Google Redirect problem

[yos77]

Hi, I'm brand new here. I checked to see how to post correctly for help I must have missed it. In any case if I need to do somting differant let me know I will Do .

My problem is from 2 things that I know are hapenning:

1) google redirects to weird websites

2) small video pop up ads

I ran a few scans came up clean, how can I find where the source is a get rid of it?

Thank you!

[yos77]

Hi, I'm brand new here. I checked to see how to post correctly for help I must have missed it. In any case if I need to do somting differant let me know I will Do .

My problem is from 2 things that I know are hapenning:

1) google redirects to weird websites

2) small video pop up ads

I ran a few scans came up clean, how can I find where the source is a get rid of it?

Thank you!

here is Hijaxkthis log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 4:17:39 PM, on 5/24/2010

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\McAfee.com\Agent\mcagent.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe

C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

C:\Program Files\McAfee\MPF\MPFSrv.exe

C:\Program Files\McAfee\MSK\MskSrver.exe

C:\Program Files\CDBurnerXP\NMSAccessU.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\SearchIndexer.exe

C:\WINDOWS\System32\svchost.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Windows Live\Mail\wlmail.exe

C:\Program Files\Windows Live\Contacts\wlcomm.exe

C:\Program Files\Palm\HotSyncWizard.exe

C:\Program Files\Palm\Palm.exe

C:\WINDOWS\system32\SearchProtocolHost.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\progra~1\mcafee\msk\mskapbho.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll

O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent

O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey

O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide

O4 - HKLM\..\Run: [HitmanPro35] "C:\Program Files\Hitman Pro 3.5\HitmanPro35.exe" /scan:boot

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000

O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll

O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)

O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O20 - Winlogon Notify: puinsd - C:\WINDOWS\SYSTEM32\puinsd.dll

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe

O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe

O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe

O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe

O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe

O23 - Service: NMSAccess - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe

O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

O23 - Service: stllssvr - Unknown owner - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe (file missing)

--

End of file - 8004 bytes

[Elise]

Hello ,

And My name is Elise and I'll be glad to help you with your computer problems.

I will be working on your malware issues, this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make, are for fixing your computer problems only and by no means should be used on another computer.

• The cleaning process is not instant. Logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  
• Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  
• The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  
• Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.
  

You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications.

-----------------------------------------------------------

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

If you have already posted a log, please do so again, as your situation may have changed.

Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:

• Please download OTL from one of the following mirrors:
  • This is THE Mirror
    

  [*]Save it to your desktop.

  [*]Double click on the icon on your desktop.

  [*]Click the "Scan All Users" checkbox.

  [*]Push the button.

  [*]Two reports will open, copy and paste them in a reply here:

  • OTListIt.txt <-- Will be opened
    
  • Extra.txt <-- Will be minimized
    

Please download GMER from one of the following locations and save it to your desktop:

• Main Mirror
  This version will download a randomly named file (Recommended)
  
• Zipped Mirror
  This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  

• Disconnect from the Internet and close all running programs.
  
• Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  
• Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  
• Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
  
  
• GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  
• If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  
• Now click the Scan button. If you see a rootkit warning window, click OK.
  
• When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  
• Click the Copy button and paste the results into your next reply.
  
• Exit GMER and re-enable all active protection when done.
  

-- If you encounter any problems, try running GMER in Safe Mode.

-------------------------------------------------------------

In the meantime please, do NOT install any new programs or update anything unless told to do so while we are fixing your problem

If you still need help, please include the following in your next reply

• A detailed description of your problems
  
• A new OTL log (don't forget extra.txt)
  
• GMER log
  

[yos77]

OTL in word doc is 112 pages copied from notepad it says it is too long. is it OK if I attach both logs?

Extras.Txt

OTL.Txt

[yos77]

Hi Elise and thank you for your reply.

[Elise]

Hi, can you please also run GMER? If it causes you trouble, please run the scan with only the Sections option checked.

[yos77]

Hi, can you please also run GMER? If it causes you trouble, please run the scan with only the Sections option checked.

Sure thing. right now its still runing when it finishes I'll post it. it took me a bit of time tryin to disable the antiviruses, I thing I got them of: spybot & mcafee.

[yos77]

GMER scan with only the Sections option checked.

GMER 1.0.15.15281 - http://www.gmer.net

Rootkit scan 2010-05-25 13:15:12

Windows 5.1.2600 Service Pack 3

Running: vscu3szc.exe; Driver: C:\DOCUME~1\ERICRA~1\LOCALS~1\Temp\pxtdapoc.sys

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwYieldExecution 80504AF4 7 Bytes JMP F72AECD0 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!NtCreateFile 80579084 5 Bytes JMP F72AECA6 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!NtMapViewOfSection 805B1FE6 7 Bytes JMP F72AECE6 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805B2DF4 5 Bytes JMP F72AECFC mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwProtectVirtualMemory 805B83CA 2 Bytes JMP F72AECBA mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwProtectVirtualMemory + 3 805B83CD 4 Bytes [CF, 76, 90, 90] {IRET ; JBE 0xffffffffffffff93; NOP }

PAGE ntkrnlpa.exe!NtOpenProcess 805CB3FA 5 Bytes JMP F72AEC18 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!NtOpenThread 805CB686 5 Bytes JMP F72AEC2C mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!NtSetInformationProcess 805CDE44 5 Bytes JMP F72AEC54 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwCreateProcessEx 805D1134 7 Bytes JMP F72AEC90 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwCreateProcess 805D11EA 5 Bytes JMP F72AEC7C mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwSetContextThread 805D16F4 5 Bytes JMP F72AEC68 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwTerminateProcess 805D2982 5 Bytes JMP F72AED15 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwQueryValueKey 806219EC 7 Bytes JMP F72AEDA9 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwSetValueKey 80621D3A 7 Bytes JMP F72AED93 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwUnloadKey 80622064 7 Bytes JMP F72AEE17 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwQueryMultipleValueKey 80622916 7 Bytes JMP F72AEDBF mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwRenameKey 806231EA 7 Bytes JMP F72AED67 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwCreateKey 806237C8 5 Bytes JMP F72AED3D mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwDeleteKey 80623C64 7 Bytes JMP F72AED51 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwDeleteValueKey 80623E34 7 Bytes JMP F72AED7D mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwEnumerateKey 80624014 7 Bytes JMP F72AEDEB mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwEnumerateValueKey 8062427E 7 Bytes JMP F72AEDD5 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwOpenKey 80624BA6 5 Bytes JMP F72AED29 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwQueryKey 80624EE8 7 Bytes JMP F72AEE55 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwRestoreKey 806251A8 5 Bytes JMP F72AEE2D mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwLoadKey2 806255F8 7 Bytes JMP F72AEE01 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwReplaceKey 8062589C 5 Bytes JMP F72AEE41 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

.rsrc C:\WINDOWS\System32\DRIVERS\RDPCDD.sys entry point in ".rsrc" section [0xF7B85C14]

---- User code sections - GMER 1.0.15 ----

.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[476] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0041C130 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)

.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[476] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 0041C1B0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)

.text C:\WINDOWS\system32\svchost.exe[568] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BE000A

.text C:\WINDOWS\system32\svchost.exe[568] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BE0073

.text C:\WINDOWS\system32\svchost.exe[568] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BE0062

.text C:\WINDOWS\system32\svchost.exe[568] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BE0F94

.text C:\WINDOWS\system32\svchost.exe[568] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BE0FAF

.text C:\WINDOWS\system32\svchost.exe[568] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BE0051

.text C:\WINDOWS\system32\svchost.exe[568] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BE0F52

.text C:\WINDOWS\system32\svchost.exe[568] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BE009A

.text C:\WINDOWS\system32\svchost.exe[568] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BE0F26

.text C:\WINDOWS\system32\svchost.exe[568] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BE0F41

.text C:\WINDOWS\system32\svchost.exe[568] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BE0F15

.text C:\WINDOWS\system32\svchost.exe[568] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BE0FC0

.text C:\WINDOWS\system32\svchost.exe[568] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BE0FEF

.text C:\WINDOWS\system32\svchost.exe[568] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BE0F63

.text C:\WINDOWS\system32\svchost.exe[568] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BE0036

.text C:\WINDOWS\system32\svchost.exe[568] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BE0025

.text C:\WINDOWS\system32\svchost.exe[568] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BE00BF

.text C:\WINDOWS\system32\svchost.exe[568] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 006F0FC3

.text C:\WINDOWS\system32\svchost.exe[568] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 006F0039

.text C:\WINDOWS\system32\svchost.exe[568] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 006F0014

.text C:\WINDOWS\system32\svchost.exe[568] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 006F0FD4

.text C:\WINDOWS\system32\svchost.exe[568] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 006F0F86

.text C:\WINDOWS\system32\svchost.exe[568] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 006F0FE5

.text C:\WINDOWS\system32\svchost.exe[568] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 006F0FA1

.text C:\WINDOWS\system32\svchost.exe[568] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [8F, 88]

.text C:\WINDOWS\system32\svchost.exe[568] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 006F0FB2

.text C:\WINDOWS\system32\svchost.exe[568] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 006E0038

.text C:\WINDOWS\system32\svchost.exe[568] msvcrt.dll!system 77C293C7 5 Bytes JMP 006E0FAD

.text C:\WINDOWS\system32\svchost.exe[568] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 006E001D

.text C:\WINDOWS\system32\svchost.exe[568] msvcrt.dll!_open 77C2F566 5 Bytes JMP 006E0FEF

.text C:\WINDOWS\system32\svchost.exe[568] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 006E0FC8

.text C:\WINDOWS\system32\svchost.exe[568] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 006E000C

.text C:\WINDOWS\system32\svchost.exe[568] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 001C0000

.text C:\WINDOWS\system32\svchost.exe[568] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 001C0FE5

.text C:\WINDOWS\system32\svchost.exe[568] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 001C0FCA

.text C:\WINDOWS\system32\svchost.exe[568] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 001C0025

.text C:\WINDOWS\system32\svchost.exe[568] WS2_32.dll!socket 71AB4211 5 Bytes JMP 006D0000

.text C:\WINDOWS\system32\svchost.exe[760] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00A50FEF

.text C:\WINDOWS\system32\svchost.exe[760] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00A50F6B

.text C:\WINDOWS\system32\svchost.exe[760] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00A50F7C

.text C:\WINDOWS\system32\svchost.exe[760] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00A50F8D

.text C:\WINDOWS\system32\svchost.exe[760] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00A5004A

.text C:\WINDOWS\system32\svchost.exe[760] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00A50FA8

.text C:\WINDOWS\system32\svchost.exe[760] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00A50F2E

.text C:\WINDOWS\system32\svchost.exe[760] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00A50F3F

.text C:\WINDOWS\system32\svchost.exe[760] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00A500AC

.text C:\WINDOWS\system32\svchost.exe[760] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00A5009B

.text C:\WINDOWS\system32\svchost.exe[760] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00A500BD

.text C:\WINDOWS\system32\svchost.exe[760] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00A5002F

.text C:\WINDOWS\system32\svchost.exe[760] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00A50FD4

.text C:\WINDOWS\system32\svchost.exe[760] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00A50F50

.text C:\WINDOWS\system32\svchost.exe[760] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00A5001E

.text C:\WINDOWS\system32\svchost.exe[760] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00A50FC3

.text C:\WINDOWS\system32\svchost.exe[760] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00A50F1D

.text C:\WINDOWS\system32\svchost.exe[760] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 006F0FB6

.text C:\WINDOWS\system32\svchost.exe[760] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 006F0058

.text C:\WINDOWS\system32\svchost.exe[760] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 006F0FD1

.text C:\WINDOWS\system32\svchost.exe[760] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 006F0011

.text C:\WINDOWS\system32\svchost.exe[760] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 006F0F9B

.text C:\WINDOWS\system32\svchost.exe[760] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 006F0000

.text C:\WINDOWS\system32\svchost.exe[760] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 006F003D

.text C:\WINDOWS\system32\svchost.exe[760] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 006F002C

.text C:\WINDOWS\system32\svchost.exe[760] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 006E0F9C

.text C:\WINDOWS\system32\svchost.exe[760] msvcrt.dll!system 77C293C7 5 Bytes JMP 006E0031

.text C:\WINDOWS\system32\svchost.exe[760] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 006E000C

.text C:\WINDOWS\system32\svchost.exe[760] msvcrt.dll!_open 77C2F566 5 Bytes JMP 006E0FEF

.text C:\WINDOWS\system32\svchost.exe[760] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 006E0FC1

.text C:\WINDOWS\system32\svchost.exe[760] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 006E0FDE

.text C:\WINDOWS\system32\svchost.exe[760] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 001C0000

.text C:\WINDOWS\system32\svchost.exe[760] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 001C0025

.text C:\WINDOWS\system32\svchost.exe[760] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 001C0FEF

.text C:\WINDOWS\system32\svchost.exe[760] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 001C0FDE

.text C:\WINDOWS\system32\svchost.exe[760] WS2_32.dll!socket 71AB4211 5 Bytes JMP 006D000A

.text C:\WINDOWS\system32\services.exe[860] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00F90000

.text C:\WINDOWS\system32\services.exe[860] kernel32.dll!VirtualProtectEx 7C801A61 1 Byte [E9]

