Here is the Hi-Jack Log.
I tried to remove what you told me to, but they keep comming back.
Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 6:56:46 PM, on 3/10/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Tall Emu\Online Armor\OAcat.exe
C:\Program Files\Tall Emu\Online Armor\oasrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ehome\ehSched.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\Tall Emu\Online Armor\oaui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Secunia\PSI\psi.exe
C:\Program Files\Tall Emu\Online Armor\OAhlp.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
http://go.microsoft.com/fwlink/?LinkId=54896R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
http://go.microsoft.com/fwlink/?LinkId=54896R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext =
http://go.microsoft.com/fwlink/?LinkId=74005R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: WOT Helper - {C920E44A-7F78-4E64-BDD7-A57026E7FEB7} - C:\Program Files\WOT\WOT.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: WOT - {71576546-354D-41c9-AAE8-31F2EC22BF0D} - C:\Program Files\WOT\WOT.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [MSSE] "c:\Program Files\Microsoft Security Essentials\msseces.exe" -hide -runkey
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [@OnlineArmor GUI] "C:\Program Files\Tall Emu\Online Armor\oaui.exe"
O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\CCleaner.exe" /AUTO
O4 - Startup: Secunia PSI.lnk = C:\Program Files\Secunia\PSI\psi.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {0854D220-A90A-466D-BC02-6683183802B7} (PrintPreview Class) -
http://cgmls.fnismls.com/Paragon/Codebase/FNISPrintControl.cabO16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) -
http://go.microsoft.com/fwlink/?linkid=39204O16 - DPF: {2042B57E-6336-459E-B7CE-2A0F6C9E6AF8} (IEPlayInterface Class) - file://F:\win\setup\iaieplay.dll
O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) -
https://support.microsoft.com/OAS/ActiveX/odc.cabO16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) -
http://aolcc.aol.com/computercheckup/qdiagcc.cabO16 - DPF: {54823A9D-6BAE-11D5-B519-0050BA2413EB} (ChkDVDCtl Class) -
http://www.cyberlink.com/winxp/CheckDVD.cabO16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) -
http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase370.cabO16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1126482186562O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -
http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1204817669703O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) -
http://download.eset.com/special/eos/OnlineScanner.cabO16 - DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} (ActiveScan 2.0 Installer Class) -
http://acs.pandasoftware.com/activescan/cabs/as2stubie.cabO16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cabO16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} -
http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cabO18 - Protocol: wot - {C2A44D6B-CB9F-4663-88A6-DF2F26E4D952} - C:\Program Files\WOT\WOT.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - Unknown owner - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Media Center Monitor Service (ehMonitor) - Unknown owner - C:\Program Files\Media Center Diagnostic Kit\Tests\Bin\ehMonitor.exe (file missing)
O23 - Service: Google Update Service (gupdate1c9871162dbbbf2) (gupdate1c9871162dbbbf2) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: MpService - Canon Inc - C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
O23 - Service: Online Armor Helper Service (OAcat) - Unknown owner - C:\Program Files\Tall Emu\Online Armor\OAcat.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
O23 - Service: Online Armor (SvcOnlineArmor) - Unknown owner - C:\Program Files\Tall Emu\Online Armor\oasrv.exe
--
End of file - 8641 bytes
Here is the combo fix log:
ComboFix 10-03-10.02 - Sean and Wylene 03/10/2010 18:11:03.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1454 [GMT -5:00]
Running from: c:\documents and settings\Sean and Wylene\My Documents\Antivirus\REMOVAL\ComboFix.exe
AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
FW: Online Armor Firewall *disabled* {B797DAA0-7E2E-4711-8BB3-D12744F1922A}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\Cache
.
((((((((((((((((((((((((( Files Created from 2010-02-10 to 2010-03-10 )))))))))))))))))))))))))))))))
.
