Cannot successfully remove infected file(s)

captain5678 · September 27, 2013

Hi,

I appeared to get a virus (Rootkit?) a few weeks ago. It had the effect of disabling my current antivirus and Firewall (Windows Security Essentials) amongst other things. Both MBAM and Windows Defender find infected files and attempt to remove them, but whenever I rerun the scan, the files are still there!

Any assistance would be greatly appreciated.

****

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702
Run by hk at 18:49:42 on 2013-09-27
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.510.123 [GMT 1:00]
.
AV: ZoneAlarm Security Suite Antivirus *Disabled/Outdated* {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
FW: ZoneAlarm Security Suite Firewall *Disabled*
.
============== Running Processes ================
.
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\Program Files\Microsoft Security Client\MpCmdRun.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
.
============== Pseudo HJT Report ===============
.

dURLSearchHooks: Yahoo! Toolbar: {EF99BD32-C1FB-11D2-892F-0090271D4F88} -
BHO: &Yahoo! Toolbar Helper: {02478D38-C3F9-4efb-9B51-7695ECA05670} -
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049C3E9-B461-4BC5-8870-4C09146192CA} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - <orphaned>
BHO: DriveLetterAccess: {5CA3D70E-1895-11CF-8E15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -
BHO: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [skype] "c:\program files\skype\phone\Skype.exe" /minimized /regrun
uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil32_11_8_800_94_ActiveX.exe -update activex
mRun: [soundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [intelMeM] c:\program files\intel\modem event monitor\IntelMEM.exe
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [updateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [NPSStartup] <no file>
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:323
uPolicies-Explorer: NoDriveAutoRun = dword:67108863
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
mPolicies-Explorer: NoDriveTypeAutoRun = dword:351
mPolicies-Explorer: NoDrives = dword:0
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} -
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
LSP: mswsock.dll

TCP: NameServer = 192.168.1.1 192.168.1.1
TCP: Interfaces\{9C903BEF-1C8C-48CA-AC11-7B5C43248F06} : DHCPNameServer = 192.168.1.1 192.168.1.1
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} -
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} -
SEH: Windows Desktop Search Namespace Manager - {56F9679E-7826-4C84-81F3-532071A8BCC5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
Hosts: 127.0.0.1 www.spywareinfo.com
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2013-1-20 211560]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2006-6-29 394952]
S1 fbvldaqz;fbvldaqz;\??\c:\windows\system32\drivers\fbvldaqz.sys --> c:\windows\system32\drivers\fbvldaqz.sys [?]
S2 gupdate1c9ed306e0f9d60;Google Update Service (gupdate1c9ed306e0f9d60);c:\program files\google\update\GoogleUpdate.exe [2009-6-14 133104]
S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2013-6-21 162408]
S2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
S3 ADMXGHMD;ADMXGHMD;c:\docume~1\e\locals~1\temp\admxghmd.exe --> c:\docume~1\e\locals~1\temp\ADMXGHMD.exe [?]
S3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [2009-12-11 36608]
S3 MatSvc;Microsoft Automated Troubleshooting Service;c:\program files\microsoft fix it center\Matsvc.exe [2011-6-13 267568]
S3 RapportIaso;RapportIaso;c:\documents and settings\all users\application data\trusteer\rapport\store\exts\rapportms\baseline\RapportIaso.sys [2012-7-22 55448]
S3 v800bus;Sony Ericsson V800-Vodafone 802SE driver (WDM);c:\windows\system32\drivers\v800bus.sys [2006-7-23 52416]
S3 v800mdfl;Sony Ericsson V800-Vodafone 802SE USB WMC Modem Filter;c:\windows\system32\drivers\v800mdfl.sys [2006-7-23 6160]
S3 v800mdm;Sony Ericsson V800-Vodafone 802SE USB WMC Modem Driver;c:\windows\system32\drivers\v800mdm.sys [2006-7-23 84544]
S3 v800mgmt;Sony Ericsson V800-Vodafone 802SE USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\v800mgmt.sys [2006-7-23 77760]
S3 v800obex;Sony Ericsson V800-Vodafone 802SE USB WMC OBEX Interface;c:\windows\system32\drivers\v800obex.sys [2006-7-23 75584]
.
=============== Created Last 30 ================
.
2013-09-27 16:57:15 7328304 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{e4d9d043-99ae-47f1-989e-35cc50757f17}\mpengine.dll
2013-09-22 22:48:46 7328304 ------w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2013-09-08 18:38:11 -------- d-----w- c:\windows\system32\MpEngineStore
2013-09-03 13:53:52 187248 ----a-w- c:\program files\internet explorer\plugins\nppdf32.dll
.
==================== Find3M ====================
.
2013-08-09 01:56:45 386560 ----a-w- c:\windows\system32\themeui.dll
2013-08-08 06:05:59 920064 ----a-w- c:\windows\system32\wininet.dll
2013-08-08 06:05:59 43520 ----a-w- c:\windows\system32\licmgr10.dll
2013-08-08 06:05:59 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2013-08-08 06:05:58 18944 ----a-w- c:\windows\system32\corpol.dll
2013-08-08 01:27:48 1877760 ----a-w- c:\windows\system32\win32k.sys
2013-08-08 00:02:34 385024 ----a-w- c:\windows\system32\html.iec
2013-08-05 13:30:32 1289728 ----a-w- c:\windows\system32\ole32.dll
2013-08-03 13:18:38 1543680 ------w- c:\windows\system32\wmvdecod.dll
2013-07-28 22:59:02 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-07-28 22:59:01 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-07-10 10:37:53 406016 ----a-w- c:\windows\system32\usp10.dll
2013-07-04 02:59:11 2193536 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-07-04 02:08:30 2070144 ----a-w- c:\windows\system32\ntkrnlpa.exe
.
============= FINISH: 18:52:09.60 ===============

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-11-20.01)
.
Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 10/03/2005 23:03:12
System Uptime: 27/09/2013 17:32:39 (1 hours ago)
.
Motherboard: Dell Computer Corp. | | 0K8980
Processor: Intel® Pentium® 4 CPU 2.80GHz | Microprocessor | 2793/533mhz
.
==== Disk Partitions =========================
.
A: is Removable
C: is FIXED (NTFS) - 72 GiB total, 18.434 GiB free.
D: is CDROM ()
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP1118: 09/09/2013 16:58:09 - Software Distribution Service 3.0
RP1119: 18/09/2013 21:28:40 - System Checkpoint
RP1120: 18/09/2013 23:15:01 - Software Distribution Service 3.0
RP1121: 20/09/2013 01:27:30 - Software Distribution Service 3.0
RP1122: 20/09/2013 14:35:02 - Microsoft Antimalware Checkpoint
RP1123: 20/09/2013 15:14:16 - Software Distribution Service 3.0
RP1124: 20/09/2013 19:38:07 - Software Distribution Service 3.0
RP1125: 22/09/2013 23:48:08 - Software Distribution Service 3.0
RP1126: 27/09/2013 17:56:34 - Software Distribution Service 3.0
.
==== Installed Programs ======================
.
Acrobat.com
Adobe Flash Player 11 ActiveX
Adobe Reader X (10.1.8)
AnswerWorks Runtime
Apple Application Support
Apple Software Update
ArcSoft Software Suite
AutoCAD LT 2002
BlackBerry Desktop Software 7.1
Bonjour
CapMan
Critical Update for Windows Media Player 11 (KB959772)
Dell Driver Reset Tool
Dell Media Experience
Dell System Restore
Google Earth
Google Update Helper
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB2570791)
Hotfix for Windows XP (KB2633952)
Hotfix for Windows XP (KB2779562)
Hotfix for Windows XP (KB915800-v4)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976002-v5)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
Intel® 537EP V9x DF PCI Modem
Intel® Extreme Graphics 2 Driver
Intel® PRO Network Adapters and Drivers
Intel® PROSet for Wired Connections
Internet Explorer Default Page
iTunes
Jasc Paint Shop Photo Album
Jasc Paint Shop Pro 8 Dell Edition
Java Auto Updater
Java 6 Update 29
Learn2 Player (Uninstall Only)
LUMIX Simple Viewer
Malwarebytes Anti-Malware version 1.75.0.1300
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2833941)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Automated Troubleshooting Services Shim
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Choice Guard
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Download Manager
Microsoft Fix it Center
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
Microsoft National Language Support Downlevel APIs
Microsoft Office File Validation Add-In
Microsoft Office Professional Edition 2003
Microsoft Security Client
Microsoft Security Essentials
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Works 7.0
Modem Event Monitor
Modem Helper
Modem On Hold
MSN
MSVCRT
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
PC Suite
PowerDVD 5.3
QuickTime
RealPlayer
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2736416)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2840629)
Security Update for Microsoft Windows (KB2564958)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Internet Explorer 7 (KB976325)
Security Update for Windows Internet Explorer 7 (KB978207)
Security Update for Windows Internet Explorer 8 (KB2183461)
Security Update for Windows Internet Explorer 8 (KB2360131)
Security Update for Windows Internet Explorer 8 (KB2416400)
Security Update for Windows Internet Explorer 8 (KB2482017)
Security Update for Windows Internet Explorer 8 (KB2497640)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB2530548)
Security Update for Windows Internet Explorer 8 (KB2544521)
Security Update for Windows Internet Explorer 8 (KB2559049)
Security Update for Windows Internet Explorer 8 (KB2586448)
Security Update for Windows Internet Explorer 8 (KB2618444)
Security Update for Windows Internet Explorer 8 (KB2647516)
Security Update for Windows Internet Explorer 8 (KB2675157)
Security Update for Windows Internet Explorer 8 (KB2838727)
Security Update for Windows Internet Explorer 8 (KB2846071)
Security Update for Windows Internet Explorer 8 (KB2862772)
Security Update for Windows Internet Explorer 8 (KB2870699)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB2834904-v2)
Security Update for Windows Media Player (KB2834904)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB911565)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows Search 4 - KB963093
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476490)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479628)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485376)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2503658)
Security Update for Windows XP (KB2503665)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2506223)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2507938)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2511455)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB2535512)
Security Update for Windows XP (KB2536276-v2)
Security Update for Windows XP (KB2536276)
Security Update for Windows XP (KB2544893-v2)
Security Update for Windows XP (KB2544893)
Security Update for Windows XP (KB2555917)
Security Update for Windows XP (KB2562937)
Security Update for Windows XP (KB2566454)
Security Update for Windows XP (KB2567053)
Security Update for Windows XP (KB2567680)
Security Update for Windows XP (KB2570222)
Security Update for Windows XP (KB2570947)
Security Update for Windows XP (KB2584146)
Security Update for Windows XP (KB2585542)
Security Update for Windows XP (KB2592799)
Security Update for Windows XP (KB2598479)
Security Update for Windows XP (KB2603381)
Security Update for Windows XP (KB2618451)
Security Update for Windows XP (KB2619339)
Security Update for Windows XP (KB2620712)
Security Update for Windows XP (KB2621440)
Security Update for Windows XP (KB2624667)
Security Update for Windows XP (KB2631813)
Security Update for Windows XP (KB2633171)
Security Update for Windows XP (KB2639417)
Security Update for Windows XP (KB2641653)
Security Update for Windows XP (KB2646524)
Security Update for Windows XP (KB2647518)
Security Update for Windows XP (KB2653956)
Security Update for Windows XP (KB2655992)
Security Update for Windows XP (KB2659262)
Security Update for Windows XP (KB2660465)
Security Update for Windows XP (KB2661637)
Security Update for Windows XP (KB2676562)
Security Update for Windows XP (KB2686509)
Security Update for Windows XP (KB2691442)
Security Update for Windows XP (KB2695962)
Security Update for Windows XP (KB2698365)
Security Update for Windows XP (KB2705219-v2)
Security Update for Windows XP (KB2712808)
Security Update for Windows XP (KB2719985)
Security Update for Windows XP (KB2723135-v2)
Security Update for Windows XP (KB2727528)
Security Update for Windows XP (KB2753842-v2)
Security Update for Windows XP (KB2757638)
Security Update for Windows XP (KB2758857)
Security Update for Windows XP (KB2770660)
Security Update for Windows XP (KB2780091)
Security Update for Windows XP (KB2802968)
Security Update for Windows XP (KB2807986)
Security Update for Windows XP (KB2813170)
Security Update for Windows XP (KB2813345)
Security Update for Windows XP (KB2820197)
Security Update for Windows XP (KB2820917)
Security Update for Windows XP (KB2829361)
Security Update for Windows XP (KB2834886)
Security Update for Windows XP (KB2839229)
Security Update for Windows XP (KB2845187)
Security Update for Windows XP (KB2849470)
Security Update for Windows XP (KB2850851)
Security Update for Windows XP (KB2850869)
Security Update for Windows XP (KB2859537)
Security Update for Windows XP (KB2864063)
Security Update for Windows XP (KB2876217)
Security Update for Windows XP (KB2876315)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
Segoe UI
Skype™ 6.6
Sonic DLA
Sonic RecordNow!
Sonic Update Manager
Sony Ericsson Mobile Phone Monitor
Sony Ericsson OCS
Spelling Dictionaries Support For Adobe Reader 9
SpywareBlaster 5.0
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 7 (KB976749)
Update for Windows Internet Explorer 8 (KB2598845)
Update for Windows Internet Explorer 8 (KB2632503)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB978506)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB2492386)
Update for Windows XP (KB2541763)
Update for Windows XP (KB2607712)
Update for Windows XP (KB2616676)
Update for Windows XP (KB2641690)
Update for Windows XP (KB2661254-v2)
Update for Windows XP (KB2718704)
Update for Windows XP (KB2749655)
Update for Windows XP (KB2863058)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB961503)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
VirtualCom driver
WebFldrs XP
Windows Driver Package - MobileTop (sshpmdm) Modem (01/26/2008 2.6.0.0)
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Upload Tool
Windows Media Format 11 runtime
Windows Media Player 11
Windows PowerShell 1.0
Windows Search 4.0
Windows XP Service Pack 3
.
==== Event Viewer Messages From Past Week ========
.
22/09/2013 00:56:49, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.159.346.0 Update Source: Microsoft Update Server Update Stage: Download Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.9901.0 Error code: 0x80240022 Error description: The program can't check for definition updates.
22/09/2013 00:56:49, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.159.346.0 Update Source: Microsoft Update Server Update Stage: Download Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.9901.0 Error code: 0x80240022 Error description: The program can't check for definition updates.
22/09/2013 00:16:31, error: DCOM [10016] - The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {BA126AD1-2166-11D1-B1D0-00805FC1270E} to the user NT AUTHORITY\NETWORK SERVICE SID (S-1-5-20). This security permission can be modified using the Component Services administrative tool.
22/09/2013 00:14:55, error: Dhcp [1002] - The IP address lease 192.168.1.3 for the Network Card with network address 001111DFCD46 has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
20/09/2013 19:22:58, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
20/09/2013 19:22:44, error: Service Control Manager [7000] - The TrueVector Internet Monitor service failed to start due to the following error: The system cannot find the path specified.
20/09/2013 14:58:40, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: abp480n5 adpu160m agp440 agpCPQ Aha154x aic78u2 aic78xx AliIde alim1541 amdagp amsint asc asc3350p asc3550 cbidf cd20xrnt CmdIde Cpqarray dac2w2k dac960nt dpti2o hpn i2omp ini910u IntelIde mraid35x perc2 perc2hib ql1080 Ql10wnt ql12160 ql1240 ql1280 sisagp Sparrow symc810 symc8xx sym_hi sym_u3 TosIde ultra viaagp ViaIde
.
==== End Of File ===========================

MrCharlie · September 27, 2013

Welcome to the forum.

Please download and run RogueKiller 32 Bit to your desktop.

RogueKiller 64 Bit <---use this one for 64 bit systems

Quit all running programs.

For Windows XP, double-click to start.

For Vista or Windows 7-8, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system.

When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options, they're not all bad!!!!!!!

Post back the report which should be located on your desktop.

(please don't put logs in code or quotes and use the default font)

P2P/Piracy Warning:

1. If you're using Peer 2 Peer software such as uTorrent, BitTorrent or similar you must either fully uninstall it or completely disable it from running while being assisted here.
Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.
2. If you have illegal/cracked software, cracks, keygens, Adobe host file, etc. on the system, please remove or uninstall them now and read the policy on Piracy.
Failure to remove such software will result in your topic being closed and no further assistance being provided.

MrC

Note:

Please read all of my instructions completely including these.

Make sure system restore is turned on and running

Make sure you're subscribed to this topic: Click on the Follow This Topic Button (at the top right of this page), make sure that the Receive notification box is checked and that it is set to Instantly

Removing malware can be unpredictable...unlikely but things can go very wrong! Backup any files that cannot be replaced. You can copy them to a CD/DVD, external drive or a pen drive

<+>Please don't run any other scans, download, install or uninstall any programs while I'm working with you.

<+>The removal of malware isn't instantaneous, please be patient.

<+>When we are done, I'll give to instructions on how to cleanup all the tools and logs

<+>Please stick with me until I give you the "all clear" and Please don't waste my time by leaving before that.

------->Your topic will be closed if you haven't replied within 3 days!<--------

(If I don't respond within 24 hours, please send me a PM)

captain5678 · September 29, 2013

I have tried sending a full reply twice, but it fails to send and just says 'saving post' for about 30mins!

I will try to send this short post as a test...

captain5678 · September 29, 2013

Hmmm, yes that seemed to work fine!

I will send the original post in parts to see if that helps...

***************

Hi MrC!

Thanks for taking the time to help me out.

I have thoroughly read your instructions and notes.

I checked System Restore was on.

I checked I was subscribed to this topic and set the notification to 'Immediate' (you have written 'Instantly' - is this the same thing, or I am I looking at something different?!).

I backed up my files.

Regarding P2P and piracy, there should be no problems although this pc used to belong to someone else, so I'm not 100% sure even what some of the software that is installed on it is (e.g. looking a the list of installed programs, I'm not sure what Bonjour is, or Capman, or Segoe UI), and there are some things that I don't use, but I don't know how to uninstall (e.g. AutoCAD, Sony Ericsson stuff, ZoneAlarm stuff). Is that something you can easily check for me? If there's anything that needs to come off, can you let me know what it is?

I downloaded RogueKiller 32 Bit, quit all programs, then ran RogueKiller. It started fine, and ran for about 10 seconds, then I got the blue screen of death. I restarted the pc and reran RogueKiller; this time it ran for about 1 minute and I saw it identify one file (gupdate something) then the pc shut down by itself. There was no blue screen or warning, just shutdown. I repeated this and the same thing happened (i.e. shutdown after ~1min). I have pasted the (truncated?) log file here...

