
Rootkit infection


  • This topic is locked
14 replies to this topic

#1 Albear

Albear


Posted 02 June 2010 - 03:40 AM

Referred from here: http://www.bleepingcomputer.com/forums/t/318460/hijacked-help-please/ ~ OB

Last September I purchased a new Dell PC . At the time I had (and still have) a Toshiba laptop.

I have been on the internet at home since 1997 and my first proper job in 1974 was as a computer operator on a giant ICL mainframe. I have driven computers all my life but am not a techie. I have had nothing but despair since I purchased the Dell. On day two, when I was loading the software I purchased from Dell, I had a Vista error message. I rang Dell and they told me my system was corrupt and it would need reinstalling. I said fine and then they told me I had to pay £100+ for them to come and do it!!!

I had paid for 4 years' breakdown insurance but they told me this only covered hardware! So they came and reinstalled. Of note was the fact that the ATI Radeon driver was not on the Dell supplied disc (I don't know if this is where my vulnerability has come from?). So the technician downloaded it. The machine was supplied with Vista, wireless card and wireless keyboard and mouse (no PS2).

Over the next few months I kept losing connectivity or getting multiple networks and unidentified networks. When I looked at services, remote call was always running, spool was, as was remote registry. I was signed in as admin on the machine but was being denied access to many items. For example, Windows Diagnostic service would not start. When I'd access the service it was stopped and all greyed out, which was the same with all the remote access services.

I contacted dell and they asked me for £100+ for software support, hey ho so I went for it and they were pretty stroppy with me by the time I finished contacting them. They were telling me there was nothing wrong with my machine, but I was losing connectivity regularly, I had no control over what was running on my machine and some of my software was getting corrupted.

One of my programs is a database for recording racing pigeon details, pedigrees and velocities; I had files that were alien and a Borland error. I contacted the vendor, who has sold over 30,000 copies, and he didn't have a clue; he posted the error on Borland forums and no one there had ever seen the error!

On my machine I had a mass storage device appear and all my drives according to Device Manager became portable devices. And I had Teredo tunneling devices and Async adapters and ATAPI adapters (though I'm not sure that the ATAPI were always there). I went on to Control Panel/Uninstall and saw the modem device was being used 'regularly' but I never use the modem or fax.

Let me clarify the use on this machine. It is for home use only no other purpose and it is (should not) be shared or accessed by anyone (or my laptop) and nothing should be shared.

However my machine shows all the hallmarks of being shared (hijacked!).
In December last year Dell (after asking me for more money) told me I was entitled to a free upgrade to Windows 7 and that would solve all my problems (they had lost the image on my machine, whatever that meant?). So I did, and the one thing it did do was show me that I had a VPN on my machine: when I converted and looked at Network & Security centre, I had my two normal adapters PLUS a VPN. I immediately disabled it.

I spent January/February contacting Dell and they at one stage accused me of meddling with the machine; well, firstly I hadn't, but secondly it is my machine!!
Then McAfee played up (not for the first time since September). I had the green tick but could not configure it; the chat reps kept telling me if I had the green tick it was OK, BUT I could not configure it, everything was greyed out!! So eventually for 3 weeks McAfee accessed my machine remotely every day and no one could sort it.

Eventually I got escalated to the top technician (I was told) and he ran ComboFix, which identified a rootkit. He cleared it (I think) but then told me my system was corrupt and I should get back to the manufacturer. I posted on Bleeping Computer after this asking for help and at the same time had my Toshiba in at PC World because of similar problems.

PC World advised a complete wiping of the disc and reinstall. I then decided to do the same with the Dell and withdrew my request on Bleeping. I contacted Dell and asked that they wipe my hard disc and reinstall and take my wireless card, and yes I would pay them to do it, but they must wipe my disc! So they came and they took my wireless card out and they DIDN'T wipe the disc!! I got back to them and at this stage my DVD drive had stopped operating (no error messages), just not reading.

So they took the Dell in and returned it two weeks later, but they had not wiped it; they had changed the disc drive (which I was not expecting). We had a big bust-up where the supervisor told me there was nothing wrong with my machine!! I DID A REINSTALL MYSELF BUT STILL HAD PROBLEMS. Where to go??? I found a local computer man in the telephone directory; he came around, he has good experience and was very genuine.

He took my machine away to reinstall 'properly' as he put it. He brought it back and told me it was a super machine and I might have had something on it but now it was OK, and that I had become a computer hypochondriac. He connected it and straight away I felt it was still not right; it connected in to Network (2). Why 2? For me it meant I had two networks on, but I had to go with it.

But here we go again: there was a Teredo tunnel adapter and the old remote services were running, even though since December I had prohibited remote access on the machine. I tried to install my printer but of course my disc was for Vista so I would need to go to the HP website, but then when I took the disc out Windows started installing my printer drivers. I was told this was because 7 is so intuitive, maybe. But it didn't feel right. I had then tried to install my printer wirelessly on my Toshiba laptop and it wouldn't install; it told me that I could not have my printer and computer on different networks!

Then last week (week before?) I lost my LAN adapter from my Dell, so I restored back about a week to a good point, and to my surprise when I looked at Devices and Printers I once again had a mass storage device but, more surprisingly, I had another device, a 'wireless optical desktop'. I have no idea what one is. So in panic I undid the restore and the driver for the optical desktop downloaded but quickly 'masked' itself as a USB driver.

I have not touched the machine since because I opened a topic to help cure my Toshiba laptop which is ongoing.

I also have a mass storage device installed on this Dell machine, and my ancillary card readers now show as portable devices of this device. When I connected to the internet this morning (I have not used this machine for a couple of weeks), I was asked to choose what type of network. I chose Homegroup; interestingly this is called Network 2, which makes me think there is another network running. This is compounded by the fact that when I went in to homegroup settings for file sharing etc. I had two lots of settings I could configure, homegroup and public?

I have also been configuring my firewall; I have blocked all the basic settings, SMB, file sharing etc. This machine is a personal PC and should not be connected in any way with any other machine including my laptop and is purely for home use, no business use. (The only one I can't block is BootP outgoing; if I block this I lose internet connection.) Those programs Norton has automatically allowed access to the internet all connect to port 53. I see they all also have inbound connections to port 49155, which I have blocked (I could not find details of this port in the Norton list). I would be pleased to have advice on whether these port settings are correct.

I was advised today I need to open a new topic for help with the Dell, so that's what I'm doing now. I'll post the link to that topic below in the hope it will help, because I believe they are one and the same. Extreme boy has been helping me with my Toshiba and I'd like again to thank him for his help and patience, because as you can see from this post I ramble, but I don't want to leave out any detail that may be important. And this has been a total blight on my life this past 7 months, because everyone has been telling me there's nothing wrong with my machines.

http://www.bleepingcomputer.com/forums/t/315475/please-check-my-log-files/

DDS File

DDS (Ver_10-03-17.01) - NTFSx86
Run by Alan at 9:17:18.57 on 02/06/2010
Internet Explorer: 8.0.7600.16385
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.44.1033.18.3326.2452 [GMT 1:00]


============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Realtek\Audio\HDA\AERTSrv.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Norton 360\Norton 360\Engine\3.5.2.11\ccSvcHst.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\atieclxx.exe
C:\Windows\system32\taskhost.exe
C:\Program Files\Norton 360\Norton 360\Engine\3.5.2.11\ccSvcHst.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Alan\Desktop\dds.scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://news.bbc.co.uk/
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton 360\norton 360\engine\3.5.2.11\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton 360\norton 360\engine\3.5.2.11\IPSBHO.DLL
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton 360\norton 360\engine\3.5.2.11\coIEPlg.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
TCP: {8AF6171A-34E5-471C-92AA-26FF034D0291} = 192.168.1.254
Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files\norton 360\norton 360\engine\3.5.2.11\CoIEPlg.dll

============= SERVICES / DRIVERS ===============

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0305020.00b\SymEFA.sys [2010-5-27 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\n360\0305020.00b\BHDrvx86.sys [2010-5-27 259632]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\n360\0305020.00b\cchpx86.sys [2010-5-27 482432]
R1 IDSVix86;IDSVix86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20100520.001\IDSvix86.sys [2009-10-28 343088]
R2 AERTFilters;Andrea RT Filters Service;c:\program files\realtek\audio\hda\AERTSrv.exe [2010-5-8 81920]
R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2010-5-8 176128]
R2 N360;Norton 360;c:\program files\norton 360\norton 360\engine\3.5.2.11\ccSvcHst.exe [2010-5-27 117640]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-6-1 102448]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2009-12-19 249888]
R3 SYMNDISV;Symantec Network Filter Driver;c:\windows\system32\drivers\n360\0305020.00b\symndisv.sys [2010-5-27 48688]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-6-2 1343400]

=============== Created Last 30 ================

2010-06-02 08:15:12 0 ----a-w- c:\users\alan\defogger_reenable
2010-06-02 07:54:31 0 d-----w- c:\windows\system32\Wat
2010-06-02 07:52:31 257024 ----a-w- c:\windows\system32\msv1_0.dll
2010-06-02 07:51:07 293376 ----a-w- c:\windows\system32\browserchoice.exe
2010-06-02 07:42:50 427520 ----a-w- c:\windows\system32\vbscript.dll
2010-06-02 07:41:50 95744 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2010-06-02 07:41:50 221696 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-06-02 07:41:50 123392 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-05-27 11:02:58 26600 ----a-r- c:\windows\system32\drivers\GEARAspiWDM.sys
2010-05-27 11:02:58 107368 ----a-r- c:\windows\system32\GEARAspi.dll
2010-05-27 11:02:56 25648 ----a-r- c:\windows\system32\drivers\SymIMV.sys
2010-05-27 11:02:54 806 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-05-27 11:02:54 7456 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-05-27 11:02:54 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-05-27 11:02:27 0 d-----w- c:\windows\system32\drivers\N360
2010-05-26 18:27:23 65536 --sha-w- c:\users\alan\ntuser.dat{3d532f06-68f2-11df-bbd3-dc814c157d7c}.TM.blf
2010-05-26 18:27:23 524288 --sha-w- c:\users\alan\ntuser.dat{3d532f06-68f2-11df-bbd3-dc814c157d7c}.TMContainer00000000000000000002.regtrans-ms
2010-05-26 18:27:23 524288 --sha-w- c:\users\alan\ntuser.dat{3d532f06-68f2-11df-bbd3-dc814c157d7c}.TMContainer00000000000000000001.regtrans-ms
2010-05-25 18:30:53 65536 --sha-w- c:\users\alan\ntuser.dat{20b16044-6828-11df-8cab-c6eaf901a778}.TM.blf
2010-05-25 18:30:53 524288 --sha-w- c:\users\alan\ntuser.dat{20b16044-6828-11df-8cab-c6eaf901a778}.TMContainer00000000000000000002.regtrans-ms
2010-05-25 18:30:53 524288 --sha-w- c:\users\alan\ntuser.dat{20b16044-6828-11df-8cab-c6eaf901a778}.TMContainer00000000000000000001.regtrans-ms
2010-05-25 18:06:31 65536 --sha-w- c:\users\alan\ntuser.dat{53e08399-6827-11df-a74b-afcc885e5389}.TM.blf
2010-05-25 18:06:31 524288 --sha-w- c:\users\alan\ntuser.dat{53e08399-6827-11df-a74b-afcc885e5389}.TMContainer00000000000000000002.regtrans-ms
2010-05-25 18:06:31 524288 --sha-w- c:\users\alan\ntuser.dat{53e08399-6827-11df-a74b-afcc885e5389}.TMContainer00000000000000000001.regtrans-ms
2010-05-25 18:00:23 524288 --sha-w- c:\users\alan\ntuser.dat{2e28055e-6826-11df-90b4-e503dae6f573}.TMContainer00000000000000000002.regtrans-ms
2010-05-25 18:00:22 65536 --sha-w- c:\users\alan\ntuser.dat{2e28055e-6826-11df-90b4-e503dae6f573}.TM.blf
2010-05-25 18:00:22 524288 --sha-w- c:\users\alan\ntuser.dat{2e28055e-6826-11df-90b4-e503dae6f573}.TMContainer00000000000000000001.regtrans-ms
2010-05-25 17:52:21 524288 --sha-w- c:\users\alan\ntuser.dat{dce47324-6822-11df-a56f-9b99c6af2073}.TMContainer00000000000000000002.regtrans-ms
2010-05-25 17:52:20 65536 --sha-w- c:\users\alan\ntuser.dat{dce47324-6822-11df-a56f-9b99c6af2073}.TM.blf
2010-05-25 17:52:20 524288 --sha-w- c:\users\alan\ntuser.dat{dce47324-6822-11df-a56f-9b99c6af2073}.TMContainer00000000000000000001.regtrans-ms
2010-05-14 12:40:15 524288 --sha-w- c:\users\alan\ntuser.dat{c2205846-5f53-11df-86eb-0024e8174a78}.TMContainer00000000000000000002.regtrans-ms
2010-05-14 12:40:10 65536 --sha-w- c:\users\alan\ntuser.dat{c2205846-5f53-11df-86eb-0024e8174a78}.TM.blf
2010-05-14 12:40:10 524288 --sha-w- c:\users\alan\ntuser.dat{c2205846-5f53-11df-86eb-0024e8174a78}.TMContainer00000000000000000001.regtrans-ms
2010-05-14 11:17:01 65536 --sha-w- c:\users\alan\ntuser.dat{bf0827d5-5f35-11df-989c-0024e8174a78}.TM.blf
2010-05-14 11:17:01 524288 --sha-w- c:\users\alan\ntuser.dat{bf0827d5-5f35-11df-989c-0024e8174a78}.TMContainer00000000000000000002.regtrans-ms
2010-05-14 11:17:01 524288 --sha-w- c:\users\alan\ntuser.dat{bf0827d5-5f35-11df-989c-0024e8174a78}.TMContainer00000000000000000001.regtrans-ms
2010-05-14 08:36:33 0 d-----w- c:\users\alan\appdata\roaming\Regrun
2010-05-14 08:31:07 65536 --sha-w- c:\users\alan\ntuser.dat{d9a30210-5f2a-11df-b89d-0024e8174a78}.TM.blf
2010-05-14 08:31:07 524288 --sha-w- c:\users\alan\ntuser.dat{d9a30210-5f2a-11df-b89d-0024e8174a78}.TMContainer00000000000000000002.regtrans-ms
2010-05-14 08:31:07 524288 --sha-w- c:\users\alan\ntuser.dat{d9a30210-5f2a-11df-b89d-0024e8174a78}.TMContainer00000000000000000001.regtrans-ms
2010-05-13 18:30:48 0 d-sh--r- C:\desktop.ini
2010-05-13 18:30:48 0 d-sh--r- C:\comment.htt
2010-05-13 18:30:48 0 d-sh--r- C:\autorun.inf
2010-05-13 17:17:57 0 d-----w- c:\program files\Greatis
2010-05-13 12:44:28 0 d-----w- c:\program files\Trend Micro
2010-05-13 09:00:36 0 d-----w- c:\programdata\SecTaskMan
2010-05-13 09:00:24 0 d-----w- c:\program files\Security Task Manager
2010-05-12 13:08:04 0 d-----w- c:\programdata\Symantec
2010-05-11 14:14:14 0 d-----w- c:\program files\Symantec
2010-05-11 14:14:14 0 d-----w- c:\program files\common files\Symantec Shared
2010-05-11 14:13:44 0 d-----w- c:\program files\Norton 360
2010-05-11 14:13:43 0 d-----w- c:\programdata\Norton
2010-05-11 14:13:11 0 d-----w- c:\programdata\NortonInstaller
2010-05-11 14:13:11 0 d-----w- c:\program files\NortonInstaller
2010-05-11 13:20:39 524288 --sha-w- c:\users\alan\ntuser.dat{e4ec2fe8-5cff-11df-9788-0024e8174a78}.TMContainer00000000000000000002.regtrans-ms
2010-05-11 13:20:39 524288 --sha-w- c:\users\alan\ntuser.dat{e4ec2fe8-5cff-11df-9788-0024e8174a78}.TMContainer00000000000000000001.regtrans-ms
2010-05-11 13:20:38 65536 --sha-w- c:\users\alan\ntuser.dat{e4ec2fe8-5cff-11df-9788-0024e8174a78}.TM.blf
2010-05-11 12:21:13 0 d-----w- c:\program files\Safer Networking
2010-05-11 11:02:59 0 d-----w- c:\programdata\Spybot - Search & Destroy
2010-05-11 11:02:59 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-05-11 09:17:04 0 d-----w- c:\program files\Citrix
2010-05-10 20:12:57 0 d-----w- c:\users\alan\Office Genuine Advantage
2010-05-10 20:12:57 0 d-----w- c:\programdata\Office Genuine Advantage
2010-05-10 20:09:13 0 d-----w- c:\programdata\HP
2010-05-10 18:41:10 0 d-----w- c:\windows\PCHEALTH
2010-05-10 18:39:10 0 d-----w- c:\programdata\Microsoft Help
2010-05-10 13:06:27 0 d-----w- c:\programdata\NOS
2010-05-08 20:19:00 0 d-----w- c:\windows\Panther
2010-05-08 20:13:51 0 d--h--w- C:\$WINDOWS.~Q
2010-05-08 20:13:39 0 d--h--w- C:\$INPLACE.~TR
2010-05-08 18:19:59 24 ---ha-r- c:\windows\dell_version
2010-05-08 18:19:59 0 d-----w- c:\windows\system32\OEM
2010-05-08 13:18:28 0 d-----w- c:\users\alan\appdata\roaming\Malwarebytes
2010-05-08 13:18:18 0 d-----w- c:\programdata\Malwarebytes
2010-05-08 13:18:18 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-08 11:43:16 0 d-----w- c:\programdata\ATI
2010-05-08 11:42:13 442368 ----a-w- c:\windows\system32\ATIDEMGX.dll
2010-05-08 11:42:12 18333 ----a-w- c:\windows\atiogl.xml
2010-05-08 11:41:38 0 d-----w- c:\program files\ATI
2010-05-08 11:40:42 87 ---ha-r- c:\windows\ctfile.rfc
2010-05-08 11:40:42 72704 ----a-w- c:\windows\system32\CmdRtr.DLL
2010-05-08 11:40:42 146432 ----a-w- c:\windows\system32\APOMngr.DLL
2010-05-08 11:40:20 0 d-----w- c:\windows\system32\RTCOM
2010-05-08 11:38:52 713888 ----a-w- c:\windows\system32\PerfStringBackup.INI
2010-05-08 11:38:25 172032 ----a-w- c:\windows\system32\wintrust.dll
2010-05-08 11:38:21 132608 ----a-w- c:\windows\system32\cabview.dll
2010-05-08 11:36:33 0 d-----w- c:\windows\system32\wbem\Performance
2010-05-08 11:35:14 20 --sh--w- c:\users\alan\ntuser.ini
2010-05-08 11:35:08 0 d-sh--w- C:\Recovery
2010-05-08 11:27:43 21316 ----a-w- c:\windows\system32\emptyregdb.dat
2010-05-08 11:22:42 10736 ---ha-w- c:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2010-05-08 11:22:42 10736 ---ha-w- c:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2010-05-08 11:21:56 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_09_00.Wdf
2010-05-08 11:21:49 0 ----a-w- c:\windows\ativpsrm.bin
2010-05-08 10:55:56 1890 ----a-w- c:\windows\diagwrn.xml
2010-05-08 10:55:56 1890 ----a-w- c:\windows\diagerr.xml
2010-05-08 10:45:47 0 d-----w- c:\program files\ATI Technologies
2010-05-08 10:14:18 221568 ----a-w- c:\windows\system32\MpSigStub.exe
2010-05-08 10:04:17 138240 ----a-w- c:\windows\system32\drivers\Rtlh86.sys
2010-05-08 09:58:55 53248 ----a-w- c:\windows\system32\CSVer.dll
2010-05-08 09:58:33 0 d-----w- C:\Intel
2010-05-08 09:49:02 319456 ----a-w- c:\windows\DIFxAPI.dll
2010-05-08 09:49:01 0 d-----w- c:\program files\Realtek
2010-05-08 09:48:58 0 d--h--w- c:\program files\Temp
2010-05-08 09:48:50 0 d-----w- C:\dell
2010-05-08 09:47:48 0 d-----w- c:\windows\system32\vmm32
2010-05-08 09:47:48 0 d-----w- c:\program files\Dell
2010-05-08 09:47:33 0 d-sh--w- c:\windows\Installer
2010-05-08 09:23:51 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf

==================== Find3M ====================

2010-04-23 07:13:36 2048 ----a-w- c:\windows\system32\tzres.dll
2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2009-07-14 04:41:57 174 --sha-w- c:\program files\desktop.ini
2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-06-10 21:26:35 9633792 --sha-r- c:\windows\fonts\StaticCache.dat
2009-07-14 01:14:45 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe

============= FINISH: 9:17:34.45 ===============

Cannot attach 'Attach' file, says too big, will try and zip on next post

Edited by Orange Blossom, 02 June 2010 - 03:47 PM.
Adjusted spacing and some spelling for ease of reading. ~ OB



#2 Albear

Albear
  • Topic Starter


Posted 02 June 2010 - 03:49 AM

Please find attached one of two other files
Thank you

Hi, I can't upload the Ark file, I keep getting a message that the file was larger than the available post; the zip file is only 2.81 kb. Advice please
Thanks
Albear

Hi, I have copied and pasted the Ark file below, hope this is OK?

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-06-02 09:26:16
Windows 6.1.7600
Running: gmer.exe; Driver: C:\Users\Alan\AppData\Local\Temp\kxldrpog.sys


---- System - GMER 1.0.15 ----

SSDT 8705ABA0 ZwAlertResumeThread
SSDT 8773E7B0 ZwAlertThread
SSDT 8782B6E8 ZwAllocateVirtualMemory
SSDT 86D095E0 ZwAlpcConnectPort
SSDT 87827398 ZwAssignProcessToJobObject
SSDT 878277B8 ZwCreateMutant
SSDT 87827118 ZwCreateSymbolicLinkObject
SSDT 87824068 ZwCreateThread
SSDT 878271E8 ZwCreateThreadEx
SSDT 87827458 ZwDebugActiveProcess
SSDT 8782B840 ZwDuplicateObject
SSDT 8782B548 ZwFreeVirtualMemory
SSDT 877D1048 ZwImpersonateAnonymousToken
SSDT 87679A50 ZwImpersonateThread
SSDT 86D07710 ZwLoadDriver
SSDT 8782B468 ZwMapViewOfSection
SSDT 87819110 ZwOpenEvent
SSDT 8782B9E0 ZwOpenProcess
SSDT 86D9BEC0 ZwOpenProcessToken
SSDT 87821160 ZwOpenSection
SSDT 8782B910 ZwOpenThread
SSDT 878272C8 ZwProtectVirtualMemory
SSDT 86DC9C20 ZwResumeThread
SSDT 86DC8148 ZwSetContextThread
SSDT 8782B310 ZwSetInformationProcess
SSDT 87827518 ZwSetSystemInformation
SSDT 8781A518 ZwSuspendProcess
SSDT 86E5F5E8 ZwSuspendThread
SSDT 86DB6148 ZwTerminateProcess
SSDT 86E5E7A0 ZwTerminateThread
SSDT 86E5A388 ZwUnmapViewOfSection
SSDT 8782B618 ZwWriteVirtualMemory

INT 0x1F \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 8302AAF8
INT 0x37 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 8302A104
INT 0xC1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 8302A3F4
INT 0xD1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 830132D8
INT 0xD2 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 83012898
INT 0xDF \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 8302A1DC
INT 0xE1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 8302A958
INT 0xE3 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 8302A6F8
INT 0xFD \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 8302AF2C
INT 0xFE \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 8302B1A8

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!ZwSaveKeyEx + 13B1 8307C8E9 1 Byte [06]
.text ntoskrnl.exe!KiDispatchInterrupt + 5A2 8309C3D2 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text ntoskrnl.exe!KeRemoveQueueEx + 139B 830A3668 8 Bytes [A0, AB, 05, 87, B0, E7, 73, ...]
.text ntoskrnl.exe!KeRemoveQueueEx + 13B3 830A3680 4 Bytes CALL A291B93B
.text ntoskrnl.exe!KeRemoveQueueEx + 13BF 830A368C 4 Bytes [E0, 95, D0, 86]
.text ntoskrnl.exe!KeRemoveQueueEx + 1413 830A36E0 4 Bytes [98, 73, 82, 87]
.text ntoskrnl.exe!KeRemoveQueueEx + 148F 830A375C 4 Bytes [B8, 77, 82, 87]
.text ...
.text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x98409000, 0x2D41EC, 0xE8000020]
.text peauth.sys 9D95EC9D 28 Bytes [CF, 65, B0, 69, D9, A7, EB, ...]
.text peauth.sys 9D95ECC1 28 Bytes [CF, 65, B0, 69, D9, A7, EB, ...]
PAGE peauth.sys 9D96502C 102 Bytes [87, A2, FB, A8, 51, FF, 02, ...]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Internet Explorer\iexplore.exe[3908] USER32.dll!CreateWindowExW 75E60E51 5 Bytes JMP 632080F7 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3908] USER32.dll!DialogBoxIndirectParamW 75E84AA7 5 Bytes JMP 6332F218 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3908] USER32.dll!DialogBoxParamW 75E8564A 5 Bytes JMP 63124B7F C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3908] USER32.dll!DialogBoxParamA 75E9CF6A 5 Bytes JMP 6332F1B5 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3908] USER32.dll!DialogBoxIndirectParamA 75E9D29C 5 Bytes JMP 6332F27B C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3908] USER32.dll!MessageBoxIndirectA 75EAE8C9 5 Bytes JMP 6332F14A C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3908] USER32.dll!MessageBoxIndirectW 75EAE9C3 5 Bytes JMP 6332F0DF C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3908] USER32.dll!MessageBoxExA 75EAEA29 5 Bytes JMP 6332F07D C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3908] USER32.dll!MessageBoxExW 75EAEA4D 5 Bytes JMP 6332F01B C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3996] ntdll.dll!wcsncmp + 33B 7745F580 7 Bytes JMP 034B003A
.text C:\Program Files\Internet Explorer\iexplore.exe[3996] USER32.dll!CreateDialogParamW 75E59BFF 5 Bytes JMP 6315C548 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3996] USER32.dll!EnableWindow 75E5A72E 5 Bytes JMP 6315C4C3 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3996] USER32.dll!GetAsyncKeyState 75E5C09A 5 Bytes JMP 6311D6C9 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3996] USER32.dll!UnhookWindowsHookEx 75E5CC7B 5 Bytes JMP 632182FA C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3996] USER32.dll!CallNextHookEx 75E5CC8F 5 Bytes JMP 631F9D00 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3996] USER32.dll!CreateWindowExW 75E60E51 5 Bytes JMP 632080F7 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3996] USER32.dll!SetWindowsHookExW 75E6210A 5 Bytes JMP 631B45DB C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3996] USER32.dll!GetKeyState 75E64FDA 5 Bytes JMP 6315D73A C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3996] USER32.dll!IsDialogMessageW 75E66F06 5 Bytes JMP 6312425C C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3996] USER32.dll!CreateDialogParamA 75E73E79 5 Bytes JMP 6332FE19 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3996] USER32.dll!IsDialogMessage 75E7407A 5 Bytes JMP 6332F6BA C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3996] USER32.dll!CreateDialogIndirectParamA 75E79110 5 Bytes JMP 6332FE50 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3996] USER32.dll!CreateDialogIndirectParamW 75E808AD 5 Bytes JMP 6332FE87 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3996] USER32.dll!DialogBoxIndirectParamW 75E84AA7 5 Bytes JMP 6332F218 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3996] USER32.dll!EndDialog 75E8555C 5 Bytes JMP 63125AC1 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3996] USER32.dll!DialogBoxParamW 75E8564A 5 Bytes JMP 63124B7F C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3996] USER32.dll!SetKeyboardState 75E86B52 5 Bytes JMP 6332FA1F C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3996] USER32.dll!SendInput 75E87055 5 Bytes JMP 633305E8 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3996] USER32.dll!SetCursorPos 75E9C1D8 5 Bytes JMP 63330640 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3996] USER32.dll!DialogBoxParamA 75E9CF6A 5 Bytes JMP 6332F1B5 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3996] USER32.dll!DialogBoxIndirectParamA 75E9D29C 5 Bytes JMP 6332F27B C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3996] USER32.dll!MessageBoxIndirectA 75EAE8C9 5 Bytes JMP 6332F14A C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3996] USER32.dll!MessageBoxIndirectW 75EAE9C3 5 Bytes JMP 6332F0DF C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3996] USER32.dll!MessageBoxExA 75EAEA29 5 Bytes JMP 6332F07D C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3996] USER32.dll!MessageBoxExW 75EAEA4D 5 Bytes JMP 6332F01B C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:Program FilesInternet Exploreriexplore.exe[3996] USER32.dll!keybd_event 75EAEC9B 5 Bytes JMP 63330973 C:Windowssystem32IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:Program FilesInternet Exploreriexplore.exe[3996] SHELL32.dll!SHChangeNotification_Lock + 45BA 7600B3E8 4 Bytes [11, 36, F0, 6E]
.text C:Program FilesInternet Exploreriexplore.exe[3996] SHELL32.dll!SHChangeNotification_Lock + 45C2 7600B3F0 8 Bytes [5F, 35, F0, 6E, D0, 73, EF, ...] {POP EDI; XOR EAX, 0x73d06ef0; OUT DX, EAX; OUTSB }
.text C:Program FilesInternet Exploreriexplore.exe[3996] ole32.dll!OleLoadFromStream 76FC5B88 4 Bytes JMP 6332F576 C:Windowssystem32IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:Program FilesInternet Exploreriexplore.exe[3996] ole32.dll!CoGetContextToken + 5C0 76FFA2CF 7 Bytes JMP 034B01A6
.text C:Program FilesInternet Exploreriexplore.exe[3996] ole32.dll!CoCreateInstance 770157FC 4 Bytes JMP 63208BE5 C:Windowssystem32IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:Program FilesInternet Exploreriexplore.exe[3996] ole32.dll!CoCreateInstance + 3E 7701583A 7 Bytes JMP 034B00F0
.text C:Program FilesInternet Exploreriexplore.exe[4832] ntdll.dll!wcsncmp + 33B 7745F580 7 Bytes JMP 02BF003A
.text C:Program FilesInternet Exploreriexplore.exe[4832] USER32.dll!CreateDialogParamW 75E59BFF 5 Bytes JMP 6315C548 C:Windowssystem32IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:Program FilesInternet Exploreriexplore.exe[4832] USER32.dll!EnableWindow 75E5A72E 5 Bytes JMP 6315C4C3 C:Windowssystem32IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:Program FilesInternet Exploreriexplore.exe[4832] USER32.dll!GetAsyncKeyState 75E5C09A 5 Bytes JMP 6311D6C9 C:Windowssystem32IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:Program FilesInternet Exploreriexplore.exe[4832] USER32.dll!UnhookWindowsHookEx 75E5CC7B 5 Bytes JMP 632182FA C:Windowssystem32IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:Program FilesInternet Exploreriexplore.exe[4832] USER32.dll!CallNextHookEx 75E5CC8F 5 Bytes JMP 631F9D00 C:Windowssystem32IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:Program FilesInternet Exploreriexplore.exe[4832] USER32.dll!CreateWindowExW 75E60E51 5 Bytes JMP 632080F7 C:Windowssystem32IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:Program FilesInternet Exploreriexplore.exe[4832] USER32.dll!SetWindowsHookExW 75E6210A 5 Bytes JMP 631B45DB C:Windowssystem32IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:Program FilesInternet Exploreriexplore.exe[4832] USER32.dll!GetKeyState 75E64FDA 5 Bytes JMP 6315D73A C:Windowssystem32IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:Program FilesInternet Exploreriexplore.exe[4832] USER32.dll!IsDialogMessageW 75E66F06 5 Bytes JMP 6312425C C:Windowssystem32IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:Program FilesInternet Exploreriexplore.exe[4832] USER32.dll!CreateDialogParamA 75E73E79 5 Bytes JMP 6332FE19 C:Windowssystem32IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:Program FilesInternet Exploreriexplore.exe[4832] USER32.dll!IsDialogMessage 75E7407A 5 Bytes JMP 6332F6BA C:Windowssystem32IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:Program FilesInternet Exploreriexplore.exe[4832] USER32.dll!CreateDialogIndirectParamA 75E79110 5 Bytes JMP 6332FE50 C:Windowssystem32IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:Program FilesInternet Exploreriexplore.exe[4832] USER32.dll!CreateDialogIndirectParamW 75E808AD 5 Bytes JMP 6332FE87 C:Windowssystem32IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:Program FilesInternet Exploreriexplore.exe[4832] USER32.dll!DialogBoxIndirectParamW 75E84AA7 5 Bytes JMP 6332F218 C:Windowssystem32IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:Program FilesInternet Exploreriexplore.exe[4832] USER32.dll!EndDialog 75E8555C 5 Bytes JMP 63125AC1 C:Windowssystem32IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:Program FilesInternet Exploreriexplore.exe[4832] USER32.dll!DialogBoxParamW 75E8564A 5 Bytes JMP 63124B7F C:Windowssystem32IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:Program FilesInternet Exploreriexplore.exe[4832] USER32.dll!SetKeyboardState 75E86B52 5 Bytes JMP 6332FA1F C:Windowssystem32IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:Program FilesInternet Exploreriexplore.exe[4832] USER32.dll!SendInput 75E87055 5 Bytes JMP 633305E8 C:Windowssystem32IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:Program FilesInternet Exploreriexplore.exe[4832] USER32.dll!SetCursorPos 75E9C1D8 5 Bytes JMP 63330640 C:Windowssystem32IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:Program FilesInternet Exploreriexplore.exe[4832] USER32.dll!DialogBoxParamA 75E9CF6A 5 Bytes JMP 6332F1B5 C:Windowssystem32IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:Program FilesInternet Exploreriexplore.exe[4832] USER32.dll!DialogBoxIndirectParamA 75E9D29C 5 Bytes JMP 6332F27B C:Windowssystem32IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:Program FilesInternet Exploreriexplore.exe[4832] USER32.dll!MessageBoxIndirectA 75EAE8C9 5 Bytes JMP 6332F14A C:Windowssystem32IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:Program FilesInternet Exploreriexplore.exe[4832] USER32.dll!MessageBoxIndirectW 75EAE9C3 5 Bytes JMP 6332F0DF C:Windowssystem32IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:Program FilesInternet Exploreriexplore.exe[4832] USER32.dll!MessageBoxExA 75EAEA29 5 Bytes JMP 6332F07D C:Windowssystem32IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:Program FilesInternet Exploreriexplore.exe[4832] USER32.dll!MessageBoxExW 75EAEA4D 5 Bytes JMP 6332F01B C:Windowssystem32IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:Program FilesInternet Exploreriexplore.exe[4832] USER32.dll!keybd_event 75EAEC9B 5 Bytes JMP 63330973 C:Windowssystem32IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:Program FilesInternet Exploreriexplore.exe[4832] SHELL32.dll!SHChangeNotification_Lock + 45BA 7600B3E8 4 Bytes [11, 36, F0, 6E]
.text C:Program FilesInternet Exploreriexplore.exe[4832] SHELL32.dll!SHChangeNotification_Lock + 45C2 7600B3F0 8 Bytes [5F, 35, F0, 6E, D0, 73, EF, ...] {POP EDI; XOR EAX, 0x73d06ef0; OUT DX, EAX; OUTSB }
.text C:Program FilesInternet Exploreriexplore.exe[4832] ole32.dll!OleLoadFromStream 76FC5B88 4 Bytes JMP 6332F576 C:Windowssystem32IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:Program FilesInternet Exploreriexplore.exe[4832] ole32.dll!CoGetContextToken + 5C0 76FFA2CF 7 Bytes JMP 02BF03D9
.text C:Program FilesInternet Exploreriexplore.exe[4832] ole32.dll!CoCreateInstance 770157FC 4 Bytes JMP 63208BE5 C:Windowssystem32IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:Program FilesInternet Exploreriexplore.exe[4832] ole32.dll!CoCreateInstance + 3E 7701583A 7 Bytes JMP 02BF0323

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\tdx \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\ACPI_HAL \Device\00000049 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume5 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume6 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\tdx \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

---- EOF - GMER 1.0.15 ----

Merged 3 posts. ~ OB

Edited by Orange Blossom, 02 June 2010 - 03:49 PM.
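A practical way to read a block of GMER ".text" lines like the ones above is to separate hooks that GMER resolves to a named module from those it cannot attribute. The Python triage script below is an added example written for this edit; it is not part of GMER, of the log, or of anything the helpers in this thread use. Its sample lines are a handful copied from the log above with the path separators restored (the extraction stripped the backslashes). A JMP whose target sits inside a module GMER names (here IEFRAME.dll, Microsoft) is the browser's own in-process redirection and is routine; a JMP GMER cannot tie to any loaded module, or a raw byte patch, is what a responder pulls out for a second look, alongside the rest of the log rather than on its own.

```python
"""Triage GMER user-mode hook lines: which hooks point into a named module
and which ones GMER could not attribute.  Added example for this thread;
it is not part of GMER or of the log above."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# A ".text" line: process[pid]  module!export[ + offset]  address  N Bytes  <what sits there now>
HOOK_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?\[(?P<pid>\d+)\])\s+"
    r"(?P<module>[^\s!]+)!(?P<export>\S+)(?:\s*\+\s*(?P<offset>[0-9A-Fa-f]+))?\s+"
    r"(?P<addr>[0-9A-Fa-f]{8})\s+(?P<nbytes>\d+)\s+Bytes\s+(?P<rest>.*?)\s*$"
)
# The tail is either "JMP target [path (description)]" or a raw byte patch "[xx, xx, ...]".
JMP_RE = re.compile(
    r"^JMP\s+(?P<target>[0-9A-Fa-f]{8})(?:\s+(?P<path>.+?)\s+\((?P<desc>[^)]*)\))?$"
)


@dataclass
class Hook:
    process: str
    pid: int
    module: str
    export: str
    offset: Optional[int]
    address: int
    nbytes: int
    kind: str                    # "jmp_to_module", "jmp_to_unknown" or "byte_patch"
    target: Optional[int]
    target_path: Optional[str]
    target_desc: Optional[str]


def parse_hook_line(line: str) -> Optional[Hook]:
    """Parse one GMER hook line; returns None for section headers and unfamiliar layouts."""
    m = HOOK_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    jmp = JMP_RE.match(rest)
    if jmp:
        # GMER prints a module path only when it can attribute the jump target.
        kind = "jmp_to_module" if jmp.group("path") else "jmp_to_unknown"
        target, path, desc = int(jmp.group("target"), 16), jmp.group("path"), jmp.group("desc")
    elif rest.startswith("["):
        kind, target, path, desc = "byte_patch", None, None, None
    else:
        return None  # unknown tail: leave it for manual review rather than guess
    return Hook(process=m.group("proc"), pid=int(m.group("pid")),
                module=m.group("module"), export=m.group("export"),
                offset=int(m.group("offset"), 16) if m.group("offset") else None,
                address=int(m.group("addr"), 16), nbytes=int(m.group("nbytes")),
                kind=kind, target=target, target_path=path, target_desc=desc)


def parse_gmer_hooks(text: str) -> List[Hook]:
    return [h for h in (parse_hook_line(l) for l in text.splitlines()) if h is not None]


def triage(hooks: List[Hook]) -> Tuple[Dict[str, int], List[Hook]]:
    """Count hook kinds and return the entries worth a second look: JMPs whose
    target GMER could not tie to a loaded module, and raw byte patches."""
    counts = Counter(h.kind for h in hooks)
    follow_up = [h for h in hooks if h.kind != "jmp_to_module"]
    return dict(counts), follow_up


# Constructed sample: a few lines from the log above, path separators restored.
SAMPLE_LOG = r"""
---- User code sections - GMER 1.0.15 ----
.text C:\Program Files\Internet Explorer\iexplore.exe[3996] USER32.dll!UnhookWindowsHookEx 75E5CC7B 5 Bytes JMP 632182FA C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3996] SHELL32.dll!SHChangeNotification_Lock + 45BA 7600B3E8 4 Bytes [11, 36, F0, 6E]
.text C:\Program Files\Internet Explorer\iexplore.exe[3996] SHELL32.dll!SHChangeNotification_Lock + 45C2 7600B3F0 8 Bytes [5F, 35, F0, 6E, D0, 73, EF, ...] {POP EDI; XOR EAX, 0x73d06ef0; OUT DX, EAX; OUTSB }
.text C:\Program Files\Internet Explorer\iexplore.exe[3996] ole32.dll!CoGetContextToken + 5C0 76FFA2CF 7 Bytes JMP 034B01A6
.text C:\Program Files\Internet Explorer\iexplore.exe[3996] ole32.dll!CoCreateInstance 770157FC 4 Bytes JMP 63208BE5 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4832] ole32.dll!CoCreateInstance + 3E 7701583A 7 Bytes JMP 02BF0323
"""

if __name__ == "__main__":
    counts, follow_up = triage(parse_gmer_hooks(SAMPLE_LOG))
    print(counts)
    for h in follow_up:
        where = f"-> {h.target:08X}" if h.target is not None else "inline byte patch"
        print(f"pid {h.pid}: {h.module}!{h.export} {where} ({h.kind})")
```

Run on the full log, the interesting output is the second list: the same unattributed targets recurring in both iexplore.exe processes is the pattern to correlate with the rest of the scan output, which is what the helper's later requests in this thread do.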


#3 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  • Gender:Male
  • Local time:11:56 PM

Posted 02 June 2010 - 08:19 PM

Hello.

I don't see any evidence of malware. Let's run an online scan to be sure.

Run Scan with Kaspersky
Please do a scan with Kaspersky Online Scanner.

If you are using Windows Vista, open your browser by right-clicking on its icon and select Run as administrator to perform this scan.
  • Please disable your realtime protection software before proceeding. Refer to this page if you are unsure how.
  • Open the Kaspersky Scanner page.
  • Click on Accept and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded, on the left side of the page in the Scan section, select Critical Areas.
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis.

This scanner will only scan. It does not remove any malware it finds.


With Regards,
The Panda

#4 Albear

Albear
  • Topic Starter

  • Members
  • 59 posts
  • OFFLINE
  • Local time:03:56 AM

Posted 09 June 2010 - 11:23 AM

Hi, sorry for the delay, but once again I'm feeling quite desperate about the whole thing. My Toshiba keeps 'losing' my Internet Explorer; I still have an internet connection but IE won't connect. I have no doubt there is still a rootkit on there as on here. First of all I attach a screen print of my computer and devices; as you can see I have a mass storage device, and I have left the properties up and you can see it is controlling all my ancillary card readers. Now I apologise, I may have made a mistake; this was before I started the topic, nonetheless it may have impacted on what was showing up. I did change my keyboard and mouse because the keyboard appeared to be operating as a wireless optical desktop and its main language had been changed to USA.
Sorry, can't upload; BleepingComputer is saying 511.74k of 512k attachment space used?
Anyway, if I explain what I've done on the Toshiba perhaps it may give a clue to whoever this bastard is who's messing my machines up.
I have Norton 360 on my machine and its 'intelligence' identifies that I have had shared connections in the past and allows these accordingly; as I told EB, I have never intentionally shared any of my machines and have never used them for business purposes, they are purely for home use. I went back to the Sysinternals site and saw that they recommended several rootkit software packages. So I went to AVG and downloaded their free scan. Their scan told me that I have no malware; however, it also told me my system was 'bad' and only 17% effective. This on a system with a new HDD and fresh reinstall, and the only software on it Microsoft Office and two small database programs for working out velocities, results and pedigrees for racing pigeons; that lot currently takes up 30GB on my C drive! But only 17%, so once again I went and spent some more money and purchased a key to rectify it; AVG say they will put all 'good' files in to replace any redundant/damaged ones. Now the reason I went for it is because I believe whoever is doing this is actually using legit Microsoft tools to control my machines/router. Somewhere they have found a fault where they can keep control and then take full control of my machine because they then have legit access rights. I'll explain why I think this later. But anyway I got, according to the AVG blurb, a brand new system. But within 24 hours I was getting unidentified networks and multiple networks. My Norton, which I password protected, had a firewall rule 'inserted' which blocked home computing???? So I was connected to the internet; I checked my adapter status and there were packets going and coming, but every time I opened IE it failed, and when I hit diagnostics it kept coming back and telling me to contact my ISP because there was a problem it could not fix.
I got hold of Norton and they told me to uninstall, and then asked if I could connect to IE; I couldn't, and they told me it was not a Norton issue then. Maybe, maybe not; I just know when I restore back everything is OK and the block rule is not there. I have programs accessing the internet with Norton's automatic approval; Windows Activation Technology services, for example, is accessing port 443, and a Windows start-up application has permission for inbound communication to local port 49152??? What is that? I keep blocking and new rules spring up!
So on the Toshiba I went back to Sysinternals and ran RootkitRevealer (I downloaded the full Sysinternals suite yesterday and it shows me every file is being read by a 'reader'; Sysinternals identifies it with a question mark and 'unknown contact'. I try to remove it but am told I can't because the file is part of a shared folder; I go to the folder and get the same message!). Then when I go to run RRV (RootkitRevealer) I get a message saying a program can't display a message on your desktop; it tells me 'this problem happens because of partial incompatibility with Windows. Please contact the program or device manufacturer for info.' I click return, my desktop disappears and I get a grey blank desktop with the RootkitRevealer dialogue box, and I choose scan. It scans and finds 1700 lines and I get very excited: lots of files that are hidden from API, it says, but when I save I cannot save; my screen keeps going doolally! And every 30 seconds I keep getting the login screen appear and I have to log in to get back in. Now I managed to save the first 10 lines (about); I can't upload so I'll try and copy them from the Tosh and paste them here. Don't know if they will point to anything, but I'm positive it is the same issue on both machines, this Dell you are dealing with and the Tosh EB dealt with.
The other fascinating thing for me is the appearance on the Tosh of an ID (appeared since I ran the AVG rootkit finder): S-1-5-21-34594376467-1123751275-2026211232-1001. This ID is in many of my files' security properties; it is marked with an icon of a single head with a red question mark on it, and it has read and execute permissions. I went to the registry user key and there is no such user??? There is another coincidence, PP, which is more pertinent to this Dell PC you are dealing with.
In February this year I could not get McAfee to configure on this machine. I had the green tick which according to front line meant everything was hunky dory, but finally convinced them it was not; they spent three weeks connecting remotely and on the last day I had a 'top expert' get on my machine. He tried everything and could not configure it, tried Malwarebytes etc., and in the end he ran ComboFix and that found a rootkit, and the rootkit ID was S-1-5-21 etc., and I bet it's exactly the same as the ID above.
Just as a further aside, I've left RootkitRevealer running at the side of me on my Toshiba and hit the mouse to bring my screen back, and the machine has shut itself down!! I've just logged back in and there is no sign of it ever running!
Below is a copy of the start of RootkitRevealer's log which I did capture at the start; the rest of it is far more interesting, with hundreds of lines of mismatch and files with data not like the examples below.


HKU\S-1-5-21-3459437647-1123751275-2026211232-1000\Console 31/05/2010 11:38 0 bytes Security mismatch.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN 07/05/2010 17:23 0 bytes Security mismatch.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\CertMapping 07/05/2010 17:32 0 bytes Security mismatch.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\Client 02/11/2006 13:54 0 bytes Security mismatch.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\Listener 02/11/2006 13:54 0 bytes Security mismatch.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\Service 02/11/2006 13:54 0 bytes Security mismatch.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\WinRS 07/05/2010 17:32 0 bytes Security mismatch.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\WinRS\CustomRemoteShell 07/05/2010 17:32 0 bytes Security mismatch.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib\009 02/11/2006 11:33 0 bytes Security mismatch.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{6C041448-C69A-4D8B-A774-4F3948997407}\DynamicInfo 07/06/2010 10:45 28 bytes Data mismatch between Windows API and raw hive data.


Please advise, PP, on what to do. I have another key for AVG I could use to get the system right on here, and I could try to run RootkitRevealer, or you may wish to try ComboFix, or I suppose you may tell me there's nothing wrong (I hope not, cause there is, honest!). Oh, and I think most of the messages said file hidden in API but visible in raw hive? I think there was also more text to the right of each line which I have not picked up, or maybe that was the later lines, not sure.

Edited by Albear, 09 June 2010 - 11:24 AM.
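The ID quoted in the post above is a Windows security identifier (SID), and its structure is worth decoding before deciding what it means: S-1-5-21 followed by three numbers identifies the installation (or domain) that issued it, and the last number, the RID, identifies the account within it; each of those numbers is a 32-bit value. The Python checker below is an added example written for this edit, not a tool from the thread or from Microsoft. It validates a SID string, extracts the issuer part and the RID, and compares two SIDs. Its inputs are the HKU key from the RootkitRevealer lines (RID 1000) and the ACL entry exactly as it appears in the post; the latter, taken as typed, carries an 11-digit sub-authority that cannot fit in 32 bits, so the checker rejects it, while a SID sharing the first three values and ending in -1001 (constructed here for the comparison) would be a second account issued by the same installation.

```python
"""Decode and sanity-check Windows SID strings such as the one found in the file ACLs.
Added example for this thread; not a tool from the thread or from Microsoft."""
import re
from dataclasses import dataclass
from typing import List, Optional

SID_RE = re.compile(r"^S-(?P<rev>\d+)-(?P<auth>\d+)(?P<subs>(?:-\d+)+)$")
MAX_SUBAUTHORITY = 2**32 - 1   # each sub-authority is a 32-bit value
MAX_SUBAUTHORITIES = 15        # SID_MAX_SUB_AUTHORITIES

# Relative identifiers (RIDs) every S-1-5-21 machine or domain reserves.
WELL_KNOWN_RIDS = {500: "built-in Administrator", 501: "built-in Guest"}


@dataclass
class Sid:
    revision: int
    identifier_authority: int
    subauthorities: List[int]

    @property
    def is_nt_account(self) -> bool:
        """S-1-5-21-<a>-<b>-<c>-<RID>: an account defined by a machine's SAM or by a domain."""
        return (self.identifier_authority == 5 and len(self.subauthorities) == 5
                and self.subauthorities[0] == 21)

    @property
    def machine_id(self) -> Optional[str]:
        """The three values identifying the installation (or domain) that issued the SID."""
        return "-".join(map(str, self.subauthorities[1:4])) if self.is_nt_account else None

    @property
    def rid(self) -> int:
        return self.subauthorities[-1]


def parse_sid(text: str) -> Sid:
    """Parse a textual SID, rejecting anything that could not exist as a binary SID."""
    m = SID_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a SID string: {text!r}")
    if m.group("rev") != "1":
        raise ValueError("only SID revision 1 exists")
    subs = [int(s) for s in m.group("subs").split("-")[1:]]
    if len(subs) > MAX_SUBAUTHORITIES:
        raise ValueError("too many sub-authorities")
    too_big = [s for s in subs if s > MAX_SUBAUTHORITY]
    if too_big:
        raise ValueError(f"sub-authority does not fit in 32 bits: {too_big}")
    return Sid(1, int(m.group("auth")), subs)


def is_valid_sid(text: str) -> bool:
    try:
        parse_sid(text)
        return True
    except ValueError:
        return False


def same_issuer(a: Sid, b: Sid) -> bool:
    """True when both SIDs were issued by the same installation or domain."""
    return a.is_nt_account and b.is_nt_account and a.machine_id == b.machine_id


def describe_rid(sid: Sid) -> str:
    if not sid.is_nt_account:
        return "not a machine/domain account SID"
    if sid.rid in WELL_KNOWN_RIDS:
        return WELL_KNOWN_RIDS[sid.rid]
    if sid.rid >= 1000:
        return "ordinary account or group created on this installation (RID pool starts at 1000)"
    return "reserved RID"


if __name__ == "__main__":
    hku = "S-1-5-21-3459437647-1123751275-2026211232-1000"         # from the HKU key in the log
    acl = "S-1-5-21-34594376467-1123751275-2026211232-1001"        # as typed in the post
    sibling = "S-1-5-21-3459437647-1123751275-2026211232-1001"     # constructed: same issuer, RID 1001
    for s in (hku, acl, sibling):
        print(s, "valid" if is_valid_sid(s) else "invalid")
    a, b = parse_sid(hku), parse_sid(sibling)
    print("same issuer:", same_issuer(a, b), "|", describe_rid(b))
```

An ACL entry that Windows shows as a bare SID with a question-mark icon is one it cannot resolve to an account name on the current system; the SID's structure tells you which installation issued it and whether it is a built-in or an ordinary account, not what that account was used for, so it is a lead to take to the helper together with the scan logs rather than a finding on its own.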


#5 Albear

Albear
  • Topic Starter

  • Members
  • 59 posts
  • OFFLINE
  • Local time:03:56 AM

Posted 10 June 2010 - 08:38 AM

Hi, below is a post I made earlier; the only way I could connect was by allowing BootP through the firewall and all programs:

As I write this I cannot connect to the internet with either my Toshiba laptop or Dell. I'm doing it in Notepad in the hope that I will be able to get online to post this, probably by allowing everything through my firewall I currently have blocked.
Last night I ran RootkitRevealer again on my Toshiba (twice) to try and find some way of copying the scan log. Some interesting things happened. Both times I kept hitting return to my desktop and then to the Windows message approximately every 1 min and 30 seconds respectively, so I could get close to the end of the scan to save more detail, because if I didn't Windows would take me automatically to my user login (and the once I failed to respond yesterday, i.e. did not log in, Windows shut itself down!).
The first time I watched, and when the scan moved from C drive to E (the scan on both occasions, dialogue on toolbar stated 'enumerating E'), I got the following message in my desktop window from Norton 'alert'; it said:
A process is attempting to launch a target process
Source: c:\users\Toshiba admin\Appdata\Local\Temp\QTL10JEL.exe
Target: c:\Windows\System32\CMD.exe
Command Line:/c chcp6500/&& set DIRCMD=&& "cmd/cd15/4/a/s E:\7 c:users\toshiba admin\desktop\hQ"

On the first run of RootkitRevealer I blocked this. I hit the message key on the Windows dialogue box to take me back to RootkitRevealer (which once again was running in its own blank grey desktop) and when I got on to this screen there was a dialogue box with a new message:
'An error occurred in CMD.exe that prevents RootkitRevealer from accurately analysing your system. If CMD.exe is available on your system please report this failure.'
RootkitRevealer at the end of the scan stated '83570 discrepancies found'. I of course tried to save, but my screen again went peculiar, with the screen filling with the first ten or so lines and the last few.
I did try and scribble down some details that I caught:
There was one folder with no description but a timestamp date of 01011601 0100hrs!!!
Another, can't remember whether a folder or file: $repair$Config 05052010 2358 hidden from API
Another: $Txflog\$Tops:$T 264.4MB Hidden from Windows API
Another (I think it is E and not C, my bloody scribble!!): e\extend\SrmMetadata\$Txflog\$Txflog.Blf
Another: e\extend\SrmMetadata\$Txflog\$Txflog.container000000000000000001
Another: e\extend\SrmMetadata\$Txflog\$Txflog.container000000000000000004

On the second run of RootkitRevealer the same thing happened again; I had an alert from Norton, the source was different and the command line a bit different:
A process is attempting to launch a target process
Source: c:\users\Toshiba admin\Appdata\Local\Temp\NKQUPTX.exe
Target: c:\Windows\System32\CMD.exe
Command Line:/c chcp6500/&& set DIRCMD=&& "cmd/cd15/4/a/s E:\>c:windows\system32\QGACSBMMAA"

When I saw the source I thought I had seen the 'NKQUPTX' somewhere. When I checked the Windows dialogue box it listed the path of RootkitRevealer, which is:
C\users\Toshib~\\Appdata\local\temp\NKQUPTX.exe received 9th June 1856. How peculiar; means nothing to me except it must surely be dodgy? You'll know, I expect.
The only other things I managed to pick up were the following files, which were hidden from Windows API:
c\users\Toshiba admin\Templates
c\users\Toshiba admin\Start Menu
c\users\Toshiba admin\Send to
c\users\Toshiba admin\Recent
c\users\Toshiba admin\Printhood
c\users\Toshiba admin\Nethood
c\users\Toshiba admin\My documents

That's about it on RootkitRevealer.
However, on the Dell PC which Panda is dealing with, System Restore keeps failing; it tells me that some files were in use by the system (forgot to mention this yesterday). However, it has tended to be the only way, other than removing all firewall blocks, to get access back on to the internet. I keep getting Unidentified Network or Network 2 to connect to; I cannot remove either network from my machine via network and support centre, I can only configure adapter properties, and more often than not I cannot connect automatically, I have to enter IP details. My profile is public for the unidentified network and when I try to change it to home I get a message that IPv6 must be enabled before I can create a home network, which I am not prepared to do. When I converted to Windows 7 on this Dell it highlighted the fact that I had a VPN on the machine and a Teredo tunneling adapter and WAN miniports that were active.
Hope I can get this on and that it makes sense and will help you identify the culprit.
Thank you
Alan

#6 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  • Gender:Male
  • Local time:11:56 PM

Posted 10 June 2010 - 08:19 PM

Hello Alan.

I've had a busy week, so I'll try to reply to you on this weekend.

Thanks for your patience.

With Regards,
The Panda

#7 Albear

Albear
  • Topic Starter

  • Members
  • 59 posts
  • OFFLINE
  • Local time:03:56 AM

Posted 11 June 2010 - 05:42 AM

OK thank you

#8 Albear

Albear
  • Topic Starter

  • Members
  • 59 posts
  • OFFLINE
  • Local time:03:56 AM

Posted 13 June 2010 - 08:58 AM

Hi, need to post this before I forget the detail. Since having problems, I have not configured Outlook, which the family normally uses to send and receive email. I've used IE and gone to the BT Yahoo login via search engine and then signed in. Yesterday IE refused to open the BT Yahoo login even though the Norton safe search found it. So I installed Firefox. This morning Firefox is now refusing. So I went to the Start menu and Programs to open Outlook. In my list of program files, there are no Office programs. So I went to Programs and Office is there; went to look for Outlook and have something called outlookautodiscover, and then within that loads of what look like ISP providers including btinternet.net; now btinternet is .com(??) and it opens an HTML file, the details of which I post below.
<?xml version="1.0" encoding="utf-8" ?>
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
  <Response xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">
    <Account>
      <AccountType>email</AccountType>
      <Action>settings</Action>
      <Protocol>
        <Type>POP3</Type>
        <Server>mail.btinternet.com</Server>
        <Port>110</Port>
        <SPA>off</SPA>
        <SSL>off</SSL>
        <AuthRequired>on</AuthRequired>
      </Protocol>
      <Protocol>
        <Type>SMTP</Type>
        <Server>mail.btinternet.com</Server>
        <Port>25</Port>
        <SPA>off</SPA>
        <SSL>off</SSL>
        <AuthRequired>on</AuthRequired>
        <UsePOPAuth>on</UsePOPAuth>
      </Protocol>
    </Account>
  </Response>
</Autodiscover>
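The file posted above is a standard Outlook Autodiscover response: it tells Outlook which servers and ports to use for an ISP's mailbox. What stands out from a security angle is not its presence but its contents: both protocol blocks require a password (AuthRequired on) while SSL is off, so the POP3 login on port 110 and the SMTP login on port 25 would cross the network in cleartext. The Python script below is an added example written for this edit, not code from the thread, from Microsoft or from BT; it parses the posted XML, lists each protocol block, flags the ones that send credentials without TLS, and shows the same block with SSL on. The TLS ports it proposes (995 for POP3, 993 for IMAP, 587 for SMTP submission) are the conventional defaults and are an assumption, not something taken from the ISP's real configuration.

```python
"""Check an Outlook Autodiscover response for cleartext mail settings.
Added example for this thread; not a BleepingComputer, Microsoft or BT tool."""
import xml.etree.ElementTree as ET
from typing import Dict, List

# Namespace of the <Response> subtree in the XML posted above.
RESP_NS = "http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a"

# Conventional TLS ports for the same protocols (assumption: a client's usual defaults,
# not anything read from the ISP).
SECURE_PORTS = {"POP3": 995, "IMAP": 993, "SMTP": 587}


def parse_protocols(xml_text: str) -> List[Dict]:
    """Return one dict per <Protocol> block: type, server, port, ssl, spa, auth_required."""
    root = ET.fromstring(xml_text.strip().encode("utf-8"))
    protocols = []
    for proto in root.iter(f"{{{RESP_NS}}}Protocol"):
        def field(tag: str) -> str:
            elem = proto.find(f"{{{RESP_NS}}}{tag}")
            return (elem.text or "").strip() if elem is not None else ""
        protocols.append({
            "type": field("Type"),
            "server": field("Server"),
            "port": int(field("Port") or 0),
            "ssl": field("SSL").lower() == "on",
            "spa": field("SPA").lower() == "on",
            "auth_required": field("AuthRequired").lower() == "on",
        })
    return protocols


def cleartext_credentials(protocols: List[Dict]) -> List[Dict]:
    """Protocol blocks that demand a password but have SSL off: the login travels
    unencrypted over whatever network the machine happens to be on."""
    return [p for p in protocols if p["auth_required"] and not p["ssl"]]


def hardened(protocol: Dict) -> Dict:
    """The same block with SSL on and the conventional TLS port for its type (assumed default)."""
    fixed = dict(protocol)
    fixed["ssl"] = True
    fixed["port"] = SECURE_PORTS.get(protocol["type"], protocol["port"])
    return fixed


# The Autodiscover document from the post above, embedded as the sample input.
SAMPLE_XML = """<?xml version="1.0" encoding="utf-8" ?>
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
<Response xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">
<Account>
<AccountType>email</AccountType>
<Action>settings</Action>
<Protocol>
<Type>POP3</Type>
<Server>mail.btinternet.com</Server>
<Port>110</Port>
<SPA>off</SPA>
<SSL>off</SSL>
<AuthRequired>on</AuthRequired>
</Protocol>
<Protocol>
<Type>SMTP</Type>
<Server>mail.btinternet.com</Server>
<Port>25</Port>
<SPA>off</SPA>
<SSL>off</SSL>
<AuthRequired>on</AuthRequired>
<UsePOPAuth>on</UsePOPAuth>
</Protocol>
</Account>
</Response>
</Autodiscover>
"""

if __name__ == "__main__":
    protocols = parse_protocols(SAMPLE_XML)
    for p in cleartext_credentials(protocols):
        h = hardened(p)
        print(f"{p['type']} {p['server']}:{p['port']} sends the password in the clear;"
              f" with TLS this would be port {h['port']} with SSL on")
```

A response like this is what an ISP publishes for any client that asks, so it is not by itself a sign of tampering on the machine; the useful outcome of running the check is knowing which of the configured accounts need their encryption setting changed, whatever the machine's state turns out to be.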

#9 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  • Gender:Male
  • Local time:11:56 PM

Posted 13 June 2010 - 09:04 AM

Hello Albear. Sorry again for the delay.

Please try to remember that this section is strictly for malware related issues.

QUOTE
So I went to AVG and downloaded their free scan. Their scan told me that I have no malware; however, it also told me my system was 'bad' and only 17% effective
Please provide me a link to this tool.

QUOTE
I have programs accessing the internet with Norton's automatic approval; Windows Activation Technology services, for example, is accessing port 443, and a Windows start-up application has permission for inbound communication to local port 49152??? What is that? I keep blocking and new rules spring up!
Windows Activation is a legit antipiracy component.

RootkitRevealer has not been updated in some years, and is not fully compatible with Windows 7.

QUOTE
The first time I watched and when the scan moved from C drive to E the scan on both occasions (dialogue on toolbar stated 'enumerating E'), I got the following message in my desktop window from Norton 'alert', it said:
A process is attempting to launch a target process
Source: c:\users\Toshiba admin\Appdata\Local\Temp\QTL10JEL.exe
Target: c:\Windows\System32\CMD.exe
Command Line:/c chcp6500/&& set DIRCMD=&& "cmd/cd15/4/a/s E:\7 c:users\toshiba admin\desktop\hQ"
This is something to investigate. Please run SystemLook to get a look inside the temp folder.

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    CODE
    :dir
    c:\users\Toshiba admin\Appdata\Local\Temp /sub

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

With Regards,
The Panda

#10 Albear

Albear
  • Topic Starter

  • Members
  • 59 posts
  • OFFLINE
  • Local time:03:56 AM

Posted 15 June 2010 - 03:18 PM

Hi, I need to get the link for the email scanner off my email; unfortunately at the mo I can't access it!! I have been using IE to access it but IE stopped me accessing it, told me network connection problem, even though I could connect to every other website I tried. So I installed Firefox and could access it, but the next day the same thing happened with Firefox!! I can access all websites except the BT Yahoo login on Firefox.
As to RootkitRevealer, it was run on the Toshiba laptop, 32-bit Vista. I contacted EB and he told me to deal with this matter through you. I keep saying my machine has been hijacked, but I believe hijacked via a rootkit/malware, so this is the right forum (I think?).
I had to copy SystemLook on to a memory stick to run it on the Toshiba; below is the result:

SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 20:31 on 15/06/2010 by Toshiba admin (Administrator - Elevation successful)

========== dir ==========

c:\users\Toshiba admin\Appdata\Local\Temp - Parameters: "/sub"

---Files---
Toshiba admin.bmp --a--- 31832 bytes [18:46 14/06/2010] [19:30 15/06/2010]

c:\users\Toshiba admin\Appdata\Local\Temp\Low d----- [18:52 14/06/2010]

c:\users\Toshiba admin\Appdata\Local\Temp\WPDNSE d----- [19:30 15/06/2010]

-=End Of File=-

#11 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  • Gender:Male
  • Local time:11:56 PM

Posted 17 June 2010 - 07:45 PM

Hello.

So far, I've seen no definite signs of infection. Let's see what ComboFix removed.

Please post the contents of this file:
c:\ComboFix.txt

And, if any of these files exist, post them as well.
c:\QooBox\ComboFix*.txt

With Regards,
The Panda

Edited by PropagandaPanda, 17 June 2010 - 07:45 PM.


#12 Albear

Albear
  • Topic Starter

  • Members
  • 59 posts
  • OFFLINE
  • Local time:03:56 AM

Posted 18 June 2010 - 01:59 AM

Hi Panda, this is going to be confusing and I apologise. As you know I do not have internet access on my Toshiba, which is what we've been looking at. At the moment I cannot copy ComboFix on to my memory stick for some reason, so I will keep trying. I have however run ComboFix on the Dell and post the log below; the Dell, which is what I am currently using for internet access, is on Windows 7. The day before yesterday I ran a program called RKUnhooker (www.rootkit.com/vault/DiabloNova/RKUnhookerLE.EXE) and the results of that really frightened me, but as I'm ignorant of what these results mean perhaps I'm being paranoid again!!!! Just to clarify one other thing: these machines are purely for home use, I have never shared them with each other or with any other machine/user/network (knowingly) and they have never been used for business purposes (that I know of!), purely home use.
Posted below are the results for the Dell, Windows 7. I will keep trying to get ComboFix on to the Toshiba, and if and when I do I will put those results, with the RKUnhooker for the Tosh, in my next post.

RKUnhooker results
RkU Version: 3.8.388.590, Type LE (SR2)
==============================================
OS Name: Windows 7
Version 6.1.7600
Number of processors #4
==============================================
>SSDT State
==============================================
ntoskrnl.exe-->NtAlertResumeThread, Type: Address change 0x8331630D-->870CDC88 [Unknown module filename]
ntoskrnl.exe-->NtAlertThread, Type: Address change 0x8329F03B-->87710868 [Unknown module filename]
ntoskrnl.exe-->NtAllocateVirtualMemory, Type: Address change 0x8324C746-->878BBD98 [Unknown module filename]
ntoskrnl.exe-->NtAlpcConnectPort, Type: Address change 0x8325F944-->86E5DBE0 [Unknown module filename]
ntoskrnl.exe-->NtAssignProcessToJobObject, Type: Address change 0x832B7BA1-->877569D0 [Unknown module filename]
ntoskrnl.exe-->NtCreateMutant, Type: Address change 0x832AE5FB-->878BD208 [Unknown module filename]
ntoskrnl.exe-->NtCreateSymbolicLinkObject, Type: Address change 0x8322DA11-->878AFBA8 [Unknown module filename]
ntoskrnl.exe-->NtCreateThread, Type: Address change 0x83314586-->878BDED8 [Unknown module filename]
ntoskrnl.exe-->NtCreateThreadEx, Type: Address change 0x8329DD9D-->878AFC78 [Unknown module filename]
ntoskrnl.exe-->NtDebugActiveProcess, Type: Address change 0x832E7292-->87893048 [Unknown module filename]
ntoskrnl.exe-->NtDuplicateObject, Type: Address change 0x83299E5F-->878BBEF0 [Unknown module filename]
ntoskrnl.exe-->NtFreeVirtualMemory, Type: Address change 0x830BFCEC-->878BBBF8 [Unknown module filename]
ntoskrnl.exe-->NtImpersonateAnonymousToken, Type: Address change 0x8329288A-->877B1048 [Unknown module filename]
ntoskrnl.exe-->NtImpersonateThread, Type: Address change 0x83270978-->87753048 [Unknown module filename]
ntoskrnl.exe-->NtLoadDriver, Type: Address change 0x831E4124-->86EAD538 [Unknown module filename]
ntoskrnl.exe-->NtMapViewOfSection, Type: Address change 0x83279243-->878B43A8 [Unknown module filename]
ntoskrnl.exe-->NtOpenEvent, Type: Address change 0x8326F69C-->87719A40 [Unknown module filename]
ntoskrnl.exe-->NtOpenProcess, Type: Address change 0x8325B63D-->878BC0E0 [Unknown module filename]
ntoskrnl.exe-->NtOpenProcessToken, Type: Address change 0x8329885A-->87082588 [Unknown module filename]
ntoskrnl.exe-->NtOpenSection, Type: Address change 0x832A7ED4-->87774F10 [Unknown module filename]
ntoskrnl.exe-->NtOpenThread, Type: Address change 0x832B0F25-->878BBFC0 [Unknown module filename]
ntoskrnl.exe-->NtProtectVirtualMemory, Type: Address change 0x8327FB59-->878AFD58 [Unknown module filename]
ntoskrnl.exe-->NtResumeThread, Type: Address change 0x8326B61B-->86FDC140 [Unknown module filename]
ntoskrnl.exe-->NtSetContextThread, Type: Address change 0x8331568B-->86FAE398 [Unknown module filename]
ntoskrnl.exe-->NtSetInformationProcess, Type: Address change 0x83249A59-->878B4250 [Unknown module filename]
ntoskrnl.exe-->NtSetSystemInformation, Type: Address change 0x83226F85-->877EE048 [Unknown module filename]
ntoskrnl.exe-->NtSuspendProcess, Type: Address change 0x83316247-->8772A5B0 [Unknown module filename]
ntoskrnl.exe-->NtSuspendThread, Type: Address change 0x832D06D0-->87078110 [Unknown module filename]
ntoskrnl.exe-->NtTerminateProcess, Type: Address change 0x8325BAC9-->86CD1358 [Unknown module filename]
ntoskrnl.exe-->NtTerminateThread, Type: Address change 0x83273058-->860FEB60 [Unknown module filename]
ntoskrnl.exe-->NtUnmapViewOfSection, Type: Address change 0x8329BAAA-->86FBCA00 [Unknown module filename]
ntoskrnl.exe-->NtWriteVirtualMemory, Type: Address change 0x8328B949-->878BBCC8 [Unknown module filename]
==============================================
>Shadow
==============================================
win32k.sys-->NtUserAttachThreadInput, Type: Address change 0x9C97D15F-->883439B0 [Unknown module filename]
win32k.sys-->NtUserGetAsyncKeyState, Type: Address change 0x9C99A1DB-->88301B08 [Unknown module filename]
win32k.sys-->NtUserGetKeyboardState, Type: Address change 0x9CA7C7E4-->88301A48 [Unknown module filename]
win32k.sys-->NtUserGetKeyState, Type: Address change 0x9C9A6291-->88259B10 [Unknown module filename]
win32k.sys-->NtUserGetRawInputData, Type: Address change 0x9CA88293-->882F9B08 [Unknown module filename]
win32k.sys-->NtUserMessageCall, Type: Address change 0x9C9E17BB-->8824F9F0 [Unknown module filename]
win32k.sys-->NtUserPostMessage, Type: Address change 0x9C9D89DA-->8824FB90 [Unknown module filename]
win32k.sys-->NtUserPostThreadMessage, Type: Address change 0x9C9D66F1-->8824FAC0 [Unknown module filename]
win32k.sys-->NtUserSetWindowsHookEx, Type: Address change 0x9C9B8513-->881E0CA0 [Unknown module filename]
win32k.sys-->NtUserSetWinEventHook, Type: Address change 0x9C9D63B5-->88297FB0 [Unknown module filename]
==============================================
>Processes
==============================================
0x87978930 [288] C:\Windows\System32\smss.exe (Microsoft Corporation, Windows Session Manager)
0x85EA32D8 [416] C:\Program Files\AVG\AVGLS9\avgtray.exe (AVG Technologies CZ, s.r.o., AVG Tray Monitor)
0x88227910 [420] C:\Windows\System32\csrss.exe (Microsoft Corporation, Client Server Runtime Process)
0x8853FD40 [492] C:\Windows\System32\wininit.exe (Microsoft Corporation, Windows Start-Up Application)
0x88561B30 [500] C:\Windows\System32\csrss.exe (Microsoft Corporation, Client Server Runtime Process)
0x8857FD40 [548] C:\Windows\System32\winlogon.exe (Microsoft Corporation, Windows Logon Application)
0x885997E8 [600] C:\Windows\System32\services.exe (Microsoft Corporation, Services and Controller app)
0x87A4FD40 [608] C:\Windows\System32\lsass.exe (Microsoft Corporation, Local Security Authority Process)
0x88630678 [616] C:\Windows\System32\lsm.exe (Microsoft Corporation, Local Session Manager Service)
0x8861E728 [708] C:\Windows\System32\svchost.exe (Microsoft Corporation, Host Process for Windows Services)
0x88722930 [788] C:\Windows\System32\svchost.exe (Microsoft Corporation, Host Process for Windows Services)
0x887C87E0 [888] C:\Windows\System32\atiesrxx.exe (AMD, AMD External Events Service Module)
0x879797D8 [940] C:\Windows\System32\svchost.exe (Microsoft Corporation, Host Process for Windows Services)
0x886EB270 [972] C:\Windows\System32\svchost.exe (Microsoft Corporation, Host Process for Windows Services)
0x88830D40 [1004] C:\Windows\System32\svchost.exe (Microsoft Corporation, Host Process for Windows Services)
0x88875698 [1136] C:\Windows\System32\svchost.exe (Microsoft Corporation, Host Process for Windows Services)
0x88897930 [1296] C:\Windows\System32\svchost.exe (Microsoft Corporation, Host Process for Windows Services)
0x87AF3288 [1360] C:\Windows\System32\atieclxx.exe (AMD, AMD External Events Client Module)
0x8891D030 [1492] C:\Windows\System32\spoolsv.exe (Microsoft Corporation, Spooler SubSystem App)
0x88934440 [1520] C:\Windows\System32\svchost.exe (Microsoft Corporation, Host Process for Windows Services)
0x88A01810 [1612] C:\Program Files\Realtek\Audio\HDA\AERTSrv.exe (Andrea Electronics Corporation, Andrea filters APO access service (32-bit))
0x889CA520 [1644] C:\Windows\System32\svchost.exe (Microsoft Corporation, Host Process for Windows Services)
0x889D6D40 [1692] C:\Program Files\Norton 360\Norton 360\Engine\3.8.0.41\ccSvcHst.exe (Symantec Corporation, Symantec Service Framework)
0x88ADD5C8 [1808] C:\Windows\System32\svchost.exe (Microsoft Corporation, Host Process for Windows Services)
0x88C5CB38 [2060] C:\Windows\System32\WUDFHost.exe (Microsoft Corporation, Windows Driver Foundation - User-mode Driver Framework Host Process)
0x88C9EA58 [2164] C:\Windows\System32\svchost.exe (Microsoft Corporation, Host Process for Windows Services)
0x868EE3D0 [2244] C:\Users\Alan\Downloads\RKUnhookerLE.EXE (UG North, RKULE, SR2 Normandy)
0x864C7D40 [2548] C:\Program Files\AVG\AVGLS9\avgnsx.exe (AVG Technologies CZ, s.r.o., AVG Network scanner Service)
0x88CA3030 [2816] C:\Windows\System32\taskhost.exe (Microsoft Corporation, Host Process for Windows Tasks)
0x88C9F030 [2832] C:\Program Files\Norton 360\Norton 360\Engine\3.8.0.41\ccSvcHst.exe (Symantec Corporation, Symantec Service Framework)
0x88F1BCF8 [2928] C:\Windows\System32\dwm.exe (Microsoft Corporation, Desktop Window Manager)
0x85931D40 [2964] C:\Windows\explorer.exe (Microsoft Corporation, Windows Explorer)
0x867BCD40 [3460] C:\Program Files\AVG\AVGLS9\avgwdsvc.exe (AVG Technologies CZ, s.r.o., AVG Watchdog Service)
0x87903260 [3680] C:\Windows\System32\SearchIndexer.exe (Microsoft Corporation, Microsoft Windows Search Indexer)
0x85935740 [3828] C:\Program Files\Windows Media Player\wmpnetwk.exe (Microsoft Corporation, Windows Media Player Network Sharing Service)
0x857C3C78 [4] System
0x8647AD40 [2492] C:\Windows\System32\audiodg.exe (Microsoft Corporation, Windows Audio Device Graph Isolation )
==============================================
>Drivers
==============================================
0x9A82F000 C:\Windows\system32\DRIVERS\atikmdag.sys 5324800 bytes (ATI Technologies Inc., ATI Radeon Kernel Mode Driver)
0x83043000 C:\Windows\system32\ntoskrnl.exe 4194304 bytes (Microsoft Corporation, NT Kernel & System)
0x83043000 PnpManager 4194304 bytes
0x83043000 RAW 4194304 bytes
0x83043000 WMIxWDM 4194304 bytes
0x9993E000 C:\Windows\system32\drivers\RTKVHDA.sys 2658304 bytes (Realtek Semiconductor Corp., Realtek® High Definition Audio Function Driver)
0x9C930000 Win32k 2400256 bytes
0x9C930000 C:\Windows\System32\win32k.sys 2400256 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0x8CC01000 C:\Windows\System32\drivers\tcpip.sys 1347584 bytes (Microsoft Corporation, TCP/IP Driver)
0x93434000 C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100615.022\NAVEX15.SYS 1343488 bytes (Symantec Corporation, AV Engine)
0x8C88B000 C:\Windows\System32\Drivers\Ntfs.sys 1241088 bytes (Microsoft Corporation, NT File System Driver)
0x9AD43000 C:\Windows\System32\drivers\dxgkrnl.sys 749568 bytes (Microsoft Corporation, DirectX Graphics Kernel)
0x8CA6C000 C:\Windows\system32\drivers\ndis.sys 749568 bytes (Microsoft Corporation, NDIS 6.20 driver)
0x8C50D000 C:\Windows\system32\CI.dll 700416 bytes (Microsoft Corporation, Code Integrity Module)
0x95177000 C:\Windows\system32\drivers\peauth.sys 618496 bytes (Microsoft Corporation, Protected Environment Authentication and Authorization Export Driver)
0x95036000 C:\Windows\system32\drivers\HTTP.sys 544768 bytes (Microsoft Corporation, HTTP Protocol Stack)
0x99827000 C:\Windows\System32\Drivers\N360\0308000.029\ccHPx86.sys 503808 bytes (Symantec Corporation, Common Client Hash Provider Driver)
0x8C43A000 C:\Windows\system32\mcupdate_GenuineIntel.dll 491520 bytes (Microsoft Corporation, Intel Microcode Update Library)
0x8C5B8000 C:\Windows\system32\drivers\Wdf01000.sys 462848 bytes (Microsoft Corporation, Kernel Mode Driver Framework Runtime)
0x8CF6B000 C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys 385024 bytes (Symantec Corporation, Symantec Eraser Control Driver)
0x8C9F8000 C:\Windows\System32\Drivers\cng.sys 380928 bytes (Microsoft Corporation, Kernel Cryptography, Next Generation)
0x936B8000 C:\Windows\system32\drivers\afd.sys 368640 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0x8CF13000 C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\ipsdefs\20100604.004\IDSvix86.sys 360448 bytes (Symantec Corporation, IDS Core Driver)
0x8CEC0000 C:\Windows\System32\Drivers\N360\0308000.029\SRTSP.SYS 339968 bytes (Symantec Corporation, Symantec AutoProtect)
0x95295000 C:\Windows\System32\DRIVERS\srv.sys 331776 bytes (Microsoft Corporation, Server driver)
0x9AFAB000 C:\Windows\system32\drivers\HdAudio.sys 327680 bytes (Microsoft Corporation, High Definition Audio Function Driver)
0x95246000 C:\Windows\System32\DRIVERS\srv2.sys 323584 bytes (Microsoft Corporation, Smb 2.0 Server driver)
0x8C83C000 C:\Windows\system32\drivers\N360\0308000.029\SYMEFA.SYS 323584 bytes (Symantec Corporation, Symantec Extended File Attributes)
0x9AE5D000 C:\Windows\system32\DRIVERS\USBPORT.SYS 307200 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0x8C6E6000 C:\Windows\System32\drivers\volmgrx.sys 307200 bytes (Microsoft Corporation, Volume Manager Extension Driver)
0x8C637000 C:\Windows\system32\DRIVERS\ACPI.sys 294912 bytes (Microsoft Corporation, ACPI Driver for NT)
0x9AF67000 C:\Windows\system32\DRIVERS\usbhub.sys 278528 bytes (Microsoft Corporation, Default Hub Driver for USB)
0x998B0000 C:\Windows\System32\Drivers\N360\0308000.029\BHDrvx86.sys 270336 bytes (Symantec Corporation, BASH Driver)
0x8C4CB000 C:\Windows\system32\CLFS.SYS 270336 bytes (Microsoft Corporation, Common Log File System Driver)
0x937A4000 C:\Windows\system32\DRIVERS\rdbss.sys 266240 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0x9AEB7000 C:\Windows\system32\DRIVERS\Rt86win7.sys 258048 bytes (Realtek , Realtek 8101E/8168/8169 NDIS 6.20 32-bit Driver )
0x8CD7B000 C:\Windows\system32\DRIVERS\volsnap.sys 258048 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0x8CB23000 C:\Windows\system32\drivers\NETIO.SYS 253952 bytes (Microsoft Corporation, Network I/O Subsystem)
0x95109000 C:\Windows\system32\DRIVERS\mrxsmb10.sys 241664 bytes (Microsoft Corporation, Longhorn SMB Downlevel SubRdr)
0x953B8000 C:\Windows\System32\Drivers\avgtdix.sys 237568 bytes (AVG Technologies CZ, s.r.o., AVG Network connection watcher)
0x9ADFA000 C:\Windows\System32\drivers\dxgmms1.sys 233472 bytes (Microsoft Corporation, DirectX Graphics MMS)
0x8300C000 ACPI_HAL 225280 bytes
0x8300C000 C:\Windows\system32\halmacpi.dll 225280 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0x8C791000 C:\Windows\system32\drivers\fltmgr.sys 212992 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0x9AF25000 C:\Windows\system32\DRIVERS\ks.sys 212992 bytes (Microsoft Corporation, Kernel CSA Library)
0x93661000 C:\Windows\System32\Drivers\N360\0308000.029\SYMTDI.SYS 212992 bytes (Symantec Corporation, Network Dispatch Driver)
0x8CE07000 C:\Windows\System32\DRIVERS\fvevol.sys 204800 bytes (Microsoft Corporation, BitLocker Drive Encryption Driver)
0x93712000 C:\Windows\System32\DRIVERS\netbt.sys 204800 bytes (Microsoft Corporation, MBT Transport driver)
0x8CD4A000 C:\Windows\System32\drivers\fwpkclnt.sys 200704 bytes (Microsoft Corporation, FWP/IPsec Kernel-Mode API)
0x9A800000 C:\Windows\system32\drivers\portcls.sys 192512 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0x8CDC2000 C:\Windows\System32\drivers\rdyboost.sys 184320 bytes (Microsoft Corporation, ReadyBoost Driver)
0x8C9BA000 C:\Windows\System32\Drivers\msrpc.sys 176128 bytes (Microsoft Corporation, Kernel Remote Procedure Call Provider)
0x9538E000 C:\Windows\System32\Drivers\fastfat.SYS 172032 bytes (Microsoft Corporation, Fast FAT File System Driver)
0x8C690000 C:\Windows\system32\DRIVERS\pci.sys 172032 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
0x8CE4A000 C:\Windows\system32\DRIVERS\CLASSPNP.SYS 151552 bytes (Microsoft Corporation, SCSI Class System Dll)
0x8CB61000 C:\Windows\System32\Drivers\ksecpkg.sys 151552 bytes (Microsoft Corporation, Kernel Security Support Provider Interface Packages)
0x93583000 C:\Windows\system32\Drivers\SYMEVENT.SYS 151552 bytes (Symantec Corporation, Symantec Event Library)
0x8C765000 C:\Windows\system32\DRIVERS\ataport.SYS 143360 bytes (Microsoft Corporation, ATAPI Driver Extension)
0x950E6000 C:\Windows\system32\DRIVERS\mrxsmb.sys 143360 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
0x95218000 C:\Windows\System32\DRIVERS\srvnet.sys 135168 bytes (Microsoft Corporation, Server Network driver)
0x998F2000 C:\Windows\system32\DRIVERS\tunnel.sys 135168 bytes (Microsoft Corporation, Microsoft Tunnel Interface Driver)
0x935E0000 C:\Windows\System32\drivers\VIDEOPRT.SYS 135168 bytes (Microsoft Corporation, Video Port Driver)
0x952E6000 C:\Windows\system32\DRIVERS\WUDFRd.sys 135168 bytes (Microsoft Corporation, Windows Driver Foundation - User-mode Driver Framework Reflector)
0x95000000 C:\Windows\System32\Drivers\avgldx86.sys 131072 bytes (AVG Technologies CZ, s.r.o., AVG AVI Loader Driver)
0x8CEA1000 C:\Windows\system32\DRIVERS\cdrom.sys 126976 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
0x9AE33000 C:\Windows\system32\DRIVERS\HDAudBus.sys 126976 bytes (Microsoft Corporation, High Definition Audio Bus Driver)
0x9374B000 C:\Windows\system32\DRIVERS\pacer.sys 126976 bytes (Microsoft Corporation, QoS Packet Scheduler)
0x9CBC0000 C:\Windows\System32\cdd.dll 122880 bytes (Microsoft Corporation, Canonical Display Driver)
0x93400000 C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys 118784 bytes (Symantec Corporation, Symantec Eraser Utility Driver)
0x8CB91000 C:\Windows\system32\drivers\luafv.sys 110592 bytes (Microsoft Corporation, LUA File Virtualization Filter Driver)
0x95144000 C:\Windows\system32\DRIVERS\mrxsmb20.sys 110592 bytes (Microsoft Corporation, Longhorn SMB 2.0 Redirector)
0x8CBAC000 C:\Windows\system32\drivers\WudfPf.sys 106496 bytes (Microsoft Corporation, Windows Driver Foundation - User-mode Driver Framework Platform Driver)
0x950BB000 C:\Windows\system32\DRIVERS\bowser.sys 102400 bytes (Microsoft Corporation, NT Lan Manager Datagram Receiver Driver)
0x99925000 C:\Windows\system32\drivers\drmk.sys 102400 bytes (Microsoft Corporation, Microsoft Trusted Audio Drivers)
0x8CFC9000 C:\Windows\System32\Drivers\dfsc.sys 98304 bytes (Microsoft Corporation, DFS Namespace Client Driver)
0x9363F000 C:\Windows\system32\DRIVERS\tdx.sys 94208 bytes (Microsoft Corporation, TDI Translation Driver)
0x8CE6F000 C:\Windows\system32\DRIVERS\usbccgp.sys 94208 bytes (Microsoft Corporation, USB Common Class Generic Parent Driver)
0x8CFE1000 C:\Windows\system32\DRIVERS\USBSTOR.SYS 94208 bytes (Microsoft Corporation, USB Mass Storage Class Driver)
0x8C746000 C:\Windows\System32\drivers\mountmgr.sys 90112 bytes (Microsoft Corporation, Mount Point Manager)
0x936A3000 C:\Windows\System32\Drivers\N360\0308000.029\SYMFW.SYS 86016 bytes (Symantec Corporation, Firewall Filter Driver)
0x95020000 C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100615.022\NAVENG.SYS 81920 bytes (Symantec Corporation, AV Engine)
0x8CE86000 C:\Windows\system32\DRIVERS\HIDCLASS.SYS 77824 bytes (Microsoft Corporation, Hid Class Library)
0x8C9E5000 C:\Windows\System32\Drivers\ksecdd.sys 77824 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0x8CBD6000 C:\Windows\system32\DRIVERS\rspndr.sys 77824 bytes (Microsoft Corporation, Link-Layer Topology Responder Driver for NDIS 6)
0x93781000 C:\Windows\system32\DRIVERS\wanarp.sys 77824 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
0x99913000 C:\Windows\system32\DRIVERS\intelppm.sys 73728 bytes (Microsoft Corporation, Processor Device Driver)
0x950D4000 C:\Windows\System32\drivers\mpsdrv.sys 73728 bytes (Microsoft Corporation, Microsoft Protection Service Driver)
0x8CE39000 C:\Windows\system32\DRIVERS\disk.sys 69632 bytes (Microsoft Corporation, PnP Disk Driver)
0x99800000 C:\Windows\System32\Drivers\dump_dumpfve.sys 69632 bytes
0x8C7C5000 C:\Windows\system32\drivers\fileinfo.sys 69632 bytes (Microsoft Corporation, FileInfo Filter Driver)
0x8C6C5000 C:\Windows\System32\drivers\partmgr.sys 69632 bytes (Microsoft Corporation, Partition Management Driver)
0x8C4B2000 C:\Windows\system32\PSHED.dll 69632 bytes (Microsoft Corporation, Platform Specific Hardware Error Driver)
0x8CBC6000 C:\Windows\system32\DRIVERS\lltdio.sys 65536 bytes (Microsoft Corporation, Link-Layer Topology Mapper I/O Driver)
0x8CDEF000 C:\Windows\System32\Drivers\mup.sys 65536 bytes (Microsoft Corporation, Multiple UNC Provider Driver)
0x93794000 C:\Windows\system32\DRIVERS\termdd.sys 65536 bytes (Microsoft Corporation, Remote Desktop Server Driver)
0x8C6D6000 C:\Windows\system32\DRIVERS\volmgr.sys 65536 bytes (Microsoft Corporation, Volume Manager Driver)
0x9AEA8000 C:\Windows\system32\DRIVERS\usbehci.sys 61440 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
0x998A2000 C:\Windows\system32\DRIVERS\blbdrive.sys 57344 bytes (Microsoft Corporation, BLB Drive Driver)
0x93773000 C:\Windows\system32\DRIVERS\netbios.sys 57344 bytes (Microsoft Corporation, NetBIOS interface driver)
0x93631000 C:\Windows\System32\Drivers\Npfs.SYS 57344 bytes (Microsoft Corporation, NPFS Driver)
0x8C738000 C:\Windows\system32\DRIVERS\PCIIDEX.SYS 57344 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
0x8CA55000 C:\Windows\System32\drivers\pcw.sys 57344 bytes (Microsoft Corporation, Performance Counters for Windows Driver)
0x93695000 C:\Windows\System32\Drivers\N360\0308000.029\SYMNDISV.SYS 57344 bytes (Symantec Corporation, NDIS Filter Driver)
0x9AF59000 C:\Windows\system32\DRIVERS\umbus.sys 57344 bytes (Microsoft Corporation, User-Mode Bus Enumerator)
0x8C629000 C:\Windows\system32\drivers\WDFLDR.SYS 57344 bytes (Microsoft Corporation, Kernel Mode Driver Framework Loader)
0x9AEFC000 C:\Windows\system32\DRIVERS\CompositeBus.sys 53248 bytes (Microsoft Corporation, Multi-Transport Composite Bus Enumerator)
0x99BC7000 C:\Windows\System32\Drivers\crashdmp.sys 53248 bytes (Microsoft Corporation, Crash Dump Driver)
0x9AF09000 C:\Windows\system32\DRIVERS\kbdclass.sys 53248 bytes (Microsoft Corporation, Keyboard Class Driver)
0x9AF16000 C:\Windows\system32\DRIVERS\mouclass.sys 53248 bytes (Microsoft Corporation, Mouse Class Driver)
0x95239000 C:\Windows\System32\drivers\tcpipreg.sys 53248 bytes (Microsoft Corporation, TCP/IP Registry Compatibility Driver)
0x93601000 C:\Windows\System32\drivers\watchdog.sys 53248 bytes (Microsoft Corporation, Watchdog Driver)
0x9341D000 C:\Windows\System32\drivers\discache.sys 49152 bytes (Microsoft Corporation, System Indexer/Cache Driver)
0x99BF2000 C:\Windows\system32\DRIVERS\kbdhid.sys 49152 bytes (Microsoft Corporation, HID Keyboard Filter Driver)
0x935D4000 C:\Windows\System32\drivers\vga.sys 49152 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
0x99BD4000 C:\Windows\System32\Drivers\dump_dumpata.sys 45056 bytes
0x99811000 C:\Windows\system32\DRIVERS\hidusb.sys 45056 bytes (Microsoft Corporation, USB Miniport Driver for Input Devices)
0x8CB86000 C:\Windows\system32\DRIVERS\monitor.sys 45056 bytes (Microsoft Corporation, Monitor Driver)
0x93429000 C:\Windows\system32\DRIVERS\mouhid.sys 45056 bytes (Microsoft Corporation, HID Mouse Filter Driver)
0x93626000 C:\Windows\System32\Drivers\Msfs.SYS 45056 bytes (Microsoft Corporation, Mailslot driver)
0x93656000 C:\Windows\system32\DRIVERS\TDI.SYS 45056 bytes (Microsoft Corporation, TDI Wrapper)
0x9AE52000 C:\Windows\system32\DRIVERS\usbuhci.sys 45056 bytes (Microsoft Corporation, UHCI USB Miniport Driver)
0x8C6BA000 C:\Windows\system32\DRIVERS\vdrvroot.sys 45056 bytes (Microsoft Corporation, Virtual Drive Root Enumerator)
0x99BDF000 C:\Windows\System32\drivers\Dxapi.sys 40960 bytes (Microsoft Corporation, DirectX API Driver)
0x937EF000 C:\Windows\system32\DRIVERS\mssmbios.sys 40960 bytes (Microsoft Corporation, System Management BIOS Driver)
0x937E5000 C:\Windows\system32\drivers\nsiproxy.sys 40960 bytes (Microsoft Corporation, NSI Proxy)
0x9520E000 C:\Windows\System32\Drivers\secdrv.SYS 40960 bytes (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K., Macrovision SECURITY Driver)
0x935BC000 C:\Windows\system32\drivers\N360\0308000.029\SRTSPX.SYS 40960 bytes (Symantec Corporation, Symantec AutoProtect)
0x8C788000 C:\Windows\system32\DRIVERS\amdxata.sys 36864 bytes (Advanced Micro Devices, Storage Filter Driver)
0x95371000 C:\Windows\system32\DRIVERS\asyncmac.sys 36864 bytes (Microsoft Corporation, MS Remote Access serial network driver)
0x8C75C000 C:\Windows\system32\DRIVERS\atapi.sys 36864 bytes (Microsoft Corporation, ATAPI IDE Miniport Driver)
0x99BE9000 C:\Windows\System32\Drivers\dump_atapi.sys 36864 bytes
0x8CA63000 C:\Windows\System32\Drivers\Fs_Rec.sys 36864 bytes (Microsoft Corporation, File System Recognizer Driver)
0x95168000 C:\Windows\System32\Drivers\Normandy.SYS 36864 bytes (RKU Driver)
0x9376A000 C:\Windows\system32\DRIVERS\SymIMv.sys 36864 bytes (Symantec Corporation, NDIS 6.0 Filter Driver for Windows Vista)
0x9CB90000 C:\Windows\System32\TSDDD.dll 36864 bytes (Microsoft Corporation, Framebuffer Display Driver)
0x8C67F000 C:\Windows\system32\DRIVERS\WMILIB.SYS 36864 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
0x8C4C3000 C:\Windows\system32\BOOTVID.dll 32768 bytes (Microsoft Corporation, VGA Boot Driver)
0x8CDFF000 C:\Windows\System32\drivers\hwpolicy.sys 32768 bytes (Microsoft Corporation, Hardware Policy Driver)
0x80B9C000 C:\Windows\system32\kdcom.dll 32768 bytes (Microsoft Corporation, Serial Kernel Debugger)
0x8C688000 C:\Windows\system32\DRIVERS\msisadrv.sys 32768 bytes (Microsoft Corporation, ISA Driver)
0x9360E000 C:\Windows\System32\DRIVERS\RDPCDD.sys 32768 bytes (Microsoft Corporation, RDP Miniport)
0x93616000 C:\Windows\system32\drivers\rdpencdd.sys 32768 bytes (Microsoft Corporation, RDP Encoder Miniport)
0x9361E000 C:\Windows\system32\drivers\rdprefmp.sys 32768 bytes (Microsoft Corporation, RDP Reflector Driver Miniport)
0x8CDBA000 C:\Windows\System32\Drivers\spldr.sys 32768 bytes (Microsoft Corporation, loader for security processor)
0x935CD000 C:\Windows\System32\Drivers\Beep.SYS 28672 bytes (Microsoft Corporation, BEEP Driver)
0x9981C000 C:\Windows\system32\DRIVERS\HIDPARSE.SYS 28672 bytes (Microsoft Corporation, Hid Parsing Library)
0x935C6000 C:\Windows\System32\Drivers\Null.SYS 28672 bytes (Microsoft Corporation, NULL Driver)
0x8C731000 C:\Windows\system32\DRIVERS\pciide.sys 28672 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)
0x93744000 C:\Windows\system32\DRIVERS\wfplwf.sys 28672 bytes (Microsoft Corporation, WFP NDIS 6.20 Lightweight Filter Driver)
0x9AEF6000 C:\Windows\system32\DRIVERS\GEARAspiWDM.sys 24576 bytes (GEAR Software Inc., CD DVD Filter)
0x9AF23000 C:\Windows\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
0x9AFFB000 C:\Windows\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
==============================================
>Stealth
==============================================
0x95331F2E Unknown thread object [ ETHREAD 0x85CCBD00 ] , 600 bytes
==============================================
>Files
==============================================
!-->[Hidden] C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\SRTSP\SrtETmp\C41CE792.TMP
!-->[Hidden] D:\$RECYCLE.BIN\S-1-5-21-4166073652-4277465495-2796784331-1000\desktop.ini
!-->[Hidden] D:\$RECYCLE.BIN\S-1-5-21-4166073652-4277465495-2796784331-1004\desktop.ini
!-->[Hidden] D:\autorun.inf\lpt3.Drive_is_protected_against_flash_viruses_by_RegRun
!-->[Hidden] D:\bootmgr
!-->[Hidden] D:\BOOTSECT.BAK
!-->[Hidden] D:\Boot\BCD
!-->[Hidden] D:\Boot\BCD.Backup.0001
!-->[Hidden] D:\Boot\BCD.LOG
!-->[Hidden] D:\Boot\BCD.LOG1
!-->[Hidden] D:\Boot\BCD.LOG2
!-->[Hidden] D:\Boot\BOOTSTAT.DAT
!-->[Hidden] D:\Boot\cs-CZ\bootmgr.exe.mui
!-->[Hidden] D:\Boot\da-DK\bootmgr.exe.mui
!-->[Hidden] D:\Boot\de-DE\bootmgr.exe.mui
!-->[Hidden] D:\Boot\el-GR\bootmgr.exe.mui
!-->[Hidden] D:\Boot\en-US\bootmgr.exe.mui
!-->[Hidden] D:\Boot\en-US\memtest.exe.mui
!-->[Hidden] D:\Boot\es-ES\bootmgr.exe.mui
!-->[Hidden] D:\Boot\fi-FI\bootmgr.exe.mui
!-->[Hidden] D:\Boot\Fonts\chs_boot.ttf
!-->[Hidden] D:\Boot\Fonts\cht_boot.ttf
!-->[Hidden] D:\Boot\Fonts\jpn_boot.ttf
!-->[Hidden] D:\Boot\Fonts\kor_boot.ttf
!-->[Hidden] D:\Boot\Fonts\wgl4_boot.ttf
!-->[Hidden] D:\Boot\fr-FR\bootmgr.exe.mui
!-->[Hidden] D:\Boot\hu-HU\bootmgr.exe.mui
!-->[Hidden] D:\Boot\it-IT\bootmgr.exe.mui
!-->[Hidden] D:\Boot\ja-JP\bootmgr.exe.mui
!-->[Hidden] D:\Boot\ko-KR\bootmgr.exe.mui
!-->[Hidden] D:\Boot\memtest.exe
!-->[Hidden] D:\Boot\nb-NO\bootmgr.exe.mui
!-->[Hidden] D:\Boot\nl-NL\bootmgr.exe.mui
!-->[Hidden] D:\Boot\pl-PL\bootmgr.exe.mui
!-->[Hidden] D:\Boot\pt-BR\bootmgr.exe.mui
!-->[Hidden] D:\Boot\pt-PT\bootmgr.exe.mui
!-->[Hidden] D:\Boot\ru-RU\bootmgr.exe.mui
!-->[Hidden] D:\Boot\sv-SE\bootmgr.exe.mui
!-->[Hidden] D:\Boot\tr-TR\bootmgr.exe.mui
!-->[Hidden] D:\Boot\zh-CN\bootmgr.exe.mui
!-->[Hidden] D:\Boot\zh-HK\bootmgr.exe.mui
!-->[Hidden] D:\Boot\zh-TW\bootmgr.exe.mui
!-->[Hidden] D:\comment.htt\lpt3.Drive_is_protected_against_flash_viruses_by_RegRun
!-->[Hidden] D:\desktop.ini\lpt3.Drive_is_protected_against_flash_viruses_by_RegRun
!-->[Hidden] D:\System Volume Information\Chkdsk\Chkdsk20100527033400.log
!-->[Hidden] D:\System Volume Information\Chkdsk\Chkdsk20100614113728.log
!-->[Hidden] D:\System Volume Information\Chkdsk\Chkdsk20100614113915.log
!-->[Hidden] D:\System Volume Information\EfaData\SYMEFA.DB
!-->[Hidden] D:\System Volume Information\LightningSand.CFD
!-->[Hidden] D:\System Volume Information\tracking.log
==============================================
>Hooks
==============================================
IDT-->Int 00h-->Divide Error, Type: IDT modification[83079570] [ntoskrnl.exe]
IDT-->Int 01h-->DEBUG TRAP, Type: IDT modification[83079700] [ntoskrnl.exe]
IDT-->Int 03h-->Breakpoint, Type: IDT modification[83079B70] [ntoskrnl.exe]
IDT-->Int 04h-->INTO, Type: IDT modification[83079CF8] [ntoskrnl.exe]
IDT-->Int 05h-->BOUND/Print Screen, Type: IDT modification[83079E58] [ntoskrnl.exe]
IDT-->Int 06h-->Invalid Opcode, Type: IDT modification[83079FCC] [ntoskrnl.exe]
IDT-->Int 07h-->NPX Not Available, Type: IDT modification[8307A5C8] [ntoskrnl.exe]
IDT-->Int 09h-->NPX Segment Overrun, Type: IDT modification[8307AA28] [ntoskrnl.exe]
IDT-->Int 0Ah-->Invalid TSS, Type: IDT modification[8307AB4C] [ntoskrnl.exe]
IDT-->Int 0Bh-->Segment Not Present, Type: IDT modification[8307AC8C] [ntoskrnl.exe]
IDT-->Int 0Ch-->Stack Fault, Type: IDT modification[8307AEEC] [ntoskrnl.exe]
IDT-->Int 0Dh-->General Protection, Type: IDT modification[8307B1DC] [ntoskrnl.exe]
IDT-->Int 0Eh-->Page Fault, Type: IDT modification[8307B8AC] [ntoskrnl.exe]
IDT-->Int 0Fh-->Intel Reserved, Type: IDT modification[8307BC60] [ntoskrnl.exe]
IDT-->Int 10h-->486 coprocessor error, Type: IDT modification[8307BD84] [ntoskrnl.exe]
IDT-->Int 11h-->486 alignment, Type: IDT modification[8307BEC4] [ntoskrnl.exe]
IDT-->Int 13h-->XMMI unmasked numeric exception, Type: IDT modification[8307C030] [ntoskrnl.exe]
IDT-->Int 14h-->Intel Reserved, Type: IDT modification[8307BC60] [ntoskrnl.exe]
IDT-->Int 15h-->Intel Reserved, Type: IDT modification[8307BC60] [ntoskrnl.exe]
IDT-->Int 16h-->Intel Reserved, Type: IDT modification[8307BC60] [ntoskrnl.exe]
IDT-->Int 17h-->Intel Reserved, Type: IDT modification[8307BC60] [ntoskrnl.exe]
IDT-->Int 18h-->Intel Reserved, Type: IDT modification[8307BC60] [ntoskrnl.exe]
IDT-->Int 19h-->Intel Reserved, Type: IDT modification[8307BC60] [ntoskrnl.exe]
IDT-->Int 1Ah-->Intel Reserved, Type: IDT modification[8307BC60] [ntoskrnl.exe]
IDT-->Int 1Bh-->Intel Reserved, Type: IDT modification[8307BC60] [ntoskrnl.exe]
IDT-->Int 1Ch-->Intel Reserved, Type: IDT modification[8307BC60] [ntoskrnl.exe]
IDT-->Int 1Dh-->Intel Reserved, Type: IDT modification[8307BC60] [ntoskrnl.exe]
IDT-->Int 1Eh-->Intel Reserved, Type: IDT modification[8307BC60] [ntoskrnl.exe]
IDT-->Int 1Fh-->Reserved for APIC, Type: IDT modification[83026AF8] [halmacpi.dll]
IDT-->Int 2Ah-->_KiGetTickCount, Type: IDT modification[83078BEA] [ntoskrnl.exe]
IDT-->Int 2Bh-->_KiCallbackReturn, Type: IDT modification[83078D70] [ntoskrnl.exe]
IDT-->Int 2Ch-->_KiRaiseAssertion, Type: IDT modification[83078EAC] [ntoskrnl.exe]
IDT-->Int 2Dh-->_KiDebugService, Type: IDT modification[83079A48] [ntoskrnl.exe]
IDT-->Int 2Eh-->_KiSystemService, Type: IDT modification[8307859E] [ntoskrnl.exe]
IDT-->Int 2Fh-->Reserved for APIC, Type: IDT modification[8307BC60] [ntoskrnl.exe]
IDT-->Int 30h-->Unexpected Interrupt, Type: IDT modification[83077C60] [ntoskrnl.exe]
IDT-->Int 31h-->Unexpected Interrupt, Type: IDT modification[83077C6A] [ntoskrnl.exe]
IDT-->Int 32h-->Unexpected Interrupt, Type: IDT modification[83077C74] [ntoskrnl.exe]
IDT-->Int 33h-->Unexpected Interrupt, Type: IDT modification[83077C7E] [ntoskrnl.exe]
IDT-->Int 34h-->Unexpected Interrupt, Type: IDT modification[83077C88] [ntoskrnl.exe]
IDT-->Int 35h-->Unexpected Interrupt, Type: IDT modification[83077C92] [ntoskrnl.exe]
IDT-->Int 36h-->Unexpected Interrupt, Type: IDT modification[83077C9C] [ntoskrnl.exe]
IDT-->Int 37h-->Unexpected Interrupt, Type: IDT modification[83026104] [halmacpi.dll]
IDT-->Int 38h-->Unexpected Interrupt, Type: IDT modification[83077CB0] [ntoskrnl.exe]
IDT-->Int 39h-->Unexpected Interrupt, Type: IDT modification[83077CBA] [ntoskrnl.exe]
IDT-->Int 3Ah-->Unexpected Interrupt, Type: IDT modification[83077CC4] [ntoskrnl.exe]
IDT-->Int 3Bh-->Unexpected Interrupt, Type: IDT modification[83077CCE] [ntoskrnl.exe]
IDT-->Int 3Ch-->Unexpected Interrupt, Type: IDT modification[83077CD8] [ntoskrnl.exe]
IDT-->Int 3Dh-->Unexpected Interrupt, Type: IDT modification[83077CE2] [ntoskrnl.exe]
IDT-->Int 3Eh-->Unexpected Interrupt, Type: IDT modification[83077CEC] [ntoskrnl.exe]
IDT-->Int 3Fh-->Unexpected Interrupt, Type: IDT modification[83077CF6] [ntoskrnl.exe]
IDT-->Int 40h-->Unexpected Interrupt, Type: IDT modification[83077D00] [ntoskrnl.exe]
IDT-->Int 41h-->Unexpected Interrupt, Type: IDT modification[83077D0A] [ntoskrnl.exe]
IDT-->Int 42h-->Unexpected Interrupt, Type: IDT modification[83077D14] [ntoskrnl.exe]
IDT-->Int 43h-->Unexpected Interrupt, Type: IDT modification[83077D1E] [ntoskrnl.exe]
IDT-->Int 44h-->Unexpected Interrupt, Type: IDT modification[83077D28] [ntoskrnl.exe]
IDT-->Int 45h-->Unexpected Interrupt, Type: IDT modification[83077D32] [ntoskrnl.exe]
IDT-->Int 46h-->Unexpected Interrupt, Type: IDT modification[83077D3C] [ntoskrnl.exe]
IDT-->Int 47h-->Unexpected Interrupt, Type: IDT modification[83077D46] [ntoskrnl.exe]
IDT-->Int 48h-->Unexpected Interrupt, Type: IDT modification[83077D50] [ntoskrnl.exe]
IDT-->Int 49h-->Unexpected Interrupt, Type: IDT modification[83077D5A] [ntoskrnl.exe]
IDT-->Int 4Ah-->Unexpected Interrupt, Type: IDT modification[83077D64] [ntoskrnl.exe]
IDT-->Int 4Bh-->Unexpected Interrupt, Type: IDT modification[83077D6E] [ntoskrnl.exe]
IDT-->Int 4Ch-->Unexpected Interrupt, Type: IDT modification[83077D78] [ntoskrnl.exe]
IDT-->Int 4Dh-->Unexpected Interrupt, Type: IDT modification[83077D82] [ntoskrnl.exe]
IDT-->Int 4Eh-->Unexpected Interrupt, Type: IDT modification[83077D8C] [ntoskrnl.exe]
IDT-->Int 4Fh-->Unexpected Interrupt, Type: IDT modification[83077D96] [ntoskrnl.exe]
IDT-->Int 50h-->Unexpected Interrupt, Type: IDT modification[83077DA0] [ntoskrnl.exe]
IDT-->Int 51h-->Unexpected Interrupt, Type: IDT modification[8615F058] [unknown_code_page]
IDT-->Int 52h-->Unexpected Interrupt, Type: IDT modification[83077DB4] [ntoskrnl.exe]
IDT-->Int 53h-->Unexpected Interrupt, Type: IDT modification[83077DBE] [ntoskrnl.exe]
IDT-->Int 54h-->Unexpected Interrupt, Type: IDT modification[83077DC8] [ntoskrnl.exe]
IDT-->Int 55h-->Unexpected Interrupt, Type: IDT modification[83077DD2] [ntoskrnl.exe]
IDT-->Int 56h-->Unexpected Interrupt, Type: IDT modification[83077DDC] [ntoskrnl.exe]
IDT-->Int 57h-->Unexpected Interrupt, Type: IDT modification[83077DE6] [ntoskrnl.exe]
IDT-->Int 58h-->Unexpected Interrupt, Type: IDT modification[83077DF0] [ntoskrnl.exe]
IDT-->Int 59h-->Unexpected Interrupt, Type: IDT modification[83077DFA] [ntoskrnl.exe]
IDT-->Int 5Ah-->Unexpected Interrupt, Type: IDT modification[83077E04] [ntoskrnl.exe]
IDT-->Int 5Bh-->Unexpected Interrupt, Type: IDT modification[83077E0E] [ntoskrnl.exe]
IDT-->Int 5Ch-->Unexpected Interrupt, Type: IDT modification[83077E18] [ntoskrnl.exe]
IDT-->Int 5Dh-->Unexpected Interrupt, Type: IDT modification[83077E22] [ntoskrnl.exe]
IDT-->Int 5Eh-->Unexpected Interrupt, Type: IDT modification[83077E2C] [ntoskrnl.exe]
IDT-->Int 5Fh-->Unexpected Interrupt, Type: IDT modification[83077E36] [ntoskrnl.exe]
IDT-->Int 60h-->Unexpected Interrupt, Type: IDT modification[83077E40] [ntoskrnl.exe]
IDT-->Int 61h-->Unexpected Interrupt, Type: IDT modification[87AE72D8] [unknown_code_page]
IDT-->Int 62h-->Unexpected Interrupt, Type: IDT modification[83077E54] [ntoskrnl.exe]
IDT-->Int 63h-->Unexpected Interrupt, Type: IDT modification[83077E5E] [ntoskrnl.exe]
IDT-->Int 64h-->Unexpected Interrupt, Type: IDT modification[83077E68] [ntoskrnl.exe]
IDT-->Int 65h-->Unexpected Interrupt, Type: IDT modification[83077E72] [ntoskrnl.exe]
IDT-->Int 66h-->Unexpected Interrupt, Type: IDT modification[83077E7C] [ntoskrnl.exe]
IDT-->Int 67h-->Unexpected Interrupt, Type: IDT modification[83077E86] [ntoskrnl.exe]
IDT-->Int 68h-->Unexpected Interrupt, Type: IDT modification[83077E90] [ntoskrnl.exe]
IDT-->Int 69h-->Unexpected Interrupt, Type: IDT modification[83077E9A] [ntoskrnl.exe]
IDT-->Int 6Ah-->Unexpected Interrupt, Type: IDT modification[83077EA4] [ntoskrnl.exe]
IDT-->Int 6Bh-->Unexpected Interrupt, Type: IDT modification[83077EAE] [ntoskrnl.exe]
IDT-->Int 6Ch-->Unexpected Interrupt, Type: IDT modification[83077EB8] [ntoskrnl.exe]
IDT-->Int 6Dh-->Unexpected Interrupt, Type: IDT modification[83077EC2] [ntoskrnl.exe]
IDT-->Int 6Eh-->Unexpected Interrupt, Type: IDT modification[83077ECC] [ntoskrnl.exe]
IDT-->Int 6Fh-->Unexpected Interrupt, Type: IDT modification[83077ED6] [ntoskrnl.exe]
IDT-->Int 70h-->Unexpected Interrupt, Type: IDT modification[83077EE0] [ntoskrnl.exe]
IDT-->Int 71h-->Unexpected Interrupt, Type: IDT modification[87AE7CD8] [unknown_code_page]
IDT-->Int 72h-->Unexpected Interrupt, Type: IDT modification[83077EF4] [ntoskrnl.exe]
IDT-->Int 73h-->Unexpected Interrupt, Type: IDT modification[83077EFE] [ntoskrnl.exe]
IDT-->Int 74h-->Unexpected Interrupt, Type: IDT modification[83077F08] [ntoskrnl.exe]
IDT-->Int 75h-->Unexpected Interrupt, Type: IDT modification[83077F12] [ntoskrnl.exe]
IDT-->Int 76h-->Unexpected Interrupt, Type: IDT modification[83077F1C] [ntoskrnl.exe]
IDT-->Int 77h-->Unexpected Interrupt, Type: IDT modification[83077F26] [ntoskrnl.exe]
IDT-->Int 78h-->Unexpected Interrupt, Type: IDT modification[83077F30] [ntoskrnl.exe]
IDT-->Int 79h-->Unexpected Interrupt, Type: IDT modification[83077F3A] [ntoskrnl.exe]
IDT-->Int 7Ah-->Unexpected Interrupt, Type: IDT modification[83077F44] [ntoskrnl.exe]
IDT-->Int 7Bh-->Unexpected Interrupt, Type: IDT modification[83077F4E] [ntoskrnl.exe]
IDT-->Int 7Ch-->Unexpected Interrupt, Type: IDT modification[83077F58] [ntoskrnl.exe]
IDT-->Int 7Dh-->Unexpected Interrupt, Type: IDT modification[83077F62] [ntoskrnl.exe]
IDT-->Int 7Eh-->Unexpected Interrupt, Type: IDT modification[83077F6C] [ntoskrnl.exe]
IDT-->Int 7Fh-->Unexpected Interrupt, Type: IDT modification[83077F76] [ntoskrnl.exe]
IDT-->Int 80h-->Unexpected Interrupt, Type: IDT modification[83077F80] [ntoskrnl.exe]
IDT-->Int 81h-->Unexpected Interrupt, Type: IDT modification[83077F8A] [ntoskrnl.exe]
IDT-->Int 82h-->Unexpected Interrupt, Type: IDT modification[83077F94] [ntoskrnl.exe]
IDT-->Int 83h-->Unexpected Interrupt, Type: IDT modification[83077F9E] [ntoskrnl.exe]
IDT-->Int 84h-->Unexpected Interrupt, Type: IDT modification[83077FA8] [ntoskrnl.exe]
IDT-->Int 85h-->Unexpected Interrupt, Type: IDT modification[83077FB2] [ntoskrnl.exe]
IDT-->Int 86h-->Unexpected Interrupt, Type: IDT modification[83077FBC] [ntoskrnl.exe]
IDT-->Int 87h-->Unexpected Interrupt, Type: IDT modification[83077FC6] [ntoskrnl.exe]
IDT-->Int 88h-->Unexpected Interrupt, Type: IDT modification[83077FD0] [ntoskrnl.exe]
IDT-->Int 89h-->Unexpected Interrupt, Type: IDT modification[83077FDA] [ntoskrnl.exe]
IDT-->Int 8Ah-->Unexpected Interrupt, Type: IDT modification[83077FE4] [ntoskrnl.exe]
IDT-->Int 8Bh-->Unexpected Interrupt, Type: IDT modification[83077FEE] [ntoskrnl.exe]
IDT-->Int 8Ch-->Unexpected Interrupt, Type: IDT modification[83077FF8] [ntoskrnl.exe]
IDT-->Int 8Dh-->Unexpected Interrupt, Type: IDT modification[83078002] [ntoskrnl.exe]
IDT-->Int 8Eh-->Unexpected Interrupt, Type: IDT modification[8307800C] [ntoskrnl.exe]
IDT-->Int 8Fh-->Unexpected Interrupt, Type: IDT modification[83078016] [ntoskrnl.exe]
IDT-->Int 90h-->Unexpected Interrupt, Type: IDT modification[83078020] [ntoskrnl.exe]
IDT-->Int 91h-->Unexpected Interrupt, Type: IDT modification[8307802A] [ntoskrnl.exe]
IDT-->Int 92h-->Unexpected Interrupt, Type: IDT modification[87AE9A58] [unknown_code_page]
IDT-->Int 93h-->Unexpected Interrupt, Type: IDT modification[8307803E] [ntoskrnl.exe]
IDT-->Int 94h-->Unexpected Interrupt, Type: IDT modification[83078048] [ntoskrnl.exe]
IDT-->Int 95h-->Unexpected Interrupt, Type: IDT modification[83078052] [ntoskrnl.exe]
IDT-->Int 96h-->Unexpected Interrupt, Type: IDT modification[8307805C] [ntoskrnl.exe]
IDT-->Int 97h-->Unexpected Interrupt, Type: IDT modification[83078066] [ntoskrnl.exe]
IDT-->Int 98h-->Unexpected Interrupt, Type: IDT modification[83078070] [ntoskrnl.exe]
IDT-->Int 99h-->Unexpected Interrupt, Type: IDT modification[8307807A] [ntoskrnl.exe]
IDT-->Int 9Ah-->Unexpected Interrupt, Type: IDT modification[83078084] [ntoskrnl.exe]
IDT-->Int 9Bh-->Unexpected Interrupt, Type: IDT modification[8307808E] [ntoskrnl.exe]
IDT-->Int 9Ch-->Unexpected Interrupt, Type: IDT modification[83078098] [ntoskrnl.exe]
IDT-->Int 9Dh-->Unexpected Interrupt, Type: IDT modification[830780A2] [ntoskrnl.exe]
IDT-->Int 9Eh-->Unexpected Interrupt, Type: IDT modification[830780AC] [ntoskrnl.exe]
IDT-->Int 9Fh-->Unexpected Interrupt, Type: IDT modification[830780B6] [ntoskrnl.exe]
IDT-->Int A0h-->Unexpected Interrupt, Type: IDT modification[830780C0] [ntoskrnl.exe]
IDT-->Int A1h-->Unexpected Interrupt, Type: IDT modification[830780CA] [ntoskrnl.exe]
IDT-->Int A2h-->Unexpected Interrupt, Type: IDT modification[87AE9558] [unknown_code_page]
IDT-->Int A3h-->Unexpected Interrupt, Type: IDT modification[830780DE] [ntoskrnl.exe]
IDT-->Int A4h-->Unexpected Interrupt, Type: IDT modification[830780E8] [ntoskrnl.exe]
IDT-->Int A5h-->Unexpected Interrupt, Type: IDT modification[830780F2] [ntoskrnl.exe]
IDT-->Int A6h-->Unexpected Interrupt, Type: IDT modification[830780FC] [ntoskrnl.exe]
IDT-->Int A7h-->Unexpected Interrupt, Type: IDT modification[83078106] [ntoskrnl.exe]
IDT-->Int A8h-->Unexpected Interrupt, Type: IDT modification[83078110] [ntoskrnl.exe]
IDT-->Int A9h-->Unexpected Interrupt, Type: IDT modification[8307811A] [ntoskrnl.exe]
IDT-->Int AAh-->Unexpected Interrupt, Type: IDT modification[83078124] [ntoskrnl.exe]
IDT-->Int ABh-->Unexpected Interrupt, Type: IDT modification[8307812E] [ntoskrnl.exe]
IDT-->Int ACh-->Unexpected Interrupt, Type: IDT modification[83078138] [ntoskrnl.exe]
IDT-->Int ADh-->Unexpected Interrupt, Type: IDT modification[83078142] [ntoskrnl.exe]
IDT-->Int AEh-->Unexpected Interrupt, Type: IDT modification[8307814C] [ntoskrnl.exe]
IDT-->Int AFh-->Unexpected Interrupt, Type: IDT modification[83078156] [ntoskrnl.exe]
IDT-->Int B0h-->Unexpected Interrupt, Type: IDT modification[880D82D8] [unknown_code_page]
IDT-->Int B1h-->Unexpected Interrupt, Type: IDT modification[8615FCD8] [unknown_code_page]
IDT-->Int B2h-->Unexpected Interrupt, Type: IDT modification[87AE9058] [unknown_code_page]
IDT-->Int B3h-->Unexpected Interrupt, Type: IDT modification[8307817E] [ntoskrnl.exe]
IDT-->Int B4h-->Unexpected Interrupt, Type: IDT modification[83078188] [ntoskrnl.exe]
IDT-->Int B5h-->Unexpected Interrupt, Type: IDT modification[83078192] [ntoskrnl.exe]
IDT-->Int B6h-->Unexpected Interrupt, Type: IDT modification[8307819C] [ntoskrnl.exe]
IDT-->Int B7h-->Unexpected Interrupt, Type: IDT modification[830781A6] [ntoskrnl.exe]
IDT-->Int B8h-->Unexpected Interrupt, Type: IDT modification[830781B0] [ntoskrnl.exe]
IDT-->Int B9h-->Unexpected Interrupt, Type: IDT modification[830781BA] [ntoskrnl.exe]
IDT-->Int BAh-->Unexpected Interrupt, Type: IDT modification[830781C4] [ntoskrnl.exe]
IDT-->Int BBh-->Unexpected Interrupt, Type: IDT modification[830781CE] [ntoskrnl.exe]
IDT-->Int BCh-->Unexpected Interrupt, Type: IDT modification[830781D8] [ntoskrnl.exe]
IDT-->Int BDh-->Unexpected Interrupt, Type: IDT modification[830781E2] [ntoskrnl.exe]
IDT-->Int BEh-->Unexpected Interrupt, Type: IDT modification[830781EC] [ntoskrnl.exe]
IDT-->Int BFh-->Unexpected Interrupt, Type: IDT modification[830781F6] [ntoskrnl.exe]
IDT-->Int C0h-->Unexpected Interrupt, Type: IDT modification[83078200] [ntoskrnl.exe]
IDT-->Int C1h-->Unexpected Interrupt, Type: IDT modification[830263F4] [halmacpi.dll]
IDT-->Int C2h-->Unexpected Interrupt, Type: IDT modification[83078214] [ntoskrnl.exe]
IDT-->Int C3h-->Unexpected Interrupt, Type: IDT modification[8307821E] [ntoskrnl.exe]
IDT-->Int C4h-->Unexpected Interrupt, Type: IDT modification[83078228] [ntoskrnl.exe]
IDT-->Int C5h-->Unexpected Interrupt, Type: IDT modification[83078232] [ntoskrnl.exe]
IDT-->Int C6h-->Unexpected Interrupt, Type: IDT modification[8307823C] [ntoskrnl.exe]
IDT-->Int C7h-->Unexpected Interrupt, Type: IDT modification[83078246] [ntoskrnl.exe]
IDT-->Int C8h-->Unexpected Interrupt, Type: IDT modification[83078250] [ntoskrnl.exe]
IDT-->Int C9h-->Unexpected Interrupt, Type: IDT modification[8307825A] [ntoskrnl.exe]
IDT-->Int CAh-->Unexpected Interrupt, Type: IDT modification[83078264] [ntoskrnl.exe]
IDT-->Int CBh-->Unexpected Interrupt, Type: IDT modification[8307826E] [ntoskrnl.exe]
IDT-->Int CCh-->Unexpected Interrupt, Type: IDT modification[83078278] [ntoskrnl.exe]
IDT-->Int CDh-->Unexpected Interrupt, Type: IDT modification[83078282] [ntoskrnl.exe]
IDT-->Int CEh-->Unexpected Interrupt, Type: IDT modification[8307828C] [ntoskrnl.exe]
IDT-->Int CFh-->Unexpected Interrupt, Type: IDT modification[83078296] [ntoskrnl.exe]
IDT-->Int D0h-->Unexpected Interrupt, Type: IDT modification[830782A0] [ntoskrnl.exe]
IDT-->Int D1h-->Unexpected Interrupt, Type: IDT modification[8300F2D8] [halmacpi.dll]
IDT-->Int D2h-->Unexpected Interrupt, Type: IDT modification[8300E898] [halmacpi.dll]
IDT-->Int D3h-->Unexpected Interrupt, Type: IDT modification[830782BE] [ntoskrnl.exe]
IDT-->Int D4h-->Unexpected Interrupt, Type: IDT modification[830782C8] [ntoskrnl.exe]
IDT-->Int D5h-->Unexpected Interrupt, Type: IDT modification[830782D2] [ntoskrnl.exe]
IDT-->Int D6h-->Unexpected Interrupt, Type: IDT modification[830782DC] [ntoskrnl.exe]
IDT-->Int D7h-->Unexpected Interrupt, Type: IDT modification[830782E6] [ntoskrnl.exe]
IDT-->Int D8h-->Unexpected Interrupt, Type: IDT modification[830782F0] [ntoskrnl.exe]
IDT-->Int D9h-->Unexpected Interrupt, Type: IDT modification[830782FA] [ntoskrnl.exe]
IDT-->Int DAh-->Unexpected Interrupt, Type: IDT modification[83078304] [ntoskrnl.exe]
IDT-->Int DBh-->Unexpected Interrupt, Type: IDT modification[8307830E] [ntoskrnl.exe]
IDT-->Int DCh-->Unexpected Interrupt, Type: IDT modification[83078318] [ntoskrnl.exe]
IDT-->Int DDh-->Unexpected Interrupt, Type: IDT modification[83078322] [ntoskrnl.exe]
IDT-->Int DEh-->Unexpected Interrupt, Type: IDT modification[8307832C] [ntoskrnl.exe]
IDT-->Int DFh-->Unexpected Interrupt, Type: IDT modification[830261DC] [halmacpi.dll]
IDT-->Int E0h-->Unexpected Interrupt, Type: IDT modification[83078340] [ntoskrnl.exe]
IDT-->Int E1h-->Unexpected Interrupt, Type: IDT modification[83026958] [halmacpi.dll]
IDT-->Int E2h-->Unexpected Interrupt, Type: IDT modification[83078354] [ntoskrnl.exe]
IDT-->Int E3h-->Unexpected Interrupt, Type: IDT modification[830266F8] [halmacpi.dll]
IDT-->Int E4h-->Unexpected Interrupt, Type: IDT modification[83078368] [ntoskrnl.exe]
IDT-->Int E5h-->Unexpected Interrupt, Type: IDT modification[83078372] [ntoskrnl.exe]
IDT-->Int E6h-->Unexpected Interrupt, Type: IDT modification[8307837C] [ntoskrnl.exe]
IDT-->Int E7h-->Unexpected Interrupt, Type: IDT modification[83078386] [ntoskrnl.exe]
IDT-->Int E8h-->Unexpected Interrupt, Type: IDT modification[83078390] [ntoskrnl.exe]
IDT-->Int E9h-->Unexpected Interrupt, Type: IDT modification[8307839A] [ntoskrnl.exe]
IDT-->Int EAh-->Unexpected Interrupt, Type: IDT modification[830783A4] [ntoskrnl.exe]
IDT-->Int EBh-->Unexpected Interrupt, Type: IDT modification[830783AE] [ntoskrnl.exe]
IDT-->Int ECh-->Unexpected Interrupt, Type: IDT modification[830783B8] [ntoskrnl.exe]
IDT-->Int EDh-->Unexpected Interrupt, Type: IDT modification[830783C2] [ntoskrnl.exe]
IDT-->Int EEh-->Unexpected Interrupt, Type: IDT modification[830783C9] [ntoskrnl.exe]
IDT-->Int EFh-->Unexpected Interrupt, Type: IDT modification[830783D0] [ntoskrnl.exe]
IDT-->Int F0h-->Unexpected Interrupt, Type: IDT modification[830783D7] [ntoskrnl.exe]
IDT-->Int F1h-->Unexpected Interrupt, Type: IDT modification[830783DE] [ntoskrnl.exe]
IDT-->Int F2h-->Unexpected Interrupt, Type: IDT modification[830783E5] [ntoskrnl.exe]
IDT-->Int F3h-->Unexpected Interrupt, Type: IDT modification[830783EC] [ntoskrnl.exe]
IDT-->Int F4h-->Unexpected Interrupt, Type: IDT modification[830783F3] [ntoskrnl.exe]
IDT-->Int F5h-->Unexpected Interrupt, Type: IDT modification[830783FA] [ntoskrnl.exe]
IDT-->Int F6h-->Unexpected Interrupt, Type: IDT modification[83078401] [ntoskrnl.exe]
IDT-->Int F7h-->Unexpected Interrupt, Type: IDT modification[83078408] [ntoskrnl.exe]
IDT-->Int F8h-->Unexpected Interrupt, Type: IDT modification[8307840F] [ntoskrnl.exe]
IDT-->Int F9h-->Unexpected Interrupt, Type: IDT modification[83078416] [ntoskrnl.exe]
IDT-->Int FAh-->Unexpected Interrupt, Type: IDT modification[8307841D] [ntoskrnl.exe]
IDT-->Int FBh-->Unexpected Interrupt, Type: IDT modification[83078424] [ntoskrnl.exe]
IDT-->Int FCh-->Unexpected Interrupt, Type: IDT modification[8307842B] [ntoskrnl.exe]
IDT-->Int FDh-->Unexpected Interrupt, Type: IDT modification[83026F2C] [halmacpi.dll]
IDT-->Int FEh-->Unexpected Interrupt, Type: IDT modification[830271A8] [halmacpi.dll]
IDT-->Int FFh-->Unexpected Interrupt, Type: IDT modification[83078440] [ntoskrnl.exe]
ntoskrnl.exe+0x0005C78C, Type: Inline - RelativeJump 0x8309F78C-->8309F796 [ntoskrnl.exe]
ntoskrnl.exe+0x0005CBEC, Type: Inline - RelativeJump 0x8309FBEC-->8309FB7B [ntoskrnl.exe]

COMBOFIX RESULTS
ComboFix 10-06-17.02 - Alan 18/06/2010 7:39.1.4 - x86
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.44.1033.18.3326.1910 [GMT 1:00]
Running from: c:\users\Alan\Downloads\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\win.com

.
((((((((((((((((((((((((( Files Created from 2010-05-18 to 2010-06-18 )))))))))))))))))))))))))))))))
.

2010-06-18 06:41 . 2010-06-18 06:41 -------- d-----w- c:\users\Jacob\AppData\Local\temp
2010-06-18 06:41 . 2010-06-18 06:41 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-06-17 09:42 . 2010-06-17 09:42 -------- d-----w- c:\programdata\NOS
2010-06-17 09:42 . 2010-06-17 09:42 -------- d-----w- c:\program files\NOS
2010-06-17 07:16 . 2010-06-17 11:07 0 ----a-w- c:\users\Alan\AppData\Local\prvlcl.dat
2010-06-15 20:56 . 2010-06-15 20:56 -------- d-----w- c:\users\Alan\AppData\Local\AVG Security Toolbar
2010-06-15 20:45 . 2010-06-15 20:45 134792 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-06-15 20:45 . 2010-06-15 20:45 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-06-15 20:45 . 2010-06-15 20:53 -------- d-----w- c:\programdata\AVG Security Toolbar
2010-06-15 20:44 . 2010-06-15 20:44 -------- d-----w- c:\program files\AVG
2010-06-15 20:43 . 2010-06-15 20:44 -------- d-----w- c:\programdata\avg9ls
2010-06-14 10:53 . 2010-06-14 10:53 -------- d-----w- c:\programdata\McAfee
2010-06-13 13:29 . 2010-06-13 13:29 -------- d-----w- c:\windows\system32\Macromed
2010-06-13 13:28 . 2010-06-13 13:28 -------- d-----r- c:\program files\Norton Support
2010-06-12 09:13 . 2010-06-12 09:13 0 ----a-w- c:\windows\nsreg.dat
2010-06-12 09:13 . 2010-06-12 09:13 -------- d-----w- c:\users\Alan\AppData\Local\Mozilla
2010-06-10 15:19 . 2010-06-10 15:19 -------- d-----w- c:\programdata\F-Secure
2010-06-10 13:37 . 2010-05-27 07:24 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-06-10 13:37 . 2010-05-27 03:49 293888 ----a-w- c:\windows\system32\atmfd.dll
2010-06-10 13:37 . 2010-05-01 14:49 2326528 ----a-w- c:\windows\system32\win32k.sys
2010-06-10 13:37 . 2010-03-05 07:42 67584 ----a-w- c:\windows\system32\asycfilt.dll
2010-06-10 13:37 . 2010-05-21 05:18 977920 ----a-w- c:\windows\system32\wininet.dll
2010-06-03 19:52 . 2010-06-03 19:52 -------- d-----w- c:\program files\Common Files\Java
2010-06-03 19:52 . 2010-06-03 19:52 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-06-03 19:52 . 2010-06-03 19:52 -------- d-----w- c:\program files\Java
2010-06-03 19:43 . 2009-07-14 01:15 307200 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\hpzppw72.dll
2010-06-02 08:46 . 2010-06-02 08:47 -------- d-----w- c:\users\Alan\AppData\Local\jZip
2010-06-02 08:45 . 2010-06-02 08:45 -------- d-----w- c:\users\Alan\AppData\Roaming\Yahoo!
2010-06-02 08:45 . 2010-06-14 11:08 -------- d-----w- c:\program files\Yahoo!
2010-06-02 08:45 . 2010-06-10 09:25 -------- d-----w- c:\program files\jZip
2010-06-02 07:54 . 2010-06-10 09:25 -------- d-----w- c:\windows\system32\Wat
2010-06-02 07:52 . 2009-09-10 05:52 257024 ----a-w- c:\windows\system32\msv1_0.dll
2010-06-02 07:51 . 2010-02-11 07:10 293376 ----a-w- c:\windows\system32\browserchoice.exe
2010-06-02 07:42 . 2010-03-08 21:33 427520 ----a-w- c:\windows\system32\vbscript.dll
2010-06-02 07:41 . 2010-02-27 07:32 221696 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-06-02 07:41 . 2010-02-27 07:32 95744 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2010-06-02 07:41 . 2010-02-27 07:32 123392 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-05-27 11:02 . 2010-05-27 11:02 26600 ----a-r- c:\windows\system32\drivers\GEARAspiWDM.sys
2010-05-27 11:02 . 2010-05-27 11:02 107368 ----a-r- c:\windows\system32\GEARAspi.dll
2010-05-27 11:02 . 2010-05-27 11:02 25648 ----a-r- c:\windows\system32\drivers\SymIMV.sys
2010-05-27 11:02 . 2010-05-27 11:02 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-05-27 11:02 . 2010-06-08 13:38 -------- d-----w- c:\windows\system32\drivers\N360
2010-05-26 18:43 . 2010-05-26 18:43 -------- d-----w- c:\users\Alan\AppData\Local\Microsoft_Corporation

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-10 09:25 . 2009-07-14 02:37 -------- d-----w- c:\program files\Windows Mail
2010-05-27 11:20 . 2010-05-11 14:14 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-05-27 11:02 . 2010-05-11 14:14 -------- d-----w- c:\program files\Symantec
2010-05-27 11:02 . 2010-05-27 11:02 806 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-05-27 11:02 . 2010-05-27 11:02 7456 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-05-27 11:02 . 2010-05-11 14:13 -------- d-----w- c:\program files\Norton 360
2010-05-27 11:02 . 2010-05-11 14:13 -------- d-----w- c:\programdata\Norton
2010-05-27 11:01 . 2010-05-11 14:13 -------- d-----w- c:\programdata\NortonInstaller
2010-05-27 11:01 . 2010-05-11 14:13 -------- d-----w- c:\program files\NortonInstaller
2010-05-26 18:27 . 2010-05-08 11:35 57560 ----a-w- c:\users\Alan\AppData\Local\GDIPFONTCACHEV1.DAT
2010-05-26 18:25 . 2010-05-08 13:18 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-26 18:25 . 2010-05-13 09:00 -------- d-----w- c:\programdata\SecTaskMan
2010-05-26 18:25 . 2010-05-13 09:00 -------- d-----w- c:\program files\Security Task Manager
2010-05-26 18:25 . 2010-05-12 13:09 -------- d-----w- c:\program files\Windows Live Safety Center
2010-05-26 18:25 . 2010-05-10 18:39 -------- d-----w- c:\programdata\Microsoft Help
2010-05-25 18:25 . 2010-05-08 13:18 -------- d-----w- c:\programdata\Malwarebytes
2010-05-25 18:25 . 2010-05-13 12:44 -------- d-----w- c:\program files\Trend Micro
2010-05-25 18:25 . 2010-05-11 12:21 -------- d-----w- c:\program files\Safer Networking
2010-05-25 18:23 . 2010-05-11 09:17 -------- d-----w- c:\program files\Citrix
2010-05-25 17:49 . 2010-05-13 17:17 -------- d-----w- c:\program files\Greatis
2010-05-14 12:38 . 2010-05-14 08:36 -------- d-----w- c:\users\Alan\AppData\Roaming\Regrun
2010-05-14 11:15 . 2010-05-11 11:02 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-05-14 11:15 . 2010-05-11 11:02 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-05-12 13:08 . 2010-05-12 13:08 -------- d-----w- c:\programdata\Symantec
2010-05-10 20:12 . 2010-05-10 20:12 -------- d-----w- c:\programdata\Office Genuine Advantage
2010-05-10 20:09 . 2010-05-10 20:09 -------- d-----w- c:\programdata\HP
2010-05-10 13:04 . 2010-05-10 13:04 57560 ----a-w- c:\users\Jacob\AppData\Local\GDIPFONTCACHEV1.DAT
2010-05-10 13:04 . 2010-05-10 13:04 -------- d-----w- c:\users\Jacob\AppData\Roaming\ATI
2010-05-08 13:18 . 2010-05-08 13:18 -------- d-----w- c:\users\Alan\AppData\Roaming\Malwarebytes
2010-05-08 11:45 . 2010-05-08 11:45 419 ----a-w- c:\users\Alan\AppData\Local\Win7_Upgrade.bat
2010-05-08 11:43 . 2010-05-08 11:43 -------- d-----w- c:\users\Alan\AppData\Roaming\ATI
2010-05-08 11:43 . 2010-05-08 11:43 -------- d-----w- c:\programdata\ATI
2010-05-08 11:43 . 2010-05-08 10:45 -------- d-----w- c:\program files\ATI Technologies
2010-05-08 11:41 . 2010-05-08 11:41 10134 ----a-r- c:\users\Alan\AppData\Roaming\Microsoft\Installer\{1A6842E0-3047-BD62-9A28-5A7743D88E2A}\ARPPRODUCTICON.exe
2010-05-08 11:41 . 2010-05-08 11:41 -------- d-----w- c:\program files\ATI
2010-05-08 11:40 . 2010-05-08 09:48 -------- d--h--w- c:\program files\Temp
2010-05-08 11:39 . 2010-05-08 09:49 -------- d-----w- c:\program files\Realtek
2010-05-08 11:39 . 2010-05-08 10:04 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-05-08 11:27 . 2010-05-08 11:27 21316 ----a-w- c:\windows\system32\emptyregdb.dat
2010-05-08 11:24 . 2010-05-08 10:04 -------- d-----w- c:\users\Alan\AppData\Roaming\InstallShield
2010-05-08 11:24 . 2010-05-08 09:58 -------- d-----w- c:\program files\Intel
2010-05-08 11:24 . 2010-05-08 09:47 -------- d-----w- c:\program files\Dell
2010-05-08 11:24 . 2009-07-14 04:52 -------- d-----w- c:\program files\Microsoft Games
2010-05-08 11:24 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Photo Gallery
2010-05-08 11:24 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Collaboration
2010-05-08 11:24 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Calendar
2010-05-08 11:24 . 2010-05-08 09:48 -------- d-----w- c:\program files\Common Files\InstallShield
2010-05-08 11:21 . 2010-05-08 11:21 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_09_00.Wdf
2010-05-08 11:21 . 2010-05-08 11:21 0 ----a-w- c:\windows\ativpsrm.bin
2010-05-08 10:54 . 2010-05-08 09:49 319456 ----a-w- c:\windows\DIFxAPI.dll
2010-05-08 09:47 . 2010-05-08 09:47 45056 ----a-r- c:\users\Alan\AppData\Roaming\Microsoft\Installer\{42929F0F-CE14-47AF-9FC7-FF297A603021}\NewShortcut1_42929F0FCE1447AF9FC7FF297A603021_1.exe
2010-05-08 09:47 . 2010-05-08 09:47 10134 ----a-r- c:\users\Alan\AppData\Roaming\Microsoft\Installer\{42929F0F-CE14-47AF-9FC7-FF297A603021}\ARPPRODUCTICON.exe
2010-05-08 09:23 . 2010-05-08 09:23 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2010-05-06 09:36 . 2010-05-08 10:14 221568 ----a-w- c:\windows\system32\MpSigStub.exe
2010-04-23 07:13 . 2010-06-02 07:49 2048 ----a-w- c:\windows\system32\tzres.dll
2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat
2009-07-14 01:14 . 2009-07-13 23:42 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVGLS9\Toolbar\IEToolbar.dll" [2010-04-19 2121800]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2010-04-19 09:25 2121800 ----a-w- c:\program files\AVG\AVGLS9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVGLS9\Toolbar\IEToolbar.dll" [2010-04-19 2121800]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG9_TRAY"="c:\progra~1\AVG\AVGLS9\avgtray.exe" [2010-06-15 2064736]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

R3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\AVG\AVGLS9\Toolbar\ToolbarBroker.exe [2010-04-19 430152]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-06-02 1343400]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0308000.029\SYMEFA.SYS [2010-05-27 310320]
S1 AvgLdx86;AVG LinkScanner® AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2010-06-15 134792]
S1 AvgTdiX;AVG LinkScanner® Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2010-06-15 242896]
S1 BHDrvx86;Symantec Heuristics Driver;c:\windows\System32\Drivers\N360\0308000.029\BHDrvx86.sys [2010-05-27 259632]
S1 ccHP;Symantec Hash Provider;c:\windows\System32\Drivers\N360\0308000.029\ccHPx86.sys [2010-05-27 482432]
S1 IDSVix86;IDSVix86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\ipsdefs\20100617.001\IDSvix86.sys [2010-05-28 344112]
S2 AERTFilters;Andrea RT Filters Service;c:\program files\Realtek\Audio\HDA\AERTSrv.exe [2009-03-31 81920]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-06-15 176128]
S2 avg9wd;AVG LinkScanner®9 WatchDog;c:\program files\AVG\AVGLS9\avgwdsvc.exe [2010-06-15 308064]
S2 N360;Norton 360;c:\program files\Norton 360\Norton 360\Engine\3.8.0.41\ccSvcHst.exe [2010-05-27 117640]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2010-06-01 102448]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2009-12-19 249888]
S3 SYMNDISV;Symantec Network Filter Driver;c:\windows\System32\Drivers\N360\0308000.029\SYMNDISV.SYS [2010-05-27 48688]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - AVGLDX86
*NewlyCreated* - AVGTDIX
*NewlyCreated* - NORMANDY
*Deregistered* - Normandy

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://news.bbc.co.uk/
Trusted Zone: dreamteamfc.com\www
Trusted Zone: yahoo.com\mail
TCP: {8AF6171A-34E5-471C-92AA-26FF034D0291} = 192.168.1.254
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\AVG\AVGLS9\Toolbar\IEToolbar.dll
FF - ProfilePath - c:\users\Alan\AppData\Roaming\Mozilla\Firefox\Profiles\03277jnn.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: browser.startup.homepage - hxxp://news.bbc.co.uk/
FF - prefs.js: keyword.URL - hxxp://uk.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_uk&p=
FF - component: c:\program files\AVG\AVGLS9\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVGLS9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\AVG\AVGLS9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\AVG\AVGLS9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\AVG\AVGLS9\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
FF - component: c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\coFFPlgn\components\coFFPlgn.dll
FF - component: c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\IPSFFPlgn\components\IPSFFPl.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.

[HKEY_LOCAL_MACHINE\system\ControlSet001\services\N360]
"ImagePath"="\"c:\program files\Norton 360\Norton 360\Engine\3.8.0.41\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Norton 360\Engine\3.8.0.41\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2010-06-18 07:42:59
ComboFix-quarantined-files.txt 2010-06-18 06:42

Pre-Run: 570,590,310,400 bytes free
Post-Run: 570,524,049,408 bytes free

- - End Of File - - F3F9F75D27CB4F6298DC090A287A4981

COMBOFIX QOOBOX file
2010-06-18 06:40:53 . 2010-06-18 06:40:53 3,191 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2010-06-18 06:38:53 . 2010-06-18 06:39:19 62 ----a-w- C:\Qoobox\Quarantine\catchme.log
2009-07-13 23:20:54 . 2009-07-13 23:20:54 6,656 ----a-w- C:\Qoobox\Quarantine\C\Windows\System32\win.com.vir

Edited by Albear, 18 June 2010 - 02:05 AM.


#13 Albear

Posted 18 June 2010 - 03:56 PM

Hi, the results for the TOSHIBA laptop on Vista:

RKunhook first
RkU Version: 3.8.388.590, Type LE (SR2)
==============================================
OS Name: Windows Vista
Version 6.0.6002 (Service Pack 2)
Number of processors #2
==============================================
>SSDT State
==============================================
ntkrnlpa.exe-->NtAlertResumeThread, Type: Address change 0x81CA5009-->85EF79A0 [Unknown module filename]
ntkrnlpa.exe-->NtAlertThread, Type: Address change 0x81C1DEB5-->86923150 [Unknown module filename]
ntkrnlpa.exe-->NtAllocateVirtualMemory, Type: Address change 0x81C59FD9-->868CAA50 [Unknown module filename]
ntkrnlpa.exe-->NtAlpcConnectPort, Type: Address change 0x81BFC4E7-->85EF7140 [Unknown module filename]
ntkrnlpa.exe-->NtAssignProcessToJobObject, Type: Address change 0x81BCFAEF-->868CC948 [Unknown module filename]
ntkrnlpa.exe-->NtCreateMutant, Type: Address change 0x81C3246C-->868CB0D0 [Unknown module filename]
ntkrnlpa.exe-->NtCreateSymbolicLinkObject, Type: Address change 0x81BD2306-->868CDA60 [Unknown module filename]
ntkrnlpa.exe-->NtCreateThread, Type: Address change 0x81CA367C-->868CAE60 [Unknown module filename]
ntkrnlpa.exe-->NtDebugActiveProcess, Type: Address change 0x81C76802-->868C9810 [Unknown module filename]
ntkrnlpa.exe-->NtDuplicateObject, Type: Address change 0x81C0A1B1-->868CABA8 [Unknown module filename]
ntkrnlpa.exe-->NtFreeVirtualMemory, Type: Address change 0x81A96F5F-->868CA8B0 [Unknown module filename]
ntkrnlpa.exe-->NtImpersonateAnonymousToken, Type: Address change 0x81BCCEBE-->868CB1A0 [Unknown module filename]
ntkrnlpa.exe-->NtImpersonateThread, Type: Address change 0x81BE24C0-->86098048 [Unknown module filename]
ntkrnlpa.exe-->NtLoadDriver, Type: Address change 0x81B7DDF0-->85EF70C8 [Unknown module filename]
ntkrnlpa.exe-->NtMapViewOfSection, Type: Address change 0x81C224FA-->868CA7D0 [Unknown module filename]
ntkrnlpa.exe-->NtOpenEvent, Type: Address change 0x81C0BA2F-->868D6178 [Unknown module filename]
ntkrnlpa.exe-->NtOpenProcess, Type: Address change 0x81C32C08-->868CAD48 [Unknown module filename]
ntkrnlpa.exe-->NtOpenProcessToken, Type: Address change 0x81C1368E-->8601B068 [Unknown module filename]
ntkrnlpa.exe-->NtOpenSection, Type: Address change 0x81C232CD-->868DA548 [Unknown module filename]
ntkrnlpa.exe-->NtOpenThread, Type: Address change 0x81C2E15A-->868CAC78 [Unknown module filename]
ntkrnlpa.exe-->NtProtectVirtualMemory, Type: Address change 0x81C2BF3D-->868CC4F8 [Unknown module filename]
ntkrnlpa.exe-->NtResumeThread, Type: Address change 0x81C2D7A5-->868E0120 [Unknown module filename]
ntkrnlpa.exe-->NtSetContextThread, Type: Address change 0x81CA434F-->8601A120 [Unknown module filename]
ntkrnlpa.exe-->NtSetInformationProcess, Type: Address change 0x81C26528-->868CBAD8 [Unknown module filename]
ntkrnlpa.exe-->NtSetSystemInformation, Type: Address change 0x81BF8B4B-->868DDA00 [Unknown module filename]
ntkrnlpa.exe-->NtSuspendProcess, Type: Address change 0x81CA4F43-->8610DB90 [Unknown module filename]
ntkrnlpa.exe-->NtSuspendThread, Type: Address change 0x81BAC929-->868DF120 [Unknown module filename]
ntkrnlpa.exe-->NtTerminateProcess, Type: Address change 0x81C02DA3-->86053068 [Unknown module filename]
ntkrnlpa.exe-->NtTerminateThread, Type: Address change 0x81C2E18F-->8601D2C8 [Unknown module filename]
ntkrnlpa.exe-->NtUnmapViewOfSection, Type: Address change 0x81C227BD-->86048108 [Unknown module filename]
ntkrnlpa.exe-->NtWriteVirtualMemory, Type: Address change 0x81C1F58D-->868CA980 [Unknown module filename]
ntkrnlpa.exe-->NtCreateThreadEx, Type: Address change 0x81C2DC44-->868CDE30 [Unknown module filename]
==============================================
>Shadow
==============================================
win32k.sys-->NtUserAttachThreadInput, Type: Address change 0x99566F4C-->85AA5BE0 [Unknown module filename]
win32k.sys-->NtUserGetAsyncKeyState, Type: Address change 0x9947FDCA-->86C26780 [Unknown module filename]
win32k.sys-->NtUserGetKeyboardState, Type: Address change 0x9949FE4E-->86C266C0 [Unknown module filename]
win32k.sys-->NtUserGetKeyState, Type: Address change 0x99510FDA-->85AA5A50 [Unknown module filename]
win32k.sys-->NtUserGetRawInputData, Type: Address change 0x9957CA87-->85AA5B10 [Unknown module filename]
win32k.sys-->NtUserMessageCall, Type: Address change 0x9950DF23-->86C26450 [Unknown module filename]
win32k.sys-->NtUserPostMessage, Type: Address change 0x9950F1AD-->86C265F0 [Unknown module filename]
win32k.sys-->NtUserPostThreadMessage, Type: Address change 0x994ED80B-->86C26520 [Unknown module filename]
win32k.sys-->NtUserSetWindowsHookEx, Type: Address change 0x994E3055-->85AAB108 [Unknown module filename]
win32k.sys-->NtUserSetWinEventHook, Type: Address change 0x9949221C-->86C1B1F8 [Unknown module filename]
==============================================
>Processes
==============================================
0x86B2A020 [340] C:\Windows\System32\smss.exe (Microsoft Corporation, Windows Session Manager)
0x86C21208 [480] C:\Windows\System32\csrss.exe (Microsoft Corporation, Client Server Runtime Process)
0x86CE3D90 [524] C:\Windows\System32\wininit.exe (Microsoft Corporation, Windows Start-Up Application)
0x86CEA1B8 [536] C:\Windows\System32\csrss.exe (Microsoft Corporation, Client Server Runtime Process)
0x86D1CD90 [568] C:\Windows\System32\services.exe (Microsoft Corporation, Services and Controller app)
0x86D61D90 [580] C:\Windows\System32\lsass.exe (Microsoft Corporation, Local Security Authority Process)
0x871E6B20 [584] C:\Program Files\Norton PC Checkup\Engine\2.0.3.263\ccSvcHst.exe (Symantec Corporation, Symantec Service Framework)
0x86D665B8 [588] C:\Windows\System32\lsm.exe (Microsoft Corporation, Local Session Manager Service)
0x86DE7020 [664] C:\Windows\System32\winlogon.exe (Microsoft Corporation, Windows Logon Application)
0x86E2CD90 [776] C:\Windows\System32\svchost.exe (Microsoft Corporation, Host Process for Windows Services)
0x86DC7640 [836] C:\Windows\System32\svchost.exe (Microsoft Corporation, Host Process for Windows Services)
0x871FD8B0 [956] C:\Windows\System32\svchost.exe (Microsoft Corporation, Host Process for Windows Services)
0x86F32B20 [1024] C:\Windows\System32\svchost.exe (Microsoft Corporation, Host Process for Windows Services)
0x86F358B0 [1068] C:\Windows\System32\svchost.exe (Microsoft Corporation, Host Process for Windows Services)
0x86F7D5F8 [1100] C:\Windows\System32\svchost.exe (Microsoft Corporation, Host Process for Windows Services)
0x86F86020 [1204] C:\Windows\System32\svchost.exe (Microsoft Corporation, Host Process for Windows Services)
0x86FA9020 [1224] C:\Windows\System32\SLsvc.exe (Microsoft Corporation, Microsoft Software Licensing Service)
0x86F9F020 [1264] C:\Windows\System32\svchost.exe (Microsoft Corporation, Host Process for Windows Services)
0x87211D90 [1412] C:\Windows\System32\TCPSVCS.EXE (Microsoft Corporation, TCP/IP Services Application)
0x86FC8398 [1428] C:\Windows\System32\svchost.exe (Microsoft Corporation, Host Process for Windows Services)
0x8720B020 [1468] C:\Windows\System32\svchost.exe (Microsoft Corporation, Host Process for Windows Services)
0x85AAAD90 [1580] C:\Windows\System32\spoolsv.exe (Microsoft Corporation, Spooler SubSystem App)
0x870388B0 [1612] C:\Windows\System32\svchost.exe (Microsoft Corporation, Host Process for Windows Services)
0x87158B40 [1796] C:\Program Files\Norton 360\Norton 360\Engine\4.1.0.32\ccSvcHst.exe (Symantec Corporation, Symantec Service Framework)
0x87166D90 [1900] C:\Program Files\Norton Online\Engine\1.2.2.2\ccSvcHst.exe (Symantec Corporation, Symantec Service Framework)
0x846E6CC0 [1996] C:\Windows\System32\taskeng.exe (Microsoft Corporation, Task Scheduler Engine)
0x8719C9F0 [2020] C:\Program Files\Norton PC Checkup\Engine\2.0.3.263\SymcPCCULaunchSvc.exe (Symantec Corporation, Norton PC Checkup Launcher Service)
0x87294D90 [2088] C:\Windows\System32\svchost.exe (Microsoft Corporation, Host Process for Windows Services)
0x872A5370 [2176] C:\Windows\System32\SearchIndexer.exe (Microsoft Corporation, Microsoft Windows Search Indexer)
0x845415C0 [2228] C:\Windows\System32\SearchFilterHost.exe (Microsoft Corporation, Microsoft Windows Search Filter Host)
0x8712D750 [2668] C:\Windows\System32\dllhost.exe (Microsoft Corporation, COM Surrogate)
0x853980B0 [2908] C:\Windows\System32\SearchProtocolHost.exe (Microsoft Corporation, Microsoft Windows Search Protocol Host)
0x87599788 [2948] C:\Windows\System32\wbem\WmiPrvSE.exe (Microsoft Corporation, WMI Provider Host)
0x875AA020 [3092] C:\Program Files\Norton Online\Engine\1.2.2.2\ccSvcHst.exe (Symantec Corporation, Symantec Service Framework)
0x875B3B10 [3100] C:\Program Files\Norton 360\Norton 360\Engine\4.1.0.32\ccSvcHst.exe (Symantec Corporation, Symantec Service Framework)
0x875D3B20 [3156] C:\Windows\System32\dwm.exe (Microsoft Corporation, Desktop Window Manager)
0x875E8118 [3232] C:\Windows\explorer.exe (Microsoft Corporation, Windows Explorer)
0x87648020 [3396] C:\Windows\System32\taskeng.exe (Microsoft Corporation, Task Scheduler Engine)
0x87281D90 [3884] C:\Windows\System32\wbem\unsecapp.exe (Microsoft Corporation, Sink to receive asynchronous callbacks for WMI client application)
0x844C2A00 [4072] C:\Users\Toshiba admin\Desktop\RKUnhookerLE(2).EXE (UG North, RKULE, SR2 Normandy)
0x83A6C020 [4] System
0x86F8AD90 [1176] C:\Windows\System32\audiodg.exe (Microsoft Corporation, Windows Audio Device Graph Isolation )
==============================================
>Drivers
==============================================
0x8B808000 C:\Windows\system32\DRIVERS\igdkmd32.sys 7057408 bytes (Intel Corporation, Intel Graphics Kernel Mode Driver)
0x81A12000 C:\Windows\system32\ntkrnlpa.exe 3903488 bytes (Microsoft Corporation, NT Kernel & System)
0x81A12000 PnpManager 3903488 bytes
0x81A12000 RAW 3903488 bytes
0x81A12000 WMIxWDM 3903488 bytes
0x99450000 Win32k 2105344 bytes
0x99450000 C:\Windows\System32\win32k.sys 2105344 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0x8CC0F000 C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.1.0.32\Definitions\VirusDefs\20100608.004\NAVEX15.SYS 1343488 bytes (Symantec Corporation, AV Engine)
0x87E0A000 C:\Windows\System32\Drivers\Ntfs.sys 1114112 bytes (Microsoft Corporation, NT File System Driver)
0x87A09000 C:\Windows\system32\drivers\ndis.sys 1093632 bytes (Microsoft Corporation, NDIS 6.0 wrapper driver)
0x87C05000 C:\Windows\System32\drivers\tcpip.sys 958464 bytes (Microsoft Corporation, TCP/IP Driver)
0x8C00B000 C:\Windows\system32\DRIVERS\athr.sys 946176 bytes (Atheros Communications, Inc., Atheros Extensible Wireless LAN device driver)
0x804D1000 C:\Windows\system32\CI.dll 917504 bytes (Microsoft Corporation, Code Integrity Module)
0xAD453000 C:\Windows\system32\drivers\peauth.sys 909312 bytes (Microsoft Corporation, Protected Environment Authentication and Authorization Export Driver)
0xAC40C000 C:\Windows\system32\drivers\spsys.sys 720896 bytes (Microsoft Corporation, security processor)
0x8BEC3000 C:\Windows\System32\drivers\dxgkrnl.sys 659456 bytes (Microsoft Corporation, DirectX Graphics Kernel)
0x8BF70000 C:\Windows\system32\DRIVERS\HDAudBus.sys 577536 bytes (Microsoft Corporation, High Definition Audio Bus Driver)
0x91F17000 C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.1.0.32\Definitions\BASHDefs\20100429.001\BHDrvx86.sys 548864 bytes (Symantec Corporation, BASH Driver)
0x91E98000 C:\Windows\system32\drivers\N360\0401000.020\ccHPx86.sys 520192 bytes (Symantec Corporation, Common Client Hash Provider Driver)
0x8060F000 C:\Windows\system32\drivers\Wdf01000.sys 507904 bytes (Microsoft Corporation, WDF Dynamic)
0x878CC000 C:\Windows\System32\Drivers\ksecdd.sys 462848 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0x80407000 C:\Windows\system32\mcupdate_GenuineIntel.dll 458752 bytes (Microsoft Corporation, Intel Microcode Update Library)
0xAC513000 C:\Windows\system32\drivers\HTTP.sys 446464 bytes (Microsoft Corporation, HTTP Protocol Stack)
0x91E06000 C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys 385024 bytes (Symantec Corporation, Symantec Eraser Control Driver)
0x8FE0D000 C:\Windows\system32\drivers\N360\0401000.020\SYMTDIV.SYS 364544 bytes (Symantec Corporation, Network Dispatch Driver)
0x8FF6B000 C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.1.0.32\Definitions\IPSDefs\20100528.003\IDSvix86.sys 360448 bytes (Symantec Corporation, IDS Core Driver)
0x8793D000 C:\Windows\system32\drivers\N360\0401000.020\SRTSP.SYS 356352 bytes (Symantec Corporation, Symantec AutoProtect)
0x87839000 C:\Windows\system32\drivers\N360\0401000.020\SYMDS.SYS 352256 bytes (Symantec Corporation, Symantec Data Store)
0x87D94000 C:\Windows\system32\drivers\ADIHdAud.sys 339968 bytes (Analog Devices, Inc., High Definition Audio Function Driver)
0x879AA000 C:\Windows\System32\DRIVERS\srv.sys 319488 bytes (Microsoft Corporation, Server driver)
0x87F53000 C:\Windows\system32\DRIVERS\tos_sps32.sys 307200 bytes (TOSHIBA Corporation, tos_sps2)
0x80741000 C:\Windows\System32\drivers\volmgrx.sys 303104 bytes (Microsoft Corporation, Volume Manager Extension Driver)
0x8FEAC000 C:\Windows\system32\drivers\afd.sys 294912 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0x80698000 C:\Windows\system32\drivers\acpi.sys 286720 bytes (Microsoft Corporation, ACPI Driver for NT)
0x80490000 C:\Windows\system32\CLFS.SYS 266240 bytes (Microsoft Corporation, Common Log File System Driver)
0x8C0FD000 C:\Windows\system32\DRIVERS\USBPORT.SYS 253952 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0x8FF25000 C:\Windows\system32\DRIVERS\rdbss.sys 245760 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0x87B3F000 C:\Windows\system32\drivers\NETIO.SYS 241664 bytes (Microsoft Corporation, Network I/O Subsystem)
0xAD402000 C:\Windows\system32\DRIVERS\mrxsmb10.sys 233472 bytes (Microsoft Corporation, Longhorn SMB Downlevel SubRdr)
0x87F1A000 C:\Windows\system32\drivers\volsnap.sys 233472 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0x87D5F000 C:\Windows\system32\DRIVERS\usbhub.sys 217088 bytes (Microsoft Corporation, Default Hub Driver for USB)
0x81DCB000 ACPI_HAL 208896 bytes
0x81DCB000 C:\Windows\system32\hal.dll 208896 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0xAD531000 C:\Windows\System32\Drivers\RDPWD.SYS 208896 bytes (Microsoft Corporation, RDP Terminal Stack Driver)
0x87807000 C:\Windows\system32\drivers\fltmgr.sys 204800 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0x8FE7A000 C:\Windows\System32\DRIVERS\netbt.sys 204800 bytes (Microsoft Corporation, MBT Transport driver)
0x807A0000 C:\Windows\system32\DRIVERS\pcmcia.sys 184320 bytes (Microsoft Corporation, PCMCIA Bus Driver)
0x87B7A000 C:\Windows\system32\drivers\portcls.sys 184320 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0x8789F000 C:\Windows\system32\drivers\N360\0401000.020\SYMEFA.SYS 184320 bytes (Symantec Corporation, Symantec Extended File Attributes)
0x8C168000 C:\Windows\system32\DRIVERS\SynTP.sys 180224 bytes (Synaptics, Inc., Synaptics Touchpad Driver)
0x87B14000 C:\Windows\system32\drivers\msrpc.sys 176128 bytes (Microsoft Corporation, Kernel Remote Procedure Call Provider)
0x8C1D5000 C:\Windows\system32\DRIVERS\ks.sys 172032 bytes (Microsoft Corporation, Kernel CSA Library)
0xAC4CC000 C:\Windows\system32\DRIVERS\nwifi.sys 172032 bytes (Microsoft Corporation, NativeWiFi Miniport Driver)
0xAD5D2000 C:\Windows\System32\Drivers\fastfat.SYS 163840 bytes (Microsoft Corporation, Fast FAT File System Driver)
0x87FB5000 C:\Windows\System32\drivers\ecache.sys 159744 bytes (Microsoft Corporation, Special Memory Device Cache)
0x806EF000 C:\Windows\system32\drivers\pci.sys 159744 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
0xAC5B2000 C:\Windows\System32\DRIVERS\srv2.sys 159744 bytes (Microsoft Corporation, Smb 2.0 Server driver)
0x87BA7000 C:\Windows\system32\drivers\drmk.sys 151552 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
0x8CD57000 C:\Windows\system32\Drivers\SYMEVENT.SYS 151552 bytes (Symantec Corporation, Symantec Event Library)
0x87D0A000 C:\Windows\system32\drivers\CLASSPNP.SYS 135168 bytes (Microsoft Corporation, SCSI Class System Dll)
0x8CDB3000 C:\Windows\System32\drivers\VIDEOPRT.SYS 135168 bytes (Microsoft Corporation, Video Port Driver)
0x87BCC000 C:\Windows\system32\drivers\N360\0401000.020\Ironx86.SYS 126976 bytes (Symantec Corporation, Iron Driver)
0x8FFC3000 C:\Windows\system32\DRIVERS\mrxsmb.sys 126976 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
0x805B1000 C:\Windows\system32\drivers\ataport.SYS 122880 bytes (Microsoft Corporation, ATAPI Driver Extension)
0x91E64000 C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys 118784 bytes (Symantec Corporation, Symantec Eraser Utility Driver)
0xAC580000 C:\Windows\System32\DRIVERS\srvnet.sys 118784 bytes (Microsoft Corporation, Server Network driver)
0x87CEF000 C:\Windows\System32\drivers\fwpkclnt.sys 110592 bytes (Microsoft Corporation, FWP/IPsec Kernel-Mode API)
0x91FD6000 C:\Windows\system32\drivers\luafv.sys 110592 bytes (Microsoft Corporation, LUA File Virtualization Filter Driver)
0xAC5D9000 C:\Windows\system32\DRIVERS\bowser.sys 102400 bytes (Microsoft Corporation, NT Lan Manager Datagram Receiver Driver)
0x8C1A1000 C:\Windows\system32\DRIVERS\cdrom.sys 98304 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
0xAD43B000 C:\Windows\system32\DRIVERS\mrxsmb20.sys 98304 bytes (Microsoft Corporation, Longhorn SMB 2.0 Redirector)
0x91E81000 C:\Windows\System32\Drivers\dfsc.sys 94208 bytes (Microsoft Corporation, DFS Namespace Client Driver)
0xAD564000 C:\Windows\system32\DRIVERS\cdfs.sys 90112 bytes (Microsoft Corporation, CD-ROM File System Driver)
0x8FEF4000 C:\Windows\system32\DRIVERS\pacer.sys 90112 bytes (Microsoft Corporation, QoS Packet Scheduler)
0x87994000 C:\Windows\system32\DRIVERS\tdx.sys 90112 bytes (Microsoft Corporation, TDI Translation Driver)
0xAC59D000 C:\Windows\System32\drivers\mpsdrv.sys 86016 bytes (Microsoft Corporation, Microsoft Protection Service Driver)
0x8CD7C000 C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.1.0.32\Definitions\VirusDefs\20100608.004\NAVENG.SYS 81920 bytes (Symantec Corporation, AV Engine)
0x8FE66000 C:\Windows\system32\DRIVERS\smb.sys 81920 bytes (Microsoft Corporation, SMB Transport driver)
0x8C14A000 C:\Windows\system32\DRIVERS\i8042prt.sys 77824 bytes (Microsoft Corporation, i8042 Port Driver)
0xAC500000 C:\Windows\system32\DRIVERS\rspndr.sys 77824 bytes (Microsoft Corporation, Link-Layer Topology Responder Driver for NDIS 6)
0x87FDC000 C:\Windows\system32\drivers\disk.sys 69632 bytes (Microsoft Corporation, PnP Disk Driver)
0x80477000 C:\Windows\system32\PSHED.dll 69632 bytes (Microsoft Corporation, Platform Specific Hardware Error Driver)
0x8788F000 C:\Windows\system32\drivers\fileinfo.sys 65536 bytes (Microsoft Corporation, FileInfo Filter Driver)
0xAC4BC000 C:\Windows\system32\DRIVERS\lltdio.sys 65536 bytes (Microsoft Corporation, Link-Layer Topology Mapper I/O Driver)
0x807CD000 C:\Windows\System32\drivers\mountmgr.sys 65536 bytes (Microsoft Corporation, Mount Point Manager)
0x8C1C3000 C:\Windows\system32\DRIVERS\termdd.sys 65536 bytes (Microsoft Corporation, Terminal Server Driver)
0x87D43000 C:\Windows\system32\DRIVERS\intelppm.sys 61440 bytes (Microsoft Corporation, Processor Device Driver)
0x91FC7000 C:\Windows\system32\DRIVERS\monitor.sys 61440 bytes (Microsoft Corporation, Monitor Driver)
0x87FA6000 C:\Windows\System32\Drivers\mup.sys 61440 bytes (Microsoft Corporation, Multiple UNC Provider driver)
0x80716000 C:\Windows\System32\drivers\partmgr.sys 61440 bytes (Microsoft Corporation, Partition Management Driver)
0x8C13B000 C:\Windows\system32\DRIVERS\usbehci.sys 61440 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
0x80732000 C:\Windows\system32\drivers\volmgr.sys 61440 bytes (Microsoft Corporation, Volume Manager Driver)
0x99690000 C:\Windows\System32\cdd.dll 57344 bytes (Microsoft Corporation, Canonical Display Driver)
0x8FF17000 C:\Windows\system32\DRIVERS\netbios.sys 57344 bytes (Microsoft Corporation, NetBIOS interface driver)
0x8CDEF000 C:\Windows\System32\Drivers\Npfs.SYS 57344 bytes (Microsoft Corporation, NPFS Driver)
0x80792000 C:\Windows\system32\drivers\PCIIDEX.SYS 57344 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
0x91F9D000 C:\Windows\System32\Drivers\crashdmp.sys 53248 bytes (Microsoft Corporation, Crash Dump Driver)
0x8FF0A000 C:\Windows\system32\DRIVERS\SymIMv.sys 53248 bytes (Symantec Corporation, NDIS 6.0 Filter Driver for Windows Vista)
0x87D52000 C:\Windows\system32\DRIVERS\umbus.sys 53248 bytes (Microsoft Corporation, User-Mode Bus Enumerator)
0x8068B000 C:\Windows\system32\drivers\WDFLDR.SYS 53248 bytes (Microsoft Corporation, WDFLDR)
0xAD5AF000 C:\Windows\System32\drivers\tcpipreg.sys 49152 bytes (Microsoft Corporation, TCP/IP Registry Compatibility Driver)
0xAD5C6000 C:\Windows\System32\DRIVERS\tssecsrv.sys 49152 bytes (Microsoft Corporation, TS Security Filter Driver)
0x8CDA7000 C:\Windows\System32\drivers\vga.sys 49152 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
0x8BF64000 C:\Windows\System32\drivers\watchdog.sys 49152 bytes (Microsoft Corporation, Watchdog Driver)
0x91FAA000 C:\Windows\System32\Drivers\dump_dumpata.sys 45056 bytes
0x8C15D000 C:\Windows\system32\DRIVERS\kbdclass.sys 45056 bytes (Microsoft Corporation, Keyboard Class Driver)
0x8C196000 C:\Windows\system32\DRIVERS\mouclass.sys 45056 bytes (Microsoft Corporation, Mouse Class Driver)
0x8CDE4000 C:\Windows\System32\Drivers\Msfs.SYS 45056 bytes (Microsoft Corporation, Mailslot driver)
0x8CC00000 C:\Windows\system32\DRIVERS\TDI.SYS 45056 bytes (Microsoft Corporation, TDI Wrapper)
0xAD5BB000 C:\Windows\system32\drivers\tdtcp.sys 45056 bytes (Microsoft Corporation, TCP Transport Driver)
0x8C0F2000 C:\Windows\system32\DRIVERS\usbuhci.sys 45056 bytes (Microsoft Corporation, UHCI USB Miniport Driver)
0x80728000 C:\Windows\system32\DRIVERS\BATTC.SYS 40960 bytes (Microsoft Corporation, Battery Class Driver)
0x91FBD000 C:\Windows\System32\drivers\Dxapi.sys 40960 bytes (Microsoft Corporation, DirectX API Driver)
0x8C000000 C:\Windows\system32\DRIVERS\mssmbios.sys 40960 bytes (Microsoft Corporation, System Management BIOS Driver)
0xAC4F6000 C:\Windows\system32\DRIVERS\ndisuio.sys 40960 bytes (Microsoft Corporation, NDIS User mode I/O driver)
0x8FF61000 C:\Windows\system32\drivers\nsiproxy.sys 40960 bytes (Microsoft Corporation, NSI Proxy)
0xAD5A5000 C:\Windows\System32\Drivers\secdrv.SYS 40960 bytes (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K., Macrovision SECURITY Driver)
0x87DE7000 C:\Windows\system32\drivers\N360\0401000.020\SRTSPX.SYS 40960 bytes (Symantec Corporation, Symantec AutoProtect)
0x87FED000 C:\Windows\system32\drivers\crcdisk.sys 36864 bytes (Microsoft Corporation, Disk Block Verification Filter Driver)
0x8CD90000 C:\Windows\System32\Drivers\Fs_Rec.SYS 36864 bytes (Microsoft Corporation, File System Recognizer Driver)
0xAD598000 C:\Windows\System32\Drivers\Normandy.SYS 36864 bytes (RKU Driver)
0x99670000 C:\Windows\System32\TSDDD.dll 36864 bytes (Microsoft Corporation, Framebuffer Display Driver)
0x806DE000 C:\Windows\system32\drivers\WMILIB.SYS 36864 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
0x807DD000 C:\Windows\system32\drivers\atapi.sys 32768 bytes (Microsoft Corporation, ATAPI IDE Miniport Driver)
0x87E00000 C:\Windows\system32\DRIVERS\ATKACPI.sys 32768 bytes (ATK0100, ATK0100 ACPI Utility)
0x80488000 C:\Windows\system32\BOOTVID.dll 32768 bytes (Microsoft Corporation, VGA Boot Driver)
0x91FB5000 C:\Windows\System32\Drivers\dump_atapi.sys 32768 bytes
0x806E7000 C:\Windows\system32\drivers\msisadrv.sys 32768 bytes (Microsoft Corporation, ISA Driver)
0x8CDD4000 C:\Windows\System32\DRIVERS\RDPCDD.sys 32768 bytes (Microsoft Corporation, RDP Miniport)
0x8CDDC000 C:\Windows\system32\drivers\rdpencdd.sys 32768 bytes (Microsoft Corporation, RDP Miniport)
0x87F9E000 C:\Windows\System32\Drivers\spldr.sys 32768 bytes (Microsoft Corporation, loader for security processor)
0x8CDA0000 C:\Windows\System32\Drivers\Beep.SYS 28672 bytes (Microsoft Corporation, BEEP Driver)
0x8078B000 C:\Windows\system32\drivers\intelide.sys 28672 bytes (Microsoft Corporation, Intel PCI IDE Driver)
0x80400000 C:\Windows\system32\kdcom.dll 28672 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
0x8CD99000 C:\Windows\System32\Drivers\Null.SYS 28672 bytes (Microsoft Corporation, NULL Driver)
0x8C1B9000 C:\Windows\system32\DRIVERS\GEARAspiWDM.sys 24576 bytes (GEAR Software Inc., CD DVD Filter)
0x8C1BF000 C:\Windows\system32\DRIVERS\CmBatt.sys 16384 bytes (Microsoft Corporation, Control Method Battery Driver)
0x80725000 C:\Windows\system32\DRIVERS\compbatt.sys 12288 bytes (Microsoft Corporation, Composite Battery Driver)
0x8C1D3000 C:\Windows\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
0x8C194000 C:\Windows\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
==============================================
>Stealth
==============================================
==============================================
>Files
==============================================
!-->[Hidden] C:\ProgramData\Microsoft\Windows\Sqm\Upload\Private_591363_04.sqm
!-->[Hidden] C:\Windows\System32\LogFiles\SQM\SQMLogger_2010-6-16-13-0-0_0.etl
==============================================
>Hooks
==============================================
ntkrnlpa.exe+0x000A87AA, Type: Inline - RelativeJump 0x81ABA7AA-->81ABA7B1 [ntkrnlpa.exe]
ntkrnlpa.exe+0x000AC8A0, Type: Inline - RelativeJump 0x81ABE8A0-->81ABE896 [ntkrnlpa.exe]
ntkrnlpa.exe+0x000ACB2C, Type: Inline - RelativeJump 0x81ABEB2C-->81ABEB93 [ntkrnlpa.exe]
ntkrnlpa.exe+0x000ACB70, Type: Inline - RelativeJump 0x81ABEB70-->81ABEB22 [ntkrnlpa.exe]
[2020]SymcPCCULaunchSvc.exe-->advapi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77C814BC-->00000000 [shimeng.dll]
[2020]SymcPCCULaunchSvc.exe-->gdi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77B61170-->00000000 [shimeng.dll]
[2020]SymcPCCULaunchSvc.exe-->shell32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x768E1414-->00000000 [shimeng.dll]
[2020]SymcPCCULaunchSvc.exe-->user32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77D51300-->00000000 [shimeng.dll]
[2020]SymcPCCULaunchSvc.exe-->ws2_32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x4B0D11E8-->00000000 [shimeng.dll]


AND COMBOFIX
ComboFix 10-06-17.02 - Toshiba admin 18/06/2010 17:06:29.3.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.2039.1275 [GMT 1:00]
Running from: c:\users\Toshiba admin\Desktop\ComboFix.exe
SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\win.com

.
((((((((((((((((((((((((( Files Created from 2010-05-18 to 2010-06-18 )))))))))))))))))))))))))))))))
.

2010-06-18 16:11 . 2010-06-18 16:13 -------- d-----w- c:\users\Toshiba admin\AppData\Local\temp
2010-06-18 16:11 . 2010-06-18 16:11 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-06-18 16:11 . 2010-06-18 16:11 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-06-18 16:04 . 2010-06-18 16:04 -------- d-----w- C:\32788R22FWJFW
2010-06-08 17:39 . 2009-05-18 21:17 26600 ----a-r- c:\windows\system32\drivers\GEARAspiWDM.sys
2010-06-08 17:39 . 2008-04-17 20:12 107368 ----a-r- c:\windows\system32\GEARAspi.dll
2010-06-06 22:05 . 2010-06-06 22:05 15272 ----a-w- c:\windows\system32\Native.exe
2010-06-06 22:05 . 2010-06-06 22:15 -------- d-----w- C:\ReimageUndo
2010-06-05 21:54 . 2010-06-10 22:35 -------- d-----w- C:\rei
2010-06-05 21:54 . 2010-06-05 21:54 -------- d-----w- c:\program files\Reimage
2010-06-05 19:45 . 2010-06-05 19:45 -------- d-----w- c:\users\Toshiba admin\AppData\Roaming\GARMIN
2010-06-02 12:12 . 2010-06-02 12:12 352513 ----a-w- c:\windows\system32\savapi3.dll
2010-06-02 12:12 . 2010-06-02 12:12 1380403 ----a-w- c:\windows\system32\avgsdk.dll
2010-05-30 21:32 . 2010-05-30 21:32 -------- d-----w- c:\windows\system32\drivers\NSM
2010-05-30 21:32 . 2010-05-30 21:32 -------- d-----w- c:\program files\Norton Online
2010-05-30 21:32 . 2010-05-30 21:32 -------- d-----w- c:\windows\system32\drivers\NOF
2010-05-30 21:10 . 2010-06-02 20:55 -------- d-----w- c:\users\Toshiba admin\AppData\Local\Tific
2010-05-30 21:10 . 2010-06-08 17:35 -------- d-----w- c:\windows\system32\drivers\NortonPCCheckup
2010-05-30 21:10 . 2010-06-08 17:35 -------- d-----w- c:\program files\Norton PC Checkup
2010-05-29 16:29 . 2010-02-04 01:40 44080 ----a-r- c:\windows\system32\drivers\SymIMV.sys
2010-05-29 15:20 . 2010-06-08 17:39 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-05-29 15:19 . 2010-06-08 17:39 -------- d-----w- c:\program files\Symantec
2010-05-29 15:19 . 2010-06-08 17:38 -------- d-----w- c:\windows\system32\drivers\N360
2010-05-29 15:19 . 2010-06-08 17:38 -------- d-----w- c:\program files\Norton 360
2010-05-29 13:54 . 2010-05-30 21:10 -------- d-----w- c:\users\Toshiba admin\AppData\Roaming\Tific
2010-05-27 03:40 . 2010-05-27 03:40 -------- d-----w- C:\N360_BACKUP
2010-05-26 22:01 . 2010-06-10 22:35 -------- d-----w- c:\program files\NortonInstaller
2010-05-26 21:22 . 2010-05-26 21:41 -------- d-----w- C:\inetpub
2010-05-26 21:01 . 2008-06-10 07:42 1140056 ------w- c:\programdata\HP\Installer\Temp\hpzmsi01.exe
2010-05-26 06:05 . 2010-04-23 14:13 2048 ----a-w- c:\windows\system32\tzres.dll
2010-05-22 22:13 . 2010-05-22 22:13 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-21 22:39 . 2010-05-21 22:39 680 ----a-w- c:\users\Toshiba admin\AppData\Local\d3d9caps.dat
2010-05-21 21:47 . 2010-04-29 14:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-21 21:47 . 2010-05-21 21:47 -------- d-----w- c:\programdata\Malwarebytes
2010-05-21 21:47 . 2010-06-04 22:56 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-21 21:47 . 2010-04-29 14:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-21 16:10 . 2010-05-21 16:10 -------- d-----w- c:\program files\Hewlett-Packard
2010-05-21 16:10 . 2010-05-21 16:10 -------- d-----w- c:\program files\Common Files\Hewlett-Packard
2010-05-21 16:09 . 2010-05-21 16:09 -------- d-----w- c:\program files\Common Files\HP
2010-05-21 16:01 . 2008-04-16 04:05 729088 ----a-w- c:\windows\system32\hposwia_p01a.dll
2010-05-21 16:01 . 2008-04-16 04:05 372736 ----a-w- c:\windows\system32\hppldcoi.dll
2010-05-21 16:01 . 2008-02-28 10:08 303104 ----a-w- c:\windows\system32\hposc_p01a.dll
2010-05-21 16:00 . 2010-05-21 16:12 -------- d-----w- c:\program files\HP
2010-05-21 15:59 . 2010-05-26 21:02 -------- d-----w- c:\programdata\HP
2010-05-21 15:59 . 2010-05-21 18:20 165303 ----a-w- c:\windows\hpoins30.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-10 22:35 . 2007-05-30 08:58 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-06-10 22:35 . 2010-05-13 16:44 -------- d-----w- c:\users\Toshiba admin\AppData\Roaming\Regrun
2010-06-10 22:35 . 2010-05-05 15:16 -------- d-----w- c:\programdata\Norton
2010-06-08 17:39 . 2010-05-29 15:20 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-06-08 17:39 . 2010-05-29 15:20 7443 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-06-01 20:17 . 2010-05-05 14:34 91832 ----a-w- c:\users\Toshiba admin\AppData\Local\GDIPFONTCACHEV1.DAT
2010-05-31 21:54 . 2010-05-05 14:23 -------- d-----w- c:\program files\Atheros
2010-05-30 21:10 . 2010-05-05 15:15 -------- d-----w- c:\programdata\NortonInstaller
2010-05-29 12:07 . 2010-05-29 12:07 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_07_00.Wdf
2010-05-29 00:28 . 2007-05-30 08:48 -------- d-----w- c:\program files\Common Files\Adobe
2010-05-26 20:52 . 2007-05-30 08:28 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-05-26 20:52 . 2007-05-30 07:30 -------- d-----w- c:\program files\TOSHIBA
2010-05-26 20:51 . 2007-05-30 08:40 -------- d-----w- c:\programdata\Toshiba
2010-05-26 07:38 . 2010-05-15 22:55 2 --shatr- c:\windows\winstart.bat
2010-05-23 19:28 . 2007-05-30 08:58 -------- d-----w- c:\programdata\Symantec
2010-05-22 22:14 . 2007-05-30 08:24 -------- d-----w- c:\program files\Common Files\Java
2010-05-22 22:13 . 2007-05-30 08:24 -------- d-----w- c:\program files\Java
2010-05-19 06:44 . 2010-05-19 06:44 -------- d-----w- c:\program files\PIXresizer
2010-05-18 07:25 . 2010-05-17 20:49 -------- d-----w- c:\program files\DrWeb
2010-05-13 16:39 . 2010-05-13 16:39 -------- d-----w- c:\program files\Greatis
2010-05-13 16:10 . 2010-05-08 05:05 -------- d-----w- c:\users\Toshiba admin\AppData\Roaming\Digital Support
2010-05-12 19:04 . 2010-05-12 19:04 -------- d-----w- c:\program files\Enigma Software Group
2010-05-12 07:17 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-05-12 07:16 . 2010-05-10 19:31 -------- d-----w- c:\programdata\Microsoft Help
2010-05-11 09:29 . 2010-05-11 09:29 -------- d-----w- c:\programdata\Office Genuine Advantage
2010-05-10 19:34 . 2010-05-10 19:34 -------- d-----w- c:\program files\Microsoft.NET
2010-05-10 19:26 . 2010-05-10 19:26 176506 ----a-w- c:\windows\Loft Management System Uninstaller.exe
2010-05-10 19:26 . 2010-05-10 19:00 -------- d-----w- c:\program files\East Coast Software
2010-05-10 19:15 . 2010-05-10 19:00 185267 ----a-w- c:\windows\Federation Secretaries System Uninstaller.exe
2010-05-10 19:00 . 2010-05-10 19:00 -------- d-----w- c:\program files\Common Files\borland
2010-05-10 19:00 . 2010-05-10 19:00 -------- d-----w- c:\program files\dBase
2010-05-10 19:00 . 2010-05-10 19:00 -------- d-----w- c:\program files\Common Files\Thraex Software
2010-05-10 09:59 . 2010-05-10 09:59 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf
2010-05-10 09:49 . 2010-05-10 09:49 -------- d-----w- c:\users\Toshiba admin\AppData\Roaming\Malwarebytes
2010-05-08 05:57 . 2010-05-08 05:57 -------- d-----w- c:\program files\Trend Micro
2010-05-07 20:26 . 2010-05-07 20:26 -------- d-----w- c:\program files\Windows Portable Devices
2010-05-07 20:26 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2010-05-07 18:56 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Calendar
2010-05-07 18:56 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Sidebar
2010-05-07 18:56 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Photo Gallery
2010-05-07 18:56 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Defender
2010-05-07 14:17 . 2006-11-02 10:32 101888 ----a-w- c:\windows\system32\ifxcardm.dll
2010-05-07 14:17 . 2006-11-02 10:32 82432 ----a-w- c:\windows\system32\axaltocm.dll
2010-05-07 13:19 . 2010-05-07 13:19 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2010-05-07 11:28 . 2010-05-07 11:28 -------- d-----w- c:\program files\AVG
2010-05-06 21:05 . 2010-05-06 21:05 377344 ----a-w- c:\windows\system32\winhttp.dll
2010-05-06 09:36 . 2010-05-05 23:49 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-06 08:46 . 2010-05-06 08:46 -------- d-----w- c:\program files\MSECache
2010-05-06 06:11 . 2010-05-06 06:11 499712 ----a-w- c:\windows\system32\kerberos.dll
2010-05-06 06:11 . 2010-05-06 06:11 270848 ----a-w- c:\windows\system32\schannel.dll
2010-05-06 06:11 . 2010-05-06 06:11 293376 ----a-w- c:\windows\system32\browserchoice.exe
2010-05-06 00:41 . 2010-05-06 00:41 156672 ----a-w- c:\windows\system32\t2embed.dll
2010-05-06 00:41 . 2010-05-06 00:41 72704 ----a-w- c:\windows\system32\fontsub.dll
2010-05-06 00:41 . 2010-05-06 00:41 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-05-06 00:41 . 2010-05-06 00:41 289792 ----a-w- c:\windows\system32\atmfd.dll
2010-05-06 00:41 . 2010-05-06 00:41 23552 ----a-w- c:\windows\system32\lpk.dll
2010-05-06 00:41 . 2010-05-06 00:41 10240 ----a-w- c:\windows\system32\dciman32.dll
2010-05-06 00:40 . 2010-05-06 00:40 61440 ----a-w- c:\windows\system32\winipsec.dll
2010-05-06 00:40 . 2010-05-06 00:40 272896 ----a-w- c:\windows\system32\polstore.dll
2010-05-06 00:38 . 2010-05-06 00:38 98816 ----a-w- c:\windows\system32\drivers\srvnet.sys
2010-05-06 00:38 . 2010-05-06 00:38 302080 ----a-w- c:\windows\system32\drivers\srv.sys
2010-05-06 00:35 . 2010-05-06 00:35 17920 ----a-w- c:\windows\system32\netevent.dll
2010-05-06 00:35 . 2010-05-06 00:35 11264 ----a-w- c:\windows\system32\MRINFO.EXE
2010-05-06 00:35 . 2010-05-06 00:35 9728 ----a-w- c:\windows\system32\TCPSVCS.EXE
2010-05-06 00:35 . 2010-05-06 00:35 8704 ----a-w- c:\windows\system32\HOSTNAME.EXE
2010-05-06 00:35 . 2010-05-06 00:35 27136 ----a-w- c:\windows\system32\NETSTAT.EXE
2010-05-06 00:35 . 2010-05-06 00:35 19968 ----a-w- c:\windows\system32\ARP.EXE
2010-05-06 00:35 . 2010-05-06 00:35 17920 ----a-w- c:\windows\system32\ROUTE.EXE
2010-05-06 00:35 . 2010-05-06 00:35 105984 ----a-w- c:\windows\system32\netiohlp.dll
2010-05-06 00:35 . 2010-05-06 00:35 10240 ----a-w- c:\windows\system32\finger.exe
2010-05-06 00:31 . 2010-05-06 00:31 127488 ----a-w- c:\windows\system32\L2SecHC.dll
2010-05-06 00:31 . 2010-05-06 00:31 68096 ----a-w- c:\windows\system32\wlanhlp.dll
2010-05-06 00:31 . 2010-05-06 00:31 65024 ----a-w- c:\windows\system32\wlanapi.dll
2010-05-06 00:31 . 2010-05-06 00:31 513536 ----a-w- c:\windows\system32\wlansvc.dll
2010-05-06 00:31 . 2010-05-06 00:31 293376 ----a-w- c:\windows\system32\wlanmsm.dll
2010-05-06 00:31 . 2010-05-06 00:31 302592 ----a-w- c:\windows\system32\wlansec.dll
2010-05-06 00:31 . 2010-05-06 00:31 15181 ----a-w- c:\windows\system32\gatherWirelessInfo.vbs
2010-05-06 00:30 . 2010-05-06 00:30 1248768 ----a-w- c:\windows\system32\msxml3.dll
2010-05-06 00:30 . 2010-05-06 00:30 1401856 ----a-w- c:\windows\system32\msxml6.dll
2010-05-06 00:30 . 2010-05-06 00:30 2048 ----a-w- c:\windows\system32\msxml3r.dll
2010-05-06 00:30 . 2010-05-06 00:30 2048 ----a-w- c:\windows\system32\msxml6r.dll
2010-05-06 00:28 . 2010-05-06 00:28 175104 ----a-w- c:\windows\system32\wdigest.dll
2010-05-06 00:28 . 2010-05-06 00:28 9728 ----a-w- c:\windows\system32\lsass.exe
2010-05-06 00:28 . 2010-05-06 00:28 72704 ----a-w- c:\windows\system32\secur32.dll
2010-05-06 00:28 . 2010-05-06 00:28 439864 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2010-05-06 00:28 . 2010-05-06 00:28 218624 ----a-w- c:\windows\system32\msv1_0.dll
2010-05-06 00:28 . 2010-05-06 00:28 1259008 ----a-w- c:\windows\system32\lsasrv.dll
2010-05-06 00:27 . 2010-05-06 00:27 79360 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2010-05-06 00:27 . 2010-05-06 00:27 212992 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-05-06 00:27 . 2010-05-06 00:27 106496 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-05-06 00:25 . 2010-05-06 00:25 98816 ----a-w- c:\windows\system32\mfps.dll
2010-05-06 00:25 . 2010-05-06 00:25 2868224 ----a-w- c:\windows\system32\mf.dll
2010-05-06 00:25 . 2010-05-06 00:25 53248 ----a-w- c:\windows\system32\rrinstaller.exe
2010-05-06 00:25 . 2010-05-06 00:25 24576 ----a-w- c:\windows\system32\mfpmp.exe
2010-05-06 00:25 . 2010-05-06 00:25 2048 ----a-w- c:\windows\system32\mferror.dll
2010-05-06 00:23 . 2010-05-06 00:23 3600776 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-05-06 00:23 . 2010-05-06 00:23 3548040 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-05-06 00:18 . 2010-05-06 00:18 71680 ----a-w- c:\windows\system32\atl.dll
2010-05-06 00:09 . 2010-05-06 00:09 160256 ----a-w- c:\windows\system32\wkssvc.dll
2010-05-06 00:08 . 2010-05-06 00:08 53248 ----a-w- c:\windows\system32\tsgqec.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
"EnableLinkedConnections"= 1 (0x1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2008-03-25 20:27 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2008-01-19 07:33 202240 ----a-w- c:\program files\Windows Media Player\wmpnscfg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):3e,fa,13,4f,1b,ee,ca,01

R0 Partizan;Partizan;c:\windows\system32\drivers\Partizan.sys [x]
R3 CLSMS;CLSMS;c:\users\TOSHIB~1\AppData\Local\Temp\CLSMS.exe [x]
R3 DVGUGRPJ;DVGUGRPJ;c:\users\TOSHIB~1\AppData\Local\Temp\DVGUGRPJ.exe [x]
R3 JJK;JJK;c:\users\TOSHIB~1\AppData\Local\Temp\JJK.exe [x]
R3 JNYBCW;JNYBCW;c:\users\TOSHIB~1\AppData\Local\Temp\JNYBCW.exe [x]
R3 KEGXBSZP;KEGXBSZP;c:\users\TOSHIB~1\AppData\Local\Temp\KEGXBSZP.exe [x]
R3 LZWOTKDQ;LZWOTKDQ;c:\users\TOSHIB~1\AppData\Local\Temp\LZWOTKDQ.exe [x]
R3 NKQUPTX;NKQUPTX;c:\users\TOSHIB~1\AppData\Local\Temp\NKQUPTX.exe [x]
R3 PORTMON;PORTMON;c:\users\Toshiba admin\Desktop\SysinternalsSuite\PORTMSYS.SYS [2010-06-07 28656]
R3 QTLIOJEL;QTLIOJEL;c:\users\TOSHIB~1\AppData\Local\Temp\QTLIOJEL.exe [x]
R3 SYMRDR_{78CA3BF0-9C3B-40e1-B46D-38C877EF059A};Symantec Redirector - Norton Safety Minder;c:\windows\system32\drivers\NSM\0102020.002\SymRdr.SYS [2009-10-15 237360]
R3 TI;TI;c:\users\TOSHIB~1\AppData\Local\Temp\TI.exe [x]
R3 VZGIQKHHOVCE;VZGIQKHHOVCE;c:\users\TOSHIB~1\AppData\Local\Temp\VZGIQKHHOVCE.exe [x]
S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360\0401000.020\SYMDS.SYS [2010-02-04 328752]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0401000.020\SYMEFA.SYS [2010-02-04 172592]
S1 BHDrvx86;BHDrvx86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.1.0.32\Definitions\BASHDefs\20100429.001\BHDrvx86.sys [2010-04-29 537136]
S1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\N360\0401000.020\ccHPx86.sys [2010-02-25 501888]
S1 IDSVix86;IDSVix86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.1.0.32\Definitions\IPSDefs\20100528.003\IDSvix86.sys [2010-05-28 344112]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360\0401000.020\Ironx86.SYS [2010-02-27 116784]
S1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\system32\drivers\N360\0401000.020\SYMTDIV.SYS [2010-02-04 340016]
S2 N360;Norton 360;c:\program files\Norton 360\Norton 360\Engine\4.1.0.32\ccSvcHst.exe [2010-02-25 126392]
S2 NOF;Norton Online;c:\program files\Norton Online\Engine\1.2.2.2\ccSvcHst.exe [2009-10-20 126392]
S2 Norton PC Checkup Application Launcher;Norton PC Checkup Application Launcher;c:\program files\Norton PC Checkup\Engine\2.0.3.263\SymcPCCULaunchSvc.exe [2010-05-12 103792]
S2 PCCUJobMgr;Common Client Job Manager Service;c:\program files\Norton PC Checkup\Engine\2.0.3.263\ccSvcHst.exe [2009-08-24 126392]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2010-05-28 102448]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://news.bbc.co.uk/
TCP: {B01EE843-A218-4694-852F-5863E14A0310} = 192.168.1.254
TCP: {D0C990AD-C182-489F-A753-A1E0039716E7} = 192.168.1.254
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.2.0/GarminAxControl.CAB
.
- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-18 17:12
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\N360]
"ImagePath"="\"c:\program files\Norton 360\Norton 360\Engine\4.1.0.32\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Norton 360\Engine\4.1.0.32\diMaster.dll\" /prefetch:1"
--

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\NOF]
"ImagePath"="\"c:\program files\Norton Online\Engine\1.2.2.2\ccSvcHst.exe\" /s \"NOF\" /m \"c:\program files\Norton Online\Engine\1.2.2.2\diMaster.dll\" /prefetch:1"
--

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\PCCUJobMgr]
"ImagePath"="\"c:\program files\Norton PC Checkup\Engine\2.0.3.263\ccSvcHst.exe\" /s \"PCCUJobMgr\" /m \"c:\program files\Norton PC Checkup\Engine\2.0.3.263\diMaster.dll\" /prefetch:1"
.
Completion time: 2010-06-18 17:16:45
ComboFix-quarantined-files.txt 2010-06-18 16:16

Pre-Run: 27,704,569,856 bytes free
Post-Run: 27,679,244,288 bytes free

- - End Of File - - AC90CFA3C5F1010754FFB356CEC77600

AND COMBOFIX QOOBOX quarantined files
2010-06-18 16:15:05 . 2010-06-18 16:15:05 173 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Toolbar-Locked.reg.dat
2010-06-18 16:10:15 . 2010-06-18 16:10:15 4,327 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2010-06-18 16:04:40 . 2010-06-18 16:06:29 62 ----a-w- C:\Qoobox\Quarantine\catchme.log
2006-11-02 08:35:53 . 2006-11-02 08:35:53 6,656 ----a-w- C:\Qoobox\Quarantine\C\Windows\System32\win.com.vir
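A small triage script for the service and driver block of a ComboFix log, added here as a worked example. It is not part of the original post, of ComboFix, or of the helpers' procedure in this thread. It assumes the line layout visible in the log above (`R3 NAME;Display Name;path [date size]`, with `[x]` where ComboFix could not find the image file), and the sample input is a handful of entries copied from that log, so it runs offline. The checks are the ones a responder applies by eye to this section: an image that no longer exists, an image living in a per-user Temp directory, and a kernel driver (.sys) loaded from a user profile.

```python
"""Triage the service/driver entries of a ComboFix log.

Added example; not code from the original post, from ComboFix, or from
BleepingComputer.  Line format assumed (as seen in the log above):

    R3 NAME;Display Name;c:\\path\\image.exe [YYYY-MM-DD SIZE]
    R3 NAME;Display Name;c:\\path\\image.exe [x]      <- file not found
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample input: five entries copied from the log above.
SAMPLE_LOG = r"""
R0 Partizan;Partizan;c:\windows\system32\drivers\Partizan.sys [x]
R3 CLSMS;CLSMS;c:\users\TOSHIB~1\AppData\Local\Temp\CLSMS.exe [x]
R3 PORTMON;PORTMON;c:\users\Toshiba admin\Desktop\SysinternalsSuite\PORTMSYS.SYS [2010-06-07 28656]
S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360\0401000.020\SYMDS.SYS [2010-02-04 328752]
S2 N360;Norton 360;c:\program files\Norton 360\Norton 360\Engine\4.1.0.32\ccSvcHst.exe [2010-02-25 126392]
"""

# <R|S><start type> <service name>;<display name>;<image path> [<date> <size>] or [x]
SERVICE_RE = re.compile(
    r"^(?P<state>[RS][0-4])\s+(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.+?)\s+\[(?P<info>[^\]]*)\]\s*$"
)

# Paths that are normal homes for services and drivers (assumption: 32-bit layout as in the log).
SYSTEM_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\programdata\\")
TEMP_RE = re.compile(r"\\appdata\\local\\temp\\|\\windows\\temp\\", re.IGNORECASE)


@dataclass
class ServiceEntry:
    state: str            # R = running, S = stopped; digit = start type
    name: str
    display: str
    path: str
    file_present: bool    # False when ComboFix printed [x]
    size: Optional[int]   # bytes, when ComboFix printed a date and size


def parse_services(text: str) -> List[ServiceEntry]:
    """Return one ServiceEntry per line that matches the ComboFix service layout."""
    entries: List[ServiceEntry] = []
    for line in text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if not m:
            continue
        info = m.group("info").strip()
        present = info != "x"
        size = None
        if present:
            parts = info.split()
            if len(parts) == 2 and parts[1].isdigit():
                size = int(parts[1])
        entries.append(ServiceEntry(m.group("state"), m.group("name"),
                                    m.group("display"), m.group("path"), present, size))
    return entries


def triage(entries: List[ServiceEntry]) -> List[Tuple[str, List[str]]]:
    """Flag entries a responder should look at first, with the reason for each flag."""
    findings: List[Tuple[str, List[str]]] = []
    for e in entries:
        reasons: List[str] = []
        lower = e.path.lower()
        if not e.file_present:
            reasons.append("image file missing (orphaned service entry)")
        if TEMP_RE.search(e.path):
            reasons.append("image loaded from a Temp directory")
        if lower.endswith(".sys") and lower.startswith("c:\\users\\"):
            reasons.append("kernel driver loaded from a user profile")
        if e.state[1] in "01" and not lower.startswith(SYSTEM_DIRS):
            reasons.append("boot/system-start driver outside standard directories")
        if reasons:
            findings.append((e.name, reasons))
    return findings


if __name__ == "__main__":
    for name, reasons in triage(parse_services(SAMPLE_LOG)):
        print(f"{name}: {'; '.join(reasons)}")
```

The flags are review prompts, not verdicts: PORTMON in the sample is Sysinternals' Portmon driver, which the poster ran from the desktop himself, and leftover entries from tools used during a cleanup are common. What the script buys you is a short list to check by hand instead of reading every line of a long log.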




#14 PropagandaPanda

  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 20 June 2010 - 07:52 PM

Hello.

We need to keep to one computer. In any case, those logs look clean too.

I'm a bit confused right now. Please give me a brief summary of the problems on the computer that we were working with originally.

With Regards,
The Panda

#15 PropagandaPanda

  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 01 July 2010 - 05:01 PM

Hello.

There had been no reply from the topic starter in 5 days. Due to inactivity, this topic is now closed.
If you are the topic starter and need this topic reopened, send me a message.

Everyone else, please begin a new topic.

With Regards,
The Panda



