Start AhoCorasick [00:57:0063] [PE] Looking results : 0 [00:57:0063] [PE] Section[2/3] : 0x1760600 [00:57:0063] [PE] Init AhoCorasick [00:57:0063] [PE] Start AhoCorasick [00:57:0063] [PE] Looking results : 0 [00:57:0063] [PE] Section[3/3] : 0x1769600 [00:57:0063] [PE] Init AhoCorasick [00:57:0063] [PE] Start AhoCorasick [00:57:0063] [PE] Looking results : 0 [00:57:0063] [CHECK] Blacklist [00:57:0078] [CHECK] BlacklistPath [00:57:0078] [CHECK] BlacklistMD5 [00:57:0078] [CHECK] MadeNumbers [00:57:0078] [CHECK] HasUnicode [00:57:0078] [CHECK] SuspPath [00:57:0078] [CHECK] ProcessResidue [00:57:0078] [CHECK] Not found! [00:57:0078] [Check DLLs] MSACM32.dll : C:\WINDOWS\system32\MSACM32.dll [00:57:0078] [CHECK] WhiteDLL [00:57:0078] [CHECK] Whitelist [00:57:0078] [CHECK] WellKnown [00:57:0078] [CHECK] WhitelistPath [00:57:0078] [CHECK] HijackName [00:57:0078] [CHECK] Signature [00:57:0282] [PE] Mapping [00:57:0282] [PE] Parsing [00:57:0282] [PE] Dos header -> 0x1740000 [00:57:0282] [PE] Nt header (offset : 0xe8) file size 0x11800 [00:57:0282] [PE] pNtHeadersx86 -> 0x17400e8 [00:57:0282] [PE] Chars -> 0x210e [00:57:0282] [PE] Optional header [00:57:0282] [PE] Sections : 4 [00:57:0282] [PE] Section : 0 - .text [00:57:0282] [PE] Section : 1 - .data [00:57:0282] [PE] Section : 2 - .rsrc [00:57:0282] [PE] Section : 3 - .reloc [00:57:0282] [PE] File open : 1 [00:57:0282] [PE] Search sigs [00:57:0282] [PE] Section[0/3] : 0x1740400 [00:57:0282] [PE] Init AhoCorasick [00:57:0282] [PE] Start AhoCorasick [00:57:0282] [PE] Looking results : 0 [00:57:0282] [PE] Section[1/3] : 0x174f800 [00:57:0282] [PE] Init AhoCorasick [00:57:0282] [PE] Start AhoCorasick [00:57:0282] [PE] Looking results : 0 [00:57:0282] [PE] Section[2/3] : 0x174fa00 [00:57:0282] [PE] Init AhoCorasick [00:57:0297] [PE] Start AhoCorasick [00:57:0297] [PE] Looking results : 0 [00:57:0297] [PE] Section[3/3] : 0x1751000 [00:57:0297] [PE] Init AhoCorasick [00:57:0297] [PE] Start AhoCorasick [00:57:0297] [PE] Looking results : 0 [00:57:0297] [CHECK] Blacklist [00:57:0297] [CHECK] BlacklistPath [00:57:0297] [CHECK] BlacklistMD5 [00:57:0297] [CHECK] MadeNumbers [00:57:0297] [CHECK] HasUnicode [00:57:0297] [CHECK] SuspPath [00:57:0297] [CHECK] ProcessResidue [00:57:0297] [CHECK] Not found! [00:57:0297] [Check DLLs] USERENV.dll : C:\WINDOWS\system32\USERENV.dll [00:57:0297] [CHECK] WhiteDLL [00:57:0297] [CHECK] Whitelist [00:57:0297] [CHECK] WellKnown [00:57:0297] [CHECK] WhitelistPath [00:57:0297] [CHECK] HijackName [00:57:0297] [CHECK] Signature [00:57:0922] [PE] Mapping [00:57:0922] [PE] Parsing [00:57:0922] [PE] Dos header -> 0x1740000 [00:57:0922] [PE] Nt header (offset : 0xf0) file size 0xb1800 [00:57:0922] [PE] pNtHeadersx86 -> 0x17400f0 [00:57:0922] [PE] Chars -> 0x210e [00:57:0922] [PE] Optional header [00:57:0922] [PE] Sections : 4 [00:57:0922] [PE] Section : 0 - .text [00:57:0922] [PE] Section : 1 - .data [00:57:0938] [PE] Section : 2 - .rsrc [00:57:0938] [PE] Section : 3 - .reloc [00:57:0938] [PE] File open : 1 [00:57:0938] [PE] Search sigs [00:57:0938] [PE] Section[0/3] : 0x1740400 [00:57:0938] [PE] Init AhoCorasick [00:57:0938] [PE] Start AhoCorasick [00:57:0938] [PE] Looking results : 0 [00:57:0938] [PE] Section[1/3] : 0x17dfa00 [00:57:0938] [PE] Init AhoCorasick [00:57:0938] [PE] Start AhoCorasick [00:57:0953] [PE] Looking results : 0 [00:57:0953] [PE] Section[2/3] : 0x17e1800 [00:57:0953] [PE] Init AhoCorasick [00:57:0953] [PE] Start AhoCorasick [00:57:0953] [PE] Looking results : 0 [00:57:0953] [PE] Section[3/3] : 0x17eb000 [00:57:0953] [PE] Init AhoCorasick [00:57:0953] [PE] Start AhoCorasick [00:57:0953] [PE] Looking results : 0 [00:57:0953] [CHECK] Blacklist [00:57:0953] [CHECK] BlacklistPath [00:57:0953] [CHECK] BlacklistMD5 [00:57:0953] [CHECK] MadeNumbers [00:57:0953] [CHECK] HasUnicode [00:57:0953] [CHECK] SuspPath [00:57:0953] [CHECK] ProcessResidue [00:57:0953] [CHECK] Not found! [00:57:0953] [Check DLLs] IMM32.DLL : C:\WINDOWS\system32\IMM32.DLL [00:57:0953] [CHECK] WhiteDLL [00:57:0953] [CHECK] Whitelist [00:57:0953] [CHECK] WellKnown [00:57:0953] [CHECK] WhitelistPath [00:57:0953] [CHECK] HijackName [00:57:0953] [CHECK] Signature [00:58:0078] [PE] Mapping [00:58:0078] [PE] Parsing [00:58:0078] [PE] Dos header -> 0x1740000 [00:58:0078] [PE] Nt header (offset : 0xe8) file size 0x1ae00 [00:58:0078] [PE] pNtHeadersx86 -> 0x17400e8 [00:58:0094] [PE] Chars -> 0x210e [00:58:0094] [PE] Optional header [00:58:0094] [PE] Sections : 4 [00:58:0094] [PE] Section : 0 - .text [00:58:0094] [PE] Section : 1 - .data [00:58:0094] [PE] Section : 2 - .rsrc [00:58:0094] [PE] Section : 3 - .reloc [00:58:0094] [PE] File open : 1 [00:58:0094] [PE] Search sigs [00:58:0094] [PE] Section[0/3] : 0x1740400 [00:58:0094] [PE] Init AhoCorasick [00:58:0094] [PE] Start AhoCorasick [00:58:0094] [PE] Looking results : 0 [00:58:0094] [PE] Section[1/3] : 0x1755000 [00:58:0094] [PE] Init AhoCorasick [00:58:0094] [PE] Start AhoCorasick [00:58:0094] [PE] Looking results : 0 [00:58:0094] [PE] Section[2/3] : 0x1755200 [00:58:0094] [PE] Init AhoCorasick [00:58:0094] [PE] Start AhoCorasick [00:58:0094] [PE] Looking results : 0 [00:58:0094] [PE] Section[3/3] : 0x175a000 [00:58:0094] [PE] Init AhoCorasick [00:58:0094] [PE] Start AhoCorasick [00:58:0094] [PE] Looking results : 0 [00:58:0094] [CHECK] Blacklist [00:58:0094] [CHECK] BlacklistPath [00:58:0094] [CHECK] BlacklistMD5 [00:58:0094] [CHECK] MadeNumbers [00:58:0094] [CHECK] HasUnicode [00:58:0094] [CHECK] SuspPath [00:58:0094] [CHECK] ProcessResidue [00:58:0094] [CHECK] Not found! [00:58:0094] [Check DLLs] comctl32.dll : C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Commo n-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_ 61e65202\comctl32.dll [00:58:0094] [CHECK] WhiteDLL [00:58:0094] [CHECK] Whitelist [00:58:0094] [CHECK] WellKnown [00:58:0094] [CHECK] WhitelistPath [00:58:0094] [CHECK] HijackName [00:58:0094] [CHECK] Signature [00:59:0047] [PE] Mapping [00:59:0047] [PE] Parsing [00:59:0047] [PE] Dos header -> 0x27e0000 [00:59:0047] [PE] Nt header (offset : 0xf0) file size 0x101600 [00:59:0047] [PE] pNtHeadersx86 -> 0x27e00f0 [00:59:0047] [PE] Chars -> 0x210e [00:59:0047] [PE] Optional header [00:59:0047] [PE] Sections : 4 [00:59:0047] [PE] Section : 0 - .text [00:59:0047] [PE] Section : 1 - .data [00:59:0047] [PE] Section : 2 - .rsrc [00:59:0047] [PE] Section : 3 - .reloc [00:59:0047] [PE] File open : 1 [00:59:0047] [PE] Search sigs [00:59:0047] [PE] Section[0/3] : 0x27e0400 [00:59:0047] [PE] Init AhoCorasick [00:59:0047] [PE] Start AhoCorasick [00:59:0063] [PE] Looking results : 0 [00:59:0063] [PE] Section[1/3] : 0x2871000 [00:59:0063] [PE] Init AhoCorasick [00:59:0063] [PE] Start AhoCorasick [00:59:0063] [PE] Looking results : 0 [00:59:0063] [PE] Section[2/3] : 0x2871600 [00:59:0063] [PE] Init AhoCorasick [00:59:0063] [PE] Start AhoCorasick [00:59:0078] [PE] Looking results : 0 [00:59:0078] [PE] Section[3/3] : 0x28db600 [00:59:0078] [PE] Init AhoCorasick [00:59:0078] [PE] Start AhoCorasick [00:59:0078] [PE] Looking results : 0 [00:59:0078] [CHECK] Blacklist [00:59:0078] [CHECK] BlacklistPath [00:59:0078] [CHECK] BlacklistMD5 [00:59:0078] [CHECK] MadeNumbers [00:59:0078] [CHECK] HasUnicode [00:59:0078] [CHECK] SuspPath [00:59:0078] [CHECK] ProcessResidue [00:59:0078] [CHECK] Not found! [00:59:0078] [Check DLLs] comctl32.dll : C:\WINDOWS\system32\comctl32.dll [00:59:0078] [CHECK] WhiteDLL [00:59:0078] [CHECK] Whitelist [00:59:0078] [CHECK] WellKnown [00:59:0078] [CHECK] WhitelistPath [00:59:0078] [CHECK] HijackName [00:59:0078] [CHECK] Signature

