Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Internet Connection unstable with popups


  • This topic is locked This topic is locked
24 replies to this topic

#1 Tikibum

Tikibum

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:12:27 AM

Posted 27 May 2010 - 10:17 PM

Over the past week my wireless connection varies with every restart. Sometimes I start up with no problems to my connection while other times I must constantly restart until I get lucky enough to get an internet connection. What also happens when my internet doesn't start is that my taskbar becomes grey in color, as if was changed to look like Classic mode from themes. When I look at Services.msc I notice most of them to have the -k netsvcs at the end of the executable path of most of the services. I've run SUPERAntiSpyware, AVG, and Malwarebytes and all have come through clean. Also, whenever I get internet I get popups every 6 minutes and my searches are usually redirected to pages completely different than what i've searched. I've run DDS and GMER, but GMER restarts my computer each time it is run. Thank you in advance for your time and hope this is enough info for now laugh.gif



DDS (Ver_10-03-17.01) - NTFSx86
Run by David at 18:31:41.70 on Thu 05/27/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.894.121 [GMT -7:00]

AV: AVG Anti-Virus *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Roxio\BackOnTrack\Instant Restore\BOTService.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\idt\wdm\STacSV.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Nero\Nero8\InCD\InCDsrv.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\WINDOWS\system32\AESTFltr.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\AVG\AVG9\avgam.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\Apoint2K\ApMsgFwd.exe
C:\Program Files\Nero\Nero8\InCD\NBHGui.exe
C:\Program Files\Nero\Nero8\InCD\InCD.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Nero\Nero8\InCD\NBHRegInCDSrv.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Hewlett-Packard\Shared\hpqToaster.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Live\Toolbar\wltuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Documents and Settings\David\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.live.com/
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_US&c=94&bd=Pavilion&pf=cnnb
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_US&c=94&bd=Pavilion&pf=cnnb
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_US&c=94&bd=Pavilion&pf=cnnb
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: Microsoft Live Search Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.0560.0\msneshellx.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Microsoft Live Search Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.0560.0\msneshellx.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\nero\lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
mRun: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
mRun: [AESTFltr] %SystemRoot%\system32\AESTFltr.exe /NoDlg
mRun: [Apoint] c:\program files\apoint2k\Apoint.exe
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [WirelessAssistant] c:\program files\hewlett-packard\hp wireless assistant\HPWAMain.exe
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
mRun: [SecurDisc] c:\program files\nero\nero8\incd\NBHGui.exe
mRun: [InCD] c:\program files\nero\nero8\incd\InCD.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
LSP: %SYSTEMROOT%\system32\nvLsp.dll
DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"

============= SERVICES / DRIVERS ===============

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2010-3-4 52872]
R0 SahdIa32;HDD Filter Driver;c:\windows\system32\drivers\SahdIa32.sys [2009-8-20 21488]
R0 SaibIa32;Volume Filter Driver;c:\windows\system32\drivers\SaibIa32.sys [2009-8-20 15856]
R0 SysCow;SysCow;c:\windows\system32\drivers\syscow32x.sys [2009-7-1 103792]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-3-4 216200]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-3-4 29512]
R1 AvgTdiX;AVG Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-4-19 242896]
R1 SaibVd32;Virtual Disk Driver;c:\windows\system32\drivers\SaibVd32.sys [2009-8-20 25584]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-4-27 68168]
R2 avg9emc;AVG E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2010-3-4 916760]
R2 avg9wd;AVG WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-3-4 308064]
R2 BOTService;BOTService;c:\program files\roxio\backontrack\instant restore\BOTService.exe [2009-7-9 199152]
R2 NeroRegInCDSrv;Nero Registry InCD Service;c:\program files\nero\nero8\incd\NBHRegInCDSrv.exe [2008-8-8 53032]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [2009-8-20 113664]
R3 DCamUSBNovatek;USB2.0 UVC Camera;c:\windows\system32\drivers\nvtcam.sys [2010-1-5 2701040]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [2009-5-11 56480]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUStor.sys [2009-8-20 165888]
S3 RtsUIR;Realtek IR Driver;c:\windows\system32\drivers\rts516xir.sys --> c:\windows\system32\drivers\Rts516xIR.sys [?]
S4 9734BF6A-2DCD-40f0-BAB0-5AAFEEBE1269;Roxio SAIB Service;c:\program files\roxio\backontrack\disaster recovery\SaibSVC.exe [2009-6-2 457200]

=============== Created Last 30 ================

2010-05-28 01:29:45 0 ----a-w- c:\documents and settings\david\defogger_reenable
2010-05-26 22:30:55 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-26 22:30:52 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-26 22:30:52 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-26 08:29:31 0 d-----w- c:\docume~1\david\applic~1\ElevatedDiagnostics
2010-05-26 07:51:03 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-16 07:32:15 0 d-----w- c:\windows\system32\URTTEMP
2010-05-15 01:32:04 0 d-----w- c:\docume~1\david\applic~1\Malwarebytes
2010-05-15 01:31:52 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-05-14 07:40:38 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-30 23:44:18 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-04-30 23:44:04 0 d-----w- c:\program files\SUPERAntiSpyware
2010-04-30 23:44:04 0 d-----w- c:\docume~1\david\applic~1\SUPERAntiSpyware.com
2010-04-30 23:43:44 0 d-----w- c:\program files\common files\Wise Installation Wizard

==================== Find3M ====================

2010-04-19 19:26:41 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-10 06:15:52 420352 ------w- c:\windows\system32\dllcache\vbscript.dll
2010-03-05 06:03:46 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-21 01:17:05 245760 --sha-w- c:\windows\system32\config\systemprofile\ietldcache\index.dat
2009-08-21 01:17:16 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\application data\microsoft\feeds cache\index.dat
2010-01-05 16:15:38 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012010010520100106\index.dat

============= FINISH: 18:34:40.50 ===============


BC AdBot (Login to Remove)

 


#2 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:03:27 AM

Posted 29 May 2010 - 06:21 PM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems. HijackThis logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that it happens.

Somethings to remember while we are working together.
    1.Please do not run any other tool untill instructed to do so!
    2.Please reply to this thread, do not start another!
    3.Please tell me about any problems that have occurred during the fix.
    4.Please tell me of any other symptoms you may be having as these can help also.
    5.Please try as much as possible not to run anything while executing a fix.
If you follow these instructions, everything should go smoothly.

Please print out or make a copy in notpad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Gmer is the best but can be hard to get a log lets try this and see what we get.

Scan With RKUnHooker
  • Please Download Rootkit Unhooker Save it to your desktop.
  • Now double-click on RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Check (Tick) Drivers, Stealth, Files, Code Hooks. Uncheck the rest. then Click OK.
  • Wait till the scanner has finished and then click File, Save Report.
  • Save the report somewhere where you can find it. Click Close.
Copy the entire contents of the report and paste it in a reply here.

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#3 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:03:27 AM

Posted 01 June 2010 - 04:21 AM

Hello

three day bump

It has been Three days since my last post.
  • do you still need help with this?
  • do you need more time?
  • are you having problems following my instructions?
  • if after 48hrs you have not replied to this thread then it will have to be closed!

Gringo


I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#4 Tikibum

Tikibum
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:12:27 AM

Posted 01 June 2010 - 11:09 PM

Sorry for the long reply, Memorial Day weekend and all smile.gif Hope you enjoyed yours.

Another thing I have also noticed is that I cannot update Windows at all. From the safety tab I get "Internet Explorer cannot display the webpage". When I enter from the Microsoft website, I get onto the update site, but I get "The website has encountered a problem and cannot display the page you are trying to view." I also get the error number 0x80072EFF.

Also, I ran rkunhooker and first thing I get when I open the program is "Rootkit Unhooker has detected a parasite in itself! It is recommended to remove parasite, okay?

Parasite type: Unknown remote thread
Thread ID: 4352
Priority: 8
Thread start address: 0x77DF848A
Module: advapi32.dll

I click OK and run with the tabs checked as you requested, but as it gets to scan the Files, it stays on "Getting list of files and directories (C:\)" and does not continue at all. I've let it run for 5 hours twice at different times and it does nothing, so I cancelled it after the 2nd time to let it continue with the rest of the scan. It completed the scan without the files being scanned.

