Solved Malware problems?

psaulm119 · 2010/12/31

[Resolved] Malware problems?

I was told by a member here to run the advised programs to see if I have malware on my computer. I am having major problems getting any desktop search engine to scan. My first recommendation was to do system restore. I tried three restore points--one that I definitely know was before my desktop search problems began (some 2 weeks ago), a second, and a third from just a few days ago (after the problems started appearing)--Windows was not able to restore Windows at all--it gave me an error message saying no restore was made.

(1) I updated malwerbytes, did a scan, which found nothing
(2) I updated MSSE, did a full scan, which found nothing.
(3) I installed MBRwhatever, did a scan.
(3.5) I ran the temp file cleaner program.
(3.6) I ran GMER as well.
(4) I ran DDSwhatever, but 3 times, it made it two-thirds of teh way across the UI window, but never finished. It took 30 plus minutes each time. DIrections said to disable any script-blocking programs. Not sure what those are, so I just disabled MSSE from running. All three times, computer froze and wouldn't let me shut anything down so I had to just power down manually.

I will post the logs below.

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5429

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

12/31/2010 12:04:31 PM
mbam-log-2010-12-31 (12-04-31).txt

Scan type: Quick scan
Objects scanned: 154835
Time elapsed: 5 minute(s), 50 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version: Windows XP Home Edition
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000001c

Kernel Drivers (total 131):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0x806E4000 \WINDOWS\system32\hal.dll
0xBA5A8000 \WINDOWS\system32\KDCOM.DLL
0xBA4B8000 \WINDOWS\system32\BOOTVID.dll
0xB9F79000 ACPI.sys
0xBA5AA000 \WINDOWS\System32\DRIVERS\WMILIB.SYS
0xB9F68000 pci.sys
0xBA0A8000 isapnp.sys
0xBA4BC000 compbatt.sys
0xBA4C0000 \WINDOWS\System32\DRIVERS\BATTC.SYS
0xBA670000 pciide.sys
0xBA328000 \WINDOWS\System32\DRIVERS\PCIIDEX.SYS
0xBA0B8000 MountMgr.sys
0xB9F49000 ftdisk.sys
0xBA4C4000 ACPIEC.sys
0xBA671000 \WINDOWS\System32\DRIVERS\OPRGHDLR.SYS
0xBA330000 PartMgr.sys
0xBA0C8000 VolSnap.sys
0xB9F31000 atapi.sys
0xBA0D8000 disk.sys
0xBA0E8000 \WINDOWS\System32\DRIVERS\CLASSPNP.SYS
0xB9F11000 fltmgr.sys
0xB9EFF000 sr.sys
0xBA0F8000 PxHelp20.sys
0xB9EE8000 KSecDD.sys
0xB9E5B000 Ntfs.sys
0xB9E2E000 NDIS.sys
0xB9E14000 Mup.sys
0xBA338000 hotcore3.sys
0xBA248000 \SystemRoot\system32\DRIVERS\AmdPPM.sys
0xBA570000 \SystemRoot\System32\DRIVERS\wmiacpi.sys
0xB9A0D000 \SystemRoot\system32\DRIVERS\ati2mtag.sys
0xB99F9000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xBA3F0000 \SystemRoot\System32\DRIVERS\usbohci.sys
0xB9941000 \SystemRoot\System32\DRIVERS\USBPORT.SYS
0xBA3F8000 \SystemRoot\System32\DRIVERS\usbehci.sys
0xBA258000 \SystemRoot\System32\DRIVERS\imapi.sys
0xBA268000 \SystemRoot\System32\DRIVERS\cdrom.sys
0xBA278000 \SystemRoot\System32\DRIVERS\redbook.sys
0xB991E000 \SystemRoot\System32\DRIVERS\ks.sys
0xB98F6000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0xBA288000 \SystemRoot\System32\DRIVERS\i8042prt.sys
0xBA410000 \SystemRoot\System32\DRIVERS\kbdclass.sys
0xB98BF000 \SystemRoot\system32\DRIVERS\SynTP.sys
0xBA5D0000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xBA298000 \SystemRoot\system32\DRIVERS\WDFLDR.SYS
0xB984E000 \SystemRoot\System32\Drivers\wdf01000.sys
0xBA428000 \SystemRoot\System32\DRIVERS\mouclass.sys
0xBA2A8000 \SystemRoot\System32\DRIVERS\bcm4sbxp.sys
0xB983A000 \SystemRoot\System32\DRIVERS\sdbus.sys
0xBA2B8000 \SystemRoot\system32\DRIVERS\rimmptsk.sys
0xBA594000 \SystemRoot\System32\DRIVERS\CmBatt.sys
0xBA70E000 \SystemRoot\System32\DRIVERS\audstub.sys
0xBA2C8000 \SystemRoot\System32\DRIVERS\rasl2tp.sys
0xBA59C000 \SystemRoot\System32\DRIVERS\ndistapi.sys
0xB9823000 \SystemRoot\System32\DRIVERS\ndiswan.sys
0xBA2D8000 \SystemRoot\System32\DRIVERS\raspppoe.sys
0xBA2E8000 \SystemRoot\System32\DRIVERS\raspptp.sys
0xBA448000 \SystemRoot\System32\DRIVERS\TDI.SYS
0xB97EA000 \SystemRoot\System32\DRIVERS\psched.sys
0xBA2F8000 \SystemRoot\System32\DRIVERS\msgpc.sys
0xBA458000 \SystemRoot\System32\DRIVERS\ptilink.sys
0xBA468000 \SystemRoot\System32\DRIVERS\raspti.sys
0xBA308000 \SystemRoot\System32\DRIVERS\termdd.sys
0xBA5D8000 \SystemRoot\System32\DRIVERS\swenum.sys
0xB978C000 \SystemRoot\System32\DRIVERS\update.sys
0xB9DE8000 \SystemRoot\System32\DRIVERS\mssmbios.sys
0xB9779000 \SystemRoot\system32\DRIVERS\NWADIenum.sys
0xBA318000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xBA128000 \SystemRoot\System32\DRIVERS\usbhub.sys
0xB165D000 \SystemRoot\system32\DRIVERS\HSFHWAZL.sys
0xB1560000 \SystemRoot\system32\DRIVERS\HSF_DPV.sys
0xB14B0000 \SystemRoot\system32\DRIVERS\HSF_CNXT.sys
0xBA498000 \SystemRoot\System32\Drivers\Modem.SYS
0xB1392000 \SystemRoot\system32\drivers\sthda.sys
0xB136E000 \SystemRoot\system32\drivers\portcls.sys
0xBA138000 \SystemRoot\system32\drivers\drmk.sys
0xBA148000 \SystemRoot\System32\Drivers\AFS2K.SYS
0xB1347000 \SystemRoot\system32\DRIVERS\MpFilter.sys
0xBA612000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xBA7D0000 \SystemRoot\System32\Drivers\Null.SYS
0xBA616000 \SystemRoot\System32\Drivers\Beep.SYS
0xBA3B0000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xBA3B8000 \SystemRoot\System32\drivers\vga.sys
0xBA61A000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xBA61E000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xBA3C8000 \SystemRoot\System32\Drivers\Msfs.SYS
0xBA3D8000 \SystemRoot\System32\Drivers\Npfs.SYS
0xB9813000 \SystemRoot\System32\DRIVERS\rasacd.sys
0xB1314000 \SystemRoot\System32\DRIVERS\ipsec.sys
0xB12BB000 \SystemRoot\System32\DRIVERS\tcpip.sys
0xB126B000 \SystemRoot\System32\DRIVERS\netbt.sys
0xB1245000 \SystemRoot\System32\DRIVERS\ipnat.sys
0xB1223000 \SystemRoot\System32\drivers\afd.sys
0xBA158000 \SystemRoot\System32\DRIVERS\netbios.sys
0xB11F8000 \SystemRoot\System32\DRIVERS\rdbss.sys
0xB1188000 \SystemRoot\System32\DRIVERS\mrxsmb.sys
0xBA178000 \SystemRoot\System32\Drivers\Fips.SYS
0xB9765000 \SystemRoot\System32\DRIVERS\hidusb.sys
0xBA198000 \SystemRoot\System32\DRIVERS\HIDCLASS.SYS
0xBA3E8000 \SystemRoot\system32\DRIVERS\NuidFltr.sys
0xB9755000 \SystemRoot\System32\DRIVERS\mouhid.sys
0xBA408000 \SystemRoot\system32\DRIVERS\point32.sys
0xBA1A8000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xB1148000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xBA622000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xBA588000 \SystemRoot\System32\drivers\Dxapi.sys
0xBA438000 \SystemRoot\System32\watchdog.sys
0xBA1C8000 \SystemRoot\System32\DRIVERS\wanarp.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xBA6E2000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF012000 \SystemRoot\System32\ati2dvag.dll
0xBF065000 \SystemRoot\System32\ati2cqag.dll
0xBF0F2000 \SystemRoot\System32\atikvmag.dll
0xBF165000 \SystemRoot\System32\atiok3x2.dll
0xBF1AF000 \SystemRoot\System32\ati3duag.dll
0xBF582000 \SystemRoot\System32\ativvaxx.dll
0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
0xAED9C000 \??\C:\WINDOWS\system32\drivers\mbam.sys
0xAED18000 \SystemRoot\System32\DRIVERS\ndisuio.sys
0xAE9AB000 \SystemRoot\system32\drivers\wdmaud.sys
0xB96E1000 \SystemRoot\system32\drivers\sysaudio.sys
0xAE3D8000 \SystemRoot\System32\DRIVERS\mrxdav.sys
0xAE330000 \SystemRoot\System32\DRIVERS\srv.sys
0xAE3B0000 \SystemRoot\system32\DRIVERS\mdmxsdk.sys
0xADE3F000 \SystemRoot\System32\Drivers\HTTP.sys
0xADC97000 \??\C:\DOCUME~1\Paul\LOCALS~1\Temp\ffnorkob.sys
0xAEACC000 \SystemRoot\System32\DRIVERS\asyncmac.sys
0xADBD8000 \SystemRoot\system32\DRIVERS\bcmwl5.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 43):
0 System Idle Process
4 System
448 C:\WINDOWS\system32\smss.exe
752 csrss.exe
784 C:\WINDOWS\system32\winlogon.exe
832 C:\WINDOWS\system32\services.exe
844 C:\WINDOWS\system32\lsass.exe
1000 C:\WINDOWS\system32\ati2evxx.exe
1032 C:\WINDOWS\system32\svchost.exe
1116 svchost.exe
1160 C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
1200 C:\WINDOWS\system32\svchost.exe
1320 svchost.exe
1372 svchost.exe
1588 C:\WINDOWS\system32\WLTRYSVC.EXE
1616 C:\WINDOWS\system32\ati2evxx.exe
1724 C:\WINDOWS\system32\BCMWLTRY.EXE
1844 C:\WINDOWS\system32\spoolsv.exe
300 C:\WINDOWS\explorer.exe
612 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
624 C:\WINDOWS\system32\WLTRAY.EXE
632 C:\Program Files\Microsoft IntelliPoint\ipoint.exe
652 C:\WINDOWS\vVX3000.exe
696 C:\WINDOWS\system32\qttask.exe
1124 C:\Program Files\Microsoft Security Client\msseces.exe
1260 C:\WINDOWS\system32\ctfmon.exe
464 svchost.exe
492 C:\Program Files\Java\jre6\bin\jqs.exe
620 C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
264 C:\Program Files\Common Files\Microsoft Shared\VS7Debug\MDM.EXE
2244 C:\WINDOWS\system32\svchost.exe
2328 C:\WINDOWS\system32\searchindexer.exe
3384 alg.exe
3820 C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
3972 C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
4020 C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
1592 C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
1784 C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
3764 OSPPSVC.EXE
2908 wmiprvse.exe
796 C:\WINDOWS\system32\searchprotocolhost.exe
3052 searchfilterhost.exe
3492 C:\Documents and Settings\Paul\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x00000007`5343e000 (NTFS)

PhysicalDrive0 Model Number: SAMSUNGHM060HI, Rev: YD100-15

Size Device Name MBR Status
--------------------------------------------
55 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A

Done!

GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2010-12-31 16:05:43
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 SAMSUNG_HM060HI rev.YD100-15
Running: 154nruub.exe; Driver: C:\DOCUME~1\Paul\LOCALS~1\Temp\ffnorkob.sys

---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xB9A0E000, 0x1B85E6, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1592] ntdll.dll!NtCreateFile + 6 7C90D0B4 4 Bytes [28, 00, 16, 00]
.text C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1592] ntdll.dll!NtCreateFile + B 7C90D0B9 1 Byte [E2]
.text C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1592] ntdll.dll!NtMapViewOfSection + 6 7C90D524 1 Byte [28]
.text C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1592] ntdll.dll!NtMapViewOfSection + 6 7C90D524 4 Bytes [28, 03, 16, 00]
.text C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1592] ntdll.dll!NtMapViewOfSection + B 7C90D529 1 Byte [E2]
.text C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1592] ntdll.dll!NtOpenFile + 6 7C90D5A4 4 Bytes [68, 00, 16, 00]
.text C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1592] ntdll.dll!NtOpenFile + B 7C90D5A9 1 Byte [E2]
.text C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1592] ntdll.dll!NtOpenProcess + 6 7C90D604 4 Bytes [A8, 01, 16, 00]
.text C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1592] ntdll.dll!NtOpenProcess + B 7C90D609 1 Byte [E2]
.text C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1592] ntdll.dll!NtOpenProcessToken + 6 7C90D614 4 Bytes CALL 7B90EC1A
.text C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1592] ntdll.dll!NtOpenProcessToken + B 7C90D619 1 Byte [E2]
.text C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1592] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D624 4 Bytes [A8, 02, 16, 00]
.text C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1592] ntdll.dll!NtOpenProcessTokenEx + B 7C90D629 1 Byte [E2]
.text C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1592] ntdll.dll!NtOpenThread + 6 7C90D664 4 Bytes [68, 01, 16, 00]
.text C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1592] ntdll.dll!NtOpenThread + B 7C90D669 1 Byte [E2]
.text C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1592] ntdll.dll!NtOpenThreadToken + 6 7C90D674 4 Bytes [68, 02, 16, 00]
.text C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1592] ntdll.dll!NtOpenThreadToken + B 7C90D679 1 Byte [E2]
.text C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1592] ntdll.dll!NtOpenThreadTokenEx + 6 7C90D684 4 Bytes CALL 7B90EC8B
.text C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1592] ntdll.dll!NtOpenThreadTokenEx + B 7C90D689 1 Byte [E2]
.text C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1592] ntdll.dll!NtQueryAttributesFile + 6 7C90D714 4 Bytes [A8, 00, 16, 00]
.text C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1592] ntdll.dll!NtQueryAttributesFile + B 7C90D719 1 Byte [E2]
.text C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1592] ntdll.dll!NtQueryFullAttributesFile + 6 7C90D7B4 4 Bytes CALL 7B90EDB9
.text C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1592] ntdll.dll!NtQueryFullAttributesFile + B 7C90D7B9 1 Byte [E2]
.text C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1592] ntdll.dll!NtSetInformationFile + 6 7C90DC64 4 Bytes [28, 01, 16, 00]
.text C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1592] ntdll.dll!NtSetInformationFile + B 7C90DC69 1 Byte [E2]
.text C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1592] ntdll.dll!NtSetInformationThread + 6 7C90DCB4 4 Bytes [28, 02, 16, 00]
.text C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1592] ntdll.dll!NtSetInformationThread + B 7C90DCB9 1 Byte [E2]
.text C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1592] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 1 Byte [68]
.text C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1592] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 4 Bytes [68, 03, 16, 00]
.text C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1592] ntdll.dll!NtUnmapViewOfSection + B 7C90DF19 1 Byte [E2]
.text C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1784] ntdll.dll!NtCreateFile + 6 7C90D0B4 4 Bytes [28, 00, 16, 00]
.text C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1784] ntdll.dll!NtCreateFile + B 7C90D0B9 1 Byte [E2]
.text C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1784] ntdll.dll!NtMapViewOfSection + 6 7C90D524 1 Byte [28]
.text C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1784] ntdll.dll!NtMapViewOfSection + 6 7C90D524 4 Bytes [28, 03, 16, 00]
.text C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1784] ntdll.dll!NtMapViewOfSection + B 7C90D529 1 Byte [E2]
.text C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1784] ntdll.dll!NtOpenFile + 6 7C90D5A4 4 Bytes [68, 00, 16, 00]
.text C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1784] ntdll.dll!NtOpenFile + B 7C90D5A9 1 Byte [E2]
.text C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1784] ntdll.dll!NtOpenProcess + 6 7C90D604 4 Bytes [A8, 01, 16, 00]
.text C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1784] ntdll.dll!NtOpenProcess + B 7C90D609 1 Byte [E2]
.text C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1784] ntdll.dll!NtOpenProcessToken + 6 7C90D614 4 Bytes CALL 7B90EC1A
.text C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1784] ntdll.dll!NtOpenProcessToken + B 7C90D619 1 Byte [E2]
.text C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1784] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D624 4 Bytes [A8, 02, 16, 00]
.text C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1784] ntdll.dll!NtOpenProcessTokenEx + B 7C90D629 1 Byte [E2]
.text C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1784] ntdll.dll!NtOpenThread + 6 7C90D664 4 Bytes [68, 01, 16, 00]
.text C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1784] ntdll.dll!NtOpenThread + B 7C90D669 1 Byte [E2]
.text C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1784] ntdll.dll!NtOpenThreadToken + 6 7C90D674 4 Bytes [68, 02, 16, 00]
.text C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1784] ntdll.dll!NtOpenThreadToken + B 7C90D679 1 Byte [E2]
.text C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1784] ntdll.dll!NtOpenThreadTokenEx + 6 7C90D684 4 Bytes CALL 7B90EC8B
.text C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1784] ntdll.dll!NtOpenThreadTokenEx + B 7C90D689 1 Byte [E2]
.text C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1784] ntdll.dll!NtQueryAttributesFile + 6 7C90D714 4 Bytes [A8, 00, 16, 00]
.text C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1784] ntdll.dll!NtQueryAttributesFile + B 7C90D719 1 Byte [E2]
.text C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1784] ntdll.dll!NtQueryFullAttributesFile + 6 7C90D7B4 4 Bytes CALL 7B90EDB9
.text C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1784] ntdll.dll!NtQueryFullAttributesFile + B 7C90D7B9 1 Byte [E2]
.text C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1784] ntdll.dll!NtSetInformationFile + 6 7C90DC64 4 Bytes [28, 01, 16, 00]
.text C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1784] ntdll.dll!NtSetInformationFile + B 7C90DC69 1 Byte [E2]
.text C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1784] ntdll.dll!NtSetInformationThread + 6 7C90DCB4 4 Bytes [28, 02, 16, 00]
.text C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1784] ntdll.dll!NtSetInformationThread + B 7C90DCB9 1 Byte [E2]
.text C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1784] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 1 Byte [68]
.text C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1784] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 4 Bytes [68, 03, 16, 00]
.text C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1784] ntdll.dll!NtUnmapViewOfSection + B 7C90DF19 1 Byte [E2]
.text C:\WINDOWS\system32\SearchIndexer.exe[2328] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)
.text C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3104] ntdll.dll!NtCreateFile + 6 7C90D0B4 4 Bytes [28, 00, 16, 00]
.text C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3104] ntdll.dll!NtCreateFile + B 7C90D0B9 1 Byte [E2]
.text C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3104] ntdll.dll!NtMapViewOfSection + 6 7C90D524 1 Byte [28]
.text C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3104] ntdll.dll!NtMapViewOfSection + 6 7C90D524 4 Bytes [28, 03, 16, 00]
.text C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3104] ntdll.dll!NtMapViewOfSection + B 7C90D529 1 Byte [E2]
.text C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3104] ntdll.dll!NtOpenFile + 6 7C90D5A4 4 Bytes [68, 00, 16, 00]
.text C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3104] ntdll.dll!NtOpenFile + B 7C90D5A9 1 Byte [E2]
.text C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3104] ntdll.dll!NtOpenProcess + 6 7C90D604 4 Bytes [A8, 01, 16, 00]
.text C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3104] ntdll.dll!NtOpenProcess + B 7C90D609 1 Byte [E2]
.text C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3104] ntdll.dll!NtOpenProcessToken + 6 7C90D614 4 Bytes CALL 7B90EC1A
.text C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3104] ntdll.dll!NtOpenProcessToken + B 7C90D619 1 Byte [E2]
.text C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3104] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D624 4 Bytes [A8, 02, 16, 00]
.text C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3104] ntdll.dll!NtOpenProcessTokenEx + B 7C90D629 1 Byte [E2]
.text C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3104] ntdll.dll!NtOpenThread + 6 7C90D664 4 Bytes [68, 01, 16, 00]
.text C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3104] ntdll.dll!NtOpenThread + B 7C90D669 1 Byte [E2]
.text C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3104] ntdll.dll!NtOpenThreadToken + 6 7C90D674 4 Bytes [68, 02, 16, 00]
.text C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3104] ntdll.dll!NtOpenThreadToken + B 7C90D679 1 Byte [E2]
.text C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3104] ntdll.dll!NtOpenThreadTokenEx + 6 7C90D684 4 Bytes CALL 7B90EC8B
.text C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3104] ntdll.dll!NtOpenThreadTokenEx + B 7C90D689 1 Byte [E2]
.text C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3104] ntdll.dll!NtQueryAttributesFile + 6 7C90D714 4 Bytes [A8, 00, 16, 00]
.text C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3104] ntdll.dll!NtQueryAttributesFile + B 7C90D719 1 Byte [E2]
.text C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3104] ntdll.dll!NtQueryFullAttributesFile + 6 7C90D7B4 4 Bytes CALL 7B90EDB9
.text C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3104] ntdll.dll!NtQueryFullAttributesFile + B 7C90D7B9 1 Byte [E2]
.text C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3104] ntdll.dll!NtSetInformationFile + 6 7C90DC64 4 Bytes [28, 01, 16, 00]
.text C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3104] ntdll.dll!NtSetInformationFile + B 7C90DC69 1 Byte [E2]
.text C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3104] ntdll.dll!NtSetInformationThread + 6 7C90DCB4 4 Bytes [28, 02, 16, 00]
.text C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3104] ntdll.dll!NtSetInformationThread + B 7C90DCB9 1 Byte [E2]
.text C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3104] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 1 Byte [68]
.text C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3104] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 4 Bytes [68, 03, 16, 00]
.text C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3104] ntdll.dll!NtUnmapViewOfSection + B 7C90DF19 1 Byte [E2]
.text C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3972] ntdll.dll!NtCreateFile + 6 7C90D0B4 4 Bytes [28, 00, 16, 00]
.text C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3972] ntdll.dll!NtCreateFile + B 7C90D0B9 1 Byte [E2]
.text C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3972] ntdll.dll!NtMapViewOfSection + 6 7C90D524 1 Byte [28]
.text C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3972] ntdll.dll!NtMapViewOfSection + 6 7C90D524 4 Bytes [28, 03, 16, 00]
.text C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3972] ntdll.dll!NtMapViewOfSection + B 7C90D529 1 Byte [E2]
.text C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3972] ntdll.dll!NtOpenFile + 6 7C90D5A4 4 Bytes [68, 00, 16, 00]
.text C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3972] ntdll.dll!NtOpenFile + B 7C90D5A9 1 Byte [E2]
.text C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3972] ntdll.dll!NtOpenProcess + 6 7C90D604 4 Bytes [A8, 01, 16, 00]
.text C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3972] ntdll.dll!NtOpenProcess + B 7C90D609 1 Byte [E2]
.text C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3972] ntdll.dll!NtOpenProcessToken + 6 7C90D614 4 Bytes CALL 7B90EC1A
.text C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3972] ntdll.dll!NtOpenProcessToken + B 7C90D619 1 Byte [E2]
.text C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3972] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D624 4 Bytes [A8, 02, 16, 00]
.text C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3972] ntdll.dll!NtOpenProcessTokenEx + B 7C90D629 1 Byte [E2]
.text C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3972] ntdll.dll!NtOpenThread + 6 7C90D664 4 Bytes [68, 01, 16, 00]
.text C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3972] ntdll.dll!NtOpenThread + B 7C90D669 1 Byte [E2]
.text C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3972] ntdll.dll!NtOpenThreadToken + 6 7C90D674 4 Bytes [68, 02, 16, 00]
.text C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3972] ntdll.dll!NtOpenThreadToken + B 7C90D679 1 Byte [E2]
.text C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3972] ntdll.dll!NtOpenThreadTokenEx + 6 7C90D684 4 Bytes CALL 7B90EC8B
.text C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3972] ntdll.dll!NtOpenThreadTokenEx + B 7C90D689 1 Byte [E2]
.text C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3972] ntdll.dll!NtQueryAttributesFile + 6 7C90D714 4 Bytes [A8, 00, 16, 00]
.text C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3972] ntdll.dll!NtQueryAttributesFile + B 7C90D719 1 Byte [E2]
.text C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3972] ntdll.dll!NtQueryFullAttributesFile + 6 7C90D7B4 4 Bytes CALL 7B90EDB9
.text C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3972] ntdll.dll!NtQueryFullAttributesFile + B 7C90D7B9 1 Byte [E2]
.text C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3972] ntdll.dll!NtSetInformationFile + 6 7C90DC64 4 Bytes [28, 01, 16, 00]
.text C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3972] ntdll.dll!NtSetInformationFile + B 7C90DC69 1 Byte [E2]
.text C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3972] ntdll.dll!NtSetInformationThread + 6 7C90DCB4 4 Bytes [28, 02, 16, 00]
.text C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3972] ntdll.dll!NtSetInformationThread + B 7C90DCB9 1 Byte [E2]
.text C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3972] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 1 Byte [68]
.text C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3972] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 4 Bytes [68, 03, 16, 00]
.text C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3972] ntdll.dll!NtUnmapViewOfSection + B 7C90DF19 1 Byte [E2]
.text C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4020] ntdll.dll!NtCreateFile + 6 7C90D0B4 4 Bytes [28, 00, 16, 00]
.text C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4020] ntdll.dll!NtCreateFile + B 7C90D0B9 1 Byte [E2]
.text C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4020] ntdll.dll!NtMapViewOfSection + 6 7C90D524 1 Byte [28]
.text C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4020] ntdll.dll!NtMapViewOfSection + 6 7C90D524 4 Bytes [28, 03, 16, 00]
.text C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4020] ntdll.dll!NtMapViewOfSection + B 7C90D529 1 Byte [E2]
.text C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4020] ntdll.dll!NtOpenFile + 6 7C90D5A4 4 Bytes [68, 00, 16, 00]
.text C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4020] ntdll.dll!NtOpenFile + B 7C90D5A9 1 Byte [E2]
.text C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4020] ntdll.dll!NtOpenProcess + 6 7C90D604 4 Bytes [A8, 01, 16, 00]
.text C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4020] ntdll.dll!NtOpenProcess + B 7C90D609 1 Byte [E2]
.text C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4020] ntdll.dll!NtOpenProcessToken + 6 7C90D614 4 Bytes CALL 7B90EC1A
.text C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4020] ntdll.dll!NtOpenProcessToken + B 7C90D619 1 Byte [E2]
.text C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4020] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D624 4 Bytes [A8, 02, 16, 00]
.text C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4020] ntdll.dll!NtOpenProcessTokenEx + B 7C90D629 1 Byte [E2]
.text C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4020] ntdll.dll!NtOpenThread + 6 7C90D664 4 Bytes [68, 01, 16, 00]
.text C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4020] ntdll.dll!NtOpenThread + B 7C90D669 1 Byte [E2]
.text C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4020] ntdll.dll!NtOpenThreadToken + 6 7C90D674 4 Bytes [68, 02, 16, 00]
.text C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4020] ntdll.dll!NtOpenThreadToken + B 7C90D679 1 Byte [E2]
.text C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4020] ntdll.dll!NtOpenThreadTokenEx + 6 7C90D684 4 Bytes CALL 7B90EC8B
.text C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4020] ntdll.dll!NtOpenThreadTokenEx + B 7C90D689 1 Byte [E2]
.text C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4020] ntdll.dll!NtQueryAttributesFile + 6 7C90D714 4 Bytes [A8, 00, 16, 00]
.text C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4020] ntdll.dll!NtQueryAttributesFile + B 7C90D719 1 Byte [E2]
.text C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4020] ntdll.dll!NtQueryFullAttributesFile + 6 7C90D7B4 4 Bytes CALL 7B90EDB9
.text C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4020] ntdll.dll!NtQueryFullAttributesFile + B 7C90D7B9 1 Byte [E2]
.text C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4020] ntdll.dll!NtSetInformationFile + 6 7C90DC64 4 Bytes [28, 01, 16, 00]
.text C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4020] ntdll.dll!NtSetInformationFile + B 7C90DC69 1 Byte [E2]
.text C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4020] ntdll.dll!NtSetInformationThread + 6 7C90DCB4 4 Bytes [28, 02, 16, 00]
.text C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4020] ntdll.dll!NtSetInformationThread + B 7C90DCB9 1 Byte [E2]
.text C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4020] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 1 Byte [68]
.text C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4020] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 4 Bytes [68, 03, 16, 00]
.text C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4020] ntdll.dll!NtUnmapViewOfSection + B 7C90DF19 1 Byte [E2]

