TDL3 rootkit after getting rid of Antimalware Doctor


  • This topic is locked
16 replies to this topic

#1 7throck

7throck

  • Members
  • 8 posts
  • OFFLINE
  • Local time:02:11 AM

Posted 05 August 2010 - 10:28 AM

Hi, I think I've done everything I can on my own so I hope someone can help...

I'm running Windows 7 with Kaspersky. This all seems to have started with Antimalware Doctor which I managed to get rid of, but I've now read that it sometimes comes with this nasty TDL3 thingy.

Symptoms: IE pop ups, often seem to include words from my recent searches. Google redirects in Firefox. Problems seem exclusive to each browser. Windows updates fail. Occasional blue screens soon after start up, usually after running something aimed at fixing the problem.

Things I've tried: Kaspersky (including the TDSS killer both zip and exe), Malwarebytes, Cureit! - have tried running rkill first and have tried safe mode, full scans. Cureit! claimed to have eradicated something but made no difference to the symptoms and scans with it now come up clean, the same as with anything else I've run. Only Hitman Pro seems to come up with anything saying:

"Possible variant of the TDL3 (alias Alureon) rootkit detected
The device stack of the hard disk is referencing a hidden driver. This could affect the detection of malicious files."

I've done all the required preparation except the GMER thing as it doesn't seem to be compatible with Windows 7. DDS.txt is below and the other attached as required.

Thanks for any help!


DDS (Ver_10-03-17.01) - NTFSx86
Run by kitten at 15:44:43.54 on 05/08/2010
Internet Explorer: 8.0.7600.16385
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.44.1033.18.3582.2599 [GMT 1:00]


============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Gizmo\gservice.exe
C:\Program Files\Hotspot Shield\bin\openvpnas.exe
C:\Program Files\Hotspot Shield\bin\hsswd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\FBackup\fbaSched.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\PeerBlock\peerblock.exe
C:\Program Files\StarDock\ObjectDock.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\PhotoJoy\bin\PjApp.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Windows\system32\conhost.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\sppsvc.exe
C:\Windows\System32\svchost.exe -k secsvcs
D:\Desktop\dds.scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyOverride = *.local
BHO: ContributeBHO Class: {074c1dc5-9320-4a9a-947d-c042949c6216} - c:\program files\adobe\/Adobe Contribute CS4/contributeieplugin.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\program files\kaspersky lab\kaspersky anti-virus 2010\ievkbd.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\bin\jp2ssv.dll
BHO: FilterBHO Class: {e33cf602-d945-461a-83f0-819f76a199f8} - c:\program files\kaspersky lab\kaspersky anti-virus 2010\klwtbbho.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Hotspot Shield Class: {f9e4a054-e9b1-4bc3-83a3-76a1ae736170} - c:\program files\hotspot shield\hssie\HssIE.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Contribute Toolbar: {517bdde4-e3a7-4570-b21e-2b52b6139fc7} - c:\program files\adobe\/Adobe Contribute CS4/contributeieplugin.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [PeerBlock] c:\program files\peerblock\peerblock.exe
uRun: [FBackup Scheduler]
uRun: [GizmoDriveDelegate] RUNDLL32.EXE c:\progra~1\gizmo\GDRIVE.DLL,Remount_Startup_Images
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky anti-virus 2010\avp.exe"
StartupFolder: c:\users\kitten\appdata\roaming\micros~1\windows\startm~1\programs\startup\photojoy.lnk - c:\windows\installer\{15482d1c-117b-4201-8d39-985a91ed8433}\NewShortcut2_A7A7785B169C43C9B65206C336C01701.exe
StartupFolder: c:\users\kitten\appdata\roaming\micros~1\windows\startm~1\programs\startup\stardo~1.lnk - c:\program files\stardock\ObjectDock.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: Add to Evernote - c:\program files\evernote\enbar.dll/2000
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {4248FE82-7FCB-46AC-B270-339F08212110} - {4248FE82-7FCB-46AC-B270-339F08212110} - c:\program files\kaspersky lab\kaspersky anti-virus 2010\klwtbbho.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {CCF151D8-D089-449F-A5A4-D9909053F20F} - {CCF151D8-D089-449F-A5A4-D9909053F20F} - c:\program files\kaspersky lab\kaspersky anti-virus 2010\klwtbbho.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100
Notify: klogon - c:\windows\system32\klogon.dll
AppInit_DLLs: c:\progra~1\kasper~2\kasper~1\mzvkbd3.dll

============= SERVICES / DRIVERS ===============

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2009-10-14 36880]
R1 GizmoDrv;Gizmo Device Driver;c:\windows\system32\drivers\gizmodrv.sys [2010-1-12 23624]
R1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;c:\windows\system32\drivers\klim6.sys [2009-11-3 21520]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [2009-10-2 19472]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]

=============== Created Last 30 ================

2010-08-05 13:12:23 0 ----a-w- c:\users\kitten\defogger_reenable
2010-08-05 11:34:47 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-08-05 11:32:33 0 d-----w- c:\programdata\Hitman Pro
2010-08-05 11:32:31 0 d-----w- c:\program files\Hitman Pro 3.5
2010-08-05 01:03:31 0 d-----w- c:\users\kitten\DoctorWeb
2010-07-23 12:03:00 0 d-----w- c:\windows\pss
2010-07-20 13:04:28 0 d-----w- c:\programdata\Sun
2010-07-20 13:03:45 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-20 12:39:11 0 d-----w- c:\users\kitten\appdata\roaming\Malwarebytes
2010-07-20 12:38:58 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-20 12:38:56 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-20 12:38:56 0 d-----w- c:\programdata\Malwarebytes
2010-07-20 12:38:56 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-20 12:09:08 0 d-----w- c:\users\kitten\appdata\roaming\B70F8B047D889260107AC44082F0C258

==================== Find3M ====================

2010-07-30 00:01:20 97549 ----a-w- c:\windows\system32\drivers\klick.dat
2010-07-30 00:01:20 113933 ----a-w- c:\windows\system32\drivers\klin.dat
2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2009-07-14 04:41:57 174 --sha-w- c:\program files\desktop.ini
2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-06-10 21:26:35 9633792 --sha-r- c:\windows\fonts\StaticCache.dat
2010-03-17 16:52:40 245760 --sha-w- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2010-04-12 11:10:56 16384 --sha-w- c:\windows\temp\cookies\index.dat
2010-04-12 11:10:56 16384 --sha-w- c:\windows\temp\history\history.ie5\index.dat
2010-04-12 11:10:56 16384 --sha-w- c:\windows\temp\temporary internet files\content.ie5\index.dat
2009-07-14 01:14:45 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe

============= FINISH: 15:51:29.84 ===============
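As an added example (not part of this thread, and not code from the DDS tool), the following Python script pulls out of a DDS.txt the two things a responder reviews first in a log like the one above: the mPolicies-system UAC values and the SERVICES / DRIVERS entries, flagging the UAC settings that are switched off here and listing the boot- and system-start drivers. It assumes only the line formats visible in the posted log; the reading of the leading R/S letter and digit as run state and start type, the sample excerpt, and all function names are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed excerpt in the shape of the DDS.txt posted above (not the full log).
SAMPLE_LOG = r"""============== Pseudo HJT Report ===============

mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)

============= SERVICES / DRIVERS ===============

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2009-10-14 36880]
R1 GizmoDrv;Gizmo Device Driver;c:\windows\system32\drivers\gizmodrv.sys [2010-1-12 23624]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [2009-10-2 19472]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]

============= FINISH: 15:51:29.84 ===============
"""

SECTION_RE = re.compile(r"^=+\s*(.*?)\s*=+$")                 # '=== Title ==='
POLICY_RE = re.compile(r"^mPolicies-system:\s*(\w+)\s*=\s*(-?\d+)")
# 'R0 name;description;path [date size]'; the letter/digit reading below is an assumption.
DRIVER_RE = re.compile(r"^([RS])(\d)\s+([^;]+);([^;]*);(.+?)\s+\[(\S+)\s+(\d+)\]$")

@dataclass
class Driver:
    running: bool     # assumed: 'R' = running, 'S' = stopped
    start_type: int   # assumed: 0 boot, 1 system, 2 auto, 3 demand
    name: str
    description: str
    path: str
    date: str
    size: int

def split_sections(text: str) -> dict:
    """Group non-blank lines under the '=== Title ===' header that precedes them."""
    sections = {}
    current = "preamble"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1)
            sections.setdefault(current, [])
        else:
            sections.setdefault(current, []).append(line)
    return sections

def parse_policies(lines: list) -> dict:
    """Collect the Policies/System values DDS prints as 'mPolicies-system: Name = N (0xN)'."""
    found = (POLICY_RE.match(line) for line in lines)
    return {m.group(1): int(m.group(2)) for m in found if m}

def parse_drivers(lines: list) -> list:
    """Parse each SERVICES / DRIVERS entry into its fields."""
    drivers = []
    for line in lines:
        m = DRIVER_RE.match(line)
        if m:
            drivers.append(Driver(m.group(1) == "R", int(m.group(2)), m.group(3).strip(),
                                  m.group(4).strip(), m.group(5).strip(), m.group(6),
                                  int(m.group(7))))
    return drivers

def uac_findings(policies: dict) -> list:
    """Flag UAC settings that remove the elevation boundary a user-mode dropper would hit."""
    findings = []
    if policies.get("EnableLUA") == 0:
        findings.append("EnableLUA = 0: UAC is disabled, admin processes run fully elevated")
    if policies.get("ConsentPromptBehaviorAdmin") == 0:
        findings.append("ConsentPromptBehaviorAdmin = 0: administrators elevate without a prompt")
    if policies.get("PromptOnSecureDesktop") == 0:
        findings.append("PromptOnSecureDesktop = 0: elevation prompts bypass the secure desktop")
    return findings

def triage(text: str) -> dict:
    """Summarise the parts of a DDS log a responder reviews first."""
    sections = split_sections(text)
    policies = parse_policies(sections.get("Pseudo HJT Report", []))
    drivers = parse_drivers(sections.get("SERVICES / DRIVERS", []))
    # Boot/system-start drivers load before user-mode security tools, which is the layer a
    # kernel rootkit such as TDL3 lives in. A driver the rootkit hides will not be listed
    # at all, so a clean list here does not clear the machine; it only narrows the review.
    early_start = [d for d in drivers if d.start_type <= 1]
    return {"policies": policies, "findings": uac_findings(policies),
            "drivers": drivers, "early_start": early_start}

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for finding in result["findings"]:
        print("FINDING:", finding)
    for d in result["early_start"]:
        print(f"early-start driver {d.name}: {d.path} [{d.date}, {d.size} bytes]")
```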


#2 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:09:11 PM

Posted 13 August 2010 - 09:57 AM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together.
  1. Do not run any other tool until instructed to do so!
  2. Please do not attach logs or put them in code boxes.
  3. Tell me about any problems that have occurred during the fix.
  4. Tell me of any other symptoms you may be having as these can help also.
  5. Do not run anything while running a fix.

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

In order for me to see the status of the infection I will need a new set of logs to start with.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

DeFogger:
    Please download DeFogger to your desktop.

    Double click DeFogger to run the tool.
    • The application window will appear
    • Click the Disable button to disable your CD Emulation drivers
    • Click Yes to continue
    • A 'Finished!' message will appear
    • Click OK
    • DeFogger may ask you to reboot the machine, if it does - click OK
    Do not re-enable these drivers until otherwise instructed.

Download DDS:
    Please download DDS by sUBs from one of the links below and save it to your desktop:


    Download DDS and save it to your desktop

    Link1
    Link2
    Link3

    Please disable any anti-malware program that will block scripts from running before running DDS.
    • Double-click on dds.scr and a command window will appear. This is normal.
    • Shortly after, two logs will appear:
      • DDS.txt
      • Attach.txt
    • A window will open instructing you to save & post the logs
    • Save the logs to a convenient place such as your desktop
    • Copy the contents of both logs & post in your next reply

Scan With RKUnHooker
  • Please download Rootkit Unhooker and save it to your desktop.
  • Now double-click on RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Check (tick) Drivers and Stealth. Uncheck the rest, then click OK.
  • Wait till the scanner has finished and then click File, Save Report.
  • Save the report somewhere where you can find it. Click Close.
Copy the entire contents of the report and paste it in a reply here.

Note: you may get this warning; it is OK, just ignore it:

"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"


MBRCheck

Please also download MBRCheck to your desktop
  • Double-click MBRCheck.exe to run it (Vista and Win 7: right-click and select Run as Administrator)
  • It will show a black screen with some data on it
  • A report called MBRCheck will be on your desktop
  • Open this report
  • Right-click on the screen and select > Select All
  • Press Control+C
  • Now please copy that report to this thread


Information and logs:
    In your next post I need the following
      1. logs from DDS
      2. log from RKUnHooker
      3. report from MBRCheck
      4. let me know of any problems you may have had

Gringo


I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#3 7throck

7throck
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:02:11 AM

Posted 14 August 2010 - 09:24 AM

Hi Gringo,

Thank you for your help, it is very much appreciated! I have pasted the logs you requested below, didn't have any problems going through the steps. Symptoms remain the same as in my first post, mainly pop ups (using my own search terms) in IE and Google redirects in Firefox, plus Windows Update fails. Last night things were running slow for a while and I noticed heavy CPU usage on a single svchost.exe instance, but that could've been legitimate.

Thanks again



DDS (Ver_10-03-17.01) - NTFSx86
Run by kitten at 14:57:19.10 on 14/08/2010
Internet Explorer: 8.0.7600.16385
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.44.1033.18.3582.2251 [GMT 1:00]


============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Gizmo\gservice.exe
C:\Program Files\Hotspot Shield\bin\openvpnas.exe
C:\Program Files\Hotspot Shield\bin\hsswd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Windows\system32\taskhost.exe
C:\Program Files\FBackup\fbaSched.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\StarDock\ObjectDock.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Windows\system32\conhost.exe
C:\Program Files\PhotoJoy\bin\PjApp.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\System32\svchost.exe -k secsvcs
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
D:\Desktop\dds.com
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyOverride = *.local
BHO: ContributeBHO Class: {074c1dc5-9320-4a9a-947d-c042949c6216} - c:\program files\adobe\/Adobe Contribute CS4/contributeieplugin.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\program files\kaspersky lab\kaspersky anti-virus 2010\ievkbd.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\bin\jp2ssv.dll
BHO: FilterBHO Class: {e33cf602-d945-461a-83f0-819f76a199f8} - c:\program files\kaspersky lab\kaspersky anti-virus 2010\klwtbbho.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Hotspot Shield Class: {f9e4a054-e9b1-4bc3-83a3-76a1ae736170} - c:\program files\hotspot shield\hssie\HssIE.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Contribute Toolbar: {517bdde4-e3a7-4570-b21e-2b52b6139fc7} - c:\program files\adobe\/Adobe Contribute CS4/contributeieplugin.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [PeerBlock] c:\program files\peerblock\peerblock.exe
uRun: [FBackup Scheduler]
uRun: [GizmoDriveDelegate] RUNDLL32.EXE c:\progra~1\gizmo\GDRIVE.DLL,Remount_Startup_Images
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky anti-virus 2010\avp.exe"
StartupFolder: c:\users\kitten\appdata\roaming\micros~1\windows\startm~1\programs\startup\photojoy.lnk - c:\windows\installer\{15482d1c-117b-4201-8d39-985a91ed8433}\NewShortcut2_A7A7785B169C43C9B65206C336C01701.exe
StartupFolder: c:\users\kitten\appdata\roaming\micros~1\windows\startm~1\programs\startup\stardo~1.lnk - c:\program files\stardock\ObjectDock.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: Add to Evernote - c:\program files\evernote\enbar.dll/2000
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {4248FE82-7FCB-46AC-B270-339F08212110} - {4248FE82-7FCB-46AC-B270-339F08212110} - c:\program files\kaspersky lab\kaspersky anti-virus 2010\klwtbbho.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {CCF151D8-D089-449F-A5A4-D9909053F20F} - {CCF151D8-D089-449F-A5A4-D9909053F20F} - c:\program files\kaspersky lab\kaspersky anti-virus 2010\klwtbbho.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100
Notify: klogon - c:\windows\system32\klogon.dll
AppInit_DLLs: c:\progra~1\kasper~2\kasper~1\mzvkbd3.dll

============= SERVICES / DRIVERS ===============

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2009-10-14 36880]
R1 GizmoDrv;Gizmo Device Driver;c:\windows\system32\drivers\gizmodrv.sys [2010-1-12 23624]
R1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;c:\windows\system32\drivers\klim6.sys [2009-11-3 21520]
R2 AVP;Kaspersky Anti-Virus;c:\program files\kaspersky lab\kaspersky anti-virus 2010\avp.exe [2009-10-20 340456]
R2 Gizmo Central;Gizmo Central;c:\program files\gizmo\gservice.exe [2010-1-12 31856]
R2 HssWd;Hotspot Shield Monitoring Service;c:\program files\hotspot shield\bin\hsswd.exe [2010-1-9 285744]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [2009-10-2 19472]
R3 netw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\netw5v32.sys [2009-6-10 4231168]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\drivers\VSTAZL3.SYS [2009-7-13 207360]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\drivers\VSTDPV3.SYS [2009-7-13 980992]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\drivers\VSTCNXT3.SYS [2009-7-13 661504]
S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\common files\adobe\adobe version cue cs4\server\bin\VersionCueCS4.exe [2008-8-15 284016]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 pbfilter;pbfilter;c:\program files\peerblock\pbfilter.sys [2010-3-15 16472]

=============== Created Last 30 ================

2010-08-14 13:55:38 0 ----a-w- c:\users\kitten\defogger_reenable
2010-08-14 05:16:08 588 --sha-w- c:\windows\KLIF.spi
2010-08-05 11:34:47 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-08-05 11:32:33 0 d-----w- c:\programdata\Hitman Pro
2010-08-05 11:32:31 0 d-----w- c:\program files\Hitman Pro 3.5
2010-07-23 12:03:00 0 d-----w- c:\windows\pss
2010-07-20 13:04:28 0 d-----w- c:\programdata\Sun
2010-07-20 13:03:45 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-20 12:39:11 0 d-----w- c:\users\kitten\appdata\roaming\Malwarebytes
2010-07-20 12:38:58 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-20 12:38:56 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-20 12:38:56 0 d-----w- c:\programdata\Malwarebytes
2010-07-20 12:38:56 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-20 12:09:08 0 d-----w- c:\users\kitten\appdata\roaming\B70F8B047D889260107AC44082F0C258

==================== Find3M ====================

2010-07-30 00:01:20 97549 ----a-w- c:\windows\system32\drivers\klick.dat
2010-07-30 00:01:20 113933 ----a-w- c:\windows\system32\drivers\klin.dat
2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2009-07-14 04:41:57 174 --sha-w- c:\program files\desktop.ini
2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-06-10 21:26:35 9633792 --sha-r- c:\windows\fonts\StaticCache.dat
2010-03-17 16:52:40 245760 --sha-w- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2010-04-12 11:10:56 16384 --sha-w- c:\windows\temp\cookies\index.dat
2010-04-12 11:10:56 16384 --sha-w- c:\windows\temp\history\history.ie5\index.dat
2010-04-12 11:10:56 16384 --sha-w- c:\windows\temp\temporary internet files\content.ie5\index.dat
2009-07-14 01:14:45 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe

============= FINISH: 14:59:25.73 ===============




DDS (Ver_10-03-17.01)

Microsoft Windows 7 Ultimate
Boot Device: \Device\HarddiskVolume1
Install Date: 11/01/2010 21:04:40
System Uptime: 13/08/2010 11:47:43 (27 hours ago)

Motherboard: Dell Inc. | | 0UK435
Processor: Intel® Core™2 Duo CPU T7700 @ 2.40GHz | Microprocessor | 1176/200mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 98 GiB total, 49.861 GiB free.
D: is FIXED (NTFS) - 135 GiB total, 126.105 GiB free.
E: is FIXED (NTFS) - 233 GiB total, 97.921 GiB free.
F: is CDROM (UDF)

==== Disabled Device Manager Items =============

Class GUID:
Description: Base System Device
Device ID: PCI\VEN_1180&DEV_0843&SUBSYS_01F21028&REV_12\4&1237F73F&0&0AF0
Manufacturer:
Name: Base System Device
PNP Device ID: PCI\VEN_1180&DEV_0843&SUBSYS_01F21028&REV_12\4&1237F73F&0&0AF0
Service:

Class GUID:
Description: Base System Device
Device ID: PCI\VEN_1180&DEV_0592&SUBSYS_01F21028&REV_12\4&1237F73F&0&0BF0
Manufacturer:
Name: Base System Device
PNP Device ID: PCI\VEN_1180&DEV_0592&SUBSYS_01F21028&REV_12\4&1237F73F&0&0BF0
Service:

==== System Restore Points ===================

RP46: 04/08/2010 00:58:08 - Scheduled Checkpoint
RP47: 05/08/2010 01:08:20 - Installed Microsoft Fix it 50202
RP48: 12/08/2010 20:15:25 - Scheduled Checkpoint

==== Installed Programs ======================

2007 Microsoft Office Suite Service Pack 2 (SP2)
7-Zip 4.65
Acrobat.com
Adobe Acrobat 9 Pro - English, Français, Deutsch
Adobe After Effects CS4
Adobe After Effects CS4 Presets
Adobe AIR
Adobe Anchor Service CS4
Adobe Asset Services CS4
Adobe Bridge CS4
Adobe CMaps CS4
Adobe Color - Photoshop Specific CS4
Adobe Color EU Extra Settings CS4
Adobe Color JA Extra Settings CS4
Adobe Color NA Recommended Settings CS4
Adobe Color Video Profiles AE CS4
Adobe Color Video Profiles CS CS4
Adobe Contribute CS4
Adobe Creative Suite 4 Master Collection
Adobe CS4 American English Speech Analysis Models
Adobe CSI CS4
Adobe Default Language CS4
Adobe Device Central CS4
Adobe Dreamweaver CS4
Adobe Drive CS4
Adobe Dynamiclink Support
Adobe Encore CS4
Adobe ExtendScript Toolkit CS4
Adobe Extension Manager CS4
Adobe Fireworks CS4
Adobe Flash CS4
Adobe Flash CS4 Extension - Flash Lite STI en
Adobe Flash CS4 STI-en
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Fonts All
Adobe Illustrator CS4
Adobe InDesign CS4
Adobe InDesign CS4 Application Feature Set Files (Roman)
Adobe InDesign CS4 Common Base Files
Adobe InDesign CS4 Icon Handler
Adobe Linguistics CS4
Adobe Media Encoder CS4
Adobe Media Encoder CS4 Additional Exporter
Adobe Media Encoder CS4 Dolby
Adobe Media Player
Adobe MotionPicture Color Files CS4
Adobe OnLocation CS4
Adobe Output Module
Adobe PDF Library Files CS4
Adobe Photoshop CS4
Adobe Photoshop CS4 Support
Adobe Premiere Pro CS4
Adobe Premiere Pro CS4 Functional Content
Adobe Search for Help
Adobe Service Manager Extension
Adobe Setup
Adobe SGM CS4
Adobe SING CS4
Adobe Soundbooth CS4
Adobe Type Support CS4
Adobe Update Manager CS4
Adobe Version Cue CS4 Server
Adobe WinSoft Linguistics Plugin
Adobe XMP Panels CS4
AdobeColorCommonSetCMYK
AdobeColorCommonSetRGB
Advanced SystemCare 3
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Bonjour
Connect
Dell Touchpad
Evernote
FBackup 4
FileZilla Client 3.3.1
Gizmo Central
HijackThis 2.0.2
Hitman Pro 3.5
Hotspot Shield 1.37
iTunes
Java Auto Updater
Java™ 6 Update 20
Junk Mail filter update
Kaspersky Anti-Virus 2010
kuler
Laptop Integrated Webcam Driver (1.04.01.1011)
Liquid Story Binder XE 4.81
Malwarebytes' Anti-Malware
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Professional Plus 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Mp3tag v2.45a
MSVCRT
NVIDIA Drivers
NVIDIA PhysX
ObjectDock
PDF Settings CS4
PeerBlock 1.0.0 (r181)
PhotoJoy
Photoshop Camera Raw
Pixel Bender Toolkit
QuickTime
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB976321)
Security Update for 2007 Microsoft Office System (KB978380)
Security Update for Microsoft Office Excel 2007 (KB978382)
Security Update for Microsoft Office Outlook 2007 (KB972363)
Security Update for Microsoft Office PowerPoint 2007 (KB957789)
Security Update for Microsoft Office Publisher 2007 (KB980470)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB969613)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Skype™ 4.2
Suite Shared Configuration CS4
Update for 2007 Microsoft Office System (KB967642)
Update for 2007 Microsoft Office System (KB981715)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office Access 2007 Help (KB963663)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office InfoPath 2007 (KB976416)
Update for Microsoft Office Infopath 2007 Help (KB963662)
Update for Microsoft Office Outlook 2007 Help (KB963677)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Publisher 2007 Help (KB963667)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 (KB974561)
Update for Microsoft Office Word 2007 Help (KB963665)
Update for Outlook 2007 Junk Email Filter (kb981726)
VLC media player 1.0.3
Wikiquote Screensaver 2.0.0.1
Windows Live Communications Platform
Windows Live Essentials
Windows Live Mail
Windows Live Sign-in Assistant
Windows Live Upload Tool
Windows Live Writer

==== Event Viewer Messages From Past Week ========

14/08/2010 02:21:21, Error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Management Instrumentation service, but this action failed with the following error: An instance of the service is already running.
14/08/2010 02:21:21, Error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Computer Browser service, but this action failed with the following error: An instance of the service is already running.
14/08/2010 02:20:21, Error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Server service, but this action failed with the following error: An instance of the service is already running.
14/08/2010 02:19:21, Error: Service Control Manager [7031] - The Windows Update service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
14/08/2010 02:19:21, Error: Service Control Manager [7031] - The Windows Management Instrumentation service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
14/08/2010 02:19:21, Error: Service Control Manager [7031] - The User Profile Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
14/08/2010 02:19:21, Error: Service Control Manager [7031] - The Themes service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
14/08/2010 02:19:21, Error: Service Control Manager [7031] - The Task Scheduler service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
14/08/2010 02:19:21, Error: Service Control Manager [7031] - The System Event Notification Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
14/08/2010 02:19:21, Error: Service Control Manager [7031] - The Shell Hardware Detection service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
14/08/2010 02:19:21, Error: Service Control Manager [7031] - The Server service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
14/08/2010 02:19:21, Error: Service Control Manager [7031] - The IP Helper service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
14/08/2010 02:19:21, Error: Service Control Manager [7031] - The IKE and AuthIP IPsec Keying Modules service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
14/08/2010 02:19:21, Error: Service Control Manager [7031] - The Group Policy Client service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
14/08/2010 02:19:21, Error: Service Control Manager [7031] - The Extensible Authentication Protocol service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
14/08/2010 02:19:21, Error: Service Control Manager [7031] - The Computer Browser service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
14/08/2010 02:19:21, Error: Service Control Manager [7031] - The Background Intelligent Transfer Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
13/08/2010 11:50:34, Error: Microsoft-Windows-WMPNSS-Service [14332] - Service 'WMPNetworkSvc' did not start correctly because CoCreateInstance(CLSID_UPnPDeviceFinder) encountered error '0x80070308'. Verify that the UPnPHost service is running and that the UPnPHost component of Windows is installed properly.
13/08/2010 11:50:33, Error: Service Control Manager [7000] - The SSDP Discovery service failed to start due to the following error: The client of a component requested an operation which is not valid given the state of the component instance.
13/08/2010 11:48:38, Error: Service Control Manager [7000] - The Diagnostic Service Host service failed to start due to the following error: The client of a component requested an operation which is not valid given the state of the component instance.
13/08/2010 11:48:10, Error: volmgr [46] - Crash dump initialization failed!
11/08/2010 14:54:24, Error: Service Control Manager [7034] - The Windows Media Player Network Sharing Service service terminated unexpectedly. It has done this 3 time(s).
11/08/2010 14:53:14, Error: Service Control Manager [7031] - The Windows Media Player Network Sharing Service service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 30000 milliseconds: Restart the service.
11/08/2010 14:52:00, Error: Service Control Manager [7031] - The Windows Media Player Network Sharing Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 30000 milliseconds: Restart the service.
11/08/2010 12:46:19, Error: Service Control Manager [7000] - The WinHTTP Web Proxy Auto-Discovery Service service failed to start due to the following error: The client of a component requested an operation which is not valid given the state of the component instance.
10/08/2010 18:22:25, Error: cdrom [11] - The driver detected a controller error on \Device\CdRom0.
10/08/2010 02:00:33, Error: Disk [11] - The driver detected a controller error on \Device\Harddisk2\DR3.
09/08/2010 10:57:41, Error: Service Control Manager [7000] - The Computer Browser service failed to start due to the following error: The client of a component requested an operation which is not valid given the state of the component instance.
09/08/2010 10:57:30, Error: Service Control Manager [7000] - The Human Interface Device Access service failed to start due to the following error: The client of a component requested an operation which is not valid given the state of the component instance.

==== End Of File ===========================



RkU Version: 3.8.388.590, Type LE (SR2)
==============================================
OS Name: Windows 7
Version 6.1.7600
Number of processors #2
==============================================
>Drivers
==============================================
0x93429000 C:\Windows\system32\DRIVERS\nvlddmkm.sys 11509760 bytes (NVIDIA Corporation, NVIDIA Windows Kernel Mode Driver, Version 195.62 )
0x91A24000 C:\Windows\system32\DRIVERS\kl1.sys 5373952 bytes (Kaspersky Lab, Kaspersky Unified Driver)
0x9262C000 C:\Windows\system32\DRIVERS\netw5v32.sys 4272128 bytes (Intel Corporation, Intel® Wireless WiFi Link Driver)
0x82A4C000 C:\Windows\system32\ntkrnlpa.exe 4259840 bytes (Microsoft Corporation, NT Kernel & System)
0x82A4C000 PnpManager 4259840 bytes
0x82A4C000 RAW 4259840 bytes
0x82A4C000 WMIxWDM 4259840 bytes
0x98210000 Win32k 2400256 bytes
0x98210000 C:\Windows\System32\win32k.sys 2400256 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0x8C610000 C:\Windows\System32\drivers\tcpip.sys 1347584 bytes (Microsoft Corporation, TCP/IP Driver)
0x8C232000 C:\Windows\System32\Drivers\Ntfs.sys 1241088 bytes (Microsoft Corporation, NT File System Driver)
0x94247000 C:\Windows\system32\DRIVERS\VSTDPV3.SYS 1056768 bytes (Conexant Systems, Inc., HSF_DP driver)
0x93F25000 C:\Windows\System32\drivers\dxgkrnl.sys 749568 bytes (Microsoft Corporation, DirectX Graphics Kernel)
0x8C40E000 C:\Windows\system32\drivers\ndis.sys 749568 bytes (Microsoft Corporation, NDIS 6.20 driver)
0x94349000 C:\Windows\system32\DRIVERS\VSTCNXT3.SYS 741376 bytes (Conexant Systems, Inc., HSF_CNXT driver)
0x83102000 C:\Windows\system32\CI.dll 700416 bytes (Microsoft Corporation, Code Integrity Module)
0xA0E31000 C:\Windows\system32\drivers\peauth.sys 618496 bytes (Microsoft Corporation, Protected Environment Authentication and Authorization Export Driver)
0x978A6000 C:\Windows\system32\drivers\HTTP.sys 544768 bytes (Microsoft Corporation, HTTP Protocol Stack)
0x8302F000 C:\Windows\system32\mcupdate_GenuineIntel.dll 491520 bytes (Microsoft Corporation, Intel Microcode Update Library)
0x83214000 C:\Windows\system32\drivers\Wdf01000.sys 462848 bytes (Microsoft Corporation, Kernel Mode Driver Framework Runtime)
0x82270000 C:\Windows\System32\Drivers\bthport.sys 409600 bytes (Microsoft Corporation, Bluetooth Bus Driver)
0x9117A000 C:\Windows\system32\drivers\csc.sys 409600 bytes (Microsoft Corporation, Windows Client Side Caching Driver)
0x8C39F000 C:\Windows\System32\Drivers\cng.sys 380928 bytes (Microsoft Corporation, Kernel Cryptography, Next Generation)
0x91F44000 C:\Windows\system32\drivers\afd.sys 368640 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0x91018000 C:\Windows\system32\DRIVERS\klif.sys 331776 bytes (Kaspersky Lab, Klif Mini-Filter [fre_wlh_x86])
0x92A95000 C:\Windows\system32\DRIVERS\rixdptsk.sys 331776 bytes (REDC, RICOH XD SM Driver)
0xA0F4F000 C:\Windows\System32\DRIVERS\srv.sys 331776 bytes (Microsoft Corporation, Server driver)
0x91980000 C:\Windows\system32\drivers\HdAudio.sys 327680 bytes (Microsoft Corporation, High Definition Audio Function Driver)
0xA0F00000 C:\Windows\System32\DRIVERS\srv2.sys 323584 bytes (Microsoft Corporation, Smb 2.0 Server driver)
0x984C0000 C:\Windows\System32\ATMFD.DLL 315392 bytes (Adobe Systems Incorporated, Windows NT OpenType/Type 1 Font Driver)
0x91870000 C:\Windows\system32\DRIVERS\USBPORT.SYS 307200 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0x83355000 C:\Windows\System32\drivers\volmgrx.sys 307200 bytes (Microsoft Corporation, Volume Manager Extension Driver)
0x83293000 C:\Windows\system32\DRIVERS\ACPI.sys 294912 bytes (Microsoft Corporation, ACPI Driver for NT)
0x9783D000 C:\Windows\system32\DRIVERS\nwifi.sys 286720 bytes (Microsoft Corporation, NativeWiFi Miniport Driver)
0x9192B000 C:\Windows\system32\DRIVERS\usbhub.sys 278528 bytes (Microsoft Corporation, Default Hub Driver for USB)
0x830C0000 C:\Windows\system32\CLFS.SYS 270336 bytes (Microsoft Corporation, Common Log File System Driver)
0x91114000 C:\Windows\system32\DRIVERS\rdbss.sys 266240 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0x82366000 C:\Windows\system32\DRIVERS\udfs.sys 262144 bytes (Microsoft Corporation, UDF File System Driver)
0x8C793000 C:\Windows\system32\DRIVERS\volsnap.sys 258048 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0x8C4C5000 C:\Windows\system32\drivers\NETIO.SYS 253952 bytes (Microsoft Corporation, Network I/O Subsystem)
0x9420A000 C:\Windows\system32\DRIVERS\VSTAZL3.SYS 249856 bytes (Conexant Systems, Inc., HSF_HWAZL WDM driver)
0x97979000 C:\Windows\system32\DRIVERS\mrxsmb10.sys 241664 bytes (Microsoft Corporation, Longhorn SMB Downlevel SubRdr)
0x82222000 C:\Windows\system32\DRIVERS\OEM02Dev.sys 237568 bytes (Creative Technology Ltd., Video Capture Device Driver)
0x9182C000 C:\Windows\System32\drivers\dxgmms1.sys 233472 bytes (Microsoft Corporation, DirectX Graphics MMS)
0x92AFE000 C:\Windows\system32\DRIVERS\Apfiltr.sys 229376 bytes (Alps Electric Co., Ltd., Alps Touch Pad Driver)
0x82A15000 ACPI_HAL 225280 bytes
0x82A15000 C:\Windows\system32\halmacpi.dll 225280 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0x831BA000 C:\Windows\system32\drivers\fltmgr.sys 212992 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0x918E9000 C:\Windows\system32\DRIVERS\ks.sys 212992 bytes (Microsoft Corporation, Kernel CSA Library)
0x8C555000 C:\Windows\System32\DRIVERS\fvevol.sys 204800 bytes (Microsoft Corporation, BitLocker Drive Encryption Driver)
0x91F9E000 C:\Windows\System32\DRIVERS\netbt.sys 204800 bytes (Microsoft Corporation, MBT Transport driver)
0x8C759000 C:\Windows\System32\drivers\fwpkclnt.sys 200704 bytes (Microsoft Corporation, FWP/IPsec Kernel-Mode API)
0x919D0000 C:\Windows\system32\drivers\portcls.sys 192512 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0x8C528000 C:\Windows\System32\drivers\rdyboost.sys 184320 bytes (Microsoft Corporation, ReadyBoost Driver)
0x92A50000 C:\Windows\system32\DRIVERS\1394ohci.sys 180224 bytes (Microsoft Corporation, 1394 OpenHCI Driver)
0x8C361000 C:\Windows\System32\Drivers\msrpc.sys 176128 bytes (Microsoft Corporation, Kernel Remote Procedure Call Provider)
0x832EC000 C:\Windows\system32\DRIVERS\pci.sys 172032 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
0x8C598000 C:\Windows\system32\DRIVERS\CLASSPNP.SYS 151552 bytes (Microsoft Corporation, SCSI Class System Dll)
0x8C503000 C:\Windows\System32\Drivers\ksecpkg.sys 151552 bytes (Microsoft Corporation, Kernel Security Support Provider Interface Packages)
0x82305000 C:\Windows\system32\DRIVERS\rfcomm.sys 147456 bytes (Microsoft Corporation, Bluetooth RFCOMM Driver)
0x833D4000 C:\Windows\system32\DRIVERS\ataport.SYS 143360 bytes (Microsoft Corporation, ATAPI Driver Extension)
0x97956000 C:\Windows\system32\DRIVERS\mrxsmb.sys 143360 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
0x92BAE000 C:\Windows\system32\DRIVERS\ndiswan.sys 139264 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
0xB807D000 C:\Windows\system32\drivers\mrxdav.sys 135168 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)
0xA0ED2000 C:\Windows\System32\DRIVERS\srvnet.sys 135168 bytes (Microsoft Corporation, Server Network driver)
0x8C5DC000 C:\Windows\system32\DRIVERS\tunnel.sys 135168 bytes (Microsoft Corporation, Microsoft Tunnel Interface Driver)
0x91083000 C:\Windows\System32\drivers\VIDEOPRT.SYS 135168 bytes (Microsoft Corporation, Video Port Driver)
0x8C5BD000 C:\Windows\system32\DRIVERS\cdrom.sys 126976 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
0x918CA000 C:\Windows\system32\DRIVERS\HDAudBus.sys 126976 bytes (Microsoft Corporation, High Definition Audio Bus Driver)
0x91FD7000 C:\Windows\system32\DRIVERS\pacer.sys 126976 bytes (Microsoft Corporation, QoS Packet Scheduler)
0x984A0000 C:\Windows\System32\cdd.dll 122880 bytes (Microsoft Corporation, Canonical Display Driver)
0x82336000 C:\Windows\system32\DRIVERS\bthpan.sys 110592 bytes (Microsoft Corporation, Bluetooth Personal Area Networking)
0x823BE000 C:\Windows\system32\drivers\luafv.sys 110592 bytes (Microsoft Corporation, LUA File Virtualization Filter Driver)
0x979B4000 C:\Windows\system32\DRIVERS\mrxsmb20.sys 110592 bytes (Microsoft Corporation, Longhorn SMB 2.0 Redirector)
0x823D9000 C:\Windows\system32\drivers\WudfPf.sys 106496 bytes (Microsoft Corporation, Windows Driver Foundation - User-mode Driver Framework Platform Driver)
0x9792B000 C:\Windows\system32\DRIVERS\bowser.sys 102400 bytes (Microsoft Corporation, NT Lan Manager Datagram Receiver Driver)
0x91800000 C:\Windows\system32\drivers\drmk.sys 102400 bytes (Microsoft Corporation, Microsoft Trusted Audio Drivers)
0x92A7C000 C:\Windows\system32\DRIVERS\sdbus.sys 102400 bytes (Microsoft Corporation, SecureDigital Bus Driver)
0x911DE000 C:\Windows\System32\Drivers\dfsc.sys 98304 bytes (Microsoft Corporation, DFS Namespace Client Driver)
0x92AE6000 C:\Windows\system32\DRIVERS\i8042prt.sys 98304 bytes (Microsoft Corporation, i8042 Port Driver)
0x92B8B000 C:\Windows\system32\DRIVERS\rasl2tp.sys 98304 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
0x92BD0000 C:\Windows\system32\DRIVERS\raspppoe.sys 98304 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
0x92BE8000 C:\Windows\system32\DRIVERS\raspptp.sys 94208 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
0x92600000 C:\Windows\system32\DRIVERS\rassstp.sys 94208 bytes (Microsoft Corporation, RAS SSTP Miniport Call Manager)
0x910E2000 C:\Windows\system32\DRIVERS\tdx.sys 94208 bytes (Microsoft Corporation, TDI Translation Driver)
0x93FDC000 C:\Windows\system32\DRIVERS\usbccgp.sys 94208 bytes (Microsoft Corporation, USB Common Class Generic Parent Driver)
0x833B5000 C:\Windows\System32\drivers\mountmgr.sys 90112 bytes (Microsoft Corporation, Mount Point Manager)
0x822DF000 C:\Windows\system32\DRIVERS\HIDCLASS.SYS 77824 bytes (Microsoft Corporation, Hid Class Library)
0x8C38C000 C:\Windows\System32\Drivers\ksecdd.sys 77824 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0x97893000 C:\Windows\system32\DRIVERS\rspndr.sys 77824 bytes (Microsoft Corporation, Link-Layer Topology Responder Driver for NDIS 6)
0x91A0E000 C:\Windows\system32\DRIVERS\wanarp.sys 77824 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
0x92B79000 C:\Windows\system32\DRIVERS\AgileVpn.sys 73728 bytes (Microsoft Corporation, RAS Agile Vpn Miniport Call Manager)
0x8225E000 C:\Windows\System32\Drivers\BTHUSB.sys 73728 bytes (Microsoft Corporation, Bluetooth Miniport Driver)
0x8C217000 C:\Windows\system32\DRIVERS\intelppm.sys 73728 bytes (Microsoft Corporation, Processor Device Driver)
0x97944000 C:\Windows\System32\drivers\mpsdrv.sys 73728 bytes (Microsoft Corporation, Microsoft Protection Service Driver)
0x979E7000 C:\Windows\System32\Drivers\adfs.SYS 69632 bytes (Adobe Systems, Inc., Adobe Drive File System Driver)
0x92A3F000 C:\Windows\system32\DRIVERS\bcm4sbxp.sys 69632 bytes (Broadcom Corporation, Broadcom Corporation NDIS 5.1 ethernet driver)
0x8C587000 C:\Windows\system32\DRIVERS\disk.sys 69632 bytes (Microsoft Corporation, PnP Disk Driver)
0x831EE000 C:\Windows\system32\drivers\fileinfo.sys 69632 bytes (Microsoft Corporation, FileInfo Filter Driver)
0x9196F000 C:\Windows\System32\Drivers\NDProxy.SYS 69632 bytes (Microsoft Corporation, NDIS Proxy)
0x83321000 C:\Windows\System32\drivers\partmgr.sys 69632 bytes (Microsoft Corporation, Partition Management Driver)
0x830A7000 C:\Windows\system32\PSHED.dll 69632 bytes (Microsoft Corporation, Platform Specific Hardware Error Driver)
0x82200000 C:\Windows\system32\DRIVERS\lltdio.sys 65536 bytes (Microsoft Corporation, Link-Layer Topology Mapper I/O Driver)
0x8C7DA000 C:\Windows\System32\Drivers\mup.sys 65536 bytes (Microsoft Corporation, Multiple UNC Provider Driver)
0x97883000 C:\Windows\system32\DRIVERS\ndisuio.sys 65536 bytes (Microsoft Corporation, NDIS User mode I/O driver)
0x91104000 C:\Windows\system32\DRIVERS\termdd.sys 65536 bytes (Microsoft Corporation, Remote Desktop Server Driver)
0x83345000 C:\Windows\system32\DRIVERS\volmgr.sys 65536 bytes (Microsoft Corporation, Volume Manager Driver)
0x918BB000 C:\Windows\system32\DRIVERS\usbehci.sys 61440 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
0x91000000 C:\Windows\system32\DRIVERS\blbdrive.sys 57344 bytes (Microsoft Corporation, BLB Drive Driver)
0x91A00000 C:\Windows\system32\DRIVERS\netbios.sys 57344 bytes (Microsoft Corporation, NetBIOS interface driver)
0x910D4000 C:\Windows\System32\Drivers\Npfs.SYS 57344 bytes (Microsoft Corporation, NPFS Driver)
0x833A7000 C:\Windows\system32\DRIVERS\PCIIDEX.SYS 57344 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
0x8C200000 C:\Windows\System32\drivers\pcw.sys 57344 bytes (Microsoft Corporation, Performance Counters for Windows Driver)
0x9191D000 C:\Windows\system32\DRIVERS\umbus.sys 57344 bytes (Microsoft Corporation, User-Mode Bus Enumerator)
0x83285000 C:\Windows\system32\drivers\WDFLDR.SYS 57344 bytes (Microsoft Corporation, Kernel Mode Driver Framework Loader)
0x82329000 C:\Windows\system32\DRIVERS\BthEnum.sys 53248 bytes (Microsoft Corporation, Bluetooth Bus Extender)
0x92B6C000 C:\Windows\system32\DRIVERS\CompositeBus.sys 53248 bytes (Microsoft Corporation, Multi-Transport Composite Bus Enumerator)
0x92B4C000 C:\Windows\system32\DRIVERS\kbdclass.sys 53248 bytes (Microsoft Corporation, Keyboard Class Driver)
0x831AD000 C:\Windows\system32\drivers\klbg.sys 53248 bytes (Kaspersky Lab, Kaspersky Lab Boot Guard Driver)
0x91819000 C:\Windows\system32\drivers\modem.sys 53248 bytes (Microsoft Corporation, Modem Device Driver)
0x92B3F000 C:\Windows\system32\DRIVERS\mouclass.sys 53248 bytes (Microsoft Corporation, Mouse Class Driver)
0xA0EF3000 C:\Windows\System32\drivers\tcpipreg.sys 53248 bytes (Microsoft Corporation, TCP/IP Registry Compatibility Driver)
0x910A4000 C:\Windows\System32\drivers\watchdog.sys 53248 bytes (Microsoft Corporation, Watchdog Driver)
0x9116E000 C:\Windows\System32\drivers\discache.sys 49152 bytes (Microsoft Corporation, System Indexer/Cache Driver)
0x822F9000 C:\Windows\system32\DRIVERS\kbdhid.sys 49152 bytes (Microsoft Corporation, HID Keyboard Filter Driver)
0x91077000 C:\Windows\System32\drivers\vga.sys 49152 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
0x8333A000 C:\Windows\system32\DRIVERS\BATTC.SYS 45056 bytes (Microsoft Corporation, Battery Class Driver)
0x822D4000 C:\Windows\system32\DRIVERS\hidusb.sys 45056 bytes (Microsoft Corporation, USB Miniport Driver for Input Devices)
0x823A6000 C:\Windows\system32\DRIVERS\monitor.sys 45056 bytes (Microsoft Corporation, Monitor Driver)
0x82351000 C:\Windows\system32\DRIVERS\mouhid.sys 45056 bytes (Microsoft Corporation, HID Mouse Filter Driver)
0x910C9000 C:\Windows\System32\Drivers\Msfs.SYS 45056 bytes (Microsoft Corporation, Mailslot driver)
0x92BA3000 C:\Windows\system32\DRIVERS\ndistapi.sys 45056 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
0x910F9000 C:\Windows\system32\DRIVERS\TDI.SYS 45056 bytes (Microsoft Corporation, TDI Wrapper)
0x91865000 C:\Windows\system32\DRIVERS\usbuhci.sys 45056 bytes (Microsoft Corporation, UHCI USB Miniport Driver)
0x83316000 C:\Windows\system32\DRIVERS\vdrvroot.sys 45056 bytes (Microsoft Corporation, Virtual Drive Root Enumerator)
0x8235C000 C:\Windows\System32\drivers\Dxapi.sys 40960 bytes (Microsoft Corporation, DirectX API Driver)
0x83200000 C:\Windows\system32\DRIVERS\msahci.sys 40960 bytes (Microsoft Corporation, MS AHCI 1.0 Standard Driver)
0x9115F000 C:\Windows\system32\DRIVERS\mssmbios.sys 40960 bytes (Microsoft Corporation, System Management BIOS Driver)
0x91155000 C:\Windows\system32\drivers\nsiproxy.sys 40960 bytes (Microsoft Corporation, NSI Proxy)
0x83000000 C:\Windows\System32\Drivers\PxHelp20.sys 40960 bytes (Sonic Solutions, Px Engine Device Driver for Windows 2000/XP)
0x9261E000 C:\Windows\system32\DRIVERS\rdpbus.sys 40960 bytes (Microsoft Corporation, Microsoft RDP Bus Device driver)
0xA0EC8000 C:\Windows\System32\Drivers\secdrv.SYS 40960 bytes (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K., Macrovision SECURITY Driver)
0x8320A000 C:\Windows\system32\DRIVERS\amdxata.sys 36864 bytes (Advanced Micro Devices, Storage Filter Driver)
0xB8074000 C:\Windows\system32\DRIVERS\asyncmac.sys 36864 bytes (Microsoft Corporation, MS Remote Access serial network driver)
0x833CB000 C:\Windows\system32\DRIVERS\atapi.sys 36864 bytes (Microsoft Corporation, ATAPI IDE Miniport Driver)
0x8C20E000 C:\Windows\System32\Drivers\Fs_Rec.sys 36864 bytes (Microsoft Corporation, File System Recognizer Driver)
0x92B36000 C:\Windows\system32\DRIVERS\klmouflt.sys 36864 bytes (Kaspersky Lab, KLMOUFLT Mouse Device Filter [fre_wlh_x86])
0xB809E000 C:\Windows\System32\Drivers\Normandy.SYS 36864 bytes (RKU Driver)
0x98470000 C:\Windows\System32\TSDDD.dll 36864 bytes (Microsoft Corporation, Framebuffer Display Driver)
0x8C78A000 C:\Windows\system32\DRIVERS\vmstorfl.sys 36864 bytes (Microsoft Corporation, Virtual Storage Filter Driver)
0x92B63000 C:\Windows\system32\DRIVERS\wmiacpi.sys 36864 bytes (Microsoft Corporation, Windows Management Interface for ACPI)
0x832DB000 C:\Windows\system32\DRIVERS\WMILIB.SYS 36864 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
0x830B8000 C:\Windows\system32\BOOTVID.dll 32768 bytes (Microsoft Corporation, VGA Boot Driver)
0x83332000 C:\Windows\system32\DRIVERS\compbatt.sys 32768 bytes (Microsoft Corporation, Composite Battery Driver)
0x8C7EA000 C:\Windows\System32\drivers\hwpolicy.sys 32768 bytes (Microsoft Corporation, Hardware Policy Driver)
0x8A481000 C:\Windows\system32\kdcom.dll 32768 bytes (Microsoft Corporation, Serial Kernel Debugger)
0x832E4000 C:\Windows\system32\DRIVERS\msisadrv.sys 32768 bytes (Microsoft Corporation, ISA Driver)
0x910B1000 C:\Windows\System32\DRIVERS\RDPCDD.sys 32768 bytes (Microsoft Corporation, RDP Miniport)
0x910B9000 C:\Windows\system32\drivers\rdpencdd.sys 32768 bytes (Microsoft Corporation, RDP Encoder Miniport)
0x910C1000 C:\Windows\system32\drivers\rdprefmp.sys 32768 bytes (Microsoft Corporation, RDP Reflector Driver Miniport)
0x8C7D2000 C:\Windows\System32\Drivers\spldr.sys 32768 bytes (Microsoft Corporation, loader for security processor)
0x91070000 C:\Windows\System32\Drivers\Beep.SYS 28672 bytes (Microsoft Corporation, BEEP Driver)
0x822F2000 C:\Windows\system32\DRIVERS\HIDPARSE.SYS 28672 bytes (Microsoft Corporation, Hid Parsing Library)
0x833A0000 C:\Windows\system32\DRIVERS\intelide.sys 28672 bytes (Microsoft Corporation, Intel PCI IDE Driver)
0x91FF6000 C:\Windows\system32\DRIVERS\klim6.sys 28672 bytes (Kaspersky Lab, Kaspersky Lab Intermediate Network Driver)
0x91069000 C:\Windows\System32\Drivers\Null.SYS 28672 bytes (Microsoft Corporation, NULL Driver)
0x92617000 C:\Windows\system32\DRIVERS\taphss.sys 28672 bytes (AnchorFree Inc, TAP-Win32 Virtual Network Driver)
0x91FD0000 C:\Windows\system32\DRIVERS\wfplwf.sys 28672 bytes (Microsoft Corporation, WFP NDIS 6.20 Lightweight Filter Driver)
0x92B59000 C:\Windows\system32\DRIVERS\GEARAspiWDM.sys 24576 bytes (GEAR Software Inc., CD DVD Filter)
0x91169000 C:\Windows\System32\Drivers\GizmoDrv.SYS 20480 bytes (Arainia Solutions LLC, Gizmo Drive, kernel-mode device driver)
0x92B5F000 C:\Windows\system32\DRIVERS\CmBatt.sys 16384 bytes (Microsoft Corporation, Control Method Battery Driver)
0x93F23000 C:\Windows\system32\DRIVERS\nvBridge.kmd 8192 bytes (NVIDIA Corporation, NVIDIA Compatible Windows Vista Kernel Mode Driver, Version 195.62 )
0x8225C000 C:\Windows\system32\DRIVERS\OEM02Vfx.sys 8192 bytes (EyePower Games Pte. Ltd., Advanced Video FX Filter Driver (Win2K based))
0x92628000 C:\Windows\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
0x943FE000 C:\Windows\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
!!!!!!!!!!!Hidden driver: 0x868ADA17 ?_empty_? 1513 bytes
==============================================
>Stealth
==============================================
0x833CB000 WARNING: suspicious driver modification [atapi.sys::0x868ADA17]
0xB8034F2E Unknown thread object [ ETHREAD 0x85C5AD48 ] , 600 bytes



MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows 7 Ultimate Edition
Windows Information: (build 7600), 32-bit
Base Board Manufacturer: Dell Inc.
BIOS Manufacturer: Dell Inc.
System Manufacturer: Dell Inc.
System Product Name: Inspiron 1720
Logical Drives Mask: 0x0000003c

Kernel Drivers (total 173):
0x82A4C000 \SystemRoot\system32\ntkrnlpa.exe
0x82A15000 \SystemRoot\system32\halmacpi.dll
0x8A481000 \SystemRoot\system32\kdcom.dll
0x8302F000 \SystemRoot\system32\mcupdate_GenuineIntel.dll
0x830A7000 \SystemRoot\system32\PSHED.dll
0x830B8000 \SystemRoot\system32\BOOTVID.dll
0x830C0000 \SystemRoot\system32\CLFS.SYS
0x83102000 \SystemRoot\system32\CI.dll
0x831AD000 \SystemRoot\system32\drivers\klbg.sys
0x83214000 \SystemRoot\system32\drivers\Wdf01000.sys

Processes (total 54):

\\.\C: --> \\.\PhysicalDrive1 at offset 0x00000000`06500000 (NTFS)
\\.\D: --> \\.\PhysicalDrive1 at offset 0x00000018`6a100000 (NTFS)
\\.\E: --> \\.\PhysicalDrive0 at offset 0x00000000`00100000 (NTFS)

PhysicalDrive1 Model Number: SAMSUNGHM250JI, Rev: HS100-11
PhysicalDrive0 Model Number: WDCWD2500BEVS-75UST0, Rev: 01.01A01

Size Device Name MBR Status
--------------------------------------------
232 GB \\.\PhysicalDrive1 MBR Code Faked!
SHA1: 1BB72AA843C54C64E74C9F6C9BD22FA2AFA08966
232 GB \\.\PhysicalDrive0 Windows 2008 MBR code detected
SHA1: 8DF43F2BDE2D9451948FA14B5279969C777A7979


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:

Done!

#4 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 14 August 2010 - 09:31 AM

Hello 7throck

I would like to know if you have the Windows install CD.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run MBRCheck.exe
  • Run MBRCheck.exe
  • Wait until you see the following line: Enter 'Y' and hit ENTER for more options, or 'N' to exit:
  • Please push the 'Y' key and then press Enter
  • When the program asks you "Enter your choice:", enter 2 and press the Enter key
  • Now the program will ask you "Enter the physical disk number to fix (0-99, -1 to cancel):"
  • Enter 0 and press the Enter key.
  • The program will show "Available MBR codes:", followed by a list of operating systems. Please enter 5 for Windows 7, and then press Enter.
  • When asked "Do you want to fix the MBR code?", type in YES and press Enter
  • Restart your PC.


After you restart the PC
  • Double click MBRCheck.exe to run it (on Vista and Win 7, right click and select Run as Administrator)
  • It will show a black screen with some data on it
  • A report called MBRCheck will be on your desktop
  • Open this report
  • Right click on the screen and select > Select All
  • Press Control+C
  • Now please copy that report to this thread

Run Combofix:
    Please visit this webpage for download links, and instructions for running the tool:

    http://www.bleepingcomputer.com/combofix/how-to-use-combofix

    Please continue as follows:
    • Close/disable all antivirus and antimalware programs so they do not interfere with the running of ComboFix.
    • Click Yes to allow ComboFix to continue scanning for malware.

    When the tool is finished, it will produce a report for you.

    Please include the report in your next post:

    C:\ComboFix.txt

"information and logs"
    In your next post I need the following
    1. Log from Combofix
    2. report from MBRcheck
    3. let me know of any problems you may have had
    4. How is the computer doing now?

Gringo


I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#5 7throck

7throck
  • Topic Starter

  • Members
  • 8 posts

Posted 14 August 2010 - 03:43 PM

Hi Gringo,

Things didn't go too well, I'm afraid. I got through the first step, but then got a blue screen when I restarted. Trying again, I spent a long time at the welcome screen. I then ran MBRCheck again like you said and the log is below. Combofix asked to restart, I selected OK and on restart it ran with a blue window against a black screen for a bit, but then that blue screened too. I wrote down the details of both blue screens if they will help.

Oh and, yes, I do have the Windows CD.


MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows 7 Ultimate Edition
Windows Information: (build 7600), 32-bit
Base Board Manufacturer: Dell Inc.
BIOS Manufacturer: Dell Inc.
System Manufacturer: Dell Inc.
System Product Name: Inspiron 1720
Logical Drives Mask: 0x0000003c

Kernel Drivers (total 173):

Processes (total 56):

\\.\C: --> \\.\PhysicalDrive1 at offset 0x00000000`06500000 (NTFS)
\\.\D: --> \\.\PhysicalDrive1 at offset 0x00000018`6a100000 (NTFS)
\\.\E: --> \\.\PhysicalDrive0 at offset 0x00000000`00100000 (NTFS)

PhysicalDrive1 Model Number: SAMSUNGHM250JI, Rev: HS100-11
PhysicalDrive0 Model Number: WDCWD2500BEVS-75UST0, Rev: 01.01A01

Size Device Name MBR Status
--------------------------------------------
232 GB \\.\PhysicalDrive1 MBR Code Faked!
SHA1: 1BB72AA843C54C64E74C9F6C9BD22FA2AFA08966
232 GB \\.\PhysicalDrive0 Windows 2008 MBR code detected
SHA1: 8DF43F2BDE2D9451948FA14B5279969C777A7979


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:

Done!
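What both MBRCheck reports above come down to is the status table at the end: for each physical drive the tool prints a verdict and an SHA1 for the MBR, and "MBR Code Faked!" on PhysicalDrive1 is the line that matters. The Python below is an added example, not MBRCheck's own code: it parses that status table from the reports posted in this thread and applies the same allowlist idea to a raw 512-byte MBR sector. The report excerpt repeats the verdicts and SHA1 values as posted; the sample sector, its boot code bytes and the known-good hash set are constructed here and are not real Windows boot code.

```python
from __future__ import annotations

import hashlib
import re
import struct
from dataclasses import dataclass, field

# Status section of the MBRCheck reports posted in this thread (constructed
# excerpt for offline testing; verdicts and SHA1 values are as posted).
SAMPLE_REPORT = r"""
Size Device Name MBR Status
--------------------------------------------
232 GB \\.\PhysicalDrive1 MBR Code Faked!
SHA1: 1BB72AA843C54C64E74C9F6C9BD22FA2AFA08966
232 GB \\.\PhysicalDrive0 Windows 2008 MBR code detected
SHA1: 8DF43F2BDE2D9451948FA14B5279969C777A7979
"""

# One "<size> \\.\PhysicalDriveN <verdict>" line, then a "SHA1: <hex>" line.
STATUS_RE = re.compile(
    r"^(?P<size>\d+\s*[KMGT]?B)\s+(?P<device>\\\\\.\\PhysicalDrive\d+)\s+(?P<status>.+?)\s*$"
)
SHA1_RE = re.compile(r"^SHA1:\s*(?P<sha1>[0-9A-Fa-f]{40})\s*$")


@dataclass
class MbrRecord:
    size: str
    device: str
    status: str
    sha1: str = ""

    @property
    def suspicious(self) -> bool:
        # MBRCheck labels boot code it recognises "<OS> MBR code detected";
        # any other verdict ("MBR Code Faked!" above) needs a closer look.
        return not self.status.endswith("MBR code detected")


def parse_mbrcheck_report(text: str) -> list[MbrRecord]:
    """Return one record per physical drive in the report's status table."""
    records: list[MbrRecord] = []
    pending: MbrRecord | None = None
    for raw in text.splitlines():
        line = raw.strip()
        m = STATUS_RE.match(line)
        if m:
            pending = MbrRecord(m["size"], m["device"], m["status"])
            records.append(pending)
            continue
        m = SHA1_RE.match(line)
        if m and pending is not None:
            pending.sha1 = m["sha1"].upper()
            pending = None
    return records


def suspicious_devices(text: str) -> list[str]:
    return [r.device for r in parse_mbrcheck_report(text) if r.suspicious]


# Raw-sector version of the same idea: hash the 440-byte boot code (everything
# before the disk signature at 0x1B8) and compare it with an allowlist.
MBR_SIZE, CODE_LEN, PART_TABLE_OFF, BOOT_SIG = 512, 440, 0x1BE, b"\x55\xAA"


@dataclass
class RawMbrCheck:
    signature_ok: bool
    code_sha1: str
    code_known: bool
    active_partitions: int
    partition_types: list[int] = field(default_factory=list)


def check_raw_mbr(mbr: bytes, known_code_hashes: set[str]) -> RawMbrCheck:
    if len(mbr) != MBR_SIZE:
        raise ValueError("expected one 512-byte sector")
    code_sha1 = hashlib.sha1(mbr[:CODE_LEN]).hexdigest().upper()
    active, types = 0, []
    for i in range(4):  # four 16-byte partition entries
        entry = mbr[PART_TABLE_OFF + 16 * i : PART_TABLE_OFF + 16 * (i + 1)]
        if entry[4] == 0:  # partition type 0: empty slot
            continue
        types.append(entry[4])
        if entry[0] == 0x80:  # status byte: 0x80 marks the active partition
            active += 1
    return RawMbrCheck(mbr[510:] == BOOT_SIG, code_sha1,
                       code_sha1 in known_code_hashes, active, types)


def build_sample_mbr(code: bytes) -> bytes:
    """Constructed sector: given boot code, one active NTFS (0x07) partition
    at LBA 2048, a made-up disk signature, and the 0x55AA boot signature."""
    code = code.ljust(CODE_LEN, b"\x00")[:CODE_LEN]
    disk_sig = struct.pack("<I", 0x1234ABCD) + b"\x00\x00"
    entry = struct.pack("<BBBBBBBBII", 0x80, 0, 0, 0, 0x07, 0, 0, 0, 2048, 100000)
    return code + disk_sig + entry + b"\x00" * 48 + BOOT_SIG


# Placeholder "known good" boot code (constructed, not real Windows code).
SAMPLE_GOOD_CODE = b"\x33\xC0\x8E\xD0\xBC\x00\x7C"
SAMPLE_KNOWN_HASHES = {hashlib.sha1(SAMPLE_GOOD_CODE.ljust(CODE_LEN, b"\x00")).hexdigest().upper()}
```

A real allowlist would hold hashes of genuine boot code from the Windows versions in use; a sector whose code hash is unknown, or whose 0x55AA signature is missing, is what a report line like "MBR Code Faked!" points at.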

#6 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 14 August 2010 - 04:31 PM

Fix MBR Win 7
    1. Start your computer from the Windows Installation DVD
    2. Press a key when prompted to continue
    3. Choose your language, time, keyboard and click Next:
    4. Next, click "Repair your Computer":
    5. Now, from the System Recovery Options dialog, select the "Operating System" you want to repair, then click Next:
    6. From the "Choose a Recovery Tool" dialog menu, select "Command Prompt":
    7. Type the following into the "Command Prompt" window and press Enter after each line:
      bootrec.exe /fixmbr
      bootrec.exe /fixboot
    8. Remove the Installation DVD and restart your PC.

Rerun MBRCheck
  • Double click MBRCheck.exe to run it (on Vista and Win 7, right click and select Run as Administrator)
  • It will show a black screen with some data on it
  • A report called MBRCheck will be on your desktop
  • Open this report
  • Right click on the screen and select > Select All
  • Press Control+C
  • Now please copy that report to this thread

Please let me have the new MBRCheck report.

Note: If the computer did not boot from the CD, please see this page to change the boot order.

Gringo


#7 7throck

7throck
  • Topic Starter

  • Members
  • 8 posts

Posted 14 August 2010 - 07:55 PM

No problems this time.

Here's the report...

MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows 7 Ultimate Edition
Windows Information: (build 7600), 32-bit
Base Board Manufacturer: Dell Inc.
BIOS Manufacturer: Dell Inc.
System Manufacturer: Dell Inc.
System Product Name: Inspiron 1720
Logical Drives Mask: 0x0000003c

Kernel Drivers (total 186):
0x97B83000 \SystemRoot\system32\DRIVERS\monitor.sys
0x9A7E0000 \SystemRoot\System32\TSDDD.dll
0x9A420000 \SystemRoot\System32\cdd.dll
0x9A440000 \SystemRoot\System32\ATMFD.DLL
0x97B8E000 \SystemRoot\system32\drivers\luafv.sys
0x97BA9000 \SystemRoot\system32\drivers\WudfPf.sys
0x97BC3000 \SystemRoot\system32\DRIVERS\lltdio.sys
0x9860A000 \SystemRoot\system32\DRIVERS\nwifi.sys
0x98650000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0x98660000 \SystemRoot\system32\DRIVERS\rspndr.sys
0x98673000 \SystemRoot\system32\drivers\HTTP.sys
0x986F8000 \SystemRoot\system32\DRIVERS\bowser.sys
0x98711000 \SystemRoot\System32\drivers\mpsdrv.sys
0x98723000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0x98746000 \SystemRoot\system32\DRIVERS\mrxsmb10.sys
0x98781000 \SystemRoot\system32\DRIVERS\mrxsmb20.sys
0x987B4000 \SystemRoot\System32\Drivers\adfs.SYS
0x9F02E000 \SystemRoot\system32\drivers\peauth.sys
0x9F0C5000 \SystemRoot\System32\Drivers\secdrv.SYS
0x9F0CF000 \SystemRoot\System32\DRIVERS\srvnet.sys
0x9F0F0000 \SystemRoot\System32\drivers\tcpipreg.sys
0x9F0FD000 \SystemRoot\System32\DRIVERS\srv2.sys
0x9F14C000 \SystemRoot\System32\DRIVERS\srv.sys
0xC220A000 \SystemRoot\system32\drivers\spsys.sys
0xC2274000 \SystemRoot\system32\DRIVERS\asyncmac.sys
0x77230000 \Windows\System32\ntdll.dll
0x48370000 \Windows\System32\smss.exe
0x77470000 \Windows\System32\apisetschema.dll
0x00190000 \Windows\System32\autochk.exe
0x77440000 \Windows\System32\sechost.dll
0x77420000 \Windows\System32\imm32.dll
0x773D0000 \Windows\System32\gdi32.dll
0x771A0000 \Windows\System32\clbcatq.dll
0x770C0000 \Windows\System32\kernel32.dll
0x76F60000 \Windows\System32\ole32.dll
0x77370000 \Windows\System32\shlwapi.dll
0x76E60000 \Windows\System32\wininet.dll
0x76DC0000 \Windows\System32\usp10.dll
0x76BC0000 \Windows\System32\iertutil.dll
0x76B90000 \Windows\System32\imagehlp.dll
0x76B30000 \Windows\System32\difxapi.dll
0x76A80000 \Windows\System32\rpcrt4.dll
0x76A70000 \Windows\System32\lpk.dll

Processes (total 55):
0 System Idle Process
4 System
396 C:\Windows\System32\smss.exe
516 csrss.exe
580 C:\Windows\System32\wininit.exe
592 csrss.exe
640 C:\Windows\System32\services.exe
656 C:\Windows\System32\lsass.exe
664 C:\Windows\System32\lsm.exe
776 C:\Windows\System32\svchost.exe
852 C:\Windows\System32\svchost.exe
904 C:\Windows\System32\svchost.exe
952 C:\Windows\System32\svchost.exe
984 C:\Windows\System32\svchost.exe
1048 C:\Windows\System32\winlogon.exe
1116 C:\Windows\System32\audiodg.exe
1220 C:\Windows\System32\svchost.exe
1360 C:\Windows\System32\svchost.exe
1568 C:\Windows\System32\spoolsv.exe
1640 C:\Windows\System32\svchost.exe
1744 C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
1768 C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe
1804 C:\Program Files\Bonjour\mDNSResponder.exe
1852 C:\Windows\System32\svchost.exe
1896 C:\Program Files\Gizmo\gservice.exe
1928 C:\Program Files\Hotspot Shield\bin\openvpnas.exe
1956 C:\Program Files\Hotspot Shield\bin\hsswd.exe
2028 C:\Program Files\Common Files\microsoft shared\VS7DEBUG\mdm.exe
2160 C:\Windows\System32\svchost.exe
2228 C:\Windows\System32\taskhost.exe
2356 C:\Windows\explorer.exe
2520 C:\Windows\System32\taskeng.exe
2552 C:\Windows\System32\dwm.exe
2584 C:\Program Files\FBackup\fbaSched.exe
2948 C:\Windows\System32\svchost.exe
3108 C:\Program Files\DellTPad\Apoint.exe
3120 C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe
3152 C:\Program Files\Windows Sidebar\sidebar.exe
3268 C:\Program Files\DellTPad\ApMsgFwd.exe
3384 C:\Program Files\DellTPad\hidfind.exe
3420 C:\Program Files\DellTPad\ApntEx.exe
3460 C:\Windows\System32\conhost.exe
3532 C:\Windows\System32\SearchIndexer.exe
3580 C:\Program Files\StarDock\ObjectDock.exe
3920 C:\Program Files\Windows Media Player\wmpnetwk.exe
4016 C:\Program Files\PhotoJoy\Bin\PjApp.exe
3564 WmiPrvSE.exe
3908 C:\Windows\System32\SearchProtocolHost.exe
2384 C:\Windows\System32\SearchFilterHost.exe
1444 C:\Windows\System32\svchost.exe
3852 C:\Windows\System32\sppsvc.exe

#8 gringo_pr

  • Malware Response Team

Posted 14 August 2010 - 09:33 PM

I would like you to rerun ComboFix, and the last MBRCheck is not complete; I need to see it.


Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

Proud Graduate Of Malware Removal University

#9 7throck

  • Topic Starter
  • Members

Posted 15 August 2010 - 06:50 AM

Sorry about that, I'm not sure what happened. New MBRCheck below and ComboFix, which worked no problem this time. Seems like progress, so I'm very happy!


MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows 7 Ultimate Edition
Windows Information: (build 7600), 32-bit
Base Board Manufacturer: Dell Inc.
BIOS Manufacturer: Dell Inc.
System Manufacturer: Dell Inc.
System Product Name: Inspiron 1720
Logical Drives Mask: 0x0000003c

Kernel Drivers (total 174):
0x82A19000 \SystemRoot\system32\ntkrnlpa.exe
0x82E29000 \SystemRoot\system32\halmacpi.dll
0x80BAE000 \SystemRoot\system32\kdcom.dll
0x8BE1F000 \SystemRoot\system32\mcupdate_GenuineIntel.dll
0x8BE97000 \SystemRoot\system32\PSHED.dll
0x8BEA8000 \SystemRoot\system32\BOOTVID.dll
0x8BEB0000 \SystemRoot\system32\CLFS.SYS
0x8BEF2000 \SystemRoot\system32\CI.dll
0x8BF9D000 \SystemRoot\system32\drivers\klbg.sys
0x8C00A000 \SystemRoot\system32\drivers\Wdf01000.sys
0x8C07B000 \SystemRoot\system32\drivers\WDFLDR.SYS
0x8C089000 \SystemRoot\system32\DRIVERS\ACPI.sys
0x8C0D1000 \SystemRoot\system32\DRIVERS\WMILIB.SYS
0x8C0DA000 \SystemRoot\system32\DRIVERS\msisadrv.sys
0x8C0E2000 \SystemRoot\system32\DRIVERS\pci.sys
0x8C10C000 \SystemRoot\system32\DRIVERS\vdrvroot.sys
0x8C117000 \SystemRoot\System32\drivers\partmgr.sys
0x8C128000 \SystemRoot\system32\DRIVERS\compbatt.sys
0x8C130000 \SystemRoot\system32\DRIVERS\BATTC.SYS
0x8C13B000 \SystemRoot\system32\DRIVERS\volmgr.sys
0x8C14B000 \SystemRoot\System32\drivers\volmgrx.sys
0x8C196000 \SystemRoot\system32\DRIVERS\intelide.sys
0x8C19D000 \SystemRoot\system32\DRIVERS\PCIIDEX.SYS
0x8C1AB000 \SystemRoot\System32\drivers\mountmgr.sys
0x8C1C1000 \SystemRoot\system32\DRIVERS\atapi.sys
0x8C1CA000 \SystemRoot\system32\DRIVERS\ataport.SYS
0x8C1ED000 \SystemRoot\system32\DRIVERS\msahci.sys
0x8C1F7000 \SystemRoot\system32\DRIVERS\amdxata.sys
0x8BFAA000 \SystemRoot\system32\drivers\fltmgr.sys
0x8BFDE000 \SystemRoot\system32\drivers\fileinfo.sys
0x8C000000 \SystemRoot\System32\Drivers\PxHelp20.sys
0x8C21E000 \SystemRoot\System32\Drivers\Ntfs.sys
0x8C34D000 \SystemRoot\System32\Drivers\msrpc.sys
0x8C378000 \SystemRoot\System32\Drivers\ksecdd.sys
0x8C38B000 \SystemRoot\System32\Drivers\cng.sys
0x8C3E8000 \SystemRoot\System32\drivers\pcw.sys
0x8C3F6000 \SystemRoot\System32\Drivers\Fs_Rec.sys
0x8C434000 \SystemRoot\system32\drivers\ndis.sys
0x8C4EB000 \SystemRoot\system32\drivers\NETIO.SYS
0x8C529000 \SystemRoot\System32\Drivers\ksecpkg.sys
0x8C632000 \SystemRoot\System32\drivers\tcpip.sys
0x8C77B000 \SystemRoot\System32\drivers\fwpkclnt.sys
0x8C7AC000 \SystemRoot\system32\DRIVERS\vmstorfl.sys
0x8C7B5000 \SystemRoot\system32\DRIVERS\volsnap.sys
0x8C7F4000 \SystemRoot\System32\Drivers\spldr.sys
0x8C600000 \SystemRoot\System32\drivers\rdyboost.sys
0x8C54E000 \SystemRoot\System32\Drivers\mup.sys
0x8C55E000 \SystemRoot\System32\drivers\hwpolicy.sys
0x8C566000 \SystemRoot\System32\DRIVERS\fvevol.sys
0x8C598000 \SystemRoot\system32\DRIVERS\disk.sys
0x8C5A9000 \SystemRoot\system32\DRIVERS\CLASSPNP.SYS
0x8C5DB000 \SystemRoot\system32\DRIVERS\cdrom.sys
0x91C36000 \SystemRoot\system32\DRIVERS\klif.sys
0x91C87000 \SystemRoot\System32\Drivers\Null.SYS
0x91C8E000 \SystemRoot\System32\Drivers\Beep.SYS
0x91C95000 \SystemRoot\System32\drivers\vga.sys
0x91CA1000 \SystemRoot\System32\drivers\VIDEOPRT.SYS
0x91CC2000 \SystemRoot\System32\drivers\watchdog.sys
0x91CCF000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0x91CD7000 \SystemRoot\system32\drivers\rdpencdd.sys
0x91CDF000 \SystemRoot\system32\drivers\rdprefmp.sys
0x91CE7000 \SystemRoot\System32\Drivers\Msfs.SYS
0x91CF2000 \SystemRoot\System32\Drivers\Npfs.SYS
0x91D00000 \SystemRoot\system32\DRIVERS\tdx.sys
0x91D17000 \SystemRoot\system32\DRIVERS\TDI.SYS
0x91E28000 \SystemRoot\system32\DRIVERS\kl1.sys
0x92348000 \SystemRoot\system32\drivers\afd.sys
0x923A2000 \SystemRoot\System32\DRIVERS\netbt.sys
0x923D4000 \SystemRoot\system32\DRIVERS\wfplwf.sys
0x923DB000 \SystemRoot\system32\DRIVERS\pacer.sys
0x91E00000 \SystemRoot\system32\DRIVERS\klim6.sys
0x91E07000 \SystemRoot\system32\DRIVERS\netbios.sys
0x91E15000 \SystemRoot\system32\DRIVERS\wanarp.sys
0x91D22000 \SystemRoot\system32\DRIVERS\termdd.sys
0x91D32000 \SystemRoot\system32\DRIVERS\rdbss.sys
0x91D73000 \SystemRoot\system32\drivers\nsiproxy.sys
0x91D7D000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0x923FA000 \SystemRoot\System32\Drivers\GizmoDrv.SYS
0x91D87000 \SystemRoot\System32\drivers\discache.sys
0x91D93000 \SystemRoot\system32\drivers\csc.sys
0x91C00000 \SystemRoot\System32\Drivers\dfsc.sys
0x91C18000 \SystemRoot\system32\DRIVERS\blbdrive.sys
0x8C400000 \SystemRoot\system32\DRIVERS\tunnel.sys
0x8C421000 \SystemRoot\system32\DRIVERS\intelppm.sys
0x9341F000 \SystemRoot\system32\DRIVERS\nvlddmkm.sys
0x93F19000 \SystemRoot\system32\DRIVERS\nvBridge.kmd
0x93F1B000 \SystemRoot\System32\drivers\dxgkrnl.sys
0x9583C000 \SystemRoot\System32\drivers\dxgmms1.sys
0x95875000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0x95880000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0x958CB000 \SystemRoot\system32\DRIVERS\usbehci.sys
0x958DA000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0x95E2F000 \SystemRoot\system32\DRIVERS\netw5v32.sys
0x96242000 \SystemRoot\system32\DRIVERS\bcm4sbxp.sys
0x96253000 \SystemRoot\system32\DRIVERS\1394ohci.sys
0x9627F000 \SystemRoot\system32\DRIVERS\sdbus.sys
0x96298000 \SystemRoot\system32\DRIVERS\rixdptsk.sys
0x962E9000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0x96301000 \SystemRoot\system32\DRIVERS\Apfiltr.sys
0x96339000 \SystemRoot\system32\DRIVERS\klmouflt.sys
0x96342000 \SystemRoot\system32\DRIVERS\mouclass.sys
0x9634F000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0x9635C000 \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
0x96362000 \SystemRoot\system32\DRIVERS\CmBatt.sys
0x96366000 \SystemRoot\system32\DRIVERS\wmiacpi.sys
0x9636F000 \SystemRoot\system32\DRIVERS\CompositeBus.sys
0x9637C000 \SystemRoot\system32\DRIVERS\AgileVpn.sys
0x9638E000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0x963A6000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0x963B1000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0x963D3000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0x95E00000 \SystemRoot\system32\DRIVERS\raspptp.sys
0x95E17000 \SystemRoot\system32\DRIVERS\rassstp.sys
0x963EB000 \SystemRoot\system32\DRIVERS\taphss.sys
0x963F2000 \SystemRoot\system32\DRIVERS\rdpbus.sys
0x963FC000 \SystemRoot\system32\DRIVERS\swenum.sys
0x958F9000 \SystemRoot\system32\DRIVERS\ks.sys
0x9592D000 \SystemRoot\system32\DRIVERS\umbus.sys
0x9593B000 \SystemRoot\system32\DRIVERS\usbhub.sys
0x9597F000 \SystemRoot\System32\Drivers\NDProxy.SYS
0x95990000 \SystemRoot\system32\drivers\HdAudio.sys
0x95800000 \SystemRoot\system32\drivers\portcls.sys
0x959E0000 \SystemRoot\system32\drivers\drmk.sys
0x9962D000 \SystemRoot\system32\DRIVERS\VSTAZL3.SYS
0x9966A000 \SystemRoot\system32\DRIVERS\VSTDPV3.SYS
0x99815000 \SystemRoot\system32\DRIVERS\VSTCNXT3.SYS
0x998CA000 \SystemRoot\system32\drivers\modem.sys
0x99C10000 \SystemRoot\System32\win32k.sys
0x998D7000 \SystemRoot\System32\drivers\Dxapi.sys
0x998E1000 \SystemRoot\system32\DRIVERS\monitor.sys
0x998EC000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0x99903000 \SystemRoot\system32\DRIVERS\USBD.SYS
0x99912000 \SystemRoot\system32\DRIVERS\OEM02Dev.sys
0x9994C000 \SystemRoot\system32\DRIVERS\OEM02Vfx.sys
0x99E70000 \SystemRoot\System32\TSDDD.dll
0x99EA0000 \SystemRoot\System32\cdd.dll
0x9994E000 \SystemRoot\System32\Drivers\BTHUSB.sys
0x99960000 \SystemRoot\System32\Drivers\bthport.sys
0x99EC0000 \SystemRoot\System32\ATMFD.DLL
0x999C4000 \SystemRoot\system32\DRIVERS\rfcomm.sys
0x999E8000 \SystemRoot\system32\DRIVERS\BthEnum.sys
0x9976C000 \SystemRoot\system32\DRIVERS\bthpan.sys
0x999F5000 \SystemRoot\system32\DRIVERS\hidusb.sys
0x99800000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0x99905000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0x99787000 \SystemRoot\system32\DRIVERS\kbdhid.sys
0x99793000 \SystemRoot\system32\DRIVERS\mouhid.sys
0x9979E000 \SystemRoot\system32\drivers\luafv.sys
0x997B9000 \SystemRoot\system32\drivers\WudfPf.sys
0x997D3000 \SystemRoot\system32\DRIVERS\lltdio.sys
0x9BE2B000 \SystemRoot\system32\DRIVERS\nwifi.sys
0x9BE71000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0x9BE81000 \SystemRoot\system32\DRIVERS\rspndr.sys
0x9BE94000 \SystemRoot\system32\drivers\HTTP.sys
0x9BF19000 \SystemRoot\system32\DRIVERS\bowser.sys
0x9BF32000 \SystemRoot\System32\drivers\mpsdrv.sys
0x9BF44000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0x9BF67000 \SystemRoot\system32\DRIVERS\mrxsmb10.sys
0x9BFA2000 \SystemRoot\system32\DRIVERS\mrxsmb20.sys
0x9BFD5000 \SystemRoot\System32\Drivers\adfs.SYS
0x9F827000 \SystemRoot\system32\drivers\peauth.sys
0x9F8BE000 \SystemRoot\System32\Drivers\secdrv.SYS
0x9F8C8000 \SystemRoot\System32\DRIVERS\srvnet.sys
0x9F8E9000 \SystemRoot\System32\drivers\tcpipreg.sys
0x9F8F6000 \SystemRoot\System32\DRIVERS\srv2.sys
0x9F945000 \SystemRoot\System32\DRIVERS\srv.sys
0x9F996000 \??\C:\Program Files\PeerBlock\pbfilter.sys
0xBFC13000 \SystemRoot\system32\drivers\spsys.sys
0xBFC7D000 \SystemRoot\system32\DRIVERS\asyncmac.sys
0x76E80000 \Windows\System32\ntdll.dll
0x48550000 \Windows\System32\smss.exe
0x770C0000 \Windows\System32\apisetschema.dll
0x00120000 \Windows\System32\autochk.exe
0x77070000 \Windows\System32\ws2_32.dll

Processes (total 60):
0 System Idle Process
4 System
396 C:\Windows\System32\smss.exe
512 csrss.exe
576 C:\Windows\System32\wininit.exe
588 csrss.exe
636 C:\Windows\System32\services.exe
652 C:\Windows\System32\lsass.exe
660 C:\Windows\System32\lsm.exe
792 C:\Windows\System32\svchost.exe
876 C:\Windows\System32\svchost.exe
928 C:\Windows\System32\svchost.exe
976 C:\Windows\System32\svchost.exe
1008 C:\Windows\System32\svchost.exe
1048 C:\Windows\System32\winlogon.exe
1112 C:\Windows\System32\audiodg.exe
1240 C:\Windows\System32\svchost.exe
1360 C:\Windows\System32\svchost.exe
1576 C:\Windows\System32\spoolsv.exe
1624 C:\Windows\System32\svchost.exe
1720 C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
1752 C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe
1780 C:\Program Files\Bonjour\mDNSResponder.exe
1812 C:\Windows\System32\svchost.exe
1880 C:\Program Files\Gizmo\gservice.exe
1912 C:\Program Files\Hotspot Shield\bin\openvpnas.exe
1936 C:\Program Files\Hotspot Shield\bin\hsswd.exe
2008 C:\Program Files\Common Files\microsoft shared\VS7DEBUG\mdm.exe
2184 C:\Windows\System32\taskhost.exe
2276 C:\Windows\System32\svchost.exe
2448 C:\Windows\explorer.exe
2492 C:\Windows\System32\taskeng.exe
2500 C:\Windows\System32\dwm.exe
2588 C:\Program Files\FBackup\fbaSched.exe
2932 C:\Windows\System32\svchost.exe
3184 C:\Program Files\DellTPad\Apoint.exe
3220 C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe
3244 C:\Program Files\Windows Sidebar\sidebar.exe
3276 C:\Program Files\DellTPad\ApMsgFwd.exe
3348 C:\Program Files\DellTPad\hidfind.exe
3364 C:\Program Files\DellTPad\ApntEx.exe
3392 C:\Windows\System32\conhost.exe
3432 C:\Program Files\PeerBlock\peerblock.exe
3876 C:\Program Files\StarDock\ObjectDock.exe
3912 C:\Windows\System32\SearchIndexer.exe
2428 C:\Program Files\Windows Media Player\wmpnetwk.exe
1984 C:\Program Files\PhotoJoy\Bin\PjApp.exe
2672 WmiPrvSE.exe
3340 C:\Windows\System32\SearchProtocolHost.exe
3640 C:\Windows\System32\SearchFilterHost.exe
2456 C:\Windows\System32\svchost.exe
3020 C:\Windows\System32\sppsvc.exe
1040 C:\Windows\System32\svchost.exe
3180 taskhost.exe
3740 WmiPrvSE.exe
2312 C:\Windows\System32\wuauclt.exe
1704 C:\Windows\servicing\TrustedInstaller.exe
1736 D:\Desktop\MBRCheck.exe
1016 C:\Windows\System32\conhost.exe
2680 C:\Windows\System32\dllhost.exe

\\.\C: --> \\.\PhysicalDrive1 at offset 0x00000000`06500000 (NTFS)
\\.\D: --> \\.\PhysicalDrive1 at offset 0x00000018`6a100000 (NTFS)
\\.\E: --> \\.\PhysicalDrive0 at offset 0x00000000`00100000 (NTFS)

PhysicalDrive1 Model Number: SAMSUNGHM250JI, Rev: HS100-11
PhysicalDrive0 Model Number: WDCWD2500BEVS-75UST0, Rev: 01.01A01

Size Device Name MBR Status
--------------------------------------------
232 GB \\.\PhysicalDrive1 Windows 7 MBR code detected
SHA1: 4379A3D43019B46FA357F7DD6A53B45A3CA8FB79
232 GB \\.\PhysicalDrive0 Windows 2008 MBR code detected
SHA1: 8DF43F2BDE2D9451948FA14B5279969C777A7979


Done!


ComboFix 10-08-14.02 - kitten 15/08/2010 12:33:56.1.2 - x86
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.44.1033.18.3582.2362 [GMT 1:00]
Running from: d:\desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\kitten\AppData\Roaming\B70F8B047D889260107AC44082F0C258
c:\users\kitten\AppData\Roaming\B70F8B047D889260107AC44082F0C258\enemies-names.txt
c:\users\kitten\AppData\Roaming\B70F8B047D889260107AC44082F0C258\local.ini
E:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2010-07-15 to 2010-08-15 )))))))))))))))))))))))))))))))
.

2010-08-15 11:42 . 2010-08-15 11:43 -------- d-----w- c:\users\kitten\AppData\Local\temp
2010-08-15 11:42 . 2010-08-15 11:42 -------- d-----w- c:\users\pirates\AppData\Local\temp
2010-08-15 11:42 . 2010-08-15 11:42 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-08-15 11:32 . 2010-08-15 11:33 -------- d-----w- C:\32788R22FWJFW
2010-08-05 11:34 . 2010-08-05 14:36 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-08-05 11:32 . 2010-08-05 11:32 -------- d-----w- c:\programdata\Hitman Pro
2010-08-05 11:32 . 2010-08-05 11:32 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-08-05 00:02 . 2010-08-05 00:02 -------- d-----w- c:\users\kitten\AppData\Local\ElevatedDiagnostics
2010-08-04 00:14 . 2010-08-04 00:14 0 ----a-w- c:\windows\nsreg.dat
2010-08-04 00:13 . 2010-08-04 00:13 -------- d-----w- c:\users\kitten\AppData\Local\Mozilla
2010-07-20 13:04 . 2010-07-20 13:04 -------- d-----w- c:\program files\Common Files\Java
2010-07-20 13:03 . 2010-04-12 16:29 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-20 12:39 . 2010-07-20 12:39 -------- d-----w- c:\users\kitten\AppData\Roaming\Malwarebytes
2010-07-20 12:38 . 2010-04-29 14:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-20 12:38 . 2010-07-20 12:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-20 12:38 . 2010-07-20 12:38 -------- d-----w- c:\programdata\Malwarebytes
2010-07-20 12:38 . 2010-04-29 14:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-19 12:24 . 2010-07-19 12:24 -------- d-----w- c:\users\kitten\AppData\Roaming\dvdcss

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-15 11:30 . 2010-03-15 20:35 -------- d-----w- c:\program files\PeerBlock
2010-08-15 11:26 . 2010-01-31 16:26 -------- d-----w- c:\programdata\Kaspersky Lab
2010-08-14 02:47 . 2010-01-12 12:19 -------- d-----w- c:\users\kitten\AppData\Roaming\Skype
2010-08-09 12:50 . 2010-01-30 23:37 -------- d-----w- c:\users\kitten\AppData\Roaming\vlc
2010-08-05 14:26 . 2010-01-12 00:08 -------- d-----w- c:\users\kitten\AppData\Roaming\uTorrent
2010-08-05 00:31 . 2010-01-11 21:45 -------- d-----w- c:\program files\Citrix
2010-08-01 14:49 . 2010-01-12 17:50 -------- d-----w- c:\programdata\FLEXnet
2010-07-30 00:01 . 2010-01-31 16:26 97549 ----a-w- c:\windows\system32\drivers\klick.dat
2010-07-30 00:01 . 2010-01-31 16:26 113933 ----a-w- c:\windows\system32\drivers\klin.dat
2010-07-23 22:35 . 2010-06-01 20:18 -------- d-----w- c:\users\kitten\AppData\Roaming\Muniyv
2010-07-23 20:37 . 2010-05-17 23:22 -------- d-----w- c:\users\kitten\AppData\Roaming\Meawce
2010-07-23 12:24 . 2010-01-12 00:36 -------- d-----w- c:\program files\Advanced SystemCare
2010-07-20 13:03 . 2010-01-11 22:47 -------- d-----w- c:\program files\Java
2010-06-15 12:48 . 2010-06-15 12:48 133648 ----a-w- c:\programdata\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\rollback\patch\AutoPatches\kav9exec\9.0.0.736\mmpprtc.dll
2010-06-15 12:48 . 2010-06-15 12:48 133720 ----a-w- c:\programdata\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav9exec\9.0.0.736\mmpprtc.dll
2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat
2009-07-14 01:14 . 2009-07-13 23:42 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F9E4A054-E9B1-4BC3-83A3-76A1AE736170}]
2010-03-15 22:07 220208 ----a-w- c:\program files\Hotspot Shield\hssie\HssIE.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-07-14 1173504]
"PeerBlock"="c:\program files\PeerBlock\peerblock.exe" [2009-09-28 1529432]
"GizmoDriveDelegate"="c:\progra~1\GIZMO\GDRIVE.DLL" [2010-01-12 390752]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2009-06-19 249856]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe" [2009-10-20 340456]

c:\users\kitten\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
PhotoJoy.lnk - c:\windows\Installer\{15482D1C-117B-4201-8D39-985A91ED8433}\NewShortcut2_A7A7785B169C43C9B65206C336C01701.exe [2010-1-19 32038]
Stardock ObjectDock.lnk - c:\program files\StarDock\ObjectDock.exe [2010-1-17 3450608]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\KASPER~2\KASPER~1\mzvkbd3.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
2008-06-11 22:43 640376 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Acrobat Speed Launcher]
2008-06-12 02:25 37232 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS4ServiceManager]
2008-08-14 07:58 611712 ----a-w- c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe_ID0ENQBO]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GizmoDriveDelegate]
2010-01-12 01:03 390752 ----a-w- c:\progra~1\Gizmo\gdrive.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-01-22 19:16 141608 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OEM02Mon.exe]
2007-05-09 17:01 36864 ----a-w- c:\windows\OEM02Mon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PhotoJoy]
2009-04-26 13:00 918840 ----a-w- c:\program files\PhotoJoy\Bin\PhotoJoy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-10 23:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-02-18 10:43 248040 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

R3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe [2008-08-15 284016]
R3 pbfilter;pbfilter;c:\program files\PeerBlock\pbfilter.sys [2009-09-28 16472]
S0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2009-10-14 36880]
S1 GizmoDrv;Gizmo Device Driver; [x]
S1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;c:\windows\system32\DRIVERS\klim6.sys [2009-11-03 21520]
S2 Gizmo Central;Gizmo Central;c:\program files\Gizmo\gservice.exe [2010-01-12 31856]
S2 HssWd;Hotspot Shield Monitoring Service;c:\program files\Hotspot Shield\bin\hsswd.exe [2010-01-08 285744]
S3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\DRIVERS\klmouflt.sys [2009-10-02 19472]
S3 netw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [2009-07-13 4231168]
S3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL3.SYS [2009-07-13 207360]
S3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV3.SYS [2009-07-13 980992]
S3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT3.SYS [2009-07-13 661504]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ SSDPSRV upnphost SCardSvr TBS FontCache fdrespub AppIDSvc QWAVE wcncsvc SensrSvc
.
Contents of the 'Scheduled Tasks' folder

2010-08-14 c:\windows\Tasks\fba_CRONE.job
- c:\program files\FBackup\fbaSchedStarter.exe [2010-01-24 11:32]

2010-08-14 c:\windows\Tasks\fba_MAIDEN.job
- c:\program files\FBackup\fbaSchedStarter.exe [2010-01-24 11:32]

2010-08-14 c:\windows\Tasks\fba_MOTHER.job
- c:\program files\FBackup\fbaSchedStarter.exe [2010-01-24 11:32]

2010-08-14 c:\windows\Tasks\fba_theFAERIE.job
- c:\program files\FBackup\fbaSchedStarter.exe [2010-01-24 11:32]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyOverride = *.local
IE: Add to Evernote - c:\program files\Evernote\enbar.dll/2000
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-FBackup Scheduler - (no file)
MSConfigStartUp-{936437B9-7866-5DD2-CA31-C88EC7532817} - c:\users\kitten\AppData\Roaming\Muniyv\yfzou.exe


.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2010-08-15 12:45:48
ComboFix-quarantined-files.txt 2010-08-15 11:45

Pre-Run: 53,356,859,392 bytes free
Post-Run: 56,428,568,576 bytes free

- - End Of File - - 3C937E722C34B22A6BC43456A0AFE8AF


#10 gringo_pr

  • Malware Response Team

Posted 15 August 2010 - 12:45 PM

Hello

These logs look very good; tell me how things are working.

Clear your Java Cache
  • Click on Start -> Control Panel (Classic View) -> Java (looks like a coffee cup).
  • On the General tab, under Temporary Internet Files, click the Settings button.
  • Next, click on the Delete Files button.
  • There are two options in the window to clear the cache - Leave BOTH Checked:
        Applications and Applets
        Trace and Log Files
  • Click OK on the Delete Temporary Files window.
      Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files window.
  • Click OK to leave the Java Control Panel.

TFC(Temp File Cleaner):
  • Please download TFC to your desktop,
  • Save any unsaved work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program.
  • If prompted, click "Yes" to reboot.
Note: Save your work. TFC will automatically close any open programs; let it run uninterrupted. It shouldn't take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

: Malwarebytes' Anti-Malware :
    I would like you to rerun MBAM
  • Double-click mbam icon
  • go to the update tab at the top
  • click on check for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
    • If you accidentally close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Download HijackThis
  • Go Here to download HijackThis Installer
  • Save HijackThis Installer to your desktop.
  • Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7 right click and run as admin)
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed it will launch Hijackthis.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT use the AnalyseThis button; its findings are dangerous if misinterpreted.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

"information and logs"
    In your next post I need the following
    1. Log From MBAM
    2. report from Hijackthis
    3. let me know of any problems you may have had
    4. How is the computer doing now?

Gringo



I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#11 7throck

7throck
  • Topic Starter

  • Members
  • 8 posts

Posted 15 August 2010 - 02:38 PM

All done. MBAM came up clean, which it has done throughout anyway...the logs for that and Hijackthis are below. I haven't had any pop ups yet, that was the main symptom. Haven't tried Windows Update yet because I wasn't sure if that would interfere with what we're doing. I can now get onto the Windows Update website though.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4433

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

15/08/2010 20:11:18
mbam-log-2010-08-15 (20-11-18).txt

Scan type: Quick scan
Objects scanned: 139962
Time elapsed: 21 minute(s), 38 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 20:33:00, on 15/08/2010
Platform: Windows 7 (WinNT 6.00.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskhost.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\FBackup\fbaSched.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Windows\system32\conhost.exe
C:\Program Files\StarDock\ObjectDock.exe
C:\Program Files\PhotoJoy\bin\PjApp.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS4/contributeieplugin.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\ievkbd.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\bin\jp2ssv.dll
O2 - BHO: link filter bho - {E33CF602-D945-461A-83F0-819F76A199F8} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\klwtbbho.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: Hotspot Shield Class - {F9E4A054-E9B1-4BC3-83A3-76A1AE736170} - C:\Program Files\Hotspot Shield\hssie\HssIE.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS4/contributeieplugin.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [PeerBlock] C:\Program Files\PeerBlock\peerblock.exe
O4 - HKCU\..\Run: [GizmoDriveDelegate] RUNDLL32.EXE C:\PROGRA~1\GIZMO\GDRIVE.DLL,Remount_Startup_Images
O4 - Startup: PhotoJoy.lnk = ?
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\StarDock\ObjectDock.exe
O8 - Extra context menu item: Add to Evernote - res://C:\Program Files\Evernote\enbar.dll/2000
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: &Virtual keyboard - {4248FE82-7FCB-46AC-B270-339F08212110} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\klwtbbho.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: URLs c&heck - {CCF151D8-D089-449F-A5A4-D9909053F20F} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\klwtbbho.dll
O9 - Extra button: Add to Evernote - {E0B8C461-F8FB-49b4-8373-FE32E9252800} - C:\Program Files\Evernote\enbar.dll (HKCU)
O9 - Extra 'Tools' menuitem: Add to Evernote - {E0B8C461-F8FB-49b4-8373-FE32E9252800} - C:\Program Files\Evernote\enbar.dll (HKCU)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flas...ent/swflash.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~2\KASPER~1\mzvkbd3.dll
O23 - Service: Adobe Version Cue CS4 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Kaspersky Anti-Virus (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Gizmo Central - Arainia Solutions - C:\Program Files\Gizmo\gservice.exe
O23 - Service: Hotspot Shield Service (HotspotShieldService) - Unknown owner - C:\Program Files\Hotspot Shield\bin\openvpnas.exe
O23 - Service: Hotspot Shield Tray Service (HssTrayService) - Unknown owner - C:\Program Files\Hotspot Shield\bin\HssTrayService.EXE
O23 - Service: Hotspot Shield Monitoring Service (HssWd) - Unknown owner - C:\Program Files\Hotspot Shield\bin\hsswd.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 6981 bytes


#12 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 15 August 2010 - 03:28 PM

Greetings

You can do updates now if you want

These logs are looking very good, we are almost done!!! Just one more scan to go.

:Remove unneeded startup entries:

This part of the fix is purely optional
These are programs that start up when you turn on your computer but don't need to; you can click on their icons (or start them from the control panel) and start any of these programs when you need them. By stopping these programs you will boot up faster and your computer will work faster.
  • Run HijackThis
  • Click on the Scan button
  • Put a check beside all of the items listed below (if present):
      O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
      O4 - HKCU\..\Run: [PeerBlock] C:\Program Files\PeerBlock\peerblock.exe
      O4 - Startup: PhotoJoy.lnk = ?
  • Close all open windows and browsers/email, etc...
  • Click on the "Fix Checked" button
  • When completed, close the application.

      NOTE**You can research each of those lines >here< and see if you want to keep them or not
      just copy the name between the brackets and paste it into the search space
      O4 - HKLM\..\Run: [IntelliPoint]


Eset Online Scanner

**Note** You will need to use Internet explorer for this scan

Go to the Eset web page to run an online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • click on the ESET Online Scanner button
  • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
  • When asked, allow the activex control to install
    • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options
      Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\Eset\Eset Online Scanner\log.txt
Copy and paste that log as a reply to this topic

"information and logs"
    In your next post I need the following
    1. Report from ESET
    2. let me know of any problems you may have had
    3. How is the computer doing now?

Gringo


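The entries gringo_pr asks to tick above are HijackThis "O4" (autostart) lines, and the O23 lines in the same log are services. As an added example that is not part of this thread and not HijackThis' own code, the Python below parses those two line types into fields and applies a few review rules (a shortcut whose target HijackThis could not resolve, shown as "?"; a service with "Unknown owner"; a DLL loaded via rundll32 at logon). The sample lines are constructed in the shape of the log posted earlier in this thread, and the review rules are my own assumptions about what a reviewer looks at first, not a verdict on any entry; a flagged line only means "look at this one before the others".

```python
"""Parse HijackThis v2 'O4' (autostart) and 'O23' (service) lines and triage them.

Added example for this thread; not HijackThis code. Sample lines are constructed
in the shape of the log posted above.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample (same shapes as the HijackThis log in this thread).
SAMPLE_HJT_LOG = r"""
O4 - HKLM\..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [GizmoDriveDelegate] RUNDLL32.EXE C:\PROGRA~1\GIZMO\GDRIVE.DLL,Remount_Startup_Images
O4 - Startup: PhotoJoy.lnk = ?
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\StarDock\ObjectDock.exe
O23 - Service: Kaspersky Anti-Virus (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe
O23 - Service: Hotspot Shield Service (HotspotShieldService) - Unknown owner - C:\Program Files\Hotspot Shield\bin\openvpnas.exe
"""

# O4 registry Run entries: hive, key, [name], command line.
RUN_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[([^\]]+)\] (.*)$")
# O4 Startup-folder shortcuts: name = target ("?" when HJT could not resolve it).
STARTUP_RE = re.compile(r"^O4 - ((?:Global )?Startup): (.+?) = (.*)$")
# O23 services: display name, optional (short name), company, binary path.
SERVICE_RE = re.compile(r"^O23 - Service: (.+?)(?: \(([^()]+)\))? - (.+?) - (.+)$")


@dataclass
class Entry:
    kind: str                    # "run", "startup" or "service"
    location: str                # e.g. "HKCU\\..\\Run", "Startup", "service"
    name: str                    # value name, shortcut name or service short name
    target: str                  # command line, shortcut target or service binary
    owner: Optional[str] = None  # O23 company field, if any
    raw: str = ""                # the original line, for pasting back into HJT


def parse_hjt(text: str) -> List[Entry]:
    """Turn O4/O23 lines into Entry objects; other line types are ignored."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        raw = raw.strip()
        if m := RUN_RE.match(raw):
            hive, key, name, cmd = m.groups()
            entries.append(Entry("run", f"{hive}\\..\\{key}", name, cmd, raw=raw))
        elif m := STARTUP_RE.match(raw):
            loc, name, target = m.groups()
            entries.append(Entry("startup", loc, name, target, raw=raw))
        elif m := SERVICE_RE.match(raw):
            display, short, owner, path = m.groups()
            entries.append(Entry("service", "service", short or display, path, owner, raw))
    return entries


def triage_hjt(entries: List[Entry]) -> List[Tuple[Entry, str]]:
    """Return (entry, reason) pairs worth a second look. Assumed review rules,
    not HijackThis logic; a hit is a prompt to research the entry, not a verdict."""
    findings = []
    for e in entries:
        if e.kind == "startup" and e.target == "?":
            findings.append((e, "shortcut target could not be resolved"))
        elif e.kind == "service" and e.owner == "Unknown owner":
            findings.append((e, "service binary carries no company name"))
        elif e.kind == "run" and e.target.upper().startswith("RUNDLL32"):
            findings.append((e, "DLL loaded via rundll32 at logon"))
    return findings


def fix_lines(entries: List[Entry], names: List[str]) -> List[str]:
    """Exact raw lines to tick in HijackThis for the given entry names,
    so the list you post back matches the log character for character."""
    wanted = set(names)
    return [e.raw for e in entries if e.name in wanted]


if __name__ == "__main__":
    parsed = parse_hjt(SAMPLE_HJT_LOG)
    for entry, reason in triage_hjt(parsed):
        print(f"{entry.kind:8} {entry.name:22} {reason}")
    print("\n".join(fix_lines(parsed, ["Sidebar", "PhotoJoy.lnk"])))
```

Running it against the full log from this thread instead of the constructed sample needs only a file read; the regexes do not depend on the sample.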

#13 7throck

7throck
  • Topic Starter

  • Members
  • 8 posts

Posted 16 August 2010 - 06:35 AM

Hi Gringo,

Everything worked fine. Windows even updated, no problems, and still no pop ups...yay! Here is the ESET log:




ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.7600.16385 (win7_rtm.090713-1255)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=29dd59da7374ed439cca4fe03232c9b1
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2010-08-16 03:35:33
# local_time=2010-08-16 04:35:33 (+0000, GMT Daylight Time)
# country="United Kingdom"
# lang=1033
# osver=6.1.7600 NT
# compatibility_mode=512 16777215 100 0 17077 17077 0 0
# compatibility_mode=1280 16777215 100 0 16966166 16966166 0 0
# compatibility_mode=5893 16776573 100 94 7372614 34384129 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=278288
# found=6
# cleaned=0
# scan_time=11997
C:\Program Files\Hotspot Shield\bin\openvpnas.exe a variant of Win32/HotSpotShield application 00000000000000000000000000000000 I
C:\Setup Files\Programs\Installed\HSS-1.37-install-anchorfree-76-conduit.exe a variant of Win32/HotSpotShield application 00000000000000000000000000000000 I
D:\My Documents\Light\Laughs\Felix\felix2.exe Win32/Joke.ScreenMate application 00000000000000000000000000000000 I
D:\My Documents\Light\Records\EM\Old Outlook Express\Deleted Items.dbx Win32/Mytob.BK worm 00000000000000000000000000000000 I
D:\My Documents\Light\Records\EM\Old Outlook Express\Hotmail - <my name> - Deleted Items (2).dbx JS/Redir.AH trojan 00000000000000000000000000000000 I
D:\My Documents\Light\Records\EM\Old Outlook Express\Sent Items.dbx probably a variant of Win32/TrojanDownloader.Agent.IPGQQOF trojan 00000000000000000000000000000000 I
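The ESET Online Scanner log above has a fixed shape: `# key=value` header lines followed by one detection per line (path, detection name, type word, a 32-hex column, and a trailing status letter). As an added example that is not part of this thread and not ESET's own code, the Python below parses that shape and buckets detections the way a responder reads them: "application" hits are potentially unwanted programs for the user to decide on, detections inside mail-store files (`.dbx` here) are malware sitting in stored e-mail rather than anything running, and everything else needs real attention. The sample log is constructed to mirror the posted one (the name in the mailbox path is replaced with `<redacted>`, and one extra line with the placeholder name `Win32/ExampleOnly.A` and an invented temp path is added so the third bucket is exercised); the bucket rules and the mail-store extension list are my assumptions, and the trailing `I` and the hex column are kept verbatim rather than interpreted.

```python
"""Parse an ESET Online Scanner log.txt and sort its detections for triage.

Added example for this thread; not ESET code. The sample below is constructed
to mirror the log posted above, with one extra placeholder line.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

SAMPLE_ESET_LOG = r"""
ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# remove_checked=false
# archives_checked=true
# compatibility_mode=512 16777215 100 0 17077 17077 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=278288
# found=5
# cleaned=0
C:\Program Files\Hotspot Shield\bin\openvpnas.exe a variant of Win32/HotSpotShield application 00000000000000000000000000000000 I
D:\My Documents\Light\Laughs\Felix\felix2.exe Win32/Joke.ScreenMate application 00000000000000000000000000000000 I
D:\My Documents\Light\Records\EM\Old Outlook Express\Deleted Items.dbx Win32/Mytob.BK worm 00000000000000000000000000000000 I
D:\My Documents\Light\Records\EM\Old Outlook Express\Hotmail - <redacted> - Deleted Items (2).dbx JS/Redir.AH trojan 00000000000000000000000000000000 I
C:\Users\someone\AppData\Local\Temp\dropper.tmp.exe Win32/ExampleOnly.A trojan 00000000000000000000000000000000 I
"""

# Path is non-greedy; the detection name is anchored by its "platform/family"
# slash so spaces inside the path do not confuse the split.
DETECTION_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.*?) "
    r"(?P<name>(?:probably )?(?:a variant of )?\S+/\S+) "
    r"(?P<kind>\w+) (?P<hash>[0-9a-fA-F]{32}) (?P<flag>\S+)$"
)


@dataclass
class Detection:
    path: str
    name: str   # e.g. "Win32/Mytob.BK" or "a variant of Win32/HotSpotShield"
    kind: str   # ESET type word: "application", "worm", "trojan", ...
    flag: str   # trailing status column, kept verbatim (not interpreted here)


def parse_eset_log(text: str):
    """Return (headers, detections). Repeated header keys such as
    compatibility_mode are collected into lists in order of appearance."""
    headers: Dict[str, List[str]] = {}
    detections: List[Detection] = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("# ") and "=" in line:
            key, _, value = line[2:].partition("=")
            headers.setdefault(key, []).append(value)
        elif m := DETECTION_RE.match(line):
            detections.append(Detection(m["path"], m["name"], m["kind"], m["flag"]))
    return headers, detections


# Assumed list of mail-store extensions; a hit inside one is archived mail, not a running threat.
MAIL_STORE_EXT = (".dbx", ".pst", ".ost", ".mbox")


def triage_eset(detections: List[Detection]) -> Dict[str, List[Detection]]:
    """Bucket detections the way a responder reads them (assumed rules)."""
    buckets: Dict[str, List[Detection]] = {"unwanted_app": [], "mail_archive": [], "active_malware": []}
    for d in detections:
        if d.kind == "application":
            buckets["unwanted_app"].append(d)        # PUA / joke program: user decides
        elif d.path.lower().endswith(MAIL_STORE_EXT):
            buckets["mail_archive"].append(d)        # malware inside stored e-mail
        else:
            buckets["active_malware"].append(d)      # needs real attention
    return buckets


def consistency(headers: Dict[str, List[str]], detections: List[Detection]) -> Dict[str, bool]:
    """Cross-check the summary counters against the detection lines."""
    found = int(headers.get("found", ["0"])[0])
    cleaned = int(headers.get("cleaned", ["0"])[0])
    remove = headers.get("remove_checked", ["false"])[0] == "true"
    return {
        "found_matches_lines": found == len(detections),
        # With "Remove found threats" unticked, cleaned should stay at 0.
        "nothing_removed_as_configured": (not remove) and cleaned == 0,
    }


if __name__ == "__main__":
    hdrs, dets = parse_eset_log(SAMPLE_ESET_LOG)
    for bucket, items in triage_eset(dets).items():
        print(bucket, [d.path for d in items])
    print(consistency(hdrs, dets))
```

The `consistency` check is the cheap sanity test worth doing on any posted scan log: if the `found` counter and the number of detection lines disagree, the log was truncated or edited before it was pasted.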


#14 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 16 August 2010 - 12:04 PM

Hello

Glad things are working better.


These seem to be ok
C:\Program Files\Hotspot Shield\bin\openvpnas.exe
C:\Setup Files\Programs\Installed\HSS-1.37-install-anchorfree-76-conduit.exe
D:\My Documents\Light\Laughs\Felix\felix2.exe

These are old emails that are infected (if you don't need them get rid of them)
D:\My Documents\Light\Records\EM\Old Outlook Express\Deleted Items.dbx
D:\My Documents\Light\Records\EM\Old Outlook Express\Hotmail - <my name> - Deleted Items (2).dbx
D:\My Documents\Light\Records\EM\Old Outlook Express\Sent Items.dbx

Very well done!! This is my general post for when your logs show no more signs of malware - Please let me know if you still are having problems with your computer and what these problems are.


The following procedure will implement some cleanup procedures. It will also reset your System Restore by flushing out previous restore points and create a new restore point. It will also remove all the backups our tools may have made.

Any programs and logs that are left over can just be deleted from the desktop. TFC is a free temp file cleaner that is very easy to use; I would keep this and use it before you do any scans or when you want to free up some space.

:DeFogger:
    To re-enable your Emulation drivers, double click DeFogger to run the tool.
    • The application window will appear
    • Click the Re-enable button to re-enable your CD Emulation drivers
    • Click Yes to continue
    • A 'Finished!' message will appear
    • Click OK
    • DeFogger will now ask to reboot the machine - click OK
    Your Emulation drivers are now re-enabled.

:Uninstall ComboFix:
  • push the "windows key" + "R" (between the "Ctrl" button and "Alt" Button)
  • please copy and paste the following into the box ComboFix /Uninstall and click OK.
  • Note the space between the X and the /Uninstall, it needs to be there.

:remove tools:

Please download OTCleanIt and save it to desktop. This tool will remove all the tools we used to clean your pc.
  • Double-click OTCleanIt.exe.
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes, if not delete it by yourself.
Note: If you receive a warning from your firewall or other security programs regarding OTCleanIt attempting to contact the internet, please allow it to do so.

:clear system restore points:

This is a good time to clear your existing system restore points and establish a new clean restore point:
  • Go to Start > All Programs > Accessories > System Tools > System Restore
  • Select Create a restore point, and Ok it.
  • Next, go to Start > Run and type in cleanmgr
  • choose your root drive (normally C:)
  • after it calculates how much space you will save it will open up a new window
  • Select the More options tab at the top of the window
  • Choose the option to clean up system restore and OK it.
  • go back to the disk clean up tab
  • put a checkmark in all - except compress old files (leave this unchecked)
  • click Ok then click yes
This will remove all restore points except the new one you just created and clean unneeded files

:Make your Internet Explorer more secure:
  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.
  • Change the Download signed ActiveX controls to Prompt
  • Change the Download unsigned ActiveX controls to Disable
  • Change the Initialise and script ActiveX controls not marked as safe to Disable
  • Change the Installation of desktop items to Prompt
  • Change the Launching programs and files in an IFRAME to Prompt
  • When all these settings have been made, click on the OK button.
  • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    Next press the Apply button and then the OK to exit the Internet Properties page.

:Make Firefox more secure:

:Turn On Automatic Updates:
    Turn On Automatic Updates
    1. Click Start, click Run, type sysdm.cpl, and then press ENTER.
    2. Click the Automatic Updates tab, and then click to select one of the following options. We recommend that you select the Automatic (recommended) Automatically download recommended updates for my computer and install them

    If you click this setting, click to select the day and time for scheduled updates to occur. You can schedule Automatic Updates for any time of day. Remember, your computer must be on at the scheduled time for updates to be installed. After you set this option, Windows recognizes when you are online and uses your Internet connection to find updates on the Windows Update Web site or on the Microsoft Update Web site that apply to your computer. Updates are downloaded automatically in the background, and you are not notified or interrupted during this process. An icon appears in the notification area of your taskbar when the updates are being downloaded. You can point to the icon to view the download status. To pause or to resume the download, right-click the icon, and then click Pause or Resume. When the download is completed, another message appears in the notification area so that you can review the updates that are scheduled for installation. If you choose not to install at that time, Windows starts the installation on your set schedule.

    or visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

:antispyware programs:

I would recommend the download and installation of some or all of the following programs (all free), and the updating of them regularly:
  • WinPatrol As a robust security monitor, WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. WinPatrol takes a snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge.
  • Spyware Blaster - By altering your registry, this program stops harmful sites from installing things like ActiveX Controls on your machines.
  • Malwarebytes' Anti-Malware Malwarebytes' Anti-Malware is a new and powerful anti-malware tool. It is totally free but for real-time protection you will have to pay a small one-time fee. We used this to help clean your computer and recommend keeping it and using it often.

Please read this great article by miekiemoes: How to prevent Malware.

I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can then be closed.

I Will Keep This Open For About Three Days, If Anything Comes Up - Just Come Back And Let Me Know, after that time you will have to send me a PM

My help is free, however, if you wish to make a small donation to show appreciation and to help me continue the fight against Malware, then click here:

Gringo


#15 7throck

7throck
  • Topic Starter

  • Members
  • 8 posts

Posted 16 August 2010 - 01:55 PM

Just finished working through all your suggestions. Everything is working great. I'm so relieved!

Thank you so much for all your help.



