Google search results being redirected in Firefox


  • This topic is locked
11 replies to this topic

#1 dewce


Posted 21 February 2010 - 06:09 PM

It appears to be a common problem, but it looks like there are multiple ways to attack it. Here is my HijackThis log file, in hopes that someone can tell me what method to use to fix this virus/malware.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:03:14 PM, on 2/21/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16981)
Boot mode: Normal

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\windows\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\windows\system32\LEXBCES.EXE
C:\windows\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
C:\windows\system32\CSHelper.exe
C:\windows\system32\svchost.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\Program Files\MagicTune Premium\MagicTuneEngine.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\windows\System32\svchost.exe
C:\windows\system32\nvsvc32.exe
C:\windows\System32\svchost.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
C:\windows\system32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
C:\windows\system32\WebUpdateSvc4.exe
C:\windows\Explorer.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\windows\Samsung\PanelMgr\ssmmgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe
C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe
C:\windows\system32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
C:\windows\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Documents and Settings\Compaq_Owner\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\windows\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/a/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
O1 - Hosts: ::1 localhost
O1 - Hosts: 91.212.127.227 winsecurepro2009.microsoft.com
O1 - Hosts: 91.212.127.227 winsecurepro2009.com
O1 - Hosts: 91.212.127.227 www.winsecurepro2009.com
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Videoraptor_WebRipPlugin Class - {3C0372C2-04C3-4100-BAB1-1D42C552BC48} - C:\Program Files\RapidSolution\AudialsOne\VideoRaptor\plugins\IE\VR_WebRipIePlugin.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Tunebite_WebRipPlugin Class - {AA102584-3B97-47e7-B9BC-75D54C110A7D} - C:\Program Files\RapidSolution\AudialsOne\Tunebite\plugins\IE\TB_WebRipIePlugin.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Samsung PanelMgr] C:\windows\Samsung\PanelMgr\ssmmgr.exe /autorun
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [DiscWizardMonitor.exe] C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe
O4 - HKLM\..\Run: [Seagate Scheduler2 Service] "C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Peer Impact] "C:\Program Files\Peer Impact\peerimpact.exe" /drmpurge
O4 - HKLM\..\Run: [YeppStudioAgent] C:\Program Files\Samsung\Samsung Media Studio\SamsungMediaStudioAgent.exe
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [McAfee Backup] "C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SansaDispatch] C:\Documents and Settings\Compaq_Owner\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Convert for CLIÉ - C:\Program Files\Sony\Image Converter\menu.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://mail.gdls.com/whalecome6626a0c97b58...m0/iNotes6W.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1122325263444
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1163072932656
O16 - DPF: {75A6AEA3-F26E-4608-AE9B-8DA78C87576E} (Wizard101GameLauncher) - https://kingsisle.hs.llnwd.net/e1/static/th...ameLauncher.CAB
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.e-centives.com/cif/download/bin/actxcab.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} (InetDownload Class) - https://media.pineconeresearch.com/ActiveX/...loadcontrol.cab
O16 - DPF: {D4F3F795-7712-4D92-91DF-AEB055D8AC73} (Invoke Solutions Compatibility Test Control) - http://rms2.invokesolutions.com/events/bin...iveCompTest.ocx
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
O16 - DPF: {D8AA889B-2C65-47C3-8C16-3DCD4EF76A47} (Invoke Solutions Participant Control(MR)) - http://rms2.invokesolutions.com/events/bin...1450/MILive.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 93.188.162.113,93.188.166.97
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
O23 - Service: CopySafe Helper Service (CSHelper) - Unknown owner - C:\windows\system32\CSHelper.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\windows\system32\LEXBCES.EXE
O23 - Service: MagicTuneEngine - Unknown owner - C:\Program Files\MagicTune Premium\MagicTuneEngine.exe
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\windows\system32\nvsvc32.exe
O23 - Service: Seagate Scheduler2 Service (SgtSch2Svc) - Seagate - C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe
O23 - Service: Web Update Wizard Service V4 (WebUpdate4) - Data Perceptions / PowerProgrammer - C:\windows\system32\WebUpdateSvc4.exe

--
End of file - 14753 bytes

Sorry, here are the DDS logs.


DDS (Ver_09-12-01.01) - NTFSx86
Run by Compaq_Owner at 18:11:41.65 on Sun 02/21/2010
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_03
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1247 [GMT -5:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
AV: Kaspersky Anti-Virus *On-access scanning disabled* (Outdated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\windows\system32\svchost -k DcomLaunch
svchost.exe
C:\windows\System32\svchost.exe -k netsvcs
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\windows\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\windows\system32\LEXBCES.EXE
C:\windows\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
svchost.exe
C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
C:\windows\system32\CSHelper.exe
C:\windows\system32\svchost.exe -k hpdevmgmt
C:\windows\system32\svchost.exe -k HPService
C:\windows\System32\svchost.exe -k HTTPFilter
C:\Program Files\MagicTune Premium\MagicTuneEngine.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\windows\System32\svchost.exe -k HPZ12
C:\windows\system32\nvsvc32.exe
C:\windows\System32\svchost.exe -k HPZ12
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
C:\windows\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\UAService7.exe
C:\windows\system32\WebUpdateSvc4.exe
C:\windows\Explorer.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\windows\Samsung\PanelMgr\ssmmgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe
C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe
C:\windows\system32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
C:\windows\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Documents and Settings\Compaq_Owner\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\windows\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\windows\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Compaq_Owner\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.comcast.net/a/
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=presario&pf=desktop
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=presario&pf=desktop
mDefault_Page_URL = hxxp://www.yahoo.com
mStart Page = hxxp://www.yahoo.com
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=presario&pf=desktop
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=presario&pf=desktop
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Videoraptor_WebRipPlugin Class: {3c0372c2-04c3-4100-bab1-1d42c552bc48} - c:\program files\rapidsolution\audialsone\videoraptor\plugins\ie\VR_WebRipIePlugin.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Tunebite_WebRipPlugin Class: {aa102584-3b97-47e7-b9bc-75d54c110a7d} - c:\program files\rapidsolution\audialsone\tunebite\plugins\ie\TB_WebRipIePlugin.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MsnMsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [SansaDispatch] c:\documents and settings\compaq_owner\application data\sandisk\sansa updater\SansaDispatch.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Samsung PanelMgr] c:\windows\samsung\panelmgr\ssmmgr.exe /autorun
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [TrueImageMonitor.exe] c:\program files\acronis\trueimage\TrueImageMonitor.exe
mRun: [AcronisTimounterMonitor] c:\program files\seagate\discwizard\TimounterMonitor.exe
mRun: [Acronis Scheduler2 Service] "c:\program files\common files\acronis\schedule2\schedhlp.exe"
mRun: [DiscWizardMonitor.exe] c:\program files\seagate\discwizard\DiscWizardMonitor.exe
mRun: [Seagate Scheduler2 Service] "c:\program files\common files\seagate\schedule2\schedhlp.exe"
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [Peer Impact] "c:\program files\peer impact\peerimpact.exe" /drmpurge
mRun: [YeppStudioAgent] c:\program files\samsung\samsung media studio\SamsungMediaStudioAgent.exe
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [McAfee Backup] "c:\program files\mcafee\mbk\McAfeeDataBackup.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
uPolicies-system: EnableProfileQuota = 1 (0x1)
mPolicies-system: EnableLUA = 0 (0x0)
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: Convert for CLIÉ - c:\program files\sony\image converter\menu.htm
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office10\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\canon\easy-webprint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\canon\easy-webprint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\canon\easy-webprint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\canon\easy-webprint\Resource.dll/RC_Print.html
IE: Send to &Bluetooth Device... - c:\program files\belkin\bluetooth software\btsendto_ie_ctx.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\belkin\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/d/c/8/dc8362b3-f410-4e7d-b672-209d6bd8fcea/OGAControl.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} - hxxps://mail.gdls.com/whalecome6626a0c97b58b6e5e39960571087a5e40/whalecom0/iNotes6W.cab
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc2.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1122325263444
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1163072932656
DPF: {75A6AEA3-F26E-4608-AE9B-8DA78C87576E} - hxxps://kingsisle.hs.llnwd.net/e1/static/themes/wizard101A/activex/Wizard101GameLauncher.CAB
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} - hxxp://offers.e-centives.com/cif/download/bin/actxcab.cab
DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - hxxp://www.crucial.com/controls/cpcScanner.cab
DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} - hxxps://media.pineconeresearch.com/ActiveX/downloadcontrol.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {D4F3F795-7712-4D92-91DF-AEB055D8AC73} - hxxp://rms2.invokesolutions.com/events/bin/comptest/4.1.0.34000/MILiveCompTest.ocx
DPF: {D821DC4A-0814-435E-9820-661C543A4679} - hxxp://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
DPF: {D8AA889B-2C65-47C3-8C16-3DCD4EF76A47} - hxxp://rms2.invokesolutions.com/events/bin/6.2.0.1450/MILive.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Authentication Packages = msv1_0 relog_ap
mASetup: {9C450606-ED24-4958-92BA-B8940C99D441} - c:\program files\pixiepack codec pack\InstallerHelper.exe
Hosts: 91.212.127.227 winsecurepro2009.microsoft.com
Hosts: 91.212.127.227 winsecurepro2009.com
Hosts: 91.212.127.227 www.winsecurepro2009.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\compaq~1\applic~1\mozilla\firefox\profiles\rc1pqmn8.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://start.mozilla.org/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: network.proxy.type - 2
FF - component: c:\program files\rapidsolution\audialsone\tunebite\plugins\geckobased\tunebite-firefox-surf-and-catch-extension@audials.com\components\TB_WebRipFFPlugin.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPcol400.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npExecuteQtrax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npMozCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npyaxmpb.dll
FF - plugin: c:\program files\rapidsolution\audialsone\tunebite\plugins\geckobased\tunebite-firefox-surf-and-catch-extension@audials.com\plugins\np_TB_OgloPlugin.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 hotcore3;Hotcore helper;c:\windows\system32\drivers\hotcore3.sys [2009-4-8 40496]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-11-4 214664]
R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-9-10 611664]
R2 CSHelper;CopySafe Helper Service;c:\windows\system32\CSHelper.exe [2009-2-18 266240]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2010-1-2 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2010-1-2 144704]
R2 SgtSch2Svc;Seagate Scheduler2 Service;c:\program files\common files\seagate\schedule2\schedul2.exe [2008-6-24 431384]
R2 WebUpdate4;Web Update Wizard Service V4;c:\windows\system32\WebUpdateSvc4.exe [2007-6-25 229592]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2010-1-2 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-1-2 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-1-2 35272]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2010-1-2 40552]
R3 NETGEARUHOST;NETGEAR Network USB Host Controller;c:\windows\system32\drivers\NETGEARUHOST.sys [2007-4-2 10752]
R3 NETGEARUHUB;NETGEAR Network USB Root Hub;c:\windows\system32\drivers\NETGEARUHUB.sys [2007-4-2 37120]
R3 WsAudio_DeviceS(1);WsAudio_DeviceS(1);c:\windows\system32\drivers\WsAudio_DeviceS(1).sys [2009-5-14 16640]
S2 SSPORT;SSPORT;\??\c:\windows\system32\drivers\ssport.sys --> c:\windows\system32\drivers\SSPORT.sys [?]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2010-1-2 34248]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2008-7-11 18176]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2008-7-11 7680]
S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [2008-7-11 23680]

=============== Created Last 30 ================

2010-02-21 22:35:39 0 d-----w- c:\program files\Trend Micro
2010-02-05 01:55:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-05 01:55:33 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-05 01:55:32 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-04 02:26:56 696832 ----a-w- c:\windows\is-0OVFU.exe
2010-02-04 02:26:56 350 ----a-w- c:\windows\is-0OVFU.lst
2010-02-04 02:26:56 10498 ----a-w- c:\windows\is-0OVFU.msg
2010-01-23 03:04:52 0 d-----w- c:\program files\HRBlock2009

==================== Find3M ====================

2009-12-31 16:50:03 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-31 16:50:03 353792 ----a-w- c:\windows\system32\dllcache\srv.sys
2009-12-31 15:33:06 70656 ----a-w- c:\windows\system32\dllcache\ie4uinit.exe
2009-12-31 15:33:06 13824 ------w- c:\windows\system32\dllcache\ieudinit.exe
2009-12-19 13:40:19 39 ----a-w- c:\documents and settings\compaq_owner\jagex_runescape_preferences.dat
2009-12-19 13:29:55 69 ----a-w- c:\documents and settings\compaq_owner\jagex_runescape_preferences2.dat
2009-12-18 13:05:43 634648 ----a-w- c:\windows\system32\dllcache\iexplore.exe
2009-12-18 13:04:09 161792 ----a-w- c:\windows\system32\dllcache\ieakui.dll
2009-12-16 18:43:27 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-16 18:43:27 343040 ----a-w- c:\windows\system32\dllcache\mspaint.exe
2009-12-14 07:08:23 33280 ----a-w- c:\windows\system32\dllcache\csrsrv.dll
2009-12-14 07:08:23 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-09 04:56:18 45056 ----a-w- c:\windows\system32\WNASPI32.DLL
2009-12-08 09:23:28 474112 ----a-w- c:\windows\system32\dllcache\shlwapi.dll
2009-12-04 18:22:22 455424 ----a-w- c:\windows\system32\dllcache\mrxsmb.sys
2009-11-27 17:11:44 17920 ----a-w- c:\windows\system32\msyuv.dll
2009-11-27 17:11:44 17920 ----a-w- c:\windows\system32\dllcache\msyuv.dll
2009-11-27 17:11:44 1291776 ----a-w- c:\windows\system32\quartz.dll
2009-11-27 17:11:44 1291776 ----a-w- c:\windows\system32\dllcache\quartz.dll
2009-11-27 16:07:35 8704 ----a-w- c:\windows\system32\tsbyuv.dll
2009-11-27 16:07:35 8704 ----a-w- c:\windows\system32\dllcache\tsbyuv.dll
2009-11-27 16:07:35 28672 ----a-w- c:\windows\system32\msvidc32.dll
2009-11-27 16:07:35 28672 ----a-w- c:\windows\system32\dllcache\msvidc32.dll
2009-11-27 16:07:34 84992 ----a-w- c:\windows\system32\dllcache\avifil32.dll
2009-11-27 16:07:34 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-11-27 16:07:34 48128 ----a-w- c:\windows\system32\iyuv_32.dll
2009-11-27 16:07:34 48128 ----a-w- c:\windows\system32\dllcache\iyuv_32.dll
2009-11-27 16:07:34 11264 ----a-w- c:\windows\system32\msrle32.dll
2009-11-27 16:07:34 11264 ----a-w- c:\windows\system32\dllcache\msrle32.dll
2009-03-22 00:38:06 96 ----a-w- c:\program files\piconfig.lx
2007-06-17 01:27:28 12257 ----a-w- c:\program files\setuplog.txt
2007-06-17 01:27:27 11380 ----a-w- c:\program files\uninstal.log
2005-02-03 03:37:16 0 --sha-w- c:\windows\sminst\HPCD.sys
2008-10-09 00:51:25 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008100820081009\index.dat

============= FINISH: 18:12:33.18 ===============

Also, I can't give a GMER log, as it crashes my system when I run it.

Merged 3 posts. ~ OB

Edited by Orange Blossom, 21 February 2010 - 09:40 PM.

#2 syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 23 February 2010 - 03:41 PM

Hi dewce,

My name is Syler and I will be helping you to solve your malware issues.

We need to create an OTL Report
  1. Please download OTL from one of the following mirrors:
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Click the "Scan All Users" checkbox.
    Under the Custom Scans/Fixes box at the bottom, paste in the following bold text.
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %SYSTEMDRIVE%\*.exe
    netsvcs
    msconfig
    /md5start
    proquota.exe
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    /md5stop
    CREATERESTOREPOINT

  5. Push the button.
  6. Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized


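The `/md5start ... /md5stop` block in the custom scan above asks OTL to report the MD5 of a fixed list of Windows system files (the ones a boot-time infection most often patches in place: `atapi.sys`, the storage-controller drivers, `eventlog.dll`, and so on). The script below is an added example, written for this page and not part of the thread or of OTL, that performs the same step on its own so the hashes can be compared against a reference copy. It assumes Python is installed on the machine being examined and that the `%SystemRoot%\system32` tree (which on XP includes `drivers` and the Windows File Protection cache `dllcache`) is the right place to look; both are assumptions, not something the post states. A caveat a practitioner should keep in mind: a kernel-mode rootkit that filters disk reads can hand clean bytes to a user-mode hashing tool, so an unchanged hash is evidence, not proof, which is why the helpers also ask for an OTL or GMER run rather than relying on one check.

```python
"""Recompute MD5 hashes for the system files OTL's /md5start list names.

Added example for this page; not part of the original thread and not OTL code.
It mirrors the /md5start ... /md5stop step: locate every copy of each named
file under the system directory, report size and MD5, and flag names whose
copies (e.g. the live driver vs. the dllcache copy) do not agree.
"""
import hashlib
import os

# File names copied from the custom-scan list in the post above.
OTL_MD5_LIST = [
    "proquota.exe", "eventlog.dll", "scecli.dll", "netlogon.dll",
    "cngaudit.dll", "sceclt.dll", "ntelogon.dll", "logevent.dll",
    "iaStor.sys", "nvstor.sys", "atapi.sys", "IdeChnDr.sys", "viasraid.sys",
    "AGP440.sys", "vaxscsi.sys", "nvatabus.sys", "viamraid.sys", "nvata.sys",
    "nvgts.sys", "iastorv.sys", "ViPrt.sys",
]


def md5_of_file(path, chunk=1 << 16):
    """Hex MD5 of a file, read in chunks so large drivers do not load into memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def find_copies(name, search_dirs):
    """Every path under search_dirs whose basename matches name (case-insensitive)."""
    hits = []
    for d in search_dirs:
        if not os.path.isdir(d):
            continue
        for root, _dirs, files in os.walk(d):
            for f in files:
                if f.lower() == name.lower():
                    hits.append(os.path.join(root, f))
    return hits


def hash_report(names, search_dirs):
    """Map each name to a list of (path, size, md5). A name with no copy maps to []."""
    report = {}
    for name in names:
        report[name] = [
            (p, os.path.getsize(p), md5_of_file(p))
            for p in find_copies(name, search_dirs)
        ]
    return report


def mismatches(report):
    """Names whose copies carry different hashes (live file vs. reference copy)."""
    out = []
    for name, entries in report.items():
        if len({md5 for _p, _s, md5 in entries}) > 1:
            out.append(name)
    return sorted(out)


def default_search_dirs():
    # Assumption: the XP layout from the log, where system32 also holds
    # the drivers and dllcache subdirectories.
    root = os.environ.get("SystemRoot", r"C:\WINDOWS")
    return [os.path.join(root, "system32")]


if __name__ == "__main__":
    rep = hash_report(OTL_MD5_LIST, default_search_dirs())
    for name, entries in rep.items():
        if not entries:
            print(f"{name}: not present")
        for path, size, md5 in entries:
            print(f"{name}: {path} {size} {md5}")
    for name in mismatches(rep):
        print(f"WARNING: copies of {name} differ; compare against a known-good source")
```

Run it from an elevated prompt on the affected machine and paste the output alongside the OTL report. A name that prints "not present" is normal for a driver the hardware does not use (the list covers several storage-controller vendors); a name in the WARNING list deserves attention, but so does an unchanged hash if a rootkit scanner still crashes, as the topic starter reports with GMER.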
#3 dewce

  • Topic Starter
  • Members
  • 10 posts

Posted 23 February 2010 - 06:35 PM

Thanks, syler. Here are the two reports you asked for:

OTL logfile created on: 2/23/2010 5:50:16 PM - Run 1
OTL by OldTimer - Version 3.1.30.1 Folder = C:\Documents and Settings\Compaq_Owner\My Documents\Downloads
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 51.00% Memory free
6.00 Gb Paging File | 5.00 Gb Available in Paging File | 85.00% Paging File free
Paging file location(s): C:\pagefile.sys 0 0D:\pagefile.sys 0 0 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\windows | %ProgramFiles% = C:\Program Files
Drive C: | 186.31 Gb Total Space | 80.96 Gb Free Space | 43.45% Space Free | Partition Type: NTFS
Drive D: | 95.42 Gb Total Space | 22.29 Gb Free Space | 23.36% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
Drive H: | 465.76 Gb Total Space | 285.01 Gb Free Space | 61.19% Space Free | Partition Type: NTFS
I: Drive not present or media not loaded

Computer Name: BLACKY
Current User Name: Compaq_Owner
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/02/23 17:49:26 | 000,549,376 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Compaq_Owner\My Documents\Downloads\OTL.exe
PRC - [2010/02/21 14:29:55 | 000,910,296 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2009/12/25 12:08:56 | 000,079,872 | ---- | M] (SanDisk Corporation) -- C:\Documents and Settings\Compaq_Owner\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe
PRC - [2009/12/18 08:05:43 | 000,634,648 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\iexplore.exe
PRC - [2009/11/12 16:33:10 | 000,141,600 | ---- | M] (Apple Inc.) -- C:\Program Files\iTunes\iTunesHelper.exe
PRC - [2009/11/12 16:33:00 | 000,545,568 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe
PRC - [2009/11/04 16:53:34 | 000,144,704 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\Mcshield.exe
PRC - [2009/11/04 15:59:50 | 000,606,736 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\mcsysmon.exe
PRC - [2009/10/29 06:54:44 | 001,218,008 | ---- | M] (McAfee, Inc.) -- c:\Program Files\McAfee.com\Agent\mcagent.exe
PRC - [2009/10/29 06:54:44 | 000,865,832 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MSC\mcmscsvc.exe
PRC - [2009/10/27 11:19:46 | 000,895,696 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MPF\MpfSrv.exe
PRC - [2009/08/24 17:23:54 | 008,318,056 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Thunderbird\thunderbird.exe
PRC - [2009/07/08 20:22:24 | 005,134,864 | ---- | M] (McAfee) -- C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
PRC - [2009/07/08 11:54:34 | 000,359,952 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe
PRC - [2009/07/07 19:10:02 | 002,482,848 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
PRC - [2009/06/05 10:48:14 | 000,144,712 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
PRC - [2009/05/19 11:36:18 | 000,240,512 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
PRC - [2009/02/18 10:54:26 | 000,266,240 | ---- | M] () -- C:\WINDOWS\system32\CSHelper.exe
PRC - [2009/02/06 17:21:00 | 000,224,632 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Live\Toolbar\wltuser.exe
PRC - [2008/12/18 10:47:08 | 009,158,656 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
PRC - [2008/12/12 10:17:38 | 000,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe
PRC - [2008/09/10 13:01:28 | 000,611,664 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
PRC - [2008/06/24 20:06:22 | 000,904,768 | ---- | M] (Acronis) -- C:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe
PRC - [2008/06/24 19:56:52 | 000,136,472 | ---- | M] (Seagate) -- C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe
PRC - [2008/06/24 19:56:38 | 000,431,384 | ---- | M] (Seagate) -- C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
PRC - [2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/12/05 01:41:00 | 000,155,716 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\nvsvc32.exe
PRC - [2007/10/22 23:11:58 | 000,524,288 | ---- | M] () -- C:\WINDOWS\Samsung\PanelMgr\SSMMgr.exe
PRC - [2007/06/25 11:19:10 | 000,229,592 | ---- | M] (Data Perceptions / PowerProgrammer) -- C:\WINDOWS\system32\WebUpdateSvc4.exe
PRC - [2007/03/16 19:22:00 | 000,045,056 | ---- | M] () -- C:\Program Files\MagicTune Premium\MagicTuneEngine.exe
PRC - [2007/03/02 13:03:36 | 000,149,024 | ---- | M] (Acronis) -- C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
PRC - [2007/03/02 13:03:28 | 000,407,072 | ---- | M] (Acronis) -- C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
PRC - [2007/03/02 12:58:34 | 001,165,288 | ---- | M] (Acronis) -- C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
PRC - [2007/01/02 21:40:10 | 000,210,520 | ---- | M] (Hewlett-Packard Co.) -- C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
PRC - [2006/12/10 21:52:38 | 000,049,152 | ---- | M] (Hewlett-Packard Co.) -- C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
PRC - [2006/10/18 20:05:26 | 000,204,288 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\wmpnscfg.exe
PRC - [2006/09/28 18:56:38 | 000,146,432 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\WudfHost.exe
PRC - [2006/06/07 15:57:46 | 000,266,295 | ---- | M] (Broadcom Corporation.) -- C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
PRC - [2006/01/05 19:10:33 | 000,126,976 | ---- | M] () -- C:\WINDOWS\system32\UAService7.exe
PRC - [2005/01/03 11:40:42 | 000,854,528 | ---- | M] (Nero AG) -- C:\Program Files\Ahead\InCD\InCDsrv.exe
PRC - [2004/01/12 06:12:00 | 000,303,104 | ---- | M] (Lexmark International, Inc.) -- C:\WINDOWS\system32\lexbces.exE


========== Modules (SafeList) ==========

MOD - [2010/02/23 17:49:26 | 000,549,376 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Compaq_Owner\My Documents\Downloads\OTL.exe


========== Win32 Services (SafeList) ==========

SRV - [2009/11/12 16:33:00 | 000,545,568 | ---- | M] (Apple Inc.) [On_Demand | Running] -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service)
SRV - [2009/11/04 16:53:34 | 000,144,704 | ---- | M] (McAfee, Inc.) [Unknown | Running] -- C:\Program Files\McAfee\VirusScan\Mcshield.exe -- (McShield)
SRV - [2009/11/04 15:59:50 | 000,606,736 | ---- | M] (McAfee, Inc.) [On_Demand | Running] -- C:\Program Files\McAfee\VirusScan\mcsysmon.exe -- (McSysmon)
SRV - [2009/10/29 06:54:44 | 000,865,832 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\MSC\mcmscsvc.exe -- (mcmscsvc)
SRV - [2009/10/28 11:50:32 | 000,365,072 | ---- | M] (McAfee, Inc.) [On_Demand | Stopped] -- C:\Program Files\McAfee\VirusScan\mcods.exe -- (McODS)
SRV - [2009/10/27 11:19:46 | 000,895,696 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\MPF\MPFSrv.exe -- (MpfService)
SRV - [2009/07/08 20:22:22 | 000,068,112 | ---- | M] (McAfee) [On_Demand | Stopped] -- C:\Program Files\McAfee\MBK\MBackMonitor.exe -- (MBackMonitor)
SRV - [2009/07/08 11:54:34 | 000,359,952 | ---- | M] (McAfee, Inc.) [Auto | Running] -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe -- (McProxy)
SRV - [2009/07/07 19:10:02 | 002,482,848 | ---- | M] (McAfee, Inc.) [Auto | Running] -- c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe -- (McNASvc)
SRV - [2009/06/05 10:48:14 | 000,144,712 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2009/05/19 11:36:18 | 000,240,512 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe -- (SeaPort)
SRV - [2009/02/18 10:54:26 | 000,266,240 | ---- | M] () [Auto | Running] -- C:\WINDOWS\system32\CSHelper.exe -- (CSHelper)
SRV - [2008/12/18 10:47:08 | 009,158,656 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe -- (MSSQL$MICROSOFTSMLBIZ)
SRV - [2008/12/12 10:17:38 | 000,238,888 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service)
SRV - [2008/09/10 13:01:28 | 000,611,664 | ---- | M] (Lavasoft) [Auto | Running] -- C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe -- (aawservice)
SRV - [2008/06/24 19:56:38 | 000,431,384 | ---- | M] (Seagate) [Auto | Running] -- C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe -- (SgtSch2Svc)
SRV - [2007/12/05 01:41:00 | 000,155,716 | ---- | M] (NVIDIA Corporation) [Auto | Running] -- C:\WINDOWS\system32\nvsvc32.exe -- (NVSvc)
SRV - [2007/06/25 11:19:10 | 000,229,592 | ---- | M] (Data Perceptions / PowerProgrammer) [Auto | Running] -- C:\WINDOWS\system32\WebUpdateSvc4.exe -- (WebUpdate4)
SRV - [2007/05/16 22:13:08 | 000,602,112 | ---- | M] (Hewlett-Packard Co.) [Auto | Running] -- C:\Program Files\HP\Digital Imaging\bin\HPSLPSVC32.DLL -- (HPSLPSVC)
SRV - [2007/03/16 19:22:00 | 000,045,056 | ---- | M] () [Auto | Running] -- C:\Program Files\MagicTune Premium\MagicTuneEngine.exe -- (MagicTuneEngine)
SRV - [2007/03/02 13:03:28 | 000,407,072 | ---- | M] (Acronis) [Auto | Running] -- C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe -- (AcrSch2Svc)
SRV - [2007/01/02 22:46:54 | 000,225,280 | ---- | M] (Hewlett-Packard Co.) [On_Demand | Running] -- C:\Program Files\HP\Digital Imaging\bin\hpqcxs08.dll -- (hpqcxs08)
SRV - [2006/12/10 23:29:24 | 000,131,072 | ---- | M] (Hewlett-Packard Co.) [Auto | Running] -- C:\Program Files\HP\Digital Imaging\bin\hpqddsvc.dll -- (hpqddsvc)
SRV - [2006/11/08 16:35:38 | 000,053,248 | ---- | M] (Hewlett-Packard) [Auto | Running] -- C:\WINDOWS\system32\HPZipm12.dll -- (Pml Driver HPZ12)
SRV - [2006/11/08 16:35:36 | 000,043,520 | ---- | M] (Hewlett-Packard) [Auto | Running] -- C:\WINDOWS\system32\HPZinw12.dll -- (Net Driver HPZ12)
SRV - [2006/06/07 15:57:46 | 000,266,295 | ---- | M] (Broadcom Corporation.) [Auto | Running] -- C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe -- (btwdins)
SRV - [2006/01/05 19:10:33 | 000,126,976 | ---- | M] () [Auto | Running] -- C:\WINDOWS\system32\UAService7.exe -- (UserAccess7) SecuROM User Access Service (V7)
SRV - [2005/05/03 21:42:56 | 000,323,584 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlagent.EXE -- (SQLAgent$MICROSOFTSMLBIZ)
SRV - [2005/04/03 23:41:10 | 000,069,632 | ---- | M] (Macrovision Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe -- (IDriverT)
SRV - [2005/01/03 11:40:42 | 000,854,528 | ---- | M] (Nero AG) [Auto | Running] -- C:\Program Files\Ahead\InCD\InCDsrv.exe -- (InCDsrv)
SRV - [2004/01/12 06:12:00 | 000,303,104 | ---- | M] (Lexmark International, Inc.) [Auto | Running] -- C:\WINDOWS\system32\lexbces.exE -- (LexBceS)
SRV - [2003/07/28 12:28:22 | 000,089,136 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose)


========== Driver Services (SafeList) ==========

DRV - [2009/12/08 23:56:18 | 000,016,512 | ---- | M] (Adaptec) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\Aspi32.sys -- (ASPI32)
DRV - [2009/11/04 16:54:12 | 000,214,664 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\mfehidk.sys -- (mfehidk)
DRV - [2009/11/04 16:54:12 | 000,079,816 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfeavfk.sys -- (mfeavfk)
DRV - [2009/11/04 16:54:12 | 000,040,552 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfesmfk.sys -- (mfesmfk)
DRV - [2009/11/04 16:54:12 | 000,035,272 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfebopk.sys -- (mfebopk)
DRV - [2009/11/04 16:53:40 | 000,034,248 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mferkdk.sys -- (mferkdk)
DRV - [2009/07/16 12:32:26 | 000,120,136 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\Mpfp.sys -- (MPFP)
DRV - [2009/07/08 12:02:48 | 000,037,664 | ---- | M] (RapidSolution Software AG) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\tbhsd.sys -- (tbhsd)
DRV - [2009/05/18 14:17:00 | 000,026,600 | ---- | M] (GEAR Software Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\GEARAspiWDM.sys -- (GEARAspiWDM)
DRV - [2009/04/23 16:24:26 | 000,016,640 | ---- | M] (Wondershare) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\WsAudio_DeviceS(1).sys -- (WsAudio_DeviceS(1)) WsAudio_DeviceS(1)
DRV - [2009/02/02 22:34:45 | 000,441,760 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\windows\system32\DRIVERS\timntr.sys -- (timounter)
DRV - [2009/02/02 22:34:45 | 000,044,384 | ---- | M] (Acronis) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\tifsfilt.sys -- (tifsfilter)
DRV - [2009/02/02 22:34:35 | 000,132,224 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\windows\system32\DRIVERS\snapman.sys -- (snapman)
DRV - [2009/02/02 22:34:27 | 000,368,480 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\windows\system32\DRIVERS\tdrpman.sys -- (tdrpman)
DRV - [2008/12/13 13:47:38 | 000,129,896 | ---- | M] (Paragon) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\Uim_IM.sys -- (Uim_IM)
DRV - [2008/12/13 13:47:38 | 000,040,496 | ---- | M] (Paragon Software Group) [Kernel | Boot | Running] -- C:\windows\system32\DRIVERS\hotcore3.sys -- (hotcore3)
DRV - [2008/12/13 13:47:38 | 000,032,056 | ---- | M] (Windows ® 2000 DDK provider) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\UimBus.sys -- (UimBus)
DRV - [2008/04/13 13:56:06 | 000,088,320 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\nwlnkipx.sys -- (NwlnkIpx)
DRV - [2007/12/05 01:41:00 | 007,435,392 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2007/11/13 05:25:53 | 000,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv)
DRV - [2007/11/02 14:36:10 | 000,018,176 | ---- | M] (Motorola) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\motccgp.sys -- (motccgp)
DRV - [2007/10/22 03:21:35 | 000,041,984 | ---- | M] (Samsung Electronics Co., Ltd.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\DGIVECP.SYS -- (DgiVecp)
DRV - [2007/07/04 21:48:28 | 000,049,920 | ---- | M] (HP) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HPZid412.sys -- (HPZid412)
DRV - [2007/07/04 21:48:28 | 000,021,568 | ---- | M] (HP) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HPZius12.sys -- (HPZius12)
DRV - [2007/07/04 21:48:28 | 000,016,496 | ---- | M] (HP) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HPZipr12.sys -- (HPZipr12)
DRV - [2007/06/18 14:18:26 | 000,023,680 | ---- | M] (Motorola) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\motport.sys -- (motport)
DRV - [2007/06/18 14:18:26 | 000,023,680 | ---- | M] (Motorola) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\motmodem.sys -- (motmodem)
DRV - [2007/05/03 12:37:08 | 000,022,152 | ---- | M] (Maxtor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mxopswd.sys -- (MXOPSWD)
DRV - [2007/01/22 18:33:00 | 000,007,680 | ---- | M] (Motorola) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\motccgpfl.sys -- (motccgpfl)
DRV - [2006/12/26 17:30:01 | 000,094,080 | ---- | M] (VSO Software) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ezplay.sys -- (ezplay)
DRV - [2006/12/26 17:29:55 | 000,047,360 | ---- | M] (VSO Software) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\pcouffin.sys -- (Pcouffin)
DRV - [2006/08/17 15:04:18 | 000,010,752 | ---- | M] (SerComm) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\NETGEARUHOST.sys -- (NETGEARUHOST)
DRV - [2006/08/17 15:04:12 | 000,037,120 | ---- | M] (SerComm) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\NETGEARUHUB.sys -- (NETGEARUHUB)
DRV - [2006/06/07 21:06:58 | 000,329,901 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\btaudio.sys -- (btaudio)
DRV - [2006/06/07 15:33:34 | 000,855,018 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\btkrnl.sys -- (BTKRNL)
DRV - [2006/06/07 15:29:10 | 000,030,459 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\btport.sys -- (BTDriver)
DRV - [2006/06/07 15:28:20 | 000,149,028 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\btwdndis.sys -- (BTWDNDIS)
DRV - [2006/06/07 15:26:52 | 000,067,384 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\btwusb.sys -- (BTWUSB)
DRV - [2006/06/07 15:23:20 | 000,047,811 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\btwhid.sys -- (btwhid)
DRV - [2005/12/12 17:27:00 | 000,019,072 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\PS2.sys -- (Ps2)
DRV - [2005/10/21 07:25:32 | 000,013,396 | ---- | M] () [Kernel | System | Running] -- C:\windows\system32\drivers\MTictwl.sys -- (NCPro)
DRV - [2005/10/21 07:25:32 | 000,013,396 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\MTictwl.sys -- (MagicTune)
DRV - [2005/04/20 10:00:56 | 002,317,696 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ALCXWDM.SYS -- (ALCXWDM) Service for Realtek AC97 Audio (WDM)
DRV - [2005/04/12 10:42:16 | 000,011,904 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\srvkp.sys -- (SiSkp)
DRV - [2005/04/12 10:08:44 | 000,247,296 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\sisgrp.sys -- (SiS315)
DRV - [2005/03/04 11:02:20 | 001,066,278 | ---- | M] (Agere Systems) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AGRSM.sys -- (AgereSoftModem)
DRV - [2005/02/18 18:14:28 | 000,005,248 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\giveio.sys -- (giveio)
DRV - [2005/01/03 11:33:44 | 000,099,456 | ---- | M] (Nero AG) [File_System | Disabled | Running] -- C:\WINDOWS\system32\drivers\InCDfs.sys -- (InCDfs)
DRV - [2005/01/03 11:33:24 | 000,028,928 | ---- | M] (Nero AG) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\InCDpass.sys -- (InCDPass)
DRV - [2005/01/03 11:33:18 | 000,027,776 | ---- | M] (Nero AG) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\InCDrm.sys -- (incdrm)
DRV - [2004/10/20 09:23:22 | 000,020,576 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\windows\System32\Drivers\PxHelp20.sys -- (PxHelp20)
DRV - [2004/09/23 19:52:20 | 000,173,312 | ---- | M] (Copyright © VIA/S3 Graphics Co, Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\vtmini.sys -- (viagfx)
DRV - [2004/08/21 01:26:00 | 000,737,874 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ialmnt5.sys -- (ialm)
DRV - [2004/08/04 07:00:00 | 000,063,232 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\nwlnknb.sys -- (NwlnkNb)
DRV - [2004/08/04 07:00:00 | 000,055,936 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\nwlnkspx.sys -- (NwlnkSpx)
DRV - [2004/08/04 07:00:00 | 000,017,792 | ---- | M] (Parallel Technologies, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink)
DRV - [2004/05/08 19:21:44 | 000,035,840 | ---- | M] (Advanced Micro Devices) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\AmdK8.sys -- (AmdK8)
DRV - [2003/12/02 20:23:20 | 000,142,336 | ---- | M] (Promise Technology, Inc.) [Kernel | Boot | Running] -- C:\windows\system32\DRIVERS\fasttx2k.sys -- (fasttx2k)
DRV - [2003/09/19 04:47:00 | 000,010,368 | ---- | M] (Padus, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\pfc.sys -- (Pfc)
DRV - [2003/09/11 02:36:54 | 000,021,060 | ---- | M] (InterVideo, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\iviaspi.sys -- (Iviaspi)
DRV - [2003/07/29 15:11:24 | 000,016,772 | ---- | M] (Palm, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\PalmUSBD.sys -- (PalmUSBD)
DRV - [2003/07/18 18:58:20 | 000,036,992 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | Boot | Running] -- C:\windows\system32\DRIVERS\SISAGPX.sys -- (SISAGP)
DRV - [2003/07/12 00:28:56 | 000,032,768 | ---- | M] (SiS Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\sisnic.sys -- (SISNIC)
DRV - [2003/07/02 13:42:00 | 000,027,904 | ---- | M] (VIA Technologies, Inc.) [Kernel | Boot | Running] -- C:\windows\system32\DRIVERS\viaagp1.sys -- (viaagp1)
DRV - [2002/10/04 19:04:10 | 000,046,976 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\R8139n51.sys -- (rtl8139)
DRV - [2001/08/17 16:57:38 | 000,016,128 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\MODEMCSA.sys -- (MODEMCSA)
DRV - [2001/08/17 13:53:32 | 000,006,784 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\serscan.sys -- (StillCam)
DRV - [2001/08/17 12:56:16 | 000,007,552 | ---- | M] (Sony Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\SONYPVU1.SYS -- (SONYPVU1) Sony USB Filter Driver (SONYPVU1)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com


IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-216301871-1108676632-3902835741-1009\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
IE - HKU\S-1-5-21-216301871-1108676632-3902835741-1009\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
IE - HKU\S-1-5-21-216301871-1108676632-3902835741-1009\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
IE - HKU\S-1-5-21-216301871-1108676632-3902835741-1009\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/a/
IE - HKU\S-1-5-21-216301871-1108676632-3902835741-1009\S-1-5-21-216301871-1108676632-3902835741-1009\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..browser.startup.homepage: "http://start.mozilla.org/firefox?client=firefox-a&rls=org.mozilla:en-US:official"
FF - prefs.js..extensions.enabledItems: tunebite-firefox-surf-and-catch-extension@audials.com:1.4.7400.0
FF - prefs.js..network.proxy.autoconfig_url: "file:///C:/Documents%20and%20Settings/Compaq_Owner/Local%20Settings/Application%20Data/RapidSolution/Videoraptor/WebRip/profile/rrproxy_ffox_4b818d93.pac"
FF - prefs.js..network.proxy.type: 2

FF - HKLM\software\mozilla\Firefox\Extensions\\tunebite-firefox-surf-and-catch-extension@audials.com: C:\Program Files\RapidSolution\AudialsOne\Tunebite\plugins\GeckoBased\tunebite-firefox-surf-and-catch-extension@audials.com\ [2009/07/10 19:37:33 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\videoraptor-firefox-surf-and-catch-extension@audials.com: C:\Program Files\RapidSolution\AudialsOne\VideoRaptor\plugins\GeckoBased\videoraptor-firefox-surf-and-catch-extension@audials.com\ [2009/07/10 19:41:46 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/02/21 14:30:14 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/02/21 14:30:14 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 2.0.0.23\extensions\\Components: C:\Program Files\Mozilla Thunderbird\components [2010/01/30 11:54:55 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 2.0.0.23\extensions\\Plugins: C:\Program Files\Mozilla Thunderbird\plugins [2010/01/15 19:23:01 | 000,000,000 | ---D | M]

[2009/03/22 10:36:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Compaq_Owner\Application Data\Mozilla\Extensions
[2009/03/22 10:36:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Compaq_Owner\Application Data\Mozilla\Extensions\songbird@songbirdnest.com
[2010/02/21 14:51:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\rc1pqmn8.default\extensions
[2010/02/21 03:27:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\rc1pqmn8.default\extensions\fatcash@fatwallet.com
[2010/02/21 14:51:29 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2009/11/08 08:49:17 | 000,393,216 | ---- | M] (Invenda Corporation) -- C:\Program Files\Mozilla Firefox\plugins\NPcol400.dll
[2009/11/19 17:16:28 | 000,091,552 | ---- | M] (Coupons, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npCouponPrinter.dll
[2009/03/31 13:18:00 | 000,061,440 | ---- | M] ( ) -- C:\Program Files\Mozilla Firefox\plugins\npExecuteQtrax.dll
[2009/11/19 17:16:29 | 000,091,552 | ---- | M] (Coupons, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npMozCouponPrinter.dll
[2007/03/09 18:16:44 | 000,189,496 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npyaxmpb.dll

O1 HOSTS File: ([2009/11/19 03:48:53 | 000,000,161 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O1 - Hosts: 91.212.127.227 winsecurepro2009.microsoft.com
O1 - Hosts: 91.212.127.227 winsecurepro2009.com
O1 - Hosts: 91.212.127.227 www.winsecurepro2009.com
O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
O2 - BHO: (Videoraptor_WebRipPlugin Class) - {3C0372C2-04C3-4100-BAB1-1D42C552BC48} - C:\Program Files\RapidSolution\AudialsOne\VideoRaptor\plugins\IE\VR_WebRipIePlugin.dll (RapidSolution Software)
O2 - BHO: (Search Helper) - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll (Microsoft Corporation)
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll (McAfee, Inc.)
O2 - BHO: (Tunebite_WebRipPlugin Class) - {AA102584-3B97-47e7-B9BC-75D54C110A7D} - C:\Program Files\RapidSolution\AudialsOne\Tunebite\plugins\IE\TB_WebRipIePlugin.dll (RapidSolution Software)
O2 - BHO: (Windows Live Toolbar Helper) - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O3 - HKLM\..\Toolbar: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O3 - HKLM\..\Toolbar: (Easy-WebPrint) - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll ()
O3 - HKU\S-1-5-21-216301871-1108676632-3902835741-1009\..\Toolbar\ShellBrowser: (no name) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No CLSID value found.
O3 - HKU\S-1-5-21-216301871-1108676632-3902835741-1009\..\Toolbar\WebBrowser: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O4 - HKLM..\Run: [Acronis Scheduler2 Service] C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe (Acronis)
O4 - HKLM..\Run: [AcronisTimounterMonitor] C:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe (Acronis)
O4 - HKLM..\Run: [Adobe ARM] C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [BluetoothAuthenticationAgent] C:\windows\System32\bthprops.cpl (Microsoft Corporation)
O4 - HKLM..\Run: [DiscWizardMonitor.exe] C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe (Seagate)
O4 - HKLM..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\hpwuSchd2.exe (Hewlett-Packard Co.)
O4 - HKLM..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)
O4 - HKLM..\Run: [KernelFaultCheck] File not found
O4 - HKLM..\Run: [McAfee Backup] C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe (McAfee)
O4 - HKLM..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
O4 - HKLM..\Run: [NvCplDaemon] C:\windows\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [Peer Impact] C:\Program Files\Peer Impact\peerimpact.exe (Wurld Media, Inc.)
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\qttask.exe (Apple Inc.)
O4 - HKLM..\Run: [Samsung PanelMgr] C:\windows\Samsung\PanelMgr\ssmmgr.exe ()
O4 - HKLM..\Run: [Seagate Scheduler2 Service] C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe (Seagate)
O4 - HKLM..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe (Acronis)
O4 - HKLM..\Run: [YeppStudioAgent] C:\Program Files\Samsung\Samsung Media Studio\SamsungMediaStudioAgent.exe ()
O4 - HKU\S-1-5-21-216301871-1108676632-3902835741-1009..\Run: [SansaDispatch] C:\Documents and Settings\Compaq_Owner\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe (SanDisk Corporation)
O4 - HKU\S-1-5-21-216301871-1108676632-3902835741-1009..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\wmpnscfg.exe (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe (Hewlett-Packard Co.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-216301871-1108676632-3902835741-1009\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-216301871-1108676632-3902835741-1009\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableProfileQuota = 1
O8 - Extra context menu item: Convert for CLIÉ - C:\Program Files\Sony\Image Converter\menu.htm ()
O8 - Extra context menu item: Easy-WebPrint Add To Print List - C:\Program Files\Canon\Easy-WebPrint\Resource.dll ()
O8 - Extra context menu item: Easy-WebPrint High Speed Print - C:\Program Files\Canon\Easy-WebPrint\Resource.dll ()
O8 - Extra context menu item: Easy-WebPrint Preview - C:\Program Files\Canon\Easy-WebPrint\Resource.dll ()
O8 - Extra context menu item: Easy-WebPrint Print - C:\Program Files\Canon\Easy-WebPrint\Resource.dll ()
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie_ctx.htm ()
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll (Sun Microsystems, Inc.)
O9 - Extra Button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra 'Tools' menuitem : @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm ()
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\WINDOWS\system32\nwprovau.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000006 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} http://download.microsoft.com/download/d/c.../OGAControl.cab (Office Genuine Advantage Validation Tool)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwa...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft.com/fwlink/?linkid=39204 (Windows Genuine Advantage Validation Tool)
O16 - DPF: {233C1507-6A77-46A4-9443-F871F945D258} http://fpdownload.macromedia.com/get/shock...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} C:\Program Files\Yahoo!\Common\Yinsthelper.dll (Installation Support)
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} https://mail.gdls.com/whalecome6626a0c97b58...m0/iNotes6W.cab (iNotes6 Class)
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} http://office.microsoft.com/officeupdate/content/opuc2.cab (Office Update Installation Engine)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupdate/...b?1122325263444 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdat...b?1163072932656 (MUWebControl Class)
O16 - DPF: {75A6AEA3-F26E-4608-AE9B-8DA78C87576E} https://kingsisle.hs.llnwd.net/e1/static/th...ameLauncher.CAB (Wizard101GameLauncher)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_03)
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} http://offers.e-centives.com/cif/download/bin/actxcab.cab (CBSTIEPrint Class)
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} http://www.crucial.com/controls/cpcScanner.cab (Crucial cpcScan)
O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} https://media.pineconeresearch.com/ActiveX/...loadcontrol.cab (InetDownload Class)
O16 - DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} http://java.sun.com/products/plugin/autodl...indows-i586.cab (Java Plug-in 1.4.2_03)
O16 - DPF: {CAFEEFAC-0014-0002-0005-ABCDEFFEDCBA} http://java.sun.com/products/plugin/autodl...indows-i586.cab (Java Plug-in 1.4.2_05)
O16 - DPF: {CAFEEFAC-0014-0002-0006-ABCDEFFEDCBA} http://java.sun.com/products/plugin/autodl...indows-i586.cab (Java Plug-in 1.4.2_06)
O16 - DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Java Plug-in 1.5.0_02)
O16 - DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Java Plug-in 1.5.0_04)
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Java Plug-in 1.5.0_06)
O16 - DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Java Plug-in 1.5.0_09)
O16 - DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Java Plug-in 1.5.0_10)
O16 - DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Java Plug-in 1.5.0_11)
O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_01)
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_02)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_03)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_03)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {D4F3F795-7712-4D92-91DF-AEB055D8AC73} http://rms2.invokesolutions.com/events/bin...iveCompTest.ocx (Invoke Solutions Compatibility Test Control)
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} http://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx (CRLDownloadWrapper Class)
O16 - DPF: {D8AA889B-2C65-47C3-8C16-3DCD4EF76A47} http://rms2.invokesolutions.com/events/bin...1450/MILive.cab (Invoke Solutions Participant Control(MR))
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\windows\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxsrvc.dll - C:\windows\System32\igfxsrvc.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O30 - LSA: Authentication Packages - (relog_ap) - C:\windows\System32\relog_ap.dll (Acronis)
O32 - HKLM CDRom: AutoRun - 0
O32 - AutoRun File - [2004/10/20 08:13:12 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{b5d97a49-0ec0-11db-9656-0011d81dc41d}\Shell\AutoRun\command - "" = F:\.\MigWiz\migsetup.exe -- File not found
O33 - MountPoints2\{df222cf6-cbea-11db-9676-0011d81dc41d}\Shell - "" = AutoRun
O33 - MountPoints2\{df222cf6-cbea-11db-9676-0011d81dc41d}\Shell\Auto\command - "" = C:\windows\System32\setup.exe -- [2008/04/13 19:12:34 | 000,023,040 | ---- | M] (Microsoft Corporation)
O33 - MountPoints2\{df222cf6-cbea-11db-9676-0011d81dc41d}\Shell\AutoRun - "" = Auto&Play
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (lsdelete) - C:\windows\System32\lsdelete.exe ()
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2006/03/25 12:57:07 | 000,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - C:\WINDOWS\system32\irmon.dll (Microsoft Corporation)
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: Wmi - C:\WINDOWS\system32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - File not found
NetSvcs: SSHNAS - File not found


CREATERESTOREPOINT
Error starting restore point: 15
Error closing restore point: The sequence number is invalid.

========== Files/Folders - Created Within 30 Days ==========

[2010/02/21 18:15:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Compaq_Owner\My Documents\gmer
[2010/02/21 17:35:39 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2010/02/04 20:55:38 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\windows\System32\drivers\mbamswissarmy.sys
[2010/02/04 20:55:33 | 000,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\windows\System32\drivers\mbam.sys
[2010/02/04 20:55:32 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/02/03 22:52:36 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2010/01/30 12:01:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\PCHealth
[2009/07/23 06:33:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Apple
[2009/02/03 15:21:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2009/02/03 15:21:32 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2009/01/14 20:28:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\HP
[2008/12/30 20:59:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2008/08/16 16:57:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Acronis
[2007/12/25 19:49:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple
[2006/12/26 17:30:01 | 000,094,080 | ---- | C] (VSO Software) -- C:\Documents and Settings\Compaq_Owner\Application Data\ezplay.sys
[2006/12/26 17:29:54 | 000,047,360 | ---- | C] (VSO Software) -- C:\Documents and Settings\Compaq_Owner\Application Data\pcouffin.sys
[2006/09/19 08:16:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Help
[2006/09/19 08:16:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Help
[1 C:\Documents and Settings\Compaq_Owner\My Documents\*.tmp files -> C:\Documents and Settings\Compaq_Owner\My Documents\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/02/23 06:20:01 | 009,961,472 | ---- | M] () -- C:\Documents and Settings\Compaq_Owner\NTUSER.DAT
[2010/02/21 22:19:24 | 000,025,088 | ---- | M] () -- C:\Documents and Settings\Compaq_Owner\My Documents\From Previous Owners.doc
[2010/02/21 20:29:01 | 000,001,158 | ---- | M] () -- C:\windows\System32\wpa.dbl
[2010/02/21 20:28:23 | 000,013,849 | ---- | M] () -- C:\windows\System32\Config.MPF
[2010/02/21 20:26:26 | 000,000,326 | ---- | M] () -- C:\windows\tasks\GlaryInitialize.job
[2010/02/21 20:25:39 | 000,000,006 | -H-- | M] () -- C:\windows\tasks\SA.DAT
[2010/02/21 20:25:21 | 000,002,048 | --S- | M] () -- C:\windows\bootstat.dat
[2010/02/21 17:41:52 | 000,463,530 | ---- | M] () -- C:\windows\System32\perfh009.dat
[2010/02/21 17:41:52 | 000,080,532 | ---- | M] () -- C:\windows\System32\perfc009.dat
[2010/02/21 17:35:39 | 000,001,747 | ---- | M] () -- C:\Documents and Settings\Compaq_Owner\Desktop\HijackThis.lnk
[2010/02/21 08:47:29 | 000,175,616 | ---- | M] () -- C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/02/20 22:20:30 | 000,557,064 | ---- | M] () -- C:\windows\System32\PerfStringBackup.INI
[2010/02/20 15:32:28 | 000,000,012 | ---- | M] () -- C:\windows\bthservsdp.dat
[2010/02/20 15:30:42 | 000,001,374 | ---- | M] () -- C:\windows\imsins.BAK
[2010/02/20 15:15:04 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\Compaq_Owner\ntuser.ini
[2010/02/20 15:14:58 | 005,727,828 | -H-- | M] () -- C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\IconCache.db
[2010/02/20 12:57:33 | 000,378,880 | ---- | M] () -- C:\Documents and Settings\Compaq_Owner\My Documents\2009 Duck Bookkeeping.xls
[2010/02/18 07:33:32 | 000,000,284 | ---- | M] () -- C:\windows\tasks\AppleSoftwareUpdate.job
[2010/02/16 22:15:12 | 000,001,742 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
[2010/02/15 02:19:02 | 000,000,354 | ---- | M] () -- C:\windows\tasks\McDefragTask.job
[2010/02/13 06:39:38 | 000,024,064 | ---- | M] () -- C:\Documents and Settings\Compaq_Owner\My Documents\Rome was started by the twin brothers Romulus and Remus.doc
[2010/02/12 21:13:12 | 000,024,064 | ---- | M] () -- C:\Documents and Settings\Compaq_Owner\My Documents\Ethan I like to play video games.doc
[2010/02/09 07:30:55 | 000,000,116 | ---- | M] () -- C:\windows\NeroDigital.ini
[2010/02/04 20:55:45 | 000,000,709 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/02/04 19:21:28 | 000,011,028 | -HS- | M] () -- C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\6j3B46
[2010/02/03 22:57:21 | 000,000,335 | ---- | M] () -- C:\Documents and Settings\Compaq_Owner\Desktop\FixExe.reg
[2010/02/03 21:26:56 | 000,696,832 | ---- | M] () -- C:\windows\is-0OVFU.exe
[2010/02/03 21:26:56 | 000,010,498 | ---- | M] () -- C:\windows\is-0OVFU.msg
[2010/02/03 21:26:56 | 000,000,350 | ---- | M] () -- C:\windows\is-0OVFU.lst
[2010/02/02 12:04:53 | 000,024,064 | ---- | M] () -- C:\Documents and Settings\Compaq_Owner\My Documents\noah's iew rome.doc
[2010/02/02 12:04:53 | 000,000,162 | -H-- | M] () -- C:\Documents and Settings\Compaq_Owner\My Documents\~$ah's iew rome.doc
[2010/02/01 01:01:10 | 000,000,332 | ---- | M] () -- C:\windows\tasks\McQcTask.job
[2010/02/01 00:02:14 | 000,020,992 | ---- | M] () -- C:\Documents and Settings\Compaq_Owner\My Documents\JOnas CC-IEW The amazing Olympics.doc
[2010/01/30 11:55:24 | 000,270,192 | ---- | M] () -- C:\windows\System32\FNTCACHE.DAT
[2010/01/30 11:11:19 | 000,000,976 | ---- | M] () -- C:\windows\win.ini
[2010/01/30 10:09:01 | 000,016,896 | ---- | M] () -- C:\Documents and Settings\Compaq_Owner\My Documents\ending 2009 inventory.xls
[2010/01/30 10:07:44 | 000,024,576 | ---- | M] () -- C:\Documents and Settings\Compaq_Owner\My Documents\JOnas The Pharos Lighthouse.doc
[2010/01/29 22:33:39 | 000,025,088 | ---- | M] () -- C:\Documents and Settings\Compaq_Owner\My Documents\noah's iew olimpics.doc
[2010/01/24 23:41:26 | 000,026,624 | ---- | M] () -- C:\Documents and Settings\Compaq_Owner\My Documents\noah's iew pandora.doc
[2010/01/24 23:38:50 | 000,026,112 | ---- | M] () -- C:\Documents and Settings\Compaq_Owner\My Documents\JOnas-CCiew The majestic box.doc
[1 C:\Documents and Settings\Compaq_Owner\My Documents\*.tmp files -> C:\Documents and Settings\Compaq_Owner\My Documents\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/02/21 22:19:24 | 000,025,088 | ---- | C] () -- C:\Documents and Settings\Compaq_Owner\My Documents\From Previous Owners.doc
[2010/02/21 17:35:39 | 000,001,747 | ---- | C] () -- C:\Documents and Settings\Compaq_Owner\Desktop\HijackThis.lnk
[2010/02/19 14:08:23 | 000,378,880 | ---- | C] () -- C:\Documents and Settings\Compaq_Owner\My Documents\2009 Duck Bookkeeping.xls
[2010/02/12 21:13:04 | 000,024,064 | ---- | C] () -- C:\Documents and Settings\Compaq_Owner\My Documents\Ethan I like to play video games.doc
[2010/02/04 20:55:45 | 000,000,709 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/02/03 22:56:59 | 000,000,335 | ---- | C] () -- C:\Documents and Settings\Compaq_Owner\Desktop\FixExe.reg
[2010/02/03 21:26:56 | 000,696,832 | ---- | C] () -- C:\windows\is-0OVFU.exe
[2010/02/03 21:26:56 | 000,010,498 | ---- | C] () -- C:\windows\is-0OVFU.msg
[2010/02/03 21:26:56 | 000,000,350 | ---- | C] () -- C:\windows\is-0OVFU.lst
[2010/02/03 14:18:22 | 000,011,028 | -HS- | C] () -- C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\6j3B46
[2010/02/02 13:34:52 | 000,024,064 | ---- | C] () -- C:\Documents and Settings\Compaq_Owner\My Documents\Rome was started by the twin brothers Romulus and Remus.doc
[2010/02/02 12:04:53 | 000,000,162 | -H-- | C] () -- C:\Documents and Settings\Compaq_Owner\My Documents\~$ah's iew rome.doc
[2010/02/02 12:04:52 | 000,024,064 | ---- | C] () -- C:\Documents and Settings\Compaq_Owner\My Documents\noah's iew rome.doc
[2010/01/30 10:09:00 | 000,016,896 | ---- | C] () -- C:\Documents and Settings\Compaq_Owner\My Documents\ending 2009 inventory.xls
[2010/01/30 10:07:44 | 000,024,576 | ---- | C] () -- C:\Documents and Settings\Compaq_Owner\My Documents\JOnas The Pharos Lighthouse.doc
[2010/01/26 13:32:57 | 000,020,992 | ---- | C] () -- C:\Documents and Settings\Compaq_Owner\My Documents\JOnas CC-IEW The amazing Olympics.doc
[2010/01/26 11:00:35 | 000,025,088 | ---- | C] () -- C:\Documents and Settings\Compaq_Owner\My Documents\noah's iew olimpics.doc
[2010/01/24 23:38:49 | 000,026,112 | ---- | C] () -- C:\Documents and Settings\Compaq_Owner\My Documents\JOnas-CCiew The majestic box.doc
[2009/12/25 22:55:49 | 000,178,176 | ---- | C] () -- C:\windows\System32\unrar.dll
[2009/03/20 15:13:42 | 000,000,022 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\8f01a90e-7eb3-48d3-93b1-50d88fd146fb
[2009/03/02 10:33:32 | 000,067,584 | ---- | C] () -- C:\windows\System32\ff_vfw.dll
[2009/03/02 10:33:32 | 000,000,547 | ---- | C] () -- C:\windows\System32\ff_vfw.dll.manifest
[2008/12/28 17:52:25 | 000,000,141 | ---- | C] () -- C:\windows\System32\09wutili.sys
[2008/12/07 14:54:12 | 000,000,052 | ---- | C] () -- C:\windows\FPRINCE.INI
[2008/07/09 20:34:00 | 000,000,004 | ---- | C] () -- C:\Documents and Settings\Compaq_Owner\Application Data\1DAA8A
[2008/07/09 20:33:59 | 000,870,128 | ---- | C] () -- C:\Documents and Settings\Compaq_Owner\Application Data\mcs.rma
[2008/02/24 18:24:58 | 000,000,000 | ---- | C] () -- C:\windows\PROTOCOL.INI
[2008/02/18 19:48:15 | 000,000,000 | ---- | C] () -- C:\windows\hpqEmlSz.INI
[2008/01/27 20:21:38 | 000,029,696 | ---- | C] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/01/26 22:40:00 | 000,000,028 | ---- | C] () -- C:\windows\pdf995.ini
[2008/01/16 21:23:21 | 000,013,396 | ---- | C] () -- C:\windows\System32\drivers\MTictwl.sys
[2007/12/05 01:41:00 | 001,703,936 | ---- | C] () -- C:\windows\System32\nvwdmcpl.dll
[2007/12/05 01:41:00 | 001,474,560 | ---- | C] () -- C:\windows\System32\nview.dll
[2007/12/05 01:41:00 | 001,019,904 | ---- | C] () -- C:\windows\System32\nvwimg.dll
[2007/12/05 01:41:00 | 000,466,944 | ---- | C] () -- C:\windows\System32\nvshell.dll
[2007/12/05 01:41:00 | 000,286,720 | ---- | C] () -- C:\windows\System32\nvnt4cpl.dll
[2007/06/16 20:27:25 | 000,012,257 | ---- | C] () -- C:\Program Files\setuplog.txt
[2007/06/16 20:27:25 | 000,011,380 | ---- | C] () -- C:\Program Files\uninstal.log
[2007/05/22 21:42:02 | 000,000,158 | ---- | C] () -- C:\windows\System32\AddPort.ini
[2007/05/22 21:36:32 | 000,001,366 | ---- | C] () -- C:\windows\hpntwksetup.ini
[2007/05/22 21:30:28 | 000,011,425 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\hpzinstall.log
[2007/05/18 15:55:04 | 000,000,217 | ---- | C] () -- C:\windows\TLCAPPS.INI
[2007/05/18 15:54:22 | 000,000,000 | ---- | C] () -- C:\windows\SETUP32.INI
[2007/03/08 21:12:42 | 000,057,344 | ---- | C] () -- C:\windows\System32\lexdlls.dlL
[2007/03/08 21:07:50 | 000,000,050 | ---- | C] () -- C:\windows\cdplayer.ini
[2007/02/27 06:55:42 | 000,000,120 | ---- | C] () -- C:\Documents and Settings\Compaq_Owner\Application Data\FixVTS.ini
[2007/01/23 15:15:22 | 000,676,224 | ---- | C] () -- C:\windows\System32\OGACheckControl.DLL
[2007/01/18 19:26:28 | 000,000,142 | ---- | C] () -- C:\windows\wpd99.drv
[2007/01/18 19:26:06 | 000,051,716 | ---- | C] () -- C:\windows\System32\pdf995mon.dll
[2006/12/26 17:30:04 | 000,000,034 | ---- | C] () -- C:\Documents and Settings\Compaq_Owner\Application Data\POOBMOLU.log
[2006/12/26 17:30:01 | 000,007,812 | ---- | C] () -- C:\Documents and Settings\Compaq_Owner\Application Data\ezplay.cat
[2006/12/26 17:30:01 | 000,001,104 | ---- | C] () -- C:\Documents and Settings\Compaq_Owner\Application Data\POOBMOLU.inf
[2006/12/26 17:30:01 | 000,000,125 | ---- | C] () -- C:\Documents and Settings\Compaq_Owner\Application Data\POOBMOLU.ini
[2006/12/26 17:29:55 | 000,000,034 | ---- | C] () -- C:\Documents and Settings\Compaq_Owner\Application Data\pcouffin.log
[2006/12/26 17:29:54 | 000,087,608 | ---- | C] () -- C:\Documents and Settings\Compaq_Owner\Application Data\ezpinst.exe
[2006/12/26 17:29:54 | 000,007,824 | ---- | C] () -- C:\Documents and Settings\Compaq_Owner\Application Data\pcouffin.cat
[2006/12/26 17:29:54 | 000,001,144 | ---- | C] () -- C:\Documents and Settings\Compaq_Owner\Application Data\pcouffin.inf
[2006/12/16 10:26:16 | 000,000,096 | ---- | C] () -- C:\Program Files\piconfig.lx
[2006/12/16 10:25:41 | 000,153,192 | ---- | C] () -- C:\windows\System32\launcherax.dll
[2006/09/28 16:46:33 | 000,000,000 | ---- | C] () -- C:\windows\prestopm.INI
[2006/09/28 16:20:13 | 000,000,029 | ---- | C] () -- C:\windows\DEBUGSM.INI
[2006/08/21 06:46:21 | 000,000,004 | ---- | C] () -- C:\windows\uccspecb.sys
[2006/06/07 15:52:08 | 000,090,112 | ---- | C] () -- C:\windows\System32\btprn2k.dll
[2006/01/15 10:09:42 | 000,000,308 | ---- | C] () -- C:\windows\mp3wavcon.ini
[2006/01/15 10:09:06 | 000,003,082 | ---- | C] () -- C:\windows\System32\affv11300p5now.sys
[2006/01/14 22:10:23 | 000,249,856 | ---- | C] () -- C:\windows\System32\CddbPlaylistSamsung.dll
[2006/01/05 19:10:32 | 000,090,112 | ---- | C] () -- C:\windows\System32\CmdLineExt.dll
[2005/11/03 05:56:14 | 000,002,917 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2005/06/17 21:08:28 | 000,000,748 | ---- | C] () -- C:\windows\LMAAL2DD.ini
[2005/05/17 22:07:26 | 000,007,680 | ---- | C] () -- C:\windows\System32\CNMVS6y.DLL
[2005/05/17 21:59:46 | 000,040,960 | ---- | C] () -- C:\windows\System32\IPPCPUID.DLL
[2005/05/17 21:59:46 | 000,000,105 | ---- | C] () -- C:\windows\UMXADDIN.INI
[2005/05/17 21:59:34 | 000,011,776 | ---- | C] () -- C:\windows\System32\pmsbfn32.dll
[2005/05/17 21:58:51 | 000,000,074 | ---- | C] () -- C:\windows\PMINI.ini
[2005/05/17 21:57:50 | 000,000,398 | ---- | C] () -- C:\windows\System32\CNCMP60.INI
[2005/04/09 10:09:39 | 000,000,000 | ---- | C] () -- C:\windows\iPlayer.INI
[2005/03/20 22:42:05 | 000,000,288 | ---- | C] () -- C:\windows\IfoEdit.INI
[2005/03/14 14:37:02 | 000,000,116 | ---- | C] () -- C:\windows\NeroDigital.ini
[2005/03/04 20:13:46 | 000,000,155 | ---- | C] () -- C:\windows\winamp.ini
[2005/03/04 19:49:53 | 000,679,936 | ---- | C] () -- C:\windows\System32\xvidcore.dll
[2005/03/04 19:49:53 | 000,421,888 | ---- | C] () -- C:\windows\System32\OpenQuicktimeLib.dll
[2005/03/04 19:49:53 | 000,155,648 | ---- | C] () -- C:\windows\System32\xvidvfw.dll
[2005/03/04 19:49:53 | 000,061,440 | ---- | C] () -- C:\windows\System32\libfaac.dll
[2005/02/18 18:14:28 | 000,005,248 | ---- | C] () -- C:\windows\System32\giveio.sys
[2005/02/17 11:41:32 | 000,000,603 | ---- | C] () -- C:\windows\System32\BTNeighborhood.dll.manifest
[2005/02/17 11:41:30 | 000,000,593 | ---- | C] () -- C:\windows\System32\btcss.dll.manifest
[2005/02/12 11:59:43 | 000,019,968 | ---- | C] () -- C:\windows\System32\Cpuinf32.dll
[2005/02/07 22:44:04 | 000,003,692 | ---- | C] () -- C:\Documents and Settings\Compaq_Owner\Application Data\wklnhst.dat
[2005/02/05 22:50:22 | 000,000,045 | ---- | C] () -- C:\windows\EPSC42.ini
[2005/02/03 22:01:10 | 000,175,616 | ---- | C] () -- C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2005/02/01 22:23:22 | 000,000,135 | ---- | C] () -- C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\fusioncache.dat
[2005/01/03 10:10:44 | 000,319,488 | ---- | C] () -- C:\windows\System32\DLXAPI32.DLL
[2004/10/22 00:57:31 | 000,190,524 | ---- | C] () -- C:\windows\System32\VGAunistlog.ini
[2004/10/22 00:57:31 | 000,103,579 | ---- | C] () -- C:\windows\VGAsetup.ini
[2004/10/21 05:36:04 | 000,000,061 | ---- | C] () -- C:\windows\smscfg.ini
[2004/10/21 00:59:42 | 000,013,949 | ---- | C] () -- C:\windows\System32\CHODDI.SYS
[2004/10/21 00:59:35 | 000,045,056 | ---- | C] () -- C:\windows\System32\hpreg.dll
[2004/10/20 09:43:54 | 000,000,376 | ---- | C] () -- C:\windows\ODBC.INI
[2004/10/20 09:30:41 | 000,204,800 | ---- | C] () -- C:\windows\System32\IVIresizeW7.dll
[2004/10/20 09:30:41 | 000,200,704 | ---- | C] () -- C:\windows\System32\IVIresizeA6.dll
[2004/10/20 09:30:41 | 000,192,512 | ---- | C] () -- C:\windows\System32\IVIresizeP6.dll
[2004/10/20 09:30:41 | 000,192,512 | ---- | C] () -- C:\windows\System32\IVIresizeM6.dll
[2004/10/20 09:30:41 | 000,188,416 | ---- | C] () -- C:\windows\System32\IVIresizePX.dll
[2004/10/20 09:30:41 | 000,020,480 | ---- | C] () -- C:\windows\System32\IVIresize.dll
[2004/10/20 09:13:52 | 000,001,793 | ---- | C] () -- C:\windows\System32\fxsperf.ini
[2004/10/20 08:29:01 | 000,299,073 | ---- | C] () -- C:\windows\System32\PythonCOM22.dll
[2004/10/20 08:29:01 | 000,065,536 | ---- | C] () -- C:\windows\System32\PyWinTypes22.dll
[2004/10/20 08:27:39 | 000,016,896 | ---- | C] () -- C:\windows\System32\bcbmm.dll
[2004/10/20 08:17:13 | 000,000,802 | ---- | C] () -- C:\windows\orun32.ini
[2004/10/20 07:59:37 | 000,000,572 | ---- | C] () -- C:\windows\System32\oeminfo.ini
[2004/09/14 01:35:56 | 000,000,000 | ---- | C] () -- C:\windows\System32\px.ini
[2004/08/20 05:14:46 | 000,086,016 | ---- | C] () -- C:\windows\System32\PcdrKernelModeServices.dll
[2004/08/20 05:14:46 | 000,065,536 | ---- | C] () -- C:\windows\System32\ProgressTrace.dll
[2003/08/07 14:01:52 | 000,237,568 | ---- | C] () -- C:\windows\System32\lame_enc.dll
[2003/04/11 01:04:00 | 000,028,672 | ---- | C] () -- C:\windows\System32\JAWTAccessBridge.dll
[2003/01/07 15:05:08 | 000,002,695 | ---- | C] () -- C:\windows\System32\OUTLPERF.INI
[2001/11/14 12:56:00 | 001,802,240 | ---- | C] () -- C:\windows\System32\lcppn21.dll
[2001/07/07 02:00:00 | 000,003,399 | ---- | C] () -- C:\windows\System32\hptcpmon.ini

========== Custom Scans ==========


< %systemroot%\system32\*.dll /lockedfiles >
[2010/01/05 05:00:24 | 000,192,512 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\iepeers.dll

< %systemroot%\Tasks\*.job /lockedfiles >

< %SYSTEMDRIVE%\*.exe >
[2009/11/16 23:14:47 | 000,002,474 | ---- | M] () -- C:\cfmulknl.exe
[2008/01/15 22:16:34 | 022,766,896 | ---- | M] (Apple Inc.) -- C:\QuickTime740Installer.exe
[2005/09/23 18:57:26 | 000,007,522 | ---- | M] () -- C:\qunlock.exe
[2009/11/16 23:14:32 | 000,002,475 | ---- | M] () -- C:\qwshv.exe


< MD5 for: AGP440.SYS >
[2004/08/04 14:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys
[2008/10/08 19:24:29 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys
[2004/08/04 07:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\I386\sp2.cab:AGP440.sys
[2008/10/08 19:24:29 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:AGP440.sys
[2008/04/13 13:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2008/04/13 13:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\dllcache\agp440.sys
[2008/04/13 13:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys
[2004/08/04 01:07:42 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\$NtServicePackUninstall$\agp440.sys

< MD5 for: ATAPI.SYS >
[2004/08/04 14:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2008/10/08 19:24:29 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2004/08/04 07:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\I386\sp2.cab:atapi.sys
[2008/10/08 19:24:29 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys
[2008/04/13 13:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008/04/13 13:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\dllcache\atapi.sys
[2004/08/04 01:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys
[2008/04/13 13:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\drivers\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/13 19:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
[2008/04/13 19:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\dllcache\eventlog.dll
[2008/04/13 19:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll
[2004/08/04 07:00:00 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll

< MD5 for: NETLOGON.DLL >
[2008/04/13 19:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
[2008/04/13 19:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\dllcache\netlogon.dll
[2008/04/13 19:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll
[2004/08/04 07:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll

< MD5 for: PROQUOTA.EXE >
[2004/08/04 07:00:00 | 000,050,176 | ---- | M] (Microsoft Corporation) MD5=4D9D45A4370E0C2AD00C362B7118E2A4 -- C:\WINDOWS\$NtServicePackUninstall$\proquota.exe
[2008/04/13 19:12:32 | 000,050,176 | ---- | M] (Microsoft Corporation) MD5=F6465A2EEF75468988A4FCF124148FA8 -- C:\WINDOWS\ServicePackFiles\i386\proquota.exe
[2008/04/13 19:12:32 | 000,050,176 | ---- | M] (Microsoft Corporation) MD5=F6465A2EEF75468988A4FCF124148FA8 -- C:\WINDOWS\system32\dllcache\proquota.exe

< MD5 for: SCECLI.DLL >
[2004/08/04 07:00:00 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll
[2008/04/13 19:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll
[2008/04/13 19:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\dllcache\scecli.dll
[2008/04/13 19:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll
< End of report >


OTL Extras logfile created on: 2/23/2010 5:50:16 PM - Run 1
OTL by OldTimer - Version 3.1.30.1 Folder = C:\Documents and Settings\Compaq_Owner\My Documents\Downloads
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 51.00% Memory free
6.00 Gb Paging File | 5.00 Gb Available in Paging File | 85.00% Paging File free
Paging file location(s): C:\pagefile.sys 0 0D:\pagefile.sys 0 0 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\windows | %ProgramFiles% = C:\Program Files
Drive C: | 186.31 Gb Total Space | 80.96 Gb Free Space | 43.45% Space Free | Partition Type: NTFS
Drive D: | 95.42 Gb Total Space | 22.29 Gb Free Space | 23.36% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
Drive H: | 465.76 Gb Total Space | 285.01 Gb Free Space | 61.19% Space Free | Partition Type: NTFS
I: Drive not present or media not loaded

Computer Name: BLACKY
Current User Name: Compaq_Owner
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-216301871-1108676632-3902835741-1009\SOFTWARE\Classes\<extension>]
.exe [@ = exefile] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" /p %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
https [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [Winamp.Bookmark] -- "C:\Program Files\Winamp\Winamp.exe" /BOOKMARK "%1" (Nullsoft)
Directory [Winamp.Enqueue] -- "C:\Program Files\Winamp\Winamp.exe" /ADD "%1" (Nullsoft)
Directory [Winamp.Play] -- "C:\Program Files\Winamp\Winamp.exe" "%1" (Nullsoft)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusOverride" = 1
"FirewallOverride" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"10243:TCP" = 10243:TCP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10280:UDP" = 10280:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10281:UDP" = 10281:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10282:UDP" = 10282:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10283:UDP" = 10283:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10284:UDP" = 10284:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DisableNotifications" = 1
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"10243:TCP" = 10243:TCP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10280:UDP" = 10280:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10281:UDP" = 10281:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10282:UDP" = 10282:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10283:UDP" = 10283:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10284:UDP" = 10284:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%ProgramFiles%\iTunes\iTunes.exe" = %ProgramFiles%\iTunes\iTunes.exe:*:enabled:iTunes -- (Apple Inc.)
"C:\PROGRA~1\PEERIM~1\PEERIM~1.EXE" = C:\PROGRA~1\PEERIM~1\PEERIM~1.EXE:*:Enabled:Peer Impact -- (Wurld Media, Inc.)
"C:\Program Files\MSN Messenger\livecall.exe" = C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone) -- File not found
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe" = C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)
"C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe" = C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe:*:Enabled:Windows Live Sync -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Java\jre1.5.0_02\bin\javaw.exe" = C:\Program Files\Java\jre1.5.0_02\bin\javaw.exe:*:Enabled:Java™ 2 Platform Standard Edition binary -- (Sun Microsystems, Inc.)
"C:\PROGRA~1\PEERIM~1\PEERIM~1.EXE" = C:\PROGRA~1\PEERIM~1\PEERIM~1.EXE:*:Enabled:Peer Impact -- (Wurld Media, Inc.)
"C:\Program Files\Ruckus Player\Ruckus.exe" = C:\Program Files\Ruckus Player\Ruckus.exe:*:Enabled:Ruckus -- File not found
"G:\setup\HPZNET01.EXE" = G:\setup\HPZNET01.EXE:*:Enabled:hpznet01.exe -- File not found
"G:\setup\HPONICIFS01.EXE" = G:\setup\HPONICIFS01.EXE:*:Enabled:hponicifs01.exe -- File not found
"C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe:*:Enabled:hpqnrs08.exe -- File not found
"C:\Program Files\MSN Messenger\livecall.exe" = C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone) -- File not found
"C:\Program Files\SAS\SAS 9.1\sas.exe" = C:\Program Files\SAS\SAS 9.1\sas.exe:*:Enabled:SAS 9.1 for Windows -- File not found
"C:\Program Files\Mozilla Firefox\firefox.exe" = C:\Program Files\Mozilla Firefox\firefox.exe:*:Enabled:Firefox -- (Mozilla Corporation)
"C:\Program Files\Azureus\Azureus.exe" = C:\Program Files\Azureus\Azureus.exe:*:Enabled:Azureus -- (Azureus Inc)
"C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\7zS17B.tmp\setup\HPZnui01.exe" = C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\7zS17B.tmp\setup\HPZnui01.exe:*:Enabled:hpznui01.exe -- File not found
"C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\7zS17B.tmp\setup\hponicifs01.exe" = C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\7zS17B.tmp\setup\hponicifs01.exe:*:Enabled:hponicifs01.exe -- File not found
"C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\7zS127C.tmp\setup\HPZnui01.exe" = C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\7zS127C.tmp\setup\HPZnui01.exe:*:Enabled:hpznui01.exe -- File not found
"C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\7zS127C.tmp\setup\hponicifs01.exe" = C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\7zS127C.tmp\setup\hponicifs01.exe:*:Enabled:hponicifs01.exe -- File not found
"C:\Program Files\HP\Digital Imaging\Unload\HpqPhUnl.exe" = C:\Program Files\HP\Digital Imaging\Unload\HpqPhUnl.exe:*:Enabled:hpqphunl.exe -- File not found
"C:\Program Files\HP\Digital Imaging\Unload\HpqDIA.exe" = C:\Program Files\HP\Digital Imaging\Unload\HpqDIA.exe:*:Enabled:hpqdia.exe -- File not found
"C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\7zS3.tmp\setup\HPZnui01.exe" = C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\7zS3.tmp\setup\HPZnui01.exe:*:Enabled:hpznui01.exe -- File not found
"C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\7zS3.tmp\setup\hponicifs01.exe" = C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\7zS3.tmp\setup\hponicifs01.exe:*:Enabled:hponicifs01.exe -- File not found
"C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe:*:Enabled:hpqtra08.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe:*:Enabled:hpqste08.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe" = C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe:*:Enabled:hpofxm08.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe" = C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe:*:Enabled:hposfx08.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\bin\hposid01.exe" = C:\Program Files\HP\Digital Imaging\bin\hposid01.exe:*:Enabled:hposid01.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\bin\hpqscnvw.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqscnvw.exe:*:Enabled:hpqscnvw.exe -- ()
"C:\Program Files\HP\Digital Imaging\bin\hpqkygrp.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqkygrp.exe:*:Enabled:hpqkygrp.exe -- (Hewlett-Packard)
"C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe" = C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe:*:Enabled:hpzwiz01.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe" = C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe:*:Enabled:hpoews01.exe -- (Hewlett-Packard Co.)
"C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\7zS2A3.tmp\setup\HPZnui01.exe" = C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\7zS2A3.tmp\setup\HPZnui01.exe:*:Enabled:hpznui01.exe -- File not found
"C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\7zS2A3.tmp\setup\hponicifs01.exe" = C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\7zS2A3.tmp\setup\hponicifs01.exe:*:Enabled:hponicifs01.exe -- File not found
"C:\Program Files\Bonjour\mDNSResponder.exe" = C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour -- (Apple Inc.)
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe" = C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)
"C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe" = C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe:*:Enabled:Windows Live Sync -- (Microsoft Corporation)
"C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe" = C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe:*:Enabled:McAfee Network Agent -- (McAfee, Inc.)
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{004B0DCB-4C60-465B-8F01-44B0A4111187}" = SlingPlayer
"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour
"{09DA4F91-2A09-4232-AB8C-6BC740096DE3}" = Sonic Update Manager
"{0A55CDBB-0566-4AA2-A15B-24C7F27C6FF4}" = BPD_Scan
"{0C66761E-497A-4BE3-AE0D-8EC30FC9A9AA}" = PC-Doctor for Windows
"{0EB5D9B7-8E6C-4A9E-B74F-16B7EE89A67B}" = Microsoft Plus! Photo Story 2 LE
"{109AB81D-9732-40B3-9C1F-113A86CE6F93}" = Canon MP Navigator 1.0
"{11B569C2-4BF6-4ED0-9D17-A4273943CB24}" = Adobe Photoshop Album 2.0 Starter Edition
"{121634B0-2F4B-11D3-ADA3-00C04F52DD52}" = Windows Installer Clean Up
"{1451DE6B-ABE1-4F62-BE9A-B363A17588A2}" = QuickTime
"{15EE1439-3B90-4DA6-A4FD-3BF23E830C25}" = Data Export
"{1746EA69-DCB6-4408-B5A5-E75F55439CDF}" = Scan
"{179C56A4-F57F-4561-8BBF-F911D26EB435}" = WebReg
"{18A5DFF2-8A95-49F3-873F-743CB5549F3D}" = Canon ScanGear Starter
"{1DAB6BE8-4B4F-4C08-AC96-4008057E3424}" = Samsung Media Studio
"{1E04F83B-2AB9-4301-9EF7-E86307F79C72}" = Google Earth
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{2FCE4FC5-6930-40E7-A4F1-F862207424EF}" = InterVideo WinDVD Creator
"{3248F0A8-6813-11D6-A77B-00B0D0150020}" = J2SE Runtime Environment 5.0 Update 2
"{3248F0A8-6813-11D6-A77B-00B0D0150040}" = J2SE Runtime Environment 5.0 Update 4
"{3248F0A8-6813-11D6-A77B-00B0D0150060}" = J2SE Runtime Environment 5.0 Update 6
"{3248F0A8-6813-11D6-A77B-00B0D0150090}" = J2SE Runtime Environment 5.0 Update 9
"{3248F0A8-6813-11D6-A77B-00B0D0150100}" = J2SE Runtime Environment 5.0 Update 10
"{3248F0A8-6813-11D6-A77B-00B0D0150110}" = J2SE Runtime Environment 5.0 Update 11
"{3248F0A8-6813-11D6-A77B-00B0D0160010}" = Java™ SE Runtime Environment 6 Update 1
"{3248F0A8-6813-11D6-A77B-00B0D0160020}" = Java™ 6 Update 2
"{3248F0A8-6813-11D6-A77B-00B0D0160030}" = Java™ 6 Update 3
"{324CEC09-007A-48eb-90E0-9D42D4D5EB0A}" = NetDeviceManager
"{341201D4-4F61-4ADB-987E-9CCE4D83A58D}" = Windows Live Toolbar Extension (Windows Live Toolbar)
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{35E1A8C8-6646-4101-B0AA-42D1EB2AB3AE}" = Windows Live Outlook Toolbar (Windows Live Toolbar)
"{39D56213-B450-43B2-9DB1-A734C389C6BB}" = Tagrunner
"{3B4E636E-9D65-4D67-BA61-189800823F52}" = Windows Live Communications Platform
"{3F4EC965-28EF-45C3-B063-04B25D4E9679}" = Belkin Bluetooth Software
"{3FA365DF-2D68-45ED-8F83-8C8A33E65143}" = Apple Application Support
"{3FF3DD04-F386-46B0-97FC-B86238B65487}" = Canon MP Drivers 6.0
"{416D80BA-6F6D-4672-B7CF-F54DA2F80B44}" = Microsoft Works
"{44E26ADF-FBE9-4A8F-801A-45045ACC4FAF}" = AppForge Crossfire Client for Palm OS
"{45338B07-A236-4270-9A77-EBB4115517B5}" = Windows Live Sign-in Assistant
"{4732D4A0-5A47-44D8-9B84-B3BD4906D30D}" = TaxCut Premium 2007
"{49F2B650-2D7B-4F59-B33D-346F63776BD3}" = DocProc
"{4CBA3D4C-8F51-4D60-B27E-F6B641C571E7}" = Microsoft Search Enhancement Pack
"{4FB600F5-C478-4DF7-A2BC-57D3807BAC91}" = BPDSoftware_Ini
"{50AD75E8-547E-4998-8C06-BF5CEEF30813}" = Acronis True Image
"{5104B07C-6A3D-4E7E-8BBB-960B52554BDD}" = BPD_HPSU
"{53B2CFE9-A508-4457-B2CA-5D253536BFB7}" = OneCare Advisor (Windows Live Toolbar)
"{548B3DC6-2300-47E1-BA7B-74AD25F8DEBF}" = Form Fill (Windows Live Toolbar)
"{565E29BB-5863-46FD-ABF3-8074FBB5BAFF}" = QBFC 4.0
"{56DF5C9E-6392-46D3-B366-297B14E1DAAF}" = Bonjour Core for Windows
"{57F0ED40-8F11-41AA-B926-4A66D0D1A9CC}" = Microsoft Office Live Add-in 1.3
"{58F33687-EE1F-FE06-AC2B-6858503C33F2}" = Quick Hit - Football
"{5BE42A03-E7B8-42A9-B1BB-FC48B03D58B8}" = Presto! PageManager 6.03
"{607726FC-5C44-4AE6-A3DF-A0CEC3B08F03}" = CLIE Update Wizard
"{63569CE9-FA00-469C-AF5C-E5D4D93ACF91}" = Windows Genuine Advantage v1.3.0254.0
"{6395D480-9F3B-4930-8204-B91C8882F967}" = Stata 10
"{66A7A386-6F35-41A7-A731-101F0C0153C8}" = Popup Blocker (Windows Live Toolbar)
"{66E6CE0C-5A1E-430C-B40A-0C90FF1804A8}" = eSupportQFolder
"{66F418FE-38D5-449B-A982-CFE00CD640BF}" = TrekStor i.Beat emo
"{67D3F1A0-A1F2-49b7-B9EE-011277B170CD}" = HPProductAssistant
"{68108E66-D13A-4EE8-A6F4-40E4B90C2A26}" = Windows Live Toolbar Feed Detector (Windows Live Toolbar)
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6DA97673-5752-45D0-A504-8C4824AE17A6}" = Tunebite
"{6E45BA47-383C-4C1E-8ED0-0D4845C293D7}" = Microsoft Plus! Digital Media Edition Installer
"{6F5E2F4A-377D-4700-B0E3-8F7F7507EA15}" = CustomerResearchQFolder
"{7148F0A8-6813-11D6-A77B-00B0D0142030}" = Java 2 Runtime Environment, SE v1.4.2_03
"{7148F0A8-6813-11D6-A77B-00B0D0142050}" = Java 2 Runtime Environment, SE v1.4.2_05
"{7148F0A8-6813-11D6-A77B-00B0D0142060}" = Java 2 Runtime Environment, SE v1.4.2_06
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{7745B7A9-F323-4BB9-9811-01BF57A028DA}" = Map Button (Windows Live Toolbar)
"{786C4AD1-DCBA-49A6-B0EF-B317A344BD66}" = Windows Live Favorites for Windows Live Toolbar
"{7A7DC702-DEDE-42A8-8722-B3BA724D546F}" = Fax
"{81128EE8-8EAD-4DB0-85C6-17C2CE50FF71}" = Windows Live Essentials
"{84EBDF39-4B33-49D7-A0BD-EB6E2C4E81C1}" = Windows Live Sync
"{868EA922-5675-4E91-BDA6-BBD0F923C5EF}" = HP Officejet Pro All-In-One Series
"{8868D822-2CBA-46B2-A286-B400B6185769}" = 7500_7600_7700_Help
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A62A068-3FD6-495A-9F66-26FE94F32EC9}" = Rhapsody Player Engine
"{8A74E887-8F0F-4017-AF53-CBA42211AAA5}" = Microsoft Sync Framework Runtime Native v1.0 (x86)
"{8CEC94AB-C87C-4FE0-977E-BFB4B7FB4B6B}" = Qtrax
"{8F968232-15C6-4872-84C2-9FCDAA1AEAB6}" = MPM
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{91110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{91810AFC-A4F8-4EBA-A5AA-B198BBC81144}" = InterVideo WinDVD Player
"{92A0792A-E771-4C4A-9A4A-C2917AA19EEA}" = H&R Block Basic + Efile 2009
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9541FED0-327F-4DF0-8B96-EF57EF622F19}" = Sonic RecordNow!
"{95D08F4E-DFC2-4ce3-ACB7-8C8E206217E9}" = MarketResearch
"{978C25EE-5777-46e4-8988-732C297CBDBD}" = Status
"{995F1E2E-F542-4310-8E1D-9926F5A279B3}" = Windows Live Toolbar
"{9A4D3367-A6EA-44D6-9FBA-640B28F1F8B1}" = Radiotracker
"{9B1FD9CE-0776-4f0b-A6F5-C6AB7B650CDF}" = Destinations
"{9C450606-ED24-4958-92BA-B8940C99D441}" = PixiePack Codec Pack
"{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A36CD345-625C-4d6c-B3E2-76E1248CB451}" = SolutionCenter
"{A495D4DC-4036-4914-9CB2-0FCF6A3166EF}" = L7500
"{A49F249F-0C91-497F-86DF-B2585E8E76B7}" = Microsoft Visual C++ 2005 Redistributable
"{A6FDF86A-F541-4E7B-AEA0-8849A2A700D5}" = iTunes
"{A85FD55B-891B-4314-97A5-EA96C0BD80B5}" = Windows Live Messenger
"{A9E27FF5-6294-46A8-B8FD-77B1DECA3021}" = Wizard101
"{AADEA55D-C834-4BCB-98A3-4B8D1C18F4EE}" = Apple Mobile Device Support
"{AB5D51AE-EBC3-438D-872C-705C7C2084B0}" = DeviceManagementQFolder
"{AC76BA86-7AD7-1033-7B44-A93000000001}" = Adobe Reader 9.3.1
"{AC76BA86-7AD7-5464-3428-800000000003}" = Spelling Dictionaries Support For Adobe Reader 8
"{BA68600E-96D9-4E92-80F2-26B9681B5A63}" = Microsoft Office Outlook 2003 with Business Contact Manager Update
"{BD64AF4A-8C80-4152-AD77-FCDDF05208AB}" = Microsoft Sync Framework Services Native v1.0 (x86)
"{BE77A81F-B315-4666-9BF3-AE70C0ADB057}" = BufferChm
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C3F058C0-A21C-452D-8D99-95B1A45F417D}" = InterVideo DiscLabel
"{C43E4B9C-14C8-4EB0-998B-85211B6EDD61}" = Seagate DiscWizard
"{C5EC81D0-3DED-435D-A46E-E3F60F7DC8AD}" = Palm Desktop
"{C716522C-3731-4667-8579-40B098294500}" = Toolbox
"{C8FD5BC1-92EF-4C15-92A9-F9AC7F61985F}" = HP Update
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D2BD3C8F-9D7F-472B-BDF9-7309A5CB813A}" = Motorola Driver Installation 3.5.0
"{D6044256-A309-43B5-9833-D3FAFE2AD24D}" = MagicTune Premium
"{D6C75F0B-3BC1-4FC9-B8C5-3F7E8ED059CA}" = Windows Live Photo Gallery
"{D81FBA6E-5492-4C46-BAE3-3A9242C27210}" = TaxCut Basic + Efile 2008
"{D8AA889B-2C65-47C3-8C16-3DCD4EF76A47}_is1" = Invoke Solutions Participant 6.2.0.1450
"{DA3F32EC-9B99-4C91-B2FD-E74D9999E5B7}" = Mobile Connection Wizard
"{DB518BA6-CB74-4EB6-9ABD-880B6D6E1F38}" = HpSdpAppCoreApp
"{DB6D0A87-77BA-4083-85D1-D07604B3FAD7}" = CLIE SCSI Driver
"{DD7CDE4F-23DC-4C51-B749-0198C50F352D}_is1" = PDF to Word
"{DEB9AEF7-3ADA-40a9-9C98-546D54FE9CBD}" = ProductContext
"{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}" = Ad-Aware
"{DF8195AF-8E6F-4487-A0EE-196F7E3F4B8A}" = jetAudio Basic
"{E06F04B9-45E6-4AC0-8083-85F7515F40F7}" = UnloadSupport
"{E09B48B5-E141-427A-AB0C-D3605127224A}" = Microsoft SQL Server Desktop Engine (MICROSOFTSMLBIZ)
"{E46601FA-2CA8-4F48-B743-DE27D8A30416}" = ML-1430 Series
"{E51D3EF9-3BD7-4BE8-A781-61D15E7F0303}" = Videoraptor
"{E82414F2-BEF9-44CC-9706-F62872AD457E}" = Audials TV
"{EB21A812-671B-4D08-B974-2A347F0D8F70}" = HP Photosmart Essential
"{EB75DE50-5754-4F6F-875D-126EDF8E4CB3}" = HPSSupply
"{EBBE2FB2-FBED-44F6-B95F-230AB5A65B28}" = Goombah Partner COM Server
"{ECAD4F6A-0BF3-4028-9C81-E5D9F9606CBA}" = BPDSoftware
"{F084395C-40FB-4DB3-981C-B51E74E1E83D}" = Smart Menus (Windows Live Toolbar)
"{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F1E63043-54FC-429B-AB2C-31AF9FBA4BC7}" = 32 Bit HP CIO Components Installer
"{F5EA2077-A5A0-411E-8423-3D08F4602E5E}" = Image Converter 1.1
"{F6BD194C-4190-4D73-B1B1-C48C99921BFE}" = Windows Live Call
"{F7D1D93A-B17A-41F8-9070-0B2A544C6165}" = LEGO Star Wars Demo Disc
"{F8013DD1-574B-4921-A473-88A2F7A34D16}" = Paragon Drive Backup™ 9 Personal Edition
"{FC053571-8507-44E4-8B6D-AACEAB8CA57C}" = Sansa Media Converter
"{FC2C7405-BC58-4E11-8F51-29671BEAC06B}" = Natural Color Pro
"{FE4EF1A8-6DB6-469F-98E4-519AEC0ED6E9}" = CLIE Mail Conduit
"{FF075778-6E50-47ed-991D-3B07FD4E3250}" = TrayApp
"Adobe AIR" = Adobe AIR
"Adobe Atmosphere Player" = Adobe Atmosphere Player for Acrobat and Adobe Reader
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player
"Agere Systems Soft Modem" = Agere Systems PCI Soft Modem
"ArtistScope Plugin IE 424.2.0.0" = ArtistScope Plugin IE 42
"Atomic Cannon Demo" = Atomic Cannon Demo
"AudialsOne_is1" = AudialsOne 3.0.4901.8302
"AviSynth" = AviSynth 2.5
"Azureus 3.0" = Azureus 3.0
"BlindWrite 6_is1" = BlindWrite 6
"Coupon Printer for Windows4.0" = Coupon Printer for Windows
"Coupon Printer for Windows5.0.0.0" = Coupon Printer for Windows
"Crimson Editor" = Crimson Editor (remove only)
"Driver Magician_is1" = Driver Magician 3.26
"DVD Decrypter" = DVD Decrypter (Remove Only)
"DVD Shrink_is1" = DVD Shrink 3.2
"e7b5d423e2fcc19f6c91a3c2b5238c8a" = SAS Private JRE (J2SE™ Java Runtime Environment 1.4.1)
"Easy-WebPrint" = Easy-WebPrint
"EPSON Printer and Utilities" = EPSON Printer Software
"FamilyFeudOnlineParty" = FamilyFeudOnlineParty (remove only)
"Fast DVD Ripper_is1" = Fast DVD Ripper 1.1
"File Writer output plugin" = File Writer output plugin for WinAMP 2 v1.17© (remove only)
"Free Mp3 Wma Converter_is1" = Free Mp3 Wma Converter V 1.2.9
"Glary Utilities_is1" = Glary Utilities 2.15.0.738
"Help and Support Additions" = Help and Support Additions
"HijackThis" = HijackThis 2.0.2
"HP Document Viewer" = HP Document Viewer 7.0
"HP Imaging Device Functions" = HP Imaging Device Functions 8.0
"HP Solution Center & Imaging Support Tools" = HP Solution Center 8.0
"HPExtendedCapabilities" = HP Customer Participation Program 8.0
"HPOCR" = HP OCR Software 8.0
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"InCD!UninstallKey" = InCD
"InstallShield_{004B0DCB-4C60-465B-8F01-44B0A4111187}" = SlingPlayer
"InstallShield_{0C66761E-497A-4BE3-AE0D-8EC30FC9A9AA}" = PC-Doctor for Windows
"InstallShield_{3868A8EE-5051-4DB0-8DF6-4F4B8A98D083}" = QuickTime
"InstallShield_{F7D1D93A-B17A-41F8-9070-0B2A544C6165}" = LEGO Star Wars Demo Disc
"Intellisync Lite Connected Organizers V4.0" = Intellisync Lite
"InterActual Player" = InterActual Player
"Kazaa Lite Resurrection_is1" = Kazaa Lite Resurrection 0.0.7.6 F
"KLiteCodecPack_is1" = K-Lite Codec Pack 5.1.0 (Basic)
"Lexmark_HostCD" = Lexmark Software Uninstall
"LifeNumbers_is1" = LifeNumbers version 3.0b
"LimdepV7" = Limdep v7.0
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"McGraw-Hill EZ Test" = McGraw-Hill EZ Test
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox (3.6)" = Mozilla Firefox (3.6)
"Mozilla Thunderbird (2.0.0.23)" = Mozilla Thunderbird (2.0.0.23)
"MSC" = McAfee SecurityCenter
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"MSNINST" = MSN
"Mystery of the Monkey Kingdom™" = Mystery of the Monkey Kingdom™
"Nero - Burning Rom!UninstallKey" = Nero OEM
"Nero PhotoShow Express" = Nero PhotoShow Express
"NeroVision!UninstallKey" = NeroVision Express 3 SE
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"NVEContent!UninstallKey" = NeroVision Express 2 Content
"NVIDIA Drivers" = NVIDIA Drivers
"OxCons4_is1" = Ox Console 4.10
"OxEdit4_is1" = OxEdit 4.10
"Pdf995" = Pdf995 (installed by TaxCut)
"PdfEdit995" = PdfEdit995 (installed by TaxCut)
"Peer Impact" = Peer Impact
"PS2" = PS2
"Python 2.2 combined Win32 extensions" = Python 2.2 combined Win32 extensions
"Python 2.2.1" = Python 2.2.1
"quickhit.football.QHFootball.4D5206CA741FBF5FD6AAD1A97F5076E917382B34.1" = Quick Hit - Football
"R for Windows_is1" = R for Windows 2.6.2
"Royal RegisterLink" = Royal RegisterLink
"Samsung CLP-300 Series" = Samsung CLP-300 Series
"Samsung Multimedia Studio_is1" = Samsung Multimedia Studio
"SFlyStudio" = Shutterfly Studio
"SiS VGA Driver" = SiS VGA Utilities
"ST6UNST #1" = Rebate! Rebate! 2.0
"Stat/Transfer" = Stat/Transfer Nine
"TaxCut 2004" = TaxCut 2004
"TaxCut Deluxe 2005" = TaxCut Deluxe 2005
"TaxCut Premium 2006" = TaxCut Premium 2006
"The Frog Prince" = The Frog Prince
"V CAST Music with Rhapsody" = V CAST Music with Rhapsody
"VSO DivxToDVD_is1" = DivxToDVD 0.5.1
"Wdf01005" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
"Web Update Wizard (Redistributable)" = Web Update Wizard (Redistributable) 4.0
"Winamp" = Winamp (remove only)
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinLiveSuite_Wave3" = Windows Live Essentials
"WinRAR archiver" = WinRAR archiver
"WinUtilities" = WinUtilities 6.2
"WinX DVD Ripper_is1" = WinX DVD Ripper 4.3
"WMCSetup" = Windows Media Connect
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wondershare Music Converter_is1" = Wondershare Music Converter(Build 1.1.0.0)
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"Xilisoft DVD Ripper Ultimate 5" = Xilisoft DVD Ripper Ultimate
"YInstHelper" = Yahoo! Install Manager

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-216301871-1108676632-3902835741-1009\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"ESPN Java Check" = ESPN Java Check
"Sansa Updater" = Sansa Updater

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 2/20/2010 3:10:02 PM | Computer Name = BLACKY | Source = Application Hang | ID = 1001
Description = Fault bucket 1669655770.

Error - 2/20/2010 3:10:06 PM | Computer Name = BLACKY | Source = Application Hang | ID = 1002
Description = Hanging application msnmsgr.exe, version 14.0.8089.726, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 2/20/2010 3:14:19 PM | Computer Name = BLACKY | Source = Application Error | ID = 1000
Description = Faulting application hpqtra08.exe, version 82.0.188.0, faulting module
ntdll.dll, version 5.1.2600.5755, fault address 0x00010ef4.

Error - 2/20/2010 3:14:23 PM | Computer Name = BLACKY | Source = Application Error | ID = 1001
Description = Fault bucket 1228363424.

Error - 2/20/2010 3:32:52 PM | Computer Name = BLACKY | Source = McLogEvent | ID = 5051
Description = A thread in process C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe took
longer than 90000 ms to complete a request. The process will be terminated. Thread
id : 4272 (0x10b0) Thread address : 0x7C90E514 Thread message : Build VSCORE.14.0.0.435
/ 5301.4018 Object being scanned = \Device\HarddiskVolume3\Paragon Backup\drive_c_2-7-10\arc_200210191633203\img_0_200210_191928265_0000p.002

by C:\Program Files\Paragon Software\Drive Backup 9 Personal Edition\program\launcher.exe

4(0)(0) 4(0)(0) 7200(0)(0) 7595(0)(0) 7005(0)(0) 7004(0)(0) 5006(0)(0) 5004(0)(0)


Error - 2/20/2010 4:09:06 PM | Computer Name = BLACKY | Source = Application Error | ID = 1000
Description = Faulting application launcher.exe, version 9.0.9.8667, faulting module
unknown, version 0.0.0.0, fault address 0x00000000.

Error - 2/20/2010 4:19:11 PM | Computer Name = BLACKY | Source = NativeWrapper | ID = 5000
Description =

Error - 2/21/2010 2:52:31 PM | Computer Name = BLACKY | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 7.0.6000.16981, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 2/21/2010 7:00:34 PM | Computer Name = BLACKY | Source = SAS | ID = 2400
Description =

Error - 2/21/2010 7:48:48 PM | Computer Name = BLACKY | Source = ESENT | ID = 485
Description = svchost (1376) An attempt to delete the file "C:\windows\system32\CatRoot2\tmp.edb"
failed with system error 5 (0x00000005): "Access is denied. ". The delete file
operation will fail with error -1032 (0xfffffbf8).

[ System Events ]
Error - 2/21/2010 7:46:01 PM | Computer Name = BLACKY | Source = Service Control Manager | ID = 7031
Description = The McAfee Personal Firewall Service service terminated unexpectedly.
It has done this 1 time(s). The following corrective action will be taken in
5000 milliseconds: Run the configured recovery program.

Error - 2/21/2010 7:48:36 PM | Computer Name = BLACKY | Source = Service Control Manager | ID = 7000
Description = The MCSTRM service failed to start due to the following error: %%2

Error - 2/21/2010 7:48:36 PM | Computer Name = BLACKY | Source = Service Control Manager | ID = 7000
Description = The SSPORT service failed to start due to the following error: %%2

Error - 2/21/2010 7:51:12 PM | Computer Name = BLACKY | Source = System Error | ID = 1003
Description = Error code d0000144, parameter1 c0000005, parameter2 001b0fe9, parameter3
00000001, parameter4 20013b02.

Error - 2/21/2010 9:24:13 PM | Computer Name = BLACKY | Source = Service Control Manager | ID = 7031
Description = The McAfee Network Agent service terminated unexpectedly. It has
done this 1 time(s). The following corrective action will be taken in 60000 milliseconds:
Restart the service.

Error - 2/21/2010 9:24:13 PM | Computer Name = BLACKY | Source = Service Control Manager | ID = 7031
Description = The McAfee Services service terminated unexpectedly. It has done
this 1 time(s). The following corrective action will be taken in 60000 milliseconds:
Restart the service.

Error - 2/21/2010 9:27:26 PM | Computer Name = BLACKY | Source = Service Control Manager | ID = 7000
Description = The MCSTRM service failed to start due to the following error: %%2

Error - 2/21/2010 9:27:26 PM | Computer Name = BLACKY | Source = Service Control Manager | ID = 7000
Description = The SSPORT service failed to start due to the following error: %%2

Error - 2/21/2010 9:29:25 PM | Computer Name = BLACKY | Source = System Error | ID = 1003
Description = Error code d0000144, parameter1 c0000005, parameter2 001b0ebf, parameter3
00000001, parameter4 7c800000.

Error - 2/23/2010 2:46:38 PM | Computer Name = BLACKY | Source = MRxSmb | ID = 8003
Description = The master browser has received a server announcement from the computer
WDH-PC that believes that it is the master browser for the domain on transport NetBT_Tcpip_{DBC2ABF4-3276-4F34-A3.
The master browser is stopping or an election is being forced.


< End of report >




#4 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  • Gender:Male
  • Location:Warrington, UK
  • Local time:03:07 AM

Posted 23 February 2010 - 06:46 PM

Unfortunately your logs show you have a rootkit infection, so you should be aware of the following information.

One or more of the identified infections is a backdoor trojan/Rootkit.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:
How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

If you decide you want to proceed with trying to clean your machine please follow these next steps.


  • Go to Kaspersky and Download TDSSKiller.zip.
  • Extract the contents of TDSSKiller.zip to your Desktop.
  • Click Start >> Run then copy and paste the following bold command line into the Run box and click OK.
"%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v
  • Follow the instructions to type in "delete" when it asks you what to do if it finds something.
  • When done, a log file should be created on your C: drive called TDSSKiller.txt please post this log in your next reply.



#5 dewce

dewce
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:09:07 PM

Posted 23 February 2010 - 07:30 PM

Thanks again. Wow, McAfee is some anti-virus, huh? I never had these problems running Kaspersky. What do you think about trying to clean it, then upgrading to Windows 7 from XP (I have Vista and Win7 disks)? Anyway, TDSSKiller didn't ask me to do anything but reboot, which I did.

Here is the log:

19:13:10:137 3888 TDSS rootkit removing tool 2.2.4 Feb 15 2010 19:38:31
19:13:10:137 3888 ================================================================================
19:13:10:137 3888 SystemInfo:

19:13:10:137 3888 OS Version: 5.1.2600 ServicePack: 3.0
19:13:10:137 3888 Product type: Workstation
19:13:10:137 3888 ComputerName: BLACKY
19:13:10:137 3888 UserName: Compaq_Owner
19:13:10:137 3888 Windows directory: C:\windows
19:13:10:137 3888 Processor architecture: Intel x86
19:13:10:137 3888 Number of processors: 1
19:13:10:137 3888 Page size: 0x1000
19:13:10:137 3888 Boot type: Normal boot
19:13:10:137 3888 ================================================================================
19:13:10:153 3888 UnloadDriverW: NtUnloadDriver error 2
19:13:10:153 3888 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
19:13:10:169 3888 MyNtCreateFileW: NtCreateFile(\??\C:\windows\system32\drivers\klmd.sys) returned status 00000000
19:13:10:356 3888 UtilityInit: KLMD drop and load success
19:13:10:356 3888 KLMD_OpenDevice: Trying to open KLMD Device(KLMD201010)
19:13:10:356 3888 UtilityInit: KLMD open success
19:13:10:356 3888 UtilityInit: Initialize success
19:13:10:356 3888
19:13:10:356 3888 Scanning Services ...
19:13:10:356 3888 CreateRegParser: Registry parser init started
19:13:10:356 3888 DisableWow64Redirection: GetProcAddress(Wow64DisableWow64FsRedirection) error 127
19:13:10:356 3888 CreateRegParser: DisableWow64Redirection error
19:13:10:356 3888 wfopen_ex: Trying to open file C:\windows\system32\config\system
19:13:10:356 3888 MyNtCreateFileW: NtCreateFile(\??\C:\windows\system32\config\system) returned status C0000043
19:13:10:356 3888 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
19:13:10:356 3888 wfopen_ex: Trying to KLMD file open
19:13:10:356 3888 KLMD_CreateFileW: Trying to open file C:\windows\system32\config\system
19:13:10:356 3888 wfopen_ex: File opened ok (Flags 2)
19:13:10:356 3888 CreateRegParser: HIVE_ADAPTER(C:\windows\system32\config\system) init success: 384B88
19:13:10:356 3888 wfopen_ex: Trying to open file C:\windows\system32\config\software
19:13:10:356 3888 MyNtCreateFileW: NtCreateFile(\??\C:\windows\system32\config\software) returned status C0000043
19:13:10:356 3888 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
19:13:10:356 3888 wfopen_ex: Trying to KLMD file open
19:13:10:356 3888 KLMD_CreateFileW: Trying to open file C:\windows\system32\config\software
19:13:10:356 3888 wfopen_ex: File opened ok (Flags 2)
19:13:10:356 3888 CreateRegParser: HIVE_ADAPTER(C:\windows\system32\config\software) init success: 384A78
19:13:10:356 3888 EnableWow64Redirection: GetProcAddress(Wow64RevertWow64FsRedirection) error 127
19:13:10:356 3888 CreateRegParser: EnableWow64Redirection error
19:13:10:356 3888 CreateRegParser: RegParser init completed
19:13:10:809 3888 GetAdvancedServicesInfo: Raw services enum returned 420 services
19:13:10:825 3888 fclose_ex: Trying to close file C:\windows\system32\config\system
19:13:10:825 3888 fclose_ex: Trying to close file C:\windows\system32\config\software
19:13:10:825 3888
19:13:10:825 3888 Scanning Kernel memory ...
19:13:10:825 3888 KLMD_GetSystemObjectAddressByNameW: Trying to get system object address by name \Driver\Disk
19:13:10:825 3888 DetectCureTDL3: \Driver\Disk PDRIVER_OBJECT: 8AB94A08
19:13:10:825 3888 DetectCureTDL3: KLMD_GetDeviceObjectList returned 16 DevObjects
19:13:10:825 3888
19:13:10:825 3888 DetectCureTDL3: DEVICE_OBJECT: 8A60BC18
19:13:10:825 3888 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A60BC18
19:13:10:825 3888 KLMD_ReadMem: Trying to ReadMemory 0x8A60BC18[0x38]
19:13:10:825 3888 DetectCureTDL3: DRIVER_OBJECT: 8AB94A08
19:13:10:825 3888 KLMD_ReadMem: Trying to ReadMemory 0x8AB94A08[0xA8]
19:13:10:825 3888 KLMD_ReadMem: Trying to ReadMemory 0xE100D860[0x18]
19:13:10:825 3888 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
19:13:10:825 3888 DetectCureTDL3: IRP_MJ_CREATE : BA0EEBB0
19:13:10:825 3888 DetectCureTDL3: IRP_MJ_CREATE_NAMED_PIPE : 804F355A
19:13:10:825 3888 DetectCureTDL3: IRP_MJ_CLOSE : BA0EEBB0
19:13:10:825 3888 DetectCureTDL3: IRP_MJ_READ : BA0E8D1F
19:13:10:825 3888 DetectCureTDL3: IRP_MJ_WRITE : BA0E8D1F
19:13:10:825 3888 DetectCureTDL3: IRP_MJ_QUERY_INFORMATION : 804F355A
19:13:10:825 3888 DetectCureTDL3: IRP_MJ_SET_INFORMATION : 804F355A
19:13:10:825 3888 DetectCureTDL3: IRP_MJ_QUERY_EA : 804F355A
19:13:10:825 3888 DetectCureTDL3: IRP_MJ_SET_EA : 804F355A
19:13:10:825 3888 DetectCureTDL3: IRP_MJ_FLUSH_BUFFERS : BA0E92E2
19:13:10:825 3888 DetectCureTDL3: IRP_MJ_QUERY_VOLUME_INFORMATION : 804F355A
19:13:10:825 3888 DetectCureTDL3: IRP_MJ_SET_VOLUME_INFORMATION : 804F355A
19:13:10:825 3888 DetectCureTDL3: IRP_MJ_DIRECTORY_CONTROL : 804F355A
19:13:10:825 3888 DetectCureTDL3: IRP_MJ_FILE_SYSTEM_CONTROL : 804F355A
19:13:10:825 3888 DetectCureTDL3: IRP_MJ_DEVICE_CONTROL : BA0E93BB
19:13:10:825 3888 DetectCureTDL3: IRP_MJ_INTERNAL_DEVICE_CONTROL : BA0ECF28
19:13:10:825 3888 DetectCureTDL3: IRP_MJ_SHUTDOWN : BA0E92E2
19:13:10:825 3888 DetectCureTDL3: IRP_MJ_LOCK_CONTROL : 804F355A
19:13:10:825 3888 DetectCureTDL3: IRP_MJ_CLEANUP : 804F355A
19:13:10:825 3888 DetectCureTDL3: IRP_MJ_CREATE_MAILSLOT : 804F355A
19:13:10:825 3888 DetectCureTDL3: IRP_MJ_QUERY_SECURITY : 804F355A
19:13:10:825 3888 DetectCureTDL3: IRP_MJ_SET_SECURITY : 804F355A
19:13:10:825 3888 DetectCureTDL3: IRP_MJ_POWER : BA0EAC82
19:13:10:825 3888 DetectCureTDL3: IRP_MJ_SYSTEM_CONTROL : BA0EF99E
19:13:10:825 3888 DetectCureTDL3: IRP_MJ_DEVICE_CHANGE : 804F355A
19:13:10:825 3888 DetectCureTDL3: IRP_MJ_QUERY_QUOTA : 804F355A
19:13:10:825 3888 DetectCureTDL3: IRP_MJ_SET_QUOTA : 804F355A
19:13:10:825 3888 TDL3_FileDetect: Processing driver: Disk
19:13:10:825 3888 TDL3_FileDetect: Processing driver file: C:\windows\system32\DRIVERS\disk.sys
19:13:10:825 3888 KLMD_CreateFileW: Trying to open file C:\windows\system32\DRIVERS\disk.sys
19:13:10:841 3888 TDL3_FileDetect: Processing driver: Disk
19:13:10:841 3888 TDL3_FileDetect: Processing driver file: C:\windows\system32\DRIVERS\disk.sys
19:13:10:841 3888 KLMD_CreateFileW: Trying to open file C:\windows\system32\DRIVERS\disk.sys
19:13:10:841 3888 TDL3_FileDetect: C:\windows\system32\DRIVERS\disk.sys - Verdict: Clean
19:13:10:841 3888
19:13:10:841 3888 DetectCureTDL3: DEVICE_OBJECT: 8A6904F8
19:13:10:841 3888 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A6904F8
19:13:10:841 3888 KLMD_ReadMem: Trying to ReadMemory 0x8A6904F8[0x38]
19:13:10:841 3888 DetectCureTDL3: DRIVER_OBJECT: 8AB94A08
19:13:10:841 3888 KLMD_ReadMem: Trying to ReadMemory 0x8AB94A08[0xA8]
19:13:10:841 3888 KLMD_ReadMem: Trying to ReadMemory 0xE100D860[0x18]
19:13:10:841 3888 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
19:13:10:841 3888 DetectCureTDL3: IRP_MJ_CREATE : BA0EEBB0
19:13:10:841 3888 DetectCureTDL3: IRP_MJ_CREATE_NAMED_PIPE : 804F355A
19:13:10:841 3888 DetectCureTDL3: IRP_MJ_CLOSE : BA0EEBB0
19:13:10:841 3888 DetectCureTDL3: IRP_MJ_READ : BA0E8D1F
19:13:10:841 3888 DetectCureTDL3: IRP_MJ_WRITE : BA0E8D1F
19:13:10:841 3888 DetectCureTDL3: IRP_MJ_QUERY_INFORMATION : 804F355A
19:13:10:841 3888 DetectCureTDL3: IRP_MJ_SET_INFORMATION : 804F355A
19:13:10:841 3888 DetectCureTDL3: IRP_MJ_QUERY_EA : 804F355A
19:13:10:841 3888 DetectCureTDL3: IRP_MJ_SET_EA : 804F355A
19:13:10:841 3888 DetectCureTDL3: IRP_MJ_FLUSH_BUFFERS : BA0E92E2
19:13:10:841 3888 DetectCureTDL3: IRP_MJ_QUERY_VOLUME_INFORMATION : 804F355A
19:13:10:841 3888 DetectCureTDL3: IRP_MJ_SET_VOLUME_INFORMATION : 804F355A
19:13:10:841 3888 DetectCureTDL3: IRP_MJ_DIRECTORY_CONTROL : 804F355A
19:13:10:841 3888 DetectCureTDL3: IRP_MJ_FILE_SYSTEM_CONTROL : 804F355A
19:13:10:841 3888 DetectCureTDL3: IRP_MJ_DEVICE_CONTROL : BA0E93BB
19:13:10:841 3888 DetectCureTDL3: IRP_MJ_INTERNAL_DEVICE_CONTROL : BA0ECF28
19:13:10:841 3888 DetectCureTDL3: IRP_MJ_SHUTDOWN : BA0E92E2
19:13:10:841 3888 DetectCureTDL3: IRP_MJ_LOCK_CONTROL : 804F355A
19:13:10:841 3888 DetectCureTDL3: IRP_MJ_CLEANUP : 804F355A
19:13:10:841 3888 DetectCureTDL3: IRP_MJ_CREATE_MAILSLOT : 804F355A
19:13:10:841 3888 DetectCureTDL3: IRP_MJ_QUERY_SECURITY : 804F355A
19:13:10:841 3888 DetectCureTDL3: IRP_MJ_SET_SECURITY : 804F355A
19:13:10:841 3888 DetectCureTDL3: IRP_MJ_POWER : BA0EAC82
19:13:10:841 3888 DetectCureTDL3: IRP_MJ_SYSTEM_CONTROL : BA0EF99E
19:13:10:841 3888 DetectCureTDL3: IRP_MJ_DEVICE_CHANGE : 804F355A
19:13:10:841 3888 DetectCureTDL3: IRP_MJ_QUERY_QUOTA : 804F355A
19:13:10:841 3888 DetectCureTDL3: IRP_MJ_SET_QUOTA : 804F355A
19:13:10:841 3888 TDL3_FileDetect: Processing driver: Disk
19:13:10:841 3888 TDL3_FileDetect: Processing driver file: C:\windows\system32\DRIVERS\disk.sys
19:13:10:841 3888 KLMD_CreateFileW: Trying to open file C:\windows\system32\DRIVERS\disk.sys
19:13:10:841 3888 TDL3_FileDetect: Processing driver: Disk
19:13:10:841 3888 TDL3_FileDetect: Processing driver file: C:\windows\system32\DRIVERS\disk.sys
19:13:10:841 3888 KLMD_CreateFileW: Trying to open file C:\windows\system32\DRIVERS\disk.sys
19:13:10:841 3888 TDL3_FileDetect: C:\windows\system32\DRIVERS\disk.sys - Verdict: Clean
19:13:10:841 3888
19:13:10:841 3888 DetectCureTDL3: DEVICE_OBJECT: 8AA05348
19:13:10:841 3888 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8AA05348
19:13:10:841 3888 DetectCureTDL3: DEVICE_OBJECT: 8A960A80
19:13:10:841 3888 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A960A80
19:13:10:841 3888 KLMD_ReadMem: Trying to ReadMemory 0x8A960A80[0x38]
19:13:10:841 3888 DetectCureTDL3: DRIVER_OBJECT: 8A999578
19:13:10:841 3888 KLMD_ReadMem: Trying to ReadMemory 0x8A999578[0xA8]
19:13:10:841 3888 KLMD_ReadMem: Trying to ReadMemory 0xE2121F08[0x1E]
19:13:10:841 3888 DetectCureTDL3: DRIVER_OBJECT name: \Driver\MXOPSWD, Driver Name: MXOPSWD
19:13:10:841 3888 DetectCureTDL3: IRP_MJ_CREATE : B628F07A
19:13:10:841 3888 DetectCureTDL3: IRP_MJ_CREATE_NAMED_PIPE : 804F355A
19:13:10:841 3888 DetectCureTDL3: IRP_MJ_CLOSE : B628F07A
19:13:10:841 3888 DetectCureTDL3: IRP_MJ_READ : 804F355A
19:13:10:841 3888 DetectCureTDL3: IRP_MJ_WRITE : 804F355A
19:13:10:841 3888 DetectCureTDL3: IRP_MJ_QUERY_INFORMATION : 804F355A
19:13:10:841 3888 DetectCureTDL3: IRP_MJ_SET_INFORMATION : 804F355A
19:13:10:841 3888 DetectCureTDL3: IRP_MJ_QUERY_EA : 804F355A
19:13:10:841 3888 DetectCureTDL3: IRP_MJ_SET_EA : 804F355A
19:13:10:841 3888 DetectCureTDL3: IRP_MJ_FLUSH_BUFFERS : 804F355A
19:13:10:841 3888 DetectCureTDL3: IRP_MJ_QUERY_VOLUME_INFORMATION : 804F355A
19:13:10:841 3888 DetectCureTDL3: IRP_MJ_SET_VOLUME_INFORMATION : 804F355A
19:13:10:841 3888 DetectCureTDL3: IRP_MJ_DIRECTORY_CONTROL : 804F355A
19:13:10:841 3888 DetectCureTDL3: IRP_MJ_FILE_SYSTEM_CONTROL : 804F355A
19:13:10:841 3888 DetectCureTDL3: IRP_MJ_DEVICE_CONTROL : B6290712
19:13:10:841 3888 DetectCureTDL3: IRP_MJ_INTERNAL_DEVICE_CONTROL : B62906E6
19:13:10:841 3888 DetectCureTDL3: IRP_MJ_SHUTDOWN : 804F355A
19:13:10:841 3888 DetectCureTDL3: IRP_MJ_LOCK_CONTROL : 804F355A
19:13:10:841 3888 DetectCureTDL3: IRP_MJ_CLEANUP : 804F355A
19:13:10:841 3888 DetectCureTDL3: IRP_MJ_CREATE_MAILSLOT : 804F355A
19:13:10:841 3888 DetectCureTDL3: IRP_MJ_QUERY_SECURITY : 804F355A
19:13:10:841 3888 DetectCureTDL3: IRP_MJ_SET_SECURITY : 804F355A
19:13:10:841 3888 DetectCureTDL3: IRP_MJ_POWER : B628FB6A
19:13:10:841 3888 DetectCureTDL3: IRP_MJ_SYSTEM_CONTROL : B6290746
19:13:10:841 3888 DetectCureTDL3: IRP_MJ_DEVICE_CHANGE : 804F355A
19:13:10:841 3888 DetectCureTDL3: IRP_MJ_QUERY_QUOTA : 804F355A
19:13:10:841 3888 DetectCureTDL3: IRP_MJ_SET_QUOTA : 804F355A
19:13:10:841 3888 TDL3_FileDetect: Processing driver: MXOPSWD
19:13:10:841 3888 TDL3_FileDetect: Processing driver file: C:\windows\system32\DRIVERS\mxopswd.sys
19:13:10:841 3888 KLMD_CreateFileW: Trying to open file C:\windows\system32\DRIVERS\mxopswd.sys
19:13:10:841 3888 TDL3_FileDetect: Processing driver: MXOPSWD
19:13:10:841 3888 TDL3_FileDetect: Processing driver file: C:\windows\system32\DRIVERS\mxopswd.sys
19:13:10:841 3888 KLMD_CreateFileW: Trying to open file C:\windows\system32\DRIVERS\mxopswd.sys
19:13:10:856 3888 TDL3_FileDetect: C:\windows\system32\DRIVERS\mxopswd.sys - Verdict: Clean
19:13:10:856 3888
19:13:10:856 3888 DetectCureTDL3: DEVICE_OBJECT: 8A614608
19:13:10:856 3888 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A614608
19:13:10:856 3888 DetectCureTDL3: DEVICE_OBJECT: 8A617C48
19:13:10:856 3888 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A617C48
19:13:10:856 3888 KLMD_ReadMem: Trying to ReadMemory 0x8A617C48[0x38]
19:13:10:856 3888 DetectCureTDL3: DRIVER_OBJECT: 8A6B02A8
19:13:10:856 3888 KLMD_ReadMem: Trying to ReadMemory 0x8A6B02A8[0xA8]
19:13:10:856 3888 KLMD_ReadMem: Trying to ReadMemory 0xE1EC9850[0x1E]
19:13:10:856 3888 DetectCureTDL3: DRIVER_OBJECT name: \Driver\USBSTOR, Driver Name: USBSTOR
19:13:10:856 3888 DetectCureTDL3: IRP_MJ_CREATE : BA3D5218
19:13:10:856 3888 DetectCureTDL3: IRP_MJ_CREATE_NAMED_PIPE : 804F355A
19:13:10:856 3888 DetectCureTDL3: IRP_MJ_CLOSE : BA3D5218
19:13:10:856 3888 DetectCureTDL3: IRP_MJ_READ : BA3D523C
19:13:10:856 3888 DetectCureTDL3: IRP_MJ_WRITE : BA3D523C
19:13:10:856 3888 DetectCureTDL3: IRP_MJ_QUERY_INFORMATION : 804F355A
19:13:10:856 3888 DetectCureTDL3: IRP_MJ_SET_INFORMATION : 804F355A
19:13:10:856 3888 DetectCureTDL3: IRP_MJ_QUERY_EA : 804F355A
19:13:10:856 3888 DetectCureTDL3: IRP_MJ_SET_EA : 804F355A
19:13:10:856 3888 DetectCureTDL3: IRP_MJ_FLUSH_BUFFERS : 804F355A
19:13:10:856 3888 DetectCureTDL3: IRP_MJ_QUERY_VOLUME_INFORMATION : 804F355A
19:13:10:856 3888 DetectCureTDL3: IRP_MJ_SET_VOLUME_INFORMATION : 804F355A
19:13:10:856 3888 DetectCureTDL3: IRP_MJ_DIRECTORY_CONTROL : 804F355A
19:13:10:856 3888 DetectCureTDL3: IRP_MJ_FILE_SYSTEM_CONTROL : 804F355A
19:13:10:856 3888 DetectCureTDL3: IRP_MJ_DEVICE_CONTROL : BA3D5180
19:13:10:856 3888 DetectCureTDL3: IRP_MJ_INTERNAL_DEVICE_CONTROL : BA3D09E6
19:13:10:856 3888 DetectCureTDL3: IRP_MJ_SHUTDOWN : 804F355A
19:13:10:856 3888 DetectCureTDL3: IRP_MJ_LOCK_CONTROL : 804F355A
19:13:10:856 3888 DetectCureTDL3: IRP_MJ_CLEANUP : 804F355A
19:13:10:856 3888 DetectCureTDL3: IRP_MJ_CREATE_MAILSLOT : 804F355A
19:13:10:856 3888 DetectCureTDL3: IRP_MJ_QUERY_SECURITY : 804F355A
19:13:10:856 3888 DetectCureTDL3: IRP_MJ_SET_SECURITY : 804F355A
19:13:10:856 3888 DetectCureTDL3: IRP_MJ_POWER : BA3D45F0
19:13:10:856 3888 DetectCureTDL3: IRP_MJ_SYSTEM_CONTROL : BA3D2A6E
19:13:10:856 3888 DetectCureTDL3: IRP_MJ_DEVICE_CHANGE : 804F355A
19:13:10:856 3888 DetectCureTDL3: IRP_MJ_QUERY_QUOTA : 804F355A
19:13:10:856 3888 DetectCureTDL3: IRP_MJ_SET_QUOTA : 804F355A
19:13:10:856 3888 TDL3_FileDetect: Processing driver: USBSTOR
19:13:10:856 3888 TDL3_FileDetect: Processing driver file: C:\windows\system32\DRIVERS\USBSTOR.SYS
19:13:10:856 3888 KLMD_CreateFileW: Trying to open file C:\windows\system32\DRIVERS\USBSTOR.SYS
19:13:10:856 3888 KLMD_ReadMem: Trying to ReadMemory 0xBA3D1F26[0x400]
19:13:10:856 3888 TDL3_StartIoHookDetect: CheckParameters: 0, 00000000, 0
19:13:10:856 3888 TDL3_FileDetect: Processing driver: USBSTOR
19:13:10:856 3888 TDL3_FileDetect: Processing driver file: C:\windows\system32\DRIVERS\USBSTOR.SYS
19:13:10:856 3888 KLMD_CreateFileW: Trying to open file C:\windows\system32\DRIVERS\USBSTOR.SYS
19:13:10:856 3888 TDL3_FileDetect: C:\windows\system32\DRIVERS\USBSTOR.SYS - Verdict: Clean
19:13:10:856 3888
19:13:10:856 3888 DetectCureTDL3: DEVICE_OBJECT: 8A628788
19:13:10:856 3888 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A628788
19:13:10:856 3888 KLMD_ReadMem: Trying to ReadMemory 0x8A628788[0x38]
19:13:10:856 3888 DetectCureTDL3: DRIVER_OBJECT: 8AB94A08
19:13:10:856 3888 KLMD_ReadMem: Trying to ReadMemory 0x8AB94A08[0xA8]
19:13:10:856 3888 KLMD_ReadMem: Trying to ReadMemory 0xE100D860[0x18]
19:13:10:856 3888 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
19:13:10:856 3888 DetectCureTDL3: IRP_MJ_CREATE : BA0EEBB0
19:13:10:856 3888 DetectCureTDL3: IRP_MJ_CREATE_NAMED_PIPE : 804F355A
19:13:10:856 3888 DetectCureTDL3: IRP_MJ_CLOSE : BA0EEBB0
19:13:10:856 3888 DetectCureTDL3: IRP_MJ_READ : BA0E8D1F
19:13:10:856 3888 DetectCureTDL3: IRP_MJ_WRITE : BA0E8D1F
19:13:10:856 3888 DetectCureTDL3: IRP_MJ_QUERY_INFORMATION : 804F355A
19:13:10:856 3888 DetectCureTDL3: IRP_MJ_SET_INFORMATION : 804F355A
19:13:10:856 3888 DetectCureTDL3: IRP_MJ_QUERY_EA : 804F355A
19:13:10:856 3888 DetectCureTDL3: IRP_MJ_SET_EA : 804F355A
19:13:10:856 3888 DetectCureTDL3: IRP_MJ_FLUSH_BUFFERS : BA0E92E2
19:13:10:856 3888 DetectCureTDL3: IRP_MJ_QUERY_VOLUME_INFORMATION : 804F355A
19:13:10:856 3888 DetectCureTDL3: IRP_MJ_SET_VOLUME_INFORMATION : 804F355A
19:13:10:856 3888 DetectCureTDL3: IRP_MJ_DIRECTORY_CONTROL : 804F355A
19:13:10:856 3888 DetectCureTDL3: IRP_MJ_FILE_SYSTEM_CONTROL : 804F355A
19:13:10:856 3888 DetectCureTDL3: IRP_MJ_DEVICE_CONTROL : BA0E93BB
19:13:10:856 3888 DetectCureTDL3: IRP_MJ_INTERNAL_DEVICE_CONTROL : BA0ECF28
19:13:10:856 3888 DetectCureTDL3: IRP_MJ_SHUTDOWN : BA0E92E2
19:13:10:856 3888 DetectCureTDL3: IRP_MJ_LOCK_CONTROL : 804F355A
19:13:10:856 3888 DetectCureTDL3: IRP_MJ_CLEANUP : 804F355A
19:13:10:856 3888 DetectCureTDL3: IRP_MJ_CREATE_MAILSLOT : 804F355A
19:13:10:856 3888 DetectCureTDL3: IRP_MJ_QUERY_SECURITY : 804F355A
19:13:10:856 3888 DetectCureTDL3: IRP_MJ_SET_SECURITY : 804F355A
19:13:10:856 3888 DetectCureTDL3: IRP_MJ_POWER : BA0EAC82
19:13:10:856 3888 DetectCureTDL3: IRP_MJ_SYSTEM_CONTROL : BA0EF99E
19:13:10:856 3888 DetectCureTDL3: IRP_MJ_DEVICE_CHANGE : 804F355A
19:13:10:856 3888 DetectCureTDL3: IRP_MJ_QUERY_QUOTA : 804F355A
19:13:10:856 3888 DetectCureTDL3: IRP_MJ_SET_QUOTA : 804F355A
19:13:10:856 3888 TDL3_FileDetect: Processing driver: Disk
19:13:10:856 3888 TDL3_FileDetect: Processing driver file: C:\windows\system32\DRIVERS\disk.sys
19:13:10:856 3888 KLMD_CreateFileW: Trying to open file C:\windows\system32\DRIVERS\disk.sys
19:13:10:856 3888 TDL3_FileDetect: Processing driver: Disk
19:13:10:856 3888 TDL3_FileDetect: Processing driver file: C:\windows\system32\DRIVERS\disk.sys
19:13:10:856 3888 KLMD_CreateFileW: Trying to open file C:\windows\system32\DRIVERS\disk.sys
19:13:10:856 3888 TDL3_FileDetect: C:\windows\system32\DRIVERS\disk.sys - Verdict: Clean
19:13:10:856 3888
19:13:10:856 3888 DetectCureTDL3: DEVICE_OBJECT: 8AA81AA0
19:13:10:856 3888 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8AA81AA0
19:13:10:856 3888 KLMD_ReadMem: Trying to ReadMemory 0x8AA81AA0[0x38]
19:13:10:856 3888 DetectCureTDL3: DRIVER_OBJECT: 8AB94A08
19:13:10:856 3888 KLMD_ReadMem: Trying to ReadMemory 0x8AB94A08[0xA8]
19:13:10:856 3888 KLMD_ReadMem: Trying to ReadMemory 0xE100D860[0x18]
19:13:10:856 3888 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
19:13:10:856 3888 DetectCureTDL3: IRP_MJ_CREATE : BA0EEBB0
19:13:10:856 3888 DetectCureTDL3: IRP_MJ_CREATE_NAMED_PIPE : 804F355A
19:13:10:856 3888 DetectCureTDL3: IRP_MJ_CLOSE : BA0EEBB0
19:13:10:856 3888 DetectCureTDL3: IRP_MJ_READ : BA0E8D1F
19:13:10:856 3888 DetectCureTDL3: IRP_MJ_WRITE : BA0E8D1F
19:13:10:856 3888 DetectCureTDL3: IRP_MJ_QUERY_INFORMATION : 804F355A
19:13:10:856 3888 DetectCureTDL3: IRP_MJ_SET_INFORMATION : 804F355A
19:13:10:856 3888 DetectCureTDL3: IRP_MJ_QUERY_EA : 804F355A
19:13:10:856 3888 DetectCureTDL3: IRP_MJ_SET_EA : 804F355A
19:13:10:856 3888 DetectCureTDL3: IRP_MJ_FLUSH_BUFFERS : BA0E92E2
19:13:10:856 3888 DetectCureTDL3: IRP_MJ_QUERY_VOLUME_INFORMATION : 804F355A
19:13:10:856 3888 DetectCureTDL3: IRP_MJ_SET_VOLUME_INFORMATION : 804F355A
19:13:10:856 3888 DetectCureTDL3: IRP_MJ_DIRECTORY_CONTROL : 804F355A
19:13:10:856 3888 DetectCureTDL3: IRP_MJ_FILE_SYSTEM_CONTROL : 804F355A
19:13:10:856 3888 DetectCureTDL3: IRP_MJ_DEVICE_CONTROL : BA0E93BB
19:13:10:856 3888 DetectCureTDL3: IRP_MJ_INTERNAL_DEVICE_CONTROL : BA0ECF28
19:13:10:856 3888 DetectCureTDL3: IRP_MJ_SHUTDOWN : BA0E92E2
19:13:10:856 3888 DetectCureTDL3: IRP_MJ_LOCK_CONTROL : 804F355A
19:13:10:856 3888 DetectCureTDL3: IRP_MJ_CLEANUP : 804F355A
19:13:10:856 3888 DetectCureTDL3: IRP_MJ_CREATE_MAILSLOT : 804F355A
19:13:10:856 3888 DetectCureTDL3: IRP_MJ_QUERY_SECURITY : 804F355A
19:13:10:856 3888 DetectCureTDL3: IRP_MJ_SET_SECURITY : 804F355A
19:13:10:856 3888 DetectCureTDL3: IRP_MJ_POWER : BA0EAC82
19:13:10:856 3888 DetectCureTDL3: IRP_MJ_SYSTEM_CONTROL : BA0EF99E
19:13:10:856 3888 DetectCureTDL3: IRP_MJ_DEVICE_CHANGE : 804F355A
19:13:10:856 3888 DetectCureTDL3: IRP_MJ_QUERY_QUOTA : 804F355A
19:13:10:856 3888 DetectCureTDL3: IRP_MJ_SET_QUOTA : 804F355A
19:13:10:856 3888 TDL3_FileDetect: Processing driver: Disk
19:13:10:856 3888 TDL3_FileDetect: Processing driver file: C:\windows\system32\DRIVERS\disk.sys
19:13:10:856 3888 KLMD_CreateFileW: Trying to open file C:\windows\system32\DRIVERS\disk.sys
19:13:10:872 3888 TDL3_FileDetect: Processing driver: Disk
19:13:10:872 3888 TDL3_FileDetect: Processing driver file: C:\windows\system32\DRIVERS\disk.sys
19:13:10:872 3888 KLMD_CreateFileW: Trying to open file C:\windows\system32\DRIVERS\disk.sys
19:13:10:872 3888 TDL3_FileDetect: C:\windows\system32\DRIVERS\disk.sys - Verdict: Clean
19:13:10:872 3888
19:13:10:872 3888 DetectCureTDL3: DEVICE_OBJECT: 8A5C95C0
19:13:10:872 3888 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A5C95C0
19:13:10:872 3888 KLMD_ReadMem: Trying to ReadMemory 0x8A5C95C0[0x38]
19:13:10:872 3888 DetectCureTDL3: DRIVER_OBJECT: 8AB94A08
19:13:10:872 3888 KLMD_ReadMem: Trying to ReadMemory 0x8AB94A08[0xA8]
19:13:10:872 3888 KLMD_ReadMem: Trying to ReadMemory 0xE100D860[0x18]
19:13:10:872 3888 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
19:13:10:872 3888 DetectCureTDL3: IRP_MJ_CREATE : BA0EEBB0
19:13:10:872 3888 DetectCureTDL3: IRP_MJ_CREATE_NAMED_PIPE : 804F355A
19:13:10:872 3888 DetectCureTDL3: IRP_MJ_CLOSE : BA0EEBB0
19:13:10:872 3888 DetectCureTDL3: IRP_MJ_READ : BA0E8D1F
19:13:10:872 3888 DetectCureTDL3: IRP_MJ_WRITE : BA0E8D1F
19:13:10:872 3888 DetectCureTDL3: IRP_MJ_QUERY_INFORMATION : 804F355A
19:13:10:872 3888 DetectCureTDL3: IRP_MJ_SET_INFORMATION : 804F355A
19:13:10:872 3888 DetectCureTDL3: IRP_MJ_QUERY_EA : 804F355A
19:13:10:872 3888 DetectCureTDL3: IRP_MJ_SET_EA : 804F355A
19:13:10:872 3888 DetectCureTDL3: IRP_MJ_FLUSH_BUFFERS : BA0E92E2
19:13:10:872 3888 DetectCureTDL3: IRP_MJ_QUERY_VOLUME_INFORMATION : 804F355A
19:13:10:872 3888 DetectCureTDL3: IRP_MJ_SET_VOLUME_INFORMATION : 804F355A
19:13:10:872 3888 DetectCureTDL3: IRP_MJ_DIRECTORY_CONTROL : 804F355A
19:13:10:872 3888 DetectCureTDL3: IRP_MJ_FILE_SYSTEM_CONTROL : 804F355A
19:13:10:872 3888 DetectCureTDL3: IRP_MJ_DEVICE_CONTROL : BA0E93BB
19:13:10:872 3888 DetectCureTDL3: IRP_MJ_INTERNAL_DEVICE_CONTROL : BA0ECF28
19:13:10:872 3888 DetectCureTDL3: IRP_MJ_SHUTDOWN : BA0E92E2
19:13:10:872 3888 DetectCureTDL3: IRP_MJ_LOCK_CONTROL : 804F355A
19:13:10:872 3888 DetectCureTDL3: IRP_MJ_CLEANUP : 804F355A
19:13:10:872 3888 DetectCureTDL3: IRP_MJ_CREATE_MAILSLOT : 804F355A
19:13:10:872 3888 DetectCureTDL3: IRP_MJ_QUERY_SECURITY : 804F355A
19:13:10:872 3888 DetectCureTDL3: IRP_MJ_SET_SECURITY : 804F355A
19:13:10:872 3888 DetectCureTDL3: IRP_MJ_POWER : BA0EAC82
19:13:10:872 3888 DetectCureTDL3: IRP_MJ_SYSTEM_CONTROL : BA0EF99E
19:13:10:872 3888 DetectCureTDL3: IRP_MJ_DEVICE_CHANGE : 804F355A
19:13:10:872 3888 DetectCureTDL3: IRP_MJ_QUERY_QUOTA : 804F355A
19:13:10:872 3888 DetectCureTDL3: IRP_MJ_SET_QUOTA : 804F355A
19:13:10:872 3888 TDL3_FileDetect: Processing driver: Disk
19:13:10:872 3888 TDL3_FileDetect: Processing driver file: C:\windows\system32\DRIVERS\disk.sys
19:13:10:872 3888 KLMD_CreateFileW: Trying to open file C:\windows\system32\DRIVERS\disk.sys
19:13:10:872 3888 TDL3_FileDetect: Processing driver: Disk
19:13:10:872 3888 TDL3_FileDetect: Processing driver file: C:\windows\system32\DRIVERS\disk.sys
19:13:10:872 3888 KLMD_CreateFileW: Trying to open file C:\windows\system32\DRIVERS\disk.sys
19:13:10:872 3888 TDL3_FileDetect: C:\windows\system32\DRIVERS\disk.sys - Verdict: Clean
19:13:10:872 3888
19:13:10:872 3888 DetectCureTDL3: DEVICE_OBJECT: 8A692600
19:13:10:872 3888 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A692600
19:13:10:872 3888 KLMD_ReadMem: Trying to ReadMemory 0x8A692600[0x38]
19:13:10:872 3888 DetectCureTDL3: DRIVER_OBJECT: 8AB94A08
19:13:10:872 3888 KLMD_ReadMem: Trying to ReadMemory 0x8AB94A08[0xA8]
19:13:10:872 3888 KLMD_ReadMem: Trying to ReadMemory 0xE100D860[0x18]
19:13:10:872 3888 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
19:13:10:872 3888 DetectCureTDL3: IRP_MJ_CREATE : BA0EEBB0
19:13:10:872 3888 DetectCureTDL3: IRP_MJ_CREATE_NAMED_PIPE : 804F355A
19:13:10:872 3888 DetectCureTDL3: IRP_MJ_CLOSE : BA0EEBB0
19:13:10:872 3888 DetectCureTDL3: IRP_MJ_READ : BA0E8D1F
19:13:10:872 3888 DetectCureTDL3: IRP_MJ_WRITE : BA0E8D1F
19:13:10:872 3888 DetectCureTDL3: IRP_MJ_QUERY_INFORMATION : 804F355A
19:13:10:872 3888 DetectCureTDL3: IRP_MJ_SET_INFORMATION : 804F355A
19:13:10:872 3888 DetectCureTDL3: IRP_MJ_QUERY_EA : 804F355A
19:13:10:872 3888 DetectCureTDL3: IRP_MJ_SET_EA : 804F355A
19:13:10:872 3888 DetectCureTDL3: IRP_MJ_FLUSH_BUFFERS : BA0E92E2
19:13:10:872 3888 DetectCureTDL3: IRP_MJ_QUERY_VOLUME_INFORMATION : 804F355A
19:13:10:872 3888 DetectCureTDL3: IRP_MJ_SET_VOLUME_INFORMATION : 804F355A
19:13:10:872 3888 DetectCureTDL3: IRP_MJ_DIRECTORY_CONTROL : 804F355A
19:13:10:872 3888 DetectCureTDL3: IRP_MJ_FILE_SYSTEM_CONTROL : 804F355A
19:13:10:872 3888 DetectCureTDL3: IRP_MJ_DEVICE_CONTROL : BA0E93BB
19:13:10:872 3888 DetectCureTDL3: IRP_MJ_INTERNAL_DEVICE_CONTROL : BA0ECF28
19:13:10:872 3888 DetectCureTDL3: IRP_MJ_SHUTDOWN : BA0E92E2
19:13:10:872 3888 DetectCureTDL3: IRP_MJ_LOCK_CONTROL : 804F355A
19:13:10:872 3888 DetectCureTDL3: IRP_MJ_CLEANUP : 804F355A
19:13:10:872 3888 DetectCureTDL3: IRP_MJ_CREATE_MAILSLOT : 804F355A
19:13:10:872 3888 DetectCureTDL3: IRP_MJ_QUERY_SECURITY : 804F355A
19:13:10:872 3888 DetectCureTDL3: IRP_MJ_SET_SECURITY : 804F355A
19:13:10:872 3888 DetectCureTDL3: IRP_MJ_POWER : BA0EAC82
19:13:10:872 3888 DetectCureTDL3: IRP_MJ_SYSTEM_CONTROL : BA0EF99E
19:13:10:872 3888 DetectCureTDL3: IRP_MJ_DEVICE_CHANGE : 804F355A
19:13:10:872 3888 DetectCureTDL3: IRP_MJ_QUERY_QUOTA : 804F355A
19:13:10:872 3888 DetectCureTDL3: IRP_MJ_SET_QUOTA : 804F355A
19:13:10:872 3888 TDL3_FileDetect: Processing driver: Disk
19:13:10:872 3888 TDL3_FileDetect: Processing driver file: C:\windows\system32\DRIVERS\disk.sys
19:13:10:872 3888 KLMD_CreateFileW: Trying to open file C:\windows\system32\DRIVERS\disk.sys
19:13:10:872 3888 TDL3_FileDetect: Processing driver: Disk
19:13:10:872 3888 TDL3_FileDetect: Processing driver file: C:\windows\system32\DRIVERS\disk.sys
19:13:10:872 3888 KLMD_CreateFileW: Trying to open file C:\windows\system32\DRIVERS\disk.sys
19:13:10:887 3888 TDL3_FileDetect: C:\windows\system32\DRIVERS\disk.sys - Verdict: Clean
19:13:10:887 3888
19:13:10:887 3888 DetectCureTDL3: DEVICE_OBJECT: 8AA90860
19:13:10:887 3888 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8AA90860
19:13:10:887 3888 DetectCureTDL3: DEVICE_OBJECT: 8A6A3030
19:13:10:887 3888 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A6A3030
19:13:10:887 3888 KLMD_ReadMem: Trying to ReadMemory 0x8A6A3030[0x38]
19:13:10:887 3888 DetectCureTDL3: DRIVER_OBJECT: 8A6B02A8
19:13:10:887 3888 KLMD_ReadMem: Trying to ReadMemory 0x8A6B02A8[0xA8]
19:13:10:887 3888 KLMD_ReadMem: Trying to ReadMemory 0xE1EC9850[0x1E]
19:13:10:887 3888 DetectCureTDL3: DRIVER_OBJECT name: \Driver\USBSTOR, Driver Name: USBSTOR
19:13:10:887 3888 DetectCureTDL3: IRP_MJ_CREATE : BA3D5218
19:13:10:887 3888 DetectCureTDL3: IRP_MJ_CREATE_NAMED_PIPE : 804F355A
19:13:10:887 3888 DetectCureTDL3: IRP_MJ_CLOSE : BA3D5218
19:13:10:887 3888 DetectCureTDL3: IRP_MJ_READ : BA3D523C
19:13:10:887 3888 DetectCureTDL3: IRP_MJ_WRITE : BA3D523C
19:13:10:887 3888 DetectCureTDL3: IRP_MJ_QUERY_INFORMATION : 804F355A
19:13:10:887 3888 DetectCureTDL3: IRP_MJ_SET_INFORMATION : 804F355A
19:13:10:887 3888 DetectCureTDL3: IRP_MJ_QUERY_EA : 804F355A
19:13:10:887 3888 DetectCureTDL3: IRP_MJ_SET_EA : 804F355A
19:13:10:887 3888 DetectCureTDL3: IRP_MJ_FLUSH_BUFFERS : 804F355A
19:13:10:887 3888 DetectCureTDL3: IRP_MJ_QUERY_VOLUME_INFORMATION : 804F355A
19:13:10:887 3888 DetectCureTDL3: IRP_MJ_SET_VOLUME_INFORMATION : 804F355A
19:13:10:887 3888 DetectCureTDL3: IRP_MJ_DIRECTORY_CONTROL : 804F355A
19:13:10:887 3888 DetectCureTDL3: IRP_MJ_FILE_SYSTEM_CONTROL : 804F355A
19:13:10:887 3888 DetectCureTDL3: IRP_MJ_DEVICE_CONTROL : BA3D5180
19:13:10:887 3888 DetectCureTDL3: IRP_MJ_INTERNAL_DEVICE_CONTROL : BA3D09E6
19:13:10:887 3888 DetectCureTDL3: IRP_MJ_SHUTDOWN : 804F355A
19:13:10:887 3888 DetectCureTDL3: IRP_MJ_LOCK_CONTROL : 804F355A
19:13:10:887 3888 DetectCureTDL3: IRP_MJ_CLEANUP : 804F355A
19:13:10:887 3888 DetectCureTDL3: IRP_MJ_CREATE_MAILSLOT : 804F355A
19:13:10:887 3888 DetectCureTDL3: IRP_MJ_QUERY_SECURITY : 804F355A
19:13:10:887 3888 DetectCureTDL3: IRP_MJ_SET_SECURITY : 804F355A
19:13:10:887 3888 DetectCureTDL3: IRP_MJ_POWER : BA3D45F0
19:13:10:887 3888 DetectCureTDL3: IRP_MJ_SYSTEM_CONTROL : BA3D2A6E
19:13:10:887 3888 DetectCureTDL3: IRP_MJ_DEVICE_CHANGE : 804F355A
19:13:10:887 3888 DetectCureTDL3: IRP_MJ_QUERY_QUOTA : 804F355A
19:13:10:887 3888 DetectCureTDL3: IRP_MJ_SET_QUOTA : 804F355A
19:13:10:887 3888 TDL3_FileDetect: Processing driver: USBSTOR
19:13:10:887 3888 TDL3_FileDetect: Processing driver file: C:\windows\system32\DRIVERS\USBSTOR.SYS
19:13:10:887 3888 KLMD_CreateFileW: Trying to open file C:\windows\system32\DRIVERS\USBSTOR.SYS
19:13:10:887 3888 KLMD_ReadMem: Trying to ReadMemory 0xBA3D1F26[0x400]
19:13:10:887 3888 TDL3_StartIoHookDetect: CheckParameters: 0, 00000000, 0
19:13:10:887 3888 TDL3_FileDetect: Processing driver: USBSTOR
19:13:10:887 3888 TDL3_FileDetect: Processing driver file: C:\windows\system32\DRIVERS\USBSTOR.SYS
19:13:10:887 3888 KLMD_CreateFileW: Trying to open file C:\windows\system32\DRIVERS\USBSTOR.SYS
19:13:10:887 3888 TDL3_FileDetect: C:\windows\system32\DRIVERS\USBSTOR.SYS - Verdict: Clean
19:13:10:887 3888
19:13:10:887 3888 DetectCureTDL3: DEVICE_OBJECT: 8A610AB8
19:13:10:887 3888 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A610AB8
19:13:10:887 3888 DetectCureTDL3: DEVICE_OBJECT: 8A631030
19:13:10:887 3888 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A631030
19:13:10:887 3888 KLMD_ReadMem: Trying to ReadMemory 0x8A631030[0x38]
19:13:10:887 3888 DetectCureTDL3: DRIVER_OBJECT: 8A6B02A8
19:13:10:887 3888 KLMD_ReadMem: Trying to ReadMemory 0x8A6B02A8[0xA8]
19:13:10:887 3888 KLMD_ReadMem: Trying to ReadMemory 0xE1EC9850[0x1E]
19:13:10:887 3888 DetectCureTDL3: DRIVER_OBJECT name: \Driver\USBSTOR, Driver Name: USBSTOR
19:13:10:887 3888 DetectCureTDL3: IRP_MJ_CREATE : BA3D5218
19:13:10:887 3888 DetectCureTDL3: IRP_MJ_CREATE_NAMED_PIPE : 804F355A
19:13:10:887 3888 DetectCureTDL3: IRP_MJ_CLOSE : BA3D5218
19:13:10:887 3888 DetectCureTDL3: IRP_MJ_READ : BA3D523C
19:13:10:887 3888 DetectCureTDL3: IRP_MJ_WRITE : BA3D523C
19:13:10:887 3888 DetectCureTDL3: IRP_MJ_QUERY_INFORMATION : 804F355A
19:13:10:887 3888 DetectCureTDL3: IRP_MJ_SET_INFORMATION : 804F355A
19:13:10:887 3888 DetectCureTDL3: IRP_MJ_QUERY_EA : 804F355A
19:13:10:887 3888 DetectCureTDL3: IRP_MJ_SET_EA : 804F355A
19:13:10:887 3888 DetectCureTDL3: IRP_MJ_FLUSH_BUFFERS : 804F355A
19:13:10:887 3888 DetectCureTDL3: IRP_MJ_QUERY_VOLUME_INFORMATION : 804F355A
19:13:10:887 3888 DetectCureTDL3: IRP_MJ_SET_VOLUME_INFORMATION : 804F355A
19:13:10:887 3888 DetectCureTDL3: IRP_MJ_DIRECTORY_CONTROL : 804F355A
19:13:10:887 3888 DetectCureTDL3: IRP_MJ_FILE_SYSTEM_CONTROL : 804F355A
19:13:10:887 3888 DetectCureTDL3: IRP_MJ_DEVICE_CONTROL : BA3D5180
19:13:10:887 3888 DetectCureTDL3: IRP_MJ_INTERNAL_DEVICE_CONTROL : BA3D09E6
19:13:10:887 3888 DetectCureTDL3: IRP_MJ_SHUTDOWN : 804F355A
19:13:10:887 3888 DetectCureTDL3: IRP_MJ_LOCK_CONTROL : 804F355A
19:13:10:887 3888 DetectCureTDL3: IRP_MJ_CLEANUP : 804F355A
19:13:10:887 3888 DetectCureTDL3: IRP_MJ_CREATE_MAILSLOT : 804F355A
19:13:10:887 3888 DetectCureTDL3: IRP_MJ_QUERY_SECURITY : 804F355A
19:13:10:887 3888 DetectCureTDL3: IRP_MJ_SET_SECURITY : 804F355A
19:13:10:887 3888 DetectCureTDL3: IRP_MJ_POWER : BA3D45F0
19:13:10:887 3888 DetectCureTDL3: IRP_MJ_SYSTEM_CONTROL : BA3D2A6E
19:13:10:887 3888 DetectCureTDL3: IRP_MJ_DEVICE_CHANGE : 804F355A
19:13:10:887 3888 DetectCureTDL3: IRP_MJ_QUERY_QUOTA : 804F355A
19:13:10:887 3888 DetectCureTDL3: IRP_MJ_SET_QUOTA : 804F355A
19:13:10:887 3888 TDL3_FileDetect: Processing driver: USBSTOR
19:13:10:887 3888 TDL3_FileDetect: Processing driver file: C:\windows\system32\DRIVERS\USBSTOR.SYS
19:13:10:887 3888 KLMD_CreateFileW: Trying to open file C:\windows\system32\DRIVERS\USBSTOR.SYS
19:13:10:887 3888 KLMD_ReadMem: Trying to ReadMemory 0xBA3D1F26[0x400]
19:13:10:887 3888 TDL3_StartIoHookDetect: CheckParameters: 0, 00000000, 0
19:13:10:887 3888 TDL3_FileDetect: Processing driver: USBSTOR
19:13:10:887 3888 TDL3_FileDetect: Processing driver file: C:\windows\system32\DRIVERS\USBSTOR.SYS
19:13:10:887 3888 KLMD_CreateFileW: Trying to open file C:\windows\system32\DRIVERS\USBSTOR.SYS
19:13:10:887 3888 TDL3_FileDetect: C:\windows\system32\DRIVERS\USBSTOR.SYS - Verdict: Clean
19:13:10:887 3888
19:13:10:887 3888 DetectCureTDL3: DEVICE_OBJECT: 8A5A53C8
19:13:10:887 3888 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A5A53C8
19:13:10:887 3888 DetectCureTDL3: DEVICE_OBJECT: 8A6C94F0
19:13:10:887 3888 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A6C94F0
19:13:10:887 3888 KLMD_ReadMem: Trying to ReadMemory 0x8A6C94F0[0x38]
19:13:10:887 3888 DetectCureTDL3: DRIVER_OBJECT: 8A6B02A8
19:13:10:887 3888 KLMD_ReadMem: Trying to ReadMemory 0x8A6B02A8[0xA8]
19:13:10:887 3888 KLMD_ReadMem: Trying to ReadMemory 0xE1EC9850[0x1E]
19:13:10:887 3888 DetectCureTDL3: DRIVER_OBJECT name: \Driver\USBSTOR, Driver Name: USBSTOR
19:13:10:887 3888 DetectCureTDL3: IRP_MJ_CREATE : BA3D5218
19:13:10:887 3888 DetectCureTDL3: IRP_MJ_CREATE_NAMED_PIPE : 804F355A
19:13:10:887 3888 DetectCureTDL3: IRP_MJ_CLOSE : BA3D5218
19:13:10:887 3888 DetectCureTDL3: IRP_MJ_READ : BA3D523C
19:13:10:887 3888 DetectCureTDL3: IRP_MJ_WRITE : BA3D523C
19:13:10:887 3888 DetectCureTDL3: IRP_MJ_QUERY_INFORMATION : 804F355A
19:13:10:887 3888 DetectCureTDL3: IRP_MJ_SET_INFORMATION : 804F355A
19:13:10:887 3888 DetectCureTDL3: IRP_MJ_QUERY_EA : 804F355A
19:13:10:887 3888 DetectCureTDL3: IRP_MJ_SET_EA : 804F355A
19:13:10:887 3888 DetectCureTDL3: IRP_MJ_FLUSH_BUFFERS : 804F355A
19:13:10:887 3888 DetectCureTDL3: IRP_MJ_QUERY_VOLUME_INFORMATION : 804F355A
19:13:10:887 3888 DetectCureTDL3: IRP_MJ_SET_VOLUME_INFORMATION : 804F355A
19:13:10:887 3888 DetectCureTDL3: IRP_MJ_DIRECTORY_CONTROL : 804F355A
19:13:10:887 3888 DetectCureTDL3: IRP_MJ_FILE_SYSTEM_CONTROL : 804F355A
19:13:10:887 3888 DetectCureTDL3: IRP_MJ_DEVICE_CONTROL : BA3D5180
19:13:10:887 3888 DetectCureTDL3: IRP_MJ_INTERNAL_DEVICE_CONTROL : BA3D09E6
19:13:10:887 3888 DetectCureTDL3: IRP_MJ_SHUTDOWN : 804F355A
19:13:10:887 3888 DetectCureTDL3: IRP_MJ_LOCK_CONTROL : 804F355A
19:13:10:887 3888 DetectCureTDL3: IRP_MJ_CLEANUP : 804F355A
19:13:10:887 3888 DetectCureTDL3: IRP_MJ_CREATE_MAILSLOT : 804F355A
19:13:10:887 3888 DetectCureTDL3: IRP_MJ_QUERY_SECURITY : 804F355A
19:13:10:887 3888 DetectCureTDL3: IRP_MJ_SET_SECURITY : 804F355A
19:13:10:887 3888 DetectCureTDL3: IRP_MJ_POWER : BA3D45F0
19:13:10:887 3888 DetectCureTDL3: IRP_MJ_SYSTEM_CONTROL : BA3D2A6E
19:13:10:887 3888 DetectCureTDL3: IRP_MJ_DEVICE_CHANGE : 804F355A
19:13:10:887 3888 DetectCureTDL3: IRP_MJ_QUERY_QUOTA : 804F355A
19:13:10:887 3888 DetectCureTDL3: IRP_MJ_SET_QUOTA : 804F355A
19:13:10:887 3888 TDL3_FileDetect: Processing driver: USBSTOR
19:13:10:887 3888 TDL3_FileDetect: Processing driver file: C:\windows\system32\DRIVERS\USBSTOR.SYS
19:13:10:887 3888 KLMD_CreateFileW: Trying to open file C:\windows\system32\DRIVERS\USBSTOR.SYS
19:13:10:903 3888 KLMD_ReadMem: Trying to ReadMemory 0xBA3D1F26[0x400]
19:13:10:903 3888 TDL3_StartIoHookDetect: CheckParameters: 0, 00000000, 0
19:13:10:903 3888 TDL3_FileDetect: Processing driver: USBSTOR
19:13:10:903 3888 TDL3_FileDetect: Processing driver file: C:\windows\system32\DRIVERS\USBSTOR.SYS
19:13:10:903 3888 KLMD_CreateFileW: Trying to open file C:\windows\system32\DRIVERS\USBSTOR.SYS
19:13:10:903 3888 TDL3_FileDetect: C:\windows\system32\DRIVERS\USBSTOR.SYS - Verdict: Clean
19:13:10:903 3888
19:13:10:903 3888 DetectCureTDL3: DEVICE_OBJECT: 8A6AE4F0
19:13:10:903 3888 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A6AE4F0
19:13:10:903 3888 DetectCureTDL3: DEVICE_OBJECT: 8A5DC030
19:13:10:903 3888 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A5DC030
19:13:10:903 3888 KLMD_ReadMem: Trying to ReadMemory 0x8A5DC030[0x38]
19:13:10:903 3888 DetectCureTDL3: DRIVER_OBJECT: 8A6B02A8
19:13:10:903 3888 KLMD_ReadMem: Trying to ReadMemory 0x8A6B02A8[0xA8]
19:13:10:903 3888 KLMD_ReadMem: Trying to ReadMemory 0xE1EC9850[0x1E]
19:13:10:903 3888 DetectCureTDL3: DRIVER_OBJECT name: \Driver\USBSTOR, Driver Name: USBSTOR
19:13:10:903 3888 DetectCureTDL3: IRP_MJ_CREATE : BA3D5218
19:13:10:903 3888 DetectCureTDL3: IRP_MJ_CREATE_NAMED_PIPE : 804F355A
19:13:10:903 3888 DetectCureTDL3: IRP_MJ_CLOSE : BA3D5218
19:13:10:903 3888 DetectCureTDL3: IRP_MJ_READ : BA3D523C
19:13:10:903 3888 DetectCureTDL3: IRP_MJ_WRITE : BA3D523C
19:13:10:903 3888 DetectCureTDL3: IRP_MJ_QUERY_INFORMATION : 804F355A
19:13:10:903 3888 DetectCureTDL3: IRP_MJ_SET_INFORMATION : 804F355A
19:13:10:903 3888 DetectCureTDL3: IRP_MJ_QUERY_EA : 804F355A
19:13:10:903 3888 DetectCureTDL3: IRP_MJ_SET_EA : 804F355A
19:13:10:903 3888 DetectCureTDL3: IRP_MJ_FLUSH_BUFFERS : 804F355A
19:13:10:903 3888 DetectCureTDL3: IRP_MJ_QUERY_VOLUME_INFORMATION : 804F355A
19:13:10:903 3888 DetectCureTDL3: IRP_MJ_SET_VOLUME_INFORMATION : 804F355A
19:13:10:903 3888 DetectCureTDL3: IRP_MJ_DIRECTORY_CONTROL : 804F355A
19:13:10:903 3888 DetectCureTDL3: IRP_MJ_FILE_SYSTEM_CONTROL : 804F355A
19:13:10:903 3888 DetectCureTDL3: IRP_MJ_DEVICE_CONTROL : BA3D5180
19:13:10:903 3888 DetectCureTDL3: IRP_MJ_INTERNAL_DEVICE_CONTROL : BA3D09E6
19:13:10:903 3888 DetectCureTDL3: IRP_MJ_SHUTDOWN : 804F355A
19:13:10:903 3888 DetectCureTDL3: IRP_MJ_LOCK_CONTROL : 804F355A
19:13:10:903 3888 DetectCureTDL3: IRP_MJ_CLEANUP : 804F355A
19:13:10:903 3888 DetectCureTDL3: IRP_MJ_CREATE_MAILSLOT : 804F355A
19:13:10:903 3888 DetectCureTDL3: IRP_MJ_QUERY_SECURITY : 804F355A
19:13:10:903 3888 DetectCureTDL3: IRP_MJ_SET_SECURITY : 804F355A
19:13:10:903 3888 DetectCureTDL3: IRP_MJ_POWER : BA3D45F0
19:13:10:903 3888 DetectCureTDL3: IRP_MJ_SYSTEM_CONTROL : BA3D2A6E
19:13:10:903 3888 DetectCureTDL3: IRP_MJ_DEVICE_CHANGE : 804F355A
19:13:10:903 3888 DetectCureTDL3: IRP_MJ_QUERY_QUOTA : 804F355A
19:13:10:903 3888 DetectCureTDL3: IRP_MJ_SET_QUOTA : 804F355A
19:13:10:903 3888 TDL3_FileDetect: Processing driver: USBSTOR
19:13:10:903 3888 TDL3_FileDetect: Processing driver file: C:\windows\system32\DRIVERS\USBSTOR.SYS
19:13:10:903 3888 KLMD_CreateFileW: Trying to open file C:\windows\system32\DRIVERS\USBSTOR.SYS
19:13:10:903 3888 KLMD_ReadMem: Trying to ReadMemory 0xBA3D1F26[0x400]
19:13:10:903 3888 TDL3_StartIoHookDetect: CheckParameters: 0, 00000000, 0
19:13:10:903 3888 TDL3_FileDetect: Processing driver: USBSTOR
19:13:10:903 3888 TDL3_FileDetect: Processing driver file: C:\windows\system32\DRIVERS\USBSTOR.SYS
19:13:10:903 3888 KLMD_CreateFileW: Trying to open file C:\windows\system32\DRIVERS\USBSTOR.SYS
19:13:10:903 3888 TDL3_FileDetect: C:\windows\system32\DRIVERS\USBSTOR.SYS - Verdict: Clean
19:13:10:903 3888
19:13:10:903 3888 DetectCureTDL3: DEVICE_OBJECT: 8AB26C68
19:13:10:903 3888 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8AB26C68
19:13:10:903 3888 KLMD_ReadMem: Trying to ReadMemory 0x8AB26C68[0x38]
19:13:10:903 3888 DetectCureTDL3: DRIVER_OBJECT: 8AB94A08
19:13:10:903 3888 KLMD_ReadMem: Trying to ReadMemory 0x8AB94A08[0xA8]
19:13:10:903 3888 KLMD_ReadMem: Trying to ReadMemory 0xE100D860[0x18]
19:13:10:903 3888 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
19:13:10:903 3888 DetectCureTDL3: IRP_MJ_CREATE : BA0EEBB0
19:13:10:903 3888 DetectCureTDL3: IRP_MJ_CREATE_NAMED_PIPE : 804F355A
19:13:10:903 3888 DetectCureTDL3: IRP_MJ_CLOSE : BA0EEBB0
19:13:10:903 3888 DetectCureTDL3: IRP_MJ_READ : BA0E8D1F
19:13:10:903 3888 DetectCureTDL3: IRP_MJ_WRITE : BA0E8D1F
19:13:10:903 3888 DetectCureTDL3: IRP_MJ_QUERY_INFORMATION : 804F355A
19:13:10:903 3888 DetectCureTDL3: IRP_MJ_SET_INFORMATION : 804F355A
19:13:10:903 3888 DetectCureTDL3: IRP_MJ_QUERY_EA : 804F355A
19:13:10:903 3888 DetectCureTDL3: IRP_MJ_SET_EA : 804F355A
19:13:10:903 3888 DetectCureTDL3: IRP_MJ_FLUSH_BUFFERS : BA0E92E2
19:13:10:903 3888 DetectCureTDL3: IRP_MJ_QUERY_VOLUME_INFORMATION : 804F355A
19:13:10:903 3888 DetectCureTDL3: IRP_MJ_SET_VOLUME_INFORMATION : 804F355A
19:13:10:903 3888 DetectCureTDL3: IRP_MJ_DIRECTORY_CONTROL : 804F355A
19:13:10:903 3888 DetectCureTDL3: IRP_MJ_FILE_SYSTEM_CONTROL : 804F355A
19:13:10:903 3888 DetectCureTDL3: IRP_MJ_DEVICE_CONTROL : BA0E93BB
19:13:10:903 3888 DetectCureTDL3: IRP_MJ_INTERNAL_DEVICE_CONTROL : BA0ECF28
19:13:10:903 3888 DetectCureTDL3: IRP_MJ_SHUTDOWN : BA0E92E2
19:13:10:903 3888 DetectCureTDL3: IRP_MJ_LOCK_CONTROL : 804F355A
19:13:10:903 3888 DetectCureTDL3: IRP_MJ_CLEANUP : 804F355A
19:13:10:903 3888 DetectCureTDL3: IRP_MJ_CREATE_MAILSLOT : 804F355A
19:13:10:903 3888 DetectCureTDL3: IRP_MJ_QUERY_SECURITY : 804F355A
19:13:10:903 3888 DetectCureTDL3: IRP_MJ_SET_SECURITY : 804F355A
19:13:10:903 3888 DetectCureTDL3: IRP_MJ_POWER : BA0EAC82
19:13:10:903 3888 DetectCureTDL3: IRP_MJ_SYSTEM_CONTROL : BA0EF99E
19:13:10:903 3888 DetectCureTDL3: IRP_MJ_DEVICE_CHANGE : 804F355A
19:13:10:903 3888 DetectCureTDL3: IRP_MJ_QUERY_QUOTA : 804F355A
19:13:10:903 3888 DetectCureTDL3: IRP_MJ_SET_QUOTA : 804F355A
19:13:10:903 3888 TDL3_FileDetect: Processing driver: Disk
19:13:10:903 3888 TDL3_FileDetect: Processing driver file: C:\windows\system32\DRIVERS\disk.sys
19:13:10:903 3888 KLMD_CreateFileW: Trying to open file C:\windows\system32\DRIVERS\disk.sys
19:13:10:903 3888 TDL3_FileDetect: Processing driver: Disk
19:13:10:903 3888 TDL3_FileDetect: Processing driver file: C:\windows\system32\DRIVERS\disk.sys
19:13:10:903 3888 KLMD_CreateFileW: Trying to open file C:\windows\system32\DRIVERS\disk.sys
19:13:10:903 3888 TDL3_FileDetect: C:\windows\system32\DRIVERS\disk.sys - Verdict: Clean
19:13:10:903 3888
19:13:10:903 3888 DetectCureTDL3: DEVICE_OBJECT: 8AAEF030
19:13:10:903 3888 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8AAEF030
19:13:10:903 3888 KLMD_ReadMem: Trying to ReadMemory 0x8AAEF030[0x38]
19:13:10:903 3888 DetectCureTDL3: DRIVER_OBJECT: 8AB94A08
19:13:10:903 3888 KLMD_ReadMem: Trying to ReadMemory 0x8AB94A08[0xA8]
19:13:10:903 3888 KLMD_ReadMem: Trying to ReadMemory 0xE100D860[0x18]
19:13:10:903 3888 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
19:13:10:903 3888 DetectCureTDL3: IRP_MJ_CREATE : BA0EEBB0
19:13:10:903 3888 DetectCureTDL3: IRP_MJ_CREATE_NAMED_PIPE : 804F355A
19:13:10:903 3888 DetectCureTDL3: IRP_MJ_CLOSE : BA0EEBB0
19:13:10:903 3888 DetectCureTDL3: IRP_MJ_READ : BA0E8D1F
19:13:10:903 3888 DetectCureTDL3: IRP_MJ_WRITE : BA0E8D1F
19:13:10:903 3888 DetectCureTDL3: IRP_MJ_QUERY_INFORMATION : 804F355A
19:13:10:903 3888 DetectCureTDL3: IRP_MJ_SET_INFORMATION : 804F355A
19:13:10:903 3888 DetectCureTDL3: IRP_MJ_QUERY_EA : 804F355A
19:13:10:903 3888 DetectCureTDL3: IRP_MJ_SET_EA : 804F355A
19:13:10:903 3888 DetectCureTDL3: IRP_MJ_FLUSH_BUFFERS : BA0E92E2
19:13:10:903 3888 DetectCureTDL3: IRP_MJ_QUERY_VOLUME_INFORMATION : 804F355A
19:13:10:903 3888 DetectCureTDL3: IRP_MJ_SET_VOLUME_INFORMATION : 804F355A
19:13:10:903 3888 DetectCureTDL3: IRP_MJ_DIRECTORY_CONTROL : 804F355A
19:13:10:903 3888 DetectCureTDL3: IRP_MJ_FILE_SYSTEM_CONTROL : 804F355A
19:13:10:903 3888 DetectCureTDL3: IRP_MJ_DEVICE_CONTROL : BA0E93BB
19:13:10:903 3888 DetectCureTDL3: IRP_MJ_INTERNAL_DEVICE_CONTROL : BA0ECF28
19:13:10:903 3888 DetectCureTDL3: IRP_MJ_SHUTDOWN : BA0E92E2
19:13:10:903 3888 DetectCureTDL3: IRP_MJ_LOCK_CONTROL : 804F355A
19:13:10:903 3888 DetectCureTDL3: IRP_MJ_CLEANUP : 804F355A
19:13:10:903 3888 DetectCureTDL3: IRP_MJ_CREATE_MAILSLOT : 804F355A
19:13:10:903 3888 DetectCureTDL3: IRP_MJ_QUERY_SECURITY : 804F355A
19:13:10:903 3888 DetectCureTDL3: IRP_MJ_SET_SECURITY : 804F355A
19:13:10:903 3888 DetectCureTDL3: IRP_MJ_POWER : BA0EAC82
19:13:10:903 3888 DetectCureTDL3: IRP_MJ_SYSTEM_CONTROL : BA0EF99E
19:13:10:919 3888 DetectCureTDL3: IRP_MJ_DEVICE_CHANGE : 804F355A
19:13:10:919 3888 DetectCureTDL3: IRP_MJ_QUERY_QUOTA : 804F355A
19:13:10:919 3888 DetectCureTDL3: IRP_MJ_SET_QUOTA : 804F355A
19:13:10:919 3888 TDL3_FileDetect: Processing driver: Disk
19:13:10:919 3888 TDL3_FileDetect: Processing driver file: C:\windows\system32\DRIVERS\disk.sys
19:13:10:919 3888 KLMD_CreateFileW: Trying to open file C:\windows\system32\DRIVERS\disk.sys
19:13:10:919 3888 TDL3_FileDetect: Processing driver: Disk
19:13:10:919 3888 TDL3_FileDetect: Processing driver file: C:\windows\system32\DRIVERS\disk.sys
19:13:10:919 3888 KLMD_CreateFileW: Trying to open file C:\windows\system32\DRIVERS\disk.sys
19:13:10:919 3888 TDL3_FileDetect: C:\windows\system32\DRIVERS\disk.sys - Verdict: Clean
19:13:10:919 3888
19:13:10:919 3888 DetectCureTDL3: DEVICE_OBJECT: 8AB87AB8
19:13:10:919 3888 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8AB87AB8
19:13:10:919 3888 DetectCureTDL3: DEVICE_OBJECT: 8AB3FF18
19:13:10:919 3888 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8AB3FF18
19:13:10:919 3888 DetectCureTDL3: DEVICE_OBJECT: 8AB95B00
19:13:10:919 3888 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8AB95B00
19:13:10:919 3888 KLMD_ReadMem: Trying to ReadMemory 0x8AB95B00[0x38]
19:13:10:919 3888 DetectCureTDL3: DRIVER_OBJECT: 8AAEC480
19:13:10:919 3888 KLMD_ReadMem: Trying to ReadMemory 0x8AAEC480[0xA8]
19:13:10:919 3888 KLMD_ReadMem: Trying to ReadMemory 0xE1B8A7E0[0x1A]
19:13:10:919 3888 DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi
19:13:10:919 3888 DetectCureTDL3: IRP_MJ_CREATE : B9F3AB3A
19:13:10:919 3888 DetectCureTDL3: IRP_MJ_CREATE_NAMED_PIPE : B9F3AB3A
19:13:10:919 3888 DetectCureTDL3: IRP_MJ_CLOSE : B9F3AB3A
19:13:10:919 3888 DetectCureTDL3: IRP_MJ_READ : B9F3AB3A
19:13:10:919 3888 DetectCureTDL3: IRP_MJ_WRITE : B9F3AB3A
19:13:10:919 3888 DetectCureTDL3: IRP_MJ_QUERY_INFORMATION : B9F3AB3A
19:13:10:919 3888 DetectCureTDL3: IRP_MJ_SET_INFORMATION : B9F3AB3A
19:13:10:919 3888 DetectCureTDL3: IRP_MJ_QUERY_EA : B9F3AB3A
19:13:10:919 3888 DetectCureTDL3: IRP_MJ_SET_EA : B9F3AB3A
19:13:10:919 3888 DetectCureTDL3: IRP_MJ_FLUSH_BUFFERS : B9F3AB3A
19:13:10:919 3888 DetectCureTDL3: IRP_MJ_QUERY_VOLUME_INFORMATION : B9F3AB3A
19:13:10:919 3888 DetectCureTDL3: IRP_MJ_SET_VOLUME_INFORMATION : B9F3AB3A
19:13:10:919 3888 DetectCureTDL3: IRP_MJ_DIRECTORY_CONTROL : B9F3AB3A
19:13:10:919 3888 DetectCureTDL3: IRP_MJ_FILE_SYSTEM_CONTROL : B9F3AB3A
19:13:10:919 3888 DetectCureTDL3: IRP_MJ_DEVICE_CONTROL : B9F3AB3A
19:13:10:919 3888 DetectCureTDL3: IRP_MJ_INTERNAL_DEVICE_CONTROL : B9F3AB3A
19:13:10:919 3888 DetectCureTDL3: IRP_MJ_SHUTDOWN : B9F3AB3A
19:13:10:919 3888 DetectCureTDL3: IRP_MJ_LOCK_CONTROL : B9F3AB3A
19:13:10:919 3888 DetectCureTDL3: IRP_MJ_CLEANUP : B9F3AB3A
19:13:10:919 3888 DetectCureTDL3: IRP_MJ_CREATE_MAILSLOT : B9F3AB3A
19:13:10:919 3888 DetectCureTDL3: IRP_MJ_QUERY_SECURITY : B9F3AB3A
19:13:10:919 3888 DetectCureTDL3: IRP_MJ_SET_SECURITY : B9F3AB3A
19:13:10:919 3888 DetectCureTDL3: IRP_MJ_POWER : B9F3AB3A
19:13:10:919 3888 DetectCureTDL3: IRP_MJ_SYSTEM_CONTROL : B9F3AB3A
19:13:10:919 3888 DetectCureTDL3: IRP_MJ_DEVICE_CHANGE : B9F3AB3A
19:13:10:919 3888 DetectCureTDL3: IRP_MJ_QUERY_QUOTA : B9F3AB3A
19:13:10:919 3888 DetectCureTDL3: IRP_MJ_SET_QUOTA : B9F3AB3A
19:13:10:919 3888 TDL3_FileDetect: Processing driver: atapi
19:13:10:919 3888 TDL3_FileDetect: Processing driver file: C:\windows\system32\DRIVERS\atapi.sys
19:13:10:919 3888 KLMD_CreateFileW: Trying to open file C:\windows\system32\DRIVERS\atapi.sys
19:13:10:934 3888 DetectCureTDL3: All IRP handlers pointed to one addr: B9F3AB3A
19:13:10:934 3888 KLMD_ReadMem: Trying to ReadMemory 0xB9F3AB3A[0x400]
19:13:10:934 3888 TDL3_IrpHookDetect: TDL3 Stub signature found, trying to get hook true addr
19:13:10:934 3888 KLMD_ReadMem: Trying to ReadMemory 0xFFDF0308[0x4]
19:13:10:934 3888 KLMD_ReadMem: Trying to ReadMemory 0x8AB3A0B4[0x4]
19:13:10:934 3888 TDL3_IrpHookDetect: New IrpHandler addr: 8AB0B8C8
19:13:10:934 3888 KLMD_ReadMem: Trying to ReadMemory 0x8AB0B8C8[0x400]
19:13:10:934 3888 TDL3_IrpHookDetect: CheckParameters: 10, FFDF0308, 510, 134, 3, 120
19:13:10:934 3888 Driver "atapi" Irp handler infected by TDSS rootkit ... 19:13:10:934 3888 KLMD_WriteMem: Trying to WriteMemory 0x8AB0B94E[0xD]
19:13:10:934 3888 cured
19:13:10:950 3888 KLMD_ReadMem: Trying to ReadMemory 0xB9F38864[0x400]
19:13:10:950 3888 TDL3_StartIoHookDetect: CheckParameters: 0, 00000000, 0
19:13:10:950 3888 TDL3_FileDetect: Processing driver: atapi
19:13:10:950 3888 TDL3_FileDetect: Processing driver file: C:\windows\system32\DRIVERS\atapi.sys
19:13:10:950 3888 KLMD_CreateFileW: Trying to open file C:\windows\system32\DRIVERS\atapi.sys
19:13:10:950 3888 TDL3_FileDetect: C:\windows\system32\DRIVERS\atapi.sys - Verdict: Infected
19:13:10:950 3888 File C:\windows\system32\DRIVERS\atapi.sys infected by TDSS rootkit ... 19:13:10:950 3888 TDL3_FileCure: Processing driver file: C:\windows\system32\DRIVERS\atapi.sys
19:13:10:950 3888 ProcessDirEnumEx: FindFirstFile(C:\windows\system32\DriverStore\FileRepository\*) error 3
19:13:10:950 3888 CABFileCallback: Processing cab-file: C:\windows\Driver Cache\i386\driver.cab
19:13:10:981 3888 CABFileCallback: Processing cab-file: C:\windows\Driver Cache\i386\sp2.cab
19:13:10:981 3888 CABFileCallback: Processing cab-file: C:\windows\Driver Cache\i386\sp3.cab
19:13:10:981 3888 CabinetCallback: Backup candidate found: atapi.sys:96512, extracting..
19:13:11:028 3888 CabinetCallback: File extracted successfully: C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\bck6C5.tmp
19:13:11:028 3888 ValidateDriverFile: Stage 1 passed
19:13:11:028 3888 ValidateDriverFile: Stage 2 passed
19:13:11:122 3888 DigitalSignVerifyByHandle: Embedded DS result: 800B0100
19:13:12:872 3888 DigitalSignVerifyByHandle: Cat DS result: 00000000
19:13:12:872 3888 ValidateDriverFile: Stage 3 passed
19:13:12:872 3888 CabinetCallback: File validated successfully, restore information prepared
19:13:12:872 3888 FindDriverFileBackup: Backup copy found in cab-file
19:13:12:872 3888 TDL3_FileCure: Backup copy found, using it..
19:13:12:872 3888 TDL3_FileCure: Dumping cured buffer to file C:\windows\system32\drivers\tsk6C6.tmp
19:13:12:903 3888 TDL3_FileCure: New / Old Image paths: (system32\drivers\tsk6C6.tmp, system32\drivers\atapi.sys)
19:13:12:903 3888 TDL3_FileCure: KLMD jobs schedule success
19:13:12:903 3888 will be cured on next reboot
19:13:12:903 3888
19:13:12:903 3888 DetectCureTDL3: DEVICE_OBJECT: 8AB92AB8
19:13:12:903 3888 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8AB92AB8
19:13:12:903 3888 DetectCureTDL3: DEVICE_OBJECT: 8AAF4F18
19:13:12:903 3888 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8AAF4F18
19:13:12:903 3888 DetectCureTDL3: DEVICE_OBJECT: 8AB3D940
19:13:12:903 3888 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8AB3D940
19:13:12:903 3888 KLMD_ReadMem: Trying to ReadMemory 0x8AB3D940[0x38]
19:13:12:903 3888 DetectCureTDL3: DRIVER_OBJECT: 8AAEC480
19:13:12:903 3888 KLMD_ReadMem: Trying to ReadMemory 0x8AAEC480[0xA8]
19:13:12:903 3888 KLMD_ReadMem: Trying to ReadMemory 0xE1B8A7E0[0x1A]
19:13:12:903 3888 DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi
19:13:12:903 3888 DetectCureTDL3: IRP_MJ_CREATE : B9F3AB3A
19:13:12:903 3888 DetectCureTDL3: IRP_MJ_CREATE_NAMED_PIPE : B9F3AB3A
19:13:12:903 3888 DetectCureTDL3: IRP_MJ_CLOSE : B9F3AB3A
19:13:12:903 3888 DetectCureTDL3: IRP_MJ_READ : B9F3AB3A
19:13:12:903 3888 DetectCureTDL3: IRP_MJ_WRITE : B9F3AB3A
19:13:12:903 3888 DetectCureTDL3: IRP_MJ_QUERY_INFORMATION : B9F3AB3A
19:13:12:903 3888 DetectCureTDL3: IRP_MJ_SET_INFORMATION : B9F3AB3A
19:13:12:903 3888 DetectCureTDL3: IRP_MJ_QUERY_EA : B9F3AB3A
19:13:12:903 3888 DetectCureTDL3: IRP_MJ_SET_EA : B9F3AB3A
19:13:12:903 3888 DetectCureTDL3: IRP_MJ_FLUSH_BUFFERS : B9F3AB3A
19:13:12:903 3888 DetectCureTDL3: IRP_MJ_QUERY_VOLUME_INFORMATION : B9F3AB3A
19:13:12:903 3888 DetectCureTDL3: IRP_MJ_SET_VOLUME_INFORMATION : B9F3AB3A
19:13:12:903 3888 DetectCureTDL3: IRP_MJ_DIRECTORY_CONTROL : B9F3AB3A
19:13:12:903 3888 DetectCureTDL3: IRP_MJ_FILE_SYSTEM_CONTROL : B9F3AB3A
19:13:12:903 3888 DetectCureTDL3: IRP_MJ_DEVICE_CONTROL : B9F3AB3A
19:13:12:903 3888 DetectCureTDL3: IRP_MJ_INTERNAL_DEVICE_CONTROL : B9F3AB3A
19:13:12:903 3888 DetectCureTDL3: IRP_MJ_SHUTDOWN : B9F3AB3A
19:13:12:903 3888 DetectCureTDL3: IRP_MJ_LOCK_CONTROL : B9F3AB3A
19:13:12:903 3888 DetectCureTDL3: IRP_MJ_CLEANUP : B9F3AB3A
19:13:12:903 3888 DetectCureTDL3: IRP_MJ_CREATE_MAILSLOT : B9F3AB3A
19:13:12:903 3888 DetectCureTDL3: IRP_MJ_QUERY_SECURITY : B9F3AB3A
19:13:12:903 3888 DetectCureTDL3: IRP_MJ_SET_SECURITY : B9F3AB3A
19:13:12:903 3888 DetectCureTDL3: IRP_MJ_POWER : B9F3AB3A
19:13:12:903 3888 DetectCureTDL3: IRP_MJ_SYSTEM_CONTROL : B9F3AB3A
19:13:12:903 3888 DetectCureTDL3: IRP_MJ_DEVICE_CHANGE : B9F3AB3A
19:13:12:903 3888 DetectCureTDL3: IRP_MJ_QUERY_QUOTA : B9F3AB3A
19:13:12:903 3888 DetectCureTDL3: IRP_MJ_SET_QUOTA : B9F3AB3A
19:13:12:903 3888 TDL3_FileDetect: Processing driver: atapi
19:13:12:903 3888 TDL3_FileDetect: Processing driver file: C:\windows\system32\drivers\tsk6C6.tmp
19:13:12:903 3888 KLMD_CreateFileW: Trying to open file C:\windows\system32\drivers\tsk6C6.tmp
19:13:12:903 3888 DetectCureTDL3: All IRP handlers pointed to one addr: B9F3AB3A
19:13:12:903 3888 KLMD_ReadMem: Trying to ReadMemory 0xB9F3AB3A[0x400]
19:13:12:903 3888 TDL3_IrpHookDetect: TDL3 Stub signature found, trying to get hook true addr
19:13:12:903 3888 KLMD_ReadMem: Trying to ReadMemory 0xFFDF0308[0x4]
19:13:12:903 3888 KLMD_ReadMem: Trying to ReadMemory 0x8AB3A0B4[0x4]
19:13:12:903 3888 TDL3_IrpHookDetect: New IrpHandler addr: 8AB0B8C8
19:13:12:903 3888 KLMD_ReadMem: Trying to ReadMemory 0x8AB0B8C8[0x400]
19:13:12:903 3888 TDL3_IrpHookDetect: TDL3 is already cured
19:13:12:903 3888 KLMD_ReadMem: Trying to ReadMemory 0xB9F38864[0x400]
19:13:12:903 3888 TDL3_StartIoHookDetect: CheckParameters: 0, 00000000, 0
19:13:12:903 3888 TDL3_FileDetect: Processing driver: atapi
19:13:12:903 3888 TDL3_FileDetect: Processing driver file: C:\windows\system32\drivers\tsk6C6.tmp
19:13:12:903 3888 KLMD_CreateFileW: Trying to open file C:\windows\system32\drivers\tsk6C6.tmp
19:13:12:903 3888 TDL3_FileDetect: C:\windows\system32\drivers\tsk6C6.tmp - Verdict: Clean
19:13:12:903 3888 UtilityBootReinit: Reboot required for cure complete..
19:13:12:919 3888 MyNtCreateFileW: NtCreateFile(\??\C:\windows\system32\drivers\klmdb.sys) returned status 00000000
19:13:13:044 3888 UtilityBootReinit: KLMD drop success
19:13:13:044 3888 KLMD_ApplyPendList: Pending buffer(5E7F_7F22, 608) dropped successfully
19:13:13:044 3888 UtilityBootReinit: Cure on reboot scheduled successfully
19:13:13:044 3888
19:13:13:044 3888 Completed
19:13:13:044 3888
19:13:13:044 3888 Results:
19:13:13:044 3888 Memory objects infected / cured / cured on reboot: 1 / 1 / 0
19:13:13:044 3888 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
19:13:13:044 3888 File objects infected / cured / cured on reboot: 1 / 0 / 1
19:13:13:044 3888
19:13:13:044 3888 UnloadDriverW: NtUnloadDriver error 1
19:13:13:044 3888 KLMD_Unload: UnloadDriverW(klmd21) error 1
19:13:13:044 3888 MyNtCreateFileW: NtCreateFile(\??\C:\windows\system32\drivers\klmd.sys) returned status 00000000
19:13:13:044 3888 UtilityDeinit: KLMD(ARK) unloaded successfully
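The log above records the two signals TDSSKiller uses for TDL3: every IRP_MJ_* entry in the atapi dispatch table pointing at one address (B9F3AB3A, the rootkit's stub, logged as "All IRP handlers pointed to one addr") and a file cure that is deferred to the next reboot. The script below is an added example written for this page, not part of TDSSKiller or of the thread; it parses a constructed log excerpt modelled on the posted one and recomputes those two checks so a responder can triage such a log without reading every line. The "disk" driver and its handler addresses in the sample are made up to show what a normal, non-collapsed dispatch table looks like.

```python
import re

# Constructed sample modelled on the TDSSKiller log posted in this thread.
# The "disk" driver and its handler addresses are invented to show the
# non-collapsed case; they are not from the thread.
SAMPLE_LOG = """\
19:13:12:903 3888 DetectCureTDL3: DRIVER_OBJECT name: \\Driver\\atapi, Driver Name: atapi
19:13:12:903 3888 DetectCureTDL3: IRP_MJ_CREATE : B9F3AB3A
19:13:12:903 3888 DetectCureTDL3: IRP_MJ_READ : B9F3AB3A
19:13:12:903 3888 DetectCureTDL3: IRP_MJ_WRITE : B9F3AB3A
19:13:12:903 3888 DetectCureTDL3: IRP_MJ_DEVICE_CONTROL : B9F3AB3A
19:13:12:903 3888 DetectCureTDL3: DRIVER_OBJECT name: \\Driver\\disk, Driver Name: disk
19:13:12:903 3888 DetectCureTDL3: IRP_MJ_CREATE : F7680001
19:13:12:903 3888 DetectCureTDL3: IRP_MJ_READ : F7680203
19:13:12:903 3888 DetectCureTDL3: IRP_MJ_DEVICE_CONTROL : F7680305
19:13:10:934 3888 Driver "atapi" Irp handler infected by TDSS rootkit ...
19:13:10:950 3888 File C:\\windows\\system32\\DRIVERS\\atapi.sys infected by TDSS rootkit ...
19:13:12:903 3888 will be cured on next reboot
19:13:13:044 3888 Memory objects infected / cured / cured on reboot: 1 / 1 / 0
19:13:13:044 3888 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
19:13:13:044 3888 File objects infected / cured / cured on reboot: 1 / 0 / 1
"""

DRIVER_RE = re.compile(r"DRIVER_OBJECT name: \S+, Driver Name: (\w+)")
IRP_RE = re.compile(r"(IRP_MJ_\w+) : ([0-9A-Fa-f]{8})\b")
RESULT_RE = re.compile(
    r"(\w+) objects infected / cured / cured on reboot: (\d+) / (\d+) / (\d+)")
INFECTED_RE = re.compile(r"(?:File|Driver) (\S+) .*infected by TDSS rootkit")


def parse_dispatch_tables(log: str) -> dict:
    """Map each driver named in DetectCureTDL3 lines to its
    {IRP_MJ_name: handler address} dispatch table."""
    tables, current = {}, None
    for line in log.splitlines():
        drv = DRIVER_RE.search(line)
        if drv:
            current = drv.group(1)
            tables.setdefault(current, {})
            continue
        irp = IRP_RE.search(line)
        if irp and current is not None:
            tables[current][irp.group(1)] = irp.group(2).upper()
    return tables


def collapsed_dispatch(tables: dict) -> dict:
    """Drivers whose whole dispatch table points at a single address.
    A legitimate driver uses different routines for different majors;
    TDL3 redirects every major to one stub, which is what TDSSKiller
    logs as 'All IRP handlers pointed to one addr'."""
    hits = {}
    for driver, table in tables.items():
        addrs = set(table.values())
        if len(table) > 1 and len(addrs) == 1:
            hits[driver] = addrs.pop()
    return hits


def parse_results(log: str) -> dict:
    """Summary counters as {category: (infected, cured, cured_on_reboot)}."""
    return {m.group(1): tuple(int(n) for n in m.group(2, 3, 4))
            for m in RESULT_RE.finditer(log)}


def infected_objects(log: str) -> list:
    """Names of the objects TDSSKiller reported as infected."""
    return [m.group(1).strip('"') for m in INFECTED_RE.finditer(log)]


def reboot_required(log: str) -> bool:
    """True when any cure is deferred: a non-zero 'cured on reboot'
    counter or an explicit deferred-cure message."""
    deferred = any(c[2] > 0 for c in parse_results(log).values())
    return deferred or "will be cured on next reboot" in log


def triage(log: str) -> dict:
    """One-shot summary a responder can act on."""
    tables = parse_dispatch_tables(log)
    return {
        "hooked_drivers": collapsed_dispatch(tables),
        "infected": infected_objects(log),
        "results": parse_results(log),
        "reboot_required": reboot_required(log),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against the sample, `triage` reports atapi as the only driver with a collapsed dispatch table, lists the driver object and atapi.sys as infected, and flags that a reboot is still needed because the file cure is scheduled rather than applied; a log that says "Completed" with a pending cure is not yet a clean machine, which is why the follow-up mbr.exe check in this thread was run after rebooting.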


#6 syler


  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 24 February 2010 - 11:11 AM

It looks like TDSSKiller got it, though I would need to check this. If you want to upgrade then you should be OK to do it now; let me know what you want to do.



#7 dewce

  • Topic Starter

  • Members
  • 10 posts

Posted 24 February 2010 - 11:23 AM

What do you need me to do to double check that TDSSKiller got it?

#8 syler


  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 24 February 2010 - 11:26 AM

Do this next step and let me know if you are still being redirected.

Download and Run MBR Rootkit Scan
  • Please download MBR Rootkit Detector and save it on your desktop.
  • Go to Start >> Run, then copy and paste the following line into the Run box:
    "%userprofile%\desktop\mbr.exe" -t

  • Select Run when you receive a Security Warning.
  • The process is automatic: a black DOS window will appear and disappear suddenly. This is normal.
  • A log file will then be created on your desktop, where you ran mbr.exe.
  • Copy and paste the contents of mbr.log in your next reply.



#9 dewce

  • Topic Starter

  • Members
  • 10 posts

Posted 24 February 2010 - 07:03 PM

The Google redirect has stopped. It now appears normal. Here is the mbr.log:

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: error reading MBR
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll tsk6C6.tmp pciide.sys PCIIDEX.SYS
kernel: MBR read successfully
copy of MBR has been found in sector 8 !


#10 syler


  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 24 February 2010 - 07:14 PM

Looks like TDSSKiller got it, you should be ok to back up and go ahead with the format.



#11 syler


  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 26 February 2010 - 08:52 PM

Can you let me know if you are going ahead with the format, so I can close this topic?



#12 syler


  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 03 March 2010 - 10:32 AM

Since this issue appears resolved ... this Topic is closed. Glad we could help.

If you need this topic reopened, please request this by sending me a PM
with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
