TDSS STRIKE - I have lost hope, will you bring it back?


  • This topic is locked
7 replies to this topic

#1 BeatenByAtapi

  • Members
  • 5 posts
  • OFFLINE
  • Local time:12:03 PM

Posted 02 October 2010 - 02:53 AM

UnHackMe keeps identifying this as a virus:
atapi.sys
because the virus is patching my atapi.sys all the time.
I replaced it with a virus-free one for now; I hope it'll be OK until... the next reboot, of course.
Then the patched ones will take over.
I have a feeling that the TDSS virus struck me.

I read in other forums about these troubling files:
mouclass.sys
ftdisk.sys
I might suffer from them too; each time I delete ftdisk.sys it comes back, just like atapi.
I replaced them too... until the next reboot (or are they... innocent?).

My favorite security software is:
ESET NOD32 Antivirus
Malwarebytes' Anti-Malware
Adaware 6
UnHackMe
TuneUp Utilities - for fixing the registry
ComboFix
I used them all, of course, in safe mode. ComboFix tells me I have a rootkit every time I relaunch it, even if I do it twice in a row.
I also tried HitmanPro and CureIt and they turned out to be totally useless.

I must note that my CD-ROM hasn't worked for quite a long time; it's quite disturbing, and perhaps a virus is the problem?

I am also using a file sharing program (eMule), so it's not really mysterious where the virus came from - I usually use VirusTotal before I launch new files, but sometimes I fail.


Now for the logs...
SysProt (made my system crash when treating the virus)
RootkitRevealer
TDSS rootkit removing tool (made my system crash when treating the virus)
Adaware

I don't know which of the other logs you need for which programs, if you need any. I am very desperate.

My computer is quite slow, perhaps because of infections, but I am able to operate it fairly normally (except for touching the registry keys of the virus - that instantly brings the blue screen of death, and I have to choose to start the computer with the definitions it had when it last went up successfully).

SYSPROTLOG

Module name: none, Service name: ... Module Base: B7EE3000 Module end: B7EFB000
When I tried to "kill" the ... service and reboot, my system couldn't start; I had to use earlier definitions to start.


SysProtLog - Anti rootkit program
SysProt AntiRootkit v1.0.1.0
by swatkat

******************************************************************************************
******************************************************************************************

Process:
Name: [System Idle Process]
PID: 0
Hidden: No
Window Visible: No

Name: System
PID: 4
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\smss.exe
PID: 780
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\csrss.exe
PID: 920
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\winlogon.exe
PID: 972
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\services.exe
PID: 1024
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\lsass.exe
PID: 1036
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 1220
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 1288
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 1392
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 1532
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 1644
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\spoolsv.exe
PID: 1832
Hidden: No
Window Visible: No

Name: C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
PID: 212
Hidden: No
Window Visible: No

Name: C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
PID: 240
Hidden: No
Window Visible: No

Name: C:\Program Files\Microsoft LifeCam\MSCamS32.exe
PID: 588
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 644
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\alg.exe
PID: 1916
Hidden: No
Window Visible: No

Name: C:\WINDOWS\explorer.exe
PID: 1000
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 1244
Hidden: No
Window Visible: No

Name: C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
PID: 916
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\mmc.exe
PID: 2076
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\dfrgntfs.exe
PID: 312
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\wuauclt.exe
PID: 2972
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\dfrgntfs.exe
PID: 3592
Hidden: No
Window Visible: No

Name: C:\Program Files\Internet Explorer\iexplore.exe
PID: 1668
Hidden: No
Window Visible: No

Name: C:\Program Files\Internet Explorer\iexplore.exe
PID: 1380
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\ctfmon.exe
PID: 2100
Hidden: No
Window Visible: No

Name: C:\Nice Programs\Total Commander\TOTALCMD.EXE
PID: 4044
Hidden: No
Window Visible: Yes

Name: C:\WINDOWS\system32\dfrgntfs.exe
PID: 2472
Hidden: No
Window Visible: No

Name: E:\SysProt\SysProt.exe
PID: 1352
Hidden: No
Window Visible: Yes

Name: C:\Program Files\Internet Explorer\iexplore.exe
PID: 3520
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\notepad.exe
PID: 3340
Hidden: No
Window Visible: Yes

******************************************************************************************
******************************************************************************************
Kernel Modules:
Module Name: \??\E:\SysProt\SysProtDrv.sys
Service Name: SysProtDrv.sys
Module Base: B3157000
Module End: B3162000
Hidden: No

Module Name: C:\WINDOWS\system32\ntkrnlpa.exe
Service Name: ---
Module Base: 804D7000
Module End: 806E4000
Hidden: No

Module Name: C:\WINDOWS\system32\hal.dll
Service Name: ---
Module Base: 806E4000
Module End: 80704D00
Hidden: No

Module Name: C:\WINDOWS\system32\KDCOM.DLL
Service Name: ---
Module Base: B85A8000
Module End: B85AA000
Hidden: No

Module Name: C:\WINDOWS\system32\BOOTVID.dll
Service Name: ---
Module Base: B84B8000
Module End: B84BB000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\a347bus.sys
Service Name: a347bus
Module Base: B7F7F000
Module End: B7FA7000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\ACPI.sys
Service Name: ACPI
Module Base: B7F51000
Module End: B7F7F000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\WMILIB.SYS
Service Name: ---
Module Base: B85AA000
Module End: B85AC000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\Partizan.sys
Service Name: Partizan
Module Base: B8328000
Module End: B8330000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\pci.sys
Service Name: PCI
Module Base: B7F40000
Module End: B7F51000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\isapnp.sys
Service Name: isapnp
Module Base: B80A8000
Module End: B80B2000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\ohci1394.sys
Service Name: ohci1394
Module Base: B80B8000
Module End: B80C8000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\1394BUS.SYS
Service Name: ---
Module Base: B80C8000
Module End: B80D6000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\pciide.sys
Service Name: PCIIde
Module Base: B8670000
Module End: B8671000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\PCIIDEX.SYS
Service Name: ---
Module Base: B8330000
Module End: B8337000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\MountMgr.sys
Service Name: MountMgr
Module Base: B80D8000
Module End: B80E3000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\ftdisk.sys
Service Name: Disk
Module Base: B7F21000
Module End: B7F40000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\dmload.sys
Service Name: dmload
Module Base: B85AC000
Module End: B85AE000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\dmio.sys
Service Name: dmio
Module Base: B7EFB000
Module End: B7F21000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\PartMgr.sys
Service Name: PartMgr
Module Base: B8338000
Module End: B833D000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\VolSnap.sys
Service Name: VolSnap
Module Base: B80E8000
Module End: B80F5000
Hidden: No

Module Name:
Service Name: ---
Module Base: B7EE3000
Module End: B7EFB000
Hidden: Yes