Last, over the weekend my brother installed zonealarm to try and solve the problem against my advice to do nothing and wait, so I apologize if this causes any problems. Once again I apologize for the long time between replies and hope this info helps smile.gif Thank you for your time.


RkU Version: 3.8.388.590, Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 3)
Number of processors #2
==============================================
>Drivers
==============================================
0xF4CE9000 C:\WINDOWS\system32\DRIVERS\nv4_mini.sys 7966720 bytes (NVIDIA Corporation, NVIDIA Compatible Windows 2000 Miniport Driver, Version 186.27 )
0xBD012000 C:\WINDOWS\System32\nv4_disp.dll 5918720 bytes (NVIDIA Corporation, NVIDIA Compatible Windows 2000 Display driver, Version 186.27 )
0xEC841000 C:\WINDOWS\System32\Drivers\nvtcam.sys 2695168 bytes (NTK, 96610 PC Camera mini Driver)
0x804D7000 C:\WINDOWS\system32\ntkrnlpa.exe 2150400 bytes (Microsoft Corporation, NT Kernel & System)
0x804D7000 PnpManager 2150400 bytes
0x804D7000 RAW 2150400 bytes
0x804D7000 WMIxWDM 2150400 bytes
0xBF800000 Win32k 1851392 bytes
0xBF800000 C:\WINDOWS\System32\win32k.sys 1851392 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0xF4B2A000 C:\WINDOWS\system32\DRIVERS\bcmwl5.sys 1748992 bytes (Broadcom Corporation, Broadcom 802.11 Network Adapter wireless driver)
0xEFBCC000 C:\WINDOWS\system32\drivers\sthda.sys 1581056 bytes (IDT, Inc., IDT PC Audio)
0xF5482000 C:\WINDOWS\system32\DRIVERS\NVNRM.SYS 958464 bytes (NVIDIA Corporation, NVIDIA Network Resource Manager.)
0xF720F000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)
0xEB063000 C:\WINDOWS\System32\vsdatant.sys 528384 bytes (Check Point Software Technologies LTD, ZoneAlarm Firewalling Driver)
0xF55B8000 C:\WINDOWS\system32\DRIVERS\Wdf01000.sys 503808 bytes (Microsoft Corporation, WDF Dynamic)
0xEB276000 C:\WINDOWS\system32\DRIVERS\mrxsmb.sys 458752 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
0xF4A81000 C:\WINDOWS\system32\DRIVERS\update.sys 385024 bytes (Microsoft Corporation, Update Driver)
0xEB16C000 C:\WINDOWS\system32\DRIVERS\tcpip.sys 364544 bytes (Microsoft Corporation, TCP/IP Protocol Driver)
0xB73F2000 C:\WINDOWS\system32\DRIVERS\srv.sys 356352 bytes (Microsoft Corporation, Server driver)
0xBFFA0000 C:\WINDOWS\System32\ATMFD.DLL 286720 bytes (Adobe Systems Incorporated, Windows NT OpenType/Type 1 Font Driver)
0xB6CEF000 C:\WINDOWS\System32\Drivers\HTTP.sys 266240 bytes (Microsoft Corporation, HTTP Protocol Stack)
0xEB132000 C:\WINDOWS\System32\Drivers\avgtdix.sys 237568 bytes (AVG Technologies CZ, s.r.o., AVG Network connection watcher)
0xF5633000 C:\WINDOWS\system32\DRIVERS\Apfiltr.sys 229376 bytes (Alps Electric Co., Ltd., Alps Touch Pad Driver)
0xEB242000 C:\WINDOWS\System32\Drivers\avgldx86.sys 212992 bytes (AVG Technologies CZ, s.r.o., AVG AVI Loader Driver)
0xF7358000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)
0xB83A8000 C:\WINDOWS\system32\DRIVERS\mrxdav.sys 184320 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)
0xF71E2000 NDIS.sys 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)
0xB50A3000 C:\WINDOWS\system32\drivers\kmixer.sys 176128 bytes (Microsoft Corporation, Kernel Mode Audio Mixer)
0xEB2E6000 C:\WINDOWS\system32\DRIVERS\rdbss.sys 176128 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0xF556C000 C:\WINDOWS\system32\DRIVERS\HDAudBus.sys 163840 bytes (Windows ® Server 2003 DDK provider, High Definition Audio Bus Driver v1.0a)
0xEB0E4000 C:\WINDOWS\system32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)
0xEB10C000 C:\WINDOWS\system32\DRIVERS\ipnat.sys 155648 bytes (Microsoft Corporation, IP Network Address Translator)
0xEB4BA000 C:\WINDOWS\System32\Drivers\dump_nvgts.sys 151552 bytes
0xF7303000 nvgts.sys 151552 bytes (NVIDIA Corporation, NVIDIAŽ nForce™ Sata Performance Driver)
0xEFBA8000 C:\WINDOWS\system32\drivers\portcls.sys 147456 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0xF5594000 C:\WINDOWS\system32\DRIVERS\USBPORT.SYS 147456 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0xF4ADF000 C:\WINDOWS\system32\DRIVERS\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)
0xEB041000 C:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0xEB01F000 C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS 139264 bytes (SUPERAdBlocker.com and SUPERAntiSpyware.com, SASKUTIL.SYS)
0x806E4000 ACPI_HAL 134400 bytes
0x806E4000 C:\WINDOWS\system32\hal.dll 134400 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0xF72CB000 fltMgr.sys 131072 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0xF7328000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver)
0xEB1D8000 C:\WINDOWS\system32\drivers\InCDFs.sys 126976 bytes (Nero AG, InCD File System Driver)
0xEFB8C000 C:\WINDOWS\system32\drivers\AESTAud.sys 114688 bytes (Andrea Electronics Corporation, Andrea Audio Driver)
0xF71C8000 Mup.sys 106496 bytes (Microsoft Corporation, Multiple UNC Provider driver)
0xF72EB000 C:\WINDOWS\system32\drivers\SCSIPORT.SYS 98304 bytes (Microsoft Corporation, SCSI Port Driver)
0xF72B3000 syscow32x.sys 98304 bytes (Sonic Solutions, BackOnTrack Component)
0xF729C000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0xF4B13000 C:\WINDOWS\system32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
0xB851B000 C:\WINDOWS\system32\drivers\wdmaud.sys 86016 bytes (Microsoft Corporation, MMSYSTEM Wave/Midi API mapper)
0xF4CD5000 C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver)
0xEB1C5000 C:\WINDOWS\system32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver)
0xBD000000 C:\WINDOWS\System32\drivers\dxg.sys 73728 bytes (Microsoft Corporation, DirectX Graphics Driver)
0xF7347000 pci.sys 69632 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
0xF4B02000 C:\WINDOWS\system32\DRIVERS\psched.sys 69632 bytes (Microsoft Corporation, MS QoS Packet Scheduler)
0xF7657000 C:\WINDOWS\system32\drivers\drmk.sys 61440 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
0xF7677000 C:\WINDOWS\system32\drivers\sysaudio.sys 61440 bytes (Microsoft Corporation, System Audio WDM Filter)
0xF6ADC000 C:\WINDOWS\system32\DRIVERS\usbhub.sys 61440 bytes (Microsoft Corporation, Default Hub Driver for USB)
0xF6ABC000 C:\WINDOWS\system32\DRIVERS\NVENETFD.sys 57344 bytes (NVIDIA Corporation, NVIDIA Networking Function Driver.)
0xF74C7000 C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS 53248 bytes (Microsoft Corporation, SCSI Class System Dll)
0xF76D7000 C:\WINDOWS\system32\DRIVERS\i8042prt.sys 53248 bytes (Microsoft Corporation, i8042 Port Driver)
