
Hi Guys system playing up


  • This topic is locked
3 replies to this topic

#1 xerive

New Member, 4 posts

Posted 12 June 2008 - 02:48 AM

Hi guys, my system's really playing up and I have heard good things about this place, hence my registration here.

My hard drive is constantly being accessed from boot-up, which is really burning me off as it's slowing the PC down and it doesn't ever stop.

Here's my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 09:48:59, on 12/06/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Vidalia Bundle\Vidalia\vidalia.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Zone Labs\ZoneAlarm\MailFrontier\mantispm.exe
C:\Documents and Settings\darren\Desktop\hijackthis_sfx\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8118
R3 - URLSearchHook: (no name) - {0A94B116-4504-4e26-AB05-E61E474AA38B} - C:\Program Files\AskPBar\SrchAstt\1.bin\A9SRCHAS.DLL
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Ask Search Assistant BHO - {0A94B111-4504-4e26-AB05-E61E474AA38B} - C:\Program Files\AskPBar\SrchAstt\1.bin\A9SRCHAS.DLL
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Ask Toolbar BHO - {F4D76F01-7896-458a-890F-E1F05C46069F} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Ask Toolbar - {F4D76F09-7896-458a-890F-E1F05C46069F} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [Vidalia] "C:\Program Files\Vidalia Bundle\Vidalia\vidalia.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: http://linktrader.cyberspacehq.com
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onec...lscbase9563.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - G:\utils\photoshop\PhotoshopElementsFileAgent.exe (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: SQL Server (MSSMLBIZ) (MSSQL$MSSMLBIZ) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sMSSMLBIZ (file missing)
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PostgreSQL Database Server 8.3 (pgsql-8.3) - Unknown owner - C:\Documents and Settings\darren\GungHo Technologies\Trackback Spider\pgsql\bin\pg_ctl.exe" runservice -w -N "pgsql-8.3" -D "C:\Documents and Settings\darren\GungHo Technologies\Trackback Spider\database\ (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe (file missing)
O23 - Service: Trackback Poster (TS Poster) - Unknown owner - C:\Program Files\Trackback Spider\Poster Service.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Edited by xerive, 12 June 2008 - 06:22 AM.