#5 krptd

New Member

Authentic Member
5 posts

Posted 30 August 2013 - 01:31 PM

[01:00:0141] [PE] Mapping [01:00:0141] [PE] Parsing [01:00:0141] [PE] Dos header -> 0x1740000 [01:00:0141] [PE] Nt header (offset : 0xf0) file size 0x96c00 [01:00:0141] [PE] pNtHeadersx86 -> 0x17400f0 [01:00:0141] [PE] Chars -> 0x210e [01:00:0141] [PE] Optional header [01:00:0141] [PE] Sections : 4 [01:00:0141] [PE] Section : 0 - .text [01:00:0141] [PE] Section : 1 - .data [01:00:0141] [PE] Section : 2 - .rsrc [01:00:0141] [PE] Section : 3 - .reloc [01:00:0141] [PE] File open : 1 [01:00:0141] [PE] Search sigs [01:00:0141] [PE] Section[0/3] : 0x1740400 [01:00:0141] [PE] Init AhoCorasick [01:00:0141] [PE] Start AhoCorasick [01:00:0157] [PE] Looking results : 0 [01:00:0157] [PE] Section[1/3] : 0x17b1000 [01:00:0157] [PE] Init AhoCorasick [01:00:0157] [PE] Start AhoCorasick [01:00:0157] [PE] Looking results : 0 [01:00:0157] [PE] Section[2/3] : 0x17b3600 [01:00:0157] [PE] Init AhoCorasick [01:00:0157] [PE] Start AhoCorasick [01:00:0157] [PE] Looking results : 0 [01:00:0157] [PE] Section[3/3] : 0x17d2a00 [01:00:0157] [PE] Init AhoCorasick [01:00:0157] [PE] Start AhoCorasick [01:00:0157] [PE] Looking results : 0 [01:00:0157] [CHECK] Blacklist [01:00:0157] [CHECK] BlacklistPath [01:00:0157] [CHECK] BlacklistMD5 [01:00:0157] [CHECK] MadeNumbers [01:00:0157] [CHECK] HasUnicode [01:00:0157] [CHECK] SuspPath [01:00:0157] [CHECK] ProcessResidue [01:00:0157] [CHECK] Not found! [01:00:0157] [Check DLLs] apphelp.dll : C:\WINDOWS\system32\apphelp.dll [01:00:0157] [CHECK] WhiteDLL [01:00:0157] [Check DLLs] msctfime.ime : C:\WINDOWS\system32\msctfime.ime [01:00:0157] [CHECK] WhiteDLL [01:00:0157] [CHECK] Whitelist [01:00:0157] [CHECK] WellKnown [01:00:0157] [CHECK] WhitelistPath [01:00:0157] [CHECK] HijackName [01:00:0157] [CHECK] Signature [01:00:0360] [PE] Mapping [01:00:0360] [PE] Parsing [01:00:0360] [PE] Dos header -> 0x1740000 [01:00:0360] [PE] Nt header (offset : 0xe8) file size 0x2b400 [01:00:0360] [PE] pNtHeadersx86 -> 0x17400e8 [01:00:0360] [PE] Chars -> 0x210e [01:00:0360] [PE] Optional header [01:00:0360] [PE] Sections : 4 [01:00:0360] [PE] Section : 0 - .text [01:00:0360] [PE] Section : 1 - .data [01:00:0360] [PE] Section : 2 - .rsrc [01:00:0360] [PE] Section : 3 - .reloc [01:00:0360] [PE] File open : 1 [01:00:0360] [PE] Search sigs [01:00:0360] [PE] Section[0/3] : 0x1740400 [01:00:0360] [PE] Init AhoCorasick [01:00:0360] [PE] Start AhoCorasick [01:00:0360] [PE] Looking results : 0 [01:00:0360] [PE] Section[1/3] : 0x1767000 [01:00:0360] [PE] Init AhoCorasick [01:00:0360] [PE] Start AhoCorasick [01:00:0360] [PE] Looking results : 0 [01:00:0360] [PE] Section[2/3] : 0x1767200 [01:00:0360] [PE] Init AhoCorasick [01:00:0360] [PE] Start AhoCorasick [01:00:0360] [PE] Looking results : 0 [01:00:0360] [PE] Section[3/3] : 0x1768800 [01:00:0360] [PE] Init AhoCorasick [01:00:0360] [PE] Start AhoCorasick [01:00:0360] [PE] Looking results : 0 [01:00:0360] [CHECK] Blacklist [01:00:0360] [CHECK] BlacklistPath [01:00:0360] [CHECK] BlacklistMD5 [01:00:0360] [CHECK] MadeNumbers [01:00:0360] [CHECK] HasUnicode [01:00:0360] [CHECK] SuspPath [01:00:0360] [CHECK] ProcessResidue [01:00:0360] [CHECK] Not found! [01:00:0360] [Check DLLs] CLBCATQ.DLL : C:\WINDOWS\system32\CLBCATQ.DLL [01:00:0360] [CHECK] WhiteDLL [01:00:0360] [CHECK] Whitelist [01:00:0360] [CHECK] WellKnown [01:00:0375] [CHECK] WhitelistPath [01:00:0375] [CHECK] HijackName [01:00:0375] [CHECK] Signature [01:00:0875] [PE] Mapping [01:00:0891] [PE] Parsing [01:00:0891] [PE] Dos header -> 0x1740000 [01:00:0891] [PE] Nt header (offset : 0xe0) file size 0x79c00 [01:00:0891] [PE] pNtHeadersx86 -> 0x17400e0 [01:00:0891] [PE] Chars -> 0x210e [01:00:0891] [PE] Optional header [01:00:0891] [PE] Sections : 4 [01:00:0891] [PE] Section : 0 - .text [01:00:0891] [PE] Section : 1 - .data [01:00:0891] [PE] Section : 2 - .rsrc [01:00:0891] [PE] Section : 3 - .reloc [01:00:0891] [PE] File open : 1 [01:00:0891] [PE] Search sigs [01:00:0891] [PE] Section[0/3] : 0x1740400 [01:00:0891] [PE] Init AhoCorasick [01:00:0891] [PE] Start AhoCorasick [01:00:0891] [PE] Looking results : 0 [01:00:0891] [PE] Section[1/3] : 0x17b1a00 [01:00:0891] [PE] Init AhoCorasick [01:00:0891] [PE] Start AhoCorasick [01:00:0891] [PE] Looking results : 0 [01:00:0891] [PE] Section[2/3] : 0x17b3800 [01:00:0891] [PE] Init AhoCorasick [01:00:0891] [PE] Start AhoCorasick [01:00:0891] [PE] Looking results : 0 [01:00:0891] [PE] Section[3/3] : 0x17b5800 [01:00:0891] [PE] Init AhoCorasick [01:00:0891] [PE] Start AhoCorasick [01:00:0907] [PE] Looking results : 0 [01:00:0907] [CHECK] Blacklist [01:00:0907] [CHECK] BlacklistPath [01:00:0907] [CHECK] BlacklistMD5 [01:00:0907] [CHECK] MadeNumbers [01:00:0907] [CHECK] HasUnicode [01:00:0907] [CHECK] SuspPath [01:00:0907] [CHECK] ProcessResidue [01:00:0907] [CHECK] Not found! [01:00:0907] [Check DLLs] COMRes.dll : C:\WINDOWS\system32\COMRes.dll [01:00:0907] [CHECK] WhiteDLL [01:00:0907] [CHECK] Whitelist [01:00:0907] [CHECK] WellKnown [01:00:0907] [CHECK] WhitelistPath [01:00:0907] [CHECK] HijackName [01:00:0907] [CHECK] Signature [01:01:0328] [PE] Mapping [01:01:0328] [PE] Parsing [01:01:0328] [PE] Dos header -> 0x1740000 [01:01:0328] [PE] Nt header (offset : 0xe0) file size 0xc1600 [01:01:0328] [PE] pNtHeadersx86 -> 0x17400e0 [01:01:0328] [PE] Chars -> 0x210e [01:01:0328] [PE] Optional header [01:01:0328] [PE] Sections : 4 [01:01:0328] [PE] Section : 0 - .text [01:01:0328] [PE] Section : 1 - .data [01:01:0328] [PE] Section : 2 - .rsrc [01:01:0328] [PE] Section : 3 - .reloc [01:01:0328] [PE] File open : 1 [01:01:0328] [PE] Search sigs [01:01:0328] [PE] Section[0/3] : 0x1740400 [01:01:0328] [PE] Init AhoCorasick [01:01:0328] [PE] Start AhoCorasick [01:01:0328] [PE] Looking results : 0 [01:01:0328] [PE] Section[1/3] : 0x1740000 [01:01:0328] [PE] Init AhoCorasick [01:01:0328] [PE] Start AhoCorasick [01:01:0328] [PE] Looking results : 0 [01:01:0328] [PE] Section[2/3] : 0x1740600 [01:01:0328] [PE] Init AhoCorasick [01:01:0328] [PE] Start AhoCorasick [01:01:0344] [PE] Looking results : 0 [01:01:0344] [PE] Section[3/3] : 0x1801400 [01:01:0344] [PE] Init AhoCorasick [01:01:0344] [PE] Start AhoCorasick [01:01:0344] [PE] Looking results : 0 [01:01:0344] [CHECK] Blacklist [01:01:0344] [CHECK] BlacklistPath [01:01:0344] [CHECK] BlacklistMD5 [01:01:0344] [CHECK] MadeNumbers [01:01:0344] [CHECK] HasUnicode [01:01:0344] [CHECK] SuspPath [01:01:0344] [CHECK] ProcessResidue [01:01:0344] [CHECK] Not found! [01:01:0344] [Check DLLs] cscui.dll : C:\WINDOWS\System32\cscui.dll [01:01:0344] [CHECK] WhiteDLL [01:01:0344] [CHECK] Whitelist [01:01:0344] [CHECK] WellKnown [01:01:0344] [CHECK] WhitelistPath [01:01:0344] [CHECK] HijackName [01:01:0344] [CHECK] Signature [01:01:0657] [PE] Mapping [01:01:0657] [PE] Parsing [01:01:0657] [PE] Dos header -> 0x1740000 [01:01:0657] [PE] Nt header (offset : 0xe8) file size 0x4fc00 [01:01:0657] [PE] pNtHeadersx86 -> 0x17400e8 [01:01:0657] [PE] Chars -> 0x210e [01:01:0657] [PE] Optional header [01:01:0657] [PE] Sections : 4 [01:01:0657] [PE] Section : 0 - .text [01:01:0657] [PE] Section : 1 - .data [01:01:0657] [PE] Section : 2 - .rsrc [01:01:0657] [PE] Section : 3 - .reloc [01:01:0657] [PE] File open : 1 [01:01:0657] [PE] Search sigs [01:01:0657] [PE] Section[0/3] : 0x1740400 [01:01:0657] [PE] Init AhoCorasick [01:01:0657] [PE] Start AhoCorasick [01:01:0657] [PE] Looking results : 0 [01:01:0657] [PE] Section[1/3] : 0x1762c00 [01:01:0657] [PE] Init AhoCorasick [01:01:0657] [PE] Start AhoCorasick [01:01:0657] [PE] Looking results : 0 [01:01:0657] [PE] Section[2/3] : 0x1763200 [01:01:0657] [PE] Init AhoCorasick [01:01:0672] [PE] Start AhoCorasick [01:01:0672] [PE] Looking results : 0 [01:01:0672] [PE] Section[3/3] : 0x178e400 [01:01:0672] [PE] Init AhoCorasick [01:01:0672] [PE] Start AhoCorasick [01:01:0672] [PE] Looking results : 0 [01:01:0672] [CHECK] Blacklist [01:01:0672] [CHECK] BlacklistPath [01:01:0672] [CHECK] BlacklistMD5 [01:01:0672] [CHECK] MadeNumbers [01:01:0672] [CHECK] HasUnicode [01:01:0672] [CHECK] SuspPath [01:01:0672] [CHECK] ProcessResidue [01:01:0672] [CHECK] Not found! [01:01:0672] [Check DLLs] CSCDLL.dll : C:\WINDOWS\System32\CSCDLL.dll [01:01:0672] [CHECK] WhiteDLL [01:01:0672] [CHECK] Whitelist [01:01:0672] [CHECK] WellKnown [01:01:0672] [CHECK] WhitelistPath [01:01:0672] [CHECK] HijackName [01:01:0672] [CHECK] Signature [01:01:0750] [PE] Mapping [01:01:0750] [PE] Parsing [01:01:0750] [PE] Dos header -> 0x1740000 [01:01:0750] [PE] Nt header (offset : 0xe8) file size 0x18e00 [01:01:0750] [PE] pNtHeadersx86 -> 0x17400e8 [01:01:0750] [PE] Chars -> 0x210e [01:01:0750] [PE] Optional header [01:01:0750] [PE] Sections : 5 [01:01:0750] [PE] Section : 0 - .text [01:01:0750] [PE] Section : 1 - PAGE [01:01:0750] [PE] Section : 2 - .data [01:01:0750] [PE] Section : 3 - .rsrc [01:01:0750] [PE] Section : 4 - .reloc [01:01:0750] [PE] File open : 1 [01:01:0750] [PE] Search sigs [01:01:0750] [PE] Section[0/4] : 0x1740400 [01:01:0750] [PE] Init AhoCorasick [01:01:0750] [PE] Start AhoCorasick [01:01:0750] [PE] Looking results : 0 [01:01:0766] [PE] Section[1/4] : 0x174e600 [01:01:0766] [PE] Init AhoCorasick [01:01:0766] [PE] Start AhoCorasick [01:01:0766] [PE] Looking results : 0 [01:01:0766] [PE] Section[2/4] : 0x1750c00 [01:01:0766] [PE] Init AhoCorasick [01:01:0766] [PE] Start AhoCorasick [01:01:0766] [PE] Looking results : 0 [01:01:0766] [PE] Section[3/4] : 0x1752000 [01:01:0766] [PE] Init AhoCorasick [01:01:0766] [PE] Start AhoCorasick [01:01:0766] [PE] Looking results : 0 [01:01:0766] [PE] Section[4/4] : 0x1758200 [01:01:0766] [PE] Init AhoCorasick [01:01:0766] [PE] Start AhoCorasick [01:01:0766] [PE] Looking results : 0 [01:01:0766] [CHECK] Blacklist [01:01:0766] [CHECK] BlacklistPath [01:01:0766] [CHECK] BlacklistMD5 [01:01:0766] [CHECK] MadeNumbers [01:01:0766] [CHECK] HasUnicode [01:01:0766] [CHECK] SuspPath [01:01:0766] [CHECK] ProcessResidue [01:01:0766] [CHECK] Not found! [01:01:0766] [Check DLLs] themeui.dll : C:\WINDOWS\System32\themeui.dll [01:01:0766] [CHECK] WhiteDLL [01:01:0766] [CHECK] Whitelist [01:01:0766] [CHECK] WellKnown [01:01:0766] [CHECK] WhitelistPath [01:01:0766] [CHECK] HijackName [01:01:0766] [CHECK] Signature [01:01:0875] [PE] Mapping [01:01:0875] [PE] Parsing [01:01:0875] [PE] Dos header -> 0x1740000 [01:01:0875] [PE] Nt header (offset : 0xe0) file size 0x5e200 [01:01:0875] [PE] pNtHeadersx86 -> 0x17400e0 [01:01:0875] [PE] Chars -> 0x210e [01:01:0875] [PE] Optional header [01:01:0875] [PE] Sections : 4 [01:01:0875] [PE] Section : 0 - .text [01:01:0875] [PE] Section : 1 - .data [01:01:0875] [PE] Section : 2 - .rsrc [01:01:0875] [PE] Section : 3 - .reloc [01:01:0875] [PE] File open : 1 [01:01:0875] [PE] Search sigs [01:01:0875] [PE] Section[0/3] : 0x1740400 [01:01:0875] [PE] Init AhoCorasick [01:01:0875] [PE] Start AhoCorasick [01:01:0875] [PE] Looking results : 0 [01:01:0875] [PE] Section[1/3] : 0x1776a00 [01:01:0875] [PE] Init AhoCorasick [01:01:0875] [PE] Start AhoCorasick [01:01:0875] [PE] Looking results : 0 [01:01:0875] [PE] Section[2/3] : 0x1777800 [01:01:0875] [PE] Init AhoCorasick [01:01:0875] [PE] Start AhoCorasick [01:01:0875] [PE] Looking results : 0 [01:01:0875] [PE] Section[3/3] : 0x179a600 [01:01:0875] [PE] Init AhoCorasick [01:01:0875] [PE] Start AhoCorasick [01:01:0875] [PE] Looking results : 0 [01:01:0875] [CHECK] Blacklist [01:01:0875] [CHECK] BlacklistPath [01:01:0875] [CHECK] BlacklistMD5 [01:01:0875] [CHECK] MadeNumbers [01:01:0891] [CHECK] HasUnicode [01:01:0891] [CHECK] SuspPath [01:01:0891] [CHECK] ProcessResidue [01:01:0891] [CHECK] Not found! [01:01:0891] [Check DLLs] MSIMG32.dll : C:\WINDOWS\System32\MSIMG32.dll [01:01:0891] [CHECK] WhiteDLL [01:01:0891] [CHECK] Whitelist [01:01:0891] [CHECK] WellKnown [01:01:0891] [CHECK] WhitelistPath [01:01:0891] [CHECK] HijackName [01:01:0891] [CHECK] Signature [01:01:0938] [PE] Mapping [01:01:0938] [PE] Parsing [01:01:0938] [PE] Dos header -> 0x1740000 [01:01:0938] [PE] Nt header (offset : 0xe0) file size 0x1200 [01:01:0938] [PE] pNtHeadersx86 -> 0x17400e0 [01:01:0938] [PE] Chars -> 0x210e [01:01:0938] [PE] Optional header [01:01:0938] [PE] Sections : 4 [01:01:0938] [PE] Section : 0 - .text [01:01:0938] [PE] Section : 1 - .data [01:01:0938] [PE] Section : 2 - .rsrc [01:01:0938] [PE] Section : 3 - .reloc [01:01:0938] [PE] File open : 1 [01:01:0938] [PE] Search sigs [01:01:0938] [PE] Section[0/3] : 0x1740400 [01:01:0938] [PE] Init AhoCorasick [01:01:0938] [PE] Start AhoCorasick [01:01:0938] [PE] Looking results : 0 [01:01:0938] [PE] Section[1/3] : 0x1740a00 [01:01:0938] [PE] Init AhoCorasick [01:01:0938] [PE] Start AhoCorasick [01:01:0938] [PE] Looking results : 0 [01:01:0938] [PE] Section[2/3] : 0x1740c00 [01:01:0938] [PE] Init AhoCorasick [01:01:0938] [PE] Start AhoCorasick [01:01:0938] [PE] Looking results : 0 [01:01:0938] [PE] Section[3/3] : 0x1741000 [01:01:0938] [PE] Init AhoCorasick [01:01:0938] [PE] Start AhoCorasick [01:01:0938] [PE] Looking results : 0 [01:01:0938] [CHECK] Blacklist [01:01:0938] [CHECK] BlacklistPath [01:01:0938] [CHECK] BlacklistMD5 [01:01:0938] [CHECK] MadeNumbers [01:01:0938] [CHECK] HasUnicode [01:01:0938] [CHECK] SuspPath [01:01:0938] [CHECK] ProcessResidue [01:01:0938] [CHECK] Not found! [01:01:0938] [Check DLLs] xpsp2res.dll : C:\WINDOWS\system32\xpsp2res.dll [01:01:0938] [CHECK] WhiteDLL [01:01:0938] [CHECK] Whitelist [01:01:0938] [CHECK] WellKnown [01:01:0938] [CHECK] WhitelistPath [01:01:0938] [CHECK] HijackName [01:01:0938] [CHECK] Signature [01:04:0047] [PE] Mapping [01:04:0047] [PE] Parsing [01:04:0047] [PE] Dos header -> 0x2aa0000 [01:04:0047] [PE] Nt header (offset : 0xc0) file size 0x2c3800 [01:04:0047] [PE] pNtHeadersx86 -> 0x2aa00c0 [01:04:0047] [PE] Chars -> 0x210e [01:04:0047] [PE] Optional header [01:04:0047] [PE] Sections : 1 [01:04:0047] [PE] Section : 0 - .rsrc [01:04:0047] [PE] File open : 1 [01:04:0047] [PE] Search sigs [01:04:0047] [PE] Section[0/0] : 0x2aa0200 [01:04:0047] [PE] Init AhoCorasick [01:04:0047] [PE] Start AhoCorasick [01:04:0094] [PE] Looking results : 0 [01:04:0094] [CHECK] Blacklist [01:04:0094] [CHECK] BlacklistPath [01:04:0094] [CHECK] BlacklistMD5 [01:04:0094] [CHECK] MadeNumbers [01:04:0094] [CHECK] HasUnicode [01:04:0094] [CHECK] SuspPath [01:04:0094] [CHECK] ProcessResidue [01:04:0094] [CHECK] Not found! [01:04:0094] [Check DLLs] SAMLIB.dll : C:\WINDOWS\system32\SAMLIB.dll [01:04:0094] [CHECK] WhiteDLL [01:04:0094] [CHECK] Whitelist [01:04:0094] [CHECK] WellKnown [01:04:0094] [CHECK] WhitelistPath [01:04:0094] [CHECK] HijackName [01:04:0094] [CHECK] Signature [01:04:0203] [PE] Mapping [01:04:0203] [PE] Parsing [01:04:0203] [PE] Dos header -> 0x1740000 [01:04:0203] [PE] Nt header (offset : 0xf0) file size 0xfa00 [01:04:0203] [PE] pNtHeadersx86 -> 0x17400f0 [01:04:0203] [PE] Chars -> 0x210e [01:04:0203] [PE] Optional header [01:04:0219] [PE] Sections : 4 [01:04:0219] [PE] Section : 0 - .text [01:04:0219] [PE] Section : 1 - .data [01:04:0219] [PE] Section : 2 - .rsrc [01:04:0219] [PE] Section : 3 - .reloc [01:04:0219] [PE] File open : 1 [01:04:0219] [PE] Search sigs [01:04:0219] [PE] Section[0/3] : 0x1740400 [01:04:0219] [PE] Init AhoCorasick [01:04:0219] [PE] Start AhoCorasick [01:04:0219] [PE] Looking results : 0 [01:04:0219] [PE] Section[1/3] : 0x174ec00 [01:04:0219] [PE] Init AhoCorasick [01:04:0219] [PE] Start AhoCorasick [01:04:0219] [PE] Looking results : 0 [01:04:0219] [PE] Section[2/3] : 0x174ee00 [01:04:0219] [PE] Init AhoCorasick [01:04:0219] [PE] Start AhoCorasick [01:04:0219] [PE] Looking results : 0 [01:04:0219] [PE] Section[3/3] : 0x174f200 [01:04:0219] [PE] Init AhoCorasick [01:04:0219] [PE] Start AhoCorasick [01:04:0219] [PE] Looking results : 0 [01:04:0219] [CHECK] Blacklist [01:04:0219] [CHECK] BlacklistPath [01:04:0219] [CHECK] BlacklistMD5 [01:04:0219] [CHECK] MadeNumbers [01:04:0219] [CHECK] HasUnicode [01:04:0219] [CHECK] SuspPath [01:04:0219] [CHECK] ProcessResidue [01:04:0219] [CHECK] Not found! [01:04:0219] [Check DLLs] ieframe.dll : C:\WINDOWS\system32\ieframe.dll [01:04:0219] [CHECK] WhiteDLL [01:04:0219] [CHECK] Whitelist [01:04:0219] [CHECK] WellKnown [01:04:0219] [CHECK] WhitelistPath [01:04:0219] [CHECK] HijackName [01:04:0219] [CHECK] Signature [01:12:0813] [CHECK] Blacklist [01:12:0813] [CHECK] BlacklistPath [01:12:0828] [CHECK] BlacklistMD5 [01:12:0828] [CHECK] MadeNumbers [01:12:0828] [CHECK] HasUnicode [01:12:0828] [CHECK] SuspPath [01:12:0828] [CHECK] ProcessResidue [01:12:0828] [CHECK] Not found! [01:12:0828] [Check DLLs] mshtml.dll : C:\WINDOWS\system32\mshtml.dll [01:12:0828] [CHECK] WhiteDLL [01:12:0828] [CHECK] Whitelist [01:12:0828] [CHECK] WellKnown [01:12:0828] [CHECK] WhitelistPath [01:12:0828] [CHECK] HijackName [01:12:0828] [CHECK] Signature [01:19:0375] [CHECK] Blacklist [01:19:0375] [CHECK] BlacklistPath [01:19:0375] [CHECK] BlacklistMD5 [01:19:0375] [CHECK] MadeNumbers [01:19:0375] [CHECK] HasUnicode [01:19:0375] [CHECK] SuspPath [01:19:0375] [CHECK] ProcessResidue [01:19:0375] [CHECK] Not found! [01:19:0375] [Check DLLs] msls31.dll : C:\WINDOWS\system32\msls31.dll [01:19:0375] [CHECK] WhiteDLL [01:19:0375] [CHECK] Whitelist [01:19:0375] [CHECK] WellKnown [01:19:0375] [CHECK] WhitelistPath [01:19:0375] [CHECK] HijackName [01:19:0375] [CHECK] Signature [01:19:0657] [PE] Mapping [01:19:0657] [PE] Parsing [01:19:0657] [PE] Dos header -> 0x24e0000 [01:19:0657] [PE] Nt header (offset : 0xf8) file size 0x26200 [01:19:0657] [PE] pNtHeadersx86 -> 0x24e00f8 [01:19:0657] [PE] Chars -> 0x2102 [01:19:0657] [PE] Optional header [01:19:0657] [PE] Sections : 4 [01:19:0657] [PE] Section : 0 - .text [01:19:0657] [PE] Section : 1 - .data [01:19:0657] [PE] Section : 2 - .rsrc [01:19:0657] [PE] Section : 3 - .reloc [01:19:0657] [PE] File open : 1 [01:19:0657] [PE] Search sigs [01:19:0657] [PE] Section[0/3] : 0x24e0400 [01:19:0657] [PE] Init AhoCorasick [01:19:0657] [PE] Start AhoCorasick [01:19:0657] [PE] Looking results : 0 [01:19:0657] [PE] Section[1/3] : 0x2505400 [01:19:0657] [PE] Init AhoCorasick [01:19:0657] [PE] Start AhoCorasick [01:19:0657] [PE] Looking results : 0 [01:19:0657] [PE] Section[2/3] : 0x2505800 [01:19:0657] [PE] Init AhoCorasick [01:19:0657] [PE] Start AhoCorasick [01:19:0657] [PE] Looking results : 0 [01:19:0657] [PE] Section[3/3] : 0x2505e00 [01:19:0657] [PE] Init AhoCorasick [01:19:0657] [PE] Start AhoCorasick [01:19:0657] [PE] Looking results : 0 [01:19:0657] [CHECK] Blacklist [01:19:0657] [CHECK] BlacklistPath [01:19:0657] [CHECK] BlacklistMD5 [01:19:0657] [CHECK] MadeNumbers [01:19:0657] [CHECK] HasUnicode [01:19:0657] [CHECK] SuspPath [01:19:0657] [CHECK] ProcessResidue [01:19:0657] [CHECK] Not found! [01:19:0657] [Check DLLs] PSAPI.DLL : C:\WINDOWS\system32\PSAPI.DLL [01:19:0672] [CHECK] WhiteDLL [01:19:0672] [CHECK] Whitelist [01:19:0672] [CHECK] WellKnown [01:19:0672] [CHECK] WhitelistPath [01:19:0672] [CHECK] HijackName [01:19:0672] [CHECK] Signature [01:19:0797] [PE] Mapping [01:19:0797] [PE] Parsing [01:19:0797] [PE] Dos header -> 0x24e0000 [01:19:0797] [PE] Nt header (offset : 0xe0) file size 0x5a00 [01:19:0797] [PE] pNtHeadersx86 -> 0x24e00e0 [01:19:0797] [PE] Chars -> 0x210e [01:19:0797] [PE] Optional header [01:19:0797] [PE] Sections : 4 [01:19:0797] [PE] Section : 0 - .text [01:19:0797] [PE] Section : 1 - .data [01:19:0797] [PE] Section : 2 - .rsrc [01:19:0797] [PE] Section : 3 - .reloc [01:19:0797] [PE] File open : 1 [01:19:0797] [PE] Search sigs [01:19:0797] [PE] Section[0/3] : 0x24e0400 [01:19:0797] [PE] Init AhoCorasick [01:19:0797] [PE] Start AhoCorasick [01:19:0797] [PE] Looking results : 0 [01:19:0797] [PE] Section[1/3] : 0x24e4400 [01:19:0797] [PE] Init AhoCorasick [01:19:0797] [PE] Start AhoCorasick [01:19:0797] [PE] Looking results : 0 [01:19:0797] [PE] Section[2/3] : 0x24e5200 [01:19:0797] [PE] Init AhoCorasick [01:19:0797] [PE] Start AhoCorasick [01:19:0797] [PE] Looking results : 0 [01:19:0797] [PE] Section[3/3] : 0x24e5600 [01:19:0797] [PE] Init AhoCorasick [01:19:0797] [PE] Start AhoCorasick [01:19:0797] [PE] Looking results : 0 [01:19:0797] [CHECK] Blacklist [01:19:0797] [CHECK] BlacklistPath [01:19:0797] [CHECK] BlacklistMD5 [01:19:0797] [CHECK] MadeNumbers [01:19:0797] [CHECK] HasUnicode [01:19:0797] [CHECK] SuspPath [01:19:0797] [CHECK] ProcessResidue [01:19:0797] [CHECK] Not found! [01:19:0813] [Check DLLs] MLANG.dll : C:\WINDOWS\system32\MLANG.dll [01:19:0813] [CHECK] WhiteDLL [01:19:0813] [CHECK] Whitelist [01:19:0813] [CHECK] WellKnown [01:19:0813] [CHECK] WhitelistPath [01:19:0813] [CHECK] HijackName [01:19:0813] [CHECK] Signature [01:20:0469] [PE] Mapping [01:20:0500] [PE] Parsing [01:20:0500] [PE] Dos header -> 0x24e0000 [01:20:0500] [PE] Nt header (offset : 0xf0) file size 0x8f200 [01:20:0500] [PE] pNtHeadersx86 -> 0x24e00f0 [01:20:0500] [PE] Chars -> 0x210e [01:20:0500] [PE] Optional header [01:20:0516] [PE] Sections : 4 [01:20:0516] [PE] Section : 0 - .text [01:20:0516] [PE] Section : 1 - .data [01:20:0516] [PE] Section : 2 - .rsrc [01:20:0516] [PE] Section : 3 - .reloc [01:20:0516] [PE] File open : 1 [01:20:0516] [PE] Search sigs [01:20:0516] [PE] Section[0/3] : 0x24e0400 [01:20:0516] [PE] Init AhoCorasick [01:20:0516] [PE] Start AhoCorasick [01:20:0516] [PE] Looking results : 0 [01:20:0516] [PE] Section[1/3] : 0x2501400 [01:20:0516] [PE] Init AhoCorasick [01:20:0516] [PE] Start AhoCorasick [01:20:0516] [PE] Looking results : 0 [01:20:0516] [PE] Section[2/3] : 0x2505c00 [01:20:0516] [PE] Init AhoCorasick [01:20:0516] [PE] Start AhoCorasick [01:20:0516] [PE] Looking results : 0 [01:20:0516] [PE] Section[3/3] : 0x256d200 [01:20:0516] [PE] Init AhoCorasick [01:20:0516] [PE] Start AhoCorasick [01:20:0516] [PE] Looking results : 0 [01:20:0532] [CHECK] Blacklist [01:20:0532] [CHECK] BlacklistPath [01:20:0532] [CHECK] BlacklistMD5 [01:20:0532] [CHECK] MadeNumbers [01:20:0532] [CHECK] HasUnicode [01:20:0532] [CHECK] SuspPath [01:20:0532] [CHECK] ProcessResidue [01:20:0532] [CHECK] Not found! [01:20:0532] [Check DLLs] IPHLPAPI.DLL : C:\WINDOWS\system32\IPHLPAPI.DLL [01:20:0532] [CHECK] WhiteDLL [01:20:0532] [CHECK] Whitelist [01:20:0532] [CHECK] WellKnown [01:20:0532] [CHECK] WhitelistPath [01:20:0532] [CHECK] HijackName [01:20:0532] [CHECK] Signature [01:20:0719] [PE] Mapping [01:20:0719] [PE] Parsing [01:20:0719] [PE] Dos header -> 0x24e0000 [01:20:0719] [PE] Nt header (offset : 0xe0) file size 0x17200 [01:20:0719] [PE] pNtHeadersx86 -> 0x24e00e0 [01:20:0719] [PE] Chars -> 0x210e [01:20:0719] [PE] Optional header [01:20:0719] [PE] Sections : 4 [01:20:0719] [PE] Section : 0 - .text [01:20:0719] [PE] Section : 1 - .data [01:20:0719] [PE] Section : 2 - .rsrc [01:20:0719] [PE] Section : 3 - .reloc [01:20:0719] [PE] File open : 1 [01:20:0719] [PE] Search sigs [01:20:0719] [PE] Section[0/3] : 0x24e0400 [01:20:0719] [PE] Init AhoCorasick [01:20:0719] [PE] Start AhoCorasick [01:20:0719] [PE] Looking results : 0 [01:20:0719] [PE] Section[1/3] : 0x24f3200 [01:20:0719] [PE] Init AhoCorasick [01:20:0719] [PE] Start AhoCorasick [01:20:0719] [PE] Looking results : 0 [01:20:0719] [PE] Section[2/3] : 0x24f4200 [01:20:0719] [PE] Init AhoCorasick [01:20:0719] [PE] Start AhoCorasick [01:20:0719] [PE] Looking results : 0 [01:20:0719] [PE] Section[3/3] : 0x24f6400 [01:20:0719] [PE] Init AhoCorasick [01:20:0719] [PE] Start AhoCorasick [01:20:0719] [PE] Looking results : 0 [01:20:0719] [CHECK] Blacklist [01:20:0735] [CHECK] BlacklistPath [01:20:0735] [CHECK] BlacklistMD5 [01:20:0735] [CHECK] MadeNumbers [01:20:0735] [CHECK] HasUnicode [01:20:0735] [CHECK] SuspPath [01:20:0735] [CHECK] ProcessResidue [01:20:0735] [CHECK] Not found! [01:20:0735] [Check DLLs] WS2_32.dll : C:\WINDOWS\system32\WS2_32.dll [01:20:0735] [CHECK] WhiteDLL [01:20:0735] [CHECK] Whitelist [01:20:0735] [CHECK] WellKnown [01:20:0735] [CHECK] WhitelistPath [01:20:0735] [CHECK] HijackName [01:20:0735] [CHECK] Signature [01:20:0985] [PE] Mapping [01:20:0985] [PE] Parsing [01:20:0985] [PE] Dos header -> 0x24e0000 [01:20:0985] [PE] Nt header (offset : 0xf0) file size 0x14200 [01:20:0985] [PE] pNtHeadersx86 -> 0x24e00f0 [01:20:0985] [PE] Chars -> 0x210e [01:20:0985] [PE] Optional header [01:20:0985] [PE] Sections : 4 [01:20:0985] [PE] Section : 0 - .text [01:20:0985] [PE] Section : 1 - .data [01:20:0985] [PE] Section : 2 - .rsrc [01:20:0985] [PE] Section : 3 - .reloc [01:20:0985] [PE] File open : 1 [01:20:0985] [PE] Search sigs [01:20:0985] [PE] Section[0/3] : 0x24e0400 [01:20:0985] [PE] Init AhoCorasick [01:20:0985] [PE] Start AhoCorasick [01:20:0985] [PE] Looking results : 0 [01:20:0985] [PE] Section[1/3] : 0x24f2600 [01:20:0985] [PE] Init AhoCorasick [01:20:0985] [PE] Start AhoCorasick [01:20:0985] [PE] Looking results : 0 [01:20:0985] [PE] Section[2/3] : 0x24f3000 [01:20:0985] [PE] Init AhoCorasick [01:20:0985] [PE] Start AhoCorasick [01:20:0985] [PE] Looking results : 0 [01:20:0985] [PE] Section[3/3] : 0x24f3400 [01:20:0985] [PE] Init AhoCorasick [01:20:0985] [PE] Start AhoCorasick [01:20:0985] [PE] Looking results : 0 [01:20:0985] [CHECK] Blacklist [01:20:0985] [CHECK] BlacklistPath [01:20:0985] [CHECK] BlacklistMD5 [01:20:0985] [CHECK] MadeNumbers [01:20:0985] [CHECK] HasUnicode [01:20:0985] [CHECK] SuspPath [01:20:0985] [CHECK] ProcessResidue [01:20:0985] [CHECK] Not found! [01:20:0985] [Check DLLs] WS2HELP.dll : C:\WINDOWS\system32\WS2HELP.dll [01:20:0985] [CHECK] WhiteDLL [01:20:0985] [CHECK] Whitelist [01:20:0985] [CHECK] WellKnown [01:20:0985] [CHECK] WhitelistPath [01:20:0985] [CHECK] HijackName [01:20:0985] [CHECK] Signature [01:21:0110] [PE] Mapping [01:21:0110] [PE] Parsing [01:21:0110] [PE] Dos header -> 0x24e0000 [01:21:0125] [PE] Nt header (offset : 0xd8) file size 0x4e00 [01:21:0125] [PE] pNtHeadersx86 -> 0x24e00d8 [01:21:0125] [PE] Chars -> 0x210e [01:21:0125] [PE] Optional header [01:21:0125] [PE] Sections : 4 [01:21:0125] [PE] Section : 0 - .text [01:21:0125] [PE] Section : 1 - .data [01:21:0125] [PE] Section : 2 - .rsrc [01:21:0125] [PE] Section : 3 - .reloc [01:21:0125] [PE] File open : 1 [01:21:0125] [PE] Search sigs [01:21:0125] [PE] Section[0/3] : 0x24e0400 [01:21:0125] [PE] Init AhoCorasick [01:21:0125] [PE] Start AhoCorasick [01:21:0125] [PE] Looking results : 0 [01:21:0125] [PE] Section[1/3] : 0x24e4200 [01:21:0125] [PE] Init AhoCorasick [01:21:0125] [PE] Start AhoCorasick [01:21:0125] [PE] Looking results : 0 [01:21:0125] [PE] Section[2/3] : 0x24e4400 [01:21:0125] [PE] Init AhoCorasick [01:21:0125] [PE] Start AhoCorasick [01:21:0125] [PE] Looking results : 0 [01:21:0125] [PE] Section[3/3] : 0x24e4a00 [01:21:0125] [PE] Init AhoCorasick [01:21:0125] [PE] Start AhoCorasick [01:21:0125] [PE] Looking results : 0 [01:21:0125] [CHECK] Blacklist [01:21:0125] [CHECK] BlacklistPath [01:21:0125] [CHECK] BlacklistMD5 [01:21:0125] [CHECK] MadeNumbers [01:21:0125] [CHECK] HasUnicode [01:21:0125] [CHECK] SuspPath [01:21:0125] [CHECK] ProcessResidue [01:21:0125] [CHECK] Not found! [01:21:0125] [Check DLLs] netman.dll : C:\WINDOWS\system32\netman.dll [01:21:0125] [CHECK] WhiteDLL [01:21:0125] [CHECK] Whitelist [01:21:0125] [CHECK] WellKnown [01:21:0125] [CHECK] WhitelistPath [01:21:0125] [CHECK] HijackName [01:21:0125] [CHECK] Signature [01:21:0453] [PE] Mapping [01:21:0469] [PE] Parsing [01:21:0469] [PE] Dos header -> 0x24e0000 [01:21:0469] [PE] Nt header (offset : 0xe0) file size 0x30600 [01:21:0469] [PE] pNtHeadersx86 -> 0x24e00e0 [01:21:0469] [PE] Chars -> 0x210e [01:21:0469] [PE] Optional header [01:21:0469] [PE] Sections : 4 [01:21:0469] [PE] Section : 0 - .text [01:21:0469] [PE] Section : 1 - .data [01:21:0469] [PE] Section : 2 - .rsrc [01:21:0469] [PE] Section : 3 - .reloc [01:21:0469] [PE] File open : 1 [01:21:0469] [PE] Search sigs [01:21:0469] [PE] Section[0/3] : 0x24e0600 [01:21:0469] [PE] Init AhoCorasick [01:21:0469] [PE] Start AhoCorasick [01:21:0469] [PE] Looking results : 0 [01:21:0469] [PE] Section[1/3] : 0x250ac00 [01:21:0469] [PE] Init AhoCorasick [01:21:0469] [PE] Start AhoCorasick [01:21:0469] [PE] Looking results : 0 [01:21:0469] [PE] Section[2/3] : 0x250b400 [01:21:0469] [PE] Init AhoCorasick [01:21:0469] [PE] Start AhoCorasick [01:21:0469] [PE] Looking results : 0 [01:21:0469] [PE] Section[3/3] : 0x250e200 [01:21:0469] [PE] Init AhoCorasick [01:21:0469] [PE] Start AhoCorasick [01:21:0469] [PE] Looking results : 0 [01:21:0469] [CHECK] Blacklist [01:21:0469] [CHECK] BlacklistPath [01:21:0469] [CHECK] BlacklistMD5 [01:21:0469] [CHECK] MadeNumbers [01:21:0469] [CHECK] HasUnicode [01:21:0469] [CHECK] SuspPath [01:21:0469] [CHECK] ProcessResidue [01:21:0469] [CHECK] Not found! [01:21:0469] [Check DLLs] MPRAPI.dll : C:\WINDOWS\system32\MPRAPI.dll [01:21:0469] [CHECK] WhiteDLL [01:21:0469] [CHECK] Whitelist [01:21:0485] [CHECK] WellKnown [01:21:0485] [CHECK] WhitelistPath [01:21:0485] [CHECK] HijackName [01:21:0485] [CHECK] Signature [01:21:0625] [PE] Mapping [01:21:0625] [PE] Parsing [01:21:0625] [PE] Dos header -> 0x24e0000 [01:21:0625] [PE] Nt header (offset : 0xe0) file size 0x15400 [01:21:0625] [PE] pNtHeadersx86 -> 0x24e00e0 [01:21:0625] [PE] Chars -> 0x210e [01:21:0625] [PE] Optional header [01:21:0625] [PE] Sections : 4 [01:21:0625] [PE] Section : 0 - .text [01:21:0625] [PE] Section : 1 - .data [01:21:0625] [PE] Section : 2 - .rsrc [01:21:0625] [PE] Section : 3 - .reloc [01:21:0625] [PE] File open : 1 [01:21:0625] [PE] Search sigs [01:21:0625] [PE] Section[0/3] : 0x24e0400 [01:21:0625] [PE] Init AhoCorasick [01:21:0625] [PE] Start AhoCorasick [01:21:0625] [PE] Looking results : 0 [01:21:0625] [PE] Section[1/3] : 0x24f3e00 [01:21:0625] [PE] Init AhoCorasick [01:21:0625] [PE] Start AhoCorasick [01:21:0625] [PE] Looking results : 0 [01:21:0625] [PE] Section[2/3] : 0x24f4000 [01:21:0625] [PE] Init AhoCorasick [01:21:0625] [PE] Start AhoCorasick [01:21:0625] [PE] Looking results : 0 [01:21:0625] [PE] Section[3/3] : 0x24f4600 [01:21:0625] [PE] Init AhoCorasick [01:21:0625] [PE] Start AhoCorasick [01:21:0625] [PE] Looking results : 0 [01:21:0625] [CHECK] Blacklist [01:21:0625] [CHECK] BlacklistPath [01:21:0625] [CHECK] BlacklistMD5 [01:21:0625] [CHECK] MadeNumbers [01:21:0625] [CHECK] HasUnicode [01:21:0625] [CHECK] SuspPath [01:21:0641] [CHECK] ProcessResidue [01:21:0641] [CHECK] Not found! [01:21:0641] [Check DLLs] ACTIVEDS.dll : C:\WINDOWS\system32\ACTIVEDS.dll [01:21:0641] [CHECK] WhiteDLL [01:21:0641] [CHECK] Whitelist [01:21:0641] [CHECK] WellKnown [01:21:0641] [CHECK] WhitelistPath [01:21:0641] [CHECK] HijackName [01:21:0641] [CHECK] Signature [01:21:0875] [PE] Mapping [01:21:0875] [PE] Parsing [01:21:0875] [PE] Dos header -> 0x24e0000 [01:21:0875] [PE] Nt header (offset : 0xe0) file size 0x2f400 [01:21:0875] [PE] pNtHeadersx86 -> 0x24e00e0 [01:21:0875] [PE] Chars -> 0x210e [01:21:0875] [PE] Optional header [01:21:0875] [PE] Sections : 4 [01:21:0875] [PE] Section : 0 - .text [01:21:0875] [PE] Section : 1 - .data [01:21:0875] [PE] Section : 2 - .rsrc [01:21:0875] [PE] Section : 3 - .reloc [01:21:0875] [PE] File open : 1 [01:21:0875] [PE] Search sigs [01:21:0875] [PE] Section[0/3] : 0x24e0400 [01:21:0875] [PE] Init AhoCorasick [01:21:0875] [PE] Start AhoCorasick [01:21:0875] [PE] Looking results : 0 [01:21:0875] [PE] Section[1/3] : 0x2505c00 [01:21:0875] [PE] Init AhoCorasick [01:21:0875] [PE] Start AhoCorasick [01:21:0875] [PE] Looking results : 0 [01:21:0891] [PE] Section[2/3] : 0x250ca00 [01:21:0891] [PE] Init AhoCorasick [01:21:0891] [PE] Start AhoCorasick [01:21:0891] [PE] Looking results : 0 [01:21:0891] [PE] Section[3/3] : 0x250da00 [01:21:0891] [PE] Init AhoCorasick [01:21:0891] [PE] Start AhoCorasick [01:21:0891] [PE] Looking results : 0 [01:21:0891] [CHECK] Blacklist [01:21:0891] [CHECK] BlacklistPath [01:21:0891] [CHECK] BlacklistMD5 [01:21:0891] [CHECK] MadeNumbers [01:21:0891] [CHECK] HasUnicode [01:21:0891] [CHECK] SuspPath [01:21:0891] [CHECK] ProcessResidue [01:21:0891] [CHECK] Not found! [01:21:0891] [Check DLLs] adsldpc.dll : C:\WINDOWS\system32\adsldpc.dll [01:21:0891] [CHECK] WhiteDLL [01:21:0891] [CHECK] Whitelist [01:21:0891] [CHECK] WellKnown [01:21:0891] [CHECK] WhitelistPath [01:21:0891] [CHECK] HijackName [01:21:0891] [CHECK] Signature [01:22:0219] [PE] Mapping [01:22:0235] [PE] Parsing [01:22:0235] [PE] Dos header -> 0x24e0000 [01:22:0235] [PE] Nt header (offset : 0xf0) file size 0x23000 [01:22:0235] [PE] pNtHeadersx86 -> 0x24e00f0 [01:22:0235] [PE] Chars -> 0x210e [01:22:0235] [PE] Optional header [01:22:0235] [PE] Sections : 4 [01:22:0235] [PE] Section : 0 - .text [01:22:0235] [PE] Section : 1 - .data [01:22:0235] [PE] Section : 2 - .rsrc [01:22:0235] [PE] Section : 3 - .reloc [01:22:0235] [PE] File open : 1 [01:22:0235] [PE] Search sigs [01:22:0235] [PE] Section[0/3] : 0x24e0400 [01:22:0235] [PE] Init AhoCorasick [01:22:0235] [PE] Start AhoCorasick [01:22:0235] [PE] Looking results : 0 [01:22:0235] [PE] Section[1/3] : 0x2501400 [01:22:0235] [PE] Init AhoCorasick [01:22:0235] [PE] Start AhoCorasick [01:22:0235] [PE] Looking results : 0 [01:22:0235] [PE] Section[2/3] : 0x2501e00 [01:22:0235] [PE] Init AhoCorasick [01:22:0235] [PE] Start AhoCorasick [01:22:0235] [PE] Looking results : 0 [01:22:0235] [PE] Section[3/3] : 0x2502400 [01:22:0235] [PE] Init AhoCorasick [01:22:0235] [PE] Start AhoCorasick [01:22:0235] [PE] Looking results : 0 [01:22:0235] [CHECK] Blacklist [01:22:0235] [CHECK] BlacklistPath [01:22:0235] [CHECK] BlacklistMD5 [01:22:0235] [CHECK] MadeNumbers [01:22:0235] [CHECK] HasUnicode [01:22:0235] [CHECK] SuspPath [01:22:0235] [CHECK] ProcessResidue [01:22:0235] [CHECK] Not found! [01:22:0235] [Check DLLs] ATL.DLL : C:\WINDOWS\system32\ATL.DLL [01:22:0235] [CHECK] WhiteDLL [01:22:0235] [CHECK] Whitelist [01:22:0235] [CHECK] WellKnown [01:22:0235] [CHECK] WhitelistPath [01:22:0235] [CHECK] HijackName [01:22:0235] [CHECK] Signature [01:22:0375] [PE] Mapping [01:22:0469] [PE] Parsing [01:22:0657] [PE] Dos header -> 0x24e0000 [01:22:0657] [PE] Nt header (offset : 0xf0) file size 0xe600 [01:22:0657] [PE] pNtHeadersx86 -> 0x24e00f0 [01:22:0657] [PE] Chars -> 0x210e [01:22:0672] [PE] Optional header [01:22:0672] [PE] Sections : 4 [01:22:0672] [PE] Section : 0 - .text [01:22:0672] [PE] Section : 1 - .data [01:22:0672] [PE] Section : 2 - .rsrc [01:22:0672] [PE] Section : 3 - .reloc [01:22:0672] [PE] File open : 1 [01:22:0672] [PE] Search sigs [01:22:0672] [PE] Section[0/3] : 0x24e0400 [01:22:0672] [PE] Init AhoCorasick [01:22:0672] [PE] Start AhoCorasick [01:22:0672] [PE] Looking results : 0 [01:22:0672] [PE] Section[1/3] : 0x24eb200 [01:22:0672] [PE] Init AhoCorasick [01:22:0672] [PE] Start AhoCorasick [01:22:0672] [PE] Looking results : 0 [01:22:0672] [PE] Section[2/3] : 0x24eb600 [01:22:0672] [PE] Init AhoCorasick [01:22:0672] [PE] Start AhoCorasick [01:22:0672] [PE] Looking results : 0 [01:22:0672] [PE] Section[3/3] : 0x24eda00 [01:22:0672] [PE] Init AhoCorasick [01:22:0672] [PE] Start AhoCorasick [01:22:0672] [PE] Looking results : 0 [01:22:0672] [CHECK] Blacklist [01:22:0672] [CHECK] BlacklistPath [01:22:0672] [CHECK] BlacklistMD5 [01:22:0672] [CHECK] MadeNumbers [01:22:0672] [CHECK] HasUnicode [01:22:0672] [CHECK] SuspPath [01:22:0672] [CHECK] ProcessResidue [01:22:0672] [CHECK] Not found! [01:22:0672] [Check DLLs] rtutils.dll : C:\WINDOWS\system32\rtutils.dll [01:22:0672] [CHECK] WhiteDLL [01:22:0672] [CHECK] Whitelist [01:22:0672] [CHECK] WellKnown [01:22:0672] [CHECK] WhitelistPath [01:22:0672] [CHECK] HijackName [01:22:0672] [CHECK] Signature [01:22:0844] [PE] Mapping [01:22:0844] [PE] Parsing [01:22:0844] [PE] Dos header -> 0x24e0000 [01:22:0844] [PE] Nt header (offset : 0xd8) file size 0xac00 [01:22:0844] [PE] pNtHeadersx86 -> 0x24e00d8 [01:22:0844] [PE] Chars -> 0x210e [01:22:0844] [PE] Optional header [01:22:0844] [PE] Sections : 4 [01:22:0844] [PE] Section : 0 - .text [01:22:0844] [PE] Section : 1 - .data [01:22:0844] [PE] Section : 2 - .rsrc [01:22:0844] [PE] Section : 3 - .reloc [01:22:0844] [PE] File open : 1 [01:22:0844] [PE] Search sigs [01:22:0844] [PE] Section[0/3] : 0x24e0400 [01:22:0844] [PE] Init AhoCorasick [01:22:0844] [PE] Start AhoCorasick [01:22:0844] [PE] Looking results : 0 [01:22:0844] [PE] Section[1/3] : 0x24e9c00 [01:22:0844] [PE] Init AhoCorasick [01:22:0844] [PE] Start AhoCorasick [01:22:0844] [PE] Looking results : 0 [01:22:0844] [PE] Section[2/3] : 0x24e9e00 [01:22:0844] [PE] Init AhoCorasick [01:22:0844] [PE] Start AhoCorasick [01:22:0844] [PE] Looking results : 0 [01:22:0844] [PE] Section[3/3] : 0x24ea200 [01:22:0844] [PE] Init AhoCorasick [01:22:0844] [PE] Start AhoCorasick [01:22:0844] [PE] Looking results : 0 [01:22:0844] [CHECK] Blacklist [01:22:0844] [CHECK] BlacklistPath [01:22:0844] [CHECK] BlacklistMD5 [01:22:0844] [CHECK] MadeNumbers [01:22:0844] [CHECK] HasUnicode [01:22:0844] [CHECK] SuspPath [01:22:0844] [CHECK] ProcessResidue [01:22:0844] [CHECK] Not found! [01:22:0844] [Check DLLs] SETUPAPI.dll : C:\WINDOWS\system32\SETUPAPI.dll [01:22:0844] [CHECK] WhiteDLL [01:22:0844] [CHECK] Whitelist [01:22:0844] [CHECK] WellKnown [01:22:0860] [CHECK] WhitelistPath [01:22:0860] [CHECK] HijackName [01:22:0860] [CHECK] Signature [01:24:0078] [PE] Mapping [01:24:0094] [PE] Parsing [01:24:0094] [PE] Dos header -> 0x24e0000 [01:24:0094] [PE] Nt header (offset : 0xd8) file size 0xf0800 [01:24:0094] [PE] pNtHeadersx86 -> 0x24e00d8 [01:24:0094] [PE] Chars -> 0x2d0e [01:24:0094] [PE] Optional header [01:24:0094] [PE] Sections : 4 [01:24:0094] [PE] Section : 0 - .text [01:24:0094] [PE] Section : 1 - .data [01:24:0094] [PE] Section : 2 - .rsrc [01:24:0094] [PE] Section : 3 - .reloc [01:24:0094] [PE] File open : 1 [01:24:0094] [PE] Search sigs [01:24:0094] [PE] Section[0/3] : 0x24e0400 [01:24:0094] [PE] Init AhoCorasick [01:24:0094] [PE] Start AhoCorasick [01:24:0110] [PE] Looking results : 0 [01:24:0110] [PE] Section[1/3] : 0x255d400 [01:24:0110] [PE] Init AhoCorasick [01:24:0110] [PE] Start AhoCorasick [01:24:0110] [PE] Looking results : 0 [01:24:0110] [PE] Section[2/3] : 0x255ec00 [01:24:0110] [PE] Init AhoCorasick [01:24:0110] [PE] Start AhoCorasick [01:24:0125] [PE] Looking results : 0 [01:24:0125] [PE] Section[3/3] : 0x25cc200 [01:24:0125] [PE] Init AhoCorasick [01:24:0125] [PE] Start AhoCorasick [01:24:0125] [PE] Looking results : 0 [01:24:0125] [CHECK] Blacklist [01:24:0125] [CHECK] BlacklistPath [01:24:0125] [CHECK] BlacklistMD5 [01:24:0125] [CHECK] MadeNumbers [01:24:0125] [CHECK] HasUnicode [01:24:0125] [CHECK] SuspPath [01:24:0125] [CHECK] ProcessResidue [01:24:0125] [CHECK] Not found! [01:24:0125] [Check DLLs] netshell.dll : C:\WINDOWS\system32\netshell.dll [01:24:0125] [CHECK] WhiteDLL [01:24:0125] [CHECK] Whitelist [01:24:0125] [CHECK] WellKnown [01:24:0125] [CHECK] WhitelistPath [01:24:0125] [CHECK] HijackName [01:24:0125] [CHECK] Signature [01:26:0000] [PE] Mapping [01:26:0000] [PE] Parsing [01:26:0000] [PE] Dos header -> 0x27e0000 [01:26:0000] [PE] Nt header (offset : 0xf0) file size 0x1a0000 [01:26:0000] [PE] pNtHeadersx86 -> 0x27e00f0 [01:26:0000] [PE] Chars -> 0x210e [01:26:0016] [PE] Optional header [01:26:0016] [PE] Sections : 5 [01:26:0016] [PE] Section : 0 - .text [01:26:0016] [PE] Section : 1 - .orpc [01:26:0016] [PE] Section : 2 - .data [01:26:0016] [PE] Section : 3 - .rsrc [01:26:0016] [PE] Section : 4 - .reloc [01:26:0016] [PE] File open : 1 [01:26:0016] [PE] Search sigs [01:26:0016] [PE] Section[0/4] : 0x27e0600 [01:26:0016] [PE] Init AhoCorasick [01:26:0016] [PE] Start AhoCorasick [01:26:0016] [PE] Looking results : 0 [01:26:0016] [PE] Section[1/4] : 0x2852800 [01:26:0016] [PE] Init AhoCorasick [01:26:0016] [PE] Start AhoCorasick [01:26:0016] [PE] Looking results : 0 [01:26:0016] [PE] Section[2/4] : 0x2852a00 [01:26:0016] [PE] Init AhoCorasick [01:26:0016] [PE] Start AhoCorasick [01:26:0016] [PE] Looking results : 0 [01:26:0016] [PE] Section[3/4] : 0x2854c00 [01:26:0016] [PE] Init AhoCorasick [01:26:0016] [PE] Start AhoCorasick [01:26:0047] [PE] Looking results : 0 [01:26:0047] [PE] Section[4/4] : 0x297aa00 [01:26:0047] [PE] Init AhoCorasick [01:26:0047] [PE] Start AhoCorasick [01:26:0047] [PE] Looking results : 0 [01:26:0047] [CHECK] Blacklist [01:26:0047] [CHECK] BlacklistPath [01:26:0047] [CHECK] BlacklistMD5 [01:26:0047] [CHECK] MadeNumbers [01:26:0047] [CHECK] HasUnicode [01:26:0047] [CHECK] SuspPath [01:26:0047] [CHECK] ProcessResidue [01:26:0047] [CHECK] Not found! [01:26:0047] [Check DLLs] credui.dll : C:\WINDOWS\system32\credui.dll [01:26:0047] [CHECK] WhiteDLL [01:26:0047] [CHECK] Whitelist [01:26:0047] [CHECK] WellKnown [01:26:0047] [CHECK] WhitelistPath [01:26:0047] [CHECK] HijackName [01:26:0047] [CHECK] Signature [01:26:0313] [PE] Mapping [01:26:0313] [PE] Parsing [01:26:0313] [PE] Dos header -> 0x24e0000 [01:26:0313] [PE] Nt header (offset : 0xe0) file size 0x28000 [01:26:0313] [PE] pNtHeadersx86 -> 0x24e00e0 [01:26:0313] [PE] Chars -> 0x210e [01:26:0313] [PE] Optional header [01:26:0313] [PE] Sections : 4 [01:26:0313] [PE] Section : 0 - .text [01:26:0313] [PE] Section : 1 - .data [01:26:0313] [PE] Section : 2 - .rsrc [01:26:0313] [PE] Section : 3 - .reloc [01:26:0313] [PE] File open : 1 [01:26:0313] [PE] Search sigs [01:26:0313] [PE] Section[0/3] : 0x24e0400 [01:26:0313] [PE] Init AhoCorasick [01:26:0313] [PE] Start AhoCorasick [01:26:0313] [PE] Looking results : 0 [01:26:0313] [PE] Section[1/3] : 0x24eea00 [01:26:0313] [PE] Init AhoCorasick [01:26:0313] [PE] Start AhoCorasick [01:26:0313] [PE] Looking results : 0 [01:26:0313] [PE] Section[2/3] : 0x24ef000 [01:26:0313] [PE] Init AhoCorasick [01:26:0313] [PE] Start AhoCorasick [01:26:0313] [PE] Looking results : 0 [01:26:0313] [PE] Section[3/3] : 0x2506c00 [01:26:0313] [PE] Init AhoCorasick [01:26:0313] [PE] Start AhoCorasick [01:26:0313] [PE] Looking results : 0 [01:26:0313] [CHECK] Blacklist [01:26:0313] [CHECK] BlacklistPath [01:26:0313] [CHECK] BlacklistMD5 [01:26:0313] [CHECK] MadeNumbers [01:26:0313] [CHECK] HasUnicode [01:26:0313] [CHECK] SuspPath [01:26:0313] [CHECK] ProcessResidue [01:26:0313] [CHECK] Not found! [01:26:0313] [Check DLLs] dot3api.dll : C:\WINDOWS\system32\dot3api.dll [01:26:0313] [CHECK] WhiteDLL [01:26:0313] [CHECK] Whitelist [01:26:0313] [CHECK] WellKnown [01:26:0313] [CHECK] WhitelistPath [01:26:0313] [CHECK] HijackName [01:26:0313] [CHECK] Signature [01:26:0469] [PE] Mapping [01:26:0469] [PE] Parsing [01:26:0469] [PE] Dos header -> 0x24e0000 [01:26:0469] [PE] Nt header (offset : 0xe8) file size 0x6600 [01:26:0469] [PE] pNtHeadersx86 -> 0x24e00e8 [01:26:0469] [PE] Chars -> 0x210e [01:26:0469] [PE] Optional header [01:26:0469] [PE] Sections : 4 [01:26:0469] [PE] Section : 0 - .text [01:26:0469] [PE] Section : 1 - .data [01:26:0469] [PE] Section : 2 - .rsrc [01:26:0469] [PE] Section : 3 - .reloc [01:26:0469] [PE] File open : 1 [01:26:0469] [PE] Search sigs [01:26:0469] [PE] Section[0/3] : 0x24e0400 [01:26:0469] [PE] Init AhoCorasick [01:26:0469] [PE] Start AhoCorasick [01:26:0469] [PE] Looking results : 0 [01:26:0469] [PE] Section[1/3] : 0x24e5600 [01:26:0469] [PE] Init AhoCorasick [01:26:0469] [PE] Start AhoCorasick [01:26:0469] [PE] Looking results : 0 [01:26:0469] [PE] Section[2/3] : 0x24e5800 [01:26:0469] [PE] Init AhoCorasick [01:26:0469] [PE] Start AhoCorasick [01:26:0469] [PE] Looking results : 0 [01:26:0469] [PE] Section[3/3] : 0x24e6000 [01:26:0469] [PE] Init AhoCorasick [01:26:0469] [PE] Start AhoCorasick [01:26:0469] [PE] Looking results : 0 [01:26:0469] [CHECK] Blacklist [01:26:0469] [CHECK] BlacklistPath [01:26:0469] [CHECK] BlacklistMD5 [01:26:0469] [CHECK] MadeNumbers [01:26:0469] [CHECK] HasUnicode [01:26:0469] [CHECK] SuspPath [01:26:0469] [CHECK] ProcessResidue [01:26:0469] [CHECK] Not found! [01:26:0469] [Check DLLs] dot3dlg.dll : C:\WINDOWS\system32\dot3dlg.dll [01:26:0469] [CHECK] WhiteDLL [01:26:0469] [CHECK] Whitelist [01:26:0469] [CHECK] WellKnown [01:26:0469] [CHECK] WhitelistPath [01:26:0469] [CHECK] HijackName [01:26:0469] [CHECK] Signature [01:26:0594] [PE] Mapping [01:26:0594] [PE] Parsing [01:26:0594] [PE] Dos header -> 0x24e0000 [01:26:0594] [PE] Nt header (offset : 0xe0) file size 0x2400 [01:26:0594] [PE] pNtHeadersx86 -> 0x24e00e0 [01:26:0594] [PE] Chars -> 0x210e [01:26:0594] [PE] Optional header [01:26:0594] [PE] Sections : 4 [01:26:0594] [PE] Section : 0 - .text [01:26:0594] [PE] Section : 1 - .data [01:26:0594] [PE] Section : 2 - .rsrc [01:26:0594] [PE] Section : 3 - .reloc [01:26:0594] [PE] File open : 1 [01:26:0594] [PE] Search sigs [01:26:0594] [PE] Section[0/3] : 0x24e0400 [01:26:0594] [PE] Init AhoCorasick [01:26:0594] [PE] Start AhoCorasick [01:26:0594] [PE] Looking results : 0 [01:26:0594] [PE] Section[1/3] : 0x24e1a00 [01:26:0594] [PE] Init AhoCorasick [01:26:0594] [PE] Start AhoCorasick [01:26:0594] [PE] Looking results : 0 [01:26:0594] [PE] Section[2/3] : 0x24e1c00 [01:26:0594] [PE] Init AhoCorasick [01:26:0594] [PE] Start AhoCorasick [01:26:0594] [PE] Looking results : 0 [01:26:0594] [PE] Section[3/3] : 0x24e2200 [01:26:0594] [PE] Init AhoCorasick [01:26:0610] [PE] Start AhoCorasick [01:26:0610] [PE] Looking results : 0 [01:26:0610] [CHECK] Blacklist [01:26:0610] [CHECK] BlacklistPath [01:26:0610] [CHECK] BlacklistMD5 [01:26:0610] [CHECK] MadeNumbers [01:26:0610] [CHECK] HasUnicode [01:26:0610] [CHECK] SuspPath [01:26:0610] [CHECK] ProcessResidue [01:26:0610] [CHECK] Not found! [01:26:0610] [Check DLLs] OneX.DLL : C:\WINDOWS\system32\OneX.DLL [01:26:0610] [CHECK] WhiteDLL [01:26:0610] [CHECK] Whitelist [01:26:0610] [CHECK] WellKnown [01:26:0610] [CHECK] WhitelistPath [01:26:0610] [CHECK] HijackName [01:26:0610] [CHECK] Signature [01:26:0907] [PE] Mapping [01:26:0907] [PE] Parsing [01:26:0907] [PE] Dos header -> 0x24e0000 [01:26:0907] [PE] Nt header (offset : 0xe0) file size 0x23400 [01:26:0907] [PE] pNtHeadersx86 -> 0x24e00e0 [01:26:0907] [PE] Chars -> 0x210e [01:26:0907] [PE] Optional header [01:26:0907] [PE] Sections : 4 [01:26:0907] [PE] Section : 0 - .text [01:26:0907] [PE] Section : 1 - .data [01:26:0907] [PE] Section : 2 - .rsrc [01:26:0907] [PE] Section : 3 - .reloc [01:26:0907] [PE] File open : 1 [01:26:0907] [PE] Search sigs [01:26:0907] [PE] Section[0/3] : 0x24e0400 [01:26:0907] [PE] Init AhoCorasick [01:26:0907] [PE] Start AhoCorasick [01:26:0907] [PE] Looking results : 0 [01:26:0907] [PE] Section[1/3] : 0x24fb400 [01:26:0907] [PE] Init AhoCorasick [01:26:0907] [PE] Start AhoCorasick [01:26:0907] [PE] Looking results : 0 [01:26:0907] [PE] Section[2/3] : 0x24fb800 [01:26:0907] [PE] Init AhoCorasick [01:26:0907] [PE] Start AhoCorasick [01:26:0907] [PE] Looking results : 0 [01:26:0907] [PE] Section[3/3] : 0x2502200 [01:26:0907] [PE] Init AhoCorasick [01:26:0907] [PE] Start AhoCorasick [01:26:0907] [PE] Looking results : 0 [01:26:0907] [CHECK] Blacklist [01:26:0907] [CHECK] BlacklistPath [01:26:0907] [CHECK] BlacklistMD5 [01:26:0907] [CHECK] MadeNumbers [01:26:0907] [CHECK] HasUnicode [01:26:0907] [CHECK] SuspPath [01:26:0907] [CHECK] ProcessResidue [01:26:0907] [CHECK] Not found! [01:26:0907] [Check DLLs] WTSAPI32.dll : C:\WINDOWS\system32\WTSAPI32.dll [01:26:0907] [CHECK] WhiteDLL [01:26:0907] [CHECK] Whitelist [01:26:0907] [CHECK] WellKnown [01:26:0907] [CHECK] WhitelistPath [01:26:0907] [CHECK] HijackName [01:26:0907] [CHECK] Signature [01:27:0032] [PE] Mapping [01:27:0032] [PE] Parsing [01:27:0032] [PE] Dos header -> 0x24e0000 [01:27:0032] [PE] Nt header (offset : 0xe8) file size 0x4800 [01:27:0047] [PE] pNtHeadersx86 -> 0x24e00e8 [01:27:0047] [PE] Chars -> 0x210e [01:27:0047] [PE] Optional header [01:27:0047] [PE] Sections : 4 [01:27:0047] [PE] Section : 0 - .text [01:27:0047] [PE] Section : 1 - .data [01:27:0047] [PE] Section : 2 - .rsrc [01:27:0047] [PE] Section : 3 - .reloc [01:27:0047] [PE] File open : 1 [01:27:0047] [PE] Search sigs [01:27:0047] [PE] Section[0/3] : 0x24e0400 [01:27:0047] [PE] Init AhoCorasick [01:27:0047] [PE] Start AhoCorasick [01:27:0047] [PE] Looking results : 0 [01:27:0047] [PE] Section[1/3] : 0x24e3c00 [01:27:0047] [PE] Init AhoCorasick [01:27:0047] [PE] Start AhoCorasick [01:27:0047] [PE] Looking results : 0 [01:27:0047] [PE] Section[2/3] : 0x24e3e00 [01:27:0047] [PE] Init AhoCorasick [01:27:0047] [PE] Start AhoCorasick [01:27:0047] [PE] Looking results : 0 [01:27:0047] [PE] Section[3/3] : 0x24e4400 [01:27:0047] [PE] Init AhoCorasick [01:27:0047] [PE] Start AhoCorasick [01:27:0047] [PE] Looking results : 0 [01:27:0047] [CHECK] Blacklist [01:27:0047] [CHECK] BlacklistPath [01:27:0047] [CHECK] BlacklistMD5 [01:27:0047] [CHECK] MadeNumbers [01:27:0047] [CHECK] HasUnicode [01:27:0047] [CHECK] SuspPath [01:27:0047] [CHECK] ProcessResidue [01:27:0047] [CHECK] Not found! [01:27:0047] [Check DLLs] WINSTA.dll : C:\WINDOWS\system32\WINSTA.dll [01:27:0047] [CHECK] WhiteDLL [01:27:0047] [CHECK] Whitelist [01:27:0047] [CHECK] WellKnown [01:27:0047] [CHECK] WhitelistPath [01:27:0047] [CHECK] HijackName [01:27:0047] [CHECK] Signature [01:27:0235] [PE] Mapping [01:27:0235] [PE] Parsing [01:27:0235] [PE] Dos header -> 0x24e0000 [01:27:0235] [PE] Nt header (offset : 0xe8) file size 0xd200 [01:27:0235] [PE] pNtHeadersx86 -> 0x24e00e8 [01:27:0235] [PE] Chars -> 0x210e [01:27:0235] [PE] Optional header [01:27:0235] [PE] Sections : 4 [01:27:0235] [PE] Section : 0 - .text [01:27:0235] [PE] Section : 1 - .data [01:27:0235] [PE] Section : 2 - .rsrc [01:27:0235] [PE] Section : 3 - .reloc [01:27:0235] [PE] File open : 1 [01:27:0235] [PE] Search sigs [01:27:0235] [PE] Section[0/3] : 0x24e0400 [01:27:0235] [PE] Init AhoCorasick [01:27:0235] [PE] Start AhoCorasick [01:27:0235] [PE] Looking results : 0 [01:27:0235] [PE] Section[1/3] : 0x24ec200 [01:27:0235] [PE] Init AhoCorasick [01:27:0235] [PE] Start AhoCorasick [01:27:0235] [PE] Looking results : 0 [01:27:0235] [PE] Section[2/3] : 0x24ec400 [01:27:0235] [PE] Init AhoCorasick [01:27:0235] [PE] Start AhoCorasick [01:27:0235] [PE] Looking results : 0 [01:27:0235] [PE] Section[3/3] : 0x24ec800 [01:27:0235] [PE] Init AhoCorasick [01:27:0235] [PE] Start AhoCorasick [01:27:0235] [PE] Looking results : 0 [01:27:0235] [CHECK] Blacklist [01:27:0235] [CHECK] BlacklistPath [01:27:0235] [CHECK] BlacklistMD5 [01:27:0235] [CHECK] MadeNumbers [01:27:0235] [CHECK] HasUnicode [01:27:0235] [CHECK] SuspPath [01:27:0235] [CHECK] ProcessResidue [01:27:0235] [CHECK] Not found! [01:27:0235] [Check DLLs] eappcfg.dll : C:\WINDOWS\system32\eappcfg.dll [01:27:0235] [CHECK] WhiteDLL [01:27:0235] [CHECK] Whitelist [01:27:0250] [CHECK] WellKnown [01:27:0250] [CHECK] WhitelistPath [01:27:0250] [CHECK] HijackName [01:27:0250] [CHECK] Signature [01:27:0453] [PE] Mapping [01:27:0563] [PE] Parsing [01:27:0563] [PE] Dos header -> 0x24e0000 [01:27:0578] [PE] Nt header (offset : 0xe8) file size 0x1f000 [01:27:0578] [PE] pNtHeadersx86 -> 0x24e00e8 [01:27:0578] [PE] Chars -> 0x210e [01:27:0578] [PE] Optional header [01:27:0578] [PE] Sections : 4 [01:27:0578] [PE] Section : 0 - .text [01:27:0578] [PE] Section : 1 - .data [01:27:0578] [PE] Section : 2 - .rsrc [01:27:0578] [PE] Section : 3 - .reloc [01:27:0578] [PE] File open : 1 [01:27:0578] [PE] Search sigs [01:27:0578] [PE] Section[0/3] : 0x24e0400 [01:27:0578] [PE] Init AhoCorasick [01:27:0578] [PE] Start AhoCorasick [01:27:0578] [PE] Looking results : 0 [01:27:0578] [PE] Section[1/3] : 0x24fb400 [01:27:0578] [PE] Init AhoCorasick [01:27:0578] [PE] Start AhoCorasick [01:27:0578] [PE] Looking results : 0 [01:27:0578] [PE] Section[2/3] : 0x24fc200 [01:27:0578] [PE] Init AhoCorasick [01:27:0578] [PE] Start AhoCorasick [01:27:0578] [PE] Looking results : 0 [01:27:0578] [PE] Section[3/3] : 0x24fc800 [01:27:0578] [PE] Init AhoCorasick [01:27:0578] [PE] Start AhoCorasick [01:27:0578] [PE] Looking results : 0 [01:27:0578] [CHECK] Blacklist [01:27:0578] [CHECK] BlacklistPath [01:27:0578] [CHECK] BlacklistMD5 [01:27:0578] [CHECK] MadeNumbers [01:27:0578] [CHECK] HasUnicode [01:27:0578] [CHECK] SuspPath [01:27:0578] [CHECK] ProcessResidue [01:27:0578] [CHECK] Not found! [01:27:0578] [Check DLLs] MSVCP60.dll : C:\WINDOWS\system32\MSVCP60.dll [01:27:0578] [CHECK] WhiteDLL [01:27:0578] [Check DLLs] eappprxy.dll : C:\WINDOWS\system32\eappprxy.dll [01:27:0578] [CHECK] WhiteDLL [01:27:0578] [CHECK] Whitelist [01:27:0578] [CHECK] WellKnown [01:27:0578] [CHECK] WhitelistPath [01:27:0578] [CHECK] HijackName [01:27:0578] [CHECK] Signature [01:27:0688] [PE] Mapping [01:27:0703] [PE] Parsing [01:27:0703] [PE] Dos header -> 0x24e0000 [01:27:0703] [PE] Nt header (offset : 0xf8) file size 0xa000 [01:27:0703] [PE] pNtHeadersx86 -> 0x24e00f8 [01:27:0703] [PE] Chars -> 0x210e [01:27:0703] [PE] Optional header [01:27:0735] [PE] Sections : 4 [01:27:0735] [PE] Section : 0 - .text [01:27:0735] [PE] Section : 1 - .data [01:27:0735] [PE] Section : 2 - .rsrc [01:27:0735] [PE] Section : 3 - .reloc [01:27:0735] [PE] File open : 1 [01:27:0735] [PE] Search sigs [01:27:0735] [PE] Section[0/3] : 0x24e0400 [01:27:0735] [PE] Init AhoCorasick [01:27:0735] [PE] Start AhoCorasick [01:27:0735] [PE] Looking results : 0 [01:27:0735] [PE] Section[1/3] : 0x24e7a00 [01:27:0735] [PE] Init AhoCorasick [01:27:0735] [PE] Start AhoCorasick [01:27:0735] [PE] Looking results : 0 [01:27:0735] [PE] Section[2/3] : 0x24e8600 [01:27:0735] [PE] Init AhoCorasick [01:27:0735] [PE] Start AhoCorasick [01:27:0735] [PE] Looking results : 0 [01:27:0735] [PE] Section[3/3] : 0x24e8c00 [01:27:0735] [PE] Init AhoCorasick [01:27:0735] [PE] Start AhoCorasick [01:27:0735] [PE] Looking results : 0 [01:27:0735] [CHECK] Blacklist [01:27:0735] [CHECK] BlacklistPath [01:27:0735] [CHECK] BlacklistMD5 [01:27:0735] [CHECK] MadeNumbers [01:27:0735] [CHECK] HasUnicode [01:27:0735] [CHECK] SuspPath [01:27:0735] [CHECK] ProcessResidue [01:27:0735] [CHECK] Not found! [01:27:0735] [Check DLLs] RASAPI32.dll : C:\WINDOWS\system32\RASAPI32.dll [01:27:0735] [CHECK] WhiteDLL [01:27:0735] [CHECK] Whitelist [01:27:0735] [CHECK] WellKnown [01:27:0735] [CHECK] WhitelistPath [01:27:0735] [CHECK] HijackName [01:27:0735] [CHECK] Signature [01:28:0063] [PE] Mapping [01:28:0063] [PE] Parsing [01:28:0063] [PE] Dos header -> 0x24e0000 [01:28:0063] [PE] Nt header (offset : 0xd8) file size 0x39e00 [01:28:0063] [PE] pNtHeadersx86 -> 0x24e00d8 [01:28:0063] [PE] Chars -> 0x210e [01:28:0063] [PE] Optional header [01:28:0063] [PE] Sections : 4 [01:28:0063] [PE] Section : 0 - .text [01:28:0063] [PE] Section : 1 - .data [01:28:0063] [PE] Section : 2 - .rsrc [01:28:0063] [PE] Section : 3 - .reloc [01:28:0063] [PE] File open : 1 [01:28:0063] [PE] Search sigs [01:28:0063] [PE] Section[0/3] : 0x24e0400 [01:28:0063] [PE] Init AhoCorasick [01:28:0063] [PE] Start AhoCorasick [01:28:0078] [PE] Looking results : 0 [01:28:0078] [PE] Section[1/3] : 0x2516000 [01:28:0078] [PE] Init AhoCorasick [01:28:0078] [PE] Start AhoCorasick [01:28:0078] [PE] Looking results : 0 [01:28:0078] [PE] Section[2/3] : 0x2516400 [01:28:0078] [PE] Init AhoCorasick [01:28:0078] [PE] Start AhoCorasick [01:28:0078] [PE] Looking results : 0 [01:28:0078] [PE] Section[3/3] : 0x2517200 [01:28:0078] [PE] Init AhoCorasick [01:28:0078] [PE] Start AhoCorasick [01:28:0078] [PE] Looking results : 0 [01:28:0078] [CHECK] Blacklist [01:28:0078] [CHECK] BlacklistPath [01:28:0078] [CHECK] BlacklistMD5 [01:28:0078] [CHECK] MadeNumbers [01:28:0078] [CHECK] HasUnicode [01:28:0078] [CHECK] SuspPath [01:28:0078] [CHECK] ProcessResidue [01:28:0078] [CHECK] Not found! [01:28:0078] [Check DLLs] rasman.dll : C:\WINDOWS\system32\rasman.dll [01:28:0078] [CHECK] WhiteDLL [01:28:0078] [CHECK] Whitelist [01:28:0078] [CHECK] WellKnown [01:28:0078] [CHECK] WhitelistPath [01:28:0078] [CHECK] HijackName [01:28:0078] [CHECK] Signature [01:28:0219] [PE] Mapping [01:28:0219] [PE] Parsing [01:28:0219] [PE] Dos header -> 0x24e0000 [01:28:0219] [PE] Nt header (offset : 0xe0) file size 0xf000 [01:28:0219] [PE] pNtHeadersx86 -> 0x24e00e0 [01:28:0219] [PE] Chars -> 0x210e [01:28:0219] [PE] Optional header [01:28:0219] [PE] Sections : 4 [01:28:0219] [PE] Section : 0 - .text [01:28:0219] [PE] Section : 1 - .data [01:28:0219] [PE] Section : 2 - .rsrc [01:28:0219] [PE] Section : 3 - .reloc [01:28:0219] [PE] File open : 1 [01:28:0219] [PE] Search sigs [01:28:0219] [PE] Section[0/3] : 0x24e0400 [01:28:0219] [PE] Init AhoCorasick [01:28:0219] [PE] Start AhoCorasick [01:28:0219] [PE] Looking results : 0 [01:28:0219] [PE] Section[1/3] : 0x24ede00 [01:28:0219] [PE] Init AhoCorasick [01:28:0219] [PE] Start AhoCorasick [01:28:0219] [PE] Looking results : 0 [01:28:0219] [PE] Section[2/3] : 0x24ee000 [01:28:0219] [PE] Init AhoCorasick [01:28:0219] [PE] Start AhoCorasick [01:28:0219] [PE] Looking results : 0 [01:28:0219] [PE] Section[3/3] : 0x24ee400 [01:28:0219] [PE] Init AhoCorasick [01:28:0219] [PE] Start AhoCorasick [01:28:0219] [PE] Looking results : 0 [01:28:0219] [CHECK] Blacklist [01:28:0235] [CHECK] BlacklistPath [01:28:0235] [CHECK] BlacklistMD5 [01:28:0235] [CHECK] MadeNumbers [01:28:0235] [CHECK] HasUnicode [01:28:0235] [CHECK] SuspPath [01:28:0235] [CHECK] ProcessResidue [01:28:0235] [CHECK] Not found! [01:28:0235] [Check DLLs] TAPI32.dll : C:\WINDOWS\system32\TAPI32.dll [01:28:0235] [CHECK] WhiteDLL [01:28:0235] [CHECK] Whitelist [01:28:0235] [CHECK] WellKnown [01:28:0235] [CHECK] WhitelistPath [01:28:0235] [CHECK] HijackName [01:28:0235] [CHECK] Signature [01:28:0532] [PE] Mapping [01:28:0594] [PE] Parsing [01:28:0594] [PE] Dos header -> 0x24e0000 [01:28:0594] [PE] Nt header (offset : 0xe8) file size 0x2c600 [01:28:0594] [PE] pNtHeadersx86 -> 0x24e00e8 [01:28:0594] [PE] Chars -> 0x210e [01:28:0594] [PE] Optional header [01:28:0594] [PE] Sections : 4 [01:28:0594] [PE] Section : 0 - .text [01:28:0594] [PE] Section : 1 - .data [01:28:0594] [PE] Section : 2 - .rsrc [01:28:0594] [PE] Section : 3 - .reloc [01:28:0594] [PE] File open : 1 [01:28:0594] [PE] Search sigs [01:28:0594] [PE] Section[0/3] : 0x24e0400 [01:28:0594] [PE] Init AhoCorasick [01:28:0594] [PE] Start AhoCorasick [01:28:0610] [PE] Looking results : 0 [01:28:0610] [PE] Section[1/3] : 0x2509a00 [01:28:0610] [PE] Init AhoCorasick [01:28:0610] [PE] Start AhoCorasick [01:28:0610] [PE] Looking results : 0 [01:28:0610] [PE] Section[2/3] : 