1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

win 32 reveton ink

Discussion in 'Virus & Other Malware Removal' started by rem_2007, Dec 29, 2012.

Thread Status:
Not open for further replies.
Advertisement
  1. rem_2007

    rem_2007 Thread Starter

    Joined:
    Nov 21, 2007
    Messages:
    63
    Hello again friends, I got a virus that keeps appearing on my desktop similar to a web page, like a police warning asking for money.
    I tried to scan the computer with a kaspersky, avast and a specific BD removal trojan ransom ice pol and no luck.
    The virus deactivated my wireless connection also and now I connected my laptop to the internet through a vodafone stick in order to contact you.
    Please help me, what should I do:(
    Thank you very much.
    ( Microsoft essentials said that the trojan is win 32 reveton ink)
    OS= Microsoft Profesional XP 2002, service pack 3

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 4:59:01 PM, on 12/29/2012
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\Program Files\COMODO\COMODO GeekBuddy\CLPSLS.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Microsoft Security Client\MsMpEng.exe
    C:\WINDOWS\system32\spoolsv.exe
    c:\program files\idt\wdm\STacSV.exe
    C:\WINDOWS\system32\acs.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Java\jre7\bin\jqs.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
    C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\IDT\WDM\sttray.exe
    C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Atheros\ACU.exe
    C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
    C:\Documents and Settings\All Users\Application Data\Ad-Aware Browsing Protection\adawarebp.exe
    C:\Program Files\DivX\DivX Update\DivXUpdate.exe
    C:\Program Files\Microsoft Security Client\msseces.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\McAfee Security Scan\3.0.207\SSScheduler.exe
    C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
    C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Mozilla Firefox\plugin-container.exe
    C:\Documents and Settings\Alma\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.facebook.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/?ilc=8
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?ilc=8
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R3 - URLSearchHook: (no name) - {81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - (no file)
    R3 - URLSearchHook: Ad-Aware Security Toolbar - {6c97a91e-4524-4019-86af-2aa2d567bf5c} - C:\Program Files\adawaretb\adawareDx.dll
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Increase performance and video formats for your HTML5 <video> - {326E768D-4182-46FD-9C16-1449A49795F4} - C:\Program Files\DivX\DivX Plus Web Player\ie\DivXHTML5\DivXHTML5.dll
    O2 - BHO: Ad-Aware Security Toolbar - {6c97a91e-4524-4019-86af-2aa2d567bf5c} - C:\Program Files\adawaretb\adawareDx.dll
    O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.7529.1424\swg.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll
    O3 - Toolbar: Ad-Aware Security Toolbar - {6c97a91e-4524-4019-86af-2aa2d567bf5c} - C:\Program Files\adawaretb\adawareDx.dll
    O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O4 - HKLM\..\Run: [IAStorIcon] C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
    O4 - HKLM\..\Run: [QlbCtrl.exe] C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
    O4 - HKLM\..\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [WirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
    O4 - HKLM\..\Run: [ACU] "C:\Program Files\Atheros\ACU.exe" -nogui
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKLM\..\Run: [Ad-Aware Browsing Protection] "C:\Documents and Settings\All Users\Application Data\Ad-Aware Browsing Protection\adawarebp.exe"
    O4 - HKLM\..\Run: [DivXUpdate] "C:\Program Files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
    O4 - HKLM\..\Run: [MobileConnect] %programfiles%\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.exe /silent
    O4 - HKLM\..\Run: [MSC] "C:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe"
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [COMODO] C:\Program Files\COMODO\COMODO GeekBuddy\CLPSLA.exe
    O4 - HKLM\..\Run: [CPA] C:\Program Files\COMODO\COMODO GeekBuddy\VALA.exe
    O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
    O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
    O4 - HKCU\..\Run: [Facebook Update] "C:\Documents and Settings\Alma\Local Settings\Application Data\Facebook\Update\FacebookUpdate.exe" /c /nocrashserver
    O4 - HKUS\S-1-5-21-1275210071-630328440-1801674531-1003\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
    O4 - HKUS\S-1-5-21-1275210071-630328440-1801674531-1003\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" (User '?')
    O4 - HKUS\S-1-5-21-1275210071-630328440-1801674531-1003\..\Run: [Messenger (Yahoo!)] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet (User '?')
    O4 - HKUS\S-1-5-21-1275210071-630328440-1801674531-1003\..\Run: [Facebook Update] "C:\Documents and Settings\Alma\Local Settings\Application Data\Facebook\Update\FacebookUpdate.exe" /c /nocrashserver (User '?')
    O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User '?')
    O4 - HKUS\S-1-5-18\..\RunOnce: [adaware] reg.exe delete "HKCU\Software\AppDataLow\Software\adaware" /f (User '?')
    O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
    O4 - HKUS\.DEFAULT\..\RunOnce: [adaware] reg.exe delete "HKCU\Software\AppDataLow\Software\adaware" /f (User 'Default user')
    O4 - Global Startup: McAfee Security Scan Plus.lnk = C:\Program Files\McAfee Security Scan\3.0.207\SSScheduler.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1287577797984
    O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: Atheros Configuration Service (ACS) - Atheros - C:\WINDOWS\system32\acs.exe
    O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: COMODO livePCsupport Service (CLPSLS) - COMODO - C:\Program Files\COMODO\COMODO GeekBuddy\CLPSLS.exe
    O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
    O23 - Service: Com4QLBEx - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
    O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    O23 - Service: Intel(R) Rapid Storage Technology (IAStorDataMgrSvc) - Intel Corporation - C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Oracle Corporation - C:\Program Files\Java\jre7\bin\jqs.exe
    O23 - Service: McAfee Security Scan Component Host Service (McComponentHostService) - McAfee, Inc. - C:\Program Files\McAfee Security Scan\3.0.207\McCHSvc.exe
    O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe
    O23 - Service: Audio Service (STacSV) - IDT, Inc. - c:\program files\idt\wdm\STacSV.exe
    O23 - Service: Vodafone Mobile Connect Service (VMCService) - Vodafone - C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe
    O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

    --
    End of file - 11980 bytes

    DDS (Ver_2012-11-20.01) - NTFS_x86
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 10.9.2
    Run by Alma at 17:22:24 on 2012-12-29
    .
    ============== Running Processes ================
    .
    C:\Program Files\Atheros\ACU.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.facebook.com/
    mStart Page = hxxp://www.yahoo.com/?ilc=8
    mDefault_Page_URL = hxxp://www.yahoo.com/?ilc=8
    uInternet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
    uURLSearchHooks: {81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - <orphaned>
    uURLSearchHooks: Ad-Aware Security Toolbar: {6c97a91e-4524-4019-86af-2aa2d567bf5c} - c:\program files\adawaretb\adawareDx.dll
    mWinlogon: Userinit = c:\windows\system32\userinit.exe
    BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - <orphaned>
    BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: DivX Plus Web Player HTML5 <video>: {326E768D-4182-46FD-9C16-1449A49795F4} - c:\program files\divx\divx plus web player\ie\divxhtml5\DivXHTML5.dll
    BHO: Ad-Aware Security Toolbar: {6c97a91e-4524-4019-86af-2aa2d567bf5c} - c:\program files\adawaretb\adawareDx.dll
    BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
    BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    BHO: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - c:\program files\google\googletoolbarnotifier\5.7.7529.1424\swg.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
    TB: Google Toolbar: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    TB: Ad-Aware Security Toolbar: {6c97a91e-4524-4019-86af-2aa2d567bf5c} - c:\program files\adawaretb\adawareDx.dll
    TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
    uRun: [Messenger (Yahoo!)] "c:\progra~1\yahoo!\messen~1\YAHOOM~1.EXE" -quiet
    uRun: [Facebook Update] "c:\documents and settings\alma\local settings\application data\facebook\update\FacebookUpdate.exe" /c /nocrashserver
    mRun: [IAStorIcon] c:\program files\intel\intel(r) rapid storage technology\IAStorIcon.exe
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mRun: [SysTrayApp] c:\program files\idt\wdm\sttray.exe
    mRun: [QlbCtrl.exe] c:\program files\hewlett-packard\hp quick launch buttons\QlbCtrl.exe /Start
    mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
    mRun: [WirelessAssistant] c:\program files\hewlett-packard\hp wireless assistant\HPWAMain.exe
    mRun: [ACU] "c:\program files\atheros\ACU.exe" -nogui
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [Ad-Aware Browsing Protection] "c:\documents and settings\all users\application data\ad-aware browsing protection\adawarebp.exe"
    mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
    mRun: [MobileConnect] c:\program files\vodafone\vodafone mobile connect\bin\MobileConnect.exe /silent
    mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [COMODO] c:\program files\comodo\comodo geekbuddy\CLPSLA.exe
    mRun: [CPA] c:\program files\comodo\comodo geekbuddy\VALA.exe
    mRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h
    dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
    dRunOnce: [adaware] reg.exe delete "HKCU\Software\AppDataLow\Software\adaware" /f
    dRunOnce: [adaware_XP] reg.exe delete "HKCU\Software\adaware" /f
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\3.0.207\SSScheduler.exe
    uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
    mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1287577797984
    TCP: NameServer = 81.12.128.206 81.12.132.206
    TCP: Interfaces\{F8370354-2DFF-455D-BBF7-E2F29B234C27} : DHCPNameServer = 81.12.128.206 81.12.132.206
    Notify: crypt32chain - crypt32.dll
    Notify: cryptnet - cryptnet.dll
    Notify: cscdll - cscdll.dll
    Notify: dimsntfy - c:\windows\system32\dimsntfy.dll
    Notify: igfxcui - igfxdev.dll
    Notify: ScCertProp - wlnotify.dll
    Notify: Schedule - wlnotify.dll
    Notify: sclgntfy - sclgntfy.dll
    Notify: SensLogn - WlNotify.dll
    Notify: termsrv - wlnotify.dll
    Notify: WgaLogon - WgaLogon.dll
    Notify: wlballoon - wlnotify.dll
    AppInit_DLLs= c:\windows\system32\guard32.dll
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\documents and settings\alma\application data\mozilla\firefox\profiles\46bdjjcf.default\
    FF - prefs.js: browser.search.selectedEngine - Ask.com
    FF - prefs.js: browser.startup.homepage - hxxps://www.facebook.com/
    FF - plugin: c:\documents and settings\alma\application data\mozilla\firefox\profiles\46bdjjcf.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
    FF - plugin: c:\documents and settings\alma\local settings\application data\facebook\messenger\2.1.4651.0\npFbDesktopPlugin.dll
    FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
    FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll
    FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
    FF - plugin: c:\program files\google\update\1.3.21.123\npGoogleUpdate3.dll
    FF - plugin: c:\program files\java\jre7\bin\plugin2\npjp2.dll
    FF - plugin: c:\program files\microsoft silverlight\5.1.10411.0\npctrlui.dll
    FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_5_502_135.dll
    FF - plugin: c:\windows\system32\npdeployJava1.dll
    FF - plugin: c:\windows\system32\npptools.dll
    FF - ExtSQL: 2012-12-29 16:43; {e001c731-5e37-4538-a5cb-8168736a2360}; c:\documents and settings\alma\application data\mozilla\firefox\profiles\46bdjjcf.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}
    .
    ============= SERVICES / DRIVERS ===============
    .
    .
    =============== Created Last 30 ================
    .
    2012-12-29 14:43:31 -------- d-----w- c:\documents and settings\alma\application data\QuickScan
    2012-12-29 07:31:57 -------- d--h--w- C:\VritualRoot
    2012-12-29 07:31:30 60872 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{b6ae9302-b038-472b-a4c6-d9dccd9e3372}\offreg.dll
    2012-12-29 07:30:58 428096 ----a-w- c:\windows\system32\drivers\sfi.dat
    2012-12-29 07:26:27 -------- d-----w- c:\documents and settings\all users\application data\Comodo
    2012-12-29 07:26:22 -------- d-----w- c:\program files\COMODO
    2012-12-29 07:26:21 1700352 ----a-w- c:\windows\system32\gdiplus.dll
    2012-12-29 07:26:21 1060864 ----a-w- c:\windows\system32\mfc71.dll
    2012-12-29 07:15:23 -------- d-----w- c:\documents and settings\all users\application data\Comodo Downloader
    2012-12-29 07:14:38 6812136 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{b6ae9302-b038-472b-a4c6-d9dccd9e3372}\mpengine.dll
    2012-12-28 19:14:14 -------- d---a-w- C:\Kaspersky Rescue Disk 10.0
    2012-12-27 08:04:05 6812136 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
    2012-12-24 13:55:36 -------- d-----w- c:\documents and settings\alma\local settings\application data\Facebook
    2012-12-20 22:56:33 -------- d-----w- c:\documents and settings\alma\local settings\application data\Apple Computer
    2012-12-20 22:56:11 26840 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
    2012-12-20 22:55:12 -------- d-----w- c:\program files\iPod
    2012-12-20 22:55:02 -------- d-----w- c:\program files\iTunes
    2012-12-20 22:55:02 -------- d-----w- c:\documents and settings\all users\application data\188F1432-103A-4ffb-80F1-36B633C5C9E1
    2012-12-20 22:54:36 -------- d-----w- c:\documents and settings\alma\local settings\application data\Apple
    2012-12-20 22:53:41 -------- d-----w- c:\program files\Bonjour
    2012-12-16 13:34:06 -------- d-----w- c:\program files\SopCast
    2012-12-05 20:52:59 15840 ----a-w- c:\program files\mozilla firefox\mozalloc.dll
    2012-12-05 20:15:29 -------- d-----w- c:\documents and settings\alma\local settings\application data\adawarebp
    2012-12-05 19:37:16 -------- d-----w- c:\documents and settings\alma\local settings\application data\adaware
    2012-12-05 19:32:53 -------- d-----w- c:\documents and settings\alma\application data\adawaretb
    2012-12-05 19:32:48 -------- d-----w- c:\program files\adawaretb
    2012-12-05 19:31:52 -------- d-----w- c:\documents and settings\alma\application data\Ad-Aware Antivirus
    .
    ==================== Find3M ====================
    .
    2012-12-16 12:23:59 290560 ----a-w- c:\windows\system32\atmfd.dll
    2012-12-11 18:45:00 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-12-11 18:45:00 697272 ----a-w- c:\windows\system32\FlashPlayerApp.exe
    2012-11-13 01:25:12 1866368 ----a-w- c:\windows\system32\win32k.sys
    2012-11-02 02:02:42 375296 ----a-w- c:\windows\system32\dpnet.dll
    2012-11-01 12:17:54 916992 ----a-w- c:\windows\system32\wininet.dll
    2012-11-01 12:17:54 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2012-11-01 12:17:54 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
    2012-11-01 00:35:34 385024 ----a-w- c:\windows\system32\html.iec
    2012-10-02 18:04:21 58368 ----a-w- c:\windows\system32\synceng.dll
    .
    ============= FINISH: 17:24:21.98 ===============