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1592] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!CreateNamedPipeW] 002C0010
IAT C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1784] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!CreateNamedPipeW] 002C0010
IAT C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3104] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!CreateNamedPipeW] 002C0010
IAT C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3972] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!CreateNamedPipeW] 002C0010
IAT C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4020] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!CreateNamedPipeW] 002C0010

---- Devices - GMER 1.0.15 ----

Device Ntfs.sys (NT File System Driver/Microsoft Corporation)

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 hotcore3.sys (A part of Paragon System Utilities/Paragon Software Group)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 hotcore3.sys (A part of Paragon System Utilities/Paragon Software Group)

Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 01: copy of MBR

---- EOF - GMER 1.0.15 ----

broni · 2011/01/01

Please, observe following rules:

Read all of my instructions very carefully. Your mistakes during cleaning process may have very serious consequences, like unbootable computer.

If you're stuck, or you're not sure about certain step, always ask before doing anything else.

Please refrain from running tools or applying updates other than those I suggest.

Never run more than one scan at a time.

Keep updating me regarding your computer behavior, good, or bad.

The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.

If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.

I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

===============================================================

Yes, it looks like you're infected.

Download TDSSKiller and save it to your desktop.

Extract (unzip) its contents to your desktop.

Open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.

If an infected file is detected, the default action will be Cure, click on Continue.

If a suspicious file is detected, the default action will be Skip, click on Continue.

It may ask you to reboot the computer to complete the process. Click on Reboot Now.

If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.

If a reboot is required, the report can also be found in your root directory (usually C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here.

psaulm119 · 2011/01/01

Thanks Broni.
I did a scan and it said nothing was detected.

Here's the report:

2011/01/01 09:54:02.0828 TDSS rootkit removing tool 2.4.12.0 Dec 16 2010 09:46:46
2011/01/01 09:54:02.0828 ================================================================================
2011/01/01 09:54:02.0828 SystemInfo:
2011/01/01 09:54:02.0828
2011/01/01 09:54:02.0828 OS Version: 5.1.2600 ServicePack: 3.0
2011/01/01 09:54:02.0828 Product type: Workstation
2011/01/01 09:54:02.0828 ComputerName: PAUL-NRCW396W1E
2011/01/01 09:54:02.0828 UserName: Paul
2011/01/01 09:54:02.0828 Windows directory: C:\WINDOWS
2011/01/01 09:54:02.0828 System windows directory: C:\WINDOWS
2011/01/01 09:54:02.0828 Processor architecture: Intel x86
2011/01/01 09:54:02.0828 Number of processors: 2
2011/01/01 09:54:02.0828 Page size: 0x1000
2011/01/01 09:54:02.0828 Boot type: Normal boot
2011/01/01 09:54:02.0828 ================================================================================
2011/01/01 09:54:03.0234 Initialize success
2011/01/01 09:54:16.0750 ================================================================================
2011/01/01 09:54:16.0750 Scan started
2011/01/01 09:54:16.0750 Mode: Manual;
2011/01/01 09:54:16.0750 ================================================================================
2011/01/01 09:54:17.0531 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/01/01 09:54:17.0562 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\DRIVERS\ACPIEC.sys
2011/01/01 09:54:17.0656 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2011/01/01 09:54:17.0718 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
2011/01/01 09:54:17.0765 AFS2K (b34b1ab0a7690a0e2301fec6d17b2fc1) C:\WINDOWS\system32\drivers\AFS2K.sys
2011/01/01 09:54:17.0906 AmdPPM (033448d435e65c4bd72e70521fd05c76) C:\WINDOWS\system32\DRIVERS\AmdPPM.sys
2011/01/01 09:54:18.0062 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/01/01 09:54:18.0078 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/01/01 09:54:18.0312 ati2mtag (1db0e5f78a67307f9c68d777873c1164) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
2011/01/01 09:54:18.0375 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/01/01 09:54:18.0437 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/01/01 09:54:18.0515 BCM43XX (b89bcf0a25aeb3b47030ac83287f894a) C:\WINDOWS\system32\DRIVERS\bcmwl5.sys
2011/01/01 09:54:18.0593 bcm4sbxp (cd4646067cc7dcba1907fa0acf7e3966) C:\WINDOWS\system32\DRIVERS\bcm4sbxp.sys
2011/01/01 09:54:18.0625 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/01/01 09:54:18.0687 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/01/01 09:54:18.0734 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
2011/01/01 09:54:18.0796 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/01/01 09:54:18.0812 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/01/01 09:54:18.0843 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/01/01 09:54:18.0921 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
2011/01/01 09:54:18.0953 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
2011/01/01 09:54:19.0062 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/01/01 09:54:19.0156 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2011/01/01 09:54:19.0187 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2011/01/01 09:54:19.0218 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/01/01 09:54:19.0281 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2011/01/01 09:54:19.0328 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/01/01 09:54:19.0375 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/01/01 09:54:19.0406 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
2011/01/01 09:54:19.0437 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2011/01/01 09:54:19.0453 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
2011/01/01 09:54:19.0468 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2011/01/01 09:54:19.0515 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/01/01 09:54:19.0546 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/01/01 09:54:19.0578 genmcmnUSB (86f732d2995ada73fd307539ec266d3a) C:\WINDOWS\system32\DRIVERS\gflmouhid.sys
2011/01/01 09:54:19.0625 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/01/01 09:54:19.0656 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
2011/01/01 09:54:19.0703 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2011/01/01 09:54:19.0750 hotcore3 (8e0968b308040261c53b216e3ce7559a) C:\WINDOWS\system32\DRIVERS\hotcore3.sys
2011/01/01 09:54:19.0812 HSFHWAZL (1c8caa80e91fb71864e9426f9eed048d) C:\WINDOWS\system32\DRIVERS\HSFHWAZL.sys
2011/01/01 09:54:19.0890 HSF_DPV (698204d9c2832e53633e53a30a53fc3d) C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys
2011/01/01 09:54:19.0937 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/01/01 09:54:20.0031 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/01/01 09:54:20.0078 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/01/01 09:54:20.0171 ip6fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2011/01/01 09:54:20.0218 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2011/01/01 09:54:20.0250 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/01/01 09:54:20.0296 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/01/01 09:54:20.0328 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/01/01 09:54:20.0375 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/01/01 09:54:20.0421 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/01/01 09:54:20.0453 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/01/01 09:54:20.0484 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2011/01/01 09:54:20.0546 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2011/01/01 09:54:20.0593 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/01/01 09:54:20.0671 MBAMProtector (836e0e09ca9869be7eb39ef2cf3602c7) C:\WINDOWS\system32\drivers\mbam.sys
2011/01/01 09:54:20.0718 mdmxsdk (3c318b9cd391371bed62126581ee9961) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
2011/01/01 09:54:20.0781 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/01/01 09:54:20.0812 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2011/01/01 09:54:20.0859 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/01/01 09:54:20.0906 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2011/01/01 09:54:20.0921 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/01/01 09:54:20.0984 MpFilter (7e34bfa1a7b60bba1da03d677f16cd63) C:\WINDOWS\system32\DRIVERS\MpFilter.sys
2011/01/01 09:54:21.0046 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/01/01 09:54:21.0125 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/01/01 09:54:21.0156 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2011/01/01 09:54:21.0234 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/01/01 09:54:21.0265 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/01/01 09:54:21.0281 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/01/01 09:54:21.0312 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/01/01 09:54:21.0375 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
2011/01/01 09:54:21.0406 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2011/01/01 09:54:21.0453 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
2011/01/01 09:54:21.0484 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2011/01/01 09:54:21.0515 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
2011/01/01 09:54:21.0562 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/01/01 09:54:21.0593 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/01/01 09:54:21.0625 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/01/01 09:54:21.0671 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/01/01 09:54:21.0718 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/01/01 09:54:21.0750 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/01/01 09:54:21.0796 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2011/01/01 09:54:21.0843 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/01/01 09:54:21.0906 NuidFltr (cf7e041663119e09d2e118521ada9300) C:\WINDOWS\system32\DRIVERS\NuidFltr.sys
2011/01/01 09:54:21.0937 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/01/01 09:54:21.0984 NWADI (6f1455b88a1bf5dadac344d647208a81) C:\WINDOWS\system32\DRIVERS\NWADIenum.sys
2011/01/01 09:54:22.0046 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/01/01 09:54:22.0062 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/01/01 09:54:22.0140 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\drivers\Parport.sys
2011/01/01 09:54:22.0156 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/01/01 09:54:22.0203 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/01/01 09:54:22.0234 PCASp50 (803c8e7f4d00fe832c1f3871514fec85) C:\WINDOWS\system32\Drivers\PCASp50.sys
2011/01/01 09:54:22.0281 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/01/01 09:54:22.0359 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2011/01/01 09:54:22.0406 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2011/01/01 09:54:22.0578 Point32 (2e3394c8ebf31a9b4f0a531eb5cc7bc7) C:\WINDOWS\system32\DRIVERS\point32.sys
2011/01/01 09:54:22.0625 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/01/01 09:54:22.0656 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
2011/01/01 09:54:22.0687 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/01/01 09:54:22.0718 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/01/01 09:54:22.0781 PxHelp20 (feffcfdc528764a04c8ed63d5fa6e711) C:\WINDOWS\system32\Drivers\PxHelp20.sys
2011/01/01 09:54:22.0906 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/01/01 09:54:22.0937 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/01/01 09:54:22.0968 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/01/01 09:54:22.0984 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/01/01 09:54:23.0031 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/01/01 09:54:23.0046 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/01/01 09:54:23.0109 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/01/01 09:54:23.0156 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/01/01 09:54:23.0187 rimmptsk (d85e3fa9f5b1f29bb4ed185c450d1470) C:\WINDOWS\system32\DRIVERS\rimmptsk.sys
2011/01/01 09:54:23.0265 sdbus (8d04819a3ce51b9eb47e5689b44d43c4) C:\WINDOWS\system32\DRIVERS\sdbus.sys
2011/01/01 09:54:23.0312 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/01/01 09:54:23.0359 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\drivers\Serial.sys
2011/01/01 09:54:23.0421 sffdisk (0fa803c64df0914b41f807ea276bf2a6) C:\WINDOWS\system32\DRIVERS\sffdisk.sys
2011/01/01 09:54:23.0453 sffp_sd (c17c331e435ed8737525c86a7557b3ac) C:\WINDOWS\system32\DRIVERS\sffp_sd.sys
2011/01/01 09:54:23.0468 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2011/01/01 09:54:23.0546 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
2011/01/01 09:54:23.0625 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2011/01/01 09:54:23.0671 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/01/01 09:54:23.0750 Srv (0f6aefad3641a657e18081f52d0c15af) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/01/01 09:54:23.0890 STHDA (951801dfb54d86f611f0af47825476f9) C:\WINDOWS\system32\drivers\sthda.sys
2011/01/01 09:54:23.0953 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
2011/01/01 09:54:23.0984 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/01/01 09:54:24.0046 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2011/01/01 09:54:24.0234 SynTP (6bef3acd6ee22eec55b68699e8aace09) C:\WINDOWS\system32\DRIVERS\SynTP.sys
2011/01/01 09:54:24.0265 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/01/01 09:54:24.0343 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/01/01 09:54:24.0421 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/01/01 09:54:24.0453 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/01/01 09:54:24.0500 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/01/01 09:54:24.0562 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2011/01/01 09:54:24.0671 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2011/01/01 09:54:24.0734 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys
2011/01/01 09:54:24.0796 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2011/01/01 09:54:24.0812 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/01/01 09:54:24.0828 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/01/01 09:54:24.0875 usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys
2011/01/01 09:54:24.0906 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2011/01/01 09:54:24.0968 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2011/01/01 09:54:25.0031 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/01/01 09:54:25.0062 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2011/01/01 09:54:25.0109 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/01/01 09:54:25.0250 VX3000 (42870675b4d84acd81a9da69b83f14c5) C:\WINDOWS\system32\DRIVERS\VX3000.sys
2011/01/01 09:54:25.0312 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/01/01 09:54:25.0390 Wdf01000 (d918617b46457b9ac28027722e30f647) C:\WINDOWS\system32\Drivers\wdf01000.sys
2011/01/01 09:54:25.0484 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/01/01 09:54:25.0578 winachsf (74cf3f2e4e40c4a2e18d39d6300a5c24) C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys
2011/01/01 09:54:25.0671 WmiAcpi (c42584fd66ce9e17403aebca199f7bdb) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
2011/01/01 09:54:25.0750 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
2011/01/01 09:54:25.0812 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2011/01/01 09:54:25.0859 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2011/01/01 09:54:26.0250 ================================================================================
2011/01/01 09:54:26.0250 Scan finished
2011/01/01 09:54:26.0250 ================================================================================