0x250a000 [01:28:0610] [PE] Init AhoCorasick [01:28:0610] [PE] Start AhoCorasick [01:28:0610] [PE] Looking results : 0 [01:28:0610] [PE] Section[3/3] : 0x250a800 [01:28:0610] [PE] Init AhoCorasick [01:28:0610] [PE] Start AhoCorasick [01:28:0610] [PE] Looking results : 0 [01:28:0610] [CHECK] Blacklist [01:28:0610] [CHECK] BlacklistPath [01:28:0610] [CHECK] BlacklistMD5 [01:28:0610] [CHECK] MadeNumbers [01:28:0610] [CHECK] HasUnicode [01:28:0610] [CHECK] SuspPath [01:28:0610] [CHECK] ProcessResidue [01:28:0610] [CHECK] Not found! [01:28:0610] [Check DLLs] WZCSAPI.DLL : C:\WINDOWS\system32\WZCSAPI.DLL [01:28:0610] [CHECK] WhiteDLL [01:28:0610] [CHECK] Whitelist [01:28:0610] [CHECK] WellKnown [01:28:0610] [CHECK] WhitelistPath [01:28:0610] [CHECK] HijackName [01:28:0610] [CHECK] Signature [01:28:0719] [PE] Mapping [01:28:0719] [PE] Parsing [01:28:0719] [PE] Dos header -> 0x24e0000 [01:28:0719] [PE] Nt header (offset : 0xf0) file size 0xce00 [01:28:0719] [PE] pNtHeadersx86 -> 0x24e00f0 [01:28:0719] [PE] Chars -> 0x210e [01:28:0719] [PE] Optional header [01:28:0719] [PE] Sections : 4 [01:28:0719] [PE] Section : 0 - .text [01:28:0719] [PE] Section : 1 - .data [01:28:0719] [PE] Section : 2 - .rsrc [01:28:0719] [PE] Section : 3 - .reloc [01:28:0719] [PE] File open : 1 [01:28:0719] [PE] Search sigs [01:28:0719] [PE] Section[0/3] : 0x24e0400 [01:28:0719] [PE] Init AhoCorasick [01:28:0719] [PE] Start AhoCorasick [01:28:0719] [PE] Looking results : 0 [01:28:0719] [PE] Section[1/3] : 0x24eba00 [01:28:0719] [PE] Init AhoCorasick [01:28:0719] [PE] Start AhoCorasick [01:28:0719] [PE] Looking results : 0 [01:28:0719] [PE] Section[2/3] : 0x24ec000 [01:28:0719] [PE] Init AhoCorasick [01:28:0719] [PE] Start AhoCorasick [01:28:0719] [PE] Looking results : 0 [01:28:0719] [PE] Section[3/3] : 0x24ec600 [01:28:0719] [PE] Init AhoCorasick [01:28:0719] [PE] Start AhoCorasick [01:28:0719] [PE] Looking results : 0 [01:28:0719] [CHECK] Blacklist [01:28:0719] [CHECK] BlacklistPath [01:28:0719] [CHECK] BlacklistMD5 [01:28:0719] [CHECK] MadeNumbers [01:28:0719] [CHECK] HasUnicode [01:28:0719] [CHECK] SuspPath [01:28:0735] [CHECK] ProcessResidue [01:28:0735] [CHECK] Not found! [01:28:0735] [Check DLLs] WZCSvc.DLL : C:\WINDOWS\system32\WZCSvc.DLL [01:28:0735] [CHECK] WhiteDLL [01:28:0735] [CHECK] Whitelist [01:28:0735] [CHECK] WellKnown [01:28:0735] [CHECK] WhitelistPath [01:28:0735] [CHECK] HijackName [01:28:0735] [CHECK] Signature [01:29:0422] [PE] Mapping [01:29:0422] [PE] Parsing [01:29:0422] [PE] Dos header -> 0x24e0000 [01:29:0422] [PE] Nt header (offset : 0xe0) file size 0x76200 [01:29:0422] [PE] pNtHeadersx86 -> 0x24e00e0 [01:29:0422] [PE] Chars -> 0x210e [01:29:0422] [PE] Optional header [01:29:0422] [PE] Sections : 4 [01:29:0422] [PE] Section : 0 - .text [01:29:0422] [PE] Section : 1 - .data [01:29:0422] [PE] Section : 2 - .rsrc [01:29:0422] [PE] Section : 3 - .reloc [01:29:0422] [PE] File open : 1 [01:29:0422] [PE] Search sigs [01:29:0422] [PE] Section[0/3] : 0x24e0600 [01:29:0422] [PE] Init AhoCorasick [01:29:0422] [PE] Start AhoCorasick [01:29:0438] [PE] Looking results : 0 [01:29:0438] [PE] Section[1/3] : 0x254a600 [01:29:0438] [PE] Init AhoCorasick [01:29:0438] [PE] Start AhoCorasick [01:29:0438] [PE] Looking results : 0 [01:29:0438] [PE] Section[2/3] : 0x254ae00 [01:29:0438] [PE] Init AhoCorasick [01:29:0438] [PE] Start AhoCorasick [01:29:0438] [PE] Looking results : 0 [01:29:0438] [PE] Section[3/3] : 0x2550c00 [01:29:0438] [PE] Init AhoCorasick [01:29:0438] [PE] Start AhoCorasick [01:29:0438] [PE] Looking results : 0 [01:29:0438] [CHECK] Blacklist [01:29:0438] [CHECK] BlacklistPath [01:29:0438] [CHECK] BlacklistMD5 [01:29:0438] [CHECK] MadeNumbers [01:29:0438] [CHECK] HasUnicode [01:29:0438] [CHECK] SuspPath [01:29:0438] [CHECK] ProcessResidue [01:29:0438] [CHECK] Not found! [01:29:0438] [Check DLLs] WMI.dll : C:\WINDOWS\system32\WMI.dll [01:29:0438] [CHECK] WhiteDLL [01:29:0438] [CHECK] Whitelist [01:29:0438] [CHECK] WellKnown [01:29:0438] [CHECK] WhitelistPath [01:29:0453] [CHECK] HijackName [01:29:0453] [CHECK] Signature [01:29:0563] [PE] Mapping [01:29:0875] [PE] Parsing [01:29:0875] [PE] Dos header -> 0x24e0000 [01:29:0875] [PE] Nt header (offset : 0xc0) file size 0x1600 [01:29:0875] [PE] pNtHeadersx86 -> 0x24e00c0 [01:29:0875] [PE] Chars -> 0x210e [01:29:0875] [PE] Optional header [01:29:0875] [PE] Sections : 3 [01:29:0875] [PE] Section : 0 - .text [01:29:0875] [PE] Section : 1 - .rsrc [01:29:0875] [PE] Section : 2 - .reloc [01:29:0875] [PE] File open : 1 [01:29:0875] [PE] Search sigs [01:29:0875] [PE] Section[0/2] : 0x24e0400 [01:29:0875] [PE] Init AhoCorasick [01:29:0875] [PE] Start AhoCorasick [01:29:0875] [PE] Looking results : 0 [01:29:0875] [PE] Section[1/2] : 0x24e1000 [01:29:0875] [PE] Init AhoCorasick [01:29:0875] [PE] Start AhoCorasick [01:29:0875] [PE] Looking results : 0 [01:29:0875] [PE] Section[2/2] : 0x24e1400 [01:29:0875] [PE] Init AhoCorasick [01:29:0875] [PE] Start AhoCorasick [01:29:0875] [PE] Looking results : 0 [01:29:0875] [CHECK] Blacklist [01:29:0875] [CHECK] BlacklistPath [01:29:0875] [CHECK] BlacklistMD5 [01:29:0875] [CHECK] MadeNumbers [01:29:0875] [CHECK] HasUnicode [01:29:0875] [CHECK] SuspPath [01:29:0875] [CHECK] ProcessResidue [01:29:0875] [CHECK] Not found! [01:29:0875] [Check DLLs] DHCPCSVC.DLL : C:\WINDOWS\system32\DHCPCSVC.DLL [01:29:0875] [CHECK] WhiteDLL [01:29:0875] [CHECK] Whitelist [01:29:0875] [CHECK] WellKnown [01:29:0875] [CHECK] WhitelistPath [01:29:0875] [CHECK] HijackName [01:29:0875] [CHECK] Signature [01:30:0047] [PE] Mapping [01:30:0047] [PE] Parsing [01:30:0047] [PE] Dos header -> 0x24e0000 [01:30:0047] [PE] Nt header (offset : 0xd8) file size 0x1f000 [01:30:0047] [PE] pNtHeadersx86 -> 0x24e00d8 [01:30:0047] [PE] Chars -> 0x210e [01:30:0047] [PE] Optional header [01:30:0047] [PE] Sections : 4 [01:30:0047] [PE] Section : 0 - .text [01:30:0047] [PE] Section : 1 - .data [01:30:0047] [PE] Section : 2 - .rsrc [01:30:0047] [PE] Section : 3 - .reloc [01:30:0047] [PE] File open : 1 [01:30:0047] [PE] Search sigs [01:30:0047] [PE] Section[0/3] : 0x24e0400 [01:30:0047] [PE] Init AhoCorasick [01:30:0047] [PE] Start AhoCorasick [01:30:0063] [PE] Looking results : 0 [01:30:0063] [PE] Section[1/3] : 0x24fbe00 [01:30:0063] [PE] Init AhoCorasick [01:30:0063] [PE] Start AhoCorasick [01:30:0063] [PE] Looking results : 0 [01:30:0063] [PE] Section[2/3] : 0x24fc800 [01:30:0063] [PE] Init AhoCorasick [01:30:0063] [PE] Start AhoCorasick [01:30:0063] [PE] Looking results : 0 [01:30:0063] [PE] Section[3/3] : 0x24fde00 [01:30:0063] [PE] Init AhoCorasick [01:30:0063] [PE] Start AhoCorasick [01:30:0063] [PE] Looking results : 0 [01:30:0063] [CHECK] Blacklist [01:30:0063] [CHECK] BlacklistPath [01:30:0063] [CHECK] BlacklistMD5 [01:30:0063] [CHECK] MadeNumbers [01:30:0063] [CHECK] HasUnicode [01:30:0063] [CHECK] SuspPath [01:30:0063] [CHECK] ProcessResidue [01:30:0063] [CHECK] Not found! [01:30:0063] [Check DLLs] DNSAPI.dll : C:\WINDOWS\system32\DNSAPI.dll [01:30:0063] [CHECK] WhiteDLL [01:30:0063] [CHECK] Whitelist [01:30:0063] [CHECK] WellKnown [01:30:0063] [CHECK] WhitelistPath [01:30:0063] [CHECK] HijackName [01:30:0063] [CHECK] Signature [01:30:0344] [PE] Mapping [01:30:0344] [PE] Parsing [01:30:0344] [PE] Dos header -> 0x24e0000 [01:30:0344] [PE] Nt header (offset : 0xe0) file size 0x24800 [01:30:0344] [PE] pNtHeadersx86 -> 0x24e00e0 [01:30:0344] [PE] Chars -> 0x210e [01:30:0344] [PE] Optional header [01:30:0344] [PE] Sections : 4 [01:30:0344] [PE] Section : 0 - .text [01:30:0344] [PE] Section : 1 - .data [01:30:0344] [PE] Section : 2 - .rsrc [01:30:0344] [PE] Section : 3 - .reloc [01:30:0344] [PE] File open : 1 [01:30:0344] [PE] Search sigs [01:30:0344] [PE] Section[0/3] : 0x24e0400 [01:30:0344] [PE] Init AhoCorasick [01:30:0344] [PE] Start AhoCorasick [01:30:0344] [PE] Looking results : 0 [01:30:0344] [PE] Section[1/3] : 0x2500400 [01:30:0344] [PE] Init AhoCorasick [01:30:0344] [PE] Start AhoCorasick [01:30:0360] [PE] Looking results : 0 [01:30:0360] [PE] Section[2/3] : 0x2502400 [01:30:0360] [PE] Init AhoCorasick [01:30:0360] [PE] Start AhoCorasick [01:30:0360] [PE] Looking results : 0 [01:30:0360] [PE] Section[3/3] : 0x2503400 [01:30:0360] [PE] Init AhoCorasick [01:30:0360] [PE] Start AhoCorasick [01:30:0360] [PE] Looking results : 0 [01:30:0360] [CHECK] Blacklist [01:30:0360] [CHECK] BlacklistPath [01:30:0360] [CHECK] BlacklistMD5 [01:30:0360] [CHECK] MadeNumbers [01:30:0360] [CHECK] HasUnicode [01:30:0360] [CHECK] SuspPath [01:30:0360] [CHECK] ProcessResidue [01:30:0360] [CHECK] Not found! [01:30:0360] [Check DLLs] EapolQec.dll : C:\WINDOWS\system32\EapolQec.dll [01:30:0360] [CHECK] WhiteDLL [01:30:0360] [CHECK] Whitelist [01:30:0360] [CHECK] WellKnown [01:30:0360] [CHECK] WhitelistPath [01:30:0360] [CHECK] HijackName [01:30:0360] [CHECK] Signature [01:30:0485] [PE] Mapping [01:30:0485] [PE] Parsing [01:30:0485] [PE] Dos header -> 0x24e0000 [01:30:0485] [PE] Nt header (offset : 0xe0) file size 0x7800 [01:30:0485] [PE] pNtHeadersx86 -> 0x24e00e0 [01:30:0485] [PE] Chars -> 0x210e [01:30:0485] [PE] Optional header [01:30:0485] [PE] Sections : 4 [01:30:0485] [PE] Section : 0 - .text [01:30:0485] [PE] Section : 1 - .data [01:30:0485] [PE] Section : 2 - .rsrc [01:30:0485] [PE] Section : 3 - .reloc [01:30:0485] [PE] File open : 1 [01:30:0485] [PE] Search sigs [01:30:0485] [PE] Section[0/3] : 0x24e0400 [01:30:0485] [PE] Init AhoCorasick [01:30:0485] [PE] Start AhoCorasick [01:30:0485] [PE] Looking results : 0 [01:30:0485] [PE] Section[1/3] : 0x24e6600 [01:30:0485] [PE] Init AhoCorasick [01:30:0485] [PE] Start AhoCorasick [01:30:0485] [PE] Looking results : 0 [01:30:0485] [PE] Section[2/3] : 0x24e6a00 [01:30:0485] [PE] Init AhoCorasick [01:30:0485] [PE] Start AhoCorasick [01:30:0485] [PE] Looking results : 0 [01:30:0485] [PE] Section[3/3] : 0x24e7200 [01:30:0485] [PE] Init AhoCorasick [01:30:0485] [PE] Start AhoCorasick [01:30:0485] [PE] Looking results : 0 [01:30:0485] [CHECK] Blacklist [01:30:0485] [CHECK] BlacklistPath [01:30:0485] [CHECK] BlacklistMD5 [01:30:0485] [CHECK] MadeNumbers [01:30:0485] [CHECK] HasUnicode [01:30:0485] [CHECK] SuspPath [01:30:0485] [CHECK] ProcessResidue [01:30:0485] [CHECK] Not found! [01:30:0485] [Check DLLs] QUtil.dll : C:\WINDOWS\system32\QUtil.dll [01:30:0485] [CHECK] WhiteDLL [01:30:0485] [CHECK] Whitelist [01:30:0485] [CHECK] WellKnown [01:30:0485] [CHECK] WhitelistPath [01:30:0485] [CHECK] HijackName [01:30:0485] [CHECK] Signature [01:30:0703] [PE] Mapping [01:30:0703] [PE] Parsing [01:30:0735] [PE] Dos header -> 0x24e0000 [01:30:0735] [PE] Nt header (offset : 0xe8) file size 0x12c00 [01:30:0735] [PE] pNtHeadersx86 -> 0x24e00e8 [01:30:0735] [PE] Chars -> 0x210e [01:30:0735] [PE] Optional header [01:30:0735] [PE] Sections : 5 [01:30:0735] [PE] Section : 0 - .text [01:30:0735] [PE] Section : 1 - .orpc [01:30:0735] [PE] Section : 2 - .data [01:30:0735] [PE] Section : 3 - .rsrc [01:30:0735] [PE] Section : 4 - .reloc [01:30:0735] [PE] File open : 1 [01:30:0735] [PE] Search sigs [01:30:0735] [PE] Section[0/4] : 0x24e0400 [01:30:0735] [PE] Init AhoCorasick [01:30:0735] [PE] Start AhoCorasick [01:30:0735] [PE] Looking results : 0 [01:30:0735] [PE] Section[1/4] : 0x24ef400 [01:30:0735] [PE] Init AhoCorasick [01:30:0735] [PE] Start AhoCorasick [01:30:0735] [PE] Looking results : 0 [01:30:0735] [PE] Section[2/4] : 0x24ef600 [01:30:0735] [PE] Init AhoCorasick [01:30:0735] [PE] Start AhoCorasick [01:30:0735] [PE] Looking results : 0 [01:30:0735] [PE] Section[3/4] : 0x24f0600 [01:30:0735] [PE] Init AhoCorasick [01:30:0735] [PE] Start AhoCorasick [01:30:0735] [PE] Looking results : 0 [01:30:0735] [PE] Section[4/4] : 0x24f1000 [01:30:0735] [PE] Init AhoCorasick [01:30:0735] [PE] Start AhoCorasick [01:30:0735] [PE] Looking results : 0 [01:30:0735] [CHECK] Blacklist [01:30:0735] [CHECK] BlacklistPath [01:30:0735] [CHECK] BlacklistMD5 [01:30:0735] [CHECK] MadeNumbers [01:30:0735] [CHECK] HasUnicode [01:30:0735] [CHECK] SuspPath [01:30:0750] [CHECK] ProcessResidue [01:30:0750] [CHECK] Not found! [01:30:0750] [Check DLLs] ESENT.dll : C:\WINDOWS\system32\ESENT.dll [01:30:0750] [CHECK] WhiteDLL [01:30:0750] [CHECK] Whitelist [01:30:0750] [CHECK] WellKnown [01:30:0750] [CHECK] WhitelistPath [01:30:0750] [CHECK] HijackName [01:30:0750] [CHECK] Signature [01:32:0078] [PE] Mapping [01:32:0078] [PE] Parsing [01:32:0078] [PE] Dos header -> 0x27e0000 [01:32:0078] [PE] Nt header (offset : 0xf0) file size 0x108400 [01:32:0078] [PE] pNtHeadersx86 -> 0x27e00f0 [01:32:0078] [PE] Chars -> 0x210e [01:32:0078] [PE] Optional header [01:32:0078] [PE] Sections : 5 [01:32:0078] [PE] Section : 0 - .text [01:32:0094] [PE] Section : 1 - .data [01:32:0094] [PE] Section : 2 - cachelin [01:32:0094] [PE] Section : 3 - .rsrc [01:32:0094] [PE] Section : 4 - .reloc [01:32:0094] [PE] File open : 1 [01:32:0094] [PE] Search sigs [01:32:0094] [PE] Section[0/4] : 0x27e0400 [01:32:0094] [PE] Init AhoCorasick [01:32:0094] [PE] Start AhoCorasick [01:32:0110] [PE] Looking results : 0 [01:32:0110] [PE] Section[1/4] : 0x28cc800 [01:32:0110] [PE] Init AhoCorasick [01:32:0110] [PE] Start AhoCorasick [01:32:0110] [PE] Looking results : 0 [01:32:0110] [PE] Section[2/4] : 0x28d2800 [01:32:0110] [PE] Init AhoCorasick [01:32:0110] [PE] Start AhoCorasick [01:32:0110] [PE] Looking results : 0 [01:32:0110] [PE] Section[3/4] : 0x28d2a00 [01:32:0110] [PE] Init AhoCorasick [01:32:0110] [PE] Start AhoCorasick [01:32:0110] [PE] Looking results : 0 [01:32:0110] [PE] Section[4/4] : 0x28e0400 [01:32:0110] [PE] Init AhoCorasick [01:32:0110] [PE] Start AhoCorasick [01:32:0110] [PE] Looking results : 0 [01:32:0110] [CHECK] Blacklist [01:32:0110] [CHECK] BlacklistPath [01:32:0110] [CHECK] BlacklistMD5 [01:32:0110] [CHECK] MadeNumbers [01:32:0110] [CHECK] HasUnicode [01:32:0110] [CHECK] SuspPath [01:32:0110] [CHECK] ProcessResidue [01:32:0110] [CHECK] Not found! [01:32:0110] [Check DLLs] mswsock.dll : C:\WINDOWS\system32\mswsock.dll [01:32:0110] [CHECK] WhiteDLL [01:32:0110] [CHECK] Whitelist [01:32:0125] [CHECK] WellKnown [01:32:0125] [CHECK] WhitelistPath [01:32:0125] [CHECK] HijackName [01:32:0125] [CHECK] Signature [01:32:0516] [PE] Mapping [01:32:0547] [PE] Parsing [01:32:0547] [PE] Dos header -> 0x24e0000 [01:32:0547] [PE] Nt header (offset : 0xe8) file size 0x3be00 [01:32:0547] [PE] pNtHeadersx86 -> 0x24e00e8 [01:32:0547] [PE] Chars -> 0x210e [01:32:0547] [PE] Optional header [01:32:0547] [PE] Sections : 5 [01:32:0547] [PE] Section : 0 - .text [01:32:0547] [PE] Section : 1 - SANONTCP [01:32:0547] [PE] Section : 2 - .data [01:32:0547] [PE] Section : 3 - .rsrc [01:32:0547] [PE] Section : 4 - .reloc [01:32:0547] [PE] File open : 1 [01:32:0547] [PE] Search sigs [01:32:0547] [PE] Section[0/4] : 0x24e0400 [01:32:0547] [PE] Init AhoCorasick [01:32:0547] [PE] Start AhoCorasick [01:32:0547] [PE] Looking results : 0 [01:32:0547] [PE] Section[1/4] : 0x2509800 [01:32:0547] [PE] Init AhoCorasick [01:32:0547] [PE] Start AhoCorasick [01:32:0547] [PE] Looking results : 0 [01:32:0547] [PE] Section[2/4] : 0x2515600 [01:32:0547] [PE] Init AhoCorasick [01:32:0547] [PE] Start AhoCorasick [01:32:0547] [PE] Looking results : 0 [01:32:0547] [PE] Section[3/4] : 0x2516400 [01:32:0547] [PE] Init AhoCorasick [01:32:0547] [PE] Start AhoCorasick [01:32:0547] [PE] Looking results : 0 [01:32:0547] [PE] Section[4/4] : 0x2519000 [01:32:0547] [PE] Init AhoCorasick [01:32:0547] [PE] Start AhoCorasick [01:32:0563] [PE] Looking results : 0 [01:32:0563] [CHECK] Blacklist [01:32:0563] [CHECK] BlacklistPath [01:32:0563] [CHECK] BlacklistMD5 [01:32:0563] [CHECK] MadeNumbers [01:32:0563] [CHECK] HasUnicode [01:32:0563] [CHECK] SuspPath [01:32:0563] [CHECK] ProcessResidue [01:32:0563] [CHECK] Not found! [01:32:0563] [Check DLLs] hnetcfg.dll : C:\WINDOWS\system32\hnetcfg.dll [01:32:0563] [CHECK] WhiteDLL [01:32:0563] [CHECK] Whitelist [01:32:0563] [CHECK] WellKnown [01:32:0563] [CHECK] WhitelistPath [01:32:0563] [CHECK] HijackName [01:32:0563] [CHECK] Signature [01:33:0016] [PE] Mapping [01:33:0016] [PE] Parsing [01:33:0016] [PE] Dos header -> 0x24e0000 [01:33:0016] [PE] Nt header (offset : 0xe0) file size 0x54000 [01:33:0016] [PE] pNtHeadersx86 -> 0x24e00e0 [01:33:0016] [PE] Chars -> 0x210e [01:33:0016] [PE] Optional header [01:33:0016] [PE] Sections : 5 [01:33:0016] [PE] Section : 0 - .text [01:33:0016] [PE] Section : 1 - .orpc [01:33:0016] [PE] Section : 2 - .data [01:33:0016] [PE] Section : 3 - .rsrc [01:33:0016] [PE] Section : 4 - .reloc [01:33:0016] [PE] File open : 1 [01:33:0016] [PE] Search sigs [01:33:0016] [PE] Section[0/4] : 0x24e0400 [01:33:0016] [PE] Init AhoCorasick [01:33:0016] [PE] Start AhoCorasick [01:33:0032] [PE] Looking results : 0 [01:33:0032] [PE] Section[1/4] : 0x251e600 [01:33:0032] [PE] Init AhoCorasick [01:33:0032] [PE] Start AhoCorasick [01:33:0032] [PE] Looking results : 0 [01:33:0032] [PE] Section[2/4] : 0x251e800 [01:33:0032] [PE] Init AhoCorasick [01:33:0032] [PE] Start AhoCorasick [01:33:0032] [PE] Looking results : 0 [01:33:0032] [PE] Section[3/4] : 0x251f200 [01:33:0032] [PE] Init AhoCorasick [01:33:0032] [PE] Start AhoCorasick [01:33:0032] [PE] Looking results : 0 [01:33:0032] [PE] Section[4/4] : 0x252f800 [01:33:0032] [PE] Init AhoCorasick [01:33:0032] [PE] Start AhoCorasick [01:33:0032] [PE] Looking results : 0 [01:33:0032] [CHECK] Blacklist [01:33:0032] [CHECK] BlacklistPath [01:33:0032] [CHECK] BlacklistMD5 [01:33:0032] [CHECK] MadeNumbers [01:33:0032] [CHECK] HasUnicode [01:33:0032] [CHECK] SuspPath [01:33:0032] [CHECK] ProcessResidue [01:33:0032] [CHECK] Not found! [01:33:0032] [Check DLLs] wship6.dll : C:\WINDOWS\System32\wship6.dll [01:33:0032] [CHECK] WhiteDLL [01:33:0032] [CHECK] Whitelist [01:33:0032] [CHECK] WellKnown [01:33:0032] [CHECK] WhitelistPath [01:33:0032] [CHECK] HijackName [01:33:0032] [CHECK] Signature [01:33:0203] [PE] Mapping [01:33:0203] [PE] Parsing [01:33:0203] [PE] Dos header -> 0x24e0000 [01:33:0203] [PE] Nt header (offset : 0xd0) file size 0x3800 [01:33:0203] [PE] pNtHeadersx86 -> 0x24e00d0 [01:33:0203] [PE] Chars -> 0x210e [01:33:0203] [PE] Optional header [01:33:0203] [PE] Sections : 4 [01:33:0203] [PE] Section : 0 - .text [01:33:0203] [PE] Section : 1 - .data [01:33:0203] [PE] Section : 2 - .rsrc [01:33:0203] [PE] Section : 3 - .reloc [01:33:0203] [PE] File open : 1 [01:33:0203] [PE] Search sigs [01:33:0203] [PE] Section[0/3] : 0x24e0400 [01:33:0203] [PE] Init AhoCorasick [01:33:0203] [PE] Start AhoCorasick [01:33:0203] [PE] Looking results : 0 [01:33:0203] [PE] Section[1/3] : 0x24e2a00 [01:33:0203] [PE] Init AhoCorasick [01:33:0203] [PE] Start AhoCorasick [01:33:0203] [PE] Looking results : 0 [01:33:0203] [PE] Section[2/3] : 0x24e3200 [01:33:0203] [PE] Init AhoCorasick [01:33:0203] [PE] Start AhoCorasick [01:33:0203] [PE] Looking results : 0 [01:33:0203] [PE] Section[3/3] : 0x24e3600 [01:33:0203] [PE] Init AhoCorasick [01:33:0203] [PE] Start AhoCorasick [01:33:0203] [PE] Looking results : 0 [01:33:0203] [CHECK] Blacklist [01:33:0203] [CHECK] BlacklistPath [01:33:0203] [CHECK] BlacklistMD5 [01:33:0203] [CHECK] MadeNumbers [01:33:0203] [CHECK] HasUnicode [01:33:0203] [CHECK] SuspPath [01:33:0203] [CHECK] ProcessResidue [01:33:0203] [CHECK] Not found! [01:33:0203] [Check DLLs] msimtf.dll : C:\WINDOWS\System32\msimtf.dll [01:33:0203] [CHECK] WhiteDLL [01:33:0203] [CHECK] Whitelist [01:33:0203] [CHECK] WellKnown [01:33:0203] [CHECK] WhitelistPath [01:33:0203] [CHECK] HijackName [01:33:0203] [CHECK] Signature [01:33:0563] [PE] Mapping [01:33:0578] [PE] Parsing [01:33:0578] [PE] Dos header -> 0x24e0000 [01:33:0578] [PE] Nt header (offset : 0xe0) file size 0x26e00 [01:33:0578] [PE] pNtHeadersx86 -> 0x24e00e0 [01:33:0578] [PE] Chars -> 0x210e [01:33:0578] [PE] Optional header [01:33:0594] [PE] Sections : 4 [01:33:0594] [PE] Section : 0 - .text [01:33:0594] [PE] Section : 1 - .data [01:33:0594] [PE] Section : 2 - .rsrc [01:33:0594] [PE] Section : 3 - .reloc [01:33:0594] [PE] File open : 1 [01:33:0594] [PE] Search sigs [01:33:0594] [PE] Section[0/3] : 0x24e0400 [01:33:0594] [PE] Init AhoCorasick [01:33:0594] [PE] Start AhoCorasick [01:33:0594] [PE] Looking results : 0 [01:33:0594] [PE] Section[1/3] : 0x2504c00 [01:33:0594] [PE] Init AhoCorasick [01:33:0594] [PE] Start AhoCorasick [01:33:0594] [PE] Looking results : 0 [01:33:0594] [PE] Section[2/3] : 0x2504e00 [01:33:0594] [PE] Init AhoCorasick [01:33:0594] [PE] Start AhoCorasick [01:33:0594] [PE] Looking results : 0 [01:33:0594] [PE] Section[3/3] : 0x2505400 [01:33:0594] [PE] Init AhoCorasick [01:33:0594] [PE] Start AhoCorasick [01:33:0594] [PE] Looking results : 0 [01:33:0594] [CHECK] Blacklist [01:33:0594] [CHECK] BlacklistPath [01:33:0594] [CHECK] BlacklistMD5 [01:33:0594] [CHECK] MadeNumbers [01:33:0594] [CHECK] HasUnicode [01:33:0594] [CHECK] SuspPath [01:33:0594] [CHECK] ProcessResidue [01:33:0594] [CHECK] Not found! [01:33:0594] [Check DLLs] MSCTF.dll : C:\WINDOWS\System32\MSCTF.dll [01:33:0594] [CHECK] WhiteDLL [01:33:0594] [CHECK] Whitelist [01:33:0594] [CHECK] WellKnown [01:33:0594] [CHECK] WhitelistPath [01:33:0594] [CHECK] HijackName [01:33:0594] [CHECK] Signature [01:33:0969] [PE] Mapping [01:33:0969] [PE] Parsing [01:33:0969] [PE] Dos header -> 0x24e0000 [01:33:0969] [PE] Nt header (offset : 0xe0) file size 0x48c00 [01:33:0969] [PE] pNtHeadersx86 -> 0x24e00e0 [01:33:0969] [PE] Chars -> 0x210e [01:33:0969] [PE] Optional header [01:33:0969] [PE] Sections : 4 [01:33:0969] [PE] Section : 0 - .text [01:33:0969] [PE] Section : 1 - .data [01:33:0969] [PE] Section : 2 - .rsrc [01:33:0969] [PE] Section : 3 - .reloc [01:33:0969] [PE] File open : 1 [01:33:0969] [PE] Search sigs [01:33:0969] [PE] Section[0/3] : 0x24e0400 [01:33:0969] [PE] Init AhoCorasick [01:33:0969] [PE] Start AhoCorasick [01:33:0969] [PE] Looking results : 0 [01:33:0969] [PE] Section[1/3] : 0x2521c00 [01:33:0969] [PE] Init AhoCorasick [01:33:0969] [PE] Start AhoCorasick [01:33:0969] [PE] Looking results : 0 [01:33:0969] [PE] Section[2/3] : 0x2522800 [01:33:0969] [PE] Init AhoCorasick [01:33:0985] [PE] Start AhoCorasick [01:33:0985] [PE] Looking results : 0 [01:33:0985] [PE] Section[3/3] : 0x2525e00 [01:33:0985] [PE] Init AhoCorasick [01:33:0985] [PE] Start AhoCorasick [01:33:0985] [PE] Looking results : 0 [01:33:0985] [CHECK] Blacklist [01:33:0985] [CHECK] BlacklistPath [01:33:0985] [CHECK] BlacklistMD5 [01:33:0985] [CHECK] MadeNumbers [01:33:0985] [CHECK] HasUnicode [01:33:0985] [CHECK] SuspPath [01:33:0985] [CHECK] ProcessResidue [01:33:0985] [CHECK] Not found! [01:33:0985] [Check DLLs] gdiplus.dll : C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.6002.22509_x-ww_c7dad023\gdiplus.dll [01:33:0985] [CHECK] WhiteDLL [01:33:0985] [CHECK] Whitelist [01:33:0985] [CHECK] WellKnown [01:33:0985] [CHECK] WhitelistPath [01:33:0985] [CHECK] HijackName [01:33:0985] [CHECK] Signature [01:36:0532] [PE] Mapping [01:36:0532] [PE] Parsing [01:36:0532] [PE] Dos header -> 0x27e0000 [01:36:0532] [PE] Nt header (offset : 0xf0) file size 0x1ab000 [01:36:0532] [PE] pNtHeadersx86 -> 0x27e00f0 [01:36:0532] [PE] Chars -> 0x2102 [01:36:0532] [PE] Optional header [01:36:0532] [PE] Sections : 5 [01:36:0532] [PE] Section : 0 - .text [01:36:0532] [PE] Section : 1 - .data [01:36:0532] [PE] Section : 2 - Shared [01:36:0532] [PE] Section : 3 - .rsrc [01:36:0532] [PE] Section : 4 - .reloc [01:36:0532] [PE] File open : 1 [01:36:0532] [PE] Search sigs [01:36:0532] [PE] Section[0/4] : 0x27e1000 [01:36:0532] [PE] Init AhoCorasick [01:36:0532] [PE] Start AhoCorasick [01:36:0563] [PE] Looking results : 0 [01:36:0563] [PE] Section[1/4] : 0x2967000 [01:36:0563] [PE] Init AhoCorasick [01:36:0563] [PE] Start AhoCorasick [01:36:0563] [PE] Looking results : 0 [01:36:0563] [PE] Section[2/4] : 0x2970000 [01:36:0563] [PE] Init AhoCorasick [01:36:0563] [PE] Start AhoCorasick [01:36:0563] [PE] Looking results : 0 [01:36:0563] [PE] Section[3/4] : 0x2971000 [01:36:0563] [PE] Init AhoCorasick [01:36:0563] [PE] Start AhoCorasick [01:36:0563] [PE] Looking results : 0 [01:36:0563] [PE] Section[4/4] : 0x2983000 [01:36:0563] [PE] Init AhoCorasick [01:36:0563] [PE] Start AhoCorasick [01:36:0563] [PE] Looking results : 0 [01:36:0563] [CHECK] Blacklist [01:36:0563] [CHECK] BlacklistPath [01:36:0578] [CHECK] BlacklistMD5 [01:36:0578] [CHECK] MadeNumbers [01:36:0578] [CHECK] HasUnicode [01:36:0578] [CHECK] SuspPath [01:36:0578] [CHECK] ProcessResidue [01:36:0578] [CHECK] Not found! [01:36:0578] [Check DLLs] dciman32.dll : C:\WINDOWS\system32\dciman32.dll [01:36:0578] [CHECK] WhiteDLL [01:36:0578] [CHECK] Whitelist [01:36:0578] [CHECK] WellKnown [01:36:0578] [CHECK] WhitelistPath [01:36:0578] [CHECK] HijackName [01:36:0578] [CHECK] Signature [01:36:0672] [PE] Mapping [01:36:0672] [PE] Parsing [01:36:0672] [PE] Dos header -> 0x24e0000 [01:36:0672] [PE] Nt header (offset : 0xe0) file size 0x2200 [01:36:0672] [PE] pNtHeadersx86 -> 0x24e00e0 [01:36:0672] [PE] Chars -> 0x210e [01:36:0672] [PE] Optional header [01:36:0672] [PE] Sections : 4 [01:36:0672] [PE] Section : 0 - .text [01:36:0672] [PE] Section : 1 - .data [01:36:0672] [PE] Section : 2 - .rsrc [01:36:0672] [PE] Section : 3 - .reloc [01:36:0672] [PE] File open : 1 [01:36:0672] [PE] Search sigs [01:36:0672] [PE] Section[0/3] : 0x24e0400 [01:36:0672] [PE] Init AhoCorasick [01:36:0672] [PE] Start AhoCorasick [01:36:0672] [PE] Looking results : 0 [01:36:0672] [PE] Section[1/3] : 0x24e1a00 [01:36:0672] [PE] Init AhoCorasick [01:36:0672] [PE] Start AhoCorasick [01:36:0672] [PE] Looking results : 0 [01:36:0672] [PE] Section[2/3] : 0x24e1c00 [01:36:0672] [PE] Init AhoCorasick [01:36:0672] [PE] Start AhoCorasick [01:36:0672] [PE] Looking results : 0 [01:36:0672] [PE] Section[3/3] : 0x24e2000 [01:36:0672] [PE] Init AhoCorasick [01:36:0672] [PE] Start AhoCorasick [01:36:0672] [PE] Looking results : 0 [01:36:0672] [CHECK] Blacklist [01:36:0672] [CHECK] BlacklistPath [01:36:0672] [CHECK] BlacklistMD5 [01:36:0672] [CHECK] MadeNumbers [01:36:0672] [CHECK] HasUnicode [01:36:0672] [CHECK] SuspPath [01:36:0672] [CHECK] ProcessResidue [01:36:0672] [CHECK] Not found! [01:36:0672] [Check DLLs] ntshrui.dll : C:\WINDOWS\system32\ntshrui.dll [01:36:0672] [CHECK] WhiteDLL [01:36:0672] [CHECK] Whitelist [01:36:0672] [CHECK] WellKnown [01:36:0672] [CHECK] WhitelistPath [01:36:0688] [CHECK] HijackName [01:36:0688] [CHECK] Signature [01:36:0969] [PE] Mapping [01:36:0969] [PE] Parsing [01:36:0969] [PE] Dos header -> 0x24e0000 [01:36:0969] [PE] Nt header (offset : 0xe8) file size 0x23000 [01:36:0969] [PE] pNtHeadersx86 -> 0x24e00e8 [01:36:0969] [PE] Chars -> 0x210e [01:36:0969] [PE] Optional header [01:36:0969] [PE] Sections : 4 [01:36:0969] [PE] Section : 0 - .text [01:36:0969] [PE] Section : 1 - .data [01:36:0969] [PE] Section : 2 - .rsrc [01:36:0969] [PE] Section : 3 - .reloc [01:36:0969] [PE] File open : 1 [01:36:0969] [PE] Search sigs [01:36:0969] [PE] Section[0/3] : 0x24e0400 [01:36:0969] [PE] Init AhoCorasick [01:36:0969] [PE] Start AhoCorasick [01:36:0969] [PE] Looking results : 0 [01:36:0969] [PE] Section[1/3] : 0x24eb400 [01:36:0969] [PE] Init AhoCorasick [01:36:0969] [PE] Start AhoCorasick [01:36:0969] [PE] Looking results : 0 [01:36:0969] [PE] Section[2/3] : 0x24eb800 [01:36:0969] [PE] Init AhoCorasick [01:36:0969] [PE] Start AhoCorasick [01:36:0969] [PE] Looking results : 0 [01:36:0969] [PE] Section[3/3] : 0x2502600 [01:36:0969] [PE] Init AhoCorasick [01:36:0969] [PE] Start AhoCorasick [01:36:0969] [PE] Looking results : 0 [01:36:0969] [CHECK] Blacklist [01:36:0969] [CHECK] BlacklistPath [01:36:0969] [CHECK] BlacklistMD5 [01:36:0969] [CHECK] MadeNumbers [01:36:0985] [CHECK] HasUnicode [01:36:0985] [CHECK] SuspPath [01:36:0985] [CHECK] ProcessResidue [01:36:0985] [CHECK] Not found! [01:36:0985] [Check DLLs] LINKINFO.dll : C:\WINDOWS\system32\LINKINFO.dll [01:36:0985] [CHECK] WhiteDLL [01:36:0985] [CHECK] Whitelist [01:36:0985] [CHECK] WellKnown [01:36:0985] [CHECK] WhitelistPath [01:36:0985] [CHECK] HijackName [01:36:0985] [CHECK] Signature [01:37:0328] [PE] Mapping [01:37:0328] [PE] Parsing [01:37:0328] [PE] Dos header -> 0x24e0000 [01:37:0328] [PE] Nt header (offset : 0xe8) file size 0x4e00 [01:37:0328] [PE] pNtHeadersx86 -> 0x24e00e8 [01:37:0328] [PE] Chars -> 0x210e [01:37:0328] [PE] Optional header [01:37:0328] [PE] Sections : 4 [01:37:0328] [PE] Section : 0 - .text [01:37:0328] [PE] Section : 1 - .data [01:37:0328] [PE] Section : 2 - .rsrc [01:37:0328] [PE] Section : 3 - .reloc [01:37:0328] [PE] File open : 1 [01:37:0328] [PE] Search sigs [01:37:0328] [PE] Section[0/3] : 0x24e0400 [01:37:0328] [PE] Init AhoCorasick [01:37:0328] [PE] Start AhoCorasick [01:37:0328] [PE] Looking results : 0 [01:37:0328] [PE] Section[1/3] : 0x24e4400 [01:37:0328] [PE] Init AhoCorasick [01:37:0328] [PE] Start AhoCorasick [01:37:0328] [PE] Looking results : 0 [01:37:0328] [PE] Section[2/3] : 0x24e4600 [01:37:0328] [PE] Init AhoCorasick [01:37:0328] [PE] Start AhoCorasick [01:37:0328] [PE] Looking results : 0 [01:37:0328] [PE] Section[3/3] : 0x24e4a00 [01:37:0328] [PE] Init AhoCorasick [01:37:0328] [PE] Start AhoCorasick [01:37:0328] [PE] Looking results : 0 [01:37:0328] [CHECK] Blacklist [01:37:0328] [CHECK] BlacklistPath [01:37:0328] [CHECK] BlacklistMD5 [01:37:0328] [CHECK] MadeNumbers [01:37:0328] [CHECK] HasUnicode [01:37:0328] [CHECK] SuspPath [01:37:0328] [CHECK] ProcessResidue [01:37:0328] [CHECK] Not found! [01:37:0328] [Check DLLs] webcheck.dll : C:\WINDOWS\system32\webcheck.dll [01:37:0328] [CHECK] WhiteDLL [01:37:0328] [CHECK] Whitelist [01:37:0328] [CHECK] WellKnown [01:37:0328] [CHECK] WhitelistPath [01:37:0328] [CHECK] HijackName [01:37:0344] [CHECK] Signature [01:37:0766] [PE] Mapping [01:37:0782] [PE] Parsing [01:37:0782] [PE] Dos header -> 0x24e0000 [01:37:0782] [PE] Nt header (offset : 0xf0) file size 0x39c00 [01:37:0782] [PE] pNtHeadersx86 -> 0x24e00f0 [01:37:0782] [PE] Chars -> 0x2102 [01:37:0782] [PE] Optional header [01:37:0782] [PE] Sections : 4 [01:37:0782] [PE] Section : 0 - .text [01:37:0782] [PE] Section : 1 - .data [01:37:0782] [PE] Section : 2 - .rsrc [01:37:0797] [PE] Section : 3 - .reloc [01:37:0797] [PE] File open : 1 [01:37:0797] [PE] Search sigs [01:37:0797] [PE] Section[0/3] : 0x24e0400 [01:37:0797] [PE] Init AhoCorasick [01:37:0797] [PE] Start AhoCorasick [01:37:0797] [PE] Looking results : 0 [01:37:0797] [PE] Section[1/3] : 0x2509800 [01:37:0797] [PE] Init AhoCorasick [01:37:0797] [PE] Start AhoCorasick [01:37:0797] [PE] Looking results : 0 [01:37:0797] [PE] Section[2/3] : 0x250a200 [01:37:0797] [PE] Init AhoCorasick [01:37:0797] [PE] Start AhoCorasick [01:37:0797] [PE] Looking results : 0 [01:37:0797] [PE] Section[3/3] : 0x2517a00 [01:37:0797] [PE] Init AhoCorasick [01:37:0797] [PE] Start AhoCorasick [01:37:0797] [PE] Looking results : 0 [01:37:0797] [CHECK] Blacklist [01:37:0797] [CHECK] BlacklistPath [01:37:0797] [CHECK] BlacklistMD5 [01:37:0797] [CHECK] MadeNumbers [01:37:0797] [CHECK] HasUnicode [01:37:0797] [CHECK] SuspPath [01:37:0797] [CHECK] ProcessResidue [01:37:0797] [CHECK] Not found! [01:37:0797] [Check DLLs] stobject.dll : C:\WINDOWS\System32\stobject.dll [01:37:0797] [CHECK] WhiteDLL [01:37:0797] [CHECK] Whitelist [01:37:0797] [CHECK] WellKnown [01:37:0797] [CHECK] WhitelistPath [01:37:0797] [CHECK] HijackName [01:37:0797] [CHECK] Signature [01:37:0969] [PE] Mapping [01:37:0969] [PE] Parsing [01:37:0969] [PE] Dos header -> 0x24e0000 [01:37:0969] [PE] Nt header (offset : 0xe0) file size 0x1dc00 [01:37:0969] [PE] pNtHeadersx86 -> 0x24e00e0 [01:37:0969] [PE] Chars -> 0x210e [01:37:0969] [PE] Optional header [01:37:0969] [PE] Sections : 4 [01:37:0969] [PE] Section : 0 - .text [01:37:0985] [PE] Section : 1 - .data [01:37:0985] [PE] Section : 2 - .rsrc [01:37:0985] [PE] Section : 3 - .reloc [01:37:0985] [PE] File open : 1 [01:37:0985] [PE] Search sigs [01:37:0985] [PE] Section[0/3] : 0x24e0400 [01:37:0985] [PE] Init AhoCorasick [01:37:0985] [PE] Start AhoCorasick [01:37:0985] [PE] Looking results : 0 [01:37:0985] [PE] Section[1/3] : 0x24e7e00 [01:37:0985] [PE] Init AhoCorasick [01:37:0985] [PE] Start AhoCorasick [01:37:0985] [PE] Looking results : 0 [01:37:0985] [PE] Section[2/3] : 0x24e8200 [01:37:0985] [PE] Init AhoCorasick [01:37:0985] [PE] Start AhoCorasick [01:37:0985] [PE] Looking results : 0 [01:37:0985] [PE] Section[3/3] : 0x24fd400 [01:37:0985] [PE] Init AhoCorasick [01:37:0985] [PE] Start AhoCorasick [01:37:0985] [PE] Looking results : 0 [01:37:0985] [CHECK] Blacklist [01:37:0985] [CHECK] BlacklistPath [01:37:0985] [CHECK] BlacklistMD5 [01:37:0985] [CHECK] MadeNumbers [01:37:0985] [CHECK] HasUnicode [01:37:0985] [CHECK] SuspPath [01:37:0985] [CHECK] ProcessResidue [01:37:0985] [CHECK] Not found! [01:37:0985] [Check DLLs] BatMeter.dll : C:\WINDOWS\System32\BatMeter.dll [01:37:0985] [CHECK] WhiteDLL [01:37:0985] [CHECK] Whitelist [01:37:0985] [CHECK] WellKnown [01:37:0985] [CHECK] WhitelistPath [01:37:0985] [CHECK] HijackName [01:37:0985] [CHECK] Signature [01:38:0157] [PE] Mapping [01:38:0157] [PE] Parsing [01:38:0157] [PE] Dos header -> 0x24e0000 [01:38:0157] [PE] Nt header (offset : 0xe8) file size 0x7200 [01:38:0157] [PE] pNtHeadersx86 -> 0x24e00e8 [01:38:0157] [PE] Chars -> 0x210e [01:38:0157] [PE] Optional header [01:38:0157] [PE] Sections : 4 [01:38:0157] [PE] Section : 0 - .text [01:38:0157] [PE] Section : 1 - .data [01:38:0157] [PE] Section : 2 - .rsrc [01:38:0157] [PE] Section : 3 - .reloc [01:38:0157] [PE] File open : 1 [01:38:0157] [PE] Search sigs [01:38:0157] [PE] Section[0/3] : 0x24e0400 [01:38:0157] [PE] Init AhoCorasick [01:38:0157] [PE] Start AhoCorasick [01:38:0157] [PE] Looking results : 0 [01:38:0157] [PE] Section[1/3] : 0x24e3c00 [01:38:0157] [PE] Init AhoCorasick [01:38:0157] [PE] Start AhoCorasick [01:38:0157] [PE] Looking results : 0 [01:38:0157] [PE] Section[2/3] : 0x24e4000 [01:38:0157] [PE] Init AhoCorasick [01:38:0157] [PE] Start AhoCorasick [01:38:0157] [PE] Looking results : 0 [01:38:0172] [PE] Section[3/3] : 0x24e6e00 [01:38:0172] [PE] Init AhoCorasick [01:38:0172] [PE] Start AhoCorasick [01:38:0172] [PE] Looking results : 0 [01:38:0172] [CHECK] Blacklist [01:38:0172] [CHECK] BlacklistPath [01:38:0172] [CHECK] BlacklistMD5 [01:38:0172] [CHECK] MadeNumbers [01:38:0172] [CHECK] HasUnicode [01:38:0172] [CHECK] SuspPath [01:38:0172] [CHECK] ProcessResidue [01:38:0172] [CHECK] Not found! [01:38:0172] [Check DLLs] POWRPROF.dll : C:\WINDOWS\System32\POWRPROF.dll [01:38:0172] [CHECK] WhiteDLL [01:38:0172] [CHECK] Whitelist [01:38:0172] [CHECK] WellKnown [01:38:0172] [CHECK] WhitelistPath [01:38:0172] [CHECK] HijackName [01:38:0172] [CHECK] Signature [01:38:0313] [PE] Mapping [01:38:0313] [PE] Parsing [01:38:0313] [PE] Dos header -> 0x24e0000 [01:38:0313] [PE] Nt header (offset : 0xd8) file size 0x4400 [01:38:0313] [PE] pNtHeadersx86 -> 0x24e00d8 [01:38:0313] [PE] Chars -> 0x210e [01:38:0313] [PE] Optional header [01:38:0313] [PE] Sections : 4 [01:38:0313] [PE] Section : 0 - .text [01:38:0313] [PE] Section : 1 - .data [01:38:0313] [PE] Section : 2 - .rsrc [01:38:0313] [PE] Section : 3 - .reloc [01:38:0313] [PE] File open : 1 [01:38:0313] [PE] Search sigs [01:38:0313] [PE] Section[0/3] : 0x24e0400 [01:38:0313] [PE] Init AhoCorasick [01:38:0313] [PE] Start AhoCorasick [01:38:0313] [PE] Looking results : 0 [01:38:0313] [PE] Section[1/3] : 0x24e3800 [01:38:0313] [PE] Init AhoCorasick [01:38:0313] [PE] Start AhoCorasick [01:38:0313] [PE] Looking results : 0 [01:38:0328] [PE] Section[2/3] : 0x24e3c00 [01:38:0328] [PE] Init AhoCorasick [01:38:0328] [PE] Start AhoCorasick [01:38:0328] [PE] Looking results : 0 [01:38:0328] [PE] Section[3/3] : 0x24e4000 [01:38:0328] [PE] Init AhoCorasick [01:38:0328] [PE] Start AhoCorasick [01:38:0328] [PE] Looking results : 0 [01:38:0328] [CHECK] Blacklist [01:38:0328] [CHECK] BlacklistPath [01:38:0328] [CHECK] BlacklistMD5 [01:38:0328] [CHECK] MadeNumbers [01:38:0328] [CHECK] HasUnicode [01:38:0328] [CHECK] SuspPath [01:38:0328] [CHECK] ProcessResidue [01:38:0328] [CHECK] Not found! [01:38:0328] [Check DLLs] WPDShServiceObj.dll : C:\WINDOWS\system32\WPDShServiceObj.dll [01:38:0328] [CHECK] WhiteDLL [01:38:0328] [CHECK] Whitelist [01:38:0328] [CHECK] WellKnown [01:38:0328] [CHECK] WhitelistPath [01:38:0328] [CHECK] HijackName [01:38:0328] [CHECK] Signature [01:38:0641] [PE] Mapping [01:38:0641] [PE] Parsing [01:38:0641] [PE] Dos header -> 0x24e0000 [01:38:0641] [PE] Nt header (offset : 0xe8) file size 0x20a00 [01:38:0641] [PE] pNtHeadersx86 -> 0x24e00e8 [01:38:0641] [PE] Chars -> 0x2102 [01:38:0641] [PE] Optional header [01:38:0641] [PE] Sections : 4 [01:38:0641] [PE] Section : 0 - .text [01:38:0641] [PE] Section : 1 - .data [01:38:0641] [PE] Section : 2 - .rsrc [01:38:0641] [PE] Section : 3 - .reloc [01:38:0641] [PE] File open : 1 [01:38:0641] [PE] Search sigs [01:38:0641] [PE] Section[0/3] : 0x24e0400 [01:38:0641] [PE] Init AhoCorasick [01:38:0641] [PE] Start AhoCorasick [01:38:0641] [PE] Looking results : 0 [01:38:0641] [PE] Section[1/3] : 0x24fce00 [01:38:0641] [PE] Init AhoCorasick [01:38:0641] [PE] Start AhoCorasick [01:38:0641] [PE] Looking results : 0 [01:38:0641] [PE] Section[2/3] : 0x24fd200 [01:38:0641] [PE] Init AhoCorasick [01:38:0641] [PE] Start AhoCorasick [01:38:0641] [PE] Looking results : 0 [01:38:0641] [PE] Section[3/3] : 0x24fda00 [01:38:0641] [PE] Init AhoCorasick [01:38:0641] [PE] Start AhoCorasick [01:38:0641] [PE] Looking results : 0 [01:38:0641] [CHECK] Blacklist [01:38:0641] [CHECK] BlacklistPath [01:38:0641] [CHECK] BlacklistMD5 [01:38:0641] [CHECK] MadeNumbers [01:38:0641] [CHECK] HasUnicode [01:38:0641] [CHECK] SuspPath [01:38:0641] [CHECK] ProcessResidue [01:38:0641] [CHECK] Not found! [01:38:0641] [Check DLLs] WINHTTP.dll : C:\WINDOWS\system32\WINHTTP.dll [01:38:0641] [CHECK] WhiteDLL [01:38:0641] [CHECK] Whitelist [01:38:0641] [CHECK] WellKnown [01:38:0641] [CHECK] WhitelistPath [01:38:0641] [CHECK] HijackName [01:38:0641] [CHECK] Signature [01:39:0157] [PE] Mapping [01:39:0157] [PE] Parsing [01:39:0157] [PE] Dos header -> 0x24e0000 [01:39:0157] [PE] Nt header (offset : 0xe8) file size 0x56a00 [01:39:0157] [PE] pNtHeadersx86 -> 0x24e00e8 [01:39:0157] [PE] Chars -> 0x210e [01:39:0157] [PE] Optional header [01:39:0157] [PE] Sections : 4 [01:39:0157] [PE] Section : 0 - .text [01:39:0157] [PE] Section : 1 - .data [01:39:0157] [PE] Section : 2 - .rsrc [01:39:0157] [PE] Section : 3 - .reloc [01:39:0157] [PE] File open : 1 [01:39:0157] [PE] Search sigs [01:39:0157] [PE] Section[0/3] : 0x24e0400 [01:39:0157] [PE] Init AhoCorasick [01:39:0157] [PE] Start AhoCorasick [01:39:0172] [PE] Looking results : 0 [01:39:0172] [PE] Section[1/3] : 0x252e200 [01:39:0172] [PE] Init AhoCorasick [01:39:0172] [PE] Start AhoCorasick [01:39:0172] [PE] Looking results : 0 [01:39:0172] [PE] Section[2/3] : 0x252ea00 [01:39:0172] [PE] Init AhoCorasick [01:39:0172] [PE] Start AhoCorasick [01:39:0172] [PE] Looking results : 0 [01:39:0172] [PE] Section[3/3] : 0x2533400 [01:39:0172] [PE] Init AhoCorasick [01:39:0172] [PE] Start AhoCorasick [01:39:0172] [PE] Looking results : 0 [01:39:0172] [CHECK] Blacklist [01:39:0172] [CHECK] BlacklistPath [01:39:0172] [CHECK] BlacklistMD5 [01:39:0172] [CHECK] MadeNumbers [01:39:0172] [CHECK] HasUnicode [01:39:0172] [CHECK] SuspPath [01:39:0172] [CHECK] ProcessResidue [01:39:0172] [CHECK] Not found! [01:39:0172] [Check DLLs] upnpui.dll : C:\WINDOWS\system32\upnpui.dll [01:39:0172] [CHECK] WhiteDLL [01:39:0172] [CHECK] Whitelist [01:39:0172] [CHECK] WellKnown [01:39:0172] [CHECK] WhitelistPath [01:39:0172] [CHECK] HijackName [01:39:0172] [CHECK] Signature [01:39:0485] [PE] Mapping [01:39:0485] [PE] Parsing [01:39:0485] [PE] Dos header -> 0x24e0000 [01:39:0485] [PE] Nt header (offset : 0xe8) file size 0x3a800 [01:39:0485] [PE] pNtHeadersx86 -> 0x24e00e8 [01:39:0485] [PE] Chars -> 0x210e [01:39:0485] [PE] Optional header [01:39:0485] [PE] Sections : 4 [01:39:0485] [PE] Section : 0 - .text [01:39:0485] [PE] Section : 1 - .data [01:39:0485] [PE] Section : 2 - .rsrc [01:39:0485] [PE] Section : 3 - .reloc [01:39:0485] [PE] File open : 1 [01:39:0485] [PE] Search sigs [01:39:0485] [PE] Section[0/3] : 0x24e0400 [01:39:0485] [PE] Init AhoCorasick [01:39:0500] [PE] Start AhoCorasick [01:39:0500] [PE] Looking results : 0 [01:39:0500] [PE] Section[1/3] : 0x24eaa00 [01:39:0500] [PE] Init AhoCorasick [01:39:0500] [PE] Start AhoCorasick [01:39:0500] [PE] Looking results : 0 [01:39:0500] [PE] Section[2/3] : 0x24eac00 [01:39:0500] [PE] Init AhoCorasick [01:39:0500] [PE] Start AhoCorasick [01:39:0500] [PE] Looking results : 0 [01:39:0500] [PE] Section[3/3] : 0x2519c00 [01:39:0500] [PE] Init AhoCorasick [01:39:0500] [PE] Start AhoCorasick [01:39:0500] [PE] Looking results : 0 [01:39:0500] [CHECK] Blacklist [01:39:0500] [CHECK] BlacklistPath [01:39:0500] [CHECK] BlacklistMD5 [01:39:0500] [CHECK] MadeNumbers [01:39:0500] [CHECK] HasUnicode [01:39:0500] [CHECK] SuspPath [01:39:0500] [CHECK] ProcessResidue [01:39:0500] [CHECK] Not found! [01:39:0500] [Check DLLs] upnp.dll : C:\WINDOWS\System32\upnp.dll [01:39:0500] [CHECK] WhiteDLL [01:39:0500] [CHECK] Whitelist [01:39:0500] [CHECK] WellKnown [01:39:0500] [CHECK] WhitelistPath [01:39:0500] [CHECK] HijackName [01:39:0500] [CHECK] Signature [01:39:0657] [PE] Mapping [01:39:0657] [PE] Parsing [01:39:0657] [PE] Dos header -> 0x24e0000 [01:39:0657] [PE] Nt header (offset : 0xe8) file size 0x20a00 [01:39:0657] [PE] pNtHeadersx86 -> 0x24e00e8 [01:39:0657] [PE] Chars -> 0x210e [01:39:0657] [PE] Optional header [01:39:0657] [PE] Sections : 5 [01:39:0657] [PE] Section : 0 - .text [01:39:0657] [PE] Section : 1 - .orpc [01:39:0657] [PE] Section : 2 - .data [01:39:0657] [PE] Section : 3 - .rsrc [01:39:0657] [PE] Section : 4 - .reloc [01:39:0657] [PE] File open : 1 [01:39:0657] [PE] Search sigs [01:39:0657] [PE] Section[0/4] : 0x24e0400 [01:39:0657] [PE] Init AhoCorasick [01:39:0657] [PE] Start AhoCorasick [01:39:0657] [PE] Looking results : 0 [01:39:0657] [PE] Section[1/4] : 0x24f9800 [01:39:0657] [PE] Init AhoCorasick [01:39:0657] [PE] Start AhoCorasick [01:39:0657] [PE] Looking results : 0 [01:39:0657] [PE] Section[2/4] : 0x24f9a00 [01:39:0657] [PE] Init AhoCorasick [01:39:0657] [PE] Start AhoCorasick [01:39:0657] [PE] Looking results : 0 [01:39:0657] [PE] Section[3/4] : 0x24fa600 [01:39:0657] [PE] Init AhoCorasick [01:39:0657] [PE] Start AhoCorasick [01:39:0657] [PE] Looking results : 0 [01:39:0657] [PE] Section[4/4] : 0x24ff000 [01:39:0657] [PE] Init AhoCorasick [01:39:0657] [PE] Start AhoCorasick [01:39:0657] [PE] Looking results : 0 [01:39:0657] [CHECK] Blacklist [01:39:0657] [CHECK] BlacklistPath [01:39:0672] [CHECK] BlacklistMD5 [01:39:0672] [CHECK] MadeNumbers [01:39:0672] [CHECK] HasUnicode [01:39:0672] [CHECK] SuspPath [01:39:0672] [CHECK] ProcessResidue [01:39:0672] [CHECK] Not found! [01:39:0672] [Check DLLs] SSDPAPI.dll : C:\WINDOWS\System32\SSDPAPI.dll [01:39:0672] [CHECK] WhiteDLL [01:39:0672] [CHECK] Whitelist [01:39:0672] [CHECK] WellKnown [01:39:0672] [CHECK] WhitelistPath [01:39:0672] [CHECK] HijackName [01:39:0672] [CHECK] Signature [01:39:0750] [PE] Mapping [01:39:0750] [PE] Parsing [01:39:0750] [PE] Dos header -> 0x24e0000 [01:39:0750] [PE] Nt header (offset : 0xe0) file size 0x8800 [01:39:0750] [PE] pNtHeadersx86 -> 0x24e00e0 [01:39:0750] [PE] Chars -> 0x210e [01:39:0750] [PE] Optional header [01:39:0750] [PE] Sections : 4 [01:39:0750] [PE] Section : 0 - .text [01:39:0750] [PE] Section : 1 - .data [01:39:0750] [PE] Section : 2 - .rsrc [01:39:0750] [PE] Section : 3 - .reloc [01:39:0750] [PE] File open : 1 [01:39:0750] [PE] Search sigs [01:39:0750] [PE] Section[0/3] : 0x24e0400 [01:39:0750] [PE] Init AhoCorasick [01:39:0750] [PE] Start AhoCorasick [01:39:0750] [PE] Looking results : 0 [01:39:0750] [PE] Section[1/3] : 0x24e7800 [01:39:0750] [PE] Init AhoCorasick [01:39:0750] [PE] Start AhoCorasick [01:39:0750] [PE] Looking results : 0 [01:39:0750] [PE] Section[2/3] : 0x24e7a00 [01:39:0750] [PE] Init AhoCorasick [01:39:0750] [PE] Start AhoCorasick [01:39:0750] [PE] Looking results : 0 [01:39:0766] [PE] Section[3/3] : 0x24e7e00 [01:39:0766] [PE] Init AhoCorasick [01:39:0766] [PE] Start AhoCorasick [01:39:0766] [PE] Looking results : 0 [01:39:0766] [CHECK] Blacklist [01:39:0766] [CHECK] BlacklistPath [01:39:0766] [CHECK] BlacklistMD5 [01:39:0766] [CHECK] MadeNumbers [01:39:0766] [CHECK] HasUnicode [01:39:0766] [CHECK] SuspPath [01:39:0766] [CHECK] ProcessResidue [01:39:0766] [CHECK] Not found! [01:39:0766] [Check DLLs] msv1_0.dll : C:\WINDOWS\system32\msv1_0.dll [01:39:0766] [CHECK] WhiteDLL [01:39:0766] [CHECK] Whitelist [01:39:0766] [CHECK] WellKnown [01:39:0766] [CHECK] WhitelistPath [01:39:0766] [CHECK] HijackName [01:39:0766] [CHECK] Signature [01:39:0860] [PE] Mapping [01:39:0860] [PE] Parsing [01:39:0860] [PE] Dos header -> 0x24e0000 [01:39:0860] [PE] Nt header (offset : 0xf8) file size 0x21400 [01:39:0860] [PE] pNtHeadersx86 -> 0x24e00f8 [01:39:0860] [PE] Chars -> 0x210e [01:39:0860] [PE] Optional header [01:39:0860] [PE] Sections : 4 [01:39:0860] [PE] Section : 0 - .text [01:39:0860] [PE] Section : 1 - .data [01:39:0860] [PE] Section : 2 - .rsrc [01:39:0860] [PE] Section : 3 - .reloc [01:39:0860] [PE] File open : 1 [01:39:0860] [PE] Search sigs [01:39:0860] [PE] Section[0/3] : 0x24e0400 [01:39:0860] [PE] Init AhoCorasick [01:39:0860] [PE] Start AhoCorasick [01:39:0860] [PE] Looking results : 0 [01:39:0860] [PE] Section[1/3] : 0x24fdc00 [01:39:0860] [PE] Init AhoCorasick [01:39:0860] [PE] Start AhoCorasick [01:39:0860] [PE] Looking results : 0 [01:39:0860] [PE] Section[2/3] : 0x24fee00 [01:39:0860] [PE] Init AhoCorasick [01:39:0860] [PE] Start AhoCorasick [01:39:0860] [PE] Looking results : 0 [01:39:0860] [PE] Section[3/3] : 0x2500000 [01:39:0860] [PE] Init AhoCorasick [01:39:0860] [PE] Start AhoCorasick [01:39:0860] [PE] Looking results : 0 [01:39:0860] [CHECK] Blacklist [01:39:0860] [CHECK] BlacklistPath [01:39:0860] [CHECK] BlacklistMD5 [01:39:0860] [CHECK] MadeNumbers [01:39:0860] [CHECK] HasUnicode [01:39:0860] [CHECK] SuspPath [01:39:0860] [CHECK] ProcessResidue [01:39:0860] [CHECK] Not found! [01:39:0860] [Check DLLs] cryptdll.dll : C:\WINDOWS\system32\cryptdll.dll [01:39:0860] [CHECK] WhiteDLL [01:39:0860] [CHECK] Whitelist [01:39:0860] [CHECK] WellKnown [01:39:0860] [CHECK] WhitelistPath [01:39:0860] [CHECK] HijackName [01:39:0875] [CHECK] Signature [01:39:0922] [PE] Mapping [01:39:0922] [PE] Parsing [01:39:0922] [PE] Dos header -> 0x24e0000 [01:39:0922] [PE] Nt header (offset : 0xd8) file size 0x8200 [01:39:0922] [PE] pNtHeadersx86 -> 0x24e00d8 [01:39:0922] [PE] Chars -> 0x210e [01:39:0922] [PE] Optional header [01:39:0922] [PE] Sections : 4 [01:39:0922] [PE] Section : 0 - .text [01:39:0922] [PE] Section : 1 - .data [01:39:0922] [PE] Section : 2 - .rsrc [01:39:0922] [PE] Section : 3 - .reloc [01:39:0922] [PE] File open : 1 [01:39:0922] [PE] Search sigs [01:39:0922] [PE] Section[0/3] : 0x24e0400 [01:39:0922] [PE] Init AhoCorasick [01:39:0922] [PE] Start AhoCorasick [01:39:0922] [PE] Looking results : 0 [01:39:0922] [PE] Section[1/3] : 0x24e6600 [01:39:0922] [PE] Init AhoCorasick [01:39:0922] [PE] Start AhoCorasick [01:39:0922] [PE] Looking results : 0 [01:39:0922] [PE] Section[2/3] : 0x24e7800 [01:39:0922] [PE] Init AhoCorasick [01:39:0922] [PE] Start AhoCorasick [01:39:0922] [PE] Looking results : 0 [01:39:0922] [PE] Section[3/3] : 0x24e7c00 [01:39:0922] [PE] Init AhoCorasick [01:39:0922] [PE] Start AhoCorasick [01:39:0922] [PE] Looking results : 0 [01:39:0922] [CHECK] Blacklist [01:39:0922] [CHECK] BlacklistPath [01:39:0922] [CHECK] BlacklistMD5 [01:39:0922] [CHECK] MadeNumbers [01:39:0922] [CHECK] HasUnicode [01:39:0922] [CHECK] SuspPath [01:39:0922] [CHECK] ProcessResidue [01:39:0922] [CHECK] Not found! [01:39:0922] [Check DLLs] mydocs.dll : C:\WINDOWS\System32\mydocs.dll [01:39:0922] [CHECK] WhiteDLL [01:39:0922] [CHECK] Whitelist [01:39:0922] [CHECK] WellKnown [01:39:0922] [CHECK] WhitelistPath [01:39:0922] [CHECK] HijackName [01:39:0922] [CHECK] Signature [01:40:0000] [PE] Mapping [01:40:0000] [PE] Parsing [01:40:0000] [PE] Dos header -> 0x24e0000 [01:40:0016] [PE] Nt header (offset : 0xe8) file size 0x16200 [01:40:0016] [PE] pNtHeadersx86 -> 0x24e00e8 [01:40:0016] [PE] Chars -> 0x210e [01:40:0016] [PE] Optional header [01:40:0016] [PE] Sections : 4 [01:40:0016] [PE] Section : 0 - .text [01:40:0016] [PE] Section : 1 - .data [01:40:0016] [PE] Section : 2 - .rsrc [01:40:0016] [PE] Section : 3 - .reloc [01:40:0016] [PE] File open : 1 [01:40:0016] [PE] Search sigs [01:40:0016] [PE] Section[0/3] : 0x24e0400 [01:40:0016] [PE] Init AhoCorasick [01:40:0016] [PE] Start AhoCorasick [01:40:0016] [PE] Looking results : 0 [01:40:0016] [PE] Section[1/3] : 0x24e4a00 [01:40:0016] [PE] Init AhoCorasick [01:40:0016] [PE] Start AhoCorasick [01:40:0016] [PE] Looking results : 0 [01:40:0016] [PE] Section[2/3] : 0x24e4c00 [01:40:0016] [PE] Init AhoCorasick [01:40:0016] [PE] Start AhoCorasick [01:40:0016] [PE] Looking results : 0 [01:40:0016] [PE] Section[3/3] : 0x24f5e00 [01:40:0016] [PE] Init AhoCorasick [01:40:0016] [PE] Start AhoCorasick [01:40:0016] [PE] Looking results : 0 [01:40:0016] [CHECK] Blacklist [01:40:0016] [CHECK] BlacklistPath [01:40:0016] [CHECK] BlacklistMD5 [01:40:0016] [CHECK] MadeNumbers [01:40:0016] [CHECK] HasUnicode [01:40:0016] [CHECK] SuspPath [01:40:0016] [CHECK] ProcessResidue [01:40:0016] [CHECK] Not found! [01:40:0016] [Check DLLs] sensapi.dll : C:\WINDOWS\system32\sensapi.dll [01:40:0016] [CHECK] WhiteDLL [01:40:0016] [CHECK] Whitelist [01:40:0016] [CHECK] WellKnown [01:40:0016] [CHECK] WhitelistPath [01:40:0016] [CHECK] HijackName [01:40:0016] [CHECK] Signature [01:40:0078] [PE] Mapping [01:40:0078] [PE] Parsing [01:40:0078] [PE] Dos header -> 0x24e0000 [01:40:0078] [PE] Nt header (offset : 0xd8) file size 0x1c00 [01:40:0078] [PE] pNtHeadersx86 -> 0x24e00d8 [01:40:0078] [PE] Chars -> 0x210e [01:40:0078] [PE] Optional header [01:40:0078] [PE] Sections : 4 [01:40:0078] [PE] Section : 0 - .text [01:40:0078] [PE] Section : 1 - .data [01:40:0078] [PE] Section : 2 - .rsrc [01:40:0078] [PE] Section : 3 - .reloc [01:40:0078] [PE] File open : 1 [01:40:0078] [PE] Search sigs [01:40:0078] [PE] Section[0/3] : 0x24e0400 [01:40:0078] [PE] Init AhoCorasick [01:40:0078] [PE] Start AhoCorasick [01:40:0078] [PE] Looking results : 0 [01:40:0078] [PE] Section[1/3] : 0x24e1400 [01:40:0078] [PE] Init AhoCorasick [01:40:0078] [PE] Start AhoCorasick [01:40:0078] [PE] Looking results : 0 [01:40:0078] [PE] Section[2/3] : 0x24e1600 [01:40:0078] [PE] Init AhoCorasick [01:40:0078] [PE] Start AhoCorasick [01:40:0078] [PE] Looking results : 0 [01:40:0078] [PE] Section[3/3] : 0x24e1a00 [01:40:0078] [PE] Init AhoCorasick [01:40:0078] [PE] Start AhoCorasick [01:40:0078] [PE] Looking results : 0 [01:40:0078] [CHECK] Blacklist [01:40:0078] [CHECK] BlacklistPath [01:40:0078] [CHECK] BlacklistMD5 [01:40:0078] [CHECK] MadeNumbers [01:40:0078] [CHECK] HasUnicode [01:40:0078] [CHECK] SuspPath [01:40:0078] [CHECK] ProcessResidue [01:40:0078] [CHECK] Not found! [01:40:0078] [Check DLLs] PortableDeviceTypes.dll : C:\WINDOWS\system32\PortableDeviceTypes.dll [01:40:0078] [CHECK] WhiteDLL [01:40:0078] [CHECK] Whitelist [01:40:0078] [CHECK] WellKnown [01:40:0078] [CHECK] WhitelistPath [01:40:0078] [CHECK] HijackName [01:40:0078] [CHECK] Signature [01:40:0141] [PE] Mapping [01:40:0141] [PE] Parsing [01:40:0141] [PE] Dos header -> 0x24e0000 [01:40:0141] [PE] Nt header (offset : 0xf0) file size 0x28c00 [01:40:0141] [PE] pNtHeadersx86 -> 0x24e00f0 [01:40:0141] [PE] Chars -> 0x2102 [01:40:0141] [PE] Optional header [01:40:0141] [PE] Sections : 5 [01:40:0141] [PE] Section : 0 - .text [01:40:0141] [PE] Section : 1 - .orpc [01:40:0141] [PE] Section : 2 - .data [01:40:0141] [PE] Section : 3 - .rsrc [01:40:0141] [PE] Section : 4 - .reloc [01:40:0141] [PE] File open : 1 [01:40:0141] [PE] Search sigs [01:40:0141] [PE] Section[0/4] : 0x24e0400 [01:40:0141] [PE] Init AhoCorasick [01:40:0141] [PE] Start AhoCorasick [01:40:0141] [PE] Looking results : 0 [01:40:0141] [PE] Section[1/4] : 0x24f9e00 [01:40:0141] [PE] Init AhoCorasick [01:40:0141] [PE] Start AhoCorasick [01:40:0141] [PE] Looking results : 0 [01:40:0141] [PE] Section[2/4] : 0x24fa000 [01:40:0141] [PE] Init AhoCorasick [01:40:0141] [PE] Start AhoCorasick [01:40:0141] [PE] Looking results : 0 [01:40:0141] [PE] Section[3/4] : 0x24fa600 [01:40:0141] [PE] Init AhoCorasick [01:40:0141] [PE] Start AhoCorasick [01:40:0141] [PE] Looking results : 0 [01:40:0141] [PE] Section[4/4] : 0x2506c00 [01:40:0141] [PE] Init AhoCorasick [01:40:0141] [PE] Start AhoCorasick [01:40:0157] [PE] Looking results : 0 [01:40:0157] [CHECK] Blacklist [01:40:0157] [CHECK] BlacklistPath [01:40:0157] [CHECK] BlacklistMD5 [01:40:0157] [CHECK] MadeNumbers [01:40:0157] [CHECK] HasUnicode [01:40:0157] [CHECK] SuspPath [01:40:0157] [CHECK] ProcessResidue [01:40:0157] [CHECK] Not found! [01:40:0157] [Check DLLs] PortableDeviceApi.dll : C:\WINDOWS\system32\PortableDeviceApi.dll [01:40:0157] [CHECK] WhiteDLL [01:40:0157] [CHECK] Whitelist [01:40:0157] [CHECK] WellKnown [01:40:0157] [CHECK] WhitelistPath [01:40:0157] [CHECK] HijackName [01:40:0157] [CHECK] Signature [01:40:0532] [PE] Mapping [01:40:0532] [PE] Parsing [01:40:0532] [PE] Dos header -> 0x24e0000 [01:40:0532] [PE] Nt header (offset : 0xe8) file size 0x3e400 [01:40:0532] [PE] pNtHeadersx86 -> 0x24e00e8 [01:40:0532] [PE] Chars -> 0x2102 [01:40:0532] [PE] Optional header [01:40:0532] [PE] Sections : 5 [01:40:0532] [PE] Section : 0 - .text [01:40:0532] [PE] Section : 1 - .orpc [01:40:0532] [PE] Section : 2 - .data [01:40:0532] [PE] Section : 3 - .rsrc [01:40:0532] [PE] Section : 4 - .reloc [01:40:0532] [PE] File open : 1 [01:40:0532] [PE] Search sigs [01:40:0532] [PE] Section[0/4] : 0x24e0400 [01:40:0532] [PE] Init AhoCorasick [01:40:0532] [PE] Start AhoCorasick [01:40:0532] [PE] Looking results : 0 [01:40:0532] [PE] Section[1/4] : 0x250a400 [01:40:0532] [PE] Init AhoCorasick [01:40:0532] [PE] Start AhoCorasick [01:40:0532] [PE] Looking results : 0 [01:40:0532] [PE] Section[2/4] : 0x250a600 [01:40:0532] [PE] Init AhoCorasick [01:40:0532] [PE] Start AhoCorasick [01:40:0532] [PE] Looking results : 0 [01:40:0532] [PE] Section[3/4] : 0x250b800 [01:40:0532] [PE] Init AhoCorasick [01:40:0532] [PE] Start AhoCorasick [01:40:0532] [PE] Looking results : 0 [01:40:0532] [PE] Section[4/4] : 0x2519400 [01:40:0532] [PE] Init AhoCorasick [01:40:0532] [PE] Start AhoCorasick [01:40:0547] [PE] Looking results : 0 [01:40:0547] [CHECK] Blacklist [01:40:0547] [CHECK] BlacklistPath [01:40:0547] [CHECK] BlacklistMD5 [01:40:0547] [CHECK] MadeNumbers [01:40:0547] [CHECK] HasUnicode [01:40:0547] [CHECK] SuspPath [01:40:0547] [CHECK] ProcessResidue [01:40:0547] [CHECK] Not found! [01:40:0547] [Check DLLs] wshtcpip.dll : C:\WINDOWS\System32\wshtcpip.dll [01:40:0547] [CHECK] WhiteDLL [01:40:0547] [CHECK] Whitelist [01:40:0547] [CHECK] WellKnown [01:40:0547] [CHECK] WhitelistPath [01:40:0547] [CHECK] HijackName [01:40:0547] [CHECK] Signature [01:40:0641] [PE] Mapping [01:40:0641] [PE] Parsing [01:40:0641] [PE] Dos header -> 0x24e0000 [01:40:0641] [PE] Nt header (offset : 0xe0) file size 0x4c00 [01:40:0641] [PE] pNtHeadersx86 -> 0x24e00e0 [01:40:0641] [PE] Chars -> 0x210e [01:40:0641] [PE] Optional header [01:40:0641] [PE] Sections : 4 [01:40:0641] [PE] Section : 0 - .text [01:40:0641] [PE] Section : 1 - .data [01:40:0641] [PE] Section : 2 - .rsrc [01:40:0641] [PE] Section : 3 - .reloc [01:40:0641] [PE] File open : 1 [01:40:0641] [PE] Search sigs [01:40:0641] [PE] Section[0/3] : 0x24e0400 [01:40:0641] [PE] Init AhoCorasick [01:40:0641] [PE] Start AhoCorasick [01:40:0641] [PE] Looking results : 0 [01:40:0641] [PE] Section[1/3] : 0x24e3e00 [01:40:0641] [PE] Init AhoCorasick [01:40:0641] [PE] Start AhoCorasick [01:40:0641] [PE] Looking results : 0 [01:40:0641] [PE] Section[2/3] : 0x24e4600 [01:40:0641] [PE] Init AhoCorasick [01:40:0641] [PE] Start AhoCorasick [01:40:0641] [PE] Looking results : 0 [01:40:0641] [PE] Section[3/3] : 0x24e4a00 [01:40:0641] [PE] Init AhoCorasick [01:40:0641] [PE] Start AhoCorasick [01:40:0641] [PE] Looking results : 0 [01:40:0641] [CHECK] Blacklist [01:40:0641] [CHECK] BlacklistPath [01:40:0641] [CHECK] BlacklistMD5 [01:40:0641] [CHECK] MadeNumbers [01:40:0641] [CHECK] HasUnicode [01:40:0641] [CHECK] SuspPath [01:40:0641] [CHECK] ProcessResidue [01:40:0641] [CHECK] Not found! [01:40:0641] [Check DLLs] rsaenh.dll : C:\WINDOWS\system32\rsaenh.dll [01:40:0641] [CHECK] WhiteDLL [01:40:0641] [CHECK] Whitelist [01:40:0641] [CHECK] WellKnown [01:40:0641] [CHECK] WhitelistPath [01:40:0641] [CHECK] HijackName [01:40:0641] [CHECK] Signature [01:40:0922] [PE] Mapping [01:40:0922] [PE] Parsing [01:40:0922] [PE] Dos header -> 0x24e0000 [01:40:0922] [PE] Nt header (offset : 0xf8) file size 0x32e00 [01:40:0922] [PE] pNtHeadersx86 -> 0x24e00f8 [01:40:0922] [PE] Chars -> 0x210e [01:40:0922] [PE] Optional header [01:40:0922] [PE] Sections : 4 [01:40:0922] [PE] Section : 0 - .text [01:40:0922] [PE] Section : 1 - .data [01:40:0922] [PE] Section : 2 - .rsrc [01:40:0922] [PE] Section : 3 - .reloc [01:40:0922] [PE] File open : 1 [01:40:0922] [PE] Search sigs [01:40:0922] [PE] Section[0/3] : 0x24e0400 [01:40:0922] [PE] Init AhoCorasick [01:40:0922] [PE] Start AhoCorasick [01:40:0938] [PE] Looking results : 0 [01:40:0938] [PE] Section[1/3] : 0x250e200 [01:40:0938] [PE] Init AhoCorasick [01:40:0938] [PE] Start AhoCorasick [01:40:0938] [PE] Looking results : 0 [01:40:0938] [PE] Section[2/3] : 0x2510c00 [01:40:0938] [PE] Init AhoCorasick [01:40:0938] [PE] Start AhoCorasick [01:40:0938] [PE] Looking results : 0 [01:40:0938] [PE] Section[3/3] : 0x2511a00 [01:40:0938] [PE] Init AhoCorasick [01:40:0938] [PE] Start AhoCorasick [01:40:0938] [PE] Looking results : 0 [01:40:0938] [CHECK] Blacklist [01:40:0938] [CHECK] BlacklistPath [01:40:0938] [CHECK] BlacklistMD5 [01:40:0938] [CHECK] MadeNumbers [01:40:0938] [CHECK] HasUnicode [01:40:0938] [CHECK] SuspPath [01:40:0938] [CHECK] ProcessResidue [01:40:0938] [CHECK] Not