Module Name: C:\WINDOWS\system32\drivers\a347scsi.sys
Service Name: a347scsi
Module Base: B85AE000
Module End: B85B0000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\SCSIPORT.SYS
Service Name: ScsiPort
Module Base: B7ECB000
Module End: B7EE3000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\disk.sys
Service Name: ---
Module Base: B80F8000
Module End: B8101000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\CLASSPNP.SYS
Service Name: ---
Module Base: B8108000
Module End: B8115000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\fltmgr.sys
Service Name: FltMgr
Module Base: B7EAB000
Module End: B7ECB000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\sr.sys
Service Name: sr
Module Base: B7E99000
Module End: B7EAB000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\PxHelp20.sys
Service Name: PxHelp20
Module Base: B8118000
Module End: B8122000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\KSecDD.sys
Service Name: KSecDD
Module Base: B7E82000
Module End: B7E99000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\Ntfs.sys
Service Name: Ntfs
Module Base: B7DF5000
Module End: B7E82000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\NDIS.sys
Service Name: NDIS
Module Base: B7DC8000
Module End: B7DF5000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\Mup.sys
Service Name: Mup
Module Base: B7DAE000
Module End: B7DC8000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\intelppm.sys
Service Name: intelppm
Module Base: B81B8000
Module End: B81C2000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
Service Name: nv
Module Base: B6AA0000
Module End: B746D000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS
Service Name: ---
Module Base: B6A8C000
Module End: B6AA0000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\HECI.sys
Service Name: HECI
Module Base: B81C8000
Module End: B81D3000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\e1e5132.sys
Service Name: e1express
Module Base: B6A4B000
Module End: B6A8C000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\usbuhci.sys
Service Name: usbuhci
Module Base: B8458000
Module End: B845E000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\USBPORT.SYS
Service Name: ---
Module Base: B6A27000
Module End: B6A4B000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\usbehci.sys
Service Name: usbehci
Module Base: B8460000
Module End: B8468000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
Service Name: HDAudBus
Module Base: B69FF000
Module End: B6A27000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\imapi.sys
Service Name: Imapi
Module Base: B81D8000
Module End: B81E3000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Service Name: Cdrom
Module Base: B81E8000
Module End: B81F8000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\redbook.sys
Service Name: redbook
Module Base: B81F8000
Module End: B8206000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ks.sys
Service Name: ---
Module Base: B69DC000
Module End: B69FF000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\nic1394.sys
Service Name: NIC1394
Module Base: B8208000
Module End: B8218000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\serial.sys
Service Name: Serial
Module Base: B8218000
Module End: B8228000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\serenum.sys
Service Name: serenum
Module Base: B7D51000
Module End: B7D55000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\RootMdm.sys
Service Name: ROOTMODEM
Module Base: B85FC000
Module End: B85FE000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Modem.SYS
Service Name: Modem
Module Base: B8470000
Module End: B8478000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
Service Name: Rasl2tp
Module Base: B8228000
Module End: B8235000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ndistapi.sys
Service Name: NdisTapi
Module Base: B7D4D000
Module End: B7D50000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ndiswan.sys
Service Name: NdisWan
Module Base: B69C5000
Module End: B69DC000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\raspppoe.sys
Service Name: RasPppoe
Module Base: B8238000
Module End: B8243000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\raspptp.sys
Service Name: PptpMiniport
Module Base: B8248000
Module End: B8254000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\TDI.SYS
Service Name: ---
Module Base: B8478000
Module End: B847D000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\psched.sys
Service Name: PSched
Module Base: B69B4000
Module End: B69C5000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\msgpc.sys
Service Name: Gpc
Module Base: B8258000
Module End: B8261000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ptilink.sys
Service Name: Ptilink
Module Base: B8480000
Module End: B8485000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\raspti.sys
Service Name: Raspti
Module Base: B8488000
Module End: B848D000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\rdpdr.sys
Service Name: rdpdr
Module Base: B6984000
Module End: B69B4000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\termdd.sys
Service Name: TermDD
Module Base: B8268000
Module End: B8272000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\kbdclass.sys
Service Name: Kbdclass
Module Base: B8490000
Module End: B8496000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\mouclass.sys
Service Name: Mouclass
Module Base: B8498000
Module End: B849E000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\swenum.sys
Service Name: swenum
Module Base: B85FE000
Module End: B8600000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\update.sys
Service Name: Update
Module Base: B6926000
Module End: B6984000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\mssmbios.sys
Service Name: mssmbios
Module Base: B7D31000
Module End: B7D35000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\NDProxy.SYS
Service Name: NDProxy
Module Base: B8288000
Module End: B8292000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\usbhub.sys
Service Name: usbhub
Module Base: B8298000
Module End: B82A7000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\USBD.SYS
Service Name: ---
Module Base: B8602000
Module End: B8604000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\RtkHDAud.sys
Service Name: IntcAzAudAddService
Module Base: B432A000
Module End: B4780000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\portcls.sys
Service Name: ---
Module Base: B4306000
Module End: B432A000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\drmk.sys
Service Name: ---
Module Base: B82A8000
Module End: B82B7000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\flpydisk.sys
Service Name: Flpydisk
Module Base: B84A8000
Module End: B84AD000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Fs_Rec.SYS
Service Name: Fs_Rec
Module Base: B8606000
Module End: B8608000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Null.SYS
Service Name: Null
Module Base: B8762000
Module End: B8763000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Beep.SYS
Service Name: Beep
Module Base: B8608000
Module End: B860A000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ehdrv.sys
Service Name: ehdrv
Module Base: B4299000
Module End: B42B6000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS
Service Name: ---
Module Base: B8348000
Module End: B834F000
Hidden: No

Module Name: C:\WINDOWS\System32\drivers\vga.sys
Service Name: VgaSave
Module Base: B8388000
Module End: B838E000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\mnmdd.SYS
Service Name: mnmdd
Module Base: B860A000
Module End: B860C000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\RDPCDD.sys
Service Name: RDPCDD
Module Base: B860C000
Module End: B860E000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Msfs.SYS
Service Name: Msfs
Module Base: B8390000
Module End: B8395000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Npfs.SYS
Service Name: Npfs
Module Base: B8398000
Module End: B83A0000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\rasacd.sys
Service Name: RasAcd
Module Base: B7D65000
Module End: B7D68000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ipsec.sys
Service Name: IPSec
Module Base: B4266000
Module End: B4279000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\tcpip.sys
Service Name: Tcpip
Module Base: B420D000
Module End: B4266000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\netbt.sys
Service Name: NetBT
Module Base: B41E5000
Module End: B420D000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ipnat.sys
Service Name: IpNat
Module Base: B41BF000
Module End: B41E5000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\wanarp.sys
Service Name: Wanarp
Module Base: B82D8000
Module End: B82E1000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\epfwtdir.sys
Service Name: epfwtdir
Module Base: B41A6000
Module End: B41BF000
Hidden: No

Module Name: C:\WINDOWS\System32\drivers\afd.sys
Service Name: AFD
Module Base: B4184000
Module End: B41A6000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\netbios.sys
Service Name: NetBIOS
Module Base: B82E8000
Module End: B82F1000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\rdbss.sys
Service Name: Rdbss
Module Base: B4159000
Module End: B4184000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\arp1394.sys
Service Name: Arp1394
Module Base: B82F8000
Module End: B8307000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
Service Name: MRxSmb
Module Base: B40C1000
Module End: B4131000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Fips.SYS
Service Name: Fips
Module Base: B8308000
Module End: B8313000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\usbccgp.sys
Service Name: usbccgp
Module Base: B83A0000
Module End: B83A8000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\hidusb.sys
Service Name: hidusb
Module Base: B4794000
Module End: B4797000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS
Service Name: ---
Module Base: B76A7000
Module End: B76B0000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\kbdhid.sys
Service Name: kbdhid
Module Base: B478C000
Module End: B4790000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\mouhid.sys
Service Name: mouhid
Module Base: B4784000
Module End: B4787000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\point32.sys
Service Name: Point32
Module Base: B83A8000
Module End: B83AE000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Fastfat.SYS
Service Name: Fastfat
Module Base: B3FFD000
Module End: B4021000
Hidden: No

Module Name: \SystemRoot\System32\Drivers\dump_atapi.sys
Service Name: atapi
Module Base: B3FE5000
Module End: B3FFD000
Hidden: Yes

