iexplore.exe opening by itself


  • This topic is locked
53 replies to this topic

#1 ouroboros

ouroboros

  • Members
  • 31 posts

Posted 16 March 2009 - 03:28 PM

Hello,

First, let me say thanks in advance for any help that I might get.

Here's the problem... 2 days ago I started noticing that as I was using my computer I would start hearing what sounded like TV shows or random audio clips. Naturally I opened Process Explorer and noticed that there was an iexplore.exe on the list. I don't use Internet Explorer, so I was immediately suspicious. Sure enough, if I killed iexplore.exe... the strange audio would stop. For a little while anyway.

It would of course come back eventually... sometimes in 2 mins... sometimes in 2 hours. If I look at the properties of iexplore.exe in procexp I can see there is a command line entry telling it to go to some website. The website changes, but it's usually edotfind.com or filldotfind.com. If I try to bring iexplore.exe to the foreground it says there is no window. I also can not find a way to change the command line telling it to do that. The path is correct: c/program files/internet explorer/iexplore.exe. I even went so far as to rename iexplore.exe to iexplore.exeold... but a few mins after, the audio was back and there was a new iexplore.exe in the folder.

Anyway, here is my log... and thanks again for the help.


DDS (Ver_09-03-16.01) - NTFSx86
Run by b at 16:11:25.35 on Mon 03/16/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3071.2038 [GMT -4:00]

AV: ESET NOD32 antivirus system 0.0 *On-access scanning disabled* (Outdated)
FW: ZoneAlarm Pro Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Creative\Shared Files\CTAudSvc.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\NCH Swift Sound\BroadWave\broadwave.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\NCH Software\Components\mp3el\mp3enc.exe
C:\Program Files\NCH Software\Components\mp3el\mp3enc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Norton GoBack\GBPoll.exe
C:\WINDOWS\System32\gearsec.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\M-Audio\M-Audio Series II MIDI\MA_CMIDI_Inst.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Common Files\Stardock\SDMCP.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Common Files\Stardock\TrayServer.exe
C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\Program Files\TrojanHunter 5.0\THGuard.exe
C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe
C:\Program Files\Roxio\CinePlayer\DMXLauncher.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Gigabyte\ET5\GUI.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Ashampoo\Ashampoo UnInstaller Platinum 2\UIWatcher.exe
C:\Program Files\Stardock\Object Desktop\CursorXP.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\HDD Health\HDDHealth.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\MagicDisc\MagicDisc.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\DOCUME~1\b\LOCALS~1\Temp\{FC4BC2FE-F660-4480-88E3-2C670A4D9F96}\Combined II.exe
C:\Program Files\Winamp\Winamp.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
svchost.exe
C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\CPSHelpRunner10.exe
C:\WINDOWS\System32\CTPdeSrv.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Maxthon2\Maxthon.exe
C:\Documents and Settings\b\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: BitComet Helper: {39f7e362-828a-4b5a-bcaf-5b79bfdfea60} - c:\program files\bitcomet\tools\BitCometBHO_1.2.6.26.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: SACert Class: {740fe5fb-65f1-46c5-9e54-a19c8a8d7ac2} - c:\windows\system32\SoftAheadCert.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
TB: Translator: {ff284f5c-7cf9-4682-8701-d467c1dbb99f} - c:\program files\prmt7\prmtie\prmtie.dll
uRun: [Creative Detector] c:\program files\ashampoo\ashampoo uninstaller platinum 2\UIWatcher.exe
uRun: [CursorXP] c:\program files\stardock\object desktop\CursorXP.exe
uRun: [NVIDIA nTune] "c:\program files\nvidia corporation\ntune\nTuneCmd.exe" clear
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [EA Core] "c:\program files\electronic arts\eadm\Core.exe" -silent
uRun: [Orb] "c:\program files\orb networks\orb\bin\OrbTray.exe" /background
uRun: [On2Share] c:\program files\on2share\On2Share MediaServer.exe -no-notifywnd
uRun: [HDDHealth] c:\program files\hdd health\HDDHealth.exe -wl
uRunOnce: [Shockwave Updater] c:\windows\system32\adobe\shockw~1\SWHELP~1.EXE -Update -1103471 -"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; sv1; .NET CLR 2.0.50727; .NET CLR 1.1.4322; WWTClient2; .NET CLR 3.0.04506.30; MAXTHON 2.0)" -"http://www.adultswim.com/games/game/index.html?game=athf_strippoker"
mRun: [MULTIMEDIA KEYBOARD] "c:\progra~1\stardock\object~1\bootskin\BootSkin.exe" /StartupJobs
mRun: [WINDVDPatch] c:\program files\common files\stardock\TrayServer.exe
mRun: [BootSkin Startup Jobs] "c:\progra~1\stardock\object~1\bootskin\BootSkin.exe" /StartupJobs
mRun: [DiscWizardMonitor.exe] c:\program files\seagate\discwizard\DiscWizardMonitor.exe
mRun: [AcronisTimounterMonitor] c:\program files\acronis\trueimagehome\TimounterMonitor.exe
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [Zone Labs Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [CTHelper] CTHELPER.EXE
mRun: [VolPanel] "c:\program files\creative\sound blaster x-fi\volume panel\VolPanlu.exe" /r
mRun: [AudioDrvEmulator] "c:\program files\creative\shared files\module loader\dllml.exe" -1 audiodrvemulator "c:\program files\creative\shared files\module loader\audio emulator\AudDrvEm.dll"
mRun: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [THGuard] "c:\program files\trojanhunter 5.0\THGuard.exe"
mRun: [EasyTuneV] c:\program files\gigabyte\et5\ETcall.exe
mRun: [amd_dc_opt] c:\program files\amd\dual-core optimizer\amd_dc_opt.exe
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\10.0\sharedcom\RoxWatchTray10.exe"
mRun: [DMXLauncher] "c:\program files\roxio\cineplayer\DMXLauncher.exe"
mRun: [LogitechCommunicationsManager] "c:\program files\common files\logishrd\lcommgr\Communications_Helper.exe"
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\quickcam\Quickcam.exe" /hide
mRun: [CTxfiHlp] CTXFIHLP.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
mRun: [BroadWave] "c:\program files\nch swift sound\broadwave\broadwave.exe" -logon
mRunOnce: [NSSInstallation] c:\windows\system32\adobe\shockwave 11\nssstub.exe /RunOnce
StartupFolder: c:\docume~1\b\startm~1\programs\startup\combin~1.lnk - c:\downloads\Combined II.exe
StartupFolder: c:\docume~1\b\startm~1\programs\startup\magicd~1.lnk - c:\program files\magicdisc\MagicDisc.exe
StartupFolder: c:\documents and settings\b\start menu\programs\startup\Product Registration.lnk.disabled
StartupFolder: c:\docume~1\b\startm~1\programs\startup\stardo~1.lnk - c:\program files\stardock\objectdock\ObjectDock.exe
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\Adobe Reader Speed Launch.lnk.disabled
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\Bluetooth.lnk.disabled
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\DualCoreCenter.lnk.disabled
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\Loadout Manager.lnk.disabled
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\Norton GoBack.lnk.disabled
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\Run BBDTMngr.exe.lnk.disabled
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\Virtual Desk.lnk.disabled
uPolicies-system: RunStartupScriptSync = 1 (0x1)
mPolicies-explorer: <NO NAME> =
mPolicies-system: RunStartupScriptSync = 1 (0x1)
IE: &D&ownload &with BitComet - c:\program files\bitcomet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\bitcomet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\bitcomet\BitComet.exe/AddAllLink.htm
IE: &Yahoo! Search - file:///c:\program files\yahoo!\Common/ycsrch.htm
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Yahoo! &Dictionary - file:///c:\program files\yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\yahoo!\Common/ycsms.htm
IE: {7A2EFD41-E6B3-11D2-89E3-00E0292EE574} - c:\program files\prmt7\prmtie\prmtie5.htm
IE: {7A2EFD41-E6B3-11D2-89E3-00E0292EE575} - c:\program files\prmt7\prmtie\options.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://c:\program files\bitcomet\tools\BitCometBHO_1.2.6.26.dll/206
IE: {d9288080-1baa-4bc4-9cf8-a92d743db949}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
LSP: c:\windows\system32\imon.dll
Trusted Zone: adobe.com\www
Trusted Zone: askaninja.com
Trusted Zone: com.tw\asia.msi
Trusted Zone: com.tw\global.msi
Trusted Zone: com.tw\www.msi
Trusted Zone: ebaumsworld.com
Trusted Zone: etherlords.com\www
Trusted Zone: gamespyarcade.com\www
Trusted Zone: get-hed.com\www
Trusted Zone: hotmail.com
Trusted Zone: mets.com
Trusted Zone: microsoft.com\update
Trusted Zone: microsoft.com\v4.windowsupdate
Trusted Zone: mixman.com\www
Trusted Zone: mlb.com
Trusted Zone: myspace.com
Trusted Zone: sierra.com\www
Trusted Zone: tribesvengeance.com\www
Trusted Zone: void(playMedia2({w_id:'498659',w:'/2006/open/tp/archive05/053106
Trusted Zone: yahoo.com\www
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=58813
DPF: {0D6709DD-4ED8-40CA-B459-2757AEEF7BEE} - hxxp://download.gigabyte.com.tw/object/Dldrv.ocx
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - hxxp://download.ewido.net/ewidoOnlineScan.cab
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} - hxxp://www.systemrequirementslab.com/srl_bin/sysreqlab_srl.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {33564D57-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/D/0/D/D0DD87DA-994F-4334-8B55-AF2E4D98ED0C/wmv9dmo.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://by113w.bay113.mail.live.com/mail/resources/MsnPUpld.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1205686701859
DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} - hxxp://www.systemrequirementslab.com/sysreqlab2.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1205686665656
DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} - hxxp://liveupdate.msi.com.tw/autobios/LOnline/install.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_07-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38904.4747106481
DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - hxxp://www.crucial.com/controls/cpcScanner.cab
DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} - hxxp://www.superadblocker.com/activex/sabspx.cab
DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} - hxxp://www.systemrequirementslab.com/sysreqlab.cab
DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_03-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_07-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: MCPClient - c:\program files\common files\stardock\mcpstub.dll
Notify: WBSrv - c:\progra~1\alieng~1\wbsrv.dll
SSODL: 0aMCPClient - {F5DF91F9-15E9-416B-A7C3-7519B11ECBFC} - c:\progra~1\common~1\stardock\MCPCore.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
STS: IPC Configuration Utility - No File
SEH: CShellExecuteHookImpl Object: {57b86673-276a-48b2-bae7-c6dbb3020eb8} - c:\program files\ewido anti-spyware 4.0\shellexecutehook.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
SEH: Eudora's Shell Extension: {edb0e980-90bd-11d4-8599-0008c7d3b6f8} - c:\program files\qualcomm\eudora\EuShlExt.dll
LSA: Authentication Packages = msv1_0 relog_ap

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\b\applic~1\mozilla\firefox\profiles\qhv39rpk.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - about:blank
FF - plugin: c:\progra~1\yahoo!\common\npyaxmpb.dll
FF - plugin: c:\program files\ace mega codecs pack\systems\realmedia\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\ace mega codecs pack\systems\realmedia\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\java\jre1.5.0_07\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_07\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_07\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_07\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_07\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_07\bin\NPJPI150_07.dll
FF - plugin: c:\program files\java\jre1.5.0_07\bin\NPOJI610.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R1 BIOS;BIOS;c:\windows\system32\drivers\BIOS.sys [2005-12-21 13696]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2008-2-20 33800]
R1 ewido anti-spyware 4.0 driver;ewido anti-spyware 4.0 driver;c:\program files\ewido anti-spyware 4.0\guard.sys [2006-6-16 3968]
R1 msikbd2k;Multimedia Keyboard Filter Driver;c:\windows\system32\drivers\Msikbd2k.sys [2006-9-4 6656]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2008-2-1 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-2-1 51440]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2005-12-21 372824]
R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-7-7 611664]
R2 BroadWaveService;BroadWave;c:\program files\nch swift sound\broadwave\broadwave.exe [2009-3-12 499716]
R2 ekrn;Eset Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2008-2-20 472320]
R2 ewido anti-spyware 4.0 guard;ewido anti-spyware 4.0 guard;c:\program files\ewido anti-spyware 4.0\guard.exe [2006-6-16 172032]
R2 gearsec;gearsec;c:\windows\system32\gearsec.exe [2003-12-1 53248]
R2 nhksrv;Netropa NHK Server;c:\program files\netropa\multimedia keyboard\nhksrv.exe [2006-9-4 28672]
R2 NOD32krn;NOD32 Kernel Service;c:\program files\eset\nod32krn.exe [2007-8-6 552064]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R3 AmdTools;AMD Special Tools Driver;c:\windows\system32\drivers\AmdTools.sys [2008-2-21 33792]
R3 CT20XUT.SYS;CT20XUT.SYS;c:\windows\system32\drivers\CT20XUT.sys [2008-8-27 171032]
R3 CTEXFIFX.SYS;CTEXFIFX.SYS;c:\windows\system32\drivers\CTEXFIFX.sys [2008-8-27 1324056]
R3 CTHWIUT.SYS;CTHWIUT.SYS;c:\windows\system32\drivers\CTHWIUT.sys [2008-8-27 72728]
R3 MarkFun_NT;MarkFun_NT;c:\program files\gigabyte\et5\MARKFUN.W32 [2008-2-24 19776]
R3 StreamSurge;StreamSurge Driver (miniport);c:\windows\system32\drivers\ss.sys [2006-6-14 19968]
S0 BootScreen;BootScreen;\SystemRoot\\SystemRoot\System32\drivers\vidstub.sys --> \SystemRoot\\SystemRoot\System32\drivers\vidstub.sys [?]
S0 shdbus;shdbus; [x]
S0 Shield;Shield; [x]
S0 Shieldf;Shieldf; [x]
S0 shieldm;shieldm; [x]
S1 cloverm;cloverm;c:\windows\system32\drivers\cloverm.sys --> c:\windows\system32\drivers\cloverm.sys [?]
S1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys --> c:\windows\system32\drivers\nod32drv.sys [?]
S2 CachemanXPService;CachemanXP;c:\progra~1\cachem~1\CachemanXP.exe [2007-11-28 245248]
S2 Roxio Upnp Server 10;Roxio Upnp Server 10;c:\program files\roxio\digital home 10\RoxioUpnpService10.exe [2007-8-24 362992]
S2 RoxLiveShare10;LiveShare P2P Server 10;c:\program files\common files\roxio shared\10.0\sharedcom\RoxLiveShare10.exe [2007-8-24 309744]
S2 RoxWatch10;Roxio Hard Drive Watcher 10;c:\program files\common files\roxio shared\10.0\sharedcom\RoxWatch10.exe [2007-8-24 166384]
S2 SessionLauncher;SessionLauncher;c:\docume~1\b\locals~1\temp\dx9\sessionlauncher.exe --> c:\docume~1\b\locals~1\temp\dx9\SessionLauncher.exe [?]
S3 Amps2prt;A4Tech PS/2 Port Mouse Driver;c:\windows\system32\drivers\Amps2prt.sys [2007-12-26 9600]
S3 bcgame;Nostromo HID Device Minidriver;c:\windows\system32\drivers\bcgame.sys [2003-7-24 22821]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\common files\creative labs shared\service\CTAELicensing.exe [2008-12-26 79360]
S3 CT20XUT;CT20XUT;c:\windows\system32\drivers\CT20XUT.sys [2008-8-27 171032]
S3 CTEXFIFX;CTEXFIFX;c:\windows\system32\drivers\CTEXFIFX.sys [2008-8-27 1324056]
S3 CTHWIUT;CTHWIUT;c:\windows\system32\drivers\CTHWIUT.sys [2008-8-27 72728]
S3 DigiCellDriver;DigiCellDriver;c:\program files\msi\dualcorecenter\NTGLM7X.sys [2008-2-4 27648]
S3 hamachi_oem;PlayLinc Adapter;c:\windows\system32\drivers\gan_adapter.sys [2006-8-29 10664]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\1204.tmp --> c:\windows\system32\1204.tmp [?]
S3 QCEmerald;Logitech QuickCam Web;c:\windows\system32\drivers\OVCE.sys [2006-4-3 31872]
S3 Roxio UPnP Renderer 10;Roxio UPnP Renderer 10;c:\program files\roxio\digital home 10\RoxioUPnPRenderer10.exe [2007-8-24 72176]
S3 RoxMediaDB10;RoxMediaDB10;c:\program files\common files\roxio shared\10.0\sharedcom\RoxMediaDB10.exe [2007-8-24 1083888]
S3 RushTopDevice2;RushTopDevice2;c:\program files\msi\dualcorecenter\RushTop.sys [2008-2-4 39424]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2006-2-16 4096]

============== File Associations ===============

JSEFile=NOTEPAD.EXE %1
VBEFile=NOTEPAD.EXE %1

=============== Created Last 30 ================

2009-03-12 15:54 <DIR> --d----- c:\program files\NCH Swift Sound
2009-03-12 15:53 <DIR> --d----- c:\program files\NCH Software
2009-03-12 15:53 <DIR> --d----- c:\docume~1\b\applic~1\NCH Software
2009-02-25 23:01 <DIR> --d----- c:\program files\HDD Health
2009-02-25 19:40 211,189 a------- c:\windows\system32\nvapps.nvb
2009-02-21 13:13 <DIR> --d----- c:\program files\Singular Inversions
2009-02-20 13:49 <DIR> --d----- c:\program files\Oblivion Face Exchange Lite
2009-02-19 20:18 <DIR> --d----- c:\program files\Windows Media Connect 2
2009-02-19 02:58 <DIR> --d----- c:\program files\WBGames
2009-02-18 14:51 <DIR> --d----- c:\program files\MediaSystem
2009-02-18 12:31 453,152 a------- c:\windows\system32\nvudisp.exe
2009-02-18 12:31 205,204 a------- c:\windows\system32\nvapps.xml
2009-02-18 12:31 18,795 a------- c:\windows\system32\nvdisp.nvu
2009-02-18 12:31 <DIR> --d----- c:\windows\nview
2009-02-18 12:30 453,152 a------- c:\windows\system32\NVUNINST.EXE
2009-02-18 10:19 138,464 a------- c:\windows\system32\drivers\PnkBstrK.sys
2009-02-18 10:19 22,328 a------- c:\docume~1\b\applic~1\PnkBstrK.sys
2009-02-18 10:16 111,928 a------- c:\windows\system32\PnkBstrB.exe
2009-02-18 10:16 682,280 a------- c:\windows\system32\pbsvc.exe
2009-02-18 10:16 66,872 a------- c:\windows\system32\PnkBstrA.exe
2009-02-18 10:16 <DIR> --d----- c:\windows\system32\LogFiles
2009-02-17 01:20 109 a--sh--- c:\windows\system32\3633491944.dat
2009-02-14 19:55 <DIR> --d----- c:\windows\ERUNT
2009-02-14 19:47 <DIR> --d----- C:\SDFix

==================== Find3M ====================

2009-03-15 23:38 0 a------- c:\windows\system32\drivers\lvuvc.hs
2009-03-15 23:38 0 a------- c:\windows\system32\drivers\logiflt.iad
2009-02-25 19:36 4,212 ----h--- c:\windows\system32\zllictbl.dat
2009-01-16 19:24 70,936 a------- c:\windows\system32\PhysXLoader.dll
2008-12-29 21:57 737,280 a------- c:\windows\iun6002.exe
2008-12-26 22:07 444,952 a------- c:\windows\system32\wrap_oal.dll
2008-12-26 22:07 109,080 a------- c:\windows\system32\OpenAL32.dll
2008-02-15 18:19 364,887 a------- c:\documents and settings\b\Silent Runners.vbs
2007-03-24 17:43 32 a----r-- c:\documents and settings\all users\hash.dat
2006-06-29 15:28 461 ac------ c:\program files\INSTALL.LOG

============= FINISH: 16:12:24.42 ===============
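As an added example (not from this thread, and not part of the DDS tool), here is a small Python triage script for a DDS log like the one above. It parses the Running Processes and SERVICES / DRIVERS sections and flags the entries a log helper would check first: services or drivers whose image file is missing (`[x]`) or could not be verified (`[?]`), and anything running from a Temp folder or a .tmp file. The flagging rules are my own heuristic; the sample log is an excerpt of the lines posted above.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# One DDS "SERVICES / DRIVERS" line looks like
#   <state> <name>;<display name>;<image path> [<date> <size>]
# DDS prints "[x]" instead of date/size when the image file is missing and
# "[?]" when it could not verify the file; "<ImagePath> --> <resolved>" shows
# the raw registry value next to the path DDS resolved it to.
SERVICE_RE = re.compile(r"^(?P<state>[RS]\d)\s+(?P<name>[^;]*);(?P<display>[^;]*);(?P<rest>.*)$")
TRAILER_RE = re.compile(r"\s*\[(?P<trailer>[^\]]*)\]\s*$")
SECTION_RE = re.compile(r"^=+\s*(?P<title>[^=]+?)\s*=+$")
# Temp folders (long or 8.3 form) and .tmp images: legitimate services and
# drivers essentially never live there. Heuristic chosen for this example.
TEMP_RE = re.compile(r"(\\temp\\|\.tmp$)", re.IGNORECASE)


@dataclass
class Finding:
    section: str
    name: str
    path: str
    reasons: List[str] = field(default_factory=list)


def split_sections(log_text: str) -> Dict[str, List[str]]:
    """Group the non-empty lines of a DDS log under their '==== Title ====' header."""
    sections: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for line in log_text.splitlines():
        m = SECTION_RE.match(line.strip())
        if m:
            current = m.group("title")
            sections[current] = []
        elif current is not None and line.strip():
            sections[current].append(line.rstrip())
    return sections


def parse_service_line(line: str) -> Optional[dict]:
    """Split one SERVICES / DRIVERS line into its fields; None if the line is not one."""
    m = SERVICE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    t = TRAILER_RE.search(rest)
    trailer = t.group("trailer") if t else ""
    path_part = rest[: t.start()] if t else rest
    # Keep the path DDS resolved, which is the part after "-->" when present.
    path = path_part.split("-->")[-1].strip()
    return {"state": m.group("state"), "name": m.group("name"),
            "display": m.group("display"), "path": path, "trailer": trailer}


def service_reasons(entry: dict) -> List[str]:
    """Why a parsed service/driver entry deserves a closer look (empty if it does not)."""
    reasons: List[str] = []
    if entry["trailer"] == "x":
        reasons.append("image file missing ([x])")
    elif entry["trailer"] == "?":
        reasons.append("image could not be verified ([?])")
    if TEMP_RE.search(entry["path"]):
        reasons.append("image is in a Temp folder or is a .tmp file")
    return reasons


def triage(log_text: str) -> List[Finding]:
    """Return the process and service entries a log helper would check first."""
    findings: List[Finding] = []
    sections = split_sections(log_text)
    for line in sections.get("Running Processes", []):
        if TEMP_RE.search(line):
            findings.append(Finding("Running Processes", line.rsplit("\\", 1)[-1],
                                    line, ["process image is in a Temp folder"]))
    for line in sections.get("SERVICES / DRIVERS", []):
        entry = parse_service_line(line)
        if entry is None:
            continue
        reasons = service_reasons(entry)
        if reasons:
            findings.append(Finding("SERVICES / DRIVERS", entry["name"], entry["path"], reasons))
    return findings


# Excerpt of the log posted above (a handful of lines from each section).
SAMPLE_LOG = r"""
DDS (Ver_09-03-16.01) - NTFSx86
============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\DOCUME~1\b\LOCALS~1\Temp\{FC4BC2FE-F660-4480-88E3-2C670A4D9F96}\Combined II.exe
C:\Program Files\Maxthon2\Maxthon.exe

============= SERVICES / DRIVERS ===============

R1 BIOS;BIOS;c:\windows\system32\drivers\BIOS.sys [2005-12-21 13696]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
S0 shdbus;shdbus; [x]
S2 SessionLauncher;SessionLauncher;c:\docume~1\b\locals~1\temp\dx9\sessionlauncher.exe --> c:\docume~1\b\locals~1\temp\dx9\SessionLauncher.exe [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\1204.tmp --> c:\windows\system32\1204.tmp [?]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2006-2-16 4096]

============= FINISH: 16:12:24.42 ===============
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.name}: {'; '.join(f.reasons)}")
```

A `[?]` or Temp hit is a prompt to look closer, not a verdict; the ZoneAlarm vsmon entry is flagged here only because DDS could not verify its image.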

#2 KoanYorel

KoanYorel

    Bleepin' Conundrum


  • Staff Emeritus
  • 19,461 posts
  • Gender:Male
  • Location:65 miles due East of the "Logic Free Zone", in Md, USA

Posted 28 March 2009 - 12:45 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following steps so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

R,
K
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)

#3 ouroboros

ouroboros
  • Topic Starter

  • Members
  • 31 posts

Posted 28 March 2009 - 10:25 PM

Thanks.

The problem is getting much, much worse: multiple iexplore.exe instances are showing up now... and I'm getting frequent crashes.


Here is a new log:



DDS (Ver_09-03-16.01) - NTFSx86
Run by b at 23:19:21.21 on Sat 03/28/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3071.2186 [GMT -4:00]

AV: ESET NOD32 Antivirus 3.0 *On-access scanning disabled* (Updated)
FW: ZoneAlarm Pro Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Creative\Shared Files\CTAudSvc.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\NCH Swift Sound\BroadWave\broadwave.exe
C:\PROGRA~1\CACHEM~1\CachemanXP.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\NCH Software\Components\mp3el\mp3enc.exe
C:\Program Files\NCH Software\Components\mp3el\mp3enc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Norton GoBack\GBPoll.exe
C:\WINDOWS\System32\gearsec.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\M-Audio\M-Audio Series II MIDI\MA_CMIDI_Inst.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Stardock\SDMCP.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\Iexplore.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Common Files\Stardock\TrayServer.exe
C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\Program Files\TrojanHunter 5.0\THGuard.exe
C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe
C:\Program Files\Roxio\CinePlayer\DMXLauncher.exe
C:\Program Files\Gigabyte\ET5\GUI.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\NCH Swift Sound\BroadWave\broadwave.exe
C:\Program Files\Ashampoo\Ashampoo UnInstaller Platinum 2\UIWatcher.exe
C:\Program Files\Stardock\Object Desktop\CursorXP.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Orb Networks\Orb\bin\OrbTray.exe
C:\Program Files\HDD Health\HDDHealth.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\Program Files\MagicDisc\MagicDisc.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
svchost.exe
C:\DOCUME~1\b\LOCALS~1\Temp\{FC4BC2FE-F660-4480-88E3-2C670A4D9F96}\Combined II.exe
C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\CPSHelpRunner10.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Maxthon2\Maxthon.exe
C:\Documents and Settings\b\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: BitComet Helper: {39f7e362-828a-4b5a-bcaf-5b79bfdfea60} - c:\program files\bitcomet\tools\BitCometBHO_1.2.6.26.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: SACert Class: {740fe5fb-65f1-46c5-9e54-a19c8a8d7ac2} - c:\windows\system32\SoftAheadCert.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
TB: Translator: {ff284f5c-7cf9-4682-8701-d467c1dbb99f} - c:\program files\prmt7\prmtie\prmtie.dll
uRun: [Creative Detector] c:\program files\ashampoo\ashampoo uninstaller platinum 2\UIWatcher.exe
uRun: [CursorXP] c:\program files\stardock\object desktop\CursorXP.exe
uRun: [NVIDIA nTune] "c:\program files\nvidia corporation\ntune\nTuneCmd.exe" clear
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [EA Core] "c:\program files\electronic arts\eadm\Core.exe" -silent
uRun: [Orb] "c:\program files\orb networks\orb\bin\OrbTray.exe" /background
uRun: [On2Share] c:\program files\on2share\On2Share MediaServer.exe -no-notifywnd
uRun: [HDDHealth] c:\program files\hdd health\HDDHealth.exe -wl
uRunOnce: [Shockwave Updater] c:\windows\system32\adobe\shockw~1\SWHELP~1.EXE -Update -1103471 -"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; sv1; .NET CLR 2.0.50727; .NET CLR 1.1.4322; WWTClient2; .NET CLR 3.0.04506.30; MAXTHON 2.0)" -"http://www.adultswim.com/games/game/index.html?game=athf_strippoker"
mRun: [MULTIMEDIA KEYBOARD] "c:\progra~1\stardock\object~1\bootskin\BootSkin.exe" /StartupJobs
mRun: [WINDVDPatch] c:\program files\common files\stardock\TrayServer.exe
mRun: [BootSkin Startup Jobs] "c:\progra~1\stardock\object~1\bootskin\BootSkin.exe" /StartupJobs
mRun: [DiscWizardMonitor.exe] c:\program files\seagate\discwizard\DiscWizardMonitor.exe
mRun: [AcronisTimounterMonitor] c:\program files\acronis\trueimagehome\TimounterMonitor.exe
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [Zone Labs Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [CTHelper] CTHELPER.EXE
mRun: [VolPanel] "c:\program files\creative\sound blaster x-fi\volume panel\VolPanlu.exe" /r
mRun: [AudioDrvEmulator] "c:\program files\creative\shared files\module loader\dllml.exe" -1 audiodrvemulator "c:\program files\creative\shared files\module loader\audio emulator\AudDrvEm.dll"
mRun: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [THGuard] "c:\program files\trojanhunter 5.0\THGuard.exe"
mRun: [EasyTuneV] c:\program files\gigabyte\et5\ETcall.exe
mRun: [amd_dc_opt] c:\program files\amd\dual-core optimizer\amd_dc_opt.exe
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\10.0\sharedcom\RoxWatchTray10.exe"
mRun: [DMXLauncher] "c:\program files\roxio\cineplayer\DMXLauncher.exe"
mRun: [LogitechCommunicationsManager] "c:\program files\common files\logishrd\lcommgr\Communications_Helper.exe"
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\quickcam\Quickcam.exe" /hide
mRun: [CTxfiHlp] CTXFIHLP.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
mRun: [BroadWave] "c:\program files\nch swift sound\broadwave\broadwave.exe" -logon
mRunOnce: [NSSInstallation] c:\windows\system32\adobe\shockwave 11\nssstub.exe /RunOnce
StartupFolder: c:\docume~1\b\startm~1\programs\startup\combin~1.lnk - c:\downloads\Combined II.exe
StartupFolder: c:\docume~1\b\startm~1\programs\startup\magicd~1.lnk - c:\program files\magicdisc\MagicDisc.exe
StartupFolder: c:\documents and settings\b\start menu\programs\startup\Product Registration.lnk.disabled
StartupFolder: c:\docume~1\b\startm~1\programs\startup\stardo~1.lnk - c:\program files\stardock\objectdock\ObjectDock.exe
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\Adobe Reader Speed Launch.lnk.disabled
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\Bluetooth.lnk.disabled
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\DualCoreCenter.lnk.disabled
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\Loadout Manager.lnk.disabled
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\Norton GoBack.lnk.disabled
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\Run BBDTMngr.exe.lnk.disabled
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\Virtual Desk.lnk.disabled
uPolicies-system: RunStartupScriptSync = 1 (0x1)
mPolicies-explorer: <NO NAME> =
mPolicies-system: RunStartupScriptSync = 1 (0x1)
IE: &D&ownload &with BitComet - c:\program files\bitcomet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\bitcomet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\bitcomet\BitComet.exe/AddAllLink.htm
IE: &Yahoo! Search - file:///c:\program files\yahoo!\Common/ycsrch.htm
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Yahoo! &Dictionary - file:///c:\program files\yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\yahoo!\Common/ycsms.htm
IE: {7A2EFD41-E6B3-11D2-89E3-00E0292EE574} - c:\program files\prmt7\prmtie\prmtie5.htm
IE: {7A2EFD41-E6B3-11D2-89E3-00E0292EE575} - c:\program files\prmt7\prmtie\options.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://c:\program files\bitcomet\tools\BitCometBHO_1.2.6.26.dll/206
IE: {d9288080-1baa-4bc4-9cf8-a92d743db949}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
LSP: c:\windows\system32\imon.dll
Trusted Zone: adobe.com\www
Trusted Zone: askaninja.com
Trusted Zone: com.tw\asia.msi
Trusted Zone: com.tw\global.msi
Trusted Zone: com.tw\www.msi
Trusted Zone: ebaumsworld.com
Trusted Zone: etherlords.com\www
Trusted Zone: gamespyarcade.com\www
Trusted Zone: get-hed.com\www
Trusted Zone: hotmail.com
Trusted Zone: mets.com
Trusted Zone: microsoft.com\update
Trusted Zone: microsoft.com\v4.windowsupdate
Trusted Zone: mixman.com\www
Trusted Zone: mlb.com
Trusted Zone: myspace.com
Trusted Zone: sierra.com\www
Trusted Zone: tribesvengeance.com\www
Trusted Zone: void(playMedia2({w_id:'498659',w:'/2006/open/tp/archive05/053106
Trusted Zone: yahoo.com\www
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=58813
DPF: {0D6709DD-4ED8-40CA-B459-2757AEEF7BEE} - hxxp://download.gigabyte.com.tw/object/Dldrv.ocx
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - hxxp://download.ewido.net/ewidoOnlineScan.cab
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} - hxxp://www.systemrequirementslab.com/srl_bin/sysreqlab_srl.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {33564D57-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/D/0/D/D0DD87DA-994F-4334-8B55-AF2E4D98ED0C/wmv9dmo.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://by113w.bay113.mail.live.com/mail/resources/MsnPUpld.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1205686701859
DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} - hxxp://www.systemrequirementslab.com/sysreqlab2.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1205686665656
DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} - hxxp://liveupdate.msi.com.tw/autobios/LOnline/install.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_07-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38904.4747106481
DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - hxxp://www.crucial.com/controls/cpcScanner.cab
DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} - hxxp://www.superadblocker.com/activex/sabspx.cab
DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} - hxxp://www.systemrequirementslab.com/sysreqlab.cab
DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_03-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_07-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: MCPClient - c:\program files\common files\stardock\mcpstub.dll
Notify: WBSrv - c:\progra~1\alieng~1\wbsrv.dll
SSODL: 0aMCPClient - {F5DF91F9-15E9-416B-A7C3-7519B11ECBFC} - c:\progra~1\common~1\stardock\MCPCore.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
STS: IPC Configuration Utility - No File
SEH: CShellExecuteHookImpl Object: {57b86673-276a-48b2-bae7-c6dbb3020eb8} - c:\program files\ewido anti-spyware 4.0\shellexecutehook.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
SEH: Eudora's Shell Extension: {edb0e980-90bd-11d4-8599-0008c7d3b6f8} - c:\program files\qualcomm\eudora\EuShlExt.dll
LSA: Authentication Packages = msv1_0 relog_ap

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\b\applic~1\mozilla\firefox\profiles\qhv39rpk.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - about:blank
FF - plugin: c:\progra~1\yahoo!\common\npyaxmpb.dll
FF - plugin: c:\program files\ace mega codecs pack\systems\realmedia\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\ace mega codecs pack\systems\realmedia\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\java\jre1.5.0_07\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_07\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_07\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_07\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_07\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_07\bin\NPJPI150_07.dll
FF - plugin: c:\program files\java\jre1.5.0_07\bin\NPOJI610.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R1 BIOS;BIOS;c:\windows\system32\drivers\BIOS.sys [2005-12-21 13696]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2008-2-20 33800]
R1 ewido anti-spyware 4.0 driver;ewido anti-spyware 4.0 driver;c:\program files\ewido anti-spyware 4.0\guard.sys [2006-6-16 3968]
R1 msikbd2k;Multimedia Keyboard Filter Driver;c:\windows\system32\drivers\Msikbd2k.sys [2006-9-4 6656]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2008-2-1 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-2-1 51440]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2005-12-21 372824]
R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-7-7 611664]
R2 BroadWaveService;BroadWave;c:\program files\nch swift sound\broadwave\broadwave.exe [2009-3-12 499716]
R2 CachemanXPService;CachemanXP;c:\progra~1\cachem~1\CachemanXP.exe [2007-11-28 245248]
R2 ekrn;Eset Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2008-2-20 472320]
R2 ewido anti-spyware 4.0 guard;ewido anti-spyware 4.0 guard;c:\program files\ewido anti-spyware 4.0\guard.exe [2006-6-16 172032]
R2 gearsec;gearsec;c:\windows\system32\gearsec.exe [2003-12-1 53248]
R2 nhksrv;Netropa NHK Server;c:\program files\netropa\multimedia keyboard\nhksrv.exe [2006-9-4 28672]
R2 NOD32krn;NOD32 Kernel Service;c:\program files\eset\nod32krn.exe [2007-8-6 552064]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R3 AmdTools;AMD Special Tools Driver;c:\windows\system32\drivers\AmdTools.sys [2008-2-21 33792]
R3 CT20XUT.SYS;CT20XUT.SYS;c:\windows\system32\drivers\CT20XUT.sys [2008-8-27 171032]
R3 CTEXFIFX.SYS;CTEXFIFX.SYS;c:\windows\system32\drivers\CTEXFIFX.sys [2008-8-27 1324056]
R3 CTHWIUT.SYS;CTHWIUT.SYS;c:\windows\system32\drivers\CTHWIUT.sys [2008-8-27 72728]
R3 MarkFun_NT;MarkFun_NT;c:\program files\gigabyte\et5\MARKFUN.W32 [2008-2-24 19776]
R3 StreamSurge;StreamSurge Driver (miniport);c:\windows\system32\drivers\ss.sys [2006-6-14 19968]
S0 BootScreen;BootScreen;\SystemRoot\\SystemRoot\System32\drivers\vidstub.sys --> \SystemRoot\\SystemRoot\System32\drivers\vidstub.sys [?]
S0 shdbus;shdbus; [x]
S0 Shield;Shield; [x]
S0 Shieldf;Shieldf; [x]
S0 shieldm;shieldm; [x]
S1 cloverm;cloverm;c:\windows\system32\drivers\cloverm.sys --> c:\windows\system32\drivers\cloverm.sys [?]
S1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys --> c:\windows\system32\drivers\nod32drv.sys [?]
S2 .EsetTrialReset;Eset Trial Reset;c:\windows\system32\regedt32.exe [2001-8-23 3584]
S2 Roxio Upnp Server 10;Roxio Upnp Server 10;c:\program files\roxio\digital home 10\RoxioUpnpService10.exe [2007-8-24 362992]
S2 RoxLiveShare10;LiveShare P2P Server 10;c:\program files\common files\roxio shared\10.0\sharedcom\RoxLiveShare10.exe [2007-8-24 309744]
S2 RoxWatch10;Roxio Hard Drive Watcher 10;c:\program files\common files\roxio shared\10.0\sharedcom\RoxWatch10.exe [2007-8-24 166384]
S2 SessionLauncher;SessionLauncher;c:\docume~1\b\locals~1\temp\dx9\sessionlauncher.exe --> c:\docume~1\b\locals~1\temp\dx9\SessionLauncher.exe [?]
S3 Amps2prt;A4Tech PS/2 Port Mouse Driver;c:\windows\system32\drivers\Amps2prt.sys [2007-12-26 9600]
S3 bcgame;Nostromo HID Device Minidriver;c:\windows\system32\drivers\bcgame.sys [2003-7-24 22821]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\common files\creative labs shared\service\CTAELicensing.exe [2008-12-26 79360]
S3 CT20XUT;CT20XUT;c:\windows\system32\drivers\CT20XUT.sys [2008-8-27 171032]
S3 CTEXFIFX;CTEXFIFX;c:\windows\system32\drivers\CTEXFIFX.sys [2008-8-27 1324056]
S3 CTHWIUT;CTHWIUT;c:\windows\system32\drivers\CTHWIUT.sys [2008-8-27 72728]
S3 DigiCellDriver;DigiCellDriver;c:\program files\msi\dualcorecenter\NTGLM7X.sys [2008-2-4 27648]
S3 hamachi_oem;PlayLinc Adapter;c:\windows\system32\drivers\gan_adapter.sys [2006-8-29 10664]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\1204.tmp --> c:\windows\system32\1204.tmp [?]
S3 QCEmerald;Logitech QuickCam Web;c:\windows\system32\drivers\OVCE.sys [2006-4-3 31872]
S3 Roxio UPnP Renderer 10;Roxio UPnP Renderer 10;c:\program files\roxio\digital home 10\RoxioUPnPRenderer10.exe [2007-8-24 72176]
S3 RoxMediaDB10;RoxMediaDB10;c:\program files\common files\roxio shared\10.0\sharedcom\RoxMediaDB10.exe [2007-8-24 1083888]
S3 RushTopDevice2;RushTopDevice2;c:\program files\msi\dualcorecenter\RushTop.sys [2008-2-4 39424]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2006-2-16 4096]

============== File Associations ===============

JSEFile=NOTEPAD.EXE %1
VBEFile=NOTEPAD.EXE %1

=============== Created Last 30 ================

2009-03-26 20:44 <DIR> --d----- c:\program files\Susteen
2009-03-24 15:48 <DIR> --d----- c:\program files\Microsoft ActiveSync
2009-03-23 18:00 30,592 ac------ c:\windows\system32\dllcache\SET32CB.tmp
2009-03-23 18:00 30,592 ac------ c:\windows\system32\dllcache\SET32CA.tmp
2009-03-23 18:00 12,800 ac------ c:\windows\system32\dllcache\SET32C9.tmp
2009-03-23 18:00 12,800 ac------ c:\windows\system32\dllcache\SET32C8.tmp
2009-03-20 22:09 107,832 a------- c:\docume~1\b\applic~1\PnkBstrB.exe
2009-03-13 10:06 357,101 a------- c:\windows\reset.exe
2009-03-12 15:54 <DIR> --d----- c:\program files\NCH Swift Sound
2009-03-12 15:53 <DIR> --d----- c:\program files\NCH Software
2009-03-12 15:53 <DIR> --d----- c:\docume~1\b\applic~1\NCH Software

==================== Find3M ====================

2009-03-28 23:08 0 a------- c:\windows\system32\drivers\lvuvc.hs
2009-03-28 23:08 0 a------- c:\windows\system32\drivers\logiflt.iad
2009-03-20 22:09 107,832 a------- c:\windows\system32\PnkBstrB.exe
2009-03-20 22:09 682,280 a------- c:\windows\system32\pbsvc.exe
2009-02-25 19:36 4,212 ----h--- c:\windows\system32\zllictbl.dat
2009-02-18 12:46 138,464 a------- c:\windows\system32\drivers\PnkBstrK.sys
2009-02-18 10:19 22,328 a------- c:\docume~1\b\applic~1\PnkBstrK.sys
2009-02-18 10:16 66,872 a------- c:\windows\system32\PnkBstrA.exe
2009-02-05 11:54 453,152 a------- c:\windows\system32\NVUNINST.EXE
2009-01-16 19:24 70,936 a------- c:\windows\system32\PhysXLoader.dll
2008-12-29 21:57 737,280 a------- c:\windows\iun6002.exe
2008-02-15 18:19 364,887 a------- c:\documents and settings\b\Silent Runners.vbs
2007-03-24 17:43 32 a----r-- c:\documents and settings\all users\hash.dat
2006-06-29 15:28 461 ac------ c:\program files\INSTALL.LOG

============= FINISH: 23:20:15.43 ===============
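
The SERVICES / DRIVERS and StartupFolder lines in a DDS log like the one above are where a responder looks first. As an added example that is not part of this thread or of DDS, the following Python parses those two DDS line formats and attaches review flags (missing or unverifiable image, image in a temp directory or with a .tmp extension, a built-in utility such as regedt32.exe registered as a service image, a startup item outside Program Files); the sample lines are copied from the log, the flag rules are my own heuristics, and a flag means "verify this entry", not "this is malicious".

```python
"""Triage helper for DDS "SERVICES / DRIVERS" and "StartupFolder" lines.

Hypothetical helper written for this thread; it is not part of DDS. It parses
the line formats DDS emits and attaches review flags to entries a responder
would want to look at first. Flags are prompts to verify, not verdicts.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: lines copied from the DDS log posted above.
SAMPLE_LOG = r"""
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2005-12-21 372824]
S0 BootScreen;BootScreen;\SystemRoot\\SystemRoot\System32\drivers\vidstub.sys --> \SystemRoot\\SystemRoot\System32\drivers\vidstub.sys [?]
S0 shdbus;shdbus; [x]
S2 .EsetTrialReset;Eset Trial Reset;c:\windows\system32\regedt32.exe [2001-8-23 3584]
S2 SessionLauncher;SessionLauncher;c:\docume~1\b\locals~1\temp\dx9\sessionlauncher.exe --> c:\docume~1\b\locals~1\temp\dx9\SessionLauncher.exe [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\1204.tmp --> c:\windows\system32\1204.tmp [?]
StartupFolder: c:\docume~1\b\startm~1\programs\startup\combin~1.lnk - c:\downloads\Combined II.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
"""

# Service line: "<start> <name>;<display name>;<image path> [<date> <size>]".
# DDS writes "registered --> resolved" when the two paths differ, "[?]" when it
# could not read the file's date and size, and "[x]" when the file is absent
# (my reading of DDS output, not a documented format).
SERVICE_RE = re.compile(r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$")
STARTUP_RE = re.compile(r"^StartupFolder:\s+(?P<lnk>.+?)\s+-\s+(?P<target>.+)$")
INFO_RE = re.compile(r"\s*\[(?P<info>[^\]]*)\]\s*$")

# Built-in tools that have no business being a service's image path.
SYSTEM_TOOLS = {"regedt32.exe", "regedit.exe", "cmd.exe"}


@dataclass
class Entry:
    kind: str                # "service" or "startup"
    name: str                # service name, or the .lnk path for startup items
    path: str                # resolved image / target path ("" if DDS found none)
    info: str = ""           # bracket contents: "<date> <size>", "?" or "x"
    flags: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[Entry]:
    """Parse one DDS line; return None for lines of other sections."""
    m = SERVICE_RE.match(line)
    if m:
        rest, info = m.group("rest").strip(), ""
        im = INFO_RE.search(rest)
        if im:
            info, rest = im.group("info"), rest[:im.start()]
        # keep the resolved path when DDS printed "registered --> resolved"
        path = rest.split(" --> ")[-1].strip()
        return Entry("service", m.group("name"), path, info)
    m = STARTUP_RE.match(line)
    if m:
        return Entry("startup", m.group("lnk"), m.group("target").strip())
    return None


def triage(entry: Entry) -> Entry:
    """Attach review flags; each is a reason to look closer, not a verdict."""
    p = entry.path.lower()
    base = p.rsplit("\\", 1)[-1]
    if entry.info == "x":
        entry.flags.append("image file missing: orphaned service entry")
    elif entry.info == "?":
        entry.flags.append("DDS could not verify the image (no date/size)")
    if "\\temp\\" in p:
        entry.flags.append("image runs from a temp directory")
    if p.endswith(".tmp"):
        entry.flags.append("executable image with a .tmp extension")
    if entry.kind == "service":
        if entry.name.startswith("."):
            entry.flags.append("service name starts with '.' (sorts to the top of lists)")
        if base in SYSTEM_TOOLS:
            entry.flags.append("built-in utility registered as a service image")
    elif p and not p.startswith(("c:\\program files", "c:\\windows")):
        entry.flags.append("startup item outside Program Files / Windows")
    return entry


def triage_log(text: str) -> List[Entry]:
    """Parse and triage every recognised line of a DDS log."""
    entries = [parse_line(ln.rstrip()) for ln in text.splitlines()]
    return [triage(e) for e in entries if e is not None]


def flagged(entries: List[Entry]) -> List[Entry]:
    """Only the entries that picked up at least one review flag."""
    return [e for e in entries if e.flags]


if __name__ == "__main__":
    for e in flagged(triage_log(SAMPLE_LOG)):
        print(f"{e.kind:8} {e.name}")
        for f in e.flags:
            print(f"         - {f}")
```

Run against the sample, six of the eight entries are flagged; vsdatant (ZoneAlarm's driver, with a readable date and size) and the SetPoint startup shortcut are not.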

#4 extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 29 March 2009 - 11:13 AM

Hello.

Please do the following first.

Download and run DelDomains

Please download Deldomains and save it to your desktop.
  • Right-click DelDomains.inf and select: Install.
  • You may not see any noticeable changes or prompts; this is normal.
Note: The DelDomains.inf file will remove ALL entries in the Trusted, Restricted, and Enhanced Security Configuration Zones. Any entries that you had will need to be entered again. You will have to reimmunize with SpywareBlaster, and/or Spybot after doing this, and reinstall IESpyads if you use any of these programs.

Download and run MalwareBytes Anti-Malware

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

For complete or visual instructions on installing and running Malwarebytes Anti-Malware please read this link

Download and Run Scan with GMER

We will use GMER to scan for rootkits.
  • Double-click on Gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
    If it detects rootkit activity, you will receive a prompt to run a full scan. Click Yes.
  • When it's done scanning, you may receive another notice. Click OK if prompted.
  • Click on Save ... to save the log on your desktop.
    Save the log as GMER.txt when you save it on your desktop.
  • Close Gmer and copy and paste the contents of GMER.txt in your next reply.
  • If you receive no notice, click on the Scan button near the bottom.
  • It will start scanning again like before.
  • When it is done, Click on Save ... to save the log on your desktop.
    Save the log as GMER.txt when you save it on your desktop.
  • Close Gmer and copy and paste the contents of GMER.txt in your next reply.
If GMER doesn't work in Normal Mode, try running it in Safe Mode.
Note: Do Not run any program while GMER is running

Important!: Please do not select the Show all checkbox during the scan.

Post back with:
-MBAM log
-GMER log
-New DDS log


With Regards,
Extremeboy
Note: Please do not PM me asking for help; instead, please post it in the correct forum requesting help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#5 ouroboros

  • Topic Starter
  • Members
  • 31 posts

Posted 29 March 2009 - 11:39 AM

hi

thnx for the help.

i did step 1 with deldomains

but i can not install malwarebytes. when i click it the run box appears but when i click that it just disappears and nothing happens.

#6 extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 29 March 2009 - 11:45 AM

Hello.

Okay, that makes sense. Please run ComboFix. Follow the instructions exactly as written below. Any questions, please ask.

Download and Run ComboFix (Rename Before Saving)

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2
Link 3

Refer to the page below for further instructions on running ComboFix. This includes installing the Recovery Console. Note that you do not need your Windows XP disk to install it. Refer to this page if you are unsure how.

Drag the "Recovery Console" file as mentioned in the link on how to use Combofix on to Combo-Fix.exe & follow the prompts.

When finished, it will produce a report for you. Post back with it. It is at C:\ComboFix.txt.

Do not mouse-click the ComboFix window while it's running. That may cause it to stall.

With Regards,
Extremeboy

#7 ouroboros

  • Topic Starter
  • Members
  • 31 posts

Posted 29 March 2009 - 12:55 PM

ok...ran combofix...i don't know what it did, but now my comp. can not see any wireless connections...i'm on a dif. computer now.

here is the log...i had to break it up as it's too long to post the whole thing

ComboFix 09-03-28.06 - b 2009-03-29 13:14:00.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3071.2537 [GMT -4:00]
Running from: c:\documents and settings\b\Desktop\Combo-Fix.exe
AV: ESET NOD32 Antivirus 3.0 *On-access scanning disabled* (Updated)
FW: ZoneAlarm Pro Firewall *enabled*
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\install.exe
c:\program files\INSTALL.LOG
c:\windows\system32\drivers\ss.sys
c:\windows\system32\drivers\UAClkfsqska.sys
c:\windows\system32\Memman.vxd
c:\windows\system32\skinboxer43.dll
c:\windows\system32\UACdcjgiyol.dll
c:\windows\system32\UACebxmcqii.dll
c:\windows\system32\UACevjvqjkc.dat
c:\windows\system32\UAChiwojeyu.db
c:\windows\system32\uacinit.dll
c:\windows\system32\UACklvgfktm.log
c:\windows\system32\UACkpyfrqlt.dll
c:\windows\system32\UAClusvasba.dll
c:\windows\system32\UACppyydtod.dll
c:\windows\system32\UACpuyfqdww.dll
c:\windows\system32\UACtdnappab.log
c:\windows\system32\UACvhmpsjgu.log

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys


((((((((((((((((((((((((( Files Created from 2009-02-28 to 2009-03-29 )))))))))))))))))))))))))))))))
.

2009-03-26 20:44 . 2009-03-26 20:44 <DIR> d-------- c:\program files\Susteen
2009-03-24 15:48 . 2009-03-26 20:15 <DIR> d-------- c:\program files\Microsoft ActiveSync
2009-03-23 18:00 . 2005-10-20 21:47 30,592 --a--c--- c:\windows\system32\dllcache\SET32CB.tmp
2009-03-23 18:00 . 2005-10-20 21:47 30,592 --a--c--- c:\windows\system32\dllcache\SET32CA.tmp
2009-03-23 18:00 . 2005-10-20 21:47 12,800 --a--c--- c:\windows\system32\dllcache\SET32C9.tmp
2009-03-23 18:00 . 2005-10-20 21:47 12,800 --a--c--- c:\windows\system32\dllcache\SET32C8.tmp
2009-03-20 22:09 . 2009-03-20 22:09 107,832 --a------ c:\documents and settings\b\Application Data\PnkBstrB.exe
2009-03-20 02:20 . 2009-03-20 02:20 0 --a------ c:\windows\system32\UACdcjgiyol.Vdll
2009-03-14 19:44 . 2009-03-29 12:32 1,896,749 --a------ c:\windows\system32\uactmp.db
2009-03-13 10:06 . 2009-03-13 13:28 357,101 --a------ c:\windows\reset.exe
2009-03-12 15:54 . 2009-03-12 15:54 <DIR> d-------- c:\program files\NCH Swift Sound
2009-03-12 15:54 . 2009-03-12 15:54 <DIR> d-------- c:\documents and settings\All Users\Application Data\NCH Swift Sound
2009-03-12 15:53 . 2009-03-12 15:55 <DIR> d-------- c:\program files\NCH Software
2009-03-12 15:53 . 2009-03-12 15:53 <DIR> d-------- c:\documents and settings\b\Application Data\NCH Software
2009-03-12 15:53 . 2009-03-12 15:53 <DIR> d-------- c:\documents and settings\All Users\Application Data\NCH Software

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-29 17:21 0 ----a-w c:\windows\system32\drivers\lvuvc.hs
2009-03-29 17:21 0 ----a-w c:\windows\system32\drivers\logiflt.iad
2009-03-29 17:06 9,468,928 ----a-w c:\windows\Internet Logs\xDB241.tmp
2009-03-29 16:53 --------- d-----w c:\program files\Mozilla Thunderbird
2009-03-29 15:57 --------- d-----w c:\documents and settings\b\Application Data\MxBoost
2009-03-28 01:14 --------- d-----w c:\program files\Trillian
2009-03-27 21:08 --------- d-----w c:\program files\ESET
2009-03-27 20:54 --------- d-----w c:\program files\BitComet
2009-03-27 00:45 --------- d--h--w c:\program files\InstallShield Installation Information
2009-03-26 23:09 --------- d-----w c:\program files\PeerGuardian2
2009-03-26 04:24 --------- d-----w c:\program files\Blaze Media Pro
2009-03-23 20:43 --------- d-----w c:\program files\Digsby
2009-03-16 08:14 --------- d-----w c:\program files\Lavasoft
2009-03-12 19:03 --------- d-----w c:\program files\Winamp
2009-03-11 22:47 --------- d-----w c:\documents and settings\b\Application Data\Move Networks
2009-03-11 18:20 9,268,224 ----a-w c:\windows\Internet Logs\xDB240.tmp
2009-03-11 00:52 --------- d-----w c:\documents and settings\b\Application Data\OpenOffice.org2
2009-02-26 05:39 --------- d-----w c:\program files\SystemRequirementsLab
2009-02-26 03:01 --------- d-----w c:\program files\HDD Health
2009-02-25 23:43 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-02-25 23:42 --------- d-----w c:\program files\AGEIA Technologies
2009-02-25 07:48 --------- d-----w c:\program files\Bethesda Softworks
2009-02-21 17:13 --------- d-----w c:\program files\Singular Inversions
2009-02-20 17:50 --------- d-----w c:\program files\Oblivion Face Exchange Lite
2009-02-20 05:46 3,314,688 ----a-w c:\windows\Internet Logs\xDB23F.tmp
2009-02-20 00:18 --------- d-----w c:\program files\Windows Media Connect 2
2009-02-19 06:58 --------- d-----w c:\program files\WBGames
2009-02-18 18:51 --------- d-----w c:\program files\MediaSystem
2009-02-18 16:46 138,464 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2009-02-18 15:06 9,128,960 ----a-w c:\windows\Internet Logs\xDB23E.tmp
2009-02-18 15:06 2,973,696 ----a-w c:\windows\Internet Logs\xDB23D.tmp
2009-02-18 14:19 22,328 ----a-w c:\documents and settings\b\Application Data\PnkBstrK.sys
2009-02-18 04:02 9,114,624 ----a-w c:\windows\Internet Logs\xDB23C.tmp
2009-02-18 04:02 3,865,088 ----a-w c:\windows\Internet Logs\xDB23B.tmp
2009-02-15 00:52 --------- d-----w c:\program files\Noise Cradle
2009-02-14 23:50 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-02-14 22:42 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-12 04:29 --------- d-----w c:\program files\Hired Sword Software
2009-02-11 22:23 --------- d-----w c:\program files\Atari
2009-02-11 01:24 --------- d-----w c:\documents and settings\b\Application Data\Trillian
2009-02-10 06:24 8,937,472 ----a-w c:\windows\Internet Logs\xDB23A.tmp
2009-02-10 06:24 3,149,824 ----a-w c:\windows\Internet Logs\xDB239.tmp
2009-02-09 18:18 6,307,328 ----a-w c:\windows\system32\drivers\nv4_mini.sys
2009-02-03 15:56 --------- d-----w c:\documents and settings\All Users\Application Data\Electronic Arts
2008-12-30 01:57 737,280 ----a-w c:\windows\iun6002.exe
2008-02-15 22:19 364,887 ----a-w c:\documents and settings\b\Silent Runners.vbs
2007-03-24 21:43 32 ----a-r c:\documents and settings\All Users\hash.dat
2007-12-13 18:54 259 ----a-w c:\program files\internet explorer\plugins\IEImageRR.dll
.

------- Sigcheck -------

2006-04-20 07:51 359808 1dbf125862891817f374f407626967f4 c:\windows\$hf_mig$\KB917953\SP2GDR\tcpip.sys
2006-04-20 08:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys
2007-10-30 12:53 360832 64798ecfa43d78c7178375fcdd16d8c8 c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys
2006-04-20 07:38 340480 b8158e2a6112c0a5ca67bc158fc70218 c:\windows\$NtServicePackUninstall$\tcpip.sys
2004-08-04 02:14 359040 9f4b36614a0fc234525ba224957de55c c:\windows\$NtUninstallKB917953$\tcpip.sys
2002-08-29 04:58 332928 244a2f9816bc9b593957281ef577d976 c:\windows\$NtUninstallKB917953_0$\tcpip.sys
2006-04-20 07:51 359808 1dbf125862891817f374f407626967f4 c:\windows\$NtUninstallKB941644$\tcpip.sys
2004-08-04 02:14 359040 1745b00fc1141404b28f4b94f69a8871 c:\windows\ServicePackFiles\i386\tcpip.sys
2008-11-18 20:44 360064 ecf02439fd31bbd0dbc2ec05600cf08a c:\windows\system32\dllcache\tcpip.sys
2008-11-18 20:44 360064 ecf02439fd31bbd0dbc2ec05600cf08a c:\windows\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Creative Detector"="c:\program files\Ashampoo\Ashampoo UnInstaller Platinum 2\UIWatcher.exe" [2006-08-18 1436160]
"CursorXP"="c:\program files\Stardock\Object Desktop\CursorXP.exe" [2005-01-19 140288]
"NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-09-04 81920]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-02-08 1470464]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]
"EA Core"="c:\program files\Electronic Arts\EADM\Core.exe" [2009-02-06 3325952]
"Orb"="c:\program files\Orb Networks\Orb\bin\OrbTray.exe" [2008-11-11 510416]
"HDDHealth"="c:\program files\HDD Health\HDDHealth.exe" [2008-06-15 1692672]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MULTIMEDIA KEYBOARD"="c:\progra~1\Stardock\OBJECT~1\BootSkin\BootSkin.exe" [2004-04-26 270336]
"WINDVDPatch"="c:\program files\Common Files\Stardock\TrayServer.exe" [2003-02-14 81920]
"BootSkin Startup Jobs"="c:\progra~1\Stardock\OBJECT~1\BootSkin\BootSkin.exe" [2004-04-26 270336]
"DiscWizardMonitor.exe"="c:\program files\Seagate\DiscWizard\DiscWizardMonitor.exe" [2007-04-19 1169744]
"AcronisTimounterMonitor"="c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe" [2007-10-30 909208]
"Zone Labs Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2006-03-16 755480]
"VolPanel"="c:\program files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" [2006-07-13 122880]
"AudioDrvEmulator"="c:\program files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-11-04 49152]
"THGuard"="c:\program files\TrojanHunter 5.0\THGuard.exe" [2007-09-09 1046688]
"EasyTuneV"="c:\program files\Gigabyte\ET5\ETcall.exe" [2007-04-26 24576]
"amd_dc_opt"="c:\program files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2007-07-23 77824]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe" [2007-08-24 240112]
"DMXLauncher"="c:\program files\Roxio\CinePlayer\DMXLauncher.exe" [2007-08-14 113136]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2008-08-14 565008]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2008-08-14 2407184]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-02-09 13680640]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-02-09 86016]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-02-20 1443072]
"BroadWave"="c:\program files\NCH Swift Sound\BroadWave\broadwave.exe" [2009-03-12 499716]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 c:\windows\KHALMNPR.Exe]
"CTHelper"="CTHELPER.EXE" [2002-07-02 c:\windows\system32\CTHELPER.EXE]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 c:\windows\KHALMNPR.Exe]
"CTxfiHlp"="CTXFIHLP.EXE" [2008-10-08 c:\windows\system32\Ctxfihlp.exe]
"nwiz"="nwiz.exe" [2009-02-09 c:\windows\system32\nwiz.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"NSSInstallation"="c:\windows\system32\Adobe\Shockwave 11\nssstub.exe" [2009-01-23 181624]

c:\documents and settings\b\Start Menu\Programs\Startup\
Combined II.lnk - c:\downloads\Combined II.exe [2009-03-13 1481216]
MagicDisc.lnk - c:\program files\MagicDisc\MagicDisc.exe [2008-08-30 575488]
Product Registration.lnk.disabled [2008-07-27 1017]
Stardock ObjectDock.lnk - c:\program files\Stardock\ObjectDock\ObjectDock.exe [2007-02-24 2664184]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk.disabled [2008-03-15 1757]
Bluetooth.lnk.disabled [2007-12-10 637]
DualCoreCenter.lnk.disabled [2008-02-04 869]
Loadout Manager.lnk.disabled [2007-03-01 1732]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-07-11 805392]
Norton GoBack.lnk.disabled [2008-01-27 1691]
Run BBDTMngr.exe.lnk.disabled [2008-07-05 2094]
Virtual Desk.lnk.disabled [2006-09-08 1724]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 77824]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= "c:\program files\Qualcomm\Eudora\EuShlExt.dll" [2006-08-17 86016]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 13:41 294912 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\MCPClient]
2005-01-31 16:13 49152 c:\program files\Common Files\Stardock\MCPStub.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
2005-12-20 23:57 176128 c:\progra~1\ALIENG~1\WbSrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ctmp3"= c:\windows\System32\ctmp3.acm
"SENTINEL"= snti386.dll
"midi1"= ma_cmidn.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ PDBoot.exe\0smrgdf c:\program files\iolo\System Mechanic Professional 6\\0lsdelete

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^b^Start Menu^Programs^Startup^OpenOffice.org 2.0.lnk]
backup=c:\windows\pss\OpenOffice.org 2.0.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HitwarePKLite
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--a------ 2005-06-07 00:46 57344 c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative Detector]
--------- 2004-12-02 18:23 102400 c:\program files\Creative\MediaSource\Detector\CTDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 03:56 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ioloDelayModule]
--a------ 2005-06-08 14:31 96256 c:\program files\iolo\System Mechanic Professional 6\Delay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 11:50 155648 c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2009-02-09 14:18 13680640 c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2009-02-09 14:18 86016 c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-12-26 23:06 282624 c:\program files\K-Lite Codec Pack\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\REGSHAVE]
--a------ 2002-02-04 23:32 53248 c:\program files\REGSHAVE\Regshave.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSystemAnalyzer]
--a------ 2006-12-20 18:47 557056 c:\program files\iolo\System Mechanic Professional 6\SMSystemAnalyzer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2008-04-05 21:18 1271032 c:\program files\Steam\steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UIWatcher]
--------- 2004-12-02 18:23 102400 c:\program files\Creative\MediaSource\Detector\CTDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
--------- 2000-05-11 02:00 90112 c:\windows\Updreg.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2008-10-16 21:57 4347120 c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\1A:Stardock TrayMonitor]
--a------ 2002-07-02 18:56 24576 c:\windows\system32\CTHELPER.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2009-02-09 14:18 1657376 c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
--a------ 2006-03-01 16:22 577536 c:\windows\soundman.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Gadwin PrintScreen"="c:\program files\Gadwin Systems\PrintScreen\PrintScreen.exe" /nosplash
"TomTomHOME.exe"="c:\program files\TomTom HOME 2\HOMERunner.exe"
"UIWatcher"=c:\program files\Ashampoo\Ashampoo UnInstaller Platinum 2\UIWatcher.exe
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
"Yahoo! Pager"="c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="c:\program files\K-Lite Codec Pack\QuickTime\qttask.exe" -atboottime
"CTRegRun"=c:\windows\CTRegRun.EXE
"CTxfiHlp"=CTXFIHLP.EXE
"UpdReg"=c:\windows\UpdReg.EXE
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe"
"NvCplDaemon"=RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
"nwiz"=nwiz.exe /install
"TrueImageMonitor.exe"=c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe
"WheelMouse"=c:\program files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\msiupdat.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Stardock Games\\Sins of a Solar Empire\\Sins of a Solar Empire.exe"=
"c:\\Documents and Settings\\b\\Desktop\\utorrent.exe"=
"c:\\Games\\Mass Effect\\Binaries\\MassEffect.exe"=
"c:\\Games\\Mass Effect\\MassEffectLauncher.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\WBGames\\Monolith Productions\\F.E.A.R. 2 SP Demo\\FEAR2SPDemo.exe"=
"c:\\Games\\Activision\\Call of Duty - World at War\\CoDWaWmp.exe"=
"c:\\Games\\Activision\\Call of Duty - World at War\\CoDWaW.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"25455:TCP"= 25455:TCP:BitComet 25455 TCP
"25455:UDP"= 25455:UDP:BitComet 25455 UDP
"4100:UDP"= 4100:UDP:uPNP Router Control Port
"85:TCP"= 85:TCP:BroadWave Web Server

R1 BIOS;BIOS;c:\windows\system32\drivers\BIOS.sys [2005-12-21 13696]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2008-02-20 33800]
R1 msikbd2k;Multimedia Keyboard Filter Driver;c:\windows\system32\drivers\Msikbd2k.sys [2006-09-04 6656]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2008-02-01 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2008-02-01 51440]
R2 BroadWaveService;BroadWave;c:\program files\NCH Swift Sound\BroadWave\broadwave.exe [2009-03-12 499716]
R2 CachemanXPService;CachemanXP;c:\progra~1\CACHEM~1\CachemanXP.exe [2007-11-28 245248]
R2 ekrn;Eset Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2008-02-20 472320]
R2 gearsec;gearsec;c:\windows\system32\gearsec.exe [2003-12-01 53248]
R2 nhksrv;Netropa NHK Server;c:\program files\Netropa\Multimedia Keyboard\nhksrv.exe [2006-09-04 28672]
R3 AmdTools;AMD Special Tools Driver;c:\windows\system32\drivers\AmdTools.sys [2008-02-21 33792]
R3 CT20XUT.SYS;CT20XUT.SYS;c:\windows\system32\drivers\CT20XUT.sys [2008-08-27 171032]
R3 CTEXFIFX.SYS;CTEXFIFX.SYS;c:\windows\system32\drivers\CTEXFIFX.sys [2008-08-27 1324056]
R3 CTHWIUT.SYS;CTHWIUT.SYS;c:\windows\system32\drivers\CTHWIUT.sys [2008-08-27 72728]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2006-02-16 4096]
S0 BootScreen;BootScreen;\SystemRoot\\SystemRoot\System32\drivers\vidstub.sys --> \SystemRoot\\SystemRoot\System32\drivers\vidstub.sys [?]
S0 shdbus;shdbus; [x]
S0 Shield;Shield; [x]
S0 Shieldf;Shieldf; [x]
S0 shieldm;shieldm; [x]
S1 cloverm;cloverm;c:\windows\system32\DRIVERS\cloverm.sys --> c:\windows\system32\DRIVERS\cloverm.sys [?]
S1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys --> c:\windows\system32\drivers\nod32drv.sys [?]
S2 .EsetTrialReset;Eset Trial Reset;c:\windows\system32\regedt32.exe [2001-08-23 3584]
S2 Roxio Upnp Server 10;Roxio Upnp Server 10;c:\program files\Roxio\Digital Home 10\RoxioUpnpService10.exe [2007-08-24 362992]
S2 RoxLiveShare10;LiveShare P2P Server 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe [2007-08-24 309744]
S2 RoxWatch10;Roxio Hard Drive Watcher 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe [2007-08-24 166384]
S2 SessionLauncher;SessionLauncher;c:\docume~1\b\LOCALS~1\Temp\DX9\SessionLauncher.exe --> c:\docume~1\b\LOCALS~1\Temp\DX9\SessionLauncher.exe [?]
S3 Amps2prt;A4Tech PS/2 Port Mouse Driver;c:\windows\system32\drivers\Amps2prt.sys [2007-12-26 9600]
S3 bcgame;Nostromo HID Device Minidriver;c:\windows\system32\drivers\bcgame.sys [2003-07-24 22821]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [2008-12-26 79360]
S3 CT20XUT;CT20XUT;c:\windows\system32\drivers\CT20XUT.sys [2008-08-27 171032]
S3 CTEXFIFX;CTEXFIFX;c:\windows\system32\drivers\CTEXFIFX.sys [2008-08-27 1324056]
S3 CTHWIUT;CTHWIUT;c:\windows\system32\drivers\CTHWIUT.sys [2008-08-27 72728]
S3 DigiCellDriver;DigiCellDriver;c:\program files\MSI\DualCoreCenter\NTGLM7X.sys [2008-02-04 27648]
S3 hamachi_oem;PlayLinc Adapter;c:\windows\system32\drivers\gan_adapter.sys [2006-08-29 10664]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\1204.tmp --> c:\windows\system32\1204.tmp [?]
S3 QCEmerald;Logitech QuickCam Web;c:\windows\system32\drivers\OVCE.sys [2006-04-03 31872]
S3 Roxio UPnP Renderer 10;Roxio UPnP Renderer 10;c:\program files\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe [2007-08-24 72176]
S3 RoxMediaDB10;RoxMediaDB10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe [2007-08-24 1083888]
S3 RushTopDevice2;RushTopDevice2;c:\program files\MSI\DualCoreCenter\RushTop.sys [2008-02-04 39424]
S3 StreamSurge;StreamSurge Driver (miniport);c:\windows\system32\DRIVERS\ss.sys --> c:\windows\system32\DRIVERS\ss.sys [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MARKFUN_NT
*Deregistered* - MarkFun_NT

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\Start.exe
.
Contents of the 'Scheduled Tasks' folder

2009-03-29 c:\windows\Tasks\NSSstub.job
- c:\windows\system32\Adobe\Shockwave 11\nssstub.exe [2009-01-23 20:37]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-On2Share - c:\program files\On2Share\On2Share MediaServer.exe
HKCU-RunOnce-Shockwave Updater - c:\windows\system32\Adobe\SHOCKW~1\SWHELP~1.EXE -Update -1103471 -Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; sv1; .NET CLR 2.0.50727; .NET CLR 1.1.4322; WWTClient2; .NET CLR 3.0.04506.30;
SharedTaskScheduler-IPC Configuration Utility - (no file)


.
------- Supplementary Scan -------
.
uStart Page = about:blank
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
IE: &D&ownload &with BitComet - c:\program files\BitComet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\BitComet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\BitComet\BitComet.exe/AddAllLink.htm
IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm
IE: {{7A2EFD41-E6B3-11D2-89E3-00E0292EE574} - c:\program files\PRMT7\PRMTIE\prmtie5.htm
IE: {{7A2EFD41-E6B3-11D2-89E3-00E0292EE575} - c:\program files\PRMT7\PRMTIE\options.htm
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949}
LSP: c:\windows\system32\imon.dll
DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - hxxp://download.ewido.net/ewidoOnlineScan.cab
DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} - hxxp://liveupdate.msi.com.tw/autobios/LOnline/install.cab
FF - ProfilePath - c:\documents and settings\b\Application Data\Mozilla\Firefox\Profiles\qhv39rpk.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - about:blank
FF - plugin: c:\progra~1\Yahoo!\Common\npyaxmpb.dll
FF - plugin: c:\program files\Java\jre1.5.0_07\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_07\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_07\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_07\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_07\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_07\bin\NPJPI150_07.dll
FF - plugin: c:\program files\Java\jre1.5.0_07\bin\NPOJI610.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.
.
------- File Associations -------
.
JSEFile=NOTEPAD.EXE %1
VBEFile=NOTEPAD.EXE %1
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-29 13:28:19
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CTxfiHlp = CTXFIHLP.EXE?

scanning hidden files ...


c:\docume~1\b\LOCALS~1\Temp\suggestedName-130.tmp 455349 bytes
c:\docume~1\b\LOCALS~1\Temp\suggestedName-142.tmp 13720 bytes
c:\docume~1\b\LOCALS~1\Temp\suggestedName-143.tmp 16112 bytes
c:\docume~1\b\LOCALS~1\Temp\~5ba22a85970f1c77580bff33800.jpg 1253 bytes
c:\docume~1\b\LOCALS~1\Temp\~5e74a42488c91c75ed22168ae00.jpd 21 bytes
c:\docume~1\b\LOCALS~1\Temp\~DF906E.tmp 16384 bytes
c:\docume~1\b\LOCALS~1\Temp\~DF90C1.tmp 16384 bytes

Edited by extremeboy, 29 March 2009 - 01:40 PM.
Remove Redundant lines


#8 ouroboros

ouroboros
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  • Local time:08:01 AM

Posted 29 March 2009 - 12:56 PM

Here is the rest of the ComboFix log:


c:\docume~1\b\LOCALS~1\Temp\VSD55A0.tmp\DotNetFX
c:\docume~1\b\LOCALS~1\Temp\VSD55A0.tmp\DotNetFX\dotnetchk.exe 61632 bytes executable
c:\docume~1\b\LOCALS~1\Temp\VSD55A0.tmp\install.log 2479 bytes
c:\docume~1\b\LOCALS~1\Temp\vx5296F.tmp 0 bytes
c:\docume~1\b\LOCALS~1\Temp\WCESCOMM.LOG 760 bytes
c:\docume~1\b\LOCALS~1\Temp\WCESLog.log 19348 bytes
c:\docume~1\b\LOCALS~1\Temp\WCESMgr.log 23675 bytes
c:\docume~1\b\LOCALS~1\Temp\WcesView.log 3610 bytes
c:\docume~1\b\LOCALS~1\Temp\WER4d81.dir00
c:\docume~1\b\LOCALS~1\Temp\WER4d81.dir00\explorer.exe.hdmp 31169760 bytes
c:\docume~1\b\LOCALS~1\Temp\WER4d81.dir00\explorer.exe.mdmp 88148 bytes
c:\docume~1\b\LOCALS~1\Temp\WER7b6b.dir00
c:\docume~1\b\LOCALS~1\Temp\WER7b6b.dir00\appcompat.txt 16296 bytes
c:\docume~1\b\LOCALS~1\Temp\WER7b6b.dir00\explorer.exe.hdmp 29420939 bytes
c:\docume~1\b\LOCALS~1\Temp\WER7b6b.dir00\explorer.exe.mdmp 92360 bytes
c:\docume~1\b\LOCALS~1\Temp\WER7b6b.dir00\manifest.txt 1924 bytes
c:\docume~1\b\LOCALS~1\Temp\locutus-1.wav 51842 bytes
c:\docume~1\b\LOCALS~1\Temp\me 003-1.jpg 421916 bytes
c:\docume~1\b\LOCALS~1\Temp\movie4.mpg 1589252 bytes
c:\docume~1\b\LOCALS~1\Temp\nakedness-1.bmp 57656 bytes
c:\docume~1\b\LOCALS~1\Temp\nsf63D.tmp
c:\docume~1\b\LOCALS~1\Temp\nsf63D.tmp\ioSpecial.ini 283 bytes
c:\docume~1\b\LOCALS~1\Temp\nsf63D.tmp\LangDLL.dll 5632 bytes executable
c:\docume~1\b\LOCALS~1\Temp\nsf63D.tmp\modern-wizard.bmp 26494 bytes
c:\docume~1\b\LOCALS~1\Temp\nsmail-1.html 433 bytes
c:\docume~1\b\LOCALS~1\Temp\nsmail-15.html 5822 bytes
c:\docume~1\b\LOCALS~1\Temp\nsmail-3.html 320 bytes
c:\docume~1\b\LOCALS~1\Temp\nsmail-9.html 248 bytes
c:\docume~1\b\LOCALS~1\Temp\TheDangersOfInternetDating.wmv 1432187 bytes
c:\docume~1\b\LOCALS~1\Temp\TheHandbag.wmv 2075552 bytes
c:\docume~1\b\LOCALS~1\Temp\Theodora.xml 3497 bytes
c:\docume~1\b\LOCALS~1\Temp\thethread.bmp 21176 bytes
c:\docume~1\b\LOCALS~1\Temp\They're Watching_{E431CEC6-FA6D-469C-A1F0-0A562AFEDA96}.xml 2765 bytes
c:\docume~1\b\LOCALS~1\Temp\Tiled Up_{13F4D7E5-D931-443D-99AF-E9021029322C}.xml 2645 bytes
c:\docume~1\b\LOCALS~1\Temp\tmobilesidekick.bmp 21176 bytes
c:\docume~1\b\LOCALS~1\Temp\tmp18062.WMC
c:\docume~1\b\LOCALS~1\Temp\tmp18062.WMC\allservices.xml 0 bytes
c:\docume~1\b\LOCALS~1\Temp\TMP2680.tmp 239 bytes
c:\docume~1\b\LOCALS~1\Temp\TMP26CC.tmp 239 bytes
c:\docume~1\b\LOCALS~1\Temp\MSI5723f.LOG 370 bytes
c:\docume~1\b\LOCALS~1\Temp\MSI7f60.LOG 168 bytes
c:\docume~1\b\LOCALS~1\Temp\MSIe320c.LOG 434 bytes
c:\docume~1\b\LOCALS~1\Temp\MSIedf2d.LOG 168 bytes
c:\docume~1\b\LOCALS~1\Temp\msqpdx000 0 bytes
c:\docume~1\b\LOCALS~1\Temp\my pic.jpg 17547 bytes
c:\docume~1\b\LOCALS~1\Temp\m_a084ffbcb4eb81a0b7bf5205c17c2bbd[1].jpg 3441 bytes
c:\docume~1\b\LOCALS~1\Temp\n1setup.exe 527565 bytes executable
c:\docume~1\b\LOCALS~1\Temp\n5Dd5Lo5.zip.part 467915 bytes
c:\docume~1\b\LOCALS~1\Temp\Cookies
c:\docume~1\b\LOCALS~1\Temp\Cookies\index.dat 32768 bytes
c:\docume~1\b\LOCALS~1\Temp\Obj1D93.tmp 0 bytes
c:\docume~1\b\LOCALS~1\Temp\Obj1D94.tmp 0 bytes
c:\docume~1\b\LOCALS~1\Temp\ObjectDock.dmp 85844 bytes
c:\docume~1\b\LOCALS~1\Temp\ObjectDock.xml 19721 bytes
c:\docume~1\b\LOCALS~1\Temp\obmm
c:\docume~1\b\LOCALS~1\Temp\OfficeStress1_1.wmv 1295331 bytes
c:\docume~1\b\LOCALS~1\Temp\OfficeStress2_1.wmv 1679686 bytes
c:\docume~1\b\LOCALS~1\Temp\OfficeStress3_1.wmv 1363151 bytes
c:\docume~1\b\LOCALS~1\Temp\OfficeStress4_1.wmv 816301 bytes

scan completed successfully
hidden files: 3803

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet074\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\1204.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2052111302-1801674531-725345543-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-2052111302-1801674531-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID]
@Denied: (Full) (LocalSystem)

[HKEY_USERS\S-1-5-21-2052111302-1801674531-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{254355E2-A22B-48B2-12C2-82CF0484DC5A}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"abgcjnedijpaphmmmmdhjefamoondiccnb"=hex:61,61,00,00
"bbgcjnedijpaphmmmmggeeicdijgmkapaoca"=hex:61,61,00,00

[HKEY_USERS\S-1-5-21-2052111302-1801674531-725345543-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:64,cc,a5,20,99,62,7e,eb,ea,5c,b8,f0,6b,a6,13,7e,b8,6d,8f,50,4d,09,09,
ab,05,09,a1,bc,c4,d7,ba,1b,2b,62,1b,6e,97,22,86,df,e7,b7,08,89,00,7e,58,4b,\
"??"=hex:35,fc,c6,3d,c9,02,ad,db,37,1f,61,de,0f,33,8f,50

[HKEY_USERS\S-1-5-21-2052111302-1801674531-725345543-1003\Software\SecuROM\License information*]
"datasecu"=hex:dd,c5,16,9b,fa,18,a8,b2,be,8b,54,d5,23,9e,6f,ef,3d,04,3b,83,cb,
dd,87,7d,28,c0,2e,19,49,f0,e4,c0,fe,16,d0,87,c8,ed,38,62,d8,39,54,3d,e0,e8,\
"rkeysecu"=hex:0c,01,85,43,d9,94,1a,d5,71,29,87,48,26,17,d9,45

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\1w;_w4w*]
"91A14B995DF7C0B42ABAA16065968F3A"="c:\\Program Files\\Alias\\Maya7.0\\presets\\Ashli\\"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(816)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\program files\Common Files\Stardock\mcpstub.dll
c:\progra~1\ALIENG~1\wbsrv.dll

- - - - - - - > 'lsass.exe'(876)
c:\windows\system32\relog_ap.dll

- - - - - - - > 'explorer.exe'(6820)
c:\windows\TEMP\logishrd\LVPrcInj01.dll
c:\program files\Stardock\ObjectDock\DockShellHook.dll
c:\program files\Stardock\ObjectDock\Docklets\menuhook.func
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\program files\Stardock\Object Desktop\CurXP0.dll
c:\progra~1\COMMON~1\Stardock\MCPCore.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Creative\Shared Files\CTAudSvc.exe
c:\program files\Common Files\Acronis\Schedule2\schedul2.exe
c:\windows\system32\CTsvcCDA.EXE
c:\program files\NCH Software\Components\mp3el\mp3enc.exe
c:\program files\NCH Software\Components\mp3el\mp3enc.exe
c:\program files\ewido anti-spyware 4.0\guard.exe
c:\program files\Norton GoBack\GBPoll.exe
c:\program files\Common Files\Logishrd\LVCOMSER\LVComSer.exe
c:\program files\Common Files\Logishrd\LVMVFM\LVPrcSrv.exe
c:\program files\M-Audio\M-Audio Series II MIDI\MA_CMIDI_Inst.exe
c:\program files\ESET\nod32krn.exe
c:\program files\NVIDIA Corporation\nTune\nTuneService.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Raxco\PerfectDisk\PDAgent.exe
c:\program files\Common Files\Stardock\SDMCP.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\snmp.exe
c:\program files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
c:\program files\TVersity\Media Server\MediaServer.exe
c:\windows\system32\ZoneLabs\vsmon.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\CTxfispi.exe
c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.exe
c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe
c:\program files\Raxco\PerfectDisk\PDEngine.exe
c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\CPSHelpRunner10.exe
c:\docume~1\b\LOCALS~1\Temp\{FC4BC2FE-F660-4480-88E3-2C670A4D9F96}\Combined II.exe
.
**************************************************************************
.
Completion time: 2009-03-29 13:40:02 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-29 17:38:58
ComboFix2.txt 2008-03-23 21:58:16
ComboFix3.txt 2008-03-12 22:18:48
ComboFix4.txt 2008-02-24 12:30:59

Pre-Run: 47,428,005,888 bytes free
Post-Run: 47,304,626,176 bytes free

Current=74 Default=74 Failed=73 LastKnownGood=75 Sets=1,11,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75
4257

Edited by extremeboy, 29 March 2009 - 01:37 PM.
Remove Redundant lines


#9 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:08:01 AM

Posted 29 March 2009 - 01:12 PM

Hello.

You have a rootkit infection. Best option is to format. However, if you don't then give me some time to review the log.

Let me give you the rootkit warning first and act accordingly first. Let me know if you wish to continue or format.

Rootkit Threat

Unfortunately, one or more of the identified infections is a Rootkit/backdoor trojan.

IMPORTANT NOTE: Rootkits and backdoor Trojans are very dangerous because they use advanced techniques (backdoors) as a means of accessing a computer system that bypasses security mechanisms and steal sensitive information which they send back to the hacker. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. Remote attackers use backdoor Trojans and rootkits as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge.

If your computer was used for online banking, has credit card information or other sensitive data on it, you should immediately disconnect from the Internet until your system is cleaned. All passwords should be changed immediately to include those used for banking, email, eBay, paypal and online forums. You should consider them to be compromised. You should change each password by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connecting again. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

Although the rootkit has been identified and may be removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that because this malware has been removed the computer is now secure. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read: Should you decide not to follow that advice, we will do our best to help clean the computer of any infections but we cannot guarantee it to be trustworthy or that the removal will be successful. Tell me what you want to do.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#10 ouroboros

ouroboros
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  • Local time:08:01 AM

Posted 29 March 2009 - 01:33 PM

OK... I fixed the wireless connection, so I'm back on the computer in question.

I really, really, really do not want to reformat my drive.

I would like to try to clean it first... if it still has problems then I guess I'll have to, but that's an absolute last resort.

#11 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:08:01 AM

Posted 29 March 2009 - 01:47 PM

Hello.

Glad your wireless is back. That was just a minor problem. It can usually be fixed via one of the following methods, just for your reference.

1. Reboot your machine
2. Disabling/re-enabling the network connection restores it.
3. Go to Control Panel > Network Connections
4. "Repair" the connection via right-click>Repair


Let's continue.

Download and Run ATFCleaner

Please download ATF Cleaner by Atribune. This program will clear out temporary files and settings. You will likely be logged out of the forum where you are receiving help.

This program is for XP and Windows 2000 only.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main Select Files to Delete choose: Select All.
  • Click the Empty Selected button.
If you also use the Firefox browser...
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you also use the Opera browser...
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Run ComboFix with CFScript

We will run ComboFix again. This time, the instructions are slightly different.
  • Close any open browsers.
  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are unsure how.
  • Open notepad (Start>Run>"notepad") and copy/paste the text in the quotebox below into it:
    File::
    C:\windows\system32\UACdcjgiyol.Vdll
    c:\windows\system32\uactmp.db
    c:\windows\iun6002.exe
    c:\windows\system32\1204.tmp 
    REGLOCK::
    [HKEY_USERS\S-1-5-21-2052111302-1801674531-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID]
    Drivers::
    shdbus
    Shield
    Shieldf
    shieldm
    MEMSWEEP2
    Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)
    Referring to the picture above, drag CFScript into ComboFix.exe.
When finished, it shall produce a log for you at "C:\ComboFix.txt". Post back with that log.

Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Download and Run Scan with GMER

We will use GMER to scan for rootkits.
  • Double-click on Gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
    If it detects rootkit activity, you will receive a prompt to run a full scan. Click Yes.
  • When it's done scanning, you may receive another notice. Click OK if prompted.
  • Click on Save ... to save the log on your desktop.
    Save the log as GMER.txt when you save it on your desktop.
  • Close Gmer and copy and paste the contents of GMER.txt in your next reply.
  • If you receive no notice, click on the Scan button near the bottom.
  • It will start scanning again like before.
  • When it is done, Click on Save ... to save the log on your desktop.
    Save the log as GMER.txt when you save it on your desktop.
  • Close Gmer and copy and paste the contents of GMER.txt in your next reply.
If GMER doesn't work in Normal Mode, try running it in Safe Mode.
Note: Do Not run any program while GMER is running

Important! Please do not select the Show all checkbox during the scan.

There is still more to do next post, but I need some more information first.

Post back with:
-Combofix log
-GMER log


With Regards,
Extremeboy

#12 ouroboros

ouroboros
  • Topic Starter

  • Members
  • 31 posts

Posted 29 March 2009 - 07:20 PM

New ComboFix log, part 1:

ComboFix 09-03-28.06 - b 2009-03-29 15:19:23.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3071.2535 [GMT -4:00]
Running from: c:\documents and settings\b\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\b\Desktop\Cfscript.txt
AV: ESET NOD32 Antivirus 3.0 *On-access scanning disabled* (Updated)
FW: ZoneAlarm Pro Firewall *disabled*
* Created a new restore point
* Resident AV is active


FILE ::
c:\windows\iun6002.exe
c:\windows\system32\1204.tmp
c:\windows\system32\UACdcjgiyol.Vdll
c:\windows\system32\uactmp.db
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\iun6002.exe
c:\windows\system32\drivers\ss.sys
c:\windows\system32\UACdcjgiyol.Vdll
c:\windows\system32\uactmp.db

.
((((((((((((((((((((((((( Files Created from 2009-02-28 to 2009-03-29 )))))))))))))))))))))))))))))))
.

2009-03-29 14:25 . 2009-03-29 14:25 20,747 --a------ c:\windows\system32\drivers\AegisP.sys
2009-03-29 14:24 . 2004-04-30 15:12 40,960 --a------ c:\windows\system32\F5D9050.dll
2009-03-26 20:44 . 2009-03-26 20:44 <DIR> d-------- c:\program files\Susteen
2009-03-24 15:48 . 2009-03-26 20:15 <DIR> d-------- c:\program files\Microsoft ActiveSync
2009-03-23 18:00 . 2005-10-20 21:47 30,592 --a--c--- c:\windows\system32\dllcache\SET32CB.tmp
2009-03-23 18:00 . 2005-10-20 21:47 30,592 --a--c--- c:\windows\system32\dllcache\SET32CA.tmp
2009-03-23 18:00 . 2005-10-20 21:47 12,800 --a--c--- c:\windows\system32\dllcache\SET32C9.tmp
2009-03-23 18:00 . 2005-10-20 21:47 12,800 --a--c--- c:\windows\system32\dllcache\SET32C8.tmp
2009-03-20 22:09 . 2009-03-20 22:09 107,832 --a------ c:\documents and settings\b\Application Data\PnkBstrB.exe
2009-03-13 10:06 . 2009-03-13 13:28 357,101 --a------ c:\windows\reset.exe
2009-03-12 15:54 . 2009-03-12 15:54 <DIR> d-------- c:\program files\NCH Swift Sound
2009-03-12 15:54 . 2009-03-12 15:54 <DIR> d-------- c:\documents and settings\All Users\Application Data\NCH Swift Sound
2009-03-12 15:53 . 2009-03-12 15:55 <DIR> d-------- c:\program files\NCH Software
2009-03-12 15:53 . 2009-03-12 15:53 <DIR> d-------- c:\documents and settings\b\Application Data\NCH Software
2009-03-12 15:53 . 2009-03-12 15:53 <DIR> d-------- c:\documents and settings\All Users\Application Data\NCH Software

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-29 19:26 0 ----a-w c:\windows\system32\drivers\lvuvc.hs
2009-03-29 19:26 0 ----a-w c:\windows\system32\drivers\logiflt.iad
2009-03-29 19:11 --------- d-----w c:\documents and settings\b\Application Data\MxBoost
2009-03-29 18:24 --------- d-----w c:\program files\Belkin
2009-03-29 17:06 9,468,928 ----a-w c:\windows\Internet Logs\xDB241.tmp
2009-03-29 16:53 --------- d-----w c:\program files\Mozilla Thunderbird
2009-03-28 01:14 --------- d-----w c:\program files\Trillian
2009-03-27 21:08 --------- d-----w c:\program files\ESET
2009-03-27 20:54 --------- d-----w c:\program files\BitComet
2009-03-27 00:45 --------- d--h--w c:\program files\InstallShield Installation Information
2009-03-26 23:09 --------- d-----w c:\program files\PeerGuardian2
2009-03-26 04:24 --------- d-----w c:\program files\Blaze Media Pro
2009-03-23 20:43 --------- d-----w c:\program files\Digsby
2009-03-16 08:14 --------- d-----w c:\program files\Lavasoft
2009-03-12 19:03 --------- d-----w c:\program files\Winamp
2009-03-11 22:47 --------- d-----w c:\documents and settings\b\Application Data\Move Networks
2009-03-11 18:20 9,268,224 ----a-w c:\windows\Internet Logs\xDB240.tmp
2009-03-11 00:52 --------- d-----w c:\documents and settings\b\Application Data\OpenOffice.org2
2009-02-26 05:39 --------- d-----w c:\program files\SystemRequirementsLab
2009-02-26 03:01 --------- d-----w c:\program files\HDD Health
2009-02-25 23:43 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-02-25 23:42 --------- d-----w c:\program files\AGEIA Technologies
2009-02-25 07:48 --------- d-----w c:\program files\Bethesda Softworks
2009-02-21 17:13 --------- d-----w c:\program files\Singular Inversions
2009-02-20 17:50 --------- d-----w c:\program files\Oblivion Face Exchange Lite
2009-02-20 05:46 3,314,688 ----a-w c:\windows\Internet Logs\xDB23F.tmp
2009-02-20 00:18 --------- d-----w c:\program files\Windows Media Connect 2
2009-02-19 06:58 --------- d-----w c:\program files\WBGames
2009-02-18 18:51 --------- d-----w c:\program files\MediaSystem
2009-02-18 16:46 138,464 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2009-02-18 15:06 9,128,960 ----a-w c:\windows\Internet Logs\xDB23E.tmp
2009-02-18 15:06 2,973,696 ----a-w c:\windows\Internet Logs\xDB23D.tmp
2009-02-18 14:19 22,328 ----a-w c:\documents and settings\b\Application Data\PnkBstrK.sys
2009-02-18 04:02 9,114,624 ----a-w c:\windows\Internet Logs\xDB23C.tmp
2009-02-18 04:02 3,865,088 ----a-w c:\windows\Internet Logs\xDB23B.tmp
2009-02-15 00:52 --------- d-----w c:\program files\Noise Cradle
2009-02-14 23:50 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-02-14 22:42 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-12 04:29 --------- d-----w c:\program files\Hired Sword Software
2009-02-11 22:23 --------- d-----w c:\program files\Atari
2009-02-11 01:24 --------- d-----w c:\documents and settings\b\Application Data\Trillian
2009-02-10 06:24 8,937,472 ----a-w c:\windows\Internet Logs\xDB23A.tmp
2009-02-10 06:24 3,149,824 ----a-w c:\windows\Internet Logs\xDB239.tmp
2009-02-09 18:18 6,307,328 ----a-w c:\windows\system32\drivers\nv4_mini.sys
2009-02-03 15:56 --------- d-----w c:\documents and settings\All Users\Application Data\Electronic Arts
2008-02-15 22:19 364,887 ----a-w c:\documents and settings\b\Silent Runners.vbs
2007-03-24 21:43 32 ----a-r c:\documents and settings\All Users\hash.dat
2007-12-13 18:54 259 ----a-w c:\program files\internet explorer\plugins\IEImageRR.dll
.

------- Sigcheck -------

2006-04-20 07:51 359808 1dbf125862891817f374f407626967f4 c:\windows\$hf_mig$\KB917953\SP2GDR\tcpip.sys
2006-04-20 08:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys
2007-10-30 12:53 360832 64798ecfa43d78c7178375fcdd16d8c8 c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys
2006-04-20 07:38 340480 b8158e2a6112c0a5ca67bc158fc70218 c:\windows\$NtServicePackUninstall$\tcpip.sys
2004-08-04 02:14 359040 9f4b36614a0fc234525ba224957de55c c:\windows\$NtUninstallKB917953$\tcpip.sys
2002-08-29 04:58 332928 244a2f9816bc9b593957281ef577d976 c:\windows\$NtUninstallKB917953_0$\tcpip.sys
2006-04-20 07:51 359808 1dbf125862891817f374f407626967f4 c:\windows\$NtUninstallKB941644$\tcpip.sys
2004-08-04 02:14 359040 1745b00fc1141404b28f4b94f69a8871 c:\windows\ServicePackFiles\i386\tcpip.sys
2008-11-18 20:44 360064 ecf02439fd31bbd0dbc2ec05600cf08a c:\windows\system32\dllcache\tcpip.sys
2008-11-18 20:44 360064 ecf02439fd31bbd0dbc2ec05600cf08a c:\windows\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((( SnapShot@2009-03-29_13.30.49.65 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-03-29 19:28:12 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_624.dat
+ 2009-03-29 19:27:16 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_658.dat
+ 2009-03-29 19:31:32 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_7c8.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Creative Detector"="c:\program files\Ashampoo\Ashampoo UnInstaller Platinum 2\UIWatcher.exe" [2006-08-18 1436160]
"CursorXP"="c:\program files\Stardock\Object Desktop\CursorXP.exe" [2005-01-19 140288]
"NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-09-04 81920]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-02-08 1470464]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]
"EA Core"="c:\program files\Electronic Arts\EADM\Core.exe" [2009-02-06 3325952]
"Orb"="c:\program files\Orb Networks\Orb\bin\OrbTray.exe" [2008-11-11 510416]
"HDDHealth"="c:\program files\HDD Health\HDDHealth.exe" [2008-06-15 1692672]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MULTIMEDIA KEYBOARD"="c:\progra~1\Stardock\OBJECT~1\BootSkin\BootSkin.exe" [2004-04-26 270336]
"WINDVDPatch"="c:\program files\Common Files\Stardock\TrayServer.exe" [2003-02-14 81920]
"BootSkin Startup Jobs"="c:\progra~1\Stardock\OBJECT~1\BootSkin\BootSkin.exe" [2004-04-26 270336]
"DiscWizardMonitor.exe"="c:\program files\Seagate\DiscWizard\DiscWizardMonitor.exe" [2007-04-19 1169744]
"AcronisTimounterMonitor"="c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe" [2007-10-30 909208]
"Zone Labs Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2006-03-16 755480]
"VolPanel"="c:\program files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" [2006-07-13 122880]
"AudioDrvEmulator"="c:\program files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-11-04 49152]
"THGuard"="c:\program files\TrojanHunter 5.0\THGuard.exe" [2007-09-09 1046688]
"EasyTuneV"="c:\program files\Gigabyte\ET5\ETcall.exe" [2007-04-26 24576]
"amd_dc_opt"="c:\program files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2007-07-23 77824]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe" [2007-08-24 240112]
"DMXLauncher"="c:\program files\Roxio\CinePlayer\DMXLauncher.exe" [2007-08-14 113136]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2008-08-14 565008]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2008-08-14 2407184]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-02-09 13680640]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-02-09 86016]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-02-20 1443072]
"BroadWave"="c:\program files\NCH Swift Sound\BroadWave\broadwave.exe" [2009-03-12 499716]
"F5D9050"="c:\program files\Belkin\F5D9050\Belkinwcui.exe" [2006-02-14 1531904]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 c:\windows\KHALMNPR.Exe]
"CTHelper"="CTHELPER.EXE" [2002-07-02 c:\windows\system32\CTHELPER.EXE]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 c:\windows\KHALMNPR.Exe]
"CTxfiHlp"="CTXFIHLP.EXE" [2008-10-08 c:\windows\system32\Ctxfihlp.exe]
"nwiz"="nwiz.exe" [2009-02-09 c:\windows\system32\nwiz.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"NSSInstallation"="c:\windows\system32\Adobe\Shockwave 11\nssstub.exe" [2009-01-23 181624]

c:\documents and settings\b\Start Menu\Programs\Startup\
Combined II.lnk - c:\downloads\Combined II.exe [2009-03-13 1481216]
MagicDisc.lnk - c:\program files\MagicDisc\MagicDisc.exe [2008-08-30 575488]
Product Registration.lnk.disabled [2008-07-27 1017]
Stardock ObjectDock.lnk - c:\program files\Stardock\ObjectDock\ObjectDock.exe [2007-02-24 2664184]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk.disabled [2008-03-15 1757]
Bluetooth.lnk.disabled [2007-12-10 637]
DualCoreCenter.lnk.disabled [2008-02-04 869]
Loadout Manager.lnk.disabled [2007-03-01 1732]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-07-11 805392]
Norton GoBack.lnk.disabled [2008-01-27 1691]
Run BBDTMngr.exe.lnk.disabled [2008-07-05 2094]
Virtual Desk.lnk.disabled [2006-09-08 1724]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 77824]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= "c:\program files\Qualcomm\Eudora\EuShlExt.dll" [2006-08-17 86016]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 13:41 294912 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\MCPClient]
2005-01-31 16:13 49152 c:\program files\Common Files\Stardock\MCPStub.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
2005-12-20 23:57 176128 c:\progra~1\ALIENG~1\WbSrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ctmp3"= c:\windows\System32\ctmp3.acm
"SENTINEL"= snti386.dll
"midi1"= ma_cmidn.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ PDBoot.exe\0smrgdf c:\program files\iolo\System Mechanic Professional 6\\0lsdelete

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^b^Start Menu^Programs^Startup^OpenOffice.org 2.0.lnk]
backup=c:\windows\pss\OpenOffice.org 2.0.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--a------ 2005-06-07 00:46 57344 c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative Detector]
--------- 2004-12-02 18:23 102400 c:\program files\Creative\MediaSource\Detector\CTDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 03:56 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ioloDelayModule]
--a------ 2005-06-08 14:31 96256 c:\program files\iolo\System Mechanic Professional 6\Delay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 11:50 155648 c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2009-02-09 14:18 13680640 c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2009-02-09 14:18 86016 c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-12-26 23:06 282624 c:\program files\K-Lite Codec Pack\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\REGSHAVE]
--a------ 2002-02-04 23:32 53248 c:\program files\REGSHAVE\Regshave.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSystemAnalyzer]
--a------ 2006-12-20 18:47 557056 c:\program files\iolo\System Mechanic Professional 6\SMSystemAnalyzer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2008-04-05 21:18 1271032 c:\program files\Steam\steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UIWatcher]
--------- 2004-12-02 18:23 102400 c:\program files\Creative\MediaSource\Detector\CTDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
--------- 2000-05-11 02:00 90112 c:\windows\Updreg.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2008-10-16 21:57 4347120 c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\1A:Stardock TrayMonitor]
--a------ 2002-07-02 18:56 24576 c:\windows\system32\CTHELPER.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2009-02-09 14:18 1657376 c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
--a------ 2006-03-01 16:22 577536 c:\windows\soundman.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Gadwin PrintScreen"="c:\program files\Gadwin Systems\PrintScreen\PrintScreen.exe" /nosplash
"TomTomHOME.exe"="c:\program files\TomTom HOME 2\HOMERunner.exe"
"UIWatcher"=c:\program files\Ashampoo\Ashampoo UnInstaller Platinum 2\UIWatcher.exe
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
"Yahoo! Pager"="c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="c:\program files\K-Lite Codec Pack\QuickTime\qttask.exe" -atboottime
"CTRegRun"=c:\windows\CTRegRun.EXE
"CTxfiHlp"=CTXFIHLP.EXE
"UpdReg"=c:\windows\UpdReg.EXE
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe"
"NvCplDaemon"=RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
"nwiz"=nwiz.exe /install
"TrueImageMonitor.exe"=c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe
"WheelMouse"=c:\program files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\msiupdat.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Stardock Games\\Sins of a Solar Empire\\Sins of a Solar Empire.exe"=
"c:\\Documents and Settings\\b\\Desktop\\utorrent.exe"=
"c:\\Games\\Mass Effect\\Binaries\\MassEffect.exe"=
"c:\\Games\\Mass Effect\\MassEffectLauncher.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\WBGames\\Monolith Productions\\F.E.A.R. 2 SP Demo\\FEAR2SPDemo.exe"=
"c:\\Games\\Activision\\Call of Duty - World at War\\CoDWaWmp.exe"=
"c:\\Games\\Activision\\Call of Duty - World at War\\CoDWaW.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"25455:TCP"= 25455:TCP:BitComet 25455 TCP
"25455:UDP"= 25455:UDP:BitComet 25455 UDP
"4100:UDP"= 4100:UDP:uPNP Router Control Port
"85:TCP"= 85:TCP:BroadWave Web Server

R1 BIOS;BIOS;c:\windows\system32\drivers\BIOS.sys [2005-12-21 13696]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2008-02-20 33800]
R1 msikbd2k;Multimedia Keyboard Filter Driver;c:\windows\system32\drivers\Msikbd2k.sys [2006-09-04 6656]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2008-02-01 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2008-02-01 51440]
R2 BroadWaveService;BroadWave;c:\program files\NCH Swift Sound\BroadWave\broadwave.exe [2009-03-12 499716]
R2 CachemanXPService;CachemanXP;c:\progra~1\CACHEM~1\CachemanXP.exe [2007-11-28 245248]
R2 ekrn;Eset Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2008-02-20 472320]
R2 gearsec;gearsec;c:\windows\system32\gearsec.exe [2003-12-01 53248]
R2 nhksrv;Netropa NHK Server;c:\program files\Netropa\Multimedia Keyboard\nhksrv.exe [2006-09-04 28672]
R3 AmdTools;AMD Special Tools Driver;c:\windows\system32\drivers\AmdTools.sys [2008-02-21 33792]
R3 CT20XUT.SYS;CT20XUT.SYS;c:\windows\system32\drivers\CT20XUT.sys [2008-08-27 171032]
R3 CTEXFIFX.SYS;CTEXFIFX.SYS;c:\windows\system32\drivers\CTEXFIFX.sys [2008-08-27 1324056]
R3 CTHWIUT.SYS;CTHWIUT.SYS;c:\windows\system32\drivers\CTHWIUT.sys [2008-08-27 72728]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2006-02-16 4096]
S0 BootScreen;BootScreen;\SystemRoot\\SystemRoot\System32\drivers\vidstub.sys --> \SystemRoot\\SystemRoot\System32\drivers\vidstub.sys [?]
S0 shdbus;shdbus; [x]
S0 Shield;Shield; [x]
S0 Shieldf;Shieldf; [x]
S0 shieldm;shieldm; [x]
S1 cloverm;cloverm;c:\windows\system32\DRIVERS\cloverm.sys --> c:\windows\system32\DRIVERS\cloverm.sys [?]
S1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys --> c:\windows\system32\drivers\nod32drv.sys [?]
S2 .EsetTrialReset;Eset Trial Reset;c:\windows\system32\regedt32.exe [2001-08-23 3584]
S2 Roxio Upnp Server 10;Roxio Upnp Server 10;c:\program files\Roxio\Digital Home 10\RoxioUpnpService10.exe [2007-08-24 362992]
S2 RoxLiveShare10;LiveShare P2P Server 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe [2007-08-24 309744]
S2 RoxWatch10;Roxio Hard Drive Watcher 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe [2007-08-24 166384]
S2 SessionLauncher;SessionLauncher;c:\docume~1\b\LOCALS~1\Temp\DX9\SessionLauncher.exe --> c:\docume~1\b\LOCALS~1\Temp\DX9\SessionLauncher.exe [?]
S3 Amps2prt;A4Tech PS/2 Port Mouse Driver;c:\windows\system32\drivers\Amps2prt.sys [2007-12-26 9600]
S3 bcgame;Nostromo HID Device Minidriver;c:\windows\system32\drivers\bcgame.sys [2003-07-24 22821]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [2008-12-26 79360]
S3 CT20XUT;CT20XUT;c:\windows\system32\drivers\CT20XUT.sys [2008-08-27 171032]
S3 CTEXFIFX;CTEXFIFX;c:\windows\system32\drivers\CTEXFIFX.sys [2008-08-27 1324056]
S3 CTHWIUT;CTHWIUT;c:\windows\system32\drivers\CTHWIUT.sys [2008-08-27 72728]
S3 DigiCellDriver;DigiCellDriver;c:\program files\MSI\DualCoreCenter\NTGLM7X.sys [2008-02-04 27648]
S3 hamachi_oem;PlayLinc Adapter;c:\windows\system32\drivers\gan_adapter.sys [2006-08-29 10664]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\1204.tmp --> c:\windows\system32\1204.tmp [?]
S3 QCEmerald;Logitech QuickCam Web;c:\windows\system32\drivers\OVCE.sys [2006-04-03 31872]
S3 Roxio UPnP Renderer 10;Roxio UPnP Renderer 10;c:\program files\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe [2007-08-24 72176]
S3 RoxMediaDB10;RoxMediaDB10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe [2007-08-24 1083888]
S3 RushTopDevice2;RushTopDevice2;c:\program files\MSI\DualCoreCenter\RushTop.sys [2008-02-04 39424]
S3 StreamSurge;StreamSurge Driver (miniport);c:\windows\system32\DRIVERS\ss.sys --> c:\windows\system32\DRIVERS\ss.sys [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MARKFUN_NT
*Deregistered* - MarkFun_NT

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\Start.exe
.
Contents of the 'Scheduled Tasks' folder

2009-03-29 c:\windows\Tasks\NSSstub.job
- c:\windows\system32\Adobe\Shockwave 11\nssstub.exe [2009-01-23 20:37]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
IE: &D&ownload &with BitComet - c:\program files\BitComet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\BitComet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\BitComet\BitComet.exe/AddAllLink.htm
IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm
IE: {{7A2EFD41-E6B3-11D2-89E3-00E0292EE574} - c:\program files\PRMT7\PRMTIE\prmtie5.htm
IE: {{7A2EFD41-E6B3-11D2-89E3-00E0292EE575} - c:\program files\PRMT7\PRMTIE\options.htm
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949}
LSP: c:\windows\system32\imon.dll
DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - hxxp://download.ewido.net/ewidoOnlineScan.cab
DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} - hxxp://liveupdate.msi.com.tw/autobios/LOnline/install.cab
FF - ProfilePath - c:\documents and settings\b\Application Data\Mozilla\Firefox\Profiles\qhv39rpk.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - about:blank
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-29 15:32:05
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CTxfiHlp = CTXFIHLP.EXE?

scanning hidden files ...


c:\docume~1\b\LOCALS~1\Temp\suggestedName-130.tmp 455349 bytes
c:\docume~1\b\LOCALS~1\Temp\suggestedName-131.tmp 13720 bytes
c:\docume~1\b\LOCALS~1\Temp\suggestedName-132.tmp 13720 bytes
c:\docume~1\b\LOCALS~1\Temp\suggestedName-133.tmp 16112 bytes
c:\docume~1\b\LOCALS~1\Temp\suggestedName-134.tmp 13720 bytes
c:\docume~1\b\LOCALS~1\Temp\suggestedName-135.tmp 16112 bytes
c:\docume~1\b\LOCALS~1\Temp\suggestedName-136.tmp 13720 bytes
c:\docume~1\b\LOCALS~1\Temp\suggestedName-137.tmp 651757 bytes
c:\docume~1\b\LOCALS~1\Temp\suggestedName-138.tmp 13720 bytes
c:\docume~1\b\LOCALS~1\Temp\suggestedName-139.tmp 267675 bytes
c:\docume~1\b\LOCALS~1\Temp\suggestedName-14.tmp 144019 bytes
c:\docume~1\b\LOCALS~1\Temp\suggestedName-140.tmp 13720 bytes
c:\docume~1\b\LOCALS~1\Temp\suggestedName-141.tmp 455349 bytes
scan completed successfully
hidden files: 3793

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet074\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\1204.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2052111302-1801674531-725345543-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-2052111302-1801674531-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{254355E2-A22B-48B2-12C2-82CF0484DC5A}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"abgcjnedijpaphmmmmdhjefamoondiccnb"=hex:61,61,00,00
"bbgcjnedijpaphmmmmggeeicdijgmkapaoca"=hex:61,61,00,00

[HKEY_USERS\S-1-5-21-2052111302-1801674531-725345543-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:64,cc,a5,20,99,62,7e,eb,ea,5c,b8,f0,6b,a6,13,7e,b8,6d,8f,50,4d,09,09,
ab,05,09,a1,bc,c4,d7,ba,1b,2b,62,1b,6e,97,22,86,df,e7,b7,08,89,00,7e,58,4b,\
"??"=hex:35,fc,c6,3d,c9,02,ad,db,37,1f,61,de,0f,33,8f,50

[HKEY_USERS\S-1-5-21-2052111302-1801674531-725345543-1003\Software\SecuROM\License information*]
"datasecu"=hex:dd,c5,16,9b,fa,18,a8,b2,be,8b,54,d5,23,9e,6f,ef,3d,04,3b,83,cb,
dd,87,7d,28,c0,2e,19,49,f0,e4,c0,fe,16,d0,87,c8,ed,38,62,d8,39,54,3d,e0,e8,\
"rkeysecu"=hex:0c,01,85,43,d9,94,1a,d5,71,29,87,48,26,17,d9,45

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\1w;_w4w*]
"91A14B995DF7C0B42ABAA16065968F3A"="c:\\Program Files\\Alias\\Maya7.0\\presets\\Ashli\\"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(864)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\program files\Common Files\Stardock\mcpstub.dll
c:\progra~1\ALIENG~1\wbsrv.dll

- - - - - - - > 'lsass.exe'(920)
c:\windows\system32\relog_ap.dll

- - - - - - - > 'explorer.exe'(7520)
c:\windows\TEMP\logishrd\LVPrcInj01.dll
c:\program files\Stardock\ObjectDock\DockShellHook.dll
c:\program files\Stardock\ObjectDock\Docklets\menuhook.func
c:\program files\Logitech\SetPoint\lgscroll.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Creative\Shared Files\CTAudSvc.exe
c:\program files\Common Files\Acronis\Schedule2\schedul2.exe
c:\windows\system32\CTsvcCDA.EXE
c:\program files\NCH Software\Components\mp3el\mp3enc.exe
c:\program files\NCH Software\Components\mp3el\mp3enc.exe
c:\program files\ewido anti-spyware 4.0\guard.exe
c:\program files\Norton GoBack\GBPoll.exe
c:\program files\Common Files\Logishrd\LVCOMSER\LVComSer.exe
c:\program files\Common Files\Logishrd\LVMVFM\LVPrcSrv.exe
c:\program files\M-Audio\M-Audio Series II MIDI\MA_CMIDI_Inst.exe
c:\program files\ESET\nod32krn.exe
c:\program files\NVIDIA Corporation\nTune\nTuneService.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Raxco\PerfectDisk\PDAgent.exe
c:\windows\system32\PnkBstrA.exe
c:\program files\Common Files\Stardock\SDMCP.exe
c:\windows\system32\snmp.exe
c:\program files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
c:\program files\TVersity\Media Server\MediaServer.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\CTxfispi.exe
c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.exe
c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe
c:\program files\Raxco\PerfectDisk\PDEngine.exe
c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\CPSHelpRunner10.exe
c:\docume~1\b\LOCALS~1\Temp\{FC4BC2FE-F660-4480-88E3-2C670A4D9F96}\Combined II.exe
.
**************************************************************************
.
Completion time: 2009-03-29 15:48:49 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-29 19:47:54
ComboFix2.txt 2009-03-29 17:40:06
ComboFix3.txt 2008-03-23 21:58:16
ComboFix4.txt 2008-03-12 22:18:48
ComboFix5.txt 2009-03-29 19:10:11

Pre-Run: 47,150,637,056 bytes free
Post-Run: 47,071,404,032 bytes free

Current=74 Default=74 Failed=73 LastKnownGood=75 Sets=1,11,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75
4219

Edited by extremeboy, 29 March 2009 - 08:40 PM.
Remove Redundant lines


#13 ouroboros

ouroboros
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  • Local time:08:01 AM

Posted 29 March 2009 - 08:09 PM

I cannot get GMER to complete a scan. It keeps rebooting my computer. I've tried it multiple times in both normal and safe mode.

I will keep trying, and if I can get it to finish I'll post the log.

#14 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:08:01 AM

Posted 29 March 2009 - 08:33 PM

Hello.

If it continues to fail when scanning, then stop running it and run the rootkit scan below instead.

Download and run RootRepeal CR

Please download RootRepeal to your desktop.
  • Physically disconnect your machine from the internet, as your system will be unprotected.
  • Unzip it to its own folder.
  • Close/disable all other programs, especially your security programs (anti-spyware, anti-virus, and firewall). Refer to this page if you are unsure how.
  • Double-click on Rooter.exe to run it. If you are using Vista, please right-click and run as Administrator...
  • Click the Report tab at the bottom.
  • Now click the Scan button.
  • A box will pop up; check the boxes beside ALL SIX.
  • Now click OK.
  • Another box will open; check the boxes beside all the drives, e.g. C:\, then click OK.
  • The scan will take a little while to run, so let it go unhindered.
  • Once it is done, click the Save Report button.
  • Save it as RepealScan and save it to your desktop.
  • Reconnect to the internet.
  • Post the log here in your reply.
Post back with:
-GMER log <- If it works
-RootRepeal CR Log

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.


#15 ouroboros

ouroboros
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  • Local time:08:01 AM

Posted 29 March 2009 - 08:47 PM

OK, I don't think it worked correctly... when I hit Scan, no box popped up for me to select anything... it ran the scan in like 2 seconds... I'll try again, but here's the log I got just in case:

ROOTREPEAL © AD, 2007-2008
==================================================
Scan Time: 2009/03/29 21:40
Program Version: Version 1.2.3.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: 00000046
Image Path: \Driver\00000046
Address: 0x00000000 Size: 0 File Visible: No
Status: -

Name: 1394BUS.SYS
Image Path: C:\WINDOWS\System32\DRIVERS\1394BUS.SYS
Address: 0xF74F7000 Size: 53248 File Visible: -
Status: -

Name: a68ohh3t.SYS
Image Path: C:\WINDOWS\System32\Drivers\a68ohh3t.SYS
Address: 0xF671C000 Size: 303104 File Visible: No
Status: -

Name: ACPI.sys
Image Path: ACPI.sys
Address: 0xF7269000 Size: 187776 File Visible: -
Status: -

Name: ACPI_HAL
Image Path: \Driver\ACPI_HAL
Address: 0x804D7000 Size: 2142208 File Visible: -
Status: -

Name: AegisP.sys
Image Path: C:\WINDOWS\system32\DRIVERS\AegisP.sys
Address: 0xF7807000 Size: 18720 File Visible: -
Status: -

Name: afd.sys
Image Path: C:\WINDOWS\System32\drivers\afd.sys
Address: 0xEFBF3000 Size: 138496 File Visible: -
Status: -

Name: AmdK8.sys
Image Path: C:\WINDOWS\system32\DRIVERS\AmdK8.sys
Address: 0xF75C7000 Size: 57344 File Visible: -
Status: -

Name: AmdLLD.sys
Image Path: C:\WINDOWS\system32\DRIVERS\AmdLLD.sys
Address: 0xF76F7000 Size: 61440 File Visible: -
Status: -

Name: AmdTools.sys
Image Path: C:\WINDOWS\system32\DRIVERS\AmdTools.sys
Address: 0xF76E7000 Size: 61440 File Visible: -
Status: -

Name: Amfilter.sys
Image Path: C:\WINDOWS\System32\DRIVERS\Amfilter.sys
Address: 0xF79EB000 Size: 4992 File Visible: -
Status: -

Name: arp1394.sys
Image Path: C:\WINDOWS\System32\DRIVERS\arp1394.sys
Address: 0xF7657000 Size: 60800 File Visible: -
Status: -

Name: atapi.sys
Image Path: atapi.sys
Address: 0xF71FB000 Size: 98304 File Visible: -
Status: -

Name: atapi.sys
Image Path: atapi.sys
Address: 0x00000000 Size: 0 File Visible: -
Status: -

Name: atksgt.sys
Image Path: C:\WINDOWS\system32\DRIVERS\atksgt.sys
Address: 0xBA440000 Size: 271872 File Visible: -
Status: -

Name: ATMFD.DLL
Image Path: C:\WINDOWS\System32\ATMFD.DLL
Address: 0xBFFA0000 Size: 286720 File Visible: -
Status: -

Name: audstub.sys
Image Path: C:\WINDOWS\System32\DRIVERS\audstub.sys
Address: 0xF7ACB000 Size: 3072 File Visible: -
Status: -

Name: BANTExt.sys
Image Path: C:\WINDOWS\System32\Drivers\BANTExt.sys
Address: 0xF7B28000 Size: 2144 File Visible: -
Status: -

Name: Beep.SYS
Image Path: C:\WINDOWS\System32\Drivers\Beep.SYS
Address: 0xF79E5000 Size: 4224 File Visible: -
Status: -

Name: BIOS.sys
Image Path: C:\WINDOWS\System32\drivers\BIOS.sys
Address: 0xEFC8F000 Size: 13696 File Visible: -
Status: -

Name: BOOTVID.dll
Image Path: C:\WINDOWS\system32\BOOTVID.dll
Address: 0xF7897000 Size: 12288 File Visible: -
Status: -

Name: bridge.sys
Image Path: C:\WINDOWS\System32\DRIVERS\bridge.sys
Address: 0xF6625000 Size: 71552 File Visible: -
Status: -

Name: btaudio.sys
Image Path: C:\WINDOWS\system32\drivers\btaudio.sys
Address: 0xF6433000 Size: 522432 File Visible: -
Status: -

Name: btkrnl.sys
Image Path: C:\WINDOWS\system32\DRIVERS\btkrnl.sys
Address: 0xF6637000 Size: 852288 File Visible: -
Status: -

Name: btport.sys
Image Path: C:\WINDOWS\system32\DRIVERS\btport.sys
Address: 0xF782F000 Size: 28256 File Visible: -
Status: -

Name: Cdr4_2K.SYS
Image Path: C:\WINDOWS\System32\Drivers\Cdr4_2K.SYS
Address: 0xF75E7000 Size: 52192 File Visible: -
Status: -

Name: Cdralw2k.SYS
Image Path: C:\WINDOWS\System32\Drivers\Cdralw2k.SYS
Address: 0xF7AAA000 Size: 2560 File Visible: -
Status: -

Name: cdrom.sys
Image Path: C:\WINDOWS\System32\DRIVERS\cdrom.sys
Address: 0xF75F7000 Size: 49536 File Visible: -
Status: -

Name: CLASSPNP.SYS
Image Path: C:\WINDOWS\System32\DRIVERS\CLASSPNP.SYS
Address: 0xF74C7000 Size: 53248 File Visible: -
Status: -

Name: CT20XUT.SYS
Image Path: C:\WINDOWS\System32\drivers\CT20XUT.SYS
Address: 0xF1FB2000 Size: 180224 File Visible: -
Status: -

Name: ctac32k.sys
Image Path: C:\WINDOWS\System32\drivers\ctac32k.sys
Address: 0xF1FF3000 Size: 638976 File Visible: -
Status: -

Name: ctaud2k.sys
Image Path: C:\WINDOWS\system32\drivers\ctaud2k.sys
Address: 0xF6DD7000 Size: 519552 File Visible: -
Status: -

Name: CTEXFIFX.SYS
Image Path: C:\WINDOWS\System32\drivers\CTEXFIFX.SYS
Address: 0xF1E6B000 Size: 1339392 File Visible: -
Status: -

Name: CTHWIUT.SYS
Image Path: C:\WINDOWS\System32\drivers\CTHWIUT.SYS
Address: 0xF1FDE000 Size: 86016 File Visible: -
Status: -

Name: ctoss2k.sys
Image Path: C:\WINDOWS\system32\drivers\ctoss2k.sys
Address: 0xF6D7E000 Size: 217088 File Visible: -
Status: -

Name: ctprxy2k.sys
Image Path: C:\WINDOWS\System32\drivers\ctprxy2k.sys
Address: 0xF778F000 Size: 32768 File Visible: -
Status: -

Name: ctsfm2k.sys
Image Path: C:\WINDOWS\System32\drivers\ctsfm2k.sys
Address: 0xF208F000 Size: 167936 File Visible: -
Status: -

Name: DefragFS.sys
Image Path: DefragFS.sys
Address: 0xF7175000 Size: 77824 File Visible: -
Status: -

Name: disk.sys
Image Path: disk.sys
Address: 0xF74B7000 Size: 36352 File Visible: -
Status: -

Name: dmio.sys
Image Path: dmio.sys
Address: 0xF7213000 Size: 153344 File Visible: -
Status: -

Name: dmload.sys
Image Path: dmload.sys
Address: 0xF798B000 Size: 5888 File Visible: -
Status: -

Name: drmk.sys
Image Path: C:\WINDOWS\system32\drivers\drmk.sys
Address: 0xF7627000 Size: 61440 File Visible: -
Status: -

Name: ds1410d.sys
Image Path: C:\WINDOWS\System32\drivers\ds1410d.sys
Address: 0xF7A19000 Size: 4768 File Visible: -
Status: -

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xEF399000 Size: 98304 File Visible: No
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF79DD000 Size: 8192 File Visible: No
Status: -

Name: Dxapi.sys
Image Path: C:\WINDOWS\System32\drivers\Dxapi.sys
Address: 0xF641F000 Size: 12288 File Visible: -
Status: -

Name: dxg.sys
Image Path: C:\WINDOWS\System32\drivers\dxg.sys
Address: 0xBF000000 Size: 73728 File Visible: -
Status: -

Name: dxgthk.sys
Image Path: C:\WINDOWS\System32\drivers\dxgthk.sys
Address: 0xF7BA3000 Size: 4096 File Visible: -
Status: -

Name: eamon.sys
Image Path: C:\WINDOWS\system32\DRIVERS\eamon.sys
Address: 0xBA3F3000 Size: 315392 File Visible: -
Status: -

Name: easdrv.sys
Image Path: C:\WINDOWS\system32\DRIVERS\easdrv.sys
Address: 0xF65EE000 Size: 45056 File Visible: -
Status: -

Name: emupia2k.sys
Image Path: C:\WINDOWS\System32\drivers\emupia2k.sys
Address: 0xF20B8000 Size: 196608 File Visible: -
Status: -

Name: epfwtdir.sys
Image Path: C:\WINDOWS\system32\DRIVERS\epfwtdir.sys
Address: 0xF7647000 Size: 49152 File Visible: -
Status: -

Name: ET5Drv.sys
Image Path: C:\WINDOWS\system32\Drivers\ET5Drv.sys
Address: 0xBA260000 Size: 19648 File Visible: -
Status: -

Name: Fastfat.SYS
Image Path: C:\WINDOWS\System32\Drivers\Fastfat.SYS
Address: 0xBA7DD000 Size: 143360 File Visible: -
Status: -

Name: FileDisk.SYS
Image Path: C:\WINDOWS\System32\Drivers\FileDisk.SYS
Address: 0xF6F18000 Size: 9280 File Visible: -
Status: -

Name: Fips.SYS
Image Path: C:\WINDOWS\System32\Drivers\Fips.SYS
Address: 0xF65FE000 Size: 34944 File Visible: -
Status: -

Name: fltmgr.sys
Image Path: fltmgr.sys
Address: 0xF71DB000 Size: 128896 File Visible: -
Status: -

Name: Fs_Rec.SYS
Image Path: C:\WINDOWS\System32\Drivers\Fs_Rec.SYS
Address: 0xF79E1000 Size: 7936 File Visible: -
Status: -

Name: ftdisk.sys
Image Path: ftdisk.sys
Address: 0xF7239000 Size: 125056 File Visible: -
Status: -

Name: GBDevice.sys
Image Path: GBDevice.sys
Address: 0xF7A4F000 Size: 4000 File Visible: -
Status: -

Name: GBFSHook.SYS
Image Path: C:\WINDOWS\System32\Drivers\GBFSHook.SYS
Address: 0xEF3DD000 Size: 16032 File Visible: -
Status: -

Name: GEARAspiWDM.sys
Image Path: C:\WINDOWS\SYSTEM32\DRIVERS\GEARAspiWDM.sys
Address: 0xF7847000 Size: 28672 File Visible: -
Status: -

Name: giveio.sys
Image Path: giveio.sys
Address: 0xF7A51000 Size: 1664 File Visible: No
Status: -

Name: GoBack2K.sys
Image Path: GoBack2K.sys
Address: 0xF719F000 Size: 170624 File Visible: -
Status: -

Name: guard.sys
Image Path: C:\Program Files\ewido anti-spyware 4.0\guard.sys
Address: 0xF7B16000 Size: 3968 File Visible: -
Status: -

Name: ha20x2k.sys
Image Path: C:\WINDOWS\system32\drivers\ha20x2k.sys
Address: 0xF20E8000 Size: 1191936 File Visible: -
Status: -

Name: hal.dll
Image Path: C:\WINDOWS\system32\hal.dll
Address: 0x806E2000 Size: 134400 File Visible: -
Status: -

Name: hardlock.sys
Image Path: C:\WINDOWS\system32\drivers\hardlock.sys
Address: 0xB9F28000 Size: 685056 File Visible: -
Status: -

Name: Haspnt.sys
Image Path: C:\WINDOWS\System32\drivers\Haspnt.sys
Address: 0xBA715000 Size: 47616 File Visible: -
Status: -

Name: HIDCLASS.SYS
Image Path: C:\WINDOWS\System32\DRIVERS\HIDCLASS.SYS
Address: 0xF65CE000 Size: 36864 File Visible: -
Status: -

Name: HIDPARSE.SYS
Image Path: C:\WINDOWS\System32\DRIVERS\HIDPARSE.SYS
Address: 0xF7877000 Size: 28672 File Visible: -
Status: -

Name: hidusb.sys
Image Path: C:\WINDOWS\System32\DRIVERS\hidusb.sys
Address: 0xEF9F5000 Size: 9600 File Visible: -
Status: -

Name: HTTP.sys
Image Path: C:\WINDOWS\System32\Drivers\HTTP.sys
Address: 0xB9057000 Size: 262784 File Visible: -
Status: -

Name: imapi.sys
Image Path: C:\WINDOWS\System32\DRIVERS\imapi.sys
Address: 0xF75D7000 Size: 41856 File Visible: -
Status: -

Name: ipnat.sys
Image Path: C:\WINDOWS\System32\DRIVERS\ipnat.sys
Address: 0xEFC97000 Size: 134912 File Visible: -
Status: -

Name: ipsec.sys
Image Path: C:\WINDOWS\System32\DRIVERS\ipsec.sys
Address: 0xEFD38000 Size: 74752 File Visible: -
Status: -

Name: isapnp.sys
Image Path: isapnp.sys
Address: 0xF7487000 Size: 35840 File Visible: -
Status: -

Name: kbdclass.sys
Image Path: C:\WINDOWS\System32\DRIVERS\kbdclass.sys
Address: 0xF7727000 Size: 24576 File Visible: -
Status: -

Name: kbdhid.sys
Image Path: C:\WINDOWS\System32\DRIVERS\kbdhid.sys
Address: 0xF640B000 Size: 14848 File Visible: -
Status: -

Name: KDCOM.DLL
Image Path: C:\WINDOWS\system32\KDCOM.DLL
Address: 0xF7987000 Size: 8192 File Visible: -
Status: -

Name: kmixer.sys
Image Path: C:\WINDOWS\system32\drivers\kmixer.sys
Address: 0xB8226000 Size: 172416 File Visible: -
Status: -

Name: ks.sys
Image Path: C:\WINDOWS\System32\DRIVERS\ks.sys
Address: 0xF6E7E000 Size: 143360 File Visible: -
Status: -

Name: KSecDD.sys
Image Path: KSecDD.sys
Address: 0xF7188000 Size: 92032 File Visible: -
Status: -

Name: LHidFilt.Sys
Image Path: C:\WINDOWS\system32\DRIVERS\LHidFilt.Sys
Address: 0xEFB33000 Size: 28672 File Visible: -
Status: -

Name: lirsgt.sys
Image Path: C:\WINDOWS\system32\DRIVERS\lirsgt.sys
Address: 0xBA188000 Size: 18048 File Visible: -
Status: -

Name: LMouFilt.Sys
Image Path: C:\WINDOWS\system32\DRIVERS\LMouFilt.Sys
Address: 0xF787F000 Size: 30208 File Visible: -
Status: -

Name: lvrs.sys
Image Path: C:\WINDOWS\system32\DRIVERS\lvrs.sys
Address: 0xEF47C000 Size: 621184 File Visible: -
Status: -

Name: lvselsus.sys
Image Path: C:\WINDOWS\system32\DRIVERS\lvselsus.sys
Address: 0xF658E000 Size: 59776 File Visible: -
Status: -

Name: LVUSBSta.sys
Image Path: C:\WINDOWS\system32\drivers\LVUSBSta.sys
Address: 0xF659E000 Size: 35072 File Visible: -
Status: -

Name: lvuvc.sys
Image Path: C:\WINDOWS\system32\DRIVERS\lvuvc.sys
Address: 0xEF514000 Size: 4651904 File Visible: -
Status: -

Name: markfun.w32
Image Path: C:\Program Files\Gigabyte\ET5\markfun.w32
Address: 0xB8F07000 Size: 36864 File Visible: -
Status: -

Name: mcdbus.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mcdbus.sys
Address: 0xF64E7000 Size: 116736 File Visible: -
Status: -

Name: mnmdd.SYS
Image Path: C:\WINDOWS\System32\Drivers\mnmdd.SYS
Address: 0xF79F3000 Size: 4224 File Visible: -
Status: -

Name: mouclass.sys
Image Path: C:\WINDOWS\System32\DRIVERS\mouclass.sys
Address: 0xF777F000 Size: 23040 File Visible: -
Status: -

Name: mouhid.sys
Image Path: C:\WINDOWS\System32\DRIVERS\mouhid.sys
Address: 0xEFAD3000 Size: 12160 File Visible: -
Status: -

Name: MountMgr.sys
Image Path: MountMgr.sys
Address: 0xF7497000 Size: 42240 File Visible: -
Status: -

Name: mrxsmb.sys
Image Path: C:\WINDOWS\System32\DRIVERS\mrxsmb.sys
Address: 0xEFA21000 Size: 453120 File Visible: -
Status: -

Name: Msfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Msfs.SYS
Address: 0xF7777000 Size: 19072 File Visible: -
Status: -

Name: msgpc.sys
Image Path: C:\WINDOWS\System32\DRIVERS\msgpc.sys
Address: 0xF76C7000 Size: 35072 File Visible: -
Status: -

Name: msikbd2k.sys
Image Path: C:\WINDOWS\System32\DRIVERS\msikbd2k.sys
Address: 0xF79EF000 Size: 6656 File Visible: -
Status: -

Name: mssmbios.sys
Image Path: C:\WINDOWS\System32\DRIVERS\mssmbios.sys
Address: 0xF6F28000 Size: 15488 File Visible: -
Status: -

Name: Mup.sys
Image Path: Mup.sys
Address: 0xF6FAC000 Size: 107904 File Visible: -
Status: -

Name: NDIS.sys
Image Path: NDIS.sys
Address: 0xF70BB000 Size: 182912 File Visible: -
Status: -

Name: ndistapi.sys
Image Path: C:\WINDOWS\System32\DRIVERS\ndistapi.sys
Address: 0xF6ED0000 Size: 9600 File Visible: -
Status: -

Name: ndisuio.sys
Image Path: C:\WINDOWS\System32\DRIVERS\ndisuio.sys
Address: 0xBA69D000 Size: 12928 File Visible: -
Status: -

Name: ndiswan.sys
Image Path: C:\WINDOWS\System32\DRIVERS\ndiswan.sys
Address: 0xF660E000 Size: 91776 File Visible: -
Status: -

Name: NDProxy.SYS
Image Path: C:\WINDOWS\System32\Drivers\NDProxy.SYS
Address: 0xF7567000 Size: 38016 File Visible: -
Status: -

Name: netbios.sys
Image Path: C:\WINDOWS\System32\DRIVERS\netbios.sys
Address: 0xF7667000 Size: 34560 File Visible: -
Status: -

Name: netbt.sys
Image Path: C:\WINDOWS\System32\DRIVERS\netbt.sys
Address: 0xEFCB8000 Size: 162816 File Visible: -
Status: -

Name: nic1394.sys
Image Path: C:\WINDOWS\System32\DRIVERS\nic1394.sys
Address: 0xF7527000 Size: 61824 File Visible: -
Status: -

Name: Npfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Npfs.SYS
Address: 0xF7797000 Size: 30848 File Visible: -
Status: -

Name: Ntfs.sys
Image Path: Ntfs.sys
Address: 0xF70E8000 Size: 574464 File Visible: -
Status: -

Name: ntkrnlpa.exe
Image Path: C:\WINDOWS\system32\ntkrnlpa.exe
Address: 0x804D7000 Size: 2142208 File Visible: -
Status: -

Name: Null.SYS
Image Path: C:\WINDOWS\System32\Drivers\Null.SYS
Address: 0xF7A8C000 Size: 2944 File Visible: -
Status: -

Name: nv4_disp.dll
Image Path: C:\WINDOWS\System32\nv4_disp.dll
Address: 0xBF012000 Size: 6189056 File Visible: -
Status: -

Name: nv4_mini.sys
Image Path: C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
Address: 0xF677A000 Size: 6307328 File Visible: -
Status: -

Name: ohci1394.sys
Image Path: ohci1394.sys
Address: 0xF74E7000 Size: 61056 File Visible: -
Status: -

Name: parport.sys
Image Path: C:\WINDOWS\System32\DRIVERS\parport.sys
Address: 0xF6708000 Size: 80128 File Visible: -
Status: -

Name: PartMgr.sys
Image Path: PartMgr.sys
Address: 0xF770F000 Size: 18688 File Visible: -
Status: -

Name: ParVdm.SYS
Image Path: C:\WINDOWS\System32\Drivers\ParVdm.SYS
Address: 0xF79B9000 Size: 6784 File Visible: -
Status: -

Name: pci.sys
Image Path: pci.sys
Address: 0xF7258000 Size: 68224 File Visible: -
Status: -

Name: pciide.sys
Image Path: pciide.sys
Address: 0xF7A50000 Size: 3328 File Visible: -
Status: -

Name: PCIIDEX.SYS
Image Path: C:\WINDOWS\System32\DRIVERS\PCIIDEX.SYS
Address: 0xF7707000 Size: 28672 File Visible: -
Status: -

Name: PnpManager
Image Path: \Driver\PnpManager
Address: 0x804D7000 Size: 2142208 File Visible: -
Status: -

Name: portcls.sys
Image Path: C:\WINDOWS\system32\drivers\portcls.sys
Address: 0xF6DB3000 Size: 147456 File Visible: -
Status: -

Name: psched.sys
Image Path: C:\WINDOWS\System32\DRIVERS\psched.sys
Address: 0xF655D000 Size: 69120 File Visible: -
Status: -

Name: ptilink.sys
Image Path: C:\WINDOWS\System32\DRIVERS\ptilink.sys
Address: 0xF7837000 Size: 17792 File Visible: -
Status: -

Name: PxHelp20.sys
Image Path: PxHelp20.sys
Address: 0xF74D7000 Size: 36320 File Visible: -
Status: -

Name: rasacd.sys
Image Path: C:\WINDOWS\System32\DRIVERS\rasacd.sys
Address: 0xF6528000 Size: 8832 File Visible: -
Status: -

Name: rasl2tp.sys
Image Path: C:\WINDOWS\System32\DRIVERS\rasl2tp.sys
Address: 0xF7697000 Size: 51328 File Visible: -
Status: -

Name: raspppoe.sys
Image Path: C:\WINDOWS\System32\DRIVERS\raspppoe.sys
Address: 0xF76A7000 Size: 41472 File Visible: -
Status: -

Name: raspptp.sys
Image Path: C:\WINDOWS\System32\DRIVERS\raspptp.sys
Address: 0xF76B7000 Size: 48384 File Visible: -
Status: -

Name: raspti.sys
Image Path: C:\WINDOWS\System32\DRIVERS\raspti.sys
Address: 0xF784F000 Size: 16512 File Visible: -
Status: -

Name: RAW
Image Path: \FileSystem\RAW
Address: 0x804D7000 Size: 2142208 File Visible: -
Status: -

Name: rdbss.sys
Image Path: C:\WINDOWS\System32\DRIVERS\rdbss.sys
Address: 0xEFA90000 Size: 174592 File Visible: -
Status: -

Name: RDPCDD.sys
Image Path: C:\WINDOWS\System32\DRIVERS\RDPCDD.sys
Address: 0xF79F7000 Size: 4224 File Visible: -
Status: -

Name: rdpdr.sys
Image Path: C:\WINDOWS\System32\DRIVERS\rdpdr.sys
Address: 0xF652C000 Size: 196864 File Visible: -
Status: -

Name: redbook.sys
Image Path: C:\WINDOWS\System32\DRIVERS\redbook.sys
Address: 0xF7607000 Size: 57472 File Visible: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB9640000 Size: 45056 File Visible: No
Status: -

Name: SASDIFSV.SYS
Image Path: C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
Address: 0xF779F000 Size: 28672 File Visible: -
Status: -

Name: SASENUM.SYS
Image Path: C:\Program Files\SUPERAntiSpyware\SASENUM.SYS
Address: 0xBA0F0000 Size: 20480 File Visible: -
Status: -

Name: SASKUTIL.sys
Image Path: C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys
Address: 0xEFAE3000 Size: 131072 File Visible: -
Status: -

Name: SCDEmu.SYS
Image Path: C:\WINDOWS\System32\Drivers\SCDEmu.SYS
Address: 0xF786F000 Size: 29376 File Visible: -
Status: -

Name: SCSIPORT.SYS
Image Path: C:\WINDOWS\System32\Drivers\SCSIPORT.SYS
Address: 0xF7297000 Size: 98304 File Visible: -
Status: -

Name: secdrv.sys
Image Path: C:\WINDOWS\System32\DRIVERS\secdrv.sys
Address: 0xB9EB8000 Size: 40960 File Visible: -
Status: -

Name: SENTINEL.SYS
Image Path: C:\WINDOWS\System32\Drivers\SENTINEL.SYS
Address: 0xBA483000 Size: 73728 File Visible: -
Status: -

Name: serenum.sys
Image Path: C:\WINDOWS\System32\DRIVERS\serenum.sys
Address: 0xF6EF0000 Size: 15488 File Visible: -
Status: -

Name: serial.sys
Image Path: C:\WINDOWS\System32\DRIVERS\serial.sys
Address: 0xF7637000 Size: 64896 File Visible: -
Status: -

Name: sfdrv01.sys
Image Path: sfdrv01.sys
Address: 0xF6FC7000 Size: 73728 File Visible: -
Status: -

Name: sfhlp02.sys
Image Path: sfhlp02.sys
Address: 0xF7717000 Size: 32768 File Visible: -
Status: -

Name: snapman.sys
Image Path: snapman.sys
Address: 0xF6FD9000 Size: 122560 File Visible: -
Status: -

Name: speedfan.sys
Image Path: speedfan.sys
Address: 0xF798D000 Size: 5248 File Visible: No
Status: -

Name: sptd.sys
Image Path: sptd.sys
Address: 0xF72AF000 Size: 880640 File Visible: -
Status: -

Name: sr.sys
Image Path: sr.sys
Address: 0xF71C9000 Size: 73472 File Visible: -
Status: -

Name: swenum.sys
Image Path: C:\WINDOWS\System32\DRIVERS\swenum.sys
Address: 0xF79C1000 Size: 4352 File Visible: -
Status: -

Name: sysaudio.sys
Image Path: C:\WINDOWS\system32\drivers\sysaudio.sys
Address: 0xBA50D000 Size: 60800 File Visible: -
Status: -

Name: tcpip.sys
Image Path: C:\WINDOWS\System32\DRIVERS\tcpip.sys
Address: 0xEFCE0000 Size: 360064 File Visible: -
Status: -

Name: TDI.SYS
Image Path: C:\WINDOWS\System32\DRIVERS\TDI.SYS
Address: 0xF77CF000 Size: 20480 File Visible: -
Status: -

Name: tdrpman.sys
Image Path: tdrpman.sys
Address: 0xF6FF7000 Size: 361856 File Visible: -
Status: -

Name: termdd.sys
Image Path: C:\WINDOWS\System32\DRIVERS\termdd.sys
Address: 0xF76D7000 Size: 40704 File Visible: -
Status: -

Name: tifsfilt.sys
Image Path: C:\WINDOWS\system32\DRIVERS\tifsfilt.sys
Address: 0xEFBA3000 Size: 37696 File Visible: -
Status: -

Name: timntr.sys
Image Path: timntr.sys
Address: 0xF7050000 Size: 435072 File Visible: -
Status: -

Name: Udfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Udfs.SYS
Address: 0xEF984000 Size: 66176 File Visible: -
Status: -

Name: update.sys
Image Path: C:\WINDOWS\System32\DRIVERS\update.sys
Address: 0xF64B3000 Size: 209408 File Visible: -
Status: -

Name: usbaudio.sys
Image Path: C:\WINDOWS\system32\drivers\usbaudio.sys
Address: 0xF657E000 Size: 59264 File Visible: -
Status: -

Name: usbccgp.sys
Image Path: C:\WINDOWS\System32\DRIVERS\usbccgp.sys
Address: 0xF77EF000 Size: 31616 File Visible: -
Status: -

Name: USBD.SYS
Image Path: C:\WINDOWS\System32\DRIVERS\USBD.SYS
Address: 0xF79C5000 Size: 8192 File Visible: -
Status: -

Name: usbehci.sys
Image Path: C:\WINDOWS\System32\DRIVERS\usbehci.sys
Address: 0xF77E7000 Size: 26624 File Visible: -
Status: -

Name: usbhub.sys
Image Path: C:\WINDOWS\System32\DRIVERS\usbhub.sys
Address: 0xF7537000 Size: 57600 File Visible: -
Status: -

Name: usbohci.sys
Image Path: C:\WINDOWS\System32\DRIVERS\usbohci.sys
Address: 0xF77B7000 Size: 17024 File Visible: -
Status: -

Name: USBPORT.SYS
Image Path: C:\WINDOWS\System32\DRIVERS\USBPORT.SYS
Address: 0xF6EA1000 Size: 143360 File Visible: -
Status: -

Name: USBSTOR.SYS
Image Path: C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS
Address: 0xF7857000 Size: 26496 File Visible: -
Status: -

Name: vga.sys
Image Path: C:\WINDOWS\System32\drivers\vga.sys
Address: 0xF7887000 Size: 20992 File Visible: -
Status: -

Name: VIDEOPRT.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS
Address: 0xF6766000 Size: 81920 File Visible: -
Status: -

Name: VolSnap.sys
Image Path: VolSnap.sys
Address: 0xF74A7000 Size: 52352 File Visible: -
Status: -

Name: vsdatant.sys
Image Path: C:\WINDOWS\System32\vsdatant.sys
Address: 0xEFC15000 Size: 366912 File Visible: -
Status: -

Name: wanarp.sys
Image Path: C:\WINDOWS\System32\DRIVERS\wanarp.sys
Address: 0xF7617000 Size: 34560 File Visible: -
Status: -

Name: watchdog.sys
Image Path: C:\WINDOWS\System32\watchdog.sys
Address: 0xF781F000 Size: 20480 File Visible: -
Status: -

Name: Wdf01000.sys
Image Path: C:\WINDOWS\system32\DRIVERS\Wdf01000.sys
Address: 0xEF401000 Size: 503808 File Visible: -
Status: -

Name: WDFLDR.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\WDFLDR.SYS
Address: 0xF656E000 Size: 53248 File Visible: -
Status: -

Name: wdmaud.sys
Image Path: C:\WINDOWS\system32\drivers\wdmaud.sys
Address: 0xBA2EE000 Size: 82944 File Visible: -
Status: -

Name: Win32k
Image Path: \Driver\Win32k
Address: 0xBF800000 Size: 1847296 File Visible: -
Status: -

Name: win32k.sys
Image Path: C:\WINDOWS\System32\win32k.sys
Address: 0xBF800000 Size: 1847296 File Visible: -
Status: -

Name: WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\WMILIB.SYS
Address: 0xF7989000 Size: 8192 File Visible: -
Status: -

Name: WMIxWDM
Image Path: \Driver\WMIxWDM
Address: 0x804D7000 Size: 2142208 File Visible: -
Status: -

Name: ws2ifsl.sys
Image Path: C:\WINDOWS\System32\drivers\ws2ifsl.sys
Address: 0xF6504000 Size: 12032 File Visible: -
Status: -
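A script to triage the Drivers section of a RootRepeal log like the one above, added here as an example (it is not from the thread and not part of RootRepeal): it parses the Name/Image Path/Address/Status blocks, lists the drivers RootRepeal reports with no visible file on disk, which is the main rootkit indicator such a log gives, and separately lists driver names that look machine-generated. The allowlist of drivers expected to lack a visible file (rootrepeal.sys and the dump_* entries) and the generated-name heuristic are my own assumptions, tuned against the names in this log, and the sample report is a constructed excerpt of it. Either list is a prompt to look closer, not a verdict: legitimate tools also load drivers that are not backed by a file on disk.

```python
"""Triage the Drivers section of a RootRepeal report (added example)."""
import re

# Constructed excerpt in the layout of the log above (entries copied from it).
SAMPLE_REPORT = """\
ROOTREPEAL (c) AD, 2007-2008
==================================================

Drivers
-------------------
Name: 1394BUS.SYS
Image Path: C:\\WINDOWS\\System32\\DRIVERS\\1394BUS.SYS
Address: 0xF74F7000 Size: 53248 File Visible: -
Status: -

Name: a68ohh3t.SYS
Image Path: C:\\WINDOWS\\System32\\Drivers\\a68ohh3t.SYS
Address: 0xF671C000 Size: 303104 File Visible: No
Status: -

Name: dump_atapi.sys
Image Path: C:\\WINDOWS\\System32\\Drivers\\dump_atapi.sys
Address: 0xEF399000 Size: 98304 File Visible: No
Status: -

Name: giveio.sys
Image Path: giveio.sys
Address: 0xF7A51000 Size: 1664 File Visible: No
Status: -

Name: rootrepeal.sys
Image Path: C:\\WINDOWS\\system32\\drivers\\rootrepeal.sys
Address: 0xB9640000 Size: 45056 File Visible: No
Status: -
"""

ADDR_RE = re.compile(r"Address: (?P<address>0x[0-9A-Fa-f]+) Size: (?P<size>\d+) "
                     r"File Visible: (?P<visible>\S+)")

# Assumed benign without a visible file: RootRepeal's own scanning driver and
# the dump_* copies of the boot storage stack Windows keeps for crash dumps.
EXPECTED_HIDDEN = {"rootrepeal.sys"}


def parse_drivers(report: str) -> list[dict[str, str]]:
    """Return one dict per entry of the Drivers section (empty if absent)."""
    lines = report.splitlines()
    if "Drivers" not in lines:
        return []
    drivers: list[dict[str, str]] = []
    current: dict[str, str] = {}
    for line in lines[lines.index("Drivers") + 2:]:  # +2 skips the underline
        if not line.strip():          # a blank line closes an entry
            if current:
                drivers.append(current)
                current = {}
        elif line.startswith("Address: "):
            m = ADDR_RE.match(line)   # address, size and visibility share a line
            if m:
                current.update(m.groupdict())
        elif line.startswith(("Name: ", "Image Path: ", "Status: ")):
            key, value = line.split(": ", 1)
            current[key.lower().replace(" ", "_")] = value
        else:
            break                     # next section header: stop
    if current:
        drivers.append(current)
    return drivers


def is_expected_hidden(name: str) -> bool:
    n = name.lower()
    return n in EXPECTED_HIDDEN or n.startswith("dump_")


def looks_generated(name: str) -> bool:
    """Heuristic of mine, not RootRepeal's: an 8-char alphanumeric stem that
    switches between letter and digit runs 3+ times (a68ohh3t yes, PxHelp20 no)."""
    stem = name.rsplit(".", 1)[0]
    if len(stem) != 8 or not stem.isalnum():
        return False
    kinds = [c.isdigit() for c in stem]
    return sum(a != b for a, b in zip(kinds, kinds[1:])) >= 3


def triage(report: str) -> dict[str, list[str]]:
    """Names worth a second look: no visible file, or a generated-looking name."""
    drivers = parse_drivers(report)
    return {
        "hidden_file": [d["name"] for d in drivers
                        if d.get("visible", "").lower() == "no"
                        and not is_expected_hidden(d["name"])],
        "generated_name": [d["name"] for d in drivers if looks_generated(d["name"])],
    }


if __name__ == "__main__":
    for label, names in triage(SAMPLE_REPORT).items():
        print(f"{label}: {', '.join(names) or 'none'}")
```

Run against the full log posted above, the script would also surface speedfan.sys and the dump_WMILIB.SYS exception; the generated-name check is deliberately strict (exact eight-character stem, three or more letter/digit switches) so that vendor names such as PxHelp20 or emupia2k pass, but it is a triage aid and will miss differently shaped random names.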



