Unknown malware infection - browser hijacked, popups


This topic is locked
32 replies to this topic

#1 rrahl

  • Members
  • 23 posts

Posted 11 April 2010 - 07:31 PM

My computer was infected with a trojan "Selace.A" and "Selace.B", and maybe "Win32.Trojan.Spy". Microsoft Security Essentials found the first two; ADWare found the Spy.

My symptoms were hijacked browsing and popups. It started yesterday. I did a full scan, removed what needed to be removed, uninstalled the Java JREs and Flash and reinstalled both, and now both ADWare and MSE find nothing to report. I am still getting hijacked browsing and popups, and I'm hoping I can get some help from an expert.

Below are the contents of the DDS and GMER logs. Attach.txt is attached as well.

DDS LOG:

DDS (Ver_10-03-17.01) - NTFSx86
Run by Allan Douglass at 14:42:52.98 on Sun 04/11/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_19
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.938 [GMT -4:00]

AV: Microsoft Security Essentials *On-access scanning enabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\System32\CTSvcCDA.EXE
svchost.exe "C:\WINDOWS\system32\adptifa.exe"
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Common Files\Stardock\SDMCP.exe
C:\WINDOWS\SYSTEM32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\INSTAN~1\INSTAN~1\IWCTRL.EXE
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Security Task Manager\SpyProtector.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtlWake.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\PROGRA~1\Jetico\BCWipe\BCResident.exe
C:\WINDOWS\system32\ntvdm.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Lavasoft\Ad-Aware\Ad-Aware.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\Allan Douglass\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://cbs.sportsline.com/
uInternet Settings,ProxyServer = 127.0.0.1:7212
uInternet Settings,ProxyOverride = <local>
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\sdra64.exe,
BHO: MSN Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.0988.2\msneshellx.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.0988.2\msneshellx.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ATI Launchpad]
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [RemoteCenter] c:\program files\creative\mediasource\remotecontrol\RCMan.EXE
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [TCASUTIEXE] TCAUDIAG.exe -on
mRun: [Logitech Utility] Logi_MwX.Exe
mRun: [IW Controlcenter] c:\progra~1\instan~1\instan~1\IWCTRL.EXE
mRun: [RCScheduleCheck] c:\program files\vcom\recovery commander\RCSCHED.EXE -CHECK
mRun: [CTSysVol] c:\program files\creative\sbaudigy2zs\surround mixer\CTSysVol.exe /r
mRun: [CTDVDDET] c:\program files\creative\sbaudigy2zs\dvdaudio\CTDVDDet.EXE
mRun: [SBDrvDet] c:\program files\creative\sb drive det\SBDrvDet.exe /r
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
mRun: [CTHelper] CTHELPER.EXE
mRun: [Spy Protector] c:\program files\security task manager\SpyProtector.exe /autostart
mRun: [BCWipeTM Startup] "c:\program files\jetico\bcwipe\BCWipeTM.exe" startup
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
dRunOnce: [SetDefaultMIDI] MIDIDEF.EXE /s:'Creative SoundFont Synthesizer' /w:'SB Audigy'
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\ciscos~1.lnk - c:\program files\cisco systems\vpn client\ipsecdialer.exe
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\wg111v~1.lnk - c:\program files\netgear\wg111v2 configuration utility\RtlWake.exe
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: {578FC4E3-151E-456c-AF8E-B63061EFE228}
IE: {6224f700-cba3-4071-b251-47cb894244cd} - c:\program files\icq\ICQ.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partypoker\IEExtension.dll
Trusted Zone: aol.com\free
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} - hxxp://www.creative.com/su/ocx/15026/CTSUEng.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - hxxp://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.10.115.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8942.cab
DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} - hxxp://www.systemrequirementslab.com/sysreqlab2.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1128859283046
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} - hxxp://support.f-secure.com/ols/fscax.cab
DPF: {CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.4.1/jinstall-1_4_1-windows-i586.cab
DPF: {CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://www.popcap.com/webgames/popcaploader_v10.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://www.creative.com/su/ocx/15016/CTPID.cab
Notify: AtiExtEvent - Ati2evxx.dll
Notify: MCPClient - c:\program files\common files\stardock\mcpstub.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
STS: {ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4}: STS
SEH: HookRC Class: {a5780613-492e-4a2a-a7fd-549610edf6cc} - c:\program files\vcom\recovery commander\RCHOOK.DLL
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
LSA: Notification Packages = scecli c:\windows\system32\bidubiti.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\alland~1\applic~1\mozilla\firefox\profiles\h2dqf21t.default\
FF - prefs.js: browser.startup.homepage - cbs.sportsline.com
FF - plugin: c:\documents and settings\allan douglass\application data\mozilla\firefox\profiles\h2dqf21t.default\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll
FF - plugin: c:\program files\download manager\npfpdlm.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npff_gdm.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-4-11 64288]
R1 Asapi;ASAPI;c:\windows\system32\drivers\asapi.sys [2003-6-7 11264]
R1 cdrdrv;cdrdrv;c:\windows\system32\drivers\Cdrdrv.sys [2003-6-7 61440]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-6-18 149040]
R1 MpKsla5b9b56b;MpKsla5b9b56b;c:\documents and settings\all users.windows\application data\microsoft\microsoft antimalware\definition updates\{37e15692-a725-487f-ba99-bc90202ad2a8}\MpKsla5b9b56b.sys [2010-4-11 28880]
R1 vobcom;vobcom;c:\windows\system32\drivers\vobcom.sys [2003-6-7 9728]
R1 vobiw;vobiw;c:\windows\system32\drivers\vobIW.sys [2003-6-7 178688]
R2 CVPNDRV;Cisco Systems IPsec Driver;c:\windows\system32\drivers\CVPNDrv.sys [2004-7-12 263749]
R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [2006-10-18 66048]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-2-4 1265264]
R2 pavdrv;pavdrv;c:\windows\system32\drivers\pavdrv51.sys [2003-4-3 58752]
R2 PfDetNT;PfDetNT;c:\windows\system32\drivers\pfmodnt.sys [2005-12-8 8192]
R2 tcaicchg;tcaicchg;c:\windows\system32\TCAICCHG.SYS [2000-6-6 21233]
R2 TCAITDI;TCAITDI Protocol;c:\windows\system32\drivers\TCAITDI.SYS [2001-9-4 19534]
S2 clr_optimization_v2.0.50727_32SwPrv;.NET Runtime Optimization Service v2.0.50727_X86 clr_optimization_v2.0.50727_32SwPrv;c:\windows\system32\adptifa.exe srv --> c:\windows\system32\adptifa.exe srv [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-4-11 135664]
S3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20030607.003\NAVENG.SYS [2003-6-7 67800]
S3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20030607.003\NAVEX15.SYS [2003-6-7 531128]
S3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\drivers\wg111v2.sys [2006-10-18 167808]
S3 SjyPkt;SjyPkt;c:\windows\system32\drivers\SjyPkt.sys [2006-10-18 13532]
S4 BCSWAP;BCSWAP;c:\windows\system32\drivers\bcswap.sys [2008-11-13 91496]

=============== Created Last 30 ================

2010-04-11 05:11:28 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-04-11 05:00:42 0 d-----w- C:\~BCWipe.stu
2010-04-11 05:00:26 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-04-11 05:00:20 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-04-11 04:57:13 0 dc-h--w- c:\docume~1\alluse~1.win\applic~1\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-04-11 04:34:04 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-04-09 23:42:29 0 d-sh--w- c:\windows\system32\lowsec
2010-04-09 23:41:20 280 --s-a-w- c:\windows\system32\2609227831.dat
2010-04-04 22:50:17 0 d-----w- c:\documents and settings\allan douglass\motodevstudio
2010-04-04 22:44:24 0 d-----w- c:\documents and settings\allan douglass\user
2010-04-04 22:43:22 0 d-----w- c:\documents and settings\allan douglass\.android
2010-04-04 22:24:33 0 d-----w- c:\program files\OPhoneSDK_1.5
2010-04-04 21:23:56 0 d-----w- c:\documents and settings\allan douglass\.eclipse
2010-04-04 21:23:01 0 d-----w- c:\documents and settings\allan douglass\workspace
2010-04-04 21:22:32 0 d--h--w- c:\program files\InstallJammer Registry
2010-04-04 21:21:32 0 d-----w- c:\program files\Motorola
2010-04-04 17:55:50 12928 ----a-w- c:\windows\system32\drivers\filedisk.sys
2010-04-04 17:55:44 0 d-----w- c:\program files\WinImage
2010-03-22 15:02:38 0 d-----w- c:\program files\MSECache
2010-03-14 23:04:49 32128 -c--a-w- c:\windows\system32\dllcache\usbccgp.sys
2010-03-14 23:04:49 32128 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2010-03-14 03:22:47 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe

==================== Find3M ====================

2010-04-11 04:33:39 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-04-10 21:52:37 3270 ----a-w- c:\windows\system32\ealregsnapshot1.reg
2010-02-25 06:24:37 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 14:16:06 181632 ------w- c:\windows\system32\MpSigStub.exe
2008-07-09 03:04:19 6228 ----a-w- c:\program files\install.log
2003-03-31 15:40:00 437888 ----a-w- c:\windows\inf\EL2K_N64.sys
2003-03-31 15:39:08 145152 ----a-w- c:\windows\inf\EL2K_XP.sys
2003-03-31 15:38:50 145152 ----a-w- c:\windows\inf\EL2K_2K.sys
2003-06-08 00:13:34 32 --sha-w- c:\windows\{135FCF6B-7955-4256-A99E-2C393457670D}.dat
2003-06-08 00:12:25 32 --sha-w- c:\windows\{34E28297-F92B-4C00-BDCE-5FB9ECF9677F}.dat
2003-06-08 00:14:33 32 --sha-w- c:\windows\{750164C2-0F2B-40DC-AD69-292F61A625AC}.dat
2003-06-08 00:13:34 32 --sha-w- c:\windows\system32\{11851757-35C7-4F8A-A851-DFDD8840F455}.dat
2003-06-08 00:14:33 32 --sha-w- c:\windows\system32\{53C25621-58D3-4DDC-B8C7-30C375C1DDA5}.dat
2003-06-08 00:12:25 32 --sha-w- c:\windows\system32\{C1BCC51A-EF0C-4458-B6B6-26855E3CECAB}.dat
2008-09-06 16:08:27 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090620080907\index.dat
2009-09-07 12:48:12 16384 --sha-w- c:\windows\temp\cookies\index.dat
2009-09-07 12:48:12 16384 --sha-w- c:\windows\temp\history\history.ie5\index.dat
2009-09-07 12:48:12 32768 --sha-w- c:\windows\temp\temporary internet files\content.ie5\index.dat

============= FINISH: 14:44:12.84 ===============

GMER:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-11 19:51:28
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\ALLAND~1\LOCALS~1\Temp\pxtdrpow.sys


---- System - GMER 1.0.15 ----

SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xF766787E]
SSDT \??\C:\WINDOWS\System32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwCreateThread [0xF77C9B40]
SSDT \??\C:\WINDOWS\System32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwMapViewOfSection [0xF77C9860]
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xF7667BFE]
SSDT \??\C:\WINDOWS\System32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwTerminateProcess [0xF77C9CF0]

---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xB9816000, 0x1C5D38, 0xE8000020]
.rsrc C:\WINDOWS\System32\DRIVERS\RDPCDD.sys entry point in ".rsrc" section [0xF79F9C14]
.text tcpip.sys!IPTransmit + 10FC AC745D3A 6 Bytes CALL F782E490 Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
.text tcpip.sys!IPTransmit + 2A52 AC747690 6 Bytes CALL F782E490 Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
.text tcpip.sys!IPRegisterProtocol + 930 AC75D454 6 Bytes CALL F782E490 Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
.text wanarp.sys B9BE03FD 7 Bytes CALL F782E57C Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe[140] ntdll.dll!NtCreateThread 7C90D1AE 5 Bytes JMP 02522FE0
.text C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe[140] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 0252313E
.text C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe[140] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 0252DF23
.text C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe[140] USER32.dll!GetClipboardData 7E430DBA 5 Bytes JMP 0252E058
.text C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe[140] CRYPT32.dll!PFXImportCertStore 77AEFF8F 5 Bytes JMP 02522B30
.text C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe[140] WININET.dll!InternetReadFile 3D94654B 5 Bytes JMP 0253044C
.text C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe[140] WININET.dll!HttpQueryInfoA 3D94878D 5 Bytes JMP 025304F3
.text C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe[140] WININET.dll!InternetCloseHandle 3D949088 5 Bytes JMP 025304B4
.text C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe[140] WININET.dll!InternetQueryDataAvailable 3D94BF7F 5 Bytes JMP 02530491
.text C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe[140] WININET.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 025303C0
.text C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe[140] WININET.dll!HttpSendRequestA 3D95EE89 5 Bytes JMP 025303E2
.text C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe[140] WININET.dll!InternetReadFileExA 3D963381 5 Bytes JMP 0253046E
.text C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe[140] WININET.dll!HttpSendRequestExA 3D9BA70A 5 Bytes JMP 02530428
.text C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe[140] WININET.dll!HttpSendRequestExW 3D9BA763 5 Bytes JMP 02530404
.text C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe[140] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 0252C1A7
.text C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe[140] WS2_32.dll!send 71AB4C27 5 Bytes JMP 0252C1DB
.text C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe[140] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 0252C1F8
.text C:\WINDOWS\system32\spoolsv.exe[228] ntdll.dll!NtCreateThread 7C90D1AE 5 Bytes JMP 00E22FE0
.text C:\WINDOWS\system32\spoolsv.exe[228] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 00E2313E
.text C:\WINDOWS\system32\spoolsv.exe[228] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 00E2DF23
.text C:\WINDOWS\system32\spoolsv.exe[228] USER32.dll!GetClipboardData 7E430DBA 5 Bytes JMP 00E2E058
.text C:\WINDOWS\system32\spoolsv.exe[228] WININET.dll!InternetReadFile 3D94654B 5 Bytes JMP 00E3044C
.text C:\WINDOWS\system32\spoolsv.exe[228] WININET.dll!HttpQueryInfoA 3D94878D 5 Bytes JMP 00E304F3
.text C:\WINDOWS\system32\spoolsv.exe[228] WININET.dll!InternetCloseHandle 3D949088 5 Bytes JMP 00E304B4
.text C:\WINDOWS\system32\spoolsv.exe[228] WININET.dll!InternetQueryDataAvailable 3D94BF7F 5 Bytes JMP 00E30491
.text C:\WINDOWS\system32\spoolsv.exe[228] WININET.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 00E303C0
.text C:\WINDOWS\system32\spoolsv.exe[228] WININET.dll!HttpSendRequestA 3D95EE89 5 Bytes JMP 00E303E2
.text C:\WINDOWS\system32\spoolsv.exe[228] WININET.dll!InternetReadFileExA 3D963381 5 Bytes JMP 00E3046E
.text C:\WINDOWS\system32\spoolsv.exe[228] WININET.dll!HttpSendRequestExA 3D9BA70A 5 Bytes JMP 00E30428
.text C:\WINDOWS\system32\spoolsv.exe[228] WININET.dll!HttpSendRequestExW 3D9BA763 5 Bytes JMP 00E30404
.text C:\WINDOWS\system32\spoolsv.exe[228] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00E2C1A7
.text C:\WINDOWS\system32\spoolsv.exe[228] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00E2C1DB
.text C:\WINDOWS\system32\spoolsv.exe[228] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00E2C1F8
.text C:\WINDOWS\system32\spoolsv.exe[228] CRYPT32.dll!PFXImportCertStore 77AEFF8F 5 Bytes JMP 00E22B30
.text C:\WINDOWS\System32\MsPMSPSv.exe[556] ntdll.dll!NtCreateThread 7C90D1AE 5 Bytes JMP 00252FE0
.text C:\WINDOWS\System32\MsPMSPSv.exe[556] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 0025313E
.text C:\WINDOWS\System32\MsPMSPSv.exe[556] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 0025DF23
.text C:\WINDOWS\System32\MsPMSPSv.exe[556] USER32.dll!GetClipboardData 7E430DBA 5 Bytes JMP 0025E058
.text C:\WINDOWS\System32\MsPMSPSv.exe[556] WININET.dll!InternetReadFile 3D94654B 5 Bytes JMP 0026044C
.text C:\WINDOWS\System32\MsPMSPSv.exe[556] WININET.dll!HttpQueryInfoA 3D94878D 5 Bytes JMP 002604F3
.text C:\WINDOWS\System32\MsPMSPSv.exe[556] WININET.dll!InternetCloseHandle 3D949088 5 Bytes JMP 002604B4
.text C:\WINDOWS\System32\MsPMSPSv.exe[556] WININET.dll!InternetQueryDataAvailable 3D94BF7F 5 Bytes JMP 00260491
.text C:\WINDOWS\System32\MsPMSPSv.exe[556] WININET.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 002603C0
.text C:\WINDOWS\System32\MsPMSPSv.exe[556] WININET.dll!HttpSendRequestA 3D95EE89 5 Bytes JMP 002603E2
.text C:\WINDOWS\System32\MsPMSPSv.exe[556] WININET.dll!InternetReadFileExA 3D963381 5 Bytes JMP 0026046E
.text C:\WINDOWS\System32\MsPMSPSv.exe[556] WININET.dll!HttpSendRequestExA 3D9BA70A 5 Bytes JMP 00260428
.text C:\WINDOWS\System32\MsPMSPSv.exe[556] WININET.dll!HttpSendRequestExW 3D9BA763 5 Bytes JMP 00260404
.text C:\WINDOWS\System32\MsPMSPSv.exe[556] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 0025C1A7
.text C:\WINDOWS\System32\MsPMSPSv.exe[556] WS2_32.dll!send 71AB4C27 5 Bytes JMP 0025C1DB
.text C:\WINDOWS\System32\MsPMSPSv.exe[556] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 0025C1F8
.text C:\WINDOWS\System32\MsPMSPSv.exe[556] CRYPT32.dll!PFXImportCertStore 77AEFF8F 5 Bytes JMP 00252B30
.text C:\WINDOWS\system32\SearchIndexer.exe[648] ntdll.dll!NtCreateThread 7C90D1AE 5 Bytes JMP 0B2A2FE0
.text C:\WINDOWS\system32\SearchIndexer.exe[648] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 0B2A313E
.text C:\WINDOWS\system32\SearchIndexer.exe[648] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)
.text C:\WINDOWS\system32\SearchIndexer.exe[648] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 0B2ADF23
.text C:\WINDOWS\system32\SearchIndexer.exe[648] USER32.dll!GetClipboardData 7E430DBA 5 Bytes JMP 0B2AE058
.text C:\WINDOWS\system32\SearchIndexer.exe[648] CRYPT32.dll!PFXImportCertStore 77AEFF8F 5 Bytes JMP 0B2A2B30
.text C:\WINDOWS\system32\SearchIndexer.exe[648] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 0B2AC1A7
.text C:\WINDOWS\system32\SearchIndexer.exe[648] WS2_32.dll!send 71AB4C27 5 Bytes JMP 0B2AC1DB
.text C:\WINDOWS\system32\SearchIndexer.exe[648] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 0B2AC1F8
.text C:\WINDOWS\system32\SearchIndexer.exe[648] WININET.dll!InternetReadFile 3D94654B 5 Bytes JMP 0B2B044C
.text C:\WINDOWS\system32\SearchIndexer.exe[648] WININET.dll!HttpQueryInfoA 3D94878D 5 Bytes JMP 0B2B04F3
.text C:\WINDOWS\system32\SearchIndexer.exe[648] WININET.dll!InternetCloseHandle 3D949088 5 Bytes JMP 0B2B04B4
.text C:\WINDOWS\system32\SearchIndexer.exe[648] WININET.dll!InternetQueryDataAvailable 3D94BF7F 5 Bytes JMP 0B2B0491
.text C:\WINDOWS\system32\SearchIndexer.exe[648] WININET.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 0B2B03C0
.text C:\WINDOWS\system32\SearchIndexer.exe[648] WININET.dll!HttpSendRequestA 3D95EE89 5 Bytes JMP 0B2B03E2
.text C:\WINDOWS\system32\SearchIndexer.exe[648] WININET.dll!InternetReadFileExA 3D963381 5 Bytes JMP 0B2B046E
.text C:\WINDOWS\system32\SearchIndexer.exe[648] WININET.dll!HttpSendRequestExA 3D9BA70A 5 Bytes JMP 0B2B0428
.text C:\WINDOWS\system32\SearchIndexer.exe[648] WININET.dll!HttpSendRequestExW 3D9BA763 5 Bytes JMP 0B2B0404
.text C:\WINDOWS\System32\svchost.exe[924] ntdll.dll!NtCreateThread 7C90D1AE 5 Bytes JMP 00B92FE0
.text C:\WINDOWS\System32\svchost.exe[924] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 00B9313E
.text C:\WINDOWS\System32\svchost.exe[924] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 00B9DF23
.text C:\WINDOWS\System32\svchost.exe[924] USER32.dll!GetClipboardData 7E430DBA 5 Bytes JMP 00B9E058
.text C:\WINDOWS\System32\svchost.exe[924] WININET.dll!InternetReadFile 3D94654B 5 Bytes JMP 00BA044C
.text C:\WINDOWS\System32\svchost.exe[924] WININET.dll!HttpQueryInfoA 3D94878D 5 Bytes JMP 00BA04F3
.text C:\WINDOWS\System32\svchost.exe[924] WININET.dll!InternetCloseHandle 3D949088 5 Bytes JMP 00BA04B4
.text C:\WINDOWS\System32\svchost.exe[924] WININET.dll!InternetQueryDataAvailable 3D94BF7F 5 Bytes JMP 00BA0491
.text C:\WINDOWS\System32\svchost.exe[924] WININET.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 00BA03C0
.text C:\WINDOWS\System32\svchost.exe[924] WININET.dll!HttpSendRequestA 3D95EE89 5 Bytes JMP 00BA03E2
.text C:\WINDOWS\System32\svchost.exe[924] WININET.dll!InternetReadFileExA 3D963381 5 Bytes JMP 00BA046E
.text C:\WINDOWS\System32\svchost.exe[924] WININET.dll!HttpSendRequestExA 3D9BA70A 5 Bytes JMP 00BA0428
.text C:\WINDOWS\System32\svchost.exe[924] WININET.dll!HttpSendRequestExW 3D9BA763 5 Bytes JMP 00BA0404
.text C:\WINDOWS\System32\svchost.exe[924] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00B9C1A7
.text C:\WINDOWS\System32\svchost.exe[924] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00B9C1DB
.text C:\WINDOWS\System32\svchost.exe[924] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00B9C1F8
.text C:\WINDOWS\System32\svchost.exe[924] CRYPT32.dll!PFXImportCertStore 77AEFF8F 5 Bytes JMP 00B92B30
.text C:\WINDOWS\system32\services.exe[1024] ntdll.dll!NtCreateThread 7C90D1AE 5 Bytes JMP 00FD2FE0
.text C:\WINDOWS\system32\services.exe[1024] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 00FD313E
.text C:\WINDOWS\system32\services.exe[1024] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 00FDDF23
.text C:\WINDOWS\system32\services.exe[1024] USER32.dll!GetClipboardData 7E430DBA 5 Bytes JMP 00FDE058
.text C:\WINDOWS\system32\services.exe[1024] WININET.dll!InternetReadFile 3D94654B 5 Bytes JMP 00FE044C
.text C:\WINDOWS\system32\services.exe[1024] WININET.dll!HttpQueryInfoA 3D94878D 5 Bytes JMP 00FE04F3
.text C:\WINDOWS\system32\services.exe[1024] WININET.dll!InternetCloseHandle 3D949088 5 Bytes JMP 00FE04B4
.text C:\WINDOWS\system32\services.exe[1024] WININET.dll!InternetQueryDataAvailable 3D94BF7F 5 Bytes JMP 00FE0491
.text C:\WINDOWS\system32\services.exe[1024] WININET.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 00FE03C0
.text C:\WINDOWS\system32\services.exe[1024] WININET.dll!HttpSendRequestA 3D95EE89 5 Bytes JMP 00FE03E2
.text C:\WINDOWS\system32\services.exe[1024] WININET.dll!InternetReadFileExA 3D963381 5 Bytes JMP 00FE046E
.text C:\WINDOWS\system32\services.exe[1024] WININET.dll!HttpSendRequestExA 3D9BA70A 5 Bytes JMP 00FE0428
.text C:\WINDOWS\system32\services.exe[1024] WININET.dll!HttpSendRequestExW 3D9BA763 5 Bytes JMP 00FE0404
.text C:\WINDOWS\system32\services.exe[1024] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00FDC1A7
.text C:\WINDOWS\system32\services.exe[1024] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00FDC1DB
.text C:\WINDOWS\system32\services.exe[1024] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00FDC1F8
.text C:\WINDOWS\system32\services.exe[1024] CRYPT32.dll!PFXImportCertStore 77AEFF8F 5 Bytes JMP 00FD2B30
.text C:\WINDOWS\system32\lsass.exe[1036] ntdll.dll!NtCreateThread 7C90D1AE 5 Bytes JMP 00EC2FE0
.text C:\WINDOWS\system32\lsass.exe[1036] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 00EC313E
.text C:\WINDOWS\system32\lsass.exe[1036] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 00ECDF23
.text C:\WINDOWS\system32\lsass.exe[1036] USER32.dll!GetClipboardData 7E430DBA 5 Bytes JMP 00ECE058
.text C:\WINDOWS\system32\lsass.exe[1036] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00ECC1A7
.text C:\WINDOWS\system32\lsass.exe[1036] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00ECC1DB
.text C:\WINDOWS\system32\lsass.exe[1036] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00ECC1F8
.text C:\WINDOWS\system32\lsass.exe[1036] WININET.dll!InternetReadFile 3D94654B 5 Bytes JMP 00ED044C
.text C:\WINDOWS\system32\lsass.exe[1036] WININET.dll!HttpQueryInfoA 3D94878D 5 Bytes JMP 00ED04F3
.text C:\WINDOWS\system32\lsass.exe[1036] WININET.dll!InternetCloseHandle 3D949088 5 Bytes JMP 00ED04B4
.text C:\WINDOWS\system32\lsass.exe[1036] WININET.dll!InternetQueryDataAvailable 3D94BF7F 5 Bytes JMP 00ED0491
.text C:\WINDOWS\system32\lsass.exe[1036] WININET.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 00ED03C0
.text C:\WINDOWS\system32\lsass.exe[1036] WININET.dll!HttpSendRequestA 3D95EE89 5 Bytes JMP 00ED03E2
.text C:\WINDOWS\system32\lsass.exe[1036] WININET.dll!InternetReadFileExA 3D963381 5 Bytes JMP 00ED046E
.text C:\WINDOWS\system32\lsass.exe[1036] WININET.dll!HttpSendRequestExA 3D9BA70A 5 Bytes JMP 00ED0428
.text C:\WINDOWS\system32\lsass.exe[1036] WININET.dll!HttpSendRequestExW 3D9BA763 5 Bytes JMP 00ED0404
.text C:\WINDOWS\system32\lsass.exe[1036] CRYPT32.dll!PFXImportCertStore 77AEFF8F 5 Bytes JMP 00EC2B30
.text C:\WINDOWS\system32\Ati2evxx.exe[1224] ntdll.dll!NtCreateThread 7C90D1AE 5 Bytes JMP 00FB2FE0
.text C:\WINDOWS\system32\Ati2evxx.exe[1224] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 00FB313E
.text C:\WINDOWS\system32\Ati2evxx.exe[1224] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 00FBDF23
.text C:\WINDOWS\system32\Ati2evxx.exe[1224] USER32.dll!GetClipboardData 7E430DBA 5 Bytes JMP 00FBE058
.text C:\WINDOWS\system32\Ati2evxx.exe[1224] WININET.dll!InternetReadFile 3D94654B 5 Bytes JMP 00FC044C
.text C:\WINDOWS\system32\Ati2evxx.exe[1224] WININET.dll!HttpQueryInfoA 3D94878D 5 Bytes JMP 00FC04F3
.text C:\WINDOWS\system32\Ati2evxx.exe[1224] WININET.dll!InternetCloseHandle 3D949088 5 Bytes JMP 00FC04B4
.text C:\WINDOWS\system32\Ati2evxx.exe[1224] WININET.dll!InternetQueryDataAvailable 3D94BF7F 5 Bytes JMP 00FC0491
.text C:\WINDOWS\system32\Ati2evxx.exe[1224] WININET.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 00FC03C0
.text C:\WINDOWS\system32\Ati2evxx.exe[1224] WININET.dll!HttpSendRequestA 3D95EE89 5 Bytes JMP 00FC03E2
.text C:\WINDOWS\system32\Ati2evxx.exe[1224] WININET.dll!InternetReadFileExA 3D963381 5 Bytes JMP 00FC046E
.text C:\WINDOWS\system32\Ati2evxx.exe[1224] WININET.dll!HttpSendRequestExA 3D9BA70A 5 Bytes JMP 00FC0428
.text C:\WINDOWS\system32\Ati2evxx.exe[1224] WININET.dll!HttpSendRequestExW 3D9BA763 5 Bytes JMP 00FC0404
.text C:\WINDOWS\system32\Ati2evxx.exe[1224] CRYPT32.dll!PFXImportCertStore 77AEFF8F 5 Bytes JMP 00FB2B30
.text C:\WINDOWS\system32\Ati2evxx.exe[1224] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00FBC1A7
.text C:\WINDOWS\system32\Ati2evxx.exe[1224] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00FBC1DB
.text C:\WINDOWS\system32\Ati2evxx.exe[1224] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00FBC1F8
.text C:\WINDOWS\system32\svchost.exe[1248] ntdll.dll!NtCreateThread 7C90D1AE 5 Bytes JMP 024B2FE0
.text C:\WINDOWS\System32\CTSvcCDA.EXE[1288] ntdll.dll!NtCreateThread 7C90D1AE 5 Bytes JMP 00E42FE0
.text C:\WINDOWS\System32\CTSvcCDA.EXE[1288] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 00E4313E
.text C:\WINDOWS\System32\CTSvcCDA.EXE[1288] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 00E4DF23
.text C:\WINDOWS\System32\CTSvcCDA.EXE[1288] USER32.dll!GetClipboardData 7E430DBA 5 Bytes JMP 00E4E058
.text C:\WINDOWS\System32\CTSvcCDA.EXE[1288] WININET.dll!InternetReadFile 3D94654B 5 Bytes JMP 00E5044C
.text C:\WINDOWS\System32\CTSvcCDA.EXE[1288] WININET.dll!HttpQueryInfoA 3D94878D 5 Bytes JMP 00E504F3
.text C:\WINDOWS\System32\CTSvcCDA.EXE[1288] WININET.dll!InternetCloseHandle 3D949088 5 Bytes JMP 00E504B4
.text C:\WINDOWS\System32\CTSvcCDA.EXE[1288] WININET.dll!InternetQueryDataAvailable 3D94BF7F 5 Bytes JMP 00E50491
.text C:\WINDOWS\System32\CTSvcCDA.EXE[1288] WININET.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 00E503C0
.text C:\WINDOWS\System32\CTSvcCDA.EXE[1288] WININET.dll!HttpSendRequestA 3D95EE89 5 Bytes JMP 00E503E2
.text C:\WINDOWS\System32\CTSvcCDA.EXE[1288] WININET.dll!InternetReadFileExA 3D963381 5 Bytes JMP 00E5046E
.text C:\WINDOWS\System32\CTSvcCDA.EXE[1288] WININET.dll!HttpSendRequestExA 3D9BA70A 5 Bytes JMP 00E50428
.text C:\WINDOWS\System32\CTSvcCDA.EXE[1288] WININET.dll!HttpSendRequestExW 3D9BA763 5 Bytes JMP 00E50404
.text C:\WINDOWS\System32\CTSvcCDA.EXE[1288] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00E4C1A7
.text C:\WINDOWS\System32\CTSvcCDA.EXE[1288] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00E4C1DB
.text C:\WINDOWS\System32\CTSvcCDA.EXE[1288] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00E4C1F8
.text C:\WINDOWS\System32\CTSvcCDA.EXE[1288] CRYPT32.dll!PFXImportCertStore 77AEFF8F 5 Bytes JMP 00E42B30
.text C:\WINDOWS\system32\svchost.exe[1296] ntdll.dll!NtCreateThread 7C90D1AE 5 Bytes JMP 00DD2FE0
.text C:\WINDOWS\system32\svchost.exe[1296] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 00DD313E
.text C:\WINDOWS\system32\svchost.exe[1296] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 00DDDF23
.text C:\WINDOWS\system32\svchost.exe[1296] USER32.dll!GetClipboardData 7E430DBA 5 Bytes JMP 00DDE058
.text C:\WINDOWS\system32\svchost.exe[1296] WININET.dll!InternetReadFile 3D94654B 5 Bytes JMP 00DE044C
.text C:\WINDOWS\system32\svchost.exe[1296] WININET.dll!HttpQueryInfoA 3D94878D 5 Bytes JMP 00DE04F3
.text C:\WINDOWS\system32\svchost.exe[1296] WININET.dll!InternetCloseHandle 3D949088 5 Bytes JMP 00DE04B4
.text C:\WINDOWS\system32\svchost.exe[1296] WININET.dll!InternetQueryDataAvailable 3D94BF7F 5 Bytes JMP 00DE0491
.text C:\WINDOWS\system32\svchost.exe[1296] WININET.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 00DE03C0
.text C:\WINDOWS\system32\svchost.exe[1296] WININET.dll!HttpSendRequestA 3D95EE89 5 Bytes JMP 00DE03E2
.text C:\WINDOWS\system32\svchost.exe[1296] WININET.dll!InternetReadFileExA 3D963381 5 Bytes JMP 00DE046E
.text C:\WINDOWS\system32\svchost.exe[1296] WININET.dll!HttpSendRequestExA 3D9BA70A 5 Bytes JMP 00DE0428
.text C:\WINDOWS\system32\svchost.exe[1296] WININET.dll!HttpSendRequestExW 3D9BA763 5 Bytes JMP 00DE0404
.text C:\WINDOWS\system32\svchost.exe[1296] Ws2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00DDC1A7
.text C:\WINDOWS\system32\svchost.exe[1296] Ws2_32.dll!send 71AB4C27 5 Bytes JMP 00DDC1DB
.text C:\WINDOWS\system32\svchost.exe[1296] Ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00DDC1F8
.text C:\WINDOWS\system32\svchost.exe[1296] CRYPT32.dll!PFXImportCertStore 77AEFF8F 5 Bytes JMP 00DD2B30
.text C:\WINDOWS\system32\svchost.exe[1340] ntdll.dll!NtCreateThread 7C90D1AE 5 Bytes JMP 00F22FE0
.text C:\WINDOWS\system32\svchost.exe[1340] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 00F2313E
.text C:\WINDOWS\system32\svchost.exe[1340] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 00F2DF23
.text C:\WINDOWS\system32\svchost.exe[1340] USER32.dll!GetClipboardData 7E430DBA 5 Bytes JMP 00F2E058
.text C:\WINDOWS\system32\svchost.exe[1340] WININET.dll!InternetReadFile 3D94654B 5 Bytes JMP 00F3044C
.text C:\WINDOWS\system32\svchost.exe[1340] WININET.dll!HttpQueryInfoA 3D94878D 5 Bytes JMP 00F304F3
.text C:\WINDOWS\system32\svchost.exe[1340] WININET.dll!InternetCloseHandle 3D949088 5 Bytes JMP 00F304B4
.text C:\WINDOWS\system32\svchost.exe[1340] WININET.dll!InternetQueryDataAvailable 3D94BF7F 5 Bytes JMP 00F30491
.text C:\WINDOWS\system32\svchost.exe[1340] WININET.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 00F303C0
.text C:\WINDOWS\system32\svchost.exe[1340] WININET.dll!HttpSendRequestA 3D95EE89 5 Bytes JMP 00F303E2
.text C:\WINDOWS\system32\svchost.exe[1340] WININET.dll!InternetReadFileExA 3D963381 5 Bytes JMP 00F3046E
.text C:\WINDOWS\system32\svchost.exe[1340] WININET.dll!HttpSendRequestExA 3D9BA70A 5 Bytes JMP 00F30428
.text C:\WINDOWS\system32\svchost.exe[1340] WININET.dll!HttpSendRequestExW 3D9BA763 5 Bytes JMP 00F30404
.text C:\WINDOWS\system32\svchost.exe[1340] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00F2C1A7
.text C:\WINDOWS\system32\svchost.exe[1340] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00F2C1DB
.text C:\WINDOWS\system32\svchost.exe[1340] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00F2C1F8
.text C:\WINDOWS\system32\svchost.exe[1340] CRYPT32.dll!PFXImportCertStore 77AEFF8F 5 Bytes JMP 00F22B30
.text C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe[1396] ntdll.dll!NtCreateThread 7C90D1AE 5 Bytes JMP 01102FE0
.text C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe[1396] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 0110313E
.text C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe[1396] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 0110C1A7
.text C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe[1396] WS2_32.dll!send 71AB4C27 5 Bytes JMP 0110C1DB
.text C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe[1396] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 0110C1F8
.text C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe[1396] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 0110DF23
.text C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe[1396] USER32.dll!GetClipboardData 7E430DBA 5 Bytes JMP 0110E058
.text C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe[1396] CRYPT32.dll!PFXImportCertStore 77AEFF8F 5 Bytes JMP 01102B30
.text C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe[1396] WININET.dll!InternetReadFile 3D94654B 5 Bytes JMP 0111044C
.text C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe[1396] WININET.dll!HttpQueryInfoA 3D94878D 5 Bytes JMP 011104F3
.text C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe[1396] WININET.dll!InternetCloseHandle 3D949088 5 Bytes JMP 011104B4
.text C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe[1396] WININET.dll!InternetQueryDataAvailable 3D94BF7F 5 Bytes JMP 01110491
.text C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe[1396] WININET.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 011103C0
.text C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe[1396] WININET.dll!HttpSendRequestA 3D95EE89 5 Bytes JMP 011103E2
.text C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe[1396] WININET.dll!InternetReadFileExA 3D963381 5 Bytes JMP 0111046E
.text C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe[1396] WININET.dll!HttpSendRequestExA 3D9BA70A 5 Bytes JMP 01110428
.text C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe[1396] WININET.dll!HttpSendRequestExW 3D9BA763 5 Bytes JMP 01110404
.text c:\Program Files\Microsoft Security Essentials\MsMpEng.exe[1480] ntdll.dll!NtCreateThread 7C90D1AE 5 Bytes JMP 01BD2FE0
.text c:\Program Files\Microsoft Security Essentials\MsMpEng.exe[1480] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 01BD313E
.text c:\Program Files\Microsoft Security Essentials\MsMpEng.exe[1480] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 01BDDF23
.text c:\Program Files\Microsoft Security Essentials\MsMpEng.exe[1480] USER32.dll!GetClipboardData 7E430DBA 5 Bytes JMP 01BDE058
.text c:\Program Files\Microsoft Security Essentials\MsMpEng.exe[1480] WININET.dll!InternetReadFile 3D94654B 5 Bytes JMP 01BE044C
.text c:\Program Files\Microsoft Security Essentials\MsMpEng.exe[1480] WININET.dll!HttpQueryInfoA 3D94878D 5 Bytes JMP 01BE04F3
.text c:\Program Files\Microsoft Security Essentials\MsMpEng.exe[1480] WININET.dll!InternetCloseHandle 3D949088 5 Bytes JMP 01BE04B4
.text c:\Program Files\Microsoft Security Essentials\MsMpEng.exe[1480] WININET.dll!InternetQueryDataAvailable 3D94BF7F 5 Bytes JMP 01BE0491
.text c:\Program Files\Microsoft Security Essentials\MsMpEng.exe[1480] WININET.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 01BE03C0
.text c:\Program Files\Microsoft Security Essentials\MsMpEng.exe[1480] WININET.dll!HttpSendRequestA 3D95EE89 5 Bytes JMP 01BE03E2
.text c:\Program Files\Microsoft Security Essentials\MsMpEng.exe[1480] WININET.dll!InternetReadFileExA 3D963381 5 Bytes JMP 01BE046E
.text c:\Program Files\Microsoft Security Essentials\MsMpEng.exe[1480] WININET.dll!HttpSendRequestExA 3D9BA70A 5 Bytes JMP 01BE0428
.text c:\Program Files\Microsoft Security Essentials\MsMpEng.exe[1480] WININET.dll!HttpSendRequestExW 3D9BA763 5 Bytes JMP 01BE0404
.text c:\Program Files\Microsoft Security Essentials\MsMpEng.exe[1480] CRYPT32.dll!PFXImportCertStore 77AEFF8F 5 Bytes JMP 01BD2B30
.text c:\Program Files\Microsoft Security Essentials\MsMpEng.exe[1480] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 01BDC1A7
.text c:\Program Files\Microsoft Security Essentials\MsMpEng.exe[1480] WS2_32.dll!send 71AB4C27 5 Bytes JMP 01BDC1DB
.text c:\Program Files\Microsoft Security Essentials\MsMpEng.exe[1480] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 01BDC1F8
.text C:\WINDOWS\SYSTEM32\Ati2evxx.exe[1648] ntdll.dll!NtCreateThread 7C90D1AE 5 Bytes JMP 00F02FE0
.text C:\WINDOWS\SYSTEM32\Ati2evxx.exe[1648] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 00F0313E
.text C:\WINDOWS\SYSTEM32\Ati2evxx.exe[1648] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 00F0DF23
.text C:\WINDOWS\SYSTEM32\Ati2evxx.exe[1648] USER32.dll!GetClipboardData 7E430DBA 5 Bytes JMP 00F0E058
.text C:\WINDOWS\SYSTEM32\Ati2evxx.exe[1648] WININET.dll!InternetReadFile 3D94654B 5 Bytes JMP 00F1044C
.text C:\WINDOWS\SYSTEM32\Ati2evxx.exe[1648] WININET.dll!HttpQueryInfoA 3D94878D 5 Bytes JMP 00F104F3
.text C:\WINDOWS\SYSTEM32\Ati2evxx.exe[1648] WININET.dll!InternetCloseHandle 3D949088 5 Bytes JMP 00F104B4
.text C:\WINDOWS\SYSTEM32\Ati2evxx.exe[1648] WININET.dll!InternetQueryDataAvailable 3D94BF7F 5 Bytes JMP 00F10491
.text C:\WINDOWS\SYSTEM32\Ati2evxx.exe[1648] WININET.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 00F103C0
.text C:\WINDOWS\SYSTEM32\Ati2evxx.exe[1648] WININET.dll!HttpSendRequestA 3D95EE89 5 Bytes JMP 00F103E2
.text C:\WINDOWS\SYSTEM32\Ati2evxx.exe[1648] WININET.dll!InternetReadFileExA 3D963381 5 Bytes JMP 00F1046E
.text C:\WINDOWS\SYSTEM32\Ati2evxx.exe[1648] WININET.dll!HttpSendRequestExA 3D9BA70A 5 Bytes JMP 00F10428
.text C:\WINDOWS\SYSTEM32\Ati2evxx.exe[1648] WININET.dll!HttpSendRequestExW 3D9BA763 5 Bytes JMP 00F10404
.text C:\WINDOWS\SYSTEM32\Ati2evxx.exe[1648] CRYPT32.dll!PFXImportCertStore 77AEFF8F 5 Bytes JMP 00F02B30
.text C:\WINDOWS\SYSTEM32\Ati2evxx.exe[1648] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00F0C1A7
.text C:\WINDOWS\SYSTEM32\Ati2evxx.exe[1648] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00F0C1DB
.text C:\WINDOWS\SYSTEM32\Ati2evxx.exe[1648] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00F0C1F8
.text C:\Program Files\Common Files\Stardock\SDMCP.exe[1672] ntdll.dll!NtCreateThread 7C90D1AE 5 Bytes JMP 00D32FE0
.text C:\Program Files\Common Files\Stardock\SDMCP.exe[1672] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 00D3313E
.text C:\Program Files\Common Files\Stardock\SDMCP.exe[1672] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 00D3DF23
.text C:\Program Files\Common Files\Stardock\SDMCP.exe[1672] USER32.dll!GetClipboardData 7E430DBA 5 Bytes JMP 00D3E058
.text C:\Program Files\Common Files\Stardock\SDMCP.exe[1672] WININET.dll!InternetReadFile 3D94654B 5 Bytes JMP 00D4044C
.text C:\Program Files\Common Files\Stardock\SDMCP.exe[1672] WININET.dll!HttpQueryInfoA 3D94878D 5 Bytes JMP 00D404F3
.text C:\Program Files\Common Files\Stardock\SDMCP.exe[1672] WININET.dll!InternetCloseHandle 3D949088 5 Bytes JMP 00D404B4
.text C:\Program Files\Common Files\Stardock\SDMCP.exe[1672] WININET.dll!InternetQueryDataAvailable 3D94BF7F 5 Bytes JMP 00D40491
.text C:\Program Files\Common Files\Stardock\SDMCP.exe[1672] WININET.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 00D403C0
.text C:\Program Files\Common Files\Stardock\SDMCP.exe[1672] WININET.dll!HttpSendRequestA 3D95EE89 5 Bytes JMP 00D403E2
.text C:\Program Files\Common Files\Stardock\SDMCP.exe[1672] WININET.dll!InternetReadFileExA 3D963381 5 Bytes JMP 00D4046E
.text C:\Program Files\Common Files\Stardock\SDMCP.exe[1672] WININET.dll!HttpSendRequestExA 3D9BA70A 5 Bytes JMP 00D40428
.text C:\Program Files\Common Files\Stardock\SDMCP.exe[1672] WININET.dll!HttpSendRequestExW 3D9BA763 5 Bytes JMP 00D40404
.text C:\Program Files\Common Files\Stardock\SDMCP.exe[1672] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00D3C1A7
.text C:\Program Files\Common Files\Stardock\SDMCP.exe[1672] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00D3C1DB
.text C:\Program Files\Common Files\Stardock\SDMCP.exe[1672] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00D3C1F8
.text C:\Program Files\Common Files\Stardock\SDMCP.exe[1672] CRYPT32.dll!PFXImportCertStore 77AEFF8F 5 Bytes JMP 00D32B30
.text C:\Program Files\Java\jre6\bin\jqs.exe[1744] ntdll.dll!NtCreateThread 7C90D1AE 5 Bytes JMP 01162FE0
.text C:\Program Files\Java\jre6\bin\jqs.exe[1744] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 0116313E
.text C:\Program Files\Java\jre6\bin\jqs.exe[1744] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 0116C1A7
.text C:\Program Files\Java\jre6\bin\jqs.exe[1744] WS2_32.dll!send 71AB4C27 5 Bytes JMP 0116C1DB
.text C:\Program Files\Java\jre6\bin\jqs.exe[1744] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 0116C1F8
.text C:\Program Files\Java\jre6\bin\jqs.exe[1744] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 0116DF23
.text C:\Program Files\Java\jre6\bin\jqs.exe[1744] USER32.dll!GetClipboardData 7E430DBA 5 Bytes JMP 0116E058
.text C:\Program Files\Java\jre6\bin\jqs.exe[1744] WININET.dll!InternetReadFile 3D94654B 5 Bytes JMP 0117044C
.text C:\Program Files\Java\jre6\bin\jqs.exe[1744] WININET.dll!HttpQueryInfoA 3D94878D 5 Bytes JMP 011704F3
.text C:\Program Files\Java\jre6\bin\jqs.exe[1744] WININET.dll!InternetCloseHandle 3D949088 5 Bytes JMP 011704B4
.text C:\Program Files\Java\jre6\bin\jqs.exe[1744] WININET.dll!InternetQueryDataAvailable 3D94BF7F 5 Bytes JMP 01170491
.text C:\Program Files\Java\jre6\bin\jqs.exe[1744] WININET.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 011703C0
.text C:\Program Files\Java\jre6\bin\jqs.exe[1744] WININET.dll!HttpSendRequestA 3D95EE89 5 Bytes JMP 011703E2
.text C:\Program Files\Java\jre6\bin\jqs.exe[1744] WININET.dll!InternetReadFileExA 3D963381 5 Bytes JMP 0117046E
.text C:\Program Files\Java\jre6\bin\jqs.exe[1744] WININET.dll!HttpSendRequestExA 3D9BA70A 5 Bytes JMP 01170428
.text C:\Program Files\Java\jre6\bin\jqs.exe[1744] WININET.dll!HttpSendRequestExW 3D9BA763 5 Bytes JMP 01170404
.text C:\Program Files\Java\jre6\bin\jqs.exe[1744] CRYPT32.dll!PFXImportCertStore 77AEFF8F 5 Bytes JMP 01162B30
.text C:\WINDOWS\System32\svchost.exe[1808] ntdll.dll!NtCreateThread 7C90D1AE 5 Bytes JMP 00A42FE0
.text C:\WINDOWS\System32\svchost.exe[1808] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 00A4313E
.text C:\WINDOWS\System32\svchost.exe[1808] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 00A4DF23
.text C:\WINDOWS\System32\svchost.exe[1808] USER32.dll!GetClipboardData 7E430DBA 5 Bytes JMP 00A4E058
.text C:\WINDOWS\System32\svchost.exe[1808] WININET.dll!InternetReadFile 3D94654B 5 Bytes JMP 00A5044C
.text C:\WINDOWS\System32\svchost.exe[1808] WININET.dll!HttpQueryInfoA 3D94878D 5 Bytes JMP 00A504F3
.text C:\WINDOWS\System32\svchost.exe[1808] WININET.dll!InternetCloseHandle 3D949088 5 Bytes JMP 00A504B4
.text C:\WINDOWS\System32\svchost.exe[1808] WININET.dll!InternetQueryDataAvailable 3D94BF7F 5 Bytes JMP 00A50491
.text C:\WINDOWS\System32\svchost.exe[1808] WININET.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 00A503C0
.text C:\WINDOWS\System32\svchost.exe[1808] WININET.dll!HttpSendRequestA 3D95EE89 5 Bytes JMP 00A503E2
.text C:\WINDOWS\System32\svchost.exe[1808] WININET.dll!InternetReadFileExA 3D963381 5 Bytes JMP 00A5046E
.text C:\WINDOWS\System32\svchost.exe[1808] WININET.dll!HttpSendRequestExA 3D9BA70A 5 Bytes JMP 00A50428
.text C:\WINDOWS\System32\svchost.exe[1808] WININET.dll!HttpSendRequestExW 3D9BA763 5 Bytes JMP 00A50404
.text C:\WINDOWS\System32\svchost.exe[1808] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00A4C1A7
.text C:\WINDOWS\System32\svchost.exe[1808] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00A4C1DB
.text C:\WINDOWS\System32\svchost.exe[1808] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00A4C1F8
.text C:\WINDOWS\System32\svchost.exe[1808] CRYPT32.dll!PFXImportCertStore 77AEFF8F 5 Bytes JMP 00A42B30
.text C:\WINDOWS\System32\svchost.exe[1996] ntdll.dll!NtCreateThread 7C90D1AE 5 Bytes JMP 00C52FE0
.text C:\WINDOWS\System32\svchost.exe[1996] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 00C5313E
.text C:\WINDOWS\System32\svchost.exe[1996] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 00C5DF23
.text C:\WINDOWS\System32\svchost.exe[1996] USER32.dll!GetClipboardData 7E430DBA 5 Bytes JMP 00C5E058
.text C:\WINDOWS\System32\svchost.exe[1996] WININET.dll!InternetReadFile 3D94654B 5 Bytes JMP 00C6044C
.text C:\WINDOWS\System32\svchost.exe[1996] WININET.dll!HttpQueryInfoA 3D94878D 5 Bytes JMP 00C604F3
.text C:\WINDOWS\System32\svchost.exe[1996] WININET.dll!InternetCloseHandle 3D949088 5 Bytes JMP 00C604B4
.text C:\WINDOWS\System32\svchost.exe[1996] WININET.dll!InternetQueryDataAvailable 3D94BF7F 5 Bytes JMP 00C60491
.text C:\WINDOWS\System32\svchost.exe[1996] WININET.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 00C603C0
.text C:\WINDOWS\System32\svchost.exe[1996] WININET.dll!HttpSendRequestA 3D95EE89 5 Bytes JMP 00C603E2
.text C:\WINDOWS\System32\svchost.exe[1996] WININET.dll!InternetReadFileExA 3D963381 5 Bytes JMP 00C6046E
.text C:\WINDOWS\System32\svchost.exe[1996] WININET.dll!HttpSendRequestExA 3D9BA70A 5 Bytes JMP 00C60428
.text C:\WINDOWS\System32\svchost.exe[1996] WININET.dll!HttpSendRequestExW 3D9BA763 5 Bytes JMP 00C60404
.text C:\WINDOWS\System32\svchost.exe[1996] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00C5C1A7
.text C:\WINDOWS\System32\svchost.exe[1996] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00C5C1DB
.text C:\WINDOWS\System32\svchost.exe[1996] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00C5C1F8
.text C:\WINDOWS\System32\svchost.exe[1996] CRYPT32.dll!PFXImportCertStore 77AEFF8F 5 Bytes JMP 00C52B30
.text C:\WINDOWS\Explorer.EXE[2316] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B6000A
.text C:\WINDOWS\Explorer.EXE[2316] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00C0000A
.text C:\WINDOWS\Explorer.EXE[2316] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B5000C
.text C:\WINDOWS\System32\svchost.exe[2604] ntdll.dll!NtCreateThread 7C90D1AE 5 Bytes JMP 00082FE0
.text C:\WINDOWS\System32\svchost.exe[2604] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 0008313E
.text C:\WINDOWS\System32\svchost.exe[2604] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 0008DF23
.text C:\WINDOWS\System32\svchost.exe[2604] USER32.dll!GetClipboardData 7E430DBA 5 Bytes JMP 0008E058
.text C:\WINDOWS\System32\svchost.exe[2604] WININET.dll!InternetReadFile 3D94654B 5 Bytes JMP 0009044C
.text C:\WINDOWS\System32\svchost.exe[2604] WININET.dll!HttpQueryInfoA 3D94878D 5 Bytes JMP 000904F3
.text C:\WINDOWS\System32\svchost.exe[2604] WININET.dll!InternetCloseHandle 3D949088 5 Bytes JMP 000904B4
.text C:\WINDOWS\System32\svchost.exe[2604] WININET.dll!InternetQueryDataAvailable 3D94BF7F 5 Bytes JMP 00090491
.text C:\WINDOWS\System32\svchost.exe[2604] WININET.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 000903C0
.text C:\WINDOWS\System32\svchost.exe[2604] WININET.dll!HttpSendRequestA 3D95EE89 5 Bytes JMP 000903E2
.text C:\WINDOWS\System32\svchost.exe[2604] WININET.dll!InternetReadFileExA 3D963381 5 Bytes JMP 0009046E
.text C:\WINDOWS\System32\svchost.exe[2604] WININET.dll!HttpSendRequestExA 3D9BA70A 5 Bytes JMP 00090428
.text C:\WINDOWS\System32\svchost.exe[2604] WININET.dll!HttpSendRequestExW 3D9BA763 5 Bytes JMP 00090404
.text C:\WINDOWS\System32\svchost.exe[2604] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 0008C1A7
.text C:\WINDOWS\System32\svchost.exe[2604] WS2_32.dll!send 71AB4C27 5 Bytes JMP 0008C1DB
.text C:\WINDOWS\System32\svchost.exe[2604] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 0008C1F8
.text C:\WINDOWS\System32\svchost.exe[2604] CRYPT32.dll!PFXImportCertStore 77AEFF8F 5 Bytes JMP 00082B30
.text C:\WINDOWS\System32\wbem\unsecapp.exe[2808] ntdll.dll!NtCreateThread 7C90D1AE 5 Bytes JMP 00142FE0
.text C:\WINDOWS\System32\wbem\unsecapp.exe[2808] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 0014313E
.text C:\WINDOWS\System32\wbem\unsecapp.exe[2808] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 0014DF23
.text C:\WINDOWS\System32\wbem\unsecapp.exe[2808] USER32.dll!GetClipboardData 7E430DBA 5 Bytes JMP 0014E058
.text C:\WINDOWS\System32\wbem\unsecapp.exe[2808] WININET.dll!InternetReadFile 3D94654B 5 Bytes JMP 0015044C
.text C:\WINDOWS\System32\wbem\unsecapp.exe[2808] WININET.dll!HttpQueryInfoA 3D94878D 5 Bytes JMP 001504F3
.text C:\WINDOWS\System32\wbem\unsecapp.exe[2808] WININET.dll!InternetCloseHandle 3D949088 5 Bytes JMP 001504B4
.text C:\WINDOWS\System32\wbem\unsecapp.exe[2808] WININET.dll!InternetQueryDataAvailable 3D94BF7F 5 Bytes JMP 00150491
.text C:\WINDOWS\System32\wbem\unsecapp.exe[2808] WININET.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 001503C0
.text C:\WINDOWS\System32\wbem\unsecapp.exe[2808] WININET.dll!HttpSendRequestA 3D95EE89 5 Bytes JMP 001503E2
.text C:\WINDOWS\System32\wbem\unsecapp.exe[2808] WININET.dll!InternetReadFileExA 3D963381 5 Bytes JMP 0015046E
.text C:\WINDOWS\System32\wbem\unsecapp.exe[2808] WININET.dll!HttpSendRequestExA 3D9BA70A 5 Bytes JMP 00150428
.text C:\WINDOWS\System32\wbem\unsecapp.exe[2808] WININET.dll!HttpSendRequestExW 3D9BA763 5 Bytes JMP 00150404
.text C:\WINDOWS\System32\wbem\unsecapp.exe[2808] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 0014C1A7
.text C:\WINDOWS\System32\wbem\unsecapp.exe[2808] WS2_32.dll!send 71AB4C27 5 Bytes JMP 0014C1DB
.text C:\WINDOWS\System32\wbem\unsecapp.exe[2808] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 0014C1F8
.text C:\WINDOWS\System32\wbem\unsecapp.exe[2808] CRYPT32.dll!PFXImportCertStore 77AEFF8F 5 Bytes JMP 00142B30
.text C:\WINDOWS\System32\alg.exe[2980] ntdll.dll!NtCreateThread 7C90D1AE 5 Bytes JMP 00082FE0
.text C:\WINDOWS\System32\alg.exe[2980] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 0008313E
.text C:\WINDOWS\System32\alg.exe[2980] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 0008DF23
.text C:\WINDOWS\System32\alg.exe[2980] USER32.dll!GetClipboardData 7E430DBA 5 Bytes JMP 0008E058
.text C:\WINDOWS\System32\alg.exe[2980] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 0008C1A7
.text C:\WINDOWS\System32\alg.exe[2980] WS2_32.dll!send 71AB4C27 5 Bytes JMP 0008C1DB
.text C:\WINDOWS\System32\alg.exe[2980] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 0008C1F8
.text C:\WINDOWS\System32\alg.exe[2980] WININET.dll!InternetReadFile 3D94654B 5 Bytes JMP 0009044C
.text C:\WINDOWS\System32\alg.exe[2980] WININET.dll!HttpQueryInfoA 3D94878D 5 Bytes JMP 000904F3
.text C:\WINDOWS\System32\alg.exe[2980] WININET.dll!InternetCloseHandle 3D949088 5 Bytes JMP 000904B4
.text C:\WINDOWS\System32\alg.exe[2980] WININET.dll!InternetQueryDataAvailable 3D94BF7F 5 Bytes JMP 00090491
.text C:\WINDOWS\System32\alg.exe[2980] WININET.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 000903C0
.text C:\WINDOWS\System32\alg.exe[2980] WININET.dll!HttpSendRequestA 3D95EE89 5 Bytes JMP 000903E2
.text C:\WINDOWS\System32\alg.exe[2980] WININET.dll!InternetReadFileExA 3D963381 5 Bytes JMP 0009046E
.text C:\WINDOWS\System32\alg.exe[2980] WININET.dll!HttpSendRequestExA 3D9BA70A 5 Bytes JMP 00090428
.text C:\WINDOWS\System32\alg.exe[2980] WININET.dll!HttpSendRequestExW 3D9BA763 5 Bytes JMP 00090404
.text C:\WINDOWS\System32\alg.exe[2980] CRYPT32.dll!PFXImportCertStore 77AEFF8F 5 Bytes JMP 00082B30
.text C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe[3996] ntdll.dll!NtCreateThread 7C90D1AE 5 Bytes JMP 00132FE0
.text C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe[3996] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 0013313E
.text C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe[3996] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 0013DF23
.text C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe[3996] USER32.dll!GetClipboardData 7E430DBA 5 Bytes JMP 0013E058
.text C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe[3996] WININET.dll!InternetReadFile 3D94654B 5 Bytes JMP 0014044C
.text C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe[3996] WININET.dll!HttpQueryInfoA 3D94878D 5 Bytes JMP 001404F3
.text C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe[3996] WININET.dll!InternetCloseHandle 3D949088 5 Bytes JMP 001404B4
.text C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe[3996] WININET.dll!InternetQueryDataAvailable 3D94BF7F 5 Bytes JMP 00140491
.text C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe[3996] WININET.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 001403C0
.text C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe[3996] WININET.dll!HttpSendRequestA 3D95EE89 5 Bytes JMP 001403E2
.text C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe[3996] WININET.dll!InternetReadFileExA 3D963381 5 Bytes JMP 0014046E
.text C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe[3996] WININET.dll!HttpSendRequestExA 3D9BA70A 5 Bytes JMP 00140428
.text C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe[3996] WININET.dll!HttpSendRequestExW 3D9BA763 5 Bytes JMP 00140404
.text C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe[3996] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 0013C1A7
.text C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe[3996] WS2_32.dll!send 71AB4C27 5 Bytes JMP 0013C1DB
.text C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe[3996] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 0013C1F8
.text C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe[3996] CRYPT32.dll!PFXImportCertStore 77AEFF8F 5 Bytes JMP 00132B30

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SiWinAcc.sys (Windows Accelerator Driver/Silicon Image, Inc.)
AttachedDevice \FileSystem\Ntfs \Ntfs pavdrv51.sys (Panda Antivirus Filter Driver for Windows XP/Panda Software)

Device \Driver\Tcpip \Device\Ip wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Norton Internet Security Filter/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip Lbd.sys (Boot Driver/Lavasoft AB)

Device \Driver\Tcpip \Device\Tcp wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)

AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Norton Internet Security Filter/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp Lbd.sys (Boot Driver/Lavasoft AB)

Device \Driver\Tcpip \Device\Udp wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)

AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Norton Internet Security Filter/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp Lbd.sys (Boot Driver/Lavasoft AB)

Device \Driver\Tcpip \Device\RawIp wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)

AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Norton Internet Security Filter/Symantec Corporation)

Device \Driver\Tcpip \Device\IPMULTICAST wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat SiWinAcc.sys (Windows Accelerator Driver/Silicon Image, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat pavdrv51.sys (Panda Antivirus Filter Driver for Windows XP/Panda Software)

Device -> \Driver\atapi \Device\Harddisk0\DR0 88D5FAC8

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\System32\DRIVERS\RDPCDD.sys suspicious modification
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----
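The hook lines above can be triaged mechanically rather than read one by one. The following Python is an added example, not code from this thread or from GMER: it parses the `.text ... 5 Bytes JMP` lines, reports which processes carry a hook set that differs from the rest, and checks whether the JMP targets in different processes are one code image loaded at different bases. The sample lines are a subset copied from the log above; the line format is the only assumption.

```python
"""Triage helper for GMER's user-mode hook lines (added example; not from the
thread and not part of GMER).  Each line has the shape

    .text <process>[<pid>] <module>!<export> <hooked addr> 5 Bytes JMP <target>

It answers two defender's questions: which API set is hooked per process, and
whether the JMP targets in different processes are one code image loaded at
different bases (a single injected payload, not unrelated per-process hooks).
"""
import re
from collections import defaultdict
from dataclasses import dataclass

HOOK_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[^!\s]+)!(?P<export>\S+)\s+"
    r"(?P<addr>[0-9A-Fa-f]+)\s+(?P<nbytes>\d+)\s+Bytes\s+JMP\s+"
    r"(?P<target>[0-9A-Fa-f]+)\s*$"
)

@dataclass(frozen=True)
class Hook:
    process: str   # path plus [pid], e.g. C:\WINDOWS\system32\lsass.exe[1036]
    api: str       # module!export, module lower-cased (GMER prints both
                   # WS2_32.dll and Ws2_32.dll for the same DLL in this log)
    addr: int      # patched prologue inside the system DLL
    target: int    # where the 5-byte JMP lands: the injected code

def parse_hooks(text):
    """One Hook per well-formed hook line; every other line is ignored."""
    hooks = []
    for line in text.splitlines():
        m = HOOK_RE.match(line.strip())
        if m:
            hooks.append(Hook(process=f"{m['proc']}[{m['pid']}]",
                              api=f"{m['module'].lower()}!{m['export']}",
                              addr=int(m["addr"], 16),
                              target=int(m["target"], 16)))
    return hooks

def by_process(hooks):
    groups = defaultdict(list)
    for h in hooks:
        groups[h.process].append(h)
    return dict(groups)

def relative_layout(proc_hooks):
    """Offset of every JMP target from the lowest target in that process.
    Identical layouts in two processes mean one code image, relocated."""
    base = min(h.target for h in proc_hooks)
    return tuple(sorted((h.api, h.target - base) for h in proc_hooks))

def shared_injections(hooks):
    """Clusters of processes with the same hook set and the same layout."""
    clusters = defaultdict(list)
    for proc, proc_hooks in by_process(hooks).items():
        clusters[relative_layout(proc_hooks)].append(proc)
    return sorted(sorted(p) for p in clusters.values() if len(p) > 1)

def outliers(hooks):
    """Processes whose hooked-API set differs from the most common one; they
    deserve a separate look because something else may have placed those hooks."""
    api_sets = {proc: frozenset(h.api for h in ph)
                for proc, ph in by_process(hooks).items()}
    tally = defaultdict(int)
    for s in api_sets.values():
        tally[s] += 1
    majority = max(tally, key=tally.get)
    return sorted(p for p, s in api_sets.items() if s != majority)

# Sample input: a subset of lines copied from the GMER log in this thread,
# plus one non-hook line to show that it is skipped.
SAMPLE_LOG = r"""
.text C:\WINDOWS\system32\services.exe[1024] ntdll.dll!NtCreateThread 7C90D1AE 5 Bytes JMP 00FD2FE0
.text C:\WINDOWS\system32\services.exe[1024] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 00FD313E
.text C:\WINDOWS\system32\services.exe[1024] USER32.dll!GetClipboardData 7E430DBA 5 Bytes JMP 00FDE058
.text C:\WINDOWS\system32\services.exe[1024] WININET.dll!HttpSendRequestA 3D95EE89 5 Bytes JMP 00FE03E2
.text C:\WINDOWS\system32\services.exe[1024] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00FDC1DB
.text C:\WINDOWS\system32\services.exe[1024] CRYPT32.dll!PFXImportCertStore 77AEFF8F 5 Bytes JMP 00FD2B30
.text C:\WINDOWS\system32\lsass.exe[1036] ntdll.dll!NtCreateThread 7C90D1AE 5 Bytes JMP 00EC2FE0
.text C:\WINDOWS\system32\lsass.exe[1036] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 00EC313E
.text C:\WINDOWS\system32\lsass.exe[1036] USER32.dll!GetClipboardData 7E430DBA 5 Bytes JMP 00ECE058
.text C:\WINDOWS\system32\lsass.exe[1036] WININET.dll!HttpSendRequestA 3D95EE89 5 Bytes JMP 00ED03E2
.text C:\WINDOWS\system32\lsass.exe[1036] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00ECC1DB
.text C:\WINDOWS\system32\lsass.exe[1036] CRYPT32.dll!PFXImportCertStore 77AEFF8F 5 Bytes JMP 00EC2B30
.text C:\WINDOWS\system32\svchost.exe[1248] ntdll.dll!NtCreateThread 7C90D1AE 5 Bytes JMP 024B2FE0
.text C:\WINDOWS\Explorer.EXE[2316] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B6000A
.text C:\WINDOWS\Explorer.EXE[2316] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00C0000A
.text C:\WINDOWS\Explorer.EXE[2316] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B5000C
---- Devices - GMER 1.0.15 ----
"""

if __name__ == "__main__":
    hooks = parse_hooks(SAMPLE_LOG)
    print("same injected image in:", shared_injections(hooks))
    print("processes with a different hook set:", outliers(hooks))
```

On the sample, services.exe and lsass.exe share one layout (every target sits at the same offset from PFXImportCertStore's target), while Explorer.EXE and svchost.exe[1248] carry different hook sets and are reported separately.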

#2 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,590 posts
  • Gender:Male
  • Location:Puerto Rico
  • Local time:04:58 PM

Posted 11 April 2010 - 08:15 PM

Hi, rrahl

Welcome.

Download OTL to your Desktop
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • OTL should now start. Change the following settings
    • Change Drivers to All
    • Change Standard Registry to All
    • Under File Scans, change File age to 30
  • Under the Custom Scan box paste this in

    netsvcs
    %SYSTEMDRIVE%\*.*
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    RDPCDD.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    /md5stop
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles

  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt (first run only). These are saved in the same location as OTL.
    • Please post the contents of these files in your next reply.

No request for help through private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!
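The custom scan above asks for MD5s of the disk-controller drivers (atapi.sys, iaStor.sys, nvstor.sys and friends) because those are the files that get patched when a rootkit hooks the disk stack, which is what the GMER output in the first post suggests. The OTL output that comes back (pasted in the next reply) is long, and most of the "File not found" driver entries are harmless leftovers. As an added example (my code, not OTL's and not the helper's), here is a triage script that parses OTL's SRV/DRV lines and flags the entries worth a second look: no company name in the version info, hidden or system attributes on a service binary, or a service name borrowed from a well-known Windows service while running a different binary. The sample lines are copied from the OTL log in the next reply; the heuristics and the MIMIC_MAP table are this example's assumptions, not anything OTL itself reports.

```python
"""Triage OTL 'SRV -' / 'DRV -' lines: parse each entry and flag the ones a
malware responder would look at first.

Added example, not OTL's code; SAMPLE is copied from the OTL log posted in the
thread, the heuristics and MIMIC_MAP are assumptions of this example."""
import re
from collections import namedtuple

Entry = namedtuple("Entry", "kind date size attrs company state path name found")

# SRV - [2010/04/11 01:00:02 | 001,265,264 | ---- | M] (Lavasoft) [Auto | Running] -- C:\...\AAWService.exe -- (Lavasoft Ad-Aware Service)
ENTRY_RE = re.compile(
    r"^(?P<kind>SRV|DRV) - \[(?P<date>[\d/]+ [\d:]+) \| (?P<size>[\d,]+) \| "
    r"(?P<attrs>\S{4}) \| \S\] \((?P<company>[^()]*)\) \[(?P<state>[^\]]*)\] -- "
    r"(?P<path>.*?) -- \((?P<name>[^()]*(?:\([^()]*\)[^()]*)*)\)"
)
# DRV - File not found [Kernel | Disabled | Stopped] -- -- (ViaIde)
MISSING_RE = re.compile(
    r"^(?P<kind>SRV|DRV) - File not found \[(?P<state>[^\]]*)\] -- -- \((?P<name>[^()]*)\)"
)

# Service-name prefixes malware likes to borrow, mapped to the binary the real
# service runs.  Assumption of this example (the .NET runtime optimization
# service runs mscorsvw.exe), not something the log states.
MIMIC_MAP = {"clr_optimization": "mscorsvw.exe"}


def parse_line(line):
    """Return an Entry for an OTL service/driver line, or None for other lines."""
    text = line.strip()
    m = ENTRY_RE.match(text)
    if m:
        d = m.groupdict()
        return Entry(d["kind"], d["date"], int(d["size"].replace(",", "")), d["attrs"],
                     d["company"].strip(), d["state"], d["path"], d["name"], True)
    m = MISSING_RE.match(text)
    if m:
        d = m.groupdict()
        return Entry(d["kind"], None, 0, "----", "", d["state"], None, d["name"], False)
    return None


def reasons_for(e):
    """Heuristic findings for one entry; an empty list means nothing stood out."""
    reasons = []
    if not e.found:
        return reasons  # orphaned registry keys are common leftovers, not evidence
    basename = e.path.rsplit("\\", 1)[-1].lower()
    if e.company == "":
        reasons.append("no company name in version info")
    # OTL prints four attribute flags (R, H, S, ...); H or S on a service
    # binary is unusual for legitimate software.
    if "H" in e.attrs or "S" in e.attrs:
        reasons.append("hidden/system attribute set on a service binary (%s)" % e.attrs)
    for prefix, real_binary in MIMIC_MAP.items():
        if e.name.lower().startswith(prefix) and basename != real_binary:
            reasons.append("name mimics %s* but runs %s instead of %s"
                           % (prefix, basename, real_binary))
    return reasons


def triage(lines):
    """Parse all lines; return (entries, {service_name: [reasons]}) for flagged ones."""
    entries = [e for e in (parse_line(l) for l in lines) if e]
    flagged = {}
    for e in entries:
        r = reasons_for(e)
        if r:
            flagged[e.name] = r
    return entries, flagged


# Copied from the OTL log posted in the thread (constructed subset, same text).
SAMPLE = r"""
SRV - [2009/12/09 19:02:38 | 000,017,904 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft Security Essentials\MsMpEng.exe -- (MsMpSvc)
SRV - [2008/04/13 20:12:36 | 000,062,976 | --S- | M] () [Auto | Stopped] -- C:\WINDOWS\System32\adptifa.exe -- (clr_optimization_v2.0.50727_32SwPrv)
SRV - [2001/11/06 10:13:20 | 000,352,256 | ---- | M] ( Iomega Corporation) [Auto | Stopped] -- C:\WINDOWS\System32\iomegaaccess.exe -- (IomegaAccess)
DRV - File not found [Kernel | Disabled | Stopped] -- -- (ViaIde)
DRV - [2008/04/13 15:19:43 | 000,051,328 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\rasl2tp.sys -- (Rasl2tp) WAN Miniport (L2TP)
DRV - [2004/08/13 22:56:20 | 000,005,810 | R--- | M] () [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ASACPI.sys -- (MTsensor)
""".strip().splitlines()

if __name__ == "__main__":
    entries, flagged = triage(SAMPLE)
    print("%d entries parsed, %d flagged" % (len(entries), len(flagged)))
    for name, reasons in flagged.items():
        print(name, "->", "; ".join(reasons))
```

On this log the script flags the adptifa.exe service on all three counts, which is the entry to pull apart first. A missing company name on its own is weak evidence (the ASACPI.sys motherboard driver is flagged for that reason alone and is a known no-version-info driver), so treat the reasons as a ranking, not a verdict, and confirm with the file hashes the scan collects.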


#3 rrahl

rrahl
  • Topic Starter

  • Members
  • 23 posts
  • Local time:03:58 PM

Posted 11 April 2010 - 09:01 PM

Thank you for the quick reply and welcome

OTL and EXTRAS text file contents:

OTL logfile created on: 4/11/2010 9:49:53 PM - Run 1
OTL by OldTimer - Version 3.2.1.1 Folder = C:\Documents and Settings\Allan Douglass\Desktop\OTL
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 56.00% Memory free
2.00 Gb Paging File | 1.00 Gb Available in Paging File | 64.00% Paging File free
Paging file location(s): [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 111.78 Gb Total Space | 42.73 Gb Free Space | 38.23% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
Drive H: | 13.03 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
I: Drive not present or media not loaded

Computer Name: AJD
Current User Name: Allan Douglass
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/04/11 21:47:33 | 000,561,664 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Allan Douglass\Desktop\OTL\OTL.exe
PRC - [2010/04/11 01:00:03 | 000,818,256 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
PRC - [2010/04/11 01:00:02 | 001,265,264 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
PRC - [2010/02/21 06:03:12 | 001,093,208 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Security Essentials\msseces.exe
PRC - [2010/01/15 08:49:20 | 000,255,536 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
PRC - [2009/12/09 19:02:38 | 000,017,904 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
PRC - [2008/07/31 07:09:11 | 000,184,320 | ---- | M] (Jetico, Inc.) -- C:\Program Files\Jetico\BCWipe\BCResident.exe
PRC - [2008/05/26 22:19:14 | 000,123,904 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Desktop Search\WindowsSearch.exe
PRC - [2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/03/05 16:39:18 | 000,114,248 | ---- | M] (Neuber Software GmbH - www.neuber.com) -- C:\Program Files\Security Task Manager\SpyProtector.exe
PRC - [2005/12/08 12:06:12 | 000,016,384 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\CTHELPER.EXE
PRC - [2005/04/15 15:36:24 | 000,745,472 | ---- | M] () -- C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtlWake.exe
PRC - [2004/01/08 09:50:00 | 000,037,888 | ---- | M] (Logitech Inc.) -- C:\Program Files\Logitech\MouseWare\system\EM_EXEC.EXE
PRC - [2003/11/13 18:53:52 | 000,253,952 | ---- | M] (Stardock) -- C:\Program Files\Common Files\Stardock\sdmcp.exe
PRC - [2003/10/08 17:35:42 | 000,139,264 | ---- | M] (Creative Technology Ltd) -- C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
PRC - [2003/09/17 11:43:36 | 000,057,344 | ---- | M] (Creative Technology Ltd) -- C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
PRC - [2003/06/18 02:00:00 | 000,045,056 | ---- | M] (Creative Technology Ltd) -- C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.exe
PRC - [2003/01/31 09:44:24 | 001,290,302 | ---- | M] (Cisco Systems, Inc.) -- C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
PRC - [2002/07/29 15:18:44 | 000,750,592 | ---- | M] (VOB Computersysteme GmbH) -- C:\Program Files\InstantCD+DVD\InstantWrite\iwctrl.exe


========== Modules (SafeList) ==========

MOD - [2010/04/11 21:47:33 | 000,561,664 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Allan Douglass\Desktop\OTL\OTL.exe
MOD - [2008/04/13 20:12:01 | 000,413,696 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msvcp60.dll
MOD - [2005/12/08 12:06:10 | 000,007,168 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\CTAGENT.DLL
MOD - [2004/01/08 09:50:00 | 000,024,064 | ---- | M] (Logitech Inc.) -- C:\Program Files\Common Files\Logitech\Scrolling\LGMSGHK.DLL
MOD - [2004/01/08 09:50:00 | 000,006,144 | ---- | M] (Logitech Inc.) -- C:\Program Files\Logitech\MouseWare\system\LgWndHk.dll


========== Win32 Services (SafeList) ==========

SRV - [2010/04/11 01:00:02 | 001,265,264 | ---- | M] (Lavasoft) [Auto | Running] -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe -- (Lavasoft Ad-Aware Service)
SRV - [2010/03/22 15:53:24 | 000,068,000 | ---- | M] (NOS Microsystems Ltd.) [On_Demand | Stopped] -- C:\Program Files\NOS\bin\getPlus_Helper.dll -- (getPlusHelper) getPlus®
SRV - [2010/01/15 08:49:20 | 000,227,232 | ---- | M] (McAfee, Inc.) [On_Demand | Stopped] -- C:\Program Files\McAfee Security Scan\2.0.181\McCHSvc.exe -- (McComponentHostService)
SRV - [2009/12/09 19:02:38 | 000,017,904 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft Security Essentials\MsMpEng.exe -- (MsMpSvc)
SRV - [2008/04/13 20:12:36 | 000,062,976 | --S- | M] () [Auto | Stopped] -- C:\WINDOWS\System32\adptifa.exe -- (clr_optimization_v2.0.50727_32SwPrv)
SRV - [2003/01/31 09:44:24 | 001,290,302 | ---- | M] (Cisco Systems, Inc.) [Auto | Running] -- C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe -- (CVPND)
SRV - [2002/09/20 15:50:10 | 000,045,056 | ---- | M] (Analog Devices, Inc.) [On_Demand | Stopped] -- C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe -- (SoundMAX Agent Service (default))
SRV - [2001/11/06 10:13:20 | 000,352,256 | ---- | M] ( Iomega Corporation) [Auto | Stopped] -- C:\WINDOWS\System32\iomegaaccess.exe -- (IomegaAccess)


========== Driver Services (All) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
DRV - File not found [Kernel | Disabled | Stopped] -- -- (ViaIde)
DRV - File not found [Kernel | Disabled | Stopped] -- -- (ultra)
DRV - File not found [Kernel | Disabled | Stopped] -- -- (TosIde)
DRV - File not found [Kernel | Disabled | Stopped] -- -- (symc8xx)
DRV - File not found [Kernel | Disabled | Stopped] -- -- (symc810)
DRV - File not found [Kernel | Disabled | Stopped] -- -- (sym_u3)
DRV - File not found [Kernel | Disabled | Stopped] -- -- (sym_hi)
DRV - File not found [Kernel | Disabled | Stopped] -- -- (Sparrow)
DRV - File not found [Kernel | Disabled | Stopped] -- -- (Simbad)
DRV - File not found [Kernel | Disabled | Stopped] -- -- (ql1280)
DRV - File not found [Kernel | Disabled | Stopped] -- -- (ql1240)
DRV - File not found [Kernel | Disabled | Stopped] -- -- (ql12160)
DRV - File not found [Kernel | Disabled | Stopped] -- -- (Ql10wnt)
DRV - File not found [Kernel | Disabled | Stopped] -- -- (ql1080)
DRV - File not found [Kernel | Disabled | Stopped] -- -- (perc2hib)
DRV - File not found [Kernel | Disabled | Stopped] -- -- (perc2)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP)
DRV - File not found [Kernel | System | Stopped] -- -- (PCIDump)
DRV - File not found [Kernel | Disabled | Stopped] -- -- (mraid35x)
DRV - File not found [Kernel | System | Stopped] -- -- (lbrtfdc)
DRV - File not found [Kernel | Disabled | Stopped] -- -- (IntelIde)
DRV - File not found [Kernel | Disabled | Stopped] -- -- (ini910u)
DRV - File not found [Kernel | Disabled | Stopped] -- -- (i2omp)
DRV - File not found [Kernel | System | Stopped] -- -- (i2omgmt)
DRV - File not found [Kernel | Disabled | Stopped] -- -- (hpn)
DRV - File not found [Kernel | Disabled | Stopped] -- -- (dpti2o)
DRV - File not found [Kernel | Disabled | Stopped] -- -- (dac960nt)
DRV - File not found [Kernel | Disabled | Stopped] -- -- (Cpqarray)
DRV - File not found [Kernel | Disabled | Stopped] -- -- (CmdIde)
DRV - File not found [Kernel | System | Stopped] -- -- (Changer)
DRV - File not found [Kernel | Disabled | Stopped] -- -- (cd20xrnt)
DRV - File not found [Kernel | Disabled | Stopped] -- -- (Atdisk)
DRV - File not found [Kernel | Disabled | Stopped] -- -- (asc3550)
DRV - File not found [Kernel | Disabled | Stopped] -- -- (asc3350p)
DRV - File not found [Kernel | Disabled | Stopped] -- -- (asc)
DRV - File not found [Kernel | Disabled | Stopped] -- -- (amsint)
DRV - File not found [Kernel | Disabled | Stopped] -- -- (AliIde)
DRV - File not found [Kernel | Disabled | Stopped] -- -- (aic78xx)
DRV - File not found [Kernel | Disabled | Stopped] -- -- (aic78u2)
DRV - File not found [Kernel | Disabled | Stopped] -- -- (Aha154x)
DRV - File not found [Kernel | Disabled | Stopped] -- -- (adpu160m)
DRV - File not found [Kernel | Disabled | Stopped] -- -- (abp480n5)
DRV - File not found [Kernel | Disabled | Stopped] -- -- (Abiosdsk)
DRV - [2010/04/11 21:40:25 | 000,028,880 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{37E15692-A725-487F-BA99-BC90202AD2A8}\MpKsl20ea9ba0.sys -- (MpKsl20ea9ba0)
DRV - [2010/04/11 10:05:26 | 000,028,880 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{37E15692-A725-487F-BA99-BC90202AD2A8}\MpKsla5b9b56b.sys -- (MpKsla5b9b56b)
DRV - [2010/02/04 11:53:02 | 000,064,288 | ---- | M] (Lavasoft AB) [File_System | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\Lbd.sys -- (Lbd)
DRV - [2009/12/31 12:50:03 | 000,353,792 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Running] -- C:\WINDOWS\system32\drivers\srv.sys -- (Srv)
DRV - [2009/12/04 14:22:22 | 000,455,424 | ---- | M] (Microsoft Corporation) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\mrxsmb.sys -- (MRxSmb)
DRV - [2009/12/02 16:23:40 | 000,149,040 | ---- | M] (Microsoft Corporation) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\MpFilter.sys -- (MpFilter)
DRV - [2009/10/20 12:20:16 | 000,265,728 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\http.sys -- (HTTP)
DRV - [2009/07/21 12:30:48 | 003,565,056 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2009/06/24 07:18:41 | 000,092,928 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\ksecdd.sys -- (KSecDD)
DRV - [2008/08/14 06:04:36 | 000,138,496 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\afd.sys -- (AFD)
DRV - [2008/06/20 07:51:12 | 000,361,600 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\tcpip.sys -- (Tcpip)
DRV - [2008/04/13 20:13:22 | 000,139,656 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\rdpwd.sys -- (RDPWD)
DRV - [2008/04/13 20:13:21 | 000,021,896 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\tdtcp.sys -- (TDTCP)
DRV - [2008/04/13 20:13:20 | 000,040,840 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\termdd.sys -- (TermDD)
DRV - [2008/04/13 20:13:20 | 000,012,040 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\tdpipe.sys -- (TDPIPE)
DRV - [2008/04/13 15:28:39 | 000,175,744 | ---- | M] (Microsoft Corporation) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\rdbss.sys -- (Rdbss)
DRV - [2008/04/13 15:21:00 | 000,162,816 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\netbt.sys -- (NetBT)
DRV - [2008/04/13 15:20:42 | 000,091,520 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ndiswan.sys -- (NdisWan)
DRV - [2008/04/13 15:20:37 | 000,182,656 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\ndis.sys -- (NDIS)
DRV - [2008/04/13 15:19:48 | 000,048,384 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\raspptp.sys -- (PptpMiniport) WAN Miniport (PPTP)
DRV - [2008/04/13 15:19:43 | 000,051,328 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\rasl2tp.sys -- (Rasl2tp) WAN Miniport (L2TP)
DRV - [2008/04/13 15:19:42 | 000,075,264 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ipsec.sys -- (IPSec)
DRV - [2008/04/13 15:18:00 | 000,052,480 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\i8042prt.sys -- (i8042prt)
DRV - [2008/04/13 15:17:18 | 000,083,072 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\wdmaud.sys -- (wdmaud)
DRV - [2008/04/13 15:17:05 | 000,105,344 | ---- | M] (Microsoft Corporation) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\mup.sys -- (Mup)
DRV - [2008/04/13 15:15:55 | 000,060,800 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\sysaudio.sys -- (sysaudio)
DRV - [2008/04/13 15:15:53 | 000,574,976 | ---- | M] (Microsoft Corporation) [File_System | Disabled | Running] -- C:\WINDOWS\system32\drivers\ntfs.sys -- (Ntfs)
DRV - [2008/04/13 15:15:45 | 000,064,512 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\serial.sys -- (Serial)
DRV - [2008/04/13 15:14:29 | 000,143,744 | ---- | M] (Microsoft Corporation) [File_System | Disabled | Running] -- C:\WINDOWS\system32\drivers\fastfat.sys -- (Fastfat)
DRV - [2008/04/13 15:14:21 | 000,063,744 | ---- | M] (Microsoft Corporation) [File_System | Disabled | Running] -- C:\WINDOWS\system32\drivers\cdfs.sys -- (Cdfs)
DRV - [2008/04/13 15:00:19 | 000,030,080 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\modem.sys -- (Modem)
DRV - [2008/04/13 14:57:32 | 000,041,472 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\raspppoe.sys -- (RasPppoe)
DRV - [2008/04/13 14:57:29 | 000,040,576 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ndproxy.sys -- (NDProxy)
DRV - [2008/04/13 14:57:27 | 000,014,336 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\asyncmac.sys -- (AsyncMac)
DRV - [2008/04/13 14:57:27 | 000,010,112 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ndistapi.sys -- (NdisTapi)
DRV - [2008/04/13 14:57:21 | 000,034,560 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\wanarp.sys -- (Wanarp)
DRV - [2008/04/13 14:57:15 | 000,152,832 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ipnat.sys -- (IpNat)
DRV - [2008/04/13 14:57:07 | 000,020,864 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ipinip.sys -- (IpInIp)
DRV - [2008/04/13 14:56:38 | 000,069,120 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\psched.sys -- (PSched)
DRV - [2008/04/13 14:56:32 | 000,035,072 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\msgpc.sys -- (Gpc)
DRV - [2008/04/13 14:56:02 | 000,034,688 | ---- | M] (Microsoft Corporation) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\netbios.sys -- (NetBIOS)
DRV - [2008/04/13 14:55:58 | 000,014,592 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ndisuio.sys -- (Ndisuio)
DRV - [2008/04/13 14:54:28 | 000,011,264 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\irenum.sys -- (IRENUM)
DRV - [2008/04/13 14:53:34 | 000,036,608 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ip6fw.sys -- (ip6fw)
DRV - [2008/04/13 14:51:25 | 000,061,824 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nic1394.sys -- (NIC1394)
DRV - [2008/04/13 14:51:25 | 000,060,800 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\arp1394.sys -- (Arp1394)
DRV - [2008/04/13 14:51:25 | 000,059,904 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\atmarpc.sys -- (Atmarpc)
DRV - [2008/04/13 14:46:25 | 000,085,248 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nabtsfec.sys -- (NABTSFEC)
DRV - [2008/04/13 14:46:24 | 000,019,200 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wstcodec.sys -- (WSTCODEC)
DRV - [2008/04/13 14:46:23 | 000,017,024 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ccdecode.sys -- (CCDECODE)
DRV - [2008/04/13 14:46:23 | 000,011,136 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\slip.sys -- (SLIP)
DRV - [2008/04/13 14:46:22 | 000,015,232 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mpe.sys -- (MPE)
DRV - [2008/04/13 14:46:22 | 000,010,880 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ndisip.sys -- (NdisIP)
DRV - [2008/04/13 14:46:21 | 000,015,232 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\streamip.sys -- (streamip)
DRV - [2008/04/13 14:46:18 | 000,061,696 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\ohci1394.sys -- (ohci1394)
DRV - [2008/04/13 14:45:40 | 000,032,128 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\usbccgp.sys -- (usbccgp)
DRV - [2008/04/13 14:45:38 | 000,026,368 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\usbstor.sys -- (usbstor)
DRV - [2008/04/13 14:45:37 | 000,059,520 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\usbhub.sys -- (usbhub)
DRV - [2008/04/13 14:45:35 | 000,030,208 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\usbehci.sys -- (usbehci)
DRV - [2008/04/13 14:45:35 | 000,020,608 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\usbuhci.sys -- (usbuhci)
DRV - [2008/04/13 14:45:29 | 000,010,624 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\gameenum.sys -- (gameenum)
DRV - [2008/04/13 14:45:13 | 000,002,944 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\drmkaud.sys -- (drmkaud)
DRV - [2008/04/13 14:45:09 | 000,172,416 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\kmixer.sys -- (kmixer)
DRV - [2008/04/13 14:45:09 | 000,056,576 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\swmidi.sys -- (swmidi)
DRV - [2008/04/13 14:45:07 | 000,006,272 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\splitter.sys -- (splitter)
DRV - [2008/04/13 14:45:01 | 000,052,864 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\dmusic.sys -- (DMusic)
DRV - [2008/04/13 14:44:48 | 000,799,744 | ---- | M] (Microsoft Corp., Veritas Software) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\dmboot.sys -- (dmboot)
DRV - [2008/04/13 14:44:46 | 000,153,344 | ---- | M] (Microsoft Corp., Veritas Software) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\dmio.sys -- (dmio)
DRV - [2008/04/13 14:44:40 | 000,020,992 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\vga.sys -- (VgaSave)
DRV - [2008/04/13 14:41:01 | 000,052,352 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\volsnap.sys -- (VolSnap)
DRV - [2008/04/13 14:40:58 | 000,042,112 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\imapi.sys -- (Imapi)
DRV - [2008/04/13 14:40:49 | 000,019,712 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\partmgr.sys -- (PartMgr)
DRV - [2008/04/13 14:40:48 | 000,011,392 | ---- | M] (Microsoft Corporation) [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\sfloppy.sys -- (Sfloppy)
DRV - [2008/04/13 14:40:47 | 000,036,352 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\disk.sys -- (Disk)
DRV - [2008/04/13 14:40:46 | 000,062,976 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\cdrom.sys -- (Cdrom)
DRV - [2008/04/13 14:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\atapi.sys -- (atapi)
DRV - [2008/04/13 14:40:27 | 000,057,600 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\redbook.sys -- (redbook)
DRV - [2008/04/13 14:40:25 | 000,027,392 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\fdc.sys -- (Fdc)
DRV - [2008/04/13 14:40:25 | 000,020,480 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\flpydisk.sys -- (Flpydisk)
DRV - [2008/04/13 14:40:12 | 000,015,744 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\serenum.sys -- (serenum)
DRV - [2008/04/13 14:40:10 | 000,080,128 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\parport.sys -- (Parport)
DRV - [2008/04/13 14:39:53 | 000,004,352 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\swenum.sys -- (swenum)
DRV - [2008/04/13 14:39:52 | 000,007,552 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mskssrv.sys -- (MSKSSRV)
DRV - [2008/04/13 14:39:51 | 000,004,992 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mspqm.sys -- (MSPQM)
DRV - [2008/04/13 14:39:50 | 000,005,504 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mstee.sys -- (MSTEE)
DRV - [2008/04/13 14:39:50 | 000,005,376 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mspclock.sys -- (MSPCLOCK)
DRV - [2008/04/13 14:39:47 | 000,024,576 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\kbdclass.sys -- (Kbdclass)
DRV - [2008/04/13 14:39:47 | 000,023,040 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\mouclass.sys -- (Mouclass)
DRV - [2008/04/13 14:39:46 | 000,384,768 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\update.sys -- (Update)
DRV - [2008/04/13 14:39:46 | 000,042,368 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\mountmgr.sys -- (MountMgr)
DRV - [2008/04/13 14:36:52 | 000,073,472 | ---- | M] (Microsoft Corporation) [File_System | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\sr.sys -- (sr)
DRV - [2008/04/13 14:36:46 | 000,015,488 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mssmbios.sys -- (mssmbios)
DRV - [2008/04/13 14:36:44 | 000,068,224 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\pci.sys -- (PCI)
DRV - [2008/04/13 14:36:43 | 000,120,192 | ---- | M] (Microsoft Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\pcmcia.sys -- (Pcmcia)
DRV - [2008/04/13 14:36:41 | 000,037,248 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\isapnp.sys -- (isapnp)
DRV - [2008/04/13 14:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\agp440.sys -- (agp440)
DRV - [2008/04/13 14:36:35 | 000,187,776 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\ACPI.sys -- (ACPI)
DRV - [2008/04/13 14:33:28 | 000,044,544 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\fips.sys -- (Fips)
DRV - [2008/04/13 14:32:59 | 000,129,792 | ---- | M] (Microsoft Corporation) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\fltmgr.sys -- (FltMgr)
DRV - [2008/04/13 14:32:44 | 000,180,608 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mrxdav.sys -- (MRxDAV)
DRV - [2008/04/13 14:32:39 | 000,030,848 | ---- | M] (Microsoft Corporation) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\npfs.sys -- (Npfs)
DRV - [2008/04/13 14:32:39 | 000,019,072 | ---- | M] (Microsoft Corporation) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\msfs.sys -- (Msfs)
DRV - [2008/04/13 14:32:36 | 000,066,048 | ---- | M] (Microsoft Corporation) [File_System | Disabled | Running] -- C:\WINDOWS\system32\drivers\udfs.sys -- (Udfs)
DRV - [2008/04/13 14:31:32 | 000,036,352 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\intelppm.sys -- (intelppm)
DRV - [2008/04/13 14:31:30 | 000,035,840 | ---- | M] (Microsoft Corporation) [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\processr.sys -- (Processor)
DRV - [2008/04/13 12:39:23 | 000,142,592 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\aec.sys -- (aec)
DRV - [2008/04/13 12:36:05 | 000,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2007/11/13 06:25:53 | 000,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv)
DRV - [2007/09/14 00:46:44 | 000,091,496 | ---- | M] (Jetico, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\bcswap.sys -- (BCSWAP)
DRV - [2007/06/13 21:23:29 | 000,169,344 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\atinavt2.sys -- (ATIAVAIW)
DRV - [2007/03/07 19:51:00 | 000,043,528 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\PxHelp20.sys -- (PxHelp20)
DRV - [2006/09/28 19:00:34 | 000,082,944 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\WudfRd.sys -- (WudfRd)
DRV - [2006/09/28 18:55:50 | 000,077,568 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\WudfPf.sys -- (WudfPf)
DRV - [2006/06/01 17:22:00 | 003,925,920 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2006/03/27 17:53:28 | 000,167,808 | ---- | M] (NETGEAR Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wg111v2.sys -- (RTLWUSB)
DRV - [2005/12/08 12:20:14 | 000,008,192 | ---- | M] (Creative Technology Ltd.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\pfmodnt.sys -- (PfDetNT)
DRV - [2005/12/08 11:55:48 | 000,007,168 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctprxy2k.sys -- (ctprxy2k)
DRV - [2005/12/08 11:55:46 | 000,439,296 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctaud2k.sys -- (ctaud2k) Creative Audio Driver (WDM)
DRV - [2005/12/08 11:55:08 | 000,179,712 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\haP17v2k.sys -- (hap17v2k)
DRV - [2005/12/08 11:55:04 | 000,154,112 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\haP16v2k.sys -- (hap16v2k)
DRV - [2005/12/08 11:55:02 | 000,754,176 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ha10kx2k.sys -- (ha10kx2k)
DRV - [2005/12/08 11:54:52 | 000,114,688 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctoss2k.sys -- (ossrv)
DRV - [2005/12/08 11:54:42 | 000,142,336 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctsfm2k.sys -- (ctsfm2k)
DRV - [2005/12/08 11:54:40 | 000,077,824 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\emupia2k.sys -- (emupia)
DRV - [2005/12/08 11:54:32 | 000,501,760 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctac32k.sys -- (ctac32k)
DRV - [2005/11/10 17:06:04 | 000,340,704 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ctdvda2k.sys -- (ctdvda2k)
DRV - [2005/10/16 07:00:00 | 000,012,928 | ---- | M] (Bo Brantén) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\filedisk.sys -- (FileDisk)
DRV - [2005/09/01 01:52:50 | 000,176,640 | R--- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\e1e5132.sys -- (e1express) Intel®
DRV - [2005/08/02 23:00:36 | 000,232,192 | ---- | M] (Ralink Technology, Corp.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\rt73.sys -- (RT73)
DRV - [2005/05/25 12:55:58 | 003,134,976 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2005/05/06 08:27:00 | 000,232,064 | ---- | M] (Marvell) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\yk51x86.sys -- (yukonwxp)
DRV - [2005/04/26 08:30:20 | 000,025,424 | R--- | M] (Integrated Technology Express, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\iteatapi.sys -- (iteatapi)
DRV - [2005/04/01 10:42:20 | 000,066,048 | ---- | M] (Windows ® 2000 DDK provider) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\EAPPkt.sys -- (EAPPkt)
DRV - [2005/01/19 18:30:52 | 000,067,200 | R--- | M] (Silicon Image, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\SI3132.sys -- (SI3132)
DRV - [2004/11/01 15:21:32 | 000,010,368 | R--- | M] (Silicon Image, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\SiWinAcc.sys -- (SiFilter)
DRV - [2004/08/13 22:56:20 | 000,005,810 | R--- | M] () [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ASACPI.sys -- (MTsensor)
DRV - [2003/12/17 09:50:00 | 000,070,801 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\LMouFlt2.Sys -- (LMouFlt2)
DRV - [2003/12/17 09:50:00 | 000,051,729 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\L8042pr2.Sys -- (L8042pr2)
DRV - [2003/10/13 01:29:00 | 000,067,456 | R--- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\GA311ND5.SYS -- (RTL8023)
DRV - [2003/08/22 02:22:00 | 000,016,848 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ctpdusb.sys -- (Jukebox3)
DRV - [2003/06/12 15:09:40 | 000,015,360 | ---- | M] (Sygate Technologies, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\wpsdrvnt.sys -- (wpsdrvnt)
DRV - [2003/06/12 15:09:28 | 000,008,023 | ---- | M] (Sygate Technologies, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\SYSTEM32\Drivers\wg3n.sys -- (wg3n)
DRV - [2003/06/12 15:08:06 | 000,085,456 | ---- | M] (Sygate Technologies, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\SYSTEM32\Drivers\Teefer.sys -- (Teefer)
DRV - [2003/06/07 04:00:00 | 000,531,128 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20030607.003\NAVEX15.SYS -- (NAVEX15)
DRV - [2003/06/07 04:00:00 | 000,067,800 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20030607.003\NAVENG.SYS -- (NAVENG)
DRV - [2003/05/27 12:00:34 | 000,073,496 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\SYMEVENT.SYS -- (SymEvent)
DRV - [2003/04/03 13:04:28 | 000,058,752 | ---- | M] (Panda Software) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\pavdrv51.sys -- (pavdrv)
DRV - [2003/03/31 11:39:08 | 000,145,152 | ---- | M] (3Com Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\EL2K_XP.sys -- (EL2000)
DRV - [2003/03/21 10:46:22 | 000,555,264 | ---- | M] (Analog Devices, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\smwdm.sys -- (smwdm)
DRV - [2003/02/26 00:01:40 | 000,100,032 | ---- | M] (Andrea Electronics Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\aeaudio.sys -- (aeaudio)
DRV - [2003/01/31 09:46:10 | 000,263,749 | ---- | M] (Cisco Systems, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\CVPNDrv.sys -- (CVPNDRV)
DRV - [2002/10/02 08:57:12 | 000,013,532 | ---- | M] (Windows ® 2000 DDK provider) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\SjyPkt.sys -- (SjyPkt)
DRV - [2002/09/27 07:53:00 | 000,009,856 | ---- | M] (Padus, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\pfc.sys -- (pfc)
DRV - [2002/09/19 22:53:34 | 000,235,100 | ---- | M] (Analog Devices Inc) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\MidiSyn.sys -- (MidiSyn)
DRV - [2002/08/29 08:00:00 | 000,125,056 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\ftdisk.sys -- (Ftdisk)
DRV - [2002/08/29 08:00:00 | 000,032,896 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ipfltdrv.sys -- (IpFilterDriver)
DRV - [2002/08/29 08:00:00 | 000,032,512 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nwlnkfwd.sys -- (NwlnkFwd)
DRV - [2002/08/29 08:00:00 | 000,018,688 | ---- | M] (Microsoft Corporation) [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\cdaudio.sys -- (Cdaudio)
DRV - [2002/08/29 08:00:00 | 000,017,792 | ---- | M] (Parallel Technologies, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink)
DRV - [2002/08/29 08:00:00 | 000,016,512 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\raspti.sys -- (Raspti)
DRV - [2002/08/29 08:00:00 | 000,013,952 | ---- | M] (Microsoft Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\cbidf2k.sys -- (cbidf2k)
DRV - [2002/08/29 08:00:00 | 000,012,416 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nwlnkflt.sys -- (NwlnkFlt)
DRV - [2002/08/29 08:00:00 | 000,012,032 | ---- | M] (Microsoft Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\drivers\ws2ifsl.sys -- (WS2IFSL)
DRV - [2002/08/29 08:00:00 | 000,011,648 | ---- | M] (Microsoft Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\acpiec.sys -- (ACPIEC)
DRV - [2002/08/29 08:00:00 | 000,008,832 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\rasacd.sys -- (RasAcd)
DRV - [2002/08/29 08:00:00 | 000,006,784 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\parvdm.sys -- (ParVdm)
DRV - [2002/08/29 08:00:00 | 000,005,888 | ---- | M] (Microsoft Corp., Veritas Software.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\dmload.sys -- (dmload)
DRV - [2002/08/29 08:00:00 | 000,004,224 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\rdpcdd.sys -- (RDPCDD)
DRV - [2002/08/29 08:00:00 | 000,004,224 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\mnmdd.sys -- (mnmdd)
DRV - [2002/08/29 08:00:00 | 000,004,224 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\beep.sys -- (Beep)
DRV - [2002/08/29 08:00:00 | 000,002,944 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\null.sys -- (Null)
DRV - [2002/08/24 15:00:24 | 000,181,400 | ---- | M] (Symantec Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\SymTDI.sys -- (SYMTDI)
DRV - [2002/08/09 16:23:46 | 000,178,688 | ---- | M] (VOB Computersysteme GmbH) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\vobIW.sys -- (vobiw)
DRV - [2002/07/26 14:32:40 | 000,061,440 | ---- | M] (VOB Computersysteme GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\Cdrdrv.sys -- (cdrdrv)
DRV - [2002/06/27 23:00:00 | 000,016,509 | ---- | M] (Palm, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\PalmUSBD.sys -- (PalmUSBD)
DRV - [2002/04/17 20:27:02 | 000,011,264 | ---- | M] (VOB Computersysteme GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\asapi.sys -- (Asapi)
DRV - [2002/01/09 16:10:30 | 000,128,380 | ---- | M] (Deterministic Networks, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\dne2000.sys -- (DNE)
DRV - [2001/10/04 11:53:16 | 000,009,728 | ---- | M] (VOB Computersysteme GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\vobcom.sys -- (vobcom)
DRV - [2001/09/04 07:22:52 | 000,019,534 | ---- | M] (3Com Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\TCAITDI.SYS -- (TCAITDI)
DRV - [2001/08/17 13:51:52 | 000,003,328 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\pciide.sys -- (PCIIde)
DRV - [2001/08/17 09:59:44 | 000,003,072 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\audstub.sys -- (audstub)
DRV - [2000/06/06 14:08:04 | 000,021,233 | ---- | M] (3Com Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\TCAICCHG.SYS -- (tcaicchg)


========== Standard Registry (All) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions = 1
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://cbs.sportsline.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 1B 71 11 49 69 ED C9 01 [binary data]
IE - HKCU\..\URLSearchHook: {CFBFAE00-17A6-11D0-99CB-00C04FD64497} - C:\WINDOWS\system32\ieframe.dll (Microsoft Corporation)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = 127.0.0.1:7212

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "cbs.sportsline.com"
FF - prefs.js..extensions.enabledItems: {E2883E8F-472F-4fb0-9522-AC9BF37916A7}:1.6.2.63
FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.6.3

FF - HKLM\software\mozilla\Firefox\extensions\\jqs@sun.com: C:\Program Files\Java\jre6\lib\deploy\jqs\ff [2010/04/11 00:33:42 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\extensions\\{20a82645-c095-46ed-80e3-08825760534b}: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ [2009/07/07 19:15:05 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/04/10 17:58:12 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/04/10 17:58:08 | 000,000,000 | ---D | M]

[2009/05/09 08:57:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Allan Douglass\Application Data\Mozilla\Extensions
[2009/05/09 08:57:38 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Allan Douglass\Application Data\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
[2010/04/11 20:29:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Allan Douglass\Application Data\Mozilla\Firefox\Profiles\h2dqf21t.default\extensions
[2010/04/11 14:29:20 | 000,000,000 | ---D | M] (Adobe DLM (powered by getPlus®)) -- C:\Documents and Settings\Allan Douglass\Application Data\Mozilla\Firefox\Profiles\h2dqf21t.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}
[2010/04/11 20:29:55 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/04/10 17:58:09 | 000,000,000 | ---D | M] (Default) -- C:\Program Files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2010/04/11 00:34:05 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
[2010/04/01 13:58:18 | 000,023,000 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\browserdirprovider.dll
[2010/04/01 13:58:19 | 000,138,712 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\brwsrcmp.dll
[2007/08/07 13:35:32 | 000,049,152 | ---- | M] (Adobe Systems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\np32dsw.dll
[2010/04/11 00:33:41 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeploytk.dll
[2008/04/16 19:09:28 | 000,249,856 | ---- | M] ( ) -- C:\Program Files\Mozilla Firefox\plugins\npff_gdm.dll
[2010/04/01 13:58:20 | 000,064,984 | ---- | M] (mozilla.org) -- C:\Program Files\Mozilla Firefox\plugins\npnul32.dll
[2010/03/22 15:53:24 | 000,032,576 | ---- | M] (NOS Microsystems Ltd.) -- C:\Program Files\Mozilla Firefox\plugins\np_gp.dll
[2010/04/01 11:56:18 | 000,001,394 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\amazondotcom.xml
[2010/04/01 11:56:18 | 000,002,193 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\answers.xml
[2010/04/01 11:56:18 | 000,001,534 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\creativecommons.xml
[2010/04/01 11:56:18 | 000,002,344 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\eBay.xml
[2010/04/01 11:56:18 | 000,002,371 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\google.xml
[2010/04/01 11:56:18 | 000,001,178 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\wikipedia.xml
[2010/04/01 11:56:18 | 000,001,096 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\yahoo.xml

O1 HOSTS File: ([2002/08/29 08:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (MSN Toolbar Helper) - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.0988.2\msneshellx.dll (Microsoft Corp.)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (MSN Toolbar) - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.0988.2\msneshellx.dll (Microsoft Corp.)
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKCU\..\Toolbar\ShellBrowser: (&Address) - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (&Address) - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (&Links) - {0E5CBF21-D15F-11D0-8301-00AA005B4383} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
O4 - HKLM..\Run: [BCWipeTM Startup] C:\Program Files\Jetico\BCWipe\BCWipeTM.exe (Jetico, Inc.)
O4 - HKLM..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.exe (Creative Technology Ltd)
O4 - HKLM..\Run: [CTHelper] C:\WINDOWS\CTHELPER.EXE (Creative Technology Ltd)
O4 - HKLM..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe (Creative Technology Ltd)
O4 - HKLM..\Run: [IW Controlcenter] C:\Program Files\InstantCD+DVD\InstantWrite\iwctrl.exe (VOB Computersysteme GmbH)
O4 - HKLM..\Run: [Logitech Utility] C:\WINDOWS\LOGI_MWX.EXE (Logitech Inc.)
O4 - HKLM..\Run: [MSSE] c:\Program Files\Microsoft Security Essentials\msseces.exe (Microsoft Corporation)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\nvmctray.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe ()
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\qttask.exe (Apple Computer, Inc.)
O4 - HKLM..\Run: [RCScheduleCheck] C:\Program Files\VCOM\Recovery Commander\RCSCHED.EXE (imagine LAN, Inc.)
O4 - HKLM..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe (Creative Technology Ltd)
O4 - HKLM..\Run: [Spy Protector] C:\Program Files\Security Task Manager\SpyProtector.exe (Neuber Software GmbH - www.neuber.com)
O4 - HKLM..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Common Files\Java\Java Update\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [TCASUTIEXE] C:\WINDOWS\System32\TCAUDIAG.EXE ()
O4 - HKLM..\Run: [UpdReg] C:\WINDOWS\Updreg.EXE (Creative Technology Ltd.)
O4 - HKCU..\Run: [ATI Launchpad] File not found
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (Microsoft Corporation)
O4 - HKCU..\Run: [MSMSGS] C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O4 - HKCU..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe (Creative Technology Ltd)
O4 - HKLM..\RunOnce: [Uninstall Adobe Download Manager] File not found
O4 - Startup: C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\ipsecdialer.exe (Cisco Systems, Inc.)
O4 - Startup: C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk = C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe (McAfee, Inc.)
O4 - Startup: C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\WG111v2 Smart Wizard Wireless Setting.lnk = C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtlWake.exe ()
O4 - Startup: C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra Button: GhostSurf Privacy Center - {578FC4E3-151E-456c-AF8E-B63061EFE228} - Reg Error: Value error. File not found
O9 - Extra 'Tools' menuitem : GhostSurf Privacy Center - {578FC4E3-151E-456c-AF8E-B63061EFE228} - Reg Error: Value error. File not found
O9 - Extra Button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\Icq.exe (ICQ Inc.)
O9 - Extra 'Tools' menuitem : ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\Icq.exe (ICQ Inc.)
O9 - Extra Button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll ()
O9 - Extra 'Tools' menuitem : PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll ()
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000001 [] - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000002 [] - C:\WINDOWS\system32\winrnr.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000003 [] - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\WINDOWS\system32\rsvpsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\WINDOWS\system32\rsvpsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000016 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000017 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000018 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000019 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000020 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000021 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000022 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000023 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000024 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000025 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000026 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000027 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000028 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000029 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000030 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000031 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000032 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000033 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O15 - HKCU\..Trusted Domains: aol.com ([free] http in Trusted sites)
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} http://www.creative.com/su/ocx/15026/CTSUEng.cab (Creative Software AutoUpdate)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwa...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.10.115.cab (CDownloadCtrl Object)
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} http://cdn.scan.onecare.live.com/resource/...lscbase6087.cab (Windows Live Safety Center Base Module)
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} http://www.systemrequirementslab.com/sysreqlab2.cab (System Requirements Lab Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdat...b?1128859283046 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_19)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...r/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} http://support.f-secure.com/ols/fscax.cab (F-Secure Online Scanner 3.3)
O16 - DPF: {CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA} http://java.sun.com/update/1.4.1/jinstall-...indows-i586.cab (Java Plug-in 1.4.1)
O16 - DPF: {CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA} Reg Error: Key error. (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_19)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_19)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab (Reg Error: Key error.)
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} http://www.popcap.com/webgames/popcaploader_v10.cab (PopCapLoader Object)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (get_atlcom Class)
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} http://www.creative.com/su/ocx/15016/CTPID.cab (Creative Software AutoUpdate Support Package)
O16 - DPF: DirectAnimation Java Classes file://C:\WINDOWS\Java\classes\dajava.cab (Reg Error: Key error.)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1
O18 - Protocol\Handler\about {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\cdl {3dd53d40-7b8b-11D0-b013-00aa0059ce02} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\dvd {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\WINDOWS\system32\msvidctl.dll (Microsoft Corporation)
O18 - Protocol\Handler\file {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\ftp {79eac9e3-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\gopher {79eac9e4-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\http {79eac9e2-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https {79eac9e5-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ipp - No CLSID value found
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll (Microsoft Corporation)
O18 - Protocol\Handler\javascript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\local {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\mailto {3050f3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\mhtml {05300401-BCBC-11d0-85E3-00C04FD85AB4} - C:\WINDOWS\system32\inetcomm.dll (Microsoft Corporation)
O18 - Protocol\Handler\mk {79eac9e6-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll (Microsoft Corporation)
O18 - Protocol\Handler\res {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\sysimage {76E67A63-06E9-11D2-A840-006008059382} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\tv {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - C:\WINDOWS\system32\msvidctl.dll (Microsoft Corporation)
O18 - Protocol\Handler\vbscript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\wia {13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE} - C:\WINDOWS\system32\wiascr.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/octet-stream {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\System32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/x-complus {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\System32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/x-msdownload {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\System32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\Class Install Handler {32B533BB-EDAE-11d0-BD5A-00AA00B92AF1} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\deflate {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\gzip {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\lzdhtml {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/webviewhtml {733AC4CB-F1A4-11d0-B951-00A0C90312E1} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\sdra64.exe) - C:\WINDOWS\system32\sdra64.exe ()
O20 - HKLM Winlogon: UIHost - (logonui.exe) - C:\WINDOWS\System32\logonui.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (rundll32 shell32) - C:\WINDOWS\System32\shell32.dll (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (Control_RunDLL "sysdm.cpl") - C:\WINDOWS\System32\sysdm.cpl (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O20 - Winlogon\Notify\crypt32chain: DllName - crypt32.dll - C:\WINDOWS\System32\crypt32.dll (Microsoft Corporation)
O20 - Winlogon\Notify\cryptnet: DllName - cryptnet.dll - C:\WINDOWS\System32\cryptnet.dll (Microsoft Corporation)
O20 - Winlogon\Notify\cscdll: DllName - cscdll.dll - C:\WINDOWS\System32\cscdll.dll (Microsoft Corporation)
O20 - Winlogon\Notify\dimsntfy: DllName - %SystemRoot%\System32\dimsntfy.dll - C:\WINDOWS\system32\dimsntfy.dll (Microsoft Corporation)
O20 - Winlogon\Notify\MCPClient: DllName - C:\Program Files\Common Files\Stardock\mcpstub.dll - C:\Program Files\Common Files\Stardock\MCPStub.dll (Stardock)
O20 - Winlogon\Notify\ScCertProp: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\Schedule: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\sclgntfy: DllName - sclgntfy.dll - C:\WINDOWS\System32\sclgntfy.dll (Microsoft Corporation)
O20 - Winlogon\Notify\SensLogn: DllName - WlNotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\termsrv: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\WgaLogon: DllName - WgaLogon.dll - C:\WINDOWS\System32\WgaLogon.dll (Microsoft Corporation)
O20 - Winlogon\Notify\wlballoon: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O21 - SSODL: CDBurn - {fbeb8a05-beee-4442-804e-409d6c4515e9} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
O21 - SSODL: PostBootReminder - {7849596a-48ea-486e-8937-a2a3009f31a9} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
O21 - SSODL: SysTray - {35CEC8A3-2BE6-11D2-8773-92E220524153} - C:\WINDOWS\system32\stobject.dll (Microsoft Corporation)
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - C:\WINDOWS\system32\webcheck.dll (Microsoft Corporation)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll (Microsoft Corporation)
O22 - SharedTaskScheduler: {438755C2-A8BA-11D1-B96B-00A0C90312E1} - Browseui preloader - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
O22 - SharedTaskScheduler: {8C7461EF-2B13-11d2-BE35-3078302C2030} - Component Categories cache daemon - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
O22 - SharedTaskScheduler: {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - STS - Reg Error: Key error. File not found
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O24 - Desktop WallPaper: C:\Documents and Settings\Allan Douglass\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Allan Douglass\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation)
O28 - HKLM ShellExecuteHooks: {a5780613-492e-4a2a-a7fd-549610edf6cc} - C:\Program Files\VCOM\Recovery Commander\RCHOOK.DLL ()
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - C:\WINDOWS\System32\shell32.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (msapsspc.dll) - C:\WINDOWS\System32\msapsspc.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (schannel.dll) - C:\WINDOWS\System32\schannel.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (digest.dll) - C:\WINDOWS\System32\digest.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (msnsspc.dll) - C:\WINDOWS\System32\msnsspc.dll (Microsoft Corporation)
O30 - LSA: Authentication Packages - (msv1_0) - C:\WINDOWS\System32\msv1_0.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (kerberos) - C:\WINDOWS\System32\kerberos.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (msv1_0) - C:\WINDOWS\System32\msv1_0.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (schannel) - C:\WINDOWS\System32\schannel.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (wdigest) - C:\WINDOWS\System32\wdigest.dll (Microsoft Corporation)
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2003/06/03 15:08:20 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\H\Shell - "" = AutoRun
O33 - MountPoints2\H\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\H\Shell\AutoRun\command - "" = H:\ASUSACPI.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (lsdelete) - C:\WINDOWS\System32\lsdelete.exe ()
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2003/06/07 15:23:20 | 000,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: Wmi - C:\WINDOWS\system32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - File not found

CREATERESTOREPOINT
Error starting restore point: System Restore is disabled.
Error closing restore point: System Restore is disabled.

========== Files/Folders - Created Within 30 Days ==========

[2010/04/11 21:47:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Allan Douglass\Desktop\OTL
[2010/04/11 21:44:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Allan Douglass\Desktop\atapi
[2010/04/11 21:33:45 | 000,000,000 | ---D | C] -- C:\WINDOWS\LastGood
[2010/04/11 20:37:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\McAfee Security Scan
[2010/04/11 20:37:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\McAfee
[2010/04/11 20:37:51 | 000,000,000 | ---D | C] -- C:\Program Files\McAfee Security Scan
[2010/04/11 15:21:45 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Allan Douglass\Cookies
[2010/04/11 15:21:44 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Allan Douglass\Favorites
[2010/04/11 01:00:26 | 000,064,288 | ---- | C] (Lavasoft AB) -- C:\WINDOWS\System32\drivers\Lbd.sys
[2010/04/11 01:00:26 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\DRVSTORE
[2010/04/11 01:00:20 | 000,095,024 | ---- | C] (Sunbelt Software) -- C:\WINDOWS\System32\drivers\SBREDrv.sys
[2010/04/11 00:57:13 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
[2010/04/11 00:56:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Lavasoft
[2010/04/11 00:54:27 | 097,364,760 | ---- | C] (Lavasoft ) -- C:\Documents and Settings\Allan Douglass\Desktop\Ad-AwareInstaller.exe
[2010/04/11 00:34:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Sun
[2010/04/11 00:34:20 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2010/04/11 00:34:04 | 000,073,728 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2010/04/11 00:34:03 | 000,153,376 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2010/04/11 00:34:03 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2010/04/11 00:34:03 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2010/04/11 00:33:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Allan Douglass\Application Data\Sun
[2010/04/11 00:16:17 | 016,291,616 | ---- | C] (Sun Microsystems, Inc.) -- C:\Documents and Settings\Allan Douglass\Desktop\jre-6u19-windows-i586.exe
[2010/04/10 21:08:38 | 000,000,000 | ---D | C] -- C:\Program Files\Windows Live Safety Center
[2010/04/10 17:56:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Documents\Adobe PDF 6.0
[2010/04/10 17:56:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Adobe
[2010/04/10 17:56:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Allan Douglass\Local Settings\Application Data\Temp
[2010/04/10 17:56:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Allan Douglass\Local Settings\Application Data\Adobe
[2010/04/09 19:42:29 | 000,000,000 | -HSD | C] -- C:\WINDOWS\System32\lowsec
[2010/04/04 18:50:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Allan Douglass\motodevstudio
[2010/04/04 18:44:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Allan Douglass\user
[2010/04/04 18:43:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Allan Douglass\.android
[2010/04/04 18:24:33 | 000,000,000 | ---D | C] -- C:\Program Files\OPhoneSDK_1.5
[2010/04/04 17:23:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Allan Douglass\.eclipse
[2010/04/04 17:23:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Allan Douglass\workspace
[2010/04/04 17:22:32 | 000,000,000 | -H-D | C] -- C:\Program Files\InstallJammer Registry
[2010/04/04 17:21:32 | 000,000,000 | ---D | C] -- C:\Program Files\Motorola
[2010/04/04 13:55:50 | 000,012,928 | ---- | C] (Bo Brantén) -- C:\WINDOWS\System32\drivers\filedisk.sys
[2010/04/04 13:55:44 | 000,000,000 | ---D | C] -- C:\Program Files\WinImage
[2010/03/26 20:39:58 | 169,200,899 | ---- | C] (Motorola) -- C:\Documents and Settings\Allan Douglass\My Documents\MOTODEV_Studio_for_Android_1.2.0_Windows-x86.exe
[2010/03/22 11:03:21 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Office
[2010/03/22 11:02:38 | 000,000,000 | ---D | C] -- C:\Program Files\MSECache
[2010/03/14 19:04:49 | 000,032,128 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\usbccgp.sys
[2010/03/13 23:22:47 | 003,558,912 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\moviemk.exe
[2005/12/08 12:17:46 | 000,033,792 | ---- | C] ( ) -- C:\WINDOWS\System32\a3d.dll
[2003/06/03 15:26:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2003/06/03 15:26:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2003/06/03 15:08:01 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2003/06/03 15:08:01 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\*.tmp files -> C:\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/04/11 21:49:31 | 000,010,980 | ---- | M] () -- C:\WINDOWS\uedit32.INI
[2010/04/11 21:43:20 | 000,061,511 | ---- | M] () -- C:\Documents and Settings\Allan Douglass\Desktop\CurrentControlSet-Atapi.zip
[2010/04/11 21:07:00 | 000,000,902 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/04/11 20:37:52 | 000,001,619 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\McAfee Security Scan Plus.lnk
[2010/04/11 20:37:52 | 000,001,611 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
[2010/04/11 20:21:58 | 000,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2010/04/11 20:14:26 | 000,000,408 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2010/04/11 20:12:52 | 000,006,245 | ---- | M] () -- C:\WINDOWS\{00000001-00000000-00000002-00001102-00000004-20021102}.CDF
[2010/04/11 20:12:49 | 000,000,328 | ---- | M] () -- C:\WINDOWS\tasks\Scheduled Checkpoint.job
[2010/04/11 20:10:58 | 000,012,598 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/04/11 20:10:55 | 000,000,898 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/04/11 20:09:14 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/04/11 20:09:08 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/04/11 19:57:43 | 000,006,245 | ---- | M] () -- C:\WINDOWS\{00000001-00000000-00000002-00001102-00000004-20021102}.BAK
[2010/04/11 15:20:01 | 000,011,564 | ---- | M] () -- C:\WINDOWS\System32\DVCState-{00000001-00000000-00000002-00001102-00000004-20021102}.rfx
[2010/04/11 15:20:00 | 000,031,056 | ---- | M] () -- C:\WINDOWS\System32\BMXStateBkp-{00000001-00000000-00000002-00001102-00000004-20021102}.rfx
[2010/04/11 15:20:00 | 000,031,056 | ---- | M] () -- C:\WINDOWS\System32\BMXState-{00000001-00000000-00000002-00001102-00000004-20021102}.rfx
[2010/04/11 15:20:00 | 000,030,528 | ---- | M] () -- C:\WINDOWS\System32\BMXCtrlState-{00000001-00000000-00000002-00001102-00000004-20021102}.rfx
[2010/04/11 15:20:00 | 000,030,528 | ---- | M] () -- C:\WINDOWS\System32\BMXBkpCtrlState-{00000001-00000000-00000002-00001102-00000004-20021102}.rfx
[2010/04/11 15:20:00 | 000,001,080 | ---- | M] () -- C:\WINDOWS\System32\settingsbkup.sfm
[2010/04/11 15:20:00 | 000,001,080 | ---- | M] () -- C:\WINDOWS\System32\settings.sfm
[2010/04/11 15:17:59 | 006,815,744 | ---- | M] () -- C:\Documents and Settings\Allan Douglass\NTUSER.DAT
[2010/04/11 15:17:59 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Allan Douglass\ntuser.ini
[2010/04/11 12:01:16 | 000,000,280 | --S- | M] () -- C:\WINDOWS\System32\2609227831.dat
[2010/04/11 01:00:20 | 000,095,024 | ---- | M] (Sunbelt Software) -- C:\WINDOWS\System32\drivers\SBREDrv.sys
[2010/04/11 01:00:17 | 000,015,880 | ---- | M] () -- C:\WINDOWS\System32\lsdelete.exe
[2010/04/11 00:58:45 | 000,001,813 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\Google Chrome.lnk
[2010/04/11 00:57:11 | 000,000,867 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\Ad-Aware.lnk
[2010/04/11 00:54:39 | 097,364,760 | ---- | M] (Lavasoft ) -- C:\Documents and Settings\Allan Douglass\Desktop\Ad-AwareInstaller.exe
[2010/04/11 00:33:40 | 000,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2010/04/11 00:33:40 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2010/04/11 00:33:40 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2010/04/11 00:33:40 | 000,073,728 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2010/04/11 00:33:39 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deploytk.dll
[2010/04/11 00:23:17 | 000,109,904 | ---- | M] () -- C:\Documents and Settings\Allan Douglass\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2010/04/11 00:20:46 | 000,333,072 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/04/11 00:16:19 | 016,291,616 | ---- | M] (Sun Microsystems, Inc.) -- C:\Documents and Settings\Allan Douglass\Desktop\jre-6u19-windows-i586.exe
[2010/04/10 17:58:14 | 000,001,602 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\Mozilla Firefox.lnk
[2010/04/10 17:52:37 | 000,003,270 | ---- | M] () -- C:\WINDOWS\System32\ealregsnapshot1.reg
[2010/04/10 17:24:19 | 000,054,156 | -H-- | M] () -- C:\WINDOWS\QTFont.qfn
[2010/04/04 17:22:26 | 000,000,960 | ---- | M] () -- C:\Documents and Settings\Allan Douglass\Desktop\MOTODEV Studio for Android 1.2.lnk
[2010/04/04 13:55:44 | 000,000,648 | ---- | M] () -- C:\Documents and Settings\Allan Douglass\Desktop\WinImage.lnk
[2010/04/03 17:01:22 | 000,002,193 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\Steam.lnk
[2010/03/31 23:39:05 | 001,581,752 | -H-- | M] () -- C:\Documents and Settings\Allan Douglass\Local Settings\Application Data\IconCache.db
[2010/03/26 20:48:00 | 169,200,899 | ---- | M] (Motorola) -- C:\Documents and Settings\Allan Douglass\My Documents\MOTODEV_Studio_for_Android_1.2.0_Windows-x86.exe
[2010/03/14 08:56:46 | 000,556,108 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/03/14 08:56:46 | 000,464,720 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/03/14 08:56:46 | 000,080,178 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/03/14 08:51:51 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\*.tmp files -> C:\*.tmp -> ]

========== Files Created - No Company Name ==========

[2099/01/01 12:00:00 | 000,011,168 | -H-- | C] () -- C:\WINDOWS\System32\valapeze
[2010/04/11 21:43:19 | 000,061,511 | ---- | C] () -- C:\Documents and Settings\Allan Douglass\Desktop\CurrentControlSet-Atapi.zip
[2010/04/11 20:37:52 | 000,001,619 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\McAfee Security Scan Plus.lnk
[2010/04/11 20:37:52 | 000,001,611 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
[2010/04/11 14:46:50 | 000,293,376 | ---- | C] () -- C:\Documents and Settings\Allan Douglass\Desktop\gmer.exe
[2010/04/11 01:11:28 | 000,015,880 | ---- | C] () -- C:\WINDOWS\System32\lsdelete.exe
[2010/04/11 01:09:49 | 000,000,472 | ---- | C] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2010/04/11 00:58:45 | 000,001,813 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\Google Chrome.lnk
[2010/04/11 00:57:42 | 000,000,902 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/04/11 00:57:41 | 000,000,898 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/04/11 00:57:11 | 000,000,867 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\Ad-Aware.lnk
[2010/04/10 17:58:14 | 000,001,602 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\Mozilla Firefox.lnk
[2010/04/09 19:41:20 | 000,000,280 | --S- | C] () -- C:\WINDOWS\System32\2609227831.dat
[2010/04/04 17:22:26 | 000,000,960 | ---- | C] () -- C:\Documents and Settings\Allan Douglass\Desktop\MOTODEV Studio for Android 1.2.lnk
[2010/04/04 13:55:44 | 000,000,648 | ---- | C] () -- C:\Documents and Settings\Allan Douglass\Desktop\WinImage.lnk
[2008/10/07 10:13:30 | 000,197,912 | ---- | C] () -- C:\WINDOWS\System32\physxcudart_20.dll
[2008/10/07 10:13:22 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelTraditionalChinese.dll
[2008/10/07 10:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSwedish.dll
[2008/10/07 10:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSpanish.dll
[2008/10/07 10:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSimplifiedChinese.dll
[2008/10/07 10:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelPortugese.dll
[2008/10/07 10:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelKorean.dll
[2008/10/07 10:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelJapanese.dll
[2008/10/07 10:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelGerman.dll
[2008/10/07 10:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelFrench.dll
[2008/07/11 12:34:52 | 000,021,840 | ---- | C] () -- C:\WINDOWS\System32\SIntfNT.dll
[2008/07/11 12:34:52 | 000,017,212 | ---- | C] () -- C:\WINDOWS\System32\SIntf32.dll
[2008/07/11 12:34:52 | 000,012,067 | ---- | C] () -- C:\WINDOWS\System32\SIntf16.dll
[2008/07/08 23:04:19 | 000,006,228 | ---- | C] () -- C:\Program Files\install.log
[2007/09/27 10:51:02 | 000,020,698 | ---- | C] () -- C:\WINDOWS\System32\idxcntrs.ini
[2007/09/27 10:48:48 | 000,030,628 | ---- | C] () -- C:\WINDOWS\System32\gsrvctr.ini
[2007/09/27 10:48:28 | 000,031,698 | ---- | C] () -- C:\WINDOWS\System32\gthrctr.ini
[2006/11/16 12:02:33 | 000,001,755 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Application Data\QTSBandwidthCache
[2006/11/01 02:54:30 | 000,180,224 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2006/11/01 02:52:38 | 000,765,952 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2006/10/18 13:32:21 | 000,126,976 | ---- | C] () -- C:\WINDOWS\System32\EnumDevLib.dll
[2006/10/04 09:12:47 | 000,000,025 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2006/06/01 17:22:00 | 001,662,976 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2006/06/01 17:22:00 | 001,466,368 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2006/06/01 17:22:00 | 001,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2006/06/01 17:22:00 | 000,581,632 | ---- | C] () -- C:\WINDOWS\System32\nvhwvid.dll
[2006/06/01 17:22:00 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2006/06/01 17:22:00 | 000,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
[2006/06/01 17:22:00 | 000,196,608 | ---- | C] () -- C:\WINDOWS\System32\nvapi.dll
[2006/05/04 00:31:00 | 000,156,672 | ---- | C] () -- C:\WINDOWS\System32\RTLCPAPI.dll
[2006/05/04 00:25:27 | 000,027,891 | ---- | C] () -- C:\WINDOWS\Ascd_tmp.ini
[2006/05/04 00:25:22 | 000,005,810 | R--- | C] () -- C:\WINDOWS\System32\drivers\ASACPI.sys
[2006/03/28 21:05:04 | 000,000,023 | ---- | C] () -- C:\WINDOWS\BlendSettings.ini
[2006/01/20 22:41:28 | 000,012,288 | ---- | C] () -- C:\WINDOWS\System32\DivXWMPExtType.dll
[2006/01/20 18:46:10 | 003,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2005/12/08 12:54:30 | 000,050,410 | ---- | C] () -- C:\WINDOWS\System32\e10kxwdm.ini
[2005/12/08 12:54:30 | 000,000,055 | ---- | C] () -- C:\WINDOWS\System32\ctzapxx.ini
[2005/12/08 12:24:52 | 000,038,400 | ---- | C] () -- C:\WINDOWS\System32\CTBURST.DLL
[2005/06/16 18:17:16 | 000,071,680 | ---- | C] () -- C:\WINDOWS\System32\CTMMACTL.DLL
[2005/04/15 21:32:26 | 000,000,137 | ---- | C] () -- C:\Documents and Settings\Allan Douglass\Local Settings\Application Data\fusioncache.dat
[2005/03/30 00:13:22 | 000,647,168 | ---- | C] () -- C:\WINDOWS\System32\pqdvdb.dll
[2005/02/12 17:59:38 | 000,262,144 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS\ntuser.dat
[2005/02/12 17:59:38 | 000,001,024 | -H-- | C] () -- C:\Documents and Settings\All Users.WINDOWS\ntuser.dat.LOG
[2005/02/02 20:26:51 | 000,000,231 | ---- | C] () -- C:\WINDOWS\AC3API.INI
[2005/02/02 20:23:06 | 000,000,136 | ---- | C] () -- C:\WINDOWS\SBWIN.INI
[2004/09/19 03:35:24 | 000,363,520 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2004/07/19 09:17:05 | 000,028,672 | ---- | C] () -- C:\WINDOWS\System32\frapsvid.dll
[2004/05/30 12:16:45 | 000,077,824 | ---- | C] () -- C:\Documents and Settings\Allan Douglass\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2004/03/21 00:02:45 | 000,028,672 | ---- | C] () -- C:\WINDOWS\System32\PdRegSrv.dll
[2004/03/21 00:02:45 | 000,028,672 | ---- | C] () -- C:\WINDOWS\System32\PdeSrvps.dll
[2004/02/14 22:42:33 | 000,000,000 | -H-- | C] () -- C:\Documents and Settings\Allan Douglass\NTUSER.DFG.LOG
[2004/02/14 22:02:13 | 000,000,056 | ---- | C] () -- C:\WINDOWS\uilib.INI
[2004/01/19 00:00:23 | 000,000,010 | ---- | C] () -- C:\WINDOWS\WININIT.INI
[2004/01/18 01:27:40 | 000,043,520 | ---- | C] () -- C:\WINDOWS\System32\CmdLineExt03.dll
[2003/12/12 11:49:00 | 000,001,459 | ---- | C] () -- C:\Documents and Settings\Allan Douglass\tempfile.diff
[2003/12/12 11:31:54 | 000,010,980 | ---- | C] () -- C:\WINDOWS\uedit32.INI
[2003/12/12 10:35:27 | 000,122,944 | ---- | C] () -- C:\WINDOWS\System32\CSGina.dll
[2003/07/23 22:45:51 | 000,000,000 | ---- | C] () -- C:\WINDOWS\ATIMMC.INI
[2003/06/13 23:16:47 | 000,000,754 | ---- | C] () -- C:\WINDOWS\WORDPAD.INI
[2003/06/07 18:14:26 | 000,000,899 | ---- | C] () -- C:\Documents and Settings\Allan Douglass\.plugin141_01.trace
[2003/06/07 17:03:56 | 000,204,800 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeW7.dll
[2003/06/07 17:03:56 | 000,200,704 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeA6.dll
[2003/06/07 17:03:56 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeP6.dll
[2003/06/07 17:03:56 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeM6.dll
[2003/06/07 17:03:56 | 000,188,416 | ---- | C] () -- C:\WINDOWS\System32\IVIresizePX.dll
[2003/06/07 17:03:56 | 000,020,480 | ---- | C] () -- C:\WINDOWS\System32\IVIresize.dll
[2003/06/07 15:52:05 | 000,025,853 | R--- | C] () -- C:\WINDOWS\System32\sk98nt4.ini
[2003/06/07 15:52:05 | 000,025,853 | R--- | C] () -- C:\WINDOWS\System32\InstInfo.ini
[2003/06/07 15:41:17 | 000,005,824 | ---- | C] () -- C:\WINDOWS\System32\drivers\ASUSHWIO.SYS
[2003/06/07 15:27:31 | 000,001,024 | ---- | C] () -- C:\Documents and Settings\Allan Douglass\ntuser.dat.LOG
[2003/06/07 15:27:31 | 000,000,178 | -HS- | C] () -- C:\Documents and Settings\Allan Douglass\ntuser.ini
[2003/06/07 15:27:30 | 006,815,744 | ---- | C] () -- C:\Documents and Settings\Allan Douglass\NTUSER.DAT
[2003/06/07 15:27:30 | 004,718,592 | ---- | C] () -- C:\Documents and Settings\Allan Douglass\NTUSER.BAK
[2003/06/07 15:27:30 | 004,194,304 | ---- | C] () -- C:\Documents and Settings\Allan Douglass\NTUSER.BK1
[2003/04/09 16:30:19 | 000,196,608 | --S- | C] () -- C:\WINDOWS\System32\archlib.dll
[2003/03/21 17:56:12 | 000,000,194 | ---- | C] () -- C:\WINDOWS\System32\KILL.INI
[2002/09/23 15:39:44 | 000,013,601 | ---- | C] () -- C:\WINDOWS\System32\vctest.ini

========== Custom Scans ==========


< %SYSTEMDRIVE%\*.* >
[2010/04/11 20:08:59 | 000,000,822 | ---- | M] () -- C:\aaw7boot.log
[2003/06/03 15:08:20 | 000,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT
[2004/02/14 21:42:59 | 000,000,053 | -HS- | M] () -- C:\boot.inh
[2009/03/15 12:06:12 | 000,000,211 | RHS- | M] () -- C:\boot.ini
[2003/06/03 15:08:20 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS
[2006/10/04 09:31:41 | 000,004,896 | ---- | M] () -- C:\debug.log
[2005/08/27 13:29:30 | 000,000,856 | ---- | M] () -- C:\flashplayer.xpt
[2009/12/15 11:24:48 | 000,293,376 | ---- | M] () -- C:\gmer.exe
[2003/06/03 15:08:20 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
[2009/09/09 17:45:58 | 000,870,851 | ---- | M] () -- C:\moduleName.txt
[2003/06/03 15:08:20 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
[2009/07/25 00:42:28 | 000,045,055 | ---- | M] () -- C:\MW_Abuse_small.GIF
[2006/06/24 13:40:30 | 000,001,276 | ---- | M] () -- C:\net_save.dna
[2004/02/14 21:42:59 | 000,000,053 | -HS- | M] () -- C:\ntdetect.col
[2005/03/19 10:43:46 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
[2004/02/14 21:42:59 | 000,000,053 | -HS- | M] () -- C:\ntldp
[2008/09/06 11:42:51 | 000,250,048 | RHS- | M] () -- C:\ntldr
[2004/02/11 22:37:52 | 000,000,740 | -H-- | M] () -- C:\PANDA.RPT
[2010/04/11 20:12:45 | 000,000,266 | ---- | M] () -- C:\RCINFO.TXT
[2004/02/14 21:42:59 | 000,000,000 | ---- | M] () -- C:\SFCFILES.TXT
[2003/06/07 20:14:54 | 000,000,171 | ---- | M] () -- C:\shop.url
[2003/09/18 19:09:50 | 010,700,800 | ---- | M] () -- C:\torque-3.1.tar
[2003/06/07 13:45:53 | 027,262,976 | ---- | M] () -- C:\VIRTPART.DAT
[2009/03/15 11:57:34 | 000,000,232 | ---- | M] () -- C:\VundoFix.txt
[1 C:\*.tmp files -> C:\*.tmp -> ]


< MD5 for: AGP440.SYS >
[2005/03/19 10:40:06 | 022,245,337 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys
[2008/09/06 11:38:06 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys
[2005/03/19 10:40:06 | 022,245,337 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp2.cab:AGP440.sys
[2008/09/06 11:38:06 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:AGP440.sys
[2008/04/13 14:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2008/04/13 14:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys
[2004/08/04 02:07:41 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\$NtServicePackUninstall$\agp440.sys

< MD5 for: ATAPI.SYS >
[2002/08/29 08:00:00 | 010,158,890 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp1.cab:atapi.sys
[2005/03/19 10:40:06 | 022,245,337 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2008/09/06 11:38:06 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2005/03/19 10:40:06 | 022,245,337 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp2.cab:atapi.sys
[2008/09/06 11:38:06 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys
[2002/08/29 08:00:00 | 000,086,912 | ---- | M] (Microsoft Corporation) MD5=95B858761A00E1D4F81F79A0DA019ACA -- C:\WINDOWS\system32\ReinstallBackups\0014\DriverFiles\i386\atapi.sys
[2002/08/29 01:27:50 | 000,086,912 | ---- | M] (Microsoft Corporation) MD5=95B858761A00E1D4F81F79A0DA019ACA -- C:\WINDOWS\system32\ReinstallBackups\0018\DriverFiles\i386\atapi.sys
[2008/04/13 14:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008/04/13 14:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
[2004/08/04 05:00:00 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\Documents and Settings\Allan Douglass\Desktop\atapi\atapi.sys
[2004/08/04 00:59:42 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys
[2004/08/04 01:59:42 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\ReinstallBackups\0028\DriverFiles\i386\atapi.sys
[2004/08/04 01:59:42 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\ReinstallBackups\0036\DriverFiles\i386\atapi.sys
[2004/08/04 00:59:42 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\ReinstallBackups\0037\DriverFiles\i386\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/13 20:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
[2008/04/13 20:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll
[2004/08/04 03:56:42 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll

< MD5 for: NETLOGON.DLL >
[2008/04/13 20:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
[2008/04/13 20:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll
[2004/08/04 03:56:44 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll

< MD5 for: RDPCDD.SYS >
[2002/08/29 08:00:00 | 000,004,224 | ---- | M] (Microsoft Corporation) MD5=4912D5B403614CE99C28420F75353332 -- C:\WINDOWS\system32\dllcache\rdpcdd.sys
[2002/08/29 08:00:00 | 000,004,224 | ---- | M] (Microsoft Corporation) MD5=4912D5B403614CE99C28420F75353332 -- C:\WINDOWS\system32\drivers\rdpcdd.sys

< MD5 for: SCECLI.DLL >
[2004/08/04 03:56:44 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll
[2008/04/13 20:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll
[2008/04/13 20:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll

< %systemroot%\*. /mp /s >

< %systemroot%\System32\config\*.sav >
[2003/06/07 11:05:41 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2003/06/07 11:05:41 | 000,602,112 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2003/06/07 11:05:41 | 000,417,792 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

< %systemroot%\system32\*.dll /lockedfiles >
[2009/07/21 11:55:26 | 000,442,368 | ---- | M] (Advanced Micro Devices, Inc.) Unable to obtain MD5 -- C:\WINDOWS\system32\ATIDEMGX.dll
[1 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\Tasks\*.job /lockedfiles >
< End of report >



OTL Extras logfile created on: 4/11/2010 9:49:53 PM - Run 1
OTL by OldTimer - Version 3.2.1.1 Folder = C:\Documents and Settings\Allan Douglass\Desktop\OTL
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 56.00% Memory free
2.00 Gb Paging File | 1.00 Gb Available in Paging File | 64.00% Paging File free
Paging file location(s): [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 111.78 Gb Total Space | 42.73 Gb Free Space | 38.23% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
Drive H: | 13.03 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
I: Drive not present or media not loaded

Computer Name: AJD
Current User Name: Allan Douglass
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [File Finder...] -- C:\Program Files\VCOM\PowerDesk\pdfind.exe /PATH:%1 (V Communications, Inc.)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [Winamp.Bookmark] -- "C:\Program Files\Winamp\winamp.exe" /BOOKMARK "%1" (Nullsoft)
Directory [Winamp.Enqueue] -- "C:\Program Files\Winamp\winamp.exe" /ADD "%1" (Nullsoft)
Directory [Winamp.Play] -- "C:\Program Files\Winamp\winamp.exe" "%1" (Nullsoft)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 1
"AntiVirusOverride" = 1
"FirewallOverride" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- (Microsoft Corporation)
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- (Microsoft Corporation)
"C:\Program Files\Turbine\Dungeons & Dragons Online - Stormreach\dndlauncher.exe" = C:\Program Files\Turbine\Dungeons & Dragons Online - Stormreach\dndlauncher.exe:*:Enabled:Dungeons & Dragons Online - Stormreach -- File not found
"C:\Program Files\LucasArts\SWKotOR\launcher.exe" = C:\Program Files\LucasArts\SWKotOR\launcher.exe:*:Enabled: Star Wars Knights of the Old Republic -- (BioWare Corp.)
"C:\Program Files\Turbine\Dungeons & Dragons Online - Stormreach\dndclient.exe" = C:\Program Files\Turbine\Dungeons & Dragons Online - Stormreach\dndclient.exe:*:Enabled:dndclient -- File not found
"C:\Program Files\GhostSurf\GhostSurf.exe" = C:\Program Files\GhostSurf\GhostSurf.exe:*:Enabled:Architecture launch vehicle -- File not found
"C:\Program Files\ICQ\Icq.exe" = C:\Program Files\ICQ\Icq.exe:*:Enabled:ICQ -- (ICQ Inc.)
"C:\Program Files\Internet Explorer\iexplore.exe" = C:\Program Files\Internet Explorer\iexplore.exe:*:Enabled:Internet Explorer -- (Microsoft Corporation)
"C:\WINDOWS\explorer.exe" = C:\WINDOWS\explorer.exe:*:Enabled:Windows Explorer -- (Microsoft Corporation)
"C:\Program Files\Electronic Arts\EADM\Core.exe" = C:\Program Files\Electronic Arts\EADM\Core.exe:*:Disabled:EA Download Manager -- (Electronic Arts)
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)
"C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe" = C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe:*:Enabled:RCMan -- (Creative Technology Ltd)
"C:\Program Files\VCOM\SystemSuite\MXTASK.exe" = C:\Program Files\VCOM\SystemSuite\MXTASK.exe:*:Enabled:mxtask -- File not found
"C:\WINDOWS\system32\services.exe" = C:\WINDOWS\system32\services.exe:*:Enabled:services -- (Microsoft Corporation)
"C:\Program Files\Steam\steamapps\common\plants vs zombies\PlantsVsZombies.exe" = C:\Program Files\Steam\steamapps\common\plants vs zombies\PlantsVsZombies.exe:*:Enabled:Plants Vs Zombies -- ()
"C:\Program Files\City of Heroes\CityOfHeroes.exe" = C:\Program Files\City of Heroes\CityOfHeroes.exe:*:Disabled:City of Heroes -- (Cryptic Studios)
"C:\UDK\UDK-2009-11\Binaries\Win32\UDK.exe" = C:\UDK\UDK-2009-11\Binaries\Win32\UDK.exe:*:Enabled:UDK -- (Epic Games, Inc.)
"C:\Program Files\Motorola\MOTODEV Studio for Android 1.2\motodevstudio.exe" = C:\Program Files\Motorola\MOTODEV Studio for Android 1.2\motodevstudio.exe:*:Enabled:motodevstudio -- ()


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{048298C9-A4D3-490B-9FF9-AB023A9238F3}" = Steam
"{055EE59D-217B-43A7-ABFF-507B966405D8}" = ATI Catalyst Control Center
"{083F79E4-6FE9-46FB-A6C6-4F8862742947}" = ATI HYDRAVISION
"{0893078B-8A9A-84D6-D393-119B9B0B033A}" = CCC Help French
"{0E2A60F7-2907-5718-FF16-7D8FAF70051E}" = CCC Help Chinese Standard
"{10C69612-017B-45F5-B986-7D113D5A2EA3}" = MSN Toolbar
"{14FAE013-AE19-4FC9-B5BF-E56ADC01ECE6}" = CCC Help Turkish
"{17BB2784-6EE4-D7FF-FE63-58A3AD2B3708}" = CCC Help Russian
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{200E0DC2-2223-11D6-830E-0050DABBB449}" = Webcast
"{233588CF-96D5-46AF-EF74-7EC382662791}" = Catalyst Control Center Graphics Full Existing
"{26A24AE4-039D-4CA4-87B4-2F83216019FF}" = Java™ 6 Update 19
"{2A9A40C7-6670-4D5F-8F41-D12E2E08B48B}" = Star Wars®: Knights of the Old Republic ™
"{3260ECBC-9DDF-E7A3-0863-449473BC7BD5}" = CCC Help Chinese Traditional
"{338F08AB-C262-42C7-B000-34DE1A475273}" = Ad-Aware Email Scanner for Outlook
"{35CB6715-41F8-4F99-8881-6FC75BF054B0}" = Oblivion
"{36BD0774-6CD6-4FF9-A148-83CA09AC123E}" = Intel® PROSafe for Wired Connections
"{39C6C229-CFFD-639E-229A-E463FCD87478}" = CCC Help German
"{3FC15B2F-7B06-4D45-9908-3B2A4466F87A}" = VidiotMaps Map Overlay
"{403EF592-953B-4794-BCEF-ECAB835C2095}" = Intel® PROSafe for Wired Connections
"{41785C66-90F2-40CE-8CB5-1C94BFC97280}" = Microsoft Chart Controls for Microsoft .NET Framework 3.5
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4F11FC80-CE8C-1BD4-5C39-EBE5744E5135}" = CCC Help Portuguese
"{4FAB2BA7-E16C-95D2-F326-60A68409373F}" = Catalyst Control Center HydraVision Full
"{529AA9A8-5020-6CFB-A809-BC5943C87077}" = CCC Help Thai
"{53604297-26FD-516D-6FF7-1063BA64A0A4}" = Catalyst Control Center Graphics Light
"{55BD3B0B-F054-9341-514F-295A5F7EA450}" = CCC Help Spanish
"{5624C000-B109-11D4-9DB4-00E0290FCAC5}" = VPN Client
"{56F3E1FF-54FE-4384-A153-6CCABA097814}" = Creative MediaSource
"{5809E7CF-4DCF-11D4-9875-00105ACE7734}" = Logitech MouseWare 9.79.1
"{5A4FA9C8-ED56-08C3-153B-FC5C19256290}" = CCC Help Dutch
"{5F8E2CBB-949D-4175-AC98-5ADE7F6C9697}" = PlayNC Launcher
"{626C034B-50B8-47BD-AF93-EEFD0FA78FF4}" = Character Builder
"{63569CE9-FA00-469C-AF5C-E5D4D93ACF91}" = Windows Genuine Advantage v1.3.0254.0
"{66F324A1-BDC0-11D7-9E5C-00D0B76A8705}" = Creative NOMAD Jukebox Zen Xtra
"{6C390D51-E5F0-4FCD-24C4-731ACAF34571}" = CCC Help Japanese
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{7AA8FA9A-1656-7DBD-633B-FE7A62BBED0C}" = CCC Help Czech
"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{85CC6638-C827-40E8-94C7-110A77E7812B}" = Adobe Illustrator CS Tryout
"{896D642C-7125-44F0-AC49-A23ABF82209C}" = CDBurnerXP Pro 3
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8ADFC4160D694100B5B8A22DE9DCABD9}" = DivX Player
"{8C22131B-8634-CECF-F0D1-A2ECC160B450}" = CCC Help Norwegian
"{8D70145A-3BD3-4DBF-9CBF-223EF4A43257}" = ATI Parental Control & Encoder
"{90FBE4D0-2ACA-A8A8-2CC4-CFFBAE528504}" = CCC Help Finnish
"{95120000-003F-0409-0000-0000000FF1CE}" = Microsoft Office Excel Viewer
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{98E8A2EF-4EAE-43B8-A172-74842B764777}" = InterVideo WinDVD 4
"{9933F0EE-DFCD-4829-B979-3C56C367CB1A}" = InterVideo WinDVD Creator
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9D74375E-3012-E7D2-9229-B220C91F326A}" = Catalyst Control Center Core Implementation
"{9E2514D9-DC24-4634-B348-61F3EF0F1628}" = Sound Blaster Audigy 2 ZS
"{9EE8BDCA-7505-4895-D91E-8108DD16292E}" = CCC Help English
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A403D88E-ED7D-48E3-91FD-B8C8A720EDA1}" = Microsoft Speech SDK 5.1
"{A5CC2A09-E9D3-49EC-923D-03874BBD4C2C}" = Windows Defender Signatures
"{A8AF8BD3-61B5-7945-4D1B-217421F604FC}" = CCC Help Hungarian
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{A9E27FF5-6294-46A8-B8FD-77B1DECA3021}" = Wizard101
"{AA46E1C5-A709-6D9B-D99D-92E4C6E042A9}" = CCC Help Korean
"{AA62A33C-9E5E-3913-7D88-7E58A8CB1493}" = CCC Help Greek
"{AC76BA86-1033-0000-BA7E-000000000001}" = Adobe Acrobat 6.0 Standard
"{B0C60A57-0353-498B-BDF0-AE83BFE3B4B9}_is1" = championBuilder v0.2.0
"{B42F73D4-AFDA-4761-B3F4-23A872D11339}" = Morrowind
"{B653F643-A1B4-9936-2DB6-FEA9A3110D8D}" = ccc-core-preinstall
"{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Web Player
"{B71C4637-0247-78CE-6A3D-D61645CB8921}" = ccc-utility
"{BAF78226-3200-4DB4-BE33-4D922A799840}" = Windows Presentation Foundation
"{BC2E7C0B-1AC6-5F6C-F31D-E1E72D8E0B5C}" = CCC Help Danish
"{BF8C7DA7-2DE6-ED67-6C82-6BE82F8BA8D3}" = Catalyst Control Center Graphics Full New
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C409F338-BB20-6C4A-F40D-20CA07AF714C}" = CCC Help Polish
"{C5EC81D0-3DED-435D-A46E-E3F60F7DC8AD}" = Palm Desktop
"{C950420B-4182-49EA-850A-A6A2ABF06C6B}" = Marvell Miniport Driver
"{CAA8FBFF-AB9C-4176-B6FB-5A243DFD82EB}" = Mids' Hero Designer
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D32D4182-DE6C-457E-838C-8D7B9CE332BA}" = InterVideo WinRip
"{D4B7B2DC-E688-A9D6-6EC0-56AE540E074C}" = Catalyst Control Center Localization All
"{D56B0E27-4A3E-46C9-B5C1-D93D580C099C}" = NVIDIA PhysX v8.10.29
"{D9CD701B-3F04-FC69-D974-F3A7F5E9BA30}" = CCC Help Swedish
"{D9D93D74-107D-4BD3-87D0-AABCF7C98BD5}" = Catalyst Control Center - Branding
"{DBAD6496-1968-46F7-A23F-9BE02F85001D}" = WebUpdate
"{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}" = Ad-Aware
"{E0F252A6-DE85-4E93-A93B-DFC3537B3965}" = WG111v2 Configuration Utility
"{E213321B-1E88-B38D-DAB2-D8CB9355984A}" = Skins
"{E2883E8F-472F-4fb0-9522-AC9BF37916A7}" = Adobe Download Manager
"{E38C00D0-A68B-4318-A8A6-F7D4B5B1DF0E}" = Windows Media Encoder 9 Series
"{E590FD1C-E8C6-4D2E-8CA9-77B403F7EE01}" = Microsoft Antimalware
"{EF98A02A-1748-4762-9B7D-5ED1600520D5}" = Microsoft Security Essentials
"{F0A37341-D692-11D4-A984-009027EC0A9C}" = SoundMAX
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F330A4C0-802E-11D5-8311-0050DABBB21D}" = OnDVD
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
"{F4148D8F-ED3A-3097-509C-04D5560220F9}" = ccc-core-static
"{F7E68997-E626-952B-A7BF-F72066CD5D77}" = Catalyst Control Center Graphics Previews Common
"{F8811C6B-4C6F-11D6-830E-0050DABBB449}" = Reader Drivers and Utilities
"{FA36C82B-464D-51F2-A6A1-0BC9140BE067}" = CCC Help Italian
"{FF70923C-8A51-47F4-A7E9-893C6D54EB68}" = TES Construction Set
"3ComNicUnInstall" = 3Com NIC Diagnostics
"AC Tool 4.4.7 Install" = AC Tool 4.4.7 Install
"Ad-Aware" = Ad-Aware
"Adobe Atmosphere Player" = Adobe Atmosphere Player for Acrobat and Adobe Reader
"Adobe Shockwave Player" = Adobe Shockwave Player
"Adobe SVG Viewer" = Adobe SVG Viewer 3.0
"Advanced Administrative Tools" = Advanced Administrative Tools
"All ATI Software" = ATI - Software Uninstall Utility
"Apophysis 2.0" = Apophysis 2.0
"AsusUpdate" = AsusUpdate
"ATI Display Driver" = ATI Display Driver
"AudioConSole" = Creative Audio Console
"BCWipe" = BCWipe 3.0
"BookWorm Deluxe 1.0" = BookWorm Deluxe 1.0
"Borland JBuilder 9 Personal" = Borland JBuilder 9 Personal
"CoH" = City of Heroes (remove only)
"ComcastHSI" = Comcast High-Speed Internet Install Wizard
"Creative Jukebox Driver" = Creative Jukebox Driver
"Diablo II" = Diablo II
"Download Manager" = Download Manager 2.3.9
"F9AE2226-25C4-3E49-D1A5-FB3F55153303" = MOTODEV Studio for Android
"FLVPlayer" = FLV Player 1.3.3
"FreshDevices - FreshDiagnose_is1" = FreshDiagnose
"GameSpotDownloadManager" = GameSpot Download Manager
"Google Chrome" = Google Chrome
"Handmark LIST ANYTHING: MobileDB Super Pak" = Handmark LIST ANYTHING: MobileDB Super Pak
"Handmark® Monopoly® for Palm OS" = Handmark® Monopoly® for Palm OS
"Handmark® Scrabble® for Palm OS" = Handmark® Scrabble® for Palm OS
"ICQ" = ICQ
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie8" = Windows Internet Explorer 8
"InstallShield_{102E4D60-5A93-4A3C-8105-FE390427C60D}" = Sid Meier's Alpha Centauri 2000/XP Compatibility Update
"InstallShield_{243A7C38-E425-4B8A-B1ED-CEAEC7BDC319}" = ATI DVD Decoder 2.1.0.1
"InstallShield_{28ADA52D-B7AF-442C-8B7F-CEB9ECC28078}" = ATI Multimedia Center 8.1.0.0
"InstallShield_{438D221C-5B5B-4E4B-B7BD-A86512E5B6C1}" = DAO
"InstallShield_{C21D5524-A970-42FA-AC8A-59B8C7CDCA31}" = QuickTime
"InstallShield_{EF7E931D-DC84-471B-8DB6-A83358095474}" = EA Download Manager
"InstantCD/DVD" = InstantCD/DVD
"Iomega Backup" = Iomega Backup 4.5
"LiveReg" = LiveReg (Symantec Corporation)
"MailWasher_is1" = MailWasher
"Map Patch" = Map Patch
"McAfee Security Scan" = McAfee Security Scan Plus
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft Security Essentials" = Microsoft Security Essentials
"Mids' Hero/Villain Designer" = Mids' Hero/Villain Designer
"Mozilla Firefox (3.6.3)" = Mozilla Firefox (3.6.3)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"MS-MPEG4" = Microsoft MPEG-4 VKI Video Codec V1/V2/V3
"Mystery P.I. - The Vegas Heist 1.0.0.3" = Mystery P.I. - The Vegas Heist 1.0.0.3
"Network Play System (Patching)" = Network Play System (Patching)
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"NVIDIA Drivers" = NVIDIA Drivers
"OpenAL" = OpenAL
"Palmspring Pocket Money" = Palmspring Pocket Money
"Peggle Deluxe 1.01" = Peggle Deluxe 1.01
"Peggle Nights Deluxe 1.0" = Peggle Nights Deluxe 1.0
"PowerDesk5.0" = PowerDesk 5.0
"Pro Pinball : Big Race USA" = Pro Pinball : Big Race USA
"Pro Pinball : Fantastic Journey" = Pro Pinball : Fantastic Journey
"ProjectIEKA2a_is1" = Morrowind Character Creator 2
"PROSetDX" = Intel® PRO Network Connections Software v10.1.41.0
"PSPMovieCreator" = PSP Movie Creator(remove only)
"QuikSync 3" = QuikSync 3
"RealPlayer 6.0" = RealPlayer
"Recovery Commander" = Recovery Commander
"Rocket Mania 1.01" = Rocket Mania 1.01
"Scrabble" = Scrabble
"Security Task Manager" = Security Task Manager 1.7f
"Shockwave" = Shockwave
"Sid Meier's Alpha Centauri" = Sid Meier's Alpha Centauri
"ST6UNST #1" = ObjectMapper
"Stardock Central" = Stardock Central
"Steam App 26800" = Braid
"Steam App 3590" = Plants Vs Zombies
"Swiveller's Cribbage" = Swiveller's Cribbage
"SysInfo" = Creative System Information
"SystemRequirementsLab" = System Requirements Lab
"Teamspeak 2 RC2_is1" = TeamSpeak 2 RC2
"Torchlight" = Torchlight
"UDK-d1f5888b-4159-4a51-9d41-b1e6390768ca" = Unreal Development Kit: 2009-11
"UltraEdit-32" = UltraEdit-32 Uninstall
"WIC" = Windows Imaging Component
"Winamp" = Winamp (remove only)
"WinAVIVideoConverter_is1" = WinAVIVideoConverter
"Windows Live OneCare safety scanner" = Windows Live OneCare safety scanner
"Windows Media Encoder 9" = Windows Media Encoder 9 Series
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinRAR archiver" = WinRAR archiver
"WinZip" = WinZip
"Wisdom-soft ScreenHunter 5.0 Free" = Wisdom-soft ScreenHunter 5.0 Free
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"World_Series_Of_Poker_1.0" = World Series Of Poker
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"xvid" = XviD MPEG-4 Video Codec

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"WinImage" = WinImage

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 4/10/2010 5:56:42 PM | Computer Name = AJD | Source = Windows Search Service | ID = 3013
Description = The entry <C:\DOCUMENTS AND SETTINGS\ALL USERS.WINDOWS\DOCUMENTS\ADOBE
PDF 6.0\SETTINGS\STANDARD.JOBOPTIONS> in the hash map cannot be updated. Context:
Application, SystemIndex Catalog Details: A device attached to the system is not
functioning. (0x8007001f)

Error - 4/10/2010 5:56:42 PM | Computer Name = AJD | Source = Windows Search Service | ID = 3013
Description = The entry <C:\DOCUMENTS AND SETTINGS\ALL USERS.WINDOWS\DOCUMENTS\ADOBE
PDF 6.0\SETTINGS\STANDARD.JOBOPTIONS> in the hash map cannot be updated. Context:
Application, SystemIndex Catalog Details: A device attached to the system is not
functioning. (0x8007001f)

Error - 4/10/2010 5:56:43 PM | Computer Name = AJD | Source = Windows Search Service | ID = 3013
Description = The entry <C:\DOCUMENTS AND SETTINGS\ALL USERS.WINDOWS\DOCUMENTS\ADOBE
PDF 6.0\SETTINGS\PRESS QUALITY.JOBOPTIONS> in the hash map cannot be updated. Context:
Application, SystemIndex Catalog Details: A device attached to the system is not
functioning. (0x8007001f)

Error - 4/10/2010 5:56:43 PM | Computer Name = AJD | Source = Windows Search Service | ID = 3013
Description = The entry <C:\DOCUMENTS AND SETTINGS\ALL USERS.WINDOWS\DOCUMENTS\ADOBE
PDF 6.0\SETTINGS\PRESS QUALITY.JOBOPTIONS> in the hash map cannot be updated. Context:
Application, SystemIndex Catalog Details: A device attached to the system is not
functioning. (0x8007001f)

Error - 4/10/2010 5:56:43 PM | Computer Name = AJD | Source = Windows Search Service | ID = 3013
Description = The entry <C:\DOCUMENTS AND SETTINGS\ALL USERS.WINDOWS\DOCUMENTS\ADOBE
PDF 6.0\SETTINGS\HIGH QUALITY.JOBOPTIONS> in the hash map cannot be updated. Context:
Application, SystemIndex Catalog Details: A device attached to the system is not
functioning. (0x8007001f)

Error - 4/10/2010 5:56:43 PM | Computer Name = AJD | Source = Windows Search Service | ID = 3013
Description = The entry <C:\DOCUMENTS AND SETTINGS\ALL USERS.WINDOWS\DOCUMENTS\ADOBE
PDF 6.0\SETTINGS\HIGH QUALITY.JOBOPTIONS> in the hash map cannot be updated. Context:
Application, SystemIndex Catalog Details: A device attached to the system is not
functioning. (0x8007001f)

Error - 4/10/2010 9:28:41 PM | Computer Name = AJD | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file.

Error - 4/11/2010 12:59:06 AM | Computer Name = AJD | Source = Lavasoft Ad-Aware Service | ID = 0
Description =

Error - 4/11/2010 2:22:13 PM | Computer Name = AJD | Source = Application Error | ID = 1000
Description = Faulting application svchost.exe, version 5.1.2600.5512, faulting
module Flash10c.ocx, version 10.0.32.18, fault address 0x000e8710.

Error - 4/11/2010 2:22:40 PM | Computer Name = AJD | Source = Application Error | ID = 1001
Description = Fault bucket 1555532600.

[ System Events ]
Error - 4/10/2010 5:56:51 PM | Computer Name = AJD | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126

Error - 4/10/2010 5:56:51 PM | Computer Name = AJD | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126

Error - 4/10/2010 5:56:51 PM | Computer Name = AJD | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126

Error - 4/11/2010 12:22:48 AM | Computer Name = AJD | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the Application Layer Gateway
Service service to connect.

Error - 4/11/2010 12:23:04 AM | Computer Name = AJD | Source = Service Control Manager | ID = 7000
Description = The Application Layer Gateway Service service failed to start due
to the following error: %%1053

Error - 4/11/2010 9:31:17 AM | Computer Name = AJD | Source = Microsoft Antimalware | ID = 1008
Description = %%861 has encountered an error when taking action on spyware or other
potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=370...atid=2147629578

User:
AJD\Allan Douglass Name: Trojan:WinNT/Alureon.H ID: 2147629578 Severity: Severe Category:
Trojan Path: Action: %%808 Error Code: 0x80508023 Error description: The program could
not find the spyware and other potentially unwanted software on this computer.
Status: Signature Version: AV: 1.79.1559.0, AS: 1.79.1559.0 Engine Version: 1.1.5605.0

Error - 4/11/2010 3:18:24 PM | Computer Name = AJD | Source = DCOM | ID = 10010
Description = The server {E60687F7-01A1-40AA-86AC-DB1CBF673334} did not register
with DCOM within the required timeout.

Error - 4/11/2010 7:58:13 PM | Computer Name = AJD | Source = DCOM | ID = 10005
Description = DCOM got error "%1053" attempting to start the service wuauserv with
arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}

Error - 4/11/2010 7:58:43 PM | Computer Name = AJD | Source = DCOM | ID = 10005
Description = DCOM got error "%1053" attempting to start the service wuauserv with
arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}

Error - 4/11/2010 9:30:55 PM | Computer Name = AJD | Source = DCOM | ID = 10000
Description = Unable to start a DCOM Server: {B801CA65-A1FC-11D0-85AD-444553540000}.
The
error: "%2" Happened while starting this command: C:\Program Files\Adobe\Acrobat 6.0\Acrobat\Acrobat.exe
-Embedding


< End of report >


#4 JSntgRvr

    Master Surgeon General

  • Malware Response Team
  • 11,590 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 11 April 2010 - 09:14 PM

  • Please double-click OTL.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the quote below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    QUOTE
    :OTL
    O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\sdra64.exe) - C:\WINDOWS\system32\sdra64.exe ()

    :files
    C:\WINDOWS\System32\valapeze
    C:\WINDOWS\system32\drivers\rdpcdd.sys|C:\WINDOWS\system32\dllcache\rdpcdd.sys /replace

    :Commands
    [EMPTYTEMP]
    [RESETHOSTS]
    [REBOOT]

  • Return to OTL, right click in the "Custom Scans/Fixes" window and choose Paste.
  • Click the red Run Fix button.
  • The computer will restart.
  • A report will be produced and saved in the C:\_OTL\MovedFiles folder. Open that report and post its contents in a reply.

Run GMER after a restart and post its report.

No request for help through private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#5 rrahl
  • Topic Starter

  • Members
  • 23 posts

Posted 12 April 2010 - 04:40 PM

File contents below. Processing GMER now.


All processes killed
========== OTL ==========
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\UserInit:C:\WINDOWS\system32\sdra64.exe deleted successfully.
File move failed. C:\WINDOWS\system32\sdra64.exe scheduled to be moved on reboot.
========== FILES ==========
C:\WINDOWS\System32\valapeze moved successfully.
File C:\WINDOWS\system32\drivers\rdpcdd.sys successfully replaced with C:\WINDOWS\system32\dllcache\rdpcdd.sys
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: All Users.WINDOWS

User: Allan
->Temp folder emptied: 1673170 bytes
->Temporary Internet Files folder emptied: 68538718 bytes

User: Allan Douglass
->Temp folder emptied: 103015 bytes
->Temporary Internet Files folder emptied: 14317358 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 65804969 bytes
->Google Chrome cache emptied: 819568 bytes
->Flash cache emptied: 1929224 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: Default User.WINDOWS
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: LocalService.NT AUTHORITY
->Temp folder emptied: 66016 bytes
->Temporary Internet Files folder emptied: 1142643 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 402 bytes

User: NetworkService.NT AUTHORITY
->Temp folder emptied: 2730794 bytes
->Temporary Internet Files folder emptied: 10898050 bytes
->Flash cache emptied: 3168 bytes

%systemdrive% .tmp files removed: 9582512 bytes
%systemroot% .tmp files removed: 1119359 bytes
%systemroot%\System32 .tmp files removed: 8231936 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 3789222 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 10450558 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 44448 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 192.00 mb

C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

OTL by OldTimer - Version 3.2.1.1 log created on 04112010_222517

Files\Folders moved on Reboot...
File move failed. C:\WINDOWS\system32\sdra64.exe scheduled to be moved on reboot.

Registry entries deleted on Reboot...


#6 JSntgRvr

JSntgRvr
  • Master Surgeon General
  • Malware Response Team
  • 11,590 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 12 April 2010 - 06:51 PM

Run GMER and OTL once again and post their report.

No request for help through private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#7 rrahl

rrahl
  • Topic Starter
  • Members
  • 23 posts

Posted 12 April 2010 - 08:43 PM

GMER below (takes close to 6 hours to run). Going to rerun OTL and repost the OTL results; I have to reboot as part of that process and don't want to lose this detail between the two.



GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-12 21:38:07
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\ALLAND~1\LOCALS~1\Temp\pxtdrpow.sys


---- System - GMER 1.0.15 ----

SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xF766787E]
SSDT \??\C:\WINDOWS\System32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwCreateThread [0xF7789B40]
SSDT \??\C:\WINDOWS\System32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwMapViewOfSection [0xF7789860]
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xF7667BFE]
SSDT \??\C:\WINDOWS\System32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwTerminateProcess [0xF7789CF0]

---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xB94CD000, 0x1C5D38, 0xE8000020]
.rsrc C:\WINDOWS\System32\DRIVERS\RDPCDD.sys entry point in ".rsrc" section [0xF79EFC14]
.text tcpip.sys!IPTransmit + 10FC AC40CD3A 6 Bytes CALL F782E490 Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
.text tcpip.sys!IPTransmit + 2A52 AC40E690 6 Bytes CALL F782E490 Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
.text tcpip.sys!IPRegisterProtocol + 930 AC424454 6 Bytes CALL F782E490 Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
.text wanarp.sys B98A73FD 7 Bytes CALL F782E57C Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\Explorer.EXE[856] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B6000A
.text C:\WINDOWS\Explorer.EXE[856] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00C0000A
.text C:\WINDOWS\Explorer.EXE[856] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B5000C
.text C:\WINDOWS\System32\svchost.exe[1516] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0099000A
.text C:\WINDOWS\System32\svchost.exe[1516] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 009A000A
.text C:\WINDOWS\System32\svchost.exe[1516] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0098000C
.text C:\WINDOWS\system32\SearchIndexer.exe[2128] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)
.text C:\WINDOWS\system32\wuauclt.exe[2460] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0099000A
.text C:\WINDOWS\system32\wuauclt.exe[2460] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 009A000A
.text C:\WINDOWS\system32\wuauclt.exe[2460] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0098000C

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SiWinAcc.sys (Windows Accelerator Driver/Silicon Image, Inc.)
AttachedDevice \FileSystem\Ntfs \Ntfs pavdrv51.sys (Panda Antivirus Filter Driver for Windows XP/Panda Software)

Device \Driver\Tcpip \Device\Ip wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Norton Internet Security Filter/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip Lbd.sys (Boot Driver/Lavasoft AB)

Device \Driver\Tcpip \Device\Tcp wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)

AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Norton Internet Security Filter/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp Lbd.sys (Boot Driver/Lavasoft AB)

Device \Driver\Tcpip \Device\Udp wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)

AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Norton Internet Security Filter/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp Lbd.sys (Boot Driver/Lavasoft AB)

Device \Driver\Tcpip \Device\RawIp wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)

AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Norton Internet Security Filter/Symantec Corporation)

Device \Driver\Tcpip \Device\IPMULTICAST wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat SiWinAcc.sys (Windows Accelerator Driver/Silicon Image, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat pavdrv51.sys (Panda Antivirus Filter Driver for Windows XP/Panda Software)

Device -> \Driver\atapi \Device\Harddisk0\DR0 88E76AC8

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\System32\DRIVERS\RDPCDD.sys suspicious modification
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----


#8 rrahl

rrahl
  • Topic Starter
  • Members
  • 23 posts

Posted 12 April 2010 - 08:57 PM

New OTL run:

All processes killed
========== OTL ==========
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\UserInit:C:\WINDOWS\system32\sdra64.exe deleted successfully.
File C:\WINDOWS\system32\sdra64.exe not found.
========== FILES ==========
File\Folder C:\WINDOWS\System32\valapeze not found.
File C:\WINDOWS\system32\drivers\rdpcdd.sys successfully replaced with C:\WINDOWS\system32\dllcache\rdpcdd.sys
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: All Users.WINDOWS

User: Allan
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Allan Douglass
->Temp folder emptied: 3924617 bytes
->Temporary Internet Files folder emptied: 6607393 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 22653020 bytes
->Google Chrome cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User.WINDOWS
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: LocalService.NT AUTHORITY
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: NetworkService.NT AUTHORITY
->Temp folder emptied: 10922 bytes
->Temporary Internet Files folder emptied: 977207 bytes
->Flash cache emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 1794364 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 34.00 mb

C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

OTL by OldTimer - Version 3.2.1.1 log created on 04122010_214429

Files\Folders moved on Reboot...
C:\Documents and Settings\Allan Douglass\Local Settings\Temporary Internet Files\Content.IE5\ZJJBZNJ0\iframe[2].htm moved successfully.
C:\Documents and Settings\Allan Douglass\Local Settings\Temporary Internet Files\Content.IE5\ZJJBZNJ0\index[1].htm moved successfully.
File\Folder C:\WINDOWS\temp\B.tmp not found!
C:\WINDOWS\temp\TMP000000010047E25B7F3F59AD moved successfully.

Registry entries deleted on Reboot...


#9 JSntgRvr

JSntgRvr
  • Master Surgeon General
  • Malware Response Team
  • 11,590 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 12 April 2010 - 11:32 PM

GMER is the only program that shows the infection. Run it as follows:

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.
  • Double click GMER.exe.
  • If it gives you a warning about rootkit activity and asks if you want to run a full scan, click on NO, then use the following settings for a more complete scan.
  • In the right panel, you will see several boxes that have been checked. Ensure that all are UNCHECKED except for the following:
    • Sections
    • Devices
    • C:\
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "ark.txt"
  • Save the log where you can easily find it, such as your desktop.
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries

Please copy and paste the report into your Post.



#10 rrahl

rrahl
  • Topic Starter
  • Members
  • 23 posts

Posted 13 April 2010 - 06:39 AM

I'm pretty sure this file (C:\WINDOWS\system32\drivers\atapi.sys) was modified by the Alureon trojan; skimming threads about that shows it is a common occurrence, and fixing it stops the browser hijacks, popups and the like.

Another run of GMER (this one took seconds to complete):


GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-13 07:36:47
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\ALLAND~1\LOCALS~1\Temp\pxtdrpow.sys


---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xB9B32000, 0x1C5D38, 0xE8000020]
.rsrc C:\WINDOWS\System32\DRIVERS\RDPCDD.sys entry point in ".rsrc" section [0xF79A3C14]
.text tcpip.sys!IPTransmit + 10FC ACA21D3A 6 Bytes CALL F782E490 Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
.text tcpip.sys!IPTransmit + 2A52 ACA23690 6 Bytes CALL F782E490 Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
.text tcpip.sys!IPRegisterProtocol + 930 ACA39454 6 Bytes CALL F782E490 Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
.text wanarp.sys F743C3FD 7 Bytes CALL F782E57C Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\svchost.exe[1516] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0099000A
.text C:\WINDOWS\System32\svchost.exe[1516] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 009A000A
.text C:\WINDOWS\System32\svchost.exe[1516] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0098000C
.text C:\WINDOWS\System32\svchost.exe[1516] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 06A0000A
.text C:\WINDOWS\System32\svchost.exe[1516] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 069F000A
.text C:\WINDOWS\system32\SearchIndexer.exe[2092] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2512] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00A3000A
.text C:\Program Files\Internet Explorer\iexplore.exe[2512] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00DD000A
.text C:\Program Files\Internet Explorer\iexplore.exe[2512] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00A2000C
.text C:\Program Files\Internet Explorer\iexplore.exe[2512] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215505 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2512] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9A75 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2512] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD101 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2512] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDAC4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2512] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E25466E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2512] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E473F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2512] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E4671 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2512] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E46DC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2512] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4542 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2512] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E45A4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2512] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E47A2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2512] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4606 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2512] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 3E2EDB20 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2512] ole32.dll!OleLoadFromStream 77529C85 5 Bytes JMP 3E3E4AA7 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3040] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00A3000A
.text C:\Program Files\Internet Explorer\iexplore.exe[3040] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00DD000A
.text C:\Program Files\Internet Explorer\iexplore.exe[3040] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00A2000C
.text C:\Program Files\Internet Explorer\iexplore.exe[3040] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215505 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3040] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDAC4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3040] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E473F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3040] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E4671 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3040] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E46DC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3040] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4542 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3040] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E45A4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3040] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E47A2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3040] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4606 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\WINDOWS\Explorer.EXE[3976] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B6000A
.text C:\WINDOWS\Explorer.EXE[3976] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00C0000A
.text C:\WINDOWS\Explorer.EXE[3976] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B5000C

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SiWinAcc.sys (Windows Accelerator Driver/Silicon Image, Inc.)
AttachedDevice \FileSystem\Ntfs \Ntfs pavdrv51.sys (Panda Antivirus Filter Driver for Windows XP/Panda Software)

Device \Driver\Tcpip \Device\Ip wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Norton Internet Security Filter/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip Lbd.sys (Boot Driver/Lavasoft AB)

Device \Driver\Tcpip \Device\Tcp wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)

AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Norton Internet Security Filter/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp Lbd.sys (Boot Driver/Lavasoft AB)

Device \Driver\Tcpip \Device\Udp wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)

AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Norton Internet Security Filter/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp Lbd.sys (Boot Driver/Lavasoft AB)

Device \Driver\Tcpip \Device\RawIp wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)

AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Norton Internet Security Filter/Symantec Corporation)

Device \Driver\Tcpip \Device\IPMULTICAST wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat SiWinAcc.sys (Windows Accelerator Driver/Silicon Image, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat pavdrv51.sys (Panda Antivirus Filter Driver for Windows XP/Panda Software)

Device -> \Driver\atapi \Device\Harddisk0\DR0 88E69AC8

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\System32\DRIVERS\RDPCDD.sys suspicious modification
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----
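The two GMER reports in this thread carry the whole picture of the infection, but reading them by eye is error-prone. The following is an added example, not part of this thread and not GMER's own code, that parses a log in this format and pulls out the findings that matter: "suspicious modification" files, a driver whose entry point lies in its .rsrc section (RDPCDD.sys above), SSDT entries, and user-mode inline hooks that GMER could not attribute to any module on disk (contrast the ntdll hooks above, which show only a bare JMP target, with the ones pointing into IEFRAME.dll or MSSRCH.DLL). The regular expressions assume exactly the line shapes seen in this thread's logs and ignore every other GMER line type; the attributed/unattributed split is this example's heuristic, not a GMER verdict. The sample log is constructed from lines copied out of this thread.

```python
import re
from dataclasses import dataclass, field
from pathlib import PureWindowsPath
from typing import Dict, List

# Constructed sample, abridged from the GMER reports posted in this thread.
SAMPLE_LOG = r"""GMER 1.0.15.15281 - http://www.gmer.net

---- System - GMER 1.0.15 ----

SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xF766787E]
SSDT \??\C:\WINDOWS\System32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwCreateThread [0xF7789B40]

---- Kernel code sections - GMER 1.0.15 ----

.rsrc C:\WINDOWS\System32\DRIVERS\RDPCDD.sys entry point in ".rsrc" section [0xF79A3C14]
.text tcpip.sys!IPTransmit + 10FC ACA21D3A 6 Bytes CALL F782E490 Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\svchost.exe[1516] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0099000A
.text C:\WINDOWS\System32\svchost.exe[1516] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 009A000A
.text C:\WINDOWS\system32\SearchIndexer.exe[2092] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2512] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00A3000A
.text C:\Program Files\Internet Explorer\iexplore.exe[2512] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215505 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\System32\DRIVERS\RDPCDD.sys suspicious modification
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----
"""

# Line shapes as they appear in this thread's logs (assumption: other GMER builds may differ).
SECTION_RE = re.compile(r"^---- (?P<name>.+?) - GMER ")
SSDT_RE = re.compile(r"^SSDT (?P<module>.+?) (?P<func>Zw\w+) \[0x(?P<addr>[0-9A-F]+)\]$")
RSRC_ENTRY_RE = re.compile(r'^\.rsrc (?P<path>.+?) entry point in "\.rsrc" section')
USER_HOOK_RE = re.compile(
    r"^\.text (?P<proc>.+?)\[(?P<pid>\d+)\] (?P<func>\S+) (?P<at>[0-9A-F]+) "
    r"(?P<n>\d+) Bytes (?P<kind>JMP|CALL) (?P<target>[0-9A-F]+)(?: (?P<module>.+))?$"
)
SUSP_FILE_RE = re.compile(r"^File (?P<path>.+?) suspicious modification$")


@dataclass
class GmerFindings:
    """ssdt_hooks: redirected service-table entries; rsrc_entry_drivers: drivers whose
    entry point sits in .rsrc; attributed/unattributed_hooks: user-mode inline hooks
    with / without a module GMER could name; suspicious_files: the Files section."""
    ssdt_hooks: List[Dict[str, str]] = field(default_factory=list)
    rsrc_entry_drivers: List[str] = field(default_factory=list)
    attributed_hooks: List[Dict[str, str]] = field(default_factory=list)
    unattributed_hooks: List[Dict[str, str]] = field(default_factory=list)
    suspicious_files: List[str] = field(default_factory=list)


def parse_gmer_log(text: str) -> GmerFindings:
    """Walk the log section by section; lines that match none of the shapes are skipped."""
    findings = GmerFindings()
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name")
            continue
        if section == "System":
            m = SSDT_RE.match(line)
            if m:
                findings.ssdt_hooks.append(m.groupdict())
        elif section == "Kernel code sections":
            m = RSRC_ENTRY_RE.match(line)
            if m:
                findings.rsrc_entry_drivers.append(m.group("path"))
        elif section == "User code sections":
            m = USER_HOOK_RE.match(line)
            if m:
                hook = m.groupdict()
                bucket = findings.attributed_hooks if hook["module"] else findings.unattributed_hooks
                bucket.append(hook)
        elif section == "Files":
            m = SUSP_FILE_RE.match(line)
            if m:
                findings.suspicious_files.append(m.group("path"))
    return findings


def unattributed_by_process(findings: GmerFindings) -> Dict[str, List[str]]:
    """Group unattributed hooks by process: the same few ntdll functions patched in
    several unrelated processes points at one injected component, not per-app instrumentation."""
    grouped: Dict[str, List[str]] = {}
    for h in findings.unattributed_hooks:
        key = f'{PureWindowsPath(h["proc"]).name}[{h["pid"]}]'
        grouped.setdefault(key, []).append(h["func"])
    return grouped


def report(findings: GmerFindings) -> List[str]:
    """Triage lines, most actionable first."""
    lines = [f"suspicious modification: {p}" for p in findings.suspicious_files]
    lines += [f"entry point in .rsrc: {p}" for p in findings.rsrc_entry_drivers]
    for proc, funcs in unattributed_by_process(findings).items():
        lines.append(f"unattributed hooks in {proc}: {', '.join(funcs)}")
    lines += [f"SSDT {h['func']} -> {h['module']}" for h in findings.ssdt_hooks]
    return lines


if __name__ == "__main__":
    print("\n".join(report(parse_gmer_log(SAMPLE_LOG))))
```

Run it on a saved GMER log by passing the file's text to `parse_gmer_log`. The attributed hooks (the security products and IEFRAME.dll entries) are kept but not reported, since on this machine they are the expected noise from Sygate, Symantec, Lavasoft and Internet Explorer; the unattributed ones and the two "suspicious modification" drivers are what the helper in this thread acted on.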


#11 JSntgRvr

JSntgRvr
  • Master Surgeon General
  • Malware Response Team
  • 11,590 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 13 April 2010 - 11:07 AM

The problem is not the atapi.sys but the RDPCDD.sys. Both files have been infected with the TDL3 Trojan. I would like to resolve this issue through an external environment.

First

Download the enclosed folder. Save and extract its contents to the desktop.

Second

Two programs to download

First

Download ISOBurner. Click Here for ISOBurner Instructions. Install the program, and follow the next set of steps.

Second
  • Download OTLPE.iso and burn it to a CD using ISOBurner. NOTE: This file is 276.7MB in size, so it may take some time to download.
  • When downloaded, double-click it; this will open ISOBurner to burn the file to CD.
  • Boot the non-working computer using the boot CD you just created.
  • In order to do so, the computer must be set to boot from the CD first.
    Note: For information click here
  • Your system should now display a REATOGO-X-PE desktop.
  • Double-click on the OTLPE icon.
  • When asked "Do you wish to load the remote registry", select Yes
  • When asked "Do you wish to load remote user profile(s) for scanning", select Yes
  • Ensure the box "Automatically Load All Remaining Users" is checked and press OK
  • OTL should now start. Change the following settings
    • Change Drivers to All
    • Change Standard Registry to All
    • Under the Custom Scan box paste this in

      /md5start
      RDPCDD.sys
      eventlog.dll
      scecli.dll
      netlogon.dll
      cngaudit.dll
      sceclt.dll
      ntelogon.dll
      logevent.dll
      iaStor.sys
      nvstor.sys
      atapi.sys
      IdeChnDr.sys
      viasraid.sys
      AGP440.sys
      vaxscsi.sys
      nvatabus.sys
      viamraid.sys
      nvata.sys
      nvgts.sys
      iastorv.sys
      ViPrt.sys
      eNetHook.dll
      ahcix86.sys
      KR10N.sys
      nvstor32.sys
      ahcix86s.sys
      nvrd32.sys
      userinit.exe
      explorer.exe
      ntoskrnl.exe
      /md5stop
      %SYSTEMDRIVE%\*.*
      %systemroot%\*. /mp /s
      %systemroot%\System32\config\*.sav
  • Press Run Scan to start the scan.
  • When finished, the file will be saved in drive C:\OTL.txt
  • Copy this file to your USB drive.
  • Please post the contents of the C:\OTL.txt file in your reply.





#12 rrahl

rrahl
  • Topic Starter
  • Members
  • 23 posts

Posted 13 April 2010 - 08:26 PM

Scan did not complete. I attempted this twice, both times with the same 'oleat.dll' erroring out.

I was not presented with this option:
  • When asked "Do you wish to load the remote registry", select Yes

The scan started, progressed, and errored out after about 45 seconds of scanning (I could see a number of objects scan successfully prior to the error):
  • access violation at address 771248A4 in module 'oleat.dll'. Read of address 022CF914.


#13 JSntgRvr

JSntgRvr
  • Master Surgeon General
  • Malware Response Team
  • 11,590 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 13 April 2010 - 08:42 PM

By any chance, do you have the Windows XP installation CD? I would like to boot the computer to the Recovery Console using the CD.

Go to Start -> Run, type CMD and click OK. At the prompt, copy and paste the following command and press Enter:

extrac32 /L %systemdrive%\ "C:\WINDOWS\ServicePackFiles\i386\sp3.cab" atapi.sys

Please move the RDPCDD.sys downloaded to the C:\ folder

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :filefind
    atapi.sys
    RDPCDD.sys
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt


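The /md5start list in the OTLPE instructions earlier in this thread and the SystemLook :filefind request in this post do the same job: locate every copy of a handful of system files and hash them, so that a tampered copy stands out next to its clean twin. As an added example, not OTL, SystemLook or anything posted by this thread's participants, the Python below walks a directory tree for the watched names, hashes each copy, and judges it against a trusted baseline. It builds a small constructed stand-in for system32 in a temporary directory, with atapi.sys patched in place at the same size. The two file names come from the posts above; the directory layout, byte contents and the helper names (`find_copies`, `verdicts`, `build_demo_tree`) are this example's own. The baseline choice is the point to take away: a dllcache copy on the same disk is convenient, but only trustworthy if nothing on that box could have written it, which is why the `extrac32` command in this post pulls atapi.sys out of the service-pack cabinet instead.

```python
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, Iterable, List, Tuple

# Two names from the /md5start ... /md5stop list in the OTLPE post; the full list
# works the same way (assumption: these two are enough to show the method).
WATCHED = ["atapi.sys", "RDPCDD.sys"]


def md5_of(path: Path) -> str:
    """MD5 of a file, streamed so a large driver need not fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_copies(root: Path, names: Iterable[str]) -> Dict[str, List[Tuple[str, int, str]]]:
    """Every copy of each watched name under root (case-insensitive, as on NTFS)
    with its size and MD5: SystemLook's ':filefind' and OTL's '/md5start' hashing
    in one pass. Lists are sorted by path so the output is stable."""
    wanted = {n.lower(): n for n in names}
    found: Dict[str, List[Tuple[str, int, str]]] = {n: [] for n in names}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            canon = wanted.get(fname.lower())
            if canon is None:
                continue
            p = Path(dirpath) / fname
            found[canon].append((str(p), p.stat().st_size, md5_of(p)))
    for copies in found.values():
        copies.sort()
    return found


def verdicts(copies: Dict[str, List[Tuple[str, int, str]]],
             baseline: Dict[str, str]) -> Dict[str, List[Tuple[str, str]]]:
    """Label each copy 'match', 'MISMATCH' or 'no-baseline' against a trusted MD5
    per name. The baseline must come from somewhere the infection could not have
    written (e.g. the file extracted from the service-pack cabinet), not from the
    same machine's dllcache."""
    out: Dict[str, List[Tuple[str, str]]] = {}
    for name, entries in copies.items():
        good = baseline.get(name)
        out[name] = [
            (path, "no-baseline" if good is None else ("match" if digest == good else "MISMATCH"))
            for path, _size, digest in entries
        ]
    return out


def build_demo_tree(base: Path) -> Dict[str, str]:
    """Constructed stand-in for C:\\WINDOWS\\system32: a dllcache copy and a live
    drivers copy of each file, with atapi.sys patched in place (same size,
    different bytes), which is what a 'suspicious modification' looks like on
    disk. Returns the trusted MD5 of each clean file."""
    clean = {"atapi.sys": b"clean atapi driver bytes",
             "RDPCDD.sys": b"clean rdpcdd driver bytes"}
    drivers = base / "system32" / "drivers"
    dllcache = base / "system32" / "dllcache"
    drivers.mkdir(parents=True)
    dllcache.mkdir(parents=True)
    for name, body in clean.items():
        (dllcache / name.lower()).write_bytes(body)  # mixed case, as in the OTL log above
        (drivers / name).write_bytes(body)
    patched = bytearray(clean["atapi.sys"])
    patched[0] ^= 0xFF
    (drivers / "atapi.sys").write_bytes(bytes(patched))
    return {name: hashlib.md5(body).hexdigest() for name, body in clean.items()}


def demo() -> Dict[str, List[Tuple[str, str]]]:
    """Build the constructed tree, hash every copy, and judge it against the baseline."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        baseline = build_demo_tree(root)  # must exist before the walk
        return verdicts(find_copies(root, WATCHED), baseline)


if __name__ == "__main__":
    for name, entries in demo().items():
        for path, verdict in entries:
            print(f"{verdict:12} {name:12} {path}")
```

On a real machine you would point `find_copies` at the Windows directory from a clean boot environment (as the OTLPE step intends) and fill `baseline` with hashes taken from installation media or the service-pack cabinet; a live copy that hashes differently from its trusted baseline while keeping the original size and timestamp is exactly the pattern the GMER "suspicious modification" lines in this thread describe.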


#14 rrahl

rrahl
  • Topic Starter
  • Members
  • 23 posts

Posted 13 April 2010 - 08:54 PM

I do not have the XP CD; I moved since the computer was built, and it is packed somewhere....

Is it worth trying the rest of what you suggest? Or would the initial bootable CD you had me create possibly have a workaround?

Thanks for the patience :)

#15 JSntgRvr

JSntgRvr
  • Master Surgeon General
  • Malware Response Team
  • 11,590 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 13 April 2010 - 09:03 PM

Perhaps we don't have to run OTLPE. While in the Reatogo environment, can you see (browse) the contents of the C:\ drive?

Please run SystemLook.
