
Unknown infection. GMER causes PC to lockup.


  • This topic is locked
4 replies to this topic

#1 housec


Posted 02 August 2010 - 10:04 PM

Hi,
Hoping someone will be able to help me.
Current symptoms are random redirects from Google search results, a large amount of outbound traffic on SMTP (see netstat log attached), and the occasional bluescreen on boot.
Recently caught an infection with Malwarebytes (after noticing the activity above). My current action has been:
Scans (which have found, and cleaned(?), various bits of nefarious software) from ESET's online scan, Sophos, AVG, Ad-Aware, and Malwarebytes.
Checked my hosts file (which was modified; I have rectified this), and proxy settings were modified in Internet settings too (which I reset back).
This was done from a regular boot, and in safe mode.

To my distress, none of this helped much, and I'm still clearly infected. Hence I stumbled across bleepingcomputer.com :)

Went through the instructions prior to posting; annoyingly, GMER causes the system to lock up about 20 seconds into the scan. (It suspects a rootkit also, though I didn't do a full system scan as requested, though I'm fairly certain this would also cause a lock-up.)

Attached are requested DDS log, and a netstat output.
Below is secondary DDS:



DDS (Ver_10-03-17.01) - NTFSx86
Run by Dez at 1:48:43.91 on 03/08/2010
Internet Explorer: 7.0.6001.18000 BrowserJavaVersion: 1.6.0_17
Microsoft Windows Vista™ Ultimate 6.0.6001.1.1252.44.1033.18.3069.1480 [GMT 1:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\RtkAudioService.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Sony\Network Utility\LANUtil.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\Steam\steam.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Vidalia Bundle\Privoxy\privoxy.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\Sony\VAIO Update 3\VAIOUpdt.exe
C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\PROGRA~1\WinTV\EPG Services\System\EPGService.exe
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Program Files\FileZilla Server\FileZilla Server.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Microsoft SQL Server\90\DTS\Binn\MsDtsSrvr.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL.2\OLAP\bin\msmdsrv.exe
C:\Program Files\Sony\Network Utility\NSUService.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\ArcSoft\Magic-i Visual Effects\uCamMonitor.exe
C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
C:\Program Files\Sony\VAIO Power Management\SPMService.exe
C:\Windows\system32\DllHost.exe
C:\Program Files\Sony\VAIO Event Service\VESMgrSub.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Windows\system32\DllHost.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe
C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
C:\Windows\system32\vmnat.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\VMware\VMware Player\vmware-authd.exe
C:\Windows\system32\vmnetdhcp.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k WindowsMobile
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Users\Dez\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Dez\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Users\Dez\Downloads\dds.scr
C:\Windows\system32\wuauclt.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.club-vaio.com
uDefault_Page_URL = hxxp://www.club-vaio.com
mStart Page = hxxp://www.club-vaio.com
mDefault_Page_URL = hxxp://www.club-vaio.com
uInternet Settings,ProxyOverride = <local>
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.5126.1836\swg.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\progra~1\google~1\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [NSUFloatingUI] "c:\program files\sony\network utility\LANUtil.exe"
uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [PeerGuardian] c:\program files\peerguardian2\pg2.exe
uRun: [Steam] "c:\program files\steam\Steam.exe" -silent
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
StartupFolder: c:\users\dez\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\autost~1.lnk - c:\program files\wintv\Ir.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\privoxy.lnk - c:\program files\vidalia bundle\privoxy\privoxy.exe
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - c:\program files\paltalk messenger\Paltalk.exe
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CF819DA3-9882-4944-ADF5-6EF17ECF3C6E} - "c:\program files\fiddler2\Fiddler.exe"
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
LSP: c:\program files\vmware\vmware player\vsocklib.dll
DPF: {140E4DF8-9E14-4A34-9577-C77561ED7883} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_cyri_4.1.72.0.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {40F576AD-8680-4F9E-9490-99D069CD665F} - hxxp://srtest-cdn.systemrequirementslab.com.s3.amazonaws.com/bin/sysreqlabdetect.cab
DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: VESWinlogon - VESWinlogon.dll
AppInit_DLLs: c:\progra~1\google\google~1\googledesktopnetwork3.dll c:\windows\system32\avgrsstx.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\dez\appdata\roaming\mozilla\firefox\profiles\k5l60kgm.default
FF - component: c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-12-6 64288]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-7-25 216400]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-7-25 29584]
R1 SAVRKBootTasks;Boot Tasks Driver;c:\windows\system32\SAVRKBootTasks.sys [2010-8-3 18816]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-7-25 308136]
R2 EPGService;EPGService;c:\progra~1\wintv\epg services\system\EPGService.exe [2008-11-19 436224]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-9-24 1181328]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2008-7-24 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2008-10-4 47640]
R2 MsDtsServer;SQL Server Integration Services;c:\program files\microsoft sql server\90\dts\binn\MsDtsSrvr.exe [2008-12-18 202592]
R2 NSUService;NSUService;c:\program files\sony\network utility\NSUService.exe [2008-6-23 229376]
R2 regi;regi;c:\windows\system32\drivers\regi.sys [2007-4-18 11032]
R2 RtkHDMIService;RtkHDMIService;c:\windows\RTKAUDIOSERVICE.EXE [2008-6-3 98304]
R2 uCamMonitor;CamMonitor;c:\program files\arcsoft\magic-i visual effects\uCamMonitor.exe [2008-6-23 104960]
R2 VAIO Power Management;VAIO Power Management;c:\program files\sony\vaio power management\SPMService.exe [2008-6-3 411488]
R2 vmci;VMware vmci;c:\windows\system32\drivers\vmci.sys [2010-1-22 70704]
R2 VMUSBArbService;VMware USB Arbitration Service;c:\program files\common files\vmware\usb\vmware-usbarbitrator.exe [2010-1-22 563760]
R3 ArcSoftKsUFilter;ArcSoft Magic-I Visual Effect;c:\windows\system32\drivers\ArcSoftKsUFilter.sys [2008-6-23 17408]
R3 NETw5v32;Intel Wireless WiFi Link Adapter Driver for Windows Vista 32 Bit ;c:\windows\system32\drivers\NETw5v32.sys [2008-4-28 3658752]
R3 SFEP;Sony Firmware Extension Parser;c:\windows\system32\drivers\SFEP.sys [2007-12-17 9344]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-28 135664]
S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\drivers\btwl2cap.sys [2008-6-3 28464]
S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files\steam\steamapps\common\dragon age origins\bin_ship\daupdatersvc.service.exe [2010-3-10 25832]
S3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\google\google desktop search\GoogleDesktop.exe [2008-6-23 30192]
S3 hcw95bda;Hauppauge MOD7700 Tuner Driver;c:\windows\system32\drivers\hcw95bda.sys [2008-11-19 560640]
S3 hcw95rc;Hauppauge MOD7700 IR Driver;c:\windows\system32\drivers\hcw95rc.sys [2008-11-19 15616]
S3 SOHCImp;VAIO Media plus Content Importer;c:\program files\sony\vaio media plus\SOHCImp.exe [2008-6-23 104288]
S3 SOHDms;VAIO Media plus Digital Media Server;c:\program files\sony\vaio media plus\SOHDms.exe [2008-6-23 350048]
S3 SOHDs;VAIO Media plus Device Searcher;c:\program files\sony\vaio media plus\SOHDs.exe [2008-6-23 63328]
S3 VcmIAlzMgr;VAIO Content Metadata Intelligent Analyzing Manager;c:\program files\sony\vcm intelligent analyzing manager\VcmIAlzMgr.exe [2008-6-23 333088]
S3 VcmXmlIfHelper;VAIO Content Metadata XML Interface;c:\program files\common files\sony shared\vcmxml\VcmXmlIfHelper.exe [2008-6-23 87328]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 HauppaugeTVServer;HauppaugeTVServer;c:\progra~1\wintv\HCWTVS~1.EXE [2008-11-19 815104]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\microsoft visual studio 8\common7\ide\remote debugger\x86\msvsmon.exe [2007-2-22 2808664]

=============== Created Last 30 ================

2010-08-03 00:40:40 93056 ----a-w- C:\pxldypog.sys
2010-08-03 00:22:26 176 ----a-w- c:\users\dez\defogger_reenable
2010-08-02 23:14:36 18816 ------w- c:\windows\system32\SAVRKBootTasks.sys
2010-08-02 14:38:17 0 d-----w- c:\program files\ESET
2010-08-02 13:55:09 0 d-----w- c:\program files\Sophos
2010-08-02 13:32:31 0 d-sh--w- C:\$RECYCLE.BIN
2010-08-02 11:58:38 98816 ----a-w- c:\windows\sed.exe
2010-08-02 11:58:38 77312 ----a-w- c:\windows\MBR.exe
2010-08-02 11:58:38 256512 ----a-w- c:\windows\PEV.exe
2010-08-02 11:58:38 161792 ----a-w- c:\windows\SWREG.exe
2010-07-27 09:13:30 42980 ----a-w- c:\windows\system32\oiffl
2010-07-25 10:26:26 0 d-----w- c:\programdata\F-Secure
2010-07-25 03:58:20 12536 ----a-w- c:\windows\system32\avgrsstx.dll
2010-07-25 03:58:20 0 d-----w- c:\windows\system32\drivers\Avg
2010-07-25 03:57:49 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-07-25 03:28:35 0 d-----w- c:\windows\pss
2010-07-24 22:40:34 0 d-----w- c:\users\dez\appdata\roaming\Malwarebytes
2010-07-24 22:37:40 767488 ----a-w- c:\windows\system32\drivers\mezrgr.sys
2010-07-24 22:37:31 150 ----a-w- C:\zrpt.xml

==================== Find3M ====================

2010-06-02 15:06:44 83360 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2010-06-02 15:06:28 87424 ----a-w- c:\windows\system32\LMIinit.dll
2010-06-02 15:06:28 29568 ----a-w- c:\windows\system32\LMIport.dll
2010-05-31 16:39:45 86016 ----a-w- c:\windows\inf\infstor.dat
2010-05-31 16:39:45 51200 ----a-w- c:\windows\inf\infpub.dat
2010-05-31 16:39:44 143360 ----a-w- c:\windows\inf\infstrng.dat
2010-05-21 13:14:28 221568 ------w- c:\windows\system32\MpSigStub.exe
2008-09-16 16:51:03 665600 ----a-w- c:\windows\inf\drvindex.dat
2008-01-21 02:41:56 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:40:37 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:40:37 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:40:37 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:40:37 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 1:54:45.21 ===============

Also, pid 796 is services.exe

Hoping someone can help!

Thanks,
Chris.

Also if it helps,
Here is a RootRepeal log from a few hours ago:

ROOTREPEAL AD, 2007-2009
==================================================
Scan Start Time: 2010/08/03 00:48
Program Version: Version 1.3.5.0
Windows Version: Windows Vista SP1
==================================================

Drivers
-------------------
Name: dump_dumpfve.sys
Image Path: C:\Windows\System32\Drivers\dump_dumpfve.sys
Address: 0x95FCC000 Size: 69632 File Visible: No Signed: -
Status: -

Name: dump_iaStor.sys
Image Path: C:\Windows\System32\Drivers\dump_iaStor.sys
Address: 0x95EFE000 Size: 843776 File Visible: No Signed: -
Status: -

Name: mezrgr.sys
Image Path: C:\Windows\System32\Drivers\mezrgr.sys
Address: 0x83206000 Size: 794624 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\Windows\system32\drivers\rootrepeal.sys
Address: 0xBF825000 Size: 49152 File Visible: No Signed: -
Status: -

Name: speb.sys
Image Path: C:\Windows\System32\Drivers\speb.sys
Address: 0x8068B000 Size: 1048576 File Visible: No Signed: -
Status: -

Name: sptd
Image Path: \Driver\sptd
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Processes
-------------------
Path: System
PID: 4 Status: Locked to the Windows API!

Path: C:\Windows\System32\audiodg.exe
PID: 1444 Status: Locked to the Windows API!

Stealth Objects
-------------------
Object: Hidden Module [Name: msgsres.dll]
Process: msnmsgr.exe (PID: 2504) Address: 0x62570000 Size: 11403264

Object: Hidden Module [Name: msgslang.14.0.8089.0726.dll]
Process: msnmsgr.exe (PID: 2504) Address: 0x66ca0000 Size: 315392

Object: Hidden Module [Name: msgrvsta.thm]
Process: msnmsgr.exe (PID: 2504) Address: 0x672d0000 Size: 20480

Object: Hidden Module [Name: en-GB.dll]
Process: chrome.exe (PID: 2564) Address: 0x67180000 Size: 172032

Object: Hidden Module [Name: en-GB.dll]
Process: chrome.exe (PID: 5992) Address: 0x67180000 Size: 172032

Object: Hidden Module [Name: en-GB.dll]
Process: chrome.exe (PID: 2716) Address: 0x67180000 Size: 172032

Object: Hidden Module [Name: en-GB.dll]
Process: chrome.exe (PID: 4864) Address: 0x67180000 Size: 172032

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System Address: 0x8823e8f8 Size: 1800

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLOSE]
Process: System Address: 0x8652f1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
Process: System Address: 0x8652f1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_WRITE]
Process: System Address: 0x8652f1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x8652f1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x8652f1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_EA]
Process: System Address: 0x8652f1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_EA]
Process: System Address: 0x8652f1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8652f1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x8652f1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x8652f1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x8652f1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x8652f1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8652f1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8652f1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x8652f1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLEANUP]
Process: System Address: 0x8652f1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x8652f1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_SECURITY]
Process: System Address: 0x8652f1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x8652f1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_QUOTA]
Process: System Address: 0x8652f1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_PNP]
Process: System Address: 0x8652f1f8 Size: 121

Object: Hidden Code [Driver: udfsЇ慖⁤詳阮綐騆嶈騇嘠嘵ܠ, IRP_MJ_CREATE]
Process: System Address: 0x882301f8 Size: 121

Object: Hidden Code [Driver: udfsЇ慖⁤詳阮綐騆嶈騇嘠嘵ܠ, IRP_MJ_CLOSE]
Process: System Address: 0x882301f8 Size: 121

Object: Hidden Code [Driver: udfsЇ慖⁤詳阮綐騆嶈騇嘠嘵ܠ, IRP_MJ_READ]
Process: System Address: 0x882301f8 Size: 121

Object: Hidden Code [Driver: udfsЇ慖⁤詳阮綐騆嶈騇嘠嘵ܠ, IRP_MJ_WRITE]
Process: System Address: 0x882301f8 Size: 121

Object: Hidden Code [Driver: udfsЇ慖⁤詳阮綐騆嶈騇嘠嘵ܠ, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x882301f8 Size: 121

Object: Hidden Code [Driver: udfsЇ慖⁤詳阮綐騆嶈騇嘠嘵ܠ, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x882301f8 Size: 121

Object: Hidden Code [Driver: udfsЇ慖⁤詳阮綐騆嶈騇嘠嘵ܠ, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x882301f8 Size: 121

Object: Hidden Code [Driver: udfsЇ慖⁤詳阮綐騆嶈騇嘠嘵ܠ, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x882301f8 Size: 121

Object: Hidden Code [Driver: udfsЇ慖⁤詳阮綐騆嶈騇嘠嘵ܠ, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x882301f8 Size: 121

Object: Hidden Code [Driver: udfsЇ慖⁤詳阮綐騆嶈騇嘠嘵ܠ, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x882301f8 Size: 121

Object: Hidden Code [Driver: udfsЇ慖⁤詳阮綐騆嶈騇嘠嘵ܠ, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x882301f8 Size: 121

Object: Hidden Code [Driver: udfsЇ慖⁤詳阮綐騆嶈騇嘠嘵ܠ, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x882301f8 Size: 121

Object: Hidden Code [Driver: udfsЇ慖⁤詳阮綐騆嶈騇嘠嘵ܠ, IRP_MJ_SHUTDOWN]
Process: System Address: 0x882301f8 Size: 121

Object: Hidden Code [Driver: udfsЇ慖⁤詳阮綐騆嶈騇嘠嘵ܠ, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x882301f8 Size: 121

Object: Hidden Code [Driver: udfsЇ慖⁤詳阮綐騆嶈騇嘠嘵ܠ, IRP_MJ_CLEANUP]
Process: System Address: 0x882301f8 Size: 121

Object: Hidden Code [Driver: udfsЇ慖⁤詳阮綐騆嶈騇嘠嘵ܠ, IRP_MJ_PNP]
Process: System Address: 0x882301f8 Size: 121

Object: Hidden Code [Driver: a6mijn70Ѕ潉†, IRP_MJ_CREATE]
Process: System Address: 0x8844b500 Size: 121

Object: Hidden Code [Driver: a6mijn70Ѕ潉†, IRP_MJ_CLOSE]
Process: System Address: 0x8844b500 Size: 121

Object: Hidden Code [Driver: a6mijn70Ѕ潉†, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8844b500 Size: 121

Object: Hidden Code [Driver: a6mijn70Ѕ潉†, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8844b500 Size: 121

Object: Hidden Code [Driver: a6mijn70Ѕ潉†, IRP_MJ_POWER]
Process: System Address: 0x8844b500 Size: 121

Object: Hidden Code [Driver: a6mijn70Ѕ潉†, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8844b500 Size: 121

Object: Hidden Code [Driver: a6mijn70Ѕ潉†, IRP_MJ_PNP]
Process: System Address: 0x8844b500 Size: 121

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_CREATE]
Process: System Address: 0x915aa1f8 Size: 121

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_CLOSE]
Process: System Address: 0x915aa1f8 Size: 121

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_READ]
Process: System Address: 0x915aa1f8 Size: 121

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_WRITE]
Process: System Address: 0x915aa1f8 Size: 121

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x915aa1f8 Size: 121

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x915aa1f8 Size: 121

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_POWER]
Process: System Address: 0x915aa1f8 Size: 121

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x915aa1f8 Size: 121

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_PNP]
Process: System Address: 0x915aa1f8 Size: 121

Object: Hidden Code [Driver: cdrom, IRP_MJ_CREATE]
Process: System Address: 0x90a821f8 Size: 121

Object: Hidden Code [Driver: cdrom, IRP_MJ_CLOSE]
Process: System Address: 0x90a821f8 Size: 121

Object: Hidden Code [Driver: cdrom, IRP_MJ_READ]
Process: System Address: 0x90a821f8 Size: 121

Object: Hidden Code [Driver: cdrom, IRP_MJ_WRITE]
Process: System Address: 0x90a821f8 Size: 121

Object: Hidden Code [Driver: cdrom, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x90a821f8 Size: 121

Object: Hidden Code [Driver: cdrom, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x90a821f8 Size: 121

Object: Hidden Code [Driver: cdrom, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x90a821f8 Size: 121

Object: Hidden Code [Driver: cdrom, IRP_MJ_SHUTDOWN]
Process: System Address: 0x90a821f8 Size: 121

Object: Hidden Code [Driver: cdrom, IRP_MJ_POWER]
Process: System Address: 0x90a821f8 Size: 121

Object: Hidden Code [Driver: cdrom, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x90a821f8 Size: 121

Object: Hidden Code [Driver: cdrom, IRP_MJ_PNP]
Process: System Address: 0x90a821f8 Size: 121

Object: Hidden Code [Driver: usbuhci苐П牄ְ讧⣰趾, IRP_MJ_CREATE]
Process: System Address: 0x88130500 Size: 121

Object: Hidden Code [Driver: usbuhci苐П牄ְ讧⣰趾, IRP_MJ_CLOSE]
Process: System Address: 0x88130500 Size: 121

Object: Hidden Code [Driver: usbuhci苐П牄ְ讧⣰趾, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x88130500 Size: 121

Object: Hidden Code [Driver: usbuhci苐П牄ְ讧⣰趾, IRP_MJ_POWER]
Process: System Address: 0x88130500 Size: 121

Object: Hidden Code [Driver: usbuhci苐П牄ְ讧⣰趾, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x88130500 Size: 121

Object: Hidden Code [Driver: usbuhci苐П牄ְ讧⣰趾, IRP_MJ_PNP]
Process: System Address: 0x88130500 Size: 121

Object: Hidden Code [Driver: Smb前Q瑎牦㧐邾爐酊提눫, IRP_MJ_CREATE]
Process: System Address: 0x951671f8 Size: 121

Object: Hidden Code [Driver: Smb前Q瑎牦㧐邾爐酊提눫, IRP_MJ_CLOSE]
Process: System Address: 0x951671f8 Size: 121

Object: Hidden Code [Driver: Smb前Q瑎牦㧐邾爐酊提눫, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x951671f8 Size: 121

Object: Hidden Code [Driver: Smb前Q瑎牦㧐邾爐酊提눫, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x951671f8 Size: 121

Object: Hidden Code [Driver: Smb前Q瑎牦㧐邾爐酊提눫, IRP_MJ_CLEANUP]
Process: System Address: 0x951671f8 Size: 121

Object: Hidden Code [Driver: Smb前Q瑎牦㧐邾爐酊提눫, IRP_MJ_PNP]
Process: System Address: 0x951671f8 Size: 121

Object: Hidden Code [Driver: netbt, IRP_MJ_CREATE]
Process: System Address: 0x9509d1f8 Size: 121

Object: Hidden Code [Driver: netbt, IRP_MJ_CLOSE]
Process: System Address: 0x9509d1f8 Size: 121

Object: Hidden Code [Driver: netbt, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x9509d1f8 Size: 121

Object: Hidden Code [Driver: netbt, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x9509d1f8 Size: 121

Object: Hidden Code [Driver: netbt, IRP_MJ_CLEANUP]
Process: System Address: 0x9509d1f8 Size: 121

Object: Hidden Code [Driver: netbt, IRP_MJ_PNP]
Process: System Address: 0x9509d1f8 Size: 121

Object: Hidden Code [Driver: iScsiPrt瑎牦臠迧簘酕І瑎湦܇$, IRP_MJ_CREATE]
Process: System Address: 0x884771f8 Size: 121

Object: Hidden Code [Driver: iScsiPrt瑎牦臠迧簘酕І瑎湦܇$, IRP_MJ_CLOSE]
Process: System Address: 0x884771f8 Size: 121

Object: Hidden Code [Driver: iScsiPrt瑎牦臠迧簘酕І瑎湦܇$, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x884771f8 Size: 121

Object: Hidden Code [Driver: iScsiPrt瑎牦臠迧簘酕І瑎湦܇$, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x884771f8 Size: 121

Object: Hidden Code [Driver: iScsiPrt瑎牦臠迧簘酕І瑎湦܇$, IRP_MJ_POWER]
Process: System Address: 0x884771f8 Size: 121

Object: Hidden Code [Driver: iScsiPrt瑎牦臠迧簘酕І瑎湦܇$, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x884771f8 Size: 121

Object: Hidden Code [Driver: iScsiPrt瑎牦臠迧簘酕І瑎湦܇$, IRP_MJ_PNP]
Process: System Address: 0x884771f8 Size: 121

Object: Hidden Code [Driver: volmgr, IRP_MJ_CREATE]
Process: System Address: 0x8576e1f8 Size: 121

Object: Hidden Code [Driver: volmgr, IRP_MJ_READ]
Process: System Address: 0x8576e1f8 Size: 121

Object: Hidden Code [Driver: volmgr, IRP_MJ_WRITE]
Process: System Address: 0x8576e1f8 Size: 121

Object: Hidden Code [Driver: volmgr, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8576e1f8 Size: 121

Object: Hidden Code [Driver: volmgr, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8576e1f8 Size: 121

Object: Hidden Code [Driver: volmgr, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8576e1f8 Size: 121

Object: Hidden Code [Driver: volmgr, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8576e1f8 Size: 121

Object: Hidden Code [Driver: volmgr, IRP_MJ_CLEANUP]
Process: System Address: 0x8576e1f8 Size: 121

Object: Hidden Code [Driver: volmgr, IRP_MJ_POWER]
Process: System Address: 0x8576e1f8 Size: 121

Object: Hidden Code [Driver: volmgr, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8576e1f8 Size: 121

Object: Hidden Code [Driver: volmgr, IRP_MJ_PNP]
Process: System Address: 0x8576e1f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CREATE]
Process: System Address: 0x8812c1f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CLOSE]
Process: System Address: 0x8812c1f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8812c1f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_POWER]
Process: System Address: 0x8812c1f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8812c1f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_PNP]
Process: System Address: 0x8812c1f8 Size: 121

Object: Hidden Code [Driver: mrxsmb￿Ј敓摔騂ヘ騃, IRP_MJ_CREATE]
Process: System Address: 0x882d8500 Size: 121

Object: Hidden Code [Driver: mrxsmb￿Ј敓摔騂ヘ騃, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x882d8500 Size: 121

Object: Hidden Code [Driver: mrxsmb￿Ј敓摔騂ヘ騃, IRP_MJ_CLOSE]
Process: System Address: 0x882d8500 Size: 121

Object: Hidden Code [Driver: mrxsmb￿Ј敓摔騂ヘ騃, IRP_MJ_READ]
Process: System Address: 0x882d8500 Size: 121

Object: Hidden Code [Driver: mrxsmb￿Ј敓摔騂ヘ騃, IRP_MJ_WRITE]
Process: System Address: 0x882d8500 Size: 121

Object: Hidden Code [Driver: mrxsmb￿Ј敓摔騂ヘ騃, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x882d8500 Size: 121

Object: Hidden Code [Driver: mrxsmb￿Ј敓摔騂ヘ騃, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x882d8500 Size: 121

Object: Hidden Code [Driver: mrxsmb￿Ј敓摔騂ヘ騃, IRP_MJ_QUERY_EA]
Process: System Address: 0x882d8500 Size: 121

Object: Hidden Code [Driver: mrxsmb￿Ј敓摔騂ヘ騃, IRP_MJ_SET_EA]
Process: System Address: 0x882d8500 Size: 121

Object: Hidden Code [Driver: mrxsmb￿Ј敓摔騂ヘ騃, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x882d8500 Size: 121

Object: Hidden Code [Driver: mrxsmb￿Ј敓摔騂ヘ騃, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x882d8500 Size: 121

Object: Hidden Code [Driver: mrxsmb￿Ј敓摔騂ヘ騃, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x882d8500 Size: 121

Object: Hidden Code [Driver: mrxsmb￿Ј敓摔騂ヘ騃, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x882d8500 Size: 121

Object: Hidden Code [Driver: mrxsmb￿Ј敓摔騂ヘ騃, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x882d8500 Size: 121

Object: Hidden Code [Driver: mrxsmb￿Ј敓摔騂ヘ騃, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x882d8500 Size: 121

Object: Hidden Code [Driver: mrxsmb￿Ј敓摔騂ヘ騃, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x882d8500 Size: 121

Object: Hidden Code [Driver: mrxsmb￿Ј敓摔騂ヘ騃, IRP_MJ_SHUTDOWN]
Process: System Address: 0x882d8500 Size: 121

Object: Hidden Code [Driver: mrxsmb￿Ј敓摔騂ヘ騃, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x882d8500 Size: 121

Object: Hidden Code [Driver: mrxsmb￿Ј敓摔騂ヘ騃, IRP_MJ_CLEANUP]
Process: System Address: 0x882d8500 Size: 121

Object: Hidden Code [Driver: mrxsmb￿Ј敓摔騂ヘ騃, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x882d8500 Size: 121

Object: Hidden Code [Driver: mrxsmb￿Ј敓摔騂ヘ騃, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x882d8500 Size: 121

Object: Hidden Code [Driver: mrxsmb￿Ј敓摔騂ヘ騃, IRP_MJ_SET_SECURITY]
Process: System Address: 0x882d8500 Size: 121

Object: Hidden Code [Driver: mrxsmb￿Ј敓摔騂ヘ騃, IRP_MJ_POWER]
Process: System Address: 0x882d8500 Size: 121

Object: Hidden Code [Driver: mrxsmb￿Ј敓摔騂ヘ騃, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x882d8500 Size: 121

Object: Hidden Code [Driver: mrxsmb￿Ј敓摔騂ヘ騃, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x882d8500 Size: 121

Object: Hidden Code [Driver: mrxsmb￿Ј敓摔騂ヘ騃, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x882d8500 Size: 121

Object: Hidden Code [Driver: mrxsmb￿Ј敓摔騂ヘ騃, IRP_MJ_SET_QUOTA]
Process: System Address: 0x882d8500 Size: 121

Object: Hidden Code [Driver: mrxsmb￿Ј敓摔騂ヘ騃, IRP_MJ_PNP]
Process: System Address: 0x882d8500 Size: 121

Object: Hidden Code [Driver: cdfsЍ䵆汳`ﶬ뤠ﶬ뤠旘蟪ﶀ뤠㍜莏, IRP_MJ_CREATE]
Process: System Address: 0xb2301500 Size: 121

Object: Hidden Code [Driver: cdfsЍ䵆汳`ﶬ뤠ﶬ뤠旘蟪ﶀ뤠㍜莏, IRP_MJ_CLOSE]
Process: System Address: 0xb2301500 Size: 121

Object: Hidden Code [Driver: cdfsЍ䵆汳`ﶬ뤠ﶬ뤠旘蟪ﶀ뤠㍜莏, IRP_MJ_READ]
Process: System Address: 0xb2301500 Size: 121

Object: Hidden Code [Driver: cdfsЍ䵆汳`ﶬ뤠ﶬ뤠旘蟪ﶀ뤠㍜莏, IRP_MJ_WRITE]
Process: System Address: 0xb2301500 Size: 121

Object: Hidden Code [Driver: cdfsЍ䵆汳`ﶬ뤠ﶬ뤠旘蟪ﶀ뤠㍜莏, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0xb2301500 Size: 121

Object: Hidden Code [Driver: cdfsЍ䵆汳`ﶬ뤠ﶬ뤠旘蟪ﶀ뤠㍜莏, IRP_MJ_SET_INFORMATION]
Process: System Address: 0xb2301500 Size: 121

Object: Hidden Code [Driver: cdfsЍ䵆汳`ﶬ뤠ﶬ뤠旘蟪ﶀ뤠㍜莏, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0xb2301500 Size: 121

Object: Hidden Code [Driver: cdfsЍ䵆汳`ﶬ뤠ﶬ뤠旘蟪ﶀ뤠㍜莏, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0xb2301500 Size: 121

Object: Hidden Code [Driver: cdfsЍ䵆汳`ﶬ뤠ﶬ뤠旘蟪ﶀ뤠㍜莏, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0xb2301500 Size: 121

Object: Hidden Code [Driver: cdfsЍ䵆汳`ﶬ뤠ﶬ뤠旘蟪ﶀ뤠㍜莏, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0xb2301500 Size: 121

Object: Hidden Code [Driver: cdfsЍ䵆汳`ﶬ뤠ﶬ뤠旘蟪ﶀ뤠㍜莏, IRP_MJ_SHUTDOWN]
Process: System Address: 0xb2301500 Size: 121

Object: Hidden Code [Driver: cdfsЍ䵆汳`ﶬ뤠ﶬ뤠旘蟪ﶀ뤠㍜莏, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0xb2301500 Size: 121

Object: Hidden Code [Driver: cdfsЍ䵆汳`ﶬ뤠ﶬ뤠旘蟪ﶀ뤠㍜莏, IRP_MJ_CLEANUP]
Process: System Address: 0xb2301500 Size: 121

Object: Hidden Code [Driver: cdfsЍ䵆汳`ﶬ뤠ﶬ뤠旘蟪ﶀ뤠㍜莏, IRP_MJ_PNP]
Process: System Address: 0xb2301500 Size: 121

Hidden Services
-------------------
Service Name: mezrgr
Image Path: C:\Windows\system32\drivers\mezrgr.sys

==EOF==


Also, mezrgr gets reported by GMER before it totally locks up my machine (which then requires a hard boot, which I didn't mention earlier).

-Chris.

Also, here is an RKUnhooker report:

RkU Version: 3.8.388.590, Type LE (SR2)
==============================================
OS Name: Windows Vista
Version 6.0.6001 (Service Pack 1)
Number of processors #2
==============================================
>Processes
==============================================
0x8235B3C8 [124] C:\Windows\System32\spoolsv.exe (Microsoft Corporation, Spooler SubSystem App)
0x96091570 [356] C:\Windows\System32\SearchIndexer.exe (Microsoft Corporation, Microsoft Windows Search Indexer)
0x82364570 [376] C:\Windows\System32\svchost.exe (Microsoft Corporation, Host Process for Windows Services)
0x960B0358 [552] C:\Windows\System32\smss.exe (Microsoft Corporation, Windows Session Manager)
0x961A3130 [692] C:\Windows\System32\csrss.exe (Microsoft Corporation, Client Server Runtime Process)
0x85E534B8 [748] C:\Users\Dez\AppData\Local\Google\Chrome\Application\chrome.exe (Google Inc., Google Chrome)
0x9608B810 [752] C:\Windows\System32\wininit.exe (Microsoft Corporation, Windows Start-Up Application)
0x9CA79200 [764] C:\Windows\System32\csrss.exe (Microsoft Corporation, Client Server Runtime Process)
0x9CA94AD8 [796] C:\Windows\System32\services.exe (Microsoft Corporation, Services and Controller app)
0x9CA95568 [812] C:\Windows\System32\lsass.exe (Microsoft Corporation, Local Security Authority Process)
0x9CAAE7A8 [844] C:\Windows\System32\lsm.exe (Microsoft Corporation, Local Session Manager Service)
0x9503FCD0 [860] C:\Program Files\Sony\Network Utility\NSUService.exe (Sony Corporation, VAIO Smart Network)
0x82391D90 [976] C:\Program Files\LogMeIn\x86\LMIGuardian.exe (LogMeIn, Inc., LMIGuardian)
0x9CB41AD8 [980] C:\Windows\System32\svchost.exe (Microsoft Corporation, Host Process for Windows Services)
0x82224D90 [1036] C:\Windows\System32\svchost.exe (Microsoft Corporation, Host Process for Windows Services)
0x82217778 [1120] C:\Windows\System32\Ati2evxx.exe (ATI Technologies Inc., ATI External Event Utility EXE Module)
0x9CADED90 [1156] C:\Windows\System32\winlogon.exe (Microsoft Corporation, Windows Logon Application)
0x8237E7C0 [1184] C:\Windows\System32\svchost.exe (Microsoft Corporation, Host Process for Windows Services)
0x822733F0 [1268] C:\Windows\System32\svchost.exe (Microsoft Corporation, Host Process for Windows Services)
0x8AECB708 [1320] C:\Windows\System32\taskeng.exe (Microsoft Corporation, Task Scheduler Engine)
0x85CE2BA0 [1328] C:\Users\Dez\AppData\Local\Google\Chrome\Application\chrome.exe (Google Inc., Google Chrome)
0x8222B020 [1352] C:\Windows\System32\svchost.exe (Microsoft Corporation, Host Process for Windows Services)
0x8228C6B8 [1452] C:\Windows\System32\SLsvc.exe (Microsoft Corporation, Microsoft Software Licensing Service)
0xB17DA830 [1480] C:\Windows\System32\vmnat.exe (VMware, Inc., VMware NAT Service)
0x82296570 [1516] C:\Windows\System32\svchost.exe (Microsoft Corporation, Host Process for Windows Services)
0xA11F3588 [1528] C:\Program Files\Microsoft SQL Server\MSSQL.2\OLAP\bin\msmdsrv.exe (Microsoft Corporation, Microsoft SQL Server Analysis Services)
0x8225FA98 [1632] C:\Windows\RTKAUDIOSERVICE.EXE (Realtek Semiconductor, Realtek Audio Service)
0x822C9368 [1680] C:\Windows\System32\svchost.exe (Microsoft Corporation, Host Process for Windows Services)
0xB16DD988 [1776] C:\Program Files\Sony\VAIO Event Service\VESMgr.exe (Sony Corporation, VAIO Event Service (Service Module))
0x92130638 [1788] C:\Windows\explorer.exe (Microsoft Corporation, Windows Explorer)
0x823C3D20 [1876] C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe (Lavasoft, Ad-Aware Service Application)
0x9508ED90 [1888] C:\Windows\System32\wlanext.exe (Microsoft Corporation, Windows Wireless LAN 802.11 Extensibility Framework)
0x95095D90 [1948] C:\Windows\System32\Ati2evxx.exe (ATI Technologies Inc., ATI External Event Utility EXE Module)
0x9CB9F020 [2100] C:\Windows\System32\dwm.exe (Microsoft Corporation, Desktop Window Manager)
0x920BDD90 [2144] C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe (Microsoft Corporation, SQL Server VSS Writer)
0x9CBED020 [2168] C:\Windows\System32\taskeng.exe (Microsoft Corporation, Task Scheduler Engine)
0x8224D020 [2176] C:\Program Files\Microsoft SQL Server\90\DTS\Binn\MsDtsSrvr.exe (Microsoft Corporation, )
0xB16D61B0 [2260] C:\Windows\System32\svchost.exe (Microsoft Corporation, Host Process for Windows Services)
0x88429428 [2308] C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe (Microsoft Corporation, PKM executable)
0xB2A4CD90 [2344] C:\Program Files\Sony\VAIO Power Management\SPMgr.exe (Sony Corporation, SPMgr.exe)
0xA1D3D570 [2372] C:\Program Files\Sony\Network Utility\LANUtil.exe (Sony Corporation, VAIO Smart Network)
0x823E2020 [2400] C:\Program Files\Windows Live\Messenger\msnmsgr.exe (Microsoft Corporation, Windows Live Messenger)
0x9CBCA020 [2416] C:\Windows\System32\svchost.exe (Microsoft Corporation, Host Process for Windows Services)
0x88427D90 [2424] C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe (Microsoft Corporation, SQL Server Windows NT)
0xA1DB0330 [2452] C:\Program Files\TortoiseSVN\bin\TSVNCache.exe (http://tortoisesvn.net, TortoiseSVN status cache)
0xA1DE9428 [2500] C:\Program Files\PeerGuardian2\pg2.exe (Methlabs, PeerGuardian 2)
0xA1DF0580 [2512] C:\Program Files\Steam\steam.exe (Valve Corporation, Steam)
0xA1DF2C70 [2528] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc., GoogleToolbarNotifier)
0xA1DF4D90 [2552] C:\Program Files\Vidalia Bundle\Privoxy\privoxy.exe (The Privoxy team - www.privoxy.org, Privoxy)
0xA1DF5838 [2564] C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (Microsoft Corporation, Microsoft Office OneNote Quick Launcher)
0xB2A90020 [2840] C:\Windows\System32\svchost.exe (Microsoft Corporation, Host Process for Windows Services)
0x822788B0 [2868] C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe (Sony Corporation, VAIO Entertainment Database Service)
0x9CB607A0 [2936] C:\Program Files\Sony\VAIO Update 3\VAIOUpdt.exe (Sony Corporation, VAIO Update)
0x864B8D90 [3040] C:\Users\Dez\Downloads\RKUnhookerLE.EXE (UG North, RKULE, SR2 Normandy)
0x822FA020 [3064] C:\Program Files\ArcSoft\Magic-i Visual Effects\uCamMonitor.exe (ArcSoft, Inc., MgiSvr)
0x9CA875B0 [3104] C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe (Intel Corporation, Intel PROSet/Wireless Registry Service)
0xA115A8D8 [3136] C:\Windows\System32\wuauclt.exe (Microsoft Corporation, Windows Update)
0xB2A4B9A8 [3316] C:\Program Files\Sony\VAIO Power Management\SPMService.exe (Sony Corporation, SPMService.exe)
0xB1605D90 [3388] C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
0xB160E560 [3436] C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe (Apple Inc., Apple Mobile Device Service)
0xB16374C0 [3452] C:\Program Files\AVG\AVG9\avgwdsvc.exe (AVG Technologies CZ, s.r.o., AVG Watchdog Service)
0xB1613A30 [3476] C:\Program Files\Bonjour\mDNSResponder.exe (Apple Inc., Bonjour Service)
0xB1612988 [3488] C:\Windows\System32\svchost.exe (Microsoft Corporation, Host Process for Windows Services)
0xB166A488 [3512] C:\PROGRA~1\WinTV\EPG Services\System\EPGService.exe (Hauppauge Computer Works, EPGService Module)
0xB1686430 [3532] C:\Program Files\Intel\WiFi\bin\EvtEng.exe (Intel Corporation, Intel PROSet/Wireless Event Log Service)
0xB162DD90 [3676] C:\Program Files\FileZilla Server\FileZilla server.exe (FileZilla Project, FileZilla Server)
0xB17CE810 [3728] C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe (Sony Corporation, VAIO Entertainment UPnP Client Adapter)
0xB1681368 [3768] C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe (InterVideo, RegMgr Module)
0xB1685BC8 [3856] C:\Program Files\LogMeIn\x86\ramaint.exe (LogMeIn, Inc., LogMeIn Maintenance Service)
0xB1710318 [3868] C:\Windows\System32\dllhost.exe (Microsoft Corporation, COM Surrogate)
0xB432BD90 [4028] C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe (VMware, Inc., VMware USB Arbitration Service)
0x822F53D0 [4088] C:\Program Files\LogMeIn\x86\LogMeIn.exe (LogMeIn, Inc., LogMeIn)
0xB2A946B0 [4184] C:\Windows\System32\drivers\XAudio.exe (Conexant Systems, Inc., Modem Audio Service)
0x920CC980 [4260] C:\Program Files\VMware\VMware Player\vmware-authd.exe (VMware, Inc., VMware Authorization Service)
0x920C83D8 [4336] C:\Windows\System32\vmnetdhcp.exe (VMware, Inc., VMware VMnet DHCP service)
0x920AFD90 [4424] C:\Windows\System32\wbem\WmiPrvSE.exe (Microsoft Corporation, WMI Provider Host)
0x920B2980 [4432] C:\Program Files\Sony\VAIO Event Service\VESMgrSub.exe (Sony Corporation, VAIO Event Service(Service Sub Module))
0x95195800 [4468] C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe (Sony Corporation, VAIO Entertainment File Import Service)
0xA1084670 [4664] C:\Windows\System32\dllhost.exe (Microsoft Corporation, COM Surrogate)
0x951EC5D8 [4836] C:\Program Files\AVG\AVG9\avgrsx.exe (AVG Technologies CZ, s.r.o., AVG Resident Shield Service)
0xB17D5A68 [4844] C:\Program Files\AVG\AVG9\avgchsvx.exe (AVG Technologies CZ, s.r.o., AVG Cache Server)
0xB17D7458 [4900] C:\Program Files\AVG\AVG9\avgcsrvx.exe (AVG Technologies CZ, s.r.o., AVG Scanning Core Module - Server Part)
0x85E60020 [4912] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe (Lavasoft, Ad-Aware Tray Application)
0xB2B2BD90 [5540] C:\Windows\System32\WUDFHost.exe (Microsoft Corporation, Windows Driver Foundation - User-mode Driver Framework Host Process)
0xB2B16020 [5716] C:\Program Files\LogMeIn\x86\LogMeInSystray.exe (LogMeIn, Inc., LogMeIn Desktop Application)
0xB17A16B8 [5728] C:\Program Files\LogMeIn\x86\LMIGuardian.exe (LogMeIn, Inc., LMIGuardian)
0x82207880 [5780] C:\Windows\System32\wbem\unsecapp.exe (Microsoft Corporation, Sink to receive asynchronous callbacks for WMI client application)
0xB2B81CE0 [5788] C:\Program Files\Windows Media Player\wmpnscfg.exe (Microsoft Corporation, Windows Media Player Network Sharing Service Configuration Application)
0xB2B83D90 [5868] C:\Windows\System32\svchost.exe (Microsoft Corporation, Host Process for Windows Services)
0xB2A124E0 [5952] C:\Program Files\Windows Media Player\wmpnetwk.exe (Microsoft Corporation, Windows Media Player Network Sharing Service)
0x8576FA90 [4] System
0x822A7328 [1412] C:\Windows\System32\audiodg.exe (Microsoft Corporation, Windows Audio Device Graph Isolation )
==============================================
>Drivers
==============================================
0x8FE0E000 C:\Windows\system32\DRIVERS\atikmdag.sys 5025792 bytes (ATI Technologies Inc., ATI Radeon Kernel Mode Driver)
0x82C4B000 C:\Windows\system32\ntkrnlpa.exe 3903488 bytes (Microsoft Corporation, NT Kernel & System)
0x82C4B000 PnpManager 3903488 bytes
0x82C4B000 RAW 3903488 bytes
0x82C4B000 WMIxWDM 3903488 bytes
0x8F805000 C:\Windows\system32\DRIVERS\NETw5v32.sys 3698688 bytes (Intel Corporation, Intel Wireless WiFi Link Driver)
0x9120C000 C:\Windows\system32\drivers\RTKVHDA.sys 2121728 bytes (Realtek Semiconductor Corp., Realtek High Definition Audio Function Driver)
0x9D8B0000 Win32k 2105344 bytes
0x9D8B0000 C:\Windows\System32\win32k.sys 2105344 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0x83A06000 C:\Windows\System32\Drivers\Ntfs.sys 1110016 bytes (Microsoft Corporation, NT File System Driver)
0x83803000 C:\Windows\system32\drivers\ndis.sys 1093632 bytes (Microsoft Corporation, NDIS 6.0 wrapper driver)
0x9144F000 C:\Windows\system32\DRIVERS\HSX_DPV.sys 1060864 bytes (Conexant Systems, Inc., HSF_DP driver)
0x91C08000 C:\Windows\System32\drivers\tcpip.sys 954368 bytes (Microsoft Corporation, TCP/IP Driver)
0x804C5000 C:\Windows\system32\CI.dll 917504 bytes (Microsoft Corporation, Code Integrity Module)
0xB18FE000 C:\Windows\system32\drivers\peauth.sys 909312 bytes (Microsoft Corporation, Protected Environment Authentication and Authorization Export Driver)
0xB180E000 C:\Windows\system32\Drivers\vmx86.sys 847872 bytes (VMware, Inc., VMware kernel driver)
0x8F600000 C:\Windows\System32\Drivers\dump_iaStor.sys 843776 bytes
0x83201000 C:\Windows\system32\DRIVERS\iaStor.sys 843776 bytes (Intel Corporation, Intel Matrix Storage Manager driver - ia32)
0x80711000 C:\Windows\System32\Drivers\mezrgr.sys 794624 bytes
0x91607000 C:\Windows\system32\DRIVERS\HSX_CNXT.sys 737280 bytes (Conexant Systems, Inc., HSF_CNXT driver)
0xA220E000 C:\Windows\system32\drivers\spsys.sys 716800 bytes (Microsoft Corporation, security processor)
0x902D9000 C:\Windows\System32\drivers\dxgkrnl.sys 651264 bytes (Microsoft Corporation, DirectX Graphics Kernel)
0x90609000 C:\Windows\system32\DRIVERS\rdpdr.sys 561152 bytes (Microsoft Corporation, Microsoft RDP Device redirector)
0x8060A000 C:\Windows\system32\drivers\Wdf01000.sys 507904 bytes (Microsoft Corporation, WDF Dynamic)
0x8332A000 C:\Windows\System32\Drivers\ksecdd.sys 462848 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0xA2322000 C:\Windows\system32\drivers\HTTP.sys 446464 bytes (Microsoft Corporation, HTTP Protocol Stack)
0x8040B000 C:\Windows\system32\mcupdate_GenuineIntel.dll 393216 bytes (Microsoft Corporation, Intel Microcode Update Library)
0x91552000 C:\Windows\system32\drivers\csc.sys 368640 bytes (Microsoft Corporation, Windows Client Side Caching Driver)
0x833B0000 C:\Windows\System32\DRIVERS\srv.sys 319488 bytes (Microsoft Corporation, Server driver)
0x8FB8C000 C:\Windows\system32\DRIVERS\yk60x86.sys 311296 bytes (Marvell, Miniport Driver for Marvell Yukon Ethernet Controller.)
0x805A5000 C:\Windows\System32\drivers\volmgrx.sys 303104 bytes (Microsoft Corporation, Volume Manager Extension Driver)
0x91D68000 C:\Windows\system32\drivers\afd.sys 294912 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0x80693000 C:\Windows\system32\drivers\acpi.sys 286720 bytes (Microsoft Corporation, ACPI Driver for NT)
0x80484000 C:\Windows\system32\CLFS.SYS 266240 bytes (Microsoft Corporation, Common Log File System Driver)
0x83973000 C:\Windows\system32\DRIVERS\storport.sys 266240 bytes (Microsoft Corporation, Microsoft Storage Port Driver)
0x903A2000 C:\Windows\system32\DRIVERS\USBPORT.SYS 253952 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0x91412000 C:\Windows\system32\DRIVERS\HSXHWAZL.sys 249856 bytes (Conexant Systems, Inc., HSF_HWAZL WDM driver)
0x9178D000 C:\Windows\system32\DRIVERS\rdbss.sys 245760 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0x95F1B000 C:\Windows\system32\DRIVERS\udfs.sys 241664 bytes (Microsoft Corporation, UDF File System Driver)
0x83939000 C:\Windows\system32\drivers\NETIO.SYS 237568 bytes (Microsoft Corporation, Network I/O Subsystem)
0x95F8D000 C:\Windows\system32\DRIVERS\mrxsmb10.sys 233472 bytes (Microsoft Corporation, Longhorn SMB Downlevel SubRdr)
0x83B15000 C:\Windows\system32\drivers\volsnap.sys 233472 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0x907A4000 C:\Windows\System32\Drivers\avgldx86.sys 212992 bytes (AVG Technologies CZ, s.r.o., AVG AVI Loader Driver)
0x906EB000 C:\Windows\system32\DRIVERS\usbhub.sys 212992 bytes (Microsoft Corporation, Default Hub Driver for USB)
0x82C18000 ACPI_HAL 208896 bytes
0x82C18000 C:\Windows\system32\hal.dll 208896 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0x832CF000 C:\Windows\system32\drivers\fltmgr.sys 204800 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0x91D36000 C:\Windows\System32\DRIVERS\netbt.sys 204800 bytes (Microsoft Corporation, MBT Transport driver)
0x8F79E000 C:\Windows\system32\DRIVERS\msiscsi.sys 188416 bytes (Microsoft Corporation, Microsoft iSCSI Initiator Driver)
0x90752000 C:\Windows\system32\drivers\portcls.sys 184320 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0x8F737000 C:\Windows\system32\DRIVERS\Apfiltr.sys 180224 bytes (Alps Electric Co., Ltd., Alps Touch Pad Driver)
0x8390E000 C:\Windows\system32\drivers\msrpc.sys 176128 bytes (Microsoft Corporation, Kernel Remote Procedure Call Provider)
0x906A4000 C:\Windows\system32\DRIVERS\ks.sys 172032 bytes (Microsoft Corporation, Kernel CSA Library)
0xA22DB000 C:\Windows\system32\DRIVERS\nwifi.sys 172032 bytes (Microsoft Corporation, NativeWiFi Miniport Driver)
0x83B65000 C:\Windows\System32\drivers\ecache.sys 159744 bytes (Microsoft Corporation, Special Memory Device Cache)
0x806EA000 C:\Windows\system32\drivers\pci.sys 159744 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
0x8F6CE000 C:\Windows\System32\DRIVERS\srv2.sys 159744 bytes (Microsoft Corporation, Smb 2.0 Server driver)
0x9077F000 C:\Windows\system32\drivers\drmk.sys 151552 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
0x83B8C000 C:\Windows\System32\DRIVERS\fvevol.sys 147456 bytes (Microsoft Corporation, BitLocker Drive Encryption Driver)
0x839B4000 C:\Windows\system32\DRIVERS\ndiswan.sys 143360 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
0x90730000 C:\Windows\system32\drivers\RtHDMIV.sys 139264 bytes (Realtek Semiconductor Corp., Realtek High Definition Audio Function Driver)
0x83BC1000 C:\Windows\system32\drivers\CLASSPNP.SYS 135168 bytes (Microsoft Corporation, SCSI Class System Dll)
0x916E1000 C:\Windows\System32\Drivers\usbvideo.sys 135168 bytes (Microsoft Corporation, USB Video Class Driver)
0x8F77D000 C:\Windows\system32\DRIVERS\VIDEOPRT.SYS 135168 bytes (Microsoft Corporation, Video Port Driver)
0xA23DA000 C:\Windows\system32\DRIVERS\mrxsmb.sys 126976 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
0xA238F000 C:\Windows\System32\DRIVERS\srvnet.sys 118784 bytes (Microsoft Corporation, Server Network driver)
0x91CF1000 C:\Windows\System32\drivers\fwpkclnt.sys 110592 bytes (Microsoft Corporation, FWP/IPsec Kernel-Mode API)
0x8F70A000 C:\Windows\system32\DRIVERS\rimsptsk.sys 106496 bytes (REDC, RICOH MS Driver)
0xA23AC000 C:\Windows\system32\DRIVERS\bowser.sys 102400 bytes (Microsoft Corporation, NT Lan Manager Datagram Receiver Driver)
0x9170B000 C:\Windows\system32\DRIVERS\cdrom.sys 98304 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
0x95FC6000 C:\Windows\system32\DRIVERS\mrxsmb20.sys 98304 bytes (Microsoft Corporation, Longhorn SMB 2.0 Redirector)
0x917D5000 C:\Windows\System32\Drivers\dfsc.sys 94208 bytes (Microsoft Corporation, DFS Namespace Client Driver)
0x8F7D7000 C:\Windows\system32\DRIVERS\rasl2tp.sys 94208 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
0x916C8000 C:\Windows\system32\DRIVERS\usbccgp.sys 94208 bytes (Microsoft Corporation, USB Common Class Generic Parent Driver)
0x91DB9000 C:\Windows\system32\DRIVERS\pacer.sys 90112 bytes (Microsoft Corporation, QoS Packet Scheduler)
0x91D0C000 C:\Windows\system32\DRIVERS\tdx.sys 90112 bytes (Microsoft Corporation, TDI Translation Driver)
0xA23C5000 C:\Windows\System32\drivers\mpsdrv.sys 86016 bytes (Microsoft Corporation, Microsoft Protection Service Driver)
0x8339B000 C:\Windows\system32\DRIVERS\rassstp.sys 86016 bytes (Microsoft Corporation, RAS SSTP Miniport Call Manager)
0x95E00000 C:\Windows\system32\DRIVERS\WUDFRd.sys 86016 bytes (Microsoft Corporation, Windows Driver Foundation - User-mode Driver Framework Reflector)
0x839E6000 C:\Windows\system32\DRIVERS\raspptp.sys 81920 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
0x91D22000 C:\Windows\system32\DRIVERS\smb.sys 81920 bytes (Microsoft Corporation, SMB Transport driver)
0x8F724000 C:\Windows\system32\DRIVERS\i8042prt.sys 77824 bytes (Microsoft Corporation, i8042 Port Driver)
0xA230F000 C:\Windows\system32\DRIVERS\rspndr.sys 77824 bytes (Microsoft Corporation, Link-Layer Topology Responder Driver for NDIS 6)
0x91DDD000 C:\Windows\system32\DRIVERS\wanarp.sys 77824 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
0x90385000 C:\Windows\system32\DRIVERS\HDAudBus.sys 73728 bytes (Microsoft Corporation, High Definition Audio Bus Driver)
0x95E27000 C:\Windows\system32\DRIVERS\ipfltdrv.sys 73728 bytes (Microsoft Corporation, IP FILTER DRIVER)
0x917EC000 C:\Windows\system32\DRIVERS\USBSTOR.SYS 73728 bytes (Microsoft Corporation, USB Mass Storage Class Driver)
0x95E15000 C:\Windows\system32\DRIVERS\WUDFPf.sys 73728 bytes (Microsoft Corporation, Windows Driver Foundation - User-mode Driver Framework Platform Driver)
0xB18DD000 C:\Windows\System32\Drivers\adfs.SYS 69632 bytes (Adobe Systems, Inc., Adobe Drive File System Driver)
0x83BB0000 C:\Windows\system32\drivers\disk.sys 69632 bytes (Microsoft Corporation, PnP Disk Driver)
0x95F63000 C:\Windows\System32\Drivers\dump_dumpfve.sys 69632 bytes
0x9071F000 C:\Windows\System32\Drivers\NDProxy.SYS 69632 bytes (Microsoft Corporation, NDIS Proxy)
0x8046B000 C:\Windows\system32\PSHED.dll 69632 bytes (Microsoft Corporation, Platform Specific Hardware Error Driver)
0x903EF000 C:\Windows\system32\DRIVERS\risdptsk.sys 69632 bytes (REDC, RICOH SD/MMC Driver)
0x83301000 C:\Windows\system32\drivers\fileinfo.sys 65536 bytes (Microsoft Corporation, FileInfo Filter Driver)
0xA22CB000 C:\Windows\system32\DRIVERS\lltdio.sys 65536 bytes (Microsoft Corporation, Link-Layer Topology Mapper I/O Driver)
0x805EF000 C:\Windows\System32\drivers\mountmgr.sys 65536 bytes (Microsoft Corporation, Mount Point Manager)
0x8FBD8000 C:\Windows\system32\DRIVERS\ohci1394.sys 65536 bytes (Microsoft Corporation, 1394 OpenHCI Port Driver)
0x90692000 C:\Windows\system32\DRIVERS\termdd.sys 65536 bytes (Microsoft Corporation, Terminal Server Driver)
0x95FDE000 C:\Windows\system32\Drivers\vmci.sys 65536 bytes (VMware, Inc., VMware kernel driver)
0x8F76E000 C:\Windows\system32\DRIVERS\intelppm.sys 61440 bytes (Microsoft Corporation, Processor Device Driver)
0x83311000 C:\Windows\system32\DRIVERS\Lbd.sys 61440 bytes (Lavasoft AB, Boot Driver)
0x95F7E000 C:\Windows\system32\DRIVERS\monitor.sys 61440 bytes (Microsoft Corporation, Monitor Driver)
0x83B56000 C:\Windows\System32\Drivers\mup.sys 61440 bytes (Microsoft Corporation, Multiple UNC Provider driver)
0x807D3000 C:\Windows\System32\drivers\partmgr.sys 61440 bytes (Microsoft Corporation, Partition Management Driver)
0x839D7000 C:\Windows\system32\DRIVERS\raspppoe.sys 61440 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
0x903E0000 C:\Windows\system32\DRIVERS\usbehci.sys 61440 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
0x807EF000 C:\Windows\system32\drivers\volmgr.sys 61440 bytes (Microsoft Corporation, Volume Manager Driver)
0x8FBE8000 C:\Windows\system32\DRIVERS\1394BUS.SYS 57344 bytes (Microsoft Corporation, 1394 Bus Device Driver)
0x9DAF0000 C:\Windows\System32\cdd.dll 57344 bytes (Microsoft Corporation, Canonical Display Driver)
0x91DCF000 C:\Windows\system32\DRIVERS\netbios.sys 57344 bytes (Microsoft Corporation, NetBIOS interface driver)
0x91776000 C:\Windows\System32\Drivers\Npfs.SYS 57344 bytes (Microsoft Corporation, NPFS Driver)
0xA22BD000 C:\Windows\system32\DRIVERS\vmnetbridge.sys 57344 bytes (VMware, Inc., VMware bridge driver (32-bit))
0x95F56000 C:\Windows\System32\Drivers\crashdmp.sys 53248 bytes (Microsoft Corporation, Crash Dump Driver)
0x916BB000 C:\Windows\system32\drivers\modem.sys 53248 bytes (Microsoft Corporation, Modem Device Driver)
0x906D8000 C:\Windows\system32\DRIVERS\umbus.sys 53248 bytes (Microsoft Corporation, User-Mode Bus Enumerator)
0x90378000 C:\Windows\System32\drivers\watchdog.sys 53248 bytes (Microsoft Corporation, Watchdog Driver)
0x80686000 C:\Windows\system32\drivers\WDFLDR.SYS 53248 bytes (Microsoft Corporation, WDFLDR)
0xB19E8000 C:\Windows\System32\drivers\tcpipreg.sys 49152 bytes (Microsoft Corporation, TCP/IP Registry Compatibility Driver)
0x9174F000 C:\Windows\System32\drivers\vga.sys 49152 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
0x8FE00000 C:\Windows\system32\DRIVERS\kbdclass.sys 45056 bytes (Microsoft Corporation, Keyboard Class Driver)
0x8F763000 C:\Windows\system32\DRIVERS\mouclass.sys 45056 bytes (Microsoft Corporation, Mouse Class Driver)
0x9176B000 C:\Windows\System32\Drivers\Msfs.SYS 45056 bytes (Microsoft Corporation, Mailslot driver)
0x8F7EE000 C:\Windows\system32\DRIVERS\ndistapi.sys 45056 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
0x8F7CC000 C:\Windows\system32\DRIVERS\TDI.SYS 45056 bytes (Microsoft Corporation, TDI Wrapper)
0x8F6F6000 C:\Windows\system32\DRIVERS\tunnel.sys 45056 bytes (Microsoft Corporation, Microsoft Tunnel Interface Driver)
0x90397000 C:\Windows\system32\DRIVERS\usbuhci.sys 45056 bytes (Microsoft Corporation, UHCI USB Miniport Driver)
0x807E5000 C:\Windows\system32\DRIVERS\BATTC.SYS 40960 bytes (Microsoft Corporation, Battery Class Driver)
0x95F74000 C:\Windows\System32\drivers\Dxapi.sys 40960 bytes (Microsoft Corporation, DirectX API Driver)
0xA2200000 C:\Windows\system32\drivers\hcmon.sys 40960 bytes (VMware, Inc., VMware USB monitor)
0xB18F0000 C:\Windows\system32\drivers\LMIRfsDriver.sys 40960 bytes (LogMeIn, Inc., LogMeIn Rfs Drivemap Driver)
0x906CE000 C:\Windows\system32\DRIVERS\mssmbios.sys 40960 bytes (Microsoft Corporation, System Management BIOS Driver)
0xA2305000 C:\Windows\system32\DRIVERS\ndisuio.sys 40960 bytes (Microsoft Corporation, NDIS User mode I/O driver)
0x91DF0000 C:\Windows\system32\drivers\nsiproxy.sys 40960 bytes (Microsoft Corporation, NSI Proxy)
0x83320000 C:\Windows\System32\Drivers\PxHelp20.sys 40960 bytes (Sonic Solutions, Px Engine Device Driver for Windows 2000/XP)
0xB19DE000 C:\Windows\System32\Drivers\secdrv.SYS 40960 bytes (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K., Macrovision SECURITY Driver)
0x91702000 C:\Windows\system32\DRIVERS\ArcSoftKsUFilter.sys 36864 bytes (ArcSoft, Inc., -)
0x83BE2000 C:\Windows\system32\drivers\crcdisk.sys 36864 bytes (Microsoft Corporation, Disk Block Verification Filter Driver)
0x91728000 C:\Windows\System32\Drivers\Fs_Rec.SYS 36864 bytes (Microsoft Corporation, File System Recognizer Driver)
0x95E39000 C:\Windows\System32\Drivers\Normandy.SYS 36864 bytes (RKU Driver)
0x91784000 C:\Windows\System32\DRIVERS\rasacd.sys 36864 bytes (Microsoft Corporation, RAS Automatic Connection Driver)
0x9DAD0000 C:\Windows\System32\TSDDD.dll 36864 bytes (Microsoft Corporation, Framebuffer Display Driver)
0x8F701000 C:\Windows\system32\DRIVERS\tunmp.sys 36864 bytes (Microsoft Corporation, Microsoft Tunnel Interface Driver)
0x806D9000 C:\Windows\system32\drivers\WMILIB.SYS 36864 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
0x91DB0000 C:\Windows\system32\drivers\ws2ifsl.sys 36864 bytes (Microsoft Corporation, Winsock2 IFS Layer)
0x8047C000 C:\Windows\system32\BOOTVID.dll 32768 bytes (Microsoft Corporation, VGA Boot Driver)
0x80403000 C:\Windows\system32\kdcom.dll 32768 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
0x806E2000 C:\Windows\system32\drivers\msisadrv.sys 32768 bytes (Microsoft Corporation, ISA Driver)
0x9175B000 C:\Windows\System32\DRIVERS\RDPCDD.sys 32768 bytes (Microsoft Corporation, RDP Miniport)
0x91763000 C:\Windows\system32\drivers\rdpencdd.sys 32768 bytes (Microsoft Corporation, RDP Miniport)
0x83B4E000 C:\Windows\System32\Drivers\spldr.sys 32768 bytes (Microsoft Corporation, loader for security processor)
0xB1800000 C:\Windows\system32\DRIVERS\xaudio.sys 32768 bytes (Conexant Systems, Inc., Modem Audio Device Driver)
0x91738000 C:\Windows\System32\Drivers\Beep.SYS 28672 bytes (Microsoft Corporation, BEEP Driver)
0x91748000 C:\Windows\system32\DRIVERS\HIDPARSE.SYS 28672 bytes (Microsoft Corporation, Hid Parsing Library)
0x91731000 C:\Windows\System32\Drivers\Null.SYS 28672 bytes (Microsoft Corporation, NULL Driver)
0x91C00000 C:\Windows\System32\Drivers\avgmfx86.sys 24576 bytes (AVG Technologies CZ, s.r.o., AVG Resident Shield Minifilter Driver)
0x9173F000 C:\Windows\system32\DRIVERS\GEARAspiWDM.sys 24576 bytes (GEAR Software Inc., CD DVD Filter)
0xB1808000 C:\Program Files\PeerGuardian2\pgfilter.sys 24576 bytes
0x8F7F9000 C:\Windows\system32\DRIVERS\hamachi.sys 20480 bytes (LogMeIn, Inc., Hamachi Virtual Network Interface Driver)
0x91723000 C:\Windows\system32\SAVRKBootTasks.sys 20480 bytes (Sophos Plc, Sophos boot tasks for Windows 2000)
0x8FBF6000 C:\Windows\system32\drivers\VMkbd.sys 20480 bytes (VMware, Inc., VMware keyboard filter driver (32-bit))
0xB19F4000 C:\Windows\system32\drivers\vmnetuserif.sys 20480 bytes (VMware, Inc., VMware network application interface driver (32-bit))
0x8F800000 C:\Windows\system32\DRIVERS\CmBatt.sys 16384 bytes (Microsoft Corporation, Control Method Battery Driver)
0xB18FA000 C:\Windows\system32\DRIVERS\mdmxsdk.sys 16384 bytes (Conexant, Diagnostic Interface x86 Driver)
0xB19F9000 C:\Program Files\VMware\VMware Player\vstor2-ws60.sys 16384 bytes (VMware, Inc., VMware Virtual Storage Volume Driver)
0x807E2000 C:\Windows\system32\DRIVERS\compbatt.sys 12288 bytes (Microsoft Corporation, Composite Battery Driver)
0x8FBFB000 C:\Windows\system32\DRIVERS\SFEP.sys 12288 bytes (Sony Corporation, Sony Firmware Extension Parser driver)
0x906E8000 C:\Windows\system32\DRIVERS\VMNET.SYS 12288 bytes (VMware, Inc., VMware virtual network driver (32-bit))
0x906E5000 C:\Windows\system32\DRIVERS\vmnetadapter.sys 12288 bytes (VMware, Inc., VMware virtual network adapter driver (32-bit))
0xB18EE000 C:\Program Files\LogMeIn\x86\RaInfo.sys 8192 bytes (LogMeIn, Inc., RemotelyAnywhere Kernel Information Provider)
0xB19DC000 C:\Windows\system32\drivers\regi.sys 8192 bytes (InterVideo, regi driver)
0x906A2000 C:\Windows\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
0x916DF000 C:\Windows\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
0x91DFA000 C:\Windows\system32\DRIVERS\DMICall.sys 4096 bytes (Sony Corporation, Windows 2000 DMI Call Kernel Driver)
0x8F804000 C:\Windows\system32\DRIVERS\lmimirr.sys 4096 bytes (LogMeIn, Inc., LogMeIn Mirror Miniport Driver)
0x882A6A38 unknown_irp_handler 1480 bytes
==============================================
>Stealth
==============================================
WARNING: File locked for read access [C:Windowssystem32driversmezrgr.sys]
0x00E90000 Hidden Image-->Microsoft.VisualStudio.Diagnostics.ServiceModelSink.dll [ EPROCESS 0xB2A4B9A8 ] PID: 3316, 45056 bytes
0x00D90000 Hidden Image-->SPMDrv.dll [ EPROCESS 0xB2A4CD90 ] PID: 2344, 45056 bytes
0x00F80000 Hidden Image-->Microsoft.VisualStudio.Diagnostics.ServiceModelSink.dll [ EPROCESS 0xB2A4CD90 ] PID: 2344, 45056 bytes
0x04E00000 Hidden Image-->msvcm80.dll [ EPROCESS 0xA11F3588 ] PID: 1528, 507904 bytes
0x00A80000 Hidden Image-->SPMDam.dll [ EPROCESS 0xB2A4B9A8 ] PID: 3316, 53248 bytes
0x008A0000 Hidden Image-->SPMDam.dll [ EPROCESS 0xB2A4CD90 ] PID: 2344, 53248 bytes
0x00810000 Hidden Image-->SPMCommon.dll [ EPROCESS 0xB2A4B9A8 ] PID: 3316, 94208 bytes
0x00870000 Hidden Image-->SPMCommon.dll [ EPROCESS 0xB2A4CD90 ] PID: 2344, 94208 bytes
==============================================
>Hooks
==============================================
Key object-->ParseProcedure, Type: Kernel Object [unknown_code_page]
ntkrnlpa.exe+0x000B4EEA, Type: Inline - RelativeJump 0x82CFFEEA-->82CFFEF1 [ntkrnlpa.exe]
[748]chrome.exe-->ntdll.dll-->NtOpenProcessToken, Type: Inline - RelativeCall 0x7771887E-->00000000 [shell32.dll]
[748]chrome.exe-->ntdll.dll-->NtOpenThreadTokenEx, Type: Inline - RelativeCall 0x777188FE-->00000000 [shell32.dll]
[748]chrome.exe-->ntdll.dll-->NtQueryFullAttributesFile, Type: Inline - RelativeCall 0x77718A3E-->00000000 [shell32.dll]


!!POSSIBLE ROOTKIT ACTIVITY DETECTED!! =)

MBRCheck.exe result:
MBRCheck, version 1.2.3
2010, AD

Command-line:
Windows Version: Windows Vista Ultimate Edition
Windows Information: Service Pack 1 (build 6001), 32-bit
Base Board Manufacturer: Sony Corporation
BIOS Manufacturer: American Megatrends Inc.
System Manufacturer: Sony Corporation
System Product Name: VGN-FW11ZU
Logical Drives Mask: 0x0000005c

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000002`bd700000 (NTFS)

Size Device Name MBR Status
--------------------------------------------
279 GB \\.\PhysicalDrive0 Windows 2008 MBR code detected
SHA1: 8DF43F2BDE2D9451948FA14B5279969C777A7979


Done!
Press ENTER to exit...


Merged 3 posts. ~ OB

Oh also, forgot to mention: although Windows Firewall claims to be active, I cannot view its settings: "Due to an unidentified problem, Windows cannot display Windows Firewall settings".
So I suspect the firewall is also compromised.

(Also sorry, didn't realise I could edit posts...)

-C

Merged posts. ~ OB

Attached Files


Edited by Orange Blossom, 04 August 2010 - 11:54 PM.



#2 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 07 August 2010 - 10:42 PM

Hello. I am PropagandaPanda (Panda or PP for short), and I will be helping you.

There are definitely signs of infection.

Disable Realtime Protection
Antimalware programs can interfere with ComboFix and other tools we need to run. Please temporarily disable all realtime protections you have enabled. Refer to this page, if you are unsure how.

Download and Run ComboFix
Download Combofix by sUBs from any of the links below, and save it to your desktop. If you have already run ComboFix, delete your old copy and download a new one.
Link 1, Link 2, Link 3
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Double click on ComboFix.exe and follow the prompts. If you are using Windows Vista, right click the icon and select "Run as Administrator". You will not receive the prompts below if you are not using Windows XP. ComboFix will check to see if you have the Windows Recovery Console installed.
  • If you did not have it installed, you will see the prompt below. Choose YES.


  • When the Recovery Console has been installed, you will see the prompt below. Choose YES.
  • When finished, ComboFix will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.

Download and Run Scan with GMER
Now let's try running GMER again.
Please download GMER to your desktop. Note that the file will be randomly named to prevent active malware from stopping the download.
  • Close all other open programs as there is a slight chance your computer will crash.
  • Double click the GMER program ******.exe. Your security programs may detect GMER's driver trying to load. Allow it.
  • You may see a warning saying "GMER has detected rootkit activity". If so, select NO.
  • Leaving the settings at default, click Scan.
  • When the scan is complete, click Save and save the log onto your desktop.
Please include the log in your next reply.

In your next reply include:
-the ComboFix log
-the GMER scan log

Please also tell me of any changes you have made to your computer since you started your topic.

With Regards,
The Panda

Edited by PropagandaPanda, 07 August 2010 - 10:43 PM.
typo


#3 housec

housec
  • Topic Starter

  • Members
  • 15 posts

Posted 08 August 2010 - 12:55 PM

Hi Panda, thanks for the help.

OK, so ComboFix ran fine, and I have the log for that (will paste below).
GMER did not run, however... well, it started to, and then froze again. The laptop needed to be powered off.
I have a screenshot (well, actually a photo of the screen, but it amounts to the same thing... ;) ) - attached

Oh, and the changes to my PC since my last post are an iTunes update and installing StarCraft 2...

Combofix log:


ComboFix 10-08-07.02 - Dez 08/08/2010 15:20:48.3.2 - x86
Microsoft Windows Vista Ultimate 6.0.6001.1.1252.44.1033.18.3069.1439 [GMT 1:00]
Running from: c:\users\Dez\Downloads\ComboFix.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((( Files Created from 2010-07-08 to 2010-08-08 )))))))))))))))))))))))))))))))
.

2010-08-08 14:41 . 2010-08-08 14:41 -------- d-----w- c:\users\TEMP\AppData\Local\temp
2010-08-08 14:41 . 2010-08-08 14:41 -------- d-----w- c:\users\TEMP.Vaio1\AppData\Local\temp
2010-08-08 14:41 . 2010-08-08 14:41 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-08-08 14:41 . 2010-08-08 14:41 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-08-08 14:13 . 2010-08-08 14:13 -------- d-----w- c:\users\Dez\AppData\Roaming\AVG9
2010-08-06 13:46 . 2010-08-06 14:27 -------- d-----w- c:\programdata\Blizzard Entertainment
2010-08-06 13:46 . 2010-08-06 14:27 -------- d-----w- c:\program files\StarCraft II
2010-08-05 21:26 . 2010-08-05 21:26 -------- d-----w- c:\program files\iPod
2010-08-05 21:26 . 2010-08-05 21:27 -------- d-----w- c:\program files\iTunes
2010-08-05 21:13 . 2010-08-05 21:13 -------- d-----w- c:\program files\QuickTime
2010-08-05 21:07 . 2010-08-05 21:07 -------- d-----w- c:\program files\Apple Software Update
2010-08-05 20:59 . 2010-08-08 12:29 -------- d-----w- c:\program files\Bonjour
2010-08-04 14:22 . 2010-08-04 15:19 -------- d-----w- C:\Python27
2010-08-03 00:40 . 2010-08-03 00:40 93056 ----a-w- C:\pxldypog.sys
2010-08-02 23:14 . 2010-05-26 09:45 18816 ------w- c:\windows\system32\SAVRKBootTasks.sys
2010-08-02 14:38 . 2010-08-02 14:38 -------- d-----w- c:\program files\ESET
2010-08-02 13:55 . 2010-08-02 13:55 -------- d-----w- c:\program files\Sophos
2010-08-02 13:32 . 2010-08-08 14:41 -------- d-----w- c:\users\Dez\AppData\Local\temp
2010-07-25 10:26 . 2010-07-25 10:26 -------- d-----w- c:\programdata\F-Secure
2010-07-25 03:58 . 2010-08-08 12:34 -------- d-----w- c:\windows\system32\drivers\Avg
2010-07-25 03:58 . 2010-07-25 03:58 12536 ----a-w- c:\windows\system32\avgrsstx.dll
2010-07-25 03:57 . 2010-07-25 03:57 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-07-25 03:57 . 2010-07-25 03:57 29584 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-07-24 22:40 . 2010-07-24 22:40 -------- d-----w- c:\users\Dez\AppData\Roaming\Malwarebytes
2010-07-24 22:39 . 2010-07-24 22:39 120 ----a-w- c:\users\Dez\AppData\Local\Lmepeyudafawi.dat
2010-07-24 22:39 . 2010-07-24 22:39 0 ----a-w- c:\users\Dez\AppData\Local\Elupogujagedeyo.bin
2010-07-24 22:37 . 2010-08-08 14:41 767488 ----a-w- c:\windows\system32\drivers\mezrgr.sys
2010-07-24 22:37 . 2010-07-24 23:11 -------- d-----w- c:\users\Dez\AppData\Local\ajtkuudtv

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-08 14:42 . 2008-11-20 19:52 -------- d-----w- c:\users\Dez\AppData\Roaming\Skype
2010-08-08 12:51 . 2009-07-21 11:33 -------- d-----w- c:\users\Dez\AppData\Roaming\skypePM
2010-08-08 12:31 . 2008-12-13 18:22 -------- d-----w- c:\program files\Steam
2010-08-08 12:30 . 2010-05-03 22:57 -------- d-----w- c:\programdata\VMware
2010-08-08 12:30 . 2008-10-04 11:20 -------- d-----w- c:\program files\LogMeIn
2010-08-07 02:31 . 2008-06-03 17:00 12 ----a-w- c:\windows\bthservsdp.dat
2010-08-06 14:27 . 2010-08-06 14:27 47364 ----a-w- c:\programdata\Blizzard Entertainment\Battle.net\Cache\Download\Scan.dll
2010-08-06 14:12 . 2010-04-20 19:02 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment
2010-08-05 21:26 . 2008-12-20 20:53 -------- d-----w- c:\program files\Common Files\Apple
2010-08-05 10:40 . 2008-10-05 14:57 -------- d-----w- c:\users\Dez\AppData\Roaming\uTorrent
2010-08-02 11:46 . 2009-12-06 12:09 -------- d-----w- c:\programdata\avg9
2010-08-01 18:16 . 2010-06-06 15:46 -------- d-----w- c:\program files\Kalypso
2010-07-26 07:18 . 2010-07-26 07:18 4368224 ----a-w- c:\programdata\avg9\update\backup\avgcorex.dll
2010-07-25 04:33 . 2008-09-02 17:32 1356 ----a-w- c:\users\Dez\AppData\Local\d3d9caps.dat
2010-07-25 03:39 . 2009-06-16 18:45 -------- d-----w- c:\users\Dez\AppData\Roaming\Ighop
2010-07-24 23:22 . 2008-10-12 12:38 -------- d-----w- c:\users\Dez\AppData\Roaming\Vidalia
2010-07-24 22:57 . 2009-12-06 12:00 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-23 23:01 . 2008-10-12 12:39 -------- d-----w- c:\users\Dez\AppData\Roaming\tor
2010-07-21 15:30 . 2010-07-21 15:30 73000 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.2.1.5\SetupAdmin.exe
2010-07-04 08:03 . 2010-07-04 08:03 2286080 ----a-w- c:\windows\system32\python27.dll
2010-07-03 17:58 . 2010-04-17 17:58 -------- d-----w- c:\program files\Diablo II
2010-06-26 02:02 . 2008-06-23 11:54 -------- d-----w- c:\program files\Microsoft.NET
2010-06-10 23:09 . 2008-06-23 11:53 -------- d-----w- c:\programdata\Microsoft Help
2010-06-10 19:03 . 2008-10-04 11:25 -------- d-----w- c:\program files\Microsoft Silverlight
2010-06-10 00:02 . 2010-06-10 00:02 -------- d-----w- c:\program files\Hair Pro 2010 Trial
2010-06-02 15:06 . 2008-10-04 11:21 83360 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2010-06-02 15:06 . 2008-10-04 11:21 29568 ----a-w- c:\windows\system32\LMIport.dll
2010-06-02 15:06 . 2008-10-04 11:20 87424 ----a-w- c:\windows\system32\LMIinit.dll
2010-05-21 13:14 . 2009-10-02 18:39 221568 ------w- c:\windows\system32\MpSigStub.exe
2009-11-28 23:32 . 2009-11-28 23:32 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
@="{C5994560-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
@="{C5994561-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
@="{C5994562-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
@="{C5994563-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
@="{C5994564-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
@="{C5994565-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
@="{C5994566-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
@="{C5994567-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
@="{C5994568-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NSUFloatingUI"="c:\program files\Sony\Network Utility\LANUtil.exe" [2008-05-30 262144]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-07-26 3883856]
"PeerGuardian"="c:\program files\PeerGuardian2\pg2.exe" [2005-09-18 1421824]
"Steam"="c:\program files\Steam\Steam.exe" [2010-05-11 1238352]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-02-15 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-07-21 141608]

c:\users\Dez\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
AutoStart IR.lnk - c:\program files\WinTV\Ir.exe [2008-11-19 110647]
Privoxy.lnk - c:\program files\Vidalia Bundle\Privoxy\privoxy.exe [2006-11-20 250368]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
2008-05-16 00:20 98304 ----a-w- c:\windows\System32\VESWinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll c:\windows\System32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer3"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=c:\windows\pss\Adobe Acrobat Speed Launcher.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Acrobat Synchronizer.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Acrobat Synchronizer.lnk
backup=c:\windows\pss\Adobe Acrobat Synchronizer.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Bluetooth.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Bluetooth.lnk
backup=c:\windows\pss\Bluetooth.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^Users^Dez^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^BBC iPlayer Desktop.lnk]
path=c:\users\Dez\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BBC iPlayer Desktop.lnk
backup=c:\windows\pss\BBC iPlayer Desktop.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS4ServiceManager]
2008-08-14 07:58 611712 ----a-w- c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AML]
2008-03-26 22:48 1093632 ----a-w- c:\program files\Sony\VAIO Launcher\AML.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPGServiceTool]
2008-04-17 18:20 688128 ----a-w- c:\progra~1\WinTV\EPG Services\System\EPGClient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2009-02-07 21:25 133104 ----atw- c:\users\Dez\AppData\Local\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\JMacro]
2005-04-24 20:43 572928 ----a-w- c:\program files\Journal Macro\JMacro.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogMeIn GUI]
2008-07-24 17:46 63048 ----a-w- c:\program files\LogMeIn\x86\LogMeInSystray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
2010-04-29 14:39 1090952 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MarketingTools]
2008-06-23 12:15 36864 ----a-w- c:\program files\Sony\Marketing Tools\MarketingTools.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
2009-02-04 16:57 4363504 ----a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2009-02-15 23:02 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Vidalia]
2008-09-03 01:18 4013511 ----a-w- c:\program files\Vidalia Bundle\Vidalia\vidalia.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VMware hqtray]
2010-01-22 20:56 64048 ----a-w- c:\program files\VMware\VMware Player\hqtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-02-28 135664]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2010-02-04 1181328]
R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [2007-12-12 28464]
R3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files\steam\steamapps\common\dragon age origins\bin_ship\DAUpdaterSvc.Service.exe [2010-03-10 25832]
R3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2009-11-28 30192]
R3 hcw95bda;Hauppauge MOD7700 Tuner Driver;c:\windows\system32\Drivers\hcw95bda.sys [2008-04-17 560640]
R3 hcw95rc;Hauppauge MOD7700 IR Driver;c:\windows\system32\DRIVERS\hcw95rc.sys [2008-04-17 15616]
R3 MEMSWEEP2;MEMSWEEP2;c:\windows\system32\CA32.tmp [x]
R4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [2007-02-22 2808664]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2009-09-23 64288]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2010-07-25 216400]
S2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [2010-07-25 308136]
S2 EPGService;EPGService;c:\progra~1\WinTV\EPG Services\System\EPGService.exe [2008-04-09 436224]
S2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\RaInfo.sys [2008-07-24 12856]
S2 MsDtsServer;SQL Server Integration Services;c:\program files\Microsoft SQL Server\90\DTS\Binn\MsDtsSrvr.exe [2008-12-18 202592]
S2 NSUService;NSUService;c:\program files\Sony\Network Utility\NSUService.exe [2008-05-30 229376]
S2 regi;regi;c:\windows\system32\drivers\regi.sys [2007-04-18 11032]
S3 ArcSoftKsUFilter;ArcSoft Magic-I Visual Effect;c:\windows\system32\DRIVERS\ArcSoftKsUFilter.sys [2008-01-31 17408]
S3 NETw5v32;Intel® Wireless WiFi Link Adapter Driver for Windows Vista 32 Bit ;c:\windows\system32\DRIVERS\NETw5v32.sys [2008-04-28 3658752]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - PGFILTER
*Deregistered* - mezrgr

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
.
Contents of the 'Scheduled Tasks' folder

2010-08-08 c:\windows\Tasks\Ad-Aware Update (Daily 1).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 19:33]

2010-08-08 c:\windows\Tasks\Ad-Aware Update (Daily 2).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 19:33]

2010-08-08 c:\windows\Tasks\Ad-Aware Update (Daily 3).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 19:33]

2010-08-08 c:\windows\Tasks\Ad-Aware Update (Daily 4).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 19:33]

2010-08-08 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 19:33]

2010-08-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-28 21:55]

2010-08-08 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-28 21:55]

2010-08-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-780444440-153971938-31893976-1000Core.job
- c:\users\Dez\AppData\Local\Google\Update\GoogleUpdate.exe [2009-02-07 21:25]

2010-08-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-780444440-153971938-31893976-1000UA.job
- c:\users\Dez\AppData\Local\Google\Update\GoogleUpdate.exe [2009-02-07 21:25]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.club-vaio.com
mStart Page = hxxp://www.club-vaio.com
uInternet Settings,ProxyOverride = <local>
LSP: c:\program files\VMware\VMware Player\vsocklib.dll
DPF: {140E4DF8-9E14-4A34-9577-C77561ED7883} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_cyri_4.1.72.0.cab
FF - ProfilePath - c:\users\Dez\AppData\Roaming\Mozilla\Firefox\Profiles\k5l60kgm.default\
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-08 15:41
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\msftesql]
"ImagePath"="\"c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe\" -s:MSSQL.1 -f:MSSQLSERVER"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\CA32.tmp"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\mezrgr]

.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-780444440-153971938-31893976-1000\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{CB845235-4A96-63D6-109E-827D70214F43}*]
"mabfcflacpjnkchihkbkgofdaa"=hex:6b,61,64,6b,6c,69,62,66,6b,63,66,66,6c,65,6d,
66,6f,6a,68,65,62,61,00,65
"nahfekmdlgpdkoibemjbenllbaoi"=hex:6b,61,64,6b,6c,69,62,66,6b,63,66,66,6c,65,
6d,66,6f,6a,68,65,62,61,00,77

[HKEY_USERS\S-1-5-21-780444440-153971938-31893976-1000\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{F3A471EC-EE4D-ACC1-2A9E-509E87FD6804}*]
@Allowed: (Read) (RestrictedCode)
"jajldkfpkjhflkimihfc"=hex:62,61,65,66,00,00
"jajldkfpkjhflkimihbc"=hex:62,61,65,66,00,00
"iajkhnmnmkfielhigi"=hex:6b,61,6d,66,70,66,62,65,61,6b,65,63,6c,6d,64,68,63,64,
6f,6b,61,66,00,00

[HKEY_USERS\S-1-5-21-780444440-153971938-31893976-1000\Software\SecuROM\License information*]
@Allowed: (Read) (RestrictedCode)
"datasecu"=hex:8d,2f,20,85,c0,7d,2c,f0,d1,92,03,fc,c7,41,3d,fd,33,68,b5,d7,51,
0e,da,b2,8b,3e,38,8d,ed,b9,32,f3,f0,17,4a,f2,7c,e8,f7,7e,f1,ac,10,15,44,14,\
"rkeysecu"=hex:55,b2,6d,bb,83,84,25,49,f7,0d,1b,ee,b4,11,97,20

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b4
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(7076)
c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
c:\program files\TortoiseSVN\bin\TortoiseStub.dll
c:\program files\TortoiseSVN\bin\TortoiseSVN.dll
c:\program files\TortoiseSVN\bin\intl3_tsvn.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
.
Completion time: 2010-08-08 15:49:48
ComboFix-quarantined-files.txt 2010-08-08 14:49
ComboFix2.txt 2010-08-02 13:32

Pre-Run: 11,331,502,080 bytes free
Post-Run: 11,356,327,936 bytes free

- - End Of File - - F8AC48A3A2CB4E6F6D7A18180EF7FDB1



-C

Attached Files



#4 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 08 August 2010 - 08:31 PM

Hello.

Backdoor Threat
I'm sorry to say that your computer is infected with one or more backdoor trojans.

This means that sensitive information could have been stolen. I would advise to change any passwords for any accounts that you have accessed with the infected computer using a clean computer ASAP. If you have used this computer for banking, I would strongly suggest that you report the possible stolen information. Please do not use the computer for any further transactions, or to enter any other information, if at all possible, until it is declared clean.

You may want to read this article on how to handle identity theft.
You may also want to read this article regarding preventing of identity theft.

This computer can still be cleaned, however, I cannot guarantee that it will be 100% safe even after disinfection.

Please read When Should I Format, How Should I Reinstall.

I will proceed assuming you wish to disinfect. If you want to do a reinstall, reply back saying so.

Run ComboFix with CFScript
We will run ComboFix again with a script.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are unsure how.
  • Open Notepad (Start>Run>"notepad") and copy/paste the text in the box below into it:
    http://www.bleepingcomputer.com/forums/t/336806/unknown-infection-gmer-causes-pc-to-lockup/

    Collect::
    C:\pxldypog.sys
    c:\windows\system32\drivers\mezrgr.sys

    File::
    c:\users\Dez\AppData\Local\Lmepeyudafawi.dat
    c:\users\Dez\AppData\Local\Elupogujagedeyo.bin

    Folder::
    c:\users\Dez\AppData\Local\ajtkuudtv

    Driver::
    mezrgr
  • Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)
  • Referring to the picture above, drag CFScript into ComboFix.exe.
When finished, it shall produce a log for you at "C:\ComboFix.txt". Post back with that log.

Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Please then follow up with a fresh RootRepeal log. Tell me if the symptoms are still present at this time.

With Regards,
The Panda
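Why the CFScript above singles out C:\pxldypog.sys and mezrgr.sys: the ComboFix log in the previous reply and the RootRepeal log in the first post agree on them. The following Python script, added here as an example and not part of this thread or of either tool, reads sample lines copied from those two logs and correlates a driver created outside system32, a service ComboFix deregistered, and a file RootRepeal could not read; the flagging rules are the editor's own, not ComboFix's.

```python
import re
from collections import defaultdict

# Constructed sample: lines copied from the ComboFix log posted above
# (a short excerpt, not the whole log).
COMBOFIX_LOG = r"""
2010-08-05 21:26 . 2010-08-05 21:27 -------- d-----w- c:\program files\iTunes
2010-08-03 00:40 . 2010-08-03 00:40 93056 ----a-w- C:\pxldypog.sys
2010-08-02 23:14 . 2010-05-26 09:45 18816 ------w- c:\windows\system32\SAVRKBootTasks.sys
2010-07-25 03:57 . 2010-07-25 03:57 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-07-24 22:39 . 2010-07-24 22:39 120 ----a-w- c:\users\Dez\AppData\Local\Lmepeyudafawi.dat
2010-07-24 22:37 . 2010-08-08 14:41 767488 ----a-w- c:\windows\system32\drivers\mezrgr.sys
2010-07-24 22:37 . 2010-07-24 23:11 -------- d-----w- c:\users\Dez\AppData\Local\ajtkuudtv

--- Other Services/Drivers In Memory ---

*NewlyCreated* - PGFILTER
*Deregistered* - mezrgr
"""

# Constructed sample: lines copied from the RootRepeal log in the first post.
ROOTREPEAL_LOG = r"""
WARNING: File locked for read access [C:Windowssystem32driversmezrgr.sys]
0x00E90000 Hidden Image-->Microsoft.VisualStudio.Diagnostics.ServiceModelSink.dll [ EPROCESS 0xB2A4B9A8 ] PID: 3316, 45056 bytes
"""

# One "Files Created" entry: created . modified size attrs path
FILE_LINE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\S+) (?P<attrs>\S+) (?P<path>.+)$"
)
DEREGISTERED = re.compile(r"^\*Deregistered\* - (\S+)$")
LOCKED = re.compile(r"^WARNING: File locked for read access \[(?P<raw>.+)\]$")
# Editor's heuristic: a letter-only name of 8+ characters sitting directly
# under AppData\Local, optionally with a .dat or .bin extension.
APPDATA_LOCAL = re.compile(r"\\appdata\\local\\[a-z]{8,}(\.(dat|bin))?$", re.I)


def parse_combofix(text):
    """Return (file entries, deregistered service names) from a ComboFix log."""
    entries, deregistered = [], set()
    for line in text.splitlines():
        m = FILE_LINE.match(line)
        if m:
            entry = m.groupdict()
            entry["name"] = entry["path"].rsplit("\\", 1)[-1]
            entries.append(entry)
            continue
        m = DEREGISTERED.match(line)
        if m:
            deregistered.add(m.group(1).lower())
    return entries, deregistered


def parse_locked_files(text):
    """Basenames that RootRepeal reported as locked for read access."""
    names = set()
    for line in text.splitlines():
        m = LOCKED.match(line)
        if not m:
            continue
        raw = m.group("raw")
        # The path as quoted in the thread lost its backslashes, so accept
        # both "drivers\x.sys" and "driversx.sys" and keep only the basename.
        tail = re.search(r"drivers\\?(?P<name>[A-Za-z0-9_-]+\.sys)$", raw, re.I)
        names.add((tail.group("name") if tail else raw).lower())
    return names


def correlate(combofix_text, rootrepeal_text):
    """Map each flagged basename to the reasons it stood out."""
    entries, deregistered = parse_combofix(combofix_text)
    locked = parse_locked_files(rootrepeal_text)
    findings = defaultdict(list)
    for e in entries:
        path, name = e["path"].lower(), e["name"].lower()
        # A kernel driver dropped outside \windows\system32 (C:\pxldypog.sys);
        # SAVRKBootTasks.sys inside system32 is not flagged by this rule.
        if name.endswith(".sys") and "\\windows\\system32\\" not in path:
            findings[name].append("kernel driver outside \\windows\\system32: " + e["path"])
        # ComboFix deregistered a service whose driver file is still on disk.
        if name.endswith(".sys") and name[:-4] in deregistered:
            findings[name].append("service deregistered, driver file still present")
        # RootRepeal could not even read the file.
        if name in locked:
            findings[name].append("locked for read access during the RootRepeal scan")
        if APPDATA_LOCAL.search(path):
            findings[name].append("letter-only name directly under AppData\\Local")
    return dict(findings)


if __name__ == "__main__":
    for name, reasons in sorted(correlate(COMBOFIX_LOG, ROOTREPEAL_LOG).items()):
        print(name)
        for reason in reasons:
            print("   -", reason)
```

The four names it reports are exactly the four items the CFScript collects or deletes; the AVG and Sophos drivers created in the same window pass all rules.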

#5 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 21 August 2010 - 10:25 AM

Hello.

There had been no reply from the topic starter in 5 days. Due to inactivity, this topic is now closed.
If you are the topic starter and need this topic reopened, send me a message.

Everyone else, please begin a new topic.

With Regards,
The Panda