found! [01:40:0938] [Check DLLs] msi.dll : C:\WINDOWS\system32\msi.dll [01:40:0938] [CHECK] WhiteDLL [01:40:0938] [CHECK] Whitelist [01:40:0938] [CHECK] WellKnown [01:40:0938] [CHECK] WhitelistPath [01:40:0938] [CHECK] HijackName [01:40:0938] [CHECK] Signature [01:43:0782] [PE] Mapping [01:43:0797] [PE] Parsing [01:43:0797] [PE] Dos header -> 0x26e0000 [01:43:0797] [PE] Nt header (offset : 0xe8) file size 0x2b6200 [01:43:0797] [PE] pNtHeadersx86 -> 0x26e00e8 [01:43:0797] [PE] Chars -> 0x210e [01:43:0797] [PE] Optional header [01:43:0797] [PE] Sections : 5 [01:43:0797] [PE] Section : 0 - .orpc [01:43:0797] [PE] Section : 1 - .text [01:43:0797] [PE] Section : 2 - .data [01:43:0797] [PE] Section : 3 - .rsrc [01:43:0797] [PE] Section : 4 - .reloc [01:43:0797] [PE] File open : 1 [01:43:0797] [PE] Search sigs [01:43:0797] [PE] Section[0/4] : 0x26e0400 [01:43:0797] [PE] Init AhoCorasick [01:43:0797] [PE] Start AhoCorasick [01:43:0797] [PE] Looking results : 0 [01:43:0797] [PE] Section[1/4] : 0x26e0600 [01:43:0797] [PE] Init AhoCorasick [01:43:0797] [PE] Start AhoCorasick [01:43:0828] [PE] Looking results : 0 [01:43:0828] [PE] Section[2/4] : 0x2891c00 [01:43:0828] [PE] Init AhoCorasick [01:43:0828] [PE] Start AhoCorasick [01:43:0828] [PE] Looking results : 0 [01:43:0828] [PE] Section[3/4] : 0x289b000 [01:43:0828] [PE] Init AhoCorasick [01:43:0828] [PE] Start AhoCorasick [01:43:0844] [PE] Looking results : 0 [01:43:0844] [PE] Section[4/4] : 0x2989e00 [01:43:0860] [PE] Init AhoCorasick [01:43:0860] [PE] Start AhoCorasick [01:43:0860] [PE] Looking results : 0 [01:43:0860] [CHECK] Blacklist [01:43:0860] [CHECK] BlacklistPath [01:43:0860] [CHECK] BlacklistMD5 [01:43:0860] [CHECK] MadeNumbers [01:43:0860] [CHECK] HasUnicode [01:43:0860] [CHECK] SuspPath [01:43:0860] [CHECK] ProcessResidue [01:43:0860] [CHECK] Not found! [01:43:0860] [Check DLLs] wdmaud.drv : C:\WINDOWS\system32\wdmaud.drv [01:43:0860] [CHECK] WhiteDLL [01:43:0860] [CHECK] Whitelist [01:43:0860] [CHECK] WellKnown [01:43:0860] [CHECK] WhitelistPath [01:43:0860] [CHECK] HijackName [01:43:0860] [CHECK] Signature [01:43:0969] [PE] Mapping [01:43:0969] [PE] Parsing [01:43:0969] [PE] Dos header -> 0x24e0000 [01:43:0969] [PE] Nt header (offset : 0xe8) file size 0x5c00 [01:43:0969] [PE] pNtHeadersx86 -> 0x24e00e8 [01:43:0969] [PE] Chars -> 0x210e [01:43:0969] [PE] Optional header [01:43:0969] [PE] Sections : 4 [01:43:0969] [PE] Section : 0 - .text [01:43:0969] [PE] Section : 1 - .data [01:43:0969] [PE] Section : 2 - .rsrc [01:43:0969] [PE] Section : 3 - .reloc [01:43:0969] [PE] File open : 1 [01:43:0969] [PE] Search sigs [01:43:0969] [PE] Section[0/3] : 0x24e0400 [01:43:0969] [PE] Init AhoCorasick [01:43:0969] [PE] Start AhoCorasick [01:43:0969] [PE] Looking results : 0 [01:43:0969] [PE] Section[1/3] : 0x24e5000 [01:43:0969] [PE] Init AhoCorasick [01:43:0969] [PE] Start AhoCorasick [01:43:0969] [PE] Looking results : 0 [01:43:0969] [PE] Section[2/3] : 0x24e5200 [01:43:0969] [PE] Init AhoCorasick [01:43:0969] [PE] Start AhoCorasick [01:43:0969] [PE] Looking results : 0 [01:43:0969] [PE] Section[3/3] : 0x24e5600 [01:43:0969] [PE] Init AhoCorasick [01:43:0969] [PE] Start AhoCorasick [01:43:0969] [PE] Looking results : 0 [01:43:0969] [CHECK] Blacklist [01:43:0969] [CHECK] BlacklistPath [01:43:0969] [CHECK] BlacklistMD5 [01:43:0969] [CHECK] MadeNumbers [01:43:0969] [CHECK] HasUnicode [01:43:0969] [CHECK] SuspPath [01:43:0969] [CHECK] ProcessResidue [01:43:0969] [CHECK] Not found! [01:43:0969] [Check DLLs] msacm32.drv : C:\WINDOWS\system32\msacm32.drv [01:43:0969] [CHECK] WhiteDLL [01:43:0969] [CHECK] Whitelist [01:43:0969] [CHECK] WellKnown [01:43:0969] [CHECK] WhitelistPath [01:43:0969] [CHECK] HijackName [01:43:0969] [CHECK] Signature [01:44:0141] [PE] Mapping [01:44:0141] [PE] Parsing [01:44:0141] [PE] Dos header -> 0x24e0000 [01:44:0141] [PE] Nt header (offset : 0xe0) file size 0x5000 [01:44:0141] [PE] pNtHeadersx86 -> 0x24e00e0 [01:44:0141] [PE] Chars -> 0x210e [01:44:0141] [PE] Optional header [01:44:0141] [PE] Sections : 4 [01:44:0141] [PE] Section : 0 - .text [01:44:0141] [PE] Section : 1 - .data [01:44:0141] [PE] Section : 2 - .rsrc [01:44:0141] [PE] Section : 3 - .reloc [01:44:0141] [PE] File open : 1 [01:44:0157] [PE] Search sigs [01:44:0157] [PE] Section[0/3] : 0x24e0400 [01:44:0157] [PE] Init AhoCorasick [01:44:0157] [PE] Start AhoCorasick [01:44:0157] [PE] Looking results : 0 [01:44:0157] [PE] Section[1/3] : 0x24e2c00 [01:44:0157] [PE] Init AhoCorasick [01:44:0157] [PE] Start AhoCorasick [01:44:0157] [PE] Looking results : 0 [01:44:0157] [PE] Section[2/3] : 0x24e2e00 [01:44:0157] [PE] Init AhoCorasick [01:44:0157] [PE] Start AhoCorasick [01:44:0157] [PE] Looking results : 0 [01:44:0157] [PE] Section[3/3] : 0x24e4c00 [01:44:0157] [PE] Init AhoCorasick [01:44:0157] [PE] Start AhoCorasick [01:44:0157] [PE] Looking results : 0 [01:44:0157] [CHECK] Blacklist [01:44:0157] [CHECK] BlacklistPath [01:44:0157] [CHECK] BlacklistMD5 [01:44:0157] [CHECK] MadeNumbers [01:44:0157] [CHECK] HasUnicode [01:44:0157] [CHECK] SuspPath [01:44:0157] [CHECK] ProcessResidue [01:44:0157] [CHECK] Not found! [01:44:0157] [Check DLLs] midimap.dll : C:\WINDOWS\system32\midimap.dll [01:44:0157] [CHECK] WhiteDLL [01:44:0157] [CHECK] Whitelist [01:44:0157] [CHECK] WellKnown [01:44:0157] [CHECK] WhitelistPath [01:44:0157] [CHECK] HijackName [01:44:0157] [CHECK] Signature [01:44:0328] [PE] Mapping [01:44:0328] [PE] Parsing [01:44:0328] [PE] Dos header -> 0x24e0000 [01:44:0328] [PE] Nt header (offset : 0xd0) file size 0x4a00 [01:44:0328] [PE] pNtHeadersx86 -> 0x24e00d0 [01:44:0328] [PE] Chars -> 0x210e [01:44:0328] [PE] Optional header [01:44:0328] [PE] Sections : 4 [01:44:0328] [PE] Section : 0 - .text [01:44:0328] [PE] Section : 1 - .data [01:44:0328] [PE] Section : 2 - .rsrc [01:44:0328] [PE] Section : 3 - .reloc [01:44:0328] [PE] File open : 1 [01:44:0328] [PE] Search sigs [01:44:0328] [PE] Section[0/3] : 0x24e0400 [01:44:0328] [PE] Init AhoCorasick [01:44:0328] [PE] Start AhoCorasick [01:44:0328] [PE] Looking results : 0 [01:44:0344] [PE] Section[1/3] : 0x24e3000 [01:44:0344] [PE] Init AhoCorasick [01:44:0344] [PE] Start AhoCorasick [01:44:0344] [PE] Looking results : 0 [01:44:0344] [PE] Section[2/3] : 0x24e3600 [01:44:0344] [PE] Init AhoCorasick [01:44:0344] [PE] Start AhoCorasick [01:44:0344] [PE] Looking results : 0 [01:44:0344] [PE] Section[3/3] : 0x24e4400 [01:44:0344] [PE] Init AhoCorasick [01:44:0344] [PE] Start AhoCorasick [01:44:0344] [PE] Looking results : 0 [01:44:0344] [CHECK] Blacklist [01:44:0344] [CHECK] BlacklistPath [01:44:0344] [CHECK] BlacklistMD5 [01:44:0344] [CHECK] MadeNumbers [01:44:0344] [CHECK] HasUnicode [01:44:0344] [CHECK] SuspPath [01:44:0344] [CHECK] ProcessResidue [01:44:0344] [CHECK] Not found! [01:44:0344] [Check DLLs] fxsst.dll : C:\WINDOWS\system32\fxsst.dll [01:44:0344] [CHECK] WhiteDLL [01:44:0344] [CHECK] Whitelist [01:44:0344] [CHECK] WellKnown [01:44:0344] [CHECK] WhitelistPath [01:44:0344] [CHECK] HijackName [01:44:0344] [CHECK] Signature [01:45:0047] [PE] Mapping [01:45:0063] [PE] Parsing [01:45:0110] [PE] Dos header -> 0x24e0000 [01:45:0110] [PE] Nt header (offset : 0xe8) file size 0x89400 [01:45:0110] [PE] pNtHeadersx86 -> 0x24e00e8 [01:45:0110] [PE] Chars -> 0x210e [01:45:0110] [PE] Optional header [01:45:0110] [PE] Sections : 4 [01:45:0110] [PE] Section : 0 - .text [01:45:0110] [PE] Section : 1 - .data [01:45:0110] [PE] Section : 2 - .rsrc [01:45:0110] [PE] Section : 3 - .reloc [01:45:0110] [PE] File open : 1 [01:45:0110] [PE] Search sigs [01:45:0110] [PE] Section[0/3] : 0x24e0400 [01:45:0110] [PE] Init AhoCorasick [01:45:0110] [PE] Start AhoCorasick [01:45:0110] [PE] Looking results : 0 [01:45:0110] [PE] Section[1/3] : 0x24e6e00 [01:45:0110] [PE] Init AhoCorasick [01:45:0110] [PE] Start AhoCorasick [01:45:0110] [PE] Looking results : 0 [01:45:0110] [PE] Section[2/3] : 0x24e7800 [01:45:0110] [PE] Init AhoCorasick [01:45:0110] [PE] Start AhoCorasick [01:45:0125] [PE] Looking results : 0 [01:45:0125] [PE] Section[3/3] : 0x2568200 [01:45:0125] [PE] Init AhoCorasick [01:45:0125] [PE] Start AhoCorasick [01:45:0125] [PE] Looking results : 0 [01:45:0125] [CHECK] Blacklist [01:45:0125] [CHECK] BlacklistPath [01:45:0125] [CHECK] BlacklistMD5 [01:45:0125] [CHECK] MadeNumbers [01:45:0125] [CHECK] HasUnicode [01:45:0125] [CHECK] SuspPath [01:45:0125] [CHECK] ProcessResidue [01:45:0125] [CHECK] Not found! [01:45:0125] [Check DLLs] WINSPOOL.DRV : C:\WINDOWS\system32\WINSPOOL.DRV [01:45:0125] [CHECK] WhiteDLL [01:45:0125] [CHECK] Whitelist [01:45:0125] [CHECK] WellKnown [01:45:0125] [CHECK] WhitelistPath [01:45:0125] [CHECK] HijackName [01:45:0125] [CHECK] Signature [01:45:0344] [PE] Mapping [01:45:0344] [PE] Parsing [01:45:0344] [PE] Dos header -> 0x24e0000 [01:45:0344] [PE] Nt header (offset : 0xe0) file size 0x23c00 [01:45:0344] [PE] pNtHeadersx86 -> 0x24e00e0 [01:45:0344] [PE] Chars -> 0x210e [01:45:0344] [PE] Optional header [01:45:0344] [PE] Sections : 4 [01:45:0344] [PE] Section : 0 - .text [01:45:0344] [PE] Section : 1 - .data [01:45:0344] [PE] Section : 2 - .rsrc [01:45:0344] [PE] Section : 3 - .reloc [01:45:0344] [PE] File open : 1 [01:45:0344] [PE] Search sigs [01:45:0344] [PE] Section[0/3] : 0x24e0400 [01:45:0344] [PE] Init AhoCorasick [01:45:0344] [PE] Start AhoCorasick [01:45:0344] [PE] Looking results : 0 [01:45:0344] [PE] Section[1/3] : 0x2500400 [01:45:0344] [PE] Init AhoCorasick [01:45:0344] [PE] Start AhoCorasick [01:45:0344] [PE] Looking results : 0 [01:45:0344] [PE] Section[2/3] : 0x2501c00 [01:45:0344] [PE] Init AhoCorasick [01:45:0344] [PE] Start AhoCorasick [01:45:0344] [PE] Looking results : 0 [01:45:0344] [PE] Section[3/3] : 0x2502600 [01:45:0344] [PE] Init AhoCorasick [01:45:0344] [PE] Start AhoCorasick [01:45:0344] [PE] Looking results : 0 [01:45:0344] [CHECK] Blacklist [01:45:0344] [CHECK] BlacklistPath [01:45:0344] [CHECK] BlacklistMD5 [01:45:0344] [CHECK] MadeNumbers [01:45:0344] [CHECK] HasUnicode [01:45:0344] [CHECK] SuspPath [01:45:0344] [CHECK] ProcessResidue [01:45:0344] [CHECK] Not found! [01:45:0344] [Check DLLs] FXSAPI.dll : C:\WINDOWS\system32\FXSAPI.dll [01:45:0344] [CHECK] WhiteDLL [01:45:0344] [CHECK] Whitelist [01:45:0344] [CHECK] WellKnown [01:45:0344] [CHECK] WhitelistPath [01:45:0344] [CHECK] HijackName [01:45:0344] [CHECK] Signature [01:45:0750] [PE] Mapping [01:45:0750] [PE] Parsing [01:45:0750] [PE] Dos header -> 0x24e0000 [01:45:0750] [PE] Nt header (offset : 0xe0) file size 0x6e400 [01:45:0750] [PE] pNtHeadersx86 -> 0x24e00e0 [01:45:0750] [PE] Chars -> 0x210e [01:45:0750] [PE] Optional header [01:45:0750] [PE] Sections : 4 [01:45:0750] [PE] Section : 0 - .text [01:45:0750] [PE] Section : 1 - .data [01:45:0750] [PE] Section : 2 - .rsrc [01:45:0750] [PE] Section : 3 - .reloc [01:45:0750] [PE] File open : 1 [01:45:0750] [PE] Search sigs [01:45:0750] [PE] Section[0/3] : 0x24e0400 [01:45:0750] [PE] Init AhoCorasick [01:45:0766] [PE] Start AhoCorasick [01:45:0766] [PE] Looking results : 0 [01:45:0766] [PE] Section[1/3] : 0x254c600 [01:45:0766] [PE] Init AhoCorasick [01:45:0766] [PE] Start AhoCorasick [01:45:0766] [PE] Looking results : 0 [01:45:0766] [PE] Section[2/3] : 0x254c800 [01:45:0766] [PE] Init AhoCorasick [01:45:0766] [PE] Start AhoCorasick [01:45:0766] [PE] Looking results : 0 [01:45:0766] [PE] Section[3/3] : 0x254cc00 [01:45:0766] [PE] Init AhoCorasick [01:45:0766] [PE] Start AhoCorasick [01:45:0766] [PE] Looking results : 0 [01:45:0766] [CHECK] Blacklist [01:45:0766] [CHECK] BlacklistPath [01:45:0766] [CHECK] BlacklistMD5 [01:45:0766] [CHECK] MadeNumbers [01:45:0766] [CHECK] HasUnicode [01:45:0766] [CHECK] SuspPath [01:45:0766] [CHECK] ProcessResidue [01:45:0766] [CHECK] Not found! [01:45:0766] [Check DLLs] NTMARTA.DLL : C:\WINDOWS\system32\NTMARTA.DLL [01:45:0766] [CHECK] WhiteDLL [01:45:0766] [CHECK] Whitelist [01:45:0766] [CHECK] WellKnown [01:45:0766] [CHECK] WhitelistPath [01:45:0782] [CHECK] HijackName [01:45:0782] [CHECK] Signature [01:45:0922] [PE] Mapping [01:45:0922] [PE] Parsing [01:45:0922] [PE] Dos header -> 0x24e0000 [01:45:0922] [PE] Nt header (offset : 0xe8) file size 0x1d000 [01:45:0922] [PE] pNtHeadersx86 -> 0x24e00e8 [01:45:0922] [PE] Chars -> 0x210e [01:45:0922] [PE] Optional header [01:45:0922] [PE] Sections : 4 [01:45:0922] [PE] Section : 0 - .text [01:45:0922] [PE] Section : 1 - .data [01:45:0922] [PE] Section : 2 - .rsrc [01:45:0922] [PE] Section : 3 - .reloc [01:45:0922] [PE] File open : 1 [01:45:0922] [PE] Search sigs [01:45:0922] [PE] Section[0/3] : 0x24e0400 [01:45:0922] [PE] Init AhoCorasick [01:45:0922] [PE] Start AhoCorasick [01:45:0922] [PE] Looking results : 0 [01:45:0922] [PE] Section[1/3] : 0x24f9a00 [01:45:0922] [PE] Init AhoCorasick [01:45:0922] [PE] Start AhoCorasick [01:45:0922] [PE] Looking results : 0 [01:45:0922] [PE] Section[2/3] : 0x24fa800 [01:45:0922] [PE] Init AhoCorasick [01:45:0922] [PE] Start AhoCorasick [01:45:0922] [PE] Looking results : 0 [01:45:0922] [PE] Section[3/3] : 0x24fbe00 [01:45:0922] [PE] Init AhoCorasick [01:45:0922] [PE] Start AhoCorasick [01:45:0922] [PE] Looking results : 0 [01:45:0922] [CHECK] Blacklist [01:45:0922] [CHECK] BlacklistPath [01:45:0922] [CHECK] BlacklistMD5 [01:45:0922] [CHECK] MadeNumbers [01:45:0922] [CHECK] HasUnicode [01:45:0922] [CHECK] SuspPath [01:45:0938] [CHECK] ProcessResidue [01:45:0938] [CHECK] Not found! [01:45:0938] [Check DLLs] MPR.dll : C:\WINDOWS\system32\MPR.dll [01:45:0938] [CHECK] WhiteDLL [01:45:0938] [CHECK] Whitelist [01:45:0938] [CHECK] WellKnown [01:45:0938] [CHECK] WhitelistPath [01:45:0938] [CHECK] HijackName [01:45:0938] [CHECK] Signature [01:46:0016] [PE] Mapping [01:46:0016] [PE] Parsing [01:46:0016] [PE] Dos header -> 0x24e0000 [01:46:0016] [PE] Nt header (offset : 0xf0) file size 0xea00 [01:46:0016] [PE] pNtHeadersx86 -> 0x24e00f0 [01:46:0016] [PE] Chars -> 0x210e [01:46:0016] [PE] Optional header [01:46:0016] [PE] Sections : 4 [01:46:0016] [PE] Section : 0 - .text [01:46:0016] [PE] Section : 1 - .data [01:46:0016] [PE] Section : 2 - .rsrc [01:46:0016] [PE] Section : 3 - .reloc [01:46:0016] [PE] File open : 1 [01:46:0016] [PE] Search sigs [01:46:0016] [PE] Section[0/3] : 0x24e0400 [01:46:0016] [PE] Init AhoCorasick [01:46:0016] [PE] Start AhoCorasick [01:46:0016] [PE] Looking results : 0 [01:46:0016] [PE] Section[1/3] : 0x24ed800 [01:46:0016] [PE] Init AhoCorasick [01:46:0016] [PE] Start AhoCorasick [01:46:0016] [PE] Looking results : 0 [01:46:0016] [PE] Section[2/3] : 0x24eda00 [01:46:0016] [PE] Init AhoCorasick [01:46:0016] [PE] Start AhoCorasick [01:46:0016] [PE] Looking results : 0 [01:46:0016] [PE] Section[3/3] : 0x24ee000 [01:46:0016] [PE] Init AhoCorasick [01:46:0016] [PE] Start AhoCorasick [01:46:0016] [PE] Looking results : 0 [01:46:0016] [CHECK] Blacklist [01:46:0016] [CHECK] BlacklistPath [01:46:0016] [CHECK] BlacklistMD5 [01:46:0016] [CHECK] MadeNumbers [01:46:0016] [CHECK] HasUnicode [01:46:0016] [CHECK] SuspPath [01:46:0016] [CHECK] ProcessResidue [01:46:0016] [CHECK] Not found! [01:46:0016] [Check DLLs] drprov.dll : C:\WINDOWS\System32\drprov.dll [01:46:0016] [CHECK] WhiteDLL [01:46:0016] [CHECK] Whitelist [01:46:0016] [CHECK] WellKnown [01:46:0016] [CHECK] WhitelistPath [01:46:0016] [CHECK] HijackName [01:46:0016] [CHECK] Signature [01:46:0141] [PE] Mapping [01:46:0141] [PE] Parsing [01:46:0141] [PE] Dos header -> 0x24e0000 [01:46:0141] [PE] Nt header (offset : 0xd0) file size 0x3800 [01:46:0141] [PE] pNtHeadersx86 -> 0x24e00d0 [01:46:0141] [PE] Chars -> 0x210e [01:46:0141] [PE] Optional header [01:46:0141] [PE] Sections : 4 [01:46:0141] [PE] Section : 0 - .text [01:46:0141] [PE] Section : 1 - .data [01:46:0141] [PE] Section : 2 - .rsrc [01:46:0141] [PE] Section : 3 - .reloc [01:46:0141] [PE] File open : 1 [01:46:0141] [PE] Search sigs [01:46:0141] [PE] Section[0/3] : 0x24e0400 [01:46:0141] [PE] Init AhoCorasick [01:46:0141] [PE] Start AhoCorasick [01:46:0141] [PE] Looking results : 0 [01:46:0141] [PE] Section[1/3] : 0x24e2c00 [01:46:0141] [PE] Init AhoCorasick [01:46:0141] [PE] Start AhoCorasick [01:46:0141] [PE] Looking results : 0 [01:46:0141] [PE] Section[2/3] : 0x24e3000 [01:46:0141] [PE] Init AhoCorasick [01:46:0141] [PE] Start AhoCorasick [01:46:0141] [PE] Looking results : 0 [01:46:0141] [PE] Section[3/3] : 0x24e3600 [01:46:0141] [PE] Init AhoCorasick [01:46:0141] [PE] Start AhoCorasick [01:46:0141] [PE] Looking results : 0 [01:46:0141] [CHECK] Blacklist [01:46:0141] [CHECK] BlacklistPath [01:46:0157] [CHECK] BlacklistMD5 [01:46:0157] [CHECK] MadeNumbers [01:46:0157] [CHECK] HasUnicode [01:46:0157] [CHECK] SuspPath [01:46:0157] [CHECK] ProcessResidue [01:46:0157] [CHECK] Not found! [01:46:0157] [Check DLLs] ntlanman.dll : C:\WINDOWS\System32\ntlanman.dll [01:46:0157] [CHECK] WhiteDLL [01:46:0157] [CHECK] Whitelist [01:46:0157] [CHECK] WellKnown [01:46:0157] [CHECK] WhitelistPath [01:46:0157] [CHECK] HijackName [01:46:0157] [CHECK] Signature [01:46:0172] [PE] Mapping [01:46:0172] [PE] Parsing [01:46:0172] [PE] Dos header -> 0x24e0000 [01:46:0172] [PE] Nt header (offset : 0xd8) file size 0xac00 [01:46:0172] [PE] pNtHeadersx86 -> 0x24e00d8 [01:46:0172] [PE] Chars -> 0x210e [01:46:0172] [PE] Optional header [01:46:0172] [PE] Sections : 4 [01:46:0172] [PE] Section : 0 - .text [01:46:0172] [PE] Section : 1 - .data [01:46:0172] [PE] Section : 2 - .rsrc [01:46:0172] [PE] Section : 3 - .reloc [01:46:0172] [PE] File open : 1 [01:46:0172] [PE] Search sigs [01:46:0172] [PE] Section[0/3] : 0x24e0400 [01:46:0172] [PE] Init AhoCorasick [01:46:0172] [PE] Start AhoCorasick [01:46:0188] [PE] Looking results : 0 [01:46:0188] [PE] Section[1/3] : 0x24e9e00 [01:46:0188] [PE] Init AhoCorasick [01:46:0188] [PE] Start AhoCorasick [01:46:0188] [PE] Looking results : 0 [01:46:0188] [PE] Section[2/3] : 0x24ea000 [01:46:0188] [PE] Init AhoCorasick [01:46:0188] [PE] Start AhoCorasick [01:46:0188] [PE] Looking results : 0 [01:46:0188] [PE] Section[3/3] : 0x24ea600 [01:46:0188] [PE] Init AhoCorasick [01:46:0188] [PE] Start AhoCorasick [01:46:0188] [PE] Looking results : 0 [01:46:0188] [CHECK] Blacklist [01:46:0188] [CHECK] BlacklistPath [01:46:0188] [CHECK] BlacklistMD5 [01:46:0188] [CHECK] MadeNumbers [01:46:0188] [CHECK] HasUnicode [01:46:0188] [CHECK] SuspPath [01:46:0188] [CHECK] ProcessResidue [01:46:0188] [CHECK] Not found! [01:46:0188] [Check DLLs] NETUI0.dll : C:\WINDOWS\System32\NETUI0.dll [01:46:0188] [CHECK] WhiteDLL [01:46:0188] [CHECK] Whitelist [01:46:0188] [CHECK] WellKnown [01:46:0188] [CHECK] WhitelistPath [01:46:0188] [CHECK] HijackName [01:46:0188] [CHECK] Signature [01:46:0313] [PE] Mapping [01:46:0313] [PE] Parsing [01:46:0313] [PE] Dos header -> 0x24e0000 [01:46:0313] [PE] Nt header (offset : 0xe8) file size 0x13c00 [01:46:0313] [PE] pNtHeadersx86 -> 0x24e00e8 [01:46:0313] [PE] Chars -> 0x210e [01:46:0313] [PE] Optional header [01:46:0313] [PE] Sections : 4 [01:46:0313] [PE] Section : 0 - .text [01:46:0313] [PE] Section : 1 - .data [01:46:0313] [PE] Section : 2 - .rsrc [01:46:0313] [PE] Section : 3 - .reloc [01:46:0313] [PE] File open : 1 [01:46:0313] [PE] Search sigs [01:46:0313] [PE] Section[0/3] : 0x24e0400 [01:46:0313] [PE] Init AhoCorasick [01:46:0313] [PE] Start AhoCorasick [01:46:0313] [PE] Looking results : 0 [01:46:0313] [PE] Section[1/3] : 0x24f0000 [01:46:0313] [PE] Init AhoCorasick [01:46:0313] [PE] Start AhoCorasick [01:46:0313] [PE] Looking results : 0 [01:46:0313] [PE] Section[2/3] : 0x24f0200 [01:46:0313] [PE] Init AhoCorasick [01:46:0313] [PE] Start AhoCorasick [01:46:0313] [PE] Looking results : 0 [01:46:0313] [PE] Section[3/3] : 0x24f3600 [01:46:0313] [PE] Init AhoCorasick [01:46:0313] [PE] Start AhoCorasick [01:46:0313] [PE] Looking results : 0 [01:46:0313] [CHECK] Blacklist [01:46:0313] [CHECK] BlacklistPath [01:46:0313] [CHECK] BlacklistMD5 [01:46:0313] [CHECK] MadeNumbers [01:46:0313] [CHECK] HasUnicode [01:46:0313] [CHECK] SuspPath [01:46:0328] [CHECK] ProcessResidue [01:46:0328] [CHECK] Not found! [01:46:0328] [Check DLLs] NETUI1.dll : C:\WINDOWS\System32\NETUI1.dll [01:46:0328] [CHECK] WhiteDLL [01:46:0328] [CHECK] Whitelist [01:46:0328] [CHECK] WellKnown [01:46:0328] [CHECK] WhitelistPath [01:46:0328] [CHECK] HijackName [01:46:0328] [CHECK] Signature [01:46:0500] [PE] Mapping [01:46:0500] [PE] Parsing [01:46:0500] [PE] Dos header -> 0x24e0000 [01:46:0500] [PE] Nt header (offset : 0xe0) file size 0x3c000 [01:46:0500] [PE] pNtHeadersx86 -> 0x24e00e0 [01:46:0500] [PE] Chars -> 0x210e [01:46:0500] [PE] Optional header [01:46:0500] [PE] Sections : 4 [01:46:0500] [PE] Section : 0 - .text [01:46:0500] [PE] Section : 1 - .data [01:46:0500] [PE] Section : 2 - .rsrc [01:46:0500] [PE] Section : 3 - .reloc [01:46:0500] [PE] File open : 1 [01:46:0500] [PE] Search sigs [01:46:0500] [PE] Section[0/3] : 0x24e0400 [01:46:0500] [PE] Init AhoCorasick [01:46:0500] [PE] Start AhoCorasick [01:46:0516] [PE] Looking results : 0 [01:46:0516] [PE] Section[1/3] : 0x251a600 [01:46:0516] [PE] Init AhoCorasick [01:46:0516] [PE] Start AhoCorasick [01:46:0516] [PE] Looking results : 0 [01:46:0516] [PE] Section[2/3] : 0x251a800 [01:46:0516] [PE] Init AhoCorasick [01:46:0516] [PE] Start AhoCorasick [01:46:0516] [PE] Looking results : 0 [01:46:0516] [PE] Section[3/3] : 0x251ae00 [01:46:0516] [PE] Init AhoCorasick [01:46:0516] [PE] Start AhoCorasick [01:46:0516] [PE] Looking results : 0 [01:46:0516] [CHECK] Blacklist [01:46:0516] [CHECK] BlacklistPath [01:46:0516] [CHECK] BlacklistMD5 [01:46:0516] [CHECK] MadeNumbers [01:46:0516] [CHECK] HasUnicode [01:46:0516] [CHECK] SuspPath [01:46:0516] [CHECK] ProcessResidue [01:46:0516] [CHECK] Not found! [01:46:0516] [Check DLLs] NETRAP.dll : C:\WINDOWS\System32\NETRAP.dll [01:46:0516] [CHECK] WhiteDLL [01:46:0516] [CHECK] Whitelist [01:46:0516] [CHECK] WellKnown [01:46:0516] [CHECK] WhitelistPath [01:46:0516] [CHECK] HijackName [01:46:0516] [CHECK] Signature [01:46:0532] [PE] Mapping [01:46:0532] [PE] Parsing [01:46:0532] [PE] Dos header -> 0x24e0000 [01:46:0532] [PE] Nt header (offset : 0xd8) file size 0x2e00 [01:46:0532] [PE] pNtHeadersx86 -> 0x24e00d8 [01:46:0532] [PE] Chars -> 0x210e [01:46:0532] [PE] Optional header [01:46:0532] [PE] Sections : 4 [01:46:0532] [PE] Section : 0 - .text [01:46:0532] [PE] Section : 1 - .data [01:46:0532] [PE] Section : 2 - .rsrc [01:46:0532] [PE] Section : 3 - .reloc [01:46:0532] [PE] File open : 1 [01:46:0532] [PE] Search sigs [01:46:0532] [PE] Section[0/3] : 0x24e0400 [01:46:0532] [PE] Init AhoCorasick [01:46:0532] [PE] Start AhoCorasick [01:46:0532] [PE] Looking results : 0 [01:46:0532] [PE] Section[1/3] : 0x24e2600 [01:46:0532] [PE] Init AhoCorasick [01:46:0532] [PE] Start AhoCorasick [01:46:0532] [PE] Looking results : 0 [01:46:0532] [PE] Section[2/3] : 0x24e2800 [01:46:0532] [PE] Init AhoCorasick [01:46:0532] [PE] Start AhoCorasick [01:46:0532] [PE] Looking results : 0 [01:46:0532] [PE] Section[3/3] : 0x24e2c00 [01:46:0532] [PE] Init AhoCorasick [01:46:0547] [PE] Start AhoCorasick [01:46:0547] [PE] Looking results : 0 [01:46:0547] [CHECK] Blacklist [01:46:0547] [CHECK] BlacklistPath [01:46:0547] [CHECK] BlacklistMD5 [01:46:0547] [CHECK] MadeNumbers [01:46:0547] [CHECK] HasUnicode [01:46:0547] [CHECK] SuspPath [01:46:0547] [CHECK] ProcessResidue [01:46:0547] [CHECK] Not found! [01:46:0547] [Check DLLs] davclnt.dll : C:\WINDOWS\System32\davclnt.dll [01:46:0547] [CHECK] WhiteDLL [01:46:0547] [CHECK] Whitelist [01:46:0547] [CHECK] WellKnown [01:46:0547] [CHECK] WhitelistPath [01:46:0547] [CHECK] HijackName [01:46:0547] [CHECK] Signature [01:46:0719] [PE] Mapping [01:46:0719] [PE] Parsing [01:46:0719] [PE] Dos header -> 0x24e0000 [01:46:0719] [PE] Nt header (offset : 0xe0) file size 0x6200 [01:46:0719] [PE] pNtHeadersx86 -> 0x24e00e0 [01:46:0719] [PE] Chars -> 0x210e [01:46:0719] [PE] Optional header [01:46:0719] [PE] Sections : 4 [01:46:0719] [PE] Section : 0 - .text [01:46:0719] [PE] Section : 1 - .data [01:46:0719] [PE] Section : 2 - .rsrc [01:46:0719] [PE] Section : 3 - .reloc [01:46:0719] [PE] File open : 1 [01:46:0719] [PE] Search sigs [01:46:0719] [PE] Section[0/3] : 0x24e0400 [01:46:0719] [PE] Init AhoCorasick [01:46:0719] [PE] Start AhoCorasick [01:46:0719] [PE] Looking results : 0 [01:46:0719] [PE] Section[1/3] : 0x24e5600 [01:46:0719] [PE] Init AhoCorasick [01:46:0719] [PE] Start AhoCorasick [01:46:0719] [PE] Looking results : 0 [01:46:0719] [PE] Section[2/3] : 0x24e5800 [01:46:0719] [PE] Init AhoCorasick [01:46:0719] [PE] Start AhoCorasick [01:46:0719] [PE] Looking results : 0 [01:46:0719] [PE] Section[3/3] : 0x24e5e00 [01:46:0719] [PE] Init AhoCorasick [01:46:0719] [PE] Start AhoCorasick [01:46:0719] [PE] Looking results : 0 [01:46:0719] [CHECK] Blacklist [01:46:0719] [CHECK] BlacklistPath [01:46:0719] [CHECK] BlacklistMD5 [01:46:0719] [CHECK] MadeNumbers [01:46:0719] [CHECK] HasUnicode [01:46:0719] [CHECK] SuspPath [01:46:0719] [CHECK] ProcessResidue [01:46:0719] [CHECK] Not found! [01:46:0719] [Check DLLs] wzcdlg.dll : C:\WINDOWS\system32\wzcdlg.dll [01:46:0719] [CHECK] WhiteDLL [01:46:0719] [CHECK] Whitelist [01:46:0719] [CHECK] WellKnown [01:46:0719] [CHECK] WhitelistPath [01:46:0719] [CHECK] HijackName [01:46:0719] [CHECK] Signature [01:47:0110] [PE] Mapping [01:47:0110] [PE] Parsing [01:47:0110] [PE] Dos header -> 0x24e0000 [01:47:0110] [PE] Nt header (offset : 0xe0) file size 0x5da00 [01:47:0110] [PE] pNtHeadersx86 -> 0x24e00e0 [01:47:0110] [PE] Chars -> 0x210e [01:47:0110] [PE] Optional header [01:47:0110] [PE] Sections : 4 [01:47:0110] [PE] Section : 0 - .text [01:47:0110] [PE] Section : 1 - .data [01:47:0110] [PE] Section : 2 - .rsrc [01:47:0110] [PE] Section : 3 - .reloc [01:47:0110] [PE] File open : 1 [01:47:0110] [PE] Search sigs [01:47:0110] [PE] Section[0/3] : 0x24e0400 [01:47:0110] [PE] Init AhoCorasick [01:47:0110] [PE] Start AhoCorasick [01:47:0125] [PE] Looking results : 0 [01:47:0125] [PE] Section[1/3] : 0x252f800 [01:47:0125] [PE] Init AhoCorasick [01:47:0125] [PE] Start AhoCorasick [01:47:0125] [PE] Looking results : 0 [01:47:0125] [PE] Section[2/3] : 0x252fc00 [01:47:0125] [PE] Init AhoCorasick [01:47:0125] [PE] Start AhoCorasick [01:47:0125] [PE] Looking results : 0 [01:47:0125] [PE] Section[3/3] : 0x2537c00 [01:47:0125] [PE] Init AhoCorasick [01:47:0125] [PE] Start AhoCorasick [01:47:0125] [PE] Looking results : 0 [01:47:0125] [CHECK] Blacklist [01:47:0125] [CHECK] BlacklistPath [01:47:0125] [CHECK] BlacklistMD5 [01:47:0125] [CHECK] MadeNumbers [01:47:0125] [CHECK] HasUnicode [01:47:0125] [CHECK] SuspPath [01:47:0125] [CHECK] ProcessResidue [01:47:0125] [CHECK] Not found! [01:47:0125] [Check DLLs] xpsp3res.dll : C:\WINDOWS\system32\xpsp3res.dll [01:47:0125] [CHECK] WhiteDLL [01:47:0125] [CHECK] Whitelist [01:47:0125] [CHECK] WellKnown [01:47:0125] [CHECK] WhitelistPath [01:47:0125] [CHECK] HijackName [01:47:0125] [CHECK] Signature [01:47:0907] [PE] Mapping [01:47:0907] [PE] Parsing [01:47:0907] [PE] Dos header -> 0x24e0000 [01:47:0907] [PE] Nt header (offset : 0xc0) file size 0xa8400 [01:47:0907] [PE] pNtHeadersx86 -> 0x24e00c0 [01:47:0907] [PE] Chars -> 0x210e [01:47:0907] [PE] Optional header [01:47:0907] [PE] Sections : 1 [01:47:0907] [PE] Section : 0 - .rsrc [01:47:0907] [PE] File open : 1 [01:47:0907] [PE] Search sigs [01:47:0907] [PE] Section[0/0] : 0x24e0200 [01:47:0907] [PE] Init AhoCorasick [01:47:0907] [PE] Start AhoCorasick [01:47:0922] [PE] Looking results : 0 [01:47:0922] [CHECK] Blacklist [01:47:0922] [CHECK] BlacklistPath [01:47:0922] [CHECK] BlacklistMD5 [01:47:0922] [CHECK] MadeNumbers [01:47:0922] [CHECK] HasUnicode [01:47:0922] [CHECK] SuspPath [01:47:0922] [CHECK] ProcessResidue [01:47:0922] [CHECK] Not found! [01:47:0922] [Check DLLs] xmlprovi.dll : C:\WINDOWS\System32\xmlprovi.dll [01:47:0922] [CHECK] WhiteDLL [01:47:0922] [CHECK] Whitelist [01:47:0922] [CHECK] WellKnown [01:47:0922] [CHECK] WhitelistPath [01:47:0922] [CHECK] HijackName [01:47:0922] [CHECK] Signature [01:47:0985] [PE] Mapping [01:47:0985] [PE] Parsing [01:47:0985] [PE] Dos header -> 0x24e0000 [01:47:0985] [PE] Nt header (offset : 0xf0) file size 0xc400 [01:47:0985] [PE] pNtHeadersx86 -> 0x24e00f0 [01:47:0985] [PE] Chars -> 0x210e [01:47:0985] [PE] Optional header [01:47:0985] [PE] Sections : 5 [01:47:0985] [PE] Section : 0 - .text [01:47:0985] [PE] Section : 1 - .orpc [01:47:0985] [PE] Section : 2 - .data [01:47:0985] [PE] Section : 3 - .rsrc [01:47:0985] [PE] Section : 4 - .reloc [01:47:0985] [PE] File open : 1 [01:47:0985] [PE] Search sigs [01:47:0985] [PE] Section[0/4] : 0x24e0400 [01:47:0985] [PE] Init AhoCorasick [01:47:0985] [PE] Start AhoCorasick [01:48:0000] [PE] Looking results : 0 [01:48:0000] [PE] Section[1/4] : 0x24eaa00 [01:48:0000] [PE] Init AhoCorasick [01:48:0000] [PE] Start AhoCorasick [01:48:0000] [PE] Looking results : 0 [01:48:0000] [PE] Section[2/4] : 0x24eac00 [01:48:0000] [PE] Init AhoCorasick [01:48:0000] [PE] Start AhoCorasick [01:48:0000] [PE] Looking results : 0 [01:48:0000] [PE] Section[3/4] : 0x24eae00 [01:48:0000] [PE] Init AhoCorasick [01:48:0000] [PE] Start AhoCorasick [01:48:0000] [PE] Looking results : 0 [01:48:0000] [PE] Section[4/4] : 0x24eb800 [01:48:0000] [PE] Init AhoCorasick [01:48:0000] [PE] Start AhoCorasick [01:48:0000] [PE] Looking results : 0 [01:48:0000] [CHECK] Blacklist [01:48:0000] [CHECK] BlacklistPath [01:48:0000] [CHECK] BlacklistMD5 [01:48:0000] [CHECK] MadeNumbers [01:48:0000] [CHECK] HasUnicode [01:48:0000] [CHECK] SuspPath [01:48:0000] [CHECK] ProcessResidue [01:48:0000] [CHECK] Not found! [01:48:0000] [Check DLLs] msxml3.dll : C:\WINDOWS\system32\msxml3.dll [01:48:0000] [CHECK] WhiteDLL [01:48:0000] [CHECK] Whitelist [01:48:0000] [CHECK] WellKnown [01:48:0000] [CHECK] WhitelistPath [01:48:0000] [CHECK] HijackName [01:48:0000] [CHECK] Signature [01:48:0891] [PE] Mapping [01:48:0907] [PE] Parsing [01:48:0907] [PE] Dos header -> 0x26e0000 [01:48:0907] [PE] Nt header (offset : 0xf0) file size 0x11e400 [01:48:0907] [PE] pNtHeadersx86 -> 0x26e00f0 [01:48:0907] [PE] Chars -> 0x210e [01:48:0907] [PE] Optional header [01:48:0907] [PE] Sections : 4 [01:48:0907] [PE] Section : 0 - .text [01:48:0907] [PE] Section : 1 - .data [01:48:0907] [PE] Section : 2 - .rsrc [01:48:0907] [PE] Section : 3 - .reloc [01:48:0907] [PE] File open : 1 [01:48:0907] [PE] Search sigs [01:48:0907] [PE] Section[0/3] : 0x26e0400 [01:48:0907] [PE] Init AhoCorasick [01:48:0907] [PE] Start AhoCorasick [01:48:0922] [PE] Looking results : 0 [01:48:0922] [PE] Section[1/3] : 0x27a9200 [01:48:0922] [PE] Init AhoCorasick [01:48:0922] [PE] Start AhoCorasick [01:48:0922] [PE] Looking results : 0 [01:48:0922] [PE] Section[2/3] : 0x27b6e00 [01:48:0938] [PE] Init AhoCorasick [01:48:0938] [PE] Start AhoCorasick [01:48:0938] [PE] Looking results : 0 [01:48:0953] [PE] Section[3/3] : 0x27f2a00 [01:48:0953] [PE] Init AhoCorasick [01:48:0953] [PE] Start AhoCorasick [01:48:0953] [PE] Looking results : 0 [01:48:0953] [CHECK] Blacklist [01:48:0953] [CHECK] BlacklistPath [01:48:0953] [CHECK] BlacklistMD5 [01:48:0953] [CHECK] MadeNumbers [01:48:0953] [CHECK] HasUnicode [01:48:0953] [CHECK] SuspPath [01:48:0953] [CHECK] ProcessResidue [01:48:0953] [CHECK] Not found! [01:48:0953] [Check DLLs] netcfgx.dll : C:\WINDOWS\System32\netcfgx.dll [01:48:0953] [CHECK] WhiteDLL [01:48:0953] [CHECK] Whitelist [01:48:0953] [CHECK] WellKnown [01:48:0953] [CHECK] WhitelistPath [01:48:0953] [CHECK] HijackName [01:48:0953] [CHECK] Signature [01:49:0641] [PE] Mapping [01:49:0641] [PE] Parsing [01:49:0641] [PE] Dos header -> 0x24e0000 [01:49:0641] [PE] Nt header (offset : 0xf0) file size 0x98000 [01:49:0641] [PE] pNtHeadersx86 -> 0x24e00f0 [01:49:0641] [PE] Chars -> 0x210e [01:49:0641] [PE] Optional header [01:49:0641] [PE] Sections : 4 [01:49:0641] [PE] Section : 0 - .text [01:49:0641] [PE] Section : 1 - .data [01:49:0641] [PE] Section : 2 - .rsrc [01:49:0641] [PE] Section : 3 - .reloc [01:49:0641] [PE] File open : 1 [01:49:0641] [PE] Search sigs [01:49:0641] [PE] Section[0/3] : 0x24e0400 [01:49:0641] [PE] Init AhoCorasick [01:49:0641] [PE] Start AhoCorasick [01:49:0657] [PE] Looking results : 0 [01:49:0657] [PE] Section[1/3] : 0x2558200 [01:49:0657] [PE] Init AhoCorasick [01:49:0657] [PE] Start AhoCorasick [01:49:0657] [PE] Looking results : 0 [01:49:0657] [PE] Section[2/3] : 0x2558a00 [01:49:0657] [PE] Init AhoCorasick [01:49:0657] [PE] Start AhoCorasick [01:49:0657] [PE] Looking results : 0 [01:49:0657] [PE] Section[3/3] : 0x2571600 [01:49:0657] [PE] Init AhoCorasick [01:49:0657] [PE] Start AhoCorasick [01:49:0657] [PE] Looking results : 0 [01:49:0672] [CHECK] Blacklist [01:49:0672] [CHECK] BlacklistPath [01:49:0672] [CHECK] BlacklistMD5 [01:49:0672] [CHECK] MadeNumbers [01:49:0672] [CHECK] HasUnicode [01:49:0672] [CHECK] SuspPath [01:49:0672] [CHECK] ProcessResidue [01:49:0672] [CHECK] Not found! [01:49:0672] [Check DLLs] CLUSAPI.dll : C:\WINDOWS\System32\CLUSAPI.dll [01:49:0672] [CHECK] WhiteDLL [01:49:0672] [CHECK] Whitelist [01:49:0672] [CHECK] WellKnown [01:49:0672] [CHECK] WhitelistPath [01:49:0672] [CHECK] HijackName [01:49:0672] [CHECK] Signature [01:49:0875] [PE] Mapping [01:49:0875] [PE] Parsing [01:49:0875] [PE] Dos header -> 0x24e0000 [01:49:0875] [PE] Nt header (offset : 0xf0) file size 0xe400 [01:49:0875] [PE] pNtHeadersx86 -> 0x24e00f0 [01:49:0875] [PE] Chars -> 0x210e [01:49:0875] [PE] Optional header [01:49:0875] [PE] Sections : 4 [01:49:0875] [PE] Section : 0 - .text [01:49:0875] [PE] Section : 1 - .data [01:49:0875] [PE] Section : 2 - .rsrc [01:49:0875] [PE] Section : 3 - .reloc [01:49:0875] [PE] File open : 1 [01:49:0875] [PE] Search sigs [01:49:0875] [PE] Section[0/3] : 0x24e0400 [01:49:0875] [PE] Init AhoCorasick [01:49:0875] [PE] Start AhoCorasick [01:49:0875] [PE] Looking results : 0 [01:49:0875] [PE] Section[1/3] : 0x24ed600 [01:49:0875] [PE] Init AhoCorasick [01:49:0875] [PE] Start AhoCorasick [01:49:0875] [PE] Looking results : 0 [01:49:0875] [PE] Section[2/3] : 0x24ed800 [01:49:0891] [PE] Init AhoCorasick [01:49:0891] [PE] Start AhoCorasick [01:49:0891] [PE] Looking results : 0 [01:49:0891] [PE] Section[3/3] : 0x24edc00 [01:49:0891] [PE] Init AhoCorasick [01:49:0891] [PE] Start AhoCorasick [01:49:0891] [PE] Looking results : 0 [01:49:0891] [CHECK] Blacklist [01:49:0891] [CHECK] BlacklistPath [01:49:0891] [CHECK] BlacklistMD5 [01:49:0891] [CHECK] MadeNumbers [01:49:0891] [CHECK] HasUnicode [01:49:0891] [CHECK] SuspPath [01:49:0891] [CHECK] ProcessResidue [01:49:0891] [CHECK] Not found! [01:49:0891] [Check DLLs] Cabinet.dll : C:\WINDOWS\system32\Cabinet.dll [01:49:0891] [CHECK] WhiteDLL [01:49:0891] [CHECK] Whitelist [01:49:0891] [CHECK] WellKnown [01:49:0891] [CHECK] WhitelistPath [01:49:0891] [CHECK] HijackName [01:49:0891] [CHECK] Signature [01:50:0078] [PE] Mapping [01:50:0078] [PE] Parsing [01:50:0078] [PE] Dos header -> 0x24e0000 [01:50:0078] [PE] Nt header (offset : 0xe8) file size 0xec00 [01:50:0078] [PE] pNtHeadersx86 -> 0x24e00e8 [01:50:0078] [PE] Chars -> 0x2d0e [01:50:0078] [PE] Optional header [01:50:0078] [PE] Sections : 4 [01:50:0078] [PE] Section : 0 - .text [01:50:0078] [PE] Section : 1 - .data [01:50:0078] [PE] Section : 2 - .rsrc [01:50:0078] [PE] Section : 3 - .reloc [01:50:0078] [PE] File open : 1 [01:50:0078] [PE] Search sigs [01:50:0078] [PE] Section[0/3] : 0x24e0400 [01:50:0078] [PE] Init AhoCorasick [01:50:0078] [PE] Start AhoCorasick [01:50:0078] [PE] Looking results : 0 [01:50:0078] [PE] Section[1/3] : 0x24ee200 [01:50:0078] [PE] Init AhoCorasick [01:50:0078] [PE] Start AhoCorasick [01:50:0078] [PE] Looking results : 0 [01:50:0078] [PE] Section[2/3] : 0x24ee400 [01:50:0078] [PE] Init AhoCorasick [01:50:0078] [PE] Start AhoCorasick [01:50:0078] [PE] Looking results : 0 [01:50:0078] [PE] Section[3/3] : 0x24ee800 [01:50:0078] [PE] Init AhoCorasick [01:50:0078] [PE] Start AhoCorasick [01:50:0078] [PE] Looking results : 0 [01:50:0078] [CHECK] Blacklist [01:50:0078] [CHECK] BlacklistPath [01:50:0078] [CHECK] BlacklistMD5 [01:50:0078] [CHECK] MadeNumbers [01:50:0078] [CHECK] HasUnicode [01:50:0078] [CHECK] SuspPath [01:50:0078] [CHECK] ProcessResidue [01:50:0078] [CHECK] Not found! [01:50:0078] [Check DLLs] PDFShell.dll : C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll [01:50:0078] [CHECK] WhiteDLL [01:50:0078] [CHECK] Whitelist [01:50:0078] [CHECK] WellKnown [01:50:0078] [CHECK] WhitelistPath [01:50:0078] [CHECK] HijackName [01:50:0078] [CHECK] Signature [01:50:0297] [PE] Mapping [01:50:0297] [PE] Parsing [01:50:0297] [PE] Dos header -> 0x24e0000 [01:50:0297] [PE] Nt header (offset : 0x100) file size 0x1b000 [01:50:0297] [PE] pNtHeadersx86 -> 0x24e0100 [01:50:0297] [PE] Chars -> 0x210e [01:50:0297] [PE] Optional header [01:50:0297] [PE] Sections : 5 [01:50:0297] [PE] Section : 0 - .text [01:50:0297] [PE] Section : 1 - .rdata [01:50:0297] [PE] Section : 2 - .data [01:50:0297] [PE] Section : 3 - .rsrc [01:50:0297] [PE] Section : 4 - .reloc [01:50:0297] [PE] File open : 1 [01:50:0297] [PE] Search sigs [01:50:0297] [PE] Section[0/4] : 0x24e1000 [01:50:0297] [PE] Init AhoCorasick [01:50:0297] [PE] Start AhoCorasick [01:50:0297] [PE] Looking results : 0 [01:50:0297] [PE] Section[1/4] : 0x24ed000 [01:50:0297] [PE] Init AhoCorasick [01:50:0297] [PE] Start AhoCorasick [01:50:0297] [PE] Looking results : 0 [01:50:0297] [PE] Section[2/4] : 0x24f1000 [01:50:0297] [PE] Init AhoCorasick [01:50:0297] [PE] Start AhoCorasick [01:50:0297] [PE] Looking results : 0 [01:50:0297] [PE] Section[3/4] : 0x24f2000 [01:50:0297] [PE] Init AhoCorasick [01:50:0297] [PE] Start AhoCorasick [01:50:0297] [PE] Looking results : 0 [01:50:0297] [PE] Section[4/4] : 0x24f9000 [01:50:0297] [PE] Init AhoCorasick [01:50:0297] [PE] Start AhoCorasick [01:50:0297] [PE] Looking results : 0 [01:50:0297] [CHECK] Blacklist [01:50:0297] [CHECK] BlacklistPath [01:50:0297] [CHECK] BlacklistMD5 [01:50:0297] [CHECK] MadeNumbers [01:50:0297] [CHECK] HasUnicode [01:50:0297] [CHECK] SuspPath [01:50:0297] [CHECK] ProcessResidue [01:50:0297] [CHECK] Not found! [01:50:0297] [Check DLLs] xpsp1res.dll : C:\WINDOWS\system32\xpsp1res.dll [01:50:0297] [CHECK] WhiteDLL [01:50:0297] [CHECK] Whitelist [01:50:0297] [CHECK] WellKnown [01:50:0297] [CHECK] WhitelistPath [01:50:0313] [CHECK] HijackName [01:50:0313] [CHECK] Signature [01:50:0641] [PE] Mapping [01:50:0641] [PE] Parsing [01:50:0641] [PE] Dos header -> 0x24e0000 [01:50:0641] [PE] Nt header (offset : 0xc0) file size 0x2dc00 [01:50:0641] [PE] pNtHeadersx86 -> 0x24e00c0 [01:50:0641] [PE] Chars -> 0x210e [01:50:0641] [PE] Optional header [01:50:0641] [PE] Sections : 1 [01:50:0641] [PE] Section : 0 - .rsrc [01:50:0641] [PE] File open : 1 [01:50:0641] [PE] Search sigs [01:50:0641] [PE] Section[0/0] : 0x24e0200 [01:50:0641] [PE] Init AhoCorasick [01:50:0641] [PE] Start AhoCorasick [01:50:0657] [PE] Looking results : 0 [01:50:0657] [CHECK] Blacklist [01:50:0657] [CHECK] BlacklistPath [01:50:0657] [CHECK] BlacklistMD5 [01:50:0657] [CHECK] MadeNumbers [01:50:0657] [CHECK] HasUnicode [01:50:0657] [CHECK] SuspPath [01:50:0657] [CHECK] ProcessResidue [01:50:0657] [CHECK] Not found! [01:50:0657] [Check DLLs] usbui.dll : C:\WINDOWS\system32\usbui.dll [01:50:0657] [CHECK] WhiteDLL [01:50:0657] [CHECK] Whitelist [01:50:0657] [CHECK] WellKnown [01:50:0657] [CHECK] WhitelistPath [01:50:0657] [CHECK] HijackName [01:50:0657] [CHECK] Signature [01:50:0719] [PE] Mapping [01:50:0719] [PE] Parsing [01:50:0719] [PE] Dos header -> 0x24e0000 [01:50:0719] [PE] Nt header (offset : 0xe8) file size 0x12200 [01:50:0719] [PE] pNtHeadersx86 -> 0x24e00e8 [01:50:0719] [PE] Chars -> 0x210e [01:50:0719] [PE] Optional header [01:50:0719] [PE] Sections : 4 [01:50:0719] [PE] Section : 0 - .text [01:50:0719] [PE] Section : 1 - .data [01:50:0719] [PE] Section : 2 - .rsrc [01:50:0719] [PE] Section : 3 - .reloc [01:50:0719] [PE] File open : 1 [01:50:0719] [PE] Search sigs [01:50:0719] [PE] Section[0/3] : 0x24e0400 [01:50:0719] [PE] Init AhoCorasick [01:50:0719] [PE] Start AhoCorasick [01:50:0719] [PE] Looking results : 0 [01:50:0719] [PE] Section[1/3] : 0x24ec000 [01:50:0719] [PE] Init AhoCorasick [01:50:0719] [PE] Start AhoCorasick [01:50:0719] [PE] Looking results : 0 [01:50:0719] [PE] Section[2/3] : 0x24ec200 [01:50:0719] [PE] Init AhoCorasick [01:50:0719] [PE] Start AhoCorasick [01:50:0719] [PE] Looking results : 0 [01:50:0719] [PE] Section[3/3] : 0x24f1600 [01:50:0719] [PE] Init AhoCorasick [01:50:0719] [PE] Start AhoCorasick [01:50:0719] [PE] Looking results : 0 [01:50:0735] [CHECK] Blacklist [01:50:0735] [CHECK] BlacklistPath [01:50:0735] [CHECK] BlacklistMD5 [01:50:0735] [CHECK] MadeNumbers [01:50:0735] [CHECK] HasUnicode [01:50:0735] [CHECK] SuspPath [01:50:0735] [CHECK] ProcessResidue [01:50:0735] [CHECK] Not found! [01:50:0735] [Check DLLs] SXS.DLL : C:\WINDOWS\system32\SXS.DLL [01:50:0735] [CHECK] WhiteDLL [01:50:0735] [CHECK] Whitelist [01:50:0735] [CHECK] WellKnown [01:50:0735] [CHECK] WhitelistPath [01:50:0735] [CHECK] HijackName [01:50:0735] [CHECK] Signature [01:51:0172] [PE] Mapping [01:51:0172] [PE] Parsing [01:51:0172] [PE] Dos header -> 0x24e0000 [01:51:0172] [PE] Nt header (offset : 0xf0) file size 0xae200 [01:51:0172] [PE] pNtHeadersx86 -> 0x24e00f0 [01:51:0172] [PE] Chars -> 0x210e [01:51:0172] [PE] Optional header [01:51:0172] [PE] Sections : 4 [01:51:0172] [PE] Section : 0 - .text [01:51:0172] [PE] Section : 1 - .data [01:51:0172] [PE] Section : 2 - .rsrc [01:51:0172] [PE] Section : 3 - .reloc [01:51:0172] [PE] File open : 1 [01:51:0172] [PE] Search sigs [01:51:0172] [PE] Section[0/3] : 0x24e0400 [01:51:0172] [PE] Init AhoCorasick [01:51:0172] [PE] Start AhoCorasick [01:51:0188] [PE] Looking results : 0 [01:51:0188] [PE] Section[1/3] : 0x2579200 [01:51:0188] [PE] Init AhoCorasick [01:51:0188] [PE] Start AhoCorasick [01:51:0188] [PE] Looking results : 0 [01:51:0188] [PE] Section[2/3] : 0x257ba00 [01:51:0188] [PE] Init AhoCorasick [01:51:0188] [PE] Start AhoCorasick [01:51:0188] [PE] Looking results : 0 [01:51:0188] [PE] Section[3/3] : 0x2585200 [01:51:0188] [PE] Init AhoCorasick [01:51:0188] [PE] Start AhoCorasick [01:51:0203] [PE] Looking results : 0 [01:51:0203] [CHECK] Blacklist [01:51:0203] [CHECK] BlacklistPath [01:51:0203] [CHECK] BlacklistMD5 [01:51:0203] [CHECK] MadeNumbers [01:51:0203] [CHECK] HasUnicode [01:51:0203] [CHECK] SuspPath [01:51:0203] [CHECK] ProcessResidue [01:51:0203] [CHECK] Not found! [01:51:0203] [Check DLLs] browselc.dll : C:\WINDOWS\system32\browselc.dll [01:51:0203] [CHECK] WhiteDLL [01:51:0203] [CHECK] Whitelist [01:51:0203] [CHECK] WellKnown [01:51:0203] [CHECK] WhitelistPath [01:51:0203] [CHECK] HijackName [01:51:0203] [CHECK] Signature [01:51:0360] [PE] Mapping [01:51:0360] [PE] Parsing [01:51:0360] [PE] Dos header -> 0x24e0000 [01:51:0360] [PE] Nt header (offset : 0xc0) file size 0xf800 [01:51:0360] [PE] pNtHeadersx86 -> 0x24e00c0 [01:51:0360] [PE] Chars -> 0x210e [01:51:0360] [PE] Optional header [01:51:0360] [PE] Sections : 2 [01:51:0360] [PE] Section : 0 - .rsrc [01:51:0360] [PE] Section : 1 - .reloc [01:51:0360] [PE] File open : 1 [01:51:0360] [PE] Search sigs [01:51:0360] [PE] Section[0/1] : 0x24e0400 [01:51:0360] [PE] Init AhoCorasick [01:51:0360] [PE] Start AhoCorasick [01:51:0360] [PE] Looking results : 0 [01:51:0360] [PE] Section[1/1] : 0x24ef600 [01:51:0360] [PE] Init AhoCorasick [01:51:0360] [PE] Start AhoCorasick [01:51:0360] [PE] Looking results : 0 [01:51:0360] [CHECK] Blacklist [01:51:0360] [CHECK] BlacklistPath [01:51:0360] [CHECK] BlacklistMD5 [01:51:0360] [CHECK] MadeNumbers [01:51:0360] [CHECK] HasUnicode [01:51:0360] [CHECK] SuspPath [01:51:0360] [CHECK] ProcessResidue [01:51:0360] [CHECK] Not found! [01:51:0360] [Check DLLs] AcroIEHelper.dll : C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [01:51:0360] [CHECK] WhiteDLL [01:51:0360] [CHECK] Whitelist [01:51:0360] [CHECK] WellKnown [01:51:0375] [CHECK] WhitelistPath [01:51:0375] [CHECK] HijackName [01:51:0375] [CHECK] Signature [01:51:0953] [PE] Mapping [01:51:0953] [PE] Parsing [01:51:0953] [PE] Dos header -> 0x24e0000 [01:51:0953] [PE] Nt header (offset : 0x110) file size 0xf6a0 [01:51:0953] [PE] pNtHeadersx86 -> 0x24e0110 [01:51:0953] [PE] Chars -> 0x210e [01:51:0953] [PE] Optional header [01:51:0953] [PE] Sections : 5 [01:51:0953] [PE] Section : 0 - .text [01:51:0953] [PE] Section : 1 - .rdata [01:51:0953] [PE] Section : 2 - .data [01:51:0953] [PE] Section : 3 - .rsrc [01:51:0953] [PE] Section : 4 - .reloc [01:51:0953] [PE] File open : 1 [01:51:0953] [PE] Search sigs [01:51:0953] [PE] Section[0/4] : 0x24e1000 [01:51:0953] [PE] Init AhoCorasick [01:51:0953] [PE] Start AhoCorasick [01:51:0953] [PE] Looking results : 0 [01:51:0953] [PE] Section[1/4] : 0x24e8000 [01:51:0953] [PE] Init AhoCorasick [01:51:0953] [PE] Start AhoCorasick [01:51:0953] [PE] Looking results : 0 [01:51:0953] [PE] Section[2/4] : 0x24ea000 [01:51:0953] [PE] Init AhoCorasick [01:51:0953] [PE] Start AhoCorasick [01:51:0953] [PE] Looking results : 0 [01:51:0953] [PE] Section[3/4] : 0x24eb000 [01:51:0953] [PE] Init AhoCorasick [01:51:0953] [PE] Start AhoCorasick [01:51:0953] [PE] Looking results : 0 [01:51:0953] [PE] Section[4/4] : 0x24ed000 [01:51:0953] [PE] Init AhoCorasick [01:51:0953] [PE] Start AhoCorasick [01:51:0953] [PE] Looking results : 0 [01:51:0953] [CHECK] Blacklist [01:51:0969] [CHECK] BlacklistPath [01:51:0969] [CHECK] BlacklistMD5 [01:51:0969] [CHECK] MadeNumbers [01:51:0969] [CHECK] HasUnicode [01:51:0969] [CHECK] SuspPath [01:51:0969] [CHECK] ProcessResidue [01:51:0969] [CHECK] Not found! [01:51:0969] [Check DLLs] MSVCR71.dll : C:\WINDOWS\system32\MSVCR71.dll [01:51:0969] [CHECK] WhiteDLL [01:51:0969] [Check DLLs] rasadhlp.dll : C:\WINDOWS\system32\rasadhlp.dll [01:51:0969] [CHECK] WhiteDLL [01:51:0969] [CHECK] Whitelist [01:51:0969] [CHECK] WellKnown [01:51:0969] [CHECK] WhitelistPath [01:51:0969] [CHECK] HijackName [01:51:0969] [CHECK] Signature [01:52:0016] [PE] Mapping [01:52:0016] [PE] Parsing [01:52:0016] [PE] Dos header -> 0x24e0000 [01:52:0016] [PE] Nt header (offset : 0xd8) file size 0x1e00 [01:52:0016] [PE] pNtHeadersx86 -> 0x24e00d8 [01:52:0016] [PE] Chars -> 0x210e [01:52:0016] [PE] Optional header [01:52:0016] [PE] Sections : 4 [01:52:0016] [PE] Section : 0 - .text [01:52:0016] [PE] Section : 1 - .data [01:52:0016] [PE] Section : 2 - .rsrc [01:52:0016] [PE] Section : 3 - .reloc [01:52:0016] [PE] File open : 1 [01:52:0016] [PE] Search sigs [01:52:0016] [PE] Section[0/3] : 0x24e0400 [01:52:0016] [PE] Init AhoCorasick [01:52:0016] [PE] Start AhoCorasick [01:52:0016] [PE] Looking results : 0 [01:52:0016] [PE] Section[1/3] : 0x24e1600 [01:52:0032] [PE] Init AhoCorasick [01:52:0032] [PE] Start AhoCorasick [01:52:0032] [PE] Looking results : 0 [01:52:0032] [PE] Section[2/3] : 0x24e1800 [01:52:0032] [PE] Init AhoCorasick [01:52:0032] [PE] Start AhoCorasick [01:52:0032] [PE] Looking results : 0 [01:52:0032] [PE] Section[3/3] : 0x24e1c00 [01:52:0032] [PE] Init AhoCorasick [01:52:0032] [PE] Start AhoCorasick [01:52:0032] [PE] Looking results : 0 [01:52:0032] [CHECK] Blacklist [01:52:0032] [CHECK] BlacklistPath [01:52:0032] [CHECK] BlacklistMD5 [01:52:0032] [CHECK] MadeNumbers [01:52:0032] [CHECK] HasUnicode [01:52:0032] [CHECK] SuspPath [01:52:0032] [CHECK] ProcessResidue [01:52:0032] [CHECK] Not found! [01:52:0032] [Check DLLs] jscript.dll : C:\WINDOWS\system32\jscript.dll [01:52:0032] [CHECK] WhiteDLL [01:52:0032] [CHECK] Whitelist [01:52:0032] [CHECK] WellKnown [01:52:0032] [CHECK] WhitelistPath [01:52:0032] [CHECK] HijackName [01:52:0032] [CHECK] Signature [01:52:0625] [PE] Mapping [01:52:0625] [PE] Parsing [01:52:0625] [PE] Dos header -> 0x24e0000 [01:52:0641] [PE] Nt header (offset : 0xf0) file size 0xb1600 [01:52:0641] [PE] pNtHeadersx86 -> 0x24e00f0 [01:52:0641] [PE] Chars -> 0x2102 [01:52:0641] [PE] Optional header [01:52:0641] [PE] Sections : 4 [01:52:0641] [PE] Section : 0 - .text [01:52:0641] [PE] Section : 1 - .data [01:52:0641] [PE] Section : 2 - .rsrc [01:52:0641] [PE] Section : 3 - .reloc [01:52:0641] [PE] File open : 1 [01:52:0641] [PE] Search sigs [01:52:0641] [PE] Section[0/3] : 0x24e0400 [01:52:0641] [PE] Init AhoCorasick [01:52:0641] [PE] Start AhoCorasick [01:52:0657] [PE] Looking results : 0 [01:52:0657] [PE] Section[1/3] : 0x257dc00 [01:52:0657] [PE] Init AhoCorasick [01:52:0657] [PE] Start AhoCorasick [01:52:0657] [PE] Looking results : 0 [01:52:0657] [PE] Section[2/3] : 0x2583400 [01:52:0657] [PE] Init AhoCorasick [01:52:0657] [PE] Start AhoCorasick [01:52:0657] [PE] Looking results : 0 [01:52:0657] [PE] Section[3/3] : 0x258b400 [01:52:0657] [PE] Init AhoCorasick [01:52:0657] [PE] Start AhoCorasick [01:52:0657] [PE] Looking results : 0 [01:52:0657] [CHECK] Blacklist [01:52:0657] [CHECK] BlacklistPath [01:52:0657] [CHECK] BlacklistMD5 [01:52:0657] [CHECK] MadeNumbers [01:52:0657] [CHECK] HasUnicode [01:52:0657] [CHECK] SuspPath [01:52:0657] [CHECK] ProcessResidue [01:52:0657] [CHECK] Not found! [01:52:0657] [Check DLLs] MSGINA.dll : C:\WINDOWS\system32\MSGINA.dll [01:52:0657] [CHECK] WhiteDLL [01:52:0657] [CHECK] Whitelist [01:52:0657] [CHECK] WellKnown [01:52:0657] [CHECK] WhitelistPath [01:52:0657] [CHECK] HijackName [01:52:0657] [CHECK] Signature [01:54:0094] [PE] Mapping [01:54:0094] [PE] Parsing [01:54:0094] [PE] Dos header -> 0x24e0000 [01:54:0094] [PE] Nt header (offset : 0xf0) file size 0xf3800 [01:54:0094] [PE] pNtHeadersx86 -> 0x24e00f0 [01:54:0094] [PE] Chars -> 0x210e [01:54:0094] [PE] Optional header [01:54:0094] [PE] Sections : 4 [01:54:0094] [PE] Section : 0 - .text [01:54:0094] [PE] Section : 1 - .data [01:54:0094] [PE] Section : 2 - .rsrc [01:54:0094] [PE] Section : 3 - .reloc [01:54:0094] [PE] File open : 1 [01:54:0094] [PE] Search sigs [01:54:0094] [PE] Section[0/3] : 0x24e0400 [01:54:0094] [PE] Init AhoCorasick [01:54:0094] [PE] Start AhoCorasick [01:54:0110] [PE] Looking results : 0 [01:54:0110] [PE] Section[1/3] : 0x250b800 [01:54:0110] [PE] Init AhoCorasick [01:54:0110] [PE] Start AhoCorasick [01:54:0110] [PE] Looking results : 0 [01:54:0110] [PE] Section[2/3] : 0x250cc00 [01:54:0110] [PE] Init AhoCorasick [01:54:0110] [PE] Start AhoCorasick [01:54:0110] [PE] Looking results : 0 [01:54:0110] [PE] Section[3/3] : 0x25d1400 [01:54:0110] [PE] Init AhoCorasick [01:54:0110] [PE] Start AhoCorasick [01:54:0110] [PE] Looking results : 0 [01:54:0110] [CHECK] Blacklist [01:54:0125] [CHECK] BlacklistPath [01:54:0125] [CHECK] BlacklistMD5 [01:54:0125] [CHECK] MadeNumbers [01:54:0125] [CHECK] HasUnicode [01:54:0125] [CHECK] SuspPath [01:54:0125] [CHECK] ProcessResidue [01:54:0125] [CHECK] Not found! [01:54:0125] [Check DLLs] ODBC32.dll : C:\WINDOWS\system32\ODBC32.dll [01:54:0125] [CHECK] WhiteDLL [01:54:0125] [CHECK] Whitelist [01:54:0125] [CHECK] WellKnown [01:54:0125] [CHECK] WhitelistPath [01:54:0125] [CHECK] HijackName [01:54:0125] [CHECK] Signature [01:54:0266] [PE] Mapping [01:54:0266] [PE] Parsing [01:54:0266] [PE] Dos header -> 0x24e0000 [01:54:0266] [PE] Nt header (offset : 0xe0) file size 0x3d000 [01:54:0266] [PE] pNtHeadersx86 -> 0x24e00e0 [01:54:0266] [PE] Chars -> 0x210e [01:54:0266] [PE] Optional header [01:54:0266] [PE] Sections : 5 [01:54:0266] [PE] Section : 0 - .text [01:54:0266] [PE] Section : 1 - .data [01:54:0266] [PE] Section : 2 - .sdbid [01:54:0266] [PE] Section : 3 - .rsrc [01:54:0266] [PE] Section : 4 - .reloc [01:54:0266] [PE] File open : 1 [01:54:0266] [PE] Search sigs [01:54:0266] [PE] Section[0/4] : 0x24e1000 [01:54:0266] [PE] Init AhoCorasick [01:54:0266] [PE] Start AhoCorasick [01:54:0266] [PE] Looking results : 0 [01:54:0266] [PE] Section[1/4] : 0x2518000 [01:54:0266] [PE] Init AhoCorasick [01:54:0266] [PE] Start AhoCorasick [01:54:0282] [PE] Looking results : 0 [01:54:0282] [PE] Section[2/4] : 0x2519000 [01:54:0282] [PE] Init AhoCorasick [01:54:0282] [PE] Start AhoCorasick [01:54:0282] [PE] Looking results : 0 [01:54:0282] [PE] Section[3/4] : 0x251a000 [01:54:0282] [PE] Init AhoCorasick [01:54:0282] [PE] Start AhoCorasick [01:54:0282] [PE] Looking results : 0 [01:54:0282] [PE] Section[4/4] : 0x251b000 [01:54:0282] [PE] Init AhoCorasick [01:54:0282] [PE] Start AhoCorasick [01:54:0282] [PE] Looking results : 0 [01:54:0282] [CHECK] Blacklist [01:54:0282] [CHECK] BlacklistPath [01:54:0282] [CHECK] BlacklistMD5 [01:54:0282] [CHECK] MadeNumbers [01:54:0282] [CHECK] HasUnicode [01:54:0282] [CHECK] SuspPath [01:54:0282] [CHECK] ProcessResidue [01:54:0282] [CHECK] Not found! [01:54:0282] [Check DLLs] comdlg32.dll : C:\WINDOWS\system32\comdlg32.dll [01:54:0282] [CHECK] WhiteDLL [01:54:0282] [CHECK] Whitelist [01:54:0282] [CHECK] WellKnown [01:54:0282] [CHECK] WhitelistPath [01:54:0282] [CHECK] HijackName [01:54:0282] [CHECK] Signature [01:54:0625] [PE] Mapping [01:54:0625] [PE] Parsing [01:54:0625] [PE] Dos header -> 0x24e0000 [01:54:0625] [PE] Nt header (offset : 0xe0) file size 0x43a00 [01:54:0625] [PE] pNtHeadersx86 -> 0x24e00e0 [01:54:0625] [PE] Chars -> 0x210e [01:54:0625] [PE] Optional header [01:54:0625] [PE] Sections : 4 [01:54:0625] [PE] Section : 0 - .text [01:54:0625] [PE] Section : 1 - .data [01:54:0625] [PE] Section : 2 - .rsrc [01:54:0625] [PE] Section : 3 - .reloc [01:54:0625] [PE] File open : 1 [01:54:0625] [PE] Search sigs [01:54:0625] [PE] Section[0/3] : 0x24e0400 [01:54:0625] [PE] Init AhoCorasick [01:54:0625] [PE] Start AhoCorasick [01:54:0625] [PE] Looking results : 0 [01:54:0625] [PE] Section[1/3] : 0x2510400 [01:54:0625] [PE] Init AhoCorasick [01:54:0625] [PE] Start AhoCorasick [01:54:0625] [PE] Looking results : 0 [01:54:0625] [PE] Section[2/3] : 0x2511200 [01:54:0625] [PE] Init AhoCorasick [01:54:0625] [PE] Start AhoCorasick [01:54:0625] [PE] Looking results : 0 [01:54:0625] [PE] Section[3/3] : 0x2521400 [01:54:0625] [PE] Init AhoCorasick [01:54:0625] [PE] Start AhoCorasick [01:54:0625] [PE] Looking results : 0 [01:54:0625] [CHECK] Blacklist [01:54:0625] [CHECK] BlacklistPath [01:54:0625] [CHECK] BlacklistMD5 [01:54:0625] [CHECK] MadeNumbers [01:54:0625] [CHECK] HasUnicode [01:54:0625] [CHECK] SuspPath [01:54:0625] [CHECK] ProcessResidue [01:54:0625] [CHECK] Not found! [01:54:0625] [Check DLLs] odbcint.dll : C:\WINDOWS\system32\odbcint.dll [01:54:0625] [CHECK] WhiteDLL [01:54:0625] [CHECK] Whitelist [01:54:0641] [CHECK] WellKnown [01:54:0641] [CHECK] WhitelistPath [01:54:0641] [CHECK] HijackName [01:54:0641] [CHECK] Signature [01:54:0782] [PE] Mapping [01:54:0797] [PE] Parsing [01:54:0797] [PE] Dos header -> 0x24e0000 [01:54:0797] [PE] Nt header (offset : 0xc0) file size 0x17000 [01:54:0797] [PE] pNtHeadersx86 -> 0x24e00c0 [01:54:0797] [PE] Chars -> 0x210e [01:54:0797] [PE] Optional header [01:54:0797] [PE] Sections : 2 [01:54:0797] [PE] Section : 0 - .rsrc [01:54:0797] [PE] Section : 1 - .reloc [01:54:0797] [PE] File open : 1 [01:54:0797] [PE] Search sigs [01:54:0797] [PE] Section[0/1] : 0x24e1000 [01:54:0797] [PE] Init AhoCorasick [01:54:0797] [PE] Start AhoCorasick [01:54:0797] [PE] Looking results : 0 [01:54:0797] [PE] Section[1/1] : 0x24f6000 [01:54:0797] [PE] Init AhoCorasick [01:54:0797] [PE] Start AhoCorasick [01:54:0797] [PE] Looking results : 0 [01:54:0797] [CHECK] Blacklist [01:54:0797] [CHECK] BlacklistPath [01:54:0797] [CHECK] BlacklistMD5 [01:54:0797] [CHECK] MadeNumbers [01:54:0797] [CHECK] HasUnicode [01:54:0797] [CHECK] SuspPath [01:54:0797] [CHECK] ProcessResidue [01:54:0797] [CHECK] Not found! [01:54:0797] [Check DLLs] dfshim.dll : c:\WINDOWS\system32\dfshim.dll [01:54:0797] [CHECK] WhiteDLL [01:54:0797] [CHECK] Whitelist [01:54:0797] [CHECK] WellKnown [01:54:0797] [CHECK] WhitelistPath [01:54:0797] [CHECK] HijackName [01:54:0797] [CHECK] Signature [01:55:0594] [PE] Mapping [01:55:0594] [PE] Parsing [01:55:0594] [PE] Dos header -> 0x26e0000 [01:55:0594] [PE] Nt header (offset : 0x118) file size 0x114148 [01:55:0594] [PE] pNtHeadersx86 -> 0x26e0118 [01:55:0594] [PE] Chars -> 0x2102 [01:55:0594] [PE] Optional header [01:55:0594] [PE] Sections : 4 [01:55:0594] [PE] Section : 0 - .text [01:55:0594] [PE] Section : 1 - .data [01:55:0594] [PE] Section : 2 - .rsrc [01:55:0594] [PE] Section : 3 - .reloc [01:55:0594] [PE] File open : 1 [01:55:0594] [PE] Search sigs [01:55:0594] [PE] Section[0/3] : 0x26e0400 [01:55:0594] [PE] Init AhoCorasick [01:55:0594] [PE] Start AhoCorasick [01:55:0625] [PE] Looking results : 0 [01:55:0625] [PE] Section[1/3] : 0x27dda00 [01:55:0625] [PE] Init AhoCorasick [01:55:0625] [PE] Start AhoCorasick [01:55:0625] [PE] Looking results : 0 [01:55:0625] [PE] Section[2/3] : 0x27e2a00 [01:55:0625] [PE] Init AhoCorasick [01:55:0625] [PE] Start AhoCorasick [01:55:0625] [PE] Looking results : 0 [01:55:0625] [PE] Section[3/3] : 0x27eae00 [01:55:0625] [PE] Init AhoCorasick [01:55:0625] [PE] Start AhoCorasick [01:55:0625] [PE] Looking results : 0 [01:55:0625] [CHECK] Blacklist [01:55:0625] [CHECK] BlacklistPath [01:55:0625] [CHECK] BlacklistMD5 [01:55:0625] [CHECK] MadeNumbers [01:55:0625] [CHECK] HasUnicode [01:55:0625] [CHECK] SuspPath [01:55:0625] [CHECK] ProcessResidue [01:55:0625] [CHECK] Not found! [01:55:0625] [Check DLLs] mscoree.dll : c:\WINDOWS\system32\mscoree.dll [01:55:0625] [CHECK] WhiteDLL [01:55:0625] [CHECK] Whitelist [01:55:0625] [CHECK] WellKnown [01:55:0625] [CHECK] WhitelistPath [01:55:0625] [CHECK] HijackName [01:55:0625] [CHECK] Signature [01:55:0953] [PE] Mapping [01:55:0953] [PE] Parsing [01:55:0953] [PE] Dos header -> 0x24e0000 [01:55:0953] [PE] Nt header (offset : 0x100) file size 0x48b50 [01:55:0953] [PE] pNtHeadersx86 -> 0x24e0100 [01:55:0953] [PE] Chars -> 0x2102 [01:55:0953] [PE] Optional header [01:55:0953] [PE] Sections : 4 [01:55:0953] [PE] Section : 0 - .text [01:55:0953] [PE] Section : 1 - .data [01:55:0953] [PE] Section : 2 - .rsrc [01:55:0953] [PE] Section : 3 - .reloc [01:55:0953] [PE] File open : 1 [01:55:0953] [PE] Search sigs [01:55:0953] [PE] Section[0/3] : 0x24e0400 [01:55:0953] [PE] Init AhoCorasick [01:55:0953] [PE] Start AhoCorasick [01:55:0953] [PE] Looking results : 0 [01:55:0953] [PE] Section[1/3] : 0x2520400 [01:55:0953] [PE] Init AhoCorasick [01:55:0953] [PE] Start AhoCorasick [01:55:0953] [PE] Looking results : 0 [01:55:0953] [PE] Section[2/3] : 0x2523600 [01:55:0953] [PE] Init