TechSpot

Tdx.sys infected (Windows 7 Pro) cannot connect to Internet

Solved
By Ryanmon99
Nov 10, 2011
  1. Avast scanned and I moved tdx.sys to the chest. On the next startup, Windows Restore installed and there was no internet access (connects to the network but no internet access).
    I ran ComboFix. The log states that tdx.sys is infected. Windows Restore and the popups are gone.
    Ran Malwarebytes: nothing.
    EDIT: tdssKiller: nothing.

    Logs to follow...

    Thanks in advance!
     
  2. Ryanmon99

    Ryanmon99 TS Rookie Topic Starter Posts: 25

    Combo Fix

    ComboFix 11-11-09.01 - Ryan 11/10/2011 0:35.1.2 - x86
    Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.2038.1173 [GMT -8:00]
    Running from: I:\ComboFix.exe
    AV: avast! Antivirus *Enabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
    SP: avast! Antivirus *Enabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
    SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    * Created a new restore point
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\program files\Hotspot Shield\HssIE\HsSIe.dll
    c:\program files\RelevantKnowledge
    c:\program files\RelevantKnowledge\shfscp.dat
    c:\programdata\haYmxJzJarJdVt.exe
    c:\programdata\HygiitgmpfdQHsG.exe
    c:\users\Ryan\AppData\Roaming\Google\Google Talk\googletalk.exe /autostart
    c:\users\Ryan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Restore
    c:\users\Ryan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Restore\System Restore.lnk
    c:\users\Ryan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Restore\Uninstall System Restore.lnk
    c:\windows\$NtUninstallKB52242$
    c:\windows\$NtUninstallKB52242$\354499486
    c:\windows\$NtUninstallKB52242$\3607894814\Desktop.ini
    .
    c:\windows\system32\drivers\tdx.sys . . . is infected!! . . . Failed to find a valid replacement.
    .
    ((((((((((((((((((((((((( Files Created from 2011-10-10 to 2011-11-10 )))))))))))))))))))))))))))))))
    .
    .
    2011-11-10 09:04 . 2011-11-10 09:06 -------- d-----w- c:\users\Ryan\AppData\Local\temp
    2011-11-10 09:04 . 2011-11-10 09:04 -------- d-----w- c:\users\Default\AppData\Local\temp
    2011-11-10 08:39 . 2011-11-10 08:39 56200 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{910EA4BF-0BF3-42BF-A195-3BAA38F40F04}\offreg.dll
    2011-11-09 06:35 . 2011-11-09 06:36 -------- d-----w- c:\program files\Microsoft IntelliPoint
    2011-11-09 05:49 . 2011-11-09 05:50 -------- d--h--w- c:\users\Ryan\AppData\Roaming\Mozilla-Cache
    2011-11-09 05:47 . 2011-11-09 05:47 -------- d-----w- C:\Programs
    2011-11-09 03:10 . 2011-09-29 16:03 1290608 ----a-w- c:\windows\system32\drivers\tcpip.sys
    2011-11-09 03:10 . 2011-10-01 04:37 708608 ----a-w- c:\program files\Common Files\System\wab32.dll
    2011-11-09 03:10 . 2011-09-29 03:37 2341888 ----a-w- c:\windows\system32\win32k.sys
    2011-11-09 03:07 . 2011-10-07 03:48 6668624 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{910EA4BF-0BF3-42BF-A195-3BAA38F40F04}\mpengine.dll
    2011-10-15 20:47 . 2011-08-27 04:26 233472 ----a-w- c:\windows\system32\oleacc.dll
    2011-10-15 20:47 . 2011-08-27 04:26 571904 ----a-w- c:\windows\system32\oleaut32.dll
    2011-10-15 20:47 . 2011-08-17 04:19 75776 ----a-w- c:\windows\system32\psisrndr.ax
    2011-10-15 20:47 . 2011-08-17 04:24 465408 ----a-w- c:\windows\system32\psisdecd.dll
    2011-10-15 20:13 . 2011-10-15 20:13 -------- d-----w- c:\program files\iPod
    2011-10-15 20:09 . 2011-10-15 20:09 -------- d-----w- c:\program files\Bonjour
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-10-15 20:20 . 2011-06-11 01:23 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-08-31 06:05 . 2011-08-31 06:05 83816 ----a-w- c:\windows\system32\dns-sd.exe
    2011-08-31 06:05 . 2011-08-31 06:05 73064 ----a-w- c:\windows\system32\dnssd.dll
    2011-08-22 03:42 . 2011-08-22 03:42 2829 ----a-w- c:\windows\War3Unin.pif
    2011-08-22 03:42 . 2011-08-22 03:42 126976 ----a-w- c:\windows\War3Unin.exe
    2011-11-05 06:53 . 2011-04-13 05:08 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
    2009-04-02 20:47 333192 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2009-04-02 333192]
    .
    [HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
    [HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]
    .
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2009-04-02 333192]
    .
    [HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
    [HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
    @="{472083B0-C522-11CF-8763-00608CC02F24}"
    [HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
    2011-05-10 12:10 122512 ----a-w- c:\program files\Alwil Software\Avast5\ashShell.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
    @="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
    2011-02-18 05:12 94208 ---ha-w- c:\users\Ryan\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
    @="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
    2011-02-18 05:12 94208 ---ha-w- c:\users\Ryan\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
    @="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
    2011-02-18 05:12 94208 ---ha-w- c:\users\Ryan\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1174016]
    "googletalk"="c:\users\Ryan\AppData\Roaming\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
    "MusicManager"="c:\users\Ryan\AppData\Local\Programs\Google\MusicManager\MusicManager.exe" [2011-09-14 13128704]
    "AlcoholAutomount"="c:\program files\Alcohol Soft\Alcohol 52\AxAutoMntSrv.exe" [2010-08-20 33120]
    "TomTomHOME.exe"="c:\program files\TomTom HOME 2\TomTomHOMERunner.exe" [2011-04-22 247728]
    "iCloudServices"="c:\program files\Common Files\Apple\Internet Services\iCloudServices.exe" [2011-10-06 59240]
    "ApplePhotoStreams"="c:\program files\Common Files\Apple\Internet Services\ApplePhotoStreams.exe" [2011-09-29 59240]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Apoint"="c:\program files\Apoint\Apoint.exe" [2008-06-18 122880]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-09-24 141848]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-09-24 173592]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2009-09-24 150552]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-09-07 37296]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
    "APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-07-06 421888]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-10-10 421736]
    "IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2011-08-01 1821576]
    .
    c:\users\Ryan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    Dropbox.lnk - c:\users\Ryan\AppData\Roaming\Dropbox\bin\Dropbox.exe [2011-8-22 24182896]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 5 (0x5)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)
    "PromptOnSecureDesktop"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "aux"=wdmaud.drv
    .
    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^WDDMStatus.lnk]
    path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\WDDMStatus.lnk
    backup=c:\windows\pss\WDDMStatus.lnk.CommonStartup
    backupExtension=.CommonStartup
    .
    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^WDSmartWare.lnk]
    path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\WDSmartWare.lnk
    backup=c:\windows\pss\WDSmartWare.lnk.CommonStartup
    backupExtension=.CommonStartup
    .
    [HKLM\~\startupfolder\C:^Users^Ryan^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
    path=c:\users\Ryan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LimeWire On Startup.lnk
    backup=c:\windows\pss\LimeWire On Startup.lnk.Startup
    backupExtension=.Startup
    .
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2009-12-27 135664]
    R2 hshld;Hotspot Shield Service;c:\program files\Hotspot Shield\bin\openvpnas.exe [2011-03-25 271408]
    R3 dc3d;MS Hardware Device Detection Driver;c:\windows\system32\DRIVERS\dc3d.sys [2011-05-18 40320]
    R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2009-12-27 135664]
    R3 Netaapl;Apple Mobile Device Ethernet Service;c:\windows\system32\DRIVERS\netaapl.sys [2010-04-20 18432]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-03-12 1343400]
    R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam.sys [2009-02-13 11520]
    S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2011-07-25 436792]
    S1 aswSnx;aswSnx; [x]
    S1 aswSP;aswSP; [x]
    S2 ASKService;ASKService;c:\program files\AskBarDis\bar\bin\AskService.exe [2009-04-02 464264]
    S2 ASKUpgrade;ASKUpgrade;c:\program files\AskBarDis\bar\bin\ASKUpgrade.exe [2009-04-02 234888]
    S2 aswFsBlk;aswFsBlk; [x]
    S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2011-05-10 53592]
    S2 ccXgui;ccXgui;c:\program files\ccxgui\ccXservice.exe [2004-04-23 173568]
    S2 HssWd;Hotspot Shield Monitoring Service;c:\program files\Hotspot Shield\bin\hsswd.exe [2010-10-15 326704]
    S2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [2011-04-22 92592]
    S2 WDDMService;WD SmartWare Drive Manager;c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe [2009-08-17 98304]
    S2 WDSmartWareBackgroundService;WD SmartWare Background Service;c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe [2009-06-16 20480]
    S3 netw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [2009-07-13 4231168]
    S3 SFEP;Sony Firmware Extension Parser;c:\windows\system32\DRIVERS\SFEP.sys [2007-08-03 9344]
    S3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL3.SYS [2009-07-13 207360]
    S3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV3.SYS [2009-07-13 980992]
    S3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT3.SYS [2009-07-13 661504]
    S3 ti21sony;ti21sony;c:\windows\system32\drivers\ti21sony.sys [2007-06-05 812544]
    S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x86.sys [2009-07-13 311296]
    .
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-11-10 c:\windows\Tasks\Google Software Updater.job
    - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-12-27 00:22]
    .
    2011-11-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-12-27 18:49]
    .
    2011-11-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-12-27 18:49]
    .
    2011-11-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1148415063-2950945713-2109174141-1000Core.job
    - c:\users\Ryan\AppData\Local\Google\Update\GoogleUpdate.exe [2010-08-27 03:20]
    .
    2011-11-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1148415063-2950945713-2109174141-1000UA.job
    - c:\users\Ryan\AppData\Local\Google\Update\GoogleUpdate.exe [2010-08-27 03:20]
    .
    .
    ------- Supplementary Scan -------
    .
    uInternet Settings,ProxyOverride = localhost;127.0.0.1;*.local
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
    TCP: DhcpNameServer = 192.168.1.254 199.185.220.254
    FF - ProfilePath - c:\users\Ryan\AppData\Roaming\Mozilla\Firefox\Profiles\pp9zcygj.default\
    FF - prefs.js: browser.startup.homepage - hxxp://m.us.yahoo.com/
    .
    - - - - ORPHANS REMOVED - - - -
    .
    HKCU-Run-ares - c:\program files\Ares\Ares.exe
    HKCU-Run-HygiitgmpfdQHsG.exe - c:\programdata\HygiitgmpfdQHsG.exe
    .
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'Explorer.exe'(3236)
    c:\users\Ryan\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
    c:\program files\WinSCP\DragExt.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Alwil Software\Avast5\AvastSvc.exe
    c:\windows\system32\taskhost.exe
    c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Hotspot Shield\HssWPR\hsssrv.exe
    c:\program files\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe
    c:\windows\system32\WUDFHost.exe
    c:\windows\system32\conhost.exe
    c:\program files\Windows Media Player\wmpnetwk.exe
    c:\windows\system32\DllHost.exe
    .
    **************************************************************************
    .
    Completion time: 2011-11-10 01:22:55 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-11-10 09:22
    .
    Pre-Run: 4,349,894,656 bytes free
    Post-Run: 5,066,555,392 bytes free
    .
    - - End Of File - - 2E06E2386BDC6B1B6E1698C897528BE4
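An added triage helper for this kind of ComboFix log (my own example, not part of ComboFix or of anything posted in this thread): it splits the log into its banner sections, pulls out the "is infected" line together with whether ComboFix found a replacement, and flags deleted files and autorun entries whose target is an executable dropped straight into ProgramData or an AppData root. The embedded sample is constructed from lines of the log above, and the bare-drop heuristic is an assumption of this example, not a ComboFix rule.

```python
import re
from collections import defaultdict

# Constructed excerpt modelled on the ComboFix log posted above (trimmed).
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\program files\RelevantKnowledge
c:\programdata\haYmxJzJarJdVt.exe
c:\programdata\HygiitgmpfdQHsG.exe
c:\users\Ryan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Restore\System Restore.lnk
.
c:\windows\system32\drivers\tdx.sys . . . is infected!! . . . Failed to find a valid replacement.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1174016]
"googletalk"="c:\users\Ryan\AppData\Roaming\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-ares - c:\program files\Ares\Ares.exe
HKCU-Run-HygiitgmpfdQHsG.exe - c:\programdata\HygiitgmpfdQHsG.exe
.
"""

# "<path> . . . is infected!! . . . <note>": ComboFix's line for a patched system file.
INFECTED_RE = re.compile(
    r"^(?P<path>.+?)\s+\. \. \. is infected!!(?:\s+\. \. \.\s*(?P<note>.+?))?\s*$"
)
# '"name"="path" [date size]' under a Run key.
RUN_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"')
# 'HKCU-Run-name - path' in the ORPHANS REMOVED block.
ORPHAN_RE = re.compile(r"^(?P<key>\S+) - (?P<path>.+)$")
# Heuristic (an assumption of this example, not a ComboFix rule): an executable
# sitting directly in ProgramData, a user's Temp, or an AppData root rather than
# in a vendor subfolder deserves a second look.
BARE_DROP_RE = re.compile(
    r"^c:\\(?:programdata|users\\[^\\]+\\appdata\\(?:local\\temp|local|roaming))"
    r"\\[^\\]+\.(?:exe|dll|sys)$",
    re.IGNORECASE,
)


def split_sections(log: str) -> dict:
    """Group log lines under the banner that precedes them.

    Banners look like '(((( Name ))))', '---- Name ----' or '- - - - Name - - - -'.
    ComboFix pads blocks with lone '.' lines; those are dropped.
    """
    sections = defaultdict(list)
    current = "Header"
    for raw in log.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        if line.startswith(("(((", "---", "- - - -")):
            current = line.strip("()- ")
            continue
        sections[current].append(line)
    return dict(sections)


def infected_files(sections: dict) -> list:
    """Each file ComboFix reported as infected, and whether it managed to replace it."""
    hits = []
    for line in sections.get("Other Deletions", []):
        m = INFECTED_RE.match(line)
        if m:
            note = m.group("note") or ""
            hits.append({"path": m.group("path"), "note": note,
                         "replaced": not note.lower().startswith("failed")})
    return hits


def dropped_executables(sections: dict) -> list:
    """Deleted files whose path matches the bare-drop heuristic."""
    return [line for line in sections.get("Other Deletions", [])
            if BARE_DROP_RE.match(line)]


def flagged_autoruns(sections: dict) -> list:
    """Run-key values and removed orphans whose target matches the heuristic."""
    flagged = []
    for line in sections.get("Reg Loading Points", []):
        m = RUN_VALUE_RE.match(line)
        if m and BARE_DROP_RE.match(m.group("path")):
            flagged.append((m.group("name"), m.group("path")))
    for line in sections.get("ORPHANS REMOVED", []):
        m = ORPHAN_RE.match(line)
        if m and BARE_DROP_RE.match(m.group("path")):
            flagged.append((m.group("key"), m.group("path")))
    return flagged


if __name__ == "__main__":
    found = split_sections(SAMPLE_LOG)
    print("infected:", infected_files(found))
    print("dropped:", dropped_executables(found))
    print("autoruns:", flagged_autoruns(found))
```

On the sample this reports tdx.sys as infected with no valid replacement found, the two random-named executables dropped in ProgramData, and the orphaned Run value that launched one of them.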
     
  3. Ryanmon99

    mbam log

    Malwarebytes' Anti-Malware 1.51.2.1300
    www.malwarebytes.org

    Database version: 7622

    Windows 6.1.7601 Service Pack 1
    Internet Explorer 8.0.7601.17514

    11/10/2011 12:07:24 PM
    mbam-log-2011-11-10 (12-07-24).txt

    Scan type: Quick scan
    Objects scanned: 164436
    Time elapsed: 7 minute(s), 21 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)
     
  4. Ryanmon99

    GMER Log

    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit scan 2011-11-10 13:27:48
    Windows 6.1.7601 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-4 Hitachi_HTS542516K9SA00 rev.BBCOC3BP
    Running: rnmk5gkv.exe; Driver: C:\Users\Ryan\AppData\Local\Temp\kxldrpog.sys


    ---- System - GMER 1.0.15 ----

    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwAddBootEntry [0x8E226202]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwAllocateVirtualMemory [0x8E8FCCB2]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEvent [0x8E22881C]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEventPair [0x8E228874]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateIoCompletion [0x8E22898A]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateMutant [0x8E228772]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSection [0x8E2288C4]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSemaphore [0x8E2287C6]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateTimer [0x8E228938]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteBootEntry [0x8E226226]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwFreeVirtualMemory [0x8E8FCD62]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwLoadDriver [0x8E225FF0]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwModifyBootEntry [0x8E22624A]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeKey [0x8E228D82]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeMultipleKeys [0x8E226CDA]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEvent [0x8E22884C]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEventPair [0x8E22889C]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenIoCompletion [0x8E2289B4]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenMutant [0x8E22879E]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSection [0x8E228904]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSemaphore [0x8E2287F4]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenTimer [0x8E228962]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwProtectVirtualMemory [0x8E8FCDFA]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryObject [0x8E226BA0]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootEntryOrder [0x8E22626E]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootOptions [0x8E226292]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemInformation [0x8E22604A]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemPowerState [0x8E226186]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwShutdownSystem [0x8E226162]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSystemDebugControl [0x8E2261AA]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwVdmControl [0x8E2262B6]

    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0x8E912902]
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject

    ---- Kernel code sections - GMER 1.0.15 ----

    .text ntkrnlpa.exe!ZwSaveKey + 13D1 82A86349 1 Byte [06]
    .text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82ABFD52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
    .text ntkrnlpa.exe!KeRemoveQueueEx + 10CB 82AC6D80 4 Bytes [02, 62, 22, 8E]
    .text ntkrnlpa.exe!KeRemoveQueueEx + 10F3 82AC6DA8 4 Bytes [B2, CC, 8F, 8E]
    .text ntkrnlpa.exe!KeRemoveQueueEx + 11A7 82AC6E5C 8 Bytes [1C, 88, 22, 8E, 74, 88, 22, ...] {SBB AL, 0x88; AND CL, [ESI-0x71dd778c]}
    .text ntkrnlpa.exe!KeRemoveQueueEx + 11B3 82AC6E68 4 Bytes [8A, 89, 22, 8E]
    .text ntkrnlpa.exe!KeRemoveQueueEx + 11CF 82AC6E84 4 Bytes [72, 87, 22, 8E]
    .text ...
    PAGE ntkrnlpa.exe!ObMakeTemporaryObject 82C53BE8 5 Bytes JMP 8E90E2BE \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
    PAGE ntkrnlpa.exe!ObInsertObject + 27 82C6C1B8 5 Bytes JMP 8E90FD74 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
    PAGE ntkrnlpa.exe!ZwReplyWaitReceivePortEx + 108 82C812FF 4 Bytes CALL 8E22734B \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
    PAGE ntkrnlpa.exe!ZwAlpcSendWaitReceivePort + 122 82C9B0D1 4 Bytes CALL 8E227361 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
    PAGE ntkrnlpa.exe!ZwCreateProcessEx 82D24F10 7 Bytes JMP 8E912906 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
    .text sptd.sys 888AF000 8 Bytes [34, E2, A1, 82, A0, 47, A1, ...]
    .text sptd.sys 888AF009 23 Bytes [47, A1, 82, 48, 6B, A1, 82, ...]
    .text sptd.sys 888AF024 4 Bytes [44, E5, 9D, 88]
    .text sptd.sys 888AF02C 100 Bytes [39, D6, CA, 82, 48, 99, C2, ...]
    .text sptd.sys 888AF091 87 Bytes [45, A8, 82, 15, F5, A7, 82, ...]
    .text ...
    .sptd2 C:\Windows\System32\Drivers\sptd.sys entry point in ".sptd2" section [0x889A6D38]
    ? C:\Windows\System32\Drivers\sptd.sys The process cannot access the file because it is being used by another process.
    .text USBPORT.SYS!DllUnload 8E9A3DB9 5 Bytes JMP 85A5E410
    .text ayfuhx4w.SYS 94D95000 12 Bytes [44, 68, A1, 82, EE, 66, A1, ...]
    .text ayfuhx4w.SYS 94D9500D 189 Bytes [47, A1, 82, 48, 6B, A1, 82, ...]
    .text ayfuhx4w.SYS 94D950CB 285 Bytes [00, 00, 00, 00, 00, 00, 00, ...]
    .text ayfuhx4w.SYS 94D951E9 470 Bytes [F8, 5C, 3A, 5E, 7C, 5F, BE, ...]
    .text ayfuhx4w.SYS 94D953C0 99 Bytes [57, 80, 56, 30, 54, E0, 55, ...]
    .text ...
    .text peauth.sys AF161C9D 28 Bytes [44, CE, 65, D4, E8, C5, 2F, ...]
    .text peauth.sys AF161CC1 28 Bytes [44, CE, 65, D4, E8, C5, 2F, ...]
    .text user32.dll!UnhookWindowsHookEx 75B4ADF9 5 Bytes [E9, 0A, 5C, 6E, 8A] {JMP 0xffffffff8a6e5c0f}
    .text user32.dll!UnhookWinEvent 75B4B750 5 Bytes [E9, A7, 4C, 6E, 8A] {JMP 0xffffffff8a6e4cac}
    .text user32.dll!SetWindowsHookExW 75B4E30C 5 Bytes [E9, F3, 24, 6E, 8A] {JMP 0xffffffff8a6e24f8}
    .text user32.dll!SetWinEventHook 75B524DC 5 Bytes [E9, 17, DD, 6D, 8A] {JMP 0xffffffff8a6ddd1c}
    .text user32.dll!SetWindowsHookExA 75B76D0C 5 Bytes [E9, EF, 98, 6B, 8A] {JMP 0xffffffff8a6b98f4}
    .text kernel32.dll!GetBinaryTypeW + 70 75A169F4 1 Byte [62]

    ---- User code sections - GMER 1.0.15 ----

    .text C:\Windows\system32\csrss.exe[408] kernel32.dll!GetBinaryTypeW + 70 75A169F4 1 Byte [62]
    .text C:\Windows\system32\wininit.exe[460] ntdll.dll!LdrUnloadDll 773AC8DE 5 Bytes JMP 000303FC
    .text C:\Windows\system32\wininit.exe[460] ntdll.dll!LdrLoadDll 773B22B8 5 Bytes JMP 000301F8
    .text C:\Windows\system32\wininit.exe[460] kernel32.dll!GetBinaryTypeW + 70 75A169F4 1 Byte [62]
    .text C:\Windows\system32\wininit.exe[460] USER32.dll!UnhookWindowsHookEx 75B4ADF9 5 Bytes JMP 001C0A08
    .text C:\Windows\system32\wininit.exe[460] USER32.dll!UnhookWinEvent 75B4B750 5 Bytes JMP 001C03FC
    .text C:\Windows\system32\wininit.exe[460] USER32.dll!SetWindowsHookExW 75B4E30C 5 Bytes JMP 001C0804
    .text C:\Windows\system32\wininit.exe[460] USER32.dll!SetWinEventHook 75B524DC 5 Bytes JMP 001C01F8
    .text C:\Windows\system32\wininit.exe[460] USER32.dll!SetWindowsHookExA 75B76D0C 5 Bytes JMP 001C0600
    .text C:\Windows\system32\csrss.exe[468] kernel32.dll!GetBinaryTypeW + 70 75A169F4 1 Byte [62]
    .text C:\Windows\system32\services.exe[520] ntdll.dll!LdrUnloadDll 773AC8DE 5 Bytes JMP 000603FC
    .text C:\Windows\system32\services.exe[520] ntdll.dll!LdrLoadDll 773B22B8 5 Bytes JMP 000601F8
    .text C:\Windows\system32\services.exe[520] kernel32.dll!GetBinaryTypeW + 70 75A169F4 1 Byte [62]
    .text C:\Windows\system32\winlogon.exe[544] ntdll.dll!LdrUnloadDll 773AC8DE 5 Bytes JMP 000303FC
    .text C:\Windows\system32\winlogon.exe[544] ntdll.dll!LdrLoadDll 773B22B8 5 Bytes JMP 000301F8
    .text C:\Windows\system32\winlogon.exe[544] kernel32.dll!GetBinaryTypeW + 70 75A169F4 1 Byte [62]
    .text C:\Windows\system32\winlogon.exe[544] USER32.dll!UnhookWindowsHookEx 75B4ADF9 5 Bytes JMP 000C0A08
    .text C:\Windows\system32\winlogon.exe[544] USER32.dll!UnhookWinEvent 75B4B750 5 Bytes JMP 000C03FC
    .text C:\Windows\system32\winlogon.exe[544] USER32.dll!SetWindowsHookExW 75B4E30C 5 Bytes JMP 000C0804
    .text C:\Windows\system32\winlogon.exe[544] USER32.dll!SetWinEventHook 75B524DC 5 Bytes JMP 000C01F8
    .text C:\Windows\system32\winlogon.exe[544] USER32.dll!SetWindowsHookExA 75B76D0C 5 Bytes JMP 000C0600
    .text C:\Windows\system32\lsass.exe[564] ntdll.dll!LdrUnloadDll 773AC8DE 5 Bytes JMP 000603FC
    .text C:\Windows\system32\lsass.exe[564] ntdll.dll!LdrLoadDll 773B22B8 5 Bytes JMP 000601F8
    .text C:\Windows\system32\lsass.exe[564] kernel32.dll!GetBinaryTypeW + 70 75A169F4 1 Byte [62]
    .text C:\Windows\system32\lsm.exe[580] ntdll.dll!LdrUnloadDll 773AC8DE 5 Bytes JMP 000F03FC
    .text C:\Windows\system32\lsm.exe[580] ntdll.dll!LdrLoadDll 773B22B8 5 Bytes JMP 000F01F8
    .text C:\Windows\system32\lsm.exe[580] kernel32.dll!GetBinaryTypeW + 70 75A169F4 1 Byte [62]
    .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[668] ntdll.dll!LdrUnloadDll 773AC8DE 5 Bytes JMP 000503FC
    .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[668] ntdll.dll!LdrLoadDll 773B22B8 5 Bytes JMP 000501F8
    .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[668] kernel32.dll!GetBinaryTypeW + 70 75A169F4 1 Byte [62]
    .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[668] USER32.dll!UnhookWindowsHookEx 75B4ADF9 5 Bytes JMP 00080A08
    .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[668] USER32.dll!UnhookWinEvent 75B4B750 5 Bytes JMP 000803FC
    .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[668] USER32.dll!SetWindowsHookExW 75B4E30C 5 Bytes JMP 00080804
    .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[668] USER32.dll!SetWinEventHook 75B524DC 5 Bytes JMP 000801F8
    .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[668] USER32.dll!SetWindowsHookExA 75B76D0C 5 Bytes JMP 00080600
    .text C:\Windows\system32\svchost.exe[676] ntdll.dll!LdrUnloadDll 773AC8DE 5 Bytes JMP 000603FC
    .text C:\Windows\system32\svchost.exe[676] ntdll.dll!LdrLoadDll 773B22B8 5 Bytes JMP 000601F8
    .text C:\Windows\system32\svchost.exe[676] kernel32.dll!GetBinaryTypeW + 70 75A169F4 1 Byte [62]
    .text C:\Windows\system32\svchost.exe[764] ntdll.dll!LdrUnloadDll 773AC8DE 5 Bytes JMP 000603FC
    .text C:\Windows\system32\svchost.exe[764] ntdll.dll!LdrLoadDll 773B22B8 5 Bytes JMP 000601F8
    .text C:\Windows\system32\svchost.exe[764] kernel32.dll!GetBinaryTypeW + 70 75A169F4 1 Byte [62]
    .text C:\Windows\System32\svchost.exe[856] ntdll.dll!LdrUnloadDll 773AC8DE 5 Bytes JMP 000603FC
    .text C:\Windows\System32\svchost.exe[856] ntdll.dll!LdrLoadDll 773B22B8 5 Bytes JMP 000601F8
    .text C:\Windows\System32\svchost.exe[856] kernel32.dll!GetBinaryTypeW + 70 75A169F4 1 Byte [62]
    .text C:\Windows\System32\svchost.exe[856] USER32.dll!UnhookWindowsHookEx 75B4ADF9 5 Bytes JMP 00230A08
    .text C:\Windows\System32\svchost.exe[856] USER32.dll!UnhookWinEvent 75B4B750 5 Bytes JMP 002303FC
    .text C:\Windows\System32\svchost.exe[856] USER32.dll!SetWindowsHookExW 75B4E30C 5 Bytes JMP 00230804
    .text C:\Windows\System32\svchost.exe[856] USER32.dll!SetWinEventHook 75B524DC 5 Bytes JMP 002301F8
     
  5. Ryanmon99

    Ryanmon99 TS Rookie Topic Starter Posts: 25

    GMER Log 2

    .text C:\Windows\system32\SearchIndexer.exe[3308] ntdll.dll!LdrLoadDll 773B22B8 5 Bytes JMP 000601F8
    .text C:\Windows\system32\SearchIndexer.exe[3308] kernel32.dll!GetBinaryTypeW + 70 75A169F4 1 Byte [62]
    .text C:\Windows\system32\SearchIndexer.exe[3308] USER32.dll!UnhookWindowsHookEx 75B4ADF9 5 Bytes JMP 00100A08
    .text C:\Windows\system32\SearchIndexer.exe[3308] USER32.dll!UnhookWinEvent 75B4B750 5 Bytes JMP 001003FC
    .text C:\Windows\system32\SearchIndexer.exe[3308] USER32.dll!SetWindowsHookExW 75B4E30C 5 Bytes JMP 00100804
    .text C:\Windows\system32\SearchIndexer.exe[3308] USER32.dll!SetWinEventHook 75B524DC 5 Bytes JMP 001001F8
    .text C:\Windows\system32\SearchIndexer.exe[3308] USER32.dll!SetWindowsHookExA 75B76D0C 5 Bytes JMP 00100600
    .text C:\Program Files\iPod\bin\iPodService.exe[3400] ntdll.dll!LdrUnloadDll 773AC8DE 5 Bytes JMP 000603FC
    .text C:\Program Files\iPod\bin\iPodService.exe[3400] ntdll.dll!LdrLoadDll 773B22B8 5 Bytes JMP 000601F8
    .text C:\Program Files\iPod\bin\iPodService.exe[3400] kernel32.dll!GetBinaryTypeW + 70 75A169F4 1 Byte [62]
    .text C:\Program Files\iPod\bin\iPodService.exe[3400] USER32.dll!UnhookWindowsHookEx 75B4ADF9 5 Bytes JMP 00200A08
    .text C:\Program Files\iPod\bin\iPodService.exe[3400] USER32.dll!UnhookWinEvent 75B4B750 5 Bytes JMP 002003FC
    .text C:\Program Files\iPod\bin\iPodService.exe[3400] USER32.dll!SetWindowsHookExW 75B4E30C 5 Bytes JMP 00200804
    .text C:\Program Files\iPod\bin\iPodService.exe[3400] USER32.dll!SetWinEventHook 75B524DC 5 Bytes JMP 002001F8
    .text C:\Program Files\iPod\bin\iPodService.exe[3400] USER32.dll!SetWindowsHookExA 75B76D0C 5 Bytes JMP 00200600
    .text C:\Windows\system32\AUDIODG.EXE[3500] kernel32.dll!GetBinaryTypeW + 70 75A169F4 1 Byte [62]
    .text C:\Windows\system32\WUDFHost.exe[3520] ntdll.dll!LdrUnloadDll 773AC8DE 5 Bytes JMP 000A03FC
    .text C:\Windows\system32\WUDFHost.exe[3520] ntdll.dll!LdrLoadDll 773B22B8 5 Bytes JMP 000A01F8
    .text C:\Windows\system32\WUDFHost.exe[3520] kernel32.dll!GetBinaryTypeW + 70 75A169F4 1 Byte [62]
    .text C:\Windows\system32\WUDFHost.exe[3520] USER32.dll!UnhookWindowsHookEx 75B4ADF9 5 Bytes JMP 00140A08
    .text C:\Windows\system32\WUDFHost.exe[3520] USER32.dll!UnhookWinEvent 75B4B750 5 Bytes JMP 001403FC
    .text C:\Windows\system32\WUDFHost.exe[3520] USER32.dll!SetWindowsHookExW 75B4E30C 5 Bytes JMP 00140804
    .text C:\Windows\system32\WUDFHost.exe[3520] USER32.dll!SetWinEventHook 75B524DC 5 Bytes JMP 001401F8
    .text C:\Windows\system32\WUDFHost.exe[3520] USER32.dll!SetWindowsHookExA 75B76D0C 5 Bytes JMP 00140600
    .text C:\Program Files\Apoint\ApMsgFwd.exe[3768] ntdll.dll!LdrUnloadDll 773AC8DE 5 Bytes JMP 001603FC
    .text C:\Program Files\Apoint\ApMsgFwd.exe[3768] ntdll.dll!LdrLoadDll 773B22B8 5 Bytes JMP 001601F8
    .text C:\Program Files\Apoint\ApMsgFwd.exe[3768] kernel32.dll!GetBinaryTypeW + 70 75A169F4 1 Byte [62]
    .text C:\Program Files\Apoint\ApMsgFwd.exe[3768] USER32.dll!UnhookWindowsHookEx 75B4ADF9 5 Bytes JMP 001F0A08
    .text C:\Program Files\Apoint\ApMsgFwd.exe[3768] USER32.dll!UnhookWinEvent 75B4B750 5 Bytes JMP 001F03FC
    .text C:\Program Files\Apoint\ApMsgFwd.exe[3768] USER32.dll!SetWindowsHookExW 75B4E30C 5 Bytes JMP 001F0804
    .text C:\Program Files\Apoint\ApMsgFwd.exe[3768] USER32.dll!SetWinEventHook 75B524DC 5 Bytes JMP 001F01F8
    .text C:\Program Files\Apoint\ApMsgFwd.exe[3768] USER32.dll!SetWindowsHookExA 75B76D0C 5 Bytes JMP 001F0600
    .text C:\Program Files\Apoint\Apntex.exe[3800] ntdll.dll!LdrUnloadDll 773AC8DE 5 Bytes JMP 001503FC
    .text C:\Program Files\Apoint\Apntex.exe[3800] ntdll.dll!LdrLoadDll 773B22B8 5 Bytes JMP 001501F8
    .text C:\Program Files\Apoint\Apntex.exe[3800] kernel32.dll!GetBinaryTypeW + 70 75A169F4 1 Byte [62]
    .text C:\Program Files\Apoint\Apntex.exe[3800] USER32.dll!UnhookWindowsHookEx 75B4ADF9 5 Bytes JMP 00170A08
    .text C:\Program Files\Apoint\Apntex.exe[3800] USER32.dll!UnhookWinEvent 75B4B750 5 Bytes JMP 001703FC
    .text C:\Program Files\Apoint\Apntex.exe[3800] USER32.dll!SetWindowsHookExW 75B4E30C 5 Bytes JMP 00170804
    .text C:\Program Files\Apoint\Apntex.exe[3800] USER32.dll!SetWinEventHook 75B524DC 5 Bytes JMP 001701F8
    .text C:\Program Files\Apoint\Apntex.exe[3800] USER32.dll!SetWindowsHookExA 75B76D0C 5 Bytes JMP 00170600
    .text C:\Windows\system32\conhost.exe[3820] ntdll.dll!LdrUnloadDll 773AC8DE 5 Bytes JMP 000703FC
    .text C:\Windows\system32\conhost.exe[3820] ntdll.dll!LdrLoadDll 773B22B8 5 Bytes JMP 000701F8
    .text C:\Windows\system32\conhost.exe[3820] kernel32.dll!GetBinaryTypeW + 70 75A169F4 1 Byte [62]
    .text C:\Windows\system32\conhost.exe[3820] USER32.dll!UnhookWindowsHookEx 75B4ADF9 5 Bytes JMP 00100A08
    .text C:\Windows\system32\conhost.exe[3820] USER32.dll!UnhookWinEvent 75B4B750 5 Bytes JMP 001003FC
    .text C:\Windows\system32\conhost.exe[3820] USER32.dll!SetWindowsHookExW 75B4E30C 5 Bytes JMP 00100804
    .text C:\Windows\system32\conhost.exe[3820] USER32.dll!SetWinEventHook 75B524DC 5 Bytes JMP 001001F8
    .text C:\Windows\system32\conhost.exe[3820] USER32.dll!SetWindowsHookExA 75B76D0C 5 Bytes JMP 00100600
    .text C:\Windows\system32\SearchProtocolHost.exe[3900] ntdll.dll!LdrUnloadDll 773AC8DE 5 Bytes JMP 000503FC
    .text C:\Windows\system32\SearchProtocolHost.exe[3900] ntdll.dll!LdrLoadDll 773B22B8 5 Bytes JMP 000501F8
    .text C:\Windows\system32\SearchProtocolHost.exe[3900] kernel32.dll!GetBinaryTypeW + 70 75A169F4 1 Byte [62]
    .text C:\Windows\system32\SearchProtocolHost.exe[3900] USER32.dll!UnhookWindowsHookEx 75B4ADF9 5 Bytes JMP 00130A08
    .text C:\Windows\system32\SearchProtocolHost.exe[3900] USER32.dll!UnhookWinEvent 75B4B750 5 Bytes JMP 001303FC
    .text C:\Windows\system32\SearchProtocolHost.exe[3900] USER32.dll!SetWindowsHookExW 75B4E30C 5 Bytes JMP 00130804
    .text C:\Windows\system32\SearchProtocolHost.exe[3900] USER32.dll!SetWinEventHook 75B524DC 5 Bytes JMP 001301F8
    .text C:\Windows\system32\SearchProtocolHost.exe[3900] USER32.dll!SetWindowsHookExA 75B76D0C 5 Bytes JMP 00130600

    ---- Kernel IAT/EAT - GMER 1.0.15 ----

    IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [888B00C0] \SystemRoot\System32\Drivers\sptd.sys
    IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [888B0FE0] \SystemRoot\System32\Drivers\sptd.sys
    IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUlong] [888B0574] \SystemRoot\System32\Drivers\sptd.sys
    IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [888B11BC] \SystemRoot\System32\Drivers\sptd.sys
    IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [888B0362] \SystemRoot\System32\Drivers\sptd.sys
    IAT \SystemRoot\System32\Drivers\ayfuhx4w.SYS[USBD.SYS!USBD_CreateConfigurationRequestEx] 1456B60F

    ---- Devices - GMER 1.0.15 ----

    Device \FileSystem\Ntfs \Ntfs 84A591F8
    Device \FileSystem\fastfat \FatCdrom 87FB01F8
    Device \Driver\usbuhci \Device\USBPDO-0 85BDD430
    Device \Driver\usbuhci \Device\USBPDO-1 85BDD430
    Device \Driver\ACPI_HAL \Device\00000052 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)
    Device \Driver\usbehci \Device\USBPDO-2 85BD91F8
    Device \Driver\usbuhci \Device\USBPDO-3 85BDD430
    Device \Driver\usbuhci \Device\USBPDO-4 85BDD430
    Device \Driver\usbuhci \Device\USBPDO-5 85BDD430
    Device \Driver\usbehci \Device\USBPDO-6 85BD91F8

    AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

    Device \Driver\cdrom \Device\CdRom0 85A9F1F8
    Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 84A561F8
    Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-4 84A561F8
    Device \Driver\atapi \Device\Ide\IdePort0 84A561F8
    Device \Driver\atapi \Device\Ide\IdePort1 84A561F8
    Device \Driver\atapi \Device\Ide\IdePort2 84A561F8
    Device \Driver\msahci \Device\Ide\PciIde1Channel0 84A571F8
    Device \Driver\cdrom \Device\CdRom1 85A9F1F8
     
  6. Ryanmon99

    Ryanmon99 TS Rookie Topic Starter Posts: 25

    GMER Log 3

    AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

    Device \Driver\cdrom \Device\CdRom2 85A9F1F8

    AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume5 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

    Device \Driver\USBSTOR \Device\00000079 85ABC1F8
    Device \Driver\PCI_PNP0965 \Device\0000005c sptd.sys
    Device \Driver\PCI_PNP0965 \Device\0000005c sptd.sys
    Device \Driver\usbuhci \Device\USBFDO-0 85BDD430
    Device \Driver\USBSTOR \Device\0000007a 85ABC1F8
    Device \Driver\usbuhci \Device\USBFDO-1 85BDD430
    Device \Driver\usbehci \Device\USBFDO-2 85BD91F8
    Device \Driver\usbuhci \Device\USBFDO-3 85BDD430
    Device \Driver\usbuhci \Device\USBFDO-4 85BDD430
    Device \Driver\usbuhci \Device\USBFDO-5 85BDD430
    Device \Driver\usbehci \Device\USBFDO-6 85BD91F8
    Device \Driver\ayfuhx4w \Device\Scsi\ayfuhx4w1Port3Path0Target0Lun0 85CF81F8
    Device \Driver\ayfuhx4w \Device\Scsi\ayfuhx4w1Port3Path0Target1Lun0 85CF81F8
    Device \Driver\ayfuhx4w \Device\Scsi\ayfuhx4w1 85CF81F8
    Device \FileSystem\fastfat \Fat 87FB01F8

    AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s1 771343423
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s2 285507792
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@h0 1
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 52\
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xC4 0x93 0xE1 0x88 ...
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0xA0 0x02 0x00 0x00 ...
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0xBF 0x64 0xFF 0x7A ...
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x5C 0xFE 0x39 0xC3 ...
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg41
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg41@ujdew 0xE6 0x9F 0xAD 0x51 ...
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 52\
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xC4 0x93 0xE1 0x88 ...
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0xA0 0x02 0x00 0x00 ...
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0xBF 0x64 0xFF 0x7A ...
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x5C 0xFE 0x39 0xC3 ...
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg41 (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg41@ujdew 0xE6 0x9F 0xAD 0x51 ...

    ---- EOF - GMER 1.0.15 ----
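Reading a GMER log of this size by eye is error-prone, and the interesting signal is in the pattern rather than in any single line. The script below is an added example written for this page (it is not part of the thread and not GMER's own code): it parses the two hook formats in the log above (user-mode `.text` inline hooks and kernel `IAT` hooks), reports which exports are patched at the same site in every process, and groups the kernel IAT hooks by the driver GMER attributes them to. The sample input is a handful of lines copied from the log; `parse_gmer`, `uniform_hooks` and the other function names are my own.

```python
import re
from collections import defaultdict

# Sample input: a few lines copied from the GMER log posted above (the real log
# repeats the same pattern for dozens of processes). Feed a whole log in the
# same way: parse_gmer(open("gmer.log").read()).
GMER_SAMPLE = r"""
.text C:\Users\Ryan\Desktop\rnmk5gkv.exe[2904] ntdll.dll!LdrLoadDll 773B22B8 5 Bytes JMP 001601F8
.text C:\Users\Ryan\Desktop\rnmk5gkv.exe[2904] kernel32.dll!GetBinaryTypeW + 70 75A169F4 1 Byte [62]
.text C:\Windows\system32\svchost.exe[2916] ntdll.dll!LdrUnloadDll 773AC8DE 5 Bytes JMP 000603FC
.text C:\Windows\system32\svchost.exe[2916] ntdll.dll!LdrLoadDll 773B22B8 5 Bytes JMP 000601F8
.text C:\Windows\system32\svchost.exe[2916] kernel32.dll!GetBinaryTypeW + 70 75A169F4 1 Byte [62]
.text C:\Windows\system32\conhost.exe[3820] ntdll.dll!LdrLoadDll 773B22B8 5 Bytes JMP 000701F8
.text C:\Windows\system32\conhost.exe[3820] USER32.dll!SetWindowsHookExW 75B4E30C 5 Bytes JMP 00100804
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [888B00C0] \SystemRoot\System32\Drivers\sptd.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [888B0FE0] \SystemRoot\System32\Drivers\sptd.sys
IAT \SystemRoot\System32\Drivers\ayfuhx4w.SYS[USBD.SYS!USBD_CreateConfigurationRequestEx] 1456B60F
"""

# ".text <image>[<pid>] <module>!<export>[ + <offset>] <address> <n> Byte(s) <patch>"
# where <patch> is either "JMP <target>" or the replaced bytes, e.g. "[62]".
USER_HOOK = re.compile(
    r"^\.text (?P<proc>.+?)\[(?P<pid>\d+)\] (?P<mod>[^!\s]+)!(?P<func>\S+)"
    r"(?: \+ (?P<off>[0-9A-Fa-f]+))? (?P<addr>[0-9A-Fa-f]{8}) (?P<n>\d+) Bytes? "
    r"(?P<patch>.+)$"
)
# "IAT <image>[<importing module>!<import>] [<address>] <owning module>"; the
# owning module is absent when the address lies in no loaded image.
IAT_HOOK = re.compile(
    r"^IAT (?P<image>\S+?)\[(?P<imp>[^\]]+)\] \[?(?P<addr>[0-9A-Fa-f]{8})\]?"
    r"(?: (?P<owner>\S+))?$"
)


def parse_gmer(text):
    """Split a GMER log into user-mode inline hooks and kernel IAT hooks."""
    user, kernel = [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = USER_HOOK.match(line)
        if m:
            h = m.groupdict()
            h["pid"], h["n"] = int(h["pid"]), int(h["n"])
            user.append(h)
            continue
        m = IAT_HOOK.match(line)
        if m:
            kernel.append(m.groupdict())
    return user, kernel


def api_key(h):
    return f"{h['mod'].lower()}!{h['func']}"


def hooked_api_summary(user):
    """'module!export' -> sorted distinct image names in which it is patched."""
    out = defaultdict(set)
    for h in user:
        out[api_key(h)].add(h["proc"].rsplit("\\", 1)[-1])
    return {k: sorted(v) for k, v in out.items()}


def uniform_hooks(user):
    """Exports patched at the same address with the same length in every process.

    That is the signature of a system-wide hooking component (AV/HIPS, or a
    rootkit): the JMP targets differ per process because each process gets its
    own trampoline, but the patched site does not.
    Returns {api: (address, patch_len, number_of_processes)}.
    """
    sites, pids = defaultdict(set), defaultdict(set)
    for h in user:
        sites[api_key(h)].add((h["addr"], h["n"]))
        pids[api_key(h)].add(h["pid"])
    return {api: (*next(iter(s)), len(pids[api]))
            for api, s in sites.items() if len(s) == 1}


def iat_by_owner(kernel):
    """Kernel IAT hooks grouped by the module GMER attributes the target to."""
    out = defaultdict(list)
    for h in kernel:
        owner = (h["owner"] or "<unattributed>").rsplit("\\", 1)[-1].lower()
        out[owner].append(h["imp"])
    return dict(out)


if __name__ == "__main__":
    u, k = parse_gmer(GMER_SAMPLE)
    for api, (addr, n, count) in sorted(uniform_hooks(u).items()):
        print(f"{api:<40} @ {addr} ({n}-byte patch) in {count} process(es)")
    for owner, imports in iat_by_owner(k).items():
        print(f"{owner}: {', '.join(imports)}")
```

Run over the full log, the user-mode section collapses to the same five or six exports (`LdrLoadDll`, `LdrUnloadDll`, `GetBinaryTypeW + 70`, the `SetWindowsHookEx*`/`SetWinEventHook` family) patched at identical sites in nearly every process, which is how a system-wide hooking product looks; confirm that against what is installed (the DDS log later in this thread lists avast's aswSnx/aswSP drivers) before treating it as the infection. The `atapi.sys` IAT hooks are attributed to `sptd.sys`, which the registry section ties to the Alcohol 52 install path. The randomly named `rnmk5gkv.exe` and `ayfuhx4w.SYS` entries are GMER's own renamed executable and its driver, and the one unattributed IAT entry belongs to that driver, so neither is a lead on its own.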
     
  7. Ryanmon99

    Ryanmon99 TS Rookie Topic Starter Posts: 25

    DDS

    .
    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 8.0.7601.17514 BrowserJavaVersion: 1.6.0_26
    Run by Ryan at 13:28:48 on 2011-11-10
    Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.2038.855 [GMT -8:00]
    .
    AV: avast! Antivirus *Enabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
    SP: avast! Antivirus *Enabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
    SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k RPCSS
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\Apoint\Apoint.exe
    C:\Windows\System32\igfxtray.exe
    C:\Windows\System32\hkcmd.exe
    C:\Windows\System32\igfxpers.exe
    C:\Windows\system32\igfxsrvc.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Microsoft IntelliPoint\ipoint.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Users\Ryan\AppData\Roaming\Google\Google Talk\googletalk.exe
    C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe
    C:\Program Files\Common Files\Apple\Internet Services\iCloudServices.exe
    C:\Program Files\Common Files\Apple\Internet Services\ApplePhotoStreams.exe
    C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
    C:\Users\Ryan\AppData\Roaming\Dropbox\bin\Dropbox.exe
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\system32\taskhost.exe
    C:\Windows\System32\svchost.exe -k NetworkService
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\AskBarDis\bar\bin\AskService.exe
    C:\Program Files\AskBarDis\bar\bin\ASKUpgrade.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\ccxgui\ccXservice.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe
    C:\Program Files\Hotspot Shield\bin\hsswd.exe
    C:\Program Files\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
    C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe
    C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe
    C:\Windows\system32\SearchIndexer.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Apoint\ApMsgFwd.exe
    C:\Program Files\Apoint\Apntex.exe
    C:\Windows\system32\conhost.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
    C:\Windows\System32\svchost.exe -k secsvcs
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Windows\system32\conhost.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uInternet Settings,ProxyOverride = localhost;127.0.0.1;*.local
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
    BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.2.4204.1700\swg.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
    uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
    uRun: [googletalk] c:\users\ryan\appdata\roaming\google\google talk\googletalk.exe /autostart
    uRun: [MusicManager] "c:\users\ryan\appdata\local\programs\google\musicmanager\MusicManager.exe"
    uRun: [AlcoholAutomount] "c:\program files\alcohol soft\alcohol 52\AxAutoMntSrv.exe" -automount
    uRun: [TomTomHOME.exe] "c:\program files\tomtom home 2\TomTomHOMERunner.exe"
    uRun: [iCloudServices] c:\program files\common files\apple\internet services\iCloudServices.exe
    uRun: [ApplePhotoStreams] c:\program files\common files\apple\internet services\ApplePhotoStreams.exe
    mRun: [Apoint] c:\program files\apoint\Apoint.exe
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
    mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
    mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
    StartupFolder: c:\users\ryan\appdata\roaming\micros~1\windows\startm~1\programs\startup\dropbox.lnk - c:\users\ryan\appdata\roaming\dropbox\bin\Dropbox.exe
    mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
    mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office12\EXCEL.EXE/3000
    IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\users\ryan\desktop\PartyPoker.lnk
    IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~1\office12\REFIEBAR.DLL
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    TCP: DhcpNameServer = 192.168.1.254 199.185.220.254
    TCP: Interfaces\{14138B5B-41F7-4F66-ACE8-B498610B0014} : DhcpNameServer = 64.71.255.198 64.71.255.253
    TCP: Interfaces\{332725B6-F2FD-4668-9941-9E98FBC250DC} : DhcpNameServer = 192.168.1.254 199.185.220.254
    TCP: Interfaces\{332725B6-F2FD-4668-9941-9E98FBC250DC}\142696A716465686 : DhcpNameServer = 216.19.176.6 216.19.176.7
    TCP: Interfaces\{332725B6-F2FD-4668-9941-9E98FBC250DC}\2456C6B696E6E233646454 : DhcpNameServer = 192.168.2.1
    TCP: Interfaces\{332725B6-F2FD-4668-9941-9E98FBC250DC}\4656661657C647 : DhcpNameServer = 192.168.0.1
    TCP: Interfaces\{332725B6-F2FD-4668-9941-9E98FBC250DC}\C696E6B6379737 : DhcpNameServer = 24.196.64.53 24.196.64.52
    TCP: Interfaces\{7EE372DB-69EB-4749-8669-9E0168E1E4D0} : DhcpNameServer = 64.71.255.198 64.71.255.253
    Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
    Notify: igfxcui - igfxdev.dll
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\users\ryan\appdata\roaming\mozilla\firefox\profiles\pp9zcygj.default\
    FF - prefs.js: browser.startup.homepage - hxxp://m.us.yahoo.com/
    FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
    FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
    FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
    FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
    FF - plugin: c:\program files\google\update\1.3.21.53\npGoogleUpdate3.dll
    FF - plugin: c:\program files\google\update\1.3.21.57\npGoogleUpdate3.dll
    FF - plugin: c:\program files\google\update\1.3.21.65\npGoogleUpdate3.dll
    FF - plugin: c:\program files\google\update\1.3.21.69\npGoogleUpdate3.dll
    FF - plugin: c:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\microsoft silverlight\4.0.60831.0\npctrlui.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
    FF - plugin: c:\program files\veetle\player\npvlc.dll
    FF - plugin: c:\program files\veetle\plugins\npVeetle.dll
    FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
    FF - plugin: c:\users\ryan\appdata\local\google\update\1.3.21.79\npGoogleUpdate3.dll
    FF - plugin: c:\users\ryan\appdata\roaming\mozilla\plugins\npgoogletalk.dll
    FF - plugin: c:\users\ryan\appdata\roaming\mozilla\plugins\npgtpo3dautoplugin.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-3-8 441176]
    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2009-12-27 307928]
    R2 ASKService;ASKService;c:\program files\askbardis\bar\bin\AskService.exe [2009-12-27 464264]
    R2 ASKUpgrade;ASKUpgrade;c:\program files\askbardis\bar\bin\ASKUpgrade.exe [2009-12-27 234888]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-12-27 19544]
    R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2009-12-27 53592]
    R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2011-5-10 42184]
    R2 ccXgui;ccXgui;c:\program files\ccxgui\ccXservice.exe [2004-4-23 173568]
    R2 HssWd;Hotspot Shield Monitoring Service;c:\program files\hotspot shield\bin\hsswd.exe -product hss --> c:\program files\hotspot shield\bin\hsswd.exe -product HSS [?]
    R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-11-10 366152]
    R2 StarWindServiceAE;StarWind AE Service;c:\program files\alcohol soft\alcohol 52\starwind\StarWindServiceAE.exe [2009-12-23 370688]
    R2 TomTomHOMEService;TomTomHOMEService;c:\program files\tomtom home 2\TomTomHOMEService.exe [2011-4-22 92592]
    R2 WDDMService;WD SmartWare Drive Manager;c:\program files\western digital\wd smartware\wd drive manager\WDDMService.exe [2009-8-17 98304]
    R2 WDSmartWareBackgroundService;WD SmartWare Background Service;c:\program files\western digital\wd smartware\front parlor\WDSmartWareBackgroundService.exe [2009-6-16 20480]
    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-11-10 22216]
    R3 netw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\netw5v32.sys [2009-6-10 4231168]
    R3 SFEP;Sony Firmware Extension Parser;c:\windows\system32\drivers\SFEP.sys [2007-8-3 9344]
    R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\drivers\VSTAZL3.SYS [2009-7-13 207360]
    R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\drivers\VSTDPV3.SYS [2009-7-13 980992]
    R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\drivers\VSTCNXT3.SYS [2009-7-13 661504]
    R3 ti21sony;ti21sony;c:\windows\system32\drivers\ti21sony.sys [2009-12-28 812544]
    R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\drivers\yk62x86.sys [2009-7-13 311296]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-12-27 135664]
    S2 hshld;Hotspot Shield Service;c:\program files\hotspot shield\bin\openvpnas.exe [2011-3-24 271408]
    S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2009-12-27 135664]
    S3 Netaapl;Apple Mobile Device Ethernet Service;c:\windows\system32\drivers\netaapl.sys [2010-4-19 18432]
    S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
    S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-7-2 52224]
    S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-3-11 1343400]
    S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2009-2-13 11520]
    .
    =============== Created Last 30 ================
    .
    2011-11-10 20:01:11 56200 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{910ea4bf-0bf3-42bf-a195-3baa38f40f04}\offreg.dll
    2011-11-10 19:59:24 -------- d-----w- c:\users\ryan\appdata\roaming\Malwarebytes
    2011-11-10 19:59:18 -------- d-----w- c:\programdata\Malwarebytes
    2011-11-10 19:59:15 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-11-10 19:59:15 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-11-10 09:16:39 -------- d-sh--w- C:\$RECYCLE.BIN
    2011-11-10 09:04:19 -------- d-----w- c:\users\ryan\appdata\local\temp
    2011-11-10 08:28:24 98816 ----a-w- c:\windows\sed.exe
    2011-11-10 08:28:24 518144 ----a-w- c:\windows\SWREG.exe
    2011-11-10 08:28:24 256000 ----a-w- c:\windows\PEV.exe
    2011-11-10 08:28:24 208896 ----a-w- c:\windows\MBR.exe
    2011-11-10 08:28:16 -------- d-----w- C:\ComboFix
    2011-11-09 06:35:24 -------- d-----w- c:\program files\Microsoft IntelliPoint
    2011-11-09 05:49:32 -------- d-----w- c:\users\ryan\appdata\roaming\Mozilla-Cache
    2011-11-09 05:47:14 -------- d-----w- C:\Programs
    2011-11-09 03:10:35 1290608 ----a-w- c:\windows\system32\drivers\tcpip.sys
    2011-11-09 03:10:32 708608 ----a-w- c:\program files\common files\system\wab32.dll
    2011-11-09 03:10:30 2341888 ----a-w- c:\windows\system32\win32k.sys
    2011-11-09 03:07:47 6668624 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{910ea4bf-0bf3-42bf-a195-3baa38f40f04}\mpengine.dll
    2011-10-15 20:47:19 233472 ----a-w- c:\windows\system32\oleacc.dll
    2011-10-15 20:47:18 571904 ----a-w- c:\windows\system32\oleaut32.dll
    2011-10-15 20:47:07 75776 ----a-w- c:\windows\system32\psisrndr.ax
    2011-10-15 20:47:06 465408 ----a-w- c:\windows\system32\psisdecd.dll
    2011-10-15 20:13:38 -------- d-----w- c:\program files\iPod
    2011-10-15 20:09:29 -------- d-----w- c:\program files\Bonjour
    .
    ==================== Find3M ====================
    .
    2011-10-15 20:20:40 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-10-01 02:42:56 1638912 ----a-w- c:\windows\system32\mshtml.tlb
    2011-08-31 06:05:04 83816 ----a-w- c:\windows\system32\dns-sd.exe
    2011-08-31 06:05:04 73064 ----a-w- c:\windows\system32\dnssd.dll
    2011-08-22 03:42:10 2829 ----a-w- c:\windows\War3Unin.pif
    2011-08-22 03:42:09 126976 ----a-w- c:\windows\War3Unin.exe
    2011-08-20 04:31:05 981504 ----a-w- c:\windows\system32\wininet.dll
    .
    ============= FINISH: 13:31:41.16 ===============
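Two parts of a DDS log are worth checking mechanically rather than by eye: the `mPolicies-system` UAC values against their defaults, and the service/driver lines for entries whose file DDS could not measure. The script below is an added example written for this page (not part of the thread and not DDS's own code). It parses those two line formats, compares the UAC values to the Windows 7 defaults (the `WIN7_UAC_DEFAULTS` table is my assumption of those defaults, not something DDS prints), and lists kernel drivers and entries printed with `[?]`. The sample input is copied from the log above; `parse_dds` and the other function names are my own.

```python
import re

# Windows 7 defaults for the UAC values DDS prints under mPolicies-system
# (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System). Assumed
# defaults for this example; verify against a clean machine of the same build.
WIN7_UAC_DEFAULTS = {
    "ConsentPromptBehaviorAdmin": 5,  # consent prompt for non-Windows binaries
    "ConsentPromptBehaviorUser": 3,   # credential prompt on the secure desktop
    "EnableUIADesktopToggle": 0,
    "PromptOnSecureDesktop": 1,       # elevation prompts on the isolated desktop
    "EnableLUA": 1,
}

# Sample input copied from the DDS log posted above.
DDS_SAMPLE = r"""
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-3-8 441176]
R2 ASKService;ASKService;c:\program files\askbardis\bar\bin\AskService.exe [2009-12-27 464264]
R2 HssWd;Hotspot Shield Monitoring Service;c:\program files\hotspot shield\bin\hsswd.exe -product hss --> c:\program files\hotspot shield\bin\hsswd.exe -product HSS [?]
S2 hshld;Hotspot Shield Service;c:\program files\hotspot shield\bin\openvpnas.exe [2011-3-24 271408]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
"""

POLICY = re.compile(r"^mPolicies-system: (?P<key>\w+) = (?P<val>-?\d+)")
# "<R|S><start> <name>;<display name>;<image path> [<yyyy-m-d> <size>]", with
# "[?]" when DDS recorded no date and size for the file.
SERVICE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d) (?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.+?) \[(?P<meta>[^\]]*)\]$"
)


def parse_dds(text):
    policies, services = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        m = POLICY.match(line)
        if m:
            policies[m["key"]] = int(m["val"])
            continue
        m = SERVICE.match(line)
        if m:
            meta = m["meta"].split()
            services[m["name"]] = {
                "running": m["state"] == "R",  # DDS: R = running, S = stopped
                "start": int(m["start"]),      # the service's Start value
                "display": m["display"],
                "path": m["path"],             # left exactly as DDS printed it
                "date": meta[0] if len(meta) == 2 else None,
                "size": int(meta[1]) if len(meta) == 2 else None,
            }
    return {"policies": policies, "services": services}


def uac_deviations(policies):
    """(key, observed, default) for every UAC value that differs from the default."""
    return [(k, v, WIN7_UAC_DEFAULTS[k]) for k, v in policies.items()
            if k in WIN7_UAC_DEFAULTS and v != WIN7_UAC_DEFAULTS[k]]


def services_missing_fileinfo(services):
    """Entries DDS printed with [?]: locate and check the binary by hand."""
    return [n for n, s in services.items() if s["size"] is None]


def kernel_drivers(services):
    """Names of entries whose image is a .sys file, i.e. kernel-mode code."""
    return [n for n, s in services.items()
            if re.search(r"\.sys(?:\s|$)", s["path"], re.I)]


if __name__ == "__main__":
    r = parse_dds(DDS_SAMPLE)
    for key, seen, default in uac_deviations(r["policies"]):
        print(f"UAC: {key} = {seen} (default {default})")
    print("no file info:", services_missing_fileinfo(r["services"]))
    print("kernel drivers:", kernel_drivers(r["services"]))
```

On this log the only UAC deviation is `PromptOnSecureDesktop = 0`: elevation prompts are drawn on the normal interactive desktop instead of the isolated secure desktop, where any user-mode program can read or drive them. The log cannot say who changed it, so it goes on the list of things to restore once the machine is clean. The `HssWd` entry is the one printed with `[?]`; its path is kept verbatim, including the `-->` form, for manual inspection.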
     
  8. Ryanmon99

    Ryanmon99 TS Rookie Topic Starter Posts: 25

    DDS attach

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-08-26.01)
    .
    Microsoft Windows 7 Professional
    Boot Device: \Device\HarddiskVolume2
    Install Date: 12/26/2009 3:48:36 PM
    System Uptime: 11/10/2011 11:56:30 AM (2 hours ago)
    .
    Motherboard: Sony Corporation | | VAIO
    Processor: Intel(R) Pentium(R) Dual CPU T2390 @ 1.86GHz | N/A | 1867/133mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 140 GiB total, 4.758 GiB free.
    D: is CDROM ()
    E: is Removable
    F: is Removable
    G: is CDROM ()
    H: is CDROM ()
    .
    ==== Disabled Device Manager Items =============
    .
    Class GUID: {eec5ad98-8080-425f-922a-dabf3de3f69a}
    Description: WPD FileSystem Volume Driver
    Device ID: WPDBUSENUMROOT\UMB\2&37C186B&0&STORAGE#VOLUME#_??_FLASHMEDIA#SDDEVICE1#5&28709844&0&003#
    Manufacturer: Microsoft
    Name: E:\
    PNP Device ID: WPDBUSENUMROOT\UMB\2&37C186B&0&STORAGE#VOLUME#_??_FLASHMEDIA#SDDEVICE1#5&28709844&0&003#
    Service: WUDFRd
    .
    Class GUID: {eec5ad98-8080-425f-922a-dabf3de3f69a}
    Description: WPD FileSystem Volume Driver
    Device ID: WPDBUSENUMROOT\UMB\2&37C186B&0&STORAGE#VOLUME#_??_FLASHMEDIA#MEMORYSTICKDEVICE0#5&28709844&0&002#
    Manufacturer: Microsoft
    Name: F:\
    PNP Device ID: WPDBUSENUMROOT\UMB\2&37C186B&0&STORAGE#VOLUME#_??_FLASHMEDIA#MEMORYSTICKDEVICE0#5&28709844&0&002#
    Service: WUDFRd
    .
    ==== System Restore Points ===================
    .
    RP318: 11/9/2011 10:59:53 PM - Restore Operation
    .
    ==== Installed Programs ======================
    .
    Leawo MP4 Converter version 3.1.0.0
    Update for Microsoft Office 2007 (KB2508958)
    Acoustica Effects Pack
    Acoustica Mixcraft 5
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 11 Plugin
    Adobe Reader 9.4.6
    Alpha Decay
    Alps Pointing-device for VAIO
    Amazon MP3 Downloader 1.0.10
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    avast! Free Antivirus
    AviSynth 2.5
    Bonjour
    CCleaner
    Dropbox
    FrostWire 4.21.1
    Google Chrome
    Google Earth
    Google Talk (remove only)
    Google Talk Plugin
    Google Update Helper
    Google Updater
    Hotspot Shield 1.57
    iCloud
    Intel(R) Graphics Media Accelerator Driver
    Intel(R) TV Wizard
    iTunes
    Java(TM) 6 Update 26
    Malwarebytes' Anti-Malware version 1.51.2.1300
    Microsoft .NET Framework 4 Client Profile
    Microsoft Application Error Reporting
    Microsoft Choice Guard
    Microsoft IntelliPoint 8.2
    Microsoft Office 2007 Service Pack 3 (SP3)
    Microsoft Office Access MUI (English) 2007
    Microsoft Office Access Setup Metadata MUI (English) 2007
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office File Validation Add-In
    Microsoft Office InfoPath MUI (English) 2007
    Microsoft Office Outlook MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office Professional Plus 2007
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
    Microsoft Office Publisher MUI (English) 2007
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Word MUI (English) 2007
    Microsoft Silverlight
    Microsoft SQL Server 2005 Compact Edition [ENU]
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
    Microsoft Visual C++ Run Time Lib Setup
    Mozilla Firefox 8.0 (x86 en-US)
    MSVCRT
    Music Manager
    Nuclear Fission
    OGA Notifier 2.0.0048.0
    PartyPoker
    QuickTime
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
    Skype Toolbars
    Skype™ 4.2
    Sony Download Taxi 1.5.0.0
    Starcraft
    System Requirements Lab CYRI
    TomTom HOME 2.8.2.2264
    TomTom HOME Visual Studio Merge Modules
    TrueCrypt
    Update for 2007 Microsoft Office System (KB967642)
    Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
    Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
    Update for Microsoft Office 2007 Help for Common Features (KB963673)
    Update for Microsoft Office Access 2007 Help (KB963663)
    Update for Microsoft Office Excel 2007 Help (KB963678)
    Update for Microsoft Office Infopath 2007 Help (KB963662)
    Update for Microsoft Office Outlook 2007 Help (KB963677)
    Update for Microsoft Office Powerpoint 2007 Help (KB963669)
    Update for Microsoft Office Publisher 2007 Help (KB963667)
    Update for Microsoft Office Script Editor Help (KB963671)
    Update for Microsoft Office Word 2007 Help (KB963665)
    Update for Outlook 2007 Junk Email Filter (KB2596560)
    Veetle TV 0.9.18
    Videora iPhone 4 Converter 6
    Videora iPod Converter 5.04
    VLC media player 1.0.5
    Vuze
    Vuze Toolbar
    Warcraft III
    WD SmartWare
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live Movie Maker
    Windows Live Photo Gallery
    Windows Live Upload Tool
    WinRAR archiver
    WinSCP 4.3.2
    XBMC
    XP Codec Pack
    .
    ==== Event Viewer Messages From Past Week ========
    .
    11/9/2011 6:17:30 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service fdPHost with arguments "" in order to run the server: {D3DCB472-7261-43CE-924B-0704BD730D5F}
    11/9/2011 6:17:29 PM, Error: Service Control Manager [7001] - The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error: The dependency service or group failed to start.
    11/9/2011 6:17:29 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service fdPHost with arguments "" in order to run the server: {145B4335-FE2A-4927-A040-7C35AD3180EF}
    11/9/2011 6:16:53 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netprofm with arguments "" in order to run the server: {A47979D2-C419-11D9-A5B4-001185AD2B89}
    11/9/2011 6:16:53 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netman with arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}
    11/9/2011 6:16:30 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD aswRdr aswSnx aswSP aswTdi DfsC discache NetBIOS NetBT nsiproxy Psched rdbss spldr sptd tdx truecrypt Wanarpv6 WfpLwf
    11/9/2011 6:16:30 PM, Error: Service Control Manager [7001] - The Workstation service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
    11/9/2011 6:16:30 PM, Error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the Ancillary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
    11/9/2011 6:16:30 PM, Error: Service Control Manager [7001] - The SMB MiniRedirector Wrapper and Engine service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning.
    11/9/2011 6:16:30 PM, Error: Service Control Manager [7001] - The SMB 2.0 MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
    11/9/2011 6:16:30 PM, Error: Service Control Manager [7001] - The SMB 1.x MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
    11/9/2011 6:16:30 PM, Error: Service Control Manager [7001] - The Network Store Interface Service service depends on the NSI proxy service driver. service which failed to start because of the following error: A device attached to the system is not functioning.
    11/9/2011 6:16:30 PM, Error: Service Control Manager [7001] - The Network Location Awareness service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
    11/9/2011 6:16:30 PM, Error: Service Control Manager [7001] - The IP Helper service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
    11/9/2011 6:16:30 PM, Error: Service Control Manager [7001] - The Hotspot Shield Service service depends on the DHCP Client service which failed to start because of the following error: The dependency service or group failed to start.
    11/9/2011 6:16:30 PM, Error: Service Control Manager [7001] - The DNS Client service depends on the NetIO Legacy TDI Support Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    11/9/2011 6:16:30 PM, Error: Service Control Manager [7001] - The DHCP Client service depends on the Ancillary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
    11/9/2011 5:14:52 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the wuauserv service.
    11/9/2011 5:13:51 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the Netman service.
    11/9/2011 11:22:16 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
    11/9/2011 10:59:44 PM, Error: VDS Basic Provider [1] - Unexpected failure. Error code: 490@01010004
    11/8/2011 8:21:19 PM, Error: Service Control Manager [7023] - The Windows Defender service terminated with the following error: %%-2147416365
    11/8/2011 7:45:35 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD aswRdr aswSnx aswSP aswTdi CSC DfsC discache NetBIOS NetBT nsiproxy Psched rdbss spldr sptd tdx truecrypt Wanarpv6 WfpLwf
    11/8/2011 5:04:51 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the ShellHWDetection service.
    11/7/2011 11:47:08 PM, Error: volsnap [36] - The shadow copies of volume C: were aborted because the shadow copy storage could not grow due to a user imposed limit.
    11/3/2011 5:20:07 PM, Error: Server [2505] - The server could not bind to the transport \Device\NetBT_Tcpip_{332725B6-F2FD-4668-9941-9E98FBC250DC} because another computer on the network has the same name. The server could not start.
    11/10/2011 12:54:22 AM, Error: Service Control Manager [7030] - The PEVSystemStart service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
    11/10/2011 12:35:50 AM, Error: Service Control Manager [7034] - The Hotspot Shield Monitoring Service service terminated unexpectedly. It has done this 1 time(s).
    11/10/2011 12:28:28 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service VSS with arguments "" in order to run the server: {E579AB5F-1CC4-44B4-BED9-DE0991FF0623}
    11/10/2011 12:24:17 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
    11/10/2011 12:24:17 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
    11/10/2011 12:24:16 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    11/10/2011 12:24:11 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
    11/10/2011 12:24:08 AM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: aswSnx aswSP aswTdi discache spldr sptd truecrypt Wanarpv6
    11/10/2011 12:23:25 AM, Error: sptd [4] - Driver detected an internal error in its data structures for .
    11/10/2011 11:57:39 AM, Error: Service Control Manager [7003] - The IP Helper service depends the following service: Tdx. This service might not be installed.
    11/10/2011 11:57:39 AM, Error: Service Control Manager [7001] - The Hotspot Shield Service service depends on the DHCP Client service which failed to start because of the following error: The dependency service does not exist or has been marked for deletion.
    11/10/2011 11:56:51 AM, Error: Service Control Manager [7023] - The Offline Files service terminated with the following error: The system cannot find the path specified.
    11/10/2011 1:30:30 PM, Error: Service Control Manager [7003] - The DHCP Client service depends the following service: Tdx. This service might not be installed.
    11/10/2011 1:30:30 PM, Error: Service Control Manager [7001] - The WinHTTP Web Proxy Auto-Discovery Service service depends on the DHCP Client service which failed to start because of the following error: The dependency service does not exist or has been marked for deletion.
    11/10/2011 1:28:04 PM, Error: Service Control Manager [7003] - The DNS Client service depends the following service: Tdx. This service might not be installed.
    11/10/2011 1:12:22 AM, Error: Service Control Manager [7022] - The Windows Update service hung on starting.
    .
    ==== End Of File ===========================
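The "Event Viewer Messages" block above is the most useful part of this DDS log for understanding why the machine lost networking after tdx.sys was quarantined: event 7026 lists tdx among the drivers that failed at boot, and the 7001/7003 events show DNS Client, DHCP Client and IP Helper failing because they depend on it (tdx's display name is "NetIO Legacy TDI Support Driver"), with further services failing behind DHCP Client. The script below is an added example, not part of the thread, of DDS or of ComboFix: it parses those Service Control Manager events and reports which service failures chain back to a given driver. The regexes are assumptions derived from the lines in this log, and the sample input is copied from it.

```python
"""Triage the 'Event Viewer Messages' block of a DDS log.

Added example for this thread; it is not code from DDS, ComboFix or the
original posts. It reads Service Control Manager events 7026 (boot/system-
start drivers that failed to load), 7003 (a service depends on a service that
is not installed) and 7001 (a service depends on another service that failed
to start), then reports which service failures chain back to one driver.
"""
import re
from collections import defaultdict

# Sample input: lines copied from the DDS log posted above.
SAMPLE_LOG = """
11/9/2011 6:17:30 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service fdPHost with arguments "" in order to run the server: {D3DCB472-7261-43CE-924B-0704BD730D5F}
11/9/2011 6:16:30 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD aswRdr aswSnx aswSP aswTdi DfsC discache NetBIOS NetBT nsiproxy Psched rdbss spldr sptd tdx truecrypt Wanarpv6 WfpLwf
11/9/2011 6:16:30 PM, Error: Service Control Manager [7001] - The DNS Client service depends on the NetIO Legacy TDI Support Driver service which failed to start because of the following error: A device attached to the system is not functioning.
11/9/2011 6:16:30 PM, Error: Service Control Manager [7001] - The DHCP Client service depends on the Ancillary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
11/10/2011 12:24:08 AM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: aswSnx aswSP aswTdi discache spldr sptd truecrypt Wanarpv6
11/10/2011 11:57:39 AM, Error: Service Control Manager [7003] - The IP Helper service depends the following service: Tdx. This service might not be installed.
11/10/2011 11:57:39 AM, Error: Service Control Manager [7001] - The Hotspot Shield Service service depends on the DHCP Client service which failed to start because of the following error: The dependency service does not exist or has been marked for deletion.
11/10/2011 1:30:30 PM, Error: Service Control Manager [7003] - The DHCP Client service depends the following service: Tdx. This service might not be installed.
11/10/2011 1:30:30 PM, Error: Service Control Manager [7001] - The WinHTTP Web Proxy Auto-Discovery Service service depends on the DHCP Client service which failed to start because of the following error: The dependency service does not exist or has been marked for deletion.
"""

# Line shapes as DDS prints them. These patterns are assumptions derived
# from the log above, not taken from any DDS documentation.
RE_EVENT = re.compile(
    r"^(?P<when>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M), "
    r"(?P<level>\w+): (?P<source>[^\[]+?) \[(?P<id>\d+)\] - (?P<msg>.*)$"
)
RE_7026 = re.compile(r"failed to load: (?P<drivers>.+)$")
RE_7003 = re.compile(r"^The (?P<svc>.+?) service depends the following service: (?P<dep>[^.]+)\.")
RE_7001 = re.compile(r"^The (?P<svc>.+?) service depends on the (?P<dep>.+?) service which failed to start")


def parse_events(lines):
    """Return one dict per recognised event line (non-matching lines are skipped)."""
    events = []
    for line in lines:
        m = RE_EVENT.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["id"] = int(ev["id"])
            events.append(ev)
    return events


def failed_boot_drivers(events):
    """Union of driver service names from every 7026 event."""
    names = set()
    for ev in events:
        if ev["source"] == "Service Control Manager" and ev["id"] == 7026:
            m = RE_7026.search(ev["msg"])
            if m:
                names.update(m.group("drivers").split())
    return names


def dependency_edges(events):
    """Map service display name -> set of dependencies blamed in 7001/7003 events."""
    edges = defaultdict(set)
    for ev in events:
        if ev["source"] != "Service Control Manager":
            continue
        m = None
        if ev["id"] == 7003:
            m = RE_7003.match(ev["msg"])
        elif ev["id"] == 7001:
            m = RE_7001.match(ev["msg"])
        if m:
            edges[m.group("svc")].add(m.group("dep"))
    return edges


def blocked_by(driver, edges, aliases=()):
    """Services whose failure chains, directly or transitively, back to `driver`.

    `aliases` lets you pass the driver's display name as well as its short
    service name, since 7001 uses the former and 7003/7026 the latter.
    """
    targets = {driver.lower(), *(a.lower() for a in aliases)}
    blocked = set()
    changed = True
    while changed:  # propagate until no new service is pulled into the set
        changed = False
        for svc, deps in edges.items():
            if svc in blocked:
                continue
            if any(d.lower() in targets or d in blocked for d in deps):
                blocked.add(svc)
                changed = True
    return blocked


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG.strip().splitlines())
    print("drivers that failed at boot:", sorted(failed_boot_drivers(evs)))
    chain = blocked_by("tdx", dependency_edges(evs),
                       aliases=("NetIO Legacy TDI Support Driver",))
    print("services blocked by tdx:", sorted(chain))
```

Run on the sample, the script shows that five services (DNS Client, DHCP Client, IP Helper, and then Hotspot Shield Service and WinHTTP Web Proxy Auto-Discovery behind DHCP Client) fail only because tdx is gone, which is exactly the "connected to network but no Internet access" symptom from the first post. Quarantining a system driver that other services depend on produces this pattern; the event log tells you which driver to restore before you start chasing the dependents.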
     
  9. Broni

    Broni Malware Annihilator Posts: 47,684   +268

    Welcome aboard

    Please observe the following rules:
    • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
    • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
    • Please refrain from running tools or applying updates other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer's behavior, good or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in the malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

    ======================================================================

    Never run Combofix on your own!

    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2

    64-bit users go HERE
    • Double-click SystemLook.exe to run it.
    • Vista\Win 7 users: Right click on SystemLook.exe, click Run As Administrator
    • Copy the content of the following box and paste it into the main textfield:
      Code:
      :filefind
      tdx.sys
      
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop, entitled SystemLook.txt.
     
  10. Ryanmon99

    Ryanmon99 TS Rookie Topic Starter Posts: 25

    SystemLook

    C:\windows\winsxs\x86_microsoft-windows-rid-over-tcpip_31bf3856ad364e35_6.1.7600.16385_none_ea141e6f3d693e28\tdx.sys --a--- 74240 bytes [23:12 13/07/2009] [23:12 13/07/2009] cb39e896a2a83702d1737bfd402b3542

    -= EOF =-
     
  11. Broni

    Broni Malware Annihilator Posts: 47,684   +268

    1. Please open Notepad
    • Click Start , then Run
    • Type notepad.exe in the Run Box
    • Click OK
    Windows Vista/7 users: click Start, in "Start search" type notepad and press Enter.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    FCopy::
    C:\windows\winsxs\x86_microsoft-windows-rid-over-tcpip_31bf3856ad364e35_6.1.7600.16385_none_ea141e6f3d693e28\tdx.sys | c:\windows\system32\drivers\tdx.sys
    
    File::
    
    Folder::
    c:\program files\AskBarDis
    
    Driver::
    ASKService
    ASKUpgrade
    
    
    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{3041d03e-fd4b-44e0-b742-2d9b88305f98}"=-
    [-HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
    [-HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{3041D03E-FD4B-44E0-B742-2D9B88305F98}"=-
    [-HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
    [-HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]
    
    

    3. Save the above as CFScript.txt

    4. Close/disable all antivirus and anti-malware programs again, so they do not interfere with the running of ComboFix.

    5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.



    6. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
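The two posts above fit together: SystemLook's `:filefind` records the size and MD5 of every copy of tdx.sys on the disk, and the `FCopy::` directive then copies the WinSxS copy over the quarantined driver in system32\drivers. What neither tool does is confirm afterwards that the live file now matches the reference. The script below is an added example, not code from SystemLook, ComboFix or this thread: it parses the SystemLook record, picks the WinSxS copy as the reference, and checks a live file against it by size and MD5. The `RE_SYSTEMLOOK` pattern is an assumption based on the single output line posted above; the sample input is that line. Python is used here rather than a Windows shell so the logic can be run and tested anywhere.

```python
"""Verify a driver restored from the WinSxS component store.

Added example for this thread; not code from SystemLook, ComboFix or the
original posts. It parses SystemLook ':filefind' output, selects the WinSxS
copy of a file as the known-good reference, and checks that a live file
(for example c:\\windows\\system32\\drivers\\tdx.sys after FCopy::) has the
same size and MD5.
"""
import hashlib
import re
from pathlib import Path

# Sample input copied from the SystemLook output posted earlier in the thread.
SAMPLE_SYSTEMLOOK = r"""
SystemLook
C:\windows\winsxs\x86_microsoft-windows-rid-over-tcpip_31bf3856ad364e35_6.1.7600.16385_none_ea141e6f3d693e28\tdx.sys --a--- 74240 bytes [23:12 13/07/2009] [23:12 13/07/2009] cb39e896a2a83702d1737bfd402b3542

-= EOF =-
"""

# One :filefind record:  <path> <attrs> <size> bytes [created] [modified] <md5>
# Assumed shape, derived from the line above rather than from documentation.
RE_SYSTEMLOOK = re.compile(
    r"^(?P<path>.+?)\s+(?P<attrs>[-a-z]{6})\s+(?P<size>\d+) bytes"
    r"\s+\[(?P<created>[^\]]+)\]\s+\[(?P<modified>[^\]]+)\]\s+(?P<md5>[0-9a-fA-F]{32})$"
)


def parse_systemlook(text):
    """Return one dict per file record found in SystemLook :filefind output."""
    records = []
    for line in text.splitlines():
        m = RE_SYSTEMLOOK.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["size"] = int(rec["size"])
            rec["md5"] = rec["md5"].lower()
            records.append(rec)
    return records


def pick_reference(records, filename):
    """Choose the WinSxS copy of `filename` as the known-good reference.

    Returns None when no WinSxS copy was recorded. If several WinSxS copies
    exist and disagree (different servicing levels), refuse to guess: the
    copy matching the installed build has to be chosen by hand.
    """
    wanted = [r for r in records
              if r["path"].lower().endswith("\\" + filename.lower())
              and "\\winsxs\\" in r["path"].lower()]
    if not wanted:
        return None
    if len({(r["size"], r["md5"]) for r in wanted}) > 1:
        raise ValueError(f"WinSxS copies of {filename} differ; choose one manually")
    return wanted[0]


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def md5_of_file(path, chunk=1 << 20):
    """Stream the file so large drivers do not have to be read into memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def check_against_record(size, md5, reference):
    """Pure comparison of (size, md5) to a SystemLook record: returns (ok, reasons)."""
    reasons = []
    if size != reference["size"]:
        reasons.append(f"size {size} != {reference['size']}")
    if md5.lower() != reference["md5"]:
        reasons.append(f"md5 {md5} != {reference['md5']}")
    return (not reasons), reasons


def verify_restored(live_path, reference):
    """Hash the live file and compare it to the reference record."""
    p = Path(live_path)
    if not p.is_file():
        return False, [f"live file missing: {p}"]
    return check_against_record(p.stat().st_size, md5_of_file(p), reference)


if __name__ == "__main__":
    ref = pick_reference(parse_systemlook(SAMPLE_SYSTEMLOOK), "tdx.sys")
    ok, why = verify_restored(r"c:\windows\system32\drivers\tdx.sys", ref)
    print("OK: live driver matches WinSxS copy" if ok else "MISMATCH: " + "; ".join(why))
```

A match only proves the copy landed intact; it takes the WinSxS copy on trust. Since the original tdx.sys was reported as patched, the responder's follow-up is to confirm that the reference copy itself carries a valid Microsoft Authenticode signature (for instance with Sysinternals sigcheck) before treating the restored driver as clean.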
     
     
  12. Ryanmon99

    Ryanmon99 TS Rookie Topic Starter Posts: 25

    Thanks for the help. Be back later. Gotta find a computer with Internet access to copy logs and whatnot.
     
  13. Ryanmon99

    Ryanmon99 TS Rookie Topic Starter Posts: 25

    ComboFix 11-11-09.01 - Ryan 11/11/2011 11:39:32.2.2 - x86
    Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.2038.1247 [GMT -8:00]
    Running from: c:\users\Ryan\Desktop\ComboFix.exe
    Command switches used :: c:\users\Ryan\Desktop\CFScript.txt
    AV: avast! Antivirus *Enabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
    SP: avast! Antivirus *Enabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
    SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\program files\AskBarDis
    c:\program files\AskBarDis\bar\bin\askBar.dll
    c:\program files\AskBarDis\bar\bin\askPopStp.dll
    c:\program files\AskBarDis\bar\bin\AskService.exe
    c:\program files\AskBarDis\bar\bin\AskSplash.exe
    c:\program files\AskBarDis\bar\bin\AskTBApp.exe
    c:\program files\AskBarDis\bar\bin\ASKUpgrade.exe
    c:\program files\AskBarDis\bar\bin\psvince.dll
    c:\program files\AskBarDis\bar\Settings\AskLogo.ico
    c:\program files\AskBarDis\bar\Settings\config.dat
    c:\program files\AskBarDis\bar\Settings\config.dat.bak
    c:\program files\AskBarDis\unins000.dat
    c:\program files\AskBarDis\unins000.exe
    c:\users\Ryan\AppData\Roaming\Google\Google Talk\googletalk.exe /autostart
    .
    .
    --------------- FCopy ---------------
    .
    c:\windows\winsxs\x86_microsoft-windows-tdi-over-tcpip_31bf3856ad364e35_6.1.7600.16385_none_ea141e6f3d693e28\tdx.sys --> c:\windows\system32\drivers\tdx.sys
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    -------\Service_ASKService
    -------\Service_ASKUpgrade
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-10-11 to 2011-11-11 )))))))))))))))))))))))))))))))
    .
    .
    2011-11-11 20:06 . 2011-11-11 20:08 -------- d-----w- c:\users\Ryan\AppData\Local\temp
    2011-11-11 20:06 . 2011-11-11 20:06 -------- d-----w- c:\users\Default\AppData\Local\temp
    2011-11-11 19:39 . 2009-07-13 23:12 74240 ----a-w- c:\windows\system32\drivers\tdx.sys
    2011-11-11 08:10 . 2011-11-11 08:10 56200 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{910EA4BF-0BF3-42BF-A195-3BAA38F40F04}\offreg.dll
    2011-11-10 21:34 . 2011-11-10 21:34 -------- d-----w- c:\program files\RegTweaker
    2011-11-10 19:59 . 2011-11-10 19:59 -------- d-----w- c:\users\Ryan\AppData\Roaming\Malwarebytes
    2011-11-10 19:59 . 2011-11-10 19:59 -------- d-----w- c:\programdata\Malwarebytes
    2011-11-10 19:59 . 2011-11-10 19:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-11-10 19:59 . 2011-09-01 01:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-11-09 06:35 . 2011-11-09 06:36 -------- d-----w- c:\program files\Microsoft IntelliPoint
    2011-11-09 05:49 . 2011-11-09 05:50 -------- d-----w- c:\users\Ryan\AppData\Roaming\Mozilla-Cache
    2011-11-09 05:47 . 2011-11-09 05:47 -------- d-----w- C:\Programs
    2011-11-09 03:10 . 2011-09-29 16:03 1290608 ----a-w- c:\windows\system32\drivers\tcpip.sys
    2011-11-09 03:10 . 2011-10-01 04:37 708608 ----a-w- c:\program files\Common Files\System\wab32.dll
    2011-11-09 03:10 . 2011-09-29 03:37 2341888 ----a-w- c:\windows\system32\win32k.sys
    2011-11-09 03:07 . 2011-10-07 03:48 6668624 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{910EA4BF-0BF3-42BF-A195-3BAA38F40F04}\mpengine.dll
    2011-10-15 20:47 . 2011-08-27 04:26 233472 ----a-w- c:\windows\system32\oleacc.dll
    2011-10-15 20:47 . 2011-08-27 04:26 571904 ----a-w- c:\windows\system32\oleaut32.dll
    2011-10-15 20:47 . 2011-08-17 04:19 75776 ----a-w- c:\windows\system32\psisrndr.ax
    2011-10-15 20:47 . 2011-08-17 04:24 465408 ----a-w- c:\windows\system32\psisdecd.dll
    2011-10-15 20:13 . 2011-10-15 20:13 -------- d-----w- c:\program files\iPod
    2011-10-15 20:09 . 2011-10-15 20:09 -------- d-----w- c:\program files\Bonjour
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-10-15 20:20 . 2011-06-11 01:23 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-08-31 06:05 . 2011-08-31 06:05 83816 ----a-w- c:\windows\system32\dns-sd.exe
    2011-08-31 06:05 . 2011-08-31 06:05 73064 ----a-w- c:\windows\system32\dnssd.dll
    2011-08-22 03:42 . 2011-08-22 03:42 2829 ----a-w- c:\windows\War3Unin.pif
    2011-08-22 03:42 . 2011-08-22 03:42 126976 ----a-w- c:\windows\War3Unin.exe
    2011-11-05 06:53 . 2011-04-13 05:08 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EA5CA8B6-9B9C-4994-A7A1-947B6C631BE7}]
    2011-03-03 07:20 242688 ----a-w- c:\program files\RegTweaker\key.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
    @="{472083B0-C522-11CF-8763-00608CC02F24}"
    [HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
    2011-05-10 12:10 122512 ----a-w- c:\program files\Alwil Software\Avast5\ashShell.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
    @="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
    2011-02-18 05:12 94208 ----a-w- c:\users\Ryan\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
    @="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
    2011-02-18 05:12 94208 ----a-w- c:\users\Ryan\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
    @="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
    2011-02-18 05:12 94208 ----a-w- c:\users\Ryan\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1174016]
    "googletalk"="c:\users\Ryan\AppData\Roaming\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
    "MusicManager"="c:\users\Ryan\AppData\Local\Programs\Google\MusicManager\MusicManager.exe" [2011-09-14 13128704]
    "AlcoholAutomount"="c:\program files\Alcohol Soft\Alcohol 52\AxAutoMntSrv.exe" [2010-08-20 33120]
    "TomTomHOME.exe"="c:\program files\TomTom HOME 2\TomTomHOMERunner.exe" [2011-04-22 247728]
    "iCloudServices"="c:\program files\Common Files\Apple\Internet Services\iCloudServices.exe" [2011-10-06 59240]
    "ApplePhotoStreams"="c:\program files\Common Files\Apple\Internet Services\ApplePhotoStreams.exe" [2011-09-29 59240]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Apoint"="c:\program files\Apoint\Apoint.exe" [2008-06-18 122880]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-09-24 141848]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-09-24 173592]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2009-09-24 150552]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-09-07 37296]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
    "APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-07-06 421888]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-10-10 421736]
    "IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2011-08-01 1821576]
    "Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-09-01 449608]
    "Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2011-09-01 1047208]
    .
    c:\users\Ryan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    Dropbox.lnk - c:\users\Ryan\AppData\Roaming\Dropbox\bin\Dropbox.exe [2011-8-22 24182896]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 5 (0x5)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)
    "PromptOnSecureDesktop"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "aux"=wdmaud.drv
    .
    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^WDDMStatus.lnk]
    path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\WDDMStatus.lnk
    backup=c:\windows\pss\WDDMStatus.lnk.CommonStartup
    backupExtension=.CommonStartup
    .
    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^WDSmartWare.lnk]
    path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\WDSmartWare.lnk
    backup=c:\windows\pss\WDSmartWare.lnk.CommonStartup
    backupExtension=.CommonStartup
    .
    [HKLM\~\startupfolder\C:^Users^Ryan^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
    path=c:\users\Ryan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LimeWire On Startup.lnk
    backup=c:\windows\pss\LimeWire On Startup.lnk.Startup
    backupExtension=.Startup
    .
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2009-12-27 135664]
    R2 hshld;Hotspot Shield Service;c:\program files\Hotspot Shield\bin\openvpnas.exe [2011-03-25 271408]
    R3 dc3d;MS Hardware Device Detection Driver;c:\windows\system32\DRIVERS\dc3d.sys [2011-05-18 40320]
    R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2009-12-27 135664]
    R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [x]
    R3 Netaapl;Apple Mobile Device Ethernet Service;c:\windows\system32\DRIVERS\netaapl.sys [2010-04-20 18432]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-03-12 1343400]
    R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam.sys [2009-02-13 11520]
    S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2011-07-25 436792]
    S1 aswSnx;aswSnx; [x]
    S1 aswSP;aswSP; [x]
    S2 aswFsBlk;aswFsBlk; [x]
    S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2011-05-10 53592]
    S2 ccXgui;ccXgui;c:\program files\ccxgui\ccXservice.exe [2004-04-23 173568]
    S2 HssWd;Hotspot Shield Monitoring Service;c:\program files\Hotspot Shield\bin\hsswd.exe [2010-10-15 326704]
    S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2011-09-01 366152]
    S2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [2011-04-22 92592]
    S2 WDDMService;WD SmartWare Drive Manager;c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe [2009-08-17 98304]
    S2 WDSmartWareBackgroundService;WD SmartWare Background Service;c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe [2009-06-16 20480]
    S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-09-01 22216]
    S3 netw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [2009-07-13 4231168]
    S3 SFEP;Sony Firmware Extension Parser;c:\windows\system32\DRIVERS\SFEP.sys [2007-08-03 9344]
    S3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL3.SYS [2009-07-13 207360]
    S3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV3.SYS [2009-07-13 980992]
    S3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT3.SYS [2009-07-13 661504]
    S3 ti21sony;ti21sony;c:\windows\system32\drivers\ti21sony.sys [2007-06-05 812544]
    S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x86.sys [2009-07-13 311296]
    .
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-11-11 c:\windows\Tasks\Google Software Updater.job
    - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-12-27 00:22]
    .
    2011-11-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-12-27 18:49]
    .
    2011-11-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-12-27 18:49]
    .
    2011-11-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1148415063-2950945713-2109174141-1000Core.job
    - c:\users\Ryan\AppData\Local\Google\Update\GoogleUpdate.exe [2010-08-27 03:20]
    .
    2011-11-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1148415063-2950945713-2109174141-1000UA.job
    - c:\users\Ryan\AppData\Local\Google\Update\GoogleUpdate.exe [2010-08-27 03:20]
    .
    .
    ------- Supplementary Scan -------
    .
    uInternet Settings,ProxyOverride = localhost;127.0.0.1;*.local
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
    TCP: DhcpNameServer = 192.168.1.254 199.185.220.254
    FF - ProfilePath - c:\users\Ryan\AppData\Roaming\Mozilla\Firefox\Profiles\pp9zcygj.default\
    FF - prefs.js: browser.startup.homepage - hxxp://m.us.yahoo.com/
    FF - prefs.js: network.proxy.type - 0
    .
    - - - - ORPHANS REMOVED - - - -
    .
    AddRemove-Ask Toolbar_is1 - c:\program files\AskBarDis\unins000.exe
    .
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'Explorer.exe'(3836)
    c:\users\Ryan\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
    c:\program files\WinSCP\DragExt.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Alwil Software\Avast5\AvastSvc.exe
    c:\windows\system32\taskhost.exe
    c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Hotspot Shield\HssWPR\hsssrv.exe
    c:\program files\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe
    c:\windows\system32\WUDFHost.exe
    c:\windows\system32\conhost.exe
    c:\program files\Windows Media Player\wmpnetwk.exe
    .
    **************************************************************************
    .
    Completion time: 2011-11-11 12:19:43 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-11-11 20:19
    ComboFix2.txt 2011-11-10 09:22
    .
    Pre-Run: 5,078,818,816 bytes free
    Post-Run: 4,906,876,928 bytes free
    .
    - - End Of File - - CB3993156AD916E50EB824FECAA0B646
     
  14. Broni

    Broni Malware Annihilator Posts: 47,684   +268

    Still no internet?
     
  15. Ryanmon99

    Ryanmon99 TS Rookie Topic Starter Posts: 25

    Nothing... it says "Identifying... No internet access".
     
  16. Ryanmon99

    Ryanmon99 TS Rookie Topic Starter Posts: 25

    Also, when going to Internet Options I get an error: Explorer.exe Illegal Operation attempted on a registry key that has been marked for deletion.

    EDIT: Get the same error message when trying to open any program
     
  17. Broni

    Broni Malware Annihilator Posts: 47,684   +268

    You have to restart the computer to fix that issue.

    After restarting....

    Please download MiniToolBox and run it.

    Checkmark following boxes:
    • Report IE Proxy Settings
    • Report FF Proxy Settings
    • List content of Hosts
    • List IP configuration
    • List Winsock Entries
    • List last 10 Event Viewer log
    Click Go and post the result.
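
    The same evidence can be collected without a third-party tool. The script below is an added example, not part of the thread and not MiniToolBox's own code: it gathers the items Broni listed (IE and Firefox proxy settings, hosts file, IP configuration, Winsock catalog, last 10 error events) using only what ships with Windows 7, and pulls out the two findings a responder reads first on a "connected but no Internet" box, an APIPA address and Service Control Manager errors naming a dependency that "might not be installed". It assumes an elevated PowerShell prompt on the affected machine; the output file name is the author's choice.

```powershell
# Added example, not the thread's own procedure or MiniToolBox: collect the same
# evidence with tools that ship with Windows 7 and flag the items a responder reads
# first. Assumes an elevated PowerShell prompt on the affected machine.

function Write-Section {
    param([string]$Title, $Body)
    "==== $Title ===="
    if ($Body) { $Body | Out-String -Width 200 } else { "(nothing flagged)" }
}

$out = @()

# 1. IE / WinHTTP proxy. Malware often sets ProxyServer to 127.0.0.1:<port> or points
#    AutoConfigURL at a PAC script, which does not show up as "Proxy enabled".
$ie = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$out += Write-Section 'IE proxy' ($ie | Select-Object ProxyEnable, ProxyServer, AutoConfigURL)

# 2. Firefox proxy prefs from every profile of the current user.
$prefs = Get-ChildItem "$env:APPDATA\Mozilla\Firefox\Profiles" -Filter prefs.js -Recurse -ErrorAction SilentlyContinue
$ff = foreach ($f in $prefs) { Select-String -Path $f.FullName -Pattern 'network\.proxy\.' | ForEach-Object { $_.Line } }
$out += Write-Section 'Firefox proxy prefs' $ff

# 3. hosts file: anything that is not a comment or the loopback entries is suspect.
$hosts = Get-Content "$env:SystemRoot\System32\drivers\etc\hosts" -ErrorAction SilentlyContinue
$badHosts = $hosts | Where-Object { $_ -match '\S' -and $_ -notmatch '^\s*#' -and $_ -notmatch '^\s*(127\.0\.0\.1|::1)\s+localhost\s*$' }
$out += Write-Section 'Non-default hosts entries' $badHosts

# 4. IP configuration. An "Autoconfiguration IPv4 Address" (169.254.x.x) with an empty
#    default gateway means the DHCP client never obtained a lease.
$ipconfig = ipconfig /all
$apipa = $ipconfig | Select-String 'Autoconfiguration IPv4 Address'
$out += Write-Section 'APIPA addresses (DHCP failed)' $apipa
$out += Write-Section 'ipconfig /all' $ipconfig

# 5. Winsock catalog. Provider DLLs outside system32 are third-party LSP/NSP entries
#    (Bonjour's mdnsNSP.dll is benign, but hijacking LSPs live in the same list).
$catalog = netsh winsock show catalog
$lsp = $catalog | Where-Object { $_ -match '^\s*Provider Path' -and $_ -notmatch 'system32\\' }
$out += Write-Section 'Winsock providers outside system32' $lsp

# 6. Last 10 error events per log, the same view as "List last 10 Event Viewer log".
foreach ($log in 'System', 'Application') {
    $ev = Get-EventLog -LogName $log -EntryType Error -Newest 10 -ErrorAction SilentlyContinue |
          Select-Object TimeGenerated, Source, EventID, Message
    $out += Write-Section "Last 10 errors: $log" $ev
}

# 7. Services the Service Control Manager could not find at all: a dependency whose
#    registry key no longer exists. This is the error that named Tdx in the thread.
$missing = Get-EventLog -LogName System -Source 'Service Control Manager' -EntryType Error -Newest 200 -ErrorAction SilentlyContinue |
    ForEach-Object {
        if ($_.Message -match 'depends (on )?the following service: (?<svc>[^.\s]+)\. This service might not be installed') { $Matches['svc'] }
    } | Sort-Object -Unique
$out += Write-Section 'Dependencies reported as not installed' $missing

$out | Set-Content "$env:USERPROFILE\Desktop\triage.txt"   # file name is this example's choice
$out
```

    Section 7 is the one to read first: a service name there means the Service Control Manager found a `DependOnService` entry with no matching key under `HKLM\SYSTEM\CurrentControlSet\Services`, which is a different failure from a driver that merely failed to load.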
     
  18. Ryanmon99

    Ryanmon99 TS Rookie Topic Starter Posts: 25

    MiniToolBox by Farbar
    Ran by Ryan (administrator) on 11-11-2011 at 14:45:52
    Windows 7 Professional Service Pack 1 (X86)

    ***************************************************************************

    ========================= IE Proxy Settings: ==============================

    Proxy is not enabled.
    No Proxy Server is set.

    ========================= FF Proxy Settings: ==============================

    "network.proxy.type", 0
    ========================= Hosts content: =================================

    127.0.0.1 localhost

    ========================= IP Configuration: ================================

    # ----------------------------------
    # IPv4 Configuration
    # ----------------------------------
    pushd interface ipv4

    reset


    popd
    # End of IPv4 configuration



    Windows IP Configuration

    Host Name . . . . . . . . . . . . : Ryan-PC
    Primary Dns Suffix . . . . . . . :
    Node Type . . . . . . . . . . . . : Hybrid
    IP Routing Enabled. . . . . . . . : No
    WINS Proxy Enabled. . . . . . . . : No

    Ethernet adapter Local Area Connection* 17:

    Media State . . . . . . . . . . . : Media disconnected
    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : Anchorfree HSS Adapter
    Physical Address. . . . . . . . . : 00-FF-11-24-1C-73
    DHCP Enabled. . . . . . . . . . . : Yes
    Autoconfiguration Enabled . . . . : Yes

    Ethernet adapter Local Area Connection:

    Media State . . . . . . . . . . . : Media disconnected
    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : Marvell Yukon 88E8039 PCI-E Fast Ethernet Controller
    Physical Address. . . . . . . . . : 00-1A-80-F8-42-50
    DHCP Enabled. . . . . . . . . . . : Yes
    Autoconfiguration Enabled . . . . : Yes

    Wireless LAN adapter Wireless Network Connection:

    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : Intel(R) Wireless WiFi Link 4965AGN
    Physical Address. . . . . . . . . : 00-1F-3B-BD-AC-27
    DHCP Enabled. . . . . . . . . . . : Yes
    Autoconfiguration Enabled . . . . : Yes
    Link-local IPv6 Address . . . . . : fe80::35aa:a53d:acee:5025%10(Preferred)
    Autoconfiguration IPv4 Address. . : 169.254.80.37(Preferred)
    Subnet Mask . . . . . . . . . . . : 255.255.0.0
    Default Gateway . . . . . . . . . :
    DNS Servers . . . . . . . . . . . : 192.168.1.254
    199.185.220.254
    NetBIOS over Tcpip. . . . . . . . : Disabled

    Tunnel adapter Teredo Tunneling Pseudo-Interface:

    Media State . . . . . . . . . . . : Media disconnected
    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
    Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
    DHCP Enabled. . . . . . . . . . . : No
    Autoconfiguration Enabled . . . . : Yes

    Tunnel adapter isatap.{332725B6-F2FD-4668-9941-9E98FBC250DC}:

    Media State . . . . . . . . . . . : Media disconnected
    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : Microsoft ISATAP Adapter
    Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
    DHCP Enabled. . . . . . . . . . . : No
    Autoconfiguration Enabled . . . . : Yes

    Tunnel adapter isatap.{3114ADA3-487B-4C1E-B608-B922E16785C0}:

    Media State . . . . . . . . . . . : Media disconnected
    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
    Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
    DHCP Enabled. . . . . . . . . . . : No
    Autoconfiguration Enabled . . . . : Yes

    Tunnel adapter isatap.{11241C73-C986-4D96-999B-B20B77AF9935}:

    Media State . . . . . . . . . . . : Media disconnected
    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : Microsoft ISATAP Adapter #3
    Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
    DHCP Enabled. . . . . . . . . . . : No
    Autoconfiguration Enabled . . . . : Yes
    Server: UnKnown
    Address: 192.168.1.254

    Ping request could not find host google.com. Please check the name and try again.
    Server: UnKnown
    Address: 192.168.1.254

    Ping request could not find host yahoo.com. Please check the name and try again.

    Pinging 127.0.0.1 with 32 bytes of data:
    Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
    Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

    Ping statistics for 127.0.0.1:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
    ===========================================================================
    Interface List
    21...00 ff 11 24 1c 73 ......Anchorfree HSS Adapter
    11...00 1a 80 f8 42 50 ......Marvell Yukon 88E8039 PCI-E Fast Ethernet Controller
    10...00 1f 3b bd ac 27 ......Intel(R) Wireless WiFi Link 4965AGN
    1...........................Software Loopback Interface 1
    24...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
    25...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
    26...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
    27...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3
    ===========================================================================

    IPv4 Route Table
    ===========================================================================
    Active Routes:
    Network Destination Netmask Gateway Interface Metric
    127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
    127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
    127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
    169.254.0.0 255.255.0.0 On-link 169.254.80.37 281
    169.254.80.37 255.255.255.255 On-link 169.254.80.37 281
    169.254.255.255 255.255.255.255 On-link 169.254.80.37 281
    224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
    224.0.0.0 240.0.0.0 On-link 169.254.80.37 281
    255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
    255.255.255.255 255.255.255.255 On-link 169.254.80.37 281
    ===========================================================================
    Persistent Routes:
    None

    IPv6 Route Table
    ===========================================================================
    Active Routes:
    If Metric Network Destination Gateway
    1 306 ::1/128 On-link
    10 281 fe80::/64 On-link
    10 281 fe80::35aa:a53d:acee:5025/128
    On-link
    1 306 ff00::/8 On-link
    10 281 ff00::/8 On-link
    ===========================================================================
    Persistent Routes:
    None
    ========================= Winsock entries =====================================

    Catalog5 01 C:\Windows\System32\mswsock.dll [232448] (Microsoft Corporation)
    Catalog5 02 C:\Windows\system32\napinsp.dll [52224] (Microsoft Corporation)
    Catalog5 03 C:\Windows\system32\pnrpnsp.dll [65024] (Microsoft Corporation)
    Catalog5 04 C:\Windows\system32\pnrpnsp.dll [65024] (Microsoft Corporation)
    Catalog5 05 C:\Windows\System32\mswsock.dll [232448] (Microsoft Corporation)
    Catalog5 06 C:\Windows\System32\winrnr.dll [20992] (Microsoft Corporation)
    Catalog5 07 C:\Program Files\Bonjour\mdnsNSP.dll [121704] (Apple Inc.)
    Catalog9 01 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
    Catalog9 02 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
    Catalog9 03 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
    Catalog9 04 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
    Catalog9 05 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
    Catalog9 06 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
    Catalog9 07 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
    Catalog9 08 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
    Catalog9 09 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
    Catalog9 10 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
    Catalog9 11 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
    Catalog9 12 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
    Catalog9 13 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
    Catalog9 14 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
    Catalog9 15 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
    Catalog9 16 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
    Catalog9 17 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
    Catalog9 18 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
    Catalog9 19 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
    Catalog9 20 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
    Catalog9 21 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
    Catalog9 22 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
    Catalog9 23 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
    Catalog9 24 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
    Catalog9 25 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
    Catalog9 26 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
    Catalog9 27 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
    Catalog9 28 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
    Catalog9 29 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
    Catalog9 30 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
    Catalog9 31 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
    Catalog9 32 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
    Catalog9 33 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
    Catalog9 34 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
    Catalog9 35 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
    Catalog9 36 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
    Catalog9 37 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
    Catalog9 38 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)

    ========================= Event log errors: ===============================

    Application errors:
    ==================
    Error: (11/11/2011 00:11:44 AM) (Source: Bonjour Service) (User: )
    Description: Task Scheduling Error: m->NextScheduledSPRetry 15647

    Error: (11/11/2011 00:11:44 AM) (Source: Bonjour Service) (User: )
    Description: Task Scheduling Error: m->NextScheduledEvent 15647

    Error: (11/11/2011 00:11:44 AM) (Source: Bonjour Service) (User: )
    Description: Task Scheduling Error: Continuously busy for more than a second

    Error: (11/10/2011 04:58:02 PM) (Source: Bonjour Service) (User: )
    Description: Task Scheduling Error: m->NextScheduledSPRetry 2739892

    Error: (11/10/2011 04:58:02 PM) (Source: Bonjour Service) (User: )
    Description: Task Scheduling Error: m->NextScheduledEvent 2739892

    Error: (11/10/2011 04:58:02 PM) (Source: Bonjour Service) (User: )
    Description: Task Scheduling Error: Continuously busy for more than a second

    Error: (11/10/2011 04:57:51 PM) (Source: Bonjour Service) (User: )
    Description: Task Scheduling Error: m->NextScheduledSPRetry 2728380

    Error: (11/10/2011 04:57:51 PM) (Source: Bonjour Service) (User: )
    Description: Task Scheduling Error: m->NextScheduledEvent 2728380

    Error: (11/10/2011 04:57:51 PM) (Source: Bonjour Service) (User: )
    Description: Task Scheduling Error: Continuously busy for more than a second

    Error: (11/10/2011 04:12:38 PM) (Source: Bonjour Service) (User: )
    Description: Task Scheduling Error: m->NextScheduledSPRetry 15600


    System errors:
    =============
    Error: (11/11/2011 02:44:39 PM) (Source: Service Control Manager) (User: )
    Description: The WinHTTP Web Proxy Auto-Discovery Service service depends on the DHCP Client service which failed to start because of the following error:
    %%1075

    Error: (11/11/2011 02:44:39 PM) (Source: Service Control Manager) (User: )
    Description: The DHCP Client service depends the following service: Tdx. This service might not be installed.

    Error: (11/11/2011 02:44:36 PM) (Source: Service Control Manager) (User: )
    Description: The WinHTTP Web Proxy Auto-Discovery Service service depends on the DHCP Client service which failed to start because of the following error:
    %%1075

    Error: (11/11/2011 02:44:36 PM) (Source: Service Control Manager) (User: )
    Description: The DHCP Client service depends the following service: Tdx. This service might not be installed.

    Error: (11/11/2011 02:44:36 PM) (Source: Service Control Manager) (User: )
    Description: The WinHTTP Web Proxy Auto-Discovery Service service depends on the DHCP Client service which failed to start because of the following error:
    %%1075

    Error: (11/11/2011 02:44:36 PM) (Source: Service Control Manager) (User: )
    Description: The DHCP Client service depends the following service: Tdx. This service might not be installed.

    Error: (11/11/2011 02:44:35 PM) (Source: Service Control Manager) (User: )
    Description: The WinHTTP Web Proxy Auto-Discovery Service service depends on the DHCP Client service which failed to start because of the following error:
    %%1075

    Error: (11/11/2011 02:44:35 PM) (Source: Service Control Manager) (User: )
    Description: The DHCP Client service depends the following service: Tdx. This service might not be installed.

    Error: (11/11/2011 02:44:35 PM) (Source: Service Control Manager) (User: )
    Description: The WinHTTP Web Proxy Auto-Discovery Service service depends on the DHCP Client service which failed to start because of the following error:
    %%1075

    Error: (11/11/2011 02:44:35 PM) (Source: Service Control Manager) (User: )
    Description: The DHCP Client service depends the following service: Tdx. This service might not be installed.


    Microsoft Office Sessions:
    =========================

    **** End of log ****
     
  19. Broni

    Broni Malware Annihilator Posts: 47,684   +268

    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2

    64-bit users go HERE
    • Double-click SystemLook.exe to run it.
    • Vista\Win 7 users: Right-click on SystemLook.exe, click Run As Administrator
    • Copy the content of the following box and paste it into the main textfield:
      Code:
      :reg
      HKEY_LOCAL_MACHINE\system\currentcontrolset\services\afd
      HKEY_LOCAL_MACHINE\system\currentcontrolset\services\netbt
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ipsec
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tdx 
      
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt
     
  20. Ryanmon99

    Ryanmon99 TS Rookie Topic Starter Posts: 25

    SystemLook 30.07.11 by jpshortstuff
    Log created at 15:20 on 11/11/2011 by Ryan
    Administrator - Elevation successful

    ========== reg ==========

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\afd]
    "BootFlags"= 0x0000000001 (1)
    "DisplayName"="@%systemroot%\system32\drivers\afd.sys,-1000"
    "Group"="PNP_TDI"
    "ImagePath"="\SystemRoot\system32\drivers\afd.sys"
    "Description"="@%systemroot%\system32\drivers\afd.sys,-1000"
    "ErrorControl"= 0x0000000001 (1)
    "Start"= 0x0000000001 (1)
    "Type"= 0x0000000001 (1)

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\afd\Parameters]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\afd\Enum]


    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\netbt]
    "DisplayName"="@%SystemRoot%\system32\drivers\netbt.sys,-2"
    "Group"="PNP_TDI"
    "ImagePath"="System32\DRIVERS\netbt.sys"
    "Description"="@%SystemRoot%\system32\drivers\netbt.sys,-1"
    "ErrorControl"= 0x0000000001 (1)
    "Start"= 0x0000000001 (1)
    "Type"= 0x0000000001 (1)
    "DependOnService"="Tdx tcpip"

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\netbt\Linkage]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\netbt\Parameters]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\netbt\Security]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\netbt\Enum]


    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ipsec]
    (Unable to open key - key not found)

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tdx]
    (Unable to open key - key not found)

    -= EOF =-
     
  21. Broni

    Broni Malware Annihilator Posts: 47,684   +268

    It looks like you have the "tdx" key missing from the registry as well.
    Do you have another Windows 7 computer you could copy that key from?
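
    The SystemLook output above shows why the box has no Internet even though the adapters are up: `netbt` declares `DependOnService = Tdx tcpip`, the event log shows `Dhcp` depending on `Tdx`, and the `tdx` key itself is gone, so the Service Control Manager cannot start the DHCP client at all. The script below is an added example, not part of the thread or of SystemLook: it walks the dependency chain of a service through the registry and reports every link that is missing, either the key or the file its `ImagePath` points at. It assumes an elevated prompt; the function names are this example's own.

```powershell
# Added example, not part of the thread: walk DependOnService from a root service and
# report which links are missing. Assumes an elevated PowerShell prompt on Windows 7.

function Resolve-ImagePath {
    param([string]$ImagePath)
    # Service ImagePath values come in several shapes: "System32\DRIVERS\tdx.sys",
    # "\SystemRoot\system32\drivers\afd.sys", "\??\C:\...", or an exe followed by arguments.
    $p = [Environment]::ExpandEnvironmentVariables($ImagePath)
    if ($p -match '^"([^"]+)"')                  { $p = $Matches[1] }   # "C:\Program Files\x.exe" -args
    elseif ($p -match '^(\S+?\.(exe|sys))(\s|$)') { $p = $Matches[1] }   # svchost.exe -k NetworkService
    if ($p -match '^\\\?\?\\(.+)$')              { $p = $Matches[1] }   # strip the \??\ prefix
    if ($p -match '^\\SystemRoot\\(.+)$')        { $p = Join-Path $env:SystemRoot $Matches[1] }
    elseif ($p -notmatch '^[A-Za-z]:\\')         { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Test-ServiceDependencyChain {
    param([string]$Root)
    $base  = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    $seen  = @{}
    $queue = New-Object System.Collections.Queue
    $queue.Enqueue(@{ Name = $Root; Parent = '(root)' })

    while ($queue.Count -gt 0) {
        $item = $queue.Dequeue()
        $name = $item.Name
        if ($seen.ContainsKey($name.ToLower())) { continue }
        $seen[$name.ToLower()] = $true

        $key = Join-Path $base $name
        if (-not (Test-Path $key)) {
            # This is the tdx case: the SCM has nothing to load, so the parent cannot start.
            New-Object PSObject -Property @{ Service = $name; RequiredBy = $item.Parent; Status = 'KEY MISSING'; Start = ''; Image = '' }
            continue
        }

        $props  = Get-ItemProperty $key
        $image  = if ($props.ImagePath) { Resolve-ImagePath $props.ImagePath } else { '' }
        $status = if ($image -and -not (Test-Path $image)) { 'FILE MISSING' } else { 'ok' }
        # Start: 0 boot, 1 system, 2 automatic, 3 manual, 4 disabled
        New-Object PSObject -Property @{ Service = $name; RequiredBy = $item.Parent; Status = $status; Start = $props.Start; Image = $image }

        # DependOnService is REG_MULTI_SZ; entries beginning with '+' name a load-order
        # group rather than a service and are skipped here.
        foreach ($dep in @($props.DependOnService)) {
            if ($dep -and $dep -notmatch '^\+') { $queue.Enqueue(@{ Name = $dep; Parent = $name }) }
        }
    }
}

foreach ($root in 'Dhcp', 'NetBT', 'WinHttpAutoProxySvc') {
    "---- $root ----"
    Test-ServiceDependencyChain $root | Format-Table Service, RequiredBy, Status, Start, Image -AutoSize
}
```

    On the machine in this thread the `Dhcp` walk would list `Tdx` as `KEY MISSING`, required by `Dhcp`, while `Afd` and `tcpip` resolve normally. A `FILE MISSING` row is the other failure to look for after a cleanup: the key survived but the quarantined driver did not, and the fix there is to restore the file, not the key.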
     
  22. Ryanmon99

    Ryanmon99 TS Rookie Topic Starter Posts: 25

    I have the install disc but no Windows 7 computer around me at all.
     
  23. Broni

    Broni Malware Annihilator Posts: 47,684   +268

    OK, we can try "tdx" from my Vista, but make sure to create a fresh restore point first.

    Attached is zipped tdx.reg file.
    Unzip it and double click on tdx.reg.
    Allow registry merge.

    Restart computer and check your internet connection.
     

    Attached Files:

    • tdx.zip
      File size: 627 bytes
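
    Re-creating a driver's service key is the right fix here, but it re-arms whatever file the key points at, and ComboFix had flagged `tdx.sys` as infected and "failed to find a valid replacement". The script below is an added example, not Broni's attachment: it verifies the driver against the catalog-signed copy in the component store first (`sfc /verifyfile`, with `sfc /scanfile` as the built-in replacement route ComboFix lacked), takes the restore point Broni asked for, imports the key, and reads back what landed before rebooting. It assumes an elevated prompt on Windows 7 and that `tdx.reg` was exported on a known-good machine of the same Windows version with `reg export HKLM\SYSTEM\CurrentControlSet\Services\tdx tdx.reg`; the expectation that `tdx` is a kernel driver (`Type` 1) with SYSTEM start (`Start` 1) is this example's assumption about the Vista/7 defaults, which is why the script only warns on it.

```powershell
# Added example, not the thread's attachment: restore a missing driver service key
# without re-registering a tampered driver. Assumes an elevated PowerShell prompt on
# Windows 7 and a tdx.reg exported from a known-good machine of the same version.

$svc     = 'tdx'
$regFile = "$env:USERPROFILE\Desktop\tdx.reg"          # location is this example's choice
$driver  = "$env:SystemRoot\System32\drivers\$svc.sys"

function Test-CatalogSigned([string]$Path) {
    # sfc checks the file against the catalog-signed copy in the component store.
    # It writes UTF-16 to the console, so output captured in PowerShell arrives with
    # NUL bytes between characters; strip them before matching.
    $text = (& "$env:SystemRoot\System32\sfc.exe" "/verifyfile=$Path" 2>&1 | Out-String) -replace "`0", ''
    return ($text -match 'did not find any integrity violations')
}

# 1. Never point a service key at a driver you have not verified.
if (-not (Test-CatalogSigned $driver)) {
    Write-Warning "$driver is not the catalog-signed file; asking SFC to replace it from the component store"
    & "$env:SystemRoot\System32\sfc.exe" "/scanfile=$driver" | Out-Null
    if (-not (Test-CatalogSigned $driver)) {
        throw "Refusing to re-register $svc while $driver fails verification. Replace it from install media first."
    }
}

# 2. Restore point before touching the registry.
Checkpoint-Computer -Description "Before restoring $svc service key" -RestorePointType MODIFY_SETTINGS

# 3. Import the exported key.
& "$env:SystemRoot\System32\reg.exe" import $regFile
if ($LASTEXITCODE -ne 0) { throw "reg import failed with exit code $LASTEXITCODE" }

# 4. Read back what landed rather than trusting the export, which may come from a
#    different Windows version (the thread used a Vista export).
$key = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
$p   = Get-ItemProperty $key -ErrorAction Stop
$image = [Environment]::ExpandEnvironmentVariables($p.ImagePath) -replace '^\\SystemRoot\\', "$env:SystemRoot\"
if ($image -notmatch '^[A-Za-z]:\\') { $image = Join-Path $env:SystemRoot $image }
if (-not (Test-Path $image)) { throw "Imported key points at $image, which does not exist" }
if ($image -ne $driver)      { Write-Warning "ImagePath resolves to $image, not $driver" }
if ($p.Type -ne 1)           { Write-Warning "Type is $($p.Type); a kernel driver is expected to be 1" }
if ($p.Start -ne 1)          { Write-Warning "Start is $($p.Start); SYSTEM start (1) was expected for $svc" }  # assumption, see lead-in

# 5. Confirm the Service Control Manager now sees the dependency, then reboot:
#    a kernel driver's key is read at boot, so nothing changes until then.
& "$env:SystemRoot\System32\sc.exe" qc $svc
& "$env:SystemRoot\System32\sc.exe" qc Dhcp | Select-String 'DEPENDENCIES', '^\s+:'
Restart-Computer -Confirm
```

    After the reboot, `ipconfig /all` should show a DHCP-assigned address with a default gateway in place of the 169.254.80.37 autoconfiguration address from the MiniToolBox log, and the "depends the following service: Tdx" errors should stop appearing in the System log.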
  24. Ryanmon99

    Ryanmon99 TS Rookie Topic Starter Posts: 25

    Internet!
    Yes! Thank you
     
  25. Broni

    Broni Malware Annihilator Posts: 47,684   +268

    Working?

    If so....

    Download OTL to your Desktop.

    • Double click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.
    • Click the Scan All Users checkbox.
    • Under the Custom Scan box paste this in:


    netsvcs
    drivers32
    %SYSTEMDRIVE%\*.*
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\Fonts\*.ini
    %systemroot%\Fonts\*.ini2
    %systemroot%\Fonts\*.exe
    %systemroot%\system32\spool\prtprocs\w32x86\*.*
    %systemroot%\REPAIR\*.bak1
    %systemroot%\REPAIR\*.ini
    %systemroot%\system32\*.jpg
    %systemroot%\*.jpg
    %systemroot%\*.png
    %systemroot%\*.scr
    %systemroot%\*._sy
    %APPDATA%\Adobe\Update\*.*
    %ALLUSERSPROFILE%\Favorites\*.*
    %APPDATA%\Microsoft\*.*
    %PROGRAMFILES%\*.*
    %APPDATA%\Update\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\System32\config\*.sav
    %PROGRAMFILES%\bak. /s
    %systemroot%\system32\bak. /s
    %ALLUSERSPROFILE%\Start Menu\*.lnk /x
    %systemroot%\system32\config\systemprofile\*.dat /x
    %systemroot%\*.config
    %systemroot%\system32\*.db
    %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
    %USERPROFILE%\Desktop\*.exe
    %PROGRAMFILES%\Common Files\*.*
    %systemroot%\*.src
    %systemroot%\install\*.*
    %systemroot%\system32\DLL\*.*
    %systemroot%\system32\HelpFiles\*.*
    %systemroot%\system32\rundll\*.*
    %systemroot%\winn32\*.*
    %systemroot%\Java\*.*
    %systemroot%\system32\test\*.*
    %systemroot%\system32\Rundll32\*.*
    %systemroot%\AppPatch\Custom\*.*
    %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x
    %PROGRAMFILES%\PC-Doctor\Downloads\*.*
    %PROGRAMFILES%\Internet Explorer\*.tmp
    %PROGRAMFILES%\Internet Explorer\*.dat
    %USERPROFILE%\My Documents\*.exe
    %USERPROFILE%\*.exe
    %systemroot%\ADDINS\*.*
    %systemroot%\assembly\*.bak2
    %systemroot%\Config\*.*
    %systemroot%\REPAIR\*.bak2
    %systemroot%\SECURITY\Database\*.sdb /x
    %systemroot%\SYSTEM\*.bak2
    %systemroot%\Web\*.bak2
    %systemroot%\Driver Cache\*.*
    %PROGRAMFILES%\Mozilla Firefox\0*.exe
    %ProgramFiles%\Microsoft Common\*.*
    %ProgramFiles%\TinyProxy.
    %USERPROFILE%\Favorites\*.url /x
    %systemroot%\system32\*.bk
    %systemroot%\*.te
    %systemroot%\system32\system32\*.*
    %ALLUSERSPROFILE%\*.dat /x
    %systemroot%\system32\drivers\*.rmv
    dir /b "%systemroot%\system32\*.exe" | find /i " " /c
    dir /b "%systemroot%\*.exe" | find /i " " /c
    %PROGRAMFILES%\Microsoft\*.*
    %systemroot%\System32\Wbem\proquota.exe
    %PROGRAMFILES%\Mozilla Firefox\*.dat
    %USERPROFILE%\Cookies\*.txt /x
    %SystemRoot%\system32\fonts\*.*
    %systemroot%\system32\winlog\*.*
    %systemroot%\system32\Language\*.*
    %systemroot%\system32\Settings\*.*
    %systemroot%\system32\*.quo
    %SYSTEMROOT%\AppPatch\*.exe
    %SYSTEMROOT%\inf\*.exe
    %SYSTEMROOT%\Installer\*.exe
    %systemroot%\system32\config\*.bak2
    %systemroot%\system32\Computers\*.*
    %SystemRoot%\system32\Sound\*.*
    %SystemRoot%\system32\SpecialImg\*.*
    %SystemRoot%\system32\code\*.*
    %SystemRoot%\system32\draft\*.*
    %SystemRoot%\system32\MSSSys\*.*
    %ProgramFiles%\Javascript\*.*
    %systemroot%\pchealth\helpctr\System\*.exe /s
    %systemroot%\Web\*.exe
    %systemroot%\system32\msn\*.*
    %systemroot%\system32\*.tro
    %AppData%\Microsoft\Installer\msupdates\*.*
    %ProgramFiles%\Messenger\*.*
    %systemroot%\system32\systhem32\*.*
    %systemroot%\system\*.exe
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
    /md5start
    /md5stop


    • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
     