#2 xerive

New Member, 4 posts

Posted 12 June 2008 - 06:24 AM

Here is a 30-second sample of Registry Monitor:
196.38526917 lsass.exe:892 CloseKey HKLM\SAM\SAM\DOMAINS\Account\Users\000003EB SUCCESS 196.38533020 lsass.exe:892 CloseKey HKLM\SECURITY\Policy SUCCESS 196.41517639 Regmon.exe:3292 OpenKey HKCU\SOFTWARE\MailFrontier\OutlookExpressEnabled SUCCESS Access: 0x1 196.41519165 Regmon.exe:3292 CloseKey HKCU\SOFTWARE\MailFrontier\OutlookExpressEnabled SUCCESS 196.43077087 Regmon.exe:3292 OpenKey HKCU\SOFTWARE\MailFrontier\OutlookExpressEnabled SUCCESS Access: 0x1 196.43078613 Regmon.exe:3292 CloseKey HKCU\SOFTWARE\MailFrontier\OutlookExpressEnabled SUCCESS 196.44639587 Regmon.exe:3292 OpenKey HKCU\SOFTWARE\MailFrontier\OutlookExpressEnabled SUCCESS Access: 0x1 196.44644165 Regmon.exe:3292 CloseKey HKCU\SOFTWARE\MailFrontier\OutlookExpressEnabled SUCCESS 196.46206665 Regmon.exe:3292 OpenKey HKCU\SOFTWARE\MailFrontier\OutlookExpressEnabled SUCCESS Access: 0x1 196.46208191 Regmon.exe:3292 CloseKey HKCU\SOFTWARE\MailFrontier\OutlookExpressEnabled SUCCESS 196.47767639 Regmon.exe:3292 OpenKey HKCU\SOFTWARE\MailFrontier\OutlookExpressEnabled SUCCESS Access: 0x1 196.47769165 Regmon.exe:3292 CloseKey HKCU\SOFTWARE\MailFrontier\OutlookExpressEnabled SUCCESS 196.49328613 Regmon.exe:3292 OpenKey HKCU\SOFTWARE\MailFrontier\OutlookExpressEnabled SUCCESS Access: 0x1 196.49330139 Regmon.exe:3292 CloseKey HKCU\SOFTWARE\MailFrontier\OutlookExpressEnabled SUCCESS 196.50888062 Regmon.exe:3292 OpenKey HKCU\SOFTWARE\MailFrontier\OutlookExpressEnabled SUCCESS Access: 0x1 196.50889587 Regmon.exe:3292 CloseKey HKCU\SOFTWARE\MailFrontier\OutlookExpressEnabled SUCCESS 196.52455139 Regmon.exe:3292 OpenKey HKCU\SOFTWARE\MailFrontier\OutlookExpressEnabled SUCCESS Access: 0x1 196.52456665 Regmon.exe:3292 CloseKey HKCU\SOFTWARE\MailFrontier\OutlookExpressEnabled SUCCESS 196.54014587 Regmon.exe:3292 OpenKey HKCU\SOFTWARE\MailFrontier\OutlookExpressEnabled SUCCESS Access: 0x1 196.54014587 Regmon.exe:3292 CloseKey HKCU\SOFTWARE\MailFrontier\OutlookExpressEnabled SUCCESS 196.55581665 Regmon.exe:3292 OpenKey 
HKCU\SOFTWARE\MailFrontier\OutlookExpressEnabled SUCCESS Access: 0x1 196.55583191 Regmon.exe:3292 CloseKey HKCU\SOFTWARE\MailFrontier\OutlookExpressEnabled SUCCESS 196.57139587 Regmon.exe:3292 OpenKey HKCU\SOFTWARE\MailFrontier\OutlookExpressEnabled SUCCESS Access: 0x1 196.57141113 Regmon.exe:3292 CloseKey HKCU\SOFTWARE\MailFrontier\OutlookExpressEnabled SUCCESS 196.58705139 Regmon.exe:3292 OpenKey HKCU\SOFTWARE\MailFrontier\OutlookExpressEnabled SUCCESS Access: 0x1 196.58706665 Regmon.exe:3292 CloseKey HKCU\SOFTWARE\MailFrontier\OutlookExpressEnabled SUCCESS 196.60263062 Regmon.exe:3292 OpenKey HKCU\SOFTWARE\MailFrontier\OutlookExpressEnabled SUCCESS Access: 0x1 196.60264587 Regmon.exe:3292 CloseKey HKCU\SOFTWARE\MailFrontier\OutlookExpressEnabled SUCCESS 196.61828613 Regmon.exe:3292 OpenKey HKCU\SOFTWARE\MailFrontier\OutlookExpressEnabled SUCCESS Access: 0x1 196.61830139 Regmon.exe:3292 CloseKey HKCU\SOFTWARE\MailFrontier\OutlookExpressEnabled SUCCESS 196.69645691 Regmon.exe:3292 OpenKey HKCU\SOFTWARE\MailFrontier\OutlookExpressEnabled SUCCESS Access: 0x1 196.69647217 Regmon.exe:3292 CloseKey HKCU\SOFTWARE\MailFrontier\OutlookExpressEnabled SUCCESS 196.72763062 Regmon.exe:3292 OpenKey HKCU\SOFTWARE\MailFrontier\OutlookExpressEnabled SUCCESS Access: 0x1 196.72764587 Regmon.exe:3292 CloseKey HKCU\SOFTWARE\MailFrontier\OutlookExpressEnabled SUCCESS 197.38500977 lsass.exe:892 OpenKey HKLM\SECURITY\Policy SUCCESS Access: 0x2001F 197.38502502 lsass.exe:892 OpenKey HKLM\SECURITY\Policy\SecDesc SUCCESS Access: 0x20019 197.38502502 lsass.exe:892 QueryValue HKLM\SECURITY\Policy\SecDesc\(Default) BUFFER OVERFLOW 197.38504028 lsass.exe:892 CloseKey HKLM\SECURITY\Policy\SecDesc SUCCESS 197.38505554 lsass.exe:892 OpenKey HKLM\SECURITY\Policy\SecDesc SUCCESS Access: 0x20019 197.38507080 lsass.exe:892 QueryValue HKLM\SECURITY\Policy\SecDesc\(Default) SUCCESS NONE 197.38507080 lsass.exe:892 CloseKey HKLM\SECURITY\Policy\SecDesc SUCCESS 197.38519287 lsass.exe:892 OpenKey 
HKLM\SAM\SAM\DOMAINS\Account\Groups\000003EB NOT FOUND 197.38522339 lsass.exe:892 OpenKey HKLM\SAM\SAM\DOMAINS\Account\Aliases\000003EB NOT FOUND 197.38523865 lsass.exe:892 OpenKey HKLM\SAM\SAM\DOMAINS\Account\Users\000003EB SUCCESS Access: 0x2001F 197.38525391 lsass.exe:892 QueryValue HKLM\SAM\SAM\DOMAINS\Account\Users\000003EB\V SUCCESS 00 00 00 00 BC 00 00 00 ... 197.38526917 lsass.exe:892 CloseKey HKLM\SAM\SAM\DOMAINS\Account\Users\000003EB SUCCESS 197.38533020 lsass.exe:892 CloseKey HKLM\SECURITY\Policy SUCCESS 198.38499451 lsass.exe:892 OpenKey HKLM\SECURITY\Policy SUCCESS Access: 0x2001F 198.38500977 lsass.exe:892 OpenKey HKLM\SECURITY\Policy\SecDesc SUCCESS Access: 0x20019 198.38502502 lsass.exe:892 QueryValue HKLM\SECURITY\Policy\SecDesc\(Default) BUFFER OVERFLOW 198.38504028 lsass.exe:892 CloseKey HKLM\SECURITY\Policy\SecDesc SUCCESS 198.38505554 lsass.exe:892 OpenKey HKLM\SECURITY\Policy\SecDesc SUCCESS Access: 0x20019 198.38505554 lsass.exe:892 QueryValue HKLM\SECURITY\Policy\SecDesc\(Default) SUCCESS NONE 198.38507080 lsass.exe:892 CloseKey HKLM\SECURITY\Policy\SecDesc SUCCESS 198.38519287 lsass.exe:892 OpenKey HKLM\SAM\SAM\DOMAINS\Account\Groups\000003EB NOT FOUND 198.38520813 lsass.exe:892 OpenKey HKLM\SAM\SAM\DOMAINS\Account\Aliases\000003EB NOT FOUND 198.38522339 lsass.exe:892 OpenKey HKLM\SAM\SAM\DOMAINS\Account\Users\000003EB SUCCESS Access: 0x2001F 198.38523865 lsass.exe:892 QueryValue HKLM\SAM\SAM\DOMAINS\Account\Users\000003EB\V SUCCESS 00 00 00 00 BC 00 00 00 ... 
198.38525391 lsass.exe:892 CloseKey HKLM\SAM\SAM\DOMAINS\Account\Users\000003EB SUCCESS 198.38531494 lsass.exe:892 CloseKey HKLM\SECURITY\Policy SUCCESS 198.88391113 vsmon.exe:1576 OpenKey HKLM\SOFTWARE\Cisco Systems\VPN Client NOT FOUND 198.88488770 vsmon.exe:1576 OpenKey HKLM\SYSTEM\CurrentControlSet\Services\Tcpip SUCCESS Access: 0x2000000 198.88490295 vsmon.exe:1576 CloseKey HKLM\SYSTEM\CurrentControlSet\Services\Tcpip SUCCESS 198.88491821 vsmon.exe:1576 OpenKey HKLM\SYSTEM\CurrentControlSet\Services\NwlnkIpx NOT FOUND 198.88493347 vsmon.exe:1576 OpenKey HKLM\SYSTEM\CurrentControlSet\Services\Nbf NOT FOUND 198.88533020 vsmon.exe:1576 OpenKey HKCU SUCCESS Access: 0x4 198.88534546 vsmon.exe:1576 CreateKey HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders SUCCESS Access: 0x2000000 198.88536072 vsmon.exe:1576 CloseKey HKCU SUCCESS 198.88537598 vsmon.exe:1576 QueryValue HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\AppData SUCCESS "%USERPROFILE%\Application Data" 198.88540649 vsmon.exe:1576 OpenKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList SUCCESS Access: 0x20019 198.88542175 vsmon.exe:1576 QueryValue HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\ProfilesDirectory SUCCESS "%SystemDrive%\Documents and Settings" 198.88543701 vsmon.exe:1576 CloseKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList SUCCESS 198.88545227 vsmon.exe:1576 OpenKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList SUCCESS Access: 0x20019 198.88546753 vsmon.exe:1576 QueryValue HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\AllUsersProfile SUCCESS "All Users" 198.88546753 vsmon.exe:1576 CloseKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList SUCCESS 198.88551331 vsmon.exe:1576 OpenKey HKLM\System\CurrentControlSet\Control\Session Manager\Environment SUCCESS Access: 0x1 198.88551331 vsmon.exe:1576 QueryKey HKLM\System\CurrentControlSet\Control\Session 
Manager\Environment SUCCESS Subkeys = 0 198.88552856 vsmon.exe:1576 EnumerateValue HKLM\System\CurrentControlSet\Control\Session Manager\Environment\ComSpec SUCCESS "%SystemRoot%\system32\cmd.exe" 198.88552856 vsmon.exe:1576 EnumerateValue HKLM\System\CurrentControlSet\Control\Session Manager\Environment BUFFER OVERFLOW 198.88554382 vsmon.exe:1576 EnumerateValue HKLM\System\CurrentControlSet\Control\Session Manager\Environment\Path SUCCESS "%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;"C:\Program Files\Zone Labs\ZoneAlarm\MailFrontier";C:\Program Files\QuickTime\QTSystem\;C:\Program Files\IDM Computer Solutions\UltraEdit-32;C:\Program Files\Microsoft SQL Server\90\Tools..." 198.88555908 vsmon.exe:1576 EnumerateValue HKLM\System\CurrentControlSet\Control\Session Manager\Environment\windir SUCCESS "%SystemRoot%" 198.88555908 vsmon.exe:1576 EnumerateValue HKLM\System\CurrentControlSet\Control\Session Manager\Environment\FP_NO_HOST_CHECK SUCCESS "NO" 198.88557434 vsmon.exe:1576 EnumerateValue HKLM\System\CurrentControlSet\Control\Session Manager\Environment\OS SUCCESS "Windows_NT" 198.88558960 vsmon.exe:1576 EnumerateValue HKLM\System\CurrentControlSet\Control\Session Manager\Environment\PROCESSOR_ARCHITECTURE SUCCESS "x86" 198.88560486 vsmon.exe:1576 EnumerateValue HKLM\System\CurrentControlSet\Control\Session Manager\Environment\PROCESSOR_LEVEL SUCCESS "6" 198.88560486 vsmon.exe:1576 EnumerateValue HKLM\System\CurrentControlSet\Control\Session Manager\Environment\PROCESSOR_IDENTIFIER SUCCESS "x86 Family 6 Model 15 Stepping 6, GenuineIntel" 198.88562012 vsmon.exe:1576 EnumerateValue HKLM\System\CurrentControlSet\Control\Session Manager\Environment\PROCESSOR_REVISION SUCCESS "0f06" 198.88563538 vsmon.exe:1576 EnumerateValue HKLM\System\CurrentControlSet\Control\Session Manager\Environment\NUMBER_OF_PROCESSORS SUCCESS "2" 198.88565063 vsmon.exe:1576 EnumerateValue HKLM\System\CurrentControlSet\Control\Session Manager\Environment\PATHEXT SUCCESS 
".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH" 198.88566589 vsmon.exe:1576 EnumerateValue HKLM\System\CurrentControlSet\Control\Session Manager\Environment\TEMP SUCCESS "%SystemRoot%\TEMP" 198.88566589 vsmon.exe:1576 EnumerateValue HKLM\System\CurrentControlSet\Control\Session Manager\Environment\TMP SUCCESS "%SystemRoot%\TEMP" 198.88568115 vsmon.exe:1576 EnumerateValue HKLM\System\CurrentControlSet\Control\Session Manager\Environment\CLASSPATH SUCCESS ".;C:\Program Files\Java\jre1.6.0_02\lib\ext\QTJava.zip" 198.88569641 vsmon.exe:1576 EnumerateValue HKLM\System\CurrentControlSet\Control\Session Manager\Environment\QTJAVA SUCCESS "C:\Program Files\Java\jre1.6.0_02\lib\ext\QTJava.zip" 198.88571167 vsmon.exe:1576 EnumerateValue HKLM\System\CurrentControlSet\Control\Session Manager\Environment\tvdumpflags SUCCESS "8" 198.88572693 vsmon.exe:1576 EnumerateValue HKLM\System\CurrentControlSet\Control\Session Manager\Environment\ComSpec SUCCESS "%SystemRoot%\system32\cmd.exe" 198.88574219 vsmon.exe:1576 EnumerateValue HKLM\System\CurrentControlSet\Control\Session Manager\Environment BUFFER OVERFLOW 198.88574219 vsmon.exe:1576 EnumerateValue HKLM\System\CurrentControlSet\Control\Session Manager\Environment\Path SUCCESS "%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;"C:\Program Files\Zone Labs\ZoneAlarm\MailFrontier";C:\Program Files\QuickTime\QTSystem\;C:\Program Files\IDM Computer Solutions\UltraEdit-32;C:\Program Files\Microsoft SQL Server\90\Tools..." 
198.88577271 vsmon.exe:1576 EnumerateValue HKLM\System\CurrentControlSet\Control\Session Manager\Environment\windir SUCCESS "%SystemRoot%" 198.88578796 vsmon.exe:1576 EnumerateValue HKLM\System\CurrentControlSet\Control\Session Manager\Environment\FP_NO_HOST_CHECK SUCCESS "NO" 198.88578796 vsmon.exe:1576 EnumerateValue HKLM\System\CurrentControlSet\Control\Session Manager\Environment\OS SUCCESS "Windows_NT" 198.88580322 vsmon.exe:1576 EnumerateValue HKLM\System\CurrentControlSet\Control\Session Manager\Environment\PROCESSOR_ARCHITECTURE SUCCESS "x86" 198.88580322 vsmon.exe:1576 EnumerateValue HKLM\System\CurrentControlSet\Control\Session Manager\Environment\PROCESSOR_LEVEL SUCCESS "6" 198.88581848 vsmon.exe:1576 EnumerateValue HKLM\System\CurrentControlSet\Control\Session Manager\Environment\PROCESSOR_IDENTIFIER SUCCESS "x86 Family 6 Model 15 Stepping 6, GenuineIntel" 198.88581848 vsmon.exe:1576 EnumerateValue HKLM\System\CurrentControlSet\Control\Session Manager\Environment\PROCESSOR_REVISION SUCCESS "0f06" 198.88583374 vsmon.exe:1576 EnumerateValue HKLM\System\CurrentControlSet\Control\Session Manager\Environment\NUMBER_OF_PROCESSORS SUCCESS "2" 198.88583374 vsmon.exe:1576 EnumerateValue HKLM\System\CurrentControlSet\Control\Session Manager\Environment\PATHEXT SUCCESS ".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH" 198.88584900 vsmon.exe:1576 EnumerateValue HKLM\System\CurrentControlSet\Control\Session Manager\Environment\TEMP SUCCESS "%SystemRoot%\TEMP" 198.88587952 vsmon.exe:1576 EnumerateValue HKLM\System\CurrentControlSet\Control\Session Manager\Environment\TMP SUCCESS "%SystemRoot%\TEMP" 198.88591003 vsmon.exe:1576 EnumerateValue HKLM\System\CurrentControlSet\Control\Session Manager\Environment\CLASSPATH SUCCESS ".;C:\Program Files\Java\jre1.6.0_02\lib\ext\QTJava.zip" 198.88592529 vsmon.exe:1576 EnumerateValue HKLM\System\CurrentControlSet\Control\Session Manager\Environment\QTJAVA SUCCESS "C:\Program Files\Java\jre1.6.0_02\lib\ext\QTJava.zip" 
198.88592529 vsmon.exe:1576 EnumerateValue HKLM\System\CurrentControlSet\Control\Session Manager\Environment\tvdumpflags SUCCESS "8" 198.88594055 vsmon.exe:1576 CloseKey HKLM\System\CurrentControlSet\Control\Session Manager\Environment SUCCESS 198.88597107 vsmon.exe:1576 OpenKey HKLM\System\CurrentControlSet\Control\ComputerName SUCCESS Access: 0x20019 198.88598633 vsmon.exe:1576 OpenKey HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName SUCCESS Access: 0x20019 198.88600159 vsmon.exe:1576 QueryValue HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName\ComputerName SUCCESS "DARREN-NEWONE" 198.88600159 vsmon.exe:1576 CloseKey HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName SUCCESS 198.88601685 vsmon.exe:1576 CloseKey HKLM\System\CurrentControlSet\Control\ComputerName SUCCESS 198.88604736 vsmon.exe:1576 OpenKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList SUCCESS Access: 0x20019 198.88606262 vsmon.exe:1576 QueryValue HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\ProfilesDirectory SUCCESS "%SystemDrive%\Documents and Settings" 198.88606262 vsmon.exe:1576 CloseKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList SUCCESS 198.88609314 vsmon.exe:1576 OpenKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList SUCCESS Access: 0x20019 198.88609314 vsmon.exe:1576 QueryValue HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\DefaultUserProfile SUCCESS "Default User" 198.88610840 vsmon.exe:1576 CloseKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList SUCCESS 198.88612366 vsmon.exe:1576 OpenKey HKLM\Software\Microsoft\Windows\CurrentVersion SUCCESS Access: 0x20019 198.88613892 vsmon.exe:1576 QueryValue HKLM\Software\Microsoft\Windows\CurrentVersion\ProgramFilesDir SUCCESS "C:\Program Files" 198.88615417 vsmon.exe:1576 QueryValue HKLM\Software\Microsoft\Windows\CurrentVersion\CommonFilesDir SUCCESS "C:\Program Files\Common Files" 198.88616943 
vsmon.exe:1576 CloseKey HKLM\Software\Microsoft\Windows\CurrentVersion SUCCESS 198.88619995 vsmon.exe:1576 OpenKey HKCU SUCCESS Access: 0x20019 198.88630676 lsass.exe:892 OpenKey HKLM\SECURITY\Policy SUCCESS Access: 0x2001F 198.88632202 lsass.exe:892 OpenKey HKLM\SECURITY\Policy\SecDesc SUCCESS Access: 0x20019 198.88633728 lsass.exe:892 QueryValue HKLM\SECURITY\Policy\SecDesc\(Default) BUFFER OVERFLOW 198.88633728 lsass.exe:892 CloseKey HKLM\SECURITY\Policy\SecDesc SUCCESS 198.88635254 lsass.exe:892 OpenKey HKLM\SECURITY\Policy\SecDesc SUCCESS Access: 0x20019 198.88636780 lsass.exe:892 QueryValue HKLM\SECURITY\Policy\SecDesc\(Default) SUCCESS NONE 198.88636780 lsass.exe:892 CloseKey HKLM\SECURITY\Policy\SecDesc SUCCESS 198.88652039 lsass.exe:892 CloseKey HKLM\SECURITY\Policy SUCCESS 198.88661194 lsass.exe:892 OpenKey HKLM\SECURITY\Policy SUCCESS Access: 0x2001F 198.88662720 lsass.exe:892 OpenKey HKLM\SECURITY\Policy\SecDesc SUCCESS Access: 0x20019 198.88662720 lsass.exe:892 QueryValue HKLM\SECURITY\Policy\SecDesc\(Default) BUFFER OVERFLOW 198.88664246 lsass.exe:892 CloseKey HKLM\SECURITY\Policy\SecDesc SUCCESS 198.88665771 lsass.exe:892 OpenKey HKLM\SECURITY\Policy\SecDesc SUCCESS Access: 0x20019 198.88665771 lsass.exe:892 QueryValue HKLM\SECURITY\Policy\SecDesc\(Default) SUCCESS NONE 198.88667297 lsass.exe:892 CloseKey HKLM\SECURITY\Policy\SecDesc SUCCESS 198.88681030 lsass.exe:892 CloseKey HKLM\SECURITY\Policy SUCCESS 198.88687134 vsmon.exe:1576 OpenKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18 SUCCESS Access: 0x20019 198.88688660 vsmon.exe:1576 QueryValue HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18\ProfileImagePath SUCCESS "%systemroot%\system32\config\systemprofile" 198.88690186 vsmon.exe:1576 CloseKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18 SUCCESS 198.88693237 vsmon.exe:1576 CreateKey HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon SUCCESS Access: 0x2001F 
198.88693237 vsmon.exe:1576 QueryValue HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ParseAutoexec SUCCESS "1" 198.88694763 vsmon.exe:1576 SetValue HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ParseAutoexec SUCCESS "1" 198.88696289 vsmon.exe:1576 CloseKey HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon SUCCESS 198.88717651 vsmon.exe:1576 OpenKey HKCU\Environment SUCCESS Access: 0x20019 198.88719177 vsmon.exe:1576 EnumerateValue HKCU\Environment\TEMP SUCCESS "%USERPROFILE%\Local Settings\Temp" 198.88719177 vsmon.exe:1576 EnumerateValue HKCU\Environment\TMP SUCCESS "%USERPROFILE%\Local Settings\Temp" 198.88720703 vsmon.exe:1576 EnumerateValue HKCU\Environment NO MORE ENTRIES 198.88720703 vsmon.exe:1576 EnumerateValue HKCU\Environment\TEMP SUCCESS "%USERPROFILE%\Local Settings\Temp" 198.88787842 vsmon.exe:1576 EnumerateValue HKCU\Environment\TMP SUCCESS "%USERPROFILE%\Local Settings\Temp" 198.88850403 vsmon.exe:1576 EnumerateValue HKCU\Environment NO MORE ENTRIES 198.88851929 vsmon.exe:1576 CloseKey HKCU\Environment SUCCESS 198.88851929 vsmon.exe:1576 OpenKey HKCU\Volatile Environment NOT FOUND 198.88853455 vsmon.exe:1576 CloseKey HKCU SUCCESS 198.88854980 vsmon.exe:1576 CloseKey HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders SUCCESS 198.88859558 vsmon.exe:1576 OpenKey HKCU SUCCESS Access: 0x4 198.88862610 vsmon.exe:1576 CreateKey HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders SUCCESS Access: 0x2000000 198.88862610 vsmon.exe:1576 CloseKey HKCU SUCCESS 198.88864136 vsmon.exe:1576 SetValue HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData SUCCESS "C:\WINDOWS\system32\config\systemprofile\Application Data" 198.88864136 vsmon.exe:1576 CloseKey HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders SUCCESS 199.38510132 lsass.exe:892 OpenKey HKLM\SECURITY\Policy SUCCESS Access: 0x2001F 199.38511658 lsass.exe:892 OpenKey 