0xF7667000 C:\WINDOWS\system32\drivers\nvhda32.sys 53248 bytes (NVIDIA Corporation, NVIDIA HDMI Audio Driver)
0xF7537000 C:\WINDOWS\system32\DRIVERS\rasl2tp.sys 53248 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
0xEBF2B000 C:\WINDOWS\System32\Drivers\STREAM.SYS 53248 bytes (Microsoft Corporation, WDM CODEC Class Device Driver 2.0)
0xF74A7000 VolSnap.sys 53248 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0xF76E7000 C:\WINDOWS\system32\DRIVERS\WDFLDR.SYS 53248 bytes (Microsoft Corporation, WDFLDR)
0xF74F7000 avgrkx86.sys 49152 bytes (AVG Technologies CZ, s.r.o., AVG Anti-Rootkit Driver)
0xF7557000 C:\WINDOWS\system32\DRIVERS\raspptp.sys 49152 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
0xEF679000 C:\WINDOWS\System32\Drivers\Fips.SYS 45056 bytes (Microsoft Corporation, FIPS Crypto Driver)
0xF7497000 MountMgr.sys 45056 bytes (Microsoft Corporation, Mount Manager)
0xF7547000 C:\WINDOWS\system32\DRIVERS\raspppoe.sys 45056 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
0xF7487000 isapnp.sys 40960 bytes (Microsoft Corporation, PNP ISA Bus Driver)
0xF56CB000 C:\WINDOWS\System32\Drivers\NDProxy.SYS 40960 bytes (Microsoft Corporation, NDIS Proxy)
0xF76F7000 C:\WINDOWS\system32\DRIVERS\nvnetbus.sys 40960 bytes (NVIDIA Corporation, NVIDIA Networking Bus Driver.)
0xF74D7000 PxHelp20.sys 40960 bytes (Sonic Solutions, Px Engine Device Driver for Windows 2000/XP)
0xF7577000 C:\WINDOWS\system32\DRIVERS\termdd.sys 40960 bytes (Microsoft Corporation, Terminal Server Driver)
0xF74B7000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver)
0xED7FC000 C:\WINDOWS\system32\drivers\InCDPass.sys 36864 bytes (Nero AG, Nero InCD RW Filter Driver)
0xF76C7000 C:\WINDOWS\system32\DRIVERS\intelppm.sys 36864 bytes (Microsoft Corporation, Processor Device Driver)
0xF7567000 C:\WINDOWS\system32\DRIVERS\msgpc.sys 36864 bytes (Microsoft Corporation, MS General Packet Classifier)
0xED83C000 C:\WINDOWS\system32\DRIVERS\netbios.sys 36864 bytes (Microsoft Corporation, NetBIOS interface driver)
0xF6A8C000 C:\WINDOWS\System32\Drivers\Normandy.SYS 36864 bytes (RKU Driver)
0xF74E7000 SahdIa32.sys 36864 bytes (Sonic Solutions, Disk Filter Driver)
0xED82C000 C:\WINDOWS\System32\Drivers\SaibVd32.sys 36864 bytes (Sonic Solutions, FileDisk Virtual Disk Driver)
0xEBF3B000 C:\WINDOWS\system32\DRIVERS\wanarp.sys 36864 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
0xECF6E000 C:\WINDOWS\System32\Drivers\Npfs.SYS 32768 bytes (Microsoft Corporation, NPFS Driver)
0xEC12D000 C:\WINDOWS\System32\Drivers\NVTCAMD2.SYS 32768 bytes (Windows ® Codename Longhorn DDK provider, Universal Serial Bus Camera Driver)
0xF7717000 SaibIa32.sys 32768 bytes (Sonic Solutions, Disk Filter Driver)
0xEC135000 C:\WINDOWS\system32\DRIVERS\usbccgp.sys 32768 bytes (Microsoft Corporation, USB Common Class Generic Parent Driver)
0xF77F7000 C:\WINDOWS\system32\DRIVERS\usbehci.sys 32768 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
0xF7707000 C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS 28672 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
0xEFAF7000 C:\WINDOWS\System32\Drivers\avgmfx86.sys 24576 bytes (AVG Technologies CZ, s.r.o., AVG Resident Shield Minifilter Driver)
0xF77DF000 C:\WINDOWS\system32\DRIVERS\kbdclass.sys 24576 bytes (Microsoft Corporation, Keyboard Class Driver)
0xF77E7000 C:\WINDOWS\system32\DRIVERS\mouclass.sys 24576 bytes (Microsoft Corporation, Mouse Class Driver)
0xECF7E000 C:\WINDOWS\System32\drivers\vga.sys 24576 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
0xECF76000 C:\WINDOWS\System32\Drivers\Msfs.SYS 20480 bytes (Microsoft Corporation, Mailslot driver)
0xF770F000 PartMgr.sys 20480 bytes (Microsoft Corporation, Partition Manager)
0xF7807000 C:\WINDOWS\system32\DRIVERS\ptilink.sys 20480 bytes (Parallel Technologies, Inc., Parallel Technologies DirectParallel IO Library)
0xF780F000 C:\WINDOWS\system32\DRIVERS\raspti.sys 20480 bytes (Microsoft Corporation, PTI DirectParallel® mini-port/call-manager driver)
0xF77FF000 C:\WINDOWS\system32\DRIVERS\TDI.SYS 20480 bytes (Microsoft Corporation, TDI Wrapper)
0xF77EF000 C:\WINDOWS\system32\DRIVERS\usbohci.sys 20480 bytes (Microsoft Corporation, OHCI USB Miniport Driver)
0xEC125000 C:\WINDOWS\System32\watchdog.sys 20480 bytes (Microsoft Corporation, Watchdog Driver)
0xF789F000 C:\WINDOWS\system32\DRIVERS\BATTC.SYS 16384 bytes (Microsoft Corporation, Battery Class Driver)
0xF6A42000 C:\WINDOWS\system32\DRIVERS\CmBatt.sys 16384 bytes (Microsoft Corporation, Control Method Battery Driver)
0xEFB37000 C:\WINDOWS\System32\Drivers\dump_diskdump.sys 16384 bytes
0xF38BE000 C:\WINDOWS\system32\drivers\InCDRec.sys 16384 bytes (Nero AG, Nero InCD File System Recognizer)
0xF6A26000 C:\WINDOWS\system32\DRIVERS\mssmbios.sys 16384 bytes (Microsoft Corporation, System Management BIOS Driver)
0xF7967000 C:\WINDOWS\system32\DRIVERS\ndisuio.sys 16384 bytes (Microsoft Corporation, NDIS User mode I/O Driver)
0xF6A3E000 C:\WINDOWS\system32\DRIVERS\nvsmu.sys 16384 bytes (NVIDIA Corporation, NVIDIA nForce™ SMU Microcontroller Driver)
0xF78A3000 ACPIEC.sys 12288 bytes (Microsoft Corporation, ACPI Embedded Controller Driver)
0xF7897000 C:\WINDOWS\system32\BOOTVID.dll 12288 bytes (Microsoft Corporation, VGA Boot Driver)
0xF789B000 compbatt.sys 12288 bytes (Microsoft Corporation, Composite Battery Driver)
0xEFB1F000 C:\WINDOWS\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver)
0xF7148000 C:\WINDOWS\System32\Drivers\i2omgmt.SYS 12288 bytes (Microsoft Corporation, I2O Utility Filter)
0xF6A36000 C:\WINDOWS\system32\DRIVERS\ndistapi.sys 12288 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
0xF38BA000 C:\WINDOWS\system32\DRIVERS\rasacd.sys 12288 bytes (Microsoft Corporation, RAS Automatic Connection Driver)
0xF6A3A000 C:\WINDOWS\system32\DRIVERS\wmiacpi.sys 12288 bytes (Microsoft Corporation, Windows Management Interface for ACPI)
0xECAFF000 C:\WINDOWS\System32\drivers\ws2ifsl.sys 12288 bytes (Microsoft Corporation, Winsock2 IFS Layer)
0xF798B000 aliide.sys 8192 bytes (Acer Laboratories Inc., ALi mini IDE Driver)
0xF79B5000 C:\WINDOWS\System32\Drivers\Beep.SYS 8192 bytes (Microsoft Corporation, BEEP Driver)
0xF79B3000 C:\WINDOWS\System32\Drivers\Fs_Rec.SYS 8192 bytes (Microsoft Corporation, File System Recognizer Driver)
0xF798F000 intelide.sys 8192 bytes (Microsoft Corporation, Intel PCI IDE Driver)
0xF7987000 C:\WINDOWS\system32\KDCOM.DLL 8192 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
0xF79B7000 C:\WINDOWS\System32\Drivers\mnmdd.SYS 8192 bytes (Microsoft Corporation, Frame buffer simulator)
0xF79B9000 C:\WINDOWS\System32\DRIVERS\RDPCDD.sys 8192 bytes (Microsoft Corporation, RDP Miniport)
