iexplore.exe taking 50% or more of CPU


  • This topic is locked
29 replies to this topic

#1 bdeandel


  • Members

Posted 06 October 2010 - 03:17 PM

Today I noticed my computer was running pretty slow and discovered that the iexplore.exe is taking 50% or more of the CPU when sitting idle. Need some help figuring out what is the cause of the problem.

Sorry... didn't follow the instructions... here is the result of the scan.

No GMER log... it caused my computer to reboot.

DDS (Ver_10-10-05.01) - NTFSx86
Run by bdean at 8:30:40.32 on Fri 10/08/2010
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3572.2869 [GMT -4:00]

AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning enabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
FW: AVG Firewall *disabled* {8decf618-9569-4340-b34a-d78d28969b66}

============== Running Processes ===============

C:\WINDOWS\System32\Novell\XTAgent.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
C:\WINDOWS\System32\svchost.exe -k eapsvcs
svchost.exe
C:\WINDOWS\System32\svchost.exe -k dot3svc
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\idt\dellxpm09b_6159v043\wdm\stacsv.exe
svchost.exe
C:\WINDOWS\system32\dlbxcoms.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\IBM\Lotus\Notes\nsd.exe
C:\Program Files\McAfee\VirusScan Enterprise\EngineServer.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\WINDOWS\system32\mfevtps.exe
C:\Program Files\IBM\Lotus\Notes\ntmulti.exe
C:\Program Files\Novell\ZENworks\nalntsrv.exe
C:\Program Files\AT&T Global Network Client\netcfgsvr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\UPHClean\uphclean.exe
C:\Program Files\Novell\ZENworks\wm.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
c:\windows\itlm\tlmagent.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\WINDOWS\system32\NWTRAY.EXE
C:\WINDOWS\system32\dpmw32.exe
C:\WINDOWS\system32\iprntctl.exe
C:\WINDOWS\system32\iprntlgn.exe
C:\Program Files\DellTPad\Apoint.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\WINDOWS\system32\AESTFltr.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\PROGRA~1\Pinnacle\SHARED~1\Programs\USBTip\USBTip.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\McAfee\Common Framework\udaterui.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Novell\ZENworks\WMRUNDLL.EXE
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Novell\iFolder\trayapp.exe
C:\Program Files\TechSmith\SnagIt 7\SnagIt32.exe
C:\Program Files\TechSmith\SnagIt 7\TSCHelp.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\BDEAN\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://intranet.wlgore.com
uInternet Connection Wizard,ShellNext = hxxp://genie.wlgore.com/
uInternet Settings,ProxyServer = 157.204.22.4:8080
uInternet Settings,ProxyOverride = *.wlgore.com;127.0.0.1;localhost;157.204.*;chipsndip;32.85.*;192.168.*;<local>
BHO: HelperObject Class: {00c6482d-c502-44c8-8409-fce54ad9c208} - c:\program files\techsmith\snagit 7\SnagItBHO.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AdvBHO: {2ed2390a-e6f6-f895-fe75-013e2d97184a} - c:\program files\common files\AdvBHO.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\scriptsn.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.5126.1836\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: SnagIt: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - c:\program files\techsmith\snagit 7\SnagItIEAddin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [NetSP - restore settings on power failure] "c:\program files\at&t global network client\NetSP.exe" -show
mRun: [NWTRAY] NWTRAY.EXE
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [NDPS] c:\windows\system32\dpmw32.exe
mRun: [iPrint Tray] c:\windows\system32\iprntctl.exe TRAY_ICON
mRun: [iPrint Event Monitor] c:\windows\system32\iprntlgn.exe
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start
mRun: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
mRun: [AESTFltr] %SystemRoot%\system32\AESTFltr.exe /NoDlg
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [AGNS_Config] nircmd execmd c:\windows\ATT_Config.cmd
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [RoxioDragToDisc] "c:\program files\roxio\drag-to-disc\DrgToDsc.exe"
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [USBToolTip] c:\progra~1\pinnacle\shared~1\programs\usbtip\USBTip.exe
mRun: [USB2Check] RUNDLL32.EXE "c:\windows\system32\PCLECoInst.dll",CheckUSBController
mRun: [Verizon_McciTrayApp] "c:\program files\verizon\McciTrayApp.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Pistolstar_SSO] "c:\program files\pistolstar\password power client\APOSSO.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [UnlockerAssistant] "c:\documents and settings\bdean\desktop\unlocker1.8.8-portable\UnlockerAssistant.exe"
mRun: [Google Quick Search Box] "c:\program files\google\quick search box\GoogleQuickSearchBox.exe" /autorun
mRun: [DLBXCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\DLBXtime.dll,_RunDLLEntry@16
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\udaterui.exe" /StartedFromRunKey
mExplorerRun: [1] nircmd execmd "%windir%\system32\GroupPolicy.WKSCache\User\prox.cmd GPRUN"
mExplorerRun: [2] nircmd execmd "%windir%\system32\GroupPolicy.WKSCache\User\Radio_Adhoc.cmd"
mExplorerRun: [3] nircmd execmd "%windir%\system32\GroupPolicy.WKSCache\User\ScreenSaver.cmd"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\novell~1.lnk - c:\program files\novell\ifolder\trayapp.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\snagit~1.lnk - c:\program files\techsmith\snagit 7\SnagIt32.exe
mPolicies-explorer: NoWelcomeScreen = 1 (0x1)
mPolicies-explorer: NoPublishingWizard = 1 (0x1)
mPolicies-explorer: NoWebServices = 1 (0x1)
mPolicies-system: DisableCAD = 1 (0x1)
mPolicies-system: CompatibleRUPSecurity = 1 (0x1)
mPolicies-system: LogonType = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {C1994287-422F-47aa-8E5E-6323E210A125} - {4B5F7606-8666-4D5A-9780-DB92A9D8812B} - c:\program files\novell\zenworks\AxNalServer.dll
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.2.0/GarminAxControl.CAB
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {2202D225-22C1-4B8C-A4B8-6A7E7B7E1524} - hxxps://cpc.on.intercall.com/confmgr/installs/ICWMInstall.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {656FAD09-4DE3-4C34-9600-0928C855FD7A} - hxxp://download.microsoft.com/download/7/1/D/71D9F11F-0C02-4707-9D60-D56EA8951020/pmupd806.exe
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1255663601550
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8650EBA6-6CBB-11D2-A9E0-00E02C0159F9} - hxxp://chipsndip/CHipsNDip1/Activex/NWUsrGrp.ocx
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} - hxxp://128.255.26.210/activex/AxisCamControl.cab
DPF: {B1D21FC5-A742-4261-86F2-C7B7F1A31C5D} - hxxp://e1.wlgore.com/jde/axctls/jdewebctlsU.cab
DPF: {BEA7310D-06C4-4339-A784-DC3804819809} - hxxp://images3.pnimedia.com/ProductAssets/costcous/activex/v3_0_0_7/PhotoCenter_ActiveX_Control.cab
DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} - hxxp://aprpt01.wlgore.com/viewer/activeXViewer/activexviewer.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {EC747AE4-8EF6-11D0-B375-0000E20315E2} - hxxp://chipsndip/CHipsNDip1/Activex/NWSess.ocx
DPF: {F9E542CE-C16A-47FA-B7A8-D88E5F1C5719} - hxxp://e1.wlgore.com/jde/axctls/jdeexpimpU.cab
Filter: text/html - {b2daafc8-c3a0-4daf-973b-487b9ec4cf0e} - c:\docume~1\bdean\locals~1\temp\mstmp
Notify: NetIdentity Notification - c:\windows\system32\novell\XtNotify.dll
Notify: TPSvc - TPSvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Application Explorer: {763370c4-268e-4308-a60c-d8da0342be32} - c:\program files\novell\zenworks\NalShell.dll
LSA: Authentication Packages = msv1_0 nwv1_0

============= SERVICES / DRIVERS ===============

R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 25680]
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-1-14 343920]
R0 NifFltr;NifFltr;c:\windows\system32\drivers\niffltr.sys [2006-9-27 25300]
R0 vmscsi;vmscsi;c:\windows\system32\drivers\vmscsi.sys [1980-1-1 17968]
R1 enstart_;enstart_;c:\windows\system32\enstart_.sys [2009-10-15 25472]
R1 nipplpt2;Novell iCapture Lpt Redirector 2;c:\windows\system32\drivers\nipplpt.sys [2009-1-14 34592]
R2 BlankScr;HBDevice;c:\windows\system32\drivers\blankscr.sys [2005-5-23 6899]
R2 CITMDRV;CITMDRV;c:\windows\system32\drivers\CITMDRV.SYS [2010-3-24 10752]
R2 enstart;enstart;c:\windows\system32\enstart.exe -s --> c:\windows\system32\enstart.exe -s [?]
R2 Lotus Notes Diagnostics;Lotus Notes Diagnostics;c:\program files\ibm\lotus\notes\nsd.exe [2009-9-29 3397000]
R2 McAfeeEngineService;McAfee Engine Service;c:\program files\mcafee\virusscan enterprise\EngineServer.exe [2010-1-6 22816]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2010-6-1 120128]
R2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\Mcshield.exe [2010-1-6 147472]
R2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\VsTskMgr.exe [2010-1-6 66896]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2009-10-24 70728]
R2 Remote Management Agent;Novell ZENworks Remote Management Agent;c:\program files\novell\zenworks\remotemanagement\rmagent\ZenRem32.exe [2006-5-9 167936]
R2 tlmagent;IBM License Metric Tool and Tivoli Asset Discover Agent;c:\windows\itlm\tlmagent.exe [2010-3-24 897024]
R2 WNTHW;WNTHW;c:\windows\system32\drivers\WNTHW.SYS [2006-1-6 9176]
R2 XTAgent;Novell XTier Agent Services;c:\windows\system32\novell\xtagent.exe [2007-1-10 61440]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [2009-6-8 112512]
R3 cvusbdrv;Broadcom USH CV;c:\windows\system32\drivers\cvusbdrv.sys [2008-9-16 32808]
R3 Darpan;Darpan;c:\windows\system32\drivers\Darpan.sys [2005-5-23 2773]
R3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [2008-9-15 244368]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-1-14 91832]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-1-14 43288]
R3 SMSIVZAM5;SMSIVZAM5 NDIS Protocol Driver;c:\progra~1\verizo~1\vzacce~1\SMSIVZAM5.SYS [2009-5-25 32408]
S1 mferkdk;VSCore mferkdk;\??\c:\program files\mcafee\virusscan enterprise\mferkdk.sys --> c:\program files\mcafee\virusscan enterprise\mferkdk.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-8 135664]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2009-10-24 66600]
S3 vmci;VMware VMCI Bus Driver;c:\windows\system32\drivers\vmci.sys --> c:\windows\system32\drivers\vmci.sys [?]
S3 vmmouse;VMware Pointing Device;c:\windows\system32\drivers\vmmouse.sys --> c:\windows\system32\drivers\vmmouse.sys [?]
S3 vmx_svga;vmx_svga;c:\windows\system32\drivers\vmx_svga.sys --> c:\windows\system32\drivers\vmx_svga.sys [?]
S3 vmxnet;VMware Ethernet Adapter Driver;c:\windows\system32\drivers\vmxnet.sys --> c:\windows\system32\drivers\vmxnet.sys [?]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\microsoft visual studio 8\common7\ide\remote debugger\x86\msvsmon.exe [2006-12-2 2805000]

=============== Created Last 30 ================

2010-10-06 23:39:10 298000 ----a-w- c:\program files\common files\AdvBHO.dll
2010-10-06 12:55:48 -------- d-----w- c:\docume~1\bdean\applic~1\AVG10
2010-10-06 12:55:08 -------- d--h--w- c:\docume~1\alluse~1\applic~1\Common Files
2010-10-06 12:53:52 -------- d-----w- c:\docume~1\alluse~1\applic~1\AVG10
2010-10-06 12:53:28 -------- d-----w- c:\program files\AVG
2010-10-06 12:49:39 -------- d-----w- c:\docume~1\alluse~1\applic~1\MFAData
2010-09-24 18:07:42 -------- d-----w- c:\docume~1\bdean\applic~1\GARMIN
2010-09-13 20:27:24 25680 ----a-w- c:\windows\system32\drivers\AVGIDSEH.sys
2010-09-09 20:23:48 -------- d-----w- c:\docume~1\bdean\locals~1\applic~1\Visio
2010-09-09 20:23:46 -------- d-----w- c:\docume~1\bdean\applic~1\Visio
2010-09-09 20:23:28 -------- d-----w- c:\program files\common files\Visio Shared
2010-09-09 20:23:26 -------- d-----w- c:\program files\common files\WexTech Shared
2010-09-09 20:23:26 -------- d-----w- c:\program files\common files\Lhspf
2010-09-09 20:23:19 -------- d-----w- c:\program files\Microsoft Visio

==================== Find3M ====================

2010-08-17 13:17:06 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-07-22 15:49:15 590848 ----a-w- c:\windows\system32\rpcrt4.dll
2010-07-22 05:57:20 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-07-12 08:33:54 51040 ----a-w- c:\windows\system32\avgfwdx.dll

============= FINISH: 8:31:58.51 ===============

EDIT: Posts merged ~BP

Problems appear to be getting worse. I am now finding that I will end up with extra iexplore.exe processes running even after I close down all my IE windows.

Edited by hamluis, 11 October 2010 - 10:17 AM.
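As an added triage example (not from the thread, the helpers' tools or DDS itself), the Python below parses the IE handler lines (BHO, TB, Filter, SSODL, SEH) and the "Created Last 30" list from DDS output, flags handlers loaded from user-profile or temp locations, files created inside the log window and MIME filters, and diffs two scans to show handler paths that moved. The flagging heuristics are the editor's own, and the log excerpts are constructed from the two DDS logs posted in this thread.

```python
import re
from dataclasses import dataclass, field

# Excerpts constructed from the two DDS logs posted in this thread (8 and 14 Oct 2010).
LOG_OCT08 = r"""
BHO: HelperObject Class: {00c6482d-c502-44c8-8409-fce54ad9c208} - c:\program files\techsmith\snagit 7\SnagItBHO.dll
BHO: AdvBHO: {2ed2390a-e6f6-f895-fe75-013e2d97184a} - c:\program files\common files\AdvBHO.dll
TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
Filter: text/html - {b2daafc8-c3a0-4daf-973b-487b9ec4cf0e} - c:\docume~1\bdean\locals~1\temp\mstmp
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
=============== Created Last 30 ================
2010-10-06 23:39:10 298000 ----a-w- c:\program files\common files\AdvBHO.dll
2010-09-13 20:27:24 25680 ----a-w- c:\windows\system32\drivers\AVGIDSEH.sys
"""
LOG_OCT14 = r"""
BHO: HelperObject Class: {00c6482d-c502-44c8-8409-fce54ad9c208} - c:\program files\techsmith\snagit 7\SnagItBHO.dll
BHO: AdvBHO: {2ed2390a-e6f6-f895-fe75-013e2d97184a} - c:\documents and settings\bdean\AdvBHO.dll
TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
Filter: text/html - {b2daafc8-c3a0-4daf-973b-487b9ec4cf0e} - c:\docume~1\bdean\locals~1\temp\mstmp
"""

# DDS handler line shapes: "BHO: Name: {CLSID} - path", "TB: {CLSID} - No File",
# "Filter: text/html - {CLSID} - path", "SSODL: Name - {CLSID} - path".
HANDLER_RE = re.compile(r"^(BHO|TB|Filter|SSODL|SEH):\s*(.*)$")
CLSID_RE = re.compile(r"\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}", re.I)
# "Created Last 30" shape: "YYYY-MM-DD HH:MM:SS <size or --------> <attrs> path"
CREATED_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) \d{2}:\d{2}:\d{2}\s+\S+\s+\S+\s+(.+)$")
USER_PROFILE_PREFIXES = ("c:\\documents and settings\\", "c:\\docume~1\\")

@dataclass
class Handler:
    kind: str
    clsid: str
    path: str
    flags: list = field(default_factory=list)

def parse_handlers(log):
    """Map (kind, clsid) -> Handler for every IE handler line in the log."""
    handlers = {}
    for line in log.splitlines():
        m = HANDLER_RE.match(line)
        if not m:
            continue
        kind, rest = m.groups()
        c = CLSID_RE.search(rest)
        if not c:
            continue
        clsid = c.group(0).lower()
        path = rest[c.end():].lstrip(" -").strip().lower()  # text after "{CLSID} - "
        handlers[(kind, clsid)] = Handler(kind, clsid, path)
    return handlers

def parse_created(log):
    """Map lower-cased path -> creation date from the 'Created Last 30' section."""
    created = {}
    for line in log.splitlines():
        m = CREATED_RE.match(line)
        if m:
            created[m.group(2).strip().lower()] = m.group(1)
    return created

def flag_handler(h, created):
    """Review notes for one handler (editor's heuristics, not DDS output)."""
    flags = []
    if h.path.startswith(USER_PROFILE_PREFIXES):
        flags.append("user-profile path")  # writable without admin rights
    if "\\temp\\" in h.path:
        flags.append("temp directory")
    if h.kind == "Filter":
        flags.append("MIME filter: handles every response of that content type")
    if h.path in created:
        flags.append("file created %s (inside log window)" % created[h.path])
    if h.path != "no file" and "." not in h.path.rsplit("\\", 1)[-1]:
        flags.append("no file extension")
    return flags

def triage(log):
    """Parse one DDS log and attach review flags to each handler."""
    created = parse_created(log)
    handlers = parse_handlers(log)
    for h in handlers.values():
        h.flags = flag_handler(h, created)
    return handlers

def diff_handler_paths(old, new):
    """clsid -> (old_path, new_path) for handlers whose on-disk location moved between scans."""
    return {k[1]: (old[k].path, new[k].path)
            for k in old.keys() & new.keys() if old[k].path != new[k].path}

if __name__ == "__main__":
    first, second = triage(LOG_OCT08), triage(LOG_OCT14)
    for h in second.values():
        if h.flags:
            print(f"{h.kind} {h.clsid} {h.path}\n    " + "; ".join(h.flags))
    for clsid, (old, new) in diff_handler_paths(first, second).items():
        print(f"moved {clsid}: {old} -> {new}")
```

Run against full DDS logs, the same functions work unchanged; the excerpts only keep the lines needed to show each flag firing.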


#2 Shannon2012


  • Security Colleague

Posted 13 October 2010 - 07:28 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed; the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


Shannon

#3 bdeandel

  • Topic Starter

  • Members

Posted 14 October 2010 - 04:16 AM

Hi Shannon,

Thanks for the help. Yes, I am still having problems. iexplore.exe will still run at 50% or better CPU even when there is no activity. In addition, I will find that there are more iexplore.exe processes running than I have open, and they don't seem to close when I close the IE window.

As stated in my previous post, I was not able to run GMER... it causes my computer to reboot part way through... I tried it again and got the same result.

Here is the dds log:


DDS (Ver_10-10-10.03) - NTFSx86
Run by bdean at 5:11:30.34 on Thu 10/14/2010
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3572.2887 [GMT -4:00]

AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning enabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
FW: AVG Firewall *disabled* {8decf618-9569-4340-b34a-d78d28969b66}

============== Running Processes ===============

C:\WINDOWS\System32\Novell\XTAgent.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
C:\WINDOWS\System32\svchost.exe -k eapsvcs
svchost.exe
C:\WINDOWS\System32\svchost.exe -k dot3svc
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\idt\dellxpm09b_6159v043\wdm\stacsv.exe
svchost.exe
C:\WINDOWS\system32\dlbxcoms.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\IBM\Lotus\Notes\nsd.exe
C:\Program Files\McAfee\VirusScan Enterprise\EngineServer.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\WINDOWS\system32\mfevtps.exe
C:\Program Files\IBM\Lotus\Notes\ntmulti.exe
C:\Program Files\Novell\ZENworks\nalntsrv.exe
C:\Program Files\AT&T Global Network Client\netcfgsvr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\UPHClean\uphclean.exe
C:\Program Files\Novell\ZENworks\wm.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
c:\windows\itlm\tlmagent.exe
C:\Program Files\Novell\ZENworks\WMRUNDLL.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\Novell\ZENworks\NalAgent.exe
C:\WINDOWS\system32\NWTRAY.EXE
C:\WINDOWS\system32\dpmw32.exe
C:\WINDOWS\system32\iprntctl.exe
C:\WINDOWS\system32\iprntlgn.exe
C:\Program Files\DellTPad\Apoint.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\WINDOWS\system32\AESTFltr.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\PROGRA~1\Pinnacle\SHARED~1\Programs\USBTip\USBTip.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\McAfee\Common Framework\udaterui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Novell\iFolder\trayapp.exe
C:\Program Files\TechSmith\SnagIt 7\SnagIt32.exe
C:\Program Files\TechSmith\SnagIt 7\TSCHelp.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Novell\ZENworks\WMRUNDLL.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\BDEAN\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://intranet.wlgore.com
uInternet Connection Wizard,ShellNext = hxxp://genie.wlgore.com/
uInternet Settings,ProxyServer = 157.204.22.4:8080
uInternet Settings,ProxyOverride = *.wlgore.com;127.0.0.1;localhost;157.204.*;chipsndip;32.85.*;192.168.*;<local>
BHO: HelperObject Class: {00c6482d-c502-44c8-8409-fce54ad9c208} - c:\program files\techsmith\snagit 7\SnagItBHO.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AdvBHO: {2ed2390a-e6f6-f895-fe75-013e2d97184a} - c:\documents and settings\bdean\AdvBHO.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\scriptsn.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.5126.1836\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: SnagIt: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - c:\program files\techsmith\snagit 7\SnagItIEAddin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [NetSP - restore settings on power failure] "c:\program files\at&t global network client\NetSP.exe" -show
mRun: [NWTRAY] NWTRAY.EXE
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [NDPS] c:\windows\system32\dpmw32.exe
mRun: [iPrint Tray] c:\windows\system32\iprntctl.exe TRAY_ICON
mRun: [iPrint Event Monitor] c:\windows\system32\iprntlgn.exe
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start
mRun: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
mRun: [AESTFltr] %SystemRoot%\system32\AESTFltr.exe /NoDlg
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [AGNS_Config] nircmd execmd c:\windows\ATT_Config.cmd
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [RoxioDragToDisc] "c:\program files\roxio\drag-to-disc\DrgToDsc.exe"
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [USBToolTip] c:\progra~1\pinnacle\shared~1\programs\usbtip\USBTip.exe
mRun: [USB2Check] RUNDLL32.EXE "c:\windows\system32\PCLECoInst.dll",CheckUSBController
mRun: [Verizon_McciTrayApp] "c:\program files\verizon\McciTrayApp.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Pistolstar_SSO] "c:\program files\pistolstar\password power client\APOSSO.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [UnlockerAssistant] "c:\documents and settings\bdean\desktop\unlocker1.8.8-portable\UnlockerAssistant.exe"
mRun: [Google Quick Search Box] "c:\program files\google\quick search box\GoogleQuickSearchBox.exe" /autorun
mRun: [DLBXCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\DLBXtime.dll,_RunDLLEntry@16
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\udaterui.exe" /StartedFromRunKey
mExplorerRun: [1] nircmd execmd "%windir%\system32\GroupPolicy.WKSCache\User\prox.cmd GPRUN"
mExplorerRun: [2] nircmd execmd "%windir%\system32\GroupPolicy.WKSCache\User\Radio_Adhoc.cmd"
mExplorerRun: [3] nircmd execmd "%windir%\system32\GroupPolicy.WKSCache\User\ScreenSaver.cmd"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\novell~1.lnk - c:\program files\novell\ifolder\trayapp.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\snagit~1.lnk - c:\program files\techsmith\snagit 7\SnagIt32.exe
mPolicies-explorer: NoWelcomeScreen = 1 (0x1)
mPolicies-explorer: NoPublishingWizard = 1 (0x1)
mPolicies-explorer: NoWebServices = 1 (0x1)
mPolicies-system: CompatibleRUPSecurity = 1 (0x1)
mPolicies-system: DisableCAD = 1 (0x1)
mPolicies-system: LogonType = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {C1994287-422F-47aa-8E5E-6323E210A125} - {4B5F7606-8666-4D5A-9780-DB92A9D8812B} - c:\program files\novell\zenworks\AxNalServer.dll
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.2.0/GarminAxControl.CAB
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {2202D225-22C1-4B8C-A4B8-6A7E7B7E1524} - hxxps://cpc.on.intercall.com/confmgr/installs/ICWMInstall.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {656FAD09-4DE3-4C34-9600-0928C855FD7A} - hxxp://download.microsoft.com/download/7/1/D/71D9F11F-0C02-4707-9D60-D56EA8951020/pmupd806.exe
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1255663601550
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8650EBA6-6CBB-11D2-A9E0-00E02C0159F9} - hxxp://chipsndip/CHipsNDip1/Activex/NWUsrGrp.ocx
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} - hxxp://128.255.26.210/activex/AxisCamControl.cab
DPF: {B1D21FC5-A742-4261-86F2-C7B7F1A31C5D} - hxxp://e1.wlgore.com/jde/axctls/jdewebctlsU.cab
DPF: {BEA7310D-06C4-4339-A784-DC3804819809} - hxxp://images3.pnimedia.com/ProductAssets/costcous/activex/v3_0_0_7/PhotoCenter_ActiveX_Control.cab
DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} - hxxp://aprpt01.wlgore.com/viewer/activeXViewer/activexviewer.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {EC747AE4-8EF6-11D0-B375-0000E20315E2} - hxxp://chipsndip/CHipsNDip1/Activex/NWSess.ocx
DPF: {F9E542CE-C16A-47FA-B7A8-D88E5F1C5719} - hxxp://e1.wlgore.com/jde/axctls/jdeexpimpU.cab
Filter: text/html - {b2daafc8-c3a0-4daf-973b-487b9ec4cf0e} - c:\docume~1\bdean\locals~1\temp\mstmp
Notify: NetIdentity Notification - c:\windows\system32\novell\XtNotify.dll
Notify: TPSvc - TPSvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Application Explorer: {763370c4-268e-4308-a60c-d8da0342be32} - c:\program files\novell\zenworks\NalShell.dll
LSA: Authentication Packages = msv1_0 nwv1_0

============= SERVICES / DRIVERS ===============

R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 25680]
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-1-14 343920]
R0 NifFltr;NifFltr;c:\windows\system32\drivers\niffltr.sys [2006-9-27 25300]
R0 vmscsi;vmscsi;c:\windows\system32\drivers\vmscsi.sys [1980-1-1 17968]
R1 enstart_;enstart_;c:\windows\system32\enstart_.sys [2009-10-15 25472]
R1 nipplpt2;Novell iCapture Lpt Redirector 2;c:\windows\system32\drivers\nipplpt.sys [2009-1-14 34592]
R2 BlankScr;HBDevice;c:\windows\system32\drivers\blankscr.sys [2005-5-23 6899]
R2 CITMDRV;CITMDRV;c:\windows\system32\drivers\CITMDRV.SYS [2010-3-24 10752]
R2 enstart;enstart;c:\windows\system32\enstart.exe -s --> c:\windows\system32\enstart.exe -s [?]
R2 Lotus Notes Diagnostics;Lotus Notes Diagnostics;c:\program files\ibm\lotus\notes\nsd.exe [2009-9-29 3397000]
R2 McAfeeEngineService;McAfee Engine Service;c:\program files\mcafee\virusscan enterprise\EngineServer.exe [2010-1-6 22816]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2010-6-1 120128]
R2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\Mcshield.exe [2010-1-6 147472]
R2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\VsTskMgr.exe [2010-1-6 66896]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2009-10-24 70728]
R2 Remote Management Agent;Novell ZENworks Remote Management Agent;c:\program files\novell\zenworks\remotemanagement\rmagent\ZenRem32.exe [2006-5-9 167936]
R2 tlmagent;IBM License Metric Tool and Tivoli Asset Discover Agent;c:\windows\itlm\tlmagent.exe [2010-3-24 897024]
R2 WNTHW;WNTHW;c:\windows\system32\drivers\WNTHW.SYS [2006-1-6 9176]
R2 XTAgent;Novell XTier Agent Services;c:\windows\system32\novell\xtagent.exe [2007-1-10 61440]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [2009-6-8 112512]
R3 cvusbdrv;Broadcom USH CV;c:\windows\system32\drivers\cvusbdrv.sys [2008-9-16 32808]
R3 Darpan;Darpan;c:\windows\system32\drivers\Darpan.sys [2005-5-23 2773]
R3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [2008-9-15 244368]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-1-14 91832]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-1-14 43288]
R3 SMSIVZAM5;SMSIVZAM5 NDIS Protocol Driver;c:\progra~1\verizo~1\vzacce~1\SMSIVZAM5.SYS [2009-5-25 32408]
S1 mferkdk;VSCore mferkdk;\??\c:\program files\mcafee\virusscan enterprise\mferkdk.sys --> c:\program files\mcafee\virusscan enterprise\mferkdk.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-8 135664]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2009-10-24 66600]
S3 vmci;VMware VMCI Bus Driver;c:\windows\system32\drivers\vmci.sys --> c:\windows\system32\drivers\vmci.sys [?]
S3 vmmouse;VMware Pointing Device;c:\windows\system32\drivers\vmmouse.sys --> c:\windows\system32\drivers\vmmouse.sys [?]
S3 vmx_svga;vmx_svga;c:\windows\system32\drivers\vmx_svga.sys --> c:\windows\system32\drivers\vmx_svga.sys [?]
S3 vmxnet;VMware Ethernet Adapter Driver;c:\windows\system32\drivers\vmxnet.sys --> c:\windows\system32\drivers\vmxnet.sys [?]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\microsoft visual studio 8\common7\ide\remote debugger\x86\msvsmon.exe [2006-12-2 2805000]

=============== Created Last 30 ================

2010-10-11 14:42:59 -------- d-----w- C:\CoreTechnology
2010-10-11 14:11:42 -------- d-----w- c:\windows\system32\GroupPolicy.WksCache
2010-10-11 14:08:27 -------- d--h--w- c:\windows\system32\GroupPolicy
2010-10-11 14:05:41 -------- d--h--w- c:\windows\system32\GroupPolicy.WMOriginal2
2010-10-11 12:41:23 298000 ----a-w- c:\documents and settings\bdean\AdvBHO.dll
2010-10-06 23:39:10 298000 ----a-w- c:\program files\common files\AdvBHO.dll
2010-10-06 12:55:48 -------- d-----w- c:\docume~1\bdean\applic~1\AVG10
2010-10-06 12:55:08 -------- d--h--w- c:\docume~1\alluse~1\applic~1\Common Files
2010-10-06 12:53:52 -------- d-----w- c:\docume~1\alluse~1\applic~1\AVG10
2010-10-06 12:53:28 -------- d-----w- c:\program files\AVG
2010-10-06 12:49:39 -------- d-----w- c:\docume~1\alluse~1\applic~1\MFAData
2010-09-24 18:07:42 -------- d-----w- c:\docume~1\bdean\applic~1\GARMIN

==================== Find3M ====================

2010-10-01 18:12:02 63904 ----a-w- c:\windows\Global_Variables.cmd
2010-08-17 13:17:06 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-07-22 15:49:15 590848 ----a-w- c:\windows\system32\rpcrt4.dll
2010-07-22 05:57:20 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-07-16 15:25:20 2 --shatr- c:\windows\winstart.bat

============= FINISH: 5:12:26.95 ===============

Edited by bdeandel, 14 October 2010 - 08:12 AM.


#4 sempai
Malware Response Team

Posted 16 October 2010 - 01:52 AM

Hello and welcome to Bleeping Computer.

*Please Subscribe to this Thread to get immediate notification of replies. See HERE

*It is important not to make any further changes or run any other tools/updates unless instructed to. This may hinder the cleaning process of your machine.

*Please be patient, all Bleeping Computer helpers are volunteers and have lives outside this forum.

*You must reply within 5 days otherwise this topic will be closed.



==============================================


Please answer the following questions:
1. Do you use proxy on this PC?
2. Did you create the policy that disables Ctrl + Alt + Del function?
3. What can you tell me about the following:
  • prox.cmd
  • Radio_Adhoc.cmd
  • ScreenSaver.cmd


==============================================


1. Please download and run the AVG remover tool here -> http://www.avg.com/kr-en/download-tools



2. Download Combofix (by Subs) from any of the links below, make sure that you save it to your desktop.
Link 1
Link 2

  • It's important to temporarily disable your anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. See HERE
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
*It's strongly recommended to have this pre-installed on your machine before doing any malware removal.
*The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode.
*This allows us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures. If you did not have it installed, you will see the prompt below. Choose YES.


  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console.
  • When prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).

Important notes:
  1. Leave your computer alone while ComboFix is running.
  2. ComboFix will restart your computer if malware is found; allow it to do so.
  3. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
  4. Please do not mouse-click ComboFix's window while it's running because it may cause it to stall.
  5. ComboFix SHOULD NOT be used unless requested by a forum helper. See HERE.


~Semp

You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied to within 5 days will be closed. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators)


#5 bdeandel
Topic Starter

Posted 16 October 2010 - 10:52 AM

1. Do you use proxy on this PC? Yes...this is a work PC and we use a proxy
2. Did you create the policy that disables Ctrl + Alt + Del function? - no I did not
3. What can you tell me about the following:
prox.cmd
Radio_Adhoc.cmd
ScreenSaver.cmd

Not sure about any of these three programs






ComboFix 10-10-15.04 - bdean 10/16/2010 11:38:22.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3572.2859 [GMT -4:00]
Running from: c:\documents and settings\BDEAN\Desktop\ComboFix.exe
AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning enabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
FW: AVG Firewall *disabled* {8decf618-9569-4340-b34a-d78d28969b66}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\BDEAN\AdvBHO.dll
c:\documents and settings\BDEAN\Recent\frmLogin.url
c:\windows\Downloaded Program Files\Temp
c:\windows\sc.exe
c:\windows\system32\Cache

----- BITS: Possible infected sites -----

hxxp://usewsus01.wlgore.com
.
((((((((((((((((((((((((( Files Created from 2010-09-16 to 2010-10-16 )))))))))))))))))))))))))))))))
.

2010-10-16 15:24 . 2010-10-16 15:24 -------- d-----w- C:\AVGTemp
2010-10-15 13:00 . 2010-10-15 13:00 298000 ----a-w- c:\program files\Common Files\AdvBHO.dll
2010-10-11 18:31 . 2010-10-11 19:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-10-11 14:42 . 2010-10-11 14:43 -------- d-----w- C:\CoreTechnology
2010-10-11 14:08 . 2010-10-16 06:47 -------- d--h--w- c:\windows\system32\GroupPolicy
2010-10-06 12:55 . 2010-10-06 12:55 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
2010-10-06 12:49 . 2010-10-06 20:27 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2010-09-24 18:07 . 2010-09-27 04:18 -------- d-----w- c:\documents and settings\BDEAN\Application Data\GARMIN

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
@="{C5994560-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
2009-08-13 23:55 85768 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
@="{C5994561-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
2009-08-13 23:55 85768 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
@="{C5994562-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
2009-08-13 23:55 85768 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
@="{C5994563-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
2009-08-13 23:55 85768 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
@="{C5994564-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
2009-08-13 23:55 85768 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
@="{C5994565-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
2009-08-13 23:55 85768 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
@="{C5994566-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
2009-08-13 23:55 85768 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
@="{C5994567-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
2009-08-13 23:55 85768 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
@="{C5994568-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
2009-08-13 23:55 85768 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NetSP - restore settings on power failure"="c:\program files\AT&T Global Network Client\NetSP.exe" [2008-10-09 87320]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AGNS_Config"="nircmd execmd" [X]
"NWTRAY"="NWTRAY.EXE" [2002-03-12 28672]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"NDPS"="c:\windows\system32\dpmw32.exe" [2004-05-17 32859]
"iPrint Tray"="c:\windows\system32\iprntctl.exe" [2009-12-04 53248]
"iPrint Event Monitor"="c:\windows\system32\iprntlgn.exe" [2009-12-04 57344]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2008-12-21 200704]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-01-30 13594624]
"nwiz"="nwiz.exe" [2009-01-30 1657376]
"NVHotkey"="nvHotkey.dll" [2009-01-30 90112]
"NvMediaCenter"="NvMCTray.dll" [2009-01-30 86016]
"AESTFltr"="c:\windows\system32\AESTFltr.exe" [2008-12-16 729088]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2008-06-02 2220032]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-02-26 128296]
"RoxioDragToDisc"="c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2006-08-17 1116920]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-03-03 155648]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2009-02-23 483420]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2010-01-07 124240]
"USBToolTip"="c:\progra~1\Pinnacle\SHARED~1\Programs\USBTip\USBTip.exe" [2007-02-20 199752]
"USB2Check"="c:\windows\system32\PCLECoInst.dll" [2006-11-06 81920]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-01-20 149280]
"Pistolstar_SSO"="c:\program files\Pistolstar\Password Power Client\APOSSO.exe" [2010-01-07 32768]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"Google Quick Search Box"="c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe" [2010-06-24 126976]
"DLBXCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLBXtime.dll" [2007-02-22 73728]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2010-06-01 140608]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Novell iFolder.lnk - c:\program files\Novell\iFolder\trayapp.exe [2006-9-27 266317]
SnagIt 7.lnk - c:\program files\TechSmith\SnagIt 7\SnagIt32.exe [2009-10-15 2277376]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"CompatibleRUPSecurity"= 1 (0x1)
"DisableCAD"= 1 (0x1)
"LogonType"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)
"NoPublishingWizard"= 1 (0x1)
"NoWebServices"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= c:\documents and settings\BDEAN\My Documents\My Pictures\lake-powell-sunset-portrait-photography.jpg
FriendlyName=

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{763370C4-268E-4308-A60C-D8DA0342BE32}"= "c:\program files\Novell\ZENworks\NalShell.dll" [2007-07-20 458752]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\NetIdentity Notification]
2007-01-10 17:52 24576 ----a-w- c:\windows\system32\Novell\xtnotify.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwv1_0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\McAfeeEngineService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\System32\\DPMW32.EXE"=
"c:\\Program Files\\Novell\\ZENworks\\RemoteManagement\\RMAgent\\ZenRem32.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=
"c:\\WINDOWS\\system32\\dlbxcoms.exe"=
"c:\\Program Files\\AT&T Global Network Client\\NetClient.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 NifFltr;NifFltr;c:\windows\system32\drivers\niffltr.sys [9/27/2006 3:46 PM 25300]
R0 vmscsi;vmscsi;c:\windows\system32\drivers\vmscsi.sys [1/1/1980 8:00 AM 17968]
R1 enstart_;enstart_;c:\windows\system32\enstart_.sys [10/15/2009 2:16 PM 25472]
R1 nipplpt2;Novell iCapture Lpt Redirector 2;c:\windows\system32\drivers\nipplpt.sys [1/14/2009 10:55 AM 34592]
R2 BlankScr;HBDevice;c:\windows\system32\drivers\blankscr.sys [5/23/2005 3:47 PM 6899]
R2 CITMDRV;CITMDRV;c:\windows\system32\drivers\CITMDRV.SYS [3/24/2010 10:26 AM 10752]
R2 enstart;enstart;c:\windows\system32\enstart.exe -s --> c:\windows\system32\enstart.exe -s [?]
R2 Lotus Notes Diagnostics;Lotus Notes Diagnostics;c:\program files\IBM\Lotus\Notes\nsd.exe [9/29/2009 12:29 PM 3397000]
R2 McAfeeEngineService;McAfee Engine Service;c:\program files\McAfee\VirusScan Enterprise\EngineServer.exe [1/6/2010 9:07 PM 22816]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [10/24/2009 1:41 AM 70728]
R2 Remote Management Agent;Novell ZENworks Remote Management Agent;c:\program files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe [5/9/2006 11:59 AM 167936]
R2 WNTHW;WNTHW;c:\windows\system32\drivers\WNTHW.SYS [1/6/2006 5:37 AM 9176]
R2 XTAgent;Novell XTier Agent Services;c:\windows\system32\Novell\xtagent.exe [1/10/2007 1:52 PM 61440]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [6/8/2009 5:01 AM 112512]
R3 cvusbdrv;Broadcom USH CV;c:\windows\system32\drivers\cvusbdrv.sys [9/16/2008 5:19 PM 32808]
R3 Darpan;Darpan;c:\windows\system32\drivers\Darpan.sys [5/23/2005 3:11 PM 2773]
R3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [9/15/2008 6:15 PM 244368]
R3 SMSIVZAM5;SMSIVZAM5 NDIS Protocol Driver;c:\progra~1\VERIZO~1\VZACCE~1\SMSIVZAM5.SYS [5/25/2009 3:43 PM 32408]
R4 AVGIDSEH;AVGIDSEH;c:\windows\system32\DRIVERS\AVGIDSEH.Sys --> c:\windows\system32\DRIVERS\AVGIDSEH.Sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/8/2010 9:32 AM 135664]
S2 tlmagent;IBM License Metric Tool and Tivoli Asset Discover Agent;c:\windows\itlm\tlmagent.exe [3/24/2010 10:26 AM 897024]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [10/24/2009 1:41 AM 66600]
S3 vmci;VMware VMCI Bus Driver;c:\windows\system32\DRIVERS\vmci.sys --> c:\windows\system32\DRIVERS\vmci.sys [?]
S3 vmmouse;VMware Pointing Device;c:\windows\system32\DRIVERS\vmmouse.sys --> c:\windows\system32\DRIVERS\vmmouse.sys [?]
S3 vmx_svga;vmx_svga;c:\windows\system32\DRIVERS\vmx_svga.sys --> c:\windows\system32\DRIVERS\vmx_svga.sys [?]
S3 vmxnet;VMware Ethernet Adapter Driver;c:\windows\system32\DRIVERS\vmxnet.sys --> c:\windows\system32\DRIVERS\vmxnet.sys [?]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [12/2/2006 6:17 AM 2805000]

--- Other Services/Drivers In Memory ---

*Deregistered* - uphcleanhlp

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder

2010-10-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-08 13:32]

2010-10-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-08 13:32]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://intranet.wlgore.com
uInternet Connection Wizard,ShellNext = hxxp://genie.wlgore.com/
uInternet Settings,ProxyServer = 157.204.22.4:8080
uInternet Settings,ProxyOverride = *.wlgore.com;127.0.0.1;localhost;157.204.*;chipsndip;32.85.*;192.168.*;<local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.2.0/GarminAxControl.CAB
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {2202D225-22C1-4B8C-A4B8-6A7E7B7E1524} - hxxps://cpc.on.intercall.com/confmgr/installs/ICWMInstall.cab
DPF: {8650EBA6-6CBB-11D2-A9E0-00E02C0159F9} - hxxp://chipsndip/CHipsNDip1/Activex/NWUsrGrp.ocx
DPF: {B1D21FC5-A742-4261-86F2-C7B7F1A31C5D} - hxxp://e1.wlgore.com/jde/axctls/jdewebctlsU.cab
DPF: {BEA7310D-06C4-4339-A784-DC3804819809} - hxxp://images3.pnimedia.com/ProductAssets/costcous/activex/v3_0_0_7/PhotoCenter_ActiveX_Control.cab
DPF: {EC747AE4-8EF6-11D0-B375-0000E20315E2} - hxxp://chipsndip/CHipsNDip1/Activex/NWSess.ocx
DPF: {F9E542CE-C16A-47FA-B7A8-D88E5F1C5719} - hxxp://e1.wlgore.com/jde/axctls/jdeexpimpU.cab
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)
HKLM-Run-ISUSPM Startup - c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe
HKLM-Run-ISUSScheduler - c:\program files\Common Files\InstallShield\UpdateService\issch.exe
HKLM-Run-Verizon_McciTrayApp - c:\program files\Verizon\McciTrayApp.exe
HKLM-Run-UnlockerAssistant - c:\documents and settings\BDEAN\Desktop\unlocker1.8.8-portable\UnlockerAssistant.exe
Notify-TPSvc - TPSvc.dll
SafeBoot-klmdb.sys


.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1344)
c:\program files\Novell\ZENworks\ZENPOL32.DLL
c:\windows\system32\xmlparse.dll
c:\windows\system32\ZenMup.dll
c:\windows\system32\NLS\ENGLISH\MAPBASER.DLL
c:\windows\system32\NLS\ENGLISH\NWSHLXNR.DLL
c:\windows\system32\NLS\ENGLISH\NOVNPNTR.DLL
c:\windows\system32\Novell\NCredMgr.dll
c:\windows\system32\PSWrapper.dll
c:\windows\System32\BCMLogon.dll
.
Completion time: 2010-10-16 11:47:00
ComboFix-quarantined-files.txt 2010-10-16 15:47

Pre-Run: 82,590,527,488 bytes free
Post-Run: 82,728,046,592 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 3E35C71ED8B0227A016A11930C74DE24


#6 sempai
Malware Response Team

Posted 16 October 2010 - 11:11 PM

Did you inform or contact the IT tech of the company and ask for their support? I don't usually offer help on office PCs because they are usually under company policy and sometimes any changes require the approval of the IT department first.

~Semp



#7 bdeandel
Topic Starter

Posted 17 October 2010 - 08:43 AM

I travel a lot so I am not at the home office to get help from them. It is okay for you to provide me with help.

#8 sempai
Malware Response Team

Posted 17 October 2010 - 09:31 AM

Alright, did you run the AVG remover on my previous post?


Download Security Check by screen317 from here or here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Edited by sempai, 17 October 2010 - 09:32 AM.

~Semp



#9 bdeandel
Topic Starter

Posted 17 October 2010 - 01:28 PM

Yes....I ran the AVG remover.

Results of screen317's Security Check version 0.99.5
Windows XP Service Pack 3
Internet Explorer 7 Out of date!
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
McAfee VirusScan Enterprise
McAfee AntiSpyware Enterprise Module
McAfee Agent
Antivirus up to date!
```````````````````````````````
Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware
Java Web Start
Java™ 6 Update 16
Out of date Java installed!
Adobe Flash Player
Adobe Reader 9.3.2
Chinese Simplified Fonts Support For Adobe Reader 9
Chinese Traditional Fonts Support For Adobe Reader 9
Korean Fonts Support For Adobe Reader 9
Japanese Fonts Support For Adobe Reader 9
````````````````````````````````
Process Check:
objlist.exe by Laurent

McAfee VirusScan Enterprise EngineServer.exe
McAfee VirusScan Enterprise VsTskMgr.exe
McAfee VirusScan Enterprise Mcshield.exe
McAfee VirusScan Enterprise SHSTAT.EXE
````````````````````````````````
DNS Vulnerability Check:

GREAT! (Not vulnerable to DNS cache poisoning)

``````````End of Log````````````


#10 sempai
Malware Response Team

Posted 18 October 2010 - 09:03 AM

We need to execute a ComboFix script. (Tutorials on how to disable your anti virus and anti malware programs can be found HERE.)
1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the code box below into it:

CODE
File::
c:\program files\Common Files\AdvBHO.dll

DDS::
TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File

SecCenter::
{8decf618-9569-4340-b34a-d78d28969b66}


4. Save this as CFScript.txt, in the same location as ComboFix.exe




5. Referring to the picture above, drag CFScript into ComboFix.exe

6. When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


~Semp


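The logs in posts #1 and #5 and the CFScript procedure in post #10 are the whole triage loop of this thread: read the DDS/ComboFix listing, pick out the entries that do not belong, hand the reviewed list back to ComboFix. The script below is an added example written for this page by the editor; it is not a BleepingComputer or ComboFix tool and not code any participant posted. It parses both timestamp layouts (DDS and ComboFix), flags the AdvBHO.dll pattern seen above (a 298000-byte DLL sitting in the user profile root and again in Common Files), flags Run entries that ComboFix could not resolve or that name a bare file resolved through the PATH search order, and formats a CFScript.txt with the File::, DDS:: and SecCenter:: sections sempai used. The sample lines are copied from the logs above; the reading of "[X]" as "target not found" and the flagging heuristics are the editor's assumptions, not ComboFix documentation.

```python
"""Triage helper for DDS/ComboFix logs (added example for this thread, not a
BleepingComputer or ComboFix tool; the heuristics below are the editor's own)."""
import re
from collections import defaultdict

# Constructed sample: lines copied from the DDS (post #1) and ComboFix (post #5)
# logs in this thread, so both timestamp layouts appear.
SAMPLE_LOG = r"""
2010-10-11 12:41:23 298000 ----a-w- c:\documents and settings\bdean\AdvBHO.dll
2010-10-15 13:00 . 2010-10-15 13:00 298000 ----a-w- c:\program files\Common Files\AdvBHO.dll
2010-10-11 14:08 . 2010-10-16 06:47 -------- d--h--w- c:\windows\system32\GroupPolicy
2010-08-17 13:17:06 58880 ----a-w- c:\windows\system32\spoolsv.exe
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AGNS_Config"="nircmd execmd" [X]
"NWTRAY"="NWTRAY.EXE" [2002-03-12 28672]
"nwiz"="nwiz.exe" [2009-01-30 1657376]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2010-01-07 124240]
"""

# DDS:      2010-10-11 12:41:23 298000 ----a-w- <path>
# ComboFix: 2010-10-15 13:00 . 2010-10-15 13:00 298000 ----a-w- <path>
FILE_LINE = re.compile(
    r"^\d{4}-\d\d-\d\d \d\d:\d\d(?::\d\d)?(?: \. \d{4}-\d\d-\d\d \d\d:\d\d)?\s+"
    r"(?P<size>\d+|-+)\s+(?P<attr>[-a-z]{8})\s+(?P<path>.+?)\s*$", re.I)
RUN_LINE = re.compile(r'^"(?P<name>[^"]+)"="(?P<cmd>[^"]*)"\s*\[(?P<meta>[^\]]*)\]\s*$')
# Assumption: a binary directly in c:\documents and settings\<user>\ is unusual on XP.
PROFILE_ROOT = re.compile(r"^c:\\documents and settings\\[^\\]+\\[^\\]+$", re.I)
EXEC_EXT = (".dll", ".exe", ".sys", ".ocx", ".scr", ".cmd", ".bat")


def parse_file_lines(text):
    """Yield (path, size or None, is_dir) for each file-listing line in either layout."""
    for line in text.splitlines():
        m = FILE_LINE.match(line.strip())
        if m:
            size = None if m["size"].startswith("-") else int(m["size"])
            yield m["path"], size, m["attr"].lower().startswith("d")


def flag_recent_executables(text):
    """Return {path: [reasons]} for executables worth a look: a file dropped straight
    into a profile root, or one file name present in several directories."""
    files = [(p, s) for p, s, is_dir in parse_file_lines(text)
             if not is_dir and p.lower().endswith(EXEC_EXT)]
    by_name = defaultdict(list)
    for path, _ in files:
        by_name[path.rsplit("\\", 1)[-1].lower()].append(path)
    flagged = defaultdict(list)
    for path, _ in files:
        if PROFILE_ROOT.match(path):
            flagged[path].append("executable directly in a user profile root")
        twins = [p for p in by_name[path.rsplit("\\", 1)[-1].lower()] if p != path]
        if twins:
            flagged[path].append("same file name also at: " + "; ".join(twins))
    return dict(flagged)


def review_run_entries(text):
    """Return [(key, name, command, reason)] for entries under a Run key that need a
    manual check.  Assumption: ComboFix prints [X] where it could not find the target;
    a bare file name is resolved through the PATH search order, so what actually runs
    depends on the environment rather than on the registry value."""
    out, key = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = RUN_LINE.match(line)
        if not (m and key and key.lower().endswith("\\run")):
            continue
        if m["meta"].strip().upper() == "X":
            out.append((key, m["name"], m["cmd"], "target not found on disk ([X])"))
        elif "\\" not in m["cmd"]:
            out.append((key, m["name"], m["cmd"], "bare file name, resolved via PATH"))
    return out


def build_cfscript(files=(), dds_lines=(), seccenter=()):
    """Format a CFScript.txt with the File::, DDS:: and SecCenter:: sections used in
    post #10.  Pass only items a helper has reviewed; File:: entries get removed."""
    out = []
    for header, items in (("File::", files), ("DDS::", dds_lines), ("SecCenter::", seccenter)):
        if items:
            out.extend([header, *items, ""])
    return "\n".join(out).rstrip("\n") + "\n"


if __name__ == "__main__":
    for path, reasons in flag_recent_executables(SAMPLE_LOG).items():
        print(path, "->", "; ".join(reasons))
    for key, name, cmd, reason in review_run_entries(SAMPLE_LOG):
        print(f"{key}  {name}={cmd!r}: {reason}")
    print(build_cfscript(files=[r"c:\program files\Common Files\AdvBHO.dll"],
                         dds_lines=["TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File"],
                         seccenter=["{8decf618-9569-4340-b34a-d78d28969b66}"]))
```

The script only proposes candidates; deciding what goes into File:: is still the helper's call, which is the point of the "ComboFix SHOULD NOT be used unless requested by a forum helper" note in post #4. On the sample it flags both AdvBHO.dll copies, the unresolved AGNS_Config entry, and the two PATH-resolved Novell/NVIDIA entries, and reproduces sempai's CFScript byte for byte.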

#11 bdeandel
Topic Starter

Posted 18 October 2010 - 09:29 AM

ComboFix 10-10-17.04 - BDEAN 10/18/2010 10:14:28.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3572.2477 [GMT -4:00]
Running from: c:\documents and settings\BDEAN\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\BDEAN\Desktop\CFScript.txt
AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning enabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

FILE ::
"c:\program files\Common Files\AdvBHO.dll"
.

((((((((((((((((((((((((( Files Created from 2010-09-18 to 2010-10-18 )))))))))))))))))))))))))))))))
.

2010-10-16 15:24 . 2010-10-16 15:24 -------- d-----w- C:\AVGTemp
2010-10-11 18:31 . 2010-10-11 19:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-10-11 14:42 . 2010-10-11 14:43 -------- d-----w- C:\CoreTechnology
2010-10-11 14:08 . 2010-10-18 04:32 -------- d--h--w- c:\windows\system32\GroupPolicy
2010-10-06 12:55 . 2010-10-06 12:55 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
2010-10-06 12:49 . 2010-10-06 20:27 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2010-09-24 18:07 . 2010-09-27 04:18 -------- d-----w- c:\documents and settings\BDEAN\Application Data\GARMIN

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

((((((((((((((((((((((((((((( SnapShot@2010-10-16_15.44.12 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-10-18 04:32 . 2010-10-18 04:32 16384 c:\windows\Temp\Perflib_Perfdata_4ac.dat
+ 2010-10-18 14:14 . 2010-10-18 14:14 16384 c:\windows\Temp\Perflib_Perfdata_1784.dat
- 2010-10-16 06:47 . 2010-10-14 19:26 14474 c:\windows\system32\GroupPolicy\Machine\Microsoft\Windows NT\SecEdit\XPSec.dat
+ 2010-10-18 04:32 . 2010-10-14 19:26 14474 c:\windows\system32\GroupPolicy\Machine\Microsoft\Windows NT\SecEdit\XPSec.dat
+ 2010-10-18 04:32 . 2010-10-14 19:26 45056 c:\windows\system32\GroupPolicy\Machine\Microsoft\Windows NT\SecEdit\IPS1.dat
- 2010-10-16 06:47 . 2010-10-14 19:26 45056 c:\windows\system32\GroupPolicy\Machine\Microsoft\Windows NT\SecEdit\IPS1.dat
+ 2010-10-18 13:25 . 2010-10-18 13:25 57344 c:\windows\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\ctinterfacesite_2010\ef35d7c6\e9a1c930\App_Web_xpx0jznp.dll
+ 2010-10-18 13:36 . 2010-10-18 13:36 57344 c:\windows\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\ctinterfacesite_2010\ef35d7c6\e9a1c930\App_Web_wr5nw3qq.dll
+ 2010-10-18 13:25 . 2010-10-18 13:25 69632 c:\windows\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\ctinterfacesite_2010\ef35d7c6\e9a1c930\App_Web_ewc-rsno.dll
+ 2010-10-18 13:24 . 2010-10-18 13:24 24576 c:\windows\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\ctinterfacesite_2010\ef35d7c6\e9a1c930\App_Code.dcu4lmva.dll
+ 2010-10-18 13:24 . 2010-10-18 13:24 69632 c:\windows\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\ctinterfacesite_2010\71a9994f\4711bb89\App_Web_ecof2bmj.dll
+ 2010-10-18 13:36 . 2010-10-18 13:36 57344 c:\windows\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\ctinterfacesite_2010\71a9994f\4711bb89\App_Web_bvb6e1fp.dll
+ 2010-10-18 13:24 . 2010-10-18 13:24 57344 c:\windows\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\ctinterfacesite_2010\71a9994f\4711bb89\App_Web_63nud4st.dll
+ 2010-10-18 13:24 . 2010-10-18 13:24 24576 c:\windows\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\ctinterfacesite_2010\71a9994f\4711bb89\App_Code.vwx43ne9.dll
+ 2010-03-24 14:26 . 2010-10-18 04:32 16384 c:\windows\itlm\cache\comps.dat
- 2010-03-24 14:26 . 2010-10-16 13:34 16384 c:\windows\itlm\cache\comps.dat
+ 2010-10-17 22:47 . 2010-10-17 22:47 21504 c:\windows\Installer\895b2db.msi
- 2010-03-24 14:26 . 2010-10-15 23:09 1556 c:\windows\itlm\cache\sys.dat
+ 2010-03-24 14:26 . 2010-10-18 12:49 1556 c:\windows\itlm\cache\sys.dat
+ 2010-03-24 14:26 . 2010-10-18 14:12 1704 c:\windows\itlm\cache\cmds.dat
- 2010-03-24 14:26 . 2010-10-16 15:38 1704 c:\windows\itlm\cache\cmds.dat
+ 2009-10-15 18:13 . 2010-10-18 12:20 248337 c:\windows\system32\nvModes.dat
+ 2009-10-19 13:32 . 2010-10-18 04:32 255950 c:\windows\system32\inetsrv\MetaBase.bin
+ 2010-03-24 14:26 . 2010-10-18 12:39 315392 c:\windows\itlm\cache\nativeinv.dat
- 2010-03-24 14:26 . 2010-10-16 13:34 315392 c:\windows\itlm\cache\nativeinv.dat
- 2010-03-24 14:26 . 2010-10-16 13:34 241664 c:\windows\itlm\cache\mods.dat
+ 2010-03-24 14:26 . 2010-10-18 04:32 241664 c:\windows\itlm\cache\mods.dat
- 2010-03-24 14:26 . 2010-10-16 13:34 286720 c:\windows\itlm\cache\inventory.dat
+ 2010-03-24 14:26 . 2010-10-18 12:39 286720 c:\windows\itlm\cache\inventory.dat
- 2010-03-24 14:26 . 2010-10-16 13:34 5730304 c:\windows\itlm\cache\catrel.dat
+ 2010-03-24 14:26 . 2010-10-18 04:32 5730304 c:\windows\itlm\cache\catrel.dat
- 2010-03-24 14:26 . 2010-10-16 13:34 3739648 c:\windows\itlm\cache\catmod.dat
+ 2010-03-24 14:26 . 2010-10-18 04:32 3739648 c:\windows\itlm\cache\catmod.dat
- 2010-03-24 14:26 . 2010-10-16 13:34 1765376 c:\windows\itlm\cache\catcomp.dat
+ 2010-03-24 14:26 . 2010-10-18 04:32 1765376 c:\windows\itlm\cache\catcomp.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
@="{C5994560-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
2009-08-13 23:55 85768 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
@="{C5994561-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
2009-08-13 23:55 85768 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
@="{C5994562-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
2009-08-13 23:55 85768 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
@="{C5994563-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
2009-08-13 23:55 85768 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
@="{C5994564-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
2009-08-13 23:55 85768 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
@="{C5994565-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
2009-08-13 23:55 85768 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
@="{C5994566-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
2009-08-13 23:55 85768 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
@="{C5994567-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
2009-08-13 23:55 85768 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
@="{C5994568-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
2009-08-13 23:55 85768 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NetSP - restore settings on power failure"="c:\program files\AT&T Global Network Client\NetSP.exe" [2008-10-09 87320]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AGNS_Config"="nircmd execmd" [X]
"NWTRAY"="NWTRAY.EXE" [2002-03-12 28672]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"NDPS"="c:\windows\system32\dpmw32.exe" [2004-05-17 32859]
"iPrint Tray"="c:\windows\system32\iprntctl.exe" [2009-12-04 53248]
"iPrint Event Monitor"="c:\windows\system32\iprntlgn.exe" [2009-12-04 57344]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2008-12-21 200704]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-01-30 13594624]
"nwiz"="nwiz.exe" [2009-01-30 1657376]
"NVHotkey"="nvHotkey.dll" [2009-01-30 90112]
"NvMediaCenter"="NvMCTray.dll" [2009-01-30 86016]
"AESTFltr"="c:\windows\system32\AESTFltr.exe" [2008-12-16 729088]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2008-06-02 2220032]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-02-26 128296]
"RoxioDragToDisc"="c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2006-08-17 1116920]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-03-03 155648]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2009-02-23 483420]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2010-01-07 124240]
"USBToolTip"="c:\progra~1\Pinnacle\SHARED~1\Programs\USBTip\USBTip.exe" [2007-02-20 199752]
"USB2Check"="c:\windows\system32\PCLECoInst.dll" [2006-11-06 81920]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-01-20 149280]
"Pistolstar_SSO"="c:\program files\Pistolstar\Password Power Client\APOSSO.exe" [2010-01-07 32768]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"Google Quick Search Box"="c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe" [2010-06-24 126976]
"DLBXCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLBXtime.dll" [2007-02-22 73728]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2010-06-01 140608]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Novell iFolder.lnk - c:\program files\Novell\iFolder\trayapp.exe [2006-9-27 266317]
SnagIt 7.lnk - c:\program files\TechSmith\SnagIt 7\SnagIt32.exe [2009-10-15 2277376]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"CompatibleRUPSecurity"= 1 (0x1)
"DisableCAD"= 1 (0x1)
"LogonType"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)
"NoPublishingWizard"= 1 (0x1)
"NoWebServices"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= c:\documents and settings\BDEAN\My Documents\My Pictures\lake-powell-sunset-portrait-photography.jpg
FriendlyName=

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{763370C4-268E-4308-A60C-D8DA0342BE32}"= "c:\program files\Novell\ZENworks\NalShell.dll" [2007-07-20 458752]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\NetIdentity Notification]
2007-01-10 17:52 24576 ----a-w- c:\windows\system32\Novell\xtnotify.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwv1_0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\McAfeeEngineService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\System32\\DPMW32.EXE"=
"c:\\Program Files\\Novell\\ZENworks\\RemoteManagement\\RMAgent\\ZenRem32.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=
"c:\\WINDOWS\\system32\\dlbxcoms.exe"=
"c:\\Program Files\\AT&T Global Network Client\\NetClient.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 NifFltr;NifFltr;c:\windows\system32\drivers\niffltr.sys [9/27/2006 3:46 PM 25300]
R0 vmscsi;vmscsi;c:\windows\system32\drivers\vmscsi.sys [1/1/1980 8:00 AM 17968]
R1 enstart_;enstart_;c:\windows\system32\enstart_.sys [10/15/2009 2:16 PM 25472]
R1 nipplpt2;Novell iCapture Lpt Redirector 2;c:\windows\system32\drivers\nipplpt.sys [1/14/2009 10:55 AM 34592]
R2 BlankScr;HBDevice;c:\windows\system32\drivers\blankscr.sys [5/23/2005 3:47 PM 6899]
R2 CITMDRV;CITMDRV;c:\windows\system32\drivers\CITMDRV.SYS [3/24/2010 10:26 AM 10752]
R2 enstart;enstart;c:\windows\system32\enstart.exe -s --> c:\windows\system32\enstart.exe -s [?]
R2 Lotus Notes Diagnostics;Lotus Notes Diagnostics;c:\program files\IBM\Lotus\Notes\nsd.exe [9/29/2009 12:29 PM 3397000]
R2 McAfeeEngineService;McAfee Engine Service;c:\program files\McAfee\VirusScan Enterprise\EngineServer.exe [1/6/2010 9:07 PM 22816]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [10/24/2009 1:41 AM 70728]
R2 Remote Management Agent;Novell ZENworks Remote Management Agent;c:\program files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe [5/9/2006 11:59 AM 167936]
R2 WNTHW;WNTHW;c:\windows\system32\drivers\WNTHW.SYS [1/6/2006 5:37 AM 9176]
R2 XTAgent;Novell XTier Agent Services;c:\windows\system32\Novell\xtagent.exe [1/10/2007 1:52 PM 61440]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [6/8/2009 5:01 AM 112512]
R3 cvusbdrv;Broadcom USH CV;c:\windows\system32\drivers\cvusbdrv.sys [9/16/2008 5:19 PM 32808]
R3 Darpan;Darpan;c:\windows\system32\drivers\Darpan.sys [5/23/2005 3:11 PM 2773]
R3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [9/15/2008 6:15 PM 244368]
R3 SMSIVZAM5;SMSIVZAM5 NDIS Protocol Driver;c:\progra~1\VERIZO~1\VZACCE~1\SMSIVZAM5.SYS [5/25/2009 3:43 PM 32408]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/8/2010 9:32 AM 135664]
S2 tlmagent;IBM License Metric Tool and Tivoli Asset Discover Agent;c:\windows\itlm\tlmagent.exe [3/24/2010 10:26 AM 897024]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [10/24/2009 1:41 AM 66600]
S3 vmci;VMware VMCI Bus Driver;c:\windows\system32\DRIVERS\vmci.sys --> c:\windows\system32\DRIVERS\vmci.sys [?]
S3 vmmouse;VMware Pointing Device;c:\windows\system32\DRIVERS\vmmouse.sys --> c:\windows\system32\DRIVERS\vmmouse.sys [?]
S3 vmx_svga;vmx_svga;c:\windows\system32\DRIVERS\vmx_svga.sys --> c:\windows\system32\DRIVERS\vmx_svga.sys [?]
S3 vmxnet;VMware Ethernet Adapter Driver;c:\windows\system32\DRIVERS\vmxnet.sys --> c:\windows\system32\DRIVERS\vmxnet.sys [?]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [12/2/2006 6:17 AM 2805000]

--- Other Services/Drivers In Memory ---

*Deregistered* - uphcleanhlp

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder

2010-10-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-08 13:32]

2010-10-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-08 13:32]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://intranet.wlgore.com
uInternet Connection Wizard,ShellNext = hxxp://genie.wlgore.com/
uInternet Settings,ProxyServer = 157.204.22.4:8080
uInternet Settings,ProxyOverride = *.wlgore.com;127.0.0.1;localhost;157.204.*;chipsndip;32.85.*;192.168.*;<local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.2.0/GarminAxControl.CAB
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {2202D225-22C1-4B8C-A4B8-6A7E7B7E1524} - hxxps://cpc.on.intercall.com/confmgr/installs/ICWMInstall.cab
DPF: {8650EBA6-6CBB-11D2-A9E0-00E02C0159F9} - hxxp://chipsndip/CHipsNDip1/Activex/NWUsrGrp.ocx
DPF: {B1D21FC5-A742-4261-86F2-C7B7F1A31C5D} - hxxp://e1.wlgore.com/jde/axctls/jdewebctlsU.cab
DPF: {BEA7310D-06C4-4339-A784-DC3804819809} - hxxp://images3.pnimedia.com/ProductAssets/costcous/activex/v3_0_0_7/PhotoCenter_ActiveX_Control.cab
DPF: {EC747AE4-8EF6-11D0-B375-0000E20315E2} - hxxp://chipsndip/CHipsNDip1/Activex/NWSess.ocx
DPF: {F9E542CE-C16A-47FA-B7A8-D88E5F1C5719} - hxxp://e1.wlgore.com/jde/axctls/jdeexpimpU.cab
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1344)
c:\program files\Novell\ZENworks\ZENPOL32.DLL
c:\windows\system32\xmlparse.dll
c:\windows\system32\ZenMup.dll
c:\windows\system32\NLS\ENGLISH\MAPBASER.DLL
c:\windows\system32\NLS\ENGLISH\NWSHLXNR.DLL
c:\windows\system32\NLS\ENGLISH\NOVNPNTR.DLL
c:\windows\system32\Novell\NCredMgr.dll
c:\windows\system32\PSWrapper.dll
c:\windows\System32\BCMLogon.dll

- - - - - - - > 'Explorer.exe'(5608)
c:\windows\system32\WININET.dll
c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
c:\program files\TortoiseSVN\bin\TortoiseStub.dll
c:\program files\TortoiseSVN\bin\TortoiseSVN.dll
c:\program files\TortoiseSVN\bin\intl3_tsvn.dll
c:\windows\system32\ieframe.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\program files\McAfee\Common Framework\McTrayLegacySupportPlugin.dll
c:\program files\McAfee\Common Framework\McTrayInterfaceLib.dll
c:\program files\McAfee\Common Framework\McAfeeWin32GUISupportDLL.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-10-18 10:25:15
ComboFix-quarantined-files.txt 2010-10-18 14:25
ComboFix2.txt 2010-10-16 15:47

Pre-Run: 82,639,167,488 bytes free
Post-Run: 82,670,534,656 bytes free

- - End Of File - - 9958FA83D8E5565B773623771363F687


#12 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • Gender:Male
  • Location:3 stars and a sun

Posted 18 October 2010 - 09:34 AM

How's the PC running?


1. Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older versions of Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "JDK 6 Update 22 (JDK or JRE)...allows end-users to run Java applications".
  • Click the "Download JRE" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Control Panel > Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u22-windows-i586-p.exe to install the newest version.



2. Please go to Kaspersky website and perform an online antivirus scan.
  1. Read through the requirements and privacy statement and click on Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  9. Please post this log in your next reply.
Note: Kaspersky online scan may take time to complete, please be patient.

~Semp

You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied to within 5 days will be closed. Please don't PM asking for support; post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 

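The Java step above relies on the user finding every leftover "Java Runtime Environment (JRE or J2SE)" item by eye in Add/Remove Programs. The following is an added example, not part of sempai's instructions or of any tool named in the thread: it reads the same Uninstall registry entries that Add/Remove Programs displays, lists every Java-related entry, and warns about any whose version is older than 6 Update 22. It assumes PowerShell is present on the machine and, as a labelled assumption, that the installer records 6u22 as DisplayVersion "6.0.220".

```powershell
# Added example (not from the thread): inventory Java entries in Add/Remove
# Programs so leftover old versions can be spotted before the new one goes on.
# Assumption: PowerShell is available. The Wow6432Node path only matters on
# 64-bit hosts; it is harmless on the x86 XP machine in this thread.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Every row here corresponds to one item shown in Add/Remove Programs.
$javaEntries = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match 'Java|J2SE|JRE|JDK' } |
    Select-Object DisplayName, DisplayVersion, InstallLocation, UninstallString, PSChildName

$javaEntries | Format-Table -AutoSize

# Assumption: the Sun installer writes DisplayVersion as "6.0.220" for 6u22.
# Entries whose DisplayVersion does not parse as a version are reported
# separately rather than silently skipped.
$current = [Version]'6.0.220'
foreach ($e in $javaEntries) {
    $v = $e.DisplayVersion -as [Version]   # $null when the string is not a version
    if ($v -eq $null) {
        Write-Warning ("Cannot parse version for {0}: '{1}'" -f $e.DisplayName, $e.DisplayVersion)
    }
    elseif ($v -lt $current) {
        Write-Warning ("Older Java still installed: {0} ({1}); remove it via Add/Remove Programs" -f $e.DisplayName, $e.DisplayVersion)
    }
}
```

Run it before and after the Add/Remove Programs step: the second run should print no warnings and a single entry at or above 6.0.220, which confirms that no exploitable older runtime was left behind alongside the new one.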

#13 bdeandel

bdeandel
  • Topic Starter

  • Members
  • 37 posts

Posted 19 October 2010 - 10:29 PM

The computer is running much much better.

Installed the newest Java update...

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Tuesday, October 19, 2010
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Tuesday, October 19, 2010 15:23:45
Records in database: 4186104
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
V:\

Scan statistics:
Objects scanned: 188522
Threats found: 0
Infected objects found: 0
Suspicious objects found: 0
Scan duration: 04:44:52

No threats found. Scanned area is clean.

Selected area has been scanned.

#14 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • Gender:Male
  • Location:3 stars and a sun

Posted 20 October 2010 - 04:49 AM

How's the computer running?


Scan With RKUnHooker
  • Please Download Rootkit Unhooker Save it to your desktop.
  • Now double-click on RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Check (tick) Drivers and Stealth. Uncheck the rest, then click OK.
  • Wait till the scanner has finished and then click File, Save Report.
  • Save the report somewhere where you can find it. Click Close.
Copy the entire contents of the report and paste it in a reply here.

Note: Just ignore the warning below if you get it.

"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"

~Semp



#15 bdeandel

bdeandel
  • Topic Starter

  • Members
  • 37 posts

Posted 20 October 2010 - 07:49 AM

Here are the results of the scan:

RkU Version: 3.8.388.590, Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 3)
Number of processors #2
==============================================
>Drivers
==============================================
0xB5D6E000 C:\WINDOWS\system32\DRIVERS\nv4_mini.sys 6254592 bytes (NVIDIA Corporation, NVIDIA Compatible Windows 2000 Miniport Driver, Version 179.47 )
0xBD012000 C:\WINDOWS\System32\nv4_disp.dll 6070272 bytes (NVIDIA Corporation, NVIDIA Compatible Windows 2000 Display driver, Version 179.47 )
0x804D7000 C:\WINDOWS\system32\ntkrnlpa.exe 2150400 bytes (Microsoft Corporation, NT Kernel & System)
0x804D7000 PnpManager 2150400 bytes
0x804D7000 RAW 2150400 bytes
0x804D7000 WMIxWDM 2150400 bytes
0xBF800000 Win32k 1863680 bytes
0xBF800000 C:\WINDOWS\System32\win32k.sys 1863680 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0xAB300000 C:\WINDOWS\system32\drivers\sthda.sys 1486848 bytes (IDT, Inc., IDT PC Audio)
0xB5B95000 C:\WINDOWS\system32\DRIVERS\bcmwl5.sys 1290240 bytes (Broadcom Corporation, Broadcom 802.11 Network Adapter wireless driver)
0xAB191000 C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys 987136 bytes (Conexant Systems, Inc., HSF_DP driver)
0xAAD37000 C:\WINDOWS\System32\Drivers\dump_iaStor.sys 851968 bytes
0xB7E1D000 iaStor.sys 851968 bytes (Intel Corporation, Intel Matrix Storage Manager driver - ia32)
0xAB0DE000 C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys 733184 bytes (Conexant Systems, Inc., HSF_CNXT driver)
0xB7CC1000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)
0xA82EA000 C:\WINDOWS\system32\NetWare\nwfs.sys 507904 bytes (Novell, Inc., Novell NetWare Redirector)
0xB5AD9000 C:\WINDOWS\system32\DRIVERS\Wdf01000.sys 503808 bytes (Microsoft Corporation, WDF Dynamic)
0xAAE07000 C:\WINDOWS\system32\DRIVERS\mrxsmb.sys 458752 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
0xB59C4000 C:\WINDOWS\system32\DRIVERS\update.sys 385024 bytes (Microsoft Corporation, Update Driver)
0xAAFDA000 C:\WINDOWS\system32\DRIVERS\tcpip.sys 364544 bytes (Microsoft Corporation, TCP/IP Protocol Driver)
0xA821B000 C:\WINDOWS\system32\DRIVERS\srv.sys 356352 bytes (Microsoft Corporation, Server driver)
0xB7C28000 mfehidk.sys 335872 bytes (McAfee, Inc., McAfee Link Driver)
0xBFFA0000 C:\WINDOWS\System32\ATMFD.DLL 286720 bytes (Adobe Systems Incorporated, Windows NT OpenType/Type 1 Font Driver)
0xA7424000 C:\WINDOWS\System32\Drivers\HTTP.sys 266240 bytes (Microsoft Corporation, HTTP Protocol Stack)
0xB5D1C000 C:\WINDOWS\system32\DRIVERS\e1y5132.sys 253952 bytes (Intel Corporation, Intel® Gigabit Network Connection NDIS 5.1 deserialized driver)
0xB5AA2000 C:\WINDOWS\system32\DRIVERS\agnfilt.sys 225280 bytes (AT&T, Net Firewall)
0xAB282000 C:\WINDOWS\system32\DRIVERS\HSFHWAZL.sys 212992 bytes (Conexant Systems, Inc., HSF_HWAZL WDM driver)
0xB5A4A000 C:\WINDOWS\system32\DRIVERS\rdpdr.sys 196608 bytes (Microsoft Corporation, Microsoft RDP Device redirector)
0xB7F79000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)
0xB5996000 C:\WINDOWS\system32\DRIVERS\MarvinBus.sys 188416 bytes (Pinnacle Systems GmbH, Pinnacle Marvin Discrete Bus Enumerator)
0xB5B54000 C:\WINDOWS\system32\DRIVERS\Apfiltr.sys 184320 bytes (Alps Electric Co., Ltd., Alps Touch Pad Driver)
0xA838E000 C:\WINDOWS\system32\DRIVERS\mrxdav.sys 184320 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)
0xB7C94000 NDIS.sys 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)
0xB7DC0000 dac2w2k.sys 180224 bytes (Mylex Corporation, Mylex Disk Array Controller Driver)
0x9D66F000 C:\WINDOWS\system32\drivers\kmixer.sys 176128 bytes (Microsoft Corporation, Kernel Mode Audio Mixer)
0xAAE77000 C:\WINDOWS\system32\DRIVERS\rdbss.sys 176128 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0xB5CD0000 C:\WINDOWS\system32\DRIVERS\HDAudBus.sys 163840 bytes (Windows ® Server 2003 DDK provider, High Definition Audio Bus Driver v1.0a)
0xAAF8C000 C:\WINDOWS\system32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)
0xA83BB000 C:\WINDOWS\system32\NetWare\srvloc.sys 163840 bytes (Novell, Inc., SLP Driver)
0xB7F05000 dmio.sys 155648 bytes (Microsoft Corp., Veritas Software, NT Disk Manager I/O Driver)
0xAAFB4000 C:\WINDOWS\system32\DRIVERS\ipnat.sys 155648 bytes (Microsoft Corporation, IP Network Address Translator)
0xAB2DC000 C:\WINDOWS\system32\drivers\portcls.sys 147456 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0xB5CF8000 C:\WINDOWS\system32\DRIVERS\USBPORT.SYS 147456 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0xB73B9000 C:\WINDOWS\system32\DRIVERS\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)
0xAAEA2000 C:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0x806E4000 ACPI_HAL 134528 bytes
0x806E4000 C:\WINDOWS\system32\hal.dll 134528 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0xB7DA0000 fltmgr.sys 131072 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0xB7F2B000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver)
0xB7F4A000 pcmcia.sys 122880 bytes (Microsoft Corporation, PCMCIA Bus Driver)
0xAB2C0000 C:\WINDOWS\system32\drivers\AESTAud.sys 114688 bytes (Andrea Electronics Corporation, Andrea Audio Driver)
0xB7C7A000 Mup.sys 106496 bytes (Microsoft Corporation, Multiple UNC Provider driver)
0xB7DEC000 adpu160m.sys 102400 bytes (Microsoft Corporation, Adaptec Ultra160 SCSI miniport)
0xB7E05000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)
0xA853B000 C:\WINDOWS\System32\DLA\DLAIFS_M.SYS 98304 bytes (Roxio, Drive Letter Access Component)
0xB7EED000 C:\WINDOWS\system32\DRIVERS\SCSIPORT.SYS 98304 bytes (Microsoft Corporation, SCSI Port Driver)
0xA850E000 C:\WINDOWS\System32\DLA\DLAUDF_M.SYS 94208 bytes (Roxio, Drive Letter Access Component)
0xB7D61000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0xB5A8B000 C:\WINDOWS\system32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
0xA8525000 C:\WINDOWS\System32\DLA\DLAUDFAM.SYS 90112 bytes (Roxio, Drive Letter Access Component)
0xB7D78000 DRVMCDB.SYS 90112 bytes (Sonic Solutions, Device Driver)
0x9F85E000 C:\WINDOWS\system32\drivers\mfeavfk.sys 86016 bytes (McAfee, Inc., Anti-Virus File System Filter Driver)
0xA8459000 C:\WINDOWS\system32\drivers\wdmaud.sys 86016 bytes (Microsoft Corporation, MMSYSTEM Wave/Midi API mapper)
0xB5B81000 C:\WINDOWS\system32\DRIVERS\sdbus.sys 81920 bytes (Microsoft Corporation, SecureDigital Bus Driver)
0xB5D5A000 C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver)
0xAB033000 C:\WINDOWS\system32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver)
0xB7D4E000 WudfPf.sys 77824 bytes (Microsoft Corporation, Windows Driver Foundation - User-mode Driver Framework Platform Driver)
0xBD000000 C:\WINDOWS\System32\drivers\dxg.sys 73728 bytes (Microsoft Corporation, DirectX Graphics Driver)
0xB7D8E000 sr.sys 73728 bytes (Microsoft Corporation, System Restore Filesystem Filter Driver)
0x9D89A000 C:\WINDOWS\system32\drivers\mfeapfk.sys 69632 bytes (McAfee, Inc., Access Protection Filter Driver)
0xB7F68000 pci.sys 69632 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
0xB5A7A000 C:\WINDOWS\system32\DRIVERS\psched.sys 69632 bytes (Microsoft Corporation, MS QoS Packet Scheduler)
0xAB679000 C:\WINDOWS\System32\Drivers\Cdfs.SYS 65536 bytes (Microsoft Corporation, CD-ROM File System Driver)
0xB8288000 C:\WINDOWS\system32\DRIVERS\cdrom.sys 65536 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
0xB8228000 C:\WINDOWS\system32\DRIVERS\nic1394.sys 65536 bytes (Microsoft Corporation, IEEE1394 Ndis Miniport and Call Manager)
0xB81A8000 ohci1394.sys 65536 bytes (Microsoft Corporation, 1394 OpenHCI Port Driver)
0xABAF7000 C:\WINDOWS\system32\DRIVERS\arp1394.sys 61440 bytes (Microsoft Corporation, IP/1394 Arp Client)
0xABDB2000 C:\WINDOWS\system32\drivers\drmk.sys 61440 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
0xB8298000 C:\WINDOWS\system32\DRIVERS\redbook.sys 61440 bytes (Microsoft Corporation, Redbook Audio Filter Driver)
0xB7BB8000 C:\WINDOWS\system32\DRIVERS\rimmptsk.sys 61440 bytes (REDC, RICOH SD Driver)
0xB742C000 C:\WINDOWS\system32\drivers\sysaudio.sys 61440 bytes (Microsoft Corporation, System Audio WDM Filter)
0xB188B000 C:\WINDOWS\system32\DRIVERS\usbhub.sys 61440 bytes (Microsoft Corporation, Default Hub Driver for USB)
0xB81B8000 C:\WINDOWS\system32\DRIVERS\1394BUS.SYS 57344 bytes (Microsoft Corporation, 1394 Bus Device Driver)
0xB8108000 aic78u2.sys 57344 bytes (Microsoft Corporation, Adaptec Ultra2 SCSI miniport)
0xB80D8000 aic78xx.sys 57344 bytes (Microsoft Corporation, Adaptec Ultra SCSI miniport)
0xABB37000 C:\WINDOWS\system32\drivers\mfetdik.sys 57344 bytes (McAfee, Inc., Anti-Virus Mini-Firewall Driver)
0xB8168000 C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS 53248 bytes (Microsoft Corporation, SCSI Class System Dll)
0xB7BA8000 C:\WINDOWS\system32\DRIVERS\i8042prt.sys 53248 bytes (Microsoft Corporation, i8042 Port Driver)
0xB8258000 C:\WINDOWS\system32\DRIVERS\rasl2tp.sys 53248 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
0xB80C8000 VolSnap.sys 53248 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0xB7B98000 C:\WINDOWS\system32\DRIVERS\WDFLDR.SYS 53248 bytes (Microsoft Corporation, WDFLDR)
0xB8148000 ql12160.sys 49152 bytes (QLogic Corporation, Miniport Driver for QLogic ISP PCI Adapters)
0xB8138000 ql1280.sys 49152 bytes (QLogic Corporation, Miniport Driver for QLogic ISP PCI Adapters)
0xB69EE000 C:\WINDOWS\system32\DRIVERS\raspptp.sys 49152 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
0xAB649000 C:\WINDOWS\system32\DRIVERS\usbccid.sys 49152 bytes (Microsoft Corporation, USB CCID Driver)
0xB81D8000 agp440.sys 45056 bytes (Microsoft Corporation, 440 NT AGP Filter)
0xB8208000 agpCPQ.sys 45056 bytes (Microsoft Corporation, CompatNT AGP Filter)
0xB81E8000 alim1541.sys 45056 bytes (Microsoft Corporation, ALi M1541 NT AGP Filter)
0xB81F8000 amdagp.sys 45056 bytes (Advanced Micro Devices, Inc., AMD Win2000 AGP Filter)
0xAB659000 C:\WINDOWS\System32\Drivers\cvusbdrv.sys 45056 bytes (Broadcom Corporation, Broadcom Credential Vault USB Driver)
0xAAF3C000 C:\WINDOWS\System32\Drivers\DRVNDDM.SYS 45056 bytes (Roxio, Device Driver Manager)
0xABAC7000 C:\WINDOWS\System32\Drivers\Fips.SYS 45056 bytes (Microsoft Corporation, FIPS Crypto Driver)
0xB8278000 C:\WINDOWS\system32\DRIVERS\imapi.sys 45056 bytes (Microsoft Corporation, IMAPI Kernel Driver)
0xB80B8000 MountMgr.sys 45056 bytes (Microsoft Corporation, Mount Manager)
0xAB6B9000 C:\WINDOWS\system32\NetWare\nwdns.sys 45056 bytes (Novell, Inc., DNS Service)
0xB8268000 C:\WINDOWS\system32\DRIVERS\raspppoe.sys 45056 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
0xB8198000 viaagp.sys 45056 bytes (Microsoft Corporation, VIA NT AGP Filter)
0xB80A8000 isapnp.sys 40960 bytes (Microsoft Corporation, PNP ISA Bus Driver)
0xB63A5000 C:\WINDOWS\System32\Drivers\NDProxy.SYS 40960 bytes (Microsoft Corporation, NDIS Proxy)
0xB81C8000 Nicm.sys 40960 bytes (Novell, Inc., Novell InterService Communication Driver)
0xB8128000 ql1080.sys 40960 bytes (QLogic Corporation, Miniport Driver for QLogic ISP PCI Adapters)
0xB80F8000 ql1240.sys 40960 bytes (Microsoft Corporation, QLogic ISP PCI Adapters)
0xB8188000 sisagp.sys 40960 bytes (Silicon Integrated Systems Corporation, SiS NT AGP Filter)
0xB69CE000 C:\WINDOWS\system32\DRIVERS\termdd.sys 40960 bytes (Microsoft Corporation, Terminal Server Driver)
0xAB699000 C:\WINDOWS\system32\drivers\bcmwlnpf.sys 36864 bytes (CACE Technologies, npf)
0xB8158000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver)
0xAB669000 C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS 36864 bytes (Microsoft Corporation, Hid Class Library)
0xB7B88000 C:\WINDOWS\system32\DRIVERS\intelppm.sys 36864 bytes (Microsoft Corporation, Processor Device Driver)
0x9ED8E000 C:\WINDOWS\system32\drivers\mfebopk.sys 36864 bytes (McAfee, Inc., Buffer Overflow Protection Driver)
0xB69DE000 C:\WINDOWS\system32\DRIVERS\msgpc.sys 36864 bytes (Microsoft Corporation, MS General Packet Classifier)
0xABB17000 C:\WINDOWS\system32\DRIVERS\netbios.sys 36864 bytes (Microsoft Corporation, NetBIOS interface driver)
0xABAD7000 C:\WINDOWS\system32\drivers\nipplpt.sys 36864 bytes
0x9CB22000 C:\WINDOWS\System32\Drivers\Normandy.SYS 36864 bytes (RKU Driver)
0xB8178000 PxHelp20.sys 36864 bytes (Sonic Solutions, Px Engine Device Driver for Windows 2000/XP)
0xB80E8000 ql10wnt.sys 36864 bytes (Microsoft Corporation, Miniport Driver for QLogic ISP PCI Adapters)
0xB8118000 ultra.sys 36864 bytes (Promise Technology, Inc., Promise Ultra66 Miniport Driver)
0xABB27000 C:\WINDOWS\system32\DRIVERS\wanarp.sys 36864 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
0xB8438000 C:\WINDOWS\System32\Drivers\Modem.SYS 32768 bytes (Microsoft Corporation, Modem Device Driver)
0xABA32000 C:\WINDOWS\System32\Drivers\Npfs.SYS 32768 bytes (Microsoft Corporation, NPFS Driver)
0xB8358000 symc8xx.sys 32768 bytes (LSI Logic, Symbios 8XX SCSI Miniport Driver)
0xB8368000 sym_u3.sys 32768 bytes (LSI Logic, Symbios Ultra3 SCSI Miniport Driver)
0xAB7C0000 C:\WINDOWS\system32\DRIVERS\usbccgp.sys 32768 bytes (Microsoft Corporation, USB Common Class Generic Parent Driver)
0xB8418000 C:\WINDOWS\system32\DRIVERS\usbehci.sys 32768 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
0xB8340000 asc.sys 28672 bytes (Advanced System Products, Inc., AdvanSys SCSI Controller Driver)
0xB83B0000 C:\WINDOWS\System32\drivers\CITMDRV.SYS 28672 bytes
0xB8478000 C:\WINDOWS\System32\DLA\DLABMFSM.SYS 28672 bytes (Roxio, Drive Letter Access Component)
0xB8480000 C:\WINDOWS\System32\DLA\DLABOIOM.SYS 28672 bytes (Roxio, Drive Letter Access Component)
0xABA2A000 C:\WINDOWS\system32\enstart_.sys 28672 bytes (Guidance Software Inc., EnCase Driver)
0xABA4A000 C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS 28672 bytes (Microsoft Corporation, Hid Parsing Library)
0xB8390000 hpn.sys 28672 bytes (Microsoft Corporation, NetRAID-4M Miniport Driver)
0xB8328000 C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS 28672 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
0xB8388000 perc2.sys 28672 bytes (Microsoft Corporation, PERC 2 Miniport Driver)
0xB84A0000 C:\WINDOWS\system32\NetWare\resmgr.sys 28672 bytes (Novell, Inc., Novell NetWare Resource Manager)
0xB8458000 C:\WINDOWS\system32\DRIVERS\RimSerial.sys 28672 bytes (Research in Motion Ltd, RIM Virtual Serial Driver)
0xB8490000 C:\PROGRA~1\VERIZO~1\VZACCE~1\SMSIVZAM5.SYS 28672 bytes (Smith Micro Inc., Smith Micro NDIS 5.0 Protocol Driver)
0xB8360000 sym_hi.sys 28672 bytes (LSI Logic, Symbios Hi-Perf SCSI Miniport Driver)
0xB8370000 ABP480N5.SYS 24576 bytes (Microsoft Corporation, AdvanSys SCSI Controller Driver)
0xB8378000 asc3350p.sys 24576 bytes (Microsoft Corporation, AdvanSys SCSI Card Driver)
0xABA52000 C:\WINDOWS\System32\Drivers\DLARTL_M.SYS 24576 bytes (Roxio, Shared Driver Component)
0xB8430000 C:\WINDOWS\system32\DRIVERS\kbdclass.sys 24576 bytes (Microsoft Corporation, Keyboard Class Driver)
0xB8428000 C:\WINDOWS\system32\DRIVERS\mouclass.sys 24576 bytes (Microsoft Corporation, Mouse Class Driver)
0xB8410000 C:\WINDOWS\system32\DRIVERS\usbuhci.sys 24576 bytes (Microsoft Corporation, UHCI USB Miniport Driver)
0xABA42000 C:\WINDOWS\System32\drivers\vga.sys 24576 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
0xB8498000 C:\WINDOWS\system32\DRIVERS\agnwifi.sys 20480 bytes (AT&T, Wi-Fi Driver)
0xB8470000 C:\WINDOWS\System32\DLA\DLAOPIOM.SYS 20480 bytes (Roxio, Drive Letter Access Component)
0xB8380000 dpti2o.sys 20480 bytes (Microsoft Corporation, DPT SmartRAID miniport)
0xB8350000 i2omp.sys 20480 bytes (Microsoft Corporation, I2O Miniport Driver)
0xB8348000 mraid35x.sys 20480 bytes (American Megatrends Inc., MegaRAID RAID Controller Driver for Windows Whistler 32)
0xABA3A000 C:\WINDOWS\System32\Drivers\Msfs.SYS 20480 bytes (Microsoft Corporation, Mailslot driver)
0xAB7F0000 C:\WINDOWS\system32\NetWare\nwdhcp.sys 20480 bytes (Novell, Inc., DHCP Service)
0xB83A0000 C:\WINDOWS\system32\NetWare\nwslp.sys 20480 bytes (Novell, Inc., SLP Svc Provider)
0xB8330000 PartMgr.sys 20480 bytes (Microsoft Corporation, Partition Manager)
0xB8448000 C:\WINDOWS\system32\DRIVERS\ptilink.sys 20480 bytes (Parallel Technologies, Inc., Parallel Technologies DirectParallel IO Library)
0xB8450000 C:\WINDOWS\system32\DRIVERS\raspti.sys 20480 bytes (Microsoft Corporation, PTI DirectParallel® mini-port/call-manager driver)
0xB8338000 sparrow.sys 20480 bytes (Adaptec, Inc., Adaptec AIC-6x60 series SCSI miniport)
0xB8440000 C:\WINDOWS\system32\DRIVERS\TDI.SYS 20480 bytes (Microsoft Corporation, TDI Wrapper)
0xABF30000 C:\WINDOWS\System32\watchdog.sys 20480 bytes (Microsoft Corporation, Watchdog Driver)
0xB84CC000 aha154x.sys 16384 bytes (Microsoft Corporation, Adaptec AHA-154x series SCSI miniport)
0xB84DC000 asc3550.sys 16384 bytes (Advanced System Products, Inc., AdvanSys Ultra-Wide PCI SCSI Driver)
0xB84C0000 C:\WINDOWS\system32\DRIVERS\BATTC.SYS 16384 bytes (Microsoft Corporation, Battery Class Driver)
0xB84E4000 cbidf2k.sys 16384 bytes (Microsoft Corporation, CardBus/PCMCIA IDE Miniport Driver)
0xB7ADB000 C:\WINDOWS\system32\DRIVERS\CmBatt.sys 16384 bytes (Microsoft Corporation, Control Method Battery Driver)
0xB84C8000 cpqarray.sys 16384 bytes (Microsoft Corporation, Compaq Drive Array Controllers SCSI Miniport Driver)
0xB84D4000 dac960nt.sys 16384 bytes (Microsoft Corporation, Mylex Disk Array Controller Driver)
0xB84E0000 ini910u.sys 16384 bytes (Microsoft Corporation, INITIO ini910u SCSI miniport)
0xAAEDC000 C:\WINDOWS\system32\DRIVERS\kbdhid.sys 16384 bytes (Microsoft Corporation, HID Mouse Filter Driver)
0xA8207000 C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys 16384 bytes (Conexant, Diagnostic Interface x86 Driver)
0xB7B60000 C:\WINDOWS\system32\DRIVERS\mssmbios.sys 16384 bytes (Microsoft Corporation, System Management BIOS Driver)
0xB0E56000 C:\WINDOWS\system32\DRIVERS\ndisuio.sys 16384 bytes (Microsoft Corporation, NDIS User mode I/O Driver)
0xB84EC000 nwfilter.sys 16384 bytes
0xAAEE4000 C:\WINDOWS\system32\DRIVERS\SMCLIB.SYS 16384 bytes (Microsoft Corporation, Smard Card Driver Library)
0xB84D0000 symc810.sys 16384 bytes (Symbios Logic Inc., Symbios Logic Inc. SCSI Miniport Driver)
0xB84C4000 ACPIEC.sys 12288 bytes (Microsoft Corporation, ACPI Embedded Controller Driver)
0xB84D8000 amsint.sys 12288 bytes (Microsoft Corporation, AMD SCSI/NET Controller)
0xB84B8000 C:\WINDOWS\system32\BOOTVID.dll 12288 bytes (Microsoft Corporation, VGA Boot Driver)
0xB84BC000 compbatt.sys 12288 bytes (Microsoft Corporation, Composite Battery Driver)
0xAB9A5000 C:\WINDOWS\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver)
0xAAEE8000 C:\WINDOWS\system32\DRIVERS\hidusb.sys 12288 bytes (Microsoft Corporation, USB Miniport Driver for Input Devices)
0xABC92000 C:\WINDOWS\System32\Drivers\i2omgmt.SYS 12288 bytes (Microsoft Corporation, I2O Utility Filter)
0xAAED8000 C:\WINDOWS\system32\DRIVERS\mouhid.sys 12288 bytes (Microsoft Corporation, HID Mouse Filter Driver)
0xB7ACB000 C:\WINDOWS\system32\DRIVERS\ndistapi.sys 12288 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
0xB84F0000 NifFltr.sys 12288 bytes
0xA849E000 C:\WINDOWS\system32\NetWare\NWHOST.sys 12288 bytes (Novell, Inc., Novell Client HostFile Service Provider)
0xABC86000 C:\WINDOWS\system32\DRIVERS\rasacd.sys 12288 bytes (Microsoft Corporation, RAS Automatic Connection Driver)
0xB84E8000 vmscsi.sys 12288 bytes (VMware, Inc., VMware SCSI Controller Driver)
0xB7AD7000 C:\WINDOWS\system32\DRIVERS\wmiacpi.sys 12288 bytes (Microsoft Corporation, Windows Management Interface for ACPI)
0xB85AC000 aliide.sys 8192 bytes (Acer Laboratories Inc., ALi mini IDE Driver)
0xB863E000 C:\WINDOWS\System32\Drivers\Beep.SYS 8192 bytes (Microsoft Corporation, BEEP Driver)
0xAF2C4000 C:\WINDOWS\System32\Drivers\BlankScr.SYS 8192 bytes (Novell Inc., Screen Blanking Driver)
0xB85B8000 cd20xrnt.sys 8192 bytes (Microsoft Corporation, IBM Portable CD-ROM Drive Miniport)
0xB85AE000 cmdide.sys 8192 bytes (CMD Technology, Inc., CMD PCI IDE Bus Driver)
0xB85D8000 C:\WINDOWS\System32\Drivers\DLACDBHM.SYS 8192 bytes (Roxio, Shared Driver Component)
0xB8614000 C:\WINDOWS\System32\DLA\DLAPoolM.SYS 8192 bytes (Roxio, Drive Letter Access Component)
0xB85B6000 dmload.sys 8192 bytes (Microsoft Corp., Veritas Software., NT Disk Manager Startup Driver)
0xB863C000 C:\WINDOWS\System32\Drivers\Fs_Rec.SYS 8192 bytes (Microsoft Corporation, File System Recognizer Driver)
0xB85B4000 intelide.sys 8192 bytes (Microsoft Corporation, Intel PCI IDE Driver)
0xB85A8000 C:\WINDOWS\system32\KDCOM.DLL 8192 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
0xB8640000 C:\WINDOWS\System32\Drivers\mnmdd.SYS 8192 bytes (Microsoft Corporation, Frame buffer simulator)
0xB0BFD000 C:\WINDOWS\system32\NetWare\NWSNS.sys 8192 bytes (Novell, Inc., Novell Client Simple Naming Services)
0xB85BA000 perc2hib.sys 8192 bytes (Microsoft Corporation, PERC 2 Hibernate Driver)
0xB8642000 C:\WINDOWS\System32\DRIVERS\RDPCDD.sys 8192 bytes (Microsoft Corporation, RDP Miniport)
0xB85FE000 C:\WINDOWS\System32\Drivers\RootMdm.sys 8192 bytes (Microsoft Corporation, Legacy Non-Pnp Modem Device Driver)
0xB8600000 C:\WINDOWS\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
0xB85B0000 toside.sys 8192 bytes (Microsoft Corporation, Toshiba PCI IDE Controller)
0xB85DE000 C:\WINDOWS\system32\Drivers\uphcleanhlp.sys 8192 bytes
0xB864A000 C:\WINDOWS\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
0xB85B2000 viaide.sys 8192 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)
0xB85AA000 C:\WINDOWS\system32\DRIVERS\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
0xB8644000 C:\WINDOWS\system32\DRIVERS\WNTHW.SYS 8192 bytes
0xB869F000 C:\WINDOWS\system32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver)
0xB869E000 C:\WINDOWS\system32\Drivers\Darpan.sys 4096 bytes (Novell, Inc., ZENworks Remote Management driver)
0xB87BB000 C:\WINDOWS\System32\DLA\DLADResM.SYS 4096 bytes (Roxio, Drive Letter Access Component)
0xB8776000 C:\WINDOWS\System32\drivers\dxgthk.sys 4096 bytes (Microsoft Corporation, DirectX Graphics Driver Thunk)
0xABCBB000 C:\WINDOWS\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver)
0xB8671000 C:\WINDOWS\system32\DRIVERS\OPRGHDLR.SYS 4096 bytes (Microsoft Corporation, ACPI Operation Registration Driver)
0xB8670000 pciide.sys 4096 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)
==============================================
>Stealth
==============================================
0x0DFB0000 Hidden Image-->Camstar.WebClient.FormsBuilder.FormsBuilderCore.DLL [ EPROCESS 0x88A3E020 ] PID: 4956, 102400 bytes
0x0E130000 Hidden Image-->CrystalDecisions.Enterprise.InfoStore.dll [ EPROCESS 0x88A3E020 ] PID: 4956, 102400 bytes
0x0F690000 Hidden Image-->InSiteXMLClient.DLL [ EPROCESS 0x88A3E020 ] PID: 4956, 102400 bytes
0x0DBD0000 Hidden Image-->CppCodeProvider.dll [ EPROCESS 0x88A3E020 ] PID: 4956, 110592 bytes
0x0F7D0000 Hidden Image-->ZedGraph.Web.DLL [ EPROCESS 0x88A3E020 ] PID: 4956, 110592 bytes
0x10770000 Hidden Image-->CrystalDecisions.ReportSource.dll [ EPROCESS 0x88A3E020 ] PID: 4956, 110592 bytes
0x10D90000 Hidden Image-->Infragistics2.Excel.v6.2.dll [ EPROCESS 0x88A3E020 ] PID: 4956, 110592 bytes
0x104F0000 Hidden Image-->System.Workflow.Activities.dll [ EPROCESS 0x88A3E020 ] PID: 4956, 1150976 bytes
0x0F080000 Hidden Image-->SMdiagnostics.dll [ EPROCESS 0x88A3E020 ] PID: 4956, 118784 bytes
0x0F3B0000 Hidden Image-->Camstar.MfgAuditTrail.DLL [ EPROCESS 0x88A3E020 ] PID: 4956, 118784 bytes
0x7A4D0000 Hidden Image-->System.Runtime.Serialization.ni.dll [ EPROCESS 0x88875170 ] PID: 7840, 1196032 bytes
0x0F1D0000 Hidden Image-->System.EnterpriseServices.Wrapper.dll [ EPROCESS 0x88A3E020 ] PID: 4956, 126976 bytes
0x0F7F0000 Hidden Image-->System.Data.Services.Design.dll [ EPROCESS 0x88A3E020 ] PID: 4956, 126976 bytes
0x0FAC0000 Hidden Image-->System.Web.Extensions.dll [ EPROCESS 0x88A3E020 ] PID: 4956, 1290240 bytes
0x10EA0000 Hidden Image-->App_Web_qtc0u25y.dll [ EPROCESS 0x88A3E020 ] PID: 4956, 135168 bytes
0x0F050000 Hidden Image-->System.IdentityModel.Selectors.dll [ EPROCESS 0x88A3E020 ] PID: 4956, 135168 bytes
0x10E10000 Hidden Image-->App_Web_g08p5_bu.dll [ EPROCESS 0x88A3E020 ] PID: 4956, 135168 bytes
0x0E330000 Hidden Image-->CrystalDecisions.ReportAppServer.CommonControls.dll [ EPROCESS 0x88A3E020 ] PID: 4956, 143360 bytes
0x7AA10000 Hidden Image-->System.ServiceModel.Web.ni.dll [ EPROCESS 0x88875170 ] PID: 7840, 143360 bytes
0x7B170000 Hidden Image-->System.Windows.dll [ EPROCESS 0x88875170 ] PID: 7840, 1470464 bytes
0x0FDB0000 Hidden Image-->System.Xml.Linq.dll [ EPROCESS 0x88A3E020 ] PID: 4956, 151552 bytes
0x7B080000 Hidden Image-->System.Windows.Browser.dll [ EPROCESS 0x88875170 ] PID: 7840, 151552 bytes
0x79520000 Hidden Image-->mscorlib.dll [ EPROCESS 0x88875170 ] PID: 7840, 1601536 bytes
0x107A0000 Hidden Image-->System.Workflow.ComponentModel.dll [ EPROCESS 0x88A3E020 ] PID: 4956, 1634304 bytes
0x0E2D0000 Hidden Image-->CrystalDecisions.ReportAppServer.Controllers.dll [ EPROCESS 0x88A3E020 ] PID: 4956, 167936 bytes
0x0E7A0000 Hidden Image-->Infragistics2.WebUI.UltraWebGrid.v6.2.dll [ EPROCESS 0x88A3E020 ] PID: 4956, 1740800 bytes
0x130F0000 Hidden Image-->App_Web_hcfphna-.dll [ EPROCESS 0x88A3E020 ] PID: 4956, 200704 bytes
0x13AD0000 Hidden Image-->App_Web_6rgz8qjx.dll [ EPROCESS 0x88A3E020 ] PID: 4956, 200704 bytes
0x0FFB0000 Hidden Image-->Infragistics2.WebUI.WebCombo.v6.2.dll [ EPROCESS 0x88A3E020 ] PID: 4956, 208896 bytes
0x13390000 Hidden Image-->App_Web_zmjfid1a.dll [ EPROCESS 0x88A3E020 ] PID: 4956, 208896 bytes
0x0E290000 Hidden Image-->CrystalDecisions.ReportAppServer.DataDefModel.dll [ EPROCESS 0x88A3E020 ] PID: 4956, 233472 bytes
0x7A300000 Hidden Image-->System.Net.dll [ EPROCESS 0x88875170 ] PID: 7840, 233472 bytes
0x79EE0000 Hidden Image-->System.Core.ni.dll [ EPROCESS 0x88875170 ] PID: 7840, 2375680 bytes
0x0E400000 Hidden Image-->Camstar.WebClient.FormsBuilder.WebControls.DLL [ EPROCESS 0x88A3E020 ] PID: 4956, 241664 bytes
0x7A190000 Hidden Image-->system.dll [ EPROCESS 0x88875170 ] PID: 7840, 241664 bytes
0x132C0000 Hidden Image-->App_Web_fhmqqtmc.dll [ EPROCESS 0x88A3E020 ] PID: 4956, 249856 bytes
0x10BC0000 Hidden Image-->Infragistics2.WebUI.WebDateChooser.v6.2.dll [ EPROCESS 0x88A3E020 ] PID: 4956, 266240 bytes
0x0DC20000 Hidden Image-->App_Licenses.DLL [ EPROCESS 0x88A3E020 ] PID: 4956, 28672 bytes
0x0E170000 Hidden Image-->CrystalDecisions.ReportAppServer.ObjectFactory.dll [ EPROCESS 0x88A3E020 ] PID: 4956, 28672 bytes
0x0E3E0000 Hidden Image-->RpcTransactionServiceService.dll [ EPROCESS 0x88A3E020 ] PID: 4956, 28672 bytes
0x0F270000 Hidden Image-->Camstar.Exceptions.DLL [ EPROCESS 0x88A3E020 ] PID: 4956, 28672 bytes
0x0F470000 Hidden Image-->Camstar.WebClient.FrameworkCache.DLL [ EPROCESS 0x88A3E020 ] PID: 4956, 28672 bytes
0x0F5E0000 Hidden Image-->Camstar.WebClient.WebExceptions.DLL [ EPROCESS 0x88A3E020 ] PID: 4956, 28672 bytes
0x0F620000 Hidden Image-->Camstar.WebClient.WebUtility.DLL [ EPROCESS 0x88A3E020 ] PID: 4956, 28672 bytes
0x10070000 Hidden Image-->System.Data.Entity.dll [ EPROCESS 0x88A3E020 ] PID: 4956, 2887680 bytes
0x0DC50000 Hidden Image-->System.Data.dll [ EPROCESS 0x88A3E020 ] PID: 4956, 2961408 bytes
0x0FD60000 Hidden Image-->System.Data.Services.Client.dll [ EPROCESS 0x88A3E020 ] PID: 4956, 307200 bytes
0x0F8C0000 Hidden Image-->ZedGraph.DLL [ EPROCESS 0x88A3E020 ] PID: 4956, 315392 bytes
0x10720000 Hidden Image-->Infragistics2.WebUI.WebDataInput.v6.2.dll [ EPROCESS 0x88A3E020 ] PID: 4956, 315392 bytes
0x0E180000 Hidden Image-->CrystalDecisions.ReportAppServer.ReportDefModel.dll [ EPROCESS 0x88A3E020 ] PID: 4956, 323584 bytes
0x10C70000 Hidden Image-->CrystalDecisions.Web.dll [ EPROCESS 0x88A3E020 ] PID: 4956, 331776 bytes
0x7AA80000 Hidden Image-->System.Xml.dll [ EPROCESS 0x88875170 ] PID: 7840, 331776 bytes
0x0F3D0000 Hidden Image-->Camstar.Utility.DLL [ EPROCESS 0x88A3E020 ] PID: 4956, 36864 bytes
0x0DFA0000 Hidden Image-->stdole.dll [ EPROCESS 0x88A3E020 ] PID: 4956, 36864 bytes
0x0E0C0000 Hidden Image-->CrystalDecisions.ReportAppServer.XmlSerialize.dll [ EPROCESS 0x88A3E020 ] PID: 4956, 36864 bytes
0x0EA20000 Hidden Image-->Camstar.Util.DLL [ EPROCESS 0x88A3E020 ] PID: 4956, 36864 bytes
0x0F230000 Hidden Image-->Camstar.Collections.DLL [ EPROCESS 0x88A3E020 ] PID: 4956, 36864 bytes
0x0F250000 Hidden Image-->Camstar.CommonWebControls.DLL [ EPROCESS 0x88A3E020 ] PID: 4956, 36864 bytes
0x0F5C0000 Hidden Image-->Camstar.WebClient.FrameworkManager.DLL [ EPROCESS 0x88A3E020 ] PID: 4956, 36864 bytes
0x7B0B0000 Hidden Image-->System.Windows.Browser.ni.dll [ EPROCESS 0x88875170 ] PID: 7840, 380928 bytes
0x0E0D0000 Hidden Image-->CrystalDecisions.CrystalReports.Engine.dll [ EPROCESS 0x88A3E020 ] PID: 4956, 389120 bytes
0x0F0F0000 Hidden Image-->Microsoft.Transactions.Bridge.dll [ EPROCESS 0x88A3E020 ] PID: 4956, 405504 bytes
0x7A460000 Hidden Image-->System.Runtime.Serialization.dll [ EPROCESS 0x88875170 ] PID: 7840, 421888 bytes
0x7B2E0000 Hidden Image-->System.Windows.ni.dll [ EPROCESS 0x88875170 ] PID: 7840, 4460544 bytes
0x0F160000 Hidden Image-->System.IdentityModel.dll [ EPROCESS 0x88A3E020 ] PID: 4956, 446464 bytes
0x0E150000 Hidden Image-->CrystalDecisions.ReportAppServer.CubeDefModel.dll [ EPROCESS 0x88A3E020 ] PID: 4956, 45056 bytes
0x0E160000 Hidden Image-->CrystalDecisions.KeyCode.dll [ EPROCESS 0x88A3E020 ] PID: 4956, 45056 bytes
0x0E1D0000 Hidden Image-->CrystalDecisions.ReportAppServer.CommonObjectModel.dll [ EPROCESS 0x88A3E020 ] PID: 4956, 45056 bytes
0x0E310000 Hidden Image-->CrystalDecisions.Enterprise.PluginManager.dll [ EPROCESS 0x88A3E020 ] PID: 4956, 45056 bytes
0x0F260000 Hidden Image-->Camstar.Constants.DLL [ EPROCESS 0x88A3E020 ] PID: 4956, 45056 bytes
0x0F2A0000 Hidden Image-->Camstar.TagBuilder.DLL [ EPROCESS 0x88A3E020 ] PID: 4956, 45056 bytes
0x0FF50000 Hidden Image-->Microsoft.Build.Framework.dll [ EPROCESS 0x88A3E020 ] PID: 4956, 45056 bytes
0x0E4D0000 Hidden Image-->Infragistics2.WebUI.Shared.v6.2.dll [ EPROCESS 0x88A3E020 ] PID: 4956, 471040 bytes
0x0DFF0000 Hidden Image-->System.Data.OracleClient.dll [ EPROCESS 0x88A3E020 ] PID: 4956, 499712 bytes
0x0F3F0000 Hidden Image-->Camstar.WebClient.Core.WebUtil.DLL [ EPROCESS 0x88A3E020 ] PID: 4956, 53248 bytes
0x0F460000 Hidden Image-->Camstar.WebClient.FormsBuilder.WebCompositeControls.DLL [ EPROCESS 0x88A3E020 ] PID: 4956, 53248 bytes
0x0F480000 Hidden Image-->Camstar.WebClient.FrameworkControls.DLL [ EPROCESS 0x88A3E020 ] PID: 4956, 53248 bytes
0x13310000 Hidden Image-->App_Web_ctuserandctfields.ascx.4ed4227b.ofdnyiwp.dll [ EPROCESS 0x88A3E020 ] PID: 4956, 53248 bytes
0x0E560000 Hidden Image-->Camstar.WebClient.WebServicesProxy.DLL [ EPROCESS 0x88A3E020 ] PID: 4956, 544768 bytes
0x79E50000 Hidden Image-->System.Core.dll [ EPROCESS 0x88875170 ] PID: 7840, 544768 bytes
0x10340000 Hidden Image-->System.Workflow.Runtime.dll [ EPROCESS 0x88A3E020 ] PID: 4956, 552960 bytes
0xA78046E8 Unknown thread object [ ETHREAD 0x8A29B8B8 ] , 600 bytes
0xA6B706E8 Unknown thread object [ ETHREAD 0x89BF1B30 ] , 600 bytes
0xA566B6E8 Unknown thread object [ ETHREAD 0x896845A8 ] , 600 bytes
0xA02046E8 Unknown thread object [ ETHREAD 0x88F8D020 ] , 600 bytes
0xA3F276E8 Unknown thread object [ ETHREAD 0x89580020 ] , 600 bytes
0xA1CC36E8 Unknown thread object [ ETHREAD 0x88DA3DA8 ] , 600 bytes
0x9F8736E8 Unknown thread object [ ETHREAD 0x8A1E3598 ] , 600 bytes
0x0DC30000 Hidden Image-->App_Code.buhimgwu.dll [ EPROCESS 0x88A3E020 ] PID: 4956, 61440 bytes
0x0E070000 Hidden Image-->CrystalDecisions.Enterprise.Framework.dll [ EPROCESS 0x88A3E020 ] PID: 4956, 61440 bytes
0x0E080000 Hidden Image-->CrystalDecisions.ReportAppServer.CommLayer.dll [ EPROCESS 0x88A3E020 ] PID: 4956, 61440 bytes
0x0E0B0000 Hidden Image-->CrystalDecisions.ReportAppServer.DataSetConversion.dll [ EPROCESS 0x88A3E020 ] PID: 4956, 61440 bytes
0x0F5B0000 Hidden Image-->Camstar.WebClient.FrameworkForm.DLL [ EPROCESS 0x88A3E020 ] PID: 4956, 61440 bytes
0x0F5D0000 Hidden Image-->Camstar.WebClient.WebConstants.DLL [ EPROCESS 0x88A3E020 ] PID: 4956, 61440 bytes
0x796B0000 Hidden Image-->mscorlib.ni.dll [ EPROCESS 0x88875170 ] PID: 7840, 6197248 bytes
0x7A340000 Hidden Image-->System.Net.ni.dll [ EPROCESS 0x88875170 ] PID: 7840, 659456 bytes
0x0F810000 Hidden Image-->Northwoods.GoWeb.DLL [ EPROCESS 0x88A3E020 ] PID: 4956, 667648 bytes
0x103D0000 Hidden Image-->Microsoft.Build.Tasks.dll [ EPROCESS 0x88A3E020 ] PID: 4956, 667648 bytes
0x7A1D0000 Hidden Image-->System.ni.dll [ EPROCESS 0x88875170 ] PID: 7840, 671744 bytes
0x0FC00000 Hidden Image-->System.Core.dll [ EPROCESS 0x88A3E020 ] PID: 4956, 675840 bytes
0x0FCB0000 Hidden Image-->System.Data.Linq.dll [ EPROCESS 0x88A3E020 ] PID: 4956, 692224 bytes
0x0F630000 Hidden Image-->Camstar.WebClient.WebExportImport.DLL [ EPROCESS 0x88A3E020 ] PID: 4956, 69632 bytes
0x0E1E0000 Hidden Image-->CrystalDecisions.Shared.dll [ EPROCESS 0x88A3E020 ] PID: 4956, 700416 bytes
0x0EAC0000 Hidden Image-->Infragistics2.WebUI.UltraWebNavigator.v6.2.dll [ EPROCESS 0x88A3E020 ] PID: 4956, 733184 bytes
0x0E090000 Hidden Image-->CrystalDecisions.ReportAppServer.ClientDoc.dll [ EPROCESS 0x88A3E020 ] PID: 4956, 77824 bytes
0x0F490000 Hidden Image-->Camstar.WebClient.FormsBuilder.WebForm.DLL [ EPROCESS 0x88A3E020 ] PID: 4956, 77824 bytes
0x0F440000 Hidden Image-->Camstar.WebClient.FormsBuilder.WebCanvasControls.DLL [ EPROCESS 0x88A3E020 ] PID: 4956, 77824 bytes
0x7AAE0000 Hidden Image-->System.Xml.ni.dll [ EPROCESS 0x88875170 ] PID: 7840, 847872 bytes
0x0F400000 Hidden Image-->Camstar.WebClient.Core.WebConst.DLL [ EPROCESS 0x88A3E020 ] PID: 4956, 86016 bytes
0x0F7B0000 Hidden Image-->System.Web.Abstractions.dll [ EPROCESS 0x88A3E020 ] PID: 4956, 86016 bytes
0x0FF30000 Hidden Image-->Microsoft.Build.Utilities.dll [ EPROCESS 0x88A3E020 ] PID: 4956, 86016 bytes
0x7A9F0000 Hidden Image-->System.ServiceModel.Web.dll [ EPROCESS 0x88875170 ] PID: 7840, 86016 bytes
0x0DFD0000 Hidden Image-->Camstar.WebClient.FormsBuilder.WebGridControls.DLL [ EPROCESS 0x88A3E020 ] PID: 4956, 94208 bytes
0x10C10000 Hidden Image-->CrystalDecisions.Enterprise.Desktop.Report.dll [ EPROCESS 0x88A3E020 ] PID: 4956, 94208 bytes
0x10D70000 Hidden Image-->Infragistics2.WebUI.UltraWebGrid.ExcelExport.v6.2.dll [ EPROCESS 0x88A3E020 ] PID: 4956, 94208 bytes
0x0F2C0000 Hidden Image-->System.Runtime.Serialization.dll [ EPROCESS 0x88A3E020 ] PID: 4956, 978944 bytes
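Reading a RootkitUnhooker (RKU) report like the one above by hand is slow, and the two questions a responder actually asks are mechanical: which loaded drivers carry no vendor or description string at all (in this log that is nipplpt.sys, CITMDRV.SYS, nwfilter.sys, NifFltr.sys, uphcleanhlp.sys and WNTHW.SYS, each of which should be located on disk and checked for a valid signature before anything else), and whether the "Hidden Image" entries in the Stealth section describe one or two CLR-hosting processes rather than a rootkit hiding individual modules. The script below is an added example written for this page; it is not the poster's output and not part of RKU. It assumes only the three record shapes visible in the log (loaded driver, `Hidden Image-->`, `Unknown thread object`), and the sample lines embedded in it are constructed in that format from a handful of the entries above. Names it cannot classify as managed assemblies by pattern (the Camstar, CrystalDecisions and Infragistics DLLs here are .NET as well, but the name alone does not prove it) are left in a review list rather than silently marked benign.

```python
"""Triage helper for a RootkitUnhooker (RKU) report such as the one in this thread.

Added example, not part of the original post or of RKU itself. It parses the three
record shapes visible in the log (loaded driver, Hidden Image, Unknown thread object)
and applies two heuristics a responder would otherwise apply by hand:
  * drivers with no vendor/description string are listed for on-disk verification;
  * Hidden Image hits are grouped per PID and managed (.NET) assembly names are
    counted, so a process whose "hidden" images are all CLR assemblies stands out
    from a process with an unexplained module. This is a triage hint, not a verdict.
"""
import re
from collections import defaultdict

# Constructed sample in the exact shape of the RKU output above (a subset, not the full log).
SAMPLE_REPORT = r"""
0x9F85E000 C:\WINDOWS\system32\drivers\mfeavfk.sys 86016 bytes (McAfee, Inc., Anti-Virus File System Filter Driver)
0xABAD7000 C:\WINDOWS\system32\drivers\nipplpt.sys 36864 bytes
0x9CB22000 C:\WINDOWS\System32\Drivers\Normandy.SYS 36864 bytes (RKU Driver)
0xB84EC000 nwfilter.sys 16384 bytes
==============================================
>Stealth
==============================================
0x0DFB0000 Hidden Image-->Camstar.WebClient.FormsBuilder.FormsBuilderCore.DLL [ EPROCESS 0x88A3E020 ] PID: 4956, 102400 bytes
0x7A4D0000 Hidden Image-->System.Runtime.Serialization.ni.dll [ EPROCESS 0x88875170 ] PID: 7840, 1196032 bytes
0xA78046E8 Unknown thread object [ ETHREAD 0x8A29B8B8 ] , 600 bytes
"""

DRIVER_RE = re.compile(r"^(0x[0-9A-Fa-f]+) (.+?) (\d+) bytes(?: \((.*)\))?$")
HIDDEN_RE = re.compile(
    r"^(0x[0-9A-Fa-f]+) Hidden Image-->(.+?) \[ EPROCESS (0x[0-9A-Fa-f]+) \] PID: (\d+), (\d+) bytes$"
)
THREAD_RE = re.compile(
    r"^(0x[0-9A-Fa-f]+) Unknown thread object \[ ETHREAD (0x[0-9A-Fa-f]+) \] , (\d+) bytes$"
)
# Names that identify CLR-managed assemblies: NGEN native images end in .ni.dll,
# App_Web_* / App_Code.* / App_Licenses.* are ASP.NET's compiled assemblies, and
# mscorlib / System.* are the framework itself. Third-party .NET DLLs are NOT matched.
MANAGED_RE = re.compile(r"(\.ni\.dll$|^App_Web_|^App_Code\.|^App_Licenses\.|^mscorlib\.|^System\.)", re.I)


def parse_report(text):
    """Return {'drivers': [...], 'hidden_images': [...], 'unknown_threads': [...]}."""
    out = {"drivers": [], "hidden_images": [], "unknown_threads": []}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("=") or line.startswith(">"):
            continue  # blank lines and section banners such as ">Stealth"
        # The specific shapes are tried first because the generic driver pattern
        # would also match a Hidden Image or thread line.
        m = HIDDEN_RE.match(line)
        if m:
            out["hidden_images"].append({"base": int(m.group(1), 16), "name": m.group(2),
                                         "eprocess": m.group(3), "pid": int(m.group(4)),
                                         "size": int(m.group(5))})
            continue
        m = THREAD_RE.match(line)
        if m:
            out["unknown_threads"].append({"addr": int(m.group(1), 16), "ethread": m.group(2),
                                           "size": int(m.group(3))})
            continue
        m = DRIVER_RE.match(line)
        if m:
            out["drivers"].append({"base": int(m.group(1), 16), "path": m.group(2),
                                   "size": int(m.group(3)),
                                   "description": m.group(4)})  # None when the log shows none
    return out


def triage(report):
    """Apply the two heuristics and return plain dicts/lists."""
    no_description = [d["path"] for d in report["drivers"] if not d["description"]]
    names_by_pid = defaultdict(list)
    for img in report["hidden_images"]:
        names_by_pid[img["pid"]].append(img["name"])
    hidden_summary = {}
    for pid, names in names_by_pid.items():
        managed = [n for n in names if MANAGED_RE.search(n)]
        hidden_summary[pid] = {
            "total": len(names),
            "managed": len(managed),
            # Anything not recognisable as a framework/ASP.NET assembly by name goes
            # here: dump it from the process and hash/sign-check it before deciding.
            "review": [n for n in names if not MANAGED_RE.search(n)],
        }
    return {
        "drivers_without_description": no_description,
        "hidden_images_by_pid": hidden_summary,
        "unknown_thread_count": len(report["unknown_threads"]),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(parse_report(SAMPLE_REPORT)), indent=2))
```

Run it against the full pasted report instead of `SAMPLE_REPORT` and the driver list shrinks to the six undescribed entries; the Stealth section collapses to two PIDs (4956 and 7840) whose images are overwhelmingly framework and ASP.NET assemblies, which is what a .NET host process looks like to a scanner that reads loaded-module lists from kernel structures. The seven `Unknown thread object` hits are counted but not interpreted, since the log gives nothing beyond their ETHREAD addresses to interpret.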