HKLM\SECURITY\Policy\SecDesc SUCCESS Access: 0x20019 199.38513184 lsass.exe:892 QueryValue HKLM\SECURITY\Policy\SecDesc\(Default) BUFFER OVERFLOW 199.38514709 lsass.exe:892 CloseKey HKLM\SECURITY\Policy\SecDesc SUCCESS 199.38516235 lsass.exe:892 OpenKey HKLM\SECURITY\Policy\SecDesc SUCCESS Access: 0x20019 199.38516235 lsass.exe:892 QueryValue HKLM\SECURITY\Policy\SecDesc\(Default) SUCCESS NONE 199.38517761 lsass.exe:892 CloseKey HKLM\SECURITY\Policy\SecDesc SUCCESS 199.38529968 lsass.exe:892 OpenKey HKLM\SAM\SAM\DOMAINS\Account\Groups\000003EB NOT FOUND 199.38537598 lsass.exe:892 OpenKey HKLM\SAM\SAM\DOMAINS\Account\Aliases\000003EB NOT FOUND 199.38539124 lsass.exe:892 OpenKey HKLM\SAM\SAM\DOMAINS\Account\Users\000003EB SUCCESS Access: 0x2001F 199.38540649 lsass.exe:892 QueryValue HKLM\SAM\SAM\DOMAINS\Account\Users\000003EB\V SUCCESS 00 00 00 00 BC 00 00 00 ... 199.38542175 lsass.exe:892 CloseKey HKLM\SAM\SAM\DOMAINS\Account\Users\000003EB SUCCESS 199.38548279 lsass.exe:892 CloseKey HKLM\SECURITY\Policy SUCCESS 200.38505554 lsass.exe:892 OpenKey HKLM\SECURITY\Policy SUCCESS Access: 0x2001F 200.38507080 lsass.exe:892 OpenKey HKLM\SECURITY\Policy\SecDesc SUCCESS Access: 0x20019 200.38508606 lsass.exe:892 QueryValue HKLM\SECURITY\Policy\SecDesc\(Default) BUFFER OVERFLOW 200.38508606 lsass.exe:892 CloseKey HKLM\SECURITY\Policy\SecDesc SUCCESS 200.38511658 lsass.exe:892 OpenKey HKLM\SECURITY\Policy\SecDesc SUCCESS Access: 0x20019 200.38511658 lsass.exe:892 QueryValue HKLM\SECURITY\Policy\SecDesc\(Default) SUCCESS NONE 200.38513184 lsass.exe:892 CloseKey HKLM\SECURITY\Policy\SecDesc SUCCESS 200.38525391 lsass.exe:892 OpenKey HKLM\SAM\SAM\DOMAINS\Account\Groups\000003EB NOT FOUND 200.38526917 lsass.exe:892 OpenKey HKLM\SAM\SAM\DOMAINS\Account\Aliases\000003EB NOT FOUND 200.38528442 lsass.exe:892 OpenKey HKLM\SAM\SAM\DOMAINS\Account\Users\000003EB SUCCESS Access: 0x2001F 200.38529968 lsass.exe:892 QueryValue HKLM\SAM\SAM\DOMAINS\Account\Users\000003EB\V SUCCESS 00 00 00 00 
BC 00 00 00 ... 200.38531494 lsass.exe:892 CloseKey HKLM\SAM\SAM\DOMAINS\Account\Users\000003EB SUCCESS 200.38537598 lsass.exe:892 CloseKey HKLM\SECURITY\Policy SUCCESS 201.38500977 lsass.exe:892 OpenKey HKLM\SECURITY\Policy SUCCESS Access: 0x2001F 201.38502502 lsass.exe:892 OpenKey HKLM\SECURITY\Policy\SecDesc SUCCESS Access: 0x20019 201.38504028 lsass.exe:892 QueryValue HKLM\SECURITY\Policy\SecDesc\(Default) BUFFER OVERFLOW 201.38504028 lsass.exe:892 CloseKey HKLM\SECURITY\Policy\SecDesc SUCCESS 201.38505554 lsass.exe:892 OpenKey HKLM\SECURITY\Policy\SecDesc SUCCESS Access: 0x20019 201.38507080 lsass.exe:892 QueryValue HKLM\SECURITY\Policy\SecDesc\(Default) SUCCESS NONE 201.38507080 lsass.exe:892 CloseKey HKLM\SECURITY\Policy\SecDesc SUCCESS 201.38520813 lsass.exe:892 OpenKey HKLM\SAM\SAM\DOMAINS\Account\Groups\000003EB NOT FOUND 201.38522339 lsass.exe:892 OpenKey HKLM\SAM\SAM\DOMAINS\Account\Aliases\000003EB NOT FOUND 201.38523865 lsass.exe:892 OpenKey HKLM\SAM\SAM\DOMAINS\Account\Users\000003EB SUCCESS Access: 0x2001F 201.38525391 lsass.exe:892 QueryValue HKLM\SAM\SAM\DOMAINS\Account\Users\000003EB\V SUCCESS 00 00 00 00 BC 00 00 00 ... 
201.38525391 lsass.exe:892 CloseKey HKLM\SAM\SAM\DOMAINS\Account\Users\000003EB SUCCESS 201.38533020 lsass.exe:892 CloseKey HKLM\SECURITY\Policy SUCCESS 202.38508606 lsass.exe:892 OpenKey HKLM\SECURITY\Policy SUCCESS Access: 0x2001F 202.38510132 lsass.exe:892 OpenKey HKLM\SECURITY\Policy\SecDesc SUCCESS Access: 0x20019 202.38511658 lsass.exe:892 QueryValue HKLM\SECURITY\Policy\SecDesc\(Default) BUFFER OVERFLOW 202.38511658 lsass.exe:892 CloseKey HKLM\SECURITY\Policy\SecDesc SUCCESS 202.38514709 lsass.exe:892 OpenKey HKLM\SECURITY\Policy\SecDesc SUCCESS Access: 0x20019 202.38514709 lsass.exe:892 QueryValue HKLM\SECURITY\Policy\SecDesc\(Default) SUCCESS NONE 202.38516235 lsass.exe:892 CloseKey HKLM\SECURITY\Policy\SecDesc SUCCESS 202.38528442 lsass.exe:892 OpenKey HKLM\SAM\SAM\DOMAINS\Account\Groups\000003EB NOT FOUND 202.38529968 lsass.exe:892 OpenKey HKLM\SAM\SAM\DOMAINS\Account\Aliases\000003EB NOT FOUND 202.38531494 lsass.exe:892 OpenKey HKLM\SAM\SAM\DOMAINS\Account\Users\000003EB SUCCESS Access: 0x2001F 202.38533020 lsass.exe:892 QueryValue HKLM\SAM\SAM\DOMAINS\Account\Users\000003EB\V SUCCESS 00 00 00 00 BC 00 00 00 ... 
202.38533020 lsass.exe:892 CloseKey HKLM\SAM\SAM\DOMAINS\Account\Users\000003EB SUCCESS 202.38540649 lsass.exe:892 CloseKey HKLM\SECURITY\Policy SUCCESS 202.52558899 ScanningProcess:212 OpenKey HKLM\SOFTWARE\KasperskyLab\Components\100 NOT FOUND 203.38526917 lsass.exe:892 OpenKey HKLM\SECURITY\Policy SUCCESS Access: 0x2001F 203.38528442 lsass.exe:892 OpenKey HKLM\SECURITY\Policy\SecDesc SUCCESS Access: 0x20019 203.38529968 lsass.exe:892 QueryValue HKLM\SECURITY\Policy\SecDesc\(Default) BUFFER OVERFLOW 203.38531494 lsass.exe:892 CloseKey HKLM\SECURITY\Policy\SecDesc SUCCESS 203.38533020 lsass.exe:892 OpenKey HKLM\SECURITY\Policy\SecDesc SUCCESS Access: 0x20019 203.38534546 lsass.exe:892 QueryValue HKLM\SECURITY\Policy\SecDesc\(Default) SUCCESS NONE 203.38534546 lsass.exe:892 CloseKey HKLM\SECURITY\Policy\SecDesc SUCCESS 203.38546753 lsass.exe:892 OpenKey HKLM\SAM\SAM\DOMAINS\Account\Groups\000003EB NOT FOUND 203.38548279 lsass.exe:892 OpenKey HKLM\SAM\SAM\DOMAINS\Account\Aliases\000003EB NOT FOUND 203.38551331 lsass.exe:892 OpenKey HKLM\SAM\SAM\DOMAINS\Account\Users\000003EB SUCCESS Access: 0x2001F 203.38552856 lsass.exe:892 QueryValue HKLM\SAM\SAM\DOMAINS\Account\Users\000003EB\V SUCCESS 00 00 00 00 BC 00 00 00 ... 
203.38552856 lsass.exe:892 CloseKey HKLM\SAM\SAM\DOMAINS\Account\Users\000003EB SUCCESS 203.38560486 lsass.exe:892 CloseKey HKLM\SECURITY\Policy SUCCESS 204.38505554 lsass.exe:892 OpenKey HKLM\SECURITY\Policy SUCCESS Access: 0x2001F 204.38507080 lsass.exe:892 OpenKey HKLM\SECURITY\Policy\SecDesc SUCCESS Access: 0x20019 204.38508606 lsass.exe:892 QueryValue HKLM\SECURITY\Policy\SecDesc\(Default) BUFFER OVERFLOW 204.38510132 lsass.exe:892 CloseKey HKLM\SECURITY\Policy\SecDesc SUCCESS 204.38511658 lsass.exe:892 OpenKey HKLM\SECURITY\Policy\SecDesc SUCCESS Access: 0x20019 204.38511658 lsass.exe:892 QueryValue HKLM\SECURITY\Policy\SecDesc\(Default) SUCCESS NONE 204.38513184 lsass.exe:892 CloseKey HKLM\SECURITY\Policy\SecDesc SUCCESS 204.38525391 lsass.exe:892 OpenKey HKLM\SAM\SAM\DOMAINS\Account\Groups\000003EB NOT FOUND 204.38526917 lsass.exe:892 OpenKey HKLM\SAM\SAM\DOMAINS\Account\Aliases\000003EB NOT FOUND 204.38528442 lsass.exe:892 OpenKey HKLM\SAM\SAM\DOMAINS\Account\Users\000003EB SUCCESS Access: 0x2001F 204.38529968 lsass.exe:892 QueryValue HKLM\SAM\SAM\DOMAINS\Account\Users\000003EB\V SUCCESS 00 00 00 00 BC 00 00 00 ... 
204.38529968 lsass.exe:892 CloseKey HKLM\SAM\SAM\DOMAINS\Account\Users\000003EB SUCCESS 204.38537598 lsass.exe:892 CloseKey HKLM\SECURITY\Policy SUCCESS 205.38505554 lsass.exe:892 OpenKey HKLM\SECURITY\Policy SUCCESS Access: 0x2001F 205.38507080 lsass.exe:892 OpenKey HKLM\SECURITY\Policy\SecDesc SUCCESS Access: 0x20019 205.38508606 lsass.exe:892 QueryValue HKLM\SECURITY\Policy\SecDesc\(Default) BUFFER OVERFLOW 205.38510132 lsass.exe:892 CloseKey HKLM\SECURITY\Policy\SecDesc SUCCESS 205.38511658 lsass.exe:892 OpenKey HKLM\SECURITY\Policy\SecDesc SUCCESS Access: 0x20019 205.38511658 lsass.exe:892 QueryValue HKLM\SECURITY\Policy\SecDesc\(Default) SUCCESS NONE 205.38513184 lsass.exe:892 CloseKey HKLM\SECURITY\Policy\SecDesc SUCCESS 205.38525391 lsass.exe:892 OpenKey HKLM\SAM\SAM\DOMAINS\Account\Groups\000003EB NOT FOUND 205.38526917 lsass.exe:892 OpenKey HKLM\SAM\SAM\DOMAINS\Account\Aliases\000003EB NOT FOUND 205.38529968 lsass.exe:892 OpenKey HKLM\SAM\SAM\DOMAINS\Account\Users\000003EB SUCCESS Access: 0x2001F 205.38531494 lsass.exe:892 QueryValue HKLM\SAM\SAM\DOMAINS\Account\Users\000003EB\V SUCCESS 00 00 00 00 BC 00 00 00 ... 
205.38531494 lsass.exe:892 CloseKey HKLM\SAM\SAM\DOMAINS\Account\Users\000003EB SUCCESS 205.38539124 lsass.exe:892 CloseKey HKLM\SECURITY\Policy SUCCESS 206.38514709 lsass.exe:892 OpenKey HKLM\SECURITY\Policy SUCCESS Access: 0x2001F 206.38516235 lsass.exe:892 OpenKey HKLM\SECURITY\Policy\SecDesc SUCCESS Access: 0x20019 206.38517761 lsass.exe:892 QueryValue HKLM\SECURITY\Policy\SecDesc\(Default) BUFFER OVERFLOW 206.38517761 lsass.exe:892 CloseKey HKLM\SECURITY\Policy\SecDesc SUCCESS 206.38520813 lsass.exe:892 OpenKey HKLM\SECURITY\Policy\SecDesc SUCCESS Access: 0x20019 206.38520813 lsass.exe:892 QueryValue HKLM\SECURITY\Policy\SecDesc\(Default) SUCCESS NONE 206.38522339 lsass.exe:892 CloseKey HKLM\SECURITY\Policy\SecDesc SUCCESS 206.38534546 lsass.exe:892 OpenKey HKLM\SAM\SAM\DOMAINS\Account\Groups\000003EB NOT FOUND 206.38536072 lsass.exe:892 OpenKey HKLM\SAM\SAM\DOMAINS\Account\Aliases\000003EB NOT FOUND 206.38537598 lsass.exe:892 OpenKey HKLM\SAM\SAM\DOMAINS\Account\Users\000003EB SUCCESS Access: 0x2001F 206.38539124 lsass.exe:892 QueryValue HKLM\SAM\SAM\DOMAINS\Account\Users\000003EB\V SUCCESS 00 00 00 00 BC 00 00 00 ... 
206.38540649 lsass.exe:892 CloseKey HKLM\SAM\SAM\DOMAINS\Account\Users\000003EB SUCCESS
206.38546753 lsass.exe:892 CloseKey HKLM\SECURITY\Policy SUCCESS
207.38502502 lsass.exe:892 OpenKey HKLM\SECURITY\Policy SUCCESS Access: 0x2001F
207.38504028 lsass.exe:892 OpenKey HKLM\SECURITY\Policy\SecDesc SUCCESS Access: 0x20019
207.38505554 lsass.exe:892 QueryValue HKLM\SECURITY\Policy\SecDesc\(Default) BUFFER OVERFLOW
207.38507080 lsass.exe:892 CloseKey HKLM\SECURITY\Policy\SecDesc SUCCESS
207.38508606 lsass.exe:892 OpenKey HKLM\SECURITY\Policy\SecDesc SUCCESS Access: 0x20019
207.38508606 lsass.exe:892 QueryValue HKLM\SECURITY\Policy\SecDesc\(Default) SUCCESS NONE
207.38510132 lsass.exe:892 CloseKey HKLM\SECURITY\Policy\SecDesc SUCCESS
207.38522339 lsass.exe:892 OpenKey HKLM\SAM\SAM\DOMAINS\Account\Groups\000003EB NOT FOUND
207.38523865 lsass.exe:892 OpenKey HKLM\SAM\SAM\DOMAINS\Account\Aliases\000003EB NOT FOUND
207.38526917 lsass.exe:892 OpenKey HKLM\SAM\SAM\DOMAINS\Account\Users\000003EB SUCCESS Access: 0x2001F
207.38528442 lsass.exe:892 QueryValue HKLM\SAM\SAM\DOMAINS\Account\Users\000003EB\V SUCCESS 00 00 00 00 BC 00 00 00 ...
207.38528442 lsass.exe:892 CloseKey HKLM\SAM\SAM\DOMAINS\Account\Users\000003EB SUCCESS
207.38536072 lsass.exe:892 CloseKey HKLM\SECURITY\Policy SUCCESS
208.38519287 lsass.exe:892 OpenKey HKLM\SECURITY\Policy SUCCESS Access: 0x2001F
208.38520813 lsass.exe:892 OpenKey HKLM\SECURITY\Policy\SecDesc SUCCESS Access: 0x20019
208.38520813 lsass.exe:892 QueryValue HKLM\SECURITY\Policy\SecDesc\(Default) BUFFER OVERFLOW
208.38522339 lsass.exe:892 CloseKey HKLM\SECURITY\Policy\SecDesc SUCCESS
208.38523865 lsass.exe:892 OpenKey HKLM\SECURITY\Policy\SecDesc SUCCESS Access: 0x20019
208.38525391 lsass.exe:892 QueryValue HKLM\SECURITY\Policy\SecDesc\(Default) SUCCESS NONE
208.38525391 lsass.exe:892 CloseKey HKLM\SECURITY\Policy\SecDesc SUCCESS
208.38539124 lsass.exe:892 OpenKey HKLM\SAM\SAM\DOMAINS\Account\Groups\000003EB NOT FOUND
208.38540649 lsass.exe:892 OpenKey HKLM\SAM\SAM\DOMAINS\Account\Aliases\000003EB NOT FOUND
208.38542175 lsass.exe:892 OpenKey HKLM\SAM\SAM\DOMAINS\Account\Users\000003EB SUCCESS Access: 0x2001F
208.38543701 lsass.exe:892 QueryValue HKLM\SAM\SAM\DOMAINS\Account\Users\000003EB\V SUCCESS 00 00 00 00 BC 00 00 00 ...
208.38545227 lsass.exe:892 CloseKey HKLM\SAM\SAM\DOMAINS\Account\Users\000003EB SUCCESS
208.38551331 lsass.exe:892 CloseKey HKLM\SECURITY\Policy SUCCESS
208.66699219 ScanningProcess:212 OpenKey HKLM\SOFTWARE\KasperskyLab\Components\100 NOT FOUND
208.66918945 postgres.exe:2612 OpenKey HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers NOT FOUND
208.66921997 postgres.exe:2612 OpenKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\postgres.exe NOT FOUND
208.67366028 lsass.exe:892 OpenKey HKLM\SECURITY\Policy SUCCESS Access: 0x2001F
208.67367554 lsass.exe:892 OpenKey HKLM\SECURITY\Policy\SecDesc SUCCESS Access: 0x20019
208.67369080 lsass.exe:892 QueryValue HKLM\SECURITY\Policy\SecDesc\(Default) BUFFER OVERFLOW
208.67370605 lsass.exe:892 CloseKey HKLM\SECURITY\Policy\SecDesc SUCCESS
208.67372131 lsass.exe:892 OpenKey HKLM\SECURITY\Policy\SecDesc SUCCESS Access: 0x20019
208.67372131 lsass.exe:892 QueryValue HKLM\SECURITY\Policy\SecDesc\(Default) SUCCESS NONE
208.67373657 lsass.exe:892 CloseKey HKLM\SECURITY\Policy\SecDesc SUCCESS
208.67390442 lsass.exe:892 CloseKey HKLM\SECURITY\Policy SUCCESS
208.67395020 vsmon.exe:1576 OpenKey HKLM\System\CurrentControlSet\Control\ComputerName SUCCESS Access: 0x20019
208.67396545 vsmon.exe:1576 OpenKey HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName SUCCESS Access: 0x20019
208.67398071 vsmon.exe:1576 QueryValue HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName\ComputerName SUCCESS "DARREN-NEWONE"
208.67399597 vsmon.exe:1576 CloseKey HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName SUCCESS
208.67399597 vsmon.exe:1576 CloseKey HKLM\System\CurrentControlSet\Control\ComputerName SUCCESS
208.67892456 vsmon.exe:1576 OpenKey HKCU SUCCESS Access: 0x2000000
208.67893982 vsmon.exe:1576 OpenKey HKCU\Software\Policies\Microsoft\Control Panel\Desktop NOT FOUND
208.67895508 vsmon.exe:1576 OpenKey HKCU\Control Panel\Desktop SUCCESS Access: 0x80000000
208.67897034 vsmon.exe:1576 QueryValue HKCU\Control Panel\Desktop\MultiUILanguageId NOT FOUND
208.67898560 vsmon.exe:1576 CloseKey HKCU\Control Panel\Desktop SUCCESS
208.67898560 vsmon.exe:1576 CloseKey HKCU SUCCESS
208.72251892 csrss.exe:812 OpenKey HKCU SUCCESS Access: 0x2000000
208.72253418 csrss.exe:812 OpenKey HKCU\Software\Policies\Microsoft\Control Panel\Desktop NOT FOUND
208.72254944 csrss.exe:812 OpenKey HKCU\Control Panel\Desktop SUCCESS Access: 0x80000000
208.72256470 csrss.exe:812 QueryValue HKCU\Control Panel\Desktop\MultiUILanguageId NOT FOUND
208.72256470 csrss.exe:812 CloseKey HKCU\Control Panel\Desktop SUCCESS
208.72257996 csrss.exe:812 CloseKey HKCU SUCCESS
208.72286987 csrss.exe:812 QueryValue HKLM\SYSTEM\Setup\SystemSetupInProgress SUCCESS 0x0
208.72438049 csrss.exe:812 QueryValue HKLM\SYSTEM\Setup\SystemSetupInProgress SUCCESS 0x0
208.72492981 csrss.exe:812 QueryValue HKLM\SYSTEM\Setup\SystemSetupInProgress SUCCESS 0x0
208.75640869 postgres.exe:3656 OpenKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\postgres.exe NOT FOUND
208.75704956 postgres.exe:3656 OpenKey HKLM\System\CurrentControlSet\Control\Terminal Server SUCCESS Access: 0x20019
208.75706482 postgres.exe:3656 QueryValue HKLM\System\CurrentControlSet\Control\Terminal Server\TSAppCompat SUCCESS 0x0
208.75708008 postgres.exe:3656 CloseKey HKLM\System\CurrentControlSet\Control\Terminal Server SUCCESS
208.76786804 postgres.exe:3656 OpenKey HKLM\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots NOT FOUND
208.76875305 postgres.exe:3656 OpenKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Secur32.dll NOT FOUND
208.76878357 postgres.exe:3656 OpenKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RPCRT4.dll NOT FOUND
208.76881409 postgres.exe:3656 OpenKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ADVAPI32.dll NOT FOUND
208.76884460 postgres.exe:3656 OpenKey HKLM\System\CurrentControlSet\Control\Terminal Server SUCCESS Access: 0x20019
208.76885986 postgres.exe:3656 QueryValue HKLM\System\CurrentControlSet\Control\Terminal Server\TSAppCompat SUCCESS 0x0
208.76885986 postgres.exe:3656 QueryValue HKLM\System\CurrentControlSet\Control\Terminal Server\TSUserEnabled SUCCESS 0x0
208.76887512 postgres.exe:3656 CloseKey HKLM\System\CurrentControlSet\Control\Terminal Server SUCCESS
208.76890564 postgres.exe:3656 OpenKey HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon SUCCESS Access: 0x20019
208.76892090 postgres.exe:3656 QueryValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LeakTrack NOT FOUND
208.76892090 postgres.exe:3656 CloseKey HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon SUCCESS
208.76893616 postgres.exe:3656 OpenKey HKLM SUCCESS Access: 0x2000000
208.76895142 postgres.exe:3656 OpenKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\Diagnostics NOT FOUND
208.76898193 postgres.exe:3656 OpenKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msvcrt.dll NOT FOUND
208.76918030 postgres.exe:3656 OpenKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WS2HELP.dll NOT FOUND
208.76918030 postgres.exe:3656 OpenKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WS2_32.dll NOT FOUND
208.76921082 postgres.exe:3656 OpenKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WSOCK32.dll NOT FOUND
208.76924133 postgres.exe:3656 OpenKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\USER32.dll NOT FOUND
208.76930237 postgres.exe:3656 OpenKey HKLM\System\CurrentControlSet\Control\Session Manager SUCCESS Access: 0x1
208.76931763 postgres.exe:3656 QueryValue HKLM\System\CurrentControlSet\Control\Session Manager\SafeDllSearchMode NOT FOUND
208.76931763 postgres.exe:3656 CloseKey HKLM\System\CurrentControlSet\Control\Session Manager SUCCESS
208.77037048 postgres.exe:3656 OpenKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IMM32.DLL NOT FOUND
208.77043152 postgres.exe:3656 OpenKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ntdll.dll NOT FOUND
208.77044678 postgres.exe:3656 OpenKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kernel32.dll NOT FOUND
208.77046204 postgres.exe:3656 OpenKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GDI32.dll NOT FOUND
208.77047729 postgres.exe:3656 OpenKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSVCR71.dll NOT FOUND
208.77049255 postgres.exe:3656 OpenKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LIBEAY32.dll NOT FOUND
208.77050781 postgres.exe:3656 OpenKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SSLEAY32.dll NOT FOUND
