SOB SUSP_IRP_MJ_CREATE


  • This topic is locked

#1 Armor500

  • Member
  • 21 posts
Well, the SUSP deal has hijacked both of my browsers.
Got Firefox also.
Running on Chrome, but I bet it will have this one soon. Any help appreciated on how to remove the SOB thing.
Any way to trace where it came from?
No porn here, so that rules that out.
HijackThis log here.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:49:00 AM, on 9/14/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe
C:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\WINDOWS\system32\hphmon03.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe
C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\AOL\1231969998\ee\AOLSoftware.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Belkin Bulldog Plus\MUPS.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Belkin Bulldog Plus\upsd.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\HPHipm09.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\PROGRA~1\McAfee\MSM\McSmtFwk.exe
C:\PROGRA~1\COMMON~1\McAfee\MSC\McUICnt.exe
C:\Program Files\Lavasoft\Ad-Aware\Ad-Aware.exe
C:\Documents and Settings\Jeff Nolan\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Jeff Nolan\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer, optimized for Bing and MSN
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.3.1.15.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [DiscWizardMonitor.exe] C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\system32\hphmon03.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe /installquiet
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1231969998\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Jeff Nolan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-18\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: MUPS.lnk = C:\Program Files\Belkin Bulldog Plus\MUPS.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.3.1.15.dll/206 (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://asia.msi.com.tw
O15 - Trusted Zone: http://global.msi.com.tw
O15 - Trusted Zone: http://www.msi.com.tw
O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - http://support.asus....ek_sys_ctrl.cab
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} (System Requirements Lab) - http://www.nvidia.co...sreqlab_nvd.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1231607999246
O16 - DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} (DASWebDownload Class) - http://das.microsoft...tail/DASAct.cab
O16 - DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} (WebSDev Control) - http://liveupdate.ms...ine/install.cab
O16 - DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} (Windows Live Hotmail Photo Upload Tool) - http://gfx1.hotmail....ol/MSNPUpld.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe
O23 - Service: UPS - UPSentry Service (UPSentry_Smart) - Delta - C:\Program Files\Belkin Bulldog Plus\upsd.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 14990 bytes


Rootkit Unhooker file.


RkU Version: 3.8.388.590, Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 3)
Number of processors #2
==============================================
>SSDT State
==============================================
ntkrnlpa.exe-->NtCreateKey, Type: Address change 0x806237C8-->B80F887E [Lbd.sys]
ntkrnlpa.exe-->NtSetValueKey, Type: Address change 0x80621D3A-->B80F8BFE [Lbd.sys]
==============================================
>Shadow
==============================================
==============================================
>Processes
==============================================
0x8A9BA830 [4] System
0x8A5A5DA0 [216] C:\WINDOWS\system32\svchost.exe (Microsoft Corporation, Generic Host Process for Win32 Services)
0x8A6C0970 [272] C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe (Acronis, Acronis Scheduler 2)
0x8A135340 [304] C:\Program Files\Common Files\aol\acs\AOLacsd.exe (AOL LLC, AOL Connectivity Service)
0x8A170340 [328] C:\Program Files\Executive Software\Diskeeper\DkService.exe (Executive Software International, Inc., DKSERVICE.EXE)
0x8A171DA0 [496] C:\Program Files\Java\jre6\bin\jqs.exe (Sun Microsystems, Inc., Java™ Quick Starter Service)
0x89910020 [516] C:\Program Files\Lavasoft\Ad-Aware\Ad-Aware.exe (Lavasoft, Ad-Aware GUI)
0x89EDE870 [532] C:\Program Files\Common Files\LightScribe\LSSrvc.exe (Hewlett-Packard Company, LightScribe Service)
0x8A724368 [700] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe (Yahoo! Inc, Yahoo! Application)
0x8A860368 [728] C:\WINDOWS\system32\smss.exe (Microsoft Corporation, Windows NT Session Manager)
0x8A6F4888 [744] C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe (Seagate, Seagate DiscWizard Monitor)
0x8A5A1DA0 [768] C:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe (Acronis, Monitor for Acronis True Image Backup Archive Explorer)
0x8A15A448 [784] C:\WINDOWS\system32\csrss.exe (Microsoft Corporation, Client Server Runtime Process)
0x8A7754E0 [808] C:\WINDOWS\system32\winlogon.exe (Microsoft Corporation, Windows NT Logon Application)
0x8A6ACAE0 [852] C:\WINDOWS\system32\services.exe (Microsoft Corporation, Services and Controller app)
0x8A8C85A0 [856] C:\WINDOWS\system32\svchost.exe (Microsoft Corporation, Generic Host Process for Win32 Services)
0x8A536DA0 [864] C:\WINDOWS\system32\lsass.exe (Microsoft Corporation, LSA Shell (Export Version))
0x8A6C5390 [1036] C:\WINDOWS\system32\nvsvc32.exe (NVIDIA Corporation, NVIDIA Driver Helper Service, Version 258.96)
0x89FE4970 [1080] C:\WINDOWS\system32\hphmon03.exe (Hewlett-Packard, HPHa3mon)
0x8A7536E8 [1092] C:\WINDOWS\system32\svchost.exe (Microsoft Corporation, Generic Host Process for Win32 Services)
0x89EDA888 [1116] C:\Program Files\QuickTime\qttask.exe (Apple Computer, Inc., -)
0x8A94A348 [1152] C:\WINDOWS\system32\svchost.exe (Microsoft Corporation, Generic Host Process for Win32 Services)
0x89FE4C08 [1188] C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe (Microsoft Corporation, GrooveMonitor Utility)
0x89FEADA0 [1200] C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_monitor.exe (Hewlett-Packard Company, Device Monitor Application)
0x89E98B08 [1208] C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe (Acronis, Acronis Scheduler Helper)
0x8A6F6DA0 [1216] C:\WINDOWS\RTHDCPL.exe (Realtek Semiconductor Corp., Realtek HD Audio Control Panel)
0x89F70B08 [1232] C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc., McAfee Integrated Security Platform)
0x8A856C10 [1248] C:\WINDOWS\system32\svchost.exe (Microsoft Corporation, Generic Host Process for Win32 Services)
0x8A701718 [1312] C:\WINDOWS\system32\rundll32.exe (Microsoft Corporation, Run a DLL as an App)
0x89F72B08 [1316] C:\Program Files\Common Files\aol\1231969998\ee\aolsoftware.exe (AOL LLC, AOL)
0x89FDA5D8 [1340] C:\Program Files\iTunes\iTunesHelper.exe (Apple Computer, Inc., iTunesHelper Module)
0x89FE6350 [1344] C:\Program Files\Common Files\Java\Java Update\jusched.exe (Sun Microsystems, Inc., Java™ Update Scheduler)
0x89F71468 [1356] C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe (Nero AG, Nero Home)
0x8A839870 [1364] C:\WINDOWS\system32\svchost.exe (Microsoft Corporation, Generic Host Process for Win32 Services)
0x8A1B3B18 [1372] C:\WINDOWS\system32\wbem\wmiprvse.exe (Microsoft Corporation, WMI)
0x89E99720 [1396] C:\WINDOWS\system32\ctfmon.exe (Microsoft Corporation, CTF Loader)
0x89BB7020 [1408] C:\PROGRA~1\COMMON~1\McAfee\MSC\McUICnt.exe (McAfee, Inc., McAfee HTML UI Container)
0x89F683D0 [1416] C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe (Adobe Systems Inc., AcroTray)
0x89E8EB28 [1456] C:\Program Files\Belkin Bulldog Plus\MUPS.exe
0x89FDA020 [1460] C:\Program Files\Logitech\SetPoint\SetPoint.exe (Logitech, Inc., Logitech SetPoint Event Manager (UNICODE))
0x8A71B370 [1500] C:\WINDOWS\system32\svchost.exe (Microsoft Corporation, Generic Host Process for Win32 Services)
0x8A6C9870 [1548] C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe (Lavasoft, Ad-Aware Service Application)
0x8A6C9DA0 [1624] C:\WINDOWS\system32\spoolsv.exe (Microsoft Corporation, Spooler SubSystem App)
0x89F905E0 [1876] C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.exe (Logitech, Inc., Logitech KHAL Main Process)
0x8A7E3B10 [1924] C:\PROGRA~1\McAfee\MSM\McSmtFwk.exe (McAfee, Inc., McAfee Trusted Advisor Framework Exe)
0x8A6C0380 [1960] C:\WINDOWS\explorer.exe (Microsoft Corporation, Windows Explorer)
0x89ECCB08 [2164] C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe (McAfee, Inc., McAfee Services)
0x89EC6510 [2304] C:\PROGRA~1\COMMON~1\McAfee\MNA\McNASvc.exe (McAfee, Inc., McAfee Network Agent)
0x89F8EB38 [2336] C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe (McAfee, Inc., McAfee Proxy Service Module)
0x89B83020 [2600] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe (Lavasoft, Ad-Aware Tray Application)
0x89E069D8 [2724] C:\PROGRA~1\McAfee\VIRUSS~1\Mcshield.exe (McAfee, Inc., On-Access Scanner service)
0x89E02DA0 [2792] C:\Program Files\McAfee\MPF\MpfSrv.exe (McAfee, Inc., McAfee Personal Firewall Service)
0x89E3E9F8 [2868] C:\WINDOWS\system32\IoctlSvc.exe (Prolific Technology Inc., PLFlash DeviceIoControl Service)
0x89EECB08 [3104] C:\WINDOWS\system32\svchost.exe (Microsoft Corporation, Generic Host Process for Win32 Services)
0x89756868 [3152] C:\Documents and Settings\Jeff Nolan\Local Settings\Application Data\Google\Chrome\Application\chrome.exe (Google Inc., Google Chrome)
0x89E57DA0 [3220] C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (Nero AG, Nero Home)
0x897598B8 [3324] C:\Documents and Settings\Jeff Nolan\Desktop\oops\RKUnhookerLE.EXE (UG North, RKULE, SR2 Normandy)
0x8A87B370 [3348] C:\Program Files\Belkin Bulldog Plus\upsd.exe (Delta, upsd)
0x89E33870 [3396] C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe (Yahoo! Inc., AutoUpater Service Module)
0x89B21458 [3608] C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe (McAfee, Inc., McAfee SystemGuards Service)
0x897A5DA0 [3624] C:\Documents and Settings\Jeff Nolan\Local Settings\Application Data\Google\Chrome\Application\chrome.exe (Google Inc., Google Chrome)
0x89F0A830 [3640] C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe (Nero AG, Nero Home)
0x89745A20 [3656] C:\WINDOWS\system32\wbem\wmiprvse.exe (Microsoft Corporation, WMI)
0x8A8E0278 [3688] C:\WINDOWS\system32\hphipm09.exe (HP, PML Driver)
0x8A963020 [3840] C:\Program Files\Canon\CAL\CALMAIN.exe (Canon Inc., Canon Camera Access Library 8)
0x89FE9768 [3964] C:\Program Files\iPod\bin\iPodService.exe (Apple Computer, Inc., iPodService Module)
0x8A35A340 [4060] C:\WINDOWS\system32\wbem\unsecapp.exe (Microsoft Corporation, WMI)
==============================================
>Drivers
==============================================
0xB6940000 C:\WINDOWS\system32\DRIVERS\nv4_mini.sys 10604544 bytes (NVIDIA Corporation, NVIDIA Compatible Windows 2000 Miniport Driver, Version 258.96 )
0xBD012000 C:\WINDOWS\System32\nv4_disp.dll 6344704 bytes (NVIDIA Corporation, NVIDIA Compatible Windows 2000 Display driver, Version 258.96 )
0xB3BF9000 C:\WINDOWS\system32\drivers\RtkHDAud.sys 4874240 bytes (Realtek Semiconductor Corp., Realtek® High Definition Audio Function Driver)
0x804D7000 C:\WINDOWS\system32\ntkrnlpa.exe 2150400 bytes (Microsoft Corporation, NT Kernel & System)
0x804D7000 PnpManager 2150400 bytes
0x804D7000 RAW 2150400 bytes
0x804D7000 WMIxWDM 2150400 bytes
0xBF800000 Win32k 1855488 bytes
0xBF800000 C:\WINDOWS\System32\win32k.sys 1855488 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0xB7E5B000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)
0xB266B000 C:\WINDOWS\system32\DRIVERS\Wdf01000.sys 503808 bytes (Microsoft Corporation, WDF Dynamic)
0xB279D000 C:\WINDOWS\system32\DRIVERS\mrxsmb.sys 458752 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
0xB7DCE000 timntr.sys 393216 bytes (Acronis, Acronis True Image Backup Archive Explorer)
0xB68A6000 C:\WINDOWS\system32\DRIVERS\update.sys 385024 bytes (Microsoft Corporation, Update Driver)
0xB28CF000 C:\WINDOWS\system32\DRIVERS\tcpip.sys 364544 bytes
0xB12F6000 C:\WINDOWS\system32\DRIVERS\srv.sys 356352 bytes (Microsoft Corporation, Server driver)
0xBFFA0000 C:\WINDOWS\System32\ATMFD.DLL 286720 bytes (Adobe Systems Incorporated, Windows NT OpenType/Type 1 Font Driver)
0xB1415000 C:\WINDOWS\System32\Drivers\HTTP.sys 266240 bytes (Microsoft Corporation, HTTP Protocol Stack)
0xB276A000 C:\WINDOWS\system32\drivers\mfehidk.sys 208896 bytes (McAfee, Inc., Host Intrusion Detection Link Driver)
0xB7F79000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)
0xB147E000 C:\WINDOWS\system32\DRIVERS\mrxdav.sys 184320 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)
0xB7E2E000 NDIS.sys 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)
0xAE50A000 C:\WINDOWS\system32\drivers\kmixer.sys 176128 bytes (Microsoft Corporation, Kernel Mode Audio Mixer)
0xB280D000 C:\WINDOWS\system32\DRIVERS\rdbss.sys 176128 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0xB7380000 C:\WINDOWS\system32\DRIVERS\HDAudBus.sys 163840 bytes (Windows ® Server 2003 DDK provider, High Definition Audio Bus Driver v1.0a)
0xB285A000 C:\WINDOWS\system32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)
0xB2882000 C:\WINDOWS\System32\Drivers\Mpfp.sys 159744 bytes (McAfee, Inc., McAfee Personal Firewall Plus Driver)
0xB28A9000 C:\WINDOWS\system32\DRIVERS\ipnat.sys 155648 bytes (Microsoft Corporation, IP Network Address Translator)
0xB36FB000 C:\WINDOWS\system32\drivers\portcls.sys 147456 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0xB73A8000 C:\WINDOWS\system32\DRIVERS\USBPORT.SYS 147456 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0xB735D000 C:\WINDOWS\system32\DRIVERS\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)
0xB2838000 C:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0x806E4000 ACPI_HAL 134400 bytes
0x806E4000 C:\WINDOWS\system32\hal.dll 134400 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0xB7F11000 fltmgr.sys 131072 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0xB7F49000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver)
0xB7DB2000 snapman.sys 114688 bytes (Acronis, Acronis Snapshot API)
0xB7D98000 Mup.sys 106496 bytes (Microsoft Corporation, Multiple UNC Provider driver)
0xB7F31000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)
0xB7EE8000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0xB6915000 C:\WINDOWS\system32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
0xB16DB000 C:\WINDOWS\system32\drivers\wdmaud.sys 86016 bytes (Microsoft Corporation, MMSYSTEM Wave/Midi API mapper)
0xB73CC000 C:\WINDOWS\system32\DRIVERS\parport.sys 81920 bytes (Microsoft Corporation, Parallel Port Driver)
0xB692C000 C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver)
0xB2928000 C:\WINDOWS\system32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver)
0xBD000000 C:\WINDOWS\System32\drivers\dxg.sys 73728 bytes (Microsoft Corporation, DirectX Graphics Driver)
0xB0692000 C:\WINDOWS\system32\drivers\mfeavfk.sys 73728 bytes (McAfee, Inc., Anti-Virus File System Filter Driver)
0xB7EFF000 sr.sys 73728 bytes (Microsoft Corporation, System Restore Filesystem Filter Driver)
0xB7F68000 pci.sys 69632 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
0xB6904000 C:\WINDOWS\system32\DRIVERS\psched.sys 69632 bytes (Microsoft Corporation, MS QoS Packet Scheduler)
0xB73F0000 C:\WINDOWS\System32\Drivers\Cdfs.SYS 65536 bytes (Microsoft Corporation, CD-ROM File System Driver)
0xB8178000 C:\WINDOWS\system32\DRIVERS\cdrom.sys 65536 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
0xB8148000 C:\WINDOWS\system32\DRIVERS\serial.sys 65536 bytes (Microsoft Corporation, Serial Device Driver)
0xB8278000 C:\WINDOWS\system32\drivers\drmk.sys 61440 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
0xB80F8000 Lbd.sys 61440 bytes (Lavasoft AB, Boot Driver)
0xB8188000 C:\WINDOWS\system32\DRIVERS\redbook.sys 61440 bytes (Microsoft Corporation, Redbook Audio Filter Driver)
0xB1850000 C:\WINDOWS\system32\drivers\sysaudio.sys 61440 bytes (Microsoft Corporation, System Audio WDM Filter)
0xB8228000 C:\WINDOWS\system32\DRIVERS\usbhub.sys 61440 bytes (Microsoft Corporation, Default Hub Driver for USB)
0xB8138000 C:\WINDOWS\system32\DRIVERS\AmdK8.sys 57344 bytes (Advanced Micro Devices, AMD Processor Driver)
0xB80E8000 C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS 53248 bytes (Microsoft Corporation, SCSI Class System Dll)
0xB82F8000 C:\WINDOWS\system32\DRIVERS\hphid409.sys 53248 bytes (HP, IEEE-1284.4-1999 Driver (Windows 2000))
0xB8318000 C:\WINDOWS\System32\Drivers\hphs2k09.sys 53248 bytes (Hewlett-Packard, Printer Card Mass Storage Driver)
0xB8198000 C:\WINDOWS\system32\DRIVERS\rasl2tp.sys 53248 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
0xB80C8000 VolSnap.sys 53248 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0xB8308000 C:\WINDOWS\system32\DRIVERS\WDFLDR.SYS 53248 bytes (Microsoft Corporation, WDFLDR)
0xB81B8000 C:\WINDOWS\system32\DRIVERS\raspptp.sys 49152 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
0xB8158000 C:\WINDOWS\system32\DRIVERS\dlkfet5b.sys 45056 bytes (D-Link , NDIS 5.0 miniport driver)
0xB82D8000 C:\WINDOWS\System32\Drivers\Fips.SYS 45056 bytes (Microsoft Corporation, FIPS Crypto Driver)
0xB8168000 C:\WINDOWS\system32\DRIVERS\imapi.sys 45056 bytes (Microsoft Corporation, IMAPI Kernel Driver)
0xB80B8000 MountMgr.sys 45056 bytes (Microsoft Corporation, Mount Manager)
0xB81A8000 C:\WINDOWS\system32\DRIVERS\raspppoe.sys 45056 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
0xB80A8000 isapnp.sys 40960 bytes (Microsoft Corporation, PNP ISA Bus Driver)
0xB8218000 C:\WINDOWS\System32\Drivers\NDProxy.SYS 40960 bytes (Microsoft Corporation, NDIS Proxy)
0xB81D8000 C:\WINDOWS\system32\DRIVERS\termdd.sys 40960 bytes (Microsoft Corporation, Terminal Server Driver)
0xB80D8000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver)
0xB82E8000 C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS 36864 bytes (Microsoft Corporation, Hid Class Library)
0xB82A8000 C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys 36864 bytes (Microsoft Corporation, IP FILTER DRIVER)
0xB18A0000 C:\WINDOWS\system32\drivers\mfesmfk.sys 36864 bytes (McAfee, Inc., System Monitor Filter Driver)
0xB81C8000 C:\WINDOWS\system32\DRIVERS\msgpc.sys 36864 bytes (Microsoft Corporation, MS General Packet Classifier)
0xB82B8000 C:\WINDOWS\system32\DRIVERS\netbios.sys 36864 bytes (Microsoft Corporation, NetBIOS interface driver)
0xAE605000 C:\WINDOWS\System32\Drivers\Normandy.SYS 36864 bytes (RKU Driver)
0xB8298000 C:\WINDOWS\system32\DRIVERS\wanarp.sys 36864 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
0xB8340000 crpf.sys 32768 bytes (COMODO Security Solutions Inc., COMODO Safe Delete Filter)
0xB8348000 csdf.sys 32768 bytes (COMODO Security Solutions Inc., COMODO Safe Delete Filter)
0xB8410000 C:\WINDOWS\system32\DRIVERS\LHidFilt.Sys 32768 bytes (Logitech, Inc., Logitech HID Filter Driver.)
0xB8418000 C:\WINDOWS\system32\DRIVERS\LMouFilt.Sys 32768 bytes (Logitech, Inc., Logitech Mouse Filter Driver.)
0xB83E8000 C:\WINDOWS\System32\Drivers\Npfs.SYS 32768 bytes (Microsoft Corporation, NPFS Driver)
0xB8438000 C:\WINDOWS\system32\DRIVERS\nvsmu.sys 32768 bytes (NVIDIA Corporation, NVIDIA® nForce™ SMU Microcontroller Driver)
0xB21BD000 C:\WINDOWS\system32\DRIVERS\tifsfilt.sys 32768 bytes (Acronis, Acronis True Image File System Filter)
0xB83F8000 C:\WINDOWS\system32\DRIVERS\usbccgp.sys 32768 bytes (Microsoft Corporation, USB Common Class Generic Parent Driver)
0xB8448000 C:\WINDOWS\system32\DRIVERS\usbehci.sys 32768 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
0xB8450000 C:\WINDOWS\SYSTEM32\DRIVERS\GEARAspiWDM.sys 28672 bytes (GEAR Software Inc., CDRom Class Filter Driver)
0xB83D0000 C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS 28672 bytes (Microsoft Corporation, Hid Parsing Library)
0xB83B8000 C:\WINDOWS\system32\drivers\mfebopk.sys 28672 bytes (McAfee, Inc., Buffer Overflow Protection Driver)
0xB83C0000 C:\WINDOWS\system32\drivers\mferkdk.sys 28672 bytes (McAfee, Inc., VSCore Code Analysis Driver)
0xB8328000 C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS 28672 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
0xB8478000 C:\WINDOWS\system32\DRIVERS\kbdclass.sys 24576 bytes (Microsoft Corporation, Keyboard Class Driver)
0xB8480000 C:\WINDOWS\system32\DRIVERS\mouclass.sys 24576 bytes (Microsoft Corporation, Mouse Class Driver)
0xB8338000 pavboot.sys 24576 bytes (Panda Security, S.L., Panda Boot Driver)
0xB83D8000 C:\WINDOWS\System32\drivers\vga.sys 24576 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
0xB8470000 C:\WINDOWS\system32\DRIVERS\wanatw4.sys 24576 bytes (America Online, Inc., Wan Miniport (ATW))
0xB8408000 C:\WINDOWS\system32\DRIVERS\HidBatt.sys 20480 bytes (Microsoft Corporation, Hid Battery Driver)
0xB8400000 C:\WINDOWS\System32\drivers\hphius09.sys 20480 bytes (HP, 1284.4<->Usb Datalink Driver (Windows 2000))
0xB83E0000 C:\WINDOWS\System32\Drivers\Msfs.SYS 20480 bytes (Microsoft Corporation, Mailslot driver)
0xB8330000 PartMgr.sys 20480 bytes (Microsoft Corporation, Partition Manager)
0xB8460000 C:\WINDOWS\system32\DRIVERS\ptilink.sys 20480 bytes (Parallel Technologies, Inc., Parallel Technologies DirectParallel IO Library)
0xB8468000 C:\WINDOWS\system32\DRIVERS\raspti.sys 20480 bytes (Microsoft Corporation, PTI DirectParallel® mini-port/call-manager driver)
0xB8458000 C:\WINDOWS\system32\DRIVERS\TDI.SYS 20480 bytes (Microsoft Corporation, TDI Wrapper)
0xB8440000 C:\WINDOWS\system32\DRIVERS\usbohci.sys 20480 bytes (Microsoft Corporation, OHCI USB Miniport Driver)
0xB8430000 C:\WINDOWS\System32\watchdog.sys 20480 bytes (Microsoft Corporation, Watchdog Driver)
0xB84C0000 C:\WINDOWS\system32\DRIVERS\BATTC.SYS 16384 bytes (Microsoft Corporation, Battery Class Driver)
0xB29DA000 C:\WINDOWS\system32\DRIVERS\hphipr09.sys 16384 bytes (HP, IEEE-1284.4-1999 Print Class Driver)
0xB29E6000 C:\WINDOWS\system32\DRIVERS\kbdhid.sys 16384 bytes (Microsoft Corporation, HID Mouse Filter Driver)
0xB7D04000 C:\WINDOWS\system32\DRIVERS\mssmbios.sys 16384 bytes (Microsoft Corporation, System Management BIOS Driver)
0xB7D24000 C:\WINDOWS\system32\DRIVERS\ndisuio.sys 16384 bytes (Microsoft Corporation, NDIS User mode I/O Driver)
0xB7D1C000 C:\WINDOWS\system32\DRIVERS\serenum.sys 16384 bytes (Microsoft Corporation, Serial Port Enumerator)
0xB84B8000 C:\WINDOWS\system32\BOOTVID.dll 12288 bytes (Microsoft Corporation, VGA Boot Driver)
0xB84BC000 compbatt.sys 12288 bytes (Microsoft Corporation, Composite Battery Driver)
0xB85A0000 C:\WINDOWS\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver)
0xB412B000 C:\WINDOWS\system32\DRIVERS\hidusb.sys 12288 bytes (Microsoft Corporation, USB Miniport Driver for Input Devices)
0xB01EA000 C:\Program Files\Lavasoft\Ad-Aware\KernExplorer.sys 12288 bytes
0xB29E2000 C:\WINDOWS\system32\DRIVERS\mouhid.sys 12288 bytes (Microsoft Corporation, HID Mouse Filter Driver)
0xB7D10000 C:\WINDOWS\system32\DRIVERS\ndistapi.sys 12288 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
0xB7D34000 C:\WINDOWS\system32\DRIVERS\rasacd.sys 12288 bytes (Microsoft Corporation, RAS Automatic Connection Driver)
0xB8600000 C:\WINDOWS\system32\drivers\AsIO.sys 8192 bytes
0xB85F4000 C:\WINDOWS\System32\Drivers\Beep.SYS 8192 bytes (Microsoft Corporation, BEEP Driver)
0xB85F2000 C:\WINDOWS\System32\Drivers\Fs_Rec.SYS 8192 bytes (Microsoft Corporation, File System Recognizer Driver)
0xB85A8000 C:\WINDOWS\system32\KDCOM.DLL 8192 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
0xB85F6000 C:\WINDOWS\System32\Drivers\mnmdd.SYS 8192 bytes (Microsoft Corporation, Frame buffer simulator)
0xB860C000 C:\WINDOWS\System32\Drivers\ParVdm.SYS 8192 bytes (Microsoft Corporation, VDM Parallel Driver)
0xB85F8000 C:\WINDOWS\System32\DRIVERS\RDPCDD.sys 8192 bytes (Microsoft Corporation, RDP Miniport)
0xB85DC000 C:\WINDOWS\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
0xB85E0000 C:\WINDOWS\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
0xB85AA000 C:\WINDOWS\system32\DRIVERS\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
0xB871A000 C:\WINDOWS\system32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver)
0xB87E4000 C:\WINDOWS\System32\drivers\dxgthk.sys 4096 bytes (Microsoft Corporation, DirectX Graphics Driver Thunk)
0xB87DD000 C:\WINDOWS\System32\Drivers\LBeepKE.sys 4096 bytes (Logitech, Inc., Logitech Consumer Control Filter Driver.)
0xB872A000 C:\WINDOWS\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver)
0xB8670000 pciide.sys 4096 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)
==============================================
>Stealth
==============================================
0xB28CF000 WARNING: Virus alike driver modification [tcpip.sys], 364544 bytes
==============================================
>Files
==============================================
==============================================
>Hooks
==============================================
ntkrnlpa.exe+0x0002D524, Type: Inline - RelativeJump 0x80504524-->805044B2 [ntkrnlpa.exe]
ntkrnlpa.exe+0x0006ECBE, Type: Inline - RelativeJump 0x80545CBE-->80545CC5 [ntkrnlpa.exe]
ntkrnlpa.exe-->NtCreateFile, Type: Inline - RelativeJump 0x80579084-->B278378E [mfehidk.sys]
ntkrnlpa.exe-->NtCreateProcess, Type: Inline - RelativeJump 0x805D11EA-->B278373C [mfehidk.sys]
ntkrnlpa.exe-->NtCreateProcessEx, Type: Inline - RelativeJump 0x805D1134-->B2783750 [mfehidk.sys]
ntkrnlpa.exe-->NtDeleteKey, Type: Inline - RelativeJump 0x80623C64-->B278383B [mfehidk.sys]
ntkrnlpa.exe-->NtDeleteValueKey, Type: Inline - RelativeJump 0x80623E34-->B2783867 [mfehidk.sys]
ntkrnlpa.exe-->NtEnumerateKey, Type: Inline - RelativeJump 0x80624014-->B27838D5 [mfehidk.sys]
ntkrnlpa.exe-->NtEnumerateValueKey, Type: Inline - RelativeJump 0x8062427E-->B27838BF [mfehidk.sys]
ntkrnlpa.exe-->NtMapViewOfSection, Type: Inline - RelativeJump 0x805B1FE6-->B27837CE [mfehidk.sys]
ntkrnlpa.exe-->NtNotifyChangeKey, Type: Inline - RelativeJump 0x806259B6-->B2783901 [mfehidk.sys]
ntkrnlpa.exe-->NtOpenKey, Type: Inline - RelativeJump 0x80624BA6-->B2783811 [mfehidk.sys]
ntkrnlpa.exe-->NtOpenProcess, Type: Inline - RelativeJump 0x805CB3FA-->B2783714 [mfehidk.sys]
ntkrnlpa.exe-->NtOpenThread, Type: Inline - RelativeJump 0x805CB686-->B2783728 [mfehidk.sys]
ntkrnlpa.exe-->NtProtectVirtualMemory, Type: Inline - RelativeJump 0x805B83CA-->B27837A2 [mfehidk.sys]
ntkrnlpa.exe-->NtQueryKey, Type: Inline - RelativeJump 0x80624EE8-->B278393D [mfehidk.sys]
ntkrnlpa.exe-->NtQueryMultipleValueKey, Type: Inline - RelativeJump 0x80622916-->B27838A9 [mfehidk.sys]
ntkrnlpa.exe-->NtQueryValueKey, Type: Inline - RelativeJump 0x806219EC-->B2783893 [mfehidk.sys]
ntkrnlpa.exe-->NtRenameKey, Type: Inline - RelativeJump 0x806231EA-->B2783851 [mfehidk.sys]
ntkrnlpa.exe-->NtReplaceKey, Type: Inline - RelativeJump 0x8062589C-->B2783929 [mfehidk.sys]
ntkrnlpa.exe-->NtRestoreKey, Type: Inline - RelativeJump 0x806251A8-->B2783915 [mfehidk.sys]
ntkrnlpa.exe-->NtSetContextThread, Type: Inline - RelativeJump 0x805D16F4-->B278377A [mfehidk.sys]
ntkrnlpa.exe-->NtSetInformationProcess, Type: Inline - RelativeJump 0x805CDE44-->B2783766 [mfehidk.sys]
ntkrnlpa.exe-->NtTerminateProcess, Type: Inline - RelativeJump 0x805D2982-->B27837FD [mfehidk.sys]
ntkrnlpa.exe-->NtUnloadKey, Type: Inline - RelativeJump 0x80622064-->B27838EB [mfehidk.sys]
ntkrnlpa.exe-->NtUnmapViewOfSection, Type: Inline - RelativeJump 0x805B2DF4-->B27837E4 [mfehidk.sys]
ntkrnlpa.exe-->NtYieldExecution, Type: Inline - RelativeJump 0x80504B08-->B27837B8 [mfehidk.sys]


!!POSSIBLE ROOTKIT ACTIVITY DETECTED!! =)

Thanks
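Every named export in the hook list above is redirected into mfehidk.sys, and the driver lists later in this thread place mfehidk.sys next to the other McAfee drivers (mfebopk.sys, mferkdk.sys), so the first triage step is to attribute each hook to the module that owns the jump target and set aside the ones a known security product accounts for. The two entries at raw kernel offsets jump only a few bytes within ntkrnlpa.exe itself and need a separate look. The Python below is an added example, not part of the original post or of the scanner that produced the log: it parses hook lines in the format printed above, attributes each one through a module-to-vendor map (constructed here from the thread's driver list and to be treated as an assumption until the signed file on disk is checked), and flags anything unattributed. The sample lines are copied from the post, except the last one, which is constructed with a hypothetical module name to exercise the unattributed path.

```python
import re
from collections import defaultdict

# One hook per line, either "image-->Export" or "image+0xOFFSET", as printed above.
HOOK_RE = re.compile(
    r"^(?P<image>[A-Za-z0-9_.]+)"
    r"(?:-->(?P<func>\w+)|\+0x(?P<off>[0-9A-Fa-f]+)),\s*"
    r"Type:\s*(?P<kind>.+?)\s+0x(?P<src>[0-9A-Fa-f]+)-->(?P<dst>[0-9A-Fa-f]+)"
    r"\s*\[(?P<module>[^\]]+)\]\s*$"
)

# Constructed from the driver list in this thread; an assumption to be confirmed
# against the on-disk file's signature, not ground truth.
DRIVER_VENDORS = {
    "ntkrnlpa.exe": "Microsoft Corporation",
    "mfehidk.sys": "McAfee, Inc.",
}
SECURITY_VENDORS = {"McAfee, Inc."}

SAMPLE_HOOK_LINES = [
    "ntkrnlpa.exe+0x0002D524, Type: Inline - RelativeJump 0x80504524-->805044B2 [ntkrnlpa.exe]",
    "ntkrnlpa.exe+0x0006ECBE, Type: Inline - RelativeJump 0x80545CBE-->80545CC5 [ntkrnlpa.exe]",
    "ntkrnlpa.exe-->NtCreateFile, Type: Inline - RelativeJump 0x80579084-->B278378E [mfehidk.sys]",
    "ntkrnlpa.exe-->NtOpenProcess, Type: Inline - RelativeJump 0x805CB3FA-->B2783714 [mfehidk.sys]",
    "ntkrnlpa.exe-->NtTerminateProcess, Type: Inline - RelativeJump 0x805D2982-->B27837FD [mfehidk.sys]",
    # Constructed line with a hypothetical module name; not from the log.
    "ntkrnlpa.exe-->NtQuerySystemInformation, Type: Inline - RelativeJump 0x80600000-->B1000000 [example_unknown.sys]",
]


def parse_hook(line):
    """Return the hook's fields, or None if the line is not a hook entry."""
    m = HOOK_RE.match(line.strip())
    if not m:
        return None
    src, dst = int(m["src"], 16), int(m["dst"], 16)
    return {
        "image": m["image"],
        "target": m["func"] or f"{m['image']}+0x{m['off'].upper()}",
        "kind": m["kind"].strip(),
        "src": src,
        "dst": dst,
        "delta": dst - src,          # signed displacement of the patched jump
        "module": m["module"],
    }


def classify(hook):
    """intra-image: jump stays inside the hooked image (hot-patch style, look manually);
    expected:<vendor>: owned by an installed security product; unattributed: investigate."""
    if hook["module"] == hook["image"]:
        return "intra-image"
    vendor = DRIVER_VENDORS.get(hook["module"])
    if vendor in SECURITY_VENDORS:
        return f"expected:{vendor}"
    return "unattributed"


def triage(lines):
    """Group hooked targets by owning module and list the ones nobody accounts for."""
    by_module = defaultdict(list)
    unattributed = []
    for line in lines:
        hook = parse_hook(line)
        if hook is None:
            continue
        by_module[hook["module"]].append(hook["target"])
        if classify(hook) == "unattributed":
            unattributed.append(hook["target"])
    return {"by_module": dict(by_module), "unattributed": unattributed}


if __name__ == "__main__":
    for line in SAMPLE_HOOK_LINES:
        hook = parse_hook(line)
        print(f"{classify(hook):28s} {hook['target']:32s} delta={hook['delta']:+#x}")
    print(triage(SAMPLE_HOOK_LINES)["unattributed"])
```

Attribution by file name alone is only a starting point: a hostile driver can be dropped under any name, so the next step is to verify the signature and hash of the file the loaded-driver list points at before calling the McAfee hooks benign.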



#2 heir (Trusted Helper, Malware Removal, 5,427 posts)
Hello Armor500 !

Welcome to the site! :) My nickname is heir and I'll be helping clean up your computer. :)

Before we proceed to clean your computer from malware, let's go over some points that will help both me and you, and prevent causing damage to your computer:
  • Please don't be afraid to ask questions! No question is considered dumb here. It's better to be safe than sorry!
  • Please follow the steps exactly in the same order posted. If you can't perform a certain step, or you're unsure on what to do, please stop and let me know.
  • NEVER fix anything in HijackThis or other programs on your own! This can be very dangerous and cause harm to your system. If you see a certain entry or program you're unsure about, please don't hesitate to ask!
  • Make sure you reply to this thread using the Add Reply button.

Please read my posts completely before following the instructions.
It may be easier for you if you copy and paste a post to a new text document or print it for reference later.
This is required when you won't have access to the Internet.

Step 1.
ComboFix:

Download ComboFix from one of these locations:

Link 2
Link 3


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. Here is a howto for some of the applications.
    They may otherwise interfere with our tools

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.





Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

#3 Armor500 (Topic Starter, Member, 21 posts)
Thanks, Heir, for the help. This is one that I cannot find where it is hiding.

The program Combofix will not run on here.
Any other ideas?
Also, on a reboot I had to use all kinds of ways to get back to Windows after McAfee removed some files. I also have Ad-Aware, which is shut off also; now both are back on.

I downloaded it 3 times, but I am using Chrome, so I had to move it to my desktop from where it downloaded.

Still a problem I think.

Thanks,so what else should I try?

#4 heir (Trusted Helper, Malware Removal, 5,427 posts)
Do it like this, this time.

Delete the current ComboFix.exe on your desktop.

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 2
Link 3



--------------------------------------------------------------------

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. Here is a howto for some of the applications.
They may otherwise interfere with our tools


Double click on kombfiks.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt .


#5 Armor500 (Topic Starter, Member, 21 posts)
Okay, thanks for that. Got the program on, but it reboots and does not run again.
I am not signed on as Admin, so I have to start it over, and well, it reboots and it's all over again; been doing this now for an hour.
So what should I do?
Well, I have tried it again for another hour, same thing: it only goes so far, then a reboot, and then I have to restart it again.
Any other ideas?
Thanks for the Help Heir.

Edited by Armor500, 14 September 2010 - 02:42 PM.


#6 heir (Trusted Helper, Malware Removal, 5,427 posts)
Let's get another fresh set of logs.

Step 1.
OTL-scan:

Download OTL to your Desktop
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, tick the box beside Scan All Users at the top.
  • Underneath Output at the top set it to Standard Output.
  • Underneath the option Extra Registry set it to Use SafeList.
  • Underneath the option File Scans tick the boxes beside Use Company Name WhiteList, Skip Microsoft Files, LOP Check, Purity Check.
  • Download the following file scan.txt to your Desktop. You may need to right click on it and select "Save"
  • Double click inside the Custom Scan box at the bottom
  • A window will appear saying "Click Ok to load a custom scan from a file or Cancel to cancel"
  • Click the Ok button and navigate to the file scan.txt which we just saved to your desktop
  • Select scan.txt and click Open. Writing will now appear under the Custom Scan box
  • Click the Run Scan button. The scan won't take long.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them if you need to start a new topic.

Step 2.
GMER-scan:

GMER Rootkit Scanner - Download
  • Extract the contents of the zipped file to desktop.
  • Double click GMER.exe.
  • If it gives you a warning about rootkit activity and asks if you want to run a full scan, click on NO, then use the following settings for a more complete scan.
  • In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "ark.txt"
  • Save the log where you can easily find it, such as your desktop.
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.

Please copy and paste the report into your Post.


Step 3.
MBRCheck:

Please download MBRCheck.exe to your Desktop. Run the application.

If no infection is found, it will produce a report on the desktop. Post that report in your next reply.

If an infection is found, you will be presented with the following dialog:

Enter 'Y' and hit ENTER for more options, or 'N' to exit:


Type N and press Enter. A report will be produced on the desktop. Post that report in your next reply.

Step 4.
Things I would like to see in your reply:

  • The content of OTL.txt and Extras.txt from step 1.
  • The content of ark.txt from step 2.
  • The content of the report from MBR check in step 3.
  • Information on how your computer is running.


#7 Armor500 (Topic Starter, Member, 21 posts)
Heir one quick question before I do the three steps above.

First, I have a new copy of Vista from Microsoft, never installed. If I install it here over XP Home, would this solve all the problems of the browser hijack?

Yes or no?

Could not get that scan.txt file either.

On the running part, today I had one mess-up on the desktop; it said a RunDll was messed up, but the registry has been through [bleep] here.

Thanks for the help in regards to the problem.

I will wait for your response first.

But I guess better to start those programs.

Cheers
Jeff

Edited by Armor500, 15 September 2010 - 04:42 AM.


#8 heir (Trusted Helper, Malware Removal, 5,427 posts)

First I have a New copy of Vista never installed from Microsoft if I install it here over xp home,would this solve all the problems of the browser hijack?

Yes or no?

Doing a fresh install of a new OS will, yes.
I think this is fixable though.

Could not get that scan txt file neither.

Fixed the broken link. Works now.

#9 Armor500 (Topic Starter, Member, 21 posts)
Thanks Heir.
Okay, the second one would not run. Well, it did the first time, then a reboot; ran it again, locked up about 1 and hours, a restart on that one.
Last two lines were something in the root of the drive.
Posting the main boot record one for now.

MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows XP Home Edition
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000007c

Kernel Drivers (total 130):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0x806E4000 \WINDOWS\system32\hal.dll
0xB85A8000 \WINDOWS\system32\KDCOM.DLL
0xB84B8000 \WINDOWS\system32\BOOTVID.dll
0xB7F79000 ACPI.sys
0xB85AA000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xB7F68000 pci.sys
0xB80A8000 isapnp.sys
0xB84BC000 compbatt.sys
0xB84C0000 \WINDOWS\system32\DRIVERS\BATTC.SYS
0xB8670000 pciide.sys
0xB8328000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xB80B8000 MountMgr.sys
0xB7F49000 ftdisk.sys
0xB8330000 PartMgr.sys
0xB8338000 pavboot.sys
0xB80C8000 VolSnap.sys
0xB7F31000 atapi.sys
0xB80D8000 disk.sys
0xB80E8000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xB7F11000 fltmgr.sys
0xB7EFF000 sr.sys
0xB8340000 crpf.sys
0xB8348000 csdf.sys
0xB80F8000 Lbd.sys
0xB7EE8000 KSecDD.sys
0xB7E5B000 Ntfs.sys
0xB7E2E000 NDIS.sys
0xB7DCE000 timntr.sys
0xB7DB2000 snapman.sys
0xB7D98000 Mup.sys
0xB8138000 \SystemRoot\system32\DRIVERS\AmdK8.sys
0xB8148000 \SystemRoot\system32\DRIVERS\serial.sys
0xB7D10000 \SystemRoot\system32\DRIVERS\serenum.sys
0xB7326000 \SystemRoot\system32\DRIVERS\parport.sys
0xB8428000 \SystemRoot\system32\DRIVERS\nvsmu.sys
0xB8430000 \SystemRoot\system32\DRIVERS\usbohci.sys
0xB7302000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xB8438000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xB8158000 \SystemRoot\system32\DRIVERS\dlkfet5b.sys
0xB72DA000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0xB8168000 \SystemRoot\system32\DRIVERS\imapi.sys
0xB8178000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xB8188000 \SystemRoot\system32\DRIVERS\redbook.sys
0xB72B7000 \SystemRoot\system32\DRIVERS\ks.sys
0xB8440000 \SystemRoot\SYSTEM32\DRIVERS\GEARAspiWDM.sys
0xB689A000 \SystemRoot\system32\DRIVERS\nv4_mini.sys
0xB6886000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xB87A8000 \SystemRoot\system32\DRIVERS\audstub.sys
0xB8198000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xB7D04000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xB686F000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xB81A8000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xB81B8000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xB8448000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xB685E000 \SystemRoot\system32\DRIVERS\psched.sys
0xB81C8000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xB8450000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xB8458000 \SystemRoot\system32\DRIVERS\raspti.sys
0xB8460000 \SystemRoot\system32\DRIVERS\wanatw4.sys
0xB81D8000 \SystemRoot\system32\DRIVERS\termdd.sys
0xB8468000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xB8470000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xB85D6000 \SystemRoot\system32\DRIVERS\swenum.sys
0xB6800000 \SystemRoot\system32\DRIVERS\update.sys
0xB7BF3000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xB8228000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xB8238000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xB85DE000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xB3B23000 \SystemRoot\system32\drivers\RtkHDAud.sys
0xB37B0000 \SystemRoot\system32\drivers\portcls.sys
0xB8278000 \SystemRoot\system32\drivers\drmk.sys
0xB860A000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xB87F4000 \SystemRoot\System32\Drivers\Null.SYS
0xB860C000 \SystemRoot\System32\Drivers\Beep.SYS
0xB83E0000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xB83E8000 \SystemRoot\System32\drivers\vga.sys
0xB860E000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xB8610000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xB83F0000 \SystemRoot\System32\Drivers\Msfs.SYS
0xB83F8000 \SystemRoot\System32\Drivers\Npfs.SYS
0xB4061000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xB3659000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xB3600000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xB35B2000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xB82A8000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xB8408000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0xB8410000 \SystemRoot\System32\drivers\hphius09.sys
0xB7D64000 \SystemRoot\system32\DRIVERS\hidusb.sys
0xB82B8000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0xB358B000 \SystemRoot\System32\Drivers\Mpfp.sys
0xB73CA000 \SystemRoot\system32\DRIVERS\hphid409.sys
0xB73BA000 \SystemRoot\system32\DRIVERS\ipfltdrv.sys
0xB3563000 \SystemRoot\system32\DRIVERS\netbt.sys
0xB3541000 \SystemRoot\System32\drivers\afd.sys
0xB73AA000 \SystemRoot\system32\DRIVERS\netbios.sys
0xB3516000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xB34A6000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xB3473000 \SystemRoot\system32\drivers\mfehidk.sys
0xB738A000 \SystemRoot\System32\Drivers\Fips.SYS
0xB85E6000 \SystemRoot\system32\drivers\AsIO.sys
0xB8498000 \SystemRoot\system32\DRIVERS\HidBatt.sys
0xB84A0000 \SystemRoot\system32\DRIVERS\LHidFilt.Sys
0xB737A000 \SystemRoot\system32\DRIVERS\WDFLDR.SYS
0xB33F8000 \SystemRoot\system32\DRIVERS\Wdf01000.sys
0xB7D48000 \SystemRoot\system32\DRIVERS\kbdhid.sys
0xB7D44000 \SystemRoot\system32\DRIVERS\mouhid.sys
0xB84A8000 \SystemRoot\system32\DRIVERS\LMouFilt.Sys
0xB736A000 \SystemRoot\System32\Drivers\hphs2k09.sys
0xB3767000 \SystemRoot\system32\DRIVERS\hphipr09.sys
0xB8248000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xB35E4000 \SystemRoot\System32\drivers\Dxapi.sys
0xB83A8000 \SystemRoot\System32\watchdog.sys
0xBD000000 \SystemRoot\System32\drivers\dxg.sys
0xB8745000 \SystemRoot\System32\drivers\dxgthk.sys
0xBD012000 \SystemRoot\System32\nv4_disp.dll
0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
0xB37DC000 \SystemRoot\system32\DRIVERS\tifsfilt.sys
0xB35DC000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xB2CB4000 \SystemRoot\system32\drivers\wdmaud.sys
0xB82E8000 \SystemRoot\system32\drivers\sysaudio.sys
0xB2A7F000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xB8654000 \SystemRoot\System32\Drivers\ParVdm.SYS
0xB2A16000 \SystemRoot\System32\Drivers\HTTP.sys
0xB86F6000 \SystemRoot\System32\Drivers\LBeepKE.sys
0xB2857000 \SystemRoot\system32\DRIVERS\srv.sys
0xB8490000 \SystemRoot\system32\drivers\mfebopk.sys
0xB1D7D000 \SystemRoot\system32\drivers\mfeavfk.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 60):
0 System Idle Process
4 System
688 C:\WINDOWS\system32\smss.exe
784 csrss.exe
812 C:\WINDOWS\system32\winlogon.exe
856 C:\WINDOWS\system32\services.exe
868 C:\WINDOWS\system32\lsass.exe
1036 C:\WINDOWS\system32\nvsvc32.exe
1084 C:\WINDOWS\system32\svchost.exe
1152 svchost.exe
1248 C:\WINDOWS\system32\svchost.exe
1336 svchost.exe
1504 svchost.exe
1600 C:\WINDOWS\system32\spoolsv.exe
1904 C:\WINDOWS\explorer.exe
1992 svchost.exe
2032 C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
212 C:\Program Files\Common Files\aol\acs\AOLacsd.exe
260 C:\Program Files\Executive Software\Diskeeper\DkService.exe
360 C:\Program Files\Java\jre6\bin\jqs.exe
436 C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe
444 C:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe
452 C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
500 C:\WINDOWS\system32\hphmon03.exe
508 C:\Program Files\QuickTime\qttask.exe
516 C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
524 C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_monitor.exe
548 C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe
556 C:\WINDOWS\RTHDCPL.exe
572 C:\Program Files\McAfee.com\Agent\mcagent.exe
620 C:\WINDOWS\system32\rundll32.exe
628 C:\Program Files\Common Files\aol\1231969998\ee\aolsoftware.exe
488 C:\Program Files\iTunes\iTunesHelper.exe
196 C:\Program Files\Common Files\Java\Java Update\jusched.exe
676 C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
780 C:\WINDOWS\system32\ctfmon.exe
736 C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
832 C:\Program Files\Logitech\SetPoint\SetPoint.exe
936 C:\Program Files\Belkin Bulldog Plus\MUPS.exe
1192 C:\Program Files\Common Files\LightScribe\LSSrvc.exe
1884 C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.exe
2148 C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
2496 C:\PROGRA~1\COMMON~1\McAfee\MNA\McNASvc.exe
2584 C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe
2660 C:\PROGRA~1\McAfee\VIRUSS~1\Mcshield.exe
2776 C:\Program Files\McAfee\MPF\MpfSrv.exe
2832 C:\WINDOWS\system32\IoctlSvc.exe
2996 C:\WINDOWS\system32\svchost.exe
3120 C:\Program Files\Belkin Bulldog Plus\upsd.exe
3172 C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
3280 C:\WINDOWS\system32\wuauclt.exe
3484 C:\Program Files\Canon\CAL\CALMAIN.exe
3840 C:\Program Files\iPod\bin\iPodService.exe
2348 C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
2448 C:\WINDOWS\system32\hphipm09.exe
2480 C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
2920 C:\WINDOWS\system32\svchost.exe
3568 wmiprvse.exe
3364 C:\WINDOWS\system32\notepad.exe
3520 C:\Documents and Settings\Jeff Nolan\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
\\.\F: --> \\.\PhysicalDrive1 at offset 0x00000000`00007e00 (NTFS)

PhysicalDrive0 Model Number: ST3500320AS, Rev: SD15
PhysicalDrive1 Model Number: ST3500320AS, Rev: SD15

Size Device Name MBR Status
--------------------------------------------
465 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A
465 GB \\.\PhysicalDrive1 Unknown MBR code
SHA1: 639AC5CDF8A5CF3245975932C6A4215450A7B98F


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:

Done!


Will post the other one if I get it to run.

Thanks again.
Jeff
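MBRCheck's "Unknown MBR code" for PhysicalDrive1 means the hash of that drive's boot code was not in the tool's table of known loaders; by itself that is not proof of infection, least of all on a second data drive (F:) the machine never boots from. The check a practitioner wants is to read the 512-byte sector directly, confirm the 0x55AA boot signature, hash the boot-code region, decode the partition table, and diff the boot code against a trusted copy (the sector of the drive MBRCheck did recognise, or a copy saved before the trouble started). The Python below is an added example, not part of the original post or of MBRCheck. It hashes bytes 0..439; whether MBRCheck hashes exactly that range is not stated on this page, so its digests are not comparable with the SHA1 values in the report. The sample sectors are constructed: a seven-byte stand-in for the boot-code stub with one partition starting at LBA 63, which is the 0x7E00 byte offset the report shows for C:, and a copy altered at byte 0.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440          # bytes 0..439 precede the 4-byte disk signature at 0x1B8
PART_TABLE_OFF = 446         # 0x1BE: four 16-byte partition entries
PART_ENTRY = "<B3xB3xII"     # status, CHS (skipped), type, CHS (skipped), LBA start, sector count


def parse_mbr(sector: bytes) -> dict:
    """Decode one 512-byte MBR: boot signature, boot-code hash, disk signature, partitions."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        status, ptype, lba_start, count = struct.unpack_from(
            PART_ENTRY, sector, PART_TABLE_OFF + 16 * i)
        if ptype == 0:                       # empty slot
            continue
        partitions.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "byte_offset": lba_start * SECTOR_SIZE,   # what MBRCheck prints as "at offset"
            "sectors": count,
        })
    return {
        "signature_ok": sector[510:512] == b"\x55\xAA",
        "disk_signature": struct.unpack_from("<I", sector, BOOT_CODE_LEN)[0],
        "boot_code_sha1": hashlib.sha1(sector[:BOOT_CODE_LEN]).hexdigest().upper(),
        "partitions": partitions,
    }


def diff_boot_code(trusted: bytes, candidate: bytes) -> dict:
    """Compare a candidate's boot code with a trusted copy and locate the first changed byte."""
    t, c = parse_mbr(trusted), parse_mbr(candidate)
    first_diff = next(
        (i for i in range(BOOT_CODE_LEN) if trusted[i] != candidate[i]), None)
    return {
        "match": t["boot_code_sha1"] == c["boot_code_sha1"],
        "first_diff_offset": first_diff,
        "candidate_signature_ok": c["signature_ok"],
        "same_partition_table": t["partitions"] == c["partitions"],
    }


def build_mbr(boot_code: bytes, partitions, disk_sig: int) -> bytes:
    """Assemble a constructed MBR for testing (not a dump of the poster's disks)."""
    if len(boot_code) > BOOT_CODE_LEN:
        raise ValueError("boot code too long")
    buf = bytearray(SECTOR_SIZE)
    buf[:len(boot_code)] = boot_code
    struct.pack_into("<I", buf, BOOT_CODE_LEN, disk_sig)
    for i, (bootable, ptype, lba_start, count) in enumerate(partitions[:4]):
        struct.pack_into(PART_ENTRY, buf, PART_TABLE_OFF + 16 * i,
                         0x80 if bootable else 0x00, ptype, lba_start, count)
    buf[510:512] = b"\x55\xAA"
    return bytes(buf)


def read_physical_mbr(drive_number: int) -> bytes:
    """Read the real sector on Windows (needs an elevated prompt); not exercised here."""
    with open(rf"\\.\PhysicalDrive{drive_number}", "rb") as dev:
        return dev.read(SECTOR_SIZE)


# Constructed stand-ins: the opening bytes of a conventional x86 MBR stub
# (xor ax,ax / mov ss,ax / mov sp,0x7C00) and a copy whose entry point became a jump.
STUB_BOOT_CODE = b"\x33\xC0\x8E\xD0\xBC\x00\x7C"
ALTERED_BOOT_CODE = b"\xEB\x3E" + STUB_BOOT_CODE[2:]
# One NTFS partition (type 0x07) at LBA 63: 63 * 512 = 0x7E00, the offset reported for C:.
SAMPLE_PARTITIONS = [(True, 0x07, 63, 976768002)]   # sector count is made up

TRUSTED_MBR = build_mbr(STUB_BOOT_CODE, SAMPLE_PARTITIONS, 0x1234ABCD)
SUSPECT_MBR = build_mbr(ALTERED_BOOT_CODE, SAMPLE_PARTITIONS, 0x1234ABCD)

if __name__ == "__main__":
    for name, sec in (("trusted", TRUSTED_MBR), ("suspect", SUSPECT_MBR)):
        info = parse_mbr(sec)
        print(name, info["boot_code_sha1"],
              [hex(p["byte_offset"]) for p in info["partitions"]])
    print(diff_boot_code(TRUSTED_MBR, SUSPECT_MBR))
```

On the real box the comparison would be read_physical_mbr(0) against read_physical_mbr(1) after confirming drive 0 is the one the tool recognised; an unchanged partition table with altered boot code is the pattern worth escalating, while a non-Windows loader on a drive that is never booted usually just needs its origin explained.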

#10 heir (Trusted Helper, Malware Removal, 5,427 posts)
If GMER fails again.

First make sure you've disabled your security programs as they can interfere.

If that also fails.
Then run it with only Sections and the C: ticked.

Please post the results from GMER and OTL in your reply.



#11 Armor500 (Topic Starter, Member, 21 posts)
Okay, will do, and here for now are the other ones.

Sorry for the hang, but McAfee is off.




OTL logfile created on: 9/15/2010 7:44:09 AM - Run 1
OTL by OldTimer - Version 3.2.12.0 Folder = C:\Documents and Settings\Jeff Nolan\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 76.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 88.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 465.75 Gb Total Space | 383.88 Gb Free Space | 82.42% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
Drive F: | 465.76 Gb Total Space | 403.80 Gb Free Space | 86.70% Space Free | Partition Type: NTFS
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: HOME-EE928C4A19
Current User Name: Jeff Nolan
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/09/15 05:23:44 | 000,576,000 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Jeff Nolan\Desktop\OTL.exe
PRC - [2010/06/10 06:58:32 | 000,865,832 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MSC\mcmscsvc.exe
PRC - [2009/10/29 07:54:44 | 001,218,008 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee.com\Agent\mcagent.exe
PRC - [2009/10/27 12:19:46 | 000,895,696 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MPF\MpfSrv.exe
PRC - [2009/09/16 10:22:08 | 000,144,704 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\Mcshield.exe
PRC - [2009/07/20 12:30:50 | 000,813,584 | ---- | M] (Logitech, Inc.) -- C:\Program Files\Logitech\SetPoint\SetPoint.exe
PRC - [2009/07/10 12:42:32 | 000,055,824 | ---- | M] (Logitech, Inc.) -- C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.exe
PRC - [2009/07/08 11:54:34 | 000,359,952 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe
PRC - [2009/07/07 19:10:02 | 002,482,848 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
PRC - [2009/02/03 08:15:18 | 000,111,856 | ---- | M] (Yahoo! Inc) -- C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
PRC - [2008/11/09 15:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
PRC - [2008/06/24 13:34:50 | 000,041,824 | ---- | M] (AOL LLC) -- C:\Program Files\Common Files\aol\1231969998\ee\aolsoftware.exe
PRC - [2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2008/01/22 14:13:32 | 001,201,448 | ---- | M] (Nero AG) -- C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
PRC - [2008/01/22 14:13:20 | 000,152,872 | ---- | M] (Nero AG) -- C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
PRC - [2007/04/20 00:38:22 | 001,945,688 | ---- | M] (Acronis) -- C:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe
PRC - [2007/04/20 00:29:56 | 000,149,024 | ---- | M] (Acronis) -- C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe
PRC - [2007/04/20 00:29:44 | 000,411,168 | ---- | M] (Acronis) -- C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
PRC - [2007/04/20 00:24:50 | 001,169,744 | ---- | M] (Seagate) -- C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe
PRC - [2007/01/31 17:55:42 | 000,096,370 | ---- | M] (Canon Inc.) -- C:\Program Files\Canon\CAL\CALMAIN.exe
PRC - [2006/10/23 07:50:35 | 000,046,640 | R--- | M] (AOL LLC) -- C:\Program Files\Common Files\aol\acs\AOLacsd.exe
PRC - [2004/01/06 14:47:06 | 000,327,792 | ---- | M] (Executive Software International, Inc.) -- C:\Program Files\Executive Software\Diskeeper\DkService.exe
PRC - [2003/05/15 04:19:50 | 000,217,193 | ---- | M] (Adobe Systems Inc.) -- C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
PRC - [2003/03/10 19:51:42 | 000,229,376 | ---- | M] (Delta) -- C:\Program Files\Belkin Bulldog Plus\upsd.exe
PRC - [2002/07/25 17:41:38 | 000,049,152 | ---- | M] () -- C:\Program Files\Belkin Bulldog Plus\MUPS.exe
PRC - [2001/08/09 20:06:46 | 000,045,056 | ---- | M] (Hewlett-Packard Company) -- C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_monitor.exe
PRC - [2001/08/03 21:24:38 | 000,311,296 | ---- | M] (Hewlett-Packard) -- C:\WINDOWS\system32\hphmon03.exe
PRC - [2001/08/03 21:24:36 | 000,077,824 | ---- | M] (HP) -- C:\WINDOWS\system32\hphipm09.exe


========== Modules (SafeList) ==========

MOD - [2010/09/15 05:23:44 | 000,576,000 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Jeff Nolan\Desktop\OTL.exe
MOD - [2009/07/20 12:29:06 | 000,045,584 | ---- | M] (Logitech, Inc.) -- C:\Program Files\Logitech\SetPoint\lgscroll.dll
MOD - [2009/07/20 12:25:22 | 000,064,016 | ---- | M] (Logitech, Inc.) -- C:\Program Files\Logitech\SetPoint\GameHook.dll
MOD - [2009/07/11 19:41:02 | 000,097,280 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_473666fd\ATL80.dll
MOD - [2009/03/06 04:33:26 | 000,961,888 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Office\Office12\GrooveUtil.dll
MOD - [2009/02/12 15:19:38 | 000,178,040 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
MOD - [2009/02/12 15:19:32 | 002,217,848 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
MOD - [2008/10/25 11:44:34 | 000,022,872 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Office\Office12\GrooveNew.dll
MOD - [2008/07/25 12:17:20 | 000,635,904 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\msvcr80.dll
MOD - [2008/05/14 12:34:52 | 001,766,696 | ---- | M] (Nero AG) -- C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll
MOD - [2008/04/13 19:10:20 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx
MOD - [2008/04/13 12:39:24 | 002,897,920 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\xpsp2res.dll
MOD - [2008/04/13 12:37:57 | 000,208,384 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\rsaenh.dll
MOD - [2008/03/29 01:42:20 | 000,159,744 | ---- | M] () -- C:\Program Files\Essentials Codec Pack\Haali\mmfinfo.dll
MOD - [2008/03/29 01:41:52 | 000,023,552 | ---- | M] () -- C:\Program Files\Essentials Codec Pack\Haali\mkunicode.dll
MOD - [2003/03/19 10:20:00 | 001,060,864 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Ahead\Lib\MFC71.dll
MOD - [2003/03/19 10:14:52 | 000,499,712 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Ahead\Lib\msvcp71.dll
MOD - [2003/02/21 18:42:22 | 000,348,160 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Ahead\Lib\msvcr71.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- C:\WINDOWS\System32\appmgmts.dll -- (AppMgmt)
SRV - [2010/09/05 04:39:15 | 001,355,928 | ---- | M] (Lavasoft) [On_Demand | Stopped] -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe -- (Lavasoft Ad-Aware Service)
SRV - [2010/06/10 06:58:32 | 000,865,832 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\MSC\mcmscsvc.exe -- (mcmscsvc)
SRV - [2009/10/27 12:19:46 | 000,895,696 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\MPF\MPFSrv.exe -- (MpfService)
SRV - [2009/09/16 11:23:32 | 000,365,072 | ---- | M] (McAfee, Inc.) [On_Demand | Stopped] -- C:\Program Files\McAfee\VirusScan\mcods.exe -- (McODS)
SRV - [2009/09/16 10:22:08 | 000,144,704 | ---- | M] (McAfee, Inc.) [Unknown | Running] -- C:\Program Files\McAfee\VirusScan\Mcshield.exe -- (McShield)
SRV - [2009/09/16 09:28:38 | 000,606,736 | ---- | M] (McAfee, Inc.) [Disabled | Stopped] -- C:\Program Files\McAfee\VirusScan\mcsysmon.exe -- (McSysmon)
SRV - [2009/07/20 12:28:10 | 000,121,360 | ---- | M] (Logitech, Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe -- (LBTServ)
SRV - [2009/07/08 20:22:22 | 000,068,112 | ---- | M] (McAfee) [On_Demand | Stopped] -- C:\Program Files\McAfee\MBK\MBackMonitor.exe -- (MBackMonitor)
SRV - [2009/07/08 11:54:34 | 000,359,952 | ---- | M] (McAfee, Inc.) [Auto | Running] -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe -- (McProxy)
SRV - [2009/07/07 19:10:02 | 002,482,848 | ---- | M] (McAfee, Inc.) [Auto | Running] -- c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe -- (McNASvc)
SRV - [2008/11/09 15:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) [Auto | Running] -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe -- (YahooAUService)
SRV - [2007/04/20 00:29:44 | 000,411,168 | ---- | M] (Acronis) [Auto | Running] -- C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe -- (AcrSch2Svc)
SRV - [2007/01/31 17:55:42 | 000,096,370 | ---- | M] (Canon Inc.) [Auto | Running] -- C:\Program Files\Canon\CAL\CALMAIN.exe -- (CCALib8)
SRV - [2006/10/23 07:50:35 | 000,046,640 | R--- | M] (AOL LLC) [Auto | Running] -- C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe -- (AOL ACS)
SRV - [2004/01/06 14:47:06 | 000,327,792 | ---- | M] (Executive Software International, Inc.) [Auto | Running] -- C:\Program Files\Executive Software\Diskeeper\DkService.exe -- (Diskeeper)
SRV - [2003/03/10 19:51:42 | 000,229,376 | ---- | M] (Delta) [Auto | Running] -- C:\Program Files\Belkin Bulldog Plus\upsd.exe -- (UPSentry_Smart)
SRV - [2001/08/03 21:24:36 | 000,077,824 | ---- | M] (HP) [On_Demand | Running] -- C:\WINDOWS\system32\hphipm09.exe -- (Pml Driver)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- D:\PciCon.sys -- (PciCon)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\DRIVERS\LMouKE.Sys -- (LMouKE)
DRV - File not found [Kernel | On_Demand | Stopped] -- D:\INSTALL\GMSIPCI.SYS -- (GMSIPCI)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\DOCUME~1\JEFFNO~1\LOCALS~1\Temp\catchme.sys -- (catchme)
DRV - [2010/08/11 08:02:26 | 000,015,008 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Program Files\Lavasoft\Ad-Aware\kernexplorer.sys -- (Lavasoft Kernexplorer)
DRV - [2010/07/15 15:18:22 | 000,120,136 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\Mpfp.sys -- (MPFP)
DRV - [2010/07/09 17:38:00 | 010,604,128 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2010/07/06 12:28:45 | 000,064,288 | ---- | M] (Lavasoft AB) [File_System | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\Lbd.sys -- (Lbd)
DRV - [2010/05/10 10:44:48 | 000,022,328 | ---- | M] (Your Corporation) [Kernel | On_Demand | Stopped] -- C:\Program Files\MSI\MSIWDev\DVDSYS32_100507.sys -- (MSI_DVD_010507)
DRV - [2010/05/10 10:44:42 | 000,025,912 | ---- | M] (Your Corporation) [Kernel | On_Demand | Stopped] -- C:\Program Files\MSI\MSIWDev\msibios32_100507.sys -- (MSI_MSIBIOS_010507)
DRV - [2010/05/10 10:44:36 | 000,016,696 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Program Files\MSI\MSIWDev\VGASYS32_100507.sys -- (MSI_VGASYS_010507)
DRV - [2009/09/16 10:22:48 | 000,214,664 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\mfehidk.sys -- (mfehidk)
DRV - [2009/09/16 10:22:48 | 000,079,816 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfeavfk.sys -- (mfeavfk)
DRV - [2009/09/16 10:22:48 | 000,040,552 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mfesmfk.sys -- (mfesmfk)
DRV - [2009/09/16 10:22:48 | 000,035,272 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfebopk.sys -- (mfebopk)
DRV - [2009/09/16 10:22:14 | 000,034,248 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mferkdk.sys -- (mferkdk)
DRV - [2009/06/30 09:37:16 | 000,028,552 | ---- | M] (Panda Security, S.L.) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\pavboot.sys -- (pavboot)
DRV - [2009/06/17 11:56:16 | 000,037,392 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\LMouFilt.Sys -- (LMouFilt)
DRV - [2009/06/17 11:56:06 | 000,035,472 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\LHidFilt.Sys -- (LHidFilt)
DRV - [2009/03/18 09:54:44 | 000,039,440 | ---- | M] (COMODO Security Solutions Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\System32\drivers\csdf.sys -- (csdf)
DRV - [2009/03/18 09:53:06 | 000,036,624 | ---- | M] (COMODO Security Solutions Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\System32\drivers\crpf.sys -- (crpf)
DRV - [2009/01/07 20:33:44 | 000,392,320 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\timntr.sys -- (timounter)
DRV - [2009/01/07 20:33:44 | 000,032,768 | ---- | M] (Acronis) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\tifsfilt.sys -- (tifsfilter)
DRV - [2009/01/07 20:33:41 | 000,120,992 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\snapman.sys -- (snapman)
DRV - [2008/12/18 23:43:18 | 000,010,384 | ---- | M] (Logitech, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\LBeepKE.sys -- (LBeepKE)
DRV - [2008/04/17 03:33:26 | 004,707,328 | R--- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2008/04/13 13:36:38 | 000,020,352 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hidbatt.sys -- (HidBatt)
DRV - [2008/04/13 11:36:05 | 000,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2008/02/15 02:15:26 | 000,014,336 | R--- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nvsmu.sys -- (nvsmu)
DRV - [2008/01/28 23:37:48 | 000,022,016 | R--- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nvnetbus.sys -- (nvnetbus)
DRV - [2008/01/28 23:37:46 | 000,054,016 | R--- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\NVENETFD.sys -- (NVENETFD)
DRV - [2007/05/16 12:20:32 | 000,043,008 | ---- | M] (D-Link ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\dlkfet5b.sys -- (FETNDISB)
DRV - [2006/10/18 14:12:16 | 000,012,664 | R--- | M] () [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\AsIO.sys -- (AsIO)
DRV - [2006/08/15 00:09:48 | 000,083,200 | R--- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Rtenicxp.sys -- (RTLE8023xp)
DRV - [2006/07/02 01:39:40 | 000,036,864 | ---- | M] (Advanced Micro Devices) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\AmdK8.sys -- (AmdK8)
DRV - [2004/08/13 13:56:20 | 000,005,810 | R--- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ASACPI.sys -- (MTsensor)
DRV - [2004/08/03 17:31:34 | 000,020,992 | ---- | M] (Realtek Semiconductor Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\RTL8139.sys -- (rtl8139) Realtek RTL8139(A/B/C)
DRV - [2003/01/10 16:13:04 | 000,033,588 | R--- | M] (America Online, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\wanatw4.sys -- (wanatw) WAN Miniport (ATW)
DRV - [2002/06/23 16:31:20 | 000,045,568 | R--- | M] (D-Link Corporation ) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\DLKRTS.SYS -- (DLKRTS)
DRV - [2001/08/03 21:24:36 | 000,050,704 | ---- | M] (HP) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hphid409.sys -- (Dot4 HPH09)
DRV - [2001/08/03 21:24:36 | 000,050,051 | ---- | M] (Hewlett-Packard) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hphs2k09.sys -- (Dot4Storage HPH09) Storage Class Driver for IEEE-1284.4 (HPH09)
DRV - [2001/08/03 21:24:36 | 000,018,864 | ---- | M] (HP) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hphius09.sys -- (Dot4Usb HPH09)
DRV - [2001/08/03 21:24:36 | 000,015,984 | ---- | M] (HP) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hphipr09.sys -- (Dot4Print HPH09)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm


IE - HKU\.DEFAULT\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-776561741-527237240-839522115-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.msn.com
IE - HKU\S-1-5-21-776561741-527237240-839522115-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
IE - HKU\S-1-5-21-776561741-527237240-839522115-1004\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKU\S-1-5-21-776561741-527237240-839522115-1004\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Yahoo! Search
IE - HKU\S-1-5-21-776561741-527237240-839522115-1004\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://search.yahoo....=utf-8&fr=b1ie7
IE - HKU\S-1-5-21-776561741-527237240-839522115-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://my.yahoo.com/
IE - HKU\S-1-5-21-776561741-527237240-839522115-1004\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
IE - HKU\S-1-5-21-776561741-527237240-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://my.yahoo.com/"
FF - prefs.js..extensions.enabledItems: [email protected]:1.0

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/06/06 14:29:03 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/08/26 17:25:43 | 000,000,000 | ---D | M]

[2010/06/06 14:29:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jeff Nolan\Application Data\Mozilla\Extensions
[2010/09/14 07:23:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jeff Nolan\Application Data\Mozilla\Firefox\Profiles\s2pc2x1p.default\extensions
[2010/09/13 08:24:50 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Jeff Nolan\Application Data\Mozilla\Firefox\Profiles\s2pc2x1p.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/09/14 07:23:39 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/08/26 17:25:45 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
[2010/07/17 05:00:04 | 000,423,656 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll

O1 HOSTS File: ([2006/02/28 07:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (BitComet Helper) - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.3.1.15.dll (BitComet)
O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll (McAfee, Inc.)
O2 - BHO: (AcroIEToolbarHelper Class) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll ()
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll ()
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O3 - HKU\S-1-5-21-776561741-527237240-839522115-1004\..\Toolbar\ShellBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll ()
O3 - HKU\S-1-5-21-776561741-527237240-839522115-1004\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll ()
O3 - HKU\S-1-5-21-776561741-527237240-839522115-1004\..\Toolbar\WebBrowser: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O4 - HKLM..\Run: [Acronis Scheduler2 Service] C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe (Acronis)
O4 - HKLM..\Run: [AcronisTimounterMonitor] C:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe (Acronis)
O4 - HKLM..\Run: [Alcmtr] C:\WINDOWS\Alcmtr.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [CXMon] C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe (Hewlett-Packard Company)
O4 - HKLM..\Run: [DiscWizardMonitor.exe] C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe (Seagate)
O4 - HKLM..\Run: [HostManager] C:\Program Files\Common Files\aol\1231969998\ee\aolsoftware.exe (AOL LLC)
O4 - HKLM..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe (HP)
O4 - HKLM..\Run: [HPHmon03] C:\WINDOWS\system32\hphmon03.exe (Hewlett-Packard)
O4 - HKLM..\Run: [Kernel and Hardware Abstraction Layer] C:\WINDOWS\KHALMNPR.Exe (Logitech, Inc.)
O4 - HKLM..\Run: [Logitech Hardware Abstraction Layer] C:\WINDOWS\KHALMNPR.Exe (Logitech, Inc.)
O4 - HKLM..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
O4 - HKLM..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe (Nero AG)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe ()
O4 - HKLM..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe (Yahoo! Inc)
O4 - HKU\.DEFAULT..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe (Yahoo! Inc)
O4 - HKU\S-1-5-18..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe (Yahoo! Inc)
O4 - HKU\S-1-5-21-776561741-527237240-839522115-1004..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe (Nero AG)
O4 - HKU\S-1-5-21-776561741-527237240-839522115-1004..\Run: [Search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe (Yahoo! Inc)
O4 - HKU\S-1-5-21-776561741-527237240-839522115-1004..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe (Yahoo! Inc)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe (Adobe Systems Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe (Logitech, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\MUPS.lnk = C:\Program Files\Belkin Bulldog Plus\MUPS.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-776561741-527237240-839522115-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-776561741-527237240-839522115-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O8 - Extra context menu item: &D&ownload &with BitComet - C:\Program Files\BitComet\BitComet.exe (www.BitComet.com)
O8 - Extra context menu item: &D&ownload all video with BitComet - C:\Program Files\BitComet\BitComet.exe (www.BitComet.com)
O8 - Extra context menu item: &D&ownload all with BitComet - C:\Program Files\BitComet\BitComet.exe (www.BitComet.com)
O8 - Extra context menu item: &ieSpell Options - C:\Program Files\ieSpell\iespell.dll (Red Egg Software)
O8 - Extra context menu item: Check &Spelling - C:\Program Files\ieSpell\iespell.dll (Red Egg Software)
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O8 - Extra context menu item: Lookup on Merriam Webster - C:\Program Files\ieSpell\Merriam Webster.HTM ()
O8 - Extra context menu item: Lookup on Wikipedia - C:\Program Files\ieSpell\wikipedia.HTM ()
O9 - Extra Button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll (Red Egg Software)
O9 - Extra 'Tools' menuitem : ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll (Red Egg Software)
O9 - Extra 'Tools' menuitem : ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll (Red Egg Software)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra Button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - C:\Program Files\BitComet\tools\BitCometBHO_1.3.1.15.dll (BitComet)
O15 - HKU\S-1-5-21-776561741-527237240-839522115-1004\..Trusted Domains: aol.com ([objects] * is out of zone range - 5)
O15 - HKU\S-1-5-21-776561741-527237240-839522115-1004\..Trusted Domains: com ([www.msi] http in Trusted sites)
O15 - HKU\S-1-5-21-776561741-527237240-839522115-1004\..Trusted Domains: com.tw ([asia.msi] http in Trusted sites)
O15 - HKU\S-1-5-21-776561741-527237240-839522115-1004\..Trusted Domains: com.tw ([global.msi] http in Trusted sites)
O15 - HKU\S-1-5-21-776561741-527237240-839522115-1004\..Trusted Domains: com.tw ([www.msi] http in Trusted sites)
O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} http://support.asus....ek_sys_ctrl.cab (asusTek_sysctrl Class)
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} http://www.nvidia.co...sreqlab_nvd.cab (System Requirements Lab Class)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} C:\Program Files\Yahoo!\Common\Yinsthelper.dll (Installation Support)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://www.update.mi...b?1231607999246 (WUWebControl Class)
O16 - DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} http://das.microsoft...tail/DASAct.cab (DASWebDownload Class)
O16 - DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} http://liveupdate.ms...ine/install.cab (WebSDev Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} http://acs.pandasoft...s/as2stubie.cab (ActiveScan 2.0 Installer Class)
O16 - DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.ma...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} http://gfx1.hotmail....ol/MSNPUpld.cab (Windows Live Hotmail Photo Upload Tool)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.105.28.12 68.105.29.12 68.105.28.11
O18 - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\LBTWlgn: DllName - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll - c:\Program Files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll (Logitech, Inc.)
O24 - Desktop WallPaper: C:\Documents and Settings\Jeff Nolan\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Jeff Nolan\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O30 - LSA: Authentication Packages - (relog_ap) - C:\WINDOWS\System32\relog_ap.dll (Acronis)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/01/02 11:42:36 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2009/04/01 18:56:16 | 000,000,183 | ---- | M] () - F:\AutoExec.zip -- [ NTFS ]
O32 - AutoRun File - [2009/03/06 22:18:17 | 000,000,578 | ---- | M] () - F:\AutoFix_2009-03-06_21-17-56.txt -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (lsdelete) - C:\WINDOWS\System32\lsdelete.exe ()
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: AppMgmt - C:\WINDOWS\System32\appmgmts.dll File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: Wmi - C:\WINDOWS\System32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - File not found

Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: VIDC.ACDV - ACDV.dll File not found
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (6477772755042304)

========== Files/Folders - Created Within 30 Days ==========

[2010/09/15 05:23:44 | 000,576,000 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Jeff Nolan\Desktop\OTL.exe
[2010/09/14 15:54:32 | 000,000,000 | --SD | C] -- C:\Kombfixs
[2010/09/14 14:47:19 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2010/09/14 14:45:00 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/09/14 14:45:00 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/09/14 14:45:00 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/09/14 14:45:00 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/09/14 14:44:49 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/09/14 14:44:20 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/09/14 13:35:42 | 000,000,000 | ---D | C] -- C:\WINDOWS\ie7updates
[2010/09/14 13:33:55 | 000,000,000 | -H-D | C] -- C:\WINDOWS\ie7
[2010/09/14 13:33:42 | 000,000,000 | -H-D | C] -- C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$
[2010/09/14 13:33:14 | 000,000,000 | -H-D | C] -- C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$
[2010/09/14 10:46:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jeff Nolan\Desktop\Onlinestatements
[2010/09/14 10:46:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jeff Nolan\Desktop\Trackpins
[2010/09/14 10:46:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jeff Nolan\Desktop\Fossils
[2010/09/14 10:46:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jeff Nolan\Desktop\fluorescence-red
[2010/09/14 10:46:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jeff Nolan\Desktop\Style xp
[2010/09/14 10:46:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jeff Nolan\Desktop\Simon
[2010/09/14 10:46:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jeff Nolan\Desktop\Pics from desktop
[2010/09/14 10:46:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jeff Nolan\Desktop\Pens
[2010/09/14 10:46:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jeff Nolan\Desktop\Man
[2010/09/14 10:46:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jeff Nolan\Desktop\lee15
[2010/09/14 10:46:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jeff Nolan\Desktop\Victor
[2010/09/14 10:46:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jeff Nolan\Desktop\Rust
[2010/09/14 10:46:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jeff Nolan\Desktop\Music
[2010/09/14 10:46:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jeff Nolan\Desktop\JEmima
[2010/09/14 10:46:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jeff Nolan\Desktop\Jeep
[2010/09/14 10:46:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jeff Nolan\Desktop\image001
[2010/09/14 10:46:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jeff Nolan\Desktop\Chuck
[2010/09/14 10:02:11 | 000,000,000 | ---D | C] -- C:\Config.Msi
[2010/09/13 17:33:04 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2010/09/13 17:09:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jeff Nolan\Desktop\oops
[2010/09/13 10:54:41 | 000,028,552 | ---- | C] (Panda Security, S.L.) -- C:\WINDOWS\System32\drivers\pavboot.sys
[2010/09/13 10:54:30 | 000,000,000 | ---D | C] -- C:\Program Files\Panda Security
[2010/09/12 09:38:24 | 000,000,000 | -H-D | C] -- C:\WINDOWS\msdownld.tmp
[2010/09/05 08:01:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jeff Nolan\Desktop\Figures
[2010/08/26 17:25:53 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2010/08/20 10:44:49 | 000,000,000 | ---D | C] -- C:\Program Files\FLV Player
[8 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/09/15 07:39:23 | 000,019,265 | ---- | M] () -- C:\WINDOWS\System32\Config.MPF
[2010/09/15 07:23:06 | 000,000,358 | ---- | M] () -- C:\WINDOWS\tasks\WECPUpdate.job
[2010/09/15 07:23:02 | 000,002,422 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/09/15 07:23:00 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/09/15 07:22:57 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/09/15 05:34:54 | 000,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2010/09/15 05:26:40 | 000,080,384 | ---- | M] () -- C:\Documents and Settings\Jeff Nolan\Desktop\MBRCheck.exe
[2010/09/15 05:25:12 | 000,284,915 | ---- | M] () -- C:\Documents and Settings\Jeff Nolan\Desktop\gmer.zip
[2010/09/15 05:23:44 | 000,576,000 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Jeff Nolan\Desktop\OTL.exe
[2010/09/15 05:07:00 | 000,000,998 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-776561741-527237240-839522115-1004UA.job
[2010/09/15 05:00:41 | 002,994,590 | ---- | M] () -- C:\Documents and Settings\Jeff Nolan\Desktop\2010_0905Image0023.jpg
[2010/09/15 04:58:15 | 000,000,687 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/09/14 20:33:25 | 006,553,600 | ---- | M] () -- C:\Documents and Settings\Jeff Nolan\NTUSER.DAT
[2010/09/14 19:07:00 | 000,000,946 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-776561741-527237240-839522115-1004Core.job
[2010/09/14 14:47:25 | 000,000,339 | RHS- | M] () -- C:\boot.ini
[2010/09/14 14:42:19 | 003,845,016 | R--- | M] () -- C:\Documents and Settings\Jeff Nolan\Desktop\Kombfixs.exe
[2010/09/14 14:33:20 | 000,000,815 | ---- | M] () -- C:\Documents and Settings\Jeff Nolan\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2010/09/14 13:36:01 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/09/13 17:33:04 | 000,001,734 | ---- | M] () -- C:\Documents and Settings\Jeff Nolan\Desktop\HijackThis.lnk
[2010/09/13 14:41:06 | 000,000,097 | ---- | M] () -- C:\LUO.bat
[2010/09/13 10:31:28 | 000,000,036 | ---- | M] () -- C:\Documents and Settings\Jeff Nolan\Local Settings\Application Data\housecall.guid.cache
[2010/09/12 11:12:17 | 000,443,918 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/09/12 11:12:17 | 000,072,050 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/09/12 06:41:08 | 000,003,060 | ---- | M] () -- C:\WINDOWS\crpf.bin
[2010/09/08 21:00:23 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Jeff Nolan\ntuser.ini
[2010/09/01 19:12:06 | 000,014,881 | ---- | M] () -- C:\Documents and Settings\Jeff Nolan\My Documents\The Discovery Channel MUST broadcast to the world their commitment to save the planet and to do the following IMMEDIATELY.docx
[2010/08/21 11:10:41 | 004,452,992 | ---- | M] () -- C:\Documents and Settings\Jeff Nolan\Desktop\file____C__Documents%20and%20Settings_Jeff%20Nolan_Desktop_Armorama%20%20M4%20Aunt%20Jemima%20-%201-35%20scale.pdf
[2010/08/20 10:43:16 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/08/19 14:33:18 | 000,000,069 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[8 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/09/15 05:43:08 | 000,293,376 | ---- | C] () -- C:\Documents and Settings\Jeff Nolan\Desktop\gmer.exe
[2010/09/15 05:26:40 | 000,080,384 | ---- | C] () -- C:\Documents and Settings\Jeff Nolan\Desktop\MBRCheck.exe
[2010/09/15 05:25:12 | 000,284,915 | ---- | C] () -- C:\Documents and Settings\Jeff Nolan\Desktop\gmer.zip
[2010/09/15 05:00:29 | 002,994,590 | ---- | C] () -- C:\Documents and Settings\Jeff Nolan\Desktop\2010_0905Image0023.jpg
[2010/09/14 14:47:24 | 000,000,223 | ---- | C] () -- C:\Boot.bak
[2010/09/14 14:47:20 | 000,260,272 | RHS- | C] () -- C:\cmldr
[2010/09/14 14:45:00 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/09/14 14:45:00 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/09/14 14:45:00 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/09/14 14:45:00 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/09/14 14:45:00 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/09/14 14:42:19 | 003,845,016 | R--- | C] () -- C:\Documents and Settings\Jeff Nolan\Desktop\Kombfixs.exe
[2010/09/14 14:33:20 | 000,000,815 | ---- | C] () -- C:\Documents and Settings\Jeff Nolan\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2010/09/13 17:33:04 | 000,001,734 | ---- | C] () -- C:\Documents and Settings\Jeff Nolan\Desktop\HijackThis.lnk
[2010/09/13 10:31:28 | 000,000,036 | ---- | C] () -- C:\Documents and Settings\Jeff Nolan\Local Settings\Application Data\housecall.guid.cache
[2010/09/12 05:57:34 | 000,003,060 | ---- | C] () -- C:\WINDOWS\crpf.bin
[2010/09/01 19:12:06 | 000,014,881 | ---- | C] () -- C:\Documents and Settings\Jeff Nolan\My Documents\The Discovery Channel MUST broadcast to the world their commitment to save the planet and to do the following IMMEDIATELY.docx
[2010/08/21 11:10:40 | 004,452,992 | ---- | C] () -- C:\Documents and Settings\Jeff Nolan\Desktop\file____C__Documents%20and%20Settings_Jeff%20Nolan_Desktop_Armorama%20%20M4%20Aunt%20Jemima%20-%201-35%20scale.pdf
[2009/10/07 14:25:47 | 000,000,133 | ---- | C] () -- C:\Documents and Settings\Jeff Nolan\Local Settings\Application Data\fusioncache.dat
[2009/01/17 21:44:28 | 000,000,069 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2009/01/17 19:53:38 | 000,014,848 | ---- | C] () -- C:\Documents and Settings\Jeff Nolan\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/01/15 13:45:39 | 000,000,029 | ---- | C] () -- C:\WINDOWS\DEBUGSM.INI
[2009/01/15 13:41:26 | 000,290,919 | ---- | C] () -- C:\WINDOWS\System32\pythoncom21.dll
[2009/01/15 13:41:26 | 000,057,344 | ---- | C] () -- C:\WINDOWS\System32\PyWinTypes21.dll
[2009/01/15 13:39:30 | 000,096,768 | ---- | C] () -- C:\WINDOWS\SlantAdj.dll
[2009/01/15 13:39:30 | 000,000,072 | ---- | C] () -- C:\WINDOWS\System32\epDPE.ini
[2009/01/15 13:38:00 | 000,000,111 | ---- | C] () -- C:\WINDOWS\EPSON Perfection 3170.ini
[2009/01/15 13:30:11 | 000,000,034 | ---- | C] () -- C:\WINDOWS\hpfsched.ini
[2009/01/14 18:06:06 | 000,000,000 | ---- | C] () -- C:\WINDOWS\OpPrintServer.INI
[2009/01/02 11:58:56 | 000,024,576 | R--- | C] () -- C:\WINDOWS\System32\AsIO.dll
[2009/01/02 11:58:56 | 000,012,664 | R--- | C] () -- C:\WINDOWS\System32\drivers\AsIO.sys
[2009/01/02 11:50:24 | 000,022,388 | ---- | C] () -- C:\WINDOWS\Ascd_log.ini
[2009/01/02 11:50:13 | 000,020,691 | ---- | C] () -- C:\WINDOWS\Ascd_tmp.ini
[2009/01/02 11:50:11 | 000,005,810 | R--- | C] () -- C:\WINDOWS\System32\drivers\ASACPI.sys
[2009/01/02 11:50:00 | 000,012,536 | ---- | C] () -- C:\WINDOWS\System32\drivers\ASUSHWIO.SYS
[2008/02/01 09:18:14 | 000,009,216 | ---- | C] () -- C:\WINDOWS\System32\drivers\FlashSys.sys
[2007/06/28 11:43:00 | 000,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
[2004/09/17 20:37:42 | 000,069,632 | ---- | C] () -- C:\WINDOWS\System32\vuins32.dll

========== LOP Check ==========

[2009/01/16 17:25:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ACD Systems
[2009/01/02 12:19:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\LightScribe
[2009/01/07 20:53:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Seagate
[2009/01/14 16:54:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
[2010/07/15 05:10:03 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\{65893B95-F47B-4483-B883-86BA181E9B54}
[2009/01/16 17:32:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jeff Nolan\Application Data\ACD Systems
[2010/07/17 20:36:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jeff Nolan\Application Data\Amazon
[2009/11/12 07:05:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jeff Nolan\Application Data\Deneba
[2009/10/25 11:28:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jeff Nolan\Application Data\EPSON
[2009/01/17 12:25:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jeff Nolan\Application Data\ieSpell
[2009/01/15 13:43:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jeff Nolan\Application Data\Leadertech
[2009/01/15 13:45:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jeff Nolan\Application Data\Smart Panel
[2009/03/06 16:32:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jeff Nolan\Application Data\Uniblue
[2009/09/06 06:24:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jeff Nolan\Application Data\Windows Search
[2010/09/15 05:34:54 | 000,000,472 | ---- | M] () -- C:\WINDOWS\Tasks\Ad-Aware Update (Weekly).job
[2009/10/07 14:23:38 | 000,000,350 | ---- | M] () -- C:\WINDOWS\Tasks\McDefragTask.job
[2009/10/07 14:23:37 | 000,000,328 | ---- | M] () -- C:\WINDOWS\Tasks\McQcTask.job
[2010/09/15 07:23:06 | 000,000,358 | ---- | M] () -- C:\WINDOWS\Tasks\WECPUpdate.job

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.* >
[2010/09/15 07:22:50 | 000,089,005 | ---- | M] () -- C:\aaw7boot.log
[2009/01/02 11:42:36 | 000,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT
[2010/07/28 05:30:15 | 000,000,223 | ---- | M] () -- C:\Boot.bak
[2009/01/02 11:50:54 | 000,000,223 | RHS- | M] () -- C:\BOOT.BKK
[2010/09/14 14:47:25 | 000,000,339 | RHS- | M] () -- C:\boot.ini
[2004/08/03 23:00:00 | 000,260,272 | RHS- | M] () -- C:\cmldr
[2009/01/02 11:42:36 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS
[2009/01/02 11:42:36 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
[2010/09/13 14:41:06 | 000,000,097 | ---- | M] () -- C:\LUO.bat
[2009/01/02 11:42:36 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
[2006/02/28 07:00:00 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
[2009/01/10 14:40:29 | 000,250,048 | RHS- | M] () -- C:\ntldr
[2009/09/10 18:15:15 | 000,262,144 | ---- | M] () -- C:\ntuser.dat
[2009/09/10 18:15:15 | 000,001,024 | -H-- | M] () -- C:\ntuser.dat.LOG
[2010/09/15 07:22:50 | 2145,386,496 | -HS- | M] () -- C:\pagefile.sys
[2010/09/13 14:52:11 | 000,000,417 | ---- | M] () -- C:\rkill.log

< %systemroot%\Fonts\*.com >
[2006/04/18 16:39:28 | 000,026,040 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalMonospace.CompositeFont
[2006/06/29 15:53:56 | 000,026,489 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalSansSerif.CompositeFont
[2006/04/18 16:39:28 | 000,029,779 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalSerif.CompositeFont
[2006/06/29 15:58:52 | 000,030,808 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalUserInterface.CompositeFont

< %systemroot%\Fonts\*.dll >

< %systemroot%\Fonts\*.ini >
[2009/01/02 11:42:17 | 000,000,067 | -HS- | M] () -- C:\WINDOWS\Fonts\desktop.ini

< %systemroot%\Fonts\*.ini2 >

< %systemroot%\Fonts\*.exe >

< %systemroot%\system32\spool\prtprocs\w32x86\*.* >
[2008/07/06 07:06:10 | 000,089,088 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll
[2006/10/26 19:56:12 | 000,033,104 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\msonpppr.dll
[2008/07/06 05:50:03 | 000,597,504 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\printfilterpipelinesvc.exe

< %systemroot%\REPAIR\*.bak1 >

< %systemroot%\REPAIR\*.ini >

< %systemroot%\system32\*.jpg >

< %systemroot%\*.jpg >

< %systemroot%\*.png >

< %systemroot%\*.scr >

< %systemroot%\*._sy >

< %APPDATA%\Adobe\Update\*.* >

< %ALLUSERSPROFILE%\Favorites\*.* >

< %APPDATA%\Microsoft\*.* >
[2010/01/27 18:02:57 | 000,001,674 | -H-- | M] () -- C:\Documents and Settings\Jeff Nolan\Application Data\Microsoft\LastFlashConfig.WFC

< %PROGRAMFILES%\*.* >

< %APPDATA%\Update\*.* >

< %systemroot%\*. /mp /s >

< %systemroot%\System32\config\*.sav >
[2009/01/02 03:29:18 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2009/01/02 03:29:18 | 000,634,880 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2009/01/02 03:29:18 | 000,901,120 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

< %PROGRAMFILES%\bak. /s >

< %systemroot%\system32\bak. /s >

< %ALLUSERSPROFILE%\Start Menu\*.lnk /x >
[2009/01/10 14:47:17 | 000,000,272 | -HS- | M] () -- C:\Documents and Settings\All Users\Start Menu\desktop.ini

< %systemroot%\system32\config\systemprofile\*.dat /x >

< %systemroot%\*.config >

< %systemroot%\system32\*.db >
[2008/04/10 22:52:08 | 000,648,192 | ---- | M] () -- C:\WINDOWS\system32\NEROINSTAEC43759.DB
[1 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x >
[2009/01/10 14:55:27 | 000,000,119 | -HS- | M] () -- C:\Documents and Settings\Jeff Nolan\Application Data\Microsoft\Internet Explorer\Quick Launch\desktop.ini
[2009/01/21 07:22:30 | 000,000,101 | ---- | M] () -- C:\Documents and Settings\Jeff Nolan\Application Data\Microsoft\Internet Explorer\Quick Launch\Show Desktop.scf

< %USERPROFILE%\Desktop\*.exe >
[2009/12/15 11:24:48 | 000,293,376 | ---- | M] () -- C:\Documents and Settings\Jeff Nolan\Desktop\gmer.exe
[2010/09/14 14:42:19 | 003,845,016 | R--- | M] () -- C:\Documents and Settings\Jeff Nolan\Desktop\Kombfixs.exe
[2010/09/15 05:26:40 | 000,080,384 | ---- | M] () -- C:\Documents and Settings\Jeff Nolan\Desktop\MBRCheck.exe
[2010/09/15 05:23:44 | 000,576,000 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Jeff Nolan\Desktop\OTL.exe

< %PROGRAMFILES%\Common Files\*.* >

< %systemroot%\*.src >

< %systemroot%\install\*.* >

< %systemroot%\system32\DLL\*.* >

< %systemroot%\system32\HelpFiles\*.* >

< %systemroot%\system32\rundll\*.* >

< %systemroot%\winn32\*.* >

< %systemroot%\Java\*.* >

< %systemroot%\system32\test\*.* >

< %systemroot%\system32\Rundll32\*.* >

< %systemroot%\AppPatch\Custom\*.* >

< %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x >

< %PROGRAMFILES%\PC-Doctor\Downloads\*.* >

< %PROGRAMFILES%\Internet Explorer\*.tmp >

< %PROGRAMFILES%\Internet Explorer\*.dat >

< %USERPROFILE%\My Documents\*.exe >
[1998/10/02 15:04:32 | 000,071,680 | R--- | M] (InstallShield Software Corporation) -- C:\Documents and Settings\Jeff Nolan\My Documents\Setup.exe
[2000/08/30 13:15:14 | 000,027,648 | R--- | M] (InstallShield Software Corporation) -- C:\Documents and Settings\Jeff Nolan\My Documents\_ISDel.exe
[1998/10/02 15:06:10 | 000,027,648 | R--- | M] (InstallShield Software Corporation) -- C:\Documents and Settings\Jeff Nolan\My Documents\_ISDel_old.exe

< %USERPROFILE%\*.exe >

< %systemroot%\ADDINS\*.* >

< %systemroot%\assembly\*.bak2 >

< %systemroot%\Config\*.* >

< %systemroot%\REPAIR\*.bak2 >

< %systemroot%\SECURITY\Database\*.sdb /x >

< %systemroot%\SYSTEM\*.bak2 >

< %systemroot%\Web\*.bak2 >

< %systemroot%\Driver Cache\*.* >

< %PROGRAMFILES%\Mozilla Firefox\0*.exe >

< %ProgramFiles%\Microsoft Common\*.* >

< %ProgramFiles%\TinyProxy. >

< %USERPROFILE%\Favorites\*.url /x >
[2009/01/21 07:22:29 | 000,000,122 | -HS- | M] () -- C:\Documents and Settings\Jeff Nolan\Favorites\Desktop.ini

< %systemroot%\system32\*.bk >

< %systemroot%\*.te >

< %systemroot%\system32\system32\*.* >

< %ALLUSERSPROFILE%\*.dat /x >

< %systemroot%\system32\drivers\*.rmv >

< dir /b "%systemroot%\system32\*.exe" | find /i " " /c >

< dir /b "%systemroot%\*.exe" | find /i " " /c >

< %PROGRAMFILES%\Microsoft\*.* >

< %systemroot%\System32\Wbem\proquota.exe >

< %PROGRAMFILES%\Mozilla Firefox\*.dat >

< %USERPROFILE%\Cookies\*.txt /x >
[2009/10/14 04:23:17 | 000,000,067 | -HS- | M] () -- C:\Documents and Settings\Jeff Nolan\Cookies\desktop.ini
[2010/09/15 07:38:45 | 000,802,816 | ---- | M] () -- C:\Documents and Settings\Jeff Nolan\Cookies\index.dat

< %SystemRoot%\system32\fonts\*.* >

< %systemroot%\system32\winlog\*.* >

< %systemroot%\system32\Language\*.* >

< %systemroot%\system32\Settings\*.* >

< %systemroot%\system32\*.quo >

< %SYSTEMROOT%\AppPatch\*.exe >

< %SYSTEMROOT%\inf\*.exe >
[2007/06/26 23:10:26 | 000,317,440 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\inf\unregmp2.exe

< %SYSTEMROOT%\Installer\*.exe >

< %systemroot%\system32\config\*.bak2 >

< %systemroot%\system32\Computers\*.* >

< %SystemRoot%\system32\Sound\*.* >

< %SystemRoot%\system32\SpecialImg\*.* >

< %SystemRoot%\system32\code\*.* >

< %SystemRoot%\system32\draft\*.* >

< %SystemRoot%\system32\MSSSys\*.* >

< %ProgramFiles%\Javascript\*.* >

< %systemroot%\pchealth\helpctr\System\*.exe /s >

< %systemroot%\Web\*.exe >

< %systemroot%\system32\msn\*.* >

< %systemroot%\system32\*.tro >

< %AppData%\Microsoft\Installer\msupdates\*.* >

< %ProgramFiles%\Messenger\*.exe >
[2008/04/13 19:12:28 | 001,695,232 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msmsgs.exe

< %systemroot%\system32\systhem32\*.* >

< %systemroot%\system\*.exe >

< %USERPROFILE%\Templates\*.tmp >

< %SYSTEMDRIVE%\explorexxx.exe\*.* >

< %Windir%\Installer\*.tmp >

< %systemroot%\System32\*.xco >

< %ProgramFiles%\system32\*.* >

< %systemroot%\System32\windos\*.* >

< %SystemRoot%\system32\sandbox\*.* >

< %SystemRoot%\system32\*.amo >

< %SystemRoot%\system32\Windows Live\*.* >

< %ProgramFiles%\logs\*.* >

< %ProgramFiles%\Bifrost\*.* >

< %SystemRoot%\system32\*.goo >

< %systemroot%\system32\IME\*.* >

< %systemroot%\BackUp\*.* >

< %systemroot%\system32\*.ico >

< %systemroot%\system\*.dat >

< %systemroot%\system\*.exe >

< %AppData%\Macromedia\Common\*.* >

< %SYSTEMDRIVE%\dir\*.* /s >

< %systemroot%\system32\ras\*.exe >

< %SYSTEMDRIVE%\MFILES\*.* >

< %SYSTEMDRIVE%\mDNSRespon.exe\*.* >

< %systemroot%\system32\services\*.* >

< %systemroot%\Spooler\*.* >

< %ProgramFiles%\system32\*.* >

< %systemroot%\system32\Setup\*.dll /x >

< %systemroot%\system32\*.mine >

< %SYSTEMDRIVE%\cleansweep.exe\*.* >

< %systemroot%\system32\ras\*.dll >

< %systemroot%\system32\ras\*.drv >

< %systemroot%\*.iq >

< %systemroot%\system32\XP\*.* >

< %SYSTEMDRIVE%\Extracted\*.* >

< %systemroot%\system32\windows\*.* >

< %systemroot%\logs\*.* >

< %SYSTEMDRIVE%\Win.Msi\*.* >

< %systemroot%\regedit\*.* >

< %systemroot%\system32\skype\*.* >

< %AppData%\Adobe\dlluplwin25\*.* >

< %UserProfile%\*.dat >
[2010/09/14 20:33:25 | 006,553,600 | ---- | M] () -- C:\Documents and Settings\Jeff Nolan\NTUSER.DAT

< %UserProfile%\*.dll >

< %systemroot%\system32\*.sxo >

< %SYSTEMDRIVE%\Gazma\*.* /s >

< %systemroot%\system32\spynet\*.* >

< %systemroot%\system32\System\*.* >

< %appdata%\Microsoft\Windows\*.* >

< %systemroot%\system32\WinDir\*.* >

< %systemroot%\_\*.* >

< HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs >
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install\\LastSuccessTime: 2010-09-14 01:27:51

========== Alternate Data Streams ==========

@Alternate Data Stream - 88 bytes -> C:\LUO.bat:SummaryInformation
@Alternate Data Stream - 88 bytes -> C:\Documents and Settings\All Users\Documents\Microsoft Windows Office Xp 2006.zip:SummaryInformation
< End of report >

OTL Extras logfile created on: 9/15/2010 7:44:11 AM - Run 1
OTL by OldTimer - Version 3.2.12.0 Folder = C:\Documents and Settings\Jeff Nolan\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 76.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 88.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 465.75 Gb Total Space | 383.88 Gb Free Space | 82.42% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
Drive F: | 465.76 Gb Total Space | 403.80 Gb Free Space | 86.70% Space Free | Partition Type: NTFS
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: HOME-EE928C4A19
Current User Name: Jeff Nolan
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

[HKEY_USERS\S-1-5-21-776561741-527237240-839522115-1004\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [ACDSee 11.0.Browse] -- "C:\Program Files\ACD Systems\ACDSee\11.0\ACDSeeQV11.exe" "%1" (ACD Systems)
Directory [ACDSee Pro 2.5.Browse] -- "C:\Program Files\ACD Systems\ACDSee Pro\2.5\ACDSeeQVPro25.exe" "%1" (ACD Systems)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [OneNote.Open] -- C:\PROGRA~1\MICROS~2\Office12\ONENOTE.EXE "%L" (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 1
"FirewallDisableNotify" = 1
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== Firewall Settings ==========
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00FC6799-866E-44A1-A60C-DCF394CF56FD}" = iTunes
"{0A146245-DB79-4197-BF5D-FE1A699A2CC7}" = Camera Window DS
"{0C826C5B-B131-423A-A229-C71B3CACCD6A}" = CDDRV_Installer
"{0E0131B2-CF18-40D9-A331-60A3746C1204}" = EPSON Scan
"{152B782A-05F3-48EC-9AAC-4D3EB68D9E20}" = Quake 4™
"{26A24AE4-039D-4CA4-87B4-2F83216020FF}" = Java™ 6 Update 21
"{2D95950E-6D76-43E7-94A5-D9DBA2FD29E4}" = ACDSee Pro 2.5
"{300578F9-9EFF-4B93-9AB1-C0E5707EF463}" = ACDSee Photo Manager 2009
"{3101CB58-3482-4D21-AF1A-7057FC935355}" = KhalInstallWrapper
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4DBBF091-FACD-422C-B43C-786335BD5398}" = MovieEdit Task
"{56C049BE-79E9-4502-BEA7-9754A3E60F9B}" = neroxml
"{6C11D561-620B-47DA-A693-4C597F3CDF40}" = EPSON Smart Panel
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{797EE0CA-8165-405C-B5CE-F11EC20F1BB0}" = Microsoft VC9 runtime libraries
"{81A60A13-224D-4637-8203-3EAC03B121A4}" = Seagate DiscWizard
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A809006-C25A-4A3A-9DAB-94659BCDB107}" = NVIDIA PhysX
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0015-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_ENTERPRISE_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_ENTERPRISE_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_ENTERPRISE_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007
"{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_ENTERPRISE_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2007
"{90120000-00BA-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0114-0409-0000-0000000FF1CE}" = Microsoft Office Groove Setup Metadata MUI (English) 2007
"{90120000-0114-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_ENTERPRISE_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{9509674F-3972-11DE-806D-005056806466}" = Google Earth
"{98613C99-1399-416C-A07C-1EE1C585D872}" = SeaTools for Windows
"{98EFD8F0-08DE-48DB-B922-A2EBAB711033}" = Nero 7 Essentials
"{9ACC9F63-CF54-46D7-9140-D40E57564EDA}_is1" = COMODO System Cleaner 1.1.64942.34(32bit)
"{9F9F3775-7E5B-4028-B5E5-DA1C042517A8}" = EPSON Photo Print
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A498D9EB-927B-459B-85D6-DD6EF8C2C564}" = erLT
"{AA67205C-3E80-4062-9198-253A059DEE38}" = Diskeeper Professional Edition
"{AC76BA86-1033-F400-7760-000000000001}" = Adobe Acrobat 6.0 Professional - English, Français, Deutsch
"{AC76BA86-7AD7-1033-7B44-A70000000000}" = Adobe Reader 7.0
"{B69CC1A5-0404-11D6-ABCB-005004C21D30}" = EPSON Copy Utility
"{B6F7DBE7-2FE2-458F-A738-B10832746036}" = Microsoft Reader
"{BAA43DA2-B6C5-46EC-B163-0E8EEAF975A4}" = RAW Image Task 2.2
"{BBBC2B89-E193-4348-A83C-C8DD8210A4AC}" = Canon PhotoRecord
"{C0951118-6725-4BD7-9AA8-078C19729ADF}" = Canvas 9
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C151CE54-E7EA-4804-854B-F515368B0798}" = AMD Processor Driver
"{C71A1FD7-EB23-45AA-A9AA-8DFEC0881875}" = 530TX+
"{C9BED750-1211-4480-B1A5-718A3BE15525}" = REALTEK GbE & FE Ethernet PCI-E NIC Driver
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CC4A73BF-938E-4C19-A553-853C035C9BA1}" = LightScribe System Software 1.10.13.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D1696920-9794-4BBC-8A30-7A88763DE5A2}" = ABBYY FineReader 5.0 Sprint
"{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}" = Ad-Aware
"{E3D16DAD-1AEE-11D6-B82B-004033AA2C09}" = Belkin Bulldog Plus
"{EBAE381B-60A6-4863-AA9F-FCAB755BC9E5}" = ScanToWeb
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F29B21BD-CAA6-445F-8EF7-A7E2B9D8B14E}" = Logitech SetPoint
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
"ActiveScan 2.0" = Panda ActiveScan 2.0
"Ad-Aware" = Ad-Aware
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"All ATI Software" = ATI - Software Uninstall Utility
"Amazon MP3 Downloader" = Amazon MP3 Downloader 1.0.10
"AOL Uninstaller" = AOL Uninstaller (Choose which Products to Remove)
"BitComet" = BitComet 1.09
"CAL" = Canon Camera Access Library
"CameraWindowDC" = Canon Utilities CameraWindow DC
"CameraWindowDVC5" = Canon Utilities CameraWindow DC_DV 5 for ZoomBrowser EX
"CameraWindowDVC6" = Canon Utilities CameraWindow DC_DV 6 for ZoomBrowser EX
"CameraWindowLauncher" = Canon Utilities CameraWindow
"CSCLIB" = Canon Camera Support Core Library
"eMule" = eMule
"ENTERPRISE" = Microsoft Office Enterprise 2007
"FLV Player" = FLV Player 2.0 (build 25)
"HijackThis" = HijackThis 2.0.2
"HP Photo Imaging Software" = HP Photo Imaging Software
"HP Photo Printing Software" = HP Photo Printing Software
"hp photosmart 1315 series_Driver" = hp photosmart 1315 series
"hp photosmart printer series" = hp photosmart printer series (Remove only)
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ieSpell" = ieSpell
"InstallShield_{00FC6799-866E-44A1-A60C-DCF394CF56FD}" = iTunes
"InstallShield_{0A146245-DB79-4197-BF5D-FE1A699A2CC7}" = Canon Camera Window DSLR 5 for ZoomBrowser EX
"InstallShield_{152B782A-05F3-48EC-9AAC-4D3EB68D9E20}" = Quake 4™
"InstallShield_{4DBBF091-FACD-422C-B43C-786335BD5398}" = Canon MovieEdit Task for ZoomBrowser EX
"InstallShield_{BAA43DA2-B6C5-46EC-B163-0E8EEAF975A4}" = Canon RAW Image Task for ZoomBrowser EX
"InstallShield_{C71A1FD7-EB23-45AA-A9AA-8DFEC0881875}" = 530TX+
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox (3.6.3)" = Mozilla Firefox (3.6.3)
"MSC" = McAfee SecurityCenter
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"MSNINST" = MSN
"MyCamera" = Canon Utilities MyCamera
"MyCameraDC" = Canon Utilities MyCamera DC
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"NVIDIA Display Control Panel" = NVIDIA Display Control Panel
"NVIDIA Drivers" = NVIDIA Drivers
"NVIDIA nView Desktop Manager" = NVIDIA nView Desktop Manager
"PhotoStitch" = Canon Utilities PhotoStitch
"QuickTime" = QuickTime
"RemoteCaptureDC" = Canon Utilities RemoteCapture DC
"RemoteCaptureTask" = Canon Utilities RemoteCapture Task for ZoomBrowser EX
"Silent Package Run-Time Sample" = EPSON PERF 3170Guide
"SystemRequirementsLab" = System Requirements Lab
"ViewpointMediaPlayer" = Viewpoint Media Player
"VN_VUIns_Rhine_D-Link" = D-Link PCI Fast Ethernet Adapter
"Wdf01005" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
"Windows Essentials Media Codec Pack" = Windows Essentials Media Codec Pack 2.2c
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinRAR archiver" = WinRAR archiver
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"Yahoo! Companion" = Yahoo! Toolbar
"Yahoo! Search Defender" = Yahoo! Search Protection
"Yahoo! Software Update" = Yahoo! Software Update
"Yahoo! Toolbar" = Yahoo! Toolbar
"YInstHelper" = Yahoo! Install Manager
"ZoomBrowser EX" = Canon Utilities ZoomBrowser EX
"ZoomBrowser EX Memory Card Utility" = Canon ZoomBrowser EX Memory Card Utility

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-776561741-527237240-839522115-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Google Chrome" = Google Chrome

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 9/13/2010 9:28:13 PM | Computer Name = HOME-EE928C4A19 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download....uthrootseq.txt>
with error: This network connection does not exist.

Error - 9/13/2010 9:28:13 PM | Computer Name = HOME-EE928C4A19 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download....uthrootseq.txt>
with error: This network connection does not exist.

Error - 9/14/2010 11:00:25 AM | Computer Name = HOME-EE928C4A19 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download....uthrootseq.txt>
with error: The server name or address could not be resolved

Error - 9/14/2010 11:00:25 AM | Computer Name = HOME-EE928C4A19 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download....uthrootseq.txt>
with error: This network connection does not exist.

Error - 9/14/2010 11:00:26 AM | Computer Name = HOME-EE928C4A19 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download....uthrootseq.txt>
with error: This network connection does not exist.

Error - 9/14/2010 11:00:26 AM | Computer Name = HOME-EE928C4A19 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download....uthrootseq.txt>
with error: This network connection does not exist.

Error - 9/14/2010 11:07:01 AM | Computer Name = HOME-EE928C4A19 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download....uthrootseq.txt>
with error: The server name or address could not be resolved

Error - 9/14/2010 11:07:01 AM | Computer Name = HOME-EE928C4A19 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download....uthrootseq.txt>
with error: This network connection does not exist.

Error - 9/14/2010 11:07:02 AM | Computer Name = HOME-EE928C4A19 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download....uthrootseq.txt>
with error: This network connection does not exist.

Error - 9/14/2010 11:07:02 AM | Computer Name = HOME-EE928C4A19 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download....uthrootseq.txt>
with error: This network connection does not exist.

[ Application Events ]
Error - 9/13/2010 9:28:13 PM | Computer Name = HOME-EE928C4A19 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download....uthrootseq.txt>
with error: This network connection does not exist.

Error - 9/13/2010 9:28:13 PM | Computer Name = HOME-EE928C4A19 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download....uthrootseq.txt>
with error: This network connection does not exist.

Error - 9/14/2010 11:00:25 AM | Computer Name = HOME-EE928C4A19 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download....uthrootseq.txt>
with error: The server name or address could not be resolved

Error - 9/14/2010 11:00:25 AM | Computer Name = HOME-EE928C4A19 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download....uthrootseq.txt>
with error: This network connection does not exist.

Error - 9/14/2010 11:00:26 AM | Computer Name = HOME-EE928C4A19 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download....uthrootseq.txt>
with error: This network connection does not exist.

Error - 9/14/2010 11:00:26 AM | Computer Name = HOME-EE928C4A19 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download....uthrootseq.txt>
with error: This network connection does not exist.

Error - 9/14/2010 11:07:01 AM | Computer Name = HOME-EE928C4A19 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download....uthrootseq.txt>
with error: The server name or address could not be resolved

Error - 9/14/2010 11:07:01 AM | Computer Name = HOME-EE928C4A19 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download....uthrootseq.txt>
with error: This network connection does not exist.

Error - 9/14/2010 11:07:02 AM | Computer Name = HOME-EE928C4A19 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download....uthrootseq.txt>
with error: This network connection does not exist.

Error - 9/14/2010 11:07:02 AM | Computer Name = HOME-EE928C4A19 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download....uthrootseq.txt>
with error: This network connection does not exist.

[ System Events ]
Error - 9/15/2010 6:57:56 AM | Computer Name = HOME-EE928C4A19 | Source = Ftdisk | ID = 262193
Description = Configuring the Page file for crash dump failed. Make sure there is
a page file on the boot partition and that is large enough to contain all physical
memory.

Error - 9/15/2010 6:57:56 AM | Computer Name = HOME-EE928C4A19 | Source = Service Control Manager | ID = 7023
Description = The HID Input Service service terminated with the following error:
%%126

Error - 9/15/2010 6:57:56 AM | Computer Name = HOME-EE928C4A19 | Source = Service Control Manager | ID = 7023
Description = The Windows Firewall/Internet Connection Sharing (ICS) service terminated
with the following error: %%2

Error - 9/15/2010 6:58:30 AM | Computer Name = HOME-EE928C4A19 | Source = Service Control Manager | ID = 7011
Description = Timeout (30000 milliseconds) waiting for a transaction response from
the mcmscsvc service.

Error - 9/15/2010 8:23:20 AM | Computer Name = HOME-EE928C4A19 | Source = Ftdisk | ID = 262189
Description = The system could not sucessfully load the crash dump driver.

Error - 9/15/2010 8:23:20 AM | Computer Name = HOME-EE928C4A19 | Source = Ftdisk | ID = 262193
Description = Configuring the Page file for crash dump failed. Make sure there is
a page file on the boot partition and that is large enough to contain all physical
memory.

Error - 9/15/2010 8:23:25 AM | Computer Name = HOME-EE928C4A19 | Source = Service Control Manager | ID = 7023
Description = The HID Input Service service terminated with the following error:
%%126

Error - 9/15/2010 8:23:25 AM | Computer Name = HOME-EE928C4A19 | Source = Service Control Manager | ID = 7023
Description = The Windows Firewall/Internet Connection Sharing (ICS) service terminated
with the following error: %%2

Error - 9/15/2010 8:23:58 AM | Computer Name = HOME-EE928C4A19 | Source = DCOM | ID = 10010
Description = The server {C7E39D60-7A9F-42BF-ABB1-03DC0FA4F493} did not register
with DCOM within the required timeout.

Error - 9/15/2010 8:23:58 AM | Computer Name = HOME-EE928C4A19 | Source = Service Control Manager | ID = 7011
Description = Timeout (30000 milliseconds) waiting for a transaction response from
the mcmscsvc service.


< End of report >

#12
Armor500

Here is as far as I can go with gmer.



GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-09-15 08:12:06
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\JEFFNO~1\LOCALS~1\Temp\kfndapod.sys


---- System - GMER 1.0.15 ----

SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xB80F887E]
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xB80F8BFE]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xB34AB78A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xB34AB738]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xB34AB74C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xB34AB7CA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xB34AB710]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xB34AB724]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xB34AB79E]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xB34AB776]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xB34AB762]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xB34AB7F9]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xB34AB7E0]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xB34AB7B4]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwYieldExecution 80504B08 7 Bytes JMP B34AB7B8 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtCreateFile 80579084 5 Bytes JMP B34AB78E \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtMapViewOfSection 805B1FE6 7 Bytes JMP B34AB7CE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805B2DF4 5 Bytes JMP B34AB7E4 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwProtectVirtualMemory 805B83CA 7 Bytes JMP B34AB7A2 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenProcess 805CB3FA 5 Bytes JMP B34AB714 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenThread 805CB686 2 Bytes JMP B34AB728 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenThread + 3 805CB689 2 Bytes [EE, 32]
PAGE ntkrnlpa.exe!NtSetInformationProcess 805CDE44 5 Bytes JMP B34AB766 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 805D1134 7 Bytes JMP B34AB750 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcess 805D11EA 5 Bytes JMP B34AB73C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetContextThread 805D16F4 5 Bytes JMP B34AB77A \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwTerminateProcess 805D2982 5 Bytes JMP B34AB7FD \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB68B93A0, 0x59FFE5, 0xE8000020]
.rsrc C:\WINDOWS\system32\DRIVERS\tcpip.sys entry point in ".rsrc" section [0xB3673A94]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\services.exe[856] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 0007000A
.text C:\WINDOWS\system32\services.exe[856] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00070F57
.text C:\WINDOWS\system32\services.exe[856] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00070F72
.text C:\WINDOWS\system32\services.exe[856] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00070F83
.text C:\WINDOWS\system32\services.exe[856] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00070040
.text C:\WINDOWS\system32\services.exe[856] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00070025
.text C:\WINDOWS\system32\services.exe[856] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00070078
.text C:\WINDOWS\system32\services.exe[856] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00070F3C
.text C:\WINDOWS\system32\services.exe[856] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 000700A4
.text C:\WINDOWS\system32\services.exe[856] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00070093
.text C:\WINDOWS\system32\services.exe[856] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00070EFA
.text C:\WINDOWS\system32\services.exe[856] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00070F9E
.text C:\WINDOWS\system32\services.exe[856] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00070FEF
.text C:\WINDOWS\system32\services.exe[856] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00070067
.text C:\WINDOWS\system32\services.exe[856] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00070FB9
.text C:\WINDOWS\system32\services.exe[856] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00070FD4
.text C:\WINDOWS\system32\services.exe[856] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00070F15
.text C:\WINDOWS\system32\services.exe[856] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00060011
.text C:\WINDOWS\system32\services.exe[856] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00060F6F
.text C:\WINDOWS\system32\services.exe[856] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00060FCA
.text C:\WINDOWS\system32\services.exe[856] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00060FDB
.text C:\WINDOWS\system32\services.exe[856] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00060F80
.text C:\WINDOWS\system32\services.exe[856] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00060000
.text C:\WINDOWS\system32\services.exe[856] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00060022
.text C:\WINDOWS\system32\services.exe[856] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00060FA5
.text C:\WINDOWS\system32\services.exe[856] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00050067
.text C:\WINDOWS\system32\services.exe[856] msvcrt.dll!system 77C293C7 5 Bytes JMP 00050FD2
.text C:\WINDOWS\system32\services.exe[856] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00050FE3
.text C:\WINDOWS\system32\services.exe[856] msvcrt.dll!_open 77C2F566 5 Bytes JMP 0005000C
.text C:\WINDOWS\system32\services.exe[856] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00050038
.text C:\WINDOWS\system32\services.exe[856] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0005001D
.text C:\WINDOWS\system32\services.exe[856] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00040FEF
.text C:\WINDOWS\system32\lsass.exe[868] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00FD0FEF
.text C:\WINDOWS\system32\lsass.exe[868] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00FD0051
.text C:\WINDOWS\system32\lsass.exe[868] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00FD0F5C
.text C:\WINDOWS\system32\lsass.exe[868] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00FD0040
.text C:\WINDOWS\system32\lsass.exe[868] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00FD0F83
.text C:\WINDOWS\system32\lsass.exe[868] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00FD001B
.text C:\WINDOWS\system32\lsass.exe[868] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00FD0F35
.text C:\WINDOWS\system32\lsass.exe[868] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00FD007D
.text C:\WINDOWS\system32\lsass.exe[868] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00FD00BD
.text C:\WINDOWS\system32\lsass.exe[868] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00FD0098
.text C:\WINDOWS\system32\lsass.exe[868] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00FD0EFF
.text C:\WINDOWS\system32\lsass.exe[868] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00FD0F94
.text C:\WINDOWS\system32\lsass.exe[868] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00FD0FD4
.text C:\WINDOWS\system32\lsass.exe[868] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00FD0062
.text C:\WINDOWS\system32\lsass.exe[868] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00FD0FAF
.text C:\WINDOWS\system32\lsass.exe[868] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00FD000A
.text C:\WINDOWS\system32\lsass.exe[868] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00FD0F24
.text C:\WINDOWS\system32\lsass.exe[868] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00FC0FD4
.text C:\WINDOWS\system32\lsass.exe[868] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00FC0F7C
.text C:\WINDOWS\system32\lsass.exe[868] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00FC001B
.text C:\WINDOWS\system32\lsass.exe[868] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00FC000A
.text C:\WINDOWS\system32\lsass.exe[868] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00FC0F8D
.text C:\WINDOWS\system32\lsass.exe[868] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00FC0FEF
.text C:\WINDOWS\system32\lsass.exe[868] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00FC0FA8
.text C:\WINDOWS\system32\lsass.exe[868] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [1C, 89] {SBB AL, 0x89}
.text C:\WINDOWS\system32\lsass.exe[868] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00FC0FC3
.text C:\WINDOWS\system32\lsass.exe[868] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00FB0FA1
.text C:\WINDOWS\system32\lsass.exe[868] msvcrt.dll!system 77C293C7 5 Bytes JMP 00FB0FBC
.text C:\WINDOWS\system32\lsass.exe[868] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00FB001B
.text C:\WINDOWS\system32\lsass.exe[868] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00FB0FE3
.text C:\WINDOWS\system32\lsass.exe[868] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00FB0036
.text C:\WINDOWS\system32\lsass.exe[868] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00FB0000
.text C:\WINDOWS\system32\lsass.exe[868] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00FA0FE5
.text C:\WINDOWS\system32\svchost.exe[1092] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 024B0000
.text C:\WINDOWS\system32\svchost.exe[1092] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 024B0FA5
.text C:\WINDOWS\system32\svchost.exe[1092] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 024B009A
.text C:\WINDOWS\system32\svchost.exe[1092] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 024B0089
.text C:\WINDOWS\system32\svchost.exe[1092] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 024B006C
.text C:\WINDOWS\system32\svchost.exe[1092] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 024B0051
.text C:\WINDOWS\system32\svchost.exe[1092] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 024B00C8
.text C:\WINDOWS\system32\svchost.exe[1092] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 024B0F80
.text C:\WINDOWS\system32\svchost.exe[1092] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 024B0F4D
.text C:\WINDOWS\system32\svchost.exe[1092] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 024B0F5E
.text C:\WINDOWS\system32\svchost.exe[1092] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 024B00F7
.text C:\WINDOWS\system32\svchost.exe[1092] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 024B0FCA
.text C:\WINDOWS\system32\svchost.exe[1092] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 024B001B
.text C:\WINDOWS\system32\svchost.exe[1092] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 024B00AB
.text C:\WINDOWS\system32\svchost.exe[1092] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 024B0FE5
.text C:\WINDOWS\system32\svchost.exe[1092] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 024B0036
.text C:\WINDOWS\system32\svchost.exe[1092] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 024B0F6F
.text C:\WINDOWS\system32\svchost.exe[1092] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 024A0FB9
.text C:\WINDOWS\system32\svchost.exe[1092] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 024A0F80
.text C:\WINDOWS\system32\svchost.exe[1092] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 024A0FCA
.text C:\WINDOWS\system32\svchost.exe[1092] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 024A0000
.text C:\WINDOWS\system32\svchost.exe[1092] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 024A003D
.text C:\WINDOWS\system32\svchost.exe[1092] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 024A0FE5
.text C:\WINDOWS\system32\svchost.exe[1092] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 024A002C
.text C:\WINDOWS\system32\svchost.exe[1092] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 024A001B
.text C:\WINDOWS\system32\svchost.exe[1092] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 02490FA8
.text C:\WINDOWS\system32\svchost.exe[1092] msvcrt.dll!system 77C293C7 5 Bytes JMP 02490033
.text C:\WINDOWS\system32\svchost.exe[1092] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 02490FDE
.text C:\WINDOWS\system32\svchost.exe[1092] msvcrt.dll!_open 77C2F566 5 Bytes JMP 02490000
.text C:\WINDOWS\system32\svchost.exe[1092] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 02490FC3
.text C:\WINDOWS\system32\svchost.exe[1092] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 02490FEF
.text C:\WINDOWS\system32\svchost.exe[1092] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00FF000A
.text C:\WINDOWS\system32\svchost.exe[1156] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00E40FE5
.text C:\WINDOWS\system32\svchost.exe[1156] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00E40036
.text C:\WINDOWS\system32\svchost.exe[1156] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00E40F41
.text C:\WINDOWS\system32\svchost.exe[1156] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00E40F5C
.text C:\WINDOWS\system32\svchost.exe[1156] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00E40025
.text C:\WINDOWS\system32\svchost.exe[1156] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00E40F94
.text C:\WINDOWS\system32\svchost.exe[1156] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00E40067
.text C:\WINDOWS\system32\svchost.exe[1156] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00E40F15
.text C:\WINDOWS\system32\svchost.exe[1156] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00E400A7
.text C:\WINDOWS\system32\svchost.exe[1156] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00E40082
.text C:\WINDOWS\system32\svchost.exe[1156] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00E400B8
.text C:\WINDOWS\system32\svchost.exe[1156] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00E40F83
.text C:\WINDOWS\system32\svchost.exe[1156] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00E40FCA
.text C:\WINDOWS\system32\svchost.exe[1156] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00E40F26
.text C:\WINDOWS\system32\svchost.exe[1156] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00E40000
.text C:\WINDOWS\system32\svchost.exe[1156] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00E40FAF
.text C:\WINDOWS\system32\svchost.exe[1156] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00E40F04
.text C:\WINDOWS\system32\svchost.exe[1156] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00E30FAF
.text C:\WINDOWS\system32\svchost.exe[1156] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00E30040
.text C:\WINDOWS\system32\svchost.exe[1156] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00E30000
.text C:\WINDOWS\system32\svchost.exe[1156] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00E30FD4
.text C:\WINDOWS\system32\svchost.exe[1156] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00E30F83
.text C:\WINDOWS\system32\svchost.exe[1156] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00E30FE5
.text C:\WINDOWS\system32\svchost.exe[1156] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00E3001B
.text C:\WINDOWS\system32\svchost.exe[1156] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00E30F9E
.text C:\WINDOWS\system32\svchost.exe[1156] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00E20055
.text C:\WINDOWS\system32\svchost.exe[1156] msvcrt.dll!system 77C293C7 5 Bytes JMP 00E20FCA
.text C:\WINDOWS\system32\svchost.exe[1156] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00E20029
.text C:\WINDOWS\system32\svchost.exe[1156] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00E20FEF
.text C:\WINDOWS\system32\svchost.exe[1156] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00E2003A
.text C:\WINDOWS\system32\svchost.exe[1156] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00E2000C
.text C:\WINDOWS\system32\svchost.exe[1156] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00E10FE5
.text C:\WINDOWS\System32\svchost.exe[1252] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 03BC0000
.text C:\WINDOWS\System32\svchost.exe[1252] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 03BC0F74
.text C:\WINDOWS\System32\svchost.exe[1252] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 03BC0F85
.text C:\WINDOWS\System32\svchost.exe[1252] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 03BC005F
.text C:\WINDOWS\System32\svchost.exe[1252] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 03BC004E
.text C:\WINDOWS\System32\svchost.exe[1252] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 03BC003D
.text C:\WINDOWS\System32\svchost.exe[1252] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 03BC0090
.text C:\WINDOWS\System32\svchost.exe[1252] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 03BC0F48
.text C:\WINDOWS\System32\svchost.exe[1252] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 03BC0F12
.text C:\WINDOWS\System32\svchost.exe[1252] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 03BC0F23
.text C:\WINDOWS\System32\svchost.exe[1252] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 03BC00C6
.text C:\WINDOWS\System32\svchost.exe[1252] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 03BC0FB6
.text C:\WINDOWS\System32\svchost.exe[1252] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 03BC0FE5
.text C:\WINDOWS\System32\svchost.exe[1252] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 03BC0F59
.text C:\WINDOWS\System32\svchost.exe[1252] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 03BC002C
.text C:\WINDOWS\System32\svchost.exe[1252] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 03BC0011
.text C:\WINDOWS\System32\svchost.exe[1252] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 03BC00A1
.text C:\WINDOWS\System32\svchost.exe[1252] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 03BB002C
.text C:\WINDOWS\System32\svchost.exe[1252] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 03BB0047
.text C:\WINDOWS\System32\svchost.exe[1252] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 03BB001B
.text C:\WINDOWS\System32\svchost.exe[1252] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 03BB000A
.text C:\WINDOWS\System32\svchost.exe[1252] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 03BB0F8A
.text C:\WINDOWS\System32\svchost.exe[1252] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 03BB0FEF
.text C:\WINDOWS\System32\svchost.exe[1252] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 03BB0F9B
.text C:\WINDOWS\System32\svchost.exe[1252] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [DB, 8B]
.text C:\WINDOWS\System32\svchost.exe[1252] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 03BB0FC0
.text C:\WINDOWS\System32\svchost.exe[1252] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 0370004C
.text C:\WINDOWS\System32\svchost.exe[1252] msvcrt.dll!system 77C293C7 5 Bytes JMP 0370003B
.text C:\WINDOWS\System32\svchost.exe[1252] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 03700FC1
.text C:\WINDOWS\System32\svchost.exe[1252] msvcrt.dll!_open 77C2F566 5 Bytes JMP 03700FEF
.text C:\WINDOWS\System32\svchost.exe[1252] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 03700016
.text C:\WINDOWS\System32\svchost.exe[1252] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 03700FD2
.text C:\WINDOWS\System32\svchost.exe[1252] WS2_32.dll!socket 71AB4211 5 Bytes JMP 035F000A
.text C:\WINDOWS\System32\svchost.exe[1252] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 034A0FEF
.text C:\WINDOWS\System32\svchost.exe[1252] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 034A0FD4
.text C:\WINDOWS\System32\svchost.exe[1252] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 034A0FC3
.text C:\WINDOWS\System32\svchost.exe[1252] WININET.dll!InternetOpenUrlW 3D998439 5 Bytes JMP 034A0014
.text C:\WINDOWS\system32\svchost.exe[1376] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 0081000A
.text C:\WINDOWS\system32\svchost.exe[1376] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 0081007A
.text C:\WINDOWS\system32\svchost.exe[1376] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00810069
.text C:\WINDOWS\system32\svchost.exe[1376] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00810058
.text C:\WINDOWS\system32\svchost.exe[1376] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00810FA5
.text C:\WINDOWS\system32\svchost.exe[1376] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0081003D
.text C:\WINDOWS\system32\svchost.exe[1376] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 008100B7
.text C:\WINDOWS\system32\svchost.exe[1376] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 008100A6
.text C:\WINDOWS\system32\svchost.exe[1376] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00810F40
.text C:\WINDOWS\system32\svchost.exe[1376] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 008100E3
.text C:\WINDOWS\system32\svchost.exe[1376] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00810F2F
.text C:\WINDOWS\system32\svchost.exe[1376] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00810FC0
.text C:\WINDOWS\system32\svchost.exe[1376] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 0081001B
.text C:\WINDOWS\system32\svchost.exe[1376] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 0081008B
.text C:\WINDOWS\system32\svchost.exe[1376] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 0081002C
.text C:\WINDOWS\system32\svchost.exe[1376] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00810FDB
.text C:\WINDOWS\system32\svchost.exe[1376] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 008100D2
.text C:\WINDOWS\system32\svchost.exe[1376] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00800025
.text C:\WINDOWS\system32\svchost.exe[1376] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00800073
.text C:\WINDOWS\system32\svchost.exe[1376] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00800FCA
.text C:\WINDOWS\system32\svchost.exe[1376] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00800000
.text C:\WINDOWS\system32\svchost.exe[1376] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00800062
.text C:\WINDOWS\system32\svchost.exe[1376] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00800FEF
.text C:\WINDOWS\system32\svchost.exe[1376] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00800047
.text C:\WINDOWS\system32\svchost.exe[1376] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00800036
.text C:\WINDOWS\system32\svchost.exe[1376] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 007F0F9A
.text C:\WINDOWS\system32\svchost.exe[1376] msvcrt.dll!system 77C293C7 5 Bytes JMP 007F001B
.text C:\WINDOWS\system32\svchost.exe[1376] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 007F0FBC
.text C:\WINDOWS\system32\svchost.exe[1376] msvcrt.dll!_open 77C2F566 5 Bytes JMP 007F0000
.text C:\WINDOWS\system32\svchost.exe[1376] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 007F0FAB
.text C:\WINDOWS\system32\svchost.exe[1376] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 007F0FE3
.text C:\WINDOWS\system32\svchost.exe[1376] WS2_32.dll!socket 71AB4211 5 Bytes JMP 007E0FEF
.text C:\WINDOWS\system32\svchost.exe[1508] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00CA0FEF
.text C:\WINDOWS\system32\svchost.exe[1508] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00CA005B
.text C:\WINDOWS\system32\svchost.exe[1508] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00CA0040
.text C:\WINDOWS\system32\svchost.exe[1508] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00CA002F
.text C:\WINDOWS\system32\svchost.exe[1508] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00CA0F72
.text C:\WINDOWS\system32\svchost.exe[1508] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00CA0FA8
.text C:\WINDOWS\system32\svchost.exe[1508] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00CA0F30
.text C:\WINDOWS\system32\svchost.exe[1508] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00CA0F41
.text C:\WINDOWS\system32\svchost.exe[1508] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00CA0F0B
.text C:\WINDOWS\system32\svchost.exe[1508] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00CA00AE
.text C:\WINDOWS\system32\svchost.exe[1508] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00CA0EFA
.text C:\WINDOWS\system32\svchost.exe[1508] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00CA0F8D
.text C:\WINDOWS\system32\svchost.exe[1508] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00CA0FDE
.text C:\WINDOWS\system32\svchost.exe[1508] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00CA006C
.text C:\WINDOWS\system32\svchost.exe[1508] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00CA000A
.text C:\WINDOWS\system32\svchost.exe[1508] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00CA0FB9
.text C:\WINDOWS\system32\svchost.exe[1508] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00CA0093
.text C:\WINDOWS\system32\svchost.exe[1508] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00C90036
.text C:\WINDOWS\system32\svchost.exe[1508] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00C90098
.text C:\WINDOWS\system32\svchost.exe[1508] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00C9001B
.text C:\WINDOWS\system32\svchost.exe[1508] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00C90FE5
.text C:\WINDOWS\system32\svchost.exe[1508] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00C9007D
.text C:\WINDOWS\system32\svchost.exe[1508] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00C9000A
.text C:\WINDOWS\system32\svchost.exe[1508] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00C90058
.text C:\WINDOWS\system32\svchost.exe[1508] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00C90047
.text C:\WINDOWS\system32\svchost.exe[1508] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00C80FAB
.text C:\WINDOWS\system32\svchost.exe[1508] msvcrt.dll!system 77C293C7 5 Bytes JMP 00C80036
.text C:\WINDOWS\system32\svchost.exe[1508] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00C80FC6
.text C:\WINDOWS\system32\svchost.exe[1508] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00C80FEF
.text C:\WINDOWS\system32\svchost.exe[1508] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00C8001B
.text C:\WINDOWS\system32\svchost.exe[1508] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00C80000
.text C:\WINDOWS\system32\svchost.exe[1508] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00C70FE5
.text C:\WINDOWS\Explorer.EXE[1904] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 02E90FEF
.text C:\WINDOWS\Explorer.EXE[1904] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 02E9004E
.text C:\WINDOWS\Explorer.EXE[1904] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 02E90F63
.text C:\WINDOWS\Explorer.EXE[1904] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 02E9003D
.text C:\WINDOWS\Explorer.EXE[1904] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 02E9002C
.text C:\WINDOWS\Explorer.EXE[1904] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 02E90F94
.text C:\WINDOWS\Explorer.EXE[1904] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 02E90F17
.text C:\WINDOWS\Explorer.EXE[1904] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 02E90F34
.text C:\WINDOWS\Explorer.EXE[1904] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 02E9008B
.text C:\WINDOWS\Explorer.EXE[1904] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 02E90EF2
.text C:\WINDOWS\Explorer.EXE[1904] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 02E90ED7
.text C:\WINDOWS\Explorer.EXE[1904] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 02E9001B
.text C:\WINDOWS\Explorer.EXE[1904] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 02E90FD4
.text C:\WINDOWS\Explorer.EXE[1904] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 02E9005F
.text C:\WINDOWS\Explorer.EXE[1904] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 02E9000A
.text C:\WINDOWS\Explorer.EXE[1904] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 02E90FC3
.text C:\WINDOWS\Explorer.EXE[1904] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 02E90070
.text C:\WINDOWS\Explorer.EXE[1904] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 02BD002C
.text C:\WINDOWS\Explorer.EXE[1904] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 02BD0073
.text C:\WINDOWS\Explorer.EXE[1904] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 02BD001B
.text C:\WINDOWS\Explorer.EXE[1904] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 02BD0FE5
.text C:\WINDOWS\Explorer.EXE[1904] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 02BD0062
.text C:\WINDOWS\Explorer.EXE[1904] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 02BD0000
.text C:\WINDOWS\Explorer.EXE[1904] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 02BD0047
.text C:\WINDOWS\Explorer.EXE[1904] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 02BD0FC0
.text C:\WINDOWS\Explorer.EXE[1904] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 02BA0FCA
.text C:\WINDOWS\Explorer.EXE[1904] msvcrt.dll!system 77C293C7 5 Bytes JMP 02BA0055
.text C:\WINDOWS\Explorer.EXE[1904] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 02BA003A
.text C:\WINDOWS\Explorer.EXE[1904] msvcrt.dll!_open 77C2F566 5 Bytes JMP 02BA0000
.text C:\WINDOWS\Explorer.EXE[1904] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 02BA0FE5
.text C:\WINDOWS\Explorer.EXE[1904] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 02BA001D
.text C:\WINDOWS\Explorer.EXE[1904] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 00E00FEF
.text C:\WINDOWS\Explorer.EXE[1904] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 00E00FDE
.text C:\WINDOWS\Explorer.EXE[1904] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 00E00014
.text C:\WINDOWS\Explorer.EXE[1904] WININET.dll!InternetOpenUrlW 3D998439 5 Bytes JMP 00E00FC3
.text C:\WINDOWS\Explorer.EXE[1904] WS2_32.dll!socket 71AB4211 5 Bytes JMP 02B90000
.text C:\WINDOWS\system32\svchost.exe[2012] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BE0FE5
.text C:\WINDOWS\system32\svchost.exe[2012] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BE0F7A
.text C:\WINDOWS\system32\svchost.exe[2012] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BE0F8B
.text C:\WINDOWS\system32\svchost.exe[2012] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BE0065
.text C:\WINDOWS\system32\svchost.exe[2012] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BE0FA8
.text C:\WINDOWS\system32\svchost.exe[2012] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BE0036
.text C:\WINDOWS\system32\svchost.exe[2012] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BE00B6
.text C:\WINDOWS\system32\svchost.exe[2012] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BE00A5
.text C:\WINDOWS\system32\svchost.exe[2012] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BE0F2E
.text C:\WINDOWS\system32\svchost.exe[2012] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BE0F49
.text C:\WINDOWS\system32\svchost.exe[2012] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BE00E2
.text C:\WINDOWS\system32\svchost.exe[2012] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BE0FB9
.text C:\WINDOWS\system32\svchost.exe[2012] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BE0FCA
.text C:\WINDOWS\system32\svchost.exe[2012] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BE0094
.text C:\WINDOWS\system32\svchost.exe[2012] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BE001B
.text C:\WINDOWS\system32\svchost.exe[2012] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BE000A
.text C:\WINDOWS\system32\svchost.exe[2012] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BE00C7
.text C:\WINDOWS\system32\svchost.exe[2012] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00960FE5
.text C:\WINDOWS\system32\svchost.exe[2012] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 0096008A
.text C:\WINDOWS\system32\svchost.exe[2012] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00960040
.text C:\WINDOWS\system32\svchost.exe[2012] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00960025
.text C:\WINDOWS\system32\svchost.exe[2012] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00960FC3
.text C:\WINDOWS\system32\svchost.exe[2012] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 0096000A
.text C:\WINDOWS\system32\svchost.exe[2012] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00960FD4
.text C:\WINDOWS\system32\svchost.exe[2012] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [B6, 88] {MOV DH, 0x88}
.text C:\WINDOWS\system32\svchost.exe[2012] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00960051
.text C:\WINDOWS\system32\svchost.exe[2012] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00950F9C
.text C:\WINDOWS\system32\svchost.exe[2012] msvcrt.dll!system 77C293C7 5 Bytes JMP 0095001D
.text C:\WINDOWS\system32\svchost.exe[2012] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00950FC8
.text C:\WINDOWS\system32\svchost.exe[2012] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00950000
.text C:\WINDOWS\system32\svchost.exe[2012] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00950FAD
.text C:\WINDOWS\system32\svchost.exe[2012] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00950FE3
.text C:\WINDOWS\system32\svchost.exe[2012] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 00930FE5
.text C:\WINDOWS\system32\svchost.exe[2012] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 00930FD4
.text C:\WINDOWS\system32\svchost.exe[2012] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 00930FB9
.text C:\WINDOWS\system32\svchost.exe[2012] WININET.dll!InternetOpenUrlW 3D998439 5 Bytes JMP 00930FA8
.text C:\WINDOWS\system32\svchost.exe[2012] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00940FEF
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[2540] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0041C130 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[2540] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 0041C1B0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\WINDOWS\System32\svchost.exe[2880] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001D0FEF
.text C:\WINDOWS\System32\svchost.exe[2880] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001D0F6D
.text C:\WINDOWS\System32\svchost.exe[2880] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001D0062
.text C:\WINDOWS\System32\svchost.exe[2880] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001D0051
.text C:\WINDOWS\System32\svchost.exe[2880] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001D0F9E
.text C:\WINDOWS\System32\svchost.exe[2880] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001D0040
.text C:\WINDOWS\System32\svchost.exe[2880] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001D00A9
.text C:\WINDOWS\System32\svchost.exe[2880] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001D0098
.text C:\WINDOWS\System32\svchost.exe[2880] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001D0F2B
.text C:\WINDOWS\System32\svchost.exe[2880] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001D0F46
.text C:\WINDOWS\System32\svchost.exe[2880] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 001D0F1A
.text C:\WINDOWS\System32\svchost.exe[2880] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 001D0FAF
.text C:\WINDOWS\System32\svchost.exe[2880] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 001D0FDE
.text C:\WINDOWS\System32\svchost.exe[2880] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 001D0087
.text C:\WINDOWS\System32\svchost.exe[2880] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 001D002F
.text C:\WINDOWS\System32\svchost.exe[2880] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 001D0014
.text C:\WINDOWS\System32\svchost.exe[2880] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 001D00C4
.text C:\WINDOWS\System32\svchost.exe[2880] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 002C0025
.text C:\WINDOWS\System32\svchost.exe[2880] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 002C0F94
.text C:\WINDOWS\System32\svchost.exe[2880] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 002C000A
.text C:\WINDOWS\System32\svchost.exe[2880] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 002C0FD4
.text C:\WINDOWS\System32\svchost.exe[2880] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 002C0051
.text C:\WINDOWS\System32\svchost.exe[2880] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 002C0FEF
.text C:\WINDOWS\System32\svchost.exe[2880] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 002C0036
.text C:\WINDOWS\System32\svchost.exe[2880] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 002C0FB9
.text C:\WINDOWS\System32\svchost.exe[2880] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00410FCD
.text C:\WINDOWS\System32\svchost.exe[2880] msvcrt.dll!system 77C293C7 5 Bytes JMP 0041004E
.text C:\WINDOWS\System32\svchost.exe[2880] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00410033
.text C:\WINDOWS\System32\svchost.exe[2880] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00410FEF
.text C:\WINDOWS\System32\svchost.exe[2880] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00410FDE
.text C:\WINDOWS\System32\svchost.exe[2880] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00410018
.text C:\WINDOWS\System32\svchost.exe[2880] WS2_32.dll!socket 71AB4211 5 Bytes JMP 001A0FE5
.text C:\WINDOWS\system32\svchost.exe[2944] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BD0000
.text C:\WINDOWS\system32\svchost.exe[2944] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BD0F68
.text C:\WINDOWS\system32\svchost.exe[2944] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BD005D
.text C:\WINDOWS\system32\svchost.exe[2944] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BD0F83
.text C:\WINDOWS\system32\svchost.exe[2944] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BD0F94
.text C:\WINDOWS\system32\svchost.exe[2944] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BD0FC0
.text C:\WINDOWS\system32\svchost.exe[2944] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BD0089
.text C:\WINDOWS\system32\svchost.exe[2944] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BD0F41
.text C:\WINDOWS\system32\svchost.exe[2944] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BD00D0
.text C:\WINDOWS\system32\svchost.exe[2944] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BD00B5
.text C:\WINDOWS\system32\svchost.exe[2944] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BD00E1
.text C:\WINDOWS\system32\svchost.exe[2944] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BD0FA5
.text C:\WINDOWS\system32\svchost.exe[2944] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BD0011
.text C:\WINDOWS\system32\svchost.exe[2944] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BD0078
.text C:\WINDOWS\system32\svchost.exe[2944] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BD0FD1
.text C:\WINDOWS\system32\svchost.exe[2944] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BD002C
.text C:\WINDOWS\system32\svchost.exe[2944] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BD00A4
.text C:\WINDOWS\system32\svchost.exe[2944] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00BC0FCD
.text C:\WINDOWS\system32\svchost.exe[2944] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00BC006C
.text C:\WINDOWS\system32\svchost.exe[2944] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00BC0FDE
.text C:\WINDOWS\system32\svchost.exe[2944] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00BC0FEF
.text C:\WINDOWS\system32\svchost.exe[2944] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00BC005B
.text C:\WINDOWS\system32\svchost.exe[2944] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00BC000A
.text C:\WINDOWS\system32\svchost.exe[2944] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00BC004A
.text C:\WINDOWS\system32\svchost.exe[2944] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00BC0039
.text C:\WINDOWS\system32\svchost.exe[2944] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00BB0F97
.text C:\WINDOWS\system32\svchost.exe[2944] msvcrt.dll!system 77C293C7 5 Bytes JMP 00BB002C
.text C:\WINDOWS\system32\svchost.exe[2944] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00BB0011
.text C:\WINDOWS\system32\svchost.exe[2944] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00BB0FEF
.text C:\WINDOWS\system32\svchost.exe[2944] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00BB0FC6
.text C:\WINDOWS\system32\svchost.exe[2944] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00BB0000
.text C:\WINDOWS\system32\wuauclt.exe[3328] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 02820FEF
.text C:\WINDOWS\system32\wuauclt.exe[3328] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 02820F4B
.text C:\WINDOWS\system32\wuauclt.exe[3328] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 02820F66
.text C:\WINDOWS\system32\wuauclt.exe[3328] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 02820F77
.text C:\WINDOWS\system32\wuauclt.exe[3328] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 02820F9E
.text C:\WINDOWS\system32\wuauclt.exe[3328] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 02820040
.text C:\WINDOWS\system32\wuauclt.exe[3328] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 02820F13
.text C:\WINDOWS\system32\wuauclt.exe[3328] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 0282005B
.text C:\WINDOWS\system32\wuauclt.exe[3328] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 0282008E
.text C:\WINDOWS\system32\wuauclt.exe[3328] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 0282007D
.text C:\WINDOWS\system32\wuauclt.exe[3328] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 0282009F
.text C:\WINDOWS\system32\wuauclt.exe[3328] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 02820FAF
.text C:\WINDOWS\system32\wuauclt.exe[3328] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 0282000A
.text C:\WINDOWS\system32\wuauclt.exe[3328] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 02820F3A
.text C:\WINDOWS\system32\wuauclt.exe[3328] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 02820FD4
.text C:\WINDOWS\system32\wuauclt.exe[3328] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 02820025
.text C:\WINDOWS\system32\wuauclt.exe[3328] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 0282006C
.text C:\WINDOWS\system32\wuauclt.exe[3328] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 02800049
.text C:\WINDOWS\system32\wuauclt.exe[3328] msvcrt.dll!system 77C293C7 5 Bytes JMP 02800FBE
.text C:\WINDOWS\system32\wuauclt.exe[3328] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0280002E
.text C:\WINDOWS\system32\wuauclt.exe[3328] msvcrt.dll!_open 77C2F566 5 Bytes JMP 0280000C
.text C:\WINDOWS\system32\wuauclt.exe[3328] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 02800FCF
.text C:\WINDOWS\system32\wuauclt.exe[3328] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0280001D
.text C:\WINDOWS\system32\wuauclt.exe[3328] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 02810014
.text C:\WINDOWS\system32\wuauclt.exe[3328] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 02810040
.text C:\WINDOWS\system32\wuauclt.exe[3328] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 02810FCD
.text C:\WINDOWS\system32\wuauclt.exe[3328] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 02810FDE
.text C:\WINDOWS\system32\wuauclt.exe[3328] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 02810025
.text C:\WINDOWS\system32\wuauclt.exe[3328] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 02810FEF
.text C:\WINDOWS\system32\wuauclt.exe[3328] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 02810F83
.text C:\WINDOWS\system32\wuauclt.exe[3328] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [A1, 8A]
.text C:\WINDOWS\system32\wuauclt.exe[3328] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 02810FA8
.text C:\WINDOWS\system32\wuauclt.exe[3328] WS2_32.dll!socket 71AB4211 5 Bytes JMP 027F0000

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\DRIVERS\tcpip.sys suspicious modification

---- EOF - GMER 1.0.15 ----

#13
heir

heir

    Trusted Helper

  • Malware Removal
  • 5,427 posts
:)
Hang in there.

We'll try a different approach.

Step 1.
TDSSKiller:


Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.


    Posted Image

  • If an infected file is detected, the default action will be Cure, click on Continue.


    Posted Image

  • If a suspicious file is detected, the default action will be Skip, click on Continue.


    Posted Image

  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.


    Posted Image

  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.
Step 2.
OTL-scan:


  • Double-click on OTL to run it. Make sure all other windows are closed and let it run uninterrupted.
  • Click the None button.
  • Under the Custom Scan box paste this in

    /md5start
    tcpip.sys
    /md5stop

  • Click the Run Scan button. The scan won't take long.
  • When the scan completes, it will open a notepad window with OTL.Txt that's saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of that file in your reply.


Step 3.
Things I would like to see in your reply:

  • The content of the log from TDSSKiller in step 1.
  • The content of OTL.txt from step 2.

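An added example, not code from this thread and not OTL's or TDSSKiller's own code: step 2 above asks OTL to hash tcpip.sys because the GMER log flagged that driver as modified. The script below reproduces the idea of that custom scan in Python. It finds every copy of a named driver under the given roots, MD5s each one (the digest OTL prints) and reports whether the live copy agrees with the backup copies. The Windows XP locations named in the docstring are where the live driver and its Windows File Protection copies normally live; the demo itself runs on a constructed temporary tree, and the root list, the sample bytes and every function name here are my assumptions.

```python
r"""
Added example (not from the thread, OTL or TDSSKiller): a stand-in for what
the OTL custom scan

    /md5start
    tcpip.sys
    /md5stop

reports. On a Windows XP system the roots would be
C:\WINDOWS\system32\drivers (the live driver), C:\WINDOWS\system32\dllcache
and C:\WINDOWS\ServicePackFiles\i386 (Windows File Protection copies). The
demo below builds a constructed temp tree with that shape so it runs anywhere.
"""
import hashlib
import os
import shutil
import tempfile
from collections import defaultdict


def md5_of_file(path, chunk=1 << 16):
    """Hex MD5 of a file, read in chunks so a large driver image is not slurped."""
    digest = hashlib.md5()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def find_copies(filename, roots):
    """Walk each root and return every file whose name matches, ignoring case
    (NTFS names are case-insensitive, so tcpip.sys and TCPIP.SYS are one file)."""
    wanted = filename.lower()
    found = []
    for root in roots:
        for dirpath, _subdirs, files in os.walk(root):
            found.extend(os.path.join(dirpath, n) for n in files if n.lower() == wanted)
    return sorted(found)


def hash_groups(filename, roots):
    """Group all copies by MD5: {hexdigest: [paths]}. More than one key means
    the copies on disk do not agree with each other."""
    groups = defaultdict(list)
    for path in find_copies(filename, roots):
        groups[md5_of_file(path)].append(path)
    return dict(groups)


def verdict(groups, live_path):
    """Classify the live driver against the backup copies.

    "missing"       no copy found anywhere
    "single_copy"   only one copy exists, nothing to compare against
    "consistent"    every copy has the same hash
    "live_differs"  the backups agree with each other but the live file does
                    not: the pattern of an on-disk patch of the running driver
    "inconsistent"  the copies disagree in some other way (e.g. mixed service
                    pack levels); a known-good hash is needed to settle it
    """
    paths = [p for copies in groups.values() for p in copies]
    if not paths:
        return "missing"
    if len(paths) == 1:
        return "single_copy"
    if len(groups) == 1:
        return "consistent"
    live = os.path.normcase(live_path)
    live_hash = next((h for h, copies in groups.items()
                      if any(os.path.normcase(p) == live for p in copies)), None)
    if live_hash is None:
        return "inconsistent"
    backup_hashes = set(groups) - {live_hash}
    if len(groups[live_hash]) == 1 and len(backup_hashes) == 1:
        return "live_differs"
    return "inconsistent"


def demo():
    """Constructed sample tree (not a real system): the live tcpip.sys has
    been altered, the two Windows File Protection copies have not."""
    base = tempfile.mkdtemp(prefix="md5scan_")
    original = b"MZ-constructed-original-driver-image"
    modified = b"MZ-constructed-original-driver-image+patched-bytes"
    sample = {
        ("drivers", "tcpip.sys"): modified,
        ("dllcache", "tcpip.sys"): original,
        ("ServicePackFiles", "i386", "tcpip.sys"): original,
    }
    try:
        for parts, content in sample.items():
            full = os.path.join(base, *parts)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as handle:
                handle.write(content)
        roots = [os.path.join(base, d) for d in ("drivers", "dllcache", "ServicePackFiles")]
        groups = hash_groups("tcpip.sys", roots)
        return verdict(groups, os.path.join(base, "drivers", "tcpip.sys"))
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    print("verdict on the constructed sample:", demo())
```

Matching hashes across the copies only show that they agree with each other, not that the driver is clean; the stronger check is the vendor's known-good hash for that service pack level, which the thread does not give, so the script deliberately does not hardcode one.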

#14
Armor500

Armor500

    Member

  • Topic Starter
  • Member
  • PipPip
  • 21 posts
Here are both, Heir.

OTL logfile created on: 9/15/2010 10:24:24 AM - Run 2
OTL by OldTimer - Version 3.2.12.0 Folder = C:\Documents and Settings\Jeff Nolan\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 75.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 88.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 465.75 Gb Total Space | 383.83 Gb Free Space | 82.41% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
Drive F: | 465.76 Gb Total Space | 403.80 Gb Free Space | 86.70% Space Free | Partition Type: NTFS
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: HOME-EE928C4A19
Current User Name: Jeff Nolan
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Modules (SafeList) ==========

MOD - [2010/09/15 05:23:44 | 000,576,000 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Jeff Nolan\Desktop\OTL.exe
MOD - [2009/07/20 12:29:06 | 000,045,584 | ---- | M] (Logitech, Inc.) -- C:\Program Files\Logitech\SetPoint\lgscroll.dll
MOD - [2009/07/20 12:25:22 | 000,064,016 | ---- | M] (Logitech, Inc.) -- C:\Program Files\Logitech\SetPoint\GameHook.dll
MOD - [2009/07/11 19:41:02 | 000,097,280 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_473666fd\ATL80.dll
MOD - [2009/03/06 04:33:26 | 000,961,888 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Office\Office12\GrooveUtil.dll
MOD - [2009/02/12 15:19:38 | 000,178,040 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
MOD - [2009/02/12 15:19:32 | 002,217,848 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
MOD - [2008/10/25 11:44:34 | 000,022,872 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Office\Office12\GrooveNew.dll
MOD - [2008/07/25 12:17:20 | 000,635,904 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\msvcr80.dll
MOD - [2008/04/13 19:10:20 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx
MOD - [2008/04/13 12:37:57 | 000,208,384 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\rsaenh.dll


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- D:\PciCon.sys -- (PciCon)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\DRIVERS\LMouKE.Sys -- (LMouKE)
DRV - File not found [Kernel | On_Demand | Stopped] -- D:\INSTALL\GMSIPCI.SYS -- (GMSIPCI)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\DOCUME~1\JEFFNO~1\LOCALS~1\Temp\catchme.sys -- (catchme)
DRV - [2010/08/11 08:02:26 | 000,015,008 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Program Files\Lavasoft\Ad-Aware\kernexplorer.sys -- (Lavasoft Kernexplorer)
DRV - [2010/07/15 15:18:22 | 000,120,136 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\Mpfp.sys -- (MPFP)
DRV - [2010/07/09 17:38:00 | 010,604,128 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2010/07/06 12:28:45 | 000,064,288 | ---- | M] (Lavasoft AB) [File_System | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\Lbd.sys -- (Lbd)
DRV - [2010/05/10 10:44:48 | 000,022,328 | ---- | M] (Your Corporation) [Kernel | On_Demand | Stopped] -- C:\Program Files\MSI\MSIWDev\DVDSYS32_100507.sys -- (MSI_DVD_010507)
DRV - [2010/05/10 10:44:42 | 000,025,912 | ---- | M] (Your Corporation) [Kernel | On_Demand | Stopped] -- C:\Program Files\MSI\MSIWDev\msibios32_100507.sys -- (MSI_MSIBIOS_010507)
DRV - [2010/05/10 10:44:36 | 000,016,696 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Program Files\MSI\MSIWDev\VGASYS32_100507.sys -- (MSI_VGASYS_010507)
DRV - [2009/09/16 10:22:48 | 000,214,664 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\mfehidk.sys -- (mfehidk)
DRV - [2009/09/16 10:22:48 | 000,079,816 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfeavfk.sys -- (mfeavfk)
DRV - [2009/09/16 10:22:48 | 000,040,552 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfesmfk.sys -- (mfesmfk)
DRV - [2009/09/16 10:22:48 | 000,035,272 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfebopk.sys -- (mfebopk)
DRV - [2009/09/16 10:22:14 | 000,034,248 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mferkdk.sys -- (mferkdk)
DRV - [2009/06/30 09:37:16 | 000,028,552 | ---- | M] (Panda Security, S.L.) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\pavboot.sys -- (pavboot)
DRV - [2009/06/17 11:56:16 | 000,037,392 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\LMouFilt.Sys -- (LMouFilt)
DRV - [2009/06/17 11:56:06 | 000,035,472 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\LHidFilt.Sys -- (LHidFilt)
DRV - [2009/03/18 09:54:44 | 000,039,440 | ---- | M] (COMODO Security Solutions Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\System32\drivers\csdf.sys -- (csdf)
DRV - [2009/03/18 09:53:06 | 000,036,624 | ---- | M] (COMODO Security Solutions Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\System32\drivers\crpf.sys -- (crpf)
DRV - [2009/01/07 20:33:44 | 000,392,320 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\timntr.sys -- (timounter)
DRV - [2009/01/07 20:33:44 | 000,032,768 | ---- | M] (Acronis) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\tifsfilt.sys -- (tifsfilter)
DRV - [2009/01/07 20:33:41 | 000,120,992 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\snapman.sys -- (snapman)
DRV - [2008/12/18 23:43:18 | 000,010,384 | ---- | M] (Logitech, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\LBeepKE.sys -- (LBeepKE)
DRV - [2008/04/17 03:33:26 | 004,707,328 | R--- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2008/04/13 13:36:38 | 000,020,352 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hidbatt.sys -- (HidBatt)
DRV - [2008/04/13 11:36:05 | 000,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2008/02/15 02:15:26 | 000,014,336 | R--- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nvsmu.sys -- (nvsmu)
DRV - [2008/01/28 23:37:48 | 000,022,016 | R--- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nvnetbus.sys -- (nvnetbus)
DRV - [2008/01/28 23:37:46 | 000,054,016 | R--- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\NVENETFD.sys -- (NVENETFD)
DRV - [2007/05/16 12:20:32 | 000,043,008 | ---- | M] (D-Link ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\dlkfet5b.sys -- (FETNDISB)
DRV - [2006/10/18 14:12:16 | 000,012,664 | R--- | M] () [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\AsIO.sys -- (AsIO)
DRV - [2006/08/15 00:09:48 | 000,083,200 | R--- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Rtenicxp.sys -- (RTLE8023xp)
DRV - [2006/07/02 01:39:40 | 000,036,864 | ---- | M] (Advanced Micro Devices) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\AmdK8.sys -- (AmdK8)
DRV - [2004/08/13 13:56:20 | 000,005,810 | R--- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ASACPI.sys -- (MTsensor)
DRV - [2004/08/03 17:31:34 | 000,020,992 | ---- | M] (Realtek Semiconductor Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\RTL8139.sys -- (rtl8139) Realtek RTL8139(A/B/C)
DRV - [2003/01/10 16:13:04 | 000,033,588 | R--- | M] (America Online, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\wanatw4.sys -- (wanatw) WAN Miniport (ATW)
DRV - [2002/06/23 16:31:20 | 000,045,568 | R--- | M] (D-Link Corporation ) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\DLKRTS.SYS -- (DLKRTS)
DRV - [2001/08/03 21:24:36 | 000,050,704 | ---- | M] (HP) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hphid409.sys -- (Dot4 HPH09)
DRV - [2001/08/03 21:24:36 | 000,050,051 | ---- | M] (Hewlett-Packard) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hphs2k09.sys -- (Dot4Storage HPH09) Storage Class Driver for IEEE-1284.4 (HPH09)
DRV - [2001/08/03 21:24:36 | 000,018,864 | ---- | M] (HP) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hphius09.sys -- (Dot4Usb HPH09)
DRV - [2001/08/03 21:24:36 | 000,015,984 | ---- | M] (HP) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hphipr09.sys -- (Dot4Print HPH09)


========== Files/Folders - Created Within 30 Days ==========

[2010/09/15 10:15:48 | 001,293,400 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Jeff Nolan\Desktop\TDSSKiller.exe
[2010/09/15 05:23:44 | 000,576,000 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Jeff Nolan\Desktop\OTL.exe
[2010/09/14 15:54:32 | 000,000,000 | --SD | C] -- C:\Kombfixs
[2010/09/14 14:47:19 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2010/09/14 14:45:00 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/09/14 14:45:00 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/09/14 14:45:00 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/09/14 14:45:00 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/09/14 14:44:49 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/09/14 14:44:20 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/09/14 13:35:42 | 000,000,000 | ---D | C] -- C:\WINDOWS\ie7updates
[2010/09/14 13:33:55 | 000,000,000 | -H-D | C] -- C:\WINDOWS\ie7
[2010/09/14 13:33:42 | 000,000,000 | -H-D | C] -- C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$
[2010/09/14 13:33:14 | 000,000,000 | -H-D | C] -- C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$
[2010/09/14 13:31:22 | 000,063,488 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\icardie.dll
[2010/09/14 13:31:22 | 000,013,824 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ieudinit.exe
[2010/09/14 13:31:21 | 002,452,872 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ieapfltr.dat
[2010/09/14 13:31:21 | 000,380,928 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ieapfltr.dll
[2010/09/14 13:31:20 | 000,991,232 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ieframe.dll.mui
[2010/09/14 10:46:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jeff Nolan\Desktop\Onlinestatements
[2010/09/14 10:46:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jeff Nolan\Desktop\Trackpins
[2010/09/14 10:46:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jeff Nolan\Desktop\Fossils
[2010/09/14 10:46:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jeff Nolan\Desktop\fluorescence-red
[2010/09/14 10:46:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jeff Nolan\Desktop\Style xp
[2010/09/14 10:46:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jeff Nolan\Desktop\Simon
[2010/09/14 10:46:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jeff Nolan\Desktop\Pics from desktop
[2010/09/14 10:46:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jeff Nolan\Desktop\Pens
[2010/09/14 10:46:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jeff Nolan\Desktop\Man
[2010/09/14 10:46:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jeff Nolan\Desktop\lee15
[2010/09/14 10:46:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jeff Nolan\Desktop\Victor
[2010/09/14 10:46:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jeff Nolan\Desktop\Rust
[2010/09/14 10:46:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jeff Nolan\Desktop\Music
[2010/09/14 10:46:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jeff Nolan\Desktop\JEmima
[2010/09/14 10:46:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jeff Nolan\Desktop\Jeep
[2010/09/14 10:46:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jeff Nolan\Desktop\image001
[2010/09/14 10:46:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jeff Nolan\Desktop\Chuck
[2010/09/14 10:02:11 | 000,000,000 | ---D | C] -- C:\Config.Msi
[2010/09/14 05:34:21 | 000,361,600 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\tcpip.sy@
[2010/09/13 17:33:04 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2010/09/13 17:09:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jeff Nolan\Desktop\oops
[2010/09/13 10:54:41 | 000,028,552 | ---- | C] (Panda Security, S.L.) -- C:\WINDOWS\System32\drivers\pavboot.sys
[2010/09/13 10:54:30 | 000,000,000 | ---D | C] -- C:\Program Files\Panda Security
[2010/09/12 09:38:24 | 000,000,000 | -H-D | C] -- C:\WINDOWS\msdownld.tmp
[2010/09/05 08:01:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jeff Nolan\Desktop\Figures
[2010/08/26 17:25:53 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2010/08/26 17:25:43 | 000,153,376 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2010/08/26 17:25:43 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2010/08/26 17:25:43 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2010/08/20 10:44:49 | 000,000,000 | ---D | C] -- C:\Program Files\FLV Player
[8 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/09/15 10:18:50 | 000,000,358 | ---- | M] () -- C:\WINDOWS\tasks\WECPUpdate.job
[2010/09/15 10:18:46 | 000,002,422 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/09/15 10:18:42 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/09/15 10:18:40 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/09/15 10:17:55 | 006,553,600 | ---- | M] () -- C:\Documents and Settings\Jeff Nolan\NTUSER.DAT
[2010/09/15 10:17:34 | 000,019,265 | ---- | M] () -- C:\WINDOWS\System32\Config.MPF
[2010/09/15 10:13:19 | 001,193,882 | ---- | M] () -- C:\Documents and Settings\Jeff Nolan\Desktop\tdsskiller.zip
[2010/09/15 10:07:00 | 000,000,998 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-776561741-527237240-839522115-1004UA.job
[2010/09/15 05:34:54 | 000,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2010/09/15 05:26:40 | 000,080,384 | ---- | M] () -- C:\Documents and Settings\Jeff Nolan\Desktop\MBRCheck.exe
[2010/09/15 05:25:12 | 000,284,915 | ---- | M] () -- C:\Documents and Settings\Jeff Nolan\Desktop\gmer.zip
[2010/09/15 05:23:44 | 000,576,000 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Jeff Nolan\Desktop\OTL.exe
[2010/09/15 05:00:41 | 002,994,590 | ---- | M] () -- C:\Documents and Settings\Jeff Nolan\Desktop\2010_0905Image0023.jpg
[2010/09/15 04:58:15 | 000,000,687 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/09/14 19:07:00 | 000,000,946 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-776561741-527237240-839522115-1004Core.job
[2010/09/14 14:47:25 | 000,000,339 | RHS- | M] () -- C:\boot.ini
[2010/09/14 14:42:19 | 003,845,016 | R--- | M] () -- C:\Documents and Settings\Jeff Nolan\Desktop\Kombfixs.exe
[2010/09/14 14:33:20 | 000,000,815 | ---- | M] () -- C:\Documents and Settings\Jeff Nolan\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2010/09/14 13:36:01 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/09/13 17:33:04 | 000,001,734 | ---- | M] () -- C:\Documents and Settings\Jeff Nolan\Desktop\HijackThis.lnk
[2010/09/13 14:41:06 | 000,000,097 | ---- | M] () -- C:\LUO.bat
[2010/09/13 10:31:28 | 000,000,036 | ---- | M] () -- C:\Documents and Settings\Jeff Nolan\Local Settings\Application Data\housecall.guid.cache
[2010/09/12 11:12:17 | 000,443,918 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/09/12 11:12:17 | 000,072,050 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/09/12 06:41:08 | 000,003,060 | ---- | M] () -- C:\WINDOWS\crpf.bin
[2010/09/08 21:00:23 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Jeff Nolan\ntuser.ini
[2010/09/07 14:44:52 | 001,293,400 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Jeff Nolan\Desktop\TDSSKiller.exe
[2010/09/01 19:12:06 | 000,014,881 | ---- | M] () -- C:\Documents and Settings\Jeff Nolan\My Documents\The Discovery Channel MUST broadcast to the world their commitment to save the planet and to do the following IMMEDIATELY.docx
[2010/08/21 11:10:41 | 004,452,992 | ---- | M] () -- C:\Documents and Settings\Jeff Nolan\Desktop\file____C__Documents%20and%20Settings_Jeff%20Nolan_Desktop_Armorama%20%20M4%20Aunt%20Jemima%20-%201-35%20scale.pdf
[2010/08/20 10:43:16 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/08/19 14:33:18 | 000,000,069 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[8 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/09/15 10:13:19 | 001,193,882 | ---- | C] () -- C:\Documents and Settings\Jeff Nolan\Desktop\tdsskiller.zip
[2010/09/15 05:43:08 | 000,293,376 | ---- | C] () -- C:\Documents and Settings\Jeff Nolan\Desktop\gmer.exe
[2010/09/15 05:26:40 | 000,080,384 | ---- | C] () -- C:\Documents and Settings\Jeff Nolan\Desktop\MBRCheck.exe
[2010/09/15 05:25:12 | 000,284,915 | ---- | C] () -- C:\Documents and Settings\Jeff Nolan\Desktop\gmer.zip
[2010/09/15 05:00:29 | 002,994,590 | ---- | C] () -- C:\Documents and Settings\Jeff Nolan\Desktop\2010_0905Image0023.jpg
[2010/09/14 14:47:24 | 000,000,223 | ---- | C] () -- C:\Boot.bak
[2010/09/14 14:47:20 | 000,260,272 | RHS- | C] () -- C:\cmldr
[2010/09/14 14:45:00 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/09/14 14:45:00 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/09/14 14:45:00 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/09/14 14:45:00 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/09/14 14:45:00 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/09/14 14:42:19 | 003,845,016 | R--- | C] () -- C:\Documents and Settings\Jeff Nolan\Desktop\Kombfixs.exe
[2010/09/14 14:33:20 | 000,000,815 | ---- | C] () -- C:\Documents and Settings\Jeff Nolan\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2010/09/13 17:33:04 | 000,001,734 | ---- | C] () -- C:\Documents and Settings\Jeff Nolan\Desktop\HijackThis.lnk
[2010/09/13 10:31:28 | 000,000,036 | ---- | C] () -- C:\Documents and Settings\Jeff Nolan\Local Settings\Application Data\housecall.guid.cache
[2010/09/12 05:57:34 | 000,003,060 | ---- | C] () -- C:\WINDOWS\crpf.bin
[2010/09/01 19:12:06 | 000,014,881 | ---- | C] () -- C:\Documents and Settings\Jeff Nolan\My Documents\The Discovery Channel MUST broadcast to the world their commitment to save the planet and to do the following IMMEDIATELY.docx
[2010/08/21 11:10:40 | 004,452,992 | ---- | C] () -- C:\Documents and Settings\Jeff Nolan\Desktop\file____C__Documents%20and%20Settings_Jeff%20Nolan_Desktop_Armorama%20%20M4%20Aunt%20Jemima%20-%201-35%20scale.pdf
[2009/10/07 14:25:47 | 000,000,133 | ---- | C] () -- C:\Documents and Settings\Jeff Nolan\Local Settings\Application Data\fusioncache.dat
[2009/01/17 21:44:28 | 000,000,069 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2009/01/17 19:53:38 | 000,014,848 | ---- | C] () -- C:\Documents and Settings\Jeff Nolan\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/01/15 13:45:39 | 000,000,029 | ---- | C] () -- C:\WINDOWS\DEBUGSM.INI
[2009/01/15 13:41:26 | 000,290,919 | ---- | C] () -- C:\WINDOWS\System32\pythoncom21.dll
[2009/01/15 13:41:26 | 000,057,344 | ---- | C] () -- C:\WINDOWS\System32\PyWinTypes21.dll
[2009/01/15 13:39:30 | 000,096,768 | ---- | C] () -- C:\WINDOWS\SlantAdj.dll
[2009/01/15 13:39:30 | 000,000,072 | ---- | C] () -- C:\WINDOWS\System32\epDPE.ini
[2009/01/15 13:38:00 | 000,000,111 | ---- | C] () -- C:\WINDOWS\EPSON Perfection 3170.ini
[2009/01/15 13:30:11 | 000,000,034 | ---- | C] () -- C:\WINDOWS\hpfsched.ini
[2009/01/14 18:06:06 | 000,000,000 | ---- | C] () -- C:\WINDOWS\OpPrintServer.INI
[2009/01/02 11:58:56 | 000,024,576 | R--- | C] () -- C:\WINDOWS\System32\AsIO.dll
[2009/01/02 11:58:56 | 000,012,664 | R--- | C] () -- C:\WINDOWS\System32\drivers\AsIO.sys
[2009/01/02 11:50:24 | 000,022,388 | ---- | C] () -- C:\WINDOWS\Ascd_log.ini
[2009/01/02 11:50:13 | 000,020,691 | ---- | C] () -- C:\WINDOWS\Ascd_tmp.ini
[2009/01/02 11:50:11 | 000,005,810 | R--- | C] () -- C:\WINDOWS\System32\drivers\ASACPI.sys
[2009/01/02 11:50:00 | 000,012,536 | ---- | C] () -- C:\WINDOWS\System32\drivers\ASUSHWIO.SYS
[2008/02/01 09:18:14 | 000,009,216 | ---- | C] () -- C:\WINDOWS\System32\drivers\FlashSys.sys
[2007/06/28 11:43:00 | 000,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
[2004/09/17 20:37:42 | 000,069,632 | ---- | C] () -- C:\WINDOWS\System32\vuins32.dll

========== Custom Scans ==========



< MD5 for: TCPIP.SYS >
[2008/04/13 14:20:16 | 000,361,344 | ---- | M] (Microsoft Corporation) MD5=93EA8D04EC73A85DB02EB8805988F733 -- C:\WINDOWS\$NtUninstallKB951748$\tcpip.sys
[2008/04/13 14:20:16 | 000,361,344 | ---- | M] (Microsoft Corporation) MD5=93EA8D04EC73A85DB02EB8805988F733 -- C:\WINDOWS\ServicePackFiles\i386\tcpip.sys
[2008/06/20 06:51:12 | 000,361,600 | ---- | M] (Microsoft Corporation) MD5=9AEFA14BD6B182D61E3119FA5F436D3D -- C:\WINDOWS\system32\dllcache\tcpip.sys
[2010/09/15 10:18:21 | 000,361,600 | ---- | M] (Microsoft Corporation) MD5=9AEFA14BD6B182D61E3119FA5F436D3D -- C:\WINDOWS\system32\drivers\tcpip.sys
[2006/02/28 07:00:00 | 000,359,040 | ---- | M] (Microsoft Corporation) MD5=9F4B36614A0FC234525BA224957DE55C -- C:\WINDOWS\$NtServicePackUninstall$\tcpip.sys
[2008/06/20 06:59:02 | 000,361,600 | ---- | M] (Microsoft Corporation) MD5=AD978A1B783B5719720CFF204B666C8E -- C:\WINDOWS\$hf_mig$\KB951748\SP3QFE\tcpip.sys

========== Alternate Data Streams ==========

@Alternate Data Stream - 88 bytes -> C:\LUO.bat:SummaryInformation
@Alternate Data Stream - 88 bytes -> C:\Documents and Settings\All Users\Documents\Microsoft Windows Office Xp 2006.zip:SummaryInformation
< End of report >
Second one; there will be three of them.

oops

OTL logfile created on: 9/15/2010 10:24:24 AM - Run 2
OTL by OldTimer - Version 3.2.12.0 Folder = C:\Documents and Settings\Jeff Nolan\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 75.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 88.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 465.75 Gb Total Space | 383.83 Gb Free Space | 82.41% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
Drive F: | 465.76 Gb Total Space | 403.80 Gb Free Space | 86.70% Space Free | Partition Type: NTFS
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: HOME-EE928C4A19
Current User Name: Jeff Nolan
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Modules (SafeList) ==========

MOD - [2010/09/15 05:23:44 | 000,576,000 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Jeff Nolan\Desktop\OTL.exe
MOD - [2009/07/20 12:29:06 | 000,045,584 | ---- | M] (Logitech, Inc.) -- C:\Program Files\Logitech\SetPoint\lgscroll.dll
MOD - [2009/07/20 12:25:22 | 000,064,016 | ---- | M] (Logitech, Inc.) -- C:\Program Files\Logitech\SetPoint\GameHook.dll
MOD - [2009/07/11 19:41:02 | 000,097,280 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_473666fd\ATL80.dll
MOD - [2009/03/06 04:33:26 | 000,961,888 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Office\Office12\GrooveUtil.dll
MOD - [2009/02/12 15:19:38 | 000,178,040 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
MOD - [2009/02/12 15:19:32 | 002,217,848 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
MOD - [2008/10/25 11:44:34 | 000,022,872 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Office\Office12\GrooveNew.dll
MOD - [2008/07/25 12:17:20 | 000,635,904 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\msvcr80.dll
MOD - [2008/04/13 19:10:20 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx
MOD - [2008/04/13 12:37:57 | 000,208,384 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\rsaenh.dll


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- D:\PciCon.sys -- (PciCon)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\DRIVERS\LMouKE.Sys -- (LMouKE)
DRV - File not found [Kernel | On_Demand | Stopped] -- D:\INSTALL\GMSIPCI.SYS -- (GMSIPCI)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\DOCUME~1\JEFFNO~1\LOCALS~1\Temp\catchme.sys -- (catchme)
DRV - [2010/08/11 08:02:26 | 000,015,008 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Program Files\Lavasoft\Ad-Aware\kernexplorer.sys -- (Lavasoft Kernexplorer)
DRV - [2010/07/15 15:18:22 | 000,120,136 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\Mpfp.sys -- (MPFP)
DRV - [2010/07/09 17:38:00 | 010,604,128 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2010/07/06 12:28:45 | 000,064,288 | ---- | M] (Lavasoft AB) [File_System | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\Lbd.sys -- (Lbd)
DRV - [2010/05/10 10:44:48 | 000,022,328 | ---- | M] (Your Corporation) [Kernel | On_Demand | Stopped] -- C:\Program Files\MSI\MSIWDev\DVDSYS32_100507.sys -- (MSI_DVD_010507)
DRV - [2010/05/10 10:44:42 | 000,025,912 | ---- | M] (Your Corporation) [Kernel | On_Demand | Stopped] -- C:\Program Files\MSI\MSIWDev\msibios32_100507.sys -- (MSI_MSIBIOS_010507)
DRV - [2010/05/10 10:44:36 | 000,016,696 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Program Files\MSI\MSIWDev\VGASYS32_100507.sys -- (MSI_VGASYS_010507)
DRV - [2009/09/16 10:22:48 | 000,214,664 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\mfehidk.sys -- (mfehidk)
DRV - [2009/09/16 10:22:48 | 000,079,816 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfeavfk.sys -- (mfeavfk)
DRV - [2009/09/16 10:22:48 | 000,040,552 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfesmfk.sys -- (mfesmfk)
DRV - [2009/09/16 10:22:48 | 000,035,272 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfebopk.sys -- (mfebopk)
DRV - [2009/09/16 10:22:14 | 000,034,248 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mferkdk.sys -- (mferkdk)
DRV - [2009/06/30 09:37:16 | 000,028,552 | ---- | M] (Panda Security, S.L.) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\pavboot.sys -- (pavboot)
DRV - [2009/06/17 11:56:16 | 000,037,392 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\LMouFilt.Sys -- (LMouFilt)
DRV - [2009/06/17 11:56:06 | 000,035,472 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\LHidFilt.Sys -- (LHidFilt)
DRV - [2009/03/18 09:54:44 | 000,039,440 | ---- | M] (COMODO Security Solutions Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\System32\drivers\csdf.sys -- (csdf)
DRV - [2009/03/18 09:53:06 | 000,036,624 | ---- | M] (COMODO Security Solutions Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\System32\drivers\crpf.sys -- (crpf)
DRV - [2009/01/07 20:33:44 | 000,392,320 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\timntr.sys -- (timounter)
DRV - [2009/01/07 20:33:44 | 000,032,768 | ---- | M] (Acronis) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\tifsfilt.sys -- (tifsfilter)
DRV - [2009/01/07 20:33:41 | 000,120,992 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\snapman.sys -- (snapman)
DRV - [2008/12/18 23:43:18 | 000,010,384 | ---- | M] (Logitech, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\LBeepKE.sys -- (LBeepKE)
DRV - [2008/04/17 03:33:26 | 004,707,328 | R--- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2008/04/13 13:36:38 | 000,020,352 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hidbatt.sys -- (HidBatt)
DRV - [2008/04/13 11:36:05 | 000,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2008/02/15 02:15:26 | 000,014,336 | R--- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nvsmu.sys -- (nvsmu)
DRV - [2008/01/28 23:37:48 | 000,022,016 | R--- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nvnetbus.sys -- (nvnetbus)
DRV - [2008/01/28 23:37:46 | 000,054,016 | R--- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\NVENETFD.sys -- (NVENETFD)
DRV - [2007/05/16 12:20:32 | 000,043,008 | ---- | M] (D-Link ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\dlkfet5b.sys -- (FETNDISB)
DRV - [2006/10/18 14:12:16 | 000,012,664 | R--- | M] () [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\AsIO.sys -- (AsIO)
DRV - [2006/08/15 00:09:48 | 000,083,200 | R--- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Rtenicxp.sys -- (RTLE8023xp)
DRV - [2006/07/02 01:39:40 | 000,036,864 | ---- | M] (Advanced Micro Devices) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\AmdK8.sys -- (AmdK8)
DRV - [2004/08/13 13:56:20 | 000,005,810 | R--- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ASACPI.sys -- (MTsensor)
DRV - [2004/08/03 17:31:34 | 000,020,992 | ---- | M] (Realtek Semiconductor Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\RTL8139.sys -- (rtl8139) Realtek RTL8139(A/B/C)
DRV - [2003/01/10 16:13:04 | 000,033,588 | R--- | M] (America Online, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\wanatw4.sys -- (wanatw) WAN Miniport (ATW)
DRV - [2002/06/23 16:31:20 | 000,045,568 | R--- | M] (D-Link Corporation ) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\DLKRTS.SYS -- (DLKRTS)
DRV - [2001/08/03 21:24:36 | 000,050,704 | ---- | M] (HP) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hphid409.sys -- (Dot4 HPH09)
DRV - [2001/08/03 21:24:36 | 000,050,051 | ---- | M] (Hewlett-Packard) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hphs2k09.sys -- (Dot4Storage HPH09) Storage Class Driver for IEEE-1284.4 (HPH09)
DRV - [2001/08/03 21:24:36 | 000,018,864 | ---- | M] (HP) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hphius09.sys -- (Dot4Usb HPH09)
DRV - [2001/08/03 21:24:36 | 000,015,984 | ---- | M] (HP) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hphipr09.sys -- (Dot4Print HPH09)


========== Files/Folders - Created Within 30 Days ==========

[2010/09/15 10:15:48 | 001,293,400 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Jeff Nolan\Desktop\TDSSKiller.exe
[2010/09/15 05:23:44 | 000,576,000 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Jeff Nolan\Desktop\OTL.exe
[2010/09/14 15:54:32 | 000,000,000 | --SD | C] -- C:\Kombfixs
[2010/09/14 14:47:19 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2010/09/14 14:45:00 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/09/14 14:45:00 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/09/14 14:45:00 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/09/14 14:45:00 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/09/14 14:44:49 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/09/14 14:44:20 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/09/14 13:35:42 | 000,000,000 | ---D | C] -- C:\WINDOWS\ie7updates
[2010/09/14 13:33:55 | 000,000,000 | -H-D | C] -- C:\WINDOWS\ie7
[2010/09/14 13:33:42 | 000,000,000 | -H-D | C] -- C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$
[2010/09/14 13:33:14 | 000,000,000 | -H-D | C] -- C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$
[2010/09/14 13:31:22 | 000,063,488 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\icardie.dll
[2010/09/14 13:31:22 | 000,013,824 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ieudinit.exe
[2010/09/14 13:31:21 | 002,452,872 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ieapfltr.dat
[2010/09/14 13:31:21 | 000,380,928 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ieapfltr.dll
[2010/09/14 13:31:20 | 000,991,232 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ieframe.dll.mui
[2010/09/14 10:46:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jeff Nolan\Desktop\Onlinestatements
[2010/09/14 10:46:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jeff Nolan\Desktop\Trackpins
[2010/09/14 10:46:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jeff Nolan\Desktop\Fossils
[2010/09/14 10:46:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jeff Nolan\Desktop\fluorescence-red
[2010/09/14 10:46:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jeff Nolan\Desktop\Style xp
[2010/09/14 10:46:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jeff Nolan\Desktop\Simon
[2010/09/14 10:46:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jeff Nolan\Desktop\Pics from desktop
[2010/09/14 10:46:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jeff Nolan\Desktop\Pens
[2010/09/14 10:46:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jeff Nolan\Desktop\Man
[2010/09/14 10:46:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jeff Nolan\Desktop\lee15
[2010/09/14 10:46:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jeff Nolan\Desktop\Victor
[2010/09/14 10:46:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jeff Nolan\Desktop\Rust
[2010/09/14 10:46:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jeff Nolan\Desktop\Music
[2010/09/14 10:46:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jeff Nolan\Desktop\JEmima
[2010/09/14 10:46:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jeff Nolan\Desktop\Jeep
[2010/09/14 10:46:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jeff Nolan\Desktop\image001
[2010/09/14 10:46:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jeff Nolan\Desktop\Chuck
[2010/09/14 10:02:11 | 000,000,000 | ---D | C] -- C:\Config.Msi
[2010/09/14 05:34:21 | 000,361,600 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\tcpip.sy@
[2010/09/13 17:33:04 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2010/09/13 17:09:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jeff Nolan\Desktop\oops
[2010/09/13 10:54:41 | 000,028,552 | ---- | C] (Panda Security, S.L.) -- C:\WINDOWS\System32\drivers\pavboot.sys
[2010/09/13 10:54:30 | 000,000,000 | ---D | C] -- C:\Program Files\Panda Security
[2010/09/12 09:38:24 | 000,000,000 | -H-D | C] -- C:\WINDOWS\msdownld.tmp
[2010/09/05 08:01:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jeff Nolan\Desktop\Figures
[2010/08/26 17:25:53 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2010/08/26 17:25:43 | 000,153,376 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2010/08/26 17:25:43 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2010/08/26 17:25:43 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2010/08/20 10:44:49 | 000,000,000 | ---D | C] -- C:\Program Files\FLV Player
[8 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/09/15 10:18:50 | 000,000,358 | ---- | M] () -- C:\WINDOWS\tasks\WECPUpdate.job
[2010/09/15 10:18:46 | 000,002,422 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/09/15 10:18:42 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/09/15 10:18:40 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/09/15 10:17:55 | 006,553,600 | ---- | M] () -- C:\Documents and Settings\Jeff Nolan\NTUSER.DAT
[2010/09/15 10:17:34 | 000,019,265 | ---- | M] () -- C:\WINDOWS\System32\Config.MPF
[2010/09/15 10:13:19 | 001,193,882 | ---- | M] () -- C:\Documents and Settings\Jeff Nolan\Desktop\tdsskiller.zip
[2010/09/15 10:07:00 | 000,000,998 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-776561741-527237240-839522115-1004UA.job
[2010/09/15 05:34:54 | 000,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2010/09/15 05:26:40 | 000,080,384 | ---- | M] () -- C:\Documents and Settings\Jeff Nolan\Desktop\MBRCheck.exe
[2010/09/15 05:25:12 | 000,284,915 | ---- | M] () -- C:\Documents and Settings\Jeff Nolan\Desktop\gmer.zip
[2010/09/15 05:23:44 | 000,576,000 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Jeff Nolan\Desktop\OTL.exe
[2010/09/15 05:00:41 | 002,994,590 | ---- | M] () -- C:\Documents and Settings\Jeff Nolan\Desktop\2010_0905Image0023.jpg
[2010/09/15 04:58:15 | 000,000,687 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/09/14 19:07:00 | 000,000,946 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-776561741-527237240-839522115-1004Core.job
[2010/09/14 14:47:25 | 000,000,339 | RHS- | M] () -- C:\boot.ini
[2010/09/14 14:42:19 | 003,845,016 | R--- | M] () -- C:\Documents and Settings\Jeff Nolan\Desktop\Kombfixs.exe
[2010/09/14 14:33:20 | 000,000,815 | ---- | M] () -- C:\Documents and Settings\Jeff Nolan\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2010/09/14 13:36:01 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/09/13 17:33:04 | 000,001,734 | ---- | M] () -- C:\Documents and Settings\Jeff Nolan\Desktop\HijackThis.lnk
[2010/09/13 14:41:06 | 000,000,097 | ---- | M] () -- C:\LUO.bat
[2010/09/13 10:31:28 | 000,000,036 | ---- | M] () -- C:\Documents and Settings\Jeff Nolan\Local Settings\Application Data\housecall.guid.cache
[2010/09/12 11:12:17 | 000,443,918 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/09/12 11:12:17 | 000,072,050 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/09/12 06:41:08 | 000,003,060 | ---- | M] () -- C:\WINDOWS\crpf.bin
[2010/09/08 21:00:23 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Jeff Nolan\ntuser.ini
[2010/09/07 14:44:52 | 001,293,400 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Jeff Nolan\Desktop\TDSSKiller.exe
[2010/09/01 19:12:06 | 000,014,881 | ---- | M] () -- C:\Documents and Settings\Jeff Nolan\My Documents\The Discovery Channel MUST broadcast to the world their commitment to save the planet and to do the following IMMEDIATELY.docx
[2010/08/21 11:10:41 | 004,452,992 | ---- | M] () -- C:\Documents and Settings\Jeff Nolan\Desktop\file____C__Documents%20and%20Settings_Jeff%20Nolan_Desktop_Armorama%20%20M4%20Aunt%20Jemima%20-%201-35%20scale.pdf
[2010/08/20 10:43:16 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/08/19 14:33:18 | 000,000,069 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[8 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/09/15 10:13:19 | 001,193,882 | ---- | C] () -- C:\Documents and Settings\Jeff Nolan\Desktop\tdsskiller.zip
[2010/09/15 05:43:08 | 000,293,376 | ---- | C] () -- C:\Documents and Settings\Jeff Nolan\Desktop\gmer.exe
[2010/09/15 05:26:40 | 000,080,384 | ---- | C] () -- C:\Documents and Settings\Jeff Nolan\Desktop\MBRCheck.exe
[2010/09/15 05:25:12 | 000,284,915 | ---- | C] () -- C:\Documents and Settings\Jeff Nolan\Desktop\gmer.zip
[2010/09/15 05:00:29 | 002,994,590 | ---- | C] () -- C:\Documents and Settings\Jeff Nolan\Desktop\2010_0905Image0023.jpg
[2010/09/14 14:47:24 | 000,000,223 | ---- | C] () -- C:\Boot.bak
[2010/09/14 14:47:20 | 000,260,272 | RHS- | C] () -- C:\cmldr
[2010/09/14 14:45:00 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/09/14 14:45:00 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/09/14 14:45:00 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/09/14 14:45:00 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/09/14 14:45:00 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/09/14 14:42:19 | 003,845,016 | R--- | C] () -- C:\Documents and Settings\Jeff Nolan\Desktop\Kombfixs.exe
[2010/09/14 14:33:20 | 000,000,815 | ---- | C] () -- C:\Documents and Settings\Jeff Nolan\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2010/09/13 17:33:04 | 000,001,734 | ---- | C] () -- C:\Documents and Settings\Jeff Nolan\Desktop\HijackThis.lnk
[2010/09/13 10:31:28 | 000,000,036 | ---- | C] () -- C:\Documents and Settings\Jeff Nolan\Local Settings\Application Data\housecall.guid.cache
[2010/09/12 05:57:34 | 000,003,060 | ---- | C] () -- C:\WINDOWS\crpf.bin
[2010/09/01 19:12:06 | 000,014,881 | ---- | C] () -- C:\Documents and Settings\Jeff Nolan\My Documents\The Discovery Channel MUST broadcast to the world their commitment to save the planet and to do the following IMMEDIATELY.docx
[2010/08/21 11:10:40 | 004,452,992 | ---- | C] () -- C:\Documents and Settings\Jeff Nolan\Desktop\file____C__Documents%20and%20Settings_Jeff%20Nolan_Desktop_Armorama%20%20M4%20Aunt%20Jemima%20-%201-35%20scale.pdf
[2009/10/07 14:25:47 | 000,000,133 | ---- | C] () -- C:\Documents and Settings\Jeff Nolan\Local Settings\Application Data\fusioncache.dat
[2009/01/17 21:44:28 | 000,000,069 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2009/01/17 19:53:38 | 000,014,848 | ---- | C] () -- C:\Documents and Settings\Jeff Nolan\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/01/15 13:45:39 | 000,000,029 | ---- | C] () -- C:\WINDOWS\DEBUGSM.INI
[2009/01/15 13:41:26 | 000,290,919 | ---- | C] () -- C:\WINDOWS\System32\pythoncom21.dll
[2009/01/15 13:41:26 | 000,057,344 | ---- | C] () -- C:\WINDOWS\System32\PyWinTypes21.dll
[2009/01/15 13:39:30 | 000,096,768 | ---- | C] () -- C:\WINDOWS\SlantAdj.dll
[2009/01/15 13:39:30 | 000,000,072 | ---- | C] () -- C:\WINDOWS\System32\epDPE.ini
[2009/01/15 13:38:00 | 000,000,111 | ---- | C] () -- C:\WINDOWS\EPSON Perfection 3170.ini
[2009/01/15 13:30:11 | 000,000,034 | ---- | C] () -- C:\WINDOWS\hpfsched.ini
[2009/01/14 18:06:06 | 000,000,000 | ---- | C] () -- C:\WINDOWS\OpPrintServer.INI
[2009/01/02 11:58:56 | 000,024,576 | R--- | C] () -- C:\WINDOWS\System32\AsIO.dll
[2009/01/02 11:58:56 | 000,012,664 | R--- | C] () -- C:\WINDOWS\System32\drivers\AsIO.sys
[2009/01/02 11:50:24 | 000,022,388 | ---- | C] () -- C:\WINDOWS\Ascd_log.ini
[2009/01/02 11:50:13 | 000,020,691 | ---- | C] () -- C:\WINDOWS\Ascd_tmp.ini
[2009/01/02 11:50:11 | 000,005,810 | R--- | C] () -- C:\WINDOWS\System32\drivers\ASACPI.sys
[2009/01/02 11:50:00 | 000,012,536 | ---- | C] () -- C:\WINDOWS\System32\drivers\ASUSHWIO.SYS
[2008/02/01 09:18:14 | 000,009,216 | ---- | C] () -- C:\WINDOWS\System32\drivers\FlashSys.sys
[2007/06/28 11:43:00 | 000,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
[2004/09/17 20:37:42 | 000,069,632 | ---- | C] () -- C:\WINDOWS\System32\vuins32.dll

========== Custom Scans ==========



< MD5 for: TCPIP.SYS >
[2008/04/13 14:20:16 | 000,361,344 | ---- | M] (Microsoft Corporation) MD5=93EA8D04EC73A85DB02EB8805988F733 -- C:\WINDOWS\$NtUninstallKB951748$\tcpip.sys
[2008/04/13 14:20:16 | 000,361,344 | ---- | M] (Microsoft Corporation) MD5=93EA8D04EC73A85DB02EB8805988F733 -- C:\WINDOWS\ServicePackFiles\i386\tcpip.sys
[2008/06/20 06:51:12 | 000,361,600 | ---- | M] (Microsoft Corporation) MD5=9AEFA14BD6B182D61E3119FA5F436D3D -- C:\WINDOWS\system32\dllcache\tcpip.sys
[2010/09/15 10:18:21 | 000,361,600 | ---- | M] (Microsoft Corporation) MD5=9AEFA14BD6B182D61E3119FA5F436D3D -- C:\WINDOWS\system32\drivers\tcpip.sys
[2006/02/28 07:00:00 | 000,359,040 | ---- | M] (Microsoft Corporation) MD5=9F4B36614A0FC234525BA224957DE55C -- C:\WINDOWS\$NtServicePackUninstall$\tcpip.sys
[2008/06/20 06:59:02 | 000,361,600 | ---- | M] (Microsoft Corporation) MD5=AD978A1B783B5719720CFF204B666C8E -- C:\WINDOWS\$hf_mig$\KB951748\SP3QFE\tcpip.sys

========== Alternate Data Streams ==========

@Alternate Data Stream - 88 bytes -> C:\LUO.bat:SummaryInformation
@Alternate Data Stream - 88 bytes -> C:\Documents and Settings\All Users\Documents\Microsoft Windows Office Xp 2006.zip:SummaryInformation
< End of report >

2010/09/15 10:15:53.0593 TDSS rootkit removing tool 2.4.2.1 Sep 7 2010 14:43:44
2010/09/15 10:15:53.0593 ================================================================================
2010/09/15 10:15:53.0593 SystemInfo:
2010/09/15 10:15:53.0593
2010/09/15 10:15:53.0593 OS Version: 5.1.2600 ServicePack: 3.0
2010/09/15 10:15:53.0593 Product type: Workstation
2010/09/15 10:15:53.0593 ComputerName: HOME-EE928C4A19
2010/09/15 10:15:53.0593 UserName: Jeff Nolan
2010/09/15 10:15:53.0593 Windows directory: C:\WINDOWS
2010/09/15 10:15:53.0593 System windows directory: C:\WINDOWS
2010/09/15 10:15:53.0593 Processor architecture: Intel x86
2010/09/15 10:15:53.0593 Number of processors: 2
2010/09/15 10:15:53.0593 Page size: 0x1000
2010/09/15 10:15:53.0593 Boot type: Normal boot
2010/09/15 10:15:53.0593 ================================================================================
2010/09/15 10:15:53.0828 Initialize success
2010/09/15 10:15:55.0687 ================================================================================
2010/09/15 10:15:55.0687 Scan started
2010/09/15 10:15:55.0687 Mode: Manual;
2010/09/15 10:15:55.0687 ================================================================================
2010/09/15 10:15:56.0859 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2010/09/15 10:15:56.0906 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2010/09/15 10:15:56.0968 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2010/09/15 10:15:57.0015 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
2010/09/15 10:15:57.0109 AmdK8 (efbb0956baed786e137351b5ca272aef) C:\WINDOWS\system32\DRIVERS\AmdK8.sys
2010/09/15 10:15:57.0203 AsIO (663f2fb92608073824ee3106886120f3) C:\WINDOWS\system32\drivers\AsIO.sys
2010/09/15 10:15:57.0250 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2010/09/15 10:15:57.0265 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2010/09/15 10:15:57.0296 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2010/09/15 10:15:57.0343 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2010/09/15 10:15:57.0390 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2010/09/15 10:15:57.0515 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2010/09/15 10:15:57.0546 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2010/09/15 10:15:57.0578 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2010/09/15 10:15:57.0578 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2010/09/15 10:15:57.0640 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
2010/09/15 10:15:57.0687 crpf (3784e30088eb99ea0f3b18ce57bd9e24) C:\WINDOWS\system32\drivers\crpf.sys
2010/09/15 10:15:57.0703 csdf (af3bb459f6045468c8c3e3eead750033) C:\WINDOWS\system32\drivers\csdf.sys
2010/09/15 10:15:57.0750 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2010/09/15 10:15:57.0781 DLKRTS (93be41e734ee36bfe71262fc8d684a86) C:\WINDOWS\system32\DRIVERS\DLKRTS.SYS
2010/09/15 10:15:57.0812 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2010/09/15 10:15:57.0843 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2010/09/15 10:15:57.0875 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2010/09/15 10:15:57.0890 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2010/09/15 10:15:57.0921 Dot4 HPH09 (2068615663658b16192dd03ff859519f) C:\WINDOWS\system32\DRIVERS\hphid409.sys
2010/09/15 10:15:57.0937 Dot4Print HPH09 (dd5b51abff07b6b79ed87cbe1494c587) C:\WINDOWS\system32\DRIVERS\hphipr09.sys
2010/09/15 10:15:57.0953 Dot4Storage HPH09 (1f842d5b9477a97953bebf30cb75ed8e) C:\WINDOWS\system32\Drivers\hphs2k09.sys
2010/09/15 10:15:57.0968 Dot4Usb HPH09 (2d01d4e8685513be57f4eaf45756c8e8) C:\WINDOWS\system32\drivers\hphius09.sys
2010/09/15 10:15:58.0000 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2010/09/15 10:15:58.0031 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2010/09/15 10:15:58.0062 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
2010/09/15 10:15:58.0093 FETNDISB (95bc4d8493fe30312f5e1ab57ef36083) C:\WINDOWS\system32\DRIVERS\dlkfet5b.sys
2010/09/15 10:15:58.0109 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2010/09/15 10:15:58.0125 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2010/09/15 10:15:58.0156 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2010/09/15 10:15:58.0171 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2010/09/15 10:15:58.0187 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2010/09/15 10:15:58.0218 GEARAspiWDM (8210b0b16e674586d331e804f81635bd) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
2010/09/15 10:15:58.0234 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2010/09/15 10:15:58.0250 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
2010/09/15 10:15:58.0281 HidBatt (748031ff4fe45ccc47546294905feab8) C:\WINDOWS\system32\DRIVERS\HidBatt.sys
2010/09/15 10:15:58.0296 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2010/09/15 10:15:58.0359 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2010/09/15 10:15:58.0421 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2010/09/15 10:15:58.0437 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2010/09/15 10:15:58.0562 IntcAzAudAddService (b2957d6c1226f029230dac2c46d34286) C:\WINDOWS\system32\drivers\RtkHDAud.sys
2010/09/15 10:15:58.0671 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2010/09/15 10:15:58.0765 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2010/09/15 10:15:58.0859 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2010/09/15 10:15:58.0937 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2010/09/15 10:15:59.0031 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2010/09/15 10:15:59.0062 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2010/09/15 10:15:59.0078 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2010/09/15 10:15:59.0093 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2010/09/15 10:15:59.0109 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2010/09/15 10:15:59.0140 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2010/09/15 10:15:59.0171 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2010/09/15 10:15:59.0218 Lavasoft Kernexplorer (32da3fde01f1bb080c2e69521dd8881e) C:\Program Files\Lavasoft\Ad-Aware\KernExplorer.sys
2010/09/15 10:15:59.0234 Lbd (b7c19ec8b0dd7efa58ad41ffeb8b8cda) C:\WINDOWS\system32\DRIVERS\Lbd.sys
2010/09/15 10:15:59.0265 LBeepKE (e254e5b2c5227ddbb47d045940a0a559) C:\WINDOWS\system32\Drivers\LBeepKE.sys
2010/09/15 10:15:59.0296 LHidFilt (7f9c7b28cf1c859e1c42619eea946dc8) C:\WINDOWS\system32\DRIVERS\LHidFilt.Sys
2010/09/15 10:15:59.0328 LMouFilt (ab33792a87285344f43b5ce23421bab0) C:\WINDOWS\system32\DRIVERS\LMouFilt.Sys
2010/09/15 10:15:59.0406 mfeavfk (bafdd5e28baea99d7f4772af2f5ec7ee) C:\WINDOWS\system32\drivers\mfeavfk.sys
2010/09/15 10:15:59.0437 mfebopk (1d003e3056a43d881597d6763e83b943) C:\WINDOWS\system32\drivers\mfebopk.sys
2010/09/15 10:15:59.0468 mfehidk (3f138a1c8a0659f329f242d1e389b2cf) C:\WINDOWS\system32\drivers\mfehidk.sys
2010/09/15 10:15:59.0500 mferkdk (41fe2f288e05a6c8ab85dd56770ffbad) C:\WINDOWS\system32\drivers\mferkdk.sys
2010/09/15 10:15:59.0515 mfesmfk (096b52ea918aa909ba5903d79e129005) C:\WINDOWS\system32\drivers\mfesmfk.sys
2010/09/15 10:15:59.0546 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2010/09/15 10:15:59.0578 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2010/09/15 10:15:59.0593 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2010/09/15 10:15:59.0625 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2010/09/15 10:15:59.0671 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2010/09/15 10:15:59.0703 MPFP (bc2a92cff784555ed622f861cb34f2e6) C:\WINDOWS\system32\Drivers\Mpfp.sys
2010/09/15 10:15:59.0734 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2010/09/15 10:15:59.0781 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2010/09/15 10:15:59.0828 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2010/09/15 10:15:59.0859 MSI_DVD_010507 (09a00b8c911d32a0cfeb747be9ce5dab) C:\PROGRA~1\MSI\MSIWDev\DVDSYS32_100507.sys
2010/09/15 10:15:59.0890 MSI_MSIBIOS_010507 (3846c05a66a3f5cd1d33e1a323c1762c) C:\PROGRA~1\MSI\MSIWDev\msibios32_100507.sys
2010/09/15 10:15:59.0906 MSI_VGASYS_010507 (8d603678c3961bed302163964ad6a38e) C:\PROGRA~1\MSI\MSIWDev\VGASYS32_100507.sys
2010/09/15 10:15:59.0921 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2010/09/15 10:15:59.0937 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2010/09/15 10:15:59.0968 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2010/09/15 10:15:59.0984 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2010/09/15 10:16:00.0000 MTsensor (d48659bb24c48345d926ecb45c1ebdf5) C:\WINDOWS\system32\DRIVERS\ASACPI.sys
2010/09/15 10:16:00.0015 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2010/09/15 10:16:00.0062 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2010/09/15 10:16:00.0078 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2010/09/15 10:16:00.0093 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2010/09/15 10:16:00.0109 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2010/09/15 10:16:00.0125 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
2010/09/15 10:16:00.0140 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2010/09/15 10:16:00.0156 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2010/09/15 10:16:00.0187 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2010/09/15 10:16:00.0203 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2010/09/15 10:16:00.0234 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2010/09/15 10:16:00.0437 nv (ed9816dbaf6689542ea7d022631906a1) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
2010/09/15 10:16:00.0609 NVENETFD (45ba510db13a0496db1cd16826519e03) C:\WINDOWS\system32\DRIVERS\NVENETFD.sys
2010/09/15 10:16:00.0640 nvnetbus (57cbdb934fb1afb7e03b413d151a6152) C:\WINDOWS\system32\DRIVERS\nvnetbus.sys
2010/09/15 10:16:00.0671 nvsmu (03dbb885deae94f06c06ec06acdb8b47) C:\WINDOWS\system32\DRIVERS\nvsmu.sys
2010/09/15 10:16:00.0718 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2010/09/15 10:16:00.0734 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2010/09/15 10:16:00.0781 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
2010/09/15 10:16:00.0796 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2010/09/15 10:16:00.0828 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2010/09/15 10:16:00.0859 pavboot (3adb8bd6154a3ef87496e8fce9c22493) C:\WINDOWS\system32\drivers\pavboot.sys
2010/09/15 10:16:00.0875 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2010/09/15 10:16:00.0921 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2010/09/15 10:16:00.0937 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2010/09/15 10:16:01.0062 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2010/09/15 10:16:01.0078 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
2010/09/15 10:16:01.0109 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2010/09/15 10:16:01.0125 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2010/09/15 10:16:01.0203 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2010/09/15 10:16:01.0218 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2010/09/15 10:16:01.0250 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2010/09/15 10:16:01.0265 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2010/09/15 10:16:01.0281 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2010/09/15 10:16:01.0296 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2010/09/15 10:16:01.0343 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2010/09/15 10:16:01.0375 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2010/09/15 10:16:01.0406 rtl8139 (d507c1400284176573224903819ffda3) C:\WINDOWS\system32\DRIVERS\RTL8139.SYS
2010/09/15 10:16:01.0437 RTLE8023xp (25be98c05808c57e4d8d26477dc12d39) C:\WINDOWS\system32\DRIVERS\Rtenicxp.sys
2010/09/15 10:16:01.0468 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2010/09/15 10:16:01.0484 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2010/09/15 10:16:01.0515 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2010/09/15 10:16:01.0531 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2010/09/15 10:16:01.0593 snapman (b6aa9bbff890ffea333ffe81d0b888ff) C:\WINDOWS\system32\DRIVERS\snapman.sys
2010/09/15 10:16:01.0625 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2010/09/15 10:16:01.0656 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2010/09/15 10:16:01.0687 Srv (da852e3e0bf1cea75d756f9866241e57) C:\WINDOWS\system32\DRIVERS\srv.sys
2010/09/15 10:16:01.0734 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2010/09/15 10:16:01.0750 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2010/09/15 10:16:01.0812 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2010/09/15 10:16:01.0859 Tcpip (aa552e57e88ceb3f64e21e7fc1304a0c) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2010/09/15 10:16:01.0859 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\tcpip.sys. Real md5: aa552e57e88ceb3f64e21e7fc1304a0c, Fake md5: 9aefa14bd6b182d61e3119fa5f436d3d
2010/09/15 10:16:01.0859 Tcpip - detected Rootkit.Win32.TDSS.tdl3 (0)
2010/09/15 10:16:01.0890 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2010/09/15 10:16:01.0906 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2010/09/15 10:16:01.0921 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2010/09/15 10:16:01.0937 tifsfilter (b84b82c0cbeb1b0d7eb7a946bade5830) C:\WINDOWS\system32\DRIVERS\tifsfilt.sys
2010/09/15 10:16:01.0968 timounter (74711884439bdf9ccf446c79cb05fac0) C:\WINDOWS\system32\DRIVERS\timntr.sys
2010/09/15 10:16:02.0015 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2010/09/15 10:16:02.0046 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2010/09/15 10:16:02.0093 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2010/09/15 10:16:02.0109 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2010/09/15 10:16:02.0125 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2010/09/15 10:16:02.0140 usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys
2010/09/15 10:16:02.0171 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2010/09/15 10:16:02.0187 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2010/09/15 10:16:02.0234 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2010/09/15 10:16:02.0265 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2010/09/15 10:16:02.0281 wanatw (0a716c08cb13c3a8f4f51e882dbf7416) C:\WINDOWS\system32\DRIVERS\wanatw4.sys
2010/09/15 10:16:02.0312 Wdf01000 (fd47474bd21794508af449d9d91af6e6) C:\WINDOWS\system32\DRIVERS\Wdf01000.sys
2010/09/15 10:16:02.0343 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2010/09/15 10:16:02.0421 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2010/09/15 10:16:02.0437 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2010/09/15 10:16:02.0500 ================================================================================
2010/09/15 10:16:02.0500 Scan finished
2010/09/15 10:16:02.0500 ================================================================================
2010/09/15 10:16:02.0515 Detected object count: 1
2010/09/15 10:16:09.0265 Tcpip (aa552e57e88ceb3f64e21e7fc1304a0c) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2010/09/15 10:16:09.0265 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\tcpip.sys. Real md5: aa552e57e88ceb3f64e21e7fc1304a0c, Fake md5: 9aefa14bd6b182d61e3119fa5f436d3d
2010/09/15 10:16:09.0984 Backup copy found, using it..
2010/09/15 10:16:10.0000 C:\WINDOWS\system32\DRIVERS\tcpip.sys - will be cured after reboot
2010/09/15 10:16:10.0000 Rootkit.Win32.TDSS.tdl3(Tcpip) - User select action: Cure
2010/09/15 10:17:24.0890 Deinitialize success

#15
heir
    Trusted Helper

  • Malware Removal
  • 5,427 posts
Please run Kombfiks.exe and post the content of C:\ComboFix.txt