
Desperate for help with Window Police Pro Malware


43 replies to this topic

#1 forever681

  • Members
  • 118 posts
  • OFFLINE
  • Local time:09:34 AM

Posted 31 August 2009 - 09:04 PM

I posted on the other forum and was advised to post here instead. I can't run Malwarebytes or any exe file on my computer; the screen is black. The only thing I was able to run is the OTL report, which is below, since RootRepeal won't run either. Please help, thanks so much.




OTL Extras logfile created on: 8/31/2009 5:58:18 PM - Run 1
OTL by OldTimer - Version 3.0.10.7 Folder = C:\Users\Andy\Desktop
Windows Vista Home Premium Edition Service Pack 1 (Version = 6.0.6001) - Type = NTWorkstation
Internet Explorer (Version = 7.0.6001.18000)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1013.38 Mb Total Physical Memory | 261.89 Mb Available Physical Memory | 25.84% Memory free
2.24 Gb Paging File | 1.52 Gb Available in Paging File | 67.88% Paging File free
Paging file location(s): ?:\pagefile.sys

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 110.32 Gb Total Space | 56.27 Gb Free Space | 51.01% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: ANDY-TOSHIBA
Current User Name: Andy
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.exe [@ = exefile] -- C:\Windows\System32\desote.exe File not found
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
"AntiVirusOverride" = 0
"UpdatesDisableNotify" = 1
"AntiVirusDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
"VistaSp1" = Reg Error: Unknown registry data type -- File not found

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-1679199247-1024483943-2079821399-1000]
"EnableNotifications" = 0
"EnableNotificationsRef" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{00BEE068-5E45-40DA-8F29-989E3AD997D4}" = protocol=17 | dir=in | app=c:\program files\winamp remote\bin\orbir.exe |
"{0930763A-A78D-40BE-AEC9-5550FB6E131B}" = protocol=6 | dir=in | app=c:\program files\winamp remote\bin\orbir.exe |
"{0B78E837-9665-435F-97E3-CB7C06DF190E}" = protocol=6 | dir=in | app=c:\windows\system32\winlogon.exe |
"{1C7C9A7E-6999-46DD-976A-86E253378F32}" = protocol=6 | dir=in | app=c:\windows\system32\lsass.exe |
"{24C7DE4E-A251-40BC-955C-F224ECECAA11}" = protocol=17 | dir=in | app=c:\program files\winamp remote\bin\orbtray.exe |
"{25CD12B9-22AA-4D3B-BC1F-04F72A338FC9}" = protocol=6 | dir=in | app=c:\program files\winamp remote\bin\orbtray.exe |
"{2AFFAAFB-7ADD-4169-9C49-69E6431CAC2A}" = protocol=17 | dir=in | app=c:\windows\system32\lsass.exe |
"{2B25973B-32C6-4F37-B981-4C292DA6AEA6}" = protocol=6 | dir=in | app=c:\program files\utorrent\utorrent.exe |
"{302397F4-2D58-42AA-8399-974E0AFD9E93}" = protocol=6 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{482F37EA-8DEB-479F-8B75-3F580CAE09FC}" = protocol=17 | dir=in | app=c:\windows\system32\wininit.exe |
"{4D417091-D3CC-48F0-8CF1-CEEEDB5A5D6C}" = protocol=6 | dir=in | app=c:\program files\winamp remote\bin\orbstreamerclient.exe |
"{4F20358F-FF66-42FE-B9C0-84E29AD42E66}" = protocol=17 | dir=in | app=c:\program files\winamp remote\bin\orbstreamerclient.exe |
"{506497B4-78CD-4386-B08A-D88015FDE5A4}" = protocol=6 | dir=in | app=c:\windows\system32\wininit.exe |
"{50C0D580-A9A2-4F4D-8DEF-C563227036B7}" = protocol=6 | dir=in | app=c:\program files\symantec antivirus\rtvscan.exe |
"{5A80D612-C899-46DB-B396-1661EBB8BA43}" = protocol=17 | dir=in | app=c:\program files\utorrent\utorrent.exe |
"{656119B5-BC92-423C-9F0B-F2C94716C598}" = protocol=17 | dir=in | app=c:\program files\utorrent\utorrent.exe |
"{65663ABD-3342-48E3-98D0-50419DEAA8A8}" = protocol=6 | dir=in | app=c:\programdata\14963174\14963174.exe |
"{71FC689B-1E77-4155-9F50-35AC0CCF7F22}" = protocol=17 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{7B5D1DD8-9408-4E98-A51C-A56EE3B12252}" = protocol=6 | dir=in | app=c:\windows\system32\wininit.exe |
"{8940A32B-B891-4272-AD61-033ED50FA204}" = protocol=6 | dir=in | app=c:\windows\system32\lsass.exe |
"{8A8A5B02-0A58-45FD-AC5F-93AB8B96B1B6}" = protocol=17 | dir=in | app=c:\programdata\14963174\14963174.exe |
"{8AB7D360-B79B-4826-9A27-B8E88BBB4CC8}" = protocol=17 | dir=in | app=c:\windows\system32\winlogon.exe |
"{8C0FBABC-0D5B-48D6-8222-39064B8665A3}" = protocol=6 | dir=in | app=c:\program files\itunes\itunes.exe |
"{8DE66C91-F43C-494C-8895-217F68D83C07}" = protocol=17 | dir=in | app=c:\windows\system32\wininit.exe |
"{9D423ACA-92FF-4721-BADC-2CC2FB6EA0CA}" = protocol=6 | dir=in | app=c:\windows\explorer.exe |
"{A2BAC750-B4A7-4D33-9CBA-37DA09D07B6A}" = protocol=17 | dir=in | app=c:\program files\symantec antivirus\rtvscan.exe |
"{A3992878-AE14-4DC4-BDF4-64418D809178}" = protocol=17 | dir=in | app=c:\programdata\14963174\14963174.exe |
"{AE198AA1-A952-485C-B842-6EE93B60637A}" = protocol=17 | dir=in | app=c:\program files\itunes\itunes.exe |
"{B916D675-F2DF-433F-81D1-44E6D7831631}" = protocol=17 | dir=in | app=c:\windows\system32\winlogon.exe |
"{BA244A00-9FA2-45A8-ADE0-B5501C716E40}" = protocol=6 | dir=in | app=c:\program files\common files\symantec shared\ccapp.exe |
"{BE577486-5938-477D-94CF-0997E3ECD3DB}" = protocol=6 | dir=in | app=c:\program files\utorrent\utorrent.exe |
"{C7512124-D0C1-4456-AB32-C90D84858566}" = protocol=6 | dir=in | app=c:\programdata\14963174\14963174.exe |
"{DA83FB9D-0ECF-42FE-BD04-4F035A383672}" = protocol=6 | dir=in | app=c:\program files\winamp remote\bin\orb.exe |
"{DC6E9C0A-0F5D-4A3A-83F4-5A457F94A81E}" = protocol=17 | dir=in | app=c:\windows\explorer.exe |
"{DE7911D6-6D31-442D-9F30-FBB593076E2B}" = protocol=17 | dir=in | app=c:\programdata\14963174\14963174.exe |
"{DF94E5FE-068F-4569-8908-598E7E536FDD}" = protocol=17 | dir=in | app=c:\windows\system32\lsass.exe |
"{E085E8B3-E2F8-4EAD-8AC7-C8CBA2141C43}" = protocol=17 | dir=in | app=c:\program files\common files\symantec shared\ccapp.exe |
"{E199369F-59E2-443B-8B32-703048DAA89C}" = protocol=6 | dir=in | app=c:\windows\system32\winlogon.exe |
"{E7E85F4B-397C-4CC9-9609-C03E228FC98D}" = protocol=17 | dir=in | app=c:\program files\winamp remote\bin\orb.exe |
"TCP Query User{34AD66BA-24AF-4C2D-868D-6C12197A219F}C:\program files\internet explorer\iexplore.exe" = protocol=6 | dir=in | app=c:\program files\internet explorer\iexplore.exe |
"TCP Query User{6695B5A1-0061-46F6-8831-D2192B043742}C:\program files\bitzip\bitzip.exe" = protocol=6 | dir=in | app=c:\program files\bitzip\bitzip.exe |
"TCP Query User{FA395FBD-C6B0-454A-816A-BAA65DDAB25A}C:\program files\nero\nero8\nero showtime\showtime.exe" = protocol=6 | dir=in | app=c:\program files\nero\nero8\nero showtime\showtime.exe |
"TCP Query User{FF66C881-7D7A-4165-806D-0A3C24AED31D}C:\program files\aim\aim.exe" = protocol=6 | dir=in | app=c:\program files\aim\aim.exe |
"UDP Query User{5E707D8E-13E9-4F45-9C10-6E93D620B5D4}C:\program files\aim\aim.exe" = protocol=17 | dir=in | app=c:\program files\aim\aim.exe |
"UDP Query User{828A7FAE-5B1B-49C4-8CB9-9253FD5DA8BF}C:\program files\internet explorer\iexplore.exe" = protocol=17 | dir=in | app=c:\program files\internet explorer\iexplore.exe |
"UDP Query User{B40BA67A-1C53-4D88-BF1D-D22F453C44C9}C:\program files\nero\nero8\nero showtime\showtime.exe" = protocol=17 | dir=in | app=c:\program files\nero\nero8\nero showtime\showtime.exe |
"UDP Query User{B92DDF63-5B2D-4381-8C5D-64644A1D4455}C:\program files\bitzip\bitzip.exe" = protocol=17 | dir=in | app=c:\program files\bitzip\bitzip.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00000409-78E1-11D2-B60F-006097C998E7}" = Microsoft Office 2000 Premium
"{12688FD7-CB92-4A5B-BEE4-5C8E0574434F}" = Utility Common Driver
"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate
"{20471B27-D702-4FE8-8DEC-0702CC8C0A85}" = WinDVD for TOSHIBA
"{216AB108-2AE1-4130-B3D5-20B2C4C80F8F}" = QuickTime
"{28006915-2739-4EBE-B5E8-49B25D32EB33}" = Atheros Driver Installation Program
"{3248F0A8-6813-11D6-A77B-00B0D0160000}" = Java™ SE Runtime Environment 6
"{3FC7CBBC4C1E11DCA1A752EA55D89593}" = DivX Version Checker
"{5279374D-87FE-4879-9385-F17278EBB9D3}" = TOSHIBA Hardware Setup
"{5DA0E02F-970B-424B-BF41-513A5018E4C0}" = TOSHIBA Disc Creator
"{617C36FD-0CBE-4600-84B2-441CEB12FADF}" = TOSHIBA Extended Tiles for Windows Mobility Center
"{620BBA5E-F848-4D56-8BDA-584E44584C5E}" = TOSHIBA Flash Cards Support Utility
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6C28BDA4-6D99-4DD0-9F22-6A90A445E982}" = Symantec AntiVirus
"{7078C6C2-F5A5-4A5F-86A8-CD1301CA07DF}" = Mobipocket Reader 6.1
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{767CC44C-9BBC-438D-BAD3-FD4595DD148B}" = VC80CRTRedist - 8.0.50727.762
"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX Codec
"{8833FFB6-5B0C-4764-81AA-06DFEED9A476}" = Realtek 8169 PCI, 8168 and 8101E PCIe Ethernet Network Card Driver for Windows Vista
"{8A25392D-C5D2-4E79-A2BD-C15DDC5B0959}" = Bonjour
"{8AEA4BE2-2B52-41C0-BB7D-9F2D17AF1033}" = Nero 8
"{9ECE13D2-C028-44CB-8A96-A65196E7BBE7}_is1" = Convert AVI to MP4 1.3
"{9FE35071-CAB2-4E79-93E7-BFC6A2DC5C5D}" = CD/DVD Drive Acoustic Silencer
"{AC76BA86-7AD7-1033-7B44-A70000000000}" = Adobe Reader 7.0
"{B5FDA445-CAC4-4BA6-A8FB-A7212BD439DE}" = Microsoft XML Parser
"{EBFF48F5-3CFA-436F-8FD5-94FB01D3A0A7}" = TOSHIBA SD Memory Utilities
"{EC4455AB-F155-4CC1-A4C5-88F3777F9886}" = Apple Mobile Device Support
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F214EAA4-A069-4BAF-9DA4-4DB8BEEDE485}" = DVD MovieFactory for TOSHIBA
"{F5C63795-2708-4D15-BF18-5ABBFF7DFFC8}" = iTunes
"{F7B05784-334C-4F76-8BAB-30ABEB7FD534}" = TIPCI
"Adobe Flash Player ActiveX" = Adobe Flash Player ActiveX
"Adobe Shockwave Player" = Adobe Shockwave Player
"Agere Systems Soft Modem" = TOSHIBA Software Modem
"AnyDVD" = AnyDVD
"AOL Instant Messenger" = AOL Instant Messenger
"ApecSoft AVI 3GP Joiner_is1" = AVI 3GP Joiner V1.20
"DVD Decrypter" = DVD Decrypter (Remove Only)
"DVD Shrink_is1" = DVD Shrink 3.2
"DVDFab (Platinum/Gold/HD Decrypter) (Option: Mobile) 5_is1" = DVDFab (Platinum/Gold/HD Decrypter) (Option: Mobile) 5.2.2.2
"HDMI" = Intel® Graphics Media Accelerator Driver
"HijackThis" = HijackThis 2.0.2
"ImgBurn" = ImgBurn
"ImTOO DVD to MP4 Converter" = ImTOO DVD to MP4 Converter
"InstallShield_{20471B27-D702-4FE8-8DEC-0702CC8C0A85}" = WinDVD for TOSHIBA
"InstallShield_{5279374D-87FE-4879-9385-F17278EBB9D3}" = TOSHIBA Hardware Setup
"InstallShield_{617C36FD-0CBE-4600-84B2-441CEB12FADF}" = TOSHIBA Extended Tiles for Windows Mobility Center
"InstallShield_{620BBA5E-F848-4D56-8BDA-584E44584C5E}" = TOSHIBA Flash Cards Support Utility
"InstallShield_{F7B05784-334C-4F76-8BAB-30ABEB7FD534}" = Texas Instruments PCIxx21/x515/xx12 drivers.
"LiveUpdate" = LiveUpdate 3.2 (Symantec Corporation)
"Move Networks Player - IE" = Move Networks Media Player for Internet Explorer
"Photodex Presenter" = Photodex Presenter
"ProShow Gold" = ProShow Gold
"SynTPDeinstKey" = Synaptics Pointing Device Driver
"WinRAR archiver" = WinRAR archiver
"WT015806" = Penguins!
"Yahoo! SiteBuilder" = Yahoo! SiteBuilder

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-1679199247-1024483943-2079821399-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"uTorrent" = µTorrent

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 8/30/2009 9:58:17 PM | Computer Name = Andy-Toshiba | Source = Application Hang | ID = 1002
Description = The program iexplore.exe version 7.0.6001.18000 stopped interacting
with Windows and was closed. To see if more information about the problem is available,
check the problem history in the Problem Reports and Solutions control panel. Process
ID: 18f4 Start Time: 01ca29ddcab4fa06 Termination Time: 0

Error - 8/30/2009 10:54:36 PM | Computer Name = Andy-Toshiba | Source = Application Error | ID = 1000
Description = Faulting application mbam.exe, version 1.38.0.0, time stamp 0x4a39169f,
faulting module mbam.exe, version 1.38.0.0, time stamp 0x4a39169f, exception code
0x80000003, fault offset 0x00002dd0, process id 0xf34, application start time 0x01ca29e65bbd71c4.

Error - 8/30/2009 10:54:58 PM | Computer Name = Andy-Toshiba | Source = Application Error | ID = 1000
Description = Faulting application mbam.exe, version 1.38.0.0, time stamp 0x4a39169f,
faulting module mbam.exe, version 1.38.0.0, time stamp 0x4a39169f, exception code
0x80000003, fault offset 0x00002dd0, process id 0xb6c, application start time 0x01ca29e66a817944.

Error - 8/30/2009 10:55:10 PM | Computer Name = Andy-Toshiba | Source = Application Error | ID = 1000
Description = Faulting application mbam.exe, version 1.38.0.0, time stamp 0x4a39169f,
faulting module mbam.exe, version 1.38.0.0, time stamp 0x4a39169f, exception code
0x80000003, fault offset 0x00002dd0, process id 0xf3c, application start time 0x01ca29e672986584.

Error - 8/31/2009 3:27:35 AM | Computer Name = Andy-Toshiba | Source = Application Hang | ID = 1002
Description = The program iexplore.exe version 7.0.6001.18000 stopped interacting
with Windows and was closed. To see if more information about the problem is available,
check the problem history in the Problem Reports and Solutions control panel. Process
ID: 14e4 Start Time: 01ca2a0c369cfc44 Termination Time: 0

Error - 8/31/2009 3:37:43 AM | Computer Name = Andy-Toshiba | Source = Application Error | ID = 1000
Description = Faulting application mbam.exe, version 1.38.0.0, time stamp 0x4a39169f,
faulting module mbam.exe, version 1.38.0.0, time stamp 0x4a39169f, exception code
0x80000003, fault offset 0x00002dd0, process id 0x1658, application start time 0x01ca2a0de7b4a0e4.

Error - 8/31/2009 3:40:49 AM | Computer Name = Andy-Toshiba | Source = Application Error | ID = 1000
Description = Faulting application mbam.exe, version 1.38.0.0, time stamp 0x4a39169f,
faulting module mbam.exe, version 1.38.0.0, time stamp 0x4a39169f, exception code
0x80000003, fault offset 0x00002dd0, process id 0x1714, application start time 0x01ca2a0e5634f564.

Error - 8/31/2009 6:55:31 AM | Computer Name = Andy-Toshiba | Source = Microsoft-Windows-CAPI2 | ID = 131585
Description =

Error - 8/31/2009 6:55:32 AM | Computer Name = Andy-Toshiba | Source = Microsoft-Windows-CAPI2 | ID = 131585
Description =

Error - 8/31/2009 8:48:46 PM | Computer Name = Andy-Toshiba | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 7.0.6001.18000, time stamp
0x47918f11, faulting module gujayiwo.dll, version 0.0.0.0, time stamp 0x4a5f5e62,
exception code 0xc0000005, fault offset 0x0000eb9b, process id 0x3d4, application
start time 0x01ca2a9dbe1d74d0.

[ System Events ]
Error - 8/31/2009 8:50:13 PM | Computer Name = Andy-Toshiba | Source = Service Control Manager | ID = 7034
Description =

Error - 8/31/2009 8:50:13 PM | Computer Name = Andy-Toshiba | Source = Service Control Manager | ID = 7034
Description =

Error - 8/31/2009 8:50:13 PM | Computer Name = Andy-Toshiba | Source = Service Control Manager | ID = 7034
Description =

Error - 8/31/2009 8:53:22 PM | Computer Name = Andy-Toshiba | Source = EventLog | ID = 6008
Description = The previous system shutdown at 5:50:15 PM on 8/31/2009 was unexpected.

Error - 8/31/2009 8:54:14 PM | Computer Name = Andy-Toshiba | Source = HTTP | ID = 15016
Description =

Error - 8/31/2009 8:55:56 PM | Computer Name = Andy-Toshiba | Source = Service Control Manager | ID = 7023
Description =

Error - 8/31/2009 8:55:56 PM | Computer Name = Andy-Toshiba | Source = Service Control Manager | ID = 7001
Description =

Error - 8/31/2009 8:55:56 PM | Computer Name = Andy-Toshiba | Source = Service Control Manager | ID = 7000
Description =

Error - 8/31/2009 8:55:56 PM | Computer Name = Andy-Toshiba | Source = Service Control Manager | ID = 7009
Description =

Error - 8/31/2009 8:55:56 PM | Computer Name = Andy-Toshiba | Source = Service Control Manager | ID = 7026
Description =


< End of report >





OTL logfile created on: 8/31/2009 5:58:18 PM - Run 1
OTL by OldTimer - Version 3.0.10.7 Folder = C:\Users\Andy\Desktop
Windows Vista Home Premium Edition Service Pack 1 (Version = 6.0.6001) - Type = NTWorkstation
Internet Explorer (Version = 7.0.6001.18000)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1013.38 Mb Total Physical Memory | 261.89 Mb Available Physical Memory | 25.84% Memory free
2.24 Gb Paging File | 1.52 Gb Available in Paging File | 67.88% Paging File free
Paging file location(s): ?:\pagefile.sys

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 110.32 Gb Total Space | 56.27 Gb Free Space | 51.01% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: ANDY-TOSHIBA
Current User Name: Andy
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2006/10/13 20:44:22 | 00,107,624 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
PRC - [2009/08/30 15:18:27 | 00,042,496 | ---- | M] (PROMO Software) -- C:\Windows\System32\drivers\smss.exe
PRC - [2008/10/28 23:29:41 | 02,927,104 | ---- | M] (Microsoft Corporation) -- C:\Windows\Explorer.exe
PRC - [2006/09/12 09:03:20 | 00,009,216 | ---- | M] (Agere Systems) -- C:\Windows\System32\agrsmsvc.exe
PRC - [2009/08/30 15:25:07 | 00,163,840 | ---- | M] () -- C:\Windows\svchasts.exe
PRC - [2008/11/07 15:28:16 | 00,132,424 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
PRC - [2008/08/29 11:18:44 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe
PRC - [2006/10/14 06:02:04 | 00,030,920 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\DefWatch.exe
PRC - [2007/08/08 09:25:08 | 00,836,904 | ---- | M] (Nero AG) -- C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
PRC - [2008/01/19 00:33:22 | 00,160,256 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\PresentationSettings.exe
PRC - [2007/09/06 23:31:43 | 00,181,312 | ---- | M] () -- C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
PRC - [2006/05/25 19:30:16 | 00,114,688 | ---- | M] (TOSHIBA Corporation) -- C:\Windows\System32\TODDSrv.exe
PRC - [2006/08/23 17:39:48 | 00,049,152 | ---- | M] (Ulead Systems, Inc.) -- C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
PRC - [2009/08/31 17:51:40 | 00,514,048 | ---- | M] (OldTimer Tools) -- C:\Users\Andy\Desktop\OTL.exe

========== Win32 Services (SafeList) ==========

SRV - [2006/09/12 09:03:20 | 00,009,216 | ---- | M] (Agere Systems) -- C:\Windows\System32\agrsmsvc.exe -- (AgereModemAudio [Auto | Running])
SRV - [2009/08/30 15:25:07 | 00,163,840 | ---- | M] () -- C:\Windows\svchasts.exe -- (AntipPro2009_100 [Auto | Running])
SRV - [2008/11/07 15:28:16 | 00,132,424 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device [Auto | Running])
SRV - [2008/08/29 11:18:44 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service [Auto | Running])
SRV - [2006/10/13 20:44:22 | 00,107,624 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe -- (ccEvtMgr [Auto | Running])
SRV - [2006/10/13 20:44:22 | 00,107,624 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe -- (ccSetMgr [Auto | Running])
SRV - [2008/01/05 04:26:41 | 00,070,144 | ---- | M] (Microsoft Corporation) -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [On_Demand | Stopped])
SRV - [2006/10/14 06:02:04 | 00,030,920 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\DefWatch.exe -- (DefWatch [Auto | Running])
SRV - [2008/01/19 00:33:09 | 00,292,352 | ---- | M] (Microsoft Corporation) -- C:\Windows\ehome\ehRecvr.exe -- (ehRecvr [On_Demand | Stopped])
SRV - [2006/11/02 05:35:29 | 00,131,072 | ---- | M] (Microsoft Corporation) -- C:\Windows\ehome\ehsched.exe -- (ehSched [On_Demand | Stopped])
SRV - [2006/11/02 05:35:29 | 00,013,312 | ---- | M] (Microsoft Corporation) -- C:\Windows\ehome\ehstart.dll -- (ehstart [Auto | Stopped])
SRV - [2008/01/19 00:36:53 | 01,013,760 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\wevtsvc.dll -- (Eventlog [Auto | Running])
SRV - [2008/01/05 04:21:53 | 00,036,864 | ---- | M] (Microsoft Corporation) -- C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe -- (FontCache3.0.0.0 [On_Demand | Stopped])
SRV - [2005/11/14 02:06:04 | 00,069,632 | ---- | M] (Macrovision Corporation) -- C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe -- (IDriverT [On_Demand | Stopped])
SRV - [2008/01/05 04:21:39 | 00,864,256 | ---- | M] (Microsoft Corporation) -- C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe -- (idsvc [Unknown | Stopped])
SRV - [2009/01/06 14:06:24 | 00,536,872 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service [On_Demand | Stopped])
SRV - [2006/10/12 12:57:43 | 02,541,248 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_2.EXE -- (LiveUpdate [On_Demand | Stopped])
SRV - [2007/08/08 09:25:08 | 00,836,904 | ---- | M] (Nero AG) -- C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe -- (Nero BackItUp Scheduler 3 [Auto | Running])
SRV - [2008/01/05 04:21:39 | 00,122,880 | ---- | M] (Microsoft Corporation) -- C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe -- (NetTcpPortSharing [Disabled | Stopped])
SRV - [2007/08/03 12:51:18 | 00,382,248 | ---- | M] (Nero AG) -- C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe -- (NMIndexingService [On_Demand | Stopped])
SRV - [2006/05/11 18:15:50 | 00,052,736 | ---- | M] (Hewlett-Packard) -- C:\Windows\System32\HPZipm12.dll -- (Pml Driver HPZ12 [Auto | Running])
SRV - [2006/10/14 06:02:20 | 00,122,056 | ---- | M] (symantec) -- C:\Program Files\Symantec AntiVirus\SavRoam.exe -- (SavRoam [On_Demand | Stopped])
SRV - [2007/09/06 23:31:43 | 00,181,312 | ---- | M] () -- C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe -- (ScsiAccess [Auto | Running])
SRV - [2006/10/14 06:02:14 | 01,956,552 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\Rtvscan.exe -- (Symantec AntiVirus [Auto | Stopped])
SRV - [2006/05/25 19:30:16 | 00,114,688 | ---- | M] (TOSHIBA Corporation) -- C:\Windows\System32\TODDSrv.exe -- (TODDSrv [Auto | Running])
SRV - [2006/08/23 17:39:48 | 00,049,152 | ---- | M] (Ulead Systems, Inc.) -- C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe -- (UleadBurningHelper [Auto | Running])
SRV - [2008/01/19 00:38:24 | 00,272,952 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\mpsvc.dll -- (WinDefend [Auto | Stopped])
SRV - [2008/01/19 00:33:39 | 00,896,512 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\wmpnetwk.exe -- (WMPNetworkSvc [On_Demand | Stopped])

========== Driver Services (SafeList) ==========

DRV - [2006/11/02 02:51:38 | 00,420,968 | ---- | M] (Adaptec, Inc.) -- C:\Windows\system32\drivers\adp94xx.sys -- (adp94xx [Disabled | Stopped])
DRV - [2006/11/02 02:51:32 | 00,297,576 | ---- | M] (Adaptec, Inc.) -- C:\Windows\system32\drivers\adpahci.sys -- (adpahci [Disabled | Stopped])
DRV - [2006/11/02 02:50:35 | 00,098,408 | ---- | M] (Adaptec, Inc.) -- C:\Windows\system32\drivers\adpu160m.sys -- (adpu160m [Disabled | Stopped])
DRV - [2006/11/02 02:51:00 | 00,147,048 | ---- | M] (Adaptec, Inc.) -- C:\Windows\system32\drivers\adpu320.sys -- (adpu320 [Disabled | Stopped])
DRV - [2006/08/31 07:53:00 | 01,161,152 | ---- | M] (Agere Systems) -- C:\Windows\System32\DRIVERS\AGRSM.sys -- (AgereSoftModem [On_Demand | Running])
DRV - [2006/11/02 02:50:11 | 00,071,272 | ---- | M] (Adaptec, Inc.) -- C:\Windows\system32\drivers\djsvs.sys -- (aic78xx [Disabled | Stopped])
DRV - [2006/11/02 02:49:20 | 00,014,952 | ---- | M] (Acer Laboratories Inc.) -- C:\Windows\system32\drivers\aliide.sys -- (aliide [Disabled | Stopped])
DRV - [2009/05/09 16:40:09 | 00,103,872 | ---- | M] (SlySoft, Inc.) -- C:\Windows\System32\Drivers\AnyDVD.sys -- (AnyDVD [On_Demand | Running])
DRV - [2006/11/02 02:50:09 | 00,067,688 | ---- | M] (Adaptec, Inc.) -- C:\Windows\system32\drivers\arc.sys -- (arc [Disabled | Stopped])
DRV - [2006/11/02 02:50:10 | 00,067,688 | ---- | M] (Adaptec, Inc.) -- C:\Windows\system32\drivers\arcsas.sys -- (arcsas [Disabled | Stopped])
DRV - [2007/07/14 05:30:00 | 00,742,400 | ---- | M] (Atheros Communications, Inc.) -- C:\Windows\System32\DRIVERS\athr.sys -- (athr [On_Demand | Running])
DRV - [2006/11/02 01:24:45 | 00,013,568 | ---- | M] (Brother Industries, Ltd.) -- C:\Windows\system32\drivers\brfiltlo.sys -- (BrFiltLo [On_Demand | Stopped])
DRV - [2006/11/02 01:24:46 | 00,005,248 | ---- | M] (Brother Industries, Ltd.) -- C:\Windows\system32\drivers\brfiltup.sys -- (BrFiltUp [On_Demand | Stopped])
DRV - [2006/11/02 01:25:24 | 00,071,808 | ---- | M] (Brother Industries Ltd.) -- C:\Windows\system32\drivers\brserid.sys -- (Brserid [Disabled | Stopped])
DRV - [2006/11/02 01:24:44 | 00,062,336 | ---- | M] (Brother Industries Ltd.) -- C:\Windows\system32\drivers\brserwdm.sys -- (BrSerWdm [Disabled | Stopped])
DRV - [2006/11/02 01:24:44 | 00,012,160 | ---- | M] (Brother Industries Ltd.) -- C:\Windows\system32\drivers\brusbmdm.sys -- (BrUsbMdm [Disabled | Stopped])
DRV - [2006/11/02 01:24:47 | 00,011,904 | ---- | M] (Brother Industries Ltd.) -- C:\Windows\system32\drivers\brusbser.sys -- (BrUsbSer [On_Demand | Stopped])
DRV - [2006/11/02 02:49:28 | 00,016,488 | ---- | M] (CMD Technology, Inc.) -- C:\Windows\system32\drivers\cmdide.sys -- (cmdide [Disabled | Stopped])
DRV - [2006/11/02 00:30:54 | 00,117,760 | ---- | M] (Intel Corporation) -- C:\Windows\System32\DRIVERS\E1G60I32.sys -- (E1G60 [On_Demand | Stopped])
DRV - [2009/08/27 01:00:00 | 00,371,248 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl [System | Running])
DRV - [2009/02/17 10:11:30 | 00,024,232 | ---- | M] (Elaborate Bytes AG) -- C:\Windows\System32\Drivers\ElbyCDIO.sys -- (ElbyCDIO [System | Running])
DRV - [2006/11/02 02:51:34 | 00,316,520 | ---- | M] (Emulex) -- C:\Windows\system32\drivers\elxstor.sys -- (elxstor [Disabled | Stopped])
DRV - [2009/08/27 01:00:00 | 00,102,448 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv [On_Demand | Running])
DRV - [2008/04/17 14:12:54 | 00,015,464 | ---- | M] (GEAR Software Inc.) -- C:\Windows\System32\DRIVERS\GEARAspiWDM.sys -- (GEARAspiWDM [On_Demand | Running])
DRV - [2006/11/02 02:50:10 | 00,037,480 | ---- | M] (Hewlett-Packard Company) -- C:\Windows\system32\drivers\hpcisss.sys -- (HpCISSs [Disabled | Stopped])
DRV - [2008/02/11 19:36:10 | 02,302,976 | ---- | M] (Intel Corporation) -- C:\Windows\System32\DRIVERS\igdkmd32.sys -- (ialm [On_Demand | Stopped])
DRV - [2006/11/02 02:51:25 | 00,232,040 | ---- | M] (Intel Corporation) -- C:\Windows\system32\drivers\iastorv.sys -- (iaStorV [Disabled | Stopped])
DRV - [2008/02/11 19:36:10 | 02,302,976 | ---- | M] (Intel Corporation) -- C:\Windows\System32\DRIVERS\igdkmd32.sys -- (igfx [On_Demand | Running])
DRV - [2006/11/02 02:50:17 | 00,041,576 | ---- | M] (Intel Corp./ICP vortex GmbH) -- C:\Windows\system32\drivers\iirsp.sys -- (iirsp [Disabled | Stopped])
DRV - [2006/11/08 20:09:24 | 01,647,976 | ---- | M] (Realtek Semiconductor Corp.) -- C:\Windows\System32\drivers\RTKVHDA.sys -- (IntcAzAudAddService [On_Demand | Running])
DRV - [2006/11/02 02:50:07 | 00,035,944 | ---- | M] (Integrated Technology Express, Inc.) -- C:\Windows\system32\drivers\iteatapi.sys -- (iteatapi [Disabled | Stopped])
DRV - [2006/11/02 02:50:09 | 00,035,944 | ---- | M] (Integrated Technology Express, Inc.) -- C:\Windows\system32\drivers\iteraid.sys -- (iteraid [Disabled | Stopped])
DRV - [2006/02/14 11:50:52 | 00,216,320 | ---- | M] (TOSHIBA CORPORATION) -- C:\Windows\system32\drivers\kr10i.sys -- (KR10I [Disabled | Stopped])
DRV - [2005/09/27 16:57:38 | 00,207,104 | ---- | M] (TOSHIBA CORPORATION) -- C:\Windows\system32\drivers\kr10n.sys -- (KR10N [Disabled | Stopped])
DRV - [2006/09/27 20:06:56 | 00,479,488 | ---- | M] (TOSHIBA CORPORATION) -- C:\Windows\system32\drivers\kr3npxp.sys -- (KR3NPXP [Disabled | Stopped])
DRV - [2006/07/28 17:25:26 | 00,019,456 | ---- | M] (COMPAL ELECTRONIC INC.) -- C:\Windows\system32\DRIVERS\LPCFilter.sys -- (LPCFilter [Boot | Running])
DRV - [2006/11/02 02:50:04 | 00,065,640 | ---- | M] (LSI Logic) -- C:\Windows\system32\drivers\lsi_fc.sys -- (LSI_FC [Disabled | Stopped])
DRV - [2006/11/02 02:50:05 | 00,065,640 | ---- | M] (LSI Logic) -- C:\Windows\system32\drivers\lsi_sas.sys -- (LSI_SAS [Disabled | Stopped])
DRV - [2006/11/02 02:50:10 | 00,065,640 | ---- | M] (LSI Logic) -- C:\Windows\system32\drivers\lsi_scsi.sys -- (LSI_SCSI [Disabled | Stopped])
DRV - [2006/11/02 02:49:53 | 00,028,776 | ---- | M] (LSI Logic Corporation) -- C:\Windows\system32\drivers\megasas.sys -- (megasas [Disabled | Stopped])
DRV - [2006/11/02 02:49:59 | 00,033,384 | ---- | M] (LSI Logic Corporation) -- C:\Windows\system32\drivers\mraid35x.sys -- (Mraid35x [Disabled | Stopped])
DRV - [2009/08/27 01:00:00 | 00,084,912 | ---- | M] (Symantec Corporation) -- C:\ProgramData\Symantec\Definitions\VirusDefs\20090828.037\NAVENG.SYS -- (NAVENG [On_Demand | Running])
DRV - [2009/08/27 01:00:00 | 01,323,568 | ---- | M] (Symantec Corporation) -- C:\ProgramData\Symantec\Definitions\VirusDefs\20090828.037\NAVEX15.SYS -- (NAVEX15 [On_Demand | Running])
DRV - [2006/11/02 00:30:54 | 01,781,760 | ---- | M] (Intel® Corporation) -- C:\Windows\System32\DRIVERS\NETw3v32.sys -- (NETw3v32 [On_Demand | Stopped])
DRV - [2006/11/02 02:50:19 | 00,045,160 | ---- | M] (IBM Corporation) -- C:\Windows\system32\drivers\nfrd960.sys -- (nfrd960 [Disabled | Stopped])
DRV - [2006/11/02 00:36:50 | 00,020,608 | ---- | M] (N-trig Innovative Technologies) -- C:\Windows\system32\drivers\ntrigdigi.sys -- (ntrigdigi [Disabled | Stopped])
DRV - [2006/11/02 02:50:24 | 00,088,680 | ---- | M] (NVIDIA Corporation) -- C:\Windows\system32\drivers\nvraid.sys -- (nvraid [Disabled | Stopped])
DRV - [2006/11/02 02:50:13 | 00,040,040 | ---- | M] (NVIDIA Corporation) -- C:\Windows\system32\drivers\nvstor.sys -- (nvstor [Disabled | Stopped])
DRV - [2007/12/11 22:27:39 | 00,047,360 | ---- | M] (VSO Software) -- C:\Windows\System32\Drivers\pcouffin.sys -- (pcouffin [On_Demand | Running])
DRV - [2006/11/02 02:51:45 | 00,900,712 | ---- | M] (QLogic Corporation) -- C:\Windows\system32\drivers\ql2300.sys -- (ql2300 [Disabled | Stopped])
DRV - [2006/11/02 02:50:35 | 00,106,088 | ---- | M] (QLogic Corporation) -- C:\Windows\system32\drivers\ql40xx.sys -- (ql40xx [Disabled | Stopped])
DRV - [2008/01/25 09:46:40 | 00,106,496 | ---- | M] (Realtek Corporation ) -- C:\Windows\System32\DRIVERS\Rtlh86.sys -- (RTL8169 [On_Demand | Running])
DRV - [2009/06/18 12:55:41 | 00,018,816 | ---- | M] (Sophos Plc) -- C:\Windows\System32\SAVRKBootTasks.sys -- (SAVRKBootTasks [System | Running])
DRV - [2006/11/01 23:37:21 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- C:\Windows\System32\drivers\secdrv.sys -- (secdrv [Auto | Running])
DRV - [2006/11/02 02:50:10 | 00,038,504 | ---- | M] (Silicon Integrated Systems Corp.) -- C:\Windows\system32\drivers\sisraid2.sys -- (SiSRaid2 [Disabled | Stopped])
DRV - [2006/11/02 02:50:16 | 00,071,784 | ---- | M] (Silicon Integrated Systems) -- C:\Windows\system32\drivers\sisraid4.sys -- (SiSRaid4 [Disabled | Stopped])
DRV - [2006/10/06 14:26:16 | 00,406,672 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys -- (SPBBCDrv [System | Running])
DRV - [2008/04/15 19:02:18 | 00,717,296 | ---- | M] () -- C:\Windows\System32\Drivers\sptd.sys -- (sptd [Boot | Running])
DRV - [2006/10/11 20:29:14 | 00,245,368 | ---- | M] (Symantec Corporation) -- C:\Windows\System32\Drivers\SRTSP.SYS -- (SRTSP [System | Running])
DRV - [2006/10/11 20:29:20 | 00,275,064 | ---- | M] (Symantec Corporation) -- C:\Windows\System32\Drivers\SRTSPL.SYS -- (SRTSPL [On_Demand | Stopped])
DRV - [2006/10/11 20:29:18 | 00,024,184 | ---- | M] (Symantec Corporation) -- C:\Windows\System32\Drivers\SRTSPX.SYS -- (SRTSPX [System | Running])
DRV - [2006/11/02 02:50:05 | 00,035,944 | ---- | M] (LSI Logic) -- C:\Windows\system32\drivers\symc8xx.sys -- (Symc8xx [Disabled | Stopped])
DRV - [2006/10/09 18:47:58 | 00,110,256 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\SYMEVENT.SYS -- (SymEvent [On_Demand | Running])
DRV - [2006/10/12 20:00:44 | 00,026,384 | ---- | M] (Symantec Corporation) -- C:\Windows\System32\Drivers\SYMREDRV.SYS -- (SYMREDRV [On_Demand | Stopped])
DRV - [2006/10/12 20:00:50 | 00,185,744 | ---- | M] (Symantec Corporation) -- C:\Windows\System32\Drivers\SYMTDI.SYS -- (SYMTDI [System | Running])
DRV - [2006/11/02 02:49:56 | 00,031,848 | ---- | M] (LSI Logic) -- C:\Windows\system32\drivers\sym_hi.sys -- (Sym_hi [Disabled | Stopped])
DRV - [2006/11/02 02:50:03 | 00,034,920 | ---- | M] (LSI Logic) -- C:\Windows\system32\drivers\sym_u3.sys -- (Sym_u3 [Disabled | Stopped])
DRV - [2008/04/03 10:51:34 | 00,199,600 | ---- | M] (Synaptics, Inc.) -- C:\Windows\System32\DRIVERS\SynTP.sys -- (SynTP [On_Demand | Running])
DRV - [2006/10/18 12:50:04 | 00,016,128 | ---- | M] (TOSHIBA Corporation.) -- C:\Windows\System32\DRIVERS\tdcmdpst.sys -- (tdcmdpst [On_Demand | Running])
DRV - [2006/07/06 14:44:00 | 00,168,448 | ---- | M] (Texas Instruments) -- C:\Windows\System32\drivers\tifm21.sys -- (tifm21 [On_Demand | Running])
DRV - [2006/10/23 17:32:20 | 00,009,216 | ---- | M] (TOSHIBA Corporation) -- C:\Windows\System32\DRIVERS\tosrfec.sys -- (tosrfec [On_Demand | Stopped])
DRV - [2006/10/05 23:22:14 | 00,016,768 | ---- | M] (TOSHIBA Corporation) -- C:\Windows\system32\DRIVERS\TVALZ_O.SYS -- (TVALZ [Boot | Running])
DRV - [2006/11/02 02:51:25 | 00,235,112 | ---- | M] (ULi Electronics Inc.) -- C:\Windows\system32\drivers\uliahci.sys -- (uliahci [Disabled | Stopped])
DRV - [2006/11/02 02:50:35 | 00,098,408 | ---- | M] (Promise Technology, Inc.) -- C:\Windows\system32\drivers\ulsata.sys -- (UlSata [Disabled | Stopped])
DRV - [2006/11/02 02:50:45 | 00,115,816 | ---- | M] (Promise Technology, Inc.) -- C:\Windows\system32\drivers\ulsata2.sys -- (ulsata2 [Disabled | Stopped])
DRV - [2008/11/07 15:23:30 | 00,032,000 | ---- | M] (Apple, Inc.) -- C:\Windows\System32\Drivers\usbaapl.sys -- (USBAAPL [On_Demand | Stopped])
DRV - [2006/11/02 02:49:30 | 00,017,512 | ---- | M] (VIA Technologies, Inc.) -- C:\Windows\system32\drivers\viaide.sys -- (viaide [Disabled | Stopped])
DRV - [2006/11/02 02:50:41 | 00,112,232 | ---- | M] (VIA Technologies Inc.,Ltd) -- C:\Windows\system32\drivers\vsmraid.sys -- (vsmraid [Disabled | Stopped])

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshibadirect.com/dpdstart
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157


IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-1679199247-1024483943-2079821399-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\system32\blank.htm
IE - HKU\S-1-5-21-1679199247-1024483943-2079821399-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKU\S-1-5-21-1679199247-1024483943-2079821399-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
IE - HKU\S-1-5-21-1679199247-1024483943-2079821399-1000\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKU\S-1-5-21-1679199247-1024483943-2079821399-1000\S-1-5-21-1679199247-1024483943-2079821399-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-1679199247-1024483943-2079821399-1000\S-1-5-21-1679199247-1024483943-2079821399-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local



O1 HOSTS File: (734 bytes) - C:\Windows\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - {036d6a92-7b48-4e06-a62f-c3401eb016a3} - C:\Windows\System32\boyedoha.dll ()
O2 - BHO: (ICQSys (IE PlugIn)) - {76DC0B63-1533-4ba9-8BE8-D59EB676FA02} - C:\Windows\System32\dddesot.dll (ASC - AntiSpyware)
O3 - HKU\S-1-5-21-1679199247-1024483943-2079821399-1000\..\Toolbar\WebBrowser: (no name) - {6ADB0F93-1AA5-4BCF-9DF4-CEA689A3C111} - No CLSID value found.
O4 - HKLM..\Run: [14963174] C:\ProgramData\14963174\14963174.exe ()
O4 - HKLM..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)
O4 - HKLM..\Run: [CPM51766c3b] C:\Windows\System32\gujayiwo.DLL ()
O4 - HKLM..\Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe (Intel Corporation)
O4 - HKLM..\Run: [HWSetup] C:\Program Files\TOSHIBA\Utilities\HWSetup.exe (TOSHIBA Electronics, Inc.)
O4 - HKLM..\Run: [IgfxTray] C:\Windows\System32\igfxtray.exe (Intel Corporation)
O4 - HKLM..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)
O4 - HKLM..\Run: [KeNotify] C:\Program Files\TOSHIBA\Utilities\KeNotify.exe ()
O4 - HKLM..\Run: [misamikafi] C:\Windows\System32\goradoja.DLL ()
O4 - HKLM..\Run: [NBKeyScan] C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe (Nero AG)
O4 - HKLM..\Run: [Persistence] C:\Windows\System32\igfxpers.exe (Intel Corporation)
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\QTTask.exe (Apple Inc.)
O4 - HKLM..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe (Synaptics, Inc.)
O4 - HKLM..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe (Synaptics, Inc.)
O4 - HKLM..\Run: [vptray] C:\Program Files\Symantec AntiVirus\VPTray.exe (Symantec Corporation)
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKU\S-1-5-19..\Run: [misamikafi] C:\Windows\System32\wibiragu.DLL File not found
O4 - HKU\S-1-5-19..\Run: [Sidebar] C:\Program Files\Windows Sidebar\Sidebar.exe (Microsoft Corporation)
O4 - HKU\S-1-5-19..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.DLL (Microsoft Corporation)
O4 - HKU\S-1-5-20..\Run: [misamikafi] C:\Windows\System32\wibiragu.DLL File not found
O4 - HKU\S-1-5-20..\Run: [Sidebar] C:\Program Files\Windows Sidebar\Sidebar.exe (Microsoft Corporation)
O4 - HKU\S-1-5-20..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.DLL (Microsoft Corporation)
O4 - HKU\S-1-5-21-1679199247-1024483943-2079821399-1000..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe (Nero AG)
O4 - HKU\S-1-5-21-1679199247-1024483943-2079821399-1000..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe (Microsoft Corporation)
O4 - HKU\S-1-5-21-1679199247-1024483943-2079821399-1000..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe (Microsoft Corporation)
O4 - HKLM..\RunOnce: [*WerKernelReporting] C:\Windows\System32\WerFault.exe (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 2
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableInstallerDetection = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableSecureUIAPaths = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableVirtualization = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ValidateAdminCodeSignatures = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: scforceoption = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: FilterAdministratorToken = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableUIADesktopToggle = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_TEXT = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_BITMAP = 2
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_OEMTEXT = 7
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_DIB = 8
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_PALETTE = 9
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_UNICODETEXT = 13
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_DIBV5 = 17
O7 - HKU\S-1-5-21-1679199247-1024483943-2079821399-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE File not found
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll (Sun Microsystems, Inc.)
O9 - Extra Button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe (America Online, Inc.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O13 - gopher Prefix: missing
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.94.156.1 68.94.157.1
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11D1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11D1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11D1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11D1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ipp - No CLSID value found
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11D1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11D1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11D1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O20 - AppInit_DLLs: (C:\Windows\system32\wesofege.dll) - C:\Windows\System32\wesofege.dll ()
O20 - AppInit_DLLs: (c:\windows\system32\gujayiwo.dll) - C:\Windows\System32\gujayiwo.dll ()
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\Explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (rundll32.exe) - File not found
O20 - HKLM Winlogon: Shell - (tapi.nfo) - C:\Windows\System32\tapi.nfo ()
O20 - HKLM Winlogon: Shell - (beforeglav) - File not found
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\drivers\smss.exe) - C:\Windows\System32\drivers\smss.exe (PROMO Software)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\Windows\System32\igfxdev.dll (Intel Corporation)
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - C:\Windows\System32\gujayiwo.dll ()
O22 - SharedTaskScheduler: {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - STS - C:\Windows\System32\gujayiwo.dll ()
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 14:43:36 | 00,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O33 - MountPoints2\{255d9dca-ceef-11dd-9565-0016d4fd1b50}\Shell\Explore\command - "" = E:\system.exe -- File not found
O33 - MountPoints2\{255d9dca-ceef-11dd-9565-0016d4fd1b50}\Shell\Open\command - "" = E:\system.exe -- File not found
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\Windows\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found

========== Files/Folders - Created Within 30 Days ==========

[2099/01/01 12:00:00 | 00,011,168 | -H-- | C] () -- C:\Windows\System32\junejosi
[2009/08/31 17:51:38 | 00,514,048 | ---- | C] (OldTimer Tools) -- C:\Users\Andy\Desktop\OTL.exe
[2009/08/31 08:10:40 | 00,018,816 | ---- | C] (Sophos Plc) -- C:\Windows\System32\SAVRKBootTasks.sys
[2009/08/31 00:39:01 | 00,000,000 | ---- | C] () -- C:\Users\Andy\Desktop\settings.dat
[2009/08/30 20:15:57 | 00,000,000 | ---D | C] -- C:\Program Files\Sophos
[2009/08/30 19:43:56 | 00,464,491 | ---- | C] () -- C:\Users\Andy\Desktop\RootRepeal.zip
[2009/08/30 17:43:14 | 00,000,000 | -H-D | C] -- C:\Windows\PIF
[2009/08/30 17:30:26 | 00,000,007 | ---- | C] () -- C:\Windows\System32\cmpwrap.dat
[2009/08/30 17:15:25 | 00,000,680 | ---- | C] () -- C:\Users\Andy\AppData\Local\d3d9caps.dat
[2009/08/30 16:21:57 | 00,000,004 | ---- | C] () -- C:\Windows\System32\bincd32.dat
[2009/08/30 15:40:52 | 00,019,968 | ---- | C] () -- C:\Windows\System32\uacserf.dll
[2009/08/30 15:40:45 | 00,954,368 | ---- | C] () -- C:\Windows\System32\uacav.dll
[2009/08/30 15:40:44 | 00,000,174 | ---- | C] () -- C:\Windows\System32\uacsr.dat
[2009/08/30 15:40:43 | 00,006,536 | ---- | C] () -- C:\Windows\System32\uacinit.dll
[2009/08/30 15:33:00 | 00,019,456 | ---- | C] () -- C:\Users\Andy\Desktop\DS.doc
[2009/08/30 15:26:19 | 00,008,547 | ---- | C] () -- C:\Windows\System32\wispex.html
[2009/08/30 15:26:18 | 00,000,000 | ---D | C] -- C:\Windows\System32\images
[2009/08/30 15:25:07 | 00,000,003 | ---- | C] () -- C:\Windows\ppp3.dat
[2009/08/30 15:25:06 | 00,163,840 | ---- | C] () -- C:\Windows\svchasts.exe
[2009/08/30 15:25:06 | 00,000,058 | ---- | C] () -- C:\Windows\ppp4.dat
[2009/08/30 15:24:52 | 00,488,960 | ---- | C] (ASC - AntiSpyware) -- C:\Windows\System32\dddesot.dll
[2009/08/30 15:24:49 | 00,000,009 | ---- | C] () -- C:\Windows\System32\bennuar.old
[2009/08/30 15:24:47 | 00,000,036 | ---- | C] () -- C:\Windows\System32\sysnet.dat
[2009/08/30 15:24:44 | 00,000,097 | ---- | C] () -- C:\Windows\System32\sonhelp.htm
[2009/08/30 15:24:09 | 80,674,309 | ---- | C] () -- C:\Users\Andy\Desktop\1969_Mario_And_Sonic_At_The_Olympic_Games_USA_NDS-Micronauts.zip
[2009/08/30 15:22:04 | 00,000,000 | ---D | C] -- C:\ProgramData\14963174
[2009/08/30 15:19:47 | 00,042,496 | ---- | C] (PROMO Software) -- C:\Windows\System32\drivers\smss.exe
[2009/08/30 15:19:23 | 00,025,088 | ---- | C] () -- C:\Windows\System32\tapi.nfo
[2009/08/30 15:19:06 | 00,024,064 | ---- | C] () -- C:\Windows\System32\UACtbuikidmxq.dll
[2009/08/30 15:18:08 | 00,050,176 | ---- | C] () -- C:\Windows\System32\drivers\UACektwekpwxy.sys
[2009/08/30 15:16:34 | 12,961,228 | ---- | C] () -- C:\Users\Andy\Desktop\1924_Imagine_Master_Chef_USA_NDS-SirVG.zip
[2009/08/17 22:41:37 | 00,024,064 | ---- | C] () -- C:\Users\Andy\Desktop\Alaska.doc
[2009/08/16 14:44:41 | 00,019,968 | ---- | C] () -- C:\Users\Andy\Desktop\List_of_things_to_bring_on_the_Cruise.doc
[2009/08/04 00:12:07 | 00,000,000 | ---D | C] -- C:\Users\Andy\Documents\AnyDVDHD
[2009/08/03 23:56:43 | 00,000,040 | -HS- | C] () -- C:\ProgramData\.zreglib
[2009/08/03 23:56:43 | 00,000,000 | ---D | C] -- C:\ProgramData\SlySoft
[2009/08/03 23:54:41 | 00,000,894 | ---- | C] () -- C:\Users\Public\Desktop\AnyDVD.lnk
[2009/08/03 23:54:29 | 00,000,000 | ---D | C] -- C:\Program Files\SlySoft
[2009/08/03 23:53:18 | 00,000,000 | ---D | C] -- C:\AnyDVD & AnyDVD HD v6.5.4.9 FINAL + Patch-Reg By ChattChitto
[2009/08/03 23:25:40 | 00,000,000 | ---D | C] -- C:\Windows\Minidump
[2009/08/03 23:25:04 | 17,903,3777 | ---- | C] () -- C:\Windows\MEMORY.DMP
[2009/05/31 17:46:26 | 00,006,489 | -HS- | C] () -- C:\Windows\System32\lujorosu.dll
[2009/05/31 17:46:17 | 00,084,480 | -HS- | C] () -- C:\Windows\System32\gujayiwo.dll
[2009/05/31 17:46:17 | 00,037,376 | -HS- | C] () -- C:\Windows\System32\yehifuni.dll
[2009/05/31 03:19:35 | 00,049,664 | -HS- | C] () -- C:\Windows\System32\wesofege.dll
[2009/05/31 03:19:35 | 00,049,664 | -HS- | C] () -- C:\Windows\System32\goradoja.dll
[2009/05/31 03:19:35 | 00,049,664 | -HS- | C] () -- C:\Windows\System32\boyedoha.dll
[2009/05/31 03:19:02 | 00,084,992 | -HS- | C] () -- C:\Windows\System32\sakobusi.dll
[2009/05/31 03:19:02 | 00,049,664 | -HS- | C] () -- C:\Windows\System32\likehiko.dll
[2009/05/31 03:19:02 | 00,038,400 | -HS- | C] () -- C:\Windows\System32\vemidiyu.dll
[2009/05/30 15:19:10 | 00,006,489 | -HS- | C] () -- C:\Windows\System32\kopavawi.dll
[2009/05/30 15:18:46 | 00,209,408 | -HS- | C] () -- C:\Windows\System32\rumadune.dll
[2009/05/30 15:18:46 | 00,209,408 | -HS- | C] () -- C:\Windows\System32\pojevejo.dll
[2008/04/15 19:02:18 | 00,717,296 | ---- | C] () -- C:\Windows\System32\drivers\sptd.sys
[2008/03/26 19:00:49 | 00,061,440 | ---- | C] () -- C:\Windows\System32\cygz.dll
[2008/02/11 19:55:18 | 00,147,456 | ---- | C] () -- C:\Windows\System32\igfxCoIn_v1437.dll
[2007/10/18 10:12:20 | 00,147,456 | ---- | C] () -- C:\Windows\System32\igfxCoIn_v1350.dll
[2007/09/25 18:56:26 | 00,000,182 | ---- | C] () -- C:\Windows\NeroDigital.ini
[2007/09/16 16:42:17 | 00,000,000 | ---- | C] () -- C:\Windows\ToDisc.INI
[2007/09/07 00:19:57 | 00,000,376 | ---- | C] () -- C:\Windows\ODBC.INI
[2007/09/06 23:34:19 | 00,000,000 | ---- | C] () -- C:\Windows\vpc32.INI
[2007/08/24 19:46:48 | 00,147,456 | ---- | C] () -- C:\Windows\System32\igfxCoIn_v1322.dll
[2007/01/05 16:35:18 | 00,000,000 | ---- | C] () -- C:\Windows\NDSTray.INI
[2007/01/05 15:59:02 | 00,204,800 | ---- | C] () -- C:\Windows\System32\IVIresizeW7.dll
[2007/01/05 15:59:02 | 00,200,704 | ---- | C] () -- C:\Windows\System32\IVIresizeA6.dll
[2007/01/05 15:59:02 | 00,192,512 | ---- | C] () -- C:\Windows\System32\IVIresizeP6.dll
[2007/01/05 15:59:02 | 00,192,512 | ---- | C] () -- C:\Windows\System32\IVIresizeM6.dll
[2007/01/05 15:59:02 | 00,188,416 | ---- | C] () -- C:\Windows\System32\IVIresizePX.dll
[2007/01/05 15:59:02 | 00,020,480 | ---- | C] () -- C:\Windows\System32\IVIresize.dll
[2007/01/05 15:35:11 | 00,128,113 | ---- | C] () -- C:\Windows\System32\csellang.ini
[2007/01/05 15:35:11 | 00,045,056 | ---- | C] () -- C:\Windows\System32\csellang.dll
[2007/01/05 15:35:11 | 00,010,150 | ---- | C] () -- C:\Windows\System32\tosmreg.ini
[2007/01/05 15:35:11 | 00,007,671 | ---- | C] () -- C:\Windows\System32\cseltbl.ini
[2006/11/28 22:12:18 | 00,204,800 | ---- | C] () -- C:\Windows\System32\igfxCoIn_v1132.dll
[2006/11/24 08:48:44 | 00,036,864 | ---- | C] () -- C:\Windows\System32\HWS_Ctrl.dll
[2006/11/02 05:35:32 | 00,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
[2006/11/02 03:23:31 | 00,000,219 | ---- | C] () -- C:\Windows\system.ini
[2006/11/02 03:23:31 | 00,000,144 | ---- | C] () -- C:\Windows\win.ini
[2006/11/02 01:43:04 | 00,062,464 | ---- | C] () -- C:\Windows\System32\cngaudit.dll
[2006/11/02 00:40:29 | 00,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
[2006/03/09 10:58:00 | 01,060,424 | ---- | C] () -- C:\Windows\System32\WdfCoInstaller01000.dll

========== Files - Modified Within 30 Days ==========

[2009/08/31 18:03:43 | 00,011,168 | -H-- | M] () -- C:\Windows\System32\junejosi
[2009/08/31 18:02:11 | 00,718,152 | ---- | M] () -- C:\Windows\System32\PerfStringBackup.INI
[2009/08/31 18:02:11 | 00,619,500 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2009/08/31 18:02:11 | 00,104,510 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2009/08/31 17:54:51 | 00,003,696 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2009/08/31 17:54:51 | 00,003,696 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2009/08/31 17:54:14 | 00,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2009/08/31 17:53:02 | 00,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2009/08/31 17:51:40 | 00,514,048 | ---- | M] (OldTimer Tools) -- C:\Users\Andy\Desktop\OTL.exe
[2009/08/31 17:49:13 | 00,000,004 | ---- | M] () -- C:\Windows\System32\bincd32.dat
[2009/08/31 17:47:17 | 00,831,012 | -HS- | M] () -- C:\Windows\System32\yayutoto.exe
[2009/08/31 17:46:19 | 00,084,480 | -HS- | M] () -- C:\Windows\System32\gujayiwo.dll
[2009/08/31 17:46:18 | 00,037,376 | -HS- | M] () -- C:\Windows\System32\yehifuni.dll
[2009/08/31 17:45:10 | 17,903,3777 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2009/08/31 03:19:33 | 00,049,664 | -HS- | M] () -- C:\Windows\System32\likehiko.dll
[2009/08/31 03:19:12 | 00,831,524 | -HS- | M] () -- C:\Windows\System32\dagamami.exe
[2009/08/31 03:19:03 | 00,084,992 | -HS- | M] () -- C:\Windows\System32\sakobusi.dll
[2009/08/31 03:19:02 | 00,038,400 | -HS- | M] () -- C:\Windows\System32\vemidiyu.dll
[2009/08/31 00:39:01 | 00,000,000 | ---- | M] () -- C:\Users\Andy\Desktop\settings.dat
[2009/08/30 20:09:53 | 00,000,182 | ---- | M] () -- C:\Windows\NeroDigital.ini
[2009/08/30 20:09:45 | 00,000,680 | ---- | M] () -- C:\Users\Andy\AppData\Local\d3d9caps.dat
[2009/08/30 20:03:56 | 00,006,536 | ---- | M] () -- C:\Windows\System32\uacinit.dll
[2009/08/30 19:44:00 | 00,464,491 | ---- | M] () -- C:\Users\Andy\Desktop\RootRepeal.zip
[2009/08/30 17:30:26 | 00,000,007 | ---- | M] () -- C:\Windows\System32\cmpwrap.dat
[2009/08/30 15:40:52 | 00,019,968 | ---- | M] () -- C:\Windows\System32\uacserf.dll
[2009/08/30 15:40:49 | 00,954,368 | ---- | M] () -- C:\Windows\System32\uacav.dll
[2009/08/30 15:40:44 | 00,000,174 | ---- | M] () -- C:\Windows\System32\uacsr.dat
[2009/08/30 15:37:38 | 00,488,960 | ---- | M] (ASC - AntiSpyware) -- C:\Windows\System32\dddesot.dll
[2009/08/30 15:35:17 | 00,000,058 | ---- | M] () -- C:\Windows\ppp4.dat
[2009/08/30 15:35:17 | 00,000,003 | ---- | M] () -- C:\Windows\ppp3.dat
[2009/08/30 15:33:05 | 00,019,456 | ---- | M] () -- C:\Users\Andy\Desktop\DS.doc
[2009/08/30 15:25:07 | 00,163,840 | ---- | M] () -- C:\Windows\svchasts.exe
[2009/08/30 15:24:49 | 00,000,009 | ---- | M] () -- C:\Windows\System32\bennuar.old
[2009/08/30 15:24:47 | 00,000,036 | ---- | M] () -- C:\Windows\System32\sysnet.dat
[2009/08/30 15:24:44 | 00,000,097 | ---- | M] () -- C:\Windows\System32\sonhelp.htm
[2009/08/30 15:24:35 | 80,674,309 | ---- | M] () -- C:\Users\Andy\Desktop\1969_Mario_And_Sonic_At_The_Olympic_Games_USA_NDS-Micronauts.zip
[2009/08/30 15:19:07 | 00,024,064 | ---- | M] () -- C:\Windows\System32\UACtbuikidmxq.dll
[2009/08/30 15:19:02 | 00,831,012 | -HS- | M] () -- C:\Windows\System32\yediyigu.exe
[2009/08/30 15:18:55 | 00,209,408 | -HS- | M] () -- C:\Windows\System32\rumadune.dll
[2009/08/30 15:18:55 | 00,209,408 | -HS- | M] () -- C:\Windows\System32\pojevejo.dll
[2009/08/30 15:18:27 | 00,042,496 | ---- | M] (PROMO Software) -- C:\Windows\System32\drivers\smss.exe
[2009/08/30 15:18:18 | 00,050,176 | ---- | M] () -- C:\Windows\System32\drivers\UACektwekpwxy.sys
[2009/08/30 15:17:28 | 00,025,088 | ---- | M] () -- C:\Windows\System32\tapi.nfo
[2009/08/30 15:17:16 | 12,961,228 | ---- | M] () -- C:\Users\Andy\Desktop\1924_Imagine_Master_Chef_USA_NDS-SirVG.zip
[2009/08/27 21:55:17 | 01,636,471 | -H-- | M] () -- C:\Users\Andy\AppData\Local\IconCache.db
[2009/08/27 21:40:49 | 00,024,064 | ---- | M] () -- C:\Users\Andy\Desktop\Alaska.doc
[2009/08/26 02:24:45 | 00,008,547 | ---- | M] () -- C:\Windows\System32\wispex.html
[2009/08/16 14:48:09 | 00,019,968 | ---- | M] () -- C:\Users\Andy\Desktop\List_of_things_to_bring_on_the_Cruise.doc
[2009/08/13 09:30:56 | 00,076,288 | ---- | M] () -- C:\Users\Andy\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/08/05 20:32:41 | 00,002,231 | ---- | M] () -- C:\Users\Public\Desktop\iTunes.lnk
[2009/08/04 00:00:50 | 00,000,040 | -HS- | M] () -- C:\ProgramData\.zreglib
[2009/08/03 23:54:41 | 00,000,894 | ---- | M] () -- C:\Users\Public\Desktop\AnyDVD.lnk

========== Alternate Data Streams ==========

@Alternate Data Stream - 24 bytes -> C:\Windows:C42C5CA0AEAFE9D5
< End of report >

Edited by forever681, 31 August 2009 - 09:41 PM.
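
The OTL report above is read by hand by the helpers in this forum. As an added example (not part of this thread and not code from OTL or its author), the Python script below applies the first checks a malware analyst makes to lines of such a report: autostart modules in System32 with no publisher, extra Winlogon Shell values, a replaced UserInit, AppInit_DLLs, UAC switched off (EnableLUA = 0), autostarts that point at missing files, and hidden+system executables or impossible timestamps in System32. Its sample input is a constructed selection of lines copied from the log above; the report date is the one in the log header. The rule names and reason strings are this example's own.

```python
"""Triage helper for OTL (OldTimer's OTL) log lines.

Added example, not code from the OTL tool or from this thread. It runs a few
defender-side heuristics over the registry and file sections of an OTL report
and returns the lines worth a second look, each with the reason.
"""
import re

REPORT_DATE = "2009/08/31"  # date the report above was generated

# Constructed sample: a selection of lines copied from the OTL log in post #1.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {036d6a92-7b48-4e06-a62f-c3401eb016a3} - C:\Windows\System32\boyedoha.dll ()
O4 - HKLM..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)
O4 - HKLM..\Run: [CPM51766c3b] C:\Windows\System32\gujayiwo.DLL ()
O4 - HKU\S-1-5-19..\Run: [misamikafi] C:\Windows\System32\wibiragu.DLL File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O20 - AppInit_DLLs: (C:\Windows\system32\wesofege.dll) - C:\Windows\System32\wesofege.dll ()
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\Explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (tapi.nfo) - C:\Windows\System32\tapi.nfo ()
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\drivers\smss.exe) - C:\Windows\System32\drivers\smss.exe (PROMO Software)
O33 - MountPoints2\{255d9dca-ceef-11dd-9565-0016d4fd1b50}\Shell\Open\command - "" = E:\system.exe -- File not found
[2099/01/01 12:00:00 | 00,011,168 | -H-- | C] () -- C:\Windows\System32\junejosi
[2009/05/31 17:46:17 | 00,084,480 | -HS- | C] () -- C:\Windows\System32\gujayiwo.dll
[2009/08/31 17:51:38 | 00,514,048 | ---- | C] (OldTimer Tools) -- C:\Users\Andy\Desktop\OTL.exe
"""

# Trailing "<path> (<publisher>)" of a registry entry. The tempered dot stops
# the match from starting at an earlier drive letter on the same line.
PATH_PUB = re.compile(r'(?P<path>[A-Za-z]:\\(?:(?![A-Za-z]:\\).)+?)\s+\((?P<pub>[^()]*)\)\s*$')
# "[date time | size | attrs | C/M] (publisher) -- path" lines of the file sections.
FILE_ENTRY = re.compile(
    r'^\[(?P<date>\d{4}/\d{2}/\d{2}) [\d:]+ \| [\d,]+ \| (?P<attr>[-A-Z]{4}) \| [CM]\] '
    r'\((?P<pub>[^()]*)\) -- (?P<path>.+)$')
SYSTEM32 = re.compile(r'^[A-Za-z]:\\windows\\system32\\', re.IGNORECASE)
EXECUTABLE = ('.dll', '.exe', '.sys')
AUTOSTART_TAGS = ('O2', 'O4', 'O20', 'O21', 'O22')


def classify(line, report_date=REPORT_DATE):
    """Return a reason string if the line trips a heuristic, else None.

    Rules are checked in order; the first one that matches wins.
    """
    tag = line.split(' ', 1)[0]
    m = PATH_PUB.search(line)
    path = m.group('path') if m else ''
    pub = m.group('pub').strip() if m else None

    if tag in ('O4', 'O33') and line.endswith('File not found'):
        return 'autostart points at a missing file'
    if line.startswith('O20 - AppInit_DLLs'):
        return 'AppInit_DLLs entry loads a DLL into every process'
    if line.startswith('O20 - HKLM Winlogon: Shell') and not path.lower().endswith(r'\windows\explorer.exe'):
        return 'extra Winlogon Shell value (only Explorer.exe is expected)'
    if line.startswith('O20 - HKLM Winlogon: UserInit') and path.lower() != r'c:\windows\system32\userinit.exe':
        return 'Winlogon UserInit replaced'
    if tag == 'O6' and line.endswith('EnableLUA = 0'):
        return 'UAC disabled (EnableLUA = 0)'
    if tag in AUTOSTART_TAGS and pub == '' and SYSTEM32.match(path):
        return 'autostart module in System32 with no publisher'
    f = FILE_ENTRY.match(line)
    if f:
        if f.group('date') > report_date:  # yyyy/mm/dd compares as text
            return 'file timestamp is later than the report date'
        attr = f.group('attr')
        fpath = f.group('path')
        if 'H' in attr and 'S' in attr and SYSTEM32.match(fpath) and fpath.lower().endswith(EXECUTABLE):
            return 'hidden+system executable in System32'
    return None


def triage(log_text, report_date=REPORT_DATE):
    """Return [(reason, line)] for every non-blank line that trips a heuristic."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        reason = classify(line, report_date)
        if reason:
            findings.append((reason, line))
    return findings


if __name__ == '__main__':
    for reason, line in triage(SAMPLE_LOG):
        print(f'{reason}\n    {line}')
```

Run against the sample, ten of the thirteen lines are flagged; the Symantec ccApp entry, the genuine Explorer.exe shell value and OTL.exe itself pass. The heuristics are deliberately loose (a missing-publisher check will also hit legitimate unsigned software), so the output is a reading order for a human, not a verdict.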




#2 SifuMike

    malware expert

  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 03 September 2009 - 10:20 PM

Hello forever681,

I can't run malware byte or any exe file on my computer


See if this helps:
This utility fixes the exe file associations in the registry automatically. http://windowsxp.mvps.org/exefile.htm


If the above works, then download RootRepeal from the following location and save it to your desktop.
  • Unzip the RootRepeal.zip file to its own folder. (If you did not use the "Direct Download" mirror to download RootRepeal.)
  • Close/Disable all other programs, especially your security programs (anti-spyware, anti-virus, and firewall). Refer to this page if you are unsure how.
  • Physically disconnect your machine from the internet as your system will be unprotected.
  • Double-click on RootRepeal.exe to run it. If you are using Vista, please right-click and run as Administrator...
  • Click the Posted Image tab at the bottom.
  • Now press the Posted Image button.
  • A box will pop up, check the boxes beside All Seven options/scan area
  • Now click OK.
  • Another box will open, check the boxes beside all the drives, eg : C:\, then click OK.
  • The scan will take a little while to run, so let it go unhindered.
  • Once it is done, click the Save Report button.
  • Save it as RepealScan and save it to your desktop
  • Reconnect to the internet.
  • Post the contents of that log in your reply please.
Post those logs back in your next reply.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 forever681
  • Topic Starter

  • Members
  • 118 posts

Posted 03 September 2009 - 11:50 PM

I was able to run RootRepeal; after it had scanned for about a minute, it just shut down by itself and went back to the desktop folder. Please advise.

#4 SifuMike

    malware expert

  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 03 September 2009 - 11:59 PM

Hi,

Let's see if this one works. :(


Please download Sophos Anti-rootkit & save it to your desktop.
alternate download link
Note: If using the vendor's download site you will be asked to register with MySophos so an email containing an activation link can be sent to your email address.

Be sure to print out and read the Sophos Anti-Rootkit User Manual and Release Notes.
  • Double-click sar_15_sfx.exe to begin the installation, read the license agreement and click Accept.
  • Allow the default location of C:\Program Files\Sophos\Sophos Anti-Rootkit and click Install.
  • A message will appear "Sophos Anti-Rootkit was successfully installed. Click 'yes' to start it now".
  • Click Yes and allow the driver and its randomly named .tmp file (e.g. F.tmp) to load if asked.
  • If the scan did not start automatically, make sure the following are checked:
    • Running processes
    • Windows Registry
    • Local Hard Drives
  • Click Start scan.
  • Sophos Anti-Rootkit will scan the selected areas and display any suspicious files in the upper panel.
  • When the scan is complete, a pop-up screen will appear with "Rootkit Scan Results". Click OK to continue.
  • Click on the suspicious file to display more information about it in the lower panel which also includes whether the item is recommended for removal.
    • Files tagged as Removable: No are not marked for removal and cannot be removed.
    • Files tagged as Removable: Yes (clean up recommended) are marked for removal by default.
    • Files tagged as Removable: Yes (but clean up not recommended) are not marked for removal because Sophos did not recognize them. These files will require further investigation.
  • Select only items recommended for removal, then click "Clean up checked items". You will be asked to confirm, click Yes.
  • A pop up window will appear advising the cleanup will finish when you restart your computer. Click Restart Now.
  • After reboot, a dialog box displays the files you selected for removal and the action taken.
  • Click Empty list and then click Continue to re-scan your computer a second time to ensure everything was cleaned.
  • When done, go to Start > Run and type or copy/paste: %temp%\sarscan.log
  • This should open the log from the rootkit scan. Please post this log in your next reply. If you have a problem, you can find sarscan.log in C:\Documents and Settings\\Local Settings\Temp\.
Before performing an ARK scan it is recommended to do the following to ensure more accurate results and avoid common issues that may cause false detections.
  • Disconnect from the Internet or physically unplug your Internet cable connection.
  • Clean out your temporary files.
  • Close all open programs, scheduling/updating tasks and background processes that might activate during the scan including the screensaver.
  • Temporarily disable your anti-virus and real-time anti-spyware protection.
  • After starting the scan, do not use the computer until the scan has completed.
  • When finished, re-enable your anti-virus/anti-malware (or reboot) and then you can reconnect to the Internet.


#5 forever681

Posted 04 September 2009 - 09:51 AM

Sophos Anti-Rootkit Version 1.5.0 © 2009 Sophos Plc
Started logging on 8/30/2009 at 20:17:27 PM
User "Andy" on computer "ANDY-TOSHIBA"
Windows version 6.0 SP 1.0 Service Pack 1 build 6001 SM=0x300 PT=0x1 Win32
Info: Starting process scan.
Info: Starting registry scan.
Hidden: registry item \HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\WDM\DREDGE\USBSTOR\Disk&Ven_Sony&Prod_Storage_Media&Rev_0100\5A08073116640&0_0-{05901221-D566-11d1-B2F0-00A0C9062910}
Hidden: registry item \HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\kbiwkmrinbqbek
Hidden: registry item \HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\kbiwkmrinbqbek
Hidden: registry item \HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\kbiwkmrinbqbek
Info: Starting disk scan of C: (NTFS).
Hidden: file C:\Windows\System32\DivX.dll
Hidden: file C:\Users\Andy\Desktop\RootRepeal\RootRepeal.exe
Hidden: file C:\Program Files\DVDFab 5\Options\DVDFabMobile.exe
Hidden: file C:\Program Files\InstallShield Installation Information\{20471B27-D702-4FE8-8DEC-0702CC8C0A85}\ISSetup.dll
Hidden: file C:\Program Files\InstallShield Installation Information\{8833FFB6-5B0C-4764-81AA-06DFEED9A476}\ISSetup.dll
Hidden: file C:\Program Files\InstallShield Installation Information\{F7B05784-334C-4F76-8BAB-30ABEB7FD534}\ISSetup.dll
Hidden: file C:\Program Files\DVD Shrink\DVD Shrink 3.2.exe
Hidden: file C:\Windows\System32\drivers\sptd.sys
Hidden: file C:\ImTOO_Complete_Package\ImTOO Complete Package\3gp-video-converter.exe
Hidden: file C:\ImTOO_Complete_Package\ImTOO Complete Package\audio-encoder.exe
Hidden: file C:\ImTOO_Complete_Package\ImTOO Complete Package\cd-ripper.exe
Hidden: file C:\ImTOO_Complete_Package\ImTOO Complete Package\dvd-audio-ripper.exe
Hidden: file C:\ImTOO_Complete_Package\ImTOO Complete Package\dvd-creator.exe
Hidden: file C:\ImTOO_Complete_Package\ImTOO Complete Package\dvd-ripper.exe
Hidden: file C:\ImTOO_Complete_Package\ImTOO Complete Package\ipod-movie-converter.exe
Hidden: file C:\ImTOO_Complete_Package\ImTOO Complete Package\mov-converter.exe
Hidden: file C:\ImTOO_Complete_Package\ImTOO Complete Package\mpeg-encoder.exe
Hidden: file C:\ImTOO_Complete_Package\ImTOO Complete Package\psp-video-converter.exe
Hidden: file C:\Program Files\uTorrent\uTorrent.exe
Hidden: file C:\ProgramData\WildTangent\oem-eula.exe
Hidden: file C:\Program Files\Nero\Nero8\Nero Mobile\SetupNeroMobile.exe
Hidden: file C:\ProgramData\Symantec\SRTSP\Quarantine\APQ169A.tmp
Hidden: file C:\Program Files\ApecSoft\AVI 3GP Joiner\AVI3GPJoiner.exe
Hidden: file C:\Program Files\ImgBurn\ImgBurn.exe
Hidden: file C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
Hidden: file C:\Windows\System32\dddesot.dll
Hidden: file C:\Windows\System32\cngaudit.dll
Hidden: file C:\Users\Andy\Desktop\b\RootRepeal.exe
Hidden: file C:\SetupDVDDecrypter_3.5.4.0.exe
Hidden: file C:\Program Files\DVD Decrypter\DVDDecrypter.exe
Hidden: file C:\Users\Andy\AppData\Roaming\Move Networks\ie_bin\qsp2ie071303000004.dll
Hidden: file C:\ProgramData\Microsoft\Search\Data\Applications\Windows\tmp.edb
Hidden: file C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
Hidden: file C:\Windows\System32\resdll.dll
Hidden: file C:\Windows\System32\wscsvc32.exe
Hidden: file C:\Windows\System32\uacbbr.dll
Hidden: file C:\Windows\Temp\Installer.exe
Hidden: file C:\Windows\System32\kbiwkmbisilcxq.dat
Hidden: file C:\Users\Andy\AppData\Local\Temp\Temporary Internet Files\Content.IE5\JPHBUD1S\Po.nU7.UL_w9K6gIBiOVLpH8IQGEEvyDX8oO.u6gGIgVl7iyTsAFIYfZhcpdc8Njqs.nKxpMpdGf3ghdedaEY9JYGX0Po3DD7MoPkqgPf7SgGW1u7DCBwLVRIEDWWpBdoLL_LIknW131zrBhHkWtMf.FN602vhHbM9o5849LvABKmgq[1]
Hidden: file C:\Users\Andy\AppData\Local\Temp\Temporary Internet Files\Content.IE5\HA7E28SB\X2vHlXznSwrg3Bz5KvQNs.266opvvCfN[1].wukljh5SKr2XtoIfZXzS3cdXtRw0rYivQZIYryErNEXDgU5PNILLjzTMjKIzv0jk2yKBwgPSNk5Y284S2fXnOAjIUGFqt2hD5CBT3mP1EW3qh8jiEdR1Z8252T9IIoWabQU7K_ax8oAPUW
Hidden: file C:\Users\Andy\AppData\Local\Temp\Temporary Internet Files\Content.IE5\1G2BXSIH\Po.nU7.UL_w9K6gIBiOVLpH8IQGEEvyDX8oO.u6gGIgVl7iyTsAFIYfZhcpdc8Njqs.nKxpMpdGf3ghdedaEY9JYGX0Po3DD7MoPkqgPf7SgGW1u7DCBwLVRIEDWWpBdoLL_LIknW131zrBhHkWtMf.FN602vhHbM9o5849LvABKmgq[1]
Hidden: file C:\Users\Andy\AppData\Local\Temp\mpnewhrmmr.tmp
Hidden: file C:\Windows\System32\drivers\kbiwkmpaprrwvn.sys
Hidden: file C:\Windows\System32\kbiwkmbpyxtlcc.dll
Hidden: file C:\Windows\System32\kbiwkmocroytlc.dat
Hidden: file C:\Windows\System32\kbiwkmbvxuvvyd.dll
Hidden: file C:\Users\Andy\AppData\Local\Temp\Temporary Internet Files\Content.IE5\HA7E28SB\08KJw6kJ19mbA9EVGL0qQkizfbAhkFATyNlldOdMYrrTWdaw1177aw1hbvBjxVonik3gxeoULIQq1QAeC1QJ5bkN2An4DlMtVOBGHTCXGE8K4b0fdjay_8sJUqD5.P.fUCuBqwYgY4DMynU1ggqPMsql_3qJvCxOCMViV0R9WOe[1].css
Hidden: file C:\Users\Andy\AppData\Local\Temp\Temporary Internet Files\Content.IE5\M07LW3SF\.sm[1].8b__VHKShNnZF_pJmHG5Fl45QXgXOANf7IX6rPAHNgtNE4kA5AhaDqHkl1FG284DNZIkEvGEIN6ThTzod7vIbxlHuUWZydR9HNjPgUYTqhxPKhUQwoFhvngaB4KlWJWaPA5pFeCBfXwYjW_FsuzIpSOtEj1dmhjR3__8AC3WSxh
Hidden: file C:\Users\Andy\AppData\Local\Temp\Temporary Internet Files\Content.IE5\HA7E28SB\yoPTLtgshDKmUo_gaBByUasYgAzgu6MwU2Jlid4ubz.AeJjQ9tqpYwuIQSpxcN9O_.ryBT2ZGLRUzFngKIgR4PTLQYk418Z_AeyFagnRl3jM3mnKNpE5zQ1cQuluQm8lwkaO5srQCa3UbJOTaLivSbnCtzcWheM7GYirc_P_C_j[1].css
Hidden: file C:\Users\Andy\AppData\Local\Temp\Temporary Internet Files\Content.IE5\E37B8E21\.sm[1].8b__VHKShNnZF_pJmHG5Fl45QXgXOANf7IX6rPAHNgtNE4kA5AhaDqHkl1FG284DNZIkEvGEIN6ThTzod7vIbxlHuUWZydR9HNjPgUYTqhxPKhUQwoFhvngaB4KlWJWaPA5pFeCBfXwYjW_FsuzIpSOtEj1dmhjR3__8AC3WSxh
Hidden: file C:\Users\Andy\Desktop\a\RootRepeal.exe
Stopped logging on 8/30/2009 at 21:38:25 PM


Sophos Anti-Rootkit Version 1.5.0 © 2009 Sophos Plc
Started logging on 8/30/2009 at 21:54:44 PM
User "Andy" on computer "ANDY-TOSHIBA"
Windows version 6.0 SP 1.0 Service Pack 1 build 6001 SM=0x300 PT=0x1 Win32
Info: Starting process scan.
Info: Starting registry scan.
Hidden: registry item \HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\kbiwkmrinbqbek
Hidden: registry item \HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\kbiwkmrinbqbek
Hidden: registry item \HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\kbiwkmrinbqbek
Stopped logging on 8/30/2009 at 22:02:21 PM


Sophos Anti-Rootkit Version 1.5.0 © 2009 Sophos Plc
Started logging on 8/30/2009 at 22:22:01 PM
User "Andy" on computer "ANDY-TOSHIBA"
Windows version 6.0 SP 1.0 Service Pack 1 build 6001 SM=0x300 PT=0x1 Win32
Info: Starting process scan.
Info: Starting registry scan.
Hidden: registry item \HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\kbiwkmrinbqbek
Hidden: registry item \HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\kbiwkmrinbqbek
Hidden: registry item \HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\kbiwkmrinbqbek
Info: Starting disk scan of C: (NTFS).
Hidden: file C:\Windows\System32\DivX.dll
Hidden: file C:\Users\Andy\Desktop\RootRepeal\RootRepeal.exe
Hidden: file C:\Program Files\InstallShield Installation Information\{20471B27-D702-4FE8-8DEC-0702CC8C0A85}\ISSetup.dll
Hidden: file C:\Program Files\InstallShield Installation Information\{8833FFB6-5B0C-4764-81AA-06DFEED9A476}\ISSetup.dll
Hidden: file C:\Program Files\InstallShield Installation Information\{F7B05784-334C-4F76-8BAB-30ABEB7FD534}\ISSetup.dll
Hidden: file C:\Program Files\DVD Shrink\DVD Shrink 3.2.exe
Hidden: file C:\Windows\System32\drivers\sptd.sys
Hidden: file C:\ImTOO_Complete_Package\ImTOO Complete Package\3gp-video-converter.exe
Hidden: file C:\ImTOO_Complete_Package\ImTOO Complete Package\audio-encoder.exe
Hidden: file C:\ImTOO_Complete_Package\ImTOO Complete Package\cd-ripper.exe
Hidden: file C:\ImTOO_Complete_Package\ImTOO Complete Package\dvd-audio-ripper.exe
Hidden: file C:\ImTOO_Complete_Package\ImTOO Complete Package\dvd-creator.exe
Hidden: file C:\ImTOO_Complete_Package\ImTOO Complete Package\dvd-ripper.exe
Hidden: file C:\ImTOO_Complete_Package\ImTOO Complete Package\ipod-movie-converter.exe
Hidden: file C:\ImTOO_Complete_Package\ImTOO Complete Package\mov-converter.exe
Hidden: file C:\ImTOO_Complete_Package\ImTOO Complete Package\mpeg-encoder.exe
Hidden: file C:\ImTOO_Complete_Package\ImTOO Complete Package\psp-video-converter.exe
Hidden: file C:\Program Files\uTorrent\uTorrent.exe
Hidden: file C:\ProgramData\WildTangent\oem-eula.exe
Hidden: file C:\Windows\System32\desote.exe
Hidden: file C:\Program Files\Nero\Nero8\Nero Mobile\SetupNeroMobile.exe
Hidden: file C:\Program Files\ApecSoft\AVI 3GP Joiner\AVI3GPJoiner.exe
Hidden: file C:\Program Files\ImgBurn\ImgBurn.exe
Hidden: file C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
Hidden: file C:\Windows\System32\dddesot.dll
Hidden: file C:\Windows\System32\cngaudit.dll
Hidden: file C:\Users\Andy\Desktop\a\RootRepeal.exe
Hidden: file C:\SetupDVDDecrypter_3.5.4.0.exe
Hidden: file C:\Program Files\DVD Decrypter\DVDDecrypter.exe
Hidden: file C:\Users\Andy\AppData\Roaming\Move Networks\ie_bin\qsp2ie071303000004.dll
Hidden: file C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
Hidden: file C:\Users\Andy\Desktop\b\RootRepeal.exe
Hidden: file C:\Users\Andy\Desktop\c\RootRepeal.exe
Hidden: file C:\Windows\System32\kbiwkmbisilcxq.dat
Hidden: file C:\Windows\System32\drivers\kbiwkmpaprrwvn.sys
Hidden: file C:\Windows\System32\kbiwkmbpyxtlcc.dll
Hidden: file C:\Windows\System32\kbiwkmocroytlc.dat
Hidden: file C:\Windows\System32\kbiwkmbvxuvvyd.dll
Stopped logging on 8/30/2009 at 23:39:56 PM


Sophos Anti-Rootkit Version 1.5.0 © 2009 Sophos Plc
Started logging on 8/31/2009 at 0:41:33 AM
User "Andy" on computer "ANDY-TOSHIBA"
Windows version 6.0 SP 1.0 Service Pack 1 build 6001 SM=0x300 PT=0x1 Win32
Info: Starting process scan.
Info: Starting registry scan.
Hidden: registry item \HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\kbiwkmrinbqbek
Hidden: registry item \HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\kbiwkmrinbqbek
Hidden: registry item \HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\kbiwkmrinbqbek
Info: Starting disk scan of C: (NTFS).
Hidden: file C:\Windows\System32\DivX.dll
Hidden: file C:\Program Files\InstallShield Installation Information\{20471B27-D702-4FE8-8DEC-0702CC8C0A85}\ISSetup.dll
Hidden: file C:\Program Files\InstallShield Installation Information\{8833FFB6-5B0C-4764-81AA-06DFEED9A476}\ISSetup.dll
Hidden: file C:\Program Files\InstallShield Installation Information\{F7B05784-334C-4F76-8BAB-30ABEB7FD534}\ISSetup.dll
Hidden: file C:\Program Files\DVD Shrink\DVD Shrink 3.2.exe
Hidden: file C:\Windows\System32\drivers\sptd.sys
Hidden: file C:\ImTOO_Complete_Package\ImTOO Complete Package\3gp-video-converter.exe
Hidden: file C:\ImTOO_Complete_Package\ImTOO Complete Package\audio-encoder.exe
Hidden: file C:\ImTOO_Complete_Package\ImTOO Complete Package\cd-ripper.exe
Hidden: file C:\ImTOO_Complete_Package\ImTOO Complete Package\dvd-audio-ripper.exe
Hidden: file C:\ImTOO_Complete_Package\ImTOO Complete Package\dvd-creator.exe
Hidden: file C:\ImTOO_Complete_Package\ImTOO Complete Package\dvd-ripper.exe
Hidden: file C:\ImTOO_Complete_Package\ImTOO Complete Package\ipod-movie-converter.exe
Hidden: file C:\ImTOO_Complete_Package\ImTOO Complete Package\mov-converter.exe
Hidden: file C:\ImTOO_Complete_Package\ImTOO Complete Package\mpeg-encoder.exe
Hidden: file C:\ImTOO_Complete_Package\ImTOO Complete Package\psp-video-converter.exe
Hidden: file C:\Program Files\uTorrent\uTorrent.exe
Hidden: file C:\ProgramData\WildTangent\oem-eula.exe
Hidden: file C:\Program Files\Nero\Nero8\Nero Mobile\SetupNeroMobile.exe
Hidden: file C:\Program Files\ApecSoft\AVI 3GP Joiner\AVI3GPJoiner.exe
Hidden: file C:\Program Files\ImgBurn\ImgBurn.exe
Hidden: file C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
Hidden: file C:\Windows\System32\dddesot.dll
Hidden: file C:\Windows\System32\cngaudit.dll
Hidden: file C:\Windows\System32\kbiwkmbisilcxq.dat
Hidden: file C:\Program Files\DVD Decrypter\DVDDecrypter.exe
Hidden: file C:\Users\Andy\AppData\Roaming\Move Networks\ie_bin\qsp2ie071303000004.dll
Hidden: file C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
Hidden: file C:\Users\Andy\AppData\Local\Temp\Temporary Internet Files\Content.IE5\IGCOHOKV\RootRepeal[1].exe
Hidden: file C:\Users\Andy\Desktop\RootRepeal.exe
Hidden: file C:\Windows\Temp\kbiwkmgdgtiurlhb.tmp
Hidden: file C:\Windows\System32\drivers\kbiwkmpaprrwvn.sys
Hidden: file C:\Windows\System32\kbiwkmbpyxtlcc.dll
Hidden: file C:\Windows\System32\kbiwkmocroytlc.dat
Hidden: file C:\Windows\System32\kbiwkmbvxuvvyd.dll
Stopped logging on 8/31/2009 at 2:02:37 AM


Sophos Anti-Rootkit Version 1.5.0 © 2009 Sophos Plc
Started logging on 9/3/2009 at 22:06:31 PM
User "Andy" on computer "ANDY-TOSHIBA"
Windows version 6.0 SP 1.0 Service Pack 1 build 6001 SM=0x300 PT=0x1 Win32
Info: Starting process scan.
Info: Starting registry scan.
Hidden: registry item \HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\kbiwkmrinbqbek
Hidden: registry item \HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\kbiwkmrinbqbek
Hidden: registry item \HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\kbiwkmrinbqbek
Info: Starting disk scan of C: (NTFS).
Hidden: file C:\Windows\System32\DivX.dll
Hidden: file C:\Program Files\DivX\DivXBundleUninstall.exe
Hidden: file C:\Program Files\DVDFab 5\Options\DVDFabMobile.exe
Hidden: file C:\Program Files\InstallShield Installation Information\{20471B27-D702-4FE8-8DEC-0702CC8C0A85}\ISSetup.dll
Hidden: file C:\Program Files\InstallShield Installation Information\{8833FFB6-5B0C-4764-81AA-06DFEED9A476}\ISSetup.dll
Hidden: file C:\Program Files\InstallShield Installation Information\{F7B05784-334C-4F76-8BAB-30ABEB7FD534}\ISSetup.dll
Hidden: file C:\Program Files\DVD Shrink\DVD Shrink 3.2.exe
Hidden: file C:\Windows\System32\drivers\sptd.sys
Hidden: file C:\ImTOO_Complete_Package\ImTOO Complete Package\3gp-video-converter.exe
Hidden: file C:\ImTOO_Complete_Package\ImTOO Complete Package\audio-encoder.exe
Hidden: file C:\ImTOO_Complete_Package\ImTOO Complete Package\cd-ripper.exe
Hidden: file C:\ImTOO_Complete_Package\ImTOO Complete Package\dvd-audio-ripper.exe
Hidden: file C:\ImTOO_Complete_Package\ImTOO Complete Package\dvd-creator.exe
Hidden: file C:\ImTOO_Complete_Package\ImTOO Complete Package\dvd-ripper.exe
Hidden: file C:\ImTOO_Complete_Package\ImTOO Complete Package\ipod-movie-converter.exe
Hidden: file C:\ImTOO_Complete_Package\ImTOO Complete Package\mov-converter.exe
Hidden: file C:\ImTOO_Complete_Package\ImTOO Complete Package\mpeg-encoder.exe
Hidden: file C:\ImTOO_Complete_Package\ImTOO Complete Package\psp-video-converter.exe
Hidden: file C:\Program Files\uTorrent\uTorrent.exe
Hidden: file C:\Program Files\Common Files\Nero\NAS\nas\NasEditor.nvl
Hidden: file C:\ProgramData\WildTangent\oem-eula.exe
Hidden: file C:\Program Files\Nero\Nero8\Nero Mobile\SetupNeroMobile.exe
Hidden: file C:\Program Files\ApecSoft\AVI 3GP Joiner\AVI3GPJoiner.exe
Hidden: file C:\Program Files\ImgBurn\ImgBurn.exe
Hidden: file C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
Hidden: file C:\Windows\System32\cngaudit.dll
Hidden: file C:\SetupDVDDecrypter_3.5.4.0.exe
Hidden: file C:\Program Files\DVD Decrypter\DVDDecrypter.exe
Hidden: file C:\Users\Andy\AppData\Roaming\Move Networks\ie_bin\qsp2ie071303000004.dll
Hidden: file C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
Hidden: file C:\Program Files\DivX\DivXCodecUninstall.exe
Hidden: file C:\Users\Andy\AppData\Local\Temp\Temporary Internet Files\Content.IE5\IGCOHOKV\RootRepeal[1].exe
Hidden: file C:\Windows\System32\kbiwkmbisilcxq.dat
Hidden: file C:\Users\Andy\Desktop\exefix_xp.com
Hidden: file C:\Users\Andy\Desktop\OTL.exe
Hidden: file C:\Users\Andy\Desktop\RootRepeal\RootRepeal.exe
Hidden: file C:\Users\Andy\Desktop\sar_15_sfx.exe
Hidden: file C:\Windows\System32\drivers\kbiwkmpaprrwvn.sys
Hidden: file C:\Windows\System32\kbiwkmbpyxtlcc.dll
Hidden: file C:\Windows\System32\kbiwkmocroytlc.dat
Hidden: file C:\Windows\System32\kbiwkmbvxuvvyd.dll
Stopped logging on 9/3/2009 at 23:58:47 PM


Sophos Anti-Rootkit Version 1.5.0 © 2009 Sophos Plc
Started logging on 9/4/2009 at 0:09:51 AM
User "Andy" on computer "ANDY-TOSHIBA"
Windows version 6.0 SP 1.0 Service Pack 1 build 6001 SM=0x300 PT=0x1 Win32
Info: Starting process scan.
Info: Starting registry scan.
Hidden: registry item \HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\kbiwkmrinbqbek
Hidden: registry item \HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\kbiwkmrinbqbek
Hidden: registry item \HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\kbiwkmrinbqbek
Info: Starting disk scan of C: (NTFS).
Hidden: file C:\Windows\System32\DivX.dll
Hidden: file C:\Program Files\DivX\DivXBundleUninstall.exe
Hidden: file C:\Program Files\DVDFab 5\Options\DVDFabMobile.exe
Hidden: file C:\Program Files\InstallShield Installation Information\{20471B27-D702-4FE8-8DEC-0702CC8C0A85}\ISSetup.dll
Hidden: file C:\Program Files\InstallShield Installation Information\{8833FFB6-5B0C-4764-81AA-06DFEED9A476}\ISSetup.dll
Hidden: file C:\Program Files\InstallShield Installation Information\{F7B05784-334C-4F76-8BAB-30ABEB7FD534}\ISSetup.dll
Hidden: file C:\Program Files\DVD Shrink\DVD Shrink 3.2.exe
Hidden: file C:\Windows\System32\drivers\sptd.sys
Hidden: file C:\ImTOO_Complete_Package\ImTOO Complete Package\3gp-video-converter.exe
Hidden: file C:\ImTOO_Complete_Package\ImTOO Complete Package\audio-encoder.exe
Hidden: file C:\ImTOO_Complete_Package\ImTOO Complete Package\cd-ripper.exe
Hidden: file C:\ImTOO_Complete_Package\ImTOO Complete Package\dvd-audio-ripper.exe
Hidden: file C:\ImTOO_Complete_Package\ImTOO Complete Package\dvd-creator.exe
Hidden: file C:\ImTOO_Complete_Package\ImTOO Complete Package\dvd-ripper.exe
Hidden: file C:\ImTOO_Complete_Package\ImTOO Complete Package\ipod-movie-converter.exe
Hidden: file C:\ImTOO_Complete_Package\ImTOO Complete Package\mov-converter.exe
Hidden: file C:\ImTOO_Complete_Package\ImTOO Complete Package\mpeg-encoder.exe
Hidden: file C:\ImTOO_Complete_Package\ImTOO Complete Package\psp-video-converter.exe
Hidden: file C:\Program Files\uTorrent\uTorrent.exe
Hidden: file C:\ProgramData\WildTangent\oem-eula.exe
Hidden: file C:\Program Files\Nero\Nero8\Nero Mobile\SetupNeroMobile.exe
Hidden: file C:\Program Files\ApecSoft\AVI 3GP Joiner\AVI3GPJoiner.exe
Hidden: file C:\Program Files\ImgBurn\ImgBurn.exe
Hidden: file C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
Hidden: file C:\Windows\System32\dddesot.dll
Hidden: file C:\Windows\System32\cngaudit.dll
Hidden: file C:\SetupDVDDecrypter_3.5.4.0.exe
Hidden: file C:\Program Files\DVD Decrypter\DVDDecrypter.exe
Hidden: file C:\Users\Andy\AppData\Roaming\Move Networks\ie_bin\qsp2ie071303000004.dll
Hidden: file C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
Hidden: file C:\Windows\System32\kbiwkmbisilcxq.dat
Hidden: file C:\Users\Andy\Desktop\OTL.exe
Hidden: file C:\Users\Andy\Desktop\RootRepeal\RootRepeal.exe
Hidden: file C:\Windows\System32\drivers\kbiwkmpaprrwvn.sys
Hidden: file C:\Windows\System32\kbiwkmbpyxtlcc.dll
Hidden: file C:\Windows\System32\kbiwkmocroytlc.dat
Hidden: file C:\Windows\System32\kbiwkmbvxuvvyd.dll
Stopped logging on 9/4/2009 at 1:30:34 AM
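As an added example (not code from this thread, from the helper or from Sophos), a Python triage script for the sarscan.log format posted above: it splits the log into runs, lists the entries hidden in every run, and groups hidden files under the Windows system and temp directories by shared name prefix so that a randomly named driver/DLL set like the kbiwkm* entries stands out. Every name in it is mine, and the embedded log is constructed, abridged to this thread's format.

```python
"""Triage helper for Sophos Anti-Rootkit sarscan.log output. Added example, not
code from this thread or from Sophos: it parses only the line shapes visible in
the thread and compares several runs appended to one log, so that entries hidden
in every run and files sharing a random-looking name prefix stand out."""
import re
from collections import defaultdict

# Constructed sample in the thread's log format: two abridged runs.
SAMPLE_LOG = r"""
Sophos Anti-Rootkit Version 1.5.0 (c) 2009 Sophos Plc
Started logging on 8/30/2009 at 20:17:27 PM
Hidden: registry item \HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\kbiwkmrinbqbek
Info: Starting disk scan of C: (NTFS).
Hidden: file C:\Windows\System32\drivers\sptd.sys
Hidden: file C:\Program Files\uTorrent\uTorrent.exe
Hidden: file C:\Windows\System32\drivers\kbiwkmpaprrwvn.sys
Hidden: file C:\Windows\System32\kbiwkmbpyxtlcc.dll
Stopped logging on 8/30/2009 at 21:38:25 PM

Sophos Anti-Rootkit Version 1.5.0 (c) 2009 Sophos Plc
Started logging on 8/31/2009 at 0:41:33 AM
Hidden: registry item \HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\kbiwkmrinbqbek
Info: Starting disk scan of C: (NTFS).
Hidden: file C:\Windows\System32\drivers\sptd.sys
Hidden: file C:\Windows\System32\drivers\kbiwkmpaprrwvn.sys
Hidden: file C:\Windows\System32\kbiwkmbpyxtlcc.dll
Hidden: file C:\Windows\Temp\kbiwkmgdgtiurlhb.tmp
Stopped logging on 8/31/2009 at 2:02:37 AM
"""

HIDDEN_RE = re.compile(r"^Hidden: (file|registry item) (.+)$")
START_RE = re.compile(r"^Started logging on (.+)$")
STOP_RE = re.compile(r"^Stopped logging on (.+)$")
# Directories where a hidden, randomly named driver/DLL/data set is most telling.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\temp\\")


def parse_runs(text):
    """Split a log into runs: each is a dict with started/stopped stamps plus
    the hidden file paths and registry keys reported in that run."""
    runs, run = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = START_RE.match(line)
        if m:
            run = {"started": m.group(1), "stopped": None, "files": [], "registry": []}
            runs.append(run)
            continue
        if run is None:
            continue  # banner lines outside any run
        m = STOP_RE.match(line)
        if m:
            run["stopped"] = m.group(1)
            run = None  # a run without this line was cut off (crash or reboot)
            continue
        m = HIDDEN_RE.match(line)
        if m:
            run["files" if m.group(1) == "file" else "registry"].append(m.group(2))
    return runs


def persistent_items(runs):
    """Hidden entries present in every run, i.e. those that survived reboots."""
    sets = (set(r["files"]) | set(r["registry"]) for r in runs)
    return set.intersection(*sets) if runs else set()


def name_families(runs, prefix_len=6, min_count=2):
    """Group hidden files under system/temp dirs by the first prefix_len chars of
    the file name; unrelated extensions sharing one prefix is the shape of a
    randomly named driver + DLL + data-file set."""
    by_prefix = defaultdict(set)
    for r in runs:
        for path in r["files"]:
            low = path.lower()
            if not low.startswith(SYSTEM_DIRS):
                continue
            stem = low.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
            if len(stem) >= prefix_len:
                by_prefix[stem[:prefix_len]].add(path)
    return {p: sorted(v) for p, v in by_prefix.items() if len(v) >= min_count}


def related_services(runs, prefix):
    """Hidden service keys whose name starts with the same family prefix."""
    return sorted({k for r in runs for k in r["registry"]
                   if k.rsplit("\\", 1)[-1].lower().startswith(prefix)})


def triage(text):
    runs = parse_runs(text)
    return {
        "runs": len(runs),
        "incomplete_runs": sum(1 for r in runs if r["stopped"] is None),
        "persistent": sorted(persistent_items(runs)),
        "families": {p: {"files": f, "services": related_services(runs, p)}
                     for p, f in name_families(runs).items()},
    }


if __name__ == "__main__":
    rep = triage(SAMPLE_LOG)
    print(f"{rep['runs']} run(s), {rep['incomplete_runs']} cut off")
    for prefix, info in rep["families"].items():
        print(f"family {prefix}*: {info['files']} with service keys {info['services']}")
```

Run it against a real sarscan.log by passing the file's text to triage(); a run whose "Stopped logging" line is missing is counted as cut off, which is what a scanner that dies mid-scan (as RootRepeal and GMER did in this thread) leaves behind.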

#6 SifuMike

Posted 04 September 2009 - 09:55 AM

Hi,


Please tell me the antivirus program you are using.

#7 forever681

Posted 04 September 2009 - 10:02 AM

Norton Antivirus, but I can't access it or anything, since my desktop is black without any taskbar.

#8 SifuMike

Posted 04 September 2009 - 10:05 AM

Hi forever681,

I am confused. :(
How did you run Sophos Anti-Rootkit if your desktop is black?

#9 forever681

Posted 04 September 2009 - 10:10 AM

It's black, but whenever Windows starts, the C:\MyDocuments folder is open, so I was able to run it from there. And I could access the memory stick, so I could cut and paste it onto this computer and access the Internet on another computer.

#10 SifuMike

Posted 04 September 2009 - 10:15 AM

Hi forever681,

I need to use another tool to look deeper.

If you need to, transfer these tools to the infected machine via flash drive (also known as key drive, thumb drives, jump drives, USB, pen drives).

If you use a flash drive which has been inserted into the infected computer, be sure to hold down the Shift key when you put it back into the clean computer; this is to disable the autorun function in case the flash drive has become infected.

I am always a little leery of having people use flash drives which have been in infected machines until they are reformatted.

We need to scan for rootkits with GMER:
  • Please download GMER from one of the following locations, and save it to your desktop:
    • Main Mirror
      This version will download a randomly named file (Recommended)
    • Zip Mirror
      This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Close any and all open programs, as this process may crash your computer.
  • Double click Posted Image or Posted Image on your desktop.
  • Allow the gmer.sys driver to load if asked.
  • You may see this window. If you do, click No.
  • Click on Posted Image and wait for the scan to finish.
  • If you see a rootkit warning window, click OK.

Edited by SifuMike, 04 September 2009 - 03:24 PM. (typo)


#11 forever681

Posted 04 September 2009 - 10:27 PM

I can't scan it; it scans for about 3 minutes, then the blue screen pops up and restarts my computer.

#12 forever681

Posted 04 September 2009 - 10:41 PM

This is all I could copy before it crashed on me again.

GMER 1.0.15.15077 [y6l8zwf7.exe] - http://www.gmer.net
Rootkit scan 2009-09-04 20:37:31
Windows 6.0.6001 Service Pack 1


---- System - GMER 1.0.15 ----

INT 0x62 ? 85929BF8
INT 0x72 ? 85929BF8
INT 0x82 ? 83A44BF8
INT 0x92 ? 83A44BF8
INT 0xA2 ? 85929BF8

Code 8627CF30 ZwEnumerateKey
Code 86198EC0 ZwFlushInstructionCache
Code 86198DA6 ZwSaveKey
Code 8619510E ZwSaveKeyEx
Code 8617DA3D IofCallDriver
Code 861CC1BE IofCompleteRequest

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!IofCallDriver 8208E169 5 Bytes JMP 8617DA42
.text ntoskrnl.exe!IofCompleteRequest 8208E1D6 5 Bytes JMP 861CC1C3
PAGE ntoskrnl.exe!ZwFlushInstructionCache 821F01C2 5 Bytes JMP 86198EC4
PAGE ntoskrnl.exe!ZwEnumerateKey 8221B58C 5 Bytes JMP 8627CF34
PAGE ntoskrnl.exe!ZwSaveKey 8229132F 5 Bytes JMP 86198DAA
PAGE ntoskrnl.exe!ZwSaveKeyEx 82291436 5 Bytes JMP 86195112
? System32\Drivers\spfl.sys The system cannot find the path specified. !
.text USBPORT.SYS!DllUnload 8A7D946F 5 Bytes JMP 859291D8
? win32k.sys:1 The system cannot find the file specified. !
? win32k.sys:2 The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\system32\wininit.exe[656] USER32.dll!NotifyWinEvent + 2CC 775E8D83 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\C2FE278B.x86.dll
.text C:\Windows\system32\wininit.exe[656] GDI32.dll!OffsetRgn + E5 762882AC 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\C2FE278B.x86.dll
.text C:\Windows\system32\wininit.exe[656] GDI32.dll!GetCharABCWidthsW + B1 7628F4F8 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\C2FE278B.x86.dll
.text C:\Windows\system32\services.exe[744] USER32.dll!NotifyWinEvent + 2CC 775E8D83 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\C2FE278B.x86.dll
.text C:\Windows\system32\services.exe[744] GDI32.dll!OffsetRgn + E5 762882AC 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\C2FE278B.x86.dll
.text C:\Windows\system32\services.exe[744] GDI32.dll!GetCharABCWidthsW + B1 7628F4F8 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\C2FE278B.x86.dll
.text C:\Windows\system32\svchost.exe[928] GDI32.dll!OffsetRgn + E5 762882AC 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\C2FE278B.x86.dll
.text C:\Windows\system32\svchost.exe[928] GDI32.dll!GetCharABCWidthsW + B1 7628F4F8 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\C2FE278B.x86.dll
.text C:\Windows\system32\svchost.exe[928] USER32.dll!NotifyWinEvent + 2CC 775E8D83 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\C2FE278B.x86.dll
.text C:\Windows\system32\svchost.exe[1036] GDI32.dll!OffsetRgn + E5 762882AC 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\C2FE278B.x86.dll
.text C:\Windows\system32\svchost.exe[1036] GDI32.dll!GetCharABCWidthsW + B1 7628F4F8 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\C2FE278B.x86.dll
.text C:\Windows\system32\svchost.exe[1036] USER32.dll!NotifyWinEvent + 2CC 775E8D83 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\C2FE278B.x86.dll
.text C:\Windows\System32\spoolsv.exe[1080] GDI32.dll!OffsetRgn + E5 762882AC 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\C2FE278B.x86.dll
.text C:\Windows\System32\spoolsv.exe[1080] GDI32.dll!GetCharABCWidthsW + B1 7628F4F8 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\C2FE278B.x86.dll
.text C:\Windows\System32\spoolsv.exe[1080] USER32.dll!NotifyWinEvent + 2CC 775E8D83 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\C2FE278B.x86.dll
.text C:\Windows\system32\svchost.exe[1168] GDI32.dll!OffsetRgn + E5 762882AC 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\C2FE278B.x86.dll
.text C:\Windows\system32\svchost.exe[1168] GDI32.dll!GetCharABCWidthsW + B1 7628F4F8 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\C2FE278B.x86.dll
.text C:\Windows\system32\svchost.exe[1168] USER32.dll!NotifyWinEvent + 2CC 775E8D83 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\C2FE278B.x86.dll
.text C:\Windows\System32\svchost.exe[1248] GDI32.dll!OffsetRgn + E5 762882AC 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\C2FE278B.x86.dll
.text C:\Windows\System32\svchost.exe[1248] GDI32.dll!GetCharABCWidthsW + B1 7628F4F8 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\C2FE278B.x86.dll
.text C:\Windows\System32\svchost.exe[1248] USER32.dll!NotifyWinEvent + 2CC 775E8D83 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\C2FE278B.x86.dll
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1280] GDI32.dll!OffsetRgn + E5 762882AC 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\C2FE278B.x86.dll
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1280] GDI32.dll!GetCharABCWidthsW + B1 7628F4F8 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\C2FE278B.x86.dll
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1280] USER32.dll!NotifyWinEvent + 2CC 775E8D83 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\C2FE278B.x86.dll
.text C:\Windows\System32\svchost.exe[1356] GDI32.dll!OffsetRgn + E5 762882AC 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\C2FE278B.x86.dll
.text C:\Windows\System32\svchost.exe[1356] GDI32.dll!GetCharABCWidthsW + B1 7628F4F8 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\C2FE278B.x86.dll
.text C:\Windows\System32\svchost.exe[1356] USER32.dll!NotifyWinEvent + 2CC 775E8D83 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\C2FE278B.x86.dll
.text C:\Windows\system32\svchost.exe[1412] GDI32.dll!OffsetRgn + E5 762882AC 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\C2FE278B.x86.dll
.text C:\Windows\system32\svchost.exe[1412] GDI32.dll!GetCharABCWidthsW + B1 7628F4F8 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\C2FE278B.x86.dll
.text C:\Windows\system32\svchost.exe[1412] USER32.dll!NotifyWinEvent + 2CC 775E8D83 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\C2FE278B.x86.dll
UPX1 C:\Windows\system32\drivers\smss.exe[1940] C:\Windows\system32\drivers\smss.exe entry point in "UPX1" section [0x004182B0]
.text C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe[1952] GDI32.dll!OffsetRgn + E5 762882AC 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\C2FE278B.x86.dll
.text C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe[1952] GDI32.dll!GetCharABCWidthsW + B1 7628F4F8 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\C2FE278B.x86.dll
.text C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe[1952] USER32.dll!NotifyWinEvent + 2CC 775E8D83 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\C2FE278B.x86.dll
.text C:\Windows\Explorer.exe[1984] ntdll.dll!LdrLoadDll 77A27933 5 Bytes JMP 0176000A
.text C:\Program Files\Bonjour\mDNSResponder.exe[2112] USER32.dll!NotifyWinEvent + 2CC 775E8D83 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\C2FE278B.x86.dll
.text C:\Program Files\Bonjour\mDNSResponder.exe[2112] GDI32.dll!OffsetRgn + E5 762882AC 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\C2FE278B.x86.dll
.text C:\Program Files\Bonjour\mDNSResponder.exe[2112] GDI32.dll!GetCharABCWidthsW + B1 7628F4F8 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\C2FE278B.x86.dll
.text C:\Windows\system32\svchost.exe[2400] GDI32.dll!OffsetRgn + E5 762882AC 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\C2FE278B.x86.dll
.text C:\Windows\system32\svchost.exe[2400] GDI32.dll!GetCharABCWidthsW + B1 7628F4F8 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\C2FE278B.x86.dll
.text C:\Windows\system32\svchost.exe[2400] USER32.dll!NotifyWinEvent + 2CC 775E8D83 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\C2FE278B.x86.dll

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\System32\Drivers\SCSIPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 83A432D8
IAT \SystemRoot\system32\drivers\pci.sys[ntoskrnl.exe!IoDetachDevice] [82A63C4C] \SystemRoot\System32\Drivers\spfl.sys
IAT \SystemRoot\system32\drivers\pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [82A63CA0] \SystemRoot\System32\Drivers\spfl.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [82A336D2] \SystemRoot\System32\Drivers\spfl.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [82A33040] \SystemRoot\System32\Drivers\spfl.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [82A337FC] \SystemRoot\System32\Drivers\spfl.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUshort] [82A330BE] \SystemRoot\System32\Drivers\spfl.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [82A3313C] \SystemRoot\System32\Drivers\spfl.sys
IAT \SystemRoot\system32\drivers\ataport.SYS[ntoskrnl.exe!DbgBreakPoint] 83A442D8
IAT \SystemRoot\system32\DRIVERS\USBPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 859292D8
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [82A43048] \SystemRoot\System32\Drivers\spfl.sys
IAT \SystemRoot\system32\DRIVERS\storport.sys[ntoskrnl.exe!DbgBreakPoint] 858A65E0

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\system32\wininit.exe[656] @ C:\Windows\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\C2FE278B.x86.dll
IAT C:\Windows\system32\wininit.exe[656] @ C:\Windows\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\C2FE278B.x86.dll
IAT C:\Windows\system32\services.exe[744] @ C:\Windows\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\C2FE278B.x86.dll
IAT C:\Windows\system32\services.exe[744] @ C:\Windows\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\C2FE278B.x86.dll
IAT C:\Windows\system32\svchost.exe[928] @ C:\Windows\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\C2FE278B.x86.dll
IAT C:\Windows\system32\svchost.exe[928] @ C:\Windows\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\C2FE278B.x86.dll
IAT C:\Windows\system32\svchost.exe[1036] @ C:\Windows\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\C2FE278B.x86.dll
IAT C:\Windows\system32\svchost.exe[1036] @ C:\Windows\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\C2FE278B.x86.dll
IAT C:\Windows\System32\spoolsv.exe[1080] @ C:\Windows\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\C2FE278B.x86.dll
IAT C:\Windows\System32\spoolsv.exe[1080] @ C:\Windows\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\C2FE278B.x86.dll
IAT C:\Windows\system32\svchost.exe[1168] @ C:\Windows\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\C2FE278B.x86.dll
IAT C:\Windows\system32\svchost.exe[1168] @ C:\Windows\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\C2FE278B.x86.dll
IAT C:\Windows\System32\svchost.exe[1248] @ C:\Windows\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\C2FE278B.x86.dll
IAT C:\Windows\System32\svchost.exe[1248] @ C:\Windows\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\C2FE278B.x86.dll
IAT C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1280] @ C:\Windows\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\C2FE278B.x86.dll
IAT C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1280] @ C:\Windows\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\C2FE278B.x86.dll
IAT C:\Windows\System32\svchost.exe[1356] @ C:\Windows\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\C2FE278B.x86.dll
IAT C:\Windows\System32\svchost.exe[1356] @ C:\Windows\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\C2FE278B.x86.dll
IAT C:\Windows\system32\svchost.exe[1412] @ C:\Windows\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\C2FE278B.x86.dll
IAT C:\Windows\system32\svchost.exe[1412] @ C:\Windows\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\C2FE278B.x86.dll
IAT C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe[1952] @ C:\Windows\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\C2FE278B.x86.dll
IAT C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe[1952] @ C:\Windows\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\C2FE278B.x86.dll
IAT C:\Program Files\Bonjour\mDNSResponder.exe[2112] @ C:\Windows\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\C2FE278B.x86.dll
IAT C:\Program Files\Bonjour\mDNSResponder.exe[2112] @ C:\Windows\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\C2FE278B.x86.dll
IAT C:\Windows\system32\svchost.exe[2400] @ C:\Windows\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\C2FE278B.x86.dll
IAT C:\Windows\system32\svchost.exe[2400] @ C:\Windows\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\C2FE278B.x86.dll

---- Devices - GMER 1.0.15 ----

Device 848011F8
Device Ntfs.sys (NT File System Driver/Microsoft Corporation)
Device 83FDF1F8
Device fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)

Device \Driver\volmgr \Device\VolMgrControl 83A461F8
Device \Driver\usbuhci \Device\USBPDO-0 857931F8
Device \Driver\usbuhci \Device\USBPDO-1 857931F8
Device \Driver\usbuhci \Device\USBPDO-2 857931F8
Device \Driver\usbuhci \Device\USBPDO-3 857931F8
Device \Driver\usbehci \Device\USBPDO-4 857C71F8

AttachedDevice \Driver\tdx \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\volmgr \Device\HarddiskVolume1 83A461F8
Device \Driver\volmgr \Device\HarddiskVolume2 83A461F8
Device \Driver\cdrom \Device\CdRom0 858B71F8
Device \Driver\USBSTOR \Device\00000072 83FFC500
Device \Driver\volmgr \Device\HarddiskVolume3 83A461F8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 848001F8
Device \Driver\atapi \Device\Ide\IdePort0 848001F8
Device \Driver\atapi \Device\Ide\IdePort1 848001F8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-2 848001F8
Device \Driver\USBSTOR \Device\00000073 83FFC500
Device \Driver\netbt \Device\NetBT_Tcpip_{923B438C-D655-4F07-ABAE-AD77850EA9A1} 861A3500
Device \Driver\netbt \Device\NetBt_Wins_Export 861A3500
Device \Driver\Smb \Device\NetbiosSmb 861961F8
Device \Driver\iScsiPrt \Device\RaidPort0 858A71F8

AttachedDevice \Driver\tdx \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\usbuhci \Device\USBFDO-0 857931F8
Device \Driver\usbuhci \Device\USBFDO-1 857931F8
Device \Driver\usbuhci \Device\USBFDO-3 857931F8
Device \Driver\usbehci \Device\USBFDO-4 857C71F8
Device \Driver\netbt \Device\NetBT_Tcpip_{A09571E1-ABC9-4273-AD14-1577614854A7} 861A3500
Device \FileSystem\fastfat \Fat 83FDF1F8

AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\cdfs \Cdfs 842921F8
Device \FileSystem\cdfs \Cdfs B1E36797

---- Processes - GMER 1.0.15 ----

Library \\?\globalroot\Device\__max++>\C2FE278B.x86.dll (*** hidden *** ) @ C:\Windows\system32\wininit.exe [656] 0x35670000
Library \\?\globalroot\Device\__max++>\C2FE278B.x86.dll (*** hidden *** ) @ C:\Windows\system32\services.exe [744] 0x35670000
Library \\?\globalroot\Device\__max++>\C2FE278B.x86.dll (*** hidden *** ) @ C:\Windows\system32\svchost.exe [928] 0x35670000
Library \\?\globalroot\Device\__max++>\C2FE278B.x86.dll (*** hidden *** ) @ C:\Windows\system32\svchost.exe [1036] 0x35670000
Library \\?\globalroot\Device\__max++>\C2FE278B.x86.dll (*** hidden *** ) @ C:\Windows\System32\spoolsv.exe [1080] 0x35670000
Library \\?\globalroot\Device\__max++>\C2FE278B.x86.dll (*** hidden *** ) @ C:\Windows\system32\svchost.exe [1168] 0x35670000
Library \\?\globalroot\Device\__max++>\C2FE278B.x86.dll (*** hidden *** ) @ C:\Windows\System32\svchost.exe [1248] 0x35670000
Library \\?\globalroot\Device\__max++>\C2FE278B.x86.dll (*** hidden *** ) @ C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [1280] 0x35670000
Library \\?\globalroot\Device\__max++>\C2FE278B.x86.dll (*** hidden *** ) @ C:\Windows\System32\svchost.exe [1356] 0x35670000
Library \\?\globalroot\Device\__max++>\C2FE278B.x86.dll (*** hidden *** ) @ C:\Windows\system32\svchost.exe [1412] 0x35670000
Library \\?\globalroot\Device\__max++>\C2FE278B.x86.dll (*** hidden *** ) @ C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [1952] 0x35670000
Library \\?\globalroot\Device\__max++>\C2FE278B.x86.dll (*** hidden *** ) @ C:\Program Files\Bonjour\mDNSResponder.exe [2112] 0x35670000
Library \\?\globalroot\Device\__max++>\C2FE278B.x86.dll (*** hidden *** ) @ C:\Windows\system32\svchost.exe [2400] 0x35670000

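The GMER output above is the substance of this post. What follows is an added triage example, not part of the thread and not GMER's own code: a Python script that parses lines in the GMER 1.0.15 format shown above and pulls out the indicators an analyst acts on. It collects the libraries GMER marks hidden and the PIDs they sit in, counts inline and IAT hook sites whose target module is named by an object-manager device path (\\?\globalroot\Device\...) instead of a drive letter, groups kernel IAT hooks by the module that installed them, flags a packed entry point for an .exe running from a drivers directory, and leaves every other hook for manual review. The regexes, the Findings buckets and the exe-in-drivers heuristic are assumptions of this example inferred from the log, not documented GMER fields; the embedded sample is an excerpt of the log above.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample: an excerpt of the GMER 1.0.15 log posted above, embedded
# so the script runs offline. For a real case use open("gmer.log").read().
SAMPLE = r"""
.text C:\Windows\system32\svchost.exe[1168] GDI32.dll!OffsetRgn + E5 762882AC 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\C2FE278B.x86.dll
.text C:\Windows\system32\svchost.exe[1168] USER32.dll!NotifyWinEvent + 2CC 775E8D83 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\C2FE278B.x86.dll
.text C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe[1952] GDI32.dll!OffsetRgn + E5 762882AC 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\C2FE278B.x86.dll
UPX1 C:\Windows\system32\drivers\smss.exe[1940] C:\Windows\system32\drivers\smss.exe entry point in "UPX1" section [0x004182B0]
.text C:\Windows\Explorer.exe[1984] ntdll.dll!LdrLoadDll 77A27933 5 Bytes JMP 0176000A
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [82A336D2] \SystemRoot\System32\Drivers\spfl.sys
IAT \SystemRoot\system32\DRIVERS\USBPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 859292D8
IAT C:\Windows\system32\services.exe[744] @ C:\Windows\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\C2FE278B.x86.dll
IAT C:\Windows\system32\services.exe[744] @ C:\Windows\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\C2FE278B.x86.dll
Library \\?\globalroot\Device\__max++>\C2FE278B.x86.dll (*** hidden *** ) @ C:\Windows\system32\services.exe [744] 0x35670000
Library \\?\globalroot\Device\__max++>\C2FE278B.x86.dll (*** hidden *** ) @ C:\Windows\system32\svchost.exe [1168] 0x35670000
Library \\?\globalroot\Device\__max++>\C2FE278B.x86.dll (*** hidden *** ) @ C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [1952] 0x35670000
"""

# Line shapes below are inferred from the log above (an assumption), not from a GMER spec.
HEX = r"[0-9A-Fa-f]+"
INLINE = re.compile(r"^\.text (?P<proc>.+?)\[(?P<pid>\d+)\] \S+(?: \+ " + HEX + r")? "
                    + HEX + r" \d+ Bytes (?:CALL|JMP) (?P<target>" + HEX + r")(?: (?P<mod>.+))?$")
USER_IAT = re.compile(r"^IAT (?P<proc>.+?)\[(?P<pid>\d+)\] @ \S+ \[[^\]]+\] \[(?P<target>"
                      + HEX + r")\] (?P<mod>.+)$")
KERNEL_IAT = re.compile(r"^IAT (?P<drv>\S+)\[(?P<imp>[^\]]+)\] (?:\[" + HEX + r"\] (?P<mod>.+)|" + HEX + r")$")
LIBRARY = re.compile(r"^Library (?P<path>.+?) \((?P<flags>[^)]*)\) @ (?P<proc>.+?) \[(?P<pid>\d+)\] 0x" + HEX + r"$")
PACKED = re.compile(r'^\S+ (?P<proc>.+?)\[(?P<pid>\d+)\] .+ entry point in "(?P<sect>[^"]+)" section')

DEVICE_PREFIXES = ("\\\\?\\globalroot\\device\\", "\\device\\")


def in_device_namespace(path):
    """True when a module is named by an object-manager device path instead of a drive letter."""
    return path.lower().startswith(DEVICE_PREFIXES)


def exe_in_drivers_dir(image):
    """Heuristic (an assumption of this example): no legitimate process image lives under a drivers directory."""
    p = image.lower()
    return p.endswith(".exe") and "\\drivers\\" in p


@dataclass
class Findings:
    hidden_libraries: dict = field(default_factory=lambda: defaultdict(list))  # path -> [pid]
    device_hooks: dict = field(default_factory=lambda: defaultdict(int))       # hook module -> sites
    hooked_pids: set = field(default_factory=set)
    kernel_iat: dict = field(default_factory=lambda: defaultdict(list))        # installer -> [(driver, import)]
    unresolved_kernel_iat: list = field(default_factory=list)                 # [(driver, import)] with no module
    packed_in_drivers: list = field(default_factory=list)                     # [(image, pid, section)]
    other_hooks: list = field(default_factory=list)                           # [(image, pid, target, module)]


def triage(text):
    """Classify each GMER line into the indicator buckets above."""
    f = Findings()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("----"):
            continue
        if m := LIBRARY.match(line):
            if "hidden" in m["flags"]:
                f.hidden_libraries[m["path"]].append(int(m["pid"]))
        elif (m := USER_IAT.match(line)) or (m := INLINE.match(line)):
            mod = m["mod"]
            if mod and in_device_namespace(mod):
                # The hook stub lives in a module with no drive-letter path: a hidden file.
                f.device_hooks[mod] += 1
                f.hooked_pids.add(int(m["pid"]))
            else:
                f.other_hooks.append((m["proc"], int(m["pid"]), m["target"], mod))
        elif m := KERNEL_IAT.match(line):
            if m["mod"]:
                f.kernel_iat[m["mod"]].append((m["drv"], m["imp"]))
            else:
                f.unresolved_kernel_iat.append((m["drv"], m["imp"]))
        elif (m := PACKED.match(line)) and exe_in_drivers_dir(m["proc"]):
            f.packed_in_drivers.append((m["proc"], int(m["pid"]), m["sect"]))
    return f


def verdict(f):
    """Roll the buckets into one-line findings an analyst can act on."""
    out = []
    for path, pids in f.hidden_libraries.items():
        sites = f.device_hooks.get(path, 0)
        out.append(f"hidden module {path} loaded in {len(pids)} processes; {sites} hook sites point into it")
    for image, pid, sect in f.packed_in_drivers:
        out.append(f"packed ({sect}) executable running from a drivers directory: {image} [{pid}]")
    for installer, sites in f.kernel_iat.items():
        drivers = ", ".join(sorted({d for d, _ in sites}))
        out.append(f"kernel IAT hooks installed by {installer} in {drivers}: verify that driver's signer")
    for image, pid, target, mod in f.other_hooks:
        out.append(f"hook in {image} [{pid}] to {target} ({mod or 'no module resolved'}): review manually")
    return out


if __name__ == "__main__":
    for finding in verdict(triage(SAMPLE)):
        print(finding)
```

Run it as a script to print the findings for the sample, or call triage() on a complete log. On the excerpt it reports one hidden module present in every hooked process with every hook stub pointing into it, which is the pattern behind the "very nasty rootkit" verdict in the next reply, plus the UPX-packed smss.exe under system32\drivers (the genuine Session Manager lives in system32 itself). The atapi.sys IAT hooks from spfl.sys are listed rather than condemned: drivers of some CD-emulation software produce identical entries, so the driver's signer has to be checked before it is treated as part of the infection.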
#13 SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 04 September 2009 - 10:56 PM

Hi forever681.

GMER is showing a very nasty rootkit. :(

Let's begin.....

Download and run Win32kDiag:

Next......


Download and run a batch file (peek.bat):
  • Download peek.bat from the download link below and save it to your Desktop.
  • Double-click peek.bat to run it. A black Command Prompt window will appear shortly: the program is running.
  • Once it is finished, copy and paste the entire contents of the Log.txt file it creates as a reply to this post.
==========

With your next post please provide:

* Win32kDiag.txt
* Log.txt
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#14 forever681

  • Topic Starter

  • Members
  • 118 posts

Posted 04 September 2009 - 10:58 PM

Oh, I just scanned it again; it's been scanning so far, so should I stop and run Win32kDiag? Thanks

Never mind, it crashed; I will run Win32kDiag now.

Edited by forever681, 04 September 2009 - 11:02 PM.


#15 SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 04 September 2009 - 11:02 PM

Oh, I just scanned it again; it's been scanning so far, so should I stop and run Win32kDiag?

You lost me. :( Scanning what? You mean the GMER is still running?