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2012-11-20.01)
    .
    .
    ==== Disk Partitions =========================
    .
    .
    ==== Disabled Device Manager Items =============
    .
    ==== System Restore Points ===================
    .
    No restore point in system.
    .
    ==== Installed Programs ======================
    .
    7-Zip 4.62
    Ad-Aware Browsing Protection
    Ad-Aware Security Toolbar
    Adobe AIR
    Adobe Flash Player 11 ActiveX
    Adobe Flash Player 11 Plugin
    Adobe Reader 9.5.2
    Adobe Shockwave Player 11.5
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    Arcade Classic Pack 5.10
    Atheros Client Installation Program
    Bonjour
    COMODO GeekBuddy
    COMODO Internet Security
    Compatibility Pack for the 2007 Office system
    DivX Setup
    EasyCleaner
    Facebook Messenger 2.1.4651.0
    Google Toolbar for Firefox
    Google Toolbar for Internet Explorer
    Google Update Helper
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows XP (KB2158563)
    Hotfix for Windows XP (KB2443685)
    Hotfix for Windows XP (KB2570791)
    Hotfix for Windows XP (KB2633952)
    Hotfix for Windows XP (KB2756822)
    Hotfix for Windows XP (KB2779562)
    Hotfix for Windows XP (KB942288-v3)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB961118)
    Hotfix for Windows XP (KB969084)
    HP Quick Launch Buttons
    HP Wireless Assistant
    IDT Audio
    InstallIQ Updater
    Intel(R) Graphics Media Accelerator Driver
    Intel(R) Rapid Storage Technology
    iTunes
    Java 7 Update 9
    Java Auto Updater
    McAfee Security Scan Plus
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Application Error Reporting
    Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
    Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
    Microsoft Kernel-Mode Driver Framework Feature Pack 1.9
    Microsoft Office File Validation Add-In
    Microsoft Office Professional Edition 2003
    Microsoft Security Client
    Microsoft Security Essentials
    Microsoft Silverlight
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
    Mozilla Firefox 17.0.1 (x86 en-US)
    Mozilla Maintenance Service
    MSXML 4.0 SP3 Parser (KB2721691)
    MSXML 4.0 SP3 Parser (KB973685)
    QLBCASL
    REALTEK GbE & FE Ethernet PCI-E NIC Driver
    Realtek USB 2.0 Card Reader
    Security Update for CAPICOM (KB931906)
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111)
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
    Security Update for Microsoft Windows (KB2564958)
    Security Update for Windows Internet Explorer 8 (KB2360131)
    Security Update for Windows Internet Explorer 8 (KB2416400)
    Security Update for Windows Internet Explorer 8 (KB2482017)
    Security Update for Windows Internet Explorer 8 (KB2497640)
    Security Update for Windows Internet Explorer 8 (KB2510531)
    Security Update for Windows Internet Explorer 8 (KB2530548)
    Security Update for Windows Internet Explorer 8 (KB2544521)
    Security Update for Windows Internet Explorer 8 (KB2559049)
    Security Update for Windows Internet Explorer 8 (KB2586448)
    Security Update for Windows Internet Explorer 8 (KB2618444)
    Security Update for Windows Internet Explorer 8 (KB2647516)
    Security Update for Windows Internet Explorer 8 (KB2675157)
    Security Update for Windows Internet Explorer 8 (KB2699988)
    Security Update for Windows Internet Explorer 8 (KB2722913)
    Security Update for Windows Internet Explorer 8 (KB2744842)
    Security Update for Windows Internet Explorer 8 (KB2761465)
    Security Update for Windows Internet Explorer 8 (KB971961)
    Security Update for Windows Internet Explorer 8 (KB981332)
    Security Update for Windows Media Player (KB2378111)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player (KB975558)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows Media Player (KB979402)
    Security Update for Windows XP (KB2079403)
    Security Update for Windows XP (KB2115168)
    Security Update for Windows XP (KB2121546)
    Security Update for Windows XP (KB2124261)
    Security Update for Windows XP (KB2160329)
    Security Update for Windows XP (KB2183461)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB2259922)
    Security Update for Windows XP (KB2279986)
    Security Update for Windows XP (KB2286198)
    Security Update for Windows XP (KB2290570)
    Security Update for Windows XP (KB2296011)
    Security Update for Windows XP (KB2296199)
    Security Update for Windows XP (KB2347290)
    Security Update for Windows XP (KB2360937)
    Security Update for Windows XP (KB2387149)
    Security Update for Windows XP (KB2393802)
    Security Update for Windows XP (KB2412687)
    Security Update for Windows XP (KB2419632)
    Security Update for Windows XP (KB2423089)
    Security Update for Windows XP (KB2436673)
    Security Update for Windows XP (KB2440591)
    Security Update for Windows XP (KB2443105)
    Security Update for Windows XP (KB2476490)
    Security Update for Windows XP (KB2476687)
    Security Update for Windows XP (KB2478960)
    Security Update for Windows XP (KB2478971)
    Security Update for Windows XP (KB2479628)
    Security Update for Windows XP (KB2479943)
    Security Update for Windows XP (KB2483185)
    Security Update for Windows XP (KB2483614)
    Security Update for Windows XP (KB2485376)
    Security Update for Windows XP (KB2485663)
    Security Update for Windows XP (KB2503658)
    Security Update for Windows XP (KB2503665)
    Security Update for Windows XP (KB2506212)
    Security Update for Windows XP (KB2506223)
    Security Update for Windows XP (KB2507618)
    Security Update for Windows XP (KB2507938)
    Security Update for Windows XP (KB2508272)
    Security Update for Windows XP (KB2508429)
    Security Update for Windows XP (KB2509553)
    Security Update for Windows XP (KB2511455)
    Security Update for Windows XP (KB2524375)
    Security Update for Windows XP (KB2535512)
    Security Update for Windows XP (KB2536276-v2)
    Security Update for Windows XP (KB2536276)
    Security Update for Windows XP (KB2544893-v2)
    Security Update for Windows XP (KB2544893)
    Security Update for Windows XP (KB2555917)
    Security Update for Windows XP (KB2562937)
    Security Update for Windows XP (KB2566454)
    Security Update for Windows XP (KB2567053)
    Security Update for Windows XP (KB2567680)
    Security Update for Windows XP (KB2570222)
    Security Update for Windows XP (KB2570947)
    Security Update for Windows XP (KB2584146)
    Security Update for Windows XP (KB2585542)
    Security Update for Windows XP (KB2592799)
    Security Update for Windows XP (KB2598479)
    Security Update for Windows XP (KB2603381)
    Security Update for Windows XP (KB2618451)
    Security Update for Windows XP (KB2619339)
    Security Update for Windows XP (KB2620712)
    Security Update for Windows XP (KB2621440)
    Security Update for Windows XP (KB2624667)
    Security Update for Windows XP (KB2631813)
    Security Update for Windows XP (KB2633171)
    Security Update for Windows XP (KB2639417)
    Security Update for Windows XP (KB2641653)
    Security Update for Windows XP (KB2646524)
    Security Update for Windows XP (KB2647518)
    Security Update for Windows XP (KB2653956)
    Security Update for Windows XP (KB2655992)
    Security Update for Windows XP (KB2659262)
    Security Update for Windows XP (KB2660465)
    Security Update for Windows XP (KB2661637)
    Security Update for Windows XP (KB2676562)
    Security Update for Windows XP (KB2685939)
    Security Update for Windows XP (KB2686509)
    Security Update for Windows XP (KB2691442)
    Security Update for Windows XP (KB2695962)
    Security Update for Windows XP (KB2698365)
    Security Update for Windows XP (KB2705219)
    Security Update for Windows XP (KB2707511)
    Security Update for Windows XP (KB2709162)
    Security Update for Windows XP (KB2712808)
    Security Update for Windows XP (KB2718523)
    Security Update for Windows XP (KB2719985)
    Security Update for Windows XP (KB2723135)
    Security Update for Windows XP (KB2724197)
    Security Update for Windows XP (KB2727528)
    Security Update for Windows XP (KB2731847)
    Security Update for Windows XP (KB2753842-v2)
    Security Update for Windows XP (KB2753842)
    Security Update for Windows XP (KB2758857)
    Security Update for Windows XP (KB2761226)
    Security Update for Windows XP (KB2770660)
    Security Update for Windows XP (KB2779030)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB953155)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB970483)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB971961)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975254)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979687)
    Security Update for Windows XP (KB980195)
    Security Update for Windows XP (KB980218)
    Security Update for Windows XP (KB980232)
    Security Update for Windows XP (KB980436)
    Security Update for Windows XP (KB981322)
    Security Update for Windows XP (KB981852)
    Security Update for Windows XP (KB981957)
    Security Update for Windows XP (KB981997)
    Security Update for Windows XP (KB982132)
    Security Update for Windows XP (KB982214)
    Security Update for Windows XP (KB982665)
    Security Update for Windows XP (KB982802)
    SopCast 3.5.0
    Synaptics Pointing Device Driver
    TeamViewer 7
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Windows Internet Explorer 8 (KB2362765)
    Update for Windows Internet Explorer 8 (KB976662)
    Update for Windows XP (KB2141007)
    Update for Windows XP (KB2345886)
    Update for Windows XP (KB2467659)
    Update for Windows XP (KB2541763)
    Update for Windows XP (KB2607712)
    Update for Windows XP (KB2616676)
    Update for Windows XP (KB2641690)
    Update for Windows XP (KB2661254-v2)
    Update for Windows XP (KB2718704)
    Update for Windows XP (KB2736233)
    Update for Windows XP (KB2749655)
    Update for Windows XP (KB898461)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB958752)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971029)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    VC80CRTRedist - 8.0.50727.6195
    VLC media player 1.1.7
    Vodafone Mobile Connect Lite
    WebFldrs XP
    Windows Genuine Advantage Notifications (KB905474)
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Internet Explorer 8
    Yahoo! Messenger
    Yahoo! Software Update
    .
    ==== End Of File ===========================

    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit scan 2012-12-29 18:44:44
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 ST916031 rev.HP07
    Running: 2v08j6i6.exe; Driver: C:\DOCUME~1\Alma\LOCALS~1\Temp\ufldqpoc.sys


    ---- System - GMER 1.0.15 ----

    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwAdjustPrivilegesToken [0xA78088B2]
    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwConnectPort [0xA7807E48]
    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwCreateFile [0xA7808518]
    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwCreateKey [0xA7809126]
    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwCreatePort [0xA7807D28]
    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwCreateSection [0xA780B1E0]
    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwCreateSymbolicLinkObject [0xA780B568]
    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwCreateThread [0xA7807714]
    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwDeleteKey [0xA7808A9E]
    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwDeleteValueKey [0xA7808C9E]
    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwDuplicateObject [0xA780751A]
    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwEnumerateKey [0xA7809864]
    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwEnumerateValueKey [0xA7809ABA]
    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwLoadDriver [0xA780ABF0]
    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwMakeTemporaryObject [0xA7808110]
    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwOpenFile [0xA78086F4]
    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwOpenKey [0xA7809116]
    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwOpenProcess [0xA7807148]
    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwOpenSection [0xA78083B4]
    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwOpenThread [0xA780734C]
    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwQueryKey [0xA7809CC8]
    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwQueryMultipleValueKey [0xA780A11C]
    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwQueryValueKey [0xA7809EDA]
    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwRenameKey [0xA780967C]
    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwRequestWaitReplyPort [0xA780A68C]
    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwSecureConnectPort [0xA780A940]
    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwSetSecurityObject [0xA7808EEE]
    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwSetSystemInformation [0xA780AEE8]
    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwSetValueKey [0xA78093F4]
    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwShutdownSystem [0xA780807A]
    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwSystemDebugControl [0xA78082A0]
    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwTerminateProcess [0xA7807B2A]
    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwTerminateThread [0xA7807918]

    ---- Kernel code sections - GMER 1.0.15 ----

    .text ntkrnlpa.exe!ZwCallbackReturn + 2F9C 80504894 4 Bytes CALL 98F7C947
    ? System32\DRIVERS\cmderd.sys The system cannot find the path specified. !
    ? System32\DRIVERS\cmdguard.sys The system cannot find the path specified. !

