i believe my pc is infected, possible Svchost.exe problems, help plz!


rizzle425 (Thread Starter), joined Apr 8, 2007, 36 messages
Hello there!

My computer has been giving me multiple symptoms of infection. I cannot run Windows Update; it gives me an error message every time I try. When I'm on Internet Explorer (I've got to use IE because Firefox crashes every 5-10 minutes, so I just uninstalled it) I constantly get redirected to this Walmart award website, or a survey website with the same layout every time, only a different name which pertains to what I'm searching for online at the time. IE also experiences frequent freezes when trying to load pages and sometimes can't load them at all, and I've got to click refresh 5 times or so before it will actually load the page. IE also crashes a lot. Sometimes Windows Explorer stops responding and I have to either hard shut down my PC or just let it sit until it finally starts to respond again.

I've noticed that there are multiple instances of "svchost.exe" running in my processes, 13 of them to be precise, and one of them uses more memory than any other program I use. I've done research on it, and it says that it is a Windows process; however, there are also viruses out there called "svchost.exe" and I don't want to mess around with that and possibly screw up something.

Anyhow, I'm just sick of the way my computer has been acting and I think it's time that I do something about it.
Help is greatly appreciated, thanks!

Here are all of the logs:

HijackThis log

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 3:29:36 PM, on 1/4/2011
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
c:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\PlatformDependent\ProToolbarComm.exe
C:\Program Files\Trend Micro\TrendSecure\TSCFPlatformCOMSvr.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\SearchFilterHost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=83&bd=Presario&pf=cndt
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=83&bd=Presario&pf=cndt
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=83&bd=Presario&pf=cndt
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.speedapps.com/search.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - {ba14329e-9550-4989-b3f2-9732e92d17cc} - (no file)
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SuggestMeYesBHO - {0FB6A909-6086-458F-BD92-1F8EE10042A0} - C:\Program Files\AutocompletePro\AutocompletePro.dll
O2 - BHO: Trend Micro Toolbar BHO - {43C6D902-A1C5-45c9-91F6-FD9E90337E18} - C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\TSToolbar.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {9D425283-D487-4337-BAB6-AB8354A81457} - (no file)
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O3 - Toolbar: Trend Micro Toolbar - {CCAC5586-44D7-4c43-B64A-F042461A97D2} - C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\TSToolbar.dll
O3 - Toolbar: (no name) - {9D425283-D487-4337-BAB6-AB8354A81457} - (no file)
O4 - HKLM\..\Run: [ATICustomerCare] "C:\Program Files\ATI\ATICustomerCare\ATICustomerCare.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [StartCCC] "c:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\Windows\system32\Macromed\Flash\FlashUtil10e.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\Windows\system32\Macromed\Flash\FlashUtil10e.exe (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\Windows\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\Windows\bdoscandel.exe (file missing)
O16 - DPF: {2042B57E-6336-459E-B7CE-2A0F6C9E6AF8} (IEPlayInterface Class) - file:///E:/win/setup/iaieplay.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {8B67B37E-1AE2-4B99-B8CF-55AF4D58DF0D} (IAMCE Class) - file:///E:/win/setup/iamce.dll
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: tmtb - {04EAF3FB-4BAC-4B5A-A37D-A1CF210A5A42} - C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\TSToolbar.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: AMD External Events Utility - AMD - C:\Windows\system32\atiesrxx.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Manager for Adobe Products (FLEXnet Licensing Manager) - Unknown owner - C:\Windows\system\regsrv.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\Windows\system32\GameMon.des.exe (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: Security Activity Dashboard Service - Trend Micro Inc. - C:\Program Files\Trend Micro\TrendSecure\SecurityActivityDashboard\tmarsvc.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe

--
End of file - 7946 bytes

DDS log

DDS (Ver_10-12-12.02) - NTFSx86
Run by Rizzle at 16:12:40.44 on Tue 01/04/2011
Internet Explorer: 8.0.6001.18702
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3582.2259 [GMT -7:00]

AV: Trend Micro Internet Security Pro *Enabled/Updated* {68F968AC-2AA0-091D-848C-803E83E35902}
SP: Trend Micro Internet Security Pro *Enabled/Updated* {D3988948-0C9A-0693-BE3C-BB4CF86413BF}
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: Trend Micro Personal Firewall *Enabled* {70A91CD9-303D-A217-A80E-6DEE136EDB2B}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\atieclxx.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Trend Micro\TrendSecure\SecurityActivityDashboard\tmarsvc.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Trend Micro\Internet Security\TmPfw.exe
C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\ProToolbarUpdate.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
c:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\PlatformDependent\ProToolbarComm.exe
C:\Program Files\Trend Micro\TrendSecure\TSCFPlatformCOMSvr.exe
C:\Windows\TEMP\~nsu.tmp\wsget.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Users\Rizzle\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=83&bd=Presario&pf=cndt
uSearch Page =
uSearch Bar =
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=83&bd=Presario&pf=cndt
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=83&bd=Presario&pf=cndt
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.speedapps.com/search.htm
mSearchAssistant =
uURLSearchHooks: H - No File
uURLSearchHooks: H - No File
mWinlogon: Userinit=userinit.exe
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AC-Pro: {0fb6a909-6086-458f-bd92-1f8ee10042a0} - c:\program files\autocompletepro\AutocompletePro.dll
BHO: TSToolbarBHO: {43c6d902-a1c5-45c9-91f6-fd9e90337e18} - c:\program files\trend micro\trendsecure\tisprotoolbar\TSToolbar.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_01\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: {9D425283-D487-4337-BAB6-AB8354A81457} - No File
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: Trend Micro Toolbar: {ccac5586-44d7-4c43-b64a-f042461a97d2} - c:\program files\trend micro\trendsecure\tisprotoolbar\TSToolbar.dll
TB: {9D425283-D487-4337-BAB6-AB8354A81457} - No File
uRun: [OE] "c:\program files\trend micro\internet security\tmas_oe\TMAS_OEMon.exe"
uRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\isuspm.exe -startup
mRun: [ATICustomerCare] "c:\program files\ati\aticustomercare\ATICustomerCare.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
dRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10e.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_01\bin\ssv.dll
DPF: {2042B57E-6336-459E-B7CE-2A0F6C9E6AF8} - file:///E:/win/setup/iaieplay.dll
DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - hxxp://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {8B67B37E-1AE2-4B99-B8CF-55AF4D58DF0D} - file:///E:/win/setup/iamce.dll
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: tmtb - {04EAF3FB-4BAC-4B5A-A37D-A1CF210A5A42} - c:\program files\trend micro\trendsecure\tisprotoolbar\TSToolbar.dll

============= SERVICES / DRIVERS ===============

R1 tmlwf;Trend Micro NDIS 6.0 Filter Driver;c:\windows\system32\drivers\tmlwf.sys [2009-7-18 145424]
R2 {1BA31E5A-C098-42d8-8F88-3C9F78A2FDDC};Power Control [2010/03/30 19:25:21];c:\program files\cyberlink\powerdvd10\navfilter\000.fcl [2010-3-13 87536]
R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2010-11-25 176128]
R2 Security Activity Dashboard Service;Security Activity Dashboard Service;c:\program files\trend micro\trendsecure\securityactivitydashboard\tmarsvc.exe [2009-7-18 181584]
R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2009-7-18 50256]
R2 TmPfw;Trend Micro Personal Firewall;c:\program files\trend micro\internet security\TmPfw.exe [2009-7-18 497008]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2010-9-29 36432]
R2 TmProxy;Trend Micro Proxy Service;c:\program files\trend micro\internet security\TmProxy.exe [2009-7-18 677128]
R2 tmwfp;Trend Micro WFP Callout Driver;c:\windows\system32\drivers\tmwfp.sys [2009-7-18 256528]
R3 amdkmdag;amdkmdag;c:\windows\system32\drivers\atikmdag.sys [2010-11-25 6472192]
R3 amdkmdap;amdkmdap;c:\windows\system32\drivers\atikmpag.sys [2010-11-25 228352]
R3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdLH3.sys [2010-11-25 100368]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 FLEXnet Licensing Manager;FLEXnet Licensing Manager for Adobe Products;c:\windows\system\regsrv.exe --> c:\windows\system\regsrv.exe [?]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 VST_DPV;VST_DPV;c:\windows\system32\drivers\VSTDPV3.SYS [2008-1-20 987648]
S3 VSTHWBS2;VSTHWBS2;c:\windows\system32\drivers\VSTBS23.SYS [2008-1-20 251904]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

=============== Created Last 30 ================

2011-01-04 04:42:49 388096 ----a-r- c:\users\rizzle\appdata\roaming\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2010-12-29 09:13:57 -------- d-----w- c:\program files\Feedback Tool
2010-12-28 07:53:24 -------- d-----w- c:\users\rizzle\appdata\roaming\Registry Mechanic
2010-12-28 07:02:58 6273872 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{ed63581a-b25b-4da7-86e7-20680134c134}\mpengine.dll
2010-12-26 02:27:59 -------- d-----w- c:\users\rizzle\appdata\roaming\FixCleaner
2010-12-26 02:27:52 -------- d-----w- c:\program files\FixCleaner
2010-12-17 20:57:43 -------- d-----w- c:\users\rizzle\dwhelper
2010-12-17 20:55:22 -------- d-----w- c:\program files\AutocompletePro
2010-12-09 16:38:28 749832 ----a-w- c:\progra~2\microsoft\ehome\packages\mcespotlight\mcespotlight\SpotlightResources.dll

==================== Find3M ====================

2010-12-29 08:13:23 18 ----a-w- c:\windows\system\msg.bat
2010-12-29 08:13:23 1646 ----a-w- c:\windows\system\msg.reg
2010-11-25 07:01:01 4077568 ----a-w- c:\windows\system32\atiumdag.dll
2010-11-04 18:56:07 345600 ----a-w- c:\windows\system32\wmicmiplugin.dll
2010-11-04 18:55:38 352768 ----a-w- c:\windows\system32\taskschd.dll
2010-11-04 18:55:38 270336 ----a-w- c:\windows\system32\taskcomp.dll
2010-11-04 18:55:12 601600 ----a-w- c:\windows\system32\schedsvc.dll
2010-11-04 16:34:06 171520 ----a-w- c:\windows\system32\taskeng.exe
2010-10-31 20:29:44 22328 ----a-w- c:\users\rizzle\appdata\roaming\PnkBstrK.sys
2010-10-31 20:29:31 103736 ----a-w- c:\windows\system32\PnkBstrB.exe
2010-10-31 20:28:53 669184 ----a-w- c:\windows\system32\pbsvc.exe
2010-10-31 20:28:53 66872 ----a-w- c:\windows\system32\PnkBstrA.exe
2010-10-28 15:44:56 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-10-28 13:27:47 292352 ----a-w- c:\windows\system32\atmfd.dll
2010-10-28 13:20:12 2048 ----a-w- c:\windows\system32\tzres.dll
2010-10-19 18:58:58 233960 ----a-w- c:\windows\system32\PnkBstrB.xtr
2010-10-19 17:41:44 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-10-18 13:37:35 81920 ----a-w- c:\windows\system32\consent.exe
2010-10-18 13:31:24 2038272 ----a-w- c:\windows\system32\win32k.sys
2010-10-14 08:36:52 15451288 ----a-w- c:\windows\system32\xlive.dll
2010-10-14 08:36:50 13642904 ----a-w- c:\windows\system32\xlivefnt.dll

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 6.0.6002 Disk: ST350062 rev.HP24 -> Harddisk0\DR0 ->

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN [0x871B6555]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x871bc7b0]; MOV EAX, [0x871bc82c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x8207D962] -> \Device\Harddisk0\DR0[0x86B1CAC8]
3 CLASSPNP[0x828978B3] -> ntkrnlpa!IofCallDriver[0x8207D962] -> [0x861555F8]
5 acpi[0x827466BC] -> ntkrnlpa!IofCallDriver[0x8207D962] -> [0x85D49C90]
\Driver\nvstor32[0x871A5680] -> IRP_MJ_CREATE -> 0x871B6555
kernel: MBR read successfully
_asm { XOR DI, DI; MOV SI, 0x200; MOV SS, DI; MOV SP, 0x7a00; MOV BX, 0x7a0; MOV CX, SI; MOV DS, BX; MOV ES, BX; REP MOVSB ; JMP FAR 0x7a0:0x5d; }
detected disk devices:
\Device\00000062 -> \??\SCSI#Disk&Ven_ST350062&Prod_0AS#4&ac26b09&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi -> 0x85ca61f8
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !

============= FINISH: 16:13:17.82 ===============

GMER log

GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2011-01-04 17:33:14
Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\00000019 ST350062 rev.HP24
Running: 44t711fi.exe; Driver: C:\Users\Rizzle\AppData\Local\Temp\fwldrpob.sys
---- System - GMER 1.0.15 ----

SSDT 88EC0000 ZwCreateKey
SSDT 88EBF240 ZwCreateProcess
SSDT 88EBF500 ZwCreateProcessEx
SSDT 88EC0E60 ZwCreateThread
SSDT 88EC0580 ZwDeleteKey
SSDT 88EC0840 ZwDeleteValueKey
SSDT 88EC11A0 ZwLoadDriver
SSDT 88EBFA80 ZwOpenProcess
SSDT 88EC02C0 ZwSetValueKey
SSDT 88EBFD40 ZwTerminateProcess
SSDT 88EC0CC0 ZwWriteVirtualMemory
SSDT 88EC1000 ZwCreateThreadEx
SSDT 88EBF7C0 ZwCreateUserProcess

INT 0x51 ? 85CA2BF8
INT 0x62 ? 8762DBF8
INT 0x72 ? 8762DBF8
INT 0x92 ? 85CA1BF8
INT 0xA2 ? 85CA2BF8

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!KeSetEvent + 1E9 820E594C 4 Bytes [00, 00, EC, 88]
.text ntkrnlpa.exe!KeSetEvent + 209 820E596C 8 Bytes [40, F2, EB, 88, 00, F5, EB, ...]
.text ntkrnlpa.exe!KeSetEvent + 221 820E5984 4 Bytes [60, 0E, EC, 88]
.text ntkrnlpa.exe!KeSetEvent + 2D5 820E5A38 4 Bytes [80, 05, EC, 88]
.text ntkrnlpa.exe!KeSetEvent + 2E1 820E5A44 4 Bytes [40, 08, EC, 88]
.text ...
? System32\Drivers\spqz.sys The system cannot find the path specified. !
.text USBPORT.SYS!DllUnload 8BB4741B 5 Bytes JMP 8762D1D8
.text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x90A02000, 0x349D76, 0xE8000020]
? C:\Windows\system32\DRIVERS\tmcomm.sys Access is denied.
? C:\Windows\system32\DRIVERS\tmevtmgr.sys Access is denied.
? C:\Windows\system32\DRIVERS\tmactmon.sys Access is denied.
.text C:\Windows\system32\DRIVERS\atksgt.sys section is writeable [0xA1AA1300, 0x3AF78, 0xE8000020]
.text C:\Windows\system32\DRIVERS\lirsgt.sys section is writeable [0xA1AE4300, 0x1BCE, 0xE8000020]
.text C:\Program Files\CyberLink\PowerDVD10\NavFilter\000.fcl section is writeable [0xA35B7000, 0x2892, 0xE8000020]
.vmp2 C:\Program Files\CyberLink\PowerDVD10\NavFilter\000.fcl entry point in ".vmp2" section [0xA35DA050]
? C:\Users\Rizzle\AppData\Local\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\system32\svchost.exe[1188] ntdll.dll!NtProtectVirtualMemory 77C04D34 5 Bytes JMP 004C000A
.text C:\Windows\system32\svchost.exe[1188] ntdll.dll!NtWriteVirtualMemory 77C05674 5 Bytes JMP 0061000A
.text C:\Windows\system32\svchost.exe[1188] ntdll.dll!KiUserExceptionDispatcher 77C05DC8 5 Bytes JMP 004B000A
.text C:\Windows\system32\svchost.exe[1188] ole32.dll!CoCreateInstance 762A9F3E 5 Bytes JMP 0068000A
.text C:\Windows\system32\svchost.exe[1188] USER32.dll!GetCursorPos 76470B88 5 Bytes JMP 0136000A
.text C:\Program Files\Internet Explorer\iexplore.exe[2104] ntdll.dll!NtProtectVirtualMemory 77C04D34 5 Bytes JMP 0033000A
.text C:\Program Files\Internet Explorer\iexplore.exe[2104] ntdll.dll!NtWriteVirtualMemory 77C05674 5 Bytes JMP 00A7000A
.text C:\Program Files\Internet Explorer\iexplore.exe[2104] ntdll.dll!KiUserExceptionDispatcher 77C05DC8 5 Bytes JMP 0032000A
.text C:\Program Files\Internet Explorer\iexplore.exe[2104] USER32.dll!SetWindowsHookExW 764587AD 5 Bytes JMP 6EAEDBCB C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2104] USER32.dll!CallNextHookEx 76458E3B 5 Bytes JMP 6EAEDD81 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2104] USER32.dll!UnhookWindowsHookEx 764598DB 5 Bytes JMP 6EA51CA2 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2104] USER32.dll!CreateWindowExW 76461305 5 Bytes JMP 6EAF4832 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2104] USER32.dll!DialogBoxParamW 764810B0 5 Bytes JMP 6EA19315 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2104] USER32.dll!DialogBoxIndirectParamW 76482EF5 5 Bytes JMP 6EC0E021 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2104] USER32.dll!DialogBoxParamA 76498152 5 Bytes JMP 6EC0DFBE C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2104] USER32.dll!DialogBoxIndirectParamA 7649847D 5 Bytes JMP 6EC0E084 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2104] USER32.dll!MessageBoxIndirectA 764AD4D9 5 Bytes JMP 6EC0DF51 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2104] USER32.dll!MessageBoxIndirectW 764AD5D3 5 Bytes JMP 6EC0DEE6 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2104] USER32.dll!MessageBoxExA 764AD639 5 Bytes JMP 6EC0DE84 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2104] USER32.dll!MessageBoxExW 764AD65D 5 Bytes JMP 6EC0DE22 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2104] ole32.dll!CoCreateInstance 762A9F3E 5 Bytes JMP 6EAF488E C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2212] ntdll.dll!NtProtectVirtualMemory 77C04D34 5 Bytes JMP 0034000A
.text C:\Program Files\Internet Explorer\iexplore.exe[2212] ntdll.dll!NtWriteVirtualMemory 77C05674 5 Bytes JMP 0035000A
.text C:\Program Files\Internet Explorer\iexplore.exe[2212] ntdll.dll!KiUserExceptionDispatcher 77C05DC8 5 Bytes JMP 002F000A
.text C:\Program Files\Internet Explorer\iexplore.exe[2212] USER32.dll!CreateWindowExW 76461305 5 Bytes JMP 6EAF4832 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2212] USER32.dll!DialogBoxParamW 764810B0 5 Bytes JMP 6EA19315 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2212] USER32.dll!DialogBoxIndirectParamW 76482EF5 5 Bytes JMP 6EC0E021 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2212] USER32.dll!DialogBoxParamA 76498152 5 Bytes JMP 6EC0DFBE C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2212] USER32.dll!DialogBoxIndirectParamA 7649847D 5 Bytes JMP 6EC0E084 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2212] USER32.dll!MessageBoxIndirectA 764AD4D9 5 Bytes JMP 6EC0DF51 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2212] USER32.dll!MessageBoxIndirectW 764AD5D3 5 Bytes JMP 6EC0DEE6 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2212] USER32.dll!MessageBoxExA 764AD639 5 Bytes JMP 6EC0DE84 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2212] USER32.dll!MessageBoxExW 764AD65D 5 Bytes JMP 6EC0DE22 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Windows\Explorer.EXE[2804] ntdll.dll!NtProtectVirtualMemory 77C04D34 5 Bytes JMP 0173000A
.text C:\Windows\Explorer.EXE[2804] ntdll.dll!NtWriteVirtualMemory 77C05674 5 Bytes JMP 0184000A
.text C:\Windows\Explorer.EXE[2804] ntdll.dll!KiUserExceptionDispatcher 77C05DC8 5 Bytes JMP 002F000A
.text C:\Program Files\Internet Explorer\iexplore.exe[4280] USER32.dll!SetWindowsHookExW 764587AD 5 Bytes JMP 6EAEDBCB C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4280] USER32.dll!CallNextHookEx 76458E3B 5 Bytes JMP 6EAEDD81 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4280] USER32.dll!UnhookWindowsHookEx 764598DB 5 Bytes JMP 6EA51CA2 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4280] USER32.dll!CreateWindowExW 76461305 5 Bytes JMP 6EAF4832 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4280] USER32.dll!DialogBoxParamW 764810B0 5 Bytes JMP 6EA19315 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4280] USER32.dll!DialogBoxIndirectParamW 76482EF5 5 Bytes JMP 6EC0E021 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4280] USER32.dll!DialogBoxParamA 76498152 5 Bytes JMP 6EC0DFBE C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4280] USER32.dll!DialogBoxIndirectParamA 7649847D 5 Bytes JMP 6EC0E084 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4280] USER32.dll!MessageBoxIndirectA 764AD4D9 5 Bytes JMP 6EC0DF51 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4280] USER32.dll!MessageBoxIndirectW 764AD5D3 5 Bytes JMP 6EC0DEE6 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4280] USER32.dll!MessageBoxExA 764AD639 5 Bytes JMP 6EC0DE84 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4280] USER32.dll!MessageBoxExW 764AD65D 5 Bytes JMP 6EC0DE22 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4280] ole32.dll!CoCreateInstance 762A9F3E 5 Bytes JMP 6EAF488E C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4548] USER32.dll!SetWindowsHookExW 764587AD 5 Bytes JMP 6EAEDBCB C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4548] USER32.dll!CallNextHookEx 76458E3B 5 Bytes JMP 6EAEDD81 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4548] USER32.dll!UnhookWindowsHookEx 764598DB 5 Bytes JMP 6EA51CA2 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4548] USER32.dll!CreateWindowExW 76461305 5 Bytes JMP 6EAF4832 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4548] USER32.dll!DialogBoxParamW 764810B0 5 Bytes JMP 6EA19315 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4548] USER32.dll!DialogBoxIndirectParamW 76482EF5 5 Bytes JMP 6EC0E021 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4548] USER32.dll!DialogBoxParamA 76498152 5 Bytes JMP 6EC0DFBE C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4548] USER32.dll!DialogBoxIndirectParamA 7649847D 5 Bytes JMP 6EC0E084 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4548] USER32.dll!MessageBoxIndirectA 764AD4D9 5 Bytes JMP 6EC0DF51 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4548] USER32.dll!MessageBoxIndirectW 764AD5D3 5 Bytes JMP 6EC0DEE6 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4548] USER32.dll!MessageBoxExA 764AD639 5 Bytes JMP 6EC0DE84 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4548] USER32.dll!MessageBoxExW 764AD65D 5 Bytes JMP 6EC0DE22 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4548] ole32.dll!CoCreateInstance 762A9F3E 5 Bytes JMP 6EAF488E C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4920] USER32.dll!SetWindowsHookExW 764587AD 5 Bytes JMP 6EAEDBCB C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4920] USER32.dll!CallNextHookEx 76458E3B 5 Bytes JMP 6EAEDD81 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4920] USER32.dll!UnhookWindowsHookEx 764598DB 5 Bytes JMP 6EA51CA2 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4920] USER32.dll!CreateWindowExW 76461305 5 Bytes JMP 6EAF4832 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4920] USER32.dll!DialogBoxParamW 764810B0 5 Bytes JMP 6EA19315 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4920] USER32.dll!DialogBoxIndirectParamW 76482EF5 5 Bytes JMP 6EC0E021 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4920] USER32.dll!DialogBoxParamA 76498152 5 Bytes JMP 6EC0DFBE C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4920] USER32.dll!DialogBoxIndirectParamA 7649847D 5 Bytes JMP 6EC0E084 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4920] USER32.dll!MessageBoxIndirectA 764AD4D9 5 Bytes JMP 6EC0DF51 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4920] USER32.dll!MessageBoxIndirectW 764AD5D3 5 Bytes JMP 6EC0DEE6 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4920] USER32.dll!MessageBoxExA 764AD639 5 Bytes JMP 6EC0DE84 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4920] USER32.dll!MessageBoxExW 764AD65D 5 Bytes JMP 6EC0DE22 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4920] ole32.dll!CoCreateInstance 762A9F3E 5 Bytes JMP 6EAF488E C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4996] USER32.dll!SetWindowsHookExW 764587AD 5 Bytes JMP 6EAEDBCB C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4996] USER32.dll!CallNextHookEx 76458E3B 5 Bytes JMP 6EAEDD81 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4996] USER32.dll!UnhookWindowsHookEx 764598DB 5 Bytes JMP 6EA51CA2 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4996] USER32.dll!CreateWindowExW 76461305 5 Bytes JMP 6EAF4832 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4996] USER32.dll!DialogBoxParamW 764810B0 5 Bytes JMP 6EA19315 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4996] USER32.dll!DialogBoxIndirectParamW 76482EF5 5 Bytes JMP 6EC0E021 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4996] USER32.dll!DialogBoxParamA 76498152 5 Bytes JMP 6EC0DFBE C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4996] USER32.dll!DialogBoxIndirectParamA 7649847D 5 Bytes JMP 6EC0E084 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4996] USER32.dll!MessageBoxIndirectA 764AD4D9 5 Bytes JMP 6EC0DF51 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4996] USER32.dll!MessageBoxIndirectW 764AD5D3 5 Bytes JMP 6EC0DEE6 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4996] USER32.dll!MessageBoxExA 764AD639 5 Bytes JMP 6EC0DE84 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4996] USER32.dll!MessageBoxExW 764AD65D 5 Bytes JMP 6EC0DE22 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4996] ole32.dll!CoCreateInstance 762A9F3E 5 Bytes JMP 6EAF488E C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5276] USER32.dll!SetWindowsHookExW 764587AD 5 Bytes JMP 6EAEDBCB C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5276] USER32.dll!CallNextHookEx 76458E3B 5 Bytes JMP 6EAEDD81 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5276] USER32.dll!UnhookWindowsHookEx 764598DB 5 Bytes JMP 6EA51CA2 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5276] USER32.dll!CreateWindowExW 76461305 5 Bytes JMP 6EAF4832 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5276] USER32.dll!DialogBoxParamW 764810B0 5 Bytes JMP 6EA19315 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5276] USER32.dll!DialogBoxIndirectParamW 76482EF5 5 Bytes JMP 6EC0E021 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5276] USER32.dll!DialogBoxParamA 76498152 5 Bytes JMP 6EC0DFBE C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5276] USER32.dll!DialogBoxIndirectParamA 7649847D 5 Bytes JMP 6EC0E084 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5276] USER32.dll!MessageBoxIndirectA 764AD4D9 5 Bytes JMP 6EC0DF51 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5276] USER32.dll!MessageBoxIndirectW 764AD5D3 5 Bytes JMP 6EC0DEE6 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5276] USER32.dll!MessageBoxExA 764AD639 5 Bytes JMP 6EC0DE84 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5276] USER32.dll!MessageBoxExW 764AD65D 5 Bytes JMP 6EC0DE22 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5276] ole32.dll!CoCreateInstance 762A9F3E 5 Bytes JMP 6EAF488E C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5748] USER32.dll!SetWindowsHookExW 764587AD 5 Bytes JMP 6EAEDBCB C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5748] USER32.dll!CallNextHookEx 76458E3B 5 Bytes JMP 6EAEDD81 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5748] USER32.dll!UnhookWindowsHookEx 764598DB 5 Bytes JMP 6EA51CA2 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5748] USER32.dll!CreateWindowExW 76461305 5 Bytes JMP 6EAF4832 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5748] USER32.dll!DialogBoxParamW 764810B0 5 Bytes JMP 6EA19315 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5748] USER32.dll!DialogBoxIndirectParamW 76482EF5 5 Bytes JMP 6EC0E021 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5748] USER32.dll!DialogBoxParamA 76498152 5 Bytes JMP 6EC0DFBE C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5748] USER32.dll!DialogBoxIndirectParamA 7649847D 5 Bytes JMP 6EC0E084 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5748] USER32.dll!MessageBoxIndirectA 764AD4D9 5 Bytes JMP 6EC0DF51 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5748] USER32.dll!MessageBoxIndirectW 764AD5D3 5 Bytes JMP 6EC0DEE6 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5748] USER32.dll!MessageBoxExA 764AD639 5 Bytes JMP 6EC0DE84 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5748] USER32.dll!MessageBoxExW 764AD65D 5 Bytes JMP 6EC0DE22 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5748] ole32.dll!CoCreateInstance 762A9F3E 5 Bytes JMP 6EAF488E C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 85CA81F8
Device \FileSystem\udfs \UdfsCdRom 887D41F8
Device \FileSystem\udfs \UdfsDisk 887D41F8
Device \Driver\volmgr \Device\VolMgrControl 85CA41F8
Device \Driver\usbohci \Device\USBPDO-0 8764E1F8
Device \Driver\usbehci \Device\USBPDO-1 876311F8

AttachedDevice \Driver\tdx \Device\Tcp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)

Device \Driver\nvstor32 \Device\00000063 85CA71F8
Device \Driver\volmgr \Device\HarddiskVolume1 85CA41F8
Device \Driver\netbt \Device\NetBT_Tcpip_{E81D856C-2A78-4958-9815-792BAE32AED4} 887A21F8
Device \Driver\volmgr \Device\HarddiskVolume2 85CA41F8
Device \Driver\cdrom \Device\CdRom0 876451F8
Device \Driver\atapi \Device\Ide\IdePort0 85CA61F8
Device \Driver\atapi \Device\Ide\IdePort1 85CA61F8
Device \Driver\netbt \Device\NetBt_Wins_Export 887A21F8
Device \Driver\Smb \Device\NetbiosSmb 886DC1F8
Device \Driver\nvstor32 \Device\RaidPort0 85CA71F8

AttachedDevice \Driver\tdx \Device\Udp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)

Device \Driver\iScsiPrt \Device\RaidPort1 87652500
Device \Driver\usbohci \Device\USBFDO-0 8764E1F8
Device \Driver\usbehci \Device\USBFDO-1 876311F8
Device \Device\00000062 -> \??\SCSI#Disk&Ven_ST350062&Prod_0AS#4&ac26b09&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\[email protected] 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\[email protected] 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\[email protected] 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\[email protected] 0xB4 0x6D 0x90 0x02 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\[email protected] 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\[email protected] 0xFE 0x8C 0x5D 0xA2 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\[email protected] 0xB4 0x6D 0x90 0x02 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\[email protected] 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\[email protected] 0xFE 0x8C 0x5D 0xA2 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{FDE9172A-DDE9-B144-F627-96525AE7577A}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{FDE9172A-DDE9-B144-F627-96525AE7577A}@majofelkcmphpjomglhjjjenim 0x6A 0x61 0x63 0x6D ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{FDE9172A-DDE9-B144-F627-96525AE7577A}@napephoodpnklngfhjmgieadmfdc 0x6A 0x61 0x63 0x6D ...

---- EOF - GMER 1.0.15 ----



and the attachment
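The GMER log above is the kind of output that has to be triaged by hand: the `.text` lines are user-mode inline hooks (every one here placed by `C:\Windows\system32\IEFRAME.dll`, which GMER attributes to Internet Explorer/Microsoft, inside the `iexplore.exe` processes), and the two values under `Shell Extensions\Approved` whose names are long random-looking strings are the lines an analyst would look at first. The following Python script is an added example, not part of the thread and not GMER's code. It parses those two line formats and applies the two checks just described. The "expected hook" rule (hooking DLL under the Windows directory and carrying a vendor tag) is a constructed triage heuristic, and the fourth hook line in its sample input (a DLL under a user temp path with no vendor tag) is constructed to exercise it; the other sample lines are copied from the log.

```python
"""Triage helper for a GMER 1.0.15 text log (added example; not GMER code, not
from the thread).  Two checks an analyst otherwise does by eye:

  1. Hook lines ".text <proc>[pid] <mod>!<api> <addr> <N> Bytes JMP <target> <dll> (<desc>/<vendor>)"
     are "expected" only if the hooking DLL is under the Windows directory AND
     GMER attributed it to a vendor; anything else is listed for review.
  2. Values under Shell Extensions\\Approved whose name is a long run of
     lowercase letters are flagged, with GMER's byte dump decoded to ASCII.

Both are heuristics for prioritising review, not verdicts: malware can live
in system32 with a forged description, and a legitimate product can fail both.
"""
import re
from collections import defaultdict

HOOK_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+(?P<mod>[^\s!]+)!(?P<api>\S+)\s+"
    r"(?P<addr>[0-9A-Fa-f]+)\s+(?P<size>\d+)\s+Bytes\s+JMP\s+(?P<target>[0-9A-Fa-f]+)\s+"
    r"(?P<dll>.+?)(?:\s+\((?P<desc>[^)]*)\))?\s*$"
)
SUSPICIOUS_NAME_RE = re.compile(r"^[a-z]{16,}$")
WINDIR = "c:\\windows\\"


def parse_hook(line):
    """Dict for a '.text ... JMP ...' line (vendor taken from '<desc>/<vendor>'), else None."""
    m = HOOK_RE.match(line)
    if not m:
        return None
    h = m.groupdict()
    desc = h.pop("desc")
    h["vendor"] = desc.rsplit("/", 1)[-1].strip() if desc else None
    return h


def parse_reg(line):
    """Dict {key, value, data} for 'Reg <key>[@<value> [<data>]]', else None.
    Key paths may contain spaces ('Shell Extensions'), so split on the first '@',
    not on whitespace; GMER separates the value name from its data with a space."""
    if not line.startswith("Reg "):
        return None
    rest = line[4:].strip()
    if "@" not in rest:
        return {"key": rest, "value": None, "data": None}
    key, tail = rest.split("@", 1)
    value, _, data = tail.partition(" ")
    return {"key": key, "value": value, "data": data or None}


def decode_hex_preview(data):
    """'0x6A 0x61 ...' -> 'ja' ('.' for non-printable bytes; the '...' marker is skipped)."""
    out = []
    for tok in (data or "").split():
        if tok.startswith("0x") and len(tok) == 4:
            b = int(tok, 16)
            out.append(chr(b) if 32 <= b < 127 else ".")
    return "".join(out)


def hook_is_expected(h):
    """Constructed heuristic: Windows-directory DLL with a vendor attribution."""
    return h["dll"].lower().startswith(WINDIR) and bool(h["vendor"])


def triage(lines):
    hooks_by_process = defaultdict(set)
    unexpected, suspicious_values = [], []
    for line in lines:
        h = parse_hook(line)
        if h:
            hooks_by_process[f'{h["proc"]}[{h["pid"]}]'].add(h["dll"])
            if not hook_is_expected(h):
                unexpected.append(h)
            continue
        r = parse_reg(line)
        if (r and r["value"] and "shell extensions\\approved" in r["key"].lower()
                and SUSPICIOUS_NAME_RE.match(r["value"])):
            r["preview"] = decode_hex_preview(r["data"])
            suspicious_values.append(r)
    return {"hooks_by_process": {k: sorted(v) for k, v in hooks_by_process.items()},
            "unexpected_hooks": unexpected, "suspicious_values": suspicious_values}


# Sample input: the first three hook lines and the Reg lines are copied from the
# thread's GMER log; the fourth hook line (example_unknown.dll under a user temp
# path, no vendor tag) is constructed to exercise the "unexpected" branch.
SAMPLE_LOG = r"""
.text C:\Program Files\Internet Explorer\iexplore.exe[4280] USER32.dll!CallNextHookEx 76458E3B 5 Bytes JMP 6EAEDD81 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4280] ole32.dll!CoCreateInstance 762A9F3E 5 Bytes JMP 6EAF488E C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4548] USER32.dll!SetWindowsHookExW 764587AD 5 Bytes JMP 6EAEDBCB C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4548] USER32.dll!CreateWindowExW 76461305 5 Bytes JMP 00A01000 C:\Users\Example\AppData\Local\Temp\example_unknown.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{FDE9172A-DDE9-B144-F627-96525AE7577A}@majofelkcmphpjomglhjjjenim 0x6A 0x61 0x63 0x6D ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{FDE9172A-DDE9-B144-F627-96525AE7577A}@napephoodpnklngfhjmgieadmfdc 0x6A 0x61 0x63 0x6D ...
"""

if __name__ == "__main__":
    report = triage(SAMPLE_LOG.splitlines())
    for proc, dlls in report["hooks_by_process"].items():
        print(f"{proc}: hooked by {', '.join(dlls)}")
    for h in report["unexpected_hooks"]:
        print(f"REVIEW hook : {h['mod']}!{h['api']} -> {h['dll']} in pid {h['pid']}")
    for r in report["suspicious_values"]:
        print(f"REVIEW value: {r['value']} under {r['key']} (data starts {r['preview']!r})")
```

Run against a full log (`triage(open("gmer.log").read().splitlines())`) the script collapses hundreds of repeated hook lines into one summary per process and leaves only the lines that need a human decision. The decoded byte preview matters: GMER prints only the first few bytes of a value's data, and seeing them as text is often enough to tell a configuration blob from stored code or a path.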
 


rizzle425
Thread Starter
It's been 48 hours since I posted my question and there's no reply yet, so I'm just replying to "bump up" my question.
 

kevinf80 (Kevin)
Malware Specialist
Hiya rizzle425,

We will begin with ComboFix.exe. Please visit this webpage for download links and instructions for running the tool:

Combofix

Don't forget: ComboFix must be saved to your desktop. <-- Very important

Before saving to your Desktop, rename ComboFix to Gotcha.exe as follows:



Ensure you have disabled your firewall and all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. <-- Very important

Please include the C:\ComboFix.txt in your next reply for further review.

Examples of how to disable real-time protection are available at the following link:

Disable realtime protection

Note: Do not click ComboFix's window with your mouse while it's running. That action may cause it to stall.

*EXTRA NOTES*
  • If ComboFix detects any rootkit/bootkit activity on your system it will give a warning and prompt for a reboot; you must allow it to do so.
  • If ComboFix reboots due to a rootkit, the screen may stay black for several minutes on reboot; this is normal.
  • If after running ComboFix you receive any type of warning message about registry keys being listed for deletion when trying to open certain items, reboot the system and this will fix the issue (those items will not be deleted).

Post the log in your reply please,

Kevin
 

rizzle425
Thread Starter
Hello kevinf80,

Thank you for your reply, it is appreciated! I followed your instructions to the point and I cannot get ComboFix to run. I made sure to name it gotcha.exe when I saved it, and I saved it to the desktop. I disabled my antivirus and firewall before running, but I cannot seem to get it to work.

I've tried running normally and as administrator in regular Windows, and I've attempted running normally and as administrator in safe mode as well; all attempts failed. I got a blue screen and a system reboot every time the initial loading bar of ComboFix would complete. There was one exception where I didn't get a blue screen, but my PC froze and I had to do a hard shutdown and restart.

Any ideas?

Rizzle425
 

kevinf80 (Kevin)
Malware Specialist
Keep your security OFF and try the following:

Please download Rkill and save it to your Desktop.
  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista or Windows 7, right-click on it and select Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If you get an alert that RKill is a threat, leave that alert open and re-run RKill again.

If RKill is successful, give ComboFix (Gotcha.exe) another try.
 

rizzle425
Thread Starter
I downloaded Rkill as instructed and had the same results as with ComboFix: it either blue-screened and restarted or it froze up my PC when I tried to run rkill.exe from my desktop.
 

kevinf80 (Kevin)
Malware Specialist
Reboot your PC and continuously tap the F8 key until you see the Windows Advanced Menu; from the options select "Safe Mode with Networking".

Next,

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.

  • If an infected file is detected, the default action will be Cure; click on Continue.

  • If a suspicious file is detected, the default action will be Skip; click on Continue.

  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.

  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

See if that works; post the log if successful,
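The report TDSSKiller writes (the log posted next in the thread is one) lists every driver service it examined as `<timestamp> <service> (<md5 of the image>) <image path>`, after a block of `Key: value` header lines such as the boot type. What an analyst does with that list is compare hashes against a known-clean reference and look for images loaded from odd locations, because the TDSS/TDL rootkits the tool is named for are known for patching a legitimate boot driver in place rather than dropping a new file. The following Python script is an added example, not part of the thread and not Kaspersky's tooling; it parses that log format and runs those checks. Its sample log is copied from the thread's log plus one constructed entry under a user temp path, and its reference table is constructed for illustration (one hash copied from the log to show a match, one deliberately wrong placeholder to show a mismatch), not real Vista SP2 reference hashes.

```python
"""Triage helper for a TDSSKiller driver-scan log.  Added example, not part of
the thread and not Kaspersky's tooling.

TDSSKiller logs every driver service it examined as
    YYYY/MM/DD HH:MM:SS.ffff <service> (<md5 of image>) <image path>
after "Key: value" header lines.  This script parses both and reports
  (a) images loaded from outside the Windows directory,
  (b) one image registered under several service names (usually legitimate,
      e.g. a vendor's compatibility alias, but worth a glance), and
  (c) MD5s that differ from a caller-supplied reference table of hashes taken
      from a known-clean machine of the same OS build and patch level.
Check (c) is the one that matters for an in-place patched boot driver.
"""
import re
from collections import defaultdict

DRIVER_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{4})\s+"
    r"(?P<svc>\S+)\s+\((?P<md5>[0-9a-fA-F]{32})\)\s+(?P<path>\S.*?)\s*$"
)
HEADER_RE = re.compile(r"^\d{4}/\d{2}/\d{2} [\d:.]+\s+(?P<key>[A-Za-z ]+?):\s+(?P<val>.+?)\s*$")
WINDIR = "c:\\windows\\"


def parse_log(text):
    """Return (header dict, list of driver dicts) from the raw log text."""
    header, drivers = {}, []
    for line in text.splitlines():
        m = DRIVER_RE.match(line)
        if m:
            drivers.append(m.groupdict())
            continue
        m = HEADER_RE.match(line)
        if m:
            header[m["key"]] = m["val"]
    return header, drivers


def triage(drivers, reference):
    """reference maps lower-case image file name -> expected MD5 hex string."""
    by_image = defaultdict(list)
    mismatch, unverified = [], []
    for d in drivers:
        by_image[d["path"].lower()].append(d["svc"])
        name = d["path"].rsplit("\\", 1)[-1].lower()
        expected = reference.get(name)
        if expected is None:
            unverified.append(d["svc"])
        elif expected.lower() != d["md5"].lower():
            mismatch.append((d["svc"], d["path"], d["md5"].lower(), expected.lower()))
    return {
        "outside_windir": [d for d in drivers if not d["path"].lower().startswith(WINDIR)],
        "shared_images": {p: s for p, s in by_image.items() if len(s) > 1},
        "mismatch": mismatch,
        "unverified": unverified,
    }


# Constructed sample: header and driver lines copied from the log posted in this
# thread, plus one constructed entry (exampledrv) under a user temp path.
SAMPLE_LOG = r"""
2011/01/08 19:38:57.0634 OS Version: 6.0.6002 ServicePack: 2.0
2011/01/08 19:38:57.0634 Boot type: Safe boot with network
2011/01/08 19:39:09.0272 ACPI (82b296ae1892fe3dbee00c9cf92f8ac7) C:\Windows\system32\drivers\acpi.sys
2011/01/08 19:39:10.0332 amdkmdag (5ab10c74c8ea15e98a6c771b7269615e) C:\Windows\system32\DRIVERS\atikmdag.sys
2011/01/08 19:39:10.0769 atapi (1f05b78ab91c9075565a9d8a4b880bc4) C:\Windows\system32\drivers\atapi.sys
2011/01/08 19:39:10.0988 atikmdag (5ab10c74c8ea15e98a6c771b7269615e) C:\Windows\system32\DRIVERS\atikmdag.sys
2011/01/08 19:39:11.0112 Beep (67e506b75bd5326a3ec7b70bd014dfb6) C:\Windows\system32\drivers\Beep.sys
2011/01/08 19:39:15.0500 exampledrv (00000000000000000000000000000000) C:\Users\Example\AppData\Local\Temp\exampledrv.sys
"""

# Constructed reference table: acpi.sys is copied from the log so the match path
# runs; beep.sys is a deliberately wrong placeholder so the mismatch path runs.
# Neither is a real Vista SP2 reference hash; build your own from a clean install.
SAMPLE_REFERENCE = {
    "acpi.sys": "82b296ae1892fe3dbee00c9cf92f8ac7",
    "beep.sys": "ffffffffffffffffffffffffffffffff",
}

if __name__ == "__main__":
    header, drivers = parse_log(SAMPLE_LOG)
    print(f"{len(drivers)} drivers scanned, boot type: {header.get('Boot type')}")
    rep = triage(drivers, SAMPLE_REFERENCE)
    for d in rep["outside_windir"]:
        print(f"REVIEW path : {d['svc']} -> {d['path']}")
    for svc, path, got, exp in rep["mismatch"]:
        print(f"REVIEW hash : {svc} {path} md5={got} expected={exp}")
    for path, svcs in rep["shared_images"].items():
        print(f"shared image: {path} <- {', '.join(svcs)}")
    print(f"unverified (no reference hash): {', '.join(rep['unverified'])}")
```

The reference table is the part that needs care: hashes must come from a machine with the same Windows build and the same updates installed, since a legitimate hotfix changes a driver's MD5 just as a rootkit does. Everything the table does not cover is listed as unverified rather than silently passed, so the analyst can see exactly which drivers still need another source of truth.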
 

rizzle425
Thread Starter
Okay, good news: I got that one to work and I've got the log. Here it is:


2011/01/08 19:38:57.0634 TDSS rootkit removing tool 2.4.12.0 Dec 16 2010 09:46:46
2011/01/08 19:38:57.0634 ================================================================================
2011/01/08 19:38:57.0634 SystemInfo:
2011/01/08 19:38:57.0634
2011/01/08 19:38:57.0634 OS Version: 6.0.6002 ServicePack: 2.0
2011/01/08 19:38:57.0634 Product type: Workstation
2011/01/08 19:38:57.0634 ComputerName: ROWDYPC
2011/01/08 19:38:57.0634 UserName: Rizzle
2011/01/08 19:38:57.0634 Windows directory: C:\Windows
2011/01/08 19:38:57.0634 System windows directory: C:\Windows
2011/01/08 19:38:57.0634 Processor architecture: Intel x86
2011/01/08 19:38:57.0634 Number of processors: 2
2011/01/08 19:38:57.0634 Page size: 0x1000
2011/01/08 19:38:57.0634 Boot type: Safe boot with network
2011/01/08 19:38:57.0634 ================================================================================
2011/01/08 19:38:57.0915 Initialize success
2011/01/08 19:39:07.0977 ================================================================================
2011/01/08 19:39:07.0977 Scan started
2011/01/08 19:39:07.0977 Mode: Manual;
2011/01/08 19:39:07.0977 ================================================================================
2011/01/08 19:39:09.0272 ACPI (82b296ae1892fe3dbee00c9cf92f8ac7) C:\Windows\system32\drivers\acpi.sys
2011/01/08 19:39:09.0428 adp94xx (04f0fcac69c7c71a3ac4eb97fafc8303) C:\Windows\system32\drivers\adp94xx.sys
2011/01/08 19:39:09.0693 adpahci (60505e0041f7751bdbb80f88bf45c2ce) C:\Windows\system32\drivers\adpahci.sys
2011/01/08 19:39:09.0740 adpu160m (8a42779b02aec986eab64ecfc98f8bd7) C:\Windows\system32\drivers\adpu160m.sys
2011/01/08 19:39:09.0833 adpu320 (241c9e37f8ce45ef51c3de27515ca4e5) C:\Windows\system32\drivers\adpu320.sys
2011/01/08 19:39:09.0927 AFD (a201207363aa900abf1a388468688570) C:\Windows\system32\drivers\afd.sys
2011/01/08 19:39:09.0974 agp440 (13f9e33747e6b41a3ff305c37db0d360) C:\Windows\system32\drivers\agp440.sys
2011/01/08 19:39:10.0020 aic78xx (ae1fdf7bf7bb6c6a70f67699d880592a) C:\Windows\system32\drivers\djsvs.sys
2011/01/08 19:39:10.0052 aliide (9eaef5fc9b8e351afa7e78a6fae91f91) C:\Windows\system32\drivers\aliide.sys
2011/01/08 19:39:10.0083 amdagp (c47344bc706e5f0b9dce369516661578) C:\Windows\system32\drivers\amdagp.sys
2011/01/08 19:39:10.0114 amdide (9b78a39a4c173fdbc1321e0dd659b34c) C:\Windows\system32\drivers\amdide.sys
2011/01/08 19:39:10.0130 AmdK7 (18f29b49ad23ecee3d2a826c725c8d48) C:\Windows\system32\drivers\amdk7.sys
2011/01/08 19:39:10.0145 AmdK8 (93ae7f7dd54ab986a6f1a1b37be7442d) C:\Windows\system32\DRIVERS\amdk8.sys
2011/01/08 19:39:10.0332 amdkmdag (5ab10c74c8ea15e98a6c771b7269615e) C:\Windows\system32\DRIVERS\atikmdag.sys
2011/01/08 19:39:10.0582 amdkmdap (e9890f7ec1ab4d09afeb09dd76334622) C:\Windows\system32\DRIVERS\atikmpag.sys
2011/01/08 19:39:10.0676 arc (5d2888182fb46632511acee92fdad522) C:\Windows\system32\drivers\arc.sys
2011/01/08 19:39:10.0691 arcsas (5e2a321bd7c8b3624e41fdec3e244945) C:\Windows\system32\drivers\arcsas.sys
2011/01/08 19:39:10.0738 AsyncMac (53b202abee6455406254444303e87be1) C:\Windows\system32\DRIVERS\asyncmac.sys
2011/01/08 19:39:10.0769 atapi (1f05b78ab91c9075565a9d8a4b880bc4) C:\Windows\system32\drivers\atapi.sys
2011/01/08 19:39:10.0800 AtiHDAudioService (99a0f5c917558624cbeb113cb12e3f25) C:\Windows\system32\drivers\AtihdLH3.sys
2011/01/08 19:39:10.0832 AtiHdmiService (5e1cbda7d52289579e25283549e99425) C:\Windows\system32\drivers\AtiHdmi.sys
2011/01/08 19:39:10.0988 atikmdag (5ab10c74c8ea15e98a6c771b7269615e) C:\Windows\system32\DRIVERS\atikmdag.sys
2011/01/08 19:39:11.0050 atksgt (e46d344412d1abc60c58e95c73bcdc70) C:\Windows\system32\DRIVERS\atksgt.sys
2011/01/08 19:39:11.0112 Beep (67e506b75bd5326a3ec7b70bd014dfb6) C:\Windows\system32\drivers\Beep.sys
2011/01/08 19:39:11.0144 blbdrive (d4df28447741fd3d953526e33a617397) C:\Windows\system32\drivers\blbdrive.sys
2011/01/08 19:39:11.0175 bowser (74b442b2be1260b7588c136177ceac66) C:\Windows\system32\DRIVERS\bowser.sys
2011/01/08 19:39:11.0206 BrFiltLo (9f9acc7f7ccde8a15c282d3f88b43309) C:\Windows\system32\drivers\brfiltlo.sys
2011/01/08 19:39:11.0222 BrFiltUp (56801ad62213a41f6497f96dee83755a) C:\Windows\system32\drivers\brfiltup.sys
2011/01/08 19:39:11.0253 Brserid (b304e75cff293029eddf094246747113) C:\Windows\system32\drivers\brserid.sys
2011/01/08 19:39:11.0284 BrSerWdm (203f0b1e73adadbbb7b7b1fabd901f6b) C:\Windows\system32\drivers\brserwdm.sys
2011/01/08 19:39:11.0300 BrUsbMdm (bd456606156ba17e60a04e18016ae54b) C:\Windows\system32\drivers\brusbmdm.sys
2011/01/08 19:39:11.0315 BrUsbSer (af72ed54503f717a43268b3cc5faec2e) C:\Windows\system32\drivers\brusbser.sys
2011/01/08 19:39:11.0331 BTHMODEM (ad07c1ec6665b8b35741ab91200c6b68) C:\Windows\system32\drivers\bthmodem.sys
2011/01/08 19:39:11.0362 cdfs (7add03e75beb9e6dd102c3081d29840a) C:\Windows\system32\DRIVERS\cdfs.sys
2011/01/08 19:39:11.0409 cdrom (6b4bffb9becd728097024276430db314) C:\Windows\system32\DRIVERS\cdrom.sys
2011/01/08 19:39:11.0440 circlass (e5d4133f37219dbcfe102bc61072589d) C:\Windows\system32\drivers\circlass.sys
2011/01/08 19:39:11.0487 CLFS (d7659d3b5b92c31e84e53c1431f35132) C:\Windows\system32\CLFS.sys
2011/01/08 19:39:11.0549 cmdide (0ca25e686a4928484e9fdabd168ab629) C:\Windows\system32\drivers\cmdide.sys
2011/01/08 19:39:11.0580 Compbatt (6afef0b60fa25de07c0968983ee4f60a) C:\Windows\system32\drivers\compbatt.sys
2011/01/08 19:39:11.0612 crcdisk (741e9dff4f42d2d8477d0fc1dc0df871) C:\Windows\system32\drivers\crcdisk.sys
2011/01/08 19:39:11.0643 Crusoe (1f07becdca750766a96cda811ba86410) C:\Windows\system32\drivers\crusoe.sys
2011/01/08 19:39:11.0705 DfsC (218d8ae46c88e82014f5d73d0236d9b2) C:\Windows\system32\Drivers\dfsc.sys
2011/01/08 19:39:11.0783 disk (5d4aefc3386920236a548271f8f1af6a) C:\Windows\system32\drivers\disk.sys
2011/01/08 19:39:11.0830 drmkaud (97fef831ab90bee128c9af390e243f80) C:\Windows\system32\drivers\drmkaud.sys
2011/01/08 19:39:11.0877 DXGKrnl (5c7e2097b91d689ded7a6ff90f0f3a25) C:\Windows\System32\drivers\dxgkrnl.sys
2011/01/08 19:39:11.0924 E1G60 (5425f74ac0c1dbd96a1e04f17d63f94c) C:\Windows\system32\DRIVERS\E1G60I32.sys
2011/01/08 19:39:12.0002 Ecache (7f64ea048dcfac7acf8b4d7b4e6fe371) C:\Windows\system32\drivers\ecache.sys
2011/01/08 19:39:12.0048 elxstor (23b62471681a124889978f6295b3f4c6) C:\Windows\system32\drivers\elxstor.sys
2011/01/08 19:39:12.0095 ErrDev (3db974f3935483555d7148663f726c61) C:\Windows\system32\drivers\errdev.sys
2011/01/08 19:39:12.0142 exfat (22b408651f9123527bcee54b4f6c5cae) C:\Windows\system32\drivers\exfat.sys
2011/01/08 19:39:12.0189 fastfat (1e9b9a70d332103c52995e957dc09ef8) C:\Windows\system32\drivers\fastfat.sys
2011/01/08 19:39:12.0220 fdc (afe1e8b9782a0dd7fb46bbd88e43f89a) C:\Windows\system32\DRIVERS\fdc.sys
2011/01/08 19:39:12.0251 FileInfo (a8c0139a884861e3aae9cfe73b208a9f) C:\Windows\system32\drivers\fileinfo.sys
2011/01/08 19:39:12.0282 Filetrace (0ae429a696aecbc5970e3cf2c62635ae) C:\Windows\system32\drivers\filetrace.sys
2011/01/08 19:39:12.0329 flpydisk (85b7cf99d532820495d68d747fda9ebd) C:\Windows\system32\DRIVERS\flpydisk.sys
2011/01/08 19:39:12.0360 FltMgr (01334f9ea68e6877c4ef05d3ea8abb05) C:\Windows\system32\drivers\fltmgr.sys
2011/01/08 19:39:12.0376 Fs_Rec (65ea8b77b5851854f0c55c43fa51a198) C:\Windows\system32\drivers\Fs_Rec.sys
2011/01/08 19:39:12.0407 gagp30kx (34582a6e6573d54a07ece5fe24a126b5) C:\Windows\system32\drivers\gagp30kx.sys
2011/01/08 19:39:12.0454 HdAudAddService (cb04c744be0a61b1d648faed182c3b59) C:\Windows\system32\drivers\HdAudio.sys
2011/01/08 19:39:12.0485 HDAudBus (062452b7ffd68c8c042a6261fe8dff4a) C:\Windows\system32\DRIVERS\HDAudBus.sys
2011/01/08 19:39:12.0516 HidBth (1338520e78d90154ed6be8f84de5fceb) C:\Windows\system32\drivers\hidbth.sys
2011/01/08 19:39:12.0548 HidIr (ff3160c3a2445128c5a6d9b076da519e) C:\Windows\system32\drivers\hidir.sys
2011/01/08 19:39:12.0594 HidUsb (cca4b519b17e23a00b826c55716809cc) C:\Windows\system32\DRIVERS\hidusb.sys
2011/01/08 19:39:12.0672 HpCISSs (16ee7b23a009e00d835cdb79574a91a6) C:\Windows\system32\drivers\hpcisss.sys
2011/01/08 19:39:12.0813 HSF_DP (88749fbf8beb18c90e7d6626c8c1910b) C:\Windows\system32\DRIVERS\HSX_DP.sys
2011/01/08 19:39:12.0922 HSXHWBS2 (fe440536bd98af772130dc3a6fe1915f) C:\Windows\system32\DRIVERS\HSXHWBS2.sys
2011/01/08 19:39:13.0016 HTTP (f870aa3e254628ebeafe754108d664de) C:\Windows\system32\drivers\HTTP.sys
2011/01/08 19:39:13.0047 i2omp (c6b032d69650985468160fc9937cf5b4) C:\Windows\system32\drivers\i2omp.sys
2011/01/08 19:39:13.0078 i8042prt (22d56c8184586b7a1f6fa60be5f5a2bd) C:\Windows\system32\DRIVERS\i8042prt.sys
2011/01/08 19:39:13.0109 iaStorV (54155ea1b0df185878e0fc9ec3ac3a14) C:\Windows\system32\drivers\iastorv.sys
2011/01/08 19:39:13.0140 iirsp (2d077bf86e843f901d8db709c95b49a5) C:\Windows\system32\drivers\iirsp.sys
2011/01/08 19:39:13.0234 IntcAzAudAddService (5d26ccb06e1f3b5c26e863df3f4f2611) C:\Windows\system32\drivers\RTKVHDA.sys
2011/01/08 19:39:13.0296 intelide (83aa759f3189e6370c30de5dc5590718) C:\Windows\system32\drivers\intelide.sys
2011/01/08 19:39:13.0312 intelppm (224191001e78c89dfa78924c3ea595ff) C:\Windows\system32\DRIVERS\intelppm.sys
2011/01/08 19:39:13.0343 IpFilterDriver (62c265c38769b864cb25b4bcf62df6c3) C:\Windows\system32\DRIVERS\ipfltdrv.sys
2011/01/08 19:39:13.0390 IPMIDRV (b25aaf203552b7b3491139d582b39ad1) C:\Windows\system32\drivers\ipmidrv.sys
2011/01/08 19:39:13.0406 IPNAT (8793643a67b42cec66490b2a0cf92d68) C:\Windows\system32\DRIVERS\ipnat.sys
2011/01/08 19:39:13.0437 IRENUM (109c0dfb82c3632fbd11949b73aeeac9) C:\Windows\system32\drivers\irenum.sys
2011/01/08 19:39:13.0452 isapnp (6c70698a3e5c4376c6ab5c7c17fb0614) C:\Windows\system32\drivers\isapnp.sys
2011/01/08 19:39:13.0499 iScsiPrt (232fa340531d940aac623b121a595034) C:\Windows\system32\DRIVERS\msiscsi.sys
2011/01/08 19:39:13.0530 iteatapi (bced60d16156e428f8df8cf27b0df150) C:\Windows\system32\drivers\iteatapi.sys
2011/01/08 19:39:13.0546 iteraid (06fa654504a498c30adca8bec4e87e7e) C:\Windows\system32\drivers\iteraid.sys
2011/01/08 19:39:18.0070 sptd (d15da1ba189770d93eea2d7e18f95af9) C:\Windows\system32\Drivers\sptd.sys
2011/01/08 19:39:18.0070 Suspicious file (NoAccess): C:\Windows\system32\Drivers\sptd.sys. md5: d15da1ba189770d93eea2d7e18f95af9
2011/01/08 19:39:18.0086 sptd - detected Locked file (1)
2011/01/08 19:39:21.0736 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2011/01/08 19:39:21.0736 ================================================================================
2011/01/08 19:39:21.0736 Scan finished
2011/01/08 19:39:21.0736 ================================================================================
2011/01/08 19:39:21.0752 Detected object count: 2
2011/01/08 19:39:56.0571 Locked file(sptd) - User select action: Skip
2011/01/08 19:39:56.0602 \HardDisk0 - will be cured after reboot
2011/01/08 19:39:56.0602 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Cure
2011/01/08 19:40:09.0644 Deinitialize success
 

kevinf80

Kevin
Malware Specialist
Joined
Mar 21, 2006
Messages
11,467
OK, nice job. See if Combofix (Gotcha.exe) will run now....

Kevin
 

rizzle425

Thread Starter
Joined
Apr 8, 2007
Messages
36
Okay, I got the combofix to complete successfully. Here is the log.



ComboFix 11-01-08.05 - Rizzle 01/09/2011 18:27:30.1.2 - x86 NETWORK
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3582.3101 [GMT -7:00]
Running from: c:\users\Rizzle\Desktop\gotcha.exe
AV: Trend Micro Internet Security Pro *Disabled/Updated* {68F968AC-2AA0-091D-848C-803E83E35902}
FW: Trend Micro Personal Firewall *Disabled* {70A91CD9-303D-A217-A80E-6DEE136EDB2B}
SP: Trend Micro Internet Security Pro *Disabled/Outdated* {D3988948-0C9A-0693-BE3C-BB4CF86413BF}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Search Toolbar
c:\program files\Search Toolbar\SearchToolbar.dll
c:\users\Rizzle\AppData\Local\{3BA7F147-C6D8-48DA-BB5E-8651E9003C62}
c:\users\Rizzle\AppData\Local\{3BA7F147-C6D8-48DA-BB5E-8651E9003C62}\chrome.manifest
c:\users\Rizzle\AppData\Local\{3BA7F147-C6D8-48DA-BB5E-8651E9003C62}\chrome\content\_cfg.js
c:\users\Rizzle\AppData\Local\{3BA7F147-C6D8-48DA-BB5E-8651E9003C62}\chrome\content\c.js
c:\users\Rizzle\AppData\Local\{3BA7F147-C6D8-48DA-BB5E-8651E9003C62}\chrome\content\overlay.xul
c:\users\Rizzle\AppData\Local\{3BA7F147-C6D8-48DA-BB5E-8651E9003C62}\install.rdf
c:\windows\expert
c:\windows\expert\Apps\Help.ico
c:\windows\expert\Apps\Home.exe
c:\windows\expert\Apps\Install.ico
c:\windows\expert\Apps\PDF.ICO
c:\windows\expert\Apps\Readme.ico
c:\windows\expert\Apps\Register.exe
c:\windows\expert\Apps\Support.exe
c:\windows\expert\X6820.INI
c:\windows\system32\jusched.exe
c:\windows\system32\service
c:\windows\system32\service\08012010_TIS17_SfFniAU.log
c:\windows\system32\service\08122010_TIS17_SfFniAU.log
c:\windows\system32\service\09032010_TIS17_SfFniAU.log
c:\windows\system32\service\13042010_TIS17_SfFniAU.log
c:\windows\system32\service\16042010_TIS17_SfFniAU.log
c:\windows\system32\service\22062009_TIS17_SfFniAU.log
c:\windows\system32\service\22092010_TIS17_SfFniAU.log
c:\windows\system32\service\25042010_TIS17_SfFniAU.log
c:\windows\system32\service\27122010_TIS17_SfFniAU.log
c:\windows\system32\service\29092009_TIS17_SfFniAU.log
c:\windows\system32\UACchnmiwvbmvmxghsik.db
c:\windows\system32\uactmp.db
C:\xcrashdump.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_UACD.SYS


((((((((((((((((((((((((( Files Created from 2010-12-10 to 2011-01-10 )))))))))))))))))))))))))))))))
.

2011-01-10 01:37 . 2011-01-10 01:39 -------- d-----w- c:\users\Rizzle\AppData\Local\temp
2011-01-09 05:20 . 2010-03-05 14:01 420352 ----a-w- c:\windows\system32\vbscript.dll
2011-01-09 05:13 . 2010-11-10 04:33 6273872 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{5EE2B0CE-D6DC-4561-9B13-DC6E65673C53}\mpengine.dll
2011-01-06 08:52 . 2011-01-08 21:45 -------- d-----w- c:\program files\Runes of Magic
2011-01-04 04:42 . 2011-01-04 04:42 388096 ----a-r- c:\users\Rizzle\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-12-29 09:13 . 2010-12-29 09:13 -------- d-----w- c:\program files\Feedback Tool
2010-12-28 07:53 . 2010-12-28 07:53 -------- d-----w- c:\users\Rizzle\AppData\Roaming\Registry Mechanic
2010-12-26 02:27 . 2010-12-26 02:35 -------- d-----w- c:\users\Rizzle\AppData\Roaming\FixCleaner
2010-12-26 02:27 . 2010-12-26 02:35 -------- d-----w- c:\program files\FixCleaner
2010-12-17 20:57 . 2010-12-17 20:57 -------- d-----w- c:\users\Rizzle\dwhelper
2010-12-17 20:55 . 2010-12-28 07:53 -------- d-----w- c:\program files\AutocompletePro

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-12-29 08:13 . 2010-09-09 17:41 18 ----a-w- c:\windows\system\msg.bat
2010-12-29 08:13 . 2010-09-09 17:41 1646 ----a-w- c:\windows\system\msg.reg
2010-12-21 01:09 . 2010-09-12 16:21 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-21 01:08 . 2010-09-12 16:21 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-09 16:38 . 2010-12-09 16:38 749832 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2010-11-25 07:01 . 2009-02-04 04:43 4077568 ----a-w- c:\windows\system32\atiumdag.dll
2010-11-25 07:00 . 2010-11-25 07:00 4407808 ----a-w- c:\windows\system32\aticaldd.dll
2010-11-25 07:00 . 2010-11-25 07:00 16201728 ----a-w- c:\windows\system32\atioglxx.dll
2010-11-25 07:00 . 2010-11-25 07:00 356352 ----a-w- c:\windows\system32\atipdlxx.dll
2010-11-25 07:00 . 2010-05-05 02:19 536576 ----a-w- c:\windows\system32\aticfx32.dll
2010-11-25 07:00 . 2010-11-25 07:00 278528 ----a-w- c:\windows\system32\Oemdspif.dll
2010-11-25 07:00 . 2010-11-25 07:00 43520 ----a-w- c:\windows\system32\ati2edxx.dll
2010-11-25 07:00 . 2010-11-25 07:00 6472192 ----a-w- c:\windows\system32\drivers\atikmdag.sys
2010-11-25 07:00 . 2009-12-11 20:11 52736 ----a-w- c:\windows\system32\coinst.dll
2010-11-25 07:00 . 2010-11-25 07:00 3953152 ----a-w- c:\windows\system32\atidxx32.dll
2010-11-25 07:00 . 2010-11-25 07:00 159744 ----a-w- c:\windows\system32\atitmmxx.dll
2010-11-25 07:00 . 2010-11-25 07:00 44032 ----a-w- c:\windows\system32\aticalcl.dll
2010-11-25 07:00 . 2010-11-25 07:00 143360 ----a-w- c:\windows\system32\atiapfxx.exe
2010-11-25 07:00 . 2010-11-25 07:00 46080 ----a-w- c:\windows\system32\aticalrt.dll
2010-11-25 07:00 . 2010-11-25 07:00 11776 ----a-w- c:\windows\system32\atimuixx.dll
2010-11-25 07:00 . 2009-12-11 19:50 28672 ----a-w- c:\windows\system32\atiu9pag.dll
2010-11-25 07:00 . 2010-11-25 07:00 450560 ----a-w- c:\windows\system32\ATIDEMGX.dll
2010-11-25 07:00 . 2010-11-25 07:00 19968 ----a-w- c:\windows\system32\atigktxx.dll
2010-11-25 07:00 . 2010-11-25 07:00 12800 ----a-w- c:\windows\system32\atiglpxx.dll
2010-11-25 07:00 . 2010-11-25 07:00 52736 ----a-w- c:\windows\system32\atimpc32.dll
2010-11-25 07:00 . 2010-11-25 07:00 52736 ----a-w- c:\windows\system32\amdpcom32.dll
2010-11-25 07:00 . 2010-11-25 07:00 228352 ----a-w- c:\windows\system32\drivers\atikmpag.sys
2010-11-25 07:00 . 2010-11-25 07:00 241664 ----a-w- c:\windows\system32\atiadlxx.dll
2010-11-25 07:00 . 2010-05-05 01:19 3460096 ----a-w- c:\windows\system32\atiumdva.dll
2010-11-25 07:00 . 2010-11-25 07:00 45056 ----a-w- c:\windows\system32\ATIODCLI.exe
2010-11-25 07:00 . 2009-12-11 19:49 23040 ----a-w- c:\windows\system32\atitmpxx.dll
2010-11-25 07:00 . 2010-11-25 07:00 176128 ----a-w- c:\windows\system32\atiesrxx.exe
2010-11-25 07:00 . 2010-11-25 07:00 30720 ----a-w- c:\windows\system32\atiuxpag.dll
2010-11-25 07:00 . 2010-11-25 07:00 53248 ----a-w- c:\windows\system32\drivers\ati2erec.dll
2010-11-25 07:00 . 2010-11-25 07:00 294912 ----a-w- c:\windows\system32\ATIODE.exe
2010-11-25 07:00 . 2010-11-25 07:00 100368 ----a-w- c:\windows\system32\drivers\AtihdLH3.sys
2010-11-25 07:00 . 2010-11-25 07:00 380928 ----a-w- c:\windows\system32\atieclxx.exe
2010-11-21 07:52 . 2009-08-18 18:30 564632 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\wlidui.dll
2010-11-21 07:52 . 2009-08-18 18:24 17816 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2010-10-31 20:29 . 2010-04-24 16:16 22328 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2010-10-31 20:29 . 2009-09-09 23:47 22328 ----a-w- c:\users\Rizzle\AppData\Roaming\PnkBstrK.sys
2010-10-31 20:29 . 2009-12-19 04:39 103736 ----a-w- c:\windows\system32\PnkBstrB.exe
2010-10-31 20:28 . 2010-04-24 16:15 66872 ----a-w- c:\windows\system32\PnkBstrA.exe
2010-10-31 20:28 . 2009-12-19 04:39 669184 ----a-w- c:\windows\system32\pbsvc.exe
2010-10-19 18:58 . 2010-04-25 17:18 233960 ----a-w- c:\windows\system32\PnkBstrB.xtr
2010-10-19 17:41 . 2009-12-24 20:14 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-10-14 08:36 . 2010-10-14 08:36 15451288 ----a-w- c:\windows\system32\xlive.dll
2010-10-14 08:36 . 2010-10-14 08:36 13642904 ----a-w- c:\windows\system32\xlivefnt.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-06-16 221184]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICustomerCare"="c:\program files\ATI\ATICustomerCare\ATICustomerCare.exe" [2010-03-04 311296]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2010-09-24 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-10-01 98304]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10e.exe" [2010-01-27 256280]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Snapfish Media Detector.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Snapfish Media Detector.lnk
backup=c:\windows\pss\Snapfish Media Detector.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
%ProgramFiles%\Windows Defender\MSASCui.exe -hide [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-09-24 09:15 40368 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICustomerCare]
2010-03-04 20:31 311296 ----a-w- c:\program files\ATI\ATICustomerCare\ATICustomerCare.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BDRegion]
2010-03-13 18:58 75048 ------w- c:\program files\CyberLink\Shared Files\brs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray.exe]
2008-01-21 02:25 125952 ----a-w- c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-05-08 23:24 54840 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
2007-04-18 15:01 65536 ----a-w- c:\hp\support\hpsysdrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2004-08-09 12:03 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OE]
2009-07-19 05:44 492808 ----a-w- c:\program files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-19 04:16 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl10]
2010-02-03 06:08 87336 ------w- c:\program files\CyberLink\PowerDVD10\PDVD10Serv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RtHDVCpl]
2008-07-03 17:27 6266880 ----a-w- c:\windows\RtHDVCpl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
2010-10-01 05:28 98304 ----a-w- c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2010-11-22 20:17 1242448 ----a-w- c:\program files\Steam\steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2007-04-07 09:56 132760 ----a-w- c:\program files\Java\jre1.6.0_01\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UfSeAgnt.exe]
2009-10-20 08:50 995528 ----a-w- c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WindowsWelcomeCenter]
2009-04-11 06:28 2153472 ----a-w- c:\windows\System32\oobefldr.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2008-01-21 02:25 202240 ----a-w- c:\program files\Windows Media Player\wmpnscfg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 FLEXnet Licensing Manager;FLEXnet Licensing Manager for Adobe Products;c:\windows\system\regsrv.exe [x]
R3 jDEBWdowLn;jDEBWdowLn;c:\users\Rizzle\Desktop\speedy\ONWAE [x]
R3 LlGzsiIgb;LlGzsiIgb;c:\users\Rizzle\Desktop\speedy\CQHXIH [x]
R3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des [2010-05-03 3584240]
R3 PCD5SRVC{BD6912E3-AC9D80E8-05040000};PCD5SRVC{BD6912E3-AC9D80E8-05040000} - PCDR Kernel Mode Service Helper Driver;c:\progra~1\PC-DOC~1\PCD5SRVC.pkms [x]
R3 pHDMLilWrz;pHDMLilWrz;c:\users\Rizzle\Desktop\speedy\LHRUHPSS [x]
R3 sikpYwCehF;sikpYwCehF;c:\users\Rizzle\Desktop\speedy\ITVBIHJM [x]
R3 VST_DPV;VST_DPV;c:\windows\system32\DRIVERS\VSTDPV3.SYS [2008-01-21 987648]
R3 VSTHWBS2;VSTHWBS2;c:\windows\system32\DRIVERS\VSTBS23.SYS [2008-01-21 251904]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R3 WvMWWJbHA;WvMWWJbHA;c:\users\Rizzle\Desktop\speedy\LXHFB [x]
R3 YDCxAmHXF;YDCxAmHXF;c:\users\Rizzle\Desktop\speedy\XFGFZMSC [x]
S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2009-08-02 721904]
S1 tmlwf;Trend Micro NDIS 6.0 Filter Driver;c:\windows\system32\DRIVERS\tmlwf.sys [2009-07-19 145424]
S2 {1BA31E5A-C098-42d8-8F88-3C9F78A2FDDC};Power Control [2010/03/30 19:25];c:\program files\CyberLink\PowerDVD10\NavFilter\000.fcl [2010-03-13 18:58 87536]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2010-11-25 176128]
S2 Security Activity Dashboard Service;Security Activity Dashboard Service;c:\program files\Trend Micro\TrendSecure\SecurityActivityDashboard\tmarsvc.exe [2009-02-12 181584]
S2 tmevtmgr;tmevtmgr;c:\windows\system32\DRIVERS\tmevtmgr.sys [2010-07-05 50256]
S2 TmPfw;Trend Micro Personal Firewall;c:\program files\Trend Micro\Internet Security\TmPfw.exe [2009-09-03 497008]
S2 tmpreflt;tmpreflt;c:\windows\system32\DRIVERS\tmpreflt.sys [2010-07-30 36432]
S2 TmProxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [2009-09-03 677128]
S2 tmwfp;Trend Micro WFP Callout Driver;c:\windows\system32\DRIVERS\tmwfp.sys [2009-07-19 256528]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [2010-11-25 6472192]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [2010-11-25 228352]
S3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdLH3.sys [2010-11-25 100368]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder

2010-12-15 c:\windows\Tasks\HPCeeScheduleForRizzle.job
- c:\program files\hewlett-packard\sdp\ceement\HPCEE.exe [2008-06-12 03:03]

2011-01-10 c:\windows\Tasks\User_Feed_Synchronization-{F1EEAB40-F5C5-46ED-824D-FCBDD5D85A69}.job
- c:\windows\system32\msfeedssync.exe [2011-01-09 04:25]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=83&bd=Presario&pf=cndt
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.speedapps.com/search.htm
DPF: {8B67B37E-1AE2-4B99-B8CF-55AF4D58DF0D} - file:///E:/win/setup/iamce.dll
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
URLSearchHooks-{ba14329e-9550-4989-b3f2-9732e92d17cc} - (no file)
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
MSConfigStartUp-A00F19AFCBEC - c:\users\Rizzle\AppData\Local\Temp\_A00F19AFCBEC.exe
MSConfigStartUp-ccApp - c:\program files\Common Files\Symantec Shared\ccApp.exe
MSConfigStartUp-HP Health Check Scheduler - [ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
MSConfigStartUp-HPAdvisor - c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe
MSConfigStartUp-iOmem - c:\users\Rizzle\AppData\Local\TempImages\iOmem.exe
MSConfigStartUp-iTunesHelper - c:\program files\iTunes\iTunesHelper.exe
MSConfigStartUp-net - c:\windows\system32\net.net
MSConfigStartUp-ProxyFirewall - c:\program files\ProxyFirewall\ProxyFirewall.exe
MSConfigStartUp-Vidalia - c:\program files\Vidalia Bundle\Vidalia\vidalia.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-01-09 18:42
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\jDEBWdowLn]
"ImagePath"="\??\c:\users\Rizzle\Desktop\speedy\ONWAE"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\LlGzsiIgb]
"ImagePath"="\??\c:\users\Rizzle\Desktop\speedy\CQHXIH"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\PCD5SRVC{BD6912E3-AC9D80E8-05040000}]
"ImagePath"="\??\c:\progra~1\PC-DOC~1\PCD5SRVC.pkms"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\pHDMLilWrz]
"ImagePath"="\??\c:\users\Rizzle\Desktop\speedy\LHRUHPSS"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\sikpYwCehF]
"ImagePath"="\??\c:\users\Rizzle\Desktop\speedy\ITVBIHJM"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\WvMWWJbHA]
"ImagePath"="\??\c:\users\Rizzle\Desktop\speedy\LXHFB"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\YDCxAmHXF]
"ImagePath"="\??\c:\users\Rizzle\Desktop\speedy\XFGFZMSC"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\{1BA31E5A-C098-42d8-8F88-3C9F78A2FDDC}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD10\NavFilter\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2878287562-595671670-2002291222-1000\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{FDE9172A-DDE9-B144-F627-96525AE7577A}*]
"majofelkcmphpjomglhjjjenim"=hex:6a,61,63,6d,70,6b,64,70,61,66,6d,6d,6a,66,70,
66,70,70,67,70,00,00
"napephoodpnklngfhjmgieadmfdc"=hex:6a,61,63,6d,70,6b,64,70,61,66,6d,6d,6a,66,
70,66,70,70,67,70,00,fe

[HKEY_USERS\S-1-5-21-2878287562-595671670-2002291222-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:9d,81,62,4c,43,8c,ec,d9,67,49,53,91,86,3d,56,18,5a,20,59,54,dd,ea,da,
ad,3e,36,c0,cf,48,74,26,af,03,66,31,0a,9d,77,81,17,d1,ec,d5,c9,15,98,01,90,\
"??"=hex:cf,55,c7,95,2b,14,4d,f8,66,7b,0c,1b,19,52,fe,22

[HKEY_USERS\S-1-5-21-2878287562-595671670-2002291222-1000\Software\SecuROM\License information*]
"datasecu"=hex:8e,1f,09,e2,15,bf,17,61,fc,40,1c,7c,32,cc,8c,e0,f3,41,33,61,9c,
59,31,1b,a2,3a,d2,5e,7c,9b,62,8d,df,55,02,bd,22,fb,fc,ed,20,cd,4e,db,59,85,\
"rkeysecu"=hex:2f,0f,d5,3e,02,2b,06,63,b1,0b,dd,b6,71,e2,54,98

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\atieclxx.exe
c:\program files\Trend Micro\BM\TMBMSRV.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\PnkBstrA.exe
c:\program files\Trend Micro\Internet Security\SfCtlCom.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\Trend Micro\TrendSecure\TISProToolbar\ProToolbarUpdate.exe
c:\windows\servicing\TrustedInstaller.exe
.
**************************************************************************
.
Completion time: 2011-01-09 18:47:29 - machine was rebooted
ComboFix-quarantined-files.txt 2011-01-10 01:47

Pre-Run: 301,791,678,464 bytes free
Post-Run: 301,810,237,440 bytes free

- - End Of File - - 8C8378AA85EE1B99237F83C999981B12
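The service entries above with nine- and ten-character names pointing at c:\users\Rizzle\Desktop\speedy, several of them marked [x], are the kind of thing a responder wants pulled out of a ComboFix log automatically rather than by eye. What follows is an added example written for this thread; it is not code from ComboFix, HijackThis, OTL or anyone in the thread. It parses a few lines constructed in the shape of the log posted above and flags entries whose binary sits under a user profile or a Temp folder, whose file is absent (it assumes, as ComboFix's output convention does, that `[x]` in place of a date and size means the file was not found), or whose name has the mixed-case, vowel-poor shape of a generated string. The heuristic thresholds (eight or more letters, at least three case changes, vowels at most 30% of the name) are my own assumptions and are there to rank, not to convict.

```python
"""Flag suspicious service/autostart entries in ComboFix-style log text.

Added example for this thread; not code from ComboFix, HijackThis or OTL.
The heuristics and thresholds below are assumptions chosen for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: a handful of lines in the shape of the log posted above.
SAMPLE_LOG = r"""
R3 VST_DPV;VST_DPV;c:\windows\system32\DRIVERS\VSTDPV3.SYS [2008-01-21 987648]
R3 WvMWWJbHA;WvMWWJbHA;c:\users\Rizzle\Desktop\speedy\LXHFB [x]
R3 YDCxAmHXF;YDCxAmHXF;c:\users\Rizzle\Desktop\speedy\XFGFZMSC [x]
S2 TmPfw;Trend Micro Personal Firewall;c:\program files\Trend Micro\Internet Security\TmPfw.exe [2009-09-03 497008]
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\jDEBWdowLn]
"ImagePath"="\??\c:\users\Rizzle\Desktop\speedy\ONWAE"
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
MSConfigStartUp-A00F19AFCBEC - c:\users\Rizzle\AppData\Local\Temp\_A00F19AFCBEC.exe
"""

# "R3 name;description;path [date size]"; "[x]" is taken to mean the file is absent (assumption).
SERVICE_RE = re.compile(r"^[RS]\d\s+([^;]+);[^;]*;(.+?)\s+\[([^\]]*)\]$")
KEY_RE = re.compile(r"^\[HKEY_[^\]]*\\Services\\([^\]\\]+)\]$")
IMAGEPATH_RE = re.compile(r'^"ImagePath"="(.*)"$')
STARTUP_RE = re.compile(r"^MSConfigStartUp-(.+?)\s+-\s+(.+)$")

VOWELS = set("aeiouAEIOU")


@dataclass
class Entry:
    source: str          # "service", "registry" or "startup"
    name: str
    path: str
    file_present: bool = True


@dataclass
class Finding:
    entry: Entry
    reasons: list[str]


def parse_log(text: str) -> list[Entry]:
    """Pull service, ImagePath and MSConfig startup entries out of the log text."""
    entries: list[Entry] = []
    current_key = None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if m := SERVICE_RE.match(line):
            name, path, stamp = m.groups()
            entries.append(Entry("service", name, path, file_present=stamp != "x"))
        elif m := KEY_RE.match(line):
            current_key = m.group(1)          # remember the key until its ImagePath shows up
        elif (m := IMAGEPATH_RE.match(line)) and current_key:
            entries.append(Entry("registry", current_key, m.group(1)))
            current_key = None
        elif m := STARTUP_RE.match(line):
            entries.append(Entry("startup", m.group(1), m.group(2)))
    return entries


def normalize_path(path: str) -> str:
    """Lower-case, drop the NT '\\??\\' prefix and any trailing command-line switches."""
    p = path.strip().lower()
    if p.startswith("\\??\\"):
        p = p[4:]
    return re.split(r"\s+[-/]", p, maxsplit=1)[0]


def looks_generated(name: str) -> bool:
    """Letters-only, mixed-case, vowel-poor names like WvMWWJbHA (thresholds are assumptions)."""
    if len(name) < 8 or not name.isalpha():
        return False
    case_changes = sum(a.isupper() != b.isupper() for a, b in zip(name, name[1:]))
    vowel_share = sum(c in VOWELS for c in name) / len(name)
    return case_changes >= 3 and vowel_share <= 0.3


def assess(entry: Entry) -> list[str]:
    """Return the reasons an entry deserves a closer look (empty list = nothing odd)."""
    reasons: list[str] = []
    p = normalize_path(entry.path)
    if p.startswith(("c:\\users\\", "c:\\documents and settings\\")):
        reasons.append("binary lives under a user profile")
    if "\\temp\\" in p:
        reasons.append("binary lives in a Temp folder")
    if not entry.file_present:
        reasons.append("service is registered but its file is missing")
    if looks_generated(entry.name):
        reasons.append("name looks machine-generated")
    return reasons


def find_suspicious(text: str) -> list[Finding]:
    findings: list[Finding] = []
    for entry in parse_log(text):
        reasons = assess(entry)
        if reasons:
            findings.append(Finding(entry, reasons))
    return findings


def suspicious_names(text: str) -> list[str]:
    return [f.entry.name for f in find_suspicious(text)]


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_LOG):
        print(f"{f.entry.source:8} {f.entry.name:14} {f.entry.path}")
        for r in f.reasons:
            print(f"           - {r}")
```

On the constructed sample the two Desktop\speedy drivers, the jDEBWdowLn registry service and the Temp-folder startup item are reported, while the Windows, Trend Micro and GameMon entries pass through untouched. A legitimate CamelCase name such as AtiHDAudioService has plenty of case changes but also plenty of vowels, which is why the vowel check sits alongside the case check.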
 

kevinf80

Kevin
Malware Specialist
Joined
Mar 21, 2006
Messages
11,467
Hiya rizzle425,

Proceed as follows please :-

Step 1

Run ESET Online Scan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the
    button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
  • Click on
    to download the ESET Smart Installer. Save it to your desktop.
  • Double click on the
    icon on your desktop.
  • Check
  • Click the
    button.
  • Accept any security warnings from your browser.
  • Check
  • Leave the tick out of remove found threats
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push
  • Push
    , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the
    button.
  • Push
You can refer to this animation by neomage if needed.
Frequently asked questions available Here Please read them before running the scan.

Also be aware this scan can take several hours to complete depending on the size of your system.

Step 2

Download OTL from any of the following links and save to your Desktop:

Link 1
Link 2
Link 3

  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • In the lower right corner, checkmark "LOP Check" and checkmark "Purity Check".
  • Under the Custom Scan box paste this in
    Code:
          netsvcs
          drivers32
          %SYSTEMDRIVE%\*.*
          %systemroot%\*. /mp /s
          CREATERESTOREPOINT
          %systemroot%\System32\config\*.sav
          HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows: OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them in your reply.

What I'd like in your reply :-

  • Log from ESET
  • OTL Txt
  • Extras Txt

Kevin
 

rizzle425

Thread Starter
Joined
Apr 8, 2007
Messages
36
I cannot get the ESET scan to work. I clicked the link you gave, accepted security warnings, downloaded and installed, then I accepted the terms of use and clicked start. That's as far as I could get. Every time I would accept terms of use and click start it would load the next page with the two tickboxes, but then it would bring up an error message every time stating that Internet Explorer stopped responding and Windows will notify me if a solution becomes available blah blah blah.

So I tried to start my PC in safe mode with networking; however, I cannot get it to run in safe mode either. When I accept terms of use and click start in safe mode it just takes me to the main Internet Explorer window and pops up a message near the ESET tab saying "This tab has been recovered. A problem with the web page has caused Internet Explorer to close and re-open this tab."

Any ideas how I can get it to work?
 

rizzle425

Thread Starter
Joined
Apr 8, 2007
Messages
36
I have double checked to make sure that all security is off, and it is still giving me the same problem. Maybe I'll try to run it in a different web browser than IE. I can't use Firefox because it crashes every minute, literally. So I will try downloading Safari and see if I can run it on there; I'll post again soon with my results on that.
 