[00:00:0063] ***** Global Init *****
[00:00:0078] Has crashed before : 1
[00:00:0078] Create mutex : RogueKiller
[00:01:0235] Mutex Created : 0x19c
[00:01:0235] Fill lists
[00:01:0281] OS Language : English
[00:01:0281] Take Privileges
[00:01:0297] Modify Token
[00:01:0297] Set priority to HIGH
[00:01:0297] Getting Operating System
[00:01:0313] Os Getted : Windows XP (5.1.2600 Service Pack 3) 32 bits version
[00:01:0313] ***** Global Init OK *****
[00:01:0313] ***** GUI Init *****
[00:01:0406] ***** GUI Init OK *****
[00:01:0422] Get build number
[00:01:0422] build number : RogueKiller™ v8.6.12 [sep 18 2013] (x64 : 0)
[00:01:0438] ***** PreScan *****
[00:01:0438] Clear ListViews
[00:01:0453] [Check Window] TF_FloatingLangBar_WndTitle
[00:01:0485] [Check Window] CiceroUIWndFrame
[00:01:0485] [Check Window] Start Menu
[00:01:0500] [Check Window] RogueKiller™ v8.6.12
[00:01:0500] [Check Window] DDE Server Window
[00:01:0516] [Check Window] SMax4PNP
[00:01:0516] [Check Window] AEBalloonTip
[00:01:0531] [Check Window] 714
[00:01:0531] [Check Window] PersistWndName
[00:01:0547] [Check Window] HkWndName
[00:01:0547] [Check Window] Connections Tray
[00:01:0563] [Check Window] Update Manager
[00:01:0563] [Check Window] HelperMsgListenerWnd
[00:01:0578] [Check Window] BbDevMgrDeviceListener
[00:01:0578] [Check Window] Sample
[00:01:0594] [Check Window] Notification Wnd for RNAdmin
[00:01:0594] [Check Window] Intel MEM
[00:01:0610] [Check Window] Power Meter
[00:01:0610] [Check Window] MS_WebcheckMonitor
[00:01:0625] [Check Window] Program Manager
[00:01:0641] [Check Window] M
[00:01:0641] [Check Window] Default IME
[00:01:0656] [Check Window] M
[00:01:0656] [Check Window] Default IME
[00:01:0672] [Check Window] Default IME
[00:01:0672] [Check Window] Default IME
[00:01:0688] [Check Window] Default IME
[00:01:0703] [Check Window] Default IME
[00:01:0703] [Check Window] Default IME
[00:01:0719] [Check Window] Default IME
[00:01:0797] [Check Window] Default IME
[00:01:0797] [Check Window] Default IME
[00:01:0813] [Check Window] Default IME
[00:01:0813] [Check Window] Default IME
[00:01:0828] [Check Window] Default IME
[00:01:0828] [Check Window] Default IME
[00:01:0844] [Check Window] M
[00:01:0844] [Check Window] Default IME
[00:01:0860] [Check Processes] Service PID : 712
[00:02:0344] [Check Processes] [0][_0] [system Process] :
[00:02:0344] [CHECK] WhiteDLL
[00:02:0360] [CHECK] Whitelist
[00:02:0360] [CHECK] WellKnown
[00:02:0375] [Check Processes] [4][_0] System :
[00:02:0375] [CHECK] WhiteDLL
[00:02:0391] [CHECK] Whitelist
[00:02:0391] [CHECK] WellKnown
[00:02:0391] [Check Processes] [596][_4] smss.exe : C:\WINDOWS\System32\smss.exe
[00:02:0406] [CHECK] WhiteDLL
[00:02:0406] [CHECK] Whitelist
[00:02:0422] [CHECK] WellKnown
[00:02:0422] [Check Processes] [644][_596] csrss.exe : C:\WINDOWS\SYSTEM32\csrss.exe
[00:02:0438] [CHECK] WhiteDLL
[00:02:0438] [CHECK] Whitelist
[00:02:0453] [CHECK] WellKnown
[00:02:0453] [Check Processes] [668][_596] winlogon.exe : C:\WINDOWS\SYSTEM32\winlogon.exe
[00:02:0469] [CHECK] WhiteDLL
[00:02:0469] [CHECK] Whitelist
[00:02:0485] [CHECK] WellKnown
[00:02:0485] [Check Processes] [712][_668] services.exe : C:\WINDOWS\SYSTEM32\services.exe
[00:02:0500] [CHECK] WhiteDLL
[00:02:0516] [CHECK] Whitelist
[00:02:0516] [CHECK] WellKnown
[00:02:0531] [Check Processes] [724][_668] lsass.exe : C:\WINDOWS\SYSTEM32\lsass.exe
[00:02:0547] [CHECK] WhiteDLL
[00:02:0547] [CHECK] Whitelist
[00:02:0547] [CHECK] WellKnown
[00:02:0563] [Check Processes] [888][_712] svchost.exe : C:\WINDOWS\SYSTEM32\svchost.exe
[00:02:0563] [CHECK] WhiteDLL
[00:02:0578] [CHECK] Whitelist
[00:02:0578] [CHECK] WellKnown
[00:02:0594] [Check Processes] [964][_712] svchost.exe : C:\WINDOWS\SYSTEM32\svchost.exe
[00:02:0594] [CHECK] WhiteDLL
[00:02:0610] [CHECK] Whitelist
[00:02:0610] [CHECK] WellKnown
[00:02:0625] [Check Processes] [1000][_712] MsMpEng.exe : c:\Program Files\Microsoft Security Client\MsMpEng.exe
[00:02:0625] [CHECK] WhiteDLL
[00:02:0641] [CHECK] Whitelist
[00:02:0641] [CHECK] WellKnown
[00:02:0656] [CHECK] WhitelistPath
[00:02:0656] [CHECK] HijackName
[00:02:0656] [CHECK] Signature
[00:02:0672] [PE] Mapping
[00:02:0672] [PE] Parsing
[00:02:0688] [PE] Dos header -> 0x1d60000
[00:02:0688] [PE] Nt header (offset : 0xd0) file size 0x56c0
[00:02:0703] [PE] pNtHeadersx86 -> 0x1d600d0
[00:02:0703] [PE] Chars -> 0x102
[00:02:0719] [PE] Optional header
[00:02:0719] [PE] Sections : 5
[00:02:0719] [PE] Section : 0 - .text
[00:02:0735] [PE] Section : 1 - .data
[00:02:0735] [PE] Section : 2 - .idata
[00:02:0750] [PE] Section : 3 - .rsrc
[00:02:0750] [PE] Section : 4 - .reloc
[00:02:0766] [PE] File open : 1
[00:02:0766] [PE] Search sigs
[00:02:0781] [PE] Section[0/4] : 0x1d60400
[00:02:0781] [PE] Init AhoCorasick
[00:02:0781] [PE] Start AhoCorasick [0x1d60400 - 512]
[00:02:0797] [PE] Looking results : 0
[00:02:0797] [PE] Section[1/4] : 0x1d60600
[00:02:0813] [PE] Init AhoCorasick
[00:02:0813] [PE] Start AhoCorasick [0x1d60600 - 512]
[00:02:0828] [PE] Looking results : 0
[00:02:0828] [PE] Section[2/4] : 0x1d60800
[00:02:0828] [PE] Init AhoCorasick
[00:02:0844] [PE] Start AhoCorasick [0x1d60800 - 512]
[00:02:0844] [PE] Looking results : 0
[00:02:0860] [PE] Section[3/4] : 0x1d60a00
[00:02:0860] [PE] Init AhoCorasick
[00:02:0875] [PE] Start AhoCorasick [0x1d60a00 - 2560]
[00:02:0875] [PE] Looking results : 0
[00:02:0891] [PE] Section[4/4] : 0x1d61400
[00:02:0891] [PE] Init AhoCorasick
[00:02:0891] [PE] Start AhoCorasick [0x1d61400 - 512]
[00:02:0906] [PE] Looking results : 0
[00:02:0906] [CHECK] Blacklist
[00:02:0922] [CHECK] BlacklistPath
[00:02:0922] [CHECK] BlacklistMD5
[00:02:0938] [CHECK] MadeNumbers
[00:02:0938] [CHECK] HasUnicode
[00:02:0938] [CHECK] SuspPath
[00:02:0953] [CHECK] ProcessResidue
[00:02:0953] [CHECK] Not found!
[00:02:0969] [Check Processes] [1040][_712] svchost.exe : C:\WINDOWS\SYSTEM32\svchost.exe
[00:02:0969] [CHECK] WhiteDLL
[00:02:0985] [CHECK] Whitelist
[00:02:0985] [CHECK] WellKnown
[00:03:0000] [Check Processes] [1160][_712] svchost.exe : C:\WINDOWS\SYSTEM32\svchost.exe
[00:03:0000] [CHECK] WhiteDLL
[00:03:0016] [CHECK] Whitelist
[00:03:0016] [CHECK] WellKnown
[00:03:0031] [Check Processes] [1300][_712] spoolsv.exe : C:\WINDOWS\SYSTEM32\spoolsv.exe
[00:03:0031] [CHECK] WhiteDLL
[00:03:0047] [CHECK] Whitelist
[00:03:0047] [CHECK] WellKnown
[00:03:0063] [Check Processes] [1408][_712] svchost.exe : C:\WINDOWS\SYSTEM32\svchost.exe
[00:03:0063] [CHECK] WhiteDLL
[00:03:0078] [CHECK] Whitelist
[00:03:0078] [CHECK] WellKnown
[00:03:0094] [Check Processes] [1448][_712] mDNSResponder.exe : C:\Program Files\Bonjour\mDNSResponder.exe
[00:03:0110] [CHECK] WhiteDLL
[00:03:0110] [CHECK] Whitelist
[00:03:0110] [CHECK] WellKnown
[00:03:0125] [CHECK] WhitelistPath
[00:03:0125] [CHECK] HijackName
[00:03:0141] [CHECK] Signature
[00:03:0156] [PE] Mapping
[00:03:0156] [PE] Parsing
[00:03:0172] [PE] Dos header -> 0x1d60000
[00:03:0172] [PE] Nt header (offset : 0xe0) file size 0x54520
[00:03:0188] [PE] pNtHeadersx86 -> 0x1d600e0
[00:03:0188] [PE] Chars -> 0x102
[00:03:0203] [PE] Optional header
[00:03:0203] [PE] Sections : 5
[00:03:0219] [PE] Section : 0 - .text
[00:03:0219] [PE] Section : 1 - .rdata
[00:03:0219] [PE] Section : 2 - .data
[00:03:0235] [PE] Section : 3 - .rsrc
[00:03:0235] [PE] Section : 4 - .reloc
[00:03:0250] [PE] File open : 1
[00:03:0250] [PE] Search sigs
[00:03:0266] [PE] Section[0/4] : 0x1d61000
[00:03:0266] [PE] Init AhoCorasick
[00:03:0281] [PE] Start AhoCorasick [0x1d61000 - 245760]
[00:03:0297] [PE] Looking results : 0
[00:03:0297] [PE] Section[1/4] : 0x1d9d000
[00:03:0297] [PE] Init AhoCorasick
[00:03:0313] [PE] Start AhoCorasick [0x1d9d000 - 61440]
[00:03:0313] [PE] Looking results : 0
[00:03:0328] [PE] Section[2/4] : 0x1dac000
[00:03:0328] [PE] Init AhoCorasick
[00:03:0344] [PE] Start AhoCorasick [0x1dac000 - 8192]
[00:03:0344] [PE] Looking results : 0
[00:03:0360] [PE] Section[3/4] : 0x1dae000
[00:03:0360] [PE] Init AhoCorasick
[00:03:0375] [PE] Start AhoCorasick [0x1dae000 - 4096]
[00:03:0375] [PE] Looking results : 0
[00:03:0391] [PE] Section[4/4] : 0x1daf000
[00:03:0391] [PE] Init AhoCorasick
[00:03:0406] [PE] Start AhoCorasick [0x1daf000 - 16384]
[00:03:0406] [PE] Looking results : 0
[00:03:0406] [CHECK] Blacklist
[00:03:0422] [CHECK] BlacklistPath
[00:03:0422] [CHECK] BlacklistMD5
[00:03:0438] [CHECK] MadeNumbers
[00:03:0438] [CHECK] HasUnicode
[00:03:0453] [CHECK] SuspPath
[00:03:0453] [CHECK] ProcessResidue
[00:03:0469] [CHECK] Not found!
[00:03:0469] [Check Processes] [1520][_712] jqs.exe : C:\Program Files\Java\jre6\bin\jqs.exe
[00:03:0485] [CHECK] WhiteDLL
[00:03:0485] [CHECK] Whitelist
[00:03:0500] [CHECK] WellKnown
[00:03:0500] [CHECK] WhitelistPath
[00:03:0516] [CHECK] HijackName
[00:03:0516] [CHECK] Signature
[00:03:0531] [PE] Mapping
[00:03:0531] [PE] Parsing
[00:03:0547] [PE] Dos header -> 0x1d60000
[00:03:0547] [PE] Nt header (offset : 0xe8) file size 0x25720
[00:03:0563] [PE] pNtHeadersx86 -> 0x1d600e8
[00:03:0563] [PE] Chars -> 0x10f
[00:03:0578] [PE] Optional header
[00:03:0578] [PE] Sections : 4
[00:03:0594] [PE] Section : 0 - .text
[00:03:0594] [PE] Section : 1 - .rdata
[00:03:0610] [PE] Section : 2 - .data
[00:03:0610] [PE] Section : 3 - .rsrc
[00:03:0625] [PE] File open : 1
[00:03:0625] [PE] Search sigs
[00:03:0625] [PE] Section[0/3] : 0x1d61000
[00:03:0641] [PE] Init AhoCorasick
[00:03:0641] [PE] Start AhoCorasick [0x1d61000 - 90112]
[00:03:0656] [PE] Looking results : 0
[00:03:0656] [PE] Section[1/3] : 0x1d77000
[00:03:0672] [PE] Init AhoCorasick
[00:03:0672] [PE] Start AhoCorasick [0x1d77000 - 45056]
[00:03:0688] [PE] Looking results : 0
[00:03:0688] [PE] Section[2/3] : 0x1d82000
[00:03:0703] [PE] Init AhoCorasick
[00:03:0703] [PE] Start AhoCorasick [0x1d82000 - 4096]
[00:03:0719] [PE] Looking results : 0
[00:03:0719] [PE] Section[3/3] : 0x1d83000
[00:03:0735] [PE] Init AhoCorasick
[00:03:0735] [PE] Start AhoCorasick [0x1d83000 - 4096]
[00:03:0750] [PE] Looking results : 0
[00:03:0750] [CHECK] Blacklist
[00:03:0750] [CHECK] BlacklistPath
[00:03:0813] [CHECK] BlacklistMD5
[00:03:0828] [CHECK] MadeNumbers
[00:03:0828] [CHECK] HasUnicode
[00:03:0844] [CHECK] SuspPath
[00:03:0860] [CHECK] ProcessResidue
[00:03:0860] [CHECK] Not found!
[00:03:0906] [Check Processes] [1584][_712] Updater.exe : C:\Program Files\Skype\Updater\Updater.exe
[00:03:0938] [CHECK] WhiteDLL
[00:03:0938] [CHECK] Whitelist
[00:03:0953] [CHECK] WellKnown
[00:03:0953] [CHECK] WhitelistPath
[00:03:0969] [CHECK] HijackName
[00:03:0969] [CHECK] Signature
[00:03:0985] [PE] Mapping
[00:04:0000] [PE] Parsing
[00:04:0000] [PE] Dos header -> 0x1d60000
[00:04:0000] [PE] Nt header (offset : 0x100) file size 0x27a68
[00:04:0016] [PE] pNtHeadersx86 -> 0x1d60100
[00:04:0016] [PE] Chars -> 0x102
[00:04:0031] [PE] Optional header
[00:04:0031] [PE] Sections : 3
[00:04:0047] [PE] Section : 0 - UPX0
[00:04:0047] [PE] Section : 1 - UPX1
[00:04:0063] [PE] Section : 2 - .rsrc
[00:04:0063] [PE] File open : 1
[00:04:0078] [PE] Search sigs
[00:04:0078] [PE] Section[0/2] : 0x1d60400
[00:04:0078] [PE] Init AhoCorasick
[00:04:0094] [PE] Start AhoCorasick [0x1d60400 - 0]
[00:04:0094] [PE] Looking results : 0
[00:04:0110] [PE] Section[1/2] : 0x1d60400
[00:04:0110] [PE] Init AhoCorasick
[00:04:0125] [PE] Start AhoCorasick [0x1d60400 - 84480]
[00:04:0125] [PE] Looking results : 0
[00:04:0141] [PE] Section[2/2] : 0x1d74e00
[00:04:0141] [PE] Init AhoCorasick
[00:04:0156] [PE] Start AhoCorasick [0x1d74e00 - 70656]
[00:04:0156] [PE] Looking results : 0
[00:04:0172] [CHECK] Blacklist
[00:04:0172] [CHECK] BlacklistPath
[00:04:0188] [CHECK] BlacklistMD5
[00:04:0188] [CHECK] MadeNumbers
[00:04:0188] [CHECK] HasUnicode
[00:04:0203] [CHECK] SuspPath
[00:04:0203] [CHECK] ProcessResidue
[00:04:0219] [CHECK] Not found!
[00:04:0250] [Check Processes] [1828][_1040] wuauclt.exe : C:\WINDOWS\SYSTEM32\wuauclt.exe
[00:04:0250] [CHECK] WhiteDLL
[00:04:0266] [CHECK] Whitelist
[00:04:0266] [CHECK] WellKnown
[00:04:0297] [Check Processes] [2008][_712] Matsvc.exe : C:\Program Files\Microsoft Fix it Center\Matsvc.exe
[00:04:0297] [CHECK] WhiteDLL
[00:04:0297] [CHECK] Whitelist
[00:04:0313] [CHECK] WellKnown
[00:04:0313] [CHECK] WhitelistPath
[00:04:0328] [CHECK] HijackName
[00:04:0328] [CHECK] Signature
[00:04:0344] [PE] Mapping
[00:04:0360] [PE] Parsing
[00:04:0360] [PE] Dos header -> 0x1d60000
[00:04:0375] [PE] Nt header (offset : 0xf8) file size 0x41530
[00:04:0375] [PE] pNtHeadersx86 -> 0x1d600f8
[00:04:0375] [PE] Chars -> 0x102
[00:04:0391] [PE] Optional header
[00:04:0391] [PE] Sections : 4
[00:04:0406] [PE] Section : 0 - .text
[00:04:0406] [PE] Section : 1 - .data
[00:04:0422] [PE] Section : 2 - .rsrc
[00:04:0422] [PE] Section : 3 - .reloc
[00:04:0438] [PE] File open : 1
[00:04:0438] [PE] Search sigs
[00:04:0453] [PE] Section[0/3] : 0x1d60400
[00:04:0453] [PE] Init AhoCorasick
[00:04:0469] [PE] Start AhoCorasick [0x1d60400 - 235520]
[00:04:0469] [PE] Looking results : 0
[00:04:0485] [PE] Section[1/3] : 0x1d99c00
[00:04:0485] [PE] Init AhoCorasick
[00:04:0500] [PE] Start AhoCorasick [0x1d99c00 - 3584]
[00:04:0500] [PE] Looking results : 0
[00:04:0516] [PE] Section[2/3] : 0x1d9aa00
[00:04:0516] [PE] Init AhoCorasick
[00:04:0516] [PE] Start AhoCorasick [0x1d9aa00 - 9728]
[00:04:0531] [PE] Looking results : 0
[00:04:0531] [PE] Section[3/3] : 0x1d9d000
[00:04:0547] [PE] Init AhoCorasick
[00:04:0547] [PE] Start AhoCorasick [0x1d9d000 - 10752]
[00:04:0563] [PE] Looking results : 0
[00:04:0563] [CHECK] Blacklist
[00:04:0578] [CHECK] BlacklistPath
[00:04:0578] [CHECK] BlacklistMD5
[00:04:0594] [CHECK] MadeNumbers
[00:04:0594] [CHECK] HasUnicode
[00:04:0610] [CHECK] SuspPath
[00:04:0610] [CHECK] ProcessResidue
[00:04:0625] [CHECK] Not found!
[00:04:0625] [Check Processes] [2028][_712] alg.exe : C:\WINDOWS\SYSTEM32\alg.exe
[00:04:0641] [CHECK] WhiteDLL
[00:04:0641] [CHECK] Whitelist
[00:04:0656] [CHECK] WellKnown
[00:04:0672] [Check Processes] [648][_484] explorer.exe : C:\WINDOWS\explorer.exe
[00:04:0688] [Check DLLs] Explorer.EXE : C:\WINDOWS\Explorer.EXE
[00:04:0688] [Check DLLs] ntdll.dll : C:\WINDOWS\system32\ntdll.dll
[00:04:0703] [CHECK] WhiteDLL
[00:04:0703] [Check DLLs] kernel32.dll : C:\WINDOWS\system32\kernel32.dll
[00:04:0719] [CHECK] WhiteDLL
[00:04:0719] [Check DLLs] ADVAPI32.dll : C:\WINDOWS\system32\ADVAPI32.dll
[00:04:0735] [CHECK] WhiteDLL
[00:04:0750] [Check DLLs] RPCRT4.dll : C:\WINDOWS\system32\RPCRT4.dll
[00:04:0750] [CHECK] WhiteDLL
[00:04:0750] [CHECK] Whitelist
[00:04:0813] [CHECK] WellKnown
[00:04:0813] [CHECK] WhitelistPath
[00:04:0828] [CHECK] HijackName
[00:04:0828] [CHECK] Signature
[00:04:0844] [PE] Mapping
[00:04:0860] [PE] Parsing
[00:04:0860] [PE] Dos header -> 0x1d60000
[00:04:0875] [PE] Nt header (offset : 0xe8) file size 0x90400
[00:04:0875] [PE] pNtHeadersx86 -> 0x1d600e8
[00:04:0891] [PE] Chars -> 0x210e
[00:04:0891] [PE] Optional header
[00:04:0891] [PE] Sections : 5
[00:04:0906] [PE] Section : 0 - .text
[00:04:0906] [PE] Section : 1 - .orpc
[00:04:0922] [PE] Section : 2 - .data
[00:04:0922] [PE] Section : 3 - .rsrc
[00:04:0938] [PE] Section : 4 - .reloc
[00:04:0938] [PE] File open : 1
[00:04:0953] [PE] Search sigs
[00:04:0953] [PE] Section[0/4] : 0x1d60400
[00:04:0969] [PE] Init AhoCorasick
[00:04:0969] [PE] Start AhoCorasick [0x1d60400 - 540160]
[00:04:0985] [PE] Looking results : 0
[00:05:0000] [PE] Section[1/4] : 0x1de4200
[00:05:0000] [PE] Init AhoCorasick
[00:05:0016] [PE] Start AhoCorasick [0x1de4200 - 27136]
[00:05:0016] [PE] Looking results : 0
[00:05:0031] [PE] Section[2/4] : 0x1deac00
[00:05:0031] [PE] Init AhoCorasick
[00:05:0047] [PE] Start AhoCorasick [0x1deac00 - 3072]
[00:05:0047] [PE] Looking results : 0
[00:05:0063] [PE] Section[3/4] : 0x1deb800
[00:05:0063] [PE] Init AhoCorasick
[00:05:0078] [PE] Start AhoCorasick [0x1deb800 - 1536]
[00:05:0078] [PE] Looking results : 0
[00:05:0078] [PE] Section[4/4] : 0x1debe00
[00:05:0094] [PE] Init AhoCorasick
[00:05:0094] [PE] Start AhoCorasick [0x1debe00 - 17920]
[00:05:0125] [PE] Looking results : 0
[00:05:0141] [CHECK] Blacklist
[00:05:0141] [CHECK] BlacklistPath
[00:05:0156] [CHECK] BlacklistMD5
[00:05:0156] [CHECK] MadeNumbers
[00:05:0172] [CHECK] HasUnicode
[00:05:0172] [CHECK] SuspPath
[00:05:0188] [CHECK] ProcessResidue
[00:05:0188] [CHECK] Not found!
[00:05:0203] [Check DLLs] Secur32.dll : C:\WINDOWS\system32\Secur32.dll
[00:05:0203] [CHECK] WhiteDLL
[00:05:0219] [CHECK] Whitelist
[00:05:0219] [CHECK] WellKnown
[00:05:0235] [CHECK] WhitelistPath
[00:05:0235] [CHECK] HijackName
[00:05:0250] [CHECK] Signature
[00:05:0250] [PE] Mapping
[00:05:0266] [PE] Parsing
[00:05:0266] [PE] Dos header -> 0x1d60000
[00:05:0266] [PE] Nt header (offset : 0xe0) file size 0xde00
[00:05:0281] [PE] pNtHeadersx86 -> 0x1d600e0
[00:05:0281] [PE] Chars -> 0x210e
[00:05:0297] [PE] Optional header
[00:05:0297] [PE] Sections : 4
[00:05:0313] [PE] Section : 0 - .text
[00:05:0313] [PE] Section : 1 - .data
[00:05:0328] [PE] Section : 2 - .rsrc
[00:05:0328] [PE] Section : 3 - .reloc
[00:05:0344] [PE] File open : 1
[00:05:0344] [PE] Search sigs
[00:05:0360] [PE] Section[0/3] : 0x1d60400
[00:05:0360] [PE] Init AhoCorasick
[00:05:0360] [PE] Start AhoCorasick [0x1d60400 - 50176]
[00:05:0375] [PE] Looking results : 0
[00:05:0375] [PE] Section[1/3] : 0x1d6c800
[00:05:0391] [PE] Init AhoCorasick
[00:05:0391] [PE] Start AhoCorasick [0x1d6c800 - 1536]
[00:05:0406] [PE] Looking results : 0
[00:05:0406] [PE] Section[2/3] : 0x1d6ce00
[00:05:0422] [PE] Init AhoCorasick
[00:05:0422] [PE] Start AhoCorasick [0x1d6ce00 - 1536]
[00:05:0438] [PE] Looking results : 0
[00:05:0438] [PE] Section[3/3] : 0x1d6d400
[00:05:0453] [PE] Init AhoCorasick
[00:05:0453] [PE] Start AhoCorasick [0x1d6d400 - 2560]
[00:05:0469] [PE] Looking results : 0
[00:05:0469] [CHECK] Blacklist
[00:05:0485] [CHECK] BlacklistPath
[00:05:0485] [CHECK] BlacklistMD5
[00:05:0500] [CHECK] MadeNumbers
[00:05:0500] [CHECK] HasUnicode
[00:05:0500] [CHECK] SuspPath
[00:05:0516] [CHECK] ProcessResidue
[00:05:0516] [CHECK] Not found!
[00:05:0531] [Check DLLs] BROWSEUI.dll : C:\WINDOWS\system32\BROWSEUI.dll
[00:05:0531] [CHECK] WhiteDLL
[00:05:0547] [CHECK] Whitelist
[00:05:0547] [CHECK] WellKnown
[00:05:0563] [CHECK] WhitelistPath
[00:05:0578] [CHECK] HijackName
[00:05:0578] [CHECK] Signature
[00:05:0610] [PE] Mapping
[00:05:0610] [PE] Parsing
[00:05:0625] [PE] Dos header -> 0x1d60000
[00:05:0625] [PE] Nt header (offset : 0xf0) file size 0xfa400
[00:05:0641] [PE] pNtHeadersx86 -> 0x1d600f0
[00:05:0641] [PE] Chars -> 0x210e
[00:05:0656] [PE] Optional header
[00:05:0656] [PE] Sections : 4
[00:05:0656] [PE] Section : 0 - .text
[00:05:0672] [PE] Section : 1 - .data
[00:05:0672] [PE] Section : 2 - .rsrc
[00:05:0688] [PE] Section : 3 - .reloc
[00:05:0688] [PE] File open : 1
[00:05:0703] [PE] Search sigs
[00:05:0703] [PE] Section[0/3] : 0x1d60400
[00:05:0719] [PE] Init AhoCorasick
[00:05:0719] [PE] Start AhoCorasick [0x1d60400 - 548352]
[00:05:0735] [PE] Looking results : 0
[00:05:0750] [PE] Section[1/3] : 0x1de6200
[00:05:0750] [PE] Init AhoCorasick
[00:05:0781] [PE] Start AhoCorasick [0x1de6200 - 3584]
[00:05:0797] [PE] Looking results : 0
[00:05:0797] [PE] Section[2/3] : 0x1de7000
[00:05:0797] [PE] Init AhoCorasick
[00:05:0813] [PE] Start AhoCorasick [0x1de7000 - 440832]
[00:05:0828] [PE] Looking results : 0
[00:05:0828] [PE] Section[3/3] : 0x1e52a00
[00:05:0844] [PE] Init AhoCorasick
[00:05:0844] [PE] Start AhoCorasick [0x1e52a00 - 31232]
[00:05:0860] [PE] Looking results : 0
[00:05:0860] [CHECK] Blacklist
[00:05:0875] [CHECK] BlacklistPath
[00:05:0875] [CHECK] BlacklistMD5
[00:05:0891] [CHECK] MadeNumbers
[00:05:0891] [CHECK] HasUnicode
[00:05:0906] [CHECK] SuspPath
[00:05:0906] [CHECK] ProcessResidue
[00:05:0906] [CHECK] Not found!
[00:05:0922] [Check DLLs] GDI32.dll : C:\WINDOWS\system32\GDI32.dll
[00:05:0922] [CHECK] WhiteDLL
[00:05:0938] [CHECK] Whitelist
[00:05:0938] [CHECK] WellKnown
[00:05:0953] [CHECK] WhitelistPath
[00:05:0953] [CHECK] HijackName
[00:05:0969] [CHECK] Signature
[00:05:0985] [PE] Mapping
[00:05:0985] [PE] Parsing
[00:06:0000] [PE] Dos header -> 0x1d60000
[00:06:0000] [PE] Nt header (offset : 0xe0) file size 0x46000
[00:06:0000] [PE] pNtHeadersx86 -> 0x1d600e0
[00:06:0016] [PE] Chars -> 0x210e
[00:06:0016] [PE] Optional header
[00:06:0031] [PE] Sections : 4
[00:06:0031] [PE] Section : 0 - .text
[00:06:0047] [PE] Section : 1 - .data
[00:06:0047] [PE] Section : 2 - .rsrc
[00:06:0063] [PE] Section : 3 - .reloc
[00:06:0063] [PE] File open : 1
[00:06:0078] [PE] Search sigs
[00:06:0078] [PE] Section[0/3] : 0x1d60400
[00:06:0094] [PE] Init AhoCorasick
[00:06:0094] [PE] Start AhoCorasick [0x1d60400 - 273408]
[00:06:0110] [PE] Looking results : 0
[00:06:0110] [PE] Section[1/3] : 0x1da3000
[00:06:0125] [PE] Init AhoCorasick
[00:06:0125] [PE] Start AhoCorasick [0x1da3000 - 4608]
[00:06:0141] [PE] Looking results : 0
[00:06:0141] [PE] Section[2/3] : 0x1da4200
[00:06:0172] [PE] Init AhoCorasick
[00:06:0172] [PE] Start AhoCorasick [0x1da4200 - 1024]
[00:06:0172] [PE] Looking results : 0
[00:06:0188] [PE] Section[3/3] : 0x1da4600
[00:06:0188] [PE] Init AhoCorasick
[00:06:0203] [PE] Start AhoCorasick [0x1da4600 - 6656]
[00:06:0203] [PE] Looking results : 0
[00:06:0219] [CHECK] Blacklist
[00:06:0219] [CHECK] BlacklistPath
[00:06:0235] [CHECK] BlacklistMD5
[00:06:0235] [CHECK] MadeNumbers
[00:06:0250] [CHECK] HasUnicode
[00:06:0266] [CHECK] SuspPath
[00:06:0266] [CHECK] ProcessResidue
[00:06:0281] [CHECK] Not found!
[00:06:0281] [Check DLLs] USER32.dll : C:\WINDOWS\system32\USER32.dll
[00:06:0297] [CHECK] WhiteDLL
[00:06:0297] [Check DLLs] msvcrt.dll : C:\WINDOWS\system32\msvcrt.dll
[00:06:0313] [CHECK] WhiteDLL
[00:06:0313] [CHECK] Whitelist
[00:06:0328] [CHECK] WellKnown
[00:06:0328] [CHECK] WhitelistPath
[00:06:0344] [CHECK] HijackName
[00:06:0344] [CHECK] Signature
[00:06:0360] [PE] Mapping
[00:06:0375] [PE] Parsing
[00:06:0375] [PE] Dos header -> 0x1d60000
[00:06:0391] [PE] Nt header (offset : 0xe8) file size 0x53c00
[00:06:0391] [PE] pNtHeadersx86 -> 0x1d600e8
[00:06:0406] [PE] Chars -> 0x210e
[00:06:0406] [PE] Optional header
[00:06:0422] [PE] Sections : 4
[00:06:0422] [PE] Section : 0 - .text
[00:06:0438] [PE] Section : 1 - .data
[00:06:0453] [PE] Section : 2 - .rsrc
[00:06:0453] [PE] Section : 3 - .reloc
[00:06:0469] [PE] File open : 1
[00:06:0469] [PE] Search sigs
[00:06:0485] [PE] Section[0/3] : 0x1d60400
[00:06:0500] [PE] Init AhoCorasick
[00:06:0500] [PE] Start AhoCorasick [0x1d60400 - 310784]
[00:06:0516] [PE] Looking results : 0
[00:06:0531] [PE] Section[1/3] : 0x1dac200
[00:06:0531] [PE] Init AhoCorasick
[00:06:0531] [PE] Start AhoCorasick [0x1dac200 - 18432]
[00:06:0547] [PE] Looking results : 0
[00:06:0547] [PE] Section[2/3] : 0x1db0a00
[00:06:0563] [PE] Init AhoCorasick
[00:06:0563] [PE] Start AhoCorasick [0x1db0a00 - 1024]
[00:06:0578] [PE] Looking results : 0
[00:06:0594] [PE] Section[3/3] : 0x1db0e00
[00:06:0594] [PE] Init AhoCorasick
[00:06:0610] [PE] Start AhoCorasick [0x1db0e00 - 11776]
[00:06:0610] [PE] Looking results : 0
[00:06:0625] [CHECK] Blacklist
[00:06:0625] [CHECK] BlacklistPath
[00:06:0641] [CHECK] BlacklistMD5
[00:06:0641] [CHECK] MadeNumbers
[00:06:0656] [CHECK] HasUnicode
[00:06:0656] [CHECK] SuspPath
[00:06:0672] [CHECK] ProcessResidue
[00:06:0672] [CHECK] Not found!
[00:06:0688] [Check DLLs] ole32.dll : C:\WINDOWS\system32\ole32.dll
[00:06:0688] [CHECK] WhiteDLL
[00:06:0703] [CHECK] Whitelist
[00:06:0703] [CHECK] WellKnown
[00:06:0719] [CHECK] WhitelistPath
[00:06:0719] [CHECK] HijackName
[00:06:0735] [CHECK] Signature
[00:06:0766] [PE] Mapping
[00:06:0828] [PE] Parsing
[00:06:0860] [PE] Dos header -> 0x2260000
[00:06:0860] [PE] Nt header (offset : 0xe0) file size 0x13ae00
[00:06:0875] [PE] pNtHeadersx86 -> 0x22600e0
[00:06:0875] [PE] Chars -> 0x210e
[00:06:0891] [PE] Optional header
[00:06:0891] [PE] Sections : 5
[00:06:0906] [PE] Section : 0 - .text
[00:06:0906] [PE] Section : 1 - .orpc
[00:06:0922] [PE] Section : 2 - .data
[00:06:0922] [PE] Section : 3 - .rsrc
[00:06:0938] [PE] Section : 4 - .reloc
[00:06:0938] [PE] File open : 1
[00:06:0953] [PE] Search sigs
[00:06:0953] [PE] Section[0/4] : 0x2260400
[00:06:0969] [PE] Init AhoCorasick
[00:06:0969] [PE] Start AhoCorasick [0x2260400 - 1177600]
[00:07:0016] [PE] Looking results : 0
[00:07:0031] [PE] Section[1/4] : 0x237fc00
[00:07:0031] [PE] Init AhoCorasick
[00:07:0047] [PE] Start AhoCorasick [0x237fc00 - 24576]
[00:07:0047] [PE] Looking results : 0
[00:07:0063] [PE] Section[2/4] : 0x2385c00
[00:07:0063] [PE] Init AhoCorasick
[00:07:0078] [PE] Start AhoCorasick [0x2385c00 - 26112]
[00:07:0094] [PE] Looking results : 0
[00:07:0094] [PE] Section[3/4] : 0x238c200
[00:07:0110] [PE] Init AhoCorasick
[00:07:0110] [PE] Start AhoCorasick [0x238c200 - 6656]
[00:07:0125] [PE] Looking results : 0
[00:07:0125] [PE] Section[4/4] : 0x238dc00
[00:07:0141] [PE] Init AhoCorasick
[00:07:0141] [PE] Start AhoCorasick [0x238dc00 - 53760]
[00:07:0141] [PE] Looking results : 0
[00:07:0156] [CHECK] Blacklist
[00:07:0172] [CHECK] BlacklistPath
[00:07:0172] [CHECK] BlacklistMD5
[00:07:0188] [CHECK] MadeNumbers
[00:07:0188] [CHECK] HasUnicode
[00:07:0203] [CHECK] SuspPath
[00:07:0219] [CHECK] ProcessResidue
[00:07:0219] [CHECK] Not found!
[00:07:0235] [Check DLLs] SHLWAPI.dll : C:\WINDOWS\system32\SHLWAPI.dll
[00:07:0235] [CHECK] WhiteDLL
[00:07:0250] [CHECK] Whitelist
[00:07:0250] [CHECK] WellKnown
[00:07:0266] [CHECK] WhitelistPath
[00:07:0266] [CHECK] HijackName
[00:07:0281] [CHECK] Signature
[00:07:0813] [PE] Mapping
[00:07:0828] [PE] Parsing
[00:07:0828] [PE] Dos header -> 0x1d60000
[00:07:0844] [PE] Nt header (offset : 0xf8) file size 0x73c00
[00:07:0844] [PE] pNtHeadersx86 -> 0x1d600f8
[00:07:0860] [PE] Chars -> 0x210e
[00:07:0891] [PE] Optional header
[00:07:0891] [PE] Sections : 4
[00:07:0906] [PE] Section : 0 - .text
[00:07:0906] [PE] Section : 1 - .data
[00:07:0922] [PE] Section : 2 - .rsrc
[00:07:0922] [PE] Section : 3 - .reloc
[00:07:0938] [PE] File open : 1
[00:07:0938] [PE] Search sigs
[00:07:0953] [PE] Section[0/3] : 0x1d60400
[00:07:0953] [PE] Init AhoCorasick
[00:07:0953] [PE] Start AhoCorasick [0x1d60400 - 441344]
[00:07:0985] [PE] Looking results : 0
[00:07:0985] [PE] Section[1/3] : 0x1dcc000
[00:08:0000] [PE] Init AhoCorasick
[00:08:0000] [PE] Start AhoCorasick [0x1dcc000 - 3072]
[00:08:0016] [PE] Looking results : 0
[00:08:0016] [PE] Section[2/3] : 0x1dccc00
[00:08:0031] [PE] Init AhoCorasick
[00:08:0031] [PE] Start AhoCorasick [0x1dccc00 - 5632]
[00:08:0047] [PE] Looking results : 0
[00:08:0063] [PE] Section[3/3] : 0x1dce200
[00:08:0078] [PE] Init AhoCorasick
[00:08:0078] [PE] Start AhoCorasick [0x1dce200 - 23040]
[00:08:0078] [PE] Looking results : 0
[00:08:0094] [CHECK] Blacklist
[00:08:0094] [CHECK] BlacklistPath
[00:08:0110] [CHECK] BlacklistMD5
[00:08:0110] [CHECK] MadeNumbers
[00:08:0125] [CHECK] HasUnicode
[00:08:0125] [CHECK] SuspPath
[00:08:0141] [CHECK] ProcessResidue
[00:08:0141] [CHECK] Not found!
[00:08:0156] [Check DLLs] OLEAUT32.dll : C:\WINDOWS\system32\OLEAUT32.dll
[00:08:0172] [CHECK] WhiteDLL
[00:08:0172] [CHECK] Whitelist
[00:08:0188] [CHECK] WellKnown
[00:08:0188] [CHECK] WhitelistPath
[00:08:0203] [CHECK] HijackName
[00:08:0203] [CHECK] Signature
[00:08:0391] [PE] Mapping
[00:08:0406] [PE] Parsing
[00:08:0406] [PE] Dos header -> 0x1d60000
[00:08:0422] [PE] Nt header (offset : 0xe8) file size 0x86e00
[00:08:0422] [PE] pNtHeadersx86 -> 0x1d600e8
[00:08:0438] [PE] Chars -> 0x210e
[00:08:0438] [PE] Optional header
[00:08:0453] [PE] Sections : 5
[00:08:0453] [PE] Section : 0 - .text
[00:08:0469] [PE] Section : 1 - .orpc
[00:08:0469] [PE] Section : 2 - .data
[00:08:0485] [PE] Section : 3 - .rsrc
[00:08:0485] [PE] Section : 4 - .reloc
[00:08:0500] [PE] File open : 1
[00:08:0500] [PE] Search sigs
[00:08:0516] [PE] Section[0/4] : 0x1d60400
[00:08:0516] [PE] Init AhoCorasick
[00:08:0516] [PE] Start AhoCorasick [0x1d60400 - 519168]
[00:08:0547] [PE] Looking results : 0
[00:08:0547] [PE] Section[1/4] : 0x1ddf000
[00:08:0563] [PE] Init AhoCorasick
[00:08:0563] [PE] Start AhoCorasick [0x1ddf000 - 1024]
[00:08:0578] [PE] Looking results : 0
[00:08:0578] [PE] Section[2/4] : 0x1ddf400
[00:08:0594] [PE] Init AhoCorasick
[00:08:0594] [PE] Start AhoCorasick [0x1ddf400 - 8192]
[00:08:0610] [PE] Looking results : 0
[00:08:0610] [PE] Section[3/4] : 0x1de1400
[00:08:0610] [PE] Init AhoCorasick
[00:08:0625] [PE] Start AhoCorasick [0x1de1400 - 1024]
[00:08:0625] [PE] Looking results : 0
[00:08:0641] [PE] Section[4/4] : 0x1de1800
[00:08:0641] [PE] Init AhoCorasick
[00:08:0656] [PE] Start AhoCorasick [0x1de1800 - 22016]
[00:08:0656] [PE] Looking results : 0
[00:08:0672] [CHECK] Blacklist
[00:08:0672] [CHECK] BlacklistPath
[00:08:0688] [CHECK] BlacklistMD5
[00:08:0688] [CHECK] MadeNumbers
[00:08:0703] [CHECK] HasUnicode
[00:08:0703] [CHECK] SuspPath
[00:08:0719] [CHECK] ProcessResidue
[00:08:0719] [CHECK] Not found!
[00:08:0735] [Check DLLs] SHDOCVW.dll : C:\WINDOWS\system32\SHDOCVW.dll
[00:08:0735] [CHECK] WhiteDLL
[00:08:0750] [CHECK] Whitelist
[00:08:0750] [CHECK] WellKnown
[00:08:0797] [CHECK] WhitelistPath
[00:08:0813] [CHECK] HijackName
[00:08:0813] [CHECK] Signature
[00:09:0000] [PE] Mapping
[00:09:0000] [PE] Parsing
[00:09:0016] [PE] Dos header -> 0x2260000
[00:09:0016] [PE] Nt header (offset : 0xf0) file size 0x16e000
[00:09:0031] [PE] pNtHeadersx86 -> 0x22600f0
[00:09:0031] [PE] Chars -> 0x210e
[00:09:0047] [PE] Optional header
[00:09:0047] [PE] Sections : 4
[00:09:0063] [PE] Section : 0 - .text
[00:09:0063] [PE] Section : 1 - .data
[00:09:0078] [PE] Section : 2 - .rsrc
[00:09:0078] [PE] Section : 3 - .reloc
[00:09:0094] [PE] File open : 1
[00:09:0094] [PE] Search sigs
[00:09:0110] [PE] Section[0/3] : 0x2260400
[00:09:0110] [PE] Init AhoCorasick
[00:09:0125] [PE] Start AhoCorasick [0x2260400 - 886272]
[00:09:0141] [PE] Looking results : 0
[00:09:0156] [PE] Section[1/3] : 0x2338a00
[00:09:0156] [PE] Init AhoCorasick
[00:09:0172] [PE] Start AhoCorasick [0x2338a00 - 6144]
[00:09:0172] [PE] Looking results : 0
[00:09:0188] [PE] Section[2/3] : 0x233a200
[00:09:0188] [PE] Init AhoCorasick
[00:09:0203] [PE] Start AhoCorasick [0x233a200 - 560128]
[00:09:0219] [PE] Looking results : 0
[00:09:0219] [PE] Section[3/3] : 0x23c2e00
[00:09:0235] [PE] Init AhoCorasick
[00:09:0235] [PE] Start AhoCorasick [0x23c2e00 - 45568]
[00:09:0250] [PE] Looking results : 0
[00:09:0250] [CHECK] Blacklist
[00:09:0266] [CHECK] BlacklistPath
[00:09:0266] [CHECK] BlacklistMD5
[00:09:0281] [CHECK] MadeNumbers
[00:09:0281] [CHECK] HasUnicode
[00:09:0297] [CHECK] SuspPath
[00:09:0297] [CHECK] ProcessResidue
[00:09:0313] [CHECK] Not found!
[00:09:0313] [Check DLLs] CRYPT32.dll : C:\WINDOWS\system32\CRYPT32.dll
[00:09:0328] [CHECK] WhiteDLL
[00:09:0328] [CHECK] Whitelist
[00:09:0344] [CHECK] WellKnown
[00:09:0344] [CHECK] WhitelistPath
[00:09:0360] [CHECK] HijackName
[00:09:0360] [CHECK] Signature
[00:09:0406] [PE] Mapping
[00:09:0422] [PE] Parsing
[00:09:0422] [PE] Dos header -> 0x1d60000
[00:09:0438] [PE] Nt header (offset : 0xe0) file size 0x92c00
[00:09:0438] [PE] pNtHeadersx86 -> 0x1d600e0
[00:09:0453] [PE] Chars -> 0x210e
[00:09:0453] [PE] Optional header
[00:09:0469] [PE] Sections : 4
[00:09:0469] [PE] Section : 0 - .text
[00:09:0485] [PE] Section : 1 - .data
[00:09:0485] [PE] Section : 2 - .rsrc
[00:09:0500] [PE] Section : 3 - .reloc
[00:09:0500] [PE] File open : 1
[00:09:0516] [PE] Search sigs
[00:09:0516] [PE] Section[0/3] : 0x1d60400
[00:09:0531] [PE] Init AhoCorasick
[00:09:0531] [PE] Start AhoCorasick [0x1d60400 - 543744]
[00:09:0547] [PE] Looking results : 0
[00:09:0563] [PE] Section[1/3] : 0x1de5000
[00:09:0563] [PE] Init AhoCorasick
[00:09:0578] [PE] Start AhoCorasick [0x1de5000 - 9216]
[00:09:0578] [PE] Looking results : 0
[00:09:0594] [PE] Section[2/3] : 0x1de7400
[00:09:0594] [PE] Init AhoCorasick
[00:09:0610] [PE] Start AhoCorasick [0x1de7400 - 26624]
[00:09:0610] [PE] Looking results : 0
[00:09:0625] [PE] Section[3/3] : 0x1dedc00
[00:09:0625] [PE] Init AhoCorasick
[00:09:0641] [PE] Start AhoCorasick [0x1dedc00 - 20480]
[00:09:0641] [PE] Looking results : 0
[00:09:0656] [CHECK] Blacklist
[00:09:0656] [CHECK] BlacklistPath
[00:09:0672] [CHECK] BlacklistMD5
[00:09:0672] [CHECK] MadeNumbers
[00:09:0688] [CHECK] HasUnicode
[00:09:0688] [CHECK] SuspPath
[00:09:0703] [CHECK] ProcessResidue
[00:09:0703] [CHECK] Not found!
[00:09:0719] [Check DLLs] MSASN1.dll : C:\WINDOWS\system32\MSASN1.dll
[00:09:0719] [CHECK] WhiteDLL
[00:09:0735] [CHECK] Whitelist
[00:09:0735] [CHECK] WellKnown
[00:09:0750] [CHECK] WhitelistPath
[00:09:0750] [CHECK] HijackName
[00:09:0797] [CHECK] Signature
[00:09:0828] [PE] Mapping
[00:09:0844] [PE] Parsing
[00:09:0844] [PE] Dos header -> 0x1d60000
[00:09:0860] [PE] Nt header (offset : 0xd8) file size 0xe600
[00:09:0860] [PE] pNtHeadersx86 -> 0x1d600d8
[00:09:0875] [PE] Chars -> 0x210e
[00:09:0875] [PE] Optional header
[00:09:0891] [PE] Sections : 4
[00:09:0891] [PE] Section : 0 - .text
[00:09:0906] [PE] Section : 1 - .data
[00:09:0906] [PE] Section : 2 - .rsrc
[00:09:0922] [PE] Section : 3 - .reloc
[00:09:0922] [PE] File open : 1
[00:09:0938] [PE] Search sigs
[00:09:0938] [PE] Section[0/3] : 0x1d60400
[00:09:0953] [PE] Init AhoCorasick
[00:09:0953] [PE] Start AhoCorasick [0x1d60400 - 55296]
[00:09:0969] [PE] Looking results : 0
[00:09:0969] [PE] Section[1/3] : 0x1d6dc00
[00:09:0985] [PE] Init AhoCorasick
[00:09:0985] [PE] Start AhoCorasick [0x1d6dc00 - 512]
[00:09:0985] [PE] Looking results : 0
[00:10:0000] [PE] Section[2/3] : 0x1d6de00
[00:10:0000] [PE] Init AhoCorasick
[00:10:0016] [PE] Start AhoCorasick [0x1d6de00 - 1024]
[00:10:0016] [PE] Looking results : 0
[00:10:0031] [PE] Section[3/3] : 0x1d6e200
[00:10:0031] [PE] Init AhoCorasick
[00:10:0047] [PE] Start AhoCorasick [0x1d6e200 - 1024]
[00:10:0047] [PE] Looking results : 0
[00:10:0063] [CHECK] Blacklist
[00:10:0063] [CHECK] BlacklistPath
[00:10:0078] [CHECK] BlacklistMD5
[00:10:0078] [CHECK] MadeNumbers
[00:10:0094] [CHECK] HasUnicode
[00:10:0094] [CHECK] SuspPath
[00:10:0110] [CHECK] ProcessResidue
[00:10:0110] [CHECK] Not found!
[00:10:0125] [Check DLLs] CRYPTUI.dll : C:\WINDOWS\system32\CRYPTUI.dll
[00:10:0125] [CHECK] WhiteDLL
[00:10:0141] [CHECK] Whitelist
[00:10:0141] [CHECK] WellKnown
[00:10:0156] [CHECK] WhitelistPath
[00:10:0156] [CHECK] HijackName
[00:10:0172] [CHECK] Signature
[00:10:0219] [PE] Mapping
[00:10:0219] [PE] Parsing
[00:10:0235] [PE] Dos header -> 0x1d60000
[00:10:0235] [PE] Nt header (offset : 0xe8) file size 0x7d200
[00:10:0250] [PE] pNtHeadersx86 -> 0x1d600e8
[00:10:0250] [PE] Chars -> 0x210e
[00:10:0266] [PE] Optional header
[00:10:0266] [PE] Sections : 4
[00:10:0281] [PE] Section : 0 - .text
[00:10:0281] [PE] Section : 1 - .data
[00:10:0297] [PE] Section : 2 - .rsrc
[00:10:0297] [PE] Section : 3 - .reloc
[00:10:0313] [PE] File open : 1
[00:10:0313] [PE] Search sigs
[00:10:0328] [PE] Section[0/3] : 0x1d60400
[00:10:0328] [PE] Init AhoCorasick
[00:10:0344] [PE] Start AhoCorasick [0x1d60400 - 291840]
[00:10:0360] [PE] Looking results : 0
[00:10:0360] [PE] Section[1/3] : 0x1da7800
[00:10:0375] [PE] Init AhoCorasick
[00:10:0375] [PE] Start AhoCorasick [0x1da7800 - 1024]
[00:10:0391] [PE] Looking results : 0
[00:10:0391] [PE] Section[2/3] : 0x1da7c00
[00:10:0406] [PE] Init AhoCorasick
[00:10:0406] [PE] Start AhoCorasick [0x1da7c00 - 207360]
[00:10:0422] [PE] Looking results : 0
[00:10:0422] [PE] Section[3/3] : 0x1dda600
[00:10:0438] [PE] Init AhoCorasick
[00:10:0438] [PE] Start AhoCorasick [0x1dda600 - 11264]
[00:10:0453] [PE] Looking results : 0
[00:10:0453] [CHECK] Blacklist
[00:10:0469] [CHECK] BlacklistPath
[00:10:0469] [CHECK] BlacklistMD5
[00:10:0485] [CHECK] MadeNumbers
[00:10:0485] [CHECK] HasUnicode
[00:10:0500] [CHECK] SuspPath
[00:10:0500] [CHECK] ProcessResidue
[00:10:0516] [CHECK] Not found!
[00:10:0516] [Check DLLs] NETAPI32.dll : C:\WINDOWS\system32\NETAPI32.dll
[00:10:0531] [CHECK] WhiteDLL
[00:10:0531] [CHECK] Whitelist
[00:10:0547] [CHECK] WellKnown
[00:10:0547] [CHECK] WhitelistPath
[00:10:0563] [CHECK] HijackName
[00:10:0563] [CHECK] Signature
[00:10:0625] [PE] Mapping
[00:10:0625] [PE] Parsing
[00:10:0641] [PE] Dos header -> 0x1d60000
[00:10:0641] [PE] Nt header (offset : 0xe8) file size 0x52800
[00:10:0656] [PE] pNtHeadersx86 -> 0x1d600e8
[00:10:0656] [PE] Chars -> 0x210e
[00:10:0672] [PE] Optional header
