TechSpot

Malware infection need help plz

By mpete
Mar 29, 2011
  1. My son was on our computer and while on it a malware program was activated somehow? The malware was "Antimalware Doctor". Since then when I enter a search subject into any search engine and select a heading it will direct me to a generic page with similar search topics in it. I have run Malwarebytes and Spyhunter 4, they both showed certain portions of the program as infections and I had them removed, it worked fine for a few hours or until it was rebooted and then I have the search problem again.

    I have done some reading and have run an ESET program, I will attach the log file from this scan to see if anyone has any advice for a fix.

    Does anyone know how to get rid of the last elements of this infection or are there more problems?

    Thank you,
     

    Attached Files:

    • log.txt (1.3 KB)
  2. Broni

    Broni Malware Annihilator Posts: 52,890   +344

    Welcome aboard

    Please, complete all steps listed here: http://www.techspot.com/vb/topic58138.html
    Make sure you PASTE all logs. If some log exceeds the 50,000 character post limit, split it between a couple of replies.
    Attached logs won't be reviewed.

    Please observe the following rules:
    • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
    • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
    • Please refrain from running tools or applying updates other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer behavior, good, or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in the malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.
     
  3. mpete

    mpete TS Rookie Topic Starter Posts: 50

    Thank you, starting the 8 steps now.
     
  4. Broni

    Broni Malware Annihilator Posts: 52,890   +344

    OK................
     
  5. mpete

    mpete TS Rookie Topic Starter Posts: 50

    Broni,

    I have completed all the steps except I don't believe the dds step went according to your directions. I downloaded dds to the desktop and blocked scripts on Avira and McAfee. When I ran the dds it automatically popped open Notepad and it was filled with character letters and it did not give me any other screen or options, just stopped right there? I will attach the Malwarebytes and the gmer files.

    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org

    Database version: 6222

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 7.0.5730.13

    3/31/2011 5:20:13 PM
    mbam-log-2011-03-31 (17-20-13).txt

    Scan type: Quick scan
    Objects scanned: 179128
    Time elapsed: 6 minute(s), 21 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)
     
  6. mpete

    mpete TS Rookie Topic Starter Posts: 50

    GMER 1.0.15.15570 - http://www.gmer.net
    Rootkit scan 2011-03-31 18:51:11
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-17 WDC_WD2500JS-60MHB1 rev.10.02E02
    Running: gmer.exe; Driver: C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\kwwcypob.sys


    ---- System - GMER 1.0.15 ----

    SSDT F7CEDE56 ZwCreateKey
    SSDT \??\C:\Program Files\Enigma Software Group\SpyHunter\esgiguard.sys ZwCreateSection [0xF7BEA700]
    SSDT F7CEDE4C ZwCreateThread
    SSDT F7CEDE5B ZwDeleteKey
    SSDT F7CEDE65 ZwDeleteValueKey
    SSDT F7CEDE6A ZwLoadKey
    SSDT F7CEDE38 ZwOpenProcess
    SSDT F7CEDE3D ZwOpenThread
    SSDT F7CEDE74 ZwReplaceKey
    SSDT F7CEDE6F ZwRestoreKey
    SSDT F7CEDE60 ZwSetValueKey

    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xED0CF64C]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xED0CF5FA]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xED0CF60E]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateKey [0xED0CF52C]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0xED0CF516]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xED0CF68C]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xED0CF558]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xED0CF45C]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xED0CF660]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryKey [0xED0CF59E]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xED0CF500]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryValueKey [0xED0CF4EA]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xED0CF4A2]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xED0CF638]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xED0CF624]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xED0CF6BB]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnloadKey [0xED0CF542]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xED0CF6A2]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xED0CF676]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

    ---- Kernel code sections - GMER 1.0.15 ----

    .text ntkrnlpa.exe!ZwYieldExecution 80504B08 7 Bytes JMP ED0CF67A \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!NtCreateFile 805790A8 5 Bytes JMP ED0CF650 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!NtMapViewOfSection 805B203A 7 Bytes JMP ED0CF690 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805B2E48 5 Bytes JMP ED0CF6A6 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwProtectVirtualMemory 805B841E 7 Bytes JMP ED0CF664 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!NtSetInformationProcess 805CDE8A 5 Bytes JMP ED0CF628 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwCreateProcessEx 805D117A 7 Bytes JMP ED0CF612 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwCreateProcess 805D1230 5 Bytes JMP ED0CF5FE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwSetContextThread 805D173A 5 Bytes JMP ED0CF63C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwTerminateProcess 805D29E2 5 Bytes JMP ED0CF6BF \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwQueryValueKey 80622314 7 Bytes JMP ED0CF4EE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwUnloadKey 8062298C 7 Bytes JMP ED0CF546 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwQueryMultipleValueKey 8062323E 7 Bytes JMP ED0CF504 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwRenameKey 80623B12 7 Bytes JMP ED0CF4A6 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwEnumerateKey 8062493C 7 Bytes JMP ED0CF530 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwEnumerateValueKey 80624BA6 7 Bytes JMP ED0CF51A \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwOpenKey 806254CE 5 Bytes JMP ED0CF460 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwQueryKey 80625810 7 Bytes JMP ED0CF5A2 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwNotifyChangeKey 806262DE 5 Bytes JMP ED0CF55C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    init C:\WINDOWS\System32\Drivers\sunkfilt.sys entry point in "init" section [0xF79A0300]

    ---- User code sections - GMER 1.0.15 ----

    .text C:\WINDOWS\system32\services.exe[828] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00760FEF
    .text C:\WINDOWS\system32\services.exe[828] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00760F77
    .text C:\WINDOWS\system32\services.exe[828] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 0076006C
    .text C:\WINDOWS\system32\services.exe[828] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 0076005B
    .text C:\WINDOWS\system32\services.exe[828] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00760F9E
    .text C:\WINDOWS\system32\services.exe[828] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00760FC3
    .text C:\WINDOWS\system32\services.exe[828] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00760F3F
    .text C:\WINDOWS\system32\services.exe[828] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00760087
    .text C:\WINDOWS\system32\services.exe[828] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 007600B6
    .text C:\WINDOWS\system32\services.exe[828] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00760F13
    .text C:\WINDOWS\system32\services.exe[828] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00760F02
    .text C:\WINDOWS\system32\services.exe[828] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 0076004A
    .text C:\WINDOWS\system32\services.exe[828] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 0076000A
    .text C:\WINDOWS\system32\services.exe[828] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00760F66
    .text C:\WINDOWS\system32\services.exe[828] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 0076002F
    .text C:\WINDOWS\system32\services.exe[828] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00760FDE
    .text C:\WINDOWS\system32\services.exe[828] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00760F2E
    .text C:\WINDOWS\system32\services.exe[828] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 0075000A
    .text C:\WINDOWS\system32\services.exe[828] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00750F83
    .text C:\WINDOWS\system32\services.exe[828] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00750FC3
    .text C:\WINDOWS\system32\services.exe[828] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00750FD4
    .text C:\WINDOWS\system32\services.exe[828] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00750040
    .text C:\WINDOWS\system32\services.exe[828] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00750FEF
    .text C:\WINDOWS\system32\services.exe[828] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00750025
    .text C:\WINDOWS\system32\services.exe[828] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00750F9E
    .text C:\WINDOWS\system32\services.exe[828] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00740047
    .text C:\WINDOWS\system32\services.exe[828] msvcrt.dll!system 77C293C7 5 Bytes JMP 00740FB2
    .text C:\WINDOWS\system32\services.exe[828] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00740FDE
    .text C:\WINDOWS\system32\services.exe[828] msvcrt.dll!_open 77C2F566 5 Bytes JMP 0074000C
    .text C:\WINDOWS\system32\services.exe[828] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00740FCD
    .text C:\WINDOWS\system32\services.exe[828] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00740FEF
    .text C:\WINDOWS\system32\services.exe[828] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00730000
    .text C:\WINDOWS\system32\lsass.exe[840] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00A10000
    .text C:\WINDOWS\system32\lsass.exe[840] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00A10F52
    .text C:\WINDOWS\system32\lsass.exe[840] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00A10F63
    .text C:\WINDOWS\system32\lsass.exe[840] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00A1003D
    .text C:\WINDOWS\system32\lsass.exe[840] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00A10F80
    .text C:\WINDOWS\system32\lsass.exe[840] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00A10FC0
    .text C:\WINDOWS\system32\lsass.exe[840] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00A10F26
    .text C:\WINDOWS\system32\lsass.exe[840] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00A10F37
    .text C:\WINDOWS\system32\lsass.exe[840] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00A100B5
    .text C:\WINDOWS\system32\lsass.exe[840] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00A100A4
    .text C:\WINDOWS\system32\lsass.exe[840] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00A100C6
    .text C:\WINDOWS\system32\lsass.exe[840] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00A10FA5
    .text C:\WINDOWS\system32\lsass.exe[840] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00A1001B
    .text C:\WINDOWS\system32\lsass.exe[840] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00A10062
    .text C:\WINDOWS\system32\lsass.exe[840] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00A1002C
    .text C:\WINDOWS\system32\lsass.exe[840] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00A10FE5
    .text C:\WINDOWS\system32\lsass.exe[840] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00A10089
    .text C:\WINDOWS\system32\lsass.exe[840] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00A00025
    .text C:\WINDOWS\system32\lsass.exe[840] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00A00065
    .text C:\WINDOWS\system32\lsass.exe[840] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00A00FD4
    .text C:\WINDOWS\system32\lsass.exe[840] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00A0000A
    .text C:\WINDOWS\system32\lsass.exe[840] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00A00054
    .text C:\WINDOWS\system32\lsass.exe[840] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00A00FEF
    .text C:\WINDOWS\system32\lsass.exe[840] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00A00FB2
    .text C:\WINDOWS\system32\lsass.exe[840] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [C0, 88]
    .text C:\WINDOWS\system32\lsass.exe[840] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00A00FC3
    .text C:\WINDOWS\system32\lsass.exe[840] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 009F0033
    .text C:\WINDOWS\system32\lsass.exe[840] msvcrt.dll!system 77C293C7 5 Bytes JMP 009F0022
    .text C:\WINDOWS\system32\lsass.exe[840] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 009F0011
    .text C:\WINDOWS\system32\lsass.exe[840] msvcrt.dll!_open 77C2F566 5 Bytes JMP 009F0FEF
    .text C:\WINDOWS\system32\lsass.exe[840] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 009F0FBC
    .text C:\WINDOWS\system32\lsass.exe[840] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 009F0000
    .text C:\WINDOWS\system32\lsass.exe[840] WS2_32.dll!socket 71AB4211 5 Bytes JMP 009E0FEF
    .text C:\WINDOWS\system32\svchost.exe[1068] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00A70000
    .text C:\WINDOWS\system32\svchost.exe[1068] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00A70F3E
    .text C:\WINDOWS\system32\svchost.exe[1068] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00A70F59
    .text C:\WINDOWS\system32\svchost.exe[1068] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00A7003D
    .text C:\WINDOWS\system32\svchost.exe[1068] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00A7002C
    .text C:\WINDOWS\system32\svchost.exe[1068] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00A70FA5
    .text C:\WINDOWS\system32\svchost.exe[1068] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00A70F10
    .text C:\WINDOWS\system32\svchost.exe[1068] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00A70F21
    .text C:\WINDOWS\system32\svchost.exe[1068] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00A70EC9
    .text C:\WINDOWS\system32\svchost.exe[1068] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00A70EE4
    .text C:\WINDOWS\system32\svchost.exe[1068] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00A7007D
    .text C:\WINDOWS\system32\svchost.exe[1068] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00A70F8A
    .text C:\WINDOWS\system32\svchost.exe[1068] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00A70FE5
    .text C:\WINDOWS\system32\svchost.exe[1068] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00A7004E
    .text C:\WINDOWS\system32\svchost.exe[1068] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00A70FB6
    .text C:\WINDOWS\system32\svchost.exe[1068] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00A70011
    .text C:\WINDOWS\system32\svchost.exe[1068] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00A70EFF
    .text C:\WINDOWS\system32\svchost.exe[1068] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00A60FB2
    .text C:\WINDOWS\system32\svchost.exe[1068] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00A6002F
    .text C:\WINDOWS\system32\svchost.exe[1068] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00A60FC3
    .text C:\WINDOWS\system32\svchost.exe[1068] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00A60FD4
    .text C:\WINDOWS\system32\svchost.exe[1068] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00A60F72
    .text C:\WINDOWS\system32\svchost.exe[1068] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00A60FE5
    .text C:\WINDOWS\system32\svchost.exe[1068] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00A60F97
    .text C:\WINDOWS\system32\svchost.exe[1068] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [C6, 88]
    .text C:\WINDOWS\system32\svchost.exe[1068] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00A6001E
    .text C:\WINDOWS\system32\svchost.exe[1068] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00A50F8D
    .text C:\WINDOWS\system32\svchost.exe[1068] msvcrt.dll!system 77C293C7 5 Bytes JMP 00A50022
    .text C:\WINDOWS\system32\svchost.exe[1068] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00A50000
    .text C:\WINDOWS\system32\svchost.exe[1068] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00A50FE3
    .text C:\WINDOWS\system32\svchost.exe[1068] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00A50011
    .text C:\WINDOWS\system32\svchost.exe[1068] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00A50FD2
    .text C:\WINDOWS\system32\svchost.exe[1068] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00A40FEF
    .text C:\WINDOWS\system32\svchost.exe[1160] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BC0FEF
    .text C:\WINDOWS\system32\svchost.exe[1160] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BC0F6F
    .text C:\WINDOWS\system32\svchost.exe[1160] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BC006E
    .text C:\WINDOWS\system32\svchost.exe[1160] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BC0051
    .text C:\WINDOWS\system32\svchost.exe[1160] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BC0040
    .text C:\WINDOWS\system32\svchost.exe[1160] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BC001E
    .text C:\WINDOWS\system32\svchost.exe[1160] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BC0F3C
    .text C:\WINDOWS\system32\svchost.exe[1160] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BC0F4D
    .text C:\WINDOWS\system32\svchost.exe[1160] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BC0F21
    .text C:\WINDOWS\system32\svchost.exe[1160] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BC00BA
    .text C:\WINDOWS\system32\svchost.exe[1160] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BC0F10
    .text C:\WINDOWS\system32\svchost.exe[1160] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BC002F
    .text C:\WINDOWS\system32\svchost.exe[1160] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BC0FCA
    .text C:\WINDOWS\system32\svchost.exe[1160] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BC0F5E
    .text C:\WINDOWS\system32\svchost.exe[1160] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BC0FA8
    .text C:\WINDOWS\system32\svchost.exe[1160] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BC0FB9
    .text C:\WINDOWS\system32\svchost.exe[1160] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BC009F
    .text C:\WINDOWS\system32\svchost.exe[1160] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00BB0FB2
    .text C:\WINDOWS\system32\svchost.exe[1160] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00BB0F46
    .text C:\WINDOWS\system32\svchost.exe[1160] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00BB0FC3
    .text C:\WINDOWS\system32\svchost.exe[1160] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00BB0FDE
    .text C:\WINDOWS\system32\svchost.exe[1160] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00BB0F57
    .text C:\WINDOWS\system32\svchost.exe[1160] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00BB0FEF
    .text C:\WINDOWS\system32\svchost.exe[1160] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00BB0F72
    .text C:\WINDOWS\system32\svchost.exe[1160] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [DB, 88]
    .text C:\WINDOWS\system32\svchost.exe[1160] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00BB0F97
    .text C:\WINDOWS\system32\svchost.exe[1160] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00BA0F95
    .text C:\WINDOWS\system32\svchost.exe[1160] msvcrt.dll!system 77C293C7 5 Bytes JMP 00BA0FA6
    .text C:\WINDOWS\system32\svchost.exe[1160] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00BA0FD2
    .text C:\WINDOWS\system32\svchost.exe[1160] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00BA0000
    .text C:\WINDOWS\system32\svchost.exe[1160] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00BA0FC1
    .text C:\WINDOWS\system32\svchost.exe[1160] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00BA0FE3
    .text C:\WINDOWS\system32\svchost.exe[1160] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00B90000
    .text C:\WINDOWS\System32\svchost.exe[1188] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00C30000
    .text C:\WINDOWS\System32\svchost.exe[1188] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00C300C6
    .text C:\WINDOWS\System32\svchost.exe[1188] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00C300AB
    .text C:\WINDOWS\System32\svchost.exe[1188] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00C3008E
    .text C:\WINDOWS\System32\svchost.exe[1188] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00C3007D
    .text C:\WINDOWS\System32\svchost.exe[1188] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00C30058
    .text C:\WINDOWS\System32\svchost.exe[1188] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00C300F2
    .text C:\WINDOWS\System32\svchost.exe[1188] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00C300E1
    .text C:\WINDOWS\System32\svchost.exe[1188] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00C30F63
    .text C:\WINDOWS\System32\svchost.exe[1188] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00C30F7E
    .text C:\WINDOWS\System32\svchost.exe[1188] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00C30117
    .text C:\WINDOWS\System32\svchost.exe[1188] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00C30FD1
    .text C:\WINDOWS\System32\svchost.exe[1188] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00C3001B
    .text C:\WINDOWS\System32\svchost.exe[1188] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00C30FB6
    .text C:\WINDOWS\System32\svchost.exe[1188] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00C30047
    .text C:\WINDOWS\System32\svchost.exe[1188] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00C3002C
    .text C:\WINDOWS\System32\svchost.exe[1188] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00C30F99
    .text C:\WINDOWS\System32\svchost.exe[1188] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00C20FC0
    .text C:\WINDOWS\System32\svchost.exe[1188] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00C20058
    .text C:\WINDOWS\System32\svchost.exe[1188] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00C20011
    .text C:\WINDOWS\System32\svchost.exe[1188] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00C20000
    .text C:\WINDOWS\System32\svchost.exe[1188] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00C20047
    .text C:\WINDOWS\System32\svchost.exe[1188] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00C20FEF
    .text C:\WINDOWS\System32\svchost.exe[1188] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00C20036
    .text C:\WINDOWS\System32\svchost.exe[1188] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00C20FAF
    .text C:\WINDOWS\System32\svchost.exe[1188] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00C10FBE
    .text C:\WINDOWS\System32\svchost.exe[1188] msvcrt.dll!system 77C293C7 5 Bytes JMP 00C10049
    .text C:\WINDOWS\System32\svchost.exe[1188] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00C10038
    .text C:\WINDOWS\System32\svchost.exe[1188] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00C1000C
    .text C:\WINDOWS\System32\svchost.exe[1188] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00C10FD9
    .text C:\WINDOWS\System32\svchost.exe[1188] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00C1001D
    .text C:\WINDOWS\System32\svchost.exe[1188] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00C00FE5
    .text C:\WINDOWS\System32\svchost.exe[1256] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 0206000A
    .text C:\WINDOWS\System32\svchost.exe[1256] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 0206006C
    .text C:\WINDOWS\System32\svchost.exe[1256] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 02060F77
    .text C:\WINDOWS\System32\svchost.exe[1256] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 02060F88
    .text C:\WINDOWS\System32\svchost.exe[1256] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 02060051
    .text C:\WINDOWS\System32\svchost.exe[1256] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 02060036
    .text C:\WINDOWS\System32\svchost.exe[1256] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 02060F4B
    .text C:\WINDOWS\System32\svchost.exe[1256] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 02060093
    .text C:\WINDOWS\System32\svchost.exe[1256] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 020600B5
    .text C:\WINDOWS\System32\svchost.exe[1256] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 020600A4
    .text C:\WINDOWS\System32\svchost.exe[1256] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 02060F0B
    .text C:\WINDOWS\System32\svchost.exe[1256] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 02060FAF
    .text C:\WINDOWS\System32\svchost.exe[1256] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 02060FEF
    .text C:\WINDOWS\System32\svchost.exe[1256] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 02060F5C
    .text C:\WINDOWS\System32\svchost.exe[1256] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 02060FD4
    .text C:\WINDOWS\System32\svchost.exe[1256] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 02060025
    .text C:\WINDOWS\System32\svchost.exe[1256] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 02060F26
    .text C:\WINDOWS\System32\svchost.exe[1256] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 01A00FCA
    .text C:\WINDOWS\System32\svchost.exe[1256] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 01A00F8A
    .text C:\WINDOWS\System32\svchost.exe[1256] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 01A0001B
    .text C:\WINDOWS\System32\svchost.exe[1256] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 01A00FE5
    .text C:\WINDOWS\System32\svchost.exe[1256] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 01A00047
    .text C:\WINDOWS\System32\svchost.exe[1256] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 01A00000
    .text C:\WINDOWS\System32\svchost.exe[1256] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 01A00036
    .text C:\WINDOWS\System32\svchost.exe[1256] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 01A00FB9
    .text C:\WINDOWS\System32\svchost.exe[1256] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 019F0FD4
    .text C:\WINDOWS\System32\svchost.exe[1256] msvcrt.dll!system 77C293C7 5 Bytes JMP 019F005F
    .text C:\WINDOWS\System32\svchost.exe[1256] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 019F0044
    .text C:\WINDOWS\System32\svchost.exe[1256] msvcrt.dll!_open 77C2F566 5 Bytes JMP 019F000C
    .text C:\WINDOWS\System32\svchost.exe[1256] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 019F0FE5
    .text C:\WINDOWS\System32\svchost.exe[1256] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 019F001D
    .text C:\WINDOWS\System32\svchost.exe[1256] WS2_32.dll!socket 71AB4211 5 Bytes JMP 019E0FEF
     
  7. mpete

    mpete TS Rookie Topic Starter Posts: 50

    .text C:\WINDOWS\System32\svchost.exe[1256] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 019D0FEF
    .text C:\WINDOWS\System32\svchost.exe[1256] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 019D0000
    .text C:\WINDOWS\System32\svchost.exe[1256] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 019D0FCA
    .text C:\WINDOWS\System32\svchost.exe[1256] WININET.dll!InternetOpenUrlW 3D998471 5 Bytes JMP 019D0FB9
    .text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 0065000A
    .text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00650FAF
    .text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 0065009A
    .text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00650089
    .text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00650FCA
    .text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00650051
    .text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 006500DA
    .text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00650F88
    .text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00650106
    .text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00650F6D
    .text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00650117
    .text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 0065006C
    .text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 0065001B
    .text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 006500BF
    .text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00650FE5
    .text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00650036
    .text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 006500EB
    .text C:\WINDOWS\system32\svchost.exe[1296] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00640FD1
    .text C:\WINDOWS\system32\svchost.exe[1296] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00640F79
    .text C:\WINDOWS\system32\svchost.exe[1296] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00640022
    .text C:\WINDOWS\system32\svchost.exe[1296] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00640011
    .text C:\WINDOWS\system32\svchost.exe[1296] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00640F94
    .text C:\WINDOWS\system32\svchost.exe[1296] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00640000
    .text C:\WINDOWS\system32\svchost.exe[1296] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00640FA5
    .text C:\WINDOWS\system32\svchost.exe[1296] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [84, 88]
    .text C:\WINDOWS\system32\svchost.exe[1296] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00640FC0
    .text C:\WINDOWS\system32\svchost.exe[1296] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00630047
    .text C:\WINDOWS\system32\svchost.exe[1296] msvcrt.dll!system 77C293C7 5 Bytes JMP 00630FBC
    .text C:\WINDOWS\system32\svchost.exe[1296] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00630011
    .text C:\WINDOWS\system32\svchost.exe[1296] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00630000
    .text C:\WINDOWS\system32\svchost.exe[1296] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 0063002C
    .text C:\WINDOWS\system32\svchost.exe[1296] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00630FD7
    .text C:\WINDOWS\system32\svchost.exe[1368] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 008C0FEF
    .text C:\WINDOWS\system32\svchost.exe[1368] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 008C0039
    .text C:\WINDOWS\system32\svchost.exe[1368] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 008C0028
    .text C:\WINDOWS\system32\svchost.exe[1368] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 008C0F44
    .text C:\WINDOWS\system32\svchost.exe[1368] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 008C0F6B
    .text C:\WINDOWS\system32\svchost.exe[1368] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 008C0F97
    .text C:\WINDOWS\system32\svchost.exe[1368] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 008C005E
    .text C:\WINDOWS\system32\svchost.exe[1368] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 008C0F16
    .text C:\WINDOWS\system32\svchost.exe[1368] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 008C008A
    .text C:\WINDOWS\system32\svchost.exe[1368] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 008C0EF1
    .text C:\WINDOWS\system32\svchost.exe[1368] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 008C0EE0
    .text C:\WINDOWS\system32\svchost.exe[1368] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 008C0F7C
    .text C:\WINDOWS\system32\svchost.exe[1368] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 008C0FCA
    .text C:\WINDOWS\system32\svchost.exe[1368] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 008C0F33
    .text C:\WINDOWS\system32\svchost.exe[1368] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 008C0FA8
    .text C:\WINDOWS\system32\svchost.exe[1368] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 008C0FB9
    .text C:\WINDOWS\system32\svchost.exe[1368] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 008C006F
    .text C:\WINDOWS\system32\svchost.exe[1368] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 008B0FEF
    .text C:\WINDOWS\system32\svchost.exe[1368] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 008B0079
    .text C:\WINDOWS\system32\svchost.exe[1368] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 008B0036
    .text C:\WINDOWS\system32\svchost.exe[1368] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 008B0025
    .text C:\WINDOWS\system32\svchost.exe[1368] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 008B0FB2
    .text C:\WINDOWS\system32\svchost.exe[1368] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 008B0000
    .text C:\WINDOWS\system32\svchost.exe[1368] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 008B0FC3
    .text C:\WINDOWS\system32\svchost.exe[1368] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [AB, 88]
    .text C:\WINDOWS\system32\svchost.exe[1368] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 008B0FDE
    .text C:\WINDOWS\system32\svchost.exe[1368] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 008A0F89
    .text C:\WINDOWS\system32\svchost.exe[1368] msvcrt.dll!system 77C293C7 5 Bytes JMP 008A0F9A
    .text C:\WINDOWS\system32\svchost.exe[1368] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 008A000A
    .text C:\WINDOWS\system32\svchost.exe[1368] msvcrt.dll!_open 77C2F566 5 Bytes JMP 008A0FEF
    .text C:\WINDOWS\system32\svchost.exe[1368] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 008A0FB5
    .text C:\WINDOWS\system32\svchost.exe[1368] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 008A0FC6
    .text C:\WINDOWS\system32\svchost.exe[1368] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00890000
    .text C:\WINDOWS\system32\svchost.exe[1488] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00A60FEF
    .text C:\WINDOWS\system32\svchost.exe[1488] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00A60F7C
    .text C:\WINDOWS\system32\svchost.exe[1488] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00A60F8D
    .text C:\WINDOWS\system32\svchost.exe[1488] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00A6005B
    .text C:\WINDOWS\system32\svchost.exe[1488] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00A60F9E
    .text C:\WINDOWS\system32\svchost.exe[1488] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00A60FCA
    .text C:\WINDOWS\system32\svchost.exe[1488] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00A60F44
    .text C:\WINDOWS\system32\svchost.exe[1488] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00A60F55
    .text C:\WINDOWS\system32\svchost.exe[1488] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00A600DD
    .text C:\WINDOWS\system32\svchost.exe[1488] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00A600CC
    .text C:\WINDOWS\system32\svchost.exe[1488] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00A60F29
    .text C:\WINDOWS\system32\svchost.exe[1488] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00A60FAF
    .text C:\WINDOWS\system32\svchost.exe[1488] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00A6000A
    .text C:\WINDOWS\system32\svchost.exe[1488] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00A60082
    .text C:\WINDOWS\system32\svchost.exe[1488] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00A60036
    .text C:\WINDOWS\system32\svchost.exe[1488] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00A60025
    .text C:\WINDOWS\system32\svchost.exe[1488] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00A600B1
    .text C:\WINDOWS\system32\svchost.exe[1488] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00A50051
    .text C:\WINDOWS\system32\svchost.exe[1488] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00A5006C
    .text C:\WINDOWS\system32\svchost.exe[1488] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00A5002C
    .text C:\WINDOWS\system32\svchost.exe[1488] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00A50011
    .text C:\WINDOWS\system32\svchost.exe[1488] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00A50FA5
    .text C:\WINDOWS\system32\svchost.exe[1488] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00A50000
    .text C:\WINDOWS\system32\svchost.exe[1488] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00A50FC0
    .text C:\WINDOWS\system32\svchost.exe[1488] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [C5, 88]
    .text C:\WINDOWS\system32\svchost.exe[1488] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00A50FE5
    .text C:\WINDOWS\system32\svchost.exe[1488] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00A40FB7
    .text C:\WINDOWS\system32\svchost.exe[1488] msvcrt.dll!system 77C293C7 5 Bytes JMP 00A40042
    .text C:\WINDOWS\system32\svchost.exe[1488] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00A40FD2
    .text C:\WINDOWS\system32\svchost.exe[1488] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00A40000
    .text C:\WINDOWS\system32\svchost.exe[1488] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00A40031
    .text C:\WINDOWS\system32\svchost.exe[1488] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00A40FE3
    .text C:\WINDOWS\system32\svchost.exe[1488] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00A30000
    .text C:\WINDOWS\Explorer.EXE[1808] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00EA0FEF
    .text C:\WINDOWS\Explorer.EXE[1808] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00EA0F9E
    .text C:\WINDOWS\Explorer.EXE[1808] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00EA0FAF
    .text C:\WINDOWS\Explorer.EXE[1808] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00EA0FC0
    .text C:\WINDOWS\Explorer.EXE[1808] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00EA007D
    .text C:\WINDOWS\Explorer.EXE[1808] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00EA0047
    .text C:\WINDOWS\Explorer.EXE[1808] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00EA0F7C
    .text C:\WINDOWS\Explorer.EXE[1808] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00EA00C4
    .text C:\WINDOWS\Explorer.EXE[1808] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00EA00F0
    .text C:\WINDOWS\Explorer.EXE[1808] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00EA0F61
    .text C:\WINDOWS\Explorer.EXE[1808] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00EA0F32
    .text C:\WINDOWS\Explorer.EXE[1808] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00EA0062
    .text C:\WINDOWS\Explorer.EXE[1808] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00EA000A
    .text C:\WINDOWS\Explorer.EXE[1808] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00EA0F8D
    .text C:\WINDOWS\Explorer.EXE[1808] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00EA0036
    .text C:\WINDOWS\Explorer.EXE[1808] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00EA0025
    .text C:\WINDOWS\Explorer.EXE[1808] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00EA00DF
    .text C:\WINDOWS\Explorer.EXE[1808] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00CC0FAF
    .text C:\WINDOWS\Explorer.EXE[1808] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00CC0051
    .text C:\WINDOWS\Explorer.EXE[1808] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00CC0FCA
    .text C:\WINDOWS\Explorer.EXE[1808] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00CC0000
    .text C:\WINDOWS\Explorer.EXE[1808] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00CC0F94
    .text C:\WINDOWS\Explorer.EXE[1808] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00CC0FEF
    .text C:\WINDOWS\Explorer.EXE[1808] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00CC002C
    .text C:\WINDOWS\Explorer.EXE[1808] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00CC001B
    .text C:\WINDOWS\Explorer.EXE[1808] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00990F92
    .text C:\WINDOWS\Explorer.EXE[1808] msvcrt.dll!system 77C293C7 5 Bytes JMP 00990FAD
    .text C:\WINDOWS\Explorer.EXE[1808] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0099001D
    .text C:\WINDOWS\Explorer.EXE[1808] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00990FEF
    .text C:\WINDOWS\Explorer.EXE[1808] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00990FC8
    .text C:\WINDOWS\Explorer.EXE[1808] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0099000C
    .text C:\WINDOWS\Explorer.EXE[1808] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 00970FEF
    .text C:\WINDOWS\Explorer.EXE[1808] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 0097000A
    .text C:\WINDOWS\Explorer.EXE[1808] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 0097001B
    .text C:\WINDOWS\Explorer.EXE[1808] WININET.dll!InternetOpenUrlW 3D998471 5 Bytes JMP 00970040
    .text C:\WINDOWS\Explorer.EXE[1808] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00980FE5
    .text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[1904] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0041C130 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
    .text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[1904] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 0041C1B0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
    .text C:\WINDOWS\system32\svchost.exe[1980] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00A50FE5
    .text C:\WINDOWS\system32\svchost.exe[1980] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00A50062
    .text C:\WINDOWS\system32\svchost.exe[1980] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00A50051
    .text C:\WINDOWS\system32\svchost.exe[1980] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00A50036
    .text C:\WINDOWS\system32\svchost.exe[1980] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00A50F83
    .text C:\WINDOWS\system32\svchost.exe[1980] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00A5000A
    .text C:\WINDOWS\system32\svchost.exe[1980] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00A50089
    .text C:\WINDOWS\system32\svchost.exe[1980] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00A50F37
    .text C:\WINDOWS\system32\svchost.exe[1980] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00A500BC
    .text C:\WINDOWS\system32\svchost.exe[1980] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00A500AB
    .text C:\WINDOWS\system32\svchost.exe[1980] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00A50F08
    .text C:\WINDOWS\system32\svchost.exe[1980] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00A5001B
    .text C:\WINDOWS\system32\svchost.exe[1980] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00A50FCA
    .text C:\WINDOWS\system32\svchost.exe[1980] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00A50F48
    .text C:\WINDOWS\system32\svchost.exe[1980] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00A50F9E
    .text C:\WINDOWS\system32\svchost.exe[1980] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00A50FB9
    .text C:\WINDOWS\system32\svchost.exe[1980] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00A5009A
    .text C:\WINDOWS\system32\svchost.exe[1980] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00930036
    .text C:\WINDOWS\system32\svchost.exe[1980] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 0093008E
    .text C:\WINDOWS\system32\svchost.exe[1980] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00930025
    .text C:\WINDOWS\system32\svchost.exe[1980] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 0093000A
    .text C:\WINDOWS\system32\svchost.exe[1980] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00930073
    .text C:\WINDOWS\system32\svchost.exe[1980] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00930FEF
    .text C:\WINDOWS\system32\svchost.exe[1980] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00930058
    .text C:\WINDOWS\system32\svchost.exe[1980] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00930047
    .text C:\WINDOWS\system32\svchost.exe[1980] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00920049
    .text C:\WINDOWS\system32\svchost.exe[1980] msvcrt.dll!system 77C293C7 5 Bytes JMP 00920038
    .text C:\WINDOWS\system32\svchost.exe[1980] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0092000C
    .text C:\WINDOWS\system32\svchost.exe[1980] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00920FEF
    .text C:\WINDOWS\system32\svchost.exe[1980] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00920027
    .text C:\WINDOWS\system32\svchost.exe[1980] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00920FDE
    .text C:\WINDOWS\system32\svchost.exe[1980] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 00900FEF
    .text C:\WINDOWS\system32\svchost.exe[1980] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 0090000A
    .text C:\WINDOWS\system32\svchost.exe[1980] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 00900FD4
    .text C:\WINDOWS\system32\svchost.exe[1980] WININET.dll!InternetOpenUrlW 3D998471 5 Bytes JMP 00900FB9
    .text C:\WINDOWS\system32\svchost.exe[1980] WS2_32.dll!socket 71AB4211 5 Bytes JMP 0091000A
    .text C:\WINDOWS\system32\svchost.exe[2584] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00AD0000
    .text C:\WINDOWS\system32\svchost.exe[2584] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00AD0F9E
    .text C:\WINDOWS\system32\svchost.exe[2584] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00AD0FAF
    .text C:\WINDOWS\system32\svchost.exe[2584] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00AD007D
    .text C:\WINDOWS\system32\svchost.exe[2584] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00AD006C
    .text C:\WINDOWS\system32\svchost.exe[2584] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00AD0FDB
    .text C:\WINDOWS\system32\svchost.exe[2584] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00AD0F6D
    .text C:\WINDOWS\system32\svchost.exe[2584] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00AD00BF
    .text C:\WINDOWS\system32\svchost.exe[2584] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00AD0F30
    .text C:\WINDOWS\system32\svchost.exe[2584] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00AD0F41
    .text C:\WINDOWS\system32\svchost.exe[2584] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00AD00DA
    .text C:\WINDOWS\system32\svchost.exe[2584] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00AD0FCA
    .text C:\WINDOWS\system32\svchost.exe[2584] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00AD001B
    .text C:\WINDOWS\system32\svchost.exe[2584] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00AD00AE
    .text C:\WINDOWS\system32\svchost.exe[2584] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00AD003D
    .text C:\WINDOWS\system32\svchost.exe[2584] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00AD002C
    .text C:\WINDOWS\system32\svchost.exe[2584] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00AD0F5C
    .text C:\WINDOWS\system32\svchost.exe[2584] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00AC0FAF
    .text C:\WINDOWS\system32\svchost.exe[2584] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00AC0F68
    .text C:\WINDOWS\system32\svchost.exe[2584] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00AC0FD4
    .text C:\WINDOWS\system32\svchost.exe[2584] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00AC0FEF
    .text C:\WINDOWS\system32\svchost.exe[2584] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00AC002F
    .text C:\WINDOWS\system32\svchost.exe[2584] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00AC0000
    .text C:\WINDOWS\system32\svchost.exe[2584] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00AC0F8D
    .text C:\WINDOWS\system32\svchost.exe[2584] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [CC, 88]
    .text C:\WINDOWS\system32\svchost.exe[2584] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00AC0F9E
    .text C:\WINDOWS\system32\svchost.exe[2584] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00AB003D
    .text C:\WINDOWS\system32\svchost.exe[2584] msvcrt.dll!system 77C293C7 5 Bytes JMP 00AB002C
    .text C:\WINDOWS\system32\svchost.exe[2584] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00AB0FC6
    .text C:\WINDOWS\system32\svchost.exe[2584] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00AB0000
    .text C:\WINDOWS\system32\svchost.exe[2584] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00AB001B
    .text C:\WINDOWS\system32\svchost.exe[2584] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00AB0FD7
    .text C:\WINDOWS\system32\svchost.exe[2584] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00AA0FEF
    .text C:\WINDOWS\system32\svchost.exe[2736] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00C60000
    .text C:\WINDOWS\system32\svchost.exe[2736] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00C600AE
    .text C:\WINDOWS\system32\svchost.exe[2736] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00C6009D
    .text C:\WINDOWS\system32\svchost.exe[2736] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00C60080
    .text C:\WINDOWS\system32\svchost.exe[2736] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00C60065
    .text C:\WINDOWS\system32\svchost.exe[2736] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00C6002F
    .text C:\WINDOWS\system32\svchost.exe[2736] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00C600CB
    .text C:\WINDOWS\system32\svchost.exe[2736] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00C60F83
    .text C:\WINDOWS\system32\svchost.exe[2736] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00C60101
    .text C:\WINDOWS\system32\svchost.exe[2736] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00C60F68
    .text C:\WINDOWS\system32\svchost.exe[2736] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00C60112
    .text C:\WINDOWS\system32\svchost.exe[2736] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00C6004A
    .text C:\WINDOWS\system32\svchost.exe[2736] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00C60FE5
    .text C:\WINDOWS\system32\svchost.exe[2736] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00C60F9E
    .text C:\WINDOWS\system32\svchost.exe[2736] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00C60FC3
    .text C:\WINDOWS\system32\svchost.exe[2736] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00C60FD4
    .text C:\WINDOWS\system32\svchost.exe[2736] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00C600E6
    .text C:\WINDOWS\system32\svchost.exe[2736] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00C50FCD
    .text C:\WINDOWS\system32\svchost.exe[2736] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00C50065
    .text C:\WINDOWS\system32\svchost.exe[2736] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00C5001E
    .text C:\WINDOWS\system32\svchost.exe[2736] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00C50FDE
    .text C:\WINDOWS\system32\svchost.exe[2736] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00C50FA8
    .text C:\WINDOWS\system32\svchost.exe[2736] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00C50FEF
    .text C:\WINDOWS\system32\svchost.exe[2736] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00C5004A
    .text C:\WINDOWS\system32\svchost.exe[2736] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00C50039
    .text C:\WINDOWS\system32\svchost.exe[2736] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00C4003D
    .text C:\WINDOWS\system32\svchost.exe[2736] msvcrt.dll!system 77C293C7 5 Bytes JMP 00C40FB2
    .text C:\WINDOWS\system32\svchost.exe[2736] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00C40FCD
    .text C:\WINDOWS\system32\svchost.exe[2736] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00C40FEF
    .text C:\WINDOWS\system32\svchost.exe[2736] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00C4002C
    .text C:\WINDOWS\system32\svchost.exe[2736] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00C40FDE
    .text C:\Program Files\Webroot\Washer\WasherSvc.exe[2876] kernel32.dll!CreateThread + 1A 7C8106F1 4 Bytes CALL 0008ED99 C:\Program Files\Webroot\Washer\WasherSvc.exe (Window Washer Engine/Webroot Software, Inc.)

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Ntfs \Ntfs bb-run.sys (Promise Disk Accelerator/Promise Technology, Inc.)
    AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
    AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 arkbcfltr.sys (Microsoft AR PS/2 Keyboard Filter Driver (Beta 2 Release 2)/Microsoft Corporation)
    AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 arkbcfltr.sys (Microsoft AR PS/2 Keyboard Filter Driver (Beta 2 Release 2)/Microsoft Corporation)
    AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
    AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
    AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
    AttachedDevice \FileSystem\Fastfat \Fat bb-run.sys (Promise Disk Accelerator/Promise Technology, Inc.)
    AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

    ---- EOF - GMER 1.0.15 ----
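Added example (editor's, not code from this thread or from GMER): a small Python triage script for the "User code sections" lines in the log above. It assumes the GMER 1.0.15 line layout shown there, and relies on one property of that output: GMER prints the owning module and its description after the JMP/CALL target only when the target lies inside a loaded image. A hook whose target has nothing after it points at memory no module claims, which is what injected code looks like. That is a triage heuristic, not proof of infection. The sample lines are excerpted from the posted log; the two module-backed ones (McAfee, Webroot) are there to show the contrast.

```python
"""Triage of GMER 1.0.15 'User code sections' output (added example).

Assumed line layout, taken from the posted log:
  .text <process>[<pid>] <dll>!<export>[ + <off>] <addr> <n> Bytes JMP|CALL <target> [<module> (<description>)]
or, when GMER could not decode the patch as one jump:
  .text <process>[<pid>] <dll>!<export> + <off> <addr> <n> Bytes [<hex>, <hex>]
"""
import re
from collections import defaultdict

HOOK_RE = re.compile(
    r"^\.text\s+"
    r"(?P<proc>.+?\[(?P<pid>\d+)\])\s+"                  # process image path and PID
    r"(?P<export>\S+!\S+)(?:\s\+\s[0-9A-Fa-f]+)?\s+"      # DLL!Export, optional "+ offset"
    r"(?P<addr>[0-9A-Fa-f]{8})\s+"                         # patched address
    r"(?P<size>\d+)\s+Bytes\s+"                            # patch length
    r"(?P<rest>.*)$"                                       # JMP/CALL target or raw bytes
)
TARGET_RE = re.compile(
    r"^(?P<kind>JMP|CALL)\s+(?P<target>[0-9A-Fa-f]{8})"
    r"(?:\s+(?P<module>.+?)\s+\((?P<vendor>.*)\))?$"       # module + description only if backed
)

# Constructed sample: lines excerpted from the GMER log posted in this thread.
SAMPLE = r"""
.text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 0065000A
.text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00650106
.text C:\WINDOWS\system32\svchost.exe[1296] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00640FD1
.text C:\WINDOWS\system32\svchost.exe[1296] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00640FA5
.text C:\WINDOWS\system32\svchost.exe[1296] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [84, 88]
.text C:\WINDOWS\system32\svchost.exe[1296] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00630047
.text C:\WINDOWS\Explorer.EXE[1808] WININET.dll!InternetOpenUrlW 3D998471 5 Bytes JMP 00970040
.text C:\WINDOWS\Explorer.EXE[1808] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00980FE5
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[1904] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0041C130 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\Program Files\Webroot\Washer\WasherSvc.exe[2876] kernel32.dll!CreateThread + 1A 7C8106F1 4 Bytes CALL 0008ED99 C:\Program Files\Webroot\Washer\WasherSvc.exe (Window Washer Engine/Webroot Software, Inc.)
---- Devices - GMER 1.0.15 ----
AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
"""


def parse_hook(line):
    """Return a dict for one '.text' hook line, or None for any other line."""
    m = HOOK_RE.match(line.strip())
    if not m:
        return None
    hook = {
        "proc": m["proc"], "pid": int(m["pid"]), "export": m["export"],
        "addr": int(m["addr"], 16), "size": int(m["size"]),
        "kind": "bytes", "target": None, "module": None, "vendor": None,
    }
    t = TARGET_RE.match(m["rest"])
    if t:  # decoded jump/call; "bytes" kind stays for raw dumps like "[84, 88]"
        hook.update(kind=t["kind"], target=int(t["target"], 16),
                    module=t["module"], vendor=t["vendor"])
    return hook


def classify(hook):
    """'backed' when GMER named the module owning the target, else 'unbacked'."""
    return "backed" if hook["module"] else "unbacked"


def triage(lines):
    """Per process: hook counts by class, 64 KiB regions hit by unbacked hooks, vendors seen."""
    report = defaultdict(lambda: {"backed": 0, "unbacked": 0,
                                  "regions": set(), "vendors": set()})
    for line in lines:
        h = parse_hook(line)
        if h is None:
            continue
        entry = report[h["proc"]]
        c = classify(h)
        entry[c] += 1
        if c == "unbacked" and h["target"] is not None:
            entry["regions"].add(h["target"] >> 16)   # 64 KiB granule of the target
        if h["vendor"]:
            entry["vendors"].add(h["vendor"])
    return dict(report)


def suspicious(report):
    """Processes with at least one hook into memory no module claims, sorted."""
    return sorted(p for p, e in report.items() if e["unbacked"])


if __name__ == "__main__":
    for proc, e in sorted(triage(SAMPLE.strip().splitlines()).items()):
        flag = "INJECTED?" if e["unbacked"] else "ok"
        print(f"{flag:9} {proc}: {e['unbacked']} unbacked, {e['backed']} backed, "
              f"regions={[hex(r << 16) for r in sorted(e['regions'])]}, "
              f"vendors={sorted(e['vendors'])}")
```

Run against the full log above, every svchost.exe and Explorer.EXE hook lands in an unnamed region (the targets in each process sit in a few adjacent 64 KiB blocks, one per hooked DLL), while the only module-backed hooks belong to mcproxy.exe and WasherSvc.exe hooking themselves. That pattern, not any single hooked export, is what makes those processes worth cleaning; legitimate security products hook the same APIs, but GMER names their module.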
     
  8. Broni

    Broni Malware Annihilator Posts: 52,890   +344

    Download TDSSKiller and save it to your desktop.
    • Extract (unzip) its contents to your desktop.
    • Open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
    • If an infected file is detected, the default action will be Cure, click on Continue.
    • If a suspicious file is detected, the default action will be Skip, click on Continue.
    • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
    • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
    • If a reboot is required, the report can also be found in your root directory (usually C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here.
     
  9. mpete

    mpete TS Rookie Topic Starter Posts: 50

    Downloaded TDS; nothing was found, hence no report was made.
     
  10. mpete

    mpete TS Rookie Topic Starter Posts: 50

    Take that back, it didn't ask for a report, but here is what was in the root directory:

    2011/03/31 20:53:02.0260 0480 TDSS rootkit removing tool 2.4.21.0 Mar 10 2011 12:26:28
    2011/03/31 20:53:02.0479 0480 ================================================================================
    2011/03/31 20:53:02.0479 0480 SystemInfo:
    2011/03/31 20:53:02.0479 0480
    2011/03/31 20:53:02.0479 0480 OS Version: 5.1.2600 ServicePack: 3.0
    2011/03/31 20:53:02.0479 0480 Product type: Workstation
    2011/03/31 20:53:02.0479 0480 ComputerName: YOUR-55E5F9E3D2
    2011/03/31 20:53:02.0479 0480 UserName: HP_Administrator
    2011/03/31 20:53:02.0479 0480 Windows directory: C:\WINDOWS
    2011/03/31 20:53:02.0479 0480 System windows directory: C:\WINDOWS
    2011/03/31 20:53:02.0479 0480 Processor architecture: Intel x86
    2011/03/31 20:53:02.0479 0480 Number of processors: 2
    2011/03/31 20:53:02.0479 0480 Page size: 0x1000
    2011/03/31 20:53:02.0479 0480 Boot type: Normal boot
    2011/03/31 20:53:02.0479 0480 ================================================================================
    2011/03/31 20:53:03.0198 0480 Initialize success
    2011/03/31 20:53:06.0870 6060 ================================================================================
    2011/03/31 20:53:06.0870 6060 Scan started
    2011/03/31 20:53:06.0870 6060 Mode: Manual;
    2011/03/31 20:53:06.0870 6060 ================================================================================
    2011/03/31 20:53:09.0214 6060 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
    2011/03/31 20:53:09.0293 6060 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
    2011/03/31 20:53:09.0386 6060 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
    2011/03/31 20:53:09.0496 6060 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
    2011/03/31 20:53:09.0605 6060 AgereSoftModem (34f27c7d71f1c49c7d3857f28b42f544) C:\WINDOWS\system32\DRIVERS\AGRSM.sys
    2011/03/31 20:53:09.0949 6060 aracpi (00523019e3579c8f8a94457fe25f0f24) C:\WINDOWS\system32\DRIVERS\aracpi.sys
    2011/03/31 20:53:09.0980 6060 arhidfltr (9fedaa46eb1a572ac4d9ee6b5f123cf2) C:\WINDOWS\system32\DRIVERS\arhidfltr.sys
    2011/03/31 20:53:10.0058 6060 arkbcfltr (82969576093cd983dd559f5a86f382b4) C:\WINDOWS\system32\DRIVERS\arkbcfltr.sys
    2011/03/31 20:53:10.0074 6060 armoucfltr (9b21791d8a78faece999fadbebda6c22) C:\WINDOWS\system32\DRIVERS\armoucfltr.sys
    2011/03/31 20:53:10.0152 6060 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
    2011/03/31 20:53:10.0261 6060 ARPolicy (7a2da7c7b0c524ef26a79f17a5c69fde) C:\WINDOWS\system32\DRIVERS\arpolicy.sys
    2011/03/31 20:53:10.0574 6060 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
    2011/03/31 20:53:10.0652 6060 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
    2011/03/31 20:53:10.0793 6060 ati2mtag (99f6db087497f55d5f8d971f7689f054) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
    2011/03/31 20:53:10.0918 6060 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
    2011/03/31 20:53:10.0965 6060 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
    2011/03/31 20:53:11.0152 6060 avgio (0b497c79824f8e1bf22fa6aacd3de3a0) C:\Program Files\Avira\AntiVir Desktop\avgio.sys
    2011/03/31 20:53:11.0309 6060 avgntflt (47b879406246ffdced59e18d331a0e7d) C:\WINDOWS\system32\DRIVERS\avgntflt.sys
     
  11. Broni

    Broni Malware Annihilator Posts: 52,890   +344

    Please download Rootkit Unhooker from one of the following links and save it to your desktop.
    In order to use this tool if you downloaded from either of the second two links, you will need to extract the RKUnhookerLE.exe file using a program capable of extracting ZIP and RAR compressed files. If you don't have an extraction program, you can download, install and use the free 7-zip utility.

    • Double-click on RKUnhookerLE.exe to start the program.
      Vista/Windows 7 users right-click and select Run As Administrator.
    • Click the Report tab, then click Scan.
    • Check Drivers, Stealth, and uncheck the rest.
    • Click OK.
    • Wait until it's finished and then go to File > Save Report.
    • Save the report to your Desktop.
    • Copy and paste the contents of the report into your next reply.
    -- Note: You may get this warning...just ignore it, click OK and continue: "Rootkit Unhooker has detected a parasite inside itself! It is recommended to remove parasite, okay?".

    =====================================================================

    Download MBRCheck to your desktop

    Double click MBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator).
    It will show a black screen with some data on it.
    Enter N to exit.
    A report called MBRcheckxxxx.txt will be on your desktop.
    Open this report and post its content in your next reply.
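For the driver list the RKUnhooker steps above produce, here is a small triage script, added as an example and not code from the thread or from Rootkit Unhooker itself: it parses the `>Drivers` lines in the format RKU prints and flags drivers loaded from a temp or user-profile directory, or lacking any vendor string. The sample report, its paths and driver names are constructed placeholders.

```python
"""Triage the ">Drivers" section of a Rootkit Unhooker (RKU) report.

Added example for this thread, not code from RKU or from the forum post.
It parses the lines RKU prints (load address, module path, size and an
optional "(vendor, description)" block) and flags what a malware-removal
helper reads first: kernel drivers loaded from a temp or user-profile
directory, and modules that carry no vendor information at all.
The SAMPLE_REPORT below is constructed; its paths and names are placeholders.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# One ">Drivers" line, e.g.
#   0xF7435000 ftsata2.sys 274432 bytes (Promise Technology, Inc., Promise Driver ...)
# Paths may contain spaces, and unknown modules print no "(...)" block.
DRIVER_LINE_RE = re.compile(
    r"^0x(?P<addr>[0-9A-Fa-f]{8})\s+"   # load address
    r"(?P<path>.+?)\s+"                 # module path or bare file name
    r"(?P<size>\d+)\s+bytes"            # image size
    r"(?:\s+\((?P<info>.*)\))?\s*$"     # optional vendor/description
)

# A kernel driver has no business being loaded from any of these.
USER_WRITABLE_DIRS = (
    "\\temp\\", "\\docume~1\\", "\\documents and settings\\", "\\users\\", "\\appdata\\",
)


@dataclass
class DriverEntry:
    addr: int
    path: str
    size: int
    vendor: str | None  # None when RKU printed no "(...)" block


def parse_driver_line(line: str) -> DriverEntry | None:
    """Return a DriverEntry for a driver line, or None for headers/separators."""
    m = DRIVER_LINE_RE.match(line.strip())
    if not m:
        return None
    return DriverEntry(int(m["addr"], 16), m["path"], int(m["size"]), m["info"])


def parse_drivers_section(report: str) -> list[DriverEntry]:
    """Collect entries between the '>Drivers' header and the next '>' header."""
    entries: list[DriverEntry] = []
    in_section = False
    for raw in report.splitlines():
        line = raw.strip()
        if line.startswith(">"):
            in_section = line.lower() == ">drivers"
            continue
        if in_section:
            entry = parse_driver_line(line)
            if entry is not None:
                entries.append(entry)
    return entries


def triage(report: str) -> list[tuple[str, str, str]]:
    """Return (severity, path, reason) for each driver worth a closer look."""
    findings: list[tuple[str, str, str]] = []
    for e in parse_drivers_section(report):
        low = e.path.lower()
        name = low.rsplit("\\", 1)[-1]
        if any(d in low for d in USER_WRITABLE_DIRS):
            findings.append(("high", e.path, "kernel driver loaded from a temp or user-profile directory"))
        elif e.vendor is None and not name.startswith("dump_"):
            # dump_*.sys are copies Windows makes of the boot disk driver stack for crash dumps;
            # other modules without a vendor string should be checked on disk (signature, hash).
            findings.append(("low", e.path, "no vendor/description string; verify the file on disk"))
    return findings


# Constructed sample in RKU's layout; the Temp driver and the vendor-less driver are placeholders.
SAMPLE_REPORT = r"""==============================================
>Drivers
==============================================
0xF7435000 ftsata2.sys 274432 bytes (Promise Technology, Inc., Promise Driver for Windows Server 2003)
0xB682B000 C:\DOCUME~1\USER~1\LOCALS~1\Temp\qwxyzabc.sys 102400 bytes
0xECEA7000 C:\WINDOWS\System32\Drivers\dump_atapi.sys 98304 bytes
0xF7BEA000 C:\Program Files\Example Vendor\exampleguard.sys 8192 bytes
0xF7B52000 C:\WINDOWS\system32\DRIVERS\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
>Stealth
==============================================
"""

if __name__ == "__main__":
    for severity, path, reason in triage(SAMPLE_REPORT):
        print(f"[{severity}] {path}: {reason}")
```

Run it against a saved RKU report by passing the file's text to `triage()`; the "high" findings are the entries to raise first.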
     
  12. mpete

    mpete TS Rookie Topic Starter Posts: 50

    Rootkit File

    RkU Version: 3.8.388.590, Type LE (SR2)
    ==============================================
    OS Name: Windows XP
    Version 5.1.2600 (Service Pack 3)
    Number of processors #2
    ==============================================
    >Drivers
    ==============================================
    ==============================================
    >Stealth
    ==============================================
    WARNING: Virus alike driver modification [cpqdap01.sys]
    WARNING: Virus alike driver modification [nikedrv.sys]
    WARNING: Virus alike driver modification [rio8drv.sys]
    WARNING: Virus alike driver modification [riodrv.sys]
    WARNING: Virus alike driver modification [ws2ifsl.sys]
    WARNING: Virus alike driver modification [fsvga.sys]
    WARNING: Virus alike driver modification [smclib.sys]
    WARNING: Virus alike driver modification [Hdaudio.sys]
    WARNING: Virus alike driver modification [tsbvcap.sys]
    WARNING: Virus alike driver modification [cinemst2.sys]
    WARNING: Virus alike driver modification [atmepvc.sys]
    WARNING: Virus alike driver modification [rawwan.sys]
    WARNING: Virus alike driver modification [atmuni.sys]
    WARNING: Virus alike driver modification [tosdvd.sys]
    WARNING: Virus alike driver modification [nwlnkspx.sys]
    WARNING: Virus alike driver modification [vdmindvd.sys]
    WARNING: Virus alike driver modification [rootmdm.sys]
    WARNING: Virus alike driver modification [nwlnknb.sys]
    WARNING: Virus alike driver modification [enum1394.sys]
    WARNING: Virus alike driver modification [mcd.sys]
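The driver listing above is the kind of output a helper reads by eye: every line is a load address, an image path and, when the scanner could read it, the embedded vendor and description. The triage script below is an added example for this thread, not code from any of the tools being run. It parses that long line form ("0xADDR path SIZE bytes (vendor, description)") as well as the shorter "0xADDR path" form that MBRCheck prints, and flags entries worth a second look: images with no embedded vendor string, images loaded from outside system32 or Program Files, and images loaded from a user profile or Temp directory (8.3 short names such as DOCUME~1 included, as the logs print them). The flags are review hints, not verdicts; legitimate third-party drivers trip them too. The sample lines are copied from logs in this thread, plus one header line to show that non-driver lines are skipped.

```python
"""Triage a kernel-driver listing like the one pasted above.

Added example for this thread (not code from any of the tools being run).
The heuristics are review hints, not malware verdicts.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Long form: "0xADDR path SIZE bytes (vendor, description)"; short form: "0xADDR path".
LINE_RE = re.compile(
    r"^\s*0x(?P<addr>[0-9A-Fa-f]{8})\s+(?P<path>.+?)"
    r"(?:\s+(?P<size>\d+)\s+bytes(?:\s+\((?P<info>.*)\))?)?\s*$"
)

# Where a driver image is normally expected to live on an XP box.
EXPECTED_ROOTS = ("c:\\windows\\system32\\", "c:\\program files\\")
# Markers of user-writable locations, 8.3 short names included.
WRITABLE_MARKERS = ("\\temp\\", "\\docume~1\\", "\\documents and settings\\")


@dataclass
class Driver:
    addr: int
    path: str                      # path exactly as printed in the log
    size: Optional[int]
    vendor: Optional[str]
    findings: list = field(default_factory=list)


def normalize(path: str) -> str:
    """Map NT object-manager prefixes onto a lower-cased Win32 path.

    A bare file name (e.g. "intelide.sys") is a boot-start driver loaded
    before \\SystemRoot was mapped, so it carries no directory at all.
    """
    if path.startswith("\\??\\"):
        path = path[4:]
    elif path.lower().startswith("\\systemroot\\"):
        path = "C:\\WINDOWS\\" + path[len("\\SystemRoot\\"):]
    elif path.upper().startswith("\\WINDOWS\\"):
        path = "C:" + path
    return path.lower()


def triage(line: str) -> Optional[Driver]:
    """Parse one log line; return None for lines that are not driver entries."""
    m = LINE_RE.match(line)
    if not m:
        return None
    raw = m.group("path")
    norm = normalize(raw)
    drv = Driver(
        addr=int(m.group("addr"), 16),
        path=raw,
        size=int(m.group("size")) if m.group("size") else None,
        vendor=m.group("info").split(",", 1)[0].strip() if m.group("info") else None,
    )
    if drv.size is not None and drv.vendor is None:
        drv.findings.append("no embedded vendor/description")
    if "\\" in raw and not norm.startswith(EXPECTED_ROOTS):
        drv.findings.append("loaded from outside system32/Program Files")
    if any(marker in norm for marker in WRITABLE_MARKERS):
        drv.findings.append("loaded from a user-writable profile/temp directory")
    return drv


def triage_listing(text: str) -> list:
    return [d for d in (triage(l) for l in text.splitlines()) if d is not None]


def flagged(text: str) -> dict:
    """Map each flagged path (as printed) to its findings."""
    return {d.path: d.findings for d in triage_listing(text) if d.findings}


# Sample lines copied from the logs in this thread, plus a header line that is skipped.
SAMPLE = r"""
    Kernel Drivers (total 5):
    0xF7BC2000 C:\Program Files\Avira\AntiVir Desktop\avgio.sys 8192 bytes (Avira GmbH, Avira AntiVir Support for Minifilter)
    0xF7BD0000 C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS 8192 bytes
    0xF7BEA000 C:\Program Files\Enigma Software Group\SpyHunter\esgiguard.sys 8192 bytes
    0xF7B56000 intelide.sys 8192 bytes (Microsoft Corporation, Intel PCI IDE Driver)
    0xB682B000 \??\C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\kwwcypob.sys
"""

if __name__ == "__main__":
    for path, findings in flagged(SAMPLE).items():
        print(path)
        for f in findings:
            print("   -", f)
```

Run on the sample it flags the Temp-directory driver (outside the expected roots and in a user-writable location) and the two images without an embedded vendor string; the Avira and Intel entries pass. A hit means "look at this file" (check its signature, hash and the service that registered it), not "this is malware": dump_WMILIB.SYS is a normal crash-dump copy and esgiguard.sys belongs to SpyHunter.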
     
  13. mpete

    mpete TS Rookie Topic Starter Posts: 50

    MBR Check File

    MBRCheck, version 1.2.3
    (c) 2010, AD

    Command-line:
    Windows Version: Windows XP Professional
    Windows Information: Service Pack 3 (build 2600)
    Logical Drives Mask: 0x02000ffc

    Kernel Drivers (total 152):
    0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
    0x806E5000 \WINDOWS\system32\hal.dll
    0xF7B50000 \WINDOWS\system32\KDCOM.DLL
    0xF7A60000 \WINDOWS\system32\BOOTVID.dll
    0xF7521000 ACPI.sys
    0xF7B52000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
    0xF7510000 pci.sys
    0xF7650000 isapnp.sys
    0xF7C18000 pciide.sys
    0xF78D0000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
    0xF7B54000 viaide.sys
    0xF7B56000 intelide.sys
    0xF7660000 MountMgr.sys
    0xF74F1000 ftdisk.sys
    0xF7B58000 dmload.sys
    0xF74CB000 dmio.sys
    0xF78D8000 PartMgr.sys
    0xF7670000 VolSnap.sys
    0xF74B3000 atapi.sys
    0xF7490000 fasttx2k.sys
    0xF7478000 \WINDOWS\system32\DRIVERS\SCSIPORT.SYS
    0xF7435000 ftsata2.sys
    0xF7680000 disk.sys
    0xF7690000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
    0xF7415000 fltmgr.sys
    0xF7403000 sr.sys
    0xF76A0000 bb-run.sys
    0xF76B0000 PxHelp20.sys
    0xF73EC000 KSecDD.sys
    0xF73D9000 WudfPf.sys
    0xF734C000 Ntfs.sys
    0xF731F000 NDIS.sys
    0xF76C0000 ohci1394.sys
    0xF76D0000 \WINDOWS\system32\DRIVERS\1394BUS.SYS
    0xF7305000 Mup.sys
    0xF7730000 \SystemRoot\system32\DRIVERS\nic1394.sys
    0xF77E0000 \SystemRoot\system32\DRIVERS\intelppm.sys
    0xF7A28000 \SystemRoot\system32\DRIVERS\aracpi.sys
    0xF66B7000 \SystemRoot\system32\DRIVERS\ati2mtag.sys
    0xF66A3000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
    0xF667B000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
    0xF7A30000 \SystemRoot\system32\DRIVERS\usbuhci.sys
    0xF6657000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
    0xF7A38000 \SystemRoot\system32\DRIVERS\usbehci.sys
    0xF6630000 \SystemRoot\system32\DRIVERS\hcwPP2.sys
    0xF660D000 \SystemRoot\system32\DRIVERS\ks.sys
    0xF6501000 \SystemRoot\system32\DRIVERS\AGRSM.sys
    0xF7A40000 \SystemRoot\System32\Drivers\Modem.SYS
    0xF64DA000 \SystemRoot\system32\DRIVERS\e100b325.sys
    0xF64C6000 \SystemRoot\system32\DRIVERS\parport.sys
    0xF77F0000 \SystemRoot\system32\DRIVERS\i8042prt.sys
    0xF7A48000 \SystemRoot\system32\DRIVERS\mouclass.sys
    0xF7B88000 \SystemRoot\system32\DRIVERS\armoucfltr.sys
    0xF7A50000 \SystemRoot\system32\DRIVERS\PS2.sys
    0xF7A58000 \SystemRoot\system32\DRIVERS\kbdclass.sys
    0xF7B8A000 \SystemRoot\system32\DRIVERS\arkbcfltr.sys
    0xF7800000 \SystemRoot\system32\DRIVERS\imapi.sys
    0xF7810000 \SystemRoot\system32\DRIVERS\cdrom.sys
    0xF7820000 \SystemRoot\system32\DRIVERS\redbook.sys
    0xF78E8000 \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
    0xF72D1000 \SystemRoot\system32\DRIVERS\arpolicy.sys
    0xF7B8C000 \SystemRoot\system32\DRIVERS\serscan.sys
    0xF7CD4000 \SystemRoot\system32\DRIVERS\audstub.sys
    0xF7830000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
    0xF72CD000 \SystemRoot\system32\DRIVERS\ndistapi.sys
    0xF64AF000 \SystemRoot\system32\DRIVERS\ndiswan.sys
    0xF7840000 \SystemRoot\system32\DRIVERS\raspppoe.sys
    0xF7850000 \SystemRoot\system32\DRIVERS\raspptp.sys
    0xF7910000 \SystemRoot\system32\DRIVERS\TDI.SYS
    0xF649E000 \SystemRoot\system32\DRIVERS\psched.sys
    0xF7860000 \SystemRoot\system32\DRIVERS\msgpc.sys
    0xF7938000 \SystemRoot\system32\DRIVERS\ptilink.sys
    0xF7918000 \SystemRoot\system32\DRIVERS\raspti.sys
    0xF646E000 \SystemRoot\system32\DRIVERS\rdpdr.sys
    0xF7870000 \SystemRoot\system32\DRIVERS\termdd.sys
    0xF7B8E000 \SystemRoot\system32\DRIVERS\swenum.sys
    0xF6410000 \SystemRoot\system32\DRIVERS\update.sys
    0xF7AF8000 \SystemRoot\system32\DRIVERS\mssmbios.sys
    0xF7880000 \SystemRoot\System32\Drivers\NDProxy.SYS
    0xEDF23000 \SystemRoot\system32\drivers\RtkHDAud.sys
    0xEDEFF000 \SystemRoot\system32\drivers\portcls.sys
    0xF78B0000 \SystemRoot\system32\drivers\drmk.sys
    0xF6C57000 \SystemRoot\system32\DRIVERS\usbhub.sys
    0xF7BA8000 \SystemRoot\system32\DRIVERS\USBD.SYS
    0xF7BAC000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
    0xF7CA4000 \SystemRoot\System32\Drivers\Null.SYS
    0xF7BAE000 \SystemRoot\System32\Drivers\Beep.SYS
    0xF7970000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
    0xF7978000 \SystemRoot\System32\drivers\vga.sys
    0xF7BB0000 \SystemRoot\System32\Drivers\mnmdd.SYS
    0xF7BB2000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
    0xF7980000 \SystemRoot\System32\Drivers\Msfs.SYS
    0xF7988000 \SystemRoot\System32\Drivers\Npfs.SYS
    0xF7AEC000 \SystemRoot\system32\DRIVERS\rasacd.sys
    0xED29C000 \SystemRoot\system32\DRIVERS\ipsec.sys
    0xED243000 \SystemRoot\system32\DRIVERS\tcpip.sys
    0xED21C000 \SystemRoot\System32\Drivers\Mpfp.sys
    0xED1F6000 \SystemRoot\system32\DRIVERS\ipnat.sys
    0xF6BE7000 \SystemRoot\system32\DRIVERS\ipfltdrv.sys
    0xED1CE000 \SystemRoot\system32\DRIVERS\netbt.sys
    0xED1AC000 \SystemRoot\System32\drivers\afd.sys
    0xF6BD7000 \SystemRoot\system32\DRIVERS\netbios.sys
    0xF7998000 \SystemRoot\system32\DRIVERS\ssmdrv.sys
    0xF7710000 \SystemRoot\system32\DRIVERS\wanarp.sys
    0xED159000 \SystemRoot\system32\DRIVERS\rdbss.sys
    0xED0E9000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
    0xED0B6000 \SystemRoot\system32\drivers\mfehidk.sys
    0xF7720000 \SystemRoot\System32\Drivers\Fips.SYS
    0xF7740000 \SystemRoot\system32\DRIVERS\arp1394.sys
    0xED059000 \SystemRoot\system32\DRIVERS\avipbb.sys
    0xF79A0000 \??\C:\WINDOWS\System32\Drivers\sunkfilt.sys
    0xF79A8000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
    0xF7BC2000 \??\C:\Program Files\Avira\AntiVir Desktop\avgio.sys
    0xF79C0000 \SystemRoot\system32\DRIVERS\usbccgp.sys
    0xEDD4F000 \SystemRoot\system32\DRIVERS\usbscan.sys
    0xF79D8000 \SystemRoot\system32\DRIVERS\usbprint.sys
    0xF77C0000 \SystemRoot\system32\drivers\usbaudio.sys
    0xEDD4B000 \SystemRoot\system32\DRIVERS\hidusb.sys
    0xF77D0000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
    0xF79E0000 \SystemRoot\system32\DRIVERS\arhidfltr.sys
    0xECEBF000 \SystemRoot\System32\Drivers\Fastfat.SYS
    0xED3C2000 \SystemRoot\System32\Drivers\Cdfs.SYS
    0xECEA7000 \SystemRoot\System32\Drivers\dump_atapi.sys
    0xF7BD0000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
    0xBF800000 \SystemRoot\System32\win32k.sys
    0xEDC23000 \SystemRoot\System32\drivers\Dxapi.sys
    0xF7A00000 \SystemRoot\System32\watchdog.sys
    0xBF000000 \SystemRoot\System32\drivers\dxg.sys
    0xF7CF1000 \SystemRoot\System32\drivers\dxgthk.sys
    0xBF012000 \SystemRoot\System32\ati2dvag.dll
    0xBF049000 \SystemRoot\System32\ati2cqag.dll
    0xBF07D000 \SystemRoot\System32\atikvmag.dll
    0xBF0B2000 \SystemRoot\System32\ati3duag.dll
    0xBF2F4000 \SystemRoot\System32\ativvaxx.dll
    0xBF391000 \SystemRoot\System32\ATMFD.DLL
    0xB8773000 \SystemRoot\system32\DRIVERS\avgntflt.sys
    0xB876F000 \SystemRoot\system32\DRIVERS\ndisuio.sys
    0xB843E000 \SystemRoot\system32\drivers\wdmaud.sys
    0xB8573000 \SystemRoot\system32\drivers\sysaudio.sys
    0xB8209000 \SystemRoot\system32\DRIVERS\mrxdav.sys
    0xB80B0000 \SystemRoot\System32\Drivers\HTTP.sys
    0xB8030000 \SystemRoot\system32\DRIVERS\srv.sys
    0xF7B7C000 \SystemRoot\system32\drivers\MSPQM.sys
    0xF7BEA000 \??\C:\Program Files\Enigma Software Group\SpyHunter\esgiguard.sys
    0xB7B00000 \SystemRoot\system32\drivers\mfesmfk.sys
    0xECFFA000 \SystemRoot\system32\drivers\mfebopk.sys
    0xB69AF000 \SystemRoot\system32\drivers\mfeavfk.sys
    0xB6E99000 \SystemRoot\system32\DRIVERS\asyncmac.sys
    0xB6984000 \SystemRoot\system32\drivers\kmixer.sys
    0xB682B000 \??\C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\kwwcypob.sys
    0xF7B9C000 \SystemRoot\system32\drivers\splitter.sys
    0x7C900000 \WINDOWS\system32\ntdll.dll

    Processes (total 71):
    0 System Idle Process
    4 System
    688 C:\WINDOWS\system32\smss.exe
    752 csrss.exe
    784 C:\WINDOWS\system32\winlogon.exe
    828 C:\WINDOWS\system32\services.exe
    840 C:\WINDOWS\system32\lsass.exe
    1036 C:\PROGRA~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE
    1048 C:\WINDOWS\system32\ati2evxx.exe
    1068 C:\WINDOWS\system32\svchost.exe
    1160 svchost.exe
    1256 C:\WINDOWS\system32\svchost.exe
    1296 C:\WINDOWS\system32\svchost.exe
    1368 svchost.exe
    1488 svchost.exe
    1648 C:\WINDOWS\system32\spoolsv.exe
    1668 C:\WINDOWS\system32\rundll32.exe
    1704 C:\WINDOWS\system32\rundll32.exe
    1764 C:\Program Files\Avira\AntiVir Desktop\sched.exe
    1980 svchost.exe
    172 C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    196 C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    200 C:\WINDOWS\arservice.exe
    256 C:\Program Files\Bonjour\mDNSResponder.exe
    280 C:\WINDOWS\ehome\ehrecvr.exe
    532 C:\WINDOWS\ehome\ehSched.exe
    704 C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    748 C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    1656 C:\WINDOWS\system32\ati2evxx.exe
    1808 C:\WINDOWS\explorer.exe
    1948 C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
    1904 C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe
    2248 C:\PROGRA~1\McAfee\VIRUSS~1\Mcshield.exe
    2324 C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    2408 C:\Program Files\McAfee\MPF\MpfSrv.exe
    2584 svchost.exe
    2736 C:\WINDOWS\system32\svchost.exe
    2876 C:\Program Files\Webroot\Washer\WasherSvc.exe
    3152 C:\Program Files\McAfee.com\Agent\mcagent.exe
    3172 mcrdsvc.exe
    3380 C:\WINDOWS\arpwrmsg.exe
    3388 C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
    3420 C:\hp\drivers\hplsbwatcher\LSBurnWatcher.exe
    3460 C:\WINDOWS\RTHDCPL.EXE
    3520 C:\Program Files\Multimedia Card Reader\shwicon2k.exe
    3696 C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
    3712 C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
    3772 C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    3824 C:\WINDOWS\system32\spool\drivers\w32x86\3\E_FATIACA.EXE
    3872 C:\Program Files\iTunes\iTunesHelper.exe
    3912 C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter4.exe
    3928 C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    3960 C:\WINDOWS\system32\ctfmon.exe
    3984 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    512 C:\Program Files\Windows Live\Messenger\msnmsgr.exe
    1508 C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    1872 C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
    1348 C:\Program Files\Southwest Airlines\Ding\Ding.exe
    1728 C:\Program Files\iPod\bin\iPodService.exe
    2104 C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    3372 alg.exe
    1188 C:\WINDOWS\system32\svchost.exe
    3208 C:\Documents and Settings\HP_Administrator\Application Data\mjusbsp\magicJack.exe
    3224 C:\WINDOWS\system32\WISPTIS.EXE
    3884 C:\PROGRA~1\COMMON~1\McAfee\MNA\McNASvc.exe
    4204 C:\hp\KBD\kbd.exe
    1792 C:\WINDOWS\system\hpsysdrv.exe
    3560 C:\Program Files\Java\jre1.5.0\bin\jusched.exe
    4500 C:\Program Files\Internet Explorer\iexplore.exe
    296 C:\WINDOWS\system32\notepad.exe
    4196 C:\Documents and Settings\HP_Administrator\Desktop\MBRCheck.exe

    \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000002`00d12c00 (NTFS)
    \\.\D: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (FAT32)

    PhysicalDrive0 Model Number: WDCWD2500JS-60MHB1, Rev: 10.02E02

    Size Device Name MBR Status
    --------------------------------------------
    232 GB \\.\PhysicalDrive0 Legit MBR code detected
    SHA1: F75A10171F7488C11BA9A98CEC3D186D7A8D3972


    Done!
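MBRCheck's summary above reduces to three checks on sector 0 of the disk: the 0x55AA signature is present, the partition table maps each volume to a byte offset (the "at offset" values), and the boot code hashes to a value on a known-good list ("Legit MBR code detected" with the SHA1). The script below is an added example for this thread, not MBRCheck's own code. Its sample MBR is constructed: the two partition entries are chosen so that their byte offsets come out equal to the ones in the log (D: FAT32 at 0x7e00, C: NTFS at 0x00000002`00d12c00), the second partition's size is made up, and the boot code is all zeros. Which byte range MBRCheck hashes is not stated in the log, so hashing the 440-byte boot-code area is an assumption, and the allowlist is whatever the caller supplies.

```python
"""Read and check a Master Boot Record the way MBRCheck's summary above implies.

Added example for this thread, not MBRCheck's own code. Hashing the 440-byte
boot-code area and the sample partition layout are this example's assumptions.
"""
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 440       # 0..439 boot code; 440..443 disk signature; 444..445 reserved
PTABLE_OFF = 446          # four 16-byte partition entries
SIG_OFF = 510             # 0x55 0xAA

PARTITION_TYPES = {0x05: "Extended", 0x07: "NTFS", 0x0B: "FAT32",
                   0x0C: "FAT32 (LBA)", 0x0F: "Extended (LBA)"}


def parse_mbr(mbr: bytes) -> dict:
    """Return boot-code SHA1 and the non-empty partition entries of one 512-byte sector."""
    if len(mbr) != SECTOR:
        raise ValueError("MBR must be exactly one 512-byte sector")
    if mbr[SIG_OFF:SIG_OFF + 2] != b"\x55\xAA":
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        entry = mbr[PTABLE_OFF + 16 * i: PTABLE_OFF + 16 * (i + 1)]
        status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack("<B3sB3sII", entry)
        if ptype == 0:
            continue                      # unused slot
        partitions.append({
            "index": i,
            "bootable": status == 0x80,
            "type": PARTITION_TYPES.get(ptype, f"0x{ptype:02X}"),
            "byte_offset": lba_start * SECTOR,   # what MBRCheck prints as "at offset"
            "size_bytes": sectors * SECTOR,
        })
    return {
        "boot_code_sha1": hashlib.sha1(mbr[:BOOT_CODE_LEN]).hexdigest().upper(),
        "partitions": partitions,
    }


def mbr_is_known(mbr: bytes, allowlist: set) -> bool:
    """True when the boot code hashes to a value on the caller's known-good list."""
    return parse_mbr(mbr)["boot_code_sha1"] in allowlist


def read_physical_mbr(device: str = r"\\.\PhysicalDrive0") -> bytes:
    """Read sector 0 of a raw disk (Windows; needs administrator rights). Not called here."""
    with open(device, "rb") as disk:
        return disk.read(SECTOR)


def _entry(bootable: bool, ptype: int, lba_start: int, sectors: int) -> bytes:
    chs = b"\xFE\xFF\xFF"                 # "CHS overflow" marker; the LBA fields are what matter
    return struct.pack("<B3sB3sII", 0x80 if bootable else 0x00, chs, ptype, chs, lba_start, sectors)


def build_sample_mbr() -> bytes:
    """Constructed MBR: FAT32 at LBA 63 (0x7e00), then NTFS at LBA 16803990 (0x200d12c00)."""
    d_start = 0x7E00 // SECTOR                    # 63
    c_start = 0x200D12C00 // SECTOR               # 16803990
    table = (
        _entry(False, 0x0B, d_start, c_start - d_start)
        + _entry(True, 0x07, c_start, 471_593_178)   # made-up size, roughly the rest of a 232 GB disk
        + bytes(32)                                  # two unused slots
    )
    mbr = bytes(BOOT_CODE_LEN) + bytes(4) + bytes(2) + table + b"\x55\xAA"
    assert len(mbr) == SECTOR
    return mbr


if __name__ == "__main__":
    info = parse_mbr(build_sample_mbr())
    print("boot code SHA1:", info["boot_code_sha1"])
    for p in info["partitions"]:
        print(f"  entry {p['index']}: {p['type']:12} at offset 0x{p['byte_offset']:012x}"
              f"{'  (bootable)' if p['bootable'] else ''}")
```

Against a live machine, `parse_mbr(read_physical_mbr())` gives the same three facts for the real disk. A hash that is not on the allowlist is a reason to dump and inspect the boot code, not proof of a bootkit: OEM recovery loaders and third-party boot managers also write their own MBR code.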
     
  14. Broni

    Broni Malware Annihilator Posts: 52,890   +344

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
    **Note 2 for AVG users: ComboFix will not run until AVG is uninstalled as a protective measure against the anti-virus. This is because AVG "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.



    Make sure you re-enable your security programs when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try one of the following:

    1. Run Combofix from Safe Mode.

    2. Delete the Combofix file, download a fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
    Do NOT run it yet.

    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right click Rkill and choose Run as Administrator

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    Rkill.com
    Rkill.scr
    Rkill.exe

    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, rKill and Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  15. mpete

    mpete TS Rookie Topic Starter Posts: 50

    ComboFix 11-03-31.01 - HP_Administrator 03/31/2011 21:49:25.1.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.466 [GMT -4:00]
    Running from: c:\documents and settings\HP_Administrator\Desktop\ComboFix.exe
    AV: AntiVir Desktop *Disabled/Outdated* {AD166499-45F9-482A-A743-FDD3350758C7}
    AV: McAfee VirusScan *Disabled/Outdated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
    FW: McAfee Personal Firewall *Disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\docume~1\HP_ADM~1\LOCALS~1\Temp\IadHide5.dll
    c:\documents and settings\All Users\Desktop\weather.lnk
    c:\documents and settings\HP_Administrator\Application Data\274802E504A0CA1118D9EBD23D9E619C
    c:\documents and settings\HP_Administrator\Application Data\274802E504A0CA1118D9EBD23D9E619C\enemies-names.txt
    c:\documents and settings\HP_Administrator\Application Data\274802E504A0CA1118D9EBD23D9E619C\local.ini
    c:\documents and settings\HP_Administrator\Application Data\Adobe\plugs
    c:\documents and settings\HP_Administrator\Application Data\Adobe\shed
    c:\documents and settings\HP_Administrator\Local Settings\Application Data\{6863B15F-F322-456E-BDC0-8EBA989979A1}
    c:\documents and settings\HP_Administrator\Local Settings\Application Data\{6863B15F-F322-456E-BDC0-8EBA989979A1}\chrome.manifest
    c:\documents and settings\HP_Administrator\Local Settings\Application Data\{6863B15F-F322-456E-BDC0-8EBA989979A1}\chrome\content\_cfg.js
    c:\documents and settings\HP_Administrator\Local Settings\Application Data\{6863B15F-F322-456E-BDC0-8EBA989979A1}\chrome\content\overlay.xul
    c:\documents and settings\HP_Administrator\Local Settings\Application Data\{6863B15F-F322-456E-BDC0-8EBA989979A1}\install.rdf
    c:\documents and settings\HP_Administrator\Local Settings\Temp\IadHide5.dll
    c:\program files\AutocompletePro
    c:\program files\AutocompletePro\AutocompletePro.dll
    c:\program files\AutocompletePro\chrome\autocompleteprochrome.crx
    c:\program files\AutocompletePro\FireFoxExtension.exe
    c:\program files\AutocompletePro\InstTracker.exe
    c:\program files\AutocompletePro\support@predictad.com\chrome.manifest
    c:\program files\AutocompletePro\support@predictad.com\chrome\content\browserOverlay.xul
    c:\program files\AutocompletePro\support@predictad.com\chrome\content\options.js
    c:\program files\AutocompletePro\support@predictad.com\chrome\content\options.xul
    c:\program files\AutocompletePro\support@predictad.com\chrome\content\utils.js
    c:\program files\AutocompletePro\support@predictad.com\defaults\preferences\predictad.js
    c:\program files\AutocompletePro\support@predictad.com\install.rdf
    c:\program files\AutocompletePro\unins000.dat
    c:\program files\AutocompletePro\unins000.exe
    D:\Autorun.inf
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-03-01 to 2011-04-01 )))))))))))))))))))))))))))))))
    .
    .
    2011-03-31 02:58 . 2011-03-31 02:58 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Apple Computer
    2011-03-31 00:44 . 2011-03-31 00:44 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Avira
    2011-03-31 00:40 . 2011-03-04 20:11 137656 ----a-w- c:\windows\system32\drivers\avipbb.sys
    2011-03-31 00:40 . 2010-06-17 18:27 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
    2011-03-31 00:40 . 2011-03-04 18:37 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2011-03-31 00:40 . 2010-06-17 18:27 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
    2011-03-31 00:40 . 2011-03-31 00:40 -------- d-----w- c:\program files\Avira
    2011-03-31 00:40 . 2011-03-31 00:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
    2011-03-31 00:29 . 2011-03-31 00:30 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
    2011-03-28 21:45 . 2011-03-28 21:45 -------- d-----w- c:\program files\ESET
    2011-03-26 16:17 . 2011-03-26 16:17 398760 ----a-r- c:\windows\cpnprt2.cid
    2011-03-26 16:17 . 2011-03-26 16:17 398760 ------w- c:\windows\system32\cpnprt2.cid
    2011-03-26 16:16 . 2011-03-26 16:16 -------- d-----w- c:\program files\Coupons
    2011-03-26 11:48 . 2011-03-27 10:45 0 ----a-w- c:\windows\Nrusupotovunikan.bin
    2011-03-24 01:31 . 2011-03-24 01:31 110080 ----a-r- c:\documents and settings\HP_Administrator\Application Data\Microsoft\Installer\{FEFA34C3-6C95-492A-9F30-0B0B23689389}\IconF7A21AF7.exe
    2011-03-24 01:31 . 2011-03-24 01:31 110080 ----a-r- c:\documents and settings\HP_Administrator\Application Data\Microsoft\Installer\{FEFA34C3-6C95-492A-9F30-0B0B23689389}\IconD7F16134.exe
    2011-03-24 01:31 . 2011-03-24 01:31 -------- d-----w- C:\sh4ldr
    2011-03-23 23:05 . 2011-03-23 23:05 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
    2011-03-10 00:46 . 2011-03-10 00:46 -------- d-----w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\Help
    2011-03-06 16:22 . 2011-03-06 16:22 -------- d-----w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\WMTools Downloaded Files
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-03-18 18:32 . 2011-02-14 22:05 71072 ----a-w- c:\windows\CouponPrinter.ocx
    2011-02-04 22:48 . 2004-08-10 12:00 456192 ----a-w- c:\windows\system32\encdec.dll
    2011-02-04 22:48 . 2004-08-10 12:00 291840 ----a-w- c:\windows\system32\sbe.dll
    2011-02-02 07:58 . 2004-08-10 12:00 2067456 ----a-w- c:\windows\system32\mstscax.dll
    2011-01-27 11:57 . 2004-08-10 12:00 677888 ----a-w- c:\windows\system32\mstsc.exe
    2011-01-21 14:44 . 2004-08-10 12:00 439296 ----a-w- c:\windows\system32\shimgvw.dll
    2011-01-07 14:09 . 2004-08-10 12:00 290048 ----a-w- c:\windows\system32\atmfd.dll
    2011-01-04 16:08 . 2011-01-04 16:08 8192 ----a-r- c:\documents and settings\HP_Administrator\Application Data\Microsoft\Installer\{84031A18-BA9A-4156-A74F-E05B52DDFCE2}\Icon84031A18.exe
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-10-31 68856]
    "MsnMsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-04-17 3872080]
    "cdloader"="c:\documents and settings\HP_Administrator\Application Data\mjusbsp\cdloader2.exe" [2010-12-03 50592]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-03 77312]
    "ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2005-08-10 61440]
    "HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-02-26 245760]
    "LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2005-05-11 253952]
    "RTHDCPL"="RTHDCPL.EXE" [2007-10-25 16855552]
    "Sunkist2k"="c:\program files\Multimedia Card Reader\shwicon2k.exe" [2004-02-27 135168]
    "mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-07-10 645328]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-12 49152]
    "Nikon Transfer Monitor"="c:\program files\Common Files\Nikon\Monitor\NkMonitor.exe" [2008-09-30 485208]
    "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-12-14 47904]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
    "EPSON Stylus CX3800 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE" [2005-02-08 98304]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-12-13 421160]
    "SpyHunter Security Suite"="c:\program files\Enigma Software Group\SpyHunter\SpyHunter4.exe" [2011-03-17 4639136]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-03-04 281768]
    .
    c:\documents and settings\HP_Administrator\Start Menu\Programs\Startup\
    DING!.lnk - c:\program files\Southwest Airlines\Ding\Ding.exe [2006-6-22 462848]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    ATI CATALYST System Tray.lnk - c:\program files\ATI Technologies\ATI.ACE\CLI.exe [2005-8-10 61440]
    Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-6-21 282624]
    KODAK Software Updater.lnk - c:\program files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-2-13 16423]
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @=""
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
    backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2010-09-23 08:47 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
    2005-08-06 03:56 64512 -c--a-w- c:\windows\ehome\ehtray.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
    2005-05-12 13:12 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD08]
    2005-06-02 06:35 49152 -c--a-w- c:\program files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2010-12-13 22:16 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2010-11-29 22:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2008-06-10 08:27 144784 -c--a-w- c:\program files\Java\jre1.6.0_07\bin\jusched.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
    "c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Documents and Settings\\HP_Administrator\\Application Data\\mjusbsp\\magicJack.exe"=
    .
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [3/30/2011 8:40 PM 135336]
    R2 SpyHunter 4 Service;SpyHunter 4 Service;c:\progra~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE [3/17/2011 2:25 PM 723872]
    R2 wwEngineSvc;Window Washer Engine;c:\program files\Webroot\Washer\WasherSvc.exe [10/2/2008 11:48 AM 598856]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/8/2010 10:40 PM 135664]
    S3 esgiguard;esgiguard;c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys [1/27/2010 5:10 PM 5248]
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-03-26 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
    .
    2011-04-01 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-02-09 02:39]
    .
    2011-04-01 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-02-09 02:39]
    .
    2011-03-15 c:\windows\Tasks\McDefragTask.job
    - c:\progra~1\mcafee\mqc\QcConsol.exe [2008-10-02 01:26]
    .
    2011-03-01 c:\windows\Tasks\McQcTask.job
    - c:\progra~1\mcafee\mqc\QcConsol.exe [2008-10-02 01:26]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = www.msn.com/
    uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
    uInternet Connection Wizard,ShellNext = iexplore
    uInternet Settings,ProxyOverride = *.local
    uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
    .
    .
    ------- File Associations -------
    .
    .scr=AutoCADScriptFile
    .
    - - - - ORPHANS REMOVED - - - -
    .
    HKCU-Run-Jgukim - c:\windows\mscdist.dll
    AddRemove-AutocompletePro3_is1 - c:\program files\AutocompletePro\unins000.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-03-31 22:02
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(784)
    c:\windows\system32\Ati2evxx.dll
    .
    - - - - - - - > 'explorer.exe'(1744)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\Ati2evxx.exe
    c:\windows\system32\rundll32.exe
    c:\windows\system32\rundll32.exe
    c:\program files\Avira\AntiVir Desktop\avguard.exe
    c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\windows\arservice.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\windows\eHome\ehRecvr.exe
    c:\windows\eHome\ehSched.exe
    c:\program files\Common Files\LightScribe\LSSrvc.exe
    c:\progra~1\McAfee\MSC\mcmscsvc.exe
    c:\windows\system32\Ati2evxx.exe
    c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
    c:\program files\Avira\AntiVir Desktop\avshadow.exe
    c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
    c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    c:\program files\McAfee\MPF\MPFSrv.exe
    c:\windows\ehome\mcrdsvc.exe
    c:\progra~1\mcafee.com\agent\mcagent.exe
    c:\windows\system32\dllhost.exe
    c:\windows\system32\wscntfy.exe
    c:\windows\ARPWRMSG.EXE
    c:\windows\RTHDCPL.EXE
    c:\program files\iPod\bin\iPodService.exe
    c:\hp\KBD\KBD.EXE
    .
    **************************************************************************
    .
    Completion time: 2011-03-31 22:19:49 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-04-01 02:19
    .
    Pre-Run: 182,747,471,872 bytes free
    Post-Run: 182,747,021,312 bytes free
    .
    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
    .
    - - End Of File - - C9AA41D851F866AF67A9ACA27D3960F6
     
  16. Broni

    Broni Malware Annihilator Posts: 52,890   +344

    You're running two AV programs, Avira and McAfee.
    One of them has to go.
    Your choice.
    If you uninstalled McAfee in the past and I'm seeing just some leftovers, please, run this tool to remove them: http://www.softpedia.com/get/Tweak/Uninstallers/McAfee-Consumer-Product-Removal-Tool.shtml

    =====================================================================

    Combofix log looks good now.

    How is computer doing?

    Download OTL to your Desktop.

    • Double click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.
    • Click the Scan All Users checkbox.
    • Under the Custom Scan box paste this in:


    netsvcs
    drivers32
    %SYSTEMDRIVE%\*.*
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\Fonts\*.ini
    %systemroot%\Fonts\*.ini2
    %systemroot%\Fonts\*.exe
    %systemroot%\system32\spool\prtprocs\w32x86\*.*
    %systemroot%\REPAIR\*.bak1
    %systemroot%\REPAIR\*.ini
    %systemroot%\system32\*.jpg
    %systemroot%\*.jpg
    %systemroot%\*.png
    %systemroot%\*.scr
    %systemroot%\*._sy
    %APPDATA%\Adobe\Update\*.*
    %ALLUSERSPROFILE%\Favorites\*.*
    %APPDATA%\Microsoft\*.*
    %PROGRAMFILES%\*.*
    %APPDATA%\Update\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\System32\config\*.sav
    %PROGRAMFILES%\bak. /s
    %systemroot%\system32\bak. /s
    %ALLUSERSPROFILE%\Start Menu\*.lnk /x
    %systemroot%\system32\config\systemprofile\*.dat /x
    %systemroot%\*.config
    %systemroot%\system32\*.db
    %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
    %USERPROFILE%\Desktop\*.exe
    %PROGRAMFILES%\Common Files\*.*
    %systemroot%\*.src
    %systemroot%\install\*.*
    %systemroot%\system32\DLL\*.*
    %systemroot%\system32\HelpFiles\*.*
    %systemroot%\system32\rundll\*.*
    %systemroot%\winn32\*.*
    %systemroot%\Java\*.*
    %systemroot%\system32\test\*.*
    %systemroot%\system32\Rundll32\*.*
    %systemroot%\AppPatch\Custom\*.*
    %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x
    %PROGRAMFILES%\PC-Doctor\Downloads\*.*
    %PROGRAMFILES%\Internet Explorer\*.tmp
    %PROGRAMFILES%\Internet Explorer\*.dat
    %USERPROFILE%\My Documents\*.exe
    %USERPROFILE%\*.exe
    %systemroot%\ADDINS\*.*
    %systemroot%\assembly\*.bak2
    %systemroot%\Config\*.*
    %systemroot%\REPAIR\*.bak2
    %systemroot%\SECURITY\Database\*.sdb /x
    %systemroot%\SYSTEM\*.bak2
    %systemroot%\Web\*.bak2
    %systemroot%\Driver Cache\*.*
    %PROGRAMFILES%\Mozilla Firefox\0*.exe
    %ProgramFiles%\Microsoft Common\*.*
    %ProgramFiles%\TinyProxy.
    %USERPROFILE%\Favorites\*.url /x
    %systemroot%\system32\*.bk
    %systemroot%\*.te
    %systemroot%\system32\system32\*.*
    %ALLUSERSPROFILE%\*.dat /x
    %systemroot%\system32\drivers\*.rmv
    dir /b "%systemroot%\system32\*.exe" | find /i " " /c
    dir /b "%systemroot%\*.exe" | find /i " " /c
    %PROGRAMFILES%\Microsoft\*.*
    %systemroot%\System32\Wbem\proquota.exe
    %PROGRAMFILES%\Mozilla Firefox\*.dat
    %USERPROFILE%\Cookies\*.txt /x
    %SystemRoot%\system32\fonts\*.*
    %systemroot%\system32\winlog\*.*
    %systemroot%\system32\Language\*.*
    %systemroot%\system32\Settings\*.*
    %systemroot%\system32\*.quo
    %SYSTEMROOT%\AppPatch\*.exe
    %SYSTEMROOT%\inf\*.exe
    %SYSTEMROOT%\Installer\*.exe
    %systemroot%\system32\config\*.bak2
    %systemroot%\system32\Computers\*.*
    %SystemRoot%\system32\Sound\*.*
    %SystemRoot%\system32\SpecialImg\*.*
    %SystemRoot%\system32\code\*.*
    %SystemRoot%\system32\draft\*.*
    %SystemRoot%\system32\MSSSys\*.*
    %ProgramFiles%\Javascript\*.*
    %systemroot%\pchealth\helpctr\System\*.exe /s
    %systemroot%\Web\*.exe
    %systemroot%\system32\msn\*.*
    %systemroot%\system32\*.tro
    %AppData%\Microsoft\Installer\msupdates\*.*
    %ProgramFiles%\Messenger\*.*
    %systemroot%\system32\systhem32\*.*
    %systemroot%\system\*.exe
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
    /md5start
    /md5stop


    • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
     
  17. mpete

    mpete TS Rookie Topic Starter Posts: 50

    I haven't uninstalled McAfee yet, because the instructions said not to do that. I installed Avira in this process and I want to get rid of McAfee. Should I uninstall it and then use the program you suggested, or what do you recommend?

    The computer seems to be doing better so far.
     
  18. Broni

    Broni Malware Annihilator Posts: 52,890   +344

    Very well.
    Yes, you can uninstall McAfee now.
     
  19. mpete

    mpete TS Rookie Topic Starter Posts: 50

    OTL logfile created on: 3/31/2011 11:07:47 PM - Run 1
    OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\HP_Administrator\Desktop
    Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
    Internet Explorer (Version = 7.0.5730.13)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    1,022.00 Mb Total Physical Memory | 374.00 Mb Available Physical Memory | 37.00% Memory free
    2.00 Gb Paging File | 2.00 Gb Available in Paging File | 73.00% Paging File free
    Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 224.86 Gb Total Space | 170.36 Gb Free Space | 75.76% Space Free | Partition Type: NTFS
    Drive D: | 8.00 Gb Total Space | 0.86 Gb Free Space | 10.76% Space Free | Partition Type: FAT32
    Drive K: | 1.64 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
    Drive L: | 17.59 Mb Total Space | 17.32 Mb Free Space | 98.44% Space Free | Partition Type: FAT

    Computer Name: YOUR-55E5F9E3D2 | User Name: HP_Administrator | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: All users | Quick Scan
    Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

    ========== Processes (SafeList) ==========

    PRC - [2011/03/31 23:06:52 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\HP_Administrator\Desktop\OTL.exe
    PRC - [2011/03/17 14:25:44 | 004,639,136 | ---- | M] (Enigma Software Group USA, LLC.) -- C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter4.exe
    PRC - [2011/03/17 14:25:36 | 000,723,872 | ---- | M] (Enigma Software Group USA, LLC.) -- C:\Program Files\Enigma Software Group\SpyHunter\SH4Service.exe
    PRC - [2011/03/04 14:37:00 | 000,135,336 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe
    PRC - [2011/03/04 14:36:52 | 000,269,480 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    PRC - [2011/03/04 14:36:51 | 000,281,768 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    PRC - [2010/01/14 21:11:00 | 000,076,968 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
    PRC - [2008/09/30 14:06:50 | 000,485,208 | ---- | M] (Nikon Corporation) -- C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
    PRC - [2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
    PRC - [2007/11/26 14:47:40 | 000,598,856 | ---- | M] (Webroot Software, Inc.) -- C:\Program Files\Webroot\Washer\WasherSvc.exe
    PRC - [2007/06/21 23:56:14 | 000,282,624 | ---- | M] (Eastman Kodak Company) -- C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    PRC - [2006/06/22 15:15:48 | 000,462,848 | ---- | M] (Southwest Airlines) -- C:\Program Files\Southwest Airlines\Ding\Ding.exe
    PRC - [2005/09/14 22:59:31 | 000,241,772 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre1.5.0\bin\jucheck.exe
    PRC - [2005/09/14 22:59:31 | 000,036,972 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre1.5.0\bin\jusched.exe
    PRC - [2005/08/10 10:33:06 | 000,061,440 | ---- | M] (ATI Technologies Inc.) -- C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
    PRC - [2005/08/03 02:19:16 | 000,077,312 | ---- | M] (Microsoft) -- C:\WINDOWS\arpwrmsg.exe
    PRC - [2005/08/03 02:19:16 | 000,058,880 | ---- | M] (Microsoft) -- C:\WINDOWS\arservice.exe
    PRC - [2005/05/10 20:50:42 | 000,253,952 | ---- | M] (Hewlett-Packard Company) -- C:\hp\drivers\hplsbwatcher\LSBurnWatcher.exe
    PRC - [2005/02/07 23:00:00 | 000,098,304 | ---- | M] (SEIKO EPSON CORPORATION) -- C:\WINDOWS\system32\spool\drivers\w32x86\3\E_FATIACA.EXE
    PRC - [2004/02/27 10:05:54 | 000,135,168 | ---- | M] (Alcor Micro, Corp.) -- C:\Program Files\Multimedia Card Reader\shwicon2k.exe
    PRC - [2004/02/13 15:12:08 | 000,016,423 | ---- | M] () -- C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe


    ========== Modules (SafeList) ==========

    MOD - [2011/03/31 23:06:52 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\HP_Administrator\Desktop\OTL.exe
    MOD - [2010/08/23 12:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll
    MOD - [2004/02/11 17:58:16 | 000,024,613 | ---- | M] (BackWeb) -- C:\Documents and Settings\HP_Administrator\Local Settings\Temp\IadHide5.dll


    ========== Win32 Services (SafeList) ==========

    SRV - [2011/03/17 14:25:36 | 000,723,872 | ---- | M] (Enigma Software Group USA, LLC.) [Auto | Running] -- C:\Program Files\Enigma Software Group\SpyHunter\SH4Service.exe -- (SpyHunter 4 Service)
    SRV - [2011/03/04 14:37:00 | 000,135,336 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
    SRV - [2011/03/04 14:36:52 | 000,269,480 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
    SRV - [2008/10/12 20:31:37 | 000,085,096 | ---- | M] (Autodesk) [On_Demand | Stopped] -- C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe -- (Autodesk Licensing Service)
    SRV - [2008/08/29 10:00:30 | 000,033,752 | ---- | M] (NOS Microsystems Ltd.) [On_Demand | Stopped] -- C:\Program Files\NOS\bin\getPlus_HelperSvc.exe -- (getPlus(R) Helper) getPlus(R)
    SRV - [2007/11/26 14:47:40 | 000,598,856 | ---- | M] (Webroot Software, Inc.) [Auto | Running] -- C:\Program Files\Webroot\Washer\WasherSvc.exe -- (wwEngineSvc)
    SRV - [2005/08/03 02:19:16 | 000,058,880 | ---- | M] (Microsoft) [Auto | Running] -- C:\WINDOWS\arservice.exe -- (ARSVC)
    SRV - [2004/09/29 12:14:36 | 000,069,632 | ---- | M] (HP) [Boot | Stopped] -- C:\WINDOWS\system32\HPZipm12.exe -- (Pml Driver HPZ12)


    ========== Driver Services (SafeList) ==========

    DRV - [2011/03/04 16:11:12 | 000,137,656 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avipbb.sys -- (avipbb)
    DRV - [2011/03/04 14:37:13 | 000,061,960 | ---- | M] (Avira GmbH) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\avgntflt.sys -- (avgntflt)
    DRV - [2010/06/17 14:27:22 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ssmdrv.sys -- (ssmdrv)
    DRV - [2010/06/17 14:27:12 | 000,011,608 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Program Files\Avira\AntiVir Desktop\avgio.sys -- (avgio)
    DRV - [2010/01/27 17:10:44 | 000,005,248 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Program Files\Enigma Software Group\SpyHunter\esgiguard.sys -- (esgiguard)
    DRV - [2007/10/25 06:29:00 | 004,623,872 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
    DRV - [2005/08/10 01:35:00 | 001,273,856 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
    DRV - [2005/07/28 21:07:58 | 000,156,800 | ---- | M] (Hauppauge Computer Works, Inc.) [23|25|26]xxx) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hcwPP2.sys -- (hcwPP2)
    DRV - [2005/07/04 03:30:34 | 000,026,624 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\PS2.sys -- (Ps2)
    DRV - [2005/06/30 16:16:26 | 001,094,848 | ---- | M] (Agere Systems) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AGRSM.sys -- (AgereSoftModem)
    DRV - [2005/04/15 00:12:12 | 000,175,616 | ---- | M] (Promise Technology, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ftsata2.sys -- (ftsata2)
    DRV - [2004/08/04 08:31:34 | 000,020,992 | ---- | M] (Realtek Semiconductor Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\RTL8139.sys -- (rtl8139) Realtek RTL8139(A/B/C)
    DRV - [2004/03/22 11:05:22 | 000,039,904 | ---- | M] (Alcor Micro Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Sunkfilt.sys -- (SunkFilt)
    DRV - [2003/12/03 05:23:20 | 000,142,336 | ---- | M] (Promise Technology, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\fasttx2k.sys -- (fasttx2k)
    DRV - [2003/11/05 18:45:12 | 000,017,408 | ---- | M] (Promise Technology, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\bb-run.sys -- (bb-run)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========

    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm


    IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?T...=Q405&bd=pavilion&pf=desktop&parm1=seconduser
    IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?T...=Q405&bd=pavilion&pf=desktop&parm1=seconduser
    IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
    IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

    IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?T...=Q405&bd=pavilion&pf=desktop&parm1=seconduser
    IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?T...=Q405&bd=pavilion&pf=desktop&parm1=seconduser
    IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
    IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local



    IE - HKU\S-1-5-21-3546639218-2641362338-365077101-1008\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?T...=Q405&bd=pavilion&pf=desktop&parm1=seconduser
    IE - HKU\S-1-5-21-3546639218-2641362338-365077101-1008\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
    IE - HKU\S-1-5-21-3546639218-2641362338-365077101-1008\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    IE - HKU\S-1-5-21-3546639218-2641362338-365077101-1008\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = www.msn.com/
    IE - HKU\S-1-5-21-3546639218-2641362338-365077101-1008\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
    IE - HKU\S-1-5-21-3546639218-2641362338-365077101-1008\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local



    O1 HOSTS File: ([2011/03/31 22:01:55 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
    O1 - Hosts: 127.0.0.1 localhost
    O2 - BHO: (AC-Pro) - {0FB6A909-6086-458F-BD92-1F8EE10042A0} - File not found
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
    O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll (Sun Microsystems, Inc.)
    O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.6209.1142\swg.dll (Google Inc.)
    O3 - HKU\S-1-5-21-3546639218-2641362338-365077101-1008\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
    O4 - HKLM..\Run: [AlwaysReady Power Message APP] C:\WINDOWS\arpwrmsg.exe (Microsoft)
    O4 - HKLM..\Run: [ATICCC] C:\Program Files\ATI Technologies\ATI.ACE\cli.exe (ATI Technologies Inc.)
    O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
    O4 - HKLM..\Run: [EPSON Stylus CX3800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE (SEIKO EPSON CORPORATION)
    O4 - HKLM..\Run: [HPBootOp] C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe (Hewlett-Packard Company)
    O4 - HKLM..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\LSBurnWatcher.exe (Hewlett-Packard Company)
    O4 - HKLM..\Run: [Nikon Transfer Monitor] C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe (Nikon Corporation)
    O4 - HKLM..\Run: [SpyHunter Security Suite] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter4.exe (Enigma Software Group USA, LLC.)
    O4 - HKLM..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe (Alcor Micro, Corp.)
    O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe (ATI Technologies Inc.)
    O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe (Eastman Kodak Company)
    O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe ()
    O4 - Startup: C:\Documents and Settings\HP_Administrator\Start Menu\Programs\Startup\DING!.lnk = C:\Program Files\Southwest Airlines\Ding\Ding.exe (Southwest Airlines)
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallVisualStyle = C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles (Microsoft)
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallTheme = C:\WINDOWS\Resources\Themes\Royale.theme ()
    O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\S-1-5-21-3546639218-2641362338-365077101-1008\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-21-3546639218-2641362338-365077101-1008\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O7 - HKU\S-1-5-21-3546639218-2641362338-365077101-1008\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: _NoDriveTypeAutoRun = 145
    O7 - HKU\S-1-5-21-3546639218-2641362338-365077101-1008\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O7 - HKU\S-1-5-21-3546639218-2641362338-365077101-1008\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O8 - Extra context menu item: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll (Google Inc.)
    O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll (Sun Microsystems, Inc.)
    O9 - Extra Button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm ()
    O9 - Extra 'Tools' menuitem : Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm ()
    O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab (Shockwave ActiveX Control)
    O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (OnlineScanner Control)
    O16 - DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} http://picture.vzw.com/activex/VerizonWirelessUploadControl.cab (Verizon Wireless Media Upload)
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://dl8-cdn-01.sun.com/s/ESD44/J...31/&filename=jinstall-6u7-windows-i586-jc.cab (Java Plug-in 1.6.0_07)
    O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab (Reg Error: Key error.)
    O16 - DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0-windows-i586.cab (Java Plug-in 1.5.0)
    O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab (Java Plug-in 1.6.0_07)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab (Java Plug-in 1.6.0_07)
    O16 - DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} http://gfx1.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab (Windows Live Hotmail Photo Upload Tool)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1
    O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
    O24 - Desktop WallPaper: C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
    O24 - Desktop BackupWallPaper: C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2005/09/14 23:46:28 | 000,000,100 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
    O32 - AutoRun File - [2001/07/28 05:07:38 | 000,000,000 | -HS- | M] () - D:\AUTOEXEC.BAT -- [ FAT32 ]
    O32 - AutoRun File - [2009/08/03 13:04:35 | 000,027,992 | R--- | M] (magicJack L.P.) - K:\autorun.exe -- [ CDFS ]
    O32 - AutoRun File - [2009/08/03 13:04:35 | 000,016,158 | R--- | M] () - K:\autorun.ico -- [ CDFS ]
    O32 - AutoRun File - [2009/08/03 13:04:35 | 000,000,308 | R--- | M] () - K:\autorun.inf -- [ CDFS ]
    O32 - AutoRun File - [2009/08/03 13:04:35 | 000,728,816 | R--- | M] (magicJack L.P.) - K:\autorunu.exe -- [ CDFS ]
    O32 - Unable to obtain root file information for disk L:\
    O34 - HKLM BootExecute: (autocheck autochk *) - File not found
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37 - HKLM\...com [@ = ComFile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*

    NetSvcs: 6to4 - File not found
    NetSvcs: Ias - File not found
    NetSvcs: Iprip - File not found
    NetSvcs: Irmon - File not found
    NetSvcs: NWCWorkstation - File not found
    NetSvcs: Nwsapagent - File not found
    NetSvcs: WmdmPmSp - File not found

    Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
    Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
    Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
    Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
    Drivers32: MSVideo8 - C:\WINDOWS\System32\vfwwdm32.dll (Microsoft Corporation)
    Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
    Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
    Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
    Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax ()
    Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll ()
    Drivers32: vidc.LEAD - C:\WINDOWS\System32\LCodcCMP.dll (LEAD Technologies, Inc.)

    CREATERESTOREPOINT
    Restore point Set: OTL Restore Point (56590081070202880)

    ========== Files/Folders - Created Within 30 Days ==========

    [2011/03/31 23:05:29 | 000,580,608 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\HP_Administrator\Desktop\OTL.exe
    [2011/03/31 23:03:11 | 000,000,000 | -HSD | C] -- C:\RECYCLER
    [2011/03/31 21:48:10 | 000,000,000 | RHSD | C] -- C:\cmdcons
    [2011/03/31 21:45:20 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
    [2011/03/31 21:45:20 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
    [2011/03/31 21:45:20 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
    [2011/03/31 21:45:20 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
    [2011/03/31 21:45:11 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
    [2011/03/31 21:35:29 | 000,000,000 | ---D | C] -- C:\Qoobox
    [2011/03/31 20:52:24 | 001,377,112 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\HP_Administrator\Desktop\TDSSKiller.exe
    [2011/03/30 22:58:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Apple Computer
    [2011/03/30 22:56:53 | 000,446,464 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\HP_Administrator\Desktop\TFC.exe
    [2011/03/30 20:44:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\HP_Administrator\Application Data\Avira
    [2011/03/30 20:41:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Avira
    [2011/03/30 20:40:30 | 000,028,520 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\ssmdrv.sys
    [2011/03/30 20:40:26 | 000,137,656 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avipbb.sys
    [2011/03/30 20:40:26 | 000,022,360 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntmgr.sys
    [2011/03/30 20:40:25 | 000,061,960 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntflt.sys
    [2011/03/30 20:40:25 | 000,045,416 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntdd.sys
    [2011/03/30 20:40:24 | 000,000,000 | ---D | C] -- C:\Program Files\Avira
    [2011/03/30 20:40:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Avira
    [2011/03/30 20:29:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\MFAData
    [2011/03/28 18:12:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\HP_Administrator\My Documents\AVG
    [2011/03/28 17:45:25 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
    [2011/03/26 12:17:06 | 000,398,760 | R--- | C] (Coupons, Inc.) -- C:\WINDOWS\cpnprt2.cid
    [2011/03/26 12:17:06 | 000,398,760 | ---- | C] (Coupons, Inc.) -- C:\WINDOWS\System32\cpnprt2.cid
    [2011/03/26 12:16:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Coupons
    [2011/03/26 12:16:57 | 000,000,000 | ---D | C] -- C:\Program Files\Coupons
    [2011/03/23 21:31:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\HP_Administrator\Start Menu\Programs\SpyHunter
    [2011/03/23 21:31:35 | 000,000,000 | ---D | C] -- C:\sh4ldr
    [2011/03/23 19:04:08 | 000,000,000 | -HSD | C] -- C:\WINDOWS\CSC
    [2011/03/23 18:41:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
    [2011/03/23 18:40:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
    [2011/03/09 20:46:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Help
    [2011/03/09 20:46:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\HP_Administrator\Application Data\Help
    [2011/03/06 12:22:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\WMTools Downloaded Files
    [1 C:\Documents and Settings\HP_Administrator\My Documents\*.tmp files -> C:\Documents and Settings\HP_Administrator\My Documents\*.tmp -> ]

    ========== Files - Modified Within 30 Days ==========

    [2011/03/31 23:09:10 | 000,091,195 | ---- | M] () -- C:\logfile
    [2011/03/31 23:06:52 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\HP_Administrator\Desktop\OTL.exe
    [2011/03/31 23:06:06 | 000,000,246 | ---- | M] () -- C:\WINDOWS\System\hpsysdrv.dat
    [2011/03/31 23:05:00 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
    [2011/03/31 22:58:20 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
    [2011/03/31 22:58:07 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
    [2011/03/31 22:58:05 | 1072,152,576 | -HS- | M] () -- C:\hiberfil.sys
    [2011/03/31 22:53:57 | 001,373,616 | ---- | M] () -- C:\Documents and Settings\HP_Administrator\Desktop\MCPR.exe
    [2011/03/31 22:01:55 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
    [2011/03/31 21:48:15 | 000,000,325 | RHS- | M] () -- C:\boot.ini
    [2011/03/31 21:28:29 | 004,310,832 | R--- | M] () -- C:\Documents and Settings\HP_Administrator\Desktop\ComboFix.exe
    [2011/03/31 21:17:27 | 000,080,384 | ---- | M] () -- C:\Documents and Settings\HP_Administrator\Desktop\MBRCheck.exe
    [2011/03/31 21:15:59 | 000,036,828 | ---- | M] () -- C:\Documents and Settings\HP_Administrator\Desktop\RKReport
    [2011/03/31 21:13:45 | 000,133,632 | ---- | M] () -- C:\Documents and Settings\HP_Administrator\Desktop\RKUnhookerLE.EXE
    [2011/03/31 20:51:55 | 001,263,721 | ---- | M] () -- C:\Documents and Settings\HP_Administrator\Desktop\tdsskiller.zip
    [2011/03/31 19:00:38 | 000,625,664 | ---- | M] () -- C:\Documents and Settings\HP_Administrator\Desktop\dds.scr
    [2011/03/31 17:25:40 | 000,301,568 | ---- | M] () -- C:\Documents and Settings\HP_Administrator\Desktop\gmer.exe
    [2011/03/30 23:13:19 | 000,001,074 | ---- | M] () -- C:\Documents and Settings\HP_Administrator\Desktop\magicJack.lnk
    [2011/03/30 22:57:14 | 000,446,464 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\HP_Administrator\Desktop\TFC.exe
    [2011/03/30 21:46:33 | 000,413,883 | ---- | M] () -- C:\Documents and Settings\HP_Administrator\My Documents\TechSpot DOcument.rtf
    [2011/03/30 20:41:01 | 000,001,718 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Avira AntiVir Control Center.lnk
    [2011/03/27 14:51:16 | 000,000,120 | ---- | M] () -- C:\WINDOWS\Ybaheqij.dat
    [2011/03/27 09:17:22 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
    [2011/03/27 06:45:57 | 000,000,000 | ---- | M] () -- C:\WINDOWS\Nrusupotovunikan.bin
    [2011/03/26 18:53:03 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
    [2011/03/26 12:17:06 | 000,398,760 | R--- | M] (Coupons, Inc.) -- C:\WINDOWS\cpnprt2.cid
    [2011/03/26 12:17:06 | 000,398,760 | ---- | M] (Coupons, Inc.) -- C:\WINDOWS\System32\cpnprt2.cid
    [2011/03/23 21:31:38 | 000,002,006 | ---- | M] () -- C:\Documents and Settings\HP_Administrator\Desktop\SpyHunter.lnk
    [2011/03/18 14:32:10 | 000,071,072 | ---- | M] () -- C:\WINDOWS\CouponPrinter.ocx
    [2011/03/14 20:33:33 | 000,033,792 | R--- | M] () -- C:\Documents and Settings\All Users\Documents\ESBK.mb
    [2011/03/14 20:33:30 | 000,011,264 | R--- | M] () -- C:\Documents and Settings\All Users\Documents\ESBK.mbb
    [2011/03/14 20:32:54 | 000,445,370 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
    [2011/03/14 20:32:54 | 000,072,576 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
    [2011/03/10 12:27:50 | 001,377,112 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\HP_Administrator\Desktop\TDSSKiller.exe
    [2011/03/10 04:04:02 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
    [2011/03/04 20:07:59 | 000,000,046 | ---- | M] () -- C:\WINDOWS\System32\_WKERNEL.FRE
    [2011/03/04 16:11:12 | 000,137,656 | ---- | M] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avipbb.sys
    [2011/03/04 14:37:13 | 000,061,960 | ---- | M] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntflt.sys
    [1 C:\Documents and Settings\HP_Administrator\My Documents\*.tmp files -> C:\Documents and Settings\HP_Administrator\My Documents\*.tmp -> ]

    ========== Files Created - No Company Name ==========

    [2011/03/31 22:53:48 | 001,373,616 | ---- | C] () -- C:\Documents and Settings\HP_Administrator\Desktop\MCPR.exe
    [2011/03/31 21:45:20 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
    [2011/03/31 21:45:20 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
    [2011/03/31 21:45:20 | 000,089,088 | ---- | C] () -- C:\WINDOWS\MBR.exe
    [2011/03/31 21:45:20 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
    [2011/03/31 21:45:20 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
    [2011/03/31 21:28:16 | 004,310,832 | R--- | C] () -- C:\Documents and Settings\HP_Administrator\Desktop\ComboFix.exe
    [2011/03/31 21:17:14 | 000,080,384 | ---- | C] () -- C:\Documents and Settings\HP_Administrator\Desktop\MBRCheck.exe
    [2011/03/31 21:15:59 | 000,036,828 | ---- | C] () -- C:\Documents and Settings\HP_Administrator\Desktop\RKReport
    [2011/03/31 21:13:32 | 000,133,632 | ---- | C] () -- C:\Documents and Settings\HP_Administrator\Desktop\RKUnhookerLE.EXE
    [2011/03/31 20:51:50 | 001,263,721 | ---- | C] () -- C:\Documents and Settings\HP_Administrator\Desktop\tdsskiller.zip
    [2011/03/31 18:57:34 | 000,625,664 | ---- | C] () -- C:\Documents and Settings\HP_Administrator\Desktop\dds.scr
    [2011/03/31 17:25:35 | 000,301,568 | ---- | C] () -- C:\Documents and Settings\HP_Administrator\Desktop\gmer.exe
    [2011/03/30 20:41:00 | 000,001,718 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Avira AntiVir Control Center.lnk
    [2011/03/28 17:54:59 | 000,413,883 | ---- | C] () -- C:\Documents and Settings\HP_Administrator\My Documents\TechSpot DOcument.rtf
    [2011/03/26 07:48:37 | 000,000,120 | ---- | C] () -- C:\WINDOWS\Ybaheqij.dat
    [2011/03/26 07:48:37 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Nrusupotovunikan.bin
    [2011/03/23 20:27:42 | 1072,152,576 | -HS- | C] () -- C:\hiberfil.sys
    [2011/02/17 09:12:16 | 000,101,740 | -H-- | C] () -- C:\WINDOWS\System32\mlfcache.dat
    [2011/01/17 20:17:26 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
    [2010/06/17 14:11:59 | 000,000,000 | ---- | C] () -- C:\WINDOWS\hpqEmlSz.INI
    [2010/05/16 09:06:21 | 000,000,314 | ---- | C] () -- C:\Documents and Settings\HP_Administrator\Application Data\wklnhst.dat
    [2010/03/21 10:31:28 | 000,000,000 | ---- | C] () -- C:\WINDOWS\iPlayer.INI
    [2009/08/11 21:16:06 | 000,001,025 | ---- | C] () -- C:\WINDOWS\System32\sysprs7.dll
    [2009/08/11 21:16:06 | 000,001,025 | ---- | C] () -- C:\WINDOWS\System32\clauth2.dll
    [2009/08/11 21:16:06 | 000,001,025 | ---- | C] () -- C:\WINDOWS\System32\clauth1.dll
    [2009/08/11 21:16:06 | 000,000,205 | ---- | C] () -- C:\WINDOWS\System32\lsprst7.dll
    [2009/08/11 21:16:06 | 000,000,073 | ---- | C] () -- C:\WINDOWS\System32\ssprs.dll
    [2009/07/21 07:37:09 | 000,000,268 | RH-- | C] () -- C:\Documents and Settings\All Users\Application Data\WebServer
    [2009/07/21 07:37:09 | 000,000,268 | RH-- | C] () -- C:\Documents and Settings\HP_Administrator\Application Data\User Pictures
    [2009/07/21 07:37:09 | 000,000,020 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\PKP_DLdu.DAT
    [2009/07/21 07:37:09 | 000,000,012 | RH-- | C] () -- C:\Documents and Settings\All Users\Application Data\business-inkjet
    [2009/07/20 11:21:01 | 000,000,025 | ---- | C] () -- C:\WINDOWS\EPCX3800.ini
    [2009/01/10 15:02:51 | 000,000,221 | ---- | C] () -- C:\WINDOWS\HP_RedboxHprblog_HPSU.ini
    [2008/11/24 10:29:46 | 000,000,438 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
    [2008/10/21 12:20:35 | 000,870,128 | ---- | C] () -- C:\Documents and Settings\HP_Administrator\Application Data\mcs.rma
    [2008/10/21 12:20:35 | 000,000,004 | ---- | C] () -- C:\Documents and Settings\HP_Administrator\Application Data\5E4D4B
    [2008/10/06 21:15:56 | 000,000,144 | ---- | C] () -- C:\WINDOWS\System32\AddPort.ini
    [2008/10/06 21:14:38 | 000,000,907 | ---- | C] () -- C:\WINDOWS\hpntwksetup.ini
    [2008/10/06 21:10:14 | 000,068,951 | ---- | C] () -- C:\WINDOWS\hpoins05.dat
    [2008/10/06 21:10:14 | 000,019,696 | ---- | C] () -- C:\WINDOWS\hpomdl05.dat
    [2008/10/03 19:29:30 | 000,000,000 | ---- | C] () -- C:\WINDOWS\muveeapp.INI
    [2008/10/02 23:50:46 | 000,061,440 | ---- | C] () -- C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    [2008/10/02 11:47:11 | 000,061,440 | ---- | C] () -- C:\WINDOWS\wnUninstall.exe
    [2008/10/02 11:45:28 | 000,000,684 | ---- | C] () -- C:\WINDOWS\unins000.dat
    [2008/10/01 23:31:06 | 000,000,139 | ---- | C] () -- C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\fusioncache.dat
    [2005/09/15 00:17:13 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
    [2005/09/14 23:51:01 | 000,118,842 | R--- | C] () -- C:\WINDOWS\HPCPCUninstaller-6.3.2.116-9972322.exe
    [2005/09/14 23:50:16 | 000,014,289 | ---- | C] () -- C:\WINDOWS\System32\CHODDI.SYS
    [2005/09/14 23:50:08 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\hpreg.dll
    [2005/09/14 23:42:50 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
    [2005/09/14 23:38:00 | 000,204,800 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeW7.dll
    [2005/09/14 23:37:59 | 000,200,704 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeA6.dll
    [2005/09/14 23:37:59 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeP6.dll
    [2005/09/14 23:37:59 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeM6.dll
    [2005/09/14 23:37:59 | 000,188,416 | ---- | C] () -- C:\WINDOWS\System32\IVIresizePX.dll
    [2005/09/14 23:37:59 | 000,020,480 | ---- | C] () -- C:\WINDOWS\System32\IVIresize.dll
    [2005/09/14 23:32:01 | 000,000,059 | ---- | C] () -- C:\WINDOWS\WININIT.INI
    [2005/09/14 23:19:28 | 000,080,418 | ---- | C] () -- C:\WINDOWS\HPHins08.dat
    [2005/09/14 23:19:28 | 000,004,011 | ---- | C] () -- C:\WINDOWS\hphmdl08.dat
    [2005/09/14 23:17:23 | 000,072,881 | ---- | C] () -- C:\WINDOWS\hpiins01.dat
    [2005/09/14 23:17:23 | 000,000,000 | ---- | C] () -- C:\WINDOWS\hpimdl01.dat
    [2005/09/14 23:16:30 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
    [2005/09/14 23:13:12 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\hcwXDS.dll
    [2005/09/14 23:10:57 | 000,095,617 | ---- | C] () -- C:\WINDOWS\System32\atiicdxx.dat
    [2005/09/14 22:56:46 | 000,000,791 | ---- | C] () -- C:\WINDOWS\orun32.ini
    [2005/09/14 22:49:54 | 000,323,584 | ---- | C] () -- C:\WINDOWS\System32\pythoncom22.dll
    [2005/09/14 22:49:54 | 000,094,208 | ---- | C] () -- C:\WINDOWS\System32\pywintypes22.dll
    [2005/09/14 22:49:33 | 000,016,896 | ---- | C] () -- C:\WINDOWS\System32\bcbmm.dll
    [2005/08/21 12:47:36 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
    [2005/08/06 00:01:54 | 000,235,008 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
    [2005/08/03 02:19:16 | 000,050,176 | ---- | C] () -- C:\WINDOWS\armcex.dll
    [2005/07/02 09:36:02 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
    [2005/07/02 09:34:10 | 000,434,168 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
    [2005/07/02 09:28:10 | 000,445,370 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
    [2005/07/02 09:28:10 | 000,072,576 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
    [2005/01/28 13:41:00 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
    [2005/01/28 13:36:46 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
    [2004/08/10 22:00:00 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
    [2004/08/10 08:00:00 | 000,755,200 | ---- | C] () -- C:\WINDOWS\System32\ir50_32.dll
    [2004/08/10 08:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
    [2004/08/10 08:00:00 | 000,338,432 | ---- | C] () -- C:\WINDOWS\System32\ir41_qcx.dll
    [2004/08/10 08:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
    [2004/08/10 08:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
    [2004/08/10 08:00:00 | 000,200,192 | ---- | C] () -- C:\WINDOWS\System32\ir50_qc.dll
    [2004/08/10 08:00:00 | 000,183,808 | ---- | C] () -- C:\WINDOWS\System32\ir50_qcx.dll
    [2004/08/10 08:00:00 | 000,120,320 | ---- | C] () -- C:\WINDOWS\System32\ir41_qc.dll
    [2004/08/10 08:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
    [2004/08/10 08:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
    [2004/08/10 08:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
    [2004/08/10 08:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
    [2004/07/27 01:51:38 | 000,000,560 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
    [2003/01/08 01:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
    [2001/08/23 19:12:28 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
    [2001/08/23 19:11:02 | 000,004,490 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
    [2001/07/07 01:30:00 | 000,003,399 | ---- | C] () -- C:\WINDOWS\System32\hptcpmon.ini

    ========== LOP Check ==========

    [2005/09/14 23:49:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\SampleView
    [2009/01/28 20:42:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Autodesk
    [2009/07/21 07:37:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\EnterNHelp
    [2010/08/23 23:25:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\magicJack
    [2011/03/30 20:30:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MFAData
    [2008/10/03 19:28:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\muvee Technologies
    [2009/08/26 10:02:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Napster
    [2009/12/27 22:46:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\NewsView
    [2009/07/21 07:38:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Nikon
    [2009/07/21 07:37:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Ultima_T15
    [2011/01/13 19:41:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
    [2009/07/07 09:29:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
    [2005/09/14 23:49:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Default User\Application Data\SampleView

    ========== Purity Check ==========



    ========== Custom Scans ==========


    < %SYSTEMDRIVE%\*.* >
    [2010/02/20 16:10:01 | 000,003,264 | ---- | M] () -- C:\ASPI.LOG
    [2005/09/14 23:46:28 | 000,000,100 | ---- | M] () -- C:\AUTOEXEC.BAT
    [2008/10/03 11:18:20 | 000,000,279 | ---- | M] () -- C:\Boot.bak
    [2011/03/31 21:48:15 | 000,000,325 | RHS- | M] () -- C:\boot.ini
    [2004/08/10 08:00:00 | 000,260,272 | RHS- | M] () -- C:\cmldr
    [2011/03/31 22:19:56 | 000,018,395 | ---- | M] () -- C:\ComboFix.txt
    [2005/01/28 13:41:28 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS
    [2010/12/17 10:09:59 | 000,000,076 | ---- | M] () -- C:\DVDPATH.TXT
    [2011/03/31 22:58:05 | 1072,152,576 | -HS- | M] () -- C:\hiberfil.sys
    [2005/01/28 13:41:28 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
    [2011/03/31 23:09:10 | 000,091,195 | ---- | M] () -- C:\logfile
    [2005/01/28 13:41:28 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
    [2004/08/10 08:00:00 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
    [2008/10/02 09:50:03 | 000,250,048 | ---- | M] () -- C:\ntldr
    [2011/03/31 22:58:04 | 1610,612,736 | -HS- | M] () -- C:\pagefile.sys
    [2011/03/27 15:20:25 | 000,002,437 | ---- | M] () -- C:\sh4_service.log
    [2010/03/11 14:17:42 | 000,185,835 | ---- | M] () -- C:\shldr
    [2011/03/27 11:19:39 | 000,006,286 | ---- | M] () -- C:\spyhunter.log
    [2009/03/26 20:34:44 | 000,000,268 | -H-- | M] () -- C:\sqmdata00.sqm
    [2009/04/14 21:03:45 | 000,000,268 | -H-- | M] () -- C:\sqmdata01.sqm
    [2009/04/19 13:28:08 | 000,000,268 | -H-- | M] () -- C:\sqmdata02.sqm
    [2009/04/19 22:15:19 | 000,000,268 | -H-- | M] () -- C:\sqmdata03.sqm
    [2009/04/21 18:11:28 | 000,000,268 | -H-- | M] () -- C:\sqmdata04.sqm
    [2010/01/18 21:06:25 | 000,000,268 | -H-- | M] () -- C:\sqmdata05.sqm
    [2009/03/26 20:34:44 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt00.sqm
    [2009/04/14 21:03:45 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt01.sqm
    [2009/04/19 13:28:07 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt02.sqm
    [2009/04/19 22:15:19 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt03.sqm
    [2009/04/21 18:11:28 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt04.sqm
    [2010/01/18 21:06:24 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt05.sqm
    [2011/03/31 21:16:15 | 000,042,702 | ---- | M] () -- C:\TDSSKiller.2.4.21.0_31.03.2011_20.53.02_log.txt

    < %systemroot%\Fonts\*.com >
    [2006/04/18 15:39:28 | 000,026,040 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalMonospace.CompositeFont
    [2006/06/29 14:53:56 | 000,026,489 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalSansSerif.CompositeFont
    [2006/04/18 15:39:28 | 000,029,779 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalSerif.CompositeFont
    [2006/06/29 14:58:52 | 000,030,808 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalUserInterface.CompositeFont

    < %systemroot%\Fonts\*.dll >
    [2005/05/12 09:36:48 | 000,012,288 | ---- | M] (Hewlett-Packard Co.) -- C:\WINDOWS\Fonts\RandFont.dll

    < %systemroot%\Fonts\*.ini >
    [2005/01/28 13:40:34 | 000,000,067 | -HS- | M] () -- C:\WINDOWS\Fonts\desktop.ini

    < %systemroot%\Fonts\*.ini2 >

    < %systemroot%\Fonts\*.exe >

    < %systemroot%\system32\spool\prtprocs\w32x86\*.* >
    [2008/07/06 08:06:10 | 000,089,088 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll
    [2007/04/09 13:23:54 | 000,028,552 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\mdippr.dll
    [2008/07/06 06:50:03 | 000,597,504 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\printfilterpipelinesvc.exe

    < %systemroot%\REPAIR\*.bak1 >

    < %systemroot%\REPAIR\*.ini >

    < %systemroot%\system32\*.jpg >

    < %systemroot%\*.jpg >

    < %systemroot%\*.png >

    < %systemroot%\*.scr >
    [2002/07/08 23:38:21 | 007,000,064 | ---- | M] () -- C:\WINDOWS\NightLights.scr

    < %systemroot%\*._sy >

    < %APPDATA%\Adobe\Update\*.* >

    < %ALLUSERSPROFILE%\Favorites\*.* >

    < %APPDATA%\Microsoft\*.* >

    < %PROGRAMFILES%\*.* >

    < %APPDATA%\Update\*.* >

    < %systemroot%\*. /mp /s >

    < %systemroot%\System32\config\*.sav >
    [2005/01/28 05:28:56 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
    [2005/01/28 05:28:56 | 000,659,456 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
    [2005/01/28 05:28:56 | 000,872,448 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

    < %PROGRAMFILES%\bak. /s >

    < %systemroot%\system32\bak. /s >

    < %ALLUSERSPROFILE%\Start Menu\*.lnk /x >
    [2008/10/02 09:53:50 | 000,000,272 | -HS- | M] () -- C:\Documents and Settings\All Users\Start Menu\desktop.ini

    < %systemroot%\system32\config\systemprofile\*.dat /x >

    < %systemroot%\*.config >

    < %systemroot%\system32\*.db >

    < %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x >
    [2008/10/01 23:32:51 | 000,000,170 | -HS- | M] () -- C:\Documents and Settings\HP_Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\desktop.ini
    [2005/01/28 13:46:24 | 000,000,079 | ---- | M] () -- C:\Documents and Settings\HP_Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Show Desktop.scf

    < %USERPROFILE%\Desktop\*.exe >
    [2011/03/31 21:28:29 | 004,310,832 | R--- | M] () -- C:\Documents and Settings\HP_Administrator\Desktop\ComboFix.exe
    [2011/03/31 17:25:40 | 000,301,568 | ---- | M] () -- C:\Documents and Settings\HP_Administrator\Desktop\gmer.exe
    [2011/03/31 21:17:27 | 000,080,384 | ---- | M] () -- C:\Documents and Settings\HP_Administrator\Desktop\MBRCheck.exe
    [2011/03/31 22:53:57 | 001,373,616 | ---- | M] () -- C:\Documents and Settings\HP_Administrator\Desktop\MCPR.exe
    [2011/03/31 23:06:52 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\HP_Administrator\Desktop\OTL.exe
    [2011/03/31 21:13:45 | 000,133,632 | ---- | M] () -- C:\Documents and Settings\HP_Administrator\Desktop\RKUnhookerLE.EXE
    [2011/03/10 12:27:50 | 001,377,112 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\HP_Administrator\Desktop\TDSSKiller.exe
    [2011/03/30 22:57:14 | 000,446,464 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\HP_Administrator\Desktop\TFC.exe
     
  20. mpete

    mpete TS Rookie Topic Starter Posts: 50

    < %PROGRAMFILES%\Common Files\*.* >

    < %systemroot%\*.src >

    < %systemroot%\install\*.* >

    < %systemroot%\system32\DLL\*.* >

    < %systemroot%\system32\HelpFiles\*.* >

    < %systemroot%\system32\rundll\*.* >

    < %systemroot%\winn32\*.* >

    < %systemroot%\Java\*.* >

    < %systemroot%\system32\test\*.* >

    < %systemroot%\system32\Rundll32\*.* >

    < %systemroot%\AppPatch\Custom\*.* >

    < %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x >

    < %PROGRAMFILES%\PC-Doctor\Downloads\*.* >

    < %PROGRAMFILES%\Internet Explorer\*.tmp >

    < %PROGRAMFILES%\Internet Explorer\*.dat >

    < %USERPROFILE%\My Documents\*.exe >
    [2010/09/24 09:08:41 | 003,758,370 | ---- | M] (A Software Plus ) -- C:\Documents and Settings\HP_Administrator\My Documents\CoolMP3ToAACConverterSetup.exe
    [2010/10/30 14:02:35 | 006,153,352 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\HP_Administrator\My Documents\mbam-setup.exe
    [2008/05/25 20:38:06 | 004,707,746 | ---- | M] () -- C:\Documents and Settings\HP_Administrator\My Documents\qbrew-install.exe
    [2008/10/06 21:05:28 | 289,618,064 | ---- | M] (Hewlett-Packard Company ) -- C:\Documents and Settings\HP_Administrator\My Documents\rub_w01_Americas_Euro1.exe
    [2010/09/24 08:03:01 | 006,383,608 | ---- | M] (Koyote Soft ) -- C:\Documents and Settings\HP_Administrator\My Documents\Setup_FreeConverter.exe
    [2010/12/07 22:12:17 | 008,866,856 | ---- | M] (YL Computing, Inc ) -- C:\Documents and Settings\HP_Administrator\My Documents\wufinstall.exe
    [1 C:\Documents and Settings\HP_Administrator\My Documents\*.tmp files -> C:\Documents and Settings\HP_Administrator\My Documents\*.tmp -> ]

    < %USERPROFILE%\*.exe >

    < %systemroot%\ADDINS\*.* >
    [2004/08/10 08:00:00 | 000,000,791 | ---- | M] () -- C:\WINDOWS\addins\fxsext.ecf

    < %systemroot%\assembly\*.bak2 >

    < %systemroot%\Config\*.* >

    < %systemroot%\REPAIR\*.bak2 >

    < %systemroot%\SECURITY\Database\*.sdb /x >

    < %systemroot%\SYSTEM\*.bak2 >

    < %systemroot%\Web\*.bak2 >

    < %systemroot%\Driver Cache\*.* >

    < %PROGRAMFILES%\Mozilla Firefox\0*.exe >

    < %ProgramFiles%\Microsoft Common\*.* >

    < %ProgramFiles%\TinyProxy. >

    < %USERPROFILE%\Favorites\*.url /x >
    [2008/10/01 23:32:50 | 000,000,122 | -HS- | M] () -- C:\Documents and Settings\HP_Administrator\Favorites\Desktop.ini

    < %systemroot%\system32\*.bk >

    < %systemroot%\*.te >

    < %systemroot%\system32\system32\*.* >

    < %ALLUSERSPROFILE%\*.dat /x >

    < %systemroot%\system32\drivers\*.rmv >

    < dir /b "%systemroot%\system32\*.exe" | find /i " " /c >

    < dir /b "%systemroot%\*.exe" | find /i " " /c >

    < %PROGRAMFILES%\Microsoft\*.* >

    < %systemroot%\System32\Wbem\proquota.exe >

    < %PROGRAMFILES%\Mozilla Firefox\*.dat >

    < %USERPROFILE%\Cookies\*.txt /x >
    [2011/03/08 19:11:06 | 000,000,067 | -HS- | M] () -- C:\Documents and Settings\HP_Administrator\Cookies\desktop.ini
    [2011/03/31 23:00:05 | 000,917,504 | ---- | M] () -- C:\Documents and Settings\HP_Administrator\Cookies\index.dat

    < %SystemRoot%\system32\fonts\*.* >

    < %systemroot%\system32\winlog\*.* >

    < %systemroot%\system32\Language\*.* >

    < %systemroot%\system32\Settings\*.* >

    < %systemroot%\system32\*.quo >

    < %SYSTEMROOT%\AppPatch\*.exe >

    < %SYSTEMROOT%\inf\*.exe >
    [2007/06/26 22:10:26 | 000,317,440 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\inf\unregmp2.exe

    < %SYSTEMROOT%\Installer\*.exe >

    < %systemroot%\system32\config\*.bak2 >

    < %systemroot%\system32\Computers\*.* >

    < %SystemRoot%\system32\Sound\*.* >

    < %SystemRoot%\system32\SpecialImg\*.* >

    < %SystemRoot%\system32\code\*.* >

    < %SystemRoot%\system32\draft\*.* >

    < %SystemRoot%\system32\MSSSys\*.* >

    < %ProgramFiles%\Javascript\*.* >

    < %systemroot%\pchealth\helpctr\System\*.exe /s >

    < %systemroot%\Web\*.exe >

    < %systemroot%\system32\msn\*.* >

    < %systemroot%\system32\*.tro >

    < %AppData%\Microsoft\Installer\msupdates\*.* >

    < %ProgramFiles%\Messenger\*.* >
    [2008/04/13 20:11:51 | 000,033,792 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\custsat.dll
    [2004/08/04 19:06:34 | 000,004,821 | ---- | M] () -- C:\Program Files\Messenger\logowin.gif
    [2004/08/04 19:06:34 | 000,007,047 | ---- | M] () -- C:\Program Files\Messenger\lvback.gif
    [2008/05/02 10:01:49 | 000,083,968 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msgsc.dll
    [2008/04/13 13:30:28 | 000,180,224 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msgslang.dll
    [2008/04/13 20:12:28 | 001,695,232 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msmsgs.exe
    [2004/08/04 19:06:36 | 000,002,882 | ---- | M] () -- C:\Program Files\Messenger\newalert.wav
    [2004/08/04 19:06:36 | 000,006,156 | ---- | M] () -- C:\Program Files\Messenger\newemail.wav
    [2004/08/04 19:06:36 | 000,006,160 | ---- | M] () -- C:\Program Files\Messenger\online.wav
    [2004/08/04 19:06:36 | 000,004,454 | ---- | M] () -- C:\Program Files\Messenger\type.wav
    [2004/08/04 19:06:36 | 000,115,981 | ---- | M] () -- C:\Program Files\Messenger\xpmsgr.chm

    < %systemroot%\system32\systhem32\*.* >

    < %systemroot%\system\*.exe >
    [1998/05/07 12:04:38 | 000,052,736 | ---- | M] (Hewlett-Packard Company) -- C:\WINDOWS\system\hpsysdrv.exe

    < HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

    < HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\ Auto Update\Results\Install|LastSuccessTime /rs >


    < >

    < End of report >
     
  21. mpete

    mpete TS Rookie Topic Starter Posts: 50

    OTL Extras logfile created on: 3/31/2011 11:07:48 PM - Run 1
    OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\HP_Administrator\Desktop
    Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
    Internet Explorer (Version = 7.0.5730.13)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    1,022.00 Mb Total Physical Memory | 374.00 Mb Available Physical Memory | 37.00% Memory free
    2.00 Gb Paging File | 2.00 Gb Available in Paging File | 73.00% Paging File free
    Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 224.86 Gb Total Space | 170.36 Gb Free Space | 75.76% Space Free | Partition Type: NTFS
    Drive D: | 8.00 Gb Total Space | 0.86 Gb Free Space | 10.76% Space Free | Partition Type: FAT32
    Drive K: | 1.64 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
    Drive L: | 17.59 Mb Total Space | 17.32 Mb Free Space | 98.44% Space Free | Partition Type: FAT

    Computer Name: YOUR-55E5F9E3D2 | User Name: HP_Administrator | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: All users | Quick Scan
    Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

    ========== Extra Registry (SafeList) ==========


    ========== File Associations ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
    .cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
    .url [@ = InternetShortcut] -- rundll32.exe ieframe.dll,OpenURL %l

    ========== Shell Spawning ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
    batfile [open] -- "%1" %*
    cmdfile [open] -- "%1" %*
    comfile [open] -- "%1" %*
    cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
    exefile [open] -- "%1" %*
    htafile [open] -- "%1" %*
    InternetShortcut [open] -- rundll32.exe ieframe.dll,OpenURL %l
    piffile [open] -- "%1" %*
    regfile [merge] -- Reg Error: Key error.
    scrfile [config] -- "%1"
    scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
    scrfile [open] -- "%1" /S
    txtfile [edit] -- Reg Error: Key error.
    Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
    Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
    Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
    Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

    ========== Security Center Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
    "FirstRunDisabled" = 1
    "UpdatesDisableNotify" = 0
    "AntiVirusOverride" = 0
    "FirewallOverride" = 0
    "AntiVirusDisableNotify" = 0
    "FirewallDisableNotify" = 0

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

    ========== System Restore Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
    "DisableSR" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
    "Start" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
    "Start" = 2

    ========== Firewall Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    "EnableFirewall" = 1

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
    "1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007

    ========== Authorized Applications List ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    "C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe" = C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe:*:Enabled:hpofxm08.exe -- (Hewlett-Packard Co.)
    "C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe" = C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe:*:Enabled:hposfx08.exe -- (Hewlett-Packard Co.)
    "C:\Program Files\HP\Digital Imaging\bin\hposid01.exe" = C:\Program Files\HP\Digital Imaging\bin\hposid01.exe:*:Enabled:hposid01.exe -- (Hewlett-Packard Co.)
    "C:\Program Files\HP\Digital Imaging\bin\hpqCopy.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqCopy.exe:*:Enabled:hpqcopy.exe -- (Hewlett-Packard Co.)
    "C:\Program Files\HP\Digital Imaging\bin\hpfccopy.exe" = C:\Program Files\HP\Digital Imaging\bin\hpfccopy.exe:*:Enabled:hpfccopy.exe -- (Hewlett-Packard)
    "C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe" = C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe:*:Enabled:hpzwiz01.exe -- (Hewlett-Packard Co.)
    "C:\Program Files\HP\Digital Imaging\Unload\HpqPhUnl.exe" = C:\Program Files\HP\Digital Imaging\Unload\HpqPhUnl.exe:*:Enabled:hpqphunl.exe -- ()
    "C:\Program Files\HP\Digital Imaging\Unload\HpqDIA.exe" = C:\Program Files\HP\Digital Imaging\Unload\HpqDIA.exe:*:Enabled:hpqdia.exe -- ( )
    "C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe" = C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe:*:Enabled:hpoews01.exe -- (Hewlett-Packard Co.)
    "C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe" = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe:*:Enabled:EasyShare -- (Eastman Kodak Company)
    "C:\Documents and Settings\HP_Administrator\Application Data\mjusbsp\magicJack.exe" = C:\Documents and Settings\HP_Administrator\Application Data\mjusbsp\magicJack.exe:*:Enabled:magicJack -- (magicJack L.P.)
    "C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe" = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe:*:Disabled:Kodak Software Updater -- ()


    ========== HKEY_LOCAL_MACHINE Uninstall List ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "{0008546E-DF6E-4CC1-AFD0-2CB8E16C95A2}" = Notifier
    "{00203668-8170-44A0-BE44-B632FA4D780F}" = Adobe AIR
    "{03B1B42B-F6DE-41d9-8CFF-DC44E895C7A7}" = PhotoGallery
    "{0611BD4E-4FE4-4a62-B0C0-18A4CC463428}" = CP_Package_Variety1
    "{073F22CE-9A5B-4A40-A604-C7270AC6BF34}" = ESSSONIC
    "{075473F5-846A-448B-BCB3-104AA1760205}" = Sonic RecordNow Data
    "{08F9879C-0AA3-4B0A-AACE-3498BBCAE175}" = Scrapbook Factory Deluxe 3.0
    "{09984AEC-6B9F-4ca7-B78D-CB44D4771DA3}" = Destinations
    "{0DC86BEC-5CE3-413A-BB61-C40A3D186B24}" = Scan
    "{14589F05-C658-4594-9429-D437BA688686}" = IntelliMover Data Transfer Demo
    "{14D4ED84-6A9A-45A0-96F6-1753768C3CB5}" = ESSPCD
    "{172975EB-9465-4861-95B5-C7BB6D3DE62A}" = DocumentViewer
    "{181821B7-82AA-44DA-9DAF-EF254CCB670A}" = Fax
    "{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
    "{1AD5F465-8282-4DAD-B957-E09C0B783D18}" = InstantShare
    "{1B680FBA-E317-4E93-AF43-3B59798A4BE0}" = Copy
    "{1C139D7D-9FEA-468d-A9C8-2A6E3BDE564A}" = CP_Package_Variety3
    "{1CB92574-96F2-467B-B793-5CEB35C40C29}" = Image Resizer Powertoy for Windows XP
    "{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    "{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
    "{21DB3D90-D816-4092-A260-CA3F6B55A6DD}" = Sonic_PrimoSDK
    "{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
    "{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
    "{237CD223-1B9D-47E8-A76C-E478B83CCEA2}" = File Uploader
    "{23A7B376-BBEC-4e76-BBD7-0F155E70D74B}" = CP_Panorama1Config
    "{272EC8BA-5A08-4ea1-A189-684466A06B02}" = cp_dwShrek2Albums1
    "{2A981294-F14C-4F0F-9627-D793270922F8}" = Bonjour
    "{2C3D719A-92C7-4323-89CC-C937D0267B84}" = muvee autoProducer 4.0
    "{2C5D07FB-31A2-4F2D-9FDA-0B24ACD42BD0}" = HP Deskjet Printer Preload
    "{2CADCEAB-D5DA-44D6-B5FC-7DEE87AB3C0C}" = Unload
    "{2D03B6F8-DF36-4980-B7B6-5B93D5BA3A8F}" = essvatgt
    "{2DFF31F9-7893-4922-AF66-C9A1EB4EBB31}" = Rhapsody Player Engine
    "{30465B6C-B53F-49A1-9EBA-A3F187AD502E}" = Sonic Update Manager
    "{308B6AEA-DE50-4666-996D-0FA461719D6B}" = Apple Mobile Device Support
    "{30C19FF2-7FBA-4d09-B9DE-1659977F64F6}" = TrayApp
    "{3175E049-F9A9-4A3D-8F19-AC9FB04514D1}" = Windows Live Communications Platform
    "{3248F0A8-6813-11D6-A77B-00B0D0150000}" = J2SE Runtime Environment 5.0
    "{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java(TM) 6 Update 7
    "{32BDCCB8-9DC8-496d-9DB1-F77510775BDB}" = InstantShareDevices
    "{33D6CC28-9F75-4d1b-A11D-98895B3A3729}" = HP Photosmart 330,380,420,470,7800,8000,8200 Series
    "{342C7C88-D335-4bc2-8CF1-281857629CE2}" = HP PSC & OfficeJet 4.7
    "{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
    "{36E47DA1-10E1-45d9-8B19-14D19607CDCF}" = CP_CalendarTemplates1
    "{3912A629-0020-0005-3757-2FBA74D4DF0A}" = InterVideo WinDVD Player
    "{391E18CE-7D3B-45E9-A8F0-34E77F14F47A}" = ProductContext
    "{3BA95526-6AE0-4B87-A62D-17187EF565FC}" = HP Boot Optimizer
    "{3CCB26F5-E2A7-4C91-8340-9149D7B7C2BE}" = Virtual Earth 3D (Beta)
    "{413CEBC4-ABA1-4AC4-ADFB-69FA195F09AB}" = 7300_Help
    "{416D80BA-6F6D-4672-B7CF-F54DA2F80B44}" = Microsoft Works
    "{42938595-0D83-404D-9F73-F8177FDD531A}" = ESScore
    "{442BE28B-782B-4DC0-B490-E70A403B1C69}" = Readme
    "{45338B07-A236-4270-9A77-EBB4115517B5}" = Windows Live Sign-in Assistant
    "{4537EA4B-F603-4181-89FB-2953FC695AB1}" = netbrdg
    "{474F25F5-BDC9-40E5-B1B6-F6BF23FC106F}" = Windows Live Essentials
    "{4ED7D297-58F7-45C3-A9BA-A7CD6FA0D373}_is1" = SureThing CD Labeler LightScribe Trial 5
    "{5316DFC9-CE99-4458-9AB3-E8726EDE0210}" = skin0001
    "{5545EEE1-FA36-4F76-B6BE-5696E7F4E2D6}" = VBA (2627.01)
    "{56EE8B17-8274-418d-89AC-C057C5DB251E}" = RandMap
    "{57752979-A1C9-4C02-856B-FBB27AC4E02C}" = QuickTime
    "{5783F2D7-6001-0409-0002-0060B0CE6BBA}" = AutoCAD 2008 - English
    "{57F0ED40-8F11-41AA-B926-4A66D0D1A9CC}" = Microsoft Office Live Add-in 1.3
    "{5A01C58E-B0EC-49b9-AD71-7C0468688087}" = CP_Package_Basic1
    "{605A4E39-613C-4A12-B56F-DEFBE6757237}" = SHASTA
    "{6412CECE-8172-4BE5-935B-6CECACD2CA87}" = Windows Live Mail
    "{643EAE81-920C-4931-9F0B-4B343B225CA6}" = ESSBrwr
    "{644D04A2-C682-4FD5-977D-03B804C4B9C5}" = CreativeProjects
    "{64D5E9DE-7890-4FB0-8865-8B24BE1773F7}" = LightScribe 1.4.42.1
    "{64FC0C98-B035-4530-B15D-3D30610B6DF1}" = HP Software Update
    "{655CB07D-C944-40BE-B93F-55957CAC7625}" = AiO_Scan
    "{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}" = Sonic Express Labeler
    "{66BA8C26-AFE4-4408-807B-43E76B57EF53}" = SkinsHP1
    "{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
    "{69CF01AD-9E35-4BD7-9036-7B8478BEB839}" = HPTunesAddIn
    "{6B9B0C6F-E5FA-4633-A640-AB98A272ECCA}" = Safari
    "{6BB6627C-694F-4FDC-A3E5-C7F4BED4C724}" = DocProc
    "{700A6597-3CE6-49C1-AA75-846B24CDA66D}" = BufferChm
    "{724517BD-1DE1-4986-BFCA-C1DFD379E3BC}" = cp_dwShrek2Cards1
    "{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
    "{755EC5E3-FD51-46bd-A57F-7A2D56FBF061}" = PSTAPlugin
    "{769A295C-DCF4-41d6-AFBA-7D9394B23AFE}" = PSPrinters08
    "{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    "{77DCDCE3-2DED-62F3-8154-05E745472D07}" = Acrobat.com
    "{7AD25C9F-9957-4D1C-95EF-9BCD09F6D31B}" = HPSystemDiagnostics
    "{7C03270C-4FAB-4F5C-B10D-52FEDA190790}" = DocumentViewerQFolder
    "{7E27304E-BAA2-4d90-A34E-76641FAFABB4}" = CP_AtenaShokunin1Config
    "{83073C45-3003-4671-9A86-243AAADD915A}" = Microsoft Calculator Plus
    "{83ED1E80-A1B7-4226-BCF1-AC4A88151A6B}" = Microsoft Streets & Trips 2006 with GPS Locator
    "{84031A18-BA9A-4156-A74F-E05B52DDFCE2}" = DING!
    "{85CFD253-38AE-4DB1-ACB7-F0F4C791990D}" = AiOSoftware
    "{8777AC6D-89F9-4793-8266-DE406F343E89}" = QFolder
    "{881F5DE8-9367-4B81-A325-E91BBC6472F9}" = iTunes
    "{8943CE61-53BD-475E-90E1-A580869E98A2}" = staticcr
    "{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
    "{8A502E38-29C9-49FA-BCFA-D727CA062589}" = ESSTOOLS
    "{8E5233E1-7495-44FB-8DEB-4BE906D59619}" = Junk Mail filter update
    "{8E92D746-CD9F-4B90-9668-42B74C14F765}" = ESSini
    "{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
    "{91110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
    "{91120409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Standard Edition 2003
    "{91517631-A9F3-4B7C-B482-43E0068FD55A}" = ESSgui
    "{91810AFC-A4F8-4EBA-A5AA-B198BBC81144}" = InterVideo WinDVD Player
    "{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
    "{95120000-0122-0409-0000-0000000FF1CE}" = Microsoft Office Outlook Connector
    "{9941F0AA-B903-4AF4-A055-83A9815CC011}" = Sonic Encoders
    "{999D43F4-9709-4887-9B1A-83EBB15A8370}" = VPRINTOL
    "{9A346205-EA92-4406-B1AB-50379DA3F057}" = Autodesk DWF Viewer 7
    "{9A945BB0-FB9C-4DAA-9C72-789E4B97C595}" = ATI Catalyst Control Center
    "{9D18F7F8-B984-4249-8512-CC621BC59F12}" = Microsoft Location Finder
    "{9EF5B77F-703E-4953-9DA9-186E28A62568}" = 7300Trb
    "{A195B13E-A5E3-4BAF-A995-7F70F445CD06}" = ScannerCopy
    "{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI
    "{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
    "{A3455242-DAE0-4523-8242-FD82706ABF4B}" = CameraDrivers
    "{A5BB5365-EFB4-44c3-A7E2-EB59B7EFD23D}" = CueTour
    "{A71D5E81-B967-43DB-93D7-FD31BFB95748}" = MobileMe Control Panel
    "{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
    "{AB5D51AE-EBC3-438D-872C-705C7C2084B0}" = DeviceManagementQFolder
    "{AB708C9B-97C8-4AC9-899B-DBF226AC9382}" = Sonic RecordNow Audio
    "{AC76BA86-7AD7-1033-7B44-A94000000001}" = Adobe Reader 9.4.1
    "{AC76BA86-7AD7-5464-3428-900000000004}" = Spelling Dictionaries Support For Adobe Reader 9
    "{ADBFF96D-EE54-46EA-A835-899955CDCFD8}" = 7300
    "{AE1FA02D-E6A4-4EA0-8E58-6483CAC016DD}" = ESSCDBK
    "{B12665F4-4E93-4AB4-B7FC-37053B524629}" = Sonic RecordNow Copy
    "{B162D0A6-9A1D-4B7C-91A5-88FB48113C45}" = OfotoXMI
    "{B1931B3A-29E9-4F91-9B61-BE2CF05E84F1}" = muvee autoProducer unPlugged 1.1 - HPD
    "{B26D142C-AEBB-491B-A53D-513AF87BAE5F}" = LD-Field Data Input 1.2
    "{B4B44FE7-41FF-4DAD-8C0A-E406DDA72992}" = CCScore
    "{B4D279F1-4309-49cc-A4B5-3A0D2E59C7B5}" = PanoStandAlone
    "{B57EAFF2-D6EE-4C6C-9175-ED9F17BFC1BC}" = Windows Live Messenger
    "{B662D841-AAA0-41E8-B2AB-E374560DC5B1}" = Multimedia Card Reader
    "{B824B5C9-849F-4b9e-9EA7-6FD8CD8116DA}" = CP_Package_Variety2
    "{B911B811-BA3E-46D4-90F8-6F3338359651}" = Director
    "{B997C2A0-4383-41BF-B76E-9B8B7ECFB267}" = KSU
    "{BAF78226-3200-4DB4-BE33-4D922A799840}" = Windows Presentation Foundation
    "{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
    "{C7793EE8-F666-4E6B-9827-76468679480E}" = Tweakui Powertoy for Windows XP
    "{C83A12B9-B31B-461A-BBD4-CE9B988094F1}" = HP Photosmart Cameras 5.0
    "{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
    "{CDFCF124-115F-4976-8BF4-08C89187A146}" = WebReg
    "{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
    "{CF40ACC5-E1BB-4aff-AC72-04C2F616BCA7}" = getPlus(R) for Adobe
    "{D2FCC1AE-6311-47C5-8130-C6C66D77DD71}" = Nikon Message Center
    "{D32470A1-B10C-4059-BA53-CF0486F68EBC}" = Kodak EasyShare software
    "{D45E8C45-B601-4A80-AFD8-E16338744DE1}" = ArcSoft Panorama Maker 4
    "{D518592A-0F1E-40ca-BECB-3D3F026C6B0D}" = CameraDrivers
    "{DB02F716-6275-42E9-B8D2-83BA2BF5100B}" = SFR
    "{DB518BA6-CB74-4EB6-9ABD-880B6D6E1F38}" = HpSdpAppCoreApp
    "{E3F90083-80D4-4b5a-87C7-E97E12F5516D}" = HPProductAssistant
    "{E6158D07-2637-4ECF-B576-37C489669174}" = Windows Live Call
    "{E79987F0-0E34-42CC-B8FF-6C860AEEB26A}" = tooltips
    "{E9757890-7EC5-46C8-99AB-B00F07B6525C}" = Nikon Transfer
    "{EE6097DD-05F4-4178-9719-D3170BF098E8}" = Apple Application Support
    "{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
    "{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
    "{F22C222C-3CE2-4A4B-A83F-AF4681371ABE}" = kgcbase
    "{F4A2E7CC-60CA-4AFA-B67F-AD5E58173C3F}" = SKINXSDK
    "{F4C2E5F5-2970-45f4-ABD3-C180C4D961C4}" = Status
    "{F80239D8-7811-4D5E-B033-0D0BBFE32920}" = HP DigitalMedia Archive
    "{F9593CFB-D836-49BC-BFF1-0E669A411D9F}" = WIRELESS
    "{FC22D020-3005-4715-8DF9-F3EDE81DEB3D}" = CreativeProjectsTemplates
    "{FC274982-5AAD-4C20-848D-4424A5043010}_is1" = WinUtilities 9.94 Free Edition
    "{FCDB1C92-03C6-4C76-8625-371224256091}" = ESSPDock
    "{FDC8065B-80DE-4466-B90B-2581F6D77DFF}" = Image Plugin
    "{FEFA34C3-6C95-492A-9F30-0B0B23689389}" = SpyHunter
    "Adobe AIR" = Adobe AIR
    "Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
    "Adobe Shockwave Player" = Adobe Shockwave Player 11
    "Agere Systems Soft Modem" = Agere Systems PCI Soft Modem
    "Any PDF to DWG Converter_is1" = Any PDF to DWG Converter 2010
    "ATI Display Driver" = ATI Display Driver
    "AutoCAD 2008 - English" = AutoCAD 2008 - English
    "Avira AntiVir Desktop" = Avira AntiVir Personal - Free Antivirus
    "AwayMode160" = Microsoft Away Mode
    "B3EE3001-DC24-4cd1-8743-5692C716659F" = Otto
    "com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
    "Coupon Printer for Windows5.0.0.1" = Coupon Printer for Windows
    "drmtool.inf" = Personal License Update Wizard for Windows Media Player
    "EPSON Printer and Utilities" = EPSON Printer Software
    "EPSON Scanner" = EPSON Scan
    "ESET Online Scanner" = ESET Online Scanner v3
    "HP Document Viewer" = HP Document Viewer 5.3
    "HP Image Zone for Media Center PC" = HP Image Zone for Media Center PC
    "HP Imaging Device Functions" = HP Imaging Device Functions 5.3
    "HP Photo & Imaging" = HP Image Zone 5.3
    "IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
    "ie7" = Windows Internet Explorer 7
    "Image2CAD_is1" = Image2CAD 1.2
    "Img2CAD_is1" = Img2CAD 7.0
    "InstallShield_{B662D841-AAA0-41E8-B2AB-E374560DC5B1}" = Multimedia Card Reader
    "InterActual Player" = InterActual Player
    "Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
    "Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
    "Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
    "mmmusic" = Movie Maker Background Music Files
    "mmsounds" = Movie Maker Sound Effects
    "mmtitle" = Movie Maker Title Images
    "mplibwiz.inf" = Media Library Management Wizard
    "mpxlswiz.inf" = Windows Media Player Playlist Import to Excel Wizard
    "mpxptray.inf" = Windows Media Player Tray Control
    "MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
    "NewsView" = NewsView
    "Night Lights Screen Saver_is1" = Night Lights
    "NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
    "Peddimat" = Peddimat (remove only)
    "PROSet" = Intel(R) Network Connections Drivers
    "PS2" = PS2
    "Python 2.2.3" = Python 2.2.3
    "pywin32-py2.2" = Python 2.2 pywin32 extensions (build 203)
    "QBrew" = QBrew (remove only)
    "Rainbow Client Activator 2.2 English" = Client Activator 2.2 - English
    "Rhapsody" = Rhapsody
    "The Logo Creator v5" = The Logo Creator v5
    "UnityWebPlayer" = Unity Web Player
    "wa2wmp" = Windows Media Player Skin Importer
    "WinAce Archiver" = WinAce Archiver
    "Window Washer" = Window Washer
    "Windows Media Format Runtime" = Windows Media Format 11 runtime
    "Windows Media Player" = Windows Media Player 11
    "Windows XP Service Pack" = Windows XP Service Pack 3
    "WinLiveSuite_Wave3" = Windows Live Essentials
    "WMBK2" = Windows Media Bonus Pack for Windows XP
    "WMFDist11" = Windows Media Format 11 runtime
    "wmp11" = Windows Media Player 11
    "Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
    "XpsEPSC" = XML Paper Specification Shared Components Pack 1.0

    ========== HKEY_USERS Uninstall List ==========

    [HKEY_USERS\S-1-5-21-3546639218-2641362338-365077101-1008\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "magicJack" = magicJack

    ========== Last 10 Event Log Errors ==========

    [ Application Events ]
    Error - 3/30/2011 8:59:36 PM | Computer Name = YOUR-55E5F9E3D2 | Source = VSS | ID = 5013
    Description = Volume Shadow Copy Service error: Shadow Copy writer RemovableStorageManager
    called routine OpenNtmsSessionW which failed with status 0x80070422 (converted
    to 0x800423f4).

    Error - 3/30/2011 9:07:01 PM | Computer Name = YOUR-55E5F9E3D2 | Source = VSS | ID = 5013
    Description = Volume Shadow Copy Service error: Shadow Copy writer RemovableStorageManager
    called routine OpenNtmsSessionW which failed with status 0x80070422 (converted
    to 0x800423f4).

    Error - 3/30/2011 9:22:02 PM | Computer Name = YOUR-55E5F9E3D2 | Source = VSS | ID = 5013
    Description = Volume Shadow Copy Service error: Shadow Copy writer RemovableStorageManager
    called routine OpenNtmsSessionW which failed with status 0x80070422 (converted
    to 0x800423f4).

    Error - 3/30/2011 9:44:25 PM | Computer Name = YOUR-55E5F9E3D2 | Source = VSS | ID = 5013
    Description = Volume Shadow Copy Service error: Shadow Copy writer RemovableStorageManager
    called routine OpenNtmsSessionW which failed with status 0x80070422 (converted
    to 0x800423f4).

    Error - 3/30/2011 9:56:00 PM | Computer Name = YOUR-55E5F9E3D2 | Source = VSS | ID = 5013
    Description = Volume Shadow Copy Service error: Shadow Copy writer RemovableStorageManager
    called routine OpenNtmsSessionW which failed with status 0x80070422 (converted
    to 0x800423f4).

    Error - 3/30/2011 10:35:09 PM | Computer Name = YOUR-55E5F9E3D2 | Source = VSS | ID = 5013
    Description = Volume Shadow Copy Service error: Shadow Copy writer RemovableStorageManager
    called routine OpenNtmsSessionW which failed with status 0x80070422 (converted
    to 0x800423f4).

    Error - 3/30/2011 10:39:38 PM | Computer Name = YOUR-55E5F9E3D2 | Source = VSS | ID = 5013
    Description = Volume Shadow Copy Service error: Shadow Copy writer RemovableStorageManager
    called routine OpenNtmsSessionW which failed with status 0x80070422 (converted
    to 0x800423f4).

    Error - 3/30/2011 10:54:57 PM | Computer Name = YOUR-55E5F9E3D2 | Source = VSS | ID = 5013
    Description = Volume Shadow Copy Service error: Shadow Copy writer RemovableStorageManager
    called routine OpenNtmsSessionW which failed with status 0x80070422 (converted
    to 0x800423f4).

    Error - 3/30/2011 10:55:03 PM | Computer Name = YOUR-55E5F9E3D2 | Source = VSS | ID = 5013
    Description = Volume Shadow Copy Service error: Shadow Copy writer RemovableStorageManager
    called routine OpenNtmsSessionW which failed with status 0x80070422 (converted
    to 0x800423f4).

    Error - 3/30/2011 11:13:20 PM | Computer Name = YOUR-55E5F9E3D2 | Source = Application Error | ID = 1000
    Description = Faulting application McNASvc.exe, version 3.15.101.0, faulting module
    McNmcSrv.dll, version 3.15.101.0, fault address 0x000abe90.

    [ System Events ]
    Error - 3/31/2011 6:11:33 PM | Computer Name = YOUR-55E5F9E3D2 | Source = atapi | ID = 262153
    Description = The device, \Device\Ide\IdePort1, did not respond within the timeout
    period.

    Error - 3/31/2011 9:33:57 PM | Computer Name = YOUR-55E5F9E3D2 | Source = Service Control Manager | ID = 7034
    Description = The SpyHunter 4 Service service terminated unexpectedly. It has done
    this 1 time(s).

    Error - 3/31/2011 9:33:57 PM | Computer Name = YOUR-55E5F9E3D2 | Source = Service Control Manager | ID = 7031
    Description = The McAfee Real-time Scanner service terminated unexpectedly. It
    has done this 1 time(s). The following corrective action will be taken in 60000
    milliseconds: Restart the service.

    Error - 3/31/2011 9:33:57 PM | Computer Name = YOUR-55E5F9E3D2 | Source = Service Control Manager | ID = 7031
    Description = The McAfee SystemGuards service terminated unexpectedly. It has done
    this 1 time(s). The following corrective action will be taken in 60000 milliseconds:
    Restart the service.

    Error - 3/31/2011 10:01:10 PM | Computer Name = YOUR-55E5F9E3D2 | Source = Service Control Manager | ID = 7000
    Description = The MCSTRM service failed to start due to the following error: %%2

    Error - 3/31/2011 10:46:35 PM | Computer Name = YOUR-55E5F9E3D2 | Source = Service Control Manager | ID = 7000
    Description = The MCSTRM service failed to start due to the following error: %%2

    Error - 3/31/2011 10:48:05 PM | Computer Name = YOUR-55E5F9E3D2 | Source = DCOM | ID = 10005
    Description = DCOM got error "%1053" attempting to start the service COMSysApp with
    arguments "" in order to run the server: {ECABAFBC-7F19-11D2-978E-0000F8757E2A}

    Error - 3/31/2011 10:48:14 PM | Computer Name = YOUR-55E5F9E3D2 | Source = Service Control Manager | ID = 7009
    Description = Timeout (30000 milliseconds) waiting for the COM+ System Application
    service to connect.

    Error - 3/31/2011 10:48:14 PM | Computer Name = YOUR-55E5F9E3D2 | Source = Service Control Manager | ID = 7000
    Description = The COM+ System Application service failed to start due to the following
    error: %%1053

    Error - 3/31/2011 10:58:25 PM | Computer Name = YOUR-55E5F9E3D2 | Source = Service Control Manager | ID = 7000
    Description = The MCSTRM service failed to start due to the following error: %%2


    < End of report >
     
  22. mpete

    mpete TS Rookie Topic Starter Posts: 50

    Broni, thanks for your help this evening, I have to cut out until tomorrow. I have removed McAfee and run the program you suggested. Can I also get rid of Spyhunter 4, and what else would you suggest I clean up while I am at it?
     
  23. Broni

    Broni Malware Annihilator Posts: 52,890   +344

    Spyhunter is not a great program.
    You can safely uninstall it.

    ===================================================================

    1. Update your Java version here: http://www.java.com/en/download/installed.jsp

    Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

    Note 2: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

    2. Now, we need to remove the old Java version and its remnants...

    Download JavaRa to your desktop and unzip it to its own folder
    • Run JavaRa.exe (Vista users! Right click on JavaRa.exe, click Run As Administrator), pick the language of your choice and click Select. Then click Remove Older Versions.
    • Accept any prompts.

    =======================================================================

    Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following

      Code:
      :OTL
      O2 - BHO: (AC-Pro) - {0FB6A909-6086-458F-BD92-1F8EE10042A0} - File not found
      O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
      O3 - HKU\S-1-5-21-3546639218-2641362338-365077101-1008\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
      O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get.../ultrashim.cab (Reg Error: Key error.)
      [1 C:\Documents and Settings\HP_Administrator\My Documents\*.tmp files -> C:\Documents and Settings\HP_Administrator\My Documents\*.tmp -> ]
      [2011/03/27 06:45:57 | 000,000,000 | ---- | M] () -- C:\WINDOWS\Nrusupotovunikan.bin
      [2011/03/26 07:48:37 | 000,000,120 | ---- | C] () -- C:\WINDOWS\Ybaheqij.dat
      
      
      :Commands
      [purity]
      [emptytemp]
      [emptyflash]
      [Reboot]
      
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • You will get a log that shows the results of the fix. Please post it.

    =====================================================================

    Last scans...

    1. Download Security Check from HERE, and save it to your Desktop.
    • Double-click SecurityCheck.exe
    • Follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

      NOTE SecurityCheck may produce some false warning(s), so leave the results reading to me.


    2. Download Temp File Cleaner (TFC)
    • Double click on TFC.exe to run the program.
    • Click on Start button to begin cleaning process.
    • TFC will close all running programs, and it may ask you to restart computer.


    3. Please run a free online scan with the ESET Online Scanner

    • Disable your antivirus program
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • IMPORTANT! UN-check Remove found threats
    • Accept any security warnings from your browser.
    • Check Scan archives
    • Click Start
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    • When the scan completes, push List of found threats
    • Click on Export to text file, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    • NOTE. If ESET doesn't find any threats, it won't produce any log.
     
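As an added example (not OTL's code and not part of the thread), a small Python triage script that applies the two checks the fix script above is built on: it flags O2 BHO entries whose DLL or CLSID is gone, and compares the Shell Spawning handlers from an OTL Extras log against the Windows XP defaults. The sample log lines, the third BHO entry and the non-default exefile handler are constructed for the demonstration.

```python
"""Triage helpers for OTL log output (added example; not OTL's own code).

Two checks that mirror what the OTL fix script above targets:
  * orphaned_bhos(): O2 BHO entries whose DLL is gone ("File not found") or
    whose CLSID no longer resolves ("No CLSID value found.").
  * check_shell_spawning(): the "Shell Spawning" section of an OTL Extras log,
    compared against the Windows XP default handlers for executable types.
"""
import re

# Constructed sample lines modelled on the OTL output quoted in this thread.
# The third entry is a constructed healthy BHO (made-up CLSID) for contrast.
SAMPLE_OTL = r"""
O2 - BHO: (AC-Pro) - {0FB6A909-6086-458F-BD92-1F8EE10042A0} - File not found
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Example Helper) - {11111111-2222-3333-4444-555555555555} - C:\Program Files\Example\constructed_helper.dll (Constructed Vendor)
"""

# Constructed "Shell Spawning" section. The exefile line is a deliberately
# non-default handler so the check has something to flag; the thread's own log
# shows the default "%1" %* there.
SAMPLE_EXTRAS = r"""
========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "C:\example\constructed_wrapper.exe" "%1" %*
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.

========== Security Center Settings ==========
"""

BHO_RE = re.compile(
    r"^O2 - BHO: \((?P<name>.*?)\) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<target>.*)$"
)
SHELL_RE = re.compile(r"^(?P<cls>\w+) \[(?P<verb>\w+)\] -- (?P<cmd>.*)$")

# Windows XP defaults for the handlers that run a file directly. Anything else
# means another program sits in front of every launch of that file type.
XP_SHELL_DEFAULTS = {
    ("batfile", "open"): '"%1" %*',
    ("cmdfile", "open"): '"%1" %*',
    ("comfile", "open"): '"%1" %*',
    ("exefile", "open"): '"%1" %*',
    ("piffile", "open"): '"%1" %*',
    ("scrfile", "open"): '"%1" /S',
}


def orphaned_bhos(log_text):
    """Return (name, clsid, reason) for BHO entries with no DLL or no CLSID."""
    found = []
    for line in log_text.splitlines():
        m = BHO_RE.match(line.strip())
        if not m:
            continue
        target = m.group("target")
        if target.startswith("File not found"):
            found.append((m.group("name"), m.group("clsid"), "dll missing"))
        elif target.startswith("No CLSID value found"):
            found.append((m.group("name"), m.group("clsid"), "clsid missing"))
    return found


def shell_spawning_entries(extras_text):
    """Yield non-empty lines between the Shell Spawning header and the next header."""
    in_section = False
    for line in extras_text.splitlines():
        s = line.strip()
        if s.startswith("=========="):
            in_section = "Shell Spawning" in s
            continue
        if in_section and s:
            yield s


def check_shell_spawning(extras_text):
    """Return ((class, verb), reason, command) for handlers worth a second look.

    Missing keys are reported as informational only: some verbs may not exist
    on a default install, in which case OTL prints "Reg Error: Key error.".
    """
    findings = []
    for entry in shell_spawning_entries(extras_text):
        m = SHELL_RE.match(entry)
        if not m:
            continue  # the [HKEY_LOCAL_MACHINE\...] header line
        key = (m.group("cls"), m.group("verb"))
        cmd = m.group("cmd")
        if cmd.startswith("Reg Error"):
            findings.append((key, "key missing (informational)", cmd))
        elif key in XP_SHELL_DEFAULTS and cmd != XP_SHELL_DEFAULTS[key]:
            findings.append((key, "non-default handler", cmd))
    return findings


if __name__ == "__main__":
    for name, clsid, reason in orphaned_bhos(SAMPLE_OTL):
        print(f"orphaned BHO: {name} {clsid} ({reason})")
    for (cls, verb), reason, cmd in check_shell_spawning(SAMPLE_EXTRAS):
        print(f"{cls} [{verb}]: {reason}: {cmd}")
```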
  24. mpete

    mpete TS Rookie Topic Starter Posts: 50

    All processes killed
    ========== OTL ==========
    Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0FB6A909-6086-458F-BD92-1F8EE10042A0}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0FB6A909-6086-458F-BD92-1F8EE10042A0}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5C255C8A-E604-49b4-9D64-90988571CECB}\ not found.
    Registry value HKEY_USERS\S-1-5-21-3546639218-2641362338-365077101-1008\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}\ not found.
    Starting removal of ActiveX control {8FFBE65D-2C9C-4669-84BD-5829DC0B603C}
    C:\WINDOWS\Downloaded Program Files\erma.inf moved successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
    C:\Documents and Settings\HP_Administrator\My Documents\savDBE.tmp deleted successfully.
    C:\WINDOWS\Nrusupotovunikan.bin moved successfully.
    C:\WINDOWS\Ybaheqij.dat moved successfully.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: Administrator
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: All Users

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: HP_Administrator
    ->Temp folder emptied: 11539407 bytes
    ->Temporary Internet Files folder emptied: 15510048 bytes
    ->Java cache emptied: 1970 bytes
    ->Flash cache emptied: 1072 bytes

    User: LocalService
    ->Temp folder emptied: 65748 bytes
    ->Temporary Internet Files folder emptied: 16786 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 32902 bytes
    ->Flash cache emptied: 0 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 1095563 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 90 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
    RecycleBin emptied: 443762969 bytes

    Total Files Cleaned = 450.00 mb


    [EMPTYFLASH]

    User: Administrator

    User: All Users

    User: Default User

    User: HP_Administrator
    ->Flash cache emptied: 0 bytes

    User: LocalService

    User: NetworkService
    ->Flash cache emptied: 0 bytes

    Total Flash Files Cleaned = 0.00 mb


    OTL by OldTimer - Version 3.2.22.3 log created on 04012011_173350

    Files\Folders moved on Reboot...
    C:\Documents and Settings\HP_Administrator\Local Settings\Temp\IadHide5.dll moved successfully.
    C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\X4JQE8HI\crosspixel-dest[1].htm moved successfully.
    C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\I326A0IF\topic163160-2[2].htm moved successfully.
    C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\37TXQXIB\sh36[1].htm moved successfully.
    C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\AntiPhishing\A0AB7674-8D67-4F4D-B5E1-96FAEADFB79D.dat moved successfully.

    Registry entries deleted on Reboot...
     
  25. mpete

    mpete TS Rookie Topic Starter Posts: 50

    Results of screen317's Security Check version 0.99.7
    Windows XP Service Pack 3
    Internet Explorer 7 Out of date!
    ``````````````````````````````
    Antivirus/Firewall Check:

    Windows Firewall Enabled!
    Avira AntiVir Personal - Free Antivirus
    ESET Online Scanner v3
    Antivirus up to date!
    ```````````````````````````````
    Anti-malware/Other Utilities Check:

    Malwarebytes' Anti-Malware
    Java(TM) 6 Update 24
    Java(TM) 6 Update 7
    Out of date Java installed!
    Adobe Flash Player
    Adobe Reader 9.4.1
    Out of date Adobe Reader installed!
    ````````````````````````````````
    Process Check:
    objlist.exe by Laurent

    Avira Antivir avgnt.exe
    Avira Antivir avguard.exe
    ``````````End of Log````````````
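
As an added example (not code from the thread, OTL or Security Check), a small Python helper that reads an OTL fix log and a Security Check report of the shape posted above and pulls out what a helper reviews by eye: how many fix items were deleted, moved or not found, and which software is flagged out of date. The two log excerpts below are constructed to match the posted format.

```python
import re
from collections import Counter

# Constructed excerpt in the shape of the OTL fix log posted above.
OTL_LOG = r"""
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0FB6A909-6086-458F-BD92-1F8EE10042A0}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5C255C8A-E604-49b4-9D64-90988571CECB}\ not found.
C:\WINDOWS\Nrusupotovunikan.bin moved successfully.
C:\WINDOWS\Ybaheqij.dat moved successfully.
Total Files Cleaned = 450.00 mb
"""

# Constructed excerpt in the shape of the Security Check report posted above.
SECURITY_CHECK = """
Internet Explorer 7 Out of date!
Java(TM) 6 Update 24
Java(TM) 6 Update 7
Out of date Java installed!
Adobe Reader 9.4.1
Out of date Adobe Reader installed!
"""

# One OTL result line: "<item> deleted successfully." / "moved successfully." / "not found."
OTL_RESULT = re.compile(
    r"^(?P<item>.+?) (?P<outcome>deleted successfully|moved successfully|not found)\.$"
)


def summarize_otl(log: str) -> dict:
    """Count fix outcomes and list items OTL reported as 'not found'
    (already gone, or a target worth re-checking in the next scan)."""
    counts = Counter()
    not_found = []
    for line in log.splitlines():
        m = OTL_RESULT.match(line.strip())
        if not m:
            continue  # summary lines such as "Total Files Cleaned" are skipped
        counts[m["outcome"]] += 1
        if m["outcome"] == "not found":
            not_found.append(m["item"])
    return {"counts": dict(counts), "not_found": not_found}


def outdated_software(report: str) -> list:
    """Return the products Security Check flags with 'Out of date'."""
    flagged = []
    for line in report.splitlines():
        s = line.strip()
        if s.startswith("Out of date ") and s.endswith(" installed!"):
            flagged.append(s[len("Out of date "):-len(" installed!")])
        elif s.endswith(" Out of date!"):
            flagged.append(s[:-len(" Out of date!")])
    return flagged
```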
     
Topic Status:
Not open for further replies.