.text C:\WINDOWS\system32\services.exe[860] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00F90065

.text C:\WINDOWS\system32\services.exe[860] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00F90F70

.text C:\WINDOWS\system32\services.exe[860] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00F90F8D

.text C:\WINDOWS\system32\services.exe[860] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00F90040

.text C:\WINDOWS\system32\services.exe[860] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00F90FAF

.text C:\WINDOWS\system32\services.exe[860] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00F90F44

.text C:\WINDOWS\system32\services.exe[860] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00F9008C

.text C:\WINDOWS\system32\services.exe[860] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00F90F07

.text C:\WINDOWS\system32\services.exe[860] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00F90F18

.text C:\WINDOWS\system32\services.exe[860] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00F900BB

.text C:\WINDOWS\system32\services.exe[860] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00F90F9E

.text C:\WINDOWS\system32\services.exe[860] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00F9001B

.text C:\WINDOWS\system32\services.exe[860] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00F90F5F

.text C:\WINDOWS\system32\services.exe[860] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00F90FCA

.text C:\WINDOWS\system32\services.exe[860] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00F90FEF

.text C:\WINDOWS\system32\services.exe[860] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00F90F29

.text C:\WINDOWS\system32\services.exe[860] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00FD0FC3

.text C:\WINDOWS\system32\services.exe[860] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00FD0065

.text C:\WINDOWS\system32\services.exe[860] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00FD0FD4

.text C:\WINDOWS\system32\services.exe[860] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00FD0000

.text C:\WINDOWS\system32\services.exe[860] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00FD004A

.text C:\WINDOWS\system32\services.exe[860] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00FD0FEF

.text C:\WINDOWS\system32\services.exe[860] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00FD0039

.text C:\WINDOWS\system32\services.exe[860] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00FD0FB2

.text C:\WINDOWS\system32\services.exe[860] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00FC0FAD

.text C:\WINDOWS\system32\services.exe[860] msvcrt.dll!system 77C293C7 5 Bytes JMP 00FC0038

.text C:\WINDOWS\system32\services.exe[860] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00FC0FD2

.text C:\WINDOWS\system32\services.exe[860] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00FC0000

.text C:\WINDOWS\system32\services.exe[860] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00FC0027

.text C:\WINDOWS\system32\services.exe[860] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00FC0FE3

.text C:\WINDOWS\system32\services.exe[860] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00FA0000

.text C:\WINDOWS\system32\services.exe[860] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00FA0FEF

.text C:\WINDOWS\system32\services.exe[860] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00FA0FDE

.text C:\WINDOWS\system32\services.exe[860] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00FA002F

.text C:\WINDOWS\system32\services.exe[860] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00FB0000

.text C:\WINDOWS\system32\lsass.exe[872] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01060000

.text C:\WINDOWS\system32\lsass.exe[872] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 0106007F

.text C:\WINDOWS\system32\lsass.exe[872] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01060F94

.text C:\WINDOWS\system32\lsass.exe[872] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01060FA5

.text C:\WINDOWS\system32\lsass.exe[872] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01060062

.text C:\WINDOWS\system32\lsass.exe[872] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01060FCA

.text C:\WINDOWS\system32\lsass.exe[872] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 01060F48

.text C:\WINDOWS\system32\lsass.exe[872] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 0106009A

.text C:\WINDOWS\system32\lsass.exe[872] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 01060F37

.text C:\WINDOWS\system32\lsass.exe[872] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 010600D0

.text C:\WINDOWS\system32\lsass.exe[872] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 010600E1

.text C:\WINDOWS\system32\lsass.exe[872] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 01060047

.text C:\WINDOWS\system32\lsass.exe[872] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 01060FE5

.text C:\WINDOWS\system32\lsass.exe[872] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 01060F6F

.text C:\WINDOWS\system32\lsass.exe[872] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 01060036

.text C:\WINDOWS\system32\lsass.exe[872] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 0106001B

.text C:\WINDOWS\system32\lsass.exe[872] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 010600AB

.text C:\WINDOWS\system32\lsass.exe[872] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 010A003D

.text C:\WINDOWS\system32\lsass.exe[872] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 010A0F9B

.text C:\WINDOWS\system32\lsass.exe[872] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 010A002C

.text C:\WINDOWS\system32\lsass.exe[872] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 010A0011

.text C:\WINDOWS\system32\lsass.exe[872] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 010A0FAC

.text C:\WINDOWS\system32\lsass.exe[872] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 010A0000

.text C:\WINDOWS\system32\lsass.exe[872] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 010A004E

.text C:\WINDOWS\system32\lsass.exe[872] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 010A0FD1

.text C:\WINDOWS\system32\lsass.exe[872] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 01090036

.text C:\WINDOWS\system32\lsass.exe[872] msvcrt.dll!system 77C293C7 5 Bytes JMP 01090FA1

.text C:\WINDOWS\system32\lsass.exe[872] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 01090FC6

.text C:\WINDOWS\system32\lsass.exe[872] msvcrt.dll!_open 77C2F566 5 Bytes JMP 01090FEF

.text C:\WINDOWS\system32\lsass.exe[872] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 01090011

.text C:\WINDOWS\system32\lsass.exe[872] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 01090000

.text C:\WINDOWS\system32\lsass.exe[872] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01080FEF

.text C:\WINDOWS\system32\lsass.exe[872] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 01070000

.text C:\WINDOWS\system32\lsass.exe[872] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 01070FE5

.text C:\WINDOWS\system32\lsass.exe[872] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 01070025

.text C:\WINDOWS\system32\lsass.exe[872] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 01070FD4

.text C:\WINDOWS\System32\svchost.exe[1020] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001D0FE5

.text C:\WINDOWS\System32\svchost.exe[1020] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001D0F80

.text C:\WINDOWS\System32\svchost.exe[1020] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001D0075

.text C:\WINDOWS\System32\svchost.exe[1020] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001D0058

.text C:\WINDOWS\System32\svchost.exe[1020] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001D0047

.text C:\WINDOWS\System32\svchost.exe[1020] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001D0FB6

.text C:\WINDOWS\System32\svchost.exe[1020] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001D0F63

.text C:\WINDOWS\System32\svchost.exe[1020] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001D00AB

.text C:\WINDOWS\System32\svchost.exe[1020] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001D0F34

.text C:\WINDOWS\System32\svchost.exe[1020] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001D00D7

.text C:\WINDOWS\System32\svchost.exe[1020] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 001D00E8

.text C:\WINDOWS\System32\svchost.exe[1020] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 001D0FA5

.text C:\WINDOWS\System32\svchost.exe[1020] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 001D0000

.text C:\WINDOWS\System32\svchost.exe[1020] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 001D009A

.text C:\WINDOWS\System32\svchost.exe[1020] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 001D0022

.text C:\WINDOWS\System32\svchost.exe[1020] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 001D0011

.text C:\WINDOWS\System32\svchost.exe[1020] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 001D00C6

.text C:\WINDOWS\System32\svchost.exe[1020] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 002C0014

.text C:\WINDOWS\System32\svchost.exe[1020] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 002C0054

.text C:\WINDOWS\System32\svchost.exe[1020] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 002C0FC3

.text C:\WINDOWS\System32\svchost.exe[1020] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 002C0FD4

.text C:\WINDOWS\System32\svchost.exe[1020] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 002C0F8D

.text C:\WINDOWS\System32\svchost.exe[1020] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 002C0FEF

.text C:\WINDOWS\System32\svchost.exe[1020] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 002C0F9E

.text C:\WINDOWS\System32\svchost.exe[1020] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [4C, 88]

.text C:\WINDOWS\System32\svchost.exe[1020] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 002C002F

.text C:\WINDOWS\System32\svchost.exe[1020] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00410038

.text C:\WINDOWS\System32\svchost.exe[1020] msvcrt.dll!system 77C293C7 5 Bytes JMP 0041001D

.text C:\WINDOWS\System32\svchost.exe[1020] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00410FB7

.text C:\WINDOWS\System32\svchost.exe[1020] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00410FEF

.text C:\WINDOWS\System32\svchost.exe[1020] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 0041000C

.text C:\WINDOWS\System32\svchost.exe[1020] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00410FD2

.text C:\WINDOWS\System32\svchost.exe[1020] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00690000

.text C:\WINDOWS\System32\svchost.exe[1020] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00690025

.text C:\WINDOWS\System32\svchost.exe[1020] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00690036

.text C:\WINDOWS\System32\svchost.exe[1020] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00690047

.text C:\WINDOWS\System32\svchost.exe[1020] WS2_32.dll!socket 71AB4211 5 Bytes JMP 001A0000

.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 02590FEF

.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 02590078

.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 02590F83

.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 02590F94

.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 02590051

.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 02590025

.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 02590F37

.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 02590089

.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 02590F0B

.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 02590F26

.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 025900BF

.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 02590036

.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 02590FD4

.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 02590F68

.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 02590014

.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 02590FB9

.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 025900A4

.text C:\WINDOWS\system32\svchost.exe[1044] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 02670FD1

.text C:\WINDOWS\system32\svchost.exe[1044] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 02670FA5

.text C:\WINDOWS\system32\svchost.exe[1044] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 02670022

.text C:\WINDOWS\system32\svchost.exe[1044] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 02670011

.text C:\WINDOWS\system32\svchost.exe[1044] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 02670FC0

.text C:\WINDOWS\system32\svchost.exe[1044] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 02670000

.text C:\WINDOWS\system32\svchost.exe[1044] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 02670058

.text C:\WINDOWS\system32\svchost.exe[1044] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 02670047

.text C:\WINDOWS\system32\svchost.exe[1044] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 02660064

.text C:\WINDOWS\system32\svchost.exe[1044] msvcrt.dll!system 77C293C7 5 Bytes JMP 02660053

.text C:\WINDOWS\system32\svchost.exe[1044] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 02660FE3

.text C:\WINDOWS\system32\svchost.exe[1044] msvcrt.dll!_open 77C2F566 5 Bytes JMP 02660000

.text C:\WINDOWS\system32\svchost.exe[1044] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 02660038

.text C:\WINDOWS\system32\svchost.exe[1044] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 02660011

.text C:\WINDOWS\system32\svchost.exe[1044] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 02640FE5

.text C:\WINDOWS\system32\svchost.exe[1044] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 02640FD4

.text C:\WINDOWS\system32\svchost.exe[1044] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 02640000

.text C:\WINDOWS\system32\svchost.exe[1044] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 02640FB9

.text C:\WINDOWS\system32\svchost.exe[1044] WS2_32.dll!socket 71AB4211 5 Bytes JMP 02650FEF

.text C:\WINDOWS\system32\svchost.exe[1096] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00FE0FEF

.text C:\WINDOWS\system32\svchost.exe[1096] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00FE0089

.text C:\WINDOWS\system32\svchost.exe[1096] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00FE0078

.text C:\WINDOWS\system32\svchost.exe[1096] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00FE0067

.text C:\WINDOWS\system32\svchost.exe[1096] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00FE0FA8

.text C:\WINDOWS\system32\svchost.exe[1096] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00FE0025

.text C:\WINDOWS\system32\svchost.exe[1096] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00FE0F52

.text C:\WINDOWS\system32\svchost.exe[1096] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00FE009A

.text C:\WINDOWS\system32\svchost.exe[1096] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00FE00BF

.text C:\WINDOWS\system32\svchost.exe[1096] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00FE0F26

.text C:\WINDOWS\system32\svchost.exe[1096] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00FE0F0B

.text C:\WINDOWS\system32\svchost.exe[1096] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00FE0040

.text C:\WINDOWS\system32\svchost.exe[1096] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00FE000A

.text C:\WINDOWS\system32\svchost.exe[1096] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00FE0F6F

.text C:\WINDOWS\system32\svchost.exe[1096] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00FE0FC3

.text C:\WINDOWS\system32\svchost.exe[1096] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00FE0FD4

.text C:\WINDOWS\system32\svchost.exe[1096] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00FE0F41

.text C:\WINDOWS\system32\svchost.exe[1096] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 01170FC3

.text C:\WINDOWS\system32\svchost.exe[1096] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 0117005B

.text C:\WINDOWS\system32\svchost.exe[1096] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 01170FD4

.text C:\WINDOWS\system32\svchost.exe[1096] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 01170FEF

.text C:\WINDOWS\system32\svchost.exe[1096] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 01170F9E

.text C:\WINDOWS\system32\svchost.exe[1096] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 0117000A

.text C:\WINDOWS\system32\svchost.exe[1096] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 01170040

.text C:\WINDOWS\system32\svchost.exe[1096] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 0117002F

.text C:\WINDOWS\system32\svchost.exe[1096] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 01160053

.text C:\WINDOWS\system32\svchost.exe[1096] msvcrt.dll!system 77C293C7 5 Bytes JMP 01160FC8

.text C:\WINDOWS\system32\svchost.exe[1096] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0116002E

.text C:\WINDOWS\system32\svchost.exe[1096] msvcrt.dll!_open 77C2F566 5 Bytes JMP 0116000C

.text C:\WINDOWS\system32\svchost.exe[1096] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 01160FD9

.text C:\WINDOWS\system32\svchost.exe[1096] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0116001D