2010-03-10 22:49 . 2010-03-10 22:49 0 ----a-w- c:\documents and settings\Sean and Wylene\settings.dat
2010-03-10 18:13 . 2010-03-10 18:13 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-03-10 17:04 . 2010-03-10 17:33 -------- d-----w- c:\documents and settings\All Users\Application Data\OnlineArmor
2010-03-10 17:04 . 2010-03-10 17:04 -------- d-----w- c:\documents and settings\Sean and Wylene\Application Data\OnlineArmor
2010-03-10 17:03 . 2009-12-05 12:28 24656 ----a-w- c:\windows\system32\drivers\OAmon.sys
2010-03-10 17:03 . 2009-12-05 12:27 29776 ----a-w- c:\windows\system32\drivers\OAnet.sys
2010-03-10 17:03 . 2009-12-05 12:27 223312 ----a-w- c:\windows\system32\drivers\OADriver.sys
2010-03-10 17:03 . 2010-03-10 17:03 -------- d-----w- c:\program files\Tall Emu
2010-03-02 21:38 . 2010-03-02 21:38 39720 ---ha-w- c:\windows\system32\mlfcache.dat
2010-02-17 17:11 . 2009-06-30 14:37 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2010-02-17 17:11 . 2010-02-17 17:11 -------- d-----w- c:\program files\Panda Security
2010-02-16 13:03 . 2003-07-30 19:00 9216 -c--a-w- c:\windows\system32\dllcache\wamps51.dll
2010-02-16 13:02 . 2010-03-07 21:52 -------- d-----w- c:\windows\system32\Logfiles
2010-02-16 13:02 . 2010-02-16 13:04 -------- d-----w- C:\Inetpub
2010-02-15 17:24 . 2010-02-15 17:24 52224 ----a-w- c:\documents and settings\Taylor\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-02-15 17:24 . 2010-02-15 17:24 117760 ----a-w- c:\documents and settings\Taylor\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-02-15 17:23 . 2010-02-15 17:23 -------- d-----w- c:\documents and settings\Taylor\Application Data\SUPERAntiSpyware.com
2010-02-15 13:37 . 2010-02-15 13:37 -------- d-----w- c:\program files\AVG
2010-02-15 13:24 . 2010-02-15 13:24 -------- d-----w- c:\documents and settings\Sean and Wylene\Application Data\Yahoo!
2010-02-15 01:59 . 2010-02-15 01:59 52224 ----a-w- c:\documents and settings\Forrest\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-02-15 01:59 . 2010-02-15 01:59 117760 ----a-w- c:\documents and settings\Forrest\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-02-15 01:59 . 2010-02-15 01:59 -------- d-----w- c:\documents and settings\Forrest\Application Data\SUPERAntiSpyware.com
2010-02-14 18:27 . 2010-02-14 18:27 388096 ----a-r- c:\documents and settings\Sean and Wylene\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2010-02-14 18:27 . 2010-02-14 18:27 -------- d-----w- c:\program files\TrendMicro
2010-02-12 21:07 . 2008-04-14 01:12 116224 -c--a-w- c:\windows\system32\dllcache\xrxwiadr.dll
2010-02-12 21:07 . 2001-08-18 03:36 23040 -c--a-w- c:\windows\system32\dllcache\xrxwbtmp.dll
2010-02-12 21:07 . 2008-04-14 01:12 18944 -c--a-w- c:\windows\system32\dllcache\xrxscnui.dll
2010-02-12 21:07 . 2001-08-18 03:37 27648 -c--a-w- c:\windows\system32\dllcache\xrxftplt.exe
2010-02-12 21:07 . 2001-08-18 03:37 4608 -c--a-w- c:\windows\system32\dllcache\xrxflnch.exe
2010-02-12 21:07 . 2001-08-18 03:37 99865 -c--a-w- c:\windows\system32\dllcache\xlog.exe
2010-02-12 21:07 . 2001-08-17 17:11 16970 -c--a-w- c:\windows\system32\dllcache\xem336n5.sys