Module Name: \SystemRoot\System32\Drivers\dump_WMILIB.SYS
Service Name: ---
Module Base: B8640000
Module End: B8642000
Hidden: Yes

Module Name: C:\WINDOWS\System32\drivers\Dxapi.sys
Service Name: ---
Module Base: B42E2000
Module End: B42E5000
Hidden: No

Module Name: C:\WINDOWS\System32\watchdog.sys
Service Name: ---
Module Base: B83B8000
Module End: B83BD000
Hidden: No

Module Name: C:\WINDOWS\System32\drivers\dxgthk.sys
Service Name: ---
Module Base: B87BB000
Module End: B87BC000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\eamon.sys
Service Name: eamon
Module Base: B3BE9000
Module End: B3CA5000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\nwlnkipx.sys
Service Name: NwlnkIpx
Module Base: B3B83000
Module End: B3B99000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\nwlnknb.sys
Service Name: NwlnkNb
Module Base: B7647000
Module End: B7657000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ndisuio.sys
Service Name: Ndisuio
Module Base: B3CDD000
Module End: B3CE1000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\wdmaud.sys
Service Name: wdmaud
Module Base: B398E000
Module End: B39A3000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\sysaudio.sys
Service Name: sysaudio
Module Base: B3B23000
Module End: B3B32000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\nwlnkspx.sys
Service Name: NwlnkSpx
Module Base: B39C3000
Module End: B39D1000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\atksgt.sys
Service Name: atksgt
Module Base: B3653000
Module End: B3696000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\lirsgt.sys
Service Name: lirsgt
Module Base: B83F0000
Module End: B83F5000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\srv.sys
Service Name: Srv
Module Base: B35FC000
Module End: B3653000
Hidden: No

Module Name: \??\E:\Nice Programs\PowerDVD10\PowerDVD10\NavFilter\000.fcl
Service Name: {1BA31E5A-C098-42d8-8F88-3C9F78A2FDDC}
Module Base: B3490000
Module End: B34BC000
Hidden: No

Module Name: \??\C:\WINDOWS\TEMP\mbr.sys
Service Name: mbr
Module Base: B8450000
Module End: B8456000
Hidden: Yes

Module Name: \??\C:\WINDOWS\TEMP\catchme.sys
Service Name: catchme
Module Base: B8400000
Module End: B8408000
Hidden: Yes

Module Name: \??\C:\WINDOWS\system32\Drivers\PROCEXP113.SYS
Service Name: ---
Module Base: B85C6000
Module End: B85C8000
Hidden: Yes

Module Name: C:\WINDOWS\System32\Drivers\HTTP.sys
Service Name: HTTP
Module Base: B321F000
Module End: B3260000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Cdfs.SYS
Service Name: Cdfs
Module Base: B3A13000
Module End: B3A23000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\UnHackMeDrv.sys
Service Name: ---
Module Base: B8610000
Module End: B8612000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\kmixer.sys
Service Name: kmixer
Module Base: B308C000
Module End: B30B7000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\fdc.sys
Service Name: Fdc
Module Base: B8468000
Module End: B846F000
Hidden: No

******************************************************************************************
******************************************************************************************
SSDT:
Function Name: ZwAssignProcessToJobObject
Address: 89BF3580
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwClose
Address: B7F8D028
Driver Base: B7F7F000
Driver End: B7FA7000
Driver Name: a347bus.sys

Function Name: ZwCreateKey
Address: B7F8CFE0
Driver Base: B7F7F000
Driver End: B7FA7000
Driver Name: a347bus.sys

Function Name: ZwCreatePagingFile
Address: B7F80B00
Driver Base: B7F7F000
Driver End: B7FA7000
Driver Name: a347bus.sys

Function Name: ZwDebugActiveProcess
Address: 89BF4100
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwDuplicateObject
Address: 89BF3B30
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwEnumerateKey
Address: B7F815DC
Driver Base: B7F7F000
Driver End: B7FA7000
Driver Name: a347bus.sys

Function Name: ZwEnumerateValueKey
Address: B7F8D120
Driver Base: B7F7F000
Driver End: B7FA7000
Driver Name: a347bus.sys

Function Name: ZwOpenFile
Address: B7F80B40
Driver Base: B7F7F000
Driver End: B7FA7000
Driver Name: a347bus.sys

Function Name: ZwOpenKey
Address: B7F8CFA4
Driver Base: B7F7F000
Driver End: B7FA7000
Driver Name: a347bus.sys

Function Name: ZwOpenProcess
Address: 89BF2CC0
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwOpenThread
Address: 89BF2FC0
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwProtectVirtualMemory
Address: 89BF39C0
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwQueryKey
Address: B7F815FC
Driver Base: B7F7F000
Driver End: B7FA7000
Driver Name: a347bus.sys

Function Name: ZwQueryValueKey
Address: B7F8D076
Driver Base: B7F7F000
Driver End: B7FA7000
Driver Name: a347bus.sys

Function Name: ZwSetContextThread
Address: 89BF3860
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwSetInformationThread
Address: 89BF36E0
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwSetSecurityObject
Address: 89BF0700
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwSetSystemPowerState
Address: B7F8C550
Driver Base: B7F7F000
Driver End: B7FA7000
Driver Name: a347bus.sys

Function Name: ZwSuspendProcess
Address: 89BF3420
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwSuspendThread
Address: 89BF32C0
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwTerminateProcess
Address: 89BF2E50
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwTerminateThread
Address: 89BF3150
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwWriteVirtualMemory
Address: 89BF3F50
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

******************************************************************************************
******************************************************************************************
No Kernel Hooks found

******************************************************************************************
******************************************************************************************
IRP Hooks:
Hooked Module: C:\WINDOWS\system32\drivers\a347scsi.sys
Hooked IRP: IRP_MJ_CREATE
Jump To: 8A202008
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\a347scsi.sys
Hooked IRP: IRP_MJ_CREATE_NAMED_PIPE
Jump To: 8A202008
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\a347scsi.sys
Hooked IRP: IRP_MJ_CLOSE
Jump To: 8A202008
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\a347scsi.sys
Hooked IRP: IRP_MJ_READ
Jump To: 8A202008
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\a347scsi.sys
Hooked IRP: IRP_MJ_WRITE
Jump To: 8A202008
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\a347scsi.sys
Hooked IRP: IRP_MJ_QUERY_INFORMATION
Jump To: 8A202008
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\a347scsi.sys
Hooked IRP: IRP_MJ_SET_INFORMATION
Jump To: 8A202008
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\a347scsi.sys
Hooked IRP: IRP_MJ_QUERY_EA
Jump To: 8A202008
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\a347scsi.sys
Hooked IRP: IRP_MJ_SET_EA
Jump To: 8A202008
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\a347scsi.sys
Hooked IRP: IRP_MJ_FLUSH_BUFFERS
Jump To: 8A202008
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\a347scsi.sys
Hooked IRP: IRP_MJ_QUERY_VOLUME_INFORMATION
Jump To: 8A202008
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\a347scsi.sys
Hooked IRP: IRP_MJ_SET_VOLUME_INFORMATION
Jump To: 8A202008
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\a347scsi.sys
Hooked IRP: IRP_MJ_DIRECTORY_CONTROL
Jump To: 8A202008
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\a347scsi.sys
Hooked IRP: IRP_MJ_FILE_SYSTEM_CONTROL
Jump To: 8A202008
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\a347scsi.sys
Hooked IRP: IRP_MJ_DEVICE_CONTROL
Jump To: 8A202008
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\a347scsi.sys
Hooked IRP: IRP_MJ_INTERNAL_DEVICE_CONTROL
Jump To: 8A202008
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\a347scsi.sys
Hooked IRP: IRP_MJ_SHUTDOWN
Jump To: 8A202008
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\a347scsi.sys
Hooked IRP: IRP_MJ_LOCK_CONTROL
Jump To: 8A202008
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\a347scsi.sys
Hooked IRP: IRP_MJ_CLEANUP
Jump To: 8A202008
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\a347scsi.sys
Hooked IRP: IRP_MJ_CREATE_MAILSLOT
Jump To: 8A202008
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\a347scsi.sys
Hooked IRP: IRP_MJ_QUERY_SECURITY
Jump To: 8A202008
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\a347scsi.sys
Hooked IRP: IRP_MJ_SET_SECURITY
Jump To: 8A202008
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\a347scsi.sys
Hooked IRP: IRP_MJ_POWER
Jump To: 8A202008
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\a347scsi.sys
Hooked IRP: IRP_MJ_SYSTEM_CONTROL
Jump To: 8A202008
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\a347scsi.sys
Hooked IRP: IRP_MJ_DEVICE_CHANGE
Jump To: 8A202008
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\a347scsi.sys
Hooked IRP: IRP_MJ_QUERY_QUOTA
Jump To: 8A202008
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\a347scsi.sys
Hooked IRP: IRP_MJ_SET_QUOTA
Jump To: 8A202008
Hooking Module: _unknown_

