Chronic malware? Stealing Hard drive space?


This topic is locked. 44 replies to this topic.

#1 amb22


Posted 13 July 2010 - 10:10 PM

Hi,

First, as always thanks in advance for any help. I really appreciate it.

I have a relatively small hard drive ( I have two drives on my system) and the C drive has been filling up. I've posted in a different thread and was unable to free up much space. Someone mentioned a problem with Malware so I'm posting my log here to see if that may be the cause.

I've generally had pretty good success removing malware with Spybot, Ad-Aware and Malwarebytes, but since about February I've been having a few recurrent problems. I used an unsecured network and think I picked up something.

I was getting the AV soft ransom program and was able to effectively remove that. Unfortunately it seemed to come back a few times after removal. It seems to be gone now but I'm wondering if I still have something lurking that is doing something to suck up my hard drive space. Recently, I've been getting random IE boxes opening up and failing to load (404 error). I'm not sure why since I'm using firefox but the IE boxes pop up and fail to load about every hour or so.

I've recently run Malwarebytes, Ad-Aware, Panda scan and Spybot but currently have them removed to save hard drive space, which is almost gone now. Any help on my log is greatly appreciated. I'm hoping we can remove something that is causing the hard drive to fill up and the IE errors.

Log attached.

Thanks!


#2 amb22


Posted 16 July 2010 - 10:13 AM

Also wanted to add that I've recently been experiencing a possibly related problem. My wave bar keeps muting in the volume control randomly and I am getting a series of random IE pop ups that fail to load. I also hear the clicking sound of IE in the background even when nothing is going on.

Thanks!

#3 amb22


Posted 16 July 2010 - 08:05 PM

Sorry for another update (not trying to bump, I know patience is key on here) but I wanted to add that I'm also having trouble recently with Windows updates not being able to be installed. Not sure if it is related. FWIW, poking around the internet seems to indicate the IE and muting problem is pretty pervasive right now. I've looked at some of the solutions but I'm not confident enough to do them myself without risking messing up my computer worse.

#4 gringo_pr

Malware Response Team

Posted 17 July 2010 - 01:44 PM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together.
  1. Do not run any other tool until instructed to do so!
  2. Please do not attach logs or put them in code boxes.
  3. Tell me about any problems that have occurred during the fix.
  4. Tell me of any other symptoms you may be having, as these can help also.
  5. Do not run anything while running a fix.

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

In order for me to see the status of the infection I will need a new set of logs to start with.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

DeFogger:
    Please download DeFogger to your desktop.

    Double click DeFogger to run the tool.
    • The application window will appear
    • Click the Disable button to disable your CD Emulation drivers
    • Click Yes to continue
    • A 'Finished!' message will appear
    • Click OK
    • DeFogger may ask you to reboot the machine, if it does - click OK
    Do not re-enable these drivers until otherwise instructed.

Download DDS:
    Please download DDS by sUBs and save it to your desktop.

    Please disable any anti-malware program that will block scripts from running before running DDS.
    • Double-Click on dds.scr and a command window will appear. This is normal.
    • Shortly after two logs will appear:
      • DDS.txt
      • Attach.txt
    • A window will open instructing you save & post the logs
    • Save the logs to a convenient place such as your desktop
    • Copy the contents of both logs & post in your next reply

Scan With RKUnHooker
  • Please Download Rootkit Unhooker Save it to your desktop.
  • Now double-click on RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Check (tick) Drivers and Stealth. Uncheck the rest, then click OK.
  • Wait till the scanner has finished and then click File, Save Report.
  • Save the report somewhere where you can find it. Click Close.
Copy the entire contents of the report and paste it in a reply here.

Note: you may get this warning; it is OK, just ignore it:

"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"


MBRCheck

Please also download MBRCheck to your desktop
  • Double click MBRCheck.exe to run (vista and Win 7 right click and select Run as Administrator)
  • It will show a Black screen with some data on it
  • a report called MBRcheck will be on your desktop
  • open this report
  • Right click on the screen and select > Select All
  • Press Control+C
  • now please copy that report to this thread


Information and logs:
    In your next post I need the following:
      1. logs from DDS
      2. log from RKUnHooker
      3. report from MBRCheck
      4. let me know of any problems you may have had

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic




#5 amb22


Posted 17 July 2010 - 03:23 PM

Thanks so much for helping. I am really in a bind and really appreciate your expertise. I am about to proceed with your instructions and will post after working through them. Wanted to quickly add another symptom. In February I had a problem with AVSoft which I (thought) I was able to diagnose and clean myself. It came back a month or so later and I cleaned it again. Just now when I tried to log back in to check this topic, I noticed that some of the old AVSoft symptoms were popping up again (disabling my McAfee On-Access Scanner and not letting me open any other programs) so I immediately restarted in Safe Mode, which is what I am in now. I think it is AVSoft coming back but I didn't let it keep going to proceed with the fake virus message it produces. Anyway, will proceed with your instructions but wanted to quickly mention that other symptom that has forced me into Safe Mode.

#6 amb22


Posted 17 July 2010 - 03:33 PM

Thanks Gringo! Was able to run some of the programs but had an error when trying to run the RKunhooker. The error reads: "Error loading/opening driver".

1.


DDS (Ver_10-03-17.01) - NTFSx86 NETWORK
Run by Anthony at 16:25:13.42 on Sat 07/17/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_18
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.510.226 [GMT -4:00]

AV: McAfee VirusScan Enterprise *On-access scanning disabled* (Outdated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
FW: Kerio Personal Firewall *disabled* {532EFE70-19BC-4F0F-8F50-D5F15C243133}

============== Running Processes ===============

svchost.exe 4
svchost.exe 4
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\Explorer.EXE
D:\FireFox\firefox.exe
C:\Documents and Settings\Anthony\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = google.com
uInternet Settings,ProxyOverride = <local>
BHO: {02478D38-C3F9-4EFB-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\scriptcl.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [TpShocks] TpShocks.exe
mRun: [TPHOTKEY] c:\progra~1\thinkpad\pkgmgr\hotkey\TPHKMGR.exe
mRun: [PWRMGRTR] rundll32 c:\progra~1\thinkpad\utilit~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
mRun: [NDPS] c:\windows\system32\dpmw32.exe
mRun: [NWTRAY] NWTRAY.EXE
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\UdaterUI.exe" /StartedFromRunKey
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [TP4EX] tp4ex.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\soundmax\SMax4PNP.exe
mRun: [ACTray] c:\program files\thinkpad\connectutilities\ACTray.exe
mRun: [ACWLIcon] c:\program files\thinkpad\connectutilities\ACWLIcon.exe
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe"
mRun: [EZEJMNAP] c:\progra~1\thinkpad\utilit~1\EzEjMnAp.Exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [TVT Scheduler Proxy] c:\program files\common files\lenovo\scheduler\scheduler_proxy.exe
mRun: [Message Center Plus] c:\program files\lenovo\message center plus\MCPLaunch.exe /start
mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd2.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "d:\itunes\iTunesHelper.exe"
mRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
dRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil9f.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
mPolicies-system: CompatibleRUPSecurity = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/7/3/e7345c16-80aa-4488-ae10-9ac6be844f99/OGAControl.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6087.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1117730390554
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.4.2/jinstall-142-win.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://active.macromedia.com/flash2/cabs/swflash.cab
Notify: ACNotify - ACNotify.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: tpfnf2 - notifyf2.dll
Notify: WRNotifier - WRLogonNTF.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - No File
LSA: Authentication Packages = msv1_0 nwv1_0
LSA: Notification Packages = scecli ACGina

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\anthony\applic~1\mozilla\firefox\profiles\3w44wbp6.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.search.selectedengine - AIM Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
FF - component: c:\documents and settings\anthony\application data\mozilla\firefox\profiles\3w44wbp6.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - plugin: c:\documents and settings\anthony\application data\move networks\plugins\npqmp071701000002.dll
FF - plugin: c:\documents and settings\anthony\application data\mozilla\firefox\profiles\3w44wbp6.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - plugin: c:\windows\system32\tvuax\npTVUAx.dll
FF - plugin: d:\itunes\mozilla plugins\npitunes.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - d:\firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - d:\firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

FF - user.js: browser.sessionstore.resume_from_crash - false
d:\firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
d:\firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
d:\firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
d:\firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
d:\firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
d:\firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

============= SERVICES / DRIVERS ===============

R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [2007-10-16 19504]
R0 TPDiskPM;TPDiskPM;c:\windows\system32\drivers\TPDiskPM.sys [2005-5-27 14848]
R1 fwdrv;Firewall Driver;c:\windows\system32\drivers\fwdrv.sys [2005-3-21 270336]
R3 TPInput;TPInput;c:\windows\system32\drivers\TPInput.sys [2005-5-27 6528]
S0 Lbd;Lbd;c:\windows\system32\drivers\lbd.sys --> c:\windows\system32\drivers\Lbd.sys [?]
S1 mferkdk;VSCore mferkdk;c:\program files\mcafee\virusscan enterprise\mferkdk.sys [2006-11-30 31944]
S2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2007-5-11 104000]
S2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\mcshield.exe [2006-11-30 144960]
S2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\vstskmgr.exe [2006-11-30 54872]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-3-25 24652]
S2 WebUpdate4;Web Update Wizard Service V4 by PowerProgrammer;c:\windows\system32\WebUpdateSvc4.exe [2007-10-10 237784]
S3 31f5b1c5-1c4c-49fd-8a9c-b82ee31cc23f;31f5b1c5-1c4c-49fd-8a9c-b82ee31cc23f;\??\e:\cds300\cds300.dll --> e:\cds300\cds300.dll [?]
S3 DUBE100;D-Link DUB-E100 USB 2.0 Fast Ethernet Adapter;c:\windows\system32\drivers\DUBE100.sys [2005-6-2 13594]
S3 mfeavfk;McAfee Inc.;c:\windows\system32\drivers\mfeavfk.sys [2007-5-11 72264]
S3 mfebopk;McAfee Inc.;c:\windows\system32\drivers\mfebopk.sys [2007-5-11 34152]
S3 mfehidk;McAfee Inc.;c:\windows\system32\drivers\mfehidk.sys [2007-5-11 168776]
S3 Sockblkd;Sockblkd;c:\windows\system32\drivers\sockblkd.sys --> c:\windows\system32\drivers\Sockblkd.sys [?]
S3 vsdatant;vsdatant;\??\c:\windows\system32\vsdatant.sys --> c:\windows\system32\vsdatant.sys [?]

=============== Created Last 30 ================

2010-07-17 20:24:29 0 ----a-w- c:\documents and settings\anthony\defogger_reenable
2010-07-16 18:48:01 0 d-----w- c:\docume~1\anthony\applic~1\Malwarebytes
2010-07-16 18:44:48 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-07-16 17:00:09 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-07-14 02:45:12 0 d-----w- c:\program files\Trend Micro
2010-07-14 02:27:06 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe
2010-07-11 02:36:02 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-07-04 03:58:05 0 d-----w- c:\windows\system32\TVUAx

==================== Find3M ====================

2010-05-31 23:26:19 69446 -c--a-w- c:\windows\hpoins05.dat
2010-05-05 13:30:57 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-05-02 05:22:50 1851264 ------w- c:\windows\system32\dllcache\win32k.sys
2010-04-20 05:30:08 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-20 05:30:08 285696 ------w- c:\windows\system32\dllcache\atmfd.dll
2002-07-30 23:51:20 13594 -c--a-w- c:\windows\inf\DUBE100.SYS

============= FINISH: 16:25:52.45 ===============




UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 5/28/2005 12:23:47 AM
System Uptime: 7/17/2010 4:08:58 PM (0 hours ago)

Motherboard: IBM | | 2668DD4
Processor: Intel® Pentium® M processor 2.13GHz | None | 2128/533mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 14 GiB total, 0.067 GiB free.
D: is FIXED (NTFS) - 57 GiB total, 14.226 GiB free.
E: is CDROM ()

==== Disabled Device Manager Items =============

Class GUID: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Description: Beep
Device ID: ROOT\LEGACY_BEEP\0000
Manufacturer:
Name: Beep
PNP Device ID: ROOT\LEGACY_BEEP\0000
Service: Beep

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: WAN Miniport (L2TP)
Device ID: ROOT\MS_L2TPMINIPORT\0000
Manufacturer: Microsoft
Name: WAN Miniport (L2TP)
PNP Device ID: ROOT\MS_L2TPMINIPORT\0000
Service: Rasl2tp

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: WAN Miniport (IP)
Device ID: ROOT\MS_NDISWANIP\0000
Manufacturer: Microsoft
Name: WAN Miniport (IP)
PNP Device ID: ROOT\MS_NDISWANIP\0000
Service: NdisWan

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: WAN Miniport (PPPOE)
Device ID: ROOT\MS_PPPOEMINIPORT\0000
Manufacturer: Microsoft
Name: WAN Miniport (PPPOE)
PNP Device ID: ROOT\MS_PPPOEMINIPORT\0000
Service: RasPppoe

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: WAN Miniport (PPTP)
Device ID: ROOT\MS_PPTPMINIPORT\0000
Manufacturer: Microsoft
Name: WAN Miniport (PPTP)
PNP Device ID: ROOT\MS_PPTPMINIPORT\0000
Service: PptpMiniport

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Packet Scheduler Miniport
Device ID: ROOT\MS_PSCHEDMP\0001
Manufacturer: Microsoft
Name: WAN Miniport (IP) - Packet Scheduler Miniport
PNP Device ID: ROOT\MS_PSCHEDMP\0001
Service: PSched

==== System Restore Points ===================

No restore point in system.

==== Installed Programs ======================

Access IBM
Access IBM Message Center
Adobe Flash Player 10 Plugin
Adobe Flash Player ActiveX
Adobe Reader 8.1.0
Adobe Type Manager 4.1
Apple Application Support
Apple Mobile Device Support
Apple Software Update
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Control Panel
ATI Display Driver
ATI HYDRAVISION
Bonjour
Catalyst Control Center Core Implementation
Catalyst Control Center Graphics Full Existing
Catalyst Control Center Graphics Full New
Catalyst Control Center Graphics Light
Catalyst Control Center Localization Chinese Standard
Catalyst Control Center Localization Chinese Traditional
Catalyst Control Center Localization Dutch
Catalyst Control Center Localization French
Catalyst Control Center Localization German
Catalyst Control Center Localization Italian
Catalyst Control Center Localization Japanese
Catalyst Control Center Localization Korean
Catalyst Control Center Localization Portuguese
Catalyst Control Center Localization Spanish
Catalyst Control Center Localization Swedish
ccc-core-preinstall
ccc-core-static
ccc-utility
CCC Help Chinese Standard
CCC Help Chinese Traditional
CCC Help Dutch
CCC Help English
CCC Help French
CCC Help German
CCC Help Italian
CCC Help Japanese
CCC Help Korean
CCC Help Portuguese
CCC Help Spanish
CCC Help Swedish
CCleaner (remove only)
Compatibility Pack for the 2007 Office system
CP_Package_Variety1
CP_Package_Variety2
CP_Package_Variety3
Critical Update for Windows Media Player 11 (KB959772)
GdiplusUpgrade
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
HP Image Zone Express
HP PSC & OfficeJet 4.7
HP PSC 1600 series
HP Software Update
HP Update
IBM 32-bit Runtime Environment for Java 2, v1.4.2
IBM Themes
IBM ThinkPad Power Manager
IBM ThinkVantage Technologies Welcome Message
Intel® PROSet/Wireless Software
iTunes
Java Auto Updater
Java™ 6 Update 18
Kerio Personal Firewall
Lenovo Battery Program
McAfee VirusScan Enterprise
mCore
mDriver
Message Center Plus
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office PowerPoint Viewer 2003
Microsoft Office Professional Edition 2003
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft VC9 runtime libraries
mMHouse
MobileMe Control Panel
Mozilla Firefox (3.0.13)
Mozilla Firefox (3.5.10)
mPfMgr
mProSafe
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6.0 Parser
mWlsSafe
NICI (Shared) U.S./Worldwide (128 bit) (2.6.4-7)
NMAS Client Components (2.7)
Novell Client for Windows
OGA Notifier 2.0.0048.0
OpenOffice.org Installer 1.0
PC-Doctor for Windows
QuickTime
Security Update for CAPICOM (KB931906)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Shockwave
Skins
SoundMAX
System Update
TBS WMP Plug-in
ThinkPad Configuration
ThinkPad EasyEject Utility
ThinkPad FullScreen Magnifier
ThinkPad Integrated 56K Modem
ThinkPad Keyboard Customizer Utility
ThinkPad Power Management Driver
ThinkPad Presentation Director
ThinkPad SATA Power Management Driver
ThinkPad UltraNav Driver
ThinkPad UltraNav Wizard
ThinkVantage Access Connections
ThinkVantage Active Protection System
TrackPoint Accessibility Features
Ulead Photo Explorer 8.5 Trial
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB971930)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Viewpoint Media Player
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
Wallpapers
Web Update Wizard (Redistributable) 4.0
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage v1.3.0254.0
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Live OneCare safety scanner
Windows Live Upload Tool
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player Firefox Plugin
Windows NT Messaging
Windows XP Service Pack 3
WinZip

==== Event Viewer Messages From Past Week ========

7/17/2010 2:24:39 PM, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x80070070: Security Update for Microsoft Office 2003 (KB982311).
7/17/2010 2:24:37 PM, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x80070070: Security Update for Microsoft Office Outlook 2003 (KB980373).
7/17/2010 2:24:36 PM, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x8024002d: Security Update for Microsoft Office Excel 2003 (KB982133).
7/17/2010 2:24:29 PM, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x8024002d: Security Update for Microsoft Office Publisher 2003 (KB982122).
7/17/2010 2:24:06 PM, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x80070643: Microsoft .NET Framework 3.5 SP1 and .NET Framework 2.0 SP2 Update for Windows Server 2003 and Windows XP x86 (KB982524).
7/17/2010 2:23:27 PM, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x80070070: Microsoft .NET Framework 3.5 SP1 Update for Windows Server 2003 and Windows XP x86 (KB982168).
7/17/2010 12:16:49 AM, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x8024002d: Security Update for Microsoft Office Access 2003 (KB981716).
7/15/2010 9:05:25 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the Apple Mobile Device service.
7/15/2010 11:53:58 PM, error: PlugPlayManager [12] - The device 'MATbleepA DVD-RAM UJ-842 z' (IDE\CdRomMATbleepA_DVD-RAM_UJ-842_z_______________RC01____\5&2ba179a6&0&0.0.0) disappeared from the system without first being prepared for removal.
7/14/2010 12:22:28 AM, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x80070643: Security Update for Microsoft Office Outlook 2003 (KB980373).
7/14/2010 12:16:22 AM, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x80070643: Security Update for Microsoft Office Access 2003 (KB981716).
7/14/2010 12:09:11 AM, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x80070643: Update for Microsoft Office Outlook 2003 Junk Email Filter (KB2202122).
7/13/2010 5:29:09 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the PolicyAgent service.
7/13/2010 12:18:20 AM, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x80070643: Security Update for Microsoft Office Excel 2003 (KB982133).
7/12/2010 7:51:57 PM, error: Service Control Manager [7000] - The Application Layer Gateway Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
7/12/2010 7:51:56 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Application Layer Gateway Service service to connect.
7/12/2010 6:58:47 PM, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x80070643: Security Update for Microsoft Office PowerPoint 2003 (KB982157).
7/12/2010 6:14:10 PM, error: ati2mtag [43034] - Unknown EDID version
7/12/2010 12:37:07 AM, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x80070643: Security Update for Microsoft Office 2003 (KB982311).
7/12/2010 12:25:51 AM, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x80070643: Security Update for Microsoft Office Publisher 2003 (KB982122).
7/12/2010 12:25:15 AM, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x80070643: Security Update for Microsoft Office Word 2003 (KB982134).
7/12/2010 12:24:31 AM, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x80070643: Update for Microsoft Office Outlook 2003 Junk Email Filter (KB983503).
7/12/2010 1:53:35 AM, error: atapi [9] - The device, \Device\Ide\IdePort1, did not respond within the timeout period.
7/12/2010 1:08:58 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the Spooler service.
7/11/2010 7:46:33 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the RpcSs service.
7/11/2010 5:28:52 AM, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x80070641: Security Update for Microsoft Office Excel 2003 (KB982133).
7/11/2010 5:26:31 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Windows Installer service to connect.
7/11/2010 5:26:31 AM, error: Service Control Manager [7000] - The Windows Installer service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
7/11/2010 5:24:34 AM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service MSIServer with arguments "" in order to run the server: {000C101C-0000-0000-C000-000000000046}
7/11/2010 3:34:12 PM, error: Service Control Manager [7034] - The McAfee McShield service terminated unexpectedly. It has done this 2 time(s).
7/11/2010 3:20:32 AM, error: Service Control Manager [7034] - The McAfee McShield service terminated unexpectedly. It has done this 1 time(s).
7/11/2010 2:18:46 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the McAfee McShield service to connect.
7/11/2010 2:18:46 PM, error: Service Control Manager [7000] - The McAfee McShield service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
7/11/2010 11:33:19 PM, error: System Error [1003] - Error code 00000050, parameter1 bad0b158, parameter2 00000000, parameter3 805b19c7, parameter4 00000002.
7/11/2010 11:32:02 PM, error: Service Control Manager [7001] - The Windows Media Player Network Sharing Service service depends on the Universal Plug and Play Device Host service which failed to start because of the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
7/11/2010 11:29:56 PM, error: Service Control Manager [7022] - The McAfee McShield service hung on starting.
7/11/2010 11:27:11 PM, error: Service Control Manager [7001] - The Infrared Monitor service depends on the Terminal Services service which failed to start because of the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
7/11/2010 11:27:11 PM, error: Service Control Manager [7000] - The PCASp50 NDIS Protocol Driver service failed to start due to the following error: The system cannot find the file specified.
7/11/2010 10:58:41 AM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the Dnscache service.
7/11/2010 10:49:45 AM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the SUService service.
7/10/2010 8:34:07 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Lbd
7/10/2010 11:48:18 PM, error: Service Control Manager [7031] - The Lavasoft Ad-Aware Service service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.
7/10/2010 11:47:25 PM, error: Service Control Manager [7031] - The Lavasoft Ad-Aware Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.

==== End Of File ===========================


MBRCheck, version 1.1.1

© 2010, AD



\\.\C: --> \\.\PhysicalDrive0

\\.\D: --> \\.\PhysicalDrive0



Size Device Name MBR Status

--------------------------------------------

74 GB \\.\PhysicalDrive0 Known-bad MBR code detected (Whistler / Black Internet)!





Found non-standard or infected MBR.

Enter 'Y' and hit ENTER for more options, or 'N' to exit:

#7 gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:06:55 PM

Posted 17 July 2010 - 03:55 PM

Greetings

Don't run anything unless I ask you to, OK, and do these scans in normal mode please.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run MBRCheck.exe
  • Run MBRCheck.exe
  • Wait until you see the following line: Enter 'Y' and hit ENTER for more options, or 'N' to exit:
  • Please push the 'Y' key and then press Enter
  • When the program asks you "Enter your choice:", enter 2 and press the Enter key
  • Now the program will ask you "Enter the physical disk number to fix (0-99, -1 to cancel):"
  • Enter 0 and press the Enter key.
  • The program will show Available MBR codes:, followed by a list of operating systems. Please enter 1 for Windows XP, and then press Enter.
  • Restart your PC.
After you restart the PC
  • Double click MBRCheck.exe to run (Vista and Win 7: right click and select Run as Administrator)
  • It will show a black screen with some data on it
  • A report called MBRcheck will be on your desktop
  • Open this report
  • Right click on the screen and select > Select All
  • Press Control+C
  • Now please copy that report to this thread

Run Combofix:
    Please visit this webpage for download links, and instructions for running the tool:

    http://www.bleepingcomputer.com/combofix/how-to-use-combofix

    Please ensure you read this guide carefully and install the Recovery Console first.

    The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode.
    This allows us to more easily help you should your computer have a problem after an attempted removal of malware.
    It is a simple procedure that will only take a few moments of your time.


    Once installed, you should see a blue screen prompt that says:
      The Recovery Console was successfully installed.
    Please continue as follows:
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Click Yes to allow ComboFix to continue scanning for malware.

    When the tool is finished, it will produce a report for you.

    Please include the report in your next post:

    C:\ComboFix.txt

"information and logs"
    In your next post I need the following
    1. Log from Combofix
    2. report from MBRcheck
    3. let me know of any problems you may have had
    4. How is the computer doing now?

Gringo


I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#8 amb22

  • Topic Starter

  • Members
  • 44 posts
  • Local time:06:55 PM

Posted 17 July 2010 - 05:13 PM

Ran the MBR check. Was I supposed to have it fix something? I noticed it got me to a point where it asked me to type YES and hit enter. I didn't do that because it wasn't in your instructions, but I wanted to clarify that.

The steps seem to have freed up some space on Drive C (800 MB or so), though I still need to figure out a way to clear more space, I think.

MBRCheck, version 1.1.1

© 2010, AD



\\.\C: --> \\.\PhysicalDrive0

\\.\D: --> \\.\PhysicalDrive0



Size Device Name MBR Status

--------------------------------------------

74 GB \\.\PhysicalDrive0 Known-bad MBR code detected (Whistler / Black Internet)!





Found non-standard or infected MBR.

Enter 'Y' and hit ENTER for more options, or 'N' to exit:


ComboFix 10-07-16.01 - Anthony 07/17/2010 17:45:42.3.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.510.168 [GMT -4:00]
Running from: c:\documents and settings\Anthony\Desktop\ComboFix.exe
AV: McAfee VirusScan Enterprise *On-access scanning disabled* (Outdated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
FW: Kerio Personal Firewall *disabled* {532EFE70-19BC-4F0F-8F50-D5F15C243133}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\sys
c:\windows\sys\Apr-27-15-01-41-test-backup.enc
c:\windows\sys\Apr-28-13-07-42-1391913-backup.enc
c:\windows\sys\Dec-10-17-13-55-1391913-backup.enc
c:\windows\sys\Dec-11-22-39-29-test-backup.enc
c:\windows\sys\Dec-15-17-34-49-1391913-backup.enc
c:\windows\sys\Dec-8-16-11-04-test-backup.enc
c:\windows\sys\May-5-16-28-43-1391913-backup.enc
c:\windows\sys\Nov-17-16-30-26-1391913-backup.enc
c:\windows\sys\RecoveryBack-133033.enc
c:\windows\sys\RecoveryBack-150132.enc
c:\windows\sys\RecoveryBack-83055.enc

.
((((((((((((((((((((((((( Files Created from 2010-06-17 to 2010-07-17 )))))))))))))))))))))))))))))))
.

2010-07-16 18:48 . 2010-07-16 18:48 -------- d-----w- c:\documents and settings\Anthony\Application Data\Malwarebytes
2010-07-16 18:44 . 2010-07-16 18:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-07-16 17:00 . 2010-07-16 18:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-07-14 02:45 . 2010-07-14 02:45 -------- d-----w- c:\program files\Trend Micro
2010-07-14 02:27 . 2010-06-14 14:31 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe
2010-07-12 03:40 . 2010-07-15 03:09 -------- d-----w- c:\program files\Windows Live Safety Center
2010-07-11 03:58 . 2010-07-11 03:58 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\Sunbelt Software
2010-07-11 02:57 . 2010-07-11 02:57 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
2010-07-11 02:36 . 2010-07-11 02:36 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-07-11 02:13 . 2010-07-11 02:13 -------- d-----w- c:\documents and settings\Anthony\Local Settings\Application Data\Sunbelt Software
2010-07-11 02:06 . 2010-07-13 12:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-07-10 17:05 . 2010-07-10 17:05 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
2010-07-10 06:02 . 2010-07-10 06:02 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2010-07-06 15:37 . 2010-07-06 15:37 -------- d-----w- c:\documents and settings\Anthony\Local Settings\Application Data\PCHealth
2010-07-05 04:51 . 2010-07-05 04:51 -------- d-----w- c:\documents and settings\Anthony\Local Settings\Application Data\gfaaelyuw
2010-07-04 03:58 . 2010-07-04 03:58 -------- d-----w- c:\windows\system32\TVUAx
2010-06-17 23:21 . 2010-06-18 02:31 -------- d-----w- c:\documents and settings\Anthony\Local Settings\Application Data\nidfqhg

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-13 06:14 . 2006-03-14 03:17 -------- d-----w- c:\program files\WinXMedia
2010-07-13 00:09 . 2009-06-02 02:09 -------- d-----w- c:\documents and settings\Anthony\Application Data\Downloaded Installations
2010-07-13 00:04 . 2005-05-28 03:51 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-07-01 17:52 . 2010-07-04 04:03 1496064 ----a-w- c:\documents and settings\Anthony\Application Data\Mozilla\Firefox\Profiles\3w44wbp6.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
2010-07-01 17:51 . 2010-07-04 04:04 43008 ----a-w- c:\documents and settings\Anthony\Application Data\Mozilla\Firefox\Profiles\3w44wbp6.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2010-07-01 17:51 . 2010-07-04 04:04 338944 ----a-w- c:\documents and settings\Anthony\Application Data\Mozilla\Firefox\Profiles\3w44wbp6.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2010-07-01 17:51 . 2010-07-04 04:03 346112 ----a-w- c:\documents and settings\Anthony\Application Data\Mozilla\Firefox\Profiles\3w44wbp6.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
2010-07-01 00:19 . 2010-05-18 22:10 -------- d-----w- c:\program files\Hewlett-Packard
2010-06-14 14:31 . 2004-08-09 17:52 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-05-31 23:26 . 2009-09-10 23:03 69446 -c--a-w- c:\windows\hpoins05.dat
2010-05-20 04:01 . 2010-05-20 04:01 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2010-05-06 10:41 . 1980-01-01 07:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22 . 1980-01-01 07:00 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-28 19:45 . 2010-04-28 19:45 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.1.12\SetupAdmin.exe
2010-04-23 10:22 . 2010-04-23 10:22 2898232 ----a-w- c:\documents and settings\Anthony\Application Data\Mozilla\Firefox\Profiles\3w44wbp6.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
2010-04-20 05:30 . 1980-01-01 07:00 285696 ----a-w- c:\windows\system32\atmfd.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TpShocks"="TpShocks.exe" [2007-11-22 181536]
"TPHOTKEY"="c:\progra~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe" [2006-10-02 94208]
"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2004-12-21 135168]
"NDPS"="c:\windows\system32\dpmw32.exe" [2004-05-17 32859]
"NWTRAY"="NWTRAY.EXE" [2002-03-12 28672]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2006-11-30 112216]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2006-11-17 136768]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2006-01-22 344064]
"TP4EX"="tp4ex.exe" [2005-10-17 65536]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2006-02-14 110592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-02-14 512000]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 1388544]
"ACTray"="c:\program files\ThinkPad\ConnectUtilities\ACTray.exe" [2008-03-14 425984]
"ACWLIcon"="c:\program files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2008-03-14 126976]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2007-04-27 243248]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-04-13 47392]
"TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2008-03-04 487424]
"Message Center Plus"="c:\program files\LENOVO\Message Center Plus\MCPLaunch.exe" [2009-05-28 49976]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2008-12-08 54576]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"iTunesHelper"="d:\itunes\iTunesHelper.exe" [2010-04-28 142120]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil9f.exe" [2008-03-25 218496]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-5-11 24576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"CompatibleRUPSecurity"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2005-07-06 03:45 28672 ----a-w- c:\windows\system32\notifyf2.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwv1_0

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office OneNote 2003 Quick Launch.lnk]
backup=c:\windows\pss\Microsoft Office OneNote 2003 Quick Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Anthony^Start Menu^Programs^Startup^Microsoft Office OneNote 2003 Quick Launch.lnk]
backup=c:\windows\pss\Microsoft Office OneNote 2003 Quick Launch.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ad-Watch
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2007-05-11 07:06 40048 -c--a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
2006-01-22 01:00 344064 ----a-w- c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EZEJMNAP]
2007-04-27 06:33 243248 ------w- c:\progra~1\ThinkPad\UTILIT~1\EZEJMNAP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ibmmessages]
2004-08-06 09:10 442368 ----a-w- c:\program files\IBM\Messages By IBM\ibmmessages.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-18 01:53 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2006-02-14 18:16 512000 ----a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
2006-02-14 18:17 110592 ----a-w- c:\program files\Synaptics\SynTP\SynTPLpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TP4EX]
2005-10-17 05:11 65536 ----a-w- c:\windows\system32\TP4EX.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPKMAPHELPER]
2006-06-03 02:00 856064 ----a-w- c:\program files\ThinkPad\Utilities\TpKmapAp.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\dpmw32.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"d:\\itunes\\iTunes.exe"=
"d:\\FireFox\\firefox.exe"=

R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [10/16/2007 6:32 PM 19504]
R0 TPDiskPM;TPDiskPM;c:\windows\system32\drivers\TPDiskPM.sys [5/27/2005 11:52 PM 14848]
R1 fwdrv;Firewall Driver;c:\windows\system32\drivers\fwdrv.sys [3/21/2005 3:39 PM 270336]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [3/25/2008 1:20 AM 24652]
R2 WebUpdate4;Web Update Wizard Service V4 by PowerProgrammer;c:\windows\system32\WebUpdateSvc4.exe [10/10/2007 4:33 AM 237784]
R3 TPInput;TPInput;c:\windows\system32\drivers\TPInput.sys [5/27/2005 11:52 PM 6528]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S3 31f5b1c5-1c4c-49fd-8a9c-b82ee31cc23f;31f5b1c5-1c4c-49fd-8a9c-b82ee31cc23f;\??\e:\cds300\cds300.dll --> e:\cds300\cds300.dll [?]
S3 DUBE100;D-Link DUB-E100 USB 2.0 Fast Ethernet Adapter;c:\windows\system32\drivers\DUBE100.sys [6/2/2005 12:21 PM 13594]
S3 Normandy;Normandy SR2; [x]
S3 Sockblkd;Sockblkd;c:\windows\system32\Drivers\Sockblkd.sys --> c:\windows\system32\Drivers\Sockblkd.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2010-07-12 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 15:50]

2010-07-17 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 19:07]

2010-07-17 c:\windows\Tasks\PMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2005-05-28 08:00]
.
.
------- Supplementary Scan -------
.
uStart Page = google.com
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Anthony\Application Data\Mozilla\Firefox\Profiles\3w44wbp6.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.search.selectedengine - AIM Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
FF - component: c:\documents and settings\Anthony\Application Data\Mozilla\Firefox\Profiles\3w44wbp6.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - plugin: c:\documents and settings\Anthony\Application Data\Mozilla\Firefox\Profiles\3w44wbp6.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - plugin: c:\windows\system32\TVUAx\npTVUAx.dll
FF - plugin: d:\itunes\Mozilla Plugins\npitunes.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

FF - user.js: browser.sessionstore.resume_from_crash - false
d:\firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
d:\firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
d:\firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
d:\firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
ShellExecuteHooks-{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - (no file)
Notify-ACNotify - ACNotify.dll
Notify-tphotkey - (no file)
MSConfigStartUp-LXSUPMON - c:\windows\system32\LXSUPMON.EXE



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-17 18:00
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,06,d2,f2,af,e6,7c,99,43,a2,ea,3b,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,06,d2,f2,af,e6,7c,99,43,a2,ea,3b,\

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(548)
c:\program files\ThinkPad\ConnectUtilities\ACNotify.dll
c:\program files\ThinkPad\ConnectUtilities\AcSvcStub.dll
c:\program files\ThinkPad\ConnectUtilities\AcLocSettings.dll
c:\program files\ThinkPad\ConnectUtilities\ACHelper.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(5680)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\program files\McAfee\VirusScan Enterprise\scriptcl.dll
c:\windows\system32\JScript.dll
c:\windows\system32\NLS\ENGLISH\NWSHLXNR.DLL
c:\windows\system32\NLS\ENGLISH\NOVNPNTR.DLL
c:\windows\system32\netprovcredman.dll
c:\program files\Microsoft Office\OFFICE11\msohev.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ibmpmsvc.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\McAfee\Common Framework\FrameworkService.exe
c:\program files\McAfee\VirusScan Enterprise\mcshield.exe
c:\program files\McAfee\VirusScan Enterprise\vstskmgr.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\HPZipm12.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\program files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
c:\windows\System32\TPHDEXLG.exe
c:\windows\system32\TpKmpSVC.exe
c:\program files\Common Files\Lenovo\Scheduler\tvtsched.exe
c:\program files\McAfee\Common Framework\naPrdMgr.exe
c:\program files\ThinkPad\ConnectUtilities\AcSvc.exe
c:\program files\lenovo\system update\suservice.exe
c:\program files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
c:\program files\Internet Explorer\IEXPLORE.EXE
c:\program files\Internet Explorer\IEXPLORE.EXE
c:\windows\system32\TpShocks.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\NWTRAY.EXE
c:\program files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
c:\program files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
c:\program files\ThinkPad\UltraNav Wizard\UNavTray.EXE
c:\program files\McAfee\Common Framework\McTray.exe
c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
.
**************************************************************************
.
Completion time: 2010-07-17 18:06:59 - machine was rebooted
ComboFix-quarantined-files.txt 2010-07-17 22:06

Pre-Run: 29,134,848 bytes free
Post-Run: 864,784,384 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect

- - End Of File - - 2C653E722D98B3B42709C16FCCEF177A



The only problem I had was that when ComboFix was trying to restart the computer I was getting a message from IE asking to make it the default web browser. I was also getting that message when ComboFix finished (after ComboFix rebooted). I haven't tried updating Windows yet to see if that is now possible.

Seems to be better so far but I will need to try opening more programs and updating windows to really know how much better it is.

#9 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 17 July 2010 - 05:17 PM

Run MBRCheck.exe
  • Run MBRCheck.exe
  • When you see the following line: Enter 'Y' and hit ENTER for more options, or 'N' to exit:
  • Please push the 'Y' key and then press Enter
  • When the program asks you Enter your choice: enter 2 and press the Enter key
  • Now the program will ask you "Enter the physical disk number to fix (0-99, -1 to cancel):"
  • Enter 0 and press the Enter key.
  • The program will show Available MBR codes:, followed by a list of operating systems. Please enter 1 for Windows XP, and then press Enter.
  • Restart your PC.
After you restart the PC
  • Double-click MBRCheck.exe to run it (Vista and Win 7: right-click and select Run as Administrator)
  • It will show a black screen with some data on it
  • A report called MBRcheck will be on your desktop
  • Open this report
  • Right-click on the screen and select > Select All
  • Press Control+C
  • Now please copy that report to this thread

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#10 amb22

amb22
  • Topic Starter

  • Members
  • 44 posts

Posted 17 July 2010 - 05:31 PM

MBRCheck, version 1.1.1
© 2010, AD

\\.\C: --> \\.\PhysicalDrive0
\\.\D: --> \\.\PhysicalDrive0

Size Device Name MBR Status
--------------------------------------------
74 GB \\.\PhysicalDrive0 Known-bad MBR code detected (Whistler / Black Internet)!

Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:

I checked and the Wave Volume was muted again and there are multiple iexplorer.exe running that I cannot see.

#11 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 17 July 2010 - 06:01 PM

I noticed it got me to a point where it asked me to type YES and hit enter. I didn't do that because it wasn't in your instructions but I wanted to clarify that.

At what point is this, as I cannot check myself?

Redo the instructions, type yes when this comes up, but let me know where so I can add them - thanks


Gringo

#12 amb22

amb22
  • Topic Starter

  • Members
  • 44 posts

Posted 17 July 2010 - 10:20 PM

Run MBRCheck.exe

* Run MBRCheck.exe
* when you see the following line: Enter 'Y' and hit ENTER for more options, or 'N' to exit:
* Please push the 'Y' key and then press Enter
* When program ask you Enter your choice: enter 2 and press the Enter key
* Now the program will ask you "Enter the physical disk number to fix (0-99, -1 to cancel):"
* Enter 0 and press the Enter key.
* The program will show Available MBR codes:, followed by a list of operating systems. Please enter 1 for Windows XP, and then press Enter.
---****HERE IS WHERE IT ASKS YOU TO TYPE "YES" AND HIT ENTER TO RESET THE MBR/SOMETHING ABOUT MAKING THE ACTUAL FIXES. AFTER A FEW SECONDS IT FINISHES AND TELLS YOU TO RESTART
* Restart your PC.

--------------

Added the spot above where it asks for the YES.

Trying to update Windows now to see if it will allow updates now.

Reran MBRCheck and here is the new log:

Run MBRCheck.exe

MBRCheck, version 1.1.1
© 2010, AD

\\.\C: --> \\.\PhysicalDrive0
\\.\D: --> \\.\PhysicalDrive0

Size Device Name MBR Status
--------------------------------------------
74 GB \\.\PhysicalDrive0 Windows XP MBR code detected

Done! Press ENTER to exit...


Will let you know how the security updates work on Windows, but right now the computer seems to be running better. I still have some issues with freeing space on my hard drive that I'm not sure how to fix, but I'm not sure if that's related to this specific malware problem.


Also, in case you missed it earlier, I was never able to get the RKunhooker to run. Should I try running that now?
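Reading the two MBRCheck reports side by side is the substance of this step: the first flags known-bad MBR code on PhysicalDrive0 (which both C: and D: map to, so one infected boot sector covers both volumes), the second shows a stock Windows XP MBR after the fix. The parser below is added here as an illustration; it is not part of MBRCheck or of anything posted in this thread. The two sample reports embedded in it are constructed to mirror the output pasted above, and it assumes MBRCheck's two status phrasings seen here ("Known-bad MBR code detected (...)" and "Windows ... MBR code detected"); anything else is treated as needing a human look.

```python
"""Parse MBRCheck report text, flag drives whose MBR is not a recognised clean
Windows boot sector, and diff a before/after pair of reports.
Added example: the sample reports are constructed to mirror this thread's logs."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed "before" report (the copyright symbol is written as "(c)" to keep this ASCII).
REPORT_BEFORE = r"""
MBRCheck, version 1.1.1
(c) 2010, AD

\\.\C: --> \\.\PhysicalDrive0
\\.\D: --> \\.\PhysicalDrive0

Size Device Name MBR Status
--------------------------------------------
74 GB \\.\PhysicalDrive0 Known-bad MBR code detected (Whistler / Black Internet)!

Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:
"""

# Constructed "after" report, as MBRCheck prints once the MBR has been rewritten.
REPORT_AFTER = r"""
MBRCheck, version 1.1.1
(c) 2010, AD

\\.\C: --> \\.\PhysicalDrive0
\\.\D: --> \\.\PhysicalDrive0

Size Device Name MBR Status
--------------------------------------------
74 GB \\.\PhysicalDrive0 Windows XP MBR code detected

Done! Press ENTER to exit...
"""

VOLUME_RE = re.compile(r'^\\\\\.\\([A-Z]:) --> (\\\\\.\\PhysicalDrive\d+)\s*$')
DRIVE_RE = re.compile(r'^(\d+ [KMGT]B) (\\\\\.\\PhysicalDrive\d+) (.+?)\s*$')
KNOWN_BAD_RE = re.compile(r'Known-bad MBR code detected \((.+?)\)')
# Assumption from the logs in this thread: a clean, recognised boot sector is
# reported as "<Windows version> MBR code detected".
GOOD_RE = re.compile(r'^Windows .* MBR code detected$')


@dataclass
class DriveStatus:
    size: str
    device: str
    status: str

    @property
    def family(self) -> Optional[str]:
        """Malware family MBRCheck named in parentheses, if any."""
        m = KNOWN_BAD_RE.search(self.status)
        return m.group(1) if m else None

    @property
    def is_clean(self) -> bool:
        return GOOD_RE.match(self.status) is not None


@dataclass
class MbrReport:
    volumes: Dict[str, str] = field(default_factory=dict)   # "C:" -> physical device
    drives: List[DriveStatus] = field(default_factory=list)
    infected_flag: bool = False   # the "Found non-standard or infected MBR." trailer

    def suspicious_drives(self) -> List[DriveStatus]:
        """Every drive whose MBR is not a recognised clean Windows boot sector.
        Unknown code is flagged too: a bootkit MBRCheck has no signature for
        looks the same as a vendor boot manager, so it needs a human look."""
        return [d for d in self.drives if not d.is_clean]

    def affected_volumes(self, device: str) -> List[str]:
        """Drive letters on the given physical device; an MBR infection hits
        every volume on the disk, not just the one Windows boots from."""
        return sorted(v for v, dev in self.volumes.items() if dev == device)


def parse_mbrcheck(text: str) -> MbrReport:
    report = MbrReport()
    for line in text.splitlines():
        line = line.strip()
        if m := VOLUME_RE.match(line):
            report.volumes[m.group(1)] = m.group(2)
        elif m := DRIVE_RE.match(line):
            report.drives.append(DriveStatus(*m.groups()))
        elif line.startswith("Found non-standard or infected MBR"):
            report.infected_flag = True
    return report


def compare(before: MbrReport, after: MbrReport) -> Dict[str, Tuple[str, str, bool]]:
    """Per physical device: (status before, status after, remediated?)."""
    old = {d.device: d for d in before.drives}
    new = {d.device: d for d in after.drives}
    return {dev: (old[dev].status, new[dev].status,
                  (not old[dev].is_clean) and new[dev].is_clean)
            for dev in old if dev in new}


if __name__ == "__main__":
    b, a = parse_mbrcheck(REPORT_BEFORE), parse_mbrcheck(REPORT_AFTER)
    for d in b.suspicious_drives():
        print(f"{d.device} ({d.size}): {d.status}; family={d.family}; "
              f"volumes affected={b.affected_volumes(d.device)}")
    for dev, (was, now, fixed) in compare(b, a).items():
        print(f"{dev}: {was!r} -> {now!r} fixed={fixed}")
```

Run it as-is and it prints the one flagged device with its named family and the C:/D: volumes that share it, then the before/after status with `fixed=True`. Feeding it a real report is a matter of passing the saved MBRCheck text file's contents to `parse_mbrcheck`.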

#13 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 17 July 2010 - 10:32 PM

Yes, please do, and do it in normal mode. I think you were doing it in safe mode, correct?


Gringo

#14 amb22

amb22
  • Topic Starter

  • Members
  • 44 posts

Posted 17 July 2010 - 10:45 PM

Yup, that's right, it was in safe mode. Good call.

Now that I'm in normal mode, I was able to run it.



RkU Version: 3.8.388.590, Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 3)
Number of processors #1
==============================================
>Drivers
==============================================
0xBF113000 C:\WINDOWS\System32\ati3duag.dll 2924544 bytes (ATI Technologies Inc. , ati3duag.dll)
0xF7811000 C:\WINDOWS\system32\DRIVERS\ati2mtag.sys 2363392 bytes (ATI Technologies Inc., ATI Radeon WindowsNT Miniport Driver)
0xF7594000 C:\WINDOWS\system32\DRIVERS\w29n51.sys 2211840 bytes (Intel® Corporation, Intel® Wireless LAN Driver)
0x804D7000 C:\WINDOWS\system32\ntkrnlpa.exe 2066816 bytes (Microsoft Corporation, NT Kernel & System)
0x804D7000 PnpManager 2066816 bytes
0x804D7000 RAW 2066816 bytes
0x804D7000 WMIxWDM 2066816 bytes
0xBF800000 Win32k 1851392 bytes
0xBF800000 C:\WINDOWS\System32\win32k.sys 1851392 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0xBF3DD000 C:\WINDOWS\System32\ativvaxx.dll 1515520 bytes (ATI Technologies Inc. , Radeon Video Acceleration Universal Driver)
0xF73BD000 C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys 999424 bytes (Conexant Systems, Inc., HSF_DP driver)
0xEF0A8000 C:\WINDOWS\system32\drivers\fwdrv.sys 901120 bytes (Kerio Technologies, -)
0xF730C000 C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys 724992 bytes (Conexant Systems, Inc., HSF_CNXT driver)
0xF83C2000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)
0xB804B000 C:\WINDOWS\system32\NetWare\nwfs.sys 475136 bytes (Novell, Inc., Novell NetWare Redirector)
0xEEF11000 C:\WINDOWS\system32\DRIVERS\mrxsmb.sys 458752 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
0xF7216000 C:\WINDOWS\system32\DRIVERS\update.sys 385024 bytes (Microsoft Corporation, Update Driver)
0xBF057000 C:\WINDOWS\System32\ati2cqag.dll 368640 bytes (ATI Technologies Inc., Central Memory Manager / Queue Server Module)
0xEF03C000 C:\WINDOWS\system32\DRIVERS\tcpip.sys 364544 bytes (Microsoft Corporation, TCP/IP Protocol Driver)
0xB7E23000 C:\WINDOWS\system32\DRIVERS\srv.sys 356352 bytes (Microsoft Corporation, Server driver)
0xBF0B1000 C:\WINDOWS\System32\atikvmag.dll 327680 bytes (ATI Technologies Inc., Virtual Command And Memory Manager)
0xBFFA0000 C:\WINDOWS\System32\ATMFD.DLL 286720 bytes (Adobe Systems Incorporated, Windows NT OpenType/Type 1 Font Driver)
0xBF012000 C:\WINDOWS\System32\ati2dvag.dll 282624 bytes (ATI Technologies Inc., ATI Radeon WindowsNT Display Driver)
0xB7ECA000 C:\WINDOWS\System32\Drivers\HTTP.sys 266240 bytes (Microsoft Corporation, HTTP Protocol Stack)
0xF7554000 C:\WINDOWS\system32\drivers\smwdm.sys 262144 bytes (Analog Devices, Inc., SoundMAX Integrated Digital Audio )
0xF74B1000 C:\WINDOWS\system32\DRIVERS\HSFHWICH.sys 245760 bytes (Conexant Systems, Inc., HSFHWICH WDM driver)
0xF7274000 C:\WINDOWS\system32\DRIVERS\rdpdr.sys 196608 bytes (Microsoft Corporation, Microsoft RDP Device redirector)
0xF8537000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)
0xB80BF000 C:\WINDOWS\system32\DRIVERS\mrxdav.sys 184320 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)
0xF8395000 NDIS.sys 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)
0xF72E0000 C:\WINDOWS\system32\DRIVERS\SynTP.sys 180224 bytes (Synaptics, Inc., Synaptics Touchpad Driver)
0xB6ACA000 C:\WINDOWS\system32\drivers\kmixer.sys 176128 bytes (Microsoft Corporation, Kernel Mode Audio Mixer)
0xEEF81000 C:\WINDOWS\system32\DRIVERS\rdbss.sys 176128 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0xF77D4000 C:\WINDOWS\system32\DRIVERS\b57xp32.sys 167936 bytes (Broadcom Corporation, Broadcom NetXtreme Gigabit Ethernet NDIS5.1 Driver.)
0xB780B000 C:\WINDOWS\system32\drivers\mfehidk.sys 163840 bytes (McAfee, Inc., Host Intrusion Detection Link Driver)
0xEEFEE000 C:\WINDOWS\system32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)
0xF84C3000 dmio.sys 155648 bytes (Microsoft Corp., Veritas Software, NT Disk Manager I/O Driver)
0xEF016000 C:\WINDOWS\system32\DRIVERS\ipnat.sys 155648 bytes (Microsoft Corporation, IP Network Address Translator)
0xB8114000 C:\WINDOWS\system32\NetWare\srvloc.sys 155648 bytes (Novell, Inc., SLP Driver)
0xF7530000 C:\WINDOWS\system32\drivers\portcls.sys 147456 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0xF77B0000 C:\WINDOWS\system32\DRIVERS\USBPORT.SYS 147456 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0xF750D000 C:\WINDOWS\system32\drivers\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)
0xEEFCC000 C:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0x806D0000 ACPI_HAL 131840 bytes
0x806D0000 C:\WINDOWS\system32\hal.dll 131840 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0xF74ED000 C:\WINDOWS\system32\drivers\aeaudio.sys 131072 bytes (Andrea Electronics Corporation, Andrea Audio Noise Cancellation Driver)
0xF848B000 fltmgr.sys 131072 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0xF84E9000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver)
0xF8508000 pcmcia.sys 122880 bytes (Microsoft Corporation, PCMCIA Bus Driver)
0xF8379000 Apsx86.sys 114688 bytes (Lenovo., Shockproof Disk Driver)
0xF835F000 Mup.sys 106496 bytes (Microsoft Corporation, Multiple UNC Provider driver)
0xF84AB000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)
0xEEE31000 C:\WINDOWS\System32\Drivers\dump_atapi.sys 98304 bytes
0xF8462000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0xB831A000 C:\WINDOWS\system32\DRIVERS\irda.sys 90112 bytes (Microsoft Corporation, IRDA Protocol Driver)
0xB772E000 C:\WINDOWS\system32\drivers\wdmaud.sys 86016 bytes (Microsoft Corporation, MMSYSTEM Wave/Midi API mapper)
0xF72CC000 C:\WINDOWS\system32\DRIVERS\parport.sys 81920 bytes (Microsoft Corporation, Parallel Port Driver)
0xF77FD000 C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver)
0xEF095000 C:\WINDOWS\system32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver)
0xF844F000 WudfPf.sys 77824 bytes (Microsoft Corporation, Windows Driver Foundation - User-mode Driver Framework Platform Driver)
0xBF101000 C:\WINDOWS\System32\atiok3x2.dll 73728 bytes (ATI Technologies Inc., Ring 0 x2 component)
0xBF000000 C:\WINDOWS\System32\drivers\dxg.sys 73728 bytes (Microsoft Corporation, DirectX Graphics Driver)
0xF8479000 sr.sys 73728 bytes (Microsoft Corporation, System Restore Filesystem Filter Driver)
0xF8526000 pci.sys 69632 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
0xF87A6000 C:\WINDOWS\System32\Drivers\Cdfs.SYS 65536 bytes (Microsoft Corporation, CD-ROM File System Driver)
0xF8886000 C:\WINDOWS\system32\DRIVERS\cdrom.sys 65536 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
0xB7793000 C:\WINDOWS\system32\drivers\mfeavfk.sys 65536 bytes (McAfee, Inc., Anti-Virus File System Filter Driver)
0xF86D6000 ohci1394.sys 65536 bytes (Microsoft Corporation, 1394 OpenHCI Port Driver)
0xF8866000 C:\WINDOWS\system32\DRIVERS\serial.sys 65536 bytes (Microsoft Corporation, Serial Device Driver)
0xF8846000 C:\WINDOWS\system32\drivers\drmk.sys 61440 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
0xB81AA000 C:\WINDOWS\system32\drivers\mfeapfk.sys 61440 bytes (McAfee, Inc., Access Protection Filter Driver)
0xF8896000 C:\WINDOWS\system32\DRIVERS\redbook.sys 61440 bytes (Microsoft Corporation, Redbook Audio Filter Driver)
0xF8796000 C:\WINDOWS\system32\drivers\sysaudio.sys 61440 bytes (Microsoft Corporation, System Audio WDM Filter)
0xF7AB2000 C:\WINDOWS\system32\DRIVERS\usbhub.sys 61440 bytes (Microsoft Corporation, Default Hub Driver for USB)
0xF86E6000 C:\WINDOWS\system32\DRIVERS\1394BUS.SYS 57344 bytes (Microsoft Corporation, 1394 Bus Device Driver)
0xF86A6000 C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS 53248 bytes (Microsoft Corporation, SCSI Class System Dll)
0xF8856000 C:\WINDOWS\system32\DRIVERS\i8042prt.sys 53248 bytes (Microsoft Corporation, i8042 Port Driver)
0xF8686000 VolSnap.sys 53248 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0xF8726000 C:\WINDOWS\system32\drivers\mfetdik.sys 49152 bytes (McAfee, Inc., Anti-Virus Mini-Firewall Driver)
0xF8766000 C:\WINDOWS\System32\Drivers\Fips.SYS 45056 bytes (Microsoft Corporation, FIPS Crypto Driver)
0xF8876000 C:\WINDOWS\system32\DRIVERS\imapi.sys 45056 bytes (Microsoft Corporation, IMAPI Kernel Driver)
0xF8676000 MountMgr.sys 45056 bytes (Microsoft Corporation, Mount Manager)
0xF86C6000 sbp2port.sys 45056 bytes (Microsoft Corporation, SBP-2 Protocol Driver)
0xF8666000 isapnp.sys 40960 bytes (Microsoft Corporation, PNP ISA Bus Driver)
0xF88D6000 C:\WINDOWS\System32\Drivers\NDProxy.SYS 40960 bytes (Microsoft Corporation, NDIS Proxy)
0xB8292000 C:\WINDOWS\system32\NetWare\nwdns.sys 40960 bytes (Novell, Inc., DNS Service)
0xF8756000 C:\WINDOWS\System32\drivers\sdcplh.sys 40960 bytes (-, SDCPLH)
0xF88A6000 C:\WINDOWS\system32\DRIVERS\termdd.sys 40960 bytes (Microsoft Corporation, Terminal Server Driver)
0xF8696000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver)
0xF8826000 C:\WINDOWS\system32\DRIVERS\intelppm.sys 36864 bytes (Microsoft Corporation, Processor Device Driver)
0xF7A52000 C:\WINDOWS\system32\DRIVERS\msgpc.sys 36864 bytes (Microsoft Corporation, MS General Packet Classifier)
0xF8736000 C:\WINDOWS\system32\DRIVERS\netbios.sys 36864 bytes (Microsoft Corporation, NetBIOS interface driver)
0xF86F6000 nicm.sys 36864 bytes (Novell, Inc., Novell InterService Communication Driver)
0xB7038000 C:\WINDOWS\System32\Drivers\Normandy.SYS 36864 bytes (RKU Driver)
0xF86B6000 PxHelp20.sys 36864 bytes (Sonic Solutions, Px Engine Device Driver for Windows 2000/XP)
0xF88F6000 ApsHM86.sys 32768 bytes (Lenovo., ThinkVantage Active Protection System HID Digitizer Activity Monitor Driver)
0xF89BE000 C:\WINDOWS\System32\Drivers\Modem.SYS 32768 bytes (Microsoft Corporation, Modem Device Driver)
0xF8A46000 C:\WINDOWS\System32\Drivers\Npfs.SYS 32768 bytes (Microsoft Corporation, NPFS Driver)
0xF8A6E000 C:\WINDOWS\System32\drivers\Smapint.sys 32768 bytes (Microsoft Corporation, SMAPI I/O)
0xF89B6000 C:\WINDOWS\system32\DRIVERS\usbehci.sys 32768 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
0xF89D6000 C:\WINDOWS\system32\DRIVERS\fdc.sys 28672 bytes (Microsoft Corporation, Floppy Disk Controller Driver)
0xB8338000 C:\WINDOWS\system32\drivers\mfebopk.sys 28672 bytes (McAfee, Inc., Buffer Overflow Protection Driver)
0xF890E000 C:\Program Files\McAfee\VirusScan Enterprise\mferkdk.sys 28672 bytes (McAfee, Inc., VSCore Code Analysis Driver)
0xF89DE000 C:\WINDOWS\system32\DRIVERS\nscirda.sys 28672 bytes (National Semiconductor Corporation, NSC Fast Infrared Driver.)
0xF88E6000 C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS 28672 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
0xF898E000 C:\WINDOWS\system32\NetWare\resmgr.sys 28672 bytes (Novell, Inc., Novell NetWare Resource Manager)
0xF89E6000 C:\WINDOWS\SYSTEM32\DRIVERS\GEARAspiWDM.sys 24576 bytes (GEAR Software Inc., CD DVD Filter)
0xF89C6000 C:\WINDOWS\system32\DRIVERS\kbdclass.sys 24576 bytes (Microsoft Corporation, Keyboard Class Driver)
0xF89CE000 C:\WINDOWS\system32\DRIVERS\mouclass.sys 24576 bytes (Microsoft Corporation, Mouse Class Driver)
0xF8A0E000 C:\WINDOWS\system32\DRIVERS\psadd.sys 24576 bytes (Lenovo (United States) Inc., SMBIOS Driver)
0xF8A66000 C:\WINDOWS\System32\drivers\TDSMAPI.SYS 24576 bytes
0xF8A4E000 C:\WINDOWS\System32\drivers\TSMAPIP.SYS 24576 bytes
0xF89AE000 C:\WINDOWS\system32\DRIVERS\usbuhci.sys 24576 bytes (Microsoft Corporation, UHCI USB Miniport Driver)
0xF8A36000 C:\WINDOWS\System32\drivers\vga.sys 24576 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
0xF896E000 C:\WINDOWS\system32\DRIVERS\AegisP.sys 20480 bytes (Cisco Systems, Inc., IEEE 802.1X Protocol Driver)
0xF8A3E000 C:\WINDOWS\System32\Drivers\Msfs.SYS 20480 bytes (Microsoft Corporation, Mailslot driver)
0xF8916000 C:\WINDOWS\system32\NetWare\nwslp.sys 20480 bytes (Novell, Inc., SLP Svc Provider)
0xF88EE000 PartMgr.sys 20480 bytes (Microsoft Corporation, Partition Manager)
0xF89FE000 C:\WINDOWS\system32\DRIVERS\ptilink.sys 20480 bytes (Parallel Technologies, Inc., Parallel Technologies DirectParallel IO Library)
0xF89EE000 C:\WINDOWS\system32\DRIVERS\rasirda.sys 20480 bytes (Microsoft Corporation, IrDA WAN Miniport Driver)
0xF8A06000 C:\WINDOWS\system32\DRIVERS\raspti.sys 20480 bytes (Microsoft Corporation, PTI DirectParallel® mini-port/call-manager driver)
0xF89F6000 C:\WINDOWS\system32\DRIVERS\TDI.SYS 20480 bytes (Microsoft Corporation, TDI Wrapper)
0xF8A5E000 C:\WINDOWS\System32\Drivers\TPHKDRV.SYS 20480 bytes (IBM Corporation, ThinkPad Hotkey Driver)
0xF8A56000 C:\WINDOWS\System32\drivers\Tppwrif.sys 20480 bytes
0xF8956000 C:\WINDOWS\System32\watchdog.sys 20480 bytes (Microsoft Corporation, Watchdog Driver)
0xF8A7E000 C:\WINDOWS\system32\DRIVERS\BATTC.SYS 16384 bytes (Microsoft Corporation, Battery Class Driver)
0xF8337000 C:\WINDOWS\system32\DRIVERS\CmBatt.sys 16384 bytes (Microsoft Corporation, Control Method Battery Driver)
0xF8333000 C:\WINDOWS\system32\DRIVERS\ibmpmdrv.sys 16384 bytes (Lenovo., ThinkPad Power Management Driver)
0xB7E8A000 C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys 16384 bytes (Conexant, Diagnostic Interface DRIVER)
0xF8302000 C:\WINDOWS\system32\DRIVERS\mssmbios.sys 16384 bytes (Microsoft Corporation, System Management BIOS Driver)
0xB8490000 C:\WINDOWS\system32\DRIVERS\ndisuio.sys 16384 bytes (Microsoft Corporation, NDIS User mode I/O Driver)
0xF833B000 C:\WINDOWS\system32\DRIVERS\NscTpmDD.sys 16384 bytes (National Semiconductor Corp., TPM Device Driver)
0xB7F47000 C:\WINDOWS\system32\NetWare\nwdhcp.sys 16384 bytes
0xF8A8A000 nwfilter.sys 16384 bytes
0xF8B5A000 C:\WINDOWS\system32\DRIVERS\serenum.sys 16384 bytes (Microsoft Corporation, Serial Port Enumerator)
0xF8A86000 TPDiskPM.sys 16384 bytes (Lenovo, Ltd. and IBM Corporation, ThinkPad SATA Power Management Driver)
0xF8A82000 ACPIEC.sys 12288 bytes (Microsoft Corporation, ACPI Embedded Controller Driver)
0xF72C0000 C:\WINDOWS\System32\drivers\ANC.SYS 12288 bytes (IBM Corp., IBM Access Connections - ANC)
0xF8A76000 C:\WINDOWS\system32\BOOTVID.dll 12288 bytes (Microsoft Corporation, VGA Boot Driver)
0xF8A7A000 compbatt.sys 12288 bytes (Microsoft Corporation, Composite Battery Driver)
0xEF1C4000 C:\WINDOWS\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver)
0xF8B3A000 C:\WINDOWS\System32\Drivers\i2omgmt.SYS 12288 bytes (Microsoft Corporation, I2O Utility Filter)
0xF8B5E000 C:\WINDOWS\system32\DRIVERS\irenum.sys 12288 bytes (Microsoft Corporation, Infra-Red Bus Enumerator)
0xB820A000 C:\WINDOWS\system32\NetWare\NWHOST.sys 12288 bytes
0xF8B3E000 C:\WINDOWS\system32\DRIVERS\rasacd.sys 12288 bytes (Microsoft Corporation, RAS Automatic Connection Driver)
0xB8488000 C:\WINDOWS\system32\DRIVERS\s24trans.sys 12288 bytes (Intel Corporation, Intel WLAN Packet Driver)
0xF8B6A000 dmload.sys 8192 bytes (Microsoft Corp., Veritas Software., NT Disk Manager Startup Driver)
0xF8BB2000 C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS 8192 bytes
0xF8BB4000 C:\WINDOWS\SYSTEM32\EGATHDRV.SYS 8192 bytes (IBM Corporation, IBM eGatherer Kernel Module)
0xF8BA4000 C:\WINDOWS\System32\Drivers\Fs_Rec.SYS 8192 bytes (Microsoft Corporation, File System Recognizer Driver)
0xF8BAC000 C:\WINDOWS\system32\Drivers\IBMBLDID.sys 8192 bytes
0xF8B66000 C:\WINDOWS\system32\KDCOM.DLL 8192 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
0xF8BA8000 C:\WINDOWS\System32\Drivers\mnmdd.SYS 8192 bytes (Microsoft Corporation, Frame buffer simulator)
0xF8BD6000 C:\WINDOWS\SYSTEM32\Drivers\PMEMNT.SYS 8192 bytes (Microsoft Corporation, Physical Memory Driver)
0xF8BAA000 C:\WINDOWS\System32\DRIVERS\RDPCDD.sys 8192 bytes (Microsoft Corporation, RDP Miniport)
0xF8B9A000 C:\WINDOWS\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
0xF8B96000 C:\WINDOWS\System32\DRIVERS\TPInput.sys 8192 bytes (Lenovo, Ltd. and IBM Corporation., ThinkPad SATA Power Management Driver)
0xF8B98000 C:\WINDOWS\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
0xF8B68000 C:\WINDOWS\system32\DRIVERS\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
0xF8CFB000 C:\WINDOWS\system32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver)
0xF8D29000 C:\WINDOWS\System32\drivers\dxgthk.sys 4096 bytes (Microsoft Corporation, DirectX Graphics Driver Thunk)
0xF8D52000 C:\WINDOWS\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver)
0xF8C2F000 C:\WINDOWS\system32\DRIVERS\OPRGHDLR.SYS 4096 bytes (Microsoft Corporation, ACPI Operation Registration Driver)
0xF8C2E000 pciide.sys 4096 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)
==============================================
>Stealth
==============================================
0x05BB0000 Hidden Image-->CLI.Aspect.Radeon3D.Graphics.Wizard.DLL [ EPROCESS 0xFF171DA0 ] PID: 2092, 102400 bytes
0x010D0000 Hidden Image-->MOM.Implementation.DLL [ EPROCESS 0xFF2BC520 ] PID: 3556, 110592 bytes
0x03C50000 Hidden Image-->MOM.Implementation.DLL [ EPROCESS 0xFF171DA0 ] PID: 2092, 110592 bytes
0x03CB0000 Hidden Image-->CLI.Component.Runtime.DLL [ EPROCESS 0xFF171DA0 ] PID: 2092, 110592 bytes
0x06730000 Hidden Image-->CLI.Aspect.WorkstationConfig.Graphics.Dashboard.DLL [ EPROCESS 0xFF171DA0 ] PID: 2092, 110592 bytes
0x062D0000 Hidden Image-->CLI.Aspect.DisplaysOptions.Graphics.Dashboard.DLL [ EPROCESS 0xFF171DA0 ] PID: 2092, 126976 bytes
WARNING: Virus alike driver modification [dne2000.sys]
0x061F0000 Hidden Image-->CLI.Aspect.Welcome.Graphics.Dashboard.DLL [ EPROCESS 0xFF171DA0 ] PID: 2092, 143360 bytes
0x05F00000 Hidden Image-->CLI.Component.Dashboard.DLL [ EPROCESS 0xFF171DA0 ] PID: 2092, 1511424 bytes
0x05BD0000 Hidden Image-->CLI.Aspect.DisplaysManager.Graphics.Wizard.DLL [ EPROCESS 0xFF171DA0 ] PID: 2092, 1683456 bytes
0x06700000 Hidden Image-->CLI.Aspect.PowerPlay3.Graphics.Dashboard.DLL [ EPROCESS 0xFF171DA0 ] PID: 2092, 176128 bytes
0x05E70000 Hidden Image-->CLI.Aspect.InfoCentre.Graphics.Wizard.DLL [ EPROCESS 0xFF171DA0 ] PID: 2092, 192512 bytes
WARNING: Virus alike driver modification [tsbvcap.sys]
0x06290000 Hidden Image-->CLI.Aspect.InfoCentre.Graphics.Dashboard.DLL [ EPROCESS 0xFF171DA0 ] PID: 2092, 217088 bytes
0x04950000 Hidden Image-->CLI.Caste.Graphics.Runtime.DLL [ EPROCESS 0xFF171DA0 ] PID: 2092, 241664 bytes
WARNING: Virus alike driver modification [cinemst2.sys]
0x011A0000 Hidden Image-->MOM.Foundation.DLL [ EPROCESS 0xFF2BC520 ] PID: 3556, 28672 bytes
0x011E0000 Hidden Image-->LOG.Foundation.Implementation.Private.DLL [ EPROCESS 0xFF2BC520 ] PID: 3556, 28672 bytes
0x04040000 Hidden Image-->DEM.Foundation.DLL [ EPROCESS 0xFF171DA0 ] PID: 2092, 28672 bytes
0x01100000 Hidden Image-->MOM.Foundation.DLL [ EPROCESS 0xFF171DA0 ] PID: 2092, 28672 bytes
0x01120000 Hidden Image-->LOG.Foundation.Implementation.Private.DLL [ EPROCESS 0xFF171DA0 ] PID: 2092, 28672 bytes
0x03D10000 Hidden Image-->CLI.Component.Runtime.Shared.DLL [ EPROCESS 0xFF171DA0 ] PID: 2092, 28672 bytes
0x03CF0000 Hidden Image-->CLI.Foundation.Private.DLL [ EPROCESS 0xFF171DA0 ] PID: 2092, 28672 bytes
0x03D60000 Hidden Image-->CLI.Component.Runtime.Extension.EEU.DLL [ EPROCESS 0xFF171DA0 ] PID: 2092, 28672 bytes
0x03D90000 Hidden Image-->AEM.Plugin.EEU.Shared.DLL [ EPROCESS 0xFF171DA0 ] PID: 2092, 28672 bytes
0x04010000 Hidden Image-->AEM.Plugin.Hotkeys.Shared.DLL [ EPROCESS 0xFF171DA0 ] PID: 2092, 28672 bytes
0x03FB0000 Hidden Image-->AEM.Server.Shared.DLL [ EPROCESS 0xFF171DA0 ] PID: 2092, 28672 bytes
0x03FF0000 Hidden Image-->AEM.Plugin.DPPE.Shared.DLL [ EPROCESS 0xFF171DA0 ] PID: 2092, 28672 bytes
0x04050000 Hidden Image-->DEM.Graphics.DLL [ EPROCESS 0xFF171DA0 ] PID: 2092, 28672 bytes
0x049C0000 Hidden Image-->DEM.OS.I0602.DLL [ EPROCESS 0xFF171DA0 ] PID: 2092, 28672 bytes
0x04A00000 Hidden Image-->DEM.OS.DLL [ EPROCESS 0xFF171DA0 ] PID: 2092, 28672 bytes
0x049F0000 Hidden Image-->AEM.Actions.CCAA.Shared.DLL [ EPROCESS 0xFF171DA0 ] PID: 2092, 28672 bytes
0x04EA0000 Hidden Image-->CLI.Aspect.HotkeysHandling.Graphics.Shared.DLL [ EPROCESS 0xFF171DA0 ] PID: 2092, 28672 bytes
0x04D80000 Hidden Image-->CLI.Aspect.HotkeysHandling.Graphics.Runtime.DLL [ EPROCESS 0xFF171DA0 ] PID: 2092, 28672 bytes
0x04ED0000 Hidden Image-->CLI.Caste.Graphics.Runtime.Shared.Private.DLL [ EPROCESS 0xFF171DA0 ] PID: 2092, 28672 bytes
0x050B0000 Hidden Image-->AEM.Plugin.GD.Shared.DLL [ EPROCESS 0xFF171DA0 ] PID: 2092, 28672 bytes
0x055D0000 Hidden Image-->CLI.Component.Wizard.Shared.DLL [ EPROCESS 0xFF171DA0 ] PID: 2092, 28672 bytes
0x055C0000 Hidden Image-->CLI.Component.Client.Shared.DLL [ EPROCESS 0xFF171DA0 ] PID: 2092, 28672 bytes
0x05610000 Hidden Image-->CLI.Caste.Graphics.Wizard.Shared.DLL [ EPROCESS 0xFF171DA0 ] PID: 2092, 28672 bytes
0x05D90000 Hidden Image-->atixclib.DLL [ EPROCESS 0xFF171DA0 ] PID: 2092, 28672 bytes
0x06080000 Hidden Image-->CLI.Component.Dashboard.Shared.DLL [ EPROCESS 0xFF171DA0 ] PID: 2092, 28672 bytes
0x06090000 Hidden Image-->CLI.Component.Dashboard.Shared.Private.DLL [ EPROCESS 0xFF171DA0 ] PID: 2092, 28672 bytes
0x061D0000 Hidden Image-->CLI.Caste.Graphics.Dashboard.Shared.DLL [ EPROCESS 0xFF171DA0 ] PID: 2092, 28672 bytes
0x011F0000 Hidden Image-->System.Runtime.Remoting.dll [ EPROCESS 0xFF2BC520 ] PID: 3556, 307200 bytes
0x01160000 Hidden Image-->System.Runtime.Remoting.dll [ EPROCESS 0xFF171DA0 ] PID: 2092, 307200 bytes
WARNING: Virus alike driver modification [atmepvc.sys]
0x05E20000 Hidden Image-->CLI.Aspect.DeviceLCD.Graphics.Wizard.DLL [ EPROCESS 0xFF171DA0 ] PID: 2092, 315392 bytes
0x064E0000 Hidden Image-->CLI.Aspect.DeviceDFP.Graphics.Dashboard.DLL [ EPROCESS 0xFF171DA0 ] PID: 2092, 331776 bytes
0x06540000 Hidden Image-->CLI.Aspect.Radeon3D.Graphics.Dashboard.DLL [ EPROCESS 0xFF171DA0 ] PID: 2092, 339968 bytes
WARNING: Virus alike driver modification [rawwan.sys]
0x04060000 Hidden Image-->ATIDEMGX.dll [ EPROCESS 0xFF171DA0 ] PID: 2092, 348160 bytes
0x03BD0000 Hidden Image-->NEWAEM.Foundation.DLL [ EPROCESS 0xFF2BC520 ] PID: 3556, 36864 bytes
0x03D70000 Hidden Image-->AEM.Foundation.DLL [ EPROCESS 0xFF171DA0 ] PID: 2092, 36864 bytes
0x01260000 Hidden Image-->CLI.Foundation.XManifest.DLL [ EPROCESS 0xFF171DA0 ] PID: 2092, 36864 bytes
0x03D40000 Hidden Image-->NEWAEM.Foundation.DLL [ EPROCESS 0xFF171DA0 ] PID: 2092, 36864 bytes
0x049A0000 Hidden Image-->ACE.Graphics.DisplaysManager.Shared.DLL [ EPROCESS 0xFF171DA0 ] PID: 2092, 36864 bytes
0x04FF0000 Hidden Image-->CLI.Aspect.CustomFormats.Graphics.Shared.DLL [ EPROCESS 0xFF171DA0 ] PID: 2092, 36864 bytes
0x05020000 Hidden Image-->CLI.Aspect.DeviceProperty.Graphics.Shared.DLL [ EPROCESS 0xFF171DA0 ] PID: 2092, 36864 bytes
0x05220000 Hidden Image-->CLI.Aspect.DisplaysOptions.Graphics.Shared.DLL [ EPROCESS 0xFF171DA0 ] PID: 2092, 36864 bytes
0x05200000 Hidden Image-->CLI.Aspect.DisplaysColour2.Graphics.Shared.DLL [ EPROCESS 0xFF171DA0 ] PID: 2092, 36864 bytes
0x05270000 Hidden Image-->CLI.Aspect.DeviceLCD.Graphics.Shared.DLL [ EPROCESS 0xFF171DA0 ] PID: 2092, 36864 bytes
0x052F0000 Hidden Image-->CLI.Aspect.WorkstationConfig.Graphics.Shared.DLL [ EPROCESS 0xFF171DA0 ] PID: 2092, 36864 bytes
0x053B0000 Hidden Image-->CLI.Aspect.PowerPlay3.Graphics.Shared.DLL [ EPROCESS 0xFF171DA0 ] PID: 2092, 36864 bytes
0x053E0000 Hidden Image-->APM.Foundation.DLL [ EPROCESS 0xFF171DA0 ] PID: 2092, 36864 bytes
0x055E0000 Hidden Image-->CLI.Component.Wizard.Shared.Private.DLL [ EPROCESS 0xFF171DA0 ] PID: 2092, 36864 bytes
0x05EA0000 Hidden Image-->CLI.Aspect.DeviceTV.Graphics.Wizard.DLL [ EPROCESS 0xFF171DA0 ] PID: 2092, 372736 bytes
0x040E0000 Hidden Image-->System.Management.dll [ EPROCESS 0xFF171DA0 ] PID: 2092, 380928 bytes
0x05530000 Hidden Image-->CLI.Component.Systemtray.DLL [ EPROCESS 0xFF171DA0 ] PID: 2092, 405504 bytes
0x05DB0000 Hidden Image-->CLI.Aspect.MMVideo.Graphics.Wizard.DLL [ EPROCESS 0xFF171DA0 ] PID: 2092, 413696 bytes
0x06380000 Hidden Image-->CLI.Aspect.DeviceLCD.Graphics.Dashboard.DLL [ EPROCESS 0xFF171DA0 ] PID: 2092, 413696 bytes
0x06220000 Hidden Image-->CLI.Aspect.DisplaysManager.Graphics.Dashboard.DLL [ EPROCESS 0xFF171DA0 ] PID: 2092, 446464 bytes
0x01100000 Hidden Image-->LOG.Foundation.DLL [ EPROCESS 0xFF2BC520 ] PID: 3556, 45056 bytes
0x01170000 Hidden Image-->LOG.Foundation.Private.DLL [ EPROCESS 0xFF2BC520 ] PID: 3556, 45056 bytes
0x051C0000 Hidden Image-->CLI.Aspect.InfoCentre.Graphics.Runtime.DLL [ EPROCESS 0xFF171DA0 ] PID: 2092, 45056 bytes
0x010D0000 Hidden Image-->CCC.Implementation.DLL [ EPROCESS 0xFF171DA0 ] PID: 2092, 45056 bytes
0x010F0000 Hidden Image-->LOG.Foundation.DLL [ EPROCESS 0xFF171DA0 ] PID: 2092, 45056 bytes
0x011C0000 Hidden Image-->LOG.Foundation.Private.DLL [ EPROCESS 0xFF171DA0 ] PID: 2092, 45056 bytes
0x03D20000 Hidden Image-->ATICCCom.DLL [ EPROCESS 0xFF171DA0 ] PID: 2092, 45056 bytes
0x03FD0000 Hidden Image-->AEM.Plugin.Source.Kit.Server.DLL [ EPROCESS 0xFF171DA0 ] PID: 2092, 45056 bytes
0x05000000 Hidden Image-->CLI.Aspect.DeviceProperty.Graphics.Runtime.DLL [ EPROCESS 0xFF171DA0 ] PID: 2092, 45056 bytes
0x05260000 Hidden Image-->CLI.Aspect.DeviceLCD.Graphics.Runtime.DLL [ EPROCESS 0xFF171DA0 ] PID: 2092, 45056 bytes
0x05210000 Hidden Image-->CLI.Aspect.DisplaysOptions.Graphics.Runtime.DLL [ EPROCESS 0xFF171DA0 ] PID: 2092, 45056 bytes
0x052E0000 Hidden Image-->CLI.Aspect.WorkstationConfig.Graphics.Runtime.DLL [ EPROCESS 0xFF171DA0 ] PID: 2092, 45056 bytes
0x05390000 Hidden Image-->CLI.Aspect.MMVideo.Graphics.Shared.DLL [ EPROCESS 0xFF171DA0 ] PID: 2092, 45056 bytes
0x05830000 Hidden Image-->CLI.Component.Wizard.DLL [ EPROCESS 0xFF171DA0 ] PID: 2092, 479232 bytes
0x062F0000 Hidden Image-->CLI.Aspect.DeviceCRT.Graphics.Dashboard.DLL [ EPROCESS 0xFF171DA0 ] PID: 2092, 487424 bytes
0x05B30000 Hidden Image-->CLI.Aspect.TransCode.Graphics.Wizard.DLL [ EPROCESS 0xFF171DA0 ] PID: 2092, 495616 bytes
0x03BB0000 Hidden Image-->AEM.Server.DLL [ EPROCESS 0xFF2BC520 ] PID: 3556, 53248 bytes
0x03CE0000 Hidden Image-->CLI.Component.Runtime.Shared.Private.DLL [ EPROCESS 0xFF171DA0 ] PID: 2092, 53248 bytes
0x03D30000 Hidden Image-->AEM.Server.DLL [ EPROCESS 0xFF171DA0 ] PID: 2092, 53248 bytes
0x04030000 Hidden Image-->DEM.Graphics.I0601.DLL [ EPROCESS 0xFF171DA0 ] PID: 2092, 53248 bytes
0x04EE0000 Hidden Image-->CLI.Aspect.DeviceCV.Graphics.Shared.DLL [ EPROCESS 0xFF171DA0 ] PID: 2092, 53248 bytes
0x051F0000 Hidden Image-->CLI.Aspect.DisplaysColour2.Graphics.Runtime.DLL [ EPROCESS 0xFF171DA0 ] PID: 2092, 53248 bytes
0x05240000 Hidden Image-->CLI.Aspect.DeviceCRT.Graphics.Runtime.DLL [ EPROCESS 0xFF171DA0 ] PID: 2092, 53248 bytes
0x052C0000 Hidden Image-->CLI.Aspect.DeviceDFP.Graphics.Shared.DLL [ EPROCESS 0xFF171DA0 ] PID: 2092, 53248 bytes
0x055A0000 Hidden Image-->CLI.Component.Client.Shared.Private.DLL [ EPROCESS 0xFF171DA0 ] PID: 2092, 53248 bytes
0x05600000 Hidden Image-->CLI.Caste.Graphics.Wizard.DLL [ EPROCESS 0xFF171DA0 ] PID: 2092, 53248 bytes
0x05D70000 Hidden Image-->CLI.Aspect.TransCode.Graphics.Shared.DLL [ EPROCESS 0xFF171DA0 ] PID: 2092, 53248 bytes
0x065A0000 Hidden Image-->CLI.Aspect.DisplaysColour2.Graphics.Dashboard.DLL [ EPROCESS 0xFF171DA0 ] PID: 2092, 593920 bytes
0x01110000 Hidden Image-->CLI.Foundation.DLL [ EPROCESS 0xFF171DA0 ] PID: 2092, 61440 bytes
0x04990000 Hidden Image-->CLI.Caste.Graphics.Shared.DLL [ EPROCESS 0xFF171DA0 ] PID: 2092, 61440 bytes
0x051D0000 Hidden Image-->CLI.Aspect.InfoCentre.Graphics.Shared.DLL [ EPROCESS 0xFF171DA0 ] PID: 2092, 61440 bytes
0x05250000 Hidden Image-->CLI.Aspect.DeviceCRT.Graphics.Shared.DLL [ EPROCESS 0xFF171DA0 ] PID: 2092, 61440 bytes
0x052A0000 Hidden Image-->CLI.Aspect.DeviceDFP.Graphics.Runtime.DLL [ EPROCESS 0xFF171DA0 ] PID: 2092, 61440 bytes
0x05330000 Hidden Image-->CLI.Aspect.Radeon3D.Graphics.Shared.DLL [ EPROCESS 0xFF171DA0 ] PID: 2092, 61440 bytes
0x05380000 Hidden Image-->CLI.Aspect.MMVideo.Graphics.Runtime.DLL [ EPROCESS 0xFF171DA0 ] PID: 2092, 61440 bytes
0x053A0000 Hidden Image-->CLI.Aspect.PowerPlay3.Graphics.Runtime.DLL [ EPROCESS 0xFF171DA0 ] PID: 2092, 61440 bytes
WARNING: Virus alike driver modification [enum1394.sys]
0x06640000 Hidden Image-->CLI.Aspect.MMVideo.Graphics.Dashboard.DLL [ EPROCESS 0xFF171DA0 ] PID: 2092, 675840 bytes
0x01180000 Hidden Image-->LOG.Foundation.Implementation.DLL [ EPROCESS 0xFF2BC520 ] PID: 3556, 69632 bytes
0x01130000 Hidden Image-->LOG.Foundation.Implementation.DLL [ EPROCESS 0xFF171DA0 ] PID: 2092, 69632 bytes
0x04A10000 Hidden Image-->ATIDEMOS.DLL [ EPROCESS 0xFF171DA0 ] PID: 2092, 69632 bytes
0x05070000 Hidden Image-->CLI.Aspect.DeviceTV.Graphics.Shared.DLL [ EPROCESS 0xFF171DA0 ] PID: 2092, 69632 bytes
0x05310000 Hidden Image-->CLI.Aspect.Radeon3D.Graphics.Runtime.DLL [ EPROCESS 0xFF171DA0 ] PID: 2092, 69632 bytes
0x04EB0000 Hidden Image-->CLI.Aspect.DeviceCV.Graphics.Runtime.DLL [ EPROCESS 0xFF171DA0 ] PID: 2092, 77824 bytes
0x05050000 Hidden Image-->CLI.Aspect.DeviceTV.Graphics.Runtime.DLL [ EPROCESS 0xFF171DA0 ] PID: 2092, 86016 bytes
0x061B0000 Hidden Image-->CLI.Caste.Graphics.Dashboard.DLL [ EPROCESS 0xFF171DA0 ] PID: 2092, 86016 bytes
0x063F0000 Hidden Image-->CLI.Aspect.DeviceTV.Graphics.Dashboard.DLL [ EPROCESS 0xFF171DA0 ] PID: 2092, 929792 bytes
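The scan output above lists dozens of "Hidden Image" entries in the format `<base> Hidden Image--><module> [ EPROCESS <addr> ] PID: <pid>, <size> bytes`, plus one WARNING line, and reading it by eye is error-prone. The script below is an added example, not part of the original thread or of any scanner named on it: it parses lines in that format, groups hidden images per PID with a byte total, pulls out WARNING lines (and the bracketed file name, where one is given), and sets aside any module whose name does not match an analyst-supplied prefix allowlist. The allowlist is an assumption for illustration, seeded from the vendor and .NET framework naming visible in the posted log; `hypothetical_unknown.dll`, PID 1234 and its EPROCESS address are placeholders. A name prefix is weak evidence, since any file can be named to look like a vendor component, so modules that pass the filter still warrant a check of the on-disk file (hash, digital signature, path) before they are dismissed; the point of the filter is only to shrink the list a human has to look at.

```python
"""Triage helper for "Hidden Image" scan-log lines.

Added example, not part of the original thread or of any scanner it names.
The sample lines are copied from the log format used in this thread, plus
one clearly hypothetical module, so the script runs offline.
"""
import re
from collections import defaultdict

# One hidden-image line looks like:
# 0x01260000 Hidden Image-->NAME.DLL [ EPROCESS 0xFF171DA0 ] PID: 2092, 36864 bytes
HIDDEN_RE = re.compile(
    r"^0x(?P<base>[0-9A-Fa-f]+)\s+Hidden Image-->(?P<module>.+?)\s+"
    r"\[\s*EPROCESS\s+0x(?P<eprocess>[0-9A-Fa-f]+)\s*\]\s+"
    r"PID:\s*(?P<pid>\d+),\s*(?P<size>\d+)\s+bytes$"
)
# e.g. "WARNING: Virus alike driver modification [enum1394.sys]"
WARNING_RE = re.compile(r"^WARNING:\s*(?P<text>.+?)(?:\s*\[(?P<file>[^\]]+)\])?$")

# Assumption for illustration: name prefixes an analyst has already attributed
# to a known vendor (the naming visible in the posted log) or to the .NET
# framework. A name match is weak evidence; verify the file on disk as well.
DEFAULT_ALLOWLIST = ("CLI.", "CCC.", "ATI", "AEM.", "APM.", "LOG.",
                     "DEM.", "NEWAEM.", "System.")


def parse_log(lines):
    """Split log lines into hidden-image entries and WARNING records.

    Lines matching neither pattern are ignored, so the whole log can be fed in.
    """
    entries, warnings = [], []
    for raw in lines:
        line = raw.strip()
        m = HIDDEN_RE.match(line)
        if m:
            entries.append({
                "base": int(m["base"], 16),
                "module": m["module"],
                "eprocess": int(m["eprocess"], 16),
                "pid": int(m["pid"]),
                "size": int(m["size"]),
            })
            continue
        w = WARNING_RE.match(line)
        if w:
            warnings.append({"text": w["text"], "file": w["file"]})
    return entries, warnings


def triage(lines, allowlist=DEFAULT_ALLOWLIST):
    """Group hidden images per PID and separate modules not on the allowlist."""
    entries, warnings = parse_log(lines)
    by_pid = defaultdict(lambda: {"count": 0, "bytes": 0, "modules": []})
    to_review = []
    for e in entries:
        bucket = by_pid[e["pid"]]
        bucket["count"] += 1
        bucket["bytes"] += e["size"]
        bucket["modules"].append(e["module"])
        if not e["module"].startswith(allowlist):
            to_review.append(e)
    return {"by_pid": dict(by_pid), "to_review": to_review, "warnings": warnings}


# Constructed sample: real lines from the thread's log plus one hypothetical
# module (hypothetical_unknown.dll / PID 1234) to exercise the review path.
SAMPLE_LOG = """\
0x01260000 Hidden Image-->CLI.Foundation.XManifest.DLL [ EPROCESS 0xFF171DA0 ] PID: 2092, 36864 bytes
0x01100000 Hidden Image-->LOG.Foundation.DLL [ EPROCESS 0xFF2BC520 ] PID: 3556, 45056 bytes
0x040E0000 Hidden Image-->System.Management.dll [ EPROCESS 0xFF171DA0 ] PID: 2092, 380928 bytes
0x03BB0000 Hidden Image-->AEM.Server.DLL [ EPROCESS 0xFF2BC520 ] PID: 3556, 53248 bytes
WARNING: Virus alike driver modification [enum1394.sys]
0x063F0000 Hidden Image-->CLI.Aspect.DeviceTV.Graphics.Dashboard.DLL [ EPROCESS 0xFF171DA0 ] PID: 2092, 929792 bytes
0x00400000 Hidden Image-->hypothetical_unknown.dll [ EPROCESS 0xFF000000 ] PID: 1234, 8192 bytes
""".splitlines()


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for pid, info in sorted(report["by_pid"].items()):
        print(f"PID {pid}: {info['count']} hidden image(s), {info['bytes']} bytes")
    for e in report["to_review"]:
        print(f"REVIEW: PID {e['pid']} {e['module']} at 0x{e['base']:08X}")
    for w in report["warnings"]:
        print(f"WARNING: {w['text']} -> file {w['file']}")
```

To use it on a real log, replace `SAMPLE_LOG` with the lines of the saved report file; anything in `to_review` and every WARNING record is what to look at first, and the per-PID totals show which process is carrying the bulk of the hidden mappings.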


#15 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 17 July 2010 - 10:51 PM

Hello

I would like you to do the following.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:
    Please visit this webpage for download links, and instructions for running the tool:

    http://www.bleepingcomputer.com/combofix/how-to-use-combofix

    Please ensure you read this guide carefully and install the Recovery Console first.

    The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode.
    This allows us to more easily help you should your computer have a problem after an attempted removal of malware.
    It is a simple procedure that will only take a few moments of your time.


    Once installed, you should see a blue screen prompt that says:
      The Recovery Console was successfully installed.
    Please continue as follows:
    • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
    • Click Yes to allow ComboFix to continue scanning for malware.

    When the tool is finished, it will produce a report for you.

    Please include the report in your next post:

    C:\ComboFix.txt

"information and logs"
    In your next post I need the following
    1. Log from ComboFix
    2. let me know of any problems you may have had
    3. How is the computer doing now?

Gringo



I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University