2010-02-12 21:07 . 2004-08-04 06:29 19455 -c--a-w- c:\windows\system32\dllcache\wvchntxx.sys
2010-02-12 21:07 . 2004-08-04 06:29 12063 -c--a-w- c:\windows\system32\dllcache\wsiintxx.sys
2010-02-12 21:07 . 2008-04-14 01:12 8192 -c--a-w- c:\windows\system32\dllcache\wshirda.dll
2010-02-12 21:05 . 2001-08-17 18:28 687999 -c--a-w- c:\windows\system32\dllcache\usrwdxjs.sys
2010-02-12 21:04 . 2001-08-17 18:49 30464 -c--a-w- c:\windows\system32\dllcache\tbatm155.sys
2010-02-12 21:03 . 2001-08-17 17:51 58368 -c--a-w- c:\windows\system32\dllcache\smiminib.sys
2010-02-12 21:02 . 2001-08-17 19:56 182272 -c--a-w- c:\windows\system32\dllcache\s3mt3d.dll
2010-02-12 21:01 . 2001-08-18 03:36 121344 -c--a-w- c:\windows\system32\dllcache\phvfwext.dll
2010-02-12 21:00 . 2001-08-17 19:56 91488 -c--a-w- c:\windows\system32\dllcache\n9i3disp.dll
2010-02-12 20:59 . 2001-08-17 18:57 16128 -c--a-w- c:\windows\system32\dllcache\modemcsa.sys
2010-02-12 20:58 . 2001-08-17 18:51 18688 -c--a-w- c:\windows\system32\dllcache\irsir.sys
2010-02-12 20:57 . 2001-08-17 18:28 488383 -c--a-w- c:\windows\system32\dllcache\hsf_v124.sys
2010-02-12 20:56 . 2001-08-17 17:10 22090 -c--a-w- c:\windows\system32\dllcache\fem556n5.sys
2010-02-12 20:55 . 2001-08-18 03:36 236060 -c--a-w- c:\windows\system32\dllcache\ditrace.exe
2010-02-12 20:54 . 2001-08-17 19:02 272640 -c--a-w- c:\windows\system32\dllcache\cinemclc.sys
2010-02-12 20:53 . 2001-08-17 18:12 3168 -c--a-w- c:\windows\system32\dllcache\brparimg.sys
2010-02-12 20:52 . 2001-08-17 19:07 101888 -c--a-w- c:\windows\system32\dllcache\adpu160m.sys
2010-02-12 20:46 . 2010-02-12 20:46 -------- d-----w- c:\documents and settings\Sean and Wylene\Application Data\Auslogics
2010-02-12 20:36 . 2010-02-12 20:36 -------- d-----w- c:\program files\Auslogics
2010-02-12 20:17 . 2010-03-08 18:13 -------- d-----w- c:\program files\SpywareBlaster
2010-02-12 20:13 . 2010-02-12 20:13 -------- d-----w- c:\program files\WOT
2010-02-12 20:01 . 2010-02-12 20:02 -------- d-----w- c:\program files\Secunia
2010-02-12 08:27 . 2010-02-19 00:26 8139800 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{728D2B6C-EF40-5718-E9F9-D749100268B3}-acssetup.exe
2010-02-12 08:27 . 2010-02-19 00:26 8139800 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{6B6DD3C2-8578-DB28-2FF5-D6FA577E5B20}-acssetup.exe
2010-02-11 22:41 . 2010-02-11 22:41 503808 ----a-w- c:\documents and settings\Forrest\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-53b6d6b5-n\msvcp71.dll
2010-02-11 22:41 . 2010-02-11 22:41 499712 ----a-w- c:\documents and settings\Forrest\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-53b6d6b5-n\jmc.dll
2010-02-11 22:41 . 2010-02-11 22:41 348160 ----a-w- c:\documents and settings\Forrest\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-53b6d6b5-n\msvcr71.dll
2010-02-11 22:41 . 2010-02-11 22:41 61440 ----a-w- c:\documents and settings\Forrest\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-6b7cb5f2-n\decora-sse.dll
2010-02-11 22:41 . 2010-02-11 22:41 12800 ----a-w- c:\documents and settings\Forrest\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-6b7cb5f2-n\decora-d3d.dll
2010-02-11 18:48 . 2010-02-11 18:48 -------- d-----w- c:\program files\ESET
