
NTOSKRNL-HOOK [Solved]


  • This topic is locked

#1 tgshaw (Member, 12 posts)
Details from the McAfee scan:
File name: NTOSKRNL-HOOK
Detection name: Generic Rootkit.d!rootkit

--------

I guess I'm lucky in that this hasn't caused me any problems yet, but I want to get rid of it before it does! As with others who've reported the problem, on both quick scan and full scan, McAfee reports this as a trojan and says it's removed it, but it keeps showing up on all subsequent scans.

Here's what I've tried already:

First, I'm on automatic update for Windows XP, and my history does show some recent updates, so I'm assuming my system is up to date.

I scanned with system restore disabled, which got rid of something like this for me several years ago. It did get rid of one other thing that had been hiding there, but not NTOSKRNL-HOOK.

The one solution offered on the McAfee forum is to scan in safe mode, but for some reason my system refuses to restart in safe mode. When I choose it, I get the message that the system did not start successfully and I should choose how I want it to start. It gives me safe mode as an option again, but when I select it the message just comes up again. It starts fine if I tell it to restart normally.

Results from my efforts with your "Malware and Spyware Cleaning Guide":

SysRestorePoint.exe gives me an error message saying it needs .NET framework. According to my administrative listings, my computer has .NET framework 1.1 - a search for it on the Windows update site shows no results.

Root Repeal gives me an error message of "invalid PE image found" - I have no idea what this means. I had high hopes for this, since the problem does seem to be a rootkit (at least it says it is).

The instructions for ERUNT were so complex that I knew I'd just be courting trouble if I tried them on my own.

Malwarebytes' Anti-Malware is the one thing that did some good - found a dozen things McAfee hadn't, and eliminated them, but NTOSKRNL-HOOK was still there on reboot.

-- So, where do I go from here?


#2 hammerman (Member, 4,183 posts)
Hello tgshaw and welcome to GeeksToGo :)
I'm hammerman and I'm going to help you fix your problem.

Before we begin, I suggest you print or save any instructions I give you for easy reference. We may be using Safe mode and you will not always be able to access this thread. You can copy and paste these instructions into Notepad and then save the text file to your Desktop. If you need any help with this or further clarification, please let me know.

Do you have the results of the Malwarebytes scan you can post?
If not, please carry out another scan and post the results.

Please follow these steps.

-- Step 1 --

To ensure that I get all the information, this log will need to be attached (instructions at the end). If it is too large to attach, upload it to Mediafire and post the sharing link.

Download OTS to your Desktop
  • Close ALL OTHER PROGRAMS.
  • Double-click on OTS.exe to start the program.
  • Check the box that says Scan All Users
  • Under Additional Scans check the following:
    • Reg - Shell Spawning
    • File - Lop Check
    • File - Purity Scan
    • Evnt - EvtViewer (last 10)
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Please attach the log in your next post.

To attach a file, do the following:
  • Click Add Reply
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on Posted Image to insert the attachment into your post

-- Step 2 --

Download SysProt Antirootkit from the link below (you will find it at the bottom of the page under attachments, or you can get it from one of the mirrors).

http://sites.google....rotantirootkit/

Unzip it into a folder on your desktop.

Start the Sysprot.exe program.
  • Click on the Log tab.
  • In the Write to log box select all items.
  • Click on the Create Log button on the bottom right.
  • After a few seconds a new Window should appear.
  • Make sure Scan all drives is selected and click on the Start button.
  • When it is complete a new Window will appear to indicate that the scan is finished.
  • The log will be created and saved automatically in the same folder. Open the text file and copy/paste the log here.


#3 tgshaw (Topic Starter, 12 posts)
Well, that was silly of me. I had the Malware scan results saved and then didn't post them:

______________________

Malwarebytes' Anti-Malware 1.41
Database version: 2823
Windows 5.1.2600 Service Pack 3

9/18/2009 10:08:18 PM
mbam-log-2009-09-18 (22-08-18).txt

Scan type: Full Scan (C:\|)
Objects scanned: 235534
Time elapsed: 41 minute(s), 24 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 10
Registry Values Infected: 2
Registry Data Items Infected: 2
Folders Infected: 3
Files Infected: 18

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
\\?\globalroot\systemroot\system32\kbiwkmwkfjpiem.dll (Rootkit.TDSS) -> Delete on reboot.

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{549b5ca7-4a86-11d7-a4df-000874180bb3} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{549b5ca7-4a86-11d7-a4df-000874180bb3} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{c48635ad-d6b5-3ee4-aaa2-540d5a173658} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{c48635ad-d6b5-3ee4-aaa2-540d5a173658} (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RList (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Documents and Settings\All Users\Application Data\16285934 (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\Windows Police Pro (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lowsec (Stolen.data) -> Quarantined and deleted successfully.

Files Infected:
\\?\globalroot\systemroot\system32\kbiwkmwkfjpiem.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kbiwkmtuunmoej.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kbiwkmvjnwrkcx.dll (Rootkit.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\kbiwkmwkfjpiem.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\kbiwkmfvuuylwh.sys (Rootkit.TDSS) -> Delete on reboot.
C:\WINDOWS\Temp\kbiwkmhntjbvjmtf.tmp (Rootkit.TDSS) -> Delete on reboot.
C:\WINDOWS\Temp\TMP463.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\09MBSTMV\sys[1].exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\16285934\16285934 (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\16285934\pc16285934ins (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\Windows Police Pro\ANTI_files.exe (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lowsec\local.ds (Stolen.data) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lowsec\user.ds (Stolen.data) -> Quarantined and deleted successfully.
C:\Program Files\DelphiMM.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\Program Files\FTLoo01.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kbiwkmkurdxxxs.dat (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kbiwkmtqlwoygt.dat (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sdra64.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

___________________________________

Thanks for your help. Now that it's the middle of the week, I'll probably need to work through the two steps separately, as I have a fulltime+ day job - which I have to head off to soon. I'll post results as soon as I can.

Edited by tgshaw, 23 September 2009 - 06:15 AM.

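An added example, not part of the thread and not code from Malwarebytes or SysProt: a short Python triage script over excerpts of the two logs in this thread (the MBAM report above and the kernel-module section of the SysProt log posted later). It lists the items MBAM could only schedule for deletion on reboot, groups the TDSS files by the random prefix they share, picks out the kernel module SysProt reports as hidden with no base address and a service name unrelated to its file name, and then checks which of the "Delete on reboot" files is still loaded as a driver. The prefix length and family-size thresholds are assumptions chosen for this case.

```python
"""Triage of the two logs in this thread: the MBAM report above and the
'Kernel Modules' section of the SysProt log posted later. Added example,
not from the thread, Malwarebytes or SysProt; the sample text is excerpted
from the posted logs, the prefix/family thresholds are assumptions."""
import re
from collections import Counter

# Excerpt of the MBAM "Files Infected" section posted above.
MBAM_EXCERPT = r"""\\?\globalroot\systemroot\system32\kbiwkmwkfjpiem.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kbiwkmvjnwrkcx.dll (Rootkit.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\drivers\kbiwkmfvuuylwh.sys (Rootkit.TDSS) -> Delete on reboot.
C:\WINDOWS\Temp\kbiwkmhntjbvjmtf.tmp (Rootkit.TDSS) -> Delete on reboot.
C:\WINDOWS\Temp\TMP463.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sdra64.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
"""

# Excerpt of the SysProt kernel-module list posted later in the thread.
SYSPROT_EXCERPT = r"""Kernel Modules:
Module Name: \systemroot\system32\drivers\kbiwkmfvuuylwh.sys
Service Name: kbiwkmarjuejxt
Module Base: ---
Module End: ---
Hidden: Yes

Module Name: C:\WINDOWS\system32\drivers\Ntfs.sys
Service Name: Ntfs
Module Base: F83BA000
Module End: F8447000
Hidden: No
"""

# "<path> (<Detection>) -> <action>." as MBAM 1.x writes each result line.
MBAM_LINE = re.compile(r"^(?P<path>\S.*?) \((?P<detection>[^()]+)\) -> (?P<action>.+?)\.?$")
SYSPROT_FIELDS = ("Module Name", "Service Name", "Module Base", "Module End", "Hidden")


def basename(path):
    return path.rsplit("\\", 1)[-1]


def parse_mbam(text):
    """One dict (path, detection, action) per MBAM result line, any section."""
    entries = []
    for line in text.splitlines():
        m = MBAM_LINE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def pending_on_reboot(entries):
    """Paths MBAM could not remove while Windows was running."""
    return [e["path"] for e in entries if e["action"].lower().startswith("delete on reboot")]


def prefix_family(entries, length=6, minimum=3):
    """Heuristic: a TDSS-style dropper gives all its files one random prefix.
    Return `length`-char prefixes shared by at least `minimum` basenames
    (both thresholds are assumptions, not fixed properties of the malware)."""
    counts = Counter(basename(e["path"])[:length].lower() for e in entries)
    return sorted(p for p, n in counts.items() if n >= minimum)


def parse_sysprot_modules(text):
    """Split the 'Kernel Modules' section into one dict per module record."""
    modules, current = [], {}
    for line in text.splitlines():
        key, _, value = line.partition(":")
        if key.strip() in SYSPROT_FIELDS:
            current[key.strip()] = value.strip()
        elif not line.strip() and current:  # a blank line closes a record
            modules.append(current)
            current = {}
    if current:
        modules.append(current)
    return modules


def suspicious_modules(modules):
    """Flag drivers the detector marks hidden, that report no base address, or
    whose service name is unrelated to the file name; the last test alone is
    noisy (many legitimate drivers fail it), so read the reasons together."""
    flagged = []
    for m in modules:
        name = basename(m.get("Module Name", ""))
        stem = name.rsplit(".", 1)[0].lower()
        service = m.get("Service Name", "---").lower()
        reasons = []
        if m.get("Hidden", "No").lower() == "yes":
            reasons.append("hidden")
        if m.get("Module Base", "---") == "---":
            reasons.append("no base address")
        if service != "---" and stem not in service and service not in stem:
            reasons.append("service name does not match file name")
        if reasons:
            flagged.append((name, reasons))
    return flagged


def still_loaded(entries, modules):
    """Files MBAM left 'Delete on reboot' that SysProt still sees loaded as drivers."""
    loaded = {basename(m.get("Module Name", "")).lower() for m in modules}
    return sorted({basename(p).lower() for p in pending_on_reboot(entries)} & loaded)


if __name__ == "__main__":
    entries, modules = parse_mbam(MBAM_EXCERPT), parse_sysprot_modules(SYSPROT_EXCERPT)
    print("shared prefixes:", prefix_family(entries))
    print("pending on reboot:", pending_on_reboot(entries))
    for name, reasons in suspicious_modules(modules):
        print("suspicious module:", name, "-", ", ".join(reasons))
    print("still loaded despite MBAM:", still_loaded(entries, modules))
```

Run it as a script to print the findings. The useful result is the correlation at the end: the driver MBAM could only mark "Delete on reboot" (kbiwkmfvuuylwh.sys) is the same module SysProt still shows loaded and hidden several days later, so the scheduled deletion never took effect, which is consistent with the detection reappearing after every scan.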

#4 hammerman (Member, 4,183 posts)
Hello,

You have a backdoor trojan installed on your computer.
Backdoor Trojans, IRCBots and Infostealers are very dangerous because they provide a means of accessing a computer system that bypasses security mechanisms and steal sensitive information like passwords, personal and financial data which they send back to the hacker. Remote attackers use backdoor Trojans as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge.

If your computer was used for online banking, has credit card information or other sensitive data on it, I suggest you do the following.

1. All passwords should be changed to include those used for banking, email, eBay and forums. You should consider them to be compromised. They should be changed using a different computer and not the infected one. If you use the infected computer, an attacker may get the new passwords and transaction information.

2. Banking and credit card institutions should be notified of the possible security breach.

#5 tgshaw (Topic Starter, 12 posts)
I finally had a few minutes to start working on the problem, and wasn't expecting to see this when I checked in - thanks for the warning. I might be at a little less danger than some people because I don't have/use any credit cards, but I do have some other vulnerabilities that I should be able to take care of as soon as I can get to my office computer tomorrow morning. In the meantime, I'll see what I can do with the other scans.

Is this related to the NTOSKRNL-HOOK trojan, or is it something else entirely?

_______

ETA: I'll try attaching the OTS scan. (Attached file: OTS.Txt, 153.78KB)

Edited by tgshaw, 24 September 2009 - 09:32 PM.


#6 tgshaw (Topic Starter, 12 posts)
Here's the log from SysProt.
After scanning awhile, I got an error message saying "There is no disk in the drive. Please insert a disk into drive \Device\Harddisk1\DR3". If I hit "continue," it repeated the same message, just increasing the numbers until it reached "...Harddisk9\DR11". Then it seemed satisfied and completed the scan. I'm mentioning this in case it's something that shouldn't have happened.

____________________________

SysProt AntiRootkit v1.0.1.0
by swatkat

******************************************************************************************
******************************************************************************************

Process:
Name: [System Idle Process]
PID: 0
Hidden: No
Window Visible: No

Name: System
PID: 4
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\smss.exe
PID: 616
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\csrss.exe
PID: 684
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\winlogon.exe
PID: 708
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\services.exe
PID: 752
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\lsass.exe
PID: 764
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 940
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 1008
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 1116
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 1208
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 1324
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\LEXBCES.EXE
PID: 1512
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\spoolsv.exe
PID: 1540
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\LEXPPS.EXE
PID: 1548
Hidden: No
Window Visible: No

Name: C:\WINDOWS\explorer.exe
PID: 1880
Hidden: No
Window Visible: No

Name: C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
PID: 2040
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\igfxtray.exe
PID: 124
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\hkcmd.exe
PID: 128
Hidden: No
Window Visible: No

Name: C:\WINDOWS\zHotkey.exe
PID: 184
Hidden: No
Window Visible: No

Name: C:\Program Files\Digital Media Reader\shwiconEM.exe
PID: 216
Hidden: No
Window Visible: No

Name: C:\WINDOWS\SOUNDMAN.EXE
PID: 232
Hidden: No
Window Visible: No

Name: C:\WINDOWS\ALCWZRD.EXE
PID: 240
Hidden: No
Window Visible: No

Name: C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
PID: 300
Hidden: No
Window Visible: No

Name: C:\Program Files\QuickTime\qttask.exe
PID: 316
Hidden: No
Window Visible: No

Name: C:\Program Files\ScanSoft\OmniPageSE2.0\opwareSE2.exe
PID: 324
Hidden: No
Window Visible: No

Name: C:\Program Files\McAfee.com\Agent\mcagent.exe
PID: 332
Hidden: No
Window Visible: No

Name: C:\Program Files\EarthLink TotalAccess\FastLane2\ipmon32.exe
PID: 412
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\ctfmon.exe
PID: 420
Hidden: No
Window Visible: No

Name: C:\Program Files\EarthLink TotalAccess\FastLane2\IPClient.exe
PID: 428
Hidden: No
Window Visible: No

Name: C:\Program Files\Messenger\msmsgs.exe
PID: 964
Hidden: No
Window Visible: No

Name: C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
PID: 1108
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 1196
Hidden: No
Window Visible: No

Name: C:\Program Files\Logitech\SetPoint\SetPoint.exe
PID: 1276
Hidden: No
Window Visible: No

Name: C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
PID: 1280
Hidden: No
Window Visible: No

Name: C:\Program Files\WinZip\WZQKPICK.EXE
PID: 1404
Hidden: No
Window Visible: No

Name: C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.exe
PID: 1440
Hidden: No
Window Visible: No

Name: C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
PID: 1800
Hidden: No
Window Visible: No

Name: C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
PID: 896
Hidden: No
Window Visible: No

Name: C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe
PID: 528
Hidden: No
Window Visible: No

Name: C:\PROGRA~1\McAfee\VIRUSS~1\Mcshield.exe
PID: 588
Hidden: No
Window Visible: No

Name: C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
PID: 608
Hidden: No
Window Visible: No

Name: C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
PID: 1648
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 2084
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\wdfmgr.exe
PID: 2240
Hidden: No
Window Visible: No

Name: C:\Program Files\Canon\CAL\CALMAIN.exe
PID: 2712
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\alg.exe
PID: 3648
Hidden: No
Window Visible: No

Name: C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
PID: 4012
Hidden: No
Window Visible: No

Name: C:\PROGRA~1\WinZip\WINZIP32.EXE
PID: 2108
Hidden: No
Window Visible: No

Name: C:\Documents and Settings\Owner\My Documents\Unzipped\SysProt\SysProt\SysProt.exe
PID: 1472
Hidden: No
Window Visible: Yes

******************************************************************************************
******************************************************************************************
Kernel Modules:
Module Name: \systemroot\system32\drivers\kbiwkmfvuuylwh.sys
Service Name: kbiwkmarjuejxt
Module Base: ---
Module End: ---
Hidden: Yes

Module Name: \??\C:\Documents and Settings\Owner\My Documents\Unzipped\SysProt\SysProt\SysProtDrv.sys
Service Name: SysProtDrv.sys
Module Base: A9BE3000
Module End: A9BEE000
Hidden: No

Module Name: \WINDOWS\system32\ntoskrnl.exe
Service Name: ---
Module Base: 804D7000
Module End: 806FF000
Hidden: No

Module Name: \WINDOWS\system32\hal.dll
Service Name: ---
Module Base: 806FF000
Module End: 8071FD00
Hidden: No

Module Name: \WINDOWS\system32\KDCOM.DLL
Service Name: ---
Module Base: F8A84000
Module End: F8A86000
Hidden: No

Module Name: \WINDOWS\system32\BOOTVID.dll
Service Name: ---
Module Base: F8994000
Module End: F8997000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\ACPI.sys
Service Name: ACPI
Module Base: F8535000
Module End: F8563000
Hidden: No

Module Name: \WINDOWS\system32\DRIVERS\WMILIB.SYS
Service Name: ---
Module Base: F8A86000
Module End: F8A88000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\pci.sys
Service Name: PCI
Module Base: F8524000
Module End: F8535000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\isapnp.sys
Service Name: isapnp
Module Base: F8584000
Module End: F858E000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\pciide.sys
Service Name: PCIIde
Module Base: F8B4C000
Module End: F8B4D000
Hidden: No

Module Name: \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
Service Name: ---
Module Base: F8804000
Module End: F880B000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\aliide.sys
Service Name: AliIde
Module Base: F8A88000
Module End: F8A8A000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\cmdide.sys
Service Name: CmdIde
Module Base: F8A8A000
Module End: F8A8C000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\toside.sys
Service Name: TosIde
Module Base: F8A8C000
Module End: F8A8E000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\viaide.sys
Service Name: ViaIde
Module Base: F8A8E000
Module End: F8A90000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\intelide.sys
Service Name: IntelIde
Module Base: F8A90000
Module End: F8A92000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\MountMgr.sys
Service Name: MountMgr
Module Base: F8594000
Module End: F859F000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\ftdisk.sys
Service Name: Disk
Module Base: F8505000
Module End: F8524000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\PartMgr.sys
Service Name: PartMgr
Module Base: F880C000
Module End: F8811000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\VolSnap.sys
Service Name: VolSnap
Module Base: F85A4000
Module End: F85B1000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\cpqarray.sys
Service Name: Cpqarray
Module Base: F8998000
Module End: F899C000
Hidden: No

Module Name: \WINDOWS\system32\DRIVERS\SCSIPORT.SYS
Service Name: ScsiPort
Module Base: F84ED000
Module End: F8505000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\atapi.sys
Service Name: atapi
Module Base: F84D5000
Module End: F84ED000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\aha154x.sys
Service Name: Aha154x
Module Base: F899C000
Module End: F89A0000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\sparrow.sys
Service Name: Sparrow
Module Base: F8814000
Module End: F8819000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\symc810.sys
Service Name: symc810
Module Base: F89A0000
Module End: F89A4000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\aic78xx.sys
Service Name: aic78xx
Module Base: F85B4000
Module End: F85C2000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\dac960nt.sys
Service Name: dac960nt
Module Base: F89A4000
Module End: F89A8000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\ql10wnt.sys
Service Name: Ql10wnt
Module Base: F85C4000
Module End: F85CD000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\amsint.sys
Service Name: amsint
Module Base: F89A8000
Module End: F89AB000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\asc.sys
Service Name: asc
Module Base: F881C000
Module End: F8823000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\asc3550.sys
Service Name: asc3550
Module Base: F89AC000
Module End: F89B0000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\mraid35x.sys
Service Name: mraid35x
Module Base: F8824000
Module End: F8829000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\i2omp.sys
Service Name: i2omp
Module Base: F882C000
Module End: F8831000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\ini910u.sys
Service Name: ini910u
Module Base: F89B0000
Module End: F89B4000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\ql1240.sys
Service Name: ql1240
Module Base: F85D4000
Module End: F85DE000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\aic78u2.sys
Service Name: aic78u2
Module Base: F85E4000
Module End: F85F2000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\symc8xx.sys
Service Name: symc8xx
Module Base: F8834000
Module End: F883C000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\sym_hi.sys
Service Name: sym_hi
Module Base: F883C000
Module End: F8843000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\sym_u3.sys
Service Name: sym_u3
Module Base: F8844000
Module End: F884C000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\ABP480N5.SYS
Service Name: abp480n5
Module Base: F884C000
Module End: F8852000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\asc3350p.sys
Service Name: asc3350p
Module Base: F8854000
Module End: F885A000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\cd20xrnt.sys
Service Name: cd20xrnt
Module Base: F8A92000
Module End: F8A94000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\ultra.sys
Service Name: ultra
Module Base: F85F4000
Module End: F85FD000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\adpu160m.sys
Service Name: adpu160m
Module Base: F84BC000
Module End: F84D5000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\dpti2o.sys
Service Name: dpti2o
Module Base: F885C000
Module End: F8861000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\ql1080.sys
Service Name: ql1080
Module Base: F8604000
Module End: F860E000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\ql1280.sys
Service Name: ql1280
Module Base: F8614000
Module End: F8620000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\ql12160.sys
Service Name: ql12160
Module Base: F8624000
Module End: F8630000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\perc2.sys
Service Name: perc2
Module Base: F8864000
Module End: F886B000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\perc2hib.sys
Service Name: perc2hib
Module Base: F8A94000
Module End: F8A96000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\hpn.sys
Service Name: hpn
Module Base: F886C000
Module End: F8873000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\cbidf2k.sys
Service Name: cbidf
Module Base: F89B4000
Module End: F89B8000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\dac2w2k.sys
Service Name: dac2w2k
Module Base: F8490000
Module End: F84BC000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\disk.sys
Service Name: ---
Module Base: F8634000
Module End: F863D000
Hidden: No

Module Name: \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
Service Name: ---
Module Base: F8644000
Module End: F8651000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\sr.sys
Service Name: sr
Module Base: F845E000
Module End: F8470000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\KSecDD.sys
Service Name: KSecDD
Module Base: F8447000
Module End: F845E000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\Ntfs.sys
Service Name: Ntfs
Module Base: F83BA000
Module End: F8447000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\NDIS.sys
Service Name: NDIS
Module Base: F838D000
Module End: F83BA000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\sisagp.sys
Service Name: sisagp
Module Base: F8654000
Module End: F865E000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\viaagp.sys
Service Name: viaagp
Module Base: F8664000
Module End: F866F000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\ohci1394.sys
Service Name: ohci1394
Module Base: F8674000
Module End: F8684000
Hidden: No

Module Name: \WINDOWS\system32\DRIVERS\1394BUS.SYS
Service Name: ---
Module Base: F8684000
Module End: F8692000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\Mup.sys
Service Name: Mup
Module Base: F8373000
Module End: F838D000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\agp440.sys
Service Name: agp440
Module Base: F8694000
Module End: F869F000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\alim1541.sys
Service Name: alim1541
Module Base: F86A4000
Module End: F86AF000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\amdagp.sys
Service Name: amdagp
Module Base: F86B4000
Module End: F86BF000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\agpCPQ.sys
Service Name: agpCPQ
Module Base: F86C4000
Module End: F86CF000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\nic1394.sys
Service Name: NIC1394
Module Base: F8794000
Module End: F87A4000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\intelppm.sys
Service Name: intelppm
Module Base: F8714000
Module End: F871D000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ialmnt5.sys
Service Name: ialm
Module Base: F7B9F000
Module End: F7C54000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS
Service Name: ---
Module Base: F7B8B000
Module End: F7B9F000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
Service Name: HDAudBus
Module Base: F7B63000
Module End: F7B8B000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\usbuhci.sys
Service Name: usbuhci
Module Base: F88AC000
Module End: F88B2000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\USBPORT.SYS
Service Name: ---
Module Base: F7B3F000
Module End: F7B63000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\usbehci.sys
Service Name: usbehci
Module Base: F88B4000
Module End: F88BC000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\HSFHWBS2.sys
Service Name: HSFHWBS2
Module Base: F7B09000
Module End: F7B3F000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ks.sys
Service Name: ---
Module Base: F7AE6000
Module End: F7B09000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\HSF_DP.sys
Service Name: HSF_DP
Module Base: F79E7000
Module End: F7AE6000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys
Service Name: winachsf
Module Base: F793F000
Module End: F79E7000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Modem.SYS
Service Name: Modem
Module Base: F88BC000
Module End: F88C4000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\e100b325.sys
Service Name: E100B
Module Base: F7919000
Module End: F793F000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\parport.sys
Service Name: Parport
Module Base: F7905000
Module End: F7919000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\i8042prt.sys
Service Name: i8042prt
Module Base: F8724000
Module End: F8731000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\L8042mou.Sys
Service Name: L8042mou
Module Base: F8734000
Module End: F8742000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\LMouKE.Sys
Service Name: LMouKE
Module Base: F78F3000
Module End: F7905000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\mouclass.sys
Service Name: Mouclass
Module Base: F88C4000
Module End: F88CA000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\serial.sys
Service Name: Serial
Module Base: F8744000
Module End: F8754000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\serenum.sys
Service Name: serenum
Module Base: F8A7C000
Module End: F8A80000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\imapi.sys
Service Name: Imapi
Module Base: F8754000
Module End: F875F000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Service Name: Cdrom
Module Base: F8764000
Module End: F8774000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\redbook.sys
Service Name: redbook
Module Base: F8774000
Module End: F8783000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\audstub.sys
Service Name: audstub
Module Base: F8C8F000
Module End: F8C90000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
Service Name: Rasl2tp
Module Base: F8784000
Module End: F8791000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ndistapi.sys
Service Name: NdisTapi
Module Base: F82AB000
Module End: F82AE000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ndiswan.sys
Service Name: NdisWan
Module Base: F78DC000
Module End: F78F3000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\raspppoe.sys
Service Name: RasPppoe
Module Base: F87A4000
Module End: F87AF000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\raspptp.sys
Service Name: PptpMiniport
Module Base: F87B4000
Module End: F87C0000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\TDI.SYS
Service Name: ---
Module Base: F88CC000
Module End: F88D1000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\psched.sys
Service Name: PSched
Module Base: F78CB000
Module End: F78DC000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\msgpc.sys
Service Name: Gpc
Module Base: F87C4000
Module End: F87CD000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ptilink.sys
Service Name: Ptilink
Module Base: F88D4000
Module End: F88D9000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\raspti.sys
Service Name: Raspti
Module Base: F8904000
Module End: F8909000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\termdd.sys
Service Name: TermDD
Module Base: F87D4000
Module End: F87DE000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\kbdclass.sys
Service Name: Kbdclass
Module Base: F88DC000
Module End: F88E2000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\swenum.sys
Service Name: swenum
Module Base: F8ABA000
Module End: F8ABC000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\update.sys
Service Name: Update
Module Base: F786D000
Module End: F78CB000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\mssmbios.sys
Service Name: mssmbios
Module Base: F8297000
Module End: F829B000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\NDProxy.SYS
Service Name: NDProxy
Module Base: F87F4000
Module End: F87FE000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\RtkHDAud.sys
Service Name: IntcAzAudAddService
Module Base: AA594000
Module End: AA7C0000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\portcls.sys
Service Name: ---
Module Base: AA570000
Module End: AA594000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\drmk.sys
Service Name: ---
Module Base: F8353000
Module End: F8362000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\usbhub.sys
Service Name: usbhub
Module Base: F8333000
Module End: F8342000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\USBD.SYS
Service Name: ---
Module Base: F8AD2000
Module End: F8AD4000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\i2omgmt.SYS
Service Name: i2omgmt
Module Base: F8A50000
Module End: F8A53000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Fs_Rec.SYS
Service Name: Fs_Rec
Module Base: F8AE0000
Module End: F8AE2000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Null.SYS
Service Name: Null
Module Base: F8BAE000
Module End: F8BAF000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Beep.SYS
Service Name: Beep
Module Base: F8AE2000
Module End: F8AE4000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS
Service Name: ---
Module Base: F891C000
Module End: F8923000
Hidden: No

Module Name: C:\WINDOWS\System32\drivers\vga.sys
Service Name: VgaSave
Module Base: F8924000
Module End: F892A000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\mnmdd.SYS
Service Name: mnmdd
Module Base: F8AE4000
Module End: F8AE6000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\RDPCDD.sys
Service Name: RDPCDD
Module Base: F8AE6000
Module End: F8AE8000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Msfs.SYS
Service Name: Msfs
Module Base: F892C000
Module End: F8931000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Npfs.SYS
Service Name: Npfs
Module Base: F8934000
Module End: F893C000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\rasacd.sys
Service Name: RasAcd
Module Base: F8A5C000
Module End: F8A5F000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ipsec.sys
Service Name: IPSec
Module Base: AA38D000
Module End: AA3A0000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\tcpip.sys
Service Name: Tcpip
Module Base: AA334000
Module End: AA38D000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Mpfp.sys
Service Name: MPFP
Module Base: AA30D000
Module End: AA334000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ipnat.sys
Service Name: IpNat
Module Base: AA2C6000
Module End: AA2EC000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\wanarp.sys
Service Name: Wanarp
Module Base: F7CA4000
Module End: F7CAD000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
Service Name: IpFilterDriver
Module Base: F7C94000
Module End: F7C9D000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\netbt.sys
Service Name: NetBT
Module Base: AA1D6000
Module End: AA1FE000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\arp1394.sys
Service Name: Arp1394
Module Base: F7C84000
Module End: F7C93000
Hidden: No

Module Name: C:\WINDOWS\System32\drivers\ws2ifsl.sys
Service Name: WS2IFSL
Module Base: F8A70000
Module End: F8A73000
Hidden: No

Module Name: C:\WINDOWS\System32\drivers\afd.sys
Service Name: AFD
Module Base: AA1B4000
Module End: AA1D6000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\netbios.sys
Service Name: NetBIOS
Module Base: F7C74000
Module End: F7C7D000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\rdbss.sys
Service Name: Rdbss
Module Base: AA189000
Module End: AA1B4000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
Service Name: MRxSmb
Module Base: AA119000
Module End: AA189000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\mfehidk.sys
Service Name: mfehidk
Module Base: AA0E6000
Module End: AA119000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Fips.SYS
Service Name: Fips
Module Base: F7C54000
Module End: F7C5F000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\usbccgp.sys
Service Name: usbccgp
Module Base: F8954000
Module End: F895C000
Hidden: No

Module Name: \??\C:\WINDOWS\System32\Drivers\sunkfilt39.sys
Service Name: SunkFilt39
Module Base: F895C000
Module End: F8964000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
Service Name: USBSTOR
Module Base: F8964000
Module End: F896B000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\hidusb.sys
Service Name: HidUsb
Module Base: F759C000
Module End: F759F000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS
Service Name: ---
Module Base: F87E4000
Module End: F87ED000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\LHidFilt.Sys
Service Name: LHidFilt
Module Base: F8974000
Module End: F897C000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\WDFLDR.SYS
Service Name: ---
Module Base: AA2A6000
Module End: AA2B3000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\Wdf01000.sys
Service Name: Wdf01000
Module Base: A9EAF000
Module End: A9F2A000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\kbdhid.sys
Service Name: kbdhid
Module Base: F757C000
Module End: F7580000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Fastfat.SYS
Service Name: Fastfat
Module Base: A9DEB000
Module End: A9E0F000
Hidden: No

Module Name: \SystemRoot\System32\Drivers\dump_atapi.sys
Service Name: ---
Module Base: A9DD3000
Module End: A9DEB000
Hidden: Yes

Module Name: \SystemRoot\System32\Drivers\dump_WMILIB.SYS
Service Name: ---
Module Base: F8B1E000
Module End: F8B20000
Hidden: Yes

Module Name: C:\WINDOWS\System32\drivers\Dxapi.sys
Service Name: ---
Module Base: AA21E000
Module End: AA221000
Hidden: No

Module Name: C:\WINDOWS\System32\watchdog.sys
Service Name: ---
Module Base: F88FC000
Module End: F8901000
Hidden: No

Module Name: C:\WINDOWS\System32\drivers\dxgthk.sys
Service Name: ---
Module Base: F8BBB000
Module End: F8BBC000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ndisuio.sys
Service Name: Ndisuio
Module Base: A9D73000
Module End: A9D77000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\wdmaud.sys
Service Name: wdmaud
Module Base: A9B66000
Module End: A9B7B000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\sysaudio.sys
Service Name: sysaudio
Module Base: AA510000
Module End: AA51F000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\mrxdav.sys
Service Name: MRxDAV
Module Base: A9611000
Module End: A963E000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Cdfs.SYS
Service Name: Cdfs
Module Base: A9866000
Module End: A9876000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\ASCTRM.SYS
Service Name: ASCTRM
Module Base: F8AA0000
Module End: F8AA2000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\HTTP.sys
Service Name: HTTP
Module Base: A9580000
Module End: A95C1000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\srv.sys
Service Name: Srv
Module Base: A9506000
Module End: A9558000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
Service Name: mdmxsdk
Module Base: A93E6000
Module End: A93E9000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\npf.sys
Service Name: npf
Module Base: A9F72000
Module End: A9F79000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\mfebopk.sys
Service Name: mfebopk
Module Base: F889C000
Module End: F88A3000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\mfeavfk.sys
Service Name: mfeavfk
Module Base: A8EB4000
Module End: A8EC6000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\mfesmfk.sys
Service Name: mfesmfk
Module Base: AA4B0000
Module End: AA4B9000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\usbscan.sys
Service Name: usbscan
Module Base: A9C7B000
Module End: A9C7F000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\usbprint.sys
Service Name: usbprint
Module Base: F887C000
Module End: F8883000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\kmixer.sys
Service Name: kmixer
Module Base: A8989000
Module End: A89B4000
Hidden: No

******************************************************************************************
******************************************************************************************
No SSDT Hooks found

******************************************************************************************
******************************************************************************************
Kernel Hooks:
Hooked Function: ZwYieldExecution
At Address: 80515A6A
Jump To: AA0FF518
Module Name: C:\WINDOWS\system32\drivers\mfehidk.sys

Hooked Function: ZwUnmapViewOfSection
At Address: 8057DEF1
Jump To: AA0FF544
Module Name: C:\WINDOWS\system32\drivers\mfehidk.sys

Hooked Function: ZwUnloadKey
At Address: 80654DD6
Jump To: AA0FF64C
Module Name: C:\WINDOWS\system32\drivers\mfehidk.sys

Hooked Function: ZwTerminateProcess
At Address: 8058E695
Jump To: AA0FF55D
Module Name: C:\WINDOWS\system32\drivers\mfehidk.sys

Hooked Function: ZwSetValueKey
At Address: 8058228C
Jump To: AA0FF5DB
Module Name: C:\WINDOWS\system32\drivers\mfehidk.sys

Hooked Function: ZwSetInformationProcess
At Address: 8057CFC0
Jump To: AA0FF4C6
Module Name: C:\WINDOWS\system32\drivers\mfehidk.sys

Hooked Function: ZwSetContextThread
At Address: 80635967
Jump To: AA0FF4DA
Module Name: C:\WINDOWS\system32\drivers\mfehidk.sys

Hooked Function: ZwSaveKeyEx
At Address: 80656259
Jump To: 82762872
Module Name: _unknown_

Hooked Function: ZwSaveKey
At Address: 8065616E
Jump To: 827628AA
Module Name: _unknown_

Hooked Function: ZwRestoreKey
At Address: 8065606D
Jump To: AA0FF676
Module Name: C:\WINDOWS\system32\drivers\mfehidk.sys

Hooked Function: ZwReplaceKey
At Address: 806564D8
Jump To: AA0FF68A
Module Name: C:\WINDOWS\system32\drivers\mfehidk.sys

Hooked Function: ZwRenameKey
At Address: 80655B78
Jump To: AA0FF5AF
Module Name: C:\WINDOWS\system32\drivers\mfehidk.sys

Hooked Function: ZwQueryValueKey
At Address: 80573037
Jump To: AA0FF5F1
Module Name: C:\WINDOWS\system32\drivers\mfehidk.sys

Hooked Function: ZwQueryMultipleValueKey
At Address: 806556FC
Jump To: AA0FF607
Module Name: C:\WINDOWS\system32\drivers\mfehidk.sys

Hooked Function: ZwQueryKey
At Address: 80578A14
Jump To: AA0FF69E
Module Name: C:\WINDOWS\system32\drivers\mfehidk.sys

Hooked Function: ZwProtectVirtualMemory
At Address: 80581889
Jump To: AA0FF502
Module Name: C:\WINDOWS\system32\drivers\mfehidk.sys

Hooked Function: ZwOpenThread
At Address: 805E1939
Jump To: AA0FF488
Module Name: C:\WINDOWS\system32\drivers\mfehidk.sys

Hooked Function: ZwOpenProcess
At Address: 80581702
Jump To: AA0FF474
Module Name: C:\WINDOWS\system32\drivers\mfehidk.sys

Hooked Function: ZwOpenKey
At Address: 80572BF4
Jump To: AA0FF571
Module Name: C:\WINDOWS\system32\drivers\mfehidk.sys

Hooked Function: ZwNotifyChangeKey
At Address: 805E218F
Jump To: AA0FF662
Module Name: C:\WINDOWS\system32\drivers\mfehidk.sys

Hooked Function: ZwMapViewOfSection
At Address: 8057E369
Jump To: AA0FF52E
Module Name: C:\WINDOWS\system32\drivers\mfehidk.sys

Hooked Function: ZwFlushInstructionCache
At Address: 80587BFB
Jump To: 827625E4
Module Name: _unknown_

Hooked Function: ZwEnumerateValueKey
At Address: 80587693
Jump To: AA0FF61D
Module Name: C:\WINDOWS\system32\drivers\mfehidk.sys

Hooked Function: ZwEnumerateKey
At Address: 80578E14
Jump To: 8276261C
Module Name: _unknown_

Hooked Function: ZwDeleteValueKey
At Address: 80591F8B
Jump To: AA0FF5C5
Module Name: C:\WINDOWS\system32\drivers\mfehidk.sys

Hooked Function: ZwDeleteKey
At Address: 80593334
Jump To: AA0FF599
Module Name: C:\WINDOWS\system32\drivers\mfehidk.sys

Hooked Function: ZwCreateProcessEx
At Address: 8058B7CD
Jump To: AA0FF4B0
Module Name: C:\WINDOWS\system32\drivers\mfehidk.sys

Hooked Function: ZwCreateProcess
At Address: 805B0470
Jump To: AA0FF49C
Module Name: C:\WINDOWS\system32\drivers\mfehidk.sys

Hooked Function: ZwCreateKey
At Address: 8057791D
Jump To: AA0FF585
Module Name: C:\WINDOWS\system32\drivers\mfehidk.sys

Hooked Function: ZwCreateFile
At Address: 8057C328
Jump To: AA0FF4EE
Module Name: C:\WINDOWS\system32\drivers\mfehidk.sys

Hooked Function: PsGetProcessWin32WindowStation
At Address: 804F41EC
Jump To: FD806070
Module Name: _unknown_

Hooked Function: PsGetProcessJob
At Address: 804F41EC
Jump To: FD806070
Module Name: _unknown_

Hooked Function: IofCompleteRequest
At Address: 804E17BD
Jump To: 8275F3FB
Module Name: _unknown_

Hooked Function: IofCallDriver
At Address: 804E13A7
Jump To: 8276188B
Module Name: _unknown_

******************************************************************************************
******************************************************************************************
No IRP Hooks found

******************************************************************************************
******************************************************************************************
Ports:
Local Address: YOUR-E0A65F95D4:NETBIOS-SSN
Remote Address: 0.0.0.0:0
Type: TCP
Process: System
State: LISTENING

Local Address: YOUR-E0A65F95D4:1029
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\WINDOWS\system32\alg.exe
State: LISTENING

Local Address: YOUR-E0A65F95D4:8097
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
State: LISTENING

Local Address: YOUR-E0A65F95D4:6646
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
State: LISTENING

Local Address: YOUR-E0A65F95D4:1025
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\WINDOWS\system32\LEXPPS.EXE
State: LISTENING

Local Address: YOUR-E0A65F95D4:MICROSOFT-DS
Remote Address: 0.0.0.0:0
Type: TCP
Process: System
State: LISTENING

Local Address: YOUR-E0A65F95D4:EPMAP
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\WINDOWS\system32\svchost.exe
State: LISTENING

Local Address: YOUR-E0A65F95D4:6646
Remote Address: NA
Type: UDP
Process: C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
State: NA

Local Address: YOUR-E0A65F95D4:1900
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA

Local Address: YOUR-E0A65F95D4:138
Remote Address: NA
Type: UDP
Process: System
State: NA

Local Address: YOUR-E0A65F95D4:NETBIOS-NS
Remote Address: NA
Type: UDP
Process: System
State: NA

Local Address: YOUR-E0A65F95D4:123
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA

Local Address: YOUR-E0A65F95D4:1900
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA

Local Address: YOUR-E0A65F95D4:1032
Remote Address: NA
Type: UDP
Process: C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
State: NA

Local Address: YOUR-E0A65F95D4:123
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA

Local Address: YOUR-E0A65F95D4:4500
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\lsass.exe
State: NA

Local Address: YOUR-E0A65F95D4:500
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\lsass.exe
State: NA

Local Address: YOUR-E0A65F95D4:MICROSOFT-DS
Remote Address: NA
Type: UDP
Process: System
State: NA

******************************************************************************************
******************************************************************************************
Hidden files/folders:
Object: C:\System Volume Information\MountPointManagerRemoteDatabase
Status: Access denied

Object: C:\System Volume Information\tracking.log
Status: Access denied

Object: C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}
Status: Access denied
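The RootRepeal report above gives two things that can be cross-checked against each other: the loaded-module list, with each driver's base and end address, and the "Kernel Hooks" list, with the address each hooked ntoskrnl function jumps to and the module RootRepeal attributes it to. The check a practitioner makes is mechanical: a jump target that falls inside a known, non-hidden driver's range (here every 0xAA0Fxxxx target lands in mfehidk.sys, McAfee's own driver, whose hooks are expected) is accounted for; a target that falls in no loaded module's range is unaccounted-for code and the thing to chase, which is what the report's "_unknown_" entries (the 0x8276xxxx and 0xFD806070 targets) are. The Python below is an added example, not part of the original post and not RootRepeal's own code. It re-derives that attribution from a constructed excerpt of the report (three module entries and four hook entries copied from the log), and also catches the case the report itself does not flag: a hook whose claimed module does not actually own the target address.

```python
import re

# Constructed excerpt of the RootRepeal report posted above: three entries from
# the loaded-module list and four from "Kernel Hooks", copied verbatim. A real
# run would feed the whole saved report file instead.
REPORT = r"""
Module Name: C:\WINDOWS\system32\DRIVERS\tcpip.sys
Service Name: Tcpip
Module Base: AA334000
Module End: AA38D000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\mfehidk.sys
Service Name: mfehidk
Module Base: AA0E6000
Module End: AA119000
Hidden: No

Module Name: \SystemRoot\System32\Drivers\dump_atapi.sys
Service Name: ---
Module Base: A9DD3000
Module End: A9DEB000
Hidden: Yes

Kernel Hooks:
Hooked Function: ZwOpenProcess
At Address: 80581702
Jump To: AA0FF474
Module Name: C:\WINDOWS\system32\drivers\mfehidk.sys

Hooked Function: ZwSaveKey
At Address: 8065616E
Jump To: 827628AA
Module Name: _unknown_

Hooked Function: IofCallDriver
At Address: 804E13A7
Jump To: 8276188B
Module Name: _unknown_

Hooked Function: PsGetProcessJob
At Address: 804F41EC
Jump To: FD806070
Module Name: _unknown_
"""


def parse_records(text):
    """Split the report into blank-line-delimited records of 'Key: value' fields."""
    records = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in chunk.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                fields[key.strip()] = value.strip()
        if fields:
            records.append(fields)
    return records


def parse_report(text):
    """Return (modules, hooks) with the hex addresses converted to ints."""
    modules, hooks = [], []
    for rec in parse_records(text):
        if "Module Base" in rec:
            modules.append({
                "path": rec["Module Name"],
                "base": int(rec["Module Base"], 16),
                "end": int(rec["Module End"], 16),
                "hidden": rec.get("Hidden", "No").lower() == "yes",
            })
        elif "Hooked Function" in rec:
            hooks.append({
                "function": rec["Hooked Function"],
                "at": int(rec["At Address"], 16),
                "target": int(rec["Jump To"], 16),
                "claimed": rec["Module Name"],
            })
    return modules, hooks


def owning_module(addr, modules):
    """The loaded module whose [base, end) range contains addr, or None."""
    for mod in modules:
        if mod["base"] <= addr < mod["end"]:
            return mod
    return None


def classify_hooks(text):
    """Map each hooked function to one verdict:
       'attributed'   - target lies inside the visible module the report names
       'mismatch'     - target lies inside a different module than the one claimed
       'hidden'       - target lies inside a module RootRepeal marked Hidden: Yes
       'unattributed' - target lies outside every loaded module (pool or unlinked code)
    """
    modules, hooks = parse_report(text)
    verdicts = {}
    for hook in hooks:
        mod = owning_module(hook["target"], modules)
        if mod is None:
            verdict = "unattributed"
        elif mod["hidden"]:
            verdict = "hidden"
        elif mod["path"].lower() != hook["claimed"].lower():
            verdict = "mismatch"
        else:
            verdict = "attributed"
        verdicts[hook["function"]] = verdict
    return verdicts


def flagged_functions(text):
    """Hooked functions that need follow-up: anything not cleanly attributed."""
    return sorted(f for f, v in classify_hooks(text).items() if v != "attributed")


if __name__ == "__main__":
    for func, verdict in classify_hooks(REPORT).items():
        print(f"{func:<28} {verdict}")
```

Run against the full saved report, the script reproduces RootRepeal's own split: every hook jumping into the mfehidk.sys range comes back attributed, and the ZwSaveKey, ZwSaveKeyEx, ZwFlushInstructionCache, ZwEnumerateKey, PsGetProcess*, IofCallDriver and IofCompleteRequest hooks come back unattributed because no listed module covers their targets. The two hidden dump_* drivers are the crash-dump stack Windows itself loads, which is why the check treats "hidden" as a separate verdict to review rather than an automatic conviction.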

#7 hammerman
Member, 4,183 posts
Hello,

Is this related to the NTOSKRNL-HOOK trojan, or is it something else entirely?


Yes, they are related.

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**
  • If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".
  • During the download, rename Combofix to Combo-Fix as follows:
  • It is important you rename Combofix during the download, but not after.
  • Please do not rename Combofix to other names, but only to the one indicated.
  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on Combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\Combo-Fix.txt" for further review.
**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**

#8 tgshaw
Topic Starter, Member, 12 posts
Here's my log from ComboFix. One possible problem is that McAfee was set to come back on at reboot - I didn't realize ComboFix would need to reboot the computer even before it did a scan (it needed to download a Microsoft Recovery Console). So McAfee was running during the scan. A window popped up saying it had quarantined a virus. Can you tell from the log whether I need to run ComboFix again? I can set the McAfee reactivation to "never". -- I thought about just running it again to be sure, but I don't know the significance of the virus that McAfee quarantined, i.e., whether it's part of ComboFix.

ETA: Something that seems odd to me - maybe just because I don't understand it - is the list of Firefox plug-ins. I use Firefox, but I've **never** knowingly downloaded a plug-in. I'm pretty careful about what I download from anywhere online.

ETAx2: After using ComboFix (results being the following log), I did a McAfee scan and it came up with one trojan, which it quarantined (Artemis!FEED43C9EA24). After that, I did a second scan and it came up clean. Does that mean everything's okay -- or not?

Thanks.
____________

ComboFix 09-09-25.01 - Owner 09/26/2009 10:49.1.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.502.191 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\Combo-Fix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
* Created a new restore point
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Owner\My Documents\ZbThumbnail.info
c:\program files\update.exe
c:\program files\WinPCap
c:\program files\WinPCap\rpcapd.exe
c:\recycler\S-1-5-21-3567101909-1873327289-937637500-1003
c:\recycler\S-1-5-21-607596077-1373116870-870251531-1003
c:\recycler\S-1-5-21-870827304-736682203-2654022710-1003
c:\windows\Installer\1763a.msi
c:\windows\Installer\393ac89.msp
c:\windows\Installer\393ac8c.msp
c:\windows\Installer\e6b6.msp
c:\windows\system32\drivers\kbiwkmfvuuylwh.sys
c:\windows\system32\drivers\npf.sys
c:\windows\system32\kbiwkmcnqgwqeo.dll
c:\windows\system32\kbiwkmkurdxxxs.dat
c:\windows\system32\kbiwkmqeecfubq.dll
c:\windows\system32\kbiwkmtqlwoygt.dat
c:\windows\system32\kbiwkmtuunmoej.dll
c:\windows\system32\kbiwkmvjnwrkcx.dll
c:\windows\system32\kbiwkmwkfjpiem.dll
c:\windows\system32\Packet.dll
c:\windows\system32\pthreadVC.dll
c:\windows\system32\WanPacket.dll
c:\windows\system32\wpcap.dll
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_kbiwkmarjuejxt
-------\Legacy_kbiwkmarjuejxt
-------\Legacy_NPF
-------\Service_npf


((((((((((((((((((((((((( Files Created from 2009-08-26 to 2009-09-26 )))))))))))))))))))))))))))))))
.

2009-09-25 03:20 . 2009-09-25 03:20 514560 ----a-w- c:\program files\OTS.exe
2009-09-20 19:19 . 2009-09-20 19:19 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\ApplicationHistory
2009-09-19 02:23 . 2009-09-19 02:23 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2009-09-19 02:23 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-19 02:22 . 2009-09-19 02:23 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-19 02:22 . 2009-09-19 02:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-19 02:22 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-19 02:18 . 2009-09-19 02:18 4045536 ----a-w- c:\program files\mbam-setup.exe
2009-09-19 02:17 . 2009-09-19 02:17 791393 ----a-w- c:\program files\erunt_setup.exe
2009-09-19 02:15 . 2009-09-19 02:15 21504 ----a-w- c:\program files\SysRestorePoint.exe
2009-09-19 02:11 . 2009-09-19 02:11 0 ----a-w- c:\program files\settings.dat
2009-09-19 01:51 . 2009-09-19 01:51 472064 ----a-w- c:\program files\RootRepeal.exe
2009-09-18 19:44 . 2009-09-18 19:55 -------- d-----w- c:\windows\SxsCaPendDel
2009-09-18 19:13 . 2004-08-04 19:00 31744 -c--a-w- c:\windows\system32\dllcache\fxsroute.dll
2009-09-18 19:13 . 2004-08-04 19:00 31744 ----a-w- c:\windows\system32\fxsroute.dll
2009-09-18 19:13 . 2004-08-04 19:00 132608 -c--a-w- c:\windows\system32\dllcache\fxsclntr.dll
2009-09-18 19:13 . 2004-08-04 19:00 132608 ----a-w- c:\windows\system32\fxsclntR.dll
2009-09-18 19:13 . 2004-08-04 19:00 11264 -c--a-w- c:\windows\system32\dllcache\fxssend.exe
2009-09-18 19:13 . 2004-08-04 19:00 11264 ----a-w- c:\windows\system32\fxssend.exe
2009-09-18 19:13 . 2004-08-04 19:00 111104 -c--a-w- c:\windows\system32\dllcache\fxscfgwz.dll
2009-09-18 19:13 . 2004-08-04 19:00 111104 ----a-w- c:\windows\system32\fxscfgwz.dll
2009-09-09 03:40 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-25 12:28 . 2005-05-15 19:02 -------- d-----w- c:\program files\Common Files\EarthLink
2009-09-23 11:55 . 2005-03-06 15:08 4632 -c--a-w- c:\documents and settings\Owner\Application Data\wklnhst.dat
2009-09-22 02:14 . 2007-08-25 17:15 -------- d-----w- c:\documents and settings\All Users\Application Data\WinZip
2009-09-22 02:11 . 2007-07-08 02:54 -------- d-----w- c:\program files\CoffeeCup Software
2009-09-18 19:44 . 2005-05-14 20:17 -------- d-----w- c:\program files\Common Files\Adobe
2009-08-24 12:13 . 2005-05-15 16:33 -------- d-----w- c:\documents and settings\Owner\Application Data\McAfee
2009-08-24 12:13 . 2005-05-15 16:32 -------- d-----w- c:\program files\McAfee
2009-08-24 12:13 . 2004-11-17 14:23 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-08-22 16:12 . 2009-08-22 16:12 42 ----a-w- c:\program files\options.dat
2009-08-22 15:56 . 2009-08-22 15:56 -------- d-----w- c:\program files\DATA
2009-08-22 15:56 . 1999-01-07 02:31 29 ----a-w- c:\program files\OPT.BIN
2009-08-22 15:56 . 2009-08-22 15:56 -------- d-----w- c:\program files\scripts
2009-08-22 15:56 . 2009-08-22 15:56 -------- d-----w- c:\program files\Common Files\Borland Shared
2009-08-05 09:01 . 2004-08-26 16:12 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-17 19:01 . 2004-08-26 16:11 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-13 15:08 . 2004-08-26 16:12 286720 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-03 17:09 . 2004-08-26 16:12 915456 ----a-w- c:\windows\system32\wininet.dll
2008-10-15 20:38 . 2008-10-15 20:38 346930 ----a-w- c:\program files\Deluxe.chm
2008-10-15 20:31 . 2008-10-15 20:31 2202112 ----a-w- c:\program files\MANUAL.DOC
2008-10-04 13:47 . 2008-10-04 13:47 600329 -c--a-w- c:\program files\gallery2_2_4.zip
2008-10-04 13:46 . 2008-10-04 13:46 1193262 -c--a-w- c:\program files\blog1_4_2.zip
2008-10-04 13:44 . 2008-10-04 13:44 6483761 -c--a-w- c:\program files\board2_3_6.zip
2008-09-17 21:36 . 2009-08-22 16:12 3444 ----a-w- c:\program files\a.htm
2008-09-17 21:36 . 2008-09-17 21:36 3444 ----a-w- c:\program files\PRIMA.HTM
2008-09-17 19:13 . 2008-09-17 19:13 4213760 ----a-w- c:\program files\DELUXE.EXE
2008-09-12 21:06 . 2008-09-12 21:06 1640960 ----a-w- c:\program files\DESIGNER.EXE
2008-05-14 21:21 . 2008-05-14 21:21 4002904 -c--a-w- c:\program files\pcshowbuzz10.exe
2008-03-26 03:08 . 2008-02-21 20:24 2249 ----a-w- c:\program files\fractal.ini
2007-11-27 01:37 . 2007-11-27 01:37 5 ----a-w- c:\program files\DELUXE.TXT
2007-08-25 17:11 . 2007-08-25 17:11 9479520 -c--a-w- c:\program files\winzip111.exe
2007-07-11 22:10 . 2007-07-11 22:10 478720 ----a-w- c:\program files\bdesetup.exe
2006-07-06 23:46 . 2006-07-06 23:46 465 ----a-w- c:\program files\MASTER.DBF
2006-07-06 23:46 . 2006-07-06 23:46 4096 ----a-w- c:\program files\MASTER.MDX
2006-04-11 17:46 . 2006-04-11 17:46 143 ----a-w- c:\program files\NET.TXT
2005-10-17 01:16 . 2005-10-17 01:16 1601 ----a-w- c:\program files\idapi32_cfg.dlx
2005-01-29 21:36 . 2005-01-29 21:36 3799040 -c--a-w- c:\program files\fe.exe
2005-01-29 21:34 . 2005-01-29 21:34 631 ----a-w- c:\program files\fe.exe.manifest
2005-01-29 21:27 . 2005-01-29 21:27 39552 -c--a-w- c:\program files\HistoryE.txt
2005-01-29 20:44 . 2005-01-29 20:44 2775 -c--a-w- c:\program files\file_id.diz
2005-01-13 05:03 . 2005-01-13 05:03 46196 ----a-w- c:\program files\compiler.htm
2005-01-13 04:56 . 2005-01-13 04:56 48161 -c--a-w- c:\program files\Complex.pas
2004-09-27 03:31 . 2004-09-27 03:31 4716 -c--a-w- c:\program files\fe.css
2004-07-26 02:56 . 2004-07-26 02:56 6560 -c--a-w- c:\program files\ComplexQ.pas
2003-05-01 02:40 . 2003-05-01 02:40 739 -c--a-w- c:\program files\_Default.frp
2001-08-19 19:27 . 2001-08-19 19:27 32768 -c--a-w- c:\program files\FEParser.exe
1999-03-05 21:45 . 1999-03-05 21:45 6694 ----a-w- c:\program files\HINTS.TXT
1999-03-03 23:34 . 1999-03-03 23:34 61 ----a-w- c:\program files\PRG.BIN
1998-01-30 20:45 . 1998-01-30 20:45 1468 ----a-w- c:\program files\IMPORTNT.TXT
1997-10-07 18:09 . 1997-10-07 18:09 401408 ----a-w- c:\program files\CRDE96V1.DLL
1997-05-09 18:02 . 1997-05-09 18:02 1848 ----a-w- c:\program files\LICENSE.TXT
1997-05-08 20:42 . 1997-05-08 20:42 21892 ----a-w- c:\program files\AV_EU.INI
1997-04-14 22:54 . 1997-04-14 22:54 25719 ----a-w- c:\program files\AV_NA.INI
1997-03-11 00:11 . 1997-03-11 00:11 46576 ----a-w- c:\program files\AWMODEM.INI
1996-07-13 16:13 . 1996-07-13 16:13 66 ----a-w- c:\program files\LIST.DBF
1996-07-13 16:13 . 1996-07-13 16:13 4096 ----a-w- c:\program files\LIST.MDX
2002-08-01 00:55 . 2007-07-23 02:03 104 -csh--w- c:\windows\WSYS049.SYS
2005-05-23 12:34 . 2005-05-23 12:34 0 -csha-w- c:\windows\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"MoneyAgent"="c:\program files\Microsoft Money\System\mnyexpr.exe" [2003-06-18 200704]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"E6TaskPanel"="c:\program files\EarthLink TotalAccess\TaskPanl.exe" [2005-09-01 942080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-13 212992]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-11-01 32768]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-08-20 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-08-20 118784]
"SunKistEM"="c:\program files\Digital Media Reader\shwiconem.exe" [2004-10-18 135168]
"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2003-06-07 50688]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2004-11-17 98304]
"OpwareSE2"="c:\program files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 49152]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-01-09 645328]
"IPInSightMonitor 01"="c:\program files\EarthLink TotalAccess\FastLane2\IPMon32.exe" [2005-08-11 122880]
"IPInSightLAN 01"="c:\program files\EarthLink TotalAccess\FastLane2\IPClient.exe" [2005-08-11 380928]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" - c:\windows\system32\Hdaudpropshortcut.exe [2004-03-17 61952]
"CHotkey"="zHotkey.exe" - c:\windows\zHotkey.exe [2004-05-18 543232]
"ShowWnd"="ShowWnd.exe" - c:\windows\ShowWnd.exe [2003-09-19 36864]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2004-09-24 77824]
"AlcWzrd"="ALCWZRD.EXE" - c:\windows\ALCWZRD.EXE [2004-09-25 2559488]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2008-12-19 76304]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2008-12-19 76304]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-5-10 809488]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2008-9-23 415072]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2009-02-19 05:30 72208 ----a-w- c:\program files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\GlobalSCAPE\\CuteSITE Builder\\program\\csb.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8097:TCP"= 8097:TCP:EarthLink UHP Modem Support

R2 EarthLinkMonitor;EarthLink Monitor Service;c:\program files\EarthLink TotalAccess\WENGINE\wmonitor.exe [1/26/2005 11:47 AM 65604]
S3 BW2NDIS5;BW2NDIS5;c:\windows\system32\drivers\BW2NDIS5.SYS [11/1/2004 2:16 PM 17536]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-09-15 c:\windows\Tasks\McDefragTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-01-23 16:53]

2009-09-01 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-01-23 16:53]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://start.earthlink.net/
uDefault_Search_URL = hxxp://www.earthlink.net/partner/more/msie/button/search.html
uInternet Connection Wizard,ShellNext = hxxp://www.gateway.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
IE: EarthLink Google Search - c:\program files\EarthLink TotalAccess\Toolbar\SearchUI.dll/search.html
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
LSP: c:\program files\EarthLink TotalAccess\Accelerator\prplsf.dll
Trusted Zone: internet
Trusted Zone: mcafee.com
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\dj6fmni2.default\
FF - prefs.js: browser.search.selectedEngine - Live Search
FF - prefs.js: browser.startup.homepage - hxxp://start.earthlink.net/
FF - prefs.js: network.proxy.type - 1
FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPJava11.dll
FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPJava12.dll
FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPJava13.dll
FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPJava14.dll
FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPJava32.dll
FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPJPI142.dll
FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPOJI610.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
HKCU-Run-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-26 11:00
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(712)
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
c:\program files\common files\logitech\bluetooth\LBTServ.dll

- - - - - - - > 'lsass.exe'(768)
c:\program files\EarthLink TotalAccess\Accelerator\prplsf.dll

- - - - - - - > 'explorer.exe'(1076)
c:\windows\system32\WININET.dll
c:\program files\ScanSoft\OmniPageSE2.0\ophookSE2.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.163_x-ww_681e29fb\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\program files\Common Files\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Canon\CAL\CALMAIN.exe
.
**************************************************************************
.
Completion time: 2009-09-26 11:04 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-26 16:04

Pre-Run: 173,288,357,888 bytes free
Post-Run: 173,222,944,768 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

286 --- E O F --- 2009-09-09 08:02

Edited by tgshaw, 26 September 2009 - 01:14 PM.

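An added example, not part of the thread and not ComboFix's own code: a small Python script that parses the persistence-related sections of a ComboFix log of the shape posted above and cross-references the modules loaded inside winlogon.exe and lsass.exe with the mechanisms the log itself reports (Winlogon Notify packages, Winsock LSPs). It also lists Security Center registrations whose DisableMonitoring value is set. SAMPLE_LOG is an excerpt assembled from lines in the log above; the function names, the SENSITIVE tuple and the verdict strings are my own choices, and the script only knows about the two mechanisms it parses.

```python
"""Triage helpers for the persistence sections of a ComboFix log.

Added example, not ComboFix's code. SAMPLE_LOG is an excerpt assembled
from the ComboFix output posted in the thread above.
"""
import re

SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2009-02-19 05:30 72208 ----a-w- c:\program files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

LSP: c:\program files\EarthLink TotalAccess\Accelerator\prplsf.dll
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(712)
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
c:\program files\common files\logitech\bluetooth\LBTServ.dll

- - - - - - - > 'lsass.exe'(768)
c:\program files\EarthLink TotalAccess\Accelerator\prplsf.dll

- - - - - - - > 'explorer.exe'(1076)
c:\windows\system32\WININET.dll
c:\program files\ScanSoft\OmniPageSE2.0\ophookSE2.dll
.
"""

# Winlogon Notify key followed by ComboFix's "date time size attrs path" line.
NOTIFY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt\\currentversion"
    r"\\winlogon\\notify\\[^\]]+\]\n\S+ \S+ \d+ \S+ (?P<path>.+)$",
    re.IGNORECASE | re.MULTILINE,
)
# Security Center product registration and its DisableMonitoring value.
SECCENTER_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center\\Monitoring"
    r'\\(?P<product>[^\]]+)\]\n"DisableMonitoring"=dword:(?P<val>[0-9a-f]{8})$',
    re.IGNORECASE | re.MULTILINE,
)
LSP_RE = re.compile(r"^LSP: (?P<path>.+)$", re.MULTILINE)
PROC_HDR_RE = re.compile(r"^(?:- )+> '(?P<proc>[^']+)'\((?P<pid>\d+)\)\s*$")
DLL_SECTION = "DLLs Loaded Under Running Processes"
SENSITIVE = ("winlogon.exe", "lsass.exe")  # processes worth a closer look


def winlogon_notify_dlls(log):
    """Paths registered as Winlogon Notify packages (loaded by winlogon.exe)."""
    return [m.group("path").strip() for m in NOTIFY_RE.finditer(log)]


def lsp_entries(log):
    """Winsock LSPs; these get loaded into every process that uses Winsock."""
    return [m.group("path").strip() for m in LSP_RE.finditer(log)]


def security_center_disabled(log):
    """Products whose Security Center registration has DisableMonitoring set."""
    return [m.group("product") for m in SECCENTER_RE.finditer(log)
            if int(m.group("val"), 16) != 0]


def dlls_by_process(log):
    """Parse the per-process module list into {process name: [dll paths]}."""
    loaded, current, in_section = {}, None, False
    for line in log.splitlines():
        if DLL_SECTION in line:
            in_section = True
            continue
        if not in_section:
            continue
        hdr = PROC_HDR_RE.match(line)
        if hdr:
            current = hdr.group("proc").lower()
            loaded.setdefault(current, [])
        elif current and re.match(r"[a-z]:\\", line, re.IGNORECASE):
            loaded[current].append(line.strip())
        elif line.strip() == ".":
            break  # ComboFix closes each section with a lone '.'
    return loaded


def explain_loaded_dlls(log, processes=SENSITIVE):
    """Map each DLL inside a sensitive process to the reported mechanism that
    accounts for it, or None when nothing parsed from the log explains it."""
    notify = {p.lower() for p in winlogon_notify_dlls(log)}
    lsps = {p.lower() for p in lsp_entries(log)}
    verdicts = {}
    for proc, dlls in dlls_by_process(log).items():
        if proc not in processes:
            continue
        for dll in dlls:
            key = dll.lower()
            if key.startswith("c:\\windows\\system32\\"):
                why = "OS directory (verify the file separately)"
            elif key in notify:
                why = "Winlogon Notify package"
            elif key in lsps:
                why = "Winsock LSP"
            else:
                why = None
            verdicts[(proc, dll)] = why
    return verdicts


def unexplained(log):
    """DLLs in sensitive processes that no parsed mechanism accounts for."""
    return sorted(dll for (_, dll), why in explain_loaded_dlls(log).items()
                  if why is None)


if __name__ == "__main__":
    for (proc, dll), why in explain_loaded_dlls(SAMPLE_LOG).items():
        print(f"{proc:13} {why or 'UNEXPLAINED - check publisher/signature':42} {dll}")
    print("DisableMonitoring set by:", security_center_disabled(SAMPLE_LOG))
```

Run against the excerpt, every module in winlogon.exe and lsass.exe is accounted for except LBTServ.dll, which the script reports. That is a prompt to check the file's publisher and signature, not a verdict: a load that is "explained" by a registry entry is only as trustworthy as the registered file, and an unexplained one may simply be a dependency of an explained one. Likewise, the DisableMonitoring value is what third-party suites set when they report their own status to Security Center, so confirm it belongs to the installed product rather than assuming either way.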

#9 hammerman (Member, 4,183 posts)
Hello,

The plugins are for Java (quite normal) and Viewpoint. Viewpoint is considered foistware and you can uninstall this if you wish. There is an article about it here. If you decide to remove Viewpoint, then uninstall the following (if they exist) using Add or Remove Programs.

Viewpoint, Viewpoint Manager, Viewpoint Media Player

Please follow these steps.

-- Step 1 --

Download TFC to your desktop
  • Open the file and close any other windows.
  • It will close all programs itself when run, make sure to let it run uninterrupted.
  • Click the Start button to begin the process. The program should not take long to finish its job.
  • Once it's finished it should reboot your machine; if not, do this yourself to ensure a complete clean.

-- Step 2 --

Please download JavaRa to your desktop and unzip it to its own folder
  • Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions.
  • Accept any prompts.
  • Open JavaRa.exe again and select Search For Updates.
  • Select Update Using Sun Java's Website, then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.

-- Step 3 --

Run Malwarebytes' Anti-Malware.
  • Select the Update tab and then click Check for Updates. If an update is found, it will download and install the latest version.
  • Select the Scanner tab, select "Perform full scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note.)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

-- Step 4 --
  • Download OTL to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows. OTListIt.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply. You may need two posts to fit them all in.


#10 tgshaw (Topic Starter, 12 posts)
Thanks.

Is all of this just for removing Viewpoint, or do I still have other problems?


#11 hammerman (Member, 4,183 posts)
Hi,

We are still in the process of making sure your computer is clean. Those steps have nothing to do with Viewpoint. Removing Viewpoint is completely optional and your decision.

When you reply with the logs, can you give me an update on how your computer's running?

#12 tgshaw (Topic Starter, 12 posts)
Here's the Malwarebytes log:

Malwarebytes' Anti-Malware 1.41
Database version: 2866
Windows 5.1.2600 Service Pack 3

9/27/2009 7:34:35 PM
mbam-log-2009-09-27 (19-34-35).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 232643
Time elapsed: 1 hour(s), 6 minute(s), 59 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1491\A0109549.sys (Rootkit.TDSS) -> Quarantined and deleted successfully.

_________________

I only see one log for OTL. Here it is:

OTS logfile created on: 9/27/2009 7:42:44 PM - Run 2
OTS by OldTimer - Version 3.0.12.1	 Folder = C:\Documents and Settings\Owner\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
 
501.71 Mb Total Physical Memory | 181.61 Mb Available Physical Memory | 36.20% Memory free
1.20 Gb Paging File | 0.86 Gb Available in Paging File | 71.68% Paging File free
Paging file location(s): C:\pagefile.sys 756 1512 [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 182.07 Gb Total Space | 161.35 Gb Free Space | 88.62% Space Free | Partition Type: NTFS
Drive D: | 4.23 Gb Total Space | 1.68 Gb Free Space | 39.77% Space Free | Partition Type: FAT32
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
 
Computer Name: YOUR-E0A65F95D4
Current User Name: Owner
Logged in as Administrator.
 
Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: Off
File Age = 30 Days
 
[Processes - Safe List]
alcwzrd.exe -> C:\WINDOWS\ALCWZRD.EXE -> [2004/09/24 21:06:46 | 02,559,488 | ---- | M] (RealTek Semicoductor Corp.)
calmain.exe -> C:\Program Files\Canon\CAL\CALMAIN.exe -> [2005/06/02 16:54:34 | 00,086,606 | ---- | M] (Canon Inc.)
explorer.exe -> C:\WINDOWS\Explorer.EXE -> [2008/04/13 19:12:19 | 01,033,728 | ---- | M] (Microsoft Corporation)
hkcmd.exe -> C:\WINDOWS\System32\hkcmd.exe -> [2004/08/20 18:51:14 | 00,118,784 | ---- | M] (Intel Corporation)
igfxtray.exe -> C:\WINDOWS\System32\igfxtray.exe -> [2004/08/20 18:55:14 | 00,155,648 | ---- | M] (Intel Corporation)
ipclient.exe -> C:\Program Files\EarthLink TotalAccess\FastLane2\IPClient.exe -> [2005/08/10 22:10:36 | 00,380,928 | R--- | M] (Visual Networks)
ipmon32.exe -> C:\Program Files\EarthLink TotalAccess\FastLane2\IPMon32.exe -> [2005/08/10 22:10:36 | 00,122,880 | R--- | M] (Visual Networks)
khalmnpr.exe -> C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE -> [2009/02/19 00:28:52 | 00,076,304 | ---- | M] (Logitech, Inc.)
lexbces.exe -> C:\WINDOWS\System32\LEXBCES.EXE -> [2003/08/29 08:54:16 | 00,307,200 | ---- | M] (Lexmark International, Inc.)
lexpps.exe -> C:\WINDOWS\System32\LEXPPS.EXE -> [2003/08/29 08:50:24 | 00,174,592 | ---- | M] (Lexmark International, Inc.)
mcagent.exe -> C:\Program Files\McAfee.com\Agent\mcagent.exe -> [2009/01/08 21:30:26 | 00,645,328 | ---- | M] (McAfee, Inc.)
mcmscsvc.exe -> C:\Program Files\McAfee\MSC\mcmscsvc.exe -> [2009/01/08 21:30:26 | 00,797,864 | ---- | M] (McAfee, Inc.)
mcnasvc.exe -> c:\program files\common files\mcafee\mna\mcnasvc.exe -> [2009/01/09 12:31:16 | 02,482,848 | ---- | M] (McAfee, Inc.)
mcproxy.exe -> c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe -> [2009/01/09 09:06:52 | 00,359,952 | ---- | M] (McAfee, Inc.)
mcshield.exe -> C:\Program Files\McAfee\VirusScan\Mcshield.exe -> [2009/03/25 11:05:48 | 00,144,704 | ---- | M] (McAfee, Inc.)
mcsysmon.exe -> C:\Program Files\McAfee\VirusScan\mcsysmon.exe -> [2009/03/24 00:03:18 | 00,606,736 | ---- | M] (McAfee, Inc.)
mdm.exe -> C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE -> [2003/06/20 00:25:00 | 00,322,120 | ---- | M] (Microsoft Corporation)
msmsgs.exe -> C:\Program Files\Messenger\msmsgs.exe -> [2008/04/13 19:12:28 | 01,695,232 | ---- | M] (Microsoft Corporation)
opwarese2.exe -> C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe -> [2003/05/08 12:00:58 | 00,049,152 | ---- | M] (ScanSoft, Inc.)
ots.exe -> C:\Documents and Settings\Owner\Desktop\OTS.exe -> [2009/09/24 22:22:54 | 00,514,560 | ---- | M] (OldTimer Tools)
pdvdserv.exe -> C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe -> [2003/10/31 22:42:40 | 00,032,768 | ---- | M] (Cyberlink Corp.)
prismxl.sys -> C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS -> [2004/11/17 09:19:53 | 00,172,032 | ---- | M] (New Boundary Technologies, Inc.)
qttask.exe -> C:\Program Files\QuickTime\qttask.exe -> [2004/11/17 09:17:35 | 00,098,304 | ---- | M] (Apple Computer, Inc.)
setpoint.exe -> C:\Program Files\Logitech\SetPoint\SetPoint.exe -> [2009/02/19 00:33:08 | 00,809,488 | ---- | M] (Logitech, Inc.)
shwiconem.exe -> C:\Program Files\Digital Media Reader\shwiconem.exe -> [2004/10/18 17:05:12 | 00,135,168 | ---- | M] (Alcor Micro, Corp.)
soundman.exe -> C:\WINDOWS\SOUNDMAN.EXE -> [2004/09/23 22:27:18 | 00,077,824 | ---- | M] (Realtek Semiconductor Corp.)
taskpanl.exe -> C:\Program Files\EarthLink TotalAccess\TaskPanl.exe -> [2005/09/01 17:24:56 | 00,942,080 | ---- | M] (EarthLink, Inc.)
wdfmgr.exe -> C:\WINDOWS\System32\wdfmgr.exe -> [2004/08/11 04:45:04 | 00,038,912 | ---- | M] (Microsoft Corporation)
wkufind.exe -> C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe -> [2003/06/07 06:32:32 | 00,050,688 | ---- | M] (Microsoft® Corporation)
wmonitor.exe -> C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe -> [2005/01/26 11:47:42 | 00,065,604 | ---- | M] (Boingo Wireless, Inc.)
wzqkpick.exe -> C:\Program Files\WinZip\WZQKPICK.EXE -> [2008/09/23 11:20:00 | 00,415,072 | R--- | M] (WinZip Computing, S.L.)
zhotkey.exe -> C:\WINDOWS\zHotkey.exe -> [2004/05/17 21:30:04 | 00,543,232 | ---- | M] ()
 
[Win32 Services - Safe List]
(aspnet_state) ASP.NET State Service [Win32_Own | On_Demand | Stopped] -> C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe -> [2004/07/15 02:49:26 | 00,032,768 | ---- | M] (Microsoft Corporation)
(CCALib8) Canon Camera Access Library 8 [Win32_Own | Auto | Running] -> C:\Program Files\Canon\CAL\CALMAIN.exe -> [2005/06/02 16:54:34 | 00,086,606 | ---- | M] (Canon Inc.)
(EarthLinkMonitor) EarthLink Monitor Service [Win32_Own | Auto | Running] -> C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe -> [2005/01/26 11:47:42 | 00,065,604 | ---- | M] (Boingo Wireless, Inc.)
(helpsvc) Help and Support [Win32_Shared | Auto | Running] -> C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll -> [2008/04/13 19:12:02 | 00,038,400 | ---- | M] (Microsoft Corporation)
(LBTServ) Logitech Bluetooth Service [Win32_Own | On_Demand | Stopped] -> C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe -> [2009/02/19 00:30:20 | 00,121,360 | ---- | M] (Logitech, Inc.)
(LexBceS) LexBce Server [Win32_Own | Auto | Running] -> C:\WINDOWS\System32\LEXBCES.EXE -> [2003/08/29 08:54:16 | 00,307,200 | ---- | M] (Lexmark International, Inc.)
(mcmscsvc) McAfee Services [Win32_Own | Auto | Running] -> C:\Program Files\McAfee\MSC\mcmscsvc.exe -> [2009/01/08 21:30:26 | 00,797,864 | ---- | M] (McAfee, Inc.)
(McNASvc) McAfee Network Agent [Win32_Own | Auto | Running] -> c:\program files\common files\mcafee\mna\mcnasvc.exe -> [2009/01/09 12:31:16 | 02,482,848 | ---- | M] (McAfee, Inc.)
(McODS) McAfee Scanner [Win32_Own | On_Demand | Stopped] -> C:\Program Files\McAfee\VirusScan\mcods.exe -> [2009/04/01 14:21:30 | 00,365,072 | ---- | M] (McAfee, Inc.)
(McProxy) McAfee Proxy Service [Win32_Own | Auto | Running] -> c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe -> [2009/01/09 09:06:52 | 00,359,952 | ---- | M] (McAfee, Inc.)
(McShield) McAfee Real-time Scanner [Win32_Own | Unknown | Running] -> C:\Program Files\McAfee\VirusScan\Mcshield.exe -> [2009/03/25 11:05:48 | 00,144,704 | ---- | M] (McAfee, Inc.)
(McSysmon) McAfee SystemGuards [Win32_Own | On_Demand | Running] -> C:\Program Files\McAfee\VirusScan\mcsysmon.exe -> [2009/03/24 00:03:18 | 00,606,736 | ---- | M] (McAfee, Inc.)
(MDM) Machine Debug Manager [Win32_Own | Auto | Running] -> C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE -> [2003/06/20 00:25:00 | 00,322,120 | ---- | M] (Microsoft Corporation)
(ose) Office Source Engine [Win32_Own | On_Demand | Stopped] -> C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -> [2003/07/28 13:28:22 | 00,089,136 | ---- | M] (Microsoft Corporation)
(PrismXL) PrismXL [Win32_Own | Auto | Running] -> C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS -> [2004/11/17 09:19:53 | 00,172,032 | ---- | M] (New Boundary Technologies, Inc.)
(UMWdf) Windows User Mode Driver Framework [Win32_Own | Auto | Running] -> C:\WINDOWS\System32\wdfmgr.exe -> [2004/08/11 04:45:04 | 00,038,912 | ---- | M] (Microsoft Corporation)
 
[Driver Services - Safe List]
(AliIde) AliIde [Kernel | Boot | Running] -> C:\WINDOWS\system32\DRIVERS\aliide.sys -> [2001/08/17 22:51:56 | 00,005,248 | ---- | M] (Acer Laboratories Inc.)
(amdagp) AMD AGP Bus Filter Driver [Kernel | Boot | Running] -> C:\WINDOWS\system32\DRIVERS\amdagp.sys -> [2008/04/13 13:36:39 | 00,043,008 | ---- | M] (Advanced Micro Devices, Inc.)
(asc) asc [Kernel | Boot | Running] -> C:\WINDOWS\system32\DRIVERS\asc.sys -> [2001/08/17 22:52:00 | 00,026,496 | ---- | M] (Advanced System Products, Inc.)
(asc3550) asc3550 [Kernel | Boot | Running] -> C:\WINDOWS\system32\DRIVERS\asc3550.sys -> [2001/08/17 22:51:58 | 00,014,848 | ---- | M] (Advanced System Products, Inc.)
(ASCTRM) ASCTRM [Kernel | Auto | Running] -> C:\WINDOWS\System32\drivers\asctrm.sys -> [2004/11/17 09:17:06 | 00,008,552 | ---- | M] (Windows (R) 2000 DDK provider)
(BW2NDIS5) BW2NDIS5 [Kernel | On_Demand | Stopped] -> C:\WINDOWS\System32\Drivers\BW2NDIS5.sys -> [2004/11/01 14:16:34 | 00,017,536 | R--- | M] (Printing Communications Assoc., Inc. (PCAUSA))
(CmdIde) CmdIde [Kernel | Boot | Running] -> C:\WINDOWS\system32\DRIVERS\cmdide.sys -> [2001/08/17 22:51:54 | 00,006,656 | ---- | M] (CMD Technology, Inc.)
(dac2w2k) dac2w2k [Kernel | Boot | Running] -> C:\WINDOWS\system32\DRIVERS\dac2w2k.sys -> [2001/08/17 22:52:16 | 00,179,584 | ---- | M] (Mylex Corporation)
(E100B) Intel(R) PRO Adapter Driver [Kernel | On_Demand | Running] -> C:\WINDOWS\System32\DRIVERS\e100b325.sys -> [2004/02/10 16:49:14 | 00,154,112 | ---- | M] (Intel Corporation)
(ENUM1394) %1394\031887&040892.DeviceDesc% [Kernel | On_Demand | Stopped] -> C:\WINDOWS\System32\DRIVERS\enum1394.sys -> [2001/08/17 16:46:40 | 00,006,400 | ---- | M] (Microsoft Corporation)
(HdAudAddService) Microsoft UAA Function Driver for High Definition Audio Service [Kernel | On_Demand | Stopped] -> C:\WINDOWS\System32\drivers\HdAudio.sys -> [2004/03/17 18:10:40 | 00,113,664 | ---- | M] (Windows (R) Server 2003 DDK provider)
(HDAudBus) Microsoft UAA Bus Driver for High Definition Audio [Kernel | On_Demand | Running] -> C:\WINDOWS\System32\DRIVERS\HDAudBus.sys -> [2008/04/13 11:36:05 | 00,144,384 | ---- | M] (Windows (R) Server 2003 DDK provider)
(HSFHWBS2) HSFHWBS2 [Kernel | On_Demand | Running] -> C:\WINDOWS\System32\DRIVERS\HSFHWBS2.sys -> [2004/06/17 17:56:22 | 00,220,032 | ---- | M] (Conexant Systems, Inc.)
(HSF_DP) HSF_DP [Kernel | On_Demand | Running] -> C:\WINDOWS\System32\DRIVERS\HSF_DP.sys -> [2004/06/17 17:55:04 | 01,041,536 | ---- | M] (Conexant Systems, Inc.)
(ialm) ialm [Kernel | On_Demand | Running] -> C:\WINDOWS\System32\DRIVERS\ialmnt5.sys -> [2004/08/20 19:26:00 | 00,737,874 | ---- | M] (Intel Corporation)
(IntcAzAudAddService) Service for Realtek HD Audio (WDM) [Kernel | On_Demand | Running] -> C:\WINDOWS\System32\drivers\RtkHDAud.sys -> [2004/09/24 21:14:40 | 02,276,672 | ---- | M] (Realtek Semiconductor Corp.)
(L8042Kbd) Logitech SetPoint Keyboard Driver [Kernel | On_Demand | Stopped] -> C:\WINDOWS\System32\DRIVERS\L8042Kbd.sys -> [2007/04/11 15:32:30 | 00,020,496 | ---- | M] (Logitech Inc.)
(L8042mou) SetPoint PS/2 Mouse Filter Driver [Kernel | On_Demand | Running] -> C:\WINDOWS\System32\DRIVERS\L8042mou.Sys -> [2008/12/18 23:43:12 | 00,063,248 | ---- | M] (Logitech, Inc.)
(LHidFilt) Logitech SetPoint KMDF HID Filter Driver [Kernel | On_Demand | Running] -> C:\WINDOWS\System32\DRIVERS\LHidFilt.Sys -> [2008/12/18 23:43:40 | 00,035,472 | ---- | M] (Logitech, Inc.)
(LMouKE) SetPoint Mouse Filter Driver [Kernel | On_Demand | Running] -> C:\WINDOWS\System32\DRIVERS\LMouKE.Sys -> [2008/12/18 23:43:54 | 00,079,248 | ---- | M] (Logitech, Inc.)
(mdmxsdk) mdmxsdk [Kernel | Auto | Running] -> C:\WINDOWS\System32\DRIVERS\mdmxsdk.sys -> [2004/03/17 14:04:14 | 00,013,059 | ---- | M] (Conexant)
(mfeavfk) McAfee Inc. mfeavfk [Kernel | On_Demand | Running] -> C:\WINDOWS\System32\drivers\mfeavfk.sys -> [2009/03/25 11:06:28 | 00,079,880 | ---- | M] (McAfee, Inc.)
(mfebopk) McAfee Inc. mfebopk [Kernel | On_Demand | Running] -> C:\WINDOWS\System32\drivers\mfebopk.sys -> [2009/03/25 11:06:28 | 00,035,272 | ---- | M] (McAfee, Inc.)
(mfehidk) McAfee Inc. mfehidk [Kernel | System | Running] -> C:\WINDOWS\System32\drivers\mfehidk.sys -> [2009/03/25 11:06:28 | 00,214,024 | ---- | M] (McAfee, Inc.)
(mferkdk) McAfee Inc. mferkdk [Kernel | On_Demand | Stopped] -> C:\WINDOWS\System32\drivers\mferkdk.sys -> [2009/03/25 11:05:54 | 00,034,216 | ---- | M] (McAfee, Inc.)
(mfesmfk) McAfee Inc. mfesmfk [Kernel | On_Demand | Running] -> C:\WINDOWS\System32\drivers\mfesmfk.sys -> [2009/03/25 11:06:30 | 00,040,552 | ---- | M] (McAfee, Inc.)
(MPFP) MPFP [Kernel | System | Running] -> C:\WINDOWS\System32\Drivers\Mpfp.sys -> [2008/10/23 14:08:54 | 00,120,136 | ---- | M] (McAfee, Inc.)
(mraid35x) mraid35x [Kernel | Boot | Running] -> C:\WINDOWS\system32\DRIVERS\mraid35x.sys -> [2001/08/17 22:52:12 | 00,017,280 | ---- | M] (American Megatrends Inc.)
(mxnic) Macronix MX987xx Family Fast Ethernet NT Driver [Kernel | On_Demand | Stopped] -> C:\WINDOWS\System32\DRIVERS\mxnic.sys -> [2001/08/17 15:49:32 | 00,019,968 | ---- | M] (Macronix International Co., Ltd.)
(nv) nv [Kernel | On_Demand | Stopped] -> C:\WINDOWS\System32\DRIVERS\nv4_mini.sys -> [2004/08/04 00:29:56 | 01,897,408 | ---- | M] (NVIDIA Corporation)
(Ptilink) Direct Parallel Link Driver [Kernel | On_Demand | Running] -> C:\WINDOWS\System32\DRIVERS\ptilink.sys -> [2004/08/04 14:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.)
(ql1080) ql1080 [Kernel | Boot | Running] -> C:\WINDOWS\system32\DRIVERS\ql1080.sys -> [2001/08/17 22:52:20 | 00,040,320 | ---- | M] (QLogic Corporation)
(ql12160) ql12160 [Kernel | Boot | Running] -> C:\WINDOWS\system32\DRIVERS\ql12160.sys -> [2001/08/17 22:52:20 | 00,045,312 | ---- | M] (QLogic Corporation)
(ql1280) ql1280 [Kernel | Boot | Running] -> C:\WINDOWS\system32\DRIVERS\ql1280.sys -> [2001/08/17 22:52:18 | 00,049,024 | ---- | M] (QLogic Corporation)
(Secdrv) Secdrv [Kernel | On_Demand | Stopped] -> C:\WINDOWS\System32\DRIVERS\secdrv.sys -> [2007/11/13 05:25:53 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.)
(sisagp) SIS AGP Bus Filter [Kernel | Boot | Running] -> C:\WINDOWS\system32\DRIVERS\sisagp.sys -> [2008/04/13 13:36:39 | 00,040,960 | ---- | M] (Silicon Integrated Systems Corporation)
(Sparrow) Sparrow [Kernel | Boot | Running] -> C:\WINDOWS\system32\DRIVERS\sparrow.sys -> [2001/08/17 23:07:44 | 00,019,072 | ---- | M] (Adaptec, Inc.)
(SunkFilt) Alcor Micro Corp - 9360 [Kernel | On_Demand | Stopped] -> C:\WINDOWS\System32\Drivers\sunkfilt.sys -> [2004/10/20 14:39:32 | 00,040,724 | ---- | M] (Alcor Micro Corp.)
(SunkFilt39) Alcor Micro Corp - 3239 [Kernel | On_Demand | Running] -> C:\WINDOWS\System32\Drivers\sunkfilt39.sys -> [2004/10/18 17:05:12 | 00,042,968 | ---- | M] (Alcor Micro Corp.)
(symc810) symc810 [Kernel | Boot | Running] -> C:\WINDOWS\system32\DRIVERS\symc810.sys -> [2001/08/17 23:07:34 | 00,016,256 | ---- | M] (Symbios Logic Inc.)
(symc8xx) symc8xx [Kernel | Boot | Running] -> C:\WINDOWS\system32\DRIVERS\symc8xx.sys -> [2001/08/17 23:07:36 | 00,032,640 | ---- | M] (LSI Logic)
(sym_hi) sym_hi [Kernel | Boot | Running] -> C:\WINDOWS\system32\DRIVERS\sym_hi.sys -> [2001/08/17 23:07:40 | 00,028,384 | ---- | M] (LSI Logic)
(sym_u3) sym_u3 [Kernel | Boot | Running] -> C:\WINDOWS\system32\DRIVERS\sym_u3.sys -> [2001/08/17 23:07:42 | 00,030,688 | ---- | M] (LSI Logic)
(ultra) ultra [Kernel | Boot | Running] -> C:\WINDOWS\system32\DRIVERS\ultra.sys -> [2001/08/17 22:52:22 | 00,036,736 | ---- | M] (Promise Technology, Inc.)
(winachsf) winachsf [Kernel | On_Demand | Running] -> C:\WINDOWS\System32\DRIVERS\HSF_CNXT.sys -> [2004/06/17 17:55:38 | 00,685,056 | ---- | M] (Conexant Systems, Inc.)
 
[Registry - Safe List]
< Internet Explorer Settings [HKEY_LOCAL_MACHINE\] > -> -> 
HKEY_LOCAL_MACHINE\: Main\\"Default_Page_URL" -> http://go.microsoft.com/fwlink/?LinkId=69157 -> 
HKEY_LOCAL_MACHINE\: Main\\"Default_Search_URL" -> http://go.microsoft.com/fwlink/?LinkId=54896 -> 
HKEY_LOCAL_MACHINE\: Main\\"Default_Secondary_Page_URL" ->  [binary data] -> 
HKEY_LOCAL_MACHINE\: Main\\"Extensions Off Page" -> about:NoAdd-ons -> 
HKEY_LOCAL_MACHINE\: Main\\"Local Page" -> C:\WINDOWS\system32\blank.htm -> 
HKEY_LOCAL_MACHINE\: Main\\"Search Page" -> http://go.microsoft.com/fwlink/?LinkId=54896 -> 
HKEY_LOCAL_MACHINE\: Main\\"Security Risk Page" -> about:SecurityRisk -> 
HKEY_LOCAL_MACHINE\: Main\\"Start Page" -> http://go.microsoft.com/fwlink/?LinkId=69157 -> 
HKEY_LOCAL_MACHINE\: Search\\"CustomizeSearch" -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm -> 
HKEY_LOCAL_MACHINE\: Search\\"SearchAssistant" -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm -> 
< Internet Explorer Settings [HKEY_CURRENT_USER\] > -> -> 
HKEY_CURRENT_USER\: Main\\"Default_Search_URL" -> http://www.earthlink.net/partner/more/msie/button/search.html -> 
HKEY_CURRENT_USER\: Main\\"Local Page" -> C:\WINDOWS\system32\blank.htm -> 
HKEY_CURRENT_USER\: Main\\"Page_Transitions" -> 1 -> 
HKEY_CURRENT_USER\: Main\\"Search Page" -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> 
HKEY_CURRENT_USER\: Main\\"Start Page" -> http://start.earthlink.net/ -> 
HKEY_CURRENT_USER\: URLSearchHooks\\"{44F9B173-041C-4825-A9B9-D914BD9DCBB3}" [HKLM] -> C:\Program Files\EarthLink TotalAccess\ElnIE.dll [SrchHook Class] -> [2005/09/20 16:09:10 | 00,069,632 | ---- | M] (EarthLink, Inc.)
HKEY_CURRENT_USER\: "ProxyEnable" -> 0 -> 
< FireFox Settings [Prefs.js] > -> C:\Documents and Settings\Owner\Application Data\Mozilla\FireFox\Profiles\dj6fmni2.default\prefs.js -> 
browser.search.selectedEngine -> "Live Search" ->
browser.search.useDBForOrder -> true ->
browser.startup.homepage -> "http://start.earthlink.net/" ->
extensions.enabledItems -> {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.5.3 ->
network.proxy.type -> 1 ->
< FireFox Extensions [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla
HKLM\software\mozilla\Firefox\Extensions ->  -> 
HKLM\software\mozilla\Mozilla Firefox 3.5.3\extensions ->  -> 
HKLM\software\mozilla\Mozilla Firefox 3.5.3\extensions\\Components -> C:\PROGRAM FILES\MOZILLA FIREFOX\COMPONENTS [C:\PROGRAM FILES\MOZILLA FIREFOX\COMPONENTS] -> [2009/09/10 18:46:23 | 00,000,000 | ---D | M]
HKLM\software\mozilla\Mozilla Firefox 3.5.3\extensions\\Plugins -> C:\PROGRAM FILES\MOZILLA FIREFOX\PLUGINS [C:\PROGRAM FILES\MOZILLA FIREFOX\PLUGINS] -> [2009/09/18 14:44:04 | 00,000,000 | ---D | M]
< FireFox Extensions [User Folders] > -> 
 -> C:\Documents and Settings\Owner\Application Data\mozilla\Extensions -> [2008/08/30 10:08:25 | 00,000,000 | ---D | M]
 -> C:\Documents and Settings\Owner\Application Data\mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384} -> [2008/08/30 10:08:25 | 00,000,000 | ---D | M]
 -> C:\Documents and Settings\Owner\Application Data\mozilla\Firefox\Profiles\dj6fmni2.default\extensions -> [2009/09/10 18:46:35 | 00,101,869 | ---- | M] ()
< FireFox SearchPlugins [User Folders] > -> 
C:\Documents and Settings\Owner\Application Data\Mozilla\FireFox\Profiles\dj6fmni2.default\searchplugins\ -> C:\Documents and Settings\Owner\Application Data\Mozilla\FireFox\Profiles\dj6fmni2.default\searchplugins -> [2008/05/30 07:29:48 | 00,000,000 | ---D | M]
live-search.xml -> C:\Documents and Settings\Owner\Application Data\Mozilla\FireFox\Profiles\dj6fmni2.default\searchplugins\live-search.xml -> [2008/05/30 07:29:48 | 00,001,944 | ---- | M] ()
< FireFox Extensions [Program Folders] > -> 
 -> C:\PROGRAM FILES\MOZILLA FIREFOX\extensions -> [2009/09/10 18:46:23 | 10,776,568 | ---- | M] (Mozilla Foundation)
 -> C:\PROGRAM FILES\MOZILLA FIREFOX\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd} -> [2009/09/10 18:46:23 | 10,776,568 | ---- | M] (Mozilla Foundation)
< FireFox Components [Program Folders] > -> 
C:\PROGRAM FILES\MOZILLA FIREFOX\components\ -> C:\PROGRAM FILES\MOZILLA FIREFOX\components -> [2009/09/10 18:46:23 | 00,000,000 | ---D | M]
browserdirprovider.dll -> C:\PROGRAM FILES\MOZILLA FIREFOX\components\browserdirprovider.dll -> [2009/09/10 18:46:17 | 00,023,544 | ---- | M] (Mozilla Foundation)
brwsrcmp.dll -> C:\PROGRAM FILES\MOZILLA FIREFOX\components\brwsrcmp.dll -> [2009/09/10 18:46:17 | 00,137,208 | ---- | M] (Mozilla Foundation)
< FireFox Plugins [Program Folders] > -> 
C:\PROGRAM FILES\MOZILLA FIREFOX\plugins\ -> C:\PROGRAM FILES\MOZILLA FIREFOX\plugins -> [2009/09/18 14:44:04 | 00,000,000 | ---D | M]
flashplayer.xpt -> C:\PROGRAM FILES\MOZILLA FIREFOX\plugins\flashplayer.xpt -> [2007/11/20 16:51:00 | 00,000,856 | ---- | M] ()
npnul32.dll -> C:\PROGRAM FILES\MOZILLA FIREFOX\plugins\npnul32.dll -> [2009/09/10 18:46:18 | 00,065,016 | ---- | M] (mozilla.org)
nppdf32.dll -> C:\PROGRAM FILES\MOZILLA FIREFOX\plugins\nppdf32.dll -> [2008/10/14 21:33:30 | 00,095,600 | ---- | M] (Adobe Systems Inc.)
NPSWF32.dll -> C:\PROGRAM FILES\MOZILLA FIREFOX\plugins\NPSWF32.dll -> [2007/11/20 17:52:00 | 02,884,992 | ---- | M] ()
NPSWF32_FlashUtil.exe -> C:\PROGRAM FILES\MOZILLA FIREFOX\plugins\NPSWF32_FlashUtil.exe -> [2007/11/20 17:52:00 | 00,218,496 | ---- | M] (Adobe Systems, Inc.)
< FireFox SearchPlugins [Program Folders] > -> 
C:\PROGRAM FILES\MOZILLA FIREFOX\searchplugins\ -> C:\PROGRAM FILES\MOZILLA FIREFOX\searchplugins -> [2009/09/05 12:16:39 | 00,000,000 | ---D | M]
amazondotcom.xml -> C:\PROGRAM FILES\MOZILLA FIREFOX\searchplugins\amazondotcom.xml -> [2009/09/05 12:16:35 | 00,001,394 | ---- | M] ()
answers.xml -> C:\PROGRAM FILES\MOZILLA FIREFOX\searchplugins\answers.xml -> [2009/09/05 12:16:35 | 00,002,193 | ---- | M] ()
creativecommons.xml -> C:\PROGRAM FILES\MOZILLA FIREFOX\searchplugins\creativecommons.xml -> [2009/09/05 12:16:35 | 00,001,534 | ---- | M] ()
eBay.xml -> C:\PROGRAM FILES\MOZILLA FIREFOX\searchplugins\eBay.xml -> [2009/09/05 12:16:35 | 00,002,344 | ---- | M] ()
google.xml -> C:\PROGRAM FILES\MOZILLA FIREFOX\searchplugins\google.xml -> [2009/09/05 12:16:35 | 00,002,371 | ---- | M] ()
wikipedia.xml -> C:\PROGRAM FILES\MOZILLA FIREFOX\searchplugins\wikipedia.xml -> [2009/09/05 12:16:35 | 00,001,178 | ---- | M] ()
yahoo.xml -> C:\PROGRAM FILES\MOZILLA FIREFOX\searchplugins\yahoo.xml -> [2009/09/05 12:16:35 | 00,000,792 | ---- | M] ()
< HOSTS File > (27 bytes and 1 lines) -> C:\WINDOWS\System32\drivers\etc\Hosts -> 
Reset Hosts
127.0.0.1	   localhost
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ -> 
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} [HKLM] -> C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [Adobe PDF Reader Link Helper] -> [2006/10/22 23:08:42 | 00,062,080 | ---- | M] (Adobe Systems Incorporated)
{512ACF1B-64D9-4928-B382-A80556F28DB4} [HKLM] -> C:\Program Files\EarthLink TotalAccess\Toolbar\ElnkPub.dll [ElnkPubBHO Class] -> [2009/09/25 07:26:14 | 00,255,296 | ---- | M] (EarthLink, Inc.)
{656EC4B7-072B-4698-B504-2A414C1F0037} [HKLM] -> C:\Program Files\EarthLink TotalAccess\Accelerator\prpl_IePopupBlocker.dll [IE_PopupBlocker Class] -> [2005/02/02 19:33:24 | 00,049,152 | R--- | M] (Propel Software Corporation)
{68F9551E-0411-48E4-9AAF-4BC42A6A46BE} [HKLM] -> C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll [EWPBrowseObject Class] -> [2005/10/20 21:16:26 | 00,034,304 | ---- | M] ()
{7DB2D5A0-7241-4E79-B68D-6309F01C5231} [HKLM] -> C:\Program Files\McAfee\VirusScan\scriptsn.dll [scriptproxy] -> [2009/03/25 11:05:56 | 00,062,784 | ---- | M] (McAfee, Inc.)
{9579D574-D4D8-4335-9560-FE8641A013BD} [HKLM] -> C:\Program Files\EarthLink TotalAccess\Toolbar\ProtctIE.dll [ElnkProtectionBHO Class] -> [2009/09/25 07:26:23 | 00,415,040 | ---- | M] (EarthLink, Inc.)
{E713904C-DF05-4C79-BBAD-02DB923253BE} [HKLM] -> C:\Program Files\EarthLink TotalAccess\Toolbar\uninsttb.dll [ElnkLegacyUninstBHO Class] -> [2009/09/25 07:26:30 | 00,279,872 | ---- | M] (EarthLink, Inc.)
{FDD3B846-8D59-4ffb-8758-209B6AD74ACC} [HKLM] -> Reg Error: Key error. [Reg Error: Key error.] -> File not found
< Internet Explorer ToolBars [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar -> 
"{327C2873-E90D-4c37-AA9D-10AC9BABA46C}" [HKLM] -> C:\Program Files\Canon\Easy-WebPrint\Toolband.dll [Easy-WebPrint] -> [2005/10/20 21:18:00 | 00,552,960 | ---- | M] ()
"{C7768536-96F8-4001-B1A2-90EE21279187}" [HKLM] -> C:\Program Files\EarthLink TotalAccess\Toolbar\Toolbar.dll [EarthLink Toolbar] -> [2009/09/25 07:26:29 | 01,033,536 | ---- | M] (EarthLink, Inc.)
< Internet Explorer ToolBars [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ -> 
ShellBrowser\\"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.] -> File not found
WebBrowser\\"{C7768536-96F8-4001-B1A2-90EE21279187}" [HKLM] -> C:\Program Files\EarthLink TotalAccess\Toolbar\Toolbar.dll [EarthLink Toolbar] -> [2009/09/25 07:26:29 | 01,033,536 | ---- | M] (EarthLink, Inc.)
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> 
"Adobe Reader Speed Launcher" -> C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe ["C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"] -> [2008/10/15 01:04:34 | 00,039,792 | ---- | M] (Adobe Systems Incorporated)
"AlcWzrd" -> C:\WINDOWS\ALCWZRD.EXE [ALCWZRD.EXE] -> [2004/09/24 21:06:46 | 02,559,488 | ---- | M] (RealTek Semicoductor Corp.)
"CHotkey" -> C:\WINDOWS\zHotkey.exe [zHotkey.exe] -> [2004/05/17 21:30:04 | 00,543,232 | ---- | M] ()
"High Definition Audio Property Page Shortcut" -> C:\WINDOWS\System32\Hdaudpropshortcut.exe [HDAudPropShortcut.exe] -> [2004/03/17 18:10:40 | 00,061,952 | ---- | M] (Windows (R) Server 2003 DDK provider)
"HotKeysCmds" -> C:\WINDOWS\System32\hkcmd.exe [C:\WINDOWS\system32\hkcmd.exe] -> [2004/08/20 18:51:14 | 00,118,784 | ---- | M] (Intel Corporation)
"IgfxTray" -> C:\WINDOWS\System32\igfxtray.exe [C:\WINDOWS\system32\igfxtray.exe] -> [2004/08/20 18:55:14 | 00,155,648 | ---- | M] (Intel Corporation)
"IPInSightLAN 01" -> C:\Program Files\EarthLink TotalAccess\FastLane2\IPClient.exe ["C:\Program Files\EarthLink TotalAccess\FastLane2\IPClient.exe" -l] -> [2005/08/10 22:10:36 | 00,380,928 | R--- | M] (Visual Networks)
"IPInSightMonitor 01" -> C:\Program Files\EarthLink TotalAccess\FastLane2\IPMon32.exe ["C:\Program Files\EarthLink TotalAccess\FastLane2\IPMon32.exe"] -> [2005/08/10 22:10:36 | 00,122,880 | R--- | M] (Visual Networks)
"Kernel and Hardware Abstraction Layer" -> C:\WINDOWS\KHALMNPR.Exe [KHALMNPR.EXE] -> [2008/12/18 23:42:58 | 00,076,304 | ---- | M] (Logitech, Inc.)
"Logitech Hardware Abstraction Layer" -> C:\WINDOWS\KHALMNPR.Exe [KHALMNPR.EXE] -> [2008/12/18 23:42:58 | 00,076,304 | ---- | M] (Logitech, Inc.)
"Malwarebytes Anti-Malware (reboot)" -> C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe ["C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript] -> [2009/09/10 14:53:56 | 01,312,080 | ---- | M] (Malwarebytes Corporation)
"mcagent_exe" -> C:\Program Files\McAfee.com\Agent\mcagent.exe ["C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey] -> [2009/01/08 21:30:26 | 00,645,328 | ---- | M] (McAfee, Inc.)
"Microsoft Works Update Detection" -> C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe [C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe] -> [2003/06/07 06:32:32 | 00,050,688 | ---- | M] (Microsoft® Corporation)
"NeroFilterCheck" -> C:\WINDOWS\System32\NeroCheck.exe [C:\WINDOWS\system32\NeroCheck.exe] -> [2001/07/09 14:50:42 | 00,155,648 | ---- | M] (Ahead Software Gmbh)
"OpwareSE2" -> C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe ["C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"] -> [2003/05/08 12:00:58 | 00,049,152 | ---- | M] (ScanSoft, Inc.)
"QuickTime Task" -> C:\Program Files\QuickTime\qttask.exe ["C:\Program Files\QuickTime\qttask.exe" -atboottime] -> [2004/11/17 09:17:35 | 00,098,304 | ---- | M] (Apple Computer, Inc.)
"Recguard" -> C:\WINDOWS\SMINST\RECGUARD.EXE [C:\WINDOWS\SMINST\RECGUARD.EXE] -> [2002/09/13 15:42:26 | 00,212,992 | ---- | M] ()
"RemoteControl" -> C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe ["C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"] -> [2003/10/31 22:42:40 | 00,032,768 | ---- | M] (Cyberlink Corp.)
"ShowWnd" -> C:\WINDOWS\ShowWnd.exe [ShowWnd.exe] -> [2003/09/19 12:09:22 | 00,036,864 | ---- | M] ()
"SoundMan" -> C:\WINDOWS\SOUNDMAN.EXE [SOUNDMAN.EXE] -> [2004/09/23 22:27:18 | 00,077,824 | ---- | M] (Realtek Semiconductor Corp.)
"SunKistEM" -> C:\Program Files\Digital Media Reader\shwiconem.exe [C:\Program Files\Digital Media Reader\shwiconem.exe] -> [2004/10/18 17:05:12 | 00,135,168 | ---- | M] (Alcor Micro, Corp.)
< Run [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> 
"E6TaskPanel" -> C:\Program Files\EarthLink TotalAccess\TaskPanl.exe ["C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart] -> [2005/09/01 17:24:56 | 00,942,080 | ---- | M] (EarthLink, Inc.)
"MoneyAgent" -> C:\Program Files\Microsoft Money\System\mnyexpr.exe ["C:\Program Files\Microsoft Money\System\mnyexpr.exe"] -> [2003/06/18 15:00:00 | 00,200,704 | ---- | M] (Microsoft Corp.)
"MSMSGS" -> C:\Program Files\Messenger\msmsgs.exe ["C:\Program Files\Messenger\msmsgs.exe" /background] -> [2008/04/13 19:12:28 | 01,695,232 | ---- | M] (Microsoft Corporation)
< All Users Startup Folder > -> C:\Documents and Settings\All Users\Start Menu\Programs\Startup -> 
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk -> C:\Program Files\Logitech\SetPoint\SetPoint.exe -> [2009/02/19 00:33:08 | 00,809,488 | ---- | M] (Logitech, Inc.)
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk -> C:\Program Files\WinZip\WZQKPICK.EXE -> [2008/09/23 11:20:00 | 00,415,072 | R--- | M] (WinZip Computing, S.L.)
< Owner Startup Folder > -> C:\Documents and Settings\Owner\Start Menu\Programs\Startup -> 
< Software Policy Settings [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Internet Explorer -> 
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel
\Control Panel\\"Connwiz Admin Lock" ->  [0] -> File not found
< CurrentVersion Policy Settings - Explorer [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
\\"HonorAutoRunSetting" ->  [1] -> File not found
\\"NoDriveAutoRun" ->  [67108863] -> File not found
\\"NoDriveTypeAutoRun" ->  [323] -> File not found
\\"NoDrives" ->  [0] -> File not found
< CurrentVersion Policy Settings - System [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
\\"dontdisplaylastusername" ->  [0] -> File not found
\\"legalnoticecaption" ->  [] -> File not found
\\"legalnoticetext" ->  [] -> File not found
\\"shutdownwithoutlogon" ->  [1] -> File not found
\\"undockwithoutlogon" ->  [1] -> File not found
\\"DisableRegistryTools" ->  [0] -> File not found
< CurrentVersion Policy Settings - Explorer [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
\\"NoDriveTypeAutoRun" ->  [323] -> File not found
\\"NoDriveAutoRun" ->  [67108863] -> File not found
\\"NoDrives" ->  [0] -> File not found
< CurrentVersion Policy Settings - System [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System -> 
< Internet Explorer Menu Extensions [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\ -> 
E&xport to Microsoft Excel -> C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE [res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000] -> [2003/08/13 03:34:38 | 10,073,144 | ---- | M] (Microsoft Corporation)
EarthLink Google Search -> C:\Program Files\EarthLink TotalAccess\Toolbar\SearchUI.dll [res://C:\Program Files\EarthLink TotalAccess\Toolbar\SearchUI.dll/search.html] -> [2009/09/25 07:26:25 | 00,415,040 | ---- | M] (EarthLink, Inc.)
Easy-WebPrint Add To Print List -> C:\Program Files\Canon\Easy-WebPrint\Toolband.dll [res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html] -> [2005/10/20 21:18:00 | 00,552,960 | ---- | M] ()
Easy-WebPrint High Speed Print -> C:\Program Files\Canon\Easy-WebPrint\Toolband.dll [res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html] -> [2005/10/20 21:18:00 | 00,552,960 | ---- | M] ()
Easy-WebPrint Preview -> C:\Program Files\Canon\Easy-WebPrint\Toolband.dll [res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html] -> [2005/10/20 21:18:00 | 00,552,960 | ---- | M] ()
Easy-WebPrint Print -> C:\Program Files\Canon\Easy-WebPrint\Toolband.dll [res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html] -> [2005/10/20 21:18:00 | 00,552,960 | ---- | M] ()
< Internet Explorer Extensions [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\ -> 
{92780B25-18CC-41C8-B9BE-3C9C571A8263}:{FF059E31-CC5A-4E2E-BF3B-96E929D65503} [HKLM] -> C:\Program Files\Microsoft Office\OFFICE11\REFIEBAR.DLL [Button: Research] -> [2003/07/14 23:57:08 | 00,040,512 | ---- | M] (Microsoft Corporation)
{e2e2dd38-d088-4134-82b7-f2ba38496583}:Exec [HKLM] -> C:\WINDOWS\Network Diagnostic\xpnetdiag.exe [Menu: @xpsp3res.dll,-20001] -> [2008/04/13 13:53:32 | 00,558,080 | ---- | M] (Microsoft Corporation)
{FB5F1910-F110-11d2-BB9E-00C04F795683}:Exec [HKLM] -> C:\Program Files\Messenger\msmsgs.exe [Button: Messenger] -> [2008/04/13 19:12:28 | 01,695,232 | ---- | M] (Microsoft Corporation)
{FB5F1910-F110-11d2-BB9E-00C04F795683}:Exec [HKLM] -> C:\Program Files\Messenger\msmsgs.exe [Menu: Windows Messenger] -> [2008/04/13 19:12:28 | 01,695,232 | ---- | M] (Microsoft Corporation)
< Internet Explorer Extensions [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\ -> 
CmdMapping\\"{4982D40A-C53B-4615-B15B-B5B5E98D167C}" [HKLM] ->  [Reg Error: Key error.] -> File not found
CmdMapping\\"{92780B25-18CC-41C8-B9BE-3C9C571A8263}" [HKLM] -> C:\Program Files\Microsoft Office\OFFICE11\REFIEBAR.DLL [Research] -> [2003/07/14 23:57:08 | 00,040,512 | ---- | M] (Microsoft Corporation)
CmdMapping\\"{FB5F1910-F110-11d2-BB9E-00C04F795683}" [HKLM] -> C:\Program Files\Messenger\msmsgs.exe [Messenger] -> [2008/04/13 19:12:28 | 01,695,232 | ---- | M] (Microsoft Corporation)
< Internet Explorer Plugins [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\ -> 
PluginsPageFriendlyName -> Microsoft ActiveX Gallery -> 
PluginsPage -> http://activex.microsoft.com/controls/find.asp?ext=%s&mime=%s -> 
< Default Prefix > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix
"" -> http://
< Trusted Sites Domains [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 1 domain(s) found. -> 
1 domain(s) and sub-domain(s) not assigned to a zone.
< Trusted Sites Ranges [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 0 range(s) found. -> 
< Trusted Sites Domains [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 2 domain(s) found. -> 
internet .[about] -> Trusted sites -> 
mcafee.com .[http] -> Trusted sites -> 
mcafee.com .[https] -> Trusted sites -> 
< Trusted Sites Ranges [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 0 range(s) found. -> 
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\ -> 
{4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} [HKLM] -> http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,90/mcinsctl.cab [McAfee.com Operating System Class] -> 
{BCC0FF27-31D9-4614-A68E-C18E1ADA4389} [HKLM] -> http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,23/mcgdmgr.cab [DwnldGroupMgr Class] -> 
{D27CDB6E-AE6D-11CF-96B8-444553540000} [HKLM] -> http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab [Shockwave Flash Object] -> 
< Name Servers [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\ -> 
DhcpNameServer -> 192.168.1.1 -> 
< Name Servers [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\ -> 
{150DF96D-A5E8-4D01-90C0-C290CB1E2944}\\DhcpNameServer -> 192.168.1.1   (Intel(R) PRO/100 VE Network Connection) -> 
< Winlogon settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> 
*Shell* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell -> 
Explorer.exe -> C:\WINDOWS\explorer.exe -> [2008/04/13 19:12:19 | 01,033,728 | ---- | M] (Microsoft Corporation)
*MultiFile Done* -> -> 
< Winlogon\Notify settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ -> 
igfxcui -> C:\WINDOWS\System32\igfxsrvc.dll -> [2004/08/20 18:50:54 | 00,344,064 | ---- | M] (Intel Corporation)
LBTWlgn -> c:\program files\common files\logitech\bluetooth\LBTWlgn.dll -> [2009/02/19 00:30:52 | 00,072,208 | ---- | M] (Logitech, Inc.)
< Domain Profile Authorized Applications List > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List -> 
"%windir%\Network Diagnostic\xpnetdiag.exe" -> C:\WINDOWS\Network Diagnostic\xpnetdiag.exe [%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000] -> [2008/04/13 13:53:32 | 00,558,080 | ---- | M] (Microsoft Corporation)
"%windir%\system32\sessmgr.exe" -> C:\WINDOWS\System32\sessmgr.exe [%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019] -> [2008/04/13 19:12:34 | 00,141,312 | ---- | M] (Microsoft Corporation)
"C:\Program Files\America Online 9.0\waol.exe" -> C:\Program Files\America Online 9.0\waol.exe [C:\Program Files\America Online 9.0\waol.exe:*:Enabled:AOL] -> File not found
"C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe" -> C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe [C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe:*:Enabled:AOL] -> File not found
"C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" -> C:\Program Files\Common Files\AOL\ACS\AOLDial.exe [C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Enabled:AOL] -> File not found
< Standard Profile Authorized Applications List > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List -> 
"%windir%\Network Diagnostic\xpnetdiag.exe" -> C:\WINDOWS\Network Diagnostic\xpnetdiag.exe [%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000] -> [2008/04/13 13:53:32 | 00,558,080 | ---- | M] (Microsoft Corporation)
"%windir%\system32\sessmgr.exe" -> C:\WINDOWS\System32\sessmgr.exe [%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019] -> [2008/04/13 19:12:34 | 00,141,312 | ---- | M] (Microsoft Corporation)
"C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe" -> C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe [C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe:*:Enabled:McAfee Network Agent] -> [2009/01/09 12:31:16 | 02,482,848 | ---- | M] (McAfee, Inc.)
"C:\Program Files\GlobalSCAPE\CuteSITE Builder\program\csb.exe" -> C:\Program Files\GlobalSCAPE\CuteSITE Builder\program\csb.exe [C:\Program Files\GlobalSCAPE\CuteSITE Builder\program\csb.exe:*:Enabled:CuteSITE Builder] -> [2003/06/05 13:53:36 | 00,046,864 | ---- | M] (GlobalSCAPE Texas, LP)
< SafeBoot AlternateShell [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot -> 
"AlternateShell" -> cmd.exe -> 
< CDROM Autorun Setting [HKEY_LOCAL_MACHINE]> -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom ->
"AutoRun" -> 1 -> 
"DisplayName" -> CD-ROM Driver -> 
"ImagePath" ->  [system32\DRIVERS\cdrom.sys] -> File not found
< Drives with AutoRun files > ->  -> 
C:\AUTOEXEC.BAT [] -> C:\AUTOEXEC.BAT [ NTFS ] -> [2004/08/26 13:04:39 | 00,000,000 | ---- | M] ()
D:\autorun.inf.aug.8 [[AUTORUN] | OPEN=Info.exe folder.htt 480 480 | ] -> D:\autorun.inf [ FAT32 ] -> File not found
< MountPoints2 [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 -> 
 
 
[Files/Folders - Created Within 30 Days]
JavaRa.zip -> C:\Documents and Settings\Owner\Desktop\JavaRa.zip -> [2009/09/27 18:07:18 | 00,071,798 | ---- | C] ()
RECYCLER -> C:\RECYCLER -> [2009/09/27 17:59:13 | 00,000,000 | -HSD | C]
TFC.exe -> C:\Documents and Settings\Owner\Desktop\TFC.exe -> [2009/09/27 17:57:52 | 00,271,872 | ---- | C] (OldTimer Tools)
spring.zip -> C:\Documents and Settings\Owner\My Documents\spring.zip -> [2009/09/26 20:03:18 | 03,692,120 | ---- | C] ()
summersun.zip -> C:\Documents and Settings\Owner\My Documents\summersun.zip -> [2009/09/26 20:02:16 | 01,981,405 | ---- | C] ()
polar.zip -> C:\Documents and Settings\Owner\My Documents\polar.zip -> [2009/09/26 20:01:14 | 02,088,015 | ---- | C] ()
purple.zip -> C:\Documents and Settings\Owner\My Documents\purple.zip -> [2009/09/26 20:00:16 | 01,586,447 | ---- | C] ()
patterns.zip -> C:\Documents and Settings\Owner\My Documents\patterns.zip -> [2009/09/26 19:59:10 | 02,197,969 | ---- | C] ()
oxfordgrey.zip -> C:\Documents and Settings\Owner\My Documents\oxfordgrey.zip -> [2009/09/26 19:58:07 | 01,652,189 | ---- | C] ()
mauve.zip -> C:\Documents and Settings\Owner\My Documents\mauve.zip -> [2009/09/26 19:57:10 | 01,650,644 | ---- | C] ()
lines.zip -> C:\Documents and Settings\Owner\My Documents\lines.zip -> [2009/09/26 19:55:40 | 00,975,323 | ---- | C] ()
pinkblue.zip -> C:\Documents and Settings\Owner\My Documents\pinkblue.zip -> [2009/09/26 19:54:42 | 01,460,908 | ---- | C] ()
gas.zip -> C:\Documents and Settings\Owner\My Documents\gas.zip -> [2009/09/26 19:53:44 | 00,546,373 | ---- | C] ()
heat.zip -> C:\Documents and Settings\Owner\My Documents\heat.zip -> [2009/09/26 19:52:43 | 01,042,490 | ---- | C] ()
darker.zip -> C:\Documents and Settings\Owner\My Documents\darker.zip -> [2009/09/26 19:51:24 | 01,876,611 | ---- | C] ()
blackwhite.zip -> C:\Documents and Settings\Owner\My Documents\blackwhite.zip -> [2009/09/26 19:49:37 | 01,384,858 | ---- | C] ()
greige.zip -> C:\Documents and Settings\Owner\My Documents\greige.zip -> [2009/09/26 19:46:42 | 00,994,883 | ---- | C] ()
Boot.bak -> C:\Boot.bak -> [2009/09/26 10:39:12 | 00,000,211 | ---- | C] ()
cmldr -> C:\cmldr -> [2009/09/26 10:39:09 | 00,260,272 | ---- | C] ()
cmdcons -> C:\cmdcons -> [2009/09/26 10:39:08 | 00,000,000 | RHSD | C]
PEV.exe -> C:\WINDOWS\PEV.exe -> [2009/09/26 10:37:32 | 00,229,888 | ---- | C] ()
SWXCACLS.exe -> C:\WINDOWS\SWXCACLS.exe -> [2009/09/26 10:37:32 | 00,212,480 | ---- | C] (SteelWerX)
SWREG.exe -> C:\WINDOWS\SWREG.exe -> [2009/09/26 10:37:32 | 00,161,792 | ---- | C] (SteelWerX)
SWSC.exe -> C:\WINDOWS\SWSC.exe -> [2009/09/26 10:37:32 | 00,136,704 | ---- | C] (SteelWerX)
sed.exe -> C:\WINDOWS\sed.exe -> [2009/09/26 10:37:32 | 00,098,816 | ---- | C] ()
grep.exe -> C:\WINDOWS\grep.exe -> [2009/09/26 10:37:32 | 00,080,412 | ---- | C] ()
zip.exe -> C:\WINDOWS\zip.exe -> [2009/09/26 10:37:32 | 00,068,096 | ---- | C] ()
NIRCMD.exe -> C:\WINDOWS\NIRCMD.exe -> [2009/09/26 10:37:32 | 00,031,232 | ---- | C] (NirSoft)
ERDNT -> C:\WINDOWS\ERDNT -> [2009/09/26 10:37:26 | 00,000,000 | ---D | C]
Qoobox -> C:\Qoobox -> [2009/09/26 10:36:56 | 00,000,000 | ---D | C]
Combo-Fix.exe -> C:\Documents and Settings\Owner\Desktop\Combo-Fix.exe -> [2009/09/26 10:23:29 | 03,321,356 | R--- | C] ()
Unzipped -> C:\Documents and Settings\Owner\My Documents\Unzipped -> [2009/09/24 22:39:14 | 00,000,000 | ---D | C]
SysProt -> C:\Documents and Settings\Owner\Desktop\SysProt -> [2009/09/24 22:36:24 | 00,000,000 | ---D | C]
OTS.exe -> C:\Documents and Settings\Owner\Desktop\OTS.exe -> [2009/09/24 22:22:54 | 00,514,560 | ---- | C] (OldTimer Tools)
OTS.exe -> C:\Program Files\OTS.exe -> [2009/09/24 22:20:29 | 00,514,560 | ---- | C] (OldTimer Tools)
frosty.zip -> C:\Documents and Settings\Owner\My Documents\frosty.zip -> [2009/09/21 21:50:59 | 02,831,128 | ---- | C] ()
WinZip.lnk -> C:\Documents and Settings\All Users\Desktop\WinZip.lnk -> [2009/09/21 21:14:18 | 00,001,732 | ---- | C] ()
WinZip Quick Pick.lnk -> C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk -> [2009/09/21 21:14:18 | 00,001,660 | ---- | C] ()
ApplicationHistory -> C:\Documents and Settings\Owner\Local Settings\Application Data\ApplicationHistory -> [2009/09/20 14:19:56 | 00,000,000 | ---D | C]
Malwarebytes -> C:\Documents and Settings\Owner\Application Data\Malwarebytes -> [2009/09/18 21:23:25 | 00,000,000 | ---D | C]
Malwarebytes' Anti-Malware.lnk -> C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk -> [2009/09/18 21:23:21 | 00,000,696 | ---- | C] ()
mbamswissarmy.sys -> C:\WINDOWS\System32\drivers\mbamswissarmy.sys -> [2009/09/18 21:23:01 | 00,038,224 | ---- | C] (Malwarebytes Corporation)
mbam.sys -> C:\WINDOWS\System32\drivers\mbam.sys -> [2009/09/18 21:22:59 | 00,019,160 | ---- | C] (Malwarebytes Corporation)
Malwarebytes' Anti-Malware -> C:\Program Files\Malwarebytes' Anti-Malware -> [2009/09/18 21:22:59 | 00,000,000 | ---D | C]
Malwarebytes -> C:\Documents and Settings\All Users\Application Data\Malwarebytes -> [2009/09/18 21:22:59 | 00,000,000 | ---D | C]
mbam-setup.exe -> C:\Program Files\mbam-setup.exe -> [2009/09/18 21:18:40 | 04,045,536 | ---- | C] (Malwarebytes Corporation									)
erunt_setup.exe -> C:\Program Files\erunt_setup.exe -> [2009/09/18 21:17:41 | 00,791,393 | ---- | C] (Lars Hederer												)
SysRestorePoint.exe -> C:\Program Files\SysRestorePoint.exe -> [2009/09/18 21:15:10 | 00,021,504 | ---- | C] (Doug Knox)
settings.dat -> C:\Program Files\settings.dat -> [2009/09/18 21:11:32 | 00,000,000 | ---- | C] ()
RootRepeal.exe -> C:\Program Files\RootRepeal.exe -> [2009/09/18 20:51:38 | 00,472,064 | ---- | C] ( )
ISO1.nri -> C:\Documents and Settings\Owner\My Documents\ISO1.nri -> [2009/09/18 19:48:57 | 00,504,793 | ---- | C] ()
Adobe Reader 8.lnk -> C:\Documents and Settings\All Users\Desktop\Adobe Reader 8.lnk -> [2009/09/18 14:44:54 | 00,001,729 | ---- | C] ()
SxsCaPendDel -> C:\WINDOWS\SxsCaPendDel -> [2009/09/18 14:44:27 | 00,000,000 | ---D | C]
fxsclntR.dll -> C:\WINDOWS\System32\fxsclntR.dll -> [2009/09/18 14:13:55 | 00,132,608 | ---- | C] (Microsoft Corporation)
fxsclntr.dll -> C:\WINDOWS\System32\dllcache\fxsclntr.dll -> [2009/09/18 14:13:55 | 00,132,608 | ---- | C] ()
fxscfgwz.dll -> C:\WINDOWS\System32\fxscfgwz.dll -> [2009/09/18 14:13:55 | 00,111,104 | ---- | C] (Microsoft Corporation)
fxscfgwz.dll -> C:\WINDOWS\System32\dllcache\fxscfgwz.dll -> [2009/09/18 14:13:55 | 00,111,104 | ---- | C] ()
fxsroute.dll -> C:\WINDOWS\System32\fxsroute.dll -> [2009/09/18 14:13:55 | 00,031,744 | ---- | C] (Microsoft Corporation)
fxsroute.dll -> C:\WINDOWS\System32\dllcache\fxsroute.dll -> [2009/09/18 14:13:55 | 00,031,744 | ---- | C] ()
fxssend.exe -> C:\WINDOWS\System32\fxssend.exe -> [2009/09/18 14:13:55 | 00,011,264 | ---- | C] (Microsoft Corporation)
fxssend.exe -> C:\WINDOWS\System32\dllcache\fxssend.exe -> [2009/09/18 14:13:55 | 00,011,264 | ---- | C] ()
fxsperf.ini -> C:\WINDOWS\System32\fxsperf.ini -> [2009/09/18 14:13:55 | 00,001,793 | ---- | C] ()
fxscount.h -> C:\WINDOWS\System32\fxscount.h -> [2009/09/18 14:13:55 | 00,001,361 | ---- | C] ()
mapisvc.inf -> C:\WINDOWS\System32\mapisvc.inf -> [2009/09/18 14:13:55 | 00,000,535 | ---- | C] ()
MRT.INI -> C:\WINDOWS\System32\MRT.INI -> [2009/09/09 03:02:37 | 00,000,129 | ---- | C] ()
triedit.dll -> C:\WINDOWS\System32\dllcache\triedit.dll -> [2009/09/08 22:40:32 | 00,153,088 | ---- | C] (Microsoft Corporation)
JascCmdPrint.INI -> C:\WINDOWS\JascCmdPrint.INI -> [2009/09/06 13:27:01 | 00,000,072 | ---- | C] ()
Minidump -> C:\WINDOWS\Minidump -> [2009/09/05 18:31:23 | 00,000,000 | ---D | C]
JascCmdFile.INI -> C:\WINDOWS\JascCmdFile.INI -> [2009/05/14 14:35:50 | 00,000,054 | ---- | C] ()
WSYS049.SYS -> C:\WINDOWS\WSYS049.SYS -> [2007/07/22 21:03:24 | 00,000,104 | -HS- | C] ()
CNMVS7O.DLL -> C:\WINDOWS\System32\CNMVS7O.DLL -> [2007/01/01 23:02:13 | 00,008,704 | ---- | C] ()
MAXLINK.INI -> C:\WINDOWS\MAXLINK.INI -> [2007/01/01 22:55:17 | 00,000,532 | ---- | C] ()
OpPrintServer.INI -> C:\WINDOWS\OpPrintServer.INI -> [2006/10/29 23:14:06 | 00,000,000 | ---- | C] ()
NeroDigital.ini -> C:\WINDOWS\NeroDigital.ini -> [2005/12/28 09:49:35 | 00,000,049 | ---- | C] ()
ODBC.INI -> C:\WINDOWS\ODBC.INI -> [2005/12/10 15:55:48 | 00,000,376 | ---- | C] ()
AuthMgr.INI -> C:\WINDOWS\AuthMgr.INI -> [2005/05/15 14:10:44 | 00,000,034 | ---- | C] ()
SIERRA.INI -> C:\WINDOWS\SIERRA.INI -> [2005/03/12 20:08:10 | 00,000,334 | ---- | C] ()
lexstat.ini -> C:\WINDOWS\lexstat.ini -> [2005/03/06 22:05:49 | 00,000,332 | ---- | C] ()
lxblvs.dll -> C:\WINDOWS\System32\lxblvs.dll -> [2005/03/06 22:05:27 | 00,040,960 | ---- | C] ()
LXBLLCNP.DLL -> C:\WINDOWS\System32\LXBLLCNP.DLL -> [2005/03/06 22:05:11 | 00,077,824 | ---- | C] ()
msoffice.ini -> C:\WINDOWS\msoffice.ini -> [2005/03/06 09:10:23 | 00,000,002 | ---- | C] ()
PIC.dll -> C:\WINDOWS\PIC.dll -> [2004/11/17 09:22:21 | 00,532,544 | ---- | C] ()
HKNTDLL.dll -> C:\WINDOWS\HKNTDLL.dll -> [2004/11/17 09:22:21 | 00,024,576 | ---- | C] ()
RTCOMDLL.dll -> C:\WINDOWS\System32\RTCOMDLL.dll -> [2004/11/17 09:14:28 | 00,192,512 | ---- | C] ()
RTLCPAPI.dll -> C:\WINDOWS\System32\RTLCPAPI.dll -> [2004/11/17 09:14:28 | 00,156,160 | ---- | C] ()
e100bmsg.dll -> C:\WINDOWS\System32\e100bmsg.dll -> [2004/11/17 09:01:41 | 00,012,288 | ---- | C] ()
smscfg.ini -> C:\WINDOWS\smscfg.ini -> [2004/08/27 05:50:59 | 00,000,061 | ---- | C] ()
emver.ini -> C:\WINDOWS\System32\emver.ini -> [2004/08/26 11:12:43 | 00,000,462 | ---- | C] ()
OEMINFO.INI -> C:\WINDOWS\System32\OEMINFO.INI -> [2004/08/26 11:12:43 | 00,000,437 | ---- | C] ()
win.ini -> C:\WINDOWS\win.ini -> [2004/08/26 11:12:21 | 00,000,598 | ---- | C] ()
system.ini -> C:\WINDOWS\system.ini -> [2004/08/26 11:12:17 | 00,000,227 | ---- | C] ()
OUTLPERF.INI -> C:\WINDOWS\System32\OUTLPERF.INI -> [2003/01/07 16:05:08 | 00,002,695 | ---- | C] ()
zlib.dll -> C:\WINDOWS\System32\zlib.dll -> [2002/03/13 15:46:46 | 00,053,248 | R--- | C] ()
 
[Files/Folders - Modified Within 30 Days]
wpa.dbl -> C:\WINDOWS\System32\wpa.dbl -> [2009/09/27 19:39:27 | 00,001,170 | ---- | M] ()
SA.DAT -> C:\WINDOWS\tasks\SA.DAT -> [2009/09/27 19:38:55 | 00,000,006 | -H-- | M] ()
bootstat.dat -> C:\WINDOWS\bootstat.dat -> [2009/09/27 19:38:53 | 00,002,048 | --S- | M] ()
hiberfil.sys -> C:\hiberfil.sys -> [2009/09/27 19:38:52 | 52,615,9872 | -HS- | M] ()
NTUSER.DAT -> C:\Documents and Settings\Owner\NTUSER.DAT -> [2009/09/27 19:37:40 | 07,864,320 | ---- | M] ()
ntuser.ini -> C:\Documents and Settings\Owner\ntuser.ini -> [2009/09/27 19:37:40 | 00,000,178 | -HS- | M] ()
JavaRa.zip -> C:\Documents and Settings\Owner\Desktop\JavaRa.zip -> [2009/09/27 18:07:21 | 00,071,798 | ---- | M] ()
TFC.exe -> C:\Documents and Settings\Owner\Desktop\TFC.exe -> [2009/09/27 17:57:53 | 00,271,872 | ---- | M] (OldTimer Tools)
spring.zip -> C:\Documents and Settings\Owner\My Documents\spring.zip -> [2009/09/26 20:03:19 | 03,692,120 | ---- | M] ()
summersun.zip -> C:\Documents and Settings\Owner\My Documents\summersun.zip -> [2009/09/26 20:02:17 | 01,981,405 | ---- | M] ()
polar.zip -> C:\Documents and Settings\Owner\My Documents\polar.zip -> [2009/09/26 20:01:15 | 02,088,015 | ---- | M] ()
purple.zip -> C:\Documents and Settings\Owner\My Documents\purple.zip -> [2009/09/26 20:00:17 | 01,586,447 | ---- | M] ()
patterns.zip -> C:\Documents and Settings\Owner\My Documents\patterns.zip -> [2009/09/26 19:59:11 | 02,197,969 | ---- | M] ()
oxfordgrey.zip -> C:\Documents and Settings\Owner\My Documents\oxfordgrey.zip -> [2009/09/26 19:58:07 | 01,652,189 | ---- | M] ()
mauve.zip -> C:\Documents and Settings\Owner\My Documents\mauve.zip -> [2009/09/26 19:57:10 | 01,650,644 | ---- | M] ()
lines.zip -> C:\Documents and Settings\Owner\My Documents\lines.zip -> [2009/09/26 19:55:40 | 00,975,323 | ---- | M] ()
pinkblue.zip -> C:\Documents and Settings\Owner\My Documents\pinkblue.zip -> [2009/09/26 19:54:42 | 01,460,908 | ---- | M] ()
gas.zip -> C:\Documents and Settings\Owner\My Documents\gas.zip -> [2009/09/26 19:53:44 | 00,546,373 | ---- | M] ()
heat.zip -> C:\Documents and Settings\Owner\My Documents\heat.zip -> [2009/09/26 19:52:43 | 01,042,490 | ---- | M] ()
darker.zip -> C:\Documents and Settings\Owner\My Documents\darker.zip -> [2009/09/26 19:51:24 | 01,876,611 | ---- | M] ()
blackwhite.zip -> C:\Documents and Settings\Owner\My Documents\blackwhite.zip -> [2009/09/26 19:49:37 | 01,384,858 | ---- | M] ()
greige.zip -> C:\Documents and Settings\Owner\My Documents\greige.zip -> [2009/09/26 19:46:42 | 00,994,883 | ---- | M] ()
system.ini -> C:\WINDOWS\system.ini -> [2009/09/26 11:00:19 | 00,000,227 | ---- | M] ()
hosts -> C:\WINDOWS\System32\drivers\etc\hosts -> [2009/09/26 10:59:55 | 00,000,027 | ---- | M] ()
boot.ini -> C:\boot.ini -> [2009/09/26 10:39:12 | 00,000,281 | RHS- | M] ()
Combo-Fix.exe -> C:\Documents and Settings\Owner\Desktop\Combo-Fix.exe -> [2009/09/26 10:23:29 | 03,321,356 | R--- | M] ()
OTS.exe -> C:\Documents and Settings\Owner\Desktop\OTS.exe -> [2009/09/24 22:22:54 | 00,514,560 | ---- | M] (OldTimer Tools)
OTS.exe -> C:\Program Files\OTS.exe -> [2009/09/24 22:20:31 | 00,514,560 | ---- | M] (OldTimer Tools)
wklnhst.dat -> C:\Documents and Settings\Owner\Application Data\wklnhst.dat -> [2009/09/23 06:55:28 | 00,004,632 | ---- | M] ()
frosty.zip -> C:\Documents and Settings\Owner\My Documents\frosty.zip -> [2009/09/21 21:51:01 | 02,831,128 | ---- | M] ()
WinZip.lnk -> C:\Documents and Settings\All Users\Desktop\WinZip.lnk -> [2009/09/21 21:14:18 | 00,001,732 | ---- | M] ()
WinZip Quick Pick.lnk -> C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk -> [2009/09/21 21:14:18 | 00,001,660 | ---- | M] ()
Malwarebytes' Anti-Malware.lnk -> C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk -> [2009/09/18 21:23:21 | 00,000,696 | ---- | M] ()
mbam-setup.exe -> C:\Program Files\mbam-setup.exe -> [2009/09/18 21:18:54 | 04,045,536 | ---- | M] (Malwarebytes Corporation)
erunt_setup.exe -> C:\Program Files\erunt_setup.exe -> [2009/09/18 21:17:41 | 00,791,393 | ---- | M] (Lars Hederer)
SysRestorePoint.exe -> C:\Program Files\SysRestorePoint.exe -> [2009/09/18 21:15:11 | 00,021,504 | ---- | M] (Doug Knox)
settings.dat -> C:\Program Files\settings.dat -> [2009/09/18 21:11:32 | 00,000,000 | ---- | M] ()
RootRepeal.exe -> C:\Program Files\RootRepeal.exe -> [2009/09/18 20:51:38 | 00,472,064 | ---- | M] ( )
ISO1.nri -> C:\Documents and Settings\Owner\My Documents\ISO1.nri -> [2009/09/18 20:05:53 | 00,504,793 | ---- | M] ()
Adobe Reader 8.lnk -> C:\Documents and Settings\All Users\Desktop\Adobe Reader 8.lnk -> [2009/09/18 14:51:51 | 00,001,729 | ---- | M] ()
PerfStringBackup.INI -> C:\WINDOWS\System32\PerfStringBackup.INI -> [2009/09/18 14:13:57 | 00,440,176 | ---- | M] ()
perfh009.dat -> C:\WINDOWS\System32\perfh009.dat -> [2009/09/18 14:13:57 | 00,381,692 | ---- | M] ()
perfc009.dat -> C:\WINDOWS\System32\perfc009.dat -> [2009/09/18 14:13:57 | 00,053,436 | ---- | M] ()
mapisvc.inf -> C:\WINDOWS\System32\mapisvc.inf -> [2009/09/18 14:13:55 | 00,000,535 | ---- | M] ()
spider.sav -> C:\Documents and Settings\Owner\My Documents\spider.sav -> [2009/09/17 22:11:33 | 00,000,572 | ---- | M] ()
McDefragTask.job -> C:\WINDOWS\tasks\McDefragTask.job -> [2009/09/15 01:00:04 | 00,000,350 | ---- | M] ()
PEV.exe -> C:\WINDOWS\PEV.exe -> [2009/09/14 02:12:36 | 00,229,888 | ---- | M] ()
CuteSITEBuilder.tlex -> C:\Documents and Settings\Owner\My Documents\CuteSITEBuilder.tlex -> [2009/09/13 08:32:52 | 00,002,525 | ---- | M] ()
mbamswissarmy.sys -> C:\WINDOWS\System32\drivers\mbamswissarmy.sys -> [2009/09/10 14:54:06 | 00,038,224 | ---- | M] (Malwarebytes Corporation)
mbam.sys -> C:\WINDOWS\System32\drivers\mbam.sys -> [2009/09/10 14:53:50 | 00,019,160 | ---- | M] (Malwarebytes Corporation)
MRT.INI -> C:\WINDOWS\System32\MRT.INI -> [2009/09/09 03:02:37 | 00,000,129 | ---- | M] ()
imsins.BAK -> C:\WINDOWS\imsins.BAK -> [2009/09/09 03:00:43 | 00,001,355 | ---- | M] ()
qmgr0.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat -> [2009/09/08 22:41:16 | 00,005,543 | ---- | M] ()
qmgr1.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat -> [2009/09/08 22:41:16 | 00,004,232 | ---- | M] ()
JascCmdPrint.INI -> C:\WINDOWS\JascCmdPrint.INI -> [2009/09/06 13:27:01 | 00,000,072 | ---- | M] ()
McQcTask.job -> C:\WINDOWS\tasks\McQcTask.job -> [2009/09/01 01:01:03 | 00,000,352 | ---- | M] ()
CalMRU.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Works\CalMRU.dat -> [2009/08/09 14:32:05 | 00,001,804 | ---- | M] ()
hhcolreg.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\HTML Help\hhcolreg.dat -> [2008/07/04 22:56:55 | 00,011,075 | ---- | M] ()
opa11.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\OFFICE\DATA\opa11.dat -> [2005/12/10 16:49:16 | 00,008,206 | ---- | M] ()
wklntsk1.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Works\wklntsk1.dat -> [2005/03/06 10:17:12 | 00,172,544 | ---- | M] ()
wkcalcat.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Works\wkcalcat.dat -> [2005/03/06 10:08:24 | 00,016,384 | ---- | M] ()
ylpgscat.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Money\12.0\Webcache\ylpgscat.dat -> [2003/06/18 15:00:00 | 12,283,223 | ---- | M] ()
college.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Money\12.0\Webcache\college.dat -> [2003/06/18 15:00:00 | 00,327,746 | ---- | M] ()
about.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Money\12.0\Webcache\about.dat -> [2003/06/18 15:00:00 | 00,001,528 | ---- | M] ()
moreinfo.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Money\12.0\Webcache\moreinfo.dat -> [2003/06/18 15:00:00 | 00,000,102 | ---- | M] ()
< End of report >

____________________________


Throughout all of this, my computer's working just fine. The only way I knew the virus was there was that it kept showing up on the McAfee scans. AFAIK it caused no problems. I'm waiting until I know it's clean before doing any business through it.

Edited by tgshaw, 27 September 2009 - 07:13 PM.

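The OTS file listing above has a fixed line shape (name -> path -> [date | size | attributes | M] (company)), which makes it easy to sift mechanically before reading it by hand. The following is an added example written for this thread; it is not part of the OTS tool or of any post here. It parses entries in that shape and flags review candidates with three heuristics that are assumptions of this example, not anything OTS itself does: hidden/system attributes, recent modification under C:\WINDOWS relative to a reference date (the log's own date), and executables with no company/version string. Entries such as boot.ini or ntuser.ini trip these rules legitimately, so the output is a reading list, not a verdict. The fourth attribute position is carried through but not interpreted, and the sample lines are copied from the log posted above.

```python
"""Triage helper for OTS (OldTimer Scan) file-listing lines.

Added example for this thread; not part of the OTS tool or the original
posts.  Each OTS file entry has the shape

    name -> full path -> [YYYY/MM/DD HH:MM:SS | size | attrs | M] (company)

attrs is four flag positions (R read-only, H hidden, S system, a fourth
position this example does not interpret); '-' means "not set".
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Company names in the thread's log carry trailing tab padding, so
# whitespace before the closing parenthesis is tolerated and stripped.
ENTRY_RE = re.compile(
    r"^(?P<name>.+?) -> (?P<path>.+?) -> "
    r"\[(?P<stamp>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>[A-Z-]{4}) \| (?P<kind>[A-Z])\] "
    r"\((?P<company>.*?)\s*\)\s*$"
)

# Reference "now" for the recency rule: the date of the log in the thread
# (an assumption of this example).
REFERENCE_DATE = datetime(2009, 9, 28)


@dataclass
class OtsEntry:
    name: str
    path: str
    modified: datetime
    size: int
    attrs: str      # e.g. "RHS-"
    company: str    # "" when OTS shows no company/version info

    @property
    def hidden(self) -> bool:
        return "H" in self.attrs

    @property
    def system(self) -> bool:
        return "S" in self.attrs


def parse_entry(line: str) -> Optional[OtsEntry]:
    """Parse one log line; headers and '< End of report >' give None."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    return OtsEntry(
        name=m["name"],
        path=m["path"],
        modified=datetime.strptime(m["stamp"], "%Y/%m/%d %H:%M:%S"),
        size=int(m["size"].replace(",", "")),
        attrs=m["attrs"],
        company=m["company"].strip(),
    )


def parse_log(text: str) -> List[OtsEntry]:
    return [e for e in map(parse_entry, text.splitlines()) if e is not None]


def triage(entries: List[OtsEntry], reference: datetime = REFERENCE_DATE,
           window_days: int = 7) -> List[Tuple[OtsEntry, List[str]]]:
    """Return (entry, reasons) for files worth a second look.

    Review prompts only: legitimate files (boot.ini, ntuser.ini, tool
    binaries without version info) trip these heuristics too.
    """
    cutoff = reference - timedelta(days=window_days)
    findings = []
    for e in entries:
        reasons = []
        low = e.path.lower()
        if e.hidden or e.system:
            reasons.append(f"hidden/system attributes ({e.attrs})")
        if low.startswith("c:\\windows\\") and e.modified >= cutoff:
            reasons.append(f"modified within {window_days} days under C:\\WINDOWS")
        if low.endswith((".exe", ".sys", ".dll")) and not e.company:
            reasons.append("executable with no company/version info")
        if reasons:
            findings.append((e, reasons))
    return findings


# Constructed sample: lines copied from the OTS log posted in this thread
# (the tab-padded company name appears that way in the original).
SAMPLE_LOG = """\
NTUSER.DAT -> C:\\Documents and Settings\\Owner\\NTUSER.DAT -> [2009/09/27 19:37:40 | 07,864,320 | ---- | M] ()
ntuser.ini -> C:\\Documents and Settings\\Owner\\ntuser.ini -> [2009/09/27 19:37:40 | 00,000,178 | -HS- | M] ()
hosts -> C:\\WINDOWS\\System32\\drivers\\etc\\hosts -> [2009/09/26 10:59:55 | 00,000,027 | ---- | M] ()
boot.ini -> C:\\boot.ini -> [2009/09/26 10:39:12 | 00,000,281 | RHS- | M] ()
mbam-setup.exe -> C:\\Program Files\\mbam-setup.exe -> [2009/09/18 21:18:54 | 04,045,536 | ---- | M] (Malwarebytes Corporation\t\t\t)
RootRepeal.exe -> C:\\Program Files\\RootRepeal.exe -> [2009/09/18 20:51:38 | 00,472,064 | ---- | M] ( )
PEV.exe -> C:\\WINDOWS\\PEV.exe -> [2009/09/14 02:12:36 | 00,229,888 | ---- | M] ()
mbam.sys -> C:\\WINDOWS\\System32\\drivers\\mbam.sys -> [2009/09/10 14:53:50 | 00,019,160 | ---- | M] (Malwarebytes Corporation)
< End of report >
"""

if __name__ == "__main__":
    for entry, reasons in triage(parse_log(SAMPLE_LOG)):
        print(f"{entry.path}: {'; '.join(reasons)}")
```

Run against the sample, the script lists ntuser.ini and boot.ini (hidden/system), hosts (changed under C:\WINDOWS within the window), and RootRepeal.exe and PEV.exe (no company string); the Malwarebytes files pass because they carry version information and fall outside the window.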

#13 hammerman (Member, 4,183 posts)
Hello,

One more scan to run.

Please follow these steps.

-- Step 1 --

Start OTS. Copy/Paste the information in the quotebox below into the panel where it says "Paste fix here" and then click the Run Fix button.

[Kill All Processes]
[Unregister Dlls]
[Registry - Safe List]
< Internet Explorer ToolBars [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\
YN -> ShellBrowser\\"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Internet Explorer Extensions [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\
YN -> CmdMapping\\"{4982D40A-C53B-4615-B15B-B5B5E98D167C}" [HKLM] -> [Reg Error: Key error.]
< Drives with AutoRun files > ->
YY -> D:\autorun.inf.aug.8 -> D:\autorun.inf [ FAT32 ]
[Empty Temp Folders]
[Start Explorer]
[Reboot]


The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the OK button and Notepad will open with a log of actions taken during the fix. Post that information back here.

I will review the information when it comes back in.

-- Step 2 --

Please click here to download AVP Tool by Kaspersky.
  • Save it to your desktop.
  • Reboot your computer into SafeMode.

    You can do this by restarting your computer and continually tapping the F8 key until a menu appears.
    Use your up arrow key to highlight Safe Mode, then hit Enter.

  • Double click the setup file to run it.
  • Click Next to continue.
  • By default it will install to your desktop folder. Click Next.
  • Hit OK at the prompt for scanning in Safe Mode.
  • It will then open a box. There will be a tab that says Automatic scan.
  • Under Automatic scan make sure these are checked.

  • System Memory
  • Startup Objects
  • Disk Boot Sectors.
  • My Computer.
  • Also any other drives (Removable that you may have)


After that, click on Security level, then choose Customize, then click on the tab that says Heuristic Analyzer, then choose Enable Deep rootkit search, then choose OK.
Then choose OK again and you are back at the main screen.

  • Then click on Scan at the top right-hand corner.
  • It will automatically neutralize any objects found.
  • If some objects are left un-neutralized, click the button that says Neutralize all.
  • If it says an object cannot be neutralized, choose the Delete option when prompted.
  • After that is done, click on the Reports button at the bottom, save it to a file, and name it Kas.
  • Save it somewhere convenient like your desktop, and post only the detected virus/malware entries from the report (they will be at the very top under Detected) in your next reply.

    Note: This tool will self uninstall when you close it so please save the log before closing it.



#14 tgshaw (Topic Starter, Member, 12 posts)
Here's the OTS log:

All Processes Killed
[Registry - Safe List]
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{4982D40A-C53B-4615-B15B-B5B5E98D167C} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4982D40A-C53B-4615-B15B-B5B5E98D167C}\ not found.
File D:\autorun.inf not found.
[Empty Temp Folders]


User: Administrator

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: LocalService
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat scheduled to be deleted on reboot.
->Temp folder emptied: 66016 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Owner
->Temp folder emptied: 2 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 75258311 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
Windows Temp folder emptied: 664 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 71.90 mb

< End of fix log >
OTS by OldTimer - Version 3.0.12.1 fix logfile created on 09282009_213017

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...

__________________


It was a long day at work, and Step 2 is way too complicated for me to attempt with my brain as tired as it is right now. Hopefully I'll get home earlier tomorrow. If I don't, it may have to wait until Thursday because Wednesday will be a *very* long day.

Step 2 does involve the one thing my computer wouldn't do earlier - start in safe mode. We'll see how it goes.

Thanks again.

#15 tgshaw (Topic Starter, Member, 12 posts)
Well, I'm glad I waited until I had a day off - the Kaspersky scan took about 6.5 hours.

Some weird things -

I was able to start in safe mode, and everything seemed to go according to plan, except for the length of time it took, until after I clicked on the "save to file" button. It would not let me save the file. The dialogue box opened and the file type was shown as .txt, but the file name box was empty. My cursor blinked in the box, but I wasn't able to type anything. I tried choosing a file that was already there and then changing the name, but I couldn't do that either - it only let me completely delete the name and go back to the blank box.

There was one detected item, which I was able to delete. Since I couldn't save the report, I wrote down as much info on it as I could. "As much as I could" because, I suppose because I was in safe mode, my monitor resolution reverted to default and I couldn't change it - default is 600x800, so the information went farther to the right than I could see it. What I was able to see follows (My name and email address were shown correctly - I haven't included them):

__________________

deleted: Trojan program Trojan-Spy.HTML.Fraud.gen(modification) Email message body: Main Identity\Local folders\Sent items\[from: "my correct name" <my correct email address>][Subject: Message includes suspi
_________________

-- that's it.

I hated to close the program without saving the report because of how long the scan had taken, but I just couldn't find any way to save it.

Another weird thing, though, was that instead of uninstalling itself, the program actually opened up again at reboot. Just the original screen - not the scan results.

____________________


Something else weird that's happened - some time after we started doing these scans, etc., but before the latest ones - is that in every folder I look in there's a file titled Thumbs.db. It shows up at every level, e.g., on the desktop, in My Documents, and in My Pictures. It's labeled as a database file, and when I set the view to thumbnails, it shows a database icon but is "grayed out". Properties says that it opens with "unknown application".

And something new just now - when I rebooted after the Kaspersky scan - is a file in My Pictures titled Desktop.ini. The label says that its type is configuration settings, and it also shows a grayed-out icon. I haven't seen this in any other folders, but maybe that's because it's new. Properties says it opens with Notepad, but I haven't attempted it.

These files all show different creation and last modified dates, although two of the Thumbs.db files have creation dates only a week apart (March 8 and March 17, 2005). So far I've seen creation dates ranging from August 26, 2004, to August 20, 2007, and a modification date as recent as July 19, 2009.

I've never seen anything like this before! Do you have any idea what might be happening?

- As with everything else, these files don't seem to be affecting how my computer works, but I'm getting to be afraid to use it.

Edited by tgshaw, 01 October 2009 - 04:27 PM.