0xF79EB000 C:\WINDOWS\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
0xF7A1B000 C:\WINDOWS\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
0xF798D000 viaide.sys 8192 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)
0xF7989000 C:\WINDOWS\system32\DRIVERS\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
0xF7A9A000 C:\WINDOWS\system32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver)
0xEBFDC000 C:\WINDOWS\System32\drivers\dxgthk.sys 4096 bytes (Microsoft Corporation, DirectX Graphics Driver Thunk)
0xEBC52000 C:\WINDOWS\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver)
0xF7A50000 C:\WINDOWS\system32\DRIVERS\OPRGHDLR.SYS 4096 bytes (Microsoft Corporation, ACPI Operation Registration Driver)
0xF7A4F000 pciide.sys 4096 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)
!!!!!!!!!!!Hidden driver: 0x85253AEA ?_empty_? 1302 bytes
!!!!!!!!!!!Hidden driver: 0x852F6408 ?_empty_? 0 bytes
==============================================
>Stealth
==============================================
0xF7303000 WARNING: suspicious driver modification [nvgts.sys::0x85253AEA]
0xF789B000 WARNING: Virus alike driver modification [compbatt.sys], 12288 bytes
0x05830000 Hidden Image-->System.ServiceProcess.dll [ EPROCESS 0x84FBDDA0 ] PID: 2248, 126976 bytes
0x03D40000 Hidden Image-->System.XML.dll [ EPROCESS 0x84FBDDA0 ] PID: 2248, 2060288 bytes
0x048A0000 Hidden Image-->System.EnterpriseServices.dll [ EPROCESS 0x84FBDDA0 ] PID: 2248, 266240 bytes
0x04630000 Hidden Image-->System.Transactions.dll [ EPROCESS 0x84FBDDA0 ] PID: 2248, 270336 bytes
0x01360000 Hidden Image-->log4net.dll [ EPROCESS 0x84FBDDA0 ] PID: 2248, 282624 bytes
0x01160000 Hidden Image-->Interop.HPQTOASTERLib.dll [ EPROCESS 0x83B7B300 ] PID: 2656, 28672 bytes
0x03C80000 Hidden Image-->Interop.HPQWMIEXLib.dll [ EPROCESS 0x83B7B300 ] PID: 2656, 28672 bytes
0x042E0000 Hidden Image-->System.Data.dll [ EPROCESS 0x84FBDDA0 ] PID: 2248, 2961408 bytes
0x04E70000 Hidden Image-->System.Runtime.Remoting.dll [ EPROCESS 0x84FBDDA0 ] PID: 2248, 307200 bytes
0x03720000 Hidden Image-->System.dll [ EPROCESS 0x84FBDDA0 ] PID: 2248, 3158016 bytes
0x03A60000 Hidden Image-->HPWAMain.resources.dll [ EPROCESS 0x83B7B300 ] PID: 2656, 36864 bytes
0x05740000 Hidden Image-->Intuit.Spc.Map.WindowsFirewallUtilities.dll [ EPROCESS 0x84FBDDA0 ] PID: 2248, 421888 bytes
0x03510000 Hidden Image-->System.configuration.dll [ EPROCESS 0x84FBDDA0 ] PID: 2248, 438272 bytes
0x046A0000 Hidden Image-->Intuit.Spc.Map.Reporter.dll [ EPROCESS 0x84FBDDA0 ] PID: 2248, 479232 bytes
0x050C0000 Hidden Image-->System.Windows.Forms.dll [ EPROCESS 0x84FBDDA0 ] PID: 2248, 5033984 bytes
0x056A0000 Hidden Image-->System.Drawing.dll [ EPROCESS 0x84FBDDA0 ] PID: 2248, 634880 bytes
0x04200000 Hidden Image-->System.Data.SQLite.DLL [ EPROCESS 0x84FBDDA0 ] PID: 2248, 872448 bytes
==============================================
>Files
==============================================
==============================================
>Hooks
==============================================
ntkrnlpa.exe+0x0002D500, Type: Inline - RelativeJump 0x80504500-->8050456B [ntkrnlpa.exe]
ntkrnlpa.exe+0x0002D524, Type: Inline - RelativeJump 0x80504524-->80504538 [ntkrnlpa.exe]
ntkrnlpa.exe+0x0002D534, Type: Inline - RelativeJump 0x80504534-->80504571 [ntkrnlpa.exe]
ntkrnlpa.exe+0x0002D54C, Type: Inline - RelativeJump 0x8050454C-->80504563 [ntkrnlpa.exe]
ntkrnlpa.exe+0x0002D564, Type: Inline - RelativeJump 0x80504564-->80504551 [ntkrnlpa.exe]
ntkrnlpa.exe+0x0002D63C, Type: Inline - RelativeJump 0x8050463C-->8050467F [ntkrnlpa.exe]
ntkrnlpa.exe+0x0002D79C, Type: Inline - RelativeJump 0x8050479C-->8050481D [ntkrnlpa.exe]
ntkrnlpa.exe+0x0006ECAE, Type: Inline - RelativeJump 0x80545CAE-->80545CB5 [ntkrnlpa.exe]
tcpip.sys-->ndis.sys-->NdisCloseAdapter, Type: IAT modification 0xEB1AB428-->EB089CBA [vsdatant.sys]
tcpip.sys-->ndis.sys-->NdisOpenAdapter, Type: IAT modification 0xEB1AB454-->EB0894C8 [vsdatant.sys]
tcpip.sys-->ndis.sys-->NdisRegisterProtocol, Type: IAT modification 0xEB1AB460-->EB089672 [vsdatant.sys]
wanarp.sys-->ndis.sys-->NdisCloseAdapter, Type: IAT modification 0xEBF40B4C-->EB089CBA [vsdatant.sys]
wanarp.sys-->ndis.sys-->NdisDeregisterProtocol, Type: IAT modification 0xEBF40B1C-->EB087C2A [vsdatant.sys]
wanarp.sys-->ndis.sys-->NdisOpenAdapter, Type: IAT modification 0xEBF40B3C-->EB0894C8 [vsdatant.sys]
wanarp.sys-->ndis.sys-->NdisRegisterProtocol, Type: IAT modification 0xEBF40B28-->EB089672 [vsdatant.sys]
[1372]svchost.exe-->mswsock.dll+0x00004057, Type: Inline - RelativeJump 0x71A54057-->00000000 [unknown_code_page]
[1372]svchost.exe-->mswsock.dll+0x0000433A, Type: Inline - RelativeJump 0x71A5433A-->00000000 [unknown_code_page]
[1372]svchost.exe-->mswsock.dll+0x00005847, Type: Inline - RelativeJump 0x71A55847-->00000000 [unknown_code_page]
[1372]svchost.exe-->ntdll.dll-->KiUserExceptionDispatcher, Type: Inline - RelativeJump 0x7C90E47C-->00000000 [unknown_code_page]
[1372]svchost.exe-->ntdll.dll-->NtProtectVirtualMemory, Type: Inline - RelativeJump 0x7C90D6EE-->00000000 [unknown_code_page]
[1372]svchost.exe-->ntdll.dll-->NtWriteVirtualMemory, Type: Inline - RelativeJump 0x7C90DFAE-->00000000 [unknown_code_page]
[1372]svchost.exe-->user32.dll-->GetCursorPos, Type: Inline - RelativeJump 0x7E42974E-->00000000 [unknown_code_page]
[560]explorer.exe-->advapi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77DD1218-->00000000 [shimeng.dll]
[560]explorer.exe-->gdi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77F110B4-->00000000 [shimeng.dll]
[560]explorer.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x01001268-->00000000 [shimeng.dll]
[560]explorer.exe-->mswsock.dll+0x00004057, Type: Inline - RelativeJump 0x71A54057-->00000000 [unknown_code_page]
[560]explorer.exe-->mswsock.dll+0x0000433A, Type: Inline - RelativeJump 0x71A5433A-->00000000 [unknown_code_page]
[560]explorer.exe-->mswsock.dll+0x00005847, Type: Inline - RelativeJump 0x71A55847-->00000000 [unknown_code_page]
[560]explorer.exe-->ntdll.dll-->KiUserExceptionDispatcher, Type: Inline - RelativeJump 0x7C90E47C-->00000000 [unknown_code_page]
[560]explorer.exe-->ntdll.dll-->NtProtectVirtualMemory, Type: Inline - RelativeJump 0x7C90D6EE-->00000000 [unknown_code_page]
[560]explorer.exe-->ntdll.dll-->NtWriteVirtualMemory, Type: Inline - RelativeJump 0x7C90DFAE-->00000000 [unknown_code_page]
[560]explorer.exe-->shell32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7C9C15A4-->00000000 [shimeng.dll]
[560]explorer.exe-->user32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7E41133C-->00000000 [shimeng.dll]