2010-02-11 18:40 . 2010-02-24 14:16 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-11 18:35 . 2010-03-10 13:32 -------- d-----w- c:\program files\Microsoft Security Essentials
2010-02-10 23:42 . 2010-02-10 23:42 503808 ----a-w- c:\documents and settings\Taylor\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-2679089b-n\msvcp71.dll
2010-02-10 23:42 . 2010-02-10 23:42 499712 ----a-w- c:\documents and settings\Taylor\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-2679089b-n\jmc.dll
2010-02-10 23:42 . 2010-02-10 23:42 348160 ----a-w- c:\documents and settings\Taylor\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-2679089b-n\msvcr71.dll
2010-02-10 23:42 . 2010-02-10 23:42 61440 ----a-w- c:\documents and settings\Taylor\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-6b9a8257-n\decora-sse.dll
2010-02-10 23:42 . 2010-02-10 23:42 12800 ----a-w- c:\documents and settings\Taylor\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-6b9a8257-n\decora-d3d.dll
2010-02-10 23:42 . 2010-03-08 01:59 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-02-09 22:36 . 2010-02-09 22:36 503808 ----a-w- c:\documents and settings\Sean and Wylene\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-43f0a589-n\msvcp71.dll
2010-02-09 22:36 . 2010-02-09 22:36 499712 ----a-w- c:\documents and settings\Sean and Wylene\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-43f0a589-n\jmc.dll
2010-02-09 22:36 . 2010-02-09 22:36 348160 ----a-w- c:\documents and settings\Sean and Wylene\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-43f0a589-n\msvcr71.dll
2010-02-09 22:35 . 2010-02-09 22:35 61440 ----a-w- c:\documents and settings\Sean and Wylene\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-1ff5c2e1-n\decora-sse.dll
2010-02-09 22:35 . 2010-02-09 22:35 12800 ----a-w- c:\documents and settings\Sean and Wylene\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-1ff5c2e1-n\decora-d3d.dll
2010-02-09 22:01 . 2010-02-09 22:01 -------- d-----w- c:\documents and settings\Sean and Wylene\Application Data\Malwarebytes
2010-02-09 22:01 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-09 22:01 . 2010-02-09 22:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-02-09 22:01 . 2010-02-09 22:01 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-09 22:01 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-09 01:47 . 2010-02-09 01:47 52224 ----a-w- c:\documents and settings\Sean and Wylene\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-02-09 01:47 . 2010-03-08 18:07 117760 ----a-w- c:\documents and settings\Sean and Wylene\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-02-09 01:46 . 2010-02-09 01:46 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-02-09 01:46 . 2010-03-06 23:25 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-02-09 01:46 . 2010-02-09 01:46 -------- d-----w- c:\documents and settings\Sean and Wylene\Application Data\SUPERAntiSpyware.com
2010-02-09 01:45 . 2010-02-09 01:45 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-08 18:13 . 2008-02-29 20:42 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-02-15 17:14 . 2007-08-21 18:48 -------- d-----w- c:\program files\Yahoo!