.text C:\WINDOWS\system32\svchost.exe[1096] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00FF0FE5

.text C:\WINDOWS\system32\svchost.exe[1096] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00FF0FD4

.text C:\WINDOWS\system32\svchost.exe[1096] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00FF0014

.text C:\WINDOWS\system32\svchost.exe[1096] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00FF0FB9

.text C:\WINDOWS\system32\svchost.exe[1096] WS2_32.dll!socket 71AB4211 5 Bytes JMP 0115000A

.text C:\WINDOWS\System32\svchost.exe[1292] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 006E000A

.text C:\WINDOWS\System32\svchost.exe[1292] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 006F000A

.text C:\WINDOWS\System32\svchost.exe[1292] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 006D000C

.text C:\WINDOWS\System32\svchost.exe[1292] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 02470FEF

.text C:\WINDOWS\System32\svchost.exe[1292] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 02470076

.text C:\WINDOWS\System32\svchost.exe[1292] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 0247005B

.text C:\WINDOWS\System32\svchost.exe[1292] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 0247004A

.text C:\WINDOWS\System32\svchost.exe[1292] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 02470039

.text C:\WINDOWS\System32\svchost.exe[1292] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0247001E

.text C:\WINDOWS\System32\svchost.exe[1292] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 02470F3F

.text C:\WINDOWS\System32\svchost.exe[1292] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 02470087

.text C:\WINDOWS\System32\svchost.exe[1292] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 02470F09

.text C:\WINDOWS\System32\svchost.exe[1292] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 024700AC

.text C:\WINDOWS\System32\svchost.exe[1292] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 024700BD

.text C:\WINDOWS\System32\svchost.exe[1292] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 02470F97

.text C:\WINDOWS\System32\svchost.exe[1292] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 02470FD4

.text C:\WINDOWS\System32\svchost.exe[1292] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 02470F5C

.text C:\WINDOWS\System32\svchost.exe[1292] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 02470FB2

.text C:\WINDOWS\System32\svchost.exe[1292] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 02470FC3

.text C:\WINDOWS\System32\svchost.exe[1292] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 02470F24

.text C:\WINDOWS\System32\svchost.exe[1292] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 02B10FB9

.text C:\WINDOWS\System32\svchost.exe[1292] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 02B1004A

.text C:\WINDOWS\System32\svchost.exe[1292] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 02B1000A

.text C:\WINDOWS\System32\svchost.exe[1292] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 02B10FD4

.text C:\WINDOWS\System32\svchost.exe[1292] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 02B10F8D

.text C:\WINDOWS\System32\svchost.exe[1292] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 02B10FEF

.text C:\WINDOWS\System32\svchost.exe[1292] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 02B10025

.text C:\WINDOWS\System32\svchost.exe[1292] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 02B10FA8

.text C:\WINDOWS\System32\svchost.exe[1292] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 00FA000A

.text C:\WINDOWS\System32\svchost.exe[1292] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 024A0F9A

.text C:\WINDOWS\System32\svchost.exe[1292] msvcrt.dll!system 77C293C7 5 Bytes JMP 024A0FAB

.text C:\WINDOWS\System32\svchost.exe[1292] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 024A0FCD

.text C:\WINDOWS\System32\svchost.exe[1292] msvcrt.dll!_open 77C2F566 5 Bytes JMP 024A0FEF

.text C:\WINDOWS\System32\svchost.exe[1292] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 024A0FBC

.text C:\WINDOWS\System32\svchost.exe[1292] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 024A0FDE

.text C:\WINDOWS\System32\svchost.exe[1292] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 02480FE5

.text C:\WINDOWS\System32\svchost.exe[1292] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 0248000A

.text C:\WINDOWS\System32\svchost.exe[1292] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 02480FD4

.text C:\WINDOWS\System32\svchost.exe[1292] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 02480FC3

.text C:\WINDOWS\System32\svchost.exe[1292] WS2_32.dll!socket 71AB4211 5 Bytes JMP 02490FE5

.text C:\WINDOWS\system32\svchost.exe[1452] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001B0FE5

.text C:\WINDOWS\system32\svchost.exe[1452] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001B004C

.text C:\WINDOWS\system32\svchost.exe[1452] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001B0031

.text C:\WINDOWS\system32\svchost.exe[1452] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001B0F57

.text C:\WINDOWS\system32\svchost.exe[1452] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001B0F72

.text C:\WINDOWS\system32\svchost.exe[1452] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001B0F94

.text C:\WINDOWS\system32\svchost.exe[1452] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001B007A

.text C:\WINDOWS\system32\svchost.exe[1452] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001B0069

.text C:\WINDOWS\system32\svchost.exe[1452] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001B008B

.text C:\WINDOWS\system32\svchost.exe[1452] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001B0EFC

.text C:\WINDOWS\system32\svchost.exe[1452] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 001B0EE1

.text C:\WINDOWS\system32\svchost.exe[1452] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 001B0F83

.text C:\WINDOWS\system32\svchost.exe[1452] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 001B0FD4

.text C:\WINDOWS\system32\svchost.exe[1452] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 001B0F3C

.text C:\WINDOWS\system32\svchost.exe[1452] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 001B0FAF

.text C:\WINDOWS\system32\svchost.exe[1452] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 001B0000

.text C:\WINDOWS\system32\svchost.exe[1452] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 001B0F17

.text C:\WINDOWS\system32\svchost.exe[1452] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 006F0036

.text C:\WINDOWS\system32\svchost.exe[1452] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 006F0FAF

.text C:\WINDOWS\system32\svchost.exe[1452] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 006F0FDB

.text C:\WINDOWS\system32\svchost.exe[1452] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 006F0011

.text C:\WINDOWS\system32\svchost.exe[1452] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 006F0FC0

.text C:\WINDOWS\system32\svchost.exe[1452] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 006F0000

.text C:\WINDOWS\system32\svchost.exe[1452] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 006F0062

.text C:\WINDOWS\system32\svchost.exe[1452] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 006F0047

.text C:\WINDOWS\system32\svchost.exe[1452] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 006E0FD4

.text C:\WINDOWS\system32\svchost.exe[1452] msvcrt.dll!system 77C293C7 5 Bytes JMP 006E0055

.text C:\WINDOWS\system32\svchost.exe[1452] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 006E003A

.text C:\WINDOWS\system32\svchost.exe[1452] msvcrt.dll!_open 77C2F566 5 Bytes JMP 006E000C

.text C:\WINDOWS\system32\svchost.exe[1452] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 006E0FE5

.text C:\WINDOWS\system32\svchost.exe[1452] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 006E001D

.text C:\WINDOWS\system32\svchost.exe[1452] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 001C0FEF

.text C:\WINDOWS\system32\svchost.exe[1452] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 001C0FDE

.text C:\WINDOWS\system32\svchost.exe[1452] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 001C0FCD

.text C:\WINDOWS\system32\svchost.exe[1452] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 001C0FBC

.text C:\WINDOWS\system32\svchost.exe[1452] WS2_32.dll!socket 71AB4211 5 Bytes JMP 006D000A

.text C:\WINDOWS\Explorer.EXE[1976] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B8000A

.text C:\WINDOWS\Explorer.EXE[1976] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00C2000A

.text C:\WINDOWS\Explorer.EXE[1976] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B7000C

.text C:\WINDOWS\Explorer.EXE[1976] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01AD0000

.text C:\WINDOWS\Explorer.EXE[1976] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01AD0062

.text C:\WINDOWS\Explorer.EXE[1976] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01AD0F6D

.text C:\WINDOWS\Explorer.EXE[1976] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01AD0F8A

.text C:\WINDOWS\Explorer.EXE[1976] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01AD003D

.text C:\WINDOWS\Explorer.EXE[1976] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01AD0FC0

.text C:\WINDOWS\Explorer.EXE[1976] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 01AD00B5

.text C:\WINDOWS\Explorer.EXE[1976] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 01AD009A

.text C:\WINDOWS\Explorer.EXE[1976] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 01AD00E1

.text C:\WINDOWS\Explorer.EXE[1976] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 01AD00D0

.text C:\WINDOWS\Explorer.EXE[1976] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 01AD0F2D

.text C:\WINDOWS\Explorer.EXE[1976] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 01AD0FA5

.text C:\WINDOWS\Explorer.EXE[1976] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 01AD0011

.text C:\WINDOWS\Explorer.EXE[1976] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 01AD007D

.text C:\WINDOWS\Explorer.EXE[1976] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 01AD002C

.text C:\WINDOWS\Explorer.EXE[1976] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 01AD0FDB

.text C:\WINDOWS\Explorer.EXE[1976] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 01AD0F52

.text C:\WINDOWS\Explorer.EXE[1976] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 01330FB9

.text C:\WINDOWS\Explorer.EXE[1976] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 01330043

.text C:\WINDOWS\Explorer.EXE[1976] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 0133000A

.text C:\WINDOWS\Explorer.EXE[1976] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 01330FD4

.text C:\WINDOWS\Explorer.EXE[1976] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 01330F86

.text C:\WINDOWS\Explorer.EXE[1976] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 01330FE5

.text C:\WINDOWS\Explorer.EXE[1976] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 01330F97

.text C:\WINDOWS\Explorer.EXE[1976] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [53, 89]

.text C:\WINDOWS\Explorer.EXE[1976] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 01330FA8

.text C:\WINDOWS\Explorer.EXE[1976] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 01320FAD

.text C:\WINDOWS\Explorer.EXE[1976] msvcrt.dll!system 77C293C7 5 Bytes JMP 01320038

.text C:\WINDOWS\Explorer.EXE[1976] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 01320027

.text C:\WINDOWS\Explorer.EXE[1976] msvcrt.dll!_open 77C2F566 5 Bytes JMP 01320FEF

.text C:\WINDOWS\Explorer.EXE[1976] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 01320FD2

.text C:\WINDOWS\Explorer.EXE[1976] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0132000C

.text C:\WINDOWS\Explorer.EXE[1976] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 01300000

.text C:\WINDOWS\Explorer.EXE[1976] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 01300011

.text C:\WINDOWS\Explorer.EXE[1976] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 01300FE5

.text C:\WINDOWS\Explorer.EXE[1976] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 01300040

.text C:\WINDOWS\Explorer.EXE[1976] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01310000

.text C:\WINDOWS\system32\svchost.exe[2072] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00DE0000

.text C:\WINDOWS\system32\svchost.exe[2072] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00DE0F4D

.text C:\WINDOWS\system32\svchost.exe[2072] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00DE0042

.text C:\WINDOWS\system32\svchost.exe[2072] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00DE0F68

.text C:\WINDOWS\system32\svchost.exe[2072] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00DE0F83

.text C:\WINDOWS\system32\svchost.exe[2072] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00DE001B

.text C:\WINDOWS\system32\svchost.exe[2072] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00DE0095

.text C:\WINDOWS\system32\svchost.exe[2072] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00DE0078

.text C:\WINDOWS\system32\svchost.exe[2072] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00DE0F32

.text C:\WINDOWS\system32\svchost.exe[2072] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00DE00CB

.text C:\WINDOWS\system32\svchost.exe[2072] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00DE0F17

.text C:\WINDOWS\system32\svchost.exe[2072] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00DE0F94

.text C:\WINDOWS\system32\svchost.exe[2072] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00DE0FDB

.text C:\WINDOWS\system32\svchost.exe[2072] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00DE0067

.text C:\WINDOWS\system32\svchost.exe[2072] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00DE0FAF

.text C:\WINDOWS\system32\svchost.exe[2072] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00DE0FCA

.text C:\WINDOWS\system32\svchost.exe[2072] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00DE00B0

.text C:\WINDOWS\system32\svchost.exe[2072] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 006F0FD4

.text C:\WINDOWS\system32\svchost.exe[2072] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 006F0FA8

.text C:\WINDOWS\system32\svchost.exe[2072] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 006F0025

.text C:\WINDOWS\system32\svchost.exe[2072] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 006F0014

.text C:\WINDOWS\system32\svchost.exe[2072] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 006F0065

.text C:\WINDOWS\system32\svchost.exe[2072] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 006F0FEF

.text C:\WINDOWS\system32\svchost.exe[2072] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 006F004A

.text C:\WINDOWS\system32\svchost.exe[2072] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 006F0FC3

.text C:\WINDOWS\system32\svchost.exe[2072] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 006E0FA1

.text C:\WINDOWS\system32\svchost.exe[2072] msvcrt.dll!system 77C293C7 5 Bytes JMP 006E0FB2

.text C:\WINDOWS\system32\svchost.exe[2072] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 006E0FD7

.text C:\WINDOWS\system32\svchost.exe[2072] msvcrt.dll!_open 77C2F566 5 Bytes JMP 006E0000

.text C:\WINDOWS\system32\svchost.exe[2072] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 006E0022

.text C:\WINDOWS\system32\svchost.exe[2072] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 006E0011

.text C:\WINDOWS\system32\svchost.exe[2072] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 006D0000

.text C:\WINDOWS\system32\svchost.exe[2072] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 006D0011

.text C:\WINDOWS\system32\svchost.exe[2072] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 006D002C

.text C:\WINDOWS\system32\svchost.exe[2072] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 006D0FDB

.text C:\WINDOWS\system32\SearchIndexer.exe[2316] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)