broni · 2011/01/01

Please download ComboFix from [color= "Red"]Here[/color] or [color= "#FF0000"]Here[/color] to your Desktop.

[color= "Blue"]**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**[/color]

Please, never rename Combofix unless instructed.

Close any open browsers.

Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results ".

Click on [color= "Red"]this link[/color] to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

NOTE1. If Combofix asks you to install Recovery Console, please allow it.
NOTE 2. If Combofix asks you to update the program, always do so.

Close any open browsers.

[color= "Red"]WARNING:[/color] Combofix will disconnect your machine from the Internet as soon as it starts

Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.

If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

Double click on combofix.exe & follow the prompts.

When finished, it will produce a report for you.

Please post the "C:\ComboFix.txt"

**Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
**Note 2 for AVG users: ComboFix will not run until AVG is uninstalled as a protective measure against the anti-virus. This is because AVG "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results ". Since AVG cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG first.
Use AppRemover to uninstall it: http://www.appremover.com/
We can reinstall it when we're done with CF.
**Note 3: If you receive an error "Illegal operation attempted on a registery key that has been marked for deletion ", restart computer to fix the issue.

Make sure, you re-enable your security programs, when you're done with Combofix.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

NOTE.
If, for some reason, Combofix refuses to run, try one of the following:

1. Run Combofix from Safe Mode.

2. Delete Combofix file, download fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
Do NOT run it yet.

Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

There are 4 different versions. If one of them won't run then download and try to run the other one.

Vista and Win7 users need to right click Rkill and choose Run as Administrator

You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

Rkill.com
Rkill.scr
Rkill.pif
Rkill.exe

Double-click on the Rkill desktop icon to run the tool.

If using Vista or Windows 7 right-click on it and choose Run As Administrator.

A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.

If not, delete the file, then download and use the one provided in Link 2.

If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.

Do not reboot until instructed.

If the tool does not run from any of the links provided, please let me know.

Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

If normal mode still doesn't work, run BOTH tools from safe mode.

In case #2, please post BOTH logs, rKill and Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!

psaulm119 · 2011/01/01

Broni, I ran ComboFix for about 40 minutes (the window that pops up says that it normally takes 10 minutes, double that for heavily infected computers) and there was nothing--no further messages about the report, no report itself, nothing telling me that teh scan was done. The computer froze up, I couldn't even bring up task manager with Ctrl+Alt+Del.

Do you want me to run this in safe mode, or run it with Rkill?

broni · 2011/01/01

Please try ways listed after:

NOTE.
If, for some reason, Combofix refuses to run, try one of the following:
Click to expand...

psaulm119 · 2011/01/01

OK I've d/l rkill, but after booting into safe mode, whether running Combofix or rkill, the laptop overheats and shuts down--neither program seems to be able to finish. I have a cooling pad underneath this laptop that runs whenever the laptop is turned on, so I'm really surprised that it is overheating.

At any rate, I'll let it sit for a few hours, and then try this again.

broni · 2011/01/01

Let's see, if we can look at your computer booting from an external source.

Please download OTLPE (filesize 120,9 MB)

When downloaded double click on OTLPENet.exe and make sure there is a blank CD in your CD drive. This will automatically create a bootable CD.

Reboot your system using the boot CD you just created.

Note : If you do not know how to set your computer to boot from CD follow the steps here

Your system should now display a REATOGO-X-PE desktop.

Depending on your type of internet connection, you should be able to get online as well so you can access this topic more easily.

Double-click on the OTLPE icon.

When asked Do you wish to load the remote registry, select Yes

When asked Do you wish to load remote user profile(s) for scanning, select Yes

Ensure the box Automatically Load All Remaining Users" is checked and press OK

OTL should now start.

Press Run Scan to start the scan.

When finished, the file will be saved in drive C:\OTL.txt

Copy this file to your USB drive if you do not have internet connection on this system

Please post the contents of the OTL.txt file in your reply.

psaulm119 · 2011/01/01

OK. GOt online and am d/l the OTLPEN.exe.

After booting back normally, now Windows says it cant find MSSE--it didn't load like it normally does in my ssytem tray, and going into it from the programs section of the start menu gave me that error message.

I'm beginning to think a reinstall is called for here, but on the other, I'd like to clean up whatever has crammed itself into my computer....

broni · 2011/01/01

You can create that CD on any computer.
Another working computer would even be recommended to do it.

psaulm119 · 2011/01/01

OK here is the OTL log:

OTL logfile created on: 1/1/2011 1:31:13 PM - Run
OTLPE by OldTimer - Version 3.1.43.0 Folder = X:\Programs\OTLPE
Microsoft Windows XP Service Pack 3 (Version = 5.1.2600) - Type = SYSTEM
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 86.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 97.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 29.30 Gb Total Space | 11.70 Gb Free Space | 39.93% Space Free | Partition Type: NTFS
Drive D: | 26.58 Gb Total Space | 9.49 Gb Free Space | 35.71% Space Free | Partition Type: NTFS
Drive X: | 434.99 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: REATOGO | User Name: SYSTEM
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
Using ControlSet: ControlSet001

========== Win32 Services (SafeList) ==========

SRV - File not found [Auto] -- C:\ComboFix\PEV.cfx -- (PEVSystemStart)
SRV - File not found [On_Demand] -- C:\WINDOWS\System32\appmgmts.dll -- (AppMgmt)
SRV - [2010/12/30 22:04:52 | 000,030,192 | ---- | M] (Google) [On_Demand] -- C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe -- (GoogleDesktopManager-051210-111108)
SRV - [2010/12/20 21:08:58 | 000,363,344 | ---- | M] (Malwarebytes Corporation) [Auto] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
SRV - [2010/11/11 15:26:40 | 000,011,736 | ---- | M] (Microsoft Corporation) [Auto] -- C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe -- (MsMpSvc)
SRV - [2010/03/25 12:25:22 | 030,969,208 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\Program Files\Microsoft Office\Office14\GROOVE.EXE -- (Microsoft SharePoint Workspace Audit Service)
SRV - [2004/10/22 05:24:18 | 000,073,728 | ---- | M] (Macrovision Corporation) [On_Demand] -- C:\Program Files\Roxio\Roxio MyDVD DE\InstallShield\Driver\1050\Intel 32\IDriverT.exe -- (IDriverT)

========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand] -- C:\WINDOWS\System32\DRIVERS\sxuptp.sys -- (sxuptp)
DRV - File not found [Kernel | On_Demand] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand] -- -- (PDCOMP)
DRV - File not found [Kernel | System] -- -- (PCIDump)
DRV - File not found [Kernel | System] -- -- (lbrtfdc)
DRV - File not found [Kernel | System] -- -- (i2omgmt)
DRV - File not found [Kernel | On_Demand] -- C:\WINDOWS\System32\Drivers\DlinkUDSMBus.sys -- (DlinkUDSMBus)
DRV - File not found [Kernel | System] -- -- (Changer)
DRV - File not found [Kernel | On_Demand] -- C:\DOCUME~1\Paul\LOCALS~1\Temp\catchme.sys -- (catchme)
DRV - [2010/12/20 21:08:40 | 000,020,952 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand] -- C:\WINDOWS\system32\drivers\mbam.sys -- (MBAMProtector)
DRV - [2009/12/15 12:14:43 | 000,082,380 | ---- | M] (Oak Technology Inc.) [Kernel | System] -- C:\WINDOWS\System32\drivers\AFS2K.SYS -- (AFS2K)
DRV - [2009/09/29 16:06:46 | 000,040,560 | ---- | M] (Paragon Software Group) [Kernel | Boot] -- C:\WINDOWS\system32\drivers\hotcore3.sys -- (hotcore3)
DRV - [2009/08/28 12:33:50 | 000,228,784 | ---- | M] (Synaptics Incorporated) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\SynTP.sys -- (SynTP)
DRV - [2009/06/26 19:21:02 | 001,956,352 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\VX3000.sys -- (VX3000)
DRV - [2009/01/14 02:14:01 | 003,455,488 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2008/04/13 12:45:12 | 000,060,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\USBAUDIO.sys -- (usbaudio) USB Audio Driver (WDM)
DRV - [2008/04/13 11:36:05 | 000,144,384 | ---- | M] (Windows (R) Server 2003 DDK provider) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2007/05/10 13:24:34 | 001,222,840 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\sthda.sys -- (STHDA)
DRV - [2007/04/17 00:46:00 | 000,033,792 | ---- | M] (Advanced Micro Devices) [Kernel | System] -- C:\WINDOWS\system32\drivers\AmdPPM.sys -- (AmdPPM)
DRV - [2007/03/16 21:10:56 | 000,604,928 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\BCMWL5.SYS -- (BCM43XX)
DRV - [2006/11/21 07:25:44 | 000,045,568 | R--- | M] (Broadcom Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\bcm4sbxp.sys -- (bcm4sbxp)
DRV - [2006/11/15 03:16:24 | 000,032,256 | ---- | M] (REDC) [Kernel | Auto] -- C:\WINDOWS\system32\drivers\rimmptsk.sys -- (rimmptsk)
DRV - [2006/04/10 12:46:36 | 000,018,560 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\PCASp50.sys -- (PCASp50)
DRV - [2006/03/27 18:02:06 | 000,074,752 | ---- | M] (Novatel Wireless Inc) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\NWADIenum.sys -- (NWADI)
DRV - [2005/07/22 14:02:12 | 001,035,008 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\HSF_DPV.sys -- (HSF_DPV)
DRV - [2005/07/22 14:01:08 | 000,201,600 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\HSFHWAZL.sys -- (HSFHWAZL)
DRV - [2005/07/22 14:01:00 | 000,717,952 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2004/04/19 18:01:00 | 000,006,656 | ---- | M] () [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\gflmouhid.sys -- (genmcmnUSB)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\LocalService_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\NetworkService_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\Paul_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
IE - HKU\Paul_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKU\Paul_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 1A BC 81 80 5B A4 CB 01 [binary data]
IE - HKU\Paul_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\Temp_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.12\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/12/31 14:23:57 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.12\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/12/08 14:45:43 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\SeaMonkey 2.0.11\extensions\\Components: C:\Program Files\SeaMonkey\components [2010/12/18 01:25:27 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\SeaMonkey 2.0.11\extensions\\Plugins: C:\Program Files\SeaMonkey\plugins [2010/12/18 01:25:27 | 000,000,000 | ---D | M]