[00:10:0672] [PE] Sections : 4
[00:10:0688] [PE] Section : 0 - .text
[00:10:0688] [PE] Section : 1 - .data
[00:10:0703] [PE] Section : 2 - .rsrc
[00:10:0703] [PE] Section : 3 - .reloc
[00:10:0719] [PE] File open : 1
[00:10:0719] [PE] Search sigs
[00:10:0735] [PE] Section[0/3] : 0x1d60400
[00:10:0735] [PE] Init AhoCorasick
[00:10:0750] [PE] Start AhoCorasick [0x1d60400 - 314880]
[00:10:0766] [PE] Looking results : 0
[00:10:0797] [PE] Section[1/3] : 0x1dad200
[00:10:0797] [PE] Init AhoCorasick
[00:10:0813] [PE] Start AhoCorasick [0x1dad200 - 10240]
[00:10:0813] [PE] Looking results : 0
[00:10:0828] [PE] Section[2/3] : 0x1dafa00
[00:10:0828] [PE] Init AhoCorasick
[00:10:0844] [PE] Start AhoCorasick [0x1dafa00 - 1024]
[00:10:0844] [PE] Looking results : 0
[00:10:0860] [PE] Section[3/3] : 0x1dafe00
[00:10:0860] [PE] Init AhoCorasick
[00:10:0875] [PE] Start AhoCorasick [0x1dafe00 - 10752]
[00:10:0875] [PE] Looking results : 0
[00:10:0891] [CHECK] Blacklist
[00:10:0891] [CHECK] BlacklistPath
[00:10:0906] [CHECK] BlacklistMD5
[00:10:0906] [CHECK] MadeNumbers
[00:10:0922] [CHECK] HasUnicode
[00:10:0922] [CHECK] SuspPath
[00:10:0938] [CHECK] ProcessResidue
[00:10:0938] [CHECK] Not found!
[00:10:0953] [Check DLLs] VERSION.dll : C:\WINDOWS\system32\VERSION.dll
[00:10:0953] [CHECK] WhiteDLL
[00:10:0969] [CHECK] Whitelist
[00:10:0969] [CHECK] WellKnown
[00:10:0985] [CHECK] WhitelistPath
[00:10:0985] [CHECK] HijackName
[00:11:0000] [CHECK] Signature
[00:11:0016] [PE] Mapping
[00:11:0016] [PE] Parsing
[00:11:0031] [PE] Dos header -> 0x1d60000
[00:11:0031] [PE] Nt header (offset : 0xd8) file size 0x4a00
[00:11:0047] [PE] pNtHeadersx86 -> 0x1d600d8
[00:11:0047] [PE] Chars -> 0x210e
[00:11:0047] [PE] Optional header
[00:11:0063] [PE] Sections : 4
[00:11:0063] [PE] Section : 0 - .text
[00:11:0078] [PE] Section : 1 - .data
[00:11:0078] [PE] Section : 2 - .rsrc
[00:11:0094] [PE] Section : 3 - .reloc
[00:11:0094] [PE] File open : 1
[00:11:0110] [PE] Search sigs
[00:11:0110] [PE] Section[0/3] : 0x1d60400
[00:11:0125] [PE] Init AhoCorasick
[00:11:0125] [PE] Start AhoCorasick [0x1d60400 - 14848]
[00:11:0141] [PE] Looking results : 0
[00:11:0141] [PE] Section[1/3] : 0x1d63e00
[00:11:0156] [PE] Init AhoCorasick
[00:11:0156] [PE] Start AhoCorasick [0x1d63e00 - 512]
[00:11:0172] [PE] Looking results : 0
[00:11:0172] [PE] Section[2/3] : 0x1d64000
[00:11:0188] [PE] Init AhoCorasick
[00:11:0188] [PE] Start AhoCorasick [0x1d64000 - 1536]
[00:11:0203] [PE] Looking results : 0
[00:11:0203] [PE] Section[3/3] : 0x1d64600
[00:11:0219] [PE] Init AhoCorasick
[00:11:0219] [PE] Start AhoCorasick [0x1d64600 - 1024]
[00:11:0235] [PE] Looking results : 0
[00:11:0235] [CHECK] Blacklist
[00:11:0250] [CHECK] BlacklistPath
[00:11:0250] [CHECK] BlacklistMD5
[00:11:0266] [CHECK] MadeNumbers
[00:11:0266] [CHECK] HasUnicode
[00:11:0281] [CHECK] SuspPath
[00:11:0281] [CHECK] ProcessResidue
[00:11:0297] [CHECK] Not found!
[00:11:0297] [Check DLLs] WININET.dll : C:\WINDOWS\system32\WININET.dll
[00:11:0313] [CHECK] WhiteDLL
[00:11:0313] [CHECK] Whitelist
[00:11:0328] [CHECK] WellKnown
[00:11:0328] [CHECK] WhitelistPath
[00:11:0344] [CHECK] HijackName
[00:11:0344] [CHECK] Signature
[00:11:0375] [PE] Mapping
[00:11:0375] [PE] Parsing
[00:11:0391] [PE] Dos header -> 0x1d60000
[00:11:0391] [PE] Nt header (offset : 0xe8) file size 0xe0a00
[00:11:0406] [PE] pNtHeadersx86 -> 0x1d600e8
[00:11:0406] [PE] Chars -> 0x2102
[00:11:0422] [PE] Optional header
[00:11:0422] [PE] Sections : 4
[00:11:0438] [PE] Section : 0 - .text
[00:11:0438] [PE] Section : 1 - .data
[00:11:0453] [PE] Section : 2 - .rsrc
[00:11:0453] [PE] Section : 3 - .reloc
[00:11:0469] [PE] File open : 1
[00:11:0469] [PE] Search sigs
[00:11:0485] [PE] Section[0/3] : 0x1d60400
[00:11:0485] [PE] Init AhoCorasick
[00:11:0500] [PE] Start AhoCorasick [0x1d60400 - 721920]
[00:11:0531] [PE] Looking results : 0
[00:11:0531] [PE] Section[1/3] : 0x1e10800
[00:11:0547] [PE] Init AhoCorasick
[00:11:0547] [PE] Start AhoCorasick [0x1e10800 - 13824]
[00:11:0563] [PE] Looking results : 0
[00:11:0563] [PE] Section[2/3] : 0x1e13e00
[00:11:0578] [PE] Init AhoCorasick
[00:11:0578] [PE] Start AhoCorasick [0x1e13e00 - 156160]
[00:11:0594] [PE] Looking results : 0
[00:11:0594] [PE] Section[3/3] : 0x1e3a000
[00:11:0610] [PE] Init AhoCorasick
[00:11:0610] [PE] Start AhoCorasick [0x1e3a000 - 27136]
[00:11:0625] [PE] Looking results : 0
[00:11:0625] [CHECK] Blacklist
[00:11:0641] [CHECK] BlacklistPath
[00:11:0641] [CHECK] BlacklistMD5
[00:11:0656] [CHECK] MadeNumbers
[00:11:0656] [CHECK] HasUnicode
[00:11:0672] [CHECK] SuspPath
[00:11:0672] [CHECK] ProcessResidue
[00:11:0688] [CHECK] Not found!
[00:11:0688] [Check DLLs] Normaliz.dll : C:\WINDOWS\system32\Normaliz.dll
[00:11:0703] [CHECK] WhiteDLL
[00:11:0703] [CHECK] Whitelist
[00:11:0719] [CHECK] WellKnown
[00:11:0735] [CHECK] WhitelistPath
[00:11:0735] [CHECK] HijackName
[00:11:0750] [CHECK] Signature
[00:11:0766] [PE] Mapping
[00:11:0813] [PE] Parsing
[00:11:0813] [PE] Dos header -> 0x1d60000
[00:11:0828] [PE] Nt header (offset : 0xe8) file size 0x5c00
[00:11:0828] [PE] pNtHeadersx86 -> 0x1d600e8
[00:11:0844] [PE] Chars -> 0x2102
[00:11:0844] [PE] Optional header
[00:11:0860] [PE] Sections : 4
[00:11:0860] [PE] Section : 0 - .text
[00:11:0875] [PE] Section : 1 - .data
[00:11:0875] [PE] Section : 2 - .rsrc
[00:11:0891] [PE] Section : 3 - .reloc
[00:11:0891] [PE] File open : 1
[00:11:0906] [PE] Search sigs
[00:11:0906] [PE] Section[0/3] : 0x1d60400
[00:11:0922] [PE] Init AhoCorasick
[00:11:0922] [PE] Start AhoCorasick [0x1d60400 - 18944]
[00:11:0938] [PE] Looking results : 0
[00:11:0938] [PE] Section[1/3] : 0x1d64e00
[00:11:0953] [PE] Init AhoCorasick
[00:11:0953] [PE] Start AhoCorasick [0x1d64e00 - 1024]
[00:11:0969] [PE] Looking results : 0
[00:11:0969] [PE] Section[2/3] : 0x1d65200
[00:11:0985] [PE] Init AhoCorasick
[00:11:0985] [PE] Start AhoCorasick [0x1d65200 - 1024]
[00:12:0000] [PE] Looking results : 0
[00:12:0000] [PE] Section[3/3] : 0x1d65600
[00:12:0016] [PE] Init AhoCorasick
[00:12:0016] [PE] Start AhoCorasick [0x1d65600 - 1536]
[00:12:0031] [PE] Looking results : 0
[00:12:0031] [CHECK] Blacklist
[00:12:0047] [CHECK] BlacklistPath
[00:12:0047] [CHECK] BlacklistMD5
[00:12:0063] [CHECK] MadeNumbers
[00:12:0063] [CHECK] HasUnicode
[00:12:0078] [CHECK] SuspPath
[00:12:0078] [CHECK] ProcessResidue
[00:12:0094] [CHECK] Not found!
[00:12:0094] [Check DLLs] urlmon.dll : C:\WINDOWS\system32\urlmon.dll
[00:12:0110] [CHECK] WhiteDLL
[00:12:0110] [CHECK] Whitelist
[00:12:0125] [CHECK] WellKnown
[00:12:0125] [CHECK] WhitelistPath
[00:12:0141] [CHECK] HijackName
[00:12:0141] [CHECK] Signature
[00:12:0219] [PE] Mapping
[00:12:0219] [PE] Parsing
[00:12:0235] [PE] Dos header -> 0x2260000
[00:12:0235] [PE] Nt header (offset : 0xf0) file size 0x128c00
[00:12:0250] [PE] pNtHeadersx86 -> 0x22600f0
[00:12:0250] [PE] Chars -> 0x2102
[00:12:0266] [PE] Optional header
[00:12:0266] [PE] Sections : 5
[00:12:0281] [PE] Section : 0 - .text
[00:12:0281] [PE] Section : 1 - .orpc
[00:12:0297] [PE] Section : 2 - .data
[00:12:0297] [PE] Section : 3 - .rsrc
[00:12:0297] [PE] Section : 4 - .reloc
[00:12:0313] [PE] File open : 1
[00:12:0328] [PE] Search sigs
[00:12:0328] [PE] Section[0/4] : 0x2260400
[00:12:0344] [PE] Init AhoCorasick
[00:12:0344] [PE] Start AhoCorasick [0x2260400 - 816128]
[00:12:0375] [PE] Looking results : 0
[00:12:0375] [PE] Section[1/4] : 0x2327800
[00:12:0391] [PE] Init AhoCorasick
[00:12:0391] [PE] Start AhoCorasick [0x2327800 - 4608]
[00:12:0406] [PE] Looking results : 0
[00:12:0406] [PE] Section[2/4] : 0x2328a00
[00:12:0422] [PE] Init AhoCorasick
[00:12:0422] [PE] Start AhoCorasick [0x2328a00 - 15360]
[00:12:0438] [PE] Looking results : 0
[00:12:0438] [PE] Section[3/4] : 0x232c600
[00:12:0453] [PE] Init AhoCorasick
[00:12:0453] [PE] Start AhoCorasick [0x232c600 - 347648]
[00:12:0469] [PE] Looking results : 0
[00:12:0469] [PE] Section[4/4] : 0x2381400
[00:12:0485] [PE] Init AhoCorasick
[00:12:0485] [PE] Start AhoCorasick [0x2381400 - 30720]
[00:12:0500] [PE] Looking results : 0
[00:12:0500] [CHECK] Blacklist
[00:12:0516] [CHECK] BlacklistPath
[00:12:0516] [CHECK] BlacklistMD5
[00:12:0531] [CHECK] MadeNumbers
[00:12:0531] [CHECK] HasUnicode
[00:12:0547] [CHECK] SuspPath
[00:12:0547] [CHECK] ProcessResidue
[00:12:0563] [CHECK] Not found!
[00:12:0578] [Check DLLs] iertutil.dll : C:\WINDOWS\system32\iertutil.dll
[00:12:0578] [CHECK] WhiteDLL
[00:12:0594] [CHECK] Whitelist
[00:12:0594] [CHECK] WellKnown
[00:12:0610] [CHECK] WhitelistPath
[00:12:0610] [CHECK] HijackName
[00:12:0625] [CHECK] Signature
[00:12:0703] [PE] Mapping
[00:12:0719] [PE] Parsing
[00:12:0719] [PE] Dos header -> 0x2260000
[00:12:0719] [PE] Nt header (offset : 0xe8) file size 0x1e9c00
[00:12:0735] [PE] pNtHeadersx86 -> 0x22600e8
[00:12:0735] [PE] Chars -> 0x2102
[00:12:0750] [PE] Optional header
[00:12:0750] [PE] Sections : 4
[00:12:0828] [PE] Section : 0 - .text
[00:12:0828] [PE] Section : 1 - .data
[00:12:0844] [PE] Section : 2 - .rsrc
[00:12:0844] [PE] Section : 3 - .reloc
[00:12:0860] [PE] File open : 1
[00:12:0875] [PE] Search sigs
[00:12:0891] [PE] Section[0/3] : 0x2260400
[00:12:0891] [PE] Init AhoCorasick
[00:12:0906] [PE] Start AhoCorasick [0x2260400 - 1892352]
[00:12:0938] [PE] Looking results : 0
[00:12:0953] [PE] Section[1/3] : 0x242e400
[00:12:0953] [PE] Init AhoCorasick
[00:12:0969] [PE] Start AhoCorasick [0x242e400 - 16896]
[00:12:0969] [PE] Looking results : 0
[00:12:0985] [PE] Section[2/3] : 0x2432600
[00:12:0985] [PE] Init AhoCorasick
[00:13:0000] [PE] Start AhoCorasick [0x2432600 - 1536]
[00:13:0000] [PE] Looking results : 0
[00:13:0016] [PE] Section[3/3] : 0x2432c00
[00:13:0016] [PE] Init AhoCorasick
[00:13:0031] [PE] Start AhoCorasick [0x2432c00 - 94208]
[00:13:0047] [PE] Looking results : 0
[00:13:0047] [CHECK] Blacklist
[00:13:0063] [CHECK] BlacklistPath
[00:13:0063] [CHECK] BlacklistMD5
[00:13:0078] [CHECK] MadeNumbers
[00:13:0078] [CHECK] HasUnicode
[00:13:0094] [CHECK] SuspPath
[00:13:0094] [CHECK] ProcessResidue
[00:13:0125] [CHECK] Not found!
[00:13:0125] [Check DLLs] WINTRUST.dll : C:\WINDOWS\system32\WINTRUST.dll
[00:13:0141] [CHECK] WhiteDLL
[00:13:0141] [CHECK] Whitelist
[00:13:0156] [CHECK] WellKnown
[00:13:0156] [CHECK] WhitelistPath
[00:13:0172] [CHECK] HijackName
[00:13:0172] [CHECK] Signature
[00:13:0219] [PE] Mapping
[00:13:0235] [PE] Parsing
[00:13:0235] [PE] Dos header -> 0x1d60000
[00:13:0250] [PE] Nt header (offset : 0xf0) file size 0x2b600
[00:13:0250] [PE] pNtHeadersx86 -> 0x1d600f0
[00:13:0266] [PE] Chars -> 0x210e
[00:13:0266] [PE] Optional header
[00:13:0281] [PE] Sections : 4
[00:13:0281] [PE] Section : 0 - .text
[00:13:0297] [PE] Section : 1 - .data
[00:13:0297] [PE] Section : 2 - .rsrc
[00:13:0313] [PE] Section : 3 - .reloc
[00:13:0313] [PE] File open : 1
[00:13:0328] [PE] Search sigs
[00:13:0328] [PE] Section[0/3] : 0x1d60400
[00:13:0344] [PE] Init AhoCorasick
[00:13:0344] [PE] Start AhoCorasick [0x1d60400 - 165888]
[00:13:0360] [PE] Looking results : 0
[00:13:0360] [PE] Section[1/3] : 0x1d88c00
[00:13:0375] [PE] Init AhoCorasick
[00:13:0375] [PE] Start AhoCorasick [0x1d88c00 - 1024]
[00:13:0391] [PE] Looking results : 0
[00:13:0391] [PE] Section[2/3] : 0x1d89000
[00:13:0406] [PE] Init AhoCorasick
[00:13:0406] [PE] Start AhoCorasick [0x1d89000 - 4096]
[00:13:0422] [PE] Looking results : 0
[00:13:0422] [PE] Section[3/3] : 0x1d8a000
[00:13:0438] [PE] Init AhoCorasick
[00:13:0438] [PE] Start AhoCorasick [0x1d8a000 - 5632]
[00:13:0453] [PE] Looking results : 0
[00:13:0453] [CHECK] Blacklist
[00:13:0469] [CHECK] BlacklistPath
[00:13:0469] [CHECK] BlacklistMD5
[00:13:0485] [CHECK] MadeNumbers
[00:13:0485] [CHECK] HasUnicode
[00:13:0500] [CHECK] SuspPath
[00:13:0500] [CHECK] ProcessResidue
[00:13:0516] [CHECK] Not found!
[00:13:0531] [Check DLLs] IMAGEHLP.dll : C:\WINDOWS\system32\IMAGEHLP.dll
[00:13:0531] [CHECK] WhiteDLL
[00:13:0547] [CHECK] Whitelist
[00:13:0547] [CHECK] WellKnown
[00:13:0563] [CHECK] WhitelistPath
[00:13:0563] [CHECK] HijackName
[00:13:0578] [CHECK] Signature
[00:13:0625] [PE] Mapping
[00:13:0641] [PE] Parsing
[00:13:0641] [PE] Dos header -> 0x1d60000
[00:13:0656] [PE] Nt header (offset : 0xf8) file size 0x24400
[00:13:0656] [PE] pNtHeadersx86 -> 0x1d600f8
[00:13:0672] [PE] Chars -> 0x210e
[00:13:0672] [PE] Optional header
[00:13:0688] [PE] Sections : 4
[00:13:0688] [PE] Section : 0 - .text
[00:13:0703] [PE] Section : 1 - .data
[00:13:0703] [PE] Section : 2 - .rsrc
[00:13:0719] [PE] Section : 3 - .reloc
[00:13:0719] [PE] File open : 1
[00:13:0735] [PE] Search sigs
[00:13:0735] [PE] Section[0/3] : 0x1d60400
[00:13:0750] [PE] Init AhoCorasick
[00:13:0750] [PE] Start AhoCorasick [0x1d60400 - 139264]
[00:13:0797] [PE] Looking results : 0
[00:13:0813] [PE] Section[1/3] : 0x1d82400
[00:13:0813] [PE] Init AhoCorasick
[00:13:0828] [PE] Start AhoCorasick [0x1d82400 - 2560]
[00:13:0828] [PE] Looking results : 0
[00:13:0844] [PE] Section[2/3] : 0x1d82e00
[00:13:0844] [PE] Init AhoCorasick
[00:13:0860] [PE] Start AhoCorasick [0x1d82e00 - 1024]
[00:13:0860] [PE] Looking results : 0
[00:13:0875] [PE] Section[3/3] : 0x1d83200
[00:13:0875] [PE] Init AhoCorasick
[00:13:0891] [PE] Start AhoCorasick [0x1d83200 - 4608]
[00:13:0891] [PE] Looking results : 0
[00:13:0906] [CHECK] Blacklist
[00:13:0906] [CHECK] BlacklistPath
[00:13:0922] [CHECK] BlacklistMD5
[00:13:0922] [CHECK] MadeNumbers
[00:13:0938] [CHECK] HasUnicode
[00:13:0938] [CHECK] SuspPath
[00:13:0953] [CHECK] ProcessResidue
[00:13:0953] [CHECK] Not found!
[00:13:0969] [Check DLLs] WLDAP32.dll : C:\WINDOWS\system32\WLDAP32.dll
[00:13:0969] [CHECK] WhiteDLL
[00:13:0985] [CHECK] Whitelist
[00:13:0985] [CHECK] WellKnown
[00:14:0000] [CHECK] WhitelistPath
[00:14:0000] [CHECK] HijackName
[00:14:0016] [CHECK] Signature
[00:14:0047] [PE] Mapping
[00:14:0063] [PE] Parsing
[00:14:0063] [PE] Dos header -> 0x1d60000
[00:14:0078] [PE] Nt header (offset : 0xf0) file size 0x2a000
[00:14:0078] [PE] pNtHeadersx86 -> 0x1d600f0
[00:14:0094] [PE] Chars -> 0x210e
[00:14:0094] [PE] Optional header
[00:14:0110] [PE] Sections : 4
[00:14:0110] [PE] Section : 0 - .text
[00:14:0125] [PE] Section : 1 - .data
[00:14:0125] [PE] Section : 2 - .rsrc
[00:14:0141] [PE] Section : 3 - .reloc
[00:14:0141] [PE] File open : 1
[00:14:0156] [PE] Search sigs
[00:14:0156] [PE] Section[0/3] : 0x1d60400
[00:14:0172] [PE] Init AhoCorasick
[00:14:0172] [PE] Start AhoCorasick [0x1d60400 - 131072]
[00:14:0188] [PE] Looking results : 0
[00:14:0188] [PE] Section[1/3] : 0x1d80400
[00:14:0203] [PE] Init AhoCorasick
[00:14:0203] [PE] Start AhoCorasick [0x1d80400 - 30720]
[00:14:0219] [PE] Looking results : 0
[00:14:0219] [PE] Section[2/3] : 0x1d87c00
[00:14:0235] [PE] Init AhoCorasick
[00:14:0235] [PE] Start AhoCorasick [0x1d87c00 - 4096]
[00:14:0250] [PE] Looking results : 0
[00:14:0250] [PE] Section[3/3] : 0x1d88c00
[00:14:0266] [PE] Init AhoCorasick
[00:14:0266] [PE] Start AhoCorasick [0x1d88c00 - 5120]
[00:14:0281] [PE] Looking results : 0
[00:14:0281] [CHECK] Blacklist
[00:14:0297] [CHECK] BlacklistPath
[00:14:0297] [CHECK] BlacklistMD5
[00:14:0313] [CHECK] MadeNumbers
[00:14:0313] [CHECK] HasUnicode
[00:14:0328] [CHECK] SuspPath
[00:14:0328] [CHECK] ProcessResidue
[00:14:0344] [CHECK] Not found!
[00:14:0360] [Check DLLs] SHELL32.dll : C:\WINDOWS\system32\SHELL32.dll
[00:14:0360] [CHECK] WhiteDLL
[00:14:0375] [CHECK] Whitelist
[00:14:0375] [CHECK] WellKnown
[00:14:0391] [CHECK] WhitelistPath
[00:14:0391] [CHECK] HijackName
[00:14:0406] [CHECK] Signature
[00:14:0625] [CHECK] Blacklist
[00:14:0625] [CHECK] BlacklistPath
[00:14:0641] [CHECK] BlacklistMD5
[00:14:0641] [CHECK] MadeNumbers
[00:14:0656] [CHECK] HasUnicode
[00:14:0656] [CHECK] SuspPath
[00:14:0672] [CHECK] ProcessResidue
[00:14:0672] [CHECK] Not found!
[00:14:0688] [Check DLLs] UxTheme.dll : C:\WINDOWS\system32\UxTheme.dll
[00:14:0703] [CHECK] WhiteDLL
[00:14:0703] [CHECK] Whitelist
[00:14:0719] [CHECK] WellKnown
[00:14:0719] [CHECK] WhitelistPath
[00:14:0735] [CHECK] HijackName
[00:14:0735] [CHECK] Signature
[00:14:0766] [PE] Mapping
[00:14:0797] [PE] Parsing
[00:14:0813] [PE] Dos header -> 0x1d60000
[00:14:0813] [PE] Nt header (offset : 0xe8) file size 0x35600
[00:14:0828] [PE] pNtHeadersx86 -> 0x1d600e8
[00:14:0828] [PE] Chars -> 0x210e
[00:14:0844] [PE] Optional header
[00:14:0844] [PE] Sections : 4
[00:14:0860] [PE] Section : 0 - .text
[00:14:0860] [PE] Section : 1 - .data
[00:14:0875] [PE] Section : 2 - .rsrc
[00:14:0875] [PE] Section : 3 - .reloc
[00:14:0891] [PE] File open : 1
[00:14:0891] [PE] Search sigs
[00:14:0906] [PE] Section[0/3] : 0x1d60400
[00:14:0906] [PE] Init AhoCorasick
[00:14:0922] [PE] Start AhoCorasick [0x1d60400 - 193024]
[00:14:0922] [PE] Looking results : 0
[00:14:0938] [PE] Section[1/3] : 0x1d8f600
[00:14:0938] [PE] Init AhoCorasick
[00:14:0953] [PE] Start AhoCorasick [0x1d8f600 - 4096]
[00:14:0953] [PE] Looking results : 0
[00:14:0969] [PE] Section[2/3] : 0x1d90600
[00:14:0969] [PE] Init AhoCorasick
[00:14:0985] [PE] Start AhoCorasick [0x1d90600 - 13824]
[00:14:0985] [PE] Looking results : 0
[00:15:0000] [PE] Section[3/3] : 0x1d93c00
[00:15:0000] [PE] Init AhoCorasick
[00:15:0016] [PE] Start AhoCorasick [0x1d93c00 - 6656]
[00:15:0016] [PE] Looking results : 0
[00:15:0031] [CHECK] Blacklist
[00:15:0047] [CHECK] BlacklistPath
[00:15:0047] [CHECK] BlacklistMD5
[00:15:0063] [CHECK] MadeNumbers
[00:15:0063] [CHECK] HasUnicode
[00:15:0078] [CHECK] SuspPath
[00:15:0078] [CHECK] ProcessResidue
[00:15:0094] [CHECK] Not found!
[00:15:0094] [Check DLLs] ShimEng.dll : C:\WINDOWS\system32\ShimEng.dll
[00:15:0110] [CHECK] WhiteDLL
[00:15:0110] [CHECK] Whitelist
[00:15:0125] [CHECK] WellKnown
[00:15:0125] [CHECK] WhitelistPath
[00:15:0141] [CHECK] HijackName
[00:15:0141] [CHECK] Signature
[00:15:0188] [PE] Mapping
[00:15:0188] [PE] Parsing
[00:15:0203] [PE] Dos header -> 0x1d60000
[00:15:0203] [PE] Nt header (offset : 0xe8) file size 0xfe00
[00:15:0219] [PE] pNtHeadersx86 -> 0x1d600e8
[00:15:0219] [PE] Chars -> 0x210e
[00:15:0235] [PE] Optional header
[00:15:0235] [PE] Sections : 4
[00:15:0250] [PE] Section : 0 - .text
[00:15:0250] [PE] Section : 1 - .data
[00:15:0266] [PE] Section : 2 - .rsrc
[00:15:0266] [PE] Section : 3 - .reloc
[00:15:0281] [PE] File open : 1
[00:15:0281] [PE] Search sigs
[00:15:0297] [PE] Section[0/3] : 0x1d60400
[00:15:0297] [PE] Init AhoCorasick
[00:15:0313] [PE] Start AhoCorasick [0x1d60400 - 55808]
[00:15:0313] [PE] Looking results : 0
[00:15:0328] [PE] Section[1/3] : 0x1d6de00
[00:15:0328] [PE] Init AhoCorasick
[00:15:0344] [PE] Start AhoCorasick [0x1d6de00 - 1536]
[00:15:0344] [PE] Looking results : 0
[00:15:0360] [PE] Section[2/3] : 0x1d6e400
[00:15:0360] [PE] Init AhoCorasick
[00:15:0375] [PE] Start AhoCorasick [0x1d6e400 - 1024]
[00:15:0375] [PE] Looking results : 0
[00:15:0391] [PE] Section[3/3] : 0x1d6e800
[00:15:0391] [PE] Init AhoCorasick
[00:15:0406] [PE] Start AhoCorasick [0x1d6e800 - 5632]
[00:15:0422] [PE] Looking results : 0
[00:15:0422] [CHECK] Blacklist
[00:15:0438] [CHECK] BlacklistPath
[00:15:0438] [CHECK] BlacklistMD5
[00:15:0453] [CHECK] MadeNumbers
[00:15:0453] [CHECK] HasUnicode
[00:15:0469] [CHECK] SuspPath
[00:15:0469] [CHECK] ProcessResidue
[00:15:0485] [CHECK] Not found!
[00:15:0485] [Check DLLs] AcGenral.DLL : C:\WINDOWS\AppPatch\AcGenral.DLL
[00:15:0500] [CHECK] WhiteDLL
[00:15:0500] [CHECK] Whitelist
[00:15:0516] [CHECK] WellKnown
[00:15:0516] [CHECK] WhitelistPath
[00:15:0531] [CHECK] HijackName
[00:15:0531] [CHECK] Signature
[00:15:0750] [PE] Mapping
[00:15:0750] [PE] Parsing
[00:15:0781] [PE] Dos header -> 0x2260000
[00:15:0797] [PE] Nt header (offset : 0xe8) file size 0x1c4600
[00:15:0797] [PE] pNtHeadersx86 -> 0x22600e8
[00:15:0813] [PE] Chars -> 0x210e
[00:15:0813] [PE] Optional header
[00:15:0828] [PE] Sections : 4
[00:15:0828] [PE] Section : 0 - .text
[00:15:0844] [PE] Section : 1 - .data
[00:15:0844] [PE] Section : 2 - .rsrc
[00:15:0860] [PE] Section : 3 - .reloc
[00:15:0860] [PE] File open : 1
[00:15:0875] [PE] Search sigs
[00:15:0875] [PE] Section[0/3] : 0x2260400
[00:15:0891] [PE] Init AhoCorasick
[00:15:0891] [PE] Start AhoCorasick [0x2260400 - 204800]
[00:15:0906] [PE] Looking results : 0
[00:15:0922] [PE] Section[1/3] : 0x2292400
[00:15:0922] [PE] Init AhoCorasick
[00:15:0938] [PE] Start AhoCorasick [0x2292400 - 23552]
[00:15:0938] [PE] Looking results : 0
[00:15:0953] [PE] Section[2/3] : 0x2298000
[00:15:0953] [PE] Init AhoCorasick
[00:15:0969] [PE] Start AhoCorasick [0x2298000 - 1602048]
[00:16:0000] [PE] Looking results : 0
[00:16:0000] [PE] Section[3/3] : 0x241f200
[00:16:0016] [PE] Init AhoCorasick
[00:16:0016] [PE] Start AhoCorasick [0x241f200 - 21504]
[00:16:0031] [PE] Looking results : 0
[00:16:0031] [CHECK] Blacklist
[00:16:0047] [CHECK] BlacklistPath
[00:16:0047] [CHECK] BlacklistMD5
[00:16:0063] [CHECK] MadeNumbers
[00:16:0063] [CHECK] HasUnicode
[00:16:0078] [CHECK] SuspPath
[00:16:0078] [CHECK] ProcessResidue
[00:16:0094] [CHECK] Not found!
[00:16:0110] [Check DLLs] WINMM.dll : C:\WINDOWS\system32\WINMM.dll
[00:16:0110] [CHECK] WhiteDLL
[00:16:0125] [CHECK] Whitelist
[00:16:0125] [CHECK] WellKnown
[00:16:0141] [CHECK] WhitelistPath
[00:16:0141] [CHECK] HijackName
[00:16:0156] [CHECK] Signature
[00:16:0172] [PE] Mapping
[00:16:0188] [PE] Parsing
[00:16:0188] [PE] Dos header -> 0x1d60000
[00:16:0203] [PE] Nt header (offset : 0xf0) file size 0x2b000
[00:16:0203] [PE] pNtHeadersx86 -> 0x1d600f0
[00:16:0219] [PE] Chars -> 0x210e
[00:16:0219] [PE] Optional header
[00:16:0235] [PE] Sections : 4
[00:16:0250] [PE] Section : 0 - .text
[00:16:0250] [PE] Section : 1 - .data
[00:16:0266] [PE] Section : 2 - .rsrc
[00:16:0266] [PE] Section : 3 - .reloc
[00:16:0281] [PE] File open : 1
[00:16:0281] [PE] Search sigs
[00:16:0297] [PE] Section[0/3] : 0x1d60400
[00:16:0297] [PE] Init AhoCorasick
[00:16:0313] [PE] Start AhoCorasick [0x1d60400 - 126464]
[00:16:0313] [PE] Looking results : 0
[00:16:0328] [PE] Section[1/3] : 0x1d7f200
[00:16:0328] [PE] Init AhoCorasick
[00:16:0344] [PE] Start AhoCorasick [0x1d7f200 - 5120]
[00:16:0344] [PE] Looking results : 0
[00:16:0360] [PE] Section[2/3] : 0x1d80600
[00:16:0360] [PE] Init AhoCorasick
[00:16:0375] [PE] Start AhoCorasick [0x1d80600 - 36864]
[00:16:0375] [PE] Looking results : 0
[00:16:0391] [PE] Section[3/3] : 0x1d89600
[00:16:0391] [PE] Init AhoCorasick
[00:16:0406] [PE] Start AhoCorasick [0x1d89600 - 6656]
[00:16:0406] [PE] Looking results : 0
[00:16:0422] [CHECK] Blacklist
[00:16:0438] [CHECK] BlacklistPath
[00:16:0438] [CHECK] BlacklistMD5
[00:16:0453] [CHECK] MadeNumbers
[00:16:0453] [CHECK] HasUnicode
[00:16:0469] [CHECK] SuspPath
[00:16:0469] [CHECK] ProcessResidue
[00:16:0485] [CHECK] Not found!
[00:16:0485] [Check DLLs] MSACM32.dll : C:\WINDOWS\system32\MSACM32.dll
[00:16:0500] [CHECK] WhiteDLL
[00:16:0500] [CHECK] Whitelist
[00:16:0516] [CHECK] WellKnown
[00:16:0516] [CHECK] WhitelistPath
[00:16:0531] [CHECK] HijackName
[00:16:0531] [CHECK] Signature
[00:16:0563] [PE] Mapping
[00:16:0563] [PE] Parsing
[00:16:0578] [PE] Dos header -> 0x1d60000
[00:16:0578] [PE] Nt header (offset : 0xe8) file size 0x11800
[00:16:0594] [PE] pNtHeadersx86 -> 0x1d600e8
[00:16:0594] [PE] Chars -> 0x210e
[00:16:0610] [PE] Optional header
[00:16:0610] [PE] Sections : 4
[00:16:0625] [PE] Section : 0 - .text
[00:16:0625] [PE] Section : 1 - .data
[00:16:0641] [PE] Section : 2 - .rsrc
[00:16:0641] [PE] Section : 3 - .reloc
[00:16:0656] [PE] File open : 1
[00:16:0656] [PE] Search sigs
[00:16:0672] [PE] Section[0/3] : 0x1d60400
[00:16:0672] [PE] Init AhoCorasick
[00:16:0688] [PE] Start AhoCorasick [0x1d60400 - 62464]
[00:16:0688] [PE] Looking results : 0
[00:16:0703] [PE] Section[1/3] : 0x1d6f800
[00:16:0703] [PE] Init AhoCorasick
[00:16:0719] [PE] Start AhoCorasick [0x1d6f800 - 512]
[00:16:0719] [PE] Looking results : 0
[00:16:0735] [PE] Section[2/3] : 0x1d6fa00
[00:16:0735] [PE] Init AhoCorasick
[00:16:0750] [PE] Start AhoCorasick [0x1d6fa00 - 5632]
[00:16:0766] [PE] Looking results : 0
[00:16:0813] [PE] Section[3/3] : 0x1d71000
[00:16:0828] [PE] Init AhoCorasick
[00:16:0828] [PE] Start AhoCorasick [0x1d71000 - 2048]
[00:16:0844] [PE] Looking results : 0
[00:16:0844] [CHECK] Blacklist
[00:16:0860] [CHECK] BlacklistPath
[00:16:0875] [CHECK] BlacklistMD5
[00:16:0875] [CHECK] MadeNumbers
[00:16:0891] [CHECK] HasUnicode
[00:16:0891] [CHECK] SuspPath
[00:16:0906] [CHECK] ProcessResidue
[00:16:0906] [CHECK] Not found!
[00:16:0922] [Check DLLs] USERENV.dll : C:\WINDOWS\system32\USERENV.dll
[00:16:0922] [CHECK] WhiteDLL
[00:16:0938] [CHECK] Whitelist
[00:16:0938] [CHECK] WellKnown
[00:16:0953] [CHECK] WhitelistPath
[00:16:0953] [CHECK] HijackName
[00:16:0969] [CHECK] Signature
[00:17:0016] [PE] Mapping
[00:17:0031] [PE] Parsing
[00:17:0031] [PE] Dos header -> 0x1d60000
[00:17:0047] [PE] Nt header (offset : 0xf0) file size 0xb1800
[00:17:0047] [PE] pNtHeadersx86 -> 0x1d600f0
[00:17:0063] [PE] Chars -> 0x210e
[00:17:0063] [PE] Optional header
[00:17:0078] [PE] Sections : 4
[00:17:0078] [PE] Section : 0 - .text
[00:17:0094] [PE] Section : 1 - .data
[00:17:0094] [PE] Section : 2 - .rsrc
[00:17:0110] [PE] Section : 3 - .reloc
[00:17:0125] [PE] File open : 1
[00:17:0125] [PE] Search sigs
[00:17:0141] [PE] Section[0/3] : 0x1d60400
[00:17:0141] [PE] Init AhoCorasick
[00:17:0156] [PE] Start AhoCorasick [0x1d60400 - 652800]
[00:17:0172] [PE] Looking results : 0
[00:17:0172] [PE] Section[1/3] : 0x1dffa00
[00:17:0188] [PE] Init AhoCorasick
[00:17:0203] [PE] Start AhoCorasick [0x1dffa00 - 7680]
[00:17:0203] [PE] Looking results : 0
[00:17:0219] [PE] Section[2/3] : 0x1e01800
[00:17:0219] [PE] Init AhoCorasick
[00:17:0235] [PE] Start AhoCorasick [0x1e01800 - 38912]
[00:17:0235] [PE] Looking results : 0
[00:17:0250] [PE] Section[3/3] : 0x1e0b000
[00:17:0250] [PE] Init AhoCorasick
[00:17:0266] [PE] Start AhoCorasick [0x1e0b000 - 26624]
[00:17:0266] [PE] Looking results : 0
[00:17:0281] [CHECK] Blacklist
[00:17:0281] [CHECK] BlacklistPath
[00:17:0297] [CHECK] BlacklistMD5
[00:17:0297] [CHECK] MadeNumbers
[00:17:0313] [CHECK] HasUnicode
[00:17:0313] [CHECK] SuspPath
[00:17:0328] [CHECK] ProcessResidue
[00:17:0344] [CHECK] Not found!
[00:17:0344] [Check DLLs] IMM32.DLL : C:\WINDOWS\system32\IMM32.DLL
[00:17:0360] [CHECK] WhiteDLL
[00:17:0360] [CHECK] Whitelist
[00:17:0375] [CHECK] WellKnown
[00:17:0375] [CHECK] WhitelistPath
[00:17:0391] [CHECK] HijackName
[00:17:0391] [CHECK] Signature
[00:17:0406] [PE] Mapping
[00:17:0422] [PE] Parsing
[00:17:0422] [PE] Dos header -> 0x1d60000
[00:17:0438] [PE] Nt header (offset : 0xe8) file size 0x1ae00
[00:17:0438] [PE] pNtHeadersx86 -> 0x1d600e8
[00:17:0453] [PE] Chars -> 0x210e
[00:17:0453] [PE] Optional header
[00:17:0469] [PE] Sections : 4
[00:17:0469] [PE] Section : 0 - .text
[00:17:0485] [PE] Section : 1 - .data
[00:17:0485] [PE] Section : 2 - .rsrc
[00:17:0500] [PE] Section : 3 - .reloc
[00:17:0500] [PE] File open : 1
[00:17:0516] [PE] Search sigs
[00:17:0516] [PE] Section[0/3] : 0x1d60400
[00:17:0531] [PE] Init AhoCorasick
[00:17:0531] [PE] Start AhoCorasick [0x1d60400 - 84992]
[00:17:0547] [PE] Looking results : 0
[00:17:0563] [PE] Section[1/3] : 0x1d75000
[00:17:0563] [PE] Init AhoCorasick
[00:17:0578] [PE] Start AhoCorasick [0x1d75000 - 512]
[00:17:0578] [PE] Looking results : 0
[00:17:0594] [PE] Section[2/3] : 0x1d75200
[00:17:0594] [PE] Init AhoCorasick
[00:17:0610] [PE] Start AhoCorasick [0x1d75200 - 19968]
[00:17:0610] [PE] Looking results : 0
[00:17:0625] [PE] Section[3/3] : 0x1d7a000
[00:17:0625] [PE] Init AhoCorasick
[00:17:0641] [PE] Start AhoCorasick [0x1d7a000 - 3584]
[00:17:0641] [PE] Looking results : 0
[00:17:0656] [CHECK] Blacklist
[00:17:0672] [CHECK] BlacklistPath
[00:17:0672] [CHECK] BlacklistMD5
[00:17:0688] [CHECK] MadeNumbers
[00:17:0688] [CHECK] HasUnicode
[00:17:0703] [CHECK] SuspPath
[00:17:0703] [CHECK] ProcessResidue
[00:17:0719] [CHECK] Not found!
[00:17:0719] [Check DLLs] LPK.DLL : C:\WINDOWS\system32\LPK.DLL
[00:17:0735] [CHECK] WhiteDLL
[00:17:0750] [CHECK] Whitelist
[00:17:0750] [CHECK] WellKnown
[00:17:0797] [CHECK] WhitelistPath
[00:17:0813] [CHECK] HijackName
[00:17:0813] [CHECK] Signature
[00:17:0860] [PE] Mapping
[00:17:0875] [PE] Parsing
[00:17:0875] [PE] Dos header -> 0x1d60000
[00:17:0891] [PE] Nt header (offset : 0xd8) file size 0x5600
[00:17:0891] [PE] pNtHeadersx86 -> 0x1d600d8
[00:17:0906] [PE] Chars -> 0x210e
[00:17:0906] [PE] Optional header
[00:17:0922] [PE] Sections : 4
[00:17:0922] [PE] Section : 0 - .text
[00:17:0938] [PE] Section : 1 - .data
[00:17:0938] [PE] Section : 2 - .rsrc
[00:17:0953] [PE] Section : 3 - .reloc
[00:17:0953] [PE] File open : 1
[00:17:0969] [PE] Search sigs
[00:17:0969] [PE] Section[0/3] : 0x1d60400
[00:17:0985] [PE] Init AhoCorasick
[00:17:0985] [PE] Start AhoCorasick [0x1d60400 - 18432]
[00:18:0000] [PE] Looking results : 0
[00:18:0016] [PE] Section[1/3] : 0x1d64c00
[00:18:0016] [PE] Init AhoCorasick
[00:18:0031] [PE] Start AhoCorasick [0x1d64c00 - 512]
[00:18:0031] [PE] Looking results : 0
[00:18:0047] [PE] Section[2/3] : 0x1d64e00
[00:18:0047] [PE] Init AhoCorasick
[00:18:0063] [PE] Start AhoCorasick [0x1d64e00 - 1024]
[00:18:0063] [PE] Looking results : 0
[00:18:0078] [PE] Section[3/3] : 0x1d65200
[00:18:0078] [PE] Init AhoCorasick
[00:18:0094] [PE] Start AhoCorasick [0x1d65200 - 1024]
[00:18:0094] [PE] Looking results : 0
[00:18:0110] [CHECK] Blacklist
[00:18:0110] [CHECK] BlacklistPath
[00:18:0125] [CHECK] BlacklistMD5
[00:18:0141] [CHECK] MadeNumbers
[00:18:0141] [CHECK] HasUnicode
[00:18:0156] [CHECK] SuspPath
[00:18:0156] [CHECK] ProcessResidue
[00:18:0172] [CHECK] Not found!
[00:18:0172] [Check DLLs] USP10.dll : C:\WINDOWS\system32\USP10.dll
[00:18:0188] [CHECK] WhiteDLL
[00:18:0188] [CHECK] Whitelist
[00:18:0203] [CHECK] WellKnown
[00:18:0219] [CHECK] WhitelistPath
[00:18:0219] [CHECK] HijackName
[00:18:0235] [CHECK] Signature
[00:18:0281] [PE] Mapping
[00:18:0297] [PE] Parsing
[00:18:0297] [PE] Dos header -> 0x1d60000
[00:18:0313] [PE] Nt header (offset : 0xe0) file size 0x63200
[00:18:0313] [PE] pNtHeadersx86 -> 0x1d600e0
[00:18:0328] [PE] Chars -> 0x210e
[00:18:0328] [PE] Optional header
[00:18:0344] [PE] Sections : 5
[00:18:0344] [PE] Section : 0 - .text
[00:18:0360] [PE] Section : 1 - .data
[00:18:0360] [PE] Section : 2 - Shared
[00:18:0375] [PE] Section : 3 - .rsrc
[00:18:0375] [PE] Section : 4 - .reloc
[00:18:0391] [PE] File open : 1
[00:18:0391] [PE] Search sigs
[00:18:0406] [PE] Section[0/4] : 0x1d60400
[00:18:0406] [PE] Init AhoCorasick
[00:18:0422] [PE] Start AhoCorasick [0x1d60400 - 276992]
[00:18:0438] [PE] Looking results : 0
[00:18:0438] [PE] Section[1/4] : 0x1da3e00
[00:18:0453] [PE] Init AhoCorasick
[00:18:0453] [PE] Start AhoCorasick [0x1da3e00 - 41472]
[00:18:0469] [PE] Looking results : 0
[00:18:0485] [PE] Section[2/4] : 0x1dae000
[00:18:0485] [PE] Init AhoCorasick
[00:18:0500] [PE] Start AhoCorasick [0x1dae000 - 7680]
[00:18:0500] [PE] Looking results : 0
[00:18:0516] [PE] Section[3/4] : 0x1dafe00
[00:18:0516] [PE] Init AhoCorasick
[00:18:0531] [PE] Start AhoCorasick [0x1dafe00 - 72704]
[00:18:0531] [PE] Looking results : 0
[00:18:0547] [PE] Section[4/4] : 0x1dc1a00
[00:18:0563] [PE] Init AhoCorasick
[00:18:0563] [PE] Start AhoCorasick [0x1dc1a00 - 6144]
[00:18:0578] [PE] Looking results : 0
[00:18:0578] [CHECK] Blacklist
[00:18:0594] [CHECK] BlacklistPath
[00:18:0594] [CHECK] BlacklistMD5
[00:18:0610] [CHECK] MadeNumbers
[00:18:0610] [CHECK] HasUnicode
[00:18:0625] [CHECK] SuspPath
[00:18:0625] [CHECK] ProcessResidue
[00:18:0641] [CHECK] Not found!
[00:18:0656] [Check DLLs] comctl32.dll : C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll
[00:18:0656] [CHECK] WhiteDLL
[00:18:0672] [CHECK] Whitelist
[00:18:0672] [CHECK] WellKnown
[00:18:0688] [CHECK] WhitelistPath
[00:18:0688] [CHECK] HijackName
[00:18:0703] [CHECK] Signature
[00:18:0750] [PE] Mapping
[00:18:0797] [PE] Parsing
[00:18:0797] [PE] Dos header -> 0x2260000
[00:18:0813] [PE] Nt header (offset : 0xf0) file size 0x101600
[00:18:0813] [PE] pNtHeadersx86 -> 0x22600f0
[00:18:0828] [PE] Chars -> 0x210e
[00:18:0828] [PE] Optional header
[00:18:0844] [PE] Sections : 4
[00:18:0844] [PE] Section : 0 - .text
[00:18:0860] [PE] Section : 1 - .data
[00:18:0860] [PE] Section : 2 - .rsrc
[00:18:0875] [PE] Section : 3 - .reloc
[00:18:0875] [PE] File open : 1
[00:18:0891] [PE] Search sigs
[00:18:0891] [PE] Section[0/3] : 0x2260400
[00:18:0906] [PE] Init AhoCorasick
[00:18:0922] [PE] Start AhoCorasick [0x2260400 - 592896]
[00:18:0938] [PE] Looking results : 0
[00:18:0938] [PE] Section[1/3] : 0x22f1000
[00:18:0953] [PE] Init AhoCorasick
[00:18:0953] [PE] Start AhoCorasick [0x22f1000 - 1536]
[00:18:0969] [PE] Looking results : 0
[00:18:0985] [PE] Section[2/3] : 0x22f1600
[00:18:0985] [PE] Init AhoCorasick
[00:19:0000] [PE] Start AhoCorasick [0x22f1600 - 434176]
[00:19:0016] [PE] Looking results : 0
[00:19:0016] [PE] Section[3/3] : 0x235b600
[00:19:0031] [PE] Init AhoCorasick
[00:19:0031] [PE] Start AhoCorasick [0x235b600 - 24576]
[00:19:0047] [PE] Looking results : 0
[00:19:0047] [CHECK] Blacklist
[00:19:0063] [CHECK] BlacklistPath
[00:19:0078] [CHECK] BlacklistMD5
[00:19:0078] [CHECK] MadeNumbers
[00:19:0094] [CHECK] HasUnicode
[00:19:0094] [CHECK] SuspPath
[00:19:0110] [CHECK] ProcessResidue
[00:19:0110] [CHECK] Not found!
[00:19:0125] [Check DLLs] comctl32.dll : C:\WINDOWS\system32\comctl32.dll
[00:19:0125] [CHECK] WhiteDLL
[00:19:0141] [CHECK] Whitelist
[00:19:0156] [CHECK] WellKnown
[00:19:0156] [CHECK] WhitelistPath
[00:19:0172] [CHECK] HijackName
[00:19:0172] [CHECK] Signature
[00:19:0235] [PE] Mapping
[00:19:0250] [PE] Parsing
[00:19:0250] [PE] Dos header -> 0x1d60000
[00:19:0266] [PE] Nt header (offset : 0xf0) file size 0x96c00
[00:19:0266] [PE] pNtHeadersx86 -> 0x1d600f0
[00:19:0281] [PE] Chars -> 0x210e
[00:19:0281] [PE] Optional header
[00:19:0297] [PE] Sections : 4
[00:19:0297] [PE] Section : 0 - .text
[00:19:0313] [PE] Section : 1 - .data
[00:19:0313] [PE] Section : 2 - .rsrc
[00:19:0328] [PE] Section : 3 - .reloc
[00:19:0328] [PE] File open : 1
[00:19:0344] [PE] Search sigs
[00:19:0360] [PE] Section[0/3] : 0x1d60400
[00:19:0360] [PE] Init AhoCorasick
[00:19:0375] [PE] Start AhoCorasick [0x1d60400 - 461824]
[00:19:0391] [PE] Looking results : 0
[00:19:0391] [PE] Section[1/3] : 0x1dd1000
[00:19:0406] [PE] Init AhoCorasick
[00:19:0406] [PE] Start AhoCorasick [0x1dd1000 - 9728]
[00:19:0422] [PE] Looking results : 0
[00:19:0422] [PE] Section[2/3] : 0x1dd3600
[00:19:0438] [PE] Init AhoCorasick
[00:19:0453] [PE] Start AhoCorasick [0x1dd3600 - 128000]
[00:19:0453] [PE] Looking results : 0
[00:19:0469] [PE] Section[3/3] : 0x1df2a00
[00:19:0469] [PE] Init AhoCorasick
[00:19:0485] [PE] Start AhoCorasick [0x1df2a00 - 16896]
[00:19:0485] [PE] Looking results : 0
[00:19:0500] [CHECK] Blacklist
[00:19:0516] [CHECK] BlacklistPath
[00:19:0516] [CHECK] BlacklistMD5
[00:19:0531] [CHECK] MadeNumbers
[00:19:0531] [CHECK] HasUnicode
[00:19:0547] [CHECK] SuspPath
[00:19:0547] [CHECK] ProcessResidue
[00:19:0563] [CHECK] Not found!
[00:19:0563] [Check DLLs] msctfime.ime : C:\WINDOWS\system32\msctfime.ime
[00:19:0578] [CHECK] WhiteDLL
[00:19:0594] [CHECK] Whitelist
[00:19:0594] [CHECK] WellKnown
[00:19:0610] [CHECK] WhitelistPath
[00:19:0610] [CHECK] HijackName
[00:19:0625] [CHECK] Signature
[00:19:0641] [PE] Mapping
[00:19:0656] [PE] Parsing
[00:19:0656] [PE] Dos header -> 0x1d60000
[00:19:0672] [PE] Nt header (offset : 0xe8) file size 0x2b400
[00:19:0672] [PE] pNtHeadersx86 -> 0x1d600e8
[00:19:0688] [PE] Chars -> 0x210e
[00:19:0719] [PE] Optional header
[00:19:0719] [PE] Sections : 4
[00:19:0735] [PE] Section : 0 - .text
[00:19:0750] [PE] Section : 1 - .data
[00:19:0750] [PE] Section : 2 - .rsrc
[00:19:0797] [PE] Section : 3 - .reloc
[00:19:0813] [PE] File open : 1
[00:19:0813] [PE] Search sigs
[00:19:0828] [PE] Section[0/3] : 0x1d60400
[00:19:0828] [PE] Init AhoCorasick
[00:19:0844] [PE] Start AhoCorasick [0x1d60400 - 158720]
[00:19:0860] [PE] Looking results : 0
[00:19:0906] [PE] Section[1/3] : 0x1d87000
[00:19:0922] [PE] Init AhoCorasick
[00:19:0922] [PE] Start AhoCorasick [0x1d87000 - 512]
[00:19:0938] [PE] Looking results : 0
[00:19:0938] [PE] Section[2/3] : 0x1d87200
[00:19:0953] [PE] Init AhoCorasick
[00:19:0953] [PE] Start AhoCorasick [0x1d87200 - 5632]
[00:19:0969] [PE] Looking results : 0
[00:19:0969] [PE] Section[3/3] : 0x1d88800
[00:19:0985] [PE] Init AhoCorasick