Hooked Module:
Hooked IRP: IRP_MJ_CREATE
Jump To: 8A215908
Hooking Module: _unknown_

Hooked Module:
Hooked IRP: IRP_MJ_CREATE_NAMED_PIPE
Jump To: 8A215908
Hooking Module: _unknown_

Hooked Module:
Hooked IRP: IRP_MJ_CLOSE
Jump To: 8A215908
Hooking Module: _unknown_

Hooked Module:
Hooked IRP: IRP_MJ_READ
Jump To: 8A215908
Hooking Module: _unknown_

Hooked Module:
Hooked IRP: IRP_MJ_WRITE
Jump To: 8A215908
Hooking Module: _unknown_

Hooked Module:
Hooked IRP: IRP_MJ_QUERY_INFORMATION
Jump To: 8A215908
Hooking Module: _unknown_

Hooked Module:
Hooked IRP: IRP_MJ_SET_INFORMATION
Jump To: 8A215908
Hooking Module: _unknown_

Hooked Module:
Hooked IRP: IRP_MJ_QUERY_EA
Jump To: 8A215908
Hooking Module: _unknown_

Hooked Module:
Hooked IRP: IRP_MJ_SET_EA
Jump To: 8A215908
Hooking Module: _unknown_

Hooked Module:
Hooked IRP: IRP_MJ_FLUSH_BUFFERS
Jump To: 8A215908
Hooking Module: _unknown_

Hooked Module:
Hooked IRP: IRP_MJ_QUERY_VOLUME_INFORMATION
Jump To: 8A215908
Hooking Module: _unknown_

Hooked Module:
Hooked IRP: IRP_MJ_SET_VOLUME_INFORMATION
Jump To: 8A215908
Hooking Module: _unknown_

Hooked Module:
Hooked IRP: IRP_MJ_DIRECTORY_CONTROL
Jump To: 8A215908
Hooking Module: _unknown_

Hooked Module:
Hooked IRP: IRP_MJ_FILE_SYSTEM_CONTROL
Jump To: 8A215908
Hooking Module: _unknown_

Hooked Module:
Hooked IRP: IRP_MJ_DEVICE_CONTROL
Jump To: 8A215908
Hooking Module: _unknown_

Hooked Module:
Hooked IRP: IRP_MJ_INTERNAL_DEVICE_CONTROL
Jump To: 8A215908
Hooking Module: _unknown_

Hooked Module:
Hooked IRP: IRP_MJ_SHUTDOWN
Jump To: 8A215908
Hooking Module: _unknown_

Hooked Module:
Hooked IRP: IRP_MJ_LOCK_CONTROL
Jump To: 8A215908
Hooking Module: _unknown_

Hooked Module:
Hooked IRP: IRP_MJ_CLEANUP
Jump To: 8A215908
Hooking Module: _unknown_

Hooked Module:
Hooked IRP: IRP_MJ_CREATE_MAILSLOT
Jump To: 8A215908
Hooking Module: _unknown_

Hooked Module:
Hooked IRP: IRP_MJ_QUERY_SECURITY
Jump To: 8A215908
Hooking Module: _unknown_

Hooked Module:
Hooked IRP: IRP_MJ_SET_SECURITY
Jump To: 8A215908
Hooking Module: _unknown_

Hooked Module:
Hooked IRP: IRP_MJ_POWER
Jump To: 8A215908
Hooking Module: _unknown_

Hooked Module:
Hooked IRP: IRP_MJ_SYSTEM_CONTROL
Jump To: 8A215908
Hooking Module: _unknown_

Hooked Module:
Hooked IRP: IRP_MJ_DEVICE_CHANGE
Jump To: 8A215908
Hooking Module: _unknown_

Hooked Module:
Hooked IRP: IRP_MJ_QUERY_QUOTA
Jump To: 8A215908
Hooking Module: _unknown_

Hooked Module:
Hooked IRP: IRP_MJ_SET_QUOTA
Jump To: 8A215908
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Hooked IRP: IRP_MJ_CREATE
Jump To: 8A201A60
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Hooked IRP: IRP_MJ_CREATE_NAMED_PIPE
Jump To: 8A201A60
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Hooked IRP: IRP_MJ_CLOSE
Jump To: 8A201A60
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Hooked IRP: IRP_MJ_READ
Jump To: 8A201A60
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Hooked IRP: IRP_MJ_WRITE
Jump To: 8A201A60
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Hooked IRP: IRP_MJ_QUERY_INFORMATION
Jump To: 8A201A60
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Hooked IRP: IRP_MJ_SET_INFORMATION
Jump To: 8A201A60
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Hooked IRP: IRP_MJ_QUERY_EA
Jump To: 8A201A60
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Hooked IRP: IRP_MJ_SET_EA
Jump To: 8A201A60
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Hooked IRP: IRP_MJ_FLUSH_BUFFERS
Jump To: 8A201A60
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Hooked IRP: IRP_MJ_QUERY_VOLUME_INFORMATION
Jump To: 8A201A60
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Hooked IRP: IRP_MJ_SET_VOLUME_INFORMATION
Jump To: 8A201A60
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Hooked IRP: IRP_MJ_DIRECTORY_CONTROL
Jump To: 8A201A60
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Hooked IRP: IRP_MJ_FILE_SYSTEM_CONTROL
Jump To: 8A201A60
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Hooked IRP: IRP_MJ_DEVICE_CONTROL
Jump To: 8A201A60
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Hooked IRP: IRP_MJ_INTERNAL_DEVICE_CONTROL
Jump To: 8A201A60
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Hooked IRP: IRP_MJ_SHUTDOWN
Jump To: 8A201A60
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Hooked IRP: IRP_MJ_LOCK_CONTROL
Jump To: 8A201A60
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Hooked IRP: IRP_MJ_CLEANUP
Jump To: 8A201A60
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Hooked IRP: IRP_MJ_CREATE_MAILSLOT
Jump To: 8A201A60
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Hooked IRP: IRP_MJ_QUERY_SECURITY
Jump To: 8A201A60
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Hooked IRP: IRP_MJ_SET_SECURITY
Jump To: 8A201A60
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Hooked IRP: IRP_MJ_POWER
Jump To: 8A201A60
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Hooked IRP: IRP_MJ_SYSTEM_CONTROL
Jump To: 8A201A60
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Hooked IRP: IRP_MJ_DEVICE_CHANGE
Jump To: 8A201A60
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Hooked IRP: IRP_MJ_QUERY_QUOTA
Jump To: 8A201A60
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Hooked IRP: IRP_MJ_SET_QUOTA
Jump To: 8A201A60
Hooking Module: _unknown_