208.77050781 postgres.exe:3656 OpenKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\libiconv2.dll NOT FOUND
208.77052307 postgres.exe:3656 OpenKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\OLE32.dll NOT FOUND
208.77053833 postgres.exe:3656 OpenKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\libintl3.dll NOT FOUND
208.77055359 postgres.exe:3656 OpenKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\k5sprt32.dll NOT FOUND
208.77056885 postgres.exe:3656 OpenKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\comerr32.dll NOT FOUND
208.77058411 postgres.exe:3656 OpenKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\krb5_32.dll NOT FOUND
208.77059937 postgres.exe:3656 OpenKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\gssapi32.dll NOT FOUND
208.77059937 postgres.exe:3656 OpenKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iconv.dll NOT FOUND
208.77061462 postgres.exe:3656 OpenKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zlib1.dll NOT FOUND
208.77062988 postgres.exe:3656 OpenKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\libxml2.dll NOT FOUND
208.77064514 postgres.exe:3656 OpenKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WLDAP32.dll NOT FOUND
208.77066040 postgres.exe:3656 OpenKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSVCR80.dll NOT FOUND
208.77070618 postgres.exe:3656 OpenKey HKLM\System\CurrentControlSet\Control\Error Message Instrument\ NOT FOUND
208.77072144 postgres.exe:3656 OpenKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize SUCCESS Access: 0x20019
208.77073669 postgres.exe:3656 QueryValue HKLM\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles NOT FOUND
208.77073669 postgres.exe:3656 CloseKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize SUCCESS
208.77087402 postgres.exe:3656 OpenKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\Compatibility32 SUCCESS Access: 0x20019
208.77088928 postgres.exe:3656 QueryValue HKLM\Software\Microsoft\Windows NT\CurrentVersion\Compatibility32\postgres NOT FOUND
208.77090454 postgres.exe:3656 CloseKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\Compatibility32 SUCCESS
208.77091980 postgres.exe:3656 OpenKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\IME Compatibility SUCCESS Access: 0x20019
208.77093506 postgres.exe:3656 QueryValue HKLM\Software\Microsoft\Windows NT\CurrentVersion\IME Compatibility\postgres NOT FOUND
208.77093506 postgres.exe:3656 CloseKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\IME Compatibility SUCCESS
208.77101135 postgres.exe:3656 OpenKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows SUCCESS Access: 0x20019
208.77102661 postgres.exe:3656 QueryValue HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SUCCESS ""
208.77102661 postgres.exe:3656 CloseKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows SUCCESS
208.77157593 postgres.exe:3656 SetValue HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed SUCCESS B4 09 B7 05 47 57 5B E7 ...
208.77162170 postgres.exe:3656 OpenKey HKLM\SYSTEM\CurrentControlSet\Control\Session Manager SUCCESS Access: 0x20019
208.77162170 postgres.exe:3656 QueryValue HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\CriticalSectionTimeout SUCCESS 0x278D00
208.77163696 postgres.exe:3656 CloseKey HKLM\SYSTEM\CurrentControlSet\Control\Session Manager SUCCESS
208.77165222 postgres.exe:3656 OpenKey HKLM\Software\Microsoft\Ole SUCCESS Access: 0x20019
208.77166748 postgres.exe:3656 QueryValue HKLM\Software\Microsoft\Ole\RWLockResourceTimeOut NOT FOUND
208.77166748 postgres.exe:3656 CloseKey HKLM\Software\Microsoft\Ole SUCCESS
208.77169800 postgres.exe:3656 OpenKey HKCR\Interface SUCCESS Access: 0x20019
208.77169800 postgres.exe:3656 QueryValue HKCR\Interface\InterfaceHelperDisableAll NOT FOUND
208.77171326 postgres.exe:3656 QueryValue HKCR\Interface\InterfaceHelperDisableAllForOle32 NOT FOUND
208.77171326 postgres.exe:3656 QueryValue HKCR\Interface\InterfaceHelperDisableTypeLib NOT FOUND
208.77172852 postgres.exe:3656 CloseKey HKCR\Interface SUCCESS
208.77174377 postgres.exe:3656 OpenKey HKCR\Interface\{00020400-0000-0000-C000-000000000046} SUCCESS Access: 0x20019
208.77175903 postgres.exe:3656 QueryValue HKCR\Interface\{00020400-0000-0000-C000-000000000046}\InterfaceHelperDisableAll NOT FOUND
208.77175903 postgres.exe:3656 QueryValue HKCR\Interface\{00020400-0000-0000-C000-000000000046}\InterfaceHelperDisableAllForOle32 NOT FOUND
208.77177429 postgres.exe:3656 CloseKey HKCR\Interface\{00020400-0000-0000-C000-000000000046} SUCCESS
208.77191162 postgres.exe:3656 OpenKey HKLM\System\CurrentControlSet\Services\LDAP SUCCESS Access: 0x20019
208.77192688 postgres.exe:3656 QueryValue HKLM\System\CurrentControlSet\Services\LDAP\LdapClientIntegrity SUCCESS 0x1
208.77194214 postgres.exe:3656 CloseKey HKLM\System\CurrentControlSet\Services\LDAP SUCCESS
208.77287292 postgres.exe:3656 OpenKey HKLM\System\CurrentControlSet\Services\WinSock2\Parameters SUCCESS Access: 0x2000000
208.77288818 postgres.exe:3656 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\WinSock_Registry_Version SUCCESS "2.0"
208.77288818 postgres.exe:3656 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\WinSock_Registry_Version SUCCESS "2.0"
208.77291870 postgres.exe:3656 OpenKey HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9 SUCCESS Access: 0x2000000
208.77293396 postgres.exe:3656 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Serial_Access_Num SUCCESS 0xA
208.77294922 postgres.exe:3656 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Serial_Access_Num SUCCESS 0xA
208.77296448 postgres.exe:3656 OpenKey HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\0000000A NOT FOUND
208.77297974 postgres.exe:3656 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Next_Catalog_Entry_ID SUCCESS 0x412
208.77299500 postgres.exe:3656 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Num_Catalog_Entries SUCCESS 0x11
208.77301025 postgres.exe:3656 OpenKey HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries SUCCESS Access: 0x2000000
208.77302551 postgres.exe:3656 OpenKey HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001 SUCCESS Access: 0x20019
208.77304077 postgres.exe:3656 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001\PackedCatalogItem BUFFER OVERFLOW
208.77304077 postgres.exe:3656 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001\PackedCatalogItem BUFFER OVERFLOW
208.77305603 postgres.exe:3656 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001\PackedCatalogItem SUCCESS 25 53 79 73 74 65 6D 52 ...
208.77307129 postgres.exe:3656 CloseKey HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001 SUCCESS
208.77308655 postgres.exe:3656 OpenKey HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002 SUCCESS Access: 0x20019
208.77310181 postgres.exe:3656 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002\PackedCatalogItem BUFFER OVERFLOW
208.77311707 postgres.exe:3656 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002\PackedCatalogItem BUFFER OVERFLOW
208.77311707 postgres.exe:3656 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002\PackedCatalogItem SUCCESS 25 53 79 73 74 65 6D 52 ...
208.77313232 postgres.exe:3656 CloseKey HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002 SUCCESS
208.77314758 postgres.exe:3656 OpenKey HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003 SUCCESS Access: 0x20019
208.77316284 postgres.exe:3656 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003\PackedCatalogItem BUFFER OVERFLOW
208.77317810 postgres.exe:3656 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003\PackedCatalogItem BUFFER OVERFLOW
208.77317810 postgres.exe:3656 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003\PackedCatalogItem SUCCESS 25 53 79 73 74 65 6D 52 ...
208.77319336 postgres.exe:3656 CloseKey HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003 SUCCESS
208.77322388 postgres.exe:3656 OpenKey HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004 SUCCESS Access: 0x20019
208.77322388 postgres.exe:3656 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004\PackedCatalogItem BUFFER OVERFLOW
208.77323914 postgres.exe:3656 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004\PackedCatalogItem BUFFER OVERFLOW
208.77325439 postgres.exe:3656 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004\PackedCatalogItem SUCCESS 25 53 79 73 74 65 6D 52 ...
208.77325439 postgres.exe:3656 CloseKey HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004 SUCCESS
208.77326965 postgres.exe:3656 OpenKey HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005 SUCCESS Access: 0x20019
208.77328491 postgres.exe:3656 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005\PackedCatalogItem BUFFER OVERFLOW
208.77330017 postgres.exe:3656 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005\PackedCatalogItem BUFFER OVERFLOW
208.77331543 postgres.exe:3656 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005\PackedCatalogItem SUCCESS 25 53 79 73 74 65 6D 52 ...
208.77331543 postgres.exe:3656 CloseKey HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005 SUCCESS
208.77334595 postgres.exe:3656 OpenKey HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006 SUCCESS Access: 0x20019
208.77334595 postgres.exe:3656 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006\PackedCatalogItem BUFFER OVERFLOW
208.77336121 postgres.exe:3656 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006\PackedCatalogItem BUFFER OVERFLOW
208.77337646 postgres.exe:3656 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006\PackedCatalogItem SUCCESS 25 53 79 73 74 65 6D 52 ...
208.77337646 postgres.exe:3656 CloseKey HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006 SUCCESS
208.77339172 postgres.exe:3656 OpenKey HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007 SUCCESS Access: 0x20019
208.77340698 postgres.exe:3656 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007\PackedCatalogItem BUFFER OVERFLOW
208.77342224 postgres.exe:3656 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007\PackedCatalogItem BUFFER OVERFLOW
208.77343750 postgres.exe:3656 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007\PackedCatalogItem SUCCESS 25 53 79 73 74 65 6D 52 ...
208.77343750 postgres.exe:3656 CloseKey HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007 SUCCESS
208.77345276 postgres.exe:3656 OpenKey HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008 SUCCESS Access: 0x20019
208.77346802 postgres.exe:3656 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008\PackedCatalogItem BUFFER OVERFLOW
208.77348328 postgres.exe:3656 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008\PackedCatalogItem BUFFER OVERFLOW
208.77348328 postgres.exe:3656 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008\PackedCatalogItem SUCCESS 25 53 79 73 74 65 6D 52 ...
208.77349854 postgres.exe:3656 CloseKey HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008 SUCCESS
208.77352905 postgres.exe:3656 OpenKey HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009 SUCCESS Access: 0x20019
208.77352905 postgres.exe:3656 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009\PackedCatalogItem BUFFER OVERFLOW
208.77354431 postgres.exe:3656 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009\PackedCatalogItem BUFFER OVERFLOW
208.77355957 postgres.exe:3656 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009\PackedCatalogItem SUCCESS 25 53 79 73 74 65 6D 52 ...
208.77355957 postgres.exe:3656 CloseKey HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009 SUCCESS
208.77359009 postgres.exe:3656 OpenKey HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010 SUCCESS Access: 0x20019
208.77359009 postgres.exe:3656 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010\PackedCatalogItem BUFFER OVERFLOW
208.77360535 postgres.exe:3656 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010\PackedCatalogItem BUFFER OVERFLOW
208.77362061 postgres.exe:3656 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010\PackedCatalogItem SUCCESS 25 53 79 73 74 65 6D 52 ...
208.77362061 postgres.exe:3656 CloseKey HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010 SUCCESS
208.77365112 postgres.exe:3656 OpenKey HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011 SUCCESS Access: 0x20019
208.77365112 postgres.exe:3656 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011\PackedCatalogItem BUFFER OVERFLOW
208.77366638 postgres.exe:3656 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011\PackedCatalogItem BUFFER OVERFLOW
208.77368164 postgres.exe:3656 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011\PackedCatalogItem SUCCESS 25 53 79 73 74 65 6D 52 ...
208.77368164 postgres.exe:3656 CloseKey HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011 SUCCESS
208.77371216 postgres.exe:3656 OpenKey HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000012 SUCCESS Access: 0x20019
208.77371216 postgres.exe:3656 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000012\PackedCatalogItem BUFFER OVERFLOW
208.77372742 postgres.exe:3656 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000012\PackedCatalogItem BUFFER OVERFLOW
208.77374268 postgres.exe:3656 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000012\PackedCatalogItem SUCCESS 25 53 79 73 74 65 6D 52 ...
208.77374268 postgres.exe:3656 CloseKey HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000012 SUCCESS
208.77377319 postgres.exe:3656 OpenKey HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000013 SUCCESS Access: 0x20019
208.77377319 postgres.exe:3656 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000013\PackedCatalogItem BUFFER OVERFLOW
208.77378845 postgres.exe:3656 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000013\PackedCatalogItem BUFFER OVERFLOW
208.77380371 postgres.exe:3656 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000013\PackedCatalogItem SUCCESS 25 53 79 73 74 65 6D 52 ...
208.77380371 postgres.exe:3656 CloseKey HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000013 SUCCESS
208.77383423 postgres.exe:3656 OpenKey HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000014 SUCCESS Access: 0x20019
208.77383423 postgres.exe:3656 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000014\PackedCatalogItem BUFFER OVERFLOW
208.77384949 postgres.exe:3656 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000014\PackedCatalogItem BUFFER OVERFLOW
208.77386475 postgres.exe:3656 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000014\PackedCatalogItem SUCCESS 25 53 79 73 74 65 6D 52 ...
208.77386475 postgres.exe:3656 CloseKey HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000014 SUCCESS
208.77389526 postgres.exe:3656 OpenKey HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000015 SUCCESS Access: 0x20019
208.77389526 postgres.exe:3656 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000015\PackedCatalogItem BUFFER OVERFLOW
208.77391052 postgres.exe:3656 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000015\PackedCatalogItem BUFFER OVERFLOW
208.77392578 postgres.exe:3656 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000015\PackedCatalogItem SUCCESS 25 53 79 73 74 65 6D 52 ...
208.77392578 postgres.exe:3656 CloseKey HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000015 SUCCESS
208.77395630 postgres.exe:3656 OpenKey HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000016 SUCCESS Access: 0x20019
208.77395630 postgres.exe:3656 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000016\PackedCatalogItem BUFFER OVERFLOW
208.77397156 postgres.exe:3656 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000016\PackedCatalogItem BUFFER OVERFLOW
208.77398682 postgres.exe:3656 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000016\PackedCatalogItem SUCCESS 25 53 79 73 74 65 6D 52 ...
208.77398682 postgres.exe:3656 CloseKey HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000016 SUCCESS
208.77401733 postgres.exe:3656 OpenKey HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000017 SUCCESS Access: 0x20019
208.77401733 postgres.exe:3656 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000017\PackedCatalogItem BUFFER OVERFLOW
208.77403259 postgres.exe:3656 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000017\PackedCatalogItem BUFFER OVERFLOW
208.77404785 postgres.exe:3656 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000017\PackedCatalogItem SUCCESS 25 53 79 73 74 65 6D 52 ...
208.77404785 postgres.exe:3656 CloseKey HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000017 SUCCESS
208.77406311 postgres.exe:3656 CloseKey HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries SUCCESS
208.77407837 postgres.exe:3656 OpenKey HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5 SUCCESS Access: 0x2000000
208.77409363 postgres.exe:3656 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Serial_Access_Num SUCCESS 0x4
208.77410889 postgres.exe:3656 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Serial_Access_Num SUCCESS 0x4
208.77412415 postgres.exe:3656 OpenKey HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\00000004 NOT FOUND
208.77412415 postgres.exe:3656 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Num_Catalog_Entries SUCCESS 0x3
208.77415466 postgres.exe:3656 OpenKey HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries SUCCESS Access: 0x2000000
208.77416992 postgres.exe:3656 OpenKey HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 SUCCESS Access: 0x20019
208.77418518 postgres.exe:3656 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\LibraryPath SUCCESS "%SystemRoot%\System32\mswsock.dll"
208.77418518 postgres.exe:3656 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\LibraryPath SUCCESS "%SystemRoot%\System32\mswsock.dll"
208.77420044 postgres.exe:3656 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\DisplayString SUCCESS "Tcpip"
208.77421570 postgres.exe:3656 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\DisplayString SUCCESS "Tcpip"
208.77421570 postgres.exe:3656 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\DisplayString SUCCESS "Tcpip"
208.77423096 postgres.exe:3656 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\DisplayString SUCCESS "Tcpip"