.text C:\WINDOWS\system32\wuauclt.exe[2400] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 009B000A

.text C:\WINDOWS\system32\wuauclt.exe[2400] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 009C000A

.text C:\WINDOWS\system32\wuauclt.exe[2400] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 009A000C

.text C:\WINDOWS\system32\wuauclt.exe[2400] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 02D20FEF

.text C:\WINDOWS\system32\wuauclt.exe[2400] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 02D20F48

.text C:\WINDOWS\system32\wuauclt.exe[2400] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 02D20047

.text C:\WINDOWS\system32\wuauclt.exe[2400] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 02D20036

.text C:\WINDOWS\system32\wuauclt.exe[2400] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 02D20F79

.text C:\WINDOWS\system32\wuauclt.exe[2400] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 02D2000A

.text C:\WINDOWS\system32\wuauclt.exe[2400] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 02D20F37

.text C:\WINDOWS\system32\wuauclt.exe[2400] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 02D2007F

.text C:\WINDOWS\system32\wuauclt.exe[2400] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 02D20EE6

.text C:\WINDOWS\system32\wuauclt.exe[2400] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 02D20F01

.text C:\WINDOWS\system32\wuauclt.exe[2400] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 02D20ECB

.text C:\WINDOWS\system32\wuauclt.exe[2400] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 02D2001B

.text C:\WINDOWS\system32\wuauclt.exe[2400] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 02D20FD4

.text C:\WINDOWS\system32\wuauclt.exe[2400] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 02D20062

.text C:\WINDOWS\system32\wuauclt.exe[2400] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 02D20FA8

.text C:\WINDOWS\system32\wuauclt.exe[2400] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 02D20FC3

.text C:\WINDOWS\system32\wuauclt.exe[2400] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 02D20F1C

.text C:\WINDOWS\system32\wuauclt.exe[2400] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 02D00053

.text C:\WINDOWS\system32\wuauclt.exe[2400] msvcrt.dll!system 77C293C7 5 Bytes JMP 02D00FBE

.text C:\WINDOWS\system32\wuauclt.exe[2400] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 02D0001D

.text C:\WINDOWS\system32\wuauclt.exe[2400] msvcrt.dll!_open 77C2F566 5 Bytes JMP 02D00FEF

.text C:\WINDOWS\system32\wuauclt.exe[2400] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 02D0002E

.text C:\WINDOWS\system32\wuauclt.exe[2400] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 02D0000C

.text C:\WINDOWS\system32\wuauclt.exe[2400] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 02D10FC0

.text C:\WINDOWS\system32\wuauclt.exe[2400] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 02D10F91

.text C:\WINDOWS\system32\wuauclt.exe[2400] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 02D10FE5

.text C:\WINDOWS\system32\wuauclt.exe[2400] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 02D1001B

.text C:\WINDOWS\system32\wuauclt.exe[2400] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 02D1004E

.text C:\WINDOWS\system32\wuauclt.exe[2400] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 02D10000

.text C:\WINDOWS\system32\wuauclt.exe[2400] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 02D1003D

.text C:\WINDOWS\system32\wuauclt.exe[2400] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 02D1002C

.text C:\WINDOWS\system32\wuauclt.exe[2400] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 02CE000A

.text C:\WINDOWS\system32\wuauclt.exe[2400] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 02CE0FEF

.text C:\WINDOWS\system32\wuauclt.exe[2400] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 02CE0FD4

.text C:\WINDOWS\system32\wuauclt.exe[2400] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 02CE0025

.text C:\WINDOWS\system32\wuauclt.exe[2400] WS2_32.dll!socket 71AB4211 5 Bytes JMP 02CF0FEF

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\System32\DRIVERS\RDPCDD.sys suspicious modification

---- EOF - GMER 1.0.15 ----

[Elise]

Hello again, you have a nasty rootkit on board. Before starting the fix, please consider the following information.

BACKDOOR WARNING

------------------------------

One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advice you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.

COMBOFIX

---------------

Please download ComboFix from one of these locations:

Bleepingcomputer
ForoSpyware

• Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  
• Double click on Combofix.exe and follow the prompts.
  
• As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  

**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

[yos77]

thank you for your help. Here is the log, again it is 77 pages long it is attached.

combifix_log_5_25_10.txt

[yos77]

thank you for your help. Here is the log, again it is 77 pages long it is attached.

the small windows pop up "interactive ads" videos are still popping up

[yos77]

the small windows pop up "interactive ads" videos are still popping up

the redirect is also still there

[Elise]

Don't worry, we are not yet done here

CF-SCRIPT

-------------

We need to execute a CF-script.

• Close any open browsers.
  
• Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  
• Click Start > Run and in the box that opens type notepad and press enter. Copy/paste the text in the codebox below into it:
  

RenV::
c:\program files\Adobe\Reader 8.0\Reader\reader_sl .exe
c:\program files\Adobe\Reader 9.0\Reader\Reader_sl .exe
c:\program files\Common Files\Adobe\ARM\1.0\adobearm .exe
c:\program files\Common Files\InstallShield\UpdateService\issch .exe
c:\program files\Common Files\InstallShield\UpdateService\isuspm .exe
c:\program files\Common Files\Java\Java Update\jusched .exe
c:\program files\Common Files\Real\Update_OB\realsched .exe
c:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\ssbkgdupdate .exe
c:\program files\Dell Support Center\gs_agent\custom\dsca .exe
c:\program files\eFax Messenger 4.4\j2gdllcmd .exe
c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
c:\program files\iTunes\ituneshelper .exe
c:\program files\IVT Corporation\BlueSoleil\bttray .exe
c:\program files\Logitech\Logitech Vid\vid .exe
c:\program files\Logitech\Logitech WebCam Software\lws .exe
c:\program files\McAfee.com\Agent\mcagent .exe
c:\program files\Mobile Action\Bluetooth Manager\mabtsh .exe
c:\program files\QuickTime\qttask		  .exe
c:\program files\ScanSoft\OmniPageSE4\opwarese4 .exe
c:\program files\Windows Defender\MSASCui .exe
c:\windows\pchealth\helpctr\binaries\msconfig .exe

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\puinsd]

File::
c:\windows\system32\puinsd.dll

Save this as CFScript.txt, in the same location as ComboFix.exe

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

[yos77]

ok here you go!

ComboFix 10-05-25.02 - Eric Rave 05/25/2010 23:33:50.5.4 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.263.1033.18.1013.496 [GMT -4:00]

Running from: c:\documents and settings\Eric Rave\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Eric Rave\Desktop\CFScript.txt

AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: AVG Firewall *disabled* {8decf618-9569-4340-b34a-d78d28969b66}

FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

* Resident AV is active

FILE ::

"c:\windows\system32\puinsd.dll"

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\system32\puinsd.dll

Infected copy of c:\windows\system32\drivers\rdpcdd.sys was found and disinfected

Restored copy from - Kitty had a snack

.

((((((((((((((((((((((((( Files Created from 2010-04-26 to 2010-05-26 )))))))))))))))))))))))))))))))

.

2010-05-24 21:16 . 2007-12-04 21:10 16640 ----a-r- c:\windows\system32\drivers\PalmUSBD.sys

2010-05-18 23:32 . 2010-05-18 23:32 -------- d-----w- c:\program files\Microsoft Silverlight

2010-05-16 20:29 . 2010-05-16 20:29 52928 ----a-w- c:\documents and settings\NetworkService\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-05-12 03:02 . 2010-05-18 18:01 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore

2010-05-12 02:21 . 2010-05-12 02:21 -------- d-----w- c:\documents and settings\All Users\Application Data\SiteAdvisor

2010-05-12 02:20 . 2010-05-12 02:20 132 ----a-w- c:\documents and settings\Eric Rave\Local Settings\Application Data\fusioncache.dat

2010-05-12 02:16 . 2010-02-17 20:52 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys

2010-05-12 02:16 . 2010-02-17 20:52 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys

2010-05-12 02:16 . 2010-02-17 20:52 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys

2010-05-12 02:16 . 2009-07-16 16:32 120136 ----a-w- c:\windows\system32\drivers\Mpfp.sys

2010-05-12 02:15 . 2010-05-12 02:16 -------- d-----w- c:\program files\Common Files\McAfee

2010-05-12 02:15 . 2010-05-12 02:15 -------- d-----w- c:\program files\McAfee.com

2010-05-12 02:15 . 2010-05-25 02:54 -------- d-----w- c:\program files\McAfee

2010-05-12 02:05 . 2010-02-17 20:52 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys

2010-05-12 01:42 . 2010-05-12 13:37 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee

2010-05-12 01:37 . 2010-05-12 01:37 -------- d-----w- c:\documents and settings\Eric Rave\Application Data\Canneverbe Limited

2010-05-12 01:37 . 2010-05-12 01:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Canneverbe Limited

2010-05-12 01:36 . 2009-11-12 18:48 7168 ----a-w- c:\windows\system32\drivers\StarOpen.sys

2010-05-12 01:36 . 2010-05-12 01:37 -------- d-----w- c:\program files\CDBurnerXP

2010-05-12 01:23 . 2009-08-21 16:15 557568 ----a-w- c:\windows\system32\B4FM.dll

2010-05-12 01:23 . 2010-05-12 01:23 -------- d-----w- c:\program files\Burn4Free

2010-05-11 20:43 . 2010-05-12 02:05 -------- d-----w- c:\program files\Spyware Doctor

2010-05-11 20:43 . 2010-05-12 02:05 -------- d-----w- c:\program files\Common Files\PC Tools

2010-05-11 20:39 . 2010-05-11 20:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater

2010-05-11 11:30 . 2008-04-14 09:41 28160 ----a-w- c:\windows\system32\irmon.dll

2010-05-11 11:30 . 2008-04-14 09:41 28160 ----a-w- c:\windows\system32\dllcache\irmon.dll

2010-05-11 11:30 . 2008-04-14 09:42 151552 ----a-w- c:\windows\system32\irftp.exe

2010-05-11 11:30 . 2008-04-14 09:42 151552 ----a-w- c:\windows\system32\dllcache\irftp.exe

2010-05-11 11:30 . 2008-04-14 09:42 8192 ----a-w- c:\windows\system32\wshirda.dll

2010-05-11 11:30 . 2008-04-14 09:42 8192 ----a-w- c:\windows\system32\dllcache\wshirda.dll

2010-05-11 02:01 . 2010-05-24 17:31 12872 ----a-w- c:\windows\system32\bootdelete.exe

2010-05-11 01:57 . 2010-05-26 03:54 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys

2010-05-11 01:57 . 2010-05-11 02:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro

2010-05-11 01:57 . 2010-05-11 01:57 -------- d-----w- c:\program files\Hitman Pro 3.5

2010-05-10 23:13 . 2010-05-10 23:13 -------- d-----w- c:\documents and settings\All Users\Application Data\FrontLine Registry Cleaner

2010-05-10 23:13 . 2010-05-10 23:20 -------- d-----w- c:\program files\Frontline Registry Cleaner

2010-05-10 18:18 . 2010-05-10 18:18 2 --shatr- c:\windows\winstart.bat

2010-05-10 18:18 . 2010-05-11 02:07 -------- d-----w- c:\program files\UnHackMe

2010-05-10 15:03 . 2010-05-10 15:03 -------- d-----w- c:\program files\Common Files\Scanner

2010-05-10 15:01 . 2010-05-11 02:10 -------- d-----w- c:\program files\Yahoo!

2010-05-10 15:01 . 2010-05-10 15:01 -------- d-----w- c:\documents and settings\Eric Rave\Application Data\Yahoo!