[2010/12/29 07:10:54 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/04/15 17:09:23 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
[2010/10/04 00:20:44 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
[2010/11/09 20:13:26 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
[2010/12/24 15:48:29 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
[2010/11/12 21:53:06 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll
[1999/12/31 19:00:00 | 000,166,680 | ---- | M] (Tracker Software Products Ltd.) -- C:\Program Files\Mozilla Firefox\plugins\npPDFXCviewNPPlugin.dll

O1 HOSTS File: ([2002/09/03 11:34:19 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
O2 - BHO: (Office Document Cache Handler) - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
O3 - HKLM\..\Toolbar: (Copernic Desktop Search - Professional Toolbar) - {45CFEF3A-ADC2-4CC8-BF74-CD0B92908570} - C:\Program Files\Copernic Desktop Search - Pro\Toolbar\ToolbarContainer101000325.dll (Copernic Inc.)
O3 - HKLM\..\Toolbar: (no name) - {4A1C6093-14F9-44D7-860E-5D265CFCA9D9} - No CLSID value found.
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\LocalService_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\NetworkService_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\Paul_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\Paul_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\Temp_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office14\EXCEL.EXE (Microsoft Corporation)
O8 - Extra context menu item: Se&nd to OneNote - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM ()
O9 - Extra 'Tools' menuitem : Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM ()
O9 - Extra Button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM ()
O9 - Extra 'Tools' menuitem : Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM ()
O9 - Extra Button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll (Microsoft Corporation)
O9 - Extra Button: PDFill PDF Editor - {FB858B22-55E2-413f-87F5-30ADC5552151} - C:\Program Files\PlotSoft\PDFill\DownloadPDF.exe (PlotSoft LLC)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1260845174850 (WUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab (Java Plug-in 1.6.0_23)
O16 - DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab (Java Plug-in 1.6.0_23)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab (Java Plug-in 1.6.0_23)
O16 - DPF: {DE22A7AB-A739-4C58-AD52-21F9CD6306B7} http://download.microsoft.com/download/7/E/6/7E6A8567-DFE4-4624-87C3-163549BE2704/clearadj.cab (CTAdjust Class)
O16 - DPF: DirectAnimation Java Classes file://C:\WINDOWS\Java\classes\dajava.cab (Reg Error: Key error.)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O24 - Desktop BackupWallPaper: B:\Documents and Settings\Default User\Application Data\FastStone\FSIV\FSViewerWallPaper.bmp
O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation)
O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 0
O32 - AutoRun File - [2009/12/14 21:38:48 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2006/03/24 06:06:41 | 000,000,053 | R--- | M] () - X:\AUTORUN.INF -- [ CDFS ]
O34 - HKLM BootExecute: (autocheck autochk /k *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/01/01 16:04:40 | 127,353,979 | ---- | C] (Igor Pavlov) -- C:\Documents and Settings\Paul\Desktop\OTLPENet.exe
[2011/01/01 15:12:39 | 000,000,000 | --SD | C] -- C:\ComboFix
[2011/01/01 13:11:58 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2011/01/01 13:09:48 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2011/01/01 13:09:48 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2011/01/01 13:09:48 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2011/01/01 13:09:48 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2011/01/01 13:09:40 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2011/01/01 13:09:11 | 000,000,000 | ---D | C] -- C:\Qoobox
[2011/01/01 12:52:43 | 001,345,624 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Paul\Desktop\TDSSKiller.exe
[2010/12/31 17:53:16 | 000,446,464 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Paul\Desktop\TFC.exe
[2010/12/31 03:32:31 | 000,000,000 | ---D | C] -- C:\Program Files\Copernic Desktop Search - Pro
[2010/12/31 03:31:31 | 009,143,320 | ---- | C] (Copernic Inc.) -- C:\Documents and Settings\Paul\Desktop\CopernicDesktopSearch-Professional-EN-3.4.0.26.exe
[2010/12/30 22:04:36 | 002,014,704 | ---- | C] (Google) -- C:\Documents and Settings\Paul\Desktop\GoogleDesktopSetup.exe
[2010/12/30 20:14:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Paul\Local Settings\Application Data\Copernic
[2010/12/30 20:14:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Paul\Application Data\Copernic
[2010/12/29 00:32:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Paul\Desktop\Tariff Docs
[2010/12/26 09:03:06 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Security Client
[2010/12/24 23:41:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Paul\Application Data\Windows Search
[2010/12/24 23:41:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Paul\Local Settings\Application Data\Identities
[2010/12/24 23:41:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Paul\Application Data\Windows Desktop Search
[2010/12/24 15:48:27 | 000,157,472 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2010/12/24 15:48:27 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2010/12/24 15:48:27 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2010/12/24 15:39:40 | 000,040,960 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ndproxy.sys
[2010/12/24 15:39:07 | 000,045,568 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wab.exe
[2010/12/24 02:05:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Paul\Desktop\New Folder
[2010/12/23 03:59:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Paul\Desktop\1815 Maps
[2010/12/22 00:15:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Paul\Application Data\Malwarebytes
[2010/12/08 14:45:49 | 000,086,016 | ---- | C] (MindVision) -- C:\WINDOWS\unvise32qt.exe
[2010/12/08 14:44:35 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\QuickTime
[2010/12/08 14:44:29 | 000,000,000 | ---D | C] -- C:\Program Files\QuickTime
[2010/12/08 14:43:10 | 000,000,000 | ---D | C] -- C:\Program Files\emme
[2010/12/05 22:24:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Paul\Local Settings\Application Data\Apple Computer
[2010/12/05 22:24:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Paul\Application Data\Apple Computer
[2010/12/05 22:24:05 | 000,000,000 | ---D | C] -- C:\Program Files\Safari
[2010/12/05 22:23:32 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Apple
[2010/12/05 22:23:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Paul\Local Settings\Application Data\Apple
[2010/12/05 22:23:13 | 000,000,000 | ---D | C] -- C:\Program Files\Apple Software Update
[2 D:\My Documents\*.tmp files -> D:\My Documents\*.tmp -> ]
[1 C:\Documents and Settings\Paul\Desktop\*.tmp files -> C:\Documents and Settings\Paul\Desktop\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/01/01 16:22:15 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/01/01 16:19:39 | 000,466,212 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011/01/01 16:19:39 | 000,079,770 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2011/01/01 16:11:07 | 127,353,979 | ---- | M] (Igor Pavlov) -- C:\Documents and Settings\Paul\Desktop\OTLPENet.exe
[2011/01/01 16:05:33 | 000,002,519 | ---- | M] () -- C:\Documents and Settings\Paul\Application Data\Microsoft\Internet Explorer\Quick Launch\Microsoft Word 2010.lnk
[2011/01/01 15:40:17 | 000,780,283 | ---- | M] () -- C:\Documents and Settings\Paul\Desktop\rkill.com
[2011/01/01 15:19:08 | 000,000,327 | RHS- | M] () -- C:\boot.ini
[2011/01/01 14:17:16 | 000,026,624 | ---- | M] () -- C:\Documents and Settings\Paul\Desktop\Reagan Doctrine.doc
[2011/01/01 14:17:11 | 000,002,485 | ---- | M] () -- C:\Documents and Settings\Paul\Application Data\Microsoft\Internet Explorer\Quick Launch\Gmail.lnk
[2011/01/01 14:02:59 | 000,087,796 | ---- | M] () -- C:\Documents and Settings\Paul\Desktop\Economic Optimism_ Yes, Iâ€™ll Take That Bet - Findings - NYTimes.pdf
[2011/01/01 13:08:30 | 000,034,304 | ---- | M] () -- C:\Documents and Settings\Paul\Desktop\Please download ComboFix from.doc
[2011/01/01 13:03:37 | 004,012,260 | R--- | M] () -- C:\Documents and Settings\Paul\Desktop\ComboFix.exe
[2011/01/01 12:52:18 | 001,232,020 | ---- | M] () -- C:\Documents and Settings\Paul\Desktop\tdsskiller.zip
[2011/01/01 12:43:00 | 000,000,974 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-73586283-2147006213-682003330-1004UA.job
[2011/01/01 12:28:09 | 002,787,328 | ---- | M] () -- C:\Documents and Settings\Paul\Desktop\dft32_v416_b00.iso
[2011/01/01 10:58:14 | 000,023,552 | ---- | M] () -- C:\Documents and Settings\Paul\Desktop\WWI Casualties.doc
[2011/01/01 10:55:39 | 000,000,162 | -H-- | M] () -- C:\Documents and Settings\Paul\Desktop\~$I Casualties.doc
[2011/01/01 10:00:47 | 001,679,360 | ---- | M] () -- C:\Documents and Settings\Paul\Desktop\Woodrow Wilson.ppt
[2011/01/01 00:43:00 | 000,000,922 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-73586283-2147006213-682003330-1004Core.job
[2011/01/01 00:42:36 | 000,212,038 | ---- | M] () -- C:\Documents and Settings\Paul\Desktop\taylor_map.jpg
[2010/12/31 22:30:28 | 000,164,903 | ---- | M] () -- C:\Documents and Settings\Paul\Desktop\woodrow-wilson.jpg
[2010/12/31 22:26:03 | 000,163,909 | ---- | M] () -- C:\Documents and Settings\Paul\Desktop\The_Gap_in_the_Bridge.gif
[2010/12/31 22:25:01 | 000,274,529 | ---- | M] () -- C:\Documents and Settings\Paul\Desktop\The-league-of-nations.jpg
[2010/12/31 19:09:10 | 000,624,128 | ---- | M] () -- C:\Documents and Settings\Paul\Desktop\dds.scr
[2010/12/31 19:08:26 | 000,080,384 | ---- | M] () -- C:\Documents and Settings\Paul\Desktop\MBRCheck.exe
[2010/12/31 19:06:07 | 000,062,464 | ---- | M] () -- C:\Documents and Settings\Paul\Desktop\GMER 1.doc
[2010/12/31 18:00:57 | 000,054,156 | -H-- | M] () -- C:\WINDOWS\QTFont.qfn
[2010/12/31 17:58:11 | 000,296,448 | ---- | M] () -- C:\Documents and Settings\Paul\Desktop\154nruub.exe
[2010/12/31 17:53:18 | 000,446,464 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Paul\Desktop\TFC.exe
[2010/12/30 23:28:31 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/12/30 22:04:40 | 002,014,704 | ---- | M] (Google) -- C:\Documents and Settings\Paul\Desktop\GoogleDesktopSetup.exe
[2010/12/30 16:35:14 | 000,415,095 | ---- | M] () -- C:\Documents and Settings\Paul\Desktop\3296842855_42c2ce0948_b.jpg
[2010/12/30 16:35:00 | 000,133,309 | ---- | M] () -- C:\Documents and Settings\Paul\Desktop\3296842855_42c2ce0948.jpg
[2010/12/30 16:34:40 | 000,020,606 | ---- | M] () -- C:\Documents and Settings\Paul\Desktop\hb-standoff.jpg
[2010/12/30 16:34:17 | 000,077,098 | ---- | M] () -- C:\Documents and Settings\Paul\Desktop\MexicanStandoff.jpg
[2010/12/30 13:00:31 | 000,115,358 | ---- | M] () -- C:\Documents and Settings\Paul\Desktop\College Degree Inflation.pdf
[2010/12/29 19:48:09 | 000,016,816 | ---- | M] () -- C:\Documents and Settings\Paul\Desktop\tweety-bird.jpg
[2010/12/29 13:09:10 | 000,023,552 | ---- | M] () -- C:\Documents and Settings\Paul\Desktop\Sun Bowl.doc
[2010/12/29 07:50:28 | 000,026,112 | ---- | M] () -- C:\Documents and Settings\Paul\Desktop\Lippmann.doc
[2010/12/29 07:43:43 | 000,043,520 | ---- | M] () -- D:\My Documents\Pronunciation Key.xls
[2010/12/29 07:12:34 | 012,408,757 | ---- | M] () -- C:\Documents and Settings\Paul\Desktop\The_truth_about_the_Treaty.pdf
[2010/12/29 07:07:21 | 000,083,545 | ---- | M] () -- C:\Documents and Settings\Paul\Desktop\KenanGOP Won Cold War.pdf
[2010/12/28 21:21:00 | 000,116,224 | ---- | M] () -- C:\Documents and Settings\Paul\Desktop\Kennan's course.doc
[2010/12/28 19:15:36 | 000,023,552 | ---- | M] () -- C:\Documents and Settings\Paul\Desktop\call target for epipen, aaa batteries; small *****.doc
[2010/12/28 16:35:23 | 000,021,317 | ---- | M] () -- C:\Documents and Settings\Paul\Desktop\Critique of Containment.pdf
[2010/12/28 01:09:47 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Paul\Desktop\10 files in new folder
[2010/12/28 01:09:19 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Paul\Desktop\50 emails in inbox