#5 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:03:27 AM

Posted 01 June 2010 - 11:10 PM

Hello

I Would like you to do the following.

Please print out or make a copy in notpad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:
    Please visit this webpage for download links, and instructions for running the tool:

    http://www.bleepingcomputer.com/combofix/how-to-use-combofix

    Please ensure you read this guide carefully and install the Recovery Console first.

    The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode.
    This allows us to more easily help you should your computer have a problem after an attempted removal of malware.
    It is a simple procedure that will only take a few moments of your time.


    Once installed, you should see a blue screen prompt that says:
      The Recovery Console was successfully installed.
    Please continue as follows:
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Click Yes to allow ComboFix to continue scanning for malware.

    When the tool is finished, it will produce a report for you.

    Please include the report in your next post:

    C:\ComboFix.txt

"information and logs"
    In your next post I need the following
    1. Log from Combofix
    2. let me know of any problems you may have had
    3. How is the computer doing now?

Gringo



I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#6 Tikibum

Tikibum
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:12:27 AM

Posted 04 June 2010 - 07:10 PM

ComboFix is freezing each time I run it. Installing the Recovery Console was simple enough, but every time I try to run ComboFix, it seems like it freezes before it even does anything. I have run it 3 times: 2 times on different days for 5 hours each (once in safe mode), and then I ran it again overnight for a total time of 15 hours. It displays the scanning files, takes 10 min, probably double for an infected computer, and it never goes farther than that. There are also a couple of things that might have interfered with it. I've disabled both my antivirus and firewall, but with AVG I cannot disable the antispyware scanner without completely removing AVG entirely. Should I uninstall my AVG and then run ComboFix? I've also run the tests while my wireless was disabled if they might affect it. Thank you again for your time.

#7 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:03:27 AM

Posted 04 June 2010 - 07:14 PM

Hello

most likely it is the antivirus causing this please make sure all security programs are turned off during the scans and if needed uninstall it untill we are done

if it takes more that 20min with it looking like it is bot doing anything shut it down and let me know


Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#8 Tikibum

Tikibum
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:12:27 AM

Posted 06 June 2010 - 02:10 AM

Ok now the problem is trying to uninstall AVG. During the process I get this error:

Local machine: installation failed
Installation:
Error: Action failed for registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows: creating registry key....
Access is denied.




#9 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:03:27 AM

Posted 06 June 2010 - 02:15 AM

hello

ok go here and download there remover

http://www.avg.com/us-en/download-tools


gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#10 Tikibum

Tikibum
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:12:27 AM

Posted 08 June 2010 - 02:18 AM

ComboFix is taking longer than 20 minwith AVG uninstalled. I have uninstalled AVG with the removal, but now I can't install AVG back onto my computer. The error seems to be the same one as my last reply. And when I try to use windows recovery console, I get a blue screen with the error

STOP: 0x0000007B (0xF7B60524, 0xC00000034, 0x00000000, 0x00000000)

#11 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:03:27 AM

Posted 08 June 2010 - 02:23 AM

Good morning

ok run this first

TDSSKiller:
  • Please Download TDSSKiller.zip and save it on your desktop.
  • extract (unzip) its contents to your Desktop.
  • double-click the TDSSKiller Folder on your desktop.
  • right-click on TDSSKiller.exe and click Copy then Paste it directly on to your Desktop.
  • Highlight and copy the text in the codebox below.
CODE
"%userprofile%\desktop\tdsskiller.exe" -l "%userprofile%\desktop\tdsskiller.txt"
  • Click Start, click Run... and paste the text above into the Open: line and click OK.
  • If malicious services or files have been detected, the utility will prompt to reboot the PC in order to complete the disinfection procedure. Please reboot when prompted.
  • After reboot, the driver will delete malicious registry keys and files as well as remove itself from the services list.
  • a log file should be created on your C: drive named something like TDSSKiller 2.1.1 Dec 20 2009 02:40:02
  • To find the log click Start then Computer then Vista ( C:).
  • Please post the contents of that log in your next reply

let me have this log then we will decide what to do after, we will deal with avg after we clean up alittle

gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#12 Tikibum

Tikibum
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:12:27 AM

Posted 08 June 2010 - 03:16 AM

01:05:41:703 2080 TDSS rootkit removing tool 2.3.2.0 May 31 2010 10:39:48
01:05:41:703 2080 ================================================================================
01:05:41:703 2080 SystemInfo:

01:05:41:703 2080 OS Version: 5.1.2600 ServicePack: 3.0
01:05:41:703 2080 Product type: Workstation
01:05:41:703 2080 ComputerName: DAD
01:05:41:703 2080 UserName: David
01:05:41:703 2080 Windows directory: C:\WINDOWS
01:05:41:703 2080 Processor architecture: Intel x86
01:05:41:703 2080 Number of processors: 2
01:05:41:703 2080 Page size: 0x1000
01:05:41:703 2080 Boot type: Normal boot
01:05:41:703 2080 ================================================================================
01:05:42:156 2080 Initialize success
01:05:42:156 2080
01:05:42:156 2080 Scanning Services ...
01:05:42:500 2080 Raw services enum returned 361 services
01:05:42:515 2080
01:05:42:515 2080 Scanning Drivers ...
01:05:42:937 2080 abp480n5 (6abb91494fe6c59089b9336452ab2ea3) C:\WINDOWS\system32\DRIVERS\ABP480N5.SYS
01:05:43:031 2080 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
01:05:43:125 2080 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\DRIVERS\ACPIEC.sys
01:05:43:187 2080 adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\system32\DRIVERS\adpu160m.sys
01:05:43:296 2080 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
01:05:43:421 2080 AESTAud (822d53766d57c90c437536232ece9023) C:\WINDOWS\system32\drivers\AESTAud.sys
01:05:43:531 2080 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
01:05:43:640 2080 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys
01:05:43:671 2080 agpCPQ (03a7e0922acfe1b07d5db2eeb0773063) C:\WINDOWS\system32\DRIVERS\agpCPQ.sys
01:05:43:703 2080 Aha154x (c23ea9b5f46c7f7910db3eab648ff013) C:\WINDOWS\system32\DRIVERS\aha154x.sys
01:05:43:796 2080 aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\system32\DRIVERS\aic78u2.sys
01:05:43:843 2080 aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\system32\DRIVERS\aic78xx.sys
01:05:43:906 2080 AliIde (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\system32\DRIVERS\aliide.sys
01:05:44:015 2080 alim1541 (cb08aed0de2dd889a8a820cd8082d83c) C:\WINDOWS\system32\DRIVERS\alim1541.sys
01:05:44:046 2080 amdagp (95b4fb835e28aa1336ceeb07fd5b9398) C:\WINDOWS\system32\DRIVERS\amdagp.sys
01:05:44:062 2080 amsint (79f5add8d24bd6893f2903a3e2f3fad6) C:\WINDOWS\system32\DRIVERS\amsint.sys
01:05:44:187 2080 ApfiltrService (703caf97e7c6a61c21d389c517885c50) C:\WINDOWS\system32\DRIVERS\Apfiltr.sys
01:05:44:218 2080 asc (62d318e9a0c8fc9b780008e724283707) C:\WINDOWS\system32\DRIVERS\asc.sys
01:05:44:296 2080 asc3350p (69eb0cc7714b32896ccbfd5edcbea447) C:\WINDOWS\system32\DRIVERS\asc3350p.sys
01:05:44:390 2080 asc3550 (5d8de112aa0254b907861e9e9c31d597) C:\WINDOWS\system32\DRIVERS\asc3550.sys
01:05:44:437 2080 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
01:05:44:515 2080 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
01:05:44:656 2080 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
01:05:44:687 2080 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
01:05:44:812 2080 BCM43XX (69dd2805f42f2de52a5fcbcfa9d8848f) C:\WINDOWS\system32\DRIVERS\bcmwl5.sys
01:05:44:984 2080 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
01:05:45:125 2080 cbidf (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\DRIVERS\cbidf2k.sys
01:05:45:218 2080 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
01:05:45:281 2080 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
01:05:45:359 2080 cd20xrnt (f3ec03299634490e97bbce94cd2954c7) C:\WINDOWS\system32\DRIVERS\cd20xrnt.sys
01:05:45:437 2080 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
01:05:45:515 2080 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
01:05:45:593 2080 Cdrom (4b0a100eaf5c49ef3cca8c641431eacc) C:\WINDOWS\system32\DRIVERS\cdrom.sys
01:05:45:750 2080 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
01:05:45:796 2080 CmdIde (e5dcb56c533014ecbc556a8357c929d5) C:\WINDOWS\system32\DRIVERS\cmdide.sys
01:05:45:843 2080 Compbatt (6ad18d8b37a9255055c2bc432b3b1cc9) C:\WINDOWS\system32\DRIVERS\compbatt.sys
01:05:45:843 2080 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\compbatt.sys. Real md5: 6ad18d8b37a9255055c2bc432b3b1cc9, Fake md5: 6e4c9f21f0fae8940661144f41b13203
01:05:45:843 2080 File "C:\WINDOWS\system32\DRIVERS\compbatt.sys" infected by TDSS rootkit ... 01:05:49:953 2080 Backup copy found, using it..
01:05:49:984 2080 will be cured on next reboot
01:05:50:078 2080 Cpqarray (3ee529119eed34cd212a215e8c40d4b6) C:\WINDOWS\system32\DRIVERS\cpqarray.sys
01:05:50:093 2080 dac2w2k (e550e7418984b65a78299d248f0a7f36) C:\WINDOWS\system32\DRIVERS\dac2w2k.sys
01:05:50:156 2080 dac960nt (683789caa3864eb46125ae86ff677d34) C:\WINDOWS\system32\DRIVERS\dac960nt.sys
01:05:50:328 2080 DCamUSBNovatek (55f79fa1f0e3240edbf5832a33f6fb30) C:\WINDOWS\system32\Drivers\nvtcam.sys
01:05:50:390 2080 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
01:05:50:484 2080 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
01:05:50:578 2080 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
01:05:50:640 2080 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
01:05:50:718 2080 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
01:05:50:828 2080 dpti2o (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\WINDOWS\system32\DRIVERS\dpti2o.sys
01:05:50:921 2080 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
01:05:51:031 2080 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
01:05:51:062 2080 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
01:05:51:125 2080 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
01:05:51:218 2080 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
01:05:51:265 2080 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
01:05:51:328 2080 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
01:05:51:390 2080 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
01:05:51:468 2080 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
01:05:51:531 2080 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
01:05:51:609 2080 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
01:05:51:671 2080 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
01:05:51:750 2080 hpn (b028377dea0546a5fcfba928a8aefae0) C:\WINDOWS\system32\DRIVERS\hpn.sys
01:05:51:859 2080 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
01:05:51:937 2080 i2omgmt (9368670bd426ebea5e8b18a62416ec28) C:\WINDOWS\system32\drivers\i2omgmt.sys
01:05:52:000 2080 i2omp (f10863bf1ccc290babd1a09188ae49e0) C:\WINDOWS\system32\DRIVERS\i2omp.sys
01:05:52:062 2080 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
01:05:52:093 2080 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
01:05:52:156 2080 InCDfs (914b9bd741189335c1f8d0cceda8b639) C:\WINDOWS\system32\drivers\InCDFs.sys
01:05:52:218 2080 InCDPass (4750cb7883952f873f778bdcf09e6c93) C:\WINDOWS\system32\drivers\InCDPass.sys
01:05:52:250 2080 InCDRec (4fadcd138c649545bfa9dc3bbc8fee0d) C:\WINDOWS\system32\drivers\InCDRec.sys
01:05:52:265 2080 incdrm (efe97b244c8dc63600777207df6afac1) C:\WINDOWS\system32\drivers\InCDRm.sys
01:05:52:328 2080 ini910u (4a40e045faee58631fd8d91afc620719) C:\WINDOWS\system32\DRIVERS\ini910u.sys
01:05:52:359 2080 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
01:05:52:421 2080 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
01:05:52:437 2080 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
01:05:52:437 2080 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
01:05:52:453 2080 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
01:05:52:484 2080 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
01:05:52:562 2080 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
01:05:52:578 2080 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
01:05:52:656 2080 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
01:05:52:671 2080 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
01:05:52:750 2080 klmd23 (67e1faa88fb397b3d56909d7e04f4dd3) C:\WINDOWS\system32\drivers\klmd.sys
01:05:52:781 2080 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
01:05:52:906 2080 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
01:05:53:000 2080 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
01:05:53:078 2080 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
01:05:53:156 2080 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
01:05:53:218 2080 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
01:05:53:296 2080 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
01:05:53:312 2080 mraid35x (3f4bb95e5a44f3be34824e8e7caf0737) C:\WINDOWS\system32\DRIVERS\mraid35x.sys
01:05:53:359 2080 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
01:05:53:437 2080 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
01:05:53:500 2080 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
01:05:53:546 2080 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
01:05:53:593 2080 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
01:05:53:625 2080 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