208.77424622 postgres.exe:3656 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\ProviderId SUCCESS 40 9D 05 22 9E 7E CF 11 ...
208.77426147 postgres.exe:3656 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\AddressFamily NOT FOUND
208.77426147 postgres.exe:3656 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\SupportedNameSpace SUCCESS 0xC
208.77427673 postgres.exe:3656 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\Enabled SUCCESS 0x1
208.77427673 postgres.exe:3656 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\Version SUCCESS 0x0
208.77429199 postgres.exe:3656 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\StoresServiceClassInfo SUCCESS 0x0
208.77430725 postgres.exe:3656 CloseKey HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 SUCCESS
208.77432251 postgres.exe:3656 OpenKey HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 SUCCESS Access: 0x20019
208.77433777 postgres.exe:3656 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\LibraryPath SUCCESS "%SystemRoot%\System32\winrnr.dll"
208.77433777 postgres.exe:3656 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\LibraryPath SUCCESS "%SystemRoot%\System32\winrnr.dll"
208.77435303 postgres.exe:3656 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\DisplayString SUCCESS "NTDS"
208.77436829 postgres.exe:3656 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\DisplayString SUCCESS "NTDS"
208.77436829 postgres.exe:3656 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\DisplayString SUCCESS "NTDS"
208.77438354 postgres.exe:3656 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\DisplayString SUCCESS "NTDS"
208.77439880 postgres.exe:3656 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\ProviderId SUCCESS EE 37 26 3B 80 E5 CF 11 ...
208.77441406 postgres.exe:3656 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\AddressFamily NOT FOUND
208.77441406 postgres.exe:3656 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\SupportedNameSpace SUCCESS 0x20
208.77442932 postgres.exe:3656 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\Enabled SUCCESS 0x1
208.77442932 postgres.exe:3656 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\Version SUCCESS 0x0
208.77453613 postgres.exe:3656 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\StoresServiceClassInfo SUCCESS 0x0
208.77455139 postgres.exe:3656 CloseKey HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 SUCCESS
208.77458191 postgres.exe:3656 OpenKey HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 SUCCESS Access: 0x20019
208.77458191 postgres.exe:3656 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\LibraryPath SUCCESS "%SystemRoot%\System32\mswsock.dll"
208.77459717 postgres.exe:3656 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\LibraryPath SUCCESS "%SystemRoot%\System32\mswsock.dll"
208.77461243 postgres.exe:3656 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\DisplayString SUCCESS "Network Location Awareness (NLA) Namespace"
208.77461243 postgres.exe:3656 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\DisplayString SUCCESS "Network Location Awareness (NLA) Namespace"
208.77462769 postgres.exe:3656 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\DisplayString SUCCESS "Network Location Awareness (NLA) Namespace"
208.77464294 postgres.exe:3656 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\DisplayString SUCCESS "Network Location Awareness (NLA) Namespace"
208.77465820 postgres.exe:3656 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\ProviderId SUCCESS 3A 24 42 66 A8 3B A6 4A ...
208.77465820 postgres.exe:3656 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\AddressFamily NOT FOUND 208.77467346 postgres.exe:3656 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\SupportedNameSpace SUCCESS 0xF 208.77468872 postgres.exe:3656 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\Enabled SUCCESS 0x1 208.77468872 postgres.exe:3656 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\Version SUCCESS 0x0 208.77470398 postgres.exe:3656 QueryValue HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\StoresServiceClassInfo SUCCESS 0x0 208.77470398 postgres.exe:3656 CloseKey HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 SUCCESS 208.77471924 postgres.exe:3656 CloseKey HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries SUCCESS 208.77473450 postgres.exe:3656 CloseKey HKLM\System\CurrentControlSet\Services\WinSock2\Parameters SUCCESS 208.77482605 postgres.exe:3656 OpenKey HKLM\System\CurrentControlSet\Services\Winsock2\Parameters SUCCESS Access: 0x1 208.77484131 postgres.exe:3656 QueryValue HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Ws2_32NumHandleBuckets NOT FOUND 208.77484131 postgres.exe:3656 QueryValue HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Ws2_32SpinCount NOT FOUND 208.77485657 postgres.exe:3656 CloseKey HKLM\System\CurrentControlSet\Services\Winsock2\Parameters SUCCESS 208.77537537 postgres.exe:3656 OpenKey HKLM\System\CurrentControlSet\Control\Nls\Locale SUCCESS Access: 0x20019 208.77539063 postgres.exe:3656 OpenKey HKLM\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts SUCCESS Access: 
0x20019 208.77542114 postgres.exe:3656 OpenKey HKLM\System\CurrentControlSet\Control\Nls\Language Groups SUCCESS Access: 0x20019 208.77542114 postgres.exe:3656 EnumerateValue HKLM\System\CurrentControlSet\Control\Nls\Locale\(Default) SUCCESS "00000409" 208.77543640 postgres.exe:3656 EnumerateValue HKLM\System\CurrentControlSet\Control\Nls\Locale\00000401 SUCCESS "" 208.77545166 postgres.exe:3656 EnumerateValue HKLM\System\CurrentControlSet\Control\Nls\Locale\00000402 SUCCESS "5" 208.77545166 postgres.exe:3656 QueryValue HKLM\System\CurrentControlSet\Control\Nls\Language Groups\5 SUCCESS "1" 208.77549744 postgres.exe:3656 EnumerateValue HKLM\System\CurrentControlSet\Control\Nls\Locale\00000403 SUCCESS "1" 208.77549744 postgres.exe:3656 QueryValue HKLM\System\CurrentControlSet\Control\Nls\Language Groups\1 SUCCESS "1" 208.77551270 postgres.exe:3656 EnumerateValue HKLM\System\CurrentControlSet\Control\Nls\Locale\00000404 SUCCESS "" 208.77552795 postgres.exe:3656 EnumerateValue HKLM\System\CurrentControlSet\Control\Nls\Locale\00000405 SUCCESS "2" 208.77552795 postgres.exe:3656 QueryValue HKLM\System\CurrentControlSet\Control\Nls\Language Groups\2 SUCCESS "1" 208.77555847 postgres.exe:3656 EnumerateValue HKLM\System\CurrentControlSet\Control\Nls\Locale\00000406 SUCCESS "1" 208.77557373 postgres.exe:3656 QueryValue HKLM\System\CurrentControlSet\Control\Nls\Language Groups\1 SUCCESS "1" 208.77557373 postgres.exe:3656 EnumerateValue HKLM\System\CurrentControlSet\Control\Nls\Locale\00000407 SUCCESS "1" 208.77558899 postgres.exe:3656 QueryValue HKLM\System\CurrentControlSet\Control\Nls\Language Groups\1 SUCCESS "1" 208.77560425 postgres.exe:3656 EnumerateValue HKLM\System\CurrentControlSet\Control\Nls\Locale\00000408 SUCCESS "4" 208.77560425 postgres.exe:3656 QueryValue HKLM\System\CurrentControlSet\Control\Nls\Language Groups\4 SUCCESS "1" 208.77563477 postgres.exe:3656 EnumerateValue HKLM\System\CurrentControlSet\Control\Nls\Locale\00000409 SUCCESS "1" 208.77563477 
postgres.exe:3656 QueryValue HKLM\System\CurrentControlSet\Control\Nls\Language Groups\1 SUCCESS "1" 208.77565002 postgres.exe:3656 EnumerateValue HKLM\System\CurrentControlSet\Control\Nls\Locale\0000040a SUCCESS "1" 208.77566528 postgres.exe:3656 QueryValue HKLM\System\CurrentControlSet\Control\Nls\Language Groups\1 SUCCESS "1" 208.77566528 postgres.exe:3656 EnumerateValue HKLM\System\CurrentControlSet\Control\Nls\Locale\0000040b SUCCESS "1" 208.77568054 postgres.exe:3656 QueryValue HKLM\System\CurrentControlSet\Control\Nls\Language Groups\1 SUCCESS "1" 208.77569580 postgres.exe:3656 EnumerateValue HKLM\System\CurrentControlSet\Control\Nls\Locale\0000040c SUCCESS "1" 208.77569580 postgres.exe:3656 QueryValue HKLM\System\CurrentControlSet\Control\Nls\Language Groups\1 SUCCESS "1" 208.77571106 postgres.exe:3656 EnumerateValue HKLM\System\CurrentControlSet\Control\Nls\Locale\0000040d SUCCESS "" 208.77571106 postgres.exe:3656 EnumerateValue HKLM\System\CurrentControlSet\Control\Nls\Locale\0000040e SUCCESS "2" 208.77572632 postgres.exe:3656 QueryValue HKLM\System\CurrentControlSet\Control\Nls\Language Groups\2 SUCCESS "1" 208.77574158 postgres.exe:3656 EnumerateValue HKLM\System\CurrentControlSet\Control\Nls\Locale\0000040f SUCCESS "1" 208.77574158 postgres.exe:3656 QueryValue HKLM\System\CurrentControlSet\Control\Nls\Language Groups\1 SUCCESS "1" 208.77575684 postgres.exe:3656 EnumerateValue HKLM\System\CurrentControlSet\Control\Nls\Locale\00000410 SUCCESS "1" 208.77575684 postgres.exe:3656 QueryValue HKLM\System\CurrentControlSet\Control\Nls\Language Groups\1 SUCCESS "1" 208.77577209 postgres.exe:3656 EnumerateValue HKLM\System\CurrentControlSet\Control\Nls\Locale\00000411 SUCCESS "" 208.77578735 postgres.exe:3656 EnumerateValue HKLM\System\CurrentControlSet\Control\Nls\Locale\00000412 SUCCESS "" 208.77578735 postgres.exe:3656 EnumerateValue HKLM\System\CurrentControlSet\Control\Nls\Locale\00000413 SUCCESS "1" 208.77580261 postgres.exe:3656 QueryValue 
HKLM\System\CurrentControlSet\Control\Nls\Language Groups\1 SUCCESS "1" 208.77580261 postgres.exe:3656 EnumerateValue HKLM\System\CurrentControlSet\Control\Nls\Locale\00000414 SUCCESS "1" 208.77581787 postgres.exe:3656 QueryValue HKLM\System\CurrentControlSet\Control\Nls\Language Groups\1 SUCCESS "1" 208.77583313 postgres.exe:3656 EnumerateValue HKLM\System\CurrentControlSet\Control\Nls\Locale\00000415 SUCCESS "2" 208.77583313 postgres.exe:3656 QueryValue HKLM\System\CurrentControlSet\Control\Nls\Language Groups\2 SUCCESS "1" 208.77584839 postgres.exe:3656 EnumerateValue HKLM\System\CurrentControlSet\Control\Nls\Locale\00000416 SUCCESS "1" 208.77584839 postgres.exe:3656 QueryValue HKLM\System\CurrentControlSet\Control\Nls\Language Groups\1 SUCCESS "1" 208.77586365 postgres.exe:3656 EnumerateValue HKLM\System\CurrentControlSet\Control\Nls\Locale\00000418 SUCCESS "2" 208.77586365 postgres.exe:3656 QueryValue HKLM\System\CurrentControlSet\Control\Nls\Language Groups\2 SUCCESS "1" 208.77587891 postgres.exe:3656 EnumerateValue HKLM\System\CurrentControlSet\Control\Nls\Locale\00000419 SUCCESS "5" 208.77589417 postgres.exe:3656 QueryValue HKLM\System\CurrentControlSet\Control\Nls\Language Groups\5 SUCCESS "1" 208.77589417 postgres.exe:3656 EnumerateValue HKLM\System\CurrentControlSet\Control\Nls\Locale\0000041a SUCCESS "2" 208.77590942 postgres.exe:3656 QueryValue HKLM\System\CurrentControlSet\Control\Nls\Language Groups\2 SUCCESS "1" 208.77590942 postgres.exe:3656 EnumerateValue HKLM\System\CurrentControlSet\Control\Nls\Locale\0000041b SUCCESS "2" 208.77592468 postgres.exe:3656 QueryValue HKLM\System\CurrentControlSet\Control\Nls\Language Groups\2 SUCCESS "1" 208.77593994 postgres.exe:3656 EnumerateValue HKLM\System\CurrentControlSet\Control\Nls\Locale\0000041c SUCCESS "2" 208.77593994 postgres.exe:3656 QueryValue HKLM\System\CurrentControlSet\Control\Nls\Language Groups\2 SUCCESS "1" 208.77595520 postgres.exe:3656 EnumerateValue 
HKLM\System\CurrentControlSet\Control\Nls\Locale\0000041d SUCCESS "1" 208.77595520 postgres.exe:3656 QueryValue HKLM\System\CurrentControlSet\Control\Nls\Language Groups\1 SUCCESS "1" 208.77597046 postgres.exe:3656 EnumerateValue HKLM\System\CurrentControlSet\Control\Nls\Locale\0000041e SUCCESS "" 208.77597046 postgres.exe:3656 EnumerateValue HKLM\System\CurrentControlSet\Control\Nls\Locale\0000041f SUCCESS "6" 208.77598572 postgres.exe:3656 QueryValue HKLM\System\CurrentControlSet\Control\Nls\Language Groups\6 SUCCESS "1" 208.77601624 postgres.exe:3656 EnumerateValue HKLM\System\CurrentControlSet\Control\Nls\Locale\00000420 SUCCESS "" 208.77601624 postgres.exe:3656 EnumerateValue HKLM\System\CurrentControlSet\Control\Nls\Locale\00000421 SUCCESS "1" 208.77603149 postgres.exe:3656 QueryValue HKLM\System\CurrentControlSet\Control\Nls\Language Groups\1 SUCCESS "1" 208.77604675 postgres.exe:3656 EnumerateValue HKLM\System\CurrentControlSet\Control\Nls\Locale\00000422 SUCCESS "5" 208.77604675 postgres.exe:3656 QueryValue HKLM\System\CurrentControlSet\Control\Nls\Language Groups\5 SUCCESS "1" 208.77606201 postgres.exe:3656 EnumerateValue HKLM\System\CurrentControlSet\Control\Nls\Locale\00000423 SUCCESS "5" 208.77606201 postgres.exe:3656 QueryValue HKLM\System\CurrentControlSet\Control\Nls\Language Groups\5 SUCCESS "1" 208.77607727 postgres.exe:3656 EnumerateValue HKLM\System\CurrentControlSet\Control\Nls\Locale\00000424 SUCCESS "2" 208.77609253 postgres.exe:3656 QueryValue HKLM\System\CurrentControlSet\Control\Nls\Language Groups\2 SUCCESS "1" 208.77609253 postgres.exe:3656 EnumerateValue HKLM\System\CurrentControlSet\Control\Nls\Locale\00000425 SUCCESS "3" 208.77610779 postgres.exe:3656 QueryValue HKLM\System\CurrentControlSet\Control\Nls\Language Groups\3 SUCCESS "1" 208.77612305 postgres.exe:3656 EnumerateValue HKLM\System\CurrentControlSet\Control\Nls\Locale\00000426 SUCCESS "3" 208.77613831 postgres.exe:3656 QueryValue 
HKLM\System\CurrentControlSet\Control\Nls\Language Groups\3 SUCCESS "1" 208.77615356 postgres.exe:3656 EnumerateValue HKLM\System\CurrentControlSet\Control\Nls\Locale\00000427 SUCCESS "3" 208.77615356 postgres.exe:3656 QueryValue HKLM\System\CurrentControlSet\Control\Nls\Language Groups\3 SUCCESS "1" 208.77616882 postgres.exe:3656 EnumerateValue HKLM\System\CurrentControlSet\Control\Nls\Locale\00000429 SUCCESS "" 208.77616882 postgres.exe:3656 EnumerateValue HKLM\System\CurrentControlSet\Control\Nls\Locale\0000042a SUCCESS "" 208.77618408 postgres.exe:3656 EnumerateValue HKLM\System\CurrentControlSet\Control\Nls\Locale\0000042b SUCCESS "" 208.77618408 postgres.exe:3656 EnumerateValue HKLM\System\CurrentControlSet\Control\Nls\Locale\0000042c SUCCESS "6" 208.77619934 postgres.exe:3656 QueryValue HKLM\System\CurrentControlSet\Control\Nls\Language Groups\6 SUCCESS "1" 208.77621460 postgres.exe:3656 EnumerateValue HKLM\System\CurrentControlSet\Control\Nls\Locale\0000042d SUCCESS "1" 208.77621460 postgres.exe:3656 QueryValue HKLM\System\CurrentControlSet\Control\Nls\Language Groups\1 SUCCESS "1" 208.77622986 postgres.exe:3656 EnumerateValue HKLM\System\CurrentControlSet\Control\Nls\Locale\0000042f SUCCESS "5" 208.77622986 postgres.exe:3656 QueryValue HKLM\System\CurrentControlSet\Control\Nls\Language Groups\5 SUCCESS "1" 208.77624512 postgres.exe:3656 EnumerateValue HKLM\System\CurrentControlSet\Control\Nls\Locale\00000436 SUCCESS "1" 208.77624512 postgres.exe:3656 QueryValue HKLM\System\CurrentControlSet\Control\Nls\Language Groups\1 SUCCESS "1" 208.77626038 postgres.exe:3656 EnumerateValue HKLM\System\CurrentControlSet\Control\Nls\Locale\00000437 SUCCESS "" 208.77627563 postgres.exe:3656 EnumerateValue HKLM\System\CurrentControlSet\Control\Nls\Locale\00000438 SUCCESS "1" 208.77627563 postgres.exe:3656 QueryValue HKLM\System\CurrentControlSet\Control\Nls\Language Groups\1 SUCCESS "1" 208.77629089 postgres.exe:3656 EnumerateValue 
HKLM\System\CurrentControlSet\Control\Nls\Locale\00000439 SUCCESS "" 208.77629089 postgres.exe:3656 EnumerateValue HKLM\System\CurrentControlSet\Control\Nls\Locale\0000043e SUCCESS "1" 208.77630615 postgres.exe:3656 QueryValue HKLM\System\CurrentControlSet\Control\Nls\Language Groups\1 SUCCESS "1" 208.77632141 postgres.exe:3656 EnumerateValue HKLM\System\CurrentControlSet\Control\Nls\Locale\0000043f SUCCESS "5" 208.77632141 postgres.exe:3656 QueryValue HKLM\System\CurrentControlSet\Control\Nls\Language Groups\5 SUCCESS "1" 208.77633667 postgres.exe:3656 EnumerateValue HKLM\System\CurrentControlSet\Control\Nls\Locale\00000440 SUCCESS "5" 208.77633667 postgres.exe:3656 QueryValue HKLM\System\CurrentControlSet\Control\Nls\Language Groups\5 SUCCESS "1" 208.77635193 postgres.exe:3656 EnumerateValue HKLM\System\CurrentControlSet\Control\Nls\Locale\00000441 SUCCESS "1" 208.77636719 postgres.exe:3656 QueryValue HKLM\System\CurrentControlSet\Control\Nls\Language Groups\1 SUCCESS "1" 208.77636719 postgres.exe:3656 EnumerateValue HKLM\System\CurrentControlSet\Control\Nls\Locale\00000443 SUCCESS "6" 208.77638245 postgres.exe:3656 QueryValue HKLM\System\CurrentControlSet\Control\Nls\Language Groups\6 SUCCESS "1" 208.77638245 postgres.exe:3656 EnumerateValue HKLM\System\CurrentControlSet\Control\Nls\Locale\00000444 SUCCESS "5" 208.77639771 postgres.exe:3656 QueryValue HKLM\System\CurrentControlSet\Control\Nls\Language Groups\5 SUCCESS "1" 208.77641296 postgres.exe:3656 EnumerateValue HKLM\System\CurrentControlSet\Control\Nls\Locale\00000446 SUCCESS "" 208.77641296 postgres.exe:3656 EnumerateValue HKLM\System\CurrentControlSet\Control\Nls\Locale\00000447 SUCCESS "" 208.77642822 postgres.exe:3656 EnumerateValue HKLM\System\CurrentControlSet\Control\Nls\Locale\00000449 SUCCESS "" 208.77642822 postgres.exe:3656 EnumerateValue HKLM\System\CurrentControlSet\Control\Nls\Locale\0000044a SUCCESS "" 208.77644348 postgres.exe:3656 EnumerateValue 
HKLM\System\CurrentControlSet\Control\Nls\Locale\0000044b SUCCESS "" 208.77644348 postgres.exe:3656 EnumerateValue HKLM\System\CurrentControlSet\Control\Nls\Locale\0000044e SUCCESS "" 208.77645874 postgres.exe:3656 EnumerateValue HKLM\System\CurrentControlSet\Control\Nls\Locale\0000044f SUCCESS "" 208.77645874 postgres.exe:3656 EnumerateValue HKLM\System\CurrentControlSet\Control\Nls\Locale\00000450 SUCCESS "5" 208.77647400 postgres.exe:3656 QueryValue HKLM\System\CurrentControlSet\Control\Nls\Language Groups\5 SUCCESS "1" 208.77647400 postgres.exe:3656 EnumerateValue HKLM\System\CurrentControlSet\Control\Nls\Locale\00000456 SUCCESS "1" 208.77648926 postgres.exe:3656 QueryValue HKLM\System\CurrentControlSet\Control\Nls\Language Groups\1 SUCCESS "1" 208.77650452 postgres.exe:3656 EnumerateValue HKLM\System\CurrentControlSet\Control\Nls\Locale\00000457 SUCCESS "" 208.77650452 postgres.exe:3656 EnumerateValue HKLM\System\CurrentControlSet\Control\Nls\Locale\0000045a SUCCESS "" 208.77651978 postgres.exe:3656 EnumerateValue HKLM\System\CurrentControlSet\Control\Nls\Locale\00000465 SUCCESS "" 208.77651978 postgres.exe:3656 EnumerateValue HKLM\System\CurrentControlSet\Control\Nls\Locale\00000801 SUCCESS "" 208.77653503 postgres.exe:3656 EnumerateValue HKLM\System\CurrentControlSet\Control\Nls\Locale\00000804 SUCCESS "" 208.77653503 postgres.exe:3656 EnumerateValue HKLM\System\CurrentControlSet\Control\Nls\Locale\00000807 SUCCESS "1" 208.77655029 postgres.exe:3656 QueryValue HKLM\System\CurrentControlSet\Control\Nls\Language Groups\1 SUCCESS "1" 208.77655029 postgres.exe:3656 EnumerateValue HKLM\System\CurrentControlSet\Control\Nls\Locale\00000809 SUCCESS "1" 208.77656555 postgres.exe:3656 QueryValue HKLM\System\CurrentControlSet\Control\Nls\Language Groups\1 SUCCESS "1" 208.77658081 postgres.exe:3656 QueryValue HKLM\System\CurrentControlSet\Control\Nls\Locale\00000809 SUCCESS "1" 208.77659607 postgres.exe:3656 QueryValue HKLM\System\CurrentControlSet\Control\Nls\Language 