******************************************************************************************
******************************************************************************************
Ports:
Local Address: USER-907F5FD299:30606
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
State: LISTENING

Local Address: USER-907F5FD299:1974
Remote Address: LOCALHOST:30606
Type: TCP
Process: C:\Program Files\Internet Explorer\iexplore.exe
State: CLOSE_WAIT

Local Address: USER-907F5FD299:1960
Remote Address: LOCALHOST:30606
Type: TCP
Process: C:\Program Files\Internet Explorer\iexplore.exe
State: CLOSE_WAIT

Local Address: USER-907F5FD299:1958
Remote Address: LOCALHOST:30606
Type: TCP
Process: C:\Program Files\Internet Explorer\iexplore.exe
State: CLOSE_WAIT

Local Address: USER-907F5FD299:1025
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\WINDOWS\system32\alg.exe
State: LISTENING

Local Address: USER-907F5FD299.HOME:1983
Remote Address: RTA1025W.HOME:5431
Type: TCP
Process: C:\WINDOWS\system32\svchost.exe
State: ESTABLISHED

Local Address: USER-907F5FD299.HOME:NETBIOS-SSN
Remote Address: 0.0.0.0:0
Type: TCP
Process: System
State: LISTENING

Local Address: USER-907F5FD299:MICROSOFT-DS
Remote Address: 0.0.0.0:0
Type: TCP
Process: System
State: LISTENING

Local Address: USER-907F5FD299:EPMAP
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\WINDOWS\system32\svchost.exe
State: LISTENING

Local Address: USER-907F5FD299:1943
Remote Address: NA
Type: UDP
Process: C:\Program Files\Internet Explorer\iexplore.exe
State: NA

Local Address: USER-907F5FD299:1900
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA

Local Address: USER-907F5FD299:1123
Remote Address: NA
Type: UDP
Process: C:\Program Files\Internet Explorer\iexplore.exe
State: NA

Local Address: USER-907F5FD299:1067
Remote Address: NA
Type: UDP
Process: C:\Program Files\Internet Explorer\iexplore.exe
State: NA

Local Address: USER-907F5FD299:123
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA

Local Address: USER-907F5FD299.HOME:1900
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA

Local Address: USER-907F5FD299.HOME:138
Remote Address: NA
Type: UDP
Process: System
State: NA

Local Address: USER-907F5FD299.HOME:NETBIOS-NS
Remote Address: NA
Type: UDP
Process: System
State: NA

Local Address: USER-907F5FD299.HOME:123
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA

Local Address: USER-907F5FD299:MICROSOFT-DS
Remote Address: NA
Type: UDP
Process: System
State: NA

******************************************************************************************
******************************************************************************************
Hidden files/folders:
Object: F:\Documents and Settings\Me\Favorites\משחקים\Certain Games\Lemmings\Lemmings Level Packs ₪ The Lemmings File Archive.url
Status: Hidden

Object: F:\Documents and Settings\Me\Favorites\משחקים\Certain Games\Lemmings\Lemmings Level Packs ₪ The Lemmings File Archive22.url
Status: Hidden

Object: F:\System Volume Information\MountPointManagerRemoteDatabase
Status: Access denied

Object: F:\System Volume Information\tracking.log
Status: Access denied

Object: F:\System Volume Information\_restore{10A0344D-3F53-4FEA-984A-85F9EFC101F4}
Status: Access denied

Object: F:\System Volume Information\_restore{884AB70B-0DA2-492F-B66C-22E698445161}
Status: Access denied

Object: F:\סרטונים\Compilation\מצויר\[?????] COMPILATION of FINAL FANTASY VII :REFLECTIONS?03 CRISIS CORE [SQUARE ENIX PARTY 2005 ver] (704x396 DivX511).avi
Status: Hidden

Object: E:\eMule\Incoming\Documents\Small Doucment Categories\Social Networks\Facebook\[???????:Facebook???????????????].The.accidental.billionaires.the.founding.of.Facebook,.a.tale.of.sex,.money,.genius.and.betrayal.(?).Ben.Mezrich.?????.pdf
Status: Hidden

Object: E:\eMule\Incoming\Documents\X-More Documents-X\????——??(???)(Just.the.Facts.Human.Body).pdf
Status: Hidden

Object: E:\eMule\Incoming\ZIPS\Audiobook Heb - Ephraim Kishon -×?×?'×?× ×?'×? עם ×?מ×₪×?×? (2005).rar
Status: Hidden

Object: E:\eMule\Incoming\ZIPS\Harry Potter And The Deathly Hallows.heb ×?אר×? ×₪×?×?ר 7 ×?ע×?ר×?×?.[wnet.co.il].zip
Status: Hidden

Object: E:\eMule\Incoming\[????2:????].Faerietale.iso
Status: Hidden

Object: E:\eMule\Incoming\[????2:????].Faerietale.txt
Status: Hidden

Object: E:\System Volume Information\MountPointManagerRemoteDatabase
Status: Access denied

Object: E:\System Volume Information\tracking.log
Status: Access denied

Object: E:\System Volume Information\_restore{10A0344D-3F53-4FEA-984A-85F9EFC101F4}
Status: Access denied

Object: E:\System Volume Information\_restore{A4E4368F-77A6-44B2-A54C-1937B7FFC76C}
Status: Access denied

Object: E:\Word Files\ New Files\ועוד\Treben, Maria - Gesundheit Aus Der Apotheke Gottes - (Schwedenbitter,Alternative Medizin,Kr?₪uter,Heilkunde,Zinnkraut,Etc Genial Gut!).pdf
Status: Hidden

Object: E:\Word Files\ New Files\נוספים\The.New.Cambridge.Modern.History,.Vol.06:The.Rise.of.Great.Britain.and.Russia,1688-1715\25(1971).pdf
Status: Hidden

Object: E:\Word Files\ New Files\נוספים\[Joe Barrett] The Image-Space Lightroom:Tips & Tricks.pdf
Status: Hidden

Object: C:\Documents and Settings\user\Favorites\משחקים\Certain Games\Lemmings\Lemmings Level Packs ₪ The Lemmings File Archive.url
Status: Hidden

Object: C:\Documents and Settings\user\Favorites\משחקים\Certain Games\Lemmings\Lemmings Level Packs ₪ The Lemmings File Archive22.url
Status: Hidden

Object: C:\Documents and Settings\user\Favorites\?????2:?????(Faerietale)???-??????[????]_VeryCD????.url
Status: Hidden

Object: C:\Sims\ISOS+Zips\[????3:?????].The.Sims.3.High.End.Loft.Stuff-ViTALiTY.iso
Status: Hidden

Object: C:\וידאו\-נותרו למיון-\Resident.Evil.Degeneration.????:??.HR-HDTV.AC3.960X528.x264.????.????.sample.avi
Status: Hidden

Object: C:\וידאו\-נותרו למיון-\[???????:??????].Physics.Of.The.Impossible.1x04.How.To.Teleport.2009.HDTV.rmvb
Status: Hidden

Object: C:\וידאו\-נותרו למיון-\[????2:????].National.Treasure.Book.of.Secrets.????.HR-HDTV.AC3.960X528.x264-????.Sample.avi
Status: Hidden
Rootkit reveal