captain5678 · September 29, 2013

continued...

[00:20:0000] [PE] Start AhoCorasick [0x1d88800 - 11264]
[00:20:0000] [PE] Looking results : 0
[00:20:0016] [CHECK] Blacklist
[00:20:0016] [CHECK] BlacklistPath
[00:20:0031] [CHECK] BlacklistMD5
[00:20:0031] [CHECK] MadeNumbers
[00:20:0047] [CHECK] HasUnicode
[00:20:0047] [CHECK] SuspPath
[00:20:0063] [CHECK] ProcessResidue
[00:20:0078] [CHECK] Not found!
[00:20:0078] [Check DLLs] appHelp.dll : C:\WINDOWS\system32\appHelp.dll
[00:20:0094] [CHECK] WhiteDLL
[00:20:0094] [CHECK] Whitelist
[00:20:0110] [CHECK] WellKnown
[00:20:0110] [CHECK] WhitelistPath
[00:20:0125] [CHECK] HijackName
[00:20:0141] [CHECK] Signature
[00:20:0172] [PE] Mapping
[00:20:0188] [PE] Parsing
[00:20:0188] [PE] Dos header -> 0x1d60000
[00:20:0203] [PE] Nt header (offset : 0xe0) file size 0x1ec00
[00:20:0203] [PE] pNtHeadersx86 -> 0x1d600e0
[00:20:0219] [PE] Chars -> 0x210e
[00:20:0219] [PE] Optional header
[00:20:0235] [PE] Sections : 4
[00:20:0250] [PE] Section : 0 - .text
[00:20:0250] [PE] Section : 1 - .data
[00:20:0266] [PE] Section : 2 - .rsrc
[00:20:0266] [PE] Section : 3 - .reloc
[00:20:0281] [PE] File open : 1
[00:20:0281] [PE] Search sigs
[00:20:0297] [PE] Section[0/3] : 0x1d60400
[00:20:0297] [PE] Init AhoCorasick
[00:20:0313] [PE] Start AhoCorasick [0x1d60400 - 116224]
[00:20:0328] [PE] Looking results : 0
[00:20:0328] [PE] Section[1/3] : 0x1d7ca00
[00:20:0344] [PE] Init AhoCorasick
[00:20:0344] [PE] Start AhoCorasick [0x1d7ca00 - 2560]
[00:20:0360] [PE] Looking results : 0
[00:20:0360] [PE] Section[2/3] : 0x1d7d400
[00:20:0375] [PE] Init AhoCorasick
[00:20:0375] [PE] Start AhoCorasick [0x1d7d400 - 1024]
[00:20:0391] [PE] Looking results : 0
[00:20:0391] [PE] Section[3/3] : 0x1d7d800
[00:20:0406] [PE] Init AhoCorasick
[00:20:0422] [PE] Start AhoCorasick [0x1d7d800 - 5120]
[00:20:0422] [PE] Looking results : 0
[00:20:0438] [CHECK] Blacklist
[00:20:0438] [CHECK] BlacklistPath
[00:20:0453] [CHECK] BlacklistMD5
[00:20:0453] [CHECK] MadeNumbers
[00:20:0469] [CHECK] HasUnicode
[00:20:0469] [CHECK] SuspPath
[00:20:0485] [CHECK] ProcessResidue
[00:20:0485] [CHECK] Not found!
[00:20:0500] [Check DLLs] CLBCATQ.DLL : C:\WINDOWS\system32\CLBCATQ.DLL
[00:20:0516] [CHECK] WhiteDLL
[00:20:0516] [CHECK] Whitelist
[00:20:0531] [CHECK] WellKnown
[00:20:0531] [CHECK] WhitelistPath
[00:20:0547] [CHECK] HijackName
[00:20:0563] [CHECK] Signature
[00:20:0703] [PE] Mapping
[00:20:0703] [PE] Parsing
[00:20:0719] [PE] Dos header -> 0x1d60000
[00:20:0719] [PE] Nt header (offset : 0xe0) file size 0x79c00
[00:20:0735] [PE] pNtHeadersx86 -> 0x1d600e0
[00:20:0735] [PE] Chars -> 0x210e
[00:20:0750] [PE] Optional header
[00:20:0781] [PE] Sections : 4
[00:20:0781] [PE] Section : 0 - .text
[00:20:0797] [PE] Section : 1 - .data
[00:20:0797] [PE] Section : 2 - .rsrc
[00:20:0813] [PE] Section : 3 - .reloc
[00:20:0813] [PE] File open : 1
[00:20:0828] [PE] Search sigs
[00:20:0828] [PE] Section[0/3] : 0x1d60400
[00:20:0844] [PE] Init AhoCorasick
[00:20:0860] [PE] Start AhoCorasick [0x1d60400 - 464384]
[00:20:0875] [PE] Looking results : 0
[00:20:0875] [PE] Section[1/3] : 0x1dd1a00
[00:20:0891] [PE] Init AhoCorasick
[00:20:0891] [PE] Start AhoCorasick [0x1dd1a00 - 7680]
[00:20:0906] [PE] Looking results : 0
[00:20:0906] [PE] Section[2/3] : 0x1dd3800
[00:20:0922] [PE] Init AhoCorasick
[00:20:0938] [PE] Start AhoCorasick [0x1dd3800 - 8192]
[00:20:0938] [PE] Looking results : 0
[00:20:0953] [PE] Section[3/3] : 0x1dd5800
[00:20:0953] [PE] Init AhoCorasick
[00:20:0969] [PE] Start AhoCorasick [0x1dd5800 - 17408]
[00:20:0969] [PE] Looking results : 0
[00:20:0985] [CHECK] Blacklist
[00:20:0985] [CHECK] BlacklistPath
[00:21:0000] [CHECK] BlacklistMD5
[00:21:0016] [CHECK] MadeNumbers
[00:21:0016] [CHECK] HasUnicode
[00:21:0031] [CHECK] SuspPath
[00:21:0031] [CHECK] ProcessResidue
[00:21:0047] [CHECK] Not found!
[00:21:0047] [Check DLLs] COMRes.dll : C:\WINDOWS\system32\COMRes.dll
[00:21:0063] [CHECK] WhiteDLL
[00:21:0078] [CHECK] Whitelist
[00:21:0078] [CHECK] WellKnown
[00:21:0094] [CHECK] WhitelistPath
[00:21:0094] [CHECK] HijackName
[00:21:0110] [CHECK] Signature
[00:21:0156] [PE] Mapping
[00:21:0172] [PE] Parsing
[00:21:0172] [PE] Dos header -> 0x1d60000
[00:21:0188] [PE] Nt header (offset : 0xe0) file size 0xc1600
[00:21:0203] [PE] pNtHeadersx86 -> 0x1d600e0
[00:21:0203] [PE] Chars -> 0x210e
[00:21:0219] [PE] Optional header
[00:21:0219] [PE] Sections : 4
[00:21:0235] [PE] Section : 0 - .text
[00:21:0250] [PE] Section : 1 - .data
[00:21:0250] [PE] Section : 2 - .rsrc
[00:21:0266] [PE] Section : 3 - .reloc
[00:21:0297] [PE] File open : 1
[00:21:0313] [PE] Search sigs
[00:21:0313] [PE] Section[0/3] : 0x1d60400
[00:21:0328] [PE] Init AhoCorasick
[00:21:0344] [PE] Start AhoCorasick [0x1d60400 - 512]
[00:21:0344] [PE] Looking results : 0
[00:21:0360] [PE] Section[1/3] : 0x1d60000
[00:21:0391] [PE] Init AhoCorasick
[00:21:0406] [PE] Start AhoCorasick [0x1d60000 - 0]
[00:21:0422] [PE] Looking results : 0
[00:21:0422] [PE] Section[2/3] : 0x1d60600
[00:21:0438] [PE] Init AhoCorasick
[00:21:0438] [PE] Start AhoCorasick [0x1d60600 - 790016]
[00:21:0469] [PE] Looking results : 0
[00:21:0469] [PE] Section[3/3] : 0x1e21400
[00:21:0485] [PE] Init AhoCorasick
[00:21:0485] [PE] Start AhoCorasick [0x1e21400 - 512]
[00:21:0500] [PE] Looking results : 0
[00:21:0500] [CHECK] Blacklist
[00:21:0516] [CHECK] BlacklistPath
[00:21:0531] [CHECK] BlacklistMD5
[00:21:0531] [CHECK] MadeNumbers
[00:21:0547] [CHECK] HasUnicode
[00:21:0547] [CHECK] SuspPath
[00:21:0563] [CHECK] ProcessResidue
[00:21:0563] [CHECK] Not found!
[00:21:0578] [Check DLLs] cscui.dll : C:\WINDOWS\System32\cscui.dll
[00:21:0594] [CHECK] WhiteDLL
[00:21:0594] [CHECK] Whitelist
[00:21:0610] [CHECK] WellKnown
[00:21:0610] [CHECK] WhitelistPath
[00:21:0625] [CHECK] HijackName
[00:21:0641] [CHECK] Signature
[00:21:0750] [PE] Mapping
[00:21:0750] [PE] Parsing
[00:21:0766] [PE] Dos header -> 0x1d60000
[00:21:0781] [PE] Nt header (offset : 0xe8) file size 0x4fc00
[00:21:0797] [PE] pNtHeadersx86 -> 0x1d600e8
[00:21:0797] [PE] Chars -> 0x210e
[00:21:0813] [PE] Optional header
[00:21:0813] [PE] Sections : 4
[00:21:0828] [PE] Section : 0 - .text
[00:21:0828] [PE] Section : 1 - .data
[00:21:0844] [PE] Section : 2 - .rsrc
[00:21:0844] [PE] Section : 3 - .reloc
[00:21:0860] [PE] File open : 1
[00:21:0860] [PE] Search sigs
[00:21:0875] [PE] Section[0/3] : 0x1d60400
[00:21:0891] [PE] Init AhoCorasick
[00:21:0891] [PE] Start AhoCorasick [0x1d60400 - 141312]
[00:21:0906] [PE] Looking results : 0
[00:21:0906] [PE] Section[1/3] : 0x1d82c00
[00:21:0922] [PE] Init AhoCorasick
[00:21:0922] [PE] Start AhoCorasick [0x1d82c00 - 1536]
[00:21:0938] [PE] Looking results : 0
[00:21:0953] [PE] Section[2/3] : 0x1d83200
[00:21:0953] [PE] Init AhoCorasick
[00:21:0969] [PE] Start AhoCorasick [0x1d83200 - 176640]
[00:21:0969] [PE] Looking results : 0
[00:21:0985] [PE] Section[3/3] : 0x1dae400
[00:21:0985] [PE] Init AhoCorasick
[00:22:0000] [PE] Start AhoCorasick [0x1dae400 - 6144]
[00:22:0000] [PE] Looking results : 0
[00:22:0016] [CHECK] Blacklist
[00:22:0031] [CHECK] BlacklistPath
[00:22:0031] [CHECK] BlacklistMD5
[00:22:0047] [CHECK] MadeNumbers
[00:22:0047] [CHECK] HasUnicode
[00:22:0063] [CHECK] SuspPath
[00:22:0063] [CHECK] ProcessResidue
[00:22:0078] [CHECK] Not found!
[00:22:0094] [Check DLLs] CSCDLL.dll : C:\WINDOWS\System32\CSCDLL.dll
[00:22:0094] [CHECK] WhiteDLL
[00:22:0110] [CHECK] Whitelist
[00:22:0110] [CHECK] WellKnown
[00:22:0125] [CHECK] WhitelistPath
[00:22:0125] [CHECK] HijackName
[00:22:0141] [CHECK] Signature
[00:22:0203] [PE] Mapping
[00:22:0219] [PE] Parsing
[00:22:0219] [PE] Dos header -> 0x1d60000
[00:22:0235] [PE] Nt header (offset : 0xe8) file size 0x18e00
[00:22:0235] [PE] pNtHeadersx86 -> 0x1d600e8
[00:22:0250] [PE] Chars -> 0x210e
[00:22:0266] [PE] Optional header
[00:22:0266] [PE] Sections : 5
[00:22:0281] [PE] Section : 0 - .text
[00:22:0281] [PE] Section : 1 - PAGE
[00:22:0297] [PE] Section : 2 - .data
[00:22:0297] [PE] Section : 3 - .rsrc
[00:22:0313] [PE] Section : 4 - .reloc
[00:22:0328] [PE] File open : 1
[00:22:0344] [PE] Search sigs
[00:22:0344] [PE] Section[0/4] : 0x1d60400
[00:22:0360] [PE] Init AhoCorasick
[00:22:0360] [PE] Start AhoCorasick [0x1d60400 - 57856]
[00:22:0375] [PE] Looking results : 0
[00:22:0391] [PE] Section[1/4] : 0x1d6e600
[00:22:0391] [PE] Init AhoCorasick
[00:22:0406] [PE] Start AhoCorasick [0x1d6e600 - 9728]
[00:22:0406] [PE] Looking results : 0
[00:22:0422] [PE] Section[2/4] : 0x1d70c00
[00:22:0438] [PE] Init AhoCorasick
[00:22:0438] [PE] Start AhoCorasick [0x1d70c00 - 5120]
[00:22:0453] [PE] Looking results : 0
[00:22:0469] [PE] Section[3/4] : 0x1d72000
[00:22:0485] [PE] Init AhoCorasick
[00:22:0500] [PE] Start AhoCorasick [0x1d72000 - 25088]
[00:22:0500] [PE] Looking results : 0
[00:22:0516] [PE] Section[4/4] : 0x1d78200
[00:22:0531] [PE] Init AhoCorasick
[00:22:0547] [PE] Start AhoCorasick [0x1d78200 - 3072]
[00:22:0547] [PE] Looking results : 0
[00:22:0563] [CHECK] Blacklist
[00:22:0578] [CHECK] BlacklistPath
[00:22:0594] [CHECK] BlacklistMD5
[00:22:0610] [CHECK] MadeNumbers
[00:22:0610] [CHECK] HasUnicode
[00:22:0625] [CHECK] SuspPath
[00:22:0625] [CHECK] ProcessResidue
[00:22:0641] [CHECK] Not found!
[00:22:0656] [Check DLLs] themeui.dll : C:\WINDOWS\system32\themeui.dll
[00:22:0656] [CHECK] WhiteDLL
[00:22:0672] [CHECK] Whitelist
[00:22:0688] [CHECK] WellKnown
[00:22:0703] [CHECK] WhitelistPath
[00:22:0719] [CHECK] HijackName
[00:22:0719] [CHECK] Signature
[00:23:0016] [PE] Mapping
[00:23:0031] [PE] Parsing
[00:23:0063] [PE] Dos header -> 0x1d60000
[00:23:0078] [PE] Nt header (offset : 0xe0) file size 0x5e600
[00:23:0078] [PE] pNtHeadersx86 -> 0x1d600e0
[00:23:0094] [PE] Chars -> 0x210e
[00:23:0110] [PE] Optional header
[00:23:0110] [PE] Sections : 4
[00:23:0156] [PE] Section : 0 - .text
[00:23:0156] [PE] Section : 1 - .data
[00:23:0172] [PE] Section : 2 - .rsrc
[00:23:0172] [PE] Section : 3 - .reloc
[00:23:0188] [PE] File open : 1
[00:23:0203] [PE] Search sigs
[00:23:0203] [PE] Section[0/3] : 0x1d60400
[00:23:0219] [PE] Init AhoCorasick
[00:23:0219] [PE] Start AhoCorasick [0x1d60400 - 223744]
[00:23:0235] [PE] Looking results : 0
[00:23:0250] [PE] Section[1/3] : 0x1d96e00
[00:23:0250] [PE] Init AhoCorasick
[00:23:0266] [PE] Start AhoCorasick [0x1d96e00 - 3584]
[00:23:0281] [PE] Looking results : 0
[00:23:0281] [PE] Section[2/3] : 0x1d97c00
[00:23:0297] [PE] Init AhoCorasick
[00:23:0297] [PE] Start AhoCorasick [0x1d97c00 - 142848]
[00:23:0313] [PE] Looking results : 0
[00:23:0328] [PE] Section[3/3] : 0x1dbaa00
[00:23:0360] [PE] Init AhoCorasick
[00:23:0360] [PE] Start AhoCorasick [0x1dbaa00 - 15360]
[00:23:0375] [PE] Looking results : 0
[00:23:0391] [CHECK] Blacklist
[00:23:0391] [CHECK] BlacklistPath
[00:23:0406] [CHECK] BlacklistMD5
[00:23:0406] [CHECK] MadeNumbers
[00:23:0422] [CHECK] HasUnicode
[00:23:0422] [CHECK] SuspPath
[00:23:0438] [CHECK] ProcessResidue
[00:23:0453] [CHECK] Not found!
[00:23:0453] [Check DLLs] MSIMG32.dll : C:\WINDOWS\system32\MSIMG32.dll
[00:23:0469] [CHECK] WhiteDLL
[00:23:0469] [CHECK] Whitelist
[00:23:0485] [CHECK] WellKnown
[00:23:0485] [CHECK] WhitelistPath
[00:23:0500] [CHECK] HijackName
[00:23:0516] [CHECK] Signature
[00:23:0547] [PE] Mapping
[00:23:0563] [PE] Parsing
[00:23:0563] [PE] Dos header -> 0x1d60000
[00:23:0578] [PE] Nt header (offset : 0xe0) file size 0x1200
[00:23:0578] [PE] pNtHeadersx86 -> 0x1d600e0
[00:23:0594] [PE] Chars -> 0x210e
[00:23:0610] [PE] Optional header
[00:23:0610] [PE] Sections : 4
[00:23:0625] [PE] Section : 0 - .text
[00:23:0625] [PE] Section : 1 - .data
[00:23:0641] [PE] Section : 2 - .rsrc
[00:23:0641] [PE] Section : 3 - .reloc
[00:23:0656] [PE] File open : 1
[00:23:0656] [PE] Search sigs
[00:23:0672] [PE] Section[0/3] : 0x1d60400
[00:23:0688] [PE] Init AhoCorasick
[00:23:0688] [PE] Start AhoCorasick [0x1d60400 - 1536]
[00:23:0703] [PE] Looking results : 0
[00:23:0703] [PE] Section[1/3] : 0x1d60a00
[00:23:0719] [PE] Init AhoCorasick
[00:23:0719] [PE] Start AhoCorasick [0x1d60a00 - 512]
[00:23:0735] [PE] Looking results : 0
[00:23:0735] [PE] Section[2/3] : 0x1d60c00
[00:23:0750] [PE] Init AhoCorasick
[00:23:0797] [PE] Start AhoCorasick [0x1d60c00 - 1024]
[00:23:0813] [PE] Looking results : 0
[00:23:0828] [PE] Section[3/3] : 0x1d61000
[00:23:0828] [PE] Init AhoCorasick
[00:23:0844] [PE] Start AhoCorasick [0x1d61000 - 512]
[00:23:0844] [PE] Looking results : 0
[00:23:0860] [CHECK] Blacklist
[00:23:0860] [CHECK] BlacklistPath
[00:23:0875] [CHECK] BlacklistMD5
[00:23:0875] [CHECK] MadeNumbers
[00:23:0891] [CHECK] HasUnicode
[00:23:0906] [CHECK] SuspPath
[00:23:0906] [CHECK] ProcessResidue
[00:23:0922] [CHECK] Not found!
[00:23:0922] [Check DLLs] xpsp2res.dll : C:\WINDOWS\system32\xpsp2res.dll
[00:23:0938] [CHECK] WhiteDLL
[00:23:0938] [CHECK] Whitelist
[00:23:0953] [CHECK] WellKnown
[00:23:0969] [CHECK] WhitelistPath
[00:23:0969] [CHECK] HijackName
[00:23:0985] [CHECK] Signature
[00:24:0110] [PE] Mapping
[00:24:0125] [PE] Parsing
[00:24:0141] [PE] Dos header -> 0x2260000
[00:24:0141] [PE] Nt header (offset : 0xc0) file size 0x2c3800
[00:24:0156] [PE] pNtHeadersx86 -> 0x22600c0
[00:24:0172] [PE] Chars -> 0x210e
[00:24:0172] [PE] Optional header
[00:24:0188] [PE] Sections : 1
[00:24:0203] [PE] Section : 0 - .rsrc
[00:24:0219] [PE] File open : 1
[00:24:0235] [PE] Search sigs
[00:24:0250] [PE] Section[0/0] : 0x2260200
[00:24:0250] [PE] Init AhoCorasick
[00:24:0266] [PE] Start AhoCorasick [0x2260200 - 2897408]
[00:24:0313] [PE] Looking results : 0
[00:24:0328] [CHECK] Blacklist
[00:24:0344] [CHECK] BlacklistPath
[00:24:0360] [CHECK] BlacklistMD5
[00:24:0360] [CHECK] MadeNumbers
[00:24:0375] [CHECK] HasUnicode
[00:24:0375] [CHECK] SuspPath
[00:24:0391] [CHECK] ProcessResidue
[00:24:0406] [CHECK] Not found!
[00:24:0422] [Check DLLs] actxprxy.dll : C:\WINDOWS\system32\actxprxy.dll
[00:24:0422] [CHECK] WhiteDLL
[00:24:0438] [CHECK] Whitelist
[00:24:0438] [CHECK] WellKnown
[00:24:0453] [CHECK] WhitelistPath
[00:24:0469] [CHECK] HijackName
[00:24:0469] [CHECK] Signature
[00:24:0500] [PE] Mapping
[00:24:0500] [PE] Parsing
[00:24:0516] [PE] Dos header -> 0x1d60000
[00:24:0516] [PE] Nt header (offset : 0xe8) file size 0x18000
[00:24:0531] [PE] pNtHeadersx86 -> 0x1d600e8
[00:24:0531] [PE] Chars -> 0x210e
[00:24:0547] [PE] Optional header
[00:24:0547] [PE] Sections : 5
[00:24:0563] [PE] Section : 0 - .text
[00:24:0578] [PE] Section : 1 - .orpc
[00:24:0578] [PE] Section : 2 - .data
[00:24:0594] [PE] Section : 3 - .rsrc
[00:24:0594] [PE] Section : 4 - .reloc
[00:24:0610] [PE] File open : 1
[00:24:0610] [PE] Search sigs
[00:24:0625] [PE] Section[0/4] : 0x1d60400
[00:24:0625] [PE] Init AhoCorasick
[00:24:0641] [PE] Start AhoCorasick [0x1d60400 - 72192]
[00:24:0656] [PE] Looking results : 0
[00:24:0656] [PE] Section[1/4] : 0x1d71e00
[00:24:0672] [PE] Init AhoCorasick
[00:24:0672] [PE] Start AhoCorasick [0x1d71e00 - 3584]
[00:24:0688] [PE] Looking results : 0
[00:24:0688] [PE] Section[2/4] : 0x1d72c00
[00:24:0703] [PE] Init AhoCorasick
[00:24:0719] [PE] Start AhoCorasick [0x1d72c00 - 9728]
[00:24:0719] [PE] Looking results : 0
[00:24:0735] [PE] Section[3/4] : 0x1d75200
[00:24:0735] [PE] Init AhoCorasick
[00:24:0750] [PE] Start AhoCorasick [0x1d75200 - 1536]
[00:24:0750] [PE] Looking results : 0
[00:24:0797] [PE] Section[4/4] : 0x1d75800
[00:24:0813] [PE] Init AhoCorasick
[00:24:0813] [PE] Start AhoCorasick [0x1d75800 - 10240]
[00:24:0828] [PE] Looking results : 0
[00:24:0844] [CHECK] Blacklist
[00:24:0844] [CHECK] BlacklistPath
[00:24:0860] [CHECK] BlacklistMD5
[00:24:0860] [CHECK] MadeNumbers
[00:24:0875] [CHECK] HasUnicode
[00:24:0875] [CHECK] SuspPath
[00:24:0891] [CHECK] ProcessResidue
[00:24:0891] [CHECK] Not found!
[00:24:0906] [Check DLLs] SAMLIB.dll : C:\WINDOWS\system32\SAMLIB.dll
[00:24:0922] [CHECK] WhiteDLL
[00:24:0922] [CHECK] Whitelist
[00:24:0938] [CHECK] WellKnown
[00:24:0938] [CHECK] WhitelistPath
[00:24:0953] [CHECK] HijackName
[00:24:0969] [CHECK] Signature
[00:25:0000] [PE] Mapping
[00:25:0016] [PE] Parsing
[00:25:0016] [PE] Dos header -> 0x1d60000
[00:25:0031] [PE] Nt header (offset : 0xf0) file size 0xfa00
[00:25:0047] [PE] pNtHeadersx86 -> 0x1d600f0
[00:25:0047] [PE] Chars -> 0x210e
[00:25:0063] [PE] Optional header
[00:25:0063] [PE] Sections : 4
[00:25:0078] [PE] Section : 0 - .text
[00:25:0078] [PE] Section : 1 - .data
[00:25:0094] [PE] Section : 2 - .rsrc
[00:25:0110] [PE] Section : 3 - .reloc
[00:25:0110] [PE] File open : 1
[00:25:0125] [PE] Search sigs
[00:25:0125] [PE] Section[0/3] : 0x1d60400
[00:25:0141] [PE] Init AhoCorasick
[00:25:0156] [PE] Start AhoCorasick [0x1d60400 - 59392]
[00:25:0156] [PE] Looking results : 0
[00:25:0172] [PE] Section[1/3] : 0x1d6ec00
[00:25:0172] [PE] Init AhoCorasick
[00:25:0188] [PE] Start AhoCorasick [0x1d6ec00 - 512]
[00:25:0188] [PE] Looking results : 0
[00:25:0203] [PE] Section[2/3] : 0x1d6ee00
[00:25:0219] [PE] Init AhoCorasick
[00:25:0219] [PE] Start AhoCorasick [0x1d6ee00 - 1024]
[00:25:0235] [PE] Looking results : 0
[00:25:0235] [PE] Section[3/3] : 0x1d6f200
[00:25:0250] [PE] Init AhoCorasick
[00:25:0250] [PE] Start AhoCorasick [0x1d6f200 - 2048]
[00:25:0266] [PE] Looking results : 0
[00:25:0281] [CHECK] Blacklist
[00:25:0281] [CHECK] BlacklistPath
[00:25:0297] [CHECK] BlacklistMD5
[00:25:0297] [CHECK] MadeNumbers
[00:25:0313] [CHECK] HasUnicode
[00:25:0313] [CHECK] SuspPath
[00:25:0328] [CHECK] ProcessResidue
[00:25:0344] [CHECK] Not found!
[00:25:0344] [Check DLLs] SETUPAPI.dll : C:\WINDOWS\system32\SETUPAPI.dll
[00:25:0360] [CHECK] WhiteDLL
[00:25:0360] [CHECK] Whitelist
[00:25:0375] [CHECK] WellKnown
[00:25:0391] [CHECK] WhitelistPath
[00:25:0391] [CHECK] HijackName
[00:25:0406] [CHECK] Signature
[00:25:0453] [PE] Mapping
[00:25:0453] [PE] Parsing
[00:25:0469] [PE] Dos header -> 0x1d60000
[00:25:0469] [PE] Nt header (offset : 0xd8) file size 0xf0800
[00:25:0485] [PE] pNtHeadersx86 -> 0x1d600d8
[00:25:0500] [PE] Chars -> 0x2d0e
[00:25:0500] [PE] Optional header
[00:25:0516] [PE] Sections : 4
[00:25:0516] [PE] Section : 0 - .text
[00:25:0531] [PE] Section : 1 - .data
[00:25:0531] [PE] Section : 2 - .rsrc
[00:25:0547] [PE] Section : 3 - .reloc
[00:25:0563] [PE] File open : 1
[00:25:0563] [PE] Search sigs
[00:25:0578] [PE] Section[0/3] : 0x1d60400
[00:25:0578] [PE] Init AhoCorasick
[00:25:0594] [PE] Start AhoCorasick [0x1d60400 - 512000]
[00:25:0610] [PE] Looking results : 0
[00:25:0625] [PE] Section[1/3] : 0x1ddd400
[00:25:0625] [PE] Init AhoCorasick
[00:25:0641] [PE] Start AhoCorasick [0x1ddd400 - 6144]
[00:25:0656] [PE] Looking results : 0
[00:25:0656] [PE] Section[2/3] : 0x1ddec00
[00:25:0672] [PE] Init AhoCorasick
[00:25:0672] [PE] Start AhoCorasick [0x1ddec00 - 448000]
[00:25:0688] [PE] Looking results : 0
[00:25:0703] [PE] Section[3/3] : 0x1e4c200
[00:25:0703] [PE] Init AhoCorasick
[00:25:0719] [PE] Start AhoCorasick [0x1e4c200 - 17920]
[00:25:0735] [PE] Looking results : 0
[00:25:0735] [CHECK] Blacklist
[00:25:0750] [CHECK] BlacklistPath
[00:25:0750] [CHECK] BlacklistMD5
[00:25:0797] [CHECK] MadeNumbers
[00:25:0797] [CHECK] HasUnicode
[00:25:0813] [CHECK] SuspPath
[00:25:0813] [CHECK] ProcessResidue
[00:25:0828] [CHECK] Not found!
[00:25:0844] [Check DLLs] msi.dll : C:\WINDOWS\system32\msi.dll
[00:25:0844] [CHECK] WhiteDLL
[00:25:0860] [CHECK] Whitelist
[00:25:0860] [CHECK] WellKnown
[00:25:0875] [CHECK] WhitelistPath
[00:25:0875] [CHECK] HijackName
[00:25:0891] [CHECK] Signature
[00:26:0000] [PE] Mapping
[00:26:0016] [PE] Parsing
[00:26:0016] [PE] Dos header -> 0x2260000
[00:26:0031] [PE] Nt header (offset : 0xe8) file size 0x2b6200
[00:26:0031] [PE] pNtHeadersx86 -> 0x22600e8
[00:26:0047] [PE] Chars -> 0x210e
[00:26:0047] [PE] Optional header
[00:26:0063] [PE] Sections : 5
[00:26:0063] [PE] Section : 0 - .orpc
[00:26:0078] [PE] Section : 1 - .text
[00:26:0094] [PE] Section : 2 - .data
[00:26:0094] [PE] Section : 3 - .rsrc
[00:26:0110] [PE] Section : 4 - .reloc
[00:26:0110] [PE] File open : 1
[00:26:0125] [PE] Search sigs
[00:26:0141] [PE] Section[0/4] : 0x2260400
[00:26:0141] [PE] Init AhoCorasick
[00:26:0156] [PE] Start AhoCorasick [0x2260400 - 512]
[00:26:0156] [PE] Looking results : 0
[00:26:0172] [PE] Section[1/4] : 0x2260600
[00:26:0172] [PE] Init AhoCorasick
[00:26:0188] [PE] Start AhoCorasick [0x2260600 - 1775104]
[00:26:0235] [PE] Looking results : 0
[00:26:0250] [PE] Section[2/4] : 0x2411c00
[00:26:0250] [PE] Init AhoCorasick
[00:26:0266] [PE] Start AhoCorasick [0x2411c00 - 37888]
[00:26:0266] [PE] Looking results : 0
[00:26:0281] [PE] Section[3/4] : 0x241b000
[00:26:0281] [PE] Init AhoCorasick
[00:26:0297] [PE] Start AhoCorasick [0x241b000 - 978432]
[00:26:0328] [PE] Looking results : 0
[00:26:0328] [PE] Section[4/4] : 0x2509e00
[00:26:0344] [PE] Init AhoCorasick
[00:26:0344] [PE] Start AhoCorasick [0x2509e00 - 50176]
[00:26:0360] [PE] Looking results : 0
[00:26:0375] [CHECK] Blacklist
[00:26:0375] [CHECK] BlacklistPath
[00:26:0391] [CHECK] BlacklistMD5
[00:26:0391] [CHECK] MadeNumbers
[00:26:0406] [CHECK] HasUnicode
[00:26:0422] [CHECK] SuspPath
[00:26:0422] [CHECK] ProcessResidue
[00:26:0438] [CHECK] Not found!
[00:26:0438] [Check DLLs] LINKINFO.dll : C:\WINDOWS\system32\LINKINFO.dll
[00:26:0453] [CHECK] WhiteDLL
[00:26:0453] [CHECK] Whitelist
[00:26:0469] [CHECK] WellKnown
[00:26:0485] [CHECK] WhitelistPath
[00:26:0485] [CHECK] HijackName
[00:26:0500] [CHECK] Signature
[00:26:0516] [PE] Mapping
[00:26:0531] [PE] Parsing
[00:26:0531] [PE] Dos header -> 0x1d60000
[00:26:0547] [PE] Nt header (offset : 0xe8) file size 0x4e00
[00:26:0547] [PE] pNtHeadersx86 -> 0x1d600e8
[00:26:0563] [PE] Chars -> 0x210e
[00:26:0563] [PE] Optional header
[00:26:0578] [PE] Sections : 4
[00:26:0594] [PE] Section : 0 - .text
[00:26:0594] [PE] Section : 1 - .data
[00:26:0610] [PE] Section : 2 - .rsrc
[00:26:0610] [PE] Section : 3 - .reloc
[00:26:0625] [PE] File open : 1
[00:26:0625] [PE] Search sigs
[00:26:0641] [PE] Section[0/3] : 0x1d60400
[00:26:0656] [PE] Init AhoCorasick
[00:26:0656] [PE] Start AhoCorasick [0x1d60400 - 16384]
[00:26:0672] [PE] Looking results : 0
[00:26:0672] [PE] Section[1/3] : 0x1d64400
[00:26:0688] [PE] Init AhoCorasick
[00:26:0703] [PE] Start AhoCorasick [0x1d64400 - 512]
[00:26:0703] [PE] Looking results : 0
[00:26:0719] [PE] Section[2/3] : 0x1d64600
[00:26:0719] [PE] Init AhoCorasick
[00:26:0735] [PE] Start AhoCorasick [0x1d64600 - 1024]
[00:26:0735] [PE] Looking results : 0
[00:26:0750] [PE] Section[3/3] : 0x1d64a00
[00:26:0813] [PE] Init AhoCorasick
[00:26:0813] [PE] Start AhoCorasick [0x1d64a00 - 1024]
[00:26:0828] [PE] Looking results : 0
[00:26:0828] [CHECK] Blacklist
[00:26:0844] [CHECK] BlacklistPath
[00:26:0860] [CHECK] BlacklistMD5
[00:26:0860] [CHECK] MadeNumbers
[00:26:0875] [CHECK] HasUnicode
[00:26:0875] [CHECK] SuspPath
[00:26:0891] [CHECK] ProcessResidue
[00:26:0891] [CHECK] Not found!
[00:26:0906] [Check DLLs] ntshrui.dll : C:\WINDOWS\system32\ntshrui.dll
[00:26:0922] [CHECK] WhiteDLL
[00:26:0922] [CHECK] Whitelist
[00:26:0938] [CHECK] WellKnown
[00:26:0938] [CHECK] WhitelistPath
[00:26:0953] [CHECK] HijackName
[00:26:0969] [CHECK] Signature
[00:27:0000] [PE] Mapping
[00:27:0016] [PE] Parsing
[00:27:0031] [PE] Dos header -> 0x1d60000
[00:27:0031] [PE] Nt header (offset : 0xe8) file size 0x23000
[00:27:0047] [PE] pNtHeadersx86 -> 0x1d600e8
[00:27:0047] [PE] Chars -> 0x210e
[00:27:0063] [PE] Optional header
[00:27:0063] [PE] Sections : 4
[00:27:0078] [PE] Section : 0 - .text
[00:27:0094] [PE] Section : 1 - .data
[00:27:0094] [PE] Section : 2 - .rsrc
[00:27:0110] [PE] Section : 3 - .reloc
[00:27:0110] [PE] File open : 1
[00:27:0125] [PE] Search sigs
[00:27:0125] [PE] Section[0/3] : 0x1d60400
[00:27:0141] [PE] Init AhoCorasick
[00:27:0156] [PE] Start AhoCorasick [0x1d60400 - 45056]
[00:27:0156] [PE] Looking results : 0
[00:27:0172] [PE] Section[1/3] : 0x1d6b400
[00:27:0172] [PE] Init AhoCorasick
[00:27:0188] [PE] Start AhoCorasick [0x1d6b400 - 1024]
[00:27:0203] [PE] Looking results : 0
[00:27:0203] [PE] Section[2/3] : 0x1d6b800
[00:27:0219] [PE] Init AhoCorasick
[00:27:0219] [PE] Start AhoCorasick [0x1d6b800 - 93696]
[00:27:0235] [PE] Looking results : 0
[00:27:0235] [PE] Section[3/3] : 0x1d82600
[00:27:0250] [PE] Init AhoCorasick
[00:27:0266] [PE] Start AhoCorasick [0x1d82600 - 2560]
[00:27:0266] [PE] Looking results : 0
[00:27:0281] [CHECK] Blacklist
[00:27:0281] [CHECK] BlacklistPath
[00:27:0297] [CHECK] BlacklistMD5
[00:27:0313] [CHECK] MadeNumbers
[00:27:0313] [CHECK] HasUnicode
[00:27:0328] [CHECK] SuspPath
[00:27:0328] [CHECK] ProcessResidue
[00:27:0344] [CHECK] Not found!
[00:27:0360] [Check DLLs] ATL.DLL : C:\WINDOWS\system32\ATL.DLL
[00:27:0360] [CHECK] WhiteDLL
[00:27:0375] [CHECK] Whitelist
[00:27:0375] [CHECK] WellKnown
[00:27:0391] [CHECK] WhitelistPath
[00:27:0391] [CHECK] HijackName
[00:27:0406] [CHECK] Signature
[00:27:0422] [PE] Mapping
[00:27:0438] [PE] Parsing
[00:27:0438] [PE] Dos header -> 0x1d60000
[00:27:0453] [PE] Nt header (offset : 0xf0) file size 0xe600
[00:27:0453] [PE] pNtHeadersx86 -> 0x1d600f0
[00:27:0469] [PE] Chars -> 0x210e
[00:27:0469] [PE] Optional header
[00:27:0485] [PE] Sections : 4
[00:27:0500] [PE] Section : 0 - .text
[00:27:0500] [PE] Section : 1 - .data
[00:27:0516] [PE] Section : 2 - .rsrc
[00:27:0516] [PE] Section : 3 - .reloc
[00:27:0531] [PE] File open : 1
[00:27:0547] [PE] Search sigs
[00:27:0547] [PE] Section[0/3] : 0x1d60400
[00:27:0563] [PE] Init AhoCorasick
[00:27:0563] [PE] Start AhoCorasick [0x1d60400 - 44544]
[00:27:0578] [PE] Looking results : 0
[00:27:0578] [PE] Section[1/3] : 0x1d6b200
[00:27:0594] [PE] Init AhoCorasick
[00:27:0610] [PE] Start AhoCorasick [0x1d6b200 - 1024]
[00:27:0610] [PE] Looking results : 0
[00:27:0641] [PE] Section[2/3] : 0x1d6b600
[00:27:0656] [PE] Init AhoCorasick
[00:27:0656] [PE] Start AhoCorasick [0x1d6b600 - 9216]
[00:27:0672] [PE] Looking results : 0
[00:27:0672] [PE] Section[3/3] : 0x1d6da00
[00:27:0688] [PE] Init AhoCorasick
[00:27:0703] [PE] Start AhoCorasick [0x1d6da00 - 3072]
[00:27:0703] [PE] Looking results : 0
[00:27:0719] [CHECK] Blacklist
[00:27:0719] [CHECK] BlacklistPath
[00:27:0735] [CHECK] BlacklistMD5
[00:27:0750] [CHECK] MadeNumbers
[00:27:0750] [CHECK] HasUnicode
[00:27:0922] [CHECK] SuspPath
[00:27:0938] [CHECK] ProcessResidue
[00:27:0938] [CHECK] Not found!
[00:27:0953] [Check DLLs] ieframe.dll : C:\WINDOWS\system32\ieframe.dll
[00:27:0969] [CHECK] WhiteDLL
[00:27:0969] [CHECK] Whitelist
[00:27:0985] [CHECK] WellKnown
[00:27:0985] [CHECK] WhitelistPath
[00:28:0000] [CHECK] HijackName
[00:28:0016] [CHECK] Signature
[00:28:0781] [CHECK] Blacklist
[00:28:0797] [CHECK] BlacklistPath
[00:28:0797] [CHECK] BlacklistMD5
[00:28:0813] [CHECK] MadeNumbers
[00:28:0813] [CHECK] HasUnicode
[00:28:0828] [CHECK] SuspPath
[00:28:0828] [CHECK] ProcessResidue
[00:28:0844] [CHECK] Not found!
[00:28:0860] [Check DLLs] WINSTA.dll : C:\WINDOWS\system32\WINSTA.dll
[00:28:0860] [CHECK] WhiteDLL
[00:28:0875] [CHECK] Whitelist
[00:28:0875] [CHECK] WellKnown
[00:28:0891] [CHECK] WhitelistPath
[00:28:0906] [CHECK] HijackName
[00:28:0906] [CHECK] Signature
[00:28:0953] [PE] Mapping
[00:28:0953] [PE] Parsing
[00:28:0969] [PE] Dos header -> 0x1d60000
[00:28:0969] [PE] Nt header (offset : 0xe8) file size 0xd200
[00:28:0985] [PE] pNtHeadersx86 -> 0x1d600e8
[00:29:0000] [PE] Chars -> 0x210e
[00:29:0000] [PE] Optional header
[00:29:0016] [PE] Sections : 4
[00:29:0016] [PE] Section : 0 - .text
[00:29:0031] [PE] Section : 1 - .data
[00:29:0031] [PE] Section : 2 - .rsrc
[00:29:0047] [PE] Section : 3 - .reloc
[00:29:0063] [PE] File open : 1
[00:29:0063] [PE] Search sigs
[00:29:0078] [PE] Section[0/3] : 0x1d60400
[00:29:0078] [PE] Init AhoCorasick
[00:29:0094] [PE] Start AhoCorasick [0x1d60400 - 48640]
[00:29:0110] [PE] Looking results : 0
[00:29:0110] [PE] Section[1/3] : 0x1d6c200
[00:29:0125] [PE] Init AhoCorasick
[00:29:0125] [PE] Start AhoCorasick [0x1d6c200 - 512]
[00:29:0141] [PE] Looking results : 0
[00:29:0141] [PE] Section[2/3] : 0x1d6c400
[00:29:0156] [PE] Init AhoCorasick
[00:29:0172] [PE] Start AhoCorasick [0x1d6c400 - 1024]
[00:29:0172] [PE] Looking results : 0
[00:29:0188] [PE] Section[3/3] : 0x1d6c800
[00:29:0188] [PE] Init AhoCorasick
[00:29:0203] [PE] Start AhoCorasick [0x1d6c800 - 2560]
[00:29:0203] [PE] Looking results : 0
[00:29:0219] [CHECK] Blacklist
[00:29:0235] [CHECK] BlacklistPath
[00:29:0235] [CHECK] BlacklistMD5
[00:29:0250] [CHECK] MadeNumbers
[00:29:0250] [CHECK] HasUnicode
[00:29:0266] [CHECK] SuspPath
[00:29:0281] [CHECK] ProcessResidue
[00:29:0281] [CHECK] Not found!
[00:29:0297] [Check DLLs] NETSHELL.dll : C:\WINDOWS\system32\NETSHELL.dll
[00:29:0297] [CHECK] WhiteDLL
[00:29:0313] [CHECK] Whitelist
[00:29:0328] [CHECK] WellKnown
[00:29:0328] [CHECK] WhitelistPath
[00:29:0344] [CHECK] HijackName
[00:29:0344] [CHECK] Signature
[00:29:0422] [PE] Mapping
[00:29:0438] [PE] Parsing
[00:29:0453] [PE] Dos header -> 0x2260000
[00:29:0453] [PE] Nt header (offset : 0xf0) file size 0x1a0000
[00:29:0469] [PE] pNtHeadersx86 -> 0x22600f0
[00:29:0469] [PE] Chars -> 0x210e
[00:29:0485] [PE] Optional header
[00:29:0500] [PE] Sections : 5
[00:29:0500] [PE] Section : 0 - .text
[00:29:0516] [PE] Section : 1 - .orpc
[00:29:0531] [PE] Section : 2 - .data
[00:29:0547] [PE] Section : 3 - .rsrc
[00:29:0563] [PE] Section : 4 - .reloc
[00:29:0578] [PE] File open : 1
[00:29:0578] [PE] Search sigs
[00:29:0594] [PE] Section[0/4] : 0x2260600
[00:29:0594] [PE] Init AhoCorasick
[00:29:0610] [PE] Start AhoCorasick [0x2260600 - 467456]
[00:29:0625] [PE] Looking results : 0
[00:29:0641] [PE] Section[1/4] : 0x22d2800
[00:29:0641] [PE] Init AhoCorasick
[00:29:0656] [PE] Start AhoCorasick [0x22d2800 - 512]
[00:29:0672] [PE] Looking results : 0
[00:29:0672] [PE] Section[2/4] : 0x22d2a00
[00:29:0688] [PE] Init AhoCorasick
[00:29:0688] [PE] Start AhoCorasick [0x22d2a00 - 8704]
[00:29:0703] [PE] Looking results : 0
[00:29:0703] [PE] Section[3/4] : 0x22d4c00
[00:29:0719] [PE] Init AhoCorasick
[00:29:0735] [PE] Start AhoCorasick [0x22d4c00 - 1203712]
[00:29:0750] [PE] Looking results : 0
[00:29:0813] [PE] Section[4/4] : 0x23faa00
[00:29:0813] [PE] Init AhoCorasick
[00:29:0828] [PE] Start AhoCorasick [0x23faa00 - 22016]
[00:29:0828] [PE] Looking results : 0
[00:29:0844] [CHECK] Blacklist
[00:29:0875] [CHECK] BlacklistPath
[00:29:0891] [CHECK] BlacklistMD5
[00:29:0891] [CHECK] MadeNumbers
[00:29:0906] [CHECK] HasUnicode
[00:29:0922] [CHECK] SuspPath
[00:29:0922] [CHECK] ProcessResidue
[00:29:0938] [CHECK] Not found!
[00:29:0953] [Check DLLs] credui.dll : C:\WINDOWS\system32\credui.dll
[00:29:0953] [CHECK] WhiteDLL
[00:29:0969] [CHECK] Whitelist
[00:29:0969] [CHECK] WellKnown
[00:29:0985] [CHECK] WhitelistPath
[00:30:0000] [CHECK] HijackName
[00:30:0000] [CHECK] Signature
[00:30:0094] [PE] Mapping
[00:30:0110] [PE] Parsing
[00:30:0110] [PE] Dos header -> 0x1d60000
[00:30:0125] [PE] Nt header (offset : 0xe0) file size 0x28000
[00:30:0125] [PE] pNtHeadersx86 -> 0x1d600e0
[00:30:0141] [PE] Chars -> 0x210e
[00:30:0156] [PE] Optional header
[00:30:0156] [PE] Sections : 4
[00:30:0172] [PE] Section : 0 - .text
[00:30:0172] [PE] Section : 1 - .data
[00:30:0188] [PE] Section : 2 - .rsrc
[00:30:0203] [PE] Section : 3 - .reloc
[00:30:0203] [PE] File open : 1
[00:30:0219] [PE] Search sigs
[00:30:0219] [PE] Section[0/3] : 0x1d60400
[00:30:0235] [PE] Init AhoCorasick
[00:30:0235] [PE] Start AhoCorasick [0x1d60400 - 58880]
[00:30:0250] [PE] Looking results : 0
[00:30:0266] [PE] Section[1/3] : 0x1d6ea00
[00:30:0266] [PE] Init AhoCorasick
[00:30:0281] [PE] Start AhoCorasick [0x1d6ea00 - 1536]
[00:30:0281] [PE] Looking results : 0
[00:30:0297] [PE] Section[2/3] : 0x1d6f000
[00:30:0313] [PE] Init AhoCorasick
[00:30:0313] [PE] Start AhoCorasick [0x1d6f000 - 97280]
[00:30:0328] [PE] Looking results : 0
[00:30:0328] [PE] Section[3/3] : 0x1d86c00
[00:30:0344] [PE] Init AhoCorasick
[00:30:0360] [PE] Start AhoCorasick [0x1d86c00 - 5120]
[00:30:0360] [PE] Looking results : 0
[00:30:0375] [CHECK] Blacklist
[00:30:0375] [CHECK] BlacklistPath
[00:30:0391] [CHECK] BlacklistMD5
[00:30:0406] [CHECK] MadeNumbers
[00:30:0406] [CHECK] HasUnicode
[00:30:0422] [CHECK] SuspPath
[00:30:0422] [CHECK] ProcessResidue
[00:30:0438] [CHECK] Not found!
[00:30:0453] [Check DLLs] dot3api.dll : C:\WINDOWS\system32\dot3api.dll
[00:30:0453] [CHECK] WhiteDLL
[00:30:0469] [CHECK] Whitelist
[00:30:0469] [CHECK] WellKnown
[00:30:0485] [CHECK] WhitelistPath
[00:30:0500] [CHECK] HijackName
[00:30:0500] [CHECK] Signature
[00:30:0531] [PE] Mapping
[00:30:0547] [PE] Parsing
[00:30:0563] [PE] Dos header -> 0x1d60000
[00:30:0563] [PE] Nt header (offset : 0xe8) file size 0x6600
[00:30:0578] [PE] pNtHeadersx86 -> 0x1d600e8
[00:30:0594] [PE] Chars -> 0x210e
[00:30:0594] [PE] Optional header
[00:30:0610] [PE] Sections : 4
[00:30:0610] [PE] Section : 0 - .text
[00:30:0625] [PE] Section : 1 - .data
[00:30:0625] [PE] Section : 2 - .rsrc
[00:30:0641] [PE] Section : 3 - .reloc
[00:30:0656] [PE] File open : 1
[00:30:0656] [PE] Search sigs
[00:30:0672] [PE] Section[0/3] : 0x1d60400
[00:30:0672] [PE] Init AhoCorasick
[00:30:0688] [PE] Start AhoCorasick [0x1d60400 - 20992]
[00:30:0703] [PE] Looking results : 0
[00:30:0703] [PE] Section[1/3] : 0x1d65600
[00:30:0719] [PE] Init AhoCorasick
[00:30:0719] [PE] Start AhoCorasick [0x1d65600 - 512]
[00:30:0735] [PE] Looking results : 0
[00:30:0735] [PE] Section[2/3] : 0x1d65800
[00:30:0750] [PE] Init AhoCorasick
[00:30:0781] [PE] Start AhoCorasick [0x1d65800 - 2048]
[00:30:0797] [PE] Looking results : 0
[00:30:0797] [PE] Section[3/3] : 0x1d66000
[00:30:0813] [PE] Init AhoCorasick
[00:30:0813] [PE] Start AhoCorasick [0x1d66000 - 1536]
[00:30:0828] [PE] Looking results : 0
[00:30:0844] [CHECK] Blacklist
[00:30:0844] [CHECK] BlacklistPath
[00:30:0860] [CHECK] BlacklistMD5
[00:30:0860] [CHECK] MadeNumbers
[00:30:0875] [CHECK] HasUnicode
[00:30:0891] [CHECK] SuspPath
[00:30:0891] [CHECK] ProcessResidue
[00:30:0906] [CHECK] Not found!
[00:30:0906] [Check DLLs] rtutils.dll : C:\WINDOWS\system32\rtutils.dll
[00:30:0922] [CHECK] WhiteDLL
[00:30:0938] [CHECK] Whitelist
[00:30:0938] [CHECK] WellKnown
[00:30:0953] [CHECK] WhitelistPath
[00:30:0953] [CHECK] HijackName
[00:30:0969] [CHECK] Signature
[00:31:0000] [PE] Mapping
[00:31:0016] [PE] Parsing
[00:31:0016] [PE] Dos header -> 0x1d60000
[00:31:0031] [PE] Nt header (offset : 0xd8) file size 0xac00
[00:31:0047] [PE] pNtHeadersx86 -> 0x1d600d8
[00:31:0047] [PE] Chars -> 0x210e
[00:31:0063] [PE] Optional header
[00:31:0063] [PE] Sections : 4
[00:31:0078] [PE] Section : 0 - .text
[00:31:0094] [PE] Section : 1 - .data
[00:31:0094] [PE] Section : 2 - .rsrc
[00:31:0110] [PE] Section : 3 - .reloc
[00:31:0110] [PE] File open : 1
[00:31:0125] [PE] Search sigs
[00:31:0125] [PE] Section[0/3] : 0x1d60400
[00:31:0141] [PE] Init AhoCorasick
[00:31:0156] [PE] Start AhoCorasick [0x1d60400 - 38912]
[00:31:0156] [PE] Looking results : 0
[00:31:0172] [PE] Section[1/3] : 0x1d69c00
[00:31:0172] [PE] Init AhoCorasick
[00:31:0188] [PE] Start AhoCorasick [0x1d69c00 - 512]
[00:31:0203] [PE] Looking results : 0
[00:31:0203] [PE] Section[2/3] : 0x1d69e00
[00:31:0219] [PE] Init AhoCorasick
[00:31:0219] [PE] Start AhoCorasick [0x1d69e00 - 1024]
[00:31:0235] [PE] Looking results : 0
[00:31:0250] [PE] Section[3/3] : 0x1d6a200
[00:31:0250] [PE] Init AhoCorasick
[00:31:0266] [PE] Start AhoCorasick [0x1d6a200 - 2560]
[00:31:0266] [PE] Looking results : 0
[00:31:0281] [CHECK] Blacklist
[00:31:0297] [CHECK] BlacklistPath
[00:31:0297] [CHECK] BlacklistMD5
[00:31:0313] [CHECK] MadeNumbers
[00:31:0313] [CHECK] HasUnicode
[00:31:0328] [CHECK] SuspPath
[00:31:0344] [CHECK] ProcessResidue
[00:31:0344] [CHECK] Not found!
[00:31:0360] [Check DLLs] dot3dlg.dll : C:\WINDOWS\system32\dot3dlg.dll
[00:31:0360] [CHECK] WhiteDLL
[00:31:0375] [CHECK] Whitelist
[00:31:0391] [CHECK] WellKnown
[00:31:0391] [CHECK] WhitelistPath
[00:31:0406] [CHECK] HijackName
[00:31:0406] [CHECK] Signature
[00:31:0438] [PE] Mapping
[00:31:0438] [PE] Parsing
[00:31:0453] [PE] Dos header -> 0x1d60000
[00:31:0453] [PE] Nt header (offset : 0xe0) file size 0x2400
[00:31:0469] [PE] pNtHeadersx86 -> 0x1d600e0
[00:31:0469] [PE] Chars -> 0x210e
[00:31:0485] [PE] Optional header
[00:31:0500] [PE] Sections : 4
[00:31:0500] [PE] Section : 0 - .text
[00:31:0516] [PE] Section : 1 - .data
[00:31:0516] [PE] Section : 2 - .rsrc
[00:31:0531] [PE] Section : 3 - .reloc
[00:31:0547] [PE] File open : 1
[00:31:0547] [PE] Search sigs
[00:31:0563] [PE] Section[0/3] : 0x1d60400
[00:31:0563] [PE] Init AhoCorasick
[00:31:0578] [PE] Start AhoCorasick [0x1d60400 - 5632]
[00:31:0594] [PE] Looking results : 0
[00:31:0594] [PE] Section[1/3] : 0x1d61a00
[00:31:0610] [PE] Init AhoCorasick
[00:31:0610] [PE] Start AhoCorasick [0x1d61a00 - 512]
[00:31:0625] [PE] Looking results : 0
[00:31:0641] [PE] Section[2/3] : 0x1d61c00
[00:31:0641] [PE] Init AhoCorasick
[00:31:0656] [PE] Start AhoCorasick [0x1d61c00 - 1536]
[00:31:0656] [PE] Looking results : 0
[00:31:0672] [PE] Section[3/3] : 0x1d62200
[00:31:0688] [PE] Init AhoCorasick
[00:31:0688] [PE] Start AhoCorasick [0x1d62200 - 512]
[00:31:0703] [PE] Looking results : 0
[00:31:0703] [CHECK] Blacklist
[00:31:0719] [CHECK] BlacklistPath
[00:31:0735] [CHECK] BlacklistMD5
[00:31:0735] [CHECK] MadeNumbers
[00:31:0750] [CHECK] HasUnicode
[00:31:0797] [CHECK] SuspPath
[00:31:0813] [CHECK] ProcessResidue
[00:31:0813] [CHECK] Not found!
[00:31:0828] [Check DLLs] OneX.DLL : C:\WINDOWS\system32\OneX.DLL
[00:31:0844] [CHECK] WhiteDLL
[00:31:0844] [CHECK] Whitelist
[00:31:0860] [CHECK] WellKnown
[00:31:0860] [CHECK] WhitelistPath
[00:31:0875] [CHECK] HijackName
[00:31:0891] [CHECK] Signature
[00:31:0922] [PE] Mapping
[00:31:0938] [PE] Parsing
[00:31:0938] [PE] Dos header -> 0x2260000
[00:31:0953] [PE] Nt header (offset : 0xe0) file size 0x23400
[00:31:0953] [PE] pNtHeadersx86 -> 0x22600e0
[00:31:0969] [PE] Chars -> 0x210e
[00:31:0985] [PE] Optional header
[00:31:0985] [PE] Sections : 4
[00:32:0000] [PE] Section : 0 - .text
[00:32:0000] [PE] Section : 1 - .data
[00:32:0016] [PE] Section : 2 - .rsrc
[00:32:0016] [PE] Section : 3 - .reloc
[00:32:0031] [PE] File open : 1
[00:32:0047] [PE] Search sigs
[00:32:0047] [PE] Section[0/3] : 0x2260400
[00:32:0063] [PE] Init AhoCorasick
[00:32:0063] [PE] Start AhoCorasick [0x2260400 - 110592]
[00:32:0078] [PE] Looking results : 0
[00:32:0094] [PE] Section[1/3] : 0x227b400
[00:32:0094] [PE] Init AhoCorasick
[00:32:0110] [PE] Start AhoCorasick [0x227b400 - 1024]
[00:32:0110] [PE] Looking results : 0
[00:32:0125] [PE] Section[2/3] : 0x227b800
[00:32:0141] [PE] Init AhoCorasick
[00:32:0141] [PE] Start AhoCorasick [0x227b800 - 27136]
[00:32:0156] [PE] Looking results : 0
[00:32:0156] [PE] Section[3/3] : 0x2282200
[00:32:0172] [PE] Init AhoCorasick
