
SysInternals Infection + Others


  • This topic is locked
34 replies to this topic

#1 Haertig

Haertig

  • Members
  • 29 posts
  • OFFLINE
  • Local time:11:44 AM

Posted 14 July 2010 - 02:11 PM

Hello, Bleepsters!

I have been fighting repeated (or maybe continuous) infections over the last three weeks and my strength is flagging. Please help!

Panasonic CF-51
XP-Pro/SP3
Primary browser Firefox
Primary search engine Google
Avira Free, updated daily and run nightly
Malwarebytes and SUPER antispyware run occasionally
Windows Firewall
Primary internet connection wired behind DSL modem running NAT




My problems started with search redirects. Mostly innocuous to begin with, then getting progressively worse. Not all search results were redirected. They seemed to be aware of the search subject.

Occasionally an audio infomercial would start to play - no obvious application doing it. (An ad for Chrome started during the GMER run!)

When restoring Firefox tabs on restart, additional tabs would appear for advertising pages - these pages were blank. A restart without restoring tabs goes ok.

This progressed to a full blown SysInternals attack.

Some applications became unstable, including AcrobatPro 9 and Firefox.

A phishing virus appeared. Whenever I would try to log into on-line banking or e-bay, a page would appear asking for credit card and ATM info.



I ran rkill (and its renamed brethren). Ran Malwarebytes. Ran SUPERAntiSpyware and Avira. All found something to object to. I allowed them to clean up.


Things looked good for a while then the whole process started over within a couple of days except the phishing stuff continued.

Some additional symptoms were that NTVDM seems to have been clobbered and at times it would not let me disable the wireless connection or enable the wired network connection (in "Network Connections"). Device Manager said there was no driver for the NIC installed. Attempting to reinstall the driver hung up. The network connection issues seem to have been resolved with additional running of the software mentioned.

I cannot shut off the computer except by a hard shutdown (holding down power button). It also will not go to sleep when the lid is closed.

In addition to the above-mentioned attempts to disinfect, I have run the stand-alone Linux-based version of Avira and sfc /scannow (to try to get NTVDM working again), to no avail.

On an ongoing basis, Avira occasionally finds a new problem but mostly comes back clean.

DDS.txt is quoted below; Attach.txt and ARK.txt are attached.

Thanks for any help you can give.


Gray




===============================================================================================================

DDS (Ver_10-03-17.01) - NTFSx86
Run by Owner at 15:25:09.54 on Tue 07/13/2010
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1535.807 [GMT -7:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\hkeyman.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
C:\Program Files\Notebook Hardware Control\nhc.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\WINDOWS\system32\hasplms.exe
C:\WINDOWS\system32\HDIDeviceServer.exe
c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/advanced_search?hl=en
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_10\bin\ssv.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Hotkey] c:\windows\system32\hkeyman.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [gemstrmw] c:\windows\system32\gemstrmw.exe /r
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [PCTVOICE] pctspk.exe
mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe"
mRun: [<NO NAME>]
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [NotebookHardwareControl] "c:\program files\notebook hardware control\nhc.exe" -quiet
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\truela~1.lnk - c:\program files\home diagnostics, inc\truemanager diabetes management software\TRUELauncher.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE
uPolicies-explorer: EditLevel = 0 (0x0)
uPolicies-explorer: NoCommonGroups = 0 (0x0)
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_10\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxsrvc.dll
AppInit_DLLs: acaptuser32.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Eudora's Shell Extension: {edb0e980-90bd-11d4-8599-0008c7d3b6f8} - c:\program files\qualcomm\eudora\EuShlExt.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\no14s4he.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/advanced_search?hl=en
FF - component: c:\documents and settings\owner\application data\mozilla\firefox\profiles\no14s4he.default\extensions\gamebox@toolbar\components\toolbarhomewmp.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre1.5.0_10\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_10\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_10\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_10\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_10\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_10\bin\NPJPI150_10.dll
FF - plugin: c:\program files\java\jre1.5.0_10\bin\NPOJI610.dll

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

============= SERVICES / DRIVERS ===============

R0 EUBAKUP;EUBAKUP;c:\windows\system32\drivers\eubakup.sys [2010-3-1 26248]
R0 EUFS;EUFS;c:\windows\system32\drivers\eufs.sys [2010-3-1 20616]
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-3-12 11608]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2008-2-29 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-2-29 67656]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-3-12 135336]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-3-12 267432]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-3-12 60936]
R2 hasplms;HASP License Manager;c:\windows\system32\hasplms.exe -run --> c:\windows\system32\hasplms.exe -run [?]
R2 MSSQL$HDI;SQL Server (HDI);c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2007-2-10 29178224]
R3 EuDisk;EASEUS Disk Enumerator;c:\windows\system32\drivers\EuDisk.sys [2010-3-1 122504]
R3 GTWINSER;GTWINSER;c:\windows\system32\drivers\GTwinSER.sys [2010-6-5 66912]
S0 cerc6;cerc6; [x]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-16 135664]
S3 cpuz132;cpuz132;\??\c:\docume~1\owner\locals~1\temp\cpuz132\cpuz132_x32.sys --> c:\docume~1\owner\locals~1\temp\cpuz132\cpuz132_x32.sys [?]
S3 EUDSKACS;EUDSKACS;c:\windows\system32\drivers\eudskacs.sys [2010-3-1 14216]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2006-2-16 12872]
S3 SolarWinds TFTP Server;SolarWinds TFTP Server;c:\program files\solarwinds\tftpserver\SolarWinds TFTP Server.exe [2008-7-25 61440]

=============== Created Last 30 ================

2010-07-13 22:23:48 0 ----a-w- c:\documents and settings\owner\defogger_reenable
2010-07-13 01:21:07 0 d-----w- c:\program files\AMDAT
2010-07-12 02:50:53 116224 -c--a-w- c:\windows\system32\dllcache\xrxwiadr.dll
2010-07-12 02:50:49 23040 -c--a-w- c:\windows\system32\dllcache\xrxwbtmp.dll
2010-07-12 02:50:48 18944 -c--a-w- c:\windows\system32\dllcache\xrxscnui.dll
2010-07-12 02:50:44 27648 -c--a-w- c:\windows\system32\dllcache\xrxftplt.exe
2010-07-12 02:50:39 4608 -c--a-w- c:\windows\system32\dllcache\xrxflnch.exe
2010-07-12 02:50:00 99865 -c--a-w- c:\windows\system32\dllcache\xlog.exe
2010-07-12 02:49:51 16970 -c--a-w- c:\windows\system32\dllcache\xem336n5.sys
2010-07-12 02:49:49 19455 -c--a-w- c:\windows\system32\dllcache\wvchntxx.sys
2010-07-12 02:49:46 19200 -c--a-w- c:\windows\system32\dllcache\wstcodec.sys
2010-07-12 02:49:44 12063 -c--a-w- c:\windows\system32\dllcache\wsiintxx.sys
2010-07-12 02:49:43 8192 -c--a-w- c:\windows\system32\dllcache\wshirda.dll
2010-07-12 02:49:24 8832 -c--a-w- c:\windows\system32\dllcache\wmiacpi.sys
2010-07-12 02:49:21 154624 -c--a-w- c:\windows\system32\dllcache\wlluc48.sys
2010-07-12 02:49:17 34890 -c--a-w- c:\windows\system32\dllcache\wlandrv2.sys
2010-07-12 02:49:05 771581 -c--a-w- c:\windows\system32\dllcache\winacisa.sys
2010-07-12 02:47:59 249402 -c--a-w- c:\windows\system32\dllcache\vinwm.sys
2010-07-12 02:46:54 94720 -c--a-w- c:\windows\system32\dllcache\umaxud32.dll
2010-07-12 02:46:50 28160 -c--a-w- c:\windows\system32\dllcache\umaxu40.dll
2010-07-12 02:46:46 26624 -c--a-w- c:\windows\system32\dllcache\umaxu22.dll
2010-07-12 02:46:42 69632 -c--a-w- c:\windows\system32\dllcache\umaxu12.dll
2010-07-12 02:46:38 50688 -c--a-w- c:\windows\system32\dllcache\umaxscan.dll
2010-07-12 02:46:34 22912 -c--a-w- c:\windows\system32\dllcache\umaxpcls.sys
2010-07-12 02:46:30 50176 -c--a-w- c:\windows\system32\dllcache\umaxp60.dll
2010-07-12 02:46:26 47616 -c--a-w- c:\windows\system32\dllcache\umaxcam.dll
2010-07-12 02:46:22 211968 -c--a-w- c:\windows\system32\dllcache\um54scan.dll
2010-07-12 02:46:17 216064 -c--a-w- c:\windows\system32\dllcache\um34scan.dll
2010-07-12 02:46:13 36736 -c--a-w- c:\windows\system32\dllcache\ultra.sys
2010-07-12 02:46:08 11520 -c--a-w- c:\windows\system32\dllcache\twotrack.sys
2010-07-12 02:44:59 123995 -c--a-w- c:\windows\system32\dllcache\tjisdn.sys
2010-07-12 02:44:51 138528 -c--a-w- c:\windows\system32\dllcache\tgiulnt5.sys
2010-07-12 02:44:47 81408 -c--a-w- c:\windows\system32\dllcache\tgiul50.dll
2010-07-12 02:44:46 149376 -c--a-w- c:\windows\system32\dllcache\tffsport.sys
2010-07-12 02:44:39 17129 -c--a-w- c:\windows\system32\dllcache\tdkcd31.sys
2010-07-12 02:44:36 37961 -c--a-w- c:\windows\system32\dllcache\tdk100b.sys
2010-07-12 02:44:25 30464 -c--a-w- c:\windows\system32\dllcache\tbatm155.sys
2010-07-12 02:44:20 7040 -c--a-w- c:\windows\system32\dllcache\tandqic.sys
2010-07-12 02:44:16 36640 -c--a-w- c:\windows\system32\dllcache\t2r4mini.sys
2010-07-12 02:44:12 172768 -c--a-w- c:\windows\system32\dllcache\t2r4disp.dll
2010-07-12 02:44:05 32640 -c--a-w- c:\windows\system32\dllcache\symc8xx.sys
2010-07-12 02:44:01 16256 -c--a-w- c:\windows\system32\dllcache\symc810.sys
2010-07-12 02:42:56 99328 -c--a-w- c:\windows\system32\dllcache\srusd.dll
2010-07-12 02:42:45 24660 -c--a-w- c:\windows\system32\dllcache\spxupchk.dll
2010-07-12 02:42:39 61824 -c--a-w- c:\windows\system32\dllcache\speed.sys
2010-07-12 02:42:35 106584 -c--a-w- c:\windows\system32\dllcache\spdports.dll
2010-07-12 02:42:31 19072 -c--a-w- c:\windows\system32\dllcache\sparrow.sys
2010-07-12 02:42:27 7552 -c--a-w- c:\windows\system32\dllcache\sonypvu1.sys
2010-07-12 02:42:24 37040 -c--a-w- c:\windows\system32\dllcache\sonypi.sys
2010-07-12 02:42:20 114688 -c--a-w- c:\windows\system32\dllcache\sonypi.dll
2010-07-12 02:42:16 20752 -c--a-w- c:\windows\system32\dllcache\sonync.sys
2010-07-12 02:42:12 9600 -c--a-w- c:\windows\system32\dllcache\sonymc.sys
2010-07-12 02:42:12 7552 -c--a-w- c:\windows\system32\dllcache\sonyait.sys
2010-07-12 02:42:07 7040 -c--a-w- c:\windows\system32\dllcache\snyaitmc.sys
2010-07-12 02:40:57 94698 -c--a-w- c:\windows\system32\dllcache\sk98xwin.sys
2010-07-12 02:39:57 36480 -c--a-w- c:\windows\system32\dllcache\sfmanm.sys
2010-07-12 02:38:56 77824 -c--a-w- c:\windows\system32\dllcache\s3sav4m.sys
2010-07-12 02:37:55 9216 -c--a-w- c:\windows\system32\dllcache\rsmgrstr.dll
2010-07-12 02:37:51 3840 -c--a-w- c:\windows\system32\dllcache\rpfun.sys
2010-07-12 02:37:46 79104 -c--a-w- c:\windows\system32\dllcache\rocket.sys
2010-07-12 02:37:45 30592 -c--a-w- c:\windows\system32\dllcache\rndismpx.sys
2010-07-12 02:37:41 37563 -c--a-w- c:\windows\system32\dllcache\rlnet5.sys
2010-07-12 02:37:40 59136 -c--a-w- c:\windows\system32\dllcache\rfcomm.sys
2010-07-12 02:37:35 86097 -c--a-w- c:\windows\system32\dllcache\reslog32.dll
2010-07-12 02:37:30 13776 -c--a-w- c:\windows\system32\dllcache\recagent.sys
2010-07-12 02:37:17 19584 -c--a-w- c:\windows\system32\dllcache\rasirda.sys
2010-07-12 02:37:12 714762 -c--a-w- c:\windows\system32\dllcache\r2mdmkxx.sys
2010-07-12 02:37:08 899146 -c--a-w- c:\windows\system32\dllcache\r2mdkxga.sys
2010-07-12 02:37:04 41472 -c--a-w- c:\windows\system32\dllcache\qvusd.dll
2010-07-12 02:37:01 3328 -c--a-w- c:\windows\system32\dllcache\qv2kux.sys
2010-07-12 02:35:56 7168 -c--a-w- c:\windows\system32\dllcache\pnrmc.sys
2010-07-12 02:34:57 26153 -c--a-w- c:\windows\system32\dllcache\pcmlm56.sys
2010-07-12 02:33:59 43689 -c--a-w- c:\windows\system32\dllcache\otceth5.sys
2010-07-12 02:32:58 32840 -c--a-w- c:\windows\system32\dllcache\ngrpci.sys
2010-07-12 02:31:58 75520 -c--a-w- c:\windows\system32\dllcache\mxport.sys
2010-07-12 02:30:48 35200 -c--a-w- c:\windows\system32\dllcache\msgame.sys
2010-07-12 02:30:45 6016 -c--a-w- c:\windows\system32\dllcache\msfsio.sys
2010-07-12 02:30:44 56832 -c--a-w- c:\windows\system32\dllcache\msdvbnp.ax
2010-07-12 02:30:43 51200 -c--a-w- c:\windows\system32\dllcache\msdv.sys
2010-07-12 02:30:34 17280 -c--a-w- c:\windows\system32\dllcache\mraid35x.sys
2010-07-12 02:30:27 15232 -c--a-w- c:\windows\system32\dllcache\mpe.sys
2010-07-12 02:30:22 12160 -c--a-w- c:\windows\system32\dllcache\mouhid.sys
2010-07-12 02:30:18 16128 -c--a-w- c:\windows\system32\dllcache\modemcsa.sys
2010-07-12 02:30:09 6528 -c--a-w- c:\windows\system32\dllcache\miniqic.sys
2010-07-12 02:30:04 320384 -c--a-w- c:\windows\system32\dllcache\mgaum.sys
2010-07-12 02:30:01 235648 -c--a-w- c:\windows\system32\dllcache\mgaud.dll
2010-07-12 02:28:55 70730 -c--a-w- c:\windows\system32\dllcache\lne100tx.sys
2010-07-12 02:27:57 6144 -c--a-w- c:\windows\system32\dllcache\kbd106.dll
2010-07-12 02:26:40 372824 -c--a-w- c:\windows\system32\dllcache\iconf32.dll
2010-07-12 02:25:57 58592 -c--a-w- c:\windows\system32\dllcache\i740nt5.sys
2010-07-12 02:24:59 115807 -c--a-w- c:\windows\system32\dllcache\hsf_fsks.sys
2010-07-12 02:23:57 119296 -c--a-w- c:\windows\system32\dllcache\hpdigwia.dll
2010-07-12 02:22:57 455296 -c--a-w- c:\windows\system32\dllcache\fusbbase.sys
2010-07-12 02:21:59 45568 -c--a-w- c:\windows\system32\dllcache\esuni.dll
2010-07-12 02:20:58 241206 -c--a-w- c:\windows\system32\dllcache\el656se5.sys
2010-07-12 02:19:58 91305 -c--a-w- c:\windows\system32\dllcache\dimaint.sys
2010-07-12 02:18:58 14848 -c--a-w- c:\windows\system32\dllcache\cyclom-y.sys
2010-07-12 02:17:58 7680 -c--a-w- c:\windows\system32\dllcache\cd20xrnt.sys
2010-07-12 02:16:59 38912 -c--a-w- c:\windows\system32\dllcache\avc.sys
2010-07-12 02:15:58 3775 -c--a-w- c:\windows\system32\dllcache\adv11nt5.dll
2010-07-12 02:14:55 66048 -c--a-w- c:\windows\system32\dllcache\s3legacy.dll
2010-07-11 02:11:19 0 d-----w- C:\Driver_XP_5719_0331
2010-07-11 02:00:03 128128 ----a-w- c:\windows\system32\drivers\Rtnic.sys
2010-07-05 16:17:43 0 ----a-w- c:\program files\extra1.dat
2010-07-05 07:47:28 0 ----a-w- c:\program files\extra3.dat
2010-07-03 22:45:16 0 d-----w- c:\program files\Andrew
2010-06-28 23:15:51 0 d-----w- c:\program files\MSXML 4.0
2010-06-14 19:41:02 62876 ----a-w- C:\DrawLayer4Back.an1

==================== Find3M ====================

2010-07-13 00:34:51 22528 ----a-w- c:\windows\system32\drivers\nhcDriver.sys
2010-06-07 02:33:23 1536 ----a-w- c:\windows\system32\TrueSoft.dat
2010-06-06 05:57:09 21361 ----a-w- c:\windows\system32\drivers\AegisP.sys
2010-06-06 05:57:09 21361 ----a-w- c:\windows\AegisP.sys
2010-06-06 04:19:06 23348 ----a-w- c:\windows\system32\emptyregdb.dat
2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-20 05:30:08 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-16 16:09:09 667136 ----a-w- c:\windows\system32\wininet.dll
2010-04-16 16:09:05 81920 ----a-w- c:\windows\system32\ieencode.dll
2010-04-12 16:39:18 32768 --sha-w- c:\windows\temp\cookies\index.dat
2010-04-12 16:39:18 32768 --sha-w- c:\windows\temp\history\history.ie5\index.dat
2010-04-12 16:39:18 49152 --sha-w- c:\windows\temp\temporary internet files\content.ie5\index.dat

============= FINISH: 15:25:44.27 ===============
===============================================================================================================

PS A couple of months ago I inadvertently installed the Gamebox toolbar from BitTorrent and would dearly love to get rid of it!


Gray

Merged posts. ~ OB

Edited by Orange Blossom, 14 July 2010 - 10:39 PM.
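A small triage script for the "Pseudo HJT Report" section of the DDS log quoted above, added here as an example; it is not part of the thread and not DDS itself. The sample lines are copied from that log, and the heuristics it applies (a proxy on the loopback address, nameless or bare-filename autorun entries, a non-empty AppInit_DLLs, a native component shipped inside a profile extension) are this example's own assumptions about what a malware-response volunteer reads first, not rules from DDS or BleepingComputer.

```python
"""Flag the Pseudo HJT lines of a DDS log that merit a closer look.

Added example for the thread above; the heuristics are assumptions of
this script, not DDS output rules. Everything a finding says is derived
from the quoted line itself.
"""
import re
from typing import Dict, List

# Constructed sample: a subset of the first post's Pseudo HJT report, with
# one ordinary BHO and one ordinary mRun entry kept for contrast.
SAMPLE_LINES = [
    r"uStart Page = hxxp://www.google.com/advanced_search?hl=en",
    r"uInternet Settings,ProxyServer = http=127.0.0.1:5555",
    r"uInternet Settings,ProxyOverride = <local>",
    r"BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll",
    r'mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min',
    r"mRun: [PCTVOICE] pctspk.exe",
    r"mRun: [<NO NAME>]",
    r"AppInit_DLLs: acaptuser32.dll",
    r"FF - component: c:\documents and settings\owner\application data\mozilla\firefox\profiles\no14s4he.default\extensions\gamebox@toolbar\components\toolbarhomewmp.dll",
]

# 127.0.0.1 or localhost, optionally with a port, at the start of the value
# or right after "http=" / "https=".
LOOPBACK = re.compile(r"(?:^|=)(?:127\.0\.0\.1|localhost)(?::(\d+))?", re.I)
# "uRun: [name] command" / "mRun: [name] command" as DDS prints them.
AUTORUN = re.compile(r"^[um]Run:\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")


def _finding(kind: str, severity: str, line: str, why: str, **extra) -> Dict[str, str]:
    item = {"kind": kind, "severity": severity, "line": line, "why": why}
    item.update(extra)
    return item


def triage(lines: List[str]) -> List[Dict[str, str]]:
    """Return one finding per line that a responder should verify by hand."""
    findings: List[Dict[str, str]] = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue

        # Internet Settings: a proxy on the machine itself means every IE
        # request passes through a local process; identify that process.
        if line.startswith(("uInternet Settings,ProxyServer",
                            "mInternet Settings,ProxyServer")):
            value = line.split("=", 1)[1].strip()
            m = LOOPBACK.search(value)
            if m:
                findings.append(_finding(
                    "loopback_proxy", "high", line,
                    "browser traffic is relayed through a process on this "
                    "machine; find the process owning the port",
                    port=m.group(1) or ""))
            continue

        m = AUTORUN.match(line)
        if m:
            name, cmd = m.group("name").strip(), m.group("cmd").strip()
            if name == "<NO NAME>" or not cmd:
                findings.append(_finding(
                    "unnamed_or_empty_autorun", "medium", line,
                    "autorun value with no name or no command; confirm what "
                    "the registry value actually holds"))
            elif "\\" not in cmd.strip('"'):
                # Bare file name: Windows resolves it by searching the PATH
                # at logon, so confirm which file is actually started.
                findings.append(_finding(
                    "bare_filename_autorun", "low", line,
                    "autorun command has no directory; locate the file"))
            continue

        if line.startswith("AppInit_DLLs:"):
            if line.split(":", 1)[1].strip():
                findings.append(_finding(
                    "appinit_dll", "medium", line,
                    "DLL loaded into every process that uses user32; "
                    "confirm its publisher"))
            continue

        if line.startswith("FF - component:"):
            path = line.split(":", 1)[1].strip().lower()
            if "\\extensions\\" in path and "\\application data\\" in path:
                findings.append(_finding(
                    "profile_extension_component", "medium", line,
                    "native component inside a profile extension runs with "
                    "the browser's privileges; check the extension is wanted"))
            continue
    return findings


def by_severity(findings: List[Dict[str, str]]) -> Dict[str, int]:
    """Count findings per severity, for a quick summary line."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"[{f['severity']:6}] {f['kind']}: {f['line'][:70]}")
    print(by_severity(triage(SAMPLE_LINES)))
```

Paste the whole "Pseudo HJT Report" section in place of the sample list to run it over a full log; the script only reads text and changes nothing on the machine.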



#2 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:02:44 PM

Posted 20 July 2010 - 03:27 AM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together.
  1. Do not run any other tool until instructed to do so!
  2. Please do not attach logs or put them in code boxes.
  3. Tell me about any problems that have occurred during the fix.
  4. Tell me of any other symptoms you may be having, as these can help also.
  5. Do not run anything while running a fix.

In the upper right-hand corner of the topic you will see a button called Options. If you click on this, in the drop-down menu you can choose Track this topic. By doing this, then choosing Immediate E-Mail notification and clicking on Proceed, you will be advised when we respond to your topic, which facilitates the cleaning of your machine.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

In order for me to see the status of the infection I will need a new set of logs to start with.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

DeFogger:
    Please download DeFogger to your desktop.

    Double click DeFogger to run the tool.
    • The application window will appear
    • Click the Disable button to disable your CD Emulation drivers
    • Click Yes to continue
    • A 'Finished!' message will appear
    • Click OK
    • DeFogger may ask you to reboot the machine, if it does - click OK
    Do not re-enable these drivers until otherwise instructed.

Download DDS:
    Please download DDS by sUBs from one of the links below and save it to your desktop:


    Download DDS and save it to your desktop

    Link1
    Link2
    Link3

    Please disable any anti-malware program that will block scripts from running before running DDS.
    • Double-Click on dds.scr and a command window will appear. This is normal.
    • Shortly after two logs will appear:
      • DDS.txt
      • Attach.txt
    • A window will open instructing you save & post the logs
    • Save the logs to a convenient place such as your desktop
    • Copy the contents of both logs & post in your next reply

Scan With RKUnHooker
  • Please Download Rootkit Unhooker Save it to your desktop.
  • Now double-click on RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Check (Tick) Drivers, Stealth. Uncheck the rest, then click OK.
  • Wait till the scanner has finished and then click File, Save Report.
  • Save the report somewhere where you can find it. Click Close.
Copy the entire contents of the report and paste it in a reply here.

Note** you may get this warning; it is OK, just ignore it:

"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"


MBRCheck

Please also download MBRCheck to your desktop
  • Double click MBRCheck.exe to run (Vista and Win 7: right-click and select Run as Administrator)
  • It will show a Black screen with some data on it
  • a report called MBRcheck will be on your desktop
  • open this report
  • Right click on the screen and select > Select All
  • Press Control+C
  • now please copy that report to this thread


information and logs:
    In your next post I need the following
      1. logs from DDS
      2. log from RKUnHooker
      3. report from MBRCheck
      4. let me know of any problems you may have had

Gringo


I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#3 Haertig

Haertig
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  • Local time:11:44 AM

Posted 20 July 2010 - 04:18 PM

Hello Gringo!

Thanks for any help that you can give me.

The requested info is quoted below.

Since last I posted a number of things have happened. I inadvertently allowed Windows and Firefox to update. I don't know if it is related, but now both Firefox and IE will not launch. (I am having to download and post from another computer and shuttle programs and logs back and forth via e-mail.)

USB has ceased to function.

The computer will not sleep and I can't shut it down except with a hard shut down.

I have run the three tools in my arsenal (Avira, Malwarebytes and SUPERAntiSpyware) several times, and they have found something now and again, but without much apparent effect. The redirects continue, sometimes worse, sometimes better.


Thanks!


Gray


PS Where in PR are you?



DDS.txt
================================================================================
============== Running Processes ===============


C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\WINDOWS\system32\hasplms.exe
c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\hkeyman.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
C:\Program Files\Notebook Hardware Control\nhc.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\HDIDeviceServer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Program Files\Qualcomm\Eudora\Eudora.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Owner\Desktop\dds.scr


============== Pseudo HJT Report ===============


uStart Page = hxxp://www.google.com/advanced_search?hl=en
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_10\bin\ssv.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Hotkey] c:\windows\system32\hkeyman.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [gemstrmw] c:\windows\system32\gemstrmw.exe /r
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [PCTVOICE] pctspk.exe
mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe"
mRun: [<NO NAME>]
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [NotebookHardwareControl] "c:\program files\notebook hardware control\nhc.exe" -quiet
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\truela~1.lnk - c:\program files\home diagnostics, inc\truemanager diabetes management software\TRUELauncher.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE
uPolicies-explorer: EditLevel = 0 (0x0)
uPolicies-explorer: NoCommonGroups = 0 (0x0)
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_10\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxsrvc.dll
AppInit_DLLs: acaptuser32.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Eudora's Shell Extension: {edb0e980-90bd-11d4-8599-0008c7d3b6f8} - c:\program files\qualcomm\eudora\EuShlExt.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL


================= FIREFOX ===================


FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\no14s4he.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/advanced_search?hl=en
FF - component: c:\documents and settings\owner\application data\mozilla\firefox\profiles\no14s4he.default\extensions\gamebox@toolbar\components\toolbarhomewmp.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre1.5.0_10\bin\NPJPI150_10.dll


---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);


============= SERVICES / DRIVERS ===============


R0 EUBAKUP;EUBAKUP;c:\windows\system32\drivers\eubakup.sys [2010-3-1 26248]
R0 EUFS;EUFS;c:\windows\system32\drivers\eufs.sys [2010-3-1 20616]
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-3-12 11608]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2008-2-29 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-2-29 67656]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-3-12 135336]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-3-12 267432]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-3-12 60936]
R2 hasplms;HASP License Manager;c:\windows\system32\hasplms.exe -run --> c:\windows\system32\hasplms.exe -run [?]
R2 MSSQL$HDI;SQL Server (HDI);c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2007-2-10 29178224]
R3 EuDisk;EASEUS Disk Enumerator;c:\windows\system32\drivers\EuDisk.sys [2010-3-1 122504]
R3 GTWINSER;GTWINSER;c:\windows\system32\drivers\GTwinSER.sys [2010-6-5 66912]
S0 cerc6;cerc6; [x]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-16 135664]
S3 cpuz132;cpuz132;\??\c:\docume~1\owner\locals~1\temp\cpuz132\cpuz132_x32.sys --> c:\docume~1\owner\locals~1\temp\cpuz132\cpuz132_x32.sys [?]
S3 EUDSKACS;EUDSKACS;c:\windows\system32\drivers\eudskacs.sys [2010-3-1 14216]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2006-2-16 12872]
S3 SolarWinds TFTP Server;SolarWinds TFTP Server;c:\program files\solarwinds\tftpserver\SolarWinds TFTP Server.exe [2008-7-25 61440]


=============== Created Last 30 ================


2010-07-16 00:04:56 1409 ----a-w- c:\windows\QTFont.for
2010-07-13 22:23:48 0 ----a-w- c:\documents and settings\owner\defogger_reenable
2010-07-13 01:21:07 0 d-----w- c:\program files\AMDAT
2010-07-12 02:50:53 116224 -c--a-w- c:\windows\system32\dllcache\xrxwiadr.dll
2010-07-12 02:50:49 23040 -c--a-w- c:\windows\system32\dllcache\xrxwbtmp.dll
2010-07-12 02:50:48 18944 -c--a-w- c:\windows\system32\dllcache\xrxscnui.dll
2010-07-12 02:50:44 27648 -c--a-w- c:\windows\system32\dllcache\xrxftplt.exe
2010-07-12 02:50:39 4608 -c--a-w- c:\windows\system32\dllcache\xrxflnch.exe
2010-07-12 02:50:00 99865 -c--a-w- c:\windows\system32\dllcache\xlog.exe
2010-07-12 02:49:51 16970 -c--a-w- c:\windows\system32\dllcache\xem336n5.sys
2010-07-12 02:49:49 19455 -c--a-w- c:\windows\system32\dllcache\wvchntxx.sys
2010-07-12 02:49:46 19200 -c--a-w- c:\windows\system32\dllcache\wstcodec.sys
2010-07-12 02:49:44 12063 -c--a-w- c:\windows\system32\dllcache\wsiintxx.sys
2010-07-12 02:49:43 8192 -c--a-w- c:\windows\system32\dllcache\wshirda.dll
2010-07-12 02:49:24 8832 -c--a-w- c:\windows\system32\dllcache\wmiacpi.sys
2010-07-12 02:49:21 154624 -c--a-w- c:\windows\system32\dllcache\wlluc48.sys
2010-07-12 02:49:17 34890 -c--a-w- c:\windows\system32\dllcache\wlandrv2.sys
2010-07-12 02:49:05 771581 -c--a-w- c:\windows\system32\dllcache\winacisa.sys
2010-07-12 02:47:59 249402 -c--a-w- c:\windows\system32\dllcache\vinwm.sys
2010-07-12 02:46:54 94720 -c--a-w- c:\windows\system32\dllcache\umaxud32.dll
2010-07-12 02:46:50 28160 -c--a-w- c:\windows\system32\dllcache\umaxu40.dll
2010-07-12 02:46:46 26624 -c--a-w- c:\windows\system32\dllcache\umaxu22.dll
2010-07-12 02:46:42 69632 -c--a-w- c:\windows\system32\dllcache\umaxu12.dll
2010-07-12 02:46:38 50688 -c--a-w- c:\windows\system32\dllcache\umaxscan.dll
2010-07-12 02:46:34 22912 -c--a-w- c:\windows\system32\dllcache\umaxpcls.sys
2010-07-12 02:46:30 50176 -c--a-w- c:\windows\system32\dllcache\umaxp60.dll
2010-07-12 02:46:26 47616 -c--a-w- c:\windows\system32\dllcache\umaxcam.dll
2010-07-12 02:46:22 211968 -c--a-w- c:\windows\system32\dllcache\um54scan.dll
2010-07-12 02:46:17 216064 -c--a-w- c:\windows\system32\dllcache\um34scan.dll
2010-07-12 02:46:13 36736 -c--a-w- c:\windows\system32\dllcache\ultra.sys
2010-07-12 02:46:08 11520 -c--a-w- c:\windows\system32\dllcache\twotrack.sys
2010-07-12 02:44:59 123995 -c--a-w- c:\windows\system32\dllcache\tjisdn.sys
2010-07-12 02:44:51 138528 -c--a-w- c:\windows\system32\dllcache\tgiulnt5.sys
2010-07-12 02:44:47 81408 -c--a-w- c:\windows\system32\dllcache\tgiul50.dll
2010-07-12 02:44:46 149376 -c--a-w- c:\windows\system32\dllcache\tffsport.sys
2010-07-12 02:44:39 17129 -c--a-w- c:\windows\system32\dllcache\tdkcd31.sys
2010-07-12 02:44:36 37961 -c--a-w- c:\windows\system32\dllcache\tdk100b.sys
2010-07-12 02:44:25 30464 -c--a-w- c:\windows\system32\dllcache\tbatm155.sys
2010-07-12 02:44:20 7040 -c--a-w- c:\windows\system32\dllcache\tandqic.sys
2010-07-12 02:44:16 36640 -c--a-w- c:\windows\system32\dllcache\t2r4mini.sys
2010-07-12 02:44:12 172768 -c--a-w- c:\windows\system32\dllcache\t2r4disp.dll
2010-07-12 02:44:05 32640 -c--a-w- c:\windows\system32\dllcache\symc8xx.sys
2010-07-12 02:44:01 16256 -c--a-w- c:\windows\system32\dllcache\symc810.sys
2010-07-12 02:42:56 99328 -c--a-w- c:\windows\system32\dllcache\srusd.dll
2010-07-12 02:42:45 24660 -c--a-w- c:\windows\system32\dllcache\spxupchk.dll
2010-07-12 02:42:39 61824 -c--a-w- c:\windows\system32\dllcache\speed.sys
2010-07-12 02:42:35 106584 -c--a-w- c:\windows\system32\dllcache\spdports.dll
2010-07-12 02:42:31 19072 -c--a-w- c:\windows\system32\dllcache\sparrow.sys
2010-07-12 02:42:27 7552 -c--a-w- c:\windows\system32\dllcache\sonypvu1.sys
2010-07-12 02:42:24 37040 -c--a-w- c:\windows\system32\dllcache\sonypi.sys
2010-07-12 02:42:20 114688 -c--a-w- c:\windows\system32\dllcache\sonypi.dll
2010-07-12 02:42:16 20752 -c--a-w- c:\windows\system32\dllcache\sonync.sys
2010-07-12 02:42:12 9600 -c--a-w- c:\windows\system32\dllcache\sonymc.sys
2010-07-12 02:42:12 7552 -c--a-w- c:\windows\system32\dllcache\sonyait.sys
2010-07-12 02:42:07 7040 -c--a-w- c:\windows\system32\dllcache\snyaitmc.sys
2010-07-12 02:40:57 94698 -c--a-w- c:\windows\system32\dllcache\sk98xwin.sys
2010-07-12 02:39:57 36480 -c--a-w- c:\windows\system32\dllcache\sfmanm.sys
2010-07-12 02:38:56 77824 -c--a-w- c:\windows\system32\dllcache\s3sav4m.sys
2010-07-12 02:37:55 9216 -c--a-w- c:\windows\system32\dllcache\rsmgrstr.dll
2010-07-12 02:37:51 3840 -c--a-w- c:\windows\system32\dllcache\rpfun.sys
2010-07-12 02:37:46 79104 -c--a-w- c:\windows\system32\dllcache\rocket.sys
2010-07-12 02:37:45 30592 -c--a-w- c:\windows\system32\dllcache\rndismpx.sys
2010-07-12 02:37:41 37563 -c--a-w- c:\windows\system32\dllcache\rlnet5.sys
2010-07-12 02:37:40 59136 -c--a-w- c:\windows\system32\dllcache\rfcomm.sys
2010-07-12 02:37:35 86097 -c--a-w- c:\windows\system32\dllcache\reslog32.dll
2010-07-12 02:37:30 13776 -c--a-w- c:\windows\system32\dllcache\recagent.sys
2010-07-12 02:37:17 19584 -c--a-w- c:\windows\system32\dllcache\rasirda.sys
2010-07-12 02:37:12 714762 -c--a-w- c:\windows\system32\dllcache\r2mdmkxx.sys
2010-07-12 02:37:08 899146 -c--a-w- c:\windows\system32\dllcache\r2mdkxga.sys
2010-07-12 02:37:04 41472 -c--a-w- c:\windows\system32\dllcache\qvusd.dll
2010-07-12 02:37:01 3328 -c--a-w- c:\windows\system32\dllcache\qv2kux.sys
2010-07-12 02:35:56 7168 -c--a-w- c:\windows\system32\dllcache\pnrmc.sys
2010-07-12 02:34:57 26153 -c--a-w- c:\windows\system32\dllcache\pcmlm56.sys
2010-07-12 02:33:59 43689 -c--a-w- c:\windows\system32\dllcache\otceth5.sys
2010-07-12 02:32:58 32840 -c--a-w- c:\windows\system32\dllcache\ngrpci.sys
2010-07-12 02:31:58 75520 -c--a-w- c:\windows\system32\dllcache\mxport.sys
2010-07-12 02:30:48 35200 -c--a-w- c:\windows\system32\dllcache\msgame.sys
2010-07-12 02:30:45 6016 -c--a-w- c:\windows\system32\dllcache\msfsio.sys
2010-07-12 02:30:44 56832 -c--a-w- c:\windows\system32\dllcache\msdvbnp.ax
2010-07-12 02:30:43 51200 -c--a-w- c:\windows\system32\dllcache\msdv.sys
2010-07-12 02:30:34 17280 -c--a-w- c:\windows\system32\dllcache\mraid35x.sys
2010-07-12 02:30:27 15232 -c--a-w- c:\windows\system32\dllcache\mpe.sys
2010-07-12 02:30:22 12160 -c--a-w- c:\windows\system32\dllcache\mouhid.sys
2010-07-12 02:30:18 16128 -c--a-w- c:\windows\system32\dllcache\modemcsa.sys
2010-07-12 02:30:09 6528 -c--a-w- c:\windows\system32\dllcache\miniqic.sys
2010-07-12 02:30:04 320384 -c--a-w- c:\windows\system32\dllcache\mgaum.sys
2010-07-12 02:30:01 235648 -c--a-w- c:\windows\system32\dllcache\mgaud.dll
2010-07-12 02:28:55 70730 -c--a-w- c:\windows\system32\dllcache\lne100tx.sys
2010-07-12 02:27:57 6144 -c--a-w- c:\windows\system32\dllcache\kbd106.dll
2010-07-12 02:26:40 372824 -c--a-w- c:\windows\system32\dllcache\iconf32.dll
2010-07-12 02:25:57 58592 -c--a-w- c:\windows\system32\dllcache\i740nt5.sys
2010-07-12 02:24:59 115807 -c--a-w- c:\windows\system32\dllcache\hsf_fsks.sys
2010-07-12 02:23:57 119296 -c--a-w- c:\windows\system32\dllcache\hpdigwia.dll
2010-07-12 02:22:57 455296 -c--a-w- c:\windows\system32\dllcache\fusbbase.sys
2010-07-12 02:21:59 45568 -c--a-w- c:\windows\system32\dllcache\esuni.dll
2010-07-12 02:20:58 241206 -c--a-w- c:\windows\system32\dllcache\el656se5.sys
2010-07-12 02:19:58 91305 -c--a-w- c:\windows\system32\dllcache\dimaint.sys
2010-07-12 02:18:58 14848 -c--a-w- c:\windows\system32\dllcache\cyclom-y.sys
2010-07-12 02:17:58 7680 -c--a-w- c:\windows\system32\dllcache\cd20xrnt.sys
2010-07-12 02:16:59 38912 -c--a-w- c:\windows\system32\dllcache\avc.sys
2010-07-12 02:15:58 3775 -c--a-w- c:\windows\system32\dllcache\adv11nt5.dll
2010-07-12 02:14:55 66048 -c--a-w- c:\windows\system32\dllcache\s3legacy.dll
2010-07-11 02:11:19 0 d-----w- C:\Driver_XP_5719_0331
2010-07-11 02:00:03 128128 ----a-w- c:\windows\system32\drivers\Rtnic.sys
2010-07-05 16:17:43 0 ----a-w- c:\program files\extra1.dat
2010-07-05 07:47:28 0 ----a-w- c:\program files\extra3.dat
2010-07-03 22:45:16 0 d-----w- c:\program files\Andrew
2010-06-28 23:15:51 0 d-----w- c:\program files\MSXML 4.0


==================== Find3M ====================


2010-07-20 20:20:22 22528 ----a-w- c:\windows\system32\drivers\nhcDriver.sys
2010-06-07 02:33:23 1536 ----a-w- c:\windows\system32\TrueSoft.dat
2010-06-06 05:57:09 21361 ----a-w- c:\windows\system32\drivers\AegisP.sys
2010-06-06 05:57:09 21361 ----a-w- c:\windows\AegisP.sys
2010-06-06 04:19:06 23348 ----a-w- c:\windows\system32\emptyregdb.dat
2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys


============= FINISH: 13:35:02.19 ===============
===============================================================================






Attach.txt
==============================================================================
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT


DDS (Ver_10-03-17.01)


Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 6/5/2010 9:27:42 PM
System Uptime: 7/20/2010 1:17:57 PM (0 hours ago)


Motherboard: Matsushita Electric Industrial Co.,Ltd. | | CF51-1
Processor: Intel® Pentium® M processor 1.70GHz | IC1 | 1695/400mhz


==== Disk Partitions =========================


C: is FIXED (NTFS) - 75 GiB total, 16.633 GiB free.
D: is CDROM ()


==== Disabled Device Manager Items =============


==== System Restore Points ===================


RP1: 6/5/2010 9:40:53 PM - System Checkpoint
RP2: 6/6/2010 12:53:32 AM - Installed Driver Detective.
RP3: 6/6/2010 1:12:32 AM - Software Distribution Service 3.0
RP4: 6/6/2010 7:14:12 PM - Software Distribution Service 3.0
RP5: 6/7/2010 7:49:11 PM - System Checkpoint
RP6: 6/8/2010 5:12:37 PM - Removed Google Earth.
RP7: 6/9/2010 2:30:20 PM - Installed Microsoft Visual C++ 2005 Redistributable
RP8: 6/9/2010 2:36:05 PM - Installed DeLorme Topo USA 8.0.
RP9: 6/10/2010 3:23:20 PM - Installed Adobe Presenter 7.
RP10: 6/10/2010 3:34:32 PM - Removed Adobe Acrobat 8 Professional - English, Français, Deutsch
RP11: 6/10/2010 3:40:02 PM - Installed Adobe Acrobat 9 Pro Extended - English, Français, Deutsch.
RP12: 6/11/2010 4:49:34 PM - System Checkpoint
RP13: 6/12/2010 4:50:03 PM - System Checkpoint
RP14: 6/13/2010 6:08:39 PM - System Checkpoint
RP15: 6/14/2010 12:30:53 PM - Unsigned driver install
RP16: 6/14/2010 12:45:47 PM - Removed DeLorme Topo USA 8.0.
RP17: 6/14/2010 12:51:20 PM - Installed DeLorme Topo USA 8.0.
RP18: 6/18/2010 3:15:52 AM - System Checkpoint
RP19: 6/20/2010 3:56:42 PM - System Checkpoint
RP20: 6/25/2010 2:49:08 PM - System Checkpoint
RP21: 6/26/2010 4:07:08 PM - System Checkpoint
RP22: 6/27/2010 4:27:16 PM - System Checkpoint
RP23: 6/28/2010 4:15:31 PM - Software Distribution Service 3.0
RP24: 6/29/2010 4:55:36 PM - System Checkpoint
RP25: 7/2/2010 6:13:15 PM - System Checkpoint
RP26: 7/4/2010 9:25:03 PM - System Checkpoint
RP27: 7/5/2010 10:26:47 PM - System Checkpoint
RP28: 7/6/2010 10:34:50 PM - System Checkpoint
RP29: 7/7/2010 11:34:51 PM - System Checkpoint
RP30: 7/8/2010 3:52:40 PM - Configured NETGEAR WG511v2 wireless PC card
RP31: 7/9/2010 4:48:40 PM - System Checkpoint
RP32: 7/10/2010 6:21:41 PM - System Checkpoint
RP33: 7/11/2010 10:39:40 PM - System Checkpoint
RP34: 7/13/2010 12:04:06 AM - System Checkpoint
RP35: 7/14/2010 12:38:36 AM - System Checkpoint
RP36: 7/15/2010 1:06:06 AM - System Checkpoint
RP37: 7/16/2010 5:31:15 AM - System Checkpoint
RP38: 7/19/2010 3:51:46 PM - Software Distribution Service 3.0


==== Installed Programs ======================


2000 TIGER Political Boundaries Update
2000 U.S. Census Database
Adobe Acrobat 9 Pro Extended - English, Français, Deutsch
Adobe Acrobat 9.2.0 - CPSID_50026
Adobe Flash Player 10 Plugin
Adobe Flash Player ActiveX
Adobe Presenter 7
AM-Pro
Apple Software Update
ATI Display Driver
Avanquest update
Avira AntiVir Personal - Free Antivirus
Canon Camera Access Library
Canon Camera Support Core Library
Canon Camera WIA Driver
Canon Camera Window DC_DV 5 for ZoomBrowser EX
Canon Camera Window DC_DV 6 for ZoomBrowser EX
Canon Camera Window MC 6 for ZoomBrowser EX
Canon EOS-1D Mark II N WIA Driver
Canon EOS-1Ds Mark II WIA Driver
Canon EOS 5D WIA Driver
Canon EOS Kiss_N REBEL_XT 350D WIA Driver
Canon G.726 WMP-Decoder
Canon MovieEdit Task for ZoomBrowser EX
Canon RAW Image Task for ZoomBrowser EX
Canon RemoteCapture Task for ZoomBrowser EX
Canon Utilities Digital Photo Professional 2.1
Canon Utilities EOS Utility
Canon Utilities PhotoStitch
Canon Utilities ZoomBrowser EX
DeLorme Topo USA 8.0
Driver Detective
DWGSee DWG Viewer
EASEUS Todo Backup 1.1
Eudora
Expert MININEC Broadcast Professional
FMCommander
Gemplus Smart Card Reader Tools
Google Earth
Google Update Helper
Google Updater
HASP Device Driver
Hotfix for Microsoft .NET Framework 3.0 (KB932471)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB981793)
Hotkey Driver for Panasonic PC
hp deskjet 6127
Intel® Graphics Media Accelerator Driver for Mobile
Intel® PROSet/Wireless Software
J2SE Runtime Environment 5.0 Update 10
Land Cover
MacComm 4.2.0.8
Malwarebytes' Anti-Malware
mCore
mDriver
mDrWiFi
mHelp
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft .NET Framework 3.0 Service Pack 1
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Project MUI (English) 2007
Microsoft Office Project Professional 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Visio MUI (English) 2007
Microsoft Office Visio Professional 2007
Microsoft Office Word MUI (English) 2007
Microsoft Software Update for Web Folders (English) 12
Microsoft SQL Server 2005
Microsoft SQL Server 2005 Express Edition (HDI)
Microsoft SQL Server 2005 Tools Express Edition
Microsoft SQL Server Native Client
Microsoft SQL Server Setup Support Files (English)
Microsoft SQL Server VSS Writer
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
mIWA
mLogView
mMHouse
Motorola Driver Installation
Motorola Phone Tools
Motorola PTP LINKPlanner version 2.3.3.2299
Mozilla Firefox (3.6.6)
mPfMgr
mPfWiz
mProSafe
mSCfg
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6 Service Pack 2 (KB973686)
mWlsSafe
mZConfig
NEC-Win Pro
Northwest Quadrant VMap Mapping Files
Notebook Hardware Control 2.0 Pre-Release-06 Bugfix
Panasonic V.92 MDC Modem Drivers
Probe 3
QuickTime
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player (KB979402)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB981349)
Security Update for Windows XP (KB982381)
SoftV92 Data Fax Modem with SmartCP
SolarWinds TFTP Server
SpeedFan (remove only)
Star Envelope Printer Pro v4.01
SUPERAntiSpyware Free Edition
Synaptics Pointing Device Driver
The KMPlayer (remove only)
TIGER Major Lakes, Rivers, and Roads
Topo USA 5.0
Topo USA 5.0 DVD Data
TRUEmanager Diabetes Management Software
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Update for Windows XP (KB980182)
V-Soft NGDC 30 arc second terrain
V-Tower Data
WebFldrs XP
Windows Genuine Advantage Validation Tool (KB892130)
Windows Media Format 11 runtime
Windows Media Format Runtime
Windows Media Player 11
Windows Presentation Foundation
WinZip 11.1
XML Paper Specification Shared Components Pack 1.0
ZipItFree 1.95


==== Event Viewer Messages From Past Week ========


7/20/2010 2:54:13 AM, error: VolSnap [10] - The shadow copy of volume C: took too long to install.
7/20/2010 12:33:01 PM, information: Windows File Protection [64016] - Windows File Protection file scan was started.
7/20/2010 11:30:57 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
7/20/2010 11:30:26 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD avgio avipbb Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss SASDIFSV SASKUTIL ssmdrv Tcpip
7/20/2010 11:30:26 AM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
7/20/2010 11:30:26 AM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
7/20/2010 11:30:26 AM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
7/20/2010 11:30:26 AM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
7/20/2010 11:30:01 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
7/20/2010 1:09:16 PM, information: Windows File Protection [64017] - Windows File Protection file scan completed successfully.
7/19/2010 11:05:32 AM, error: System Error [1003] - Error code 0000000a, parameter1 ffffff94, parameter2 00000002, parameter3 00000000, parameter4 804fd682.
7/17/2010 3:43:47 AM, error: VolSnap [5] - The shadow copy of volume C: could not be created due to insufficient non-paged memory pool for a bitmap structure.


==== End Of File ===========================
================================================================================


RKUnhooker Report
================================================================================
RkU Version: 3.8.388.590, Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 3)
Number of processors #1
==============================================
>Drivers
==============================================
0xB93DE000 C:\WINDOWS\system32\DRIVERS\w29n51.sys 2211840 bytes (Intel® Corporation, Intel® Wireless LAN Driver)
0x804D7000 C:\WINDOWS\system32\ntoskrnl.exe 2189952 bytes (Microsoft Corporation, NT Kernel & System)
0x804D7000 PnpManager 2189952 bytes
0x804D7000 RAW 2189952 bytes
0x804D7000 WMIxWDM 2189952 bytes
0xBF081000 C:\WINDOWS\System32\ati3duag.dll 2158592 bytes (ATI Technologies Inc. , ati3duag.dll)
0xBF800000 Win32k 1851392 bytes
0xBF800000 C:\WINDOWS\System32\win32k.sys 1851392 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0xB9652000 C:\WINDOWS\system32\DRIVERS\ati2mtag.sys 856064 bytes (ATI Technologies Inc., ATI Radeon WindowsNT Miniport Driver)
0xBA6E5000 vmodem.sys 688128 bytes (PCTEL, INC., HSP Modem Modem Device Driver)
0xB0417000 C:\WINDOWS\system32\drivers\hardlock.sys 589824 bytes (Aladdin Knowledge Systems Ltd., Hardlock Device Driver for Windows NT)
0xF7B52000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)
0xBF290000 C:\WINDOWS\System32\ativvaxx.dll 520192 bytes (ATI Technologies Inc. , Radeon Video Acceleration Universal Driver)
0xBA78D000 vpctcom.sys 471040 bytes (PCtel, Inc., HSP Modem Virtual Control Device)
0xB0ECA000 C:\WINDOWS\system32\DRIVERS\mrxsmb.sys 458752 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
0xB9213000 C:\WINDOWS\system32\DRIVERS\update.sys 385024 bytes (Microsoft Corporation, Update Driver)
0xB0597000 C:\WINDOWS\system32\drivers\aksfridge.sys 368640 bytes (Aladdin Knowledge Systems Ltd., Ancillary Function Driver)
0xB0FD1000 C:\WINDOWS\system32\DRIVERS\tcpip.sys 364544 bytes (Microsoft Corporation, TCP/IP Protocol Driver)
0xB0263000 C:\WINDOWS\system32\DRIVERS\srv.sys 356352 bytes (Microsoft Corporation, Server driver)
0xBFFA0000 C:\WINDOWS\System32\ATMFD.DLL 286720 bytes (Adobe Systems Incorporated, Windows NT OpenType/Type 1 Font Driver)
0xB9335000 C:\WINDOWS\system32\drivers\STAC97.sys 278528 bytes (SigmaTel, Inc., SigmaTel Audio Driver (WDM))
0xB030A000 C:\WINDOWS\System32\Drivers\HTTP.sys 266240 bytes (Microsoft Corporation, HTTP Protocol Stack)
0xB0E41000 C:\WINDOWS\system32\DRIVERS\akshasp.sys 241664 bytes (Aladdin Knowledge Systems Ltd., AKSHASP Device Driver)
0xBF049000 C:\WINDOWS\System32\ati2cqag.dll 229376 bytes (ATI Technologies Inc., Central Memory Manager / Queue Server Module)
0xBF012000 C:\WINDOWS\System32\ati2dvag.dll 225280 bytes (ATI Technologies Inc., ATI Radeon WindowsNT Display Driver)
0xB9299000 C:\WINDOWS\system32\DRIVERS\rdpdr.sys 196608 bytes (Microsoft Corporation, Microsoft RDP Device redirector)
0xF75A8000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)
0xB93B0000 C:\WINDOWS\system32\DRIVERS\SynTP.sys 188416 bytes (Synaptics, Inc., Synaptics Touchpad Driver)
0xB0864000 C:\WINDOWS\system32\DRIVERS\mrxdav.sys 184320 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)
0xF7406000 NDIS.sys 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)
0xAF66E000 C:\WINDOWS\system32\drivers\kmixer.sys 176128 bytes (Microsoft Corporation, Kernel Mode Audio Mixer)
0xB0F3A000 C:\WINDOWS\system32\DRIVERS\rdbss.sys 176128 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0xB0FA9000 C:\WINDOWS\system32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)
0xF7494000 dmio.sys 155648 bytes (Microsoft Corp., Veritas Software, NT Disk Manager I/O Driver)
0xB0EA4000 C:\WINDOWS\system32\DRIVERS\ipnat.sys 155648 bytes (Microsoft Corporation, IP Network Address Translator)
0xB03F3000 C:\WINDOWS\System32\Drivers\Fastfat.SYS 147456 bytes (Microsoft Corporation, Fast FAT File System Driver)
0xB9311000 C:\WINDOWS\system32\drivers\portcls.sys 147456 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0xB961A000 C:\WINDOWS\system32\DRIVERS\USBPORT.SYS 147456 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0xB9379000 C:\WINDOWS\system32\DRIVERS\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)
0xAFE58000 C:\WINDOWS\System32\Drivers\RDPWD.SYS 143360 bytes (Microsoft Corporation, RDP Terminal Stack Driver (US/Canada Only, Not for Export))
0xB0F87000 C:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0xB0E0E000 C:\WINDOWS\system32\DRIVERS\avipbb.sys 139264 bytes (Avira GmbH, Avira Driver for Security Enhancement)
0xB0F65000 C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys 139264 bytes (SUPERAdBlocker.com and SUPERAntiSpyware.com, SASKUTIL.SYS)
0xF745C000 fltMgr.sys 131072 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0xB92F1000 C:\WINDOWS\system32\DRIVERS\ptserial.sys 131072 bytes (PCTEL, INC., HSP Modem Serial Device Driver for NT 5.0)
0xB95FA000 C:\WINDOWS\system32\DRIVERS\Rtnicxp.sys 131072 bytes (Realtek Semiconductor Corporation , Realtek 10/100/1000 NDIS 5.1 Driver )
0xF74BA000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver)
0xF74D9000 pcmcia.sys 122880 bytes (Microsoft Corporation, PCMCIA Bus Driver)
0xB91F6000 C:\WINDOWS\system32\DRIVERS\EuDisk.sys 118784 bytes (CHENGDU YIWO Tech Development Co., Ltd, EuDisk Bus Enumerator)
0xBA6CB000 Mup.sys 106496 bytes (Microsoft Corporation, Multiple UNC Provider driver)
0xF747C000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)
0xB0DF6000 C:\WINDOWS\System32\Drivers\dump_atapi.sys 98304 bytes
0xF7433000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0xB92DA000 C:\WINDOWS\system32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
0xB0CA1000 C:\WINDOWS\system32\DRIVERS\avgntflt.sys 86016 bytes (Avira GmbH, Avira Minifilter Driver)
0xB0827000 C:\WINDOWS\system32\drivers\wdmaud.sys 86016 bytes (Microsoft Corporation, MMSYSTEM Wave/Midi API mapper)
0xB939C000 C:\WINDOWS\system32\DRIVERS\parport.sys 81920 bytes (Microsoft Corporation, Parallel Port Driver)
0xB963E000 C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver)
0x806EE000 ACPI_HAL 81152 bytes
0x806EE000 C:\WINDOWS\system32\hal.dll 81152 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0xB102A000 C:\WINDOWS\system32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver)
0xBF000000 C:\WINDOWS\System32\drivers\dxg.sys 73728 bytes (Microsoft Corporation, DirectX Graphics Driver)
0xF744A000 sr.sys 73728 bytes (Microsoft Corporation, System Restore Filesystem Filter Driver)
0xB0E30000 C:\WINDOWS\system32\DRIVERS\GTwinSER.sys 69632 bytes (Gemplus, Serial Smart Card Reader Driver)
0xF7597000 pci.sys 69632 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
0xB92C9000 C:\WINDOWS\system32\DRIVERS\psched.sys 69632 bytes (Microsoft Corporation, MS QoS Packet Scheduler)
0xBA049000 C:\WINDOWS\System32\Drivers\Cdfs.SYS 65536 bytes (Microsoft Corporation, CD-ROM File System Driver)
0xF7557000 C:\WINDOWS\system32\DRIVERS\cdrom.sys 65536 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
0xF76F7000 C:\WINDOWS\system32\DRIVERS\nic1394.sys 65536 bytes (Microsoft Corporation, IEEE1394 Ndis Miniport and Call Manager)
0xF7607000 ohci1394.sys 65536 bytes (Microsoft Corporation, 1394 OpenHCI Port Driver)
0xF7577000 C:\WINDOWS\system32\DRIVERS\serial.sys 65536 bytes (Microsoft Corporation, Serial Device Driver)
0xF7667000 vvoice.sys 65536 bytes (PCtel, Inc., HSP Modem device driver)
0xF7697000 C:\WINDOWS\system32\DRIVERS\arp1394.sys 61440 bytes (Microsoft Corporation, IP/1394 Arp Client)
0xF7537000 C:\WINDOWS\system32\drivers\drmk.sys 61440 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
0xF7547000 C:\WINDOWS\system32\DRIVERS\redbook.sys 61440 bytes (Microsoft Corporation, Redbook Audio Filter Driver)
0xB0A19000 C:\WINDOWS\system32\drivers\sysaudio.sys 61440 bytes (Microsoft Corporation, System Audio WDM Filter)
0xBA66B000 C:\WINDOWS\system32\DRIVERS\usbhub.sys 61440 bytes (Microsoft Corporation, Default Hub Driver for USB)
0xF7617000 C:\WINDOWS\system32\DRIVERS\1394BUS.SYS 57344 bytes (Microsoft Corporation, 1394 Bus Device Driver)
0xF7657000 C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS 53248 bytes (Microsoft Corporation, SCSI Class System Dll)
0xF7587000 C:\WINDOWS\system32\DRIVERS\i8042prt.sys 53248 bytes (Microsoft Corporation, i8042 Port Driver)
0xF7527000 C:\WINDOWS\system32\DRIVERS\rasl2tp.sys 53248 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
0xF7637000 VolSnap.sys 53248 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0xF7507000 C:\WINDOWS\system32\DRIVERS\raspptp.sys 49152 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
0xF7677000 agp440.sys 45056 bytes (Microsoft Corporation, 440 NT AGP Filter)
0xBA63B000 C:\WINDOWS\System32\Drivers\Fips.SYS 45056 bytes (Microsoft Corporation, FIPS Crypto Driver)
0xF7567000 C:\WINDOWS\system32\DRIVERS\imapi.sys 45056 bytes (Microsoft Corporation, IMAPI Kernel Driver)
0xF7627000 MountMgr.sys 45056 bytes (Microsoft Corporation, Mount Manager)
0xF7517000 C:\WINDOWS\system32\DRIVERS\raspppoe.sys 45056 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
0xF75F7000 isapnp.sys 40960 bytes (Microsoft Corporation, PNP ISA Bus Driver)
0xBA6AB000 C:\WINDOWS\System32\Drivers\NDProxy.SYS 40960 bytes (Microsoft Corporation, NDIS Proxy)
0xBA099000 C:\WINDOWS\system32\drivers\nhcDriver.sys 40960 bytes (pBUS-167 Software - http://www.pbus-167.com, Notebook Hardware Control Device Driver)
0xBA6BB000 C:\WINDOWS\system32\DRIVERS\termdd.sys 40960 bytes (Microsoft Corporation, Terminal Server Driver)
0xF7647000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver)
0xF76E7000 C:\WINDOWS\system32\DRIVERS\intelppm.sys 36864 bytes (Microsoft Corporation, Processor Device Driver)
0xF74F7000 C:\WINDOWS\system32\DRIVERS\msgpc.sys 36864 bytes (Microsoft Corporation, MS General Packet Classifier)
0xBA64B000 C:\WINDOWS\system32\DRIVERS\netbios.sys 36864 bytes (Microsoft Corporation, NetBIOS interface driver)
0xAF6B9000 C:\WINDOWS\System32\Drivers\Normandy.SYS 36864 bytes (RKU Driver)
0xBA62B000 C:\WINDOWS\system32\DRIVERS\wanarp.sys 36864 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
0xF776F000 C:\WINDOWS\System32\Drivers\Modem.SYS 32768 bytes (Microsoft Corporation, Modem Device Driver)
0xF77B7000 C:\WINDOWS\System32\Drivers\Npfs.SYS 32768 bytes (Microsoft Corporation, NPFS Driver)
0xF7757000 C:\WINDOWS\system32\DRIVERS\usbehci.sys 32768 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
0xF7707000 C:\WINDOWS\System32\Drivers\PCIIDEX.SYS 28672 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
0xF7717000 eubakup.sys 24576 bytes (CHENGDU YIWO Tech Development Co., Ltd, Disk Backup Driver)
0xF775F000 C:\WINDOWS\system32\DRIVERS\kbdclass.sys 24576 bytes (Microsoft Corporation, Keyboard Class Driver)
0xF7767000 C:\WINDOWS\system32\DRIVERS\mouclass.sys 24576 bytes (Microsoft Corporation, Mouse Class Driver)
0xF77C7000 C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS 24576 bytes (SUPERAdBlocker.com and SUPERAntiSpyware.com, SASDIFSV.SYS)
0xF77BF000 C:\WINDOWS\system32\DRIVERS\ssmdrv.sys 24576 bytes (Avira GmbH, AVIRA SnapShot Driver)
0xB105D000 C:\WINDOWS\System32\Drivers\TDTCP.SYS 24576 bytes (Microsoft Corporation, TCP Transport Driver)
0xF774F000 C:\WINDOWS\system32\DRIVERS\usbuhci.sys 24576 bytes (Microsoft Corporation, UHCI USB Miniport Driver)
0xF77A7000 C:\WINDOWS\System32\drivers\vga.sys 24576 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
0xF781F000 C:\WINDOWS\system32\DRIVERS\AegisP.sys 20480 bytes (Cisco Systems, Inc., IEEE 802.1X Protocol Driver)
0xF77AF000 C:\WINDOWS\System32\Drivers\Msfs.SYS 20480 bytes (Microsoft Corporation, Mailslot driver)
0xF770F000 PartMgr.sys 20480 bytes (Microsoft Corporation, Partition Manager)
0xF777F000 C:\WINDOWS\system32\DRIVERS\ptilink.sys 20480 bytes (Parallel Technologies, Inc., Parallel Technologies DirectParallel IO Library)
0xF7787000 C:\WINDOWS\system32\DRIVERS\raspti.sys 20480 bytes (Microsoft Corporation, PTI DirectParallel® mini-port/call-manager driver)
0xF7777000 C:\WINDOWS\system32\DRIVERS\TDI.SYS 20480 bytes (Microsoft Corporation, TDI Wrapper)
0xB104D000 C:\WINDOWS\System32\watchdog.sys 20480 bytes (Microsoft Corporation, Watchdog Driver)
0xBA5BB000 C:\WINDOWS\system32\DRIVERS\aksusb.sys 16384 bytes (Aladdin Knowledge Systems Ltd., Aladdin USB Key Driver)
0xF789F000 C:\WINDOWS\system32\DRIVERS\BATTC.SYS 16384 bytes (Microsoft Corporation, Battery Class Driver)
0xBA21C000 C:\WINDOWS\system32\DRIVERS\CmBatt.sys 16384 bytes (Microsoft Corporation, Control Method Battery Driver)
0xF78A7000 eufs.sys 16384 bytes (CHENGDU YIWO Tech Development Co., Ltd, File System Filter Driver)
0xF793F000 C:\WINDOWS\system32\DRIVERS\mssmbios.sys 16384 bytes (Microsoft Corporation, System Management BIOS Driver)
0xB0CCE000 C:\WINDOWS\system32\DRIVERS\ndisuio.sys 16384 bytes (Microsoft Corporation, NDIS User mode I/O Driver)
0xBA228000 C:\WINDOWS\system32\DRIVERS\serenum.sys 16384 bytes (Microsoft Corporation, Serial Port Enumerator)
0xBA210000 C:\WINDOWS\system32\DRIVERS\SMCLIB.SYS 16384 bytes (Microsoft Corporation, Smard Card Driver Library)
0xF78A3000 ACPIEC.sys 12288 bytes (Microsoft Corporation, ACPI Embedded Controller Driver)
0xF791F000 C:\WINDOWS\system32\DRIVERS\AKSCLASS.SYS 12288 bytes (Aladdin Knowledge Systems Ltd., Aladdin Class Driver)
0xF7897000 C:\WINDOWS\system32\BOOTVID.dll 12288 bytes (Microsoft Corporation, VGA Boot Driver)
0xF789B000 compbatt.sys 12288 bytes (Microsoft Corporation, Composite Battery Driver)
0xB10D1000 C:\WINDOWS\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver)
0xBA218000 C:\WINDOWS\system32\DRIVERS\HOTKEY.SYS 12288 bytes (Matsushita Electric Industrial Co.,Ltd., Panasonic PC Hotkey Driver)
0xB055B000 C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys 12288 bytes (Conexant, Diagnostic Interface DRIVER)
0xBA214000 C:\WINDOWS\system32\DRIVERS\ndistapi.sys 12288 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
0xBA5DB000 C:\WINDOWS\system32\DRIVERS\rasacd.sys 12288 bytes (Microsoft Corporation, RAS Automatic Connection Driver)
0xB0CCA000 C:\WINDOWS\system32\DRIVERS\s24trans.sys 12288 bytes (Intel Corporation, Intel WLAN Packet Driver)
0xF79ED000 C:\Program Files\Avira\AntiVir Desktop\avgio.sys 8192 bytes (Avira GmbH, Avira AntiVir Support for Minifilter)
0xF79E5000 C:\WINDOWS\System32\Drivers\Beep.SYS 8192 bytes (Microsoft Corporation, BEEP Driver)
0xF798D000 dmload.sys 8192 bytes (Microsoft Corp., Veritas Software., NT Disk Manager Startup Driver)
0xF79B9000 C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS 8192 bytes
0xF79E3000 C:\WINDOWS\System32\Drivers\Fs_Rec.SYS 8192 bytes (Microsoft Corporation, File System Recognizer Driver)
0xF798B000 intelide.sys 8192 bytes (Microsoft Corporation, Intel PCI IDE Driver)
0xF7987000 C:\WINDOWS\system32\KDCOM.DLL 8192 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
0xF79E7000 C:\WINDOWS\System32\Drivers\mnmdd.SYS 8192 bytes (Microsoft Corporation, Frame buffer simulator)
0xF79C7000 C:\WINDOWS\System32\Drivers\ParVdm.SYS 8192 bytes (Microsoft Corporation, VDM Parallel Driver)
0xF79E9000 C:\WINDOWS\System32\DRIVERS\RDPCDD.sys 8192 bytes (Microsoft Corporation, RDP Miniport)
0xF798F000 speedfan.sys 8192 bytes
0xF79E1000 C:\WINDOWS\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
0xF79DB000 C:\WINDOWS\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
0xF7989000 C:\WINDOWS\system32\DRIVERS\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
0xF7A62000 C:\WINDOWS\system32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver)
0xF7A66000 C:\WINDOWS\System32\drivers\dxgthk.sys 4096 bytes (Microsoft Corporation, DirectX Graphics Driver Thunk)
0xF7A51000 giveio.sys 4096 bytes
0xF7A68000 C:\WINDOWS\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver)
0xF7A50000 C:\WINDOWS\system32\DRIVERS\OPRGHDLR.SYS 4096 bytes (Microsoft Corporation, ACPI Operation Registration Driver)
0xF7A4F000 PCIIde.sys 4096 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)
==============================================
>Stealth
==============================================
0x89053A32 Unknown page with executable code, 1486 bytes
0x890488DC Unknown page with executable code, 1828 bytes
0x8903477D Unknown page with executable code, 2179 bytes
0x8A1D9453 Unknown page with executable code, 2989 bytes
0x890653F6 Unknown page with executable code, 3082 bytes
0x8901D15D Unknown page with executable code, 3747 bytes
0x8906610C Unknown page with executable code, 3828 bytes
0x890D951C Unknown thread object [ ETHREAD 0x8A21C020 ] , 600 bytes
0x890056A3 Unknown thread object [ ETHREAD 0x8A187AD8 ] , 600 bytes
==========================================================================================


MBR Check
===========================================================================================
MBRCheck, version 1.1.1
© 2010, AD

\\.\C: --> \\.\PhysicalDrive0

Size      Device Name          MBR Status
--------------------------------------------
149 GB    \\.\PhysicalDrive0   MBR Code Faked!

Found non-standard or infected MBR.

Enter 'Y' and hit ENTER for more options, or 'N' to exit:

Done! Press ENTER to exit...
============================================================================================

#4 gringo_pr (Malware Response Team)

Posted 20 July 2010 - 09:22 PM

Hello Haertig

Sorry for not replying sooner, but I wanted to check on one of the readings in one of your reports, and we need to check it further. Please do the following:

Re-run MBRCheck again.
When prompted, enter Y
Then enter 1 to dump the MBR to physical disk
Name the dumped file as Dump.dat

Enter -1 to exit

A log file named "dump.dat" will be located in the same folder as MBRCheck was saved, please zip it up and attach in your next reply.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#5 Haertig (Topic Starter)

Posted 21 July 2010 - 01:48 PM

Gringo -

Here you go.


Thanks!


Gray

#6 gringo_pr (Malware Response Team)

Posted 21 July 2010 - 02:32 PM

You did not attach it


Gringo

#7 Haertig (Topic Starter)

Posted 21 July 2010 - 02:56 PM

Hey Gringo,

Well I certainly tried to!

Let's see if I can do a better job this time.

Thanks for your patience!


Gray

PS: OK. Now I see why you wanted me to zip up a 512-byte file: the attachment system won't accept a .dat file. Note to self: stop thinking and just follow instructions!

Attached File: Dump.zip (480 bytes)


#8 gringo_pr (Malware Response Team)

Posted 21 July 2010 - 10:08 PM

Hello,

Sorry this is taking longer than normal, but I am having some people check out that file and they have not gotten back to me yet.


gringo

#9 Haertig (Topic Starter)

Posted 22 July 2010 - 03:19 PM


Hey Gringo,

I am going to be out of the office from Thursday afternoon (PDT) to sometime Monday, so if you don't hear from me right away, I'll be back!


Gray

#10 gringo_pr (Malware Response Team)

Posted 22 July 2010 - 03:32 PM

Hello

They have not gotten back to me, so it looks like it will be Monday then.


7/26

#11 Haertig (Topic Starter)

Posted 26 July 2010 - 02:55 PM


Hey Gringo,

Thought I'd let you know that I'm back in the office.


Gray

#12 gringo_pr (Malware Response Team)

Posted 26 July 2010 - 05:02 PM

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run MBRCheck.exe
  • Run MBRCheck.exe
  • Wait until you see the following line: Enter 'Y' and hit ENTER for more options, or 'N' to exit:
  • Please push the 'Y' key and then press Enter
  • When the program asks you Enter your choice: enter 2 and press the Enter key
  • Now the program will ask you "Enter the physical disk number to fix (0-99, -1 to cancel):"
  • Enter 0 and press the Enter key.
  • The program will show Available MBR codes:, followed by a list of operating systems. Please enter 1 for Windows XP, and then press Enter.
  • When asked Do you want to fix the MBR code? type in YES and press Enter
  • Restart your PC.


After you restart the PC
  • Double click MBRCheck.exe to run (Vista and Win 7: right click and select Run as Administrator)
  • It will show a Black screen with some data on it
  • a report called MBRcheck will be on your desktop
  • open this report
  • Right click on the screen and select > Select All
  • Press Control+C
  • now please copy that report to this thread

Run Combofix:
    Please visit this webpage for download links, and instructions for running the tool:

    http://www.bleepingcomputer.com/combofix/how-to-use-combofix

    Please ensure you read this guide carefully and install the Recovery Console first.

    The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode.
    This allows us to more easily help you should your computer have a problem after an attempted removal of malware.
    It is a simple procedure that will only take a few moments of your time.


    Once installed, you should see a blue screen prompt that says:
      The Recovery Console was successfully installed.
    Please continue as follows:
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Click Yes to allow ComboFix to continue scanning for malware.

    When the tool is finished, it will produce a report for you.

    Please include the report in your next post:

    C:\ComboFix.txt

"information and logs"
    In your next post I need the following
    1. Log from Combofix
    2. report from MBRcheck
    3. let me know of any problems you may have had
    4. How is the computer doing now?

Gringo


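The MBRCheck steps above compare the sector's boot code against a list of known MBR code and report "MBR Code Faked!" when it does not match. As an added example (not code from this thread or from MBRCheck), the Python below runs the same kind of structural and known-good-hash check over a raw 512-byte dump such as the Dump.dat posted earlier; the known-good hash table, the sample boot bytes and the disk signature are constructed placeholders, not real Windows XP values.

```python
"""Structural and known-good-hash check of a raw 512-byte MBR dump.

Added example; not MBRCheck's code.  The known-good table is a constructed
placeholder: on a real engagement fill it with the SHA-256 of the 440-byte
boot-code region captured from a clean machine of the same OS version.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440      # boot code; the 4-byte disk signature follows at 440
PART_TABLE_OFF = 446
PART_ENTRY_LEN = 16
BOOT_SIG_OFF = 510


def code_hash(mbr: bytes) -> str:
    """SHA-256 of the boot-code region only (partition table excluded)."""
    return hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest()


def parse_partitions(mbr: bytes) -> list:
    """Decode the four 16-byte partition entries at offset 446."""
    entries = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sectors(4)
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", mbr, off)
        entries.append({"index": i, "status": status, "type": ptype,
                        "lba_start": lba, "sectors": count})
    return entries


def check_mbr(mbr: bytes, known_good: dict) -> list:
    """Return a list of findings; an empty list means nothing suspicious.

    known_good maps a label to the SHA-256 of a trusted boot-code region.
    A boot code that is not in the set is what MBRCheck calls "faked".
    """
    findings = []
    if len(mbr) != SECTOR_SIZE:
        return [f"length is {len(mbr)} bytes, expected {SECTOR_SIZE}"]
    if mbr[BOOT_SIG_OFF:] != b"\x55\xaa":
        findings.append("boot signature 0x55AA missing at offset 510")
    parts = parse_partitions(mbr)
    for p in parts:
        if p["status"] not in (0x00, 0x80):
            findings.append(f"partition {p['index']}: bad status byte "
                            f"0x{p['status']:02x}")
    active = [p for p in parts if p["status"] == 0x80]
    if len(active) != 1:
        findings.append(f"{len(active)} active partitions, expected 1")
    used = sorted((p for p in parts if p["type"] and p["sectors"]),
                  key=lambda p: p["lba_start"])
    for a, b in zip(used, used[1:]):
        if a["lba_start"] + a["sectors"] > b["lba_start"]:
            findings.append(f"partitions {a['index']} and {b['index']} overlap")
    digest = code_hash(mbr)
    if digest not in known_good.values():
        findings.append(f"boot code sha256 {digest[:12]}... not in known-good set")
    return findings


def build_sample_mbr(code: bytes, active_type: int = 0x07) -> bytes:
    """Constructed test sector: one active NTFS-typed partition at LBA 63."""
    mbr = bytearray(SECTOR_SIZE)
    mbr[:len(code)] = code
    mbr[440:444] = b"\x12\x34\x56\x78"          # constructed disk signature
    struct.pack_into("<B3sB3sII", mbr, PART_TABLE_OFF,
                     0x80, b"\x01\x01\x00", active_type, b"\xfe\xff\xff",
                     63, 312_000_000)
    mbr[BOOT_SIG_OFF:] = b"\x55\xaa"
    return bytes(mbr)


if __name__ == "__main__":
    import sys
    # Constructed "clean" sector stands in for a capture from a trusted host.
    clean = build_sample_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c")
    trusted = {"constructed-clean": code_hash(clean)}
    path = sys.argv[1] if len(sys.argv) > 1 else None
    target = open(path, "rb").read() if path else clean
    for line in check_mbr(target, trusted) or ["no findings"]:
        print(line)
```

Run it with the path to a 512-byte dump to check that file; with no argument it checks its own constructed sector.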

#13 Haertig (Topic Starter)

Posted 26 July 2010 - 06:37 PM

Hello Gringo!

Combofix seems to be hung up.

It downloaded and installed the recovery console successfully and then went on to the -

Scanning for infected.....
...may easily double

screen. It has been there for 20 minutes and I haven't gotten any of the Completed_Stage_xx messages nor has the clock been changed.

There is no disk action. Are there any processes I should look for in Task Manager?

I don't seem to be able to quit Combofix with Task Manager.


Thanks!


Gray



#14 gringo_pr (Malware Response Team)

Posted 26 July 2010 - 06:48 PM

Hello

OK, shut it down and rerun it, and make sure that the antivirus is not running.


Gringo

#15 Haertig (Topic Starter)

Posted 26 July 2010 - 07:19 PM

Hey Gringo!

Before running Combofix again, I reran MBR. It indicated that the MBR was faked. I reran it and cleaned it up again. Then reran it a third time and it indicated the MBR was OK. I rebooted and ran MBR again, and it again said the MBR was faked. So I attempted to fix it several times, but never got an MBR OK message again, irrespective of whether I rebooted or not.

Reran Combofix. It does the registry key back up and I get to the -

Scanning for infected....

screen. There are a couple of minutes of intense disk action and then just occasional disk action. After 10 minutes there are no Completed_Stage_xx messages and the clock remains normal. Haven't seen any disk action in a while.


Thanks!


Gray