01:05:53:671 2080 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
01:05:53:687 2080 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
01:05:53:734 2080 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
01:05:53:796 2080 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
01:05:53:906 2080 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
01:05:53:921 2080 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
01:05:53:937 2080 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
01:05:53:984 2080 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
01:05:54:062 2080 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
01:05:54:125 2080 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
01:05:54:171 2080 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
01:05:54:312 2080 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
01:05:54:359 2080 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
01:05:54:421 2080 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
01:05:54:515 2080 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
01:05:54:875 2080 nv (8a7d9e414d1123cecce9cf1dd55e9f08) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
01:05:55:218 2080 NVENETFD (7d275ecda4628318912f6c945d5cf963) C:\WINDOWS\system32\DRIVERS\NVENETFD.sys
01:05:55:343 2080 nvgts (75e2e77c5497f34e60491d27bf03f1cb) C:\WINDOWS\system32\drivers\nvgts.sys
01:05:55:406 2080 NVHDA (8d0b353c0918b39093dca36d47a6a3aa) C:\WINDOWS\system32\drivers\nvhda32.sys
01:05:55:562 2080 nvnetbus (b64aacefad2be5bff5353fe681253c67) C:\WINDOWS\system32\DRIVERS\nvnetbus.sys
01:05:55:593 2080 nvsmu (2a085aec3ab2b1211611d2a7b9e22456) C:\WINDOWS\system32\DRIVERS\nvsmu.sys
01:05:55:703 2080 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
01:05:55:734 2080 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
01:05:55:765 2080 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\drivers\Parport.sys
01:05:55:875 2080 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
01:05:55:953 2080 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
01:05:56:093 2080 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
01:05:56:312 2080 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
01:05:56:421 2080 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
01:05:56:875 2080 perc2 (6c14b9c19ba84f73d3a86dba11133101) C:\WINDOWS\system32\DRIVERS\perc2.sys
01:05:57:000 2080 perc2hib (f50f7c27f131afe7beba13e14a3b9416) C:\WINDOWS\system32\DRIVERS\perc2hib.sys
01:05:57:062 2080 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
01:05:57:203 2080 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
01:05:57:281 2080 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
01:05:57:406 2080 PxHelp20 (5491e4e7d93804f43abe8ce3c39f5a86) C:\WINDOWS\system32\Drivers\PxHelp20.sys
01:05:57:546 2080 ql1080 (0a63fb54039eb5662433caba3b26dba7) C:\WINDOWS\system32\DRIVERS\ql1080.sys
01:05:57:593 2080 Ql10wnt (6503449e1d43a0ff0201ad5cb1b8c706) C:\WINDOWS\system32\DRIVERS\ql10wnt.sys
01:05:57:609 2080 ql12160 (156ed0ef20c15114ca097a34a30d8a01) C:\WINDOWS\system32\DRIVERS\ql12160.sys
01:05:57:640 2080 ql1240 (70f016bebde6d29e864c1230a07cc5e6) C:\WINDOWS\system32\DRIVERS\ql1240.sys
01:05:57:656 2080 ql1280 (907f0aeea6bc451011611e732bd31fcf) C:\WINDOWS\system32\DRIVERS\ql1280.sys
01:05:57:765 2080 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
01:05:57:875 2080 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
01:05:57:953 2080 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
01:05:58:046 2080 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
01:05:58:156 2080 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
01:05:58:265 2080 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
01:05:58:421 2080 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
01:05:58:500 2080 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
01:05:58:562 2080 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
01:05:58:640 2080 RSUSBSTOR (c7c13d4f574cf7794348b3b2a3f198d8) C:\WINDOWS\system32\Drivers\RtsUStor.sys
01:05:58:781 2080 rtl8139 (d507c1400284176573224903819ffda3) C:\WINDOWS\system32\DRIVERS\RTL8139.SYS
01:05:59:281 2080 SahdIa32 (0b2d5d2341437d7d7e1a6c7bbce3786a) C:\WINDOWS\system32\Drivers\SahdIa32.sys
01:05:59:281 2080 SaibIa32 (7a5f65b16249af2bc9d18d815f5d7172) C:\WINDOWS\system32\Drivers\SaibIa32.sys
01:05:59:343 2080 SaibVd32 (e333c9515822de586a3ff759a0c9b7bf) C:\WINDOWS\system32\Drivers\SaibVd32.sys
01:05:59:421 2080 SASDIFSV (a3281aec37e0720a2bc28034c2df2a56) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
01:05:59:453 2080 SASKUTIL (4fd72291a89793049104ca0a7e353cd4) C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
01:05:59:515 2080 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
01:05:59:546 2080 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\drivers\Serial.sys
01:05:59:640 2080 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
01:05:59:718 2080 sisagp (6b33d0ebd30db32e27d1d78fe946a754) C:\WINDOWS\system32\DRIVERS\sisagp.sys
01:05:59:843 2080 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
01:05:59:937 2080 Sparrow (83c0f71f86d3bdaf915685f3d568b20e) C:\WINDOWS\system32\DRIVERS\sparrow.sys
01:06:00:000 2080 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
01:06:00:109 2080 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
01:06:00:156 2080 Srv (89220b427890aa1dffd1a02648ae51c3) C:\WINDOWS\system32\DRIVERS\srv.sys
01:06:00:281 2080 STHDA (7a056a17333b28c2551fc94dabb6e36a) C:\WINDOWS\system32\drivers\sthda.sys
01:06:00:390 2080 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
01:06:00:453 2080 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
01:06:00:546 2080 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
01:06:00:578 2080 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\system32\DRIVERS\symc810.sys
01:06:00:593 2080 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\system32\DRIVERS\symc8xx.sys
01:06:00:656 2080 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\system32\DRIVERS\sym_hi.sys
01:06:00:703 2080 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\system32\DRIVERS\sym_u3.sys
01:06:00:781 2080 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
01:06:00:890 2080 SysCow (9c1c6212623484331cce11ebbbfa3139) C:\WINDOWS\system32\drivers\syscow32x.sys
01:06:00:968 2080 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
01:06:01:046 2080 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
01:06:01:125 2080 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
01:06:01:171 2080 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
01:06:01:250 2080 TosIde (f2790f6af01321b172aa62f8e1e187d9) C:\WINDOWS\system32\DRIVERS\toside.sys
01:06:01:296 2080 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
01:06:01:328 2080 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\system32\DRIVERS\ultra.sys
01:06:01:437 2080 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
01:06:01:500 2080 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
01:06:01:531 2080 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
01:06:01:609 2080 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
01:06:01:656 2080 usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys
01:06:01:703 2080 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
01:06:01:781 2080 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
01:06:01:828 2080 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
01:06:01:859 2080 usbvideo (63bbfca7f390f4c49ed4b96bfb1633e0) C:\WINDOWS\system32\Drivers\usbvideo.sys
01:06:01:953 2080 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
01:06:02:031 2080 viaagp (754292ce5848b3738281b4f3607eaef4) C:\WINDOWS\system32\DRIVERS\viaagp.sys
01:06:02:078 2080 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys
01:06:02:093 2080 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
01:06:02:109 2080 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
01:06:02:203 2080 Wdf01000 (fd47474bd21794508af449d9d91af6e6) C:\WINDOWS\system32\DRIVERS\Wdf01000.sys
01:06:02:312 2080 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
01:06:02:390 2080 WmiAcpi (c42584fd66ce9e17403aebca199f7bdb) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
01:06:02:437 2080 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
01:06:02:500 2080 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
01:06:02:593 2080 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
01:06:02:609 2080 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
01:06:02:625 2080 Reboot required for cure complete..
01:06:02:703 2080 Cure on reboot scheduled successfully
01:06:02:703 2080
01:06:02:703 2080 Completed
01:06:02:703 2080
01:06:02:703 2080 Results:
01:06:02:703 2080 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
01:06:02:703 2080 File objects infected / cured / cured on reboot: 1 / 0 / 1
01:06:02:703 2080
01:06:02:703 2080 KLMD(ARK) unloaded successfully