[00:32:0172] [PE] Start AhoCorasick [0x2282200 - 4608]
[00:32:0188] [PE] Looking results : 0
[00:32:0203] [CHECK] Blacklist
[00:32:0203] [CHECK] BlacklistPath
[00:32:0219] [CHECK] BlacklistMD5
[00:32:0219] [CHECK] MadeNumbers
[00:32:0235] [CHECK] HasUnicode
[00:32:0235] [CHECK] SuspPath
[00:32:0250] [CHECK] ProcessResidue
[00:32:0266] [CHECK] Not found!
[00:32:0266] [Check DLLs] WTSAPI32.dll : C:\WINDOWS\system32\WTSAPI32.dll
[00:32:0281] [CHECK] WhiteDLL
[00:32:0297] [CHECK] Whitelist
[00:32:0297] [CHECK] WellKnown
[00:32:0313] [CHECK] WhitelistPath
[00:32:0313] [CHECK] HijackName
[00:32:0328] [CHECK] Signature
[00:32:0344] [PE] Mapping
[00:32:0344] [PE] Parsing
[00:32:0360] [PE] Dos header -> 0x2260000
[00:32:0375] [PE] Nt header (offset : 0xe8) file size 0x4800
[00:32:0375] [PE] pNtHeadersx86 -> 0x22600e8
[00:32:0391] [PE] Chars -> 0x210e
[00:32:0391] [PE] Optional header
[00:32:0406] [PE] Sections : 4
[00:32:0406] [PE] Section : 0 - .text
[00:32:0422] [PE] Section : 1 - .data
[00:32:0438] [PE] Section : 2 - .rsrc
[00:32:0438] [PE] Section : 3 - .reloc
[00:32:0453] [PE] File open : 1
[00:32:0469] [PE] Search sigs
[00:32:0469] [PE] Section[0/3] : 0x2260400
[00:32:0485] [PE] Init AhoCorasick
[00:32:0485] [PE] Start AhoCorasick [0x2260400 - 14336]
[00:32:0500] [PE] Looking results : 0
[00:32:0516] [PE] Section[1/3] : 0x2263c00
[00:32:0516] [PE] Init AhoCorasick
[00:32:0531] [PE] Start AhoCorasick [0x2263c00 - 512]
[00:32:0531] [PE] Looking results : 0
[00:32:0547] [PE] Section[2/3] : 0x2263e00
[00:32:0563] [PE] Init AhoCorasick
[00:32:0563] [PE] Start AhoCorasick [0x2263e00 - 1536]
[00:32:0578] [PE] Looking results : 0
[00:32:0578] [PE] Section[3/3] : 0x2264400
[00:32:0594] [PE] Init AhoCorasick
[00:32:0610] [PE] Start AhoCorasick [0x2264400 - 1024]
[00:32:0610] [PE] Looking results : 0
[00:32:0625] [CHECK] Blacklist
[00:32:0625] [CHECK] BlacklistPath
[00:32:0641] [CHECK] BlacklistMD5
[00:32:0656] [CHECK] MadeNumbers
[00:32:0656] [CHECK] HasUnicode
[00:32:0672] [CHECK] SuspPath
[00:32:0672] [CHECK] ProcessResidue
[00:32:0688] [CHECK] Not found!
[00:32:0703] [Check DLLs] eappcfg.dll : C:\WINDOWS\system32\eappcfg.dll
[00:32:0703] [CHECK] WhiteDLL
[00:32:0719] [CHECK] Whitelist
[00:32:0719] [CHECK] WellKnown
[00:32:0735] [CHECK] WhitelistPath
[00:32:0735] [CHECK] HijackName
[00:32:0750] [CHECK] Signature
[00:32:0860] [PE] Mapping
[00:32:0891] [PE] Parsing
[00:32:0906] [PE] Dos header -> 0x2260000
[00:32:0922] [PE] Nt header (offset : 0xe8) file size 0x1f000
[00:32:0922] [PE] pNtHeadersx86 -> 0x22600e8
[00:32:0938] [PE] Chars -> 0x210e
[00:32:0953] [PE] Optional header
[00:32:0953] [PE] Sections : 4
[00:32:0969] [PE] Section : 0 - .text
[00:32:0969] [PE] Section : 1 - .data
[00:32:0985] [PE] Section : 2 - .rsrc
[00:32:0985] [PE] Section : 3 - .reloc
[00:33:0000] [PE] File open : 1
[00:33:0016] [PE] Search sigs
[00:33:0016] [PE] Section[0/3] : 0x2260400
[00:33:0031] [PE] Init AhoCorasick
[00:33:0031] [PE] Start AhoCorasick [0x2260400 - 110592]
[00:33:0047] [PE] Looking results : 0
[00:33:0063] [PE] Section[1/3] : 0x227b400
[00:33:0063] [PE] Init AhoCorasick
[00:33:0078] [PE] Start AhoCorasick [0x227b400 - 3584]
[00:33:0078] [PE] Looking results : 0
[00:33:0094] [PE] Section[2/3] : 0x227c200
[00:33:0110] [PE] Init AhoCorasick
[00:33:0110] [PE] Start AhoCorasick [0x227c200 - 1536]
[00:33:0125] [PE] Looking results : 0
[00:33:0125] [PE] Section[3/3] : 0x227c800
[00:33:0141] [PE] Init AhoCorasick
[00:33:0156] [PE] Start AhoCorasick [0x227c800 - 10240]
[00:33:0156] [PE] Looking results : 0
[00:33:0172] [CHECK] Blacklist
[00:33:0172] [CHECK] BlacklistPath
[00:33:0188] [CHECK] BlacklistMD5
[00:33:0203] [CHECK] MadeNumbers
[00:33:0203] [CHECK] HasUnicode
[00:33:0219] [CHECK] SuspPath
[00:33:0219] [CHECK] ProcessResidue
[00:33:0235] [CHECK] Not found!
[00:33:0250] [Check DLLs] MSVCP60.dll : C:\WINDOWS\system32\MSVCP60.dll
[00:33:0250] [CHECK] WhiteDLL
[00:33:0266] [Check DLLs] eappprxy.dll : C:\WINDOWS\system32\eappprxy.dll
[00:33:0266] [CHECK] WhiteDLL
[00:33:0281] [CHECK] Whitelist
[00:33:0297] [CHECK] WellKnown
[00:33:0297] [CHECK] WhitelistPath
[00:33:0313] [CHECK] HijackName
[00:33:0313] [CHECK] Signature
[00:33:0360] [PE] Mapping
[00:33:0375] [PE] Parsing
[00:33:0375] [PE] Dos header -> 0x2260000
[00:33:0391] [PE] Nt header (offset : 0xf8) file size 0xa000
[00:33:0391] [PE] pNtHeadersx86 -> 0x22600f8
[00:33:0406] [PE] Chars -> 0x210e
[00:33:0406] [PE] Optional header
[00:33:0422] [PE] Sections : 4
[00:33:0438] [PE] Section : 0 - .text
[00:33:0438] [PE] Section : 1 - .data
[00:33:0453] [PE] Section : 2 - .rsrc
[00:33:0453] [PE] Section : 3 - .reloc
[00:33:0469] [PE] File open : 1
[00:33:0485] [PE] Search sigs
[00:33:0485] [PE] Section[0/3] : 0x2260400
[00:33:0500] [PE] Init AhoCorasick
[00:33:0500] [PE] Start AhoCorasick [0x2260400 - 30208]
[00:33:0516] [PE] Looking results : 0
[00:33:0531] [PE] Section[1/3] : 0x2267a00
[00:33:0531] [PE] Init AhoCorasick
[00:33:0547] [PE] Start AhoCorasick [0x2267a00 - 3072]
[00:33:0563] [PE] Looking results : 0
[00:33:0563] [PE] Section[2/3] : 0x2268600
[00:33:0578] [PE] Init AhoCorasick
[00:33:0578] [PE] Start AhoCorasick [0x2268600 - 1536]
[00:33:0594] [PE] Looking results : 0
[00:33:0610] [PE] Section[3/3] : 0x2268c00
[00:33:0610] [PE] Init AhoCorasick
[00:33:0625] [PE] Start AhoCorasick [0x2268c00 - 5120]
[00:33:0625] [PE] Looking results : 0
[00:33:0641] [CHECK] Blacklist
[00:33:0656] [CHECK] BlacklistPath
[00:33:0656] [CHECK] BlacklistMD5
[00:33:0672] [CHECK] MadeNumbers
[00:33:0672] [CHECK] HasUnicode
[00:33:0688] [CHECK] SuspPath
[00:33:0703] [CHECK] ProcessResidue
[00:33:0703] [CHECK] Not found!
[00:33:0719] [Check DLLs] iphlpapi.dll : C:\WINDOWS\system32\iphlpapi.dll
[00:33:0735] [CHECK] WhiteDLL
[00:33:0735] [CHECK] Whitelist
[00:33:0750] [CHECK] WellKnown
[00:33:0750] [CHECK] WhitelistPath
[00:33:0797] [CHECK] HijackName
[00:33:0813] [CHECK] Signature
[00:33:0875] [PE] Mapping
[00:33:0875] [PE] Parsing
[00:33:0891] [PE] Dos header -> 0x2260000
[00:33:0906] [PE] Nt header (offset : 0xe0) file size 0x17200
[00:33:0906] [PE] pNtHeadersx86 -> 0x22600e0
[00:33:0922] [PE] Chars -> 0x210e
[00:33:0922] [PE] Optional header
[00:33:0938] [PE] Sections : 4
[00:33:0953] [PE] Section : 0 - .text
[00:33:0953] [PE] Section : 1 - .data
[00:33:0969] [PE] Section : 2 - .rsrc
[00:33:0969] [PE] Section : 3 - .reloc
[00:33:0985] [PE] File open : 1
[00:34:0000] [PE] Search sigs
[00:34:0000] [PE] Section[0/3] : 0x2260400
[00:34:0016] [PE] Init AhoCorasick
[00:34:0016] [PE] Start AhoCorasick [0x2260400 - 77312]
[00:34:0031] [PE] Looking results : 0
[00:34:0047] [PE] Section[1/3] : 0x2273200
[00:34:0047] [PE] Init AhoCorasick
[00:34:0063] [PE] Start AhoCorasick [0x2273200 - 4096]
[00:34:0063] [PE] Looking results : 0
[00:34:0078] [PE] Section[2/3] : 0x2274200
[00:34:0094] [PE] Init AhoCorasick
[00:34:0094] [PE] Start AhoCorasick [0x2274200 - 8704]
[00:34:0110] [PE] Looking results : 0
[00:34:0110] [PE] Section[3/3] : 0x2276400
[00:34:0125] [PE] Init AhoCorasick
[00:34:0141] [PE] Start AhoCorasick [0x2276400 - 3584]
[00:34:0141] [PE] Looking results : 0
[00:34:0156] [CHECK] Blacklist
[00:34:0156] [CHECK] BlacklistPath
[00:34:0172] [CHECK] BlacklistMD5
[00:34:0188] [CHECK] MadeNumbers
[00:34:0188] [CHECK] HasUnicode
[00:34:0203] [CHECK] SuspPath
[00:34:0203] [CHECK] ProcessResidue
[00:34:0219] [CHECK] Not found!
[00:34:0235] [Check DLLs] WS2_32.dll : C:\WINDOWS\system32\WS2_32.dll
[00:34:0235] [CHECK] WhiteDLL
[00:34:0250] [CHECK] Whitelist
[00:34:0266] [CHECK] WellKnown
[00:34:0266] [CHECK] WhitelistPath
[00:34:0281] [CHECK] HijackName
[00:34:0281] [CHECK] Signature
[00:34:0328] [PE] Mapping
[00:34:0328] [PE] Parsing
[00:34:0344] [PE] Dos header -> 0x2260000
[00:34:0360] [PE] Nt header (offset : 0xf0) file size 0x14200
[00:34:0360] [PE] pNtHeadersx86 -> 0x22600f0
[00:34:0375] [PE] Chars -> 0x210e
[00:34:0375] [PE] Optional header
[00:34:0391] [PE] Sections : 4
[00:34:0406] [PE] Section : 0 - .text
[00:34:0406] [PE] Section : 1 - .data
[00:34:0422] [PE] Section : 2 - .rsrc
[00:34:0422] [PE] Section : 3 - .reloc
[00:34:0438] [PE] File open : 1
[00:34:0453] [PE] Search sigs
[00:34:0453] [PE] Section[0/3] : 0x2260400
[00:34:0469] [PE] Init AhoCorasick
[00:34:0469] [PE] Start AhoCorasick [0x2260400 - 74240]
[00:34:0485] [PE] Looking results : 0
[00:34:0500] [PE] Section[1/3] : 0x2272600
[00:34:0500] [PE] Init AhoCorasick
[00:34:0516] [PE] Start AhoCorasick [0x2272600 - 2560]
[00:34:0516] [PE] Looking results : 0
[00:34:0531] [PE] Section[2/3] : 0x2273000
[00:34:0547] [PE] Init AhoCorasick
[00:34:0547] [PE] Start AhoCorasick [0x2273000 - 1024]
[00:34:0563] [PE] Looking results : 0
[00:34:0563] [PE] Section[3/3] : 0x2273400
[00:34:0578] [PE] Init AhoCorasick
[00:34:0594] [PE] Start AhoCorasick [0x2273400 - 3584]
[00:34:0610] [PE] Looking results : 0
[00:34:0610] [CHECK] Blacklist
[00:34:0625] [CHECK] BlacklistPath
[00:34:0641] [CHECK] BlacklistMD5
[00:34:0656] [CHECK] MadeNumbers
[00:34:0656] [CHECK] HasUnicode
[00:34:0672] [CHECK] SuspPath
[00:34:0672] [CHECK] ProcessResidue
[00:34:0688] [CHECK] Not found!
[00:34:0703] [Check DLLs] WS2HELP.dll : C:\WINDOWS\system32\WS2HELP.dll
[00:34:0703] [CHECK] WhiteDLL
[00:34:0719] [CHECK] Whitelist
[00:34:0735] [CHECK] WellKnown
[00:34:0735] [CHECK] WhitelistPath
[00:34:0750] [CHECK] HijackName
[00:34:0750] [CHECK] Signature
[00:34:0875] [PE] Mapping
[00:34:0891] [PE] Parsing
[00:34:0891] [PE] Dos header -> 0x2260000
[00:34:0906] [PE] Nt header (offset : 0xd8) file size 0x4e00
[00:34:0922] [PE] pNtHeadersx86 -> 0x22600d8
[00:34:0922] [PE] Chars -> 0x210e
[00:34:0938] [PE] Optional header
[00:34:0938] [PE] Sections : 4
[00:34:0953] [PE] Section : 0 - .text
[00:34:0969] [PE] Section : 1 - .data
[00:34:0969] [PE] Section : 2 - .rsrc
[00:34:0985] [PE] Section : 3 - .reloc
[00:34:0985] [PE] File open : 1
[00:35:0000] [PE] Search sigs
[00:35:0000] [PE] Section[0/3] : 0x2260400
[00:35:0016] [PE] Init AhoCorasick
[00:35:0031] [PE] Start AhoCorasick [0x2260400 - 15872]
[00:35:0031] [PE] Looking results : 0
[00:35:0047] [PE] Section[1/3] : 0x2264200
[00:35:0063] [PE] Init AhoCorasick
[00:35:0063] [PE] Start AhoCorasick [0x2264200 - 512]
[00:35:0078] [PE] Looking results : 0
[00:35:0078] [PE] Section[2/3] : 0x2264400
[00:35:0094] [PE] Init AhoCorasick
[00:35:0110] [PE] Start AhoCorasick [0x2264400 - 1536]
[00:35:0110] [PE] Looking results : 0
[00:35:0125] [PE] Section[3/3] : 0x2264a00
[00:35:0125] [PE] Init AhoCorasick
[00:35:0141] [PE] Start AhoCorasick [0x2264a00 - 1024]
[00:35:0156] [PE] Looking results : 0
[00:35:0156] [CHECK] Blacklist
[00:35:0172] [CHECK] BlacklistPath
[00:35:0172] [CHECK] BlacklistMD5
[00:35:0188] [CHECK] MadeNumbers
[00:35:0203] [CHECK] HasUnicode
[00:35:0203] [CHECK] SuspPath
[00:35:0219] [CHECK] ProcessResidue
[00:35:0219] [CHECK] Not found!
[00:35:0235] [Check DLLs] webcheck.dll : C:\WINDOWS\system32\webcheck.dll
[00:35:0250] [CHECK] WhiteDLL
[00:35:0250] [CHECK] Whitelist
[00:35:0266] [CHECK] WellKnown
[00:35:0281] [CHECK] WhitelistPath
[00:35:0281] [CHECK] HijackName
[00:35:0297] [CHECK] Signature
[00:35:0344] [PE] Mapping
[00:35:0344] [PE] Parsing
[00:35:0360] [PE] Dos header -> 0x2260000
[00:35:0375] [PE] Nt header (offset : 0xf0) file size 0x39c00
[00:35:0375] [PE] pNtHeadersx86 -> 0x22600f0
[00:35:0391] [PE] Chars -> 0x2102
[00:35:0391] [PE] Optional header
[00:35:0406] [PE] Sections : 4
[00:35:0406] [PE] Section : 0 - .text
[00:35:0422] [PE] Section : 1 - .data
[00:35:0438] [PE] Section : 2 - .rsrc
[00:35:0438] [PE] Section : 3 - .reloc
[00:35:0453] [PE] File open : 1
[00:35:0453] [PE] Search sigs
[00:35:0469] [PE] Section[0/3] : 0x2260400
[00:35:0485] [PE] Init AhoCorasick
[00:35:0485] [PE] Start AhoCorasick [0x2260400 - 168960]
[00:35:0500] [PE] Looking results : 0
[00:35:0516] [PE] Section[1/3] : 0x2289800
[00:35:0516] [PE] Init AhoCorasick
[00:35:0531] [PE] Start AhoCorasick [0x2289800 - 2560]
[00:35:0531] [PE] Looking results : 0
[00:35:0547] [PE] Section[2/3] : 0x228a200
[00:35:0563] [PE] Init AhoCorasick
[00:35:0563] [PE] Start AhoCorasick [0x228a200 - 55296]
[00:35:0578] [PE] Looking results : 0
[00:35:0594] [PE] Section[3/3] : 0x2297a00
[00:35:0594] [PE] Init AhoCorasick
[00:35:0610] [PE] Start AhoCorasick [0x2297a00 - 8704]
[00:35:0610] [PE] Looking results : 0
[00:35:0625] [CHECK] Blacklist
[00:35:0641] [CHECK] BlacklistPath
[00:35:0641] [CHECK] BlacklistMD5
[00:35:0656] [CHECK] MadeNumbers
[00:35:0656] [CHECK] HasUnicode
[00:35:0672] [CHECK] SuspPath
[00:35:0688] [CHECK] ProcessResidue
[00:35:0688] [CHECK] Not found!
[00:35:0703] [Check DLLs] MLANG.dll : C:\WINDOWS\system32\MLANG.dll
[00:35:0719] [CHECK] WhiteDLL
[00:35:0719] [CHECK] Whitelist
[00:35:0735] [CHECK] WellKnown
[00:35:0735] [CHECK] WhitelistPath
[00:35:0750] [CHECK] HijackName
[00:35:0781] [CHECK] Signature
[00:35:0844] [PE] Mapping
[00:35:0844] [PE] Parsing
[00:35:0860] [PE] Dos header -> 0x2260000
[00:35:0860] [PE] Nt header (offset : 0xf0) file size 0x8f200
[00:35:0875] [PE] pNtHeadersx86 -> 0x22600f0
[00:35:0891] [PE] Chars -> 0x210e
[00:35:0891] [PE] Optional header
[00:35:0906] [PE] Sections : 4
[00:35:0906] [PE] Section : 0 - .text
[00:35:0922] [PE] Section : 1 - .data
[00:35:0922] [PE] Section : 2 - .rsrc
[00:35:0938] [PE] Section : 3 - .reloc
[00:35:0953] [PE] File open : 1
[00:35:0953] [PE] Search sigs
[00:35:0969] [PE] Section[0/3] : 0x2260400
[00:35:0985] [PE] Init AhoCorasick
[00:35:0985] [PE] Start AhoCorasick [0x2260400 - 135168]
[00:36:0000] [PE] Looking results : 0
[00:36:0000] [PE] Section[1/3] : 0x2281400
[00:36:0016] [PE] Init AhoCorasick
[00:36:0031] [PE] Start AhoCorasick [0x2281400 - 18432]
[00:36:0031] [PE] Looking results : 0
[00:36:0047] [PE] Section[2/3] : 0x2285c00
[00:36:0063] [PE] Init AhoCorasick
[00:36:0063] [PE] Start AhoCorasick [0x2285c00 - 423424]
[00:36:0078] [PE] Looking results : 0
[00:36:0094] [PE] Section[3/3] : 0x22ed200
[00:36:0094] [PE] Init AhoCorasick
[00:36:0110] [PE] Start AhoCorasick [0x22ed200 - 8192]
[00:36:0125] [PE] Looking results : 0
[00:36:0125] [CHECK] Blacklist
[00:36:0141] [CHECK] BlacklistPath
[00:36:0156] [CHECK] BlacklistMD5
[00:36:0156] [CHECK] MadeNumbers
[00:36:0172] [CHECK] HasUnicode
[00:36:0172] [CHECK] SuspPath
[00:36:0188] [CHECK] ProcessResidue
[00:36:0203] [CHECK] Not found!
[00:36:0203] [Check DLLs] stobject.dll : C:\WINDOWS\system32\stobject.dll
[00:36:0219] [CHECK] WhiteDLL
[00:36:0219] [CHECK] Whitelist
[00:36:0235] [CHECK] WellKnown
[00:36:0250] [CHECK] WhitelistPath
[00:36:0250] [CHECK] HijackName
[00:36:0266] [CHECK] Signature
[00:36:0297] [PE] Mapping
[00:36:0313] [PE] Parsing
[00:36:0328] [PE] Dos header -> 0x2260000
[00:36:0328] [PE] Nt header (offset : 0xe0) file size 0x1dc00
[00:36:0344] [PE] pNtHeadersx86 -> 0x22600e0
[00:36:0344] [PE] Chars -> 0x210e
[00:36:0360] [PE] Optional header
[00:36:0375] [PE] Sections : 4
[00:36:0375] [PE] Section : 0 - .text
[00:36:0391] [PE] Section : 1 - .data
[00:36:0391] [PE] Section : 2 - .rsrc
[00:36:0406] [PE] Section : 3 - .reloc
[00:36:0422] [PE] File open : 1
[00:36:0422] [PE] Search sigs
[00:36:0438] [PE] Section[0/3] : 0x2260400
[00:36:0453] [PE] Init AhoCorasick
[00:36:0453] [PE] Start AhoCorasick [0x2260400 - 31232]
[00:36:0469] [PE] Looking results : 0
[00:36:0469] [PE] Section[1/3] : 0x2267e00
[00:36:0485] [PE] Init AhoCorasick
[00:36:0500] [PE] Start AhoCorasick [0x2267e00 - 1024]
[00:36:0500] [PE] Looking results : 0
[00:36:0516] [PE] Section[2/3] : 0x2268200
[00:36:0516] [PE] Init AhoCorasick
[00:36:0531] [PE] Start AhoCorasick [0x2268200 - 86528]
[00:36:0547] [PE] Looking results : 0
[00:36:0547] [PE] Section[3/3] : 0x227d400
[00:36:0563] [PE] Init AhoCorasick
[00:36:0578] [PE] Start AhoCorasick [0x227d400 - 2048]
[00:36:0578] [PE] Looking results : 0
[00:36:0594] [CHECK] Blacklist
[00:36:0594] [CHECK] BlacklistPath
[00:36:0610] [CHECK] BlacklistMD5
[00:36:0625] [CHECK] MadeNumbers
[00:36:0625] [CHECK] HasUnicode
[00:36:0641] [CHECK] SuspPath
[00:36:0641] [CHECK] ProcessResidue
[00:36:0656] [CHECK] Not found!
[00:36:0672] [Check DLLs] BatMeter.dll : C:\WINDOWS\system32\BatMeter.dll
[00:36:0672] [CHECK] WhiteDLL
[00:36:0688] [CHECK] Whitelist
[00:36:0703] [CHECK] WellKnown
[00:36:0703] [CHECK] WhitelistPath
[00:36:0719] [CHECK] HijackName
[00:36:0735] [CHECK] Signature
[00:36:0735] [PE] Mapping
[00:36:0750] [PE] Parsing
[00:36:0766] [PE] Dos header -> 0x2260000
[00:36:0766] [PE] Nt header (offset : 0xe8) file size 0x7200
[00:36:0781] [PE] pNtHeadersx86 -> 0x22600e8
[00:36:0781] [PE] Chars -> 0x210e
[00:36:0797] [PE] Optional header
[00:36:0813] [PE] Sections : 4
[00:36:0813] [PE] Section : 0 - .text
[00:36:0828] [PE] Section : 1 - .data
[00:36:0844] [PE] Section : 2 - .rsrc
[00:36:0844] [PE] Section : 3 - .reloc
[00:36:0860] [PE] File open : 1
[00:36:0860] [PE] Search sigs
[00:36:0875] [PE] Section[0/3] : 0x2260400
[00:36:0891] [PE] Init AhoCorasick
[00:36:0891] [PE] Start AhoCorasick [0x2260400 - 14336]
[00:36:0906] [PE] Looking results : 0
[00:36:0906] [PE] Section[1/3] : 0x2263c00
[00:36:0922] [PE] Init AhoCorasick
[00:36:0938] [PE] Start AhoCorasick [0x2263c00 - 1024]
[00:36:0938] [PE] Looking results : 0
[00:36:0953] [PE] Section[2/3] : 0x2264000
[00:36:0969] [PE] Init AhoCorasick
[00:36:0969] [PE] Start AhoCorasick [0x2264000 - 11776]
[00:36:0985] [PE] Looking results : 0
[00:36:0985] [PE] Section[3/3] : 0x2266e00
[00:37:0000] [PE] Init AhoCorasick
[00:37:0016] [PE] Start AhoCorasick [0x2266e00 - 1024]
[00:37:0016] [PE] Looking results : 0
[00:37:0031] [CHECK] Blacklist
[00:37:0047] [CHECK] BlacklistPath
[00:37:0047] [CHECK] BlacklistMD5
[00:37:0063] [CHECK] MadeNumbers
[00:37:0063] [CHECK] HasUnicode
[00:37:0078] [CHECK] SuspPath
[00:37:0094] [CHECK] ProcessResidue
[00:37:0094] [CHECK] Not found!
[00:37:0110] [Check DLLs] POWRPROF.dll : C:\WINDOWS\system32\POWRPROF.dll
[00:37:0125] [CHECK] WhiteDLL
[00:37:0125] [CHECK] Whitelist
[00:37:0141] [CHECK] WellKnown
[00:37:0156] [CHECK] WhitelistPath
[00:37:0156] [CHECK] HijackName
[00:37:0172] [CHECK] Signature
[00:37:0188] [PE] Mapping
[00:37:0203] [PE] Parsing
[00:37:0203] [PE] Dos header -> 0x2260000
[00:37:0219] [PE] Nt header (offset : 0xd8) file size 0x4400
[00:37:0219] [PE] pNtHeadersx86 -> 0x22600d8
[00:37:0235] [PE] Chars -> 0x210e
[00:37:0250] [PE] Optional header
[00:37:0250] [PE] Sections : 4
[00:37:0266] [PE] Section : 0 - .text
[00:37:0266] [PE] Section : 1 - .data
[00:37:0281] [PE] Section : 2 - .rsrc
[00:37:0297] [PE] Section : 3 - .reloc
[00:37:0297] [PE] File open : 1
[00:37:0313] [PE] Search sigs
[00:37:0328] [PE] Section[0/3] : 0x2260400
[00:37:0328] [PE] Init AhoCorasick
[00:37:0344] [PE] Start AhoCorasick [0x2260400 - 13312]
[00:37:0344] [PE] Looking results : 0
[00:37:0360] [PE] Section[1/3] : 0x2263800
[00:37:0375] [PE] Init AhoCorasick
[00:37:0375] [PE] Start AhoCorasick [0x2263800 - 1024]
[00:37:0391] [PE] Looking results : 0
[00:37:0391] [PE] Section[2/3] : 0x2263c00
[00:37:0406] [PE] Init AhoCorasick
[00:37:0422] [PE] Start AhoCorasick [0x2263c00 - 1024]
[00:37:0422] [PE] Looking results : 0
[00:37:0438] [PE] Section[3/3] : 0x2264000
[00:37:0453] [PE] Init AhoCorasick
[00:37:0453] [PE] Start AhoCorasick [0x2264000 - 1024]
[00:37:0469] [PE] Looking results : 0
[00:37:0469] [CHECK] Blacklist
[00:37:0485] [CHECK] BlacklistPath
[00:37:0500] [CHECK] BlacklistMD5
[00:37:0500] [CHECK] MadeNumbers
[00:37:0516] [CHECK] HasUnicode
[00:37:0531] [CHECK] SuspPath
[00:37:0531] [CHECK] ProcessResidue
[00:37:0547] [CHECK] Not found!
[00:37:0563] [Check DLLs] WPDShServiceObj.dll : C:\WINDOWS\system32\WPDShServiceObj.dll
[00:37:0563] [CHECK] WhiteDLL
[00:37:0578] [CHECK] Whitelist
[00:37:0578] [CHECK] WellKnown
[00:37:0594] [CHECK] WhitelistPath
[00:37:0610] [CHECK] HijackName
[00:37:0610] [CHECK] Signature
[00:37:0641] [PE] Mapping
[00:37:0641] [PE] Parsing
[00:37:0656] [PE] Dos header -> 0x2260000
[00:37:0656] [PE] Nt header (offset : 0xe8) file size 0x20a00
[00:37:0672] [PE] pNtHeadersx86 -> 0x22600e8
[00:37:0688] [PE] Chars -> 0x2102
[00:37:0688] [PE] Optional header
[00:37:0703] [PE] Sections : 4
[00:37:0703] [PE] Section : 0 - .text
[00:37:0719] [PE] Section : 1 - .data
[00:37:0735] [PE] Section : 2 - .rsrc
[00:37:0735] [PE] Section : 3 - .reloc
[00:37:0750] [PE] File open : 1
[00:37:0828] [PE] Search sigs
[00:37:0828] [PE] Section[0/3] : 0x2260400
[00:37:0844] [PE] Init AhoCorasick
[00:37:0860] [PE] Start AhoCorasick [0x2260400 - 117248]
[00:37:0875] [PE] Looking results : 0
[00:37:0891] [PE] Section[1/3] : 0x227ce00
[00:37:0906] [PE] Init AhoCorasick
[00:37:0906] [PE] Start AhoCorasick [0x227ce00 - 1024]
[00:37:0922] [PE] Looking results : 0
[00:37:0922] [PE] Section[2/3] : 0x227d200
[00:37:0938] [PE] Init AhoCorasick
[00:37:0953] [PE] Start AhoCorasick [0x227d200 - 2048]
[00:37:0953] [PE] Looking results : 0
[00:37:0969] [PE] Section[3/3] : 0x227da00
[00:37:0969] [PE] Init AhoCorasick
[00:37:0985] [PE] Start AhoCorasick [0x227da00 - 12288]
[00:38:0000] [PE] Looking results : 0
[00:38:0000] [CHECK] Blacklist
[00:38:0016] [CHECK] BlacklistPath
[00:38:0031] [CHECK] BlacklistMD5
[00:38:0031] [CHECK] MadeNumbers
[00:38:0047] [CHECK] HasUnicode
[00:38:0047] [CHECK] SuspPath
[00:38:0063] [CHECK] ProcessResidue
[00:38:0078] [CHECK] Not found!
[00:38:0078] [Check DLLs] WINHTTP.dll : C:\WINDOWS\system32\WINHTTP.dll
[00:38:0094] [CHECK] WhiteDLL
[00:38:0110] [CHECK] Whitelist
[00:38:0110] [CHECK] WellKnown
[00:38:0125] [CHECK] WhitelistPath
[00:38:0141] [CHECK] HijackName
[00:38:0141] [CHECK] Signature
[00:38:0172] [PE] Mapping
[00:38:0188] [PE] Parsing
[00:38:0188] [PE] Dos header -> 0x2260000
[00:38:0203] [PE] Nt header (offset : 0xe8) file size 0x56a00
[00:38:0219] [PE] pNtHeadersx86 -> 0x22600e8
[00:38:0219] [PE] Chars -> 0x210e
[00:38:0235] [PE] Optional header
[00:38:0235] [PE] Sections : 4
[00:38:0250] [PE] Section : 0 - .text
[00:38:0266] [PE] Section : 1 - .data
[00:38:0266] [PE] Section : 2 - .rsrc
[00:38:0281] [PE] Section : 3 - .reloc
[00:38:0297] [PE] File open : 1
[00:38:0297] [PE] Search sigs
[00:38:0313] [PE] Section[0/3] : 0x2260400
[00:38:0313] [PE] Init AhoCorasick
[00:38:0328] [PE] Start AhoCorasick [0x2260400 - 318976]
[00:38:0344] [PE] Looking results : 0
[00:38:0360] [PE] Section[1/3] : 0x22ae200
[00:38:0360] [PE] Init AhoCorasick
[00:38:0375] [PE] Start AhoCorasick [0x22ae200 - 2048]
[00:38:0391] [PE] Looking results : 0
[00:38:0391] [PE] Section[2/3] : 0x22aea00
[00:38:0406] [PE] Init AhoCorasick
[00:38:0406] [PE] Start AhoCorasick [0x22aea00 - 18944]
[00:38:0422] [PE] Looking results : 0
[00:38:0438] [PE] Section[3/3] : 0x22b3400
[00:38:0438] [PE] Init AhoCorasick
[00:38:0453] [PE] Start AhoCorasick [0x22b3400 - 13824]
[00:38:0469] [PE] Looking results : 0
[00:38:0469] [CHECK] Blacklist
[00:38:0485] [CHECK] BlacklistPath
[00:38:0500] [CHECK] BlacklistMD5
[00:38:0500] [CHECK] MadeNumbers
[00:38:0516] [CHECK] HasUnicode
[00:38:0516] [CHECK] SuspPath
[00:38:0531] [CHECK] ProcessResidue
[00:38:0547] [CHECK] Not found!
[00:38:0547] [Check DLLs] mydocs.dll : C:\WINDOWS\system32\mydocs.dll
[00:38:0563] [CHECK] WhiteDLL
[00:38:0578] [CHECK] Whitelist
[00:38:0578] [CHECK] WellKnown
[00:38:0594] [CHECK] WhitelistPath
[00:38:0610] [CHECK] HijackName
[00:38:0610] [CHECK] Signature
[00:38:0625] [PE] Mapping
[00:38:0641] [PE] Parsing
[00:38:0656] [PE] Dos header -> 0x2260000
[00:38:0656] [PE] Nt header (offset : 0xe8) file size 0x16200
[00:38:0672] [PE] pNtHeadersx86 -> 0x22600e8
[00:38:0672] [PE] Chars -> 0x210e
[00:38:0688] [PE] Optional header
[00:38:0703] [PE] Sections : 4
[00:38:0703] [PE] Section : 0 - .text
[00:38:0719] [PE] Section : 1 - .data
[00:38:0719] [PE] Section : 2 - .rsrc
[00:38:0735] [PE] Section : 3 - .reloc
[00:38:0750] [PE] File open : 1
[00:38:0750] [PE] Search sigs
[00:38:0828] [PE] Section[0/3] : 0x2260400
[00:38:0828] [PE] Init AhoCorasick
[00:38:0844] [PE] Start AhoCorasick [0x2260400 - 17920]
[00:38:0844] [PE] Looking results : 0
[00:38:0860] [PE] Section[1/3] : 0x2264a00
[00:38:0875] [PE] Init AhoCorasick
[00:38:0875] [PE] Start AhoCorasick [0x2264a00 - 512]
[00:38:0891] [PE] Looking results : 0
[00:38:0891] [PE] Section[2/3] : 0x2264c00
[00:38:0906] [PE] Init AhoCorasick
[00:38:0922] [PE] Start AhoCorasick [0x2264c00 - 70144]
[00:38:0922] [PE] Looking results : 0
[00:38:0938] [PE] Section[3/3] : 0x2275e00
[00:38:0953] [PE] Init AhoCorasick
[00:38:0953] [PE] Start AhoCorasick [0x2275e00 - 1024]
[00:38:0969] [PE] Looking results : 0
[00:38:0985] [CHECK] Blacklist
[00:38:0985] [CHECK] BlacklistPath
[00:39:0000] [CHECK] BlacklistMD5
[00:39:0016] [CHECK] MadeNumbers
[00:39:0016] [CHECK] HasUnicode
[00:39:0031] [CHECK] SuspPath
[00:39:0031] [CHECK] ProcessResidue
[00:39:0047] [CHECK] Not found!
[00:39:0063] [Check DLLs] pihook.dll : C:\Program Files\ArcSoft\Software Suite\PhotoImpression\share\pihook.dll
[00:39:0063] [CHECK] WhiteDLL
[00:39:0078] [CHECK] Whitelist
[00:39:0094] [CHECK] WellKnown
[00:39:0094] [CHECK] WhitelistPath
[00:39:0110] [CHECK] HijackName
[00:39:0125] [CHECK] Signature
[00:39:0141] [PE] Mapping
[00:39:0156] [PE] Parsing
[00:39:0172] [PE] Dos header -> 0x2260000
[00:39:0172] [PE] Nt header (offset : 0xf0) file size 0xd000
[00:39:0188] [PE] pNtHeadersx86 -> 0x22600f0
[00:39:0188] [PE] Chars -> 0x210e
[00:39:0203] [PE] Optional header
[00:39:0219] [PE] Sections : 5
[00:39:0219] [PE] Section : 0 - .text
[00:39:0235] [PE] Section : 1 - .rdata
[00:39:0250] [PE] Section : 2 - .data
[00:39:0250] [PE] Section : 3 - Shared
[00:39:0266] [PE] Section : 4 - .reloc
[00:39:0266] [PE] File open : 1
[00:39:0281] [PE] Search sigs
[00:39:0297] [PE] Section[0/4] : 0x2261000
[00:39:0297] [PE] Init AhoCorasick
[00:39:0313] [PE] Start AhoCorasick [0x2261000 - 24576]
[00:39:0328] [PE] Looking results : 0
[00:39:0328] [PE] Section[1/4] : 0x2267000
[00:39:0344] [PE] Init AhoCorasick
[00:39:0360] [PE] Start AhoCorasick [0x2267000 - 4096]
[00:39:0360] [PE] Looking results : 0
[00:39:0375] [PE] Section[2/4] : 0x2268000
[00:39:0375] [PE] Init AhoCorasick
[00:39:0391] [PE] Start AhoCorasick [0x2268000 - 12288]
[00:39:0406] [PE] Looking results : 0
[00:39:0406] [PE] Section[3/4] : 0x226b000
[00:39:0422] [PE] Init AhoCorasick
[00:39:0438] [PE] Start AhoCorasick [0x226b000 - 4096]
[00:39:0438] [PE] Looking results : 0
[00:39:0453] [PE] Section[4/4] : 0x226c000
[00:39:0453] [PE] Init AhoCorasick
[00:39:0469] [PE] Start AhoCorasick [0x226c000 - 4096]
[00:39:0485] [PE] Looking results : 0
[00:39:0485] [CHECK] Blacklist
[00:39:0500] [CHECK] BlacklistPath
[00:39:0516] [CHECK] BlacklistMD5
[00:39:0516] [CHECK] MadeNumbers
[00:39:0531] [CHECK] HasUnicode
[00:39:0547] [CHECK] SuspPath
[00:39:0547] [CHECK] ProcessResidue
[00:39:0563] [CHECK] Not found!
[00:39:0578] [Check DLLs] PortableDeviceTypes.dll : C:\WINDOWS\system32\PortableDeviceTypes.dll
[00:39:0578] [CHECK] WhiteDLL
[00:39:0594] [CHECK] Whitelist
[00:39:0594] [CHECK] WellKnown
[00:39:0610] [CHECK] WhitelistPath
[00:39:0625] [CHECK] HijackName
[00:39:0625] [CHECK] Signature
[00:39:0656] [PE] Mapping
[00:39:0656] [PE] Parsing
[00:39:0672] [PE] Dos header -> 0x2260000
[00:39:0688] [PE] Nt header (offset : 0xf0) file size 0x28c00
[00:39:0688] [PE] pNtHeadersx86 -> 0x22600f0
[00:39:0703] [PE] Chars -> 0x2102
[00:39:0703] [PE] Optional header
[00:39:0719] [PE] Sections : 5
[00:39:0735] [PE] Section : 0 - .text
[00:39:0735] [PE] Section : 1 - .orpc
[00:39:0750] [PE] Section : 2 - .data
[00:39:0766] [PE] Section : 3 - .rsrc
[00:39:0766] [PE] Section : 4 - .reloc
[00:39:0828] [PE] File open : 1
[00:39:0828] [PE] Search sigs
[00:39:0844] [PE] Section[0/4] : 0x2260400
[00:39:0844] [PE] Init AhoCorasick
[00:39:0860] [PE] Start AhoCorasick [0x2260400 - 104960]
[00:39:0875] [PE] Looking results : 0
[00:39:0875] [PE] Section[1/4] : 0x2279e00
[00:39:0891] [PE] Init AhoCorasick
[00:39:0906] [PE] Start AhoCorasick [0x2279e00 - 512]
[00:39:0906] [PE] Looking results : 0
[00:39:0922] [PE] Section[2/4] : 0x227a000
[00:39:0938] [PE] Init AhoCorasick
[00:39:0938] [PE] Start AhoCorasick [0x227a000 - 1536]
[00:39:0953] [PE] Looking results : 0
[00:39:0953] [PE] Section[3/4] : 0x227a600
[00:39:0969] [PE] Init AhoCorasick
[00:39:0985] [PE] Start AhoCorasick [0x227a600 - 50688]
[00:39:0985] [PE] Looking results : 0
[00:40:0000] [PE] Section[4/4] : 0x2286c00
[00:40:0016] [PE] Init AhoCorasick
[00:40:0016] [PE] Start AhoCorasick [0x2286c00 - 8192]
[00:40:0031] [PE] Looking results : 0
[00:40:0047] [CHECK] Blacklist
[00:40:0078] [CHECK] BlacklistPath
[00:40:0094] [CHECK] BlacklistMD5
[00:40:0094] [CHECK] MadeNumbers
[00:40:0110] [CHECK] HasUnicode
[00:40:0125] [CHECK] SuspPath
[00:40:0125] [CHECK] ProcessResidue
[00:40:0141] [CHECK] Not found!
[00:40:0156] [Check DLLs] PortableDeviceApi.dll : C:\WINDOWS\system32\PortableDeviceApi.dll
[00:40:0156] [CHECK] WhiteDLL
[00:40:0172] [CHECK] Whitelist
[00:40:0172] [CHECK] WellKnown
[00:40:0188] [CHECK] WhitelistPath
[00:40:0203] [CHECK] HijackName
[00:40:0203] [CHECK] Signature
[00:40:0250] [PE] Mapping
[00:40:0266] [PE] Parsing
[00:40:0281] [PE] Dos header -> 0x1460000
[00:40:0281] [PE] Nt header (offset : 0xe8) file size 0x45600
[00:40:0297] [PE] pNtHeadersx86 -> 0x14600e8
[00:40:0297] [PE] Chars -> 0x2102
[00:40:0313] [PE] Optional header
[00:40:0328] [PE] Sections : 5
[00:40:0328] [PE] Section : 0 - .text
[00:40:0344] [PE] Section : 1 - .orpc
[00:40:0360] [PE] Section : 2 - .data
[00:40:0360] [PE] Section : 3 - .rsrc
[00:40:0375] [PE] Section : 4 - .reloc
[00:40:0375] [PE] File open : 1
[00:40:0391] [PE] Search sigs
[00:40:0406] [PE] Section[0/4] : 0x1460400
[00:40:0406] [PE] Init AhoCorasick
[00:40:0422] [PE] Start AhoCorasick [0x1460400 - 201216]
[00:40:0438] [PE] Looking results : 0
[00:40:0453] [PE] Section[1/4] : 0x1491600
[00:40:0453] [PE] Init AhoCorasick
[00:40:0469] [PE] Start AhoCorasick [0x1491600 - 512]
[00:40:0469] [PE] Looking results : 0
[00:40:0485] [PE] Section[2/4] : 0x1491800
[00:40:0500] [PE] Init AhoCorasick
[00:40:0500] [PE] Start AhoCorasick [0x1491800 - 4608]
[00:40:0516] [PE] Looking results : 0
[00:40:0531] [PE] Section[3/4] : 0x1492a00
[00:40:0531] [PE] Init AhoCorasick
[00:40:0547] [PE] Start AhoCorasick [0x1492a00 - 56320]
[00:40:0563] [PE] Looking results : 0
[00:40:0563] [PE] Section[4/4] : 0x14a0600
[00:40:0578] [PE] Init AhoCorasick
[00:40:0594] [PE] Start AhoCorasick [0x14a0600 - 20480]
[00:40:0594] [PE] Looking results : 0
[00:40:0610] [CHECK] Blacklist
[00:40:0610] [CHECK] BlacklistPath
[00:40:0625] [CHECK] BlacklistMD5
[00:40:0641] [CHECK] MadeNumbers
[00:40:0641] [CHECK] HasUnicode
[00:40:0656] [CHECK] SuspPath
[00:40:0672] [CHECK] ProcessResidue
[00:40:0672] [CHECK] Not found!
[00:40:0688] [Check DLLs] rsaenh.dll : C:\WINDOWS\system32\rsaenh.dll
[00:40:0703] [CHECK] WhiteDLL
[00:40:0703] [CHECK] Whitelist
[00:40:0719] [CHECK] WellKnown
[00:40:0735] [CHECK] WhitelistPath
[00:40:0735] [CHECK] HijackName
[00:40:0750] [CHECK] Signature
[00:40:0797] [PE] Mapping
[00:40:0797] [PE] Parsing
[00:40:0813] [PE] Dos header -> 0x1460000
[00:40:0828] [PE] Nt header (offset : 0xf8) file size 0x32e00
[00:40:0828] [PE] pNtHeadersx86 -> 0x14600f8
[00:40:0844] [PE] Chars -> 0x210e
[00:40:0844] [PE] Optional header
[00:40:0860] [PE] Sections : 4
[00:40:0875] [PE] Section : 0 - .text
[00:40:0875] [PE] Section : 1 - .data
[00:40:0891] [PE] Section : 2 - .rsrc
[00:40:0906] [PE] Section : 3 - .reloc
[00:40:0906] [PE] File open : 1
[00:40:0922] [PE] Search sigs
[00:40:0922] [PE] Section[0/3] : 0x1460400
[00:40:0938] [PE] Init AhoCorasick
[00:40:0953] [PE] Start AhoCorasick [0x1460400 - 187904]
[00:40:0969] [PE] Looking results : 0
[00:40:0969] [PE] Section[1/3] : 0x148e200
[00:40:0985] [PE] Init AhoCorasick
[00:41:0000] [PE] Start AhoCorasick [0x148e200 - 10752]
[00:41:0000] [PE] Looking results : 0
[00:41:0016] [PE] Section[2/3] : 0x1490c00
[00:41:0016] [PE] Init AhoCorasick
[00:41:0031] [PE] Start AhoCorasick [0x1490c00 - 3584]
[00:41:0047] [PE] Looking results : 0
[00:41:0047] [PE] Section[3/3] : 0x1491a00
[00:41:0063] [PE] Init AhoCorasick
[00:41:0078] [PE] Start AhoCorasick [0x1491a00 - 5120]
[00:41:0078] [PE] Looking results : 0
[00:41:0094] [CHECK] Blacklist
[00:41:0110] [CHECK] BlacklistPath
[00:41:0110] [CHECK] BlacklistMD5
[00:41:0125] [CHECK] MadeNumbers
[00:41:0125] [CHECK] HasUnicode
[00:41:0141] [CHECK] SuspPath
[00:41:0156] [CHECK] ProcessResidue
[00:41:0156] [CHECK] Not found!
[00:41:0172] [Check DLLs] wdmaud.drv : C:\WINDOWS\system32\wdmaud.drv
[00:41:0188] [CHECK] WhiteDLL
[00:41:0188] [CHECK] Whitelist
[00:41:0203] [CHECK] WellKnown
[00:41:0219] [CHECK] WhitelistPath
[00:41:0219] [CHECK] HijackName
[00:41:0235] [CHECK] Signature
[00:41:0266] [PE] Mapping
[00:41:0281] [PE] Parsing
[00:41:0297] [PE] Dos header -> 0x1460000
[00:41:0297] [PE] Nt header (offset : 0xe8) file size 0x5c00
[00:41:0313] [PE] pNtHeadersx86 -> 0x14600e8
[00:41:0313] [PE] Chars -> 0x210e
[00:41:0328] [PE] Optional header
[00:41:0344] [PE] Sections : 4
[00:41:0344] [PE] Section : 0 - .text
[00:41:0360] [PE] Section : 1 - .data
[00:41:0375] [PE] Section : 2 - .rsrc
[00:41:0375] [PE] Section : 3 - .reloc
[00:41:0391] [PE] File open : 1
[00:41:0406] [PE] Search sigs
[00:41:0406] [PE] Section[0/3] : 0x1460400
[00:41:0422] [PE] Init AhoCorasick
[00:41:0422] [PE] Start AhoCorasick [0x1460400 - 19456]
[00:41:0438] [PE] Looking results : 0
[00:41:0453] [PE] Section[1/3] : 0x1465000
[00:41:0453] [PE] Init AhoCorasick
[00:41:0469] [PE] Start AhoCorasick [0x1465000 - 512]
[00:41:0485] [PE] Looking results : 0
[00:41:0485] [PE] Section[2/3] : 0x1465200
[00:41:0500] [PE] Init AhoCorasick
[00:41:0516] [PE] Start AhoCorasick [0x1465200 - 1024]
[00:41:0516] [PE] Looking results : 0
[00:41:0531] [PE] Section[3/3] : 0x1465600
[00:41:0531] [PE] Init AhoCorasick
[00:41:0547] [PE] Start AhoCorasick [0x1465600 - 1536]
[00:41:0563] [PE] Looking results : 0
[00:41:0563] [CHECK] Blacklist
[00:41:0578] [CHECK] BlacklistPath
[00:41:0594] [CHECK] BlacklistMD5
[00:41:0594] [CHECK] MadeNumbers
[00:41:0610] [CHECK] HasUnicode
[00:41:0625] [CHECK] SuspPath
[00:41:0625] [CHECK] ProcessResidue
[00:41:0641] [CHECK] Not found!
[00:41:0656] [Check DLLs] MSCTF.dll : C:\WINDOWS\system32\MSCTF.dll
[00:41:0656] [CHECK] WhiteDLL
[00:41:0672] [CHECK] Whitelist
[00:41:0688] [CHECK] WellKnown
[00:41:0688] [CHECK] WhitelistPath
[00:41:0703] [CHECK] HijackName
[00:41:0703] [CHECK] Signature
[00:41:0735] [PE] Mapping
[00:41:0750] [PE] Parsing
[00:41:0797] [PE] Dos header -> 0x1460000
[00:41:0797] [PE] Nt header (offset : 0xe0) file size 0x48c00
[00:41:0813] [PE] pNtHeadersx86 -> 0x14600e0
[00:41:0813] [PE] Chars -> 0x210e
[00:41:0828] [PE] Optional header
[00:41:0844] [PE] Sections : 4
[00:41:0844] [PE] Section : 0 - .text
[00:41:0860] [PE] Section : 1 - .data
[00:41:0875] [PE] Section : 2 - .rsrc
[00:41:0875] [PE] Section : 3 - .reloc
[00:41:0891] [PE] File open : 1
[00:41:0891] [PE] Search sigs
[00:41:0906] [PE] Section[0/3] : 0x1460400
[00:41:0922] [PE] Init AhoCorasick
[00:41:0922] [PE] Start AhoCorasick [0x1460400 - 268288]
[00:41:0938] [PE] Looking results : 0
[00:41:0953] [PE] Section[1/3] : 0x14a1c00
[00:41:0969] [PE] Init AhoCorasick
[00:41:0969] [PE] Start AhoCorasick [0x14a1c00 - 3072]
[00:41:0985] [PE] Looking results : 0
[00:42:0000] [PE] Section[2/3] : 0x14a2800
[00:42:0000] [PE] Init AhoCorasick
[00:42:0016] [PE] Start AhoCorasick [0x14a2800 - 13824]
[00:42:0031] [PE] Looking results : 0
[00:42:0031] [PE] Section[3/3] : 0x14a5e00
[00:42:0047] [PE] Init AhoCorasick
[00:42:0047] [PE] Start AhoCorasick [0x14a5e00 - 11776]
[00:42:0063] [PE] Looking results : 0
[00:42:0078] [CHECK] Blacklist
[00:42:0078] [CHECK] BlacklistPath
[00:42:0094] [CHECK] BlacklistMD5
[00:42:0110] [CHECK] MadeNumbers
[00:42:0110] [CHECK] HasUnicode
[00:42:0125] [CHECK] SuspPath
[00:42:0141] [CHECK] ProcessResidue
[00:42:0141] [CHECK] Not found!
[00:42:0156] [Check DLLs] msacm32.drv : C:\WINDOWS\system32\msacm32.drv
[00:42:0172] [CHECK] WhiteDLL
[00:42:0172] [CHECK] Whitelist
[00:42:0188] [CHECK] WellKnown
[00:42:0203] [CHECK] WhitelistPath
[00:42:0203] [CHECK] HijackName
[00:42:0219] [CHECK] Signature
[00:42:0250] [PE] Mapping
[00:42:0266] [PE] Parsing
[00:42:0281] [PE] Dos header -> 0x1460000
[00:42:0281] [PE] Nt header (offset : 0xe0) file size 0x5000
[00:42:0297] [PE] pNtHeadersx86 -> 0x14600e0
[00:42:0313] [PE] Chars -> 0x210e
[00:42:0313] [PE] Optional header
[00:42:0328] [PE] Sections : 4
[00:42:0328] [PE] Section : 0 - .text
[00:42:0344] [PE] Section : 1 - .data
[00:42:0360] [PE] Section : 2 - .rsrc
[00:42:0360] [PE] Section : 3 - .reloc
[00:42:0375] [PE] File open : 1
[00:42:0391] [PE] Search sigs
[00:42:0391] [PE] Section[0/3] : 0x1460400
[00:42:0406] [PE] Init AhoCorasick
[00:42:0422] [PE] Start AhoCorasick [0x1460400 - 10240]
[00:42:0422] [PE] Looking results : 0
[00:42:0438] [PE] Section[1/3] : 0x1462c00
[00:42:0438] [PE] Init AhoCorasick
[00:42:0453] [PE] Start AhoCorasick [0x1462c00 - 512]
[00:42:0469] [PE] Looking results : 0
[00:42:0469] [PE] Section[2/3] : 0x1462e00
[00:42:0485] [PE] Init AhoCorasick
[00:42:0500] [PE] Start AhoCorasick [0x1462e00 - 7680]
[00:42:0500] [PE] Looking results : 0
[00:42:0516] [PE] Section[3/3] : 0x1464c00
[00:42:0516] [PE] Init AhoCorasick
[00:42:0531] [PE] Start AhoCorasick [0x1464c00 - 1024]
[00:42:0547] [PE] Looking results : 0
[00:42:0547] [CHECK] Blacklist
[00:42:0563] [CHECK] BlacklistPath
[00:42:0578] [CHECK] BlacklistMD5
[00:42:0578] [CHECK] MadeNumbers
[00:42:0594] [CHECK] HasUnicode
[00:42:0594] [CHECK] SuspPath
[00:42:0610] [CHECK] ProcessResidue
[00:42:0625] [CHECK] Not found!
[00:42:0625] [Check DLLs] midimap.dll : C:\WINDOWS\system32\midimap.dll
[00:42:0641] [CHECK] WhiteDLL
[00:42:0656] [CHECK] Whitelist
[00:42:0656] [CHECK] WellKnown
[00:42:0672] [CHECK] WhitelistPath
[00:42:0688] [CHECK] HijackName
[00:42:0688] [CHECK] Signature
[00:42:0703] [PE] Mapping
[00:42:0719] [PE] Parsing
[00:42:0719] [PE] Dos header -> 0x1460000
[00:42:0735] [PE] Nt header (offset : 0xd0) file size 0x4a00
[00:42:0750] [PE] pNtHeadersx86 -> 0x14600d0
[00:42:0750] [PE] Chars -> 0x210e
[00:42:0797] [PE] Optional header
[00:42:0813] [PE] Sections : 4
[00:42:0813] [PE] Section : 0 - .text
[00:42:0828] [PE] Section : 1 - .data
[00:42:0828] [PE] Section : 2 - .rsrc
[00:42:0844] [PE] Section : 3 - .reloc
[00:42:0860] [PE] File open : 1
[00:42:0860] [PE] Search sigs
[00:42:0875] [PE] Section[0/3] : 0x1460400
[00:42:0875] [PE] Init AhoCorasick
[00:42:0891] [PE] Start AhoCorasick [0x1460400 - 11264]
[00:42:0906] [PE] Looking results : 0
[00:42:0906] [PE] Section[1/3] : 0x1463000
[00:42:0922] [PE] Init AhoCorasick
[00:42:0938] [PE] Start AhoCorasick [0x1463000 - 1536]
[00:42:0938] [PE] Looking results : 0
[00:42:0953] [PE] Section[2/3] : 0x1463600
[00:42:0969] [PE] Init AhoCorasick
[00:42:0969] [PE] Start AhoCorasick [0x1463600 - 3584]
[00:42:0985] [PE] Looking results : 0
[00:42:0985] [PE] Section[3/3] : 0x1464400