Groups\1 SUCCESS "1" 208.77770996 postgres.exe:3656 OpenKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mswsock.dll NOT FOUND 208.77816772 postgres.exe:3656 OpenKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hnetcfg.dll NOT FOUND 208.77821350 postgres.exe:3656 OpenKey HKLM\Software\Microsoft\Rpc\PagedBuffers NOT FOUND 208.77822876 postgres.exe:3656 OpenKey HKLM\Software\Microsoft\Rpc SUCCESS Access: 0x20019 208.77822876 postgres.exe:3656 QueryValue HKLM\Software\Microsoft\Rpc\MaxRpcSize NOT FOUND 208.77824402 postgres.exe:3656 CloseKey HKLM\Software\Microsoft\Rpc SUCCESS 208.77825928 postgres.exe:3656 OpenKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\postgres.exe\RpcThreadPoolThrottle NOT FOUND 208.77828979 postgres.exe:3656 OpenKey HKLM\Software\Policies\Microsoft\Windows NT\Rpc NOT FOUND 208.77835083 postgres.exe:3656 OpenKey HKLM\Software\Microsoft\Rpc\SecurityService SUCCESS Access: 0x20019 208.77835083 postgres.exe:3656 QueryValue HKLM\Software\Microsoft\Rpc\SecurityService\DefaultAuthLevel NOT FOUND 208.77836609 postgres.exe:3656 CloseKey HKLM\Software\Microsoft\Rpc\SecurityService SUCCESS 208.77851868 postgres.exe:3656 OpenKey HKLM\SYSTEM\CurrentControlSet\Services\Winsock\Parameters SUCCESS Access: 0x20019 208.77851868 postgres.exe:3656 QueryValue HKLM\SYSTEM\CurrentControlSet\Services\Winsock\Parameters\Transports SUCCESS "Tcpip" 208.77853394 postgres.exe:3656 QueryValue HKLM\SYSTEM\CurrentControlSet\Services\Winsock\Parameters\Transports SUCCESS "Tcpip" 208.77853394 postgres.exe:3656 CloseKey HKLM\SYSTEM\CurrentControlSet\Services\Winsock\Parameters SUCCESS 208.77856445 postgres.exe:3656 OpenKey HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Winsock SUCCESS Access: 0x20019 208.77857971 postgres.exe:3656 QueryValue HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Winsock\Mapping BUFFER OVERFLOW 208.77859497 postgres.exe:3656 
QueryValue HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Winsock\Mapping BUFFER OVERFLOW 208.77859497 postgres.exe:3656 QueryValue HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Winsock\Mapping SUCCESS 0B 00 00 00 03 00 00 00 ... 208.77861023 postgres.exe:3656 CloseKey HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Winsock SUCCESS 208.77864075 postgres.exe:3656 OpenKey HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Winsock SUCCESS Access: 0x20019 208.77864075 postgres.exe:3656 QueryValue HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Winsock\MinSockaddrLength SUCCESS 0x10 208.77865601 postgres.exe:3656 QueryValue HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Winsock\MaxSockaddrLength SUCCESS 0x10 208.77865601 postgres.exe:3656 QueryValue HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Winsock\UseDelayedAcceptance SUCCESS 0x0 208.77867126 postgres.exe:3656 QueryValue HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Winsock\HelperDllName SUCCESS "%SystemRoot%\System32\wshtcpip.dll" 208.77937317 postgres.exe:3656 OpenKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wshtcpip.dll NOT FOUND 208.77938843 postgres.exe:3656 CloseKey HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Winsock SUCCESS 208.77995300 postgres.exe:3656 OpenKey HKCU SUCCESS Access: 0x2000000 208.77998352 postgres.exe:3656 OpenKey HKCU\Control Panel\International SUCCESS Access: 0x20019 208.77998352 postgres.exe:3656 CloseKey HKCU SUCCESS 208.77999878 postgres.exe:3656 QueryValue HKCU\Control Panel\International\Locale SUCCESS "00000809" 208.77999878 postgres.exe:3656 CloseKey HKCU\Control Panel\International SUCCESS 208.78002930 postgres.exe:3656 OpenKey HKCU SUCCESS Access: 0x2000000 208.78004456 postgres.exe:3656 OpenKey HKCU\Control Panel\International SUCCESS Access: 0x20019 208.78004456 postgres.exe:3656 CloseKey HKCU SUCCESS 208.78005981 postgres.exe:3656 QueryValue HKCU\Control 
Panel\International\sCurrency SUCCESS "" 208.78007507 postgres.exe:3656 CloseKey HKCU\Control Panel\International SUCCESS 208.78009033 postgres.exe:3656 OpenKey HKCU SUCCESS Access: 0x2000000 208.78010559 postgres.exe:3656 OpenKey HKCU\Control Panel\International SUCCESS Access: 0x20019 208.78012085 postgres.exe:3656 CloseKey HKCU SUCCESS 208.78012085 postgres.exe:3656 QueryValue HKCU\Control Panel\International\sMonDecimalSep SUCCESS "." 208.78013611 postgres.exe:3656 CloseKey HKCU\Control Panel\International SUCCESS 208.78015137 postgres.exe:3656 OpenKey HKCU SUCCESS Access: 0x2000000 208.78016663 postgres.exe:3656 OpenKey HKCU\Control Panel\International SUCCESS Access: 0x20019 208.78018188 postgres.exe:3656 CloseKey HKCU SUCCESS 208.78019714 postgres.exe:3656 QueryValue HKCU\Control Panel\International\sMonThousandSep SUCCESS "," 208.78019714 postgres.exe:3656 CloseKey HKCU\Control Panel\International SUCCESS 208.78021240 postgres.exe:3656 OpenKey HKCU SUCCESS Access: 0x2000000 208.78022766 postgres.exe:3656 OpenKey HKCU\Control Panel\International SUCCESS Access: 0x20019 208.78024292 postgres.exe:3656 CloseKey HKCU SUCCESS 208.78025818 postgres.exe:3656 QueryValue HKCU\Control Panel\International\sMonGrouping SUCCESS "3;0" 208.78025818 postgres.exe:3656 CloseKey HKCU\Control Panel\International SUCCESS 208.78028870 postgres.exe:3656 OpenKey HKCU SUCCESS Access: 0x2000000 208.78028870 postgres.exe:3656 OpenKey HKCU\Control Panel\International SUCCESS Access: 0x20019 208.78030396 postgres.exe:3656 CloseKey HKCU SUCCESS 208.78031921 postgres.exe:3656 QueryValue HKCU\Control Panel\International\sPositiveSign SUCCESS "" 208.78031921 postgres.exe:3656 CloseKey HKCU\Control Panel\International SUCCESS 208.78034973 postgres.exe:3656 OpenKey HKCU SUCCESS Access: 0x2000000 208.78036499 postgres.exe:3656 OpenKey HKCU\Control Panel\International SUCCESS Access: 0x20019 208.78036499 postgres.exe:3656 CloseKey HKCU SUCCESS 208.78038025 postgres.exe:3656 QueryValue 
HKCU\Control Panel\International\sNegativeSign SUCCESS "-" 208.78038025 postgres.exe:3656 CloseKey HKCU\Control Panel\International SUCCESS 208.78041077 postgres.exe:3656 OpenKey HKCU SUCCESS Access: 0x2000000 208.78042603 postgres.exe:3656 OpenKey HKCU\Control Panel\International SUCCESS Access: 0x20019 208.78042603 postgres.exe:3656 CloseKey HKCU SUCCESS 208.78044128 postgres.exe:3656 QueryValue HKCU\Control Panel\International\iCurrDigits SUCCESS "2" 208.78044128 postgres.exe:3656 CloseKey HKCU\Control Panel\International SUCCESS 208.78048706 postgres.exe:3656 OpenKey HKCU SUCCESS Access: 0x2000000 208.78050232 postgres.exe:3656 OpenKey HKCU\Control Panel\International SUCCESS Access: 0x20019 208.78050232 postgres.exe:3656 CloseKey HKCU SUCCESS 208.78051758 postgres.exe:3656 QueryValue HKCU\Control Panel\International\sDecimal SUCCESS "." 208.78053284 postgres.exe:3656 CloseKey HKCU\Control Panel\International SUCCESS 208.78054810 postgres.exe:3656 OpenKey HKCU SUCCESS Access: 0x2000000 208.78056335 postgres.exe:3656 OpenKey HKCU\Control Panel\International SUCCESS Access: 0x20019 208.78056335 postgres.exe:3656 CloseKey HKCU SUCCESS 208.78057861 postgres.exe:3656 QueryValue HKCU\Control Panel\International\sThousand SUCCESS "," 208.78059387 postgres.exe:3656 CloseKey HKCU\Control Panel\International SUCCESS 208.78060913 postgres.exe:3656 OpenKey HKCU SUCCESS Access: 0x2000000 208.78062439 postgres.exe:3656 OpenKey HKCU\Control Panel\International SUCCESS Access: 0x20019 208.78062439 postgres.exe:3656 CloseKey HKCU SUCCESS 208.78063965 postgres.exe:3656 QueryValue HKCU\Control Panel\International\sGrouping SUCCESS "3;0" 208.78065491 postgres.exe:3656 CloseKey HKCU\Control Panel\International SUCCESS 208.78070068 postgres.exe:3656 OpenKey HKCU SUCCESS Access: 0x2000000 208.78073120 postgres.exe:3656 OpenKey HKCU\Control Panel\International SUCCESS Access: 0x20019 208.78073120 postgres.exe:3656 CloseKey HKCU SUCCESS 208.78074646 postgres.exe:3656 QueryValue 
HKCU\Control Panel\International\s1159 SUCCESS "AM" 208.78074646 postgres.exe:3656 CloseKey HKCU\Control Panel\International SUCCESS 208.78077698 postgres.exe:3656 OpenKey HKCU SUCCESS Access: 0x2000000 208.78079224 postgres.exe:3656 OpenKey HKCU\Control Panel\International SUCCESS Access: 0x20019 208.78079224 postgres.exe:3656 CloseKey HKCU SUCCESS 208.78080750 postgres.exe:3656 QueryValue HKCU\Control Panel\International\s2359 SUCCESS "PM" 208.78080750 postgres.exe:3656 CloseKey HKCU\Control Panel\International SUCCESS 208.78083801 postgres.exe:3656 OpenKey HKCU SUCCESS Access: 0x2000000 208.78083801 postgres.exe:3656 OpenKey HKCU\Control Panel\International SUCCESS Access: 0x20019 208.78085327 postgres.exe:3656 CloseKey HKCU SUCCESS 208.78086853 postgres.exe:3656 QueryValue HKCU\Control Panel\International\sShortDate SUCCESS "dd/MM/yyyy" 208.78086853 postgres.exe:3656 CloseKey HKCU\Control Panel\International SUCCESS 208.78089905 postgres.exe:3656 OpenKey HKCU SUCCESS Access: 0x2000000 208.78091431 postgres.exe:3656 OpenKey HKCU\Control Panel\International SUCCESS Access: 0x20019 208.78091431 postgres.exe:3656 CloseKey HKCU SUCCESS 208.78092957 postgres.exe:3656 QueryValue HKCU\Control Panel\International\sLongDate SUCCESS "dd MMMM yyyy" 208.78092957 postgres.exe:3656 CloseKey HKCU\Control Panel\International SUCCESS 208.78096008 postgres.exe:3656 OpenKey HKCU SUCCESS Access: 0x2000000 208.78097534 postgres.exe:3656 OpenKey HKCU\Control Panel\International SUCCESS Access: 0x20019 208.78097534 postgres.exe:3656 CloseKey HKCU SUCCESS 208.78099060 postgres.exe:3656 QueryValue HKCU\Control Panel\International\sTimeFormat SUCCESS "HH:mm:ss" 208.78099060 postgres.exe:3656 CloseKey HKCU\Control Panel\International SUCCESS 208.78102112 postgres.exe:3656 OpenKey HKCU SUCCESS Access: 0x2000000 208.78103638 postgres.exe:3656 OpenKey HKCU\Control Panel\International SUCCESS Access: 0x20019 208.78103638 postgres.exe:3656 CloseKey HKCU SUCCESS 208.78105164 postgres.exe:3656 
QueryValue HKCU\Control Panel\International\iCalendarType SUCCESS "1" 208.78105164 postgres.exe:3656 CloseKey HKCU\Control Panel\International SUCCESS 208.79342651 postgres.exe:3656 OpenKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize SUCCESS Access: 0x20019 208.79344177 postgres.exe:3656 QueryValue HKLM\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles NOT FOUND 208.79345703 postgres.exe:3656 CloseKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize SUCCESS 209.21206665 zlclient.exe:2104 OpenKey HKLM\SOFTWARE\Zone Labs\zonealarm SUCCESS Access: 0x20019 209.21208191 zlclient.exe:2104 QueryValue HKLM\SOFTWARE\Zone Labs\zonealarm\LastAutoUpdate SUCCESS 0x4851146E 209.21211243 zlclient.exe:2104 CloseKey HKLM\SOFTWARE\Zone Labs\zonealarm SUCCESS 209.38505554 lsass.exe:892 OpenKey HKLM\SECURITY\Policy SUCCESS Access: 0x2001F 209.38507080 lsass.exe:892 OpenKey HKLM\SECURITY\Policy\SecDesc SUCCESS Access: 0x20019 209.38508606 lsass.exe:892 QueryValue HKLM\SECURITY\Policy\SecDesc\(Default) BUFFER OVERFLOW 209.38510132 lsass.exe:892 CloseKey HKLM\SECURITY\Policy\SecDesc SUCCESS 209.38511658 lsass.exe:892 OpenKey HKLM\SECURITY\Policy\SecDesc SUCCESS Access: 0x20019 209.38511658 lsass.exe:892 QueryValue HKLM\SECURITY\Policy\SecDesc\(Default) SUCCESS NONE 209.38513184 lsass.exe:892 CloseKey HKLM\SECURITY\Policy\SecDesc SUCCESS 209.38525391 lsass.exe:892 OpenKey HKLM\SAM\SAM\DOMAINS\Account\Groups\000003EB NOT FOUND 209.38526917 lsass.exe:892 OpenKey HKLM\SAM\SAM\DOMAINS\Account\Aliases\000003EB NOT FOUND 209.38528442 lsass.exe:892 OpenKey HKLM\SAM\SAM\DOMAINS\Account\Users\000003EB SUCCESS Access: 0x2001F 209.38529968 lsass.exe:892 QueryValue HKLM\SAM\SAM\DOMAINS\Account\Users\000003EB\V SUCCESS 00 00 00 00 BC 00 00 00 ... 
209.38531494 lsass.exe:892 CloseKey HKLM\SAM\SAM\DOMAINS\Account\Users\000003EB SUCCESS 209.38537598 lsass.exe:892 CloseKey HKLM\SECURITY\Policy SUCCESS 210.38508606 lsass.exe:892 OpenKey HKLM\SECURITY\Policy SUCCESS Access: 0x2001F 210.38510132 lsass.exe:892 OpenKey HKLM\SECURITY\Policy\SecDesc SUCCESS Access: 0x20019 210.38511658 lsass.exe:892 QueryValue HKLM\SECURITY\Policy\SecDesc\(Default) BUFFER OVERFLOW 210.38511658 lsass.exe:892 CloseKey HKLM\SECURITY\Policy\SecDesc SUCCESS 210.38514709 lsass.exe:892 OpenKey HKLM\SECURITY\Policy\SecDesc SUCCESS Access: 0x20019 210.38514709 lsass.exe:892 QueryValue HKLM\SECURITY\Policy\SecDesc\(Default) SUCCESS NONE 210.38516235 lsass.exe:892 CloseKey HKLM\SECURITY\Policy\SecDesc SUCCESS 210.38526917 lsass.exe:892 OpenKey HKLM\SAM\SAM\DOMAINS\Account\Groups\000003EB NOT FOUND 210.38528442 lsass.exe:892 OpenKey HKLM\SAM\SAM\DOMAINS\Account\Aliases\000003EB NOT FOUND 210.38531494 lsass.exe:892 OpenKey HKLM\SAM\SAM\DOMAINS\Account\Users\000003EB SUCCESS Access: 0x2001F 210.38531494 lsass.exe:892 QueryValue HKLM\SAM\SAM\DOMAINS\Account\Users\000003EB\V SUCCESS 00 00 00 00 BC 00 00 00 ... 
210.38533020 lsass.exe:892 CloseKey HKLM\SAM\SAM\DOMAINS\Account\Users\000003EB SUCCESS 210.38539124 lsass.exe:892 CloseKey HKLM\SECURITY\Policy SUCCESS 210.71203613 zlclient.exe:2104 OpenKey HKLM\SOFTWARE\Zone Labs\zonealarm SUCCESS Access: 0x20019 210.71206665 zlclient.exe:2104 QueryValue HKLM\SOFTWARE\Zone Labs\zonealarm\LastAutoUpdate SUCCESS 0x4851146E 210.71209717 zlclient.exe:2104 CloseKey HKLM\SOFTWARE\Zone Labs\zonealarm SUCCESS 211.38517761 lsass.exe:892 OpenKey HKLM\SECURITY\Policy SUCCESS Access: 0x2001F 211.38519287 lsass.exe:892 OpenKey HKLM\SECURITY\Policy\SecDesc SUCCESS Access: 0x20019 211.38520813 lsass.exe:892 QueryValue HKLM\SECURITY\Policy\SecDesc\(Default) BUFFER OVERFLOW 211.38522339 lsass.exe:892 CloseKey HKLM\SECURITY\Policy\SecDesc SUCCESS 211.38523865 lsass.exe:892 OpenKey HKLM\SECURITY\Policy\SecDesc SUCCESS Access: 0x20019 211.38523865 lsass.exe:892 QueryValue HKLM\SECURITY\Policy\SecDesc\(Default) SUCCESS NONE 211.38525391 lsass.exe:892 CloseKey HKLM\SECURITY\Policy\SecDesc SUCCESS 211.38537598 lsass.exe:892 OpenKey HKLM\SAM\SAM\DOMAINS\Account\Groups\000003EB NOT FOUND 211.38539124 lsass.exe:892 OpenKey HKLM\SAM\SAM\DOMAINS\Account\Aliases\000003EB NOT FOUND 211.38540649 lsass.exe:892 OpenKey HKLM\SAM\SAM\DOMAINS\Account\Users\000003EB SUCCESS Access: 0x2001F 211.38542175 lsass.exe:892 QueryValue HKLM\SAM\SAM\DOMAINS\Account\Users\000003EB\V SUCCESS 00 00 00 00 BC 00 00 00 ... 
211.38542175 lsass.exe:892 CloseKey HKLM\SAM\SAM\DOMAINS\Account\Users\000003EB SUCCESS 211.38549805 lsass.exe:892 CloseKey HKLM\SECURITY\Policy SUCCESS 212.38500977 lsass.exe:892 OpenKey HKLM\SECURITY\Policy SUCCESS Access: 0x2001F 212.38502502 lsass.exe:892 OpenKey HKLM\SECURITY\Policy\SecDesc SUCCESS Access: 0x20019 212.38504028 lsass.exe:892 QueryValue HKLM\SECURITY\Policy\SecDesc\(Default) BUFFER OVERFLOW 212.38505554 lsass.exe:892 CloseKey HKLM\SECURITY\Policy\SecDesc SUCCESS 212.38507080 lsass.exe:892 OpenKey HKLM\SECURITY\Policy\SecDesc SUCCESS Access: 0x20019 212.38507080 lsass.exe:892 QueryValue HKLM\SECURITY\Policy\SecDesc\(Default) SUCCESS NONE 212.38508606 lsass.exe:892 CloseKey HKLM\SECURITY\Policy\SecDesc SUCCESS 212.38520813 lsass.exe:892 OpenKey HKLM\SAM\SAM\DOMAINS\Account\Groups\000003EB NOT FOUND 212.38522339 lsass.exe:892 OpenKey HKLM\SAM\SAM\DOMAINS\Account\Aliases\000003EB NOT FOUND 212.38523865 lsass.exe:892 OpenKey HKLM\SAM\SAM\DOMAINS\Account\Users\000003EB SUCCESS Access: 0x2001F 212.38525391 lsass.exe:892 QueryValue HKLM\SAM\SAM\DOMAINS\Account\Users\000003EB\V SUCCESS 00 00 00 00 BC 00 00 00 ... 
212.38525391 lsass.exe:892 CloseKey HKLM\SAM\SAM\DOMAINS\Account\Users\000003EB SUCCESS 212.38533020 lsass.exe:892 CloseKey HKLM\SECURITY\Policy SUCCESS 213.38499451 lsass.exe:892 OpenKey HKLM\SECURITY\Policy SUCCESS Access: 0x2001F 213.38500977 lsass.exe:892 OpenKey HKLM\SECURITY\Policy\SecDesc SUCCESS Access: 0x20019 213.38502502 lsass.exe:892 QueryValue HKLM\SECURITY\Policy\SecDesc\(Default) BUFFER OVERFLOW 213.38504028 lsass.exe:892 CloseKey HKLM\SECURITY\Policy\SecDesc SUCCESS 213.38505554 lsass.exe:892 OpenKey HKLM\SECURITY\Policy\SecDesc SUCCESS Access: 0x20019 213.38507080 lsass.exe:892 QueryValue HKLM\SECURITY\Policy\SecDesc\(Default) SUCCESS NONE 213.38507080 lsass.exe:892 CloseKey HKLM\SECURITY\Policy\SecDesc SUCCESS 213.38519287 lsass.exe:892 OpenKey HKLM\SAM\SAM\DOMAINS\Account\Groups\000003EB NOT FOUND 213.38520813 lsass.exe:892 OpenKey HKLM\SAM\SAM\DOMAINS\Account\Aliases\000003EB NOT FOUND 213.38523865 lsass.exe:892 OpenKey HKLM\SAM\SAM\DOMAINS\Account\Users\000003EB SUCCESS Access: 0x2001F 213.38523865 lsass.exe:892 QueryValue HKLM\SAM\SAM\DOMAINS\Account\Users\000003EB\V SUCCESS 00 00 00 00 BC 00 00 00 ... 
213.38525391 lsass.exe:892 CloseKey HKLM\SAM\SAM\DOMAINS\Account\Users\000003EB SUCCESS 213.38533020 lsass.exe:892 CloseKey HKLM\SECURITY\Policy SUCCESS 214.38571167 lsass.exe:892 OpenKey HKLM\SECURITY\Policy SUCCESS Access: 0x2001F 214.38572693 lsass.exe:892 OpenKey HKLM\SECURITY\Policy\SecDesc SUCCESS Access: 0x20019 214.38574219 lsass.exe:892 QueryValue HKLM\SECURITY\Policy\SecDesc\(Default) BUFFER OVERFLOW 214.38575745 lsass.exe:892 CloseKey HKLM\SECURITY\Policy\SecDesc SUCCESS 214.38577271 lsass.exe:892 OpenKey HKLM\SECURITY\Policy\SecDesc SUCCESS Access: 0x20019 214.38577271 lsass.exe:892 QueryValue HKLM\SECURITY\Policy\SecDesc\(Default) SUCCESS NONE 214.38578796 lsass.exe:892 CloseKey HKLM\SECURITY\Policy\SecDesc SUCCESS 214.38591003 lsass.exe:892 OpenKey HKLM\SAM\SAM\DOMAINS\Account\Groups\000003EB NOT FOUND 214.38592529 lsass.exe:892 OpenKey HKLM\SAM\SAM\DOMAINS\Account\Aliases\000003EB NOT FOUND 214.38594055 lsass.exe:892 OpenKey HKLM\SAM\SAM\DOMAINS\Account\Users\000003EB SUCCESS Access: 0x2001F