AhoCorasick [01:55:0953] [PE] Start AhoCorasick [01:55:0953] [PE] Looking results : 0 [01:55:0953] [PE] Section[3/3] : 0x2523e00 [01:55:0953] [PE] Init AhoCorasick [01:55:0953] [PE] Start AhoCorasick [01:55:0953] [PE] Looking results : 0 [01:55:0953] [CHECK] Blacklist [01:55:0953] [CHECK] BlacklistPath [01:55:0953] [CHECK] BlacklistMD5 [01:55:0953] [CHECK] MadeNumbers [01:55:0953] [CHECK] HasUnicode [01:55:0953] [CHECK] SuspPath [01:55:0953] [CHECK] ProcessResidue [01:55:0953] [CHECK] Not found! [01:55:0953] [Check DLLs] MSVCR80.dll : C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll [01:55:0969] [CHECK] WhiteDLL [01:55:0969] [Check DLLs] mscorwks.dll : c:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll [01:55:0969] [CHECK] WhiteDLL [01:55:0969] [CHECK] Whitelist [01:55:0969] [CHECK] WellKnown [01:55:0969] [CHECK] WhitelistPath [01:55:0969] [CHECK] HijackName [01:55:0969] [CHECK] Signature [02:01:0000] [CHECK] Blacklist [02:01:0000] [CHECK] BlacklistPath [02:01:0000] [CHECK] BlacklistMD5 [02:01:0000] [CHECK] MadeNumbers [02:01:0000] [CHECK] HasUnicode [02:01:0000] [CHECK] SuspPath [02:01:0000] [CHECK] ProcessResidue [02:01:0000] [CHECK] Not found! [02:01:0000] [Check DLLs] sti.dll : C:\WINDOWS\System32\sti.dll [02:01:0000] [CHECK] WhiteDLL [02:01:0000] [CHECK] Whitelist [02:01:0000] [CHECK] WellKnown [02:01:0000] [CHECK] WhitelistPath [02:01:0000] [CHECK] HijackName [02:01:0000] [CHECK] Signature [02:01:0125] [PE] Mapping [02:01:0125] [PE] Parsing [02:01:0125] [PE] Dos header -> 0x24e0000 [02:01:0125] [PE] Nt header (offset : 0xe0) file size 0x10a00 [02:01:0125] [PE] pNtHeadersx86 -> 0x24e00e0 [02:01:0125] [PE] Chars -> 0x210e [02:01:0125] [PE] Optional header [02:01:0125] [PE] Sections : 5 [02:01:0125] [PE] Section : 0 - .text [02:01:0125] [PE] Section : 1 - .orpc [02:01:0125] [PE] Section : 2 - .data [02:01:0125] [PE] Section : 3 - .rsrc [02:01:0125] [PE] Section : 4 - .reloc [02:01:0125] [PE] File open : 1 [02:01:0125] [PE] Search sigs [02:01:0125] [PE] Section[0/4] : 0x24e0400 [02:01:0125] [PE] Init AhoCorasick [02:01:0125] [PE] Start AhoCorasick [02:01:0125] [PE] Looking results : 0 [02:01:0125] [PE] Section[1/4] : 0x24ee400 [02:01:0125] [PE] Init AhoCorasick [02:01:0125] [PE] Start AhoCorasick [02:01:0125] [PE] Looking results : 0 [02:01:0125] [PE] Section[2/4] : 0x24ee600 [02:01:0125] [PE] Init AhoCorasick [02:01:0125] [PE] Start AhoCorasick [02:01:0125] [PE] Looking results : 0 [02:01:0125] [PE] Section[3/4] : 0x24eec00 [02:01:0125] [PE] Init AhoCorasick [02:01:0125] [PE] Start AhoCorasick [02:01:0125] [PE] Looking results : 0 [02:01:0125] [PE] Section[4/4] : 0x24efc00 [02:01:0125] [PE] Init AhoCorasick [02:01:0125] [PE] Start AhoCorasick [02:01:0125] [PE] Looking results : 0 [02:01:0125] [CHECK] Blacklist [02:01:0125] [CHECK] BlacklistPath [02:01:0125] [CHECK] BlacklistMD5 [02:01:0125] [CHECK] MadeNumbers [02:01:0125] [CHECK] HasUnicode [02:01:0125] [CHECK] SuspPath [02:01:0125] [CHECK] ProcessResidue [02:01:0125] [CHECK] Not found! [02:01:0125] [Check DLLs] CFGMGR32.dll : C:\WINDOWS\System32\CFGMGR32.dll [02:01:0125] [CHECK] WhiteDLL [02:01:0125] [CHECK] Whitelist [02:01:0125] [CHECK] WellKnown [02:01:0125] [CHECK] WhitelistPath [02:01:0125] [CHECK] HijackName [02:01:0125] [CHECK] Signature [02:01:0313] [PE] Mapping [02:01:0313] [PE] Parsing [02:01:0313] [PE] Dos header -> 0x24e0000 [02:01:0313] [PE] Nt header (offset : 0xc0) file size 0x4200 [02:01:0313] [PE] pNtHeadersx86 -> 0x24e00c0 [02:01:0313] [PE] Chars -> 0x210e [02:01:0313] [PE] Optional header [02:01:0313] [PE] Sections : 3 [02:01:0313] [PE] Section : 0 - .text [02:01:0313] [PE] Section : 1 - .rsrc [02:01:0313] [PE] Section : 2 - .reloc [02:01:0313] [PE] File open : 1 [02:01:0313] [PE] Search sigs [02:01:0313] [PE] Section[0/2] : 0x24e0400 [02:01:0313] [PE] Init AhoCorasick [02:01:0313] [PE] Start AhoCorasick [02:01:0313] [PE] Looking results : 0 [02:01:0313] [PE] Section[1/2] : 0x24e3a00 [02:01:0313] [PE] Init AhoCorasick [02:01:0313] [PE] Start AhoCorasick [02:01:0313] [PE] Looking results : 0 [02:01:0313] [PE] Section[2/2] : 0x24e4000 [02:01:0313] [PE] Init AhoCorasick [02:01:0313] [PE] Start AhoCorasick [02:01:0313] [PE] Looking results : 0 [02:01:0313] [CHECK] Blacklist [02:01:0328] [CHECK] BlacklistPath [02:01:0328] [CHECK] BlacklistMD5 [02:01:0328] [CHECK] MadeNumbers [02:01:0328] [CHECK] HasUnicode [02:01:0328] [CHECK] SuspPath [02:01:0328] [CHECK] ProcessResidue [02:01:0328] [CHECK] Not found! [02:01:0328] [Check DLLs] msadp32.acm : C:\WINDOWS\system32\msadp32.acm [02:01:0328] [CHECK] WhiteDLL [02:01:0328] [CHECK] Whitelist [02:01:0328] [CHECK] WellKnown [02:01:0328] [CHECK] WhitelistPath [02:01:0328] [CHECK] HijackName [02:01:0328] [CHECK] Signature [02:01:0422] [PE] Mapping [02:01:0422] [PE] Parsing [02:01:0422] [PE] Dos header -> 0x24e0000 [02:01:0422] [PE] Nt header (offset : 0xd8) file size 0x3a00 [02:01:0422] [PE] pNtHeadersx86 -> 0x24e00d8 [02:01:0422] [PE] Chars -> 0x210e [02:01:0422] [PE] Optional header [02:01:0422] [PE] Sections : 4 [02:01:0422] [PE] Section : 0 - .text [02:01:0422] [PE] Section : 1 - .data [02:01:0422] [PE] Section : 2 - .rsrc [02:01:0422] [PE] Section : 3 - .reloc [02:01:0422] [PE] File open : 1 [02:01:0422] [PE] Search sigs [02:01:0422] [PE] Section[0/3] : 0x24e0400 [02:01:0422] [PE] Init AhoCorasick [02:01:0422] [PE] Start AhoCorasick [02:01:0422] [PE] Looking results : 0 [02:01:0422] [PE] Section[1/3] : 0x24e3000 [02:01:0422] [PE] Init AhoCorasick [02:01:0422] [PE] Start AhoCorasick [02:01:0422] [PE] Looking results : 0 [02:01:0422] [PE] Section[2/3] : 0x24e3200 [02:01:0422] [PE] Init AhoCorasick [02:01:0422] [PE] Start AhoCorasick [02:01:0422] [PE] Looking results : 0 [02:01:0422] [PE] Section[3/3] : 0x24e3800 [02:01:0422] [PE] Init AhoCorasick [02:01:0422] [PE] Start AhoCorasick [02:01:0422] [PE] Looking results : 0 [02:01:0422] [CHECK] Blacklist [02:01:0422] [CHECK] BlacklistPath [02:01:0422] [CHECK] BlacklistMD5 [02:01:0422] [CHECK] MadeNumbers [02:01:0422] [CHECK] HasUnicode [02:01:0422] [CHECK] SuspPath [02:01:0422] [CHECK] ProcessResidue [02:01:0422] [CHECK] Not found! [02:01:0422] [CHECK] WhiteDLL [02:01:0422] [CHECK] Whitelist [02:01:0422] [CHECK] WellKnown [02:01:0672] [Check Processes] [2596][_1576] WLIDSVCM.EXE : C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE [02:01:0672] [CHECK] WhiteDLL [02:01:0672] [CHECK] Whitelist [02:01:0672] [CHECK] WellKnown [02:01:0672] [CHECK] WhitelistPath [02:01:0672] [CHECK] HijackName [02:01:0688] [CHECK] Signature [02:01:0688] [PE] Mapping [02:01:0688] [PE] Parsing [02:01:0688] [PE] Dos header -> 0x24e0000 [02:01:0688] [PE] Nt header (offset : 0xe8) file size 0x2cb70 [02:01:0688] [PE] pNtHeadersx86 -> 0x24e00e8 [02:01:0688] [PE] Chars -> 0x102 [02:01:0688] [PE] Optional header [02:01:0688] [PE] Sections : 4 [02:01:0688] [PE] Section : 0 - .text [02:01:0688] [PE] Section : 1 - .data [02:01:0688] [PE] Section : 2 - .rsrc [02:01:0688] [PE] Section : 3 - .reloc [02:01:0688] [PE] File open : 1 [02:01:0688] [PE] Search sigs [02:01:0688] [PE] Section[0/3] : 0x24e0400 [02:01:0688] [PE] Init AhoCorasick [02:01:0688] [PE] Start AhoCorasick [02:01:0688] [PE] Looking results : 0 [02:01:0688] [PE] Section[1/3] : 0x24fda00 [02:01:0688] [PE] Init AhoCorasick [02:01:0688] [PE] Start AhoCorasick [02:01:0688] [PE] Looking results : 0 [02:01:0688] [PE] Section[2/3] : 0x24ff200 [02:01:0688] [PE] Init AhoCorasick [02:01:0688] [PE] Start AhoCorasick [02:01:0688] [PE] Looking results : 0 [02:01:0688] [PE] Section[3/3] : 0x2506e00 [02:01:0688] [PE] Init AhoCorasick [02:01:0688] [PE] Start AhoCorasick [02:01:0688] [PE] Looking results : 0 [02:01:0688] [CHECK] Blacklist [02:01:0688] [CHECK] BlacklistPath [02:01:0688] [CHECK] BlacklistMD5 [02:01:0688] [CHECK] MadeNumbers [02:01:0703] [CHECK] HasUnicode [02:01:0703] [CHECK] SuspPath [02:01:0703] [CHECK] ProcessResidue [02:01:0703] [CHECK] Not found! [02:02:0063] [Check Processes] [3108][_1024] alg.exe : C:\WINDOWS\system32\alg.exe [02:02:0063] [CHECK] WhiteDLL [02:02:0063] [CHECK] Whitelist [02:02:0063] [CHECK] WellKnown [02:02:0250] [Check Processes] [3196][_2552] jusched.exe : C:\Program Files\Common Files\Java\Java Update\jusched.exe [02:02:0250] [CHECK] WhiteDLL [02:02:0250] [CHECK] Whitelist [02:02:0407] [Check Processes] [3308][_2552] ctfmon.exe : C:\WINDOWS\system32\ctfmon.exe [02:02:0407] [CHECK] WhiteDLL [02:02:0407] [CHECK] Whitelist [02:02:0407] [CHECK] WellKnown [02:02:0407] [Check Processes] [3412][_1024] svchost.exe : C:\WINDOWS\system32\svchost.exe [02:02:0407] [CHECK] WhiteDLL [02:02:0407] [CHECK] Whitelist [02:02:0407] [CHECK] WellKnown [02:03:0407] [Check Processes] [3420][_2552] wcescomm.exe : C:\Program Files\Microsoft ActiveSync\wcescomm.exe [02:03:0407] [CHECK] WhiteDLL [02:03:0407] [CHECK] Whitelist [02:03:0407] [CHECK] WellKnown [02:03:0407] [CHECK] WhitelistPath [02:03:0407] [CHECK] HijackName [02:03:0407] [CHECK] Signature [02:03:0422] [PE] Mapping [02:03:0422] [PE] Parsing [02:03:0422] [PE] Dos header -> 0x26e0000 [02:03:0422] [PE] Nt header (offset : 0x100) file size 0x13ab28 [02:03:0422] [PE] pNtHeadersx86 -> 0x26e0100 [02:03:0422] [PE] Chars -> 0x123 [02:03:0422] [PE] Optional header [02:03:0422] [PE] Sections : 3 [02:03:0422] [PE] Section : 0 - .text [02:03:0422] [PE] Section : 1 - .data [02:03:0422] [PE] Section : 2 - .rsrc [02:03:0422] [PE] File open : 1 [02:03:0422] [PE] Search sigs [02:03:0422] [PE] Section[0/2] : 0x26e1000 [02:03:0422] [PE] Init AhoCorasick [02:03:0422] [PE] Start AhoCorasick [02:03:0438] [PE] Looking results : 0 [02:03:0578] [PE] Section[1/2] : 0x2710000 [02:03:0578] [PE] Init AhoCorasick [02:03:0578] [PE] Start AhoCorasick [02:03:0578] [PE] Looking results : 0 [02:03:0578] [PE] Section[2/2] : 0x2711000 [02:03:0578] [PE] Init AhoCorasick [02:03:0578] [PE] Start AhoCorasick [02:03:0594] [PE] Looking results : 0 [02:03:0594] [CHECK] Blacklist [02:03:0594] [CHECK] BlacklistPath [02:03:0594] [CHECK] BlacklistMD5 [02:03:0594] [CHECK] MadeNumbers [02:03:0594] [CHECK] HasUnicode [02:03:0594] [CHECK] SuspPath [02:03:0594] [CHECK] ProcessResidue [02:03:0594] [CHECK] Not found! [02:04:0735] [Check Processes] [3556][_1220] rapimgr.exe : C:\Program Files\Microsoft ActiveSync\rapimgr.exe [02:04:0735] [CHECK] WhiteDLL [02:04:0735] [CHECK] Whitelist [02:04:0735] [CHECK] WellKnown [02:04:0735] [CHECK] WhitelistPath [02:04:0735] [CHECK] HijackName [02:04:0735] [CHECK] Signature [02:04:0750] [PE] Mapping [02:04:0750] [PE] Parsing [02:04:0750] [PE] Dos header -> 0x24e0000 [02:04:0750] [PE] Nt header (offset : 0x100) file size 0x30b28 [02:04:0750] [PE] pNtHeadersx86 -> 0x24e0100 [02:04:0750] [PE] Chars -> 0x123 [02:04:0750] [PE] Optional header [02:04:0750] [PE] Sections : 3 [02:04:0750] [PE] Section : 0 - .text [02:04:0750] [PE] Section : 1 - .data [02:04:0750] [PE] Section : 2 - .rsrc [02:04:0750] [PE] File open : 1 [02:04:0750] [PE] Search sigs [02:04:0750] [PE] Section[0/2] : 0x24e1000 [02:04:0750] [PE] Init AhoCorasick [02:04:0750] [PE] Start AhoCorasick [02:04:0750] [PE] Looking results : 0 [02:04:0750] [PE] Section[1/2] : 0x2506000 [02:04:0750] [PE] Init AhoCorasick [02:04:0750] [PE] Start AhoCorasick [02:04:0750] [PE] Looking results : 0 [02:04:0750] [PE] Section[2/2] : 0x2507000 [02:04:0750] [PE] Init AhoCorasick [02:04:0750] [PE] Start AhoCorasick [02:04:0750] [PE] Looking results : 0 [02:04:0750] [CHECK] Blacklist [02:04:0750] [CHECK] BlacklistPath [02:04:0750] [CHECK] BlacklistMD5 [02:04:0750] [CHECK] MadeNumbers [02:04:0750] [CHECK] HasUnicode [02:04:0750] [CHECK] SuspPath [02:04:0750] [CHECK] ProcessResidue [02:04:0750] [CHECK] Not found! [02:04:0938] [Check Processes] [2484][_188] avgcsrvx.exe : C:\Program Files\AVG\AVG2013\avgcsrvx.exe [02:04:0938] [CHECK] WhiteDLL [02:04:0938] [CHECK] Whitelist [02:04:0938] [CHECK] WellKnown [02:04:0938] [CHECK] WhitelistPath [02:04:0938] [CHECK] HijackName [02:04:0938] [CHECK] Signature [02:04:0938] [PE] Mapping [02:04:0938] [PE] Parsing [02:04:0938] [PE] Dos header -> 0x24e0000 [02:04:0938] [PE] Nt header (offset : 0xf8) file size 0x6e630 [02:04:0938] [PE] pNtHeadersx86 -> 0x24e00f8 [02:04:0938] [PE] Chars -> 0x102 [02:04:0938] [PE] Optional header [02:04:0938] [PE] Sections : 5 [02:04:0938] [PE] Section : 0 - .text [02:04:0938] [PE] Section : 1 - .rdata [02:04:0938] [PE] Section : 2 - .data [02:04:0938] [PE] Section : 3 - .rsrc [02:04:0938] [PE] Section : 4 - .reloc [02:04:0938] [PE] File open : 1 [02:04:0938] [PE] Search sigs [02:04:0938] [PE] Section[0/4] : 0x24e0400 [02:04:0938] [PE] Init AhoCorasick [02:04:0953] [PE] Start AhoCorasick [02:04:0953] [PE] Looking results : 0 [02:04:0953] [PE] Section[1/4] : 0x2536600 [02:04:0953] [PE] Init AhoCorasick [02:04:0953] [PE] Start AhoCorasick [02:04:0953] [PE] Looking results : 0 [02:04:0953] [PE] Section[2/4] : 0x2542200 [02:04:0953] [PE] Init AhoCorasick [02:04:0953] [PE] Start AhoCorasick [02:04:0953] [PE] Looking results : 0 [02:04:0953] [PE] Section[3/4] : 0x2542c00 [02:04:0953] [PE] Init AhoCorasick [02:04:0953] [PE] Start AhoCorasick [02:04:0953] [PE] Looking results : 0 [02:04:0953] [PE] Section[4/4] : 0x2543400 [02:04:0953] [PE] Init AhoCorasick [02:04:0953] [PE] Start AhoCorasick [02:04:0953] [PE] Looking results : 0 [02:04:0953] [CHECK] Blacklist [02:04:0953] [CHECK] BlacklistPath [02:04:0953] [CHECK] BlacklistMD5 [02:04:0953] [CHECK] MadeNumbers [02:04:0953] [CHECK] HasUnicode [02:04:0953] [CHECK] SuspPath [02:04:0953] [CHECK] ProcessResidue [02:04:0953] [CHECK] Not found! [02:05:0203] [Check Processes] [1880][_2552] iexplore.exe : C:\Program Files\Internet Explorer\iexplore.exe [02:05:0203] [CHECK] WhiteDLL [02:05:0203] [CHECK] Whitelist [02:05:0203] [CHECK] WellKnown [02:05:0203] [CHECK] WhitelistPath [02:05:0219] [CHECK] HijackName [02:05:0219] [CHECK] Signature [02:05:0219] [PE] Mapping [02:05:0219] [PE] Parsing [02:05:0219] [PE] Dos header -> 0x24e0000 [02:05:0219] [PE] Nt header (offset : 0xe0) file size 0x9bf60 [02:05:0219] [PE] pNtHeadersx86 -> 0x24e00e0 [02:05:0219] [PE] Chars -> 0x102 [02:05:0219] [PE] Optional header [02:05:0219] [PE] Sections : 4 [02:05:0219] [PE] Section : 0 - .text [02:05:0219] [PE] Section : 1 - .data [02:05:0219] [PE] Section : 2 - .rsrc [02:05:0219] [PE] Section : 3 - .reloc [02:05:0219] [PE] File open : 1 [02:05:0219] [PE] Search sigs [02:05:0235] [PE] Section[0/3] : 0x24e0400 [02:05:0235] [PE] Init AhoCorasick [02:05:0235] [PE] Start AhoCorasick [02:05:0235] [PE] Looking results : 0 [02:05:0235] [PE] Section[1/3] : 0x24ea400 [02:05:0235] [PE] Init AhoCorasick [02:05:0235] [PE] Start AhoCorasick [02:05:0235] [PE] Looking results : 0 [02:05:0235] [PE] Section[2/3] : 0x24eac00 [02:05:0235] [PE] Init AhoCorasick [02:05:0235] [PE] Start AhoCorasick [02:05:0235] [PE] Looking results : 0 [02:05:0235] [PE] Section[3/3] : 0x2579c00 [02:05:0235] [PE] Init AhoCorasick [02:05:0250] [PE] Start AhoCorasick [02:05:0250] [PE] Looking results : 0 [02:05:0250] [CHECK] Blacklist [02:05:0250] [CHECK] BlacklistPath [02:05:0250] [CHECK] BlacklistMD5 [02:05:0250] [CHECK] MadeNumbers [02:05:0250] [CHECK] HasUnicode [02:05:0250] [CHECK] SuspPath [02:05:0250] [CHECK] ProcessResidue [02:05:0250] [CHECK] Not found! [02:05:0250] [Check Processes] [3320][_1880] iexplore.exe : C:\Program Files\Internet Explorer\iexplore.exe [02:05:0250] [CHECK] WhiteDLL [02:05:0250] [CHECK] Whitelist [02:05:0250] [CHECK] WellKnown [02:05:0250] [CHECK] WhitelistPath [02:05:0250] [CHECK] HijackName [02:05:0250] [CHECK] Signature [02:05:0266] [PE] Mapping [02:05:0266] [PE] Parsing [02:05:0266] [PE] Dos header -> 0x24e0000 [02:05:0266] [PE] Nt header (offset : 0xe0) file size 0x9bf60 [02:05:0266] [PE] pNtHeadersx86 -> 0x24e00e0 [02:05:0266] [PE] Chars -> 0x102 [02:05:0266] [PE] Optional header [02:05:0266] [PE] Sections : 4 [02:05:0266] [PE] Section : 0 - .text [02:05:0266] [PE] Section : 1 - .data [02:05:0266] [PE] Section : 2 - .rsrc [02:05:0266] [PE] Section : 3 - .reloc [02:05:0266] [PE] File open : 1 [02:05:0266] [PE] Search sigs [02:05:0266] [PE] Section[0/3] : 0x24e0400 [02:05:0266] [PE] Init AhoCorasick [02:05:0266] [PE] Start AhoCorasick [02:05:0266] [PE] Looking results : 0 [02:05:0266] [PE] Section[1/3] : 0x24ea400 [02:05:0266] [PE] Init AhoCorasick [02:05:0266] [PE] Start AhoCorasick [02:05:0266] [PE] Looking results : 0 [02:05:0266] [PE] Section[2/3] : 0x24eac00 [02:05:0266] [PE] Init AhoCorasick [02:05:0266] [PE] Start AhoCorasick [02:05:0282] [PE] Looking results : 0 [02:05:0282] [PE] Section[3/3] : 0x2579c00 [02:05:0282] [PE] Init AhoCorasick [02:05:0282] [PE] Start AhoCorasick [02:05:0282] [PE] Looking results : 0 [02:05:0282] [CHECK] Blacklist [02:05:0282] [CHECK] BlacklistPath [02:05:0282] [CHECK] BlacklistMD5 [02:05:0282] [CHECK] MadeNumbers [02:05:0282] [CHECK] HasUnicode [02:05:0282] [CHECK] SuspPath [02:05:0282] [CHECK] ProcessResidue [02:05:0282] [CHECK] Not found! [02:05:0297] [Check Processes] [1824][_1880] iexplore.exe : C:\Program Files\Internet Explorer\iexplore.exe [02:05:0297] [CHECK] WhiteDLL [02:05:0297] [CHECK] Whitelist [02:05:0297] [CHECK] WellKnown [02:05:0297] [CHECK] WhitelistPath [02:05:0297] [CHECK] HijackName [02:05:0297] [CHECK] Signature [02:05:0313] [PE] Mapping [02:05:0313] [PE] Parsing [02:05:0313] [PE] Dos header -> 0x24e0000 [02:05:0313] [PE] Nt header (offset : 0xe0) file size 0x9bf60 [02:05:0313] [PE] pNtHeadersx86 -> 0x24e00e0 [02:05:0313] [PE] Chars -> 0x102 [02:05:0313] [PE] Optional header [02:05:0313] [PE] Sections : 4 [02:05:0313] [PE] Section : 0 - .text [02:05:0313] [PE] Section : 1 - .data [02:05:0313] [PE] Section : 2 - .rsrc [02:05:0313] [PE] Section : 3 - .reloc [02:05:0313] [PE] File open : 1 [02:05:0313] [PE] Search sigs [02:05:0313] [PE] Section[0/3] : 0x24e0400 [02:05:0313] [PE] Init AhoCorasick [02:05:0313] [PE] Start AhoCorasick [02:05:0313] [PE] Looking results : 0 [02:05:0313] [PE] Section[1/3] : 0x24ea400 [02:05:0313] [PE] Init AhoCorasick [02:05:0313] [PE] Start AhoCorasick [02:05:0313] [PE] Looking results : 0 [02:05:0313] [PE] Section[2/3] : 0x24eac00 [02:05:0313] [PE] Init AhoCorasick [02:05:0313] [PE] Start AhoCorasick [02:05:0328] [PE] Looking results : 0 [02:05:0328] [PE] Section[3/3] : 0x2579c00 [02:05:0328] [PE] Init AhoCorasick [02:05:0328] [PE] Start AhoCorasick [02:05:0328] [PE] Looking results : 0 [02:05:0328] [CHECK] Blacklist [02:05:0328] [CHECK] BlacklistPath [02:05:0328] [CHECK] BlacklistMD5 [02:05:0328] [CHECK] MadeNumbers [02:05:0328] [CHECK] HasUnicode [02:05:0328] [CHECK] SuspPath [02:05:0328] [CHECK] ProcessResidue [02:05:0328] [CHECK] Not found! [02:12:0172] [Check Services] [1/330] 6to4 [02:12:0188] [Check Services] C:\WINDOWS\system32\svchost.exe -k netsvcs [02:12:0188] [Check Services] [2/330] Abiosdsk [02:12:0188] [Check Services] C:\WINDOWS\system32\drivers\Abiosdsk.sys [02:12:0188] [Check Services] [3/330] abp480n5 [02:12:0188] [Check Services] C:\WINDOWS\system32\drivers\abp480n5.sys [02:12:0188] [Check Services] [4/330] ACPI [02:12:0188] [Check Services] C:\WINDOWS\System32\DRIVERS\ACPI.sys [02:12:0188] [Check Services] [5/330] ACPIEC [02:12:0235] [Check Services] C:\WINDOWS\system32\drivers\acpiec.sys [02:12:0235] [Check Services] [6/330] ADIHdAudAddService [02:12:0235] [Check Services] C:\WINDOWS\system32\drivers\ADIHdAud.sys [02:12:0235] [Check Services] [7/330] AdobeFlashPlayerUpdateSvc [02:12:0235] [Check Services] C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe [02:12:0235] [Check Services] [8/330] adpu160m [02:12:0235] [Check Services] C:\WINDOWS\system32\drivers\adpu160m.sys [02:12:0235] [Check Services] [9/330] aec [02:12:0250] [Check Services] C:\WINDOWS\system32\drivers\aec.sys [02:12:0250] [Check Services] [10/330] AegisP [02:12:0250] [Check Services] C:\WINDOWS\system32\DRIVERS\AegisP.sys [02:12:0250] [Check Services] [11/330] AFD [02:12:0250] [Check Services] C:\WINDOWS\System32\drivers\afd.sys [02:12:0250] [Check Services] [12/330] Aha154x [02:12:0250] [Check Services] C:\WINDOWS\system32\drivers\Aha154x.sys [02:12:0250] [Check Services] [13/330] aic78u2 [02:12:0250] [Check Services] C:\WINDOWS\system32\drivers\aic78u2.sys [02:12:0250] [Check Services] [14/330] aic78xx [02:12:0250] [Check Services] C:\WINDOWS\system32\drivers\aic78xx.sys [02:12:0250] [Check Services] [15/330] Alerter [02:12:0250] [Check Services] C:\WINDOWS\System32\svchost.exe -k LocalService [02:12:0250] [Check Services] [16/330] ALG [02:12:0250] [Check Services] C:\WINDOWS\system32\alg.exe [02:12:0250] [Check Services] [17/330] AliIde [02:12:0250] [Check Services] C:\WINDOWS\system32\drivers\AliIde.sys [02:12:0250] [Check Services] [18/330] amsint [02:12:0266] [Check Services] C:\WINDOWS\system32\drivers\amsint.sys [02:12:0266] [Check Services] [19/330] ANIO [02:12:0266] [Check Services] C:\WINDOWS\system32\ANIO.sys [02:12:0266] [Check Services] [20/330] ANIWZCSdService [02:12:0500] [Check Services] C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe [02:12:0500] [Check Services] [21/330] Apple Mobile Device [02:12:0500] [Check Services] "C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe" [02:12:0500] [Check Services] [22/330] AppMgmt [02:12:0500] [Check Services] C:\WINDOWS\system32\svchost.exe -k netsvcs [02:12:0500] [Check Services] [23/330] AR5211 [02:12:0516] [Check Services] C:\WINDOWS\system32\DRIVERS\ar5211.sys [02:12:0516] [Check Services] [24/330] asc [02:12:0516] [Check Services] C:\WINDOWS\system32\drivers\asc.sys [02:12:0516] [Check Services] [25/330] asc3350p [02:12:0516] [Check Services] C:\WINDOWS\system32\drivers\asc3350p.sys [02:12:0516] [Check Services] [26/330] asc3550 [02:12:0516] [Check Services] C:\WINDOWS\system32\drivers\asc3550.sys [02:12:0516] [Check Services] [27/330] aspnet_state [02:12:0594] [Check Services] C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [02:12:0594] [Check Services] [28/330] AsyncMac [02:12:0594] [Check Services] C:\WINDOWS\System32\DRIVERS\asyncmac.sys [02:12:0594] [Check Services] [29/330] atapi [02:12:0594] [Check Services] C:\WINDOWS\System32\DRIVERS\atapi.sys [02:12:0594] [Check Services] [30/330] Atdisk [02:12:0594] [Check Services] C:\WINDOWS\system32\drivers\Atdisk.sys [02:12:0594] [Check Services] [31/330] Ati HotKey Poller [02:12:0594] [Check Services] C:\WINDOWS\system32\ati2evxx.exe [02:12:0610] [Check Services] [32/330] ATI Smart [02:12:0610] [Check Services] C:\WINDOWS\system32\ati2sgag.exe [02:12:0610] [Check Services] [33/330] ati2mtag [02:12:0610] [Check Services] C:\WINDOWS\system32\DRIVERS\ati2mtag.sys [02:12:0610] [Check Services] [34/330] atiide [02:12:0610] [Check Services] C:\WINDOWS\system32\DRIVERS\atiide.sys [02:12:0610] [Check Services] [35/330] Atmarpc [02:12:0610] [Check Services] C:\WINDOWS\System32\DRIVERS\atmarpc.sys [02:12:0610] [Check Services] [36/330] ATMFBUS [02:12:0610] [Check Services] C:\WINDOWS\system32\drivers\ATMFBUS.sys [02:12:0610] [Check Services] [37/330] ATMFCVsp [02:12:0610] [Check Services] C:\WINDOWS\system32\drivers\ATMFCVsp.sys [02:12:0610] [Check Services] [38/330] ATMFFLT [02:12:0610] [Check Services] C:\WINDOWS\system32\drivers\ATMFFLT.sys [02:12:0610] [Check Services] [39/330] ATMFMdm [02:12:0610] [Check Services] C:\WINDOWS\system32\drivers\ATMFMdm.sys [02:12:0610] [Check Services] [40/330] ATMFNET [02:12:0625] [Check Services] C:\WINDOWS\system32\drivers\ATMFNET.sys [02:12:0625] [Check Services] [41/330] ATMFNVsp [02:12:0625] [Check Services] C:\WINDOWS\system32\drivers\ATMFNVsp.sys [02:12:0625] [Check Services] [42/330] ATMFVsp [02:12:0625] [Check Services] C:\WINDOWS\system32\drivers\ATMFVsp.sys [02:12:0625] [Check Services] [43/330] AudioSrv [02:12:0625] [Check Services] C:\WINDOWS\System32\svchost.exe -k netsvcs [02:12:0625] [Check Services] [44/330] audstub [02:12:0625] [Check Services] C:\WINDOWS\System32\DRIVERS\audstub.sys [02:12:0625] [Check Services] [45/330] Avc [02:12:0625] [Check Services] C:\WINDOWS\system32\DRIVERS\avc.sys [02:12:0641] [Check Services] [46/330] AVGIDSAgent [02:12:0641] [Check Services] "C:\Program Files\AVG\AVG2013\avgidsagent.exe" [02:12:0641] [Check Services] [47/330] AVGIDSDriver [02:12:0641] [Check Services] C:\WINDOWS\system32\DRIVERS\avgidsdriverx.sys [02:12:0641] [Check Services] [48/330] AVGIDSHX [02:12:0641] [Check Services] C:\WINDOWS\system32\DRIVERS\avgidshx.sys [02:12:0641] [Check Services] [49/330] AVGIDSShim [02:12:0641] [Check Services] C:\WINDOWS\system32\DRIVERS\avgidsshimx.sys [02:12:0641] [Check Services] [50/330] Avgldx86 [02:12:0641] [Check Services] C:\WINDOWS\system32\DRIVERS\avgldx86.sys [02:12:0641] [Check Services] [51/330] Avglogx [02:12:0641] [Check Services] C:\WINDOWS\system32\DRIVERS\avglogx.sys [02:12:0657] [Check Services] [52/330] Avgmfx86 [02:12:0657] [Check Services] C:\WINDOWS\system32\DRIVERS\avgmfx86.sys [02:12:0657] [Check Services] [53/330] Avgrkx86 [02:12:0657] [Check Services] C:\WINDOWS\system32\DRIVERS\avgrkx86.sys [02:12:0657] [Check Services] [54/330] Avgtdix [02:12:0657] [Check Services] C:\WINDOWS\system32\DRIVERS\avgtdix.sys [02:12:0657] [Check Services] [55/330] avgwd [02:12:0657] [Check Services] "C:\Program Files\AVG\AVG2013\avgwdsvc.exe" [02:12:0657] [Check Services] [56/330] b57w2k [02:12:0657] [Check Services] C:\WINDOWS\system32\DRIVERS\b57xp32.sys [02:12:0657] [Check Services] [57/330] Beep [02:12:0719] [Check Services] C:\WINDOWS\system32\drivers\beep.sys [02:12:0719] [Check Services] [58/330] BITS [02:12:0719] [Check Services] C:\WINDOWS\System32\svchost.exe -k netsvcs [02:12:0719] [Check Services] [59/330] Browser [02:12:0735] [Check Services] C:\WINDOWS\System32\svchost.exe -k netsvcs [02:12:0735] [Check Services] [60/330] cbidf2k [02:12:0782] [Check Services] C:\WINDOWS\system32\drivers\cbidf2k.sys [02:12:0782] [Check Services] [61/330] cd20xrnt [02:12:0782] [Check Services] C:\WINDOWS\system32\drivers\cd20xrnt.sys [02:12:0782] [Check Services] [62/330] Cdaudio [02:12:0782] [Check Services] C:\WINDOWS\system32\drivers\cdaudio.sys [02:12:0782] [Check Services] [63/330] Cdfs [02:12:0782] [Check Services] C:\WINDOWS\system32\drivers\cdfs.sys [02:12:0797] [Check Services] [64/330] Cdrom [02:12:0797] [Check Services] C:\WINDOWS\System32\DRIVERS\cdrom.sys [02:12:0797] [Check Services] [65/330] Changer [02:12:0797] [Check Services] C:\WINDOWS\system32\drivers\Changer.sys [02:12:0797] [Check Services] [66/330] cisvc [02:12:0844] [Check Services] C:\WINDOWS\system32\cisvc.exe [02:12:0844] [Check Services] [67/330] ClipSrv [02:12:0907] [Check Services] C:\WINDOWS\system32\clipsrv.exe [02:12:0907] [Check Services] [68/330] clr_optimization_v2.0.50727_32 [02:12:0985] [Check Services] C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [02:12:0985] [Check Services] [69/330] CltMngSvc [02:12:0985] [Check Services] C:\Program Files\SearchProtect\bin\CltMngSvc.exe [02:12:0985] [Check Services] [70/330] CmdIde [02:12:0985] [Check Services] C:\WINDOWS\system32\drivers\CmdIde.sys [02:12:0985] [Check Services] [71/330] COMSysApp [02:12:0985] [Check Services] C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} [02:12:0985] [Check Services] [72/330] Cpqarray [02:12:0985] [Check Services] C:\WINDOWS\system32\drivers\Cpqarray.sys [02:12:0985] [Check Services] [73/330] cpuz129 [02:13:0032] [Check Services] C:\Documents and Settings\taryn\Local Settings\Temp\pcwiz32.sys [02:13:0032] [Check Services] [74/330] cpuz132 [02:13:0032] [Check Services] C:\WINDOWS\system32\drivers\cpuz132.sys [02:13:0032] [Check Services] [75/330] CryptSvc [02:13:0078] [Check Services] C:\WINDOWS\system32\svchost.exe -k netsvcs [02:13:0078] [Check Services] [76/330] dac960nt [02:13:0078] [Check Services] C:\WINDOWS\system32\drivers\dac960nt.sys [02:13:0078] [Check Services] [77/330] DcomLaunch [02:13:0078] [Check Services] C:\WINDOWS\system32\svchost -k DcomLaunch [02:13:0078] [Check Services] [78/330] DefaultTabUpdate [02:13:0078] [Check Services] "C:\Documents and Settings\tryme\Application Data\DefaultTab\DefaultTab\DTUpdate.exe" [02:13:0078] [Check Services] [79/330] Dhcp [02:13:0078] [Check Services] C:\WINDOWS\System32\svchost.exe -k netsvcs [02:13:0078] [Check Services] [80/330] Disk [02:13:0078] [Check Services] C:\WINDOWS\System32\DRIVERS\disk.sys [02:13:0078] [Check Services] [81/330] dmadmin [02:13:0078] [Check Services] C:\WINDOWS\System32\dmadmin.exe /com [02:13:0078] [Check Services] [82/330] dmboot [02:13:0094] [Check Services] C:\WINDOWS\System32\drivers\dmboot.sys [02:13:0094] [Check Services] [83/330] dmio [02:13:0094] [Check Services] C:\WINDOWS\System32\drivers\dmio.sys [02:13:0094] [Check Services] [84/330] dmload [02:13:0094] [Check Services] C:\WINDOWS\System32\drivers\dmload.sys [02:13:0094] [Check Services] [85/330] dmserver [02:13:0094] [Check Services] C:\WINDOWS\System32\svchost.exe -k netsvcs [02:13:0094] [Check Services] [86/330] DMusic [02:13:0094] [Check Services] C:\WINDOWS\system32\drivers\DMusic.sys [02:13:0094] [Check Services] [87/330] Dnscache [02:13:0094] [Check Services] C:\WINDOWS\System32\svchost.exe -k NetworkService [02:13:0094] [Check Services] [88/330] Dot3svc [02:13:0094] [Check Services] C:\WINDOWS\System32\svchost.exe -k dot3svc [02:13:0094] [Check Services] [89/330] dpti2o [02:13:0094] [Check Services] C:\WINDOWS\system32\drivers\dpti2o.sys [02:13:0110] [Check Services] [90/330] drmkaud [02:13:0110] [Check Services] C:\WINDOWS\system32\drivers\drmkaud.sys [02:13:0110] [Check Services] [91/330] EapHost [02:13:0110] [Check Services] C:\WINDOWS\System32\svchost.exe -k eapsvcs [02:13:0110] [Check Services] [92/330] ERSvc [02:13:0110] [Check Services] C:\WINDOWS\System32\svchost.exe -k netsvcs [02:13:0110] [Check Services] [93/330] Eventlog [02:13:0110] [Check Services] C:\WINDOWS\system32\services.exe [02:13:0110] [Check Services] [94/330] EventSystem [02:13:0110] [Check Services] C:\WINDOWS\System32\svchost.exe -k netsvcs [02:13:0110] [Check Services] [95/330] Fastfat [02:13:0110] [Check Services] C:\WINDOWS\system32\drivers\fastfat.sys [02:13:0110] [Check Services] [96/330] FastUserSwitchingCompatibility [02:13:0110] [Check Services] C:\WINDOWS\System32\svchost.exe -k netsvcs [02:13:0110] [Check Services] [97/330] Fdc [02:13:0125] [Check Services] C:\WINDOWS\system32\DRIVERS\fdc.sys [02:13:0125] [Check Services] [98/330] Fips [02:13:0125] [Check Services] C:\WINDOWS\system32\drivers\fips.sys [02:13:0125] [Check Services] [99/330] Flpydisk [02:13:0125] [Check Services] C:\WINDOWS\system32\DRIVERS\flpydisk.sys [02:13:0125] [Check Services] [100/330] FltMgr [02:13:0125] [Check Services] C:\WINDOWS\system32\drivers\fltmgr.sys [02:13:0125] [Check Services] [101/330] FontCache3.0.0.0 [02:13:0250] [Check Services] c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [02:13:0250] [Check Services] [102/330] Ftdisk [02:13:0250] [Check Services] C:\WINDOWS\System32\DRIVERS\ftdisk.sys [02:13:0250] [Check Services] [103/330] GEARAspiWDM [02:13:0250] [Check Services] C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys [02:13:0250] [Check Services] [104/330] getPlusHelper [02:13:0250] [Check Services] C:\WINDOWS\System32\svchost.exe -k getPlusHelper [02:13:0250] [Check Services] [105/330] Gpc [02:13:0266] [Check Services] C:\WINDOWS\System32\DRIVERS\msgpc.sys [02:13:0266] [Check Services] [106/330] gupdate [02:13:0266] [Check Services] "C:\Program Files\Google\Update\GoogleUpdate.exe" /svc [02:13:0266] [Check Services] [107/330] gupdatem [02:13:0266] [Check Services] "C:\Program Files\Google\Update\GoogleUpdate.exe" /medsvc [02:13:0266] [Check Services] [108/330] gusvc [02:13:0282] [Check Services] "C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe" [02:13:0282] [Check Services] [109/330] HDAudBus [02:13:0282] [Check Services] C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [02:13:0282] [Check Services] [110/330] helpsvc [02:13:0282] [Check Services] C:\WINDOWS\System32\svchost.exe -k netsvcs [02:13:0282] [Check Services] [111/330] HidServ [02:13:0282] [Check Services] C:\WINDOWS\System32\svchost.exe -k netsvcs [02:13:0282] [Check Services] [112/330] hidusb [02:13:0282] [Check Services] C:\WINDOWS\System32\DRIVERS\hidusb.sys [02:13:0282] [Check Services] [113/330] hkmsvc [02:13:0297] [Check Services] C:\WINDOWS\System32\svchost.exe -k netsvcs [02:13:0297] [Check Services] [114/330] hpn [02:13:0297] [Check Services] C:\WINDOWS\system32\drivers\hpn.sys [02:13:0297] [Check Services] [115/330] hpt3xx [02:13:0297] [Check Services] C:\WINDOWS\system32\drivers\hpt3xx.sys [02:13:0297] [Check Services] [116/330] HPZid412 [02:13:0297] [Check Services] C:\WINDOWS\system32\DRIVERS\HPZid412.sys [02:13:0313] [Check Services] [117/330] HPZipr12 [02:13:0313] [Check Services] C:\WINDOWS\system32\DRIVERS\HPZipr12.sys [02:13:0313] [Check Services] [118/330] HPZius12 [02:13:0313] [Check Services] C:\WINDOWS\system32\DRIVERS\HPZius12.sys [02:13:0313] [Check Services] [119/330] HTTP [02:13:0313] [Check Services] C:\WINDOWS\System32\Drivers\HTTP.sys [02:13:0313] [Check Services] [120/330] HTTPFilter [02:13:0313] [Check Services] C:\WINDOWS\System32\svchost.exe -k HTTPFilter [02:13:0313] [Check Services] [121/330] i2omgmt [02:13:0313] [Check Services] C:\WINDOWS\system32\drivers\i2omgmt.sys [02:13:0313] [Check Services] [122/330] i2omp [02:13:0313] [Check Services] C:\WINDOWS\system32\drivers\i2omp.sys [02:13:0313] [Check Services] [123/330] i8042prt [02:13:0360] [Check Services] C:\WINDOWS\system32\drivers\i8042prt.sys [02:13:0360] [Check Services] [124/330] idsvc [02:13:0360] [Check Services] "c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe" [02:13:0360] [Check Services] [125/330] Imapi [02:13:0360] [Check Services] C:\WINDOWS\System32\DRIVERS\imapi.sys [02:13:0360] [Check Services] [126/330] ImapiService [02:13:0422] [Check Services] C:\WINDOWS\system32\imapi.exe [02:13:0422] [Check Services] [127/330] ini910u [02:13:0422] [Check Services] C:\WINDOWS\system32\drivers\ini910u.sys [02:13:0422] [Check Services] [128/330] IntelIde [02:13:0422] [Check Services] C:\WINDOWS\system32\drivers\IntelIde.sys [02:13:0422] [Check Services] [129/330] intelppm [02:13:0422] [Check Services] C:\WINDOWS\System32\DRIVERS\intelppm.sys [02:13:0422] [Check Services] [130/330] ip6fw [02:13:0438] [Check Services] C:\WINDOWS\system32\drivers\ip6fw.sys [02:13:0438] [Check Services] [131/330] IpFilterDriver [02:13:0438] [Check Services] C:\WINDOWS\System32\DRIVERS\ipfltdrv.sys [02:13:0438] [Check Services] [132/330] IpInIp [02:13:0438] [Check Services] C:\WINDOWS\System32\DRIVERS\ipinip.sys [02:13:0438] [Check Services] [133/330] IpNat [02:13:0438] [Check Services] C:\WINDOWS\System32\DRIVERS\ipnat.sys [02:13:0438] [Check Services] [134/330] iPod Service [02:13:0438] [Check Services] "C:\Program Files\iPod\bin\iPodService.exe" [02:13:0438] [Check Services] [135/330] IPSec [02:13:0438] [Check Services] C:\WINDOWS\System32\DRIVERS\ipsec.sys [02:13:0438] [Check Services] [136/330] IRENUM [02:13:0438] [Check Services] C:\WINDOWS\System32\DRIVERS\irenum.sys [02:13:0438] [Check Services] [137/330] isapnp [02:13:0438] [Check Services] C:\WINDOWS\System32\DRIVERS\isapnp.sys [02:13:0438] [Check Services] [138/330] JavaQuickStarterService [02:13:0469] [Check Services] "C:\Program Files\Java\jre7\bin\jqs.exe" -service -config "C:\Program Files\Java\jre7\lib\deploy\jqs\jqs.conf" [02:13:0469] [Check Services] [139/330] Kbdclass [02:13:0469] [Check Services] C:\WINDOWS\System32\DRIVERS\kbdclass.sys [02:13:0469] [Check Services] [140/330] kbdhid [02:13:0469] [Check Services] C:\WINDOWS\System32\DRIVERS\kbdhid.sys [02:13:0469] [Check Services] [141/330] kmixer [02:13:0469] [Check Services] C:\WINDOWS\system32\drivers\kmixer.sys [02:13:0469] [Check Services] [142/330] KSecDD [02:13:0516] [Check Services] C:\WINDOWS\system32\drivers\ksecdd.sys [02:13:0516] [Check Services] [143/330] lanmanserver [02:13:0516] [Check Services] C:\WINDOWS\System32\svchost.exe -k netsvcs [02:13:0516] [Check Services] [144/330] lanmanworkstation [02:13:0516] [Check Services] C:\WINDOWS\System32\svchost.exe -k netsvcs [02:13:0516] [Check Services] [145/330] lbrtfdc [02:13:0516] [Check Services] C:\WINDOWS\system32\drivers\lbrtfdc.sys [02:13:0516] [Check Services] [146/330] LmHosts [02:13:0532] [Check Services] C:\WINDOWS\System32\svchost.exe -k LocalService [02:13:0532] [Check Services] [147/330] LPDSVC [02:13:0563] [Check Services] C:\WINDOWS\system32\tcpsvcs.exe [02:13:0563] [Check Services] [148/330] MA311 [02:13:0563] [Check Services] C:\WINDOWS\system32\DRIVERS\ma311n51.sys [02:13:0563] [Check Services] [149/330] Messenger [02:13:0563] [Check Services] C:\WINDOWS\System32\svchost.exe -k netsvcs [02:13:0563] [Check Services] [150/330] mfeapfk [02:13:0563] [Check Services] C:\WINDOWS\system32\drivers\mfeapfk.sys [02:13:0563] [Check Services] [151/330] mfehidk [02:13:0563] [Check Services] C:\WINDOWS\system32\drivers\mfehidk.sys [02:13:0563] [Check Services] [152/330] mnmdd [02:13:0610] [Check Services] C:\WINDOWS\system32\drivers\mnmdd.sys [02:13:0610] [Check Services] [153/330] mnmsrvc [02:13:0610] [Check Services] C:\WINDOWS\system32\mnmsrvc.exe [02:13:0610] [Check Services] [154/330] Modem [02:13:0610] [Check Services] C:\WINDOWS\system32\drivers\modem.sys [02:13:0610] [Check Services] [155/330] Mouclass [02:13:0610] [Check Services] C:\WINDOWS\System32\DRIVERS\mouclass.sys [02:13:0610] [Check Services] [156/330] mouhid [02:13:0610] [Check Services] C:\WINDOWS\System32\DRIVERS\mouhid.sys [02:13:0610] [Check Services] [157/330] MountMgr [02:13:0625] [Check Services] C:\WINDOWS\system32\drivers\mountmgr.sys [02:13:0625] [Check Services] [158/330] MozillaMaintenance [02:13:0625] [Check Services] "C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe" [02:13:0625] [Check Services] [159/330] mraid35x [02:13:0625] [Check Services] C:\WINDOWS\system32\drivers\mraid35x.sys [02:13:0625] [Check Services] [160/330] MRxDAV [02:13:0625] [Check Services] C:\WINDOWS\System32\DRIVERS\mrxdav.sys [02:13:0625] [Check Services] [161/330] MRxSmb [02:13:0625] [Check Services] C:\WINDOWS\System32\DRIVERS\mrxsmb.sys [02:13:0625] [Check Services] [162/330] MSDTC [02:13:0625] [Check Services] C:\WINDOWS\system32\msdtc.exe [02:13:0625] [Check Services] [163/330] Msfs [02:13:0657] [Check Services] C:\WINDOWS\system32\drivers\msfs.sys [02:13:0657] [Check Services] [164/330] MSIServer [02:13:0657] [Check Services] C:\WINDOWS\system32\msiexec.exe /V [02:13:0657] [Check Services] [165/330] MSKSSRV [02:13:0657] [Check Services] C:\WINDOWS\system32\drivers\MSKSSRV.sys [02:13:0657] [Check Services] [166/330] MSPCLOCK [02:13:0657] [Check Services] C:\WINDOWS\system32\drivers\MSPCLOCK.sys [02:13:0657] [Check Services] [167/330] MSPQM [02:13:0657] [Check Services] C:\WINDOWS\system32\drivers\MSPQM.sys [02:13:0657] [Check Services] [168/330] mssmbios [02:13:0672] [Check Services] C:\WINDOWS\System32\DRIVERS\mssmbios.sys [02:13:0672] [Check Services] [169/330] Mup [02:13:0672] [Check Services] C:\WINDOWS\system32\drivers\mup.sys [02:13:0672] [Check Services] [170/330] napagent [02:13:0672] [Check Services] C:\WINDOWS\System32\svchost.exe -k netsvcs [02:13:0672] [Check Services] [171/330] NDIS [02:13:0672] [Check Services] C:\WINDOWS\system32\drivers\ndis.sys [02:13:0672] [Check Services] [172/330] NdisTapi [02:13:0672] [Check Services] C:\WINDOWS\System32\DRIVERS\ndistapi.sys [02:13:0672] [Check Services] [173/330] Ndisuio [02:13:0672] [Check Services] C:\WINDOWS\System32\DRIVERS\ndisuio.sys [02:13:0672] [Check Services] [174/330] NdisWan [02:13:0672] [Check Services] C:\WINDOWS\System32\DRIVERS\ndiswan.sys [02:13:0672] [Check Services] [175/330] NDProxy [02:13:0703] [Check Services] C:\WINDOWS\system32\drivers\ndproxy.sys [02:13:0703] [Check Services] [176/330] NetBIOS [02:13:0703] [Check Services] C:\WINDOWS\System32\DRIVERS\netbios.sys [02:13:0703] [Check Services] [177/330] NetBT [02:13:0703] [Check Services] C:\WINDOWS\System32\DRIVERS\netbt.sys [02:13:0703] [Check Services] [178/330] NetDDE [02:13:0703] [Check Services] C:\WINDOWS\system32\netdde.exe [02:13:0703] [Check Services] [179/330] NetDDEdsdm [02:13:0719] [Check Services] C:\WINDOWS\system32\netdde.exe [02:13:0719] [Check Services] [180/330] Netlogon [02:13:0719] [Check Services] C:\WINDOWS\system32\lsass.exe [02:13:0719] [Check Services] [181/330] Netman [02:13:0719] [Check Services] C:\WINDOWS\System32\svchost.exe -k netsvcs [02:13:0719] [Check Services] [182/330] NetTcpPortSharing [02:13:0719] [Check Services] "c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe" [02:13:0719] [Check Services] [183/330] Nla [02:13:0719] [Check Services] C:\WINDOWS\System32\svchost.exe -k netsvcs [02:13:0719] [Check Services] [184/330] Npfs [02:13:0750] [Check Services] C:\WINDOWS\system32\drivers\npfs.sys [02:13:0750] [Check Services] [185/330] Ntfs [02:13:0750] [Check Services] C:\WINDOWS\system32\drivers\ntfs.sys [02:13:0750] [Check Services] [186/330] NtLmSsp [02:13:0750] [Check Services] C:\WINDOWS\system32\lsass.exe [02:13:0750] [Check Services] [187/330] NtmsSvc [02:13:0750] [Check Services] C:\WINDOWS\system32\svchost.exe -k netsvcs [02:13:0750] [Check Services] [188/330] Null [02:13:0750] [Check Services] C:\WINDOWS\system32\drivers\null.sys [02:13:0750] [Check Services] [189/330] NwlnkFlt [02:13:0766] [Check Services] C:\WINDOWS\System32\DRIVERS\nwlnkflt.sys [02:13:0766] [Check Services] [190/330] NwlnkFwd [02:13:0766] [Check Services] C:\WINDOWS\System32\DRIVERS\nwlnkfwd.sys [02:13:0766] [Check Services] [191/330] Parport [02:13:0766] [Check Services] C:\WINDOWS\System32\DRIVERS\parport.sys [02:13:0766] [Check Services] [192/330] PartMgr [02:13:0766] [Check Services] C:\WINDOWS\system32\drivers\partmgr.sys [02:13:0766] [Check Services] [193/330] ParVdm [02:13:0766] [Check Services] C:\WINDOWS\system32\drivers\parvdm.sys [02:13:0766] [Check Services] [194/330] PCANDIS5 [02:13:0922] [Check Services] C:\Program Files\MA311 PCI Adapter Configuration Utility\PCANDIS5.SYS [02:13:0922] [Check Services] [195/330] PCI [02:13:0922] [Check Services] C:\WINDOWS\System32\DRIVERS\pci.sys [02:13:0922] [Check Services] [196/330] PCIDump [02:13:0922] [Check Services] C:\WINDOWS\system32\drivers\PCIDump.sys [02:13:0922] [Check Services] [197/330] PCIIde [02:13:0922] [Check Services] C:\WINDOWS\System32\DRIVERS\pciide.sys [02:13:0922] [Check Services] [198/330] Pcmcia [02:13:0922] [Check Services] C:\WINDOWS\system32\drivers\pcmcia.sys [02:13:0922] [Check Services] [199/330] PDCOMP [02:13:0922] [Check Services] C:\WINDOWS\system32\drivers\PDCOMP.sys [02:13:0922] [Check Services] [200/330] PDFRAME [02:13:0922] [Check Services] C:\WINDOWS\system32\drivers\PDFRAME.sys [02:13:0922] [Check Services] [201/330] PDRELI [02:13:0922] [Check Services] C:\WINDOWS\system32\drivers\PDRELI.sys [02:13:0922] [Check Services] [202/330] PDRFRAME [02:13:0938] [Check Services] C:\WINDOWS\system32\drivers\PDRFRAME.sys [02:13:0938] [Check Services] [203/330] perc2 [02:13:0938] [Check Services] C:\WINDOWS\system32\drivers\perc2.sys [02:13:0938] [Check Services] [204/330] perc2hib [02:13:0938] [Check Services] C:\WINDOWS\system32\drivers\perc2hib.sys [02:13:0938] [Check Services] [205/330] pfc [02:13:0938] [Check Services] C:\WINDOWS\system32\drivers\pfc.sys [02:13:0938] [Check Services] [206/330] PlugPlay [02:13:0938] [Check Services] C:\WINDOWS\system32\services.exe [02:13:0938] [Check Services] [207/330] PolicyAgent [02:13:0938] [Check Services] C:\WINDOWS\system32\lsass.exe [02:13:0938] [Check Services] [208/330] PptpMiniport [02:13:0938] [Check Services] C:\WINDOWS\System32\DRIVERS\raspptp.sys [02:13:0938] [Check Services] [209/330] Processor [02:13:0938] [Check Services] C:\WINDOWS\System32\DRIVERS\processr.sys [02:13:0938] [Check Services] [210/330] Profos [02:13:0938] [Check Services] C:\WINDOWS\system32\drivers\Profos.sys [02:13:0953] [Check Services] [211/330] ProtectedStorage [02:13:0953] [Check Services] C:\WINDOWS\system32\lsass.exe [02:13:0953] [Check Services] [212/330] PSched [02:13:0953] [Check Services] C:\WINDOWS\System32\DRIVERS\psched.sys [02:13:0953] [Check Services] [213/330] Ptilink [02:13:0953] [Check Services] C:\WINDOWS\System32\DRIVERS\ptilink.sys [02:13:0953] [Check Services] [214/330] PxHelp20 [02:13:0953] [Check Services] C:\WINDOWS\System32\Drivers\PxHelp20.sys [02:13:0953] [Check Services] [215/330] ql1080 [02:13:0953] [Check Services] C:\WINDOWS\system32\drivers\ql1080.sys [02:13:0953] [Check Services] [216/330] Ql10wnt [02:13:0953] [Check Services] C:\WINDOWS\system32\drivers\Ql10wnt.sys [02:13:0953] [Check Services] [217/330] ql12160 [02:13:0953] [Check Services] C:\WINDOWS\system32\drivers\ql12160.sys [02:13:0953] [Check Services] [218/330] ql1240 [02:13:0953] [Check Services] C:\WINDOWS\system32\drivers\ql1240.sys [02:13:0953] [Check Services] [219/330] ql1280 [02:13:0969] [Check Services] C:\WINDOWS\system32\drivers\ql1280.sys [02:13:0969] [Check Services] [220/330] RalinkRegistryWriter [02:13:0969] [Check Services] "C:\Program Files\Ralink\Common\RaRegistry.exe" [02:13:0969] [Check Services] [221/330] RaMediaServer [02:14:0047] [Check Services] C:\Program Files\Ralink\Common\RaMediaServer.exe [02:14:0047] [Check Services] [222/330] RasAcd [02:14:0047] [Check Services] C:\WINDOWS\System32\DRIVERS\rasacd.sys [02:14:0047] [Check Services] [223/330] RasAuto [02:14:0047] [Check Services] C:\WINDOWS\System32\svchost.exe -k netsvcs [02:14:0047] [Check Services] [224/330] Rasl2tp [02:14:0063] [Check Services] C:\WINDOWS\System32\DRIVERS\rasl2tp.sys [02:14:0063] [Check Services] [225/330] RasMan [02:14:0063] [Check Services] C:\WINDOWS\System32\svchost.exe -k netsvcs [02:14:0063] [Check Services] [226/330] RasPppoe [02:14:0063] [Check Services] C:\WINDOWS\System32\DRIVERS\raspppoe.sys [02:14:0063] [Check Services] [227/330] Raspti [02:14:0063] [Check Services] C:\WINDOWS\System32\DRIVERS\raspti.sys [02:14:0063] [Check Services] [228/330] Rdbss [02:14:0063] [Check Services] C:\WINDOWS\System32\DRIVERS\rdbss.sys [02:14:0063] [Check Services] [229/330] RDPCDD [02:14:0063] [Check Services] C:\WINDOWS\System32\DRIVERS\RDPCDD.sys [02:14:0063] [Check Services] [230/330] rdpdr [02:14:0063] [Check Services] C:\WINDOWS\System32\DRIVERS\rdpdr.sys [02:14:0063] [Check Services] [231/330] RDPWD [02:14:0063] [Check Services] C:\WINDOWS\system32\drivers\rdpwd.sys [02:14:0063] [Check Services] [232/330] RDSessMgr [02:14:0078] [Check Services] C:\WINDOWS\system32\sessmgr.exe [02:14:0078] [Check Services] [233/330] redbook [02:14:0078] [Check Services] C:\WINDOWS\System32\DRIVERS\redbook.sys [02:14:0078] [Check Services] [234/330] RemoteAccess [02:14:0078] [Check Services] C:\WINDOWS\System32\svchost.exe -k netsvcs [02:14:0078] [Check Services] [235/330] RemoteRegistry [02:14:0078] [Check Services] C:\WINDOWS\system32\svchost.exe -k LocalService [02:14:0078] [Check Services] [236/330] RpcLocator [02:14:0078] [Check Services] C:\WINDOWS\system32\locator.exe [02:14:0078] [Check Services] [237/330] RpcSs [02:14:0078] [Check Services] C:\WINDOWS\system32\svchost -k rpcss [02:14:0078] [Check Services] [238/330] RSVP [02:14:0125] [Check Services] C:\WINDOWS\system32\rsvp.exe [02:14:0125] [Check Services] [239/330] rt2870 [02:14:0141] [Check Services] C:\WINDOWS\system32\DRIVERS\rt2870.sys [02:14:0141] [Check Services] [240/330] RTL8192su [02:14:0141] [Check Services] C:\WINDOWS\system32\DRIVERS\RTL8192su.sys [02:14:0141] [Check Services] [241/330] SamSs [02:14:0141] [Check Services] C:\WINDOWS\system32\lsass.exe [02:14:0141] [Check Services] [242/330] SCardSvr [02:14:0172] [Check Services] C:\WINDOWS\system32\scardsvr.exe [02:14:0172] [Check Services] [243/330] Schedule [02:14:0219] [Check Services] C:\WINDOWS\System32\svchost.exe -k netsvcs [02:14:0219] [Check Services] [244/330] Scutum50 [02:14:0219] [Check Services] C:\WINDOWS\System32\Drivers\Scutum50.sys [02:14:0219] [Check Services] [245/330] Secdrv [02:14:0235] [Check Services] C:\WINDOWS\System32\DRIVERS\secdrv.sys [02:14:0235] [Check Services] [246/330] seclogon [02:14:0235] [Check Services] C:\WINDOWS\System32\svchost.exe -k netsvcs [02:14:0235] [Check Services] [247/330] SenFiltService [02:14:0235] [Check Services] C:\WINDOWS\system32\drivers\Senfilt.sys [02:14:0235] [Check Services] [248/330] SENS [02:14:0235] [Check Services] C:\WINDOWS\system32\svchost.exe -k netsvcs [02:14:0235] [Check Services] [249/330] serenum [02:14:0235] [Check Services] C:\WINDOWS\System32\DRIVERS\serenum.sys [02:14:0235] [Check Services] [250/330] Serial [02:14:0235] [Check Services] C:\WINDOWS\System32\DRIVERS\serial.sys [02:14:0235] [Check Services] [251/330] Sfloppy [02:14:0235] [Check Services] C:\WINDOWS\system32\drivers\sfloppy.sys [02:14:0235] [Check Services] [252/330] SharedAccess [02:14:0235] [Check Services] C:\WINDOWS\System32\svchost.exe -k netsvcs [02:14:0235] [Check Services] [253/330] ShellHWDetection [02:14:0235] [Check Services] C:\WINDOWS\System32\svchost.exe -k netsvcs [02:14:0235] [Check Services] [254/330] Simbad [02:14:0250] [Check Services] C:\WINDOWS\system32\drivers\Simbad.sys [02:14:0250] [Check Services] [255/330] SNMP [02:14:0266] [Check Services] C:\WINDOWS\system32\snmp.exe [02:14:0266] [Check Services] [256/330] SNMPTRAP [02:14:0266] [Check Services] C:\WINDOWS\system32\snmptrap.exe [02:14:0282] [Check Services] [257/330] Sparrow [02:14:0282] [Check Services] C:\WINDOWS\system32\drivers\Sparrow.sys [02:14:0282] [Check Services] [258/330] splitter [02:14:0282] [Check Services] C:\WINDOWS\system32\drivers\splitter.sys [02:14:0282] [Check Services] [259/330] Spooler [02:14:0282] [Check Services] C:\WINDOWS\system32\spoolsv.exe [02:14:0282] [Check Services] [260/330] SQLWriter [02:14:0282] [Check Services] "c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" [02:14:0282] [Check Services] [261/330] sr [02:14:0282] [Check Services] C:\WINDOWS\System32\DRIVERS\sr.sys [02:14:0282] [Check Services] [262/330] srservice [02:14:0282] [Check Services] C:\WINDOWS\System32\svchost.exe -k netsvcs [02:14:0282] [Check Services] [263/330] Srv [02:14:0282] [Check Services] C:\WINDOWS\System32\DRIVERS\srv.sys [02:14:0282] [Check Services] [264/330] SSDPSRV [02:14:0282] [Check Services] C:\WINDOWS\System32\svchost.exe -k LocalService [02:14:0282] [Check Services] [265/330] SSHNAS [02:14:0297] [Check Services] C:\WINDOWS\system32\svchost.exe -k netsvcs [02:14:0297] [Check Services] _FOUND_ 橐儁噓㋨菿Ⓞϫ䖋而㙾甀㴇ఊ [02:14:0313] [Check Services] [266/330] stisvc [02:14:0328] [Check Services] C:\WINDOWS\System32\svchost.exe -k imgsvc [02:14:0328] [Check Services] [267/330] swenum [02:14:0328] [Check Services] C:\WINDOWS\System32\DRIVERS\swenum.sys [02:14:0328] [Check Services] [268/330] swmidi [02:14:0328] [Check Services] C:\WINDOWS\system32\drivers\swmidi.sys [02:14:0328] [Check Services] [269/330] SwPrv [02:14:0328] [Check Services] C:\WINDOWS\System32\dllhost.exe /Processid:{D84C61B2-FCD3-42D3-870F-36E8F3B23022} [02:14:0328] [Check Services] [270/330] symc810 [02:14:0328] [Check Services] C:\WINDOWS\system32\drivers\symc810.sys [02:14:0328] [Check Services] [271/330] symc8xx [02:14:0328] [Check Services] C:\WINDOWS\system32\drivers\symc8xx.sys [02:14:0328] [Check Services] [272/330] sym_hi [02:14:0328] [Check Services] C:\WINDOWS\system32\drivers\sym_hi.sys [02:14:0328] [Check Services] [273/330] sym_u3 [02:14:0328] [Check Services] C:\WINDOWS\system32\drivers\sym_u3.sys [02:14:0328] [Check Services] [274/330] sysaudio [02:14:0328] [Check Services] C:\WINDOWS\system32\drivers\sysaudio.sys [02:14:0328] [Check Services] [275/330] SysmonLog [02:14:0422] [Check Services] C:\WINDOWS\system32\smlogsvc.exe [02:14:0422] [Check Services] [276/330] TapiSrv [02:14:0422] [Check Services] C:\WINDOWS\System32\svchost.exe -k netsvcs [02:14:0422] [Check Services] [277/330] Tcpip [02:14:0422] [Check Services] C:\WINDOWS\System32\DRIVERS\tcpip.sys [02:14:0422] [Check Services] [278/330] Tcpip6 [02:14:0438] [Check Services] C:\WINDOWS\system32\DRIVERS\tcpip6.sys [02:14:0453] [Check Services] [279/330] TDPIPE [02:14:0469] [Check Services] C:\WINDOWS\system32\drivers\tdpipe.sys [02:14:0469] [Check Services] [280/330] TDTCP [02:14:0469] [Check Services] C:\WINDOWS\system32\drivers\tdtcp.sys [02:14:0469] [Check Services] [281/330] TermDD [02:14:0469] [Check Services] C:\WINDOWS\System32\DRIVERS\termdd.sys [02:14:0469] [Check Services] [282/330] TermService [02:14:0469] [Check Services] C:\WINDOWS\System32\svchost -k DComLaunch [02:14:0469] [Check Services] [283/330] Themes [02:14:0469] [Check Services] C:\WINDOWS\System32\svchost.exe -k netsvcs [02:14:0469] [Check Services] [284/330] TlntSvr [02:14:0516] [Check Services] C:\WINDOWS\system32\tlntsvr.exe [02:14:0516] [Check Services] [285/330] TosIde [02:14:0516] [Check Services] C:\WINDOWS\system32\drivers\TosIde.sys [02:14:0532] [Check Services] [286/330] TrkWks [02:14:0532] [Check Services] C:\WINDOWS\system32\svchost.exe -k netsvcs [02:14:0532] [Check Services] [287/330] Trufos [02:14:0532] [Check Services] C:\WINDOWS\system32\drivers\Trufos.sys [02:14:0532] [Check Services] [288/330] tunmp [02:14:0532] [Check Services] C:\WINDOWS\system32\DRIVERS\tunmp.sys [02:14:0532] [Check Services] [289/330] Udfs [02:14:0532] [Check Services] C:\WINDOWS\system32\drivers\udfs.sys [02:14:0532] [Check Services] [290/330] ultra [02:14:0532] [Check Services] C:\WINDOWS\system32\drivers\ultra.sys [02:14:0532] [Check Services] [291/330] Update [02:14:0532] [Check Services] C:\WINDOWS\System32\DRIVERS\update.sys [02:14:0532] [Check Services] [292/330] upnphost [02:14:0532] [Check Services] C:\WINDOWS\System32\svchost.exe -k LocalService [02:14:0532] [Check Services] [293/330] UPS [02:14:0547] [Check Services] C:\WINDOWS\system32\ups.exe [02:14:0547] [Check Services] [294/330] USB-100 [02:14:0547] [Check Services] C:\WINDOWS\system32\DRIVERS\USBKR100.SYS [02:14:0547] [Check Services] [295/330] USBAAPL [02:14:0547] [Check Services] C:\WINDOWS\System32\Drivers\usbaapl.sys [02:14:0547] [Check Services] [296/330] usbaudio [02:14:0547] [Check Services] C:\WINDOWS\system32\drivers\usbaudio.sys [02:14:0547] [Check Services] [297/330] usbccgp [02:14:0547] [Check Services] C:\WINDOWS\System32\DRIVERS\usbccgp.sys [02:14:0547] [Check Services] [298/330] usbehci [02:14:0547] [Check Services] C:\WINDOWS\system32\DRIVERS\usbehci.sys [02:14:0547] [Check Services] [299/330] usbhub [02:14:0563] [Check Services] C:\WINDOWS\System32\DRIVERS\usbhub.sys [02:14:0563] [Check Services] [300/330] usbohci [02:14:0563] [Check Services] C:\WINDOWS\System32\DRIVERS\usbohci.sys [02:14:0563] [Check Services] [301/330] usbprint [02:14:0563] [Check Services] C:\WINDOWS\system32\DRIVERS\usbprint.sys [02:14:0563] [Check Services] [302/330] usbscan [02:14:0563] [Check Services] C:\WINDOWS\system32\DRIVERS\usbscan.sys [02:14:0563] [Check Services] [303/330] USBSTOR [02:14:0563] [Check Services] C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [02:14:0563] [Check Services] [304/330] usb_rndisx [02:14:0563] [Check Services] C:\WINDOWS\system32\DRIVERS\usb8023x.sys [02:14:0563] [Check Services] [305/330] VgaSave [02:14:0563] [Check Services] C:\WINDOWS\System32\drivers\vga.sys [02:14:0563] [Check Services] [306/330] ViaIde [02:14:0563] [Check Services] C:\WINDOWS\system32\drivers\ViaIde.sys [02:14:0563] [Check Services] [307/330] VolSnap [02:14:0578] [Check Services] C:\WINDOWS\system32\drivers\volsnap.sys [02:14:0578] [Check Services] [308/330] VSS [02:14:0578] [Check Services] C:\WINDOWS\system32\vssvc.exe [02:14:0578] [Check Services] [309/330] W32Time [02:14:0578] [Check Services] C:\WINDOWS\System32\svchost.exe -k netsvcs [02:14:0578] [Check Services] [310/330] Wanarp [02:14:0578] [Check Services] C:\WINDOWS\System32\DRIVERS\wanarp.sys [02:14:0578] [Check Services] [311/330] WDICA [02:14:0578] [Check Services] C:\WINDOWS\system32\drivers\WDICA.sys [02:14:0578] [Check Services] [312/330] wdmaud [02:14:0578] [Check Services] C:\WINDOWS\system32\drivers\wdmaud.sys [02:14:0578] [Check Services] [313/330] WebClient [02:14:0578] [Check Services] C:\WINDOWS\System32\svchost.exe -k LocalService [02:14:0578] [Check Services] [314/330] WefiEngSvc [02:14:0578] [Check Services] "C:\Program Files\WeFi\WefiEngSvc.exe" [02:14:0578] [Check Services] [315/330] winmgmt [02:14:0594] [Check Services] C:\WINDOWS\system32\svchost.exe -k netsvcs [02:14:0594] [Check Services] [316/330] wlidsvc [02:14:0594] [Check Services] "C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE" [02:14:0594] [Check Services] [317/330] WmdmPmSN [02:14:0594] [Check Services] C:\WINDOWS\System32\svchost.exe -k netsvcs [02:14:0594] [Check Services] [318/330] Wmi [02:14:0594] [Check Services] C:\WINDOWS\System32\svchost.exe -k netsvcs [02:14:0594] [Check Services] [319/330] WmiApSrv [02:14:0625] [Check Services] C:\WINDOWS\system32\wbem\wmiapsrv.exe [02:14:0625] [Check Services] [320/330] WMPNetworkSvc [02:14:0625] [Check Services] "C:\Program Files\Windows Media Player\WMPNetwk.exe" [02:14:0625] [Check Services] [321/330] WpdUsb [02:14:0625] [Check Services] C:\WINDOWS\system32\DRIVERS\wpdusb.sys [02:14:0625] [Check Services] [322/330] WS2IFSL [02:14:0625] [Check Services] C:\WINDOWS\System32\drivers\ws2ifsl.sys [02:14:0625] [Check Services] [323/330] wscsvc [02:14:0625] [Check Services] C:\WINDOWS\System32\svchost.exe -k netsvcs [02:14:0625] [Check Services] [324/330] wuauserv [02:14:0641] [Check Services] C:\WINDOWS\System32\svchost.exe -k netsvcs [02:14:0641] [Check Services] [325/330] WudfPf [02:14:0641] [Check Services] C:\WINDOWS\system32\DRIVERS\WudfPf.sys [02:14:0641] [Check Services] [326/330] WudfRd [02:14:0641] [Check Services] C:\WINDOWS\system32\DRIVERS\wudfrd.sys [02:14:0641] [Check Services] [327/330] WudfSvc [02:14:0641] [Check Services] C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup [02:14:0641] [Check Services] [328/330] WZCSVC [02:14:0641] [Check Services] C:\WINDOWS\System32\svchost.exe -k netsvcs [02:14:0641] [Check Services] [329/330] xmlprov [02:14:0641] [Check Services] C:\WINDOWS\System32\svchost.exe -k netsvcs [02:14:0641] [Check Services] [330/330] YahooAUService [02:14:0641] [Check Services] "C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe" [02:14:0641] Loading Driver