2010-05-10 14:18 . 2010-05-10 14:18 -------- d-----w- C:\AVGTemp

2010-05-07 15:05 . 2010-05-07 15:05 -------- d-sh--w- c:\documents and settings\NetworkService\IECompatCache

2010-05-07 15:02 . 2010-05-07 15:02 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE

2010-05-07 14:55 . 2010-05-26 03:33 -------- d-----w- c:\program files\Windows Defender

2010-05-06 03:05 . 2008-04-14 09:42 116224 ----a-w- c:\windows\system32\dllcache\xrxwiadr.dll

2010-05-06 03:05 . 2001-08-18 02:36 23040 ----a-w- c:\windows\system32\dllcache\xrxwbtmp.dll

2010-05-06 03:05 . 2008-04-14 09:42 18944 ----a-w- c:\windows\system32\dllcache\xrxscnui.dll

2010-05-06 03:05 . 2001-08-18 02:37 27648 ----a-w- c:\windows\system32\dllcache\xrxftplt.exe

2010-05-06 03:05 . 2001-08-18 02:37 4608 ----a-w- c:\windows\system32\dllcache\xrxflnch.exe

2010-05-06 03:05 . 2001-08-18 02:37 99865 ----a-w- c:\windows\system32\dllcache\xlog.exe

2010-05-06 03:05 . 2001-08-17 16:11 16970 ----a-w- c:\windows\system32\dllcache\xem336n5.sys

2010-05-06 03:05 . 2008-04-14 02:04 19455 ----a-w- c:\windows\system32\dllcache\wvchntxx.sys

2010-05-06 03:05 . 2008-04-14 02:04 12063 ----a-w- c:\windows\system32\dllcache\wsiintxx.sys

2010-05-06 03:05 . 2008-04-14 04:06 8832 ----a-w- c:\windows\system32\dllcache\wmiacpi.sys

2010-05-06 03:05 . 2008-04-14 02:05 154624 ----a-w- c:\windows\system32\dllcache\wlluc48.sys

2010-05-06 03:05 . 2001-08-17 16:12 34890 ----a-w- c:\windows\system32\dllcache\wlandrv2.sys

2010-05-06 03:03 . 2001-08-17 17:28 794399 ----a-w- c:\windows\system32\dllcache\usr1806v.sys

2010-05-06 03:02 . 2008-04-14 09:42 82944 ----a-w- c:\windows\system32\dllcache\tp4mon.exe

2010-05-06 03:01 . 2001-08-18 02:36 53248 ----a-w- c:\windows\system32\dllcache\stlncoin.dll

2010-05-06 03:00 . 2001-08-18 02:36 28672 ----a-w- c:\windows\system32\dllcache\sma0w.dll

2010-05-06 02:59 . 2001-08-17 17:51 16640 ----a-w- c:\windows\system32\dllcache\scmstcs.sys

2010-05-06 02:58 . 2001-08-17 17:51 19584 ----a-w- c:\windows\system32\dllcache\rasirda.sys

2010-05-06 02:57 . 2001-08-17 16:11 35328 ----a-w- c:\windows\system32\dllcache\pcntpci5.sys

2010-05-06 02:56 . 2001-08-17 17:53 7552 ----a-w- c:\windows\system32\dllcache\nsmmc.sys

2010-05-06 02:55 . 2008-04-14 04:24 22016 ----a-w- c:\windows\system32\dllcache\msircomm.sys

2010-05-06 02:54 . 2001-08-17 17:51 15744 ----a-w- c:\windows\system32\dllcache\lit220p.sys

2010-05-06 02:53 . 2001-08-18 02:36 45056 ----a-w- c:\windows\system32\dllcache\icam5com.dll

2010-05-06 02:52 . 2001-08-18 02:36 165888 ----a-w- c:\windows\system32\dllcache\hpgt53.dll

2010-05-06 02:51 . 2001-08-17 16:11 11850 ----a-w- c:\windows\system32\dllcache\f3ab18xj.sys

2010-05-06 02:50 . 2001-08-17 16:12 28062 ----a-w- c:\windows\system32\dllcache\dp83820.sys

2010-05-06 02:49 . 2001-08-17 16:13 21533 ----a-w- c:\windows\system32\dllcache\cpqndis5.sys

2010-05-06 02:48 . 2001-08-17 16:49 75136 ----a-w- c:\windows\system32\dllcache\atimpae.sys

2010-05-06 00:32 . 2010-05-12 02:05 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2010-05-05 23:18 . 2010-05-05 23:19 -------- d-----w- c:\documents and settings\Eric Rave\Local Settings\Application Data\Deployment

2010-05-05 21:36 . 2010-05-05 21:35 411368 ----a-w- c:\windows\system32\deployJava1.dll

2010-05-05 19:34 . 2010-05-05 19:34 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla

2010-05-05 19:33 . 2010-05-05 19:33 -------- d-sh--w- c:\documents and settings\Administrator\IECompatCache

2010-05-05 19:33 . 2010-05-05 19:33 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE

2010-05-05 19:33 . 2010-05-05 19:33 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache

2010-05-05 17:50 . 2010-05-05 17:50 -------- d-----w- c:\program files\Common Files\xing shared

2010-05-05 17:12 . 2010-05-05 17:12 -------- d-----w- c:\program files\Realtek

2010-05-05 16:23 . 2010-05-05 16:23 -------- d-----w- c:\program files\Intel Corporation

2010-05-05 15:35 . 2008-04-14 09:41 81920 ----a-w- c:\windows\system32\dllcache\ieencode.dll

2010-05-05 15:35 . 2008-04-14 09:41 81920 ------w- c:\windows\system32\ieencode.dll

2010-05-04 23:16 . 2010-05-04 23:17 -------- dc-h--w- c:\windows\ie8

2010-05-04 14:00 . 2010-05-04 14:00 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2010-05-04 13:58 . 2010-05-11 11:31 -------- d-----w- c:\program files\SUPERAntiSpyware

2010-05-04 13:58 . 2010-05-04 13:58 -------- d-----w- c:\documents and settings\Eric Rave\Application Data\SUPERAntiSpyware.com

2010-05-04 13:57 . 2010-05-04 13:57 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard

2010-05-02 17:30 . 2010-05-02 17:30 -------- d-----w- c:\documents and settings\Eric Rave\Application Data\AVG9

2010-05-02 03:16 . 2008-04-13 15:39 142592 ----a-w- c:\windows\system32\drivers\aec.sys

2010-05-02 03:16 . 2008-04-13 15:39 142592 ----a-w- c:\windows\system32\dllcache\aec.sys

2010-04-27 11:01 . 2010-04-27 11:01 552 ----a-w- c:\windows\system32\d3d8caps.dat

2010-04-27 05:20 . 2010-04-27 05:20 -------- d-----w- C:\$AVG

2010-04-27 04:14 . 2010-04-27 09:01 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS

2010-04-27 03:25 . 2010-04-27 03:25 -------- d-----w- c:\program files\AVG

2010-04-27 03:25 . 2010-05-10 14:26 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9

2010-04-26 22:49 . 2010-04-26 22:49 145 ----a-w- c:\program files\ypp_2420718.bat

2010-04-26 22:47 . 2010-04-26 22:47 145 ----a-w- c:\program files\ypp_2333468.bat

2010-04-26 11:54 . 2010-05-18 04:35 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-05-26 03:51 . 2010-02-16 16:30 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs

2010-05-26 03:51 . 2010-02-16 16:27 0 ----a-w- c:\windows\system32\drivers\logiflt.iad

2010-05-26 03:33 . 2009-12-11 15:45 -------- d-----w- c:\program files\QuickTime

2010-05-26 03:33 . 2010-03-17 15:58 -------- d-----w- c:\program files\iTunes

2010-05-26 03:33 . 2010-02-17 20:01 -------- d-----w- c:\program files\eFax Messenger 4.4

2010-05-26 03:28 . 2004-08-10 18:51 4224 ----a-w- c:\windows\system32\drivers\rdpcdd.sys

2010-05-24 23:46 . 2009-12-15 22:18 -------- d-----w- c:\program files\Palm

2010-05-24 20:17 . 2008-03-13 16:42 -------- d-----w- c:\program files\Trend Micro

2010-05-21 20:47 . 2008-06-18 22:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2010-05-21 20:47 . 2008-06-18 22:59 -------- d-----w- c:\program files\Spybot - Search & Destroy

2010-05-21 18:57 . 2010-04-30 16:28 112 ----a-w- c:\documents and settings\All Users\Application Data\vNX2JN.dat

2010-05-21 17:41 . 2010-02-14 03:04 -------- d-----w- c:\documents and settings\Eric Rave\Application Data\PrimoPDF

2010-05-18 09:15 . 2008-06-04 23:18 664 ----a-w- c:\windows\system32\d3d9caps.dat

2010-05-11 20:39 . 2008-03-13 16:46 -------- d-----w- c:\program files\Google

2010-05-11 12:30 . 2008-04-01 16:31 52928 ----a-w- c:\documents and settings\Eric Rave\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-05-10 19:51 . 2008-03-13 16:45 -------- d-----w- c:\program files\Common Files\Adobe

2010-05-05 21:35 . 2008-03-13 16:37 -------- d-----w- c:\program files\Java

2010-05-05 17:51 . 2010-01-24 18:25 -------- d-----w- c:\program files\Common Files\Real

2010-05-05 17:50 . 2010-01-24 18:25 -------- d-----w- c:\program files\Real

2010-05-05 17:50 . 2003-03-19 01:14 499712 ----a-w- c:\windows\system32\msvcp71.dll

2010-05-05 17:50 . 2003-02-21 09:42 348160 ----a-w- c:\windows\system32\msvcr71.dll

2010-05-05 17:12 . 2008-03-13 16:38 -------- d--h--w- c:\program files\InstallShield Installation Information

2010-04-27 08:46 . 2010-04-18 15:53 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-04-27 05:45 . 2008-09-25 16:26 -------- d-----w- c:\program files\Voice

2010-04-27 04:07 . 2008-03-13 16:46 -------- d-----w- c:\program files\Dell

2010-04-27 03:30 . 2004-08-04 04:59 96512 ----a-w- c:\windows\system32\drivers\atapi.sys

2010-04-26 01:13 . 2010-04-26 01:13 -------- d-----w- c:\documents and settings\All Users\Application Data\avG

2010-04-26 00:26 . 2010-04-26 00:26 137 ----a-w- c:\program files\ypp_2270203.bat

2010-04-26 00:24 . 2010-01-26 01:23 -------- d-----w- c:\documents and settings\Eric Rave\Application Data\uTorrent

2010-04-26 00:18 . 2010-04-26 00:18 137 ----a-w- c:\program files\ypp_1807859.bat

2010-04-26 00:16 . 2010-04-26 00:16 137 ----a-w- c:\program files\ypp_1720859.bat

2010-04-26 00:16 . 2010-04-26 00:16 137 ----a-w- c:\program files\ypp_1719906.bat

2010-04-26 00:16 . 2010-04-26 00:16 137 ----a-w- c:\program files\ypp_1719250.bat

2010-04-25 18:22 . 2008-09-29 17:54 -------- d-----w- c:\documents and settings\Eric Rave\Application Data\SendSpace Wizard

2010-04-18 15:54 . 2010-04-18 15:54 -------- d-----w- c:\documents and settings\Eric Rave\Application Data\Malwarebytes

2010-04-18 15:53 . 2010-04-18 15:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-04-18 02:32 . 2010-04-18 02:32 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Application Updater

2010-04-15 03:49 . 2008-03-31 16:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2010-03-30 04:46 . 2010-04-18 15:53 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-03-30 04:45 . 2010-04-18 15:53 20824 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-03-10 06:15 . 2004-08-10 18:51 420352 ----a-w- c:\windows\system32\vbscript.dll

2010-02-25 06:24 . 2004-08-10 18:51 916480 ----a-w- c:\windows\system32\wininet.dll

.

<pre>
c:\program files\Common Files\Adobe\ARM\1.0\adobearm .exe
c:\program files\McAfee.com\Agent\mcagent .exe
</pre>

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-05-11 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]

"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]

"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-02-11 1218008]

"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2009-07-08 1176808]

"HitmanPro35"="c:\program files\Hitman Pro 3.5\HitmanPro35.exe" [2010-05-24 5937984]

"HotSync"="c:\program files\PalmSource\Desktop\HotSync.exe" [N/A]

"McAfee Backup"="c:\program files\McAfee\MBK\McAfeeDataBackup.exe" [2009-07-09 5134864]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

HotSync Manager.lnk - c:\program files\Palm\Hotsync.exe [2008-1-3 1392640]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk

backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HOTSYNCSHORTCUTNAME.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HOTSYNCSHORTCUTNAME.lnk

backup=c:\windows\pss\HOTSYNCSHORTCUTNAME.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk

backup=c:\windows\pss\Logitech SetPoint.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk

backup=c:\windows\pss\Windows Search.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^01E7A.exe.exe]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\01E7A.exe.exe

backup=c:\windows\pss\01E7A.exe.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^03806.exe.exe]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\03806.exe.exe

backup=c:\windows\pss\03806.exe.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^04267.exe.exe]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\04267.exe.exe

backup=c:\windows\pss\04267.exe.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^06B57.exe.exe]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\06B57.exe.exe

backup=c:\windows\pss\06B57.exe.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^06E96.exe.exe]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\06E96.exe.exe

backup=c:\windows\pss\06E96.exe.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^0733C.exe.exe]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\0733C.exe.exe

backup=c:\windows\pss\0733C.exe.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^08274.exe.exe]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\08274.exe.exe

backup=c:\windows\pss\08274.exe.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^0AAC7.exe.exe]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\0AAC7.exe.exe

backup=c:\windows\pss\0AAC7.exe.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^0AE46.exe.exe]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\0AE46.exe.exe

backup=c:\windows\pss\0AE46.exe.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^0E647.exe.exe]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\0E647.exe.exe

backup=c:\windows\pss\0E647.exe.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^0EE14.exe.exe]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\0EE14.exe.exe

backup=c:\windows\pss\0EE14.exe.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^0F170.exe.exe]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\0F170.exe.exe

backup=c:\windows\pss\0F170.exe.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^0F40C.exe.exe]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\0F40C.exe.exe

backup=c:\windows\pss\0F40C.exe.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^0F890.exe.exe]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\0F890.exe.exe

backup=c:\windows\pss\0F890.exe.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^10973.exe.exe]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\10973.exe.exe

backup=c:\windows\pss\10973.exe.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^10E74.exe.exe]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\10E74.exe.exe

backup=c:\windows\pss\10E74.exe.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^12526.exe.exe]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\12526.exe.exe

backup=c:\windows\pss\12526.exe.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^13B36.exe.exe]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\13B36.exe.exe

backup=c:\windows\pss\13B36.exe.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^17074.exe.exe]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\17074.exe.exe