HKU\S-1-5-21-790525478-1177238915-725345543-1003\Console 02/10/2010 04:33 0 bytes Security mismatch.
HKLM\SECURITY\Policy\Secrets\SAC* 11/03/2010 19:28 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI* 11/03/2010 19:28 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\Installer\Products\32418F9EE1126B64A90E8365B85CFCF6\ProductName 22/09/2010 14:37 26 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed 02/10/2010 06:16 80 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E9F81423-211E-46B6-9AE0-38568BC5CF6F}\DisplayName 22/09/2010 14:42 26 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Swearware\backup\winsock2 18/06/2010 16:27 0 bytes Security mismatch.
HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters 18/06/2010 16:27 0 bytes Security mismatch.
HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\NameSpace_Catalog5 18/06/2010 16:27 0 bytes Security mismatch.
HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries 18/06/2010 16:27 0 bytes Security mismatch.
HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 18/06/2010 16:27 0 bytes Security mismatch.
HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 18/06/2010 16:27 0 bytes Security mismatch.
HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 18/06/2010 16:27 0 bytes Security mismatch.
HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004 18/06/2010 16:27 0 bytes Security mismatch.
HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\Protocol_Catalog9 18/06/2010 16:27 0 bytes Security mismatch.
HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries 18/06/2010 16:27 0 bytes Security mismatch.
HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001 18/06/2010 16:27 0 bytes Security mismatch.
HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002 18/06/2010 16:27 0 bytes Security mismatch.
HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003 18/06/2010 16:27 0 bytes Security mismatch.
HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004 18/06/2010 16:27 0 bytes Security mismatch.
HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005 18/06/2010 16:27 0 bytes Security mismatch.
HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006 18/06/2010 16:27 0 bytes Security mismatch.
HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007 18/06/2010 16:27 0 bytes Security mismatch.
HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008 18/06/2010 16:27 0 bytes Security mismatch.
HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009 18/06/2010 16:27 0 bytes Security mismatch.
HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010 18/06/2010 16:27 0 bytes Security mismatch.
HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011 18/06/2010 16:27 0 bytes Security mismatch.
HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000012 18/06/2010 16:27 0 bytes Security mismatch.
HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000013 18/06/2010 16:27 0 bytes Security mismatch.
HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000014 18/06/2010 16:27 0 bytes Security mismatch.
HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000015 18/06/2010 16:27 0 bytes Security mismatch.
HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000016 18/06/2010 16:27 0 bytes Security mismatch.
HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000017 18/06/2010 16:27 0 bytes Security mismatch.
HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000018 18/06/2010 16:27 0 bytes Security mismatch.
HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000019 18/06/2010 16:27 0 bytes Security mismatch.
HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000020 18/06/2010 16:27 0 bytes Security mismatch.
HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000021 18/06/2010 16:27 0 bytes Security mismatch.
HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000022 18/06/2010 16:27 0 bytes Security mismatch.
HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000023 18/06/2010 16:27 0 bytes Security mismatch.
HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000024 18/06/2010 16:27 0 bytes Security mismatch.
HKLM\SYSTEM\ControlSet001\Services\a347scsi\Config\jdgg40 02/10/2010 03:02 0 bytes Hidden from Windows API.
Sorry for repeating the log, but after using TDSSKiller, which is probably the rootkit I have, my system crashed and I had to revert the changes.