#6 krptd

New Member

Authentic Member
5 posts

Posted 30 August 2013 - 02:41 PM

Hello and good afternoon Satchfan

Several attempts to complete RogueKiller scan failed- I proceeded to next step-here is that result...
# AdwCleaner v3.001 - Report created 30/08/2013 at 12:45:30
# Updated 24/08/2013 by Xplode
# Operating System : Microsoft Windows XP Service Pack 3 (32 bits)
# Username : taryn - MYRADXP
# Running from : C:\Documents and Settings\taryn\Desktop\adwcleaner.exe
# Option : Clean

***** [ Services ] *****

Service Deleted : CltMngSvc
Service Deleted : DefaultTabUpdate

***** [ Files / Folders ] *****

Folder Deleted : C:\Documents and Settings\All Users.WINDOWS\Application Data\InstallMate
Folder Deleted : C:\Documents and Settings\All Users.WINDOWS\Application Data\StarApp
Folder Deleted : C:\Documents and Settings\All Users.WINDOWS\Application Data\Trymedia
Folder Deleted : C:\Documents and Settings\All Users.WINDOWS\Application Data\Vaudix
Folder Deleted : C:\Program Files\Ask.com
Folder Deleted : C:\Program Files\Babylon
Folder Deleted : C:\Program Files\Conduit
Folder Deleted : C:\Program Files\Deal Vault
Folder Deleted : C:\Program Files\Free Offers from Freeze.com
Folder Deleted : C:\Program Files\Search Toolbar
Folder Deleted : C:\Program Files\SearchProtect
Folder Deleted : C:\Program Files\Vgrabber_v1.5
Folder Deleted : C:\Documents and Settings\taryn\IECompatCache
Folder Deleted : C:\Documents and Settings\taryn\Local Settings\Application Data\AskToolbar
Folder Deleted : C:\Documents and Settings\taryn\Local Settings\Application Data\Babylon
Folder Deleted : C:\Documents and Settings\taryn\Local Settings\Application Data\Conduit
Folder Deleted : C:\Documents and Settings\taryn\Local Settings\Application Data\ConduitEngine
Folder Deleted : C:\Documents and Settings\taryn\Local Settings\Application Data\cre
Folder Deleted : C:\Documents and Settings\taryn\Local Settings\Application Data\visualbeeexe
Folder Deleted : C:\Documents and Settings\taryn\Local Settings\Application Data\Vgrabber_v1.5
Folder Deleted : C:\DOCUME~1\taryn\LOCALS~1\Temp\CT3293216
Folder Deleted : C:\Documents and Settings\taryn\Application Data\Babylon
Folder Deleted : C:\Documents and Settings\taryn\Application Data\PriceGong
Folder Deleted : C:\Documents and Settings\taryn\Application Data\SearchProtect
Folder Deleted : C:\Documents and Settings\taryn\Application Data\Uniblue\SpeedUpMyPC
Folder Deleted : C:\Documents and Settings\tryme\IECompatCache
Folder Deleted : C:\Documents and Settings\tryme\Local Settings\Application Data\AskToolbar
Folder Deleted : C:\Documents and Settings\tryme\Local Settings\Application Data\Conduit
Folder Deleted : C:\Documents and Settings\tryme\Local Settings\Application Data\cre
Folder Deleted : C:\Documents and Settings\tryme\Local Settings\Application Data\mixidj
Folder Deleted : C:\DOCUME~1\tryme\LOCALS~1\Temp\AskSearch
Folder Deleted : C:\DOCUME~1\tryme\LOCALS~1\Temp\boost_interprocess
Folder Deleted : C:\DOCUME~1\tryme\LOCALS~1\Temp\OpenCandy
Folder Deleted : C:\DOCUME~1\tryme\LOCALS~1\Temp\CT3272718
Folder Deleted : C:\Documents and Settings\tryme\Application Data\BabylonToolbar
Folder Deleted : C:\Documents and Settings\tryme\Application Data\DefaultTab
Folder Deleted : C:\Documents and Settings\tryme\Application Data\iWin
Folder Deleted : C:\Documents and Settings\tryme\Application Data\PriceGong
Folder Deleted : C:\Documents and Settings\taryn\Application Data\Mozilla\Firefox\Profiles\2yqmveox.default\Conduit
Folder Deleted : C:\Documents and Settings\taryn\Application Data\Mozilla\Firefox\Profiles\2yqmveox.default\Smartbar
Folder Deleted : C:\Documents and Settings\taryn\Application Data\Mozilla\Firefox\Profiles\2yqmveox.default\CT2398341
Folder Deleted : C:\Documents and Settings\taryn\Application Data\Mozilla\Firefox\Profiles\2yqmveox.default\CT3293216
Folder Deleted : C:\Documents and Settings\taryn\Application Data\Mozilla\Firefox\Profiles\2yqmveox.default\CT3287802
Folder Deleted : C:\Documents and Settings\tryme\Application Data\Mozilla\Firefox\Profiles\rb3xf8f1.default\Smartbar
Folder Deleted : C:\Documents and Settings\tryme\Application Data\Mozilla\Firefox\Profiles\rb3xf8f1.default\CT3272718
Folder Deleted : C:\Documents and Settings\tryme\Application Data\Mozilla\Firefox\Profiles\rb3xf8f1.default\Extensions\toolbar@ask.com
Folder Deleted : C:\Documents and Settings\taryn\Application Data\Mozilla\Firefox\Profiles\2yqmveox.default\Extensions\{71d2cf9e-34e4-4401-8841-f4fc3f3edc32}(2)
Folder Deleted : C:\Documents and Settings\taryn\Application Data\Mozilla\Firefox\Profiles\2yqmveox.default\Extensions\{73507124-6acd-43aa-b749-c3bcfefbea97}
Folder Deleted : C:\Documents and Settings\taryn\Application Data\Mozilla\Firefox\Profiles\2yqmveox.default\Extensions\{bf9194c2-b86d-4ebc-9b53-1c08b6ff779e}
Folder Deleted : C:\Documents and Settings\tryme\Application Data\Mozilla\Firefox\Profiles\rb3xf8f1.default\Extensions\{c0c2693d-2ee8-47b4-9df7-b67a0ee31988}
[!] Folder Deleted : C:\Documents and Settings\taryn\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\dhkplhfnhceodhffomolpfigojocbpcb
[!] Folder Deleted : C:\Documents and Settings\tryme\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\dhkplhfnhceodhffomolpfigojocbpcb
[!] Folder Deleted : C:\Documents and Settings\tryme\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\jmfkcklnlgedgbglfkkgedjfmejoahla
[!] Folder Deleted : C:\Documents and Settings\taryn\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pbofibgamhkgoonaocfgemncghhadmgb
[!] Folder Deleted : C:\Documents and Settings\tryme\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pbofibgamhkgoonaocfgemncghhadmgb
[!] Folder Deleted : C:\Documents and Settings\taryn\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pbofibgamhkgoonaocfgemncghhadmgb
[!] Folder Deleted : C:\Documents and Settings\tryme\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pbofibgamhkgoonaocfgemncghhadmgb
[!] Folder Deleted : C:\Documents and Settings\taryn\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pbofibgamhkgoonaocfgemncghhadmgb
[!] Folder Deleted : C:\Documents and Settings\tryme\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pbofibgamhkgoonaocfgemncghhadmgb
File Deleted : C:\END
File Deleted : C:\Program Files\Mozilla Firefox\searchplugins\Babylon.xml
File Deleted : C:\Documents and Settings\taryn\Application Data\Mozilla\Firefox\Profiles\2yqmveox.default\searchplugins\Conduit.xml
File Deleted : C:\Documents and Settings\tryme\Application Data\Mozilla\Firefox\Profiles\rb3xf8f1.default\searchplugins\Conduit.xml
File Deleted : C:\Documents and Settings\taryn\Application Data\Mozilla\Firefox\Profiles\2yqmveox.default\searchplugins\MyStart Search.xml
File Deleted : C:\Documents and Settings\taryn\Application Data\Mozilla\Firefox\Profiles\2yqmveox.default\searchplugins\safesearch.xml
File Deleted : C:\Program Files\Mozilla Firefox\searchplugins\safesearch.xml
File Deleted : C:\Documents and Settings\taryn\Application Data\Mozilla\Firefox\Profiles\2yqmveox.default\user.js
File Deleted : C:\WINDOWS\Tasks\Scheduled Update for Ask Toolbar.job

***** [ Shortcuts ] *****

***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\dhkplhfnhceodhffomolpfigojocbpcb
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\pbofibgamhkgoonaocfgemncghhadmgb
Key Deleted : HKCU\Software\Microsoft\Office\Powerpoint\Addins\babylonofficeaddin.officeaddin
Key Deleted : HKCU\Software\Microsoft\Office\Word\Addins\babylonofficeaddin.officeaddin
Key Deleted : HKCU\Toolbar
Key Deleted : HKLM\SOFTWARE\Classes\AppID\DefaultTabBHO.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AppID\escort.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AppID\GenericAskToolbar.DLL
Key Deleted : HKLM\SOFTWARE\Classes\bbylntlbr.bbylntlbrHlpr
Key Deleted : HKLM\SOFTWARE\Classes\bbylntlbr.bbylntlbrHlpr.1
Key Deleted : HKLM\SOFTWARE\Classes\Conduit.Engine
Key Deleted : HKLM\SOFTWARE\Classes\DefaultTabBHO.DefaultTabBrowser
Key Deleted : HKLM\SOFTWARE\Classes\DefaultTabBHO.DefaultTabBrowser.1
Key Deleted : HKLM\SOFTWARE\Classes\DefaultTabBHO.DefaultTabBrowserActiveX
Key Deleted : HKLM\SOFTWARE\Classes\DefaultTabBHO.DefaultTabBrowserActiveX.1
Key Deleted : HKLM\SOFTWARE\Classes\f
Key Deleted : HKLM\SOFTWARE\Classes\GenericAskToolbar.ToolbarWnd
Key Deleted : HKLM\SOFTWARE\Classes\GenericAskToolbar.ToolbarWnd.1
Key Deleted : HKLM\SOFTWARE\Classes\Prod.cap
Key Deleted : HKLM\SOFTWARE\Classes\S
Key Deleted : HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ApnUpdater
Key Deleted : HKLM\SOFTWARE\Classes\CrossriderApp0019866.BHO
Key Deleted : HKLM\SOFTWARE\Classes\CrossriderApp0019866.BHO.1
Key Deleted : HKLM\SOFTWARE\Classes\CrossriderApp0019866.Sandbox
Key Deleted : HKLM\SOFTWARE\Classes\CrossriderApp0019866.Sandbox.1
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{9B0CB95C-933A-4B8C-B6D4-EDCD19A43874}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{BDB69379-802F-4EAF-B541-F8DE92DD98DB}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{00000000-6E41-4FD3-8538-502F5495E5FC}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{2EECD738-5844-4A99-B4B6-146BF802613B}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{7F6AFBF1-E065-4627-A2FD-810366367D01}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{9AFB8248-617F-460D-9366-D71CDEDA3179}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{9D425283-D487-4337-BAB6-AB8354A81457}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{E46C8196-B634-44A1-AF6E-957C64278AB1}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{73507124-6ACD-43AA-B749-C3BCFEFBEA97}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{9817FDB5-8C5F-45F7-8740-6DEBD0AEAAE9}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{11111111-1111-1111-1111-110111981166}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{6C434537-053E-486D-B62A-160059D9D456}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{91CF619A-4686-4CA4-9232-3B2E6B63AA92}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{AC71B60E-94C9-4EDE-BA46-E146747BB67E}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{09C554C3-109B-483C-A06B-F14172F1A947}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7F6AFBF1-E065-4627-A2FD-810366367D01}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9D425283-D487-4337-BAB6-AB8354A81457}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{73507124-6ACD-43AA-B749-C3BCFEFBEA97}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-1111-1111-1111-110111981166}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{30F9B915-B755-4826-820B-08FBA6BD249D}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{7F6AFBF1-E065-4627-A2FD-810366367D01}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{9CFACCB6-2F3F-4177-94EA-0D2B72D384C1}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{9D425283-D487-4337-BAB6-AB8354A81457}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D4027C7F-154A-4066-A1AD-4243D8127440}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F72841F0-4EF1-4DF5-BCE5-B3AC8ACF5478}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{73507124-6ACD-43AA-B749-C3BCFEFBEA97}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{11111111-1111-1111-1111-110111981166}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{30F9B915-B755-4826-820B-08FBA6BD249D}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{7F6AFBF1-E065-4627-A2FD-810366367D01}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{9CFACCB6-2F3F-4177-94EA-0D2B72D384C1}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{9D425283-D487-4337-BAB6-AB8354A81457}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{D4027C7F-154A-4066-A1AD-4243D8127440}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{F72841F0-4EF1-4DF5-BCE5-B3AC8ACF5478}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{73507124-6ACD-43AA-B749-C3BCFEFBEA97}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{11111111-1111-1111-1111-110111981166}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{7F6AFBF1-E065-4627-A2FD-810366367D01}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{9817FDB5-8C5F-45F7-8740-6DEBD0AEAAE9}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A5AA24EA-11B8-4113-95AE-9ED71DEAF12A}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{2BDAA264-8746-4180-9A84-07FC51CC8610}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F7E8DB3F-19D0-4148-A6F6-1B215C969C3F}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{11111111-1111-1111-1111-110111981166}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{21111111-1111-1111-1111-110111981166}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{CFF4DB9B-135F-47C0-9269-B4C6572FD61A}
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{9D425283-D487-4337-BAB6-AB8354A81457}]
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{D4027C7F-154A-4066-A1AD-4243D8127440}]
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{73507124-6ACD-43AA-B749-C3BCFEFBEA97}]
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks [{73507124-6ACD-43AA-B749-C3BCFEFBEA97}]
Key Deleted : HKCU\Software\APN
Key Deleted : HKCU\Software\AskToolbar
Key Deleted : HKCU\Software\Babylon
Key Deleted : HKCU\Software\Conduit
Key Deleted : HKCU\Software\conduitEngine
Key Deleted : HKCU\Software\ConduitSearchScopes
Key Deleted : HKCU\Software\Deal Vault
Key Deleted : HKCU\Software\DefaultTab
Key Deleted : HKCU\Software\FunWebProducts
Key Deleted : HKCU\Software\PriceGong
Key Deleted : HKCU\Software\SearchProtect
Key Deleted : HKCU\Software\SmartBar
Key Deleted : HKCU\Software\Softonic
Key Deleted : HKCU\Software\YahooPartnerToolbar
Key Deleted : HKCU\Software\Vgrabber_v1.5
Key Deleted : HKCU\Software\AppDataLow\Software\DefaultTab
Key Deleted : HKLM\Software\APN
Key Deleted : HKLM\Software\AskToolbar
Key Deleted : HKLM\Software\AVG Secure Search
Key Deleted : HKLM\Software\AVG Security Toolbar
Key Deleted : HKLM\Software\Conduit
Key Deleted : HKLM\Software\Default Tab
Key Deleted : HKLM\Software\Freeze.com
Key Deleted : HKLM\Software\SearchProtect
Key Deleted : HKLM\Software\Vgrabber_v1.5
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\{79A765E1-C399-405B-85AF-466F52E918B0}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{86D4B82A-ABED-442A-BE86-96357B70F4FE}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Deal Vault
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DefaultTab
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Vgrabber_v1.5 Toolbar
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{79A765E1-C399-405B-85AF-466F52E918B0}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{86D4B82A-ABED-442A-BE86-96357B70F4FE}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Deal Vault
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\DefaultTab
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Optimizer Pro_is1
Product Deleted : Ask Toolbar