    ---- User code sections - GMER 1.0.15 ----

    .text C:\WINDOWS\Explorer.EXE[236] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 1001CE40 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\Explorer.EXE[236] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 10025680 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\Explorer.EXE[236] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 1001CF60 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\Explorer.EXE[236] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 100226F0 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\Explorer.EXE[236] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 10023280 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\Explorer.EXE[236] ADVAPI32.dll!CreateProcessAsUserW 77DEA8A9 5 Bytes JMP 10021220 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\Explorer.EXE[236] ADVAPI32.dll!CreateProcessAsUserA 77E10CE8 5 Bytes JMP 10021B50 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\Explorer.EXE[236] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 1002DF90 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\Explorer.EXE[236] ole32.dll!CoCreateInstanceEx 774FF164 5 Bytes JMP 1002E410 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\Explorer.EXE[236] ole32.dll!CoGetClassObject 77515205 5 Bytes JMP 1002E1D0 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\svchost.exe[252] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 1001CE40 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\svchost.exe[252] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 10025680 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\svchost.exe[252] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 1001CF60 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\svchost.exe[252] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 100226F0 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\svchost.exe[252] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 10023280 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\svchost.exe[252] ADVAPI32.dll!CreateProcessAsUserW 77DEA8A9 5 Bytes JMP 10021220 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\svchost.exe[252] ADVAPI32.dll!CreateProcessAsUserA 77E10CE8 5 Bytes JMP 10021B50 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\svchost.exe[252] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 1002DF90 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\svchost.exe[252] ole32.dll!CoCreateInstanceEx 774FF164 5 Bytes JMP 1002E410 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\svchost.exe[252] ole32.dll!CoGetClassObject 77515205 5 Bytes JMP 1002E1D0 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\svchost.exe[380] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 1001CE40 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\svchost.exe[380] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 10025680 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\svchost.exe[380] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 1001CF60 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\svchost.exe[380] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 100226F0 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\svchost.exe[380] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 10023280 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\svchost.exe[380] ADVAPI32.dll!CreateProcessAsUserW 77DEA8A9 5 Bytes JMP 10021220 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\svchost.exe[380] ADVAPI32.dll!CreateProcessAsUserA 77E10CE8 5 Bytes JMP 10021B50 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\svchost.exe[380] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 1002DF90 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\svchost.exe[380] ole32.dll!CoCreateInstanceEx 774FF164 5 Bytes JMP 1002E410 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\svchost.exe[380] ole32.dll!CoGetClassObject 77515205 5 Bytes JMP 1002E1D0 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[452] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 1001CE40 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[452] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 10025680 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[452] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 1001CF60 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[452] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 100226F0 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[452] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 10023280 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[452] ADVAPI32.dll!CreateProcessAsUserW 77DEA8A9 5 Bytes JMP 10021220 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[452] ADVAPI32.dll!CreateProcessAsUserA 77E10CE8 5 Bytes JMP 10021B50 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[452] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 1002DF90 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\Java\jre7\bin\jqs.exe[556] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 1001CE40 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\Java\jre7\bin\jqs.exe[556] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 10025680 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\Java\jre7\bin\jqs.exe[556] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 1001CF60 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\Java\jre7\bin\jqs.exe[556] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 100226F0 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\Java\jre7\bin\jqs.exe[556] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 10023280 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\Java\jre7\bin\jqs.exe[556] ADVAPI32.dll!CreateProcessAsUserW 77DEA8A9 5 Bytes JMP 10021220 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\Java\jre7\bin\jqs.exe[556] ADVAPI32.dll!CreateProcessAsUserA 77E10CE8 5 Bytes JMP 10021B50 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\Java\jre7\bin\jqs.exe[556] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 1002DF90 C:\WINDOWS\system32\guard32.dll
    .text C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[572] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 1001CE40 C:\WINDOWS\system32\guard32.dll
    .text C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[572] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 10025680 C:\WINDOWS\system32\guard32.dll
    .text C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[572] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 1001CF60 C:\WINDOWS\system32\guard32.dll
    .text C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[572] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 100226F0 C:\WINDOWS\system32\guard32.dll
    .text C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[572] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 10023280 C:\WINDOWS\system32\guard32.dll
    .text C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[572] ADVAPI32.dll!CreateProcessAsUserW 77DEA8A9 5 Bytes JMP 10021220 C:\WINDOWS\system32\guard32.dll
    .text C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[572] ADVAPI32.dll!CreateProcessAsUserA 77E10CE8 5 Bytes JMP 10021B50 C:\WINDOWS\system32\guard32.dll
    .text C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[572] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 1002DF90 C:\WINDOWS\system32\guard32.dll
    .text C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[572] ole32.dll!CoCreateInstanceEx 774FF164 5 Bytes JMP 1002E410 C:\WINDOWS\system32\guard32.dll
    .text C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[572] ole32.dll!CoGetClassObject 77515205 5 Bytes JMP 1002E1D0 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\spoolsv.exe[668] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 1001CE40 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\spoolsv.exe[668] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 10025680 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\spoolsv.exe[668] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 1001CF60 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\spoolsv.exe[668] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 100226F0 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\spoolsv.exe[668] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 10023280 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\spoolsv.exe[668] ADVAPI32.dll!CreateProcessAsUserW 77DEA8A9 5 Bytes JMP 10021220 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\spoolsv.exe[668] ADVAPI32.dll!CreateProcessAsUserA 77E10CE8 5 Bytes JMP 10021B50 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\spoolsv.exe[668] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 1002DF90 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\spoolsv.exe[668] ole32.dll!CoCreateInstanceEx 774FF164 5 Bytes JMP 1002E410 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\spoolsv.exe[668] ole32.dll!CoGetClassObject 77515205 5 Bytes JMP 1002E1D0 C:\WINDOWS\system32\guard32.dll
    .text c:\program files\idt\wdm\STacSV.exe[708] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 1001CE40 C:\WINDOWS\system32\guard32.dll
    .text c:\program files\idt\wdm\STacSV.exe[708] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 10025680 C:\WINDOWS\system32\guard32.dll
    .text c:\program files\idt\wdm\STacSV.exe[708] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 1001CF60 C:\WINDOWS\system32\guard32.dll
    .text c:\program files\idt\wdm\STacSV.exe[708] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 100226F0 C:\WINDOWS\system32\guard32.dll
    .text c:\program files\idt\wdm\STacSV.exe[708] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 10023280 C:\WINDOWS\system32\guard32.dll
    .text c:\program files\idt\wdm\STacSV.exe[708] ADVAPI32.dll!CreateProcessAsUserW 77DEA8A9 5 Bytes JMP 10021220 C:\WINDOWS\system32\guard32.dll
    .text c:\program files\idt\wdm\STacSV.exe[708] ADVAPI32.dll!CreateProcessAsUserA 77E10CE8 5 Bytes JMP 10021B50 C:\WINDOWS\system32\guard32.dll
    .text c:\program files\idt\wdm\STacSV.exe[708] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 1002DF90 C:\WINDOWS\system32\guard32.dll
    .text c:\program files\idt\wdm\STacSV.exe[708] ole32.dll!CoCreateInstanceEx 774FF164 5 Bytes JMP 1002E410 C:\WINDOWS\system32\guard32.dll
    .text c:\program files\idt\wdm\STacSV.exe[708] ole32.dll!CoGetClassObject 77515205 5 Bytes JMP 1002E1D0 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\acs.exe[812] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 003CCE40 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\acs.exe[812] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 003D5680 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\acs.exe[812] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 003CCF60 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\acs.exe[812] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 003D26F0 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\acs.exe[812] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 003D3280 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\acs.exe[812] ADVAPI32.dll!CreateProcessAsUserW 77DEA8A9 5 Bytes JMP 003D1220 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\acs.exe[812] ADVAPI32.dll!CreateProcessAsUserA 77E10CE8 5 Bytes JMP 003D1B50 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\acs.exe[812] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 003DDF90 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\acs.exe[812] ole32.dll!CoCreateInstanceEx 774FF164 5 Bytes JMP 003DE410 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\acs.exe[812] ole32.dll!CoGetClassObject 77515205 5 Bytes JMP 003DE1D0 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\Bonjour\mDNSResponder.exe[840] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 1001CE40 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\Bonjour\mDNSResponder.exe[840] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 10025680 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\Bonjour\mDNSResponder.exe[840] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 1001CF60 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\Bonjour\mDNSResponder.exe[840] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 100226F0 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\Bonjour\mDNSResponder.exe[840] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 10023280 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\Bonjour\mDNSResponder.exe[840] ADVAPI32.dll!CreateProcessAsUserW 77DEA8A9 5 Bytes JMP 10021220 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\Bonjour\mDNSResponder.exe[840] ADVAPI32.dll!CreateProcessAsUserA 77E10CE8 5 Bytes JMP 10021B50 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\Bonjour\mDNSResponder.exe[840] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 1002DF90 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\Bonjour\mDNSResponder.exe[840] ole32.dll!CoCreateInstanceEx 774FF164 5 Bytes JMP 1002E410 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\Bonjour\mDNSResponder.exe[840] ole32.dll!CoGetClassObject 77515205 5 Bytes JMP 1002E1D0 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\svchost.exe[1136] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 1001CE40 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\svchost.exe[1136] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 10025680 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\svchost.exe[1136] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 1001CF60 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\svchost.exe[1136] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 100226F0 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\svchost.exe[1136] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 10023280 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\svchost.exe[1136] ADVAPI32.dll!CreateProcessAsUserW 77DEA8A9 5 Bytes JMP 10021220 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\svchost.exe[1136] ADVAPI32.dll!CreateProcessAsUserA 77E10CE8 5 Bytes JMP 10021B50 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\svchost.exe[1136] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 1002DF90 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\svchost.exe[1136] ole32.dll!CoCreateInstanceEx 774FF164 5 Bytes JMP 1002E410 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\svchost.exe[1136] ole32.dll!CoGetClassObject 77515205 5 Bytes JMP 1002E1D0 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1412] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 1001CE40 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1412] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 10025680 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1412] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 1001CF60 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1412] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 100226F0 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1412] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 10023280 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1412] ADVAPI32.dll!CreateProcessAsUserW 77DEA8A9 5 Bytes JMP 10021220 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1412] ADVAPI32.dll!CreateProcessAsUserA 77E10CE8 5 Bytes JMP 10021B50 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1412] ole32.dll!CoCreateInstanceEx 774FF164 5 Bytes JMP 1002E410 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1412] ole32.dll!CoGetClassObject 77515205 5 Bytes JMP 1002E1D0 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1412] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 1002DF90 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\services.exe[1504] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 1001CE40 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\services.exe[1504] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 5 Bytes JMP 10028AC0 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\services.exe[1504] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 5 Bytes JMP 10028860 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\services.exe[1504] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 10025680 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\services.exe[1504] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 1001CF60 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\services.exe[1504] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 100226F0 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\services.exe[1504] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 10023280 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\services.exe[1504] ADVAPI32.dll!CreateProcessAsUserW 77DEA8A9 5 Bytes JMP 10021220 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\services.exe[1504] ADVAPI32.dll!CreateProcessAsUserA 77E10CE8 5 Bytes JMP 10021B50 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\services.exe[1504] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 1002DF90 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\lsass.exe[1516] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 1001CE40 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\lsass.exe[1516] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 10025680 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\lsass.exe[1516] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 1001CF60 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\lsass.exe[1516] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 100226F0 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\lsass.exe[1516] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 10023280 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\lsass.exe[1516] ADVAPI32.dll!CreateProcessAsUserW 77DEA8A9 5 Bytes JMP 10021220 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\lsass.exe[1516] ADVAPI32.dll!CreateProcessAsUserA 77E10CE8 5 Bytes JMP 10021B50 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\lsass.exe[1516] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 1002DF90 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\lsass.exe[1516] ole32.dll!CoCreateInstanceEx 774FF164 5 Bytes JMP 1002E410 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\lsass.exe[1516] ole32.dll!CoGetClassObject 77515205 5 Bytes JMP 1002E1D0 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\svchost.exe[1692] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 1001CE40 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\svchost.exe[1692] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 10025680 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\svchost.exe[1692] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 1001CF60 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\svchost.exe[1692] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 100226F0 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\svchost.exe[1692] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 10023280 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\svchost.exe[1692] ADVAPI32.dll!CreateProcessAsUserW 77DEA8A9 5 Bytes JMP 10021220 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\svchost.exe[1692] ADVAPI32.dll!CreateProcessAsUserA 77E10CE8 5 Bytes JMP 10021B50 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\svchost.exe[1692] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 1002DF90 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\svchost.exe[1692] ole32.dll!CoCreateInstanceEx 774FF164 5 Bytes JMP 1002E410 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\svchost.exe[1692] ole32.dll!CoGetClassObject 77515205 5 Bytes JMP 1002E1D0 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\svchost.exe[1700] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 1001CE40 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\svchost.exe[1700] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 10025680 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\svchost.exe[1700] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 1001CF60 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\svchost.exe[1700] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 100226F0 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\svchost.exe[1700] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 10023280 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\svchost.exe[1700] ADVAPI32.dll!CreateProcessAsUserW 77DEA8A9 5 Bytes JMP 10021220 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\svchost.exe[1700] ADVAPI32.dll!CreateProcessAsUserA 77E10CE8 5 Bytes JMP 10021B50 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\svchost.exe[1700] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 1002DF90 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\svchost.exe[1700] ole32.dll!CoCreateInstanceEx 774FF164 5 Bytes JMP 1002E410 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\svchost.exe[1700] ole32.dll!CoGetClassObject 77515205 5 Bytes JMP 1002E1D0 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\svchost.exe[1740] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 1001CE40 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\svchost.exe[1740] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 10025680 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\svchost.exe[1740] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 1001CF60 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\svchost.exe[1740] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 100226F0 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\svchost.exe[1740] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 10023280 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\svchost.exe[1740] ADVAPI32.dll!CreateProcessAsUserW 77DEA8A9 5 Bytes JMP 10021220 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\svchost.exe[1740] ADVAPI32.dll!CreateProcessAsUserA 77E10CE8 5 Bytes JMP 10021B50 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\svchost.exe[1740] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 1002DF90 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\svchost.exe[1740] ole32.dll!CoCreateInstanceEx 774FF164 5 Bytes JMP 1002E410 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\svchost.exe[1740] ole32.dll!CoGetClassObject 77515205 5 Bytes JMP 1002E1D0 C:\WINDOWS\system32\guard32.dll
    .text C:\Program[1780] ntdll.dll!NtAllocateVirtualMemory 7C90CF6E 5 Bytes JMP 0061DD20 C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
    .text C:\Program[1780] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00635CB0 C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
    .text C:\WINDOWS\system32\svchost.exe[1852] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 1001CE40 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\svchost.exe[1852] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 10025680 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\svchost.exe[1852] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 1001CF60 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\svchost.exe[1852] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 100226F0 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\svchost.exe[1852] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 10023280 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\svchost.exe[1852] ADVAPI32.dll!CreateProcessAsUserW 77DEA8A9 5 Bytes JMP 10021220 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\svchost.exe[1852] ADVAPI32.dll!CreateProcessAsUserA 77E10CE8 5 Bytes JMP 10021B50 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\svchost.exe[1852] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 1002DF90 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\svchost.exe[1852] ole32.dll!CoCreateInstanceEx 774FF164 5 Bytes JMP 1002E410 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\svchost.exe[1852] ole32.dll!CoGetClassObject 77515205 5 Bytes JMP 1002E1D0 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\Microsoft Security Client\MsMpEng.exe[1872] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 1001CE40 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\Microsoft Security Client\MsMpEng.exe[1872] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 10025680 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\Microsoft Security Client\MsMpEng.exe[1872] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 1001CF60 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\Microsoft Security Client\MsMpEng.exe[1872] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 100226F0 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\Microsoft Security Client\MsMpEng.exe[1872] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 10023280 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\Microsoft Security Client\MsMpEng.exe[1872] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 1002DF90 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\Microsoft Security Client\MsMpEng.exe[1872] ADVAPI32.dll!CreateProcessAsUserW 77DEA8A9 5 Bytes JMP 10021220 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\Microsoft Security Client\MsMpEng.exe[1872] ADVAPI32.dll!CreateProcessAsUserA 77E10CE8 5 Bytes JMP 10021B50 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\Microsoft Security Client\MsMpEng.exe[1872] ole32.dll!CoCreateInstanceEx 774FF164 5 Bytes JMP 1002E410 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\Microsoft Security Client\MsMpEng.exe[1872] ole32.dll!CoGetClassObject 77515205 5 Bytes JMP 1002E1D0 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe[2100] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 1001CE40 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe[2100] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 10025680 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe[2100] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 1001CF60 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe[2100] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 100226F0 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe[2100] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 10023280 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe[2100] ADVAPI32.dll!CreateProcessAsUserW 77DEA8A9 5 Bytes JMP 10021220 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe[2100] ADVAPI32.dll!CreateProcessAsUserA 77E10CE8 5 Bytes JMP 10021B50 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe[2100] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 1002DF90 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe[2100] ole32.dll!CoCreateInstanceEx 774FF164 5 Bytes JMP 1002E410 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe[2100] ole32.dll!CoGetClassObject 77515205 5 Bytes JMP 1002E1D0 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[2336] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 1001CE40 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[2336] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 10025680 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[2336] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 1001CF60 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[2336] KERNEL32.dll!CreateProcessW 7C802336 5 Bytes JMP 100226F0 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[2336] KERNEL32.dll!CreateProcessA 7C80236B 5 Bytes JMP 10023280 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[2336] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 1002DF90 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[2336] ADVAPI32.dll!CreateProcessAsUserW 77DEA8A9 5 Bytes JMP 10021220 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[2336] ADVAPI32.dll!CreateProcessAsUserA 77E10CE8 5 Bytes JMP 10021B50 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[2336] ole32.dll!CoCreateInstanceEx 774FF164 5 Bytes JMP 1002E410 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[2336] ole32.dll!CoGetClassObject 77515205 5 Bytes JMP 1002E1D0 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\igfxtray.exe[2348] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 0038CE40 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\igfxtray.exe[2348] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00395680 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\igfxtray.exe[2348] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 0038CF60 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\igfxtray.exe[2348] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 003926F0 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\igfxtray.exe[2348] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00393280 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\igfxtray.exe[2348] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 0039DF90 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\igfxtray.exe[2348] ADVAPI32.dll!CreateProcessAsUserW 77DEA8A9 5 Bytes JMP 00391220 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\igfxtray.exe[2348] ADVAPI32.dll!CreateProcessAsUserA 77E10CE8 5 Bytes JMP 00391B50 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\igfxtray.exe[2348] ole32.dll!CoCreateInstanceEx 774FF164 5 Bytes JMP 0039E410 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\igfxtray.exe[2348] ole32.dll!CoGetClassObject 77515205 5 Bytes JMP 0039E1D0 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\hkcmd.exe[2388] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 0038CE40 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\hkcmd.exe[2388] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00395680 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\hkcmd.exe[2388] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 0038CF60 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\hkcmd.exe[2388] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 003926F0 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\hkcmd.exe[2388] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00393280 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\hkcmd.exe[2388] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 0039DF90 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\hkcmd.exe[2388] ADVAPI32.dll!CreateProcessAsUserW 77DEA8A9 5 Bytes JMP 00391220 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\hkcmd.exe[2388] ADVAPI32.dll!CreateProcessAsUserA 77E10CE8 5 Bytes JMP 00391B50 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\hkcmd.exe[2388] ole32.dll!CoCreateInstanceEx 774FF164 5 Bytes JMP 0039E410 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\hkcmd.exe[2388] ole32.dll!CoGetClassObject 77515205 5 Bytes JMP 0039E1D0 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\igfxpers.exe[2396] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 1001CE40 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\igfxpers.exe[2396] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 10025680 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\igfxpers.exe[2396] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 1001CF60 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\igfxpers.exe[2396] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 100226F0 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\igfxpers.exe[2396] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 10023280 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\igfxpers.exe[2396] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 1002DF90 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\igfxpers.exe[2396] ADVAPI32.dll!CreateProcessAsUserW 77DEA8A9 5 Bytes JMP 10021220 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\igfxpers.exe[2396] ADVAPI32.dll!CreateProcessAsUserA 77E10CE8 5 Bytes JMP 10021B50 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\igfxpers.exe[2396] ole32.dll!CoCreateInstanceEx 774FF164 5 Bytes JMP 1002E410 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\igfxpers.exe[2396] ole32.dll!CoGetClassObject 77515205 5 Bytes JMP 1002E1D0 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\ctfmon.exe[2696] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 1001CE40 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\ctfmon.exe[2696] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 10025680 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\ctfmon.exe[2696] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 1001CF60 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\ctfmon.exe[2696] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 100226F0 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\ctfmon.exe[2696] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 10023280 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\ctfmon.exe[2696] ADVAPI32.dll!CreateProcessAsUserW 77DEA8A9 5 Bytes JMP 10021220 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\ctfmon.exe[2696] ADVAPI32.dll!CreateProcessAsUserA 77E10CE8 5 Bytes JMP 10021B50 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\ctfmon.exe[2696] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 1002DF90 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\ctfmon.exe[2696] ole32.dll!CoCreateInstanceEx 774FF164 5 Bytes JMP 1002E410 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\ctfmon.exe[2696] ole32.dll!CoGetClassObject 77515205 5 Bytes JMP 1002E1D0 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\IDT\WDM\sttray.exe[3008] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 0039CE40 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\IDT\WDM\sttray.exe[3008] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 003A5680 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\IDT\WDM\sttray.exe[3008] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 0039CF60 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\IDT\WDM\sttray.exe[3008] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 003A26F0 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\IDT\WDM\sttray.exe[3008] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 003A3280 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\IDT\WDM\sttray.exe[3008] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 003ADF90 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\IDT\WDM\sttray.exe[3008] ADVAPI32.dll!CreateProcessAsUserW 77DEA8A9 5 Bytes JMP 003A1220 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\IDT\WDM\sttray.exe[3008] ADVAPI32.dll!CreateProcessAsUserA 77E10CE8 5 Bytes JMP 003A1B50 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\IDT\WDM\sttray.exe[3008] ole32.dll!CoCreateInstanceEx 774FF164 5 Bytes JMP 003AE410 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\IDT\WDM\sttray.exe[3008] ole32.dll!CoGetClassObject 77515205 5 Bytes JMP 003AE1D0 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe[3016] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 1001CE40 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe[3016] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 10025680 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe[3016] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 1001CF60 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe[3016] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 100226F0 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe[3016] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 10023280 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe[3016] ADVAPI32.dll!CreateProcessAsUserW 77DEA8A9 5 Bytes JMP 10021220 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe[3016] ADVAPI32.dll!CreateProcessAsUserA 77E10CE8 5 Bytes JMP 10021B50 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe[3016] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 1002DF90 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe[3016] ole32.dll!CoCreateInstanceEx 774FF164 5 Bytes JMP 1002E410 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe[3016] ole32.dll!CoGetClassObject 77515205 5 Bytes JMP 1002E1D0 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3024] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 1001CE40 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3024] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 10025680 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3024] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 1001CF60 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3024] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 100226F0 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3024] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 10023280 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3024] ADVAPI32.dll!CreateProcessAsUserW 77DEA8A9 5 Bytes JMP 10021220 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3024] ADVAPI32.dll!CreateProcessAsUserA 77E10CE8 5 Bytes JMP 10021B50 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3024] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 1002DF90 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3024] ole32.dll!CoCreateInstanceEx 774FF164 5 Bytes JMP 1002E410 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3024] ole32.dll!CoGetClassObject 77515205 5 Bytes JMP 1002E1D0 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\Atheros\ACU.exe[3144] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 009FCE40 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\Atheros\ACU.exe[3144] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00A05680 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\Atheros\ACU.exe[3144] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 009FCF60 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\Atheros\ACU.exe[3144] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00A026F0 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\Atheros\ACU.exe[3144] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00A03280 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\Atheros\ACU.exe[3144] ADVAPI32.dll!CreateProcessAsUserW 77DEA8A9 5 Bytes JMP 00A01220 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\Atheros\ACU.exe[3144] ADVAPI32.dll!CreateProcessAsUserA 77E10CE8 5 Bytes JMP 00A01B50 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\Atheros\ACU.exe[3144] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 00A0DF90 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\Atheros\ACU.exe[3144] ole32.dll!CoCreateInstanceEx 774FF164 5 Bytes JMP 00A0E410 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\Atheros\ACU.exe[3144] ole32.dll!CoGetClassObject 77515205 5 Bytes JMP 00A0E1D0 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe[3184] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 1001CE40 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe[3184] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 10025680 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe[3184] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 1001CF60 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe[3184] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 100226F0 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe[3184] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 10023280 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe[3184] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 1002DF90 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe[3184] ADVAPI32.dll!CreateProcessAsUserW 77DEA8A9 5 Bytes JMP 10021220 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe[3184] ADVAPI32.dll!CreateProcessAsUserA 77E10CE8 5 Bytes JMP 10021B50 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe[3184] ole32.dll!CoCreateInstanceEx 774FF164 5 Bytes JMP 1002E410 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe[3184] ole32.dll!CoGetClassObject 77515205 5 Bytes JMP 1002E1D0 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe[3332] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 1001CE40 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe[3332] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 10025680 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe[3332] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 1001CF60 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe[3332] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 100226F0 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe[3332] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 10023280 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe[3332] ADVAPI32.dll!CreateProcessAsUserW 77DEA8A9 5 Bytes JMP 10021220 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe[3332] ADVAPI32.dll!CreateProcessAsUserA 77E10CE8 5 Bytes JMP 10021B50 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe[3332] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 1002DF90 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe[3332] ole32.dll!CoCreateInstanceEx 774FF164 5 Bytes JMP 1002E410 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe[3332] ole32.dll!CoGetClassObject 77515205 5 Bytes JMP 1002E1D0 C:\WINDOWS\system32\guard32.dll
    .text C:\Documents and Settings\All Users\Application Data\Ad-Aware Browsing Protection\adawarebp.exe[3492] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 1001CE40 C:\WINDOWS\system32\guard32.dll
    .text C:\Documents and Settings\All Users\Application Data\Ad-Aware Browsing Protection\adawarebp.exe[3492] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 10025680 C:\WINDOWS\system32\guard32.dll
    .text C:\Documents and Settings\All Users\Application Data\Ad-Aware Browsing Protection\adawarebp.exe[3492] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 1001CF60 C:\WINDOWS\system32\guard32.dll
    .text C:\Documents and Settings\All Users\Application Data\Ad-Aware Browsing Protection\adawarebp.exe[3492] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 100226F0 C:\WINDOWS\system32\guard32.dll
    .text C:\Documents and Settings\All Users\Application Data\Ad-Aware Browsing Protection\adawarebp.exe[3492] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 10023280 C:\WINDOWS\system32\guard32.dll
    .text C:\Documents and Settings\All Users\Application Data\Ad-Aware Browsing Protection\adawarebp.exe[3492] ADVAPI32.dll!CreateProcessAsUserW 77DEA8A9 5 Bytes JMP 10021220 C:\WINDOWS\system32\guard32.dll
    .text C:\Documents and Settings\All Users\Application Data\Ad-Aware Browsing Protection\adawarebp.exe[3492] ADVAPI32.dll!CreateProcessAsUserA 77E10CE8 5 Bytes JMP 10021B50 C:\WINDOWS\system32\guard32.dll
    .text C:\Documents and Settings\All Users\Application Data\Ad-Aware Browsing Protection\adawarebp.exe[3492] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 1002DF90 C:\WINDOWS\system32\guard32.dll
    .text C:\Documents and Settings\All Users\Application Data\Ad-Aware Browsing Protection\adawarebp.exe[3492] ole32.dll!CoCreateInstanceEx 774FF164 5 Bytes JMP 1002E410 C:\WINDOWS\system32\guard32.dll
    .text C:\Documents and Settings\All Users\Application Data\Ad-Aware Browsing Protection\adawarebp.exe[3492] ole32.dll!CoGetClassObject 77515205 5 Bytes JMP 1002E1D0 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[3504] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 1001CE40 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[3504] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 10025680 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[3504] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 1001CF60 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[3504] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 100226F0 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[3504] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 10023280 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[3504] ADVAPI32.dll!CreateProcessAsUserW 77DEA8A9 5 Bytes JMP 10021220 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[3504] ADVAPI32.dll!CreateProcessAsUserA 77E10CE8 5 Bytes JMP 10021B50 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[3504] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 1002DF90 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[3504] ole32.dll!CoCreateInstanceEx 774FF164 5 Bytes JMP 1002E410 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[3504] ole32.dll!CoGetClassObject 77515205 5 Bytes JMP 1002E1D0 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\Microsoft Security Client\msseces.exe[3572] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 1001CE40 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\Microsoft Security Client\msseces.exe[3572] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 10025680 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\Microsoft Security Client\msseces.exe[3572] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 1001CF60 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\Microsoft Security Client\msseces.exe[3572] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 100226F0 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\Microsoft Security Client\msseces.exe[3572] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 10023280 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\Microsoft Security Client\msseces.exe[3572] ADVAPI32.dll!CreateProcessAsUserW 77DEA8A9 5 Bytes JMP 10021220 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\Microsoft Security Client\msseces.exe[3572] ADVAPI32.dll!CreateProcessAsUserA 77E10CE8 5 Bytes JMP 10021B50 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\Microsoft Security Client\msseces.exe[3572] ole32.dll!CoCreateInstanceEx 774FF164 5 Bytes JMP 1002E410 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\Microsoft Security Client\msseces.exe[3572] ole32.dll!CoGetClassObject 77515205 5 Bytes JMP 1002E1D0 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\Microsoft Security Client\msseces.exe[3572] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 1002DF90 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3588] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 1001CE40 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3588] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 10025680 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3588] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 1001CF60 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3588] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 100226F0 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3588] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 10023280 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3588] ADVAPI32.dll!CreateProcessAsUserW 77DEA8A9 5 Bytes JMP 10021220 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3588] ADVAPI32.dll!CreateProcessAsUserA 77E10CE8 5 Bytes JMP 10021B50 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3588] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 1002DF90 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3588] ole32.dll!CoCreateInstanceEx 774FF164 5 Bytes JMP 1002E410 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3588] ole32.dll!CoGetClassObject 77515205 5 Bytes JMP 1002E1D0 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\iTunes\iTunesHelper.exe[3624] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 1001CE40 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\iTunes\iTunesHelper.exe[3624] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 10025680 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\iTunes\iTunesHelper.exe[3624] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 1001CF60 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\iTunes\iTunesHelper.exe[3624] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 100226F0 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\iTunes\iTunesHelper.exe[3624] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 10023280 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\iTunes\iTunesHelper.exe[3624] ADVAPI32.dll!CreateProcessAsUserW 77DEA8A9 5 Bytes JMP 10021220 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\iTunes\iTunesHelper.exe[3624] ADVAPI32.dll!CreateProcessAsUserA 77E10CE8 5 Bytes JMP 10021B50 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\iTunes\iTunesHelper.exe[3624] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 1002DF90 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[3748] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 1001CE40 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[3748] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 10025680 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[3748] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 1001CF60 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[3748] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 100226F0 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[3748] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 10023280 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[3748] ADVAPI32.dll!CreateProcessAsUserW 77DEA8A9 5 Bytes JMP 10021220 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[3748] ADVAPI32.dll!CreateProcessAsUserA 77E10CE8 5 Bytes JMP 10021B50 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[3748] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 1002DF90 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\iPod\bin\iPodService.exe[3980] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 1001CE40 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\iPod\bin\iPodService.exe[3980] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 10025680 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\iPod\bin\iPodService.exe[3980] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 1001CF60 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\iPod\bin\iPodService.exe[3980] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 100226F0 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\iPod\bin\iPodService.exe[3980] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 10023280 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\iPod\bin\iPodService.exe[3980] ADVAPI32.dll!CreateProcessAsUserW 77DEA8A9 5 Bytes JMP 10021220 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\iPod\bin\iPodService.exe[3980] ADVAPI32.dll!CreateProcessAsUserA 77E10CE8 5 Bytes JMP 10021B50 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\iPod\bin\iPodService.exe[3980] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 1002DF90 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\iPod\bin\iPodService.exe[3980] ole32.dll!CoCreateInstanceEx 774FF164 5 Bytes JMP 1002E410 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\iPod\bin\iPodService.exe[3980] ole32.dll!CoGetClassObject 77515205 5 Bytes JMP 1002E1D0 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.exe[3988] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 1001CE40 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.exe[3988] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 10025680 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.exe[3988] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 1001CF60 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.exe[3988] KERNEL32.dll!CreateProcessW 7C802336 5 Bytes JMP 100226F0 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.exe[3988] KERNEL32.dll!CreateProcessA 7C80236B 5 Bytes JMP 10023280 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.exe[3988] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 1002DF90 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.exe[3988] ADVAPI32.dll!CreateProcessAsUserW 77DEA8A9 5 Bytes JMP 10021220 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.exe[3988] ADVAPI32.dll!CreateProcessAsUserA 77E10CE8 5 Bytes JMP 10021B50 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.exe[3988] ole32.dll!CoCreateInstanceEx 774FF164 5 Bytes JMP 1002E410 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.exe[3988] ole32.dll!CoGetClassObject 77515205 5 Bytes JMP 1002E1D0 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\McAfee Security Scan\3.0.207\SSScheduler.exe[4000] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 1001CE40 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\McAfee Security Scan\3.0.207\SSScheduler.exe[4000] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 10025680 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\McAfee Security Scan\3.0.207\SSScheduler.exe[4000] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 1001CF60 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\McAfee Security Scan\3.0.207\SSScheduler.exe[4000] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 100226F0 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\McAfee Security Scan\3.0.207\SSScheduler.exe[4000] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 10023280 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\McAfee Security Scan\3.0.207\SSScheduler.exe[4000] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 1002DF90 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\McAfee Security Scan\3.0.207\SSScheduler.exe[4000] ADVAPI32.dll!CreateProcessAsUserW 77DEA8A9 5 Bytes JMP 10021220 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\McAfee Security Scan\3.0.207\SSScheduler.exe[4000] ADVAPI32.dll!CreateProcessAsUserA 77E10CE8 5 Bytes JMP 10021B50 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\McAfee Security Scan\3.0.207\SSScheduler.exe[4000] ole32.dll!CoCreateInstanceEx 774FF164 5 Bytes JMP 1002E410 C:\WINDOWS\system32\guard32.dll
    .text C:\Program Files\McAfee Security Scan\3.0.207\SSScheduler.exe[4000] ole32.dll!CoGetClassObject 77515205 5 Bytes JMP 1002E1D0 C:\WINDOWS\system32\guard32.dll