#3 xerive

New Member

Posted 12 June 2008 - 06:50 AM

Ran ComboFix.

This is the log after it ran:

ComboFix 08-06-10.5 - darren 2008-06-12 13:29:58.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1391 [GMT 1:00]
Running from: C:\Documents and Settings\darren\Desktop\ComboFix.exe
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\azip32.dll
C:\WINDOWS\system32\comctlw32u.dll
C:\WINDOWS\system32\drivers\npf.sys
C:\WINDOWS\system32\dzgtactx.dll
C:\WINDOWS\system32\FTPx.dll
C:\WINDOWS\system32\MabryObj.dll
C:\WINDOWS\system32\packet.dll
C:\WINDOWS\system32\pthreadVC.dll
C:\WINDOWS\system32\wpcap.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF
-------\Service_NPF


((((((((((((((((((((((((( Files Created from 2008-05-12 to 2008-06-12 )))))))))))))))))))))))))))))))
.

2008-06-12 12:24 . 2008-06-12 12:24 <DIR> d-------- C:\WINDOWS\ERUNT
2008-06-12 12:14 . 2008-06-12 13:12 <DIR> d-------- C:\SDFix
2008-06-12 09:03 . 2008-06-12 09:03 <DIR> d-------- C:\Program Files\CCleaner
2008-06-12 00:53 . 2008-06-12 03:41 <DIR> d-------- C:\Documents and Settings\darren\.housecall6.6
2008-06-12 00:52 . 2008-06-12 00:57 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2008-06-10 22:47 . 2008-05-07 06:12 1,288,192 -----c--- C:\WINDOWS\system32\dllcache\quartz.dll
2008-06-10 22:46 . 2008-04-14 13:30 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-10 22:46 . 2008-05-08 15:02 203,136 -----c--- C:\WINDOWS\system32\dllcache\rmcast.sys
2008-06-10 18:25 . 2008-06-10 18:25 <DIR> d--hs---- C:\WINDOWS\ftpcache
2008-06-10 16:36 . 2008-06-10 16:37 <DIR> d-------- C:\Program Files\RivaTuner v2.09
2008-06-10 16:34 . 2008-05-14 23:43 186,349 --a------ C:\WINDOWS\system32\nvapps.nvb
2008-06-10 15:20 . 2008-06-10 15:20 <DIR> d-------- C:\Fraps
2008-06-10 15:20 . 2008-06-10 17:52 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-10 14:43 . 2008-06-10 14:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\nView_Profiles
2008-06-10 13:39 . 2008-05-30 14:11 3,850,760 --a------ C:\WINDOWS\system32\D3DX9_38.dll
2008-06-10 13:39 . 2008-05-30 14:11 1,491,992 --a------ C:\WINDOWS\system32\D3DCompiler_38.dll
2008-06-10 13:39 . 2008-05-30 14:19 507,400 --a------ C:\WINDOWS\system32\XAudio2_1.dll
2008-06-10 13:39 . 2008-05-30 14:11 467,984 --a------ C:\WINDOWS\system32\d3dx10_38.dll
2008-06-10 13:39 . 2008-05-30 14:18 238,088 --a------ C:\WINDOWS\system32\xactengine3_1.dll
2008-06-10 13:39 . 2008-05-30 14:17 65,032 --a------ C:\WINDOWS\system32\XAPOFX1_0.dll
2008-06-10 13:39 . 2008-05-30 14:17 25,608 --a------ C:\WINDOWS\system32\X3DAudio1_4.dll
2008-06-10 13:38 . 2008-06-10 13:38 <DIR> d-------- C:\WINDOWS\Logs
2008-06-10 13:31 . 2008-05-08 15:54 446,464 --a------ C:\WINDOWS\system32\NVUNINST.EXE
2008-06-10 13:31 . 2008-05-14 23:43 446,464 --a------ C:\WINDOWS\system32\nvudisp.exe
2008-06-10 13:31 . 2008-05-02 22:46 181,895 --a------ C:\WINDOWS\system32\nvdsp.chm
2008-06-10 13:31 . 2008-06-12 13:37 181,232 --a------ C:\WINDOWS\system32\nvapps.xml
2008-06-10 13:31 . 2008-05-02 22:46 116,384 --a------ C:\WINDOWS\system32\nv3d.chm
2008-06-10 13:31 . 2008-05-02 22:46 54,988 --a------ C:\WINDOWS\system32\nvmob.chm
2008-06-10 13:31 . 2008-05-14 23:43 18,070 --a------ C:\WINDOWS\system32\nvdisp.nvu
2008-06-09 14:05 . 2008-03-05 15:56 3,786,760 --a------ C:\WINDOWS\system32\D3DX9_37.dll
2008-06-09 14:05 . 2007-10-12 15:14 3,734,536 --a------ C:\WINDOWS\system32\d3dx9_36.dll
2008-06-09 14:05 . 2008-03-05 15:56 1,420,824 --a------ C:\WINDOWS\system32\D3DCompiler_37.dll
2008-06-09 14:05 . 2007-10-12 15:14 1,374,232 --a------ C:\WINDOWS\system32\D3DCompiler_36.dll
2008-06-09 14:05 . 2008-03-05 16:03 479,752 --a------ C:\WINDOWS\system32\XAudio2_0.dll
2008-06-09 14:05 . 2008-02-05 23:07 462,864 --a------ C:\WINDOWS\system32\d3dx10_37.dll
2008-06-09 14:05 . 2007-10-02 09:56 444,776 --a------ C:\WINDOWS\system32\d3dx10_36.dll
2008-06-09 14:05 . 2007-10-22 03:39 267,272 --a------ C:\WINDOWS\system32\xactengine2_10.dll
2008-06-09 14:05 . 2008-03-05 16:03 238,088 --a------ C:\WINDOWS\system32\xactengine3_0.dll
2008-06-09 14:05 . 2008-03-05 16:00 25,608 --a------ C:\WINDOWS\system32\X3DAudio1_3.dll
2008-06-09 01:48 . 2008-06-09 01:52 <DIR> d-------- C:\Program Files\Microsoft SQL Server
2008-06-08 19:19 . 2008-06-10 13:31 <DIR> d-------- C:\WINDOWS\nvidia icons
2008-06-08 12:05 . 2008-06-08 12:06 <DIR> d-------- C:\Program Files\MyAffiliateFinder
2008-06-02 12:20 . 2008-06-02 12:20 60 --a------ C:\WINDOWS\WININIT.INI
2008-06-02 11:38 . 2004-08-03 23:56 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-06-02 11:28 . 2008-06-02 11:28 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-06-02 11:28 . 2008-06-02 11:28 <DIR> d-------- C:\WINDOWS\system32\bits
2008-06-02 11:28 . 2008-06-02 11:28 <DIR> d-------- C:\WINDOWS\l2schemas
2008-06-02 11:27 . 2008-06-02 11:29 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-06-02 11:12 . 2008-04-14 01:11 1,888,992 --------- C:\WINDOWS\system32\ati3duag.dll
2008-06-01 22:21 . 2008-06-02 14:50 <DIR> d-------- C:\Program Files\SENuke
2008-06-01 22:21 . 2006-10-26 22:17 765,736 --a------ C:\WINDOWS\system32\MSWORD.OLB
2008-06-01 22:15 . 2008-06-08 21:24 <DIR> d-------- C:\Program Files\PromoSoft
2008-05-30 11:46 . 2008-05-30 11:46 1,277,495 --a------ C:\WINDOWS\XSitePro2 ClipArt Uninstaller.exe
2008-05-30 00:32 . 2008-05-31 11:06 1,408,361 --a------ C:\WINDOWS\XSitePro2 Uninstaller.exe
2008-05-28 12:42 . 2008-05-28 12:42 5,632 --a------ C:\WINDOWS\system32\cocpyinf.dll
2008-05-27 20:52 . 2008-05-27 20:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SimCity Societies
2008-05-27 15:57 . 2008-05-27 15:57 <DIR> d-------- C:\Documents and Settings\darren\pad
2008-05-27 15:27 . 2008-05-27 15:27 <DIR> d-------- C:\Program Files\Backlink Submitter
2008-05-27 15:06 . 2008-05-27 15:06 40 --a------ C:\WINDOWS\instantarticlesubmitter.ini
2008-05-27 15:05 . 2008-05-27 15:05 <DIR> d-------- C:\Program Files\Instant Affiliate Submitter
2008-05-27 15:05 . 2008-05-27 15:05 <DIR> d-------- C:\Documents and Settings\darren\Application Data\Software Defender
2008-05-27 15:05 . 2008-05-27 15:06 65 --a------ C:\WINDOWS\instantaffiliatesubmitter.ini
2008-05-27 14:58 . 2008-05-27 14:59 <DIR> d-------- C:\Program Files\PPC Accelerator
2008-05-26 03:08 . 2008-05-26 03:08 103 --a------ C:\WINDOWS\pro.INI
2008-05-26 03:00 . 2008-05-26 03:08 <DIR> d-------- C:\Program Files\Teleport Pro
2008-05-25 09:13 . 2008-05-25 09:13 <DIR> d-------- C:\Program Files\EdwinSoft
2008-05-22 03:26 . 2008-05-22 03:26 <DIR> d-------- C:\Program Files\Lexwatt Solutions
2008-05-22 03:23 . 2008-05-22 03:23 <DIR> d-------- C:\Program Files\Turbo Tube
2008-05-21 19:41 . 2008-05-21 19:41 362 --a------ C:\WINDOWS\CompetitionDominator.INI
2008-05-21 19:40 . 2008-05-21 19:41 <DIR> d-------- C:\Program Files\CompetitionDominator
2008-05-21 15:23 . 2008-05-31 11:05 <DIR> d-------- C:\Program Files\XSitePro2
2008-05-19 15:04 . 2008-05-19 15:04 <DIR> d-------- C:\WINDOWS\system32\Futuremark
2008-05-19 15:04 . 2007-09-07 14:55 27,672 --a------ C:\WINDOWS\system32\drivers\Entech.sys
2008-05-19 15:04 . 2007-09-07 14:55 12,744 --a------ C:\WINDOWS\system32\drivers\Entech64.sys
2008-05-19 15:04 . 2007-09-07 14:55 6,173 --a------ C:\WINDOWS\system32\drivers\Entech.vxd
2008-05-19 15:04 . 2001-11-19 20:05 3,972 --a------ C:\WINDOWS\system32\drivers\PciBus.sys
2008-05-19 08:02 . 2008-05-19 08:02 <DIR> d-------- C:\Documents and Settings\darren\Application Data\Nero
2008-05-19 07:59 . 2008-05-19 08:00 <DIR> d-------- C:\Program Files\Common Files\Nero
2008-05-19 07:59 . 2008-05-19 07:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Nero
2008-05-18 17:53 . 2008-05-18 17:53 <DIR> d-------- C:\Documents and Settings\darren\Application Data\Roxio
2008-05-18 17:52 . 2008-05-20 13:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Napster
2008-05-18 14:20 . 2008-05-18 14:22 <DIR> d-------- C:\Program Files\Domain Suggestion Tool
2008-05-17 04:00 . 2008-05-17 04:00 <DIR> d-------- C:\Program Files\Smart PC Solutions
2008-05-17 04:00 . 2008-05-17 04:00 <DIR> d-------- C:\Documents and Settings\darren\Application Data\Smart PC Solutions
2008-05-17 03:58 . 2008-05-17 03:58 <DIR> d-------- C:\Program Files\IBP 10
2008-05-17 03:58 . 2008-06-09 11:49 <DIR> d-------- C:\Documents and Settings\darren\Application Data\IBP
2008-05-16 19:01 . 2008-05-17 17:05 <DIR> d-------- C:\Program Files\Wp Soft
2008-05-14 11:32 . 2008-05-14 11:32 <DIR> d-------- C:\Program Files\VLS Media
2008-05-13 00:55 . 2008-05-13 00:55 <DIR> d-------- C:\Program Files\Pcsx2_0.9.4