***** [ Browsers ] *****

-\\ Internet Explorer v8.0.6001.18702

Setting Restored : HKCU\Software\Microsoft\Internet Explorer\Main [Start Page]

-\\ Mozilla Firefox v23.0.1 (en-US)

[ File : C:\Documents and Settings\taryn\Application Data\Mozilla\Firefox\Profiles\2yqmveox.default\prefs.js ]

Line Deleted : user_pref("CT2398341.AboutPrivacyUrl", "hxxp://www.conduit.com/privacy/Default.aspx");
Line Deleted : user_pref("CT2398341.CTID", "CT2398341");
Line Deleted : user_pref("CT2398341.DialogsAlignMode", "LTR");
Line Deleted : user_pref("CT2398341.EMailNotifierPollDate", "Thu Nov 05 2009 08:05:36 GMT-0700 (US Mountain Standard Time)");
Line Deleted : user_pref("CT2398341.ExternalComponentPollDate128900742049031697", "Tue Nov 03 2009 08:57:31 GMT-0700 (US Mountain Standard Time)");
Line Deleted : user_pref("CT2398341.ExternalComponentPollDate128966565940712506", "Tue Nov 03 2009 08:57:31 GMT-0700 (US Mountain Standard Time)");
Line Deleted : user_pref("CT2398341.FirstTime", true);
Line Deleted : user_pref("CT2398341.FirstTimeFF3", true);
Line Deleted : user_pref("CT2398341.GroupingServerCheckInterval", 1440);
Line Deleted : user_pref("CT2398341.GroupingServiceUrl", "hxxp://grouping.services.conduit.com/");
Line Deleted : user_pref("CT2398341.Initialize", true);
Line Deleted : user_pref("CT2398341.InitializeCommonPrefs", true);
Line Deleted : user_pref("CT2398341.InstalledDate", "Tue Nov 03 2009 08:57:44 GMT-0700 (US Mountain Standard Time)");
Line Deleted : user_pref("CT2398341.InvalidateCache", false);
Line Deleted : user_pref("CT2398341.IsGrouping", false);
Line Deleted : user_pref("CT2398341.IsMulticommunity", false);
Line Deleted : user_pref("CT2398341.IsOpenThankYouPage", true);
Line Deleted : user_pref("CT2398341.IsOpenUninstallPage", true);
Line Deleted : user_pref("CT2398341.LanguagePackLastCheckTime", "Tue Nov 03 2009 08:57:44 GMT-0700 (US Mountain Standard Time)");
Line Deleted : user_pref("CT2398341.LanguagePackReloadIntervalMM", 1440);
Line Deleted : user_pref("CT2398341.LanguagePackServiceUrl", "hxxp://translation.users.conduit.com/Translation.ashx");
Line Deleted : user_pref("CT2398341.LastLogin_2.4.0.4", "Thu Nov 05 2009 01:53:55 GMT-0700 (US Mountain Standard Time)");
Line Deleted : user_pref("CT2398341.LatestVersion", "2.1.0.18");
Line Deleted : user_pref("CT2398341.Locale", "en");
Line Deleted : user_pref("CT2398341.LoginCache", 4);
Line Deleted : user_pref("CT2398341.MCDetectTooltipHeight", "83");
Line Deleted : user_pref("CT2398341.MCDetectTooltipUrl", "hxxp://@EB_INSTALL_LINK@/rank/tooltip/?version=1");
Line Deleted : user_pref("CT2398341.MCDetectTooltipWidth", "295");
Line Deleted : user_pref("CT2398341.RadioIsPodcast", false);
Line Deleted : user_pref("CT2398341.RadioLastCheckTime", "Wed Nov 04 2009 08:58:02 GMT-0700 (US Mountain Standard Time)");
Line Deleted : user_pref("CT2398341.RadioLastUpdateIPServer", "4");
Line Deleted : user_pref("CT2398341.RadioLastUpdateServer", "4");
Line Deleted : user_pref("CT2398341.RadioMediaID", "9962");
Line Deleted : user_pref("CT2398341.RadioMediaType", "Media Player");
Line Deleted : user_pref("CT2398341.RadioMenuSelectedID", "EBRadioMenu_CT23983419962");
Line Deleted : user_pref("CT2398341.RadioStationName", "California%20Rock");
Line Deleted : user_pref("CT2398341.RadioStationURL", "hxxp://feedlive.net/california.asx");
Line Deleted : user_pref("CT2398341.SHRINK_TOOLBAR", 1);
Line Deleted : user_pref("CT2398341.SearchEngine", "Search||hxxp://search.conduit.com/Results.aspx?q=UCM_SEARCH_TERM&ctid=CT2398341&octid=EB_ORIGINAL_CTID");
Line Deleted : user_pref("CT2398341.SearchFromAddressBarIsInit", true);
Line Deleted : user_pref("CT2398341.SearchFromAddressBarUrl", "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2398341&SearchSource=2&q=");
Line Deleted : user_pref("CT2398341.SearchInNewTabEnabled", true);
Line Deleted : user_pref("CT2398341.SearchInNewTabIntervalMM", 1440);
Line Deleted : user_pref("CT2398341.SearchInNewTabLastCheckTime", "Wed Nov 04 2009 08:58:05 GMT-0700 (US Mountain Standard Time)");
Line Deleted : user_pref("CT2398341.SearchInNewTabServiceUrl", "hxxp://hosting.conduit-services.com/newtab/?ctid=EB_TOOLBAR_ID");
Line Deleted : user_pref("CT2398341.SearchInNewTabUsageUrl", "hxxp://Usage.Hosting.conduit-services.com/UsageService.asmx/UsersRequests?ctid=EB_TOOLBAR_ID");
Line Deleted : user_pref("CT2398341.SettingsCheckIntervalMin", 120);
Line Deleted : user_pref("CT2398341.SettingsLastCheckTime", "Thu Nov 05 2009 07:21:55 GMT-0700 (US Mountain Standard Time)");
Line Deleted : user_pref("CT2398341.SettingsLastUpdate", "1256456412");
Line Deleted : user_pref("CT2398341.ThirdPartyComponentsInterval", 72);
Line Deleted : user_pref("CT2398341.ThirdPartyComponentsLastCheck", "Tue Nov 03 2009 08:57:25 GMT-0700 (US Mountain Standard Time)");
Line Deleted : user_pref("CT2398341.ThirdPartyComponentsLastUpdate", "1256456412");
Line Deleted : user_pref("CT2398341.TrusteLinkUrl", "hxxp://www.truste.org/pvr.php?page=validate&softwareProgramId=101&sealid=112");
Line Deleted : user_pref("CT2398341.UserID", "UN40083656390065832");
Line Deleted : user_pref("CT2398341.ValidationData_Toolbar", 2);
Line Deleted : user_pref("CT2398341.alertChannelId", "792920");
Line Deleted : user_pref("CT2398341.clientLogIsEnabled", false);
Line Deleted : user_pref("CT2398341.clientLogServiceUrl", "hxxp://clientlog.users.conduit.com/ClientDiagnostics.asmx/ReportDiagnosticsEvent");
Line Deleted : user_pref("CT2398341.components.1000234", false);
Line Deleted : user_pref("CT2398341.myStuffEnabled", true);
Line Deleted : user_pref("CT2398341.myStuffPublihserMinWidth", 400);
Line Deleted : user_pref("CT2398341.myStuffSearchUrl", "hxxp://search.conduit.com/Results.aspx?q=SEARCH_TERM&ctid=EB_TOOLBAR_ID&octid=EB_ORIGINAL_CTID&SearchType=ToolbarComponents");
Line Deleted : user_pref("CT2398341.myStuffServiceIntervalMM", 1440);
Line Deleted : user_pref("CT2398341.myStuffServiceUrl", "hxxp://mystuff.conduit-services.com/MyStuffService.ashx?ComponentId=EB_MY_STUFF_INSTANCE_GUID&lut=EB_MY_STUFF_LUT");
Line Deleted : user_pref("CT2398341.uninstallLogServiceUrl", "hxxp://uninstall.users.conduit.com/Uninstall.asmx/RegisterToolbarUninstallation");
Line Deleted : user_pref("CT3287802.1000082.isPlayDisplay", "true");
Line Deleted : user_pref("CT3287802.1000082.state", "{\"state\":\"stopped\",\"text\":\"Californi...\",\"description\":\"California Rock - Rock\",\"url\":\"hxxp://www.feedlive.net/california.asx\"}");
Line Deleted : user_pref("CT3287802.ENABALE_HISTORY", "{\"dataType\":\"string\",\"data\":\"true\"}");
Line Deleted : user_pref("CT3287802.ENABLE_RETURN_WEB_SEARCH_ON_THE_PAGE", "{\"dataType\":\"string\",\"data\":\"true\"}");
Line Deleted : user_pref("CT3287802.FF19Solved", "true");
Line Deleted : user_pref("CT3287802.FirstTime", "true");
Line Deleted : user_pref("CT3287802.FirstTimeFF3", "true");
Line Deleted : user_pref("CT3287802.LAST_CLIENT_STATS_SUBMIT_2.enc", "MTM3NDgxMDg2NQ==");
Line Deleted : user_pref("CT3287802.LOCAL_COOKIE_STATS_LAST_SUBMIT_6.enc", "MTM3NTQxOTM1OA==");
Line Deleted : user_pref("CT3287802.LOCAL_COOKIE_STATS_STATS_SITE_IRRELEVANT.enc", "MQ==");
Line Deleted : user_pref("CT3287802.LOCAL_COOKIE_STATS_STATS_SITE_NEW.enc", "MA==");
Line Deleted : user_pref("CT3287802.LOCAL_COOKIE_STATS_STATS_SITE_NOT_SUPPORTED.enc", "MA==");
Line Deleted : user_pref("CT3287802.LOCAL_COOKIE_STATS_STATS_SITE_SUPPORTED.enc", "MA==");
Line Deleted : user_pref("CT3287802.LOCAL_COOKIE_STATS_STATS_USE_HISTORY.enc", "MA==");
Line Deleted : user_pref("CT3287802.LOCAL_COOKIE_STATS_STATS_USE_POP.enc", "MA==");
Line Deleted : user_pref("CT3287802.LOCAL_COOKIE_STATS_STATS_USE_RELATED.enc", "MA==");
Line Deleted : user_pref("CT3287802.LOCAL_COOKIE_STATS_STATS_USE_TYPED.enc", "MA==");
Line Deleted : user_pref("CT3287802.LOCAL_COOKIE_THROTTLE_BASEadd_stats|0|LOCAL_COOKIE_STATS_STATS_SI
TE_IRRELEVANT.enc", "MTM3NTQxOTY5OA==");
Line Deleted : user_pref("CT3287802.LOCAL_COOKIE_THROTTLE_BASEadd_stats|0|LOCAL_COOKIE_STATS_STATS_SI
TE_SUPPORTED.enc", "MTM3NTI1NDk4NA==");
Line Deleted : user_pref("CT3287802.LOCAL_COOKIE_THROTTLE_BASEloopback|hxxp://up.autocompleteplus.com/up?q=peergaurdia&l=www.bing.com&t=2&v=0.4&d=conduit2.enc", "MTM3NDgxMDkyNw==");
Line Deleted : user_pref("CT3287802.LOCAL_COOKIE_THROTTLE_BASEloopback|hxxp://up.autocompleteplus.com/up?q=peerguardian%2Bphoenix%2Blabs&l=www.bing.com&t=2&v=0.4&d=conduit2.enc", "MTM3NDgxMTA4Nw==");
Line Deleted : user_pref("CT3287802.LOCAL_COOKIE_THROTTLE_BASEloopback|hxxp://up.autocompleteplus.com/up?q=peerguardian&l=peerguardian.en.softonic.com&t=2&v=0.4&d=conduit2.enc", "MTM3NDgxMDk0MA==");
Line Deleted : user_pref("CT3287802.LOCAL_COOKIE_THROTTLE_BASEloopback|hxxp://up.autocompleteplus.com/up?q=peerguardian&l=www.bing.com&t=2&v=0.4&d=conduit2.enc", "MTM3NDgxMTA3NQ==");
Line Deleted : user_pref("CT3287802.LOCAL_COOKIE_THROTTLE_BASEloopback|hxxp://up.autocompleteplus.com/up?q=peerguardian&l=www.phoenixlabs.org&t=2&v=0.4&d=conduit2.enc", "MTM3NDgxMTA0Mg==");
Line Deleted : user_pref("CT3287802.LOCAL_COOKIE_THROTTLE_BASEloopback|hxxp://up.autocompleteplus.com/up?q=phoenix%2Blabs%2Bpeerblock&l=peerblock.com&t=2&v=0.4&d=conduit2.enc", "MTM3NDgxMTA5NQ==");
Line Deleted : user_pref("CT3287802.PG_ENABLE", "dHJ1ZQ==");
Line Deleted : user_pref("CT3287802.SF_JUST_INSTALLED.enc", "RkFMU0U=");
Line Deleted : user_pref("CT3287802.SF_STATUS.enc", "RU5BQkxFRA==");
Line Deleted : user_pref("CT3287802.SF_USER_ID.enc", "Y2lkXzI1NzIwMTMyMDU0MjE0MzY2NjI0");
Line Deleted : user_pref("CT3287802.SearchFromAddressBarUrl", "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3287802&SearchSource=2&CUI=UN95417931323121124&UM=2&q=");
Line Deleted : user_pref("CT3287802.UserID", "UN95417931323121124");
Line Deleted : user_pref("CT3287802.acp_personal.appstate.enc", "ZW5hYmxl");
Line Deleted : user_pref("CT3287802.addressBarTakeOverEnabledInHidden", "true");
Line Deleted : user_pref("CT3287802.autoDisableScopes", 0);
Line Deleted : user_pref("CT3287802.browser.search.defaultthis.engineName", "true");
Line Deleted : user_pref("CT3287802.cbfirsttime.enc", "VGh1IEp1bCAyNSAyMDEzIDIwOjUzOjMxIEdNVC0wNzAwIChVUyBNb3VudGFpbiBTdGFuZGFyZCB
UaW1lKQ==");
Line Deleted : user_pref("CT3287802.countryCode", "US");
Line Deleted : user_pref("CT3287802.defaultSearch", "true");
Line Deleted : user_pref("CT3287802.enableAlerts", "true");
Line Deleted : user_pref("CT3287802.enableSearchFromAddressBar", "true");
Line Deleted : user_pref("CT3287802.firstTimeDialogOpened", "true");
Line Deleted : user_pref("CT3287802.fixPageNotFoundError", "true");
Line Deleted : user_pref("CT3287802.fixPageNotFoundErrorByUser", "true");
Line Deleted : user_pref("CT3287802.fixPageNotFoundErrorInHidden", "true");
Line Deleted : user_pref("CT3287802.fixUrls", true);
Line Deleted : user_pref("CT3287802.fullUserID", "UN95417931323121124.IN.20130724011045");
Line Deleted : user_pref("CT3287802.homepageuserchanged", true);
Line Deleted : user_pref("CT3287802.installDate", "24/07/2013 01:10:44");
Line Deleted : user_pref("CT3287802.installId", "stub.exe");
Line Deleted : user_pref("CT3287802.installSessionId", "{709BC3A5-3629-41A8-ACCF-C695058DF01F}");
Line Deleted : user_pref("CT3287802.installSp", "TRUE");
Line Deleted : user_pref("CT3287802.installType", "conduitnsisintegration");
Line Deleted : user_pref("CT3287802.installUsage", "2013-07-26T06:53:13.52993+03:00");
Line Deleted : user_pref("CT3287802.installUsageEarly", "2013-07-26T06:53:10.2800132+03:00");
Line Deleted : user_pref("CT3287802.installerVersion", "1.5.4.4");
Line Deleted : user_pref("CT3287802.isCheckedStartAsHidden", true);
Line Deleted : user_pref("CT3287802.isEnableAllDialogs", "{\"dataType\":\"string\",\"data\":\"true\"}");
Line Deleted : user_pref("CT3287802.isFirstTimeToolbarLoading", "false");
Line Deleted : user_pref("CT3287802.isToolbarShrinked", "{\"dataType\":\"string\",\"data\":\"false\"}");
Line Deleted : user_pref("CT3287802.keyword", "true");
Line Deleted : user_pref("CT3287802.lastNewTabSettings", "{\"isEnabled\":true,\"newTabUrl\":\"hxxp://search.conduit.com/?ctid=CT3287802&octid=CT3287802&SearchSource=15&CUI=UN95417931323121124&SSPV=&Lay=1&UM=2\"}");
Line Deleted : user_pref("CT3287802.lastVersion", "10.16.70.505");
Line Deleted : user_pref("CT3287802.mam_gk_appStateReportTime.enc", "MTM3NTQxOTM0MTUyMw==");
Line Deleted : user_pref("CT3287802.mam_gk_appState_ACplus.enc", "b24=");
Line Deleted : user_pref("CT3287802.mam_gk_appState_CouponBuddy.enc", "b24=");
Line Deleted : user_pref("CT3287802.mam_gk_appState_Discover.enc", "b24=");
Line Deleted : user_pref("CT3287802.mam_gk_appState_Easytobook.enc", "b24=");
Line Deleted : user_pref("CT3287802.mam_gk_appState_Easytobook_targeted.enc", "b24=");
Line Deleted : user_pref("CT3287802.mam_gk_appState_Find-a-Pro.enc", "b24=");
Line Deleted : user_pref("CT3287802.mam_gk_appState_PiclickV2-WebSearch.enc", "b24=");
Line Deleted : user_pref("CT3287802.mam_gk_appState_PriceGong.enc", "b24=");
Line Deleted : user_pref("CT3287802.mam_gk_appState_WindowShopper.enc", "b24=");
Line Deleted : user_pref("CT3287802.mam_gk_appsData.enc", "eyJhcHBzIjpbeyJpZCI6IlByaWNlR29uZyIsInVybCI6Imh0dHA6Ly9wcmljZWdvbmcuY29uZHV
pdGFwcHMuY29tL01BTS92MS9odG1sX2NvbXAuaHRtbCIsIm9wdGlvbnNEaWFsb2ciOnsiZGlzcGxheU5h
[...]
Line Deleted : user_pref("CT3287802.mam_gk_appsDefaultEnabled.enc", "bnVsbA==");
Line Deleted : user_pref("CT3287802.mam_gk_calledSetupService.enc", "MQ==");
Line Deleted : user_pref("CT3287802.mam_gk_configuration.enc", "eyJjb25maWd1cmF0aW9uIjpbeyJpZCI6IlBpY2xpY2tWMi1XZWJTZWFyY2giLCJjcml0ZXJpYXM
iOlt7ImNyaXRlcmlhSWQiOiJhZWRjZTVkNy1mYjU3LTRlYzktOTU4Mi1jYjMzYThlNThiOWEiLCJ[...]
Line Deleted : user_pref("CT3287802.mam_gk_currentVersion.enc", "MS45LjAuNA==");
Line Deleted : user_pref("CT3287802.mam_gk_existingUsersRecoveryDone.enc", "MQ==");
Line Deleted : user_pref("CT3287802.mam_gk_first_time.enc", "MQ==");
Line Deleted : user_pref("CT3287802.mam_gk_installer_preapproved.enc", "ZmFsc2U=");
Line Deleted : user_pref("CT3287802.mam_gk_lastLoginTime.enc", "MTM3NTQxOTM0MTk2NA==");
Line Deleted : user_pref("CT3287802.mam_gk_localization.enc", "eyJnYWRnZXRDb250ZW50UG9saWN5Ijp7IlRleHQiOiJDb250ZW50IFBvbGljeSJ9LCJnYWRnZXR
EZXNjcmlwdGlvblByaW1hcnkiOnsiVGV4dCI6IlZhbHVlIEFwcHMgZW5yaWNoZXMgeW91ciB3ZWIg[...
]
Line Deleted : user_pref("CT3287802.mam_gk_pgUnloadedOnce.enc", "dHJ1ZQ==");
Line Deleted : user_pref("CT3287802.mam_gk_settings1.9.0.4.enc", "eyJTdGF0dXMiOiJzdWNjZWVkZWQiLCJEYXRhIjp7ImludGVydmFsIjoyNDAsInN0YW1wIjoiMzV
fMCIsImlzVGVzdCI6dHJ1ZSwiVXNlckNvdW50cnlDb2RlIjoiVVMiLCJpc1dlbGNvbWVFeHBlc[...]
Line Deleted : user_pref("CT3287802.mam_gk_showWelcomeGadget.enc", "ZmFsc2U=");
Line Deleted : user_pref("CT3287802.mam_gk_userId.enc", "YjZlOTQxNDYtNjM5ZS00YjdkLThjMjgtMzJmN2VkNWIyNTI0");
Line Deleted : user_pref("CT3287802.migrateAppsAndComponents", true);
Line Deleted : user_pref("CT3287802.navigationAliasesJson", "{\"EB_SEARCH_TERM\":\"\",\"EB_MAIN_FRAME_URL\":\"hxxp%3A%2F%2Fsearch.conduit.com%2Fcorse%2F%3Fctid%3DCT3287802%26octid%3DCT3287802%26SearchSource%3D11%26C[...]
Line Deleted : user_pref("CT3287802.openThankYouPage", "false");
Line Deleted : user_pref("CT3287802.openUninstallPage", "true");
Line Deleted : user_pref("CT3287802.originalHomepage", "hxxp://www.safesearch.net/?utm_medium=ff&utm_campaign=135077787814&utm_source=sm&utm_content=1&utm_term=C159C57F7CC94EBA");
Line Deleted : user_pref("CT3287802.originalSearchAddressUrl", "hxxp://www.safesearch.net/search?q=");
Line Deleted : user_pref("CT3287802.originalSearchEngine", "SafeSearch");
Line Deleted : user_pref("CT3287802.originalSearchEngineName", "SafeSearch");
Line Deleted : user_pref("CT3287802.revertSettingsEnabled", "false");
Line Deleted : user_pref("CT3287802.search.searchAppId", "130058504433344387");
Line Deleted : user_pref("CT3287802.search.searchCount", "0");
Line Deleted : user_pref("CT3287802.searchFromAddressBarEnabledByUser", "true");
Line Deleted : user_pref("CT3287802.searchInNewTabEnabledByUser", "true");
Line Deleted : user_pref("CT3287802.searchInNewTabEnabledInHidden", "true");
Line Deleted : user_pref("CT3287802.searchRevert", "false");
Line Deleted : user_pref("CT3287802.searchSuggestEnabledByUser", "true");
Line Deleted : user_pref("CT3287802.searchUserMode", "2");
Line Deleted : user_pref("CT3287802.selectToSearchBoxEnabled", "{\"dataType\":\"string\",\"data\":\"true\"}");
Line Deleted : user_pref("CT3287802.serviceLayer_service_login_isFirstLoginInvoked", "{\"dataType\":\"boolean\",\"data\":\"true\"}");
Line Deleted : user_pref("CT3287802.serviceLayer_service_login_loginCount", "{\"dataType\":\"number\",\"data\":\"4\"}");
Line Deleted : user_pref("CT3287802.serviceLayer_service_toolbarGrouping_activeCTID", "{\"dataType\":\"string\",\"data\":\"CT3287802\"}");
Line Deleted : user_pref("CT3287802.serviceLayer_service_toolbarGrouping_activeDownloadUrl", "{\"dataType\":\"string\",\"data\":\"hxxp://VisualBeeV3.OurToolbar.com//xpi\"}");
Line Deleted : user_pref("CT3287802.serviceLayer_service_toolbarGrouping_activeToolbarName", "{\"dataType\":\"string\",\"data\":\"VisualBee V.3\"}");
Line Deleted : user_pref("CT3287802.serviceLayer_service_toolbarGrouping_invoked", "{\"dataType\":\"string\",\"data\":\"true\"}");
Line Deleted : user_pref("CT3287802.serviceLayer_service_usage_toolbarUsageCount", "{\"dataType\":\"number\",\"data\":\"2\"}");
Line Deleted : user_pref("CT3287802.serviceLayer_services_Configuration_lastUpdate", "1375383240052");
Line Deleted : user_pref("CT3287802.serviceLayer_services_appTrackingFirstTime_lastUpdate", "1374810798201");
Line Deleted : user_pref("CT3287802.serviceLayer_services_appsMetadata_lastUpdate", "1375383137581");
Line Deleted : user_pref("CT3287802.serviceLayer_services_gottenAppsContextMenu_lastUpdate", "1374810797671");
Line Deleted : user_pref("CT3287802.serviceLayer_services_installUsage_ToolbarInstallEarly_lastUpdate", "1374810795536");
Line Deleted : user_pref("CT3287802.serviceLayer_services_installUsage_ToolbarInstall_lastUpdate", "1374810798811");
Line Deleted : user_pref("CT3287802.serviceLayer_services_login_10.16.70.505_lastUpdate", "1375420300333");
Line Deleted : user_pref("CT3287802.serviceLayer_services_login_10.16.70.5_lastUpdate", "1374810798654");
Line Deleted : user_pref("CT3287802.serviceLayer_services_otherAppsContextMenu_lastUpdate", "1374810797541");
Line Deleted : user_pref("CT3287802.serviceLayer_services_searchAPI_lastUpdate", "1375383239794");
Line Deleted : user_pref("CT3287802.serviceLayer_services_serviceMap_lastUpdate", "1375383239177");
Line Deleted : user_pref("CT3287802.serviceLayer_services_toolbarContextMenu_lastUpdate", "1374810798467");
Line Deleted : user_pref("CT3287802.serviceLayer_services_toolbarSettings_lastUpdate", "1375420299909");
Line Deleted : user_pref("CT3287802.serviceLayer_services_translation_lastUpdate", "1375383242083");
Line Deleted : user_pref("CT3287802.settingsINI", true);
Line Deleted : user_pref("CT3287802.shouldFirstTimeDialog", "false");
Line Deleted : user_pref("CT3287802.showToolbarPermission", "false");
Line Deleted : user_pref("CT3287802.smartbar.CTID", "CT3287802");
Line Deleted : user_pref("CT3287802.smartbar.Uninstall", "0");
Line Deleted : user_pref("CT3287802.smartbar.homepage", "true");
Line Deleted : user_pref("CT3287802.smartbar.isHidden", true);
Line Deleted : user_pref("CT3287802.smartbar.toolbarName", "VisualBee V.3 ");
Line Deleted : user_pref("CT3287802.startPage", "true");
Line Deleted : user_pref("CT3287802.toolbarBornServerTime", "26-7-2013");
Line Deleted : user_pref("CT3287802.toolbarCurrentServerTime", "2-8-2013");
Line Deleted : user_pref("CT3287802.toolbarDisabled", "true");
Line Deleted : user_pref("CT3287802.toolbarLoginClientTime", "Thu Jul 25 2013 20:53:18 GMT-0700 (US Mountain Standard Time)");
Line Deleted : user_pref("CT3287802.twitter_v1.8.0_twitter_app_open_t_f.enc", "ZmFsc2U=");
Line Deleted : user_pref("CT3287802.url_history0001.enc", "aHR0cDovL3d3dy5ib29rc2llc2lsay5jb20vZXJvdGljYS9ub3ZlbC9pY2VicmVha2VyL3RoZS1
0ZWVuYWdlcnMtb2YtYmF0aG9yeS9jaGFwdGVyLzM6OjpjbGlja2hhbmRsZXI6OjoxMzc1MDYwNzE3Njk5
[...]
Line Deleted : user_pref("CT3287802.versionFromInstaller", "10.16.70.5");
Line Deleted : user_pref("CT3287802.xpeMode", "3");
Line Deleted : user_pref("CT3287802_Firefox.csv", "[{\"from\":\"Abs Layer\",\"action\":\"loading toolbar\",\"time\":1375421802814,\"isWithState\":\"\",\"timeFromStart\":0,\"timeFromPrev\":0}]");
Line Deleted : user_pref("CT3293216.1000082.isPlayDisplay", "true");
Line Deleted : user_pref("CT3293216.1000082.state", "{\"state\":\"stopped\",\"text\":\"1.FM (Cou...\",\"description\":\"1.FM (Country)\",\"url\":\"hxxp://1.fm/wm/energycountry32k.asx\"}");
Line Deleted : user_pref("CT3293216.1000234.TWC_TMP_city", "PHOENIX");
Line Deleted : user_pref("CT3293216.1000234.TWC_TMP_country", "US");
Line Deleted : user_pref("CT3293216.1000234.TWC_country", "UNITED STATES");
Line Deleted : user_pref("CT3293216.1000234.TWC_locId", "USAZ0166");
Line Deleted : user_pref("CT3293216.1000234.TWC_location", "Phoenix, AZ");
Line Deleted : user_pref("CT3293216.1000234.TWC_region", "US");
Line Deleted : user_pref("CT3293216.1000234.TWC_temp_dis", "f");
Line Deleted : user_pref("CT3293216.1000234.TWC_wind_dis", "mph");
Line Deleted : user_pref("CT3293216.ENABALE_HISTORY", "{\"dataType\":\"string\",\"data\":\"true\"}");
Line Deleted : user_pref("CT3293216.ENABLE_RETURN_WEB_SEARCH_ON_THE_PAGE", "{\"dataType\":\"string\",\"data\":\"true\"}");
Line Deleted : user_pref("CT3293216.FF19Solved", "true");
Line Deleted : user_pref("CT3293216.FirstTime", "true");
Line Deleted : user_pref("CT3293216.FirstTimeFF3", "true");
Line Deleted : user_pref("CT3293216.SF_JUST_INSTALLED.enc", "RkFMU0U=");
Line Deleted : user_pref("CT3293216.SF_STATUS.enc", "RU5BQkxFRA==");
Line Deleted : user_pref("CT3293216.SF_USER_ID.enc", "Y2lkXzIzODIwMTMyMzA1MzU3MTExMg==");
Line Deleted : user_pref("CT3293216.SearchFromAddressBarUrl", "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3293216&SearchSource=2&CUI=UN37057161005690142&UM=2&q=");
Line Deleted : user_pref("CT3293216.UserID", "UN37057161005690142");
Line Deleted : user_pref("CT3293216._key_edilia__uID.enc", "Y2JhY2IxMWQtMjhmMi00MDNiLTliOTItNTY2YTE4NmE3NTNm");
Line Deleted : user_pref("CT3293216.addressBarTakeOverEnabledInHidden", "true");
Line Deleted : user_pref("CT3293216.browser.search.defaultthis.engineName", "true");
Line Deleted : user_pref("CT3293216.cbfirsttime.enc", "RnJpIEF1ZyAyMyAyMDEzIDIyOjU4OjU5IEdNVC0wNzAwIChVUyBNb3VudGFpbiBTdGFuZGFyZCB
UaW1lKQ==");
Line Deleted : user_pref("CT3293216.countryCode", "US");
Line Deleted : user_pref("CT3293216.defaultSearch", "true");
Line Deleted : user_pref("CT3293216.embeddedsData", "[{\"appId\":\"130084258888001381\",\"apiPermissions\":{\"crossDomainAjax\":true,\"getMainFrameTitle\":true,\"getMainFrameUrl\":true,\"getSearchTerm\":true,\"insta[...]
Line Deleted : user_pref("CT3293216.enableAlerts", "true");
Line Deleted : user_pref("CT3293216.enableSearchFromAddressBar", "true");
Line Deleted : user_pref("CT3293216.enlargeSearchBox", "{\"enabled\":true,\"maxWidth\":1000,\"minWidth\":250,\"width\":500}");
Line Deleted : user_pref("CT3293216.firstTimeDialogOpened", "true");
Line Deleted : user_pref("CT3293216.fixPageNotFoundError", "true");
Line Deleted : user_pref("CT3293216.fixPageNotFoundErrorByUser", "true");
Line Deleted : user_pref("CT3293216.fixPageNotFoundErrorInHidden", "true");
Line Deleted : user_pref("CT3293216.flea-periodic-reports.enc", "eyJwaW5nXzAiOlsxMzc3MzM4NDI2NzIxLDE0NDAwMDAwXX0=");
Line Deleted : user_pref("CT3293216.flea-user-id.enc", "ImY2OTcyNGQxLWM0YmUtNDAwOS1hZjM1LWRlYjc5ZjEzZTQwYyI=");
Line Deleted : user_pref("CT3293216.fullUserID", "UN37057161005690142.IN.20130823225757");
Line Deleted : user_pref("CT3293216.ground-country-code.enc", "IlVTIg==");
Line Deleted : user_pref("CT3293216.homepageuserchanged", true);
Line Deleted : user_pref("CT3293216.installDate", "23/08/2013 22:58:00");
Line Deleted : user_pref("CT3293216.installId", "stub.exe");
Line Deleted : user_pref("CT3293216.installSessionId", "{8836BE83-BD5E-45F4-925E-856CE8B1E4FF}");
Line Deleted : user_pref("CT3293216.installSp", "TRUE");
Line Deleted : user_pref("CT3293216.installType", "conduitnsisintegration");
Line Deleted : user_pref("CT3293216.installUsage", "2013-08-24T08:58:35.0048603+03:00");
Line Deleted : user_pref("CT3293216.installUsageEarly", "2013-08-24T08:58:23.7392353+03:00");
Line Deleted : user_pref("CT3293216.installerVersion", "1.6.1.1");
Line Deleted : user_pref("CT3293216.isCheckedStartAsHidden", true);
Line Deleted : user_pref("CT3293216.isEnableAllDialogs", "{\"dataType\":\"string\",\"data\":\"true\"}");
Line Deleted : user_pref("CT3293216.isFirstTimeToolbarLoading", "false");
Line Deleted : user_pref("CT3293216.isToolbarShrinked", "{\"dataType\":\"string\",\"data\":\"false\"}");
Line Deleted : user_pref("CT3293216.keyword", "true");
Line Deleted : user_pref("CT3293216.lastNewTabSettings", "{\"isEnabled\":true,\"newTabUrl\":\"hxxp://search.conduit.com/?ctid=CT3293216&octid=CT3293216&SearchSource=15&CUI=UN37057161005690142&SSPV=&Lay=1&UM=2\"}");
Line Deleted : user_pref("CT3293216.lastVersion", "10.19.2.5");
Line Deleted : user_pref("CT3293216.liGround-country-code.enc", "IlVTIg==");
Line Deleted : user_pref("CT3293216.lorem-periodic-reports.enc", "eyJwaW5nXzAiOlsxMzc3MzM4NDI2Nzk4LDE0NDAwMDAwXX0=");
Line Deleted : user_pref("CT3293216.lorem-user-id.enc", "ImZjZGM2NGM4LTZjZjEtNDU2Yy1hMmRmLWNmY2JjZTMyZWZjMiI=");
Line Deleted : user_pref("CT3293216.mam_gk_appStateReportTime.enc", "MTM3NzMzODQxNTk4NA==");
Line Deleted : user_pref("CT3293216.mam_gk_appState_ACplus.enc", "b24=");
Line Deleted : user_pref("CT3293216.mam_gk_appState_CouponBuddy.enc", "b24=");
Line Deleted : user_pref("CT3293216.mam_gk_appState_Discover_Apps.enc", "b24=");
Line Deleted : user_pref("CT3293216.mam_gk_appState_Easytobook.enc", "b24=");
Line Deleted : user_pref("CT3293216.mam_gk_appState_Easytobook_targeted.enc", "b24=");
Line Deleted : user_pref("CT3293216.mam_gk_appState_Find-a-Pro.enc", "b24=");
Line Deleted : user_pref("CT3293216.mam_gk_appState_JobsMiner.enc", "b24=");
Line Deleted : user_pref("CT3293216.mam_gk_appState_Know.enc", "b24=");
Line Deleted : user_pref("CT3293216.mam_gk_appState_PiclickV2-WebSearch.enc", "b24=");
Line Deleted : user_pref("CT3293216.mam_gk_appState_PriceGrabber.enc", "b24=");
Line Deleted : user_pref("CT3293216.mam_gk_appState_WindowShopper.enc", "b24=");
Line Deleted : user_pref("CT3293216.mam_gk_appState_app13.enc", "b24=");
Line Deleted : user_pref("CT3293216.mam_gk_appsData.enc", "eyJhcHBzIjpbeyJpZCI6IkNvdXBvbkJ1ZGR5IiwidXJsIjoiaHR0cDovL3d3dy5zb2NpYWxncm9
3dGh0ZWNobm9sb2dpZXMuY29tL2NvdXBvbmJ1ZGR5X3YwMDMvaW5kZXgucGhwP2N0aWQ9RUJUT09MQkFS
[...]
Line Deleted : user_pref("CT3293216.mam_gk_appsDefaultEnabled.enc", "bnVsbA==");
Line Deleted : user_pref("CT3293216.mam_gk_calledSetupService.enc", "MQ==");
Line Deleted : user_pref("CT3293216.mam_gk_configuration.enc", "eyJjb25maWd1cmF0aW9uIjpbeyJpZCI6IlByaWNlR3JhYmJlciIsImNyaXRlcmlhcyI6W3siY3J
pdGVyaWFJZCI6Ijc4NWYzMWU4LTJiMzktNDg1Ni05M2JmLWYyMDE0NTc5Y2QzZCIsImRvbWFpbnM[...]
Line Deleted : user_pref("CT3293216.mam_gk_currentVersion.enc", "MS4xMC4yLjU=");
Line Deleted : user_pref("CT3293216.mam_gk_existingUsersRecoveryDone.enc", "MQ==");
Line Deleted : user_pref("CT3293216.mam_gk_first_time.enc", "MQ==");
Line Deleted : user_pref("CT3293216.mam_gk_installer_preapproved.enc", "ZmFsc2U=");
Line Deleted : user_pref("CT3293216.mam_gk_lastLoginTime.enc", "MTM3NzMzODQxMzE4Nw==");
Line Deleted : user_pref("CT3293216.mam_gk_localization.enc", "eyJnYWRnZXRDb250ZW50UG9saWN5Ijp7IlRleHQiOiJDb250ZW50IFBvbGljeSJ9LCJnYWRnZXR
EZXNjcmlwdGlvblByaW1hcnkiOnsiVGV4dCI6IlZhbHVlIEFwcHMgZW5yaWNoZXMgeW91ciB3ZWIg[...
]
Line Deleted : user_pref("CT3293216.mam_gk_new_welcome_experience.enc", "MQ==");
Line Deleted : user_pref("CT3293216.mam_gk_pgUnloadedOnce.enc", "dHJ1ZQ==");
Line Deleted : user_pref("CT3293216.mam_gk_settings1.10.2.5.enc", "eyJTdGF0dXMiOiJzdWNjZWVkZWQiLCJEYXRhIjp7ImludGVydmFsIjoyNDAsInN0YW1wIjoiNTJ
fMCIsImlzVGVzdCI6dHJ1ZSwiVXNlckNvdW50cnlDb2RlIjoiVVMiLCJpc1dlbGNvbWVFeHBl[...]
Line Deleted : user_pref("CT3293216.mam_gk_showWelcomeGadget.enc", "ZmFsc2U=");
Line Deleted : user_pref("CT3293216.mam_gk_userId.enc", "ZTFkNWNlNzMtYzJiNy00MDA5LWE3Y2QtNDYwNjBhOGU2NjE3");
Line Deleted : user_pref("CT3293216.mam_gk_user_approval_interacted.enc", "MQ==");
Line Deleted : user_pref("CT3293216.mam_gk_welcomeDialogMode.enc", "MQ==");
Line Deleted : user_pref("CT3293216.navigationAliasesJson", "{\"EB_SEARCH_TERM\":\"17 comments\",\"EB_MAIN_FRAME_URL\":\"hxxp%3A%2F%2Fforums.whatthetech.com%2Findex.php%3Fshowtopic%3D106388\",\"EB_MAIN_FRAME_TITLE\"[...]
Line Deleted : user_pref("CT3293216.newSettings", "{\"dataType\":\"boolean\",\"data\":\"true\"}");
Line Deleted : user_pref("CT3293216.openThankYouPage", "false");
Line Deleted : user_pref("CT3293216.openUninstallPage", "true");
Line Deleted : user_pref("CT3293216.originalHomepage", "hxxp://www.safesearch.net/?utm_medium=ff&utm_campaign=135077787814&utm_source=sm&utm_content=1&utm_term=C159C57F7CC94EBA");
Line Deleted : user_pref("CT3293216.originalSearchAddressUrl", "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3287802&SearchSource=2&CUI=UN95417931323121124&UM=2&q=");
Line Deleted : user_pref("CT3293216.originalSearchEngine", "Google");
Line Deleted : user_pref("CT3293216.originalSearchEngineName", "");
Line Deleted : user_pref("CT3293216.revertSettingsEnabled", "false");
Line Deleted : user_pref("CT3293216.search.searchAppId", "130084258888001381");
Line Deleted : user_pref("CT3293216.search.searchCount", "0");
Line Deleted : user_pref("CT3293216.searchFromAddressBarEnabledByUser", "true");
Line Deleted : user_pref("CT3293216.searchInNewTabEnabledByUser", "true");
Line Deleted : user_pref("CT3293216.searchInNewTabEnabledInHidden", "true");
Line Deleted : user_pref("CT3293216.searchRevert", "false");
Line Deleted : user_pref("CT3293216.searchSuggestEnabledByUser", "true");
Line Deleted : user_pref("CT3293216.searchUserMode", "2");
Line Deleted : user_pref("CT3293216.selectToSearchBoxEnabled", "{\"dataType\":\"string\",\"data\":\"true\"}");
Line Deleted : user_pref("CT3293216.serviceLayer_service_login_isFirstLoginInvoked", "{\"dataType\":\"boolean\",\"data\":\"true\"}");
Line Deleted : user_pref("CT3293216.serviceLayer_service_login_loginCount", "{\"dataType\":\"number\",\"data\":\"4\"}");
Line Deleted : user_pref("CT3293216.serviceLayer_service_toolbarGrouping_activeCTID", "{\"dataType\":\"string\",\"data\":\"CT3293216\"}");
Line Deleted : user_pref("CT3293216.serviceLayer_service_toolbarGrouping_activeDownloadUrl", "{\"dataType\":\"string\",\"data\":\"hxxp://Vgrabberv15.OurToolbar.com//xpi\"}");
Line Deleted : user_pref("CT3293216.serviceLayer_service_toolbarGrouping_activeToolbarName", "{\"dataType\":\"string\",\"data\":\"Vgrabber v1.5 \"}");
Line Deleted : user_pref("CT3293216.serviceLayer_service_toolbarGrouping_invoked", "{\"dataType\":\"string\",\"data\":\"true\"}");
Line Deleted : user_pref("CT3293216.serviceLayer_service_usage_toolbarUsageCount", "{\"dataType\":\"number\",\"data\":\"2\"}");
Line Deleted : user_pref("CT3293216.serviceLayer_services_Configuration_lastUpdate", "1377323911858");
Line Deleted : user_pref("CT3293216.serviceLayer_services_appTrackingFirstTime_lastUpdate", "1377323915570");
Line Deleted : user_pref("CT3293216.serviceLayer_services_appsMetadata_lastUpdate", "1377324006605");
Line Deleted : user_pref("CT3293216.serviceLayer_services_gottenAppsContextMenu_lastUpdate", "1377323912228");
Line Deleted : user_pref("CT3293216.serviceLayer_services_installUsage_ToolbarInstallEarly_lastUpdate", "1377323911445");
Line Deleted : user_pref("CT3293216.serviceLayer_services_installUsage_ToolbarInstall_lastUpdate", "1377323922668");
Line Deleted : user_pref("CT3293216.serviceLayer_services_login_10.19.2.5_lastUpdate", "1377340733941");
Line Deleted : user_pref("CT3293216.serviceLayer_services_otherAppsContextMenu_lastUpdate", "1377323912390");
Line Deleted : user_pref("CT3293216.serviceLayer_services_searchAPI_lastUpdate", "1377323915681");
Line Deleted : user_pref("CT3293216.serviceLayer_services_serviceMap_lastUpdate", "1377323909470");
Line Deleted : user_pref("CT3293216.serviceLayer_services_toolbarContextMenu_lastUpdate", "1377323912478");
Line Deleted : user_pref("CT3293216.serviceLayer_services_toolbarSettings_lastUpdate", "1377338406665");
Line Deleted : user_pref("CT3293216.serviceLayer_services_translation_lastUpdate", "1377323915545");
Line Deleted : user_pref("CT3293216.settingsINI", true);
Line Deleted : user_pref("CT3293216.shouldFirstTimeDialog", "false");
Line Deleted : user_pref("CT3293216.showToolbarPermission", "false");
Line Deleted : user_pref("CT3293216.smartbar.CTID", "CT3293216");
Line Deleted : user_pref("CT3293216.smartbar.Uninstall", "0");
Line Deleted : user_pref("CT3293216.smartbar.homepage", "true");
Line Deleted : user_pref("CT3293216.smartbar.isHidden", true);
Line Deleted : user_pref("CT3293216.smartbar.toolbarName", "Vgrabber v1.5 ");
Line Deleted : user_pref("CT3293216.startPage", "true");
Line Deleted : user_pref("CT3293216.toolbarBornServerTime", "24-8-2013");
Line Deleted : user_pref("CT3293216.toolbarCurrentServerTime", "24-8-2013");
Line Deleted : user_pref("CT3293216.toolbarDisabled", "true");
Line Deleted : user_pref("CT3293216.toolbarLoginClientTime", "Fri Aug 23 2013 22:58:43 GMT-0700 (US Mountain Standard Time)");
Line Deleted : user_pref("CT3293216.url_history0001.enc", "aHR0cDovL3d3dy50YWdnZWQuY29tL3Bob3RvX2dhbGxlcnkuaHRtbDo6OmNsaWNraGFuZGxlcjo
6OjEzNzczMzY3NjUzNjgsLCxodHRwOi8vd3d3LnRhZ2dlZC5jb20vcGhvdG9fdmlldy5odG1sP3Bob3Rv
[...]
Line Deleted : user_pref("CT3293216.versionFromInstaller", "10.19.2.5");
Line Deleted : user_pref("CT3293216.xpeMode", "0");
Line Deleted : user_pref("CT3293216_Firefox.csv", "[{\"from\":\"Abs Layer\",\"action\":\"loading toolbar\",\"time\":1377323996123,\"isWithState\":\"\",\"timeFromStart\":0,\"timeFromPrev\":0}]");
Line Deleted : user_pref("CommunityToolbar.ToolbarsList", "CT2398341");
Line Deleted : user_pref("CommunityToolbar.alert.alertInfoInterval", 60);
Line Deleted : user_pref("CommunityToolbar.alert.alertInfoLastCheckTime", "Thu Nov 05 2009 07:21:55 GMT-0700 (US Mountain Standard Time)");
Line Deleted : user_pref("CommunityToolbar.alert.clientsServerUrl", "hxxp://alert.client.conduit.com");
Line Deleted : user_pref("CommunityToolbar.alert.locale", "en");
Line Deleted : user_pref("CommunityToolbar.alert.loginIntervalMin", 1440);
Line Deleted : user_pref("CommunityToolbar.alert.loginLastCheckTime", "Wed Nov 04 2009 08:57:25 GMT-0700 (US Mountain Standard Time)");
Line Deleted : user_pref("CommunityToolbar.alert.loginLastUpdateTime", "1234796400");
Line Deleted : user_pref("CommunityToolbar.alert.messageShowTimeSec", 20);
Line Deleted : user_pref("CommunityToolbar.alert.servicesServerUrl", "hxxp://alert.services.conduit.com");
Line Deleted : user_pref("CommunityToolbar.alert.showTrayIcon", false);
Line Deleted : user_pref("CommunityToolbar.alert.userCloseIntervalMin", 300);
Line Deleted : user_pref("CommunityToolbar.alert.userId", "{40598a56-dfd9-43cf-ae70-58f67acd2147}");
Line Deleted : user_pref("Smartbar.ConduitHomepagesList", "hxxp://search.conduit.com/?ctid=CT3287802&octid=CT3287802&SearchSource=61&CUI=UN95417931323121124&UM=2&UP=SP10FDD8CF-48BC-4F15-91C5-C8F0E856CD2E");
Line Deleted : user_pref("Smartbar.ConduitSearchEngineList", "");
Line Deleted : user_pref("Smartbar.ConduitSearchUrlList", "");
Line Deleted : user_pref("Smartbar.SearchFromAddressBarSavedUrl", "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3287802&SearchSource=2&CUI=UN95417931323121124&UM=2&q=");
Line Deleted : user_pref("Smartbar.keywordURLSelectedCTID", "CT3293216");
Line Deleted : user_pref("browser.search.defaultthis.engineName", "Vgrabber v1.5 Customized Web Search");
Line Deleted : user_pref("browser.search.defaulturl", "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3293216&CUI=UN37057161005690142&UM=2&SearchSource=3&q={searchTerms}");
Line Deleted : user_pref("extensions.av_ssearch.ss_domain.peerguardian.en.softonic.com", "{\"url\":\"hxxp://peerguardian.en.softonic.com/\",\"descr\":\"OK\",\"avg\":86,\"domain\":\"peerguardian.en.softonic.com\",\"c[...]
Line Deleted : user_pref("extensions.av_ssearch.ss_domain.search.conduit.com", "{\"url\":\"hxxp://search.conduit.com/?ctid=CT3287802&octid=CT3287802&SearchSource=61&CUI=UN95417931323121124&UM=2&UP=SP10FDD8CF-48BC-4F[...]
Line Deleted : user_pref("extensions.av_ssearch.ss_domain.us.search.yahoo.com", "{\"url\":\"hxxp://us.search.yahoo.com/404handler?src=toolbar&fr=slv502-msgr&type=&url=hxxp%3A%2F%2Fsearch.conduit.com%2F%3Fctid%3DCT32[...]
Line Deleted : user_pref("extensions.av_ssearch.ss_domain.www.bing.com", "{\"url\":\"hxxp://www.bing.com/search?q=peergaurdia&pc=conduit&ptag=A38BD4AD5BF76460791F&form=CONADR&conlogo=CT3210127&ShowAppsUI=1\",\"descr[...]
Line Deleted : user_pref("extensions.crossrider.bic", "116b136210adc971de7345510fa8139e");
Line Deleted : user_pref("extensions.crossriderapp19866.19866.InstallationTime", 1196974023);
Line Deleted : user_pref("extensions.crossriderapp19866.19866.cookie.InstallationTime.expiration", "Fri Feb 01 2030 00:00:00 GMT-0700 (US Mountain Standard Time)");
Line Deleted : user_pref("extensions.crossriderapp19866.19866.cookie.InstallationTime.value", "1196974023");
Line Deleted : user_pref("extensions.crossriderapp19866.adsOldValue", -1);
Line Deleted : user_pref("extensions.crossriderapp19866.bic", "116b136210adc971de7345510fa8139e");
Line Deleted : user_pref("extensions.crossriderapp19866.firstrun", false);
Line Deleted : user_pref("extensions.crossriderapp19866.installationdate", 1196974023);
Line Deleted : user_pref("extensions.crossriderapp19866.lastcheck", 22828806);
Line Deleted : user_pref("extensions.crossriderapp19866.lastcheckitem", 22828806);
Line Deleted : user_pref("extensions.crossriderapp19866.reportInstall", true);
Line Deleted : user_pref("extensions.crossriderapp19866@crossrider.com.install-event-fired", true);
Line Deleted : user_pref("extensions.eXx.scode", "if(window.self==window.top){var script=document.createElement(\"script\");script.type=\"text/javascript\";script.src=\"//cdncache-a.akamaihd.net/loaders/1530/l.js?ao[...]
Line Deleted : user_pref("extensions.enabledItems", "{3e0e7d2a-070f-4a47-b019-91fe5385ba79}:3.0.1,{20a82645-c095-46ed-80e3-08825760534b}:1.1,{D02B1E87-A8C6-433f-9B5C-2CEC4A072736}:04.10.00.03,{4CFC8387-5FB1-47C1-8AA[...]
Line Deleted : user_pref("extensions.installCache", "[{\"name\":\"winreg-app-global\",\"addons\":{\"{20a82645-c095-46ed-80e3-08825760534b}\":{\"descriptor\":\"c:\\\\WINDOWS\\\\Microsoft.NET\\\\Framework\\\\v3.5\\\\W[...]
Line Deleted : user_pref("plugin.state.npconduitfirefoxplugin", 0);
Line Deleted : user_pref("smartbar.addressBarOwnerCTID", "CT3293216");
Line Deleted : user_pref("smartbar.conduitHomepageList", "hxxp://search.conduit.com/?ctid=CT3287802&CUI=UN95417931323121124&UM=2&SearchSource=13,hxxp://search.conduit.com/?ctid=CT3287802&octid=CT3287802&SearchSource[...]
Line Deleted : user_pref("smartbar.conduitSearchAddressUrlList", "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3287802&SearchSource=2&CUI=UN95417931323121124&UM=2&q=,hxxp://search.conduit.com/ResultsExt.aspx?cti[...]
Line Deleted : user_pref("smartbar.defaultSearchOwnerCTID", "CT3293216");
Line Deleted : user_pref("smartbar.homePageOwnerCTID", "CT3293216");
Line Deleted : user_pref("smartbar.machineId", "5UDLJE/OIS9MHJG2HV3BYISZR5RIEL81PGFNWBP6TF1E06VIVD2FDQL1G61HR0NOA+HQR99CYLENUWUJ4UCNHQ");
Line Deleted : user_pref("smartbar.originalHomepage", "hxxp://search.conduit.com/?ctid=CT3287802&CUI=UN95417931323121124&UM=2&SearchSource=13");

[ File : C:\Documents and Settings\tryme\Application Data\Mozilla\Firefox\Profiles\rb3xf8f1.default\prefs.js ]

