I was recently the victim of the Google Redirect Virus which was being caused by the SKYNET virus. I'm not sure how I was infected as I've always kept my virus scanner (Avira AntiVir) up to date along with SpywareBlaster and Spybot S & D and performed scans regularly. I followed your guide for removing the redirect virus and ComboFix was successfully able to remove the infected files and I no longer have any redirects. I also downloaded and installed Malwarebytes' Anti-Malware, SUPERAntiSpyware and SpywareGuard as instructed from this site. I want to make sure my computer is free of any viruses/trojans/etc., so I have been doing multiple scans (in safe mode and in normal mode) with these programs looking for anything left over. SUPERAntiSpyware removed a few files, as did Malwarebytes'. That was about a week ago and I haven't found anything since.
When I run separate scans in both safe and normal mode there is nothing found. However, when I run Malwarebytes along with an Avira scan simultaneously, Avira picks up a couple of files it believes to be trojans. It seems to be finding something in C:\System Volume Information\_restore. The files it has found are A0155005.pif, A0153417.EXE and A0152802.dll (this last one keeps popping up). There is no problem removing these files. I'm not sure if it is because I have Spybot's TeaTimer running along with SpywareGuard, or if my System Restore Point is bad. I would like to know if my PC is clean so I can resume regular activities. I've posted my logs below. Thank you for your help.
Malwarebytes' Anti-Malware 1.38
Database version: 2343
Windows 5.1.2600 Service Pack 3
7/21/2009 11:46:06 AM
mbam-log-2009-07-21 (11-46-06).txt
Scan type: Quick Scan
Objects scanned: 88985
Time elapsed: 4 minute(s), 22 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/07/21 11:48
Program Version: Version 1.3.2.0
Windows Version: Windows XP SP3
==================================================
Drivers
-------------------
Name: a2u41c0j.SYS
Image Path: C:\WINDOWS\System32\Drivers\a2u41c0j.SYS
Address: 0xB8E62000 Size: 413696 File Visible: - Signed: -
Status: -
Name: ACPI.sys
Image Path: ACPI.sys
Address: 0xBA664000 Size: 187776 File Visible: - Signed: -
Status: -
Name: ACPI_HAL
Image Path: \Driver\ACPI_HAL
Address: 0x804D7000 Size: 2150400 File Visible: - Signed: -
Status: -
Name: afd.sys
Image Path: C:\WINDOWS\System32\drivers\afd.sys
Address: 0xA833A000 Size: 138496 File Visible: - Signed: -
Status: -
Name: ASACPI.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ASACPI.sys
Address: 0xBAE04000 Size: 5152 File Visible: - Signed: -
Status: -
Name: atapi.sys
Image Path: atapi.sys
Address: 0xBA5F6000 Size: 98304 File Visible: - Signed: -
Status: -
Name: atapi.sys
Image Path: atapi.sys
Address: 0x00000000 Size: 0 File Visible: - Signed: -
Status: -
Name: ATMFD.DLL
Image Path: C:\WINDOWS\System32\ATMFD.DLL
Address: 0xBFFA9000 Size: 286720 File Visible: - Signed: -
Status: -
Name: audstub.sys
Image Path: C:\WINDOWS\system32\DRIVERS\audstub.sys
Address: 0xBAF90000 Size: 3072 File Visible: - Signed: -
Status: -
Name: avgio.sys
Image Path: C:\Program Files\Avira\AntiVir Desktop\avgio.sys
Address: 0xBADC2000 Size: 6144 File Visible: - Signed: -
Status: -
Name: avgntflt.sys
Image Path: C:\WINDOWS\system32\DRIVERS\avgntflt.sys
Address: 0xA7B8A000 Size: 81920 File Visible: - Signed: -
Status: -
Name: avipbb.sys
Image Path: C:\WINDOWS\system32\DRIVERS\avipbb.sys
Address: 0xA825E000 Size: 114688 File Visible: - Signed: -
Status: -
Name: Beep.SYS
Image Path: C:\WINDOWS\System32\Drivers\Beep.SYS
Address: 0xBADB8000 Size: 4224 File Visible: - Signed: -
Status: -
Name: BOOTVID.dll
Image Path: C:\WINDOWS\system32\BOOTVID.dll
Address: 0xBACB8000 Size: 12288 File Visible: - Signed: -
Status: -
Name: Cdfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Cdfs.SYS
Address: 0xA8939000 Size: 63744 File Visible: - Signed: -
Status: -
Name: cdrom.sys
Image Path: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Address: 0xBAB08000 Size: 62976 File Visible: - Signed: -
Status: -
Name: CLASSPNP.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS
Address: 0xBA8E8000 Size: 53248 File Visible: - Signed: -
Status: -
Name: disk.sys
Image Path: disk.sys
Address: 0xBA8D8000 Size: 36352 File Visible: - Signed: -
Status: -
Name: dmio.sys
Image Path: dmio.sys
Address: 0xBA60E000 Size: 153344 File Visible: - Signed: -
Status: -
Name: dmload.sys
Image Path: dmload.sys
Address: 0xBADAC000 Size: 5888 File Visible: - Signed: -
Status: -
Name: drmk.sys
Image Path: C:\WINDOWS\system32\drivers\drmk.sys
Address: 0xBAAE8000 Size: 61440 File Visible: - Signed: -
Status: -
Name: dump_nvatabus.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_nvatabus.sys
Address: 0xA8221000 Size: 102400 File Visible: No Signed: -
Status: -
Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xBADD2000 Size: 8192 File Visible: No Signed: -
Status: -
Name: Dxapi.sys
Image Path: C:\WINDOWS\System32\drivers\Dxapi.sys
Address: 0xA87F5000 Size: 12288 File Visible: - Signed: -
Status: -
Name: dxg.sys
Image Path: C:\WINDOWS\System32\drivers\dxg.sys
Address: 0xBF9C3000 Size: 73728 File Visible: - Signed: -
Status: -
Name: dxgthk.sys
Image Path: C:\WINDOWS\System32\drivers\dxgthk.sys
Address: 0xB0294000 Size: 4096 File Visible: - Signed: -
Status: -
Name: e1000325.sys
Image Path: C:\WINDOWS\system32\DRIVERS\e1000325.sys
Address: 0xB8EC7000 Size: 176128 File Visible: - Signed: -
Status: -
Name: Fastfat.SYS
Image Path: C:\WINDOWS\System32\Drivers\Fastfat.SYS
Address: 0xA823A000 Size: 143744 File Visible: - Signed: -
Status: -
Name: fdc.sys
Image Path: C:\WINDOWS\system32\DRIVERS\fdc.sys
Address: 0xBAC08000 Size: 27392 File Visible: - Signed: -
Status: -
Name: Fips.SYS
Image Path: C:\WINDOWS\System32\Drivers\Fips.SYS
Address: 0xA9005000 Size: 44544 File Visible: - Signed: -
Status: -
Name: flpydisk.sys
Image Path: C:\WINDOWS\system32\DRIVERS\flpydisk.sys
Address: 0xB108D000 Size: 20480 File Visible: - Signed: -
Status: -
Name: fltmgr.sys
Image Path: fltmgr.sys
Address: 0xBA5A6000 Size: 129792 File Visible: - Signed: -
Status: -
Name: Fs_Rec.SYS
Image Path: C:\WINDOWS\System32\Drivers\Fs_Rec.SYS
Address: 0xBADB6000 Size: 7936 File Visible: - Signed: -
Status: -
Name: ftdisk.sys
Image Path: ftdisk.sys
Address: 0xBA634000 Size: 125056 File Visible: - Signed: -
Status: -
Name: gameenum.sys
Image Path: C:\WINDOWS\system32\DRIVERS\gameenum.sys
Address: 0xBAD54000 Size: 10624 File Visible: - Signed: -
Status: -
Name: hal.dll
Image Path: C:\WINDOWS\system32\hal.dll
Address: 0x806E4000 Size: 134400 File Visible: - Signed: -
Status: -
Name: hcmon.sys
Image Path: C:\WINDOWS\system32\drivers\hcmon.sys
Address: 0xA88F9000 Size: 40960 File Visible: - Signed: -
Status: -
Name: HIDCLASS.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS
Address: 0xA8929000 Size: 36864 File Visible: - Signed: -
Status: -
Name: HIDPARSE.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS
Address: 0xB6035000 Size: 28672 File Visible: - Signed: -
Status: -
Name: hidusb.sys
Image Path: C:\WINDOWS\system32\DRIVERS\hidusb.sys
Address: 0xA92CA000 Size: 10368 File Visible: - Signed: -
Status: -
Name: HTTP.sys
Image Path: C:\WINDOWS\System32\Drivers\HTTP.sys
Address: 0xA734F000 Size: 264832 File Visible: - Signed: -
Status: -
Name: imapi.sys
Image Path: C:\WINDOWS\system32\DRIVERS\imapi.sys
Address: 0xBAAF8000 Size: 42112 File Visible: - Signed: -
Status: -
Name: intelppm.sys
Image Path: C:\WINDOWS\system32\DRIVERS\intelppm.sys
Address: 0xBAAC8000 Size: 36352 File Visible: - Signed: -
Status: -
Name: ipnat.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ipnat.sys
Address: 0xA835C000 Size: 152832 File Visible: - Signed: -
Status: -
Name: ipsec.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ipsec.sys
Address: 0xA8403000 Size: 75264 File Visible: - Signed: -
Status: -
Name: isapnp.sys
Image Path: isapnp.sys
Address: 0xBA8A8000 Size: 37248 File Visible: - Signed: -
Status: -
Name: kbdclass.sys
Image Path: C:\WINDOWS\system32\DRIVERS\kbdclass.sys
Address: 0xBAB88000 Size: 24576 File Visible: - Signed: -
Status: -
Name: kbdhid.sys
Image Path: C:\WINDOWS\system32\DRIVERS\kbdhid.sys
Address: 0xA92BA000 Size: 14592 File Visible: - Signed: -
Status: -
Name: KDCOM.DLL
Image Path: C:\WINDOWS\system32\KDCOM.DLL
Address: 0xBADA8000 Size: 8192 File Visible: - Signed: -
Status: -
Name: kmixer.sys
Image Path: C:\WINDOWS\system32\drivers\kmixer.sys
Address: 0xA70F4000 Size: 172416 File Visible: - Signed: -
Status: -
Name: ks.sys
Image Path: C:\WINDOWS\system32\drivers\ks.sys
Address: 0xB8F16000 Size: 143360 File Visible: - Signed: -
Status: -
Name: KSecDD.sys
Image Path: KSecDD.sys
Address: 0xBA57D000 Size: 92288 File Visible: - Signed: -
Status: -
Name: mbamswissarmy.sys
Image Path: C:\WINDOWS\system32\drivers\mbamswissarmy.sys
Address: 0xBAC70000 Size: 32768 File Visible: - Signed: -
Status: -
Name: mnmdd.SYS
Image Path: C:\WINDOWS\System32\Drivers\mnmdd.SYS
Address: 0xBADBA000 Size: 4224 File Visible: - Signed: -
Status: -
Name: mouclass.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mouclass.sys
Address: 0xBAB90000 Size: 23040 File Visible: - Signed: -
Status: -
Name: mouhid.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mouhid.sys
Address: 0xA92C2000 Size: 12160 File Visible: - Signed: -
Status: -
Name: MountMgr.sys
Image Path: MountMgr.sys
Address: 0xBA8B8000 Size: 42368 File Visible: - Signed: -
Status: -
Name: mrxdav.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mrxdav.sys
Address: 0xA7ABD000 Size: 180608 File Visible: - Signed: -
Status: -
Name: mrxsmb.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
Address: 0xA827A000 Size: 455296 File Visible: - Signed: -
Status: -
Name: Msfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Msfs.SYS
Address: 0xB107D000 Size: 19072 File Visible: - Signed: -
Status: -
Name: msgpc.sys
Image Path: C:\WINDOWS\system32\DRIVERS\msgpc.sys
Address: 0xBA9D8000 Size: 35072 File Visible: - Signed: -
Status: -
Name: msmpu401.sys
Image Path: C:\WINDOWS\system32\drivers\msmpu401.sys
Address: 0xBAF53000 Size: 2944 File Visible: - Signed: -
Status: -
Name: mssmbios.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mssmbios.sys
Address: 0xBAD94000 Size: 15488 File Visible: - Signed: -
Status: -
Name: Mup.sys
Image Path: Mup.sys
Address: 0xBA4A9000 Size: 105344 File Visible: - Signed: -
Status: -
Name: NDIS.sys
Image Path: NDIS.sys
Address: 0xBA4C3000 Size: 182656 File Visible: - Signed: -
Status: -
Name: ndistapi.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ndistapi.sys
Address: 0xBAD78000 Size: 10112 File Visible: - Signed: -
Status: -
Name: ndisuio.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ndisuio.sys
Address: 0xA87F1000 Size: 14592 File Visible: - Signed: -
Status: -
Name: ndiswan.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ndiswan.sys
Address: 0xB86AA000 Size: 91520 File Visible: - Signed: -
Status: -
Name: NDProxy.SYS
Image Path: C:\WINDOWS\System32\Drivers\NDProxy.SYS
Address: 0xB0FAA000 Size: 40576 File Visible: - Signed: -
Status: -
Name: netbios.sys
Image Path: C:\WINDOWS\system32\DRIVERS\netbios.sys
Address: 0xA962C000 Size: 34688 File Visible: - Signed: -
Status: -
Name: netbt.sys
Image Path: C:\WINDOWS\system32\DRIVERS\netbt.sys
Address: 0xA8382000 Size: 162816 File Visible: - Signed: -
Status: -
Name: Npfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Npfs.SYS
Address: 0xB1075000 Size: 30848 File Visible: - Signed: -
Status: -
Name: Ntfs.sys
Image Path: Ntfs.sys
Address: 0xBA4F0000 Size: 574976 File Visible: - Signed: -
Status: -
Name: ntkrnlpa.exe
Image Path: C:\WINDOWS\system32\ntkrnlpa.exe
Address: 0x804D7000 Size: 2150400 File Visible: - Signed: -
Status: -
Name: Null.SYS
Image Path: C:\WINDOWS\System32\Drivers\Null.SYS
Address: 0xA92E6000 Size: 2944 File Visible: - Signed: -
Status: -
Name: nv4_disp.dll
Image Path: C:\WINDOWS\System32\nv4_disp.dll
Address: 0xBF9D5000 Size: 6111232 File Visible: - Signed: -
Status: -
Name: nv4_mini.sys
Image Path: C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
Address: 0xB8F85000 Size: 6557408 File Visible: - Signed: -
Status: -
Name: nvapu.sys
Image Path: C:\WINDOWS\system32\drivers\nvapu.sys
Address: 0xAD925000 Size: 415360 File Visible: - Signed: -
Status: -
Name: nvarm.sys
Image Path: C:\WINDOWS\system32\drivers\nvarm.sys
Address: 0xAD832000 Size: 69632 File Visible: - Signed: -
Status: -
Name: nvata.sys
Image Path: nvata.sys
Address: 0xBA5DF000 Size: 93568 File Visible: - Signed: -
Status: -
Name: nvatabus.sys
Image Path: nvatabus.sys
Address: 0xBA5C6000 Size: 102400 File Visible: - Signed: -
Status: -
Name: nvatabus.sys
Image Path: nvatabus.sys
Address: 0x00000000 Size: 0 File Visible: - Signed: -
Status: -
Name: nvax.sys
Image Path: C:\WINDOWS\system32\drivers\nvax.sys
Address: 0xBA928000 Size: 53376 File Visible: - Signed: -
Status: -
Name: nvmcp.sys
Image Path: C:\WINDOWS\system32\drivers\nvmcp.sys
Address: 0xAD843000 Size: 925696 File Visible: - Signed: -
Status: -
Name: nvoclock.sys
Image Path: C:\WINDOWS\nvoclock.sys
Address: 0xBABD8000 Size: 29696 File Visible: - Signed: -
Status: -
Name: parport.sys
Image Path: C:\WINDOWS\system32\DRIVERS\parport.sys
Address: 0xB8F5D000 Size: 80128 File Visible: - Signed: -
Status: -
Name: PartMgr.sys
Image Path: PartMgr.sys
Address: 0xBAB30000 Size: 19712 File Visible: - Signed: -
Status: -
Name: ParVdm.SYS
Image Path: C:\WINDOWS\System32\Drivers\ParVdm.SYS
Address: 0xBADEE000 Size: 6784 File Visible: - Signed: -
Status: -
Name: pci.sys
Image Path: pci.sys
Address: 0xBA653000 Size: 68224 File Visible: - Signed: -
Status: -
Name: PCI_PNP1306
Image Path: \Driver\PCI_PNP1306
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -
Name: PCIIde.sys
Image Path: PCIIde.sys
Address: 0xBAE70000 Size: 3328 File Visible: - Signed: -
Status: -
Name: PCIIDEX.SYS
Image Path: C:\WINDOWS\System32\Drivers\PCIIDEX.SYS
Address: 0xBAB28000 Size: 28672 File Visible: - Signed: -
Status: -
Name: PnpManager
Image Path: \Driver\PnpManager
Address: 0x804D7000 Size: 2150400 File Visible: - Signed: -
Status: -
Name: portcls.sys
Image Path: C:\WINDOWS\system32\drivers\portcls.sys
Address: 0xB8F39000 Size: 147456 File Visible: - Signed: -
Status: -
Name: psched.sys
Image Path: C:\WINDOWS\system32\DRIVERS\psched.sys
Address: 0xB8699000 Size: 69120 File Visible: - Signed: -
Status: -
Name: ptilink.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ptilink.sys
Address: 0xBAB78000 Size: 17792 File Visible: - Signed: -
Status: -
Name: PxHelp20.sys
Image Path: PxHelp20.sys
Address: 0xBA8F8000 Size: 35712 File Visible: - Signed: -
Status: -
Name: rasacd.sys
Image Path: C:\WINDOWS\system32\DRIVERS\rasacd.sys
Address: 0xAA684000 Size: 8832 File Visible: - Signed: -
Status: -
Name: rasl2tp.sys
Image Path: C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
Address: 0xBA9A8000 Size: 51328 File Visible: - Signed: -
Status: -
Name: raspppoe.sys
Image Path: C:\WINDOWS\system32\DRIVERS\raspppoe.sys
Address: 0xBA9B8000 Size: 41472 File Visible: - Signed: -
Status: -
Name: raspptp.sys
Image Path: C:\WINDOWS\system32\DRIVERS\raspptp.sys
Address: 0xBA9C8000 Size: 48384 File Visible: - Signed: -
Status: -
Name: raspti.sys
Image Path: C:\WINDOWS\system32\DRIVERS\raspti.sys
Address: 0xBAB80000 Size: 16512 File Visible: - Signed: -
Status: -
Name: RAW
Image Path: \FileSystem\RAW
Address: 0x804D7000 Size: 2150400 File Visible: - Signed: -
Status: -
Name: rdbss.sys
Image Path: C:\WINDOWS\system32\DRIVERS\rdbss.sys
Address: 0xA82EA000 Size: 175744 File Visible: - Signed: -
Status: -
Name: RDPCDD.sys
Image Path: C:\WINDOWS\System32\DRIVERS\RDPCDD.sys
Address: 0xBADBC000 Size: 4224 File Visible: - Signed: -
Status: -
Name: rdpdr.sys
Image Path: C:\WINDOWS\system32\DRIVERS\rdpdr.sys
Address: 0xB8669000 Size: 196224 File Visible: - Signed: -
Status: -
Name: redbook.sys
Image Path: C:\WINDOWS\system32\DRIVERS\redbook.sys
Address: 0xBAB18000 Size: 57600 File Visible: - Signed: -
Status: -
Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA7578000 Size: 49152 File Visible: No Signed: -
Status: -
Name: SASDIFSV.SYS
Image Path: C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
Address: 0xA88B9000 Size: 24576 File Visible: - Signed: -
Status: -
Name: SASKUTIL.sys
Image Path: C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys
Address: 0xA8315000 Size: 151552 File Visible: - Signed: -
Status: -
Name: SCSIPORT.SYS
Image Path: C:\WINDOWS\System32\Drivers\SCSIPORT.SYS
Address: 0xBA692000 Size: 98304 File Visible: - Signed: -
Status: -
Name: secdrv.sys
Image Path: C:\WINDOWS\system32\DRIVERS\secdrv.sys
Address: 0xA8FB5000 Size: 40960 File Visible: - Signed: -
Status: -
Name: serenum.sys
Image Path: C:\WINDOWS\system32\DRIVERS\serenum.sys
Address: 0xBAD50000 Size: 15744 File Visible: - Signed: -
Status: -
Name: serial.sys
Image Path: C:\WINDOWS\system32\DRIVERS\serial.sys
Address: 0xBAAD8000 Size: 64512 File Visible: - Signed: -
Status: -
Name: splr.sys
Image Path: splr.sys
Address: 0xBA6AA000 Size: 1036288 File Visible: No Signed: -
Status: -
Name: sptd
Image Path: \Driver\sptd
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -
Name: sr.sys
Image Path: sr.sys
Address: 0xBA594000 Size: 73472 File Visible: - Signed: -
Status: -
Name: srv.sys
Image Path: C:\WINDOWS\system32\DRIVERS\srv.sys
Address: 0xA76B0000 Size: 333952 File Visible: - Signed: -
Status: -
Name: ssmdrv.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ssmdrv.sys
Address: 0xA88C1000 Size: 23040 File Visible: - Signed: -
Status: -
Name: swenum.sys
Image Path: C:\WINDOWS\system32\DRIVERS\swenum.sys
Address: 0xBAE06000 Size: 4352 File Visible: - Signed: -
Status: -
Name: sysaudio.sys
Image Path: C:\WINDOWS\system32\drivers\sysaudio.sys
Address: 0xB7E30000 Size: 60800 File Visible: - Signed: -
Status: -
Name: tcpip.sys
Image Path: C:\WINDOWS\system32\DRIVERS\tcpip.sys
Address: 0xA83AA000 Size: 361600 File Visible: - Signed: -
Status: -
Name: TDI.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\TDI.SYS
Address: 0xBAB70000 Size: 20480 File Visible: - Signed: -
Status: -
Name: termdd.sys
Image Path: C:\WINDOWS\system32\DRIVERS\termdd.sys
Address: 0xBA9E8000 Size: 40704 File Visible: - Signed: -
Status: -
Name: update.sys
Image Path: C:\WINDOWS\system32\DRIVERS\update.sys
Address: 0xB85E3000 Size: 384768 File Visible: - Signed: -
Status: -
Name: usbccgp.sys
Image Path: C:\WINDOWS\system32\DRIVERS\usbccgp.sys
Address: 0xA865D000 Size: 32128 File Visible: - Signed: -
Status: -
Name: USBD.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\USBD.SYS
Address: 0xBAE66000 Size: 8192 File Visible: - Signed: -
Status: -
Name: usbehci.sys
Image Path: C:\WINDOWS\system32\DRIVERS\usbehci.sys
Address: 0xBAC18000 Size: 30208 File Visible: - Signed: -
Status: -
Name: usbhub.sys
Image Path: C:\WINDOWS\system32\DRIVERS\usbhub.sys
Address: 0xB0F7A000 Size: 59520 File Visible: - Signed: -
Status: -
Name: usbohci.sys
Image Path: C:\WINDOWS\system32\DRIVERS\usbohci.sys
Address: 0xBAC10000 Size: 17152 File Visible: - Signed: -
Status: -
Name: USBPORT.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\USBPORT.SYS
Address: 0xB8EF2000 Size: 147456 File Visible: - Signed: -
Status: -
Name: USBSTOR.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
Address: 0xA88A1000 Size: 26368 File Visible: - Signed: -
Status: -
Name: vga.sys
Image Path: C:\WINDOWS\System32\drivers\vga.sys
Address: 0xB1085000 Size: 20992 File Visible: - Signed: -
Status: -
Name: VIDEOPRT.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS
Address: 0xB8F71000 Size: 81920 File Visible: - Signed: -
Status: -
Name: vmci.sys
Image Path: C:\WINDOWS\system32\Drivers\vmci.sys
Address: 0xB9616000 Size: 48256 File Visible: - Signed: -
Status: -
Name: VMkbd.sys
Image Path: C:\WINDOWS\system32\drivers\VMkbd.sys
Address: 0xA8655000 Size: 16512 File Visible: - Signed: -
Status: -
Name: VMNET.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\VMNET.SYS
Address: 0xBAD9C000 Size: 12288 File Visible: - Signed: -
Status: -
Name: vmnetadapter.sys
Image Path: C:\WINDOWS\system32\DRIVERS\vmnetadapter.sys
Address: 0xBAD98000 Size: 9856 File Visible: - Signed: -
Status: -
Name: vmnetbridge.sys
Image Path: C:\WINDOWS\system32\DRIVERS\vmnetbridge.sys
Address: 0xAFACB000 Size: 24576 File Visible: - Signed: -
Status: -
Name: vmnetuserif.sys
Image Path: C:\WINDOWS\system32\drivers\vmnetuserif.sys
Address: 0xB01DA000 Size: 19584 File Visible: - Signed: -
Status: -
Name: VMparport.sys
Image Path: C:\WINDOWS\system32\Drivers\VMparport.sys
Address: 0xBADF0000 Size: 8192 File Visible: - Signed: -
Status: -
Name: vmx86.sys
Image Path: C:\WINDOWS\system32\Drivers\vmx86.sys
Address: 0xA77F2000 Size: 850816 File Visible: - Signed: -
Status: -
Name: VolSnap.sys
Image Path: VolSnap.sys
Address: 0xBA8C8000 Size: 52352 File Visible: - Signed: -
Status: -
Name: vstor2-ws60.sys
Image Path: C:\Program Files\VMware\VMware Workstation\vstor2-ws60.sys
Address: 0xA7916000 Size: 15744 File Visible: - Signed: -
Status: -
Name: wanarp.sys
Image Path: C:\WINDOWS\system32\DRIVERS\wanarp.sys
Address: 0xA9015000 Size: 34560 File Visible: - Signed: -
Status: -
Name: watchdog.sys
Image Path: C:\WINDOWS\System32\watchdog.sys
Address: 0xA8645000 Size: 20480 File Visible: - Signed: -
Status: -
Name: wdmaud.sys
Image Path: C:\WINDOWS\system32\drivers\wdmaud.sys
Address: 0xA7AA8000 Size: 83072 File Visible: - Signed: -
Status: -
Name: Win32k
Image Path: \Driver\Win32k
Address: 0xBF800000 Size: 1847296 File Visible: - Signed: -
Status: -
Name: win32k.sys
Image Path: C:\WINDOWS\System32\win32k.sys
Address: 0xBF800000 Size: 1847296 File Visible: - Signed: -
Status: -
Name: WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\WMILIB.SYS
Address: 0xBADAA000 Size: 8192 File Visible: - Signed: -
Status: -
Name: WMIxWDM
Image Path: \Driver\WMIxWDM
Address: 0x804D7000 Size: 2150400 File Visible: - Signed: -
Status: -
Name: ws2ifsl.sys
Image Path: C:\WINDOWS\System32\drivers\ws2ifsl.sys
Address: 0xA9C83000 Size: 12032 File Visible: - Signed: -
Status: -
ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/07/21 11:48
Program Version: Version 1.3.2.0
Windows Version: Windows XP SP3
==================================================
Processes
-------------------
Path: System
PID: 4 Status: -
Path: C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
PID: 132 Status: -
Path: C:\Program Files\SpywareGuard\sgmain.exe
PID: 180 Status: -
Path: C:\Program Files\SpywareGuard\sgbhp.exe
PID: 208 Status: -
Path: C:\Program Files\Avira\AntiVir Desktop\avguard.exe
PID: 304 Status: -
Path: C:\Program Files\Bonjour\mDNSResponder.exe
PID: 316 Status: -
Path: C:\WINDOWS\system32\svchost.exe
PID: 336 Status: -
Path: C:\WINDOWS\system32\spoolsv.exe
PID: 532 Status: -
Path: C:\Program Files\Avira\AntiVir Desktop\sched.exe
PID: 612 Status: -
Path: C:\WINDOWS\system32\svchost.exe
PID: 716 Status: -
Path: C:\WINDOWS\system32\smss.exe
PID: 816 Status: -
Path: C:\WINDOWS\system32\csrss.exe
PID: 868 Status: -
Path: C:\WINDOWS\system32\winlogon.exe
PID: 900 Status: -
Path: C:\WINDOWS\system32\services.exe
PID: 944 Status: -
Path: C:\WINDOWS\system32\lsass.exe
PID: 956 Status: -
Path: C:\WINDOWS\system32\notepad.exe
PID: 1036 Status: -
Path: C:\WINDOWS\system32\svchost.exe
PID: 1168 Status: -
Path: C:\WINDOWS\system32\vmnetdhcp.exe
PID: 1200 Status: -
Path: C:\WINDOWS\system32\svchost.exe
PID: 1216 Status: -
Path: C:\WINDOWS\system32\nvsvc32.exe
PID: 1336 Status: -
Path: C:\WINDOWS\explorer.exe
PID: 1428 Status: -
Path: C:\WINDOWS\system32\vmnat.exe
PID: 1596 Status: -
Path: C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
PID: 1780 Status: -
Path: C:\WINDOWS\system32\svchost.exe
PID: 1864 Status: -
Path: C:\WINDOWS\SOUNDMAN.EXE
PID: 1892 Status: -
Path: C:\WINDOWS\system32\rundll32.exe
PID: 1932 Status: -
Path: C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
PID: 1952 Status: -
Path: C:\WINDOWS\system32\ctfmon.exe
PID: 1976 Status: -
Path: C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
PID: 1984 Status: -
Path: C:\WINDOWS\system32\svchost.exe
PID: 2024 Status: -
Path: C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
PID: 2156 Status: -
Path: C:\Program Files\WinRAR\WinRAR.exe
PID: 3332 Status: -
Path: C:\Documents and Settings\Ken\Desktop\RootRepeal.exe
PID: 3356 Status: -
Path: C:\Program Files\Mozilla Firefox\firefox.exe
PID: 3460 Status: -
Path: C:\WINDOWS\system32\alg.exe
PID: 3620 Status: -
ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/07/21 11:49
Program Version: Version 1.3.2.0
Windows Version: Windows XP SP3
==================================================
SSDT
-------------------
#: 000 Function Name: NtAcceptConnectPort
Status: Not hooked
#: 001 Function Name: NtAccessCheck
Status: Not hooked
#: 002 Function Name: NtAccessCheckAndAuditAlarm
Status: Not hooked
#: 003 Function Name: NtAccessCheckByType
Status: Not hooked
#: 004 Function Name: NtAccessCheckByTypeAndAuditAlarm
Status: Not hooked
#: 005 Function Name: NtAccessCheckByTypeResultList
Status: Not hooked
#: 006 Function Name: NtAccessCheckByTypeResultListAndAuditAlarm
Status: Not hooked
#: 007 Function Name: NtAccessCheckByTypeResultListAndAuditAlarmByHandle
Status: Not hooked
#: 008 Function Name: NtAddAtom
Status: Not hooked
#: 009 Function Name: NtAddBootEntry
Status: Not hooked
#: 010 Function Name: NtAdjustGroupsToken
Status: Not hooked
#: 011 Function Name: NtAdjustPrivilegesToken
Status: Not hooked
#: 012 Function Name: NtAlertResumeThread
Status: Not hooked
#: 013 Function Name: NtAlertThread
Status: Not hooked
#: 014 Function Name: NtAllocateLocallyUniqueId
Status: Not hooked
#: 015 Function Name: NtAllocateUserPhysicalPages
Status: Not hooked
#: 016 Function Name: NtAllocateUuids
Status: Not hooked
#: 017 Function Name: NtAllocateVirtualMemory
Status: Not hooked
#: 018 Function Name: NtAreMappedFilesTheSame
Status: Not hooked
#: 019 Function Name: NtAssignProcessToJobObject
Status: Not hooked
#: 020 Function Name: NtCallbackReturn
Status: Not hooked
#: 021 Function Name: NtCancelDeviceWakeupRequest
Status: Not hooked
#: 022 Function Name: NtCancelIoFile
Status: Not hooked
#: 023 Function Name: NtCancelTimer
Status: Not hooked
#: 024 Function Name: NtClearEvent
Status: Not hooked
#: 025 Function Name: NtClose
Status: Not hooked
#: 026 Function Name: NtCloseObjectAuditAlarm
Status: Not hooked
#: 027 Function Name: NtCompactKeys
Status: Not hooked
#: 028 Function Name: NtCompareTokens
Status: Not hooked
#: 029 Function Name: NtCompleteConnectPort
Status: Not hooked
#: 030 Function Name: NtCompressKey
Status: Not hooked
#: 031 Function Name: NtConnectPort
Status: Not hooked
#: 032 Function Name: NtContinue
Status: Not hooked
#: 033 Function Name: NtCreateDebugObject
Status: Not hooked
#: 034 Function Name: NtCreateDirectoryObject
Status: Not hooked
#: 035 Function Name: NtCreateEvent
Status: Not hooked
#: 036 Function Name: NtCreateEventPair
Status: Not hooked
#: 037 Function Name: NtCreateFile
Status: Not hooked
#: 038 Function Name: NtCreateIoCompletion
Status: Not hooked
#: 039 Function Name: NtCreateJobObject
Status: Not hooked
#: 040 Function Name: NtCreateJobSet
Status: Not hooked
#: 041 Function Name: NtCreateKey
Status: Hooked by "<unknown>" at address 0xa8ea380e
#: 042 Function Name: NtCreateMailslotFile
Status: Not hooked
#: 043 Function Name: NtCreateMutant
Status: Not hooked
#: 044 Function Name: NtCreateNamedPipeFile
Status: Not hooked
#: 045 Function Name: NtCreatePagingFile
Status: Not hooked
#: 046 Function Name: NtCreatePort
Status: Not hooked
#: 047 Function Name: NtCreateProcess
Status: Not hooked
#: 048 Function Name: NtCreateProcessEx
Status: Not hooked
#: 049 Function Name: NtCreateProfile
Status: Not hooked
#: 050 Function Name: NtCreateSection
Status: Not hooked
#: 051 Function Name: NtCreateSemaphore
Status: Not hooked
#: 052 Function Name: NtCreateSymbolicLinkObject
Status: Not hooked
#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0xa8ea3804
#: 054 Function Name: NtCreateTimer
Status: Not hooked
#: 055 Function Name: NtCreateToken
Status: Not hooked
#: 056 Function Name: NtCreateWaitablePort
Status: Not hooked
#: 057 Function Name: NtDebugActiveProcess
Status: Not hooked
#: 058 Function Name: NtDebugContinue
Status: Not hooked
#: 059 Function Name: NtDelayExecution
Status: Not hooked
#: 060 Function Name: NtDeleteAtom
Status: Not hooked
#: 061 Function Name: NtDeleteBootEntry
Status: Not hooked
#: 062 Function Name: NtDeleteFile
Status: Not hooked
#: 063 Function Name: NtDeleteKey
Status: Hooked by "<unknown>" at address 0xa8ea3813
#: 064 Function Name: NtDeleteObjectAuditAlarm
Status: Not hooked
#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "<unknown>" at address 0xa8ea381d
#: 066 Function Name: NtDeviceIoControlFile
Status: Not hooked
#: 067 Function Name: NtDisplayString
Status: Not hooked
#: 068 Function Name: NtDuplicateObject
Status: Not hooked
#: 069 Function Name: NtDuplicateToken
Status: Not hooked
#: 070 Function Name: NtEnumerateBootEntries
Status: Not hooked
#: 071 Function Name: NtEnumerateKey
Status: Hooked by "splr.sys" at address 0xba6c8ca2
#: 072 Function Name: NtEnumerateSystemEnvironmentValuesEx
Status: Not hooked
#: 073 Function Name: NtEnumerateValueKey
Status: Hooked by "splr.sys" at address 0xba6c9030
#: 074 Function Name: NtExtendSection
Status: Not hooked
#: 075 Function Name: NtFilterToken
Status: Not hooked
#: 076 Function Name: NtFindAtom
Status: Not hooked
#: 077 Function Name: NtFlushBuffersFile
Status: Not hooked
#: 078 Function Name: NtFlushInstructionCache
Status: Not hooked
#: 079 Function Name: NtFlushKey
Status: Not hooked
#: 080 Function Name: NtFlushVirtualMemory
Status: Not hooked
#: 081 Function Name: NtFlushWriteBuffer
Status: Not hooked
#: 082 Function Name: NtFreeUserPhysicalPages
Status: Not hooked
#: 083 Function Name: NtFreeVirtualMemory
Status: Not hooked
#: 084 Function Name: NtFsControlFile
Status: Not hooked
#: 085 Function Name: NtGetContextThread
Status: Not hooked
#: 086 Function Name: NtGetDevicePowerState
Status: Not hooked
#: 087 Function Name: NtGetPlugPlayEvent
Status: Not hooked
#: 088 Function Name: NtGetWriteWatch
Status: Not hooked
#: 089 Function Name: NtImpersonateAnonymousToken
Status: Not hooked
#: 090 Function Name: NtImpersonateClientOfPort
Status: Not hooked
#: 091 Function Name: NtImpersonateThread
Status: Not hooked
#: 092 Function Name: NtInitializeRegistry
Status: Not hooked
#: 093 Function Name: NtInitiatePowerAction
Status: Not hooked
#: 094 Function Name: NtIsProcessInJob
Status: Not hooked
#: 095 Function Name: NtIsSystemResumeAutomatic
Status: Not hooked
#: 096 Function Name: NtListenPort
Status: Not hooked
#: 097 Function Name: NtLoadDriver
Status: Not hooked
#: 098 Function Name: NtLoadKey
Status: Hooked by "<unknown>" at address 0xa8ea3822
#: 099 Function Name: NtLoadKey2
Status: Not hooked
#: 100 Function Name: NtLockFile
Status: Not hooked
#: 101 Function Name: NtLockProductActivationKeys
Status: Not hooked
#: 102 Function Name: NtLockRegistryKey
Status: Not hooked
#: 103 Function Name: NtLockVirtualMemory
Status: Not hooked
#: 104 Function Name: NtMakePermanentObject
Status: Not hooked
#: 105 Function Name: NtMakeTemporaryObject
Status: Not hooked
#: 106 Function Name: NtMapUserPhysicalPages
Status: Not hooked
#: 107 Function Name: NtMapUserPhysicalPagesScatter
Status: Not hooked
#: 108 Function Name: NtMapViewOfSection
Status: Not hooked
#: 109 Function Name: NtModifyBootEntry
Status: Not hooked
#: 110 Function Name: NtNotifyChangeDirectoryFile
Status: Not hooked
#: 111 Function Name: NtNotifyChangeKey
Status: Not hooked
#: 112 Function Name: NtNotifyChangeMultipleKeys
Status: Not hooked
#: 113 Function Name: NtOpenDirectoryObject
Status: Not hooked
#: 114 Function Name: NtOpenEvent
Status: Not hooked
#: 115 Function Name: NtOpenEventPair
Status: Not hooked
#: 116 Function Name: NtOpenFile
Status: Not hooked
#: 117 Function Name: NtOpenIoCompletion
Status: Not hooked
#: 118 Function Name: NtOpenJobObject
Status: Not hooked
#: 119 Function Name: NtOpenKey
Status: Hooked by "splr.sys" at address 0xba6ab0c0
#: 120 Function Name: NtOpenMutant
Status: Not hooked
#: 121 Function Name: NtOpenObjectAuditAlarm
Status: Not hooked
#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0xa8ea37f0
#: 123 Function Name: NtOpenProcessToken
Status: Not hooked
#: 124 Function Name: NtOpenProcessTokenEx
Status: Not hooked
#: 125 Function Name: NtOpenSection
Status: Not hooked
#: 126 Function Name: NtOpenSemaphore
Status: Not hooked
#: 127 Function Name: NtOpenSymbolicLinkObject
Status: Not hooked
#: 128 Function Name: NtOpenThread
Status: Hooked by "<unknown>" at address 0xa8ea37f5
#: 129 Function Name: NtOpenThreadToken
Status: Not hooked
#: 130 Function Name: NtOpenThreadTokenEx
Status: Not hooked
#: 131 Function Name: NtOpenTimer
Status: Not hooked
#: 132 Function Name: NtPlugPlayControl
Status: Not hooked
#: 133 Function Name: NtPowerInformation
Status: Not hooked
#: 134 Function Name: NtPrivilegeCheck
Status: Not hooked
#: 135 Function Name: NtPrivilegeObjectAuditAlarm
Status: Not hooked
#: 136 Function Name: NtPrivilegedServiceAuditAlarm
Status: Not hooked
#: 137 Function Name: NtProtectVirtualMemory
Status: Not hooked
#: 138 Function Name: NtPulseEvent
Status: Not hooked
#: 139 Function Name: NtQueryAttributesFile
Status: Not hooked
#: 140 Function Name: NtQueryBootEntryOrder
Status: Not hooked
#: 141 Function Name: NtQueryBootOptions
Status: Not hooked
#: 142 Function Name: NtQueryDebugFilterState
Status: Not hooked
#: 143 Function Name: NtQueryDefaultLocale
Status: Not hooked
#: 144 Function Name: NtQueryDefaultUILanguage
Status: Not hooked
#: 145 Function Name: NtQueryDirectoryFile
Status: Not hooked
#: 146 Function Name: NtQueryDirectoryObject
Status: Not hooked
#: 147 Function Name: NtQueryEaFile
Status: Not hooked
#: 148 Function Name: NtQueryEvent
Status: Not hooked
#: 149 Function Name: NtQueryFullAttributesFile
Status: Not hooked
#: 150 Function Name: NtQueryInformationAtom
Status: Not hooked
#: 151 Function Name: NtQueryInformationFile
Status: Not hooked
#: 152 Function Name: NtQueryInformationJobObject
Status: Not hooked
#: 153 Function Name: NtQueryInformationPort
Status: Not hooked
#: 154 Function Name: NtQueryInformationProcess
Status: Not hooked
#: 155 Function Name: NtQueryInformationThread
Status: Not hooked
#: 156 Function Name: NtQueryInformationToken
Status: Not hooked
#: 157 Function Name: NtQueryInstallUILanguage
Status: Not hooked
#: 158 Function Name: NtQueryIntervalProfile
Status: Not hooked
#: 159 Function Name: NtQueryIoCompletion
Status: Not hooked
#: 160 Function Name: NtQueryKey
Status: Hooked by "splr.sys" at address 0xba6c9108
#: 161 Function Name: NtQueryMultipleValueKey
Status: Not hooked
#: 162 Function Name: NtQueryMutant
Status: Not hooked
#: 163 Function Name: NtQueryObject
Status: Not hooked
#: 164 Function Name: NtQueryOpenSubKeys
Status: Not hooked
#: 165 Function Name: NtQueryPerformanceCounter
Status: Not hooked
#: 166 Function Name: NtQueryQuotaInformationFile
Status: Not hooked
#: 167 Function Name: NtQuerySection
Status: Not hooked
#: 168 Function Name: NtQuerySecurityObject
Status: Not hooked
#: 169 Function Name: NtQuerySemaphore
Status: Not hooked
#: 170 Function Name: NtQuerySymbolicLinkObject
Status: Not hooked
#: 171 Function Name: NtQuerySystemEnvironmentValue
Status: Not hooked
#: 172 Function Name: NtQuerySystemEnvironmentValueEx
Status: Not hooked
#: 173 Function Name: NtQuerySystemInformation
Status: Not hooked
#: 174 Function Name: NtQuerySystemTime
Status: Not hooked
#: 175 Function Name: NtQueryTimer
Status: Not hooked
#: 176 Function Name: NtQueryTimerResolution
Status: Not hooked
#: 177 Function Name: NtQueryValueKey
Status: Hooked by "splr.sys" at address 0xba6c8f88
#: 178 Function Name: NtQueryVirtualMemory
Status: Not hooked
#: 179 Function Name: NtQueryVolumeInformationFile
Status: Not hooked
#: 180 Function Name: NtQueueApcThread
Status: Not hooked
#: 181 Function Name: NtRaiseException
Status: Not hooked
#: 182 Function Name: NtRaiseHardError
Status: Not hooked
#: 183 Function Name: NtReadFile
Status: Not hooked
#: 184 Function Name: NtReadFileScatter
Status: Not hooked
#: 185 Function Name: NtReadRequestData
Status: Not hooked
#: 186 Function Name: NtReadVirtualMemory
Status: Not hooked
#: 187 Function Name: NtRegisterThreadTerminatePort
Status: Not hooked
#: 188 Function Name: NtReleaseMutant
Status: Not hooked
#: 189 Function Name: NtReleaseSemaphore
Status: Not hooked
#: 190 Function Name: NtRemoveIoCompletion
Status: Not hooked
#: 191 Function Name: NtRemoveProcessDebug
Status: Not hooked
#: 192 Function Name: NtRenameKey
Status: Not hooked
#: 193 Function Name: NtReplaceKey
Status: Hooked by "<unknown>" at address 0xa8ea382c
#: 194 Function Name: NtReplyPort
Status: Not hooked
#: 195 Function Name: NtReplyWaitReceivePort
Status: Not hooked
#: 196 Function Name: NtReplyWaitReceivePortEx
Status: Not hooked
#: 197 Function Name: NtReplyWaitReplyPort
Status: Not hooked
#: 198 Function Name: NtRequestDeviceWakeup
Status: Not hooked
#: 199 Function Name: NtRequestPort
Status: Not hooked
#: 200 Function Name: NtRequestWaitReplyPort
Status: Not hooked
#: 201 Function Name: NtRequestWakeupLatency
Status: Not hooked
#: 202 Function Name: NtResetEvent
Status: Not hooked
#: 203 Function Name: NtResetWriteWatch
Status: Not hooked
#: 204 Function Name: NtRestoreKey
Status: Hooked by "<unknown>" at address 0xa8ea3827
#: 205 Function Name: NtResumeProcess
Status: Not hooked
#: 206 Function Name: NtResumeThread
Status: Not hooked
#: 207 Function Name: NtSaveKey
Status: Not hooked
#: 208 Function Name: NtSaveKeyEx
Status: Not hooked
#: 209 Function Name: NtSaveMergedKeys
Status: Not hooked
#: 210 Function Name: NtSecureConnectPort
Status: Not hooked
#: 211 Function Name: NtSetBootEntryOrder
Status: Not hooked
#: 212 Function Name: NtSetBootOptions
Status: Not hooked
#: 213 Function Name: NtSetContextThread
Status: Not hooked
#: 214 Function Name: NtSetDebugFilterState
Status: Not hooked
#: 215 Function Name: NtSetDefaultHardErrorPort
Status: Not hooked
#: 216 Function Name: NtSetDefaultLocale
Status: Not hooked
#: 217 Function Name: NtSetDefaultUILanguage
Status: Not hooked
#: 218 Function Name: NtSetEaFile
Status: Not hooked
#: 219 Function Name: NtSetEvent
Status: Not hooked
#: 220 Function Name: NtSetEventBoostPriority
Status: Not hooked
#: 221 Function Name: NtSetHighEventPair
Status: Not hooked
#: 222 Function Name: NtSetHighWaitLowEventPair
Status: Not hooked
#: 223 Function Name: NtSetInformationDebugObject
Status: Not hooked
#: 224 Function Name: NtSetInformationFile
Status: Not hooked
#: 225 Function Name: NtSetInformationJobObject
Status: Not hooked
#: 226 Function Name: NtSetInformationKey
Status: Not hooked
#: 227 Function Name: NtSetInformationObject
Status: Not hooked
#: 228 Function Name: NtSetInformationProcess
Status: Not hooked
#: 229 Function Name: NtSetInformationThread
Status: Not hooked
#: 230 Function Name: NtSetInformationToken
Status: Not hooked
#: 231 Function Name: NtSetIntervalProfile
Status: Not hooked
#: 232 Function Name: NtSetIoCompletion
Status: Not hooked
#: 233 Function Name: NtSetLdtEntries
Status: Not hooked
#: 234 Function Name: NtSetLowEventPair
Status: Not hooked
#: 235 Function Name: NtSetLowWaitHighEventPair
Status: Not hooked
#: 236 Function Name: NtSetQuotaInformationFile
Status: Not hooked
#: 237 Function Name: NtSetSecurityObject
Status: Not hooked
#: 238 Function Name: NtSetSystemEnvironmentValue
Status: Not hooked
#: 239 Function Name: NtSetSystemEnvironmentValueEx
Status: Not hooked
#: 240 Function Name: NtSetSystemInformation
Status: Not hooked
#: 241 Function Name: NtSetSystemPowerState
Status: Not hooked
#: 242 Function Name: NtSetSystemTime
Status: Not hooked
#: 243 Function Name: NtSetThreadExecutionState
Status: Not hooked
#: 244 Function Name: NtSetTimer
Status: Not hooked
#: 245 Function Name: NtSetTimerResolution
Status: Not hooked
#: 246 Function Name: NtSetUuidSeed
Status: Not hooked
#: 247 Function Name: NtSetValueKey
Status: Hooked by "<unknown>" at address 0xa8ea3818
#: 248 Function Name: NtSetVolumeInformationFile
Status: Not hooked
#: 249 Function Name: NtShutdownSystem
Status: Not hooked
#: 250 Function Name: NtSignalAndWaitForSingleObject
Status: Not hooked
#: 251 Function Name: NtStartProfile
Status: Not hooked
#: 252 Function Name: NtStopProfile
Status: Not hooked
#: 253 Function Name: NtSuspendProcess
Status: Not hooked
#: 254 Function Name: NtSuspendThread
Status: Not hooked
#: 255 Function Name: NtSystemDebugControl
Status: Not hooked
#: 256 Function Name: NtTerminateJobObject
Status: Not hooked
#: 257 Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0xa8ea37ff
#: 258 Function Name: NtTerminateThread
Status: Not hooked
#: 259 Function Name: NtTestAlert
Status: Not hooked
#: 260 Function Name: NtTraceEvent
Status: Not hooked
#: 261 Function Name: NtTranslateFilePath
Status: Not hooked
#: 262 Function Name: NtUnloadDriver
Status: Not hooked
#: 263 Function Name: NtUnloadKey
Status: Not hooked
#: 264 Function Name: NtUnloadKeyEx
Status: Not hooked
#: 265 Function Name: NtUnlockFile
Status: Not hooked
#: 266 Function Name: NtUnlockVirtualMemory
Status: Not hooked
#: 267 Function Name: NtUnmapViewOfSection
Status: Not hooked
#: 268 Function Name: NtVdmControl
Status: Not hooked
#: 269 Function Name: NtWaitForDebugEvent
Status: Not hooked
#: 270 Function Name: NtWaitForMultipleObjects
Status: Not hooked
#: 271 Function Name: NtWaitForSingleObject
Status: Not hooked
#: 272 Function Name: NtWaitHighEventPair
Status: Not hooked
#: 273 Function Name: NtWaitLowEventPair
Status: Not hooked
#: 274 Function Name: NtWriteFile
Status: Not hooked
#: 275 Function Name: NtWriteFileGather
Status: Not hooked
#: 276 Function Name: NtWriteRequestData
Status: Not hooked
#: 277 Function Name: NtWriteVirtualMemory
Status: Not hooked
#: 278 Function Name: NtYieldExecution
Status: Not hooked
#: 279 Function Name: NtCreateKeyedEvent
Status: Not hooked
#: 280 Function Name: NtOpenKeyedEvent
Status: Not hooked
#: 281 Function Name: NtReleaseKeyedEvent
Status: Not hooked
#: 282 Function Name: NtWaitForKeyedEvent
Status: Not hooked
#: 283 Function Name: NtQueryPortInformationProcess
Status: Not hooked
ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/07/21 11:48
Program Version: Version 1.3.2.0
Windows Version: Windows XP SP3
==================================================
Hidden Services
-------------------
OTL logfile created on: 7/21/2009 11:51:45 AM - Run 2
OTL by OldTimer - Version 3.0.9.2 Folder = C:\Documents and Settings\Ken\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
2.00 Gb Total Physical Memory | 1.37 Gb Available Physical Memory | 68.57% Memory free
3.85 Gb Paging File | 3.36 Gb Available in Paging File | 87.41% Paging File free
Paging file location(s): c:\pagefile.sys 2046 4092 [binary data]
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.52 Gb Total Space | 24.91 Gb Free Space | 33.43% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
Drive G: | 5.49 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
Drive H: | 973.17 Mb Total Space | 890.92 Mb Free Space | 91.55% Space Free | Partition Type: FAT
Drive I: | 111.79 Gb Total Space | 53.41 Gb Free Space | 47.78% Space Free | Partition Type: NTFS
Computer Name:
Current User Name:
Logged in as Administrator.
Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Minimal
Quick Scan
========== Processes (SafeList) ==========
PRC - C:\Program Files\Avira\AntiVir Desktop\sched.exe (Avira GmbH)
PRC - C:\WINDOWS\Explorer.EXE (Microsoft Corporation)
PRC - C:\WINDOWS\SOUNDMAN.EXE (Realtek Semiconductor Corp.)
PRC - C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
PRC - C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
PRC - C:\Program Files\SpywareGuard\sgmain.exe ()
PRC - C:\Program Files\SpywareGuard\sgbhp.exe ()
PRC - C:\Program Files\Avira\AntiVir Desktop\avguard.exe (Avira GmbH)
PRC - C:\Program Files\Bonjour\mDNSResponder.exe (Apple Computer, Inc.)
PRC - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe (NVIDIA)
PRC - C:\WINDOWS\System32\nvsvc32.exe (NVIDIA Corporation)
PRC - C:\WINDOWS\System32\vmnat.exe (VMware, Inc.)
PRC - C:\WINDOWS\System32\vmnetdhcp.exe (VMware, Inc.)
PRC - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe (VMware, Inc.)
PRC - C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
PRC - C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
PRC - C:\Program Files\WinRAR\WinRAR.exe ()
PRC - C:\Documents and Settings\Ken\Desktop\RootRepeal.exe ( )
PRC - C:\Documents and Settings\Ken\Desktop\OTL.exe (OldTimer Tools)
========== Win32 Services (SafeList) ==========
SRV - (AntiVirSchedulerService [Auto | Running]) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe (Avira GmbH)
SRV - (AntiVirService [Auto | Running]) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe (Avira GmbH)
SRV - (aspnet_state [On_Demand | Stopped]) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (Microsoft Corporation)
SRV - (Bonjour Service [Auto | Running]) -- C:\Program Files\Bonjour\mDNSResponder.exe (Apple Computer, Inc.)
SRV - (clr_optimization_v2.0.50727_32 [On_Demand | Stopped]) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (Microsoft Corporation)
SRV - (FLEXnet Licensing Service [On_Demand | Stopped]) -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe (Macrovision Europe Ltd.)
SRV - (FontCache3.0.0.0 [On_Demand | Stopped]) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe (Microsoft Corporation)
SRV - (gupdate1ca03632347c192 [Auto | Stopped]) -- C:\Program Files\Google\Update\GoogleUpdate.exe (Google Inc.)
SRV - (gusvc [Auto | Stopped]) -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (Google)
SRV - (helpsvc [Auto | Running]) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll (Microsoft Corporation)
SRV - (idsvc [Unknown | Stopped]) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe (Microsoft Corporation)
SRV - (LPDSVC [On_Demand | Stopped]) -- C:\WINDOWS\System32\tcpsvcs.exe (Microsoft Corporation)
SRV - (McAfeeFramework [Unknown | Stopped]) -- File not found
SRV - (MySql [Auto | Stopped]) -- File not found
SRV - (NetTcpPortSharing [Disabled | Stopped]) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe (Microsoft Corporation)
SRV - (nTuneService [Auto | Running]) -- C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe (NVIDIA)
SRV - (NVSvc [Auto | Running]) -- C:\WINDOWS\System32\nvsvc32.exe (NVIDIA Corporation)
SRV - (ufad-ws60 [On_Demand | Stopped]) -- C:\Program Files\VMware\VMware Workstation\vmware-ufad.exe (VMware, Inc.)
SRV - (UMWdf [On_Demand | Stopped]) -- C:\WINDOWS\System32\wdfmgr.exe (Microsoft Corporation)
SRV - (UxTuneUp [Auto | Stopped]) -- C:\WINDOWS\System32\uxtuneup.dll (TuneUp Software GmbH)
SRV - (VMAuthdService [Auto | Running]) -- C:\Program Files\VMware\VMware Workstation\vmware-authd.exe (VMware, Inc.)
SRV - (VMnetDHCP [Auto | Running]) -- C:\WINDOWS\System32\vmnetdhcp.exe (VMware, Inc.)
SRV - (VMware NAT Service [Auto | Running]) -- C:\WINDOWS\System32\vmnat.exe (VMware, Inc.)
========== Standard Registry (SafeList) ==========
========== Internet Explorer ==========
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft...p...ER}&ar=home
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn...st/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn...st/srchasst.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft...amp;ar=iesearch
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local
========== FireFox ==========
FF - prefs.js..browser.search.suggest.enabled: false
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}:6.0.03
FF - prefs.js..extensions.enabledItems: {20a82645-c095-46ed-80e3-08825760534b}:1.1
FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.0.11
FF - prefs.js..network.proxy.share_proxy_settings: true
FF - user.js..network.proxy.type: 0
FF - user.js..network.proxy.http: ""
FF - user.js..network.proxy.http_port: 0
FF - user.js..network.proxy.ssl: ""
FF - user.js..network.proxy.ssl_port: 0
FF - user.js..network.proxy.ftp: ""
FF - user.js..network.proxy.ftp_port: 0
FF - user.js..network.proxy.gopher: ""
FF - user.js..network.proxy.gopher_port: 0
FF - user.js..network.proxy.socks_version: 5
FF - user.js..network.proxy.socks: ""
FF - user.js..network.proxy.socks_port: 0
FF - HKLM\software\mozilla\Firefox\Extensions\\{20a82645-c095-46ed-80e3-08825760534b}: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ [2009/06/28 18:34:59 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.11\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009/07/09 18:33:25 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.11\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2009/06/25 18:53:19 | 00,000,000 | ---D | M]
[2008/09/02 15:49:53 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Ken\Application Data\mozilla\Extensions
[2008/09/02 15:49:53 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Ken\Application Data\mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
[2009/07/20 14:54:05 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Ken\Application Data\mozilla\Firefox\Profiles\e00lryfw.default\extensions
[2009/06/28 22:08:59 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Ken\Application Data\mozilla\Firefox\Profiles\e00lryfw.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2009/07/20 14:54:05 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions
[2009/06/14 15:35:19 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2008/05/15 19:54:30 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
[2009/06/14 15:35:13 | 00,023,032 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browserdirprovider.dll
[2009/06/14 15:35:13 | 00,134,648 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\brwsrcmp.dll
[2007/08/15 18:30:54 | 00,717,312 | ---- | M] (DivX,Inc.) -- C:\Program Files\mozilla firefox\plugins\npdivx32.dll
[2007/09/05 19:03:36 | 00,098,304 | ---- | M] (DivX, Inc) -- C:\Program Files\mozilla firefox\plugins\npDivxPlayerPlugin.dll
[2009/02/06 12:44:28 | 01,447,296 | ---- | M] (Microsoft Corporation) -- C:\Program Files\mozilla firefox\plugins\npLegitCheckPlugin.dll
[2009/06/14 15:35:16 | 00,065,528 | ---- | M] (mozilla.org) -- C:\Program Files\mozilla firefox\plugins\npnul32.dll
[2008/10/14 22:33:30 | 00,095,600 | ---- | M] (Adobe Systems Inc.) -- C:\Program Files\mozilla firefox\plugins\nppdf32.dll
[2008/02/07 20:51:44 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin.dll
[2008/02/07 20:51:44 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin2.dll
[2008/02/07 20:51:44 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin3.dll
[2008/02/07 20:51:44 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin4.dll
[2008/02/07 20:51:44 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin5.dll
[2008/02/07 20:51:44 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin6.dll
[2008/02/07 20:51:44 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin7.dll
[2008/01/09 12:36:08 | 00,819,200 | ---- | M] ( ) -- C:\Program Files\mozilla firefox\plugins\npxmoge.dll
[2009/04/30 14:34:27 | 00,001,394 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom.xml
[2009/04/30 14:34:27 | 00,002,193 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\answers.xml
[2009/04/30 14:34:27 | 00,001,534 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\creativecommons.xml
[2009/04/30 14:34:27 | 00,002,343 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay.xml
[2009/04/30 14:34:27 | 00,001,706 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\google.xml
[2009/04/30 14:34:27 | 00,001,178 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia.xml
[2009/04/30 14:34:28 | 00,000,792 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo.xml
O1 HOSTS File: (27 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (SpywareGuardDLBLOCK.CBrowserHelper) - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll ()
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll (Google Inc.)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [SoundMan] C:\WINDOWS\SOUNDMAN.EXE (Realtek Semiconductor Corp.)
O4 - HKCU..\Run: [NVIDIA nTune] C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe (NVIDIA)
O4 - HKCU..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O4 - Startup: C:\Documents and Settings\Ken\Start Menu\Programs\Startup\SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE File not found
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - Reg Error: Key error. File not found
O9 - Extra 'Tools' menuitem : Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Computer, Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000016 - C:\Program Files\VMware\VMware Workstation\vsocklib.dll (VMware, Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000017 - C:\Program Files\VMware\VMware Workstation\vsocklib.dll (VMware, Inc.)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKCU\..Trusted Domains: 26 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft....k/?linkid=39204 (Windows Genuine Advantage Validation Tool)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://www.update.mi...b?1199928135921 (WUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_03)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.ma...r/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} Reg Error: Key error. (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_03)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_03)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ipp - No CLSID value found
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UIHost - (C:\Documents) - File not found
O20 - HKLM Winlogon: UIHost - (and) - File not found
O20 - HKLM Winlogon: UIHost - (Settings\All) - File not found
O20 - HKLM Winlogon: UIHost - (Users\Application) - File not found
O20 - HKLM Winlogon: UIHost - (Data\TuneUp) - File not found
O20 - HKLM Winlogon: UIHost - (Software\TuneUp) - File not found
O20 - HKLM Winlogon: UIHost - (Utilities\WinStyler\tu_logonui.exe) - File not found
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O28 - HKLM ShellExecuteHooks: {81559C35-8464-49F7-BB0E-07A383BEF910} - C:\Program Files\SpywareGuard\spywareguard.dll ()
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007/09/14 04:47:00 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2006/05/11 18:13:39 | 00,000,279 | R--- | M] () - G:\autorun.inf -- [ CDFS ]
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found
========== Files/Folders - Created Within 14 Days ==========
[2009/07/21 11:51:32 | 00,513,536 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Ken\Desktop\OTL.exe
[2009/07/21 11:46:58 | 00,000,014 | ---- | C] () -- C:\Documents and Settings\Ken\Desktop\settings.dat
[2009/07/21 11:46:54 | 00,469,504 | ---- | C] ( ) -- C:\Documents and Settings\Ken\Desktop\RootRepeal.exe
[2009/07/21 11:26:20 | 00,462,508 | ---- | C] () -- C:\Documents and Settings\Ken\Desktop\RootRepeal.zip
[2009/07/12 22:57:00 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Ken\Local Settings\Application Data\Temp
[2009/07/12 22:52:18 | 00,000,886 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2009/07/12 22:52:18 | 00,000,882 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2009/07/12 22:37:28 | 00,000,868 | ---- | C] () -- C:\WINDOWS\tasks\Google Software Updater.job
[2009/07/12 22:37:28 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Google Updater
[2009/07/10 17:16:15 | 00,000,933 | ---- | C] () -- C:\Documents and Settings\Ken\Desktop\Spybot - Search & Destroy.lnk
[2009/07/10 17:12:38 | 00,000,000 | -HSD | C] -- C:\RECYCLER
[2009/07/10 12:36:41 | 00,000,000 | --SD | C] -- C:\Combo-Fix
========== Files - Modified Within 14 Days ==========
[2009/07/21 11:51:32 | 00,513,536 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Ken\Desktop\OTL.exe
[2009/07/21 11:47:30 | 00,000,014 | ---- | M] () -- C:\Documents and Settings\Ken\Desktop\settings.dat
[2009/07/21 11:26:21 | 00,462,508 | ---- | M] () -- C:\Documents and Settings\Ken\Desktop\RootRepeal.zip
[2009/07/21 10:57:00 | 00,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2009/07/21 10:34:00 | 00,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/07/21 10:34:00 | 00,000,868 | ---- | M] () -- C:\WINDOWS\tasks\Google Software Updater.job
[2009/07/21 10:33:44 | 00,179,592 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2009/07/21 10:33:42 | 00,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2009/07/21 10:33:36 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/07/21 10:33:35 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/07/21 01:36:07 | 05,900,292 | -H-- | M] () -- C:\Documents and Settings\Ken\Local Settings\Application Data\IconCache.db
[2009/07/20 17:09:20 | 00,054,156 | -H-- | M] () -- C:\WINDOWS\QTFont.qfn
[2009/07/12 21:39:46 | 00,469,504 | ---- | M] ( ) -- C:\Documents and Settings\Ken\Desktop\RootRepeal.exe
[2009/07/10 17:16:15 | 00,000,933 | ---- | M] () -- C:\Documents and Settings\Ken\Desktop\Spybot - Search & Destroy.lnk
[2009/07/10 17:15:15 | 00,000,386 | ---- | M] () -- C:\WINDOWS\tasks\1-Click Maintenance.job
[2009/07/10 12:43:40 | 00,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2009/07/10 12:36:24 | 03,053,811 | R--- | M] () -- C:\Documents and Settings\Ken\Desktop\Combo-Fix.exe
========== LOP Check ==========
[2009/07/12 22:37:28 | 00,000,000 | RH-D | M] -- C:\Documents and Settings\All Users\Application Data
[2009/06/14 15:13:32 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AA3DeployClient
[2009/05/21 09:38:51 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Acoustica
[2008/06/02 18:23:47 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Avg7
[2008/10/14 17:39:12 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Blizzard
[2008/12/29 19:45:29 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\FLEXnet
[2008/02/13 21:11:51 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Getic
[2009/05/09 18:43:03 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\NexonUS
[2009/07/10 13:16:49 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2007/12/20 02:58:28 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TuneUp Software
[2009/06/28 22:45:58 | 00,000,000 | -H-D | M] -- C:\Documents and Settings\Ken\Application Data
[2007/09/15 15:38:15 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Ken\Application Data\acccore
[2008/01/18 21:41:04 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Ken\Application Data\AVG7
[2008/03/11 19:25:16 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Ken\Application Data\DAEMON Tools
[2009/06/19 18:47:32 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Ken\Application Data\FileZilla
[2009/07/14 17:30:43 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Ken\Application Data\FrostWire
[2009/05/13 17:07:11 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Ken\Application Data\OpenOffice.org
[2009/05/13 16:57:47 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Ken\Application Data\OpenOffice.org2
[2008/02/05 18:22:21 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Ken\Application Data\PE Explorer
[2008/02/16 00:39:28 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Ken\Application Data\Ringtone
[2007/09/27 15:51:16 | 00,000,000 | RH-D | M] -- C:\Documents and Settings\Ken\Application Data\SecuROM
[2007/12/20 02:58:35 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Ken\Application Data\TuneUp Software
[2008/02/25 02:50:41 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Ken\Application Data\U3
[2009/07/07 01:43:01 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Ken\Application Data\uTorrent
[2007/12/28 14:47:19 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Ken\Application Data\ViStart
[2009/07/10 17:15:15 | 00,000,386 | ---- | M] () -- C:\WINDOWS\Tasks\1-Click Maintenance.job
[2004/08/04 08:00:00 | 00,000,065 | RH-- | M] () -- C:\WINDOWS\Tasks\desktop.ini
[2009/07/21 10:34:00 | 00,000,868 | ---- | M] () -- C:\WINDOWS\Tasks\Google Software Updater.job
[2009/07/21 10:33:42 | 00,000,882 | ---- | M] () -- C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
[2009/07/21 10:57:00 | 00,000,886 | ---- | M] () -- C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
[2009/07/21 10:33:36 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\Tasks\SA.DAT
========== Purity Check ==========
========== Alternate Data Streams ==========
@Alternate Data Stream - 125 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34
< End of report >
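Every file and folder line in the OTL report above follows one layout: `[date time | size | attributes | C or M] (publisher) -- path`, where the attribute flags are R (read-only), H (hidden), S (system) and D (directory), C/M says whether the line comes from the created or the modified listing, and the publisher field is empty when the binary carries no version string. The script below, an added example that is neither OTL's own code nor part of the poster's logs, parses that layout and pulls out the leads a helper would look at first: autostart entries that point at a missing file, AutoRun left enabled, executables created inside the scan window with no publisher string, new hidden or system directories, and alternate data streams. The category names, the window, the "known benign" filter for the two BootExecute tokens (OTL prints the default `autocheck autochk *` value one token per line, so `(autocheck)` and `(*)` show as File not found) and the sample lines, copied from the report above, are all the example's own choices and assumptions.

```python
"""Triage an OTL-style log. Added example; not part of OTL or of the post above."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# One OTL file/folder line, e.g.
#   [2009/07/21 11:51:32 | 00,513,536 | ---- | C] (OldTimer Tools) -- C:\...\OTL.exe
# Fields: timestamp | size | attrs (R read-only, H hidden, S system, D directory)
# | C (created) or M (modified), then "(publisher)" for files and the path.
# O32 "AutoRun File" lines use a single dash before the path and a " -- [ FS ]" tail.
ENTRY_RE = re.compile(
    r"\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
    r"(?P<attrs>[-RHSD]{4}) \| (?P<kind>[CM])\]"
    r"(?: \((?P<company>[^)]*)\))? -{1,2} (?P<path>.+?)(?: -{1,2} \[ \w+ \])?$"
)
ADS_RE = re.compile(r"^@Alternate Data Stream - (?P<size>\d+) bytes -> (?P<path>.+)$")
# Assumption: the default BootExecute value is "autocheck autochk *"; OTL lists each
# token separately, so "(autocheck)" and "(*)" read as missing files but are benign.
BENIGN_BOOTEXEC = re.compile(r"^O34 - HKLM BootExecute: \((autocheck|\*)\)$")
NOT_FOUND = " - File not found"
EXEC_EXT = (".exe", ".dll", ".pif", ".scr", ".sys", ".bat", ".cmd", ".com")


@dataclass
class Entry:
    when: datetime
    size: int
    attrs: str
    kind: str                # "C" created, "M" modified
    company: Optional[str]   # None for directories, "" when OTL prints "()" or "( )"
    path: str


def parse_entry(line: str) -> Optional[Entry]:
    """Parse one OTL file/folder line (also the O32 AutoRun File lines)."""
    m = ENTRY_RE.search(line.strip())
    if not m:
        return None
    company = m.group("company")
    return Entry(datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S"),
                 int(m.group("size").replace(",", "")), m.group("attrs"), m.group("kind"),
                 company.strip() if company is not None else None, m.group("path"))


Finding = Tuple[str, str, str]   # (category, item, reason)


def triage(lines: List[str], now: datetime, window_days: int = 14) -> List[Finding]:
    """Heuristic leads worth a second look; every hit still needs a human verdict."""
    cutoff = now - timedelta(days=window_days)
    out: List[Finding] = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        ads = ADS_RE.match(line)
        if ads:
            out.append(("ads", ads.group("path"), f"alternate data stream, {ads.group('size')} bytes"))
            continue
        if re.match(r"^O\d+ - ", line):
            if line.endswith(NOT_FOUND):
                item = line[:-len(NOT_FOUND)]
                if not BENIGN_BOOTEXEC.match(item):
                    out.append(("orphan", item, "autostart entry points at a file not on disk"))
                continue
            if line == "O32 - HKLM CDRom: AutoRun - 1":
                out.append(("config", line, "AutoRun enabled for removable media"))
                continue
        e = parse_entry(line)
        if e is None or e.kind != "C" or e.when < cutoff:
            continue                       # only things created inside the window
        if "D" in e.attrs:
            if "H" in e.attrs or "S" in e.attrs:
                out.append(("hidden-dir", e.path, f"new hidden/system directory, attrs {e.attrs}"))
        elif e.path.lower().endswith(EXEC_EXT) and not e.company:
            out.append(("recent-unsigned", e.path, f"created {e.when:%Y-%m-%d}, no publisher string"))
    return out


# Sample input: lines copied from the OTL report above (not a complete log).
SAMPLE_LOG = r"""
O20 - HKLM Winlogon: UIHost - (Utilities\WinStyler\tu_logonui.exe) - File not found
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007/09/14 04:47:00 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found
========== Files/Folders - Created Within 14 Days ==========
[2009/07/21 11:51:32 | 00,513,536 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Ken\Desktop\OTL.exe
[2009/07/21 11:46:54 | 00,469,504 | ---- | C] ( ) -- C:\Documents and Settings\Ken\Desktop\RootRepeal.exe
[2009/07/12 22:57:00 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Ken\Local Settings\Application Data\Temp
[2009/07/10 17:12:38 | 00,000,000 | -HSD | C] -- C:\RECYCLER
[2009/07/10 12:36:41 | 00,000,000 | --SD | C] -- C:\Combo-Fix
========== Alternate Data Streams ==========
@Alternate Data Stream - 125 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34
< End of report >
"""


def demo() -> List[Finding]:
    """Run the triage against the sample with 'now' set to the report's scan time."""
    return triage(SAMPLE_LOG.splitlines(), now=datetime(2009, 7, 21, 12, 0, 0))


if __name__ == "__main__":
    for cat, item, why in demo():
        print(f"{cat:16} {item}  [{why}]")
```

Run against the sample it reports six leads: the orphaned UIHost entry, AutoRun enabled, RootRepeal.exe (flagged only because its publisher field is blank, which is exactly why such a rule is a lead and not a verdict), the new hidden/system directories C:\RECYCLER and C:\Combo-Fix, and the stream on the TEMP folder. The two BootExecute tokens are filtered out by the benign rule; if you are not confident of that default on the machine in front of you, drop the filter and check the registry value yourself. The point of the script is to make the first pass over a long OTL log mechanical so the human time goes into the handful of lines that deserve it.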