Windows Explorer Hijack/Trojan


  • This topic is locked
3 replies to this topic

#1 compoegg

  • Members
  • 2 posts

Posted 07 August 2010 - 02:48 AM

I know it's not recommended, but I went ahead and tried a few programs to get rid of it, with no success. I see that logs are preferred NOT in code boxes, so I edited that.

Info:
- Windows XP Pro SP3
- Kaspersky Internet Security 2009

Symptoms:
- Trying to browse or access 'My Computer' in any way crashes Explorer (including the Windows taskbar/start button and all open Explorer windows). Sometimes the taskbar returns after 5-10 sec.
- Using the 'browse' function in any application has the same results as above if you go high enough in the directory structure (above that drive's root directory).
- Attempting to type anything into the address bar in Windows Explorer crashes all Explorer windows.
- Attempting to change the filename of files downloaded through Firefox freezes Firefox (the only exception was when I managed to change Combofix.exe to Combo-fix.exe; I'm not sure why that got through).
- Similarly, attempting to type in the filename to save a file in an application (e.g. MS Paint) crashes the application as soon as you begin typing.
- Attempting to open 'Search' in Windows Explorer (by pressing Ctrl + F in a folder, for example) causes all Explorer windows to crash.
- Right-clicking on a file and moving the cursor over "Send To" crashes the Explorer window.
- Slow at boot (Windows welcome screen) as well as for the first few seconds after loading the desktop.

Actions Taken >> Results:
- Ran Kaspersky full scan >> it found a number of problems, but I could not save the logs to show you (explained above); it deleted "Backdoor.Win32.Agent.bmn" and "HackTool.Win32.Kiser.fm", but I'm not sure if these were related to the problem.
- Ran Malwarebytes Anti-Malware full scan >> found a bunch of things; see log below. Although it does not appear so in the log, I selected all the items it found and told it to remove them.

**********

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4397

Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.2096

8/6/2010 1:41:33 AM
mbam-log-2010-08-06 (01-41-33).txt

Scan type: Full scan (C:\|D:\|E:\|F:\|H:\|L:\|M:\|N:\|)
Objects scanned: 388696
Time elapsed: 1 hour(s), 2 minute(s), 30 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 5
Folders Infected: 0
Files Infected: 9

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\forceclassiccontrolpanel (Hijack.ControlPanelStyle) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMHelp (Hijack.Help) -> Bad: (1) Good: (0) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowSearch (Hijack.StartMenu) -> Bad: (0) Good: (1) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
D:\System Volume Information\_restore{979FEB2B-6B4F-498E-9F77-699DA36B7427}\RP166\A0060590.exe (Trojan.Downloader) -> No action taken.
D:\System Volume Information\_restore{979FEB2B-6B4F-498E-9F77-699DA36B7427}\RP166\A0060600.exe (Trojan.Downloader) -> No action taken.
D:\System Volume Information\_restore{979FEB2B-6B4F-498E-9F77-699DA36B7427}\RP166\A0060783.exe (Trojan.Agent.CK) -> No action taken.
F:\install files\Adobe Acrobat 8 Pro\Crack\keygen.exe (Backdoor.Bot) -> No action taken.
F:\install files\Xilisoft Audio Converter\keygen.exe (Trojan.Downloader) -> No action taken.
F:\install files\mIRC.6.35.Keygen.Patch-F4CG\keygen.exe (Backdoor.GF) -> No action taken.
F:\install files\mIRC.6.35.Keygen.Patch-F4CG\patch.exe (Backdoor.IRCBot) -> No action taken.
F:\install files\SolidWorks 2008 Office Premium SP3.0 w COSMOS\PlanetMaster Full\ibfs32.dll (Trojan.Agent) -> No action taken.
F:\install files\Sony.ACID.Pro.v6.0.Incl.Keygen-SSG\keygen.exe (Trojan.Downloader) -> No action taken.

**********

- Ran Defogger.
- Failed to run DDS, even after disabling Kaspersky and disconnecting from the internet (a black window flashes and immediately disappears).
- Ran HijackThis >> see log below. The only processes I do not recognize are smss.exe and lsass.exe.

**********

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 6:27:51 PM, on 8/6/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Common Files\SolidWorks Installation Manager\Scheduler\sldIMScheduler.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\Gadwin Systems\PrintScreenPro\PrintScreenPro.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AltWindowDrag.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Autodesk\3ds Max 2009\mentalray\satellite\raysat_3dsMax2009_32server.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrobat.exe
C:\Program Files\Mozilla Firefox\firefox.exe
F:\install files\AV\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O1 - Hosts: 66.98.148.65 auto.search.msn.com
O1 - Hosts: 66.98.148.65 auto.search.msn.es
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ievkbd.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SolidWorks_CheckForUpdates] "C:\Program Files\Common Files\SolidWorks Installation Manager\Scheduler\sldIMScheduler.exe" /scheduler
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [Gadwin PrintScreen Pro] "C:\Program Files\Gadwin Systems\PrintScreenPro\PrintScreenPro.exe" /nosplash
O4 - HKUS\S-1-5-21-1123561945-1715567821-1417001333-1001\..\RunOnce: [SetDefaultMIDI] MIDIDEF.EXE /s:'Creative SoundFont Synthesizer' /w:'SB Audigy' (User 'postgres')
O4 - HKUS\S-1-5-21-1123561945-1715567821-1417001333-1001\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'postgres')
O4 - HKUS\S-1-5-21-1123561945-1715567821-1417001333-1001\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'postgres')
O4 - HKUS\S-1-5-18\..\RunOnce: [SetDefaultMIDI] MIDIDEF.EXE /s:'Creative SoundFont Synthesizer' /w:'SB Audigy' (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [SetDefaultMIDI] MIDIDEF.EXE /s:'Creative SoundFont Synthesizer' /w:'SB Audigy' (User 'Default user')
O4 - Global Startup: AltWindowDrag.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\SCIEPlgn.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O13 - DefaultPrefix:
O13 - WWW Prefix:
O13 - Home Prefix:
O13 - Mosaic Prefix:
O13 - FTP Prefix:
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
O23 - Service: CiSvc - Unknown owner - C:\WINDOWS\system32\cisvc.exe (file missing)
O23 - Service: ClipSrv - Unknown owner - C:\WINDOWS\system32\clipsrv.exe (file missing)
O23 - Service: SW Distributed TS Coordinator Service (CoordinatorServiceHost) - Dassault Systèmes SolidWorks Corp. - C:\Program Files\SolidWorks Corp\SolidWorks\swScheduler\DTSCoordinatorService.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Desktop Manager 5.9.1005.12335 (GoogleDesktopManager-051210-111108) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: mental ray 3.6 Satellite for Autodesk 3ds Max Design 2009 32-bit 32-bit (mi-raysat_3dsMax2009_32) - Unknown owner - C:\Program Files\Autodesk\3ds Max 2009\mentalray\satellite\raysat_3dsMax2009_32server.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PostgreSQL Database Server 8.3 (pgsql-8.3) - PostgreSQL Global Development Group - C:\Program Files\PostgreSQL\8.3\bin\pg_ctl.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe

--
End of file - 9081 bytes

**********

- Attempted to end the processes smss.exe and lsass.exe in Task Manager >> a window popped up saying they are critical processes and cannot be terminated.
- Ran GMER >> see log below.

**********

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-08-06 21:37:59
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\agncqkob.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwAdjustPrivilegesToken [0xF37D61DA]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwClose [0xF37D67AE]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwConnectPort [0xF37D81EA]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwCreateFile [0xF37D7B9C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwCreateKey [0xF37D5950]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwCreateSymbolicLinkObject [0xF37D9B7C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwCreateThread [0xF37D65AE]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwDeleteKey [0xF37D5D92]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwDeleteValueKey [0xF37D5F92]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwDeviceIoControlFile [0xF37D7EAC]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwDuplicateObject [0xF37DA084]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwEnumerateKey [0xF37D60A8]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwEnumerateValueKey [0xF37D6110]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwFsControlFile [0xF37D7D5E]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwLoadDriver [0xF37D9620]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwOpenFile [0xF37D79F8]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwOpenKey [0xF37D5AB2]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwOpenProcess [0xF37D63B2]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwOpenSection [0xF37D9BA6]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwOpenThread [0xF37D62FE]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwQueryKey [0xF37D6178]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwQueryMultipleValueKey [0xF37D5E7C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwQueryValueKey [0xF37D5C5A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwQueueApcThread [0xF37D9888]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwReplaceKey [0xF37D55D2]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwRequestWaitReplyPort [0xF37D8A74]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwRestoreKey [0xF37D5734]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwResumeThread [0xF37D9F56]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSaveKey [0xF37D53D0]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSecureConnectPort [0xF37D808C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSetContextThread [0xF37D66AC]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSetSecurityObject [0xF37D971A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSetSystemInformation [0xF37D9BD0]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSetValueKey [0xF37D5B08]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSuspendProcess [0xF37D9CB4]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSuspendThread [0xF37D9DE0]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSystemDebugControl [0xF37D954C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwTerminateProcess [0xF37D647E]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwWriteVirtualMemory [0xF37D64F0]

Code \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) FsRtlCheckLockForReadAccess
Code \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) IoIsOperationSynchronous

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2C40 805044CC 4 Bytes JMP 6CF37D81
.text ntkrnlpa.exe!ZwCallbackReturn + 2FB8 80504844 12 Bytes [B4, 9C, 7D, F3, E0, 9D, 7D, ...] {MOV AH, 0x9c; JGE 0xfffffffffffffff7; LOOPNZ 0xffffffffffffffa3; JGE 0xfffffffffffffffb; DEC ESP; XCHG EBP, EAX; JGE 0xffffffffffffffff}
init C:\WINDOWS\system32\drivers\nvax.sys entry point in "init" section [0xF7630A0C]
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xF61ED360, 0x3E57A5, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

? C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe[148] C:\WINDOWS\system32\kernel32.dll time/date stamp mismatch;
.text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe[148] USER32.dll!AlignRects + FFFA5598 7E412A78 4 Bytes [70, 11, 41, 6D] {JO 0x13; INC ECX; INSD }
? C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe[760] C:\WINDOWS\system32\kernel32.dll time/date stamp mismatch;
.text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe[760] USER32.dll!AlignRects + FFFA5598 7E412A78 4 Bytes [70, 11, 41, 6D] {JO 0x13; INC ECX; INSD }
.text C:\Program Files\MPC HomeCinema\mpc-hc.exe[3872] ntdll.dll!NtQueryInformationProcess 7C90D7E0 5 Bytes JMP 004788A0 C:\Program Files\MPC HomeCinema\mpc-hc.exe (Media Player Classic - Homecinema/mpc-hc@Sourceforge)
.text C:\Program Files\MPC HomeCinema\mpc-hc.exe[3872] kernel32.dll!DeviceIoControl 7C801629 7 Bytes JMP 00478B70 C:\Program Files\MPC HomeCinema\mpc-hc.exe (Media Player Classic - Homecinema/mpc-hc@Sourceforge)
.text C:\Program Files\MPC HomeCinema\mpc-hc.exe[3872] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00478930 C:\Program Files\MPC HomeCinema\mpc-hc.exe (Media Player Classic - Homecinema/mpc-hc@Sourceforge)
.text C:\Program Files\MPC HomeCinema\mpc-hc.exe[3872] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00478A80 C:\Program Files\MPC HomeCinema\mpc-hc.exe (Media Player Classic - Homecinema/mpc-hc@Sourceforge)
.text C:\Program Files\MPC HomeCinema\mpc-hc.exe[3872] kernel32.dll!IsDebuggerPresent 7C813123 6 Bytes JMP 004F8970 C:\Program Files\MPC HomeCinema\mpc-hc.exe (Media Player Classic - Homecinema/mpc-hc@Sourceforge)
.text C:\Program Files\MPC HomeCinema\mpc-hc.exe[3872] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 004288B0 C:\Program Files\MPC HomeCinema\mpc-hc.exe (Media Player Classic - Homecinema/mpc-hc@Sourceforge)
.text C:\Program Files\MPC HomeCinema\mpc-hc.exe[3872] ADVAPI32.dll!RegCloseKey 77DD6C17 5 Bytes JMP 004285E0 C:\Program Files\MPC HomeCinema\mpc-hc.exe (Media Player Classic - Homecinema/mpc-hc@Sourceforge)
.text C:\Program Files\MPC HomeCinema\mpc-hc.exe[3872] ADVAPI32.dll!RegQueryValueExW 77DD6FEF 5 Bytes JMP 004289D0 C:\Program Files\MPC HomeCinema\mpc-hc.exe (Media Player Classic - Homecinema/mpc-hc@Sourceforge)
.text C:\Program Files\MPC HomeCinema\mpc-hc.exe[3872] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 004286A0 C:\Program Files\MPC HomeCinema\mpc-hc.exe (Media Player Classic - Homecinema/mpc-hc@Sourceforge)
.text C:\Program Files\MPC HomeCinema\mpc-hc.exe[3872] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00428880 C:\Program Files\MPC HomeCinema\mpc-hc.exe (Media Player Classic - Homecinema/mpc-hc@Sourceforge)
.text C:\Program Files\MPC HomeCinema\mpc-hc.exe[3872] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00428860 C:\Program Files\MPC HomeCinema\mpc-hc.exe (Media Player Classic - Homecinema/mpc-hc@Sourceforge)
.text C:\Program Files\MPC HomeCinema\mpc-hc.exe[3872] ADVAPI32.dll!RegQueryValueExA 77DD7AAB 5 Bytes JMP 004289A0 C:\Program Files\MPC HomeCinema\mpc-hc.exe (Media Player Classic - Homecinema/mpc-hc@Sourceforge)
.text C:\Program Files\MPC HomeCinema\mpc-hc.exe[3872] ADVAPI32.dll!RegEnumKeyExW 77DD7BC9 5 Bytes JMP 004287B0 C:\Program Files\MPC HomeCinema\mpc-hc.exe (Media Player Classic - Homecinema/mpc-hc@Sourceforge)
.text C:\Program Files\MPC HomeCinema\mpc-hc.exe[3872] ADVAPI32.dll!RegEnumValueW 77DD7EDD 5 Bytes JMP 00428810 C:\Program Files\MPC HomeCinema\mpc-hc.exe (Media Player Classic - Homecinema/mpc-hc@Sourceforge)
.text C:\Program Files\MPC HomeCinema\mpc-hc.exe[3872] ADVAPI32.dll!RegSetValueExW 77DDD757 7 Bytes JMP 00428A90 C:\Program Files\MPC HomeCinema\mpc-hc.exe (Media Player Classic - Homecinema/mpc-hc@Sourceforge)
.text C:\Program Files\MPC HomeCinema\mpc-hc.exe[3872] ADVAPI32.dll!RegQueryValueW 77DDD86A 5 Bytes JMP 00428970 C:\Program Files\MPC HomeCinema\mpc-hc.exe (Media Player Classic - Homecinema/mpc-hc@Sourceforge)
.text C:\Program Files\MPC HomeCinema\mpc-hc.exe[3872] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00428680 C:\Program Files\MPC HomeCinema\mpc-hc.exe (Media Player Classic - Homecinema/mpc-hc@Sourceforge)
.text C:\Program Files\MPC HomeCinema\mpc-hc.exe[3872] ADVAPI32.dll!RegSetValueExA 77DDEAD7 7 Bytes JMP 00428A60 C:\Program Files\MPC HomeCinema\mpc-hc.exe (Media Player Classic - Homecinema/mpc-hc@Sourceforge)
.text C:\Program Files\MPC HomeCinema\mpc-hc.exe[3872] ADVAPI32.dll!RegDeleteValueA 77DDECD5 5 Bytes JMP 00428720 C:\Program Files\MPC HomeCinema\mpc-hc.exe (Media Player Classic - Homecinema/mpc-hc@Sourceforge)
.text C:\Program Files\MPC HomeCinema\mpc-hc.exe[3872] ADVAPI32.dll!RegDeleteValueW 77DDEDE1 5 Bytes JMP 00428750 C:\Program Files\MPC HomeCinema\mpc-hc.exe (Media Player Classic - Homecinema/mpc-hc@Sourceforge)
.text C:\Program Files\MPC HomeCinema\mpc-hc.exe[3872] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00428840 C:\Program Files\MPC HomeCinema\mpc-hc.exe (Media Player Classic - Homecinema/mpc-hc@Sourceforge)
.text C:\Program Files\MPC HomeCinema\mpc-hc.exe[3872] ADVAPI32.dll!RegDeleteKeyA 77DE4280 5 Bytes JMP 004286C0 C:\Program Files\MPC HomeCinema\mpc-hc.exe (Media Player Classic - Homecinema/mpc-hc@Sourceforge)
.text C:\Program Files\MPC HomeCinema\mpc-hc.exe[3872] ADVAPI32.dll!RegQueryInfoKeyA 77DE4312 5 Bytes JMP 004288E0 C:\Program Files\MPC HomeCinema\mpc-hc.exe (Media Player Classic - Homecinema/mpc-hc@Sourceforge)
.text C:\Program Files\MPC HomeCinema\mpc-hc.exe[3872] ADVAPI32.dll!RegQueryInfoKeyW 77DE49AE 5 Bytes JMP 00428910 C:\Program Files\MPC HomeCinema\mpc-hc.exe (Media Player Classic - Homecinema/mpc-hc@Sourceforge)
.text C:\Program Files\MPC HomeCinema\mpc-hc.exe[3872] ADVAPI32.dll!RegEnumKeyExA 77DE5196 5 Bytes JMP 00428780 C:\Program Files\MPC HomeCinema\mpc-hc.exe (Media Player Classic - Homecinema/mpc-hc@Sourceforge)
.text C:\Program Files\MPC HomeCinema\mpc-hc.exe[3872] ADVAPI32.dll!RegDeleteKeyW 77DE557B 5 Bytes JMP 004286F0 C:\Program Files\MPC HomeCinema\mpc-hc.exe (Media Player Classic - Homecinema/mpc-hc@Sourceforge)
.text C:\Program Files\MPC HomeCinema\mpc-hc.exe[3872] ADVAPI32.dll!RegFlushKey 77DF4CB0 5 Bytes JMP 00428610 C:\Program Files\MPC HomeCinema\mpc-hc.exe (Media Player Classic - Homecinema/mpc-hc@Sourceforge)
.text C:\Program Files\MPC HomeCinema\mpc-hc.exe[3872] ADVAPI32.dll!RegEnumValueA 77DF9B8F 5 Bytes JMP 004287E0 C:\Program Files\MPC HomeCinema\mpc-hc.exe (Media Player Classic - Homecinema/mpc-hc@Sourceforge)
.text C:\Program Files\MPC HomeCinema\mpc-hc.exe[3872] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 00428660 C:\Program Files\MPC HomeCinema\mpc-hc.exe (Media Player Classic - Homecinema/mpc-hc@Sourceforge)
.text C:\Program Files\MPC HomeCinema\mpc-hc.exe[3872] ADVAPI32.dll!RegQueryValueA 77DFBB5D 5 Bytes JMP 00428940 C:\Program Files\MPC HomeCinema\mpc-hc.exe (Media Player Classic - Homecinema/mpc-hc@Sourceforge)
.text C:\Program Files\MPC HomeCinema\mpc-hc.exe[3872] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00428640 C:\Program Files\MPC HomeCinema\mpc-hc.exe (Media Player Classic - Homecinema/mpc-hc@Sourceforge)
.text C:\Program Files\MPC HomeCinema\mpc-hc.exe[3872] ADVAPI32.dll!RegSetValueA 77DFC76E 5 Bytes JMP 00428A00 C:\Program Files\MPC HomeCinema\mpc-hc.exe (Media Player Classic - Homecinema/mpc-hc@Sourceforge)
.text C:\Program Files\MPC HomeCinema\mpc-hc.exe[3872] ADVAPI32.dll!RegSetValueW 77E360EE 5 Bytes JMP 00428A30 C:\Program Files\MPC HomeCinema\mpc-hc.exe (Media Player Classic - Homecinema/mpc-hc@Sourceforge)
.text C:\Program Files\MPC HomeCinema\mpc-hc.exe[3872] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 00428BC0 C:\Program Files\MPC HomeCinema\mpc-hc.exe (Media Player Classic - Homecinema/mpc-hc@Sourceforge)
.text C:\Program Files\MPC HomeCinema\mpc-hc.exe[3872] USER32.dll!ChangeDisplaySettingsExA 7E42384E 5 Bytes JMP 00482A10 C:\Program Files\MPC HomeCinema\mpc-hc.exe (Media Player Classic - Homecinema/mpc-hc@Sourceforge)
.text C:\Program Files\MPC HomeCinema\mpc-hc.exe[3872] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 5 Bytes JMP 00482A40 C:\Program Files\MPC HomeCinema\mpc-hc.exe (Media Player Classic - Homecinema/mpc-hc@Sourceforge)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SiWinAcc.sys (Windows Accelerator Driver/Silicon Image, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
AttachedDevice \Driver\Tcpip \Device\Tcp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
AttachedDevice \Driver\Tcpip \Device\Udp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
AttachedDevice \Driver\Tcpip \Device\RawIp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat SiWinAcc.sys (Windows Accelerator Driver/Silicon Image, Inc.)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xB6 0xFA 0x9E 0x53 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x29 0xD6 0x90 0x99 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xFD 0x32 0xE9 0x4B ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xB6 0xFA 0x9E 0x53 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x29 0xD6 0x90 0x99 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xFD 0x32 0xE9 0x4B ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@LoadAppInit_DLLs 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd3.dll C:\PROGRA~1\KASPER~1\KASPER~1\adialhk.dll C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL

---- EOF - GMER 1.0.15 ----

**********

- ran MBRCheck >> see log below (2 non-standard MBRs)

**********

MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x00003bfd

Kernel Drivers (total 142):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0x806E4000 \WINDOWS\system32\hal.dll
0xF7987000 \WINDOWS\system32\KDCOM.DLL
0xF7897000 \WINDOWS\system32\BOOTVID.dll
0xF7358000 ACPI.sys
0xF7989000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xF7347000 pci.sys
0xF7487000 ohci1394.sys
0xF7497000 \WINDOWS\system32\DRIVERS\1394BUS.SYS
0xF74A7000 isapnp.sys
0xF74B7000 MountMgr.sys
0xF7328000 ftdisk.sys
0xF798B000 dmload.sys
0xF7302000 dmio.sys
0xF7707000 PartMgr.sys
0xF74C7000 VolSnap.sys
0xF72EC000 nvatabus.sys
0xF72D6000 SI3112.sys
0xF72BE000 \WINDOWS\system32\DRIVERS\SCSIPORT.SYS
0xF7289000 Si3114r5.sys
0xF726F000 3112Rx47.sys
0xF74D7000 disk.sys
0xF74E7000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xF724F000 fltMgr.sys
0xF74F7000 klbg.sys
0xF789B000 SiWinAcc.sys
0xF7238000 KSecDD.sys
0xF71AB000 Ntfs.sys
0xF717E000 NDIS.sys
0xF798D000 SiRemFil.sys
0xF770F000 nvcchflt.sys
0xF7164000 Mup.sys
0xF6C45000 kl1.sys
0xF7717000 \WINDOWS\system32\drivers\TDI.SYS
0xF7607000 \SystemRoot\system32\DRIVERS\nic1394.sys
0xF7617000 \SystemRoot\system32\DRIVERS\AmdK8.sys
0xF776F000 \SystemRoot\system32\DRIVERS\usbohci.sys
0xF6B00000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xF7637000 \SystemRoot\system32\DRIVERS\klfltdev.sys
0xF7797000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xF7627000 \SystemRoot\system32\drivers\nvax.sys
0xF7647000 \SystemRoot\system32\DRIVERS\imapi.sys
0xF7923000 \SystemRoot\system32\drivers\pfc.sys
0xF7657000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xF7667000 \SystemRoot\system32\DRIVERS\redbook.sys
0xF6ADD000 \SystemRoot\system32\DRIVERS\ks.sys
0xF6A5E000 \SystemRoot\system32\drivers\ctaud2k.sys
0xF6A3A000 \SystemRoot\system32\drivers\portcls.sys
0xF7677000 \SystemRoot\system32\drivers\drmk.sys
0xF6A06000 \SystemRoot\system32\drivers\ctoss2k.sys
0xF77AF000 \SystemRoot\system32\drivers\ctprxy2k.sys
0xF69BD000 \SystemRoot\system32\DRIVERS\yk51x86.sys
0xF7937000 \SystemRoot\system32\DRIVERS\nvnetbus.sys
0xF6972000 \SystemRoot\system32\DRIVERS\NVNRM.SYS
0xF693B000 \SystemRoot\system32\DRIVERS\NVSNPU.SYS
0xF61ED000 \SystemRoot\system32\DRIVERS\nv4_mini.sys
0xF61B1000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xF79BF000 \SystemRoot\system32\DRIVERS\ASACPI.sys
0xF7827000 \SystemRoot\system32\DRIVERS\fdc.sys
0xF7687000 \SystemRoot\system32\DRIVERS\serial.sys
0xF795B000 \SystemRoot\system32\DRIVERS\serenum.sys
0xF619D000 \SystemRoot\system32\DRIVERS\parport.sys
0xF7967000 \SystemRoot\system32\drivers\nvmpu401.sys
0xF796B000 \SystemRoot\system32\DRIVERS\gameenum.sys
0xF784F000 \SystemRoot\system32\DRIVERS\klim5.sys
0xF7B98000 \SystemRoot\system32\DRIVERS\audstub.sys
0xF7697000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xF7983000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xF6186000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xF76A7000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xF76B7000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xF7727000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xF7887000 \SystemRoot\system32\DRIVERS\raspti.sys
0xF79C9000 \SystemRoot\system32\DRIVERS\swenum.sys
0xF6088000 \SystemRoot\system32\DRIVERS\update.sys
0xF6C15000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xF76C7000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xF79CD000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xF76D7000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xF5FB5000 \SystemRoot\system32\drivers\nvapu.sys
0xF5ED3000 \SystemRoot\system32\drivers\nvmcp.sys
0xF5EC2000 \SystemRoot\system32\drivers\nvarm.sys
0xF5E78000 \SystemRoot\system32\drivers\hap17v2k.sys
0xF5D6E000 \SystemRoot\system32\drivers\ha10kx2k.sys
0xF5D3F000 \SystemRoot\system32\drivers\emupia2k.sys
0xF5D16000 \SystemRoot\system32\drivers\ctsfm2k.sys
0xF5C7A000 \SystemRoot\system32\drivers\ctac32k.sys
0xF5B3F000 \SystemRoot\system32\COMMONFX.DLL
0xF5AB4000 \SystemRoot\system32\CTAUDFX.DLL
0xF5A26000 \SystemRoot\system32\CTSBLFX.DLL
0xF75B7000 \SystemRoot\system32\DRIVERS\NVENETFD.sys
0xF782F000 \SystemRoot\system32\DRIVERS\flpydisk.sys
0xF37C7000 \SystemRoot\system32\DRIVERS\klif.sys
0xF79F5000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xF7B63000 \SystemRoot\System32\Drivers\Null.SYS
0xF7767000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xF779F000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xF77A7000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xF77C7000 \SystemRoot\System32\drivers\vga.sys
0xF77DF000 \SystemRoot\System32\Drivers\Msfs.SYS
0xF77EF000 \SystemRoot\System32\Drivers\Npfs.SYS
0xF6074000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xF376C000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xF6166000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xF3713000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xF36EB000 \SystemRoot\system32\DRIVERS\netbt.sys
0xF6126000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xF3651000 \SystemRoot\System32\drivers\afd.sys
0xF6116000 \SystemRoot\system32\DRIVERS\arp1394.sys
0xF6106000 \SystemRoot\system32\DRIVERS\netbios.sys
0xF3586000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xF3516000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xF60F6000 \SystemRoot\System32\Drivers\Fips.SYS
0xF34F8000 \SystemRoot\system32\drivers\archlp.sys
0xF788F000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0xF36C3000 \SystemRoot\system32\DRIVERS\hidusb.sys
0xF6156000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0xF7807000 \SystemRoot\system32\DRIVERS\LHidFilt.Sys
0xF6146000 \SystemRoot\system32\DRIVERS\WDFLDR.SYS
0xF347D000 \SystemRoot\system32\DRIVERS\Wdf01000.sys
0xF36AF000 \SystemRoot\system32\DRIVERS\kbdhid.sys
0xF36AB000 \SystemRoot\system32\DRIVERS\mouhid.sys
0xF77CF000 \SystemRoot\system32\DRIVERS\LMouFilt.Sys
0xF77E7000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
0xF3611000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xF3417000 \SystemRoot\System32\Drivers\dump_nvatabus.sys
0xF7A17000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xF368F000 \SystemRoot\System32\drivers\Dxapi.sys
0xF775F000 \SystemRoot\System32\watchdog.sys
0xBD000000 \SystemRoot\System32\drivers\dxg.sys
0xF7BD5000 \SystemRoot\System32\drivers\dxgthk.sys
0xBD012000 \SystemRoot\System32\nv4_disp.dll
0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
0xB9538000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xB92F3000 \SystemRoot\system32\drivers\wdmaud.sys
0xB9368000 \SystemRoot\system32\drivers\sysaudio.sys
0xF7A49000 \SystemRoot\System32\Drivers\ParVdm.SYS
0xB909B000 \SystemRoot\system32\DRIVERS\srv.sys
0xF77B7000 \SystemRoot\system32\drivers\npf.sys
0xB904F000 \SystemRoot\System32\Drivers\Fastfat.SYS
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 42):
0 System Idle Process
4 System
844 C:\WINDOWS\system32\smss.exe
908 csrss.exe
928 C:\WINDOWS\system32\winlogon.exe
972 C:\WINDOWS\system32\services.exe
984 C:\WINDOWS\system32\lsass.exe
1140 C:\WINDOWS\system32\nvsvc32.exe
1208 C:\WINDOWS\system32\svchost.exe
1252 svchost.exe
1420 C:\WINDOWS\system32\svchost.exe
1508 svchost.exe
1672 svchost.exe
1736 C:\WINDOWS\system32\spoolsv.exe
1948 C:\WINDOWS\explorer.exe
2036 C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
136 C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
228 C:\Program Files\Autodesk\3ds Max 2009\mentalray\satellite\raysat_3dsMax2009_32server.exe
336 C:\Program Files\Google\Update\GoogleUpdate.exe
388 pg_ctl.exe
676 postgres.exe
732 C:\WINDOWS\SOUNDMAN.EXE
744 C:\WINDOWS\system32\CtHelper.exe
760 C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
768 postgres.exe
784 C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
884 C:\Program Files\Common Files\SolidWorks Installation Manager\Scheduler\sldIMScheduler.exe
892 postgres.exe
948 postgres.exe
1044 postgres.exe
1096 postgres.exe
1336 C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
1352 C:\WINDOWS\system32\rundll32.exe
1360 C:\Program Files\uTorrent\uTorrent.exe
1368 C:\Program Files\Gadwin Systems\PrintScreenPro\PrintScreenPro.exe
1396 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AltWindowDrag.exe
1528 C:\Program Files\Logitech\SetPoint\SetPoint.exe
1576 C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.exe
3328 C:\WINDOWS\system32\svchost.exe
3416 C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
3800 wmiprvse.exe
3848 F:\install files\AV\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive2 at offset 0x00000000`00007e00 (NTFS)
\\.\D: --> \\.\PhysicalDrive3 at offset 0x00000000`00007e00 (NTFS)
\\.\E: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
\\.\F: --> \\.\PhysicalDrive1 at offset 0x00000000`00007e00 (NTFS)
\\.\H: --> \\.\PhysicalDrive6 at offset 0x00000000`00007e00 (NTFS)
\\.\L: --> \\.\PhysicalDrive5 at offset 0x00000000`00007e00 (NTFS)
\\.\M: --> \\.\PhysicalDrive4 at offset 0x00000000`00007e00 (NTFS)
\\.\N: --> \\.\PhysicalDrive7 at offset 0x00000000`00007e00 (NTFS)

PhysicalDrive2 Model Number: INTELSSDSA2MH080G1GC, Rev: 045C8820
PhysicalDrive3 Model Number: HitachiHDS721010KLA330, Rev: GKAOA70M
PhysicalDrive0 Model Number: HitachiHDS721010KLA330, Rev: GKAOA70F
PhysicalDrive1 Model Number: HitachiHDS721010KLA330, Rev: GKAOA70M
PhysicalDrive6 Model Number: ST31500341AS, Rev: CC1H
PhysicalDrive5 Model Number: ST31500341AS, Rev: CC1H
PhysicalDrive4 Model Number: ST31500341AS, Rev: CC1H
PhysicalDrive7 Model Number: ST31500341AS, Rev: CC1H

Size Device Name MBR Status
--------------------------------------------
74 GB \\.\PhysicalDrive2 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A
931 GB \\.\PhysicalDrive3 Unknown MBR code
SHA1: 38B2C51FCEBEA58B171A064A7280D07340463B4C
931 GB \\.\PhysicalDrive0 Unknown MBR code
SHA1: 405C4508B165A445F4F7E0C0476A897966CA65BA
931 GB \\.\PhysicalDrive1 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A
1397 GB \\.\PhysicalDrive6 RE: Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A
1397 GB \\.\PhysicalDrive5 RE: Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A
1397 GB \\.\PhysicalDrive4 RE: Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A
1397 GB \\.\PhysicalDrive7 RE: Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:

**********

- attempted to restore one of the MBRs using MBRCheck >> upon rebooting the MBR still came up as corrupt
- ran TDSSKiller (had to use the command without "-v" at the end to prevent errors) >> see log below (looks like nothing was found)

**********

2010/08/06 22:10:21.0218 TDSS rootkit removing tool 2.4.1.0 Aug 4 2010 15:06:41
2010/08/06 22:10:21.0218 ================================================================================
2010/08/06 22:10:21.0218 SystemInfo:
2010/08/06 22:10:21.0218
2010/08/06 22:10:21.0218 OS Version: 5.1.2600 ServicePack: 3.0
2010/08/06 22:10:21.0218 Product type: Workstation
2010/08/06 22:10:21.0218 ComputerName: EXPERIEN-3B6706
2010/08/06 22:10:21.0218 UserName: Administrator
2010/08/06 22:10:21.0218 Windows directory: C:\WINDOWS
2010/08/06 22:10:21.0218 System windows directory: C:\WINDOWS
2010/08/06 22:10:21.0218 Processor architecture: Intel x86
2010/08/06 22:10:21.0218 Number of processors: 2
2010/08/06 22:10:21.0218 Page size: 0x1000
2010/08/06 22:10:21.0218 Boot type: Normal boot
2010/08/06 22:10:21.0234 ================================================================================
2010/08/06 22:10:21.0578 Initialize success
2010/08/06 22:10:25.0187 ================================================================================
2010/08/06 22:10:25.0187 Scan started
2010/08/06 22:10:25.0187 Mode: Manual;
2010/08/06 22:10:25.0187 ================================================================================
2010/08/06 22:10:25.0453 3112Rx47 (ec2b7c23fb561a52904571439ddbab78) C:\WINDOWS\system32\drivers\3112Rx47.sys
2010/08/06 22:10:25.0531 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2010/08/06 22:10:25.0578 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2010/08/06 22:10:25.0625 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2010/08/06 22:10:25.0656 AFD (322d0e36693d6e24a2398bee62a268cd) C:\WINDOWS\System32\drivers\afd.sys
2010/08/06 22:10:25.0812 ALCXWDM (8a8909fdd548d84a3e02e04f699ee705) C:\WINDOWS\system32\drivers\ALCXWDM.SYS
2010/08/06 22:10:25.0921 AmdK8 (0a4d13b388c814560bd69c3a496ecfa8) C:\WINDOWS\system32\DRIVERS\AmdK8.sys
2010/08/06 22:10:25.0984 archlp (d781cb30626ff2f391bc9ec6e20801b9) C:\WINDOWS\system32\drivers\archlp.sys
2010/08/06 22:10:26.0015 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
2010/08/06 22:10:26.0140 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2010/08/06 22:10:26.0187 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\drivers\atapi.sys
2010/08/06 22:10:26.0250 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2010/08/06 22:10:26.0281 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2010/08/06 22:10:26.0343 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2010/08/06 22:10:26.0390 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2010/08/06 22:10:26.0421 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2010/08/06 22:10:26.0453 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2010/08/06 22:10:26.0562 COMMONFX.DLL (ecd78c93a8ca1e280e10e24188e6568e) C:\WINDOWS\system32\COMMONFX.DLL
2010/08/06 22:10:26.0625 CT20XUT.DLL (1f62f2f4392f721025b79a0222ded357) C:\WINDOWS\system32\CT20XUT.DLL
2010/08/06 22:10:26.0671 ctac32k (89ee116ae83058dd028d13cd53f668c8) C:\WINDOWS\system32\drivers\ctac32k.sys
2010/08/06 22:10:26.0734 ctaud2k (55935f873db712d62a0d9c9bcd002de1) C:\WINDOWS\system32\drivers\ctaud2k.sys
2010/08/06 22:10:26.0765 CTAUDFX.DLL (ccbcdd95116b993dfa523b3ecc88f73d) C:\WINDOWS\system32\CTAUDFX.DLL
2010/08/06 22:10:26.0812 ctdvda2k (6f423d0b5288d131795a05d712181ec4) C:\WINDOWS\system32\drivers\ctdvda2k.sys
2010/08/06 22:10:26.0859 CTEAPSFX.DLL (3d411b5df969c0f1dd062aa147bed524) C:\WINDOWS\system32\CTEAPSFX.DLL
2010/08/06 22:10:26.0890 CTEDSPFX.DLL (fe0823d8280a51a5575ae2fd9a3732e2) C:\WINDOWS\system32\CTEDSPFX.DLL
2010/08/06 22:10:26.0937 CTEDSPIO.DLL (eaf112535481ab76a022a274f1a8f924) C:\WINDOWS\system32\CTEDSPIO.DLL
2010/08/06 22:10:26.0984 CTEDSPSY.DLL (db50923f48b8a8fd80329dae21ad316c) C:\WINDOWS\system32\CTEDSPSY.DLL
2010/08/06 22:10:27.0015 CTERFXFX.DLL (c7f3e238871c8a0473430f8f87921ec5) C:\WINDOWS\system32\CTERFXFX.DLL
2010/08/06 22:10:27.0078 CTEXFIFX.DLL (699eb23684695e169f6db2dd4a7a901a) C:\WINDOWS\system32\CTEXFIFX.DLL
2010/08/06 22:10:27.0125 CTHWIUT.DLL (d371e3c43d628be73dccf33c9e5b1d0b) C:\WINDOWS\system32\CTHWIUT.DLL
2010/08/06 22:10:27.0140 ctprxy2k (5d591099766ee0d468a45341f1bd4df9) C:\WINDOWS\system32\drivers\ctprxy2k.sys
2010/08/06 22:10:27.0187 CTSBLFX.DLL (48184677fac84ada4b20b1fbbacea95d) C:\WINDOWS\system32\CTSBLFX.DLL
2010/08/06 22:10:27.0218 ctsfm2k (c250dd53c4d7aa0da3c587a9e4652c75) C:\WINDOWS\system32\drivers\ctsfm2k.sys
2010/08/06 22:10:27.0296 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2010/08/06 22:10:27.0359 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2010/08/06 22:10:27.0406 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2010/08/06 22:10:27.0453 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2010/08/06 22:10:27.0484 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2010/08/06 22:10:27.0562 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2010/08/06 22:10:27.0593 DrmRAudio (bbd1be3de57c680a60a3b784a60b3524) C:\WINDOWS\system32\drivers\DrmRAudio.sys
2010/08/06 22:10:27.0625 DrmRVideo (7d3f81898e13d2a33c41ad2cb33ad743) C:\WINDOWS\system32\DRIVERS\DrmRVideo.sys
2010/08/06 22:10:27.0656 emupia (6d26f3ff7af137cf0408d0fb594f0d33) C:\WINDOWS\system32\drivers\emupia2k.sys
2010/08/06 22:10:27.0703 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2010/08/06 22:10:27.0734 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
2010/08/06 22:10:27.0765 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2010/08/06 22:10:27.0812 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2010/08/06 22:10:27.0859 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
2010/08/06 22:10:27.0906 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2010/08/06 22:10:27.0937 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2010/08/06 22:10:27.0968 gameenum (065639773d8b03f33577f6cdaea21063) C:\WINDOWS\system32\DRIVERS\gameenum.sys
2010/08/06 22:10:28.0015 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2010/08/06 22:10:28.0062 ha10kx2k (80830e836310d9027a407b78ec526919) C:\WINDOWS\system32\drivers\ha10kx2k.sys
2010/08/06 22:10:28.0109 hap16v2k (1754ad77e23fd49bed5a8ef8c2bb751b) C:\WINDOWS\system32\drivers\hap16v2k.sys
2010/08/06 22:10:28.0140 hap17v2k (4652d0ee3ca03f593006979230e96497) C:\WINDOWS\system32\drivers\hap17v2k.sys
2010/08/06 22:10:28.0171 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2010/08/06 22:10:28.0250 HTTP (f6aacf5bce2893e0c1754afeb672e5c9) C:\WINDOWS\system32\Drivers\HTTP.sys
2010/08/06 22:10:28.0328 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2010/08/06 22:10:28.0359 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2010/08/06 22:10:28.0437 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2010/08/06 22:10:28.0468 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2010/08/06 22:10:28.0500 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2010/08/06 22:10:28.0546 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2010/08/06 22:10:28.0578 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2010/08/06 22:10:28.0609 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2010/08/06 22:10:28.0656 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2010/08/06 22:10:28.0687 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2010/08/06 22:10:28.0718 kl1 (cd6a8fa9395460ffe7fd8881a6c67254) C:\WINDOWS\system32\drivers\kl1.sys
2010/08/06 22:10:28.0750 klbg (f9089982ed97340984e3dd60edd75490) C:\WINDOWS\system32\drivers\klbg.sys
2010/08/06 22:10:28.0781 KLFLTDEV (73eb94ad1c85b4a3c5a8b4d879f668b9) C:\WINDOWS\system32\DRIVERS\klfltdev.sys
2010/08/06 22:10:28.0812 KLIF (2627c389ba33065b2e98118ce9d71e57) C:\WINDOWS\system32\DRIVERS\klif.sys
2010/08/06 22:10:28.0843 klim5 (cd16a39c6f61c2ae0272e1f431353bf7) C:\WINDOWS\system32\DRIVERS\klim5.sys
2010/08/06 22:10:28.0875 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2010/08/06 22:10:28.0921 KSecDD (1705745d900dabf2d89f90ebaddc7517) C:\WINDOWS\system32\drivers\KSecDD.sys
2010/08/06 22:10:28.0968 LBeepKE (17638894e150efee66d97bce8f037519) C:\WINDOWS\system32\Drivers\LBeepKE.sys
2010/08/06 22:10:29.0062 LHidFilt (75415a95c589a07d6c97baa2d4143916) C:\WINDOWS\system32\DRIVERS\LHidFilt.Sys
2010/08/06 22:10:29.0093 LHidKe (eaed22460dad9ccd9c9a58c78e717497) C:\WINDOWS\system32\DRIVERS\LHidKE.Sys
2010/08/06 22:10:29.0140 LMouFilt (fcb3f81ac07b8608f921134237823b88) C:\WINDOWS\system32\DRIVERS\LMouFilt.Sys
2010/08/06 22:10:29.0171 LMouKE (d1fd76ea56cd653d7b55a0fac96ee416) C:\WINDOWS\system32\DRIVERS\LMouKE.Sys
2010/08/06 22:10:29.0218 mcdbus (8fd868e32459ece2a1bb0169f513d31e) C:\WINDOWS\system32\DRIVERS\mcdbus.sys
2010/08/06 22:10:29.0281 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2010/08/06 22:10:29.0312 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2010/08/06 22:10:29.0375 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2010/08/06 22:10:29.0406 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2010/08/06 22:10:29.0484 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2010/08/06 22:10:29.0546 MRxSmb (68755f0ff16070178b54674fe5b847b0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2010/08/06 22:10:29.0609 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2010/08/06 22:10:29.0656 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2010/08/06 22:10:29.0718 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2010/08/06 22:10:29.0750 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2010/08/06 22:10:29.0796 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2010/08/06 22:10:29.0859 MTsensor (d48659bb24c48345d926ecb45c1ebdf5) C:\WINDOWS\system32\DRIVERS\ASACPI.sys
2010/08/06 22:10:29.0890 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2010/08/06 22:10:29.0968 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2010/08/06 22:10:30.0000 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2010/08/06 22:10:30.0046 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2010/08/06 22:10:30.0109 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2010/08/06 22:10:30.0140 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
2010/08/06 22:10:30.0187 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2010/08/06 22:10:30.0234 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2010/08/06 22:10:30.0359 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
2010/08/06 22:10:30.0453 npf (6623e51595c0076755c29c00846c4eb2) C:\WINDOWS\system32\drivers\npf.sys
2010/08/06 22:10:30.0515 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2010/08/06 22:10:30.0578 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2010/08/06 22:10:30.0656 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2010/08/06 22:10:30.0828 nv (4c3696c1ed1a36629ebb348bf745a328) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
2010/08/06 22:10:30.0906 nvatabus (83f0275a21d9772b51cef57e35afae61) C:\WINDOWS\system32\DRIVERS\nvatabus.sys
2010/08/06 22:10:30.0937 nvax (f3d3015e52f2732042197d4edcaac2cb) C:\WINDOWS\system32\drivers\nvax.sys
2010/08/06 22:10:30.0953 nvcchflt (fb7213bc5279c1af5e4e9ca05d944f2c) C:\WINDOWS\system32\DRIVERS\nvcchflt.sys
2010/08/06 22:10:30.0984 NVENETFD (97724affdd7a5a47c3bc07ccd1b88745) C:\WINDOWS\system32\DRIVERS\NVENETFD.sys
2010/08/06 22:10:31.0015 nvmpu401 (d509ef6e99d1b55887fdc0cb61fd5a42) C:\WINDOWS\system32\drivers\nvmpu401.sys
2010/08/06 22:10:31.0046 nvnetbus (82c2b3a89b9edfa6287c5aba1a4e6a99) C:\WINDOWS\system32\DRIVERS\nvnetbus.sys
2010/08/06 22:10:31.0078 nvnforce (6d6fd2b7035d415621acaf1e555c8b90) C:\WINDOWS\system32\drivers\nvapu.sys
2010/08/06 22:10:31.0125 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2010/08/06 22:10:31.0156 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2010/08/06 22:10:31.0187 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
2010/08/06 22:10:31.0218 ossrv (edade835fc1ae61f8020bce483719d31) C:\WINDOWS\system32\drivers\ctoss2k.sys
2010/08/06 22:10:31.0265 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
2010/08/06 22:10:31.0312 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2010/08/06 22:10:31.0343 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2010/08/06 22:10:31.0375 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2010/08/06 22:10:31.0468 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2010/08/06 22:10:31.0578 pfc (444f122e68db44c0589227781f3c8b3f) C:\WINDOWS\system32\drivers\pfc.sys
2010/08/06 22:10:31.0625 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2010/08/06 22:10:31.0671 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2010/08/06 22:10:31.0828 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2010/08/06 22:10:31.0859 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2010/08/06 22:10:31.0906 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2010/08/06 22:10:31.0937 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2010/08/06 22:10:31.0968 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2010/08/06 22:10:32.0015 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2010/08/06 22:10:32.0078 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2010/08/06 22:10:32.0125 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2010/08/06 22:10:32.0171 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2010/08/06 22:10:32.0218 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2010/08/06 22:10:32.0265 SI3112 (20655e752703cbf3a70aa164806a0d72) C:\WINDOWS\system32\DRIVERS\SI3112.sys
2010/08/06 22:10:32.0281 si3114r5 (87d406c592327ded095ff314427a4fa7) C:\WINDOWS\system32\DRIVERS\Si3114r5.sys
2010/08/06 22:10:32.0312 SiFilter (72cf151fb410e544904dbc7d7f29b796) C:\WINDOWS\system32\DRIVERS\SiWinAcc.sys
2010/08/06 22:10:32.0375 SiRemFil (41a59f484188be629087ba391ff60d74) C:\WINDOWS\system32\DRIVERS\SiRemFil.sys
2010/08/06 22:10:32.0437 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2010/08/06 22:10:32.0468 sptd (e8b705f9abe446aaf7a315ef8b4aea5a) C:\WINDOWS\system32\Drivers\sptd.sys
2010/08/06 22:10:32.0531 Srv (5252605079810904e31c332e241cd59b) C:\WINDOWS\system32\DRIVERS\srv.sys
2010/08/06 22:10:32.0578 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2010/08/06 22:10:32.0609 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2010/08/06 22:10:32.0734 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2010/08/06 22:10:32.0781 Tcpip (accf5a9a1ffaa490f33dba1c632b95e1) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2010/08/06 22:10:32.0859 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2010/08/06 22:10:32.0937 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2010/08/06 22:10:32.0984 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys
2010/08/06 22:10:33.0015 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2010/08/06 22:10:33.0062 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2010/08/06 22:10:33.0093 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2010/08/06 22:10:33.0140 usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys
2010/08/06 22:10:33.0171 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2010/08/06 22:10:33.0203 usbstor (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2010/08/06 22:10:33.0234 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2010/08/06 22:10:33.0296 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2010/08/06 22:10:33.0343 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2010/08/06 22:10:33.0390 Wdf01000 (fd47474bd21794508af449d9d91af6e6) C:\WINDOWS\system32\DRIVERS\Wdf01000.sys
2010/08/06 22:10:33.0437 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2010/08/06 22:10:33.0515 WsAudio_DeviceS(1) (4160cbe59d9b5be22e4c3897e8db9d56) C:\WINDOWS\system32\drivers\WsAudio_DeviceS(1).sys
2010/08/06 22:10:33.0546 WsAudio_DeviceS(2) (4160cbe59d9b5be22e4c3897e8db9d56) C:\WINDOWS\system32\drivers\WsAudio_DeviceS(2).sys
2010/08/06 22:10:33.0578 WsAudio_DeviceS(3) (4160cbe59d9b5be22e4c3897e8db9d56) C:\WINDOWS\system32\drivers\WsAudio_DeviceS(3).sys
2010/08/06 22:10:33.0609 WsAudio_DeviceS(4) (4160cbe59d9b5be22e4c3897e8db9d56) C:\WINDOWS\system32\drivers\WsAudio_DeviceS(4).sys
2010/08/06 22:10:33.0640 WsAudio_DeviceS(5) (4160cbe59d9b5be22e4c3897e8db9d56) C:\WINDOWS\system32\drivers\WsAudio_DeviceS(5).sys
2010/08/06 22:10:33.0687 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2010/08/06 22:10:33.0718 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2010/08/06 22:10:33.0781 yukonwxp (d57a909f1a9114d5d18a2eacb1afecd5) C:\WINDOWS\system32\DRIVERS\yk51x86.sys
2010/08/06 22:10:33.0843 ================================================================================
2010/08/06 22:10:33.0843 Scan finished
2010/08/06 22:10:33.0843 ================================================================================
2010/08/06 22:11:06.0437 Deinitialize success

**********

- failed to run Combofix (renamed the file to Combo-fix upon downloading; any other filename would freeze Firefox) >> Combofix creates a restore point and then hangs on the "Please wait - Combofix is preparing to run" screen; same behavior in 'Safe Mode'
- ran another scan using Malwarebytes Anti-Malware, this time a quick scan >> blue screen of death at some point in the scan
- tried again; this time it ran ok >> scan came up clean, see log below

**********

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4401

Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.2096

8/6/2010 11:25:41 PM
mbam-log-2010-08-06 (23-25-41).txt

Scan type: Quick scan
Objects scanned: 144400
Time elapsed: 6 minute(s), 14 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

**********

- Noticed another weird process in Task Manager, this one called csrss.exe >> again it could not be removed
- Noticed that Adobe Acrobat (Acrobat.exe) is always running in Task Manager even though I have not opened it >> ending this process does not change any of the problematic behaviors
- Ran ESET Online Scanner >> it found a few things and deleted them; see log below

**********

C:\WINDOWS\system32\cmdow.exe Win32/CMDOW.143 application cleaned by deleting - quarantined
F:\install files\eac-0.99pb5.exe Win32/Adware.ADON application deleted - quarantined
F:\install files\Adobe Illustrator CS4 (Multilingual) [RH]\AI_CS4_[RH]\Adobe Illustrator CS4\Keygen\CS4MCLG.EXE probably a variant of Win32/Spy.Agent trojan cleaned by deleting - quarantined
F:\install files\Test Drive Unlimited Cracks, MegaPack, & Instructions\Test.Drive.Unlimited.PROPER-ViTALiTY-CrackOnly\ViTALiTY\TestDriveUnlimited.exe probably a variant of Win32/Genetik trojan cleaned by deleting - quarantined

**********

This has not solved the problem, however. Any help would be greatly appreciated!

Edited by compoegg, 07 August 2010 - 03:01 AM.
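The four ESET Online Scanner result lines quoted in the post above share one format: a file path, a detection name (sometimes prefixed with "probably a variant of" for a heuristic hit), the action taken, and a quarantine status. The parser below is an added example and is not part of the thread or of ESET's own tooling; it turns those lines into records and separates a hit under the Windows system directory on the boot drive (assumed here to be `C:\WINDOWS`) from hits in a downloads folder on another drive, which is the first distinction a helper would draw when reading such a log. The log text is a constructed copy of the lines in the post.

```python
import re
from collections import Counter
from typing import Dict, List

# Constructed copy of the ESET Online Scanner result lines from the post above.
ESET_LOG = r"""
C:\WINDOWS\system32\cmdow.exe Win32/CMDOW.143 application cleaned by deleting - quarantined
F:\install files\eac-0.99pb5.exe Win32/Adware.ADON application deleted - quarantined
F:\install files\Adobe Illustrator CS4 (Multilingual) [RH]\AI_CS4_[RH]\Adobe Illustrator CS4\Keygen\CS4MCLG.EXE probably a variant of Win32/Spy.Agent trojan cleaned by deleting - quarantined
F:\install files\Test Drive Unlimited Cracks, MegaPack, & Instructions\Test.Drive.Unlimited.PROPER-ViTALiTY-CrackOnly\ViTALiTY\TestDriveUnlimited.exe probably a variant of Win32/Genetik trojan cleaned by deleting - quarantined
"""

# One result line: <path> <threat name> <application|trojan> <action>[ - <status>]
# The path is matched non-greedily; Windows paths contain no "/" so the
# "Platform/Name" detection token cannot be confused with a path component.
LINE_RE = re.compile(
    r"^(?P<path>.+?) "
    r"(?P<threat>(?:probably a variant of )?[A-Za-z0-9]+/\S+ (?:application|trojan)) "
    r"(?P<action>.+?)"
    r"(?: - (?P<status>\w+))?$"
)

# Assumption for this example: the boot drive is C: and the system root is C:\WINDOWS
# (Windows XP default); adjust for the machine being examined.
SYSTEM_PREFIXES = (r"c:\windows",)


def parse_eset_log(text: str) -> List[Dict[str, object]]:
    """Parse ESET scan result lines into dicts; unparsed lines are kept with parsed=False."""
    records: List[Dict[str, object]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            records.append({"raw": line, "parsed": False})
            continue
        path = m.group("path")
        threat = m.group("threat")
        records.append({
            "parsed": True,
            "path": path,
            "threat": threat,
            "action": m.group("action"),
            "status": m.group("status"),  # None when the line carries no " - status" suffix
            # "probably a variant of" marks a heuristic rather than a signature match
            "heuristic": threat.startswith("probably a variant of"),
            # a detection inside the system root deserves more scrutiny than one in a download folder
            "system_location": path.lower().startswith(SYSTEM_PREFIXES),
        })
    return records


def summarize(records: List[Dict[str, object]]) -> Dict[str, object]:
    """Counts a helper would want at a glance: totals, heuristic hits, system-root hits, per-drive."""
    parsed = [r for r in records if r["parsed"]]
    return {
        "total": len(parsed),
        "unparsed": len(records) - len(parsed),
        "heuristic": sum(1 for r in parsed if r["heuristic"]),
        "system_location": sum(1 for r in parsed if r["system_location"]),
        "by_drive": Counter(str(r["path"])[:2].upper() for r in parsed),
    }


if __name__ == "__main__":
    recs = parse_eset_log(ESET_LOG)
    for r in recs:
        if r["parsed"]:
            flag = "SYSTEM" if r["system_location"] else "user"
            print(f"[{flag}] {r['threat']} :: {r['path']} ({r['action']})")
    print(summarize(recs))
```

Running the block prints one line per detection with a SYSTEM/user flag and then the summary; on the quoted log only the `cmdow.exe` hit sits under the system root, while the three F: drive hits are files inside the user's own install folders.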


#2 suebaby41

suebaby41

    W.A.M. (Women Against Malware)


  • Malware Response Team
  • 6,248 posts
  • OFFLINE
  • Gender:Female
  • Location:South Carolina, USA
  • Local time:07:00 AM

Posted 15 August 2010 - 09:43 AM

Welcome to the BleepingComputer Forums.

Since it has been a few days since you scanned your computer with HijackThis, we will need a new HijackThis log. If you have not already downloaded Random's System Information Tool (RSIT), please download Random's System Information Tool (RSIT) by random/random which includes a HijackThis log and save it to your desktop. If you have RSIT already on your computer, please run it again.
  1. Double click on RSIT.exe to run RSIT.
  2. Click Continue at the disclaimer screen.
  3. Please post the contents of log.txt.
Thank you for your patience.

Please see Preparation Guide for use before posting about your potential Malware problem.

If you have already posted this log at another forum or if you decide to seek help at another forum, please let us know. There is a shortage of helpers and taking the time of two volunteer helpers means that someone else may not be helped.

Please post your HijackThis log as a reply to this thread and not as an attachment. I am always leery of opening attachments so I always request that HijackThis logs are to be posted as a reply to the thread. I do not think that you are attaching anything scary but others may do so.

While we are working on your HijackThis log, please:
  1. Reply to this thread; do not start another!
  2. Do not make any changes on your computer during the cleaning process or download/add programs on your computer unless instructed to do so.
  3. Do not run any other tool until instructed to do so!
  4. Let me know if any of the links do not work or if any of the tools do not work.
  5. Tell me about problems or symptoms that occur during the fix.
  6. Do not run any other programs or open any other windows while doing a fix.
  7. Ask any questions that you have regarding the fix(es), the infection(s), the performance of your computer, etc.
Thanks.
You don't stop laughing when you get old; you get old when you stop laughing.
A Member of U-N-I-T-E (Unified Network of Instructors and Trained Eliminators)
Malware Removal University Masters Graduate

Join The Fight Against Malware
No reply within 5 days will result in your topic being closed. If you need more time, please let me know by posting in this topic so that your topic will not be closed.

#3 compoegg

compoegg
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  • Local time:04:00 AM

Posted 16 August 2010 - 10:39 PM

Sorry for not updating, but I ended up reinstalling Windows. There are some hardware problems that remain, which I am working through now.

Thanks for replying.

Edited by compoegg, 16 August 2010 - 10:41 PM.


#4 suebaby41

suebaby41

    W.A.M. (Women Against Malware)


  • Malware Response Team
  • 6,248 posts
  • OFFLINE
  • Gender:Female
  • Location:South Carolina, USA
  • Local time:07:00 AM

Posted 17 August 2010 - 05:10 AM

Thanks for letting me know.

This subject is now closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.