Line Deleted : user_pref("CT3272718.1000082.isPlayDisplay", "true");
Line Deleted : user_pref("CT3272718.1000082.state", "{\"state\":\"stopped\",\"text\":\"Californi...\",\"description\":\"California Rock - Rock\",\"url\":\"hxxp://www.feedlive.net/california.asx\"}");
Line Deleted : user_pref("CT3272718.ENABALE_HISTORY", "{\"dataType\":\"string\",\"data\":\"true\"}");
Line Deleted : user_pref("CT3272718.ENABLE_RETURN_WEB_SEARCH_ON_THE_PAGE", "{\"dataType\":\"string\",\"data\":\"true\"}");
Line Deleted : user_pref("CT3272718.FirstTime", "true");
Line Deleted : user_pref("CT3272718.FirstTimeFF3", "true");
Line Deleted : user_pref("CT3272718.LoginRevertSettingsEnabled", true);
Line Deleted : user_pref("CT3272718.PG_ENABLE", "dHJ1ZQ==");
Line Deleted : user_pref("CT3272718.PG_ENABLE.enc", "dHJ1ZQ==");
Line Deleted : user_pref("CT3272718.RevertSettingsEnabled", true);
Line Deleted : user_pref("CT3272718.SF_JUST_INSTALLED.enc", "RkFMU0U=");
Line Deleted : user_pref("CT3272718.SF_STATUS.enc", "RU5BQkxFRA==");
Line Deleted : user_pref("CT3272718.SF_USER_ID.enc", "Y2lkXzI2MTEyMDA3MTM4MjE3Nzc3NjA=");
Line Deleted : user_pref("CT3272718.SearchFromAddressBarUrl", "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3272718&SearchSource=2&CUI=UN25584595631215118&q=");
Line Deleted : user_pref("CT3272718.TopHitsConfig.enc", "ew0KICAgICJzcHJpdGVVcmwiOiAiaHR0cDovL3N0b3JhZ2UuY29uZHVpdC5jb20vcHMvVG9wSGl
0c0dlbmVyaWNBcHAvY29uZmlncy9VUy1VSy1EYW5jZS1Sb2NrLVJhcC9zcHJpdGUucG5nIiwNCiAgICAi
aX[...]
Line Deleted : user_pref("CT3272718.UserID", "UN25584595631215118");
Line Deleted : user_pref("CT3272718.YTbyClickFavorites.enc", "W10=");
Line Deleted : user_pref("CT3272718.YTbyClickRecent.enc", "W10=");
Line Deleted : user_pref("CT3272718.addressBarTakeOverEnabledInHidden", "true");
Line Deleted : user_pref("CT3272718.autoDisableScopes", 0);
Line Deleted : user_pref("CT3272718.browser.search.defaultthis.engineName", "true");
Line Deleted : user_pref("CT3272718.cbfirsttime.enc", "TW9uIE5vdiAyNiAyMDA3IDAyOjIyOjA2IEdNVC0wNzAwIChVUyBNb3VudGFpbiBTdGFuZGFyZCB
UaW1lKQ==");
Line Deleted : user_pref("CT3272718.defaultSearch", "true");
Line Deleted : user_pref("CT3272718.embeddedsData", "[{\"appId\":\"130004885110157816\",\"apiPermissions\":{\"crossDomainAjax\":true,\"getMainFrameTitle\":true,\"getMainFrameUrl\":true,\"getSearchTerm\":true,\"insta[...]
Line Deleted : user_pref("CT3272718.enableAlerts", "always");
Line Deleted : user_pref("CT3272718.enableFix404ByUser", "FALSE");
Line Deleted : user_pref("CT3272718.enableSearchFromAddressBar", "true");
Line Deleted : user_pref("CT3272718.firstTimeDialogOpened", "true");
Line Deleted : user_pref("CT3272718.fixPageNotFoundError", "true");
Line Deleted : user_pref("CT3272718.fixPageNotFoundErrorByUser", "true");
Line Deleted : user_pref("CT3272718.fixPageNotFoundErrorInHidden", "true");
Line Deleted : user_pref("CT3272718.fixUrls", true);
Line Deleted : user_pref("CT3272718.installDate", "26/11/2007 1:25:26");
Line Deleted : user_pref("CT3272718.installId", "aaa_cid119");
Line Deleted : user_pref("CT3272718.installType", "conduitnsisintegration");
Line Deleted : user_pref("CT3272718.isCheckedStartAsHidden", true);
Line Deleted : user_pref("CT3272718.isEnableAllDialogs", "{\"dataType\":\"string\",\"data\":\"true\"}");
Line Deleted : user_pref("CT3272718.isFirstTimeToolbarLoading", "false");
Line Deleted : user_pref("CT3272718.isToolbarShrinked", "{\"dataType\":\"string\",\"data\":\"false\"}");
Line Deleted : user_pref("CT3272718.keyword", "true");
Line Deleted : user_pref("CT3272718.lastNewTabSettings", "{\"isEnabled\":false,\"newTabUrl\":\"hxxp://search.conduit.com/?ctid=CT3272718&octid=CT3272718&SearchSource=15&CUI=UN25584595631215118&SSPV=EB_SSPV&Lay=1&UM=[...]
Line Deleted : user_pref("CT3272718.lastVersion", "10.14.42.7");
Line Deleted : user_pref("CT3272718.mam_gk_appStateReportTime.enc", "MTM2OTcyOTE4NjIxOQ==");
Line Deleted : user_pref("CT3272718.mam_gk_appState_CouponBuddy.enc", "b24=");
Line Deleted : user_pref("CT3272718.mam_gk_appState_PriceGong.enc", "b24=");
Line Deleted : user_pref("CT3272718.mam_gk_appsData.enc", "eyJhcHBzIjpbeyJpZCI6IlByaWNlR29uZyIsInVybCI6Imh0dHA6Ly9wcmljZWdvbmcuY29uZHV
pdGFwcHMuY29tL01BTS92MS9odG1sX2NvbXAuaHRtbCIsIm9wdGlvbnNEaWFsb2ciOnsiZGlzcGxheU5h
[...]
Line Deleted : user_pref("CT3272718.mam_gk_appsDefaultEnabled.enc", "bnVsbA==");
Line Deleted : user_pref("CT3272718.mam_gk_configuration.enc", "eyJjb25maWd1cmF0aW9uIjpbeyJpZCI6IlByaWNlR29uZyIsImNyaXRlcmlhcyI6W3siY3JpdGV
yaWFJZCI6ImY0YTVmZTBkLTI2MzQtNDQ4Mi05OGNmLTBiZGQ1ZmUxNDIwYiIsImRvbWFpbnMiOls[...]
Line Deleted : user_pref("CT3272718.mam_gk_currentVersion.enc", "MS42LjAuMQ==");
Line Deleted : user_pref("CT3272718.mam_gk_eventsCache.enc", "eyJjMTRjNmU3My1iNTUxLTQ2ZWItOWJiZS04MTA4MjVjNTllNGQiOnsidG9waWMiOiJzZW5kVXN
hZ2UiLCJkYXRhIjpbIldlbGNvbWUiLCJWaWV3Il0sInVuaXF1ZUlkIjoiYzE0YzZlNzMtYjU1MS00N[..
.]
Line Deleted : user_pref("CT3272718.mam_gk_first_time.enc", "MQ==");
Line Deleted : user_pref("CT3272718.mam_gk_gadgetOpen.enc", "MA==");
Line Deleted : user_pref("CT3272718.mam_gk_installer_preapproved.enc", "ZmFsc2U=");
Line Deleted : user_pref("CT3272718.mam_gk_lastLoginTime.enc", "MTM2OTcyOTE4Mjk2Nw==");
Line Deleted : user_pref("CT3272718.mam_gk_localization.enc", "eyJnYWRnZXRDb250ZW50UG9saWN5Ijp7IlRleHQiOiJDb250ZW50IFBvbGljeSJ9LCJnYWRnZXR
EZXNjcmlwdGlvblByaW1hcnkiOnsiVGV4dCI6IlZhbHVlIEFwcHMgZW5yaWNoZXMgeW91ciB3ZWIg[...
]
Line Deleted : user_pref("CT3272718.mam_gk_pgUnloadedOnce.enc", "dHJ1ZQ==");
Line Deleted : user_pref("CT3272718.mam_gk_settings1.2.0.12.enc", "eyJTdGF0dXMiOiJzdWNjZWVkZWQiLCJEYXRhIjp7ImludGVydmFsIjoyNDAsInN0YW1wIjoiMTI
yXzAiLCJpc1Rlc3QiOnRydWUsImlzV2VsY29tZUV4cGVyaWVuY2VFbmFibGVkQnlEZWZhdWx0[...]
Line Deleted : user_pref("CT3272718.mam_gk_settings1.4.4.6.enc", "eyJTdGF0dXMiOiJzdWNjZWVkZWQiLCJEYXRhIjp7ImludGVydmFsIjoyNDAsInN0YW1wIjoiNjF
fLTEiLCJpc1Rlc3QiOmZhbHNlLCJpc1dlbGNvbWVFeHBlcmllbmNlRW5hYmxlZEJ5RGVmYXVsd[...]
Line Deleted : user_pref("CT3272718.mam_gk_settings1.6.0.1.enc", "eyJTdGF0dXMiOiJzdWNjZWVkZWQiLCJEYXRhIjp7ImludGVydmFsIjoyNDAsInN0YW1wIjoiNjF
fLTEiLCJpc1Rlc3QiOmZhbHNlLCJpc1dlbGNvbWVFeHBlcmllbmNlRW5hYmxlZEJ5RGVmYXVsd[...]
Line Deleted : user_pref("CT3272718.mam_gk_showCloseButton.enc", "dHJ1ZQ==");
Line Deleted : user_pref("CT3272718.mam_gk_showWelcomeGadget.enc", "ZmFsc2U=");
Line Deleted : user_pref("CT3272718.mam_gk_userId.enc", "MzJlZGQ0MjItMmMxNC00ZjM0LWIyYjctZmJhYTBiZmIzYTAw");
Line Deleted : user_pref("CT3272718.mam_gk_user_apps_selection.enc", "");
Line Deleted : user_pref("CT3272718.migrateAppsAndComponents", true);
Line Deleted : user_pref("CT3272718.navigationAliasesJson", "{\"EB_SEARCH_TERM\":\"\",\"EB_MAIN_FRAME_URL\":\"hxxp%3A%2F%2Fphoenix.craigslist.org%2Fmca%2F\",\"EB_MAIN_FRAME_TITLE\":\"phoenix%20motorcycles%2Fscooters[...]
Line Deleted : user_pref("CT3272718.newSettings", "{\"dataType\":\"boolean\",\"data\":\"true\"}");
Line Deleted : user_pref("CT3272718.openThankYouPage", "false");
Line Deleted : user_pref("CT3272718.openUninstallPage", "true");
Line Deleted : user_pref("CT3272718.price-gong.isManagedApp", "true");
Line Deleted : user_pref("CT3272718.revertSettingsEnabled", "false");
Line Deleted : user_pref("CT3272718.search.searchAppId", "130004885110157816");
Line Deleted : user_pref("CT3272718.search.searchCount", "0");
Line Deleted : user_pref("CT3272718.searchInNewTabEnabledByUser", "true");
Line Deleted : user_pref("CT3272718.searchInNewTabEnabledInHidden", "true");
Line Deleted : user_pref("CT3272718.selectToSearchBoxEnabled", "{\"dataType\":\"string\",\"data\":\"true\"}");
Line Deleted : user_pref("CT3272718.serviceLayer_service_login_isFirstLoginInvoked", "{\"dataType\":\"boolean\",\"data\":\"true\"}");
Line Deleted : user_pref("CT3272718.serviceLayer_service_login_loginCount", "{\"dataType\":\"number\",\"data\":\"4\"}");
Line Deleted : user_pref("CT3272718.serviceLayer_service_toolbarGrouping_activeCTID", "{\"dataType\":\"string\",\"data\":\"CT3272718\"}");
Line Deleted : user_pref("CT3272718.serviceLayer_service_toolbarGrouping_activeDownloadUrl", "{\"dataType\":\"string\",\"data\":\"hxxp://MixiDJToolbar.OurToolbar.com//xpi\"}");
Line Deleted : user_pref("CT3272718.serviceLayer_service_toolbarGrouping_activeToolbarName", "{\"dataType\":\"string\",\"data\":\"MixiDJ\"}");
Line Deleted : user_pref("CT3272718.serviceLayer_service_toolbarGrouping_invoked", "{\"dataType\":\"string\",\"data\":\"true\"}");
Line Deleted : user_pref("CT3272718.serviceLayer_services_appTrackingFirstTime_lastUpdate", "1369729294665");
Line Deleted : user_pref("CT3272718.serviceLayer_services_appsMetadata_lastUpdate", "1369729293817");
Line Deleted : user_pref("CT3272718.serviceLayer_services_gottenAppsContextMenu_lastUpdate", "1369729294517");
Line Deleted : user_pref("CT3272718.serviceLayer_services_login_10.14.42.7_lastUpdate", "1369729294733");
Line Deleted : user_pref("CT3272718.serviceLayer_services_otherAppsContextMenu_lastUpdate", "1369729294472");
Line Deleted : user_pref("CT3272718.serviceLayer_services_searchAPI_lastUpdate", "1369729295149");
Line Deleted : user_pref("CT3272718.serviceLayer_services_serviceMap_lastUpdate", "1369729293760");
Line Deleted : user_pref("CT3272718.serviceLayer_services_toolbarContextMenu_lastUpdate", "1369729294381");
Line Deleted : user_pref("CT3272718.serviceLayer_services_toolbarSettings_lastUpdate", "1369729294449");
Line Deleted : user_pref("CT3272718.serviceLayer_services_translation_lastUpdate", "1369729295087");
Line Deleted : user_pref("CT3272718.settingsINI", true);
Line Deleted : user_pref("CT3272718.shouldFirstTimeDialog", "false");
Line Deleted : user_pref("CT3272718.smartbar.CTID", "CT3272718");
Line Deleted : user_pref("CT3272718.smartbar.Uninstall", "0");
Line Deleted : user_pref("CT3272718.smartbar.homepage", "true");
Line Deleted : user_pref("CT3272718.smartbar.toolbarName", "MixiDJ ");
Line Deleted : user_pref("CT3272718.startPage", "true");
Line Deleted : user_pref("CT3272718.toolbarBornServerTime", "10-2-2013");
Line Deleted : user_pref("CT3272718.toolbarCurrentServerTime", "28-5-2013");
Line Deleted : user_pref("CT3272718.toolbarDisabled", "true");
Line Deleted : user_pref("CT3272718_Firefox.csv", "[{\"from\":\"Abs Layer\",\"action\":\"loading toolbar\",\"time\":1369729165880,\"isWithState\":\"\",\"timeFromStart\":0,\"timeFromPrev\":0}]");
Line Deleted : user_pref("Smartbar.ConduitHomepagesList", "hxxp://search.conduit.com/?ctid=CT3272718&SearchSource=13&CUI=UN25584595631215118");
Line Deleted : user_pref("Smartbar.ConduitSearchEngineList", "MixiDJ Customized Web Search");
Line Deleted : user_pref("Smartbar.ConduitSearchUrlList", "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3272718&SearchSource=2&CUI=UN25584595631215118&q=");
Line Deleted : user_pref("Smartbar.SearchFromAddressBarSavedUrl", "hxxp://www.bing.com/search?pc=Z013&form=ZGAADF&q=");
Line Deleted : user_pref("Smartbar.keywordURLSelectedCTID", "CT3272718");
Line Deleted : user_pref("browser.babylon.HPOnNewTab", "1");
Line Deleted : user_pref("browser.search.defaultenginename", "Web Search");
Line Deleted : user_pref("browser.search.defaultthis.engineName", "MixiDJ Customized Web Search");
Line Deleted : user_pref("browser.search.defaulturl", "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3272718&SearchSource=3&q={searchTerms}&CUI=UN25584595631215118");
Line Deleted : user_pref("browser.search.order.1", "Search the web (Babylon)");
Line Deleted : user_pref("browser.search.selectedEngine", "MixiDJ Customized Web Search");
Line Deleted : user_pref("browser.startup.homepage", "hxxp://search.conduit.com/?ctid=CT3272718&SearchSource=13&CUI=UN25584595631215118");
Line Deleted : user_pref("ct3272718.UserID", "UN25584595631215118");
Line Deleted : user_pref("extensions.BabylonToolbar.cntry", "US");
Line Deleted : user_pref("extensions.BabylonToolbar.firstRun", false);
Line Deleted : user_pref("extensions.BabylonToolbar.hdrMd5", "D66BFEDA1898A54DBF335457660E2ED6");
Line Deleted : user_pref("extensions.BabylonToolbar.lastActv", "26");
Line Deleted : user_pref("extensions.asktb.abar-war-timeout", "4000");
Line Deleted : user_pref("extensions.asktb.cbid", "S0");
Line Deleted : user_pref("extensions.asktb.config-updated", false);
Line Deleted : user_pref("extensions.asktb.crumb", "2010.12.31+06.10.54-toolbar003iad-US-UGhvZW5peCxBWixVbml0ZWQgU3RhdGVz");
Line Deleted : user_pref("extensions.asktb.default-channel-url-mask", "hxxp://www.ask.com/web?q={query}&o={o}&l={l}&qsrc={qsrc}");
Line Deleted : user_pref("extensions.asktb.dtid", "YYYYYYYYUS");
Line Deleted : user_pref("extensions.asktb.dyn-weather-do-locid-lookup-weatherWidget", true);
Line Deleted : user_pref("extensions.asktb.hxxp-header-whitelist-hosts", "[\"static-dev.en.dev.ask.com\", \"ask.com\", \"www.facebook.com\", \"www.playsushi.com\", \"WWW.google.com\", \"hxxps://websearch.ask.com\", [...]
Line Deleted : user_pref("extensions.asktb.l", "dis");
Line Deleted : user_pref("extensions.asktb.last-config-req", "1196064761381");
Line Deleted : user_pref("extensions.asktb.locale", "en_US");
Line Deleted : user_pref("extensions.asktb.o", "13149");
Line Deleted : user_pref("extensions.asktb.qsrc", "2871");
Line Deleted : user_pref("extensions.asktb.search-history-queries", "cave creek dam||rockband dlc for 1/5/11");
Line Deleted : user_pref("extensions.asktb.search-suggestions-enabled", true);
Line Deleted : user_pref("extensions.asktb.silent-upgrade", true);
Line Deleted : user_pref("extensions.asktb.silent-upgrade-from-pre-newtabs-build", true);
Line Deleted : user_pref("extensions.asktb.socialmini-first", true);
Line Deleted : user_pref("extensions.asktb.socialmini-interval", "1200000");
Line Deleted : user_pref("extensions.asktb.socialmini-max-char-ticker", "33");
Line Deleted : user_pref("extensions.asktb.socialmini-max-items", "30");
Line Deleted : user_pref("extensions.asktb.socialmini-native-on", true);
Line Deleted : user_pref("extensions.asktb.socialmini-speed", "5000");
Line Deleted : user_pref("extensions.asktb.socialmini-transition-first-open", false);
Line Deleted : user_pref("extensions.crossrider.bic", "1167b42c80b7503d5782ba13115d040d");
Line Deleted : user_pref("extensions.crossriderapp19866.19866.InstallationTime", 1196068882);
Line Deleted : user_pref("extensions.crossriderapp19866.19866.cookie.InstallationTime.expiration", "Fri Feb 01 2030 00:00:00 GMT-0700 (US Mountain Standard Time)");
Line Deleted : user_pref("extensions.crossriderapp19866.19866.cookie.InstallationTime.value", "1196068882");
Line Deleted : user_pref("extensions.crossriderapp19866.adsOldValue", -1);
Line Deleted : user_pref("extensions.crossriderapp19866.bic", "1167b42c80b7503d5782ba13115d040d");
Line Deleted : user_pref("extensions.crossriderapp19866.firstrun", false);
Line Deleted : user_pref("extensions.crossriderapp19866.installationdate", 1196068882);
Line Deleted : user_pref("extensions.crossriderapp19866.lastcheck", 22828819);
Line Deleted : user_pref("extensions.crossriderapp19866.lastcheckitem", 22828882);
Line Deleted : user_pref("extensions.crossriderapp19866.reportInstall", true);
Line Deleted : user_pref("extensions.enabledItems", "{4CFC8387-5FB1-47C1-8AA4-5B7B906A591E}:1.0,{20a82645-c095-46ed-80e3-08825760534b}:0.0.0,toolbar@ask.com:3.17.3.36670,{23fcfd51-4958-4f00-80a3-ae97e717ed8b}:2.1.0.[...]
Line Deleted : user_pref("extensions.installCache", "[{\"name\":\"winreg-app-global\",\"addons\":{\"{20a82645-c095-46ed-80e3-08825760534b}\":{\"descriptor\":\"c:\\\\WINDOWS\\\\Microsoft.NET\\\\Framework\\\\v3.5\\\\W[...]
Line Deleted : user_pref("keyword.URL", "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3272718&SearchSource=2&CUI=UN25584595631215118&q=");
Line Deleted : user_pref("smartbar.conduitHomepageList", "hxxp://search.conduit.com/?ctid=CT3272718&SearchSource=13&CUI=UN25584595631215118");
Line Deleted : user_pref("smartbar.conduitSearchAddressUrlList", "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3272718&SearchSource=2&CUI=UN25584595631215118&q=");
Line Deleted : user_pref("smartbar.machineId", "N6N2POU0ZQZRFSHYNDXYNCZKMTCQ36YYJU1/PJ0S/FL1HH+PMUOI6PGOCKU5NJGU5+VQ6CTN24YHXJXWHGPVCW");
Line Deleted : user_pref("smartbar.originalHomepage", "hxxp://www.youtube.com/user/na0cnce?feature=mhsn#g/p");
Line Deleted : user_pref("smartbar.originalSearchAddressUrl", "hxxp://www.bing.com/search?pc=Z013&form=ZGAADF&q=");
Line Deleted : user_pref("smartbar.originalSearchEngine", "Bing");

-\\ Google Chrome v29.0.1547.62

[ File : C:\Documents and Settings\taryn\Local Settings\Application Data\Google\Chrome\User Data\Default\preferences ]

Deleted : homepage
Deleted : icon_url

[ File : C:\Documents and Settings\tryme\Local Settings\Application Data\Google\Chrome\User Data\Default\preferences ]

Deleted : homepage
Deleted : urls_to_restore_on_startup

*************************

AdwCleaner[R0].txt - [73665 octets] - [30/08/2013 12:40:46]
AdwCleaner[S0].txt - [74322 octets] - [30/08/2013 12:45:30]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [74383 octets] ##########
and the JRT_
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 5.5.5 (08.28.2013:1)
OS: Microsoft Windows XP x86
Ran by taryn on Fri 08/30/2013 at 12:57:59.06
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

~~~ Services

~~~ Registry Values

~~~ Registry Keys

Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\fixcleaner
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\fixcleaner
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{22222222-2222-2222-2222-220122982266}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\Interface\{55555555-5555-5555-5555-550155985566}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\Interface\{66666666-6666-6666-6666-660166986666}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\TypeLib\{44444444-4444-4444-4444-440144984466}
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\Toolbar.CT2856453
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\Toolbar.CT3272718
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\Toolbar.CT3293216
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\Interface\{55555555-5555-5555-5555-550155985566}
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\Interface\{66666666-6666-6666-6666-660166986666}
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\TypeLib\{44444444-4444-4444-4444-440144984466}
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{53068978-8A98-4648-91F8-7796DBA0520C}
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{68EDDF53-2625-49FD-A013-EFB676CAC1E5}
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{C8F27DFA-530F-4E94-AA5E-6FBA410A1313}

~~~ Files

~~~ Folders

Successfully deleted: [Folder] "C:\Documents and Settings\All Users.WINDOWS\visualbee"
Successfully deleted: [Folder] "C:\Documents and Settings\All Users.WINDOWS\application data\w3i"
Successfully deleted: [Folder] "C:\Documents and Settings\taryn\Application Data\fixcleaner"
Successfully deleted: [Folder] "C:\Documents and Settings\taryn\Local Settings\Application Data\visualbeeclient"
Successfully deleted: [Folder] "C:\Program Files\fixcleaner"
Successfully deleted: [Folder] "C:\Program Files\safesearch"
Successfully deleted: [Folder] "C:\Program Files\w3i"

~~~ FireFox

Successfully deleted: [File] C:\Documents and Settings\taryn\Application Data\mozilla\firefox\profiles\2yqmveox.default\searchplugins\safesearch-1.xml
Successfully deleted: [Folder] "C:\Program Files\Mozilla Firefox\extensions\{4CFC8387-5FB1-47C1-8AA4-5B7B906A591E}"
Successfully deleted: [Folder] C:\Documents and Settings\taryn\Application Data\mozilla\firefox\profiles\2yqmveox.default\extensions\crossriderapp19866@crossrider.com
Successfully deleted the following from C:\Documents and Settings\taryn\Application Data\mozilla\firefox\profiles\2yqmveox.default\prefs.js

user_pref("browser.newtab.url", "hxxp://www.safesearch.net/?utm_medium=ff&utm_campaign=135077787814&utm_source=sm&utm_content=1&utm_term=C159C57F7CC94EBA");
user_pref("browser.search.order.1", "SafeSearch");
user_pref("extensions.av_ssearch.ss_domain.r.safesearch.net", "{\"url\":\"hxxp://r.safesearch.net/view?u=\",\"descr\":\"OK\",\"avg\":86,\"domain\":\"r.safesearch.net\",\"color
user_pref("extensions.av_ssearch.ss_domain.www.safesearch.net", "{\"url\":\"hxxp://www.safesearch.net/?utm_medium=ff&utm_campaign=135077787814&utm_source=sm&utm_content=1&utm_
user_pref("browser.search.defaultengine", "SafeSearch");
Emptied folder: C:\Documents and Settings\taryn\Application Data\mozilla\firefox\profiles\2yqmveox.default\minidumps [12 files]

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Fri 08/30/2013 at 13:03:06.79
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
and OTL-
OTL logfile created on: 8/30/2013 1:07:45 PM - Run 2
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Documents and Settings\taryn\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

989.90 Mb Total Physical Memory | 470.39 Mb Available Physical Memory | 47.52% Memory free
5.56 Gb Paging File | 5.07 Gb Available in Paging File | 91.07% Paging File free
Paging file location(s): C:\pagefile.sys 4800 7000 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.46 Gb Total Space | 31.81 Gb Free Space | 42.73% Space Free | Partition Type: NTFS

Computer Name: MYRADXP | User Name: taryn | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\taryn\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Java\jre7\bin\jqs.exe (Oracle Corporation)
PRC - C:\Program Files\AVG\AVG2013\avgwdsvc.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\AVG\AVG2013\avgcsrvx.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\AVG\AVG2013\avgrsx.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\AVG\AVG2013\avgnsx.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\AVG\AVG2013\avgidsagent.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\AVG\AVG2013\avgui.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\AVG\AVG2013\avgemcx.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe (Yahoo! Inc.)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)

========== Modules (No Company Name) ==========

========== Services (SafeList) ==========

SRV - (SSHNAS) -- C:\WINDOWS\system32\sshnas21.dll File not found
SRV - (JavaQuickStarterService) -- C:\Program Files\Java\jre7\bin\jqs.exe (Oracle Corporation)
SRV - (AdobeFlashPlayerUpdateSvc) -- C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe (Adobe Systems Incorporated)
SRV - (MozillaMaintenance) -- C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe (Mozilla Foundation)
SRV - (avgwd) -- C:\Program Files\AVG\AVG2013\avgwdsvc.exe (AVG Technologies CZ, s.r.o.)
SRV - (AVGIDSAgent) -- C:\Program Files\AVG\AVG2013\avgidsagent.exe (AVG Technologies CZ, s.r.o.)
SRV - (RaMediaServer) -- C:\Program Files\Ralink\Common\RaMediaServer.exe ()
SRV - (RalinkRegistryWriter) -- C:\Program Files\Ralink\Common\RaRegistry.exe (Ralink Technology, Corp.)
SRV - (WefiEngSvc) -- C:\Program Files\WeFi\WefiEngSvc.exe (WeFi)
SRV - (getPlusHelper) -- C:\Program Files\NOS\bin\getPlus_Helper.dll (NOS Microsystems Ltd.)
SRV - (YahooAUService) -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe (Yahoo! Inc.)
SRV - (ANIWZCSdService) -- C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe (Wireless Service)

========== Driver Services (SafeList) ==========

DRV - (WDICA) -- File not found
DRV - (Trufos) -- File not found
DRV - (RTL8192su) -- system32\DRIVERS\RTL8192su.sys File not found
DRV - (Profos) -- File not found
DRV - (PDRFRAME) -- File not found
DRV - (PDRELI) -- File not found
DRV - (PDFRAME) -- File not found
DRV - (PDCOMP) -- File not found
DRV - (PCIDump) -- File not found
DRV - (lbrtfdc) -- File not found
DRV - (i2omgmt) -- File not found
DRV - (cpuz132) -- File not found
DRV - (cpuz129) -- C:\DOCUME~1\taryn\LOCALS~1\Temp\pcwiz32.sys File not found
DRV - (Changer) -- File not found
DRV - (ATMFVsp) -- File not found
DRV - (ATMFNVsp) -- File not found
DRV - (ATMFNET) -- File not found
DRV - (ATMFMdm) -- File not found
DRV - (ATMFFLT) -- File not found
DRV - (ATMFCVsp) -- File not found
DRV - (ATMFBUS) -- File not found
DRV - (Avglogx) -- C:\WINDOWS\system32\drivers\avglogx.sys (AVG Technologies CZ, s.r.o.)
DRV - (AVGIDSDriver) -- C:\WINDOWS\system32\drivers\avgidsdriverx.sys (AVG Technologies CZ, s.r.o.)
DRV - (AVGIDSHX) -- C:\WINDOWS\system32\drivers\avgidshx.sys (AVG Technologies CZ, s.r.o.)
DRV - (Avgldx86) -- C:\WINDOWS\system32\drivers\avgldx86.sys (AVG Technologies CZ, s.r.o.)
DRV - (Avgrkx86) -- C:\WINDOWS\system32\drivers\avgrkx86.sys (AVG Technologies CZ, s.r.o.)
DRV - (Avgmfx86) -- C:\WINDOWS\system32\drivers\avgmfx86.sys (AVG Technologies CZ, s.r.o.)
DRV - (Avgtdix) -- C:\WINDOWS\system32\drivers\avgtdix.sys (AVG Technologies CZ, s.r.o.)
DRV - (AVGIDSShim) -- C:\WINDOWS\system32\drivers\avgidsshimx.sys (AVG Technologies CZ, s.r.o.)
DRV - (rt2870) -- C:\WINDOWS\system32\drivers\rt2870.sys (Ralink Technology, Corp.)
DRV - (Tcpip6) -- C:\WINDOWS\system32\drivers\tcpip6.sys (Microsoft Corporation)
DRV - (mfehidk) -- C:\WINDOWS\system32\drivers\mfehidk.sys (McAfee, Inc.)
DRV - (mfeapfk) -- C:\WINDOWS\system32\drivers\mfeapfk.sys (McAfee, Inc.)
DRV - (Scutum50) -- C:\WINDOWS\system32\drivers\Scutum50.sys (Printing Communications Assoc., Inc. (PCAUSA))
DRV - (ANIO) -- C:\WINDOWS\system32\ANIO.sys (Alpha Networks Inc.)
DRV - (ati2mtag) -- C:\WINDOWS\system32\drivers\ati2mtag.sys (ATI Technologies Inc.)
DRV - (atiide) -- C:\WINDOWS\system32\drivers\atiide.sys (ATI Technologies Inc.)
DRV - (pfc) -- C:\WINDOWS\system32\drivers\pfc.sys (Padus, Inc.)
DRV - (SenFiltService) -- C:\WINDOWS\system32\drivers\senfilt.sys (Sensaura)
DRV - (AR5211) -- C:\WINDOWS\system32\drivers\ar5211.sys (Atheros Communications, Inc.)
DRV - (MA311) -- C:\WINDOWS\system32\drivers\ma311n51.sys (NETGEAR)
DRV - (b57w2k) -- C:\WINDOWS\system32\drivers\b57xp32.sys (Broadcom Corporation)
DRV - (USB-100) -- C:\WINDOWS\system32\drivers\USBKR100.SYS (USB Corporation Reserved.)
DRV - (PCANDIS5) -- C:\Program Files\MA311 PCI Adapter Configuration Utility\PCANDIS5.SYS (Printing Communications Assoc., Inc. (PCAUSA))

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomSearch = http://us.rd.yahoo.c...rch/search.html
IE - HKLM\..\SearchScopes,DefaultScope =
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...ms}&FORM=IE8SRC

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
IE - HKCU\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...amp;FORM=IE8SRC
IE - HKCU\..\SearchScopes\{D034B5A4-6CFD-48C3-A013-BE00774E9336}: "URL" = http://search.yahoo....0091250,0,0,0,0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:59274

========== FireFox ==========

FF - user.js - File not found

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_8_800_94.dll ()
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Plus Web Player Plug-In,version=1.0.0: C:\Program Files\DivX\DivX Plus Web Player\npdivx32.dll (DivX, LLC)
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX VOD Helper,version=1.0.0: C:\Program Files\DivX\DivX OVS Helper\npovshelper.dll (DivX, LLC.)
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.25.2: C:\WINDOWS\system32\npDeployJava1.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.25.2: C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@messenger.yahoo.com/YahooMessengerStatePlugin;version=1.0.0.6: C:\Program Files\Yahoo!\Shared\npYState.dll (Yahoo! Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\5.1.20513.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@oberon-media.com/ONCAdapter: C:\Program Files\Common Files\Oberon Media\NCAdapter\1.0.0.7\npapicomadapter.dll (Oberon-Media )
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.153\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.153\npGoogleUpdate3.dll (Google Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\{6904342A-8307-11DF-A508-4AE2DFD72085}: C:\Program Files\DivX\DivX Plus Web Player\firefox\wpa
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\{23fcfd51-4958-4f00-80a3-ae97e717ed8b}: C:\Program Files\DivX\DivX Plus Web Player\firefox\DivXHTML5 [2013/07/19 14:43:48 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 23.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 23.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2013/08/19 11:46:38 | 000,000,000 | ---D | M]

[2009/04/05 20:42:51 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\taryn\Application Data\Mozilla\Extensions
[2013/08/30 13:02:15 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\taryn\Application Data\Mozilla\Firefox\Profiles\2yqmveox.default\extensions
[2013/05/28 03:34:12 | 000,000,000 | ---D | M] (AddThis) -- C:\Documents and Settings\taryn\Application Data\Mozilla\Firefox\Profiles\2yqmveox.default\extensions\{3e0e7d2a-070f-4a47-b019-91fe5385ba79}
[2013/08/20 10:55:57 | 000,000,000 | ---D | M] (Yahoo! Toolbar) -- C:\Documents and Settings\taryn\Application Data\Mozilla\Firefox\Profiles\2yqmveox.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
[2009/12/14 21:49:27 | 000,000,000 | ---D | M] (SignupShield) -- C:\Documents and Settings\taryn\Application Data\Mozilla\Firefox\Profiles\2yqmveox.default\extensions\{D02B1E87-A8C6-433f-9B5C-2CEC4A072736}
[2013/08/18 17:48:54 | 000,000,000 | ---D | M] (Vaudix) -- C:\Documents and Settings\taryn\Application Data\Mozilla\Firefox\Profiles\2yqmveox.default\extensions\erd7wu@zydf.com
[2013/07/10 15:54:07 | 000,000,000 | ---D | M] ("SafeSearch") -- C:\Documents and Settings\taryn\Application Data\Mozilla\Firefox\Profiles\2yqmveox.default\extensions\general@safesearch.net
[2013/08/27 11:49:29 | 000,020,238 | ---- | M] () (No name found) -- C:\Documents and Settings\taryn\Application Data\Mozilla\Firefox\Profiles\2yqmveox.default\extensions\anthonyytmp3download@gmail.com.xpi
[2013/08/27 11:49:29 | 000,328,153 | ---- | M] () (No name found) -- C:\Documents and Settings\taryn\Application Data\Mozilla\Firefox\Profiles\2yqmveox.default\extensions\artur.dubovoy@gmail.com.xpi
[2013/08/26 15:39:58 | 000,007,974 | ---- | M] () (No name found) -- C:\Documents and Settings\taryn\Application Data\Mozilla\Firefox\Profiles\2yqmveox.default\extensions\info@switchviasdasdfsdffasfd.net.xpi
[2013/08/26 14:06:25 | 000,006,796 | ---- | M] () (No name found) -- C:\Documents and Settings\taryn\Application Data\Mozilla\Firefox\Profiles\2yqmveox.default\extensions\info@youtube-mp3.org.xpi
[2013/05/28 02:31:58 | 000,020,591 | ---- | M] () (No name found) -- C:\Documents and Settings\taryn\Application Data\Mozilla\Firefox\Profiles\2yqmveox.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}.xpi
[2013/08/30 13:02:14 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2013/08/18 17:22:00 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\browser\extensions
[2013/08/18 17:22:19 | 000,000,000 | ---D | M] (Default) -- C:\Program Files\Mozilla Firefox\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2011/01/07 14:01:35 | 000,001,600 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\WebSearchober27940250.xml
[2009/12/10 05:33:54 | 000,002,377 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wyeke127.xml
[2009/12/29 20:38:30 | 000,002,377 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wyeke129.xml

========== Chrome ==========

CHR - Extension: No name found = C:\Documents and Settings\taryn\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\eafmaofdanmllainmcmnbgpajhgpmdcb\1.3\
CHR - Extension: No name found = C:\Documents and Settings\taryn\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\nneajnkjbffgblleaoojgaacokifdkhm\2.1.2.172_0\

O1 HOSTS File: ([2010/01/10 20:01:16 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (DivX Plus Web Player HTML5 <video>) - {326E768D-4182-46FD-9C16-1449A49795F4} - C:\Program Files\DivX\DivX Plus Web Player\ie\DivXHTML5\DivXHTML5.dll (DivX, LLC)
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.8313.1002\swg.dll (Google Inc.)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {3BD53DEC-24D7-4F9E-B27C-925559B8D27D} - No CLSID value found.
O4 - Startup: C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)
O4 - Startup: C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\control panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\restrictions present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.micr...heckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://javadl.sun.co...?BundleId=26688 (Java Plug-in 10.25.2)
O16 - DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_11)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 10.25.2)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{DF59FD9F-B738-47C6-9CD1-8C7539D1B4A7}: DhcpNameServer = 192.168.2.1
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - (Ati2evxx.dll) - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O24 - Desktop WallPaper: C:\Documents and Settings\taryn\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\taryn\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007/11/26 16:13:36 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{02e4ded6-76d3-11de-8bde-0014a504f0a1}\Shell\AutoRun\command - "" = E:\rcaeasyrip_setup.exe
O33 - MountPoints2\{02e4ded6-76d3-11de-8bde-0014a504f0a1}\Shell\install\command - "" = E:\rcaeasyrip_setup.exe
O33 - MountPoints2\{02e4ded6-76d3-11de-8bde-0014a504f0a1}\Shell\usermanualEnglish\command - "" = E:\rcaeasyrip_setup.exe /pdf_English
O33 - MountPoints2\{02e4ded6-76d3-11de-8bde-0014a504f0a1}\Shell\usermanualFrench\command - "" = E:\rcaeasyrip_setup.exe /pdf_French
O33 - MountPoints2\{02e4ded6-76d3-11de-8bde-0014a504f0a1}\Shell\usermanualSpanish\command - "" = E:\rcaeasyrip_setup.exe /pdf_Spanish
O33 - MountPoints2\{328395b0-c112-11de-8c24-0014a504f0a1}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{328395b0-c112-11de-8c24-0014a504f0a1}\Shell\AutoRun\command - "" = E:\autorun.exe
O33 - MountPoints2\{328395b0-c112-11de-8c24-0014a504f0a1}\Shell\phone\command - "" = E:\autorun.exe
O33 - MountPoints2\{8aea37aa-87e3-11de-8bec-0014a504f0a1}\Shell - "" = AutoRun
O33 - MountPoints2\{8aea37aa-87e3-11de-8bec-0014a504f0a1}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{8aea37aa-87e3-11de-8bec-0014a504f0a1}\Shell\AutoRun\command - "" = E:\start.exe
O33 - MountPoints2\{9da570c2-fea0-11de-8c6c-c405af798ab9}\Shell - "" = AutoRun
O33 - MountPoints2\{9da570c2-fea0-11de-8c6c-c405af798ab9}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{9da570c2-fea0-11de-8c6c-c405af798ab9}\Shell\AutoRun\command - "" = C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL MySHit.exE
O33 - MountPoints2\{f9900082-de6c-11dd-8b49-0014a504f0a1}\Shell - "" = AutoRun
O33 - MountPoints2\{f9900082-de6c-11dd-8b49-0014a504f0a1}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{f9900082-de6c-11dd-8b49-0014a504f0a1}\Shell\AutoRun\command - "" = C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL tRYmE.EXE
O33 - MountPoints2\{fe84dd90-e88f-11de-8c56-00a0c6000000}\Shell - "" = AutoRun
O33 - MountPoints2\{fe84dd90-e88f-11de-8c56-00a0c6000000}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{fe84dd90-e88f-11de-8c56-00a0c6000000}\Shell\AutoRun\command - "" = F:\LaunchU3.exe -a
O34 - HKLM BootExecute: (autocheck autochk *)
O34 - HKLM BootExecute: (C:\PROGRA~1\AVG\AVG2013\avgrsx.exe /sync /restart)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

========== Files/Folders - Created Within 30 Days ==========

[2013/08/30 12:57:56 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERUNT
[2013/08/30 12:53:02 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\taryn\IECompatCache
[2013/08/30 12:40:38 | 000,000,000 | ---D | C] -- C:\AdwCleaner
[2013/08/30 07:04:00 | 001,023,533 | ---- | C] (Thisisu) -- C:\Documents and Settings\taryn\Desktop\JRT.exe
[2013/08/30 05:43:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\taryn\Desktop\RK_Quarantine
[2013/08/27 06:02:46 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\taryn\Desktop\OTL.exe
[2013/08/26 16:21:56 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2013/08/26 16:21:51 | 000,263,592 | ---- | C] (Oracle Corporation) -- C:\WINDOWS\System32\javaws.exe
[2013/08/26 16:21:39 | 000,094,632 | ---- | C] (Oracle Corporation) -- C:\WINDOWS\System32\WindowsAccessBridge.dll
[2013/08/26 16:21:38 | 000,175,016 | ---- | C] (Oracle Corporation) -- C:\WINDOWS\System32\javaw.exe
[2013/08/26 16:21:36 | 000,175,016 | ---- | C] (Oracle Corporation) -- C:\WINDOWS\System32\java.exe
[2013/08/26 13:41:19 | 000,000,000 | ---D | C] -- C:\tmedia
[2013/08/26 04:06:06 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\taryn\Recent
[2013/08/19 09:44:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\taryn\Local Settings\Application Data\Spotify
[2013/08/19 09:43:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\taryn\Application Data\Spotify
[2013/08/19 06:06:22 | 000,083,968 | ---- | C] (Eastman Kodak Company) -- C:\WINDOWS\KPAPI32.DLL
[2013/08/19 06:06:22 | 000,000,000 | ---D | C] -- C:\WINDOWS\PhotoCD
[2013/08/19 06:06:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\taryn\Start Menu\Programs\Adobe PhotoDeluxe
[2013/08/19 06:06:21 | 000,353,392 | ---- | C] (Apple Computer, Inc.) -- C:\WINDOWS\System32\QTIM.DLL
[2013/08/19 06:06:21 | 000,200,912 | ---- | C] (Apple Computer, Inc.) -- C:\WINDOWS\System32\QTRPZA.QTC
[2013/08/19 06:06:21 | 000,182,368 | ---- | C] (Apple Computer, Inc.) -- C:\WINDOWS\System32\QTCVID.QTC
[2013/08/19 06:06:21 | 000,165,056 | ---- | C] (Apple Computer, Inc.) -- C:\WINDOWS\System32\QTSMC.QTC
[2013/08/19 06:06:21 | 000,111,488 | ---- | C] (Apple Computer, Inc.) -- C:\WINDOWS\System32\QCMC.QTC
[2013/08/19 06:06:21 | 000,093,200 | ---- | C] (Apple Computer, Inc.) -- C:\WINDOWS\System32\QTRLE.QTC
[2013/08/19 06:06:21 | 000,073,360 | ---- | C] (Apple Computer, Inc.) -- C:\WINDOWS\System32\QTOLE.DLL
[2013/08/19 06:06:21 | 000,064,720 | ---- | C] (Intel® Corporation) -- C:\WINDOWS\System32\QTIV32.QTC
[2013/08/19 06:06:21 | 000,058,544 | ---- | C] (Apple Computer, Inc.) -- C:\WINDOWS\System32\QTRT21.QTC
[2013/08/19 06:06:21 | 000,041,344 | ---- | C] (Apple Computer, Inc.) -- C:\WINDOWS\System32\MCIQTW.DRV
[2013/08/19 06:06:21 | 000,039,936 | ---- | C] (Intel® Corporation) -- C:\WINDOWS\System32\QTIYVU9.QTC
[2013/08/19 06:06:21 | 000,032,128 | ---- | C] (Apple Computer, Inc.) -- C:\WINDOWS\System32\DHIO_DH.QTC
[2013/08/19 06:06:21 | 000,029,072 | ---- | C] (Apple Computer, Inc.) -- C:\WINDOWS\System32\QTMOVIE.VBX
[2013/08/19 06:06:21 | 000,028,352 | ---- | C] (Apple Computer, Inc.) -- C:\WINDOWS\System32\QTJPEG.QTC
[2013/08/19 06:06:21 | 000,023,888 | ---- | C] (Apple Computer, Inc.) -- C:\WINDOWS\System32\NAVG.QTC
[2013/08/19 06:06:21 | 000,015,024 | ---- | C] (Apple Computer, Inc.) -- C:\WINDOWS\System32\QTPIC.VBX
[2013/08/19 06:06:21 | 000,014,336 | ---- | C] (Apple Computer, Inc.) -- C:\WINDOWS\System32\QTIMCMGR.DLL
[2013/08/19 06:06:21 | 000,010,944 | ---- | C] (Apple Computer, Inc.) -- C:\WINDOWS\System32\REELMGIC.QTC
[2013/08/19 06:06:21 | 000,007,712 | ---- | C] (Apple Computer, Inc.) -- C:\WINDOWS\System32\QTRAW.QTC
[2013/08/19 06:06:21 | 000,004,128 | ---- | C] (Apple Computer, Inc.) -- C:\WINDOWS\System32\QTNOTIFY.EXE
[2013/08/19 06:06:20 | 000,060,992 | ---- | C] (Apple Computer, Inc.) -- C:\WINDOWS\PLAYER.EXE
[2013/08/19 06:06:20 | 000,047,712 | ---- | C] (Apple Computer, Inc.) -- C:\WINDOWS\VIEWER.EXE
[2013/08/19 06:06:20 | 000,017,536 | ---- | C] (Apple Computer, Inc.) -- C:\WINDOWS\VIEWENU.DLL
[2013/08/19 06:06:20 | 000,016,912 | ---- | C] (Apple Computer, Inc.) -- C:\WINDOWS\PLAYENU.DLL
[2013/08/19 06:06:20 | 000,008,320 | ---- | C] (Apple Computer, Inc.) -- C:\WINDOWS\System32\QTHNDLR.DLL
[2013/08/19 06:06:20 | 000,007,312 | ---- | C] (Apple Computer, Inc.) -- C:\WINDOWS\System32\QTOLD.QTC
[2013/08/19 06:06:18 | 000,249,856 | ---- | C] (Play Incorporated) -- C:\WINDOWS\System32\SNAP32N.DLL
[2013/08/19 06:06:18 | 000,202,752 | ---- | C] (Pegasus Imaging Corp.) -- C:\WINDOWS\System32\PICN1112.DLL
[2013/08/19 06:06:18 | 000,097,568 | ---- | C] (Eastman Kodak) -- C:\WINDOWS\System32\DC50.DLL
[2013/08/19 06:06:18 | 000,034,816 | ---- | C] (Apple Computer, Inc. & Eastman Kodak) -- C:\WINDOWS\System32\QTAKE-D.DLL
[2013/08/19 06:06:17 | 000,078,544 | ---- | C] (Apple Computer, Inc. & Eastman Kodak Company) -- C:\WINDOWS\System32\QTAKE-I.DLL
[2013/08/19 06:06:17 | 000,020,992 | ---- | C] (Pegasus Imaging Corp.) -- C:\WINDOWS\System32\PICN12.DLL
[2013/08/19 06:06:17 | 000,020,976 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\CTL3D.DLL
[2013/08/19 06:06:14 | 000,000,000 | ---D | C] -- C:\PhotoDlx
[2013/08/19 01:53:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\taryn\Desktop\photo shop
[2013/08/18 17:22:00 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox
[2013/08/11 19:36:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Documents\jason louis muthafucking kutyba.rip sister carrie ann kutyba_files
[2013/08/01 12:57:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\taryn\Desktop\untitled folder
[4 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\Documents and Settings\taryn\My Documents\*.tmp files -> C:\Documents and Settings\taryn\My Documents\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2013/08/30 13:10:00 | 000,000,422 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{9FA917AF-EDD9-4124-9237-3392F6B80E4C}.job
[2013/08/30 12:58:27 | 000,000,310 | -HS- | M] () -- C:\WINDOWS\tasks\Yegzj.job
[2013/08/30 12:53:00 | 000,000,246 | -H-- | M] () -- C:\WINDOWS\tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job
[2013/08/30 12:51:23 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2013/08/30 12:50:04 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2013/08/30 12:43:00 | 000,000,830 | ---- | M] () -- C:\WINDOWS\tasks\Adobe Flash Player Updater.job
[2013/08/30 12:16:00 | 000,000,282 | -H-- | M] () -- C:\WINDOWS\tasks\{22116563-108C-42c0-A7CE-60161B75E508}.job
[2013/08/30 10:52:40 | 000,000,422 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{C7008321-5B43-4F9C-85F2-4D328FD574B9}.job
[2013/08/30 07:04:03 | 001,023,533 | ---- | M] (Thisisu) -- C:\Documents and Settings\taryn\Desktop\JRT.exe
[2013/08/30 07:03:29 | 000,994,642 | ---- | M] () -- C:\Documents and Settings\taryn\Desktop\adwcleaner.exe
[2013/08/30 00:37:52 | 000,001,813 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\Google Chrome.lnk
[2013/08/29 23:00:00 | 000,000,398 | ---- | M] () -- C:\WINDOWS\tasks\At2.job
[2013/08/29 23:00:00 | 000,000,398 | ---- | M] () -- C:\WINDOWS\tasks\At1.job
[2013/08/27 06:02:47 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\taryn\Desktop\OTL.exe
[2013/08/26 16:21:22 | 000,094,632 | ---- | M] (Oracle Corporation) -- C:\WINDOWS\System32\WindowsAccessBridge.dll
[2013/08/26 16:21:20 | 000,867,240 | ---- | M] (Oracle Corporation) -- C:\WINDOWS\System32\npDeployJava1.dll
[2013/08/26 16:21:20 | 000,789,416 | ---- | M] (Oracle Corporation) -- C:\WINDOWS\System32\deployJava1.dll
[2013/08/26 16:21:20 | 000,263,592 | ---- | M] (Oracle Corporation) -- C:\WINDOWS\System32\javaws.exe
[2013/08/26 16:21:20 | 000,175,016 | ---- | M] (Oracle Corporation) -- C:\WINDOWS\System32\javaw.exe
[2013/08/26 16:21:20 | 000,175,016 | ---- | M] (Oracle Corporation) -- C:\WINDOWS\System32\java.exe
[2013/08/26 16:21:20 | 000,144,896 | ---- | M] (Oracle Corporation) -- C:\WINDOWS\System32\javacpl.cpl
[2013/08/26 12:11:16 | 000,002,137 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\iTunes.lnk
[2013/08/26 06:51:25 | 000,000,104 | ---- | M] () -- C:\Documents and Settings\taryn\Desktop\Internet.lnk
[2013/08/26 03:53:49 | 000,000,323 | -HS- | M] () -- C:\boot.ini
[2013/08/26 03:52:27 | 000,463,592 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2013/08/26 03:52:27 | 000,078,842 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2013/08/26 03:49:28 | 000,040,606 | ---- | M] () -- C:\Documents and Settings\taryn\Application Data\wklnhst.dat
[2013/08/23 23:00:50 | 000,097,995 | ---- | M] () -- C:\WINDOWS\unins000.dat
[2013/08/23 22:56:25 | 001,169,609 | ---- | M] () -- C:\WINDOWS\unins000.exe
[2013/08/23 00:26:47 | 000,002,664 | ---- | M] () -- C:\Documents and Settings\taryn\My Documents\cc_20130823_002627.reg
[2013/08/21 07:51:57 | 000,692,104 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerApp.exe
[2013/08/21 07:51:56 | 000,071,048 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerCPLApp.cpl
[2013/08/19 11:46:39 | 000,001,757 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
[2013/08/19 11:41:03 | 000,002,893 | ---- | M] () -- C:\WINDOWS\ACROREAD.INI
[2013/08/19 09:44:44 | 000,001,854 | ---- | M] () -- C:\Documents and Settings\taryn\Desktop\Spotify.lnk
[2013/08/19 06:06:14 | 000,000,171 | ---- | M] () -- C:\WINDOWS\KPCMS.INI
[2013/08/19 06:02:36 | 000,000,986 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
[2013/08/19 01:49:13 | 000,012,292 | -H-- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Documents\.DS_Store
[2013/08/14 05:42:36 | 000,001,462 | RHS- | M] () -- C:\Documents and Settings\taryn\ntuser.pol
[2013/08/11 19:36:43 | 000,074,597 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Documents\jason louis muthafucking kutyba.rip sister carrie ann kutyba.htm
[2013/08/07 22:07:51 | 007,886,336 | ---- | M] () -- C:\Documents and Settings\taryn\Desktop\setup.msi
[2013/08/04 00:08:21 | 000,006,481 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Documents\th.jpg
[2013/08/03 23:47:39 | 000,020,449 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Documents\biggest_dog6.jpg
[2013/07/31 18:51:33 | 000,000,256 | ---- | M] () -- C:\WINDOWS\tasks\SSVerify.job
[2013/07/31 18:51:27 | 000,000,292 | ---- | M] () -- C:\WINDOWS\tasks\MaxPerformaSys.job
[2013/07/31 18:51:25 | 000,000,884 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2013/07/31 18:51:22 | 000,000,880 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2013/07/31 18:51:12 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[4 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\Documents and Settings\taryn\My Documents\*.tmp files -> C:\Documents and Settings\taryn\My Documents\*.tmp -> ]

========== Files Created - No Company Name ==========

[2099/01/01 12:00:00 | 000,006,456 | -H-- | C] () -- C:\WINDOWS\System32\lekovaba
[2013/08/30 07:03:24 | 000,994,642 | ---- | C] () -- C:\Documents and Settings\taryn\Desktop\adwcleaner.exe
[2013/08/26 06:51:25 | 000,000,104 | ---- | C] () -- C:\Documents and Settings\taryn\Desktop\Internet.lnk
[2013/08/23 23:00:50 | 001,169,609 | ---- | C] () -- C:\WINDOWS\unins000.exe
[2013/08/23 23:00:50 | 000,097,995 | ---- | C] () -- C:\WINDOWS\unins000.dat
[2013/08/23 00:26:37 | 000,002,664 | ---- | C] () -- C:\Documents and Settings\taryn\My Documents\cc_20130823_002627.reg
[2013/08/19 11:46:39 | 000,001,810 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Adobe Reader 7.0.lnk
[2013/08/19 11:46:39 | 000,001,757 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
[2013/08/19 09:44:44 | 000,001,860 | ---- | C] () -- C:\Documents and Settings\taryn\Start Menu\Programs\Spotify.lnk
[2013/08/19 09:44:44 | 000,001,854 | ---- | C] () -- C:\Documents and Settings\taryn\Desktop\Spotify.lnk
[2013/08/19 06:06:21 | 000,003,888 | ---- | C] () -- C:\WINDOWS\System32\MCIQTENU.DLL
[2013/08/19 06:06:18 | 000,078,944 | ---- | C] () -- C:\WINDOWS\System32\DC50IP.DLL
[2013/08/19 06:06:17 | 002,109,504 | ---- | C] () -- C:\WINDOWS\System32\KPT20HUB.DLL
[2013/08/19 06:02:36 | 000,000,986 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
[2013/08/19 06:02:35 | 000,000,819 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Adobe ImageReady 7.0.lnk
[2013/08/19 06:02:35 | 000,000,814 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Adobe Photoshop 7.0.lnk
[2013/08/11 19:36:42 | 000,074,597 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Documents\jason louis muthafucking kutyba.rip sister carrie ann kutyba.htm
[2013/08/04 00:08:20 | 000,006,481 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Documents\th.jpg
[2013/08/03 23:47:38 | 000,020,449 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Documents\biggest_dog6.jpg
[2013/07/24 01:09:48 | 000,002,528 | ---- | C] () -- C:\Documents and Settings\taryn\Application Data\$_hpcst$.hpc
[2013/05/28 03:03:26 | 000,258,048 | ---- | C] () -- C:\WINDOWS\System32\WlanApp.dll
[2013/05/28 03:03:26 | 000,049,152 | ---- | C] () -- C:\WINDOWS\System32\JJAKEn.dll
[2011/01/08 00:14:54 | 000,000,454 | ---- | C] () -- C:\Program Files\010820110145407.bat
[2010/09/26 00:56:34 | 000,000,074 | ---- | C] () -- C:\Documents and Settings\taryn\PDPURCYL.exe
[2010/08/17 18:58:06 | 000,000,258 | ---- | C] () -- C:\Documents and Settings\taryn\Application Data\ANICONFIG_{105B27AF-92DD-49DE-A153-B5CA2C7FC4AC}.ini
[2010/07/21 08:48:46 | 000,000,740 | ---- | C] () -- C:\Documents and Settings\taryn\dpdifomx.exe
[2010/02/08 23:39:43 | 000,000,797 | ---- | C] () -- C:\Documents and Settings\taryn\Application Data\Launch Internet Explorer Browser.lnk
[2009/01/16 13:00:04 | 000,040,606 | ---- | C] () -- C:\Documents and Settings\taryn\Application Data\wklnhst.dat
[2009/01/04 08:43:03 | 000,000,978 | ---- | C] () -- C:\Program Files\reset_fp10.zip
[2008/12/31 20:04:13 | 000,000,128 | ---- | C] () -- C:\Documents and Settings\taryn\Local Settings\Application Data\fusioncache.dat
[2008/12/31 16:22:08 | 000,040,448 | ---- | C] () -- C:\Documents and Settings\taryn\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2007/11/26 01:51:59 | 000,001,462 | RHS- | C] () -- C:\Documents and Settings\taryn\ntuser.pol

========== ZeroAccess Check ==========

[2008/12/31 19:58:41 | 000,000,227 | RHS- | M] () -- C:\WINDOWS\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shdocvw.dll -- [2008/04/13 17:12:05 | 001,499,136 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = C:\WINDOWS\System32\wbem\fastprox.dll -- [2009/02/09 05:10:48 | 000,473,600 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = C:\WINDOWS\System32\wbem\wbemess.dll -- [2008/04/13 17:12:08 | 000,273,920 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

========== Alternate Data Streams ==========

@Alternate Data Stream - 60 bytes -> C:\Documents and Settings\All Users.WINDOWS\Documents\.DS_Store:AFP_AfpInfo
@Alternate Data Stream - 150 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:373E1720
@Alternate Data Stream - 130 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:0B4227B4
@Alternate Data Stream - 128 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:45FE2B4E
@Alternate Data Stream - 124 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:7E95B6FD
@Alternate Data Stream - 121 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:DFC5A2B2
@Alternate Data Stream - 109 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:A8ADE5D8

< End of report >
Syst em appears to be a bit more responsive, able to click most links,start up was smoother, still no display of background on websites tho, Ill wait to hear back from you.
Thank you so much thus far

#7 Satchfan

SuperHelper

Malware Team
6,813 posts

Interests:LFC, music, more LFC, more music

Posted 31 August 2013 - 02:47 AM

Sorry for the delay and thanks for the logs which seems to have cleared up a fair bit.

I don't understand why you can't run RogueKiller - looks like it had a problem.

I'd really like to see the result of a scan so please uncheck MBR scan on the right hand side and try it again.

If it still doesn't run, boot to Safe mode with Networking and see if you can then run it.

To Enter Safe mode

go to Start> Shut off your Computer> Restart
as the computer starts to boot-up, tap the F8 key - this will bring up a menu
use the Up and Down arrow keys to scroll up to Safe mode with Networking
then press Enter on your keyboard

Satchfan

NINA - Proud graduate of the WTT Classroom

Member of UNITE

The help you receive here is free but if you feel I have helped, you may consider making a Donation.

#8 Satchfan

SuperHelper

Malware Team
6,813 posts

Interests:LFC, music, more LFC, more music

Posted 03 September 2013 - 04:50 PM

Hi krptd.

I believe you are having a problem.

As Paws suggested, to keep this topic "tidy", please log in under the user name of krptd so that we can continue here. If you can't remember your password, it can be e-mailed to you.

Satchfan

NINA - Proud graduate of the WTT Classroom

Member of UNITE

The help you receive here is free but if you feel I have helped, you may consider making a Donation.

#9 Satchfan

SuperHelper

Malware Team
6,813 posts

Interests:LFC, music, more LFC, more music

Posted 06 September 2013 - 02:58 PM

Due to inactivity this topic will be closed.
If you need help please start a new thread.

New members follow the instructions here http://forums.whatth...ed_t106388.html and start a new topic

NINA - Proud graduate of the WTT Classroom

Member of UNITE

The help you receive here is free but if you feel I have helped, you may consider making a Donation.

Body Background

skin color theme