
Annoying svchost / ave.exe virus


  • This topic is locked
35 replies to this topic

#1 concept


  • Members
  • 67 posts

Posted 10 April 2010 - 09:14 PM

I followed instructions on getting rid of the Ave.exe and svchost virus, but it doesn't seem to have disappeared. This virus is scary. svchost.exe starts taking up way more memory than it should, and ave.exe returns within a day of removal. PLEASE help me with this; I'm lost and trying to keep my cpu on in safe mode with networking as I wait for a reply.

OTL logfile created on: 4/10/2010 10:14:08 PM - Run 1
OTL by OldTimer - Version 3.2.1.1 Folder = F:\
Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

894.00 Mb Total Physical Memory | 532.00 Mb Available Physical Memory | 60.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 83.00% Paging File free
Paging file location(s): C:\pagefile.sys 576 1152 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 143.75 Gb Total Space | 12.99 Gb Free Space | 9.03% Space Free | Partition Type: NTFS
Drive D: | 5.28 Gb Total Space | 3.40 Gb Free Space | 64.44% Space Free | Partition Type: FAT32
E: Drive not present or media not loaded
Drive F: | 465.64 Gb Total Space | 442.35 Gb Free Space | 95.00% Space Free | Partition Type: FAT32
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: FMO
Current User Name: Owner
Logged in as Administrator.

Current Boot Mode: SafeMode with Networking
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/04/10 22:13:54 | 000,561,664 | ---- | M] (OldTimer Tools) -- F:\OTL(2).exe
PRC - [2010/04/05 01:20:13 | 000,910,296 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/01/12 11:17:04 | 001,695,744 | ---- | M] () -- C:\Program Files\NoAdware\NoAdware5.exe


========== Modules (SafeList) ==========

MOD - [2010/04/10 22:13:54 | 000,561,664 | ---- | M] (OldTimer Tools) -- F:\OTL(2).exe


========== Win32 Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- -- (rpcapd) Remote Packet Capture Protocol v.0 (experimental)
SRV - [2010/01/07 17:07:10 | 000,236,368 | ---- | M] (Malwarebytes Corporation) [Auto | Stopped] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
SRV - [2008/10/25 15:13:51 | 000,068,865 | ---- | M] (Avira GmbH) [Auto | Stopped] -- C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe -- (AntiVirScheduler)
SRV - [2008/10/25 15:13:42 | 000,151,297 | ---- | M] (Avira GmbH) [On_Demand | Stopped] -- C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe -- (AntiVirService)
SRV - [2008/02/05 19:22:36 | 000,141,848 | ---- | M] (Logitech Inc.) [Auto | Stopped] -- C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe -- (LVSrvLauncher)
SRV - [2008/02/05 19:20:42 | 000,150,040 | ---- | M] (Logitech Inc.) [Auto | Stopped] -- C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe -- (LVPrcSrv)
SRV - [2008/02/05 19:18:48 | 000,186,904 | ---- | M] (Logitech Inc.) [Auto | Stopped] -- C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe -- (LVCOMSer)
SRV - [2007/10/25 15:27:54 | 000,266,240 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Live\installer\WLSetupSvc.exe -- (WLSetupSvc)
SRV - [2007/10/16 20:04:12 | 001,094,936 | ---- | M] (Diskeeper Corporation) [Auto | Stopped] -- C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe -- (Diskeeper)
SRV - [2006/10/18 11:49:40 | 000,139,264 | ---- | M] (Prevx) [Auto | Stopped] -- C:\Program Files\Prevx1\PXAgent.exe -- (PREVXAgent)
SRV - [2006/07/31 13:50:21 | 000,172,032 | ---- | M] (New Boundary Technologies, Inc.) [Auto | Stopped] -- C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS -- (PrismXL)
SRV - [2004/10/20 10:40:04 | 000,010,328 | ---- | M] (America Online) [Auto | Stopped] -- C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe -- (AOL ACS)
SRV - [2004/10/15 16:54:14 | 000,100,016 | ---- | M] (America Online, Inc) [Auto | Stopped] -- C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe -- (AOL TopSpeedMonitor)
SRV - [2003/04/01 23:08:30 | 000,069,632 | ---- | M] (Sony Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\IcdSptSv.exe -- (ICDSPTSV)


========== Driver Services (SafeList) ==========

DRV - [2010/01/07 17:07:04 | 000,019,160 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mbam.sys -- (MBAMProtector)
DRV - [2009/05/27 22:42:51 | 000,075,096 | ---- | M] (Avira GmbH) [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\avipbb.sys -- (avipbb)
DRV - [2009/05/27 22:42:39 | 000,052,056 | ---- | M] (Avira GmbH) [File_System | On_Demand | Stopped] -- C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgntflt.sys -- (avgntflt)
DRV - [2009/05/27 22:42:28 | 000,011,608 | ---- | M] (Avira GmbH) [Kernel | System | Stopped] -- C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgio.sys -- (avgio)
DRV - [2009/01/06 15:50:17 | 000,102,664 | ---- | M] (Trend Micro Inc.) [Kernel | Auto | Stopped] -- C:\WINDOWS\system32\drivers\tmcomm.sys -- (tmcomm)
DRV - [2008/12/18 05:49:58 | 000,016,512 | ---- | M] (Adaptec) [Kernel | Auto | Stopped] -- C:\WINDOWS\system32\drivers\ASPI32.SYS -- (Aspi32)
DRV - [2008/11/08 03:50:15 | 000,004,930 | ---- | M] (Logix4u) [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\hwinterface32B01.sys -- (hwinterface32B01)
DRV - [2008/06/19 17:24:30 | 000,028,544 | ---- | M] (Panda Security, S.L.) [File_System | Boot | Stopped] -- C:\WINDOWS\system32\drivers\pavboot.sys -- (pavboot)
DRV - [2008/04/13 14:45:29 | 000,010,624 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\gameenum.sys -- (gameenum)
DRV - [2008/04/13 14:45:12 | 000,060,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\usbaudio.sys -- (usbaudio) USB Audio Driver (WDM)
DRV - [2008/04/13 14:36:39 | 000,043,008 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\amdagp.sys -- (amdagp)
DRV - [2008/04/13 14:36:39 | 000,040,960 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\sisagp.sys -- (sisagp)
DRV - [2008/04/13 12:36:05 | 000,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2008/02/05 22:21:48 | 000,023,832 | R--- | M] (Logitech Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\lvuvcflt.sys -- (FilterService)
DRV - [2008/02/05 22:21:37 | 004,658,456 | R--- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\lvuvc.sys -- (LVUVC) Logitech QuickCam E3500(UVC)
DRV - [2008/02/05 22:21:25 | 000,041,752 | R--- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\LVUSBSta.sys -- (LVUSBSta)
DRV - [2008/02/05 22:20:40 | 000,628,760 | R--- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\lvrs.sys -- (LVRS)
DRV - [2008/02/05 19:20:08 | 000,025,624 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\LVPr2Mon.sys -- (LVPr2Mon)
DRV - [2008/02/05 19:18:12 | 000,689,176 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Lvckap.sys -- (LVcKap)
DRV - [2007/07/26 19:06:18 | 000,009,464 | ---- | M] (Sonic Solutions) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\cdralw2k.sys -- (Cdralw2k)
DRV - [2007/07/26 19:06:18 | 000,009,336 | ---- | M] (Sonic Solutions) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\cdr4_xp.sys -- (Cdr4_xp)
DRV - [2007/03/01 10:34:22 | 000,028,352 | ---- | M] (Avira GmbH) [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\ssmdrv.sys -- (ssmdrv)
DRV - [2007/01/17 15:36:52 | 000,022,528 | ---- | M] (Resplendence) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\rrSpy.sys -- (RRSPY)
DRV - [2006/09/08 11:19:32 | 000,100,864 | ---- | M] (Prevx Limited, http://www.prevx1.com/) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\PxEmu.sys -- (PrevxEmulator)
DRV - [2006/09/08 11:19:30 | 000,018,432 | ---- | M] (Prevx Limited, http://www.prevx1.com/) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\pxtdi.sys -- (PrevxTdi)
DRV - [2006/09/08 11:19:28 | 000,266,112 | ---- | M] (Prevx Limited, http://www.prevx1.com/) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\pxfsf.sys -- (PrevxDriver)
DRV - [2006/04/06 17:20:44 | 004,258,816 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\RtkHDAud.Sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2006/02/13 16:24:10 | 000,020,699 | ---- | M] (Kaspersky Lab) [Kernel | Boot | Stopped] -- C:\WINDOWS\system32\drivers\kl1.sys -- (kl1)
DRV - [2006/01/18 21:41:00 | 000,080,512 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Rtnicxp.sys -- (RTL8023xp)
DRV - [2006/01/16 00:48:08 | 001,477,632 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2005/12/21 11:14:52 | 000,100,957 | ---- | M] (eMPIA Technology, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\emDevice.sys -- (DCamUSBEMPIA)
DRV - [2005/12/21 11:14:52 | 000,019,712 | ---- | M] (Pinnacle Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\emAudio.sys -- (emAudio)
DRV - [2005/12/21 11:14:52 | 000,005,245 | ---- | M] (eMPIA Technology, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\emFilter.sys -- (FiltUSBEMPIA)
DRV - [2005/12/21 11:14:52 | 000,004,493 | ---- | M] (eMPIA Technology, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\emScan.sys -- (ScanUSBEMPIA)
DRV - [2005/06/02 20:28:38 | 000,171,008 | ---- | M] (Pinnacle Systems GmbH) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\MarvinBus.sys -- (MarvinBus)
DRV - [2005/03/17 12:51:16 | 001,033,600 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HSF_DPV.sys -- (HSF_DPV)
DRV - [2005/03/17 12:50:36 | 000,221,440 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HSFHWBS2.sys -- (HSFHWBS2)
DRV - [2005/03/17 12:50:32 | 000,705,280 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2005/03/08 21:15:10 | 000,291,456 | ---- | M] (Sonic Solutions) [File_System | System | Stopped] -- C:\WINDOWS\system32\drivers\Cdudf_xp.sys -- (cdudf_xp)
DRV - [2005/03/08 21:14:44 | 000,024,064 | ---- | M] (Sonic Solutions) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\dvd_2k.sys -- (dvd_2K)
DRV - [2005/03/08 21:05:30 | 000,141,184 | ---- | M] (Windows ® 2000 DDK provider) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\DVDVRRdr_xp.sys -- (DVDVRRdr_xp)
DRV - [2005/03/08 20:54:48 | 000,202,496 | ---- | M] (Sonic Solutions) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\Udfreadr.sys -- (UDFReadr)
DRV - [2005/03/08 20:53:56 | 000,023,808 | ---- | M] (Sonic Solutions) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mmc_2k.sys -- (mmc_2K)
DRV - [2005/03/08 20:38:32 | 000,117,760 | ---- | M] (Sonic Solutions) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\Pwd_2k.sys -- (pwd_2k)
DRV - [2005/01/27 03:22:00 | 000,088,016 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\drvmcdb.sys -- (drvmcdb)
DRV - [2004/08/04 01:31:34 | 000,020,992 | ---- | M] (Realtek Semiconductor Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\RTL8139.sys -- (rtl8139) Realtek RTL8139(A/B/C)
DRV - [2003/12/19 02:00:00 | 000,006,656 | ---- | M] (Sonic Solutions) [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\cinemsup.sys -- (Cinemsup)
DRV - [2003/01/10 17:13:04 | 000,033,588 | ---- | M] (America Online, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\wanatw4.sys -- (wanatw) WAN Miniport (ATW)
DRV - [2002/07/24 14:52:26 | 000,998,004 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ha10kx2k.sys -- (ha10kx2k)
DRV - [2002/07/19 11:48:32 | 000,156,604 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\emupia2k.sys -- (emupia)
DRV - [2002/07/19 11:48:22 | 000,213,860 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ctsfm2k.sys -- (ctsfm2k)
DRV - [2002/07/19 11:48:08 | 000,011,068 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ctprxy2k.sys -- (ctprxy2k)
DRV - [2002/07/19 11:48:04 | 000,195,432 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ctoss2k.sys -- (ossrv)
DRV - [2002/07/19 11:47:52 | 000,837,548 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ctaud2k.sys -- (ctaud2k) Creative Audio Driver (WDM)
DRV - [2002/07/19 11:46:28 | 000,127,948 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ctac32k.sys -- (ctac32k)
DRV - [2002/06/14 14:49:56 | 000,010,194 | ---- | M] (Creative Technology Ltd.) [Kernel | Auto | Stopped] -- C:\WINDOWS\system32\PFMODNT.SYS -- (PfModNT)
DRV - [2001/08/18 00:07:44 | 000,019,072 | ---- | M] (Adaptec, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\sparrow.sys -- (Sparrow)
DRV - [2001/08/18 00:07:42 | 000,030,688 | ---- | M] (LSI Logic) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\sym_u3.sys -- (sym_u3)
DRV - [2001/08/18 00:07:40 | 000,028,384 | ---- | M] (LSI Logic) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\sym_hi.sys -- (sym_hi)
DRV - [2001/08/18 00:07:36 | 000,032,640 | ---- | M] (LSI Logic) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\symc8xx.sys -- (symc8xx)
DRV - [2001/08/18 00:07:34 | 000,016,256 | ---- | M] (Symbios Logic Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\symc810.sys -- (symc810)
DRV - [2001/08/17 23:52:22 | 000,036,736 | ---- | M] (Promise Technology, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ultra.sys -- (ultra)
DRV - [2001/08/17 23:52:20 | 000,045,312 | ---- | M] (QLogic Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ql12160.sys -- (ql12160)
DRV - [2001/08/17 23:52:20 | 000,040,320 | ---- | M] (QLogic Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ql1080.sys -- (ql1080)
DRV - [2001/08/17 23:52:18 | 000,049,024 | ---- | M] (QLogic Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ql1280.sys -- (ql1280)
DRV - [2001/08/17 23:52:16 | 000,179,584 | ---- | M] (Mylex Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\dac2w2k.sys -- (dac2w2k)
DRV - [2001/08/17 23:52:12 | 000,017,280 | ---- | M] (American Megatrends Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\mraid35x.sys -- (mraid35x)
DRV - [2001/08/17 23:52:00 | 000,026,496 | ---- | M] (Advanced System Products, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\asc.sys -- (asc)
DRV - [2001/08/17 23:51:58 | 000,014,848 | ---- | M] (Advanced System Products, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\asc3550.sys -- (asc3550)
DRV - [2001/08/17 23:51:56 | 000,005,248 | ---- | M] (Acer Laboratories Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\aliide.sys -- (AliIde)
DRV - [2001/08/17 23:51:54 | 000,006,656 | ---- | M] (CMD Technology, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\cmdide.sys -- (CmdIde)
DRV - [2001/08/17 13:19:34 | 000,036,480 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\sfmanm.sys -- (sfman) Creative SoundFont Manager Driver (WDM)
DRV - [2001/08/17 13:19:28 | 000,006,912 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ctlfacem.sys -- (emu10k1) Creative Interface Manager Driver (WDM)
DRV - [2001/08/17 13:19:26 | 000,283,904 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\emu10k1m.sys -- (emu10k) Creative SB Live! (WDM)
DRV - [2001/08/17 13:19:20 | 000,003,712 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ctljystk.sys -- (ctljystk)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomSearch = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Default_page_URL = http://www.gateway.com/g/startpage.html?Ch...DTP&M=T5048
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerm...tf8&oe=utf8
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Default_page_URL = http://www.gateway.com/g/startpage.html?Ch...DTP&M=T5048
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerm...tf8&oe=utf8
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-1365152532-2487360119-377298570-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
IE - HKU\S-1-5-21-1365152532-2487360119-377298570-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.mystart.com?pr=oovoo2_0
IE - HKU\S-1-5-21-1365152532-2487360119-377298570-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-1365152532-2487360119-377298570-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>;*.local
IE - HKU\S-1-5-21-1365152532-2487360119-377298570-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5555

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://en-US.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official"
FF - prefs.js..extensions.enabledItems: {43c35458-c907-439b-bcfd-07d373834689}:2.1.8
FF - prefs.js..extensions.enabledItems: firebug@software.joehewitt.com:1.4.4
FF - prefs.js..extensions.enabledItems: {000a9d1c-beef-4f90-9363-039d445309b8}:0.5.36.0
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..keyword.URL: "http://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q="


FF - HKLM\software\mozilla\Firefox\Extensions\\{000a9d1c-beef-4f90-9363-039d445309b8}: C:\Program Files\Google\Google Gears\Firefox\ [2010/03/06 00:06:44 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/04/05 01:20:19 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/04/08 10:38:03 | 000,000,000 | ---D | M]

[2009/03/14 19:28:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner.FMO\Application Data\Mozilla\Extensions
[2009/03/14 19:28:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner.FMO\Application Data\Mozilla\Extensions\mozswing@mozswing.org
[2010/04/10 16:04:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner.FMO\Application Data\Mozilla\Firefox\Profiles\5td3fu02.default\extensions
[2009/10/22 14:39:55 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Owner.FMO\Application Data\Mozilla\Firefox\Profiles\5td3fu02.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2009/11/16 14:16:30 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Owner.FMO\Application Data\Mozilla\Firefox\Profiles\5td3fu02.default\extensions\{43c35458-c907-439b-bcfd-07d373834689}
[2009/11/05 11:26:29 | 000,000,000 | ---D | M] (Greasemonkey) -- C:\Documents and Settings\Owner.FMO\Application Data\Mozilla\Firefox\Profiles\5td3fu02.default\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
[2009/11/05 11:26:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner.FMO\Application Data\Mozilla\Firefox\Profiles\5td3fu02.default\extensions\firebug@software.joehewitt.com
[2010/04/10 16:04:11 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: ([2010/04/09 19:10:00 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (URLDetector Class) - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll (Prevx Ltd.)
O2 - BHO: (EWPBrowseObject Class) - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll ()
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll (Google Inc.)
O2 - BHO: (Google Gears Helper) - {E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.36.0\gears.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Easy-WebPrint) - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll ()
O3 - HKU\S-1-5-21-1365152532-2487360119-377298570-1006\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O4 - HKLM..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe (CANON INC.)
O4 - HKLM..\Run: [DNS7reminder] C:\Program Files\Nuance\NaturallySpeaking9\Ereg\Ereg.exe (Nuance Communications, Inc.)
O4 - HKLM..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe (America Online, Inc.)
O4 - HKLM..\Run: [ISUSScheduler] C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe (InstallShield Software Corporation)
O4 - HKLM..\Run: [Jet Detection] C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe ()
O4 - HKLM..\Run: [LogitechCommunicationsManager] C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe ()
O4 - HKLM..\Run: [LogitechQuickCamRibbon] C:\Program Files\Logitech\QuickCam\Quickcam.exe ()
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [readericon] C:\Program Files\Digital Media Reader\readericon45G.exe (Alcor Micro, Corp.)
O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
O4 - HKU\S-1-5-21-1365152532-2487360119-377298570-1006..\Run: [Aim] C:\Program Files\AIM7\aim.exe (AOL LLC)
O4 - HKU\S-1-5-21-1365152532-2487360119-377298570-1006..\Run: [ccleaner] C:\Program Files\CCleaner\ccleaner.exe (Piriform Ltd)
O4 - HKU\S-1-5-21-1365152532-2487360119-377298570-1006..\Run: [ooVoo.exe] C:\Program Files\ooVoo\ooVoo.exe (ooVoo LLC)
O4 - HKU\S-1-5-21-1365152532-2487360119-377298570-1006..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Desktop Manager.lnk = C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe (Research In Motion Limited)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallVisualStyle = C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles (Microsoft)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallTheme = C:\WINDOWS\Resources\Themes\Royale.theme ()
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: CDRAutoRun = 0
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: CDRAutoRun = 0
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 149
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1365152532-2487360119-377298570-1006\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1365152532-2487360119-377298570-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-1365152532-2487360119-377298570-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\S-1-5-21-1365152532-2487360119-377298570-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoBandCustomize = 0
O7 - HKU\S-1-5-21-1365152532-2487360119-377298570-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoMovingBands = 0
O7 - HKU\S-1-5-21-1365152532-2487360119-377298570-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCloseDragDropBands = 0
O7 - HKU\S-1-5-21-1365152532-2487360119-377298570-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSetTaskbar = 0
O7 - HKU\S-1-5-21-1365152532-2487360119-377298570-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoToolbarsOnTaskbar = 0
O7 - HKU\S-1-5-21-1365152532-2487360119-377298570-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O8 - Extra context menu item: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll (Google Inc.)
O9 - Extra 'Tools' menuitem : &Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.36.0\gears.dll (Google Inc.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKU\S-1-5-21-1365152532-2487360119-377298570-1006\..Trusted Domains: aol.com ([objects] * is out of zone range - 5)
O16 - DPF: {00000055-9980-0010-8000-00AA00389B71} http://codecs.microsoft.com/codecs/i386/fhg.CAB (Reg Error: Key error.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_19)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0014-0001-0004-ABCDEFFEDCBA} http://java.sun.com/update/1.4.1/jinstall-...indows-i586.cab (Java Plug-in 1.4.1_04)
O16 - DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_19)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_19)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKU\.DEFAULT Winlogon: Shell - (C:\Program Files\Desktop Defender 2010\Desktop Defender 2010.exe) - C:\Program Files\Desktop Defender 2010\Desktop Defender 2010.exe File not found
O20 - HKU\S-1-5-18 Winlogon: Shell - (C:\Program Files\Desktop Defender 2010\Desktop Defender 2010.exe) - C:\Program Files\Desktop Defender 2010\Desktop Defender 2010.exe File not found
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/06/17 05:41:16 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2006/02/09 14:59:36 | 000,000,000 | R--D | M] - F:\autorun -- [ FAT32 ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKU\.DEFAULT\...exe [@ = secfile] -- "C:\Documents and Settings\LocalService\Local Settings\Application Data\ave.exe" /START "%1" %* File not found
O37 - HKU\S-1-5-18\...exe [@ = secfile] -- "C:\Documents and Settings\LocalService\Local Settings\Application Data\ave.exe" /START "%1" %* File not found

========== Files/Folders - Created Within 30 Days ==========

[2010/04/09 19:11:31 | 000,000,000 | ---D | C] -- C:\RECYCLER
[2010/04/09 19:11:30 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Owner.FMO\Recent
[2010/04/09 18:47:00 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/04/09 18:47:00 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/04/09 18:47:00 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/04/09 18:47:00 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/04/09 13:15:54 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/04/08 10:39:24 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2010/04/08 10:39:03 | 000,153,376 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2010/04/08 10:39:03 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2010/04/08 10:39:03 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2010/04/08 10:39:03 | 000,073,728 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2010/04/08 06:17:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Sun
[2010/04/08 03:07:01 | 000,000,000 | ---D | C] -- C:\Program Files\Novixys Software
[2010/04/08 02:02:32 | 000,000,000 | ---D | C] -- C:\Program Files\Email-Business
[2010/04/08 02:01:13 | 000,000,000 | ---D | C] -- C:\Program Files\fec
[2010/04/08 01:57:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner.FMO\Email_Spider.azeak
[2010/04/08 01:57:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner.FMO\Super Email Spider v2.71
[2010/03/18 20:56:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner.FMO\Application Data\oovootb
[2010/03/16 01:26:17 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\DivX Shared
[2009/11/27 02:07:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2009/04/01 14:38:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple
[2009/03/12 21:44:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
[2009/03/12 21:41:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Adobe
[2009/03/01 06:28:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2009/03/01 05:12:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2009/01/27 20:04:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Google
[2009/01/25 12:53:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Google
[2008/04/17 19:33:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\AOL
[2007/05/14 21:47:15 | 000,036,963 | R--- | C] (Cypress Semiconductor) -- C:\Program Files\Common Files\SM1updtr.dll
[2007/01/29 23:02:34 | 000,065,536 | ---- | C] ( ) -- C:\WINDOWS\System32\a3d.dll
[2006/12/26 14:40:43 | 000,047,360 | ---- | C] (VSO Software) -- C:\Documents and Settings\Owner.FMO\Application Data\pcouffin.sys
[2006/10/21 18:13:08 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2006/10/20 22:09:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\McAfee.com Personal Firewall
[2006/06/17 05:45:24 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2006/06/17 05:45:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[24 C:\Documents and Settings\Owner.FMO\My Documents\*.tmp files -> C:\Documents and Settings\Owner.FMO\My Documents\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/04/10 22:09:57 | 000,521,766 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/04/10 22:09:57 | 000,441,124 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/04/10 22:09:57 | 000,071,060 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/04/10 22:05:26 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/04/10 22:03:49 | 000,010,684 | ---- | M] () -- C:\WINDOWS\System32\BMXStateBkp-{00000002-00000000-00000003-00001102-00000002-00211102}.rfx
[2010/04/10 22:03:49 | 000,010,684 | ---- | M] () -- C:\WINDOWS\System32\BMXState-{00000002-00000000-00000003-00001102-00000002-00211102}.rfx
[2010/04/10 22:03:49 | 000,006,864 | ---- | M] () -- C:\WINDOWS\System32\BMXCtrlState-{00000002-00000000-00000003-00001102-00000002-00211102}.rfx
[2010/04/10 22:03:49 | 000,006,864 | ---- | M] () -- C:\WINDOWS\System32\BMXBkpCtrlState-{00000002-00000000-00000003-00001102-00000002-00211102}.rfx
[2010/04/10 22:03:36 | 009,699,328 | ---- | M] () -- C:\Documents and Settings\Owner.FMO\NTUSER.DAT
[2010/04/10 22:03:36 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Owner.FMO\ntuser.ini
[2010/04/10 22:01:27 | 000,181,760 | -HS- | M] () -- C:\Documents and Settings\Owner.FMO\Local Settings\Application Data\1322718845.dll
[2010/04/10 22:01:05 | 000,002,680 | -HS- | M] () -- C:\Documents and Settings\Owner.FMO\Local Settings\Application Data\mE20
[2010/04/10 22:01:05 | 000,002,680 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\mE20
[2010/04/10 21:49:43 | 000,044,164 | ---- | M] () -- C:\Documents and Settings\Owner.FMO\My Documents\24785_418813801270_724496270_5653112_3449564_n.jpg
[2010/04/10 10:48:59 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/04/10 10:11:00 | 000,000,884 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/04/10 06:11:00 | 000,000,880 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/04/09 20:01:54 | 000,055,808 | ---- | M] () -- C:\Documents and Settings\Owner.FMO\My Documents\NEWpromoters and lists.doc
[2010/04/09 19:17:40 | 000,009,470 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/04/09 19:12:27 | 000,000,256 | ---- | M] () -- C:\WINDOWS\System32\pool.bin
[2010/04/09 19:10:00 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/04/09 19:09:40 | 000,000,438 | ---- | M] () -- C:\WINDOWS\tasks\RegCure Program Check.job
[2010/04/09 19:07:36 | 000,000,000 | ---- | M] () -- C:\WINDOWS\System32\drivers\lvuvc.hs
[2010/04/09 18:42:48 | 003,373,917 | ---- | M] () -- C:\WINDOWS\{00000002-00000000-00000003-00001102-00000002-00211102}.CDF
[2010/04/09 12:50:28 | 000,347,400 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/04/09 12:38:46 | 000,000,687 | ---- | M] () -- C:\Documents and Settings\Owner.FMO\Desktop\NoAdware.lnk
[2010/04/09 12:37:53 | 007,721,381 | ---- | M] () -- C:\Documents and Settings\Owner.FMO\My Documents\NoAdware_5.0_MG4.rar
[2010/04/09 12:14:08 | 000,000,319 | ---- | M] () -- C:\Documents and Settings\Owner.FMO\Desktop\trojan_fakerean_exe_fix.reg
[2010/04/09 11:25:43 | 003,911,239 | R--- | M] () -- C:\Documents and Settings\Owner.FMO\Desktop\Orlando.exe
[2010/04/08 21:25:51 | 000,013,604 | -HS- | M] () -- C:\Documents and Settings\Owner.FMO\Local Settings\Application Data\olV3RohQ
[2010/04/08 21:25:51 | 000,013,604 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\olV3RohQ
[2010/04/08 21:24:25 | 000,029,696 | ---- | M] () -- C:\Documents and Settings\Owner.FMO\My Documents\emailsandpw4ro.doc
[2010/04/08 12:07:10 | 000,083,968 | ---- | M] () -- C:\Documents and Settings\Owner.FMO\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/04/08 11:59:40 | 000,000,349 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\PCLECHAL.INI
[2010/04/08 10:38:42 | 000,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2010/04/08 10:38:42 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2010/04/08 10:38:42 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2010/04/08 10:38:42 | 000,073,728 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2010/04/08 10:38:41 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deploytk.dll
[2010/04/08 06:17:12 | 000,001,324 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/04/08 04:06:13 | 000,085,493 | ---- | M] () -- C:\Documents and Settings\Owner.FMO\My Documents\ftc.vcf
[2010/04/08 04:05:08 | 000,000,162 | -H-- | M] () -- C:\Documents and Settings\Owner.FMO\My Documents\~$ftc.vcf
[2010/04/08 03:35:26 | 000,023,098 | ---- | M] () -- C:\Documents and Settings\Owner.FMO\My Documents\ftccrap1.csv
[2010/04/08 03:28:40 | 000,121,946 | ---- | M] () -- C:\Documents and Settings\Owner.FMO\My Documents\ftccrap.csv
[2010/04/08 03:27:16 | 000,119,754 | ---- | M] () -- C:\Documents and Settings\Owner.FMO\My Documents\ftccrap
[2010/04/08 03:13:43 | 000,023,098 | ---- | M] () -- C:\Documents and Settings\Owner.FMO\My Documents\ftheclub.csv
[2010/04/08 03:08:43 | 000,000,280 | ---- | M] () -- C:\Documents and Settings\Owner.FMO\My Documents\WORKBOOK.csv
[2010/04/08 03:08:43 | 000,000,197 | ---- | M] () -- C:\Documents and Settings\Owner.FMO\My Documents\EXCELWORKBOOK.csv
[2010/04/08 03:08:43 | 000,000,162 | ---- | M] () -- C:\Documents and Settings\Owner.FMO\My Documents\DOCUMENTPROPERTIES.csv
[2010/04/08 03:08:43 | 000,000,053 | ---- | M] () -- C:\Documents and Settings\Owner.FMO\My Documents\WORKSHEET.csv
[2010/04/08 03:08:43 | 000,000,035 | ---- | M] () -- C:\Documents and Settings\Owner.FMO\My Documents\STYLES.csv
[2010/04/08 03:08:43 | 000,000,021 | ---- | M] () -- C:\Documents and Settings\Owner.FMO\My Documents\XML_DOCS.csv
[2010/04/08 03:06:12 | 000,023,098 | ---- | M] () -- C:\Documents and Settings\Owner.FMO\My Documents\ftcluba.csv
[2010/04/08 03:05:41 | 000,099,051 | ---- | M] () -- C:\Documents and Settings\Owner.FMO\My Documents\ftclub.xml
[2010/04/08 03:00:46 | 000,023,098 | ---- | M] () -- C:\Documents and Settings\Owner.FMO\My Documents\ftclub1.csv
[2010/04/08 03:00:00 | 000,000,372 | ---- | M] () -- C:\WINDOWS\tasks\RegCure.job
[2010/04/08 02:56:14 | 000,023,098 | ---- | M] () -- C:\Documents and Settings\Owner.FMO\My Documents\ftclub.csv
[2010/04/08 02:01:14 | 000,000,745 | ---- | M] () -- C:\Documents and Settings\Owner.FMO\Desktop\Super Email Spider.lnk
[2010/04/07 14:38:00 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2010/04/02 20:21:10 | 000,048,128 | ---- | M] () -- C:\Documents and Settings\Owner.FMO\My Documents\crazydonkey promoters and list.doc
[2010/03/31 21:11:57 | 000,001,813 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Google Chrome.lnk
[2010/03/31 19:22:53 | 000,001,602 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2010/03/31 15:43:52 | 122,514,717 | ---- | M] () -- C:\Documents and Settings\Owner.FMO\My Documents\100_0171.MOV
[2010/03/31 15:38:50 | 093,447,796 | ---- | M] () -- C:\Documents and Settings\Owner.FMO\My Documents\100_0170.MOV
[2010/03/31 15:25:54 | 083,930,451 | ---- | M] () -- C:\Documents and Settings\Owner.FMO\My Documents\100_0163.MOV
[2010/03/30 14:28:54 | 000,000,665 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/03/30 12:12:16 | 000,000,671 | ---- | M] () -- C:\Documents and Settings\Owner.FMO\Application Data\vso_ts_preview.xml
[2010/03/27 21:03:28 | 000,030,720 | ---- | M] () -- C:\Documents and Settings\Owner.FMO\My Documents\list.xls
[2010/03/26 20:00:59 | 000,044,032 | ---- | M] () -- C:\Documents and Settings\Owner.FMO\My Documents\promoters and lists.doc
[2010/03/26 20:00:59 | 000,000,162 | -H-- | M] () -- C:\Documents and Settings\Owner.FMO\My Documents\~$omoters and lists.doc
[2010/03/26 12:59:19 | 000,024,064 | ---- | M] () -- C:\Documents and Settings\Owner.FMO\My Documents\Film CLass.doc
[2010/03/26 12:59:19 | 000,000,162 | -H-- | M] () -- C:\Documents and Settings\Owner.FMO\My Documents\~$lm CLass.doc
[2010/03/20 20:34:32 | 000,058,742 | ---- | M] () -- C:\Documents and Settings\Owner.FMO\My Documents\list.xps
[2010/03/16 01:27:28 | 000,000,795 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\DivX Player.lnk
[2010/03/16 01:27:07 | 000,000,831 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\DivX Converter.lnk
[2010/03/16 01:26:15 | 000,001,476 | ---- | M] () -- C:\Documents and Settings\Owner.FMO\Desktop\DivX Movies.lnk
[2010/03/15 23:18:45 | 000,000,256 | ---- | M] () -- C:\Documents and Settings\Owner.FMO\pool.bin
[2010/03/12 18:02:38 | 000,261,632 | ---- | M] () -- C:\WINDOWS\PEV.exe
[24 C:\Documents and Settings\Owner.FMO\My Documents\*.tmp files -> C:\Documents and Settings\Owner.FMO\My Documents\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/04/10 22:01:27 | 000,181,760 | -HS- | C] () -- C:\Documents and Settings\Owner.FMO\Local Settings\Application Data\1322718845.dll
[2010/04/10 21:59:54 | 000,002,680 | -HS- | C] () -- C:\Documents and Settings\Owner.FMO\Local Settings\Application Data\mE20
[2010/04/10 21:59:54 | 000,002,680 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\mE20
[2010/04/10 21:49:41 | 000,044,164 | ---- | C] () -- C:\Documents and Settings\Owner.FMO\My Documents\24785_418813801270_724496270_5653112_3449564_n.jpg
[2010/04/09 20:01:53 | 000,055,808 | ---- | C] () -- C:\Documents and Settings\Owner.FMO\My Documents\NEWpromoters and lists.doc
[2010/04/09 18:47:00 | 000,261,632 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/04/09 18:47:00 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/04/09 18:47:00 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/04/09 18:47:00 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/04/09 18:47:00 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/04/09 13:10:14 | 003,911,239 | R--- | C] () -- C:\Documents and Settings\Owner.FMO\Desktop\Orlando.exe
[2010/04/09 12:38:46 | 000,000,687 | ---- | C] () -- C:\Documents and Settings\Owner.FMO\Desktop\NoAdware.lnk
[2010/04/09 12:36:53 | 007,721,381 | ---- | C] () -- C:\Documents and Settings\Owner.FMO\My Documents\NoAdware_5.0_MG4.rar
[2010/04/09 12:14:06 | 000,000,319 | ---- | C] () -- C:\Documents and Settings\Owner.FMO\Desktop\trojan_fakerean_exe_fix.reg
[2010/04/08 21:21:47 | 000,013,604 | -HS- | C] () -- C:\Documents and Settings\Owner.FMO\Local Settings\Application Data\olV3RohQ
[2010/04/08 14:29:59 | 000,013,612 | -HS- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\olV3RohQ
[2010/04/08 14:29:59 | 000,013,604 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\olV3RohQ
[2010/04/08 04:05:08 | 000,000,162 | -H-- | C] () -- C:\Documents and Settings\Owner.FMO\My Documents\~$ftc.vcf
[2010/04/08 03:40:54 | 000,085,493 | ---- | C] () -- C:\Documents and Settings\Owner.FMO\My Documents\ftc.vcf
[2010/04/08 03:34:30 | 000,023,098 | ---- | C] () -- C:\Documents and Settings\Owner.FMO\My Documents\ftccrap1.csv
[2010/04/08 03:28:40 | 000,121,946 | ---- | C] () -- C:\Documents and Settings\Owner.FMO\My Documents\ftccrap.csv
[2010/04/08 03:27:16 | 000,119,754 | ---- | C] () -- C:\Documents and Settings\Owner.FMO\My Documents\ftccrap
[2010/04/08 03:13:43 | 000,023,098 | ---- | C] () -- C:\Documents and Settings\Owner.FMO\My Documents\ftheclub.csv
[2010/04/08 03:08:43 | 000,000,280 | ---- | C] () -- C:\Documents and Settings\Owner.FMO\My Documents\WORKBOOK.csv
[2010/04/08 03:08:43 | 000,000,197 | ---- | C] () -- C:\Documents and Settings\Owner.FMO\My Documents\EXCELWORKBOOK.csv
[2010/04/08 03:08:43 | 000,000,162 | ---- | C] () -- C:\Documents and Settings\Owner.FMO\My Documents\DOCUMENTPROPERTIES.csv
[2010/04/08 03:08:43 | 000,000,053 | ---- | C] () -- C:\Documents and Settings\Owner.FMO\My Documents\WORKSHEET.csv
[2010/04/08 03:08:43 | 000,000,035 | ---- | C] () -- C:\Documents and Settings\Owner.FMO\My Documents\STYLES.csv
[2010/04/08 03:08:43 | 000,000,021 | ---- | C] () -- C:\Documents and Settings\Owner.FMO\My Documents\XML_DOCS.csv
[2010/04/08 03:06:12 | 000,023,098 | ---- | C] () -- C:\Documents and Settings\Owner.FMO\My Documents\ftcluba.csv
[2010/04/08 03:05:41 | 000,099,051 | ---- | C] () -- C:\Documents and Settings\Owner.FMO\My Documents\ftclub.xml
[2010/04/08 03:00:46 | 000,023,098 | ---- | C] () -- C:\Documents and Settings\Owner.FMO\My Documents\ftclub1.csv
[2010/04/08 02:56:14 | 000,023,098 | ---- | C] () -- C:\Documents and Settings\Owner.FMO\My Documents\ftclub.csv
[2010/04/08 02:02:37 | 000,001,406 | ---- | C] () -- C:\Program Files\favicon.ico
[2010/04/08 02:01:14 | 000,000,745 | ---- | C] () -- C:\Documents and Settings\Owner.FMO\Desktop\Super Email Spider.lnk
[2010/03/31 15:43:52 | 122,514,717 | ---- | C] () -- C:\Documents and Settings\Owner.FMO\My Documents\100_0171.MOV
[2010/03/31 15:38:50 | 093,447,796 | ---- | C] () -- C:\Documents and Settings\Owner.FMO\My Documents\100_0170.MOV
[2010/03/31 15:25:54 | 083,930,451 | ---- | C] () -- C:\Documents and Settings\Owner.FMO\My Documents\100_0163.MOV
[2010/03/26 20:00:59 | 000,044,032 | ---- | C] () -- C:\Documents and Settings\Owner.FMO\My Documents\promoters and lists.doc
[2010/03/26 20:00:59 | 000,000,162 | -H-- | C] () -- C:\Documents and Settings\Owner.FMO\My Documents\~$omoters and lists.doc
[2010/03/26 12:59:19 | 000,024,064 | ---- | C] () -- C:\Documents and Settings\Owner.FMO\My Documents\Film CLass.doc
[2010/03/26 12:59:19 | 000,000,162 | -H-- | C] () -- C:\Documents and Settings\Owner.FMO\My Documents\~$lm CLass.doc
[2010/03/20 20:34:39 | 000,030,720 | ---- | C] () -- C:\Documents and Settings\Owner.FMO\My Documents\list.xls
[2010/03/20 20:34:16 | 000,058,742 | ---- | C] () -- C:\Documents and Settings\Owner.FMO\My Documents\list.xps
[2010/03/16 01:27:28 | 000,000,795 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\DivX Player.lnk
[2010/03/16 01:27:07 | 000,000,831 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\DivX Converter.lnk
[2010/03/16 01:26:15 | 000,001,476 | ---- | C] () -- C:\Documents and Settings\Owner.FMO\Desktop\DivX Movies.lnk
[2010/02/10 06:05:46 | 000,000,129 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
[2009/12/19 19:51:26 | 005,937,684 | R--- | C] () -- C:\Documents and Settings\Owner.FMO\Lil Wayne Ft. Eminem - Drop The World _hithiphop.com_.mp3
[2009/11/22 02:11:18 | 000,000,584 | ---- | C] () -- C:\Documents and Settings\Owner.FMO\exehelperlog.txt
[2009/11/21 23:22:24 | 000,014,704 | ---- | C] () -- C:\Documents and Settings\Owner.FMO\hs_err_pid54920.log
[2009/10/21 21:58:23 | 000,112,640 | ---- | C] () -- C:\WINDOWS\System32\rrsec.dll
[2009/06/13 22:13:33 | 000,000,256 | ---- | C] () -- C:\Documents and Settings\Owner.FMO\pool.bin
[2009/03/11 18:38:02 | 000,014,523 | ---- | C] () -- C:\Documents and Settings\Owner.FMO\hs_err_pid7120.log
[2009/03/01 04:59:55 | 000,000,032 | ---- | C] () -- C:\WINDOWS\System32\work.ini
[2009/01/25 13:34:04 | 000,196,096 | ---- | C] () -- C:\WINDOWS\System32\MACD32.DLL
[2009/01/25 13:34:04 | 000,138,752 | ---- | C] () -- C:\WINDOWS\System32\MASE32.DLL
[2009/01/25 13:34:04 | 000,136,192 | ---- | C] () -- C:\WINDOWS\System32\MAMC32.DLL
[2009/01/25 13:34:04 | 000,057,856 | ---- | C] () -- C:\WINDOWS\System32\MASD32.DLL
[2009/01/25 13:34:03 | 000,027,648 | ---- | C] () -- C:\WINDOWS\System32\MA32.DLL
[2009/01/25 13:30:16 | 000,000,000 | ---- | C] () -- C:\WINDOWS\DVEdit.INI
[2009/01/25 13:26:35 | 000,002,275 | ---- | C] () -- C:\Documents and Settings\Owner.FMO\Application Data\SAS7_000.DAT
[2009/01/25 13:22:17 | 000,081,920 | ---- | C] () -- C:\WINDOWS\System32\dsp_trc.dll
[2009/01/25 13:22:17 | 000,024,576 | ---- | C] () -- C:\WINDOWS\System32\IcdSptSvps.dll
[2009/01/19 23:14:47 | 000,066,482 | R--- | C] () -- C:\WINDOWS\System32\lvcoinst.ini
[2009/01/14 11:04:41 | 003,353,773 | ---- | C] () -- C:\Program Files\intro.mp3
[2009/01/11 16:54:32 | 003,869,031 | ---- | C] () -- C:\Program Files\phantomwoah.mp3
[2009/01/08 22:45:05 | 000,023,213 | ---- | C] () -- C:\Documents and Settings\Owner.FMO\flood
[2009/01/06 12:06:50 | 000,128,019 | ---- | C] () -- C:\Program Files\bb.mp3
[2008/11/19 18:33:34 | 012,869,925 | ---- | C] () -- C:\Program Files\phonecall.mp3
[2008/10/18 14:59:00 | 004,385,854 | ---- | C] () -- C:\Program Files\special - blood manor.zip
[2008/10/16 13:45:12 | 004,447,331 | ---- | C] () -- C:\Program Files\blood manor 5.mp3
[2008/10/16 13:43:10 | 004,474,436 | ---- | C] () -- C:\Program Files\special - blood manor.mp3
[2008/10/16 13:40:30 | 004,537,403 | ---- | C] () -- C:\Program Files\blood manor 3.mp3
[2008/10/16 13:37:48 | 004,308,053 | ---- | C] () -- C:\Program Files\blood manor2.mp3
[2008/10/16 13:25:29 | 004,568,652 | ---- | C] () -- C:\Program Files\Blood Manor1.mp3
[2008/09/30 20:48:13 | 000,000,671 | ---- | C] () -- C:\Documents and Settings\Owner.FMO\Application Data\vso_ts_preview.xml
[2008/09/06 05:09:34 | 000,000,000 | -H-- | C] () -- C:\Documents and Settings\Owner.FMO\NTUSER.DAT.rctemp.LOG
[2008/08/20 21:38:10 | 000,000,000 | -HS- | C] () -- C:\Documents and Settings\Owner.FMO\Application Data\0048acc487e9b206ff3f9861bd6006c73278e337000ba1e2bc.dat
[2008/06/19 13:22:40 | 000,000,033 | ---- | C] () -- C:\Documents and Settings\Owner.FMO\Application Data\install.ini
[2008/06/10 20:07:20 | 003,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2008/06/10 20:03:26 | 000,000,416 | ---- | C] () -- C:\WINDOWS\System32\dtu100.dll.manifest
[2008/02/05 19:20:08 | 000,025,624 | ---- | C] () -- C:\WINDOWS\System32\drivers\LVPr2Mon.sys
[2007/12/11 01:22:19 | 000,000,117 | ---- | C] () -- C:\Documents and Settings\Owner.FMO\default.pls
[2007/12/11 00:25:38 | 000,000,069 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2007/11/16 03:52:37 | 000,001,721 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2007/11/01 15:23:18 | 000,019,968 | ---- | C] () -- C:\WINDOWS\System32\cpuinf32.dll
[2007/11/01 15:23:16 | 000,152,064 | ---- | C] () -- C:\WINDOWS\System32\unrar.dll
[2007/11/01 15:23:14 | 000,761,856 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2007/08/30 14:16:25 | 000,000,022 | ---- | C] () -- C:\WINDOWS\ExtractAudio.INI
[2007/07/22 22:54:29 | 000,000,073 | ---- | C] () -- C:\WINDOWS\EurekaLog.ini
[2007/07/22 22:53:34 | 000,001,502 | ---- | C] () -- C:\WINDOWS\XMailer.INI
[2007/05/11 13:48:47 | 000,000,005 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\DragToDiscUserNameE.txt
[2007/03/20 18:47:06 | 000,009,728 | ---- | C] () -- C:\WINDOWS\System32\BASSMOD.dll
[2007/01/29 23:04:13 | 000,000,128 | ---- | C] () -- C:\WINDOWS\SBWIN.INI
[2007/01/29 23:04:09 | 000,000,231 | ---- | C] () -- C:\WINDOWS\AC3API.INI
[2007/01/29 23:02:46 | 000,037,727 | ---- | C] () -- C:\WINDOWS\System32\Emu10kx.ini
[2007/01/29 23:02:46 | 000,000,029 | ---- | C] () -- C:\WINDOWS\System32\ctzapxx.ini
[2007/01/29 23:02:37 | 000,000,180 | ---- | C] () -- C:\WINDOWS\System32\KILL.INI
[2006/12/27 14:18:16 | 003,423,744 | ---- | C] () -- C:\WINDOWS\System32\libfilefmt-1.1.0.dll
[2006/12/27 14:18:16 | 000,706,048 | ---- | C] () -- C:\WINDOWS\System32\libmcl-3.1.1.dll
[2006/12/27 14:18:16 | 000,020,480 | ---- | C] () -- C:\WINDOWS\System32\libavi-dd-1.2.0.dll
[2006/12/26 14:41:21 | 000,000,055 | ---- | C] () -- C:\Documents and Settings\Owner.FMO\Application Data\pcouffin.log
[2006/12/26 14:40:43 | 000,087,608 | ---- | C] () -- C:\Documents and Settings\Owner.FMO\Application Data\ezpinst.exe
[2006/12/26 14:40:43 | 000,007,887 | ---- | C] () -- C:\Documents and Settings\Owner.FMO\Application Data\pcouffin.cat
[2006/12/26 14:40:43 | 000,001,144 | ---- | C] () -- C:\Documents and Settings\Owner.FMO\Application Data\pcouffin.inf
[2006/12/17 13:51:40 | 000,001,362 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2006/11/15 20:56:28 | 000,000,132 | ---- | C] () -- C:\Documents and Settings\Owner.FMO\Local Settings\Application Data\fusioncache.dat
[2006/11/11 20:26:13 | 000,006,798 | ---- | C] () -- C:\Documents and Settings\Owner.FMO\UserCustomPreset_Adobe Premiere Pro 2.0.vpr
[2006/11/05 19:39:46 | 003,309,887 | ---- | C] () -- C:\Program Files\fab.mp3
[2006/11/04 18:02:00 | 000,000,091 | ---- | C] () -- C:\WINDOWS\Retrieve.INI
[2006/10/29 17:28:04 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\dsplib.dll
[2006/10/22 17:46:02 | 000,000,029 | ---- | C] () -- C:\WINDOWS\atid.ini
[2006/10/21 18:32:31 | 000,083,968 | ---- | C] () -- C:\Documents and Settings\Owner.FMO\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2006/10/20 21:50:26 | 000,294,912 | -H-- | C] () -- C:\Documents and Settings\Owner.FMO\ntuser.dat.LOG
[2006/10/20 21:50:26 | 000,000,178 | -HS- | C] () -- C:\Documents and Settings\Owner.FMO\ntuser.ini
[2006/10/20 21:50:25 | 009,699,328 | ---- | C] () -- C:\Documents and Settings\Owner.FMO\NTUSER.DAT
[2006/10/20 21:50:25 | 007,077,888 | -H-- | C] () -- C:\Documents and Settings\Owner.FMO\NTUSER.DAT.rcbak
[2006/07/31 14:02:00 | 000,135,168 | ---- | C] () -- C:\WINDOWS\System32\RtlCPAPI.dll
[2006/07/31 13:55:49 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2006/07/31 13:52:33 | 000,262,144 | ---- | C] () -- C:\Documents and Settings\All Users\NTUSER.DAT
[2006/07/31 13:52:33 | 000,001,024 | -H-- | C] () -- C:\Documents and Settings\All Users\NTUSER.DAT.LOG
[2006/06/21 05:48:15 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2006/06/17 05:24:58 | 000,001,386 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2006/06/17 05:24:57 | 000,000,469 | ---- | C] () -- C:\WINDOWS\System32\emver.ini
[2005/08/06 00:01:54 | 000,235,008 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2005/04/27 13:40:30 | 000,002,572 | ---- | C] () -- C:\WINDOWS\WINDVDBOOTRECDOE.sys
[2005/02/28 15:17:16 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2004/11/30 04:10:00 | 000,028,672 | ---- | C] () -- C:\WINDOWS\System32\besched.dll
[2004/01/27 08:13:54 | 000,421,888 | ---- | C] () -- C:\WINDOWS\System32\OpenQuicktimeLib.dll
[2004/01/27 08:13:14 | 000,061,440 | ---- | C] () -- C:\WINDOWS\System32\libfaac.dll
[2003/12/19 02:00:00 | 000,013,387 | ---- | C] () -- C:\WINDOWS\System32\CinemSup.sys
[2003/10/02 01:00:00 | 000,208,896 | ---- | C] () -- C:\WINDOWS\System32\lockout.dll
[2003/10/02 01:00:00 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\lockres.dll
< End of report >

OTL Extras logfile created on: 4/10/2010 10:14:08 PM - Run 1
OTL by OldTimer - Version 3.2.1.1 Folder = F:\
Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

894.00 Mb Total Physical Memory | 532.00 Mb Available Physical Memory | 60.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 83.00% Paging File free
Paging file location(s): C:\pagefile.sys 576 1152 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 143.75 Gb Total Space | 12.99 Gb Free Space | 9.03% Space Free | Partition Type: NTFS
Drive D: | 5.28 Gb Total Space | 3.40 Gb Free Space | 64.44% Space Free | Partition Type: FAT32
E: Drive not present or media not loaded
Drive F: | 465.64 Gb Total Space | 442.35 Gb Free Space | 95.00% Space Free | Partition Type: FAT32
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: FMO
Current User Name: Owner
Logged in as Administrator.

Current Boot Mode: SafeMode with Networking
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

[HKEY_USERS\.DEFAULT\SOFTWARE\Classes\<extension>]
.exe [@ = secfile] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\ave.exe File not found

[HKEY_USERS\S-1-5-18\SOFTWARE\Classes\<extension>]
.exe [@ = secfile] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\ave.exe File not found

[HKEY_USERS\S-1-5-21-1365152532-2487360119-377298570-1006\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation)
https [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusOverride" = 1
"FirewallOverride" = 1
"AntiVirusDisableNotify" = 1
"FirewallDisableNotify" = 1
"UpdatesDisableNotify" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"443:TCP" = 443:TCP:*:Enabled:ooVoo TCP port 443
"443:UDP" = 443:UDP:*:Enabled:ooVoo UDP port 443
"37674:TCP" = 37674:TCP:*:Enabled:ooVoo TCP port 37674
"37674:UDP" = 37674:UDP:*:Enabled:ooVoo UDP port 37674
"37675:UDP" = 37675:UDP:*:Enabled:ooVoo UDP port 37675

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Common Files\AOL\Loader\aolload.exe" = C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Loader -- (AOL LLC)
"C:\Program Files\Common Files\AOL\1154369075\EE\aolsoftware.exe" = C:\Program Files\Common Files\AOL\1154369075\EE\aolsoftware.exe:*:Enabled:AOL Services -- (America Online, Inc.)
"C:\Program Files\Common Files\AOL\1154369075\EE\aim6.exe" = C:\Program Files\Common Files\AOL\1154369075\EE\aim6.exe:*:Enabled:AIM -- (America Online, Inc.)
"C:\WINDOWS\system32\dpvsetup.exe" = C:\WINDOWS\system32\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test -- (Microsoft Corporation)
"C:\Program Files\LimeWire\LimeWire.exe" = C:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire -- (Lime Wire, LLC)
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)
"C:\Program Files\AIM7\aim.exe" = C:\Program Files\AIM7\aim.exe:*:Enabled:AIM -- (AOL LLC)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{03B0EB18-51D2-4302-B92C-BBAE869FFBBF}" = BlackBerry Device Software Updater
"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour
"{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_iP1700" = Canon iP1700
"{13F3917B56CD4C25848BDC69916971BB}" = DivX Converter
"{1451DE6B-ABE1-4F62-BE9A-B363A17588A2}" = QuickTime
"{15377C3E-9655-400F-B441-E69F0A6BEAFE}" = Recovery Software Suite eMachines
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate
"{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}" = DVD Solution
"{208755CA-746A-4973-A435-4E8B9D151FC8}" = BlackBerry Device Software v4.5.0 for the BlackBerry 8300 smartphone
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{236BB7C4-4419-42FD-0409-1E257A25E34D}" = Adobe Photoshop CS2
"{26A24AE4-039D-4CA4-87B4-2F83216019FF}" = Java™ 6 Update 19
"{2E0695EE-ED29-4D96-BD77-2A9A17EDF0D6}" = Cypress USB Mass Storage Driver Installation
"{2FA41EBB-3F5A-35C3-85D6-51EC72A11FBD}" = Google Gears
"{312FA0F1-8EB0-472B-BF50-B863C5D92A76}" = Blaine's Custom Speed Effects
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{355C98D0-C2F6-4BD0-94CE-972192CBB2C4}" = BlackBerry Device Software v4.5.0 for the BlackBerry 8300 smartphone
"{36756DBA-10A2-4BDE-B6C7-F4307478D9AD}" = Blaine's Custom TV Ratings
"{3921A67A-5AB1-4E48-9444-C71814CF3027}" = VCRedistSetup
"{3FA365DF-2D68-45ED-8F83-8C8A33E65143}" = Apple Application Support
"{3FC7CBBC4C1E11DCA1A752EA55D89593}" = DivX Version Checker
"{3FCAADB8-EB1B-11D6-AB2D-0090271A23A2}" = Sound Blaster Live! Web 2K/XP
"{40BF1E83-20EB-11D8-97C5-0009C5020658}" = Power2Go 4.0
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4AC55A61-BA20-4DF5-ABFF-8F4819E0C875}" = Digital Media Reader
"{4ECCF281-ED79-4EA7-AE89-5E39D3291C2A}" = Diskeeper 2008 Pro Premier
"{53735ECE-E461-4FD0-B742-23A352436D3A}" = Logitech Updater
"{56C049BE-79E9-4502-BEA7-9754A3E60F9B}" = neroxml
"{5EE7D259-D137-4438-9A5F-42F432EC0421}" = VC80CRTRedist - 8.0.50727.4053
"{6444D9D9-CD6C-4464-B970-55C606C944DC}" = Logitech QuickCam
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}" = Windows Media Player Firefox Plugin
"{6CCC133E-9A2F-4CAA-8866-75D029CD3AB3}" = Digital Voice Editor 3
"{6D52C408-B09A-4520-9B18-475B81D393F1}" = Microsoft Works
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{76C24F39-B161-498F-BD8B-C64789812D13}_is1" = ConvertXtoDVD 3.3.2.100
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{786C5747-1033-0000-B58E-000000000001}" = Adobe Stock Photos 1.0
"{786C5747-1437-443D-B06E-79A00FE45110}" = Adobe Stock Photos 1.0
"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX Codec
"{82D423F4-0941-4AFF-9ABE-C1905D90099E}" = BlackBerry Desktop Software 4.6
"{8ADFC4160D694100B5B8A22DE9DCABD9}" = DivX Player
"{8DCE550C-CA43-4E82-92DF-FFC4A48F5BE1}" = Napster Burn Engine
"{8EDBA74D-0686-4C99-BFDD-F894678E5102}" = Adobe Common File Installer
"{8FFC924C-ED06-44CB-8867-3CA778ECE903}" = Adobe Help Center 2.0
"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{9941F0AA-B903-4AF4-A055-83A9815CC011}" = Sonic Encoders
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A654A805-41D9-40C7-AA46-4AF04F044D61}" = Adobe® Photoshop® Album Starter Edition 3.2
"{A6FDF86A-F541-4E7B-AEA0-8849A2A700D5}" = iTunes
"{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}" = Windows Live installer
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{A96E97134CA649888820BCDE5E300BBD}" = H.264 Decoder
"{A99C6296-A311-4D6C-9602-53B4241921D5}" = Roxio Easy Media Creator 7
"{AAC389499AEF40428987B3D30CFC76C9}" = MKV Splitter
"{AADEA55D-C834-4BCB-98A3-4B8D1C18F4EE}" = Apple Mobile Device Support
"{AC76BA86-7AD7-1033-7B44-A70000000000}" = Adobe Reader 7.0
"{ACCA20B0-C4D1-4BF5-BF21-0A0EB5EF9730}" = REALTEK GbE & FE Ethernet PCI NIC Driver
"{ACD27BF3-7CDC-11D7-9D4D-00010240CE95}" = Java 2 Runtime Environment, SE v1.4.1_04
"{AE3D38A6-13B1-40B3-9423-D1FA9982FB6A}" = Adobe Bridge 1.0
"{AEF9DC35ADDF4825B049ACBFD1C6EB37}" = AAC Decoder
"{B13A7C41581B411290FBC0395694E2A9}" = DivX Converter
"{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Web Player
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D103C4BA-F905-437A-8049-DB24763BBE36}" = Skype™ 4.1
"{D6E4E5D6-7693-4BB4-95BA-21F38FAFEE90}" = Safari
"{DDDD90B2-80F2-413A-8A8E-38C5076A7DBA}" = Dragon NaturallySpeaking 9 Recorder Edition
"{EF781A5C-58F5-4BFD-87F9-E4F14D382F25}" = Pinnacle Instant DVD Recorder
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{FAA7F8FF-3C05-4A61-8F14-D8A6E9ED6623}" = ooVoo
"{FFFF6D5C-E2F1-4B40-BC89-8923312E89EB}}_is1" = ACE Mega CoDecS Pack
"3GP Video Converter 3" = 3GP Video Converter 3
"3ivx D4 4.5.1" = 3ivx D4 4.5.1 (remove only)
"AC3ACM" = AC-3 ACM Codec
"Account Creator" = Account Creator
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Photoshop CS2 - {236BB7C4-4419-42FD-0409-1E257A25E34D}" = Adobe Photoshop CS2
"Adobe SVG Viewer" = Adobe SVG Viewer 3.0
"Adobe® Photoshop® Album Starter Edition 3.2" = Adobe® Photoshop® Album Starter Edition 3.2
"AIM_7" = AIM 7
"Antares Auto-Tune v4.39" = Antares Auto-Tune v4.39
"AntiVir PersonalEdition Classic" = Avira AntiVir Personal - Free Antivirus
"AOL Connectivity Services" = AOL Connectivity Services
"AOL Spyware Protection" = AOL Spyware Protection
"AOL Uninstaller" = AOL Uninstaller (Choose which Products to Remove)
"AOL YGP Screensaver" = AOL You've Got Pictures Screensaver
"AolCoach2_en" = AOL Coach Version 2.0(Build:20041026.5 en)
"ATI Display Driver" = ATI Display Driver
"Audacity 1.3 Beta (Unicode)_is1" = Audacity 1.3.5 (Unicode)
"AVS Update Manager_is1" = AVS Update Manager 1.0
"AVS4YOU Software Navigator_is1" = AVS4YOU Software Navigator 1.3
"AVS4YOU Video Converter 6_is1" = AVS Video Converter 6
"BlackBerry_{82D423F4-0941-4AFF-9ABE-C1905D90099E}" = BlackBerry Desktop Software 4.6
"Boilsoft Video Joiner_is1" = Boilsoft Video Joiner 5.24
"Canon iP1700 User Registration" = Canon iP1700 User Registration
"CanonMyPrinter" = Canon My Printer
"CCleaner" = CCleaner
"CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200014F1" = Soft Data Fax Modem with SmartCP
"Collab" = Collab
"DivX Plus DirectShow Filters" = DivX Plus DirectShow Filters
"DVD Ripper Platinum 4" = DVD Ripper Platinum 4
"DVDx_is1" = DVDx
"Easy Video Joiner_is1" = Easy Video Joiner 5.21
"Easy-PhotoPrint" = Canon Utilities Easy-PhotoPrint
"Easy-WebPrint" = Easy-WebPrint
"ESET Online Scanner" = ESET Online Scanner v3
"FileASSASSIN" = FileASSASSIN
"FL Studio 6" = FL Studio 6
"FL Studio 6.3 public beta" = FL Studio 6.3 public beta
"FL Studio 8" = FL Studio 8
"Flash DVD Ripper" = Flash DVD Ripper
"Google Chrome" = Google Chrome
"Google Desktop" = Google Desktop
"HijackThis" = HijackThis 2.0.2
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"IL Download Manager" = IL Download Manager
"InstallShield_{4AC55A61-BA20-4DF5-ABFF-8F4819E0C875}" = Digital Media Reader
"IrfanView" = IrfanView (remove only)
"LimeWire" = LimeWire PRO 5.1.2
"lvdrivers_11.70" = Logitech QuickCam Driver Package
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"MIKSOFT Mobile 3GP converter_is1" = MIKSOFT Mobile 3GP converter
"Mozilla Firefox (3.6.3)" = Mozilla Firefox (3.6.3)
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"NoAdware 5.0_is1" = NoAdware v5.0
"P2P Energy Toolbar" = P2P Energy Toolbar
"Port Magic" = Pure Networks Port Magic
"RegCure" = RegCure 1.5.1.3
"Registrar Registry Manager (Lite Edition)_is1" = Registrar Registry Manager 5.02
"save2pc Light_is1" = save2pc Light 3.21
"ScummVM_is1" = ScummVM 0.11.1
"SM1FX_AT" = USB Storage Adapter FX (SM1)
"SoftwareUpdUtility" = Download Updater (AOL LLC)
"Super Email Spider_is1" = Super Email Spider
"Uninstall_is1" = Uninstall 1.0.0.0
"WGA" = Windows Genuine Advantage Validation Tool
"WIC" = Windows Imaging Component
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinRAR archiver" = WinRAR archiver
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0 (Beta2)
"Xilisoft 3GP Video Converter" = Xilisoft 3GP Video Converter

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 4/9/2010 12:50:53 PM | Computer Name = FMO | Source = Media Center Receiver | ID = 4
Description = TV tuner malfunction. (0xc0040597) Dazzle DVC100 TVTuner

Error - 4/9/2010 12:54:24 PM | Computer Name = FMO | Source = MsiInstaller | ID = 10005
Description = Product: Microsoft Office Professional Edition 2003 -- Error 25090.
Office Setup encountered a problem with the Office Source Engine, system error:
-2147023843. Please open C:\Program Files\Microsoft Office\OFFICE11\1033\SETUP.CHM
and look for "Office Source Engine" for information on how to resolve this problem.

Error - 4/9/2010 12:54:34 PM | Computer Name = FMO | Source = MsiInstaller | ID = 1024
Description = Product: Microsoft Office Professional Edition 2003 - Update 'Update
for Office 2003 (KB907417): OTKLOADR' could not be installed. Error code 1603.
Windows Installer can create logs to help troubleshoot issues with installing software
packages. Use the following link for instructions on turning on logging support:
http://go.microsoft.com/fwlink/?LinkId=23127

Error - 4/9/2010 12:57:53 PM | Computer Name = FMO | Source = MsiInstaller | ID = 1024
Description = Product: Microsoft Office Professional Edition 2003 - Update 'Office
2003 Service Pack 2 (SP2): MAINSP2ff' could not be installed. Error code 1603.
Windows Installer can create logs to help troubleshoot issues with installing software
packages. Use the following link for instructions on turning on logging support:
http://go.microsoft.com/fwlink/?LinkId=23127

Error - 4/9/2010 12:58:00 PM | Computer Name = FMO | Source = MsiInstaller | ID = 1024
Description = Product: Microsoft Office Professional Edition 2003 - Update 'Update
for Outlook 2003: Junk E-mail Filter (KB979771): OUTLFLTR' could not be installed.
Error code 1603. Windows Installer can create logs to help troubleshoot issues
with installing software packages. Use the following link for instructions on turning
on logging support: http://go.microsoft.com/fwlink/?LinkId=23127

Error - 4/9/2010 6:42:11 PM | Computer Name = FMO | Source = Media Center Receiver | ID = 4
Description = TV tuner malfunction. (0xc0040597) Dazzle DVC100 TVTuner

Error - 4/9/2010 7:08:02 PM | Computer Name = FMO | Source = Media Center Receiver | ID = 4
Description = TV tuner malfunction. (0xc0040597) Dazzle DVC100 TVTuner

Error - 4/10/2010 8:02:39 AM | Computer Name = FMO | Source = EventSystem | ID = 4609
Description = The COM+ Event System detected a bad return code during its internal
processing. HRESULT was 80004002 from line 44 of d:\comxp_sp3\com\com1x\src\events\tier1\eventsystemobj.cpp.
Please contact Microsoft Product Support Services to report this erro

Error - 4/10/2010 10:47:37 AM | Computer Name = FMO | Source = EventSystem | ID = 4612
Description = The COM+ Event System ran out of memory during its internal processing,
at line 20 of d:\comxp_sp3\com\com1x\src\events\shared\stringfuncs.

Error - 4/10/2010 3:54:16 PM | Computer Name = FMO | Source = EventSystem | ID = 4609
Description = The COM+ Event System detected a bad return code during its internal
processing. HRESULT was 80080005 from line 44 of d:\comxp_sp3\com\com1x\src\events\tier1\eventsystemobj.cpp.
Please contact Microsoft Product Support Services to report this erro

[ System Events ]
Error - 4/10/2010 10:48:59 AM | Computer Name = FMO | Source = Service Control Manager | ID = 7032
Description = The Service Control Manager tried to take a corrective action (Restart
the service) after the unexpected termination of the Windows Management Instrumentation
service, but this action failed with the following error: %%1056

Error - 4/10/2010 3:54:16 PM | Computer Name = FMO | Source = DCOM | ID = 10010
Description = The server {8BC3F05E-D86B-11D0-A075-00C04FB68820} did not register
with DCOM within the required timeout.

Error - 4/10/2010 3:54:16 PM | Computer Name = FMO | Source = DCOM | ID = 10010
Description = The server {1BE1F766-5536-11D1-B726-00C04FB926AF} did not register
with DCOM within the required timeout.

Error - 4/10/2010 3:54:47 PM | Computer Name = FMO | Source = Service Control Manager | ID = 7032
Description = The Service Control Manager tried to take a corrective action (Restart
the service) after the unexpected termination of the Windows Management Instrumentation
service, but this action failed with the following error: %%1056

Error - 4/10/2010 9:39:15 PM | Computer Name = FMO | Source = Service Control Manager | ID = 7031
Description = The Background Intelligent Transfer Service service terminated unexpectedly.
It has done this 1 time(s). The following corrective action will be taken in
60000 milliseconds: Restart the service.

Error - 4/10/2010 9:39:15 PM | Computer Name = FMO | Source = Service Control Manager | ID = 7034
Description = The COM+ Event System service terminated unexpectedly. It has done
this 4 time(s).

Error - 4/10/2010 9:39:15 PM | Computer Name = FMO | Source = Service Control Manager | ID = 7034
Description = The Network Location Awareness (NLA) service terminated unexpectedly.
It has done this 4 time(s).

Error - 4/10/2010 9:39:28 PM | Computer Name = FMO | Source = Service Control Manager | ID = 7032
Description = The Service Control Manager tried to take a corrective action (Restart
the service) after the unexpected termination of the Windows Management Instrumentation
service, but this action failed with the following error: %%1056

Error - 4/10/2010 10:06:28 PM | Computer Name = FMO | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 4/10/2010 10:07:00 PM | Computer Name = FMO | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
avgio avipbb cdudf_xp Cinemsup Fips hwinterface32B01 intelppm kl1 pavboot SASKUTIL ssmdrv


< End of report >

Merged posts. ~ OB

Edited by Orange Blossom, 11 April 2010 - 02:04 PM.
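The firewall-policy and Security Center keys in the OTL log above are worth reading on their own: EnableFirewall = 0 with DisableNotifications = 1 in both profiles, Security Center monitoring switched off for McAfeeFirewall, and several GloballyOpenPorts entries scoped to * rather than LocalSubNet. The log alone cannot say whether a third-party firewall changed these or something else did, but they are the lines a responder checks first. The script below is an added example (not part of this thread and not part of OTL) that parses that section of an OTL log and lists those settings. SAMPLE_LOG is a constructed excerpt in the same format as the log above, and which settings count as findings is the example's own choice.

```python
"""Audit the Windows Firewall / Security Center section of an OTL log.

Added example for this thread (not the poster's code and not part of OTL).
It parses the "[key]" / "name" = value dump that OTL prints and reports the
settings a responder looks at first. SAMPLE_LOG is a constructed excerpt in the
same format as the log above; which settings count as findings is this
example's own choice.
"""
import re
from typing import Dict, List, Tuple

# Constructed excerpt in OTL's registry-dump format.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"443:TCP" = 443:TCP:*:Enabled:ooVoo TCP port 443
"37674:UDP" = 37674:UDP:*:Enabled:ooVoo UDP port 37674
"""

SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.*)$')

Finding = Tuple[str, str, str]  # (kind, subject, detail)


def parse_otl_registry(text: str) -> Dict[str, Dict[str, str]]:
    """Return {registry key: {value name: value}} from an OTL registry dump."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group("key")
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group("name")] = m.group("value").strip()
    return keys


def audit_firewall(keys: Dict[str, Dict[str, str]]) -> List[Finding]:
    """Flag disabled Security Center monitoring, a disabled firewall profile,
    suppressed prompts, and globally open ports whose scope is '*' (any remote
    address) rather than LocalSubNet."""
    findings: List[Finding] = []
    for key, values in keys.items():
        tail = key.rsplit("\\", 1)[-1]
        if "\\Security Center\\Monitoring\\" in key and values.get("DisableMonitoring") == "1":
            findings.append(("monitoring-disabled", tail,
                             "Security Center no longer reports on this product"))
        if "\\FirewallPolicy\\" in key and tail.endswith("Profile"):
            if values.get("EnableFirewall") == "0":
                findings.append(("firewall-off", tail, "Windows Firewall disabled for this profile"))
            if values.get("DisableNotifications") == "1":
                findings.append(("notifications-off", tail, "blocked-program prompts suppressed"))
        if key.endswith("GloballyOpenPorts\\List"):
            for value in values.values():
                # value layout: port:proto:scope:state:description
                parts = value.split(":", 4)
                if len(parts) != 5:
                    continue
                port, proto, scope, state, desc = parts
                if state == "Enabled" and scope == "*":
                    findings.append(("open-port-any-scope", f"{port}/{proto}", desc))
    return findings


if __name__ == "__main__":
    for kind, subject, detail in audit_firewall(parse_otl_registry(SAMPLE_LOG)):
        print(f"{kind:22} {subject:18} {detail}")
```

Run it against a full OTL log by reading the file into parse_otl_registry instead of SAMPLE_LOG; sections outside the firewall keys are parsed but produce no findings. The LocalSubNet entries for 137-139/445 are the stock file-sharing exceptions and are deliberately not flagged; an exception scoped to * is the one that exposes a listener to every remote address.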



#2 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:02:42 PM

Posted 13 April 2010 - 07:27 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

----------------------------------------------

Please run Gmer, a rootkit scanner

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.
m0le is a proud member of UNITE

#3 concept

  • Topic Starter
  • Members
  • 67 posts
  • Local time:10:42 AM

Posted 14 April 2010 - 09:56 PM

GMER 1.0.15.15252 - http://www.gmer.net
Rootkit scan 2010-04-14 22:55:56
Windows 5.1.2600 Service Pack 3
Running: tqjfwryi.exe; Driver: C:\DOCUME~1\Owner.FMO\LOCALS~1\Temp\pxtdypob.sys


---- System - GMER 1.0.15 ----

SSDT pxfsf.sys (PREVX Security Agent for Windows/Prevx Limited, http://www.prevx1.com/) ZwAlertResumeThread [0xF741583D]
SSDT pxfsf.sys (PREVX Security Agent for Windows/Prevx Limited, http://www.prevx1.com/) ZwAllocateUserPhysicalPages [0xF7415847]
SSDT pxfsf.sys (PREVX Security Agent for Windows/Prevx Limited, http://www.prevx1.com/) ZwAllocateVirtualMemory [0xF7415851]
SSDT pxfsf.sys (PREVX Security Agent for Windows/Prevx Limited, http://www.prevx1.com/) ZwClose [0xF741585B]
SSDT pxfsf.sys (PREVX Security Agent for Windows/Prevx Limited, http://www.prevx1.com/) ZwCompactKeys [0xF7415865]
SSDT pxfsf.sys (PREVX Security Agent for Windows/Prevx Limited, http://www.prevx1.com/) ZwCompressKey [0xF741586F]
SSDT pxfsf.sys (PREVX Security Agent for Windows/Prevx Limited, http://www.prevx1.com/) ZwCreateDirectoryObject [0xF7415879]
SSDT pxfsf.sys (PREVX Security Agent for Windows/Prevx Limited, http://www.prevx1.com/) ZwCreateEvent [0xF7415883]
SSDT pxfsf.sys (PREVX Security Agent for Windows/Prevx Limited, http://www.prevx1.com/) ZwCreateEventPair [0xF741588D]
SSDT pxfsf.sys (PREVX Security Agent for Windows/Prevx Limited, http://www.prevx1.com/) ZwCreateFile [0xF7415897]
SSDT pxfsf.sys (PREVX Security Agent for Windows/Prevx Limited, http://www.prevx1.com/) ZwCreateIoCompletion [0xF74158A1]
SSDT pxfsf.sys (PREVX Security Agent for Windows/Prevx Limited, http://www.prevx1.com/) ZwCreateJobObject [0xF74158AB]
SSDT pxfsf.sys (PREVX Security Agent for Windows/Prevx Limited, http://www.prevx1.com/) ZwCreateKey [0xF74158B5]
SSDT pxfsf.sys (PREVX Security Agent for Windows/Prevx Limited, http://www.prevx1.com/) ZwCreateMailslotFile [0xF74158BF]
SSDT pxfsf.sys (PREVX Security Agent for Windows/Prevx Limited, http://www.prevx1.com/) ZwCreateMutant [0xF74158C9]
SSDT pxfsf.sys (PREVX Security Agent for Windows/Prevx Limited, http://www.prevx1.com/) ZwCreateNamedPipeFile [0xF74158D3]
SSDT pxfsf.sys (PREVX Security Agent for Windows/Prevx Limited, http://www.prevx1.com/) ZwCreatePort [0xF74158DD]
SSDT pxfsf.sys (PREVX Security Agent for Windows/Prevx Limited, http://www.prevx1.com/) ZwCreateProcess [0xF74158E7]
SSDT pxfsf.sys (PREVX Security Agent for Windows/Prevx Limited, http://www.prevx1.com/) ZwCreateProcessEx [0xF74158F1]
SSDT pxfsf.sys (PREVX Security Agent for Windows/Prevx Limited, http://www.prevx1.com/) ZwCreateSection [0xF74158FB]
SSDT pxfsf.sys (PREVX Security Agent for Windows/Prevx Limited, http://www.prevx1.com/) ZwCreateSemaphore [0xF7415905]
SSDT pxfsf.sys (PREVX Security Agent for Windows/Prevx Limited, http://www.prevx1.com/) ZwCreateSymbolicLinkObject [0xF741590F]
SSDT pxfsf.sys (PREVX Security Agent for Windows/Prevx Limited, http://www.prevx1.com/) ZwCreateThread [0xF7415919]
SSDT pxfsf.sys (PREVX Security Agent for Windows/Prevx Limited, http://www.prevx1.com/) ZwCreateTimer [0xF7415923]
SSDT pxfsf.sys (PREVX Security Agent for Windows/Prevx Limited, http://www.prevx1.com/) ZwCreateToken [0xF741592D]
SSDT pxfsf.sys (PREVX Security Agent for Windows/Prevx Limited, http://www.prevx1.com/) ZwDeleteFile [0xF7415937]
SSDT pxfsf.sys (PREVX Security Agent for Windows/Prevx Limited, http://www.prevx1.com/) ZwDeleteKey [0xF7415941]
SSDT pxfsf.sys (PREVX Security Agent for Windows/Prevx Limited, http://www.prevx1.com/) ZwDeleteValueKey [0xF741594B]
SSDT pxfsf.sys (PREVX Security Agent for Windows/Prevx Limited, http://www.prevx1.com/) ZwDeviceIoControlFile [0xF7415955]
SSDT pxfsf.sys (PREVX Security Agent for Windows/Prevx Limited, http://www.prevx1.com/) ZwDuplicateObject [0xF741595F]
SSDT pxfsf.sys (PREVX Security Agent for Windows/Prevx Limited, http://www.prevx1.com/) ZwEnumerateKey [0xF7415969]
SSDT pxfsf.sys (PREVX Security Agent for Windows/Prevx Limited, http://www.prevx1.com/) ZwEnumerateValueKey [0xF7415973]
SSDT pxfsf.sys (PREVX Security Agent for Windows/Prevx Limited, http://www.prevx1.com/) ZwFreeUserPhysicalPages [0xF741597D]
SSDT pxfsf.sys (PREVX Security Agent for Windows/Prevx Limited, http://www.prevx1.com/) ZwFreeVirtualMemory [0xF7415987]
SSDT pxfsf.sys (PREVX Security Agent for Windows/Prevx Limited, http://www.prevx1.com/) ZwImpersonateAnonymousToken [0xF7415991]
SSDT pxfsf.sys (PREVX Security Agent for Windows/Prevx Limited, http://www.prevx1.com/) ZwImpersonateThread [0xF741599B]
SSDT pxfsf.sys (PREVX Security Agent for Windows/Prevx Limited, http://www.prevx1.com/) ZwLoadDriver [0xF74159A5]
SSDT pxfsf.sys (PREVX Security Agent for Windows/Prevx Limited, http://www.prevx1.com/) ZwLoadKey [0xF74159AF]
SSDT pxfsf.sys (PREVX Security Agent for Windows/Prevx Limited, http://www.prevx1.com/) ZwLoadKey2 [0xF74159B9]
SSDT pxfsf.sys (PREVX Security Agent for Windows/Prevx Limited, http://www.prevx1.com/) ZwLockRegistryKey [0xF74159C3]
SSDT pxfsf.sys (PREVX Security Agent for Windows/Prevx Limited, http://www.prevx1.com/) ZwLockVirtualMemory [0xF74159CD]
SSDT pxfsf.sys (PREVX Security Agent for Windows/Prevx Limited, http://www.prevx1.com/) ZwMapViewOfSection [0xF74159D7]
SSDT pxfsf.sys (PREVX Security Agent for Windows/Prevx Limited, http://www.prevx1.com/) ZwOpenFile [0xF74159E1]
SSDT pxfsf.sys (PREVX Security Agent for Windows/Prevx Limited, http://www.prevx1.com/) ZwOpenKey [0xF74159EB]
SSDT pxfsf.sys (PREVX Security Agent for Windows/Prevx Limited, http://www.prevx1.com/) ZwOpenProcess [0xF74159F5]
SSDT pxfsf.sys (PREVX Security Agent for Windows/Prevx Limited, http://www.prevx1.com/) ZwOpenProcessToken [0xF74159FF]
SSDT pxfsf.sys (PREVX Security Agent for Windows/Prevx Limited, http://www.prevx1.com/) ZwOpenSection [0xF7415A09]
SSDT pxfsf.sys (PREVX Security Agent for Windows/Prevx Limited, http://www.prevx1.com/) ZwOpenThread [0xF7415A13]
SSDT pxfsf.sys (PREVX Security Agent for Windows/Prevx Limited, http://www.prevx1.com/) ZwOpenThreadToken [0xF7415A1D]
SSDT pxfsf.sys (PREVX Security Agent for Windows/Prevx Limited, http://www.prevx1.com/) ZwProtectVirtualMemory [0xF7415A27]
SSDT pxfsf.sys (PREVX Security Agent for Windows/Prevx Limited, http://www.prevx1.com/) ZwQueryInformationProcess [0xF7415A31]
SSDT pxfsf.sys (PREVX Security Agent for Windows/Prevx Limited, http://www.prevx1.com/) ZwQueryInformationThread [0xF7415A3B]
SSDT pxfsf.sys (PREVX Security Agent for Windows/Prevx Limited, http://www.prevx1.com/) ZwQueryKey [0xF7415A45]
SSDT pxfsf.sys (PREVX Security Agent for Windows/Prevx Limited, http://www.prevx1.com/) ZwQueryMultipleValueKey [0xF7415A4F]
SSDT pxfsf.sys (PREVX Security Agent for Windows/Prevx Limited, http://www.prevx1.com/) ZwQueryOpenSubKeys [0xF7415A59]
SSDT pxfsf.sys (PREVX Security Agent for Windows/Prevx Limited, http://www.prevx1.com/) ZwQueryValueKey [0xF7415A63]
SSDT pxfsf.sys (PREVX Security Agent for Windows/Prevx Limited, http://www.prevx1.com/) ZwQueueApcThread [0xF7415A6D]
SSDT pxfsf.sys (PREVX Security Agent for Windows/Prevx Limited, http://www.prevx1.com/) ZwReadFile [0xF7415A77]
SSDT pxfsf.sys (PREVX Security Agent for Windows/Prevx Limited, http://www.prevx1.com/) ZwReadVirtualMemory [0xF7415A81]
SSDT pxfsf.sys (PREVX Security Agent for Windows/Prevx Limited, http://www.prevx1.com/) ZwRenameKey [0xF7415A8B]
SSDT pxfsf.sys (PREVX Security Agent for Windows/Prevx Limited, http://www.prevx1.com/) ZwReplaceKey [0xF7415A95]
SSDT pxfsf.sys (PREVX Security Agent for Windows/Prevx Limited, http://www.prevx1.com/) ZwRestoreKey [0xF7415A9F]
SSDT pxfsf.sys (PREVX Security Agent for Windows/Prevx Limited, http://www.prevx1.com/) ZwResumeProcess [0xF7415AA9]
SSDT pxfsf.sys (PREVX Security Agent for Windows/Prevx Limited, http://www.prevx1.com/) ZwResumeThread [0xF7415AB3]
SSDT pxfsf.sys (PREVX Security Agent for Windows/Prevx Limited, http://www.prevx1.com/) ZwSaveKey [0xF7415ABD]
SSDT pxfsf.sys (PREVX Security Agent for Windows/Prevx Limited, http://www.prevx1.com/) ZwSaveKeyEx [0xF7415AC7]
SSDT pxfsf.sys (PREVX Security Agent for Windows/Prevx Limited, http://www.prevx1.com/) ZwSaveMergedKeys [0xF7415AD1]
SSDT pxfsf.sys (PREVX Security Agent for Windows/Prevx Limited, http://www.prevx1.com/) ZwSetContextThread [0xF7415ADB]
SSDT pxfsf.sys (PREVX Security Agent for Windows/Prevx Limited, http://www.prevx1.com/) ZwSetInformationKey [0xF7415AE5]
SSDT pxfsf.sys (PREVX Security Agent for Windows/Prevx Limited, http://www.prevx1.com/) ZwSetInformationProcess [0xF7415AEF]
SSDT pxfsf.sys (PREVX Security Agent for Windows/Prevx Limited, http://www.prevx1.com/) ZwSetInformationThread [0xF7415AF9]
SSDT pxfsf.sys (PREVX Security Agent for Windows/Prevx Limited, http://www.prevx1.com/) ZwSetSystemInformation [0xF7415B03]
SSDT pxfsf.sys (PREVX Security Agent for Windows/Prevx Limited, http://www.prevx1.com/) ZwSetValueKey [0xF7415B0D]
SSDT pxfsf.sys (PREVX Security Agent for Windows/Prevx Limited, http://www.prevx1.com/) ZwSuspendProcess [0xF7415B17]
SSDT pxfsf.sys (PREVX Security Agent for Windows/Prevx Limited, http://www.prevx1.com/) ZwSuspendThread [0xF7415B21]
SSDT pxfsf.sys (PREVX Security Agent for Windows/Prevx Limited, http://www.prevx1.com/) ZwSystemDebugControl [0xF7415B2B]
SSDT pxfsf.sys (PREVX Security Agent for Windows/Prevx Limited, http://www.prevx1.com/) ZwTerminateJobObject [0xF7415B35]
SSDT pxfsf.sys (PREVX Security Agent for Windows/Prevx Limited, http://www.prevx1.com/) ZwTerminateProcess [0xF7415B3F]
SSDT pxfsf.sys (PREVX Security Agent for Windows/Prevx Limited, http://www.prevx1.com/) ZwTerminateThread [0xF7415B49]
SSDT pxfsf.sys (PREVX Security Agent for Windows/Prevx Limited, http://www.prevx1.com/) ZwUnloadDriver [0xF7415B53]
SSDT pxfsf.sys (PREVX Security Agent for Windows/Prevx Limited, http://www.prevx1.com/) ZwUnloadKey [0xF7415B5D]
SSDT pxfsf.sys (PREVX Security Agent for Windows/Prevx Limited, http://www.prevx1.com/) ZwUnloadKeyEx [0xF7415B67]
SSDT pxfsf.sys (PREVX Security Agent for Windows/Prevx Limited, http://www.prevx1.com/) ZwUnlockVirtualMemory [0xF7415B71]
SSDT pxfsf.sys (PREVX Security Agent for Windows/Prevx Limited, http://www.prevx1.com/) ZwUnmapViewOfSection [0xF7415B7B]
SSDT pxfsf.sys (PREVX Security Agent for Windows/Prevx Limited, http://www.prevx1.com/) ZwWriteFile [0xF7415B85]
SSDT pxfsf.sys (PREVX Security Agent for Windows/Prevx Limited, http://www.prevx1.com/) ZwWriteVirtualMemory [0xF7415B8F]

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!ZwYieldExecution + FE 804E4958 24 Bytes [79, 58, 41, F7, 83, 58, 41, ...]
.text ntoskrnl.exe!ZwYieldExecution + 11A 804E4974 16 Bytes [B5, 58, 41, F7, BF, 58, 41, ...]
.text ntoskrnl.exe!ZwYieldExecution + 12E 804E4988 12 Bytes [DD, 58, 41, F7, E7, 58, 41, ...]
.text ntoskrnl.exe!ZwYieldExecution + 13E 804E4998 24 Bytes [FB, 58, 41, F7, 05, 59, 41, ...]
.text ntoskrnl.exe!ZwYieldExecution + 1FA 804E4A54 12 Bytes [A5, 59, 41, F7, AF, 59, 41, ...]
.text ...
? npuxdkjt.sys The system cannot find the file specified. !
? nulgnaf.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\Explorer.EXE[136] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B6000A
.text C:\WINDOWS\Explorer.EXE[136] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00C4000A
.text C:\WINDOWS\Explorer.EXE[136] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B5000C
.text C:\WINDOWS\system32\svchost.exe[1060] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0098000A
.text C:\WINDOWS\system32\svchost.exe[1060] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0099000A
.text C:\WINDOWS\system32\svchost.exe[1060] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0097000C
.text C:\WINDOWS\system32\svchost.exe[1060] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 0087000A
.text C:\WINDOWS\system32\svchost.exe[1060] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 0086000A

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs pxfsf.sys (PREVX Security Agent for Windows/Prevx Limited, http://www.prevx1.com/)
AttachedDevice \FileSystem\Fastfat \Fat pxfsf.sys (PREVX Security Agent for Windows/Prevx Limited, http://www.prevx1.com/)

Device -> \Driver\atapi \Device\Harddisk0\DR0 85A13AC8

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\msqpdxserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet001\Services\msqpdxserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet001\Services\msqpdxserv.sys@imagepath \systemroot\system32\drivers\msqpdxijdbrisd.sys
Reg HKLM\SYSTEM\ControlSet001\Services\msqpdxserv.sys@group file system
Reg HKLM\SYSTEM\ControlSet001\Services\msqpdxserv.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\msqpdxserv.sys\modules@msqpdxserv
Reg HKLM\SYSTEM\ControlSet001\Services\msqpdxserv.sys\modules@msqpdxl
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@cd042efbbd7f7af1647644e76e06692b 0xC8 0x28 0x51 0xAF ...
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@bca643cdc5c2726b20d2ecedcc62c59b 0x6A 0x9C 0xD6 0x61 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@2c81e34222e8052573023a60d06dd016 0x25 0xDA 0xEC 0x7E ...
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@2582ae41fb52324423be06337561aa48 0x3E 0x1E 0x9E 0xE0 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@caaeda5fd7a9ed7697d9686d4b818472 0xCD 0x44 0xCD 0xB9 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@a4a1bcf2cc2b8bc3716b74b2b4522f5d 0xB0 0x18 0xED 0xA7 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@4d370831d2c43cd13623e232fed27b7b 0x31 0x77 0xE1 0xBA ...
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@1d68fe701cdea33e477eb204b76f993d 0x01 0x3A 0x48 0xFC ...
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@1fac81b91d8e3c5aa4b0a51804d844a3 0xB2 0x46 0x9A 0xE2 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@f5f62a6129303efb32fbe080bb27835b 0xB1 0xCD 0x45 0x5A ...
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@fd4e2e1a3940b94dceb5a6a021f2e3c6 0xE3 0x0E 0x66 0xD5 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@8a8aec57dd6508a385616fbc86791ec2 0x6C 0x43 0x2D 0x1E ...

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----


#4 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:02:42 PM

Posted 15 April 2010 - 04:12 AM

The Gmer log shows that a system file has been modified. This is the TDSS rootkit's calling card, so we need to see which variant we are dealing with.

Please download ComboFix from one of these locations:
IMPORTANT !!! Save ComboFix.exe to your Desktop, making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
m0le is a proud member of UNITE

#5 concept

concept
  • Topic Starter

  • Members
  • 67 posts
  • OFFLINE
  •  
  • Local time:10:42 AM

Posted 15 April 2010 - 11:39 AM

Combofix log

Attached Files



#6 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:02:42 PM

Posted 15 April 2010 - 04:00 PM

Please rerun Combofix with the following instructions:

1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

CODE
RenV::
c:\program files\AIM7\aim .exe
c:\program files\CCleaner\ccleaner .exe
c:\program files\Common Files\AOL\IPHSend\IPHSend .exe
c:\program files\Common Files\InstallShield\UpdateService\issch .exe
c:\program files\Common Files\Java\Java Update\jusched .exe
c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper .exe
c:\program files\Common Files\Real\Update_OB\realsched .exe
c:\program files\Creative\SBLive\Program\ADGJDet .exe
c:\program files\Digital Media Reader\readericon45G .exe
c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
c:\program files\iTunes\iTunesHelper .exe
c:\program files\Logitech\QuickCam\Quickcam .exe
c:\program files\Malwarebytes' Anti-Malware\mbamgui .exe
c:\program files\Nuance\NaturallySpeaking9\Ereg\Ereg .exe
c:\program files\QuickTime\QTTask   .exe
c:\program files\QuickTime\QTTask  .exe
c:\program files\QuickTime\QTTask .exe
c:\program files\Skype\Phone\Skype .exe
c:\windows\ehome\ehtray .exe

AtJob::


Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


Now please run Gmer again
m0le is a proud member of UNITE
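The RenV:: section of the script above lists executables whose names carry a space before the extension (aim .exe, QTTask   .exe). The Python below is an added example, not ComboFix code and not anything m0le posted: it scans a directory tree for that naming pattern and returns the same RenV:: block layout from what it finds, so a helper can build the script from a listing instead of by hand. It renames nothing; ComboFix does that. The extensions beyond .exe and the temporary sample tree in demo() are my assumptions.

```python
import os
import re
import tempfile

# A base name, then whitespace, then the extension: "iTunesHelper .exe", "QTTask   .exe".
# Assumption (generalising from the .exe-only list in the script above): the other
# extensions here deserve the same check.
PADDED_EXT_RE = re.compile(r"\S\s+\.(exe|dll|scr|com)$", re.IGNORECASE)


def is_space_padded(path):
    """True for a file whose name has whitespace between base name and extension."""
    return PADDED_EXT_RE.search(os.path.basename(path)) is not None


def find_space_padded(paths):
    """Filter an iterable of paths (e.g. a saved directory listing) to the padded ones."""
    return sorted(p for p in paths if is_space_padded(p))


def scan_tree(root):
    """Walk a directory tree and collect every space-padded executable under it."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        hits.extend(os.path.join(dirpath, n) for n in files if is_space_padded(n))
    return sorted(hits)


def build_renv_script(paths):
    """Emit a RenV:: block in the CFScript layout used in the thread, one path per line."""
    return "RenV::\n" + "".join(p + "\n" for p in paths)


def demo():
    """Build a constructed sample tree in a temporary directory and scan it
    (constructed names, not the poster's disk); returns paths relative to the root."""
    sample = ("iTunes/iTunesHelper .exe", "iTunes/iTunesHelper.exe",
              "QuickTime/QTTask   .exe", "Skype/Phone/readme .txt")
    with tempfile.TemporaryDirectory() as root:
        for rel in sample:
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            open(full, "wb").close()
        return [os.path.relpath(h, root) for h in scan_tree(root)]


if __name__ == "__main__":
    print(build_renv_script(demo()))
```

A run over a real tree would be `build_renv_script(scan_tree(r"C:\Program Files"))`; check the output against the legitimate copy of each program before handing it to ComboFix, because a file named `name .exe` beside `name.exe` is only worth renaming when the padded one is the original and the unpadded one is the replacement.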

#7 concept

concept
  • Topic Starter

  • Members
  • 67 posts
  • OFFLINE
  •  
  • Local time:10:42 AM

Posted 16 April 2010 - 02:57 PM

combo log

Attached Files



#8 concept

concept
  • Topic Starter

  • Members
  • 67 posts
  • OFFLINE
  •  
  • Local time:10:42 AM

Posted 16 April 2010 - 04:04 PM

GMER 1.0.15.15252 - http://www.gmer.net
Rootkit scan 2010-04-16 17:04:20
Windows 5.1.2600 Service Pack 3
Running: tqjfwryi.exe; Driver: C:\DOCUME~1\Owner.FMO\LOCALS~1\Temp\pxtdypob.sys


---- System - GMER 1.0.15 ----

SSDT pxfsf.sys (PREVX Security Agent for Windows/Prevx Limited, http://www.prevx1.com/) ZwAlertResumeThread [0xF741583D]
SSDT pxfsf.sys (PREVX Security Agent for Windows/Prevx Limited, http://www.prevx1.com/) ZwAllocateUserPhysicalPages [0xF7415847]
SSDT pxfsf.sys (PREVX Security Agent for Windows/Prevx Limited, http://www.prevx1.com/) ZwAllocateVirtualMemory [0xF7415851]
SSDT pxfsf.sys (PREVX Security Agent for Windows/Prevx Limited, http://www.prevx1.com/) ZwClose [0xF741585B]
SSDT pxfsf.sys (PREVX Security Agent for Windows/Prevx Limited, http://www.prevx1.com/) ZwCompactKeys [0xF7415865]
SSDT pxfsf.sys (PREVX Security Agent for Windows/Prevx Limited, http://www.prevx1.com/) ZwCompressKey [0xF741586F]
SSDT pxfsf.sys (PREVX Security Agent for Windows/Prevx Limited, http://www.prevx1.com/) ZwCreateDirectoryObject [0xF7415879]
SSDT pxfsf.sys (PREVX Security Agent for Windows/Prevx Limited, http://www.prevx1.com/) ZwCreateEvent [0xF7415883]
SSDT pxfsf.sys (PREVX Security Agent for Windows/Prevx Limited, http://www.prevx1.com/) ZwCreateEventPair [0xF741588D]
SSDT pxfsf.sys (PREVX Security Agent for Windows/Prevx Limited, http://www.prevx1.com/) ZwCreateFile [0xF7415897]
SSDT pxfsf.sys (PREVX Security Agent for Windows/Prevx Limited, http://www.prevx1.com/) ZwCreateIoCompletion [0xF74158A1]
SSDT pxfsf.sys (PREVX Security Agent for Windows/Prevx Limited, http://www.prevx1.com/) ZwCreateJobObject [0xF74158AB]
SSDT pxfsf.sys (PREVX Security Agent for Windows/Prevx Limited, http://www.prevx1.com/) ZwCreateKey [0xF74158B5]
SSDT pxfsf.sys (PREVX Security Agent for Windows/Prevx Limited, http://www.prevx1.com/) ZwCreateMailslotFile [0xF74158BF]
SSDT pxfsf.sys (PREVX Security Agent for Windows/Prevx Limited, http://www.prevx1.com/) ZwCreateMutant [0xF74158C9]
SSDT pxfsf.sys (PREVX Security Agent for Windows/Prevx Limited, http://www.prevx1.com/) ZwCreateNamedPipeFile [0xF74158D3]
SSDT pxfsf.sys (PREVX Security Agent for Windows/Prevx Limited, http://www.prevx1.com/) ZwCreatePort [0xF74158DD]
SSDT pxfsf.sys (PREVX Security Agent for Windows/Prevx Limited, http://www.prevx1.com/) ZwCreateProcess [0xF74158E7]
SSDT pxfsf.sys (PREVX Security Agent for Windows/Prevx Limited, http://www.prevx1.com/) ZwCreateProcessEx [0xF74158F1]
SSDT pxfsf.sys (PREVX Security Agent for Windows/Prevx Limited, http://www.prevx1.com/) ZwCreateSection [0xF74158FB]
SSDT pxfsf.sys (PREVX Security Agent for Windows/Prevx Limited, http://www.prevx1.com/) ZwCreateSemaphore [0xF7415905]
SSDT pxfsf.sys (PREVX Security Agent for Windows/Prevx Limited, http://www.prevx1.com/) ZwCreateSymbolicLinkObject [0xF741590F]
SSDT pxfsf.sys (PREVX Security Agent for Windows/Prevx Limited, http://www.prevx1.com/) ZwCreateThread [0xF7415919]
SSDT pxfsf.sys (PREVX Security Agent for Windows/Prevx Limited, http://www.prevx1.com/) ZwCreateTimer [0xF7415923]
SSDT pxfsf.sys (PREVX Security Agent for Windows/Prevx Limited, http://www.prevx1.com/) ZwCreateToken [0xF741592D]
SSDT pxfsf.sys (PREVX Security Agent for Windows/Prevx Limited, http://www.prevx1.com/) ZwDeleteFile [0xF7415937]
SSDT pxfsf.sys (PREVX Security Agent for Windows/Prevx Limited, http://www.prevx1.com/) ZwDeleteKey [0xF7415941]
SSDT pxfsf.sys (PREVX Security Agent for Windows/Prevx Limited, http://www.prevx1.com/) ZwDeleteValueKey [0xF741594B]
SSDT pxfsf.sys (PREVX Security Agent for Windows/Prevx Limited, http://www.prevx1.com/) ZwDeviceIoControlFile [0xF7415955]
SSDT pxfsf.sys (PREVX Security Agent for Windows/Prevx Limited, http://www.prevx1.com/) ZwDuplicateObject [0xF741595F]
SSDT pxfsf.sys (PREVX Security Agent for Windows/Prevx Limited, http://www.prevx1.com/) ZwEnumerateKey [0xF7415969]
SSDT pxfsf.sys (PREVX Security Agent for Windows/Prevx Limited, http://www.prevx1.com/) ZwEnumerateValueKey [0xF7415973]
SSDT pxfsf.sys (PREVX Security Agent for Windows/Prevx Limited, http://www.prevx1.com/) ZwFreeUserPhysicalPages [0xF741597D]
SSDT pxfsf.sys (PREVX Security Agent for Windows/Prevx Limited, http://www.prevx1.com/) ZwFreeVirtualMemory [0xF7415987]
SSDT pxfsf.sys (PREVX Security Agent for Windows/Prevx Limited, http://www.prevx1.com/) ZwImpersonateAnonymousToken [0xF7415991]
SSDT pxfsf.sys (PREVX Security Agent for Windows/Prevx Limited, http://www.prevx1.com/) ZwImpersonateThread [0xF741599B]
SSDT pxfsf.sys (PREVX Security Agent for Windows/Prevx Limited, http://www.prevx1.com/) ZwLoadDriver [0xF74159A5]
SSDT pxfsf.sys (PREVX Security Agent for Windows/Prevx Limited, http://www.prevx1.com/) ZwLoadKey [0xF74159AF]
SSDT pxfsf.sys (PREVX Security Agent for Windows/Prevx Limited, http://www.prevx1.com/) ZwLoadKey2 [0xF74159B9]
SSDT pxfsf.sys (PREVX Security Agent for Windows/Prevx Limited, http://www.prevx1.com/) ZwLockRegistryKey [0xF74159C3]
SSDT pxfsf.sys (PREVX Security Agent for Windows/Prevx Limited, http://www.prevx1.com/) ZwLockVirtualMemory [0xF74159CD]
SSDT pxfsf.sys (PREVX Security Agent for Windows/Prevx Limited, http://www.prevx1.com/) ZwMapViewOfSection [0xF74159D7]
SSDT pxfsf.sys (PREVX Security Agent for Windows/Prevx Limited, http://www.prevx1.com/) ZwOpenFile [0xF74159E1]
SSDT pxfsf.sys (PREVX Security Agent for Windows/Prevx Limited, http://www.prevx1.com/) ZwOpenKey [0xF74159EB]
SSDT pxfsf.sys (PREVX Security Agent for Windows/Prevx Limited, http://www.prevx1.com/) ZwOpenProcess [0xF74159F5]
SSDT pxfsf.sys (PREVX Security Agent for Windows/Prevx Limited, http://www.prevx1.com/) ZwOpenProcessToken [0xF74159FF]
SSDT pxfsf.sys (PREVX Security Agent for Windows/Prevx Limited, http://www.prevx1.com/) ZwOpenSection [0xF7415A09]
SSDT pxfsf.sys (PREVX Security Agent for Windows/Prevx Limited, http://www.prevx1.com/) ZwOpenThread [0xF7415A13]
SSDT pxfsf.sys (PREVX Security Agent for Windows/Prevx Limited, http://www.prevx1.com/) ZwOpenThreadToken [0xF7415A1D]
SSDT pxfsf.sys (PREVX Security Agent for Windows/Prevx Limited, http://www.prevx1.com/) ZwProtectVirtualMemory [0xF7415A27]
SSDT pxfsf.sys (PREVX Security Agent for Windows/Prevx Limited, http://www.prevx1.com/) ZwQueryInformationProcess [0xF7415A31]
SSDT pxfsf.sys (PREVX Security Agent for Windows/Prevx Limited, http://www.prevx1.com/) ZwQueryInformationThread [0xF7415A3B]
SSDT pxfsf.sys (PREVX Security Agent for Windows/Prevx Limited, http://www.prevx1.com/) ZwQueryKey [0xF7415A45]
SSDT pxfsf.sys (PREVX Security Agent for Windows/Prevx Limited, http://www.prevx1.com/) ZwQueryMultipleValueKey [0xF7415A4F]
SSDT pxfsf.sys (PREVX Security Agent for Windows/Prevx Limited, http://www.prevx1.com/) ZwQueryOpenSubKeys [0xF7415A59]
SSDT pxfsf.sys (PREVX Security Agent for Windows/Prevx Limited, http://www.prevx1.com/) ZwQueryValueKey [0xF7415A63]
SSDT pxfsf.sys (PREVX Security Agent for Windows/Prevx Limited, http://www.prevx1.com/) ZwQueueApcThread [0xF7415A6D]
SSDT pxfsf.sys (PREVX Security Agent for Windows/Prevx Limited, http://www.prevx1.com/) ZwReadFile [0xF7415A77]
SSDT pxfsf.sys (PREVX Security Agent for Windows/Prevx Limited, http://www.prevx1.com/) ZwReadVirtualMemory [0xF7415A81]
SSDT pxfsf.sys (PREVX Security Agent for Windows/Prevx Limited, http://www.prevx1.com/) ZwRenameKey [0xF7415A8B]
SSDT pxfsf.sys (PREVX Security Agent for Windows/Prevx Limited, http://www.prevx1.com/) ZwReplaceKey [0xF7415A95]
SSDT pxfsf.sys (PREVX Security Agent for Windows/Prevx Limited, http://www.prevx1.com/) ZwRestoreKey [0xF7415A9F]
SSDT pxfsf.sys (PREVX Security Agent for Windows/Prevx Limited, http://www.prevx1.com/) ZwResumeProcess [0xF7415AA9]
SSDT pxfsf.sys (PREVX Security Agent for Windows/Prevx Limited, http://www.prevx1.com/) ZwResumeThread [0xF7415AB3]
SSDT pxfsf.sys (PREVX Security Agent for Windows/Prevx Limited, http://www.prevx1.com/) ZwSaveKey [0xF7415ABD]
SSDT pxfsf.sys (PREVX Security Agent for Windows/Prevx Limited, http://www.prevx1.com/) ZwSaveKeyEx [0xF7415AC7]
SSDT pxfsf.sys (PREVX Security Agent for Windows/Prevx Limited, http://www.prevx1.com/) ZwSaveMergedKeys [0xF7415AD1]
SSDT pxfsf.sys (PREVX Security Agent for Windows/Prevx Limited, http://www.prevx1.com/) ZwSetContextThread [0xF7415ADB]
SSDT pxfsf.sys (PREVX Security Agent for Windows/Prevx Limited, http://www.prevx1.com/) ZwSetInformationKey [0xF7415AE5]
SSDT pxfsf.sys (PREVX Security Agent for Windows/Prevx Limited, http://www.prevx1.com/) ZwSetInformationProcess [0xF7415AEF]
SSDT pxfsf.sys (PREVX Security Agent for Windows/Prevx Limited, http://www.prevx1.com/) ZwSetInformationThread [0xF7415AF9]
SSDT pxfsf.sys (PREVX Security Agent for Windows/Prevx Limited, http://www.prevx1.com/) ZwSetSystemInformation [0xF7415B03]
SSDT pxfsf.sys (PREVX Security Agent for Windows/Prevx Limited, http://www.prevx1.com/) ZwSetValueKey [0xF7415B0D]
SSDT pxfsf.sys (PREVX Security Agent for Windows/Prevx Limited, http://www.prevx1.com/) ZwSuspendProcess [0xF7415B17]
SSDT pxfsf.sys (PREVX Security Agent for Windows/Prevx Limited, http://www.prevx1.com/) ZwSuspendThread [0xF7415B21]
SSDT pxfsf.sys (PREVX Security Agent for Windows/Prevx Limited, http://www.prevx1.com/) ZwSystemDebugControl [0xF7415B2B]
SSDT pxfsf.sys (PREVX Security Agent for Windows/Prevx Limited, http://www.prevx1.com/) ZwTerminateJobObject [0xF7415B35]
SSDT pxfsf.sys (PREVX Security Agent for Windows/Prevx Limited, http://www.prevx1.com/) ZwTerminateProcess [0xF7415B3F]
SSDT pxfsf.sys (PREVX Security Agent for Windows/Prevx Limited, http://www.prevx1.com/) ZwTerminateThread [0xF7415B49]
SSDT pxfsf.sys (PREVX Security Agent for Windows/Prevx Limited, http://www.prevx1.com/) ZwUnloadDriver [0xF7415B53]
SSDT pxfsf.sys (PREVX Security Agent for Windows/Prevx Limited, http://www.prevx1.com/) ZwUnloadKey [0xF7415B5D]
SSDT pxfsf.sys (PREVX Security Agent for Windows/Prevx Limited, http://www.prevx1.com/) ZwUnloadKeyEx [0xF7415B67]
SSDT pxfsf.sys (PREVX Security Agent for Windows/Prevx Limited, http://www.prevx1.com/) ZwUnlockVirtualMemory [0xF7415B71]
SSDT pxfsf.sys (PREVX Security Agent for Windows/Prevx Limited, http://www.prevx1.com/) ZwUnmapViewOfSection [0xF7415B7B]
SSDT pxfsf.sys (PREVX Security Agent for Windows/Prevx Limited, http://www.prevx1.com/) ZwWriteFile [0xF7415B85]
SSDT pxfsf.sys (PREVX Security Agent for Windows/Prevx Limited, http://www.prevx1.com/) ZwWriteVirtualMemory [0xF7415B8F]

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!ZwYieldExecution + FE 804E4958 24 Bytes [79, 58, 41, F7, 83, 58, 41, ...]
.text ntoskrnl.exe!ZwYieldExecution + 11A 804E4974 16 Bytes [B5, 58, 41, F7, BF, 58, 41, ...]
.text ntoskrnl.exe!ZwYieldExecution + 12E 804E4988 12 Bytes [DD, 58, 41, F7, E7, 58, 41, ...]
.text ntoskrnl.exe!ZwYieldExecution + 13E 804E4998 24 Bytes [FB, 58, 41, F7, 05, 59, 41, ...]
.text ntoskrnl.exe!ZwYieldExecution + 1FA 804E4A54 12 Bytes [A5, 59, 41, F7, AF, 59, 41, ...]
.text ...

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\svchost.exe[1060] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0098000A
.text C:\WINDOWS\system32\svchost.exe[1060] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0099000A
.text C:\WINDOWS\system32\svchost.exe[1060] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0097000C
.text C:\WINDOWS\Explorer.EXE[1968] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B6000A
.text C:\WINDOWS\Explorer.EXE[1968] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00C4000A
.text C:\WINDOWS\Explorer.EXE[1968] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B5000C

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs pxfsf.sys (PREVX Security Agent for Windows/Prevx Limited, http://www.prevx1.com/)
AttachedDevice \FileSystem\Fastfat \Fat pxfsf.sys (PREVX Security Agent for Windows/Prevx Limited, http://www.prevx1.com/)

Device \FileSystem\Cdfs \Cdfs F6683400
Device -> \Driver\atapi \Device\Harddisk0\DR0 858C0AC8

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\msqpdxserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet001\Services\msqpdxserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet001\Services\msqpdxserv.sys@imagepath \systemroot\system32\drivers\msqpdxijdbrisd.sys
Reg HKLM\SYSTEM\ControlSet001\Services\msqpdxserv.sys@group file system
Reg HKLM\SYSTEM\ControlSet001\Services\msqpdxserv.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\msqpdxserv.sys\modules@msqpdxserv
Reg HKLM\SYSTEM\ControlSet001\Services\msqpdxserv.sys\modules@msqpdxl
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@cd042efbbd7f7af1647644e76e06692b 0xC8 0x28 0x51 0xAF ...
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@bca643cdc5c2726b20d2ecedcc62c59b 0x6A 0x9C 0xD6 0x61 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@2c81e34222e8052573023a60d06dd016 0x25 0xDA 0xEC 0x7E ...
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@2582ae41fb52324423be06337561aa48 0x3E 0x1E 0x9E 0xE0 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@caaeda5fd7a9ed7697d9686d4b818472 0xCD 0x44 0xCD 0xB9 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@a4a1bcf2cc2b8bc3716b74b2b4522f5d 0xB0 0x18 0xED 0xA7 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@4d370831d2c43cd13623e232fed27b7b 0x31 0x77 0xE1 0xBA ...
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@1d68fe701cdea33e477eb204b76f993d 0x01 0x3A 0x48 0xFC ...
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@1fac81b91d8e3c5aa4b0a51804d844a3 0xB2 0x46 0x9A 0xE2 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@f5f62a6129303efb32fbe080bb27835b 0xB1 0xCD 0x45 0x5A ...
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@fd4e2e1a3940b94dceb5a6a021f2e3c6 0xE3 0x0E 0x66 0xD5 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@8a8aec57dd6508a385616fbc86791ec2 0x6C 0x43 0x2D 0x1E ...

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----

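m0le reads the atapi.sys "suspicious modification" line as the TDSS calling card, and the log above also shows a `Device ->` entry for the boot disk, a hidden msqpdxserv.sys service key and inline JMP hooks inside svchost.exe and Explorer.EXE. The Python below is an added example, not part of the thread and not GMER's or the UNITE team's code: it parses a GMER log section by section, turns each reported line into a finding with a severity, and summarises them, so the same reading can be applied to a log mechanically. The allow-list of security-product modules, the severity levels, and my reading of what GMER's Registry section and "->" marker mean are assumptions; the sample log is a condensed copy of the line shapes in the logs above.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Allow-list of security-product modules that legitimately hook the SSDT and attach
# to file systems.  Assumption: the analyst maintains this list; pxfsf.sys is on it
# only because GMER itself attributes it to Prevx in the log.
KNOWN_SECURITY_MODULES = {"pxfsf.sys"}

# Constructed sample: a condensed copy of the line shapes in the thread's GMER logs.
SAMPLE_GMER_LOG = r"""
---- System - GMER 1.0.15 ----
SSDT pxfsf.sys (PREVX Security Agent for Windows/Prevx Limited, http://www.prevx1.com/) ZwCreateFile [0xF7415897]
---- Kernel code sections - GMER 1.0.15 ----
.text ntoskrnl.exe!ZwYieldExecution + FE 804E4958 24 Bytes [79, 58, 41, F7, 83, 58, 41, ...]
? npuxdkjt.sys The system cannot find the file specified. !
---- User code sections - GMER 1.0.15 ----
.text C:\WINDOWS\system32\svchost.exe[1060] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0098000A
.text C:\WINDOWS\system32\svchost.exe[1060] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0099000A
.text C:\WINDOWS\Explorer.EXE[1968] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B6000A
---- Devices - GMER 1.0.15 ----
AttachedDevice \FileSystem\Ntfs \Ntfs pxfsf.sys (PREVX Security Agent for Windows/Prevx Limited, http://www.prevx1.com/)
Device -> \Driver\atapi \Device\Harddisk0\DR0 858C0AC8
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\ControlSet001\Services\msqpdxserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet001\Services\msqpdxserv.sys@imagepath \systemroot\system32\drivers\msqpdxijdbrisd.sys
---- Files - GMER 1.0.15 ----
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification
---- EOF - GMER 1.0.15 ----
"""

SECTION = re.compile(r"^---- (.+?) - GMER")
SSDT = re.compile(r"^SSDT\s+(\S+)(?:\s+\((.*?)\))?\s+(Zw\w+)\s+\[(0x[0-9A-Fa-f]+)\]")
NO_FILE = re.compile(r"^\?\s+(\S+)\s+The system cannot find the file specified")
KPATCH = re.compile(r"^\.text\s+(\S+!\w+)\s+\+\s+([0-9A-F]+)\s+[0-9A-F]+\s+(\d+) Bytes")
UHOOK = re.compile(r"^\.text\s+(.+?\[\d+\])\s+(\S+!\w+)\s+[0-9A-F]+\s+\d+ Bytes JMP ([0-9A-F]+)")
ATTACHED = re.compile(r"^AttachedDevice\s+\S+\s+(\S+)\s+(\S+)")
REDIRECTED = re.compile(r"^Device ->\s+(\S+)\s+(\S+)\s+([0-9A-F]+)")
HIDDEN_SVC = re.compile(r"^Reg\s+HKLM\\SYSTEM\\ControlSet\d+\\Services\\([^\\@]+)@imagepath\s+(\S+)", re.I)
MODIFIED = re.compile(r"^File\s+(.+?)\s+suspicious modification")


@dataclass(frozen=True)
class Finding:
    severity: str  # "info", "medium" or "high"
    category: str
    subject: str
    detail: str


def parse_gmer(text):
    """Walk the log section by section and turn each reported line into a Finding."""
    findings, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := SECTION.match(line):
            section = m.group(1)
        elif section == "System" and (m := SSDT.match(line)):
            module, _desc, func, addr = m.groups()
            known = module.lower() in KNOWN_SECURITY_MODULES
            findings.append(Finding("info" if known else "high",
                                    "ssdt-hook-known" if known else "ssdt-hook-unknown", func, f"{module} {addr}"))
        elif section == "Kernel code sections" and (m := NO_FILE.match(line)):
            # A module present in kernel memory but with no backing file on disk.
            findings.append(Finding("high", "kernel-module-no-file", m.group(1), line))
        elif section == "Kernel code sections" and (m := KPATCH.match(line)):
            # Patched bytes inside ntoskrnl; often the SSDT table itself when a security
            # product hooks it, so correlate with the SSDT entries before escalating.
            findings.append(Finding("medium", "kernel-code-patch", f"{m.group(1)}+{m.group(2)}", f"{m.group(3)} bytes"))
        elif section == "User code sections" and (m := UHOOK.match(line)):
            findings.append(Finding("medium", "user-inline-hook", m.group(1), f"{m.group(2)} JMP {m.group(3)}"))
        elif section == "Devices" and (m := ATTACHED.match(line)):
            known = m.group(2).lower() in KNOWN_SECURITY_MODULES
            findings.append(Finding("info" if known else "medium", "fs-filter-attached", m.group(2), m.group(1)))
        elif section == "Devices" and (m := REDIRECTED.match(line)):
            # My reading of GMER's "->": the device's driver object does not match the
            # expected image; on the boot disk that is the classic TDSS sign.
            findings.append(Finding("high", "device-driver-redirected", m.group(2), f"{m.group(1)} {m.group(3)}"))
        elif section == "Registry" and (m := HIDDEN_SVC.match(line)):
            # Assumption: entries GMER lists in this section are ones it considers hidden;
            # a hidden service with an image path is a driver load the API would not show.
            findings.append(Finding("high", "hidden-service", m.group(1), m.group(2)))
        elif section == "Files" and (m := MODIFIED.match(line)):
            findings.append(Finding("high", "system-file-modified", m.group(1), line))
    return findings


def severity_summary(findings):
    return dict(Counter(f.severity for f in findings))


def hooked_processes(findings):
    """Inline-hook count per process: several ntdll hooks in one process that jump to
    low, image-less addresses is the pattern of injected code."""
    return dict(Counter(f.subject for f in findings if f.category == "user-inline-hook"))


def needs_rootkit_tooling(findings):
    """True when any high-severity indicator is present (modified disk driver, redirected
    disk device, hidden service): the case that calls for a TDSS-specific tool."""
    return any(f.severity == "high" for f in findings)
```

Run it on a saved log with `parse_gmer(open(path).read())`. The allow-list is the whole point: SSDT hooks and file-system filters from a product GMER can name (here Prevx) are noise to be set aside, while a kernel module with no file on disk, a service key only visible in the hive, a `->` device entry for the boot disk and a modified atapi.sys together are what move the triage from "trojan" to "rootkit tooling", which is the step m0le takes in the next post.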

#9 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:02:42 PM

Posted 16 April 2010 - 04:54 PM

One trojan down, just the rootkit to see off :)

This rootkit removal can take some time so please be patient.

  • Download TDSSKiller and save it to your Desktop.

  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.

  • Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

  • If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to leave the file alone.
  • When it is done, a log file should be created on your C: drive called "TDSSKiller.txt"; please copy and paste the contents of that file here (or attach it).

m0le is a proud member of UNITE

#10 concept

concept
  • Topic Starter

  • Members
  • 67 posts
  • OFFLINE
  •  
  • Local time:10:42 AM

Posted 16 April 2010 - 05:12 PM

18:10:20:812 1144 TDSS rootkit removing tool 2.2.8.1 Mar 22 2010 10:43:04
18:10:20:812 1144 ================================================================================
18:10:20:812 1144 SystemInfo:

18:10:20:812 1144 OS Version: 5.1.2600 ServicePack: 3.0
18:10:20:812 1144 Product type: Workstation
18:10:20:812 1144 ComputerName: FMO
18:10:20:812 1144 UserName: Owner
18:10:20:812 1144 Windows directory: C:\WINDOWS
18:10:20:812 1144 Processor architecture: Intel x86
18:10:20:812 1144 Number of processors: 2
18:10:20:812 1144 Page size: 0x1000
18:10:20:812 1144 Boot type: Safe boot with network
18:10:20:812 1144 ================================================================================
18:10:20:812 1144 UnloadDriverW: NtUnloadDriver error 2
18:10:20:812 1144 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
18:10:20:843 1144 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
18:10:20:843 1144 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
18:10:20:843 1144 wfopen_ex: Trying to KLMD file open
18:10:20:843 1144 wfopen_ex: File opened ok (Flags 2)
18:10:20:843 1144 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
18:10:20:843 1144 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
18:10:20:843 1144 wfopen_ex: Trying to KLMD file open
18:10:20:843 1144 wfopen_ex: File opened ok (Flags 2)
18:10:20:843 1144 Initialize success
18:10:20:843 1144
18:10:20:843 1144 Scanning Services ...
18:10:24:234 1144 Raw services enum returned 427 services
18:10:24:250 1144
18:10:24:250 1144 Scanning Kernel memory ...
18:10:24:250 1144 Devices to scan: 13
18:10:24:250 1144
18:10:24:250 1144 Driver Name: Disk
18:10:24:250 1144 IRP_MJ_CREATE : F76BBBB0
18:10:24:250 1144 IRP_MJ_CREATE_NAMED_PIPE : 804F9759
18:10:24:250 1144 IRP_MJ_CLOSE : F76BBBB0
18:10:24:250 1144 IRP_MJ_READ : F76B5D1F
18:10:24:250 1144 IRP_MJ_WRITE : F76B5D1F
18:10:24:250 1144 IRP_MJ_QUERY_INFORMATION : 804F9759
18:10:24:250 1144 IRP_MJ_SET_INFORMATION : 804F9759
18:10:24:250 1144 IRP_MJ_QUERY_EA : 804F9759
18:10:24:250 1144 IRP_MJ_SET_EA : 804F9759
18:10:24:250 1144 IRP_MJ_FLUSH_BUFFERS : F76B62E2
18:10:24:250 1144 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F9759
18:10:24:250 1144 IRP_MJ_SET_VOLUME_INFORMATION : 804F9759
18:10:24:250 1144 IRP_MJ_DIRECTORY_CONTROL : 804F9759
18:10:24:250 1144 IRP_MJ_FILE_SYSTEM_CONTROL : 804F9759
18:10:24:250 1144 IRP_MJ_DEVICE_CONTROL : F76B63BB
18:10:24:250 1144 IRP_MJ_INTERNAL_DEVICE_CONTROL : F76B9F28
18:10:24:250 1144 IRP_MJ_SHUTDOWN : F76B62E2
18:10:24:250 1144 IRP_MJ_LOCK_CONTROL : 804F9759
18:10:24:250 1144 IRP_MJ_CLEANUP : 804F9759
18:10:24:250 1144 IRP_MJ_CREATE_MAILSLOT : 804F9759
18:10:24:250 1144 IRP_MJ_QUERY_SECURITY : 804F9759
18:10:24:250 1144 IRP_MJ_SET_SECURITY : 804F9759
18:10:24:250 1144 IRP_MJ_POWER : F76B7C82
18:10:24:250 1144 IRP_MJ_SYSTEM_CONTROL : F76BC99E
18:10:24:250 1144 IRP_MJ_DEVICE_CHANGE : 804F9759
18:10:24:250 1144 IRP_MJ_QUERY_QUOTA : 804F9759
18:10:24:250 1144 IRP_MJ_SET_QUOTA : 804F9759
18:10:24:296 1144 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
18:10:24:296 1144
18:10:24:296 1144 Driver Name: Disk
18:10:24:296 1144 IRP_MJ_CREATE : F76BBBB0
18:10:24:296 1144 IRP_MJ_CREATE_NAMED_PIPE : 804F9759
18:10:24:296 1144 IRP_MJ_CLOSE : F76BBBB0
18:10:24:296 1144 IRP_MJ_READ : F76B5D1F
18:10:24:296 1144 IRP_MJ_WRITE : F76B5D1F
18:10:24:296 1144 IRP_MJ_QUERY_INFORMATION : 804F9759
18:10:24:296 1144 IRP_MJ_SET_INFORMATION : 804F9759
18:10:24:296 1144 IRP_MJ_QUERY_EA : 804F9759
18:10:24:296 1144 IRP_MJ_SET_EA : 804F9759
18:10:24:296 1144 IRP_MJ_FLUSH_BUFFERS : F76B62E2
18:10:24:296 1144 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F9759
18:10:24:296 1144 IRP_MJ_SET_VOLUME_INFORMATION : 804F9759
18:10:24:296 1144 IRP_MJ_DIRECTORY_CONTROL : 804F9759
18:10:24:296 1144 IRP_MJ_FILE_SYSTEM_CONTROL : 804F9759
18:10:24:296 1144 IRP_MJ_DEVICE_CONTROL : F76B63BB
18:10:24:296 1144 IRP_MJ_INTERNAL_DEVICE_CONTROL : F76B9F28
18:10:24:296 1144 IRP_MJ_SHUTDOWN : F76B62E2
18:10:24:296 1144 IRP_MJ_LOCK_CONTROL : 804F9759
18:10:24:296 1144 IRP_MJ_CLEANUP : 804F9759
18:10:24:296 1144 IRP_MJ_CREATE_MAILSLOT : 804F9759
18:10:24:296 1144 IRP_MJ_QUERY_SECURITY : 804F9759
18:10:24:296 1144 IRP_MJ_SET_SECURITY : 804F9759
18:10:24:296 1144 IRP_MJ_POWER : F76B7C82
18:10:24:296 1144 IRP_MJ_SYSTEM_CONTROL : F76BC99E
18:10:24:296 1144 IRP_MJ_DEVICE_CHANGE : 804F9759
18:10:24:296 1144 IRP_MJ_QUERY_QUOTA : 804F9759
18:10:24:296 1144 IRP_MJ_SET_QUOTA : 804F9759
18:10:24:296 1144 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
18:10:24:296 1144
18:10:24:296 1144 Driver Name: Disk
18:10:24:296 1144 IRP_MJ_CREATE : F76BBBB0
18:10:24:296 1144 IRP_MJ_CREATE_NAMED_PIPE : 804F9759
18:10:24:296 1144 IRP_MJ_CLOSE : F76BBBB0
18:10:24:296 1144 IRP_MJ_READ : F76B5D1F
18:10:24:296 1144 IRP_MJ_WRITE : F76B5D1F
18:10:24:296 1144 IRP_MJ_QUERY_INFORMATION : 804F9759
18:10:24:296 1144 IRP_MJ_SET_INFORMATION : 804F9759
18:10:24:296 1144 IRP_MJ_QUERY_EA : 804F9759
18:10:24:296 1144 IRP_MJ_SET_EA : 804F9759
18:10:24:296 1144 IRP_MJ_FLUSH_BUFFERS : F76B62E2
18:10:24:296 1144 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F9759
18:10:24:296 1144 IRP_MJ_SET_VOLUME_INFORMATION : 804F9759
18:10:24:296 1144 IRP_MJ_DIRECTORY_CONTROL : 804F9759
18:10:24:296 1144 IRP_MJ_FILE_SYSTEM_CONTROL : 804F9759
18:10:24:296 1144 IRP_MJ_DEVICE_CONTROL : F76B63BB
18:10:24:296 1144 IRP_MJ_INTERNAL_DEVICE_CONTROL : F76B9F28
18:10:24:296 1144 IRP_MJ_SHUTDOWN : F76B62E2
18:10:24:296 1144 IRP_MJ_LOCK_CONTROL : 804F9759
18:10:24:296 1144 IRP_MJ_CLEANUP : 804F9759
18:10:24:296 1144 IRP_MJ_CREATE_MAILSLOT : 804F9759
18:10:24:296 1144 IRP_MJ_QUERY_SECURITY : 804F9759
18:10:24:296 1144 IRP_MJ_SET_SECURITY : 804F9759
18:10:24:296 1144 IRP_MJ_POWER : F76B7C82
18:10:24:296 1144 IRP_MJ_SYSTEM_CONTROL : F76BC99E
18:10:24:296 1144 IRP_MJ_DEVICE_CHANGE : 804F9759
18:10:24:296 1144 IRP_MJ_QUERY_QUOTA : 804F9759
18:10:24:296 1144 IRP_MJ_SET_QUOTA : 804F9759
18:10:24:296 1144 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
18:10:24:296 1144
18:10:24:296 1144 Driver Name: Disk
18:10:24:296 1144 IRP_MJ_CREATE : F76BBBB0
18:10:24:296 1144 IRP_MJ_CREATE_NAMED_PIPE : 804F9759
18:10:24:296 1144 IRP_MJ_CLOSE : F76BBBB0
18:10:24:296 1144 IRP_MJ_READ : F76B5D1F
18:10:24:296 1144 IRP_MJ_WRITE : F76B5D1F
18:10:24:296 1144 IRP_MJ_QUERY_INFORMATION : 804F9759
18:10:24:296 1144 IRP_MJ_SET_INFORMATION : 804F9759
18:10:24:296 1144 IRP_MJ_QUERY_EA : 804F9759
18:10:24:296 1144 IRP_MJ_SET_EA : 804F9759
18:10:24:296 1144 IRP_MJ_FLUSH_BUFFERS : F76B62E2
18:10:24:296 1144 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F9759
18:10:24:296 1144 IRP_MJ_SET_VOLUME_INFORMATION : 804F9759
18:10:24:296 1144 IRP_MJ_DIRECTORY_CONTROL : 804F9759
18:10:24:296 1144 IRP_MJ_FILE_SYSTEM_CONTROL : 804F9759
18:10:24:296 1144 IRP_MJ_DEVICE_CONTROL : F76B63BB
18:10:24:296 1144 IRP_MJ_INTERNAL_DEVICE_CONTROL : F76B9F28
18:10:24:296 1144 IRP_MJ_SHUTDOWN : F76B62E2
18:10:24:296 1144 IRP_MJ_LOCK_CONTROL : 804F9759
18:10:24:296 1144 IRP_MJ_CLEANUP : 804F9759
18:10:24:296 1144 IRP_MJ_CREATE_MAILSLOT : 804F9759
18:10:24:296 1144 IRP_MJ_QUERY_SECURITY : 804F9759
18:10:24:296 1144 IRP_MJ_SET_SECURITY : 804F9759
18:10:24:296 1144 IRP_MJ_POWER : F76B7C82
18:10:24:296 1144 IRP_MJ_SYSTEM_CONTROL : F76BC99E
18:10:24:296 1144 IRP_MJ_DEVICE_CHANGE : 804F9759
18:10:24:296 1144 IRP_MJ_QUERY_QUOTA : 804F9759
18:10:24:296 1144 IRP_MJ_SET_QUOTA : 804F9759
18:10:24:296 1144 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
18:10:24:296 1144
18:10:24:296 1144 Driver Name: Disk
18:10:24:296 1144 IRP_MJ_CREATE : F76BBBB0
18:10:24:296 1144 IRP_MJ_CREATE_NAMED_PIPE : 804F9759
18:10:24:296 1144 IRP_MJ_CLOSE : F76BBBB0
18:10:24:296 1144 IRP_MJ_READ : F76B5D1F
18:10:24:296 1144 IRP_MJ_WRITE : F76B5D1F
18:10:24:296 1144 IRP_MJ_QUERY_INFORMATION : 804F9759
18:10:24:296 1144 IRP_MJ_SET_INFORMATION : 804F9759
18:10:24:296 1144 IRP_MJ_QUERY_EA : 804F9759
18:10:24:296 1144 IRP_MJ_SET_EA : 804F9759
18:10:24:296 1144 IRP_MJ_FLUSH_BUFFERS : F76B62E2
18:10:24:296 1144 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F9759
18:10:24:296 1144 IRP_MJ_SET_VOLUME_INFORMATION : 804F9759
18:10:24:296 1144 IRP_MJ_DIRECTORY_CONTROL : 804F9759
18:10:24:296 1144 IRP_MJ_FILE_SYSTEM_CONTROL : 804F9759
18:10:24:296 1144 IRP_MJ_DEVICE_CONTROL : F76B63BB
18:10:24:296 1144 IRP_MJ_INTERNAL_DEVICE_CONTROL : F76B9F28
18:10:24:296 1144 IRP_MJ_SHUTDOWN : F76B62E2
18:10:24:296 1144 IRP_MJ_LOCK_CONTROL : 804F9759
18:10:24:296 1144 IRP_MJ_CLEANUP : 804F9759
18:10:24:296 1144 IRP_MJ_CREATE_MAILSLOT : 804F9759
18:10:24:296 1144 IRP_MJ_QUERY_SECURITY : 804F9759
18:10:24:296 1144 IRP_MJ_SET_SECURITY : 804F9759
18:10:24:296 1144 IRP_MJ_POWER : F76B7C82
18:10:24:296 1144 IRP_MJ_SYSTEM_CONTROL : F76BC99E
18:10:24:296 1144 IRP_MJ_DEVICE_CHANGE : 804F9759
18:10:24:296 1144 IRP_MJ_QUERY_QUOTA : 804F9759
18:10:24:296 1144 IRP_MJ_SET_QUOTA : 804F9759
18:10:24:312 1144 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
18:10:24:312 1144
18:10:24:312 1144 Driver Name: usbstor
18:10:24:312 1144 IRP_MJ_CREATE : F707E218
18:10:24:312 1144 IRP_MJ_CREATE_NAMED_PIPE : 804F9759
18:10:24:312 1144 IRP_MJ_CLOSE : F707E218
18:10:24:312 1144 IRP_MJ_READ : F707E23C
18:10:24:312 1144 IRP_MJ_WRITE : F707E23C
18:10:24:312 1144 IRP_MJ_QUERY_INFORMATION : 804F9759
18:10:24:312 1144 IRP_MJ_SET_INFORMATION : 804F9759
18:10:24:312 1144 IRP_MJ_QUERY_EA : 804F9759
18:10:24:312 1144 IRP_MJ_SET_EA : 804F9759
18:10:24:312 1144 IRP_MJ_FLUSH_BUFFERS : 804F9759
18:10:24:312 1144 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F9759
18:10:24:312 1144 IRP_MJ_SET_VOLUME_INFORMATION : 804F9759
18:10:24:312 1144 IRP_MJ_DIRECTORY_CONTROL : 804F9759
18:10:24:312 1144 IRP_MJ_FILE_SYSTEM_CONTROL : 804F9759
18:10:24:312 1144 IRP_MJ_DEVICE_CONTROL : F707E180
18:10:24:312 1144 IRP_MJ_INTERNAL_DEVICE_CONTROL : F70799E6
18:10:24:312 1144 IRP_MJ_SHUTDOWN : 804F9759
18:10:24:312 1144 IRP_MJ_LOCK_CONTROL : 804F9759
18:10:24:312 1144 IRP_MJ_CLEANUP : 804F9759
18:10:24:312 1144 IRP_MJ_CREATE_MAILSLOT : 804F9759
18:10:24:312 1144 IRP_MJ_QUERY_SECURITY : 804F9759
18:10:24:312 1144 IRP_MJ_SET_SECURITY : 804F9759
18:10:24:312 1144 IRP_MJ_POWER : F707D5F0
18:10:24:312 1144 IRP_MJ_SYSTEM_CONTROL : F707BA6E
18:10:24:312 1144 IRP_MJ_DEVICE_CHANGE : 804F9759
18:10:24:312 1144 IRP_MJ_QUERY_QUOTA : 804F9759
18:10:24:312 1144 IRP_MJ_SET_QUOTA : 804F9759
18:10:24:312 1144 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: 1
18:10:24:312 1144
18:10:24:312 1144 Driver Name: usbstor
18:10:24:312 1144 IRP_MJ_CREATE : F707E218
18:10:24:312 1144 IRP_MJ_CREATE_NAMED_PIPE : 804F9759
18:10:24:312 1144 IRP_MJ_CLOSE : F707E218
18:10:24:312 1144 IRP_MJ_READ : F707E23C
18:10:24:312 1144 IRP_MJ_WRITE : F707E23C
18:10:24:312 1144 IRP_MJ_QUERY_INFORMATION : 804F9759
18:10:24:312 1144 IRP_MJ_SET_INFORMATION : 804F9759
18:10:24:312 1144 IRP_MJ_QUERY_EA : 804F9759
18:10:24:312 1144 IRP_MJ_SET_EA : 804F9759
18:10:24:312 1144 IRP_MJ_FLUSH_BUFFERS : 804F9759
18:10:24:312 1144 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F9759
18:10:24:312 1144 IRP_MJ_SET_VOLUME_INFORMATION : 804F9759
18:10:24:312 1144 IRP_MJ_DIRECTORY_CONTROL : 804F9759
18:10:24:312 1144 IRP_MJ_FILE_SYSTEM_CONTROL : 804F9759
18:10:24:312 1144 IRP_MJ_DEVICE_CONTROL : F707E180
18:10:24:312 1144 IRP_MJ_INTERNAL_DEVICE_CONTROL : F70799E6
18:10:24:312 1144 IRP_MJ_SHUTDOWN : 804F9759
18:10:24:312 1144 IRP_MJ_LOCK_CONTROL : 804F9759
18:10:24:312 1144 IRP_MJ_CLEANUP : 804F9759
18:10:24:312 1144 IRP_MJ_CREATE_MAILSLOT : 804F9759
18:10:24:312 1144 IRP_MJ_QUERY_SECURITY : 804F9759
18:10:24:312 1144 IRP_MJ_SET_SECURITY : 804F9759
18:10:24:312 1144 IRP_MJ_POWER : F707D5F0
18:10:24:312 1144 IRP_MJ_SYSTEM_CONTROL : F707BA6E
18:10:24:312 1144 IRP_MJ_DEVICE_CHANGE : 804F9759
18:10:24:312 1144 IRP_MJ_QUERY_QUOTA : 804F9759
18:10:24:312 1144 IRP_MJ_SET_QUOTA : 804F9759
18:10:24:328 1144 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: 1
18:10:24:328 1144
18:10:24:328 1144 Driver Name: usbstor
18:10:24:328 1144 IRP_MJ_CREATE : F707E218
18:10:24:328 1144 IRP_MJ_CREATE_NAMED_PIPE : 804F9759
18:10:24:328 1144 IRP_MJ_CLOSE : F707E218
18:10:24:328 1144 IRP_MJ_READ : F707E23C
18:10:24:328 1144 IRP_MJ_WRITE : F707E23C
18:10:24:328 1144 IRP_MJ_QUERY_INFORMATION : 804F9759
18:10:24:328 1144 IRP_MJ_SET_INFORMATION : 804F9759
18:10:24:328 1144 IRP_MJ_QUERY_EA : 804F9759
18:10:24:328 1144 IRP_MJ_SET_EA : 804F9759
18:10:24:328 1144 IRP_MJ_FLUSH_BUFFERS : 804F9759
18:10:24:328 1144 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F9759
18:10:24:328 1144 IRP_MJ_SET_VOLUME_INFORMATION : 804F9759
18:10:24:328 1144 IRP_MJ_DIRECTORY_CONTROL : 804F9759
18:10:24:328 1144 IRP_MJ_FILE_SYSTEM_CONTROL : 804F9759
18:10:24:328 1144 IRP_MJ_DEVICE_CONTROL : F707E180
18:10:24:328 1144 IRP_MJ_INTERNAL_DEVICE_CONTROL : F70799E6
18:10:24:328 1144 IRP_MJ_SHUTDOWN : 804F9759
18:10:24:328 1144 IRP_MJ_LOCK_CONTROL : 804F9759
18:10:24:328 1144 IRP_MJ_CLEANUP : 804F9759
18:10:24:328 1144 IRP_MJ_CREATE_MAILSLOT : 804F9759
18:10:24:328 1144 IRP_MJ_QUERY_SECURITY : 804F9759
18:10:24:328 1144 IRP_MJ_SET_SECURITY : 804F9759
18:10:24:328 1144 IRP_MJ_POWER : F707D5F0
18:10:24:328 1144 IRP_MJ_SYSTEM_CONTROL : F707BA6E
18:10:24:328 1144 IRP_MJ_DEVICE_CHANGE : 804F9759
18:10:24:328 1144 IRP_MJ_QUERY_QUOTA : 804F9759
18:10:24:328 1144 IRP_MJ_SET_QUOTA : 804F9759
18:10:24:328 1144 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: 1
18:10:24:328 1144
18:10:24:328 1144 Driver Name: usbstor
18:10:24:328 1144 IRP_MJ_CREATE : F707E218
18:10:24:328 1144 IRP_MJ_CREATE_NAMED_PIPE : 804F9759
18:10:24:328 1144 IRP_MJ_CLOSE : F707E218
18:10:24:328 1144 IRP_MJ_READ : F707E23C
18:10:24:328 1144 IRP_MJ_WRITE : F707E23C
18:10:24:328 1144 IRP_MJ_QUERY_INFORMATION : 804F9759
18:10:24:328 1144 IRP_MJ_SET_INFORMATION : 804F9759
18:10:24:328 1144 IRP_MJ_QUERY_EA : 804F9759
18:10:24:328 1144 IRP_MJ_SET_EA : 804F9759
18:10:24:328 1144 IRP_MJ_FLUSH_BUFFERS : 804F9759
18:10:24:328 1144 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F9759
18:10:24:328 1144 IRP_MJ_SET_VOLUME_INFORMATION : 804F9759
18:10:24:328 1144 IRP_MJ_DIRECTORY_CONTROL : 804F9759
18:10:24:328 1144 IRP_MJ_FILE_SYSTEM_CONTROL : 804F9759
18:10:24:328 1144 IRP_MJ_DEVICE_CONTROL : F707E180
18:10:24:328 1144 IRP_MJ_INTERNAL_DEVICE_CONTROL : F70799E6
18:10:24:328 1144 IRP_MJ_SHUTDOWN : 804F9759
18:10:24:328 1144 IRP_MJ_LOCK_CONTROL : 804F9759
18:10:24:328 1144 IRP_MJ_CLEANUP : 804F9759
18:10:24:328 1144 IRP_MJ_CREATE_MAILSLOT : 804F9759
18:10:24:328 1144 IRP_MJ_QUERY_SECURITY : 804F9759
18:10:24:328 1144 IRP_MJ_SET_SECURITY : 804F9759
18:10:24:328 1144 IRP_MJ_POWER : F707D5F0
18:10:24:328 1144 IRP_MJ_SYSTEM_CONTROL : F707BA6E
18:10:24:328 1144 IRP_MJ_DEVICE_CHANGE : 804F9759
18:10:24:328 1144 IRP_MJ_QUERY_QUOTA : 804F9759
18:10:24:328 1144 IRP_MJ_SET_QUOTA : 804F9759
18:10:24:328 1144 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: 1
18:10:24:328 1144
18:10:24:328 1144 Driver Name: usbstor
18:10:24:328 1144 IRP_MJ_CREATE : F707E218
18:10:24:328 1144 IRP_MJ_CREATE_NAMED_PIPE : 804F9759
18:10:24:328 1144 IRP_MJ_CLOSE : F707E218
18:10:24:328 1144 IRP_MJ_READ : F707E23C
18:10:24:328 1144 IRP_MJ_WRITE : F707E23C
18:10:24:328 1144 IRP_MJ_QUERY_INFORMATION : 804F9759
18:10:24:328 1144 IRP_MJ_SET_INFORMATION : 804F9759
18:10:24:328 1144 IRP_MJ_QUERY_EA : 804F9759
18:10:24:328 1144 IRP_MJ_SET_EA : 804F9759
18:10:24:328 1144 IRP_MJ_FLUSH_BUFFERS : 804F9759
18:10:24:328 1144 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F9759
18:10:24:328 1144 IRP_MJ_SET_VOLUME_INFORMATION : 804F9759
18:10:24:328 1144 IRP_MJ_DIRECTORY_CONTROL : 804F9759
18:10:24:328 1144 IRP_MJ_FILE_SYSTEM_CONTROL : 804F9759
18:10:24:328 1144 IRP_MJ_DEVICE_CONTROL : F707E180
18:10:24:328 1144 IRP_MJ_INTERNAL_DEVICE_CONTROL : F70799E6
18:10:24:328 1144 IRP_MJ_SHUTDOWN : 804F9759
18:10:24:328 1144 IRP_MJ_LOCK_CONTROL : 804F9759
18:10:24:328 1144 IRP_MJ_CLEANUP : 804F9759
18:10:24:328 1144 IRP_MJ_CREATE_MAILSLOT : 804F9759
18:10:24:328 1144 IRP_MJ_QUERY_SECURITY : 804F9759
18:10:24:328 1144 IRP_MJ_SET_SECURITY : 804F9759
18:10:24:328 1144 IRP_MJ_POWER : F707D5F0
18:10:24:328 1144 IRP_MJ_SYSTEM_CONTROL : F707BA6E
18:10:24:328 1144 IRP_MJ_DEVICE_CHANGE : 804F9759
18:10:24:328 1144 IRP_MJ_QUERY_QUOTA : 804F9759
18:10:24:328 1144 IRP_MJ_SET_QUOTA : 804F9759
18:10:24:328 1144 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: 1
18:10:24:328 1144
18:10:24:328 1144 Driver Name: Disk
18:10:24:328 1144 IRP_MJ_CREATE : F76BBBB0
18:10:24:328 1144 IRP_MJ_CREATE_NAMED_PIPE : 804F9759
18:10:24:328 1144 IRP_MJ_CLOSE : F76BBBB0
18:10:24:328 1144 IRP_MJ_READ : F76B5D1F
18:10:24:328 1144 IRP_MJ_WRITE : F76B5D1F
18:10:24:328 1144 IRP_MJ_QUERY_INFORMATION : 804F9759
18:10:24:328 1144 IRP_MJ_SET_INFORMATION : 804F9759
18:10:24:328 1144 IRP_MJ_QUERY_EA : 804F9759
18:10:24:328 1144 IRP_MJ_SET_EA : 804F9759
18:10:24:328 1144 IRP_MJ_FLUSH_BUFFERS : F76B62E2
18:10:24:328 1144 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F9759
18:10:24:328 1144 IRP_MJ_SET_VOLUME_INFORMATION : 804F9759
18:10:24:328 1144 IRP_MJ_DIRECTORY_CONTROL : 804F9759
18:10:24:328 1144 IRP_MJ_FILE_SYSTEM_CONTROL : 804F9759
18:10:24:328 1144 IRP_MJ_DEVICE_CONTROL : F76B63BB
18:10:24:328 1144 IRP_MJ_INTERNAL_DEVICE_CONTROL : F76B9F28
18:10:24:328 1144 IRP_MJ_SHUTDOWN : F76B62E2
18:10:24:328 1144 IRP_MJ_LOCK_CONTROL : 804F9759
18:10:24:328 1144 IRP_MJ_CLEANUP : 804F9759
18:10:24:328 1144 IRP_MJ_CREATE_MAILSLOT : 804F9759
18:10:24:328 1144 IRP_MJ_QUERY_SECURITY : 804F9759
18:10:24:328 1144 IRP_MJ_SET_SECURITY : 804F9759
18:10:24:328 1144 IRP_MJ_POWER : F76B7C82
18:10:24:328 1144 IRP_MJ_SYSTEM_CONTROL : F76BC99E
18:10:24:328 1144 IRP_MJ_DEVICE_CHANGE : 804F9759
18:10:24:328 1144 IRP_MJ_QUERY_QUOTA : 804F9759
18:10:24:328 1144 IRP_MJ_SET_QUOTA : 804F9759
18:10:24:343 1144 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
18:10:24:343 1144
18:10:24:343 1144 Driver Name: Disk
18:10:24:343 1144 IRP_MJ_CREATE : F76BBBB0
18:10:24:343 1144 IRP_MJ_CREATE_NAMED_PIPE : 804F9759
18:10:24:343 1144 IRP_MJ_CLOSE : F76BBBB0
18:10:24:343 1144 IRP_MJ_READ : F76B5D1F
18:10:24:343 1144 IRP_MJ_WRITE : F76B5D1F
18:10:24:343 1144 IRP_MJ_QUERY_INFORMATION : 804F9759
18:10:24:343 1144 IRP_MJ_SET_INFORMATION : 804F9759
18:10:24:343 1144 IRP_MJ_QUERY_EA : 804F9759
18:10:24:343 1144 IRP_MJ_SET_EA : 804F9759
18:10:24:343 1144 IRP_MJ_FLUSH_BUFFERS : F76B62E2
18:10:24:343 1144 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F9759
18:10:24:343 1144 IRP_MJ_SET_VOLUME_INFORMATION : 804F9759
18:10:24:343 1144 IRP_MJ_DIRECTORY_CONTROL : 804F9759
18:10:24:343 1144 IRP_MJ_FILE_SYSTEM_CONTROL : 804F9759
18:10:24:343 1144 IRP_MJ_DEVICE_CONTROL : F76B63BB
18:10:24:343 1144 IRP_MJ_INTERNAL_DEVICE_CONTROL : F76B9F28
18:10:24:343 1144 IRP_MJ_SHUTDOWN : F76B62E2
18:10:24:343 1144 IRP_MJ_LOCK_CONTROL : 804F9759
18:10:24:343 1144 IRP_MJ_CLEANUP : 804F9759
18:10:24:343 1144 IRP_MJ_CREATE_MAILSLOT : 804F9759
18:10:24:343 1144 IRP_MJ_QUERY_SECURITY : 804F9759
18:10:24:343 1144 IRP_MJ_SET_SECURITY : 804F9759
18:10:24:343 1144 IRP_MJ_POWER : F76B7C82
18:10:24:343 1144 IRP_MJ_SYSTEM_CONTROL : F76BC99E
18:10:24:343 1144 IRP_MJ_DEVICE_CHANGE : 804F9759
18:10:24:343 1144 IRP_MJ_QUERY_QUOTA : 804F9759
18:10:24:343 1144 IRP_MJ_SET_QUOTA : 804F9759
18:10:24:343 1144 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
18:10:24:343 1144
18:10:24:343 1144 Driver Name: atapi
18:10:24:343 1144 IRP_MJ_CREATE : 85A1FAC8
18:10:24:343 1144 IRP_MJ_CREATE_NAMED_PIPE : 85A1FAC8
18:10:24:343 1144 IRP_MJ_CLOSE : 85A1FAC8
18:10:24:343 1144 IRP_MJ_READ : 85A1FAC8
18:10:24:343 1144 IRP_MJ_WRITE : 85A1FAC8
18:10:24:343 1144 IRP_MJ_QUERY_INFORMATION : 85A1FAC8
18:10:24:343 1144 IRP_MJ_SET_INFORMATION : 85A1FAC8
18:10:24:343 1144 IRP_MJ_QUERY_EA : 85A1FAC8
18:10:24:343 1144 IRP_MJ_SET_EA : 85A1FAC8
18:10:24:343 1144 IRP_MJ_FLUSH_BUFFERS : 85A1FAC8
18:10:24:343 1144 IRP_MJ_QUERY_VOLUME_INFORMATION : 85A1FAC8
18:10:24:343 1144 IRP_MJ_SET_VOLUME_INFORMATION : 85A1FAC8
18:10:24:343 1144 IRP_MJ_DIRECTORY_CONTROL : 85A1FAC8
18:10:24:343 1144 IRP_MJ_FILE_SYSTEM_CONTROL : 85A1FAC8
18:10:24:343 1144 IRP_MJ_DEVICE_CONTROL : 85A1FAC8
18:10:24:343 1144 IRP_MJ_INTERNAL_DEVICE_CONTROL : 85A1FAC8
18:10:24:343 1144 IRP_MJ_SHUTDOWN : 85A1FAC8
18:10:24:343 1144 IRP_MJ_LOCK_CONTROL : 85A1FAC8
18:10:24:343 1144 IRP_MJ_CLEANUP : 85A1FAC8
18:10:24:343 1144 IRP_MJ_CREATE_MAILSLOT : 85A1FAC8
18:10:24:343 1144 IRP_MJ_QUERY_SECURITY : 85A1FAC8
18:10:24:343 1144 IRP_MJ_SET_SECURITY : 85A1FAC8
18:10:24:343 1144 IRP_MJ_POWER : 85A1FAC8
18:10:24:343 1144 IRP_MJ_SYSTEM_CONTROL : 85A1FAC8
18:10:24:343 1144 IRP_MJ_DEVICE_CHANGE : 85A1FAC8
18:10:24:343 1144 IRP_MJ_QUERY_QUOTA : 85A1FAC8
18:10:24:343 1144 IRP_MJ_SET_QUOTA : 85A1FAC8
18:10:24:343 1144 Driver "atapi" infected by TDSS rootkit!
18:10:24:359 1144 C:\WINDOWS\system32\drivers\atapi.sys - Verdict: 1
18:10:24:359 1144 File "C:\WINDOWS\system32\drivers\atapi.sys" infected by TDSS rootkit ... 18:10:24:359 1144 Processing driver file: C:\WINDOWS\system32\drivers\atapi.sys
18:10:24:359 1144 ProcessDirEnumEx: FindFirstFile(C:\WINDOWS\system32\DriverStore\FileRepository\*) error 3
18:10:24:484 1144 vfvi6
18:10:24:656 1144 !dsvbh1
18:10:27:000 1144 dsvbh2
18:10:27:000 1144 fdfb2
18:10:27:000 1144 Backup copy found, using it..
18:10:27:000 1144 will be cured on next reboot
18:10:27:015 1144 Reboot required for cure complete..
18:10:27:046 1144 Cure on reboot scheduled successfully
18:10:27:046 1144
18:10:27:046 1144 Completed
18:10:27:046 1144
18:10:27:046 1144 Results:
18:10:27:046 1144 Memory objects infected / cured / cured on reboot: 1 / 0 / 0
18:10:27:046 1144 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
18:10:27:046 1144 File objects infected / cured / cured on reboot: 1 / 0 / 1
18:10:27:062 1144
18:10:27:062 1144 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
18:10:27:062 1144 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
18:10:27:062 1144 UnloadDriverW: NtUnloadDriver error 1
18:10:27:078 1144 KLMD(ARK) unloaded successfully


#11 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 16 April 2010 - 05:19 PM

We need to replace the infected file.

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    CODE
    :filefind
    atapi.sys

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
m0le is a proud member of UNITE

#12 concept
  • Topic Starter
  • Members
  • 67 posts

Posted 16 April 2010 - 05:29 PM

SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 18:21 on 16/04/2010 by Owner (Administrator - Elevation successful)

No Context: CODE

========== filefind ==========

Searching for "atapi.sys"
C:\WINDOWS\$NtServicePackUninstall$\atapi.sys -----c 95360 bytes [05:43 27/11/2009] [12:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\erdnt\cache\atapi.sys --a--- 96512 bytes [01:31 23/11/2009] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\ServicePackFiles\i386\atapi.sys ------ 96512 bytes [15:03 22/10/2009] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\dllcache\atapi.sys --a--c 96512 bytes [05:59 04/08/2004] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\drivers\atapi.sys --a--- 96512 bytes [05:59 04/08/2004] [22:03 16/04/2010] 9F3A2F5AA6875C72BF062C712CFA2674

-=End Of File=-
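As an added illustration (this is not part of the thread and not a tool the helper used): a small Python script that parses the filefind section of the SystemLook output above and compares the MD5 of the live driver in system32\drivers with the Windows File Protection copy in dllcache, which is the copy the helper picks as the replacement source in the following post. Before trusting that reference it checks that the ServicePackFiles copy carries the same hash, and it lists every other copy whose hash differs (here the pre-SP3 backup under $NtServicePackUninstall$, an older version rather than a sign of tampering). The second input is a constructed variant with an all-zero placeholder hash, so the mismatch path is exercised as well. One caveat a responder would keep in mind: a matching hash read from inside a still-infected system is not conclusive, because a kernel rootkit that intercepts disk I/O can hand back the original bytes, which is one reason the helper also asks for a GMER log.

```python
import re

# Constructed sample input: the filefind section of the SystemLook log posted
# in the thread, copied as-is (paths, sizes, timestamps and MD5 values).
POSTED_FILEFIND = r"""
========== filefind ==========

Searching for "atapi.sys"
C:\WINDOWS\$NtServicePackUninstall$\atapi.sys -----c 95360 bytes [05:43 27/11/2009] [12:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\erdnt\cache\atapi.sys --a--- 96512 bytes [01:31 23/11/2009] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\ServicePackFiles\i386\atapi.sys ------ 96512 bytes [15:03 22/10/2009] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\dllcache\atapi.sys --a--c 96512 bytes [05:59 04/08/2004] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\drivers\atapi.sys --a--- 96512 bytes [05:59 04/08/2004] [22:03 16/04/2010] 9F3A2F5AA6875C72BF062C712CFA2674

-=End Of File=-
"""

# Constructed variant (not from the thread): the live driver carries an
# all-zero placeholder hash so the mismatch path can be exercised.
TAMPERED_FILEFIND = POSTED_FILEFIND.replace(
    "[22:03 16/04/2010] 9F3A2F5AA6875C72BF062C712CFA2674",
    "[03:12 10/04/2010] " + "0" * 32,
)

# One filefind result line: <path> <6 attribute flags> <size> bytes [ts] [ts] <MD5>
ENTRY_RE = re.compile(
    r"^(?P<path>.+?) (?P<attrs>[-a-z]{6}) (?P<size>\d+) bytes "
    r"\[(?P<ts1>[^\]]+)\] \[(?P<ts2>[^\]]+)\] (?P<md5>[0-9A-Fa-f]{32})$"
)

LIVE_DIR = "\\system32\\drivers\\"          # the driver Windows actually loads
REFERENCE_DIR = "\\system32\\dllcache\\"    # Windows File Protection cache (the helper's replacement source)
CORROBORATING_DIR = "\\servicepackfiles\\"  # independent copy laid down by the service pack installer


def parse_filefind(text):
    """Parse every file line of a SystemLook :filefind section into dicts."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue  # section headers, blank lines, "Searching for", "-=End Of File=-"
        e = m.groupdict()
        e["size"] = int(e["size"])
        e["md5"] = e["md5"].upper()
        entries.append(e)
    return entries


def _in_dir(entry, fragment):
    return fragment in entry["path"].lower()


def check_driver(entries):
    """Compare the live driver's MD5 with the dllcache copy.

    Returns a dict: verdict (MATCH / MISMATCH / INCONCLUSIVE), both hashes,
    whether the ServicePackFiles copy corroborates the dllcache hash, and the
    paths of any other copies whose hash differs from the reference.
    """
    live = [e for e in entries if _in_dir(e, LIVE_DIR)]
    ref = [e for e in entries if _in_dir(e, REFERENCE_DIR)]
    if not live or not ref:
        return {"verdict": "INCONCLUSIVE",
                "reason": "live driver or dllcache copy not listed",
                "live_md5": None, "reference_md5": None,
                "reference_corroborated": False, "other_differing": []}
    live_md5, ref_md5 = live[0]["md5"], ref[0]["md5"]
    corroborated = any(e["md5"] == ref_md5
                       for e in entries if _in_dir(e, CORROBORATING_DIR))
    other_differing = [e["path"] for e in entries
                       if e["md5"] != ref_md5 and e is not live[0]]
    if live_md5 == ref_md5:
        # A match read from inside a still-infected system is not proof of a
        # clean file: a kernel rootkit that intercepts disk I/O can hand back
        # the original bytes. Treat it as one data point, not a clean bill.
        verdict, reason = "MATCH", "live driver hashes like the dllcache copy"
    else:
        verdict, reason = "MISMATCH", "live driver differs from the dllcache copy"
    return {"verdict": verdict, "reason": reason,
            "live_md5": live_md5, "reference_md5": ref_md5,
            "reference_corroborated": corroborated,
            "other_differing": other_differing}


def analyse(text):
    """Parse a SystemLook filefind log and run the driver check in one call."""
    return check_driver(parse_filefind(text))


if __name__ == "__main__":
    for label, log in (("posted log", POSTED_FILEFIND),
                       ("constructed variant", TAMPERED_FILEFIND)):
        r = analyse(log)
        print(f"{label}: {r['verdict']} ({r['reason']})")
        print(f"  live {r['live_md5']}  reference {r['reference_md5']}"
              f"  corroborated={r['reference_corroborated']}")
        for p in r["other_differing"]:
            print(f"  other copy with a different hash: {p}")
```

Run as-is it prints MATCH for the posted log and MISMATCH for the constructed variant; to use it on a real log, pass the contents of SystemLook.txt to analyse(). The dllcache copy is only treated as trustworthy when the ServicePackFiles copy agrees with it, since a replacement source that is itself tampered would silently re-infect the system.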

#13 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 16 April 2010 - 05:43 PM

We need to replace the infected file in the Recovery Environment.


First we need to copy a clean file to replace the infected one.

Please do this:
  • Click on the Start button, then click on Run...

  • In the empty "Open:" box provided, type cmd and press Enter. This will launch a Command Prompt window (looks like DOS).

  • Copy the entire blue text below to the clipboard by highlighting all of it and pressing Ctrl+C (or after highlighting, right-click and select Copy).

    copy C:\WINDOWS\system32\dllcache\atapi.sys C:\ /y

  • In the Command Prompt window, paste the copied text by right-clicking and selecting Paste.

  • Press Enter. When successful, you should get this message within the Command Prompt: "1 file(s) copied"
  • Exit the Command Prompt window.
Now we need to boot into the Recovery Environment:

Reboot your computer. Combofix should have installed the recovery console so this should already be available.

Follow the instructions here to start it

Next

Type cd system32\drivers and press Enter.
Type ren atapi.sys atapi.vir and press Enter.
Then type copy C:\atapi.sys atapi.sys and press Enter.
Now type exit and press Enter to reboot your computer into normal mode.


Please run Gmer and post the log.

Thanks

Edited by m0le, 16 April 2010 - 05:47 PM.
Changed script. Please note!!

m0le is a proud member of UNITE

#14 concept
  • Topic Starter
  • Members
  • 67 posts

Posted 16 April 2010 - 08:07 PM

I do not think you are getting rid of the right virus. I just went to search on Firefox, clicked a link and the ave.exe thing came back and gave me the fake virus remover crap. However, I did all the steps you told me with the atapi situation. I'm going to run GMER now. There's definitely more wrong here. The ave.exe keeps coming back, and I click search links and they redirect me to new places.

#15 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 16 April 2010 - 08:27 PM

If we don't remove the TDSS rootkit first, we will never be able to get to the ave.exe infection that it is currently protecting.

I've no doubt there are other problems, but your biggest is the infected system file.
m0le is a proud member of UNITE