[2010/12/28 01:09:06 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Paul\Desktop\fix natalie's art kit
[2010/12/27 21:44:41 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Paul\Desktop\call Tracy Marsh
[2010/12/27 21:21:30 | 000,024,064 | ---- | M] () -- C:\Documents and Settings\Paul\Desktop\Looking at a map of the German Confederation.doc
[2010/12/27 20:17:07 | 000,063,174 | ---- | M] () -- C:\Documents and Settings\Paul\Desktop\Three.jpg
[2010/12/27 18:26:02 | 000,026,112 | ---- | M] () -- C:\Documents and Settings\Paul\Desktop\Notes from Millenium.doc
[2010/12/26 09:04:28 | 000,001,945 | ---- | M] () -- C:\WINDOWS\epplauncher.mif
[2010/12/25 12:47:44 | 000,046,080 | ---- | M] () -- C:\Documents and Settings\Paul\Desktop\Louis XIV.doc
[2010/12/25 10:24:40 | 122,811,025 | ---- | M] () -- C:\Documents and Settings\Paul\Desktop\A_cyclopedia_of_commerce_and_commercial.pdf
[2010/12/25 02:37:52 | 000,436,552 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/12/25 02:17:00 | 001,427,952 | ---- | M] () -- C:\Documents and Settings\Paul\Desktop\Colbert1666.jpg
[2010/12/24 23:48:46 | 000,033,280 | ---- | M] () -- C:\Documents and Settings\Paul\Desktop\Alphabet.doc
[2010/12/24 23:40:33 | 000,001,393 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/12/24 22:57:17 | 000,014,621 | ---- | M] () -- C:\Documents and Settings\Paul\Desktop\Louis XIV and the Creation of the French nation.docx
[2010/12/24 02:24:52 | 000,085,856 | ---- | M] () -- C:\Documents and Settings\Paul\Desktop\Berlin_Conference_1878.jpg
[2010/12/24 02:19:47 | 002,086,877 | ---- | M] () -- C:\Documents and Settings\Paul\Desktop\Berlinkongressen_1878,_Nordisk_familjebok.png
[2010/12/20 21:09:00 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/12/20 21:08:40 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/12/16 12:47:52 | 001,345,624 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Paul\Desktop\TDSSKiller.exe
[2010/12/12 07:29:51 | 000,097,384 | -H-- | M] () -- C:\WINDOWS\System32\mlfcache.dat
[2010/12/12 07:29:39 | 000,001,409 | ---- | M] () -- C:\WINDOWS\QTFont.for
[2010/12/11 17:58:52 | 000,063,809 | ---- | M] () -- D:\My Documents\1-100 Chart.pdf
[2010/12/08 14:45:48 | 000,028,672 | ---- | M] () -- C:\WINDOWS\System32\qttask.exe
[2010/12/08 14:44:46 | 000,000,361 | ---- | M] () -- C:\WINDOWS\System32\QuickTime.qtp
[2010/12/03 23:13:06 | 000,025,088 | ---- | M] () -- D:\My Documents\Politics of Appeasing Hitler.doc
[2 D:\My Documents\*.tmp files -> D:\My Documents\*.tmp -> ]
[1 C:\Documents and Settings\Paul\Desktop\*.tmp files -> C:\Documents and Settings\Paul\Desktop\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/01/01 15:40:14 | 000,780,283 | ---- | C] () -- C:\Documents and Settings\Paul\Desktop\rkill.com
[2011/01/01 14:17:16 | 000,026,624 | ---- | C] () -- C:\Documents and Settings\Paul\Desktop\Reagan Doctrine.doc
[2011/01/01 14:02:57 | 000,087,796 | ---- | C] () -- C:\Documents and Settings\Paul\Desktop\Economic Optimism_ Yes, Iâ€™ll Take That Bet - Findings - NYTimes.pdf
[2011/01/01 13:12:05 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2011/01/01 13:12:01 | 000,260,272 | RHS- | C] () -- C:\cmldr
[2011/01/01 13:09:48 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2011/01/01 13:09:48 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2011/01/01 13:09:48 | 000,089,088 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2011/01/01 13:09:48 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2011/01/01 13:09:48 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2011/01/01 13:08:29 | 000,034,304 | ---- | C] () -- C:\Documents and Settings\Paul\Desktop\Please download ComboFix from.doc
[2011/01/01 13:03:23 | 004,012,260 | R--- | C] () -- C:\Documents and Settings\Paul\Desktop\ComboFix.exe
[2011/01/01 12:52:17 | 001,232,020 | ---- | C] () -- C:\Documents and Settings\Paul\Desktop\tdsskiller.zip
[2011/01/01 12:28:07 | 002,787,328 | ---- | C] () -- C:\Documents and Settings\Paul\Desktop\dft32_v416_b00.iso
[2011/01/01 10:55:39 | 000,000,162 | -H-- | C] () -- C:\Documents and Settings\Paul\Desktop\~$I Casualties.doc
[2011/01/01 10:55:38 | 000,023,552 | ---- | C] () -- C:\Documents and Settings\Paul\Desktop\WWI Casualties.doc
[2011/01/01 00:42:36 | 000,212,038 | ---- | C] () -- C:\Documents and Settings\Paul\Desktop\taylor_map.jpg
[2010/12/31 22:30:28 | 000,164,903 | ---- | C] () -- C:\Documents and Settings\Paul\Desktop\woodrow-wilson.jpg
[2010/12/31 22:26:03 | 000,163,909 | ---- | C] () -- C:\Documents and Settings\Paul\Desktop\The_Gap_in_the_Bridge.gif
[2010/12/31 22:25:01 | 000,274,529 | ---- | C] () -- C:\Documents and Settings\Paul\Desktop\The-league-of-nations.jpg
[2010/12/31 19:09:06 | 000,624,128 | ---- | C] () -- C:\Documents and Settings\Paul\Desktop\dds.scr
[2010/12/31 19:08:26 | 000,080,384 | ---- | C] () -- C:\Documents and Settings\Paul\Desktop\MBRCheck.exe
[2010/12/31 19:06:06 | 000,062,464 | ---- | C] () -- C:\Documents and Settings\Paul\Desktop\GMER 1.doc
[2010/12/31 17:58:08 | 000,296,448 | ---- | C] () -- C:\Documents and Settings\Paul\Desktop\154nruub.exe
[2010/12/31 03:31:31 | 001,421,422 | ---- | C] () -- C:\Documents and Settings\Paul\Desktop\CDS-QuickStart-Guide.pdf
[2010/12/30 16:35:14 | 000,415,095 | ---- | C] () -- C:\Documents and Settings\Paul\Desktop\3296842855_42c2ce0948_b.jpg
[2010/12/30 16:35:00 | 000,133,309 | ---- | C] () -- C:\Documents and Settings\Paul\Desktop\3296842855_42c2ce0948.jpg
[2010/12/30 16:34:40 | 000,020,606 | ---- | C] () -- C:\Documents and Settings\Paul\Desktop\hb-standoff.jpg
[2010/12/30 16:34:17 | 000,077,098 | ---- | C] () -- C:\Documents and Settings\Paul\Desktop\MexicanStandoff.jpg
[2010/12/30 16:19:37 | 001,679,360 | ---- | C] () -- C:\Documents and Settings\Paul\Desktop\Woodrow Wilson.ppt
[2010/12/30 13:00:29 | 000,115,358 | ---- | C] () -- C:\Documents and Settings\Paul\Desktop\College Degree Inflation.pdf
[2010/12/29 19:48:09 | 000,016,816 | ---- | C] () -- C:\Documents and Settings\Paul\Desktop\tweety-bird.jpg
[2010/12/29 13:06:50 | 000,023,552 | ---- | C] () -- C:\Documents and Settings\Paul\Desktop\Sun Bowl.doc
[2010/12/29 07:12:27 | 012,408,757 | ---- | C] () -- C:\Documents and Settings\Paul\Desktop\The_truth_about_the_Treaty.pdf
[2010/12/29 07:07:20 | 000,083,545 | ---- | C] () -- C:\Documents and Settings\Paul\Desktop\KenanGOP Won Cold War.pdf
[2010/12/28 22:08:19 | 000,026,112 | ---- | C] () -- C:\Documents and Settings\Paul\Desktop\Lippmann.doc
[2010/12/28 16:35:23 | 000,021,317 | ---- | C] () -- C:\Documents and Settings\Paul\Desktop\Critique of Containment.pdf
[2010/12/28 16:33:55 | 000,116,224 | ---- | C] () -- C:\Documents and Settings\Paul\Desktop\Kennan's course.doc
[2010/12/28 01:09:47 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Paul\Desktop\10 files in new folder
[2010/12/28 01:09:06 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Paul\Desktop\fix natalie's art kit
[2010/12/28 01:09:06 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Paul\Desktop\50 emails in inbox
[2010/12/27 21:44:41 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Paul\Desktop\call Tracy Marsh
[2010/12/27 21:21:30 | 000,024,064 | ---- | C] () -- C:\Documents and Settings\Paul\Desktop\Looking at a map of the German Confederation.doc
[2010/12/27 21:13:40 | 000,023,552 | ---- | C] () -- C:\Documents and Settings\Paul\Desktop\call target for epipen, aaa batteries; small *****.doc
[2010/12/27 20:17:07 | 000,063,174 | ---- | C] () -- C:\Documents and Settings\Paul\Desktop\Three.jpg
[2010/12/27 00:08:39 | 000,026,112 | ---- | C] () -- C:\Documents and Settings\Paul\Desktop\Notes from Millenium.doc
[2010/12/26 09:04:28 | 000,001,945 | ---- | C] () -- C:\WINDOWS\epplauncher.mif
[2010/12/25 12:47:25 | 000,046,080 | ---- | C] () -- C:\Documents and Settings\Paul\Desktop\Louis XIV.doc
[2010/12/25 10:23:28 | 122,811,025 | ---- | C] () -- C:\Documents and Settings\Paul\Desktop\A_cyclopedia_of_commerce_and_commercial.pdf
[2010/12/25 02:16:55 | 001,427,952 | ---- | C] () -- C:\Documents and Settings\Paul\Desktop\Colbert1666.jpg
[2010/12/24 23:48:45 | 000,033,280 | ---- | C] () -- C:\Documents and Settings\Paul\Desktop\Alphabet.doc
[2010/12/24 22:57:17 | 000,014,621 | ---- | C] () -- C:\Documents and Settings\Paul\Desktop\Louis XIV and the Creation of the French nation.docx
[2010/12/24 02:24:52 | 000,085,856 | ---- | C] () -- C:\Documents and Settings\Paul\Desktop\Berlin_Conference_1878.jpg
[2010/12/24 02:19:47 | 002,086,877 | ---- | C] () -- C:\Documents and Settings\Paul\Desktop\Berlinkongressen_1878,_Nordisk_familjebok.png
[2010/12/12 07:29:39 | 000,054,156 | -H-- | C] () -- C:\WINDOWS\QTFont.qfn
[2010/12/12 07:29:39 | 000,001,409 | ---- | C] () -- C:\WINDOWS\QTFont.for
[2010/12/11 17:58:51 | 000,063,809 | ---- | C] () -- D:\My Documents\1-100 Chart.pdf
[2010/12/08 14:45:48 | 000,028,672 | ---- | C] () -- C:\WINDOWS\System32\qttask.exe
[2010/12/08 14:44:45 | 000,000,361 | ---- | C] () -- C:\WINDOWS\System32\QuickTime.qtp
[2010/12/08 14:44:01 | 000,019,173 | ---- | C] () -- C:\WINDOWS\emmeUS.wri
[2010/11/25 09:56:05 | 000,106,496 | R--- | C] () -- C:\WINDOWS\System32\VSHP1018.DLL
[2010/11/21 00:47:23 | 000,029,696 | ---- | C] () -- C:\Documents and Settings\Paul\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/11/20 12:36:52 | 000,056,320 | ---- | C] () -- C:\WINDOWS\System32\iyvu9_32.dll
[2010/09/30 00:25:27 | 000,002,272 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2010/09/21 20:14:25 | 000,000,038 | ---- | C] () -- C:\WINDOWS\avisplitter.ini
[2010/09/21 20:14:20 | 000,790,528 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2010/09/21 20:14:20 | 000,134,144 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2010/09/21 20:14:19 | 000,108,032 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2010/09/01 18:26:42 | 000,087,552 | ---- | C] () -- C:\WINDOWS\System32\cpwmon2k.dll
[2010/06/03 20:31:57 | 000,176,235 | ---- | C] () -- C:\WINDOWS\System32\Primomonnt.dll
[2010/05/08 22:59:52 | 000,000,097 | ---- | C] () -- C:\WINDOWS\CR.ini
[2010/05/05 21:58:55 | 000,000,091 | ---- | C] () -- C:\WINDOWS\CBP.INI
[2010/04/17 11:10:01 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2010/04/02 10:34:51 | 000,000,165 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2010/02/18 17:30:29 | 000,000,037 | ---- | C] () -- C:\WINDOWS\QTW.INI
[2010/02/11 22:07:29 | 000,001,890 | -HS- | C] () -- C:\WINDOWS\System32\KGyGaAvL.sys
[2010/02/11 22:07:29 | 000,000,056 | RHS- | C] () -- C:\WINDOWS\System32\B69F2F8E88.sys
[2010/02/04 00:54:05 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2009/12/22 10:51:28 | 000,086,016 | ---- | C] () -- C:\WINDOWS\System32\preflib.dll
[2009/12/22 10:51:25 | 000,757,760 | ---- | C] () -- C:\WINDOWS\System32\bcm1xsup.dll
[2009/12/16 23:56:45 | 000,000,214 | ---- | C] () -- C:\WINDOWS\HP_48BitScanUpdatePatch.ini
[2009/12/15 03:45:09 | 000,165,376 | ---- | C] () -- C:\WINDOWS\System32\unrar.dll
[2009/12/14 13:29:36 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2009/06/26 19:21:02 | 000,015,498 | ---- | C] () -- C:\WINDOWS\VX3000.ini
[2008/01/15 07:31:00 | 000,000,530 | ---- | C] () -- C:\WINDOWS\System32\tx14_ic.ini
[2007/09/27 13:51:02 | 000,020,698 | ---- | C] () -- C:\WINDOWS\System32\idxcntrs.ini
[2007/09/27 13:48:48 | 000,030,628 | ---- | C] () -- C:\WINDOWS\System32\gsrvctr.ini
[2007/09/27 13:48:28 | 000,031,698 | ---- | C] () -- C:\WINDOWS\System32\gthrctr.ini
[2006/11/29 14:08:27 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2006/09/21 01:02:32 | 000,520,192 | ---- | C] () -- C:\WINDOWS\System32\CddbPlaylist2Roxio.dll
[2006/09/21 01:02:32 | 000,204,800 | ---- | C] () -- C:\WINDOWS\System32\CddbFileTaggerRoxio.dll
[2004/04/19 18:01:00 | 000,006,656 | ---- | C] () -- C:\WINDOWS\System32\drivers\gflmouhid.sys
[2000/07/07 16:49:30 | 000,069,120 | ---- | C] () -- C:\WINDOWS\System32\LTDLL.DLL
[2000/03/25 21:00:00 | 000,030,208 | ---- | C] () -- C:\WINDOWS\System32\clcd32.dll
[1999/09/20 15:43:10 | 000,006,784 | ---- | C] () -- C:\WINDOWS\System32\clcd16.dll
[1999/03/10 02:23:00 | 000,222,928 | ---- | C] () -- C:\WINDOWS\System32\lobas09.dll
[1998/01/13 14:52:30 | 000,047,104 | ---- | C] () -- C:\WINDOWS\System32\lotrn13.dll
[1997/11/14 02:23:00 | 000,031,008 | ---- | C] () -- C:\WINDOWS\System32\ivtrn09.dll
[1994/07/25 04:23:00 | 000,014,928 | ---- | C] () -- C:\WINDOWS\System32\wingen.drv