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-12 12:38 --------- d-----w C:\Documents and Settings\darren\Application Data\tor
2008-06-12 12:36 7,479,961 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip
2008-06-12 12:35 716,840 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-06-12 12:35 57,551,904 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-06-12 12:20 --------- d-----w C:\Documents and Settings\darren\Application Data\Vidalia
2008-06-12 10:48 --------- d-----w C:\Program Files\Trillian
2008-06-11 23:24 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-11 02:10 --------- d-----w C:\Program Files\PeerGuardian2
2008-06-10 17:28 3,471,872 ----a-w C:\WINDOWS\Internet Logs\xDB1F.tmp
2008-06-10 14:24 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-06-10 14:22 107,832 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2008-06-09 09:08 --------- d-----w C:\Program Files\The Logo Creator v5
2008-06-09 07:26 --------- d-----w C:\Documents and Settings\darren\Application Data\uTorrent
2008-06-09 00:50 --------- d-----w C:\Program Files\Microsoft.NET
2008-06-04 02:51 76,855 ----a-w C:\Program Files\dasdasdasd.txt
2008-06-03 22:27 --------- d-----w C:\Program Files\DROPS Full
2008-06-03 11:55 --------- d-----w C:\Program Files\The Logo Creator v4
2008-06-02 15:51 --------- d-----w C:\Program Files\Keywords Raptor
2008-06-01 23:13 --------- d-----w C:\Program Files\SEO Elite 4
2008-05-27 02:19 --------- d-----w C:\Program Files\RSS Submit
2008-05-25 08:13 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-05-20 10:46 --------- d-----w C:\Program Files\WordFlood 2.0
2008-05-20 10:46 --------- d-----w C:\Program Files\WebPosition 4
2008-05-20 10:46 --------- d-----w C:\Program Files\Replay Media Catcher
2008-05-20 10:46 --------- d-----w C:\Program Files\MagicRecovery Pro DEMO
2008-05-20 10:46 --------- d-----w C:\Program Files\FriendBlasterPro
2008-05-20 10:46 --------- d-----w C:\Program Files\EmailMarketingDirector
2008-05-20 10:46 --------- d-----w C:\Program Files\A1Monitor
2008-05-20 10:37 --------- d-----w C:\Documents and Settings\darren\Application Data\BitTorrent DNA
2008-05-20 10:37 --------- d-----w C:\Documents and Settings\darren\Application Data\BitTorrent
2008-05-20 10:37 --------- d-----w C:\Documents and Settings\darren\Application Data\Azureus
2008-05-19 14:06 86,016 ----a-w C:\WINDOWS\system32\OpenAL32.dll
2008-05-19 06:59 --------- d-----w C:\Program Files\Nero
2008-05-18 21:22 --------- d-----w C:\Program Files\Affiliate Elite
2008-05-18 21:16 --------- d-----w C:\Program Files\Common Files\Ahead
2008-05-16 12:30 --------- d-----w C:\Program Files\Swf2Avi
2008-05-11 00:15 --------- d-----w C:\Program Files\XShan Corporation
2008-05-11 00:15 --------- d-----w C:\Documents and Settings\darren\Application Data\XShan
2008-05-10 23:50 --------- d-----w C:\Program Files\Keyword Elite
2008-05-10 18:28 --------- d-----w C:\Program Files\Instant PopOver
2008-05-10 18:03 --------- d-----w C:\Program Files\WordTracker Miner
2008-05-09 23:29 --------- d-----w C:\Program Files\Keyword Utilities
2008-05-08 23:01 640,512 ----a-w C:\WINDOWS\Internet Logs\xDB28F.tmp
2008-05-08 14:02 203,136 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 05:12 1,288,192 ----a-w C:\WINDOWS\system32\quartz.dll
2008-05-02 21:46 768,544 ----a-w C:\WINDOWS\system32\nvcplui.exe
2008-05-02 21:46 313,888 ----a-w C:\WINDOWS\system32\nvexpbar.dll
2008-05-01 23:06 286,720 ----a-w C:\WINDOWS\iun507.exe
2008-05-01 11:17 --------- d-----w C:\Program Files\Network Traffic Generator and Monitor
2008-05-01 11:12 --------- d-----w C:\Documents and Settings\darren\Application Data\CyberInstaller Studio 2008
2008-05-01 08:59 --------- d-----w C:\Program Files\Presell Robot
2008-04-30 23:18 --------- d-----w C:\Program Files\Macromedia
2008-04-30 23:18 --------- d-----w C:\Program Files\Common Files\Macromedia
2008-04-26 12:30 2,825,728 ----a-w C:\WINDOWS\Internet Logs\xDB1E.tmp
2008-04-26 12:30 1,006,592 ----a-w C:\WINDOWS\Internet Logs\xDB1D.tmp
2008-04-23 22:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ubisoft
2008-04-23 08:46 --------- d-----w C:\Program Files\Democracy2
2008-04-23 04:16 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-04-22 13:43 2,808,320 ----a-w C:\WINDOWS\Internet Logs\xDB1C.tmp
2008-04-22 09:58 2,807,808 ----a-w C:\WINDOWS\Internet Logs\xDB1B.tmp
2008-04-21 23:20 --------- d-----w C:\Program Files\CommentKahuna
2008-04-21 18:35 --------- d-----w C:\Program Files\Registry Genius
2008-04-21 18:29 --------- d-----w C:\Program Files\MimarSinan Visual Split Studio 6
2008-04-21 18:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\MimarSinan
2008-04-17 10:17 2,756,096 ----a-w C:\WINDOWS\Internet Logs\xDB1A.tmp
2008-04-16 16:15 2,789,376 ----a-w C:\WINDOWS\Internet Logs\xDB19.tmp
2008-04-16 11:10 --------- d-----w C:\Documents and Settings\darren\Application Data\Sierra
2008-04-16 10:35 --------- d-----w C:\Documents and Settings\darren\Application Data\Sports Interactive
2008-04-15 21:46 --------- d--h--w C:\Program Files\FX Uninstall Information
2008-04-14 21:47 --------- d-----w C:\Program Files\Ad Word Analyzer
2008-04-14 12:30 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-04-14 04:42 985,088 ----a-w C:\WINDOWS\system32\setupapi.dll
2008-04-14 04:42 11,264 ----a-w C:\WINDOWS\system32\spnpinst.exe
2008-04-14 04:41 423,936 ----a-w C:\WINDOWS\system32\licdll.dll
2008-04-14 00:25 1,804 ----a-w C:\WINDOWS\system32\dcache.bin
2008-04-14 00:16 329,728 ----a-w C:\WINDOWS\system32\netsetup.exe
2008-04-14 00:13 92,424 ----a-w C:\WINDOWS\system32\rdpdd.dll
2008-04-14 00:13 87,176 ----a-w C:\WINDOWS\system32\rdpwsx.dll
2008-04-14 00:13 40,840 ----a-w C:\WINDOWS\system32\drivers\termdd.sys
2008-04-14 00:13 21,896 ----a-w C:\WINDOWS\system32\drivers\tdtcp.sys
2008-04-14 00:13 139,656 ----a-w C:\WINDOWS\system32\drivers\rdpwd.sys
2008-04-14 00:13 12,168 ----a-w C:\WINDOWS\system32\tsddd.dll
2008-04-14 00:13 12,040 ----a-w C:\WINDOWS\system32\drivers\tdpipe.sys
2008-04-14 00:11 997,376 ----a-w C:\WINDOWS\system32\msgina.dll
2008-04-14 00:10 53,279 ----a-w C:\WINDOWS\system32\odbcji32.dll
2008-04-14 00:10 4,126 ----a-w C:\WINDOWS\system32\msdxmlc.dll
2008-04-14 00:10 3,584 ----a-w C:\WINDOWS\system32\msafd.dll
2008-04-14 00:10 102,912 ----a-w C:\WINDOWS\system32\dpcdll.dll
2008-04-13 19:30 1,845,632 ----a-w C:\WINDOWS\system32\win32k.sys
2008-04-13 19:28 175,744 ----a-w C:\WINDOWS\system32\drivers\rdbss.sys
2008-04-13 19:24 2,145,280 ----a-w C:\WINDOWS\system32\ntoskrnl.exe
2008-04-13 19:21 162,816 ----a-w C:\WINDOWS\system32\drivers\netbt.sys
2008-04-13 19:20 91,520 ----a-w C:\WINDOWS\system32\drivers\ndiswan.sys
2008-04-13 19:20 361,344 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-04-13 19:20 182,656 ----a-w C:\WINDOWS\system32\drivers\ndis.sys
2008-04-13 19:19 75,264 ----a-w C:\WINDOWS\system32\drivers\ipsec.sys
2008-04-13 19:19 51,328 ----a-w C:\WINDOWS\system32\drivers\rasl2tp.sys
2008-04-13 19:19 48,384 ----a-w C:\WINDOWS\system32\drivers\raspptp.sys
2008-04-13 19:19 146,048 ----a-w C:\WINDOWS\system32\drivers\portcls.sys
2008-04-13 19:19 138,112 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2006-05-03 09:06 163,328 --sh--r C:\WINDOWS\system32\flvDX.dll
2007-02-21 10:47 31,232 --sh--r C:\WINDOWS\system32\msfDX.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Vidalia"="C:\Program Files\Vidalia Bundle\Vidalia\vidalia.exe" [2007-08-26 07:02 11852288]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 01:12 15360]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 14:39 1289000]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 16:32 56080 C:\WINDOWS\KHALMNPR.Exe]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-03-14 00:11 919016]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-05-14 23:43 13533184]
"nwiz"="nwiz.exe" [2008-05-14 23:43 1630208 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2008-05-14 23:43 86016]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2008-04-14 01:12 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= i420vfw.dll
"MSVideo"= CSvidcap.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
backup=C:\WINDOWS\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Synchronizer.lnk]
backup=C:\WINDOWS\pss\Adobe Acrobat Synchronizer.lnkCommon Startup
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Synchronizer.lnk

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^GammaTray.lnk]
backup=C:\WINDOWS\pss\GammaTray.lnkCommon Startup
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\GammaTray.lnk

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk
backup=C:\WINDOWS\pss\Logitech SetPoint.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Privoxy.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Privoxy.lnk
backup=C:\WINDOWS\pss\Privoxy.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^darren^Start Menu^Programs^Startup^Rapidown.lnk]
backup=C:\WINDOWS\pss\Rapidown.lnkStartup
path=C:\Documents and Settings\darren\Start Menu\Programs\Startup\Rapidown.lnk

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\36X Raid Configurer]
-r------- 2007-03-21 09:23 1953792 C:\WINDOWS\system32\xRaidSetup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
--a------ 2008-01-11 19:54 623992 C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
G:\utils\photoshop\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Advanced Tools Check]
C:\PROGRA~1\NORTON~2\AdvTools\ADVCHK.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
-r------- 2005-05-03 11:43 69632 C:\WINDOWS\Alcmtr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent DNA]
--a------ 2007-10-27 11:52 286016 C:\Program Files\BitTorrent_DNA\dna.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
--a------ 2008-04-14 01:12 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
--a------ 2006-12-12 10:46 19456 C:\WINDOWS\system32\CtHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTxfiHlp]
--a------ 2006-12-12 10:46 20480 C:\WINDOWS\system32\Ctxfihlp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
--a------ 2007-09-18 15:16 171464 C:\Program Files\DAEMON Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DW4]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\JMB36X IDE Setup]
--a------ 2007-03-20 14:36 36864 C:\WINDOWS\RaidTool\xInsIDE.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
---hs---- 2008-04-14 01:12 1695232 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
--a------ 2007-12-03 14:21 2213160 C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2007-03-01 14:57 153136 C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2008-05-14 23:43 1630208 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-06-29 06:24 286720 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
-r------- 2007-03-21 07:49 16126464 C:\WINDOWS\RTHDCPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmartPatrol]
--a------ 2005-06-03 06:57 1151488 C:\PROGRA~1\AddWeb8\SmartPatrol.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-07-12 04:00 132496 C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Warning]
C:\PROGRA~1\SYMNET~1\SNDWarn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2007-12-04 23:39 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue SpeedUpMyPC]
C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
--------- 2000-05-11 01:00 90112 C:\WINDOWS\UpdReg.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VolPanel]
--------- 2006-04-05 18:19 122880 C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"A1Monitor931075154"=2 (0x2)
"MDM"=2 (0x2)
"Creative Service for CDROM Access"=2 (0x2)
"TS Poster"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\BitTorrent_DNA\\dna.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"C:\\Program Files\\IBP 10\\IBP.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R2 acedrv10;acedrv10;C:\WINDOWS\system32\drivers\acedrv10.sys [2007-07-24 08:45]
R2 acehlp10;acehlp10;C:\WINDOWS\system32\drivers\acehlp10.sys [2007-07-11 09:20]
R2 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);"C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sMSSMLBIZ []
R2 pgsql-8.3;PostgreSQL Database Server 8.3;"C:\Documents and Settings\darren\GungHo Technologies\Trackback Spider\pgsql\bin\pg_ctl.exe" runservice -w -N "pgsql-8.3" -D "C:\Documents and Settings\darren\GungHo Technologies\Trackback Spider\database\" []
R3 AtcL001;NDIS Miniport Driver for Atheros L1 Gigabit Ethernet Controller;C:\WINDOWS\system32\DRIVERS\l151x86.sys [2008-02-24 14:27]
R3 ha20x2k;Creative 20X HAL Driver;C:\WINDOWS\system32\drivers\ha20x2k.sys [2006-12-19 08:36]
S2 NVR0FLASHDev;NVR0FLASHDev;C:\WINDOWS\nvflash.sys []
S4 A1Monitor931075154;A1Monitor931075154;C:\Program Files\A1Monitor\VMonitor.EXE []
S4 TS Poster;Trackback Poster;"C:\Program Files\Trackback Spider\Poster Service.exe" []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{45752744-6aaa-11dc-8738-806d6172696f}]
\Shell\AutoRun\command - T:\Autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{464a43bc-7a71-11dc-8903-806d6172696f}]
\Shell\AutoRun\command - H:\Autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{68c0fee5-6aa0-11dc-bc71-806d6172696f}]
\Shell\AutoRun\command - H:\Autorun.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-06-12 01:59:00 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
"2007-09-26 01:59:22 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-12 13:37:17
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Documents and Settings\darren\GungHo Technologies\Trackback Spider\pgsql\bin\pg_ctl.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Documents and Settings\darren\GungHo Technologies\Trackback Spider\pgsql\bin\postgres.exe
C:\Program Files\Vidalia Bundle\Tor\tor.exe
C:\Program Files\Zone Labs\ZoneAlarm\MailFrontier\mantispm.exe
C:\Documents and Settings\darren\GungHo Technologies\Trackback Spider\pgsql\bin\postgres.exe
C:\Documents and Settings\darren\GungHo Technologies\Trackback Spider\pgsql\bin\postgres.exe
C:\Documents and Settings\darren\GungHo Technologies\Trackback Spider\pgsql\bin\postgres.exe
C:\Documents and Settings\darren\GungHo Technologies\Trackback Spider\pgsql\bin\postgres.exe
.
**************************************************************************
.
Completion time: 2008-06-12 13:43:51 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-12 12:43:44

Pre-Run: 7,626,993,664 bytes free
Post-Run: 8,413,831,168 bytes free

402 --- E O F --- 2008-06-12 02:51:12


Hard drive still accessing all the time.

#4 xerive

    New Member

  • New Member
  • 4 posts

Posted 12 June 2008 - 06:54 AM

Latest HijackThis report:

Logfile of HijackThis v1.99.1
Scan saved at 13:54:35, on 12/06/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Vidalia Bundle\Vidalia\vidalia.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Documents and Settings\darren\GungHo Technologies\Trackback Spider\pgsql\bin\pg_ctl.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\darren\GungHo Technologies\Trackback Spider\pgsql\bin\postgres.exe
C:\Program Files\Zone Labs\ZoneAlarm\MailFrontier\mantispm.exe
C:\Documents and Settings\darren\GungHo Technologies\Trackback Spider\pgsql\bin\postgres.exe
C:\Documents and Settings\darren\GungHo Technologies\Trackback Spider\pgsql\bin\postgres.exe
C:\Documents and Settings\darren\GungHo Technologies\Trackback Spider\pgsql\bin\postgres.exe
C:\Documents and Settings\darren\GungHo Technologies\Trackback Spider\pgsql\bin\postgres.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\darren\Desktop\hijackthis_sfx\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8118
R3 - URLSearchHook: (no name) - {0A94B116-4504-4e26-AB05-E61E474AA38B} - C:\Program Files\AskPBar\SrchAstt\1.bin\A9SRCHAS.DLL
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Ask Search Assistant BHO - {0A94B111-4504-4e26-AB05-E61E474AA38B} - C:\Program Files\AskPBar\SrchAstt\1.bin\A9SRCHAS.DLL
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Ask Toolbar - {F4D76F09-7896-458a-890F-E1F05C46069F} - (no file)
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [Vidalia] "C:\Program Files\Vidalia Bundle\Vidalia\vidalia.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: http://linktrader.cyberspacehq.com
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onec...lscbase9563.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - G:\utils\photoshop\PhotoshopElementsFileAgent.exe (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: SQL Server (MSSMLBIZ) (MSSQL$MSSMLBIZ) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sMSSMLBIZ (file missing)
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PostgreSQL Database Server 8.3 (pgsql-8.3) - Unknown owner - C:\Documents and Settings\darren\GungHo Technologies\Trackback Spider\pgsql\bin\pg_ctl.exe" runservice -w -N "pgsql-8.3" -D "C:\Documents and Settings\darren\GungHo Technologies\Trackback Spider\database\ (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