captain5678 · September 29, 2013

continued...

[00:43:0000] [PE] Init AhoCorasick
[00:43:0016] [PE] Start AhoCorasick [0x1464400 - 1536]
[00:43:0016] [PE] Looking results : 0
[00:43:0031] [CHECK] Blacklist
[00:43:0047] [CHECK] BlacklistPath
[00:43:0047] [CHECK] BlacklistMD5
[00:43:0063] [CHECK] MadeNumbers
[00:43:0063] [CHECK] HasUnicode
[00:43:0078] [CHECK] SuspPath
[00:43:0094] [CHECK] ProcessResidue
[00:43:0094] [CHECK] Not found!
[00:43:0110] [Check DLLs] MPR.dll : C:\WINDOWS\system32\MPR.dll
[00:43:0125] [CHECK] WhiteDLL
[00:43:0125] [CHECK] Whitelist
[00:43:0141] [CHECK] WellKnown
[00:43:0156] [CHECK] WhitelistPath
[00:43:0156] [CHECK] HijackName
[00:43:0172] [CHECK] Signature
[00:43:0219] [PE] Mapping
[00:43:0235] [PE] Parsing
[00:43:0250] [PE] Dos header -> 0x1460000
[00:43:0250] [PE] Nt header (offset : 0xf0) file size 0xea00
[00:43:0266] [PE] pNtHeadersx86 -> 0x14600f0
[00:43:0281] [PE] Chars -> 0x210e
[00:43:0281] [PE] Optional header
[00:43:0297] [PE] Sections : 4
[00:43:0297] [PE] Section : 0 - .text
[00:43:0313] [PE] Section : 1 - .data
[00:43:0328] [PE] Section : 2 - .rsrc
[00:43:0328] [PE] Section : 3 - .reloc
[00:43:0344] [PE] File open : 1
[00:43:0360] [PE] Search sigs
[00:43:0360] [PE] Section[0/3] : 0x1460400
[00:43:0375] [PE] Init AhoCorasick
[00:43:0375] [PE] Start AhoCorasick [0x1460400 - 54272]
[00:43:0391] [PE] Looking results : 0
[00:43:0406] [PE] Section[1/3] : 0x146d800
[00:43:0406] [PE] Init AhoCorasick
[00:43:0422] [PE] Start AhoCorasick [0x146d800 - 512]
[00:43:0438] [PE] Looking results : 0
[00:43:0438] [PE] Section[2/3] : 0x146da00
[00:43:0453] [PE] Init AhoCorasick
[00:43:0469] [PE] Start AhoCorasick [0x146da00 - 1536]
[00:43:0469] [PE] Looking results : 0
[00:43:0485] [PE] Section[3/3] : 0x146e000
[00:43:0500] [PE] Init AhoCorasick
[00:43:0500] [PE] Start AhoCorasick [0x146e000 - 2560]
[00:43:0516] [PE] Looking results : 0
[00:43:0516] [CHECK] Blacklist
[00:43:0531] [CHECK] BlacklistPath
[00:43:0547] [CHECK] BlacklistMD5
[00:43:0547] [CHECK] MadeNumbers
[00:43:0563] [CHECK] HasUnicode
[00:43:0578] [CHECK] SuspPath
[00:43:0578] [CHECK] ProcessResidue
[00:43:0594] [CHECK] Not found!
[00:43:0610] [Check DLLs] drprov.dll : C:\WINDOWS\System32\drprov.dll
[00:43:0610] [CHECK] WhiteDLL
[00:43:0625] [CHECK] Whitelist
[00:43:0641] [CHECK] WellKnown
[00:43:0641] [CHECK] WhitelistPath
[00:43:0656] [CHECK] HijackName
[00:43:0656] [CHECK] Signature
[00:43:0672] [PE] Mapping
[00:43:0688] [PE] Parsing
[00:43:0688] [PE] Dos header -> 0x1460000
[00:43:0703] [PE] Nt header (offset : 0xd0) file size 0x3800
[00:43:0719] [PE] pNtHeadersx86 -> 0x14600d0
[00:43:0719] [PE] Chars -> 0x210e
[00:43:0735] [PE] Optional header
[00:43:0750] [PE] Sections : 4
[00:43:0750] [PE] Section : 0 - .text
[00:43:0797] [PE] Section : 1 - .data
[00:43:0797] [PE] Section : 2 - .rsrc
[00:43:0813] [PE] Section : 3 - .reloc
[00:43:0813] [PE] File open : 1
[00:43:0828] [PE] Search sigs
[00:43:0844] [PE] Section[0/3] : 0x1460400
[00:43:0844] [PE] Init AhoCorasick
[00:43:0860] [PE] Start AhoCorasick [0x1460400 - 10240]
[00:43:0875] [PE] Looking results : 0
[00:43:0875] [PE] Section[1/3] : 0x1462c00
[00:43:0891] [PE] Init AhoCorasick
[00:43:0891] [PE] Start AhoCorasick [0x1462c00 - 1024]
[00:43:0906] [PE] Looking results : 0
[00:43:0922] [PE] Section[2/3] : 0x1463000
[00:43:0922] [PE] Init AhoCorasick
[00:43:0938] [PE] Start AhoCorasick [0x1463000 - 1536]
[00:43:0953] [PE] Looking results : 0
[00:43:0953] [PE] Section[3/3] : 0x1463600
[00:43:0969] [PE] Init AhoCorasick
[00:43:0969] [PE] Start AhoCorasick [0x1463600 - 512]
[00:43:0985] [PE] Looking results : 0
[00:44:0000] [CHECK] Blacklist
[00:44:0000] [CHECK] BlacklistPath
[00:44:0016] [CHECK] BlacklistMD5
[00:44:0031] [CHECK] MadeNumbers
[00:44:0031] [CHECK] HasUnicode
[00:44:0047] [CHECK] SuspPath
[00:44:0063] [CHECK] ProcessResidue
[00:44:0063] [CHECK] Not found!
[00:44:0078] [Check DLLs] ntlanman.dll : C:\WINDOWS\System32\ntlanman.dll
[00:44:0094] [CHECK] WhiteDLL
[00:44:0094] [CHECK] Whitelist
[00:44:0110] [CHECK] WellKnown
[00:44:0110] [CHECK] WhitelistPath
[00:44:0125] [CHECK] HijackName
[00:44:0141] [CHECK] Signature
[00:44:0219] [PE] Mapping
[00:44:0219] [PE] Parsing
[00:44:0235] [PE] Dos header -> 0x1460000
[00:44:0250] [PE] Nt header (offset : 0xd8) file size 0xac00
[00:44:0250] [PE] pNtHeadersx86 -> 0x14600d8
[00:44:0266] [PE] Chars -> 0x210e
[00:44:0266] [PE] Optional header
[00:44:0281] [PE] Sections : 4
[00:44:0297] [PE] Section : 0 - .text
[00:44:0297] [PE] Section : 1 - .data
[00:44:0313] [PE] Section : 2 - .rsrc
[00:44:0328] [PE] Section : 3 - .reloc
[00:44:0328] [PE] File open : 1
[00:44:0344] [PE] Search sigs
[00:44:0360] [PE] Section[0/3] : 0x1460400
[00:44:0360] [PE] Init AhoCorasick
[00:44:0375] [PE] Start AhoCorasick [0x1460400 - 39424]
[00:44:0375] [PE] Looking results : 0
[00:44:0391] [PE] Section[1/3] : 0x1469e00
[00:44:0406] [PE] Init AhoCorasick
[00:44:0406] [PE] Start AhoCorasick [0x1469e00 - 512]
[00:44:0422] [PE] Looking results : 0
[00:44:0438] [PE] Section[2/3] : 0x146a000
[00:44:0438] [PE] Init AhoCorasick
[00:44:0453] [PE] Start AhoCorasick [0x146a000 - 1536]
[00:44:0469] [PE] Looking results : 0
[00:44:0469] [PE] Section[3/3] : 0x146a600
[00:44:0485] [PE] Init AhoCorasick
[00:44:0485] [PE] Start AhoCorasick [0x146a600 - 1536]
[00:44:0500] [PE] Looking results : 0
[00:44:0516] [CHECK] Blacklist
[00:44:0516] [CHECK] BlacklistPath
[00:44:0531] [CHECK] BlacklistMD5
[00:44:0547] [CHECK] MadeNumbers
[00:44:0547] [CHECK] HasUnicode
[00:44:0563] [CHECK] SuspPath
[00:44:0578] [CHECK] ProcessResidue
[00:44:0578] [CHECK] Not found!
[00:44:0594] [Check DLLs] NETUI0.dll : C:\WINDOWS\System32\NETUI0.dll
[00:44:0610] [CHECK] WhiteDLL
[00:44:0610] [CHECK] Whitelist
[00:44:0625] [CHECK] WellKnown
[00:44:0625] [CHECK] WhitelistPath
[00:44:0641] [CHECK] HijackName
[00:44:0656] [CHECK] Signature
[00:44:0672] [PE] Mapping
[00:44:0688] [PE] Parsing
[00:44:0703] [PE] Dos header -> 0x1460000
[00:44:0703] [PE] Nt header (offset : 0xe8) file size 0x13c00
[00:44:0719] [PE] pNtHeadersx86 -> 0x14600e8
[00:44:0735] [PE] Chars -> 0x210e
[00:44:0735] [PE] Optional header
[00:44:0750] [PE] Sections : 4
[00:44:0750] [PE] Section : 0 - .text
[00:44:0797] [PE] Section : 1 - .data
[00:44:0813] [PE] Section : 2 - .rsrc
[00:44:0813] [PE] Section : 3 - .reloc
[00:44:0828] [PE] File open : 1
[00:44:0844] [PE] Search sigs
[00:44:0844] [PE] Section[0/3] : 0x1460400
[00:44:0860] [PE] Init AhoCorasick
[00:44:0860] [PE] Start AhoCorasick [0x1460400 - 64512]
[00:44:0875] [PE] Looking results : 0
[00:44:0891] [PE] Section[1/3] : 0x1470000
[00:44:0891] [PE] Init AhoCorasick
[00:44:0906] [PE] Start AhoCorasick [0x1470000 - 512]
[00:44:0922] [PE] Looking results : 0
[00:44:0922] [PE] Section[2/3] : 0x1470200
[00:44:0938] [PE] Init AhoCorasick
[00:44:0953] [PE] Start AhoCorasick [0x1470200 - 13312]
[00:44:0953] [PE] Looking results : 0
[00:44:0969] [PE] Section[3/3] : 0x1473600
[00:44:0985] [PE] Init AhoCorasick
[00:44:0985] [PE] Start AhoCorasick [0x1473600 - 1536]
[00:45:0000] [PE] Looking results : 0
[00:45:0000] [CHECK] Blacklist
[00:45:0016] [CHECK] BlacklistPath
[00:45:0031] [CHECK] BlacklistMD5
[00:45:0031] [CHECK] MadeNumbers
[00:45:0047] [CHECK] HasUnicode
[00:45:0063] [CHECK] SuspPath
[00:45:0063] [CHECK] ProcessResidue
[00:45:0078] [CHECK] Not found!
[00:45:0094] [Check DLLs] NETUI1.dll : C:\WINDOWS\System32\NETUI1.dll
[00:45:0094] [CHECK] WhiteDLL
[00:45:0110] [CHECK] Whitelist
[00:45:0125] [CHECK] WellKnown
[00:45:0125] [CHECK] WhitelistPath
[00:45:0141] [CHECK] HijackName
[00:45:0156] [CHECK] Signature
[00:45:0235] [PE] Mapping
[00:45:0235] [PE] Parsing
[00:45:0250] [PE] Dos header -> 0x1460000
[00:45:0266] [PE] Nt header (offset : 0xe0) file size 0x3c000
[00:45:0266] [PE] pNtHeadersx86 -> 0x14600e0
[00:45:0281] [PE] Chars -> 0x210e
[00:45:0281] [PE] Optional header
[00:45:0297] [PE] Sections : 4
[00:45:0313] [PE] Section : 0 - .text
[00:45:0313] [PE] Section : 1 - .data
[00:45:0328] [PE] Section : 2 - .rsrc
[00:45:0344] [PE] Section : 3 - .reloc
[00:45:0360] [PE] File open : 1
[00:45:0360] [PE] Search sigs
[00:45:0375] [PE] Section[0/3] : 0x1460400
[00:45:0391] [PE] Init AhoCorasick
[00:45:0391] [PE] Start AhoCorasick [0x1460400 - 238080]
[00:45:0406] [PE] Looking results : 0
[00:45:0422] [PE] Section[1/3] : 0x149a600
[00:45:0438] [PE] Init AhoCorasick
[00:45:0438] [PE] Start AhoCorasick [0x149a600 - 512]
[00:45:0453] [PE] Looking results : 0
[00:45:0469] [PE] Section[2/3] : 0x149a800
[00:45:0469] [PE] Init AhoCorasick
[00:45:0485] [PE] Start AhoCorasick [0x149a800 - 1536]
[00:45:0485] [PE] Looking results : 0
[00:45:0500] [PE] Section[3/3] : 0x149ae00
[00:45:0516] [PE] Init AhoCorasick
[00:45:0516] [PE] Start AhoCorasick [0x149ae00 - 4608]
[00:45:0531] [PE] Looking results : 0
[00:45:0547] [CHECK] Blacklist
[00:45:0547] [CHECK] BlacklistPath
[00:45:0563] [CHECK] BlacklistMD5
[00:45:0578] [CHECK] MadeNumbers
[00:45:0578] [CHECK] HasUnicode
[00:45:0594] [CHECK] SuspPath
[00:45:0610] [CHECK] ProcessResidue
[00:45:0610] [CHECK] Not found!
[00:45:0625] [Check DLLs] NETRAP.dll : C:\WINDOWS\System32\NETRAP.dll
[00:45:0641] [CHECK] WhiteDLL
[00:45:0641] [CHECK] Whitelist
[00:45:0656] [CHECK] WellKnown
[00:45:0672] [CHECK] WhitelistPath
[00:45:0672] [CHECK] HijackName
[00:45:0688] [CHECK] Signature
[00:45:0719] [PE] Mapping
[00:45:0735] [PE] Parsing
[00:45:0735] [PE] Dos header -> 0x1480000
[00:45:0750] [PE] Nt header (offset : 0xd8) file size 0x2e00
[00:45:0781] [PE] pNtHeadersx86 -> 0x14800d8
[00:45:0781] [PE] Chars -> 0x210e
[00:45:0797] [PE] Optional header
[00:45:0813] [PE] Sections : 4
[00:45:0813] [PE] Section : 0 - .text
[00:45:0828] [PE] Section : 1 - .data
[00:45:0844] [PE] Section : 2 - .rsrc
[00:45:0844] [PE] Section : 3 - .reloc
[00:45:0860] [PE] File open : 1
[00:45:0860] [PE] Search sigs
[00:45:0875] [PE] Section[0/3] : 0x1480400
[00:45:0891] [PE] Init AhoCorasick
[00:45:0891] [PE] Start AhoCorasick [0x1480400 - 8704]
[00:45:0906] [PE] Looking results : 0
[00:45:0922] [PE] Section[1/3] : 0x1482600
[00:45:0922] [PE] Init AhoCorasick
[00:45:0938] [PE] Start AhoCorasick [0x1482600 - 512]
[00:45:0953] [PE] Looking results : 0
[00:45:0953] [PE] Section[2/3] : 0x1482800
[00:45:0969] [PE] Init AhoCorasick
[00:45:0969] [PE] Start AhoCorasick [0x1482800 - 1024]
[00:45:0985] [PE] Looking results : 0
[00:46:0000] [PE] Section[3/3] : 0x1482c00
[00:46:0000] [PE] Init AhoCorasick
[00:46:0016] [PE] Start AhoCorasick [0x1482c00 - 512]
[00:46:0031] [PE] Looking results : 0
[00:46:0031] [CHECK] Blacklist
[00:46:0047] [CHECK] BlacklistPath
[00:46:0063] [CHECK] BlacklistMD5
[00:46:0063] [CHECK] MadeNumbers
[00:46:0078] [CHECK] HasUnicode
[00:46:0078] [CHECK] SuspPath
[00:46:0094] [CHECK] ProcessResidue
[00:46:0110] [CHECK] Not found!
[00:46:0125] [Check DLLs] davclnt.dll : C:\WINDOWS\System32\davclnt.dll
[00:46:0125] [CHECK] WhiteDLL
[00:46:0141] [CHECK] Whitelist
[00:46:0141] [CHECK] WellKnown
[00:46:0156] [CHECK] WhitelistPath
[00:46:0172] [CHECK] HijackName
[00:46:0172] [CHECK] Signature
[00:46:0188] [PE] Mapping
[00:46:0203] [PE] Parsing
[00:46:0219] [PE] Dos header -> 0x1480000
[00:46:0219] [PE] Nt header (offset : 0xe0) file size 0x6200
[00:46:0235] [PE] pNtHeadersx86 -> 0x14800e0
[00:46:0235] [PE] Chars -> 0x210e
[00:46:0250] [PE] Optional header
[00:46:0266] [PE] Sections : 4
[00:46:0266] [PE] Section : 0 - .text
[00:46:0281] [PE] Section : 1 - .data
[00:46:0297] [PE] Section : 2 - .rsrc
[00:46:0297] [PE] Section : 3 - .reloc
[00:46:0313] [PE] File open : 1
[00:46:0328] [PE] Search sigs
[00:46:0328] [PE] Section[0/3] : 0x1480400
[00:46:0344] [PE] Init AhoCorasick
[00:46:0344] [PE] Start AhoCorasick [0x1480400 - 20992]
[00:46:0360] [PE] Looking results : 0
[00:46:0375] [PE] Section[1/3] : 0x1485600
[00:46:0375] [PE] Init AhoCorasick
[00:46:0391] [PE] Start AhoCorasick [0x1485600 - 512]
[00:46:0406] [PE] Looking results : 0
[00:46:0406] [PE] Section[2/3] : 0x1485800
[00:46:0422] [PE] Init AhoCorasick
[00:46:0438] [PE] Start AhoCorasick [0x1485800 - 1536]
[00:46:0438] [PE] Looking results : 0
[00:46:0453] [PE] Section[3/3] : 0x1485e00
[00:46:0469] [PE] Init AhoCorasick
[00:46:0469] [PE] Start AhoCorasick [0x1485e00 - 1024]
[00:46:0485] [PE] Looking results : 0
[00:46:0485] [CHECK] Blacklist
[00:46:0500] [CHECK] BlacklistPath
[00:46:0516] [CHECK] BlacklistMD5
[00:46:0516] [CHECK] MadeNumbers
[00:46:0531] [CHECK] HasUnicode
[00:46:0547] [CHECK] SuspPath
[00:46:0547] [CHECK] ProcessResidue
[00:46:0563] [CHECK] Not found!
[00:46:0578] [Check DLLs] MSNLNamespaceMgr.dll : C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll
[00:46:0578] [CHECK] WhiteDLL
[00:46:0594] [CHECK] Whitelist
[00:46:0610] [CHECK] WellKnown
[00:46:0610] [CHECK] WhitelistPath
[00:46:0625] [CHECK] HijackName
[00:46:0641] [CHECK] Signature
[00:46:0672] [PE] Mapping
[00:46:0688] [PE] Parsing
[00:46:0688] [PE] Dos header -> 0x1480000
[00:46:0703] [PE] Nt header (offset : 0xe8) file size 0x4a400
[00:46:0719] [PE] pNtHeadersx86 -> 0x14800e8
[00:46:0719] [PE] Chars -> 0x2102
[00:46:0735] [PE] Optional header
[00:46:0750] [PE] Sections : 4
[00:46:0750] [PE] Section : 0 - .text
[00:46:0813] [PE] Section : 1 - .data
[00:46:0813] [PE] Section : 2 - .rsrc
[00:46:0844] [PE] Section : 3 - .reloc
[00:46:0860] [PE] File open : 1
[00:46:0860] [PE] Search sigs
[00:46:0875] [PE] Section[0/3] : 0x1480400
[00:46:0906] [PE] Init AhoCorasick
[00:46:0906] [PE] Start AhoCorasick [0x1480400 - 207360]
[00:46:0922] [PE] Looking results : 0
[00:46:0938] [PE] Section[1/3] : 0x14b2e00
[00:46:0953] [PE] Init AhoCorasick
[00:46:0953] [PE] Start AhoCorasick [0x14b2e00 - 1536]
[00:46:0985] [PE] Looking results : 0
[00:47:0000] [PE] Section[2/3] : 0x14b3400
[00:47:0000] [PE] Init AhoCorasick
[00:47:0016] [PE] Start AhoCorasick [0x14b3400 - 81408]
[00:47:0031] [PE] Looking results : 0
[00:47:0031] [PE] Section[3/3] : 0x14c7200
[00:47:0047] [PE] Init AhoCorasick
[00:47:0063] [PE] Start AhoCorasick [0x14c7200 - 12800]
[00:47:0063] [PE] Looking results : 0
[00:47:0078] [CHECK] Blacklist
[00:47:0094] [CHECK] BlacklistPath
[00:47:0094] [CHECK] BlacklistMD5
[00:47:0110] [CHECK] MadeNumbers
[00:47:0125] [CHECK] HasUnicode
[00:47:0125] [CHECK] SuspPath
[00:47:0141] [CHECK] ProcessResidue
[00:47:0141] [CHECK] Not found!
[00:47:0156] [CHECK] WhiteDLL
[00:47:0172] [CHECK] Whitelist
[00:47:0172] [CHECK] WellKnown
[00:47:0235] [Check Processes] [1560][_888] wmiprvse.exe : C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe
[00:47:0235] [CHECK] WhiteDLL
[00:47:0250] [CHECK] Whitelist
[00:47:0266] [CHECK] WellKnown
[00:47:0266] [CHECK] WhitelistPath
[00:47:0281] [CHECK] HijackName
[00:47:0297] [CHECK] Signature
[00:47:0297] [PE] Mapping
[00:47:0313] [PE] Parsing
[00:47:0328] [PE] Dos header -> 0x1480000
[00:47:0328] [PE] Nt header (offset : 0xd8) file size 0x37a00
[00:47:0344] [PE] pNtHeadersx86 -> 0x14800d8
[00:47:0360] [PE] Chars -> 0x10f
[00:47:0360] [PE] Optional header
[00:47:0375] [PE] Sections : 3
[00:47:0391] [PE] Section : 0 - .text
[00:47:0391] [PE] Section : 1 - .data
[00:47:0406] [PE] Section : 2 - .rsrc
[00:47:0422] [PE] File open : 1
[00:47:0422] [PE] Search sigs
[00:47:0438] [PE] Section[0/2] : 0x1480400
[00:47:0453] [PE] Init AhoCorasick
[00:47:0453] [PE] Start AhoCorasick [0x1480400 - 219136]
[00:47:0469] [PE] Looking results : 0
[00:47:0485] [PE] Section[1/2] : 0x14b5c00
[00:47:0485] [PE] Init AhoCorasick
[00:47:0500] [PE] Start AhoCorasick [0x14b5c00 - 6656]
[00:47:0516] [PE] Looking results : 0
[00:47:0516] [PE] Section[2/2] : 0x14b7600
[00:47:0531] [PE] Init AhoCorasick
[00:47:0547] [PE] Start AhoCorasick [0x14b7600 - 1024]
[00:47:0547] [PE] Looking results : 0
[00:47:0563] [CHECK] Blacklist
[00:47:0578] [CHECK] BlacklistPath
[00:47:0578] [CHECK] BlacklistMD5
[00:47:0594] [CHECK] MadeNumbers
[00:47:0610] [CHECK] HasUnicode
[00:47:0610] [CHECK] SuspPath
[00:47:0625] [CHECK] ProcessResidue
[00:47:0641] [CHECK] Not found!
[00:47:0688] [Check Processes] [1952][_648] smax4pnp.exe : C:\Program Files\Analog Devices\Core\smax4pnp.exe
[00:47:0703] [CHECK] WhiteDLL
[00:47:0719] [CHECK] Whitelist
[00:47:0719] [CHECK] WellKnown
[00:47:0735] [CHECK] WhitelistPath
[00:47:0750] [CHECK] HijackName
[00:47:0750] [CHECK] Signature
[00:47:0813] [PE] Mapping
[00:47:0828] [PE] Parsing
[00:47:0844] [PE] Dos header -> 0x2260000
[00:47:0844] [PE] Nt header (offset : 0x100) file size 0x157000
[00:47:0860] [PE] pNtHeadersx86 -> 0x2260100
[00:47:0875] [PE] Chars -> 0x10f
[00:47:0875] [PE] Optional header
[00:47:0891] [PE] Sections : 4
[00:47:0906] [PE] Section : 0 - .text
[00:47:0906] [PE] Section : 1 - .rdata
[00:47:0922] [PE] Section : 2 - .data
[00:47:0922] [PE] Section : 3 - .rsrc
[00:47:0938] [PE] File open : 1
[00:47:0953] [PE] Search sigs
[00:47:0953] [PE] Section[0/3] : 0x2261000
[00:47:0969] [PE] Init AhoCorasick
[00:47:0985] [PE] Start AhoCorasick [0x2261000 - 135168]
[00:48:0000] [PE] Looking results : 0
[00:48:0000] [PE] Section[1/3] : 0x2282000
[00:48:0016] [PE] Init AhoCorasick
[00:48:0016] [PE] Start AhoCorasick [0x2282000 - 28672]
[00:48:0031] [PE] Looking results : 0
[00:48:0047] [PE] Section[2/3] : 0x2289000
[00:48:0047] [PE] Init AhoCorasick
[00:48:0063] [PE] Start AhoCorasick [0x2289000 - 12288]
[00:48:0078] [PE] Looking results : 0
[00:48:0078] [PE] Section[3/3] : 0x228c000
[00:48:0094] [PE] Init AhoCorasick
[00:48:0110] [PE] Start AhoCorasick [0x228c000 - 1224704]
[00:48:0141] [PE] Looking results : 0
[00:48:0141] [CHECK] Blacklist
[00:48:0156] [CHECK] BlacklistPath
[00:48:0172] [CHECK] BlacklistMD5
[00:48:0172] [CHECK] MadeNumbers
[00:48:0188] [CHECK] HasUnicode
[00:48:0203] [CHECK] SuspPath
[00:48:0203] [CHECK] ProcessResidue
[00:48:0219] [CHECK] Not found!
[00:48:0250] [Check Processes] [1476][_648] IntelMEM.exe : C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
[00:48:0250] [CHECK] WhiteDLL
[00:48:0266] [CHECK] Whitelist
[00:48:0281] [CHECK] WellKnown
[00:48:0281] [CHECK] WhitelistPath
[00:48:0297] [CHECK] HijackName
[00:48:0313] [CHECK] Signature
[00:48:0328] [PE] Mapping
[00:48:0328] [PE] Parsing
[00:48:0344] [PE] Dos header -> 0x1480000
[00:48:0360] [PE] Nt header (offset : 0x108) file size 0x36000
[00:48:0360] [PE] pNtHeadersx86 -> 0x1480108
[00:48:0375] [PE] Chars -> 0x10f
[00:48:0391] [PE] Optional header
[00:48:0391] [PE] Sections : 4
[00:48:0406] [PE] Section : 0 - .text
[00:48:0422] [PE] Section : 1 - .rdata
[00:48:0422] [PE] Section : 2 - .data
[00:48:0438] [PE] Section : 3 - .rsrc
[00:48:0453] [PE] File open : 1
[00:48:0453] [PE] Search sigs
[00:48:0469] [PE] Section[0/3] : 0x1481000
[00:48:0469] [PE] Init AhoCorasick
[00:48:0485] [PE] Start AhoCorasick [0x1481000 - 143360]
[00:48:0500] [PE] Looking results : 0
[00:48:0516] [PE] Section[1/3] : 0x14a4000
[00:48:0516] [PE] Init AhoCorasick
[00:48:0531] [PE] Start AhoCorasick [0x14a4000 - 36864]
[00:48:0547] [PE] Looking results : 0
[00:48:0547] [PE] Section[2/3] : 0x14ad000
[00:48:0563] [PE] Init AhoCorasick
[00:48:0563] [PE] Start AhoCorasick [0x14ad000 - 20480]
[00:48:0578] [PE] Looking results : 0
[00:48:0594] [PE] Section[3/3] : 0x14b2000
[00:48:0594] [PE] Init AhoCorasick
[00:48:0610] [PE] Start AhoCorasick [0x14b2000 - 16384]
[00:48:0625] [PE] Looking results : 0
[00:48:0625] [CHECK] Blacklist
[00:48:0641] [CHECK] BlacklistPath
[00:48:0656] [CHECK] BlacklistMD5
[00:48:0656] [CHECK] MadeNumbers
[00:48:0672] [CHECK] HasUnicode
[00:48:0688] [CHECK] SuspPath
[00:48:0688] [CHECK] ProcessResidue
[00:48:0703] [CHECK] Not found!
[00:48:0719] [Check Processes] [1360][_648] tfswctrl.exe : C:\WINDOWS\SYSTEM32\dla\tfswctrl.exe
[00:48:0735] [CHECK] WhiteDLL
[00:48:0750] [CHECK] Whitelist
[00:48:0750] [CHECK] WellKnown
[00:48:0797] [CHECK] WhitelistPath
[00:48:0797] [CHECK] HijackName
[00:48:0813] [CHECK] Signature
[00:48:0828] [PE] Mapping
[00:48:0828] [PE] Parsing
[00:48:0844] [PE] Dos header -> 0x1480000
[00:48:0860] [PE] Nt header (offset : 0xf0) file size 0x1e03b
[00:48:0860] [PE] pNtHeadersx86 -> 0x14800f0
[00:48:0875] [PE] Chars -> 0x10f
[00:48:0891] [PE] Optional header
[00:48:0891] [PE] Sections : 4
[00:48:0906] [PE] Section : 0 - .text
[00:48:0906] [PE] Section : 1 - .rdata
[00:48:0922] [PE] Section : 2 - .data
[00:48:0938] [PE] Section : 3 - .rsrc
[00:48:0938] [PE] File open : 1
[00:48:0953] [PE] Search sigs
[00:48:0969] [PE] Section[0/3] : 0x1481000
[00:48:0969] [PE] Init AhoCorasick
[00:48:0985] [PE] Start AhoCorasick [0x1481000 - 61440]
[00:49:0000] [PE] Looking results : 0
[00:49:0000] [PE] Section[1/3] : 0x1490000
[00:49:0016] [PE] Init AhoCorasick
[00:49:0031] [PE] Start AhoCorasick [0x1490000 - 8192]
[00:49:0031] [PE] Looking results : 0
[00:49:0047] [PE] Section[2/3] : 0x1492000
[00:49:0063] [PE] Init AhoCorasick
[00:49:0063] [PE] Start AhoCorasick [0x1492000 - 20480]
[00:49:0078] [PE] Looking results : 0
[00:49:0094] [PE] Section[3/3] : 0x1497000
[00:49:0094] [PE] Init AhoCorasick
[00:49:0110] [PE] Start AhoCorasick [0x1497000 - 28672]
[00:49:0125] [PE] Looking results : 0
[00:49:0125] [CHECK] Blacklist
[00:49:0141] [CHECK] BlacklistPath
[00:49:0156] [CHECK] BlacklistMD5
[00:49:0156] [CHECK] MadeNumbers
[00:49:0172] [CHECK] HasUnicode
[00:49:0188] [CHECK] SuspPath
[00:49:0188] [CHECK] ProcessResidue
[00:49:0203] [CHECK] Not found!
[00:49:0235] [Check Processes] [1852][_648] sgtray.exe : C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
[00:49:0235] [CHECK] WhiteDLL
[00:49:0250] [CHECK] Whitelist
[00:49:0266] [CHECK] WellKnown
[00:49:0266] [CHECK] WhitelistPath
[00:49:0281] [CHECK] HijackName
[00:49:0297] [CHECK] Signature
[00:49:0313] [PE] Mapping
[00:49:0313] [PE] Parsing
[00:49:0328] [PE] Dos header -> 0x1480000
[00:49:0344] [PE] Nt header (offset : 0x110) file size 0x1b000
[00:49:0344] [PE] pNtHeadersx86 -> 0x1480110
[00:49:0360] [PE] Chars -> 0x10f
[00:49:0360] [PE] Optional header
[00:49:0375] [PE] Sections : 4
[00:49:0391] [PE] Section : 0 - .text
[00:49:0391] [PE] Section : 1 - .rdata
[00:49:0406] [PE] Section : 2 - .data
[00:49:0422] [PE] Section : 3 - .rsrc
[00:49:0422] [PE] File open : 1
[00:49:0438] [PE] Search sigs
[00:49:0453] [PE] Section[0/3] : 0x1481000
[00:49:0453] [PE] Init AhoCorasick
[00:49:0469] [PE] Start AhoCorasick [0x1481000 - 73728]
[00:49:0485] [PE] Looking results : 0
[00:49:0485] [PE] Section[1/3] : 0x1493000
[00:49:0500] [PE] Init AhoCorasick
[00:49:0516] [PE] Start AhoCorasick [0x1493000 - 24576]
[00:49:0516] [PE] Looking results : 0
[00:49:0531] [PE] Section[2/3] : 0x1499000
[00:49:0547] [PE] Init AhoCorasick
[00:49:0547] [PE] Start AhoCorasick [0x1499000 - 4096]
[00:49:0563] [PE] Looking results : 0
[00:49:0578] [PE] Section[3/3] : 0x149a000
[00:49:0578] [PE] Init AhoCorasick
[00:49:0594] [PE] Start AhoCorasick [0x149a000 - 4096]
[00:49:0610] [PE] Looking results : 0
[00:49:0610] [CHECK] Blacklist
[00:49:0625] [CHECK] BlacklistPath
[00:49:0641] [CHECK] BlacklistMD5
[00:49:0641] [CHECK] MadeNumbers
[00:49:0656] [CHECK] HasUnicode
[00:49:0672] [CHECK] SuspPath
[00:49:0672] [CHECK] ProcessResidue
[00:49:0688] [CHECK] Not found!
[00:49:0703] [Check Processes] [1816][_648] iTunesHelper.exe : C:\Program Files\iTunes\iTunesHelper.exe
[00:49:0719] [CHECK] WhiteDLL
[00:49:0735] [CHECK] Whitelist
[00:49:0750] [CHECK] WellKnown
[00:49:0750] [CHECK] WhitelistPath
[00:49:0797] [CHECK] HijackName
[00:49:0813] [CHECK] Signature
[00:49:0828] [PE] Mapping
[00:49:0828] [PE] Parsing
[00:49:0844] [PE] Dos header -> 0x1480000
[00:49:0860] [PE] Nt header (offset : 0xe8) file size 0x66d28
[00:49:0860] [PE] pNtHeadersx86 -> 0x14800e8
[00:49:0875] [PE] Chars -> 0x102
[00:49:0891] [PE] Optional header
[00:49:0891] [PE] Sections : 5
[00:49:0906] [PE] Section : 0 - .text
[00:49:0922] [PE] Section : 1 - .rdata
[00:49:0922] [PE] Section : 2 - .data
[00:49:0938] [PE] Section : 3 - .rsrc
[00:49:0938] [PE] Section : 4 - .reloc
[00:49:0953] [PE] File open : 1
[00:49:0969] [PE] Search sigs
[00:49:0969] [PE] Section[0/4] : 0x1480400
[00:49:0985] [PE] Init AhoCorasick
[00:50:0000] [PE] Start AhoCorasick [0x1480400 - 26624]
[00:50:0000] [PE] Looking results : 0
[00:50:0016] [PE] Section[1/4] : 0x1486c00
[00:50:0031] [PE] Init AhoCorasick
[00:50:0031] [PE] Start AhoCorasick [0x1486c00 - 9216]
[00:50:0047] [PE] Looking results : 0
[00:50:0063] [PE] Section[2/4] : 0x1489000
[00:50:0063] [PE] Init AhoCorasick
[00:50:0078] [PE] Start AhoCorasick [0x1489000 - 3584]
[00:50:0094] [PE] Looking results : 0
[00:50:0094] [PE] Section[3/4] : 0x1489e00
[00:50:0110] [PE] Init AhoCorasick
[00:50:0125] [PE] Start AhoCorasick [0x1489e00 - 370688]
[00:50:0141] [PE] Looking results : 0
[00:50:0141] [PE] Section[4/4] : 0x14e4600
[00:50:0156] [PE] Init AhoCorasick
[00:50:0172] [PE] Start AhoCorasick [0x14e4600 - 4608]
[00:50:0172] [PE] Looking results : 0
[00:50:0188] [CHECK] Blacklist
[00:50:0203] [CHECK] BlacklistPath
[00:50:0203] [CHECK] BlacklistMD5
[00:50:0219] [CHECK] MadeNumbers
[00:50:0235] [CHECK] HasUnicode
[00:50:0235] [CHECK] SuspPath
[00:50:0250] [CHECK] ProcessResidue
[00:50:0266] [CHECK] Not found!
[00:50:0281] [Check Processes] [1620][_648] realsched.exe : C:\Program Files\Common Files\Real\Update_OB\realsched.exe
[00:50:0297] [CHECK] WhiteDLL
[00:50:0313] [CHECK] Whitelist
[00:50:0313] [CHECK] WellKnown
[00:50:0328] [CHECK] WhitelistPath
[00:50:0344] [CHECK] HijackName
[00:50:0344] [CHECK] Signature
[00:50:0360] [PE] Mapping
[00:50:0375] [PE] Parsing
[00:50:0391] [PE] Dos header -> 0x1480000
[00:50:0391] [PE] Nt header (offset : 0xf8) file size 0x30610
[00:50:0406] [PE] pNtHeadersx86 -> 0x14800f8
[00:50:0422] [PE] Chars -> 0x10f
[00:50:0422] [PE] Optional header
[00:50:0438] [PE] Sections : 4
[00:50:0453] [PE] Section : 0 - .text
[00:50:0453] [PE] Section : 1 - .rdata
[00:50:0469] [PE] Section : 2 - .data
[00:50:0485] [PE] Section : 3 - .rsrc
[00:50:0485] [PE] File open : 1
[00:50:0500] [PE] Search sigs
[00:50:0516] [PE] Section[0/3] : 0x1481000
[00:50:0516] [PE] Init AhoCorasick
[00:50:0531] [PE] Start AhoCorasick [0x1481000 - 151552]
[00:50:0547] [PE] Looking results : 0
[00:50:0547] [PE] Section[1/3] : 0x14a6000
[00:50:0563] [PE] Init AhoCorasick
[00:50:0578] [PE] Start AhoCorasick [0x14a6000 - 28672]
[00:50:0578] [PE] Looking results : 0
[00:50:0594] [PE] Section[2/3] : 0x14ad000
[00:50:0610] [PE] Init AhoCorasick
[00:50:0610] [PE] Start AhoCorasick [0x14ad000 - 4096]
[00:50:0625] [PE] Looking results : 0
[00:50:0641] [PE] Section[3/3] : 0x14ae000
[00:50:0641] [PE] Init AhoCorasick
[00:50:0656] [PE] Start AhoCorasick [0x14ae000 - 4096]
[00:50:0672] [PE] Looking results : 0
[00:50:0672] [CHECK] Blacklist
[00:50:0688] [CHECK] BlacklistPath
[00:50:0703] [CHECK] BlacklistMD5
[00:50:0703] [CHECK] MadeNumbers
[00:50:0719] [CHECK] HasUnicode
[00:50:0735] [CHECK] SuspPath
[00:50:0735] [CHECK] ProcessResidue
[00:50:0750] [CHECK] Not found!
[00:50:0813] [Check Processes] [320][_648] RIMBBLaunchAgent.exe : C:\Program Files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe
[00:50:0828] [CHECK] WhiteDLL
[00:50:0844] [CHECK] Whitelist
[00:50:0844] [CHECK] WellKnown
[00:50:0860] [CHECK] WhitelistPath
[00:50:0875] [CHECK] HijackName
[00:50:0875] [CHECK] Signature
[00:50:0891] [PE] Mapping
[00:50:0906] [PE] Parsing
[00:50:0922] [PE] Dos header -> 0x1480000
[00:50:0922] [PE] Nt header (offset : 0x100) file size 0x16150
[00:50:0938] [PE] pNtHeadersx86 -> 0x1480100
[00:50:0953] [PE] Chars -> 0x102
[00:50:0953] [PE] Optional header
[00:50:0969] [PE] Sections : 5
[00:50:0969] [PE] Section : 0 - .text
[00:50:0985] [PE] Section : 1 - .rdata
[00:51:0000] [PE] Section : 2 - .data
[00:51:0000] [PE] Section : 3 - .rsrc
[00:51:0016] [PE] Section : 4 - .reloc
[00:51:0031] [PE] File open : 1
[00:51:0031] [PE] Search sigs
[00:51:0047] [PE] Section[0/4] : 0x1481000
[00:51:0063] [PE] Init AhoCorasick
[00:51:0063] [PE] Start AhoCorasick [0x1481000 - 49152]
[00:51:0078] [PE] Looking results : 0
[00:51:0094] [PE] Section[1/4] : 0x148d000
[00:51:0094] [PE] Init AhoCorasick
[00:51:0110] [PE] Start AhoCorasick [0x148d000 - 16384]
[00:51:0125] [PE] Looking results : 0
[00:51:0125] [PE] Section[2/4] : 0x1491000
[00:51:0141] [PE] Init AhoCorasick
[00:51:0156] [PE] Start AhoCorasick [0x1491000 - 4096]
[00:51:0156] [PE] Looking results : 0
[00:51:0172] [PE] Section[3/4] : 0x1492000
[00:51:0188] [PE] Init AhoCorasick
[00:51:0188] [PE] Start AhoCorasick [0x1492000 - 4096]
[00:51:0203] [PE] Looking results : 0
[00:51:0219] [PE] Section[4/4] : 0x1493000
[00:51:0219] [PE] Init AhoCorasick
[00:51:0235] [PE] Start AhoCorasick [0x1493000 - 8192]
[00:51:0250] [PE] Looking results : 0
[00:51:0250] [CHECK] Blacklist
[00:51:0266] [CHECK] BlacklistPath
[00:51:0281] [CHECK] BlacklistMD5
[00:51:0281] [CHECK] MadeNumbers
[00:51:0297] [CHECK] HasUnicode
[00:51:0313] [CHECK] SuspPath
[00:51:0313] [CHECK] ProcessResidue
[00:51:0328] [CHECK] Not found!
[00:51:0360] [Check Processes] [456][_648] hkcmd.exe : C:\WINDOWS\SYSTEM32\hkcmd.exe
[00:51:0360] [CHECK] WhiteDLL
[00:51:0375] [CHECK] Whitelist
[00:51:0391] [CHECK] WellKnown
[00:51:0391] [CHECK] WhitelistPath
[00:51:0406] [CHECK] HijackName
[00:51:0422] [CHECK] Signature
[00:51:0422] [PE] Mapping
[00:51:0438] [PE] Parsing
[00:51:0453] [PE] Dos header -> 0x1480000
[00:51:0453] [PE] Nt header (offset : 0x100) file size 0x13000
[00:51:0469] [PE] pNtHeadersx86 -> 0x1480100
[00:51:0485] [PE] Chars -> 0x10f
[00:51:0485] [PE] Optional header
[00:51:0500] [PE] Sections : 4
[00:51:0516] [PE] Section : 0 - .text
[00:51:0516] [PE] Section : 1 - .rdata
[00:51:0531] [PE] Section : 2 - .data
[00:51:0547] [PE] Section : 3 - .rsrc
[00:51:0547] [PE] File open : 1
[00:51:0563] [PE] Search sigs
[00:51:0578] [PE] Section[0/3] : 0x1481000
[00:51:0610] [PE] Init AhoCorasick
[00:51:0625] [PE] Start AhoCorasick [0x1481000 - 45056]
[00:51:0625] [PE] Looking results : 0
[00:51:0641] [PE] Section[1/3] : 0x148c000
[00:51:0656] [PE] Init AhoCorasick
[00:51:0656] [PE] Start AhoCorasick [0x148c000 - 8192]
[00:51:0672] [PE] Looking results : 0
[00:51:0688] [PE] Section[2/3] : 0x148e000
[00:51:0688] [PE] Init AhoCorasick
[00:51:0703] [PE] Start AhoCorasick [0x148e000 - 16384]
[00:51:0719] [PE] Looking results : 0
[00:51:0719] [PE] Section[3/3] : 0x1492000
[00:51:0735] [PE] Init AhoCorasick
[00:51:0750] [PE] Start AhoCorasick [0x1492000 - 4096]
[00:51:0750] [PE] Looking results : 0
[00:51:0797] [CHECK] Blacklist
[00:51:0813] [CHECK] BlacklistPath
[00:51:0813] [CHECK] BlacklistMD5
[00:51:0828] [CHECK] MadeNumbers
[00:51:0844] [CHECK] HasUnicode
[00:51:0844] [CHECK] SuspPath
[00:51:0860] [CHECK] ProcessResidue
[00:51:0875] [CHECK] Not found!
[00:51:0906] [Check Processes] [496][_648] igfxpers.exe : C:\WINDOWS\SYSTEM32\igfxpers.exe
[00:51:0922] [CHECK] WhiteDLL
[00:51:0922] [CHECK] Whitelist
[00:51:0938] [CHECK] WellKnown
[00:51:0953] [CHECK] WhitelistPath
[00:51:0953] [CHECK] HijackName
[00:51:0969] [CHECK] Signature
[00:51:0985] [PE] Mapping
[00:52:0000] [PE] Parsing
[00:52:0000] [PE] Dos header -> 0x1480000
[00:52:0016] [PE] Nt header (offset : 0xf8) file size 0x1c000
[00:52:0031] [PE] pNtHeadersx86 -> 0x14800f8
[00:52:0031] [PE] Chars -> 0x10e
[00:52:0047] [PE] Optional header
[00:52:0047] [PE] Sections : 6
[00:52:0063] [PE] Section : 0 - .text
[00:52:0078] [PE] Section : 1 - .rdata
[00:52:0078] [PE] Section : 2 - .data
[00:52:0094] [PE] Section : 3 - .idata
[00:52:0110] [PE] Section : 4 - .rsrc
[00:52:0110] [PE] Section : 5 - .reloc
[00:52:0125] [PE] File open : 1
[00:52:0141] [PE] Search sigs
[00:52:0141] [PE] Section[0/5] : 0x1481000
[00:52:0156] [PE] Init AhoCorasick
[00:52:0172] [PE] Start AhoCorasick [0x1481000 - 69632]
[00:52:0188] [PE] Looking results : 0
[00:52:0188] [PE] Section[1/5] : 0x1492000
[00:52:0203] [PE] Init AhoCorasick
[00:52:0219] [PE] Start AhoCorasick [0x1492000 - 8192]
[00:52:0219] [PE] Looking results : 0
[00:52:0235] [PE] Section[2/5] : 0x1494000
[00:52:0250] [PE] Init AhoCorasick
[00:52:0250] [PE] Start AhoCorasick [0x1494000 - 16384]
[00:52:0266] [PE] Looking results : 0
[00:52:0266] [PE] Section[3/5] : 0x1498000
[00:52:0281] [PE] Init AhoCorasick
[00:52:0297] [PE] Start AhoCorasick [0x1498000 - 4096]
[00:52:0297] [PE] Looking results : 0
[00:52:0313] [PE] Section[4/5] : 0x1499000
[00:52:0328] [PE] Init AhoCorasick
[00:52:0328] [PE] Start AhoCorasick [0x1499000 - 4096]
[00:52:0344] [PE] Looking results : 0
[00:52:0360] [PE] Section[5/5] : 0x149a000
[00:52:0360] [PE] Init AhoCorasick
[00:52:0375] [PE] Start AhoCorasick [0x149a000 - 8192]
[00:52:0391] [PE] Looking results : 0
[00:52:0391] [CHECK] Blacklist
[00:52:0406] [CHECK] BlacklistPath
[00:52:0422] [CHECK] BlacklistMD5
[00:52:0422] [CHECK] MadeNumbers
[00:52:0438] [CHECK] HasUnicode
[00:52:0453] [CHECK] SuspPath
[00:52:0453] [CHECK] ProcessResidue
[00:52:0469] [CHECK] Not found!
[00:52:0485] [Check Processes] [548][_648] ctfmon.exe : C:\WINDOWS\SYSTEM32\ctfmon.exe
[00:52:0500] [CHECK] WhiteDLL
[00:52:0516] [CHECK] Whitelist
[00:52:0531] [CHECK] WellKnown
[00:52:0563] [Check Processes] [2228][_712] iPodService.exe : C:\Program Files\iPod\bin\iPodService.exe
[00:52:0578] [CHECK] WhiteDLL
[00:52:0594] [CHECK] Whitelist
[00:52:0594] [CHECK] WellKnown
[00:52:0610] [CHECK] WhitelistPath
[00:52:0625] [CHECK] HijackName
[00:52:0625] [CHECK] Signature
[00:52:0656] [PE] Mapping
[00:52:0672] [PE] Parsing
[00:52:0672] [PE] Dos header -> 0x1480000
[00:52:0688] [PE] Nt header (offset : 0xf8) file size 0xc8328
[00:52:0703] [PE] pNtHeadersx86 -> 0x14800f8
[00:52:0703] [PE] Chars -> 0x102
[00:52:0719] [PE] Optional header
[00:52:0735] [PE] Sections : 5
[00:52:0735] [PE] Section : 0 - .text
[00:52:0750] [PE] Section : 1 - .rdata
[00:52:0797] [PE] Section : 2 - .data
[00:52:0797] [PE] Section : 3 - .rsrc
[00:52:0813] [PE] Section : 4 - .reloc
[00:52:0828] [PE] File open : 1
[00:52:0828] [PE] Search sigs
[00:52:0844] [PE] Section[0/4] : 0x1480400
[00:52:0844] [PE] Init AhoCorasick
[00:52:0860] [PE] Start AhoCorasick [0x1480400 - 299520]
[00:52:0875] [PE] Looking results : 0
[00:52:0891] [PE] Section[1/4] : 0x14c9600
[00:52:0906] [PE] Init AhoCorasick
[00:52:0906] [PE] Start AhoCorasick [0x14c9600 - 80896]
[00:52:0922] [PE] Looking results : 0
[00:52:0938] [PE] Section[2/4] : 0x14dd200
[00:52:0938] [PE] Init AhoCorasick
[00:52:0953] [PE] Start AhoCorasick [0x14dd200 - 11776]
[00:52:0969] [PE] Looking results : 0
[00:52:0969] [PE] Section[3/4] : 0x14e0000
[00:52:0985] [PE] Init AhoCorasick
[00:53:0000] [PE] Start AhoCorasick [0x14e0000 - 395776]
[00:53:0016] [PE] Looking results : 0
[00:53:0016] [PE] Section[4/4] : 0x1540a00
[00:53:0031] [PE] Init AhoCorasick
[00:53:0047] [PE] Start AhoCorasick [0x1540a00 - 25600]
[00:53:0047] [PE] Looking results : 0
[00:53:0063] [CHECK] Blacklist
[00:53:0078] [CHECK] BlacklistPath
[00:53:0078] [CHECK] BlacklistMD5
[00:53:0094] [CHECK] MadeNumbers
[00:53:0110] [CHECK] HasUnicode
[00:53:0110] [CHECK] SuspPath
[00:53:0125] [CHECK] ProcessResidue
[00:53:0141] [CHECK] Not found!
[00:53:0610] [Check Services] [1/314] Abiosdsk