backup=c:\windows\pss\17074.exe.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^17436.exe.exe]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\17436.exe.exe

backup=c:\windows\pss\17436.exe.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^195BA.exe.exe]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\195BA.exe.exe

backup=c:\windows\pss\195BA.exe.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^19CEF.exe.exe]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\19CEF.exe.exe

backup=c:\windows\pss\19CEF.exe.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^1A11D.exe.exe]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\1A11D.exe.exe

backup=c:\windows\pss\1A11D.exe.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^1A4DF.exe.exe]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\1A4DF.exe.exe

backup=c:\windows\pss\1A4DF.exe.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^1A7F4.exe.exe]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\1A7F4.exe.exe

backup=c:\windows\pss\1A7F4.exe.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^1B199.exe.exe]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\1B199.exe.exe

backup=c:\windows\pss\1B199.exe.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^1D7E5.exe.exe]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\1D7E5.exe.exe

backup=c:\windows\pss\1D7E5.exe.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^1E820.exe.exe]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\1E820.exe.exe

backup=c:\windows\pss\1E820.exe.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^1FA38.exe.exe]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\1FA38.exe.exe

backup=c:\windows\pss\1FA38.exe.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^20F64.exe.exe]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\20F64.exe.exe

backup=c:\windows\pss\20F64.exe.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^237DB.exe.exe]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\237DB.exe.exe

backup=c:\windows\pss\237DB.exe.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^25486.exe.exe]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\25486.exe.exe

backup=c:\windows\pss\25486.exe.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^2D843.exe.exe]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\2D843.exe.exe

backup=c:\windows\pss\2D843.exe.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^2E35E.exe.exe]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\2E35E.exe.exe

backup=c:\windows\pss\2E35E.exe.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^2F506.exe.exe]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\2F506.exe.exe

backup=c:\windows\pss\2F506.exe.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^3300B.exe.exe]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\3300B.exe.exe

backup=c:\windows\pss\3300B.exe.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^33E3C.exe.exe]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\33E3C.exe.exe

backup=c:\windows\pss\33E3C.exe.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^34EE8.exe.exe]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\34EE8.exe.exe

backup=c:\windows\pss\34EE8.exe.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^36883.exe.exe]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\36883.exe.exe

backup=c:\windows\pss\36883.exe.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^371C2.exe.exe]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\371C2.exe.exe

backup=c:\windows\pss\371C2.exe.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^37DDA.exe.exe]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\37DDA.exe.exe

backup=c:\windows\pss\37DDA.exe.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^385A1.exe.exe]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\385A1.exe.exe

backup=c:\windows\pss\385A1.exe.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^38CFB.exe.exe]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\38CFB.exe.exe

backup=c:\windows\pss\38CFB.exe.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^3A777.exe.exe]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\3A777.exe.exe

backup=c:\windows\pss\3A777.exe.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^4008B.exe.exe]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\4008B.exe.exe

backup=c:\windows\pss\4008B.exe.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^4026E.exe.exe]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\4026E.exe.exe

backup=c:\windows\pss\4026E.exe.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^41B77.exe.exe]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\41B77.exe.exe

backup=c:\windows\pss\41B77.exe.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^44867.exe.exe]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\44867.exe.exe

backup=c:\windows\pss\44867.exe.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^488C7.exe.exe]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\488C7.exe.exe

backup=c:\windows\pss\488C7.exe.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^48EC7.exe.exe]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\48EC7.exe.exe

backup=c:\windows\pss\48EC7.exe.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^4CCAA.exe.exe]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\4CCAA.exe.exe

backup=c:\windows\pss\4CCAA.exe.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^4FACF.exe.exe]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\4FACF.exe.exe

backup=c:\windows\pss\4FACF.exe.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^50FB7.exe.exe]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\50FB7.exe.exe

backup=c:\windows\pss\50FB7.exe.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^51654.exe.exe]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\51654.exe.exe

backup=c:\windows\pss\51654.exe.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^51A93.exe.exe]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\51A93.exe.exe

backup=c:\windows\pss\51A93.exe.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^53B59.exe.exe]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\53B59.exe.exe

backup=c:\windows\pss\53B59.exe.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^5541D.exe.exe]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\5541D.exe.exe

backup=c:\windows\pss\5541D.exe.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^57BCB.exe.exe]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\57BCB.exe.exe

backup=c:\windows\pss\57BCB.exe.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^595D0.exe.exe]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\595D0.exe.exe

backup=c:\windows\pss\595D0.exe.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^5B72A.exe.exe]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\5B72A.exe.exe

backup=c:\windows\pss\5B72A.exe.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^619FE.exe.exe]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\619FE.exe.exe

backup=c:\windows\pss\619FE.exe.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^61B2F.exe.exe]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\61B2F.exe.exe

backup=c:\windows\pss\61B2F.exe.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^63AC1.exe.exe]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\63AC1.exe.exe

backup=c:\windows\pss\63AC1.exe.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^64773.exe.exe]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\64773.exe.exe

backup=c:\windows\pss\64773.exe.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^6494C.exe.exe]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\6494C.exe.exe

backup=c:\windows\pss\6494C.exe.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^692A9.exe.exe]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\692A9.exe.exe

backup=c:\windows\pss\692A9.exe.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^6B01A.exe.exe]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\6B01A.exe.exe

backup=c:\windows\pss\6B01A.exe.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^6B301.exe.exe]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\6B301.exe.exe

backup=c:\windows\pss\6B301.exe.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^6E126.exe.exe]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\6E126.exe.exe

backup=c:\windows\pss\6E126.exe.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^70068.exe.exe]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\70068.exe.exe

backup=c:\windows\pss\70068.exe.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^74506.exe.exe]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\74506.exe.exe

backup=c:\windows\pss\74506.exe.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^7627D.exe.exe]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\7627D.exe.exe

backup=c:\windows\pss\7627D.exe.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^7639F.exe.exe]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\7639F.exe.exe

backup=c:\windows\pss\7639F.exe.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^77074.exe.exe]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\77074.exe.exe

backup=c:\windows\pss\77074.exe.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^78D6D.exe.exe]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\78D6D.exe.exe

backup=c:\windows\pss\78D6D.exe.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^7986D.exe.exe]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\7986D.exe.exe

backup=c:\windows\pss\7986D.exe.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^7E7A4.exe.exe]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\7E7A4.exe.exe

backup=c:\windows\pss\7E7A4.exe.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^7F8DE.exe.exe]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\7F8DE.exe.exe

backup=c:\windows\pss\7F8DE.exe.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^80576.exe.exe]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\80576.exe.exe

backup=c:\windows\pss\80576.exe.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^81267.exe.exe]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\81267.exe.exe

backup=c:\windows\pss\81267.exe.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^83AA3.exe.exe]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\83AA3.exe.exe

backup=c:\windows\pss\83AA3.exe.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^85498.exe.exe]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\85498.exe.exe

backup=c:\windows\pss\85498.exe.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^863EA.exe.exe]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\863EA.exe.exe

backup=c:\windows\pss\863EA.exe.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^885E8.exe.exe]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\885E8.exe.exe

backup=c:\windows\pss\885E8.exe.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^89FF9.exe.exe]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\89FF9.exe.exe

backup=c:\windows\pss\89FF9.exe.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^8AE61.exe.exe]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\8AE61.exe.exe

backup=c:\windows\pss\8AE61.exe.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^8B122.exe.exe]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\8B122.exe.exe

backup=c:\windows\pss\8B122.exe.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^8B3A5.exe.exe]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\8B3A5.exe.exe

backup=c:\windows\pss\8B3A5.exe.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^8C1C6.exe.exe]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\8C1C6.exe.exe

backup=c:\windows\pss\8C1C6.exe.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^8CF2F.exe.exe]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\8CF2F.exe.exe

backup=c:\windows\pss\8CF2F.exe.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^90E56.exe.exe]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\90E56.exe.exe

backup=c:\windows\pss\90E56.exe.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^913F6.exe.exe]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\913F6.exe.exe

backup=c:\windows\pss\913F6.exe.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^92C2C.exe.exe]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\92C2C.exe.exe

backup=c:\windows\pss\92C2C.exe.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^93065.exe.exe]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\93065.exe.exe

backup=c:\windows\pss\93065.exe.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^944EF.exe.exe]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\944EF.exe.exe

backup=c:\windows\pss\944EF.exe.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^998EE.exe.exe]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\998EE.exe.exe

backup=c:\windows\pss\998EE.exe.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^99EE9.exe.exe]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\99EE9.exe.exe

backup=c:\windows\pss\99EE9.exe.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^9A3E1.exe.exe]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\9A3E1.exe.exe

backup=c:\windows\pss\9A3E1.exe.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^9B3AA.exe.exe]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\9B3AA.exe.exe

backup=c:\windows\pss\9B3AA.exe.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^A0936.exe.exe]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\A0936.exe.exe

backup=c:\windows\pss\A0936.exe.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^A14AF.exe.exe]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\A14AF.exe.exe

backup=c:\windows\pss\A14AF.exe.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^A161B.exe.exe]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\A161B.exe.exe

backup=c:\windows\pss\A161B.exe.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^A265F.exe.exe]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\A265F.exe.exe

backup=c:\windows\pss\A265F.exe.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^A2891.exe.exe]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\A2891.exe.exe

backup=c:\windows\pss\A2891.exe.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^A7B11.exe.exe]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\A7B11.exe.exe

backup=c:\windows\pss\A7B11.exe.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^A8B7C.exe.exe]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\A8B7C.exe.exe

backup=c:\windows\pss\A8B7C.exe.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^A8B87.exe.exe]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\A8B87.exe.exe

backup=c:\windows\pss\A8B87.exe.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^AA0A6.exe.exe]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\AA0A6.exe.exe

backup=c:\windows\pss\AA0A6.exe.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^AA8D9.exe.exe]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\AA8D9.exe.exe

backup=c:\windows\pss\AA8D9.exe.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^ACFBE.exe.exe]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\ACFBE.exe.exe

backup=c:\windows\pss\ACFBE.exe.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^AEA89.exe.exe]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\AEA89.exe.exe

backup=c:\windows\pss\AEA89.exe.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^AF1FA.exe.exe]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\AF1FA.exe.exe

backup=c:\windows\pss\AF1FA.exe.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^B2E8C.exe.exe]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\B2E8C.exe.exe

backup=c:\windows\pss\B2E8C.exe.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^B604B.exe.exe]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\B604B.exe.exe

backup=c:\windows\pss\B604B.exe.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^B8116.exe.exe]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\B8116.exe.exe

backup=c:\windows\pss\B8116.exe.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^B87CC.exe.exe]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\B87CC.exe.exe

backup=c:\windows\pss\B87CC.exe.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^BAA73.exe.exe]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\BAA73.exe.exe

backup=c:\windows\pss\BAA73.exe.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^BAF5E.exe.exe]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\BAF5E.exe.exe

backup=c:\windows\pss\BAF5E.exe.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^BAFAF.exe.exe]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\BAFAF.exe.exe

backup=c:\windows\pss\BAFAF.exe.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^BC420.exe.exe]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\BC420.exe.exe

backup=c:\windows\pss\BC420.exe.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^BC74F.exe.exe]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\BC74F.exe.exe

backup=c:\windows\pss\BC74F.exe.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^BD9E1.exe.exe]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\BD9E1.exe.exe

backup=c:\windows\pss\BD9E1.exe.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^BE02F.exe.exe]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\BE02F.exe.exe

backup=c:\windows\pss\BE02F.exe.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^BF02B.exe.exe]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\BF02B.exe.exe

backup=c:\windows\pss\BF02B.exe.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^C0546.exe.exe]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\C0546.exe.exe

backup=c:\windows\pss\C0546.exe.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^C458D.exe.exe]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\C458D.exe.exe

backup=c:\windows\pss\C458D.exe.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^C6A00.exe.exe]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\C6A00.exe.exe

backup=c:\windows\pss\C6A00.exe.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^C78AF.exe.exe]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\C78AF.exe.exe

backup=c:\windows\pss\C78AF.exe.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^C9DE0.exe.exe]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\C9DE0.exe.exe

backup=c:\windows\pss\C9DE0.exe.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^CC65E.exe.exe]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\CC65E.exe.exe

backup=c:\windows\pss\CC65E.exe.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^CD056.exe.exe]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\CD056.exe.exe

backup=c:\windows\pss\CD056.exe.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^CDD39.exe.exe]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\CDD39.exe.exe

backup=c:\windows\pss\CDD39.exe.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^CF46B.exe.exe]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\CF46B.exe.exe

backup=c:\windows\pss\CF46B.exe.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^D1DD4.exe.exe]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\D1DD4.exe.exe

backup=c:\windows\pss\D1DD4.exe.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^D4007.exe.exe]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\D4007.exe.exe

backup=c:\windows\pss\D4007.exe.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^D54C5.exe.exe]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\D54C5.exe.exe

backup=c:\windows\pss\D54C5.exe.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^D6C0C.exe.exe]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\D6C0C.exe.exe

backup=c:\windows\pss\D6C0C.exe.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^D7F34.exe.exe]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\D7F34.exe.exe

backup=c:\windows\pss\D7F34.exe.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^D83AB.exe.exe]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\D83AB.exe.exe