    ---- Devices - GMER 1.0.15 ----

    Device Ntfs.sys (NT File System Driver/Microsoft Corporation)

    AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
    AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)

    Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)
    Device Cdfs.SYS (CD-ROM File System Driver/Microsoft Corporation)
    ---- Processes - GMER 1.0.15 ----

    Library C:\WINDOWS\system32\guard32.dll (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [236] 0x10000000
    Library C:\Program (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [236] 0x044E0000
    Library C:\WINDOWS\system32\guard32.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [252] 0x10000000
    Library C:\WINDOWS\system32\guard32.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [380] 0x10000000
    Library C:\WINDOWS\system32\guard32.dll (*** hidden *** ) @ C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [452] 0x10000000
    Library C:\WINDOWS\system32\guard32.dll (*** hidden *** ) @ C:\Program Files\Java\jre7\bin\jqs.exe [556] 0x10000000
    Library C:\WINDOWS\system32\guard32.dll (*** hidden *** ) @ C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe [572] 0x10000000
    Library C:\WINDOWS\system32\guard32.dll (*** hidden *** ) @ C:\WINDOWS\system32\spoolsv.exe [668] 0x10000000
    Library C:\WINDOWS\system32\guard32.dll (*** hidden *** ) @ c:\program files\idt\wdm\STacSV.exe [708] 0x10000000
    Library C:\WINDOWS\system32\guard32.dll (*** hidden *** ) @ C:\WINDOWS\system32\acs.exe [812] 0x003B0000
    Library C:\WINDOWS\system32\guard32.dll (*** hidden *** ) @ C:\Program Files\Bonjour\mDNSResponder.exe [840] 0x10000000
    Library C:\WINDOWS\system32\guard32.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1136] 0x10000000
    Library C:\WINDOWS\system32\guard32.dll (*** hidden *** ) @ C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE [1412] 0x10000000
    Library C:\WINDOWS\system32\guard32.dll (*** hidden *** ) @ C:\WINDOWS\system32\winlogon.exe [1460] 0x10000000
    Library C:\WINDOWS\system32\guard32.dll (*** hidden *** ) @ C:\WINDOWS\system32\services.exe [1504] 0x10000000
    Library C:\WINDOWS\system32\guard32.dll (*** hidden *** ) @ C:\WINDOWS\system32\lsass.exe [1516] 0x10000000
    Library C:\WINDOWS\system32\guard32.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1692] 0x10000000
    Library C:\WINDOWS\system32\guard32.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1700] 0x10000000
    Library C:\WINDOWS\system32\guard32.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1740] 0x10000000
    Library C:\Program (*** hidden *** ) @ C:\Program [1780] 0x00400000
    Library C:\WINDOWS\system32\guard32.dll (*** hidden *** ) @ C:\Program [1780] 0x10000000
    Library C:\Program (*** hidden *** ) @ C:\Program [1780] 0x01410000
    Library C:\Program (*** hidden *** ) @ C:\Program [1780] 0x01460000
    Library C:\Program (*** hidden *** ) @ C:\Program [1780] 0x02360000
    Library C:\Program (*** hidden *** ) @ C:\Program [1780] 0x023C0000
    Library C:\Program (*** hidden *** ) @ C:\Program [1780] 0x01F60000
    Library C:\Program (*** hidden *** ) @ C:\Program [1780] 0x02570000
    Library C:\Program (*** hidden *** ) @ C:\Program [1780] 0x025D0000
    Library C:\Program (*** hidden *** ) @ C:\Program [1780] 0x02650000
    Library C:\Program (*** hidden *** ) @ C:\Program [1780] 0x02FC0000
    Library C:\Program (*** hidden *** ) @ C:\Program [1780] 0x03000000
    Library C:\Program (*** hidden *** ) @ C:\Program [1780] 0x03040000
    Library C:\Program (*** hidden *** ) @ C:\Program [1780] 0x03080000
    Library C:\Program (*** hidden *** ) @ C:\Program [1780] 0x030E0000
    Library C:\Program (*** hidden *** ) @ C:\Program [1780] 0x03150000
    Library C:\Program (*** hidden *** ) @ C:\Program [1780] 0x03190000
    Library C:\Program (*** hidden *** ) @ C:\Program [1780] 0x031D0000
    Library C:\Program (*** hidden *** ) @ C:\Program [1780] 0x03210000
    Library C:\Program (*** hidden *** ) @ C:\Program [1780] 0x03480000
    Library C:\Program (*** hidden *** ) @ C:\Program [1780] 0x03500000
    Library C:\Program (*** hidden *** ) @ C:\Program [1780] 0x035D0000
    Library C:\Program (*** hidden *** ) @ C:\Program [1780] 0x03620000
    Library C:\Program (*** hidden *** ) @ C:\Program [1780] 0x03680000
    Library C:\Program (*** hidden *** ) @ C:\Program [1780] 0x03790000
    Library C:\Program (*** hidden *** ) @ C:\Program [1780] 0x70A40000
    Library C:\Program (*** hidden *** ) @ C:\Program [1780] 0x64980000
    Library C:\WINDOWS\system32\guard32.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1852] 0x10000000
    Library C:\WINDOWS\system32\guard32.dll (*** hidden *** ) @ C:\Program Files\Microsoft Security Client\MsMpEng.exe [1872] 0x10000000
    Library C:\WINDOWS\system32\guard32.dll (*** hidden *** ) @ C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe [2100] 0x10000000
    Library C:\WINDOWS\system32\guard32.dll (*** hidden *** ) @ C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe [2336] 0x10000000
    Library C:\WINDOWS\system32\guard32.dll (*** hidden *** ) @ C:\WINDOWS\system32\igfxtray.exe [2348] 0x00370000
    Library C:\WINDOWS\system32\guard32.dll (*** hidden *** ) @ C:\WINDOWS\system32\hkcmd.exe [2388] 0x00370000
    Library C:\WINDOWS\system32\guard32.dll (*** hidden *** ) @ C:\WINDOWS\system32\igfxpers.exe [2396] 0x10000000
    Library C:\WINDOWS\system32\guard32.dll (*** hidden *** ) @ C:\WINDOWS\system32\ctfmon.exe [2696] 0x10000000
    Library C:\WINDOWS\system32\guard32.dll (*** hidden *** ) @ C:\Program Files\IDT\WDM\sttray.exe [3008] 0x00380000
    Library C:\WINDOWS\system32\guard32.dll (*** hidden *** ) @ C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe [3016] 0x10000000
    Library C:\WINDOWS\system32\guard32.dll (*** hidden *** ) @ C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [3024] 0x10000000
    Library C:\WINDOWS\system32\guard32.dll (*** hidden *** ) @ C:\Program Files\Atheros\ACU.exe [3144] 0x009E0000
    Library C:\WINDOWS\system32\guard32.dll (*** hidden *** ) @ C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe [3184] 0x10000000
    Library C:\WINDOWS\system32\guard32.dll (*** hidden *** ) @ C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [3332] 0x10000000
    Library C:\WINDOWS\system32\guard32.dll (*** hidden *** ) @ C:\Documents and Settings\All Users\Application Data\Ad-Aware Browsing Protection\adawarebp.exe [3492] 0x10000000
    Library C:\WINDOWS\system32\guard32.dll (*** hidden *** ) @ C:\Program Files\DivX\DivX Update\DivXUpdate.exe [3504] 0x10000000
    Library C:\WINDOWS\system32\guard32.dll (*** hidden *** ) @ C:\Program Files\Microsoft Security Client\msseces.exe [3572] 0x10000000
    Library C:\WINDOWS\system32\guard32.dll (*** hidden *** ) @ C:\Program Files\Common Files\Java\Java Update\jusched.exe [3588] 0x10000000
    Library C:\WINDOWS\system32\guard32.dll (*** hidden *** ) @ C:\Program Files\iTunes\iTunesHelper.exe [3624] 0x10000000
    Library C:\WINDOWS\system32\guard32.dll (*** hidden *** ) @ C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [3748] 0x10000000
    Library C:\WINDOWS\system32\guard32.dll (*** hidden *** ) @ C:\Program Files\iPod\bin\iPodService.exe [3980] 0x10000000
    Library C:\WINDOWS\system32\guard32.dll (*** hidden *** ) @ C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.exe [3988] 0x10000000
    Library C:\WINDOWS\system32\guard32.dll (*** hidden *** ) @ C:\Program Files\McAfee Security Scan\3.0.207\SSScheduler.exe [4000] 0x10000000

    ---- Files - GMER 1.0.15 ----

    File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\Temp 0 bytes
    File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\Temp\baseupd 0 bytes
    File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\Temp\baseupd\BASE_END_USER_v14713.cav 133419008 bytes

    ---- EOF - GMER 1.0.15 ----
     
  2. rem_2007

    rem_2007 Thread Starter

    Joined:
    Nov 21, 2007
    Messages:
    63
    I dear to bring my problem to your attention. Thank you and happy new year!
     
  3. Mark1956

    Mark1956

    Joined:
    May 7, 2011
    Messages:
    14,142
    Hi re_2007, please run the following scans and post the logs.

    You have two Anti Virus programs which needs to be dealt with. Ad-Aware is no longer recommended so you will need to uninstall it after we have cleaned up the system of the infection. More than one Anti Virus can cause conflicts, reduce system performance and reduce the systems security level even if there is only one active.

    SCAN 1
    1. Download Malwarebytes Anti-Rootkit from this link mbar
    2. Unzip the File to a convenient location. (Recommend the Desktop)
    3. Open the folder where the contents were unzipped to run mbar.exe

    [​IMG]

    4. Double-click on the mbar.exe file, you may receive a User Account Control prompt asking if you are sure you wish to allow the program to run. Please allow the program to run and MBAR will now start to install any necessary drivers that are required for the program to operate correctly. If a rootkit is interfering with the installation of the drivers you will see a message that states that the DDA driver was not installed and that you should reboot your computer to install it. You will see this image:

    [​IMG]

    5. If you receive this message, please click on the Yes button and Malwarebytes Anti-Rootkit will now restart your computer. Once the computer is rebooted and you login, MBAR will automatically start and you will now be at the start screen. (If no Rootkit warning you will go from step 4 to 6.)

    6. The following image opens, select Next.

    [​IMG]

    7. The following image opens, select Update

    [​IMG]

    8. When the Update completes, select Next

    [​IMG]

    9. In the following window ensure "Targets" are ticked. Then select "Scan"

    [​IMG]

    10. If an infection/s is found the "Cleanup Button" to remove threats will be available. A list of infected files will be listed like the following example:

    [​IMG]

    11. Do not select the "Clean up Button" select the "Exit" button, there will be a warning as follows:

    [​IMG]

    12. Select "Yes" to close down the program. If NO infections were found you will see the following image:

    [​IMG]

    13. Select "Exit" to close down.
    14. Copy and paste the two following logs from the mbar folder:

    System - log
    Mbar - log Date and time of scan will also be shown

    [​IMG]


    =======================================================================

    SCAN 2
    Please download Farbar Service Scanner and run it on the computer with the issue.

    • Put a check mark in all the boxes.
    • Press "Scan".
    • It will create a log (FSS.txt) in the same directory the tool is run.
    • Please copy and paste the log to your reply.
     
  4. rem_2007

    rem_2007 Thread Starter

    Joined:
    Nov 21, 2007
    Messages:
    63
    Hello and thank you! Here are the results:

    Malwarebytes Anti-Rootkit 1.01.0.1011
    www.malwarebytes.org

    Database version: v2013.01.02.07

    Windows XP Service Pack 3 x86 NTFS
    Internet Explorer 8.0.6001.18702
    Alma :: COMPAQ [administrator]

    1/2/2013 8:55:32 PM
    mbar-log-2013-01-02 (20-55-32).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
    Scan options disabled:
    Objects scanned: 27083
    Time elapsed: 20 minute(s), 29 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 1
    C:\Documents and Settings\All Users\Application Data\dsgsdgdsgdsgw.pad (Exploit.Drop.GSA) -> Delete on reboot.

    (end)

    ---------------------------------------
    Malwarebytes Anti-Rootkit BETA 1.01.0.1011

    (c) Malwarebytes Corporation 2011-2012

    OS version: 5.1.2600 Windows XP Service Pack 3 x86

    Account is Administrative

    Internet Explorer version: 8.0.6001.18702

    File system is: NTFS
    Disk drives: C:\ DRIVE_FIXED, D:\ DRIVE_FIXED
    CPU speed: 1.662000 GHz
    Memory total: 2074976256, free: 1276502016