2010-02-15 01:32 . 2008-02-24 16:57 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-02-15 01:32 . 2008-02-24 16:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-02-13 15:03 . 2003-12-17 08:10 -------- d-----w- c:\program files\Common Files\Real
2010-02-13 15:01 . 2006-07-10 22:13 -------- d-----w- c:\program files\InterActual
2010-02-11 18:25 . 2005-09-11 23:31 -------- d--h--w- c:\documents and settings\All Users\Application Data\GTek
2010-02-11 17:15 . 2005-08-10 17:05 -------- d-----w- c:\program files\ShowCase
2010-02-09 22:36 . 2003-12-17 06:32 -------- d-----w- c:\program files\Common Files\Java
2010-02-09 22:35 . 2003-12-17 06:32 -------- d-----w- c:\program files\Java
2010-02-09 18:47 . 2009-09-28 13:28 -------- d-----w- c:\program files\Coupons
2010-02-09 18:39 . 2010-02-09 18:39 824 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2010-02-09 18:39 . 2009-07-16 13:20 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2010-02-08 19:04 . 2008-03-26 23:05 -------- d-----w- c:\program files\Enigma Software Group
2010-02-08 10:12 . 2008-12-14 23:38 -------- d-----w- c:\program files\Google
2010-02-01 14:11 . 2004-07-13 17:16 -------- d-----w- c:\program files\Common Files\Adobe
2010-01-22 13:43 . 2008-03-07 13:23 -------- d-----w- c:\program files\Microsoft Silverlight
2009-12-31 16:50 . 2003-12-17 04:29 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-22 15:14 . 2009-12-22 15:14 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2009-12-21 19:14 . 2005-06-18 03:49 916480 ------w- c:\windows\system32\wininet.dll
2009-12-17 22:14 . 2009-01-06 15:09 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-12-16 18:43 . 2004-01-20 18:08 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08 . 2004-01-20 18:04 33280 ----a-w- c:\windows\system32\csrsrv.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccleaner"="c:\program files\CCleaner\CCleaner.exe" [2010-01-26 1724728]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-02-21 1093208]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"@OnlineArmor GUI"="c:\program files\Tall Emu\Online Armor\oaui.exe" [2009-12-05 6622920]
c:\documents and settings\Sean and Wylene\Start Menu\Programs\Startup\
Secunia PSI.lnk - c:\program files\Secunia\PSI\psi.exe [2009-8-21 900816]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
"{4F07DA45-8170-4859-9B5F-037EF2970034}"= "c:\progra~1\TALLEM~1\ONLINE~1\oaevent.dll" [2009-12-05 923336]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ SDEarlyDelete \??\0autocheck autochk *
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Updates from HP.lnk
backup=c:\windows\pss\Updates from HP.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^Sean and Wylene^Start Menu^Programs^Startup^reminder-ScanSoft Product Registration.lnk]
path=c:\documents and settings\Sean and Wylene\Start Menu\Programs\Startup\reminder-ScanSoft Product Registration.lnk
backup=c:\windows\pss\reminder-ScanSoft Product Registration.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2009-12-11 20:57 948672 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-12-22 06:57 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cdloader]
2009-04-10 13:53 50520 ----a-w- c:\documents and settings\Sean and Wylene\Application Data\mjusbsp\cdloader2.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ------w- c:\windows\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-11-12 21:33 141600 ----a-w- c:\program files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2008-11-04 15:30 413696 ----a-w- c:\program files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ScanSoft OmniPage 16-reminder]
2007-07-20 13:50 328992 ----a-w- c:\program files\ScanSoft\OmniPage16\Ereg\Ereg.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Corel\\DVD9\\WinDVD.exe"=
"c:\\Documents and Settings\\Sean and Wylene\\Application Data\\mjusbsp\\magicJack.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2/17/2010 12:11 PM 28552]
R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [3/10/2010 12:03 PM 223312]
R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [3/10/2010 12:03 PM 24656]
R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [3/10/2010 12:03 PM 29776]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [1/5/2010 7:56 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [1/5/2010 7:56 AM 66632]
R2 CX88XBAR;Conexant 2388x Crossbar Dual Input;c:\windows\system32\drivers\cx88xbardual.sys [2/17/2004 3:37 PM 7040]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [3/31/2009 7:24 PM 55152]
R2 OAcat;Online Armor Helper Service;c:\program files\Tall Emu\Online Armor\oacat.exe [3/10/2010 12:03 PM 1282248]
R2 regi;regi;c:\windows\system32\drivers\regi.sys [4/17/2007 7:09 PM 11032]
R2 SvcOnlineArmor;Online Armor;c:\program files\Tall Emu\Online Armor\oasrv.exe [3/10/2010 12:03 PM 3291336]
R3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [6/17/2009 7:20 AM 12648]
S0 omoecx;omoecx;c:\windows\system32\drivers\lncww.sys --> c:\windows\system32\drivers\lncww.sys [?]