========== LOP Check ==========

[2010/11/28 00:27:15 | 000,000,000 | ---D | M] -- C:\WINDOWS\system32\config\systemprofile\Application Data\Nitro PDF
[2010/06/17 11:45:05 | 000,000,000 | ---D | M] -- C:\WINDOWS\system32\config\systemprofile\Application Data\SoftGrid Client
[2010/12/01 01:26:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Paul\Application Data\Auslogics
[2010/11/21 01:33:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Paul\Application Data\Contaware
[2010/12/30 20:14:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Paul\Application Data\Copernic
[2010/11/22 19:55:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Paul\Application Data\ImgBurn
[2010/11/27 11:25:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Paul\Application Data\KompoZer
[2010/11/27 11:14:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Paul\Application Data\kompozer.net
[2010/11/27 13:56:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Paul\Application Data\Nitro PDF
[2010/11/22 20:16:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Paul\Application Data\OpenOffice.org
[2010/12/24 23:41:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Paul\Application Data\Windows Desktop Search
[2010/12/24 23:41:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Paul\Application Data\Windows Search

========== Purity Check ==========

========== Alternate Data Streams ==========

@Alternate Data Stream - 76 bytes -> D:\My Documents\oilprice1947.gif:Roxio EMC Stream
< End of report >

psaulm119 · 2011/01/01

FYI--in your instructions, it said "Do you wish to load remote user profile for scanning, "--it never gave me that options, so I simply selected my user profile (Paul), and made sure that the option for AUtomatically load all remaining users was checked.

broni · 2011/01/01

I don't really see anything malicious in OTL log.
There is some garbage here and there, but nothing malicious.

Malware-wise, the rootkit seemed to be a main culprit.
Unless Combofix will find something else.

Let's try it again.
Delete your Combofix file. Download fresh one, rename it before saving it to the desktop and run it from Safe Mode.

psaulm119 · 2011/01/01

Renamed it BEFORE saving to desktop. Booted back into safe mode, heard the laptop's own fan running so I walked away from it--hadn't yet started combofix. After about 30 seconds it shut down on its own.

broni · 2011/01/01

I think, you may have some other issues beside that rootkit, we just removed....

Download System Information for Windows (SIW free version)
No installation required.

After it scans your computer, navigate to Hardware>Sensors and post all info from there.

psaulm119 · 2011/01/01

OK Here it is:
http://img600.imageshack.us/img600/5320/screenshot09.png

Temperatures seemed to be pretty low (when the system snapshot was taken just now). My cores generally overheat and shut down when the cores get to be in the 160 degree-and-up fahrenheit range--at least that is what SIW has told me in the past when I've had overheating problems.

broni · 2011/01/01

That looks fairly normal....

Disable "Restart on error" feature...

1. Right-click My Computer, and then click Properties.
2. Click the Advanced tab (Vista: click Advanced system settings).
3. Under Startup and Recovery, click Settings to open the Startup and Recovery dialog box.
4. Clear the Automatically restart check box, and click OK the necessary number of times.
5. Restart your computer for the settings to take effect.

You may see some error message. If so, post back what it says.

Now, try Combofix in safe mode again.

psaulm119 · 2011/01/01

It already was unchecked--obviously no error message.

broni · 2011/01/01

Please download Rootkit Unhooker from one of the following links and save it to your desktop.

Link 1 (.exe file)
Link 2 (zipped file)
Link 3 (.rar file)

In order to use this tool if you downloaded from either of the second two links, you will need to extract the RKUnhookerLE.exe file using a program capable of extracing ZIP and RAR compressed files. If you don't have an extraction program, you can downlaod, install and use the free 7-zip utility.

Double-click on RKUnhookerLE.exe to start the program.
Vista/Windows 7 users right-click and select Run As Administrator.

Click the Report tab, then click Scan.

Check Drivers, Stealth, and uncheck the rest.

Click OK.

Wait until it's finished and then go to File > Save Report.

Save the report to your Desktop.

Copy and paste the contents of the report into your next reply.

-- Note: You may get this warning...just ignore it, click OK and continue: "Rootkit Unhooker has detected a parasite inside itself! It is recommended to remove parasite, okay? ".

psaulm119 · 2011/01/01

OK. Here goes:

