[RESOLVED] Rootkit.TDS?


26 replies to this topic

#1 jdhoward

    $ Supporting Member

Posted 22 January 2012 - 04:33 PM

Dell Dimension B110 running XP SP3, fully updated.
Installed security:
MBAM paid
SAS paid
Comodo Firewall free
MSE

About every 3 days, when the machine starts up, I get a warning from SAS.
The latest was Rootkit.TDSServ-trace.process. SAS scanned and found nothing.
I ran an MSE scan and ESET.
Nothing found.

The last SAS log that found anything: attached

Programs take about a minute to launch

Logs attached:


MBAM
GMER
aswMBR
DDS.txt
attach.txt


As always thanks for helping


#2 Broni Re: [RESOLVED] Rootkit.TDS?

    Malware Annihilator

Posted 22 January 2012 - 07:33 PM

Please observe the following rules:
  • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
  • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
  • Please refrain from running tools or applying updates other than those I suggest.
  • Never run more than one scan at a time.
  • Keep updating me regarding your computer's behavior, good or bad.
  • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
  • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in the malware removal forum.
  • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

============================================================================

All logs have to be pasted, not attached.

#3 jdhoward Re: [RESOLVED] Rootkit.TDS?

    $ Supporting Member

Posted 22 January 2012 - 07:39 PM

I tried to paste them but was unable to. I must be doing something wrong.

#4 Broni Re: [RESOLVED] Rootkit.TDS?

    Malware Annihilator

Posted 22 January 2012 - 08:42 PM

.
DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_30
Run by Sandra at 9:14:19 on 2012-01-22
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1397 [GMT -7:00]
.
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
AV: McAfee VirusScan *Enabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: COMODO Firewall *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Security Client\msseces.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Documents and Settings\Sandra\TaskPlus\taskplus0.exe
C:\Documents and Settings\Sandra\Start Menu\Programs\Startup\Printkey.exe
C:\Program Files\WallMaster\wallmast.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.dell.com
BHO: AutorunsDisabled - No File
BHO: IDM integration (IDMIEHlprObj Class): {0055c089-8582-441b-a0bf-17b458c2a3a8} - c:\program files\internet download manager\IDMIECC.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [StartWatch] c:\program files\softwx\startwatch\StartWatch.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [<NO NAME>]
mRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [TaskPlus] c:\documents and settings\sandra\taskplus\taskplus0.exe
StartupFolder: c:\documents and settings\sandra\start menu\programs\startup\Printkey.exe
StartupFolder: c:\docume~1\sandra\startm~1\programs\startup\wallma~1.lnk - c:\program files\wallmaster\wallmast.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\taskpl~1.lnk - c:\documents and settings\sandra\taskplus\taskplus0.exe
uPolicies-explorer: NoActiveDesktop = 01000000
uPolicies-explorer: NoSMMyDocs = 01000000
uPolicies-explorer: NoSMMyPictures = 01000000
uPolicies-explorer: NoWinKeys = 01000000
uPolicies-explorer: NoNetworkConnections = 01000000
IE: Download All Links with IDM - c:\program files\internet download manager\IEGetAll.htm
IE: Download with IDM - c:\program files\internet download manager\IEExt.htm
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - {552781AF-37E4-4FEE-920A-CED9E648EADD} - c:\program files\common files\microsoft shared\encarta search bar\ENCSBAR.DLL
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1292712666031
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {C1F8FC10-E5DB-4112-9DBF-6C3FF728D4E3} - hxxp://support.dell.com/systemprofiler/DellSystemLite.CAB
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.4.2/jinstall-1_4_2_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
TCP: DhcpNameServer = 74.50.130.108 74.50.130.109
TCP: Interfaces\{01A3F69E-B2E3-4E55-8901-5862CFE1E187} : DhcpNameServer = 74.50.130.108 74.50.130.109
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
AppInit_DLLs: c:\windows\system32\guard32.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\sandra\application data\mozilla\firefox\profiles\9kxjav6t.default\
FF - prefs.js: browser.startup.homepage - about:blank
FF - component: c:\documents and settings\sandra\application data\mozilla\firefox\profiles\9kxjav6t.default\extensions\mozilla_cc@internetdownloadmanager.com\components\idmmzcc.dll
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npMozCouponPrinter.dll
.
============= SERVICES / DRIVERS ===============
.
R0 pssnap;Paramount Software Snapshot Filter;c:\windows\system32\drivers\pssnap.sys [2011-12-22 16024]
R0 vididr;Acronis Virtual Disk;c:\windows\system32\drivers\vididr.sys [2011-9-25 125472]
R0 vidsflt53;Acronis Disk Storage Filter (53);c:\windows\system32\drivers\vsflt53.sys [2011-9-25 83392]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [2010-9-10 494816]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2010-9-10 31704]
R1 IDMTDI;IDMTDI;c:\windows\system32\drivers\idmtdi.sys [2010-12-9 101616]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2011-4-18 165648]
R1 MpKslfb70ede7;MpKslfb70ede7;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{aad84add-adee-4452-bbdc-6b6a6c3586bc}\MpKslfb70ede7.sys [2012-1-22 29904]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2010-2-17 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67664]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCORE.EXE [2010-6-29 116608]
R2 cmdAgent;COMODO Internet Security Helper Service;c:\program files\comodo\comodo internet security\cmdagent.exe [2010-9-10 1960584]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2010-12-18 652872]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-12-18 20464]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 ReflectService.exe;Macrium Reflect Image Mounting Service;c:\program files\macrium\reflect\ReflectService.exe [2011-12-22 224920]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
UnknownUnknown MpKsl2f6f7354;MpKsl2f6f7354; [x]
UnknownUnknown MpKsl9fa4aaae;MpKsl9fa4aaae; [x]
.
=============== Created Last 30 ================
.
2012-01-22 16:08:51 -------- d--h--w- c:\windows\PIF
2012-01-22 16:02:33 29904 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{aad84add-adee-4452-bbdc-6b6a6c3586bc}\MpKslfb70ede7.sys
2012-01-22 15:51:40 6557240 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{aad84add-adee-4452-bbdc-6b6a6c3586bc}\mpengine.dll
2012-01-15 17:29:09 -------- d-----w- c:\program files\ESET
2012-01-06 18:07:57 -------- d-----w- c:\program files\Karen's Power Tools
2012-01-06 18:07:46 -------- d-----w- c:\documents and settings\all users\application data\Karen's Power Tools
2012-01-06 01:41:50 -------- d-----w- c:\documents and settings\sandra\application data\ElevatedDiagnostics
2012-01-06 01:19:08 -------- dc-h--w- c:\windows\ie8
2012-01-05 22:34:27 6144 ------w- c:\windows\system32\dllcache\iecompat.dll
2012-01-05 22:34:03 -------- d-----w- c:\windows\ie8updates
2012-01-05 22:33:08 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2012-01-05 22:33:07 247808 ------w- c:\windows\system32\dllcache\ieproxy.dll
2012-01-05 22:33:06 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll
2011-12-31 18:18:51 -------- d-----w- c:\documents and settings\all users\application data\Macrium
2011-12-31 18:17:45 -------- d-----w- c:\program files\Macrium
2011-12-31 16:15:20 161 ----a-w- C:\Delme.bat
2011-12-31 14:01:56 -------- d-----w- c:\documents and settings\sandra\local settings\application data\Solid State Networks
2011-12-31 13:59:44 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-12-31 13:22:59 121816 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2011-12-31 13:22:55 814040 ----a-w- c:\program files\mozilla firefox\mozsqlite3.dll
2011-12-31 13:22:55 626688 ----a-w- c:\program files\mozilla firefox\msvcr80.dll
2011-12-31 13:22:55 548864 ----a-w- c:\program files\mozilla firefox\msvcp80.dll
2011-12-31 13:22:55 479232 ----a-w- c:\program files\mozilla firefox\msvcm80.dll
2011-12-31 13:22:55 43992 ----a-w- c:\program files\mozilla firefox\mozutils.dll
2011-12-31 13:22:55 2124760 ----a-w- c:\program files\mozilla firefox\mozjs.dll
2011-12-31 13:22:55 15832 ----a-w- c:\program files\mozilla firefox\mozalloc.dll
2011-12-31 13:22:54 97240 ----a-w- c:\program files\mozilla firefox\libEGL.dll
2011-12-31 13:22:54 486360 ----a-w- c:\program files\mozilla firefox\libGLESv2.dll
2011-12-31 13:22:54 2106216 ----a-w- c:\program files\mozilla firefox\D3DCompiler_43.dll
2011-12-31 13:22:54 1998168 ----a-w- c:\program files\mozilla firefox\d3dx9_43.dll
.
==================== Find3M ====================
.
2011-12-31 13:59:11 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-12-22 22:16:42 12952 ----a-w- c:\windows\system32\drivers\PSVolAcc.sys
2011-12-22 22:16:34 16024 ----a-w- c:\windows\system32\drivers\pssnap.sys
2011-12-22 22:16:28 47256 ----a-w- c:\windows\system32\drivers\psmounter.sys
2011-12-19 18:59:21 31704 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2011-12-19 18:59:20 494816 ----a-w- c:\windows\system32\drivers\cmdGuard.sys
2011-12-19 18:59:19 18056 ----a-w- c:\windows\system32\drivers\cmderd.sys
2011-12-19 18:58:56 33984 ----a-w- c:\windows\system32\cmdcsr.dll
2011-12-19 18:58:55 301224 ----a-w- c:\windows\system32\guard32.dll
2011-12-10 22:24:06 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-30 13:11:56 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-25 21:57:19 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-11-23 13:25:32 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-18 12:35:08 60416 ----a-w- c:\windows\system32\packager.exe
2011-11-16 14:21:44 354816 ----a-w- c:\windows\system32\winhttp.dll
2011-11-16 14:21:44 152064 ----a-w- c:\windows\system32\schannel.dll
2011-11-04 19:20:51 916992 ----a-w- c:\windows\system32\wininet.dll
2011-11-04 19:20:51 43520 ------w- c:\windows\system32\licmgr10.dll
2011-11-04 19:20:51 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-11-04 11:23:59 385024 ------w- c:\windows\system32\html.iec
2011-11-03 15:28:36 386048 ----a-w- c:\windows\system32\qdvd.dll
2011-11-03 15:28:36 1292288 ----a-w- c:\windows\system32\quartz.dll
2011-11-01 16:07:10 1288704 ----a-w- c:\windows\system32\ole32.dll
2011-10-30 13:01:19 2516 --sha-w- c:\windows\system32\KGyGaAvL.sys
2011-10-28 05:31:48 33280 ----a-w- c:\windows\system32\csrsrv.dll
2011-10-25 13:33:08 2192768 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-10-25 12:52:03 2069376 ----a-w- c:\windows\system32\ntkrnlpa.exe
2007-06-07 21:03:00 28672 ----a-w- c:\program files\SysRestorePoint.exe
.
============= FINISH: 9:15:24.68 ===============


.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-06-23.01)
.
Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 12/18/2010 12:39:58 PM
System Uptime: 1/22/2012 8:55:02 AM (1 hours ago)
.
Motherboard: Dell Computer Corp. | | 0WF887
Processor: Intel® Celeron® CPU 2.53GHz | Microprocessor | 2527/533mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 109 GiB total, 89.635 GiB free.
D: is FIXED (NTFS) - 36 GiB total, 21.709 GiB free.
E: is CDROM (CDFS)
F: is Removable
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP1: 1/22/2012 8:58:37 AM - System Checkpoint
.
==== Installed Programs ======================
.
32 Bit HP CIO Components Installer
Acronis True Image WD Edition
Adobe Flash Player 10 ActiveX
Adobe Flash Player 11 Plugin
Adobe Reader X (10.1.1)
Adobe Shockwave Player 11.5
AnswerWorks 5.0 English Runtime
AOLIcon
Apple Application Support
Auslogics Disk Defrag
awinterscene_3274380 Screen Saver
Battleship SURFACE THUNDER
BufferChm
CDBurnerXP
ClearType Tuning Control Panel Applet
Clue
COMODO Internet Security
Conexant D850 56K V.9x DFVc Modem
Corel Paint Shop Pro X
Corel Photo Album 6
Coupon Printer for Windows
CustomerResearchQFolder
Data Lifeguard Diagnostic for Windows 1.24
Dell CinePlayer
Dell Digital Jukebox Driver
Dell Driver Reset Tool
Dell Support 3.1
Dell System Restore
Destinations
DeviceManagementQFolder
Digital Line Detect
DirectX Media Runtime 5.1
dj_taplugin
dj6980
Documentation & Support Launcher
ELIcon
ESET Online Scanner v3
eSupportQFolder
FLV Player
Freecorder
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB2570791)
Hotfix for Windows XP (KB2633952)
Hotfix for Windows XP (KB915800-v4)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hoyle Board Games 2003
Hoyle Board Games 2005
Hoyle Card Games 2005
Hoyle Solitaire
Hoyle Word Games
HP Deskjet 6900 series
HP Extended Capabilities 6.0
HP Imaging Device Functions 6.0
HP Photosmart Essential
HP Solution Center and Imaging Support Tools 6.0
hpf_ProductContext
HPProductAssistant
Intel® Extreme Graphics 2 Driver
Intel® PRO Network Adapters and Drivers
Intel® PROSet for Wired Connections
Internet Download Manager
IrfanView (remove only)
Java 2 Runtime Environment, SE v1.4.2_03
Java Auto Updater
Java™ 6 Update 30
Karen's Cookie Viewer
LP6980_Help
LP6980Trb
Macrium Reflect Free Edition
Macromedia Shockwave Player
Malwarebytes Anti-Malware version 1.60.0.1800
MarketResearch
MCU
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2656353)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft Antimalware
Microsoft Application Error Reporting
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Digital Image Library 9 - Blocker
Microsoft Digital Image Standard 2006
Microsoft Digital Image Standard 2006 Editor
Microsoft Digital Image Standard 2006 Library
Microsoft Encarta Encyclopedia Standard 2006
Microsoft Excel Viewer 97
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft PowerPoint Viewer 97
Microsoft Security Client
Microsoft Security Essentials
Microsoft Streets & Trips 2006
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
Microsoft Word 2002
Microsoft Works
Microsoft Works Suite 2006 Setup Launcher
Microsoft Works Suite Add-in for Microsoft Word
Modem Helper
MozBackup 1.4.7
Mozilla Firefox 9.0.1 (x86 en-US)
Mozilla Thunderbird (6.0)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Password Corral v4.0
QFolder
Quicken 2008
QuickTime
Readme
Recuva
Revo Uninstaller 1.92
Rings of the Magi
Roxio DLA
Roxio Express Labeler
Roxio MyDVD LE
Roxio RecordNow Audio
Roxio RecordNow Copy
Roxio RecordNow Data
Scrabble
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft Windows (KB2564958)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB2360131)
Security Update for Windows Internet Explorer 7 (KB2416400)
Security Update for Windows Internet Explorer 7 (KB2482017)
Security Update for Windows Internet Explorer 7 (KB2497640)
Security Update for Windows Internet Explorer 7 (KB2530548)
Security Update for Windows Internet Explorer 7 (KB2544521)
Security Update for Windows Internet Explorer 7 (KB2559049)
Security Update for Windows Internet Explorer 7 (KB2586448)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB982381)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB2544521)
Security Update for Windows Internet Explorer 8 (KB2618444)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2416400)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476490)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479628)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485376)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2491683)
Security Update for Windows XP (KB2503658)
Security Update for Windows XP (KB2503665)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2506223)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2507938)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2510581)
Security Update for Windows XP (KB2511455)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB2535512)
Security Update for Windows XP (KB2536276-v2)
Security Update for Windows XP (KB2536276)
Security Update for Windows XP (KB2544893-v2)
Security Update for Windows XP (KB2544893)
Security Update for Windows XP (KB2555917)
Security Update for Windows XP (KB2562937)
Security Update for Windows XP (KB2566454)
Security Update for Windows XP (KB2567053)
Security Update for Windows XP (KB2567680)
Security Update for Windows XP (KB2570222)
Security Update for Windows XP (KB2570947)
Security Update for Windows XP (KB2584146)
Security Update for Windows XP (KB2585542)
Security Update for Windows XP (KB2592799)
Security Update for Windows XP (KB2598479)
Security Update for Windows XP (KB2603381)
Security Update for Windows XP (KB2618451)
Security Update for Windows XP (KB2619339)
Security Update for Windows XP (KB2620712)
Security Update for Windows XP (KB2624667)
Security Update for Windows XP (KB2631813)
Security Update for Windows XP (KB2633171)
Security Update for Windows XP (KB2639417)
Security Update for Windows XP (KB2646524)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981349)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
SolutionCenter
Sonic Activation Module
StartWatch (remove only)
Status
SUPERAntiSpyware
Task Plus 3.9.9.7
thechristmastree_3264062 Screen Saver
TrayApp
Tweak UI
Unload
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft Windows (KB971513)
Update for Windows Internet Explorer 8 (KB2598845)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB2492386)
Update for Windows XP (KB2541763)
Update for Windows XP (KB2616676-v2)
Update for Windows XP (KB2641690)
Update for Windows XP (KB898461)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
VLC media player 1.1.11
WallMaster
WebFldrs XP
WebReg
Windows Backup Utility
Windows Genuine Advantage Validation Tool (KB892130)
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Player 10
Windows Media Player 11
Windows PowerShell™ 1.0
Windows XP Service Pack 3
Works Upgrade
.
==== Event Viewer Messages From Past Week ========
.
1/19/2012 6:09:27 AM, error: Dhcp [1002] - The IP address lease 192.168.1.101 for the Network Card with network address 00167635B1DB has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
1/17/2012 11:41:22 AM, error: EventLog [6004] - A driver packet received from the I/O subsystem was invalid. The data is the packet.
1/16/2012 6:17:07 AM, error: Dhcp [1002] - The IP address lease 192.168.1.100 for the Network Card with network address 00167635B1DB has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
.
==== End Of File ===========================


Malwarebytes Anti-Malware (PRO) 1.60.0.1800
www.malwarebytes.org

Database version: v2012.01.22.02

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Sandra :: SANDRA [administrator]

Protection: Enabled

1/22/2012 6:55:59 AM
mbam-log-2012-01-22 (06-55-59).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
Scan options disabled:
Objects scanned: 206723
Time elapsed: 5 minute(s), 10 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)


GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-01-22 08:50:49
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 WDC_WD1600JB-75GVC0 rev.08.02D08
Running: ncevu5si.exe; Driver: C:\DOCUME~1\Sandra\LOCALS~1\Temp\kwtdypob.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwAdjustPrivilegesToken [0xB16407E6]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwConnectPort [0xB163FD92]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwCreateFile [0xB164044C]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwCreateKey [0xB164102A]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwCreateSection [0xB1642BEE]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwCreateSymbolicLinkObject [0xB1642F6C]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwCreateThread [0xB163F77E]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwDeleteKey [0xB16409D2]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwDeleteValueKey [0xB1640BDA]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwDuplicateObject [0xB163F584]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwEnumerateKey [0xB16417F8]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwEnumerateValueKey [0xB1641A4E]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwLoadDriver [0xB1642620]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwMakeTemporaryObject [0xB164005A]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwOpenFile [0xB1640628]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwOpenKey [0xB164101A]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwOpenProcess [0xB163F1B2]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwOpenSection [0xB16402F4]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwOpenThread [0xB163F3B6]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwQueryKey [0xB1641C5C]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwQueryMultipleValueKey [0xB16420B0]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwQueryValueKey [0xB1641E6E]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwRenameKey [0xB1641590]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwSetSecurityObject [0xB1640E38]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwSetSystemInformation [0xB164290C]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwSetValueKey [0xB16412F8]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwShutdownSystem [0xB163FFC4]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwSystemDebugControl [0xB16401E0]
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xB14F8640]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwTerminateThread [0xB163F982]

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!_abnormal_termination + 2CC 804E2938 6 Bytes [5C, 1C, 64, B1, B0, 20]
.text ntoskrnl.exe!_abnormal_termination + 2D3 804E293F 1 Byte [B1]
.text ntoskrnl.exe!_abnormal_termination + 34C 804E29B8 2 Bytes [90, 15]
.text ntoskrnl.exe!_abnormal_termination + 34F 804E29BB 1 Byte [B1]
.text ntoskrnl.exe!_abnormal_termination + 448 804E2AB4 2 Bytes [E0, 01] {LOOPNZ 0x3}
.text ...
init C:\WINDOWS\system32\drivers\senfilt.sys entry point in "init" section [0xB98D5F80]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\CDBurnerXP\NMSAccessU.exe[396] ntdll.dll!NtClose 7C90CFEE 2 Bytes JMP 1001D080 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\CDBurnerXP\NMSAccessU.exe[396] ntdll.dll!NtClose + 3 7C90CFF1 2 Bytes [71, 93] {JNO 0xffffffffffffff95}
.text C:\Program Files\CDBurnerXP\NMSAccessU.exe[396] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 5 Bytes JMP 1002BB80 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\CDBurnerXP\NMSAccessU.exe[396] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 5 Bytes JMP 1002B860 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\CDBurnerXP\NMSAccessU.exe[396] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 10027DF0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\CDBurnerXP\NMSAccessU.exe[396] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 1001D1A0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\CDBurnerXP\NMSAccessU.exe[396] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10024F30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\CDBurnerXP\NMSAccessU.exe[396] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 10025AC0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\CDBurnerXP\NMSAccessU.exe[396] ADVAPI32.dll!CreateProcessAsUserW 77DEA8A9 5 Bytes JMP 10023A60 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\CDBurnerXP\NMSAccessU.exe[396] ADVAPI32.dll!CreateProcessAsUserA 77E10CE8 5 Bytes JMP 10024390 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\CDBurnerXP\NMSAccessU.exe[396] GDI32.dll!DeleteDC 77F16E5F 5 Bytes JMP 10028BC0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\CDBurnerXP\NMSAccessU.exe[396] GDI32.dll!GetPixel 77F1B74C 5 Bytes JMP 10028990 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\CDBurnerXP\NMSAccessU.exe[396] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10029CC0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\CDBurnerXP\NMSAccessU.exe[396] GDI32.dll!CreateDCW 77F1BE38 5 Bytes JMP 10029BC0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\System32\svchost.exe[452] ntdll.dll!NtClose 7C90CFEE 2 Bytes JMP 1001D080 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\System32\svchost.exe[452] ntdll.dll!NtClose + 3 7C90CFF1 2 Bytes [71, 93] {JNO 0xffffffffffffff95}
.text C:\WINDOWS\System32\svchost.exe[452] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 5 Bytes JMP 1002BB80 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\System32\svchost.exe[452] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 5 Bytes JMP 1002B860 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\System32\svchost.exe[452] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 10027DF0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\System32\svchost.exe[452] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 1001D1A0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\System32\svchost.exe[452] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10024F30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\System32\svchost.exe[452] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 10025AC0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\System32\svchost.exe[452] ADVAPI32.dll!CreateProcessAsUserW 77DEA8A9 5 Bytes JMP 10023A60 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\System32\svchost.exe[452] ADVAPI32.dll!CreateProcessAsUserA 77E10CE8 5 Bytes JMP 10024390 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\System32\svchost.exe[452] GDI32.dll!DeleteDC 77F16E5F 5 Bytes JMP 10028BC0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\System32\svchost.exe[452] GDI32.dll!GetPixel 77F1B74C 5 Bytes JMP 10028990 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\System32\svchost.exe[452] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10029CC0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\System32\svchost.exe[452] GDI32.dll!CreateDCW 77F1BE38 5 Bytes JMP 10029BC0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\Microsoft Security Client\msseces.exe[644] ntdll.dll!NtClose 7C90CFEE 2 Bytes JMP 1001D080 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\Microsoft Security Client\msseces.exe[644] ntdll.dll!NtClose + 3 7C90CFF1 2 Bytes [71, 93] {JNO 0xffffffffffffff95}
.text C:\Program Files\Microsoft Security Client\msseces.exe[644] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 5 Bytes JMP 1002BB80 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\Microsoft Security Client\msseces.exe[644] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 5 Bytes JMP 1002B860 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\Microsoft Security Client\msseces.exe[644] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 10027DF0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\Microsoft Security Client\msseces.exe[644] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 1001D1A0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\Microsoft Security Client\msseces.exe[644] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10024F30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\Microsoft Security Client\msseces.exe[644] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 10025AC0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\Microsoft Security Client\msseces.exe[644] ADVAPI32.dll!CreateProcessAsUserW 77DEA8A9 5 Bytes JMP 10023A60 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\Microsoft Security Client\msseces.exe[644] ADVAPI32.dll!CreateProcessAsUserA 77E10CE8 5 Bytes JMP 10024390 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\Microsoft Security Client\msseces.exe[644] GDI32.dll!DeleteDC 77F16E5F 5 Bytes JMP 10028BC0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\Microsoft Security Client\msseces.exe[644] GDI32.dll!GetPixel 77F1B74C 5 Bytes JMP 10028990 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\Microsoft Security Client\msseces.exe[644] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10029CC0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\Microsoft Security Client\msseces.exe[644] GDI32.dll!CreateDCW 77F1BE38 5 Bytes JMP 10029BC0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Documents and Settings\Sandra\TaskPlus\taskplus0.exe[660] ntdll.dll!NtClose 7C90CFEE 2 Bytes JMP 1001D080 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Documents and Settings\Sandra\TaskPlus\taskplus0.exe[660] ntdll.dll!NtClose + 3 7C90CFF1 2 Bytes [71, 93] {JNO 0xffffffffffffff95}
.text C:\Documents and Settings\Sandra\TaskPlus\taskplus0.exe[660] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 5 Bytes JMP 1002BB80 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Documents and Settings\Sandra\TaskPlus\taskplus0.exe[660] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 5 Bytes JMP 1002B860 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Documents and Settings\Sandra\TaskPlus\taskplus0.exe[660] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 10027DF0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Documents and Settings\Sandra\TaskPlus\taskplus0.exe[660] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 1001D1A0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Documents and Settings\Sandra\TaskPlus\taskplus0.exe[660] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10024F30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Documents and Settings\Sandra\TaskPlus\taskplus0.exe[660] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 10025AC0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Documents and Settings\Sandra\TaskPlus\taskplus0.exe[660] GDI32.dll!DeleteDC 77F16E5F 5 Bytes JMP 10028BC0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Documents and Settings\Sandra\TaskPlus\taskplus0.exe[660] GDI32.dll!GetPixel 77F1B74C 5 Bytes JMP 10028990 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Documents and Settings\Sandra\TaskPlus\taskplus0.exe[660] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10029CC0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Documents and Settings\Sandra\TaskPlus\taskplus0.exe[660] GDI32.dll!CreateDCW 77F1BE38 5 Bytes JMP 10029BC0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Documents and Settings\Sandra\TaskPlus\taskplus0.exe[660] ADVAPI32.dll!CreateProcessAsUserW 77DEA8A9 5 Bytes JMP 10023A60 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Documents and Settings\Sandra\TaskPlus\taskplus0.exe[660] ADVAPI32.dll!CreateProcessAsUserA 77E10CE8 5 Bytes JMP 10024390 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\csrss.exe[784] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 5 Bytes JMP 10001450 C:\WINDOWS\system32\cmdcsr.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\csrss.exe[784] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 5 Bytes JMP 100017F0 C:\WINDOWS\system32\cmdcsr.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\services.exe[856] ntdll.dll!NtClose 7C90CFEE 2 Bytes JMP 1001D080 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\services.exe[856] ntdll.dll!NtClose + 3 7C90CFF1 2 Bytes [71, 93] {JNO 0xffffffffffffff95}
.text C:\WINDOWS\system32\services.exe[856] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 5 Bytes JMP 1002BB80 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\services.exe[856] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 5 Bytes JMP 1002B860 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\services.exe[856] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 10027DF0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\services.exe[856] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 1001D1A0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\services.exe[856] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10024F30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\services.exe[856] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 10025AC0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\services.exe[856] ADVAPI32.dll!CreateProcessAsUserW 77DEA8A9 5 Bytes JMP 10023A60 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\services.exe[856] ADVAPI32.dll!CreateProcessAsUserA 77E10CE8 5 Bytes JMP 10024390 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\services.exe[856] RPCRT4.dll!RpcServerRegisterIfEx 77E8CD53 5 Bytes JMP 1001F060 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\services.exe[856] GDI32.dll!DeleteDC 77F16E5F 5 Bytes JMP 10028BC0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\services.exe[856] GDI32.dll!GetPixel 77F1B74C 5 Bytes JMP 10028990 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\services.exe[856] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10029CC0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\services.exe[856] GDI32.dll!CreateDCW 77F1BE38 5 Bytes JMP 10029BC0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\lsass.exe[868] ntdll.dll!NtClose 7C90CFEE 2 Bytes JMP 1001D080 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\lsass.exe[868] ntdll.dll!NtClose + 3 7C90CFF1 2 Bytes [71, 93] {JNO 0xffffffffffffff95}
.text C:\WINDOWS\system32\lsass.exe[868] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 5 Bytes JMP 1002BB80 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\lsass.exe[868] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 5 Bytes JMP 1002B860 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\lsass.exe[868] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 10027DF0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\lsass.exe[868] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 1001D1A0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\lsass.exe[868] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10024F30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\lsass.exe[868] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 10025AC0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\lsass.exe[868] ADVAPI32.dll!CreateProcessAsUserW 77DEA8A9 5 Bytes JMP 10023A60 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\lsass.exe[868] ADVAPI32.dll!CreateProcessAsUserA 77E10CE8 5 Bytes JMP 10024390 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\lsass.exe[868] GDI32.dll!DeleteDC 77F16E5F 5 Bytes JMP 10028BC0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\lsass.exe[868] GDI32.dll!GetPixel 77F1B74C 5 Bytes JMP 10028990 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\lsass.exe[868] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10029CC0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\lsass.exe[868] GDI32.dll!CreateDCW 77F1BE38 5 Bytes JMP 10029BC0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[1040] ntdll.dll!NtClose 7C90CFEE 2 Bytes JMP 1001D080 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[1040] ntdll.dll!NtClose + 3 7C90CFF1 2 Bytes [71, 93] {JNO 0xffffffffffffff95}
.text C:\WINDOWS\system32\svchost.exe[1040] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 5 Bytes JMP 1002BB80 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[1040] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 5 Bytes JMP 1002B860 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[1040] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 10027DF0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[1040] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 1001D1A0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[1040] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10024F30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[1040] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 10025AC0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[1040] ADVAPI32.dll!CreateProcessAsUserW 77DEA8A9 5 Bytes JMP 10023A60 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[1040] ADVAPI32.dll!CreateProcessAsUserA 77E10CE8 5 Bytes JMP 10024390 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[1040] RPCRT4.dll!RpcServerRegisterIfEx 77E8CD53 5 Bytes JMP 1001F060 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[1040] GDI32.dll!DeleteDC 77F16E5F 5 Bytes JMP 10028BC0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[1040] GDI32.dll!GetPixel 77F1B74C 5 Bytes JMP 10028990 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[1040] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10029CC0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[1040] GDI32.dll!CreateDCW 77F1BE38 5 Bytes JMP 10029BC0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Documents and Settings\Sandra\Start Menu\Programs\Startup\Printkey.exe[1064] ntdll.dll!NtClose 7C90CFEE 2 Bytes JMP 1001D080 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Documents and Settings\Sandra\Start Menu\Programs\Startup\Printkey.exe[1064] ntdll.dll!NtClose + 3 7C90CFF1 2 Bytes [71, 93] {JNO 0xffffffffffffff95}
.text C:\Documents and Settings\Sandra\Start Menu\Programs\Startup\Printkey.exe[1064] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 5 Bytes JMP 1002BB80 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Documents and Settings\Sandra\Start Menu\Programs\Startup\Printkey.exe[1064] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 5 Bytes JMP 1002B860 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Documents and Settings\Sandra\Start Menu\Programs\Startup\Printkey.exe[1064] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 10027DF0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Documents and Settings\Sandra\Start Menu\Programs\Startup\Printkey.exe[1064] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 1001D1A0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Documents and Settings\Sandra\Start Menu\Programs\Startup\Printkey.exe[1064] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10024F30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Documents and Settings\Sandra\Start Menu\Programs\Startup\Printkey.exe[1064] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 10025AC0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Documents and Settings\Sandra\Start Menu\Programs\Startup\Printkey.exe[1064] GDI32.dll!DeleteDC 77F16E5F 5 Bytes JMP 10028BC0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Documents and Settings\Sandra\Start Menu\Programs\Startup\Printkey.exe[1064] GDI32.dll!GetPixel 77F1B74C 5 Bytes JMP 10028990 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Documents and Settings\Sandra\Start Menu\Programs\Startup\Printkey.exe[1064] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10029CC0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Documents and Settings\Sandra\Start Menu\Programs\Startup\Printkey.exe[1064] GDI32.dll!CreateDCW 77F1BE38 5 Bytes JMP 10029BC0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Documents and Settings\Sandra\Start Menu\Programs\Startup\Printkey.exe[1064] advapi32.dll!CreateProcessAsUserW 77DEA8A9 5 Bytes JMP 10023A60 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Documents and Settings\Sandra\Start Menu\Programs\Startup\Printkey.exe[1064] advapi32.dll!CreateProcessAsUserA 77E10CE8 5 Bytes JMP 10024390 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\WallMaster\wallmast.exe[1072] ntdll.dll!NtClose 7C90CFEE 2 Bytes JMP 1001D080 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\WallMaster\wallmast.exe[1072] ntdll.dll!NtClose + 3 7C90CFF1 2 Bytes [71, 93] {JNO 0xffffffffffffff95}
.text C:\Program Files\WallMaster\wallmast.exe[1072] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 5 Bytes JMP 1002BB80 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\WallMaster\wallmast.exe[1072] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 5 Bytes JMP 1002B860 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\WallMaster\wallmast.exe[1072] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 10027DF0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\WallMaster\wallmast.exe[1072] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 1001D1A0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\WallMaster\wallmast.exe[1072] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10024F30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\WallMaster\wallmast.exe[1072] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 10025AC0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\WallMaster\wallmast.exe[1072] GDI32.dll!DeleteDC 77F16E5F 5 Bytes JMP 10028BC0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\WallMaster\wallmast.exe[1072] GDI32.dll!GetPixel 77F1B74C 5 Bytes JMP 10028990 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\WallMaster\wallmast.exe[1072] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10029CC0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\WallMaster\wallmast.exe[1072] GDI32.dll!CreateDCW 77F1BE38 5 Bytes JMP 10029BC0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\WallMaster\wallmast.exe[1072] advapi32.dll!CreateProcessAsUserW 77DEA8A9 5 Bytes JMP 10023A60 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\WallMaster\wallmast.exe[1072] advapi32.dll!CreateProcessAsUserA 77E10CE8 5 Bytes JMP 10024390 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[1104] ntdll.dll!NtClose 7C90CFEE 2 Bytes JMP 1001D080 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[1104] ntdll.dll!NtClose + 3 7C90CFF1 2 Bytes [71, 93] {JNO 0xffffffffffffff95}
.text C:\WINDOWS\system32\svchost.exe[1104] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 5 Bytes JMP 1002BB80 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[1104] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 5 Bytes JMP 1002B860 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[1104] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 10027DF0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[1104] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 1001D1A0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10024F30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 10025AC0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[1104] ADVAPI32.dll!CreateProcessAsUserW 77DEA8A9 5 Bytes JMP 10023A60 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[1104] ADVAPI32.dll!CreateProcessAsUserA 77E10CE8 5 Bytes JMP 10024390 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[1104] RPCRT4.dll!RpcServerRegisterIfEx 77E8CD53 5 Bytes JMP 1001F060 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[1104] GDI32.dll!DeleteDC 77F16E5F 5 Bytes JMP 10028BC0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[1104] GDI32.dll!GetPixel 77F1B74C 5 Bytes JMP 10028990 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[1104] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10029CC0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[1104] GDI32.dll!CreateDCW 77F1BE38 5 Bytes JMP 10029BC0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[1104] rpcss.dll!WhichService 76A84234 8 Bytes JMP ED501001
.text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[1200] ntdll.dll!NtAllocateVirtualMemory 7C90CF6E 5 Bytes JMP 00530250 C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe (COMODO Internet Security/COMODO)
.text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[1200] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00549CD0 C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[1236] ntdll.dll!NtClose 7C90CFEE 2 Bytes JMP 1001D080 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[1236] ntdll.dll!NtClose + 3 7C90CFF1 2 Bytes [71, 93] {JNO 0xffffffffffffff95}
.text C:\WINDOWS\system32\svchost.exe[1236] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 5 Bytes JMP 1002BB80 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[1236] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 5 Bytes JMP 1002B860 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[1236] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 10027DF0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[1236] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 1001D1A0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[1236] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10024F30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[1236] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 10025AC0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[1236] ADVAPI32.dll!CreateProcessAsUserW 77DEA8A9 5 Bytes JMP 10023A60 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[1236] ADVAPI32.dll!CreateProcessAsUserA 77E10CE8 5 Bytes JMP 10024390 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[1236] RPCRT4.dll!RpcServerRegisterIfEx 77E8CD53 5 Bytes JMP 1001F060 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[1236] GDI32.dll!DeleteDC 77F16E5F 5 Bytes JMP 10028BC0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[1236] GDI32.dll!GetPixel 77F1B74C 5 Bytes JMP 10028990 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[1236] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10029CC0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[1236] GDI32.dll!CreateDCW 77F1BE38 5 Bytes JMP 10029BC0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe[1248] ntdll.dll!NtClose 7C90CFEE 2 Bytes JMP 1001D080 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe[1248] ntdll.dll!NtClose + 3 7C90CFF1 2 Bytes [71, 93] {JNO 0xffffffffffffff95}
.text C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe[1248] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 5 Bytes JMP 1002BB80 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe[1248] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 5 Bytes JMP 1002B860 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe[1248] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 10027DF0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe[1248] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 1001D1A0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe[1248] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10024F30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe[1248] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 10025AC0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe[1248] GDI32.dll!DeleteDC 77F16E5F 5 Bytes JMP 10028BC0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe[1248] GDI32.dll!GetPixel 77F1B74C 5 Bytes JMP 10028990 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe[1248] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10029CC0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe[1248] GDI32.dll!CreateDCW 77F1BE38 5 Bytes JMP 10029BC0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe[1248] ADVAPI32.dll!CreateProcessAsUserW 77DEA8A9 5 Bytes JMP 10023A60 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe[1248] ADVAPI32.dll!CreateProcessAsUserA 77E10CE8 5 Bytes JMP 10024390 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[1512] ntdll.dll!NtClose 7C90CFEE 2 Bytes JMP 1001D080 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[1512] ntdll.dll!NtClose + 3 7C90CFF1 2 Bytes [71, 93] {JNO 0xffffffffffffff95}
.text C:\WINDOWS\system32\svchost.exe[1512] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 5 Bytes JMP 1002BB80 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[1512] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 5 Bytes JMP 1002B860 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[1512] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 10027DF0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[1512] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 1001D1A0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[1512] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10024F30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[1512] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 10025AC0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[1512] ADVAPI32.dll!CreateProcessAsUserW 77DEA8A9 5 Bytes JMP 10023A60 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[1512] ADVAPI32.dll!CreateProcessAsUserA 77E10CE8 5 Bytes JMP 10024390 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[1512] GDI32.dll!DeleteDC 77F16E5F 5 Bytes JMP 10028BC0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[1512] GDI32.dll!GetPixel 77F1B74C 5 Bytes JMP 10028990 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[1512] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10029CC0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[1512] GDI32.dll!CreateDCW 77F1BE38 5 Bytes JMP 10029BC0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\SUPERAntiSpyware\SASCORE.EXE[1560] ntdll.dll!NtClose 7C90CFEE 2 Bytes JMP 1001D080 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\SUPERAntiSpyware\SASCORE.EXE[1560] ntdll.dll!NtClose + 3 7C90CFF1 2 Bytes [71, 93] {JNO 0xffffffffffffff95}
.text C:\Program Files\SUPERAntiSpyware\SASCORE.EXE[1560] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 5 Bytes JMP 1002BB80 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\SUPERAntiSpyware\SASCORE.EXE[1560] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 5 Bytes JMP 1002B860 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\SUPERAntiSpyware\SASCORE.EXE[1560] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 10027DF0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\SUPERAntiSpyware\SASCORE.EXE[1560] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 1001D1A0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\SUPERAntiSpyware\SASCORE.EXE[1560] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10024F30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\SUPERAntiSpyware\SASCORE.EXE[1560] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 10025AC0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\SUPERAntiSpyware\SASCORE.EXE[1560] GDI32.dll!DeleteDC 77F16E5F 5 Bytes JMP 10028BC0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\SUPERAntiSpyware\SASCORE.EXE[1560] GDI32.dll!GetPixel 77F1B74C 5 Bytes JMP 10028990 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\SUPERAntiSpyware\SASCORE.EXE[1560] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10029CC0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\SUPERAntiSpyware\SASCORE.EXE[1560] GDI32.dll!CreateDCW 77F1BE38 5 Bytes JMP 10029BC0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\SUPERAntiSpyware\SASCORE.EXE[1560] ADVAPI32.dll!CreateProcessAsUserW 77DEA8A9 5 Bytes JMP 10023A60 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\SUPERAntiSpyware\SASCORE.EXE[1560] ADVAPI32.dll!CreateProcessAsUserA 77E10CE8 5 Bytes JMP 10024390 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\spoolsv.exe[1672] ntdll.dll!NtClose 7C90CFEE 2 Bytes JMP 1001D080 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\spoolsv.exe[1672] ntdll.dll!NtClose + 3 7C90CFF1 2 Bytes [71, 93] {JNO 0xffffffffffffff95}
.text C:\WINDOWS\system32\spoolsv.exe[1672] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 5 Bytes JMP 1002BB80 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\spoolsv.exe[1672] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 5 Bytes JMP 1002B860 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\spoolsv.exe[1672] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 10027DF0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\spoolsv.exe[1672] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 1001D1A0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\spoolsv.exe[1672] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10024F30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\spoolsv.exe[1672] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 10025AC0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\spoolsv.exe[1672] ADVAPI32.dll!CreateProcessAsUserW 77DEA8A9 5 Bytes JMP 10023A60 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\spoolsv.exe[1672] ADVAPI32.dll!CreateProcessAsUserA 77E10CE8 5 Bytes JMP 10024390 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\spoolsv.exe[1672] GDI32.dll!DeleteDC 77F16E5F 5 Bytes JMP 10028BC0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\spoolsv.exe[1672] GDI32.dll!GetPixel 77F1B74C 5 Bytes JMP 10028990 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\spoolsv.exe[1672] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10029CC0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\spoolsv.exe[1672] GDI32.dll!CreateDCW 77F1BE38 5 Bytes JMP 10029BC0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\System32\alg.exe[1792] ntdll.dll!NtClose 7C90CFEE 2 Bytes JMP 1001D080 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\System32\alg.exe[1792] ntdll.dll!NtClose + 3 7C90CFF1 2 Bytes [71, 93] {JNO 0xffffffffffffff95}
.text C:\WINDOWS\System32\alg.exe[1792] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 5 Bytes JMP 1002BB80 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\System32\alg.exe[1792] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 5 Bytes JMP 1002B860 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\System32\alg.exe[1792] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 10027DF0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\System32\alg.exe[1792] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 1001D1A0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\System32\alg.exe[1792] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10024F30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\System32\alg.exe[1792] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 10025AC0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\System32\alg.exe[1792] GDI32.dll!DeleteDC 77F16E5F 5 Bytes JMP 10028BC0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\System32\alg.exe[1792] GDI32.dll!GetPixel 77F1B74C 5 Bytes JMP 10028990 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\System32\alg.exe[1792] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10029CC0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\System32\alg.exe[1792] GDI32.dll!CreateDCW 77F1BE38 5 Bytes JMP 10029BC0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\System32\alg.exe[1792] ADVAPI32.dll!CreateProcessAsUserW 77DEA8A9 5 Bytes JMP 10023A60 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\System32\alg.exe[1792] ADVAPI32.dll!CreateProcessAsUserA 77E10CE8 5 Bytes JMP 10024390 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe[1824] ntdll.dll!NtClose 7C90CFEE 2 Bytes JMP 1001D080 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe[1824] ntdll.dll!NtClose + 3 7C90CFF1 2 Bytes [71, 93] {JNO 0xffffffffffffff95}
.text C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe[1824] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 5 Bytes JMP 1002BB80 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe[1824] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 5 Bytes JMP 1002B860 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe[1824] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 10027DF0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe[1824] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 1001D1A0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe[1824] KERNEL32.dll!CreateProcessW 7C802336 5 Bytes JMP 10024F30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe[1824] KERNEL32.dll!CreateProcessA 7C80236B 5 Bytes JMP 10025AC0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe[1824] GDI32.dll!DeleteDC 77F16E5F 5 Bytes JMP 10028BC0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe[1824] GDI32.dll!GetPixel 77F1B74C 5 Bytes JMP 10028990 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe[1824] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10029CC0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe[1824] GDI32.dll!CreateDCW 77F1BE38 5 Bytes JMP 10029BC0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe[1824] ADVAPI32.dll!CreateProcessAsUserW 77DEA8A9 5 Bytes JMP 10023A60 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe[1824] ADVAPI32.dll!CreateProcessAsUserA 77E10CE8 5 Bytes JMP 10024390 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\Explorer.EXE[1908] ntdll.dll!NtClose 7C90CFEE 2 Bytes JMP 1001D080 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\Explorer.EXE[1908] ntdll.dll!NtClose + 3 7C90CFF1 2 Bytes [71, 93] {JNO 0xffffffffffffff95}
.text C:\WINDOWS\Explorer.EXE[1908] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 5 Bytes JMP 1002BB80 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\Explorer.EXE[1908] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 5 Bytes JMP 1002B860 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\Explorer.EXE[1908] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 10027DF0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\Explorer.EXE[1908] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 1001D1A0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\Explorer.EXE[1908] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10024F30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\Explorer.EXE[1908] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 10025AC0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\Explorer.EXE[1908] ADVAPI32.dll!CreateProcessAsUserW 77DEA8A9 5 Bytes JMP 10023A60 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\Explorer.EXE[1908] ADVAPI32.dll!CreateProcessAsUserA 77E10CE8 5 Bytes JMP 10024390 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\Explorer.EXE[1908] GDI32.dll!DeleteDC 77F16E5F 5 Bytes JMP 10028BC0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\Explorer.EXE[1908] GDI32.dll!GetPixel 77F1B74C 5 Bytes JMP 10028990 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\Explorer.EXE[1908] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10029CC0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\Explorer.EXE[1908] GDI32.dll!CreateDCW 77F1BE38 5 Bytes JMP 10029BC0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[1952] ntdll.dll!NtClose 7C90CFEE 2 Bytes JMP 0095D080 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[1952] ntdll.dll!NtClose + 3 7C90CFF1 2 Bytes [05, 84]
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[1952] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 5 Bytes JMP 0096BB80 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[1952] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 5 Bytes JMP 0096B860 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[1952] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00967DF0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[1952] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 0095D1A0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[1952] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00964F30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[1952] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00965AC0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[1952] ADVAPI32.dll!CreateProcessAsUserW 77DEA8A9 5 Bytes JMP 00963A60 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[1952] ADVAPI32.dll!CreateProcessAsUserA 77E10CE8 5 Bytes JMP 00964390 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[1952] GDI32.dll!DeleteDC 77F16E5F 5 Bytes JMP 00968BC0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[1952] GDI32.dll!GetPixel 77F1B74C 5 Bytes JMP 00968990 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[1952] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 00969CC0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[1952] GDI32.dll!CreateDCW 77F1BE38 5 Bytes JMP 00969BC0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\igfxsrvc.exe[2068] ntdll.dll!NtClose 7C90CFEE 2 Bytes JMP 1001D080 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\igfxsrvc.exe[2068] ntdll.dll!NtClose + 3 7C90CFF1 2 Bytes [71, 93] {JNO 0xffffffffffffff95}
.text C:\WINDOWS\system32\igfxsrvc.exe[2068] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 5 Bytes JMP 1002BB80 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\igfxsrvc.exe[2068] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 5 Bytes JMP 1002B860 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\igfxsrvc.exe[2068] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 10027DF0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\igfxsrvc.exe[2068] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 1001D1A0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\igfxsrvc.exe[2068] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10024F30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\igfxsrvc.exe[2068] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 10025AC0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\igfxsrvc.exe[2068] GDI32.dll!DeleteDC 77F16E5F 5 Bytes JMP 10028BC0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\igfxsrvc.exe[2068] GDI32.dll!GetPixel 77F1B74C 5 Bytes JMP 10028990 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\igfxsrvc.exe[2068] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10029CC0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\igfxsrvc.exe[2068] GDI32.dll!CreateDCW 77F1BE38 5 Bytes JMP 10029BC0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\igfxsrvc.exe[2068] ADVAPI32.dll!CreateProcessAsUserW 77DEA8A9 5 Bytes JMP 10023A60 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\igfxsrvc.exe[2068] ADVAPI32.dll!CreateProcessAsUserA 77E10CE8 5 Bytes JMP 10024390 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\System32\svchost.exe[2124] ntdll.dll!NtClose 7C90CFEE 2 Bytes JMP 1001D080 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\System32\svchost.exe[2124] ntdll.dll!NtClose + 3 7C90CFF1 2 Bytes [71, 93] {JNO 0xffffffffffffff95}
.text C:\WINDOWS\System32\svchost.exe[2124] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 5 Bytes JMP 1002BB80 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\System32\svchost.exe[2124] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 5 Bytes JMP 1002B860 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\System32\svchost.exe[2124] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 10027DF0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\System32\svchost.exe[2124] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 1001D1A0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\System32\svchost.exe[2124] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10024F30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\System32\svchost.exe[2124] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 10025AC0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\System32\svchost.exe[2124] ADVAPI32.dll!CreateProcessAsUserW 77DEA8A9 5 Bytes JMP 10023A60 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\System32\svchost.exe[2124] ADVAPI32.dll!CreateProcessAsUserA 77E10CE8 5 Bytes JMP 10024390 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\System32\svchost.exe[2124] GDI32.dll!DeleteDC 77F16E5F 5 Bytes JMP 10028BC0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\System32\svchost.exe[2124] GDI32.dll!GetPixel 77F1B74C 5 Bytes JMP 10028990 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\System32\svchost.exe[2124] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10029CC0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\System32\svchost.exe[2124] GDI32.dll!CreateDCW 77F1BE38 5 Bytes JMP 10029BC0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text F:\Rootkit\ncevu5si.exe[2208] ntdll.dll!NtClose 7C90CFEE 2 Bytes JMP 1001D080 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text F:\Rootkit\ncevu5si.exe[2208] ntdll.dll!NtClose + 3 7C90CFF1 2 Bytes [71, 93] {JNO 0xffffffffffffff95}
.text F:\Rootkit\ncevu5si.exe[2208] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 5 Bytes JMP 1002BB80 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text F:\Rootkit\ncevu5si.exe[2208] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 5 Bytes JMP 1002B860 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text F:\Rootkit\ncevu5si.exe[2208] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 10027DF0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text F:\Rootkit\ncevu5si.exe[2208] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 1001D1A0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text F:\Rootkit\ncevu5si.exe[2208] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10024F30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text F:\Rootkit\ncevu5si.exe[2208] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 10025AC0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text F:\Rootkit\ncevu5si.exe[2208] GDI32.dll!DeleteDC 77F16E5F 5 Bytes JMP 10028BC0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text F:\Rootkit\ncevu5si.exe[2208] GDI32.dll!GetPixel 77F1B74C 5 Bytes JMP 10028990 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text F:\Rootkit\ncevu5si.exe[2208] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10029CC0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text F:\Rootkit\ncevu5si.exe[2208] GDI32.dll!CreateDCW 77F1BE38 5 Bytes JMP 10029BC0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text F:\Rootkit\ncevu5si.exe[2208] ADVAPI32.dll!CreateProcessAsUserW 77DEA8A9 5 Bytes JMP 10023A60 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text F:\Rootkit\ncevu5si.exe[2208] ADVAPI32.dll!CreateProcessAsUserA 77E10CE8 5 Bytes JMP 10024390 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[3540] ntdll.dll!NtClose 7C90CFEE 2 Bytes JMP 1001D080 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[3540] ntdll.dll!NtClose + 3 7C90CFF1 2 Bytes [71, 93] {JNO 0xffffffffffffff95}
.text C:\WINDOWS\system32\svchost.exe[3540] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 5 Bytes JMP 1002BB80 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[3540] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 5 Bytes JMP 1002B860 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[3540] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 10027DF0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[3540] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 1001D1A0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[3540] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10024F30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[3540] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 10025AC0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[3540] ADVAPI32.dll!CreateProcessAsUserW 77DEA8A9 5 Bytes JMP 10023A60 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[3540] ADVAPI32.dll!CreateProcessAsUserA 77E10CE8 5 Bytes JMP 10024390 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[3540] GDI32.dll!DeleteDC 77F16E5F 5 Bytes JMP 10028BC0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[3540] GDI32.dll!GetPixel 77F1B74C 5 Bytes JMP 10028990 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[3540] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10029CC0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[3540] GDI32.dll!CreateDCW 77F1BE38 5 Bytes JMP 10029BC0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisCloseAdapter] [F7439750] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisOpenAdapter] [F7439820] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisDeregisterProtocol] [F74397F0] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisRegisterProtocol] [F74397B0] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] [F74397B0] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter] [F7439820] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisCloseAdapter] [F7439750] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol] [F74397F0] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisDeregisterProtocol] [F74397F0] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol] [F74397B0] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisOpenAdapter] [F7439820] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisCloseAdapter] [F7439750] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] [F74397B0] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] [F74397F0] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisCloseAdapter] [F7439750] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [F7439820] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [F7439750] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [F7439820] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [F74397B0] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [F74397F0] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [F74397B0] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [F7439820] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [F7439750] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\nwlnkipx.sys[NDIS.SYS!NdisDeregisterProtocol] [F74397F0] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\nwlnkipx.sys[NDIS.SYS!NdisCloseAdapter] [F7439750] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\nwlnkipx.sys[NDIS.SYS!NdisOpenAdapter] [F7439820] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\nwlnkipx.sys[NDIS.SYS!NdisRegisterProtocol] [F74397B0] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Documents and Settings\Sandra\TaskPlus\taskplus0.exe[660] @ C:\WINDOWS\system32\ole32.dll [ADVAPI32.dll!RegQueryValueA] 014F8E60
IAT C:\Documents and Settings\Sandra\TaskPlus\taskplus0.exe[660] @ C:\WINDOWS\system32\ole32.dll [ADVAPI32.dll!RegCreateKeyExW] 014F8B50
IAT C:\Documents and Settings\Sandra\TaskPlus\taskplus0.exe[660] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GetProcAddress] 014F1280
IAT C:\Documents and Settings\Sandra\TaskPlus\taskplus0.exe[660] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryA] 014F2620
IAT C:\Documents and Settings\Sandra\TaskPlus\taskplus0.exe[660] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!CloseHandle] 014F5CC0
IAT C:\Documents and Settings\Sandra\TaskPlus\taskplus0.exe[660] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!FreeLibrary] 014F3800
IAT C:\Documents and Settings\Sandra\TaskPlus\taskplus0.exe[660] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryW] 014F2BD0
IAT C:\Documents and Settings\Sandra\TaskPlus\taskplus0.exe[660] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!CreateFileW] 014F5000
IAT C:\Documents and Settings\Sandra\TaskPlus\taskplus0.exe[660] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GlobalUnlock] 014F8030
IAT C:\Documents and Settings\Sandra\TaskPlus\taskplus0.exe[660] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GlobalLock] 014F8070
IAT C:\Documents and Settings\Sandra\TaskPlus\taskplus0.exe[660] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GetProcessHeap] 014F91B0
IAT C:\Documents and Settings\Sandra\TaskPlus\taskplus0.exe[660] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!FindFirstFileW] 014F7C30
IAT C:\Documents and Settings\Sandra\TaskPlus\taskplus0.exe[660] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!DuplicateHandle] 014F5C20
IAT C:\Documents and Settings\Sandra\TaskPlus\taskplus0.exe[660] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!CreateThread] 014F4330
IAT C:\Documents and Settings\Sandra\TaskPlus\taskplus0.exe[660] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] 014F3400
IAT C:\Documents and Settings\Sandra\TaskPlus\taskplus0.exe[660] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GetEnvironmentStringsW] 014F3DB0
IAT C:\Documents and Settings\Sandra\TaskPlus\taskplus0.exe[660] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!IsDebuggerPresent] 014F9730
IAT C:\Documents and Settings\Sandra\TaskPlus\taskplus0.exe[660] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!ReadFile] 014F5350
IAT C:\Documents and Settings\Sandra\TaskPlus\taskplus0.exe[660] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!SetFilePointer] 014F5A80
IAT C:\Documents and Settings\Sandra\TaskPlus\taskplus0.exe[660] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!MapViewOfFileEx] 014F66B0
IAT C:\Documents and Settings\Sandra\TaskPlus\taskplus0.exe[660] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!CreateFileMappingW] 014F6190
IAT C:\Documents and Settings\Sandra\TaskPlus\taskplus0.exe[660] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!MapViewOfFile] 014F6630
IAT C:\Documents and Settings\Sandra\TaskPlus\taskplus0.exe[660] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!OpenFileMappingW] 014F7190
IAT C:\Documents and Settings\Sandra\TaskPlus\taskplus0.exe[660] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!UnmapViewOfFile] 014F6860
IAT C:\Documents and Settings\Sandra\TaskPlus\taskplus0.exe[660] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExA] 014F3000
IAT C:\Documents and Settings\Sandra\TaskPlus\taskplus0.exe[660] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!TerminateProcess] 014F41E0
IAT C:\Documents and Settings\Sandra\TaskPlus\taskplus0.exe[660] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GlobalAlloc] 014F8150
IAT C:\Documents and Settings\Sandra\TaskPlus\taskplus0.exe[660] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!FlushViewOfFile] 014F62D0
IAT C:\Documents and Settings\Sandra\TaskPlus\taskplus0.exe[660] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GetFileSize] 014F5BC0
IAT C:\Documents and Settings\Sandra\TaskPlus\taskplus0.exe[660] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!WriteFile] 014F5780
IAT C:\Documents and Settings\Sandra\TaskPlus\taskplus0.exe[660] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GetFileType] 014F5DD0
IAT C:\Documents and Settings\Sandra\TaskPlus\taskplus0.exe[660] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GetACP] 014F91D0
IAT C:\Documents and Settings\Sandra\TaskPlus\taskplus0.exe[660] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!CreateFileMappingA] 014F60D0
IAT C:\Documents and Settings\Sandra\TaskPlus\taskplus0.exe[660] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!LoadIconW] 014F9470
IAT C:\Documents and Settings\Sandra\TaskPlus\taskplus0.exe[660] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!LoadCursorW] 014F9410
IAT C:\Documents and Settings\Sandra\TaskPlus\taskplus0.exe[660] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!CreateDialogParamW] 014F9660
IAT C:\Documents and Settings\Sandra\TaskPlus\taskplus0.exe[660] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!DialogBoxParamW] 014F9700
IAT C:\Documents and Settings\Sandra\TaskPlus\taskplus0.exe[660] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!LoadStringW] 014F9530

---- Devices - GMER 1.0.15 ----

Device Ntfs.sys (NT File System Driver/Microsoft Corporation)
Device Fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)

AttachedDevice \Driver\Tcpip \Device\Ip cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
AttachedDevice \Driver\Tcpip \Device\Tcp cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume4 snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice \Driver\Tcpip \Device\Udp cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
AttachedDevice \Driver\Tcpip \Device\RawIp cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)

Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)

AttachedDevice fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device Cdfs.SYS (CD-ROM File System Driver/Microsoft Corporation)
Device DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}@scansk 0x5C 0xC5 0x8C 0x2A ...
Reg HKLM\SOFTWARE\Classes\CLSID\{df869d8c-b58c-4fce-a3ff-4c3b868bf4f6}@Model 67
Reg HKLM\SOFTWARE\Classes\CLSID\{df869d8c-b58c-4fce-a3ff-4c3b868bf4f6}@Therad 20
Reg HKLM\SOFTWARE\Classes\CLSID\{df869d8c-b58c-4fce-a3ff-4c3b868bf4f6}@MData 0x6C 0xAD 0x00 0x7B ...

---- EOF - GMER 1.0.15 ----


aswMBR version 0.9.9.1297 Copyright© 2011 AVAST Software
Run date: 2012-01-22 09:00:29
-----------------------------
09:00:29.609 OS Version: Windows 5.1.2600 Service Pack 3
09:00:29.609 Number of processors: 1 586 0x409
09:00:29.609 ComputerName: SANDRA UserName: Sandra
09:02:32.578 Initialze error C0000034 - driver not loaded
09:03:46.453 Service scanning
09:03:49.968 Service MpKslfb70ede7 C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{AAD84ADD-ADEE-4452-BBDC-6B6A6C3586BC}\MpKslfb70ede7.sys **LOCKED** 32
09:03:54.125 Modules scanning
09:03:54.125 Disk 0 trace - called modules:
09:03:54.125
09:03:54.125 Scan finished successfully
09:04:33.312 The log file has been saved successfully to "C:\Documents and Settings\Sandra\Desktop\root\aswMBR.txt"

#5 Broni Re: [RESOLVED] Rootkit.TDS?

Posted 22 January 2012 - 08:45 PM

You're running two AV programs, MSE and McAfee.
One of them has to go.
If McAfee, use this tool to uninstall it: http://majorgeeks.co...Tool_d5420.html

Since SAS and MBAM are both paid for, you have to disable one from starting up.
You can't be running two antispyware tools in real time.

When done....

Download Bootkit Remover to your Desktop.

  • Unzip downloaded file to your Desktop.
  • Double-click on boot_cleaner.exe to run the program (Vista/7 users, right-click on boot_cleaner.exe and click Run As Administrator).
  • It will show a Black screen with some data on it.
  • Right click on the screen and click Select All.
  • Press CTRL+C
  • Open Notepad and press CTRL+V
  • Post the output back here.


#6 jdhoward Re: [RESOLVED] Rootkit.TDS?


Posted 22 January 2012 - 09:16 PM

Thank you, sir.
.\debug.cpp(238) : Debug log started at 22.01.2012 - 21:08:59
.\boot_cleaner.cpp(527) : Bootkit Remover
.\boot_cleaner.cpp(528) : © 2009 Esage Lab
.\boot_cleaner.cpp(529) : www.esagelab.com
.\boot_cleaner.cpp(533) : Program version: 1.2.0.1
.\boot_cleaner.cpp(540) : OS Version: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
.\debug.cpp(248) : **********************************************
.\debug.cpp(249) : *** [ LOADED MODULES INFORMATION ] ***********
.\debug.cpp(250) : **********************************************
.\debug.cpp(256) : 0x804d7000 0x00217580 "\WINDOWS\system32\ntoskrnl.exe"
.\debug.cpp(256) : 0x806ef000 0x00020300 "\WINDOWS\system32\hal.dll"
.\debug.cpp(256) : 0xf7987000 0x00002000 "\WINDOWS\system32\KDCOM.DLL"
.\debug.cpp(256) : 0xf7897000 0x00003000 "\WINDOWS\system32\BOOTVID.dll"
.\debug.cpp(256) : 0xf75a8000 0x0002e000 "ACPI.sys"
.\debug.cpp(256) : 0xf7989000 0x00002000 "\WINDOWS\system32\DRIVERS\WMILIB.SYS"
.\debug.cpp(256) : 0xf7597000 0x00011000 "pci.sys"
.\debug.cpp(256) : 0xf75f7000 0x0000a000 "isapnp.sys"
.\debug.cpp(256) : 0xf74e4000 0x00013000 "vsflt53.sys"
.\debug.cpp(256) : 0xf7a4f000 0x00001000 "pciide.sys"
.\debug.cpp(256) : 0xf7707000 0x00007000 "\WINDOWS\system32\DRIVERS\PCIIDEX.SYS"
.\debug.cpp(256) : 0xf798b000 0x00002000 "intelide.sys"
.\debug.cpp(256) : 0xf7607000 0x0000b000 "MountMgr.sys"
.\debug.cpp(256) : 0xf74c5000 0x0001f000 "ftdisk.sys"
.\debug.cpp(256) : 0xf770f000 0x00005000 "PartMgr.sys"
.\debug.cpp(256) : 0xf7617000 0x0000d000 "VolSnap.sys"
.\debug.cpp(256) : 0xf74ad000 0x00018000 "atapi.sys"
.\debug.cpp(256) : 0xf7627000 0x00009000 "disk.sys"
.\debug.cpp(256) : 0xf7637000 0x0000d000 "\WINDOWS\system32\DRIVERS\CLASSPNP.SYS"
.\debug.cpp(256) : 0xf748d000 0x00020000 "fltmgr.sys"
.\debug.cpp(256) : 0xf747b000 0x00012000 "sr.sys"
.\debug.cpp(256) : 0xf7465000 0x00016000 "DRVMCDB.SYS"
.\debug.cpp(256) : 0xf7717000 0x00005000 "PxHelp20.sys"
.\debug.cpp(256) : 0xf744e000 0x00017000 "KSecDD.sys"
.\debug.cpp(256) : 0xf7b52000 0x0008d000 "Ntfs.sys"
.\debug.cpp(256) : 0xf7438000 0x00016000 "inspect.sys"
.\debug.cpp(256) : 0xf740b000 0x0002d000 "\WINDOWS\System32\DRIVERS\NDIS.SYS"
.\debug.cpp(256) : 0xf771f000 0x00005000 "\WINDOWS\System32\DRIVERS\TDI.SYS"
.\debug.cpp(256) : 0xf787a000 0x0001d000 "vididr.sys"
.\debug.cpp(256) : 0xba76e000 0x00092000 "timntr.sys"
.\debug.cpp(256) : 0xba746000 0x00028000 "snapman.sys"
.\debug.cpp(256) : 0xf7727000 0x00007000 "pssnap.sys"
.\debug.cpp(256) : 0xba72c000 0x0001a000 "Mup.sys"
.\debug.cpp(256) : 0xf7657000 0x00009000 "\SystemRoot\system32\DRIVERS\intelppm.sys"
.\debug.cpp(256) : 0xb9686000 0x000cb000 "\SystemRoot\system32\DRIVERS\ialmnt5.sys"
.\debug.cpp(256) : 0xb9672000 0x00014000 "\SystemRoot\system32\DRIVERS\VIDEOPRT.SYS"
.\debug.cpp(256) : 0xf77df000 0x00006000 "\SystemRoot\system32\DRIVERS\usbuhci.sys"
.\debug.cpp(256) : 0xb964e000 0x00024000 "\SystemRoot\system32\DRIVERS\USBPORT.SYS"
.\debug.cpp(256) : 0xf77e7000 0x00008000 "\SystemRoot\system32\DRIVERS\usbehci.sys"
.\debug.cpp(256) : 0xb961a000 0x00034000 "\SystemRoot\system32\DRIVERS\HSFHWBS2.sys"
.\debug.cpp(256) : 0xb95f7000 0x00023000 "\SystemRoot\system32\DRIVERS\ks.sys"
.\debug.cpp(256) : 0xb94f8000 0x000ff000 "\SystemRoot\system32\DRIVERS\HSF_DP.sys"
.\debug.cpp(256) : 0xb9451000 0x000a7000 "\SystemRoot\system32\DRIVERS\HSF_CNXT.sys"
.\debug.cpp(256) : 0xf77ef000 0x00008000 "\SystemRoot\System32\Drivers\Modem.SYS"
.\debug.cpp(256) : 0xb93ec000 0x00026000 "\SystemRoot\system32\DRIVERS\e100b325.sys"
.\debug.cpp(256) : 0xf7667000 0x00010000 "\SystemRoot\system32\DRIVERS\serial.sys"
.\debug.cpp(256) : 0xba66b000 0x00004000 "\SystemRoot\system32\DRIVERS\serenum.sys"
.\debug.cpp(256) : 0xb93d8000 0x00014000 "\SystemRoot\system32\DRIVERS\parport.sys"
.\debug.cpp(256) : 0xf7677000 0x0000b000 "\SystemRoot\system32\DRIVERS\imapi.sys"
.\debug.cpp(256) : 0xf79af000 0x00002000 "\SystemRoot\System32\Drivers\DLACDBHM.SYS"
.\debug.cpp(256) : 0xf7687000 0x00010000 "\SystemRoot\system32\DRIVERS\cdrom.sys"
.\debug.cpp(256) : 0xf7697000 0x0000f000 "\SystemRoot\system32\DRIVERS\redbook.sys"
.\debug.cpp(256) : 0xb9398000 0x00040000 "\SystemRoot\system32\drivers\smwdm.sys"
.\debug.cpp(256) : 0xb9374000 0x00024000 "\SystemRoot\system32\drivers\portcls.sys"
.\debug.cpp(256) : 0xf76a7000 0x0000f000 "\SystemRoot\system32\drivers\drmk.sys"
.\debug.cpp(256) : 0xb92c1000 0x000b3000 "\SystemRoot\system32\drivers\senfilt.sys"
.\debug.cpp(256) : 0xb9d43000 0x00001000 "\SystemRoot\system32\DRIVERS\audstub.sys"
.\debug.cpp(256) : 0xf76b7000 0x0000d000 "\SystemRoot\system32\DRIVERS\rasl2tp.sys"
.\debug.cpp(256) : 0xba663000 0x00003000 "\SystemRoot\system32\DRIVERS\ndistapi.sys"
.\debug.cpp(256) : 0xb92aa000 0x00017000 "\SystemRoot\system32\DRIVERS\ndiswan.sys"
.\debug.cpp(256) : 0xf76c7000 0x0000b000 "\SystemRoot\system32\DRIVERS\raspppoe.sys"
.\debug.cpp(256) : 0xf76d7000 0x0000c000 "\SystemRoot\system32\DRIVERS\raspptp.sys"
.\debug.cpp(256) : 0xb9299000 0x00011000 "\SystemRoot\system32\DRIVERS\psched.sys"
.\debug.cpp(256) : 0xf76e7000 0x00009000 "\SystemRoot\system32\DRIVERS\msgpc.sys"
.\debug.cpp(256) : 0xf77ff000 0x00005000 "\SystemRoot\system32\DRIVERS\ptilink.sys"
.\debug.cpp(256) : 0xf7807000 0x00005000 "\SystemRoot\system32\DRIVERS\raspti.sys"
.\debug.cpp(256) : 0xf76f7000 0x0000a000 "\SystemRoot\system32\DRIVERS\termdd.sys"
.\debug.cpp(256) : 0xf780f000 0x00006000 "\SystemRoot\system32\DRIVERS\kbdclass.sys"
.\debug.cpp(256) : 0xf7817000 0x00006000 "\SystemRoot\system32\DRIVERS\mouclass.sys"
.\debug.cpp(256) : 0xf79b1000 0x00002000 "\SystemRoot\system32\DRIVERS\swenum.sys"
.\debug.cpp(256) : 0xb923b000 0x0005e000 "\SystemRoot\system32\DRIVERS\update.sys"
.\debug.cpp(256) : 0xba657000 0x00004000 "\SystemRoot\system32\DRIVERS\mssmbios.sys"
.\debug.cpp(256) : 0xf7587000 0x0000a000 "\SystemRoot\System32\Drivers\NDProxy.SYS"
.\debug.cpp(256) : 0xf7567000 0x0000f000 "\SystemRoot\system32\DRIVERS\usbhub.sys"
.\debug.cpp(256) : 0xf79b5000 0x00002000 "\SystemRoot\system32\DRIVERS\USBD.SYS"
.\debug.cpp(256) : 0xba63b000 0x00004000 "\SystemRoot\system32\drivers\MODEMCSA.sys"
.\debug.cpp(256) : 0xba627000 0x00003000 "\SystemRoot\System32\Drivers\i2omgmt.SYS"
.\debug.cpp(256) : 0xb114e000 0x00027000 "\SystemRoot\system32\DRIVERS\MpFilter.sys"
.\debug.cpp(256) : 0xb10b0000 0x00076000 "\SystemRoot\System32\DRIVERS\cmdguard.sys"
.\debug.cpp(256) : 0xba68f000 0x00003000 "\SystemRoot\system32\DRIVERS\hidusb.sys"
.\debug.cpp(256) : 0xf7547000 0x00009000 "\SystemRoot\system32\DRIVERS\HIDCLASS.SYS"
.\debug.cpp(256) : 0xf7747000 0x00007000 "\SystemRoot\system32\DRIVERS\HIDPARSE.SYS"
.\debug.cpp(256) : 0xba68b000 0x00003000 "\SystemRoot\system32\DRIVERS\mouhid.sys"
.\debug.cpp(256) : 0xba687000 0x00004000 "\SystemRoot\system32\DRIVERS\kbdhid.sys"
.\debug.cpp(256) : 0xf79db000 0x00002000 "\SystemRoot\System32\Drivers\Fs_Rec.SYS"
.\debug.cpp(256) : 0xba3c4000 0x00001000 "\SystemRoot\System32\Drivers\Null.SYS"
.\debug.cpp(256) : 0xf79dd000 0x00002000 "\SystemRoot\System32\Drivers\Beep.SYS"
.\debug.cpp(256) : 0xf7757000 0x00006000 "\SystemRoot\System32\Drivers\DLARTL_N.SYS"
.\debug.cpp(256) : 0xf775f000 0x00006000 "\SystemRoot\System32\drivers\vga.sys"
.\debug.cpp(256) : 0xf79df000 0x00002000 "\SystemRoot\System32\Drivers\mnmdd.SYS"
.\debug.cpp(256) : 0xf79e1000 0x00002000 "\SystemRoot\System32\DRIVERS\RDPCDD.sys"
.\debug.cpp(256) : 0xf7767000 0x00005000 "\SystemRoot\System32\Drivers\Msfs.SYS"
.\debug.cpp(256) : 0xf776f000 0x00008000 "\SystemRoot\System32\Drivers\Npfs.SYS"
.\debug.cpp(256) : 0xba683000 0x00003000 "\SystemRoot\system32\DRIVERS\rasacd.sys"
.\debug.cpp(256) : 0xb102d000 0x00013000 "\SystemRoot\system32\DRIVERS\ipsec.sys"
.\debug.cpp(256) : 0xb0fd4000 0x00059000 "\SystemRoot\system32\DRIVERS\tcpip.sys"
.\debug.cpp(256) : 0xf7777000 0x00006000 "\SystemRoot\System32\DRIVERS\cmdhlp.sys"
.\debug.cpp(256) : 0xb0fac000 0x00028000 "\SystemRoot\system32\DRIVERS\netbt.sys"
.\debug.cpp(256) : 0xb0f8a000 0x00022000 "\SystemRoot\System32\drivers\afd.sys"
.\debug.cpp(256) : 0xf7527000 0x00009000 "\SystemRoot\system32\DRIVERS\netbios.sys"
.\debug.cpp(256) : 0xb0f68000 0x00022000 "\??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS"
.\debug.cpp(256) : 0xf777f000 0x00006000 "\??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS"
.\debug.cpp(256) : 0xb0f3d000 0x0002b000 "\SystemRoot\system32\DRIVERS\rdbss.sys"
.\debug.cpp(256) : 0xb0ecd000 0x00070000 "\SystemRoot\system32\DRIVERS\mrxsmb.sys"
.\debug.cpp(256) : 0xb0eb6000 0x00017000 "\SystemRoot\system32\DRIVERS\idmtdi.sys"
.\debug.cpp(256) : 0xf7517000 0x0000b000 "\SystemRoot\System32\Drivers\Fips.SYS"
.\debug.cpp(256) : 0xb0e90000 0x00026000 "\SystemRoot\system32\DRIVERS\ipnat.sys"
.\debug.cpp(256) : 0xf7507000 0x00009000 "\SystemRoot\system32\DRIVERS\wanarp.sys"
.\debug.cpp(256) : 0xba489000 0x00010000 "\SystemRoot\System32\Drivers\Cdfs.SYS"
.\debug.cpp(256) : 0xb0e50000 0x00018000 "\SystemRoot\System32\Drivers\dump_atapi.sys"
.\debug.cpp(256) : 0xf79e7000 0x00002000 "\SystemRoot\System32\Drivers\dump_WMILIB.SYS"
.\debug.cpp(256) : 0xbf800000 0x001c6000 "\SystemRoot\System32\win32k.sys"
.\debug.cpp(256) : 0xb114a000 0x00003000 "\SystemRoot\System32\drivers\Dxapi.sys"
.\debug.cpp(256) : 0xf778f000 0x00005000 "\SystemRoot\System32\watchdog.sys"
.\debug.cpp(256) : 0xbf000000 0x00012000 "\SystemRoot\System32\drivers\dxg.sys"
.\debug.cpp(256) : 0xf7a83000 0x00001000 "\SystemRoot\System32\drivers\dxgthk.sys"
.\debug.cpp(256) : 0xbf020000 0x00020000 "\SystemRoot\System32\ialmdnt5.dll"
.\debug.cpp(256) : 0xbf012000 0x0000e000 "\SystemRoot\System32\ialmrnt5.dll"
.\debug.cpp(256) : 0xbf040000 0x00030000 "\SystemRoot\System32\ialmdev5.DLL"
.\debug.cpp(256) : 0xbf070000 0x000dc000 "\SystemRoot\System32\ialmdd5.DLL"
.\debug.cpp(256) : 0xbf14c000 0x00047000 "\SystemRoot\System32\ATMFD.DLL"
.\debug.cpp(256) : 0xb0e38000 0x00004000 "\??\C:\WINDOWS\system32\drivers\mbam.sys"
.\debug.cpp(256) : 0xb9dce000 0x0000a000 "\SystemRoot\System32\Drivers\DRVNDDM.SYS"
.\debug.cpp(256) : 0xf7aae000 0x00001000 "\SystemRoot\System32\DLA\DLADResN.SYS"
.\debug.cpp(256) : 0xb0cfa000 0x00016000 "\SystemRoot\System32\DLA\DLAIFS_M.SYS"
.\debug.cpp(256) : 0xb0e2c000 0x00004000 "\SystemRoot\System32\DLA\DLAOPIOM.SYS"
.\debug.cpp(256) : 0xf79f5000 0x00002000 "\SystemRoot\System32\DLA\DLAPoolM.SYS"
.\debug.cpp(256) : 0xf779f000 0x00007000 "\SystemRoot\System32\DLA\DLABOIOM.SYS"
.\debug.cpp(256) : 0xb0ce2000 0x00018000 "\SystemRoot\System32\DLA\DLAUDFAM.SYS"
.\debug.cpp(256) : 0xb0ccc000 0x00016000 "\SystemRoot\System32\DLA\DLAUDF_M.SYS"
.\debug.cpp(256) : 0xb0ad6000 0x00016000 "\SystemRoot\system32\DRIVERS\nwlnkipx.sys"
.\debug.cpp(256) : 0xb9dee000 0x00010000 "\SystemRoot\system32\DRIVERS\nwlnknb.sys"
.\debug.cpp(256) : 0xb0959000 0x00015000 "\SystemRoot\system32\drivers\wdmaud.sys"
.\debug.cpp(256) : 0xb0c2c000 0x0000f000 "\SystemRoot\system32\drivers\sysaudio.sys"
.\debug.cpp(256) : 0xb09be000 0x0000e000 "\SystemRoot\system32\DRIVERS\nwlnkspx.sys"
.\debug.cpp(256) : 0xf798d000 0x00002000 "\SystemRoot\System32\Drivers\StarOpen.SYS"
.\debug.cpp(256) : 0xb05b3000 0x00058000 "\SystemRoot\system32\DRIVERS\srv.sys"
.\debug.cpp(256) : 0xb0bb8000 0x00003000 "\SystemRoot\system32\DRIVERS\mdmxsdk.sys"
.\debug.cpp(256) : 0xafffa000 0x00041000 "\SystemRoot\System32\Drivers\HTTP.sys"
.\debug.cpp(256) : 0xb004b000 0x00009000 "\SystemRoot\System32\DRIVERS\ipfltdrv.sys"
.\debug.cpp(256) : 0xafdb0000 0x0002b000 "\SystemRoot\system32\drivers\kmixer.sys"
.\debug.cpp(256) : 0x7c900000 0x000b2000 "\WINDOWS\system32\ntdll.dll"
.\debug.cpp(263) : **********************************************
.\debug.cpp(307) : *** [ DEVICE OBJECTS INFORMATION ] ***********
.\debug.cpp(308) : **********************************************
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\D:"
.\debug.cpp(400) : Destination "\Device\HarddiskVolume3"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\STORAGE#Volume#1&30a96598&0&SignatureD0F4738COffset1F60800Length1B25813E00#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"
.\debug.cpp(400) : Destination "\Device\HarddiskVolume2"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCI#VEN_8086&DEV_24D5&SUBSYS_01D51028&REV_02#3&172e68dd&0&FD#{6994ad04-93ef-11d0-a3cc-00a0c9223196}"
.\debug.cpp(400) : Destination "\Device\NTPNP_PCI0010"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\NDIS"
.\debug.cpp(400) : Destination "\Device\Ndis"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\DISPLAY1"
.\debug.cpp(400) : Destination "\Device\Video0"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{ffbb6e3f-ccfe-4d84-90d9-421418b03a8e}"
.\debug.cpp(400) : Destination "\Device\0000003b"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\DISPLAY2"
.\debug.cpp(400) : Destination "\Device\Video1"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\{CC0CA6FB-51B8-4ED4-89FC-80EDB99FFE7E}"
.\debug.cpp(400) : Destination "\Device\{CC0CA6FB-51B8-4ED4-89FC-80EDB99FFE7E}"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#MS_PPPOEMINIPORT#0000#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
.\debug.cpp(400) : Destination "\Device\00000034"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#PNP0C0C#2&daba3ff&0#{4afa3d53-74a7-11d0-be5e-00a0c9062857}"
.\debug.cpp(400) : Destination "\Device\00000040"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Ip"
.\debug.cpp(400) : Destination "\Device\Ip"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\DISPLAY3"
.\debug.cpp(400) : Destination "\Device\Video2"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\E:"
.\debug.cpp(400) : Destination "\Device\CdRom0"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\IPSECDev"
.\debug.cpp(400) : Destination "\Device\IPSEC"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\DISPLAY4"
.\debug.cpp(400) : Destination "\Device\Video3"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#MS_NDISWANIP#0000#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
.\debug.cpp(400) : Destination "\Device\00000032"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\snapman"
.\debug.cpp(400) : Destination "\Device\snapman603"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\NDPROXY"
.\debug.cpp(400) : Destination "\Device\NDProxy"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\HID#Vid_046d&Pid_c016#6&23a329d3&0&0000#{378de44c-56ef-11d1-bc8c-00a0c91405dd}"
.\debug.cpp(400) : Destination "\Device\0000005c"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{3c0d501a-140b-11d1-b40f-00a0c9223196}"
.\debug.cpp(400) : Destination "\Device\0000003b"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Volume{e2faafe5-0ac4-11e0-9a8f-806d6172696f}"
.\debug.cpp(400) : Destination "\Device\HarddiskVolume3"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\IDE#CdRomPHILIPS_DVD+-RW_DVD8801_________________2D06____#4156353153353136373139343931202020202020#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"
.\debug.cpp(400) : Destination "\Device\Ide\IdeDeviceP1T0L0-e"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\HID#Vid_046d&Pid_c016#6&23a329d3&0&0000#{4d1e55b2-f16f-11cf-88cb-001111000030}"
.\debug.cpp(400) : Destination "\Device\0000005c"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCI#VEN_8086&DEV_24D5&SUBSYS_01D51028&REV_02#3&172e68dd&0&FD#{65e8773e-8f56-11d0-a3b9-00a0c9223196}"
.\debug.cpp(400) : Destination "\Device\NTPNP_PCI0010"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\STORAGE#Volume#1&30a96598&0&SignatureD0F4738COffset1B27F4C800Length91EA43400#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"
.\debug.cpp(400) : Destination "\Device\HarddiskVolume3"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\WMIDataDevice"
.\debug.cpp(400) : Destination "\Device\WMIDataDevice"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\COM1"
.\debug.cpp(400) : Destination "\Device\Serial0"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\{DB319038-DAC1-40CE-91B3-B577DFF6945F}"
.\debug.cpp(400) : Destination "\Device\{DB319038-DAC1-40CE-91B3-B577DFF6945F}"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{dff220f3-f70f-11d0-b917-00a0c9223196}"
.\debug.cpp(400) : Destination "\Device\0000003b"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#ROOT_HUB20#4&b643904&0#{f18a0e88-c30c-11d0-8815-00a0c906bed8}"
.\debug.cpp(400) : Destination "\Device\USBPDO-3"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#ROOT_HUB#4&211ee94a&0#{f18a0e88-c30c-11d0-8815-00a0c906bed8}"
.\debug.cpp(400) : Destination "\Device\USBPDO-2"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\PIPE"
.\debug.cpp(400) : Destination "\Device\NamedPipe"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\SW#{a7c7a5b0-5af3-11d1-9ced-00a024bf0407}#{9B365890-165F-11D0-A195-0020AFD156E4}#{d6c5066e-72c1-11d2-9755-0000f8004788}"
.\debug.cpp(400) : Destination "\Device\KSENUM#00000002"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{2eb07ea0-7e70-11d0-a5d6-28db04c10000}"
.\debug.cpp(400) : Destination "\Device\0000003b"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCI#VEN_8086&DEV_2572&SUBSYS_01D51028&REV_02#3&172e68dd&0&10#{5b45201d-f2f2-4f3b-85bb-30ff1f953599}"
.\debug.cpp(400) : Destination "\Device\NTPNP_PCI0001"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\UNC"
.\debug.cpp(400) : Destination "\Device\Mup"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\PSched"
.\debug.cpp(400) : Destination "\Device\PSched"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\IPNAT"
.\debug.cpp(400) : Destination "\Device\IPNAT"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\{3692842B-F245-45D1-9484-C904E4C8B01C}"
.\debug.cpp(400) : Destination "\Device\{3692842B-F245-45D1-9484-C904E4C8B01C}"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\COM4"
.\debug.cpp(400) : Destination "\Device\Winachsf0"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\FltMgrMsg"
.\debug.cpp(400) : Destination "\FileSystem\Filters\FltMgrMsg"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{6994ad04-93ef-11d0-a3cc-00a0c9223196}"
.\debug.cpp(400) : Destination "\Device\0000003b"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\HCD0"
.\debug.cpp(400) : Destination "\Device\USBFDO-0"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Tcp"
.\debug.cpp(400) : Destination "\Device\Tcp"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\I2OExec"
.\debug.cpp(400) : Destination "\Device\I2OExec"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#ROOT_HUB#4&1897a88c&0#{f18a0e88-c30c-11d0-8815-00a0c906bed8}"
.\debug.cpp(400) : Destination "\Device\USBPDO-1"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#ROOT_HUB#4&900482c&0#{f18a0e88-c30c-11d0-8815-00a0c906bed8}"
.\debug.cpp(400) : Destination "\Device\USBPDO-0"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\vididr"
.\debug.cpp(400) : Destination "\Device\vididr"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\AcroVBus"
.\debug.cpp(400) : Destination "\Device\AcroVBus"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\IPFILTERDRIVER"
.\debug.cpp(400) : Destination "\Device\IPFILTERDRIVER"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCI#VEN_8086&DEV_1050&SUBSYS_01D51028&REV_02#4&1c660dd6&0&40F0#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
.\debug.cpp(400) : Destination "\Device\NTPNP_PCI0012"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\HCD1"
.\debug.cpp(400) : Destination "\Device\USBFDO-1"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#MS_PTIMINIPORT#0000#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
.\debug.cpp(400) : Destination "\Device\00000038"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\LCD"
.\debug.cpp(400) : Destination "\Device\VideoPdo0"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\NDISWANIPX"
.\debug.cpp(400) : Destination "\Device\NdisWanIpx"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\PhysicalDrive0"
.\debug.cpp(400) : Destination "\Device\Harddisk0\DR0"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\ConexantDiagnosticsServer"
.\debug.cpp(400) : Destination "\Device\ConexantDiagnosticsServer"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\PRN"
.\debug.cpp(400) : Destination "\DosDevices\LPT1"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\HCD2"
.\debug.cpp(400) : Destination "\Device\USBFDO-2"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{53172480-4791-11d0-a5d6-28db04c10000}"
.\debug.cpp(400) : Destination "\Device\0000003b"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#MS_PSCHEDMP#0001#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
.\debug.cpp(400) : Destination "\Device\00000037"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\RKSAMPLE0"
.\debug.cpp(400) : Destination "\Device\RKSAMPLE0"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\sysaudio"
.\debug.cpp(400) : Destination "\Device\sysaudio"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\fsWrap"
.\debug.cpp(400) : Destination "\Device\FsWrap"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#MS_PSCHEDMP#0000#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
.\debug.cpp(400) : Destination "\Device\00000036"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\HCD3"
.\debug.cpp(400) : Destination "\Device\USBFDO-3"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{97ebaacb-95bd-11d0-a3ea-00a0c9223196}"
.\debug.cpp(400) : Destination "\Device\0000003b"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\CdRom0"
.\debug.cpp(400) : Destination "\Device\CdRom0"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\{560B6ABD-EDE8-41DE-9351-327521EFA423}"
.\debug.cpp(400) : Destination "\Device\{560B6ABD-EDE8-41DE-9351-327521EFA423}"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#FixedButton#2&daba3ff&0#{4afa3d53-74a7-11d0-be5e-00a0c9062857}"
.\debug.cpp(400) : Destination "\Device\00000044"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Global"
.\debug.cpp(400) : Destination "\GLOBAL??"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\drvnddm"
.\debug.cpp(400) : Destination "\Device\drvnddm"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\LPTENUM#MicrosoftRawPort#5&316e3fd5&0&LPT1#{811fc6a5-f728-11d0-a537-0000f8753ed1}"
.\debug.cpp(400) : Destination "\Device\Parallel0"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#PNP0501#1#{86e0d1e0-8089-11d0-9ce4-08003e301f73}"
.\debug.cpp(400) : Destination "\Device\00000051"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\{B51E43FB-660A-4ADC-B5A8-F4898BDC32DE}"
.\debug.cpp(400) : Destination "\Device\{B51E43FB-660A-4ADC-B5A8-F4898BDC32DE}"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\PxHelperDevice0"
.\debug.cpp(400) : Destination "\Device\PxHelperDevice0"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\SW#{a7c7a5b0-5af3-11d1-9ced-00a024bf0407}#{9B365890-165F-11D0-A195-0020AFD156E4}#{d6c50671-72c1-11d2-9755-0000f8004788}"
.\debug.cpp(400) : Destination "\Device\KSENUM#00000002"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#Vid_046d&Pid_c016#5&101de47f&0&1#{a5dcbf10-6530-11d2-901f-00c04fb951ed}"
.\debug.cpp(400) : Destination "\Device\USBPDO-4"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{3e227e76-690d-11d2-8161-0000f8775bf1}"
.\debug.cpp(400) : Destination "\Device\0000003b"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\cmdGuard"
.\debug.cpp(400) : Destination "\Device\cmdGuard"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\StarOpen"
.\debug.cpp(400) : Destination "\Device\StarOpen"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{ad809c00-7b88-11d0-a5d6-28db04c10000}"
.\debug.cpp(400) : Destination "\Device\0000003b"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{9ea331fa-b91b-45f8-9285-bd2bc77afcde}"
.\debug.cpp(400) : Destination "\Device\0000003b"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#GenuineIntel_-_x86_Family_15_Model_4#_0#{97fadb10-4e33-40ae-359c-8bef029dbdd0}"
.\debug.cpp(400) : Destination "\Device\00000041"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\HSF_MDMDevice0"
.\debug.cpp(400) : Destination "\Device\HSF_MDMDevice0"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\HID#Vid_413c&Pid_2005#6&27052970&0&0000#{884b96c3-56ef-11d1-bc8c-00a0c91405dd}"
.\debug.cpp(400) : Destination "\Device\0000005d"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#PNP0501#1#{4d36e978-e325-11ce-bfc1-08002be10318}"
.\debug.cpp(400) : Destination "\Device\00000051"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCI#VEN_14F1&DEV_2F20&SUBSYS_200F14F1&REV_00#4&1c660dd6&0&10F0#{adb44c00-1b8d-11d4-8d5e-00a0c90d1c42}"
.\debug.cpp(400) : Destination "\Device\NTPNP_PCI0011"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Volume{e2faafe4-0ac4-11e0-9a8f-806d6172696f}"
.\debug.cpp(400) : Destination "\Device\HarddiskVolume2"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\MountPointManager"
.\debug.cpp(400) : Destination "\Device\MountPointManager"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\SASDIFSV"
.\debug.cpp(400) : Destination "\Device\SASDIFSV"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\SW#{a7c7a5b0-5af3-11d1-9ced-00a024bf0407}#{9B365890-165F-11D0-A195-0020AFD156E4}#{d6c50674-72c1-11d2-9755-0000f8004788}"
.\debug.cpp(400) : Destination "\Device\KSENUM#00000002"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#MS_L2TPMINIPORT#0000#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
.\debug.cpp(400) : Destination "\Device\00000031"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#MS_NDISWANIPX#0000#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
.\debug.cpp(400) : Destination "\Device\00000033"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\WanArp"
.\debug.cpp(400) : Destination "\Device\WANARP"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\INTELPRO_{01A3F69E-B2E3-4E55-8901-5862CFE1E187}"
.\debug.cpp(400) : Destination "\Device\INTELPRO_{01A3F69E-B2E3-4E55-8901-5862CFE1E187}"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\{BE656344-CB99-4D79-B2DC-D43D55293D96}"
.\debug.cpp(400) : Destination "\Device\{BE656344-CB99-4D79-B2DC-D43D55293D96}"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#ftdisk#0000#{53f5630e-b6bf-11d0-94f2-00a0c91efb8b}"
.\debug.cpp(400) : Destination "\Device\00000004"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\snapman603"
.\debug.cpp(400) : Destination "\Device\snapman603"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Inspect"
.\debug.cpp(400) : Destination "\Device\Inspect"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCI#VEN_8086&DEV_24D4&SUBSYS_01D51028&REV_02#3&172e68dd&0&E9#{3abf6f2d-71c4-462a-8a92-1e6861e6af27}"
.\debug.cpp(400) : Destination "\Device\NTPNP_PCI0003"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\IDMTDI"
.\debug.cpp(400) : Destination "\Device\IDMTDI"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Volume{e2faafe6-0ac4-11e0-9a8f-806d6172696f}"
.\debug.cpp(400) : Destination "\Device\CdRom0"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\SASKUTIL"
.\debug.cpp(400) : Destination "\Device\SASKUTIL"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\IDE#CdRomPHILIPS_DVD+-RW_DVD8801_________________2D06____#4156353153353136373139343931202020202020#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}"
.\debug.cpp(400) : Destination "\Device\Ide\IdeDeviceP1T0L0-e"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#PNP0401#4&1506bb2e&0#{97f76ef0-f883-11d0-af1f-0000f800845c}"
.\debug.cpp(400) : Destination "\Device\00000052"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\{01A3F69E-B2E3-4E55-8901-5862CFE1E187}"
.\debug.cpp(400) : Destination "\Device\{01A3F69E-B2E3-4E55-8901-5862CFE1E187}"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCI#VEN_8086&DEV_24D2&SUBSYS_01D51028&REV_02#3&172e68dd&0&E8#{3abf6f2d-71c4-462a-8a92-1e6861e6af27}"
.\debug.cpp(400) : Destination "\Device\NTPNP_PCI0002"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
.\debug.cpp(400) : Destination "\Device\0000003b"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\NDISWANIP"
.\debug.cpp(400) : Destination "\Device\NdisWanIp"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\IDE#DiskWDC_WD1600JB-75GVC0_____________________08.02D08#5&2a84b1a5&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"
.\debug.cpp(400) : Destination "\Device\Ide\IdeDeviceP0T0L0-3"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Scsi0:"
.\debug.cpp(400) : Destination "\Device\Ide\IdePort0"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\SW#{a7c7a5b0-5af3-11d1-9ced-00a024bf0407}#{9B365890-165F-11D0-A195-0020AFD156E4}#{fbf6f530-07b9-11d2-a71e-0000f8004788}"
.\debug.cpp(400) : Destination "\Device\KSENUM#00000002"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{bf963d80-c559-11d0-8a2b-00a0c9255ac1}"
.\debug.cpp(400) : Destination "\Device\0000003b"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCI#VEN_8086&DEV_24D5&SUBSYS_01D51028&REV_02#3&172e68dd&0&FD#{65e8773d-8f56-11d0-a3b9-00a0c9223196}"
.\debug.cpp(400) : Destination "\Device\NTPNP_PCI0010"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\cmdhlp"
.\debug.cpp(400) : Destination "\Device\cmdhlp"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCI#VEN_14F1&DEV_2F20&SUBSYS_200F14F1&REV_00#4&1c660dd6&0&10F0#{2c7089aa-2e0e-11d1-b114-00c04fc2aae4}"
.\debug.cpp(400) : Destination "\Device\NTPNP_PCI0011"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCI#VEN_8086&DEV_24DE&SUBSYS_01D51028&REV_02#3&172e68dd&0&EB#{3abf6f2d-71c4-462a-8a92-1e6861e6af27}"
.\debug.cpp(400) : Destination "\Device\NTPNP_PCI0004"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCI#VEN_8086&DEV_24D5&SUBSYS_01D51028&REV_02#3&172e68dd&0&FD#{dda54a40-1e4c-11d1-a050-405705c10000}"
.\debug.cpp(400) : Destination "\Device\NTPNP_PCI0010"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#Vid_413c&Pid_2005#5&101de47f&0&2#{a5dcbf10-6530-11d2-901f-00c04fb951ed}"
.\debug.cpp(400) : Destination "\Device\USBPDO-5"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{4747b320-62ce-11cf-a5d6-28db04c10000}"
.\debug.cpp(400) : Destination "\Device\0000003b"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#MS_PPTPMINIPORT#0000#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
.\debug.cpp(400) : Destination "\Device\00000035"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\PTILINK1"
.\debug.cpp(400) : Destination "\Device\ParTechInc0"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{a7c7a5b1-5af3-11d1-9ced-00a024bf0407}"
.\debug.cpp(400) : Destination "\Device\0000003b"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\NDISTAPI"
.\debug.cpp(400) : Destination "\Device\NdisTapi"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\NdisWan"
.\debug.cpp(400) : Destination "\Device\NdisWan"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\LPT1"
.\debug.cpp(400) : Destination "\Device\NamedPipe\Spooler\LPT1"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Scsi1:"
.\debug.cpp(400) : Destination "\Device\Ide\IdePort1"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\IPMULTICAST"
.\debug.cpp(400) : Destination "\Device\IPMULTICAST"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\PTILINK2"
.\debug.cpp(400) : Destination "\Device\ParTechInc1"
.\debug.cpp(409) : --
.\debug.cpp(369) : Device "\GLOBAL??\DLAIFS"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Shadow"
.\debug.cpp(400) : Destination "\Device\LanmanRedirector"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\PTILINK3"
.\debug.cpp(400) : Destination "\Device\ParTechInc2"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\SmwdmDev"
.\debug.cpp(400) : Destination "\Device\Smwdm0"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Conexant D850 56K V.9x DFVc Modem #2"
.\debug.cpp(400) : Destination "\Device\NTPNP_PCI0011"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\drvmcdb"
.\debug.cpp(400) : Destination "\Device\drvmcdb"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\FltMgr"
.\debug.cpp(400) : Destination "\FileSystem\Filters\FltMgr"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\FtControl"
.\debug.cpp(400) : Destination "\Device\FtControl"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\C:"
.\debug.cpp(400) : Destination "\Device\HarddiskVolume2"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\MAILSLOT"
.\debug.cpp(400) : Destination "\Device\MailSlot"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\MBAMProtector"
.\debug.cpp(400) : Destination "\Device\MBAMProtector"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\AUX"
.\debug.cpp(400) : Destination "\DosDevices\COM1"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\GLOBALROOT"
.\debug.cpp(400) : Destination ""
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\IDE#CdRomPHILIPS_DVD+-RW_DVD8801_________________2D06____#4156353153353136373139343931202020202020#{1186654d-47b8-48b9-beb9-7df113ae3c67}"
.\debug.cpp(400) : Destination "\Device\Ide\IdeDeviceP1T0L0-e"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#RDP_MOU#0000#{378de44c-56ef-11d1-bc8c-00a0c91405dd}"
.\debug.cpp(400) : Destination "\Device\0000003a"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\NUL"
.\debug.cpp(400) : Destination "\Device\Null"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCI#VEN_8086&DEV_24DD&SUBSYS_01D51028&REV_02#3&172e68dd&0&EF#{3abf6f2d-71c4-462a-8a92-1e6861e6af27}"
.\debug.cpp(400) : Destination "\Device\NTPNP_PCI0005"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\vidsflt53"
.\debug.cpp(400) : Destination "\Device\vidsflt53"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\NONSPOOLED_LPT1"
.\debug.cpp(400) : Destination "\Device\Parallel0"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#RDP_KBD#0000#{884b96c3-56ef-11d1-bc8c-00a0c91405dd}"
.\debug.cpp(400) : Destination "\Device\00000039"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\CSIO"
.\debug.cpp(400) : Destination "\Device\CSIO"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\vidsflt"
.\debug.cpp(400) : Destination "\Device\vidsflt53"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\HID#Vid_413c&Pid_2005#6&27052970&0&0000#{4d1e55b2-f16f-11cf-88cb-001111000030}"
.\debug.cpp(400) : Destination "\Device\0000005d"
.\debug.cpp(409) : --
.\debug.cpp(453) : **********************************************
.\boot_cleaner.cpp(565) : System volume is \\.\C:
.\boot_cleaner.cpp(600) : \\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`01f60800
.\boot_cleaner.cpp(276) : Boot sector MD5 is: 75152e63358aab67ac253ae2f28ef97a
.\boot_cleaner.cpp(1061) :
.\boot_cleaner.cpp(1062) : Size Device Name MBR Status
.\boot_cleaner.cpp(1063) : --------------------------------------------
.\boot_cleaner.cpp(1107) : 149 GB \\.\PhysicalDrive0 Unknown boot code
.\boot_cleaner.cpp(1113) :
.\boot_cleaner.cpp(1119) : Unknown boot code has been found on some of your physical disks.
.\boot_cleaner.cpp(1121) : To inspect the boot code manually, dump the master boot sector:
.\boot_cleaner.cpp(1122) : remover.exe dump <device_name> [output_file]
.\boot_cleaner.cpp(1126) : To disinfect the master boot sector, use the following command:
.\boot_cleaner.cpp(1127) : remover.exe fix <device_name>
.\boot_cleaner.cpp(1130) :
.\boot_cleaner.cpp(1152) : Done;

McAfee is gone.
Disabled SAS and Mbam

#7 Broni Re: [RESOLVED] Rootkit.TDS?


Posted 22 January 2012 - 09:22 PM

Did you?

Quote

You're running two AV programs, MSE and McAfee.
One of them has to go.
If McAfee, use this tool to uninstall it: http://majorgeeks.co...Tool_d5420.html

Since SAS and MBAM are both paid for you have to disable one from starting up.
You can't be running two antispyware tools in real time.

Please download and run ListParts by Farbar (for 32-bit system)

Please download and run ListParts64 by Farbar (for 64-bit system)

Click on Scan button.

Scan result will open in Notepad.
Post it in your next reply.

#8 jdhoward Re: [RESOLVED] Rootkit.TDS?


Posted 22 January 2012 - 10:07 PM

Broni, on 22 January 2012 - 09:22 PM, said:

Did you?

Yes, McAfee is gone, SAS and Mbam are both disabled.


Please download and run ListParts by Farbar (for 32-bit system)

Please download and run ListParts64 by Farbar (for 64-bit system)

Click on Scan button.

Scan result will open in Notepad.
Post it in your next reply.

ListParts by Farbar
Ran by Sandra on 22-01-2012 at 15:04:25
Windows XP (X86)
Running From: C:\Documents and Settings\Sandra\Desktop\Downloads
************************************************************

========================= Memory info ======================

Percentage of memory in use: 31%
Total physical RAM: 2045.98 MB
Available physical RAM: 1396.66 MB
Total Pagefile: 3941.71 MB
Available Pagefile: 3167.04 MB
Total Virtual: 2047.88 MB
Available Virtual: 2001.22 MB

======================= Partitions =========================

1 Drive c: () (Fixed) (Total:108.59 GB) (Free:89.49 GB) NTFS ==>[Drive with boot components (Windows XP)]
2 Drive d: (Backup) (Fixed) (Total:36.48 GB) (Free:21.71 GB) NTFS
3 Drive e: (SCRABBLE) (CDROM) (Total:0.25 GB) (Free:0 GB) CDFS

Disk ###  Status      Size     Free     Dyn  Gpt
--------  ----------  -------  -------  ---  ---
Disk 0    Online      149 GB   0 B

Partitions of Disk 0:
===============

Partition ###  Type              Size     Offset
-------------  ----------------  -------  -------
Partition 1    OEM               31 MB    32 KB
Partition 2    Primary           109 GB   31 MB
Partition 3    Primary           36 GB    109 GB
Partition 4    Unknown           4001 MB  145 GB

Disk: 0
Partition 1
Type : DE
Hidden: Yes
Active: No
There is no volume associated with this partition.

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: Yes

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 1    C                 NTFS   Partition   109 GB   Healthy    System (partition with boot components)

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No
  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 2    D    Backup       NTFS   Partition   36 GB    Healthy

Disk: 0
Partition 4
Type : DB
Hidden: Yes
Active: No
There is no volume associated with this partition.

'bcdedit' is not recognized as an internal or external command,
operable program or batch file.


****** End Of Log ******
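
An added example, not from this thread and not code from the Farbar or aswMBR/remover tools, showing how the two logs above fit together. The remover's "Boot sector MD5 is" line and its "Unknown boot code" verdict come from hashing the first 440 bytes of sector 0 of \\.\PhysicalDrive0; the four partitions ListParts printed (types DE, 07, 07, DB, only partition 2 active, DE and DB hidden with no volume) are the four 16-byte entries at offset 446 of that same sector. The script parses a constructed 512-byte MBR with that layout and reports it ListParts-style. The sample sector, its 0xDEADBEEF disk signature and the `known_good_md5` whitelist are assumptions for the demo; an "Unknown boot code" result only means the hash is not in the whitelist you supply, and a vendor-customized MBR is a common benign reason for it, so the MD5 is a lead for comparison against a known-good copy, not a verdict on its own.

```python
"""Parse a classic MBR the way the remover and ListParts logs present it.

Layout of sector 0: bytes 0..439 boot code (what the remover hashes),
440..443 NT disk signature, 446..509 four 16-byte partition entries,
510..511 the 0x55AA boot signature.  Added example with constructed data.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440
DISK_SIG_OFFSET = 440
PART_TABLE_OFFSET = 446
PART_ENTRY_LEN = 16
MBR_SIGNATURE = b"\x55\xaa"

# Type codes as ListParts reports them; DE and DB are OEM codes used for
# hidden vendor partitions (no drive letter), not an infection indicator.
PARTITION_TYPES = {
    0x07: "NTFS/HPFS/exFAT",
    0x0C: "FAT32 (LBA)",
    0x83: "Linux",
    0xDB: "OEM (CP/M, Dell restore)",
    0xDE: "OEM (Dell utility)",
    0xEE: "GPT protective",
}
HIDDEN_OEM_TYPES = {0xDB, 0xDE}


def parse_partition_entry(entry: bytes) -> dict:
    """Decode one 16-byte MBR slot; CHS fields are ignored in favour of LBA."""
    status, _, _, _, ptype, _, _, _, lba_start, sectors = struct.unpack(
        "<BBBBBBBBII", entry)
    return {
        "active": status == 0x80,
        "type": ptype,
        "type_name": PARTITION_TYPES.get(ptype, "unknown"),
        "hidden": ptype in HIDDEN_OEM_TYPES,
        "lba_start": lba_start,
        "sectors": sectors,
        "size_mb": sectors * SECTOR_SIZE // (1024 * 1024),
    }


def parse_mbr(sector: bytes) -> dict:
    """Return boot-code MD5, disk signature and the non-empty partition slots."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:512] != MBR_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for slot in range(4):
        off = PART_TABLE_OFFSET + slot * PART_ENTRY_LEN
        entry = sector[off:off + PART_ENTRY_LEN]
        if entry[4] == 0x00:  # type 0 marks an empty slot
            continue
        partitions.append(parse_partition_entry(entry))
    return {
        "boot_code_md5": hashlib.md5(sector[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack(
            "<I", sector[DISK_SIG_OFFSET:DISK_SIG_OFFSET + 4])[0],
        "partitions": partitions,
    }


def check_boot_code(sector: bytes, known_good_md5: set) -> str:
    """Same verdict the remover log prints: the boot-code hash is either in
    the caller's whitelist of known boot code or it is "Unknown boot code"."""
    digest = hashlib.md5(sector[:BOOT_CODE_LEN]).hexdigest()
    return "known" if digest in known_good_md5 else "Unknown boot code"


def summarize(sector: bytes) -> list:
    """ListParts-style report lines: the MD5 line plus one line per slot in use."""
    info = parse_mbr(sector)
    lines = ["Boot sector MD5 is: " + info["boot_code_md5"]]
    for n, p in enumerate(info["partitions"], start=1):
        lines.append("Partition %d  Type: %02X (%s)  Hidden: %s  Active: %s  %d MB"
                     % (n, p["type"], p["type_name"],
                        "Yes" if p["hidden"] else "No",
                        "Yes" if p["active"] else "No", p["size_mb"]))
    return lines


def make_entry(active: bool, ptype: int, lba_start: int, sectors: int) -> bytes:
    """Build one partition entry with zeroed CHS fields (tools rely on LBA)."""
    status = 0x80 if active else 0x00
    return struct.pack("<BBBBBBBBII", status, 0, 0, 0, ptype, 0, 0, 0,
                       lba_start, sectors)


def build_sample_mbr() -> bytes:
    """Constructed sector (an assumption, not the poster's disk) mirroring the
    layout ListParts showed: hidden DE utility, active NTFS system, NTFS
    data, hidden DB recovery."""
    boot_code = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * (BOOT_CODE_LEN - 7)
    disk_sig = struct.pack("<I", 0xDEADBEEF)  # made-up NT disk signature
    table = (make_entry(False, 0xDE, 63, 63_488)                 # 31 MB
             + make_entry(True, 0x07, 63_551, 227_700_000)        # ~108.6 GB
             + make_entry(False, 0x07, 227_763_551, 76_500_000)   # ~36.5 GB
             + make_entry(False, 0xDB, 304_263_551, 8_194_048))   # 4001 MB
    return boot_code + disk_sig + b"\x00\x00" + table + MBR_SIGNATURE


if __name__ == "__main__":
    sample = build_sample_mbr()
    for line in summarize(sample):
        print(line)
    print(check_boot_code(sample, known_good_md5=set()))
```

Run against a real disk, the 512 bytes would come from reading sector 0 of the physical drive (or from the file written by `remover.exe dump`), and `known_good_md5` would hold the hash of the boot code from a known-clean install of the same OS and vendor image; only a hash that matches nothing there is worth manual inspection.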

#9 Broni Re: [RESOLVED] Rootkit.TDS?


Posted 22 January 2012 - 10:12 PM

Download the FixTDSS.exe

Save the file to your Windows desktop.
Close all running programs.
If you are running Windows XP, turn off System Restore. How to turn off or turn on Windows XP System Restore
Double-click the FixTDSS.exe file to start the removal tool.
Click Start to begin the process, and then allow the tool to run.
OK any security prompts.
Restart the computer when prompted by the tool.
After the computer has started, the tool will inform you of the state of infection (make sure to let me know what it said)
If you are running Windows XP, re-enable System Restore.

#10 jdhoward Re: [RESOLVED] Rootkit.TDS?


Posted 22 January 2012 - 10:40 PM

OK. System Restore is re-enabled. MBAM in protection mode. SAS disabled.
Scan results show:
Backdoor,tidserv has not been found on your computer.

#11 Broni Re: [RESOLVED] Rootkit.TDS?


Posted 22 January 2012 - 10:43 PM

Download TDSSKiller and save it to your desktop.
  • Double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here.


#12 jdhoward Re: [RESOLVED] Rootkit.TDS?


Posted 22 January 2012 - 10:53 PM

Here you go. Thanks again

15:50:19.0953 0360 TDSS rootkit removing tool 2.7.6.0 Jan 19 2012 13:09:04
15:50:21.0968 0360 ============================================================
15:50:21.0968 0360 Current date / time: 2012/01/22 15:50:21.0968
15:50:21.0968 0360 SystemInfo:
15:50:21.0968 0360
15:50:21.0968 0360 OS Version: 5.1.2600 ServicePack: 3.0
15:50:21.0968 0360 Product type: Workstation
15:50:21.0968 0360 ComputerName: SANDRA
15:50:21.0968 0360 UserName: Sandra
15:50:21.0968 0360 Windows directory: C:\WINDOWS
15:50:21.0968 0360 System windows directory: C:\WINDOWS
15:50:21.0968 0360 Processor architecture: Intel x86
15:50:21.0968 0360 Number of processors: 1
15:50:21.0968 0360 Page size: 0x1000
15:50:21.0968 0360 Boot type: Normal boot
15:50:21.0968 0360 ============================================================
15:50:24.0312 0360 Drive \Device\Harddisk0\DR0 - Size: 0x2540BE4000 (149.01 Gb), SectorSize: 0x200, Cylinders: 0x4BFC, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
15:50:24.0406 0360 Initialize success
15:50:26.0781 2952 ============================================================
15:50:26.0781 2952 Scan started
15:50:26.0781 2952 Mode: Manual;
15:50:26.0781 2952 ============================================================
15:50:27.0625 2952 Abiosdsk - ok
15:50:27.0687 2952 abp480n5 (6abb91494fe6c59089b9336452ab2ea3) C:\WINDOWS\system32\DRIVERS\ABP480N5.SYS
15:50:27.0687 2952 abp480n5 - ok
15:50:27.0750 2952 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
15:50:27.0750 2952 ACPI - ok
15:50:27.0781 2952 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
15:50:27.0781 2952 ACPIEC - ok
15:50:27.0812 2952 adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\system32\DRIVERS\adpu160m.sys
15:50:27.0812 2952 adpu160m - ok
15:50:27.0859 2952 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
15:50:27.0859 2952 aec - ok
15:50:27.0906 2952 AFD (1e44bc1e83d8fd2305f8d452db109cf9) C:\WINDOWS\System32\drivers\afd.sys
15:50:27.0906 2952 AFD - ok
15:50:27.0953 2952 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys
15:50:27.0953 2952 agp440 - ok
15:50:27.0968 2952 agpCPQ (03a7e0922acfe1b07d5db2eeb0773063) C:\WINDOWS\system32\DRIVERS\agpCPQ.sys
15:50:27.0968 2952 agpCPQ - ok
15:50:27.0984 2952 Aha154x (c23ea9b5f46c7f7910db3eab648ff013) C:\WINDOWS\system32\DRIVERS\aha154x.sys
15:50:27.0984 2952 Aha154x - ok
15:50:28.0015 2952 aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\system32\DRIVERS\aic78u2.sys
15:50:28.0015 2952 aic78u2 - ok
15:50:28.0046 2952 aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\system32\DRIVERS\aic78xx.sys
15:50:28.0046 2952 aic78xx - ok
15:50:28.0078 2952 AliIde (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\system32\DRIVERS\aliide.sys
15:50:28.0078 2952 AliIde - ok
15:50:28.0125 2952 alim1541 (cb08aed0de2dd889a8a820cd8082d83c) C:\WINDOWS\system32\DRIVERS\alim1541.sys
15:50:28.0125 2952 alim1541 - ok
15:50:28.0140 2952 amdagp (95b4fb835e28aa1336ceeb07fd5b9398) C:\WINDOWS\system32\DRIVERS\amdagp.sys
15:50:28.0140 2952 amdagp - ok
15:50:28.0171 2952 amsint (79f5add8d24bd6893f2903a3e2f3fad6) C:\WINDOWS\system32\DRIVERS\amsint.sys
15:50:28.0171 2952 amsint - ok
15:50:28.0218 2952 asc (62d318e9a0c8fc9b780008e724283707) C:\WINDOWS\system32\DRIVERS\asc.sys
15:50:28.0218 2952 asc - ok
15:50:28.0250 2952 asc3350p (69eb0cc7714b32896ccbfd5edcbea447) C:\WINDOWS\system32\DRIVERS\asc3350p.sys
15:50:28.0250 2952 asc3350p - ok
15:50:28.0265 2952 asc3550 (5d8de112aa0254b907861e9e9c31d597) C:\WINDOWS\system32\DRIVERS\asc3550.sys
15:50:28.0265 2952 asc3550 - ok
15:50:28.0312 2952 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
15:50:28.0312 2952 AsyncMac - ok
15:50:28.0343 2952 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
15:50:28.0343 2952 atapi - ok
15:50:28.0359 2952 Atdisk - ok
15:50:28.0390 2952 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
15:50:28.0390 2952 Atmarpc - ok
15:50:28.0421 2952 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
15:50:28.0421 2952 audstub - ok
15:50:28.0468 2952 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
15:50:28.0468 2952 Beep - ok
15:50:28.0500 2952 bvrp_pci - ok
15:50:28.0531 2952 cbidf (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\DRIVERS\cbidf2k.sys
15:50:28.0531 2952 cbidf - ok
15:50:28.0562 2952 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
15:50:28.0562 2952 cbidf2k - ok
15:50:28.0578 2952 cd20xrnt (f3ec03299634490e97bbce94cd2954c7) C:\WINDOWS\system32\DRIVERS\cd20xrnt.sys
15:50:28.0578 2952 cd20xrnt - ok
15:50:28.0593 2952 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
15:50:28.0609 2952 Cdaudio - ok
15:50:28.0640 2952 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
15:50:28.0656 2952 Cdfs - ok
15:50:28.0671 2952 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
15:50:28.0687 2952 Cdrom - ok
15:50:28.0703 2952 Changer - ok
15:50:28.0796 2952 cmdGuard (a2c97b4f0db351930d58f467948dc51d) C:\WINDOWS\system32\DRIVERS\cmdguard.sys
15:50:28.0796 2952 cmdGuard - ok
15:50:28.0843 2952 cmdHlp (a736f2263310fee1799de88cb50c1023) C:\WINDOWS\system32\DRIVERS\cmdhlp.sys
15:50:28.0843 2952 cmdHlp - ok
15:50:28.0859 2952 CmdIde (e5dcb56c533014ecbc556a8357c929d5) C:\WINDOWS\system32\DRIVERS\cmdide.sys
15:50:28.0859 2952 CmdIde - ok
15:50:28.0906 2952 Cpqarray (3ee529119eed34cd212a215e8c40d4b6) C:\WINDOWS\system32\DRIVERS\cpqarray.sys
15:50:28.0906 2952 Cpqarray - ok
15:50:28.0953 2952 dac2w2k (e550e7418984b65a78299d248f0a7f36) C:\WINDOWS\system32\DRIVERS\dac2w2k.sys
15:50:28.0953 2952 dac2w2k - ok
15:50:28.0984 2952 dac960nt (683789caa3864eb46125ae86ff677d34) C:\WINDOWS\system32\DRIVERS\dac960nt.sys
15:50:28.0984 2952 dac960nt - ok
15:50:29.0031 2952 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
15:50:29.0046 2952 Disk - ok
15:50:29.0109 2952 DLABOIOM (e2d0de31442390c35e3163c87cb6a9eb) C:\WINDOWS\system32\DLA\DLABOIOM.SYS
15:50:29.0109 2952 DLABOIOM - ok
15:50:29.0140 2952 DLACDBHM (d979bebcf7edcc9c9ee1857d1a68c67b) C:\WINDOWS\system32\Drivers\DLACDBHM.SYS
15:50:29.0140 2952 DLACDBHM - ok
15:50:29.0171 2952 DLADResN (83545593e297f50a8e2524b4c071a153) C:\WINDOWS\system32\DLA\DLADResN.SYS
15:50:29.0171 2952 DLADResN - ok
15:50:29.0203 2952 DLAIFS_M (96e01d901cdc98c7817155cc057001bf) C:\WINDOWS\system32\DLA\DLAIFS_M.SYS
15:50:29.0218 2952 DLAIFS_M - ok
15:50:29.0234 2952 DLAOPIOM (0a60a39cc5e767980a31ca5d7238dfa9) C:\WINDOWS\system32\DLA\DLAOPIOM.SYS
15:50:29.0234 2952 DLAOPIOM - ok
15:50:29.0250 2952 DLAPoolM (9fe2b72558fc808357f427fd83314375) C:\WINDOWS\system32\DLA\DLAPoolM.SYS
15:50:29.0250 2952 DLAPoolM - ok
15:50:29.0281 2952 DLARTL_N (7ee0852ae8907689df25049dcd2342e8) C:\WINDOWS\system32\Drivers\DLARTL_N.SYS
15:50:29.0281 2952 DLARTL_N - ok
15:50:29.0296 2952 DLAUDFAM (f08e1dafac457893399e03430a6a1397) C:\WINDOWS\system32\DLA\DLAUDFAM.SYS
15:50:29.0296 2952 DLAUDFAM - ok
15:50:29.0328 2952 DLAUDF_M (e7d105ed1e694449d444a9933df8e060) C:\WINDOWS\system32\DLA\DLAUDF_M.SYS
15:50:29.0328 2952 DLAUDF_M - ok
15:50:29.0390 2952 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
15:50:29.0406 2952 dmboot - ok
15:50:29.0468 2952 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
15:50:29.0468 2952 dmio - ok
15:50:29.0500 2952 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
15:50:29.0500 2952 dmload - ok
15:50:29.0546 2952 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
15:50:29.0546 2952 DMusic - ok
15:50:29.0578 2952 dpti2o (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\WINDOWS\system32\DRIVERS\dpti2o.sys
15:50:29.0593 2952 dpti2o - ok
15:50:29.0609 2952 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
15:50:29.0609 2952 drmkaud - ok
15:50:29.0656 2952 DRVMCDB (fd0f95981fef9073659d8ec58e40aa3c) C:\WINDOWS\system32\Drivers\DRVMCDB.SYS
15:50:29.0656 2952 DRVMCDB - ok
15:50:29.0671 2952 DRVNDDM (b4869d320428cdc5ec4d7f5e808e99b5) C:\WINDOWS\system32\Drivers\DRVNDDM.SYS
15:50:29.0671 2952 DRVNDDM - ok
15:50:29.0703 2952 E100B (7d91dc6342248369f94d6eba0cf42e99) C:\WINDOWS\system32\DRIVERS\e100b325.sys
15:50:29.0718 2952 E100B - ok
15:50:29.0781 2952 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
15:50:29.0781 2952 Fastfat - ok
15:50:29.0812 2952 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
15:50:29.0828 2952 Fdc - ok
15:50:29.0859 2952 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
15:50:29.0875 2952 Fips - ok
15:50:29.0890 2952 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
15:50:29.0890 2952 Flpydisk - ok
15:50:29.0921 2952 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
15:50:29.0921 2952 FltMgr - ok
15:50:29.0953 2952 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
15:50:29.0968 2952 Fs_Rec - ok
15:50:29.0984 2952 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
15:50:29.0984 2952 Ftdisk - ok
15:50:30.0015 2952 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
15:50:30.0015 2952 Gpc - ok
15:50:30.0046 2952 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
15:50:30.0046 2952 HidUsb - ok
15:50:30.0156 2952 hpn (b028377dea0546a5fcfba928a8aefae0) C:\WINDOWS\system32\DRIVERS\hpn.sys
15:50:30.0156 2952 hpn - ok
15:50:30.0218 2952 HSFHWBS2 (77e4ff0b73bc0aeaaf39bf0c8104231f) C:\WINDOWS\system32\DRIVERS\HSFHWBS2.sys
15:50:30.0250 2952 HSFHWBS2 - ok
15:50:30.0312 2952 HSF_DP (60e1604729a15ef4a3b05f298427b3b1) C:\WINDOWS\system32\DRIVERS\HSF_DP.sys
15:50:30.0343 2952 HSF_DP - ok
15:50:30.0406 2952 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
15:50:30.0406 2952 HTTP - ok
15:50:30.0453 2952 i2omgmt (9368670bd426ebea5e8b18a62416ec28) C:\WINDOWS\system32\drivers\i2omgmt.sys
15:50:30.0453 2952 i2omgmt - ok
15:50:30.0484 2952 i2omp (f10863bf1ccc290babd1a09188ae49e0) C:\WINDOWS\system32\DRIVERS\i2omp.sys
15:50:30.0484 2952 i2omp - ok
15:50:30.0531 2952 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
15:50:30.0531 2952 i8042prt - ok
15:50:30.0609 2952 ialm (0294a30b302ca71a2c26e582dda93486) C:\WINDOWS\system32\DRIVERS\ialmnt5.sys
15:50:30.0640 2952 ialm - ok
15:50:30.0703 2952 IDMTDI (8893a9194e17be5d4547120cc95e7bcc) C:\WINDOWS\system32\DRIVERS\idmtdi.sys
15:50:30.0703 2952 IDMTDI - ok
15:50:30.0765 2952 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
15:50:30.0765 2952 Imapi - ok
15:50:30.0796 2952 ini910u (4a40e045faee58631fd8d91afc620719) C:\WINDOWS\system32\DRIVERS\ini910u.sys
15:50:30.0812 2952 ini910u - ok
15:50:30.0859 2952 Inspect (456003490faa4a2361ceacbfb6409172) C:\WINDOWS\system32\DRIVERS\inspect.sys
15:50:30.0859 2952 Inspect - ok
15:50:30.0890 2952 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
15:50:30.0890 2952 IntelIde - ok
15:50:30.0906 2952 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
15:50:30.0906 2952 intelppm - ok
15:50:30.0937 2952 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
15:50:30.0937 2952 Ip6Fw - ok
15:50:30.0968 2952 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
15:50:30.0968 2952 IpFilterDriver - ok
15:50:30.0984 2952 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
15:50:30.0984 2952 IpInIp - ok
15:50:31.0015 2952 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
15:50:31.0015 2952 IpNat - ok
15:50:31.0062 2952 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
15:50:31.0062 2952 IPSec - ok
15:50:31.0078 2952 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
15:50:31.0078 2952 IRENUM - ok
15:50:31.0109 2952 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
15:50:31.0109 2952 isapnp - ok
15:50:31.0140 2952 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
15:50:31.0140 2952 Kbdclass - ok
15:50:31.0156 2952 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
15:50:31.0171 2952 kbdhid - ok
15:50:31.0203 2952 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
15:50:31.0203 2952 kmixer - ok
15:50:31.0234 2952 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
15:50:31.0234 2952 KSecDD - ok
15:50:31.0265 2952 lbrtfdc - ok
15:50:31.0328 2952 MBAMProtector (b7ca8cc3f978201856b6ab82f40953c3) C:\WINDOWS\system32\drivers\mbam.sys
15:50:31.0328 2952 MBAMProtector - ok
15:50:31.0390 2952 mdmxsdk (eeaea6514ba7c9d273b5e87c4e1aab30) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
15:50:31.0390 2952 mdmxsdk - ok
15:50:31.0421 2952 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
15:50:31.0421 2952 mnmdd - ok
15:50:31.0468 2952 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
15:50:31.0468 2952 Modem - ok
15:50:31.0500 2952 MODEMCSA (1992e0d143b09653ab0f9c5e04b0fd65) C:\WINDOWS\system32\drivers\MODEMCSA.sys
15:50:31.0500 2952 MODEMCSA - ok
15:50:31.0515 2952 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
15:50:31.0515 2952 Mouclass - ok
15:50:31.0562 2952 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
15:50:31.0578 2952 mouhid - ok
15:50:31.0593 2952 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
15:50:31.0593 2952 MountMgr - ok
15:50:31.0656 2952 MpFilter (fee0baded54222e9f1dae9541212aab1) C:\WINDOWS\system32\DRIVERS\MpFilter.sys
15:50:31.0656 2952 MpFilter - ok
15:50:31.0796 2952 MpKsl53de4a1d (a69630d039c38018689190234f866d77) C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{FD2D3AA4-2888-4A31-B11E-4DC9A6975A8D}\MpKsl53de4a1d.sys
15:50:31.0796 2952 MpKsl53de4a1d - ok
15:50:31.0843 2952 mraid35x (3f4bb95e5a44f3be34824e8e7caf0737) C:\WINDOWS\system32\DRIVERS\mraid35x.sys
15:50:31.0843 2952 mraid35x - ok
15:50:31.0875 2952 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
15:50:31.0875 2952 MRxDAV - ok
15:50:31.0953 2952 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
15:50:31.0953 2952 MRxSmb - ok
15:50:32.0031 2952 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
15:50:32.0046 2952 Msfs - ok
15:50:32.0062 2952 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
15:50:32.0062 2952 MSKSSRV - ok
15:50:32.0093 2952 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
15:50:32.0093 2952 MSPCLOCK - ok
15:50:32.0125 2952 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
15:50:32.0125 2952 MSPQM - ok
15:50:32.0156 2952 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
15:50:32.0156 2952 mssmbios - ok
15:50:32.0203 2952 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
15:50:32.0203 2952 Mup - ok
15:50:32.0250 2952 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
15:50:32.0265 2952 NDIS - ok
15:50:32.0343 2952 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
15:50:32.0343 2952 NdisTapi - ok
15:50:32.0406 2952 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
15:50:32.0406 2952 Ndisuio - ok
15:50:32.0500 2952 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
15:50:32.0500 2952 NdisWan - ok
15:50:32.0546 2952 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
15:50:32.0546 2952 NDProxy - ok
15:50:32.0593 2952 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
15:50:32.0593 2952 NetBIOS - ok
15:50:32.0640 2952 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
15:50:32.0640 2952 NetBT - ok
15:50:32.0718 2952 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
15:50:32.0718 2952 Npfs - ok
15:50:32.0796 2952 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
15:50:32.0812 2952 Ntfs - ok
15:50:32.0890 2952 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
15:50:32.0890 2952 Null - ok
15:50:32.0984 2952 nv (2b298519edbfcf451d43e0f1e8f1006d) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
15:50:33.0031 2952 nv - ok
15:50:33.0062 2952 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
15:50:33.0062 2952 NwlnkFlt - ok
15:50:33.0093 2952 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
15:50:33.0093 2952 NwlnkFwd - ok
15:50:33.0125 2952 NwlnkIpx (8b8b1be2dba4025da6786c645f77f123) C:\WINDOWS\system32\DRIVERS\nwlnkipx.sys
15:50:33.0125 2952 NwlnkIpx - ok
15:50:33.0140 2952 NwlnkNb (56d34a67c05e94e16377c60609741ff8) C:\WINDOWS\system32\DRIVERS\nwlnknb.sys
15:50:33.0140 2952 NwlnkNb - ok
15:50:33.0156 2952 NwlnkSpx (c0bb7d1615e1acbdc99757f6ceaf8cf0) C:\WINDOWS\system32\DRIVERS\nwlnkspx.sys
15:50:33.0171 2952 NwlnkSpx - ok
15:50:33.0203 2952 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
15:50:33.0218 2952 Parport - ok
15:50:33.0250 2952 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
15:50:33.0250 2952 PartMgr - ok
15:50:33.0296 2952 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
15:50:33.0296 2952 ParVdm - ok
15:50:33.0328 2952 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
15:50:33.0343 2952 PCI - ok
15:50:33.0359 2952 PCIDump - ok
15:50:33.0375 2952 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
15:50:33.0375 2952 PCIIde - ok
15:50:33.0406 2952 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
15:50:33.0406 2952 Pcmcia - ok
15:50:33.0421 2952 PDCOMP - ok
15:50:33.0437 2952 PDFRAME - ok
15:50:33.0468 2952 PDRELI - ok
15:50:33.0484 2952 PDRFRAME - ok
15:50:33.0500 2952 perc2 (6c14b9c19ba84f73d3a86dba11133101) C:\WINDOWS\system32\DRIVERS\perc2.sys
15:50:33.0500 2952 perc2 - ok
15:50:33.0531 2952 perc2hib (f50f7c27f131afe7beba13e14a3b9416) C:\WINDOWS\system32\DRIVERS\perc2hib.sys
15:50:33.0531 2952 perc2hib - ok
15:50:33.0609 2952 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
15:50:33.0609 2952 PptpMiniport - ok
15:50:33.0640 2952 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
15:50:33.0640 2952 PSched - ok
15:50:33.0687 2952 pssnap (8fd519ab5d4357a132409722591f6203) C:\WINDOWS\system32\DRIVERS\pssnap.sys
15:50:33.0687 2952 pssnap - ok
15:50:33.0718 2952 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
15:50:33.0718 2952 Ptilink - ok
15:50:33.0734 2952 PxHelp20 (86724469cd077901706854974cd13c3e) C:\WINDOWS\system32\Drivers\PxHelp20.sys
15:50:33.0734 2952 PxHelp20 - ok
15:50:33.0765 2952 ql1080 (0a63fb54039eb5662433caba3b26dba7) C:\WINDOWS\system32\DRIVERS\ql1080.sys
15:50:33.0765 2952 ql1080 - ok
15:50:33.0796 2952 Ql10wnt (6503449e1d43a0ff0201ad5cb1b8c706) C:\WINDOWS\system32\DRIVERS\ql10wnt.sys
15:50:33.0796 2952 Ql10wnt - ok
15:50:33.0828 2952 ql12160 (156ed0ef20c15114ca097a34a30d8a01) C:\WINDOWS\system32\DRIVERS\ql12160.sys
15:50:33.0828 2952 ql12160 - ok
15:50:33.0843 2952 ql1240 (70f016bebde6d29e864c1230a07cc5e6) C:\WINDOWS\system32\DRIVERS\ql1240.sys
15:50:33.0843 2952 ql1240 - ok
15:50:33.0875 2952 ql1280 (907f0aeea6bc451011611e732bd31fcf) C:\WINDOWS\system32\DRIVERS\ql1280.sys
15:50:33.0875 2952 ql1280 - ok
15:50:33.0906 2952 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
15:50:33.0921 2952 RasAcd - ok
15:50:33.0953 2952 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
15:50:33.0953 2952 Rasl2tp - ok
15:50:33.0968 2952 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
15:50:33.0984 2952 RasPppoe - ok
15:50:34.0000 2952 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
15:50:34.0000 2952 Raspti - ok
15:50:34.0031 2952 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
15:50:34.0046 2952 Rdbss - ok
15:50:34.0062 2952 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
15:50:34.0062 2952 RDPCDD - ok
15:50:34.0140 2952 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
15:50:34.0140 2952 rdpdr - ok
15:50:34.0187 2952 RDPWD (fc105dd312ed64eb66bff111e8ec6eac) C:\WINDOWS\system32\drivers\RDPWD.sys
15:50:34.0187 2952 RDPWD - ok
15:50:34.0234 2952 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
15:50:34.0234 2952 redbook - ok
15:50:34.0359 2952 SASDIFSV (39763504067962108505bff25f024345) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
15:50:34.0359 2952 SASDIFSV - ok
15:50:34.0375 2952 SASKUTIL (77b9fc20084b48408ad3e87570eb4a85) C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
15:50:34.0375 2952 SASKUTIL - ok
15:50:34.0437 2952 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
15:50:34.0437 2952 Secdrv - ok
15:50:34.0515 2952 senfilt (b9c7617c1e8ab6fdff75d3c8dafcb4c8) C:\WINDOWS\system32\drivers\senfilt.sys
15:50:34.0531 2952 senfilt - ok
15:50:34.0578 2952 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
15:50:34.0578 2952 serenum - ok
15:50:34.0593 2952 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
15:50:34.0609 2952 Serial - ok
15:50:34.0687 2952 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
15:50:34.0687 2952 Sfloppy - ok
15:50:34.0718 2952 Simbad - ok
15:50:34.0750 2952 sisagp (6b33d0ebd30db32e27d1d78fe946a754) C:\WINDOWS\system32\DRIVERS\sisagp.sys
15:50:34.0750 2952 sisagp - ok
15:50:34.0781 2952 smwdm (0066ff77aeb4ae70066f7e94d5a6d866) C:\WINDOWS\system32\drivers\smwdm.sys
15:50:34.0796 2952 smwdm - ok
15:50:34.0828 2952 snapman (98b44c15b4eed76aa8dccb64a4ca11af) C:\WINDOWS\system32\DRIVERS\snapman.sys
15:50:34.0843 2952 snapman - ok
15:50:34.0890 2952 Sparrow (83c0f71f86d3bdaf915685f3d568b20e) C:\WINDOWS\system32\DRIVERS\sparrow.sys
15:50:34.0890 2952 Sparrow - ok
15:50:34.0937 2952 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
15:50:34.0937 2952 splitter - ok
15:50:34.0968 2952 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
15:50:34.0968 2952 sr - ok
15:50:35.0031 2952 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
15:50:35.0046 2952 Srv - ok
15:50:35.0109 2952 StarOpen (e57b778208c783d8debab320c16a1b82) C:\WINDOWS\system32\drivers\StarOpen.sys
15:50:35.0109 2952 StarOpen - ok
15:50:35.0140 2952 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
15:50:35.0156 2952 swenum - ok
15:50:35.0171 2952 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
15:50:35.0171 2952 swmidi - ok
15:50:35.0203 2952 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\system32\DRIVERS\symc810.sys
15:50:35.0203 2952 symc810 - ok
15:50:36.0000 2952 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\system32\DRIVERS\symc8xx.sys
15:50:36.0000 2952 symc8xx - ok
15:50:36.0125 2952 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\system32\DRIVERS\sym_hi.sys
15:50:36.0125 2952 sym_hi - ok
15:50:36.0156 2952 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\system32\DRIVERS\sym_u3.sys
15:50:36.0156 2952 sym_u3 - ok
15:50:36.0203 2952 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
15:50:36.0203 2952 sysaudio - ok
15:50:36.0265 2952 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
15:50:36.0265 2952 Tcpip - ok
15:50:36.0296 2952 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
15:50:36.0296 2952 TDPIPE - ok
15:50:36.0328 2952 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
15:50:36.0328 2952 TDTCP - ok
15:50:36.0375 2952 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
15:50:36.0375 2952 TermDD - ok
15:50:36.0453 2952 timounter (d8a96d0e25d43fdac3bed09adf39fde9) C:\WINDOWS\system32\DRIVERS\timntr.sys
15:50:36.0468 2952 timounter - ok
15:50:36.0515 2952 TosIde (f2790f6af01321b172aa62f8e1e187d9) C:\WINDOWS\system32\DRIVERS\toside.sys
15:50:36.0515 2952 TosIde - ok
15:50:36.0562 2952 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
15:50:36.0562 2952 Udfs - ok
15:50:36.0578 2952 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\system32\DRIVERS\ultra.sys
15:50:36.0578 2952 ultra - ok
15:50:36.0625 2952 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
15:50:36.0656 2952 Update - ok
15:50:36.0718 2952 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys
15:50:36.0718 2952 usbaudio - ok
15:50:36.0750 2952 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
15:50:36.0750 2952 usbccgp - ok
15:50:36.0796 2952 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
15:50:36.0796 2952 usbehci - ok
15:50:36.0812 2952 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
15:50:36.0812 2952 usbhub - ok
15:50:36.0875 2952 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
15:50:36.0890 2952 usbprint - ok
15:50:36.0906 2952 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
15:50:36.0906 2952 USBSTOR - ok
15:50:36.0937 2952 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
15:50:36.0937 2952 usbuhci - ok
15:50:36.0968 2952 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
15:50:36.0968 2952 VgaSave - ok
15:50:37.0015 2952 viaagp (754292ce5848b3738281b4f3607eaef4) C:\WINDOWS\system32\DRIVERS\viaagp.sys
15:50:37.0015 2952 viaagp - ok
15:50:37.0031 2952 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys
15:50:37.0031 2952 ViaIde - ok
15:50:37.0093 2952 vididr (149ec3e217f9d11e9ca6c54ce3d70c73) C:\WINDOWS\system32\DRIVERS\vididr.sys
15:50:37.0093 2952 vididr - ok
15:50:37.0125 2952 vidsflt53 (e31e9cd40677b84b3adaa7a0d80dc439) C:\WINDOWS\system32\DRIVERS\vsflt53.sys
15:50:37.0140 2952 vidsflt53 - ok
15:50:37.0171 2952 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
15:50:37.0171 2952 VolSnap - ok
15:50:37.0234 2952 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
15:50:37.0234 2952 Wanarp - ok
15:50:37.0250 2952 wanatw - ok
15:50:37.0281 2952 WDICA - ok
15:50:37.0312 2952 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
15:50:37.0312 2952 wdmaud - ok
15:50:37.0375 2952 winachsf (f59ed5a43b988a18ef582bb07b2327a7) C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys
15:50:37.0390 2952 winachsf - ok
15:50:37.0515 2952 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
15:50:37.0515 2952 WS2IFSL - ok
15:50:37.0546 2952 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
15:50:37.0546 2952 WudfPf - ok
15:50:37.0578 2952 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
15:50:37.0578 2952 WudfRd - ok
15:50:37.0625 2952 MBR (0x1B8) (91722e6bc3a2b40ff00222dca4a3db3e) \Device\Harddisk0\DR0
15:50:37.0671 2952 \Device\Harddisk0\DR0 - ok
15:50:37.0718 2952 Boot (0x1200) (90b10d4e152b6c5cc37fb07cc2c2a3b1) \Device\Harddisk0\DR0\Partition0
15:50:37.0718 2952 \Device\Harddisk0\DR0\Partition0 - ok
15:50:37.0750 2952 Boot (0x1200) (0f9ea24fa1e634396a104e990960d262) \Device\Harddisk0\DR0\Partition1
15:50:37.0750 2952 \Device\Harddisk0\DR0\Partition1 - ok
15:50:37.0750 2952 ============================================================
15:50:37.0750 2952 Scan finished
15:50:37.0750 2952 ============================================================
15:50:37.0781 1572 Detected object count: 0
15:50:37.0781 1572 Actual detected object count: 0
15:51:21.0859 2424 Deinitialize success

#13 Broni Re: [RESOLVED] Rootkit.TDS?

Posted 22 January 2012 - 11:02 PM

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Please, never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
    NOTE 2. If Combofix asks you to update the program, always do so.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts.
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore your connection.
  • Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt"
**Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall.
**Note 2 for AVG and CA Internet Security users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG/CA Internet Security first.
Use AppRemover to uninstall it: http://www.appremover.com/
We can reinstall it when we're done with CF.
**Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
**Note 4: Some infections may take some significant time to be cured. As long as your computer clock is running Combofix is still working. Be patient.



Make sure you re-enable your security programs when you're done with Combofix.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

NOTE.
If, for some reason, Combofix refuses to run, try one of the following:

1. Run Combofix from Safe Mode (How to...)

2. Delete Combofix file, download fresh one, but rename combofix.exe to yourname.exe BEFORE saving it to your desktop.
Do NOT run it yet.

Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

There are 4 different versions. If one of them won't run then download and try to run the other one.

Vista and Win7 users need to right-click Rkill and choose Run as Administrator.

You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool; ignore them or shut down your antivirus.

Rkill.com
Rkill.scr
Rkill.exe

  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • Do not reboot until instructed.
  • If the tool does not run from any of the links provided, please let me know.

Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

If normal mode still doesn't work, run BOTH tools from safe mode.

In case #2, please post BOTH logs, rKill and Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!

#14 jdhoward Re: [RESOLVED] Rootkit.TDS?

Posted 22 January 2012 - 11:33 PM

Here you go.

ComboFix 12-01-21.02 - Sandra 01/22/2012 16:18:30.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1483 [GMT -7:00]
Running from: c:\documents and settings\Sandra\Desktop\Downloads\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
FW: COMODO Firewall *Enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\Sandra\WINDOWS
.
.
((((((((((((((((((((((((( Files Created from 2011-12-22 to 2012-01-22 )))))))))))))))))))))))))))))))
.
.
2012-01-22 22:27 . 2012-01-22 22:27 29904 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{FD2D3AA4-2888-4A31-B11E-4DC9A6975A8D}\MpKsl53de4a1d.sys
2012-01-22 16:17 . 2012-01-06 04:19 6557240 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{FD2D3AA4-2888-4A31-B11E-4DC9A6975A8D}\mpengine.dll
2012-01-22 16:08 . 2012-01-22 16:08 -------- d--h--w- c:\windows\PIF
2012-01-15 17:29 . 2012-01-15 17:29 -------- d-----w- c:\program files\ESET
2012-01-06 18:07 . 2012-01-06 18:07 -------- d-----w- c:\program files\Karen's Power Tools
2012-01-06 18:07 . 2012-01-06 18:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Karen's Power Tools
2012-01-06 16:40 . 2012-01-06 16:40 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2012-01-06 01:41 . 2012-01-06 01:41 -------- d-----w- c:\documents and settings\Sandra\Application Data\ElevatedDiagnostics
2012-01-06 01:19 . 2012-01-06 01:23 -------- dc-h--w- c:\windows\ie8
2012-01-05 23:13 . 2012-01-05 23:13 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2012-01-05 22:34 . 2011-08-16 10:45 6144 ------w- c:\windows\system32\dllcache\iecompat.dll
2012-01-05 22:33 . 2011-11-04 19:20 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2012-01-05 22:33 . 2011-11-04 19:20 247808 ------w- c:\windows\system32\dllcache\ieproxy.dll
2012-01-05 22:33 . 2011-11-04 19:20 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll
2011-12-31 18:18 . 2011-12-31 18:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Macrium
2011-12-31 18:17 . 2011-12-31 18:17 -------- d-----w- c:\program files\Macrium
2011-12-31 16:15 . 2011-12-31 16:15 161 ----a-w- C:\Delme.bat
2011-12-31 14:01 . 2011-12-31 14:02 -------- d-----w- c:\documents and settings\Sandra\Local Settings\Application Data\Solid State Networks
2011-12-31 13:59 . 2011-12-31 13:59 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-12-31 13:22 . 2011-12-21 07:24 121816 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
2011-12-31 13:22 . 2011-12-21 07:24 814040 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll
2011-12-31 13:22 . 2011-12-21 07:24 43992 ----a-w- c:\program files\Mozilla Firefox\mozutils.dll
2011-12-31 13:22 . 2011-12-21 07:24 2124760 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll
2011-12-31 13:22 . 2011-12-21 07:24 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll
2011-12-31 13:22 . 2011-12-21 04:30 626688 ----a-w- c:\program files\Mozilla Firefox\msvcr80.dll
2011-12-31 13:22 . 2011-12-21 04:30 548864 ----a-w- c:\program files\Mozilla Firefox\msvcp80.dll
2011-12-31 13:22 . 2011-12-21 04:30 479232 ----a-w- c:\program files\Mozilla Firefox\msvcm80.dll
2011-12-31 13:22 . 2011-12-21 07:24 97240 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll
2011-12-31 13:22 . 2011-12-21 07:24 486360 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll
2011-12-31 13:22 . 2011-12-21 04:30 2106216 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_43.dll
2011-12-31 13:22 . 2011-12-21 04:30 1998168 ----a-w- c:\program files\Mozilla Firefox\d3dx9_43.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-06 04:19 . 2011-10-30 12:55 6557240 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-12-31 13:59 . 2011-11-07 01:02 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-12-22 22:16 . 2011-12-22 22:16 12952 ----a-w- c:\windows\system32\drivers\PSVolAcc.sys
2011-12-22 22:16 . 2011-12-22 22:16 16024 ----a-w- c:\windows\system32\drivers\pssnap.sys
2011-12-22 22:16 . 2011-12-22 22:16 47256 ----a-w- c:\windows\system32\drivers\psmounter.sys
2011-12-20 18:05 . 2010-12-09 08:02 103944 ----a-w- c:\windows\system32\drivers\idmtdi.sys
2011-12-19 18:59 . 2010-09-11 06:40 97760 ----a-w- c:\windows\system32\drivers\inspect.sys
2011-12-19 18:59 . 2010-09-11 06:40 31704 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2011-12-19 18:59 . 2010-09-11 06:40 494816 ----a-w- c:\windows\system32\drivers\cmdGuard.sys
2011-12-19 18:59 . 2010-09-11 06:40 18056 ----a-w- c:\windows\system32\drivers\cmderd.sys
2011-12-19 18:58 . 2011-10-26 13:15 33984 ----a-w- c:\windows\system32\cmdcsr.dll
2011-12-19 18:58 . 2010-09-11 06:41 301224 ----a-w- c:\windows\system32\guard32.dll
2011-12-10 22:24 . 2010-12-19 02:05 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-30 13:11 . 2011-05-30 11:43 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-25 21:57 . 2004-08-10 17:51 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-11-23 13:25 . 2004-08-10 17:51 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-18 12:35 . 2004-08-10 17:51 60416 ----a-w- c:\windows\system32\packager.exe
2011-11-16 14:21 . 2004-08-10 17:51 354816 ----a-w- c:\windows\system32\winhttp.dll
2011-11-16 14:21 . 2004-08-10 17:51 152064 ----a-w- c:\windows\system32\schannel.dll
2011-11-04 19:20 . 2004-08-10 17:51 916992 ----a-w- c:\windows\system32\wininet.dll
2011-11-04 19:20 . 2004-08-10 17:51 43520 ------w- c:\windows\system32\licmgr10.dll
2011-11-04 19:20 . 2004-08-10 17:51 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-11-04 11:23 . 2004-08-10 17:51 385024 ------w- c:\windows\system32\html.iec
2011-11-03 15:28 . 2004-08-10 17:51 386048 ----a-w- c:\windows\system32\qdvd.dll
2011-11-03 15:28 . 2004-08-10 17:51 1292288 ----a-w- c:\windows\system32\quartz.dll
2011-11-01 16:07 . 2004-08-10 17:51 1288704 ----a-w- c:\windows\system32\ole32.dll
2011-10-28 05:31 . 2004-08-10 17:50 33280 ----a-w- c:\windows\system32\csrsrv.dll
2011-10-25 13:33 . 2004-08-10 17:51 2192768 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-10-25 12:52 . 2004-08-04 03:59 2069376 ----a-w- c:\windows\system32\ntkrnlpa.exe
2007-06-07 21:03 . 2011-04-19 15:09 28672 ----a-w- c:\program files\SysRestorePoint.exe
2011-12-21 07:24 . 2011-12-31 13:22 121816 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\IDM Shell Extension]
@="{CDC95B92-E27C-4745-A8C5-64A52A78855D}"
[HKEY_CLASSES_ROOT\CLSID\{CDC95B92-E27C-4745-A8C5-64A52A78855D}]
2011-12-19 18:46 21864 ----a-w- c:\program files\Internet Download Manager\IDMShellExt.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartWatch"="c:\program files\SoftWx\StartWatch\StartWatch.exe" [2008-01-14 315392]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-12-16 4616064]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2011-12-21 6676808]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-12-25 460872]
"TaskPlus"="c:\documents and settings\Sandra\TaskPlus\taskplus0.exe" [2010-10-21 5406064]
.
c:\documents and settings\Sandra\Start Menu\Programs\Startup\
Printkey.exe [1998-11-27 589824]
WallMaster.lnk - c:\program files\WallMaster\wallmast.exe [2010-12-19 288256]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Task Plus.lnk - c:\documents and settings\Sandra\TaskPlus\taskplus0.exe [2006-9-27 5406064]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMMyDocs"= 01000000
"NoSMMyPictures"= 01000000
"NoWinKeys"= 01000000
"NoNetworkConnections"= 01000000
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-08-04 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ------w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\guard32.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acronis Scheduler2 Service]
2011-06-22 17:17 395392 ----a-w- c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2011-06-06 19:55 937920 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 12:42 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLA]
2005-09-08 10:20 122940 ----a-w- c:\windows\system32\DLA\DLACTRLW.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
2005-10-05 08:12 94208 ----a-w- c:\program files\Dell\Media Experience\DMXLauncher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Freecorder FLV Service]
2010-06-26 18:09 167936 ----a-w- c:\program files\Freecorder\FLVSrvc.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2005-06-10 15:44 249856 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2005-06-10 15:44 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-30 00:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrueImageMonitor.exe]
2011-06-22 17:15 2637824 ----a-w- c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
.
R0 pssnap;Paramount Software Snapshot Filter;c:\windows\system32\drivers\pssnap.sys [12/22/2011 3:16 PM 16024]
R0 vididr;Acronis Virtual Disk;c:\windows\system32\drivers\vididr.sys [9/25/2011 1:26 PM 125472]
R0 vidsflt53;Acronis Disk Storage Filter (53);c:\windows\system32\drivers\vsflt53.sys [9/25/2011 1:26 PM 83392]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [9/10/2010 11:40 PM 494816]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [9/10/2010 11:40 PM 31704]
R1 IDMTDI;IDMTDI;c:\windows\system32\drivers\idmtdi.sys [12/9/2010 1:02 AM 103944]
R1 MpKsl53de4a1d;MpKsl53de4a1d;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{FD2D3AA4-2888-4A31-B11E-4DC9A6975A8D}\MpKsl53de4a1d.sys [1/22/2012 3:27 PM 29904]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2/17/2010 11:25 AM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 11:41 AM 67664]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [6/29/2010 10:48 AM 116608]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [12/18/2010 7:05 PM 652872]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [12/18/2010 7:05 PM 20464]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S3 ReflectService.exe;Macrium Reflect Image Mounting Service;c:\program files\Macrium\Reflect\ReflectService.exe [12/22/2011 3:16 PM 224920]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - 38965294
*NewlyCreated* - MPKSL53DE4A1D
*Deregistered* - 38965294
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-22 c:\windows\Tasks\SUPERAntiSpyware Scheduled Task 331828d3-5dcd-44f4-a8de-5b6b4f1151a5.job
- c:\program files\SUPERAntiSpyware\SASTask.exe [2011-08-04 13:04]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.dell.com
IE: Download All Links with IDM - c:\program files\Internet Download Manager\IEGetAll.htm
IE: Download with IDM - c:\program files\Internet Download Manager\IEExt.htm
TCP: DhcpNameServer = 74.50.130.108 74.50.130.109
FF - ProfilePath - c:\documents and settings\Sandra\Application Data\Mozilla\Firefox\Profiles\9kxjav6t.default\
FF - prefs.js: browser.startup.homepage - about:blank
.
- - - - ORPHANS REMOVED - - - -
.
MSConfigStartUp-avast5 - c:\program files\Alwil Software\Avast5\avastUI.exe
MSConfigStartUp-MSKDetectorExe - c:\program files\McAfee\SpamKiller\MSKDetct.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-01-22 16:26
Windows 5.1.2600 Service Pack 3 NTFS
.
detected NTDLL code modification:
ZwClose
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):5c,c5,8c,2a,2a,eb,6a,96,47,61,0f,ac,62,97,bf,24,5b,7e,89,fc,9e,
67,cc,a3,d6,6d,0d,19,62,1b,33,c1,59,ba,15,3f,0a,7a,74,df,00,00,00,00,00,00,\
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{df869d8c-b58c-4fce-a3ff-4c3b868bf4f6}]
@Denied: (Full) (Everyone)
"Model"=dword:00000043
"Therad"=dword:00000014
"MData"=hex(0):6c,ad,00,7b,63,e8,0f,1b,e4,03,00,3d,ae,41,d7,9f,fd,5d,1e,41,88,
ed,a6,87,46,8f,3c,f2,5c,68,ee,21,46,8f,3c,f2,5c,68,ee,21,46,8f,3c,f2,5c,68,\
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Environment*]
"v5Licence0"="15-RPAV-VYHR-9DQ6-1E3A-AVCJ-CFAY7F5"
"Activated"="Y"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(808)
c:\windows\system32\guard32.dll
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\documents and settings\Sandra\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
c:\documents and settings\Sandra\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
c:\documents and settings\Sandra\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
c:\documents and settings\Sandra\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10007.dll
.
- - - - - - - > 'lsass.exe'(864)
c:\windows\system32\guard32.dll
.
- - - - - - - > 'explorer.exe'(2348)
c:\windows\system32\WININET.dll
c:\windows\system32\guard32.dll
c:\program files\Internet Download Manager\IDMShellExt.dll
c:\program files\Internet Download Manager\IDMNetMon.DLL
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
- - - - - - - > 'csrss.exe'(780)
c:\windows\system32\cmdcsr.dll
.
Completion time: 2012-01-22 16:29:29
ComboFix-quarantined-files.txt 2012-01-22 23:29
.
Pre-Run: 96,184,012,800 bytes free
Post-Run: 96,179,134,464 bytes free
.
- - End Of File - - FC7AA1B4B33A91EB89BFA690F795CC75
This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on 01/22/2012 at 16:31:16.
Operating System: Microsoft Windows XP


Processes terminated by Rkill or while it was running:



Rkill completed on 01/22/2012 at 16:31:28.

#15 Broni Re: [RESOLVED] Rootkit.TDS?

Posted 22 January 2012 - 11:36 PM

Quote

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
Re-run Combofix from normal mode and allow recovery console installation.

Post new Combofix log.

How is computer doing?

#16 jdhoward Re: [RESOLVED] Rootkit.TDS?

Posted 22 January 2012 - 11:59 PM

Once again the Recovery Console did not download. The message stated "failed to download required files, aborting...".
I have an XP CD so I can use that if necessary.
During the scan, at about stage 7, the grey MS info box popped up and said: "PEV has encountered a problem and closed."
The scan seemed to run normally.
Since this is not my computer I don't know if it is quicker or not; it seems OK to me.
Thanks for spending your Sunday with me,

ComboFix 12-01-21.02 - Sandra 01/22/2012 16:43:58.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1435 [GMT -7:00]
Running from: c:\documents and settings\Sandra\Desktop\Root\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
FW: COMODO Firewall *Enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
.
((((((((((((((((((((((((( Files Created from 2011-12-22 to 2012-01-22 )))))))))))))))))))))))))))))))
.
.
2012-01-22 23:34 . 2012-01-06 04:19 6557240 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{CAFCDCCE-3F2E-4D84-87EC-D8316690CB80}\mpengine.dll
2012-01-22 16:08 . 2012-01-22 16:08 -------- d--h--w- c:\windows\PIF
2012-01-15 17:29 . 2012-01-15 17:29 -------- d-----w- c:\program files\ESET
2012-01-06 18:07 . 2012-01-06 18:07 -------- d-----w- c:\program files\Karen's Power Tools
2012-01-06 18:07 . 2012-01-06 18:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Karen's Power Tools
2012-01-06 16:40 . 2012-01-06 16:40 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2012-01-06 01:41 . 2012-01-06 01:41 -------- d-----w- c:\documents and settings\Sandra\Application Data\ElevatedDiagnostics
2012-01-06 01:19 . 2012-01-06 01:23 -------- dc-h--w- c:\windows\ie8
2012-01-05 23:13 . 2012-01-05 23:13 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2012-01-05 22:34 . 2011-08-16 10:45 6144 ------w- c:\windows\system32\dllcache\iecompat.dll
2012-01-05 22:33 . 2011-11-04 19:20 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2012-01-05 22:33 . 2011-11-04 19:20 247808 ------w- c:\windows\system32\dllcache\ieproxy.dll
2012-01-05 22:33 . 2011-11-04 19:20 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll
2011-12-31 18:18 . 2011-12-31 18:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Macrium
2011-12-31 18:17 . 2011-12-31 18:17 -------- d-----w- c:\program files\Macrium
2011-12-31 16:15 . 2011-12-31 16:15 161 ----a-w- C:\Delme.bat
2011-12-31 14:01 . 2011-12-31 14:02 -------- d-----w- c:\documents and settings\Sandra\Local Settings\Application Data\Solid State Networks
2011-12-31 13:59 . 2011-12-31 13:59 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-12-31 13:22 . 2011-12-21 07:24 121816 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
2011-12-31 13:22 . 2011-12-21 07:24 814040 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll
2011-12-31 13:22 . 2011-12-21 07:24 43992 ----a-w- c:\program files\Mozilla Firefox\mozutils.dll
2011-12-31 13:22 . 2011-12-21 07:24 2124760 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll
2011-12-31 13:22 . 2011-12-21 07:24 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll
2011-12-31 13:22 . 2011-12-21 04:30 626688 ----a-w- c:\program files\Mozilla Firefox\msvcr80.dll
2011-12-31 13:22 . 2011-12-21 04:30 548864 ----a-w- c:\program files\Mozilla Firefox\msvcp80.dll
2011-12-31 13:22 . 2011-12-21 04:30 479232 ----a-w- c:\program files\Mozilla Firefox\msvcm80.dll
2011-12-31 13:22 . 2011-12-21 07:24 97240 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll
2011-12-31 13:22 . 2011-12-21 07:24 486360 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll
2011-12-31 13:22 . 2011-12-21 04:30 2106216 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_43.dll
2011-12-31 13:22 . 2011-12-21 04:30 1998168 ----a-w- c:\program files\Mozilla Firefox\d3dx9_43.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-06 04:19 . 2011-10-30 12:55 6557240 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-12-31 13:59 . 2011-11-07 01:02 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-12-22 22:16 . 2011-12-22 22:16 12952 ----a-w- c:\windows\system32\drivers\PSVolAcc.sys
2011-12-22 22:16 . 2011-12-22 22:16 16024 ----a-w- c:\windows\system32\drivers\pssnap.sys
2011-12-22 22:16 . 2011-12-22 22:16 47256 ----a-w- c:\windows\system32\drivers\psmounter.sys
2011-12-20 18:05 . 2010-12-09 08:02 103944 ----a-w- c:\windows\system32\drivers\idmtdi.sys
2011-12-19 18:59 . 2010-09-11 06:40 97760 ----a-w- c:\windows\system32\drivers\inspect.sys
2011-12-19 18:59 . 2010-09-11 06:40 31704 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2011-12-19 18:59 . 2010-09-11 06:40 494816 ----a-w- c:\windows\system32\drivers\cmdGuard.sys
2011-12-19 18:59 . 2010-09-11 06:40 18056 ----a-w- c:\windows\system32\drivers\cmderd.sys
2011-12-19 18:58 . 2011-10-26 13:15 33984 ----a-w- c:\windows\system32\cmdcsr.dll
2011-12-19 18:58 . 2010-09-11 06:41 301224 ----a-w- c:\windows\system32\guard32.dll
2011-12-10 22:24 . 2010-12-19 02:05 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-30 13:11 . 2011-05-30 11:43 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-25 21:57 . 2004-08-10 17:51 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-11-23 13:25 . 2004-08-10 17:51 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-18 12:35 . 2004-08-10 17:51 60416 ----a-w- c:\windows\system32\packager.exe
2011-11-16 14:21 . 2004-08-10 17:51 354816 ----a-w- c:\windows\system32\winhttp.dll
2011-11-16 14:21 . 2004-08-10 17:51 152064 ----a-w- c:\windows\system32\schannel.dll
2011-11-04 19:20 . 2004-08-10 17:51 916992 ----a-w- c:\windows\system32\wininet.dll
2011-11-04 19:20 . 2004-08-10 17:51 43520 ------w- c:\windows\system32\licmgr10.dll
2011-11-04 19:20 . 2004-08-10 17:51 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-11-04 11:23 . 2004-08-10 17:51 385024 ------w- c:\windows\system32\html.iec
2011-11-03 15:28 . 2004-08-10 17:51 386048 ----a-w- c:\windows\system32\qdvd.dll
2011-11-03 15:28 . 2004-08-10 17:51 1292288 ----a-w- c:\windows\system32\quartz.dll
2011-11-01 16:07 . 2004-08-10 17:51 1288704 ----a-w- c:\windows\system32\ole32.dll
2011-10-28 05:31 . 2004-08-10 17:50 33280 ----a-w- c:\windows\system32\csrsrv.dll
2011-10-25 13:33 . 2004-08-10 17:51 2192768 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-10-25 12:52 . 2004-08-04 03:59 2069376 ----a-w- c:\windows\system32\ntkrnlpa.exe
2007-06-07 21:03 . 2011-04-19 15:09 28672 ----a-w- c:\program files\SysRestorePoint.exe
2011-12-21 07:24 . 2011-12-31 13:22 121816 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\IDM Shell Extension]
@="{CDC95B92-E27C-4745-A8C5-64A52A78855D}"
[HKEY_CLASSES_ROOT\CLSID\{CDC95B92-E27C-4745-A8C5-64A52A78855D}]
2011-12-19 18:46 21864 ----a-w- c:\program files\Internet Download Manager\IDMShellExt.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartWatch"="c:\program files\SoftWx\StartWatch\StartWatch.exe" [2008-01-14 315392]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-12-16 4616064]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2011-12-21 6676808]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-12-25 460872]
"TaskPlus"="c:\documents and settings\Sandra\TaskPlus\taskplus0.exe" [2010-10-21 5406064]
.
c:\documents and settings\Sandra\Start Menu\Programs\Startup\
Printkey.exe [1998-11-27 589824]
WallMaster.lnk - c:\program files\WallMaster\wallmast.exe [2010-12-19 288256]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Task Plus.lnk - c:\documents and settings\Sandra\TaskPlus\taskplus0.exe [2006-9-27 5406064]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMMyDocs"= 01000000
"NoSMMyPictures"= 01000000
"NoWinKeys"= 01000000
"NoNetworkConnections"= 01000000
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-08-04 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ------w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\guard32.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acronis Scheduler2 Service]
2011-06-22 17:17 395392 ----a-w- c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2011-06-06 19:55 937920 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 12:42 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLA]
2005-09-08 10:20 122940 ----a-w- c:\windows\system32\DLA\DLACTRLW.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
2005-10-05 08:12 94208 ----a-w- c:\program files\Dell\Media Experience\DMXLauncher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Freecorder FLV Service]
2010-06-26 18:09 167936 ----a-w- c:\program files\Freecorder\FLVSrvc.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2005-06-10 15:44 249856 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2005-06-10 15:44 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-30 00:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrueImageMonitor.exe]
2011-06-22 17:15 2637824 ----a-w- c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
.
R0 pssnap;Paramount Software Snapshot Filter;c:\windows\system32\drivers\pssnap.sys [12/22/2011 3:16 PM 16024]
R0 vididr;Acronis Virtual Disk;c:\windows\system32\drivers\vididr.sys [9/25/2011 1:26 PM 125472]
R0 vidsflt53;Acronis Disk Storage Filter (53);c:\windows\system32\drivers\vsflt53.sys [9/25/2011 1:26 PM 83392]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [9/10/2010 11:40 PM 494816]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [9/10/2010 11:40 PM 31704]
R1 IDMTDI;IDMTDI;c:\windows\system32\drivers\idmtdi.sys [12/9/2010 1:02 AM 103944]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2/17/2010 11:25 AM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 11:41 AM 67664]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [6/29/2010 10:48 AM 116608]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [12/18/2010 7:05 PM 652872]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [12/18/2010 7:05 PM 20464]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S3 ReflectService.exe;Macrium Reflect Image Mounting Service;c:\program files\Macrium\Reflect\ReflectService.exe [12/22/2011 3:16 PM 224920]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - 38965294
*NewlyCreated* - MPKSL53DE4A1D
*Deregistered* - 38965294
*Deregistered* - MpKsl53de4a1d
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-22 c:\windows\Tasks\SUPERAntiSpyware Scheduled Task 331828d3-5dcd-44f4-a8de-5b6b4f1151a5.job
- c:\program files\SUPERAntiSpyware\SASTask.exe [2011-08-04 13:04]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.dell.com
IE: Download All Links with IDM - c:\program files\Internet Download Manager\IEGetAll.htm
IE: Download with IDM - c:\program files\Internet Download Manager\IEExt.htm
TCP: DhcpNameServer = 74.50.130.108 74.50.130.109
FF - ProfilePath - c:\documents and settings\Sandra\Application Data\Mozilla\Firefox\Profiles\9kxjav6t.default\
FF - prefs.js: browser.startup.homepage - about:blank
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-01-22 16:50
Windows 5.1.2600 Service Pack 3 NTFS
.
detected NTDLL code modification:
ZwClose
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):5c,c5,8c,2a,2a,eb,6a,96,47,61,0f,ac,62,97,bf,24,5b,7e,89,fc,9e,
67,cc,a3,d6,6d,0d,19,62,1b,33,c1,59,ba,15,3f,0a,7a,74,df,00,00,00,00,00,00,\
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{df869d8c-b58c-4fce-a3ff-4c3b868bf4f6}]
@Denied: (Full) (Everyone)
"Model"=dword:00000043
"Therad"=dword:00000014
"MData"=hex(0):6c,ad,00,7b,63,e8,0f,1b,e4,03,00,3d,ae,41,d7,9f,fd,5d,1e,41,88,
ed,a6,87,46,8f,3c,f2,5c,68,ee,21,46,8f,3c,f2,5c,68,ee,21,46,8f,3c,f2,5c,68,\
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Environment*]
"v5Licence0"="15-RPAV-VYHR-9DQ6-1E3A-AVCJ-CFAY7F5"
"Activated"="Y"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(808)
c:\windows\system32\guard32.dll
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\documents and settings\Sandra\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
c:\documents and settings\Sandra\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
c:\documents and settings\Sandra\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
c:\documents and settings\Sandra\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10007.dll
.
- - - - - - - > 'lsass.exe'(864)
c:\windows\system32\guard32.dll
.
- - - - - - - > 'explorer.exe'(3024)
c:\windows\system32\WININET.dll
c:\windows\system32\guard32.dll
c:\program files\Internet Download Manager\IDMShellExt.dll
c:\program files\Internet Download Manager\IDMNetMon.DLL
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
- - - - - - - > 'csrss.exe'(780)
c:\windows\system32\cmdcsr.dll
.
Completion time: 2012-01-22 16:53:36
ComboFix-quarantined-files.txt 2012-01-22 23:53
ComboFix2.txt 2012-01-22 23:29
.
Pre-Run: 96,183,226,368 bytes free
Post-Run: 96,164,327,424 bytes free
.
- - End Of File - - F9C562E43A65F8EBFAD8136E97F8AA5B
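
Reading the two ComboFix runs in this section (the earlier one at the top and the re-run in this post), the items a reviewer triages first are the AppInit_DLLs value, the per-process module list and the two locked CLSID keys. The AppInit_DLLs entry is guard32.dll, COMODO Internet Security's user-mode hook DLL; that is why it appears in winlogon.exe, lsass.exe and explorer.exe, and the Find3M block dates guard32.dll and cmdcsr.dll to the same minute as the cmdGuard/cmdhlp drivers. A hook DLL loaded into every process is also the kind of thing that produces catchme's "NTDLL code modification: ZwClose" line, although the log alone does not prove which module placed the hook. None of this is proof: each module gets confirmed by checking its signature and hash, not assumed from its file name. The Python helper below is an added example, not from the thread and not a ComboFix component. It parses those three sections from a constructed excerpt in the log's own format and builds a worklist in the order a reviewer would check it. The "vouched" vendor path and the planted Temp\svchost.dll line are assumptions of the example and are labelled as such in the code.

```python
"""Triage helper for ComboFix-style logs (added example; not part of the thread,
not a ComboFix component). Extracts AppInit_DLLs, the per-process module list and
the locked registry keys, then builds a worklist of modules to verify by hash."""
import re
from collections import defaultdict

# Constructed excerpt in the shape of the thread's log. Every path is one that
# appears in the thread EXCEPT the final Temp\svchost.dll line, which is planted
# here (not in the real log) so the scratch-directory check has something to flag.
SAMPLE_LOG = r"""[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\guard32.dll
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]
@Denied: (Full) (Everyone)
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Environment*]
"Activated"="Y"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(808)
c:\windows\system32\guard32.dll
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
- - - - - - - > 'csrss.exe'(780)
c:\windows\system32\cmdcsr.dll
c:\documents and settings\Sandra\Local Settings\Temp\svchost.dll
.
Completion time: 2012-01-22 16:53:36
"""

LOCKED_HDR = "--------------------- LOCKED REGISTRY KEYS"
DLLS_HDR = "--------------------- DLLs Loaded Under Running Processes"
PROC_HDR = re.compile(r"^- - - - - - - > '([^']+)'\((\d+)\)")
APPINIT = re.compile(r'^"AppInit_DLLs"=(.*)$', re.IGNORECASE)
WIN_PATH = re.compile(r"^[a-z]:\\", re.IGNORECASE)
PRIVILEGED = {"winlogon.exe", "lsass.exe", "csrss.exe", "services.exe", "smss.exe"}
OS_ROOT = "c:\\windows\\"
# Vendor paths already verified by signature/hash (assumption of this example; the
# thread says SUPERAntiSpyware is installed, it does not verify these files).
VOUCHED = ("c:\\program files\\superantispyware\\",)
# User-writable scratch locations: a module loading from one always needs explaining.
SCRATCH = ("\\local settings\\temp\\", "\\temp\\", "\\recycler\\")


def parse(log_text):
    """Return (appinit_dlls, locked_keys, {process: [module paths]}); paths lowercased."""
    appinit, locked, loaded = [], [], defaultdict(list)
    section = current = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line == ".":                 # ComboFix separates blocks with '.'
            continue
        if line.startswith(LOCKED_HDR) or line.startswith(DLLS_HDR):
            section, current = ("locked" if "LOCKED" in line else "dlls"), None
            continue
        m = APPINIT.match(line)
        if m:  # single path in the thread; not split, since "program files" has spaces
            appinit.append(m.group(1).strip().lower())
            continue
        if section == "locked":
            if line.startswith("[") and line.endswith("]"):
                current = line[1:-1]
            elif line.startswith("@Denied") and current:
                locked.append(current)
        elif section == "dlls":
            m = PROC_HDR.match(line)
            if m:
                current = f"{m.group(1).lower()}({m.group(2)})"
            elif current and WIN_PATH.match(line):
                loaded[current].append(line.lower())
    return appinit, locked, dict(loaded)


def worklist(appinit, loaded):
    """(process, module, reason) tuples the reviewer must verify, in log order."""
    hits = []
    for proc, dlls in loaded.items():
        name = proc.split("(")[0]
        for dll in dlls:
            if dll.startswith(VOUCHED):
                continue
            if any(marker in dll for marker in SCRATCH):
                hits.append((proc, dll, "loaded from a user-writable scratch directory"))
            elif dll in appinit:
                hits.append((proc, dll, "injected via AppInit_DLLs"))
            elif name in PRIVILEGED and not dll.startswith(OS_ROOT):
                hits.append((proc, dll, "non-OS module in a privileged process"))
    return hits


def triage(log_text):
    appinit, locked, loaded = parse(log_text)
    return {"appinit_dlls": appinit, "locked_keys": locked,
            "loaded": loaded, "worklist": worklist(appinit, loaded)}


if __name__ == "__main__":
    for proc, dll, why in triage(SAMPLE_LOG)["worklist"]:
        print(f"CHECK {proc}: {dll}  [{why}]")
```

Note the limitation the sample exposes: cmdcsr.dll in csrss.exe is not flagged because it sits under c:\windows, yet it is a third-party (COMODO) file, so "under the OS directory" is a sorting aid, not a clean bill; the hashes of everything in the worklist, and of anything else that looks odd, are what settle the question.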

#17 Broni Re: [RESOLVED] Rootkit.TDS?

Posted 23 January 2012 - 12:21 AM

Very well :)

Download OTL to your Desktop.

  • Double click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.
  • Click the Scan All Users checkbox.
  • Under the Custom Scan box paste this in:


netsvcs
drivers32
%SYSTEMDRIVE%\*.*
%systemroot%\Fonts\*.com
%systemroot%\Fonts\*.dll
%systemroot%\Fonts\*.ini
%systemroot%\Fonts\*.ini2
%systemroot%\Fonts\*.exe
%systemroot%\system32\spool\prtprocs\w32x86\*.*
%systemroot%\REPAIR\*.bak1
%systemroot%\REPAIR\*.ini
%systemroot%\system32\*.jpg
%systemroot%\*.jpg
%systemroot%\*.png
%systemroot%\*.scr
%systemroot%\*._sy
%APPDATA%\Adobe\Update\*.*
%ALLUSERSPROFILE%\Favorites\*.*
%APPDATA%\Microsoft\*.*
%PROGRAMFILES%\*.*
%APPDATA%\Update\*.*
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\System32\config\*.sav
%PROGRAMFILES%\bak. /s
%systemroot%\system32\bak. /s
%ALLUSERSPROFILE%\Start Menu\*.lnk /x
%systemroot%\system32\config\systemprofile\*.dat /x
%systemroot%\*.config
%systemroot%\system32\*.db
%APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
%USERPROFILE%\Desktop\*.exe
%PROGRAMFILES%\Common Files\*.*
%systemroot%\*.src
%systemroot%\install\*.*
%systemroot%\system32\DLL\*.*
%systemroot%\system32\HelpFiles\*.*
%systemroot%\system32\rundll\*.*
%systemroot%\winn32\*.*
%systemroot%\Java\*.*
%systemroot%\system32\test\*.*
%systemroot%\system32\Rundll32\*.*
%systemroot%\AppPatch\Custom\*.*
%APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x
%PROGRAMFILES%\PC-Doctor\Downloads\*.*
%PROGRAMFILES%\Internet Explorer\*.tmp
%PROGRAMFILES%\Internet Explorer\*.dat
%USERPROFILE%\My Documents\*.exe
%USERPROFILE%\*.exe
%systemroot%\ADDINS\*.*
%systemroot%\assembly\*.bak2
%systemroot%\Config\*.*
%systemroot%\REPAIR\*.bak2
%systemroot%\SECURITY\Database\*.sdb /x
%systemroot%\SYSTEM\*.bak2
%systemroot%\Web\*.bak2
%systemroot%\Driver Cache\*.*
%PROGRAMFILES%\Mozilla Firefox\0*.exe
%ProgramFiles%\Microsoft Common\*.*
%ProgramFiles%\TinyProxy.
%USERPROFILE%\Favorites\*.url /x
%systemroot%\system32\*.bk
%systemroot%\*.te
%systemroot%\system32\system32\*.*
%ALLUSERSPROFILE%\*.dat /x
%systemroot%\system32\drivers\*.rmv
dir /b "%systemroot%\system32\*.exe" | find /i " " /c
dir /b "%systemroot%\*.exe" | find /i " " /c
%PROGRAMFILES%\Microsoft\*.*
%systemroot%\System32\Wbem\proquota.exe
%PROGRAMFILES%\Mozilla Firefox\*.dat
%USERPROFILE%\Cookies\*.txt /x
%SystemRoot%\system32\fonts\*.*
%systemroot%\system32\winlog\*.*
%systemroot%\system32\Language\*.*
%systemroot%\system32\Settings\*.*
%systemroot%\system32\*.quo
%SYSTEMROOT%\AppPatch\*.exe
%SYSTEMROOT%\inf\*.exe
%SYSTEMROOT%\Installer\*.exe
%systemroot%\system32\config\*.bak2
%systemroot%\system32\Computers\*.*
%SystemRoot%\system32\Sound\*.*
%SystemRoot%\system32\SpecialImg\*.*
%SystemRoot%\system32\code\*.*
%SystemRoot%\system32\draft\*.*
%SystemRoot%\system32\MSSSys\*.*
%ProgramFiles%\Javascript\*.*
%systemroot%\pchealth\helpctr\System\*.exe /s
%systemroot%\Web\*.exe
%systemroot%\system32\msn\*.*
%systemroot%\system32\*.tro
%AppData%\Microsoft\Installer\msupdates\*.*
%ProgramFiles%\Messenger\*.*
%systemroot%\system32\systhem32\*.*
%systemroot%\system\*.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
/md5start
/md5stop


  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
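
The custom-scan list in the post above is a sweep of locations that normally contain no executables at all (a nested system32\system32 folder, .exe files in Fonts, .scr files in the Windows root, a Rundll32 folder), so anything found there needs explaining. As an added example, not OTL itself and not from the thread, here is a small Python sweep driven by the same list syntax: it expands %VAR% references, honours the /s recurse-into-subfolders switch, skips the registry-key and dir|find lines, and records size, mtime and SHA-256 for every hit so the result can be compared against a known-good hash set. Assumptions of the example: OTL's other switches are ignored rather than reimplemented, and the directory tree it scans is constructed in a temp folder with SystemRoot and ProgramFiles mapped there.

```python
"""Drop-location sweep driven by an OTL-style custom-scan list (added example;
this is not OTL and not from the thread). Only the '/s' recurse switch is
implemented; other switches are recorded and ignored, and non-path lines
(registry keys, dir|find pipelines, /md5 markers) are skipped. Assumption:
the remaining OTL switches are not reimplemented here."""
import hashlib
import re
import tempfile
from datetime import datetime
from pathlib import Path

# Lines taken from the list above, plus one registry line to show it is skipped.
SCAN_LIST = r"""
%systemroot%\Fonts\*.exe
%systemroot%\system32\system32\*.*
%systemroot%\system32\Rundll32\*.*
%systemroot%\*.scr
%systemroot%\pchealth\helpctr\System\*.exe /s
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
"""
ENV_REF = re.compile(r"%(\w+)%")


def parse_line(line):
    """'pattern [/sw ...]' -> (pattern, {switches}); None for non-path lines."""
    line = line.strip()
    if not line.startswith("%"):
        return None
    pattern, *switches = re.split(r"\s+(?=/)", line)   # keeps spaces inside the path
    return pattern, {s.lower() for s in switches}


def expand(pattern, env):
    """Substitute %VAR% (case-insensitive) and use forward slashes so pathlib is happy."""
    upper = {k.upper(): str(v) for k, v in env.items()}
    expanded = ENV_REF.sub(lambda m: upper.get(m.group(1).upper(), m.group(0)), pattern)
    return expanded.replace("\\", "/")


def sweep(scan_list, env):
    """One dict per matching file (size, mtime, sha256), in scan-list order."""
    hits = []
    for raw in scan_list.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        pattern, switches = parsed
        full = Path(expand(pattern, env))
        folder, mask = full.parent, full.name
        if mask == "*.*":          # Win32 '*.*' also matches names without a dot
            mask = "*"
        if not folder.is_dir():    # e.g. system32\Rundll32 should not exist at all
            continue
        found = folder.rglob(mask) if "/s" in switches else folder.glob(mask)
        for path in sorted(p for p in found if p.is_file()):
            st = path.stat()
            hits.append({"pattern": pattern, "path": str(path), "size": st.st_size,
                         "mtime": datetime.fromtimestamp(st.st_mtime).isoformat(timespec="seconds"),
                         "sha256": hashlib.sha256(path.read_bytes()).hexdigest()})
    return hits


def build_demo_tree():
    """Constructed stand-in for a Windows install in a temp dir (not real data)."""
    root = Path(tempfile.mkdtemp(prefix="otl-demo-"))
    win = root / "Windows"
    planted = {
        win / "Fonts" / "arial.ttf": b"font-data",            # legitimate, never matched
        win / "Fonts" / "update.exe": b"MZ-planted",          # exe in Fonts: needs explaining
        win / "system32" / "system32" / "svchost.exe": b"MZ-planted",  # decoy folder
        win / "logon.scr": b"MZ-scr",                         # .scr in the Windows root
        win / "pchealth" / "helpctr" / "System" / "sub" / "helper.exe": b"MZ-sub",  # /s only
    }
    for path, data in planted.items():
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)
    return root, {"SystemRoot": win, "ProgramFiles": root / "Program Files"}


if __name__ == "__main__":
    _, env = build_demo_tree()
    for hit in sweep(SCAN_LIST, env):
        print(f"{hit['mtime']}  {hit['size']:>6}  {hit['sha256'][:16]}  {hit['path']}")
```

The point of hashing every hit rather than just listing names is that the names in these locations are chosen to look right (svchost.exe, update.exe); only the hash, compared against the vendor's or a clean machine's copy, tells the two apart.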


#18 jdhoward Re: [RESOLVED] Rootkit.TDS?

Posted 23 January 2012 - 01:12 AM

OTL logfile created on: 1/22/2012 5:48:40 PM - Run 1
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Documents and Settings\Sandra\Desktop\Downloads
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.38 Gb Available Physical Memory | 69.06% Memory free
3.85 Gb Paging File | 3.10 Gb Available in Paging File | 80.41% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 108.59 Gb Total Space | 89.53 Gb Free Space | 82.45% Space Free | Partition Type: NTFS
Drive D: | 36.48 Gb Total Space | 21.71 Gb Free Space | 59.51% Space Free | Partition Type: NTFS
Drive E: | 252.58 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: SANDRA | User Name: Sandra | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/01/22 17:47:18 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Sandra\Desktop\Downloads\OTL.exe
PRC - [2012/01/16 06:09:10 | 003,462,552 | ---- | M] (Tonec Inc.) -- C:\Program Files\Internet Download Manager\IDMan.exe
PRC - [2011/12/24 17:50:18 | 000,652,872 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
PRC - [2011/12/24 17:50:18 | 000,460,872 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
PRC - [2011/12/21 00:24:51 | 000,924,632 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2011/12/20 17:41:43 | 006,676,808 | ---- | M] (COMODO) -- C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
PRC - [2011/12/19 11:58:58 | 001,960,584 | ---- | M] (COMODO) -- C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
PRC - [2011/12/15 18:32:51 | 004,616,064 | ---- | M] (SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
PRC - [2011/08/17 14:46:36 | 000,116,608 | ---- | M] (SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
PRC - [2011/06/15 14:16:48 | 000,997,920 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Security Client\msseces.exe
PRC - [2011/04/27 14:39:26 | 000,011,736 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
PRC - [2010/10/21 07:27:27 | 005,406,064 | ---- | M] (Contact Plus Corporation) -- C:\Documents and Settings\Sandra\TaskPlus\taskplus0.exe
PRC - [2010/05/25 05:28:58 | 000,263,600 | ---- | M] (Tonec Inc.) -- C:\Program Files\Internet Download Manager\IEMonitor.exe
PRC - [2010/03/04 22:38:00 | 000,071,096 | ---- | M] () -- C:\Program Files\CDBurnerXP\NMSAccessU.exe
PRC - [2008/04/14 05:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2001/11/22 22:00:00 | 000,288,256 | ---- | M] (Tropical Wares) -- C:\Program Files\WallMaster\wallmast.exe
PRC - [1998/11/27 18:41:00 | 000,589,824 | ---- | M] (Fred's Software Company) -- C:\Documents and Settings\Sandra\Start Menu\Programs\Startup\Printkey.exe


========== Modules (No Company Name) ==========

MOD - [2012/01/22 17:09:58 | 000,063,488 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
MOD - [2012/01/22 17:09:58 | 000,052,736 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10007.dll
MOD - [2012/01/22 17:08:05 | 000,052,736 | ---- | M] () -- C:\Documents and Settings\Sandra\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10007.dll
MOD - [2011/12/21 00:24:51 | 002,124,760 | ---- | M] () -- C:\Program Files\Mozilla Firefox\mozjs.dll
MOD - [2011/08/04 06:07:01 | 000,117,760 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
MOD - [2011/08/04 06:07:01 | 000,052,224 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
MOD - [2010/12/19 17:58:57 | 000,063,488 | ---- | M] () -- C:\Documents and Settings\Sandra\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
MOD - [2010/12/19 17:58:47 | 000,117,760 | ---- | M] () -- C:\Documents and Settings\Sandra\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
MOD - [2010/03/04 22:38:00 | 000,071,096 | ---- | M] () -- C:\Program Files\CDBurnerXP\NMSAccessU.exe
MOD - [2010/01/08 16:51:11 | 000,052,224 | ---- | M] () -- C:\Documents and Settings\Sandra\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- -- (HidServ)
SRV - File not found [Disabled | Stopped] -- -- (AppMgmt)
SRV - [2011/12/24 17:50:18 | 000,652,872 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
SRV - [2011/12/22 15:16:20 | 000,224,920 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\Macrium\Reflect\ReflectService.exe -- (ReflectService.exe)
SRV - [2011/12/19 11:58:58 | 001,960,584 | ---- | M] (COMODO) [Auto | Running] -- C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe -- (cmdAgent)
SRV - [2011/08/17 14:46:36 | 000,116,608 | ---- | M] (SUPERAntiSpyware.com) [Auto | Running] -- C:\Program Files\SUPERAntiSpyware\SASCORE.EXE -- (!SASCORE)
SRV - [2011/06/22 10:17:08 | 000,846,056 | ---- | M] (Acronis) [Disabled | Stopped] -- C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe -- (AcrSch2Svc)
SRV - [2011/04/27 14:39:26 | 000,011,736 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe -- (MsMpSvc)
SRV - [2010/03/04 22:38:00 | 000,071,096 | ---- | M] () [Auto | Running] -- C:\Program Files\CDBurnerXP\NMSAccessU.exe -- (NMSAccess)


========== Driver Services (SafeList) ==========

DRV - [2011/12/22 15:16:34 | 000,016,024 | ---- | M] (Macrium Software) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\pssnap.sys -- (pssnap)
DRV - [2011/12/20 11:05:38 | 000,103,944 | ---- | M] (Tonec Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\idmtdi.sys -- (IDMTDI)
DRV - [2011/12/19 11:59:22 | 000,097,760 | ---- | M] (COMODO) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\inspect.sys -- (Inspect)
DRV - [2011/12/19 11:59:21 | 000,031,704 | ---- | M] (COMODO) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\cmdhlp.sys -- (cmdHlp)
DRV - [2011/12/19 11:59:20 | 000,494,816 | ---- | M] (COMODO) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\cmdGuard.sys -- (cmdGuard)
DRV - [2011/12/10 15:24:06 | 000,020,464 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mbam.sys -- (MBAMProtector)
DRV - [2011/09/25 13:26:16 | 000,601,408 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\timntr.sys -- (timounter)
DRV - [2011/09/25 13:26:09 | 000,125,472 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\vididr.sys -- (vididr)
DRV - [2011/09/25 13:26:07 | 000,083,392 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\vsflt53.sys -- (vidsflt53) Acronis Disk Storage Filter (53)
DRV - [2011/09/25 13:25:51 | 000,169,088 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\snapman.sys -- (snapman)
DRV - [2011/08/04 06:03:32 | 000,067,664 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
DRV - [2011/08/04 06:03:32 | 000,012,880 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS -- (SASDIFSV)
DRV - [2009/11/12 13:48:56 | 000,005,504 | ---- | M] () [File_System | Auto | Running] -- C:\WINDOWS\System32\drivers\StarOpen.sys -- (StarOpen)
DRV - [2008/04/14 00:26:08 | 000,088,320 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\nwlnkipx.sys -- (NwlnkIpx)
DRV - [2005/09/08 03:20:00 | 000,094,332 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAUDFAM.SYS -- (DLAUDFAM)
DRV - [2005/09/08 03:20:00 | 000,087,036 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAUDF_M.SYS -- (DLAUDF_M)
DRV - [2005/09/08 03:20:00 | 000,086,524 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAIFS_M.SYS -- (DLAIFS_M)
DRV - [2005/09/08 03:20:00 | 000,025,628 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLABOIOM.SYS -- (DLABOIOM)
DRV - [2005/09/08 03:20:00 | 000,014,684 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAOPIOM.SYS -- (DLAOPIOM)
DRV - [2005/09/08 03:20:00 | 000,006,364 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAPoolM.SYS -- (DLAPoolM)
DRV - [2005/09/08 03:20:00 | 000,002,496 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLADResN.SYS -- (DLADResN)
DRV - [2005/08/25 10:16:52 | 000,005,628 | ---- | M] (Sonic Solutions) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\DLACDBHM.SYS -- (DLACDBHM)
DRV - [2005/08/25 10:16:16 | 000,022,684 | ---- | M] (Sonic Solutions) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\DLARTL_N.SYS -- (DLARTL_N)
DRV - [2004/09/17 12:02:54 | 000,732,928 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\senfilt.sys -- (senfilt)
DRV - [2004/08/04 03:00:00 | 000,063,232 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\nwlnknb.sys -- (NwlnkNb)
DRV - [2004/08/04 03:00:00 | 000,055,936 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\nwlnkspx.sys -- (NwlnkSpx)
DRV - [2003/11/17 19:59:20 | 000,212,224 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWBS2.sys -- (HSFHWBS2)
DRV - [2003/11/17 19:58:02 | 000,680,704 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2003/11/17 19:56:26 | 001,042,432 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DP.sys -- (HSF_DP)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-1192078927-2277105327-1989890884-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
IE - HKU\S-1-5-21-1192078927-2277105327-1989890884-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.update: false
FF - prefs.js..browser.startup.homepage: "about:blank"
FF - prefs.js..extensions.enabledItems: mozilla_cc@internetdownloadmanager.com:6.9.1
FF - prefs.js..extensions.enabledItems: {b9db16a4-6edc-47ec-a1f4-b86292ed211d}:4.8.1
FF - prefs.js..extensions.enabledItems: {a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}:20091028
FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.3.9
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}:6.0.23
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA}:6.0.29
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\WINDOWS\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@videolan.org/vlc,version=1.1.11: C:\Program Files\VideoLAN\VLC\npvlc.dll (the VideoLAN Team)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 9.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/12/31 09:10:34 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 9.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/12/31 09:10:53 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 6.0\extensions\\Components: C:\Program Files\Mozilla Thunderbird\components [2011/12/31 09:10:34 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 6.0\extensions\\Plugins: C:\Program Files\Mozilla Thunderbird\plugins
FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\mozilla_cc@internetdownloadmanager.com: C:\Documents and Settings\Sandra\Application Data\IDM\idmmzcc5 [2012/01/22 15:22:37 | 000,000,000 | ---D | M]
FF - HKEY_CURRENT_USER\software\mozilla\SeaMonkey\Extensions\\mozilla_cc@internetdownloadmanager.com: C:\Documents and Settings\Sandra\Application Data\IDM\idmmzcc5 [2012/01/22 15:22:37 | 000,000,000 | ---D | M]

[2009/06/26 17:41:38 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Sandra\Application Data\Mozilla\Extensions
[2010/12/18 13:11:03 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Sandra\Application Data\Mozilla\Extensions\{3550f703-e582-4d05-9a08-453d09bdfdc6}
[2012/01/04 19:01:13 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Sandra\Application Data\Mozilla\Firefox\Profiles\9kxjav6t.default\extensions
[2011/12/31 06:24:18 | 000,000,000 | ---D | M] (WOT) -- C:\Documents and Settings\Sandra\Application Data\Mozilla\Firefox\Profiles\9kxjav6t.default\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}
[2011/12/31 06:24:50 | 000,000,000 | ---D | M] (DownloadHelper) -- C:\Documents and Settings\Sandra\Application Data\Mozilla\Firefox\Profiles\9kxjav6t.default\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
[2011/12/31 06:44:04 | 000,000,000 | ---D | M] (IDM CC) -- C:\Documents and Settings\Sandra\Application Data\Mozilla\Firefox\Profiles\9kxjav6t.default\extensions\mozilla_cc@internetdownloadmanager.com
[2011/12/31 06:12:38 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Sandra\Application Data\Mozilla\Firefox\Profiles\old\6df90juu.default\extensions
[2011/12/31 06:12:38 | 000,000,000 | ---D | M] (Toolbar Buttons) -- C:\Documents and Settings\Sandra\Application Data\Mozilla\Firefox\Profiles\old\6df90juu.default\extensions\{03B08592-E5B4-45ff-A0BE-C1D975458688}
[2011/12/31 06:12:38 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Sandra\Application Data\Mozilla\Firefox\Profiles\old\6df90juu.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2011/12/31 06:12:37 | 000,000,000 | ---D | M] (Old Style Comeback) -- C:\Documents and Settings\Sandra\Application Data\Mozilla\Firefox\Profiles\old\6df90juu.default\extensions\{3205B348-523A-4fac-9BC4-9939CBF5B34A}
[2011/12/31 06:12:37 | 000,000,000 | ---D | M] (WOT) -- C:\Documents and Settings\Sandra\Application Data\Mozilla\Firefox\Profiles\old\6df90juu.default\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}
[2011/12/31 06:12:37 | 000,000,000 | ---D | M] ("Firefox Classic") -- C:\Documents and Settings\Sandra\Application Data\Mozilla\Firefox\Profiles\old\6df90juu.default\extensions\{aee7dfe0-5dad-11dd-ad8b-0800200c9a66}
[2011/12/31 06:12:37 | 000,000,000 | ---D | M] (Adblock Plus) -- C:\Documents and Settings\Sandra\Application Data\Mozilla\Firefox\Profiles\old\6df90juu.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2011/12/31 06:12:38 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Sandra\Application Data\Mozilla\Firefox\Profiles\old\6df90juu.default\extensions\staged-xpis
[2011/12/31 06:12:26 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Sandra\Application Data\Mozilla\Firefox\Profiles\old1\9kxjav6t.default\extensions
[2011/12/31 06:12:26 | 000,000,000 | ---D | M] (Toolbar Buttons) -- C:\Documents and Settings\Sandra\Application Data\Mozilla\Firefox\Profiles\old1\9kxjav6t.default\extensions\{03B08592-E5B4-45ff-A0BE-C1D975458688}
[2011/12/31 06:12:26 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Sandra\Application Data\Mozilla\Firefox\Profiles\old1\9kxjav6t.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2011/12/31 06:12:26 | 000,000,000 | ---D | M] (WOT) -- C:\Documents and Settings\Sandra\Application Data\Mozilla\Firefox\Profiles\old1\9kxjav6t.default\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}
[2011/12/31 06:12:25 | 000,000,000 | ---D | M] ("Firefox Classic") -- C:\Documents and Settings\Sandra\Application Data\Mozilla\Firefox\Profiles\old1\9kxjav6t.default\extensions\{aee7dfe0-5dad-11dd-ad8b-0800200c9a66}
[2011/12/31 06:12:25 | 000,000,000 | ---D | M] (DownloadHelper) -- C:\Documents and Settings\Sandra\Application Data\Mozilla\Firefox\Profiles\old1\9kxjav6t.default\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
[2011/12/31 06:12:24 | 000,000,000 | ---D | M] (Adblock Plus) -- C:\Documents and Settings\Sandra\Application Data\Mozilla\Firefox\Profiles\old1\9kxjav6t.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2011/12/31 06:12:26 | 000,000,000 | ---D | M] (IDM CC) -- C:\Documents and Settings\Sandra\Application Data\Mozilla\Firefox\Profiles\old1\9kxjav6t.default\extensions\mozilla_cc@internetdownloadmanager.com
[2010/12/18 17:41:01 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Sandra\Application Data\Mozilla\Firefox\Profiles\z6df90juu.default\extensions
[2010/12/18 17:41:00 | 000,000,000 | ---D | M] (Toolbar Buttons) -- C:\Documents and Settings\Sandra\Application Data\Mozilla\Firefox\Profiles\z6df90juu.default\extensions\{03B08592-E5B4-45ff-A0BE-C1D975458688}
[2010/12/18 17:41:00 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Sandra\Application Data\Mozilla\Firefox\Profiles\z6df90juu.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/12/18 17:41:00 | 000,000,000 | ---D | M] (Old Style Comeback) -- C:\Documents and Settings\Sandra\Application Data\Mozilla\Firefox\Profiles\z6df90juu.default\extensions\{3205B348-523A-4fac-9BC4-9939CBF5B34A}
[2010/12/18 17:41:00 | 000,000,000 | ---D | M] (WOT) -- C:\Documents and Settings\Sandra\Application Data\Mozilla\Firefox\Profiles\z6df90juu.default\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}
[2010/12/18 17:41:01 | 000,000,000 | ---D | M] ("Firefox Classic") -- C:\Documents and Settings\Sandra\Application Data\Mozilla\Firefox\Profiles\z6df90juu.default\extensions\{aee7dfe0-5dad-11dd-ad8b-0800200c9a66}
[2010/12/18 17:41:01 | 000,000,000 | ---D | M] (Adblock Plus) -- C:\Documents and Settings\Sandra\Application Data\Mozilla\Firefox\Profiles\z6df90juu.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2010/12/18 17:41:01 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Sandra\Application Data\Mozilla\Firefox\Profiles\z6df90juu.default\extensions\staged-xpis
[2011/12/31 06:59:47 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2011/12/31 06:59:47 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA}
() (No name found) -- C:\DOCUMENTS AND SETTINGS\SANDRA\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\9KXJAV6T.DEFAULT\EXTENSIONS\THROBBER@FIREFOX.XPI
[2011/12/21 00:24:52 | 000,121,816 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2011/03/18 12:32:12 | 000,091,552 | ---- | M] (Coupons, Inc.) -- C:\Program Files\mozilla firefox\plugins\npCouponPrinter.dll
[2011/12/31 06:59:17 | 000,476,904 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll
[2011/03/18 12:32:14 | 000,091,552 | ---- | M] (Coupons, Inc.) -- C:\Program Files\mozilla firefox\plugins\npMozCouponPrinter.dll
[2011/12/20 21:30:41 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2011/12/20 21:30:41 | 000,002,040 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml

O1 HOSTS File: ([2004/08/04 03:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (IDM integration (IDMIEHlprObj Class)) - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll (Internet Download Manager, Tonec Inc.)
O2 - BHO: (DriveLetterAccess) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\DLA\DLASHX_W.DLL (Sonic Solutions)
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (no name) - AutorunsDisabled - No CLSID value found.
O4 - HKLM..\Run: [COMODO Internet Security] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO)
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [MSC] C:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4 - HKLM..\Run: [TaskPlus] C:\Documents and Settings\Sandra\TaskPlus\taskplus0.exe (Contact Plus Corporation)
O4 - HKU\S-1-5-21-1192078927-2277105327-1989890884-1006..\Run: [StartWatch] C:\Program Files\SoftWx\StartWatch\StartWatch.exe (SoftWx Inc.)
O4 - HKU\S-1-5-21-1192078927-2277105327-1989890884-1006..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE (SUPERAntiSpyware.com)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Task Plus.lnk = C:\Documents and Settings\Sandra\TaskPlus\taskplus0.exe (Contact Plus Corporation)
O4 - Startup: C:\Documents and Settings\Sandra\Start Menu\Programs\Startup\Printkey.exe (Fred's Software Company)
O4 - Startup: C:\Documents and Settings\Sandra\Start Menu\Programs\Startup\WallMaster.lnk = C:\Program Files\WallMaster\wallmast.exe (Tropical Wares)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1192078927-2277105327-1989890884-1006\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1192078927-2277105327-1989890884-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-1192078927-2277105327-1989890884-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSharedDocuments = 01 00 00 00 [binary data]
O7 - HKU\S-1-5-21-1192078927-2277105327-1989890884-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMMyDocs = 01 00 00 00 [binary data]
O7 - HKU\S-1-5-21-1192078927-2277105327-1989890884-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMMyPictures = 01 00 00 00 [binary data]
O7 - HKU\S-1-5-21-1192078927-2277105327-1989890884-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoLowDiskSpaceChecks = 1
O7 - HKU\S-1-5-21-1192078927-2277105327-1989890884-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoWinKeys = 01 00 00 00 [binary data]
O7 - HKU\S-1-5-21-1192078927-2277105327-1989890884-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoNetworkConnections = 01 00 00 00 [binary data]
O7 - HKU\S-1-5-21-1192078927-2277105327-1989890884-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-1192078927-2277105327-1989890884-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Download All Links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm ()
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm ()
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\WINDOWS\system32\nwprovau.dll (Microsoft Corporation)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.micros...b?1292712666031 (WUWebControl Class)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset...lineScanner.cab (OnlineScanner Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_30)
O16 - DPF: {C1F8FC10-E5DB-4112-9DBF-6C3FF728D4E3} http://support.dell....lSystemLite.CAB (DellSystemLite.Scanner)
O16 - DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.4.2_03)
O16 - DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_30)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_30)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 74.50.130.108 74.50.130.109
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{01A3F69E-B2E3-4E55-8901-5862CFE1E187}: DhcpNameServer = 74.50.130.108 74.50.130.109
O18 - Protocol\Handler\AutorunsDisabled - No CLSID value found
O18 - Protocol\Handler\AutorunsDisabled\belarc - No CLSID value found
O20 - AppInit_DLLs: (C:\WINDOWS\system32\guard32.dll) -C:\WINDOWS\system32\guard32.dll (COMODO)
O20 - HKLM Winlogon: Shell - (Explorer.exe) -C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) -C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - (C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL) - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL (SUPERAntiSpyware.com)
O24 - Desktop Components:0 () -
O24 - Desktop WallPaper: C:\Documents and Settings\Sandra\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Sandra\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/08/10 11:04:08 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [1996/09/11 03:36:16 | 000,215,478 | R--- | M] () - E:\AUTORUN.BMP -- [ CDFS ]
O32 - AutoRun File - [1996/09/09 09:51:12 | 000,025,088 | R--- | M] (New World Computing, Inc.) - E:\AUTORUN.EXE -- [ CDFS ]
O32 - AutoRun File - [1996/09/09 09:51:12 | 000,000,029 | R--- | M] () - E:\AUTORUN.INF -- [ CDFS ]
O32 - AutoRun File - [1996/09/24 06:20:54 | 000,000,287 | R--- | M] () - E:\AUTORUN.INI -- [ CDFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: AppMgmt - File not found
NetSvcs: HidServ - File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: WmdmPmSp - File not found

Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.l3acm - C:\WINDOWS\System32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)
Drivers32: wave - C:\WINDOWS\System32\serwvdrv.dll (Microsoft Corporation)
Drivers32: wave2 - C:\WINDOWS\System32\serwvdrv.dll (Microsoft Corporation)

CREATERESTOREPOINT
Restore point Set: OTL Restore Point

========== Files/Folders - Created Within 30 Days ==========

[2012/01/22 17:08:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2012/01/22 16:53:40 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
[2012/01/22 16:35:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Sandra\Desktop\Root
[2012/01/22 16:14:41 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2012/01/22 16:14:41 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2012/01/22 16:14:41 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2012/01/22 16:14:41 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2012/01/22 16:13:58 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2012/01/22 16:13:46 | 000,000,000 | ---D | C] -- C:\Qoobox
[2012/01/22 14:08:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Sandra\Desktop\Downloaded
[2012/01/22 09:08:51 | 000,000,000 | -H-D | C] -- C:\WINDOWS\PIF
[2012/01/22 09:05:42 | 000,000,000 | R--D | C] -- C:\Documents and Settings\All Users\Documents\My Videos
[2012/01/22 09:05:42 | 000,000,000 | R--D | C] -- C:\Documents and Settings\All Users\Documents\My Pictures
[2012/01/22 09:05:41 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Sandra\Start Menu\Programs\Administrative Tools
[2012/01/15 10:29:09 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2012/01/15 07:02:36 | 010,847,608 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\All Users\Documents\mbam-setup-1.60.0.1800.exe
[2012/01/06 11:07:57 | 000,000,000 | ---D | C] -- C:\Program Files\Karen's Power Tools
[2012/01/06 11:07:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Karen's Power Tools
[2012/01/06 11:07:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Karen's Power Tools
[2012/01/05 18:41:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Sandra\Application Data\ElevatedDiagnostics
[2012/01/05 18:40:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Windows PowerShell 1.0
[2012/01/05 18:39:36 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\windowspowershell
[2012/01/05 18:19:08 | 000,000,000 | -H-D | C] -- C:\WINDOWS\ie8
[2012/01/05 15:34:03 | 000,000,000 | ---D | C] -- C:\WINDOWS\ie8updates
[2011/12/31 11:20:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Sandra\My Documents\Reflect
[2011/12/31 11:18:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Macrium
[2011/12/31 11:17:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Macrium
[2011/12/31 11:17:45 | 000,000,000 | ---D | C] -- C:\Program Files\Macrium
[2011/12/31 07:01:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Sandra\Local Settings\Application Data\Solid State Networks
[2011/12/31 06:15:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Sandra\Desktop\Downloads
[2011/04/19 08:09:38 | 000,028,672 | ---- | C] (Doug Knox) -- C:\Program Files\SysRestorePoint.exe

========== Files - Modified Within 30 Days ==========

[2012/01/22 17:07:55 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/01/22 15:41:02 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/01/22 13:42:00 | 000,000,512 | ---- | M] () -- C:\WINDOWS\tasks\SUPERAntiSpyware Scheduled Task 331828d3-5dcd-44f4-a8de-5b6b4f1151a5.job
[2012/01/15 09:48:01 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2012/01/15 06:38:44 | 010,847,608 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\All Users\Documents\mbam-setup-1.60.0.1800.exe
[2012/01/14 08:02:27 | 000,001,507 | ---- | M] () -- C:\Documents and Settings\Sandra\Desktop\Notepad.lnk
[2012/01/05 19:17:44 | 000,000,211 | RHS- | M] () -- C:\boot.ini
[2012/01/05 19:13:44 | 000,255,064 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2012/01/05 16:04:14 | 000,482,976 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2012/01/05 16:04:14 | 000,080,380 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2011/12/31 09:15:20 | 000,000,161 | ---- | M] () -- C:\Delme.bat
[2011/12/31 06:23:03 | 000,000,724 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk

========== Files Created - No Company Name ==========

[2012/01/22 16:14:41 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2012/01/22 16:14:41 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2012/01/22 16:14:41 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2012/01/22 16:14:41 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2012/01/22 16:14:41 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2011/12/31 09:15:20 | 000,000,161 | ---- | C] () -- C:\Delme.bat
[2011/12/31 07:31:28 | 000,001,804 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Adobe Reader X.lnk
[2011/12/31 06:23:03 | 000,000,730 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Mozilla Firefox.lnk
[2011/12/31 06:23:03 | 000,000,724 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2011/10/30 06:01:15 | 000,002,516 | -HS- | C] () -- C:\WINDOWS\System32\KGyGaAvL.sys
[2011/08/20 11:19:56 | 000,077,824 | R--- | C] () -- C:\WINDOWS\System32\hpzids01.dll
[2011/08/20 11:16:26 | 000,105,215 | ---- | C] () -- C:\WINDOWS\HPFins09.dat
[2011/08/20 11:16:26 | 000,003,732 | ---- | C] () -- C:\WINDOWS\hpfmdl09.dat
[2011/08/20 10:16:41 | 000,000,818 | ---- | C] () -- C:\WINDOWS\hpntwksetup.ini
[2011/08/18 18:17:52 | 000,000,120 | ---- | C] () -- C:\WINDOWS\QUICKEN.INI
[2011/08/18 10:20:04 | 000,102,833 | ---- | C] () -- C:\WINDOWS\HPFins09.dat.temp
[2011/08/18 10:20:04 | 000,003,732 | ---- | C] () -- C:\WINDOWS\hpfmdl09.dat.temp
[2011/08/18 08:42:03 | 000,000,171 | ---- | C] () -- C:\WINDOWS\System32\AddPort.ini
[2011/07/17 10:18:20 | 000,005,504 | ---- | C] () -- C:\WINDOWS\System32\drivers\StarOpen.sys
[2011/02/21 18:21:58 | 000,530,969 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-S-1-5-21-1192078927-2277105327-1989890884-1006-0.dat
[2011/02/20 18:53:26 | 000,243,502 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-System.dat
[2011/02/20 09:24:23 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/12/22 17:03:14 | 000,006,656 | ---- | C] () -- C:\Documents and Settings\Sandra\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/12/19 08:56:20 | 000,001,751 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2010/12/19 06:22:49 | 000,000,000 | ---- | C] () -- C:\WINDOWS\iPlayer.INI
[2010/12/18 21:21:45 | 000,804,192 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2010/12/18 19:00:31 | 000,000,273 | ---- | C] () -- C:\WINDOWS\PowerReg.dat
[2010/12/18 18:29:15 | 000,000,090 | ---- | C] () -- C:\WINDOWS\System32\ftm31.dat
[2010/12/18 18:14:51 | 000,000,417 | ---- | C] () -- C:\WINDOWS\SIERRA.INI
[2010/12/18 14:09:33 | 000,000,002 | ---- | C] () -- C:\WINDOWS\msoffice.ini
[2010/12/18 13:34:47 | 000,000,067 | ---- | C] () -- C:\WINDOWS\IDMan.INI
[2009/06/26 18:04:54 | 000,001,044 | ---- | C] () -- C:\Documents and Settings\Sandra\Application Data\wklnhst.dat
[2009/06/26 16:03:59 | 000,000,129 | ---- | C] () -- C:\Documents and Settings\Sandra\Local Settings\Application Data\fusioncache.dat
[2006/04/30 05:57:16 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2006/04/30 05:53:19 | 000,000,126 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2006/04/30 05:49:36 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2006/04/30 05:46:51 | 000,149,504 | ---- | C] () -- C:\WINDOWS\UNWISE.EXE
[2006/04/30 05:45:04 | 000,712,704 | ---- | C] () -- C:\WINDOWS\System32\DellSystemRestore.dll
[2006/04/30 05:41:16 | 000,000,335 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2006/04/30 05:18:54 | 000,049,152 | ---- | C] () -- C:\WINDOWS\setpwrcg.exe
[2006/04/30 05:18:36 | 000,012,288 | ---- | C] () -- C:\WINDOWS\System32\e100bmsg.dll
[2006/04/30 05:18:32 | 000,000,392 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2005/11/10 06:38:34 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2004/08/10 11:12:05 | 000,000,831 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2004/08/10 11:07:31 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2004/08/10 11:02:15 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2004/08/10 11:01:18 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2004/08/10 10:57:52 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2004/08/10 10:57:15 | 000,255,064 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2004/08/10 10:51:21 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2004/08/10 10:51:20 | 000,482,976 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2004/08/10 10:51:20 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2004/08/10 10:51:20 | 000,080,380 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2004/08/10 10:51:20 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2004/08/10 10:51:18 | 000,004,627 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2004/08/10 10:51:17 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2004/08/10 10:51:16 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2004/08/10 10:51:12 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2004/08/10 10:51:11 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2004/08/10 10:51:05 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2004/08/10 10:50:56 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2004/02/19 08:42:46 | 000,131,072 | ---- | C] () -- C:\WINDOWS\System32\idmmbc.dll
[2001/07/06 15:30:00 | 000,003,399 | ---- | C] () -- C:\WINDOWS\System32\hptcpmon.ini
[1999/08/12 00:00:00 | 001,708,032 | ---- | C] () -- C:\WINDOWS\System32\MSO97V.DLL
[1999/08/12 00:00:00 | 000,036,864 | ---- | C] () -- C:\WINDOWS\System32\DOCOBJ.DLL
[1999/08/12 00:00:00 | 000,032,768 | ---- | C] () -- C:\WINDOWS\System32\MSORFS.DLL
[1997/11/10 15:18:48 | 000,010,240 | ---- | C] () -- C:\WINDOWS\System32\vidx16.dll
[1997/06/18 00:00:00 | 000,012,288 | ---- | C] () -- C:\WINDOWS\System32\HLINKPRX.DLL

========== LOP Check ==========

[2011/08/04 06:04:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\!SASCORE
[2011/09/25 13:29:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Acronis
[2011/01/05 19:36:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Alwil Software
[2011/07/17 10:18:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Canneverbe Limited
[2011/03/14 10:03:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Firetrust
[2012/01/06 11:07:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Karen's Power Tools
[2011/12/31 11:18:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Macrium
[2010/12/18 17:39:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PC-Doctor
[2009/06/27 17:46:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PCDr
[2010/12/18 19:03:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Screentime
[2010/12/18 17:39:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SupportSoft
[2012/01/22 17:08:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2010/12/17 11:57:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Uninstall
[2010/12/19 12:51:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Sandra\Application Data\Acronis
[2010/12/18 17:40:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Sandra\Application Data\Auslogics
[2011/07/17 10:18:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Sandra\Application Data\Canneverbe Limited
[2012/01/22 17:49:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Sandra\Application Data\DMCache
[2012/01/05 18:41:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Sandra\Application Data\ElevatedDiagnostics
[2011/02/27 18:17:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Sandra\Application Data\Firetrust
[2010/12/18 17:40:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Sandra\Application Data\Genie-soft
[2012/01/22 15:12:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Sandra\Application Data\IDM
[2010/12/18 17:40:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Sandra\Application Data\Leadertech
[2011/03/14 10:03:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Sandra\Application Data\MailWasherPro
[2011/09/17 09:51:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Sandra\Application Data\Thunderbird
[2010/12/19 05:19:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Sandra\Application Data\Windows Search
[2012/01/22 13:42:00 | 000,000,512 | ---- | M] () -- C:\WINDOWS\Tasks\SUPERAntiSpyware Scheduled Task 331828d3-5dcd-44f4-a8de-5b6b4f1151a5.job

========== Purity Check ==========



========== Custom Scans ==========


< >

< %SYSTEMDRIVE%\*.* >
[2004/08/10 11:04:08 | 000,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT
[2012/01/05 19:17:44 | 000,000,211 | RHS- | M] () -- C:\boot.ini
[2012/01/22 16:53:37 | 000,016,501 | ---- | M] () -- C:\ComboFix.txt
[2004/08/10 11:04:08 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS
[2006/04/30 05:25:26 | 000,005,737 | RH-- | M] () -- C:\dell.sdr
[2011/12/31 09:15:20 | 000,000,161 | ---- | M] () -- C:\Delme.bat
[2010/12/18 12:50:57 | 000,004,128 | ---- | M] () -- C:\INFCACHE.1
[2004/08/10 11:04:08 | 000,000,000 | -H-- | M] () -- C:\IO.SYS
[2006/04/30 05:42:23 | 000,000,840 | -H-- | M] () -- C:\IPH.PH
[2010/12/18 19:08:24 | 000,000,109 | ---- | M] () -- C:\mbam-error.txt
[2004/08/10 11:04:08 | 000,000,000 | -H-- | M] () -- C:\MSDOS.SYS
[2004/08/04 03:00:00 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
[2010/12/18 12:57:05 | 000,250,048 | RHS- | M] () -- C:\ntldr
[2012/01/22 17:07:53 | 2145,386,496 | -HS- | M] () -- C:\pagefile.sys
[2011/12/31 11:17:44 | 000,000,000 | ---- | M] () -- C:\ref~tmp~.txt
[2012/01/22 16:31:28 | 000,000,359 | ---- | M] () -- C:\rkill.log
[2006/04/30 05:42:29 | 000,000,087 | ---- | M] () -- C:\SystemInfo.ini
[2012/01/22 15:51:21 | 000,062,352 | ---- | M] () -- C:\TDSSKiller.2.7.6.0_22.01.2012_15.50.19_log.txt

< %systemroot%\Fonts\*.com >
[2006/04/18 15:39:28 | 000,026,040 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalMonospace.CompositeFont
[2006/06/29 14:53:56 | 000,026,489 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalSansSerif.CompositeFont
[2006/04/18 15:39:28 | 000,029,779 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalSerif.CompositeFont
[2006/06/29 14:58:52 | 000,030,808 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalUserInterface.CompositeFont

< %systemroot%\Fonts\*.dll >

< %systemroot%\Fonts\*.ini >
[2004/08/10 11:03:42 | 000,000,067 | -HS- | M] () -- C:\WINDOWS\Fonts\desktop.ini

< %systemroot%\Fonts\*.ini2 >

< %systemroot%\Fonts\*.exe >

< %systemroot%\system32\spool\prtprocs\w32x86\*.* >
[2008/07/06 05:06:10 | 000,089,088 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll
[2005/10/14 21:41:46 | 000,072,192 | ---- | M] (Hewlett-Packard Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\hpzpp43a.dll
[2008/07/06 03:50:03 | 000,597,504 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\printfilterpipelinesvc.exe

< %systemroot%\REPAIR\*.bak1 >

< %systemroot%\REPAIR\*.ini >

< %systemroot%\system32\*.jpg >

< %systemroot%\*.jpg >

< %systemroot%\*.png >

< %systemroot%\*.scr >
[2010/12/31 13:06:36 | 000,038,848 | ---- | M] (AVAST Software) -- C:\WINDOWS\zavastSS.scr

< %systemroot%\*._sy >

< %APPDATA%\Adobe\Update\*.* >

< %ALLUSERSPROFILE%\Favorites\*.* >

< %APPDATA%\Microsoft\*.* >

< %PROGRAMFILES%\*.* >
[2010/12/19 08:26:06 | 000,000,092 | -H-- | M] () -- C:\Program Files\desktop.ini
[2007/06/07 14:03:00 | 000,028,672 | ---- | M] (Doug Knox) -- C:\Program Files\SysRestorePoint.exe

< %APPDATA%\Update\*.* >

< %systemroot%\*. /mp /s >

< %systemroot%\System32\config\*.sav >
[2004/08/10 10:56:48 | 000,094,208 | ---- | M] () -- C:\WINDOWS\System32\config\default.sav
[2004/08/10 10:56:46 | 000,634,880 | ---- | M] () -- C:\WINDOWS\System32\config\software.sav
[2004/08/10 10:56:46 | 000,872,448 | ---- | M] () -- C:\WINDOWS\System32\config\system.sav

< %PROGRAMFILES%\bak. /s >

< %systemroot%\system32\bak. /s >

< %ALLUSERSPROFILE%\Start Menu\*.lnk /x >
[2010/12/18 13:01:58 | 000,000,272 | -HS- | M] () -- C:\Documents and Settings\All Users\Start Menu\desktop.ini

< %systemroot%\system32\config\systemprofile\*.dat /x >

< %systemroot%\*.config >

< %systemroot%\system32\*.db >

< %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x >
[2010/12/18 13:06:49 | 000,000,119 | -HS- | M] () -- C:\Documents and Settings\Sandra\Application Data\Microsoft\Internet Explorer\Quick Launch\desktop.ini
[2004/08/10 11:08:38 | 000,000,079 | ---- | M] () -- C:\Documents and Settings\Sandra\Application Data\Microsoft\Internet Explorer\Quick Launch\Show Desktop.scf

< %USERPROFILE%\Desktop\*.exe >

< %PROGRAMFILES%\Common Files\*.* >

< %systemroot%\*.src >

< %systemroot%\install\*.* >

< %systemroot%\system32\DLL\*.* >

< %systemroot%\system32\HelpFiles\*.* >

< %systemroot%\system32\rundll\*.* >

< %systemroot%\winn32\*.* >

< %systemroot%\Java\*.* >

< %systemroot%\system32\test\*.* >

< %systemroot%\system32\Rundll32\*.* >

< %systemroot%\AppPatch\Custom\*.* >

< %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x >

< %PROGRAMFILES%\PC-Doctor\Downloads\*.* >

< %PROGRAMFILES%\Internet Explorer\*.tmp >

< %PROGRAMFILES%\Internet Explorer\*.dat >

< %USERPROFILE%\My Documents\*.exe >

< %USERPROFILE%\*.exe >

< %systemroot%\ADDINS\*.* >
[2004/08/04 03:00:00 | 000,000,791 | ---- | M] () -- C:\WINDOWS\ADDINS\fxsext.ecf

< %systemroot%\assembly\*.bak2 >

< %systemroot%\Config\*.* >

< %systemroot%\REPAIR\*.bak2 >

< %systemroot%\SECURITY\Database\*.sdb /x >

< %systemroot%\SYSTEM\*.bak2 >

< %systemroot%\Web\*.bak2 >

< %systemroot%\Driver Cache\*.* >

< %PROGRAMFILES%\Mozilla Firefox\0*.exe >

< %ProgramFiles%\Microsoft Common\*.* >

< %ProgramFiles%\TinyProxy. >

< %USERPROFILE%\Favorites\*.url /x >
[2010/12/18 13:06:49 | 000,000,122 | -HS- | M] () -- C:\Documents and Settings\Sandra\Favorites\Desktop.ini

< %systemroot%\system32\*.bk >

< %systemroot%\*.te >

< %systemroot%\system32\system32\*.* >

< %ALLUSERSPROFILE%\*.dat /x >

< %systemroot%\system32\drivers\*.rmv >

< dir /b "%systemroot%\system32\*.exe" | find /i " " /c >

< dir /b "%systemroot%\*.exe" | find /i " " /c >

< %PROGRAMFILES%\Microsoft\*.* >

< %systemroot%\System32\Wbem\proquota.exe >

< %PROGRAMFILES%\Mozilla Firefox\*.dat >

< %USERPROFILE%\Cookies\*.txt /x >
[2012/01/22 17:46:57 | 000,049,152 | ---- | M] () -- C:\Documents and Settings\Sandra\Cookies\index.dat

< %SystemRoot%\system32\fonts\*.* >

< %systemroot%\system32\winlog\*.* >

< %systemroot%\system32\Language\*.* >

< %systemroot%\system32\Settings\*.* >

< %systemroot%\system32\*.quo >

< %SYSTEMROOT%\AppPatch\*.exe >

< %SYSTEMROOT%\inf\*.exe >
[2007/06/26 22:10:26 | 000,317,440 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\inf\unregmp2.exe

< %SYSTEMROOT%\Installer\*.exe >

< %systemroot%\system32\config\*.bak2 >

< %systemroot%\system32\Computers\*.* >

< %SystemRoot%\system32\Sound\*.* >

< %SystemRoot%\system32\SpecialImg\*.* >

< %SystemRoot%\system32\code\*.* >

< %SystemRoot%\system32\draft\*.* >

< %SystemRoot%\system32\MSSSys\*.* >

< %ProgramFiles%\Javascript\*.* >

< %systemroot%\pchealth\helpctr\System\*.exe /s >

< %systemroot%\Web\*.exe >

< %systemroot%\system32\msn\*.* >

< %systemroot%\system32\*.tro >

< %AppData%\Microsoft\Installer\msupdates\*.* >

< %ProgramFiles%\Messenger\*.* >
[2004/08/03 23:06:34 | 000,007,047 | ---- | M] () -- C:\Program Files\Messenger\lvback.gif

< %systemroot%\system32\systhem32\*.* >

< %systemroot%\system\*.exe >

< HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs >
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install\\LastSuccessTime: 2011-10-30 12:51:16


========== Alternate Data Streams ==========

@Alternate Data Stream - 165 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:631CA307

< End of report >

#19 jdhoward Re: [RESOLVED] Rootkit.TDS?

Posted 23 January 2012 - 01:13 AM

OTL Extras logfile created on: 1/22/2012 5:48:40 PM - Run 1
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Documents and Settings\Sandra\Desktop\Downloads
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.38 Gb Available Physical Memory | 69.06% Memory free
3.85 Gb Paging File | 3.10 Gb Available in Paging File | 80.41% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 108.59 Gb Total Space | 89.53 Gb Free Space | 82.45% Space Free | Partition Type: NTFS
Drive D: | 36.48 Gb Total Space | 21.71 Gb Free Space | 59.51% Space Free | Partition Type: NTFS
Drive E: | 252.58 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: SANDRA | User Name: Sandra | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.url [@ = InternetShortcut] -- rundll32.exe ieframe.dll,OpenURL %l

[HKEY_USERS\S-1-5-21-1192078927-2277105327-1989890884-1006\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
InternetShortcut [open] -- rundll32.exe ieframe.dll,OpenURL %l
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [ChangeIcon] -- "E:\ChangeIcon.exe" %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" = C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Enabled:AOL
"C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe" = C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe:*:Enabled:AOL
"C:\Program Files\America Online 9.0\waol.exe" = C:\Program Files\America Online 9.0\waol.exe:*:Enabled:AOL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\WINDOWS\system32\usmt\migwiz.exe" = C:\WINDOWS\system32\usmt\migwiz.exe:*:Enabled:Files and Settings Transfer Wizard -- (Microsoft Corporation)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{05BFB060-4F22-4710-B0A2-2801A1B606C5}" = Microsoft Antimalware
"{06040048-3E21-46D6-9A91-D927BA08F41D}" = Microsoft Encarta Encyclopedia Standard 2006
"{075473F5-846A-448B-BCB3-104AA1760205}" = Roxio RecordNow Data
"{0BF5FBE7-3907-4A1F-9E48-8B66E52850D6}" = TrayApp
"{0CDD5599-836A-4650-8BE7-F33D8D915A0D}" = dj6980
"{0F40754C-F1FD-43df-B73E-9DA38399CDD6}" = hpf_ProductContext
"{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}" = Roxio DLA
"{14A67CE0-4F30-4607-885B-43EE27BAC746}" = Readme
"{17334AAF-C9E7-483B-9F45-E3FCAF07FFA7}" = Intel® PROSet for Wired Connections
"{17E3A651-12B9-4149-BAE8-E6FB9A5ADC4F}" = Microsoft Works Suite Add-in for Microsoft Word
"{1A15507A-8551-4626-915D-3D5FA095CC1B}" = Corel Paint Shop Pro X
"{1E1F1E70-14D8-4380-8652-BD1A895A7D65}" = Status
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{21657574-BD54-48A2-9450-EB03B2C7FC29}" = Roxio MyDVD LE
"{24BEBF2E-73F3-4599-840B-EDC612CCDD0D}" = Destinations
"{26A24AE4-039D-4CA4-87B4-2F83216030FF}" = Java™ 6 Update 30
"{33BB4982-DC52-4886-A03B-F4C5C80BEE89}" = Windows Media Player 10
"{34F3FCF1-817B-4D61-B6AF-19D9486AFEA0}" = Unload
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{37F9D0BD-9AED-4EE6-BCA3-BA0749636E04}" = Hoyle Board Games 2003
"{3B0F52AC-EF5C-4831-B221-06C782E41280}" = Quicken 2008
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{3D10E608-A4A3-40AD-B91C-6D963BBD91D5}" = LP6980_Help
"{4041C245-7099-4C96-9738-5EBC23827B3C}" = BufferChm
"{43CAC9A1-1993-4F65-9096-7C9AFC2BBF54}" = Dell CinePlayer
"{4667B940-BB01-428B-986E-A0CC46497BF7}" = ELIcon
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4BE53DB2-C1F2-44D1-A9AB-1630BA7F2AF1}" = SolutionCenter
"{519C4DB6-B53B-4F5C-8297-89B2BE949FA5}_is1" = Data Lifeguard Diagnostic for Windows 1.24
"{548EEA8E-8299-497F-8057-811D2D7097DC}" = Dell Support 3.1
"{54B6DC7D-8C5B-4DFB-BC15-C010A3326B2B}" = Microsoft Security Client
"{57752979-A1C9-4C02-856B-FBB27AC4E02C}" = QuickTime
"{5905F42D-3F5F-4916-ADA6-94A3646AEE76}" = Dell Driver Reset Tool
"{5B6BE547-21E2-49CA-B2E2-6A5F470593B1}" = Sonic Activation Module
"{5D95AD35-368F-47D5-B63A-A082DDF00116}" = Microsoft Digital Image Standard 2006 Editor
"{62BD0AE0-4EB1-4BBB-8F43-B6400C8FEB2C}" = AOLIcon
"{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}" = Roxio Express Labeler
"{66E6CE0C-5A1E-430C-B40A-0C90FF1804A8}" = eSupportQFolder
"{691F4068-81BF-49E3-B32E-FE3E16400112}" = Microsoft Digital Image Standard 2006 Library
"{6D52C408-B09A-4520-9B18-475B81D393F1}" = Microsoft Works
"{6F5E2F4A-377D-4700-B0E3-8F7F7507EA15}" = CustomerResearchQFolder
"{7148F0A8-6813-11D6-A77B-00B0D0142030}" = Java 2 Runtime Environment, SE v1.4.2_03
"{74F7662C-B1DB-489E-A8AC-07A06B24978B}" = Dell System Restore
"{76EFFC7C-17A6-479D-9E47-8E658C1695AE}" = Windows Backup Utility
"{7ADE9F27-A175-447F-A4B4-B05FA82735E1}" = HP Deskjet 6900 series
"{7E265513-8CDA-4631-B696-F40D983F3B07}_is1" = CDBurnerXP
"{7F142D56-3326-11D5-B229-002078017FBF}" = Modem Helper
"{83ED1E80-A1B7-4226-BCF1-AC4A88151A6B}" = Microsoft Streets & Trips 2006
"{8777AC6D-89F9-4793-8266-DE406F343E89}" = QFolder
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel® Extreme Graphics 2 Driver
"{8A9B8148-DDD7-448F-BD6C-358386D32354}" = Corel Photo Album 6
"{911B0409-6000-11D3-8CFE-0050048383C9}" = Microsoft Word 2002
"{95120000-00AF-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint Viewer 2007 (English)
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{984C17AB-A38C-4F0F-B6D3-075854886884}" = Macrium Reflect Free Edition
"{98936CBC-5E7A-4AD7-B05B-6D34C7C68E37}" = Hoyle Board Games 2005
"{9B683A28-2172-4CF1-B85D-41375E80652A}" = Acronis True Image WD Edition
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{9F7FC79B-3059-4264-9450-39EB368E3225}" = Microsoft Digital Image Library 9 - Blocker
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A80FA752-C491-4ED9-ABF0-4278563160B2}" = 32 Bit HP CIO Components Installer
"{AAA11090-6E99-4655-AAF5-57EB5F677D0C}" = MarketResearch
"{AB5D51AE-EBC3-438D-872C-705C7C2084B0}" = DeviceManagementQFolder
"{AB708C9B-97C8-4AC9-899B-DBF226AC9382}" = Roxio RecordNow Audio
"{AC76BA86-7AD7-1033-7B44-AA1000000001}" = Adobe Reader X (10.1.1)
"{B0DF58A2-40DF-4465-AA56-38623EC9938C}" = Documentation & Support Launcher
"{B12665F4-4E93-4AB4-B7FC-37053B524629}" = Roxio RecordNow Copy
"{B44AA698-B221-4B3B-8CA5-E65EF6A5AF26}" = Hoyle Card Games 2005
"{B642EC22-0915-11D5-B3F1-00485486D0B6}" = Rings of the Magi
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C9E4932C-8417-4E4C-A0E3-EE534810AB4D}" = ClearType Tuning Control Panel Applet
"{CB1F3886-AE9F-46fb-8325-6B0718989285}" = dj_taplugin
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D2988E9B-C73F-422C-AD4B-A66EBE257120}" = MCU
"{D7CAE58E-26DE-49B7-A75D-EAEDF76726BE}" = HP Photosmart Essential
"{DBCC73BA-C69A-4BF5-B4BF-F07501EE7039}" = AnswerWorks 5.0 English Runtime
"{DE1AF137-C455-494A-A817-EFE44BCCFDEE}" = Works Upgrade
"{DEBB2986-15B0-4D28-95FA-5C966A396589}" = HPProductAssistant
"{DF6A13C0-77DF-41FE-BD05-6D5201EB0CE7}_is1" = Auslogics Disk Defrag
"{E646DCF0-5A68-11D5-B229-002078017FBF}" = Digital Line Detect
"{EC2715CE-C182-483C-84CC-81D7D914CF14}" = WebReg
"{EDABA4A8-8B7E-488A-A85C-17406C1C62CA}" = LP6980Trb
"{EE6097DD-05F4-4178-9719-D3170BF098E8}" = Apple Application Support
"{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}" = Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
"{FD8E178D-8B4E-42DA-B434-EFF270329B1C}" = COMODO Internet Security
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player 11.5
"awinterscene_3274380" = awinterscene_3274380 Screen Saver
"Battleship SURFACE THUNDER" = Battleship SURFACE THUNDER
"Clue" = Clue
"CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200F14F1" = Conexant D850 56K V.9x DFVc Modem
"Coupon Printer for Windows5.0.0.1" = Coupon Printer for Windows
"Dell Digital Jukebox Driver" = Dell Digital Jukebox Driver
"DirectXMediaRuntime" = DirectX Media Runtime 5.1
"ESET Online Scanner" = ESET Online Scanner v3
"FLV Player2.0.25" = FLV Player
"Freecorder4.1" = Freecorder
"Hoyle Solitaire" = Hoyle Solitaire
"Hoyle Word Games" = Hoyle Word Games
"HP Imaging Device Functions" = HP Imaging Device Functions 6.0
"HP Solution Center & Imaging Support Tools" = HP Solution Center and Imaging Support Tools 6.0
"HPExtendedCapabilities" = HP Extended Capabilities 6.0
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"InstallShield_{37F9D0BD-9AED-4EE6-BCA3-BA0749636E04}" = Hoyle Board Games 2003
"Internet Download Manager" = Internet Download Manager
"IrfanView" = IrfanView (remove only)
"Karen's Cookie Viewer" = Karen's Cookie Viewer
"Macromedia Shockwave Player" = Macromedia Shockwave Player
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.60.0.1800
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Microsoft Security Client" = Microsoft Security Essentials
"MozBackup_is1" = MozBackup 1.4.7
"Mozilla Firefox 9.0.1 (x86 en-US)" = Mozilla Firefox 9.0.1 (x86 en-US)
"Mozilla Thunderbird (6.0)" = Mozilla Thunderbird (6.0)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"Password Corral v4.0_is1" = Password Corral v4.0
"PictureItPrem_v11" = Microsoft Digital Image Standard 2006
"PPTView97" = Microsoft PowerPoint Viewer 97
"PROSet" = Intel® PRO Network Adapters and Drivers
"Recuva" = Recuva
"Revo Uninstaller" = Revo Uninstaller 1.92
"Scrabble" = Scrabble
"StartWatch" = StartWatch (remove only)
"thechristmastree_3264062" = thechristmastree_3264062 Screen Saver
"Tweak UI 2.10" = Tweak UI
"VLC media player" = VLC media player 1.1.11
"WallMaster" = WallMaster
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Works2006Setup" = Microsoft Works Suite 2006 Setup Launcher
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"XLViewer97" = Microsoft Excel Viewer 97

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-1192078927-2277105327-1989890884-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Task Plus 3.9.9.7" = Task Plus 3.9.9.7

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 12/31/2011 10:52:09 AM | Computer Name = SANDRA | Source = MPSampleSubmission | ID = 5000
Description = EventType mptelemetry, P1 0x80070490, P2 packagesnotapplicable, P3
unspecified, P4 10.3.1781.0, P5 mpsigstub.exe, P6 unspecified, P7 unspecified,
P8 NIL, P9 NIL, P10 NIL.

Error - 12/31/2011 1:57:56 PM | Computer Name = SANDRA | Source = NTBackup | ID = 8019
Description = End Operation: Warnings or errors were encountered. Consult the backup
report for more details.

Error - 12/31/2011 2:06:34 PM | Computer Name = SANDRA | Source = NTBackup | ID = 8001
Description = End Backup of 'C:' 'Warnings or errors were encountered.' Verify:
On Mode: Append Type: Normal Consult the backup report for more details.

Error - 12/31/2011 2:06:35 PM | Computer Name = SANDRA | Source = NTBackup | ID = 8019
Description = End Operation: Warnings or errors were encountered. Consult the backup
report for more details.

Error - 1/5/2012 7:11:02 PM | Computer Name = SANDRA | Source = .NET Runtime Optimization Service | ID = 1103
Description = .NET Runtime Optimization Service (clr_optimization_v2.0.50727_32)
- Tried to start a service that wasn't the latest version of CLR Optimization service.
Will shutdown

Error - 1/15/2012 9:18:57 AM | Computer Name = SANDRA | Source = MBAMService | ID = 131073
Description =

Error - 1/22/2012 11:43:18 AM | Computer Name = SANDRA | Source = Application Error | ID = 1000
Description = Faulting application ncevu5si.exe, version 1.0.15.15641, faulting
module ncevu5si.exe, version 1.0.15.15641, fault address 0x0006ab2c.

Error - 1/22/2012 7:23:16 PM | Computer Name = SANDRA | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: The server name or address could not be resolved

Error - 1/22/2012 7:46:06 PM | Computer Name = SANDRA | Source = Application Error | ID = 1000
Description = Faulting application pev.exe, version 0.0.0.0, faulting module pev.exe,
version 0.0.0.0, fault address 0x0008d1c0.

Error - 1/22/2012 7:48:26 PM | Computer Name = SANDRA | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: The server name or address could not be resolved

[ System Events ]
Error - 1/13/2012 8:57:08 AM | Computer Name = SANDRA | Source = Dhcp | ID = 1002
Description = The IP address lease 192.168.1.100 for the Network Card with network
address 00167635B1DB has been denied by the DHCP server 192.168.1.1 (The DHCP Server
sent a DHCPNACK message).

Error - 1/15/2012 9:02:38 AM | Computer Name = SANDRA | Source = Dhcp | ID = 1002
Description = The IP address lease 192.168.1.100 for the Network Card with network
address 00167635B1DB has been denied by the DHCP server 192.168.1.1 (The DHCP Server
sent a DHCPNACK message).

Error - 1/16/2012 9:17:07 AM | Computer Name = SANDRA | Source = Dhcp | ID = 1002
Description = The IP address lease 192.168.1.100 for the Network Card with network
address 00167635B1DB has been denied by the DHCP server 192.168.1.1 (The DHCP Server
sent a DHCPNACK message).

Error - 1/17/2012 2:41:22 PM | Computer Name = SANDRA | Source = EventLog | ID = 6004
Description = A driver packet received from the I/O subsystem was invalid. The
data is the packet.

Error - 1/19/2012 9:09:27 AM | Computer Name = SANDRA | Source = Dhcp | ID = 1002
Description = The IP address lease 192.168.1.101 for the Network Card with network
address 00167635B1DB has been denied by the DHCP server 192.168.1.1 (The DHCP Server
sent a DHCPNACK message).

Error - 1/21/2012 9:03:04 AM | Computer Name = SANDRA | Source = Dhcp | ID = 1002
Description = The IP address lease 192.168.1.101 for the Network Card with network
address 00167635B1DB has been denied by the DHCP server 192.168.1.1 (The DHCP Server
sent a DHCPNACK message).

Error - 1/22/2012 8:54:10 AM | Computer Name = SANDRA | Source = Dhcp | ID = 1002
Description = The IP address lease 192.168.1.100 for the Network Card with network
address 00167635B1DB has been denied by the DHCP server 192.168.1.1 (The DHCP Server
sent a DHCPNACK message).

Error - 1/22/2012 12:06:07 PM | Computer Name = SANDRA | Source = EventLog | ID = 6004
Description = A driver packet received from the I/O subsystem was invalid. The
data is the packet.

Error - 1/22/2012 3:44:53 PM | Computer Name = SANDRA | Source = EventLog | ID = 6004
Description = A driver packet received from the I/O subsystem was invalid. The
data is the packet.

Error - 1/22/2012 6:26:04 PM | Computer Name = SANDRA | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
IntelIde


< End of report >

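The "Last 10 Event Log Errors" section above is easier to read once the wrapped OTL entries are joined and grouped by source and event ID. The following Python script is an added example, not part of the thread or of OTL: it parses that section, counts recurring (source, ID) pairs, pulls the host out of the crypt32 131080 "could not be resolved" entries, lists the executables named in Application Error 1000 entries, and lists drivers reported by Service Control Manager 7026. The embedded sample is an excerpt of the OTL log posted above; the function names and the triage rules are this example's own choices, not an OTL feature.

```python
import re
from collections import Counter

# Excerpt of the "Last 10 Event Log Errors" section of the OTL log posted above
# (a subset of entries; OTL wraps long descriptions onto continuation lines).
SAMPLE = """\
[ Application Events ]
Error - 1/22/2012 11:43:18 AM | Computer Name = SANDRA | Source = Application Error | ID = 1000
Description = Faulting application ncevu5si.exe, version 1.0.15.15641, faulting
module ncevu5si.exe, version 1.0.15.15641, fault address 0x0006ab2c.

Error - 1/22/2012 7:23:16 PM | Computer Name = SANDRA | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: The server name or address could not be resolved

Error - 1/22/2012 7:46:06 PM | Computer Name = SANDRA | Source = Application Error | ID = 1000
Description = Faulting application pev.exe, version 0.0.0.0, faulting module pev.exe,
version 0.0.0.0, fault address 0x0008d1c0.

Error - 1/22/2012 7:48:26 PM | Computer Name = SANDRA | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: The server name or address could not be resolved

[ System Events ]
Error - 1/22/2012 8:54:10 AM | Computer Name = SANDRA | Source = Dhcp | ID = 1002
Description = The IP address lease 192.168.1.100 for the Network Card with network
address 00167635B1DB has been denied by the DHCP server 192.168.1.1 (The DHCP Server
sent a DHCPNACK message).

Error - 1/22/2012 6:26:04 PM | Computer Name = SANDRA | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
IntelIde
"""

HEADER = re.compile(r"^Error - (?P<when>.+?) \| Computer Name = (?P<host>.+?) "
                    r"\| Source = (?P<source>.+?) \| ID = (?P<id>\d+)$")
SECTION = re.compile(r"^\[ (?P<name>.+?) \]$")
FAULTING = re.compile(r"Faulting application (?P<app>\S+?), version .*? "
                      r"faulting module (?P<mod>\S+?),")


def parse_otl_events(text):
    """Parse OTL's event-log section into dicts, joining wrapped description lines."""
    events, section, current = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION.match(line)
        if m:
            section, current = m.group("name"), None
            continue
        m = HEADER.match(line)
        if m:
            current = {"section": section, "when": m.group("when"),
                       "host": m.group("host"), "source": m.group("source"),
                       "id": int(m.group("id")), "description": ""}
            events.append(current)
            continue
        if not line:
            current = None          # a blank line ends the current entry
            continue
        if current is not None:     # first or continuation line of the description
            if line.startswith("Description ="):
                line = line[len("Description ="):].strip()
            current["description"] = (current["description"] + " " + line).strip()
    return events


def triage(events):
    """Group recurring errors and pull out the items worth a manual check."""
    by_key = Counter((e["source"], e["id"]) for e in events)
    hosts = set()
    for e in events:
        # crypt32 131080: the CTL download failed; keep the host when DNS failed
        if (e["source"], e["id"]) == ("crypt32", 131080) and \
                "could not be resolved" in e["description"]:
            m = re.search(r"<https?://([^/>]+)", e["description"])
            if m:
                hosts.add(m.group(1))
    crashes = []
    for e in events:
        if (e["source"], e["id"]) == ("Application Error", 1000):
            m = FAULTING.search(e["description"])
            if m:
                crashes.append((e["when"], m.group("app"), m.group("mod")))
    failed_drivers = [e["description"].split(":")[-1].strip() for e in events
                      if (e["source"], e["id"]) == ("Service Control Manager", 7026)]
    return {"recurring": {k: n for k, n in by_key.items() if n > 1},
            "unresolved_hosts": sorted(hosts),
            "crashes": crashes,
            "failed_drivers": failed_drivers}


if __name__ == "__main__":
    result = triage(parse_otl_events(SAMPLE))
    for (source, event_id), n in result["recurring"].items():
        print(f"{n}x  {source} / {event_id}")
    print("unresolvable hosts:", result["unresolved_hosts"])
    print("faulting executables:", [app for _, app, _ in result["crashes"]])
    print("drivers that failed to load:", result["failed_drivers"])
```

Two caveats on reading the output. The crypt32 entries only say that www.download.windowsupdate.com could not be resolved at those two times; the same event appears when the machine is simply offline, so confirm the configured DNS servers and the hosts file before reading more into it. The crash list only names the faulting executables for review and says nothing by itself about whether they are malicious.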
#20 Broni Re: [RESOLVED] Rootkit.TDS?


Posted 23 January 2012 - 01:22 AM

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    O2 - BHO: (no name) - AutorunsDisabled - No CLSID value found.
    @Alternate Data Stream - 165 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:631CA307
    
    :Commands
    [purity]
    [emptytemp]
    [emptyjava]
    [emptyflash]
    [Reboot]
    

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • You will get a log that shows the results of the fix. Please post it.

=====================================================================

Last scans...

1. Download Security Check from HERE, and save it to your Desktop.
  • Double-click SecurityCheck.exe
  • Follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

    NOTE: SecurityCheck may produce some false warning(s), so leave the reading of the results to me.

2. Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.


3. Download Temp File Cleaner (TFC)
  • Double click on TFC.exe to run the program.
  • Click on Start button to begin cleaning process.
  • TFC will close all running programs, and it may ask you to restart the computer.


4. Please run a free online scan with the ESET Online Scanner

  • Disable your antivirus program
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • Accept any security warnings from your browser.
  • Check Scan archives
  • Click Start
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click on List of found threats
  • Click on Export to text file , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • NOTE: If ESET doesn't find any threats, it won't produce a log.