[00:53:0641] [Check Services] C:\WINDOWS\system32\drivers\Abiosdsk.sys
[00:53:0641] [Check Services] [2/314] abp480n5
[00:53:0656] [Check Services] C:\WINDOWS\system32\DRIVERS\ABP480N5.SYS
[00:53:0672] [Check Services] [3/314] ACPI
[00:53:0688] [Check Services] C:\WINDOWS\system32\DRIVERS\ACPI.sys
[00:53:0688] [Check Services] [4/314] ACPIEC
[00:53:0703] [Check Services] C:\WINDOWS\SYSTEM32\DRIVERS\ACPIEC.SYS
[00:53:0719] [Check Services] [5/314] ADMXGHMD
[00:53:0735] [Check Services] C:\Documents and Settings\Euan\Local Settings\Temp\ADMXGHMD.exe
[00:53:0735] [Check Services] [6/314] AdobeFlashPlayerUpdateSvc
[00:53:0860] [Check Services] C:\WINDOWS\SYSTEM32\Macromed\Flash\FlashPlayerUpdateService.exe
[00:53:0891] [Check Services] [7/314] adpu160m
[00:53:0906] [Check Services] C:\WINDOWS\system32\DRIVERS\adpu160m.sys
[00:53:0906] [Check Services] [8/314] aec
[00:53:0922] [Check Services] C:\WINDOWS\system32\drivers\aec.sys
[00:53:0938] [Check Services] [9/314] AFD
[00:53:0953] [Check Services] C:\WINDOWS\System32\drivers\afd.sys
[00:53:0953] [Check Services] [10/314] agp440
[00:53:0969] [Check Services] C:\WINDOWS\system32\DRIVERS\agp440.sys
[00:53:0985] [Check Services] [11/314] agpCPQ
[00:54:0000] [Check Services] C:\WINDOWS\system32\DRIVERS\agpCPQ.sys
[00:54:0000] [Check Services] [12/314] Aha154x
[00:54:0016] [Check Services] C:\WINDOWS\system32\DRIVERS\aha154x.sys
[00:54:0031] [Check Services] [13/314] aic78u2
[00:54:0047] [Check Services] C:\WINDOWS\system32\DRIVERS\aic78u2.sys
[00:54:0047] [Check Services] [14/314] aic78xx
[00:54:0063] [Check Services] C:\WINDOWS\system32\DRIVERS\aic78xx.sys
[00:54:0078] [Check Services] [15/314] Alerter
[00:54:0094] [Check Services] C:\WINDOWS\system32\svchost.exe -k LocalService
[00:54:0094] [Check Services] [16/314] ALG
[00:54:0110] [Check Services] C:\WINDOWS\SYSTEM32\alg.exe
[00:54:0125] [Check Services] [17/314] AliIde
[00:54:0141] [Check Services] C:\WINDOWS\system32\DRIVERS\aliide.sys
[00:54:0156] [Check Services] [18/314] alim1541
[00:54:0156] [Check Services] C:\WINDOWS\system32\DRIVERS\alim1541.sys
[00:54:0172] [Check Services] [19/314] amdagp
[00:54:0188] [Check Services] C:\WINDOWS\system32\DRIVERS\amdagp.sys
[00:54:0203] [Check Services] [20/314] amsint
[00:54:0203] [Check Services] C:\WINDOWS\system32\DRIVERS\amsint.sys
[00:54:0219] [Check Services] [21/314] AppMgmt
[00:54:0235] [Check Services] C:\WINDOWS\system32\svchost.exe -k netsvcs
[00:54:0250] [Check Services] [22/314] asc
[00:54:0250] [Check Services] C:\WINDOWS\system32\DRIVERS\asc.sys
[00:54:0266] [Check Services] [23/314] asc3350p
[00:54:0281] [Check Services] C:\WINDOWS\system32\DRIVERS\asc3350p.sys
[00:54:0297] [Check Services] [24/314] asc3550
[00:54:0313] [Check Services] C:\WINDOWS\system32\DRIVERS\asc3550.sys
[00:54:0344] [Check Services] [25/314] aspnet_state
[00:54:0375] [Check Services] C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
[00:54:0391] [Check Services] [26/314] AsyncMac
[00:54:0406] [Check Services] C:\WINDOWS\system32\DRIVERS\asyncmac.sys
[00:54:0406] [Check Services] [27/314] atapi
[00:54:0422] [Check Services] C:\WINDOWS\system32\DRIVERS\atapi.sys
[00:54:0438] [Check Services] [28/314] Atdisk
[00:54:0453] [Check Services] C:\WINDOWS\system32\drivers\Atdisk.sys
[00:54:0453] [Check Services] [29/314] Atmarpc
[00:54:0469] [Check Services] C:\WINDOWS\system32\DRIVERS\atmarpc.sys
[00:54:0485] [Check Services] [30/314] AudioSrv
[00:54:0500] [Check Services] C:\WINDOWS\System32\svchost.exe -k netsvcs
[00:54:0500] [Check Services] [31/314] audstub
[00:54:0516] [Check Services] C:\WINDOWS\system32\DRIVERS\audstub.sys
[00:54:0531] [Check Services] [32/314] Beep
[00:54:0547] [Check Services] C:\WINDOWS\SYSTEM32\DRIVERS\BEEP.SYS
[00:54:0563] [Check Services] [33/314] BITS
[00:54:0563] [Check Services] C:\WINDOWS\System32\svchost.exe -k netsvcs
[00:54:0578] [Check Services] [34/314] Bonjour Service
[00:54:0594] [Check Services] "C:\Program Files\Bonjour\mDNSResponder.exe"
[00:54:0610] [Check Services] [35/314] Browser
[00:54:0625] [Check Services] C:\WINDOWS\system32\svchost.exe -k netsvcs
[00:54:0625] [Check Services] [36/314] bvrp_pci
[00:54:0641] [Check Services] C:\WINDOWS\system32\drivers\bvrp_pci.sys
[00:54:0656] [Check Services] [37/314] cbidf
[00:54:0672] [Check Services] C:\WINDOWS\system32\DRIVERS\cbidf2k.sys
[00:54:0672] [Check Services] [38/314] cbidf2k
[00:54:0688] [Check Services] C:\WINDOWS\SYSTEM32\DRIVERS\CBIDF2K.SYS
[00:54:0703] [Check Services] [39/314] cd20xrnt
[00:54:0719] [Check Services] C:\WINDOWS\system32\DRIVERS\cd20xrnt.sys
[00:54:0719] [Check Services] [40/314] Cdaudio
[00:54:0735] [Check Services] C:\WINDOWS\SYSTEM32\DRIVERS\CDAUDIO.SYS
[00:54:0750] [Check Services] [41/314] Cdfs
[00:54:0813] [Check Services] C:\WINDOWS\SYSTEM32\DRIVERS\cdfs.sys
[00:54:0813] [Check Services] [42/314] Cdrom
[00:54:0828] [Check Services] C:\WINDOWS\system32\DRIVERS\cdrom.sys
[00:54:0844] [Check Services] [43/314] Changer
[00:54:0860] [Check Services] C:\WINDOWS\system32\drivers\Changer.sys
[00:54:0860] [Check Services] [44/314] CiSvc
[00:54:0906] [Check Services] C:\WINDOWS\SYSTEM32\cisvc.exe
[00:54:0906] [Check Services] [45/314] ClipSrv
[00:54:0922] [Check Services] C:\WINDOWS\SYSTEM32\clipsrv.exe
[00:54:0938] [Check Services] [46/314] clr_optimization_v2.0.50727_32
[00:54:0985] [Check Services] c:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
[00:55:0000] [Check Services] [47/314] CmdIde
[00:55:0016] [Check Services] C:\WINDOWS\system32\DRIVERS\cmdide.sys
[00:55:0016] [Check Services] [48/314] COMSysApp
[00:55:0031] [Check Services] C:\WINDOWS\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
[00:55:0047] [Check Services] [49/314] Cpqarray
[00:55:0063] [Check Services] C:\WINDOWS\system32\DRIVERS\cpqarray.sys
[00:55:0063] [Check Services] [50/314] CryptSvc
[00:55:0078] [Check Services] C:\WINDOWS\system32\svchost.exe -k netsvcs
[00:55:0094] [Check Services] [51/314] dac2w2k
[00:55:0110] [Check Services] C:\WINDOWS\system32\DRIVERS\dac2w2k.sys
[00:55:0110] [Check Services] [52/314] dac960nt
[00:55:0125] [Check Services] C:\WINDOWS\system32\DRIVERS\dac960nt.sys
[00:55:0141] [Check Services] [53/314] DcomLaunch
[00:55:0156] [Check Services] C:\WINDOWS\system32\svchost -k DcomLaunch
[00:55:0156] [Check Services] [54/314] Dhcp
[00:55:0172] [Check Services] C:\WINDOWS\system32\svchost.exe -k netsvcs
[00:55:0188] [Check Services] [55/314] Disk
[00:55:0203] [Check Services] C:\WINDOWS\system32\DRIVERS\disk.sys
[00:55:0219] [Check Services] [56/314] dmadmin
[00:55:0219] [Check Services] C:\WINDOWS\System32\dmadmin.exe /com
[00:55:0235] [Check Services] [57/314] dmboot
[00:55:0250] [Check Services] C:\WINDOWS\System32\drivers\dmboot.sys
[00:55:0266] [Check Services] [58/314] dmio
[00:55:0281] [Check Services] C:\WINDOWS\System32\drivers\dmio.sys
[00:55:0281] [Check Services] [59/314] dmload
[00:55:0297] [Check Services] C:\WINDOWS\System32\drivers\dmload.sys
[00:55:0313] [Check Services] [60/314] dmserver
[00:55:0328] [Check Services] C:\WINDOWS\System32\svchost.exe -k netsvcs
[00:55:0328] [Check Services] [61/314] DMusic
[00:55:0344] [Check Services] C:\WINDOWS\system32\drivers\DMusic.sys
[00:55:0360] [Check Services] [62/314] Dnscache
[00:55:0375] [Check Services] C:\WINDOWS\system32\svchost.exe -k NetworkService
[00:55:0391] [Check Services] [63/314] Dot3svc
[00:55:0406] [Check Services] C:\WINDOWS\System32\svchost.exe -k dot3svc
[00:55:0422] [Check Services] [64/314] dpti2o
[00:55:0438] [Check Services] C:\WINDOWS\system32\DRIVERS\dpti2o.sys
[00:55:0453] [Check Services] [65/314] drmkaud
[00:55:0469] [Check Services] C:\WINDOWS\system32\drivers\drmkaud.sys
[00:55:0469] [Check Services] [66/314] drvmcdb
[00:55:0485] [Check Services] C:\WINDOWS\system32\drivers\drvmcdb.sys
[00:55:0500] [Check Services] [67/314] drvnddm
[00:55:0516] [Check Services] C:\WINDOWS\system32\drivers\drvnddm.sys
[00:55:0516] [Check Services] [68/314] E100B
[00:55:0531] [Check Services] C:\WINDOWS\system32\DRIVERS\e100b325.sys
[00:55:0547] [Check Services] [69/314] EapHost
[00:55:0563] [Check Services] C:\WINDOWS\System32\svchost.exe -k eapsvcs
[00:55:0578] [Check Services] [70/314] ERSvc
[00:55:0578] [Check Services] C:\WINDOWS\System32\svchost.exe -k netsvcs
[00:55:0594] [Check Services] [71/314] Eventlog
[00:55:0610] [Check Services] C:\WINDOWS\SYSTEM32\services.exe
[00:55:0625] [Check Services] [72/314] EventSystem
[00:55:0641] [Check Services] C:\WINDOWS\system32\svchost.exe -k netsvcs
[00:55:0641] [Check Services] [73/314] Fastfat
[00:55:0656] [Check Services] C:\WINDOWS\SYSTEM32\DRIVERS\fastfat.sys
[00:55:0672] [Check Services] [74/314] FastUserSwitchingCompatibility
[00:55:0688] [Check Services] C:\WINDOWS\System32\svchost.exe -k netsvcs
[00:55:0688] [Check Services] [75/314] fbvldaqz
[00:55:0703] [Check Services] C:\WINDOWS\system32\drivers\fbvldaqz.sys
[00:55:0719] [Check Services] [76/314] Fdc
[00:55:0735] [Check Services] C:\WINDOWS\system32\DRIVERS\fdc.sys
[00:55:0735] [Check Services] [77/314] Fips
[00:55:0750] [Check Services] C:\WINDOWS\SYSTEM32\DRIVERS\fips.sys
[00:55:0781] [Check Services] [78/314] Flpydisk
[00:55:0797] [Check Services] C:\WINDOWS\system32\DRIVERS\flpydisk.sys
[00:55:0813] [Check Services] [79/314] FltMgr
[00:55:0828] [Check Services] C:\WINDOWS\system32\drivers\fltmgr.sys
[00:55:0844] [Check Services] [80/314] FontCache3.0.0.0
[00:55:0922] [Check Services] c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
[00:55:0938] [Check Services] [81/314] FsUsbExDisk
[00:55:0969] [Check Services] C:\WINDOWS\SYSTEM32\FsUsbExDisk.SYS
[00:55:0969] [Check Services] [82/314] Ftdisk
[00:55:0985] [Check Services] C:\WINDOWS\system32\DRIVERS\ftdisk.sys
[00:56:0000] [Check Services] [83/314] GEARAspiWDM
[00:56:0016] [Check Services] C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys
[00:56:0031] [Check Services] [84/314] Gpc
[00:56:0031] [Check Services] C:\WINDOWS\system32\DRIVERS\msgpc.sys
[00:56:0047] [Check Services] [85/314] gupdate1c9ed306e0f9d60
[00:56:0063] [Check Services] "C:\Program Files\Google\Update\GoogleUpdate.exe" /svc
[00:56:0078] [Check Services] [86/314] gupdatem
[00:56:0094] [Check Services] "C:\Program Files\Google\Update\GoogleUpdate.exe" /medsvc
[00:56:0094] [Check Services] [87/314] helpsvc
[00:56:0110] [Check Services] C:\WINDOWS\System32\svchost.exe -k netsvcs
[00:56:0125] [Check Services] [88/314] HidServ
[00:56:0141] [Check Services] C:\WINDOWS\System32\svchost.exe -k netsvcs
[00:56:0141] [Check Services] [89/314] HidUsb
[00:56:0156] [Check Services] C:\WINDOWS\system32\DRIVERS\hidusb.sys
[00:56:0172] [Check Services] [90/314] hkmsvc
[00:56:0188] [Check Services] C:\WINDOWS\System32\svchost.exe -k netsvcs
[00:56:0203] [Check Services] [91/314] hpn
[00:56:0219] [Check Services] C:\WINDOWS\system32\DRIVERS\hpn.sys
[00:56:0250] [Check Services] [92/314] HTTP
[00:56:0266] [Check Services] C:\WINDOWS\System32\Drivers\HTTP.sys
[00:56:0281] [Check Services] [93/314] HTTPFilter
[00:56:0281] [Check Services] C:\WINDOWS\System32\svchost.exe -k HTTPFilter
[00:56:0297] [Check Services] [94/314] i2omgmt
[00:56:0313] [Check Services] C:\WINDOWS\SYSTEM32\DRIVERS\i2omgmt.sys
[00:56:0328] [Check Services] [95/314] i2omp
[00:56:0344] [Check Services] C:\WINDOWS\system32\DRIVERS\i2omp.sys
[00:56:0344] [Check Services] [96/314] i8042prt
[00:56:0360] [Check Services] C:\WINDOWS\system32\DRIVERS\i8042prt.sys
[00:56:0375] [Check Services] [97/314] ialm
[00:56:0391] [Check Services] C:\WINDOWS\system32\DRIVERS\ialmnt5.sys
[00:56:0391] [Check Services] [98/314] idsvc
[00:56:0406] [Check Services] "c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe"
[00:56:0422] [Check Services] [99/314] Imapi
[00:56:0438] [Check Services] C:\WINDOWS\system32\DRIVERS\imapi.sys
[00:56:0453] [Check Services] [100/314] ImapiService
[00:56:0485] [Check Services] C:\WINDOWS\SYSTEM32\imapi.exe
[00:56:0500] [Check Services] [101/314] ini910u
[00:56:0500] [Check Services] C:\WINDOWS\system32\DRIVERS\ini910u.sys
[00:56:0516] [Check Services] [102/314] IntelC51
[00:56:0531] [Check Services] C:\WINDOWS\system32\DRIVERS\IntelC51.sys
[00:56:0547] [Check Services] [103/314] IntelC52
[00:56:0563] [Check Services] C:\WINDOWS\system32\DRIVERS\IntelC52.sys
[00:56:0563] [Check Services] [104/314] IntelC53
[00:56:0578] [Check Services] C:\WINDOWS\system32\DRIVERS\IntelC53.sys
[00:56:0594] [Check Services] [105/314] IntelIde
[00:56:0610] [Check Services] C:\WINDOWS\system32\DRIVERS\intelide.sys
[00:56:0610] [Check Services] [106/314] intelppm
[00:56:0625] [Check Services] C:\WINDOWS\system32\DRIVERS\intelppm.sys
[00:56:0641] [Check Services] [107/314] Ip6Fw
[00:56:0656] [Check Services] C:\WINDOWS\system32\drivers\ip6fw.sys
[00:56:0672] [Check Services] [108/314] IpFilterDriver
[00:56:0672] [Check Services] C:\WINDOWS\System32\DRIVERS\ipfltdrv.sys
[00:56:0688] [Check Services] [109/314] IpInIp
[00:56:0703] [Check Services] C:\WINDOWS\system32\DRIVERS\ipinip.sys
[00:56:0719] [Check Services] [110/314] IpNat
[00:56:0735] [Check Services] C:\WINDOWS\system32\DRIVERS\ipnat.sys
[00:56:0735] [Check Services] [111/314] iPod Service
[00:56:0750] [Check Services] "C:\Program Files\iPod\bin\iPodService.exe"
[00:56:0797] [Check Services] [112/314] IPSec
[00:56:0797] [Check Services] C:\WINDOWS\system32\DRIVERS\ipsec.sys
[00:56:0813] [Check Services] [113/314] IRENUM
[00:56:0828] [Check Services] C:\WINDOWS\system32\DRIVERS\irenum.sys
[00:56:0844] [Check Services] [114/314] isapnp
[00:56:0860] [Check Services] C:\WINDOWS\system32\DRIVERS\isapnp.sys
[00:56:0860] [Check Services] [115/314] JavaQuickStarterService
[00:56:0875] [Check Services] "C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf"
[00:56:0891] [Check Services] [116/314] Kbdclass
[00:56:0906] [Check Services] C:\WINDOWS\system32\DRIVERS\kbdclass.sys
[00:56:0906] [Check Services] [117/314] kmixer
[00:56:0922] [Check Services] C:\WINDOWS\system32\drivers\kmixer.sys
[00:56:0938] [Check Services] [118/314] KSecDD
[00:56:0953] [Check Services] C:\WINDOWS\SYSTEM32\DRIVERS\ksecdd.sys
[00:56:0969] [Check Services] [119/314] lanmanserver
[00:56:0969] [Check Services] C:\WINDOWS\system32\svchost.exe -k netsvcs
[00:56:0985] [Check Services] [120/314] lanmanworkstation
[00:57:0000] [Check Services] C:\WINDOWS\system32\svchost.exe -k netsvcs
[00:57:0016] [Check Services] [121/314] lbrtfdc
[00:57:0031] [Check Services] C:\WINDOWS\system32\drivers\lbrtfdc.sys
[00:57:0031] [Check Services] [122/314] LmHosts
[00:57:0047] [Check Services] C:\WINDOWS\system32\svchost.exe -k LocalService
[00:57:0063] [Check Services] [123/314] MatSvc
[00:57:0094] [Check Services] "C:\Program Files\Microsoft Fix it Center\Matsvc.exe"
[00:57:0110] [Check Services] [124/314] Messenger
[00:57:0125] [Check Services] C:\WINDOWS\system32\svchost.exe -k netsvcs
[00:57:0141] [Check Services] [125/314] Microsoft Office Groove Audit Service
[00:57:0156] [Check Services] "C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe"
[00:57:0156] [Check Services] [126/314] mnmdd
[00:57:0172] [Check Services] C:\WINDOWS\SYSTEM32\DRIVERS\MNMDD.SYS
[00:57:0188] [Check Services] [127/314] mnmsrvc
[00:57:0203] [Check Services] C:\WINDOWS\SYSTEM32\mnmsrvc.exe
[00:57:0219] [Check Services] [128/314] Modem
[00:57:0219] [Check Services] C:\WINDOWS\SYSTEM32\DRIVERS\modem.sys
[00:57:0235] [Check Services] [129/314] MODEMCSA
[00:57:0250] [Check Services] C:\WINDOWS\system32\drivers\MODEMCSA.sys
[00:57:0266] [Check Services] [130/314] mohfilt
[00:57:0281] [Check Services] C:\WINDOWS\system32\DRIVERS\mohfilt.sys
[00:57:0281] [Check Services] [131/314] Mouclass
[00:57:0297] [Check Services] C:\WINDOWS\system32\DRIVERS\mouclass.sys
[00:57:0313] [Check Services] [132/314] MountMgr
[00:57:0328] [Check Services] C:\WINDOWS\SYSTEM32\DRIVERS\mountmgr.sys
[00:57:0328] [Check Services] [133/314] MpFilter
[00:57:0344] [Check Services] C:\WINDOWS\system32\DRIVERS\MpFilter.sys
[00:57:0360] [Check Services] [134/314] mraid35x
[00:57:0375] [Check Services] C:\WINDOWS\system32\DRIVERS\mraid35x.sys
[00:57:0391] [Check Services] [135/314] MRxDAV
[00:57:0391] [Check Services] C:\WINDOWS\system32\DRIVERS\mrxdav.sys
[00:57:0406] [Check Services] [136/314] MRxSmb
[00:57:0422] [Check Services] C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
[00:57:0438] [Check Services] [137/314] MSDTC
[00:57:0453] [Check Services] C:\WINDOWS\SYSTEM32\msdtc.exe
[00:57:0453] [Check Services] [138/314] Msfs
[00:57:0469] [Check Services] C:\WINDOWS\SYSTEM32\DRIVERS\msfs.sys
[00:57:0485] [Check Services] [139/314] MSIServer
[00:57:0500] [Check Services] C:\WINDOWS\system32\msiexec.exe /V
[00:57:0500] [Check Services] [140/314] MSKSSRV
[00:57:0516] [Check Services] C:\WINDOWS\system32\drivers\MSKSSRV.sys
[00:57:0531] [Check Services] [141/314] MsMpSvc
[00:57:0547] [Check Services] "c:\Program Files\Microsoft Security Client\MsMpEng.exe"
[00:57:0563] [Check Services] [142/314] MSPCLOCK
[00:57:0563] [Check Services] C:\WINDOWS\system32\drivers\MSPCLOCK.sys
[00:57:0578] [Check Services] [143/314] MSPQM
[00:57:0594] [Check Services] C:\WINDOWS\system32\drivers\MSPQM.sys
[00:57:0610] [Check Services] [144/314] mssmbios
[00:57:0625] [Check Services] C:\WINDOWS\system32\DRIVERS\mssmbios.sys
[00:57:0625] [Check Services] [145/314] Mup
[00:57:0641] [Check Services] C:\WINDOWS\SYSTEM32\DRIVERS\mup.sys
[00:57:0656] [Check Services] [146/314] napagent
[00:57:0672] [Check Services] C:\WINDOWS\System32\svchost.exe -k netsvcs
[00:57:0672] [Check Services] [147/314] NDIS
[00:57:0688] [Check Services] C:\WINDOWS\SYSTEM32\DRIVERS\ndis.sys
[00:57:0703] [Check Services] [148/314] NdisTapi
[00:57:0719] [Check Services] C:\WINDOWS\system32\DRIVERS\ndistapi.sys
[00:57:0735] [Check Services] [149/314] Ndisuio
[00:57:0750] [Check Services] C:\WINDOWS\system32\DRIVERS\ndisuio.sys
[00:57:0750] [Check Services] [150/314] NdisWan
[00:57:0797] [Check Services] C:\WINDOWS\system32\DRIVERS\ndiswan.sys
[00:57:0797] [Check Services] [151/314] NDProxy
[00:57:0813] [Check Services] C:\WINDOWS\SYSTEM32\DRIVERS\ndproxy.sys
[00:57:0828] [Check Services] [152/314] NetBIOS
[00:57:0844] [Check Services] C:\WINDOWS\system32\DRIVERS\netbios.sys
[00:57:0860] [Check Services] [153/314] NetBT
[00:57:0860] [Check Services] C:\WINDOWS\system32\DRIVERS\netbt.sys
[00:57:0875] [Check Services] [154/314] NetDDE
[00:57:0891] [Check Services] C:\WINDOWS\SYSTEM32\netdde.exe
[00:57:0906] [Check Services] [155/314] NetDDEdsdm
[00:57:0922] [Check Services] C:\WINDOWS\SYSTEM32\netdde.exe
[00:57:0922] [Check Services] [156/314] Netlogon
[00:57:0938] [Check Services] C:\WINDOWS\SYSTEM32\lsass.exe
[00:57:0953] [Check Services] [157/314] Netman
[00:57:0969] [Check Services] C:\WINDOWS\System32\svchost.exe -k netsvcs
[00:57:0969] [Check Services] [158/314] NetSvc
[00:58:0063] [Check Services] C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
[00:58:0078] [Check Services] [159/314] NetTcpPortSharing
[00:58:0078] [Check Services] "c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe"
[00:58:0094] [Check Services] [160/314] Nla
[00:58:0110] [Check Services] C:\WINDOWS\system32\svchost.exe -k netsvcs
[00:58:0125] [Check Services] [161/314] Npfs
[00:58:0141] [Check Services] C:\WINDOWS\SYSTEM32\DRIVERS\npfs.sys
[00:58:0141] [Check Services] [162/314] Ntfs
[00:58:0156] [Check Services] C:\WINDOWS\SYSTEM32\DRIVERS\ntfs.sys
[00:58:0172] [Check Services] [163/314] NtLmSsp
[00:58:0188] [Check Services] C:\WINDOWS\SYSTEM32\lsass.exe
[00:58:0188] [Check Services] [164/314] NtmsSvc
[00:58:0203] [Check Services] C:\WINDOWS\system32\svchost.exe -k netsvcs
[00:58:0219] [Check Services] [165/314] Null
[00:58:0235] [Check Services] C:\WINDOWS\SYSTEM32\DRIVERS\NULL.SYS
[00:58:0250] [Check Services] [166/314] nv
[00:58:0266] [Check Services] C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
[00:58:0266] [Check Services] [167/314] NwlnkFlt
[00:58:0281] [Check Services] C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
[00:58:0297] [Check Services] [168/314] NwlnkFwd
[00:58:0313] [Check Services] C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
[00:58:0313] [Check Services] [169/314] odserv
[00:58:0328] [Check Services] "C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE"
[00:58:0344] [Check Services] [170/314] ose
[00:58:0360] [Check Services] "C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
[00:58:0375] [Check Services] [171/314] Parport
[00:58:0406] [Check Services] C:\WINDOWS\system32\DRIVERS\parport.sys
[00:58:0422] [Check Services] [172/314] PartMgr
[00:58:0438] [Check Services] C:\WINDOWS\SYSTEM32\DRIVERS\partmgr.sys
[00:58:0438] [Check Services] [173/314] ParVdm
[00:58:0453] [Check Services] C:\WINDOWS\SYSTEM32\DRIVERS\PARVDM.SYS
[00:58:0469] [Check Services] [174/314] PCI
[00:58:0485] [Check Services] C:\WINDOWS\system32\DRIVERS\pci.sys
[00:58:0500] [Check Services] [175/314] PCIDump
[00:58:0500] [Check Services] C:\WINDOWS\system32\drivers\PCIDump.sys
[00:58:0516] [Check Services] [176/314] PCIIde
[00:58:0531] [Check Services] C:\WINDOWS\system32\DRIVERS\pciide.sys
[00:58:0547] [Check Services] [177/314] Pcmcia
[00:58:0563] [Check Services] C:\WINDOWS\SYSTEM32\DRIVERS\pcmcia.sys
[00:58:0563] [Check Services] [178/314] PDCOMP
[00:58:0578] [Check Services] C:\WINDOWS\system32\drivers\PDCOMP.sys
[00:58:0594] [Check Services] [179/314] PDFRAME
[00:58:0610] [Check Services] C:\WINDOWS\system32\drivers\PDFRAME.sys
[00:58:0625] [Check Services] [180/314] PDRELI
[00:58:0625] [Check Services] C:\WINDOWS\system32\drivers\PDRELI.sys
[00:58:0641] [Check Services] [181/314] PDRFRAME
[00:58:0656] [Check Services] C:\WINDOWS\system32\drivers\PDRFRAME.sys
[00:58:0672] [Check Services] [182/314] perc2
[00:58:0688] [Check Services] C:\WINDOWS\system32\DRIVERS\perc2.sys
[00:58:0688] [Check Services] [183/314] perc2hib
[00:58:0703] [Check Services] C:\WINDOWS\system32\DRIVERS\perc2hib.sys
[00:58:0719] [Check Services] [184/314] pfc
[00:58:0735] [Check Services] C:\WINDOWS\system32\drivers\pfc.sys
[00:58:0750] [Check Services] [185/314] PlugPlay
[00:58:0750] [Check Services] C:\WINDOWS\SYSTEM32\services.exe
[00:58:0813] [Check Services] [186/314] PptpMiniport
[00:58:0813] [Check Services] C:\WINDOWS\system32\DRIVERS\raspptp.sys
[00:58:0828] [Check Services] [187/314] ProtectedStorage
[00:58:0844] [Check Services] C:\WINDOWS\SYSTEM32\lsass.exe
[00:58:0860] [Check Services] [188/314] PSched
[00:58:0875] [Check Services] C:\WINDOWS\system32\DRIVERS\psched.sys
[00:58:0875] [Check Services] [189/314] Ptilink
[00:58:0891] [Check Services] C:\WINDOWS\system32\DRIVERS\ptilink.sys
[00:58:0906] [Check Services] [190/314] PxHelp20
[00:58:0922] [Check Services] C:\WINDOWS\System32\Drivers\PxHelp20.sys
[00:58:0922] [Check Services] [191/314] ql1080
[00:58:0938] [Check Services] C:\WINDOWS\system32\DRIVERS\ql1080.sys
[00:58:0953] [Check Services] [192/314] Ql10wnt
[00:58:0969] [Check Services] C:\WINDOWS\system32\DRIVERS\ql10wnt.sys
[00:58:0985] [Check Services] [193/314] ql12160
[00:58:0985] [Check Services] C:\WINDOWS\system32\DRIVERS\ql12160.sys
[00:59:0000] [Check Services] [194/314] ql1240
[00:59:0016] [Check Services] C:\WINDOWS\system32\DRIVERS\ql1240.sys
[00:59:0031] [Check Services] [195/314] ql1280
[00:59:0047] [Check Services] C:\WINDOWS\system32\DRIVERS\ql1280.sys
[00:59:0047] [Check Services] [196/314] RapportIaso
[00:59:0156] [Check Services] c:\documents and settings\all users\application data\Trusteer\Rapport\store\exts\rapportms\baseline\rapportiaso.sys
[00:59:0156] [Check Services] [197/314] RasAcd
[00:59:0172] [Check Services] C:\WINDOWS\system32\DRIVERS\rasacd.sys
[00:59:0188] [Check Services] [198/314] RasAuto
[00:59:0203] [Check Services] C:\WINDOWS\system32\svchost.exe -k netsvcs
[00:59:0219] [Check Services] [199/314] Rasl2tp
[00:59:0219] [Check Services] C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
[00:59:0235] [Check Services] [200/314] RasMan
[00:59:0250] [Check Services] C:\WINDOWS\system32\svchost.exe -k netsvcs
[00:59:0266] [Check Services] [201/314] RasPppoe
[00:59:0281] [Check Services] C:\WINDOWS\system32\DRIVERS\raspppoe.sys
[00:59:0281] [Check Services] [202/314] Raspti
[00:59:0297] [Check Services] C:\WINDOWS\system32\DRIVERS\raspti.sys
[00:59:0313] [Check Services] [203/314] Rdbss
[00:59:0328] [Check Services] C:\WINDOWS\system32\DRIVERS\rdbss.sys
[00:59:0344] [Check Services] [204/314] RDPCDD
[00:59:0344] [Check Services] C:\WINDOWS\System32\DRIVERS\RDPCDD.sys
[00:59:0360] [Check Services] [205/314] rdpdr
[00:59:0375] [Check Services] C:\WINDOWS\system32\DRIVERS\rdpdr.sys
[00:59:0391] [Check Services] [206/314] RDPWD
[00:59:0406] [Check Services] C:\WINDOWS\SYSTEM32\DRIVERS\rdpwd.sys
[00:59:0406] [Check Services] [207/314] RDSessMgr
[00:59:0422] [Check Services] C:\WINDOWS\SYSTEM32\sessmgr.exe
[00:59:0438] [Check Services] [208/314] redbook
[00:59:0453] [Check Services] C:\WINDOWS\system32\DRIVERS\redbook.sys
[00:59:0469] [Check Services] [209/314] RimUsb
[00:59:0469] [Check Services] C:\WINDOWS\System32\Drivers\RimUsb.sys
[00:59:0485] [Check Services] [210/314] RimVSerPort
[00:59:0516] [Check Services] C:\WINDOWS\system32\DRIVERS\RimSerial.sys
[00:59:0531] [Check Services] [211/314] ROOTMODEM
[00:59:0547] [Check Services] C:\WINDOWS\System32\Drivers\RootMdm.sys
[00:59:0547] [Check Services] [212/314] RpcLocator
[00:59:0563] [Check Services] C:\WINDOWS\SYSTEM32\locator.exe
[00:59:0578] [Check Services] [213/314] RpcSs
[00:59:0594] [Check Services] C:\WINDOWS\system32\svchost -k rpcss
[00:59:0610] [Check Services] [214/314] RSVP
[00:59:0641] [Check Services] C:\WINDOWS\SYSTEM32\RSVP.EXE
[00:59:0656] [Check Services] [215/314] SamSs
[00:59:0672] [Check Services] C:\WINDOWS\SYSTEM32\lsass.exe
[00:59:0688] [Check Services] [216/314] SCardSvr
[00:59:0688] [Check Services] C:\WINDOWS\SYSTEM32\scardsvr.exe
[00:59:0703] [Check Services] [217/314] Schedule
[00:59:0719] [Check Services] C:\WINDOWS\System32\svchost.exe -k netsvcs
[00:59:0735] [Check Services] [218/314] Secdrv
[00:59:0750] [Check Services] C:\WINDOWS\system32\DRIVERS\secdrv.sys
[00:59:0750] [Check Services] [219/314] seclogon
[00:59:0813] [Check Services] C:\WINDOWS\System32\svchost.exe -k netsvcs
[00:59:0828] [Check Services] [220/314] senfilt
[00:59:0844] [Check Services] C:\WINDOWS\system32\drivers\senfilt.sys
[00:59:0844] [Check Services] [221/314] SENS
[00:59:0860] [Check Services] C:\WINDOWS\system32\svchost.exe -k netsvcs
[00:59:0875] [Check Services] [222/314] serenum
[00:59:0891] [Check Services] C:\WINDOWS\system32\DRIVERS\serenum.sys
[00:59:0906] [Check Services] [223/314] Serial
[00:59:0906] [Check Services] C:\WINDOWS\system32\DRIVERS\serial.sys
[00:59:0922] [Check Services] [224/314] Sfloppy
[00:59:0938] [Check Services] C:\WINDOWS\SYSTEM32\DRIVERS\sfloppy.sys
[00:59:0953] [Check Services] [225/314] SharedAccess
[00:59:0969] [Check Services] C:\WINDOWS\System32\svchost.exe -k netsvcs
[00:59:0985] [Check Services] [226/314] ShellHWDetection
[01:00:0000] [Check Services] C:\WINDOWS\System32\svchost.exe -k netsvcs
[01:00:0016] [Check Services] [227/314] Simbad
[01:00:0031] [Check Services] C:\WINDOWS\system32\drivers\Simbad.sys
[01:00:0047] [Check Services] [228/314] sisagp
[01:00:0047] [Check Services] C:\WINDOWS\system32\DRIVERS\sisagp.sys
[01:00:0063] [Check Services] [229/314] SkypeUpdate
[01:00:0078] [Check Services] "C:\Program Files\Skype\Updater\Updater.exe"
[01:00:0094] [Check Services] [230/314] smwdm
[01:00:0110] [Check Services] C:\WINDOWS\system32\drivers\smwdm.sys
[01:00:0110] [Check Services] [231/314] SONYPVU1
[01:00:0125] [Check Services] C:\WINDOWS\system32\DRIVERS\SONYPVU1.SYS
[01:00:0141] [Check Services] [232/314] Sparrow
[01:00:0156] [Check Services] C:\WINDOWS\system32\DRIVERS\sparrow.sys
[01:00:0172] [Check Services] [233/314] splitter
[01:00:0188] [Check Services] C:\WINDOWS\system32\drivers\splitter.sys
[01:00:0188] [Check Services] [234/314] Spooler
[01:00:0203] [Check Services] C:\WINDOWS\SYSTEM32\spoolsv.exe
[01:00:0219] [Check Services] [235/314] sr
[01:00:0235] [Check Services] C:\WINDOWS\system32\DRIVERS\sr.sys
[01:00:0235] [Check Services] [236/314] srescan
[01:00:0250] [Check Services] C:\WINDOWS\system32\ZoneLabs\srescan.sys
[01:00:0266] [Check Services] [237/314] srservice
[01:00:0281] [Check Services] C:\WINDOWS\system32\svchost.exe -k netsvcs
[01:00:0297] [Check Services] [238/314] Srv
[01:00:0313] [Check Services] C:\WINDOWS\system32\DRIVERS\srv.sys
[01:00:0313] [Check Services] [239/314] sscdbhk5
[01:00:0328] [Check Services] C:\WINDOWS\system32\drivers\sscdbhk5.sys
[01:00:0344] [Check Services] [240/314] SSDPSRV
[01:00:0360] [Check Services] C:\WINDOWS\system32\svchost.exe -k LocalService
[01:00:0360] [Check Services] [241/314] ssrtln
[01:00:0375] [Check Services] C:\WINDOWS\system32\drivers\ssrtln.sys
[01:00:0391] [Check Services] [242/314] stisvc
[01:00:0406] [Check Services] C:\WINDOWS\system32\svchost.exe -k imgsvc
[01:00:0422] [Check Services] [243/314] swenum
[01:00:0422] [Check Services] C:\WINDOWS\system32\DRIVERS\swenum.sys
[01:00:0438] [Check Services] [244/314] swmidi
[01:00:0453] [Check Services] C:\WINDOWS\system32\drivers\swmidi.sys
[01:00:0469] [Check Services] [245/314] SwPrv
[01:00:0485] [Check Services] C:\WINDOWS\system32\dllhost.exe /Processid:{A445BD1E-49EE-4607-B370-5CCA447377C4}
[01:00:0485] [Check Services] [246/314] symc810
[01:00:0500] [Check Services] C:\WINDOWS\system32\DRIVERS\symc810.sys
[01:00:0516] [Check Services] [247/314] symc8xx
[01:00:0531] [Check Services] C:\WINDOWS\system32\DRIVERS\symc8xx.sys
[01:00:0547] [Check Services] [248/314] sym_hi
[01:00:0563] [Check Services] C:\WINDOWS\system32\DRIVERS\sym_hi.sys
[01:00:0578] [Check Services] [249/314] sym_u3
[01:00:0578] [Check Services] C:\WINDOWS\system32\DRIVERS\sym_u3.sys
[01:00:0594] [Check Services] [250/314] sysaudio
[01:00:0610] [Check Services] C:\WINDOWS\system32\drivers\sysaudio.sys
[01:00:0625] [Check Services] [251/314] SysmonLog
[01:00:0656] [Check Services] C:\WINDOWS\SYSTEM32\smlogsvc.exe
[01:00:0672] [Check Services] [252/314] TapiSrv
[01:00:0688] [Check Services] C:\WINDOWS\System32\svchost.exe -k netsvcs
[01:00:0688] [Check Services] [253/314] Tcpip
[01:00:0703] [Check Services] C:\WINDOWS\system32\DRIVERS\tcpip.sys
[01:00:0719] [Check Services] [254/314] TDPIPE
[01:00:0735] [Check Services] C:\WINDOWS\SYSTEM32\DRIVERS\tdpipe.sys
[01:00:0735] [Check Services] [255/314] TDTCP
[01:00:0750] [Check Services] C:\WINDOWS\SYSTEM32\DRIVERS\tdtcp.sys
[01:00:0781] [Check Services] [256/314] TermDD
[01:00:0797] [Check Services] C:\WINDOWS\system32\DRIVERS\termdd.sys
[01:00:0813] [Check Services] [257/314] TermService
[01:00:0828] [Check Services] C:\WINDOWS\System32\svchost -k DComLaunch
[01:00:0844] [Check Services] [258/314] tfsnboio
[01:00:0860] [Check Services] C:\WINDOWS\system32\dla\tfsnboio.sys
[01:00:0860] [Check Services] [259/314] tfsncofs
[01:00:0875] [Check Services] C:\WINDOWS\system32\dla\tfsncofs.sys
[01:00:0891] [Check Services] [260/314] tfsndrct
[01:00:0906] [Check Services] C:\WINDOWS\system32\dla\tfsndrct.sys
[01:00:0922] [Check Services] [261/314] tfsndres
[01:00:0922] [Check Services] C:\WINDOWS\system32\dla\tfsndres.sys
[01:00:0938] [Check Services] [262/314] tfsnifs
[01:00:0953] [Check Services] C:\WINDOWS\system32\dla\tfsnifs.sys
[01:00:0969] [Check Services] [263/314] tfsnopio
[01:00:0985] [Check Services] C:\WINDOWS\system32\dla\tfsnopio.sys
[01:00:0985] [Check Services] [264/314] tfsnpool
[01:01:0000] [Check Services] C:\WINDOWS\system32\dla\tfsnpool.sys
[01:01:0016] [Check Services] [265/314] tfsnudf
[01:01:0031] [Check Services] C:\WINDOWS\system32\dla\tfsnudf.sys
[01:01:0031] [Check Services] [266/314] tfsnudfa
[01:01:0047] [Check Services] C:\WINDOWS\system32\dla\tfsnudfa.sys
[01:01:0063] [Check Services] [267/314] Themes
[01:01:0078] [Check Services] C:\WINDOWS\System32\svchost.exe -k netsvcs
[01:01:0094] [Check Services] [268/314] TosIde
[01:01:0110] [Check Services] C:\WINDOWS\system32\DRIVERS\toside.sys
[01:01:0110] [Check Services] [269/314] TrkWks
[01:01:0125] [Check Services] C:\WINDOWS\system32\svchost.exe -k netsvcs
[01:01:0141] [Check Services] [270/314] Udfs
[01:01:0156] [Check Services] C:\WINDOWS\SYSTEM32\DRIVERS\udfs.sys
[01:01:0172] [Check Services] [271/314] ultra
[01:01:0172] [Check Services] C:\WINDOWS\system32\DRIVERS\ultra.sys
[01:01:0188] [Check Services] [272/314] Update
[01:01:0203] [Check Services] C:\WINDOWS\system32\DRIVERS\update.sys
[01:01:0219] [Check Services] [273/314] upnphost
[01:01:0235] [Check Services] C:\WINDOWS\system32\svchost.exe -k LocalService
[01:01:0235] [Check Services] [274/314] UPS
[01:01:0266] [Check Services] C:\WINDOWS\SYSTEM32\ups.exe
[01:01:0281] [Check Services] [275/314] usbaudio
[01:01:0297] [Check Services] C:\WINDOWS\system32\drivers\usbaudio.sys
[01:01:0313] [Check Services] [276/314] usbccgp
[01:01:0328] [Check Services] C:\WINDOWS\system32\DRIVERS\usbccgp.sys
[01:01:0328] [Check Services] [277/314] usbehci
[01:01:0344] [Check Services] C:\WINDOWS\system32\DRIVERS\usbehci.sys
[01:01:0360] [Check Services] [278/314] usbhub
[01:01:0375] [Check Services] C:\WINDOWS\system32\DRIVERS\usbhub.sys
[01:01:0375] [Check Services] [279/314] USBSTOR
[01:01:0391] [Check Services] C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
[01:01:0406] [Check Services] [280/314] usbuhci
[01:01:0422] [Check Services] C:\WINDOWS\system32\DRIVERS\usbuhci.sys
[01:01:0438] [Check Services] [281/314] usb_rndisx
[01:01:0453] [Check Services] C:\WINDOWS\system32\DRIVERS\usb8023x.sys
[01:01:0453] [Check Services] [282/314] v800bus
[01:01:0469] [Check Services] C:\WINDOWS\system32\DRIVERS\v800bus.sys
[01:01:0485] [Check Services] [283/314] v800mdfl
[01:01:0500] [Check Services] C:\WINDOWS\system32\DRIVERS\v800mdfl.sys
[01:01:0500] [Check Services] [284/314] v800mdm
[01:01:0516] [Check Services] C:\WINDOWS\system32\DRIVERS\v800mdm.sys
[01:01:0531] [Check Services] [285/314] v800mgmt
[01:01:0547] [Check Services] C:\WINDOWS\system32\DRIVERS\v800mgmt.sys
[01:01:0563] [Check Services] [286/314] v800obex
[01:01:0578] [Check Services] C:\WINDOWS\system32\DRIVERS\v800obex.sys
[01:01:0578] [Check Services] [287/314] VgaSave
[01:01:0594] [Check Services] C:\WINDOWS\System32\drivers\vga.sys
[01:01:0610] [Check Services] [288/314] viaagp
[01:01:0625] [Check Services] C:\WINDOWS\system32\DRIVERS\viaagp.sys
[01:01:0641] [Check Services] [289/314] ViaIde
[01:01:0641] [Check Services] C:\WINDOWS\system32\DRIVERS\viaide.sys
[01:01:0656] [Check Services] [290/314] VolSnap
[01:01:0672] [Check Services] C:\WINDOWS\SYSTEM32\DRIVERS\volsnap.sys
[01:01:0688] [Check Services] [291/314] vsdatant
[01:01:0703] [Check Services] C:\WINDOWS\System32\vsdatant.sys
[01:01:0703] [Check Services] [292/314] vsmon
[01:01:0719] [Check Services] C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe -service
[01:01:0735] [Check Services] [293/314] VSS
[01:01:0750] [Check Services] C:\WINDOWS\SYSTEM32\vssvc.exe