S2 ehMonitor;Media Center Monitor Service;c:\program files\Media Center Diagnostic Kit\Tests\Bin\ehMonitor.exe --> c:\program files\Media Center Diagnostic Kit\Tests\Bin\ehMonitor.exe [?]
S2 gupdate1c9871162dbbbf2;Google Update Service (gupdate1c9871162dbbbf2);c:\program files\Google\Update\GoogleUpdate.exe [2/4/2009 4:41 PM 133104]
S3 azt2320;Aztech 2320 Audio Driver (WDM);c:\windows\system32\drivers\aztw2320.sys [8/20/2009 8:44 AM 36992]
S3 fsssvc;Windows Live Family Safety;c:\program files\Windows Live\Family Safety\fsssvc.exe [2/6/2009 5:08 PM 533360]
S3 HidCom;USB-HID -> COM Driver Service;c:\windows\system32\drivers\BdHidCom.sys [7/23/2006 6:17 PM 17408]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [1/5/2010 7:56 AM 12872]
.
Contents of the 'Scheduled Tasks' folder
2010-03-10 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
2010-03-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-04 21:41]
2010-03-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-04 21:41]
2010-03-10 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2009-12-09 23:02]
2010-03-10 c:\windows\Tasks\User_Feed_Synchronization-{A4B2D6E0-A34D-4D32-B546-B1A3ACC18990}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 08:31]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = localhost
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Sean and Wylene\Application Data\Mozilla\Firefox\Profiles\614r5ppc.default\
FF - prefs.js: keyword.URL - hxxp://www.ask.com/web?&o=13048&l=dis&q=
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.17\npGoogleOneClick8.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - truec:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.
enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "
http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugi
n", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -
MSConfigStartUp-OneCareUI - c:\program files\Microsoft Windows OneCare Live\winssnotify.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.netRootkit scan 2010-03-10 18:19
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(508)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
- - - - - - - > 'explorer.exe'(1472)
c:\windows\system32\WININET.dll
c:\program files\Tall Emu\Online Armor\OAwatch.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2010-03-10 18:26:30
ComboFix-quarantined-files.txt 2010-03-10 23:26
ComboFix2.txt 2010-02-11 18:02
Pre-Run: 154,075,000,832 bytes free
Post-Run: 154,165,317,632 bytes free
- - End Of File - - E4F97104DE10A6DEF587F62765311078
Here is the rootrepeal logfor ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2010/03/10 17:51
Program Version: Version 1.3.5.0
Windows Version: Windows XP Media Center Edition SP3
==================================================
Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xAD5D4000 Size: 98304 File Visible: No Signed: -
Status: -
Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF79BB000 Size: 8192 File Visible: No Signed: -
Status: -
Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xAAD28000 Size: 49152 File Visible: No Signed: -
Status: -
Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!