backup=c:\windows\pss\D83AB.exe.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^D8FF3.exe.exe]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\D8FF3.exe.exe

backup=c:\windows\pss\D8FF3.exe.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^D9CFD.exe.exe]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\D9CFD.exe.exe

backup=c:\windows\pss\D9CFD.exe.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^DAE9E.exe.exe]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\DAE9E.exe.exe

backup=c:\windows\pss\DAE9E.exe.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^DCA4D.exe.exe]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\DCA4D.exe.exe

backup=c:\windows\pss\DCA4D.exe.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^DEE90.exe.exe]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\DEE90.exe.exe

backup=c:\windows\pss\DEE90.exe.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^E27E3.exe.exe]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\E27E3.exe.exe

backup=c:\windows\pss\E27E3.exe.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^E5646.exe.exe]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\E5646.exe.exe

backup=c:\windows\pss\E5646.exe.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^E571A.exe.exe]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\E571A.exe.exe

backup=c:\windows\pss\E571A.exe.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^E7AE9.exe.exe]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\E7AE9.exe.exe

backup=c:\windows\pss\E7AE9.exe.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^E8AF8.exe.exe]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\E8AF8.exe.exe

backup=c:\windows\pss\E8AF8.exe.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^E956F.exe.exe]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\E956F.exe.exe

backup=c:\windows\pss\E956F.exe.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^eFax 4.4.lnk]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\eFax 4.4.lnk

backup=c:\windows\pss\eFax 4.4.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^F03E6.exe.exe]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\F03E6.exe.exe

backup=c:\windows\pss\F03E6.exe.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^F07CB.exe.exe]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\F07CB.exe.exe

backup=c:\windows\pss\F07CB.exe.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^F1EAA.exe.exe]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\F1EAA.exe.exe

backup=c:\windows\pss\F1EAA.exe.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^F2572.exe.exe]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\F2572.exe.exe

backup=c:\windows\pss\F2572.exe.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^F30B4.exe.exe]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\F30B4.exe.exe

backup=c:\windows\pss\F30B4.exe.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^F6C79.exe.exe]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\F6C79.exe.exe

backup=c:\windows\pss\F6C79.exe.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^F822D.exe.exe]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\F822D.exe.exe

backup=c:\windows\pss\F822D.exe.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^F989D.exe.exe]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\F989D.exe.exe

backup=c:\windows\pss\F989D.exe.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^FB406.exe.exe]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\FB406.exe.exe

backup=c:\windows\pss\FB406.exe.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^FEAC6.exe.exe]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\FEAC6.exe.exe

backup=c:\windows\pss\FEAC6.exe.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^FileMaker Pro.lnk]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\FileMaker Pro.lnk

backup=c:\windows\pss\FileMaker Pro.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^iTunes.lnk]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\iTunes.lnk

backup=c:\windows\pss\iTunes.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^mel.bat062600 PM.bat]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\mel.bat062600 PM.bat

backup=c:\windows\pss\mel.bat062600 PM.batStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^mel.bat064708 PM.bat]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\mel.bat064708 PM.bat

backup=c:\windows\pss\mel.bat064708 PM.batStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^mel.bat070708 PM.bat]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\mel.bat070708 PM.bat

backup=c:\windows\pss\mel.bat070708 PM.batStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^mel.bat072509 PM.bat]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\mel.bat072509 PM.bat

backup=c:\windows\pss\mel.bat072509 PM.batStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^mel.bat091103 PM.bat]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\mel.bat091103 PM.bat

backup=c:\windows\pss\mel.bat091103 PM.batStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^mel.bat091105 PM.bat]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\mel.bat091105 PM.bat

backup=c:\windows\pss\mel.bat091105 PM.batStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^mel.bat091107 PM.bat]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\mel.bat091107 PM.bat

backup=c:\windows\pss\mel.bat091107 PM.batStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^mel.bat091108 PM.bat]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\mel.bat091108 PM.bat

backup=c:\windows\pss\mel.bat091108 PM.batStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^mel.bat100720 PM.bat]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\mel.bat100720 PM.bat

backup=c:\windows\pss\mel.bat100720 PM.batStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^mel.bat102045 PM.bat]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\mel.bat102045 PM.bat

backup=c:\windows\pss\mel.bat102045 PM.batStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^mel.bat102057 PM.bat]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\mel.bat102057 PM.bat

backup=c:\windows\pss\mel.bat102057 PM.batStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^mel.bat102059 PM.bat]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\mel.bat102059 PM.bat

backup=c:\windows\pss\mel.bat102059 PM.batStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^mel.bat102100 PM.bat]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\mel.bat102100 PM.bat

backup=c:\windows\pss\mel.bat102100 PM.batStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^mel.bat102109 PM.bat]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\mel.bat102109 PM.bat

backup=c:\windows\pss\mel.bat102109 PM.batStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^mel.bat162719 PM.bat]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\mel.bat162719 PM.bat

backup=c:\windows\pss\mel.bat162719 PM.batStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^mel.bat172518 PM.bat]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\mel.bat172518 PM.bat

backup=c:\windows\pss\mel.bat172518 PM.batStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^mel.bat174811 PM.bat]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\mel.bat174811 PM.bat

backup=c:\windows\pss\mel.bat174811 PM.batStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^mel.bat175918 AM.bat]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\mel.bat175918 AM.bat

backup=c:\windows\pss\mel.bat175918 AM.batStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^mel.bat175919 AM.bat]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\mel.bat175919 AM.bat

backup=c:\windows\pss\mel.bat175919 AM.batStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^mel.bat191017 PM.bat]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\mel.bat191017 PM.bat

backup=c:\windows\pss\mel.bat191017 PM.batStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^mel.bat191112 PM.bat]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\mel.bat191112 PM.bat

backup=c:\windows\pss\mel.bat191112 PM.batStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^mel.bat191119 PM.bat]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\mel.bat191119 PM.bat

backup=c:\windows\pss\mel.bat191119 PM.batStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^mel.bat261324 PM.bat]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\mel.bat261324 PM.bat

backup=c:\windows\pss\mel.bat261324 PM.batStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^mel.bat264726 PM.bat]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\mel.bat264726 PM.bat

backup=c:\windows\pss\mel.bat264726 PM.batStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^mel.bat264729 PM.bat]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\mel.bat264729 PM.bat

backup=c:\windows\pss\mel.bat264729 PM.batStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^mel.bat285220 PM.bat]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\mel.bat285220 PM.bat

backup=c:\windows\pss\mel.bat285220 PM.batStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^mel.bat291120 PM.bat]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\mel.bat291120 PM.bat

backup=c:\windows\pss\mel.bat291120 PM.batStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^mel.bat291122 PM.bat]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\mel.bat291122 PM.bat

backup=c:\windows\pss\mel.bat291122 PM.batStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^mel.bat291125 PM.bat]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\mel.bat291125 PM.bat

backup=c:\windows\pss\mel.bat291125 PM.batStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^mel.bat362633 PM.bat]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\mel.bat362633 PM.bat

backup=c:\windows\pss\mel.bat362633 PM.batStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^mel.bat362733 PM.bat]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\mel.bat362733 PM.bat

backup=c:\windows\pss\mel.bat362733 PM.batStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^mel.bat372535 PM.bat]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\mel.bat372535 PM.bat

backup=c:\windows\pss\mel.bat372535 PM.batStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^mel.bat373738 PM.bat]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\mel.bat373738 PM.bat

backup=c:\windows\pss\mel.bat373738 PM.batStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^mel.bat373739 PM.bat]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\mel.bat373739 PM.bat

backup=c:\windows\pss\mel.bat373739 PM.batStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^mel.bat380139 PM.bat]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\mel.bat380139 PM.bat

backup=c:\windows\pss\mel.bat380139 PM.batStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^mel.bat385231 PM.bat]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\mel.bat385231 PM.bat

backup=c:\windows\pss\mel.bat385231 PM.batStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^mel.bat393838 PM.bat]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\mel.bat393838 PM.bat

backup=c:\windows\pss\mel.bat393838 PM.batStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^mel.bat462541 PM.bat]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\mel.bat462541 PM.bat

backup=c:\windows\pss\mel.bat462541 PM.batStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^mel.bat475849 AM.bat]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\mel.bat475849 AM.bat

backup=c:\windows\pss\mel.bat475849 AM.batStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^mel.bat481742 PM.bat]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\mel.bat481742 PM.bat

backup=c:\windows\pss\mel.bat481742 PM.batStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^mel.bat491047 PM.bat]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\mel.bat491047 PM.bat

backup=c:\windows\pss\mel.bat491047 PM.batStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^mel.bat562559 PM.bat]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\mel.bat562559 PM.bat

backup=c:\windows\pss\mel.bat562559 PM.batStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^mel.bat572454 PM.bat]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\mel.bat572454 PM.bat

backup=c:\windows\pss\mel.bat572454 PM.batStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^mel.bat581756 PM.bat]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\mel.bat581756 PM.bat

backup=c:\windows\pss\mel.bat581756 PM.batStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^mel.bat583853 PM.bat]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\mel.bat583853 PM.bat

backup=c:\windows\pss\mel.bat583853 PM.batStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^mel.bat591057 PM.bat]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\mel.bat591057 PM.bat

backup=c:\windows\pss\mel.bat591057 PM.batStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^mel.bat591058 PM.bat]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\mel.bat591058 PM.bat

backup=c:\windows\pss\mel.bat591058 PM.batStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^Shortcut to 1 AIT A List of items mach4.lnk]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\Shortcut to 1 AIT A List of items mach4.lnk

backup=c:\windows\pss\Shortcut to 1 AIT A List of items mach4.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^Shortcut to EOM.lnk]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\Shortcut to EOM.lnk

backup=c:\windows\pss\Shortcut to EOM.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^Shortcut to Eric AIT.lnk]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\Shortcut to Eric AIT.lnk

backup=c:\windows\pss\Shortcut to Eric AIT.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^Shortcut to Eric Templates.lnk]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\Shortcut to Eric Templates.lnk

backup=c:\windows\pss\Shortcut to Eric Templates.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^Shortcut to ESTIMATE.lnk]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\Shortcut to ESTIMATE.lnk

backup=c:\windows\pss\Shortcut to ESTIMATE.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^Shortcut to lcl_world.lnk]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\Shortcut to lcl_world.lnk

backup=c:\windows\pss\Shortcut to lcl_world.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^Shortcut to North America.lnk]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\Shortcut to North America.lnk

backup=c:\windows\pss\Shortcut to North America.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^Shortcut to OUTLOOK.lnk]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\Shortcut to OUTLOOK.lnk

backup=c:\windows\pss\Shortcut to OUTLOOK.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric Rave^Start Menu^Programs^Startup^Shortcut to US Rates.lnk]

path=c:\documents and settings\Eric Rave\Start Menu\Programs\Startup\Shortcut to US Rates.lnk

backup=c:\windows\pss\Shortcut to US Rates.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

c:\program files\quicktime\qttask .exe -atboottime [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]

2009-09-04 16:08 935288 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

2009-10-03 08:08 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe_Reader]

c:\program files\internet explorer\wmpscfgs.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]

2007-07-17 01:48 69632 ----a-w- c:\windows\ALCMTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG9_TRAY]

c:\progra~1\AVG\AVG9\avgtray.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVP]

c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BtTray]

2008-08-04 22:04 226816 ----a-w- c:\program files\IVT Corporation\BlueSoleil\bttray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]

2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Digital Protection]

c:\program files\Digital Protection\digprot.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dscactivate]

2007-11-15 14:24 16384 ----a-w- c:\program files\Dell Support Center\gs_agent\custom\dsca.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eFax 4.4]

2008-10-07 20:25 95744 ----a-w- c:\program files\eFax Messenger 4.4\j2gdllcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]

2010-05-06 02:35 136176 ----atw- c:\documents and settings\Eric Rave\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hsf87efjhdsf87f3jfsdi7fhsujfd]

c:\docume~1\ERICRA~1\LOCALS~1\Temp\install.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hsf87sdhfush87fsufhuie3fddf]

c:\docume~1\ericra~1\locals~1\temp\bh7hi .exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]

2007-07-17 01:45 142104 ----a-w- c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]

2006-10-03 16:35 221184 ----a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]

2005-02-16 20:15 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

2010-02-15 22:07 141608 ----a-w- c:\program files\iTunes\ituneshelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Kernel and Hardware Abstraction Layer]

2009-06-17 16:55 55824 ----a-w- c:\windows\KHALMNPR.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lagerejige]

sohagale.dll [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Vid]

2009-07-16 20:35 5458704 ----a-w- c:\program files\Logitech\Logitech Vid\vid.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]

2009-10-14 18:36 2793304 ----a-w- c:\program files\Logitech\Logitech WebCam Software\lws.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MaBtSh]

2006-02-08 22:29 24576 ----a-w- c:\program files\Mobile Action\Bluetooth Manager\mabtsh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]

f:\malwarebytes' anti-malware\mbam .exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mcexecwin]

c:\docume~1\ERICRA~1\LOCALS~1\Temp\y9cq84h.dll [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OE_OEM]

c:\program files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE4]