I hope that means something to you!

Thanks!

Captain

MrCharlie · September 29, 2013

Please read the directions carefully so you don't end up deleting something that is good!!

If in doubt about an entry....please ask or choose Skip!!!!

Don't Delete anything unless instructed to!

If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose

Skip and click on Continue

If a suspicious object is detected, the default action will be Skip, click on Continue

Please note that TDSSKiller can be run in safe mode if needed.

Please download the latest version of TDSSKiller from HERE and save it to your Desktop.

Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.
Put a checkmark beside loaded modules.
A reboot will be needed to apply the changes. Do it.
TDSSKiller will launch automatically after the reboot. Also your computer may seem very slow and unusable. This is normal. Give it enough time to load your background programs.
Then click on Change parameters in TDSSKiller.
Check all boxes then click OK.
Click the Start Scan button.
The scan should take no longer than 2 minutes.
If a suspicious object is detected, the default action will be Skip, click on Continue.

Any entries like this: \Device\Harddisk0\DR0 ( TDSS File System ) - please choose Skip.
If in doubt about an entry....please ask or choose Skip
If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.

Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here. There may be 3 logs > so post or attach all of them.
Sometimes these logs can be very large, in that case please attach it or zip it up and attach it.

Here's a summary of what to do if you would like to print it out:

If in doubt about an entry....please ask or choose Skip

Don't Delete anything unless instructed to!

If a suspicious object is detected, the default action will be Skip, click on Continue

If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose

Skip and click on Continue

Any entries like this: \Device\Harddisk0\DR0 ( TDSS File System ) - please choose Skip.

If malicious objects are found, they will show in the Scan results and offer three (3) options.

Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

~~~~~~~~~~~~~~~~~~~~

You can attach the logs if they're too long:

Bottom right corner of this page.

New window that comes up.

MrC

captain5678 · September 29, 2013

Hi MrC,

I ran TDSSKiller. There was one malware object found, but it did not give the option to cure, so I selected skip as suggested.

I have attached the two log files.

Thanks!

Captain.

TDSSKiller.3.0.0.10_29.09.2013_23.43.03_log.txt

TDSSKiller.3.0.0.10_29.09.2013_23.47.33_log.txt

MrCharlie · September 29, 2013

OK...please do this:

Please download Farbar Recovery Scan Tool and save it to a folder. (use correct version for your system)

Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

MrC

captain5678 · September 29, 2013

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 27-09-2013 01
Ran by hk (administrator) on abc on 30-09-2013 00:21:17
Running from C:\Documents and Settings\hk\Desktop\farbar
Microsoft Windows XP Home Edition Service Pack 3 (X86) OS Language: English(US)
Internet Explorer Version 8
Boot Mode: Normal

==================== Processes (Whitelisted) ===================

(Microsoft Corporation) c:\Program Files\Microsoft Security Client\MsMpEng.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Sun Microsystems, Inc.) C:\Program Files\Java\jre6\bin\jqs.exe
(Microsoft Corporation) C:\WINDOWS\system32\wscntfy.exe
(Analog Devices, Inc.) C:\Program Files\Analog Devices\Core\smax4pnp.exe
(Intel Corporation) C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
(Sonic Solutions) C:\WINDOWS\system32\dla\tfswctrl.exe
(Apple Inc.) C:\Program Files\iTunes\iTunesHelper.exe
(RealNetworks, Inc.) C:\Program Files\Common Files\Real\Update_OB\realsched.exe
(Research In Motion Limited) C:\Program Files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe
(Intel Corporation) C:\WINDOWS\system32\hkcmd.exe
(Intel Corporation) C:\WINDOWS\system32\igfxpers.exe
(Skype Technologies S.A.) C:\Program Files\Skype\Phone\Skype.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [soundMAXPnP] - C:\Program Files\Analog Devices\Core\smax4pnp.exe [1404928 2004-10-14] (Analog Devices, Inc.)
HKLM\...\Run: [intelMeM] - C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe [221184 2003-09-03] (Intel Corporation)
HKLM\...\Run: [dla] - C:\WINDOWS\system32\dla\tfswctrl.exe [122939 2004-08-13] (Sonic Solutions)
HKLM\...\Run: [updateManager] - C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe [110592 2006-06-30] (Sonic Solutions)
HKLM\...\Run: [NPSStartup] - [x]
HKLM\...\Run: [iTunesHelper] - C:\Program Files\iTunes\iTunesHelper.exe [421160 2010-12-13] (Apple Inc.)
HKLM\...\Run: [TkBellExe] - C:\Program Files\Common Files\Real\Update_OB\realsched.exe [198160 2009-09-28] (RealNetworks, Inc.)
HKLM\...\Run: [QuickTime Task] - C:\Program Files\QuickTime\qttask.exe [421888 2010-11-29] (Apple Inc.)
HKLM\...\Run: [Adobe ARM] - C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [958576 2013-04-04] (Adobe Systems Incorporated)
HKLM\...\Run: [RIMBBLaunchAgent.exe] - C:\Program Files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe [90448 2011-11-02] (Research In Motion Limited)
HKLM\...\Run: [MSC] - "c:\Program Files\Microsoft Security Client\mssecex.exe" -hide -runkey <===== ATTENTION (File name is altered)
HKLM\...\Run: [igfxhkcmd] - C:\WINDOWS\system32\hkcmd.exe [ ] ()
HKLM\...\Run: [igfxpers] - C:\WINDOWS\system32\igfxpers.exe [114688 2005-09-20] (Intel Corporation)
HKLM\...\Policies\Explorer: [NoCDBurning] 0
HKCU\...\Run: [skype] - C:\Program Files\Skype\Phone\Skype.exe [19875432 2013-06-21] (Skype Technologies S.A.)
HKCU\...\Run: [Google Update*] - [x] <===== ATTENTION (ZeroAccess rootkit hidden path)
MountPoints2: {53189a35-4646-11e2-8b26-001111dfcd46} - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL drivers\setup.exe
HKU\EMK\...\Run: [MSMSGS] - C:\Program Files\Messenger\msmsgs.exe [ 2008-04-14] (Microsoft Corporation)
HKU\EMK\...\Run: [MSKAGENTEXE] - C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
HKU\SJK\...\Run: [MSKAGENTEXE] - C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
HKU\SJK\...\Run: [QuickTime Task] - C:\Program Files\QuickTime\qttask.exe [ 2010-11-29] (Apple Inc.)
HKU\SJK\...\Run: [spybotSD TeaTimer] - C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
ShortcutTarget: Windows Search.lnk -> C:\Program Files\Windows Desktop Search\WindowsSearch.exe (Microsoft Corporation)

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://login.yahoo.com/config/login_verify2?&.src=ym
SearchScopes: HKCU - DefaultScope {DECA3892-BA8F-44b8-A993-A466AD694AE4} URL = http://uk.search.yahoo.com/search?fr=mcafee&p={searchTerms}
SearchScopes: HKCU - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKCU - {DECA3892-BA8F-44b8-A993-A466AD694AE4} URL = http://uk.search.yahoo.com/search?fr=mcafee&p={searchTerms}
BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll No File
BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll (RealPlayer)
BHO: No Name - {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll (Sonic Solutions)
BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll No File
BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
BHO: JQSIEStartDetectorImpl Class - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
Toolbar: HKCU -&Links - {F2CF5485-4E02-4F68-819C-B92DE9277049} - C:\WINDOWS\system32\ieframe.dll (Microsoft Corporation)
Toolbar: HKCU - No Name - {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - No File
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {B479199A-1242-4E3C-AD81-7F0DF801B4AE} http://download.microsoft.com/download/C/9/C/C9C3D86D-84AC-4AF0-8584-842756A66467/MicrosoftDownloadManager.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll No File
Handler: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WINDOW~3\MESSEN~1\MSGRAP~1.DLL (Microsoft Corporation)
Handler: ms-help - {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll No File
Handler: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WINDOW~3\MESSEN~1\MSGRAP~1.DLL (Microsoft Corporation)
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL (Skype Technologies)
ShellExecuteHooks: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll No File [ ]
ShellExecuteHooks: Windows Desktop Search Namespace Manager - {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [304128 2009-05-24] (Microsoft Corporation)
Winsock: Catalog5 01 mswsock.dll File Not found (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
Winsock: Catalog5 03 mswsock.dll File Not found (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
Winsock: Catalog5 04 C:\Program Files\Bonjour\mdnsNSP.dll [152864] (Apple Inc.)
Winsock: Catalog9 01 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 02 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 03 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 04 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 05 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 06 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 07 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 08 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 09 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 10 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 11 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 12 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 13 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 14 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 15 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 16 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 17 mswsock.dll File Not found (Microsoft Corporation)
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1 192.168.1.1

========================== Services (Whitelisted) =================

S2 gupdate1c9ed306e0f9d60; C:\Program Files\Google\Update\GoogleUpdate.exe [133104 2009-06-14] (Google Inc.)
R2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [22208 2013-06-20] (Microsoft Corporation)
S3 NetSvc; C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe [143360 2003-12-17] (Intel® Corporation)
S3 ADMXGHMD; C:\DOCUME~1\hk\LOCALS~1\Temp\ADMXGHMD.exe [x]
R2 JavaQuickStarterService; "C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf"
S3 Microsoft Office Groove Audit Service; "C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe" [x]
S3 odserv; "C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE" [x]
S2 vsmon; C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe -service [x]
U2 *etadpug; "C:\Program Files\Google\Desktop\Install\{3dc32db7-d17b-333f-d167-0e5d453a1c2e}\ \ \???\{3dc32db7-d17b-333f-d167-0e5d453a1c2e}\GoogleUpdate.exe" < <==== ATTENTION (ZeroAccess)

==================== Drivers (Whitelisted) ====================

R2 drvnddm; C:\Windows\System32\drivers\drvnddm.sys [40544 2004-08-13] (Sonic Solutions)
S3 FsUsbExDisk; C:\WINDOWS\system32\FsUsbExDisk.SYS [36608 2009-11-02] ()
R3 ialm; C:\Windows\System32\DRIVERS\ialmnt5.sys [1302332 2005-09-20] (Intel Corporation)
R3 IntelC51; C:\Windows\System32\DRIVERS\IntelC51.sys [1233525 2004-03-05] (Intel Corporation)
R3 IntelC52; C:\Windows\System32\DRIVERS\IntelC52.sys [647929 2004-03-05] (Intel Corporation)
R3 IntelC53; C:\Windows\System32\DRIVERS\IntelC53.sys [61157 2004-06-15] (Intel Corporation)
R3 mohfilt; C:\Windows\System32\DRIVERS\mohfilt.sys [37048 2004-03-05] (Intel Corporation)
R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [211560 2013-06-18] (Microsoft Corporation)
R3 pfc; C:\Windows\System32\drivers\pfc.sys [21248 2003-09-20] (Padus, Inc.)
S3 RapportIaso; c:\documents and settings\all users\application data\trusteer\rapport\store\exts\rapportms\baseline\rapportiaso.sys [55448 2013-04-03] (Trusteer Ltd.)
R3 senfilt; C:\Windows\System32\drivers\senfilt.sys [732928 2004-09-17] (Creative Technology Ltd.)
S3 SONYPVU1; C:\Windows\System32\DRIVERS\SONYPVU1.SYS [7552 2001-08-17] (Sony Corporation)
R1 sscdbhk5; C:\Windows\System32\drivers\sscdbhk5.sys [5627 2004-07-14] (Sonic Solutions)
R1 ssrtln; C:\Windows\System32\drivers\ssrtln.sys [23545 2004-07-14] (Sonic Solutions)
R2 tfsnboio; C:\Windows\System32\dla\tfsnboio.sys [25723 2004-08-13] (Sonic Solutions)
R2 tfsncofs; C:\Windows\System32\dla\tfsncofs.sys [34843 2004-08-13] (Sonic Solutions)
R2 tfsndrct; C:\Windows\System32\dla\tfsndrct.sys [4123 2004-08-13] (Sonic Solutions)
R2 tfsndres; C:\Windows\System32\dla\tfsndres.sys [2239 2004-08-13] (Sonic Solutions)
R2 tfsnifs; C:\Windows\System32\dla\tfsnifs.sys [86202 2004-08-13] (Sonic Solutions)
R2 tfsnopio; C:\Windows\System32\dla\tfsnopio.sys [14715 2004-08-13] (Sonic Solutions)
R2 tfsnpool; C:\Windows\System32\dla\tfsnpool.sys [6363 2004-08-13] (Sonic Solutions)
R2 tfsnudf; C:\Windows\System32\dla\tfsnudf.sys [98714 2004-08-13] (Sonic Solutions)
R2 tfsnudfa; C:\Windows\System32\dla\tfsnudfa.sys [100603 2004-08-13] (Sonic Solutions)
S3 v800bus; C:\Windows\System32\DRIVERS\v800bus.sys [52416 2004-08-09] (MCCI)
S3 v800mdfl; C:\Windows\System32\DRIVERS\v800mdfl.sys [6160 2004-08-09] (MCCI)
S3 v800mdm; C:\Windows\System32\DRIVERS\v800mdm.sys [84544 2004-08-09] (MCCI)
S3 v800mgmt; C:\Windows\System32\DRIVERS\v800mgmt.sys [77760 2004-08-09] (MCCI)
S3 v800obex; C:\Windows\System32\DRIVERS\v800obex.sys [75584 2004-08-09] (MCCI)
R1 vsdatant; C:\Windows\System32\vsdatant.sys [394952 2007-11-14] (Zone Labs, LLC)
S3 bvrp_pci; No ImagePath
S1 fbvldaqz; \??\C:\WINDOWS\system32\drivers\fbvldaqz.sys [x]
U5 ScsiPort; C:\Windows\system32\drivers\scsiport.sys [96384 2008-04-13] (Microsoft Corporation)
S0 srescan; system32\ZoneLabs\srescan.sys [x]
S3 wanatw; system32\DRIVERS\wanatw4.sys [x]

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2013-09-30 00:20 - 2013-09-30 00:20 - 00000000 ____D C:\FRST
2013-09-30 00:17 - 2013-09-30 00:19 - 00000000 ____D C:\Documents and Settings\hk\Desktop\farbar
2013-09-29 23:42 - 2013-09-29 23:42 - 04119392 _____ (Kaspersky Lab ZAO) C:\Documents and Settings\hk\Desktop\tdsskiller.exe
2013-09-29 20:13 - 2013-09-29 20:13 - 00090112 _____ C:\WINDOWS\Minidump\Mini092913-01.dmp
2013-09-28 02:04 - 2013-09-28 02:04 - 00090112 _____ C:\WINDOWS\Minidump\Mini092813-03.dmp
2013-09-28 02:01 - 2013-09-28 02:01 - 00090112 _____ C:\WINDOWS\Minidump\Mini092813-02.dmp
2013-09-28 01:52 - 2013-09-28 01:52 - 00090112 _____ C:\WINDOWS\Minidump\Mini092813-01.dmp
2013-09-27 23:42 - 2013-09-27 23:42 - 00090112 _____ C:\WINDOWS\Minidump\Mini092713-01.dmp
2013-09-27 23:41 - 2013-09-29 20:12 - 00000000 _____ C:\WINDOWS\system32\TrueSight.sys
2013-09-27 23:40 - 2013-09-29 20:11 - 00000000 ____D C:\Documents and Settings\hk\Desktop\RK_Quarantine
2013-09-27 23:38 - 2013-09-27 23:39 - 00922112 _____ C:\Documents and Settings\hk\Desktop\RogueKiller.exe
2013-09-27 18:52 - 2013-09-27 19:03 - 00009584 _____ C:\Documents and Settings\hk\Desktop\dds.txt
2013-09-27 18:52 - 2013-09-27 18:52 - 00021461 _____ C:\Documents and Settings\hk\Desktop\attach.txt
2013-09-27 18:47 - 2013-09-27 18:48 - 00688992 ____R (Swearware) C:\Documents and Settings\hk\Desktop\dds.scr
2013-09-20 19:50 - 2013-09-20 19:51 - 00012858 _____ C:\WINDOWS\KB2870699-IE8.log
2013-09-20 19:48 - 2013-09-20 19:48 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB2876315$
2013-09-20 19:48 - 2013-09-20 19:48 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB2876217$
2013-09-20 19:47 - 2013-09-20 19:47 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB2864063$
2013-09-20 19:35 - 2013-09-20 19:48 - 00010909 _____ C:\WINDOWS\KB2876315.log
2013-09-20 19:35 - 2013-09-20 19:48 - 00009925 _____ C:\WINDOWS\KB2864063.log
2013-09-20 19:35 - 2013-09-20 19:48 - 00009911 _____ C:\WINDOWS\KB2876217.log
2013-09-09 23:33 - 2013-09-09 23:33 - 00000042 _____ C:\Documents and Settings\hk\Desktop\flickr1.txt
2013-09-08 19:41 - 2013-09-08 19:41 - 00000052 _____ C:\Documents and Settings\hk\Desktop\Windows virus scan 080913.txt
2013-09-08 19:38 - 2013-09-08 19:41 - 00000000 ____D C:\WINDOWS\system32\MpEngineStore
2013-09-07 18:36 - 2013-09-07 18:51 - 00000000 ____D C:\Documents and Settings\LocalService\Application Data\Real
2013-09-07 18:29 - 2013-09-07 18:35 - 00000664 _____ C:\WINDOWS\system32\d3d9caps.dat
2013-09-07 18:20 - 2013-09-07 18:20 - 00000000 ____D C:\Documents and Settings\LocalService\Application Data\Adobe

==================== One Month Modified Files and Folders =======

2013-09-30 00:20 - 2013-09-30 00:20 - 00000000 ____D C:\FRST
2013-09-30 00:19 - 2013-09-30 00:17 - 00000000 ____D C:\Documents and Settings\hk\Desktop\farbar
2013-09-30 00:12 - 2009-07-01 11:13 - 00000886 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
2013-09-30 00:04 - 2013-05-31 10:32 - 00000830 _____ C:\WINDOWS\Tasks\Adobe Flash Player Updater.job
2013-09-29 23:48 - 2005-02-18 18:51 - 00001531 _____ C:\SMax.log
2013-09-29 23:47 - 2012-05-06 23:26 - 00000616 ____H C:\WINDOWS\Tasks\ConfigExec.job
2013-09-29 23:47 - 2005-02-18 18:50 - 01710237 _____ C:\WINDOWS\WindowsUpdate.log
2013-09-29 23:46 - 2005-02-18 18:47 - 00002206 _____ C:\WINDOWS\system32\WPA.DBL
2013-09-29 23:45 - 2009-07-01 11:13 - 00000882 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
2013-09-29 23:45 - 2005-02-18 18:49 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2013-09-29 23:44 - 2005-02-18 18:49 - 00032534 _____ C:\WINDOWS\SchedLgU.Txt
2013-09-29 23:43 - 2005-03-12 23:09 - 00000278 ___SH C:\Documents and Settings\hk\NTUSER.INI
2013-09-29 23:43 - 2005-03-12 23:09 - 00000000 ____D C:\Documents and Settings\hk
2013-09-29 23:42 - 2013-09-29 23:42 - 04119392 _____ (Kaspersky Lab ZAO) C:\Documents and Settings\hk\Desktop\tdsskiller.exe
2013-09-29 20:14 - 2009-11-13 18:25 - 00000000 ____D C:\Documents and Settings\hk\Application Data\Skype
2013-09-29 20:13 - 2013-09-29 20:13 - 00090112 _____ C:\WINDOWS\Minidump\Mini092913-01.dmp
2013-09-29 20:13 - 2005-04-24 23:24 - 00000000 ____D C:\WINDOWS\Minidump
2013-09-29 20:12 - 2013-09-27 23:41 - 00000000 _____ C:\WINDOWS\system32\TrueSight.sys
2013-09-29 20:11 - 2013-09-27 23:40 - 00000000 ____D C:\Documents and Settings\hk\Desktop\RK_Quarantine
2013-09-28 02:04 - 2013-09-28 02:04 - 00090112 _____ C:\WINDOWS\Minidump\Mini092813-03.dmp
2013-09-28 02:01 - 2013-09-28 02:01 - 00090112 _____ C:\WINDOWS\Minidump\Mini092813-02.dmp
2013-09-28 01:52 - 2013-09-28 01:52 - 00090112 _____ C:\WINDOWS\Minidump\Mini092813-01.dmp
2013-09-28 01:49 - 2012-12-15 03:23 - 00000462 _____ C:\Documents and Settings\hk\Application Data\Rim.Transcoder.Exception.log
2013-09-28 01:49 - 2012-12-15 01:30 - 00000308 _____ C:\Documents and Settings\hk\Application Data\Rim.DesktopHelper.Exception.log
2013-09-28 01:49 - 2012-12-15 01:29 - 00000462 _____ C:\Documents and Settings\hk\Application Data\Rim.Desktop.Exception.log
2013-09-28 00:14 - 2013-04-13 18:28 - 00000000 ____D C:\Documents and Settings\hk\Desktop\Files
2013-09-27 23:46 - 2005-02-18 18:49 - 00546586 _____ C:\WINDOWS\system32\PerfStringBackup.INI
2013-09-27 23:42 - 2013-09-27 23:42 - 00090112 _____ C:\WINDOWS\Minidump\Mini092713-01.dmp
2013-09-27 23:39 - 2013-09-27 23:38 - 00922112 _____ C:\Documents and Settings\hk\Desktop\RogueKiller.exe
2013-09-27 23:26 - 2012-05-06 23:26 - 00000580 ____H C:\WINDOWS\Tasks\DataUpload.job
2013-09-27 19:04 - 2012-04-12 21:16 - 00692616 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerApp.exe
2013-09-27 19:04 - 2011-07-12 21:51 - 00071048 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerCPLApp.cpl
2013-09-27 19:03 - 2013-09-27 18:52 - 00009584 _____ C:\Documents and Settings\hk\Desktop\dds.txt
2013-09-27 18:52 - 2013-09-27 18:52 - 00021461 _____ C:\Documents and Settings\hk\Desktop\attach.txt
2013-09-27 18:48 - 2013-09-27 18:47 - 00688992 ____R (Swearware) C:\Documents and Settings\hk\Desktop\dds.scr
2013-09-23 11:54 - 2008-10-28 23:15 - 00000284 _____ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
2013-09-23 01:25 - 2006-11-24 02:38 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB924270$
2013-09-22 00:59 - 2012-05-04 19:08 - 00327680 _____ C:\WINDOWS\system32\config\WindowsPowerShell.evt
2013-09-22 00:14 - 2009-03-11 02:17 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB959772_WM11$
2013-09-20 19:53 - 2004-08-10 14:08 - 00360136 _____ C:\WINDOWS\system32\FNTCACHE.DAT
2013-09-20 19:51 - 2013-09-20 19:50 - 00012858 _____ C:\WINDOWS\KB2870699-IE8.log
2013-09-20 19:51 - 2010-06-10 13:05 - 01074402 _____ C:\WINDOWS\FaxSetup.log
2013-09-20 19:51 - 2010-06-10 13:05 - 00923198 _____ C:\WINDOWS\setupapi.log
2013-09-20 19:51 - 2010-06-10 13:05 - 00538766 _____ C:\WINDOWS\ocgen.log
2013-09-20 19:51 - 2010-06-10 13:05 - 00415179 _____ C:\WINDOWS\tsoc.log
2013-09-20 19:51 - 2010-06-10 13:05 - 00357741 _____ C:\WINDOWS\comsetup.log
2013-09-20 19:51 - 2010-06-10 13:05 - 00219539 _____ C:\WINDOWS\ntdtcsetup.log
2013-09-20 19:51 - 2010-06-10 13:05 - 00169560 _____ C:\WINDOWS\iis6.log
2013-09-20 19:51 - 2010-06-10 13:05 - 00060280 _____ C:\WINDOWS\ocmsn.log
2013-09-20 19:51 - 2010-06-10 13:05 - 00054428 _____ C:\WINDOWS\msgsocm.log
2013-09-20 19:51 - 2010-06-10 13:05 - 00001374 _____ C:\WINDOWS\imsins.log
2013-09-20 19:50 - 2010-08-11 17:54 - 00066023 _____ C:\WINDOWS\updspapi.log
2013-09-20 19:50 - 2010-03-08 22:59 - 00000000 ____D C:\WINDOWS\ie8updates
2013-09-20 19:48 - 2013-09-20 19:48 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB2876315$
2013-09-20 19:48 - 2013-09-20 19:48 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB2876217$
2013-09-20 19:48 - 2013-09-20 19:35 - 00010909 _____ C:\WINDOWS\KB2876315.log
2013-09-20 19:48 - 2013-09-20 19:35 - 00009925 _____ C:\WINDOWS\KB2864063.log
2013-09-20 19:48 - 2013-09-20 19:35 - 00009911 _____ C:\WINDOWS\KB2876217.log
2013-09-20 19:48 - 2010-06-10 13:05 - 00001374 _____ C:\WINDOWS\imsins.BAK
2013-09-20 19:47 - 2013-09-20 19:47 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB2864063$
2013-09-20 19:44 - 2004-08-10 14:04 - 00000603 _____ C:\WINDOWS\WIN.INI
2013-09-20 19:42 - 2013-08-28 01:42 - 00000000 ____D C:\WINDOWS\system32\MRT
2013-09-20 19:38 - 2005-05-11 12:42 - 76725432 _____ (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe
2013-09-20 19:19 - 2012-03-31 17:17 - 00002347 _____ C:\Documents and Settings\All Users\Start Menu\Programs\Adobe Reader X.lnk
2013-09-20 19:18 - 2005-03-30 01:47 - 00000000 ____D C:\Program Files\Common Files\Adobe
2013-09-20 14:58 - 2006-10-15 03:01 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB924496$
2013-09-18 21:45 - 2007-08-16 02:55 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB921503$
2013-09-09 23:33 - 2013-09-09 23:33 - 00000042 _____ C:\Documents and Settings\hk\Desktop\flickr1.txt
2013-09-09 23:16 - 2005-02-18 18:40 - 00000000 ____D C:\WINDOWS\Resources
2013-09-08 22:49 - 2011-02-10 23:57 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB2485376$
2013-09-08 19:41 - 2013-09-08 19:41 - 00000052 _____ C:\Documents and Settings\hk\Desktop\Windows virus scan 080913.txt
2013-09-08 19:41 - 2013-09-08 19:38 - 00000000 ____D C:\WINDOWS\system32\MpEngineStore
2013-09-08 00:31 - 2011-03-09 22:08 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB2479943$
2013-09-07 19:17 - 2005-08-20 22:18 - 00000000 ____D C:\WINDOWS\Sun
2013-09-07 18:51 - 2013-09-07 18:36 - 00000000 ____D C:\Documents and Settings\LocalService\Application Data\Real
2013-09-07 18:35 - 2013-09-07 18:29 - 00000664 _____ C:\WINDOWS\system32\d3d9caps.dat
2013-09-07 18:20 - 2013-09-07 18:20 - 00000000 ____D C:\Documents and Settings\LocalService\Application Data\Adobe
2013-09-07 18:14 - 2008-01-10 00:39 - 00000000 ____D C:\Documents and Settings\hk\Local Settings\Application Data\Google
2013-09-07 18:14 - 2008-01-10 00:38 - 00000000 ____D C:\Program Files\Google

Files to move or delete:
====================
ZeroAccess:
C:\Documents and Settings\hk\Local Settings\Application Data\Google\Desktop\Install
ZeroAccess:
C:\Program Files\Google\Desktop\Install
C:\Documents and Settings\hk\settings.dat

Some content of TEMP:
====================
C:\Documents and Settings\hk\Local Settings\Temp\SkypeSetup.exe
C:\Documents and Settings\hk\Local Settings\Temp\{B750A925-EACD-4FFC-853A-6CCACEF7B872}.exe

==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== End Of Log ============================

I have changed the username and in the log files, just in case you were wondering.

Thanks!

Addition.txt

MrCharlie · September 30, 2013

Please read the following information first.

You're infected with Rootkit.ZeroAccess, a BackDoor Trojan.

BACKDOOR WARNING

------------------------------

One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advice you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
http://www.dslreports.com/faq/10451

When Should I Format, How Should I Reinstall
http://www.dslreports.com/faq/10063

I will try my best to clean this machine but I can't guarantee that it will be 100% secure afterwards.

I would change all my passwords and keep a close eye on all your sensitive accounts.

Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.

-----------------------------------------

This is the contents of the fixlist.txt, if you changed any of it...you must correct anything you changed in the fixlist.txt (attached) or the fix won't work:

HKLM\...\Run: [MSC] - "c:\Program Files\Microsoft Security Client\mssecex.exe"
HKCU\...\Run: [Google Update*] - [x]
U2 *etadpug; "C:\Program Files\Google\Desktop\Install\{3dc32db7-d17b-333f-d167-0e5d453a1c2e}\ \ \???\{3dc32db7-d17b-333f-d167-0e5d453a1c2e}\GoogleUpdate.exe"
S1 fbvldaqz; \??\C:\WINDOWS\system32\drivers\fbvldaqz.sys [x]
C:\WINDOWS\system32\drivers\fbvldaqz.sys
C:\Program Files\Google\Desktop\Install
C:\Documents and Settings\hk\settings.dat
C:\Documents and Settings\hk\Local Settings\Temp\SkypeSetup.exe
C:\Documents and Settings\hk\Local Settings\Temp\{B750A925-EACD-4FFC-853A-6CCACEF7B872}.exe

-----------------------------------

Download the attached fixlist.txt to the same folder as FRST.
Run FRST and click Fix only once and wait
The tool will create a log (Fixlog.txt) in the folder, please post it to your reply.

Then......

Download Malwarebytes Anti-Rootkit from HERE

Unzip the contents to a folder in a convenient location.
Open the folder where the contents were unzipped and run mbar.exe
Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
Click on the Cleanup button to remove any threats and reboot if prompted to do so.
Wait while the system shuts down and the cleanup process is performed.
Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
When done, please post the two logs produced they will be in the MBAR folder..... mbar-log.txt and system-log.txt

To attach a log if needed:

Bottom right corner of this page.

New window that comes up.

~~~~~~~~~~~~~~~~~~~~~~~

Note:
If no additional threats were found, verify that your system is now running normally, making sure that the following items are functional:
Internet access
Windows Update
Windows Firewall
If there are additional problems with your system, such as any of those listed above or other system issues, then run the fixdamage tool included with Malwarebytes Anti-Rootkit and reboot. It's located in the Plugins folder which is in the MBAR folder.

Just run fixdamage.exe.

Verify that they are now functioning normally.

MrC

MrCharlie · October 2, 2013

How are we doing??

Do you still need help or can I close this post??

MrC

captain5678 · October 2, 2013

Hi MrC,

Thanks for your continued support. I apologise for not replying to your last post. Having read the info relating to the rootkit/backdoor, I will probably reformat and reinstall, although I need to check I have been given the discs. If I don't have the discs, I will try to clean as well as I can. Either way, I'll let you know (and probably ask for help!).

MrCharlie · October 2, 2013

OK...MrC

MrCharlie · October 4, 2013

How are we doing?? MrC

captain5678 · October 4, 2013

Hi MrC,

I am away from home at the moment so cannot work on the pc until next week. Do you need to close this thread or can you keep it open?

MrCharlie · October 4, 2013

I'll keep it open....MrC

AdvancedSetup · October 10, 2013

bump to keep on top

AdvancedSetup · October 16, 2013

Are you still with us? it's now been over a week.

captain5678 · October 16, 2013

Hello Ron,

Thanks for checking in with me. I am still in the process of transferring/backing up files. Can I ask, if I decide to reinstall the os, do I have to completely wipe the drive first then reinstall with the discs, or can I perform a Dell factory reset? Also, if I transfer my files back on to the pc after reinstalling, is there any way I can be sure that there are no infected files amongst them?

Thanks!

MrCharlie · October 22, 2013

Can I ask, if I decide to reinstall the os, do I have to completely wipe the drive first then reinstall with the discs, or can I perform a Dell factory reset?

Factory Restore should do it.

Also, if I transfer my files back on to the pc after reinstalling, is there any way I can be sure that there are no infected files amongst them?

You would have to clean the computer before you back-up the files to ensure they're clean.

MrC

AdvancedSetup · October 22, 2013

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Cannot successfully remove infected file(s)

Recommended Posts

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Recently Browsing 0 members

Important Information