#13 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:03:27 AM

Posted 08 June 2010 - 03:25 AM

good

now lets combofix again

update combofix

I would like you to download an updated virsion of combofix.
    Delete the version of combofix you have now on your desktop and download a new one from here

    **Note: It is important that it is saved directly to your desktop**

    1. Close any open browsers.
    2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    Double click on combofix.exe & follow the prompts.
    When finished, it will produce a report for you.

    Note:Do not mouseclick combofix's window while it's running. That may cause it to stall


gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#14 Tikibum

Tikibum
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:12:27 AM

Posted 08 June 2010 - 06:51 PM

ComboFix 10-06-08.02 - David 06/08/2010 16:25:05.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.894.386 [GMT -7:00]
Running from: c:\documents and settings\David\Desktop\ComboFix.exe
FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\st326222.dll

.
((((((((((((((((((((((((( Files Created from 2010-05-08 to 2010-06-08 )))))))))))))))))))))))))))))))
.

2010-06-08 02:29 . 2010-06-08 02:29 -------- d-----w- c:\windows\Internet Logs
2010-06-02 20:14 . 2010-06-02 20:14 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-05-31 03:24 . 2010-05-31 03:24 -------- d-sh--w- c:\documents and settings\Sarai\IECompatCache
2010-05-26 22:33 . 2010-05-26 22:33 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-05-26 22:30 . 2010-04-29 22:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-26 22:30 . 2010-05-26 22:31 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-26 22:30 . 2010-04-29 22:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-26 08:29 . 2010-05-26 08:29 -------- d-----w- c:\documents and settings\David\Application Data\ElevatedDiagnostics
2010-05-26 07:51 . 2010-05-26 07:51 -------- d-----w- c:\program files\Common Files\Java
2010-05-26 07:51 . 2010-05-26 07:51 503808 ----a-w- c:\documents and settings\David\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-4eef0729-n\msvcp71.dll
2010-05-26 07:51 . 2010-05-26 07:51 499712 ----a-w- c:\documents and settings\David\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-4eef0729-n\jmc.dll
2010-05-26 07:51 . 2010-05-26 07:51 348160 ----a-w- c:\documents and settings\David\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-4eef0729-n\msvcr71.dll
2010-05-26 07:51 . 2010-05-26 07:51 61440 ----a-w- c:\documents and settings\David\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-43f0d4fb-n\decora-sse.dll
2010-05-26 07:51 . 2010-05-26 07:51 12800 ----a-w- c:\documents and settings\David\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-43f0d4fb-n\decora-d3d.dll
2010-05-26 07:51 . 2010-04-13 00:29 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-17 07:57 . 2010-05-17 22:05 -------- d-----w- c:\documents and settings\David\Local Settings\Application Data\ApplicationHistory
2010-05-16 07:32 . 2010-05-16 07:32 -------- d-----w- c:\windows\system32\URTTEMP
2010-05-15 01:32 . 2010-05-15 01:32 -------- d-----w- c:\documents and settings\David\Application Data\Malwarebytes
2010-05-15 01:31 . 2010-05-15 01:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-05-14 07:40 . 2010-05-14 07:40 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-05-14 07:33 . 2010-05-15 06:16 -------- d-----w- c:\documents and settings\David\Local Settings\Application Data\ogqlalrme

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-08 08:07 . 2008-04-14 16:06 10240 ----a-w- c:\windows\system32\drivers\compbatt.sys
2010-06-08 07:02 . 2010-01-07 12:47 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-06-08 02:20 . 2010-01-07 12:47 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2010-06-02 00:18 . 2010-04-30 23:44 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-06-02 00:18 . 2010-04-30 23:45 63488 ----a-w- c:\documents and settings\David\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-06-02 00:18 . 2010-04-30 23:44 117760 ----a-w- c:\documents and settings\David\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-05-26 07:50 . 2009-08-21 01:09 -------- d-----w- c:\program files\Java
2010-05-26 06:04 . 2010-01-08 02:48 -------- d-----w- c:\documents and settings\David\Application Data\MSN6
2010-05-25 18:42 . 2010-02-10 19:56 -------- d-----w- c:\program files\World of Warcraft
2010-05-18 23:26 . 2010-03-03 01:56 -------- d-----w- c:\documents and settings\David\Application Data\vlc
2010-05-17 21:12 . 2010-01-30 08:31 -------- d-----w- c:\program files\Warcraft III
2010-05-12 13:49 . 2009-08-21 00:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-04-30 23:45 . 2010-04-30 23:45 52224 ----a-w- c:\documents and settings\David\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-04-30 23:44 . 2010-04-30 23:44 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-04-30 23:44 . 2010-04-30 23:44 -------- d-----w- c:\documents and settings\David\Application Data\SUPERAntiSpyware.com
2010-04-30 23:43 . 2010-04-30 23:43 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\NBHShellExt]
@="{8D2223A2-B3C6-4e32-B096-CDD11F628C60}"
[HKEY_CLASSES_ROOT\CLSID\{8D2223A2-B3C6-4e32-B096-CDD11F628C60}]
2008-08-08 19:28 97064 ----a-w- c:\program files\Nero\Nero8\InCD\NBHShx.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [2008-06-24 1840424]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-05-14 2017280]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-27 3883856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2009-07-13 458844]
"AESTFltr"="c:\windows\system32\AESTFltr.exe" [2009-07-06 737280]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2009-07-09 212992]
"nwiz"="nwiz.exe" [2009-06-26 1657376]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-06-26 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-06-26 13762560]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-28 35696]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"WirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2009-07-23 498744]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2009-10-10 203264]
"SecurDisc"="c:\program files\Nero\Nero8\InCD\NBHGui.exe" [2008-08-08 2049320]
"InCD"="c:\program files\Nero\Nero8\InCD\InCD.exe" [2008-08-08 1083176]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP]
2009-07-14 10:54 589104 ----a-w- c:\program files\Hewlett-Packard\HP QuickSync\QuickSync.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-11-13 00:33 141600 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel]
2009-01-28 06:30 2387968 ----a-w- c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2009-07-27 00:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2008-07-09 22:39 570664 ----a-w- c:\program files\Common Files\Nero\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-11 07:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ACDaemon"=2 (0x2)
"LightScribeService"=2 (0x2)
"9734BF6A-2DCD-40f0-BAB0-5AAFEEBE1269"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Hewlett-Packard\\HP QuickSync\\jre\\bin\\javaw.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.0-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\Launcher.exe"=

R0 SahdIa32;HDD Filter Driver;c:\windows\system32\drivers\SahdIa32.sys [8/20/2009 5:34 PM 21488]
R0 SaibIa32;Volume Filter Driver;c:\windows\system32\drivers\SaibIa32.sys [8/20/2009 5:34 PM 15856]
R0 SysCow;SysCow;c:\windows\system32\drivers\syscow32x.sys [7/1/2009 11:10 PM 103792]
R1 SaibVd32;Virtual Disk Driver;c:\windows\system32\drivers\SaibVd32.sys [8/20/2009 5:34 PM 25584]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [4/27/2010 5:30 PM 68168]
R2 BOTService;BOTService;c:\program files\Roxio\BackOnTrack\Instant Restore\BOTService.exe [7/9/2009 4:08 AM 199152]
R2 NeroRegInCDSrv;Nero Registry InCD Service;c:\program files\Nero\Nero8\InCD\NBHRegInCDSrv.exe [8/8/2008 12:28 PM 53032]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [8/20/2009 5:01 PM 113664]
R3 DCamUSBNovatek;USB2.0 UVC Camera;c:\windows\system32\drivers\nvtcam.sys [1/5/2010 9:20 AM 2701040]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [5/11/2009 11:49 AM 56480]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUStor.sys [8/20/2009 5:13 PM 165888]
S3 RtsUIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys --> c:\windows\system32\DRIVERS\Rts516xIR.sys [?]
S4 9734BF6A-2DCD-40f0-BAB0-5AAFEEBE1269;Roxio SAIB Service;c:\program files\Roxio\BackOnTrack\Disaster Recovery\SaibSVC.exe [6/2/2009 7:05 PM 457200]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - KLMDB
*Deregistered* - klmdb

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2009-01-28 06:28 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder

2010-04-20 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34]

2010-06-08 c:\windows\Tasks\BackOnTrack Instant Restore Idle.job
- c:\program files\Roxio\BackOnTrack\Instant Restore\RstIdle.exe [2009-07-09 11:09]

2010-06-08 c:\windows\Tasks\User_Feed_Synchronization-{53E9A076-B9AA-4B46-95F9-5D732C509DE6}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 11:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_US&c=94&bd=Pavilion&pf=cnnb
uInternet Settings,ProxyServer = http=127.0.0.1:5555
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
LSP: %SYSTEMROOT%\system32\nvLsp.dll
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
Notify-avgrsstarter - avgrsstx.dll
SafeBoot-klmdb.sys



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-08 16:42
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
@DACL=(02 0000)
"Installed"="1"
@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
@DACL=(02 0000)
"NoChange"="1"
"Installed"="1"
@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
@DACL=(02 0000)
"Installed"="1"
@=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(788)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(844)
c:\windows\system32\nvLsp.dll
.
Completion time: 2010-06-08 16:47:12
ComboFix-quarantined-files.txt 2010-06-08 23:47

Pre-Run: 62,644,551,680 bytes free
Post-Run: 63,631,052,800 bytes free

- - End Of File - - 09AC4AACB2A0E20ABBF4B0FB68492BE0


#15 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:03:27 AM

Posted 08 June 2010 - 07:02 PM

Greetings

Good That cleaned up some bad guys but I see some other stuff that we need to go after, so I want you to run this custom script for me.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

CODE
DDS::
uInternet Settings,ProxyServer = http=127.0.0.1:5555


Save it to your desktop as CFScript.txt

Refering to the picture above, drag CFScript.txt into ComboFix.exe

This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

NOTE**
  • When ComboFix finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will upload files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.

"information and logs"
    In your next post I need the following
    1. report from Combofix
    2. let me know of any problems you may have had
    3. How is the computer doing now after running the script?

Gringo


I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users