Path: c:\documents and settings\sean and wylene\cookies\
[email protected][2].txt
Status: Size mismatch (API: 275, Raw: 269)
SSDT
-------------------
#: 017 Function Name: NtAllocateVirtualMemory
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xad73f420
#: 019 Function Name: NtAssignProcessToJobObject
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xad73fc60
#: 031 Function Name: NtConnectPort
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xad73da90
#: 037 Function Name: NtCreateFile
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xad74ccb0
#: 046 Function Name: NtCreatePort
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xad73d740
#: 047 Function Name: NtCreateProcess
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xad73a320
#: 048 Function Name: NtCreateProcessEx
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xad73a710
#: 050 Function Name: NtCreateSection
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xad739de0
#: 053 Function Name: NtCreateThread
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xad73bca0
#: 057 Function Name: NtDebugActiveProcess
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xad73c900
#: 068 Function Name: NtDuplicateObject
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xad73d410
#: 097 Function Name: NtLoadDriver
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xad73eb40
#: 116 Function Name: NtOpenFile
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xad74d420
#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xad73b630
#: 125 Function Name: NtOpenSection
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xad73a080
#: 128 Function Name: NtOpenThread
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xad73c1c0
#: 137 Function Name: NtProtectVirtualMemory
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xad73f8a0
#: 145 Function Name: NtQueryDirectoryFile
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xad73efb0
#: 180 Function Name: NtQueueApcThread
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xad73fe00
#: 200 Function Name: NtRequestWaitReplyPort
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xad73e690
#: 204 Function Name: NtRestoreKey
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xad74c940
#: 206 Function Name: NtResumeThread
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xad73d060
#: 210 Function Name: NtSecureConnectPort
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xad73de80
#: 213 Function Name: NtSetContextThread
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xad73c6e0
#: 240 Function Name: NtSetSystemInformation
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xad73caa0
#: 249 Function Name: NtShutdownSystem
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xad73ea10
#: 253 Function Name: NtSuspendProcess
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xad73d240
#: 254 Function Name: NtSuspendThread
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xad73ce60
#: 255 Function Name: NtSystemDebugControl
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xad73cc90
#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xad73ba30
#: 258 Function Name: NtTerminateThread
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xad73c4b0
#: 262 Function Name: NtUnloadDriver
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xad73ed70
#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xad73fa70
Shadow SSDT
-------------------
#: 013 Function Name: NtGdiBitBlt
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xad7385c0
#: 233 Function Name: NtGdiOpenDCW
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xad738940
#: 307 Function Name: NtUserAttachThreadInput
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xad735470
#: 310 Function Name: NtUserBlockInput
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xad7372b0
#: 319 Function Name: NtUserCallHwndParamLock
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xad736df0
#: 324 Function Name: NtUserCallTwoParam
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xad737e30
#: 383 Function Name: NtUserGetAsyncKeyState
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xad735f00
#: 389 Function Name: NtUserGetClipboardData
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xad7375b0
#: 401 Function Name: NtUserGetDC
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xad738270
#: 414 Function Name: NtUserGetKeyboardState
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xad735dd0
#: 416 Function Name: NtUserGetKeyState
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xad735ca0
#: 439 Function Name: NtUserGetWindowDC
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xad738410
#: 460 Function Name: NtUserMessageCall
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xad736030
#: 465 Function Name: NtUserMoveWindow
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xad737950
#: 475 Function Name: NtUserPostMessage
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xad7365b0
#: 476 Function Name: NtUserPostThreadMessage
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xad736a10
#: 491 Function Name: NtUserRegisterRawInputDevices
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xad7352f0
#: 502 Function Name: NtUserSendInput
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xad737050
#: 509 Function Name: NtUserSetClipboardViewer
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xad737450
#: 529 Function Name: NtUserSetParent
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xad737720
#: 546 Function Name: NtUserSetWindowPos
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xad737ce0
#: 548 Function Name: NtUserSetWindowsHookAW
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xad734e10
#: 549 Function Name: NtUserSetWindowsHookEx
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xad734a20
#: 552 Function Name: NtUserSetWinEventHook
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xad735080
#: 555 Function Name: NtUserShowWindow
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xad737bf0
==EOF==