2007-02-04 16:02 79400 ----a-w- c:\program files\ScanSoft\OmniPageSE4\opwarese4.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]

c:\windows\system32\igfxpers.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QZAIB7KITK]

c:\docume~1\ERICRA~1\LOCALS~1\Temp\Rh1.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]

2007-07-17 01:48 16132608 ----a-w- c:\windows\RTHDCPL.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]

2008-11-07 19:31 21633320 ----a-r- c:\program files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]

2006-10-25 13:03 210472 ----a-w- c:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\ssbkgdupdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

2010-01-11 20:21 246504 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]

2010-05-11 11:31 2017280 ----a-w- c:\program files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sysmon64x.exe]

c:\docume~1\ERICRA~1\LOCALS~1\TEMP\SYSMON64X.EXE [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

2010-01-24 18:25 198160 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YVIBBBHA8C]

c:\docume~1\ericra~1\locals~1\temp\rgz .exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"Apple Mobile Device"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]

"HotKeysCmds"=c:\windows\system32\hkcmd.exe

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\WINDOWS\\system32\\sessmgr.exe"=

"c:\\Program Files\\FileMaker\\FileMaker Pro 8.5\\FileMaker Pro.exe"=

"c:\\kav\\kav7\\setup.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

"c:\\Program Files\\Palm\\Hotsync.exe"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Documents and Settings\\Eric Rave\\Desktop\\utorrent.exe"=

"c:\\WINDOWS\\system32\\spoolsv.exe"=

"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

R0 BtHidBus;Bluetooth HID Bus Service;c:\windows\system32\drivers\BtHidBus.sys [9/24/2009 6:40 AM 20616]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [4/27/2010 5:30 PM 68168]

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [5/11/2010 10:21 PM 203280]

R3 Ma730Pt;MA730 Bluetooth VCOM Driver;c:\windows\system32\drivers\ma730Pt.sys [2/5/2010 4:20 PM 103680]

S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]

S3 btnetBUs;Bluetooth PAN Bus Service;c:\windows\system32\drivers\btnetBus.sys [9/24/2009 2:38 PM 22528]

S3 IvtBtBUs;IVT Bluetooth Bus Service;c:\windows\system32\drivers\IvtBtBus.sys [6/17/2009 3:01 PM 26248]

S3 Ma730c;MA730 Bluetooth Core Driver;c:\windows\system32\drivers\ma730c.sys [2/5/2010 4:20 PM 157024]

S3 Ma730Vad;MA730 Bluetooth Audio;c:\windows\system32\drivers\Ma730Vad.sys [2/5/2010 4:20 PM 50522]

.

Contents of the 'Scheduled Tasks' folder

2010-05-12 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2010-05-26 c:\windows\Tasks\Google Software Updater.job

- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2010-05-11 20:39]

2010-05-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2475377152-2739459925-2995650207-1008Core.job

- c:\documents and settings\Eric Rave\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-05-06 02:35]

2010-05-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2475377152-2739459925-2995650207-1008UA.job

- c:\documents and settings\Eric Rave\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-05-06 02:35]

2010-05-12 c:\windows\Tasks\McDefragTask.job

- c:\progra~1\mcafee\mqc\QcConsol.exe [2010-05-12 16:22]

2010-05-12 c:\windows\Tasks\McQcTask.job

- c:\progra~1\mcafee\mqc\QcConsol.exe [2010-05-12 16:22]

2010-05-18 c:\windows\Tasks\MP Scheduled Scan.job

- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 23:20]

2010-05-26 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-2475377152-2739459925-2995650207-1008.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]

2010-05-12 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2475377152-2739459925-2995650207-1008.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]

.

.

------- Supplementary Scan -------

.

uStart Page = www.google.com

uInternet Connection Wizard,ShellNext = iexplore

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000

FF - ProfilePath - c:\documents and settings\Eric Rave\Application Data\Mozilla\Firefox\Profiles\n49n6fgu.default\

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - www.google.com

FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&type=937811&p=

FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll

FF - component: c:\program files\Mozilla Firefox\extensions\{0dfbb232-045d-508f-4d7c-3c9446cfe71f}\components\372c24cf.dll

FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll

FF - plugin: c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll

FF - plugin: c:\documents and settings\Eric Rave\Local Settings\Application Data\Google\Update\1.2.183.23\npGoogleOneClick8.dll

FF - plugin: c:\progra~1\Palm\PACKAG~1\NPInstal.dll

FF - plugin: c:\program files\Google\Google Updater\2.4.1908.5032\npCIDetect14.dll

FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll

FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pr

ef", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-05-25 23:53

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully

user: MBR read successfully

called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8654DAC8]<<

kernel: MBR read successfully

detected MBR rootkit hooks:

\Driver\Disk -> CLASSPNP.SYS @ 0xf7677f28

\Driver\ACPI -> ACPI.sys @ 0xf750acb8

\Driver\atapi -> atapi.sys @ 0xf74c2852

\Driver\iaStor -> iaStor.sys @ 0xf742f918

IoDeviceObjectType -> ParseProcedure -> ntkrnlpa.exe @ 0x805827e8

\Device\Harddisk0\DR0 -> ParseProcedure -> ntkrnlpa.exe @ 0x805827e8

NDIS: Bluetooth Device (Personal Area Network) -> SendCompleteHandler -> NDIS.sys @ 0xf7307bb0

PacketIndicateHandler -> NDIS.sys @ 0xf72f6a0d

SendHandler -> NDIS.sys @ 0xf730ab40

user & kernel MBR OK

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]

@Denied: (2) (LocalSystem)

"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,31,f9,f6,f1,82,db,01,4f,a6,58,92,\

"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,31,f9,f6,f1,82,db,01,4f,a6,58,92,\

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]

@DACL=(02 0000)

"Installed"="1"

@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]

@DACL=(02 0000)

"NoChange"="1"

"Installed"="1"

@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]

@DACL=(02 0000)

"Installed"="1"

@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dimsntfy]

@DACL=(02 0000)

"Asynchronous"=dword:00000001

"DllName"=expand:"%SystemRoot%\\System32\\dimsntfy.dll"

"Startup"="WlDimsStartup"

"Shutdown"="WlDimsShutdown"

"Logon"="WlDimsLogon"

"Logoff"="WlDimsLogoff"

"StartShell"="WlDimsStartShell"

"Lock"="WlDimsLock"

"Unlock"="WlDimsUnlock"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]

@DACL=(02 0000)

@=""

"DLLName"="igfxdev.dll"

"Asynchronous"=dword:00000001

"Impersonate"=dword:00000001

"Unlock"="WinlogonUnlockEvent"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\LBTWlgn]

@DACL=(02 0000)

"DLLName"="c:\\program files\\common files\\logitech\\bluetooth\\LBTWlgn.dll"

"Asynchronous"=dword:00000000

"Startup"="OnStartup"

"Logon"="OnLogon"

"StartShell"="OnStartShell"

"Logoff"="OnLogoff"

"Shutdown"="OnShutdown"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(816)

c:\windows\system32\WININET.dll

c:\program files\SUPERAntiSpyware\SASWINLO.dll

c:\program files\common files\logitech\bluetooth\LBTWlgn.dll

c:\program files\common files\logitech\bluetooth\LBTServ.dll

- - - - - - - > 'lsass.exe'(876)

c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(3244)

c:\windows\system32\WININET.dll

c:\windows\TEMP\logishrd\LVPrcInj01.dll

c:\program files\McAfee\SiteAdvisor\saHook.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe

c:\progra~1\McAfee\MSC\mcmscsvc.exe

c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe

c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

c:\progra~1\McAfee\VIRUSS~1\mcshield.exe

c:\program files\McAfee\MPF\MPFSrv.exe

c:\program files\McAfee\MSK\MskSrver.exe

c:\program files\CDBurnerXP\NMSAccessU.exe

c:\windows\system32\wdfmgr.exe

c:\progra~1\mcafee.com\agent\mcagent.exe

c:\windows\system32\SearchIndexer.exe

c:\windows\system32\rundll32.exe

c:\progra~1\McAfee\VIRUSS~1\mcsysmon.exe

.

**************************************************************************

.

Completion time: 2010-05-26 00:09:23 - machine was rebooted

ComboFix-quarantined-files.txt 2010-05-26 04:09

ComboFix2.txt 2010-05-25 22:23

ComboFix3.txt 2010-05-10 22:57

ComboFix4.txt 2010-05-10 18:00

Pre-Run: 123,804,069,888 bytes free

Post-Run: 123,759,448,064 bytes free

- - End Of File - - 13EA908C0D57479CD7216B05FAE22895

[Elise]

Please run the following as a CFScript and post me the resulting log:

RenV::
c:\program files\Common Files\Adobe\ARM\1.0\adobearm .exe
c:\program files\McAfee.com\Agent\mcagent .exe

OTL

-----

1. Please download OTL from one of the following mirrors:
   • This is THE Mirror
     

[*]Save it to your desktop.

[*]Double click on the icon on your desktop.

[*]Copy and Paste the following code into the textbox. Do not include the word "Code"

/md5start
rdpcdd.sys
/md5stop

[*]Push

[*]A report will open. Copy and Paste that report in your next reply.

[yos77]

CFScript log attached:

CFScript_5_26_10.txt

[yos77]

OTL Log report atached:

Thanx!!

[yos77]

Sorry about that

OTL Log report atached:

Thanx!! rolleyes.gif

OTL_5_26_10.Txt

[Elise]

No problem

We need to replace an infected file using the Recovery Console.

1. Restart your computer
   
2. Before Windows loads, you will be prompted to choose which Operating System to start
   
3. Use the up and down arrow key to select Microsoft Windows Recovery Console
   
4. You must enter which Windows installation to log onto. Type 1 and press enter.
   
5. At the C:\Windows prompt, type the following bolded text, and press Enter after each line:
   cd system32\drivers
   ren RDPCDD.sys rdpcdd.vir
   copy C:\WINDOWS\system32\dllcache\rdpcdd.sys rdpcdd.sys
   
   
6. The command should then show 1 file(s) copied. At the next prompt type the following bolded text, and press Enter:
   
7. At the next prompt type the following bolded text, and press Enter:
   exit
   

Windows will now begin loading.

When succesfully done, run the following CFScript:

RenV::
c:\program files\Common Files\Adobe\ARM\1.0\adobearm .exe

[yos77]

No problem

We need to replace an infected file using the Recovery Console.

When succesfully done, run the following CFScript:

RenV::
c:\program files\Common Files\Adobe\ARM\1.0\adobearm .exe

results attached

Thanks again

Log_5_26_10_200pm.txt

[Elise]

Hello again,

The good news is that the rootkit is gone, well done

The bad news is that the last vundo infected file is a stubborn one. Can you please completely uninstall your Adobe Reader and reinstall it (the infected file is an Adobe file, you can download the latest Adobe reader from their website).

Please let me know how things are running now; what problems do you still have left?

MALWAREBYTES ANTIMALWARE

-------------------------------------------

Please launch MBAM and update the program before performing a scan.

• If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  
• If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
  

On the Scanner tab:

• Make sure the "Perform Full Scan" option is selected.
  
• Then click on the Scan button.
  
• If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  
• The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  
• When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  
• Click OK to close the message box and continue with the removal process.
  

Back at the main Scanner screen:

• Click on the Show Results button to see a list of any malware that was found.
  
• Make sure that everything is checked, and click Remove Selected.
  
• When removal is completed, a log report will open in Notepad.
  
• The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  
• Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  
• Exit MBAM when done.
  

Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

[yos77]

Hello again,

The good news is that the rootkit is gone, well done

The bad news is that the last vundo infected file is a stubborn one. Can you please completely uninstall your Adobe Reader and reinstall it (the infected file is an Adobe file, you can download the latest Adobe reader from their website).

Please let me know how things are running now; what problems do you still have left?

error while trying to uninstall see atached

Then says "fatal error..."

Thanx!

Adobe_Error.bmp

[Elise]

Please run the following as a CFScript and then try again.

RegLock::
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[yos77]

Please run the following as a CFScript and then try again.

RegLock::
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

Log attached.

this warning pop up from McAfee:

McAfee has detected a potentially unauthorized registry change to your computer.

About this Registry Change

SystemGuards: Internet Explorer Restrictions

Program: Registry Editor

Location: C:\WINDOWS\regedit.exe

Spyware, adware, and other potentially unwanted programs can make registry changes to Internet Explorer Restrictions, affecting browser settings and options.

Should I allow it?

also the small interactive advertisements are still popping up.

combifix_log_5_26_10_530pm.txt

[yos77]

Log attached.

this warning pop up from McAfee:

McAfee has detected a potentially unauthorized registry change to your computer.

About this Registry Change

SystemGuards: Internet Explorer Restrictions

Program: Registry Editor

Location: C:\WINDOWS\regedit.exe

Spyware, adware, and other potentially unwanted programs can make registry changes to Internet Explorer Restrictions, affecting browser settings and options.

Should I allow it?

also the small interactive advertisements are still popping up.

I tried running the combi fix again after successfully removing adobe (thank you ), gives me error see attached.

also attached is the notebook file i used.

Thank you

Combifix_error_5_26_10.bmp

combofix_5_26_10_700pm.txt