
Firefox/IE browser hijacked


  • This topic is locked
22 replies to this topic

#1 CMHop

  • Members
  • 11 posts

Posted 25 September 2010 - 04:29 PM

Hi, I'm a new member here and I could use some help. In the last day, when I use Firefox or IE to do a google search, the resulting links lead my browser to various junk websites. A few of the websites I have been redirected to are called "carwarsuk.com", "isur.com/search", and "nightstreet.com". It seems like after I perform the search with google, the first link I click on will work correctly, but if I then go back to the search results page and click on a different link, then my browser gets redirected to a different website from the link I was trying to get to. I've run malwarebytes and it didn't find anything, and my system restore function doesn't seem to be working, so I don't know what to do next. I ran DDS and GMER and the logs are attached. Thanks in advance for helping me figure this out!

DDS (Ver_10-03-17.01) - NTFSx86
Run by cmhopkin at 16:12:10.33 on Sat 09/25/2010
Internet Explorer: 8.0.6001.18943 BrowserJavaVersion: 1.6.0_15
Microsoft® Windows Vista™ Enterprise 6.0.6002.2.1252.1.1033.18.3054.1888 [GMT -4:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\ibmpmsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\ThinkVantage Fingerprint Software\upeksvr.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\IPSSVC.EXE
C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
C:\Windows\system32\AEADISRV.EXE
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Enterasys Networks\NAC Agent\NacAgtSv.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\Windows\System32\TPHDEXLG.exe
C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
c:\program files\lenovo\system update\suservice.exe
C:\Program Files\Common Files\Lenovo\Logger\logmon.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
C:\Windows\System32\TpShocks.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Lenovo\NPDIRECT\tpfnf7sp.exe
C:\Program Files\ThinkPad\Utilities\EZEJMNAP.EXE
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\Program Files\ThinkVantage\PrdCtr\LPMGR.EXE
C:\Program Files\ThinkVantage\PrdCtr\LPMLCHK.EXE
C:\Program Files\Lenovo\AwayTask\AwaySch.EXE
C:\Windows\System32\rundll32.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\Program Files\Lenovo\Zoom\TpScrex.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
D:\Users\cmhopkin\Downloads\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
mRun: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
mRun: [PSQLLauncher] "c:\program files\thinkvantage fingerprint software\launcher.exe" /startup
mRun: [TPHOTKEY] c:\program files\lenovo\hotkey\TPOSDSVC.exe
mRun: [TpShocks] TpShocks.exe
mRun: [PWMTRV] rundll32 c:\progra~1\thinkpad\utilit~1\PWMTR32V.DLL,PwrMgrBkGndMonitor
mRun: [BLOG] rundll32 c:\progra~1\thinkpad\utilit~1\BTVLogEx.DLL,StartBattLog
mRun: [TPFNF7] c:\progra~1\lenovo\npdirect\TPFNF7SP.exe /r
mRun: [EZEJMNAP] c:\progra~1\thinkpad\utilit~1\EzEjMnAp.Exe
mRun: [TPKMAPHELPER] c:\program files\thinkpad\utilities\TpKmapAp.exe -helper
mRun: [TVT Scheduler Proxy] c:\program files\common files\lenovo\scheduler\scheduler_proxy.exe
mRun: [LPManager] c:\progra~1\thinkv~2\prdctr\LPMGR.exe
mRun: [LPMailChecker] c:\progra~1\thinkv~2\prdctr\LPMLCHK.exe
mRun: [AwaySch] c:\program files\lenovo\awaytask\AwaySch.EXE
mRun: [NvSvc] RUNDLL32.EXE c:\windows\system32\nvsvc.dll,nvsvcStart
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] c:\program files\google\gmail notifier\gnotify.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [WinampAgent] "c:\program files\winamp\Winampa.exe"
uPolicies-explorer: RestrictWelcomeCenter = 0 (0x0)
uPolicies-system: HideLogonScripts = 1 (0x1)
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-explorer: NoAutorun = 1 (0x1)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: DisableCAD = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office12\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\thinkpad\bluetooth software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\thinkpad\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\thinkpad\bluetooth software\btsendto_ie.htm
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~1\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~1\office12\REFIEBAR.DLL
Trusted Zone: unc.edu\dentistrymail.dent
Trusted Zone: unc.edu\www.dent
Trusted Zone: unc.edu\dentistrymail.dent
Trusted Zone: unc.edu\www.dent
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
Notify: psfus - c:\windows\system32\psqlpwd.dll
LSA: Notification Packages = scecli psqlpwd

================= FIREFOX ===================

FF - ProfilePath - d:\users\cmhopkin\appdata\roaming\mozilla\firefox\profiles\x5qfvcfj.default\
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [2007-10-16 19504]
R1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\drivers\smiif32.sys [2007-9-19 13744]
R1 tvtumon;tvtumon;c:\windows\system32\drivers\tvtumon.sys [2008-7-29 47680]
R2 NACAgentService;NAC Agent Service;c:\program files\enterasys networks\nac agent\NacAgtSv.exe [2010-5-25 17420168]
R2 smihlp;SMI Helper Driver (smihlp);c:\program files\common files\thinkvantage fingerprint software\drivers\smihlp.sys [2007-8-14 10896]
R2 TPHKSVC;On Screen Display;c:\program files\lenovo\hotkey\TPHKSVC.exe [2008-3-3 58224]
R2 TVT Backup Protection Service;TVT Backup Protection Service;c:\program files\lenovo\rescue and recovery\rrpservice.exe [2007-12-5 520192]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-7-26 102448]
R3 LenovoRd;LenovoRd;c:\windows\system32\drivers\LenovoRd.sys [2008-4-23 81280]
R3 TVTI2C;Lenovo SM bus driver;c:\windows\system32\drivers\tvti2c.sys [2007-5-22 30336]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2010-2-23 23888]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
S3 TOPAZUSB;TopazUsb.Sys Topaz Tablet USB Driver;c:\windows\system32\drivers\TopazUsb.sys [2008-7-1 33821]
S3 vmx_svga;vmx_svga;c:\windows\system32\drivers\vmx_svga.sys [2008-3-24 15744]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec antivirus\Rtvscan.exe [2010-8-24 1831024]

=============== Created Last 30 ================

2010-09-25 19:47:32 0 d-----w- c:\program files\Trend Micro
2010-09-25 16:54:52 346169925 ----a-w- c:\windows\MEMORY.DMP
2010-09-25 13:15:00 0 d-----w- C:\$RECYCLE.BIN
2010-09-25 12:36:18 77312 ----a-w- c:\windows\MBR.exe
2010-09-25 12:36:17 98816 ----a-w- c:\windows\sed.exe
2010-09-25 12:36:17 256512 ----a-w- c:\windows\PEV.exe
2010-09-25 12:36:17 161792 ----a-w- c:\windows\SWREG.exe
2010-09-15 13:45:52 502272 ----a-w- c:\windows\system32\usp10.dll
2010-09-15 13:45:38 128000 ----a-w- c:\windows\system32\spoolsv.exe
2010-09-15 13:45:28 317952 ----a-w- c:\windows\system32\MP4SDECD.DLL
2010-09-15 13:42:04 739328 ----a-w- c:\windows\system32\inetcomm.dll
2010-09-14 23:53:58 0 d-----w- C:\VIP
2010-09-10 22:19:33 0 d-----w- d:\users\cmhopkin\appdata\roaming\uTorrent
2010-09-09 11:48:31 0 d-----w- c:\program files\MSECache
2010-09-03 02:02:52 0 d-----w- c:\programdata\FLEXnet
2010-08-29 21:37:11 0 d-----w- c:\program files\Enterasys Networks

==================== Find3M ====================

2010-09-02 15:50:36 143598 ----a-w- d:\users\cmhopkin\appdata\roaming\nvModes.dat
2010-08-24 13:26:03 806 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-08-24 13:26:03 7456 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-08-24 13:26:03 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-08-24 13:22:17 87368 ----a-w- c:\windows\system32\FwsVpn.dll
2010-08-24 13:22:17 43696 ----a-w- c:\windows\system32\drivers\srtspx.sys
2010-08-24 13:22:17 107848 ----a-w- c:\windows\system32\SymVPN.dll
2010-08-24 13:22:16 7442 ----a-w- c:\windows\system32\drivers\srtspx.cat
2010-08-24 13:22:16 7442 ----a-w- c:\windows\system32\drivers\srtspl.cat
2010-08-24 13:22:16 7438 ----a-w- c:\windows\system32\drivers\srtsp.cat
2010-08-24 13:22:16 320944 ----a-w- c:\windows\system32\drivers\srtspl.sys
2010-08-24 13:22:16 283184 ----a-w- c:\windows\system32\drivers\srtsp.sys
2010-08-24 13:22:16 1430 ----a-w- c:\windows\system32\drivers\srtspl.inf
2010-08-24 13:22:16 1421 ----a-w- c:\windows\system32\drivers\srtspx.inf
2010-08-24 13:22:16 1415 ----a-w- c:\windows\system32\drivers\srtsp.inf
2010-08-09 22:53:26 51200 ----a-w- c:\windows\inf\infpub.dat
2010-08-09 22:53:25 86016 ----a-w- c:\windows\inf\infstor.dat
2010-08-09 22:53:25 143360 ----a-w- c:\windows\inf\infstrng.dat
2010-07-26 13:55:05 665600 ----a-w- c:\windows\inf\drvindex.dat
2008-01-21 02:42:50 174 --sh--w- c:\program files\desktop.ini
2006-11-02 12:42:09 30674 ------w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:09 30674 ------w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:09 287440 ------w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:09 287440 ------w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ------w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ------w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ------w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ------w- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 16:14:51.46 ===============


#2 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 25 September 2010 - 04:38 PM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together.

  1. Do not run any other tool until instructed to do so!
  2. Do not attach logs unless I ask you to.
  3. Tell me about any problems that have occurred during the fix.
  4. Tell me of any other symptoms you may be having, as these can help also.
  5. Do not run anything while running a fix.
  6. Do not run any other tool until instructed to do so!


In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

Note** If you are having problems posting the complete log into this thread upload them here http://www.rapidshare.com/ and post the links in this thread

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.



Scan With RKUnHooker
  • Please download Rootkit Unhooker and save it to your desktop.
  • Now double-click on RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Check (tick) Drivers and Stealth. Uncheck the rest, then click OK.
  • Wait till the scanner has finished, then click File, Save Report.
  • Save the report somewhere where you can find it. Click Close.
Copy the entire contents of the report and paste it in a reply here.

Note** You may get this warning; it is OK, just ignore it:

"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"



Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#3 CMHop

  • Topic Starter
  • Members
  • 11 posts

Posted 25 September 2010 - 04:57 PM

Thanks for responding so fast. Here is the report from RKUnHooker:

RkU Version: 3.8.388.590, Type LE (SR2)
==============================================
OS Name: Windows Vista
Version 6.0.6002 (Service Pack 2)
Number of processors #2
==============================================
>Drivers
==============================================
0x8E204000 C:\Windows\system32\DRIVERS\nvlddmkm.sys 7630848 bytes (NVIDIA Corporation, NVIDIA Compatible Windows Vista Kernel Mode Driver, Version 156.85 )
0x8201C000 C:\Windows\system32\ntkrnlpa.exe 3903488 bytes (Microsoft Corporation, NT Kernel & System)
0x8201C000 PnpManager 3903488 bytes
0x8201C000 RAW 3903488 bytes
0x8201C000 WMIxWDM 3903488 bytes
0x8EE05000 C:\Windows\system32\DRIVERS\NETw4v32.sys 2289664 bytes (Intel Corporation, Intel® Wireless WiFi Link Driver)
0x9ECB0000 Win32k 2109440 bytes
0x9ECB0000 C:\Windows\System32\win32k.sys 2109440 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0x8FC6F000 C:\PROGRA~2\Symantec\DEFINI~1\VIRUSD~1\20100924.040\NAVEX15.SYS 1359872 bytes (Symantec Corporation, AV Engine)
0x8A808000 C:\Windows\System32\Drivers\Ntfs.sys 1114112 bytes (Microsoft Corporation, NT File System Driver)
0x8A40A000 C:\Windows\system32\drivers\ndis.sys 1093632 bytes
0x8F4F4000 C:\Windows\system32\DRIVERS\HSX_DPV.sys 1060864 bytes (Conexant Systems, Inc., HSF_DP driver)
0x8A60B000 C:\Windows\System32\drivers\tcpip.sys 958464 bytes (Microsoft Corporation, TCP/IP Driver)
0x804D4000 C:\Windows\system32\CI.dll 917504 bytes (Microsoft Corporation, Code Integrity Module)
0xA820F000 C:\Windows\system32\drivers\peauth.sys 909312 bytes (Microsoft Corporation, Protected Environment Authentication and Authorization Export Driver)
0x82601000 C:\Windows\System32\Drivers\iaStor.sys 819200 bytes (Intel Corporation, Intel Matrix Storage Manager driver - ia32)
0x8F60E000 C:\Windows\system32\DRIVERS\HSX_CNXT.sys 737280 bytes (Conexant Systems, Inc., HSF_CNXT driver)
0x95F0F000 C:\Windows\system32\drivers\spsys.sys 720896 bytes (Microsoft Corporation, security processor)
0x8E94B000 C:\Windows\System32\drivers\dxgkrnl.sys 659456 bytes (Microsoft Corporation, DirectX Graphics Kernel)
0x8EC0A000 C:\Windows\system32\DRIVERS\HDAudBus.sys 577536 bytes (Microsoft Corporation, High Definition Audio Bus Driver)
0x8ED09000 C:\Windows\system32\DRIVERS\rdpdr.sys 561152 bytes (Microsoft Corporation, Microsoft RDP Device redirector)
0x8F6DC000 C:\Windows\System32\Drivers\bthport.sys 524288 bytes (Microsoft Corporation, Bluetooth Bus Driver)
0x8FE06000 C:\Windows\system32\drivers\btwaudio.sys 507904 bytes (Broadcom Corporation., Bluetooth Audio Device)
0x8273A000 C:\Windows\System32\Drivers\ksecdd.sys 462848 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0x80602000 C:\Windows\system32\drivers\Wdf01000.sys 462848 bytes (Microsoft Corporation, Kernel Mode Driver Framework Runtime)
0x8040A000 C:\Windows\system32\mcupdate_GenuineIntel.dll 458752 bytes (Microsoft Corporation, Intel Microcode Update Library)
0xA6C03000 C:\Windows\system32\drivers\HTTP.sys 446464 bytes (Microsoft Corporation, HTTP Protocol Stack)
0x8FC08000 C:\Windows\system32\drivers\btwavdt.sys 421888 bytes (Broadcom Corporation., Broadcom Bluetooth AVDT Service)
0x95E0D000 C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys 385024 bytes (Symantec Corporation, Symantec Eraser Control Driver)
0x8F40B000 C:\Windows\system32\drivers\ADIHdAud.sys 368640 bytes (Analog Devices, Inc., High Definition Audio Function Driver)
0x8F08F000 C:\Windows\system32\DRIVERS\rixdptsk.sys 331776 bytes (REDC, RICOH XD SM Driver)
0xA834F000 C:\Windows\System32\DRIVERS\srv.sys 319488 bytes (Microsoft Corporation, Server driver)
0x8F75C000 C:\Windows\System32\Drivers\SRTSP.SYS 307200 bytes (Symantec Corporation, Symantec AutoProtect)
0x8072A000 C:\Windows\System32\drivers\volmgrx.sys 303104 bytes (Microsoft Corporation, Volume Manager Extension Driver)
0x827AB000 C:\Windows\system32\drivers\afd.sys 294912 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0x80681000 C:\Windows\system32\drivers\acpi.sys 286720 bytes (Microsoft Corporation, ACPI Driver for NT)
0x80493000 C:\Windows\system32\CLFS.SYS 266240 bytes (Microsoft Corporation, Common Log File System Driver)
0x8F1A6000 C:\Windows\system32\DRIVERS\storport.sys 266240 bytes (Microsoft Corporation, Microsoft Storage Port Driver)
0x8A7BF000 C:\Windows\system32\DRIVERS\USBPORT.SYS 253952 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0x8F4B7000 C:\Windows\system32\DRIVERS\HSXHWAZL.sys 249856 bytes (Conexant Systems, Inc., HSF_HWAZL WDM driver)
0x805B4000 C:\Windows\system32\DRIVERS\rdbss.sys 245760 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0x8A540000 C:\Windows\system32\drivers\NETIO.SYS 241664 bytes (Microsoft Corporation, Network I/O Subsystem)
0x8F0FE000 C:\Windows\system32\DRIVERS\SynTP.sys 241664 bytes (Synaptics Incorporated, Synaptics Touchpad Driver)
0x8A77B000 C:\Windows\system32\DRIVERS\e1e6032.sys 233472 bytes (Intel Corporation, Intel® PRO/1000 Adapter NDIS 6 deserialized driver)
0xA6CC6000 C:\Windows\system32\DRIVERS\mrxsmb10.sys 233472 bytes (Microsoft Corporation, Longhorn SMB Downlevel SubRdr)
0x8A918000 C:\Windows\system32\drivers\volsnap.sys 233472 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0x8A58A000 C:\Windows\system32\DRIVERS\usbhub.sys 217088 bytes (Microsoft Corporation, Default Hub Driver for USB)
0x823D5000 ACPI_HAL 208896 bytes
0x823D5000 C:\Windows\system32\hal.dll 208896 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0xA83B4000 C:\Windows\System32\Drivers\RDPWD.SYS 208896 bytes (Microsoft Corporation, RDP Terminal Stack Driver)
0x826EF000 C:\Windows\system32\drivers\fltmgr.sys 204800 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0x8FDBB000 C:\Windows\System32\DRIVERS\netbt.sys 204800 bytes (Microsoft Corporation, MBT Transport driver)
0x8F177000 C:\Windows\system32\DRIVERS\msiscsi.sys 192512 bytes (Microsoft Corporation, Microsoft iSCSI Initiator Driver)
0x80789000 C:\Windows\system32\DRIVERS\pcmcia.sys 184320 bytes (Microsoft Corporation, PCMCIA Bus Driver)
0x8F465000 C:\Windows\system32\drivers\portcls.sys 184320 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0x8FFB5000 C:\Windows\System32\Drivers\SYMTDI.SYS 184320 bytes (Symantec Corporation, Network Dispatch Driver)
0x8A515000 C:\Windows\system32\drivers\msrpc.sys 176128 bytes (Microsoft Corporation, Kernel Remote Procedure Call Provider)
0x8EDB0000 C:\Windows\system32\DRIVERS\ks.sys 172032 bytes (Microsoft Corporation, Kernel CSA Library)
0x807C6000 C:\Windows\system32\DRIVERS\nwifi.sys 172032 bytes (Microsoft Corporation, NativeWiFi Miniport Driver)
0x8F7A7000 C:\Windows\system32\DRIVERS\rfcomm.sys 167936 bytes (Microsoft Corporation, Bluetooth RFCOMM Driver)
0x8A98C000 C:\Windows\System32\drivers\ecache.sys 159744 bytes (Microsoft Corporation, Special Memory Device Cache)
0x806D8000 C:\Windows\system32\drivers\pci.sys 159744 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
0xA8328000 C:\Windows\System32\DRIVERS\srv2.sys 159744 bytes (Microsoft Corporation, Smb 2.0 Server driver)
0x8F492000 C:\Windows\system32\drivers\drmk.sys 151552 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
!!!!!!!!!!!Hidden driver: 0x857E2AEA ?_empty_? 1302 bytes
!!!!!!!!!!!Hidden driver: 0x8655D580 ?_empty_? 0 bytes
==============================================
>Stealth
==============================================
0x826C9000 WARNING: suspicious driver modification [atapi.sys::0x857E2AEA]
0x8A40A000 WARNING: Virus alike driver modification [ndis.sys], 1093632 bytes


#4 gringo_pr (Malware Response Team)

Posted 25 September 2010 - 05:04 PM

Greetings

One or more of the identified infections is known as a Backdoor Trojan - TDSS rootkit (please read).

What this virus does:
QUOTE
Functionality
The functionality that the Trojan exhibits implies that it has been designed with profit-making as its primary objective. Making money from the Web typically involves generating Web traffic, installing pay-per-install software and also by generating sales leads for other Web sites and services of a dubious nature. It tries to achieve its objective by employing an array of techniques to try and make the user participate in these income-generating activities.


What the virus can do:
QUOTE
Backdoor.Tidserv is a Trojan horse that uses an advanced rootkit to hide itself. It also displays advertisements, redirects user search results, and opens a back door on the compromised computer.


This "could" allow hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet. If you do any banking or other financial transactions on the PC, or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can clean this machine but I cannot guarantee that it will be 100% secure afterwards. If you would like to continue, then follow the steps below; otherwise please let me know.

I would like you to do the following.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:
    Please visit this webpage for download links, and instructions for running the tool:

    http://www.bleepingcomputer.com/combofix/how-to-use-combofix

    Please ensure you read this guide carefully and install the Recovery Console first.

    The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode.
    This allows us to more easily help you should your computer have a problem after an attempted removal of malware.
    It is a simple procedure that will only take a few moments of your time.


    Once installed, you should see a blue screen prompt that says:
      The Recovery Console was successfully installed.
    Please continue as follows:
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Click Yes to allow ComboFix to continue scanning for malware.

    When the tool is finished, it will produce a report for you.

    Please include the report in your next post:

    C:\ComboFix.txt


Note** If you receive this error, please reboot the computer:
"Illegal operation attempted on a registry key that has been marked for deletion."


Information and logs:
    In your next post I need the following:
    1. Log from ComboFix
    2. Let me know of any problems you may have had
    3. How is the computer doing now?

Gringo




I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#5 CMHop (Topic Starter)

Posted 25 September 2010 - 06:19 PM

It seems I've run into another problem. I ran ComboFix and it seemed to start normally. I saw the status bars to indicate that it was making a registry backup. I did not see any messages relating to Windows Recovery Console (I don't know if it matters or not, but System Restore was turned off on my computer). The ComboFix program then began the scan, and a few minutes later I received a message that rootkit files had been detected and I needed to restart the computer. The following files were listed in the message:

C:\Users\Administrator\AppData\Roaming\ntos.exe
C:\Users\Administrator\AppData\Roaming\oembios.exe
C:\Users\Administrator\AppData\Roaming\twext.exe
C:\Users\Administrator\AppData\Roaming\twex.exe
C:\Users\Administrator\AppData\Roaming\sdra64.exe
C:\Users\Administrator\AppData\Roaming\intel64.exe
C:\Users\Administrator\AppData\Roaming\wsnpoema.exe
C:\Users\Administrator\AppData\Roaming\swin32.exe
C:\Users\Administrator\AppData\Roaming\localsys64.exe
C:\Users\Administrator\AppData\Roaming\64dlls.exe
C:\Users\Administrator\AppData\Roaming\sdra73.exe
C:\Users\Administrator\AppData\Roaming\kernel32.exe

I allowed ComboFix to restart my computer, but upon restarting I was presented with a screen saying Windows cannot start normally because of a damaged/corrupted file, and it listed the file \Windows\System32\drivers\ndis.sys.

I attempted to use a Vista install disc to repair the problem, but I get a message saying that the problem cannot be repaired.

So it seems I am stuck... is there anything else I can do or am I now at the point of having to format and re-install (this is what I had hoped to avoid)?

#6 gringo_pr (Malware Response Team)

Posted 25 September 2010 - 09:22 PM

Hello

Ok, let's try some simple things first while I try to research some things in case we have to do it the hard way.


It sounds like you tried startup repair from the install disk. Is this correct?

Have you tried to boot into safe mode?

Have you tried Last Known Good Configuration in the safe mode menu?

Do you have access to another vista computer if we need to pass the file from one to the other?

Do you have a jump drive if we need it?


Gringo

#7 CMHop (Topic Starter)

Posted 25 September 2010 - 09:55 PM

Yes, I tried to use startup repair from the install disk. I also tried to boot in safe mode, last known good config, and the mode that supposedly boots with unvalidated drivers (or something like that... but obviously it didn't work in this case). Every time I tried to boot in a different mode I got the message that Windows could not load because it was missing that particular driver.

I can pretty easily get access to another Vista computer if needed, and I do have a flash drive that can be used.

Thanks for continuing to work on this.

#8 gringo_pr (Malware Response Team)

Posted 25 September 2010 - 10:31 PM

Try this please. You will need a USB drive.

Download http://unetbootin.sourceforge.net/unetboot...dows-latest.exe & http://noahdfear.net/downloads/bootable/xPUD/xpud-0.9.2.iso to the desktop of your clean computer
  • Insert your USB drive
  • Press Start > My Computer > right click your USB drive > choose Format > Quick format
  • Double click the unetbootin-xpud-windows-387.exe that you just downloaded
  • Press Run then OK
  • Select the DiskImage option then click the browse button located on the right side of the textbox field.
  • Browse to and select the xpud-0.9.2.iso file you downloaded
  • Verify the correct drive letter is selected for your USB device then click OK
  • It will install a little bootable OS on your USB device
  • Once the files have been written to the device you will be prompted to reboot ~ do not reboot and instead just Exit the UNetbootin interface
  • After it has completed do not choose to reboot the clean computer simply close the installer
  • Next download http://noahdfear.net/downloads/driver.sh to your USB
  • Remove the USB and insert it in the sick computer
  • Boot the Sick computer
  • Press F12 and choose to boot from the USB
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Press File
  • Expand mnt
  • sda1,2...usually corresponds to your HDD
  • sdb1 is likely your USB
  • Click on the folder that represents your USB drive (sdb1 ?)
  • Confirm that you see driver.sh that you downloaded there
  • Press Tool at the top
  • Choose Open Terminal
  • Type bash driver.sh
  • Press Enter
  • After it has finished a report will be located on your USB drive named report.txt
  • Remove the USB drive and insert back in your working computer and navigate to report.txt

Please note - all text entries are case sensitive.

Copy and paste the report.txt for my review.
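The driver.sh procedure above produces, for each directory it visits, one md5 and vendor line per driver file. That layout lets a responder compare the live System32\drivers copies against the copies kept in backup and installer-cache directories (RRbackups, Symantec Cached Installs, and so on), which is how a driver that no longer matches any known copy, and a consistent clean copy to restore, can be spotted without booting the infected Windows. The following Python is an added example, not part of the thread and not noahdfear's driver.sh; it parses a constructed report in that layout, flags a driver whose live hash matches none of its backup copies, and groups the backup copies by hash. All paths beyond those seen in the thread and all hash values are constructed placeholders.

```python
"""Cross-check a driver.sh-style report across directories.

Added example (not noahdfear's driver.sh). Assumes the report layout seen
in the thread: a "Driver report for <dir>" header, then per file one line
"<md5> <filename>" and an optional vendor line, entries separated by
blank lines. Hash values below are constructed placeholders, not real
file hashes.
"""
import re
from collections import defaultdict

HEADER = "Driver report for "
HASH_LINE = re.compile(r"^([0-9a-f]{32})\s+(\S+)$")

# Constructed sample: the live driver directory plus two backup/cache
# copies. ndis.sys on the live system matches neither backup, which is
# what a driver patched in place would look like. tppwr32v.sys has no
# vendor line, as some entries in the real report do not.
SAMPLE_REPORT = """Sat Sep 25 23:42:16 UTC 2010
Driver report for /mnt/sda1/Windows/System32/drivers

0000000000000000000000000000aaaa atapi.sys
Microsoft Corporation

0000000000000000000000000000bbbb ndis.sys
Microsoft Corporation

0000000000000000000000000000cccc tppwr32v.sys

Driver report for /mnt/sda1/RRbackups/FR/UF/Windows/system32/drivers

0000000000000000000000000000aaaa atapi.sys
Microsoft Corporation

0000000000000000000000000000dddd ndis.sys
Microsoft Corporation

Driver report for /mnt/sda1/constructed/cache/drivers

0000000000000000000000000000dddd ndis.sys
Microsoft Corporation
"""


def parse_report(text):
    """Return {directory: {filename: (md5, vendor)}}; vendor may be None."""
    dirs = {}
    current = None   # directory of the section being read
    pending = None   # filename whose optional vendor line may follow
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(HEADER):
            current = line[len(HEADER):]
            dirs[current] = {}
            pending = None
            continue
        m = HASH_LINE.match(line)
        if m and current is not None:
            md5, name = m.group(1), m.group(2).lower()
            dirs[current][name] = (md5, None)
            pending = name
            continue
        if line and pending is not None:
            # A non-hash, non-blank line right after a hash line is the vendor.
            md5, _ = dirs[current][pending]
            dirs[current][pending] = (md5, line)
        pending = None  # a blank line or a vendor line ends the entry
    return dirs


def compare(dirs, live_dir):
    """Drivers in live_dir whose hash differs from at least one other copy.

    Returns {filename: {"live": md5, "matches": [dirs], "differs": [dirs]}}.
    A differing copy may be a legitimately different version or a patched
    file, so the live hash still has to be checked against a known-good
    source before anything is concluded.
    """
    findings = {}
    for name, (live_md5, _vendor) in dirs[live_dir].items():
        matches, differs = [], []
        for d, entries in dirs.items():
            if d == live_dir or name not in entries:
                continue
            (matches if entries[name][0] == live_md5 else differs).append(d)
        if differs:
            findings[name] = {"live": live_md5, "matches": matches, "differs": differs}
    return findings


def restore_candidates(dirs, live_dir, name):
    """Backup copies of `name` grouped by hash, most widely seen hash first.

    Several independent backup locations agreeing on one hash is a useful
    but not conclusive sign of a clean copy.
    """
    by_hash = defaultdict(list)
    for d, entries in dirs.items():
        if d != live_dir and name in entries:
            by_hash[entries[name][0]].append(d)
    return sorted(by_hash.items(), key=lambda kv: -len(kv[1]))


if __name__ == "__main__":
    report = parse_report(SAMPLE_REPORT)
    live = "/mnt/sda1/Windows/System32/drivers"
    for name, f in compare(report, live).items():
        print(f"{name}: live hash {f['live']} matches none of {len(f['differs'])} backup copies")
        for md5, where in restore_candidates(report, live, name):
            print(f"  {md5} seen in {len(where)} location(s): {', '.join(where)}")
```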

#9 CMHop (Topic Starter)

Posted 25 September 2010 - 11:07 PM

Okay, here is the report. It's time for me to go to bed so I'll check to see if you have another recommendation in the morning. Thanks again for your help.

Sat Sep 25 23:42:16 UTC 2010
Driver report for /mnt/sda1/ProgramData/Symantec/Cached Installs/{3C1AE512-3C37-44FA-BA42-ABB721EC5B1D}/System32/drivers

e8e745b8eee63c7cf7d34833d3b8ca7f WPSDRVnt.sys
Symantec Corporation

Driver report for /mnt/sda1/Qoobox/Quarantine/C/Windows/system32/Drivers

Driver report for /mnt/sda1/RRbackups/FR/UF/Windows/system32/drivers

0349be02f329f4f48f1d48097fd65974 1394bus.sys
Microsoft Corporation

fcb8c7210f0135e24c6580f7f649c73c acpi.sys
Microsoft Corporation

04f0fcac69c7c71a3ac4eb97fafc8303 adp94xx.sys
Adaptec

60505e0041f7751bdbb80f88bf45c2ce adpahci.sys
Adaptec

8a42779b02aec986eab64ecfc98f8bd7 adpu160m.sys
Adaptec

241c9e37f8ce45ef51c3de27515ca4e5 adpu320.sys
Adaptec

763e172a55177e478cb419f88fd0ba03 afd.sys
Microsoft Corporation

13f9e33747e6b41a3ff305c37db0d360 agp440.sys
Microsoft Corporation

9eaef5fc9b8e351afa7e78a6fae91f91 aliide.sys
Acer Laboratories

c47344bc706e5f0b9dce369516661578 amdagp.sys
Microsoft Corporation

9b78a39a4c173fdbc1321e0dd659b34c amdide.sys
Microsoft Corporation

18f29b49ad23ecee3d2a826c725c8d48 amdk7.sys
Microsoft Corporation

93ae7f7dd54ab986a6f1a1b37be7442d amdk8.sys
Microsoft Corporation

639ba7b37f25054cf5e82604e736d250 ApsHM86.sys
Lenovo

a3aee791db8c73882f4503bfaacd8c9e Apsx86.sys
Lenovo

5e2a321bd7c8b3624e41fdec3e244945 arcsas.sys
Adaptec

5d2888182fb46632511acee92fdad522 arc.sys
Adaptec

53b202abee6455406254444303e87be1 asyncmac.sys
Microsoft Corporation

2d9c903dc76a66813d350a562de40ed9 atapi.sys
Microsoft Corporation

d1c03ae69c29e239fc8000c5c0dea709 ataport.sys
Microsoft Corporation

2b8a5a8879238c3ba9a89a8e3ac4e45d battc.sys
Microsoft Corporation

9f5f8f2318dfa3974a6f6a5602733929 bdasup.sys
Microsoft Corporation

67e506b75bd5326a3ec7b70bd014dfb6 beep.sys
Microsoft Corporation

74b442b2be1260b7588c136177ceac66 bowser.sys
Microsoft Corporation

9f9acc7f7ccde8a15c282d3f88b43309 brfiltlo.sys
Brother Industries

56801ad62213a41f6497f96dee83755a brfiltup.sys
Brother Industries

72df06d26ae4ced2e08f428b96302b0e bridge.sys
Microsoft Corporation

b304e75cff293029eddf094246747113 brserid.sys
Brother Industries

203f0b1e73adadbbb7b7b1fabd901f6b brserwdm.sys
Brother Industries

bd456606156ba17e60a04e18016ae54b brusbmdm.sys
Brother Industries

af72ed54503f717a43268b3cc5faec2e brusbser.sys
Brother Industries

ad07c1ec6665b8b35741ab91200c6b68 bthmodem.sys
Microsoft Corporation

7add03e75beb9e6dd102c3081d29840a cdfs.sys
Microsoft Corporation

1ec25cea0de6ac4718bf89f9e1778b57 cdrom.sys
Microsoft Corporation

e5d4133f37219dbcfe102bc61072589d circlass.sys
Microsoft Corporation

4388cebb2c6a7f484ac409a90a3c9fae classpnp.sys
Microsoft Corporation

0ca25e686a4928484e9fdabd168ab629 cmdide.sys
CMD Technology

6afef0b60fa25de07c0968983ee4f60a compbatt.sys
Microsoft Corporation

e9acae97f17c99cb735a1e08859bf806 crashdmp.sys
Microsoft Corporation

741e9dff4f42d2d8477d0fc1dc0df871 crcdisk.sys
Microsoft Corporation

1f07becdca750766a96cda811ba86410 crusoe.sys
Microsoft Corporation

9e635ae5e8ad93e2b5989e2e23679f97 dfsc.sys
Microsoft Corporation

0183496303b4f8a5878d99a667f33170 diskdump.sys
Microsoft Corporation

64109e623abd6955c8fb110b592e68b7 disk.sys
Microsoft Corporation

ae1fdf7bf7bb6c6a70f67699d880592a djsvs.sys
Adaptec

c078d2b163f090601200fa5a6ff3ce0a dumpata.sys
Microsoft Corporation

eaaafef04fbb45665c9576e525d45a12 dxapi.sys
Microsoft Corporation

f8bf50a8d862f8cc089080bec509bca6 dxgkrnl.sys
Microsoft Corporation

6d16255c9eb5683f83a472e1679ed2e4 dxg.sys
Microsoft Corporation

5425f74ac0c1dbd96a1e04f17d63f94c e1g60i32.sys
Intel Corporation

dd2cd259d83d8b72c02c5f2331ff9d68 ecache.sys
Microsoft Corporation

23b62471681a124889978f6295b3f4c6 elxstor.sys
Emulex

3c489390c2e2064563727752af8eab9e fastfat.sys
Microsoft Corporation

afe1e8b9782a0dd7fb46bbd88e43f89a fdc.sys
Microsoft Corporation

a8c0139a884861e3aae9cfe73b208a9f fileinfo.sys
Microsoft Corporation

0ae429a696aecbc5970e3cf2c62635ae filetrace.sys
Microsoft Corporation

85b7cf99d532820495d68d747fda9ebd flpydisk.sys
Microsoft Corporation

05ea53afe985443011e36dab07343b46 fltmgr.sys
Microsoft Corporation

65ea8b77b5851854f0c55c43fa51a198 fs_rec.sys
Microsoft Corporation

1400c747e2b73966b100fdce5426b7b2 fvevol.sys
Microsoft Corporation

495fa4351a96f228b4301d1e616defa0 fwpkclnt.sys
Microsoft Corporation

34582a6e6573d54a07ece5fe24a126b5 gagp30kx.sys
Microsoft Corporation

c87b1ee051c0464491c1a7b03fa0bc99 hdaudbus.sys
Microsoft Corporation

1338520e78d90154ed6be8f84de5fceb hidbth.sys
Microsoft Corporation

04f49ddd00a26c6ca984a9b480fdaa33 hidclass.sys
Microsoft Corporation

ff3160c3a2445128c5a6d9b076da519e hidir.sys
Microsoft Corporation

175444d3a01ca45d0e1c5dc5f48df7cd hidparse.sys
Microsoft Corporation

854ca287ab7faf949617a788306d967e hidusb.sys
Microsoft Corporation

16ee7b23a009e00d835cdb79574a91a6 hpcisss.sys
Hewlett-Packard

406c027c18e98a396faa1963dad5ff70 http.sys
Microsoft Corporation

95bd3ea81ebe6b8cacafdb6cdab3586c i2omgmt.sys
Microsoft Corporation

c6b032d69650985468160fc9937cf5b4 i2omp.sys
Microsoft Corporation

22d56c8184586b7a1f6fa60be5f5a2bd i8042prt.sys
Microsoft Corporation

54155ea1b0df185878e0fc9ec3ac3a14 iastorv.sys
Intel Corporation

2d077bf86e843f901d8db709c95b49a5 iirsp.sys
Intel Corp

83aa759f3189e6370c30de5dc5590718 intelide.sys
Microsoft Corporation

224191001e78c89dfa78924c3ea595ff intelppm.sys
Microsoft Corporation

62c265c38769b864cb25b4bcf62df6c3 ipfltdrv.sys
Microsoft Corporation

b25aaf203552b7b3491139d582b39ad1 ipmidrv.sys
Microsoft Corporation

8793643a67b42cec66490b2a0cf92d68 ipnat.sys
Microsoft Corporation

e50a95179211b12946f7e035d60af560 irda.sys
Microsoft Corporation

109c0dfb82c3632fbd11949b73aeeac9 irenum.sys
Microsoft Corporation

6c70698a3e5c4376c6ab5c7c17fb0614 isapnp.sys
Microsoft Corporation

bced60d16156e428f8df8cf27b0df150 iteatapi.sys
Integrated Technology Express

06fa654504a498c30adca8bec4e87e7e iteraid.sys
Integrated Technology Express

37605e0a8cf00cbba538e753e4344c6e kbdclass.sys
Microsoft Corporation

18247836959ba67e3511b62846b9c2e0 kbdhid.sys
Microsoft Corporation

5367dc846cae9639b899bfd13b97a8c9 ksecdd.sys
Microsoft Corporation

47cb1cbb1d80517d7909d0860128e860 ks.sys
Microsoft Corporation

d1c5883087a0c3f1344d9d55a44901f6 lltdio.sys
Microsoft Corporation

c7e15e82879bf3235b559563d4185365 lsi_fc.sys
LSI Logic

ee01ebae8c9bf0fa072e0ff68718920a lsi_sas.sys
LSI Logic

912a04696e9ca30146a62afa1463dd5c lsi_scsi.sys
LSI Logic

8f5c7426567798e62a3b3614965d62cc luafv.sys
Microsoft Corporation

b271ec02e71271a2da28b3b7bc4e4f15 mcd.sys
Microsoft Corporation

0001ce609d66632fa17b84705f658879 megasas.sys
LSI Corporation

e13b5ea0f51ba5b1512ec671393d09ba modem.sys
Microsoft Corporation

0a9bb33b56e294f686abb7c1e4e2d8a8 monitor.sys
Microsoft Corporation

5bf6a1326a335c5298477754a506d263 mouclass.sys
Microsoft Corporation

93b8d4869e12cfbe663915502900876f mouhid.sys
Microsoft Corporation

bdafc88aa6b92f7842416ea6a48e1600 mountmgr.sys
Microsoft Corporation

511d011289755dd9f9a7579fb0b064e6 mpio.sys
Microsoft Corporation

22241feba9b2defa669c8cb0a8dd7d2e mpsdrv.sys
Microsoft Corporation

4fbbb70d30fd20ec51f80061703b001e mraid35x.sys
LSI Logic

ae3de84536b6799d2267443cec8edbb9 mrxdav.sys
Microsoft Corporation

67e55ced3fc143c82a8197988bfc1f9a mrxsmb10.sys
Microsoft Corporation

3268b8c3fa92bfc086355c39b45e9cc9 mrxsmb20.sys
Microsoft Corporation

c4ad205530888404e2b5fc8d9319b119 mrxsmb.sys
Microsoft Corporation

28023e86f17001f7cd9b15a5bc9ae07d msahci.sys
Microsoft Corporation

4468b0f385a86ecddaf8d3ca662ec0e7 msdsm.sys
Microsoft Corporation

a9927f4a46b816c92f461acb90cf8515 msfs.sys
Microsoft Corporation

0f400e306f385c56317357d6dea56f62 msisadrv.sys
Microsoft Corporation

f247eec28317f6c739c16de420097301 msiscsi.sys
Microsoft Corporation

d8c63d34d9c9e56c059e24ec7185cc07 mskssrv.sys
Microsoft Corporation

1d373c90d62ddb641d50e55b9e78d65e mspclock.sys
Microsoft Corporation

b572da05bf4e098d4bba3a4734fb505b mspqm.sys
Microsoft Corporation

b5614aecb05a9340aa0fb55bf561cc63 msrpc.sys
Microsoft Corporation

e384487cb84be41d09711c30ca79646c mssmbios.sys
Microsoft Corporation

7199c1eec1e4993caf96b8c0a26bd58a mstee.sys
Microsoft Corporation

6dfd1d322de55b0b7db7d21b90bec49c mup.sys
Microsoft Corporation

9bdc71790fa08f0a0b5f10462b1bd0b1 ndis.sys
Microsoft Corporation

0e186e90404980569fb449ba7519ae61 ndistapi.sys
Microsoft Corporation

d6973aa34c4d5d76c0430b181c3cd389 ndisuio.sys
Microsoft Corporation

3d14c3b3496f88890d431e8aa022a411 ndiswan.sys
Microsoft Corporation

71dab552b41936358f3b541ae5997fb3 ndproxy.sys
Microsoft Corporation

bcd093a5a6777cf626434568dc7dba78 netbios.sys
Microsoft Corporation

7c5fee5b1c5728507cd96fb4a13e7a02 netbt.sys
Microsoft Corporation

cb57feb3288cf6d5cadc6ef0e50718d9 netio.sys
Microsoft Corporation

2e7fb731d4790a1bc6270accefacb36e nfrd960.sys
IBM Corp

ecb5003f484f9ed6c608d6d6c7886cbb npfs.sys
Microsoft Corporation

609773e344a97410ce4ebf74a8914fcf nsiproxy.sys
Microsoft Corporation

b4effe29eb4f15538fd8a9681108492d ntfs.sys
Microsoft Corporation

e875c093aec0c978a90f30c9e0dfbb72 ntrigdigi.sys
N-trig Innovative Technologies

c5dbbcda07d780bda9b685df333bb41e null.sys
Microsoft Corporation

dd721f8635191132992e7ceaa3c43c84 nwifi.sys
Microsoft Corporation

790e27c3db53410b40ff9ef2fd10a1d9 ohci1394.sys
Microsoft Corporation

bfef604508a0ed1eae2a73e872555ffb pacer.sys
Microsoft Corporation

8a79fdf04a73428597e2caf9d0d67850 parport.sys
Microsoft Corporation

3b38467e7c3daed009dfe359e17f139f partmgr.sys
Microsoft Corporation

6c580025c81caf3ae9e3617c22cad00e parvdm.sys
Microsoft Corporation

fc175f5ddab666d7f4d17449a547626f pciide.sys
Microsoft Corporation

46ed71afe2c872931e87ab958be133fa pciidex.sys
Microsoft Corporation

01b94418deb235dff777cc80076354b4 pci.sys
Microsoft Corporation

b7c5a8769541900f6dfa6fe0c5e4d513 pcmcia.sys
Microsoft Corporation

6349f6ed9c623b44b52ea3c63c831a92 peauth.sys
Microsoft Corporation

2027293619dd0f047c584cf2e7df4ffd processr.sys
Microsoft Corporation

0a6db55afb7820c99aa1f3a1d270f4f6 ql2300.sys
QLogic Corporation

81a7e5c076e59995d54bc1ed3a16e60b ql40xx.sys
QLogic Corporation

9f5e0e1926014d17486901c88eca2db7 qwavedrv.sys
Microsoft Corporation

147d7f9c556d259924351feb0de606c3 rasacd.sys
Microsoft Corporation

a214adbaf4cb47dd2728859ef31f26b0 rasl2tp.sys
Microsoft Corporation

3e9d9b048107b40d87b97df2e48e0744 raspppoe.sys
Microsoft Corporation

ecfffaec0c1ecd8dbc77f39070ea1db1 raspptp.sys
Microsoft Corporation

6e1c5d0457622f9ee35f683110e93d14 rdbss.sys
Microsoft Corporation

89e59be9a564262a3fb6c4f4f1cd9899 rdpcdd.sys
Microsoft Corporation

fbc0bacd9c3d7f6956853f64a66e252d rdpdr.sys
Microsoft Corporation

9d91fe5286f748862ecffa05f8a0710c rdpencdd.sys
Microsoft Corporation

e1c18f4097a5abcec941dc4b2f99db7e rdpwd.sys
Microsoft Corporation

fdeb76bed9c0a75329ca426623297158 rmcast.sys
Microsoft Corporation

8f5db387ff2f57ad9107b7eb78a6d34b rndismp.sys
Microsoft Corporation

75e8a6bfa7374aba833ae92bf41ae4e6 rootmdm.sys
Microsoft Corporation

9c508f4074a39e8b4b31d27198146fad rspndr.sys
Microsoft Corporation

3ce8f073a557e172b330109436984e30 sbp2port.sys
Microsoft Corporation

6f5ca34ae885645acf8a20d564db976c scsiport.sys
Microsoft Corporation

90a3935d05b494a5a39d37e71f09a677 secdrv.sys
Macrovision Corporation

ce9ec966638ef0b10b864ddedf62a099 serenum.sys
Microsoft Corporation

6d663022db3e7058907784ae14b69898 serial.sys
Microsoft Corporation

8af3d28a879bf75db53a0ee7a4289624 sermouse.sys
Microsoft Corporation

3efa810bdca87f6ecc24f9832243fe86 sffdisk.sys
Microsoft Corporation

e95d451f7ea3e583aec75f3b3ee42dc5 sffp_mmc.sys
Microsoft Corporation

3d0ea348784b7ac9ea9bd9f317980979 sffp_sd.sys
Microsoft Corporation

46ed8e91793b2e6f848015445a0ac188 sfloppy.sys
Microsoft Corporation

1d76624a09a054f682d746b924e2dbc3 sisagp.sys
Microsoft Corporation

43cb7aa756c7db280d01da9b676cfde2 sisraid2.sys
Microsoft Corporation

a99c6c8b0baa970d8aa59ddc50b57f94 sisraid4.sys
Silicon Integrated Systems

031e6bcd53c9b2b9ace111eafec347b6 smb.sys
Microsoft Corporation

a7d7ea1771d2ed6f39a8063e79b6c3e8 smclib.sys
Microsoft Corporation

7aebdeef071fe28b0eef2cdd69102bff spldr.sys
Microsoft Corporation

f713e67c329ce82ff1e1ebb497887427 spsys.sys
Microsoft Corporation

805fac010405ad3f82ef8df0bb035d81 srv2.sys
Microsoft Corporation

f63a0a58aafe34d7a1a0a74abccdd9c0 srvnet.sys
Microsoft Corporation

3d7c04aba41ac96ba7e9d123ec8f7fa3 srv.sys
Microsoft Corporation

39ad2c7b9c05c1ccd12480890dba4eb5 storport.sys
Microsoft Corporation

264232ef4283f123438c60d49e52d596 stream.sys
Microsoft Corporation

7ba58ecf0c0a9a69d44b3dca62becf56 swenum.sys
Microsoft Corporation

192aa3ac01df071b541094f251deed10 symc8xx.sys
LSI Logic

8c8eb8c76736ebaf3b13b633b2e64125 sym_hi.sys
LSI Logic

8072af52b5fd103bbba387a1e49f62cb sym_u3.sys
LSI Logic

d1e06d0b79fdbf6e86ff7be04ff33651 SynTP.sys
Synaptics

1239fd18895040d97b7cdbc19bc2075e tape.sys
Microsoft Corporation

d4a2e4a4b011f3a883af77315a5ae76b tcpipreg.sys
Microsoft Corporation

82e266bee5f0167e41c6ecfdd2a79c02 tcpip.sys
Microsoft Corporation

77937eff009ac696b90e09f671f9d0a4 tdi.sys
Microsoft Corporation

5dcf5e267be67a1ae926f2df77fbcc56 tdpipe.sys
Microsoft Corporation

389c63e32b3cefed425b61ed92d3f021 tdtcp.sys
Microsoft Corporation

d09276b1fab033ce1d40dcbdf303d10f tdx.sys
Microsoft Corporation

a048056f5e1a96a9bf3071b91741a5aa termdd.sys
Microsoft Corporation

dcf0f056a2e4f52287264f5ab29cf206 tssecsrv.sys
Microsoft Corporation

caecc0120ac49e3d2f758b9169872d38 tunmp.sys
Microsoft Corporation

119b8184e106baedc83fce5ddf3950da tunnel.sys
Microsoft Corporation

7d33c4db2ce363c8518d2dfcf533941f uagp35.sys
Microsoft Corporation

8b5088058fa1d1cd897a2113ccff6c58 udfs.sys
Microsoft Corporation

b0acfdc9e4af279e9116c03e014b2b27 uliagpkx.sys
Microsoft Corporation

9224bb254f591de4ca8d572a5f0d635c uliahci.sys
ULi Electronics

38c3c6e62b157a6bc46594fada45c62b ulsata2.sys
Promise Technology

8514d0e5cd0534467c5fc61be94a569f ulsata.sys
Promise Technology

32cff9f809ae9aed85464492bf3e32d2 umbus.sys
Microsoft Corporation

88bd96a1baeed33ee8bdf9499c07a841 umpass.sys
Microsoft Corporation

d173f7b936c8f579bcc4f78da861929c usb8023.sys
Microsoft Corporation

b0b0c4970bd60e6e2b0fd33b2960490d usbcamd2.sys
Microsoft Corporation

bf85eaab7b889e4b621111e0372cb147 usbcamd.sys
Microsoft Corporation

8bd3ae150d97ba4e633c6c5c51b41ae1 usbccgp.sys
Microsoft Corporation

e9476e6c486e76bc4898074768fb7131 usbcir.sys
Microsoft Corporation

790fdac6d0c762df9047c3c625a6ff6c usbd.sys
Microsoft Corporation

cebe90821810e76320155beba722fcf9 usbehci.sys
Microsoft Corporation

cc6b28e4ce39951357963119ce47b143 usbhub.sys
Microsoft Corporation

38dbc7dd6cc5a72011f187425384388b usbohci.sys
Microsoft Corporation

65ad9c60dbfa2f0ea582e691cba03f0c usbport.sys
Microsoft Corporation

b51e52acf758be00ef3a58ea452fe360 usbprint.sys
Microsoft Corporation

814d653efc4d48be3b04a307eceff56f usbuhci.sys
Microsoft Corporation

87b06e1f30b749a114f74622d013f8d4 vgapnp.sys
Microsoft Corporation

2e93ac0a1d8c79d019db6c51f036636c vga.sys
Microsoft Corporation

5d7159def58a800d5781ba3a879627bc viaagp.sys
Microsoft Corporation

c4f3a691b5bad343e6249bd8c2d45dee viac7.sys
Microsoft Corporation

aadf5587a4063f52c2c3fed7887426fc viaide.sys
VIA Technologies

c048d2c33d27441a0cdcaae2651eb03d videoprt.sys
Microsoft Corporation

69503668ac66c77c6cd7af86fbdf8c43 volmgr.sys
Microsoft Corporation

98f5ffe6316bd74e9e2c97206c190196 volmgrx.sys
Microsoft Corporation

d8b4a53dd2769f226b3eb374374987c9 volsnap.sys
Microsoft Corporation

587253e09325e6bf226b299774b728a9 vsmraid.sys
VIA Technologies

48dfee8f1af7c8235d4e626f0c4fe031 wacompen.sys
Microsoft Corporation

55201897378cca7af8b5efd874374a26 wanarp.sys
Microsoft Corporation

6c8b7df75ecf4a7dd668bec58e268329 watchdog.sys
Microsoft Corporation

b6f0a7ad6d4bd325fbcd8bac96cd8d96 wdf01000.sys
Microsoft Corporation

b4fc6dd9167b058e6dbe6cb14acfa2cb wdfldr.sys
Microsoft Corporation

78fe9542363f297b18c027b2d7e7c07f wd.sys
Microsoft Corporation

2e7255d172df0b8283cdfb7b433b864e wmiacpi.sys
Microsoft Corporation

c546864eed786304762d030febf6b411 wmilib.sys
Microsoft Corporation

e3a3cb253c0ec2494d4a61f5e43a389c ws2ifsl.sys
Microsoft Corporation

13b5f255e90624a5ba0441d39cfb6be2 wudfpf.sys
Microsoft Corporation

ac13cb789d93412106b0fb6c7eb2bcb6 wudfrd.sys
Microsoft Corporation

Driver report for /mnt/sda1/System Volume Information/SystemRestore/FRStaging/ProgramData/Symantec/Cached Installs/{3C1AE512-3C37-44FA-BA42-ABB721EC5B1D}/System32/drivers

e8e745b8eee63c7cf7d34833d3b8ca7f WPSDRVnt.sys
Symantec Corporation

Driver report for /mnt/sda1/System Volume Information/SystemRestore/FRStaging/Windows/System32/drivers

0349be02f329f4f48f1d48097fd65974 1394bus(8655).sys
Microsoft Corporation

82b296ae1892fe3dbee00c9cf92f8ac7 acpi.sys
Microsoft Corporation

a51ea92451897824c5c7474a160af773 ADIHdAud(8656).sys
Analog Devices

04f0fcac69c7c71a3ac4eb97fafc8303 adp94xx(8657).sys
Adaptec

60505e0041f7751bdbb80f88bf45c2ce adpahci(8658).sys
Adaptec

8a42779b02aec986eab64ecfc98f8bd7 adpu160m(8659).sys
Adaptec

241c9e37f8ce45ef51c3de27515ca4e5 adpu320(8660).sys
Adaptec

13f9e33747e6b41a3ff305c37db0d360 AGP440(8661).sys
Microsoft Corporation

9eaef5fc9b8e351afa7e78a6fae91f91 aliide(8662).sys
Acer Laboratories

c47344bc706e5f0b9dce369516661578 AMDAGP(8663).SYS
Microsoft Corporation

9b78a39a4c173fdbc1321e0dd659b34c amdide(8664).sys
Microsoft Corporation

18f29b49ad23ecee3d2a826c725c8d48 amdk7(8665).sys
Microsoft Corporation

93ae7f7dd54ab986a6f1a1b37be7442d amdk8(8666).sys
Microsoft Corporation

639ba7b37f25054cf5e82604e736d250 ApsHM86(8667).sys
Lenovo

a3aee791db8c73882f4503bfaacd8c9e ApsX86(8668).sys
Lenovo

5d2888182fb46632511acee92fdad522 arc(8669).sys
Adaptec

5e2a321bd7c8b3624e41fdec3e244945 arcsas(8670).sys
Adaptec

53b202abee6455406254444303e87be1 asyncmac(8671).sys
Microsoft Corporation

1f05b78ab91c9075565a9d8a4b880bc4 atapi.sys
Microsoft Corporation

64b0052340b8ec28fa8a56b708ae71cc ataport.sys
Microsoft Corporation

ab0e8983beb0b036485e0e97e23b69ad athr(8672).sys
Atheros Communications, Inc.

dbf0d7e2df33b469eb55406fea759350 atmeltpm(8673).sys
Atmel, Inc.

2b8a5a8879238c3ba9a89a8e3ac4e45d battc(8674).sys
Microsoft Corporation

9f5f8f2318dfa3974a6f6a5602733929 bdasup(8675).sys
Microsoft Corporation

67e506b75bd5326a3ec7b70bd014dfb6 beep(8676).sys
Microsoft Corporation

d4df28447741fd3d953526e33a617397 blbdrive(8677).sys
Microsoft Corporation

74b442b2be1260b7588c136177ceac66 bowser(8678).sys
Microsoft Corporation

9f9acc7f7ccde8a15c282d3f88b43309 BrFiltLo(8679).sys
Brother Industries

56801ad62213a41f6497f96dee83755a BrFiltUp(8680).sys
Brother Industries

b304e75cff293029eddf094246747113 BrSerId(8681).sys
Brother Industries

203f0b1e73adadbbb7b7b1fabd901f6b BrSerWdm(8682).sys
Brother Industries

bd456606156ba17e60a04e18016ae54b BrUsbMdm(8683).sys
Brother Industries

af72ed54503f717a43268b3cc5faec2e BrUsbSer(8684).sys
Brother Industries

6d39c954799b63ba866910234cf7d726 bthenum.sys
Microsoft Corporation

ad07c1ec6665b8b35741ab91200c6b68 bthmodem(8685).sys
Microsoft Corporation

5904efa25f829bf84ea6fb045134a1d8 bthpan(8686).sys
Microsoft Corporation

5a3abaa2f8eece7aefb942773766e3db bthport.sys
Microsoft Corporation

94e2941280e3756a5e0bcb467865c43a BTHUSB.SYS
Microsoft Corporation

636f45a8500c1438cfa7dee15fc5c184 btwaudio(8687).sys
Broadcom Corporation

bf9256ff01b093a5d90bb7a35ec90410 btwavdt(8688).sys
Broadcom Corporation

0ab8c1ac177afb27309e1072faf34a37 btwrchid(8689).sys
Broadcom Corporation

7add03e75beb9e6dd102c3081d29840a cdfs(8690).sys
Microsoft Corporation

6b4bffb9becd728097024276430db314 cdrom.sys
Microsoft Corporation

e5d4133f37219dbcfe102bc61072589d circlass(8691).sys
Microsoft Corporation

99afc3795b58cc478fbbbcdc658fcb56 CmBatt(8692).sys
Microsoft Corporation

0ca25e686a4928484e9fdabd168ab629 cmdide(8693).sys
CMD Technology

c586875ece5318c6309ed1ab79d0e55f COH_Mon.sys
Symantec Corporation

6afef0b60fa25de07c0968983ee4f60a compbatt(8694).sys
Microsoft Corporation

741e9dff4f42d2d8477d0fc1dc0df871 crcdisk(8695).sys
Microsoft Corporation

1f07becdca750766a96cda811ba86410 crusoe(8696).sys
Microsoft Corporation

5d4aefc3386920236a548271f8f1af6a disk.sys
Microsoft Corporation

ae1fdf7bf7bb6c6a70f67699d880592a djsvs(8697).sys
Adaptec

80bf3ba09f6f2523c8f6b7cc6dbf7bd5 Dot4Prt.sys
Microsoft Corporation

a84d8a9006b1ae515cc7b6b3586c295a Dot4Scan.sys
Microsoft Corporation

4f59c172c094e1a1d46463a8dc061cbd Dot4.sys
Microsoft Corporation

c55004ca6b419b6695970dfe849b122f Dot4usb.sys
Microsoft Corporation

7be5a3c671a2cb56e94403bfc2020a0d drmk(8698).sys
Microsoft Corporation

97fef831ab90bee128c9af390e243f80 drmkaud(8699).sys
Microsoft Corporation

7680c2c92271a3e156a816c9fe9ae01c dumpfve(8700).sys
Microsoft Corporation

eaaafef04fbb45665c9576e525d45a12 dxapi(8701).sys
Microsoft Corporation

e4563be48ef4e8d8ad3edd92bb01ad9a e1e6032(8702).sys
Intel Corporation

5425f74ac0c1dbd96a1e04f17d63f94c E1G60I32(8703).sys
Intel Corporation

23b62471681a124889978f6295b3f4c6 elxstor(8704).sys
Emulex

3db974f3935483555d7148663f726c61 errdev(8705).sys
Microsoft Corporation

afe1e8b9782a0dd7fb46bbd88e43f89a fdc(8711).sys
Microsoft Corporation

a8c0139a884861e3aae9cfe73b208a9f fileinfo(8712).sys
Microsoft Corporation

85b7cf99d532820495d68d747fda9ebd flpydisk(8713).sys
Microsoft Corporation

65ea8b77b5851854f0c55c43fa51a198 fs_rec(8714).sys
Microsoft Corporation

34582a6e6573d54a07ece5fe24a126b5 GAGP30KX(8715).SYS
Microsoft Corporation

062452b7ffd68c8c042a6261fe8dff4a hdaudbus.sys
Microsoft Corporation

cb04c744be0a61b1d648faed182c3b59 HdAudio(8718).sys
Microsoft Corporation

1338520e78d90154ed6be8f84de5fceb hidbth(8719).sys
Microsoft Corporation

5961cadb7cad938368d2028725ef771d hidclass.sys
Microsoft Corporation

ff3160c3a2445128c5a6d9b076da519e hidir(8720).sys
Microsoft Corporation

175444d3a01ca45d0e1c5dc5f48df7cd hidparse(8721).sys
Microsoft Corporation

cca4b519b17e23a00b826c55716809cc hidusb.sys
Microsoft Corporation

16ee7b23a009e00d835cdb79574a91a6 HpCISSs(8722).sys
Hewlett-Packard

5a77ac34a0ffb70ce8b35b524fede9ba HSX_CNXT(8724).sys
Conexant

7bc42c65b5c6281777c1a7605b253ba8 HSX_DPV(8725).sys
Conexant

9ebf2d102ccbb6bcdfbf1b7922f8ba2e HSXHWAZL(8726).sys
Conexant

95bd3ea81ebe6b8cacafdb6cdab3586c i2omgmt(8727).sys
Microsoft Corporation

c6b032d69650985468160fc9937cf5b4 i2omp(8728).sys
Microsoft Corporation

22d56c8184586b7a1f6fa60be5f5a2bd i8042prt(8729).sys
Microsoft Corporation

e5a0034847537eaee3c00349d5c34c5f iaStor(8730).sys
Intel Corporation

54155ea1b0df185878e0fc9ec3ac3a14 iaStorV(8731).sys
Intel Corporation

931af21653dd91cd85270a2b31f87eeb ibmpmdrv(8732).sys
Lenovo

2d077bf86e843f901d8db709c95b49a5 iirsp(8733).sys
Intel Corp

83aa759f3189e6370c30de5dc5590718 intelide(8734).sys
Microsoft Corporation

224191001e78c89dfa78924c3ea595ff intelppm(8735).sys
Microsoft Corporation

62c265c38769b864cb25b4bcf62df6c3 ipfltdrv(8736).sys
Microsoft Corporation

b25aaf203552b7b3491139d582b39ad1 IPMIDrv(8737).sys
Microsoft Corporation

8793643a67b42cec66490b2a0cf92d68 ipnat(8738).sys
Microsoft Corporation

e50a95179211b12946f7e035d60af560 irda(8739).sys
Microsoft Corporation

109c0dfb82c3632fbd11949b73aeeac9 irenum(8740).sys
Microsoft Corporation

6c70698a3e5c4376c6ab5c7c17fb0614 isapnp(8741).sys
Microsoft Corporation

bced60d16156e428f8df8cf27b0df150 iteatapi(8742).sys
Integrated Technology Express

06fa654504a498c30adca8bec4e87e7e iteraid(8743).sys
Integrated Technology Express

37605e0a8cf00cbba538e753e4344c6e kbdclass(8744).sys
Microsoft Corporation

18247836959ba67e3511b62846b9c2e0 kbdhid(8745).sys
Microsoft Corporation

007c3a7e6a864ab2b8c52df717a7254c LenovoRd(8746).sys
Lenovo

d1c5883087a0c3f1344d9d55a44901f6 lltdio(8747).sys
Microsoft Corporation

c7e15e82879bf3235b559563d4185365 lsi_fc(8748).sys
LSI Logic

ee01ebae8c9bf0fa072e0ff68718920a lsi_sas(8749).sys
LSI Logic

912a04696e9ca30146a62afa1463dd5c lsi_scsi(8750).sys
LSI Logic

8f5c7426567798e62a3b3614965d62cc luafv(8751).sys
Microsoft Corporation

c7dd7d9739785bd3a6b8499eec1dee7e mbamswissarmy.sys
Malwarebytes Corporation

67b48a903430c6d4fb58cbaca1866601 mbam.sys
Malwarebytes Corporation

b271ec02e71271a2da28b3b7bc4e4f15 mcd(8752).sys
Microsoft Corporation

0cea2d0d3fa284b85ed5b68365114f76 mdmxsdk(8753).sys
Conexant

0001ce609d66632fa17b84705f658879 megasas(8754).sys
LSI Corporation

c252f32cd9a49dbfc25ecf26ebd51a99 MegaSR(8755).sys
LSI Corporation

e13b5ea0f51ba5b1512ec671393d09ba modem(8756).sys
Microsoft Corporation

0a9bb33b56e294f686abb7c1e4e2d8a8 monitor.sys
Microsoft Corporation

5bf6a1326a335c5298477754a506d263 mouclass(8757).sys
Microsoft Corporation

93b8d4869e12cfbe663915502900876f mouhid(8758).sys
Microsoft Corporation

bdafc88aa6b92f7842416ea6a48e1600 mountmgr(8759).sys
Microsoft Corporation

511d011289755dd9f9a7579fb0b064e6 mpio(8760).sys
Microsoft Corporation

22241feba9b2defa669c8cb0a8dd7d2e mpsdrv(8761).sys
Microsoft Corporation

4fbbb70d30fd20ec51f80061703b001e Mraid35x(8762).sys
LSI Logic

28023e86f17001f7cd9b15a5bc9ae07d msahci(8763).sys
Microsoft Corporation

4468b0f385a86ecddaf8d3ca662ec0e7 msdsm(8764).sys
Microsoft Corporation

a9927f4a46b816c92f461acb90cf8515 msfs(8765).sys
Microsoft Corporation

0f400e306f385c56317357d6dea56f62 msisadrv(8766).sys
Microsoft Corporation

232fa340531d940aac623b121a595034 msiscsi.sys
Microsoft Corporation

d8c63d34d9c9e56c059e24ec7185cc07 mskssrv(8767).sys
Microsoft Corporation

1d373c90d62ddb641d50e55b9e78d65e mspclock(8768).sys
Microsoft Corporation

b572da05bf4e098d4bba3a4734fb505b mspqm(8769).sys
Microsoft Corporation

e384487cb84be41d09711c30ca79646c mssmbios(8770).sys
Microsoft Corporation

7199c1eec1e4993caf96b8c0a26bd58a mstee(8771).sys
Microsoft Corporation

0e186e90404980569fb449ba7519ae61 ndistapi(8772).sys
Microsoft Corporation

d6973aa34c4d5d76c0430b181c3cd389 ndisuio(8773).sys
Microsoft Corporation

71dab552b41936358f3b541ae5997fb3 ndproxy(8774).sys
Microsoft Corporation

bcd093a5a6777cf626434568dc7dba78 netbios(8775).sys
Microsoft Corporation

0f366d06511a76a0428b418c91ca0e31 NETw4v32.sys
Intel Corporation

2e7fb731d4790a1bc6270accefacb36e nfrd960(8776).sys
IBM Corp

6d8d2e5652fc2442c810c5d8be784148 nscirda(8777).sys
National Semiconductor Corporation

609773e344a97410ce4ebf74a8914fcf nsiproxy(8778).sys
Microsoft Corporation

e875c093aec0c978a90f30c9e0dfbb72 ntrigdigi.sys
N-trig Innovative Technologies

c5dbbcda07d780bda9b685df333bb41e null(8779).sys
Microsoft Corporation

18bbdf913916b71bd54575bdb6eeac0b NV_AGP(8780).SYS
Microsoft Corporation

d2ae473f2a825209fc77b47dc298075a nvlddmkm(8781).sys
NVIDIA Corporation

2edf9e7751554b42cbb60116de727101 nvraid(8782).sys
NVIDIA Corporation

abed0c09758d1d97db0042dbb2688177 nvstor(8783).sys
NVIDIA Corporation

6f310e890d46e246e0e261a63d9b36b4 ohci1394.sys
Microsoft Corporation

8a79fdf04a73428597e2caf9d0d67850 parport(8784).sys
Microsoft Corporation

6c580025c81caf3ae9e3617c22cad00e parvdm(8785).sys
Microsoft Corporation

fc175f5ddab666d7f4d17449a547626f pciide(8786).sys
Microsoft Corporation

6429d10c5d149ac9eb2d95052a390cff pciidex.sys
Microsoft Corporation

941dc1d19e7e8620f40bbc206981efdb pci.sys
Microsoft Corporation

3bb2244f343b610c29c98035504c9b75 pcmcia.sys
Microsoft Corporation

6349f6ed9c623b44b52ea3c63c831a92 PEAuth(8787).sys
Microsoft Corporation

218286724ec530ff252648369e05b090 portcls.sys
Microsoft Corporation

1d80309fed4babf8ea9e7b84a394348b PROCDD(8788).SYS
Lenovo

2027293619dd0f047c584cf2e7df4ffd processr(8789).sys
Microsoft Corporation

aac08defb15aaab00b30341c716efa35 psadd(8790).sys
Lenovo

d86b4a68565e444d76457f14172c875a pxhelp20(8791).sys
Sonic Solutions

0a6db55afb7820c99aa1f3a1d270f4f6 ql2300(8792).sys
QLogic Corporation

81a7e5c076e59995d54bc1ed3a16e60b ql40xx(8793).sys
QLogic Corporation

9f5e0e1926014d17486901c88eca2db7 qwavedrv(8794).sys
Microsoft Corporation

147d7f9c556d259924351feb0de606c3 rasacd(8795).sys
Microsoft Corporation

a214adbaf4cb47dd2728859ef31f26b0 rasl2tp(8796).sys
Microsoft Corporation

ecfffaec0c1ecd8dbc77f39070ea1db1 raspptp(8797).sys
Microsoft Corporation

89e59be9a564262a3fb6c4f4f1cd9899 RDPCDD(8798).sys
Microsoft Corporation

943b18305eae3935598a9b4a3d560b4c rdpdr.sys
Microsoft Corporation

9d91fe5286f748862ecffa05f8a0710c RDPENCDD(8799).sys
Microsoft Corporation

6482707f9f4da0ecbab43b2e0398a101 rfcomm.sys
Microsoft Corporation

355aac141b214bef1dbc1483afd9bd50 rimmptsk(8800).sys
Ricoh Company

a4216c71dd4f60b26418ccfd99cd0815 rimsptsk(8801).sys
Ricoh Company

d231b577024aa324af13a42f3a807d10 rixdptsk(8802).sys
Ricoh Company

75e8a6bfa7374aba833ae92bf41ae4e6 rootmdm(8803).sys
Microsoft Corporation

9c508f4074a39e8b4b31d27198146fad rspndr(8804).sys
Microsoft Corporation

3ce8f073a557e172b330109436984e30 sbp2port(8805).sys
Microsoft Corporation

6f5ca34ae885645acf8a20d564db976c scsiport(8806).sys
Microsoft Corporation

8f36b54688c31eed4580129040c6a3d3 sdbus.sys
Microsoft Corporation

90a3935d05b494a5a39d37e71f09a677 secdrv(8807).sys
Macrovision Corporation

ce9ec966638ef0b10b864ddedf62a099 serenum(8808).sys
Microsoft Corporation

6d663022db3e7058907784ae14b69898 serial(8809).sys
Microsoft Corporation

8af3d28a879bf75db53a0ee7a4289624 sermouse(8810).sys
Microsoft Corporation

3efa810bdca87f6ecc24f9832243fe86 sffdisk(8811).sys
Microsoft Corporation

e95d451f7ea3e583aec75f3b3ee42dc5 sffp_mmc(8812).sys
Microsoft Corporation

3d0ea348784b7ac9ea9bd9f317980979 sffp_sd(8813).sys
Microsoft Corporation

46ed8e91793b2e6f848015445a0ac188 sfloppy(8814).sys
Microsoft Corporation

1d76624a09a054f682d746b924e2dbc3 SISAGP(8815).SYS
Microsoft Corporation

43cb7aa756c7db280d01da9b676cfde2 sisraid2(8816).sys
Microsoft Corporation

a99c6c8b0baa970d8aa59ddc50b57f94 sisraid4(8817).sys
Silicon Integrated Systems

a7d7ea1771d2ed6f39a8063e79b6c3e8 smclib(8818).sys
Microsoft Corporation

63de2c8974f5d528fbc3d6978fd8ad6a smiif32(8819).sys
Lenovo

7aebdeef071fe28b0eef2cdd69102bff spldr(8820).sys
Microsoft Corporation

0ddb7fba32be09d8057063c0cee24137 srtspl.sys
Symantec Corporation

5a293729e1f9fce3a2106d1f5dc5e98a srtsp.sys
Symantec Corporation

a99719dfb61b61aa5026341bbb733c0a srtspx.sys
Symantec Corporation

7ba58ecf0c0a9a69d44b3dca62becf56 swenum(8821).sys
Microsoft Corporation

192aa3ac01df071b541094f251deed10 symc8xx(8824).sys
LSI Logic

51b57cda977170ac608d839dbfa1d3ee symdns.sys
Symantec Corporation

a54ff04bd6e75dc4d8cb6f3e352635e0 SYMEVENT.SYS
Symantec Corporation

a131d8360b01044517aa44529e2137d6 symfw.sys
Symantec Corporation

8c8eb8c76736ebaf3b13b633b2e64125 sym_hi(8822).sys
LSI Logic

2b77868f02dae02103380b824431b798 symids.sys
Symantec Corporation

7d3addfe63e5227bd2dbd5692bafb688 symndisv.sys
Symantec Corporation

394b2368212114d538316812af60fddd symredrv.sys
Symantec Corporation

d46676bb414c7531bdffe637a33f5033 symtdi.sys
Symantec Corporation

8072af52b5fd103bbba387a1e49f62cb sym_u3(8823).sys
LSI Logic

d7dc30b8b41e7a913c3fccc0631e72ec SynTP.sys
Synaptics

1239fd18895040d97b7cdbc19bc2075e tape(8825).sys
Microsoft Corporation

07d174a992ab0ea6001f390de1afa27b tcusb(8826).sys
UPEK Inc.

77937eff009ac696b90e09f671f9d0a4 tdi(8827).sys
Microsoft Corporation

5dcf5e267be67a1ae926f2df77fbcc56 tdpipe(8828).sys
Microsoft Corporation

389c63e32b3cefed425b61ed92d3f021 tdtcp(8829).sys
Microsoft Corporation

3cad38910468eab9a6479e2f01db43c7 termdd.sys
Microsoft Corporation

2c4af6504326a8030ac10565acfebc52 TopazUsb.sys
Dave Stevens Software

cb258c2f726f1be73c507022be33ebb3 tpm(8830).sys
Microsoft Corporation

1bd5719ef160e0ab739cd0ff3ba5e298 TPPWR32V(8831).SYS

dcf0f056a2e4f52287264f5ab29cf206 tssecsrv(8832).sys
Microsoft Corporation

caecc0120ac49e3d2f758b9169872d38 TUNMP(8833).SYS
Microsoft Corporation

49258a02a1e8d304ed88b0f1c56b1738 tvtfilter.sys
Lenovo

8ab24d4b7da715c2c80455137910e792 tvti2c(8834).sys
Lenovo

14b8d6bde06d621e2e469e42c7f34a4d tvtumon(8835).sys
Lenovo

7d33c4db2ce363c8518d2dfcf533941f UAGP35(8836).SYS
Microsoft Corporation

b0acfdc9e4af279e9116c03e014b2b27 ULIAGPKX(8837).SYS
Microsoft Corporation

9224bb254f591de4ca8d572a5f0d635c uliahci(8838).sys
ULi Electronics

38c3c6e62b157a6bc46594fada45c62b ulsata2(8840).sys
Promise Technology

8514d0e5cd0534467c5fc61be94a569f ulsata(8839).sys
Promise Technology

32cff9f809ae9aed85464492bf3e32d2 umbus(8841).sys
Microsoft Corporation

88bd96a1baeed33ee8bdf9499c07a841 umpass(8842).sys
Microsoft Corporation

8bd3ae150d97ba4e633c6c5c51b41ae1 usbccgp(8843).sys
Microsoft Corporation

e0b8489aeda9ea33361037be6a8cf1ca usbccid(8844).sys
Microsoft Corporation

e9476e6c486e76bc4898074768fb7131 usbcir(8845).sys
Microsoft Corporation

790fdac6d0c762df9047c3c625a6ff6c usbd(8846).sys
Microsoft Corporation

79e96c23a97ce7b8f14d310da2db0c9b usbehci.sys
Microsoft Corporation

4673bbcb006af60e7abddbe7a130ba42 usbhub.sys
Microsoft Corporation

38dbc7dd6cc5a72011f187425384388b usbohci(8847).sys
Microsoft Corporation

a1c100a87d981ad0774fbc0b4b82e913 usbport.sys
Microsoft Corporation

b51e52acf758be00ef3a58ea452fe360 usbprint(8848).sys
Microsoft Corporation

be3da31c191bc222d9ad503c5224f2ad USBSTOR.SYS
Microsoft Corporation

814d653efc4d48be3b04a307eceff56f usbuhci(8849).sys
Microsoft Corporation

2e93ac0a1d8c79d019db6c51f036636c vga(8850).sys
Microsoft Corporation

87b06e1f30b749a114f74622d013f8d4 vgapnp(8851).sys
Microsoft Corporation

5d7159def58a800d5781ba3a879627bc VIAAGP(8852).SYS
Microsoft Corporation

c4f3a691b5bad343e6249bd8c2d45dee viac7(8853).sys
Microsoft Corporation

aadf5587a4063f52c2c3fed7887426fc viaide(8854).sys
VIA Technologies

c048d2c33d27441a0cdcaae2651eb03d videoprt(8855).sys
Microsoft Corporation

6e237c0a8e248ddb6811c05834c8a15f vmx_svga(8856).sys
VMware

69503668ac66c77c6cd7af86fbdf8c43 volmgr(8857).sys
Microsoft Corporation

147281c01fcb1df9252de2a10d5e7093 volsnap.sys
Microsoft Corporation

587253e09325e6bf226b299774b728a9 vsmraid(8858).sys
VIA Technologies

46d67209550973257601a533e2ac5785 VSTAZL3(8859).SYS
Conexant

5c7bdcf5864db00323fe2d90fa26a8a2 VSTCNXT3(8860).SYS
Conexant

ec36f1d542ed4252390d446bf6d4dfd0 VSTDPV3(8862).SYS
Conexant

48dfee8f1af7c8235d4e626f0c4fe031 wacompen(8866).sys
Microsoft Corporation

55201897378cca7af8b5efd874374a26 wanarp(8867).sys
Microsoft Corporation

78fe9542363f297b18c027b2d7e7c07f wd(8868).sys
Microsoft Corporation

2e7255d172df0b8283cdfb7b433b864e wmiacpi(8869).sys
Microsoft Corporation

c546864eed786304762d030febf6b411 wmilib(8870).sys
Microsoft Corporation

e3a3cb253c0ec2494d4a61f5e43a389c ws2ifsl(8871).sys
Microsoft Corporation

13b5f255e90624a5ba0441d39cfb6be2 WUDFPf(8872).sys
Microsoft Corporation

ac13cb789d93412106b0fb6c7eb2bcb6 WUDFRd(8873).sys
Microsoft Corporation

88af537264f2b818da15479ceeaf5d7c XAudio(8875).sys
Conexant



#10 gringo_pr (Bleepin Gringo)

  • Malware Response Team
  • 136,772 posts
  • Gender: Male
  • Location: Puerto Rico

Posted 25 September 2010 - 11:27 PM

  • Boot the computer with the USB drive again.
  • Click on File
  • Expand mnt
  • Expand your USB (sdb1)
  • Confirm that you see driver.sh.
  • Press Tool at the top
  • Choose Open Terminal
  • Type bash driver.sh -f
  • Press Enter
  • You will be prompted to input a filename.
  • Type the following:
    ndis.sys
  • Press Enter
  • If successful, the script will search for this file.
  • After it has finished, a report will be located on the USB drive as filefind.txt
Please note - all text entries are case sensitive

Copy and paste the filefind.txt for my review

Edited by gringo_pr, 25 September 2010 - 11:27 PM.

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#11 CMHop (Topic Starter)

  • Members
  • 11 posts

Posted 26 September 2010 - 07:26 AM

Alright, here is filefind.txt:

Search results for ndis.sys

f6a71631014ce20141122ea1b921e80f /mnt/sda1/ComboFix/ndis.sys
515.5K Apr 11 2009

9bdc71790fa08f0a0b5f10462b1bd0b1 /mnt/sda1/RRbackups/FR/UF/Windows/system32/drivers/ndis.sys
517.1K Jan 21 2008

1357274d1883f68300aeadd15d7bbb42 /mnt/sda1/System Volume Information/SystemRestore/FRStaging/Windows/winsxs/x86_microsoft-windows-ndis_31bf3856ad364e35_6.0.6002.18005_none_a9b2a4d31930d864/ndis.sys
515.5K Apr 11 2009

f2bbf8be1bd57adc7e2b2fbef3d9a318 /mnt/sda1/Windows/System32/drivers/ndis.sys
517.1K Jan 21 2008

9bdc71790fa08f0a0b5f10462b1bd0b1 /mnt/sda1/Windows/winsxs/x86_microsoft-windows-ndis_31bf3856ad364e35_6.0.6001.18000_none_a7c72bc71c0f0d18/ndis.sys
517.1K Jan 21 2008

f6a71631014ce20141122ea1b921e80f /mnt/sda1/Windows/winsxs/x86_microsoft-windows-ndis_31bf3856ad364e35_6.0.6002.18005_none_a9b2a4d31930d864/ndis.sys
515.5K Apr 11 2009



#12 gringo_pr (Bleepin Gringo)

  • Malware Response Team
  • 136,772 posts
  • Gender: Male
  • Location: Puerto Rico

Posted 26 September 2010 - 02:34 PM

Hello

Looks like it is in place but it is infected. Here is where it can get tricky.

I can't get on my computer till tomorrow to make you detailed instructions, but if you are OK with simple instructions, here is what I want to do:

Using the system tree on the left, navigate to, right click and copy this file /mnt/sda1/Windows/winsxs/x86_microsoft-windows-ndis_31bf3856ad364e35_6.0.6001.18000_none_a7c72bc71c0f0d18/ndis.sys
and paste it to this location
/mnt/sda1/Windows/System32/drivers

You will see on the right side a system tree; just navigate to the first file, right click on it and select copy, then navigate to the drivers folder, right click anywhere and select paste.

Gringo


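
The check made by eye in the two posts above (the live ndis.sys under System32\drivers hashes differently from the WinSxS copy that has the same size and date) can be automated. The script below is an added example, not part of the thread and not part of the driver.sh tool: it parses filefind.txt in the format posted (hash and path on one line, size and date on the next), treats only the live component store under Windows\winsxs as the reference set, and reports any live driver whose MD5 matches no store copy, listing the store copies of identical size and timestamp as restore candidates. The embedded input is the filefind.txt text from post #11; the mount root /mnt/sda1 is assumed from the thread, and the md5_of_file helper is an assumed convenience for re-checking a report entry against a mounted disk.

```python
import hashlib
import re

# Constructed fixture: the filefind.txt text posted in this thread, embedded
# inline so the script runs offline. Format: "<md5> <path>" on one line,
# "<size> <Mon> <day> <year>" on the next.
FILEFIND_TXT = """\
Search results for ndis.sys

f6a71631014ce20141122ea1b921e80f /mnt/sda1/ComboFix/ndis.sys
515.5K Apr 11 2009

9bdc71790fa08f0a0b5f10462b1bd0b1 /mnt/sda1/RRbackups/FR/UF/Windows/system32/drivers/ndis.sys
517.1K Jan 21 2008

1357274d1883f68300aeadd15d7bbb42 /mnt/sda1/System Volume Information/SystemRestore/FRStaging/Windows/winsxs/x86_microsoft-windows-ndis_31bf3856ad364e35_6.0.6002.18005_none_a9b2a4d31930d864/ndis.sys
515.5K Apr 11 2009

f2bbf8be1bd57adc7e2b2fbef3d9a318 /mnt/sda1/Windows/System32/drivers/ndis.sys
517.1K Jan 21 2008

9bdc71790fa08f0a0b5f10462b1bd0b1 /mnt/sda1/Windows/winsxs/x86_microsoft-windows-ndis_31bf3856ad364e35_6.0.6001.18000_none_a7c72bc71c0f0d18/ndis.sys
517.1K Jan 21 2008

f6a71631014ce20141122ea1b921e80f /mnt/sda1/Windows/winsxs/x86_microsoft-windows-ndis_31bf3856ad364e35_6.0.6002.18005_none_a9b2a4d31930d864/ndis.sys
515.5K Apr 11 2009
"""

ENTRY_RE = re.compile(r"^([0-9a-fA-F]{32}) (.+)$")
META_RE = re.compile(r"^(\S+) ([A-Za-z]{3} \d{1,2} \d{4})$")


def parse_filefind(text):
    """Return [(md5, path, size, date), ...] from filefind.txt-style text."""
    lines = [line.rstrip() for line in text.splitlines()]
    entries = []
    i = 0
    while i < len(lines):
        entry = ENTRY_RE.match(lines[i])
        meta = META_RE.match(lines[i + 1]) if entry and i + 1 < len(lines) else None
        if entry and meta:
            entries.append((entry.group(1).lower(), entry.group(2),
                            meta.group(1), meta.group(2)))
            i += 2
        else:
            i += 1
    return entries


def assess(entries, root="/mnt/sda1"):
    """Flag live drivers whose MD5 matches no copy in the live component store.

    Only <root>/Windows/winsxs is the reference set. The ComboFix, RRbackups
    and System Volume Information trees are deliberately excluded: they are
    not the component store the OS itself would restore from.
    """
    live_prefix = (root + "/Windows/System32/drivers/").lower()
    store_prefix = (root + "/Windows/winsxs/").lower()
    live = [e for e in entries if e[1].lower().startswith(live_prefix)]
    store = [e for e in entries if e[1].lower().startswith(store_prefix)]
    store_hashes = {e[0] for e in store}

    findings = []
    for md5, path, size, date in live:
        if md5 in store_hashes:
            findings.append({"path": path, "suspect": False, "restore_from": []})
            continue
        # Same size and timestamp as a store copy but a different MD5 means the
        # contents changed in place, which is what an in-place patched driver
        # looks like. Those store copies are the restore candidates.
        same_shape = [e[1] for e in store if e[2] == size and e[3] == date]
        findings.append({"path": path, "suspect": True, "restore_from": same_shape})
    return findings


def md5_of_file(path):
    """MD5 of a file on a mounted image, to re-check a report entry by hand."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


if __name__ == "__main__":
    for finding in assess(parse_filefind(FILEFIND_TXT)):
        status = "SUSPECT" if finding["suspect"] else "ok"
        print(status, finding["path"])
        for candidate in finding["restore_from"]:
            print("    restore candidate:", candidate)
```

Run against the posted report, it flags /mnt/sda1/Windows/System32/drivers/ndis.sys and names the 6.0.6001.18000 WinSxS copy as the restore source, which is the copy used in the thread. Two caveats: equal size and timestamp are exactly what an in-place patch preserves, so only the hash comparison carries weight; and the WinSxS copy is a reference, not proof, so before copying it over the live driver its hash should be checked against a known-good value (or its Authenticode signature verified) rather than trusted because it sits in the component store.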

#13 CMHop (Topic Starter)

  • Members
  • 11 posts

Posted 26 September 2010 - 02:55 PM

Okay, I was able to copy and paste the ndis.sys file as you instructed. When I pasted the file I received a message that ndis.sys was already in that folder, and I told it to overwrite the existing copy.

I'll wait for you to advise me on the next step (trying to boot Windows again?).

#14 gringo_pr (Bleepin Gringo)

  • Malware Response Team
  • 136,772 posts
  • Gender: Male
  • Location: Puerto Rico

Posted 26 September 2010 - 02:58 PM

Yes, let's try to boot to Windows.


Gringo



#15 CMHop (Topic Starter)

  • Members
  • 11 posts

Posted 26 September 2010 - 03:55 PM

Okay, it seems like we're making progress. I rebooted Windows and it loaded up normally. Once my desktop came up the Combofix window immediately appeared and it went through its 50-step process. When it completed I guess it restarted the computer again, and once again, Windows loaded correctly. I'm now back on the "sick" computer and it seems to be functioning correctly. I have done several google searches using Firefox and IE and so far I am not getting redirected to any junk websites. Below is the Combofix report:

ComboFix 10-09-25.05 - cmhopkin 09/26/2010 16:12:57.2.2 - x86
Microsoft® Windows Vista™ Enterprise 6.0.6002.2.1252.1.1033.18.3054.2350 [GMT -4:00]
Running from: d:\users\cmhopkin\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\Administrator\AppData\Roaming\64dlls.exe
c:\users\Administrator\AppData\Roaming\intel64.exe
c:\users\Administrator\AppData\Roaming\Kernel32.exe
c:\users\Administrator\AppData\Roaming\localsys64.exe
c:\users\Administrator\AppData\Roaming\ntos.exe
c:\users\Administrator\AppData\Roaming\oembios.exe
c:\users\Administrator\AppData\Roaming\sdra64.exe
c:\users\Administrator\AppData\Roaming\sdra73.exe
c:\users\Administrator\AppData\Roaming\swin32.exe
c:\users\Administrator\AppData\Roaming\twex.exe
c:\users\Administrator\AppData\Roaming\twext.exe
c:\users\Administrator\AppData\Roaming\wsnpoema.exe

Infected copy of c:\windows\system32\drivers\ndis.sys was found and disinfected
Restored copy from - c:\windows\winsxs\x86_microsoft-windows-ndis_31bf3856ad364e35_6.0.6001.18000_none_a7c72bc71c0f0d18\ndis.sys
.
((((((((((((((((((((((((( Files Created from 2010-08-26 to 2010-09-26 )))))))))))))))))))))))))))))))
.

2010-09-26 20:22 . 2010-09-26 20:31 -------- d-----w- d:\users\cmhopkin\AppData\Local\temp
2010-09-26 20:22 . 2010-09-26 20:22 -------- d-----w- d:\users\virgie\AppData\Local\temp
2010-09-26 20:22 . 2010-09-26 20:22 -------- d-----w- d:\users\TEMP\AppData\Local\temp
2010-09-26 20:22 . 2010-09-26 20:22 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
2010-09-25 19:47 . 2010-09-25 19:47 -------- d-----w- c:\program files\Trend Micro
2010-09-15 13:45 . 2010-04-16 16:46 502272 ----a-w- c:\windows\system32\usp10.dll
2010-09-15 13:45 . 2010-08-17 14:11 128000 ----a-w- c:\windows\system32\spoolsv.exe
2010-09-15 13:45 . 2010-04-05 17:02 317952 ----a-w- c:\windows\system32\MP4SDECD.DLL
2010-09-15 13:42 . 2010-05-27 20:08 739328 ----a-w- c:\windows\system32\inetcomm.dll
2010-09-14 23:53 . 2010-09-25 16:11 -------- d-----w- C:\VIP
2010-09-10 22:19 . 2010-09-25 16:19 -------- d-----w- d:\users\cmhopkin\AppData\Roaming\uTorrent
2010-09-10 11:40 . 2008-04-05 01:01 272896 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\hpcpp5r1.DLL
2010-09-09 11:48 . 2010-09-09 11:48 -------- d-----w- c:\program files\MSECache
2010-09-03 22:09 . 2010-09-03 22:09 -------- d-----w- d:\users\cmhopkin\AppData\Local\Microsoft Help
2010-08-29 21:37 . 2010-08-29 21:37 -------- d-----w- c:\program files\Enterasys Networks

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-25 16:19 . 2010-07-26 19:32 -------- d-----w- d:\users\virgie\AppData\Roaming\Thunderbird
2010-09-25 16:19 . 2010-07-28 00:50 -------- d-----w- d:\users\cmhopkin\AppData\Roaming\vlc
2010-09-25 16:19 . 2010-07-27 14:49 -------- d-----w- d:\users\cmhopkin\AppData\Roaming\Thunderbird
2010-09-25 16:19 . 2010-07-28 00:50 -------- d-----w- d:\users\cmhopkin\AppData\Roaming\dvdcss
2010-09-25 16:17 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Sidebar
2010-09-25 16:17 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Defender
2010-09-25 16:17 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-09-25 16:17 . 2010-07-26 13:55 -------- d-----w- c:\program files\Windows Portable Devices
2010-09-25 16:17 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Photo Gallery
2010-09-25 16:17 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Calendar
2010-09-25 16:11 . 2010-07-30 23:06 -------- d-----w- c:\program files\Winamp
2010-09-25 16:11 . 2008-03-24 20:21 -------- d-----w- c:\program files\UNC
2010-09-25 16:11 . 2008-04-22 21:59 -------- d-----w- c:\program files\ThinkVantage Fingerprint Software
2010-09-25 16:11 . 2008-04-22 22:47 -------- d-----w- c:\program files\Symantec
2010-09-25 16:11 . 2008-04-22 22:47 -------- d-----w- c:\program files\Symantec AntiVirus
2010-09-25 16:11 . 2008-03-24 19:45 -------- d-----w- c:\program files\Office 2003 Installation Source
2010-09-25 16:11 . 2008-04-22 21:57 -------- d-----w- c:\program files\NetWaiting
2010-09-25 16:11 . 2008-03-24 20:40 -------- d-----w- c:\program files\Mozilla Thunderbird
2010-09-25 16:10 . 2008-04-25 18:32 -------- d-----w- c:\program files\Microsoft Silverlight
2010-09-25 16:10 . 2008-03-24 20:28 -------- d-----w- c:\program files\Microsoft Works
2010-09-25 16:10 . 2010-08-10 02:37 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-09-25 16:10 . 2008-04-22 22:01 -------- d-----w- c:\program files\Lenovo
2010-09-25 16:10 . 2008-07-01 18:17 -------- d-----w- c:\program files\Electronic Patient Record
2010-09-25 16:10 . 2008-04-22 21:58 -------- d-----w- c:\program files\Digital Line Detect
2010-09-25 16:10 . 2008-04-22 22:47 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-09-25 16:10 . 2008-04-22 22:10 -------- d-----w- c:\program files\Common Files\PX Storage Engine
2010-09-25 16:10 . 2008-04-22 22:13 -------- d-----w- c:\program files\Common Files\Lenovo
2010-09-25 16:10 . 2010-08-06 14:53 -------- d-----w- c:\program files\BurnAware Free
2010-09-02 15:50 . 2010-07-27 14:49 143598 ----a-w- d:\users\cmhopkin\AppData\Roaming\nvModes.dat
2010-08-24 13:26 . 2010-07-26 19:53 806 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-08-24 13:26 . 2010-07-26 19:53 7456 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-08-24 13:26 . 2010-07-26 19:53 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-08-24 13:22 . 2010-08-24 13:22 87368 ----a-w- c:\windows\system32\FwsVpn.dll
2010-08-24 13:22 . 2010-08-24 13:22 43696 ----a-w- c:\windows\system32\drivers\srtspx.sys
2010-08-24 13:22 . 2010-08-24 13:22 107848 ----a-w- c:\windows\system32\SymVPN.dll
2010-08-24 13:22 . 2010-08-24 13:22 7442 ----a-w- c:\windows\system32\drivers\srtspx.cat
2010-08-24 13:22 . 2010-08-24 13:22 7442 ----a-w- c:\windows\system32\drivers\srtspl.cat
2010-08-24 13:22 . 2010-08-24 13:22 7438 ----a-w- c:\windows\system32\drivers\srtsp.cat
2010-08-24 13:22 . 2010-08-24 13:22 320944 ----a-w- c:\windows\system32\drivers\srtspl.sys
2010-08-24 13:22 . 2010-08-24 13:22 283184 ----a-w- c:\windows\system32\drivers\srtsp.sys
2010-08-24 13:22 . 2010-08-24 13:22 1430 ----a-w- c:\windows\system32\drivers\srtspl.inf
2010-08-24 13:22 . 2010-08-24 13:22 1421 ----a-w- c:\windows\system32\drivers\srtspx.inf
2010-08-24 13:22 . 2010-08-24 13:22 1415 ----a-w- c:\windows\system32\drivers\srtsp.inf
2010-08-10 02:37 . 2010-08-10 02:37 -------- d-----w- d:\users\cmhopkin\AppData\Roaming\Malwarebytes
2010-08-09 22:58 . 2010-08-09 22:58 -------- d-----w- c:\program files\HP
2010-08-09 22:52 . 2010-08-09 22:52 -------- d-----w- c:\program files\Hewlett-Packard
2010-07-29 12:43 . 2008-03-24 20:41 -------- d-----w- c:\program files\Common Files\Adobe
2010-07-28 22:14 . 2008-04-22 21:47 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-07-28 22:13 . 2010-07-28 22:13 -------- d-----w- c:\program files\Amazon
2010-07-28 03:39 . 2008-02-15 19:10 12 ----a-w- c:\windows\bthservsdp.dat
2010-07-27 21:21 . 2010-07-27 21:21 0 ------w- c:\windows\nsreg.dat
2010-07-27 20:54 . 2010-07-27 20:54 102824 ----a-w- d:\users\cmhopkin\AppData\Local\GDIPFONTCACHEV1.DAT
2010-07-26 15:39 . 2008-06-12 01:54 118272 ------w- c:\windows\system32\config\systemprofile\AppData\Local\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2010-04-23 1725736]
"PSQLLauncher"="c:\program files\ThinkVantage Fingerprint Software\launcher.exe" [2007-08-14 48904]
"TPHOTKEY"="c:\program files\Lenovo\HOTKEY\TPOSDSVC.exe" [2008-01-24 66928]
"TpShocks"="TpShocks.exe" [2007-11-22 181536]
"PWMTRV"="c:\progra~1\ThinkPad\UTILIT~1\PWMTR32V.DLL" [2008-01-11 558368]
"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BTVLogEx.DLL" [2008-01-11 214576]
"TPFNF7"="c:\progra~1\Lenovo\NPDIRECT\TPFNF7SP.exe" [2008-03-26 59680]
"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2007-04-27 243248]
"TPKMAPHELPER"="c:\program files\ThinkPad\Utilities\TpKmapAp.exe" [2007-02-26 992816]
"TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2008-03-04 487424]
"LPManager"="c:\progra~1\THINKV~2\PrdCtr\LPMGR.exe" [2008-01-11 144728]
"LPMailChecker"="c:\progra~1\THINKV~2\PrdCtr\LPMLCHK.exe" [2008-01-11 124248]
"AwaySch"="c:\program files\Lenovo\AwayTask\AwaySch.EXE" [2006-11-07 91688]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-12-11 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-11 8501792]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-12-11 81920]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-12-07 1282048]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2010-08-24 115560]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="c:\program files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 479232]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"WinampAgent"="c:\program files\Winamp\Winampa.exe" [2003-04-02 12288]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"DisableCAD"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLogonScripts"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoAutorun"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"RestrictWelcomeCenter"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2007-08-14 19:54 89600 ------w- c:\windows\System32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli psqlpwd

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
2007-09-11 04:43 67488 ------w- c:\program files\Adobe\Photoshop Elements 6.0\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-1205809463-255938501-11539462-16204]
"EnableNotificationsRef"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-1602049871-2701741802-2030094252-500]
"EnableNotificationsRef"=dword:00000001

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 COH_Mon;COH_Mon;c:\windows\system32\Drivers\COH_Mon.sys [2010-02-23 23888]
R3 TOPAZUSB;TopazUsb.Sys Topaz Tablet USB Driver;c:\windows\system32\DRIVERS\TOPAZUSB.sys [2002-10-09 33821]
R3 vmx_svga;vmx_svga;c:\windows\system32\DRIVERS\vmx_svga.sys [2006-07-01 15744]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S0 TPDIGIMN;TPDIGIMN;c:\windows\System32\DRIVERS\ApsHM86.sys [2007-10-16 19504]
S1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\DRIVERS\smiif32.sys [2006-08-30 13744]
S1 tvtumon;tvtumon;c:\windows\system32\DRIVERS\tvtumon.sys [2008-02-03 47680]
S2 NACAgentService;NAC Agent Service;c:\program files\Enterasys Networks\NAC Agent\NacAgtSv.exe [2010-05-25 17420168]
S2 smihlp;SMI Helper Driver (smihlp);c:\program files\Common Files\ThinkVantage Fingerprint Software\Drivers\smihlp.sys [2007-08-14 10896]
S2 TPHKSVC;On Screen Display;c:\program files\LENOVO\HOTKEY\TPHKSVC.exe [2007-12-14 58224]
S2 TVT Backup Protection Service;TVT Backup Protection Service;c:\program files\Lenovo\Rescue and Recovery\rrpservice.exe [2007-12-05 520192]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2010-07-15 102448]
S3 LenovoRd;LenovoRd;c:\windows\system32\Drivers\LenovoRd.sys [2007-06-08 81280]
S3 TVTI2C;Lenovo SM bus driver;c:\windows\system32\DRIVERS\Tvti2c.sys [2007-05-22 30336]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
bthsvcs REG_MULTI_SZ BthServ
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie.htm
Trusted Zone: unc.edu\dentistrymail.dent
Trusted Zone: unc.edu\www.dent
Trusted Zone: unc.edu\dentistrymail.dent
Trusted Zone: unc.edu\www.dent
FF - ProfilePath -
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(664)
c:\windows\system32\psqlpwd.dll
c:\program files\ThinkVantage Fingerprint Software\homefus2.dll
c:\program files\ThinkVantage Fingerprint Software\infra.dll

- - - - - - - > 'Explorer.exe'(996)
c:\windows\system32\btncopy.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ibmpmsvc.exe
c:\program files\ThinkVantage Fingerprint Software\upeksvr.exe
c:\windows\system32\IPSSVC.EXE
c:\program files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
c:\windows\system32\AEADISRV.EXE
c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
c:\program files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
c:\windows\System32\TPHDEXLG.exe
c:\program files\Lenovo\Rescue and Recovery\rrservice.exe
c:\program files\Common Files\Lenovo\Scheduler\tvtsched.exe
c:\windows\system32\DRIVERS\xaudio.exe
c:\program files\lenovo\system update\suservice.exe
c:\program files\Common Files\Lenovo\Logger\logmon.exe
c:\windows\servicing\TrustedInstaller.exe
c:\windows\System32\TpShocks.exe
c:\windows\System32\rundll32.exe
c:\program files\Lenovo\NPDIRECT\tpfnf7sp.exe
c:\program files\ThinkPad\Utilities\EZEJMNAP.EXE
c:\program files\ThinkVantage\PrdCtr\LPMGR.EXE
c:\program files\ThinkVantage\PrdCtr\LPMLCHK.EXE
c:\windows\System32\rundll32.exe
c:\windows\System32\rundll32.exe
c:\program files\Microsoft Office\Office12\OUTLOOK.EXE
c:\program files\Lenovo\HOTKEY\TPONSCR.exe
c:\program files\Lenovo\Zoom\TpScrex.exe
c:\program files\Synaptics\SynTP\SynTPLpr.exe
c:\program files\Synaptics\SynTP\SynTPHelper.exe
c:\program files\Mozilla Thunderbird\thunderbird.exe
.
**************************************************************************
.
Completion time: 2010-09-26 16:37:25 - machine was rebooted
ComboFix-quarantined-files.txt 2010-09-26 20:37
ComboFix2.txt 2010-09-25 13:24

Pre-Run: 52,532,133,888 bytes free
Post-Run: 52,535,595,008 bytes free

- - End Of File - - A87159AA336E6FFE72F64D51D9871858
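The repair in this thread replaced c:\windows\system32\drivers\ndis.sys with a copy from the WinSxS component store, and the ComboFix log above confirms the restore ("Restored copy from - c:\windows\winsxs\...\ndis.sys"). The script below is an added example, not something posted in the thread or shipped with ComboFix: it checks, after such a repair, that the live driver is byte-identical to the component-store copy and lists the file's hard links, because on Vista the System32 file and its WinSxS entry are normally hard links to the same data, so a hash comparison only means something when the two paths are separate files. The WinSxS folder name is taken verbatim from the log and will differ on other Windows builds; the SHA-256 helper uses .NET directly because Vista-era PowerShell has no Get-FileHash cmdlet.

```powershell
# Added example (not from the thread): verify a restored ndis.sys against the
# WinSxS component-store copy. Run from an elevated PowerShell prompt.
# The store path below is the one named in the ComboFix log; adjust it to the
# folder that matches the installed build on other machines.
$live  = Join-Path $env:SystemRoot 'System32\drivers\ndis.sys'
$store = Join-Path $env:SystemRoot 'winsxs\x86_microsoft-windows-ndis_31bf3856ad364e35_6.0.6001.18000_none_a7c72bc71c0f0d18\ndis.sys'

function Get-Sha256Hex([string]$Path) {
    # .NET hashing so this also works on PowerShell 2.0 (no Get-FileHash).
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try     { $bytes = $sha.ComputeHash($fs) }
    finally { $fs.Close() }
    ($bytes | ForEach-Object { $_.ToString('x2') }) -join ''
}

function Get-HardLinks([string]$Path) {
    # fsutil lists every directory entry that points at the same file data.
    # If the WinSxS path appears here, the hash comparison is vacuous.
    & fsutil hardlink list $Path 2>$null | ForEach-Object { $_.Trim() } | Where-Object { $_ }
}

function Test-DriverIntegrity([string]$LivePath, [string]$StorePath) {
    $liveHash  = Get-Sha256Hex $LivePath
    $storeHash = Get-Sha256Hex $StorePath
    New-Object PSObject -Property @{
        LivePath     = $LivePath
        LiveVersion  = (Get-Item $LivePath).VersionInfo.FileVersion
        StoreVersion = (Get-Item $StorePath).VersionInfo.FileVersion
        LiveHash     = $liveHash
        StoreHash    = $storeHash
        HashesMatch  = ($liveHash -eq $storeHash)
        HardLinks    = @(Get-HardLinks $LivePath)
    }
}

$r = Test-DriverIntegrity $live $store
$r | Format-List LiveVersion, StoreVersion, HashesMatch, HardLinks

if (-not $r.HashesMatch) {
    Write-Warning 'Live ndis.sys does not match the component-store copy; treat the driver as suspect.'
} elseif ($r.HardLinks.Count -gt 1) {
    Write-Warning 'Live file and store copy share the same data (hard links); the hash match proves nothing on its own.'
}

# Catalog-signed system files carry no embedded Authenticode signature, so
# Get-AuthenticodeSignature is not a reliable check here. Windows Resource
# Protection verifies the file against the signed catalogs instead:
& sfc /verifyfile=$live
```

Read the result together with the ComboFix output: a version mismatch between LiveVersion and StoreVersion is expected when the tool restored an older component-store copy, as the log above shows (a 6.0.6001 store copy on a 6.0.6002 system), and in that case installing the current service pack or cumulative update brings the driver back to the build's own version. A hash mismatch against the copy of the same version, or an sfc report that the file is corrupted, is the signal that the driver is still not the one Windows shipped.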