2010/10/02 04:40:50.0406 TDSS rootkit removing tool 2.4.3.0 Sep 27 2010 15:28:54
2010/10/02 04:40:50.0406 ================================================================================
2010/10/02 04:40:50.0406 SystemInfo:
2010/10/02 04:40:50.0406
2010/10/02 04:40:50.0406 OS Version: 5.1.2600 ServicePack: 3.0
2010/10/02 04:40:50.0406 Product type: Workstation
2010/10/02 04:40:50.0406 ComputerName: USER-907F5FD299
2010/10/02 04:40:50.0406 UserName: Administrator
2010/10/02 04:40:50.0406 Windows directory: C:\WINDOWS
2010/10/02 04:40:50.0406 System windows directory: C:\WINDOWS
2010/10/02 04:40:50.0406 Processor architecture: Intel x86
2010/10/02 04:40:50.0406 Number of processors: 2
2010/10/02 04:40:50.0406 Page size: 0x1000
2010/10/02 04:40:50.0406 Boot type: Safe boot
2010/10/02 04:40:50.0406 ================================================================================
2010/10/02 04:40:52.0031 Initialize success
2010/10/02 04:40:55.0781 ================================================================================
2010/10/02 04:40:55.0781 Scan started
2010/10/02 04:40:55.0781 Mode: Manual;
2010/10/02 04:40:55.0781 ================================================================================
2010/10/02 04:41:07.0906 a347bus (1f61cacacb521215f39061789147968c) C:\WINDOWS\system32\DRIVERS\a347bus.sys
2010/10/02 04:41:08.0125 a347scsi (113e4b318bbaa7483ca4e582a4d63f49) C:\WINDOWS\system32\Drivers\a347scsi.sys
2010/10/02 04:41:08.0750 ACPI (26a773e6c500277c5a817fab68cd0bb9) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2010/10/02 04:41:09.0015 ACPIEC (ea755aa1a97ed90d446e1a43ae3fb619) C:\WINDOWS\system32\drivers\ACPIEC.sys
2010/10/02 04:41:09.0453 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2010/10/02 04:41:09.0734 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
2010/10/02 04:41:10.0937 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
2010/10/02 04:41:11.0734 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2010/10/02 04:41:11.0968 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2010/10/02 04:41:11.0968 Suspicious file (NoAccess): C:\WINDOWS\system32\DRIVERS\atapi.sys. md5: 9f3a2f5aa6875c72bf062c712cfa2674
2010/10/02 04:41:11.0968 atapi - detected Locked file (1)
2010/10/02 04:41:12.0421 atksgt (f0d933b42cd0594048e4d5200ae9e417) C:\WINDOWS\system32\DRIVERS\atksgt.sys
2010/10/02 04:41:12.0718 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2010/10/02 04:41:12.0937 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2010/10/02 04:41:13.0156 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2010/10/02 04:41:13.0406 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2010/10/02 04:41:13.0609 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
2010/10/02 04:41:13.0984 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2010/10/02 04:41:14.0203 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2010/10/02 04:41:14.0421 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2010/10/02 04:41:15.0640 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2010/10/02 04:41:16.0031 dmboot (759a1336055e6b614b2462d0f45d6278) C:\WINDOWS\system32\drivers\dmboot.sys
2010/10/02 04:41:16.0437 dmio (8ca1a6932d84b2c23d5d488d23d3b01d) C:\WINDOWS\system32\drivers\dmio.sys
2010/10/02 04:41:16.0656 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2010/10/02 04:41:16.0875 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2010/10/02 04:41:17.0265 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2010/10/02 04:41:17.0546 e1express (34aaa3b298a852b3663e6e0d94d12945) C:\WINDOWS\system32\DRIVERS\e1e5132.sys
2010/10/02 04:41:17.0843 eamon (e31464ce787e3a0ffea55baa591897f0) C:\WINDOWS\system32\DRIVERS\eamon.sys
2010/10/02 04:41:18.0093 ehdrv (2c95a7a87e4272c1fff9baf579677db3) C:\WINDOWS\system32\DRIVERS\ehdrv.sys
2010/10/02 04:41:18.0312 epfwtdir (4699a50183b792d994be657c68f18e9e) C:\WINDOWS\system32\DRIVERS\epfwtdir.sys
2010/10/02 04:41:18.0593 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2010/10/02 04:41:18.0828 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
2010/10/02 04:41:19.0031 Fips (11bb3067883475f2ecbb77c01181e2d5) C:\WINDOWS\system32\drivers\Fips.sys
2010/10/02 04:41:19.0250 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2010/10/02 04:41:19.0468 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2010/10/02 04:41:19.0703 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2010/10/02 04:41:19.0921 Ftdisk (edf3126968525a17de8b382aec99cdcc) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2010/10/02 04:41:20.0156 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2010/10/02 04:41:20.0406 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
2010/10/02 04:41:20.0609 HECI (cc2c8c23417cc7ddf5eddb17e60a14db) C:\WINDOWS\system32\DRIVERS\HECI.sys
2010/10/02 04:41:20.0828 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2010/10/02 04:41:21.0281 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2010/10/02 04:41:21.0937 i8042prt (97eef4179f7ec9138254c944bb0e1ef8) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2010/10/02 04:41:22.0156 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2010/10/02 04:41:23.0609 IntcAzAudAddService (e37589414437a60797e94c0f57c546db) C:\WINDOWS\system32\drivers\RtkHDAud.sys
2010/10/02 04:41:25.0015 intelppm (f2fcd248738a7f5fb2857341832591a6) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2010/10/02 04:41:25.0234 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2010/10/02 04:41:25.0453 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2010/10/02 04:41:25.0656 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2010/10/02 04:41:25.0890 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2010/10/02 04:41:26.0140 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2010/10/02 04:41:26.0343 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2010/10/02 04:41:26.0562 isapnp (e058a0e262c184f4d47a7677291ac81e) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2010/10/02 04:41:26.0796 Kbdclass (e05fd8a6f54f4fd6f628b48c0ccee2a4) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2010/10/02 04:41:27.0000 kbdhid (9c5f0cb2a0fd3180ab17b5d3566f5033) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2010/10/02 04:41:27.0234 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2010/10/02 04:41:27.0500 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2010/10/02 04:41:27.0937 lirsgt (f8a7212d0864ef5e9185fb95e6623f4d) C:\WINDOWS\system32\DRIVERS\lirsgt.sys
2010/10/02 04:41:28.0156 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2010/10/02 04:41:28.0375 Modem (c8088f5ceae5784a8b4addd9355ef247) C:\WINDOWS\system32\drivers\Modem.sys
2010/10/02 04:41:28.0593 Mouclass (57c0574c8b9a26092ec301f88861919c) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2010/10/02 04:41:28.0812 mouhid (67d4fcccf487a1d4277ab31151e33d42) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2010/10/02 04:41:29.0015 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2010/10/02 04:41:29.0453 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2010/10/02 04:41:29.0796 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2010/10/02 04:41:30.0109 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2010/10/02 04:41:30.0312 MSHUSBVideo (5119ffc2a6b51089cdb0efdc75808c97) C:\WINDOWS\system32\Drivers\nx6000.sys
2010/10/02 04:41:30.0531 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2010/10/02 04:41:30.0734 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2010/10/02 04:41:30.0937 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2010/10/02 04:41:31.0140 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2010/10/02 04:41:31.0328 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
2010/10/02 04:41:31.0546 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2010/10/02 04:41:31.0781 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
2010/10/02 04:41:32.0031 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2010/10/02 04:41:32.0250 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
2010/10/02 04:41:32.0453 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2010/10/02 04:41:32.0656 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2010/10/02 04:41:32.0859 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2010/10/02 04:41:33.0078 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
2010/10/02 04:41:33.0281 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2010/10/02 04:41:33.0515 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2010/10/02 04:41:33.0781 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
2010/10/02 04:41:34.0015 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2010/10/02 04:41:34.0343 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2010/10/02 04:41:34.0703 NuidFltr (20623a75f3c6c1076ebba64dd8c4bc02) C:\WINDOWS\system32\DRIVERS\NuidFltr.sys
2010/10/02 04:41:34.0890 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2010/10/02 04:41:37.0484 nv (cb0ce8de9f66a297cd86eb98921b8e58) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
2010/10/02 04:41:40.0062 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2010/10/02 04:41:40.0265 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2010/10/02 04:41:40.0484 NwlnkIpx (8b8b1be2dba4025da6786c645f77f123) C:\WINDOWS\system32\DRIVERS\nwlnkipx.sys
2010/10/02 04:41:40.0703 NwlnkNb (56d34a67c05e94e16377c60609741ff8) C:\WINDOWS\system32\DRIVERS\nwlnknb.sys
2010/10/02 04:41:40.0906 NwlnkSpx (c0bb7d1615e1acbdc99757f6ceaf8cf0) C:\WINDOWS\system32\DRIVERS\nwlnkspx.sys
2010/10/02 04:41:41.0125 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
2010/10/02 04:41:41.0375 ovt519 (4cdadec3dc1300ee1d313ea5494e6472) C:\WINDOWS\system32\Drivers\ov519vid.sys
2010/10/02 04:41:41.0640 Parport (bd549622b39da6ef5ba31cb01b2179d3) C:\WINDOWS\system32\drivers\Parport.sys
2010/10/02 04:41:41.0859 Partizan (6ddcf3f801ec15fe698f6a215cf30a1f) C:\WINDOWS\system32\drivers\Partizan.sys
2010/10/02 04:41:42.0046 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2010/10/02 04:41:42.0250 ParVdm (ad8f8e81709e222076678a501bd6d1e1) C:\WINDOWS\system32\drivers\ParVdm.sys
2010/10/02 04:41:42.0437 PCI (40f8158057494d56d22038e4536c5395) C:\WINDOWS\system32\DRIVERS\pci.sys
2010/10/02 04:41:42.0843 PCIIde (6683c158d30ded5dbfd5733ce066be9a) C:\WINDOWS\system32\DRIVERS\pciide.sys
2010/10/02 04:41:43.0078 Pcmcia (5f8c49e11d221e6a9c7f016758bd9c92) C:\WINDOWS\system32\drivers\Pcmcia.sys
2010/10/02 04:41:44.0468 Point32 (2e3394c8ebf31a9b4f0a531eb5cc7bc7) C:\WINDOWS\system32\DRIVERS\point32.sys
2010/10/02 04:41:44.0703 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2010/10/02 04:41:44.0906 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2010/10/02 04:41:45.0125 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2010/10/02 04:41:45.0328 PxHelp20 (153d02480a0a2f45785522e814c634b6) C:\WINDOWS\system32\Drivers\PxHelp20.sys
2010/10/02 04:41:46.0468 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2010/10/02 04:41:46.0671 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2010/10/02 04:41:46.0890 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2010/10/02 04:41:47.0078 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2010/10/02 04:41:47.0328 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2010/10/02 04:41:47.0562 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2010/10/02 04:41:47.0796 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2010/10/02 04:41:48.0093 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2010/10/02 04:41:48.0328 redbook (62d088cfdf90670dc22cdf236424e9ab) C:\WINDOWS\system32\DRIVERS\redbook.sys
2010/10/02 04:41:48.0562 RegGuard (37ecebdd930395a9c399fb18a3c236d3) C:\WINDOWS\system32\Drivers\regguard.sys
2010/10/02 04:41:48.0796 ROOTMODEM (d8b0b4ade32574b2d9c5cc34dc0dbbe7) C:\WINDOWS\system32\Drivers\RootMdm.sys
2010/10/02 04:41:49.0046 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2010/10/02 04:41:49.0265 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2010/10/02 04:41:49.0468 Serial (c4e811de8388c98eb5701a6dd2b14b33) C:\WINDOWS\system32\DRIVERS\serial.sys
2010/10/02 04:41:49.0703 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2010/10/02 04:41:50.0093 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
2010/10/02 04:41:50.0500 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2010/10/02 04:41:50.0718 sr (ec70007bab7c42ccd340a068f87873a6) C:\WINDOWS\system32\DRIVERS\sr.sys
2010/10/02 04:41:51.0031 Srv (da852e3e0bf1cea75d756f9866241e57) C:\WINDOWS\system32\DRIVERS\srv.sys
2010/10/02 04:41:51.0328 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
2010/10/02 04:41:51.0515 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2010/10/02 04:41:59.0593 ================================================================================
2010/10/02 04:41:59.0593 Scan finished
2010/10/02 04:41:59.0593 ================================================================================
2010/10/02 04:41:59.0609 Detected object count: 1
2010/10/02 04:42:10.0406 Locked file(atapi) - User select action: Skip
2010/10/02 04:42:16.0875 ================================================================================
2010/10/02 04:42:16.0875 Scan started
2010/10/02 04:42:16.0875 Mode: Manual;
2010/10/02 04:42:16.0875 ================================================================================
2010/10/02 04:42:21.0125 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2010/10/02 04:42:21.0125 Suspicious file (NoAccess): C:\WINDOWS\system32\DRIVERS\atapi.sys. md5: 9f3a2f5aa6875c72bf062c712cfa2674
2010/10/02 04:42:21.0140 atapi - detected Locked file (1)
2010/10/02 04:42:27.0234 Scan interrupted by user!
2010/10/02 04:42:27.0234 Scan interrupted by user!
2010/10/02 04:42:27.0234 ================================================================================
2010/10/02 04:42:27.0234 Scan finished
2010/10/02 04:42:27.0234 ================================================================================
2010/10/02 04:42:27.0250 Detected object count: 1
2010/10/02 04:42:46.0859 Locked file(atapi) - User select action: Skip
2010/10/02 04:42:52.0546 ================================================================================
2010/10/02 04:42:52.0546 Scan started
2010/10/02 04:42:52.0546 Mode: Manual;
2010/10/02 04:42:52.0546 ================================================================================
2010/10/02 04:42:57.0078 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2010/10/02 04:42:57.0078 Suspicious file (NoAccess): C:\WINDOWS\system32\DRIVERS\atapi.sys. md5: 9f3a2f5aa6875c72bf062c712cfa2674
2010/10/02 04:42:57.0093 atapi - detected Locked file (1)
2010/10/02 04:42:59.0578 Scan interrupted by user!
2010/10/02 04:42:59.0578 ================================================================================
2010/10/02 04:42:59.0578 Scan finished
2010/10/02 04:42:59.0578 ================================================================================
2010/10/02 04:42:59.0609 Detected object count: 1
2010/10/02 04:43:18.0906 Locked file(atapi) - User select action: Skip
2010/10/02 04:43:21.0890 ================================================================================
2010/10/02 04:43:21.0890 Scan started
2010/10/02 04:43:21.0890 Mode: Manual;
2010/10/02 04:43:21.0890 ================================================================================
2010/10/02 04:43:21.0953 ================================================================================
2010/10/02 04:43:21.0953 Scan finished
2010/10/02 04:43:21.0953 ================================================================================
2010/10/02 04:43:27.0078 ================================================================================
2010/10/02 04:43:27.0078 Scan started
2010/10/02 04:43:27.0078 Mode: Manual;
2010/10/02 04:43:27.0078 ================================================================================
2010/10/02 04:43:31.0312 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2010/10/02 04:43:31.0312 Suspicious file (NoAccess): C:\WINDOWS\system32\DRIVERS\atapi.sys. md5: 9f3a2f5aa6875c72bf062c712cfa2674
2010/10/02 04:43:31.0312 atapi - detected Locked file (1)
2010/10/02 04:43:32.0625 Scan interrupted by user!
2010/10/02 04:43:32.0625 ================================================================================
2010/10/02 04:43:32.0625 Scan finished
2010/10/02 04:43:32.0625 ================================================================================
2010/10/02 04:43:32.0656 Detected object count: 1
2010/10/02 04:43:40.0546 HKLM\SYSTEM\ControlSet002\services\atapi - will be deleted after reboot
2010/10/02 04:43:40.0546 HKLM\SYSTEM\ControlSet003\services\atapi - will be deleted after reboot
2010/10/02 04:43:40.0562 C:\WINDOWS\system32\DRIVERS\atapi.sys - will be deleted after reboot
2010/10/02 04:43:40.0562 Locked file(atapi) - User select action: Delete
2010/10/02 04:43:57.0421 Deinitialize success