    ------------ Kernel report ------------
    01/02/2013 20:33:40
    ------------ Loaded modules -----------
    \WINDOWS\system32\ntkrnlpa.exe
    \WINDOWS\system32\hal.dll
    \WINDOWS\system32\KDCOM.DLL
    \WINDOWS\system32\BOOTVID.dll
    ACPI.sys
    \WINDOWS\system32\DRIVERS\WMILIB.SYS
    pci.sys
    isapnp.sys
    compbatt.sys
    \WINDOWS\system32\DRIVERS\BATTC.SYS
    MountMgr.sys
    ftdisk.sys
    dmload.sys
    dmio.sys
    PartMgr.sys
    ACPIEC.sys
    \WINDOWS\system32\DRIVERS\OPRGHDLR.SYS
    VolSnap.sys
    iaStor.sys
    disk.sys
    \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
    fltMgr.sys
    sr.sys
    MpFilter.sys
    PxHelp20.sys
    KSecDD.sys
    Ntfs.sys
    NDIS.sys
    Mup.sys
    \SystemRoot\system32\DRIVERS\intelppm.sys
    \SystemRoot\system32\DRIVERS\CmBatt.sys
    \SystemRoot\system32\DRIVERS\igxpmp32.sys
    \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
    \SystemRoot\system32\DRIVERS\usbuhci.sys
    \SystemRoot\system32\DRIVERS\USBPORT.SYS
    \SystemRoot\system32\DRIVERS\usbehci.sys
    \SystemRoot\system32\DRIVERS\HDAudBus.sys
    \SystemRoot\system32\DRIVERS\athw.sys
    \SystemRoot\system32\DRIVERS\Rtenicxp.sys
    \SystemRoot\system32\DRIVERS\i8042prt.sys
    \SystemRoot\system32\DRIVERS\HpqKbFiltr.sys
    \SystemRoot\system32\DRIVERS\WDFLDR.SYS
    \SystemRoot\system32\DRIVERS\Wdf01000.sys
    \SystemRoot\system32\DRIVERS\kbdclass.sys
    \SystemRoot\system32\DRIVERS\SynTP.sys
    \SystemRoot\system32\DRIVERS\USBD.SYS
    \SystemRoot\system32\DRIVERS\mouclass.sys
    \SystemRoot\system32\DRIVERS\imapi.sys
    \SystemRoot\system32\DRIVERS\cdrom.sys
    \SystemRoot\system32\DRIVERS\redbook.sys
    \SystemRoot\system32\DRIVERS\ks.sys
    \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
    \SystemRoot\system32\DRIVERS\wmiacpi.sys
    \SystemRoot\system32\DRIVERS\audstub.sys
    \SystemRoot\system32\DRIVERS\rasl2tp.sys
    \SystemRoot\system32\DRIVERS\ndistapi.sys
    \SystemRoot\system32\DRIVERS\ndiswan.sys
    \SystemRoot\system32\DRIVERS\raspppoe.sys
    \SystemRoot\system32\DRIVERS\raspptp.sys
    \SystemRoot\system32\DRIVERS\TDI.SYS
    \SystemRoot\system32\DRIVERS\psched.sys
    \SystemRoot\system32\DRIVERS\msgpc.sys
    \SystemRoot\system32\DRIVERS\ptilink.sys
    \SystemRoot\system32\DRIVERS\raspti.sys
    \SystemRoot\system32\DRIVERS\rdpdr.sys
    \SystemRoot\system32\DRIVERS\termdd.sys
    \SystemRoot\system32\DRIVERS\swenum.sys
    \SystemRoot\system32\DRIVERS\update.sys
    \SystemRoot\system32\DRIVERS\mssmbios.sys
    \SystemRoot\system32\DRIVERS\ew_jubusenum.sys
    \SystemRoot\system32\DRIVERS\wsimd.sys
    \SystemRoot\System32\Drivers\NDProxy.SYS
    \SystemRoot\system32\DRIVERS\usbhub.sys
    \SystemRoot\system32\drivers\sthda.sys
    \SystemRoot\system32\drivers\portcls.sys
    \SystemRoot\system32\drivers\drmk.sys
    \SystemRoot\system32\drivers\AESTAud.sys
    \SystemRoot\system32\drivers\IntcHdmi.sys
    \SystemRoot\System32\Drivers\Fs_Rec.SYS
    \SystemRoot\System32\Drivers\Null.SYS
    \SystemRoot\System32\Drivers\Beep.SYS
    \SystemRoot\System32\Drivers\aswKbd.SYS
    \SystemRoot\System32\drivers\vga.sys
    \SystemRoot\System32\Drivers\mnmdd.SYS
    \SystemRoot\System32\DRIVERS\RDPCDD.sys
    \SystemRoot\System32\Drivers\Msfs.SYS
    \SystemRoot\System32\Drivers\Npfs.SYS
    \SystemRoot\system32\DRIVERS\rasacd.sys
    \SystemRoot\system32\DRIVERS\ipsec.sys
    \SystemRoot\system32\DRIVERS\tcpip.sys
    \SystemRoot\system32\DRIVERS\netbt.sys
    \SystemRoot\system32\DRIVERS\ipnat.sys
    \SystemRoot\System32\drivers\afd.sys
    \SystemRoot\system32\DRIVERS\netbios.sys
    \SystemRoot\system32\DRIVERS\rdbss.sys
    \SystemRoot\system32\DRIVERS\wanarp.sys
    \SystemRoot\system32\DRIVERS\mrxsmb.sys
    \SystemRoot\System32\Drivers\Fips.SYS
    \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
    \SystemRoot\system32\DRIVERS\usbccgp.sys
    \SystemRoot\System32\Drivers\usbvideo.sys
    \SystemRoot\System32\Drivers\Cdfs.SYS
    \SystemRoot\System32\Drivers\dump_iaStor.sys
    \SystemRoot\System32\win32k.sys
    \SystemRoot\System32\drivers\Dxapi.sys
    \SystemRoot\System32\watchdog.sys
    \SystemRoot\System32\drivers\dxg.sys
    \SystemRoot\System32\drivers\dxgthk.sys
    \SystemRoot\System32\igxpgd32.dll
    \SystemRoot\System32\igxprd32.dll
    \SystemRoot\System32\igxpdv32.DLL
    \SystemRoot\System32\igxpdx32.DLL
    \SystemRoot\System32\ATMFD.DLL
    \SystemRoot\system32\DRIVERS\ndisuio.sys
    \SystemRoot\system32\DRIVERS\ewusbmdm.sys
    \SystemRoot\system32\DRIVERS\mrxdav.sys
    \SystemRoot\system32\drivers\wdmaud.sys
    \SystemRoot\system32\drivers\sysaudio.sys
    \SystemRoot\system32\DRIVERS\srv.sys
    \SystemRoot\System32\Drivers\HTTP.sys
    \SystemRoot\System32\Drivers\Modem.SYS
    \SystemRoot\system32\DRIVERS\ewusbnet.sys
    \SystemRoot\system32\DRIVERS\USBSTOR.SYS
    \SystemRoot\system32\DRIVERS\hidusb.sys
    \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
    \SystemRoot\system32\DRIVERS\mouhid.sys
    \??\C:\WINDOWS\system32\drivers\mbamchameleon.sys
    \??\C:\WINDOWS\system32\drivers\mbamswissarmy.sys
    \WINDOWS\system32\ntdll.dll
    ----------- End -----------
    <<<1>>>
    Upper Device Name: \Device\Harddisk1\DR5
    Upper Device Object: 0xffffffff87265900
    Upper Device Driver Name: \Driver\Disk\
    Lower Device Name: \Device\0000009a\
    Lower Device Object: 0xffffffff86f64490
    Lower Device Driver Name: \Driver\usbstor\
    Driver name found: usbstor
    DriverEntry returned 0x0
    Function returned 0x0
    <<<1>>>
    Upper Device Name: \Device\Harddisk0\DR0
    Upper Device Object: 0xffffffff8a56b868
    Upper Device Driver Name: \Driver\Disk\
    Lower Device Name: \Device\Ide\IAAStorageDevice-1\
    Lower Device Object: 0xffffffff8a55c028
    Lower Device Driver Name: \Driver\iaStor\
    Driver name found: iaStor
    DriverEntry returned 0x0
    Function returned 0x0
    Downloaded database version: v2013.01.02.07
    Downloaded database version: v2012.12.27.02
    Initializing...
    Done!
    <<<2>>>
    Device number: 0, partition: 1
    Physical Sector Size: 512
    Drive: 0, DevicePointer: 0xffffffff8a56b868, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
    --------- Disk Stack ------
    DevicePointer: 0xffffffff8a55fe08, DeviceName: Unknown, DriverName: \Driver\PartMgr\
    DevicePointer: 0xffffffff8a56b868, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
    DevicePointer: 0xffffffff8a55c028, DeviceName: \Device\Ide\IAAStorageDevice-1\, DriverName: \Driver\iaStor\
    ------------ End ----------
    Upper DeviceData: 0xffffffffe2d81b20, 0xffffffff8a56b868, 0xffffffff86d37040
    Lower DeviceData: 0xffffffffe35d7d88, 0xffffffff8a55c028, 0xffffffff878ca040
    <<<3>>>
    Volume: C:
    File system type: NTFS
    SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
    Scanning directory: C:\WINDOWS\system32\drivers...
    Done!
    Drive 0
    Scanning MBR on drive 0...
    Inspecting partition table:
    MBR Signature: 55AA
    Disk Signature: 92398F54

    Partition information:

    Partition 0 type is Primary (0x7)
    Partition is ACTIVE.
    Partition starts at LBA: 63 Numsec = 134223012
    Partition file system is NTFS
    Partition is bootable

    Partition 1 type is Primary (0x7)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 134223075 Numsec = 178353630

    Partition 2 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0 Numsec = 0

    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0 Numsec = 0

    Disk Size: 160041885696 bytes
    Sector size: 512 bytes

    Scanning physical sectors of unpartitioned space on drive 0 (1-62-312561808-312581808)...
    Physical Sector Size: 0
    Drive: 1, DevicePointer: 0xffffffff87265900, DeviceName: \Device\Harddisk1\DR5\, DriverName: \Driver\Disk\
    --------- Disk Stack ------
    DevicePointer: 0xffffffff86ef2020, DeviceName: Unknown, DriverName: \Driver\PartMgr\
    DevicePointer: 0xffffffff87265900, DeviceName: \Device\Harddisk1\DR5\, DriverName: \Driver\Disk\
    DevicePointer: 0xffffffff86f64490, DeviceName: \Device\0000009a\, DriverName: \Driver\usbstor\
    ------------ End ----------
    Done!
    Performing system, memory and registry scan...
    Read File: File "C:\Documents and Settings\All Users\Application Data\Lavasoft\AntiMalware\context-menu-settings.xml" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\All Users\Application Data\Lavasoft\AntiMalware\WSCConfig.xml" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\All Users\Application Data\Ad-Aware Browsing Protection\guid.dat" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\All Users\Application Data\Adobe\AIR\eulaAccepted" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\All Users\Application Data\Adobe\Updater6\AdobeESDGlobalApps.xml" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\All Users\Application Data\Mozilla\logs\maintenanceservice-install.log" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\All Users\Application Data\Norton\{086A63F0-6B13-4F29-9695-134E7A01E963}\LC.INI" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\All Users\Application Data\Vodafone\Log\L20120422-165733-2328-VmbService.txt" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\All Users\Application Data\Vodafone\Log\L20120422-170240-2372-VmbService.txt" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\Alma\Application Data\Ad-Aware Antivirus\application-settings.xml" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\Alma\Application Data\Ad-Aware Antivirus\definitions-date.xml" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\Alma\Application Data\Ad-Aware Antivirus\gaming-mode.xml" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\Alma\Application Data\Ad-Aware Antivirus\language.xml" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\Alma\Application Data\Ad-Aware Antivirus\protection-status.xml" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\Alma\Application Data\Ad-Aware Antivirus\update-parameters.xml" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\Alma\Application Data\DDMSettings\settings.ddi" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\Alma\Application Data\Google\Local Search History\google%2Eimages.w" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\Alma\Application Data\Google\Local Search History\google%2Emaps.w" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\Alma\Application Data\Google\Local Search History\U%5Fs94057670%2Eonlinehome%2Eus%5F8N139WOUD2F2D9ZG2ZE2%2Exml.w" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\Alma\Application Data\Google\Local Search History\U%5Ftoolbar%2Egoogle%2Ecom%5FCHW6HL2ILDOMNY4CTR3Q%2Exml.w" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\Alma\Application Data\Microsoft\Office\MSO1046.acl" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\Alma\Application Data\Microsoft\Office\MSO1048.acl" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\Alma\Application Data\Microsoft\Office\Word12.pip" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\Alma\Application Data\Microsoft\Proof\CUSTOM.DIC" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\Alma\Application Data\Microsoft\Protect\CREDHIST" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\Alma\Application Data\Stellarium\data\user_locations.txt" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\Alma\Application Data\vlc\ml.xspf" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\Default User\Application Data\desktop.ini" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\Default User\Application Data\Microsoft\Internet Explorer\brndlog.txt" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\Guest\Application Data\desktop.ini" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\Guest\Application Data\Microsoft\Internet Explorer\brndlog.txt" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\Guest\Application Data\Microsoft\Protect\CREDHIST" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\config\systemprofile\Application Data\desktop.ini" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Internet Explorer\brndlog.txt" is compressed (flags = 1)
    Read File: File "C:\Program Files\Outlook Express\msoe.txt" is compressed (flags = 1)
    Read File: File "C:\Program Files\Windows Media Player\npdrmv2.zip" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\Default User\Start Menu\Programs\Startup\desktop.ini" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\desktop.ini" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\desktop.ini" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\login.cmd" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\l_except.nls" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\rp_rules.dat" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\rp_stats.dat" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\View Channels.scf" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\dsound.vxd" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\pcl.sep" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\perfci.h" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\perffilt.h" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\perfwci.h" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\prodspec.ini" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\pscript.sep" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\cmos.ram" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\config\systemprofile\Application Data\desktop.ini" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\desktop.ini" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\drivers\etc\networks" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\oobe\migip.dun" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\oobe\migrate.isp" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\oobe\msobe.isp" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\oobe\obeip.dun" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\oobe\oobeinfo.ini" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\oobe\reg.isp" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\wbem\wmiclivalueformat.xsl" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\Alma\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\Guest\ntuser.ini" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\Default User\Local Settings\desktop.ini" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\Guest\Local Settings\desktop.ini" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\config\systemprofile\Local Settings\desktop.ini" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\ODBC.INI" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\vb.ini" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\vbaddin.ini" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\_delis43.ini" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\desktop.ini" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\DtcInstall.log" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\explorer.scf" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\cmsetacl.log" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\assembly\GAC\Microsoft.Vbe.Interop.Forms\11.0.0.0__71e9bce111e9429c\__AssemblyInfo__.ini" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\assembly\GAC\ADODB\7.0.3300.0__b03f5f7f11d50a3a\__AssemblyInfo__.ini" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\assembly\GAC\dao\10.0.4504.0__31bf3856ad364e35\__AssemblyInfo__.ini" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\assembly\GAC\Microsoft.Office.Interop.Access\11.0.0.0__71e9bce111e9429c\__AssemblyInfo__.ini" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\assembly\GAC\Microsoft.Office.Interop.Excel\11.0.0.0__71e9bce111e9429c\__AssemblyInfo__.ini" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\assembly\GAC\Microsoft.Office.Interop.Graph\11.0.0.0__71e9bce111e9429c\__AssemblyInfo__.ini" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\assembly\GAC\Microsoft.Office.Interop.InfoPath\11.0.0.0__71e9bce111e9429c\__AssemblyInfo__.ini" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\assembly\GAC\Microsoft.Office.Interop.InfoPath.Xml\11.0.0.0__71e9bce111e9429c\__AssemblyInfo__.ini" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\assembly\GAC\Microsoft.Office.Interop.Outlook\11.0.0.0__71e9bce111e9429c\__AssemblyInfo__.ini" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\assembly\GAC\Microsoft.Office.Interop.OutlookViewCtl\11.0.0.0__71e9bce111e9429c\__AssemblyInfo__.ini" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\assembly\GAC\Microsoft.Office.Interop.Owc11\11.0.0.0__71e9bce111e9429c\__AssemblyInfo__.ini" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\assembly\GAC\Microsoft.Office.Interop.PowerPoint\11.0.0.0__71e9bce111e9429c\__AssemblyInfo__.ini" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\assembly\GAC\Microsoft.Office.Interop.Publisher\11.0.0.0__71e9bce111e9429c\__AssemblyInfo__.ini" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\assembly\GAC\Microsoft.Office.Interop.SmartTag\11.0.0.0__71e9bce111e9429c\__AssemblyInfo__.ini" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\assembly\GAC\Microsoft.Office.Interop.Word\11.0.0.0__71e9bce111e9429c\__AssemblyInfo__.ini" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\assembly\GAC\Microsoft.Vbe.Interop\11.0.0.0__71e9bce111e9429c\__AssemblyInfo__.ini" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\assembly\GAC\mscomctl\10.0.4504.0__31bf3856ad364e35\__AssemblyInfo__.ini" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\assembly\GAC\MSDATASRC\7.0.3300.0__b03f5f7f11d50a3a\__AssemblyInfo__.ini" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\assembly\GAC\office\11.0.0.0__71e9bce111e9429c\__AssemblyInfo__.ini" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\assembly\GAC\stdole\7.0.3300.0__b03f5f7f11d50a3a\__AssemblyInfo__.ini" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\Debug\blastcln.log" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\Downloaded Program Files\desktop.ini" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\Downloaded Program Files\muweb.inf" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\Fonts\desktop.ini" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\Help\ciadmin.htm" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\Help\conf.cnt" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\Help\connect.cnt" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\Help\mshearts.cnt" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\Help\msnauth.cnt" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\Help\nocontnt.cnt" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\Help\ratings.cnt" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\Help\update.cnt" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\Help\windows.cnt" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\Help\winhlp32.cnt" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\installutil.exe.config" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\regsvcs.exe.config" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\gacutil.exe.config" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\regsvcs.exe.config" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Aspnet.config" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet.mof.uninstall" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Aspnet_regsql.exe.config" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state_perf.h" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\vbc.exe.config" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\jsc.exe.config" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\caspol.exe.config" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\XPThemes.manifest" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\regsvcs.exe.config" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\_DataOracleClientPerfCounters_shared12_neutral.h" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\_dataperfcounters_shared12_neutral.h" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\regasm.exe.config" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ieexec.exe.config" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ilasm.exe.config" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\webAdminNoNavBar.master" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe.config" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\Microsoft.NET\Framework\v3.5\AddInProcess.exe.config" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\Microsoft.NET\Framework\v3.5\AddInProcess32.exe.config" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\Microsoft.NET\Framework\v3.5\AddInUtil.exe.config" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\Microsoft.NET\Framework\v3.5\csc.exe.config" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\Microsoft.NET\Framework\v3.5\DataSvcUtil.exe.config" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\Microsoft.NET\Framework\v3.5\default.win32manifest" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\Microsoft.NET\Framework\v3.5\EdmGen.exe.config" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\Microsoft.NET\Framework\v3.5\vbc.exe.config" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\Web\bullet.gif" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\Alma\Local Settings\Application Data\Google\firefox-toolbar.xml" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\Alma\Local Settings\History\History.IE5\index.dat" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\Default User\Local Settings\desktop.ini" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\Default User\Local Settings\History\desktop.ini" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\Default User\Local Settings\History\History.IE5\desktop.ini" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\Guest\Local Settings\desktop.ini" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\Guest\Local Settings\History\desktop.ini" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\Guest\Local Settings\History\History.IE5\desktop.ini" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\LocalService\Local Settings\History\desktop.ini" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\desktop.ini" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\NetworkService\Local Settings\History\desktop.ini" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\desktop.ini" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\config\systemprofile\Local Settings\desktop.ini" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\config\systemprofile\Local Settings\History\desktop.ini" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\desktop.ini" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\Alma\Local Settings\Application Data\Microsoft\Feeds Cache\desktop.ini" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\Alma\Local Settings\Application Data\Microsoft\Media Player\wmpfolders.wmdb" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\Alma\Local Settings\Application Data\Google\firefox-toolbar.xml" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\Alma\Local Settings\Application Data\Yahoo\Y!Msgr\merlin.log" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\Guest\Local Settings\Application Data\Microsoft\Feeds Cache\desktop.ini" is compressed (flags = 1)
    Infected: C:\Documents and Settings\All Users\Application Data\dsgsdgdsgdsgw.pad --> [Exploit.Drop.GSA]
    Done!
    Scan finished
    =======================================


    Farbar Service Scanner Version: 23-12-2012
    Ran by Alma (administrator) on 02-01-2013 at 20:57:51
    Running from "C:\Documents and Settings\Alma\Desktop"
    Microsoft Windows XP Service Pack 3 (X86)
    Boot Mode: Normal
    ****************************************************************

    Internet Services:
    ============

    Connection Status:
    ==============
    Localhost is accessible.
    LAN connected.
    Google IP is accessible.
    Google.com is accessible.
    Yahoo IP is accessible.
    Yahoo.com is accessible.


    Windows Firewall:
    =============
    sharedaccess Service is not running. Checking service configuration:
    The start type of sharedaccess service is OK.
    The ImagePath of sharedaccess service is OK.
    The ServiceDll of sharedaccess service is OK.

    winmgmt Service is not running. Checking service configuration:
    Checking Start type: ATTENTION!=====> Unable to open winmgmt registry key. The service key does not exist.
    Checking ImagePath: ATTENTION!=====> Unable to open winmgmt registry key. The service key does not exist.
    Checking ServiceDll: ATTENTION!=====> Unable to open winmgmt registry key. The service key does not exist.
    Checking LEGACY_winmgmt: ATTENTION!=====> Unable to open LEGACY_winmgmt\0000 registry key. The key does not exist.


    Firewall Disabled Policy:
    ==================


    System Restore:
    ============

    System Restore Disabled Policy:
    ========================


    Security Center:
    ============
    wscsvc Service is not running. Checking service configuration:
    The start type of wscsvc service is OK.
    The ImagePath of wscsvc service is OK.
    The ServiceDll of wscsvc service is OK.

    winmgmt Service is not running. Checking service configuration:
    Checking Start type: ATTENTION!=====> Unable to open winmgmt registry key. The service key does not exist.
    Checking ImagePath: ATTENTION!=====> Unable to open winmgmt registry key. The service key does not exist.
    Checking ServiceDll: ATTENTION!=====> Unable to open winmgmt registry key. The service key does not exist.
    Checking LEGACY_winmgmt: ATTENTION!=====> Unable to open LEGACY_winmgmt\0000 registry key. The key does not exist.


    Windows Update:
    ============

    Windows Autoupdate Disabled Policy:
    ============================


    File Check:
    ========
    C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
    C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
    C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
    C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
    C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
    C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
    C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
    C:\WINDOWS\system32\netman.dll => MD5 is legit
    C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
    C:\WINDOWS\system32\srsvc.dll => MD5 is legit
    C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
    C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
    C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
    C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
    C:\WINDOWS\system32\qmgr.dll => MD5 is legit
    C:\WINDOWS\system32\es.dll => MD5 is legit
    C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
    C:\WINDOWS\system32\svchost.exe => MD5 is legit
    C:\WINDOWS\system32\rpcss.dll => MD5 is legit
    C:\WINDOWS\system32\services.exe => MD5 is legit

    Extra List:
    =======
    Gpc(3) IPSec(5) NetBT(6) PSched(7) Tcpip(4) WSIMD(8)
    0x0900000005000000010000000200000003000000040000000A00000007000000080000000C000000
    IpSec Tag value is correct.

    **** End of log ****

    PS. I apologize for telling you that the virus blocked my wireless connection, I think i turn'it off myself by mistake, today I connected myself through wireless.
     
  5. Mark1956

    Mark1956

    Joined:
    May 7, 2011
    Messages:
    14,142
    We have a few things to deal with, first do another scan with Mbar and when you see the Clean Up button as shown above at instruction 10 select it to remove the threats. Post the logs when done.

