TechSpot

Aggressive, unremovable rootkit infection

Solved
By videoart
Dec 17, 2011
  1. Hi,

    My laptop (running Windows XP Professional Version Service Pack 2) is experiencing a heavy, relentless viral infection, although the effects so far are limited to website redirects, opening of additional windows (both in Firefox and my user profile folder at startup), and net speeds roughly 1/3 of what's possible. Additionally, I am being blocked from installing programs such as Spybot and AVG, and from updating virus definitions in several antivirus programs...

    Posting in multiple parts due to length

    Malwarebytes log:

    Database version: 8388

    Windows 5.1.2600 Service Pack 2
    Internet Explorer 6.0.2900.2180

    12/17/2011 5:22:23 PM
    mbam-log-2011-12-17 (17-22-23).txt

    Scan type: Full scan (C:\|D:\|E:\|)
    Objects scanned: 263567
    Time elapsed: 35 minute(s), 4 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 1
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 1

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer (PUM.Bad.Proxy) -> Value: ProxyServer -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    c:\WINDOWS\assembly\GAC_MSIL\Desktop.ini (Rootkit.0Access) -> Delete on reboot.

    GMER log:

    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit scan 2011-12-17 16:46:46
    Windows 5.1.2600 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 ST9120821AS rev.7.24
    Running: q90eu4v7.exe; Driver: C:\DOCUME~1\CHRISW~1\LOCALS~1\Temp\pgliipoc.sys


    ---- Kernel code sections - GMER 1.0.15 ----

    ? kvgxbx.sys The system cannot find the file specified. !
    PAGE fltMgr.sys!FltQueryInformationFile + 3E F740694C 31 Bytes [04, 08, 8B, 46, 08, 8A, 40, ...]
    PAGE fltMgr.sys!FltQueryInformationFile + 5E F740696C 14 Bytes [15, 30, C0, 3F, F7, 8B, 45, ...] {ADC EAX, 0xf73fc030; MOV EAX, [EBP-0x14]; MOV [EBX+0x14], EDI; MOV [EAX+0x54], EDI}
    PAGE fltMgr.sys!FltQueryEaFile + 1 F740697B 2 Bytes [45, F0]
    PAGE fltMgr.sys!FltQueryEaFile + 4 F740697E 16 Bytes [40, 40, 81, 60, 2C, FF, BF, ...]
    PAGE fltMgr.sys!FltQueryEaFile + 15 F740698F 30 Bytes [FF, EB, 0A, 57, 8D, 45, E8, ...]
    PAGE fltMgr.sys!FltQueryEaFile + 35 F74069AF 105 Bytes [0C, 89, 43, 0C, 8B, 46, 10, ...]
    PAGE fltMgr.sys!FltSetEaFile + 1D F7406A51 21 Bytes [FF, 55, 8B, EC, 83, EC, 58, ...]
    PAGE fltMgr.sys!FltSetEaFile + 33 F7406A67 148 Bytes JMP F7406BB3 fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    PAGE fltMgr.sys!FltQuerySecurityObject + 7 F7406AFD 1 Byte [08]
    PAGE fltMgr.sys!FltQuerySecurityObject + 7 F7406AFD 39 Bytes [08, 50, 57, FF, 77, 1C, C7, ...]
    PAGE fltMgr.sys!FltQuerySecurityObject + 2F F7406B25 27 Bytes [83, 78, 14, 0B, 75, 19, 38, ...]
    PAGE fltMgr.sys!FltQuerySecurityObject + 4B F7406B41 9 Bytes [C0, EB, 6D, 53, 8D, 45, F8, ...]
    PAGE fltMgr.sys!FltQuerySecurityObject + 56 F7406B4C 11 Bytes [3F, F7, 53, FF, 30, FF, 75, ...] {AAS ; NOT DWORD [EBX-0x1]; XOR BH, BH; JNZ 0x4; PUSH DWORD [EBP+0x8]}
    PAGE ...
    PAGE fltMgr.sys!FltSetSecurityObject + 1E F7406B84 22 Bytes CALL F7405D71 fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    PAGE fltMgr.sys!FltSetSecurityObject + 36 F7406B9C 13 Bytes [18, 8B, 45, 18, 8B, 4D, 08, ...]
    PAGE fltMgr.sys!FltSetSecurityObject + 44 F7406BAA 23 Bytes CALL F7405D70 fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    PAGE fltMgr.sys!FltFlushBuffers + A F7406BC2 16 Bytes [55, 8B, EC, 51, 51, 53, 8D, ...]
    PAGE fltMgr.sys!FltFlushBuffers + 1B F7406BD3 46 Bytes [08, 89, 5D, F8, 89, 5D, FC, ...]
    PAGE fltMgr.sys!FltFlushBuffers + 4A F7406C02 4 Bytes [10, 8B, 46, 08]
    PAGE fltMgr.sys!FltFlushBuffers + 4F F7406C07 5 Bytes [58, 18, 8B, 46, 08]
    PAGE fltMgr.sys!FltFlushBuffers + 55 F7406C0D 108 Bytes [58, 1C, 8B, 56, 08, 8B, 45, ...]
    PAGE ...
    PAGE fltMgr.sys!FltDeviceIoControlFile + C F7406FD0 15 Bytes [5E, 8B, C3, 5B, 5D, C2, 04, ...]
    PAGE fltMgr.sys!FltDeviceIoControlFile + 1C F7406FE0 61 Bytes [55, 8B, EC, 8B, 4D, 08, 33, ...]
    PAGE fltMgr.sys!FltReissueSynchronousIo + 2A F740701E 19 Bytes [4F, 74, 6E, 4F, 74, 24, 4F, ...] {DEC EDI; JZ 0x71; DEC EDI; JZ 0x2a; DEC EDI; JZ 0x1d; DEC EDI; JNZ 0x13f; PUSH DWORD [EBP+0x8]}
    PAGE fltMgr.sys!FltReissueSynchronousIo + 3E F7407032 92 Bytes JMP F7407159 fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    PAGE fltMgr.sys!FltReissueSynchronousIo + 9B F740708F 3 Bytes [83, F9, 0C] {CMP ECX, 0xc}
    PAGE fltMgr.sys!FltReissueSynchronousIo + 9F F7407093 47 Bytes [04, 16, 0F, 82, BD, 00, 00, ...]
    PAGE fltMgr.sys!FltReissueSynchronousIo + CF F74070C3 52 Bytes [0F, B7, 58, 06, 03, D3, 3B, ...]
    PAGE ...
    PAGE fltMgr.sys!FltSetInformationFile + 70 F7407396 14 Bytes [00, 83, 4D, FC, FF, E8, 22, ...]
    PAGE fltMgr.sys!FltSetInformationFile + B4 F74073DA 10 Bytes [FF, D0, 83, 27, 00, 80, BD, ...]
    PAGE fltMgr.sys!FltSetInformationFile + BF F74073E5 121 Bytes [00, 74, 12, 8D, 8B, 44, 01, ...]
    PAGE fltMgr.sys!FltSetInformationFile + 139 F740745F 10 Bytes [15, AC, BD, 3F, F7, 8D, 46, ...] {ADC EAX, 0xf73fbdac; LEA EAX, [ESI+0x20]; PUSH 0x1}
    PAGE fltMgr.sys!FltSetInformationFile + 144 F740746A 32 Bytes [FF, 15, A8, BD, 3F, F7, 8D, ...]
    PAGE ...
    PAGE fltMgr.sys!FltLoadFilter + 15 F7407949 239 Bytes [8D, 4A, FE, 83, E1, FD, 8B, ...]
    PAGE fltMgr.sys!FltLoadFilter + 105 F7407A39 14 Bytes [89, 45, E0, 3B, C3, 7D, 08, ...]
    PAGE fltMgr.sys!FltLoadFilter + 114 F7407A48 40 Bytes [8B, 45, DC, 83, C0, 18, 33, ...]
    PAGE fltMgr.sys!FltLoadFilter + 13D F7407A71 173 Bytes [00, 00, 89, 5D, 84, C7, 45, ...]
    PAGE fltMgr.sys!FltLoadFilter + 1EB F7407B1F 35 Bytes [68, FF, FF, FF, 7F, 33, F6, ...]
    PAGE ...
    PAGE fltMgr.sys!FltUnloadFilter + 4 F7407C78 9 Bytes [45, DC, FF, 70, 0C, E8, 10, ...]
    PAGE fltMgr.sys!FltUnloadFilter + E F7407C82 5 Bytes [33, DB, 83, 4D, FC]
    PAGE fltMgr.sys!FltUnloadFilter + 14 F7407C88 42 Bytes CALL F7407C9A fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    PAGE fltMgr.sys!FltUnloadFilter + 42 F7407CB6 1 Byte [40]
    PAGE fltMgr.sys!FltUnloadFilter + 46 F7407CBA 66 Bytes [EB, 1A, 8B, 45, DC, 3B, C3, ...]
    PAGE fltMgr.sys!FltCreateCommunicationPort + B F7407CFD 112 Bytes [00, FF, 15, 90, BD, 3F, F7, ...]
    PAGE fltMgr.sys!FltCreateCommunicationPort + 7C F7407D6E 94 Bytes [08, 89, 0F, 89, 79, 04, 83, ...]
    PAGE fltMgr.sys!FltCreateCommunicationPort + DB F7407DCD 53 Bytes [0B, 00, 74, 0A, 8D, 43, 18, ...]
    PAGE fltMgr.sys!FltClose + 21 F7407E03 12 Bytes [15, 94, BD, 3F, F7, FF, 73, ...]
    PAGE fltMgr.sys!FltClose + 2E F7407E10 13 Bytes [5F, 5E, 5B, 5D, C2, 04, 00, ...]
    PAGE fltMgr.sys!FltClose + 3C F7407E1E 43 Bytes [55, 8B, EC, 83, 7D, 18, 01, ...]
    PAGE fltMgr.sys!FltClose + 6A F7407E4C 5 Bytes [8B, FF, 55, 8B, EC] {MOV EDI, EDI; PUSH EBP; MOV EBP, ESP}
    F73FADE3 72 Bytes [32, C0, EB, 07, 50, FF, 15, ...]
    .text fltMgr.sys!FltIsIoCanceled + 12 F73FAE2C 59 Bytes [EC, 8B, 45, 08, F6, 00, 01, ...]
    .text fltMgr.sys!FltCbdqDisable + 2 F73FAE68 37 Bytes [D7, 5F, 5E, 5D, C2, 08, 00, ...]
    .text fltMgr.sys!FltCbdqEnable + 2 F73FAE8E 37 Bytes [56, 38, 5E, 5D, C2, 04, 00, ...]
    .text fltMgr.sys!FltCbdqEnable + 28 F73FAEB4 71 Bytes [56, 38, 5E, 5D, C2, 04, 00, ...]
    .text fltMgr.sys!FltCbdqEnable + 70 F73FAEFC 13 Bytes [55, 8B, EC, 8B, 45, 0C, FF, ...] {PUSH EBP; MOV EBP, ESP; MOV EAX, [EBP+0xc]; PUSH DWORD [EAX+0x44]; MOV EAX, [EBP+0x8]; PUSH EAX}
    .text fltMgr.sys!FltCbdqEnable + 7E F73FAF0A 55 Bytes [50, 2C, 5D, C2, 08, 00, CC, ...]
    .text fltMgr.sys!FltCbdqEnable + B6 F73FAF42 63 Bytes [00, CC, CC, CC, CC, CC, 8B, ...]
    .text ...
    .text fltMgr.sys!FltCbdqInsertIo + 3B F73FAFCB 13 Bytes [F8, 85, FF, 7D, 08, FF, 76, ...] {CLC ; TEST EDI, EDI; JGE 0xd; PUSH DWORD [ESI+0x24]; CALL 0x2c7}
    .text fltMgr.sys!FltCbdqRemoveIo + 1 F73FAFD9 31 Bytes [C7, 5F, 5E, 5D, C2, 10, 00, ...]
    .text fltMgr.sys!FltCbdqRemoveIo + 21 F73FAFF9 51 Bytes [85, C0, 74, 0D, FF, 77, 24, ...]
    .text fltMgr.sys!FltCbdqRemoveNextIo + 21 F73FB02D 47 Bytes [85, C0, 74, 0D, FF, 77, 24, ...]
    .text fltMgr.sys!FltSetCancelCompletion + 1D F73FB05D 61 Bytes [C1, A4, 89, 48, 44, 89, 50, ...]
    .text fltMgr.sys!FltDoCompletionProcessingWhenSafe + 30 F73FB09C 101 Bytes [08, 02, 75, 3C, 38, 48, 21, ...]
    .text fltMgr.sys!FltAllocateDeferredIoWorkItem + E F73FB104 475 Bytes [68, 00, ED, 3F, F7, E8, 52, ...]
    .text fltMgr.sys!FltObjectDereference + 5C F73FB2E0 33 Bytes [76, 14, 56, FF, 15, E0, BF, ...]
    .text fltMgr.sys!FltObjectDereference + 7E F73FB302 34 Bytes [EC, 8B, 45, 08, 8B, 00, 56, ...]
    .text fltMgr.sys!FltObjectDereference + A1 F73FB325 2 Bytes [FF, 55]
    .text fltMgr.sys!FltObjectDereference + A4 F73FB328 87 Bytes [EC, 8B, 45, 08, 8B, 08, 85, ...]
    .text fltMgr.sys!FltObjectDereference + FC F73FB380 7 Bytes [00, CC, CC, CC, CC, CC, 8B]
    .text ...
    .text fltMgr.sys!FltIs32bitProcess + 8 F73FB68C 47 Bytes [8B, 11, F6, C2, 01, 56, 75, ...]
    .text fltMgr.sys!FltGetRequestorProcessId + 6 F73FB6BC 43 Bytes [15, F4, BD, 3F, F7, 5E, C3, ...]
    .text fltMgr.sys!FltGetRequestorProcessId + 32 F73FB6E8 45 Bytes [D8, 74, EC, 8B, C2, 83, E3, ...]
    .text fltMgr.sys!FltGetRequestorProcessId + 60 F73FB716 2 Bytes [F2, 64]
    .text fltMgr.sys!FltGetRequestorProcessId + 63 F73FB719 102 Bytes [B6, 05, 51, 00, 00, 00, 33, ...]
    .text fltMgr.sys!FltGetRequestorProcessId + CA F73FB780 17 Bytes [7B, 4C, 8B, 07, 83, F8, 01, ...] {JNP 0x4e; MOV EAX, [EDI]; CMP EAX, 0x1; JNZ 0xe; MOV ESI, [EDI+0x8]; JMP 0x1a; CMP EAX, 0x2}
    .text ...
    PAGE fltMgr.sys!FltAttachVolume + 7 F73FF0F3 4 Bytes [00, 00, 00, 00] {ADD [EAX], AL; ADD [EAX], AL}
    PAGE fltMgr.sys!FltAttachVolume + C F73FF0F8 19 Bytes [00, 00, 00, 00, 00, 00, 00, ...]
    PAGE fltMgr.sys!FltAttachVolume + 20 F73FF10C 12 Bytes [00, 00, 00, 00, 00, 00, 00, ...] {ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL}
    PAGE fltMgr.sys!FltAttachVolumeAtAltitude + 7 F73FF119 10 Bytes [00, 00, 00, 00, 00, 00, 00, ...] {ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL}
    PAGE fltMgr.sys!FltAttachVolumeAtAltitude + 12 F73FF124 14 Bytes [00, 00, 00, 00, 00, 00, 00, ...] {ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL}
    PAGE fltMgr.sys!FltAttachVolumeAtAltitude + 21 F73FF133 20 Bytes [00, 00, 00, 00, 00, 00, 00, ...]
    PAGE fltMgr.sys!FltAttachVolumeAtAltitude + 36 F73FF148 62 Bytes [00, 00, 00, 00, 00, 00, 00, ...]
    PAGE fltMgr.sys!FltAttachVolumeAtAltitude + 75 F73FF187 16 Bytes [FF, 55, 8B, EC, 53, 56, 57, ...] {CALL [EBP-0x75]; IN AL, DX ; PUSH EBX; PUSH ESI; PUSH EDI; PUSH DWORD [EBP+0xc]; CALL [0xf73fc034]}
    PAGE ...
    PAGE fltMgr.sys!FltDetachVolume + 63 F73FF705 53 Bytes [39, 7D, E0, 7C, 09, 8B, 45, ...]
    PAGE fltMgr.sys!FltDetachVolume + 9A F73FF73C 40 Bytes [E0, 8B, 75, 0C, 8B, 7E, 28, ...]
    PAGE fltMgr.sys!FltDetachVolume + C7 F73FF769 121 Bytes [89, 45, E0, 3B, C3, 0F, 8C, ...]
    PAGE fltMgr.sys!FltDetachVolume + 141 F73FF7E3 22 Bytes [74, 0A, 8B, CE, FF, 15, 94, ...]
    PAGE fltMgr.sys!FltDetachVolume + 158 F73FF7FA 18 Bytes [48, 04, 89, 4D, C0, 89, 03, ...]
    PAGE ...
    PAGE fltMgr.sys!FltGetVolumeFromInstance + 1E F7400CB8 43 Bytes [8D, 46, 0C, 89, 40, 04, 89, ...]
    PAGE fltMgr.sys!FltGetFilterFromInstance + 22 F7400CE4 65 Bytes [89, 18, 33, C0, 5F, 5E, 5B, ...]
    PAGE fltMgr.sys!FltGetInstanceInformation + 3D F7400D27 110 Bytes [00, 89, 75, E0, C7, 45, E8, ...]
    PAGE fltMgr.sys!FltGetInstanceInformation + AC F7400D96 275 Bytes [00, 00, CC, CC, CC, CC, CC, ...]
    PAGE fltMgr.sys!FltGetInstanceInformation + 1C0 F7400EAA 50 Bytes [45, 08, 8B, 40, 18, 56, 8B, ...]
    PAGE fltMgr.sys!FltGetInstanceInformation + 225 F7400F0F 11 Bytes [74, 56, 48, 74, 3F, 48, 74, ...]
    PAGE fltMgr.sys!FltGetInstanceInformation + 231 F7400F1B 19 Bytes JMP F740111C fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    PAGE fltMgr.sys!FltEnumerateVolumes + F F7400F2F 143 Bytes [00, 00, 3B, C6, 0F, 85, E4, ...]
    PAGE fltMgr.sys!FltEnumerateVolumes + 9F F7400FBF 34 Bytes [03, 8B, 4D, 08, 66, 89, 46, ...]
    PAGE fltMgr.sys!FltEnumerateInstances + 16 F7400FE2 38 Bytes [45, 10, 0F, B7, C3, 03, C6, ...]
    PAGE fltMgr.sys!FltEnumerateInstances + 3D F7401009 47 Bytes [46, 08, 66, 89, 5E, 0A, 66, ...]
    PAGE fltMgr.sys!FltEnumerateInstances + 6D F7401039 93 Bytes [F8, 8B, 4D, 08, 66, 89, 46, ...]
    PAGE fltMgr.sys!FltEnumerateInstances + CB F7401097 62 Bytes [45, F8, 50, FF, 15, 24, C0, ...]
    PAGE fltMgr.sys!FltEnumerateInstances + 10A F74010D6 12 Bytes [50, 66, 89, 4D, FA, FF, 15, ...]
    PAGE ...
    PAGE fltMgr.sys!FltEnumerateInstanceInformationByFilter + 2 F74011D2 39 Bytes [15, AC, BD, 3F, F7, 6A, 01, ...]
    PAGE fltMgr.sys!FltEnumerateInstanceInformationByFilter + 2C F74011FC 14 Bytes [FF, 45, FC, 83, 45, 0C, 04, ...]
    PAGE fltMgr.sys!FltEnumerateInstanceInformationByFilter + 3B F740120B 25 Bytes [14, 77, 1D, FF, 75, 08, E8, ...]
    PAGE fltMgr.sys!FltEnumerateInstanceInformationByFilter + 55 F7401225 38 Bytes [4D, FC, 83, 6D, 0C, 04, 8B, ...]
    PAGE fltMgr.sys!FltEnumerateInstanceInformationByFilter + 7C F740124C 72 Bytes [14, 76, 16, 8B, 45, 10, 8D, ...]
    PAGE fltMgr.sys!FltEnumerateInstanceInformationByVolume + 23 F7401295 52 Bytes [5E, 30, 53, FF, 15, A8, BD, ...]
    PAGE fltMgr.sys!FltEnumerateInstanceInformationByVolume + 58 F74012CA 57 Bytes [45, 08, 8B, 36, 3B, F7, 75, ...]
    PAGE fltMgr.sys!FltEnumerateInstanceInformationByVolume + 93 F7401305 7 Bytes [10, FF, 75, FC, E8, E6, FB]
    PAGE fltMgr.sys!FltEnumerateInstanceInformationByVolume + 9B F740130D 45 Bytes [FF, FF, 75, FC, 8B, F0, E8, ...]
    PAGE fltMgr.sys!FltEnumerateInstanceInformationByVolume + CA F740133C 2 Bytes [A8, BD] {TEST AL, 0xbd}
    PAGE ...
    PAGE fltMgr.sys!FltGetFilterFromName + 5F F74015F9 49 Bytes [15, B0, BD, 3F, F7, 0F, B7, ...]
    PAGE fltMgr.sys!FltGetFilterFromName + 91 F740162B 100 Bytes JMP 82E60932
    PAGE fltMgr.sys!FltGetVolumeInstanceFromName + 12 F7401690 120 Bytes [47, F4, 89, 45, FC, 6A, 01, ...]
    PAGE fltMgr.sys!FltGetVolumeFromDeviceObject + 5 F7401713 6 Bytes [FF, 75, 10, 8B, 45, 08] {PUSH DWORD [EBP+0x10]; MOV EAX, [EBP+0x8]}
    PAGE fltMgr.sys!FltGetVolumeFromDeviceObject + C F740171A 34 Bytes [75, 0C, FF, 70, 14, E8, 7A, ...]
    PAGE fltMgr.sys!FltGetVolumeFromDeviceObject + 2F F740173D 11 Bytes [75, 0C, 8D, 46, 4C, 6A, 01, ...] {JNZ 0xe; LEA EAX, [ESI+0x4c]; PUSH 0x1; PUSH EAX; MOV [EBP+0xc], EAX}
    PAGE fltMgr.sys!FltGetVolumeFromDeviceObject + 3B F7401749 40 Bytes [15, A8, BD, 3F, F7, 8D, 9E, ...]
    PAGE fltMgr.sys!FltGetVolumeFromDeviceObject + 64 F7401772 83 Bytes [8D, 46, 2C, 50, FF, 15, E0, ...]
    PAGE fltMgr.sys!FltGetLowerInstance + 34 F74017C6 3 Bytes [FF, 75, 0C] {PUSH DWORD [EBP+0xc]}
    PAGE fltMgr.sys!FltGetLowerInstance + 38 F74017CA 2 Bytes [15, 34]
    PAGE fltMgr.sys!FltGetLowerInstance + 3B F74017CD 52 Bytes [3F, F7, 8B, 1D, 38, C0, 3F, ...]
    PAGE fltMgr.sys!FltGetUpperInstance + 2 F7401802 7 Bytes [8B, F7, 75, D1, B8, 0D, 00]
    PAGE fltMgr.sys!FltGetUpperInstance + A F740180A 57 Bytes [C0, 5F, 5E, 5B, 5D, C2, 0C, ...]
    PAGE fltMgr.sys!FltGetUpperInstance + 44 F7401844 62 Bytes [55, 8B, EC, 51, 83, 65, FC, ...]
    PAGE fltMgr.sys!FltGetTopInstance + 15 F7401883 109 Bytes [EB, 33, FF, C7, 45, FC, 1A, ...]
    PAGE fltMgr.sys!FltGetBottomInstance + 15 F74018F1 53 Bytes [EB, 33, FF, C7, 45, FC, 1A, ...]
    PAGE fltMgr.sys!FltGetBottomInstance + 4B F7401927 20 Bytes [00, 53, 56, 57, FF, 15, AC, ...]
    PAGE fltMgr.sys!FltGetBottomInstance + 60 F740193C 12 Bytes [08, FF, 15, A8, BD, 3F, F7, ...]
    PAGE fltMgr.sys!FltGetBottomInstance + 6D F7401949 20 Bytes [8B, 37, EB, 0F, 8D, 5E, F4, ...]
    PAGE fltMgr.sys!FltGetBottomInstance + 82 F740195E 49 Bytes [75, ED, 33, DB, C7, 45, FC, ...]
    PAGE ...
    PAGE fltMgr.sys!FltGetFilterInformation + 4B F74019ED 11 Bytes [5F, 89, 18, 8B, 45, FC, 5E, ...]
    PAGE fltMgr.sys!FltGetFilterInformation + 57 F74019F9 58 Bytes [CC, CC, CC, CC, CC, 8B, FF, ...]
    PAGE fltMgr.sys!FltGetFilterInformation + 92 F7401A34 31 Bytes [15, B4, BD, 3F, F7, FF, 15, ...]
    PAGE fltMgr.sys!FltGetFilterInformation + B2 F7401A54 9 Bytes [55, 8B, EC, 8B, 45, 18, 83, ...] {PUSH EBP; MOV EBP, ESP; MOV EAX, [EBP+0x18]; AND DWORD [EAX], 0x0}
    PAGE fltMgr.sys!FltGetFilterInformation + BC F7401A5E 2 Bytes [7D, 0C] {JGE 0xe}
    PAGE ...
    PAGE fltMgr.sys!FltEnumerateFilters + 63 F7401B53 102 Bytes [75, C7, 8D, 4E, 20, FF, 15, ...]
    PAGE fltMgr.sys!FltEnumerateFilters + CA F7401BBA 13 Bytes [CC, CC, CC, CC, CC, CC, 8B, ...] {INT 3 ; INT 3 ; INT 3 ; INT 3 ; INT 3 ; INT 3 ; MOV EDI, EDI; PUSH EBP; MOV EBP, ESP; PUSH ECX; PUSH ECX}
    PAGE fltMgr.sys!FltEnumerateFilters + D9 F7401BC9 143 Bytes [08, 83, 65, F8, 00, 83, 65, ...]
    PAGE fltMgr.sys!FltEnumerateFilters + 16A F7401C5A 117 Bytes [14, 5F, 89, 18, 8B, 45, F8, ...]
    PAGE fltMgr.sys!FltEnumerateFilters + 1E0 F7401CD0 141 Bytes [FF, 85, C0, 7C, 13, 8B, 45, ...]
    PAGE ...
    PAGE fltMgr.sys!FltEnumerateVolumeInformation + 2 F7401F9C 95 Bytes [15, 6C, BE, 3F, F7, 5F, 5E, ...]
    PAGE fltMgr.sys!FltEnumerateFilterInformation + 16 F7401FFC 1 Byte [D8]
    PAGE fltMgr.sys!FltEnumerateFilterInformation + 19 F7401FFF 1 Byte [10]
    PAGE fltMgr.sys!FltEnumerateFilterInformation + 19 F7401FFF 4 Bytes [10, FF, 70, 20] {ADC BH, BH; JO 0x24}
    PAGE fltMgr.sys!FltEnumerateFilterInformation + 1E F7402004 31 Bytes [70, 08, FF, 75, 08, FF, 15, ...]
    PAGE fltMgr.sys!FltEnumerateFilterInformation + 3E F7402024 51 Bytes [70, 08, FF, 75, 08, FF, 15, ...]
    PAGE fltMgr.sys!FltCheckLockForReadAccess + 5 F7402061 25 Bytes [56, 57, BE, E8, C7, 3F, F7, ...]
    PAGE fltMgr.sys!FltCheckLockForReadAccess + 1F F740207B 49 Bytes [C7, 08, 83, C6, 08, 83, FF, ...]
    PAGE fltMgr.sys!FltCheckLockForWriteAccess + 1 F74020AD 44 Bytes [F8, 8B, 46, 68, 85, C0, 7C, ...]
    PAGE fltMgr.sys!FltCheckLockForWriteAccess + 2E F74020DA 195 Bytes [5F, F6, 46, 05, 04, 74, 2B, ...]
    PAGE fltMgr.sys!FltFreeFileLock + 5A F740219E 158 Bytes [F0, F6, 41, 04, 04, 75, 0B, ...]
    PAGE fltMgr.sys!FltProcessFileLock + 1 F740223D 2 Bytes [5D, 0C]
    PAGE fltMgr.sys!FltProcessFileLock + 4 F7402240 35 Bytes [73, 60, 8D, 46, DC, 6A, 07, ...]
    PAGE fltMgr.sys!FltProcessFileLock + 28 F7402264 28 Bytes [48, 20, C6, 40, 03, E0, 83, ...]
    PAGE fltMgr.sys!FltProcessFileLock + 45 F7402281 38 Bytes [57, 57, 57, 57, 8D, 45, EC, ...]
    PAGE fltMgr.sys!FltProcessFileLock + 6C F74022A8 12 Bytes [EB, 0C, 6A, 08, FF, 75, 08, ...]
    PAGE ...
    PAGE fltMgr.sys!FltCurrentBatchOplock + 5 F7404561 122 Bytes [51, 53, 8B, 1D, 38, BE, 3F, ...]
    PAGE fltMgr.sys!FltOplockFsctrl + E F74045DC 10 Bytes [BF, A4, 01, 00, 00, 85, FF, ...]
    PAGE fltMgr.sys!FltOplockFsctrl + 19 F74045E7 53 Bytes [4D, 6C, 61, 57, FF, 15, 30, ...]
    PAGE fltMgr.sys!FltOplockFsctrl + 4F F740461D 5 Bytes [D7, 3B, C3, 74, 2A] {XLATB ; CMP EAX, EBX; JZ 0x2f}
    PAGE fltMgr.sys!FltOplockFsctrl + 55 F7404623 83 Bytes [0D, 10, E9, 3F, F7, 49, 85, ...]
    PAGE fltMgr.sys!FltOplockFsctrl + A9 F7404677 39 Bytes [00, 00, 56, 89, 86, A0, 01, ...]
    PAGE ...
    PAGE fltMgr.sys!FltCompareInstanceAltitudes + 1 F7405789 11 Bytes [45, EC, 56, 50, 6A, 01, 89, ...] {INC EBP; IN AL, DX ; PUSH ESI; PUSH EAX; PUSH 0x1; MOV [EBP-0xc], EAX; CALL EDI}
    PAGE fltMgr.sys!FltCompareInstanceAltitudes + D F7405795 9 Bytes [D8, 85, DB, 75, B6, E9, 59, ...]
    PAGE fltMgr.sys!FltCompareInstanceAltitudes + 17 F740579F 3 Bytes [66, 8B, 43]
    PAGE fltMgr.sys!FltCompareInstanceAltitudes + 1B F74057A3 90 Bytes [FF, 75, 1C, 66, 2D, 02, 00, ...]
    PAGE fltMgr.sys!FltCompareInstanceAltitudes + 76 F74057FE 201 Bytes [45, E4, 01, 00, 00, C0, 89, ...]
    PAGE ...
    PAGE fltMgr.sys!FltCreateFileEx + 11 F7406153 56 Bytes [80, 7D, 13, 00, 89, 33, 66, ...]
    PAGE fltMgr.sys!FltCreateFileEx + 4A F740618C 26 Bytes [FC, 8D, 46, 08, 8B, 08, C6, ...]
    PAGE fltMgr.sys!FltCreateFileEx + 65 F74061A7 96 Bytes [51, 14, 8B, 00, 83, 08, 01, ...]
    PAGE fltMgr.sys!FltCreateFileEx + C6 F7406208 54 Bytes [8D, 45, 08, 50, FF, 75, 0C, ...]
    PAGE fltMgr.sys!FltCreateFileEx + FD F740623F 9 Bytes [15, E4, BE, 3F, F7, 8B, D8, ...] {ADC EAX, 0xf73fbee4; MOV EBX, EAX; CMP EBX, EDI}
    PAGE ...
    PAGE fltMgr.sys!FltCreateFile + 15 F7406691 130 Bytes [15, 14, BF, 3F, F7, 84, C0, ...]
    PAGE fltMgr.sys!FltTagFile + 4 F7406714 71 Bytes JMP F74067B0 fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    PAGE fltMgr.sys!FltTagFile + 4C F740675C 1 Byte [E7]
    PAGE fltMgr.sys!FltTagFile + 4C F740675C 11 Bytes [E7, 00, 74, 5F, 81, 7D, E0, ...] {OUT 0x0, EAX; JZ 0x63; CMP DWORD [EBP-0x20], 0x80000016}
    PAGE fltMgr.sys!FltTagFile + 58 F7406768 57 Bytes [56, 8B, 4D, E0, B8, 00, 00, ...]
    PAGE fltMgr.sys!FltTagFile + 93 F74067A3 51 Bytes [EC, 8B, 00, 8B, 00, 89, 45, ...]
    PAGE ...
    PAGE fltMgr.sys!FltUntagFile + 1A F7406844 14 Bytes [CC, CC, 8B, FF, 55, 8B, EC, ...]
    PAGE fltMgr.sys!FltUntagFile + 29 F7406853 24 Bytes [1C, FF, 75, 18, FF, 75, 14, ...]
    PAGE fltMgr.sys!FltUntagFile + 42 F740686C 94 Bytes [5D, C2, 20, 00, CC, CC, CC, ...]
    PAGE fltMgr.sys!FltUntagFile + A1 F74068CB 5 Bytes [49, 08, 89, 48, 40]
    PAGE fltMgr.sys!FltUntagFile + A7 F74068D1 62 Bytes [45, F0, 83, 60, 04, FB, 53, ...]
    PAGE fltMgr.sys!FltQueryInformationFile + 2 F7406910 17 Bytes [00, 00, 0B, C8, 8D, 45, F4, ...] {ADD [EAX], AL; OR ECX, EAX; LEA EAX, [EBP-0xc]; PUSH EAX; XOR EDI, EDI; PUSH EDI; PUSH 0x1; PUSH 0x1; MOV [ESI], ECX}
    PAGE fltMgr.sys!FltQueryInformationFile + 37 F7406945 6 Bytes [00, 00, 8B, 45, F0, 83]
    PAGE fltMgr.sys!FltQueryInformationFile + 3E F740694C 31 Bytes [04, 08, 8B, 46, 08, 8A, 40, ...]
    PAGE fltMgr.sys!FltQueryInformationFile + 5E F740696C 14 Bytes [15, 30, C0, 3F, F7, 8B, 45, ...] {ADC EAX, 0xf73fc030; MOV EAX, [EBP-0x14]; MOV [EBX+0x14], EDI; MOV [EAX+0x54], EDI}
    PAGE fltMgr.sys!FltQueryEaFile + 1 F740697B 2 Bytes [45, F0]
    PAGE fltMgr.sys!FltQueryEaFile + 4 F740697E 16 Bytes [40, 40, 81, 60, 2C, FF, BF, ...]
    PAGE fltMgr.sys!FltQueryEaFile + 15 F740698F 30 Bytes [FF, EB, 0A, 57, 8D, 45, E8, ...]
    PAGE fltMgr.sys!FltQueryEaFile + 35 F74069AF 105 Bytes [0C, 89, 43, 0C, 8B, 46, 10, ...]
    PAGE fltMgr.sys!FltSetEaFile + 1D F7406A51 21 Bytes [FF, 55, 8B, EC, 83, EC, 58, ...]
    PAGE fltMgr.sys!FltSetEaFile + 33 F7406A67 148 Bytes JMP F7406BB3 fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    PAGE fltMgr.sys!FltQuerySecurityObject + 7 F7406AFD 1 Byte [08]
    PAGE fltMgr.sys!FltQuerySecurityObject + 7 F7406AFD 39 Bytes [08, 50, 57, FF, 77, 1C, C7, ...]
    PAGE fltMgr.sys!FltQuerySecurityObject + 2F F7406B25 27 Bytes [83, 78, 14, 0B, 75, 19, 38, ...]
    PAGE fltMgr.sys!FltQuerySecurityObject + 4B F7406B41 9 Bytes [C0, EB, 6D, 53, 8D, 45, F8, ...]
    PAGE fltMgr.sys!FltQuerySecurityObject + 56 F7406B4C 11 Bytes [3F, F7, 53, FF, 30, FF, 75, ...] {AAS ; NOT DWORD [EBX-0x1]; XOR BH, BH; JNZ 0x4; PUSH DWORD [EBP+0x8]}
    PAGE ...
    PAGE fltMgr.sys!FltSetSecurityObject + 1E F7406B84 22 Bytes CALL F7405D71 fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    PAGE fltMgr.sys!FltSetSecurityObject + 36 F7406B9C 13 Bytes [18, 8B, 45, 18, 8B, 4D, 08, ...]
    PAGE fltMgr.sys!FltSetSecurityObject + 44 F7406BAA 23 Bytes CALL F7405D70 fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    PAGE fltMgr.sys!FltFlushBuffers + A F7406BC2 16 Bytes [55, 8B, EC, 51, 51, 53, 8D, ...]
    PAGE fltMgr.sys!FltFlushBuffers + 1B F7406BD3 46 Bytes [08, 89, 5D, F8, 89, 5D, FC, ...]
    PAGE fltMgr.sys!FltFlushBuffers + 4A F7406C02 4 Bytes [10, 8B, 46, 08]
    PAGE fltMgr.sys!FltFlushBuffers + 4F F7406C07 5 Bytes [58, 18, 8B, 46, 08]
    PAGE fltMgr.sys!FltFlushBuffers + 55 F7406C0D 108 Bytes [58, 1C, 8B, 56, 08, 8B, 45, ...]
    PAGE ...
    PAGE fltMgr.sys!FltDeviceIoControlFile + C F7406FD0 15 Bytes [5E, 8B, C3, 5B, 5D, C2, 04, ...]
    PAGE fltMgr.sys!FltDeviceIoControlFile + 1C F7406FE0 61 Bytes [55, 8B, EC, 8B, 4D, 08, 33, ...]
    PAGE fltMgr.sys!FltReissueSynchronousIo + 2A F740701E 19 Bytes [4F, 74, 6E, 4F, 74, 24, 4F, ...] {DEC EDI; JZ 0x71; DEC EDI; JZ 0x2a; DEC EDI; JZ 0x1d; DEC EDI; JNZ 0x13f; PUSH DWORD [EBP+0x8]}
    PAGE fltMgr.sys!FltReissueSynchronousIo + 3E F7407032 92 Bytes JMP F7407159 fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    PAGE fltMgr.sys!FltReissueSynchronousIo + 9B F740708F 3 Bytes [83, F9, 0C] {CMP ECX, 0xc}
    PAGE fltMgr.sys!FltReissueSynchronousIo + 9F F7407093 47 Bytes [04, 16, 0F, 82, BD, 00, 00, ...]
    PAGE fltMgr.sys!FltReissueSynchronousIo + CF F74070C3 52 Bytes [0F, B7, 58, 06, 03, D3, 3B, ...]
    PAGE ...
    PAGE fltMgr.sys!FltSetInformationFile + 70 F7407396 14 Bytes [00, 83, 4D, FC, FF, E8, 22, ...]
    PAGE fltMgr.sys!FltSetInformationFile + B4 F74073DA 10 Bytes [FF, D0, 83, 27, 00, 80, BD, ...]
    PAGE fltMgr.sys!FltSetInformationFile + BF F74073E5 121 Bytes [00, 74, 12, 8D, 8B, 44, 01, ...]
    PAGE fltMgr.sys!FltSetInformationFile + 139 F740745F 10 Bytes [15, AC, BD, 3F, F7, 8D, 46, ...] {ADC EAX, 0xf73fbdac; LEA EAX, [ESI+0x20]; PUSH 0x1}
    PAGE fltMgr.sys!FltSetInformationFile + 144 F740746A 32 Bytes [FF, 15, A8, BD, 3F, F7, 8D, ...]
    PAGE ...
    PAGE fltMgr.sys!FltLoadFilter + 15 F7407949 239 Bytes [8D, 4A, FE, 83, E1, FD, 8B, ...]
    PAGE fltMgr.sys!FltLoadFilter + 105 F7407A39 14 Bytes [89, 45, E0, 3B, C3, 7D, 08, ...]
    PAGE fltMgr.sys!FltLoadFilter + 114 F7407A48 40 Bytes [8B, 45, DC, 83, C0, 18, 33, ...]
    PAGE fltMgr.sys!FltLoadFilter + 13D F7407A71 173 Bytes [00, 00, 89, 5D, 84, C7, 45, ...]
    PAGE fltMgr.sys!FltLoadFilter + 1EB F7407B1F 35 Bytes [68, FF, FF, FF, 7F, 33, F6, ...]
    PAGE ...
    PAGE fltMgr.sys!FltUnloadFilter + 4 F7407C78 9 Bytes [45, DC, FF, 70, 0C, E8, 10, ...]
    PAGE fltMgr.sys!FltUnloadFilter + E F7407C82 5 Bytes [33, DB, 83, 4D, FC]
    PAGE fltMgr.sys!FltUnloadFilter + 14 F7407C88 42 Bytes CALL F7407C9A fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    PAGE fltMgr.sys!FltUnloadFilter + 42 F7407CB6 1 Byte [40]
    PAGE fltMgr.sys!FltUnloadFilter + 46 F7407CBA 66 Bytes [EB, 1A, 8B, 45, DC, 3B, C3, ...]
    PAGE fltMgr.sys!FltCreateCommunicationPort + B F7407CFD 112 Bytes [00, FF, 15, 90, BD, 3F, F7, ...]
    PAGE fltMgr.sys!FltCreateCommunicationPort + 7C F7407D6E 94 Bytes [08, 89, 0F, 89, 79, 04, 83, ...]
    PAGE fltMgr.sys!FltCreateCommunicationPort + DB F7407DCD 53 Bytes [0B, 00, 74, 0A, 8D, 43, 18, ...]
    PAGE fltMgr.sys!FltClose + 21 F7407E03 12 Bytes [15, 94, BD, 3F, F7, FF, 73, ...]
    PAGE fltMgr.sys!FltClose + 2E F7407E10 13 Bytes [5F, 5E, 5B, 5D, C2, 04, 00, ...]
    PAGE fltMgr.sys!FltClose + 3C F7407E1E 43 Bytes [55, 8B, EC, 83, 7D, 18, 01, ...]
    PAGE fltMgr.sys!FltClose + 6A F7407E4C 5 Bytes [8B, FF, 55, 8B, EC] {MOV EDI, EDI; PUSH EBP; MOV EBP, ESP}PAGE fltMgr.sys!FltClose + 70 F7407E52 7 Bytes [45, 0C, 83, 38, 02, 74, 10] {INC EBP; OR AL, 0x83; CMP [EDX], AL; JZ 0x17}
    PAGE ...
    PAGE fltMgr.sys!FltBuildDefaultSecurityDescriptor + 1A2 F740806A 135 Bytes [15, 24, C0, 3F, F7, 83, 7E, ...]
    PAGE fltMgr.sys!FltCloseClientPort + 4E F74080F2 134 Bytes [15, 30, C0, 3F, F7, 5D, C2, ...]
    PAGE fltMgr.sys!FltCloseClientPort + D5 F7408179 26 Bytes [76, 28, FF, 76, 18, FF, 76, ...]
    PAGE fltMgr.sys!FltCloseClientPort + F0 F7408194 110 Bytes [78, 0C, 85, DB, 7C, 29, 80, ...]
    PAGE fltMgr.sys!FltCloseClientPort + 15F F7408203 17 Bytes [00, 74, 10, 83, 4E, 08, 02, ...]
    PAGE fltMgr.sys!FltCloseClientPort + 172 F7408216 62 Bytes [5E, C9, C2, 04, 00, CC, CC, ...]
    PAGE ...
     
  3. videoart

    videoart TS Rookie Topic Starter Posts: 40

    PAGE fltMgr.sys!FltRegisterFilter + A8 F740C16C 70 Bytes [7B, 66, 83, 78, 0C, 6C, 75, ...]
    PAGE fltMgr.sys!FltRegisterFilter + EF F740C1B3 56 Bytes [83, 7D, E4, 00, 7C, 48, 8B, ...]
    PAGE ...
    PAGE fltMgr.sys!FltUnregisterFilter F740C3F8 14 Bytes [CC, CC, CC, CC, 8B, FF, 55, ...] {INT 3 ; INT 3 ; INT 3 ; INT 3 ; MOV EDI, EDI; PUSH EBP; MOV EBP, ESP; CMP BYTE [EBP+0xc], 0x0; PUSH EBX}
    PAGE fltMgr.sys!FltUnregisterFilter + F F740C407 20 Bytes [8B, 75, 08, 57, 8B, 7E, 28, ...]
    PAGE fltMgr.sys!FltUnregisterFilter + 24 F740C41C 113 Bytes [8D, 5F, 68, 53, FF, 15, 28, ...]
    PAGE fltMgr.sys!FltUnregisterFilter + 96 F740C48E 2 Bytes [47, 40] {INC EDI; INC EAX}
    PAGE fltMgr.sys!FltUnregisterFilter + 99 F740C491 34 Bytes [46, 0C, 8B, 35, B4, BD, 3F, ...]
    PAGE ...
    PAGE fltMgr.sys!FltGetVolumeProperties + A F740C538 27 Bytes [8B, 00, 89, 45, 08, EB, D1, ...]
    PAGE fltMgr.sys!FltGetVolumeProperties + 26 F740C554 182 Bytes [4E, 4C, FF, D7, FF, D3, 56, ...]
    PAGE fltMgr.sys!FltGetVolumeProperties + DD F740C60B 65 Bytes [45, 08, 8B, 70, 14, 89, 75, ...]
    PAGE fltMgr.sys!FltGetVolumeProperties + 120 F740C64E 8 Bytes [8B, 4D, DC, 3B, C8, 0F, 84, ...]
    PAGE fltMgr.sys!FltGetVolumeProperties + 12A F740C658 75 Bytes [00, 8D, 79, F4, 89, 7D, D8, ...]
    PAGE fltMgr.sys!FltIsVolumeWritable + 3C F740C6A4 22 Bytes [6A, 01, 57, FF, 75, 08, E8, ...]
    PAGE fltMgr.sys!FltIsVolumeWritable + 53 F740C6BB 17 Bytes [D3, 6A, 01, 8D, 46, 68, 50, ...]
    PAGE fltMgr.sys!FltIsVolumeWritable + 87 F740C6EF 1 Byte [04]
    PAGE fltMgr.sys!FltIsVolumeWritable + 87 F740C6EF 32 Bytes [04, 00, 8B, 7D, D8, 8B, 75, ...]
    PAGE fltMgr.sys!FltIsVolumeWritable + BD F740C725 60 Bytes [FF, 15, B4, BD, 3F, F7, FF, ...]
    PAGE fltMgr.sys!FltGetVolumeGuidName + 36 F740C762 91 Bytes [86, D0, 02, 00, 00, 89, 45, ...]
    PAGE fltMgr.sys!FltGetVolumeGuidName + 92 F740C7BE 221 Bytes [45, D8, 8D, 4B, 5C, 8B, 45, ...]
    PAGE fltMgr.sys!FltGetVolumeGuidName + 170 F740C89C 38 Bytes [66, 14, FD, 8D, 8B, 0C, 01, ...]
    PAGE fltMgr.sys!FltGetVolumeGuidName + 197 F740C8C3 105 Bytes [CC, CC, CC, 8B, FF, 55, 8B, ...]
    PAGE fltMgr.sys!FltGetVolumeGuidName + 201 F740C92D 36 Bytes [FF, 75, FC, FF, 75, 08, E8, ...]
    PAGE ...
    PAGE fltMgr.sys!FltGetDiskDeviceObject + 1 F740CA2D 17 Bytes [F0, 85, F6, 7C, 1F, FF, 75, ...]
    PAGE fltMgr.sys!FltGetDiskDeviceObject + 13 F740CA3F 25 Bytes [75, 08, FF, 15, F0, BF, 3F, ...]
    PAGE fltMgr.sys!FltGetDeviceObject F740CA5C 5 Bytes [CC, CC, 8B, FF, 55] {INT 3 ; INT 3 ; MOV EDI, EDI; PUSH EBP}
    PAGE fltMgr.sys!FltGetDeviceObject + 6 F740CA62 10 Bytes [EC, 83, EC, 10, 8B, 45, 10, ...] {IN AL, DX ; SUB ESP, 0x10; MOV EAX, [EBP+0x10]; MOVZX EAX, [EAX]}
    PAGE fltMgr.sys!FltGetDeviceObject + 11 F740CA6D 7 Bytes [4D, 14, 0F, B7, 09, 03, C1] {DEC EBP; ADC AL, 0xf; MOV BH, 0x9; ADD EAX, ECX}
    PAGE fltMgr.sys!FltGetDeviceObject + 19 F740CA75 103 Bytes [4D, 18, 0F, B7, 09, 53, 56, ...]
    PAGE fltMgr.sys!FltGetDeviceObject + 81 F740CADD 30 Bytes [7E, 4C, 89, 46, 20, 89, 5F, ...]
    PAGE ...
    PAGE fltMgr.sys!FltOpenVolume + C F740CB78 35 Bytes [11, 66, 89, 56, 3E, 0F, B7, ...]
    PAGE fltMgr.sys!FltOpenVolume + 30 F740CB9C 17 Bytes [56, 46, 0F, B7, 11, 51, 50, ...]
    PAGE fltMgr.sys!FltOpenVolume + 42 F740CBAE 6 Bytes [8D, 46, 2C, 66, 83, 20]
    PAGE fltMgr.sys!FltOpenVolume + 49 F740CBB5 27 Bytes [89, 7E, 30, 66, 8B, 11, 66, ...]
    PAGE fltMgr.sys!FltOpenVolume + 65 F740CBD1 75 Bytes [56, 66, 89, 7E, 34, 66, C7, ...]
    PAGE ...
    PAGE fltMgr.sys!FltQueryVolumeInformation + 21 F740D179 1 Byte [51]
    PAGE fltMgr.sys!FltQueryVolumeInformation + 21 F740D179 44 Bytes [51, 10, 5D, C2, 08, 00, CC, ...]
    PAGE fltMgr.sys!FltSetVolumeInformation + 8 F740D1A6 55 Bytes [00, 00, 00, 00, 00, 00, 00, ...]
    PAGE fltMgr.sys!FltSetVolumeInformation + 40 F740D1DE 19 Bytes [00, 00, 00, 00, 00, 00, 00, ...]
    PAGE fltMgr.sys!FltSetVolumeInformation + 54 F740D1F2 67 Bytes [00, 00, 00, 00, 00, 00, 00, ...]
    PAGE fltMgr.sys!FltSetVolumeInformation + 99 F740D237 94 Bytes [00, 25, 63, 00, 00, 42, 72, ...]
    PAGE fltMgr.sys!FltSetVolumeInformation + F9 F740D297 104 Bytes [00, 42, 72, 65, 61, 6B, 70, ...]
    PAGE ...
    PAGE fltMgr.sys!FltNotifyFilterChangeDirectory + 20 F740D63C 50 Bytes [5D, 08, 8B, 4B, 08, 56, 8B, ...]
    PAGE fltMgr.sys!FltNotifyFilterChangeDirectory + 53 F740D66F 42 Bytes [00, 89, 45, F4, 0F, 95, C1, ...]
    PAGE fltMgr.sys!FltNotifyFilterChangeDirectory + 82 F740D69E 22 Bytes [8B, FF, 55, 8B, EC, 53, 56, ...]
    PAGE fltMgr.sys!FltNotifyFilterChangeDirectory + 99 F740D6B5 13 Bytes [47, 04, 8B, 40, 74, 80, C1, ...]
    PAGE fltMgr.sys!FltNotifyFilterChangeDirectory + A7 F740D6C3 40 Bytes [C6, 45, 0F, 00, 74, 16, F6, ...]
    PAGE ...
    .text ipsec.sys AA5F7300 208 Bytes [90, 90, 90, 90, 90, 90, 90, ...]
    .text ipsec.sys AA5F73D1 696 Bytes [AA, 0F, 85, 1C, 1C, 00, 00, ...]
    .text ipsec.sys AA5F768A 440 Bytes [6A, 60, AA, FF, 15, F0, 67, ...]
    .text ipsec.sys AA5F7843 189 Bytes [0F, 84, 9C, 13, 00, 00, E8, ...]
    .text ipsec.sys AA5F7901 180 Bytes [EB, D4, 8B, F0, EB, C1, BE, ...]
    .text ...
    .INIT C:\WINDOWS\system32\DRIVERS\ipsec.sys entry point in ".INIT" section [0xAA604920]
    ? C:\WINDOWS\system32\DRIVERS\ipsec.sys suspicious PE modification
    pnidata C:\WINDOWS\system32\DRIVERS\secdrv.sys unknown last section [0xA9BD3F00, 0x24000, 0x48000000]

    ---- User code sections - GMER 1.0.15 ----

    .text C:\Program Files\Mozilla Firefox\firefox.exe[2256] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 01263690 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
    .text C:\WINDOWS\system32\svchost.exe[2568] USER32.dll!DialogBoxIndirectParamAorW 77D56F20 5 Bytes [33, C0, C2, 18, 00] {XOR EAX, EAX; RET 0x18}
    .text C:\WINDOWS\system32\WgaTray.exe[2924] WININET.dll!InternetErrorDlg 7722D415 5 Bytes JMP 0101211B C:\WINDOWS\system32\WgaTray.exe (Windows Genuine Advantage Notification/Microsoft Corporation)
    .text C:\Program Files\Mozilla Firefox\plugin-container.exe[3448] USER32.dll!SetWindowLongA 77D4D61D 5 Bytes JMP 106ACCFA C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
    .text C:\Program Files\Mozilla Firefox\plugin-container.exe[3448] USER32.dll!SetWindowLongW 77D4D63B 5 Bytes JMP 106ACC8C C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
    .text C:\Program Files\Mozilla Firefox\plugin-container.exe[3448] USER32.dll!GetWindowInfo 77D4E78C 5 Bytes JMP 1045E78C C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
    .text C:\Program Files\Mozilla Firefox\plugin-container.exe[3448] USER32.dll!TrackPopupMenu 77D94EDE 5 Bytes JMP 1045ED49 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)

    ---- Kernel IAT/EAT - GMER 1.0.15 ----

    IAT fltMgr.sys[HAL.dll!KeReleaseInStackQueuedSpinLock] [804EF1EA] \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
    IAT fltMgr.sys[HAL.dll!KeAcquireInStackQueuedSpinLock] [804EF15A] \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
    IAT fltMgr.sys[HAL.dll!KfLowerIrql] [80500134] \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
    IAT fltMgr.sys[HAL.dll!KfRaiseIrql] [804FFCAC] \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
    IAT fltMgr.sys[HAL.dll!ExAcquireFastMutex] [805AB40C] \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
    IAT fltMgr.sys[HAL.dll!ExReleaseFastMutex] [804EF8D6] \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
    IAT fltMgr.sys[HAL.dll!KeGetCurrentIrql] [805AB37E] \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)

    ---- Modules - GMER 1.0.15 ----

    Module (noname) (*** hidden *** ) F6392000-F639C000 (40960 bytes)
    Module (noname) (*** hidden *** ) F63F2000-F6400000 (57344 bytes)

    ---- Threads - GMER 1.0.15 ----

    Thread System [4:728] F6396E40
    Thread System [4:732] F6396E40
    Thread System [4:736] 85FF6520
    Thread System [4:740] 85FF6520
    Thread System [4:3676] F7869EDE
    Thread System [4:3664] F786A616
    Thread System [4:3688] F786A364
    Thread System [4:1020] F786B040

    ---- Files - GMER 1.0.15 ----

    File C:\WINDOWS\$NtUninstallKB43314$\3304507242 0 bytes
    File C:\WINDOWS\$NtUninstallKB43314$\866346350 0 bytes
    File C:\WINDOWS\$NtUninstallKB43314$\866346350\@ 2048 bytes
    File C:\WINDOWS\$NtUninstallKB43314$\866346350\L 0 bytes
    File C:\WINDOWS\$NtUninstallKB43314$\866346350\L\wjnylfea 74752 bytes
    File C:\WINDOWS\$NtUninstallKB43314$\866346350\loader.tlb 2632 bytes
    File C:\WINDOWS\$NtUninstallKB43314$\866346350\U 0 bytes
    File C:\WINDOWS\$NtUninstallKB43314$\866346350\U\@00000001 45968 bytes
    File C:\WINDOWS\$NtUninstallKB43314$\866346350\U\@000000c0 3072 bytes
    File C:\WINDOWS\$NtUninstallKB43314$\866346350\U\@000000cb 3072 bytes
    File C:\WINDOWS\$NtUninstallKB43314$\866346350\U\@000000cf 1536 bytes
    File C:\WINDOWS\$NtUninstallKB43314$\866346350\U\@80000000 26112 bytes
    File C:\WINDOWS\$NtUninstallKB43314$\866346350\U\@800000c0 32768 bytes
    File C:\WINDOWS\$NtUninstallKB43314$\866346350\U\@800000cb 24064 bytes
    File C:\WINDOWS\$NtUninstallKB43314$\866346350\U\@800000cf 31744 bytes

    ---- EOF - GMER 1.0.15 ----

    DDS Logs:

    DDS.txt
    .
    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_26
    Run by Chris Wright at 20:01:20 on 2011-12-17
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.566 [GMT -6:00]
    .
    AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\svchost.exe -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\Program Files\AVAST Software\Avast\AvastSvc.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
    C:\Program Files\AVAST Software\Avast\avastUI.exe
    C:\WINDOWS\system32\igfxext.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\imapi.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.yahoo.com/
    uInternet Settings,ProxyServer = http=127.0.0.1:60667
    mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\documents and settings\chris wright\local settings\application data\fbqhlwce\neitvwlr.exe,
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
    BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mRun: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [QlbCtrl.exe] c:\program files\hewlett-packard\hp quick launch buttons\QlbCtrl.exe /Start
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [LManager] c:\progra~1\launch~1\QtZgAcer.EXE
    mRun: [VirtualCloneDrive] "c:\program files\elaborate bytes\virtualclonedrive\VCDDaemon.exe" /s
    mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    LSP: mswsock.dll
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
    TCP: Interfaces\{D4897913-61E2-4C84-B4CF-FED1EB3E4C59} : NameServer = 69.78.96.14 66.174.92.14
    Notify: igfxcui - igfxdev.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-12-17 435032]
    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2011-12-17 314456]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2011-12-17 20568]
    R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2011-12-17 44768]
    R2 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2010-7-15 35088]
    R3 appliandMP;appliandMP;c:\windows\system32\drivers\appliand.sys [2011-12-14 28256]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S3 appliand;Applian Network Service;c:\windows\system32\drivers\appliand.sys [2011-12-14 28256]
    S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
    S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\d0.tmp --> c:\windows\system32\D0.tmp [?]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
    .
    =============== Created Last 30 ================
    .
    2011-12-17 23:46:31 435032 ----a-w- c:\windows\system32\drivers\aswSnx.sys
    2011-12-17 23:46:11 41184 ----a-w- c:\windows\avastSS.scr
    2011-12-17 23:45:52 -------- d-----w- c:\program files\AVAST Software
    2011-12-17 23:45:52 -------- d-----w- c:\documents and settings\all users\application data\AVAST Software
    2011-12-16 02:36:38 -------- d-----w- c:\documents and settings\chris wright\DoctorWeb
    2011-12-16 01:12:40 205072 ----a-w- c:\windows\system32\drivers\tmcomm.sys
    2011-12-16 00:08:03 -------- d--h--w- c:\documents and settings\all users\application data\Common Files
    2011-12-16 00:06:29 -------- d-----w- c:\documents and settings\all users\application data\MFAData
    2011-12-15 01:28:37 -------- d-sh--w- c:\documents and settings\chris wright\local settings\application data\33a3656e
    2011-12-15 00:27:14 2106216 ----a-w- c:\program files\mozilla firefox\D3DCompiler_43.dll
    2011-12-15 00:27:13 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    2011-12-15 00:27:11 89048 ----a-w- c:\program files\mozilla firefox\libEGL.dll
    2011-12-15 00:27:11 478168 ----a-w- c:\program files\mozilla firefox\libGLESv2.dll
    2011-12-15 00:27:11 1998168 ----a-w- c:\program files\mozilla firefox\d3dx9_43.dll
    2011-12-15 00:27:11 15832 ----a-w- c:\program files\mozilla firefox\mozalloc.dll
    2011-12-15 00:27:10 801752 ----a-w- c:\program files\mozilla firefox\mozsqlite3.dll
    2011-12-15 00:27:10 1989592 ----a-w- c:\program files\mozilla firefox\mozjs.dll
    2011-12-15 00:20:51 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-12-14 22:34:07 323584 ----a-w- c:\windows\system32\AUDIOGENIE2.DLL
    2011-12-14 22:32:14 -------- d-----w- c:\program files\Replay Media Catcher
    2011-12-14 22:25:05 28256 ----a-w- c:\windows\system32\drivers\appliand.sys
    2011-12-14 22:24:44 -------- d-----w- c:\documents and settings\chris wright\application data\Replay Media Catcher 4
    2011-12-14 22:24:44 -------- d-----w- c:\documents and settings\all users\application data\Applian
    2011-12-14 04:20:20 -------- d-----w- c:\documents and settings\all users\application data\Spybot - Search & Destroy
    2011-12-14 03:02:55 -------- d-sha-r- C:\cmdcons
    2011-12-14 03:00:33 98816 ----a-w- c:\windows\sed.exe
    2011-12-14 03:00:33 518144 ----a-w- c:\windows\SWREG.exe
    2011-12-14 03:00:33 256000 ----a-w- c:\windows\PEV.exe
    2011-12-14 03:00:33 208896 ----a-w- c:\windows\MBR.exe
    2011-12-11 03:34:50 -------- d-----w- c:\documents and settings\chris wright\local settings\application data\RipTiger
    2011-12-10 04:52:48 -------- d-----w- c:\program files\WinPcap
    2011-12-06 03:25:43 -------- d-----w- c:\documents and settings\chris wright\application data\.minecraft
    2011-12-06 02:09:24 -------- d-----w- c:\documents and settings\chris wright\application data\Malwarebytes
    .
    ==================== Find3M ====================
    .
    2011-12-15 00:29:20 237568 ----a-w- c:\windows\system32\rmc_rtspdl.dll
    2011-12-15 00:29:20 156672 ----a-w- c:\windows\system32\rmc_fixasf.exe
    2009-09-05 00:01:10 525656 ----a-w- c:\program files\DXSETUP.exe
    2009-09-05 00:01:08 94024 ----a-w- c:\program files\DSETUP.dll
    2009-09-05 00:01:08 1691464 ----a-w- c:\program files\dsetup32.dll
    .
    ============= FINISH: 20:04:22.23 ===============

    Attach.txt

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-08-26.01)
    .
    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 7/6/2011 4:47:12 AM
    System Uptime: 12/17/2011 7:52:35 PM (1 hours ago)
    .
    Motherboard: Quanta | | 30BB
    Processor: Genuine Intel(R) CPU T2130 @ 1.86GHz | U2E1 | 1862/533mhz
    Processor: Genuine Intel(R) CPU T2130 @ 1.86GHz | U2E1 | 1862/533mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 112 GiB total, 22.915 GiB free.
    D: is CDROM ()
    E: is CDROM ()
    .
    ==== Disabled Device Manager Items =============
    .
    Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
    Description: Modem Device on High Definition Audio Bus
    Device ID: HDAUDIO\FUNC_02&VEN_14F1&DEV_5045&SUBSYS_103C30BB&REV_1001\4&D5F8BB4&0&0002
    Manufacturer:
    Name: Modem Device on High Definition Audio Bus
    PNP Device ID: HDAUDIO\FUNC_02&VEN_14F1&DEV_5045&SUBSYS_103C30BB&REV_1001\4&D5F8BB4&0&0002
    Service:
    .
    Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
    Description: Base System Device
    Device ID: PCI\VEN_1180&DEV_0843&SUBSYS_30BB103C&REV_01\4&6B16D5B&0&2AF0
    Manufacturer:
    Name: Base System Device
    PNP Device ID: PCI\VEN_1180&DEV_0843&SUBSYS_30BB103C&REV_01\4&6B16D5B&0&2AF0
    Service:
    .
    Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
    Description: Base System Device
    Device ID: PCI\VEN_1180&DEV_0592&SUBSYS_30BB103C&REV_0A\4&6B16D5B&0&2BF0
    Manufacturer:
    Name: Base System Device
    PNP Device ID: PCI\VEN_1180&DEV_0592&SUBSYS_30BB103C&REV_0A\4&6B16D5B&0&2BF0
    Service:
    .
    Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
    Description: Base System Device
    Device ID: PCI\VEN_1180&DEV_0852&SUBSYS_30BB103C&REV_05\4&6B16D5B&0&2CF0
    Manufacturer:
    Name: Base System Device
    PNP Device ID: PCI\VEN_1180&DEV_0852&SUBSYS_30BB103C&REV_05\4&6B16D5B&0&2CF0
    Service:
    .
    ==== System Restore Points ===================
    .
    RP46: 9/20/2011 11:21:05 PM - System Checkpoint
    RP47: 9/26/2011 10:42:34 PM - System Checkpoint
    RP48: 9/28/2011 4:00:36 PM - System Checkpoint
    RP49: 10/1/2011 1:14:14 AM - System Checkpoint
    RP50: 10/2/2011 10:38:56 PM - System Checkpoint
    RP51: 10/5/2011 10:21:36 PM - System Checkpoint
    RP52: 10/8/2011 11:13:54 PM - System Checkpoint
    RP53: 10/11/2011 6:38:34 PM - System Checkpoint
    RP54: 10/12/2011 8:04:34 PM - System Checkpoint
    RP55: 10/13/2011 10:48:42 PM - System Checkpoint
    RP56: 10/15/2011 8:07:21 PM - System Checkpoint
    RP57: 10/17/2011 5:32:40 PM - System Checkpoint
    RP58: 10/19/2011 12:04:57 AM - System Checkpoint
    RP59: 10/20/2011 10:35:37 PM - System Checkpoint
    RP60: 10/22/2011 1:56:00 PM - System Checkpoint
    RP61: 10/23/2011 4:19:37 PM - Installed Caesar IV
    RP62: 10/23/2011 4:26:38 PM - Installed DirectX
    RP63: 10/23/2011 4:27:22 PM - Installed MySQL Connector/ODBC 3.51
    RP64: 10/23/2011 4:28:43 PM - Configured Caesar IV
    RP65: 10/25/2011 11:32:59 PM - System Checkpoint
    RP66: 10/29/2011 10:41:57 PM - System Checkpoint
    RP67: 11/1/2011 10:17:04 PM - System Checkpoint
    RP68: 11/2/2011 11:44:44 PM - System Checkpoint
    RP69: 11/4/2011 9:00:53 PM - Installed Microsoft Visual C++ 2005 Redistributable
    RP70: 11/7/2011 11:04:20 AM - System Checkpoint
    RP71: 11/12/2011 9:06:26 PM - System Checkpoint
    RP72: 11/13/2011 9:41:09 PM - System Checkpoint
    RP73: 11/15/2011 9:17:19 AM - System Checkpoint
    RP74: 11/18/2011 1:56:53 PM - System Checkpoint
    RP75: 11/19/2011 11:33:13 PM - System Checkpoint
    RP76: 11/20/2011 8:24:46 PM - Removed Caesar IV
    RP77: 11/22/2011 12:32:48 PM - System Checkpoint
    RP78: 11/23/2011 1:53:00 PM - System Checkpoint
    RP79: 11/24/2011 4:10:10 PM - System Checkpoint
    RP80: 11/25/2011 11:40:31 PM - System Checkpoint
    RP81: 11/27/2011 3:40:28 PM - System Checkpoint
    RP82: 11/29/2011 5:35:28 PM - System Checkpoint
    RP83: 12/1/2011 1:39:32 PM - System Checkpoint
    RP84: 12/2/2011 3:28:04 PM - System Checkpoint
    RP85: 12/3/2011 6:20:40 PM - System Checkpoint
    RP86: 12/5/2011 1:03:03 PM - System Checkpoint
    RP87: 12/7/2011 4:18:48 PM - System Checkpoint
    RP88: 12/9/2011 1:36:23 AM - System Checkpoint
    RP89: 12/12/2011 2:01:11 PM - System Checkpoint
    RP90: 12/13/2011 3:04:21 PM - System Checkpoint
    RP91: 12/15/2011 12:12:48 PM - System Checkpoint
    RP92: 12/16/2011 12:18:34 PM - System Checkpoint
    RP93: 12/17/2011 2:53:56 PM - Installed Windows XP KB914882.
    RP94: 12/17/2011 5:45:52 PM - avast! Free Antivirus Setup
    .
    ==== Installed Programs ======================
    .
    µTorrent
    7-Zip 9.20
    Adobe Flash Player 10 Plugin
    Adobe Reader 7.1.0
    Annihilator
    Apple Application Support
    Apple Software Update
    Audacity 1.2.6
    avast! Free Antivirus
    CDisplay 1.8
    Conexant HD Audio
    DVD Flick 1.3.0.7
    ffdshow [beta 1] [2006-12-11]
    Google Earth Plug-in
    Google Update Helper
    Handbrake 0.9.4
    HP Product Detection
    HP Quick Launch Buttons
    Intel(R) PRO Network Connections Drivers
    Java Auto Updater
    Java(TM) 6 Update 26
    K-Lite Mega Codec Pack 5.7.0
    Launch Manager
    LG USB Modem driver
    Malwarebytes' Anti-Malware version 1.51.2.1300
    Microsoft .NET Framework 2.0
    Microsoft .NET Framework 4 Client Profile
    Microsoft Application Error Reporting
    Microsoft Choice Guard
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Minecraft Beta Cracked
    Mozilla Firefox 8.0.1 (x86 en-US)
    MSVCRT
    MySQL Connector/ODBC 3.51
    NVIDIA Drivers
    QLBCASL
    QuickTime
    Replay Media Catcher 3.02
    Replay Media Catcher 4 (4.3.0)
    Segoe UI
    Sins of a Solar Empire
    Sins of a Solar Empire Trinity
    Software Update for Web Folders
    Update for Windows XP (KB914882)
    VirtualCloneDrive
    VLC media player 1.1.10
    Windows Live Call
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live Messenger
    Windows Live Sign-in Assistant
    Windows Live Upload Tool
    WinPcap 4.1.2
    WinRAR 4.01 (32-bit)
    .
    ==== Event Viewer Messages From Past Week ========
    .
    12/17/2011 7:58:28 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Application Layer Gateway Service service to connect.
    12/17/2011 7:58:28 PM, error: Service Control Manager [7000] - The Application Layer Gateway Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    12/17/2011 7:57:58 PM, error: Service Control Manager [7022] - The avast! Antivirus service hung on starting.
    12/17/2011 7:57:58 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Java Quick Starter service to connect.
    12/17/2011 7:57:58 PM, error: Service Control Manager [7000] - The Java Quick Starter service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    12/16/2011 10:40:40 PM, error: PlugPlayManager [11] - The device Root\LEGACY_TMCOMM\0000 disappeared from the system without first being prepared for removal.
    12/16/2011 10:32:51 PM, error: Service Control Manager [7000] - The StarOpen service failed to start due to the following error: The system cannot find the file specified.
    12/15/2011 11:29:45 AM, error: Service Control Manager [7023] - The Network Location Awareness (NLA) service terminated with the following error: The specified procedure could not be found.
    12/14/2011 4:25:28 PM, error: PSched [14107] - QoS [Adapter NDISWANIP]: The Packet Scheduler could not initialize the virtual miniport with NDIS.
    12/13/2011 9:07:55 PM, error: PlugPlayManager [11] - The device Root\LEGACY_MICORSOFT_WINDOWS_SERVICE\0000 disappeared from the system without first being prepared for removal.
    12/13/2011 5:11:12 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: PCIIde
    12/13/2011 5:10:29 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
    .
    ==== End Of File ===========================
     
  4. Broni

    Broni Malware Annihilator Posts: 47,022   +255

    Welcome aboard

    Please observe the following rules:
    • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
    • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
    • Please refrain from running tools or applying updates other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer's behavior, good or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in the malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

    ============================================================

    Download TDSSKiller and save it to your desktop.
    • Double-click on TDSSKiller.exe to run the application, then click on Start Scan.
    • If an infected file is detected, the default action will be Cure, click on Continue.
    • If a suspicious file is detected, the default action will be Skip, click on Continue.
    • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
    • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
    • If a reboot is required, the report can also be found in your root directory (usually C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here.
     
  5. videoart

    videoart TS Rookie Topic Starter Posts: 40

    A new wrinkle has occurred. The laptop can no longer connect to the net--I get an Error 720 now. I suppose the file corruptions due to the virus have reached critical mass. Despite the TDSS log below, it's still an active, destructive infection: it has disabled real-time shields in avast, and avast pop-ups keep appearing warning of attempts to contact dubious URLs, etc...


    20:17:55.0781 3720 TDSS rootkit removing tool 2.6.23.0 Dec 13 2011 10:39:31
    20:17:55.0812 3720 ============================================================
    20:17:55.0812 3720 Current date / time: 2011/12/18 20:17:55.0812
    20:17:55.0812 3720 SystemInfo:
    20:17:55.0812 3720
    20:17:55.0812 3720 OS Version: 5.1.2600 ServicePack: 2.0
    20:17:55.0812 3720 Product type: Workstation
    20:17:55.0812 3720 ComputerName: COMPUTER_1
    20:17:55.0812 3720 UserName: Chris Wright
    20:17:55.0812 3720 Windows directory: C:\WINDOWS
    20:17:55.0812 3720 System windows directory: C:\WINDOWS
    20:17:55.0812 3720 Processor architecture: Intel x86
    20:17:55.0812 3720 Number of processors: 2
    20:17:55.0812 3720 Page size: 0x1000
    20:17:55.0812 3720 Boot type: Normal boot
    20:17:55.0812 3720 ============================================================
    20:17:56.0312 3720 Initialize success
    20:18:00.0890 0540 ============================================================
    20:18:00.0890 0540 Scan started
    20:18:00.0890 0540 Mode: Manual;
    20:18:00.0890 0540 ============================================================
    20:18:01.0312 0540 Aavmker4 (b6de0336f9f4b687b4ff57939f7b657a) C:\WINDOWS\system32\drivers\Aavmker4.sys
    20:18:01.0312 0540 Aavmker4 - ok
    20:18:01.0343 0540 Abiosdsk - ok
    20:18:01.0343 0540 abp480n5 - ok
    20:18:01.0421 0540 ACPI (a10c7534f7223f4a73a948967d00e69b) C:\WINDOWS\system32\DRIVERS\ACPI.sys
    20:18:01.0421 0540 ACPI - ok
    20:18:01.0453 0540 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\DRIVERS\ACPIEC.sys
    20:18:01.0453 0540 ACPIEC - ok
    20:18:01.0468 0540 adpu160m - ok
    20:18:01.0500 0540 aec (1ee7b434ba961ef845de136224c30fec) C:\WINDOWS\system32\drivers\aec.sys
    20:18:01.0500 0540 aec - ok
    20:18:01.0531 0540 AFD (5ac495f4cb807b2b98ad2ad591e6d92e) C:\WINDOWS\System32\drivers\afd.sys
    20:18:01.0531 0540 AFD - ok
    20:18:01.0531 0540 Aha154x - ok
    20:18:01.0546 0540 aic78u2 - ok
    20:18:01.0562 0540 aic78xx - ok
    20:18:01.0578 0540 AliIde - ok
    20:18:01.0593 0540 amsint - ok
    20:18:01.0640 0540 appliand (69370f2e2827ffba910d0bfa9e62e484) C:\WINDOWS\system32\DRIVERS\appliand.sys
    20:18:01.0640 0540 appliand - ok
    20:18:01.0640 0540 appliandMP (69370f2e2827ffba910d0bfa9e62e484) C:\WINDOWS\system32\DRIVERS\appliand.sys
    20:18:01.0656 0540 appliandMP - ok
    20:18:01.0671 0540 Arp1394 (f0d692b0bffb46e30eb3cea168bbc49f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
    20:18:01.0671 0540 Arp1394 - ok
    20:18:01.0687 0540 asc - ok
    20:18:01.0703 0540 asc3350p - ok
    20:18:01.0718 0540 asc3550 - ok
    20:18:01.0781 0540 aswFsBlk (054df24c92b55427e0757cfff160e4f2) C:\WINDOWS\system32\drivers\aswFsBlk.sys
    20:18:01.0781 0540 aswFsBlk - ok
    20:18:01.0812 0540 aswMon2 (ef0e9ad83380724bd6fbbb51d2d0f5b8) C:\WINDOWS\system32\drivers\aswMon2.sys
    20:18:01.0828 0540 aswMon2 - ok
    20:18:01.0843 0540 aswRdr (352d5a48ebab35a7693b048679304831) C:\WINDOWS\system32\drivers\aswRdr.sys
    20:18:01.0843 0540 aswRdr - ok
    20:18:01.0890 0540 aswSnx (8d34d2b24297e27d93e847319abfdec4) C:\WINDOWS\system32\drivers\aswSnx.sys
    20:18:01.0890 0540 aswSnx - ok
    20:18:01.0937 0540 aswSP (010012597333da1f46c3243f33f8409e) C:\WINDOWS\system32\drivers\aswSP.sys
    20:18:01.0953 0540 aswSP - ok
    20:18:01.0984 0540 aswTdi (f9f84364416658e9786235904d448d37) C:\WINDOWS\system32\drivers\aswTdi.sys
    20:18:01.0984 0540 aswTdi - ok
    20:18:02.0015 0540 AsyncMac (02000abf34af4c218c35d257024807d6) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
    20:18:02.0015 0540 AsyncMac - ok
    20:18:02.0062 0540 atapi (cdfe4411a69c224bd1d11b2da92dac51) C:\WINDOWS\system32\DRIVERS\atapi.sys
    20:18:02.0062 0540 atapi - ok
    20:18:02.0078 0540 Atdisk - ok
    20:18:02.0125 0540 Atmarpc (ec88da854ab7d7752ec8be11a741bb7f) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
    20:18:02.0125 0540 Atmarpc - ok
    20:18:02.0187 0540 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
    20:18:02.0187 0540 audstub - ok
    20:18:02.0234 0540 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
    20:18:02.0234 0540 Beep - ok
    20:18:02.0359 0540 catchme - ok
    20:18:02.0515 0540 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
    20:18:02.0531 0540 cbidf2k - ok
    20:18:02.0562 0540 cd20xrnt - ok
    20:18:02.0625 0540 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
    20:18:02.0625 0540 Cdaudio - ok
    20:18:02.0656 0540 Cdfs (cd7d5152df32b47f4e36f710b35aae02) C:\WINDOWS\system32\drivers\Cdfs.sys
    20:18:02.0656 0540 Cdfs - ok
    20:18:02.0703 0540 Cdrom (af9c19b3100fe010496b1a27181fbf72) C:\WINDOWS\system32\DRIVERS\cdrom.sys
    20:18:02.0718 0540 Cdrom - ok
    20:18:02.0718 0540 Changer - ok
    20:18:02.0781 0540 CmBatt (4266be808f85826aedf3c64c1e240203) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
    20:18:02.0781 0540 CmBatt - ok
    20:18:02.0796 0540 CmdIde - ok
    20:18:02.0859 0540 Compbatt (df1b1a24bf52d0ebc01ed4ece8979f50) C:\WINDOWS\system32\DRIVERS\compbatt.sys
    20:18:02.0859 0540 Compbatt - ok
    20:18:02.0890 0540 Cpqarray - ok
    20:18:02.0906 0540 dac2w2k - ok
    20:18:02.0921 0540 dac960nt - ok
    20:18:02.0968 0540 Disk (00ca44e4534865f8a3b64f7c0984bff0) C:\WINDOWS\system32\DRIVERS\disk.sys
    20:18:02.0968 0540 Disk - ok
    20:18:03.0000 0540 DKbFltr (08d30af92c270f2e76787c81589dbad6) C:\WINDOWS\system32\DRIVERS\DKbFltr.sys
    20:18:03.0000 0540 DKbFltr - ok
    20:18:03.0093 0540 dmboot (c0fbb516e06e243f0cf31f597e7ebf7d) C:\WINDOWS\system32\drivers\dmboot.sys
    20:18:03.0156 0540 dmboot - ok
    20:18:03.0328 0540 dmio (f5e7b358a732d09f4bcf2824b88b9e28) C:\WINDOWS\system32\DRIVERS\dmio.sys
    20:18:03.0328 0540 dmio - ok
    20:18:03.0359 0540 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
    20:18:03.0359 0540 dmload - ok
    20:18:03.0390 0540 DMusic (a6f881284ac1150e37d9ae47ff601267) C:\WINDOWS\system32\drivers\DMusic.sys
    20:18:03.0390 0540 DMusic - ok
    20:18:03.0406 0540 dpti2o - ok
    20:18:03.0453 0540 drmkaud (1ed4dbbae9f5d558dbba4cc450e3eb2e) C:\WINDOWS\system32\drivers\drmkaud.sys
    20:18:03.0453 0540 drmkaud - ok
    20:18:03.0484 0540 E100B (6ca101f9aa3d845ba31f6e13c01301a8) C:\WINDOWS\system32\DRIVERS\e100b325.sys
    20:18:03.0500 0540 E100B - ok
    20:18:03.0531 0540 ElbyCDIO (d71233d7ccc2e64f8715a20428d5a33b) C:\WINDOWS\system32\Drivers\ElbyCDIO.sys
    20:18:03.0531 0540 ElbyCDIO - ok
    20:18:03.0593 0540 Fastfat (3117f595e9615e04f05a54fc15a03b20) C:\WINDOWS\system32\drivers\Fastfat.sys
    20:18:03.0609 0540 Fastfat - ok
    20:18:03.0656 0540 Fdc (ced2e8396a8838e59d8fd529c680e02c) C:\WINDOWS\system32\drivers\Fdc.sys
    20:18:03.0656 0540 Fdc - ok
    20:18:03.0687 0540 Fips (e153ab8a11de5452bcf5ac7652dbf3ed) C:\WINDOWS\system32\drivers\Fips.sys
    20:18:03.0687 0540 Fips - ok
    20:18:03.0718 0540 Flpydisk (0dd1de43115b93f4d85e889d7a86f548) C:\WINDOWS\system32\drivers\Flpydisk.sys
    20:18:03.0718 0540 Flpydisk - ok
    20:18:03.0765 0540 FltMgr (54fd90f0038f07920cb9fb6591bde82f) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
    20:18:03.0781 0540 FltMgr - ok
    20:18:03.0812 0540 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
    20:18:03.0812 0540 Fs_Rec - ok
    20:18:03.0843 0540 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
    20:18:03.0859 0540 Ftdisk - ok
    20:18:03.0890 0540 Gpc (c0f1d4a21de5a415df8170616703debf) C:\WINDOWS\system32\DRIVERS\msgpc.sys
    20:18:03.0890 0540 Gpc - ok
    20:18:03.0937 0540 HBtnKey (fc657b7751729efe54e2ff24f50e5bab) C:\WINDOWS\system32\DRIVERS\cpqbttn.sys
    20:18:03.0953 0540 HBtnKey - ok
    20:18:04.0000 0540 HdAudAddService (4905d28aa09f63e6a2f4e93ed6dd7d19) C:\WINDOWS\system32\drivers\CHDAud.sys
    20:18:04.0015 0540 HdAudAddService - ok
    20:18:04.0046 0540 HDAudBus (3fcc124b6e08ee0e9351f717dd136939) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
    20:18:04.0046 0540 HDAudBus - ok
    20:18:04.0078 0540 HidUsb (1de6783b918f540149aa69943bdfeba8) C:\WINDOWS\system32\DRIVERS\hidusb.sys
    20:18:04.0093 0540 HidUsb - ok
    20:18:04.0109 0540 hpn - ok
    20:18:04.0156 0540 HTTP (909d110c9634b0f1487eaaea837317d9) C:\WINDOWS\system32\Drivers\HTTP.sys
    20:18:04.0156 0540 HTTP - ok
    20:18:04.0171 0540 i2omgmt - ok
    20:18:04.0187 0540 i2omp - ok
    20:18:04.0250 0540 i8042prt (5502b58eef7486ee6f93f3f164dcb808) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
    20:18:04.0265 0540 i8042prt - ok
    20:18:04.0343 0540 ialm (85d42b7f0dd406adf5e3ec7659a279ec) C:\WINDOWS\system32\DRIVERS\igxpmp32.sys
    20:18:04.0390 0540 ialm - ok
    20:18:04.0406 0540 Imapi (12c59b8929121ace2f55acc86682cf12) C:\WINDOWS\system32\DRIVERS\imapi.sys
    20:18:04.0406 0540 Imapi - ok
    20:18:04.0437 0540 ini910u - ok
    20:18:04.0468 0540 IntelIde (2d722b2b54ab55b2fa475eb58d7b2aad) C:\WINDOWS\system32\DRIVERS\intelide.sys
    20:18:04.0468 0540 IntelIde - ok
    20:18:04.0515 0540 intelppm (db8a1859cf9e48914dcc0a7206d87be5) C:\WINDOWS\system32\DRIVERS\intelppm.sys
    20:18:04.0515 0540 intelppm - ok
    20:18:04.0531 0540 Ip6Fw (4448006b6bc60e6c027932cfc38d6855) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
    20:18:04.0546 0540 Ip6Fw - ok
    20:18:04.0578 0540 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
    20:18:04.0578 0540 IpFilterDriver - ok
    20:18:04.0625 0540 IpInIp (e1ec7f5da720b640cd8fb8424f1b14bb) C:\WINDOWS\system32\DRIVERS\ipinip.sys
    20:18:04.0625 0540 IpInIp - ok
    20:18:04.0640 0540 IpNat (472c75f85e631f8aa87d21c9fee6238d) C:\WINDOWS\system32\DRIVERS\ipnat.sys
    20:18:04.0656 0540 IpNat - ok
    20:18:04.0687 0540 IRENUM (50708daa1b1cbb7d6ac1cf8f56a24410) C:\WINDOWS\system32\DRIVERS\irenum.sys
    20:18:04.0703 0540 IRENUM - ok
    20:18:04.0734 0540 isapnp (e504f706ccb699c2596e9a3da1596e87) C:\WINDOWS\system32\DRIVERS\isapnp.sys
    20:18:04.0734 0540 isapnp - ok
    20:18:04.0796 0540 Kbdclass (ebdee8a2ee5393890a1acee971c4c246) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
    20:18:04.0796 0540 Kbdclass - ok
    20:18:04.0828 0540 kbdhid (e182fa8e49e8ee41b4adc53093f3c7e6) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
    20:18:04.0843 0540 kbdhid - ok
    20:18:04.0875 0540 kmixer (d93cad07c5683db066b0b2d2d3790ead) C:\WINDOWS\system32\drivers\kmixer.sys
    20:18:04.0890 0540 kmixer - ok
    20:18:04.0921 0540 KSecDD (eb7ffe87fd367ea8fca0506f74a87fbb) C:\WINDOWS\system32\drivers\KSecDD.sys
    20:18:04.0921 0540 KSecDD - ok
    20:18:04.0937 0540 lbrtfdc - ok
    20:18:04.0968 0540 MBAMSwissArmy - ok
    20:18:04.0984 0540 MEMSWEEP2 - ok
    20:18:05.0015 0540 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
    20:18:05.0015 0540 mnmdd - ok
    20:18:05.0046 0540 Modem (6fc6f9d7acc36dca9b914565a3aeda05) C:\WINDOWS\system32\drivers\Modem.sys
    20:18:05.0062 0540 Modem - ok
    20:18:05.0078 0540 Mouclass (34e1f0031153e491910e12551400192c) C:\WINDOWS\system32\DRIVERS\mouclass.sys
    20:18:05.0078 0540 Mouclass - ok
    20:18:05.0125 0540 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
    20:18:05.0125 0540 mouhid - ok
    20:18:05.0156 0540 MountMgr (65653f3b4477f3c63e68a9659f85ee2e) C:\WINDOWS\system32\drivers\MountMgr.sys
    20:18:05.0156 0540 MountMgr - ok
    20:18:05.0171 0540 mraid35x - ok
    20:18:05.0187 0540 MRxDAV (46edcc8f2db2f322c24f48785cb46366) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
    20:18:05.0203 0540 MRxDAV - ok
    20:18:05.0234 0540 MRxSmb (28fdfec0a3cd3037020200d141a75d97) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
    20:18:05.0250 0540 MRxSmb - ok
    20:18:05.0281 0540 Msfs (561b3a4333ca2dbdba28b5b956822519) C:\WINDOWS\system32\drivers\Msfs.sys
    20:18:05.0281 0540 Msfs - ok
    20:18:05.0312 0540 MSKSSRV (ae431a8dd3c1d0d0610cdbac16057ad0) C:\WINDOWS\system32\drivers\MSKSSRV.sys
    20:18:05.0312 0540 MSKSSRV - ok
    20:18:05.0328 0540 MSPCLOCK (13e75fef9dfeb08eeded9d0246e1f448) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
    20:18:05.0328 0540 MSPCLOCK - ok
    20:18:05.0359 0540 MSPQM (1988a33ff19242576c3d0ef9ce785da7) C:\WINDOWS\system32\drivers\MSPQM.sys
    20:18:05.0375 0540 MSPQM - ok
    20:18:05.0406 0540 mssmbios (469541f8bfd2b32659d5d463a6714bce) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
    20:18:05.0406 0540 mssmbios - ok
    20:18:05.0437 0540 Mup (f66b6b1cddee6ca87cefc016eb7a0d8e) C:\WINDOWS\system32\drivers\Mup.sys
    20:18:05.0437 0540 Mup - ok
    20:18:05.0500 0540 NDIS (558635d3af1c7546d26067d5d9b6959e) C:\WINDOWS\system32\drivers\NDIS.sys
    20:18:05.0500 0540 NDIS - ok
    20:18:05.0546 0540 NdisTapi (08d43bbdacdf23f34d79e44ed35c1b4c) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
    20:18:05.0546 0540 NdisTapi - ok
    20:18:05.0578 0540 Ndisuio (f08bd495ba387229606d015cb4f459c9) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
    20:18:05.0593 0540 Ndisuio - ok
    20:18:05.0609 0540 NdisWan (0b90e255a9490166ab368cd55a529893) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
    20:18:05.0609 0540 NdisWan - ok
    20:18:05.0640 0540 NDProxy (59fc3fb44d2669bc144fd87826bb571f) C:\WINDOWS\system32\drivers\NDProxy.sys
    20:18:05.0656 0540 NDProxy - ok
    20:18:05.0671 0540 NetBIOS (3a2aca8fc1d7786902ca434998d7ceb4) C:\WINDOWS\system32\DRIVERS\netbios.sys
    20:18:05.0687 0540 NetBIOS - ok
    20:18:05.0734 0540 NetBT (0c80e410cd2f47134407ee7dd19cc86b) C:\WINDOWS\system32\DRIVERS\netbt.sys
    20:18:05.0734 0540 NetBT - ok
    20:18:05.0859 0540 NETw3x32 (f43da6b7e26fff9ac4d3210f2f9b5d8c) C:\WINDOWS\system32\DRIVERS\NETw3x32.sys
    20:18:05.0953 0540 NETw3x32 - ok
    20:18:05.0968 0540 NIC1394 (5c5c53db4fef16cf87b9911c7e8c6fbc) C:\WINDOWS\system32\DRIVERS\nic1394.sys
    20:18:05.0968 0540 NIC1394 - ok
    20:18:06.0015 0540 npf (b48dc6abcd3aeff8618350ccbdc6b09a) C:\WINDOWS\system32\drivers\npf.sys
    20:18:06.0015 0540 npf - ok
    20:18:06.0046 0540 Npfs (4f601bcb8f64ea3ac0994f98fed03f8e) C:\WINDOWS\system32\drivers\Npfs.sys
    20:18:06.0046 0540 Npfs - ok
    20:18:06.0078 0540 Ntfs (b78be402c3f63dd55521f73876951cdd) C:\WINDOWS\system32\drivers\Ntfs.sys
    20:18:06.0093 0540 Ntfs - ok
    20:18:06.0125 0540 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
    20:18:06.0125 0540 Null - ok
    20:18:06.0187 0540 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
    20:18:06.0187 0540 NwlnkFlt - ok
    20:18:06.0218 0540 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
    20:18:06.0218 0540 NwlnkFwd - ok
    20:18:06.0265 0540 ohci1394 (fc128c3d7d5ad30a13742dc3737b9df7) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
    20:18:06.0265 0540 ohci1394 - ok
    20:18:06.0312 0540 Parport (29744eb4ce659dfe3b4122deb45bc478) C:\WINDOWS\system32\drivers\Parport.sys
    20:18:06.0312 0540 Parport - ok
    20:18:06.0359 0540 PartMgr (3334430c29dc338092f79c38ef7b4cd0) C:\WINDOWS\system32\drivers\PartMgr.sys
    20:18:06.0359 0540 PartMgr - ok
    20:18:06.0390 0540 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
    20:18:06.0390 0540 ParVdm - ok
    20:18:06.0421 0540 PCI (8086d9979234b603ad5bc2f5d890b234) C:\WINDOWS\system32\DRIVERS\pci.sys
    20:18:06.0421 0540 PCI - ok
    20:18:06.0421 0540 PCIDump - ok
    20:18:06.0453 0540 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\drivers\PCIIde.sys
    20:18:06.0453 0540 PCIIde - ok
    20:18:06.0515 0540 Pcmcia (82a087207decec8456fbe8537947d579) C:\WINDOWS\system32\drivers\Pcmcia.sys
    20:18:06.0515 0540 Pcmcia - ok
    20:18:06.0531 0540 PDCOMP - ok
    20:18:06.0546 0540 PDFRAME - ok
    20:18:06.0562 0540 PDRELI - ok
    20:18:06.0562 0540 PDRFRAME - ok
    20:18:06.0578 0540 perc2 - ok
    20:18:06.0593 0540 perc2hib - ok
    20:18:06.0656 0540 PptpMiniport (1c5cc65aac0783c344f16353e60b72ac) C:\WINDOWS\system32\DRIVERS\raspptp.sys
    20:18:06.0656 0540 PptpMiniport - ok
    20:18:06.0671 0540 PSched (48671f327553dcf1d27f6197f622a668) C:\WINDOWS\system32\DRIVERS\psched.sys
    20:18:06.0687 0540 PSched - ok
    20:18:06.0687 0540 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
    20:18:06.0703 0540 Ptilink - ok
    20:18:06.0703 0540 ql1080 - ok
    20:18:06.0718 0540 Ql10wnt - ok
    20:18:06.0734 0540 ql12160 - ok
    20:18:06.0750 0540 ql1240 - ok
    20:18:06.0765 0540 ql1280 - ok
    20:18:06.0796 0540 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
    20:18:06.0812 0540 RasAcd - ok
    20:18:06.0828 0540 Rasl2tp (98faeb4a4dcf812ba1c6fca4aa3e115c) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
    20:18:06.0828 0540 Rasl2tp - ok
    20:18:06.0843 0540 RasPppoe (7306eeed8895454cbed4669be9f79faa) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
    20:18:06.0859 0540 RasPppoe - ok
    20:18:06.0875 0540 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
    20:18:06.0875 0540 Raspti - ok
    20:18:06.0906 0540 Rdbss (b48441a6dc703ee4c36db14ee51a189c) C:\WINDOWS\system32\DRIVERS\rdbss.sys
    20:18:06.0921 0540 Rdbss - ok
    20:18:06.0953 0540 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
    20:18:06.0953 0540 RDPCDD - ok
    20:18:07.0015 0540 rdpdr (a2cae2c60bc37e0751ef9dda7ceaf4ad) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
    20:18:07.0015 0540 rdpdr - ok
    20:18:07.0093 0540 RDPWD (047bea21274c8a4a233674a76c958c2c) C:\WINDOWS\system32\drivers\RDPWD.sys
    20:18:07.0093 0540 RDPWD - ok
    20:18:07.0140 0540 redbook (b31b4588e4086d8d84adbf9845c2402b) C:\WINDOWS\system32\DRIVERS\redbook.sys
    20:18:07.0140 0540 redbook - ok
    20:18:07.0218 0540 sdbus (02fc71b020ec8700ee8a46c58bc6f276) C:\WINDOWS\system32\DRIVERS\sdbus.sys
    20:18:07.0218 0540 sdbus - ok
    20:18:07.0250 0540 Secdrv (07f7f501ad50de2ba2d5842d9b6d6155) C:\WINDOWS\system32\DRIVERS\secdrv.sys
    20:18:07.0265 0540 Secdrv - ok
    20:18:07.0296 0540 Serial (cd9404d115a00d249f70a371b46d5a26) C:\WINDOWS\system32\drivers\Serial.sys
    20:18:07.0312 0540 Serial - ok
    20:18:07.0343 0540 sffdisk (1d9f1bec651815741f088a8fb88e17ee) C:\WINDOWS\system32\DRIVERS\sffdisk.sys
    20:18:07.0359 0540 sffdisk - ok
    20:18:07.0359 0540 sffp_sd (586499fd312ffd7f78553f408e71682e) C:\WINDOWS\system32\DRIVERS\sffp_sd.sys
    20:18:07.0375 0540 sffp_sd - ok
    20:18:07.0390 0540 Sfloppy (0d13b6df6e9e101013a7afb0ce629fe0) C:\WINDOWS\system32\drivers\Sfloppy.sys
    20:18:07.0390 0540 Sfloppy - ok
    20:18:07.0406 0540 Simbad - ok
    20:18:07.0421 0540 Sparrow - ok
    20:18:07.0468 0540 splitter (8e186b8f23295d1e42c573b82b80d548) C:\WINDOWS\system32\drivers\splitter.sys
    20:18:07.0468 0540 splitter - ok
    20:18:07.0500 0540 sr (e41b6d037d6cd08461470af04500dc24) C:\WINDOWS\system32\DRIVERS\sr.sys
    20:18:07.0500 0540 sr - ok
    20:18:07.0531 0540 Srv (58bb0cc6be72899190505741e3b83464) C:\WINDOWS\system32\DRIVERS\srv.sys
    20:18:07.0546 0540 Srv - ok
    20:18:07.0562 0540 StarOpen - ok
    20:18:07.0593 0540 swenum (03c1bae4766e2450219d20b993d6e046) C:\WINDOWS\system32\DRIVERS\swenum.sys
    20:18:07.0609 0540 swenum - ok
    20:18:07.0640 0540 swmidi (94abc808fc4b6d7d2bbf42b85e25bb4d) C:\WINDOWS\system32\drivers\swmidi.sys
    20:18:07.0656 0540 swmidi - ok
    20:18:07.0671 0540 symc810 - ok
    20:18:07.0671 0540 symc8xx - ok
    20:18:07.0687 0540 sym_hi - ok
    20:18:07.0703 0540 sym_u3 - ok
    20:18:07.0765 0540 sysaudio (650ad082d46bac0e64c9c0e0928492fd) C:\WINDOWS\system32\drivers\sysaudio.sys
    20:18:07.0765 0540 sysaudio - ok
    20:18:07.0812 0540 Tcpip (b2220c618b42a2212a59d91ebd6fc4b4) C:\WINDOWS\system32\DRIVERS\tcpip.sys
    20:18:07.0828 0540 Tcpip - ok
    20:18:07.0875 0540 TDPIPE (38d437cf2d98965f239b0abcd66dcb0f) C:\WINDOWS\system32\drivers\TDPIPE.sys
    20:18:07.0875 0540 TDPIPE - ok
    20:18:07.0890 0540 TDTCP (ed0580af02502d00ad8c4c066b156be9) C:\WINDOWS\system32\drivers\TDTCP.sys
    20:18:07.0890 0540 TDTCP - ok
    20:18:07.0937 0540 TermDD (a540a99c281d933f3d69d55e48727f47) C:\WINDOWS\system32\DRIVERS\termdd.sys
    20:18:07.0953 0540 TermDD - ok
    20:18:07.0968 0540 TosIde - ok
    20:18:08.0015 0540 Udfs (12f70256f140cd7d52c58c7048fde657) C:\WINDOWS\system32\drivers\Udfs.sys
    20:18:08.0031 0540 Udfs - ok
    20:18:08.0031 0540 ultra - ok
    20:18:08.0093 0540 Update (a4815a4884898f355a3513e60843a4fd) C:\WINDOWS\system32\DRIVERS\update.sys
    20:18:08.0109 0540 Update - ok
    20:18:08.0171 0540 usbbus (9419faac6552a51542dbba02971c841c) C:\WINDOWS\system32\DRIVERS\lgusbbus.sys
    20:18:08.0171 0540 usbbus - ok
    20:18:08.0203 0540 usbccgp (bffd9f120cc63bcbaa3d840f3eef9f79) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
    20:18:08.0203 0540 usbccgp - ok
    20:18:08.0218 0540 UsbDiag (c0a466fa4ffec464320e159bc1bbdc0c) C:\WINDOWS\system32\DRIVERS\lgusbdiag.sys
    20:18:08.0218 0540 UsbDiag - ok
    20:18:08.0265 0540 usbehci (b0d7020386c7187ef9c5a9643f289cd3) C:\WINDOWS\system32\DRIVERS\usbehci.sys
    20:18:08.0281 0540 usbehci - ok
    20:18:08.0312 0540 usbhub (97aa6d1c813700c57211249d8e00be87) C:\WINDOWS\system32\DRIVERS\usbhub.sys
    20:18:08.0328 0540 usbhub - ok
    20:18:08.0375 0540 USBModem (f74a54774a9b0afeb3c40adec68aa600) C:\WINDOWS\system32\DRIVERS\lgusbmodem.sys
    20:18:08.0375 0540 USBModem - ok
    20:18:08.0421 0540 USBSTOR (6cd7b22193718f1d17a47a1cd6d37e75) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
    20:18:08.0421 0540 USBSTOR - ok
    20:18:08.0468 0540 usbuhci (ff6e4fdeb82dc228efa490336409c6bd) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
    20:18:08.0468 0540 usbuhci - ok
    20:18:08.0515 0540 VClone (fce98c43b5c5db8e0da8ea0e2b45e044) C:\WINDOWS\system32\DRIVERS\VClone.sys
    20:18:08.0515 0540 VClone - ok
    20:18:08.0546 0540 VgaSave (8a60edd72b4ea5aea8202daf0e427925) C:\WINDOWS\System32\drivers\vga.sys
    20:18:08.0562 0540 VgaSave - ok
    20:18:08.0562 0540 ViaIde - ok
    20:18:08.0593 0540 VolSnap (ee4660083deba849ff6c485d944b379b) C:\WINDOWS\system32\drivers\VolSnap.sys
    20:18:08.0593 0540 VolSnap - ok
    20:18:08.0656 0540 Wanarp (984ef0b9788abf89974cfed4bfbaacbc) C:\WINDOWS\system32\DRIVERS\wanarp.sys
    20:18:08.0656 0540 Wanarp - ok
    20:18:08.0671 0540 WDICA - ok
    20:18:08.0718 0540 wdmaud (2797f33ebf50466020c430ee4f037933) C:\WINDOWS\system32\drivers\wdmaud.sys
    20:18:08.0718 0540 wdmaud - ok
    20:18:08.0781 0540 WmiAcpi (ae2c8544e747c20062db27456ea2d67a) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
    20:18:08.0781 0540 WmiAcpi - ok
    20:18:08.0859 0540 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
    20:18:08.0984 0540 \Device\Harddisk0\DR0 - ok
    20:18:08.0984 0540 Boot (0x1200) (0ef00cf2d9c1d307d6e977d440c25758) \Device\Harddisk0\DR0\Partition0
    20:18:08.0984 0540 \Device\Harddisk0\DR0\Partition0 - ok
    20:18:08.0984 0540 ============================================================
    20:18:08.0984 0540 Scan finished
    20:18:08.0984 0540 ============================================================
    20:18:09.0000 3540 Detected object count: 0
    20:18:09.0000 3540 Actual detected object count: 0
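What an analyst actually does with a driver listing like the one above is turn it into structured data and compare it against a baseline. The block below is an added example (editor's code, not part of this thread and not TDSSKiller's own code): it parses the per-driver lines into service name, MD5, path and status, separates file-backed drivers from registry-only stubs such as Abiosdsk, and flags any entry whose status is not "ok" or whose hash is absent from a known-good set. The allow-list is an assumption for the demo, seeded with hashes copied from the log; the "evilsvc" entry and its "- detected" status line are invented so the triage has something to report, and that status wording is not claimed to be what TDSSKiller prints.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the shape of the TDSSKiller log above. The first
# entries are copied from that log; "evilsvc" and its "- detected" status
# are invented here so the triage has something to flag.
SAMPLE_LOG = r"""
20:18:00.0890 0540 Scan started
20:18:00.0890 0540 Mode: Manual;
20:18:01.0312 0540 Aavmker4 (b6de0336f9f4b687b4ff57939f7b657a) C:\WINDOWS\system32\drivers\Aavmker4.sys
20:18:01.0312 0540 Aavmker4 - ok
20:18:01.0343 0540 Abiosdsk - ok
20:18:02.0062 0540 atapi (cdfe4411a69c224bd1d11b2da92dac51) C:\WINDOWS\system32\DRIVERS\atapi.sys
20:18:02.0062 0540 atapi - ok
20:18:03.0890 0540 Gpc (c0f1d4a21de5a415df8170616703debf) C:\WINDOWS\system32\DRIVERS\msgpc.sys
20:18:03.0890 0540 Gpc - ok
20:18:05.0000 0540 evilsvc (00000000000000000000000000000000) C:\WINDOWS\system32\DRIVERS\evilsvc.sys
20:18:05.0000 0540 evilsvc - detected
20:18:08.0859 0540 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
20:18:08.0984 0540 \Device\Harddisk0\DR0 - ok
20:18:09.0000 3540 Detected object count: 1
"""

# Assumed allow-list for the demo. In practice it is built from a known-clean
# install of the same OS build (or a previous clean scan), never from the
# suspect machine itself.
KNOWN_GOOD = {
    "b6de0336f9f4b687b4ff57939f7b657a",  # Aavmker4.sys
    "cdfe4411a69c224bd1d11b2da92dac51",  # atapi.sys
    "c0f1d4a21de5a415df8170616703debf",  # msgpc.sys
    "8f558eb6672622401da993e1e865c861",  # MBR code region of this disk
}

# "<time> <pid> <name> (<md5>) <path>"  -- a service with a file on disk
ENTRY_RE = re.compile(
    r"^\s*\d\d:\d\d:\d\d\.\d{4}\s+[0-9a-fA-F]{4}\s+"
    r"(?P<name>.+?)\s+\((?P<md5>[0-9a-f]{32})\)\s+(?P<path>\S.*?)\s*$"
)
# "<time> <pid> <name> - <status>"      -- verdict line for a name or device
STATUS_RE = re.compile(
    r"^\s*\d\d:\d\d:\d\d\.\d{4}\s+[0-9a-fA-F]{4}\s+(?P<name>.+?)\s+-\s+(?P<status>\S+)\s*$"
)
COUNT_RE = re.compile(r"Detected object count:\s+(\d+)")


@dataclass
class Driver:
    name: str
    md5: str
    path: str
    status: str = "missing"  # no verdict line seen for this entry


@dataclass
class Triage:
    detected: int = -1
    drivers: list = field(default_factory=list)        # file-backed entries
    registry_only: list = field(default_factory=list)  # service key, no file
    flagged: list = field(default_factory=list)        # (name, reason): act on
    review: list = field(default_factory=list)         # (name, file): look at


def parse_log(text):
    """Split the log into hashed entries, verdict lines and the final count."""
    entries, statuses, detected = {}, {}, -1
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries[m["name"]] = Driver(m["name"], m["md5"], m["path"])
            continue
        m = STATUS_RE.match(line)
        if m:
            statuses[m["name"]] = m["status"]
            continue
        m = COUNT_RE.search(line)
        if m:
            detected = int(m.group(1))
    return entries, statuses, detected


def triage(text, known_good):
    entries, statuses, detected = parse_log(text)
    result = Triage(detected=detected)
    file_paths = {d.path for d in entries.values()}
    for name, drv in entries.items():
        # The MBR verdict is reported under the device path, not the
        # "MBR (0x1B8)" label, so fall back to the path when the name misses.
        drv.status = statuses.get(name) or statuses.get(drv.path, "missing")
        result.drivers.append(drv)
        if drv.status != "ok":
            result.flagged.append((name, f"status {drv.status}"))
        if drv.md5 not in known_good:
            result.flagged.append((name, "hash not in allow-list"))
        filename = drv.path.rsplit("\\", 1)[-1].lower()
        if filename.endswith(".sys") and filename[:-4] != name.lower():
            result.review.append((name, filename[:-4]))
    for name in statuses:
        if name not in entries and name not in file_paths:
            result.registry_only.append(name)
    return result


if __name__ == "__main__":
    r = triage(SAMPLE_LOG, KNOWN_GOOD)
    print(f"detected objects reported by tool: {r.detected}")
    for name, reason in r.flagged:
        print(f"FLAG   {name}: {reason}")
    for name, fname in r.review:
        print(f"REVIEW {name}: service name differs from file {fname}.sys")
    print("registry-only services:", ", ".join(r.registry_only))
```

A service whose name differs from its file (Gpc backed by msgpc.sys) is normal on XP and only goes to the review list; the flagged list is reserved for a non-"ok" verdict or an unknown hash. The MBR hash is specific to one disk, so it should be compared with a backup copy of that same disk's MBR rather than with another machine's value.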
     
  6. Broni (Malware Annihilator)

    We'll see if we can fix your internet connection, but first we have to make your computer more stable.

    Download aswMBR to your desktop.
    Double click the aswMBR.exe to run it.
    If you see this question: "Would you like to download latest Avast! virus definitions?" say "Yes" (skip this step since you can't connect).
    Click the "Scan" button to start the scan.

    On completion of the scan click "Save log", save it to your desktop and post it in your next reply.

    NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.

    ===============================================================

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
    **Note 2 for AVG users: ComboFix will not run until AVG is uninstalled as a protective measure against the anti-virus. This is because AVG "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.



    Make sure, you re-enable your security programs, when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try one of the following:

    1. Run Combofix from Safe Mode (How to...)

    2. Delete Combofix file, download fresh one, but rename combofix.exe to yourname.exe BEFORE saving it to your desktop.
    Do NOT run it yet.

    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right click Rkill and choose Run as Administrator

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    Rkill.com
    Rkill.scr
    Rkill.exe

    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, rKill and Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  7. videoart (TS Rookie, Topic Starter)

    aswMBR.exe results in the BSOD while running. What do I need to do about this?
     
  8. Broni (Malware Annihilator)

    Download Bootkit Remover to your Desktop.

    • Unzip downloaded file to your Desktop.
    • Double-click on boot_cleaner.exe to run the program (Vista/7 users, right-click on boot_cleaner.exe and click Run As Administrator).
    • It will show a Black screen with some data on it.
    • Right click on the screen and click Select All.
    • Press CTRL+C
    • Open a Notepad and press CTRL+V
    • Post the output back here.
     
  9. videoart (TS Rookie, Topic Starter)

    Bootkit Remover
    (c) 2009 Esage Lab
    www.esagelab.com

    Program version: 1.2.0.1
    OS Version: Microsoft Windows XP Professional Service Pack 2 (build 2600)

    System volume is \\.\C:
    \\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`00007e00
    Boot sector MD5 is: 6def5ffcbcdbdb4082f1015625e597bd

    Size Device Name MBR Status
    --------------------------------------------
    111 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)


    Done;
    Press any key to quit...
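Two numbers in the tool output above are worth being able to reproduce by hand. The 0x1B8 in TDSSKiller's "MBR (0x1B8)" label is 440 decimal, the size of the MBR's boot-code area before the 4-byte disk signature and the partition table; and Bootkit Remover's 0x7e00 offset for the system volume is LBA 63 times 512 bytes, the usual first-partition start on an XP-era disk. The block below is an added example (editor's code, not from this thread or from aswMBR, TDSSKiller or Bootkit Remover): it validates a 512-byte MBR image such as the MBR.dat that aswMBR saves, hashes the 440-byte code region, decodes the partition table, and reports which region differs from a saved copy. The MBR bytes are constructed for the demo, so the resulting hash means nothing by itself; the boot code is a byte pattern and the single NTFS partition entry is fabricated.

```python
import hashlib
import struct
from dataclasses import dataclass

SECTOR = 512
CODE_LEN = 0x1B8        # 440 bytes of boot code, the region TDSSKiller labels "MBR (0x1B8)"
TABLE_OFFSET = 0x1BE    # four 16-byte partition entries, after signature + 2 reserved bytes
BOOT_SIG = b"\x55\xAA"  # bytes 510..511


@dataclass
class Partition:
    index: int
    bootable: bool
    type_id: int
    lba_start: int
    sectors: int

    @property
    def byte_offset(self) -> int:
        # Bootkit Remover's "\\.\C: -> \\.\PhysicalDrive0 at offset" value
        return self.lba_start * SECTOR


def parse_mbr(mbr: bytes) -> list:
    """Validate the sector and return the non-empty partition entries."""
    if len(mbr) != SECTOR:
        raise ValueError(f"expected {SECTOR} bytes, got {len(mbr)}")
    if mbr[510:512] != BOOT_SIG:
        raise ValueError("missing 55AA boot signature")
    parts = []
    for i in range(4):
        # status, CHS start (3 bytes, skipped), type, CHS end (skipped),
        # LBA of first sector, sector count; all little-endian
        status, ptype, lba, count = struct.unpack_from(
            "<B3xB3xII", mbr, TABLE_OFFSET + 16 * i)
        if ptype != 0:
            parts.append(Partition(i, status == 0x80, ptype, lba, count))
    return parts


def mbr_code_md5(mbr: bytes) -> str:
    """MD5 of bytes 0..0x1B7, the value to compare with a saved clean copy."""
    return hashlib.md5(mbr[:CODE_LEN]).hexdigest()


def diff_mbr(live: bytes, backup: bytes) -> set:
    """Names of the regions that differ between the live sector and a backup."""
    regions = {
        "code": (0, CODE_LEN),
        "signature": (CODE_LEN, TABLE_OFFSET),  # NT disk signature + reserved
        "table": (TABLE_OFFSET, 510),
    }
    return {name for name, (lo, hi) in regions.items() if live[lo:hi] != backup[lo:hi]}


def build_demo_mbr() -> bytes:
    """Constructed MBR: patterned boot code, one bootable NTFS partition at LBA 63."""
    code = bytes((i * 7) & 0xFF for i in range(CODE_LEN))
    disk_sig = struct.pack("<I", 0x1234ABCD) + b"\x00\x00"
    # ~111 GiB worth of sectors, chosen to resemble the disk size reported above
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 63, 233_000_000)
    table = entry + b"\x00" * 48
    mbr = code + disk_sig + table + BOOT_SIG
    assert len(mbr) == SECTOR
    return mbr


def tamper(mbr: bytes) -> bytes:
    """Constructed 'bootkitted' copy: boot code patched, partition table untouched."""
    return b"\xEB\xFE" * 8 + mbr[16:]


if __name__ == "__main__":
    clean = build_demo_mbr()
    for p in parse_mbr(clean):
        print(f"partition {p.index}: type 0x{p.type_id:02X} bootable={p.bootable} "
              f"LBA {p.lba_start} -> offset 0x{p.byte_offset:08x}")
    print("code md5:", mbr_code_md5(clean))
    print("regions changed after tampering:", diff_mbr(tamper(clean), clean))
```

A bootkit that replaces the boot code and leaves the partition table alone shows up as {"code"} from diff_mbr(), while a changed "table" region means the partition layout itself was altered and deserves its own look. To use this on a real machine, read the first 512 bytes of \\.\PhysicalDrive0 (administrator rights required) and compare them with the MBR.dat copy taken before any cleaning step.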
     
  10. Broni (Malware Annihilator)

    Go ahead with Combofix
     
  11. videoart (TS Rookie, Topic Starter)

    ComboFix 11-12-18.02 - Chris Wright 12/19/2011 16:47:27.2.2 - x86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.758 [GMT -6:00]
    Running from: c:\documents and settings\Chris Wright\Desktop\ComboFix.exe
    AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\Chris Wright\Local Settings\Application Data\bxjpqoce.log
    c:\documents and settings\Chris Wright\Local Settings\Application Data\dqamdngk.log
    c:\documents and settings\Chris Wright\Local Settings\Application Data\oiilwyqq.log
    c:\documents and settings\Chris Wright\Local Settings\Application Data\pypysvxm.log
    c:\documents and settings\Chris Wright\Local Settings\Application Data\qvfrqdbh.log
    c:\documents and settings\Chris Wright\Local Settings\Application Data\trdjyrkl.log
    c:\windows\$NtUninstallKB43314$
    c:\windows\$NtUninstallKB43314$\3304507242
    c:\windows\$NtUninstallKB43314$\866346350\@
    c:\windows\$NtUninstallKB43314$\866346350\L\wjnylfea
    c:\windows\$NtUninstallKB43314$\866346350\loader.tlb
    c:\windows\$NtUninstallKB43314$\866346350\U\@00000001
    c:\windows\$NtUninstallKB43314$\866346350\U\@000000c0
    c:\windows\$NtUninstallKB43314$\866346350\U\@000000cb
    c:\windows\$NtUninstallKB43314$\866346350\U\@000000cf
    c:\windows\$NtUninstallKB43314$\866346350\U\@80000000
    c:\windows\$NtUninstallKB43314$\866346350\U\@800000c0
    c:\windows\$NtUninstallKB43314$\866346350\U\@800000cb
    c:\windows\$NtUninstallKB43314$\866346350\U\@800000cf
    c:\windows\system32\
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-11-19 to 2011-12-19 )))))))))))))))))))))))))))))))
    .
    .
    2011-12-17 23:46 . 2011-11-28 17:51 20568 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2011-12-17 23:46 . 2011-11-28 17:53 314456 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2011-12-17 23:46 . 2011-11-28 17:52 34392 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2011-12-17 23:46 . 2011-11-28 17:53 435032 ----a-w- c:\windows\system32\drivers\aswSnx.sys
    2011-12-17 23:46 . 2011-11-28 17:52 52952 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2011-12-17 23:46 . 2011-11-28 17:52 111320 ----a-w- c:\windows\system32\drivers\aswmon2.sys
    2011-12-17 23:46 . 2011-11-28 17:51 105176 ----a-w- c:\windows\system32\drivers\aswmon.sys
    2011-12-17 23:46 . 2011-11-28 17:48 30808 ----a-w- c:\windows\system32\drivers\aavmker4.sys
    2011-12-17 23:46 . 2011-11-28 18:01 41184 ----a-w- c:\windows\avastSS.scr
    2011-12-17 23:45 . 2011-12-17 23:45 -------- d-----w- c:\program files\AVAST Software
    2011-12-17 23:45 . 2011-12-17 23:45 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software
    2011-12-16 02:36 . 2011-12-16 02:36 -------- d-----w- c:\documents and settings\Chris Wright\DoctorWeb
    2011-12-16 01:12 . 2011-12-16 01:12 205072 ----a-w- c:\windows\system32\drivers\tmcomm.sys
    2011-12-16 00:08 . 2011-12-16 00:08 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
    2011-12-16 00:06 . 2011-12-16 00:23 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
    2011-12-15 01:38 . 2011-12-15 01:38 -------- d-s---w- c:\documents and settings\LocalService.NT AUTHORITY\UserData
    2011-12-15 01:28 . 2011-12-17 04:04 -------- d-sh--w- c:\documents and settings\Chris Wright\Local Settings\Application Data\33a3656e
    2011-12-15 00:27 . 2011-12-15 00:27 2106216 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_43.dll
    2011-12-15 00:27 . 2011-12-15 00:27 134104 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
    2011-12-15 00:27 . 2011-12-15 00:27 1998168 ----a-w- c:\program files\Mozilla Firefox\d3dx9_43.dll
    2011-12-15 00:27 . 2011-12-15 00:27 89048 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll
    2011-12-15 00:27 . 2011-12-15 00:27 478168 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll
    2011-12-15 00:27 . 2011-12-15 00:27 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll
    2011-12-15 00:27 . 2011-12-15 00:27 1989592 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll
    2011-12-15 00:27 . 2011-12-15 00:27 801752 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll
    2011-12-15 00:20 . 2011-12-15 00:20 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-12-14 22:34 . 2011-12-15 00:29 323584 ----a-w- c:\windows\system32\AUDIOGENIE2.DLL
    2011-12-14 22:32 . 2011-12-15 04:17 -------- d-----w- c:\program files\Replay Media Catcher
    2011-12-14 22:25 . 2011-06-26 00:56 28256 ----a-w- c:\windows\system32\drivers\appliand.sys
    2011-12-14 22:24 . 2011-12-14 22:27 -------- d-----w- c:\documents and settings\Chris Wright\Application Data\Replay Media Catcher 4
    2011-12-14 22:24 . 2011-12-14 22:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Applian
    2011-12-14 04:20 . 2011-12-15 22:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2011-12-11 03:34 . 2011-12-11 03:34 -------- d-----w- c:\documents and settings\Chris Wright\Local Settings\Application Data\RipTiger
    2011-12-10 04:52 . 2011-12-10 04:52 -------- d-----w- c:\program files\WinPcap
    2011-12-06 03:25 . 2011-12-17 20:35 -------- d-----w- c:\documents and settings\Chris Wright\Application Data\.minecraft
    2011-12-06 02:09 . 2011-12-06 02:09 -------- d-----w- c:\documents and settings\Chris Wright\Application Data\Malwarebytes
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-12-15 00:29 . 2011-09-14 16:20 237568 ----a-w- c:\windows\system32\rmc_rtspdl.dll
    2011-12-15 00:29 . 2011-09-14 16:20 156672 ----a-w- c:\windows\system32\rmc_fixasf.exe
    2009-09-05 00:01 . 2009-09-05 00:01 525656 ----a-w- c:\program files\DXSETUP.exe
    2009-09-05 00:01 . 2009-09-05 00:01 94024 ----a-w- c:\program files\DSETUP.dll
    2009-09-05 00:01 . 2009-09-05 00:01 1691464 ----a-w- c:\program files\dsetup32.dll
    2011-12-15 00:27 . 2011-12-15 00:27 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
    @="{472083B0-C522-11CF-8763-00608CC02F24}"
    [HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
    2011-11-28 18:01 122512 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-08-14 98304]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-08-14 114688]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2006-08-14 94208]
    "High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-07-27 61952]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
    "QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2009-04-23 206392]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
    "LManager"="c:\progra~1\LAUNCH~1\QtZgAcer.EXE" [2005-12-01 458752]
    "VirtualCloneDrive"="c:\program files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2011-03-07 89456]
    "avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-11-28 3744552]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=
    "c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
    "c:\\Program Files\\Kalypso\\Sins of a Solar Empire\\Sins of a Solar Empire.exe"=
    "c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
    "c:\\Program Files\\Common Files\\Java\\Java Update\\jucheck.exe"=
    "c:\\Program Files\\Common Files\\Java\\Java Update\\jusched.exe"=
    "c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
    "c:\\Documents and Settings\\All Users\\Application Data\\MFAData\\SelfUpd\\avgmfapx.exe"=
    "c:\\Program Files\\Google\\Update\\GoogleUpdate.exe"=
    .
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R3 appliand;Applian Network Service;c:\windows\system32\DRIVERS\appliand.sys [2011-06-26 28256]
    R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [x]
    R3 MEMSWEEP2;MEMSWEEP2;c:\windows\system32\D0.tmp [x]
    R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
    S1 aswSnx;aswSnx; [x]
    S1 aswSP;aswSP; [x]
    S2 aswFsBlk;aswFsBlk; [x]
    S2 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2010-07-16 35088]
    S3 appliandMP;appliandMP;c:\windows\system32\DRIVERS\appliand.sys [2011-06-26 28256]
    .
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-12-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-02-16 02:56]
    .
    2011-12-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-02-16 02:56]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.yahoo.com/
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-12-19 17:04
    Windows 5.1.2600 Service Pack 2 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet002\Services\MEMSWEEP2]
    "ImagePath"="\??\c:\windows\system32\D0.tmp"
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\AVAST Software\Avast\AvastSvc.exe
    c:\windows\system32\igfxsrvc.exe
    c:\windows\system32\igfxext.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\windows\system32\wscntfy.exe
    .
    **************************************************************************
    .
    Completion time: 2011-12-19 17:05:54 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-12-19 23:05
    ComboFix2.txt 2011-12-14 03:18
    .
    Pre-Run: 24,598,147,072 bytes free
    Post-Run: 24,776,364,032 bytes free
    .
    - - End Of File - - 602748106ECA20814B7D39A85510A231
     
     
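    The ComboFix report above lists created files as `created . modified size attrs path`, with an 8-character attribute field, and services as `state/start name;display;path [info]`. The following Python script is an added example, not part of this thread and not ComboFix's own code: it parses both line types from constructed sample lines laid out like the report and flags the entries an analyst would look at first, namely newly created directories carrying both system and hidden attributes inside a user profile, services whose image is a `.tmp` file, and services ComboFix could not inspect (`[x]`) and for which no path is shown. The attribute-letter meanings and the reading of `[x]` as "file not inspected" are assumptions about the format; the flags are review prompts, not verdicts.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed sample lines in the ComboFix layout shown in the thread
# ("Files Created" lines and service lines). Names and paths are made up
# for illustration; they are not a verdict on the poster's machine.
SAMPLE_LINES = [
    r"2011-12-17 23:46 . 2011-11-28 17:51 20568 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys",
    r"2011-12-15 01:28 . 2011-12-17 04:04 -------- d-sh--w- c:\documents and settings\user\Local Settings\Application Data\4b2e91a0",
    r"2011-12-16 00:08 . 2011-12-16 00:08 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files",
    r"R3 appliand;Applian Network Service;c:\windows\system32\DRIVERS\appliand.sys [2011-06-26 28256]",
    r"R3 MEMSWEEP2;MEMSWEEP2;c:\windows\system32\D0.tmp [x]",
    r"S1 aswSnx;aswSnx; [x]",
    r"2011-12-06 02:09 . 2011-12-06 02:09 -------- d-----w- c:\documents and settings\user\Application Data\Malwarebytes",
]

# "Files Created" line: two timestamps, a size (or 8 dashes for a directory),
# an 8-character attribute field and the path.
FILE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>-{8}|\d+) (?P<attrs>[-a-z]{8}) (?P<path>.+)$"
)

# Service line: R/S (running/stopped) + start type digit, then
# name;display;path and a trailing [date size] or [x].
SERVICE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d) (?P<name>[^;]*);(?P<display>[^;]*);"
    r"(?P<path>[^\[]*?) ?\[(?P<info>x|\d{4}-\d{2}-\d{2} \d+)\]$"
)


@dataclass
class Finding:
    path: str
    reason: str


def parse_attrs(attrs: str) -> set:
    """Return the attribute letters set in the 8-char flag field.

    Letters are read with the usual DOS attribute convention (d directory,
    s system, h hidden, a archive, r read-only); the column semantics are
    an assumption about the report format, so only presence is used.
    """
    return {c for c in attrs if c != "-"}


def triage_file_line(line: str) -> Optional[Finding]:
    m = FILE_RE.match(line)
    if not m:
        return None
    attrs = parse_attrs(m["attrs"])
    path = m["path"]
    # A freshly created directory that is both system and hidden inside a
    # user profile is unusual for legitimate software and worth a closer look.
    if {"d", "s", "h"} <= attrs and "\\documents and settings\\" in path.lower():
        return Finding(path, "new system+hidden directory under a user profile")
    return None


def triage_service_line(line: str) -> Optional[Finding]:
    m = SERVICE_RE.match(line)
    if not m:
        return None
    path = m["path"]
    if path.lower().endswith(".tmp"):
        return Finding(path, f"service {m['name']} loads a .tmp image")
    if m["info"] == "x" and not path:
        # [x] is read here as "ComboFix could not inspect the file"; with no
        # path at all this is often a self-protecting AV driver, so only note it.
        return Finding(m["name"], "service image not inspected ([x]) and no path shown")
    return None


def triage(lines: Iterable[str]) -> List[Finding]:
    """Run both parsers over the report lines and collect review prompts."""
    findings: List[Finding] = []
    for raw in lines:
        line = raw.strip()
        hit = triage_file_line(line) or triage_service_line(line)
        if hit:
            findings.append(hit)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"{f.reason}: {f.path}")
```

    Run on the constructed sample this yields three prompts: the system+hidden profile directory, the service with a `.tmp` image, and the driver with no path and `[x]`. None of these is proof of infection on its own; anti-rootkit scanners commonly leave a temporary driver entry behind, and self-protecting antivirus drivers routinely show `[x]`. The value of the script is that it turns a long report into a short list to check against the rest of the thread's evidence.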
  12. Broni

    Broni Malware Annihilator Posts: 47,022   +255

    Looks good.

    How is computer doing?

    Download OTL to your Desktop.

    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • Click the Scan All Users checkbox.
    • Under the Custom Scan box paste this in:


    netsvcs
    drivers32
    %SYSTEMDRIVE%\*.*
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\Fonts\*.ini
    %systemroot%\Fonts\*.ini2
    %systemroot%\Fonts\*.exe
    %systemroot%\system32\spool\prtprocs\w32x86\*.*
    %systemroot%\REPAIR\*.bak1
    %systemroot%\REPAIR\*.ini
    %systemroot%\system32\*.jpg
    %systemroot%\*.jpg
    %systemroot%\*.png
    %systemroot%\*.scr
    %systemroot%\*._sy
    %APPDATA%\Adobe\Update\*.*
    %ALLUSERSPROFILE%\Favorites\*.*
    %APPDATA%\Microsoft\*.*
    %PROGRAMFILES%\*.*
    %APPDATA%\Update\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\System32\config\*.sav
    %PROGRAMFILES%\bak. /s
    %systemroot%\system32\bak. /s
    %ALLUSERSPROFILE%\Start Menu\*.lnk /x
    %systemroot%\system32\config\systemprofile\*.dat /x
    %systemroot%\*.config
    %systemroot%\system32\*.db
    %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
    %USERPROFILE%\Desktop\*.exe
    %PROGRAMFILES%\Common Files\*.*
    %systemroot%\*.src
    %systemroot%\install\*.*
    %systemroot%\system32\DLL\*.*
    %systemroot%\system32\HelpFiles\*.*
    %systemroot%\system32\rundll\*.*
    %systemroot%\winn32\*.*
    %systemroot%\Java\*.*
    %systemroot%\system32\test\*.*
    %systemroot%\system32\Rundll32\*.*
    %systemroot%\AppPatch\Custom\*.*
    %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x
    %PROGRAMFILES%\PC-Doctor\Downloads\*.*
    %PROGRAMFILES%\Internet Explorer\*.tmp
    %PROGRAMFILES%\Internet Explorer\*.dat
    %USERPROFILE%\My Documents\*.exe
    %USERPROFILE%\*.exe
    %systemroot%\ADDINS\*.*
    %systemroot%\assembly\*.bak2
    %systemroot%\Config\*.*
    %systemroot%\REPAIR\*.bak2
    %systemroot%\SECURITY\Database\*.sdb /x
    %systemroot%\SYSTEM\*.bak2
    %systemroot%\Web\*.bak2
    %systemroot%\Driver Cache\*.*
    %PROGRAMFILES%\Mozilla Firefox\0*.exe
    %ProgramFiles%\Microsoft Common\*.*
    %ProgramFiles%\TinyProxy.
    %USERPROFILE%\Favorites\*.url /x
    %systemroot%\system32\*.bk
    %systemroot%\*.te
    %systemroot%\system32\system32\*.*
    %ALLUSERSPROFILE%\*.dat /x
    %systemroot%\system32\drivers\*.rmv
    dir /b "%systemroot%\system32\*.exe" | find /i " " /c
    dir /b "%systemroot%\*.exe" | find /i " " /c
    %PROGRAMFILES%\Microsoft\*.*
    %systemroot%\System32\Wbem\proquota.exe
    %PROGRAMFILES%\Mozilla Firefox\*.dat
    %USERPROFILE%\Cookies\*.txt /x
    %SystemRoot%\system32\fonts\*.*
    %systemroot%\system32\winlog\*.*
    %systemroot%\system32\Language\*.*
    %systemroot%\system32\Settings\*.*
    %systemroot%\system32\*.quo
    %SYSTEMROOT%\AppPatch\*.exe
    %SYSTEMROOT%\inf\*.exe
    %SYSTEMROOT%\Installer\*.exe
    %systemroot%\system32\config\*.bak2
    %systemroot%\system32\Computers\*.*
    %SystemRoot%\system32\Sound\*.*
    %SystemRoot%\system32\SpecialImg\*.*
    %SystemRoot%\system32\code\*.*
    %SystemRoot%\system32\draft\*.*
    %SystemRoot%\system32\MSSSys\*.*
    %ProgramFiles%\Javascript\*.*
    %systemroot%\pchealth\helpctr\System\*.exe /s
    %systemroot%\Web\*.exe
    %systemroot%\system32\msn\*.*
    %systemroot%\system32\*.tro
    %AppData%\Microsoft\Installer\msupdates\*.*
    %ProgramFiles%\Messenger\*.*
    %systemroot%\system32\systhem32\*.*
    %systemroot%\system\*.exe
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
    /md5start
    /md5stop


    • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
     
  13. videoart

    videoart TS Rookie Topic Starter Posts: 40

    OTL.Txt

    No Avast popup warnings as before, although Real-time shields still can't be activated--I don't know if this is due to all the file corruption or the presence of more suspect files...

    OTL logfile created on: 12/19/2011 7:08:49 PM - Run 1
    OTL by OldTimer - Version 3.2.31.0 Folder = C:\Documents and Settings\Chris Wright\Desktop
    Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
    Internet Explorer (Version = 6.0.2900.2180)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    1013.98 Mb Total Physical Memory | 724.63 Mb Available Physical Memory | 71.46% Memory free
    2.38 Gb Paging File | 2.23 Gb Available in Paging File | 93.38% Paging File free
    Paging file location(s): c:\pagefile.sys 1524 3048 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 111.78 Gb Total Space | 23.10 Gb Free Space | 20.67% Space Free | Partition Type: NTFS

    Computer Name: COMPUTER_1 | User Name: Chris Wright | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: All users | Quick Scan
    Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

    ========== Processes (SafeList) ==========

    PRC - [2011/12/19 19:04:14 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Chris Wright\Desktop\OTL.exe
    PRC - [2011/11/28 12:01:24 | 003,744,552 | ---- | M] (AVAST Software) -- C:\Program Files\AVAST Software\Avast\AvastUI.exe
    PRC - [2011/11/28 12:01:23 | 000,044,768 | ---- | M] (AVAST Software) -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe
    PRC - [2008/04/23 02:38:16 | 000,029,696 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    PRC - [2006/08/15 15:21:03 | 001,032,192 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
    PRC - [2005/12/01 16:38:38 | 000,458,752 | ---- | M] (Dritek System Inc.) -- C:\Program Files\Launch Manager\QtZgAcer.EXE


    ========== Modules (No Company Name) ==========

    MOD - [2011/12/17 12:11:00 | 001,647,616 | ---- | M] () -- C:\Program Files\AVAST Software\Avast\defs\11121702\algo.dll
    MOD - [2011/12/14 19:31:12 | 000,241,528 | ---- | M] () -- C:\Program Files\AVAST Software\Avast\defs\11121702\aswRep.dll
    MOD - [2011/05/28 21:04:56 | 000,140,288 | ---- | M] () -- C:\Program Files\WinRAR\RarExt.dll
    MOD - [2005/07/06 12:50:14 | 000,057,344 | ---- | M] () -- C:\Program Files\Launch Manager\HokHIDKC.dll


    ========== Win32 Services (SafeList) ==========

    SRV - File not found [Disabled | Stopped] -- -- (HidServ)
    SRV - [2011/11/28 12:01:23 | 000,044,768 | ---- | M] (AVAST Software) [Auto | Running] -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe -- (avast! Antivirus)
    SRV - [2005/10/06 17:12:30 | 000,855,552 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Media Connect 2\wmccds.exe -- (WMConnectCDS)


    ========== Driver Services (SafeList) ==========

    DRV - [2011/11/28 11:53:53 | 000,435,032 | ---- | M] (AVAST Software) [File_System | System | Running] -- C:\WINDOWS\System32\drivers\aswSnx.sys -- (aswSnx)
    DRV - [2011/11/28 11:53:35 | 000,314,456 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswSP.sys -- (aswSP)
    DRV - [2011/11/28 11:52:19 | 000,034,392 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswRdr.sys -- (aswRdr)
    DRV - [2011/11/28 11:52:16 | 000,052,952 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswTdi.sys -- (aswTdi)
    DRV - [2011/11/28 11:52:02 | 000,111,320 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\WINDOWS\System32\drivers\aswmon2.sys -- (aswMon2)
    DRV - [2011/11/28 11:51:50 | 000,020,568 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\WINDOWS\System32\drivers\aswFsBlk.sys -- (aswFsBlk)
    DRV - [2011/11/28 11:48:49 | 000,030,808 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aavmker4.sys -- (Aavmker4)
    DRV - [2011/06/25 18:56:44 | 000,028,256 | ---- | M] (Applian Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\appliand.sys -- (appliandMP)
    DRV - [2011/06/25 18:56:44 | 000,028,256 | ---- | M] (Applian Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\appliand.sys -- (appliand)
    DRV - [2010/07/15 18:45:44 | 000,035,088 | ---- | M] (CACE Technologies, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\npf.sys -- (npf)
    DRV - [2009/03/19 10:40:10 | 000,009,216 | ---- | M] (Hewlett-Packard Development Company, L.P.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\CPQBttn.sys -- (HBtnKey)
    DRV - [2008/11/11 12:42:00 | 000,024,832 | ---- | M] (LG Electronics Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\lgusbmodem.sys -- (USBModem)
    DRV - [2008/11/11 12:41:00 | 000,019,968 | ---- | M] (LG Electronics Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\lgusbdiag.sys -- (UsbDiag)
    DRV - [2008/11/11 12:41:00 | 000,013,056 | ---- | M] (LG Electronics Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\lgusbbus.sys -- (usbbus)
    DRV - [2006/07/27 14:44:42 | 000,581,632 | ---- | M] (Conexant Systems Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\CHDAud.sys -- (HdAudAddService)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========

    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm


    IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,AlwaysUseDefaultPrinter = yes
    IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,AlwaysUseDefaultPrinter = yes
    IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    IE - HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main,AlwaysUseDefaultPrinter = yes

    IE - HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main,AlwaysUseDefaultPrinter = yes

    IE - HKU\S-1-5-21-1644491937-1202660629-1801674531-1003\SOFTWARE\Microsoft\Internet Explorer\Main,AlwaysUseDefaultPrinter = yes
    IE - HKU\S-1-5-21-1644491937-1202660629-1801674531-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    IE - HKU\S-1-5-21-1644491937-1202660629-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    ========== FireFox ==========

    FF - prefs.js..browser.startup.homepage: "http://www.yahoo.com"
    FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22
    FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}:6.0.23
    FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
    FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.3.10
    FF - prefs.js..extensions.enabledItems: {b9db16a4-6edc-47ec-a1f4-b86292ed211d}:4.9.7
    FF - prefs.js..extensions.enabledItems: {cd617375-6743-4ee8-bac4-fbf10f35729e}:2.8.7
    FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}:6.0.26
    FF - prefs.js..extensions.enabledItems: {ab91efd4-6975-4081-8552-1b3922ed79e2}:1.0.5.1
    FF - prefs.js..extensions.enabledItems: {e4a8a97b-f2ed-450b-b12d-ee082ba24781}:0.9.13
    FF - prefs.js..network.proxy.http: "127.0.0.1"
    FF - prefs.js..network.proxy.http_port: 60667
    FF - prefs.js..network.proxy.type: 0


    FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
    FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)
    FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
    FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=6.0.12.450: C:\Program Files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll (RealNetworks, Inc.)
    FF - HKLM\Software\MozillaPlugins\@real.com/nprpjplug;version=6.0.12.448: C:\Program Files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll (RealNetworks, Inc.)
    FF - HKLM\Software\MozillaPlugins\@real.com/nsJSRealPlayerPlugin;version=: File not found
    FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.81\npGoogleUpdate3.dll (Google Inc.)
    FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.81\npGoogleUpdate3.dll (Google Inc.)

    FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\wrc@avast.com: C:\Program Files\AVAST Software\Avast\WebRep\FF [2011/12/17 17:46:14 | 000,000,000 | ---D | M]
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 8.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/12/14 18:27:15 | 000,000,000 | ---D | M]
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 8.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/12/14 18:27:15 | 000,000,000 | ---D | M]

    [2011/07/06 13:50:21 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Chris Wright\Application Data\Mozilla\Extensions
    [2011/12/14 18:27:50 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Chris Wright\Application Data\Mozilla\Firefox\Profiles\onriyp6p.default\extensions
    [2011/12/07 22:06:25 | 000,000,000 | ---D | M] (NoScript) -- C:\Documents and Settings\Chris Wright\Application Data\Mozilla\Firefox\Profiles\onriyp6p.default\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
    [2011/08/23 14:00:43 | 000,000,000 | ---D | M] (HP Detect) -- C:\Documents and Settings\Chris Wright\Application Data\Mozilla\Firefox\Profiles\onriyp6p.default\extensions\{ab91efd4-6975-4081-8552-1b3922ed79e2}
    [2011/12/07 22:06:26 | 000,000,000 | ---D | M] (DownloadHelper) -- C:\Documents and Settings\Chris Wright\Application Data\Mozilla\Firefox\Profiles\onriyp6p.default\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
    [2011/07/06 14:45:22 | 000,000,000 | ---D | M] ("RightToClick") -- C:\Documents and Settings\Chris Wright\Application Data\Mozilla\Firefox\Profiles\onriyp6p.default\extensions\{cd617375-6743-4ee8-bac4-fbf10f35729e}
    [2011/12/07 22:06:25 | 000,000,000 | ---D | M] (Greasemonkey) -- C:\Documents and Settings\Chris Wright\Application Data\Mozilla\Firefox\Profiles\onriyp6p.default\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
    [2011/12/14 18:27:17 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
    () (No name found) -- C:\DOCUMENTS AND SETTINGS\CHRIS WRIGHT\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\ONRIYP6P.DEFAULT\EXTENSIONS\{D10D0BF8-F5B5-C8B4-A8B2-2B9879E08C5D}.XPI
    [2011/12/17 17:46:14 | 000,000,000 | ---D | M] (avast! WebRep) -- C:\PROGRAM FILES\AVAST SOFTWARE\AVAST\WEBREP\FF
    [2011/12/14 18:27:13 | 000,134,104 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
    [2010/11/12 18:53:06 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll
    [2011/12/14 18:27:09 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
    [2011/12/14 18:27:09 | 000,002,040 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml

    O1 HOSTS File: ([2011/12/19 17:01:58 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
    O1 - Hosts: 127.0.0.1 localhost
    O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
    O4 - HKLM..\Run: [avast] C:\Program Files\AVAST Software\Avast\avastUI.exe (AVAST Software)
    O4 - HKLM..\Run: [High Definition Audio Property Page Shortcut] C:\WINDOWS\System32\CHDAudPropShortcut.exe (Windows (R) Server 2003 DDK provider)
    O4 - HKLM..\Run: [LManager] C:\Program Files\Launch Manager\QtZgAcer.EXE (Dritek System Inc.)
    O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated)
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery present
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveSearch = 1
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\S-1-5-21-1644491937-1202660629-1801674531-1003\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-21-1644491937-1202660629-1801674531-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O7 - HKU\S-1-5-21-1644491937-1202660629-1801674531-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 0
    O7 - HKU\S-1-5-21-1644491937-1202660629-1801674531-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O7 - HKU\S-1-5-21-1644491937-1202660629-1801674531-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\WINDOWS\system32\nwprovau.dll (Microsoft Corporation)
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
    O16 - DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
    O20 - HKLM Winlogon: Shell - (Explorer.exe) -C:\WINDOWS\explorer.exe (Microsoft Corporation)
    O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) -C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
    O24 - Desktop WallPaper: C:\Documents and Settings\Chris Wright\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
    O24 - Desktop BackupWallPaper: C:\Documents and Settings\Chris Wright\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2010/11/30 15:34:09 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
    O32 - AutoRun File - [2011/12/14 17:27:47 | 000,000,000 | R--D | M] - C:\autorun.inf -- [ NTFS ]
    O34 - HKLM BootExecute: (autocheck autochk *)
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37 - HKLM\...com [@ = ComFile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*

    NetSvcs: 6to4 - File not found
    NetSvcs: HidServ - File not found
    NetSvcs: Ias - File not found
    NetSvcs: Iprip - File not found
    NetSvcs: Irmon - File not found
    NetSvcs: NWCWorkstation - File not found
    NetSvcs: Nwsapagent - File not found
    NetSvcs: WmdmPmSp - File not found

    Drivers32: msacm.ac3acm - C:\WINDOWS\System32\ac3acm.acm (fccHandler)
    Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
    Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
    Drivers32: msacm.lameacm - C:\WINDOWS\System32\lameACM.acm (http://www.mp3dev.org/)
    Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
    Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
    Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
    Drivers32: VIDC.DIVX - C:\WINDOWS\System32\divx.dll (DivX, Inc.)
    Drivers32: VIDC.FFDS - C:\WINDOWS\System32\ff_vfw.dll ()
    Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
    Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
    Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
    Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)
    Drivers32: VIDC.XVID - C:\WINDOWS\System32\xvidvfw.dll ()
    Drivers32: VIDC.YV12 - C:\WINDOWS\System32\yv12vfw.dll (www.helixcommunity.org)

    CREATERESTOREPOINT
    Restore point Set: OTL Restore Point

    ========== Files/Folders - Created Within 30 Days ==========

    [2011/12/19 19:07:34 | 000,584,192 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Chris Wright\Desktop\OTL.exe
    [2011/12/19 16:39:14 | 004,344,515 | R--- | C] (Swearware) -- C:\Documents and Settings\Chris Wright\Desktop\ComboFix.exe
    [2011/12/18 21:19:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Chris Wright\Desktop\bootkit_remover
    [2011/12/18 20:45:52 | 001,916,416 | ---- | C] (AVAST Software) -- C:\Documents and Settings\Chris Wright\Desktop\aswMBR.exe
    [2011/12/18 20:17:18 | 001,577,264 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Chris Wright\Desktop\tdsskiller.exe
    [2011/12/17 17:46:34 | 000,020,568 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswFsBlk.sys
    [2011/12/17 17:46:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\avast! Free Antivirus
    [2011/12/17 17:46:33 | 000,314,456 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswSP.sys
    [2011/12/17 17:46:32 | 000,034,392 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswRdr.sys
    [2011/12/17 17:46:31 | 000,435,032 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswSnx.sys
    [2011/12/17 17:46:31 | 000,052,952 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswTdi.sys
    [2011/12/17 17:46:30 | 000,111,320 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswmon2.sys
    [2011/12/17 17:46:30 | 000,105,176 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswmon.sys
    [2011/12/17 17:46:30 | 000,030,808 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aavmker4.sys
    [2011/12/17 17:46:11 | 000,041,184 | ---- | C] (AVAST Software) -- C:\WINDOWS\avastSS.scr
    [2011/12/17 17:45:52 | 000,000,000 | ---D | C] -- C:\Program Files\AVAST Software
    [2011/12/17 17:45:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\AVAST Software
    [2011/12/17 17:26:50 | 000,607,260 | R--- | C] (Swearware) -- C:\Documents and Settings\Chris Wright\Desktop\dds.scr
    [2011/12/15 20:36:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Chris Wright\DoctorWeb
    [2011/12/15 19:12:40 | 000,205,072 | ---- | C] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\tmcomm.sys
    [2011/12/15 18:08:03 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Application Data\Common Files
    [2011/12/15 18:06:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\MFAData
    [2011/12/14 19:28:37 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Chris Wright\Local Settings\Application Data\33a3656e
    [2011/12/14 17:27:47 | 000,000,000 | R--D | C] -- C:\autorun.inf
    [2011/12/14 16:34:07 | 000,323,584 | ---- | C] (Stefan Toengi) -- C:\WINDOWS\System32\AUDIOGENIE2.DLL
    [2011/12/14 16:32:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Replay Media Catcher
    [2011/12/14 16:32:14 | 000,000,000 | ---D | C] -- C:\Program Files\Replay Media Catcher
    [2011/12/14 16:25:05 | 000,028,256 | ---- | C] (Applian Technologies Inc.) -- C:\WINDOWS\System32\drivers\appliand.sys
    [2011/12/14 16:24:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Chris Wright\Application Data\Replay Media Catcher 4
    [2011/12/14 16:24:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Applian
    [2011/12/13 22:20:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    [2011/12/13 21:02:55 | 000,000,000 | RHSD | C] -- C:\cmdcons
    [2011/12/13 21:00:33 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
    [2011/12/13 21:00:33 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
    [2011/12/13 21:00:33 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
    [2011/12/13 21:00:33 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
    [2011/12/13 21:00:23 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
    [2011/12/13 21:00:14 | 000,000,000 | ---D | C] -- C:\Qoobox
    [2011/12/13 21:00:09 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Chris Wright\Start Menu\Programs\Administrative Tools
    [2011/12/10 21:34:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Chris Wright\Local Settings\Application Data\RipTiger
    [2011/12/09 22:52:48 | 000,000,000 | ---D | C] -- C:\Program Files\WinPcap
    [2011/12/05 21:25:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Chris Wright\Application Data\.minecraft
    [2011/12/05 20:47:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Chris Wright\Desktop\Minecraft 1.0.0
    [2011/12/05 20:09:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Chris Wright\Application Data\Malwarebytes
    [2009/09/04 18:01:10 | 000,525,656 | ---- | C] (Microsoft Corporation) -- C:\Program Files\DXSETUP.exe
    [2009/09/04 18:01:08 | 001,691,464 | ---- | C] (Microsoft Corporation) -- C:\Program Files\dsetup32.dll
    [2009/09/04 18:01:08 | 000,094,024 | ---- | C] (Microsoft Corporation) -- C:\Program Files\DSETUP.dll
    [6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
    [1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

    ========== Files - Modified Within 30 Days ==========

    [2011/12/19 19:08:11 | 000,000,884 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
    [2011/12/19 19:06:54 | 000,003,989 | ---- | M] () -- C:\Documents and Settings\Chris Wright\Desktop\otl.rtf
    [2011/12/19 19:06:34 | 000,000,880 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
    [2011/12/19 19:06:31 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
    [2011/12/19 19:04:14 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Chris Wright\Desktop\OTL.exe
    [2011/12/19 17:01:58 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
    [2011/12/18 20:58:10 | 004,344,515 | R--- | M] (Swearware) -- C:\Documents and Settings\Chris Wright\Desktop\ComboFix.exe
    [2011/12/18 20:44:20 | 001,916,416 | ---- | M] (AVAST Software) -- C:\Documents and Settings\Chris Wright\Desktop\aswMBR.exe
    [2011/12/18 20:15:58 | 001,577,264 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Chris Wright\Desktop\tdsskiller.exe
    [2011/12/18 19:57:25 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
    [2011/12/17 22:01:14 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
    [2011/12/17 21:57:01 | 000,508,230 | ---- | M] () -- C:\Documents and Settings\Chris Wright\Desktop\hCKEV.gif
    [2011/12/17 17:46:34 | 000,001,689 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\avast! Free Antivirus.lnk
    [2011/12/17 17:46:30 | 000,002,625 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
    [2011/12/17 17:45:30 | 064,207,032 | ---- | M] () -- C:\Documents and Settings\Chris Wright\Desktop\setup_av_free.exe
    [2011/12/17 17:26:52 | 000,607,260 | R--- | M] (Swearware) -- C:\Documents and Settings\Chris Wright\Desktop\dds.scr
    [2011/12/17 14:57:36 | 000,302,592 | ---- | M] () -- C:\Documents and Settings\Chris Wright\Desktop\q90eu4v7.exe
    [2011/12/17 14:55:48 | 000,002,324 | ---- | M] () -- C:\WINDOWS\epplauncher.mif
    [2011/12/15 20:35:49 | 074,384,952 | ---- | M] () -- C:\Documents and Settings\Chris Wright\Desktop\h4gd5quy.exe
    [2011/12/15 19:39:50 | 000,125,658 | ---- | M] () -- C:\Documents and Settings\Chris Wright\Desktop\33930_1612442269253_1182159235_31698350_683809_n.jpg
    [2011/12/15 19:12:24 | 000,205,072 | ---- | M] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\tmcomm.sys
    [2011/12/14 18:29:20 | 000,237,568 | ---- | M] () -- C:\WINDOWS\System32\rmc_rtspdl.dll
    [2011/12/14 18:29:20 | 000,156,672 | ---- | M] (Radioactive) -- C:\WINDOWS\System32\rmc_fixasf.exe
    [2011/12/14 18:29:16 | 000,323,584 | ---- | M] (Stefan Toengi) -- C:\WINDOWS\System32\AUDIOGENIE2.DLL
    [2011/12/14 17:22:56 | 000,132,597 | ---- | M] () -- C:\Documents and Settings\Chris Wright\Desktop\Flash_Disinfector.exe
    [2011/12/14 16:32:18 | 000,001,702 | ---- | M] () -- C:\Documents and Settings\Chris Wright\Application Data\Microsoft\Internet Explorer\Quick Launch\Replay Media Catcher.lnk
    [2011/12/13 21:03:00 | 000,000,437 | RHS- | M] () -- C:\boot.ini
    [2011/12/11 14:10:19 | 000,006,144 | ---- | M] () -- C:\Documents and Settings\Chris Wright\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    [2011/12/10 21:12:24 | 000,000,213 | ---- | M] () -- C:\Documents and Settings\Chris Wright\.swfinfo
    [2011/12/10 20:01:01 | 000,011,463 | ---- | M] () -- C:\Documents and Settings\Chris Wright\.recently-used.xbel
    [2011/12/09 22:17:35 | 248,979,363 | ---- | M] () -- C:\Documents and Settings\Chris Wright\Desktop\480_696_8tZuP-G260-.flv
    [2011/11/28 12:01:25 | 000,041,184 | ---- | M] (AVAST Software) -- C:\WINDOWS\avastSS.scr
    [2011/11/28 11:53:53 | 000,435,032 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswSnx.sys
    [2011/11/28 11:53:35 | 000,314,456 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswSP.sys
    [2011/11/28 11:52:19 | 000,034,392 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswRdr.sys
    [2011/11/28 11:52:16 | 000,052,952 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswTdi.sys
    [2011/11/28 11:52:02 | 000,111,320 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswmon2.sys
    [2011/11/28 11:51:59 | 000,105,176 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswmon.sys
    [2011/11/28 11:51:50 | 000,020,568 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswFsBlk.sys
    [2011/11/28 11:48:49 | 000,030,808 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aavmker4.sys
    [2011/11/25 22:48:06 | 000,270,142 | ---- | M] () -- C:\Documents and Settings\Chris Wright\Desktop\Minecraft.exe
    [2011/11/23 11:54:48 | 000,413,614 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
    [2011/11/23 11:54:48 | 000,061,372 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
    [6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
    [1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

    ========== Files Created - No Company Name ==========

    [2011/12/19 19:07:34 | 000,003,989 | ---- | C] () -- C:\Documents and Settings\Chris Wright\Desktop\otl.rtf
    [2011/12/17 21:56:52 | 000,508,230 | ---- | C] () -- C:\Documents and Settings\Chris Wright\Desktop\hCKEV.gif
    [2011/12/17 17:46:34 | 000,001,689 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\avast! Free Antivirus.lnk
    [2011/12/17 17:28:21 | 064,207,032 | ---- | C] () -- C:\Documents and Settings\Chris Wright\Desktop\setup_av_free.exe
    [2011/12/17 14:57:31 | 000,302,592 | ---- | C] () -- C:\Documents and Settings\Chris Wright\Desktop\q90eu4v7.exe
    [2011/12/17 14:54:32 | 000,002,324 | ---- | C] () -- C:\WINDOWS\epplauncher.mif
    [2011/12/15 19:53:00 | 074,384,952 | ---- | C] () -- C:\Documents and Settings\Chris Wright\Desktop\h4gd5quy.exe
    [2011/12/15 19:39:49 | 000,125,658 | ---- | C] () -- C:\Documents and Settings\Chris Wright\Desktop\33930_1612442269253_1182159235_31698350_683809_n.jpg
    [2011/12/14 18:27:16 | 000,000,730 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Mozilla Firefox.lnk
    [2011/12/14 17:22:54 | 000,132,597 | ---- | C] () -- C:\Documents and Settings\Chris Wright\Desktop\Flash_Disinfector.exe
    [2011/12/14 16:32:18 | 000,001,702 | ---- | C] () -- C:\Documents and Settings\Chris Wright\Application Data\Microsoft\Internet Explorer\Quick Launch\Replay Media Catcher.lnk
    [2011/12/13 21:03:00 | 000,000,321 | ---- | C] () -- C:\Boot.bak
    [2011/12/13 21:02:57 | 000,260,272 | RHS- | C] () -- C:\cmldr
    [2011/12/13 21:00:33 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
    [2011/12/13 21:00:33 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
    [2011/12/13 21:00:33 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
    [2011/12/13 21:00:33 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
    [2011/12/13 21:00:33 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
    [2011/12/10 21:12:24 | 000,000,213 | ---- | C] () -- C:\Documents and Settings\Chris Wright\.swfinfo
    [2011/12/10 20:01:01 | 000,011,463 | ---- | C] () -- C:\Documents and Settings\Chris Wright\.recently-used.xbel
    [2011/12/09 20:09:20 | 248,979,363 | ---- | C] () -- C:\Documents and Settings\Chris Wright\Desktop\480_696_8tZuP-G260-.flv
    [2011/11/25 22:44:46 | 000,270,142 | ---- | C] () -- C:\Documents and Settings\Chris Wright\Desktop\Minecraft.exe
    [2011/11/02 13:12:48 | 000,050,176 | ---- | C] () -- C:\WINDOWS\System32\annihilator.dll
    [2011/09/27 20:06:11 | 000,006,144 | ---- | C] () -- C:\Documents and Settings\Chris Wright\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    [2011/09/14 10:20:10 | 000,237,568 | ---- | C] () -- C:\WINDOWS\System32\rmc_rtspdl.dll
    [2011/07/06 13:56:34 | 000,000,000 | ---- | C] () -- C:\WINDOWS\NT.INI
    [2011/05/05 17:02:47 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
    [2011/02/15 21:39:44 | 008,676,883 | ---- | C] () -- C:\WINDOWS\System32\mp3Media2.dll
    [2010/12/01 17:14:40 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
    [2010/12/01 17:14:27 | 000,178,176 | ---- | C] () -- C:\WINDOWS\System32\unrar.dll
    [2010/12/01 17:14:27 | 000,000,038 | ---- | C] () -- C:\WINDOWS\avisplitter.ini
    [2010/12/01 17:14:25 | 003,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
    [2010/12/01 17:14:25 | 000,881,664 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
    [2010/12/01 17:14:25 | 000,205,824 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
    [2010/12/01 17:14:23 | 000,005,120 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
    [2010/12/01 09:10:38 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4670.dll
    [2010/11/30 15:40:49 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
    [2010/11/30 15:30:48 | 000,022,704 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
    [2010/11/30 09:26:02 | 000,004,328 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
    [2010/11/30 09:24:37 | 000,093,480 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
    [2010/07/15 18:45:44 | 000,053,299 | ---- | C] () -- C:\WINDOWS\System32\pthreadVC.dll
    [2009/09/04 18:01:20 | 001,550,796 | ---- | C] () -- C:\Program Files\Nov2008_d3dx9_40_x86.cab
    [2009/09/04 18:01:20 | 001,412,894 | ---- | C] () -- C:\Program Files\OCT2006_d3dx9_31_x64.cab
    [2009/09/04 18:01:20 | 001,127,209 | ---- | C] () -- C:\Program Files\OCT2006_d3dx9_31_x86.cab
    [2009/09/04 18:01:20 | 000,994,154 | ---- | C] () -- C:\Program Files\Nov2008_d3dx10_40_x64.cab
    [2009/09/04 18:01:20 | 000,273,960 | ---- | C] () -- C:\Program Files\Nov2008_XAudio_x64.cab
    [2009/09/04 18:01:20 | 000,272,603 | ---- | C] () -- C:\Program Files\Nov2008_XAudio_x86.cab
    [2009/09/04 18:01:20 | 000,182,361 | ---- | C] () -- C:\Program Files\OCT2006_XACT_x64.cab
    [2009/09/04 18:01:20 | 000,138,009 | ---- | C] () -- C:\Program Files\OCT2006_XACT_x86.cab
    [2009/09/04 18:01:20 | 000,121,786 | ---- | C] () -- C:\Program Files\Nov2008_XACT_x64.cab
    [2009/09/04 18:01:20 | 000,092,676 | ---- | C] () -- C:\Program Files\Nov2008_XACT_x86.cab
    [2009/09/04 18:01:20 | 000,086,029 | ---- | C] () -- C:\Program Files\Oct2005_xinput_x64.cab
    [2009/09/04 18:01:20 | 000,054,522 | ---- | C] () -- C:\Program Files\Nov2008_X3DAudio_x64.cab
    [2009/09/04 18:01:20 | 000,045,351 | ---- | C] () -- C:\Program Files\Oct2005_xinput_x86.cab
    [2009/09/04 18:01:20 | 000,021,843 | ---- | C] () -- C:\Program Files\Nov2008_X3DAudio_x86.cab
    [2009/09/04 18:01:18 | 001,906,870 | ---- | C] () -- C:\Program Files\Nov2008_d3dx9_40_x64.cab
    [2009/09/04 18:01:18 | 001,802,058 | ---- | C] () -- C:\Program Files\Nov2007_d3dx9_36_x64.cab
    [2009/09/04 18:01:18 | 001,709,360 | ---- | C] () -- C:\Program Files\Nov2007_d3dx9_36_x86.cab
    [2009/09/04 18:01:18 | 000,965,421 | ---- | C] () -- C:\Program Files\Nov2008_d3dx10_40_x86.cab
    [2009/09/04 18:01:18 | 000,803,876 | ---- | C] () -- C:\Program Files\Nov2007_d3dx10_36_x86.cab
    [2009/09/04 18:01:18 | 000,196,754 | ---- | C] () -- C:\Program Files\NOV2007_XACT_x64.cab
    [2009/09/04 18:01:18 | 000,148,264 | ---- | C] () -- C:\Program Files\NOV2007_XACT_x86.cab
    [2009/09/04 18:01:18 | 000,046,144 | ---- | C] () -- C:\Program Files\NOV2007_X3DAudio_x64.cab
    [2009/09/04 18:01:18 | 000,018,496 | ---- | C] () -- C:\Program Files\NOV2007_X3DAudio_x86.cab
    [2009/09/04 18:01:14 | 001,973,702 | ---- | C] () -- C:\Program Files\Mar2009_d3dx9_41_x64.cab
    [2009/09/04 18:01:14 | 001,612,446 | ---- | C] () -- C:\Program Files\Mar2009_d3dx9_41_x86.cab
    [2009/09/04 18:01:14 | 001,067,160 | ---- | C] () -- C:\Program Files\Mar2009_d3dx10_41_x64.cab
    [2009/09/04 18:01:14 | 001,040,737 | ---- | C] () -- C:\Program Files\Mar2009_d3dx10_41_x86.cab
    [2009/09/04 18:01:14 | 000,864,600 | ---- | C] () -- C:\Program Files\Nov2007_d3dx10_36_x64.cab
    [2009/09/04 18:01:14 | 000,275,036 | ---- | C] () -- C:\Program Files\Mar2009_XAudio_x64.cab
    [2009/09/04 18:01:14 | 000,273,010 | ---- | C] () -- C:\Program Files\Mar2009_XAudio_x86.cab
    [2009/09/04 18:01:14 | 000,251,186 | ---- | C] () -- C:\Program Files\Mar2008_XAudio_x64.cab
    [2009/09/04 18:01:14 | 000,226,242 | ---- | C] () -- C:\Program Files\Mar2008_XAudio_x86.cab
    [2009/09/04 18:01:14 | 000,122,336 | ---- | C] () -- C:\Program Files\Mar2008_XACT_x64.cab
    [2009/09/04 18:01:14 | 000,121,506 | ---- | C] () -- C:\Program Files\Mar2009_XACT_x64.cab
    [2009/09/04 18:01:14 | 000,093,726 | ---- | C] () -- C:\Program Files\Mar2008_XACT_x86.cab
    [2009/09/04 18:01:14 | 000,092,732 | ---- | C] () -- C:\Program Files\Mar2009_XACT_x86.cab
    [2009/09/04 18:01:14 | 000,054,600 | ---- | C] () -- C:\Program Files\Mar2009_X3DAudio_x64.cab
    [2009/09/04 18:01:14 | 000,021,867 | ---- | C] () -- C:\Program Files\Mar2008_X3DAudio_x86.cab
    [2009/09/04 18:01:14 | 000,021,298 | ---- | C] () -- C:\Program Files\Mar2009_X3DAudio_x86.cab
    [2009/09/04 18:01:12 | 001,769,862 | ---- | C] () -- C:\Program Files\Mar2008_d3dx9_37_x64.cab
    [2009/09/04 18:01:12 | 001,443,274 | ---- | C] () -- C:\Program Files\Mar2008_d3dx9_37_x86.cab
    [2009/09/04 18:01:12 | 000,844,884 | ---- | C] () -- C:\Program Files\Mar2008_d3dx10_37_x64.cab
    [2009/09/04 18:01:12 | 000,818,260 | ---- | C] () -- C:\Program Files\Mar2008_d3dx10_37_x86.cab
    [2009/09/04 18:01:12 | 000,269,620 | ---- | C] () -- C:\Program Files\JUN2008_XAudio_x64.cab
    [2009/09/04 18:01:12 | 000,269,016 | ---- | C] () -- C:\Program Files\JUN2008_XAudio_x86.cab
    [2009/09/04 18:01:12 | 000,121,054 | ---- | C] () -- C:\Program Files\JUN2008_XACT_x64.cab
    [2009/09/04 18:01:12 | 000,093,128 | ---- | C] () -- C:\Program Files\JUN2008_XACT_x86.cab
    [2009/09/04 18:01:12 | 000,055,050 | ---- | C] () -- C:\Program Files\Mar2008_X3DAudio_x64.cab
    [2009/09/04 18:01:12 | 000,021,905 | ---- | C] () -- C:\Program Files\JUN2008_X3DAudio_x86.cab
    [2009/09/04 18:01:10 | 001,792,600 | ---- | C] () -- C:\Program Files\JUN2008_d3dx9_38_x64.cab
    [2009/09/04 18:01:10 | 001,607,766 | ---- | C] () -- C:\Program Files\JUN2007_d3dx9_34_x64.cab
    [2009/09/04 18:01:10 | 001,607,278 | ---- | C] () -- C:\Program Files\JUN2007_d3dx9_34_x86.cab
    [2009/09/04 18:01:10 | 001,463,878 | ---- | C] () -- C:\Program Files\JUN2008_d3dx9_38_x86.cab
    [2009/09/04 18:01:10 | 001,362,796 | ---- | C] () -- C:\Program Files\Feb2006_d3dx9_29_x64.cab
    [2009/09/04 18:01:10 | 001,336,002 | ---- | C] () -- C:\Program Files\Jun2005_d3dx9_26_x64.cab
    [2009/09/04 18:01:10 | 001,064,925 | ---- | C] () -- C:\Program Files\Jun2005_d3dx9_26_x86.cab
    [2009/09/04 18:01:10 | 000,867,828 | ---- | C] () -- C:\Program Files\JUN2008_d3dx10_38_x64.cab
    [2009/09/04 18:01:10 | 000,849,919 | ---- | C] () -- C:\Program Files\JUN2008_d3dx10_38_x86.cab
    [2009/09/04 18:01:10 | 000,699,044 | ---- | C] () -- C:\Program Files\JUN2007_d3dx10_34_x64.cab
    [2009/09/04 18:01:10 | 000,698,464 | ---- | C] () -- C:\Program Files\JUN2007_d3dx10_34_x86.cab
    [2009/09/04 18:01:10 | 000,197,114 | ---- | C] () -- C:\Program Files\JUN2007_XACT_x64.cab
    [2009/09/04 18:01:10 | 000,178,359 | ---- | C] () -- C:\Program Files\Feb2006_XACT_x64.cab
    [2009/09/04 18:01:10 | 000,152,901 | ---- | C] () -- C:\Program Files\JUN2007_XACT_x86.cab
    [2009/09/04 18:01:10 | 000,055,154 | ---- | C] () -- C:\Program Files\JUN2008_X3DAudio_x64.cab
    [2009/09/04 18:01:08 | 013,264,168 | ---- | C] () -- C:\Program Files\dxnt.cab
    [2009/09/04 18:01:08 | 001,247,499 | ---- | C] () -- C:\Program Files\Feb2005_d3dx9_24_x64.cab
    [2009/09/04 18:01:08 | 001,084,712 | ---- | C] () -- C:\Program Files\Feb2006_d3dx9_29_x86.cab
    [2009/09/04 18:01:08 | 001,013,225 | ---- | C] () -- C:\Program Files\Feb2005_d3dx9_24_x86.cab
    [2009/09/04 18:01:08 | 000,194,667 | ---- | C] () -- C:\Program Files\FEB2007_XACT_x64.cab
    [2009/09/04 18:01:08 | 000,180,777 | ---- | C] () -- C:\Program Files\JUN2006_XACT_x64.cab
    [2009/09/04 18:01:08 | 000,147,983 | ---- | C] () -- C:\Program Files\FEB2007_XACT_x86.cab
    [2009/09/04 18:01:08 | 000,133,663 | ---- | C] () -- C:\Program Files\JUN2006_XACT_x86.cab
    [2009/09/04 18:01:08 | 000,132,409 | ---- | C] () -- C:\Program Files\Feb2006_XACT_x86.cab
    [2009/09/04 18:01:08 | 000,095,637 | ---- | C] () -- C:\Program Files\dxupdate.cab
    [2009/09/04 18:01:08 | 000,044,440 | ---- | C] () -- C:\Program Files\dxdllreg_x86.cab
    [2009/09/04 18:01:06 | 000,145,591 | ---- | C] () -- C:\Program Files\DEC2006_XACT_x86.cab
    [2009/09/04 18:01:04 | 003,319,732 | ---- | C] () -- C:\Program Files\Aug2009_d3dcsx_42_x86.cab
    [2009/09/04 18:01:04 | 003,112,103 | ---- | C] () -- C:\Program Files\Aug2009_d3dcsx_42_x64.cab
    [2009/09/04 18:01:04 | 001,574,376 | ---- | C] () -- C:\Program Files\DEC2006_d3dx9_32_x86.cab
    [2009/09/04 18:01:04 | 001,571,154 | ---- | C] () -- C:\Program Files\DEC2006_d3dx9_32_x64.cab
    [2009/09/04 18:01:04 | 001,357,968 | ---- | C] () -- C:\Program Files\Dec2005_d3dx9_28_x64.cab
    [2009/09/04 18:01:04 | 001,155,483 | ---- | C] () -- C:\Program Files\BDANT.cab
    [2009/09/04 18:01:04 | 001,079,448 | ---- | C] () -- C:\Program Files\Dec2005_d3dx9_28_x86.cab
    [2009/09/04 18:01:04 | 000,975,148 | ---- | C] () -- C:\Program Files\BDAXP.cab
    [2009/09/04 18:01:04 | 000,930,108 | ---- | C] () -- C:\Program Files\Aug2009_d3dx9_42_x64.cab
    [2009/09/04 18:01:04 | 000,919,036 | ---- | C] () -- C:\Program Files\Aug2009_D3DCompiler_42_x64.cab
    [2009/09/04 18:01:04 | 000,900,598 | ---- | C] () -- C:\Program Files\Aug2009_D3DCompiler_42_x86.cab
    [2009/09/04 18:01:04 | 000,728,456 | ---- | C] () -- C:\Program Files\Aug2009_d3dx9_42_x86.cab
    [2009/09/04 18:01:04 | 000,273,264 | ---- | C] () -- C:\Program Files\Aug2009_XAudio_x64.cab
    [2009/09/04 18:01:04 | 000,272,634 | ---- | C] () -- C:\Program Files\Aug2009_XAudio_x86.cab
    [2009/09/04 18:01:04 | 000,271,404 | ---- | C] () -- C:\Program Files\Aug2008_XAudio_x64.cab
    [2009/09/04 18:01:04 | 000,271,038 | ---- | C] () -- C:\Program Files\Aug2008_XAudio_x86.cab
    [2009/09/04 18:01:04 | 000,232,635 | ---- | C] () -- C:\Program Files\Aug2009_d3dx10_42_x64.cab
    [2009/09/04 18:01:04 | 000,212,799 | ---- | C] () -- C:\Program Files\DEC2006_d3dx10_00_x64.cab
    [2009/09/04 18:01:04 | 000,192,467 | ---- | C] () -- C:\Program Files\DEC2006_XACT_x64.cab
    [2009/09/04 18:01:04 | 000,192,131 | ---- | C] () -- C:\Program Files\Aug2009_d3dx10_42_x86.cab
    [2009/09/04 18:01:04 | 000,191,712 | ---- | C] () -- C:\Program Files\DEC2006_d3dx10_00_x86.cab
    [2009/09/04 18:01:04 | 000,136,301 | ---- | C] () -- C:\Program Files\Aug2009_d3dx11_42_x64.cab
    [2009/09/04 18:01:04 | 000,122,408 | ---- | C] () -- C:\Program Files\Aug2009_XACT_x64.cab
    [2009/09/04 18:01:04 | 000,121,764 | ---- | C] () -- C:\Program Files\Aug2008_XACT_x64.cab
    [2009/09/04 18:01:04 | 000,105,036 | ---- | C] () -- C:\Program Files\Aug2009_d3dx11_42_x86.cab
    [2009/09/04 18:01:04 | 000,093,098 | ---- | C] () -- C:\Program Files\Aug2009_XACT_x86.cab
    [2009/09/04 18:01:04 | 000,092,996 | ---- | C] () -- C:\Program Files\Aug2008_XACT_x86.cab
    [2009/09/04 18:01:02 | 001,464,664 | ---- | C] () -- C:\Program Files\Aug2008_d3dx9_39_x86.cab
    [2009/09/04 18:01:00 | 001,800,152 | ---- | C] () -- C:\Program Files\AUG2007_d3dx9_35_x64.cab
    [2009/09/04 18:01:00 | 001,794,076 | ---- | C] () -- C:\Program Files\Aug2008_d3dx9_39_x64.cab
    [2009/09/04 18:01:00 | 001,708,144 | ---- | C] () -- C:\Program Files\AUG2007_d3dx9_35_x86.cab
    [2009/09/04 18:01:00 | 001,350,534 | ---- | C] () -- C:\Program Files\Aug2005_d3dx9_27_x64.cab
    [2009/09/04 18:01:00 | 001,077,644 | ---- | C] () -- C:\Program Files\Aug2005_d3dx9_27_x86.cab
    [2009/09/04 18:01:00 | 000,867,604 | ---- | C] () -- C:\Program Files\Aug2008_d3dx10_39_x64.cab
    [2009/09/04 18:01:00 | 000,852,286 | ---- | C] () -- C:\Program Files\AUG2007_d3dx10_35_x64.cab
    [2009/09/04 18:01:00 | 000,849,167 | ---- | C] () -- C:\Program Files\Aug2008_d3dx10_39_x86.cab
    [2009/09/04 18:01:00 | 000,796,859 | ---- | C] () -- C:\Program Files\AUG2007_d3dx10_35_x86.cab
    [2009/09/04 18:01:00 | 000,198,088 | ---- | C] () -- C:\Program Files\AUG2007_XACT_x64.cab
    [2009/09/04 18:01:00 | 000,182,903 | ---- | C] () -- C:\Program Files\AUG2006_XACT_x64.cab
    [2009/09/04 18:01:00 | 000,153,004 | ---- | C] () -- C:\Program Files\AUG2007_XACT_x86.cab
    [2009/09/04 18:01:00 | 000,137,235 | ---- | C] () -- C:\Program Files\AUG2006_XACT_x86.cab
    [2009/09/04 18:01:00 | 000,096,817 | ---- | C] () -- C:\Program Files\APR2007_xinput_x64.cab
    [2009/09/04 18:01:00 | 000,087,142 | ---- | C] () -- C:\Program Files\AUG2006_xinput_x64.cab
    [2009/09/04 18:01:00 | 000,053,294 | ---- | C] () -- C:\Program Files\APR2007_xinput_x86.cab
    [2009/09/04 18:01:00 | 000,046,058 | ---- | C] () -- C:\Program Files\AUG2006_xinput_x86.cab
    [2009/09/04 18:00:58 | 004,162,630 | ---- | C] () -- C:\Program Files\Apr2006_MDX1_x86_Archive.cab
    [2009/09/04 18:00:58 | 001,607,358 | ---- | C] () -- C:\Program Files\APR2007_d3dx9_33_x64.cab
    [2009/09/04 18:00:58 | 001,606,031 | ---- | C] () -- C:\Program Files\APR2007_d3dx9_33_x86.cab
    [2009/09/04 18:00:58 | 000,916,430 | ---- | C] () -- C:\Program Files\Apr2006_MDX1_x86.cab
    [2009/09/04 18:00:58 | 000,698,612 | ---- | C] () -- C:\Program Files\APR2007_d3dx10_33_x64.cab
    [2009/09/04 18:00:58 | 000,695,857 | ---- | C] () -- C:\Program Files\APR2007_d3dx10_33_x86.cab
    [2009/09/04 18:00:58 | 000,195,758 | ---- | C] () -- C:\Program Files\APR2007_XACT_x64.cab
    [2009/09/04 18:00:58 | 000,179,125 | ---- | C] () -- C:\Program Files\Apr2006_XACT_x64.cab
    [2009/09/04 18:00:58 | 000,151,225 | ---- | C] () -- C:\Program Files\APR2007_XACT_x86.cab
    [2009/09/04 18:00:58 | 000,133,095 | ---- | C] () -- C:\Program Files\Apr2006_XACT_x86.cab
    [2009/09/04 18:00:58 | 000,087,101 | ---- | C] () -- C:\Program Files\Apr2006_xinput_x64.cab
    [2009/09/04 18:00:58 | 000,046,002 | ---- | C] () -- C:\Program Files\Apr2006_xinput_x86.cab
    [2009/09/04 18:00:56 | 001,397,822 | ---- | C] () -- C:\Program Files\Apr2006_d3dx9_30_x64.cab
    [2009/09/04 18:00:56 | 001,347,354 | ---- | C] () -- C:\Program Files\Apr2005_d3dx9_25_x64.cab
    [2009/09/04 18:00:56 | 001,115,221 | ---- | C] () -- C:\Program Files\Apr2006_d3dx9_30_x86.cab
    [2009/09/04 18:00:56 | 001,078,954 | ---- | C] () -- C:\Program Files\Apr2005_d3dx9_25_x86.cab
    [2005/10/15 13:25:20 | 000,028,672 | ---- | C] () -- C:\WINDOWS\System32\myodbc3i.exe
    [2005/10/15 13:25:20 | 000,011,776 | ---- | C] () -- C:\WINDOWS\System32\myodbc3m.exe
    [2004/08/03 17:07:22 | 000,001,788 | ---- | C] () -- C:\WINDOWS\System32\Dcache.bin
    [2004/08/03 16:56:44 | 000,081,920 | ---- | C] () -- C:\WINDOWS\System32\ieencode.dll
    [2004/08/02 06:20:40 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
    [2001/08/23 06:00:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
    [2001/08/23 06:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
    [2001/08/23 06:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
    [2001/08/23 06:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
    [2001/08/23 06:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
    [2001/08/23 06:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
    [2001/08/23 06:00:00 | 000,004,463 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
    [2001/08/23 05:00:00 | 000,413,614 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
    [2001/08/23 05:00:00 | 000,061,372 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
    [2001/08/23 05:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
     
  14. videoart


    OTL.Txt 2

    ========== LOP Check ==========

    [2011/12/14 16:24:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Applian
    [2011/12/17 17:45:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVAST Software
    [2010/12/01 20:20:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Azureus
    [2011/08/07 15:07:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Canneverbe Limited
    [2011/12/15 18:08:03 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\Common Files
    [2011/12/15 18:23:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MFAData
    [2011/04/30 14:24:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Virtual Mechanics
    [2011/06/08 14:58:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Chris\Application Data\Azureus
    [2010/12/05 20:30:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Chris\Application Data\CDisplayEx
    [2011/07/01 20:32:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Chris\Application Data\gtk-2.0
    [2011/01/24 16:43:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Chris\Application Data\HandBrake
    [2010/12/24 20:37:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Chris\Application Data\ImgBurn
    [2011/05/31 21:19:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Chris\Application Data\IObit
    [2011/04/30 14:41:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Chris\Application Data\KompoZer
    [2011/02/01 11:30:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Chris\Application Data\Nvu
    [2011/04/05 12:44:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Chris\Application Data\Rovio
    [2011/04/09 18:03:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Chris\Application Data\Thunderbird
    [2011/04/30 13:48:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Chris\Application Data\Trellian
    [2011/12/16 22:33:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Chris\Application Data\uTorrent
    [2011/04/30 14:24:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Chris\Application Data\Virtual Mechanics
    [2011/12/17 14:35:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Chris Wright\Application Data\.minecraft
    [2011/08/07 15:07:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Chris Wright\Application Data\Canneverbe Limited
    [2011/12/10 20:01:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Chris Wright\Application Data\gtk-2.0
    [2011/11/04 14:12:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Chris Wright\Application Data\HandBrake
    [2011/07/13 05:19:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Chris Wright\Application Data\IObit
    [2011/07/13 06:07:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Chris Wright\Application Data\Nvu
    [2011/12/14 16:27:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Chris Wright\Application Data\Replay Media Catcher 4
    [2011/12/17 14:54:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Chris Wright\Application Data\uTorrent

    ========== Purity Check ==========



    ========== Custom Scans ==========


    < %SYSTEMDRIVE%\*.* >
    [2010/11/30 15:34:09 | 000,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT
    [2010/12/01 09:03:29 | 000,000,090 | ---- | M] () -- C:\bcmwl5.log
    [2011/07/06 03:36:28 | 000,000,321 | ---- | M] () -- C:\Boot.bak
    [2011/12/13 21:03:00 | 000,000,437 | RHS- | M] () -- C:\boot.ini
    [2004/08/03 23:00:00 | 000,260,272 | RHS- | M] () -- C:\cmldr
    [2011/12/19 17:05:56 | 000,011,051 | ---- | M] () -- C:\ComboFix.txt
    [2010/11/30 15:34:09 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS
    [2007/11/07 08:00:40 | 000,000,118 | ---- | M] () -- C:\eula.1041.txt
    [2007/11/07 08:00:40 | 000,001,110 | ---- | M] () -- C:\globdata.ini
    [2007/11/07 08:00:40 | 000,000,843 | ---- | M] () -- C:\install.ini
    [2007/11/07 08:03:18 | 000,076,304 | ---- | M] (Microsoft Corporation) -- C:\install.res.1028.dll
    [2007/11/07 08:03:18 | 000,096,272 | ---- | M] (Microsoft Corporation) -- C:\install.res.1031.dll
    [2007/11/07 08:03:18 | 000,091,152 | ---- | M] (Microsoft Corporation) -- C:\install.res.1033.dll
    [2007/11/07 08:03:18 | 000,097,296 | ---- | M] (Microsoft Corporation) -- C:\install.res.1036.dll
    [2007/11/07 08:03:18 | 000,095,248 | ---- | M] (Microsoft Corporation) -- C:\install.res.1040.dll
    [2007/11/07 08:03:18 | 000,081,424 | ---- | M] (Microsoft Corporation) -- C:\install.res.1041.dll
    [2007/11/07 08:03:18 | 000,079,888 | ---- | M] (Microsoft Corporation) -- C:\install.res.1042.dll
    [2007/11/07 08:03:18 | 000,075,792 | ---- | M] (Microsoft Corporation) -- C:\install.res.2052.dll
    [2007/11/07 08:03:18 | 000,096,272 | ---- | M] (Microsoft Corporation) -- C:\install.res.3082.dll
    [2010/11/30 15:34:09 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
    [2011/01/20 18:23:02 | 000,000,109 | ---- | M] () -- C:\mbam-error.txt
    [2011/07/05 22:57:56 | 000,000,512 | -H-- | M] () -- C:\mbr_backup.log
    [2010/11/30 15:34:09 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
    [2008/04/13 15:13:04 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
    [2008/04/13 17:01:44 | 000,250,048 | RHS- | M] () -- C:\ntldr
    [2011/12/19 19:06:27 | 1598,029,824 | -HS- | M] () -- C:\pagefile.sys
    [2011/03/04 15:18:49 | 000,005,490 | ---- | M] () -- C:\resetlog.txt
    [2011/12/13 20:40:31 | 000,045,478 | ---- | M] () -- C:\TDSSKiller.2.6.23.0_13.12.2011_20.38.54_log.txt
    [2011/12/18 20:21:29 | 000,046,992 | ---- | M] () -- C:\TDSSKiller.2.6.23.0_18.12.2011_20.17.55_log.txt
    [2007/11/07 08:00:40 | 000,005,686 | ---- | M] () -- C:\vcredist.bmp
    [2007/11/07 08:09:22 | 001,442,522 | ---- | M] () -- C:\VC_RED.cab
    [2007/11/07 08:12:28 | 000,232,960 | ---- | M] () -- C:\VC_RED.MSI

    < %systemroot%\Fonts\*.com >

    < %systemroot%\Fonts\*.dll >

    < %systemroot%\Fonts\*.ini >
    [2011/07/06 03:42:55 | 000,000,067 | -HS- | M] () -- C:\WINDOWS\Fonts\desktop.ini

    < %systemroot%\Fonts\*.ini2 >

    < %systemroot%\Fonts\*.exe >

    < %systemroot%\system32\spool\prtprocs\w32x86\*.* >

    < %systemroot%\REPAIR\*.bak1 >

    < %systemroot%\REPAIR\*.ini >

    < %systemroot%\system32\*.jpg >

    < %systemroot%\*.jpg >

    < %systemroot%\*.png >

    < %systemroot%\*.scr >
    [2011/11/28 12:01:25 | 000,041,184 | ---- | M] (AVAST Software) -- C:\WINDOWS\avastSS.scr
    [6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

    < %systemroot%\*._sy >

    < %APPDATA%\Adobe\Update\*.* >

    < %ALLUSERSPROFILE%\Favorites\*.* >

    < %APPDATA%\Microsoft\*.* >

    < %PROGRAMFILES%\*.* >
    [2009/09/04 18:00:56 | 001,347,354 | ---- | M] () -- C:\Program Files\Apr2005_d3dx9_25_x64.cab
    [2009/09/04 18:00:56 | 001,078,954 | ---- | M] () -- C:\Program Files\Apr2005_d3dx9_25_x86.cab
    [2009/09/04 18:00:56 | 001,397,822 | ---- | M] () -- C:\Program Files\Apr2006_d3dx9_30_x64.cab
    [2009/09/04 18:00:56 | 001,115,221 | ---- | M] () -- C:\Program Files\Apr2006_d3dx9_30_x86.cab
    [2009/09/04 18:00:58 | 000,916,430 | ---- | M] () -- C:\Program Files\Apr2006_MDX1_x86.cab
    [2009/09/04 18:00:58 | 004,162,630 | ---- | M] () -- C:\Program Files\Apr2006_MDX1_x86_Archive.cab
    [2009/09/04 18:00:58 | 000,179,125 | ---- | M] () -- C:\Program Files\Apr2006_XACT_x64.cab
    [2009/09/04 18:00:58 | 000,133,095 | ---- | M] () -- C:\Program Files\Apr2006_XACT_x86.cab
    [2009/09/04 18:00:58 | 000,087,101 | ---- | M] () -- C:\Program Files\Apr2006_xinput_x64.cab
    [2009/09/04 18:00:58 | 000,046,002 | ---- | M] () -- C:\Program Files\Apr2006_xinput_x86.cab
    [2009/09/04 18:00:58 | 000,698,612 | ---- | M] () -- C:\Program Files\APR2007_d3dx10_33_x64.cab
    [2009/09/04 18:00:58 | 000,695,857 | ---- | M] () -- C:\Program Files\APR2007_d3dx10_33_x86.cab
    [2009/09/04 18:00:58 | 001,607,358 | ---- | M] () -- C:\Program Files\APR2007_d3dx9_33_x64.cab
    [2009/09/04 18:00:58 | 001,606,031 | ---- | M] () -- C:\Program Files\APR2007_d3dx9_33_x86.cab
    [2009/09/04 18:00:58 | 000,195,758 | ---- | M] () -- C:\Program Files\APR2007_XACT_x64.cab
    [2009/09/04 18:00:58 | 000,151,225 | ---- | M] () -- C:\Program Files\APR2007_XACT_x86.cab
    [2009/09/04 18:01:00 | 000,096,817 | ---- | M] () -- C:\Program Files\APR2007_xinput_x64.cab
    [2009/09/04 18:01:00 | 000,053,294 | ---- | M] () -- C:\Program Files\APR2007_xinput_x86.cab
    [2009/09/04 18:01:00 | 001,350,534 | ---- | M] () -- C:\Program Files\Aug2005_d3dx9_27_x64.cab
    [2009/09/04 18:01:00 | 001,077,644 | ---- | M] () -- C:\Program Files\Aug2005_d3dx9_27_x86.cab
    [2009/09/04 18:01:00 | 000,182,903 | ---- | M] () -- C:\Program Files\AUG2006_XACT_x64.cab
    [2009/09/04 18:01:00 | 000,137,235 | ---- | M] () -- C:\Program Files\AUG2006_XACT_x86.cab
    [2009/09/04 18:01:00 | 000,087,142 | ---- | M] () -- C:\Program Files\AUG2006_xinput_x64.cab
    [2009/09/04 18:01:00 | 000,046,058 | ---- | M] () -- C:\Program Files\AUG2006_xinput_x86.cab
    [2009/09/04 18:01:00 | 000,852,286 | ---- | M] () -- C:\Program Files\AUG2007_d3dx10_35_x64.cab
    [2009/09/04 18:01:00 | 000,796,859 | ---- | M] () -- C:\Program Files\AUG2007_d3dx10_35_x86.cab
    [2009/09/04 18:01:00 | 001,800,152 | ---- | M] () -- C:\Program Files\AUG2007_d3dx9_35_x64.cab
    [2009/09/04 18:01:00 | 001,708,144 | ---- | M] () -- C:\Program Files\AUG2007_d3dx9_35_x86.cab
    [2009/09/04 18:01:00 | 000,198,088 | ---- | M] () -- C:\Program Files\AUG2007_XACT_x64.cab
    [2009/09/04 18:01:00 | 000,153,004 | ---- | M] () -- C:\Program Files\AUG2007_XACT_x86.cab
    [2009/09/04 18:01:00 | 000,867,604 | ---- | M] () -- C:\Program Files\Aug2008_d3dx10_39_x64.cab
    [2009/09/04 18:01:00 | 000,849,167 | ---- | M] () -- C:\Program Files\Aug2008_d3dx10_39_x86.cab
    [2009/09/04 18:01:00 | 001,794,076 | ---- | M] () -- C:\Program Files\Aug2008_d3dx9_39_x64.cab
    [2009/09/04 18:01:02 | 001,464,664 | ---- | M] () -- C:\Program Files\Aug2008_d3dx9_39_x86.cab
    [2009/09/04 18:01:04 | 000,121,764 | ---- | M] () -- C:\Program Files\Aug2008_XACT_x64.cab
    [2009/09/04 18:01:04 | 000,092,996 | ---- | M] () -- C:\Program Files\Aug2008_XACT_x86.cab
    [2009/09/04 18:01:04 | 000,271,404 | ---- | M] () -- C:\Program Files\Aug2008_XAudio_x64.cab
    [2009/09/04 18:01:04 | 000,271,038 | ---- | M] () -- C:\Program Files\Aug2008_XAudio_x86.cab
    [2009/09/04 18:01:04 | 000,919,036 | ---- | M] () -- C:\Program Files\Aug2009_D3DCompiler_42_x64.cab
    [2009/09/04 18:01:04 | 000,900,598 | ---- | M] () -- C:\Program Files\Aug2009_D3DCompiler_42_x86.cab
    [2009/09/04 18:01:04 | 003,112,103 | ---- | M] () -- C:\Program Files\Aug2009_d3dcsx_42_x64.cab
    [2009/09/04 18:01:04 | 003,319,732 | ---- | M] () -- C:\Program Files\Aug2009_d3dcsx_42_x86.cab
    [2009/09/04 18:01:04 | 000,232,635 | ---- | M] () -- C:\Program Files\Aug2009_d3dx10_42_x64.cab
    [2009/09/04 18:01:04 | 000,192,131 | ---- | M] () -- C:\Program Files\Aug2009_d3dx10_42_x86.cab
    [2009/09/04 18:01:04 | 000,136,301 | ---- | M] () -- C:\Program Files\Aug2009_d3dx11_42_x64.cab
    [2009/09/04 18:01:04 | 000,105,036 | ---- | M] () -- C:\Program Files\Aug2009_d3dx11_42_x86.cab
    [2009/09/04 18:01:04 | 000,930,108 | ---- | M] () -- C:\Program Files\Aug2009_d3dx9_42_x64.cab
    [2009/09/04 18:01:04 | 000,728,456 | ---- | M] () -- C:\Program Files\Aug2009_d3dx9_42_x86.cab
    [2009/09/04 18:01:04 | 000,122,408 | ---- | M] () -- C:\Program Files\Aug2009_XACT_x64.cab
    [2009/09/04 18:01:04 | 000,093,098 | ---- | M] () -- C:\Program Files\Aug2009_XACT_x86.cab
    [2009/09/04 18:01:04 | 000,273,264 | ---- | M] () -- C:\Program Files\Aug2009_XAudio_x64.cab
    [2009/09/04 18:01:04 | 000,272,634 | ---- | M] () -- C:\Program Files\Aug2009_XAudio_x86.cab
    [2009/09/04 18:01:04 | 001,155,483 | ---- | M] () -- C:\Program Files\BDANT.cab
    [2009/09/04 18:01:04 | 000,975,148 | ---- | M] () -- C:\Program Files\BDAXP.cab
    [2009/09/04 18:01:04 | 001,357,968 | ---- | M] () -- C:\Program Files\Dec2005_d3dx9_28_x64.cab
    [2009/09/04 18:01:04 | 001,079,448 | ---- | M] () -- C:\Program Files\Dec2005_d3dx9_28_x86.cab
    [2009/09/04 18:01:04 | 000,212,799 | ---- | M] () -- C:\Program Files\DEC2006_d3dx10_00_x64.cab
    [2009/09/04 18:01:04 | 000,191,712 | ---- | M] () -- C:\Program Files\DEC2006_d3dx10_00_x86.cab
    [2009/09/04 18:01:04 | 001,571,154 | ---- | M] () -- C:\Program Files\DEC2006_d3dx9_32_x64.cab
    [2009/09/04 18:01:04 | 001,574,376 | ---- | M] () -- C:\Program Files\DEC2006_d3dx9_32_x86.cab
    [2009/09/04 18:01:04 | 000,192,467 | ---- | M] () -- C:\Program Files\DEC2006_XACT_x64.cab
    [2009/09/04 18:01:06 | 000,145,591 | ---- | M] () -- C:\Program Files\DEC2006_XACT_x86.cab
    [2009/09/04 18:01:08 | 000,094,024 | ---- | M] (Microsoft Corporation) -- C:\Program Files\DSETUP.dll
    [2009/09/04 18:01:08 | 001,691,464 | ---- | M] (Microsoft Corporation) -- C:\Program Files\dsetup32.dll
    [2009/09/04 18:01:08 | 000,044,440 | ---- | M] () -- C:\Program Files\dxdllreg_x86.cab
    [2009/09/04 18:01:08 | 013,264,168 | ---- | M] () -- C:\Program Files\dxnt.cab
    [2009/09/04 18:01:10 | 000,525,656 | ---- | M] (Microsoft Corporation) -- C:\Program Files\DXSETUP.exe
    [2009/09/04 18:01:08 | 000,095,637 | ---- | M] () -- C:\Program Files\dxupdate.cab
    [2009/09/04 18:01:08 | 001,247,499 | ---- | M] () -- C:\Program Files\Feb2005_d3dx9_24_x64.cab
    [2009/09/04 18:01:08 | 001,013,225 | ---- | M] () -- C:\Program Files\Feb2005_d3dx9_24_x86.cab
    [2009/09/04 18:01:10 | 001,362,796 | ---- | M] () -- C:\Program Files\Feb2006_d3dx9_29_x64.cab
    [2009/09/04 18:01:08 | 001,084,712 | ---- | M] () -- C:\Program Files\Feb2006_d3dx9_29_x86.cab
    [2009/09/04 18:01:10 | 000,178,359 | ---- | M] () -- C:\Program Files\Feb2006_XACT_x64.cab
    [2009/09/04 18:01:08 | 000,132,409 | ---- | M] () -- C:\Program Files\Feb2006_XACT_x86.cab
    [2009/09/04 18:01:08 | 000,194,667 | ---- | M] () -- C:\Program Files\FEB2007_XACT_x64.cab
    [2009/09/04 18:01:08 | 000,147,983 | ---- | M] () -- C:\Program Files\FEB2007_XACT_x86.cab
    [2009/09/04 18:01:10 | 001,336,002 | ---- | M] () -- C:\Program Files\Jun2005_d3dx9_26_x64.cab
    [2009/09/04 18:01:10 | 001,064,925 | ---- | M] () -- C:\Program Files\Jun2005_d3dx9_26_x86.cab
    [2009/09/04 18:01:08 | 000,180,777 | ---- | M] () -- C:\Program Files\JUN2006_XACT_x64.cab
    [2009/09/04 18:01:08 | 000,133,663 | ---- | M] () -- C:\Program Files\JUN2006_XACT_x86.cab
    [2009/09/04 18:01:10 | 000,699,044 | ---- | M] () -- C:\Program Files\JUN2007_d3dx10_34_x64.cab
    [2009/09/04 18:01:10 | 000,698,464 | ---- | M] () -- C:\Program Files\JUN2007_d3dx10_34_x86.cab
    [2009/09/04 18:01:10 | 001,607,766 | ---- | M] () -- C:\Program Files\JUN2007_d3dx9_34_x64.cab
    [2009/09/04 18:01:10 | 001,607,278 | ---- | M] () -- C:\Program Files\JUN2007_d3dx9_34_x86.cab
    [2009/09/04 18:01:10 | 000,197,114 | ---- | M] () -- C:\Program Files\JUN2007_XACT_x64.cab
    [2009/09/04 18:01:10 | 000,152,901 | ---- | M] () -- C:\Program Files\JUN2007_XACT_x86.cab
    [2009/09/04 18:01:10 | 000,867,828 | ---- | M] () -- C:\Program Files\JUN2008_d3dx10_38_x64.cab
    [2009/09/04 18:01:10 | 000,849,919 | ---- | M] () -- C:\Program Files\JUN2008_d3dx10_38_x86.cab
    [2009/09/04 18:01:10 | 001,792,600 | ---- | M] () -- C:\Program Files\JUN2008_d3dx9_38_x64.cab
    [2009/09/04 18:01:10 | 001,463,878 | ---- | M] () -- C:\Program Files\JUN2008_d3dx9_38_x86.cab
    [2009/09/04 18:01:10 | 000,055,154 | ---- | M] () -- C:\Program Files\JUN2008_X3DAudio_x64.cab
    [2009/09/04 18:01:12 | 000,021,905 | ---- | M] () -- C:\Program Files\JUN2008_X3DAudio_x86.cab
    [2009/09/04 18:01:12 | 000,121,054 | ---- | M] () -- C:\Program Files\JUN2008_XACT_x64.cab
    [2009/09/04 18:01:12 | 000,093,128 | ---- | M] () -- C:\Program Files\JUN2008_XACT_x86.cab
    [2009/09/04 18:01:12 | 000,269,620 | ---- | M] () -- C:\Program Files\JUN2008_XAudio_x64.cab
    [2009/09/04 18:01:12 | 000,269,016 | ---- | M] () -- C:\Program Files\JUN2008_XAudio_x86.cab
    [2009/09/04 18:01:12 | 000,844,884 | ---- | M] () -- C:\Program Files\Mar2008_d3dx10_37_x64.cab
    [2009/09/04 18:01:12 | 000,818,260 | ---- | M] () -- C:\Program Files\Mar2008_d3dx10_37_x86.cab
    [2009/09/04 18:01:12 | 001,769,862 | ---- | M] () -- C:\Program Files\Mar2008_d3dx9_37_x64.cab
    [2009/09/04 18:01:12 | 001,443,274 | ---- | M] () -- C:\Program Files\Mar2008_d3dx9_37_x86.cab
    [2009/09/04 18:01:12 | 000,055,050 | ---- | M] () -- C:\Program Files\Mar2008_X3DAudio_x64.cab
    [2009/09/04 18:01:14 | 000,021,867 | ---- | M] () -- C:\Program Files\Mar2008_X3DAudio_x86.cab
    [2009/09/04 18:01:14 | 000,122,336 | ---- | M] () -- C:\Program Files\Mar2008_XACT_x64.cab
    [2009/09/04 18:01:14 | 000,093,726 | ---- | M] () -- C:\Program Files\Mar2008_XACT_x86.cab
    [2009/09/04 18:01:14 | 000,251,186 | ---- | M] () -- C:\Program Files\Mar2008_XAudio_x64.cab
    [2009/09/04 18:01:14 | 000,226,242 | ---- | M] () -- C:\Program Files\Mar2008_XAudio_x86.cab
    [2009/09/04 18:01:14 | 001,067,160 | ---- | M] () -- C:\Program Files\Mar2009_d3dx10_41_x64.cab
    [2009/09/04 18:01:14 | 001,040,737 | ---- | M] () -- C:\Program Files\Mar2009_d3dx10_41_x86.cab
    [2009/09/04 18:01:14 | 001,973,702 | ---- | M] () -- C:\Program Files\Mar2009_d3dx9_41_x64.cab
    [2009/09/04 18:01:14 | 001,612,446 | ---- | M] () -- C:\Program Files\Mar2009_d3dx9_41_x86.cab
    [2009/09/04 18:01:14 | 000,054,600 | ---- | M] () -- C:\Program Files\Mar2009_X3DAudio_x64.cab
    [2009/09/04 18:01:14 | 000,021,298 | ---- | M] () -- C:\Program Files\Mar2009_X3DAudio_x86.cab
    [2009/09/04 18:01:14 | 000,121,506 | ---- | M] () -- C:\Program Files\Mar2009_XACT_x64.cab
    [2009/09/04 18:01:14 | 000,092,732 | ---- | M] () -- C:\Program Files\Mar2009_XACT_x86.cab
    [2009/09/04 18:01:14 | 000,275,036 | ---- | M] () -- C:\Program Files\Mar2009_XAudio_x64.cab
    [2009/09/04 18:01:14 | 000,273,010 | ---- | M] () -- C:\Program Files\Mar2009_XAudio_x86.cab
    [2009/09/04 18:01:14 | 000,864,600 | ---- | M] () -- C:\Program Files\Nov2007_d3dx10_36_x64.cab
    [2009/09/04 18:01:18 | 000,803,876 | ---- | M] () -- C:\Program Files\Nov2007_d3dx10_36_x86.cab
    [2009/09/04 18:01:18 | 001,802,058 | ---- | M] () -- C:\Program Files\Nov2007_d3dx9_36_x64.cab
    [2009/09/04 18:01:18 | 001,709,360 | ---- | M] () -- C:\Program Files\Nov2007_d3dx9_36_x86.cab
    [2009/09/04 18:01:18 | 000,046,144 | ---- | M] () -- C:\Program Files\NOV2007_X3DAudio_x64.cab
    [2009/09/04 18:01:18 | 000,018,496 | ---- | M] () -- C:\Program Files\NOV2007_X3DAudio_x86.cab
    [2009/09/04 18:01:18 | 000,196,754 | ---- | M] () -- C:\Program Files\NOV2007_XACT_x64.cab
    [2009/09/04 18:01:18 | 000,148,264 | ---- | M] () -- C:\Program Files\NOV2007_XACT_x86.cab
    [2009/09/04 18:01:20 | 000,994,154 | ---- | M] () -- C:\Program Files\Nov2008_d3dx10_40_x64.cab
    [2009/09/04 18:01:18 | 000,965,421 | ---- | M] () -- C:\Program Files\Nov2008_d3dx10_40_x86.cab
    [2009/09/04 18:01:18 | 001,906,870 | ---- | M] () -- C:\Program Files\Nov2008_d3dx9_40_x64.cab
    [2009/09/04 18:01:20 | 001,550,796 | ---- | M] () -- C:\Program Files\Nov2008_d3dx9_40_x86.cab
    [2009/09/04 18:01:20 | 000,054,522 | ---- | M] () -- C:\Program Files\Nov2008_X3DAudio_x64.cab
    [2009/09/04 18:01:20 | 000,021,843 | ---- | M] () -- C:\Program Files\Nov2008_X3DAudio_x86.cab
    [2009/09/04 18:01:20 | 000,121,786 | ---- | M] () -- C:\Program Files\Nov2008_XACT_x64.cab
    [2009/09/04 18:01:20 | 000,092,676 | ---- | M] () -- C:\Program Files\Nov2008_XACT_x86.cab
    [2009/09/04 18:01:20 | 000,273,960 | ---- | M] () -- C:\Program Files\Nov2008_XAudio_x64.cab
    [2009/09/04 18:01:20 | 000,272,603 | ---- | M] () -- C:\Program Files\Nov2008_XAudio_x86.cab
    [2009/09/04 18:01:20 | 000,086,029 | ---- | M] () -- C:\Program Files\Oct2005_xinput_x64.cab
    [2009/09/04 18:01:20 | 000,045,351 | ---- | M] () -- C:\Program Files\Oct2005_xinput_x86.cab
    [2009/09/04 18:01:20 | 001,412,894 | ---- | M] () -- C:\Program Files\OCT2006_d3dx9_31_x64.cab
    [2009/09/04 18:01:20 | 001,127,209 | ---- | M] () -- C:\Program Files\OCT2006_d3dx9_31_x86.cab
    [2009/09/04 18:01:20 | 000,182,361 | ---- | M] () -- C:\Program Files\OCT2006_XACT_x64.cab
    [2009/09/04 18:01:20 | 000,138,009 | ---- | M] () -- C:\Program Files\OCT2006_XACT_x86.cab

    < %APPDATA%\Update\*.* >

    < %systemroot%\*. /mp /s >

    < %systemroot%\System32\config\*.sav >
    [2011/07/05 20:25:45 | 000,237,568 | ---- | M] () -- C:\WINDOWS\System32\config\default.sav
    [2011/07/05 22:58:18 | 000,032,768 | ---- | M] () -- C:\WINDOWS\System32\config\security.sav
    [2011/07/05 20:25:45 | 009,175,040 | ---- | M] () -- C:\WINDOWS\System32\config\software.sav
    [2011/07/05 20:25:45 | 001,495,040 | ---- | M] () -- C:\WINDOWS\System32\config\system.sav

    < %PROGRAMFILES%\bak. /s >

    < %systemroot%\system32\bak. /s >

    < %ALLUSERSPROFILE%\Start Menu\*.lnk /x >
    [2011/07/06 03:43:38 | 000,000,294 | -HS- | M] () -- C:\Documents and Settings\All Users\Start Menu\desktop.ini

    < %systemroot%\system32\config\systemprofile\*.dat /x >

    < %systemroot%\*.config >

    < %systemroot%\system32\*.db >

    < %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x >
    [2011/07/06 03:51:03 | 000,000,119 | -HS- | M] () -- C:\Documents and Settings\Chris Wright\Application Data\Microsoft\Internet Explorer\Quick Launch\desktop.ini
    [2011/07/06 03:51:03 | 000,000,079 | ---- | M] () -- C:\Documents and Settings\Chris Wright\Application Data\Microsoft\Internet Explorer\Quick Launch\Show Desktop.scf

    < %USERPROFILE%\Desktop\*.exe >
    [2011/12/18 20:44:20 | 001,916,416 | ---- | M] (AVAST Software) -- C:\Documents and Settings\Chris Wright\Desktop\aswMBR.exe
    [2011/12/14 17:25:52 | 000,050,688 | ---- | M] (Atribune.org) -- C:\Documents and Settings\Chris Wright\Desktop\ATF-Cleaner.exe
    [2011/12/18 20:58:10 | 004,344,515 | R--- | M] (Swearware) -- C:\Documents and Settings\Chris Wright\Desktop\ComboFix.exe
    [2011/12/14 17:22:56 | 000,132,597 | ---- | M] () -- C:\Documents and Settings\Chris Wright\Desktop\Flash_Disinfector.exe
    [2011/12/15 20:35:49 | 074,384,952 | ---- | M] () -- C:\Documents and Settings\Chris Wright\Desktop\h4gd5quy.exe
    [2011/11/25 22:48:06 | 000,270,142 | ---- | M] () -- C:\Documents and Settings\Chris Wright\Desktop\Minecraft.exe
    [2011/12/19 19:04:14 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Chris Wright\Desktop\OTL.exe
    [2011/12/17 14:57:36 | 000,302,592 | ---- | M] () -- C:\Documents and Settings\Chris Wright\Desktop\q90eu4v7.exe
    [2011/12/17 17:45:30 | 064,207,032 | ---- | M] () -- C:\Documents and Settings\Chris Wright\Desktop\setup_av_free.exe
    [2011/12/18 20:15:58 | 001,577,264 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Chris Wright\Desktop\tdsskiller.exe

    < %PROGRAMFILES%\Common Files\*.* >

    < %systemroot%\*.src >

    < %systemroot%\install\*.* >

    < %systemroot%\system32\DLL\*.* >

    < %systemroot%\system32\HelpFiles\*.* >

    < %systemroot%\system32\rundll\*.* >

    < %systemroot%\winn32\*.* >

    < %systemroot%\Java\*.* >

    < %systemroot%\system32\test\*.* >

    < %systemroot%\system32\Rundll32\*.* >

    < %systemroot%\AppPatch\Custom\*.* >

    < %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x >

    < %PROGRAMFILES%\PC-Doctor\Downloads\*.* >

    < %PROGRAMFILES%\Internet Explorer\*.tmp >

    < %PROGRAMFILES%\Internet Explorer\*.dat >

    < %USERPROFILE%\My Documents\*.exe >

    < %USERPROFILE%\*.exe >

    < %systemroot%\ADDINS\*.* >

    < %systemroot%\assembly\*.bak2 >

    < %systemroot%\Config\*.* >

    < %systemroot%\REPAIR\*.bak2 >

    < %systemroot%\SECURITY\Database\*.sdb /x >

    < %systemroot%\SYSTEM\*.bak2 >

    < %systemroot%\Web\*.bak2 >

    < %systemroot%\Driver Cache\*.* >

    < %PROGRAMFILES%\Mozilla Firefox\0*.exe >

    < %ProgramFiles%\Microsoft Common\*.* >

    < %ProgramFiles%\TinyProxy. >

    < %USERPROFILE%\Favorites\*.url /x >
    [2011/07/06 03:51:03 | 000,000,122 | -HS- | M] () -- C:\Documents and Settings\Chris Wright\Favorites\Desktop.ini

    < %systemroot%\system32\*.bk >

    < %systemroot%\*.te >

    < %systemroot%\system32\system32\*.* >

    < %ALLUSERSPROFILE%\*.dat /x >
    [2011/07/06 03:50:33 | 000,000,406 | RHS- | M] () -- C:\Documents and Settings\All Users\ntuser.pol

    < %systemroot%\system32\drivers\*.rmv >

    < dir /b "%systemroot%\system32\*.exe" | find /i " " /c >

    < dir /b "%systemroot%\*.exe" | find /i " " /c >

    < %PROGRAMFILES%\Microsoft\*.* >

    < %systemroot%\System32\Wbem\proquota.exe >

    < %PROGRAMFILES%\Mozilla Firefox\*.dat >

    < %USERPROFILE%\Cookies\*.txt /x >
    [2011/12/19 19:06:34 | 000,032,768 | ---- | M] () -- C:\Documents and Settings\Chris Wright\Cookies\index.dat

    < %SystemRoot%\system32\fonts\*.* >

    < %systemroot%\system32\winlog\*.* >

    < %systemroot%\system32\Language\*.* >

    < %systemroot%\system32\Settings\*.* >

    < %systemroot%\system32\*.quo >

    < %SYSTEMROOT%\AppPatch\*.exe >

    < %SYSTEMROOT%\inf\*.exe >
    [2006/08/15 15:22:37 | 000,192,512 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\inf\unregmp2.exe

    < %SYSTEMROOT%\Installer\*.exe >

    < %systemroot%\system32\config\*.bak2 >

    < %systemroot%\system32\Computers\*.* >

    < %SystemRoot%\system32\Sound\*.* >

    < %SystemRoot%\system32\SpecialImg\*.* >

    < %SystemRoot%\system32\code\*.* >

    < %SystemRoot%\system32\draft\*.* >

    < %SystemRoot%\system32\MSSSys\*.* >

    < %ProgramFiles%\Javascript\*.* >

    < %systemroot%\pchealth\helpctr\System\*.exe /s >

    < %systemroot%\Web\*.exe >

    < %systemroot%\system32\msn\*.* >

    < %systemroot%\system32\*.tro >

    < %AppData%\Microsoft\Installer\msupdates\*.* >

    < %ProgramFiles%\Messenger\*.* >
    [2008/04/13 22:41:52 | 000,033,792 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\custsat.dll
    [2007/04/02 16:37:24 | 000,004,821 | R--- | M] () -- C:\Program Files\Messenger\logowin.gif
    [2007/04/02 23:37:24 | 000,007,047 | ---- | M] () -- C:\Program Files\Messenger\lvback.gif
    [2008/05/02 08:01:49 | 000,083,968 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msgsc.dll
    [2008/04/13 23:00:30 | 000,180,224 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msgslang.dll
    [2008/04/14 05:42:30 | 001,695,232 | -HS- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msmsgs.exe
    [2001/08/23 05:00:00 | 000,009,306 | ---- | M] () -- C:\Program Files\Messenger\newalert.wav
    [2001/08/23 05:00:00 | 000,018,052 | ---- | M] () -- C:\Program Files\Messenger\newemail.wav
    [2001/08/23 05:00:00 | 000,009,306 | ---- | M] () -- C:\Program Files\Messenger\online.wav
    [2007/04/02 23:37:28 | 000,004,454 | ---- | M] () -- C:\Program Files\Messenger\type.wav
    [2007/04/02 23:34:02 | 000,115,981 | ---- | M] () -- C:\Program Files\Messenger\xpmsgr.chm

    < %systemroot%\system32\systhem32\*.* >

    < %systemroot%\system\*.exe >

    < HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >
    "AutoInstallMinorUpdates" = 1

    < HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\ Auto Update\Results\Install|LastSuccessTime /rs >


    < End of report >
     
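The OTL listing above is raw tool output, and the responder reads it by eye: which hidden+system files are not part of a normal XP system drive, which executables carry no company/version information, and which of the "should be empty" custom-scan locations actually hold a file. As an added example, not part of this thread and not OTL's own code, here is a small parser for OTL's `[date | size | attrs | M] (Company) -- path` lines with those three triage heuristics applied over constructed sample lines. The baseline of expected hidden+system files, the list of directories expected to hold no executables, and the sample entries are assumptions chosen for illustration; a renamed scanner such as the GMER copy in this thread will trip the "no company" rule too, so treat hits as cues for manual review, not verdicts.

```python
"""Triage helper for OTL-style file listings (added example, not OTL's own code)."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# One OTL file line:  [date | size | attrs | M] (Company) -- path
# The "(Company)" part is absent for directory entries and is "()" for
# files that carry no version resource.
OTL_LINE = re.compile(
    r"^\s*\[(?P<date>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})"
    r" \| (?P<size>[\d,]+)"
    r" \| (?P<attrs>[RHSD-]{4})"
    r" \| (?P<flag>[MC])\]"
    r"(?: \((?P<company>[^)]*)\))?"
    r" -- (?P<path>.+?)\s*$"
)

EXEC_EXT = (".exe", ".dll", ".scr", ".sys", ".com", ".pif", ".cpl")

# Hidden+System files that are normal on an XP system drive.
# Assumption: a minimal baseline; extend it for your own builds.
BASELINE_HS = {
    "boot.ini", "ntldr", "ntdetect.com", "io.sys", "msdos.sys",
    "pagefile.sys", "desktop.ini", "ntuser.pol", "cmldr",
}

# Directories the OTL custom scans probe because a clean install leaves
# them without executables (assumption: drawn from the scan headers).
EMPTY_OF_EXEC_DIRS = (
    "\\windows\\fonts\\", "\\system32\\rundll\\", "\\system32\\dll\\",
    "\\system32\\system32\\", "\\windows\\java\\", "\\system32\\test\\",
    "\\system32\\rundll32\\", "\\winn32\\",
)


@dataclass
class Entry:
    date: str
    size: int
    attrs: str               # four flags R H S D, '-' when unset
    company: Optional[str]   # None for directories, "" for no version info
    path: str

    @property
    def is_dir(self) -> bool:
        return "D" in self.attrs

    @property
    def hidden_system(self) -> bool:
        return "H" in self.attrs and "S" in self.attrs

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1]

    @property
    def is_exec(self) -> bool:
        return self.name.lower().endswith(EXEC_EXT)


def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry for a file/dir line; None for headers and blanks."""
    m = OTL_LINE.match(line)
    if not m:
        return None
    return Entry(date=m["date"], size=int(m["size"].replace(",", "")),
                 attrs=m["attrs"], company=m["company"], path=m["path"])


def triage(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Apply three responder heuristics; returns (path, reason) pairs in input order."""
    findings: List[Tuple[str, str]] = []
    for raw in lines:
        e = parse_line(raw)
        if e is None or e.is_dir:
            continue
        lower = e.path.lower()
        if e.hidden_system and e.name.lower() not in BASELINE_HS:
            findings.append((e.path, "hidden+system file outside baseline"))
        if e.is_exec and e.company == "":
            findings.append((e.path, "executable with no company/version info"))
        if e.is_exec and any(d in lower for d in EMPTY_OF_EXEC_DIRS):
            findings.append((e.path, "executable in a directory that should hold none"))
    return findings


# Constructed sample lines in OTL format (not taken from a real machine).
SAMPLE = """\
< %SYSTEMDRIVE%\\*.* >
[2011/12/13 21:03:00 | 000,000,437 | RHS- | M] () -- C:\\boot.ini
[2011/12/17 14:57:36 | 000,302,592 | ---- | M] () -- C:\\Documents and Settings\\user\\Desktop\\a1b2c3d4.exe
[2011/11/28 12:01:25 | 000,041,184 | ---- | M] (AVAST Software) -- C:\\WINDOWS\\avastSS.scr
[2011/12/10 20:01:02 | 000,000,000 | ---D | M] -- C:\\Documents and Settings\\user\\Application Data\\gtk-2.0
[2011/12/12 03:14:15 | 000,024,576 | -HS- | M] () -- C:\\WINDOWS\\Fonts\\update.exe
"""

if __name__ == "__main__":
    for path, reason in triage(SAMPLE.splitlines()):
        print(f"{reason}: {path}")
```

Run against a saved OTL.txt with `triage(open("OTL.txt", encoding="utf-8", errors="replace"))`; the custom-scan section headers (`< ... >`) and directory entries are skipped automatically, so the whole file can be fed in unchanged.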
  15. videoart

    videoart TS Rookie Topic Starter Posts: 40

    Extras.txt

    OTL Extras logfile created on: 12/19/2011 7:08:49 PM - Run 1
    OTL by OldTimer - Version 3.2.31.0 Folder = C:\Documents and Settings\Chris Wright\Desktop
    Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
    Internet Explorer (Version = 6.0.2900.2180)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    1013.98 Mb Total Physical Memory | 724.63 Mb Available Physical Memory | 71.46% Memory free
    2.38 Gb Paging File | 2.23 Gb Available in Paging File | 93.38% Paging File free
    Paging file location(s): c:\pagefile.sys 1524 3048 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 111.78 Gb Total Space | 23.10 Gb Free Space | 20.67% Space Free | Partition Type: NTFS

    Computer Name: COMPUTER_1 | User Name: Chris Wright | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: All users | Quick Scan
    Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

    ========== Extra Registry (SafeList) ==========


    ========== File Associations ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
    .cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
    .url [@ = InternetShortcut] -- rundll32.exe ieframe.dll,OpenURL %l

    [HKEY_USERS\S-1-5-21-1644491937-1202660629-1801674531-1003\SOFTWARE\Classes\<extension>]
    .html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

    ========== Shell Spawning ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
    batfile [open] -- "%1" %*
    cmdfile [open] -- "%1" %*
    comfile [open] -- "%1" %*
    cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
    exefile [open] -- "%1" %*
    htmlfile [edit] -- Reg Error: Key error.
    https [open] -- Reg Error: Key error.
    InternetShortcut [open] -- rundll32.exe ieframe.dll,OpenURL %l
    piffile [open] -- "%1" %*
    regfile [merge] -- Reg Error: Key error.
    scrfile [config] -- "%1"
    scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
    scrfile [open] -- "%1" /S
    txtfile [edit] -- Reg Error: Key error.
    Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
    Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
    Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
    Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
    Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
    Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

    ========== Security Center Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
    "FirstRunDisabled" = 1
    "AntiVirusDisableNotify" = 0
    "FirewallDisableNotify" = 0
    "UpdatesDisableNotify" = 0
    "AntiVirusOverride" = 0
    "FirewallOverride" = 0

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

    ========== System Restore Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
    "DisableSR" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
    "Start" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
    "Start" = 2

    ========== Firewall Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
    "1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
    "2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
    "10280:UDP" = 10280:UDP:LocalSubNet:Enabled:Windows Media Connect
    "10281:UDP" = 10281:UDP:LocalSubNet:Enabled:Windows Media Connect
    "10282:UDP" = 10282:UDP:LocalSubNet:Enabled:Windows Media Connect
    "10283:UDP" = 10283:UDP:LocalSubNet:Enabled:Windows Media Connect
    "10284:UDP" = 10284:UDP:LocalSubNet:Enabled:Windows Media Connect
    "10243:TCP" = 10243:TCP:LocalSubNet:Enabled:Windows Media Connect

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    "EnableFirewall" = 1
    "DoNotAllowExceptions" = 0
    "DisableNotifications" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
    "1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
    "2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
    "10280:UDP" = 10280:UDP:LocalSubNet:Enabled:Windows Media Connect
    "10281:UDP" = 10281:UDP:LocalSubNet:Enabled:Windows Media Connect
    "10282:UDP" = 10282:UDP:LocalSubNet:Enabled:Windows Media Connect
    "10283:UDP" = 10283:UDP:LocalSubNet:Enabled:Windows Media Connect
    "10284:UDP" = 10284:UDP:LocalSubNet:Enabled:Windows Media Connect
    "10243:TCP" = 10243:TCP:LocalSubNet:Enabled:Windows Media Connect

    ========== Authorized Applications List ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    "C:\Program Files\uTorrent\uTorrent.exe" = C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:µTorrent -- (BitTorrent, Inc.)
    "C:\Program Files\VideoLAN\VLC\vlc.exe" = C:\Program Files\VideoLAN\VLC\vlc.exe:*:Disabled:VLC media player -- ()
    "C:\Program Files\Kalypso\Sins of a Solar Empire\Sins of a Solar Empire.exe" = C:\Program Files\Kalypso\Sins of a Solar Empire\Sins of a Solar Empire.exe:*:Enabled:Sins of a Solar Empire -- (Ironclad Games)
    "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" = C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe:*:Enabled:Malwarebytes' Anti-Malware -- (Malwarebytes Corporation)
    "C:\Program Files\Common Files\Java\Java Update\jucheck.exe" = C:\Program Files\Common Files\Java\Java Update\jucheck.exe:*:Enabled:Java(TM) Update Checker -- (Sun Microsystems, Inc.)
    "C:\Program Files\Mozilla Firefox\firefox.exe" = C:\Program Files\Mozilla Firefox\firefox.exe:*:Enabled:Firefox -- (Mozilla Corporation)
    "C:\Documents and Settings\All Users\Application Data\MFAData\SelfUpd\avgmfapx.exe" = C:\Documents and Settings\All Users\Application Data\MFAData\SelfUpd\avgmfapx.exe:*:Enabled:AVG Installer Application -- (AVG Technologies CZ, s.r.o.)


    ========== HKEY_LOCAL_MACHINE Uninstall List ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "{0CB3C535-1171-4A20-B549-E2CB5DEB9723}" = MySQL Connector/ODBC 3.51
    "{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    "{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
    "{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
    "{26A24AE4-039D-4CA4-87B4-2F83216026FF}" = Java(TM) 6 Update 26
    "{28BE306E-5DA6-4F9C-BDB0-DBA3C8C6FFFD}" = QuickTime
    "{2934DCB0-F8EE-11E0-A4A5-B8AC6F97B88E}" = Google Earth Plug-in
    "{3175E049-F9A9-4A3D-8F19-AC9FB04514D1}" = Windows Live Communications Platform
    "{34D2AB40-150D-475D-AE32-BD23FB5EE355}" = HP Quick Launch Buttons
    "{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
    "{45338B07-A236-4270-9A77-EBB4115517B5}" = Windows Live Sign-in Assistant
    "{474F25F5-BDC9-40E5-B1B6-F6BF23FC106F}" = Windows Live Essentials
    "{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
    "{553255F3-78FD-40F1-A6F8-6882140265FE}" = Apple Application Support
    "{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
    "{7131646D-CD3C-40F4-97B9-CD9E4E6262EF}" = Microsoft .NET Framework 2.0
    "{7CCEBC24-62DB-4280-A8EC-BFA49F167920}" = Software Update for Web Folders
    "{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
    "{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
    "{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI
    "{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
    "{AC76BA86-7AD7-1033-7B44-A71000000002}" = Adobe Reader 7.1.0
    "{B57EAFF2-D6EE-4C6C-9175-ED9F17BFC1BC}" = Windows Live Messenger
    "{C3ABE126-2BB2-4246-BFE1-6797679B3579}" = LG USB Modem driver
    "{CAE7D1D9-3794-4169-B4DD-964ADBC534EE}" = HP Product Detection
    "{E6158D07-2637-4ECF-B576-37C489669174}" = Windows Live Call
    "{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
    "{F1D7AC58-554A-4A58-B784-B61558B1449A}" = QLBCASL
    "7-Zip" = 7-Zip 9.20
    "Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
    "Audacity_is1" = Audacity 1.2.6
    "avast" = avast! Free Antivirus
    "CDisplay_is1" = CDisplay 1.8
    "CNXT_HDAUDIO" = Conexant HD Audio
    "DVD Flick_is1" = DVD Flick 1.3.0.7
    "ffdshow_is1" = ffdshow [beta 1] [2006-12-11]
    "Handbrake" = Handbrake 0.9.4
    "KLiteCodecPack_is1" = K-Lite Mega Codec Pack 5.7.0
    "LManager" = Launch Manager
    "Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware version 1.51.2.1300
    "Microsoft .NET Framework 2.0" = Microsoft .NET Framework 2.0
    "Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
    "Minecraft Beta Cracked" = Minecraft Beta Cracked
    "Mozilla Firefox 8.0.1 (x86 en-US)" = Mozilla Firefox 8.0.1 (x86 en-US)
    "NVIDIA Drivers" = NVIDIA Drivers
    "PROSet" = Intel(R) PRO Network Connections Drivers
    "Replay Media Catcher 3.02" = Replay Media Catcher 3.02
    "Replay Media Catcher 4" = Replay Media Catcher 4 (4.3.0)
    "Sins of a Solar Empire Trinity_is1" = Sins of a Solar Empire Trinity
    "SINSOASE_is1" = Sins of a Solar Empire
    "ST5UNST #1" = Annihilator
    "uTorrent" = µTorrent
    "VirtualCloneDrive" = VirtualCloneDrive
    "VLC media player" = VLC media player 1.1.10
    "WinLiveSuite_Wave3" = Windows Live Essentials
    "WinPcapInst" = WinPcap 4.1.2
    "WinRAR archiver" = WinRAR 4.01 (32-bit)

    ========== Last 10 Event Log Errors ==========

    [ Application Events ]
    Error - 9/28/2011 12:14:02 AM | Computer Name = COMPUTER_1 | Source = Application Error | ID = 1000
    Description = Faulting application winrott_full_v2.24.exe, version 1.2.2.0, faulting
    module winrott_full_v2.24.exe, version 1.2.2.0, fault address 0x0011ee25.

    Error - 10/7/2011 8:19:57 PM | Computer Name = COMPUTER_1 | Source = Application Error | ID = 1000
    Description = Faulting application winrott_full_v2.24.exe, version 1.2.2.0, faulting
    module winrott_full_v2.24.exe, version 1.2.2.0, fault address 0x000fdd90.

    Error - 10/8/2011 6:49:07 PM | Computer Name = COMPUTER_1 | Source = Application Error | ID = 1000
    Description = Faulting application winrott_full_v2.24.exe, version 1.2.2.0, faulting
    module winrott_full_v2.24.exe, version 1.2.2.0, fault address 0x0011ee25.

    [ System Events ]
    Error - 12/18/2011 11:04:02 PM | Computer Name = COMPUTER_1 | Source = Service Control Manager | ID = 7003
    Description = The TCP/IP Protocol Driver service depends on the following nonexistent
    service: IPSec

    Error - 12/18/2011 11:04:02 PM | Computer Name = COMPUTER_1 | Source = Service Control Manager | ID = 7001
    Description = The Network Location Awareness (NLA) service depends on the TCP/IP
    Protocol Driver service which failed to start because of the following error: %%1075

    Error - 12/19/2011 6:28:57 PM | Computer Name = COMPUTER_1 | Source = NetBT | ID = 4311
    Description = Initialization failed because the driver device could not be created.

    Error - 12/19/2011 6:31:13 PM | Computer Name = COMPUTER_1 | Source = Service Control Manager | ID = 7001
    Description = The DHCP Client service depends on the TCP/IP Protocol Driver service
    which failed to start because of the following error: %%31

    Error - 12/19/2011 6:31:13 PM | Computer Name = COMPUTER_1 | Source = Service Control Manager | ID = 7001
    Description = The DNS Client service depends on the TCP/IP Protocol Driver service
    which failed to start because of the following error: %%31

    Error - 12/19/2011 6:31:13 PM | Computer Name = COMPUTER_1 | Source = Service Control Manager | ID = 7000
    Description = The StarOpen service failed to start due to the following error: %%2

    Error - 12/19/2011 6:31:13 PM | Computer Name = COMPUTER_1 | Source = Service Control Manager | ID = 7003
    Description = The IPSEC Services service depends on the following nonexistent service:
    IPSec

    Error - 12/19/2011 6:31:13 PM | Computer Name = COMPUTER_1 | Source = Service Control Manager | ID = 7001
    Description = The Universal Plug and Play Device Host service depends on the SSDP
    Discovery Service service which failed to start because of the following error:
    %%0

    Error - 12/19/2011 6:31:13 PM | Computer Name = COMPUTER_1 | Source = Service Control Manager | ID = 7023
    Description = The Windows Firewall/Internet Connection Sharing (ICS) service terminated
    with the following error: %%2

    Error - 12/19/2011 6:31:13 PM | Computer Name = COMPUTER_1 | Source = Service Control Manager | ID = 7026
    Description = The following boot-start or system-start driver(s) failed to load:
    Tcpip


    < End of report >
     
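The Service Control Manager entries in the event-log section above form a dependency chain: IPSec is reported nonexistent, the Tcpip boot-start driver fails to load, and DHCP, DNS, NLA and the firewall service then fail only because TCP/IP is down. As an added triage example (not from the thread or from any tool it names), this Python parses events in the OTL report format and separates those root failures from the dependent ones; the log text is a constructed excerpt modelled on the report.

```python
import re

# Constructed excerpt in the format of the OTL "Last 10 Event Log Errors" section.
SAMPLE_LOG = """\
Error - 12/18/2011 11:04:02 PM | Computer Name = COMPUTER_1 | Source = Service Control Manager | ID = 7003
Description = The TCP/IP Protocol Driver service depends on the following nonexistent
service: IPSec

Error - 12/19/2011 6:31:13 PM | Computer Name = COMPUTER_1 | Source = Service Control Manager | ID = 7001
Description = The DHCP Client service depends on the TCP/IP Protocol Driver service
which failed to start because of the following error: %%31

Error - 12/19/2011 6:31:13 PM | Computer Name = COMPUTER_1 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
Tcpip
"""

HEADER = re.compile(r"^Error - .*\| Source = (?P<src>[^|]+?) \| ID = (?P<id>\d+)$")
MISSING = re.compile(r"^The (?P<svc>.+?) service depends on the following nonexistent service: (?P<dep>.+)$")
DEPENDS = re.compile(r"^The (?P<svc>.+?) service depends on the (?P<dep>.+?) service which failed")
NOLOAD = re.compile(r"failed to load: (?P<drv>.+)$")

def parse_events(text):
    """Split the OTL event section into records; OTL wraps descriptions, so rejoin them."""
    events, cur = [], None
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if m:
            cur = {"source": m["src"].strip(), "id": int(m["id"]), "desc": ""}
            events.append(cur)
        elif cur is not None and line.strip():
            cur["desc"] = (cur["desc"] + " " + line.strip()).strip()
    for e in events:  # drop the "Description = " prefix once the lines are joined
        e["desc"] = e["desc"].replace("Description = ", "", 1)
    return events

def service_failure_chain(text):
    """Separate root causes (missing service, driver not loaded) from services that
    failed only because a dependency failed, so triage starts at the root."""
    roots, dependents = [], []
    for e in parse_events(text):
        if e["source"] != "Service Control Manager":
            continue
        if m := MISSING.match(e["desc"]):
            roots.append(("missing service", m["dep"]))
        elif m := NOLOAD.search(e["desc"]):
            roots.append(("driver failed to load", m["drv"]))
        elif m := DEPENDS.match(e["desc"]):
            dependents.append((m["svc"], m["dep"]))
    return {"roots": roots, "dependents": dependents}
```

Run against the full section of the report, the dependents list shows every service that can be ignored until Tcpip and IPSec are repaired.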
  16. Broni

    Broni Malware Annihilator Posts: 47,022   +255

    Possibly Avast got corrupted.
    I suggest you reinstall it.

    OTL log is clean.

    Last scans...

    1. Download Security Check from HERE, and save it to your Desktop.
    • Double-click SecurityCheck.exe
    • Follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

      NOTE SecurityCheck may produce some false warning(s), so leave the results reading to me.


    2. Download Temp File Cleaner (TFC)
    • Double click on TFC.exe to run the program.
    • Click on Start button to begin cleaning process.
    • TFC will close all running programs, and it may ask you to restart computer.


    3. Please run a free online scan with the ESET Online Scanner

    • Disable your antivirus program
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • Accept any security warnings from your browser.
    • Check Scan archives
    • Click Start
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    • When the scan completes, click on List of found threats
    • Click on Export to text file , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    • NOTE. If ESET doesn't find any threats, it won't produce any log.
     
  17. videoart

    videoart TS Rookie Topic Starter Posts: 40

    I can't thank you enough for all your help--it has been invaluable!

    Results of screen317's Security Check version 0.99.24
    Windows XP Service Pack 2 x86
    Out of date service pack!!
    Internet Explorer 6 Out of date!
    ``````````````````````````````
    Antivirus/Firewall Check:

    avast! Free Antivirus
    Antivirus up to date!
    ```````````````````````````````
    Anti-malware/Other Utilities Check:

    Malwarebytes' Anti-Malware
    Java(TM) 6 Update 26
    Out of date Java installed!
    Adobe Flash Player ( 10.3.183.11) Flash Player Out of Date!
    Mozilla Firefox (x86 en-US..)
    ````````````````````````````````
    Process Check:
    objlist.exe by Laurent

    AVAST Software Avast AvastSvc.exe
    AVAST Software Avast avastUI.exe
    ``````````End of Log````````````
     
  18. Broni

    Broni Malware Annihilator Posts: 47,022   +255

    You're very welcome

    Update IE to version 8.

    Update Adobe Flash Player
    Download the Latest Adobe Flash for Firefox and IE Without Any Extras: http://www.404techsupport.com/2010/...-flash-for-firefox-and-ie-without-any-extras/

    1. Update your Java version here: http://www.java.com/en/download/installed.jsp

    Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

    Note 2: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

    2. Now, we need to remove old Java version and its remnants...

    Download JavaRa to your desktop and unzip it to its own folder
    • Run JavaRa.exe (Vista users! Right click on JavaRa.exe, click Run As Administrator), pick the language of your choice and click Select. Then click Remove Older Versions.
    • Accept any prompts.
     
  19. videoart

    videoart TS Rookie Topic Starter Posts: 40

    Windows Firewall is disabled. When I try to turn it on, I get this message: "Windows cannot start the Windows Firewall/Internet Connection Sharing (ICS) Service."
     
  20. Broni

    Broni Malware Annihilator Posts: 47,022   +255

    Follow my previous reply, complete Eset scan and then remind me about firewall issue.
     
  21. videoart

    videoart TS Rookie Topic Starter Posts: 40

    Still getting an Error 720, so I can't connect to run the ESET online scan or apply the IE, Flash and Java updates...
     
  22. Broni

    Broni Malware Annihilator Posts: 47,022   +255

    OK, you said you had a problem with Windows firewall.
    When exactly did you lose internet connection?
    What is the exact error?
     
  23. videoart

    videoart TS Rookie Topic Starter Posts: 40

    I lost my connection just prior to seeking help here.

    This is the Firewall warning:

    Windows Firewall settings cannot be displayed because the associated service is not running. Do you want to start the Windows Firewall/Internet Connection Sharing (ICS) service?

    I click "yes", then get the following:

    Windows cannot start the Windows Firewall/Internet Connection Sharing (ICS) service.
     
  24. Broni

    Broni Malware Annihilator Posts: 47,022   +255

    Please download Farbar Service Scanner and run it on the computer with the issue.
    • Press "Scan".
    • It will create a log (FSS.txt) in the same directory the tool is run.
    • Please copy and paste the log to your reply.
     
  25. videoart

    videoart TS Rookie Topic Starter Posts: 40

    This is the net connection warning:

    Error 720: A connection to the remote computer could not be established. You might need to change the network settings for this connection. For further assistance, click More Info or search Help and Support Center for this error number.
     