Lavasoft Ad-aware Professional Build 6.181
Logfile created on :יום שלישי 28 ספטמבר 2010 21:52:42
Using reference-file :1R200 12.07.2003
______________________________________________________

Ad-aware Settings
=========================
Set : Activate in-depth scan (Recommended)
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep scan registry


28-09-2010 21:52:42 - Scan started. (Smart mode)

Listing running processes
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
Memory scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 0


Started registry scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

Registry scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 0


Started deep registry scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

Deep registry scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 0


¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯


Deep scanning and examining files (C:)
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

21:54:34 Scan complete

Summary of this scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
Total scanning time :00:01:52:234
Objects scanned :38773
Objects identified :0
Objects ignored :0
New objects :0




I fought the stupid (or smart) virus for a couple of hours, so I am taking a small nap.




#2 BeatenByAtapi

BeatenByAtapi
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:12:03 PM

Posted 02 October 2010 - 02:58 AM

Ahhh, I have also used RKill.

This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.
Ran as user on 10/02/2010 at 9:56:28.


Services Stopped:


Processes terminated by Rkill or while it was running:


E:\rkill.exe


Rkill completed on 10/02/2010 at 9:56:31.


Renaming RKill.exe didn't help much (nor did renaming combofix.exe).
I also used TFC.exe to clean all temporary files.


#3 BeatenByAtapi

BeatenByAtapi
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:12:03 PM

Posted 02 October 2010 - 03:20 AM

Gmer.exe gives me a critical error when launched ;(
I tried to turn off the antivirus while launching it; that didn't help ;(

The computer runs very slowly now..

Edited by BeatenByAtapi, 02 October 2010 - 03:55 AM.


#4 BeatenByAtapi

BeatenByAtapi
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:12:03 PM

Posted 02 October 2010 - 08:12 AM

Do you need Hijacker's report?

Edited by BeatenByAtapi, 02 October 2010 - 08:13 AM.


#5 Shannon2012

Shannon2012

  • Security Colleague
  • 3,657 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina, USA
  • Local time:06:03 AM

Posted 08 October 2010 - 03:18 PM


Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed; the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


Shannon

#6 BeatenByAtapi

BeatenByAtapi
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:12:03 PM

Posted 08 October 2010 - 04:18 PM

Ah, I used DeFogger, did all the same stuff that failed me over again, and it seems to have worked. My atapi.sys stopped getting patched, and didn't get patched after I restarted my computer (TDSSKiller doesn't show a virus alert anymore, just like Unhackme and SysProt). It seems the clone drive made the virus difficult to remove. Thanks for your response; I know it takes you 5 days to respond to every message on this forum. You don't have to apologize every time.

My CD-ROM still isn't working, but it loves to blink its light and make weird sounds each time I restart the computer, so I think I just have to switch it out.

#7 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,079 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:01:03 PM

Posted 12 October 2010 - 11:43 AM

Hi, please let me know if you still need help here.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Malware analyst @ Emsisoft


#8 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,079 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:01:03 PM

Posted 17 October 2010 - 07:05 AM

Since this issue seems to be resolved, this topic will now be closed.

If you are the original topic starter and you need it reopened, please send me a PM.

Everyone else, please start a new topic.

regards, Elise






