PC frozen, Alert Popup?


This topic is locked
29 replies to this topic

#1 hjtmk16

  • Members
  • 29 posts

Posted 08 September 2010 - 08:28 PM

Hi there,

My pc is freezing up intermittently and I am unable to open or use any applications. After a long while I was able to bring up my Task Manager and noticed an "Alert Popup" in my applications list. When I End Tasked it, my pc went back to normal for a while, then froze up again.

I ran Malwarebytes Quick Scan and Full Scan. No viruses were detected.

I had to turn my pc off by the power button. After going into Safe Mode with Networking, I downloaded all the recommended tools to my desktop. When Defogger was run, it finished, but did not ask for a reboot as expected. So I manually rebooted. In Safe Mode again, I double clicked the dds.scr file. Although it states that the scan takes approx 3 minutes to complete, it never completed for me. I then tried to start the GMER Rootkit Scanner, and received the blue screen of death.

I did manage to run HijackThis. I've attached the log for your analysis.

Please take a look. I would really appreciate your help.

M

Hi there,

As requested, here are the RKUnhook and ComboFix reports. Please let me know what I should do to fix my computer. Thank you for your help!



RkU Version: 3.8.388.590, Type LE (SR2)
==============================================
OS Name: Windows Vista
Version 6.0.6002 (Service Pack 2)
Number of processors #2
==============================================
[4876]iexplore.exe-->shell32.dll-->kernel32.dll-->FindNextFileW, Type: IAT modification 0x768E1114-->00000000 [AcRedir.dll]
[4876]iexplore.exe-->shell32.dll-->kernel32.dll-->GetBinaryTypeW, Type: IAT modification 0x768E1280-->00000000 [AcRedir.dll]
[4876]iexplore.exe-->shell32.dll-->kernel32.dll-->GetFileAttributesA, Type: IAT modification 0x768E1370-->00000000 [AcRedir.dll]
[4876]iexplore.exe-->shell32.dll-->kernel32.dll-->GetFileAttributesExW, Type: IAT modification 0x768E14A4-->00000000 [AcRedir.dll]
[4876]iexplore.exe-->shell32.dll-->kernel32.dll-->GetFileAttributesW, Type: IAT modification 0x768E13BC-->00000000 [AcRedir.dll]
[4876]iexplore.exe-->shell32.dll-->kernel32.dll-->GetLongPathNameW, Type: IAT modification 0x768E14EC-->00000000 [AcRedir.dll]
[4876]iexplore.exe-->shell32.dll-->kernel32.dll-->GetPrivateProfileIntW, Type: IAT modification 0x768E1390-->00000000 [AcRedir.dll]
[4876]iexplore.exe-->shell32.dll-->kernel32.dll-->GetPrivateProfileSectionNamesW, Type: IAT modification 0x768E1164-->00000000 [AcRedir.dll]
[4876]iexplore.exe-->shell32.dll-->kernel32.dll-->GetPrivateProfileSectionW, Type: IAT modification 0x768E1100-->00000000 [AcRedir.dll]
[4876]iexplore.exe-->shell32.dll-->kernel32.dll-->GetPrivateProfileStringW, Type: IAT modification 0x768E13A0-->00000000 [AcRedir.dll]
[4876]iexplore.exe-->shell32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x768E1414-->00000000 [shimeng.dll]
[4876]iexplore.exe-->shell32.dll-->kernel32.dll-->GetShortPathNameA, Type: IAT modification 0x768E136C-->00000000 [AcRedir.dll]
[4876]iexplore.exe-->shell32.dll-->kernel32.dll-->GetShortPathNameW, Type: IAT modification 0x768E1428-->00000000 [AcRedir.dll]
[4876]iexplore.exe-->shell32.dll-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x768E14E0-->00000000 [AcRedir.dll]
[4876]iexplore.exe-->shell32.dll-->kernel32.dll-->LoadLibraryExW, Type: IAT modification 0x768E1284-->00000000 [AcRedir.dll]
[4876]iexplore.exe-->shell32.dll-->kernel32.dll-->LoadLibraryW, Type: IAT modification 0x768E1448-->00000000 [AcRedir.dll]
[4876]iexplore.exe-->shell32.dll-->kernel32.dll-->MoveFileExW, Type: IAT modification 0x768E13C0-->00000000 [AcRedir.dll]
[4876]iexplore.exe-->shell32.dll-->kernel32.dll-->MoveFileW, Type: IAT modification 0x768E130C-->00000000 [AcRedir.dll]
[4876]iexplore.exe-->shell32.dll-->kernel32.dll-->RemoveDirectoryW, Type: IAT modification 0x768E13AC-->00000000 [AcRedir.dll]
[4876]iexplore.exe-->shell32.dll-->kernel32.dll-->ReplaceFileW, Type: IAT modification 0x768E1140-->00000000 [AcRedir.dll]
[4876]iexplore.exe-->shell32.dll-->kernel32.dll-->SearchPathW, Type: IAT modification 0x768E1384-->00000000 [AcRedir.dll]
[4876]iexplore.exe-->shell32.dll-->kernel32.dll-->SetCurrentDirectoryW, Type: IAT modification 0x768E124C-->00000000 [AcRedir.dll]
[4876]iexplore.exe-->shell32.dll-->kernel32.dll-->SetFileAttributesW, Type: IAT modification 0x768E13B8-->00000000 [AcRedir.dll]
[4876]iexplore.exe-->shell32.dll-->kernel32.dll-->WritePrivateProfileSectionW, Type: IAT modification 0x768E1168-->00000000 [AcRedir.dll]
[4876]iexplore.exe-->shell32.dll-->kernel32.dll-->WritePrivateProfileStringW, Type: IAT modification 0x768E116C-->00000000 [AcRedir.dll]
[4876]iexplore.exe-->shell32.dll-->ntdll.dll-->NtQueryDirectoryFile, Type: IAT modification 0x768E2320-->00000000 [AcRedir.dll]
[4876]iexplore.exe-->shell32.dll-->user32.dll-->LoadImageW, Type: IAT modification 0x768E1890-->00000000 [AcRedir.dll]
[4876]iexplore.exe-->shell32.dll-->user32.dll-->PrivateExtractIconsW, Type: IAT modification 0x768E1A6C-->00000000 [AcRedir.dll]
[4876]iexplore.exe-->shell32.dll-->user32.dll-->WinHelpW, Type: IAT modification 0x768E191C-->00000000 [AcRedir.dll]
[4876]iexplore.exe-->user32.dll-->advapi32.dll-->RegCloseKey, Type: IAT modification 0x77D5154C-->00000000 [AcRedir.dll]
[4876]iexplore.exe-->user32.dll-->advapi32.dll-->RegCreateKeyExW, Type: IAT modification 0x77D51548-->00000000 [AcRedir.dll]
[4876]iexplore.exe-->user32.dll-->advapi32.dll-->RegDeleteKeyW, Type: IAT modification 0x77D51544-->00000000 [AcRedir.dll]
[4876]iexplore.exe-->user32.dll-->advapi32.dll-->RegEnumValueW, Type: IAT modification 0x77D51524-->00000000 [AcRedir.dll]
[4876]iexplore.exe-->user32.dll-->advapi32.dll-->RegOpenKeyExW, Type: IAT modification 0x77D51528-->00000000 [AcRedir.dll]
[4876]iexplore.exe-->user32.dll-->advapi32.dll-->RegQueryInfoKeyW, Type: IAT modification 0x77D51520-->00000000 [AcRedir.dll]
[4876]iexplore.exe-->user32.dll-->advapi32.dll-->RegQueryValueExW, Type: IAT modification 0x77D5152C-->00000000 [AcRedir.dll]
[4876]iexplore.exe-->user32.dll-->DialogBoxIndirectParamA, Type: Inline - RelativeJump 0x7670847D-->00000000 [ieframe.dll]
[4876]iexplore.exe-->user32.dll-->DialogBoxIndirectParamW, Type: Inline - RelativeJump 0x766F2EF5-->00000000 [ieframe.dll]
[4876]iexplore.exe-->user32.dll-->DialogBoxParamA, Type: Inline - RelativeJump 0x76708152-->00000000 [ieframe.dll]
[4876]iexplore.exe-->user32.dll-->DialogBoxParamW, Type: Inline - RelativeJump 0x766F10B0-->00000000 [ieframe.dll]
[4876]iexplore.exe-->user32.dll-->kernel32.dll-->CopyFileW, Type: IAT modification 0x77D511A8-->00000000 [AcRedir.dll]
[4876]iexplore.exe-->user32.dll-->kernel32.dll-->CreateFileW, Type: IAT modification 0x77D512B8-->00000000 [AcRedir.dll]
[4876]iexplore.exe-->user32.dll-->kernel32.dll-->CreateProcessW, Type: IAT modification 0x77D511B4-->00000000 [AcLayers.dll]
[4876]iexplore.exe-->user32.dll-->kernel32.dll-->DeleteFileW, Type: IAT modification 0x77D511B0-->00000000 [AcRedir.dll]
[4876]iexplore.exe-->user32.dll-->kernel32.dll-->FindClose, Type: IAT modification 0x77D511E4-->00000000 [AcRedir.dll]
[4876]iexplore.exe-->user32.dll-->kernel32.dll-->FindFirstFileW, Type: IAT modification 0x77D511EC-->00000000 [AcRedir.dll]
[4876]iexplore.exe-->user32.dll-->kernel32.dll-->FindNextFileW, Type: IAT modification 0x77D511E8-->00000000 [AcRedir.dll]
[4876]iexplore.exe-->user32.dll-->kernel32.dll-->GetPrivateProfileStringW, Type: IAT modification 0x77D51328-->00000000 [AcRedir.dll]
[4876]iexplore.exe-->user32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77D51300-->00000000 [shimeng.dll]
[4876]iexplore.exe-->user32.dll-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x77D51250-->00000000 [AcRedir.dll]
[4876]iexplore.exe-->user32.dll-->kernel32.dll-->LoadLibraryExW, Type: IAT modification 0x77D5115C-->00000000 [AcRedir.dll]
[4876]iexplore.exe-->user32.dll-->kernel32.dll-->LoadLibraryW, Type: IAT modification 0x77D512FC-->00000000 [AcRedir.dll]
[4876]iexplore.exe-->user32.dll-->kernel32.dll-->MoveFileW, Type: IAT modification 0x77D511AC-->00000000 [AcRedir.dll]
[4876]iexplore.exe-->user32.dll-->kernel32.dll-->RegisterWaitForInputIdle, Type: IAT modification 0x77D51280-->00000000 [AcLayers.dll]
[4876]iexplore.exe-->user32.dll-->kernel32.dll-->SearchPathW, Type: IAT modification 0x77D51154-->00000000 [AcRedir.dll]
[4876]iexplore.exe-->user32.dll-->kernel32.dll-->SetCurrentDirectoryW, Type: IAT modification 0x77D511D8-->00000000 [AcRedir.dll]
[4876]iexplore.exe-->user32.dll-->kernel32.dll-->WritePrivateProfileStringW, Type: IAT modification 0x77D512BC-->00000000 [AcRedir.dll]
[4876]iexplore.exe-->user32.dll-->MessageBoxExA, Type: Inline - RelativeJump 0x7671D639-->00000000 [ieframe.dll]
[4876]iexplore.exe-->user32.dll-->MessageBoxExW, Type: Inline - RelativeJump 0x7671D65D-->00000000 [ieframe.dll]
[4876]iexplore.exe-->user32.dll-->MessageBoxIndirectA, Type: Inline - RelativeJump 0x7671D4D9-->00000000 [ieframe.dll]
[4876]iexplore.exe-->user32.dll-->MessageBoxIndirectW, Type: Inline - RelativeJump 0x7671D5D3-->00000000 [ieframe.dll]
[4876]iexplore.exe-->wininet.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x71241480-->00000000 [shimeng.dll]
[4876]iexplore.exe-->ws2_32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x4B0D11E8-->00000000 [shimeng.dll]
[5872]WINWORD.EXE-->advapi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77C814BC-->00000000 [shimeng.dll]
[5872]WINWORD.EXE-->gdi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77B61170-->00000000 [shimeng.dll]
[5872]WINWORD.EXE-->gdi32.dll-->PatBlt, Type: IAT modification 0x3000107C-->00000000 [AcSpecfc.dll]
[5872]WINWORD.EXE-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x30001438-->00000000 [shimeng.dll]
[5872]WINWORD.EXE-->mswsock.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x6D64123C-->00000000 [shimeng.dll]
[5872]WINWORD.EXE-->shell32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x768E1414-->00000000 [shimeng.dll]
[5872]WINWORD.EXE-->user32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77D51300-->00000000 [shimeng.dll]
[5872]WINWORD.EXE-->wininet.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x71241480-->00000000 [shimeng.dll]
[5872]WINWORD.EXE-->ws2_32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x4B0D11E8-->00000000 [shimeng.dll]


ComboFix 10-09-09.04 - Mike 2010-09-11 1:09.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.2.1033.18.3454.1962 [GMT -4:00]
Running from: c:\users\Mike\Desktop\FixAlertPopCombo.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\install.exe
c:\users\Mike\AppData\Roaming\inst.exe

.
((((((((((((((((((((((((( Files Created from 2010-08-11 to 2010-09-11 )))))))))))))))))))))))))))))))
.

2010-09-11 05:14 . 2010-09-11 05:14 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-09-05 05:12 . 2010-09-05 05:12 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2010-09-03 05:55 . 2010-09-03 05:55 -------- d-----w- c:\program files\Common Files\PX Storage Engine
2010-09-03 05:54 . 2010-09-03 05:55 -------- d-----w- c:\program files\Roxio
2010-09-03 05:54 . 2010-09-03 05:54 -------- d-----w- c:\program files\Common Files\Sonic Shared
2010-09-03 05:51 . 2010-09-03 05:52 -------- d-----w- c:\programdata\Research In Motion
2010-09-03 05:02 . 2010-09-03 05:02 652296 ----a-w- c:\programdata\Microsoft\eHome\Packages\SportsTemplate\SportsTemplateCore\Microsoft.MediaCenter.Sports.UI.dll
2010-09-03 05:02 . 2010-09-03 05:02 764168 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2010-09-03 04:51 . 2010-09-03 04:51 -------- d-----w- c:\users\Mike\AppData\Roaming\Blackberry Desktop
2010-09-03 04:25 . 2010-09-03 04:25 -------- d-----w- c:\programdata\FreeRIP
2010-09-03 04:25 . 2010-09-03 04:25 -------- d-----w- c:\program files\FreeRIP3
2010-08-23 01:06 . 2010-08-23 01:07 102135128 ----a-w- c:\users\Mike\AppData\Roaming\Research In Motion\BlackBerry\Updates\5D17024E-6DC2-41aa-B38E-DA95AA158934\Extractor.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-11 05:08 . 2008-11-30 22:30 -------- d-----w- c:\users\Mike\AppData\Roaming\DNA
2010-09-10 05:10 . 2009-05-31 14:00 1356 ----a-w- c:\users\Mike\AppData\Local\d3d9caps.dat
2010-09-08 04:03 . 2010-02-22 07:08 -------- d-----w- c:\program files\Microsoft Silverlight
2010-09-07 05:18 . 2008-11-30 22:11 -------- d-----w- c:\users\Mike\AppData\Roaming\uTorrent
2010-09-04 15:21 . 2009-03-06 05:37 -------- d-----w- c:\users\Mike\AppData\Roaming\ZoomBrowser EX
2010-09-04 15:20 . 2009-03-06 05:33 -------- d-----w- c:\users\Mike\AppData\Roaming\CameraWindowDC
2010-09-03 06:15 . 2008-10-26 18:59 92336 ----a-w- c:\users\Mike\AppData\Local\GDIPFONTCACHEV1.DAT
2010-09-03 06:03 . 2008-12-25 05:45 -------- d-----w- c:\programdata\Roxio
2010-09-03 05:55 . 2008-12-25 05:45 -------- d-----w- c:\program files\Common Files\Roxio Shared
2010-09-03 05:52 . 2008-12-25 05:41 -------- d-----w- c:\program files\Research In Motion
2010-09-03 05:51 . 2008-12-25 05:41 -------- d-----w- c:\program files\Common Files\Research In Motion
2010-09-03 04:40 . 2008-12-25 05:55 -------- d-----w- c:\users\Mike\AppData\Roaming\Research In Motion
2010-09-03 04:24 . 2010-05-03 05:19 -------- d-----w- c:\programdata\Easy CD-DA Extractor
2010-09-03 04:24 . 2010-05-03 05:19 -------- d-----w- c:\program files\Easy CD-DA Extractor 2010
2010-08-31 22:51 . 2008-11-30 22:11 -------- d-----w- c:\program files\uTorrent
2010-08-19 04:53 . 2008-06-03 21:37 -------- d-----w- c:\program files\Common Files\Java
2010-08-19 04:52 . 2008-06-03 21:37 -------- d-----w- c:\program files\Java
2010-08-11 05:15 . 2008-06-03 21:38 -------- d-----w- c:\program files\Microsoft Works
2010-08-11 05:10 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-08-10 05:17 . 2010-08-10 03:20 -------- d-----w- c:\users\Mike\AppData\Roaming\Vso
2010-08-10 04:53 . 2010-08-10 04:53 -------- d-----w- c:\programdata\vsosdk
2010-08-10 03:20 . 2010-08-10 03:20 47360 ----a-w- c:\windows\system32\drivers\pcouffin.sys
2010-08-10 03:20 . 2010-08-10 03:20 47360 ----a-w- c:\users\Mike\AppData\Roaming\pcouffin.sys
2010-08-10 03:20 . 2010-08-10 03:20 47360 ----a-w- c:\users\Mike\AppData\Roaming\pcouffin.sys
2010-08-10 03:20 . 2010-08-10 03:20 -------- d-----w- c:\program files\VSO
2010-08-04 01:38 . 2010-08-04 01:38 1821192 ----a-w- c:\users\Mike\AppData\Roaming\Research In Motion\BlackBerry\Updates\5D17024E-6DC2-41aa-B38E-DA95AA158934\vcredist_x86.exe
2010-08-04 01:38 . 2010-08-04 01:38 400728 ----a-w- c:\users\Mike\AppData\Roaming\Research In Motion\BlackBerry\Updates\5D17024E-6DC2-41aa-B38E-DA95AA158934\BBDesktopInstaller.exe
2010-08-04 01:38 . 2010-08-04 01:38 2959376 ----a-w- c:\users\Mike\AppData\Roaming\Research In Motion\BlackBerry\Updates\5D17024E-6DC2-41aa-B38E-DA95AA158934\dotnetfx35setup.exe
2010-08-04 01:38 . 2010-08-04 01:38 128472 ----a-w- c:\users\Mike\AppData\Roaming\Research In Motion\BlackBerry\Updates\5D17024E-6DC2-41aa-B38E-DA95AA158934\Helper.exe
2010-07-17 09:00 . 2010-05-11 02:08 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-06-29 15:47 . 2010-08-11 03:07 834048 ----a-w- c:\windows\system32\wininet.dll
2010-06-28 16:13 . 2010-08-11 03:07 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-06-21 13:37 . 2010-08-11 03:06 2037760 ----a-w- c:\windows\system32\win32k.sys
2010-06-18 17:31 . 2010-08-11 03:06 36864 ----a-w- c:\windows\system32\rtutils.dll
2010-06-18 15:04 . 2010-08-11 03:06 302080 ----a-w- c:\windows\system32\drivers\srv.sys
2010-06-18 15:04 . 2010-08-11 03:06 144896 ----a-w- c:\windows\system32\drivers\srv2.sys
2010-06-16 16:04 . 2010-08-11 03:06 905088 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-06-15 06:56 . 2010-06-15 06:56 507904 ----a-r- c:\windows\system32\btwapi.dll
2008-11-10 02:21 . 2008-11-10 02:21 22 --sha-w- c:\windows\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"BitTorrent DNA"="c:\users\Mike\Program Files\DNA\btdna.exe" [2009-10-07 323392]
"Eraser RiskMonitor"="c:\program files\East-Tec Eraser 2010\Launch.exe" [2008-11-03 44192]
"Google Update"="c:\users\Mike\AppData\Local\Google\Update\GoogleUpdate.exe" [2009-12-31 135664]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2008-10-24 206112]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"RIMDeviceManager"="c:\program files\Common Files\Research In Motion\RIMDeviceManager\RIMDeviceManager.exe" [2010-07-20 1686360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2008-07-03 6266880]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]
"LVCOMS"="c:\program files\Common Files\Logitech\QCDriver\LVCOMS.EXE" [2001-09-24 98304]
"DXM6Patch_981116"="c:\windows\p_981116.exe" [1998-11-30 497376]
"BDRegion"="c:\program files\Cyberlink\Shared Files\brs.exe" [2008-03-07 91432]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2007-10-28 72736]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2007-10-11 62760]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-22 92704]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2008-09-12 36352]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-13 413696]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2008-12-08 54576]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]
"LELA"="c:\program files\Linksys\Linksys EasyLink Advisor\Linksys EasyLink Advisor.exe" [2008-05-01 131072]
"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-04-09 648504]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2010-07-23 648536]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2009-07-08 236016]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 LinksysUpdater;Linksys Updater;c:\program files\Linksys\Linksys Updater\bin\LinksysUpdater.exe [2008-04-18 204800]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2010-02-24 135336]
S3 netr73;USB Wireless 802.11 b/g Adaptor Driver for Vista;c:\windows\system32\DRIVERS\netr73.sys [2008-02-26 493568]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - NORMANDY
*Deregistered* - Normandy

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder

2010-09-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-162055910-3620009665-1738632388-1000Core.job
- c:\users\Mike\AppData\Local\Google\Update\GoogleUpdate.exe [2009-12-31 11:54]

2010-09-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-162055910-3620009665-1738632388-1000UA.job
- c:\users\Mike\AppData\Local\Google\Update\GoogleUpdate.exe [2009-12-31 11:54]

2010-09-11 c:\windows\Tasks\User_Feed_Synchronization-{F3E484F1-6A0A-448F-ACE7-CDE53A04CBC5}.job
- c:\windows\system32\msfeedssync.exe [2008-01-21 02:24]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.thestar.com/
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
TCP: {AF0DF270-8BA6-406E-979F-9C9D1AF80504} = 64.71.255.198
DPF: {DAF7E6E6-D53A-439A-B28D-12271406B8A9} - hxxp://mobileapps.blackberry.com/devicesoftware/AxLoader.cab
FF - ProfilePath - c:\users\Mike\AppData\Roaming\Mozilla\Firefox\Profiles\a9ueanu7.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.thestar.com/
FF - plugin: c:\users\Mike\Program Files\DNA\plugins\npbtdna.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-11 01:14
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\{95808DC4-FA4A-4C74-92FE-5B863F82066B}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2010-09-11 01:16:11
ComboFix-quarantined-files.txt 2010-09-11 05:16
ComboFix2.txt 2010-04-30 00:45

Pre-Run: 1,245,356,032 bytes free
Post-Run: 1,225,560,064 bytes free

- - End Of File - - 14F872D0190EA906E2D45BDABACE06AA

EDIT: Posts merged ~BP

Edited by Budapest, 12 September 2010 - 05:53 PM.

#2 m0le (Can U Dig It?)

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 15 September 2010 - 07:37 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks
m0le is a proud member of UNITE

#3 hjtmk16 (Topic Starter)

  • Members
  • 29 posts

Posted 16 September 2010 - 08:20 PM

QUOTE(m0le @ Sep 15 2010, 08:37 PM)
Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks


Hi Mole,

Thank you in advance for your help. My pc has been badly messed up for almost two weeks. I took a screenshot of one of the potential causes of my problems. Please take a look and let me know what I can do to get my computer working again.

Mike

#4 m0le (Can U Dig It?)

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 17 September 2010 - 05:57 PM

It sounds like you are able to run some things (although it looks like a long-winded fix).

Please run MBRCheck so we can see if a specific rootkit is involved here.

Please download MBRCheck to your desktop.

1. Double click MBRCheck.exe to run it (Right click and run as Administrator for Vista).
2. It will open a black window, please do not fix anything (if it gives you an option).
3. Exit that window and it will produce a log (MBRCheck_date_time).
4. Please post that log when you reply.
m0le is a proud member of UNITE

#5 hjtmk16 (Topic Starter)

  • Members
  • 29 posts

Posted 17 September 2010 - 08:54 PM

QUOTE(m0le @ Sep 17 2010, 06:57 PM)
It sounds like you are able to run some things (although it looks like a long-winded fix).

Please run MBRCheck so we can see if a specific rootkit is involved here.

Please download MBRCheck to your desktop.

1. Double click MBRCheck.exe to run it (Right click and run as Administrator for Vista).
2. It will open a black window, please do not fix anything (if it gives you an option).
3. Exit that window and it will produce a log (MBRCheck_date_time).
4. Please post that log when you reply.
MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows Vista Home Premium Edition
Windows Information: Service Pack 2 (build 6002), 32-bit
Base Board Manufacturer: ASUSTek Computer INC.
BIOS Manufacturer: Phoenix Technologies, LTD
System Manufacturer: HP-Pavilion
System Product Name: KJ375AAR-ABA s3400f
Logical Drives Mask: 0x000002fc

Kernel Drivers (total 147):
0x82C45000 \SystemRoot\system32\ntkrnlpa.exe
0x82C12000 \SystemRoot\system32\hal.dll
0x80406000 \SystemRoot\system32\kdcom.dll
0x8040D000 \SystemRoot\system32\PSHED.dll
0x8041E000 \SystemRoot\system32\BOOTVID.dll
0x80426000 \SystemRoot\system32\CLFS.SYS
0x80467000 \SystemRoot\system32\CI.dll
0x80547000 \SystemRoot\system32\drivers\Wdf01000.sys
0x805C3000 \SystemRoot\system32\drivers\WDFLDR.SYS
0x8060F000 \SystemRoot\system32\drivers\acpi.sys
0x80655000 \SystemRoot\system32\drivers\WMILIB.SYS
0x8065E000 \SystemRoot\system32\drivers\msisadrv.sys
0x80666000 \SystemRoot\system32\drivers\pci.sys
0x8068D000 \SystemRoot\System32\drivers\partmgr.sys
0x8069C000 \SystemRoot\system32\drivers\volmgr.sys
0x806AB000 \SystemRoot\System32\drivers\volmgrx.sys
0x806F5000 \SystemRoot\system32\drivers\pciide.sys
0x806FC000 \SystemRoot\system32\drivers\PCIIDEX.SYS
0x8070A000 \SystemRoot\System32\drivers\mountmgr.sys
0x8071A000 \SystemRoot\system32\drivers\nvraid.sys
0x80735000 \SystemRoot\system32\drivers\CLASSPNP.SYS
0x80756000 \SystemRoot\system32\drivers\atapi.sys
0x8075E000 \SystemRoot\system32\drivers\ataport.SYS
0x8077C000 \SystemRoot\system32\DRIVERS\nvstor32.sys
0x807A0000 \SystemRoot\system32\DRIVERS\storport.sys
0x8320C000 \SystemRoot\system32\drivers\fltmgr.sys
0x8323E000 \SystemRoot\system32\drivers\fileinfo.sys
0x8324E000 \SystemRoot\System32\Drivers\PxHelp20.sys
0x83257000 \SystemRoot\System32\Drivers\ksecdd.sys
0x832C8000 \SystemRoot\system32\drivers\ndis.sys
0x833D3000 \SystemRoot\system32\drivers\msrpc.sys
0x8BA09000 \SystemRoot\system32\drivers\NETIO.SYS
0x8BA44000 \SystemRoot\System32\drivers\tcpip.sys
0x8BB2E000 \SystemRoot\System32\drivers\fwpkclnt.sys
0x8BC0B000 \SystemRoot\System32\Drivers\Ntfs.sys
0x8BD1B000 \SystemRoot\system32\drivers\volsnap.sys
0x8BD54000 \SystemRoot\System32\Drivers\spldr.sys
0x8BD5C000 \SystemRoot\System32\Drivers\mup.sys
0x8BD6B000 \SystemRoot\System32\drivers\ecache.sys
0x8BD92000 \SystemRoot\system32\drivers\disk.sys
0x8BDA3000 \SystemRoot\system32\drivers\crcdisk.sys
0x8BDE7000 \SystemRoot\system32\DRIVERS\tunnel.sys
0x8BDF2000 \SystemRoot\system32\DRIVERS\tunmp.sys
0x8BB49000 \SystemRoot\system32\DRIVERS\amdk8.sys
0x8BB59000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0x8BC00000 \SystemRoot\system32\DRIVERS\mouclass.sys
0x8BDFB000 \SystemRoot\system32\DRIVERS\PS2.sys
0x8BB6C000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0x8BB77000 \SystemRoot\system32\DRIVERS\usbohci.sys
0x8BB81000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0x8BBBF000 \SystemRoot\system32\DRIVERS\usbehci.sys
0x8BBCE000 \SystemRoot\system32\DRIVERS\ohci1394.sys
0x8BBDE000 \SystemRoot\system32\DRIVERS\1394BUS.SYS
0x8F609000 \SystemRoot\system32\DRIVERS\HSXHWBS2.sys
0x8F655000 \SystemRoot\system32\DRIVERS\ks.sys
0x8F67F000 \SystemRoot\system32\DRIVERS\HSX_DP.sys
0x8F809000 \SystemRoot\system32\DRIVERS\HSX_CNXT.sys
0x8F8BE000 \SystemRoot\system32\drivers\modem.sys
0x8F8CB000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0x8FA03000 \SystemRoot\system32\DRIVERS\nvmfdx32.sys
0x8FB03000 \SystemRoot\system32\DRIVERS\cdrom.sys
0x8FE0F000 \SystemRoot\system32\DRIVERS\nvlddmkm.sys
0x9052E000 \SystemRoot\System32\drivers\dxgkrnl.sys
0x905CF000 \SystemRoot\System32\drivers\watchdog.sys
0x8FB1B000 \SystemRoot\system32\DRIVERS\msiscsi.sys
0x905DB000 \SystemRoot\system32\DRIVERS\TDI.SYS
0x905E6000 \SystemRoot\System32\Drivers\RootMdm.sys
0x8FB4A000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0x905EE000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0x8FB61000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0x8FE00000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0x8FB84000 \SystemRoot\system32\DRIVERS\raspptp.sys
0x8FB98000 \SystemRoot\system32\DRIVERS\rassstp.sys
0x8FBAD000 \SystemRoot\System32\Drivers\pcouffin.sys
0x905F9000 \SystemRoot\system32\DRIVERS\RimSerial.sys
0x8FBB9000 \SystemRoot\system32\DRIVERS\termdd.sys
0x8FBC9000 \SystemRoot\system32\DRIVERS\swenum.sys
0x8FBCB000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0x8FBD5000 \SystemRoot\system32\DRIVERS\umbus.sys
0x8F958000 \SystemRoot\system32\DRIVERS\usbhub.sys
0x8FBE2000 \SystemRoot\System32\Drivers\NDProxy.SYS
0x90606000 \SystemRoot\system32\drivers\RTKVHDA.sys
0x90813000 \SystemRoot\system32\drivers\portcls.sys
0x90840000 \SystemRoot\system32\drivers\drmk.sys
0x90865000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0x9086E000 \SystemRoot\System32\Drivers\Null.SYS
0x90875000 \SystemRoot\System32\Drivers\Beep.SYS
0x9087C000 \SystemRoot\System32\drivers\vga.sys
0x90888000 \SystemRoot\System32\drivers\VIDEOPRT.SYS
0x908A9000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0x908B1000 \SystemRoot\system32\drivers\rdpencdd.sys
0x908B9000 \SystemRoot\System32\Drivers\Msfs.SYS
0x908C4000 \SystemRoot\System32\Drivers\Npfs.SYS
0x908D2000 \SystemRoot\System32\DRIVERS\rasacd.sys
0x908DB000 \SystemRoot\system32\DRIVERS\tdx.sys
0x908F1000 \SystemRoot\System32\DRIVERS\netbt.sys
0x90923000 \SystemRoot\system32\DRIVERS\smb.sys
0x90937000 \SystemRoot\system32\drivers\afd.sys
0x9097F000 \SystemRoot\system32\DRIVERS\pacer.sys
0x90995000 \SystemRoot\system32\DRIVERS\netbios.sys
0x909A3000 \SystemRoot\system32\DRIVERS\wanarp.sys
0x909B6000 \SystemRoot\System32\drivers\truecrypt.sys
0x909EB000 \SystemRoot\system32\DRIVERS\ssmdrv.sys
0x8F98D000 \SystemRoot\system32\DRIVERS\rdbss.sys
0x909F1000 \SystemRoot\system32\drivers\nsiproxy.sys
0x8F9C9000 \SystemRoot\System32\Drivers\dfsc.sys
0x8F781000 \SystemRoot\system32\DRIVERS\avipbb.sys
0x9100C000 \SystemRoot\system32\DRIVERS\netr73.sys
0x9108C000 \SystemRoot\system32\DRIVERS\USBD.SYS
0x9108E000 \SystemRoot\System32\Drivers\crashdmp.sys
0x9109B000 \SystemRoot\System32\Drivers\dump_diskdump.sys
0x910A5000 \SystemRoot\System32\Drivers\dump_nvstor32.sys
0x910C9000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
0x99610000 \SystemRoot\System32\win32k.sys
0x910DE000 \SystemRoot\System32\drivers\Dxapi.sys
0x910E8000 \SystemRoot\system32\DRIVERS\monitor.sys
0x99830000 \SystemRoot\System32\TSDDD.dll
0x99850000 \SystemRoot\System32\cdd.dll
0x910F7000 \SystemRoot\system32\drivers\luafv.sys
0x91112000 \SystemRoot\system32\DRIVERS\avgntflt.sys
0x91127000 \SystemRoot\system32\drivers\spsys.sys
0x911D7000 \SystemRoot\system32\DRIVERS\lltdio.sys
0x8F7A3000 \SystemRoot\system32\DRIVERS\nwifi.sys
0x911E7000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0x911F1000 \SystemRoot\system32\DRIVERS\pnarp.sys
0x91000000 \SystemRoot\system32\DRIVERS\purendis.sys
0x8F9E0000 \SystemRoot\system32\DRIVERS\rspndr.sys
0x9EE0F000 \SystemRoot\system32\drivers\HTTP.sys
0x9EE7C000 \SystemRoot\System32\DRIVERS\srvnet.sys
0x9EE99000 \SystemRoot\system32\DRIVERS\bowser.sys
0x9EEB2000 \SystemRoot\System32\drivers\mpsdrv.sys
0x9EEC7000 \SystemRoot\system32\drivers\mrxdav.sys
0x9EEE8000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0x9EF07000 \SystemRoot\system32\DRIVERS\mrxsmb10.sys
0x9EF40000 \SystemRoot\system32\DRIVERS\mrxsmb20.sys
0x9EF58000 \SystemRoot\System32\DRIVERS\srv2.sys
0x9EF7F000 \SystemRoot\System32\DRIVERS\srv.sys
0x9EFE5000 \SystemRoot\system32\DRIVERS\mdmxsdk.sys
0xA100E000 \SystemRoot\system32\drivers\peauth.sys
0xA10EC000 \SystemRoot\System32\Drivers\secdrv.SYS
0xA10F6000 \SystemRoot\System32\drivers\tcpipreg.sys
0xA1102000 \SystemRoot\system32\DRIVERS\xaudio.sys
0xA110A000 \SystemRoot\system32\DRIVERS\WUDFRd.sys
0xA111F000 \SystemRoot\system32\DRIVERS\WUDFPf.sys
0xA1131000 \??\C:\Program Files\CyberLink\PowerDVD\000.fcl
0xA114E000 \SystemRoot\system32\DRIVERS\cdfs.sys
0x774B0000 \Windows\System32\ntdll.dll

Processes (total 64):
0 System Idle Process
4 System
504 C:\Windows\System32\smss.exe
580 csrss.exe
632 C:\Windows\System32\wininit.exe
644 csrss.exe
676 C:\Windows\System32\services.exe
696 C:\Windows\System32\lsass.exe
704 C:\Windows\System32\lsm.exe
788 C:\Windows\System32\winlogon.exe
888 C:\Windows\System32\svchost.exe
956 C:\Windows\System32\nvvsvc.exe
984 C:\Windows\System32\svchost.exe
1024 C:\Windows\System32\svchost.exe
1112 C:\Windows\System32\svchost.exe
1136 C:\Windows\System32\svchost.exe
1152 C:\Windows\System32\svchost.exe
1276 C:\Windows\System32\audiodg.exe
1300 C:\Windows\System32\svchost.exe
1324 C:\Windows\System32\SLsvc.exe
1356 C:\Windows\System32\svchost.exe
1504 C:\Windows\System32\svchost.exe
1532 C:\Windows\System32\rundll32.exe
1804 C:\Windows\System32\spoolsv.exe
1828 C:\Program Files\Avira\AntiVir Desktop\sched.exe
1840 C:\Windows\System32\svchost.exe
448 C:\Program Files\Avira\AntiVir Desktop\avguard.exe
552 C:\Program Files\Common Files\LightScribe\LSSrvc.exe
1496 C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
1560 C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
1580 C:\Windows\System32\svchost.exe
760 C:\Program Files\CyberLink\Shared Files\RichVideo.exe
1464 C:\Program Files\Spyware Terminator\sp_rsser.exe
1900 C:\Windows\System32\svchost.exe
2060 C:\Windows\System32\java.exe
2068 C:\Windows\System32\svchost.exe
2092 C:\Windows\System32\SearchIndexer.exe
2256 C:\Windows\System32\drivers\XAudio.exe
2312 C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
2324 WUDFHost.exe
3992 C:\Windows\System32\taskeng.exe
1148 C:\Windows\System32\taskeng.exe
3228 C:\Windows\System32\dwm.exe
2948 C:\Windows\explorer.exe
2012 C:\Windows\RtHDVCpl.exe
3928 C:\Windows\System32\rundll32.exe
3972 C:\Program Files\HP\HP Software Update\hpwuschd2.exe
3700 C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
4044 C:\Program Files\Common Files\Java\Java Update\jusched.exe
4084 C:\Program Files\Windows Sidebar\sidebar.exe
2280 C:\Windows\ehome\ehtray.exe
1284 C:\Windows\ehome\ehmsas.exe
2220 C:\Program Files\Windows Sidebar\sidebar.exe
1340 C:\Program Files\East-Tec Eraser 2010\etRiskMon.exe
2772 C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Service.exe
484 C:\Program Files\Java\jre6\bin\javaw.exe
3848 C:\Windows\System32\taskmgr.exe
924 C:\Windows\System32\conime.exe
4456 C:\Program Files\Internet Explorer\ieuser.exe
4528 C:\Program Files\Internet Explorer\iexplore.exe
5900 C:\Windows\System32\Macromed\Flash\FlashUtil10b.exe
5640 <unknown>
5840 <unknown>
5604 C:\Users\Mike\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x00000072`1b73fe00 (NTFS)

PhysicalDrive0 Model Number: ST3500620AS, Rev: HP21

Size Device Name MBR Status
--------------------------------------------
465 GB \\.\PhysicalDrive0 Unknown MBR code
SHA1: CEFD837A02A1F4445A136688B10013AE4399C2CF


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:

Done!

#6 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 17 September 2010 - 09:11 PM

You have had your Master Boot Record rewritten by malware allowing it control.

1. Put your Windows Vista or Windows 7 installation disc in the disc drive, and then start the computer.
2. Press a key when you are prompted.
3. Select a language, a time, a currency, a keyboard or an input method, and then click Next.
4. Click Repair your computer.
5. Click the operating system that you want to repair, and then click Next.
6. In the System Recovery Options dialog box, click Command Prompt.
7. Type Bootrec.exe, and then press ENTER.
8. Type Bootrec.exe /FixMbr

Now rerun MBRCheck and post the new log
m0le is a proud member of UNITE

#7 hjtmk16


Posted 17 September 2010 - 11:46 PM

QUOTE(m0le @ Sep 17 2010, 10:11 PM)
You have had your Master Boot Record rewritten by malware allowing it control.

1. Put your Windows Vista or Windows 7 installation disc in the disc drive, and then start the computer.
2. Press a key when you are prompted.
3. Select a language, a time, a currency, a keyboard or an input method, and then click Next.
4. Click Repair your computer.
5. Click the operating system that you want to repair, and then click Next.
6. In the System Recovery Options dialog box, click Command Prompt.
7. Type Bootrec.exe, and then press ENTER.
8. Type Bootrec.exe /FixMbr

Now rerun MBRCheck and post the new log


Hi again,

My pc didn't come with a Vista install disk. When I first got it, I made three Recovery Disks. I did your Step #1 with disk 1. I put in the disk, then Shut Down my computer. When I started it up, I get the following:

1. Says "Windows is loading files ...."
2. HP System Recovery screen comes up. Gives two options: Run Sys Recovery by disks or Run by hard drive. I select "disks" option.
3. HP Recovery Manager screen comes up. It says, "Use this option to recover computer to original factory condition". Obviously I don't want to do this. There is an "Advanced Options" button. Clicking it brings up six radio button options:
a. Computer Checkup
b. Microsoft Startup Repair Tool
c. Microsoft System Restore
d. File Backup Program
e. System Recovery
f. Factory Reset

I didn't get asked about selecting language, time, etc., and I wasn't given the option to repair my o/s (as outlined in your instructions).

Please advise on how I should proceed. Thx.
Mike





#8 m0le


Posted 18 September 2010 - 03:30 AM

QUOTE
3. HP Recovery Manager screen comes up. It says, "Use this option to recover computer to original factory condition". Obviously I don't want to do this. There is an "Advanced Options" button. Clicking it brings up six radio button options:
a. Computer Checkup
b. Microsoft Startup Repair Tool
c. Microsoft System Restore
d. File Backup Program
e. System Recovery
f. Factory Reset


Choose option e here. Post me the next options when you can

#9 hjtmk16


Posted 18 September 2010 - 07:36 PM

QUOTE(m0le @ Sep 18 2010, 04:30 AM)
QUOTE
3. HP Recovery Manager screen comes up. It says, "Use this option to recover computer to original factory condition". Obviously I don't want to do this. There is an "Advanced Options" button. Clicking it brings up six radio button options:
a. Computer Checkup
b. Microsoft Startup Repair Tool
c. Microsoft System Restore
d. File Backup Program
e. System Recovery
f. Factory Reset


Choose option e here. Post me the next options when you can


Option E opens up "System Recovery" screen which states:
"This process will reinstall the original factory shipped software. All user created files will be lost. All files created after purchase and all programs installed after purchase will be lost. Do you want to back up your data before recovery begins?"
1. Back up files first
2. Recover without backing up your files.

Neither of these options is good for me, since my hd is only 500G and is basically full right now. I don't have the storage space to do a backup.

When the pc boots up and I press & hold F8, I get a number of choices:

a. Repair your computer. *tried this already; it did not do anything. At least it did not give me the option to repair my operating system.
b. Safe Modes
c. Enable boot logging. *this creates ntbtlog.txt, a list of drivers loaded during setup
d. Enable low res video.
e. Last known good configuration.
f. Directory Services Restore Mode. *starts Windows in Directory Services Repair mode (for Windows Domain Controllers only)
g. Debugging mode. *enables the Windows kernel debugger
h. Disable auto restart on system failure
i. Disable driver signature enforcement.

Please advise.
Mike



#10 m0le


Posted 18 September 2010 - 07:49 PM

The system recovery option is more like the factory reset option.

What happens when you choose Repair Your Computer (option a)?

#11 hjtmk16


Posted 18 September 2010 - 10:22 PM

QUOTE(m0le @ Sep 18 2010, 08:49 PM)
The system recovery option is more like the factory reset option.

What happens when you choose Repair Your Computer (option a)?



It opens up dialog box with:

1. Startup Repair *auto fix probs preventing Windows from starting. ran it. didn't find any probs to fix.
2. System Restore *already discussed
3. Windows Complete PC Restore *restores entire computer from backup image. I don't have one.
4. Windows Memory Diagnostic Tool *checks pc for memory hardware errors. ran it. found nothing.
5. Command Prompt
6. Recovery Manager *same as discussed earlier

#12 hjtmk16


Posted 18 September 2010 - 11:54 PM

QUOTE(hjtmk16 @ Sep 18 2010, 11:22 PM)
QUOTE(m0le @ Sep 18 2010, 08:49 PM)
The system recovery option is more like the factory reset option.

What happens when you choose Repair Your Computer (option a)?



It opens up dialog box with:

1. Startup Repair *auto fix probs preventing Windows from starting. ran it. didn't find any probs to fix.
2. System Restore *already discussed
3. Windows Complete PC Restore *restores entire computer from backup image. I don't have one.
4. Windows Memory Diagnostic Tool *checks pc for memory hardware errors. ran it. found nothing.
5. Command Prompt
6. Recovery Manager *same as discussed earlier


UPDATE: #6. Recovery Manager *when I selected this, it says "Note: This program will NOT reinstall hardware drivers or the Windows Vista operating system"

So it seems repairing Vista separately is not possible with my pc.

#13 m0le


Posted 19 September 2010 - 03:22 AM

We can try with the MBRCheck program - though this is not the most effective way.


Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Important Note: While fixing the Master Boot Record (MBR) is generally safe, there is a small risk of damaging the operating system so that it will not boot up or the partitions may become corrupted. I recommend you have your Windows CD available, which will allow recovering the boot code via the Windows Recovery Console in case of any problems, or install the XP Recovery Console before proceeding with the above fix. Then if any problems occur, the links below explain how to use and repair the MBR. If you do not have a recovery disk then please burn one as shown here.


Run MBRCheck.exe
  • Run MBRCheck.exe
  • Wait until you see the following line: Enter 'Y' and hit ENTER for more options, or 'N' to exit:
  • Please push the 'Y' key and then press Enter
  • When the program asks you, enter 2 and press the Enter key
  • Now the program will ask you "Enter the physical disk number to fix (0-99, -1 to cancel):"
  • Enter 0 and press the Enter key.
  • The program will show Available MBR codes:, followed by a list of operating systems. Please enter the correct number for your operating system, and then press Enter.
  • When asked Do you want to fix the MBR code? type in YES and press Enter
  • Restart your PC.
After you restart the PC
  • Double click MBRCheck.exe to run (Vista and Win 7: right click and select Run as Administrator)
  • It will show a black screen with some data on it
  • A report called MBRcheck will be on your desktop
  • Open this report
  • Right click on the screen and select > Select All
  • Press Control+C
  • Now please copy that report to this thread


#14 hjtmk16


Posted 19 September 2010 - 09:58 PM

QUOTE(m0le @ Sep 19 2010, 04:22 AM)
We can try with the MBRCheck program - though this is not the most effective way.


Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Important Note: While fixing the Master Boot Record (MBR) is generally safe, there is a small risk of damaging the operating system so that it will not boot up or the partitions may become corrupted. I recommend you have your Windows CD available, which will allow recovering the boot code via the Windows Recovery Console in case of any problems, or install the XP Recovery Console before proceeding with the above fix. Then if any problems occur, the links below explain how to use and repair the MBR. If you do not have a recovery disk then please burn one as shown here.


Run MBRCheck.exe
  • Run MBRCheck.exe
  • Wait until you see the following line: Enter 'Y' and hit ENTER for more options, or 'N' to exit:
  • Please push the 'Y' key and then press Enter
  • When the program asks you, enter 2 and press the Enter key
  • Now the program will ask you "Enter the physical disk number to fix (0-99, -1 to cancel):"
  • Enter 0 and press the Enter key.
  • The program will show Available MBR codes:, followed by a list of operating systems. Please enter the correct number for your operating system, and then press Enter.
  • When asked Do you want to fix the MBR code? type in YES and press Enter
  • Restart your PC.
After you restart the PC
  • Double click MBRCheck.exe to run (Vista and Win 7: right click and select Run as Administrator)
  • It will show a black screen with some data on it
  • A report called MBRcheck will be on your desktop
  • Open this report
  • Right click on the screen and select > Select All
  • Press Control+C
  • Now please copy that report to this thread



I've got MAJOR problems!!!!! This MBRCheck program has screwed up the loading of Windows. I get:

Windows Boot Manager

Windows failed to start. A recent hardware or software change might be the reason. To fix this problem:
1. Insert your Windows installation disk and restart computer.
2. Choose your language settings and click Next.
3. Click "Repair your computer".

What do I do now???

The only way I can get Vista to load is holding down F8, then selecting "Directory Services Restore Mode".
It is INCREDIBLY SLOW to load. This is VERY frustrating! Now my pc is completely unusable.

Here is the info you asked for:
MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows Vista Home Premium Edition
Windows Information: Service Pack 2 (build 6002), 32-bit
Base Board Manufacturer: ASUSTek Computer INC.
BIOS Manufacturer: Phoenix Technologies, LTD
System Manufacturer: HP-Pavilion
System Product Name: KJ375AAR-ABA s3400f
Logical Drives Mask: 0x000002fc

Kernel Drivers (total 143):
0x82C16000 \SystemRoot\system32\ntkrnlpa.exe
0x82FCF000 \SystemRoot\system32\hal.dll
0x80407000 \SystemRoot\system32\kdcom.dll
0x8040E000 \SystemRoot\system32\PSHED.dll
0x8041F000 \SystemRoot\system32\BOOTVID.dll
0x80427000 \SystemRoot\system32\CLFS.SYS
0x80468000 \SystemRoot\system32\CI.dll
0x80548000 \SystemRoot\system32\drivers\Wdf01000.sys
0x805C4000 \SystemRoot\system32\drivers\WDFLDR.SYS
0x8060A000 \SystemRoot\system32\drivers\acpi.sys
0x80650000 \SystemRoot\system32\drivers\WMILIB.SYS
0x80659000 \SystemRoot\system32\drivers\msisadrv.sys
0x80661000 \SystemRoot\system32\drivers\pci.sys
0x80688000 \SystemRoot\System32\drivers\partmgr.sys
0x80697000 \SystemRoot\system32\drivers\volmgr.sys
0x806A6000 \SystemRoot\System32\drivers\volmgrx.sys
0x806F0000 \SystemRoot\system32\drivers\pciide.sys
0x806F7000 \SystemRoot\system32\drivers\PCIIDEX.SYS
0x80705000 \SystemRoot\System32\drivers\mountmgr.sys
0x80715000 \SystemRoot\system32\drivers\nvraid.sys
0x80730000 \SystemRoot\system32\drivers\CLASSPNP.SYS
0x80751000 \SystemRoot\system32\drivers\atapi.sys
0x80759000 \SystemRoot\system32\drivers\ataport.SYS
0x80777000 \SystemRoot\system32\DRIVERS\nvstor32.sys
0x8079B000 \SystemRoot\system32\DRIVERS\storport.sys
0x83205000 \SystemRoot\system32\drivers\fltmgr.sys
0x83237000 \SystemRoot\system32\drivers\fileinfo.sys
0x83247000 \SystemRoot\System32\Drivers\PxHelp20.sys
0x83250000 \SystemRoot\System32\Drivers\ksecdd.sys
0x832C1000 \SystemRoot\system32\drivers\ndis.sys
0x833CC000 \SystemRoot\system32\drivers\msrpc.sys
0x8BA0C000 \SystemRoot\system32\drivers\NETIO.SYS
0x8BA47000 \SystemRoot\System32\drivers\tcpip.sys
0x8BB31000 \SystemRoot\System32\drivers\fwpkclnt.sys
0x8BC01000 \SystemRoot\System32\Drivers\Ntfs.sys
0x8BD11000 \SystemRoot\system32\drivers\volsnap.sys
0x8BD52000 \SystemRoot\System32\Drivers\mup.sys
0x8BD61000 \SystemRoot\System32\drivers\ecache.sys
0x8BD88000 \SystemRoot\system32\drivers\disk.sys
0x8BD99000 \SystemRoot\system32\drivers\crcdisk.sys
0x8BDDD000 \SystemRoot\system32\DRIVERS\tunnel.sys
0x8BDE8000 \SystemRoot\system32\DRIVERS\tunmp.sys
0x8BB4C000 \SystemRoot\system32\DRIVERS\amdk8.sys
0x8BB5C000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0x8BDF1000 \SystemRoot\system32\DRIVERS\mouclass.sys
0x8BD4A000 \SystemRoot\system32\DRIVERS\PS2.sys
0x8BB6F000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0x8BB7A000 \SystemRoot\system32\DRIVERS\usbohci.sys
0x8BB84000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0x8BBC2000 \SystemRoot\system32\DRIVERS\usbehci.sys
0x8BBD1000 \SystemRoot\system32\DRIVERS\ohci1394.sys
0x8BBE1000 \SystemRoot\system32\DRIVERS\1394BUS.SYS
0x8F206000 \SystemRoot\system32\DRIVERS\HSXHWBS2.sys
0x8F252000 \SystemRoot\system32\DRIVERS\ks.sys
0x8F27C000 \SystemRoot\system32\DRIVERS\HSX_DP.sys
0x8F40E000 \SystemRoot\system32\DRIVERS\HSX_CNXT.sys
0x8F4C3000 \SystemRoot\system32\drivers\modem.sys
0x8F4D0000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0x8F800000 \SystemRoot\system32\DRIVERS\nvmfdx32.sys
0x8F900000 \SystemRoot\system32\DRIVERS\cdrom.sys
0x8FA0D000 \SystemRoot\system32\DRIVERS\nvlddmkm.sys
0x9012C000 \SystemRoot\System32\drivers\dxgkrnl.sys
0x901CD000 \SystemRoot\System32\drivers\watchdog.sys
0x8F918000 \SystemRoot\system32\DRIVERS\msiscsi.sys
0x901D9000 \SystemRoot\system32\DRIVERS\TDI.SYS
0x901E4000 \SystemRoot\System32\Drivers\RootMdm.sys
0x8F947000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0x901EC000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0x8F95E000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0x8F981000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0x8F990000 \SystemRoot\system32\DRIVERS\raspptp.sys
0x8F9A4000 \SystemRoot\system32\DRIVERS\rassstp.sys
0x8FA00000 \SystemRoot\System32\Drivers\pcouffin.sys
0x901F7000 \SystemRoot\system32\DRIVERS\RimSerial.sys
0x8F9B9000 \SystemRoot\system32\DRIVERS\termdd.sys
0x901FE000 \SystemRoot\system32\DRIVERS\swenum.sys
0x8F9C9000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0x8F9D3000 \SystemRoot\system32\DRIVERS\umbus.sys
0x8F55D000 \SystemRoot\system32\DRIVERS\usbhub.sys
0x90203000 \SystemRoot\system32\drivers\RTKVHDA.sys
0x90410000 \SystemRoot\system32\drivers\portcls.sys
0x9043D000 \SystemRoot\system32\drivers\drmk.sys
0x90462000 \SystemRoot\System32\Drivers\NDProxy.SYS
0x90473000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0x9047C000 \SystemRoot\System32\Drivers\Null.SYS
0x90483000 \SystemRoot\System32\Drivers\Beep.SYS
0x9048A000 \SystemRoot\System32\drivers\vga.sys
0x90496000 \SystemRoot\System32\drivers\VIDEOPRT.SYS
0x904B7000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0x904BF000 \SystemRoot\system32\drivers\rdpencdd.sys
0x904C7000 \SystemRoot\System32\Drivers\Msfs.SYS
0x904D2000 \SystemRoot\System32\Drivers\Npfs.SYS
0x904E0000 \SystemRoot\System32\DRIVERS\rasacd.sys
0x904E9000 \SystemRoot\system32\DRIVERS\tdx.sys
0x904FF000 \SystemRoot\System32\DRIVERS\netbt.sys
0x90531000 \SystemRoot\system32\DRIVERS\smb.sys
0x90545000 \SystemRoot\system32\drivers\afd.sys
0x9058D000 \SystemRoot\system32\DRIVERS\pacer.sys
0x905A3000 \SystemRoot\system32\DRIVERS\netbios.sys
0x905B1000 \SystemRoot\system32\DRIVERS\wanarp.sys
0x8F37E000 \SystemRoot\system32\DRIVERS\netr73.sys
0x905C4000 \SystemRoot\system32\DRIVERS\USBD.SYS
0x905C6000 \SystemRoot\System32\drivers\truecrypt.sys
0x8F9E0000 \SystemRoot\system32\DRIVERS\ssmdrv.sys
0x8F592000 \SystemRoot\system32\DRIVERS\rdbss.sys
0x8F9E6000 \SystemRoot\system32\drivers\nsiproxy.sys
0x8F5CE000 \SystemRoot\System32\Drivers\dfsc.sys
0x807DC000 \SystemRoot\system32\DRIVERS\avipbb.sys
0x8F5E5000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
0x8F9F0000 \SystemRoot\System32\Drivers\crashdmp.sys
0x8F400000 \SystemRoot\System32\Drivers\dump_diskdump.sys
0x8BDA2000 \SystemRoot\System32\Drivers\dump_nvstor32.sys
0x98E90000 \SystemRoot\System32\win32k.sys
0x8BDC6000 \SystemRoot\System32\drivers\Dxapi.sys
0x8BBEF000 \SystemRoot\system32\DRIVERS\monitor.sys
0x990B0000 \SystemRoot\System32\TSDDD.dll
0x990D0000 \SystemRoot\System32\cdd.dll
0x805D1000 \SystemRoot\system32\drivers\luafv.sys
0x9EA04000 \SystemRoot\system32\DRIVERS\avgntflt.sys
0x9EA29000 \SystemRoot\system32\DRIVERS\nwifi.sys
0x9EA53000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0x9EA5D000 \SystemRoot\system32\DRIVERS\pnarp.sys
0x9EA67000 \SystemRoot\system32\DRIVERS\purendis.sys
0x9EA84000 \SystemRoot\system32\drivers\HTTP.sys
0x9EAF1000 \SystemRoot\System32\DRIVERS\srvnet.sys
0x9EB0E000 \SystemRoot\system32\DRIVERS\bowser.sys
0x9EB27000 \SystemRoot\System32\drivers\mpsdrv.sys
0x9EB3C000 \SystemRoot\system32\drivers\mrxdav.sys
0x9EB5D000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0x9EB7C000 \SystemRoot\system32\DRIVERS\mrxsmb10.sys
0x9EBB5000 \SystemRoot\system32\DRIVERS\mrxsmb20.sys
0x9EBCD000 \SystemRoot\System32\DRIVERS\srv2.sys
0xA0604000 \SystemRoot\System32\DRIVERS\srv.sys
0xA066A000 \SystemRoot\system32\DRIVERS\mdmxsdk.sys
0xA066E000 \SystemRoot\system32\drivers\peauth.sys
0xA074C000 \SystemRoot\System32\Drivers\secdrv.SYS
0xA0756000 \SystemRoot\System32\drivers\tcpipreg.sys
0xA0762000 \SystemRoot\system32\DRIVERS\WUDFRd.sys
0xA0777000 \SystemRoot\system32\DRIVERS\WUDFPf.sys
0xA0789000 \SystemRoot\system32\DRIVERS\xaudio.sys
0xA0791000 \??\C:\Program Files\CyberLink\PowerDVD\000.fcl
0xA07AE000 \SystemRoot\system32\DRIVERS\cdfs.sys
0x77C10000 \Windows\System32\ntdll.dll

Processes (total 51):
0 System Idle Process
4 System
412 C:\Windows\System32\smss.exe
472 csrss.exe
520 csrss.exe
528 C:\Windows\System32\wininit.exe
568 C:\Windows\System32\winlogon.exe
608 C:\Windows\System32\services.exe
620 C:\Windows\System32\lsass.exe
628 C:\Windows\System32\lsm.exe
776 C:\Windows\System32\svchost.exe
840 C:\Windows\System32\nvvsvc.exe
872 C:\Windows\System32\svchost.exe
924 C:\Windows\System32\svchost.exe
1004 C:\Windows\System32\svchost.exe
1032 C:\Windows\System32\svchost.exe
1052 C:\Windows\System32\svchost.exe
1128 C:\Windows\System32\audiodg.exe
1144 C:\Windows\System32\svchost.exe
1216 C:\Windows\System32\svchost.exe
1356 C:\Windows\System32\rundll32.exe
1392 C:\Windows\System32\svchost.exe
1724 C:\Windows\System32\spoolsv.exe
1764 C:\Program Files\Avira\AntiVir Desktop\sched.exe
1836 C:\Windows\System32\svchost.exe
1944 C:\Windows\System32\taskeng.exe
244 C:\Windows\explorer.exe
1868 C:\Program Files\Avira\AntiVir Desktop\avguard.exe
1580 C:\Program Files\Common Files\LightScribe\LSSrvc.exe
1876 C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
1336 C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
968 C:\Windows\System32\svchost.exe
1364 C:\Program Files\CyberLink\Shared Files\RichVideo.exe
2072 C:\Program Files\Spyware Terminator\sp_rsser.exe
2168 C:\Windows\System32\svchost.exe
2216 C:\Windows\System32\svchost.exe
2248 C:\Windows\System32\SearchIndexer.exe
2652 WUDFHost.exe
2692 C:\Windows\System32\drivers\XAudio.exe
2792 C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
2884 C:\Windows\System32\taskmgr.exe
3184 C:\Windows\System32\taskeng.exe
3348 C:\Program Files\Java\jre6\bin\javaw.exe
3680 C:\Windows\System32\java.exe
3864 C:\Windows\System32\mobsync.exe
1864 C:\Windows\System32\dwm.exe
2956 C:\Program Files\Internet Explorer\iexplore.exe
2324 C:\Windows\System32\conime.exe
1664 C:\Windows\System32\SearchProtocolHost.exe
3160 C:\Windows\System32\SearchFilterHost.exe
712 C:\Users\Mike\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x00000072`1b73fe00 (NTFS)

PhysicalDrive0 Model Number: ST3500620AS, Rev: HP21

Size Device Name MBR Status
--------------------------------------------
465 GB \\.\PhysicalDrive0 Windows Vista MBR code detected
SHA1: 8DF43F2BDE2D9451948FA14B5279969C777A7979


Done!
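The two MBR status lines in the logs above ("Unknown MBR code" with one SHA1 in the first report, "Windows Vista MBR code detected" with another after the repair) come from hashing the boot-code region of the disk's first sector and comparing it with known-good code. The following Python is an added example, not MBRCheck's or anyone in the thread's code: it parses a constructed 512-byte sector (dummy boot code, made-up sizes and disk signature, but the same C: and D: byte offsets the logs report), checks the 0x55AA signature, hashes the 440-byte code region and gives the same three verdicts; the allowlist is hypothetical and holds only the hash of the dummy code.

```python
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 440          # bytes 0..439 hold the executable boot code
DISK_SIG_OFF = 440           # 4-byte Windows disk signature follows the code
PART_TABLE_OFF = 446         # four 16-byte partition entries
MBR_SIGNATURE = b"\x55\xaa"  # bytes 510..511 must hold this for a valid MBR


def parse_partition_entry(raw: bytes) -> dict:
    """Decode one 16-byte partition entry; the legacy CHS fields are ignored."""
    status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack(
        "<B3sB3sII", raw)
    return {"bootable": status == 0x80, "type": ptype, "lba_start": lba_start,
            "sectors": sectors, "offset_bytes": lba_start * SECTOR}


def parse_mbr(sector: bytes) -> dict:
    """Extract signature check, disk signature, boot-code hash and partitions.

    Only the 440-byte code region is hashed, so stock boot code yields the same
    hash on every disk regardless of its partition layout or disk signature."""
    if len(sector) != SECTOR:
        raise ValueError("expected exactly one 512-byte sector")
    parts = []
    for i in range(4):
        entry = sector[PART_TABLE_OFF + 16 * i:PART_TABLE_OFF + 16 * (i + 1)]
        p = parse_partition_entry(entry)
        if p["type"] != 0 and p["sectors"] != 0:   # skip empty slots
            parts.append(p)
    return {
        "signature_ok": sector[510:512] == MBR_SIGNATURE,
        "disk_signature": struct.unpack_from("<I", sector, DISK_SIG_OFF)[0],
        "boot_code_sha1": hashlib.sha1(sector[:BOOT_CODE_LEN]).hexdigest().upper(),
        "partitions": parts,
    }


def mbrcheck_offset(offset_bytes: int) -> str:
    """Render a byte offset the way the thread's logs show it: 0xHHHHHHHH`LLLLLLLL."""
    return f"0x{offset_bytes >> 32:08x}`{offset_bytes & 0xFFFFFFFF:08x}"


def classify(info: dict, known_codes: dict) -> str:
    """Same three verdicts as the logs: known code, unknown code, or no valid MBR."""
    if not info["signature_ok"]:
        return "Invalid MBR (0x55AA signature missing)"
    name = known_codes.get(info["boot_code_sha1"])
    return f"{name} MBR code detected" if name else "Unknown MBR code"


def build_sample_mbr(boot_code: bytes, disk_sig: int, partitions) -> bytes:
    """Assemble a synthetic sector 0 for testing; it is never written to a disk."""
    sector = bytearray(SECTOR)
    sector[:len(boot_code)] = boot_code
    struct.pack_into("<I", sector, DISK_SIG_OFF, disk_sig)
    for i, (bootable, ptype, lba, count) in enumerate(partitions):
        struct.pack_into("<B3sB3sII", sector, PART_TABLE_OFF + 16 * i,
                         0x80 if bootable else 0, b"\xfe\xff\xff", ptype,
                         b"\xfe\xff\xff", lba, count)
    sector[510:512] = MBR_SIGNATURE
    return bytes(sector)


# Constructed sample: two NTFS (type 0x07) partitions at the byte offsets the
# logs report for C: (0x7e00 = LBA 63) and D: (0x72`1b73fe00 = LBA 957200895).
# Sizes and the disk signature are made up; the boot code is a dummy pattern.
SAMPLE_MBR = build_sample_mbr(
    boot_code=b"SAMPLE BOOT CODE".ljust(64, b"\x90"),
    disk_sig=0x1234ABCD,
    partitions=[(True, 0x07, 63, 957200832), (False, 0x07, 957200895, 19572273)],
)

# Hypothetical allowlist keyed by SHA1 of the 440-byte code region. A real one
# would hold hashes of stock Windows boot code; this entry is the hash of the
# dummy code above so that a match can be demonstrated.
KNOWN_BOOT_CODE = {
    hashlib.sha1(SAMPLE_MBR[:BOOT_CODE_LEN]).hexdigest().upper(): "Windows Vista (sample)",
}


def report(sector: bytes, known_codes: dict) -> list:
    """Produce MBRCheck-style report lines for one sector."""
    info = parse_mbr(sector)
    lines = [f"SHA1: {info['boot_code_sha1']}",
             f"MBR Status: {classify(info, known_codes)}"]
    for n, p in enumerate(info["partitions"], 1):
        lines.append(f"Partition {n}: type 0x{p['type']:02x} at "
                     f"{mbrcheck_offset(p['offset_bytes'])} ({p['sectors']} sectors)")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_MBR, {}):   # empty allowlist: "Unknown MBR code"
        print(line)
```

On a live system the same check would read sector 0 from the physical drive (administrator rights needed) and compare against hashes of the vendor's stock boot code; this example only ever touches the constructed byte string.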


#15 m0le


Posted 20 September 2010 - 09:41 AM

We need to burn a Vista recovery disk.

Download the recovery disk for your Vista from NeoSmart here.

Straightforward instructions (if you need them)


1. Boot up with the Vista install disc

2. You should see a screen that says "Windows is loading files"

3. After a few minutes you will get a language option. Select your language and hit next.

4. On the install screen select "Repair your computer"

5. Windows will find your copy of Vista on the machine

6. Select your copy of Vista and click next

7. Choose Startup repair and answer any questions that are asked. It may reboot the PC.

Let me know when you have completed this and of any improvements or errors you encounter.