    Please tell me when that is complete if the initial problem has gone. We will then need to run some repairs to fix some missing registry keys.
     
  6. rem_2007

    rem_2007 Thread Starter

    Joined:
    Nov 21, 2007
    Messages:
    63
    Dear Mark,

    I did the "clean up" with Mbar, restart computer and another shut down/restart and the virus has not appeared. I think is gone..
    Here are the logs:

    Malwarebytes Anti-Rootkit 1.01.0.1011
    www.malwarebytes.org

    Database version: v2013.01.02.10

    Windows XP Service Pack 3 x86 NTFS
    Internet Explorer 8.0.6001.18702
    Alma :: COMPAQ [administrator]

    1/3/2013 10:06:47 AM
    mbar-log-2013-01-03 (10-06-47).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
    Scan options disabled:
    Objects scanned: 27106
    Time elapsed: 20 minute(s), 38 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 1
    C:\Documents and Settings\All Users\Application Data\dsgsdgdsgdsgw.pad (Exploit.Drop.GSA) -> Delete on reboot.

    (end)


    ---------------------------------------
    Malwarebytes Anti-Rootkit BETA 1.01.0.1011

    (c) Malwarebytes Corporation 2011-2012

    OS version: 5.1.2600 Windows XP Service Pack 3 x86

    Account is Administrative

    Internet Explorer version: 8.0.6001.18702

    File system is: NTFS
    Disk drives: C:\ DRIVE_FIXED, D:\ DRIVE_FIXED
    CPU speed: 1.662000 GHz
    Memory total: 2074976256, free: 1276502016

    ------------ Kernel report ------------
    01/02/2013 20:33:40
    ------------ Loaded modules -----------
    \WINDOWS\system32\ntkrnlpa.exe
    \WINDOWS\system32\hal.dll
    \WINDOWS\system32\KDCOM.DLL
    \WINDOWS\system32\BOOTVID.dll
    ACPI.sys
    \WINDOWS\system32\DRIVERS\WMILIB.SYS
    pci.sys
    isapnp.sys
    compbatt.sys
    \WINDOWS\system32\DRIVERS\BATTC.SYS
    MountMgr.sys
    ftdisk.sys
    dmload.sys
    dmio.sys
    PartMgr.sys
    ACPIEC.sys
    \WINDOWS\system32\DRIVERS\OPRGHDLR.SYS
    VolSnap.sys
    iaStor.sys
    disk.sys
    \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
    fltMgr.sys
    sr.sys
    MpFilter.sys
    PxHelp20.sys
    KSecDD.sys
    Ntfs.sys
    NDIS.sys
    Mup.sys
    \SystemRoot\system32\DRIVERS\intelppm.sys
    \SystemRoot\system32\DRIVERS\CmBatt.sys
    \SystemRoot\system32\DRIVERS\igxpmp32.sys
    \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
    \SystemRoot\system32\DRIVERS\usbuhci.sys
    \SystemRoot\system32\DRIVERS\USBPORT.SYS
    \SystemRoot\system32\DRIVERS\usbehci.sys
    \SystemRoot\system32\DRIVERS\HDAudBus.sys
    \SystemRoot\system32\DRIVERS\athw.sys
    \SystemRoot\system32\DRIVERS\Rtenicxp.sys
    \SystemRoot\system32\DRIVERS\i8042prt.sys
    \SystemRoot\system32\DRIVERS\HpqKbFiltr.sys
    \SystemRoot\system32\DRIVERS\WDFLDR.SYS
    \SystemRoot\system32\DRIVERS\Wdf01000.sys
    \SystemRoot\system32\DRIVERS\kbdclass.sys
    \SystemRoot\system32\DRIVERS\SynTP.sys
    \SystemRoot\system32\DRIVERS\USBD.SYS
    \SystemRoot\system32\DRIVERS\mouclass.sys
    \SystemRoot\system32\DRIVERS\imapi.sys
    \SystemRoot\system32\DRIVERS\cdrom.sys
    \SystemRoot\system32\DRIVERS\redbook.sys
    \SystemRoot\system32\DRIVERS\ks.sys
    \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
    \SystemRoot\system32\DRIVERS\wmiacpi.sys
    \SystemRoot\system32\DRIVERS\audstub.sys
    \SystemRoot\system32\DRIVERS\rasl2tp.sys
    \SystemRoot\system32\DRIVERS\ndistapi.sys
    \SystemRoot\system32\DRIVERS\ndiswan.sys
    \SystemRoot\system32\DRIVERS\raspppoe.sys
    \SystemRoot\system32\DRIVERS\raspptp.sys
    \SystemRoot\system32\DRIVERS\TDI.SYS
    \SystemRoot\system32\DRIVERS\psched.sys
    \SystemRoot\system32\DRIVERS\msgpc.sys
    \SystemRoot\system32\DRIVERS\ptilink.sys
    \SystemRoot\system32\DRIVERS\raspti.sys
    \SystemRoot\system32\DRIVERS\rdpdr.sys
    \SystemRoot\system32\DRIVERS\termdd.sys
    \SystemRoot\system32\DRIVERS\swenum.sys
    \SystemRoot\system32\DRIVERS\update.sys
    \SystemRoot\system32\DRIVERS\mssmbios.sys
    \SystemRoot\system32\DRIVERS\ew_jubusenum.sys
    \SystemRoot\system32\DRIVERS\wsimd.sys
    \SystemRoot\System32\Drivers\NDProxy.SYS
    \SystemRoot\system32\DRIVERS\usbhub.sys
    \SystemRoot\system32\drivers\sthda.sys
    \SystemRoot\system32\drivers\portcls.sys
    \SystemRoot\system32\drivers\drmk.sys
    \SystemRoot\system32\drivers\AESTAud.sys
    \SystemRoot\system32\drivers\IntcHdmi.sys
    \SystemRoot\System32\Drivers\Fs_Rec.SYS
    \SystemRoot\System32\Drivers\Null.SYS
    \SystemRoot\System32\Drivers\Beep.SYS
    \SystemRoot\System32\Drivers\aswKbd.SYS
    \SystemRoot\System32\drivers\vga.sys
    \SystemRoot\System32\Drivers\mnmdd.SYS
    \SystemRoot\System32\DRIVERS\RDPCDD.sys
    \SystemRoot\System32\Drivers\Msfs.SYS
    \SystemRoot\System32\Drivers\Npfs.SYS
    \SystemRoot\system32\DRIVERS\rasacd.sys
    \SystemRoot\system32\DRIVERS\ipsec.sys
    \SystemRoot\system32\DRIVERS\tcpip.sys
    \SystemRoot\system32\DRIVERS\netbt.sys
    \SystemRoot\system32\DRIVERS\ipnat.sys
    \SystemRoot\System32\drivers\afd.sys
    \SystemRoot\system32\DRIVERS\netbios.sys
    \SystemRoot\system32\DRIVERS\rdbss.sys
    \SystemRoot\system32\DRIVERS\wanarp.sys
    \SystemRoot\system32\DRIVERS\mrxsmb.sys
    \SystemRoot\System32\Drivers\Fips.SYS
    \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
    \SystemRoot\system32\DRIVERS\usbccgp.sys
    \SystemRoot\System32\Drivers\usbvideo.sys
    \SystemRoot\System32\Drivers\Cdfs.SYS
    \SystemRoot\System32\Drivers\dump_iaStor.sys
    \SystemRoot\System32\win32k.sys
    \SystemRoot\System32\drivers\Dxapi.sys
    \SystemRoot\System32\watchdog.sys
    \SystemRoot\System32\drivers\dxg.sys
    \SystemRoot\System32\drivers\dxgthk.sys
    \SystemRoot\System32\igxpgd32.dll
    \SystemRoot\System32\igxprd32.dll
    \SystemRoot\System32\igxpdv32.DLL
    \SystemRoot\System32\igxpdx32.DLL
    \SystemRoot\System32\ATMFD.DLL
    \SystemRoot\system32\DRIVERS\ndisuio.sys
    \SystemRoot\system32\DRIVERS\ewusbmdm.sys
    \SystemRoot\system32\DRIVERS\mrxdav.sys
    \SystemRoot\system32\drivers\wdmaud.sys
    \SystemRoot\system32\drivers\sysaudio.sys
    \SystemRoot\system32\DRIVERS\srv.sys
    \SystemRoot\System32\Drivers\HTTP.sys
    \SystemRoot\System32\Drivers\Modem.SYS
    \SystemRoot\system32\DRIVERS\ewusbnet.sys
    \SystemRoot\system32\DRIVERS\USBSTOR.SYS
    \SystemRoot\system32\DRIVERS\hidusb.sys
    \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
    \SystemRoot\system32\DRIVERS\mouhid.sys
    \??\C:\WINDOWS\system32\drivers\mbamchameleon.sys
    \??\C:\WINDOWS\system32\drivers\mbamswissarmy.sys
    \WINDOWS\system32\ntdll.dll
    ----------- End -----------
    <<<1>>>
    Upper Device Name: \Device\Harddisk1\DR5
    Upper Device Object: 0xffffffff87265900
    Upper Device Driver Name: \Driver\Disk\
    Lower Device Name: \Device\0000009a\
    Lower Device Object: 0xffffffff86f64490
    Lower Device Driver Name: \Driver\usbstor\
    Driver name found: usbstor
    DriverEntry returned 0x0
    Function returned 0x0
    <<<1>>>
    Upper Device Name: \Device\Harddisk0\DR0
    Upper Device Object: 0xffffffff8a56b868
    Upper Device Driver Name: \Driver\Disk\
    Lower Device Name: \Device\Ide\IAAStorageDevice-1\
    Lower Device Object: 0xffffffff8a55c028
    Lower Device Driver Name: \Driver\iaStor\
    Driver name found: iaStor
    DriverEntry returned 0x0
    Function returned 0x0
    Downloaded database version: v2013.01.02.07
    Downloaded database version: v2012.12.27.02
    Initializing...
    Done!
    <<<2>>>
    Device number: 0, partition: 1
    Physical Sector Size: 512
    Drive: 0, DevicePointer: 0xffffffff8a56b868, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
    --------- Disk Stack ------
    DevicePointer: 0xffffffff8a55fe08, DeviceName: Unknown, DriverName: \Driver\PartMgr\
    DevicePointer: 0xffffffff8a56b868, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
    DevicePointer: 0xffffffff8a55c028, DeviceName: \Device\Ide\IAAStorageDevice-1\, DriverName: \Driver\iaStor\
    ------------ End ----------
    Upper DeviceData: 0xffffffffe2d81b20, 0xffffffff8a56b868, 0xffffffff86d37040
    Lower DeviceData: 0xffffffffe35d7d88, 0xffffffff8a55c028, 0xffffffff878ca040
    <<<3>>>
    Volume: C:
    File system type: NTFS
    SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
    Scanning directory: C:\WINDOWS\system32\drivers...
    Done!
    Drive 0
    Scanning MBR on drive 0...
    Inspecting partition table:
    MBR Signature: 55AA
    Disk Signature: 92398F54

    Partition information:

    Partition 0 type is Primary (0x7)
    Partition is ACTIVE.
    Partition starts at LBA: 63 Numsec = 134223012
    Partition file system is NTFS
    Partition is bootable

    Partition 1 type is Primary (0x7)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 134223075 Numsec = 178353630

    Partition 2 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0 Numsec = 0

    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0 Numsec = 0

    Disk Size: 160041885696 bytes
    Sector size: 512 bytes

    Scanning physical sectors of unpartitioned space on drive 0 (1-62-312561808-312581808)...
    Physical Sector Size: 0
    Drive: 1, DevicePointer: 0xffffffff87265900, DeviceName: \Device\Harddisk1\DR5\, DriverName: \Driver\Disk\
    --------- Disk Stack ------
    DevicePointer: 0xffffffff86ef2020, DeviceName: Unknown, DriverName: \Driver\PartMgr\
    DevicePointer: 0xffffffff87265900, DeviceName: \Device\Harddisk1\DR5\, DriverName: \Driver\Disk\
    DevicePointer: 0xffffffff86f64490, DeviceName: \Device\0000009a\, DriverName: \Driver\usbstor\
    ------------ End ----------
    Done!
    Performing system, memory and registry scan...
    Read File: File "C:\Documents and Settings\All Users\Application Data\Lavasoft\AntiMalware\context-menu-settings.xml" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\All Users\Application Data\Lavasoft\AntiMalware\WSCConfig.xml" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\All Users\Application Data\Ad-Aware Browsing Protection\guid.dat" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\All Users\Application Data\Adobe\AIR\eulaAccepted" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\All Users\Application Data\Adobe\Updater6\AdobeESDGlobalApps.xml" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\All Users\Application Data\Mozilla\logs\maintenanceservice-install.log" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\All Users\Application Data\Norton\{086A63F0-6B13-4F29-9695-134E7A01E963}\LC.INI" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\All Users\Application Data\Vodafone\Log\L20120422-165733-2328-VmbService.txt" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\All Users\Application Data\Vodafone\Log\L20120422-170240-2372-VmbService.txt" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\Alma\Application Data\Ad-Aware Antivirus\application-settings.xml" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\Alma\Application Data\Ad-Aware Antivirus\definitions-date.xml" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\Alma\Application Data\Ad-Aware Antivirus\gaming-mode.xml" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\Alma\Application Data\Ad-Aware Antivirus\language.xml" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\Alma\Application Data\Ad-Aware Antivirus\protection-status.xml" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\Alma\Application Data\Ad-Aware Antivirus\update-parameters.xml" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\Alma\Application Data\DDMSettings\settings.ddi" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\Alma\Application Data\Google\Local Search History\google%2Eimages.w" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\Alma\Application Data\Google\Local Search History\google%2Emaps.w" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\Alma\Application Data\Google\Local Search History\U%5Fs94057670%2Eonlinehome%2Eus%5F8N139WOUD2F2D9ZG2ZE2%2Exml.w" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\Alma\Application Data\Google\Local Search History\U%5Ftoolbar%2Egoogle%2Ecom%5FCHW6HL2ILDOMNY4CTR3Q%2Exml.w" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\Alma\Application Data\Microsoft\Office\MSO1046.acl" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\Alma\Application Data\Microsoft\Office\MSO1048.acl" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\Alma\Application Data\Microsoft\Office\Word12.pip" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\Alma\Application Data\Microsoft\Proof\CUSTOM.DIC" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\Alma\Application Data\Microsoft\Protect\CREDHIST" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\Alma\Application Data\Stellarium\data\user_locations.txt" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\Alma\Application Data\vlc\ml.xspf" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\Default User\Application Data\desktop.ini" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\Default User\Application Data\Microsoft\Internet Explorer\brndlog.txt" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\Guest\Application Data\desktop.ini" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\Guest\Application Data\Microsoft\Internet Explorer\brndlog.txt" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\Guest\Application Data\Microsoft\Protect\CREDHIST" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\config\systemprofile\Application Data\desktop.ini" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Internet Explorer\brndlog.txt" is compressed (flags = 1)
    Read File: File "C:\Program Files\Outlook Express\msoe.txt" is compressed (flags = 1)
    Read File: File "C:\Program Files\Windows Media Player\npdrmv2.zip" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\Default User\Start Menu\Programs\Startup\desktop.ini" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\desktop.ini" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\desktop.ini" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\login.cmd" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\l_except.nls" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\rp_rules.dat" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\rp_stats.dat" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\View Channels.scf" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\dsound.vxd" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\pcl.sep" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\perfci.h" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\perffilt.h" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\perfwci.h" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\prodspec.ini" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\pscript.sep" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\cmos.ram" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\config\systemprofile\Application Data\desktop.ini" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\desktop.ini" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\drivers\etc\networks" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\oobe\migip.dun" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\oobe\migrate.isp" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\oobe\msobe.isp" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\oobe\obeip.dun" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\oobe\oobeinfo.ini" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\oobe\reg.isp" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\wbem\wmiclivalueformat.xsl" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\Alma\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\Guest\ntuser.ini" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\Default User\Local Settings\desktop.ini" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\Guest\Local Settings\desktop.ini" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\config\systemprofile\Local Settings\desktop.ini" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\ODBC.INI" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\vb.ini" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\vbaddin.ini" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\_delis43.ini" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\desktop.ini" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\DtcInstall.log" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\explorer.scf" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\cmsetacl.log" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\assembly\GAC\Microsoft.Vbe.Interop.Forms\11.0.0.0__71e9bce111e9429c\__AssemblyInfo__.ini" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\assembly\GAC\ADODB\7.0.3300.0__b03f5f7f11d50a3a\__AssemblyInfo__.ini" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\assembly\GAC\dao\10.0.4504.0__31bf3856ad364e35\__AssemblyInfo__.ini" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\assembly\GAC\Microsoft.Office.Interop.Access\11.0.0.0__71e9bce111e9429c\__AssemblyInfo__.ini" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\assembly\GAC\Microsoft.Office.Interop.Excel\11.0.0.0__71e9bce111e9429c\__AssemblyInfo__.ini" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\assembly\GAC\Microsoft.Office.Interop.Graph\11.0.0.0__71e9bce111e9429c\__AssemblyInfo__.ini" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\assembly\GAC\Microsoft.Office.Interop.InfoPath\11.0.0.0__71e9bce111e9429c\__AssemblyInfo__.ini" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\assembly\GAC\Microsoft.Office.Interop.InfoPath.Xml\11.0.0.0__71e9bce111e9429c\__AssemblyInfo__.ini" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\assembly\GAC\Microsoft.Office.Interop.Outlook\11.0.0.0__71e9bce111e9429c\__AssemblyInfo__.ini" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\assembly\GAC\Microsoft.Office.Interop.OutlookViewCtl\11.0.0.0__71e9bce111e9429c\__AssemblyInfo__.ini" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\assembly\GAC\Microsoft.Office.Interop.Owc11\11.0.0.0__71e9bce111e9429c\__AssemblyInfo__.ini" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\assembly\GAC\Microsoft.Office.Interop.PowerPoint\11.0.0.0__71e9bce111e9429c\__AssemblyInfo__.ini" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\assembly\GAC\Microsoft.Office.Interop.Publisher\11.0.0.0__71e9bce111e9429c\__AssemblyInfo__.ini" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\assembly\GAC\Microsoft.Office.Interop.SmartTag\11.0.0.0__71e9bce111e9429c\__AssemblyInfo__.ini" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\assembly\GAC\Microsoft.Office.Interop.Word\11.0.0.0__71e9bce111e9429c\__AssemblyInfo__.ini" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\assembly\GAC\Microsoft.Vbe.Interop\11.0.0.0__71e9bce111e9429c\__AssemblyInfo__.ini" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\assembly\GAC\mscomctl\10.0.4504.0__31bf3856ad364e35\__AssemblyInfo__.ini" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\assembly\GAC\MSDATASRC\7.0.3300.0__b03f5f7f11d50a3a\__AssemblyInfo__.ini" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\assembly\GAC\office\11.0.0.0__71e9bce111e9429c\__AssemblyInfo__.ini" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\assembly\GAC\stdole\7.0.3300.0__b03f5f7f11d50a3a\__AssemblyInfo__.ini" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\Debug\blastcln.log" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\Downloaded Program Files\desktop.ini" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\Downloaded Program Files\muweb.inf" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\Fonts\desktop.ini" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\Help\ciadmin.htm" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\Help\conf.cnt" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\Help\connect.cnt" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\Help\mshearts.cnt" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\Help\msnauth.cnt" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\Help\nocontnt.cnt" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\Help\ratings.cnt" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\Help\update.cnt" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\Help\windows.cnt" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\Help\winhlp32.cnt" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\installutil.exe.config" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\regsvcs.exe.config" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\gacutil.exe.config" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\regsvcs.exe.config" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Aspnet.config" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet.mof.uninstall" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Aspnet_regsql.exe.config" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state_perf.h" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\vbc.exe.config" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\jsc.exe.config" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\caspol.exe.config" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\XPThemes.manifest" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\regsvcs.exe.config" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\_DataOracleClientPerfCounters_shared12_neutral.h" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\_dataperfcounters_shared12_neutral.h" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\regasm.exe.config" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ieexec.exe.config" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ilasm.exe.config" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\webAdminNoNavBar.master" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe.config" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\Microsoft.NET\Framework\v3.5\AddInProcess.exe.config" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\Microsoft.NET\Framework\v3.5\AddInProcess32.exe.config" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\Microsoft.NET\Framework\v3.5\AddInUtil.exe.config" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\Microsoft.NET\Framework\v3.5\csc.exe.config" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\Microsoft.NET\Framework\v3.5\DataSvcUtil.exe.config" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\Microsoft.NET\Framework\v3.5\default.win32manifest" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\Microsoft.NET\Framework\v3.5\EdmGen.exe.config" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\Microsoft.NET\Framework\v3.5\vbc.exe.config" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\Web\bullet.gif" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\Alma\Local Settings\Application Data\Google\firefox-toolbar.xml" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\Alma\Local Settings\History\History.IE5\index.dat" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\Default User\Local Settings\desktop.ini" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\Default User\Local Settings\History\desktop.ini" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\Default User\Local Settings\History\History.IE5\desktop.ini" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\Guest\Local Settings\desktop.ini" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\Guest\Local Settings\History\desktop.ini" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\Guest\Local Settings\History\History.IE5\desktop.ini" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\LocalService\Local Settings\History\desktop.ini" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\desktop.ini" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\NetworkService\Local Settings\History\desktop.ini" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\desktop.ini" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\config\systemprofile\Local Settings\desktop.ini" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\config\systemprofile\Local Settings\History\desktop.ini" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\desktop.ini" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\Alma\Local Settings\Application Data\Microsoft\Feeds Cache\desktop.ini" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\Alma\Local Settings\Application Data\Microsoft\Media Player\wmpfolders.wmdb" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\Alma\Local Settings\Application Data\Google\firefox-toolbar.xml" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\Alma\Local Settings\Application Data\Yahoo\Y!Msgr\merlin.log" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\Guest\Local Settings\Application Data\Microsoft\Feeds Cache\desktop.ini" is compressed (flags = 1)
    Infected: C:\Documents and Settings\All Users\Application Data\dsgsdgdsgdsgw.pad --> [Exploit.Drop.GSA]
    Done!
    Scan finished
    =======================================