RkU Version: 3.8.388.590, Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 3)
Number of processors #2
==============================================
>Drivers
==============================================
0xBF1AF000 C:\WINDOWS\System32\ati3duag.dll 4009984 bytes (ATI Technologies Inc. , ati3duag.dll)
0xB9012000 C:\WINDOWS\system32\DRIVERS\ati2mtag.sys 3788800 bytes (ATI Technologies Inc., ATI Radeon WindowsNT Miniport Driver)
0xBF582000 C:\WINDOWS\System32\ativvaxx.dll 2502656 bytes (ATI Technologies Inc. , Radeon Video Acceleration Universal Driver)
0x804D7000 C:\WINDOWS\system32\ntkrnlpa.exe 2150400 bytes (Microsoft Corporation, NT Kernel & System)
0x804D7000 PnpManager 2150400 bytes
0x804D7000 RAW 2150400 bytes
0x804D7000 WMIxWDM 2150400 bytes
0xBF800000 Win32k 1855488 bytes
0xBF800000 C:\WINDOWS\System32\win32k.sys 1855488 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0xB0954000 C:\WINDOWS\system32\drivers\sthda.sys 1171456 bytes (SigmaTel, Inc., NDRC)
0xB0B22000 C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys 1036288 bytes (Conexant Systems, Inc., HSF_DP driver)
0xB0A72000 C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys 720896 bytes (Conexant Systems, Inc., HSF_CNXT driver)
0xB8EFF000 C:\WINDOWS\system32\DRIVERS\bcmwl5.sys 606208 bytes (Broadcom Corporation, Broadcom 802.11 Network Adapter wireless driver)
0xBF065000 C:\WINDOWS\System32\ati2cqag.dll 577536 bytes (ATI Technologies Inc., Central Memory Manager / Queue Server Module)
0xB9E5B000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)
0xBF0F2000 C:\WINDOWS\System32\atikvmag.dll 471040 bytes (ATI Technologies Inc., Virtual Command And Memory Manager)
0xB8DE8000 C:\WINDOWS\System32\Drivers\wdf01000.sys 462848 bytes (Microsoft Corporation, Kernel Mode Driver Framework Runtime)
0xB074A000 C:\WINDOWS\System32\DRIVERS\mrxsmb.sys 458752 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
0xB8D4E000 C:\WINDOWS\System32\DRIVERS\update.sys 385024 bytes (Microsoft Corporation, Update Driver)
0xB0855000 C:\WINDOWS\System32\DRIVERS\tcpip.sys 364544 bytes (Microsoft Corporation, TCP/IP Protocol Driver)
0xADB39000 C:\WINDOWS\System32\DRIVERS\srv.sys 360448 bytes (Microsoft Corporation, Server driver)
0xBF012000 C:\WINDOWS\System32\ati2dvag.dll 339968 bytes (ATI Technologies Inc., ATI Radeon WindowsNT Display Driver)
0xBF165000 C:\WINDOWS\System32\atiok3x2.dll 303104 bytes (ATI Technologies Inc., Ring 0 x2 component)
0xBFFA0000 C:\WINDOWS\System32\ATMFD.DLL 290816 bytes (Adobe Systems Incorporated, Windows NT OpenType/Type 1 Font Driver)
0xAD648000 C:\WINDOWS\System32\Drivers\HTTP.sys 266240 bytes (Microsoft Corporation, HTTP Protocol Stack)
0xB8E59000 C:\WINDOWS\system32\DRIVERS\SynTP.sys 225280 bytes (Synaptics Incorporated, Synaptics Touchpad Driver)
0xB0C1F000 C:\WINDOWS\system32\DRIVERS\HSFHWAZL.sys 204800 bytes (Conexant Systems, Inc., HSF_HWAZL WDM driver)
0xB9F79000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)
0xADBE1000 C:\WINDOWS\System32\DRIVERS\mrxdav.sys 184320 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)
0xB9E2E000 NDIS.sys 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)
0xB07BA000 C:\WINDOWS\System32\DRIVERS\rdbss.sys 176128 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0xB8E90000 C:\WINDOWS\system32\DRIVERS\HDAudBus.sys 163840 bytes (Windows (R) Server 2003 DDK provider, High Definition Audio Bus Driver v1.0a)
0xB0807000 C:\WINDOWS\System32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)
0xB0909000 C:\WINDOWS\system32\DRIVERS\MpFilter.sys 159744 bytes (Microsoft Corporation, Microsoft antimalware file system filter driver)
0xB082F000 C:\WINDOWS\System32\DRIVERS\ipnat.sys 155648 bytes (Microsoft Corporation, IP Network Address Translator)
0xB0930000 C:\WINDOWS\system32\drivers\portcls.sys 147456 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0xB8EDB000 C:\WINDOWS\System32\DRIVERS\USBPORT.SYS 147456 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0xB8EB8000 C:\WINDOWS\System32\DRIVERS\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)
0xB07E5000 C:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0x806E4000 ACPI_HAL 134400 bytes
0x806E4000 C:\WINDOWS\system32\hal.dll 134400 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0xB9F11000 fltmgr.sys 131072 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0xB9F49000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver)
0xB9E14000 Mup.sys 106496 bytes (Microsoft Corporation, Multiple UNC Provider driver)
0xB9F31000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)
0xB070A000 C:\WINDOWS\System32\Drivers\dump_atapi.sys 98304 bytes
0xB9EE8000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0xB8DBD000 C:\WINDOWS\System32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
0xADE94000 C:\WINDOWS\system32\drivers\wdmaud.sys 86016 bytes (Microsoft Corporation, MMSYSTEM Wave/Midi API mapper)
0xB8DD4000 C:\WINDOWS\System32\DRIVERS\sdbus.sys 81920 bytes (Microsoft Corporation, SecureDigital Bus Driver)
0xB8FFE000 C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver)
0xB08AE000 C:\WINDOWS\System32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver)
0xB8D3B000 C:\WINDOWS\system32\DRIVERS\NWADIenum.sys 77824 bytes (Novatel Wireless Inc, NWADI Interface Bus Enumerator)
0xBF000000 C:\WINDOWS\System32\drivers\dxg.sys 73728 bytes (Microsoft Corporation, DirectX Graphics Driver)
0xB9EFF000 sr.sys 73728 bytes (Microsoft Corporation, System Restore Filesystem Filter Driver)
0xB9F68000 pci.sys 69632 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
0xB8DAC000 C:\WINDOWS\System32\DRIVERS\psched.sys 69632 bytes (Microsoft Corporation, MS QoS Packet Scheduler)
0xBA2C8000 C:\WINDOWS\System32\DRIVERS\bcm4sbxp.sys 65536 bytes (Broadcom Corporation, Broadcom Corporation NDIS 5.1 ethernet driver)
0xBA1D8000 C:\WINDOWS\System32\Drivers\Cdfs.SYS 65536 bytes (Microsoft Corporation, CD-ROM File System Driver)
0xBA288000 C:\WINDOWS\System32\DRIVERS\cdrom.sys 65536 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
0xBA158000 C:\WINDOWS\system32\drivers\drmk.sys 61440 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
0xBA298000 C:\WINDOWS\System32\DRIVERS\redbook.sys 61440 bytes (Microsoft Corporation, Redbook Audio Filter Driver)
0xAE101000 C:\WINDOWS\system32\drivers\sysaudio.sys 61440 bytes (Microsoft Corporation, System Audio WDM Filter)
0xBA148000 C:\WINDOWS\System32\DRIVERS\usbhub.sys 61440 bytes (Microsoft Corporation, Default Hub Driver for USB)
0xBA168000 C:\WINDOWS\System32\Drivers\AFS2K.SYS 57344 bytes (Oak Technology Inc., Audio File System)
0xBA2D8000 C:\WINDOWS\system32\DRIVERS\rimmptsk.sys 57344 bytes (REDC, RICOH MMC Driver)
0xBA2B8000 C:\WINDOWS\system32\DRIVERS\WDFLDR.SYS 57344 bytes (Microsoft Corporation, Kernel Mode Driver Framework Loader)
0xBA268000 C:\WINDOWS\system32\DRIVERS\AmdPPM.sys 53248 bytes (Advanced Micro Devices, AMD Processor Driver)
0xBA0E8000 C:\WINDOWS\System32\DRIVERS\CLASSPNP.SYS 53248 bytes (Microsoft Corporation, SCSI Class System Dll)
0xBA2A8000 C:\WINDOWS\System32\DRIVERS\i8042prt.sys 53248 bytes (Microsoft Corporation, i8042 Port Driver)
0xBA2E8000 C:\WINDOWS\System32\DRIVERS\rasl2tp.sys 53248 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
0xBA0C8000 VolSnap.sys 53248 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0xBA308000 C:\WINDOWS\System32\DRIVERS\raspptp.sys 49152 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
0xBA1A8000 C:\WINDOWS\System32\Drivers\Fips.SYS 45056 bytes (Microsoft Corporation, FIPS Crypto Driver)
0xBA278000 C:\WINDOWS\System32\DRIVERS\imapi.sys 45056 bytes (Microsoft Corporation, IMAPI Kernel Driver)
0xBA0B8000 MountMgr.sys 45056 bytes (Microsoft Corporation, Mount Manager)
0xBA2F8000 C:\WINDOWS\System32\DRIVERS\raspppoe.sys 45056 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
0xBA0A8000 isapnp.sys 40960 bytes (Microsoft Corporation, PNP ISA Bus Driver)
0xBA118000 C:\WINDOWS\System32\Drivers\NDProxy.SYS 40960 bytes (Microsoft Corporation, NDIS Proxy)
0xBA108000 C:\WINDOWS\System32\DRIVERS\termdd.sys 40960 bytes (Microsoft Corporation, Terminal Server Driver)
0xBA0D8000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver)
0xBA178000 C:\WINDOWS\System32\DRIVERS\HIDCLASS.SYS 36864 bytes (Microsoft Corporation, Hid Class Library)
0xBA318000 C:\WINDOWS\System32\DRIVERS\msgpc.sys 36864 bytes (Microsoft Corporation, MS General Packet Classifier)
0xBA188000 C:\WINDOWS\System32\DRIVERS\netbios.sys 36864 bytes (Microsoft Corporation, NetBIOS interface driver)
0xAD30D000 C:\WINDOWS\System32\Drivers\Normandy.SYS 36864 bytes (RKU Driver)
0xBA0F8000 PxHelp20.sys 36864 bytes (Sonic Solutions, Px Engine Device Driver for Windows 2000/XP)
0xBA1B8000 C:\WINDOWS\System32\DRIVERS\wanarp.sys 36864 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
0xBA418000 C:\WINDOWS\System32\Drivers\Modem.SYS 32768 bytes (Microsoft Corporation, Modem Device Driver)
0xBA468000 C:\WINDOWS\System32\Drivers\Npfs.SYS 32768 bytes (Microsoft Corporation, NPFS Driver)
0xBA3E8000 C:\WINDOWS\System32\DRIVERS\usbehci.sys 32768 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
0xBA448000 C:\WINDOWS\System32\DRIVERS\HIDPARSE.SYS 28672 bytes (Microsoft Corporation, Hid Parsing Library)
0xBA470000 C:\WINDOWS\system32\DRIVERS\NuidFltr.sys 28672 bytes (Microsoft Corporation, Filter Driver for Microsoft Hardware HID Non-User Input Data)
0xBA328000 C:\WINDOWS\System32\DRIVERS\PCIIDEX.SYS 28672 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
0xBA3F0000 C:\WINDOWS\System32\DRIVERS\kbdclass.sys 24576 bytes (Microsoft Corporation, Keyboard Class Driver)
0xBA3F8000 C:\WINDOWS\System32\DRIVERS\mouclass.sys 24576 bytes (Microsoft Corporation, Mouse Class Driver)
0xBA478000 C:\WINDOWS\system32\DRIVERS\point32.sys 24576 bytes (Microsoft Corporation, Point32.sys)
0xBA458000 C:\WINDOWS\System32\drivers\vga.sys 24576 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
0xBA338000 hotcore3.sys 20480 bytes (Paragon Software Group, A part of Paragon System Utilities)
0xBA460000 C:\WINDOWS\System32\Drivers\Msfs.SYS 20480 bytes (Microsoft Corporation, Mailslot driver)
0xBA330000 PartMgr.sys 20480 bytes (Microsoft Corporation, Partition Manager)
0xBA408000 C:\WINDOWS\System32\DRIVERS\ptilink.sys 20480 bytes (Parallel Technologies, Inc., Parallel Technologies DirectParallel IO Library)
0xBA410000 C:\WINDOWS\System32\DRIVERS\raspti.sys 20480 bytes (Microsoft Corporation, PTI DirectParallel(R) mini-port/call-manager driver)
0xBA400000 C:\WINDOWS\System32\DRIVERS\TDI.SYS 20480 bytes (Microsoft Corporation, TDI Wrapper)
0xBA3E0000 C:\WINDOWS\System32\DRIVERS\usbohci.sys 20480 bytes (Microsoft Corporation, OHCI USB Miniport Driver)
0xBA480000 C:\WINDOWS\System32\watchdog.sys 20480 bytes (Microsoft Corporation, Watchdog Driver)
0xBA4C0000 C:\WINDOWS\System32\DRIVERS\BATTC.SYS 16384 bytes (Microsoft Corporation, Battery Class Driver)
0xBA57C000 C:\WINDOWS\System32\DRIVERS\CmBatt.sys 16384 bytes (Microsoft Corporation, Control Method Battery Driver)
0xAD74D000 C:\DOCUME~1\Paul\LOCALS~1\Temp\cpuz134\cpuz134_x32.sys 16384 bytes
0xAE34D000 C:\WINDOWS\system32\drivers\mbam.sys 16384 bytes (Malwarebytes Corporation, Malwarebytes' Anti-Malware)
0xBA58C000 C:\WINDOWS\System32\DRIVERS\mssmbios.sys 16384 bytes (Microsoft Corporation, System Management BIOS Driver)
0xAE2D5000 C:\WINDOWS\System32\DRIVERS\ndisuio.sys 16384 bytes (Microsoft Corporation, NDIS User mode I/O Driver)
0xBA4C4000 ACPIEC.sys 12288 bytes (Microsoft Corporation, ACPI Embedded Controller Driver)
0xBA4B8000 C:\WINDOWS\system32\BOOTVID.dll 12288 bytes (Microsoft Corporation, VGA Boot Driver)
0xBA4BC000 compbatt.sys 12288 bytes (Microsoft Corporation, Composite Battery Driver)
0xB8D2B000 C:\WINDOWS\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver)
0xB93C7000 C:\WINDOWS\System32\DRIVERS\hidusb.sys 12288 bytes (Microsoft Corporation, USB Miniport Driver for Input Devices)
0xADBAD000 C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys 12288 bytes (Conexant, Diagnostic Interface DRIVER)
0xBA550000 C:\WINDOWS\System32\DRIVERS\mouhid.sys 12288 bytes (Microsoft Corporation, HID Mouse Filter Driver)
0xBA580000 C:\WINDOWS\System32\DRIVERS\ndistapi.sys 12288 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
0xB93BF000 C:\WINDOWS\System32\DRIVERS\rasacd.sys 12288 bytes (Microsoft Corporation, RAS Automatic Connection Driver)
0xBA56C000 C:\WINDOWS\System32\DRIVERS\wmiacpi.sys 12288 bytes (Microsoft Corporation, Windows Management Interface for ACPI)
0xBA5EC000 C:\WINDOWS\System32\Drivers\Beep.SYS 8192 bytes (Microsoft Corporation, BEEP Driver)
0xBA5F4000 C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS 8192 bytes
0xBA5EA000 C:\WINDOWS\System32\Drivers\Fs_Rec.SYS 8192 bytes (Microsoft Corporation, File System Recognizer Driver)
0xBA5A8000 C:\WINDOWS\system32\KDCOM.DLL 8192 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
0xBA5EE000 C:\WINDOWS\System32\Drivers\mnmdd.SYS 8192 bytes (Microsoft Corporation, Frame buffer simulator)
0xBA5F0000 C:\WINDOWS\System32\DRIVERS\RDPCDD.sys 8192 bytes (Microsoft Corporation, RDP Miniport)
0xBA5C2000 C:\WINDOWS\System32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
0xBA5C0000 C:\WINDOWS\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
0xBA5AA000 C:\WINDOWS\System32\DRIVERS\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
0xBA77B000 C:\WINDOWS\System32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver)
0xBA764000 C:\WINDOWS\System32\drivers\dxgthk.sys 4096 bytes (Microsoft Corporation, DirectX Graphics Driver Thunk)
0xBA6E6000 C:\WINDOWS\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver)
0xBA671000 C:\WINDOWS\System32\DRIVERS\OPRGHDLR.SYS 4096 bytes (Microsoft Corporation, ACPI Operation Registration Driver)
0xBA670000 pciide.sys 4096 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)
==============================================
>Stealth
==============================================

Log in or Sign up

Solved Malware problems?

psaulm119 Geek Member Thread Starter

broni Moderator Malware Analyst

psaulm119 Geek Member Thread Starter

broni Moderator Malware Analyst

psaulm119 Geek Member Thread Starter

broni Moderator Malware Analyst

psaulm119 Geek Member Thread Starter

broni Moderator Malware Analyst

psaulm119 Geek Member Thread Starter

broni Moderator Malware Analyst

psaulm119 Geek Member Thread Starter

psaulm119 Geek Member Thread Starter

broni Moderator Malware Analyst

psaulm119 Geek Member Thread Starter

broni Moderator Malware Analyst

psaulm119 Geek Member Thread Starter

broni Moderator Malware Analyst

psaulm119 Geek Member Thread Starter

broni Moderator Malware Analyst

psaulm119 Geek Member Thread Starter

Share This Page

Log in or Sign up

Solved Malware problems?

psaulm119 Geek Member Thread Starter

broni Moderator Malware Analyst

psaulm119 Geek Member Thread Starter

broni Moderator Malware Analyst

psaulm119 Geek Member Thread Starter

broni Moderator Malware Analyst

psaulm119 Geek Member Thread Starter

broni Moderator Malware Analyst

psaulm119 Geek Member Thread Starter

broni Moderator Malware Analyst

psaulm119 Geek Member Thread Starter

psaulm119 Geek Member Thread Starter

broni Moderator Malware Analyst

psaulm119 Geek Member Thread Starter

broni Moderator Malware Analyst

psaulm119 Geek Member Thread Starter

broni Moderator Malware Analyst

psaulm119 Geek Member Thread Starter

broni Moderator Malware Analyst

psaulm119 Geek Member Thread Starter

Share This Page

Useful Searches