    ---------------------------------------
    Malwarebytes Anti-Rootkit BETA 1.01.0.1011

    (c) Malwarebytes Corporation 2011-2012

    OS version: 5.1.2600 Windows XP Service Pack 3 x86

    Account is Administrative

    Internet Explorer version: 8.0.6001.18702

    File system is: NTFS
    Disk drives: C:\ DRIVE_FIXED, D:\ DRIVE_FIXED
    CPU speed: 1.662000 GHz
    Memory total: 2074976256, free: 1170939904

    ------------ Kernel report ------------
    01/03/2013 09:45:24
    ------------ Loaded modules -----------
    \WINDOWS\system32\ntkrnlpa.exe
    \WINDOWS\system32\hal.dll
    \WINDOWS\system32\KDCOM.DLL
    \WINDOWS\system32\BOOTVID.dll
    ACPI.sys
    \WINDOWS\system32\DRIVERS\WMILIB.SYS
    pci.sys
    isapnp.sys
    compbatt.sys
    \WINDOWS\system32\DRIVERS\BATTC.SYS
    MountMgr.sys
    ftdisk.sys
    dmload.sys
    dmio.sys
    PartMgr.sys
    ACPIEC.sys
    \WINDOWS\system32\DRIVERS\OPRGHDLR.SYS
    VolSnap.sys
    iaStor.sys
    disk.sys
    \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
    fltMgr.sys
    sr.sys
    MpFilter.sys
    PxHelp20.sys
    KSecDD.sys
    Ntfs.sys
    NDIS.sys
    Mup.sys
    \SystemRoot\system32\DRIVERS\intelppm.sys
    \SystemRoot\system32\DRIVERS\CmBatt.sys
    \SystemRoot\system32\DRIVERS\igxpmp32.sys
    \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
    \SystemRoot\system32\DRIVERS\usbuhci.sys
    \SystemRoot\system32\DRIVERS\USBPORT.SYS
    \SystemRoot\system32\DRIVERS\usbehci.sys
    \SystemRoot\system32\DRIVERS\HDAudBus.sys
    \SystemRoot\system32\DRIVERS\athw.sys
    \SystemRoot\system32\DRIVERS\Rtenicxp.sys
    \SystemRoot\system32\DRIVERS\i8042prt.sys
    \SystemRoot\system32\DRIVERS\HpqKbFiltr.sys
    \SystemRoot\system32\DRIVERS\WDFLDR.SYS
    \SystemRoot\system32\DRIVERS\Wdf01000.sys
    \SystemRoot\system32\DRIVERS\kbdclass.sys
    \SystemRoot\system32\DRIVERS\SynTP.sys
    \SystemRoot\system32\DRIVERS\USBD.SYS
    \SystemRoot\system32\DRIVERS\mouclass.sys
    \SystemRoot\system32\DRIVERS\imapi.sys
    \SystemRoot\system32\DRIVERS\cdrom.sys
    \SystemRoot\system32\DRIVERS\redbook.sys
    \SystemRoot\system32\DRIVERS\ks.sys
    \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
    \SystemRoot\system32\DRIVERS\wmiacpi.sys
    \SystemRoot\system32\DRIVERS\audstub.sys
    \SystemRoot\system32\DRIVERS\rasl2tp.sys
    \SystemRoot\system32\DRIVERS\ndistapi.sys
    \SystemRoot\system32\DRIVERS\ndiswan.sys
    \SystemRoot\system32\DRIVERS\raspppoe.sys
    \SystemRoot\system32\DRIVERS\raspptp.sys
    \SystemRoot\system32\DRIVERS\TDI.SYS
    \SystemRoot\system32\DRIVERS\psched.sys
    \SystemRoot\system32\DRIVERS\msgpc.sys
    \SystemRoot\system32\DRIVERS\ptilink.sys
    \SystemRoot\system32\DRIVERS\raspti.sys
    \SystemRoot\system32\DRIVERS\rdpdr.sys
    \SystemRoot\system32\DRIVERS\termdd.sys
    \SystemRoot\system32\DRIVERS\swenum.sys
    \SystemRoot\system32\DRIVERS\update.sys
    \SystemRoot\system32\DRIVERS\mssmbios.sys
    \SystemRoot\system32\DRIVERS\ew_jubusenum.sys
    \SystemRoot\system32\DRIVERS\wsimd.sys
    \SystemRoot\System32\Drivers\NDProxy.SYS
    \SystemRoot\system32\DRIVERS\usbhub.sys
    \SystemRoot\system32\drivers\sthda.sys
    \SystemRoot\system32\drivers\portcls.sys
    \SystemRoot\system32\drivers\drmk.sys
    \SystemRoot\system32\drivers\AESTAud.sys
    \SystemRoot\system32\drivers\IntcHdmi.sys
    \SystemRoot\System32\Drivers\Fs_Rec.SYS
    \SystemRoot\System32\Drivers\Null.SYS
    \SystemRoot\System32\Drivers\Beep.SYS
    \SystemRoot\System32\Drivers\aswKbd.SYS
    \SystemRoot\System32\drivers\vga.sys
    \SystemRoot\System32\Drivers\mnmdd.SYS
    \SystemRoot\System32\DRIVERS\RDPCDD.sys
    \SystemRoot\System32\Drivers\Msfs.SYS
    \SystemRoot\System32\Drivers\Npfs.SYS
    \SystemRoot\system32\DRIVERS\rasacd.sys
    \SystemRoot\system32\DRIVERS\ipsec.sys
    \SystemRoot\system32\DRIVERS\tcpip.sys
    \SystemRoot\system32\DRIVERS\netbt.sys
    \SystemRoot\system32\DRIVERS\ipnat.sys
    \SystemRoot\System32\drivers\afd.sys
    \SystemRoot\system32\DRIVERS\netbios.sys
    \SystemRoot\system32\DRIVERS\rdbss.sys
    \SystemRoot\system32\DRIVERS\wanarp.sys
    \SystemRoot\system32\DRIVERS\mrxsmb.sys
    \SystemRoot\System32\Drivers\Fips.SYS
    \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
    \SystemRoot\system32\DRIVERS\usbccgp.sys
    \SystemRoot\System32\Drivers\usbvideo.sys
    \SystemRoot\System32\Drivers\Cdfs.SYS
    \SystemRoot\System32\Drivers\dump_iaStor.sys
    \SystemRoot\System32\win32k.sys
    \SystemRoot\System32\drivers\Dxapi.sys
    \SystemRoot\System32\watchdog.sys
    \SystemRoot\System32\drivers\dxg.sys
    \SystemRoot\System32\drivers\dxgthk.sys
    \SystemRoot\System32\igxpgd32.dll
    \SystemRoot\System32\igxprd32.dll
    \SystemRoot\System32\igxpdv32.DLL
    \SystemRoot\System32\igxpdx32.DLL
    \SystemRoot\System32\ATMFD.DLL
    \SystemRoot\system32\DRIVERS\ndisuio.sys
    \SystemRoot\system32\DRIVERS\ewusbmdm.sys
    \SystemRoot\system32\DRIVERS\mrxdav.sys
    \SystemRoot\system32\drivers\wdmaud.sys
    \SystemRoot\system32\drivers\sysaudio.sys
    \SystemRoot\system32\DRIVERS\srv.sys
    \SystemRoot\System32\Drivers\HTTP.sys
    \SystemRoot\System32\Drivers\Modem.SYS
    \SystemRoot\system32\DRIVERS\ewusbnet.sys
    \SystemRoot\system32\DRIVERS\USBSTOR.SYS
    \SystemRoot\system32\DRIVERS\hidusb.sys
    \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
    \SystemRoot\system32\DRIVERS\mouhid.sys
    \??\C:\WINDOWS\system32\drivers\mbamchameleon.sys
    \??\C:\WINDOWS\system32\drivers\mbamswissarmy.sys
    \WINDOWS\system32\ntdll.dll
    ----------- End -----------
    <<<1>>>
    Upper Device Name: \Device\Harddisk0\DR0
    Upper Device Object: 0xffffffff8a56b868
    Upper Device Driver Name: \Driver\Disk\
    Lower Device Name: \Device\Ide\IAAStorageDevice-1\
    Lower Device Object: 0xffffffff8a55c028
    Lower Device Driver Name: \Driver\iaStor\
    Device already Exists: 0xffffffff878ca040
    Downloaded database version: v2013.01.02.08
    Downloaded database version: v2013.01.02.09
    Downloaded database version: v2013.01.02.10
    Initializing...
    Done!
    <<<2>>>
    Device number: 0, partition: 1
    Physical Sector Size: 512
    Drive: 0, DevicePointer: 0xffffffff8a56b868, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
    --------- Disk Stack ------
    DevicePointer: 0xffffffff8a55fe08, DeviceName: Unknown, DriverName: \Driver\PartMgr\
    DevicePointer: 0xffffffff8a56b868, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
    DevicePointer: 0xffffffff8a55c028, DeviceName: \Device\Ide\IAAStorageDevice-1\, DriverName: \Driver\iaStor\
    ------------ End ----------
    Upper DeviceData: 0xffffffffe2d5f650, 0xffffffff8a56b868, 0xffffffff86d37040
    Lower DeviceData: 0xffffffffe19352a0, 0xffffffff8a55c028, 0xffffffff878ca040
    <<<3>>>
    Volume: C:
    File system type: NTFS
    SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
    Scanning directory: C:\WINDOWS\system32\drivers...
    Done!
    Drive 0
    Scanning MBR on drive 0...
    Inspecting partition table:
    MBR Signature: 55AA
    Disk Signature: 92398F54

    Partition information:

    Partition 0 type is Primary (0x7)
    Partition is ACTIVE.
    Partition starts at LBA: 63 Numsec = 134223012
    Partition file system is NTFS
    Partition is bootable

    Partition 1 type is Primary (0x7)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 134223075 Numsec = 178353630

    Partition 2 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0 Numsec = 0

    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0 Numsec = 0

    Disk Size: 160041885696 bytes
    Sector size: 512 bytes

    Scanning physical sectors of unpartitioned space on drive 0 (1-62-312561808-312581808)...
    Done!
    Performing system, memory and registry scan...
    Read File: File "C:\Documents and Settings\All Users\Application Data\Lavasoft\AntiMalware\context-menu-settings.xml" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\All Users\Application Data\Lavasoft\AntiMalware\WSCConfig.xml" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\All Users\Application Data\Ad-Aware Browsing Protection\guid.dat" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\All Users\Application Data\Adobe\AIR\eulaAccepted" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\All Users\Application Data\Adobe\Updater6\AdobeESDGlobalApps.xml" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\All Users\Application Data\Mozilla\logs\maintenanceservice-install.log" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\All Users\Application Data\Norton\{086A63F0-6B13-4F29-9695-134E7A01E963}\LC.INI" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\All Users\Application Data\Vodafone\Log\L20120422-165733-2328-VmbService.txt" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\All Users\Application Data\Vodafone\Log\L20120422-170240-2372-VmbService.txt" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\Alma\Application Data\Ad-Aware Antivirus\application-settings.xml" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\Alma\Application Data\Ad-Aware Antivirus\definitions-date.xml" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\Alma\Application Data\Ad-Aware Antivirus\gaming-mode.xml" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\Alma\Application Data\Ad-Aware Antivirus\language.xml" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\Alma\Application Data\Ad-Aware Antivirus\protection-status.xml" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\Alma\Application Data\Ad-Aware Antivirus\update-parameters.xml" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\Alma\Application Data\DDMSettings\settings.ddi" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\Alma\Application Data\Google\Local Search History\google%2Eimages.w" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\Alma\Application Data\Google\Local Search History\google%2Emaps.w" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\Alma\Application Data\Google\Local Search History\U%5Fs94057670%2Eonlinehome%2Eus%5F8N139WOUD2F2D9ZG2ZE2%2Exml.w" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\Alma\Application Data\Google\Local Search History\U%5Ftoolbar%2Egoogle%2Ecom%5FCHW6HL2ILDOMNY4CTR3Q%2Exml.w" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\Alma\Application Data\Microsoft\Office\MSO1046.acl" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\Alma\Application Data\Microsoft\Office\MSO1048.acl" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\Alma\Application Data\Microsoft\Office\Word12.pip" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\Alma\Application Data\Microsoft\Proof\CUSTOM.DIC" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\Alma\Application Data\Microsoft\Protect\CREDHIST" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\Alma\Application Data\Stellarium\data\user_locations.txt" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\Alma\Application Data\vlc\ml.xspf" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\Default User\Application Data\desktop.ini" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\Default User\Application Data\Microsoft\Internet Explorer\brndlog.txt" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\Guest\Application Data\desktop.ini" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\Guest\Application Data\Microsoft\Internet Explorer\brndlog.txt" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\Guest\Application Data\Microsoft\Protect\CREDHIST" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\config\systemprofile\Application Data\desktop.ini" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Internet Explorer\brndlog.txt" is compressed (flags = 1)
    Read File: File "C:\Program Files\Outlook Express\msoe.txt" is compressed (flags = 1)
    Read File: File "C:\Program Files\Windows Media Player\npdrmv2.zip" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\Default User\Start Menu\Programs\Startup\desktop.ini" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\desktop.ini" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\desktop.ini" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\login.cmd" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\l_except.nls" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\rp_rules.dat" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\rp_stats.dat" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\View Channels.scf" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\dsound.vxd" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\pcl.sep" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\perfci.h" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\perffilt.h" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\perfwci.h" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\prodspec.ini" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\pscript.sep" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\cmos.ram" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\config\systemprofile\Application Data\desktop.ini" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\desktop.ini" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\drivers\etc\networks" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\oobe\migip.dun" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\oobe\migrate.isp" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\oobe\msobe.isp" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\oobe\obeip.dun" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\oobe\oobeinfo.ini" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\oobe\reg.isp" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\wbem\wmiclivalueformat.xsl" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\Alma\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\Guest\ntuser.ini" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\Default User\Local Settings\desktop.ini" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\Guest\Local Settings\desktop.ini" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\config\systemprofile\Local Settings\desktop.ini" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\ODBC.INI" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\vb.ini" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\vbaddin.ini" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\_delis43.ini" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\desktop.ini" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\DtcInstall.log" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\explorer.scf" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\cmsetacl.log" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\assembly\GAC\Microsoft.Vbe.Interop.Forms\11.0.0.0__71e9bce111e9429c\__AssemblyInfo__.ini" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\assembly\GAC\ADODB\7.0.3300.0__b03f5f7f11d50a3a\__AssemblyInfo__.ini" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\assembly\GAC\dao\10.0.4504.0__31bf3856ad364e35\__AssemblyInfo__.ini" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\assembly\GAC\Microsoft.Office.Interop.Access\11.0.0.0__71e9bce111e9429c\__AssemblyInfo__.ini" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\assembly\GAC\Microsoft.Office.Interop.Excel\11.0.0.0__71e9bce111e9429c\__AssemblyInfo__.ini" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\assembly\GAC\Microsoft.Office.Interop.Graph\11.0.0.0__71e9bce111e9429c\__AssemblyInfo__.ini" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\assembly\GAC\Microsoft.Office.Interop.InfoPath\11.0.0.0__71e9bce111e9429c\__AssemblyInfo__.ini" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\assembly\GAC\Microsoft.Office.Interop.InfoPath.Xml\11.0.0.0__71e9bce111e9429c\__AssemblyInfo__.ini" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\assembly\GAC\Microsoft.Office.Interop.Outlook\11.0.0.0__71e9bce111e9429c\__AssemblyInfo__.ini" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\assembly\GAC\Microsoft.Office.Interop.OutlookViewCtl\11.0.0.0__71e9bce111e9429c\__AssemblyInfo__.ini" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\assembly\GAC\Microsoft.Office.Interop.Owc11\11.0.0.0__71e9bce111e9429c\__AssemblyInfo__.ini" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\assembly\GAC\Microsoft.Office.Interop.PowerPoint\11.0.0.0__71e9bce111e9429c\__AssemblyInfo__.ini" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\assembly\GAC\Microsoft.Office.Interop.Publisher\11.0.0.0__71e9bce111e9429c\__AssemblyInfo__.ini" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\assembly\GAC\Microsoft.Office.Interop.SmartTag\11.0.0.0__71e9bce111e9429c\__AssemblyInfo__.ini" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\assembly\GAC\Microsoft.Office.Interop.Word\11.0.0.0__71e9bce111e9429c\__AssemblyInfo__.ini" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\assembly\GAC\Microsoft.Vbe.Interop\11.0.0.0__71e9bce111e9429c\__AssemblyInfo__.ini" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\assembly\GAC\mscomctl\10.0.4504.0__31bf3856ad364e35\__AssemblyInfo__.ini" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\assembly\GAC\MSDATASRC\7.0.3300.0__b03f5f7f11d50a3a\__AssemblyInfo__.ini" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\assembly\GAC\office\11.0.0.0__71e9bce111e9429c\__AssemblyInfo__.ini" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\assembly\GAC\stdole\7.0.3300.0__b03f5f7f11d50a3a\__AssemblyInfo__.ini" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\Debug\blastcln.log" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\Downloaded Program Files\desktop.ini" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\Downloaded Program Files\muweb.inf" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\Fonts\desktop.ini" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\Help\ciadmin.htm" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\Help\conf.cnt" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\Help\connect.cnt" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\Help\mshearts.cnt" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\Help\msnauth.cnt" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\Help\nocontnt.cnt" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\Help\ratings.cnt" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\Help\update.cnt" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\Help\windows.cnt" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\Help\winhlp32.cnt" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\installutil.exe.config" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\regsvcs.exe.config" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\gacutil.exe.config" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\regsvcs.exe.config" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Aspnet.config" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet.mof.uninstall" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Aspnet_regsql.exe.config" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state_perf.h" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\vbc.exe.config" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\jsc.exe.config" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\caspol.exe.config" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\XPThemes.manifest" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\regsvcs.exe.config" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\_DataOracleClientPerfCounters_shared12_neutral.h" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\_dataperfcounters_shared12_neutral.h" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\regasm.exe.config" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ieexec.exe.config" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ilasm.exe.config" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\webAdminNoNavBar.master" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe.config" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\Microsoft.NET\Framework\v3.5\AddInProcess.exe.config" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\Microsoft.NET\Framework\v3.5\AddInProcess32.exe.config" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\Microsoft.NET\Framework\v3.5\AddInUtil.exe.config" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\Microsoft.NET\Framework\v3.5\csc.exe.config" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\Microsoft.NET\Framework\v3.5\DataSvcUtil.exe.config" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\Microsoft.NET\Framework\v3.5\default.win32manifest" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\Microsoft.NET\Framework\v3.5\EdmGen.exe.config" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\Microsoft.NET\Framework\v3.5\vbc.exe.config" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\Web\bullet.gif" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\Alma\Local Settings\Application Data\Google\firefox-toolbar.xml" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\Alma\Local Settings\History\History.IE5\index.dat" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\Default User\Local Settings\desktop.ini" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\Default User\Local Settings\History\desktop.ini" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\Default User\Local Settings\History\History.IE5\desktop.ini" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\Guest\Local Settings\desktop.ini" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\Guest\Local Settings\History\desktop.ini" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\Guest\Local Settings\History\History.IE5\desktop.ini" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\LocalService\Local Settings\History\desktop.ini" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\desktop.ini" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\NetworkService\Local Settings\History\desktop.ini" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\desktop.ini" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\config\systemprofile\Local Settings\desktop.ini" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\config\systemprofile\Local Settings\History\desktop.ini" is compressed (flags = 1)
    Read File: File "C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\desktop.ini" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\Alma\Local Settings\Application Data\Microsoft\Feeds Cache\desktop.ini" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\Alma\Local Settings\Application Data\Microsoft\Media Player\wmpfolders.wmdb" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\Alma\Local Settings\Application Data\Google\firefox-toolbar.xml" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\Alma\Local Settings\Application Data\Yahoo\Y!Msgr\merlin.log" is compressed (flags = 1)
    Read File: File "C:\Documents and Settings\Guest\Local Settings\Application Data\Microsoft\Feeds Cache\desktop.ini" is compressed (flags = 1)
    Infected: C:\Documents and Settings\All Users\Application Data\dsgsdgdsgdsgw.pad --> [Exploit.Drop.GSA]
    Done!
    Scan finished
    Creating System Restore point...
    Scheduling clean up...
    <<<2>>>
    Device number: 0, partition: 1
    <<<3>>>
    Volume: C:
    File system type: NTFS
    SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
    Removal successful. No system shutdown is required.
    =======================================
     
  7. Mark1956

    Mark1956

    Joined:
    May 7, 2011
    Messages:
    14,142
    Please now run this and post the log, then run FSS again which you used earlier and post the new log from it.


    • Click on this link Services Repair and save it to your desktop.
    • Close your browser and double click on the Services Repair icon on you desktop.
    • Accept any confirmation pop ups that may appear to allow the tool to run.
    • A box will pop up showing it has completed, if asked if you want to reboot select yes.
    • After the reboot you will see a new folder created on the desktop called CCSupport. Double click on it, then double click on Logs and then double click on SvcRepair.
    • You will see a log open up, Copy the entire log and Paste it into your next reply.
    • Then run FSS again with all the boxes checked and post the log.
     
  8. Mark1956

    Mark1956

    Joined:
    May 7, 2011
    Messages:
    14,142
    Double click on the attachment and save it to your desktop. Extract the contents of the zip file and then double click on the .reg file, accept all the prompts to allow it to run.

    Please then reboot the PC and run the Farbar Service Scanner you used earlier and post the new log.
     

    Attached Files:

  9. rem_2007

    rem_2007 Thread Starter

    Joined:
    Nov 21, 2007
    Messages:
    63
    Hi, here are the logs :
    Log Opened: 2013-01-03 @ 22:55:19
    22:55:19 - -----------------
    22:55:19 - | Begin Logging |
    22:55:19 - -----------------
    22:55:19 - Fix started on a WIN_XP X86 computer
    22:55:19 - Prep in progress. Please Wait.
    22:55:23 - Prep complete
    22:55:23 - Repairing Services Now. Please wait...

    The operation completed successfully
    INFO: The restore action ignores the object name parameter (paths are read from the backup file). However, other actions that require the object name may be combined with -restore.
    INFORMATION: Input file for restore operation opened: '.\XP\BITS.sddl'
    INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\BITS\Enum>
    INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\BITS\Security>
    INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\BITS\Parameters>
    INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\BITS>

    SetACL finished successfully.

    The operation completed successfully
    INFO: The restore action ignores the object name parameter (paths are read from the backup file). However, other actions that require the object name may be combined with -restore.
    INFORMATION: Input file for restore operation opened: '.\XP\SharedAccess.sddl'
    INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Enum>
    INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Setup>
    INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List>
    INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications>
    INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile>
    INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List>
    INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications>
    INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile>
    INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Parameters\FirewallPolicy>
    INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Parameters>
    INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Epoch>
    INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess>

    SetACL finished successfully.

    The operation completed successfully
    INFO: The restore action ignores the object name parameter (paths are read from the backup file). However, other actions that require the object name may be combined with -restore.
    INFORMATION: Input file for restore operation opened: '.\XP\wscsvc.sddl'
    INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\wscsvc\Enum>
    INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\wscsvc\Security>
    INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\wscsvc\Parameters>
    INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\wscsvc>

    SetACL finished successfully.

    The operation completed successfully
    INFO: The restore action ignores the object name parameter (paths are read from the backup file). However, other actions that require the object name may be combined with -restore.
    INFORMATION: Input file for restore operation opened: '.\XP\wuauserv.sddl'
    INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\wuauserv\Enum>
    INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\wuauserv\Security>
    INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\wuauserv\Parameters>
    INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\wuauserv>

    SetACL finished successfully.
    22:55:26 - Services Repair Complete.
    22:55:45 - Reboot Initiated

    Farbar Service Scanner Version: 23-12-2012
    Ran by Alma (administrator) on 03-01-2013 at 23:02:03
    Running from "C:\Documents and Settings\Alma\Desktop"
    Microsoft Windows XP Service Pack 3 (X86)
    Boot Mode: Normal
    ****************************************************************

    Internet Services:
    ============

    Connection Status:
    ==============
    Localhost is accessible.
    LAN connected.
    Google IP is accessible.
    Google.com is accessible.
    Yahoo IP is accessible.
    Yahoo.com is accessible.


    Windows Firewall:
    =============
    sharedaccess Service is not running. Checking service configuration:
    The start type of sharedaccess service is OK.
    The ImagePath of sharedaccess service is OK.
    The ServiceDll of sharedaccess service is OK.

    winmgmt Service is not running. Checking service configuration:
    Checking Start type: ATTENTION!=====> Unable to open winmgmt registry key. The service key does not exist.
    Checking ImagePath: ATTENTION!=====> Unable to open winmgmt registry key. The service key does not exist.
    Checking ServiceDll: ATTENTION!=====> Unable to open winmgmt registry key. The service key does not exist.
    Checking LEGACY_winmgmt: ATTENTION!=====> Unable to open LEGACY_winmgmt\0000 registry key. The key does not exist.


    Firewall Disabled Policy:
    ==================
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    "EnableFirewall"=DWORD:0


    System Restore:
    ============

    System Restore Disabled Policy:
    ========================


    Security Center:
    ============
    wscsvc Service is not running. Checking service configuration:
    The start type of wscsvc service is OK.
    The ImagePath of wscsvc service is OK.
    The ServiceDll of wscsvc service is OK.

    winmgmt Service is not running. Checking service configuration:
    Checking Start type: ATTENTION!=====> Unable to open winmgmt registry key. The service key does not exist.
    Checking ImagePath: ATTENTION!=====> Unable to open winmgmt registry key. The service key does not exist.
    Checking ServiceDll: ATTENTION!=====> Unable to open winmgmt registry key. The service key does not exist.
    Checking LEGACY_winmgmt: ATTENTION!=====> Unable to open LEGACY_winmgmt\0000 registry key. The key does not exist.


    Windows Update:
    ============

    Windows Autoupdate Disabled Policy:
    ============================


    File Check:
    ========
    C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
    C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
    C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
    C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
    C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
    C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
    C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
    C:\WINDOWS\system32\netman.dll => MD5 is legit
    C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
    C:\WINDOWS\system32\srsvc.dll => MD5 is legit
    C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
    C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
    C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
    C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
    C:\WINDOWS\system32\qmgr.dll => MD5 is legit
    C:\WINDOWS\system32\es.dll => MD5 is legit
    C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
    C:\WINDOWS\system32\svchost.exe => MD5 is legit
    C:\WINDOWS\system32\rpcss.dll => MD5 is legit
    C:\WINDOWS\system32\services.exe => MD5 is legit

    Extra List:
    =======
    Gpc(3) IPSec(5) NetBT(6) PSched(7) Tcpip(4) WSIMD(8)
    0x0900000005000000010000000200000003000000040000000A00000007000000080000000C000000
    IpSec Tag value is correct.

    **** End of log ****


    the last log after running winmgmt:

    Farbar Service Scanner Version: 23-12-2012
    Ran by Alma (administrator) on 03-01-2013 at 23:12:23
    Running from "C:\Documents and Settings\Alma\Desktop"
    Microsoft Windows XP Service Pack 3 (X86)
    Boot Mode: Normal
    ****************************************************************

    Internet Services:
    ============

    Connection Status:
    ==============
    Localhost is accessible.
    LAN connected.
    Google IP is accessible.
    Google.com is accessible.
    Yahoo IP is accessible.
    Yahoo.com is accessible.


    Windows Firewall:
    =============
    sharedaccess Service is not running. Checking service configuration:
    The start type of sharedaccess service is OK.
    The ImagePath of sharedaccess service is OK.
    The ServiceDll of sharedaccess service is OK.

    winmgmt Service is not running. Checking service configuration:
    The start type of winmgmt service is OK.
    The ImagePath of winmgmt service is OK.
    The ServiceDll of winmgmt service is OK.
    Checking LEGACY_winmgmt: ATTENTION!=====> Unable to open LEGACY_winmgmt\0000 registry key. The key does not exist.


    Firewall Disabled Policy:
    ==================
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    "EnableFirewall"=DWORD:0


    System Restore:
    ============

    System Restore Disabled Policy:
    ========================


    Security Center:
    ============
    wscsvc Service is not running. Checking service configuration:
    The start type of wscsvc service is OK.
    The ImagePath of wscsvc service is OK.
    The ServiceDll of wscsvc service is OK.

    winmgmt Service is not running. Checking service configuration:
    The start type of winmgmt service is OK.
    The ImagePath of winmgmt service is OK.
    The ServiceDll of winmgmt service is OK.
    Checking LEGACY_winmgmt: ATTENTION!=====> Unable to open LEGACY_winmgmt\0000 registry key. The key does not exist.


    Windows Update:
    ============

    Windows Autoupdate Disabled Policy:
    ============================


    File Check:
    ========
    C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
    C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
    C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
    C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
    C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
    C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
    C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
    C:\WINDOWS\system32\netman.dll => MD5 is legit
    C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
    C:\WINDOWS\system32\srsvc.dll => MD5 is legit
    C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
    C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
    C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
    C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
    C:\WINDOWS\system32\qmgr.dll => MD5 is legit
    C:\WINDOWS\system32\es.dll => MD5 is legit
    C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
    C:\WINDOWS\system32\svchost.exe => MD5 is legit
    C:\WINDOWS\system32\rpcss.dll => MD5 is legit
    C:\WINDOWS\system32\services.exe => MD5 is legit

    Extra List:
    =======
    Gpc(3) IPSec(5) NetBT(6) PSched(7) Tcpip(4) WSIMD(8)
    0x0900000005000000010000000200000003000000040000000A00000007000000080000000C000000
    IpSec Tag value is correct.

    **** End of log ****
     
  10. Mark1956

    Mark1956

    Joined:
    May 7, 2011
    Messages:
    14,142
    That's weird, I edited post 7 to read as post 8 does as I realized just after posting it that the Services Repair did not repair the missing key, no harm done though.

    There is another related key to replace, do the same again with the attachment, reboot and do another scan with FSS and post the log.
     

    Attached Files:

  11. rem_2007

    rem_2007 Thread Starter

    Joined:
    Nov 21, 2007
    Messages:
    63
    Hi Mark, no problem, weird things are happening to me all the time.
    Here is the last scan:
    Farbar Service Scanner Version: 23-12-2012
    Ran by Alma (administrator) on 04-01-2013 at 08:40:03
    Running from "C:\Documents and Settings\Alma\Desktop"
    Microsoft Windows XP Service Pack 3 (X86)
    Boot Mode: Normal
    ****************************************************************

    Internet Services:
    ============

    Connection Status:
    ==============
    Localhost is accessible.
    LAN connected.
    Google IP is accessible.
    Google.com is accessible.
    Yahoo IP is accessible.
    Yahoo.com is accessible.


    Windows Firewall:
    =============
    sharedaccess Service is not running. Checking service configuration:
    The start type of sharedaccess service is OK.
    The ImagePath of sharedaccess service is OK.
    The ServiceDll of sharedaccess service is OK.

    winmgmt Service is not running. Checking service configuration:
    The start type of winmgmt service is OK.
    The ImagePath of winmgmt service is OK.
    The ServiceDll of winmgmt service is OK.


    Firewall Disabled Policy:
    ==================
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    "EnableFirewall"=DWORD:0


    System Restore:
    ============

    System Restore Disabled Policy:
    ========================


    Security Center:
    ============
    wscsvc Service is not running. Checking service configuration:
    The start type of wscsvc service is OK.
    The ImagePath of wscsvc service is OK.
    The ServiceDll of wscsvc service is OK.

    winmgmt Service is not running. Checking service configuration:
    The start type of winmgmt service is OK.
    The ImagePath of winmgmt service is OK.
    The ServiceDll of winmgmt service is OK.


    Windows Update:
    ============

    Windows Autoupdate Disabled Policy:
    ============================


    File Check:
    ========
    C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
    C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
    C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
    C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
    C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
    C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
    C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
    C:\WINDOWS\system32\netman.dll => MD5 is legit
    C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
    C:\WINDOWS\system32\srsvc.dll => MD5 is legit
    C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
    C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
    C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
    C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
    C:\WINDOWS\system32\qmgr.dll => MD5 is legit
    C:\WINDOWS\system32\es.dll => MD5 is legit
    C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
    C:\WINDOWS\system32\svchost.exe => MD5 is legit
    C:\WINDOWS\system32\rpcss.dll => MD5 is legit
    C:\WINDOWS\system32\services.exe => MD5 is legit

    Extra List:
    =======
    Gpc(3) IPSec(5) NetBT(6) PSched(7) Tcpip(4) WSIMD(8)
    0x0900000005000000010000000200000003000000040000000A00000007000000080000000C000000
    IpSec Tag value is correct.

    **** End of log ****
     
  12. Mark1956

    Mark1956

    Joined:
    May 7, 2011
    Messages:
    14,142
    The services are now repaired, but not running.

    Download this and save it to the desktop: Windows Repair

    Close your browser and any running programs, double click on the Tweaking icon to run the tool. When the program opens click on the Step 4 tab. Under System Restore click on Create and wait for the confirmation to appear just below the button.

    When complete click on the tab Start Repairs, click on the Start button. Then click on Unselect All and tick the boxes next to the following items only.

    Set Windows Services To Default Startup

    When done click on the Start button and leave it undisturbed until complete.

    Once done, reboot the system and run FSS again and post the new log.
     
  13. rem_2007

    rem_2007 Thread Starter

    Joined:
    Nov 21, 2007
    Messages:
    63
    Hi, better to ask you:
    I went to the link you sent me and i downloaded: tweaking.com_windows_repair_aio_setup
    This program wants an installation and I am having trouble finding step 4 tab.
    should I install first?
    Thank you.
     
  14. Mark1956

    Mark1956

    Joined:
    May 7, 2011
    Messages:
    14,142
    Not quite sure where you have a problem with this, when you run the program you should see a welcome message, a row of tabs 1 to 4 and Startup Repair.
     
  15. rem_2007

    rem_2007 Thread Starter

    Joined:
    Nov 21, 2007
    Messages:
    63
    Ok now, I installed it and I have the tabs
    here is the log:
    Farbar Service Scanner Version: 23-12-2012
    Ran by Alma (administrator) on 04-01-2013 at 12:33:24
    Running from "C:\Documents and Settings\Alma\Desktop"
    Microsoft Windows XP Service Pack 3 (X86)
    Boot Mode: Normal
    ****************************************************************

    Internet Services:
    ============

    Connection Status:
    ==============
    Localhost is accessible.
    LAN connected.
    Google IP is accessible.
    Google.com is accessible.
    Yahoo IP is accessible.
    Yahoo.com is accessible.


    Windows Firewall:
    =============
    sharedaccess Service is not running. Checking service configuration:
    The start type of sharedaccess service is OK.
    The ImagePath of sharedaccess service is OK.
    The ServiceDll of sharedaccess service is OK.

    winmgmt Service is not running. Checking service configuration:
    The start type of winmgmt service is OK.
    The ImagePath of winmgmt service is OK.
    The ServiceDll of winmgmt service is OK.


    Firewall Disabled Policy:
    ==================
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    "EnableFirewall"=DWORD:0


    System Restore:
    ============

    System Restore Disabled Policy:
    ========================


    Security Center:
    ============
    wscsvc Service is not running. Checking service configuration:
    The start type of wscsvc service is OK.
    The ImagePath of wscsvc service is OK.
    The ServiceDll of wscsvc service is OK.

    winmgmt Service is not running. Checking service configuration:
    The start type of winmgmt service is OK.
    The ImagePath of winmgmt service is OK.
    The ServiceDll of winmgmt service is OK.


    Windows Update:
    ============

    Windows Autoupdate Disabled Policy:
    ============================


    File Check:
    ========
    C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
    C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
    C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
    C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
    C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
    C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
    C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
    C:\WINDOWS\system32\netman.dll => MD5 is legit
    C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
    C:\WINDOWS\system32\srsvc.dll => MD5 is legit
    C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
    C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
    C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
    C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
    C:\WINDOWS\system32\qmgr.dll => MD5 is legit
    C:\WINDOWS\system32\es.dll => MD5 is legit
    C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
    C:\WINDOWS\system32\svchost.exe => MD5 is legit
    C:\WINDOWS\system32\rpcss.dll => MD5 is legit
    C:\WINDOWS\system32\services.exe => MD5 is legit

    Extra List:
    =======
    Gpc(3) IPSec(5) NetBT(6) PSched(7) Tcpip(4) WSIMD(8)
    0x0900000005000000010000000200000003000000040000000A00000007000000080000000C000000
    IpSec Tag value is correct.

    **** End of log ****
     
  16. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/1082865

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice