
Firefox opening new tab - ad sites


  • This topic is locked
25 replies to this topic

#1 nina98765 (Members, 12 posts)

Posted 18 November 2010 - 10:39 PM

Hi all,
I am new here and would like to start by thanking you for providing a great place to get help with malware problems.
In the last week or so I have been having a problem when using Firefox (I didn't try any other browser). In the middle of nowhere, a new tab would open up and take me to some ad site or similar.
To try to find the problem I downloaded Microsoft Security Essentials, ran it and fixed whatever it told me to. When the problem persisted I downloaded Malwarebytes' Anti-Malware, ran it and fixed all the problems found. My next try -- on the advice of a technician I know -- was to download ComboFix; I ran it and fixed all problems it found. But the problem is still persisting! That's when I came here for advice.
I followed all the instructions found here.
So here is my DDS log, and thank you very much in advance!:

DDS (Ver_10-11-10.01) - NTFSx86
Run by Matti at 12:43:29.43 on Thu 11/18/2010
Internet Explorer: 7.0.6000.16830
Microsoft® Windows Vista™ Business 6.0.6000.0.1252.1.1033.18.2046.750 [GMT -5:00]

AV: Microsoft Security Essentials *On-access scanning enabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
SP: Microsoft Security Essentials *enabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDE}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: Norton Internet Security *enabled* (Outdated) {CBB7EE13-8244-4DAB-8B55-D5C7AA91E59A}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\Ati2evxx.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
c:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\TeamViewer\Version5\TeamViewer_Service.exe
C:\Windows\system32\svchost.exe -k iissvcs
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\sttray.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Users\Matti\Downloads\HijackThis.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\conime.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Users\Matti\Downloads\gmer\gmer.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Matti\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\CLIStart.exe"
mRun: [SigmatelSysTrayApp] sttray.exe
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
mPolicies-system: EnableLUA = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office12\EXCEL.EXE/3000
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~1\office12\REFIEBAR.DLL
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6770.cab

================= FIREFOX ===================

FF - ProfilePath - c:\users\matti\appdata\roaming\mozilla\firefox\profiles\4j8du9ll.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: keyword.URL - hxxp://bing.zugotoolbar.com/s/?iesrc=IE-Address&site=Bing&q=
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava11.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava12.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava13.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava14.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava32.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjpi160.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npoji610.dll
FF - plugin: c:\program files\microsoft\web platform installer\NPWPIDetector.dll
FF - plugin: c:\users\matti\appdata\roaming\mozilla\firefox\profiles\4j8du9ll.default\extensions\logmeinclient@logmein.com\plugins\npRACtrl.dll

---- FIREFOX POLICIES ----
FF - user.js: browser.cache.memory.capacity - 65536
FF - user.js: browser.chrome.favicons - fales
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autofill - true
FF - user.js: browser.xul.error_pages.enabled - true
FF - user.js: content.interrupt.parsing - true
FF - user.js: content.max.tokenizing.time - 3000000
FF - user.js: content.maxtextrun - 8191
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.notify.interval - 750000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 750000
FF - user.js: network.http.max-connections - 32
FF - user.js: network.http.max-connections-per-server - 8
FF - user.js: network.http.max-persistent-connections-per-proxy - 8
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.firstrequest - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: nglayout.initialpaint.delay - 0
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0

============= SERVICES / DRIVERS ===============

R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-3-25 151216]
R2 MSSQL$SQLSERVER;SQL Server (SQLSERVER);c:\program files\microsoft sql server\mssql.2\mssql\binn\sqlservr.exe [2008-2-26 29183504]
R2 TeamViewer5;TeamViewer 5;c:\program files\teamviewer\version5\TeamViewer_Service.exe [2010-11-17 2011944]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2006-11-2 167936]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-11-15 38224]
R3 SCREAMINGBDRIVER;Screaming Bee Audio;c:\windows\system32\drivers\ScreamingBAudio.sys [2009-11-26 34384]
R3 tenCapture;tenCapture;c:\windows\system32\drivers\tenCapture.sys [2007-4-21 9344]
R3 VCSVADHWSer;Avnex Virtual Audio Device (WDM);c:\windows\system32\drivers\vcsvad.sys [2010-3-16 17792]
R3 VST_DPV;VST_DPV;c:\windows\system32\drivers\VSTDPV3.SYS [2006-11-2 987648]
R3 VSTHWBS2;VSTHWBS2;c:\windows\system32\drivers\VSTBS23.SYS [2006-11-2 251904]
S2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;"c:\program files\broadcom\asfipmon\asfipmon.exe" -service --> c:\program files\broadcom\asfipmon\AsfIpMon.exe [?]
S3 ICDUSB2;Sony IC Recorder (P);c:\windows\system32\drivers\IcdUsb2.sys [2010-5-2 39048]
S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2010-3-25 42368]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\microsoft sql server\100\shared\sqladhlp.exe [2009-3-31 47128]
S4 RsFx0103;RsFx0103 Driver;c:\windows\system32\drivers\RsFx0103.sys [2009-3-30 239336]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\microsoft sql server\mssql10.sqlexpress\mssql\binn\SQLAGENT.EXE [2009-3-30 366936]

=============== Created Last 30 ================

2010-11-18 15:38:15 20480 ----a-w- c:\users\matti\appdata\roaming\microsoft\visualstudio\7.1\projectassemblies\omrzt5e-01\Facilities.dll
2010-11-18 15:38:15 1810432 ----a-w- c:\users\matti\appdata\roaming\microsoft\visualstudio\7.1\projectassemblies\tuwy-cqx01\AppWide.dll
2010-11-18 15:38:08 90112 ----a-w- c:\users\matti\appdata\roaming\microsoft\visualstudio\7.1\projectassemblies\kvo5in_v01\dsPatientFunds1.vb.dll
2010-11-18 15:38:08 81920 ----a-w- c:\users\matti\appdata\roaming\microsoft\visualstudio\7.1\projectassemblies\irr5qcpn01\dsPtLookups.vb.dll
2010-11-18 15:38:08 393216 ----a-w- c:\users\matti\appdata\roaming\microsoft\visualstudio\7.1\projectassemblies\wdicsrwe01\dsReport.vb.dll
2010-11-18 15:38:08 10981376 ----a-w- c:\users\matti\appdata\roaming\microsoft\visualstudio\7.1\projectassemblies\2uadmuqq01\Receivables.dll
2010-11-18 15:38:07 49152 ----a-w- c:\users\matti\appdata\roaming\microsoft\visualstudio\7.1\projectassemblies\sfsutwmf01\dsPatientDelete.vb.dll
2010-11-18 13:33:11 -------- d-----w- c:\users\matti\appdata\roaming\SmartDraw
2010-11-18 05:01:28 -------- d-----w- c:\program files\SmartDraw VP
2010-11-17 19:40:47 909312 ----a-w- c:\users\matti\appdata\roaming\microsoft\visualstudio\7.1\projectassemblies\vig43vqv01\C1.Win.C1TrueDBGrid.dll
2010-11-17 19:40:46 86016 ----a-w- c:\users\matti\appdata\roaming\microsoft\visualstudio\7.1\projectassemblies\avq4aqnj01\C1.Common.dll
2010-11-17 19:40:46 610304 ----a-w- c:\users\matti\appdata\roaming\microsoft\visualstudio\7.1\projectassemblies\9jfotau101\C1.Win.C1Input.dll
2010-11-17 19:40:39 647168 ----a-w- c:\users\matti\appdata\roaming\microsoft\visualstudio\7.1\projectassemblies\twmbvpuw01\C1.Win.C1List.dll
2010-11-17 19:40:38 909312 ----a-w- c:\users\matti\appdata\roaming\microsoft\visualstudio\7.1\projectassemblies\g3gk26vn01\C1.Win.C1TrueDBGrid.dll
2010-11-17 19:40:38 86016 ----a-w- c:\users\matti\appdata\roaming\microsoft\visualstudio\7.1\projectassemblies\qhqlhipe01\C1.Common.dll
2010-11-17 19:40:38 610304 ----a-w- c:\users\matti\appdata\roaming\microsoft\visualstudio\7.1\projectassemblies\bhslkdjv01\C1.Win.C1Input.dll
2010-11-17 19:40:18 647168 ----a-w- c:\users\matti\appdata\roaming\microsoft\visualstudio\7.1\projectassemblies\smk8rnlv01\C1.Win.C1List.dll
2010-11-17 19:40:18 610304 ----a-w- c:\users\matti\appdata\roaming\microsoft\visualstudio\7.1\projectassemblies\-li6wzfk01\C1.Win.C1Input.dll
2010-11-17 19:40:17 909312 ----a-w- c:\users\matti\appdata\roaming\microsoft\visualstudio\7.1\projectassemblies\nulogq-p01\C1.Win.C1TrueDBGrid.dll
2010-11-17 19:40:17 86016 ----a-w- c:\users\matti\appdata\roaming\microsoft\visualstudio\7.1\projectassemblies\r_lgni8i01\C1.Common.dll
2010-11-17 19:39:54 610304 ----a-w- c:\users\matti\appdata\roaming\microsoft\visualstudio\7.1\projectassemblies\fttnfv6p01\C1.Win.C1Input.dll
2010-11-17 19:39:53 647168 ----a-w- c:\users\matti\appdata\roaming\microsoft\visualstudio\7.1\projectassemblies\4jocbra601\C1.Win.C1List.dll
2010-11-17 19:39:52 909312 ----a-w- c:\users\matti\appdata\roaming\microsoft\visualstudio\7.1\projectassemblies\ss35anvq01\C1.Win.C1TrueDBGrid.dll
2010-11-17 19:39:52 86016 ----a-w- c:\users\matti\appdata\roaming\microsoft\visualstudio\7.1\projectassemblies\yjreqwj201\C1.Common.dll
2010-11-17 19:39:44 909312 ----a-w- c:\users\matti\appdata\roaming\microsoft\visualstudio\7.1\projectassemblies\uzxx6qg201\C1.Win.C1TrueDBGrid.dll
2010-11-17 19:39:44 86016 ----a-w- c:\users\matti\appdata\roaming\microsoft\visualstudio\7.1\projectassemblies\duvhl-hq01\C1.Common.dll
2010-11-17 19:39:23 909312 ----a-w- c:\users\matti\appdata\roaming\microsoft\visualstudio\7.1\projectassemblies\2zzpvjm401\C1.Win.C1TrueDBGrid.dll
2010-11-17 19:39:22 86016 ----a-w- c:\users\matti\appdata\roaming\microsoft\visualstudio\7.1\projectassemblies\9tbgkfbh01\C1.Common.dll
2010-11-17 19:39:22 278528 ----a-w- c:\users\matti\appdata\roaming\microsoft\visualstudio\7.1\projectassemblies\bvghjgdn01\C1.C1Pdf.dll
2010-11-17 19:39:20 647168 ----a-w- c:\users\matti\appdata\roaming\microsoft\visualstudio\7.1\projectassemblies\ahl8djk-01\C1.Win.C1List.dll
2010-11-17 19:39:17 610304 ----a-w- c:\users\matti\appdata\roaming\microsoft\visualstudio\7.1\projectassemblies\q8nsjtnd01\C1.Win.C1Input.dll
2010-11-17 19:02:01 6146896 ----a-w- c:\progra~2\microsoft\microsoft antimalware\definition updates\{da850ee6-a2e0-4c7d-a5a7-c2ac05386c71}\mpengine.dll
2010-11-17 18:26:14 -------- d-sh--w- C:\$RECYCLE.BIN
2010-11-17 18:25:57 -------- d-----w- c:\users\matti\appdata\local\temp
2010-11-17 17:41:39 98816 ----a-w- c:\windows\sed.exe
2010-11-17 17:41:39 89088 ----a-w- c:\windows\MBR.exe
2010-11-17 17:41:39 256512 ----a-w- c:\windows\PEV.exe
2010-11-17 17:41:39 161792 ----a-w- c:\windows\SWREG.exe
2010-11-16 04:37:55 -------- d-----w- c:\users\matti\appdata\roaming\Malwarebytes
2010-11-16 04:37:43 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-16 04:37:41 -------- d-----w- c:\progra~2\Malwarebytes
2010-11-16 04:37:40 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-16 04:37:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-11-12 14:50:06 -------- d-----w- c:\program files\Microsoft Security Essentials
2010-11-10 18:48:44 0 ----a-w- c:\users\matti\appdata\local\Gxucobelisu.bin
2010-11-07 02:56:32 -------- d-----w- C:\cnhsheri
2010-11-04 02:37:59 -------- d-----w- C:\cnhsgard
2010-11-03 05:49:55 6146896 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{71e854e3-c221-4f2a-945a-510b2672f644}\mpengine.dll
2010-10-28 02:48:35 -------- d-----w- C:\acntrec
2010-10-27 02:13:42 -------- d-----w- C:\royal1
2010-10-27 02:12:03 -------- d-----w- C:\county
2010-10-27 00:50:37 -------- d-----w- C:\ZillaTube

==================== Find3M ====================

2010-10-19 15:41:44 222080 ------w- c:\windows\system32\MpSigStub.exe

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 6.0.6000 Disk: ST380811 rev.3.AD -> Harddisk0\DR0 ->

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN [0x85CB0446]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x85cb6504]; MOV EAX, [0x85cb6580]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x81C27F3B] -> \Device\Harddisk0\DR0[0x85614680]
3 nt[0x81CB07E2] -> ntkrnlpa!IofCallDriver[0x81C27F3B] -> [0x84C27170]
5 acpi[0x804D732A] -> ntkrnlpa!IofCallDriver[0x81C27F3B] -> [0x83E7A938]
\Driver\nvstor[0x85C95A20] -> IRP_MJ_CREATE -> 0x85CB0446
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; MOV CX, 0x4; MOV BP, 0x7be; CMP BYTE [BP+0x0], 0x0; }
detected disk devices:
\Device\00000051 -> \??\SCSI#Disk&Ven_ST380811&Prod_0AS#4&9006ed5&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !

============= FINISH: 12:47:13.22 ===============


Edited by nina98765, 18 November 2010 - 10:41 PM.




#2 gringo_pr (Bleepin Gringo, Malware Response Team, 136,772 posts)

Posted 27 November 2010 - 11:37 PM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together.

  • Do not run any other tool until instructed to do so!
  • Please do not attach logs or put them in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having as these can help also.
  • Do not run anything while running a fix.


We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Click on the Watch Topic button, select Immediate Notification and click on Proceed; this will help you get notified faster when I have replied and make the cleaning process faster.


In order for me to see the status of the infection I will need a new set of logs to start with.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

DeFogger:

  • Please download DeFogger to your desktop.
  • Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger may ask you to reboot the machine, if it does - click OK
Do not re-enable these drivers until otherwise instructed.

Download DDS:

  • Please download DDS by sUBs from one of the links below and save it to your desktop:

    Download DDS and save it to your desktop

    Link1
    Link2
    Link3

    Please disable any anti-malware program that will block scripts from running before running DDS.

    • Double-Click on dds.scr and a command window will appear. This is normal.
    • Shortly after two logs will appear:
    • DDS.txt
    • Attach.txt
  • A window will open instructing you save & post the logs
  • Save the logs to a convenient place such as your desktop
  • Copy the contents of both logs & post in your next reply



Scan With RKUnHooker

  • Please download Rootkit Unhooker and save it to your desktop.
  • Extract RKUnhooker to your desktop.
    Note** it is zipped up in a .rar file - If you do not have a program to unzip this type of file
    you can get a free one from here - http://www.7-zip.org/
  • Now double-click on RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Check (Tick) Drivers, Stealth. Uncheck the rest, then click OK.
  • Wait till the scanner has finished and then click File, Save Report.
  • Save the report somewhere where you can find it. Click Close.
Copy the entire contents of the report and paste it in a reply here.

Note** you may get this warning; it is ok, just ignore it:

"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"


"just click on Cancel, then Accept".


information and logs:

In your next post I need the following

1. logs from DDS
2. log from RKUnHooker
3. let me know of any problems you may have had
Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free; however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#3 nina98765 (Topic Starter, Members, 12 posts)

Posted 28 November 2010 - 01:07 PM

Hi, and thanks so much for your help.
I really appreciate it.

I am going to post the logs below; you said not to attach anything, so I hope what I'm doing is correct.
I also wanted to let you know, my computer has been EXTREMELY slow recently.

Here is the DDS Log:
DDS (Ver_10-11-27.01) - NTFSx86
Run by Matti at 12:30:25.56 on Sun 11/28/2010
Internet Explorer: 7.0.6000.16830

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\Explorer.EXE
C:\Windows\sttray.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
c:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Windows\system32\conime.exe
C:\Windows\system32\conime.exe
C:\Windows\system32\conime.exe
C:\Windows\system32\conime.exe
C:\Windows\system32\conime.exe
C:\Windows\system32\conime.exe
C:\Windows\system32\conime.exe
C:\Windows\system32\conime.exe
C:\Windows\system32\conime.exe
C:\Windows\system32\conime.exe
C:\Windows\system32\conime.exe
C:\Windows\system32\conime.exe
C:\Windows\system32\conime.exe
C:\Windows\system32\conime.exe
C:\Windows\system32\conime.exe
C:\Windows\system32\conime.exe
C:\Windows\system32\conime.exe
C:\Windows\system32\conime.exe
C:\Windows\system32\conime.exe
C:\Windows\system32\conime.exe
C:\Windows\system32\conime.exe
C:\Windows\system32\conime.exe
C:\Windows\system32\conime.exe
C:\Windows\system32\conime.exe
C:\Windows\system32\conime.exe
C:\Windows\system32\conime.exe
C:\Windows\system32\conime.exe
C:\Windows\system32\conime.exe
C:\Windows\system32\conime.exe
C:\Windows\system32\conime.exe
C:\Windows\system32\conime.exe
C:\Windows\system32\conime.exe
C:\Windows\system32\conime.exe
C:\Windows\system32\conime.exe
C:\Windows\system32\conime.exe
C:\Windows\system32\conime.exe
C:\Windows\system32\conime.exe
C:\Windows\system32\conime.exe
C:\Windows\system32\conime.exe
C:\Windows\system32\conime.exe
C:\Windows\system32\conime.exe
C:\Windows\system32\conime.exe
C:\Windows\system32\conime.exe
C:\Windows\system32\conime.exe
C:\Windows\system32\conime.exe
C:\Windows\system32\conime.exe
C:\Windows\system32\conime.exe
C:\Windows\system32\fxssvc.exe
C:\Program Files\Quicken\qw.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Business Objects\Crystal Reports 11.5\crw32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Users\Matti\Downloads\Defogger(2).exe
C:\Users\Matti\Downloads\dds(2).scr
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\svchost.exe -k iissvcs
C:\Windows\System32\svchost.exe -k WerSvcGroup

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\CLIStart.exe"
mRun: [SigmatelSysTrayApp] sttray.exe
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
mPolicies-system: EnableLUA = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office12\EXCEL.EXE/3000
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~1\office12\REFIEBAR.DLL
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6770.cab

================= FIREFOX ===================

FF - ProfilePath - c:\users\matti\appdata\roaming\mozilla\firefox\profiles\4j8du9ll.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: keyword.URL - hxxp://bing.zugotoolbar.com/s/?iesrc=IE-Address&site=Bing&q=
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava11.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava12.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava13.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava14.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava32.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjpi160.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npoji610.dll
FF - plugin: c:\program files\microsoft\web platform installer\NPWPIDetector.dll
FF - plugin: c:\users\matti\appdata\roaming\mozilla\firefox\profiles\4j8du9ll.default\extensions\logmeinclient@logmein.com\plugins\npRACtrl.dll
FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Extension: LogMeIn, Inc. Remote Access Plugin: LogMeInClient@logmein.com - c:\users\matti\appdata\roaming\mozilla\firefox\profiles\4j8du9ll.default\extensions\LogMeInClient@logmein.com
FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension

---- FIREFOX POLICIES ----
FF - user.js: browser.cache.memory.capacity - 65536
FF - user.js: browser.chrome.favicons - fales
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autofill - true
FF - user.js: browser.xul.error_pages.enabled - true
FF - user.js: content.interrupt.parsing - true
FF - user.js: content.max.tokenizing.time - 3000000
FF - user.js: content.maxtextrun - 8191
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.notify.interval - 750000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 750000
FF - user.js: network.http.max-connections - 32
FF - user.js: network.http.max-connections-per-server - 8
FF - user.js: network.http.max-persistent-connections-per-proxy - 8
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.firstrequest - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: nglayout.initialpaint.delay - 0
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0

============= SERVICES / DRIVERS ===============

R? ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor
R? ICDUSB2;Sony IC Recorder (P)
R? mrtRate;mrtRate
R? MSSQLServerADHelper100;SQL Active Directory Helper Service
R? RsFx0103;RsFx0103 Driver
R? SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS)
S? b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0
S? MpFilter;Microsoft Malware Protection Driver
S? MpNWMon;Microsoft Malware Protection Network Driver
S? MSSQL$SQLSERVER;SQL Server (SQLSERVER)
S? SCREAMINGBDRIVER;Screaming Bee Audio
S? tenCapture;tenCapture
S? VCSVADHWSer;Avnex Virtual Audio Device (WDM)
S? VST_DPV;VST_DPV
S? VSTHWBS2;VSTHWBS2

=============== Created Last 30 ================

2010-11-28 17:22:42 909312 ----a-w- c:\users\matti\appdata\roaming\microsoft\visualstudio\7.1\projectassemblies\zt7ncl4d01\C1.Win.C1TrueDBGrid.dll
2010-11-28 17:22:41 86016 ----a-w- c:\users\matti\appdata\roaming\microsoft\visualstudio\7.1\projectassemblies\vc29ssnu01\C1.Common.dll
2010-11-28 17:22:41 610304 ----a-w- c:\users\matti\appdata\roaming\microsoft\visualstudio\7.1\projectassemblies\-k172pgj01\C1.Win.C1Input.dll
2010-11-28 17:22:34 909312 ----a-w- c:\users\matti\appdata\roaming\microsoft\visualstudio\7.1\projectassemblies\zaatvgnl01\C1.Win.C1TrueDBGrid.dll
2010-11-28 17:22:34 86016 ----a-w- c:\users\matti\appdata\roaming\microsoft\visualstudio\7.1\projectassemblies\sazdzvqk01\C1.Common.dll
2010-11-28 17:22:34 647168 ----a-w- c:\users\matti\appdata\roaming\microsoft\visualstudio\7.1\projectassemblies\lp04ah7701\C1.Win.C1List.dll
2010-11-28 17:22:33 610304 ----a-w- c:\users\matti\appdata\roaming\microsoft\visualstudio\7.1\projectassemblies\rt05orsa01\C1.Win.C1Input.dll
2010-11-28 17:22:10 610304 ----a-w- c:\users\matti\appdata\roaming\microsoft\visualstudio\7.1\projectassemblies\vrtyqatj01\C1.Win.C1Input.dll
2010-11-28 17:22:09 909312 ----a-w- c:\users\matti\appdata\roaming\microsoft\visualstudio\7.1\projectassemblies\9mb6qi0b01\C1.Win.C1TrueDBGrid.dll
2010-11-28 17:22:09 86016 ----a-w- c:\users\matti\appdata\roaming\microsoft\visualstudio\7.1\projectassemblies\xp77sll501\C1.Common.dll
2010-11-28 17:22:09 647168 ----a-w- c:\users\matti\appdata\roaming\microsoft\visualstudio\7.1\projectassemblies\hslxatgm01\C1.Win.C1List.dll
2010-11-28 17:21:44 909312 ----a-w- c:\users\matti\appdata\roaming\microsoft\visualstudio\7.1\projectassemblies\_03ojnc601\C1.Win.C1TrueDBGrid.dll
2010-11-28 17:21:44 86016 ----a-w- c:\users\matti\appdata\roaming\microsoft\visualstudio\7.1\projectassemblies\f-rzkgb801\C1.Common.dll
2010-11-28 17:21:34 909312 ----a-w- c:\users\matti\appdata\roaming\microsoft\visualstudio\7.1\projectassemblies\cq51jfwy01\C1.Win.C1TrueDBGrid.dll
2010-11-28 17:21:34 86016 ----a-w- c:\users\matti\appdata\roaming\microsoft\visualstudio\7.1\projectassemblies\aywmpep101\C1.Common.dll
2010-11-28 17:21:34 278528 ----a-w- c:\users\matti\appdata\roaming\microsoft\visualstudio\7.1\projectassemblies\u5qgi3tu01\C1.C1Pdf.dll
2010-11-28 17:21:33 647168 ----a-w- c:\users\matti\appdata\roaming\microsoft\visualstudio\7.1\projectassemblies\45dwsmc301\C1.Win.C1List.dll
2010-11-28 17:21:32 610304 ----a-w- c:\users\matti\appdata\roaming\microsoft\visualstudio\7.1\projectassemblies\znxbu08r01\C1.Win.C1Input.dll
2010-11-28 05:10:55 909312 ----a-w- c:\users\matti\appdata\roaming\microsoft\visualstudio\7.1\projectassemblies\3lkiwobu01\C1.Win.C1TrueDBGrid.dll
2010-11-28 05:10:55 86016 ----a-w- c:\users\matti\appdata\roaming\microsoft\visualstudio\7.1\projectassemblies\wvbzecge01\C1.Common.dll
2010-11-28 05:10:54 610304 ----a-w- c:\users\matti\appdata\roaming\microsoft\visualstudio\7.1\projectassemblies\ljkkuqnc01\C1.Win.C1Input.dll
2010-11-26 18:39:37 6273872 ----a-w- c:\progra~2\microsoft\microsoft antimalware\definition updates\{cb93dad1-b9bd-4c91-997a-3123628446f9}\mpengine.dll
2010-11-25 16:18:33 -------- d-----w- c:\users\matti\appdata\local\DOSBox
2010-11-25 16:18:02 -------- d-----w- c:\program files\DOSBox-0.74
2010-11-19 04:30:25 6273872 ----a-w- c:\progra~2\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2010-11-18 13:33:11 -------- d-----w- c:\users\matti\appdata\roaming\SmartDraw
2010-11-17 18:26:14 -------- d-sh--w- C:\$RECYCLE.BIN
2010-11-17 18:25:57 -------- d-----w- c:\users\matti\appdata\local\temp
2010-11-17 17:41:39 98816 ----a-w- c:\windows\sed.exe
2010-11-17 17:41:39 89088 ----a-w- c:\windows\MBR.exe
2010-11-17 17:41:39 256512 ----a-w- c:\windows\PEV.exe
2010-11-17 17:41:39 161792 ----a-w- c:\windows\SWREG.exe
2010-11-16 04:37:55 -------- d-----w- c:\users\matti\appdata\roaming\Malwarebytes
2010-11-16 04:37:43 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-16 04:37:41 -------- d-----w- c:\progra~2\Malwarebytes
2010-11-16 04:37:40 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-16 04:37:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-11-12 14:50:06 -------- d-----w- c:\program files\Microsoft Security Essentials
2010-11-10 18:48:44 0 ----a-w- c:\users\matti\appdata\local\Gxucobelisu.bin
2010-11-07 02:56:32 -------- d-----w- C:\cnhsheri
2010-11-04 02:37:59 -------- d-----w- C:\cnhsgard
2010-11-03 05:49:55 6146896 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{71e854e3-c221-4f2a-945a-510b2672f644}\mpengine.dll

==================== Find3M ====================

2010-10-19 15:41:44 222080 ------w- c:\windows\system32\MpSigStub.exe

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 6.0.6000 Disk: ST380811 rev.3.AD -> Harddisk0\DR0 ->

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN [0x85CE2446]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x85ce8504]; MOV EAX, [0x85ce8580]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x81C27F3B] -> \Device\Harddisk0\DR0[0x85746AD8]
3 nt[0x81CB07E2] -> ntkrnlpa!IofCallDriver[0x81C27F3B] -> [0x84C28F18]
5 acpi[0x804D732A] -> ntkrnlpa!IofCallDriver[0x81C27F3B] -> [0x84C25030]
\Driver\nvstor[0x856431C8] -> IRP_MJ_CREATE -> 0x85CE2446
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; MOV CX, 0x4; MOV BP, 0x7be; CMP BYTE [BP+0x0], 0x0; }
detected disk devices:
\Device\00000051 -> \??\SCSI#Disk&Ven_ST380811&Prod_0AS#4&9006ed5&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !

============= FINISH: 12:33:07.23 ===============

Here is the attach file:

==== Installed Programs ======================

2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office system
32 Bit HP BiDi Channel Components Installer
Active Query Builder .NET Free Edition v1.6.5.113
Active Query Builder ActiveX Component 1.9.1.12 Trial Edition
Active Query Builder Demo Application
Adobe Flash Player 10 Plugin
Adobe Flash Player 9 ActiveX
Adobe Reader 8.2.5
ATI Catalyst Control Center Ex
Broadcom ASF Management Applications
Broadcom Management Programs
ComponentOne License Updater Add-in 1.x
ComponentOne Studio Live
ComponentOne Studio™ for .NET
ComponentOne True DBGrid for .NET
Crystal Reports
Crystal Reports for .NET Help
Crystal Reports XI Release 2
Digital Line Detect
Express Rip
FileZilla Client 3.3.5
GDR 3068 for SQL Server Database Services 2005 ENU (KB948109)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Java™ SE Runtime Environment 6
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB929729)
Microsoft .NET Framework 3.5 SP1
Microsoft Antimalware
Microsoft Application Error Reporting
Microsoft FrontPage Client - English
Microsoft Office 2007 Primary Interop Assemblies
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Professional Hybrid 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Security Essentials
Microsoft SQL Server 2005 Express Edition (MSSMLBIZ)
Microsoft SQL Server 2005 Express Edition (SQLSERVER)
Microsoft SQL Server 2008
Microsoft SQL Server 2008 Browser
Microsoft SQL Server 2008 Common Files
Microsoft SQL Server 2008 Database Engine Services
Microsoft SQL Server 2008 Database Engine Shared
Microsoft SQL Server 2008 Native Client
Microsoft SQL Server 2008 RsFx Driver
Microsoft SQL Server 2008 Setup Support Files
Microsoft SQL Server Management Studio Express
Microsoft SQL Server Native Client
Microsoft SQL Server VSS Writer
Microsoft Visual Basic .NET Standard 2003 - English
Microsoft Visual C# .NET Standard 2003 - English
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual Studio 2005 Tools for Office Runtime
Microsoft Visual Studio 6.0 Enterprise Edition
Microsoft Web Platform Installer 2.0 RC
Modem Diagnostic Tool
MorphVOX Pro
Mozilla Firefox (3.0.5)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB941833)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 Parser and SDK
PowerDVD
QuickBooks Pro 99
Quicken 2008
QuickTime
Rebex FTP/SSL v3.0.3300.0 for .NET 1.1
Security Update for 2007 Microsoft Office System (KB951550)
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB973704)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft Office Excel 2007 (KB982308)
Security Update for Microsoft Office Outlook 2007 (KB972363)
Security Update for Microsoft Office PowerPoint 2007 (KB957789)
Security Update for Microsoft Office Publisher 2007 (KB969693)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB969613)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Service Pack 1 for SQL Server 2008 (KB968369)
SigmaTel Audio
Smart Defrag 1.20
Sql Server Customer Experience Improvement Program
Switch Sound File Converter
Update for 2007 Microsoft Office System (KB967642)
Update for 2007 Microsoft Office System (KB981715)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office Access 2007 Help (KB963663)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office InfoPath 2007 (KB976416)
Update for Microsoft Office Outlook 2007 Help (KB963677)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Publisher 2007 Help (KB963667)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 (KB974561)
Update for Microsoft Office Word 2007 Help (KB963665)
Update for Outlook 2007 Junk Email Filter (kb977719)
User's Guides
Visual Basic .NET Standard 2003 - English
Visual C# .NET Standard 2003 - English
Visual Studio 2005 Tools for Office Second Edition Runtime
Visual Studio.NET Baseline - English
Vizacc HelpMaker 7.4.4 (remove only)
VSIP Interop Assembly Redist
Windows Live OneCare safety scanner
Windows Media Player Firefox Plugin

==== End Of File ===========================

And here is the Rootkit Unhooker report:
RkU Version: 3.8.388.590, Type LE (SR2)
==============================================
OS Name: Windows Vista
Version 6.0.6000
Number of processors #2
==============================================
>Drivers
==============================================
0x8BCD4000 C:\Windows\system32\DRIVERS\atikmdag.sys 7520256 bytes (ATI Technologies Inc., ATI Radeon Kernel Mode Driver)
0x81C00000 C:\Windows\system32\ntkrnlpa.exe 3805184 bytes (Microsoft Corporation, NT Kernel & System)
0x81C00000 PnpManager 3805184 bytes
0x81C00000 RAW 3805184 bytes
0x81C00000 WMIxWDM 3805184 bytes
0x94200000 Win32k 2097152 bytes
0x94200000 C:\Windows\System32\win32k.sys 2097152 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0x820F8000 C:\Windows\System32\Drivers\Ntfs.sys 1081344 bytes (Microsoft Corporation, NT File System Driver)
0x8068B000 C:\Windows\system32\drivers\ndis.sys 1064960 bytes (Microsoft Corporation, NDIS 6.0 wrapper driver)
0x8C4FC000 C:\Windows\system32\DRIVERS\VSTDPV3.SYS 1064960 bytes (Conexant Systems, Inc., HSF_DP driver)
0x8051F000 C:\Windows\system32\CI.dll 921600 bytes (Microsoft Corporation, Code Integrity Module)
0x9FC22000 C:\Windows\system32\drivers\peauth.sys 909312 bytes (Microsoft Corporation, Protected Environment Authentication and Authorization Export Driver)
0x8CD2B000 C:\Windows\System32\drivers\tcpip.sys 872448 bytes (Microsoft Corporation, TCP/IP Driver)
0x8C449000 C:\Windows\system32\DRIVERS\VSTCNXT3.SYS 733184 bytes (Conexant Systems, Inc., HSF_CNXT driver)
0x8C72F000 C:\Windows\system32\drivers\stwrt.sys 667648 bytes (SigmaTel, Inc., NDRC)
0x8BA46000 C:\Windows\System32\drivers\dxgkrnl.sys 643072 bytes (Microsoft Corporation, DirectX Graphics Kernel)
0x9A21C000 C:\Windows\system32\drivers\spsys.sys 581632 bytes (Microsoft Corporation, security processor)
0x8C862000 C:\Windows\system32\DRIVERS\rdpdr.sys 552960 bytes (Microsoft Corporation, Microsoft RDP Device redirector)
0x80204000 C:\Windows\system32\drivers\Wdf01000.sys 503808 bytes (Microsoft Corporation, WDF Dynamic)
0x8208E000 C:\Windows\System32\Drivers\ksecdd.sys 434176 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0x9A4C7000 C:\Windows\system32\drivers\HTTP.sys 417792 bytes (Microsoft Corporation, HTTP Protocol Stack)
0x8CFA0000 C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys 393216 bytes (Symantec Corporation, Symantec Eraser Control Driver)
0x8CF4D000 C:\Windows\system32\drivers\csc.sys 339968 bytes (Microsoft Corporation, Windows Client Side Caching Driver)
0x9A30A000 C:\Windows\System32\DRIVERS\srv.sys 331776 bytes (Microsoft Corporation, Server driver)
0x80430000 C:\Windows\System32\drivers\volmgrx.sys 303104 bytes (Microsoft Corporation, Volume Manager Extension Driver)
0x8BC4F000 C:\Windows\system32\DRIVERS\VSTBS23.SYS 294912 bytes (Conexant Systems, Inc., HSF_HWB2 WDM driver)
0x8CCE4000 C:\Windows\system32\drivers\afd.sys 290816 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0x804CF000 C:\Windows\system32\drivers\acpi.sys 274432 bytes (Microsoft Corporation, ACPI Driver for NT)
0x807C0000 C:\Windows\system32\drivers\storport.sys 262144 bytes (Microsoft Corporation, Microsoft Storage Port Driver)
0x8BC97000 C:\Windows\system32\DRIVERS\USBPORT.SYS 249856 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0x8027F000 C:\Windows\system32\CLFS.SYS 241664 bytes (Microsoft Corporation, Common Log File System Driver)
0x8CC96000 C:\Windows\system32\DRIVERS\rdbss.sys 241664 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0x9A391000 C:\Windows\system32\DRIVERS\mrxsmb10.sys 233472 bytes (Microsoft Corporation, Longhorn SMB Downlevel SubRdr)
0x80627000 C:\Windows\system32\drivers\NETIO.SYS 233472 bytes (Microsoft Corporation, Network I/O Subsystem)
0x82058000 C:\Windows\system32\drivers\volsnap.sys 221184 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0x81FA1000 ACPI_HAL 212992 bytes
0x81FA1000 C:\Windows\system32\hal.dll 212992 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0x8C801000 C:\Windows\system32\DRIVERS\usbhub.sys 212992 bytes (Microsoft Corporation, Default Hub Driver for USB)
0x8C625000 C:\Windows\System32\DRIVERS\netbt.sys 204800 bytes (Microsoft Corporation, MBT Transport driver)
0x8078F000 C:\Windows\system32\drivers\fltmgr.sys 200704 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0xA0B92000 C:\Windows\System32\Drivers\RDPWD.SYS 188416 bytes (Microsoft Corporation, RDP Terminal Stack Driver)
0x8BAE3000 C:\Windows\system32\DRIVERS\b57nd60x.sys 184320 bytes (Broadcom Corporation, Broadcom NetXtreme Gigabit Ethernet NDIS6.0 Driver.)
0x8C983000 C:\Windows\system32\DRIVERS\portcls.sys 184320 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0x8C958000 C:\Windows\system32\DRIVERS\msiscsi.sys 176128 bytes (Microsoft Corporation, Microsoft iSCSI Initiator Driver)
0x80660000 C:\Windows\system32\drivers\msrpc.sys 176128 bytes (Microsoft Corporation, Kernel Remote Procedure Call Provider)
0x8BC25000 C:\Windows\system32\DRIVERS\ks.sys 172032 bytes (Microsoft Corporation, Kernel CSA Library)
0x9D0A8000 C:\Windows\System32\Drivers\fastfat.SYS 163840 bytes (Microsoft Corporation, Fast FAT File System Driver)
0x8C7D2000 C:\Windows\system32\DRIVERS\Dot4.sys 151552 bytes (Microsoft Corporation, IEEE-1284.4-1999 Driver)
0x8C402000 C:\Windows\system32\DRIVERS\drmk.sys 151552 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
0x82033000 C:\Windows\System32\drivers\ecache.sys 151552 bytes (Microsoft Corporation, Special Memory Device Cache)
0x80499000 C:\Windows\system32\drivers\pci.sys 151552 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
0x9A35B000 C:\Windows\System32\DRIVERS\srv2.sys 147456 bytes (Microsoft Corporation, Smb 2.0 Server driver)
0x8C70C000 C:\Windows\system32\DRIVERS\MpFilter.sys 143360 bytes (Microsoft Corporation, Microsoft antimalware file system filter driver)
0x8C8FC000 C:\Windows\system32\DRIVERS\ndiswan.sys 143360 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
0x82001000 C:\Windows\system32\drivers\CLASSPNP.SYS 135168 bytes (Microsoft Corporation, SCSI Class System Dll)
0x8C6DF000 C:\Windows\System32\drivers\VIDEOPRT.SYS 135168 bytes (Microsoft Corporation, Video Port Driver)
0x9A3CA000 C:\Windows\system32\DRIVERS\mrxsmb.sys 122880 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
0x95B05000 C:\Windows\system32\drivers\luafv.sys 110592 bytes (Microsoft Corporation, LUA File Virtualization Filter Driver)
0x9A415000 C:\Windows\System32\DRIVERS\srvnet.sys 110592 bytes (Microsoft Corporation, Server Network driver)
0x8BB7E000 C:\Windows\system32\DRIVERS\serial.sys 106496 bytes (Microsoft Corporation, Serial Device Driver)
0x9A3FC000 C:\Windows\system32\DRIVERS\bowser.sys 102400 bytes (Microsoft Corporation, NT Lan Manager Datagram Receiver Driver)
0x8C680000 C:\Windows\System32\drivers\fwpkclnt.sys 102400 bytes (Microsoft Corporation, FWP/IPsec Kernel-Mode API)
0x8BA16000 C:\Windows\system32\DRIVERS\cdrom.sys 98304 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
0x8C427000 C:\Windows\system32\DRIVERS\parport.sys 98304 bytes (Microsoft Corporation, Parallel Port Driver)
0x8CC35000 C:\Windows\System32\Drivers\dfsc.sys 94208 bytes (Microsoft Corporation, DFS Client MUP Surrogate Driver)
0x8C92A000 C:\Windows\system32\DRIVERS\rasl2tp.sys 94208 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
0x9D012000 C:\Windows\system32\DRIVERS\cdfs.sys 90112 bytes (Microsoft Corporation, CD-ROM File System Driver)
0x8C60F000 C:\Windows\system32\DRIVERS\pacer.sys 90112 bytes (Microsoft Corporation, QoS Packet Scheduler)
0x8C66B000 C:\Windows\system32\DRIVERS\tdx.sys 86016 bytes (Microsoft Corporation, TDI Translation Driver)
0x9A3E8000 C:\Windows\System32\drivers\mpsdrv.sys 81920 bytes (Microsoft Corporation, Microsoft Protection Service Driver)
0x8C657000 C:\Windows\system32\DRIVERS\smb.sys 81920 bytes (Microsoft Corporation, SMB Transport driver)
0x8C8E9000 C:\Windows\system32\DRIVERS\raspptp.sys 77824 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
0x9A5AD000 C:\Windows\system32\DRIVERS\rspndr.sys 77824 bytes (Microsoft Corporation, Link-Layer Topology Responder Driver for NDIS 6)
0x8CCD1000 C:\Windows\system32\DRIVERS\wanarp.sys 77824 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
0x8BBA3000 C:\Windows\system32\DRIVERS\HDAudBus.sys 73728 bytes (Microsoft Corporation, High Definition Audio Bus Driver)
0x9A37F000 C:\Windows\system32\DRIVERS\mrxsmb20.sys 73728 bytes (Microsoft Corporation, Longhorn SMB 2.0 Redirector)
0x8CC23000 C:\Windows\system32\DRIVERS\USBSTOR.SYS 73728 bytes (Microsoft Corporation, USB Mass Storage Class Driver)
0x82022000 C:\Windows\system32\drivers\disk.sys 69632 bytes (Microsoft Corporation, PnP Disk Driver)
0x80413000 C:\Windows\system32\drivers\fileinfo.sys 65536 bytes (Microsoft Corporation, FileInfo Filter Driver)
0x82240000 C:\Windows\system32\DRIVERS\HIDCLASS.SYS 65536 bytes (Microsoft Corporation, Hid Class Library)
0x9A2E0000 C:\Windows\system32\DRIVERS\lltdio.sys 65536 bytes (Microsoft Corporation, Link-Layer Topology Mapper I/O Driver)
0x8047A000 C:\Windows\System32\drivers\mountmgr.sys 65536 bytes (Microsoft Corporation, Mount Point Manager)
0x8B5F0000 C:\Windows\System32\Drivers\NDProxy.SYS 65536 bytes (Microsoft Corporation, NDIS Proxy)
0x82258000 C:\Windows\system32\DRIVERS\amdk8.sys 61440 bytes (Microsoft Corporation, Processor Device Driver)
0x9632A000 C:\Windows\system32\DRIVERS\monitor.sys 61440 bytes (Microsoft Corporation, Monitor Driver)
0x80609000 C:\Windows\System32\Drivers\mup.sys 61440 bytes (Microsoft Corporation, Multiple UNC Provider driver)
0x80618000 C:\Windows\System32\drivers\partmgr.sys 61440 bytes (Microsoft Corporation, Partition Management Driver)
0x8BB10000 C:\Windows\system32\DRIVERS\raspppoe.sys 61440 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
0x8BB1F000 C:\Windows\system32\DRIVERS\termdd.sys 61440 bytes (Microsoft Corporation, Terminal Server Driver)
0x8048A000 C:\Windows\system32\drivers\volmgr.sys 61440 bytes (Microsoft Corporation, Volume Manager Driver)
0x94C10000 C:\Windows\System32\cdd.dll 57344 bytes (Microsoft Corporation, Canonical Display Driver)
0x8C601000 C:\Windows\system32\DRIVERS\netbios.sys 57344 bytes (Microsoft Corporation, NetBIOS interface driver)
0x8C699000 C:\Windows\System32\Drivers\Npfs.SYS 57344 bytes (Microsoft Corporation, NPFS Driver)
0x8BA2E000 C:\Windows\system32\DRIVERS\usbehci.sys 57344 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
0xB953A000 C:\Windows\system32\DRIVERS\dot4usb.sys 53248 bytes (Microsoft Corporation, DOT4USB filter driver)
0x8BA09000 C:\Windows\system32\drivers\modem.sys 53248 bytes (Microsoft Corporation, Modem Device Driver)
0x80423000 C:\Windows\system32\drivers\nvstor.sys 53248 bytes (NVIDIA Corporation, NVIDIA® nForce™ Sata Performance Driver)
0x8C855000 C:\Windows\system32\DRIVERS\umbus.sys 53248 bytes (Microsoft Corporation, User-Mode Bus Enumerator)
0x88411000 C:\Windows\System32\drivers\watchdog.sys 53248 bytes (Microsoft Corporation, Watchdog Driver)
0x80512000 C:\Windows\system32\drivers\WDFLDR.SYS 53248 bytes (Microsoft Corporation, WDFLDR)
0x8C941000 C:\Windows\system32\drivers\ScreamingBAudio.sys 49152 bytes (Screaming Bee LLC, Screaming Bee Audio Driver)
0x94994000 C:\Windows\System32\DRIVERS\tssecsrv.sys 49152 bytes (Microsoft Corporation, TS Security Filter Driver)
0x8C700000 C:\Windows\System32\drivers\vga.sys 49152 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
0x8BB98000 C:\Windows\system32\DRIVERS\fdc.sys 45056 bytes (Microsoft Corporation, Floppy Disk Controller Driver)
0x8C84A000 C:\Windows\system32\DRIVERS\kbdclass.sys 45056 bytes (Microsoft Corporation, Keyboard Class Driver)
0x8C83F000 C:\Windows\system32\DRIVERS\mouclass.sys 45056 bytes (Microsoft Corporation, Mouse Class Driver)
0x8C6A7000 C:\Windows\System32\Drivers\Msfs.SYS 45056 bytes (Microsoft Corporation, Mailslot driver)
0x8C91F000 C:\Windows\system32\DRIVERS\ndistapi.sys 45056 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
0x94890000 C:\Windows\System32\drivers\tcpipreg.sys 45056 bytes (Microsoft Corporation, TCP/IP Registry Compatibility Driver)
0x8C94D000 C:\Windows\system32\DRIVERS\TDI.SYS 45056 bytes (Microsoft Corporation, TDI Wrapper)
0x948A6000 C:\Windows\system32\drivers\tdtcp.sys 45056 bytes (Microsoft Corporation, TCP Transport Driver)
0x88406000 C:\Windows\system32\DRIVERS\tunnel.sys 45056 bytes (Microsoft Corporation, Microsoft Tunnel Interface Driver)
0x9396A000 C:\Windows\System32\drivers\Dxapi.sys 40960 bytes (Microsoft Corporation, DirectX API Driver)
0x8C7F7000 C:\Windows\system32\DRIVERS\flpydisk.sys 40960 bytes (Microsoft Corporation, Floppy Driver)
0x8C835000 C:\Windows\system32\DRIVERS\mssmbios.sys 40960 bytes (Microsoft Corporation, System Management BIOS Driver)
0x8CC4C000 C:\Windows\system32\drivers\nsiproxy.sys 40960 bytes (Microsoft Corporation, NSI Proxy)
0x939C4000 C:\Windows\System32\Drivers\secdrv.SYS 40960 bytes (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K., Macrovision SECURITY Driver)
0x8C43F000 C:\Windows\system32\DRIVERS\serenum.sys 40960 bytes (Microsoft Corporation, Serial Port Enumerator)
0x8BA3C000 C:\Windows\system32\DRIVERS\usbohci.sys 40960 bytes (Microsoft Corporation, OHCI USB Miniport Driver)
0x8B4AC000 C:\Windows\system32\DRIVERS\asyncmac.sys 36864 bytes (Microsoft Corporation, MS Remote Access serial network driver)
0x80402000 C:\Windows\system32\drivers\crcdisk.sys 36864 bytes (Microsoft Corporation, Disk Block Verification Filter Driver)
0x8B45B000 C:\Windows\system32\DRIVERS\Dot4Prt.sys 36864 bytes (Microsoft Corporation, IEEE-1284.4 Print Class Driver)
0x8B464000 C:\Windows\System32\Drivers\Fs_Rec.SYS 36864 bytes (Microsoft Corporation, File System Recognizer Driver)
0x8B47F000 C:\Windows\system32\DRIVERS\hidusb.sys 36864 bytes (Microsoft Corporation, USB Miniport Driver for Input Devices)
0x8B488000 C:\Windows\system32\DRIVERS\kbdhid.sys 36864 bytes (Microsoft Corporation, HID Keyboard Filter Driver)
0xA7BDC000 C:\Windows\system32\DRIVERS\MpNWMon.sys 36864 bytes (Microsoft Corporation, Network monitor driver)
0x8B452000 C:\Windows\System32\Drivers\Normandy.SYS 36864 bytes (RKU Driver)
0x802C2000 C:\Windows\system32\PSHED.dll 36864 bytes (Microsoft Corporation, Platform Specific Hardware Error Driver)
0x8B476000 C:\Windows\System32\DRIVERS\rasacd.sys 36864 bytes (Microsoft Corporation, RAS Automatic Connection Driver)
0x94C00000 C:\Windows\System32\TSDDD.dll 36864 bytes (Microsoft Corporation, Framebuffer Display Driver)
0x82267000 C:\Windows\system32\DRIVERS\tunmp.sys 36864 bytes (Microsoft Corporation, Microsoft Tunnel Interface Driver)
0x804C6000 C:\Windows\system32\drivers\WMILIB.SYS 36864 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
0x802BA000 C:\Windows\system32\BOOTVID.dll 32768 bytes (Microsoft Corporation, VGA Boot Driver)
0xC4AE0000 C:\Windows\system32\DRIVERS\Dot4Scan.sys 32768 bytes (Microsoft Corporation, DOT4 Scan driver)
0x88584000 C:\Windows\system32\DRIVERS\mouhid.sys 32768 bytes (Microsoft Corporation, HID Mouse Filter Driver)
0x804BE000 C:\Windows\system32\drivers\msisadrv.sys 32768 bytes (Microsoft Corporation, ISA Driver)
0x8856C000 C:\Windows\System32\DRIVERS\RDPCDD.sys 32768 bytes (Microsoft Corporation, RDP Miniport)
0x885A4000 C:\Windows\system32\drivers\rdpencdd.sys 32768 bytes (Microsoft Corporation, RDP Miniport)
0x8040B000 C:\Windows\System32\Drivers\spldr.sys 32768 bytes (Microsoft Corporation, loader for security processor)
0x8BBCA000 C:\Windows\System32\Drivers\Beep.SYS 28672 bytes (Microsoft Corporation, BEEP Driver)
0x8BBD1000 C:\Windows\system32\DRIVERS\HIDPARSE.SYS 28672 bytes (Microsoft Corporation, Hid Parsing Library)
0x9D141000 C:\Users\Matti\AppData\Local\Temp\mbr.sys 28672 bytes
0x8BBC3000 C:\Windows\System32\Drivers\Null.SYS 28672 bytes (Microsoft Corporation, NULL Driver)
0x8BC1E000 C:\Windows\system32\DRIVERS\parvdm.sys 28672 bytes (Microsoft Corporation, VDM Parallel Driver)
0x8C9BA000 C:\Windows\system32\DRIVERS\vcsvad.sys 20480 bytes (Avnex, Avnex Ltd. Virtual Audio Device (WDM))
0x85DB3000 C:\Windows\system32\kdcom.dll 12288 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
0x8B4D0000 C:\Windows\system32\DRIVERS\tenCapture.sys 12288 bytes (Hajo Krabbenhöft, Personal Voice Changer Driver)
0x884E5000 C:\Windows\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
0x884E9000 C:\Windows\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
!!!!!!!!!!!Hidden driver: 0x85CE2292 ?_empty_? 3438 bytes
==============================================
>Stealth
==============================================
0x69460405 LDT (IN GDT of Core 1) Modification, Base+0x340, DPL_INVALID, Rpl : 1, Type: CallGate32, Core [1]
0x69460405 LDT (IN GDT of Core 1) Modification, Base+0x690, DPL_INVALID, Rpl : 1, Type: CallGate32, Core [1]
0x86A8854A LDT (IN GDT of Core 1) Modification, Base+0x338, DPL_INVALID, Rpl : 2, Type: CallGate32, Core [1]
0x84E8867E LDT (IN GDT of Core 1) Modification, Base+0x848, DPL_INVALID, Rpl : 2, Type: CallGate32, Core [1]
0x69460405 LDT (IN GDT of Core 1) Modification, Base+0x868, DPL_INVALID, Rpl : 1, Type: CallGate32, Core [1]
0x85940000 LDT (IN GDT of Core 1) Modification, Base+0xC98, DPL_USER, Rpl : 0, Type: CallGate32, Core [1]
0x85A40000 LDT (IN GDT of Core 1) Modification, Base+0xCA8, DPL_USER, Rpl : 0, Type: CallGate32, Core [1]
0x85B40000 LDT (IN GDT of Core 1) Modification, Base+0xCB8, DPL_USER, Rpl : 0, Type: CallGate32, Core [1]
0xC3410423 LDT (IN GDT of Core 1) Modification, Base+0x650, DPL_INVALID, Rpl : 3, Type: CallGate32, Core [1]
0x69460405 LDT (IN GDT of Core 1) Modification, Base+0xA60, DPL_INVALID, Rpl : 1, Type: CallGate32, Core [1]
0x69460405 LDT (IN GDT of Core 1) Modification, Base+0x2A8, DPL_INVALID, Rpl : 1, Type: CallGate32, Core [1]
0x69460405 LDT (IN GDT of Core 1) Modification, Base+0xBC0, DPL_INVALID, Rpl : 1, Type: CallGate32, Core [1]
0x85840000 LDT (IN GDT of Core 1) Modification, Base+0xC88, DPL_SYSTEM, Rpl : 0, Type: CallGate32, Core [1]
0x84408532 LDT (IN GDT of Core 1) Modification, Base+0xE00, DPL_INVALID, Rpl : 2, Type: CallGate32, Core [1]
0x69460405 LDT (IN GDT of Core 1) Modification, Base+0x380, DPL_INVALID, Rpl : 1, Type: CallGate32, Core [1]
0x69460405 LDT (IN GDT of Core 1) Modification, Base+0x748, DPL_INVALID, Rpl : 1, Type: CallGate32, Core [1]
0xC3410001 LDT (IN GDT of Core 1) Modification, Base+0xC38, DPL_INVALID, Rpl : 1, Type: CallGate32, Core [1]
0x86808437 LDT (IN GDT of Core 1) Modification, Base+0xD60, DPL_INVALID, Rpl : 3, Type: CallGate32, Core [1]
0x85370000 LDT (IN GDT of Core 1) Modification, Base+0x710, DPL_INVALID, Rpl : 0, Type: CallGate32, Core [1]
0x44410422 LDT (IN GDT of Core 1) Modification, Base+0xA98, DPL_USER, Rpl : 2, Type: CallGate32, Core [1]
0x8530855F LDT (IN GDT of Core 1) Modification, Base+0xC38, DPL_INVALID, Rpl : 3, Type: CallGate32, Core [1]
0x005B0000 LDT (IN GDT of Core 1) Modification, Base+0xCD8, DPL_SYSTEM, Rpl : 0, Type: CallGate32, Core [1]
0x006D0001 LDT (IN GDT of Core 1) Modification, Base+0xD00, DPL_INVALID, Rpl : 1, Type: CallGate32, Core [1]
0xC3410423 LDT (IN GDT of Core 1) Modification, Base+0x008, DPL_INVALID, Rpl : 3, Type: CallGate32, Core [1]
0x86080000 LDT (IN GDT of Core 1) Modification, Base+0x0F8, DPL_USER, Rpl : 0, Type: CallGate32, Core [1]
0x69460405 LDT (IN GDT of Core 1) Modification, Base+0x1A0, DPL_INVALID, Rpl : 1, Type: CallGate32, Core [1]
0xC3410001 LDT (IN GDT of Core 1) Modification, Base+0x1F0, DPL_INVALID, Rpl : 1, Type: CallGate32, Core [1]
0x85188544 LDT (IN GDT of Core 1) Modification, Base+0x210, DPL_SYSTEM, Rpl : 0, Type: CallGate32, Core [1]
0x69460405 LDT (IN GDT of Core 1) Modification, Base+0x4A0, DPL_INVALID, Rpl : 1, Type: CallGate32, Core [1]
0x87D8850D LDT (IN GDT of Core 1) Modification, Base+0xFE0, DPL_INVALID, Rpl : 1, Type: CallGate32, Core [1]
0x00910000 LDT (IN GDT of Core 1) Modification, Base+0x3B0, DPL_SYSTEM, Rpl : 0, Type: CallGate32, Core [1]
0x85D80080 LDT (IN GDT of Core 1) Modification, Base+0x540, DPL_INVALID, Rpl : 0, Type: CallGate32, Core [1]
0x69460405 LDT (IN GDT of Core 1) Modification, Base+0x988, DPL_INVALID, Rpl : 1, Type: CallGate32, Core [1]
0x69460405 LDT (IN GDT of Core 1) Modification, Base+0xAC0, DPL_INVALID, Rpl : 1, Type: CallGate32, Core [1]
0x45410002 LDT (IN GDT of Core 1) Modification, Base+0xAE8, DPL_USER, Rpl : 2, Type: CallGate32, Core [1]
0x85188533 LDT (IN GDT of Core 1) Modification, Base+0xC20, DPL_INVALID, Rpl : 3, Type: CallGate32, Core [1]
0x85A00000 LDT (IN GDT of Core 1) Modification, Base+0xD30, DPL_INVALID, Rpl : 0, Type: CallGate32, Core [1]
0x69460405 LDT (IN GDT of Core 1) Modification, Base+0x220, DPL_INVALID, Rpl : 1, Type: CallGate32, Core [1]
0xC7288533 LDT (IN GDT of Core 1) Modification, Base+0x570, DPL_INVALID, Rpl : 3, Type: CallGate32, Core [1]
0x69460405 LDT (IN GDT of Core 1) Modification, Base+0xA18, DPL_INVALID, Rpl : 1, Type: CallGate32, Core [1]
0x69460405 LDT (IN GDT of Core 1) Modification, Base+0xA40, DPL_INVALID, Rpl : 1, Type: CallGate32, Core [1]
0x86F08CCE LDT (IN GDT of Core 1) Modification, Base+0xD10, DPL_USER, Rpl : 2, Type: CallGate32, Core [1]
0x856C0000 LDT (IN GDT of Core 1) Modification, Base+0x070, DPL_INVALID, Rpl : 0, Type: CallGate32, Core [1]
0xC3410423 LDT (IN GDT of Core 1) Modification, Base+0x2C8, DPL_INVALID, Rpl : 3, Type: CallGate32, Core [1]
0x85608478 LDT (IN GDT of Core 1) Modification, Base+0x5D8, DPL_INVALID, Rpl : 0, Type: CallGate32, Core [1]
0xC3410001 LDT (IN GDT of Core 1) Modification, Base+0x6F8, DPL_INVALID, Rpl : 1, Type: CallGate32, Core [1]
0x45410002 LDT (IN GDT of Core 1) Modification, Base+0xB48, DPL_USER, Rpl : 2, Type: CallGate32, Core [1]
0x6E410407 LDT (IN GDT of Core 1) Modification, Base+0xC68, DPL_USER, Rpl : 3, Type: CallGate32, Core [1]
0x85688471 LDT (IN GDT of Core 1) Modification, Base+0xC98, DPL_USER, Rpl : 1, Type: CallGate32, Core [1]
0x85C08533 LDT (IN GDT of Core 1) Modification, Base+0xCC8, DPL_USER, Rpl : 3, Type: CallGate32, Core [1]
0xC3410003 LDT (IN GDT of Core 1) Modification, Base+0xEE0, DPL_INVALID, Rpl : 3, Type: CallGate32, Core [1]
0x857086C5 LDT (IN GDT of Core 1) Modification, Base+0x400, DPL_INVALID, Rpl : 1, Type: CallGate32, Core [1]
0x69460405 LDT (IN GDT of Core 1) Modification, Base+0x5E0, DPL_INVALID, Rpl : 1, Type: CallGate32, Core [1]
0x69460405 LDT (IN GDT of Core 1) Modification, Base+0xED0, DPL_INVALID, Rpl : 1, Type: CallGate32, Core [1]
0x69460405 LDT (IN GDT of Core 1) Modification, Base+0x200, DPL_INVALID, Rpl : 1, Type: CallGate32, Core [1]
0x69460405 LDT (IN GDT of Core 1) Modification, Base+0x2E8, DPL_INVALID, Rpl : 1, Type: CallGate32, Core [1]
0x01C937F9 LDT (IN GDT of Core 1) Modification, Base+0x740, DPL_SYSTEM, Rpl : 1, Type: CallGate32, Core [1]
0xAA0E0000 LDT (IN GDT of Core 1) Modification, Base+0x830, DPL_SYSTEM, Rpl : 0, Type: CallGate32, Core [1]
0x69460405 LDT (IN GDT of Core 1) Modification, Base+0x9B0, DPL_INVALID, Rpl : 1, Type: CallGate32, Core [1]
0x69460405 LDT (IN GDT of Core 1) Modification, Base+0xC40, DPL_INVALID, Rpl : 1, Type: CallGate32, Core [1]
0x86D0852A LDT (IN GDT of Core 1) Modification, Base+0xD50, DPL_INVALID, Rpl : 2, Type: CallGate32, Core [1]
0xC3410001 LDT (IN GDT of Core 1) Modification, Base+0x118, DPL_INVALID, Rpl : 1, Type: CallGate32, Core [1]
0x8510840C LDT (IN GDT of Core 1) Modification, Base+0x248, DPL_USER, Rpl : 0, Type: CallGate32, Core [1]
0x69460405 LDT (IN GDT of Core 1) Modification, Base+0x6F8, DPL_INVALID, Rpl : 1, Type: CallGate32, Core [1]
0x8518851D LDT (IN GDT of Core 1) Modification, Base+0xF10, DPL_SYSTEM, Rpl : 1, Type: CallGate32, Core [1]
0xAB108584 LDT (IN GDT of Core 1) Modification, Base+0x358, DPL_SYSTEM, Rpl : 0, Type: CallGate32, Core [1]
0x69460405 LDT (IN GDT of Core 1) Modification, Base+0x3D0, DPL_INVALID, Rpl : 1, Type: CallGate32, Core [1]
0x69460405 LDT (IN GDT of Core 1) Modification, Base+0x730, DPL_INVALID, Rpl : 1, Type: CallGate32, Core [1]
0x45410002 LDT (IN GDT of Core 1) Modification, Base+0x950, DPL_USER, Rpl : 2, Type: CallGate32, Core [1]
0x69460405 LDT (IN GDT of Core 1) Modification, Base+0xAA0, DPL_INVALID, Rpl : 1, Type: CallGate32, Core [1]
0xC3410001 LDT (IN GDT of Core 1) Modification, Base+0xBF8, DPL_INVALID, Rpl : 1, Type: CallGate32, Core [1]
0x86A8856D LDT (IN GDT of Core 1) Modification, Base+0xEC8, DPL_INVALID, Rpl : 1, Type: CallGate32, Core [1]
0xB2C88534 LDT (IN GDT of Core 1) Modification, Base+0xF68, DPL_INVALID, Rpl : 0, Type: CallGate32, Core [1]
0x85108653 LDT (IN GDT of Core 1) Modification, Base+0x020, DPL_INVALID, Rpl : 3, Type: CallGate32, Core [1]
0x84508479 LDT (IN GDT of Core 1) Modification, Base+0x480, DPL_USER, Rpl : 1, Type: CallGate32, Core [1]
0x8508856F LDT (IN GDT of Core 1) Modification, Base+0x640, DPL_INVALID, Rpl : 3, Type: CallGate32, Core [1]
0x69460405 LDT (IN GDT of Core 1) Modification, Base+0x760, DPL_INVALID, Rpl : 1, Type: CallGate32, Core [1]
0x6630769E LDT (IN GDT of Core 1) Modification, Base+0xA30, DPL_USER, Rpl : 2, Type: CallGate32, Core [1]
0x69460405 LDT (IN GDT of Core 1) Modification, Base+0xD50, DPL_INVALID, Rpl : 1, Type: CallGate32, Core [1]
0x84408CCE LDT (IN GDT of Core 1) Modification, Base+0x0F8, DPL_INVALID, Rpl : 2, Type: CallGate32, Core [1]
0x01EB9FBD LDT (IN GDT of Core 1) Modification, Base+0x620, DPL_SYSTEM, Rpl : 1, Type: CallGate32, Core [1]
0xC3410002 LDT (IN GDT of Core 1) Modification, Base+0x948, DPL_INVALID, Rpl : 2, Type: CallGate32, Core [1]
0x69460405 LDT (IN GDT of Core 1) Modification, Base+0xA68, DPL_INVALID, Rpl : 1, Type: CallGate32, Core [1]
0x855CAC5D LDT (IN GDT of Core 1) Modification, Base+0x4D8, DPL_USER, Rpl : 1, Type: CallGate32, Core [1]
0x69460405 LDT (IN GDT of Core 1) Modification, Base+0x558, DPL_INVALID, Rpl : 1, Type: CallGate32, Core [1]
0x85408534 LDT (IN GDT of Core 1) Modification, Base+0x930, DPL_USER, Rpl : 0, Type: CallGate32, Core [1]
0x69460405 LDT (IN GDT of Core 1) Modification, Base+0xAD8, DPL_INVALID, Rpl : 1, Type: CallGate32, Core [1]
0x01E961D3 LDT (IN GDT of Core 1) Modification, Base+0xF38, DPL_SYSTEM, Rpl : 3, Type: CallGate32, Core [1]
0x78460001 LDT (IN GDT of Core 1) Modification, Base+0x3E0, DPL_INVALID, Rpl : 1, Type: CallGate32, Core [1]
0x7AA00000 LDT (IN GDT of Core 1) Modification, Base+0x608, DPL_SYSTEM, Rpl : 0, Type: CallGate32, Core [1]
0x84608CCE LDT (IN GDT of Core 1) Modification, Base+0xFE8, DPL_USER, Rpl : 2, Type: CallGate32, Core [1]
0x45410002 LDT (IN GDT of Core 1) Modification, Base+0x1A8, DPL_USER, Rpl : 2, Type: CallGate32, Core [1]
0x69460405 LDT (IN GDT of Core 1) Modification, Base+0x2C8, DPL_INVALID, Rpl : 1, Type: CallGate32, Core [1]
0x45410424 LDT (IN GDT of Core 1) Modification, Base+0x660, DPL_USER, Rpl : 0, Type: CallGate32, Core [1]
0x85DC0000 LDT (IN GDT of Core 1) Modification, Base+0x9E8, DPL_USER, Rpl : 0, Type: CallGate32, Core [1]
0x69460405 LDT (IN GDT of Core 1) Modification, Base+0xBA8, DPL_INVALID, Rpl : 1, Type: CallGate32, Core [1]
0x69460405 LDT (IN GDT of Core 1) Modification, Base+0xBD0, DPL_INVALID, Rpl : 1, Type: CallGate32, Core [1]
0x850C0000 LDT (IN GDT of Core 1) Modification, Base+0xC10, DPL_SYSTEM, Rpl : 0, Type: CallGate32, Core [1]
0x85D80080 LDT (IN GDT of Core 1) Modification, Base+0xF88, DPL_INVALID, Rpl : 0, Type: CallGate32, Core [1]
0x86E80000 LDT (IN GDT of Core 1) Modification, Base+0xE68, DPL_INVALID, Rpl : 0, Type: CallGate32, Core [1]
0xC3410001 LDT (IN GDT of Core 1) Modification, Base+0xEF0, DPL_INVALID, Rpl : 1, Type: CallGate32, Core [1]
0x86508675 LDT (IN GDT of Core 1) Modification, Base+0x0F0, DPL_INVALID, Rpl : 1, Type: CallGate32, Core [1]
0x86488534 LDT (IN GDT of Core 1) Modification, Base+0x0F8, DPL_INVALID, Rpl : 0, Type: CallGate32, Core [1]
0x86688675 LDT (IN GDT of Core 1) Modification, Base+0x150, DPL_INVALID, Rpl : 1, Type: CallGate32, Core [1]
0x45410002 LDT (IN GDT of Core 1) Modification, Base+0x660, DPL_USER, Rpl : 2, Type: CallGate32, Core [1]
0x85280000 LDT (IN GDT of Core 1) Modification, Base+0xC30, DPL_INVALID, Rpl : 0, Type: CallGate32, Core [1]
0x86A88576 LDT (IN GDT of Core 1) Modification, Base+0x8F0, DPL_INVALID, Rpl : 2, Type: CallGate32, Core [1]
0x85488560 LDT (IN GDT of Core 1) Modification, Base+0x980, DPL_INVALID, Rpl : 0, Type: CallGate32, Core [1]
0x69460405 LDT (IN GDT of Core 1) Modification, Base+0xB88, DPL_INVALID, Rpl : 1, Type: CallGate32, Core [1]
0x69460405 LDT (IN GDT of Core 1) Modification, Base+0x110, DPL_INVALID, Rpl : 1, Type: CallGate32, Core [1]
0x86A8852D LDT (IN GDT of Core 1) Modification, Base+0x320, DPL_INVALID, Rpl : 1, Type: CallGate32, Core [1]
0x01C4D197 LDT (IN GDT of Core 1) Modification, Base+0x6F0, DPL_SYSTEM, Rpl : 3, Type: CallGate32, Core [1]
0x00448534 LDT (IN GDT of Core 1) Modification, Base+0x718, DPL_SYSTEM, Rpl : 0, Type: CallGate32, Core [1]
0x85D80080 LDT (IN GDT of Core 1) Modification, Base+0xA50, DPL_INVALID, Rpl : 0, Type: CallGate32, Core [1]
0x69460405 LDT (IN GDT of Core 1) Modification, Base+0xAD0, DPL_INVALID, Rpl : 1, Type: CallGate32, Core [1]
0x45410002 LDT (IN GDT of Core 1) Modification, Base+0xEE8, DPL_USER, Rpl : 2, Type: CallGate32, Core [1]
0x85E88CCE LDT (IN GDT of Core 1) Modification, Base+0x0F8, DPL_INVALID, Rpl : 2, Type: CallGate32, Core [1]
0xC3410423 LDT (IN GDT of Core 1) Modification, Base+0x118, DPL_INVALID, Rpl : 3, Type: CallGate32, Core [1]
0xC3410423 LDT (IN GDT of Core 1) Modification, Base+0x650, DPL_INVALID, Rpl : 3, Type: CallGate32, Core [1]
0x86A8855D LDT (IN GDT of Core 1) Modification, Base+0x798, DPL_INVALID, Rpl : 1, Type: CallGate32, Core [1]
0x69460405 LDT (IN GDT of Core 1) Modification, Base+0xEC8, DPL_INVALID, Rpl : 1, Type: CallGate32, Core [1]
0xC3410001 LDT (IN GDT of Core 1) Modification, Base+0xEF0, DPL_INVALID, Rpl : 1, Type: CallGate32, Core [1]
0x84C80006 LDT (IN GDT of Core 1) Modification, Base+0xF08, DPL_USER, Rpl : 2, Type: CallGate32, Core [1]
0x69460405 LDT (IN GDT of Core 1) Modification, Base+0x1B0, DPL_INVALID, Rpl : 1, Type: CallGate32, Core [1]
0x45410002 LDT (IN GDT of Core 1) Modification, Base+0x390, DPL_USER, Rpl : 2, Type: CallGate32, Core [1]
0x69460405 LDT (IN GDT of Core 2) Modification, Base+0x340, DPL_INVALID, Rpl : 1, Type: CallGate32, Core [2]
0x69460405 LDT (IN GDT of Core 2) Modification, Base+0x690, DPL_INVALID, Rpl : 1, Type: CallGate32, Core [2]
0x86A8854A LDT (IN GDT of Core 2) Modification, Base+0x338, DPL_INVALID, Rpl : 2, Type: CallGate32, Core [2]
0x84E8867E LDT (IN GDT of Core 2) Modification, Base+0x848, DPL_INVALID, Rpl : 2, Type: CallGate32, Core [2]
0x69460405 LDT (IN GDT of Core 2) Modification, Base+0x868, DPL_INVALID, Rpl : 1, Type: CallGate32, Core [2]
0x85940000 LDT (IN GDT of Core 2) Modification, Base+0xC98, DPL_USER, Rpl : 0, Type: CallGate32, Core [2]
0x85A40000 LDT (IN GDT of Core 2) Modification, Base+0xCA8, DPL_USER, Rpl : 0, Type: CallGate32, Core [2]
0x85B40000 LDT (IN GDT of Core 2) Modification, Base+0xCB8, DPL_USER, Rpl : 0, Type: CallGate32, Core [2]
0xC3410423 LDT (IN GDT of Core 2) Modification, Base+0x650, DPL_INVALID, Rpl : 3, Type: CallGate32, Core [2]
0x69460405 LDT (IN GDT of Core 2) Modification, Base+0xA60, DPL_INVALID, Rpl : 1, Type: CallGate32, Core [2]
0x69460405 LDT (IN GDT of Core 2) Modification, Base+0x2A8, DPL_INVALID, Rpl : 1, Type: CallGate32, Core [2]
0x69460405 LDT (IN GDT of Core 2) Modification, Base+0xBC0, DPL_INVALID, Rpl : 1, Type: CallGate32, Core [2]
0x85840000 LDT (IN GDT of Core 2) Modification, Base+0xC88, DPL_SYSTEM, Rpl : 0, Type: CallGate32, Core [2]
0x84408532 LDT (IN GDT of Core 2) Modification, Base+0xE00, DPL_INVALID, Rpl : 2, Type: CallGate32, Core [2]
0x69460405 LDT (IN GDT of Core 2) Modification, Base+0x380, DPL_INVALID, Rpl : 1, Type: CallGate32, Core [2]
0x69460405 LDT (IN GDT of Core 2) Modification, Base+0x748, DPL_INVALID, Rpl : 1, Type: CallGate32, Core [2]
0xC3410001 LDT (IN GDT of Core 2) Modification, Base+0xC38, DPL_INVALID, Rpl : 1, Type: CallGate32, Core [2]
0x86808437 LDT (IN GDT of Core 2) Modification, Base+0xD60, DPL_INVALID, Rpl : 3, Type: CallGate32, Core [2]
0x85370000 LDT (IN GDT of Core 2) Modification, Base+0x710, DPL_INVALID, Rpl : 0, Type: CallGate32, Core [2]
0x44410422 LDT (IN GDT of Core 2) Modification, Base+0xA98, DPL_USER, Rpl : 2, Type: CallGate32, Core [2]
0x8530855F LDT (IN GDT of Core 2) Modification, Base+0xC38, DPL_INVALID, Rpl : 3, Type: CallGate32, Core [2]
0x005B0000 LDT (IN GDT of Core 2) Modification, Base+0xCD8, DPL_SYSTEM, Rpl : 0, Type: CallGate32, Core [2]
0x006D0001 LDT (IN GDT of Core 2) Modification, Base+0xD00, DPL_INVALID, Rpl : 1, Type: CallGate32, Core [2]
0xC3410423 LDT (IN GDT of Core 2) Modification, Base+0x008, DPL_INVALID, Rpl : 3, Type: CallGate32, Core [2]
0x86080000 LDT (IN GDT of Core 2) Modification, Base+0x0F8, DPL_USER, Rpl : 0, Type: CallGate32, Core [2]
0x69460405 LDT (IN GDT of Core 2) Modification, Base+0x1A0, DPL_INVALID, Rpl : 1, Type: CallGate32, Core [2]
0xC3410001 LDT (IN GDT of Core 2) Modification, Base+0x1F0, DPL_INVALID, Rpl : 1, Type: CallGate32, Core [2]
0x85188544 LDT (IN GDT of Core 2) Modification, Base+0x210, DPL_SYSTEM, Rpl : 0, Type: CallGate32, Core [2]
0x69460405 LDT (IN GDT of Core 2) Modification, Base+0x4A0, DPL_INVALID, Rpl : 1, Type: CallGate32, Core [2]
0x87D8850D LDT (IN GDT of Core 2) Modification, Base+0xFE0, DPL_INVALID, Rpl : 1, Type: CallGate32, Core [2]
0x00910000 LDT (IN GDT of Core 2) Modification, Base+0x3B0, DPL_SYSTEM, Rpl : 0, Type: CallGate32, Core [2]
0x85D80080 LDT (IN GDT of Core 2) Modification, Base+0x540, DPL_INVALID, Rpl : 0, Type: CallGate32, Core [2]
0x69460405 LDT (IN GDT of Core 2) Modification, Base+0x988, DPL_INVALID, Rpl : 1, Type: CallGate32, Core [2]
0x69460405 LDT (IN GDT of Core 2) Modification, Base+0xAC0, DPL_INVALID, Rpl : 1, Type: CallGate32, Core [2]
0x45410002 LDT (IN GDT of Core 2) Modification, Base+0xAE8, DPL_USER, Rpl : 2, Type: CallGate32, Core [2]
0x85188533 LDT (IN GDT of Core 2) Modification, Base+0xC20, DPL_INVALID, Rpl : 3, Type: CallGate32, Core [2]
0x85A00000 LDT (IN GDT of Core 2) Modification, Base+0xD30, DPL_INVALID, Rpl : 0, Type: CallGate32, Core [2]
0x69460405 LDT (IN GDT of Core 2) Modification, Base+0x220, DPL_INVALID, Rpl : 1, Type: CallGate32, Core [2]
0xC7288533 LDT (IN GDT of Core 2) Modification, Base+0x570, DPL_INVALID, Rpl : 3, Type: CallGate32, Core [2]
0x69460405 LDT (IN GDT of Core 2) Modification, Base+0xA18, DPL_INVALID, Rpl : 1, Type: CallGate32, Core [2]
0x69460405 LDT (IN GDT of Core 2) Modification, Base+0xA40, DPL_INVALID, Rpl : 1, Type: CallGate32, Core [2]
0x86F08CCE LDT (IN GDT of Core 2) Modification, Base+0xD10, DPL_USER, Rpl : 2, Type: CallGate32, Core [2]
0x856C0000 LDT (IN GDT of Core 2) Modification, Base+0x070, DPL_INVALID, Rpl : 0, Type: CallGate32, Core [2]
0xC3410423 LDT (IN GDT of Core 2) Modification, Base+0x2C8, DPL_INVALID, Rpl : 3, Type: CallGate32, Core [2]
0x85608478 LDT (IN GDT of Core 2) Modification, Base+0x5D8, DPL_INVALID, Rpl : 0, Type: CallGate32, Core [2]
0xC3410001 LDT (IN GDT of Core 2) Modification, Base+0x6F8, DPL_INVALID, Rpl : 1, Type: CallGate32, Core [2]
0x45410002 LDT (IN GDT of Core 2) Modification, Base+0xB48, DPL_USER, Rpl : 2, Type: CallGate32, Core [2]
0x6E410407 LDT (IN GDT of Core 2) Modification, Base+0xC68, DPL_USER, Rpl : 3, Type: CallGate32, Core [2]
0x85688471 LDT (IN GDT of Core 2) Modification, Base+0xC98, DPL_USER, Rpl : 1, Type: CallGate32, Core [2]
0x85C08533 LDT (IN GDT of Core 2) Modification, Base+0xCC8, DPL_USER, Rpl : 3, Type: CallGate32, Core [2]
0xC3410003 LDT (IN GDT of Core 2) Modification, Base+0xEE0, DPL_INVALID, Rpl : 3, Type: CallGate32, Core [2]
0x857086C5 LDT (IN GDT of Core 2) Modification, Base+0x400, DPL_INVALID, Rpl : 1, Type: CallGate32, Core [2]
0x69460405 LDT (IN GDT of Core 2) Modification, Base+0x5E0, DPL_INVALID, Rpl : 1, Type: CallGate32, Core [2]
0x69460405 LDT (IN GDT of Core 2) Modification, Base+0xED0, DPL_INVALID, Rpl : 1, Type: CallGate32, Core [2]
0x69460405 LDT (IN GDT of Core 2) Modification, Base+0x200, DPL_INVALID, Rpl : 1, Type: CallGate32, Core [2]
0x69460405 LDT (IN GDT of Core 2) Modification, Base+0x2E8, DPL_INVALID, Rpl : 1, Type: CallGate32, Core [2]
0x01C937F9 LDT (IN GDT of Core 2) Modification, Base+0x740, DPL_SYSTEM, Rpl : 1, Type: CallGate32, Core [2]
0xAA0E0000 LDT (IN GDT of Core 2) Modification, Base+0x830, DPL_SYSTEM, Rpl : 0, Type: CallGate32, Core [2]
0x69460405 LDT (IN GDT of Core 2) Modification, Base+0x9B0, DPL_INVALID, Rpl : 1, Type: CallGate32, Core [2]
0x69460405 LDT (IN GDT of Core 2) Modification, Base+0xC40, DPL_INVALID, Rpl : 1, Type: CallGate32, Core [2]
0x86D0852A LDT (IN GDT of Core 2) Modification, Base+0xD50, DPL_INVALID, Rpl : 2, Type: CallGate32, Core [2]
0xC3410001 LDT (IN GDT of Core 2) Modification, Base+0x118, DPL_INVALID, Rpl : 1, Type: CallGate32, Core [2]
0x8510840C LDT (IN GDT of Core 2) Modification, Base+0x248, DPL_USER, Rpl : 0, Type: CallGate32, Core [2]
0x69460405 LDT (IN GDT of Core 2) Modification, Base+0x6F8, DPL_INVALID, Rpl : 1, Type: CallGate32, Core [2]
0x8518851D LDT (IN GDT of Core 2) Modification, Base+0xF10, DPL_SYSTEM, Rpl : 1, Type: CallGate32, Core [2]
0xAB108584 LDT (IN GDT of Core 2) Modification, Base+0x358, DPL_SYSTEM, Rpl : 0, Type: CallGate32, Core [2]
0x69460405 LDT (IN GDT of Core 2) Modification, Base+0x3D0, DPL_INVALID, Rpl : 1, Type: CallGate32, Core [2]
0x69460405 LDT (IN GDT of Core 2) Modification, Base+0x730, DPL_INVALID, Rpl : 1, Type: CallGate32, Core [2]
0x45410002 LDT (IN GDT of Core 2) Modification, Base+0x950, DPL_USER, Rpl : 2, Type: CallGate32, Core [2]
0x69460405 LDT (IN GDT of Core 2) Modification, Base+0xAA0, DPL_INVALID, Rpl : 1, Type: CallGate32, Core [2]
0xC3410001 LDT (IN GDT of Core 2) Modification, Base+0xBF8, DPL_INVALID, Rpl : 1, Type: CallGate32, Core [2]
0x86A8856D LDT (IN GDT of Core 2) Modification, Base+0xEC8, DPL_INVALID, Rpl : 1, Type: CallGate32, Core [2]
0xB2C88534 LDT (IN GDT of Core 2) Modification, Base+0xF68, DPL_INVALID, Rpl : 0, Type: CallGate32, Core [2]
0x85108653 LDT (IN GDT of Core 2) Modification, Base+0x020, DPL_INVALID, Rpl : 3, Type: CallGate32, Core [2]
0x84508479 LDT (IN GDT of Core 2) Modification, Base+0x480, DPL_USER, Rpl : 1, Type: CallGate32, Core [2]
0x8508856F LDT (IN GDT of Core 2) Modification, Base+0x640, DPL_INVALID, Rpl : 3, Type: CallGate32, Core [2]
0x69460405 LDT (IN GDT of Core 2) Modification, Base+0x760, DPL_INVALID, Rpl : 1, Type: CallGate32, Core [2]
0x6630769E LDT (IN GDT of Core 2) Modification, Base+0xA30, DPL_USER, Rpl : 2, Type: CallGate32, Core [2]
0x69460405 LDT (IN GDT of Core 2) Modification, Base+0xD50, DPL_INVALID, Rpl : 1, Type: CallGate32, Core [2]
0x84408CCE LDT (IN GDT of Core 2) Modification, Base+0x0F8, DPL_INVALID, Rpl : 2, Type: CallGate32, Core [2]
0x01EB9FBD LDT (IN GDT of Core 2) Modification, Base+0x620, DPL_SYSTEM, Rpl : 1, Type: CallGate32, Core [2]
0xC3410002 LDT (IN GDT of Core 2) Modification, Base+0x948, DPL_INVALID, Rpl : 2, Type: CallGate32, Core [2]
0x69460405 LDT (IN GDT of Core 2) Modification, Base+0xA68, DPL_INVALID, Rpl : 1, Type: CallGate32, Core [2]
0x855CAC5D LDT (IN GDT of Core 2) Modification, Base+0x4D8, DPL_USER, Rpl : 1, Type: CallGate32, Core [2]
0x69460405 LDT (IN GDT of Core 2) Modification, Base+0x558, DPL_INVALID, Rpl : 1, Type: CallGate32, Core [2]
0x85408534 LDT (IN GDT of Core 2) Modification, Base+0x930, DPL_USER, Rpl : 0, Type: CallGate32, Core [2]
0x69460405 LDT (IN GDT of Core 2) Modification, Base+0xAD8, DPL_INVALID, Rpl : 1, Type: CallGate32, Core [2]
0x01E961D3 LDT (IN GDT of Core 2) Modification, Base+0xF38, DPL_SYSTEM, Rpl : 3, Type: CallGate32, Core [2]
0x78460001 LDT (IN GDT of Core 2) Modification, Base+0x3E0, DPL_INVALID, Rpl : 1, Type: CallGate32, Core [2]
0x7AA00000 LDT (IN GDT of Core 2) Modification, Base+0x608, DPL_SYSTEM, Rpl : 0, Type: CallGate32, Core [2]
0x84608CCE LDT (IN GDT of Core 2) Modification, Base+0xFE8, DPL_USER, Rpl : 2, Type: CallGate32, Core [2]
0x45410002 LDT (IN GDT of Core 2) Modification, Base+0x1A8, DPL_USER, Rpl : 2, Type: CallGate32, Core [2]
0x69460405 LDT (IN GDT of Core 2) Modification, Base+0x2C8, DPL_INVALID, Rpl : 1, Type: CallGate32, Core [2]
0x45410424 LDT (IN GDT of Core 2) Modification, Base+0x660, DPL_USER, Rpl : 0, Type: CallGate32, Core [2]
0x85DC0000 LDT (IN GDT of Core 2) Modification, Base+0x9E8, DPL_USER, Rpl : 0, Type: CallGate32, Core [2]
0x69460405 LDT (IN GDT of Core 2) Modification, Base+0xBA8, DPL_INVALID, Rpl : 1, Type: CallGate32, Core [2]
0x69460405 LDT (IN GDT of Core 2) Modification, Base+0xBD0, DPL_INVALID, Rpl : 1, Type: CallGate32, Core [2]
0x850C0000 LDT (IN GDT of Core 2) Modification, Base+0xC10, DPL_SYSTEM, Rpl : 0, Type: CallGate32, Core [2]
0x85D80080 LDT (IN GDT of Core 2) Modification, Base+0xF88, DPL_INVALID, Rpl : 0, Type: CallGate32, Core [2]
0x86E80000 LDT (IN GDT of Core 2) Modification, Base+0xE68, DPL_INVALID, Rpl : 0, Type: CallGate32, Core [2]
0xC3410001 LDT (IN GDT of Core 2) Modification, Base+0xEF0, DPL_INVALID, Rpl : 1, Type: CallGate32, Core [2]
0x86508675 LDT (IN GDT of Core 2) Modification, Base+0x0F0, DPL_INVALID, Rpl : 1, Type: CallGate32, Core [2]
0x86488534 LDT (IN GDT of Core 2) Modification, Base+0x0F8, DPL_INVALID, Rpl : 0, Type: CallGate32, Core [2]
0x86688675 LDT (IN GDT of Core 2) Modification, Base+0x150, DPL_INVALID, Rpl : 1, Type: CallGate32, Core [2]
0x45410002 LDT (IN GDT of Core 2) Modification, Base+0x660, DPL_USER, Rpl : 2, Type: CallGate32, Core [2]
0x85280000 LDT (IN GDT of Core 2) Modification, Base+0xC30, DPL_INVALID, Rpl : 0, Type: CallGate32, Core [2]
0x86A88576 LDT (IN GDT of Core 2) Modification, Base+0x8F0, DPL_INVALID, Rpl : 2, Type: CallGate32, Core [2]
0x85488560 LDT (IN GDT of Core 2) Modification, Base+0x980, DPL_INVALID, Rpl : 0, Type: CallGate32, Core [2]
0x69460405 LDT (IN GDT of Core 2) Modification, Base+0xB88, DPL_INVALID, Rpl : 1, Type: CallGate32, Core [2]
0x69460405 LDT (IN GDT of Core 2) Modification, Base+0x110, DPL_INVALID, Rpl : 1, Type: CallGate32, Core [2]
0x86A8852D LDT (IN GDT of Core 2) Modification, Base+0x320, DPL_INVALID, Rpl : 1, Type: CallGate32, Core [2]
0x01C4D197 LDT (IN GDT of Core 2) Modification, Base+0x6F0, DPL_SYSTEM, Rpl : 3, Type: CallGate32, Core [2]
0x00448534 LDT (IN GDT of Core 2) Modification, Base+0x718, DPL_SYSTEM, Rpl : 0, Type: CallGate32, Core [2]
0x85D80080 LDT (IN GDT of Core 2) Modification, Base+0xA50, DPL_INVALID, Rpl : 0, Type: CallGate32, Core [2]
0x69460405 LDT (IN GDT of Core 2) Modification, Base+0xAD0, DPL_INVALID, Rpl : 1, Type: CallGate32, Core [2]
0x45410002 LDT (IN GDT of Core 2) Modification, Base+0xEE8, DPL_USER, Rpl : 2, Type: CallGate32, Core [2]
0x85E88CCE LDT (IN GDT of Core 2) Modification, Base+0x0F8, DPL_INVALID, Rpl : 2, Type: CallGate32, Core [2]
0xC3410423 LDT (IN GDT of Core 2) Modification, Base+0x118, DPL_INVALID, Rpl : 3, Type: CallGate32, Core [2]
0xC3410423 LDT (IN GDT of Core 2) Modification, Base+0x650, DPL_INVALID, Rpl : 3, Type: CallGate32, Core [2]
0x86A8855D LDT (IN GDT of Core 2) Modification, Base+0x798, DPL_INVALID, Rpl : 1, Type: CallGate32, Core [2]
0x69460405 LDT (IN GDT of Core 2) Modification, Base+0xEC8, DPL_INVALID, Rpl : 1, Type: CallGate32, Core [2]
0xC3410001 LDT (IN GDT of Core 2) Modification, Base+0xEF0, DPL_INVALID, Rpl : 1, Type: CallGate32, Core [2]
0x84C80006 LDT (IN GDT of Core 2) Modification, Base+0xF08, DPL_USER, Rpl : 2, Type: CallGate32, Core [2]
0x69460405 LDT (IN GDT of Core 2) Modification, Base+0x1B0, DPL_INVALID, Rpl : 1, Type: CallGate32, Core [2]
0x45410002 LDT (IN GDT of Core 2) Modification, Base+0x390, DPL_USER, Rpl : 2, Type: CallGate32, Core [2]
0x80423000 WARNING: suspicious driver modification [nvstor.sys::0x85CE2292]
0x09C10000 Hidden Image-->crdb_adoplus.dll [ EPROCESS 0x85619D90 ] PID: 5568, 1036288 bytes
0x03540000 Hidden Image-->CLI.Component.Dashboard.dll [ EPROCESS 0x869598B0 ] PID: 3364, 1060864 bytes
0x04310000 Hidden Image-->CLI.Aspect.DeviceTV2.Graphics.Dashboard.dll [ EPROCESS 0x869598B0 ] PID: 3364, 1085440 bytes
0x04420000 Hidden Image-->CLI.Aspect.DeviceTV.Graphics.Dashboard.dll [ EPROCESS 0x869598B0 ] PID: 3364, 1101824 bytes
0x04790000 Hidden Image-->CLI.Aspect.OverDrive3.Graphics.Dashboard.dll [ EPROCESS 0x869598B0 ] PID: 3364, 1101824 bytes
0x03830000 Hidden Image-->CLI.Aspect.DisplaysOptions.Graphics.Dashboard.dll [ EPROCESS 0x869598B0 ] PID: 3364, 167936 bytes
0x03B00000 Hidden Image-->CLI.Aspect.PowerPlayDPPE.Graphics.Dashboard.dll [ EPROCESS 0x869598B0 ] PID: 3364, 176128 bytes
0x03DA0000 Hidden Image-->CLI.Aspect.PowerPlay3.Graphics.Dashboard.dll [ EPROCESS 0x869598B0 ] PID: 3364, 192512 bytes
0x03750000 Hidden Image-->CLI.Caste.Graphics.Runtime.dll [ EPROCESS 0x86915B28 ] PID: 2268, 233472 bytes
0x03AC0000 Hidden Image-->CLI.Aspect.InfoCentre.Graphics.Dashboard.dll [ EPROCESS 0x869598B0 ] PID: 3364, 233472 bytes
0x00BA0000 Hidden Image-->LOG.Foundation.Shared.dll [ EPROCESS 0x86915B28 ] PID: 2268, 28672 bytes
0x035D0000 Hidden Image-->ATICCCom.dll [ EPROCESS 0x86915B28 ] PID: 2268, 28672 bytes
0x03620000 Hidden Image-->DEM.OS.I0602.dll [ EPROCESS 0x86915B28 ] PID: 2268, 28672 bytes
0x03630000 Hidden Image-->DEM.Foundation.dll [ EPROCESS 0x86915B28 ] PID: 2268, 28672 bytes
0x037C0000 Hidden Image-->DEM.Graphics.dll [ EPROCESS 0x86915B28 ] PID: 2268, 28672 bytes
0x037B0000 Hidden Image-->DEM.OS.dll [ EPROCESS 0x86915B28 ] PID: 2268, 28672 bytes
0x03ED0000 Hidden Image-->CLI.Caste.Graphics.Runtime.Shared.dll [ EPROCESS 0x86915B28 ] PID: 2268, 28672 bytes
0x047A0000 Hidden Image-->CLI.Aspect.HotkeysHandling.Graphics.Shared.dll [ EPROCESS 0x86915B28 ] PID: 2268, 28672 bytes
0x04790000 Hidden Image-->CLI.Aspect.HotkeysHandling.Graphics.Runtime.dll [ EPROCESS 0x86915B28 ] PID: 2268, 28672 bytes
0x047B0000 Hidden Image-->CLI.Aspect.DeviceProperty.Graphics.Shared.dll [ EPROCESS 0x86915B28 ] PID: 2268, 28672 bytes
0x047E0000 Hidden Image-->CLI.Aspect.DeviceProperty2.Graphics.Shared.dll [ EPROCESS 0x86915B28 ] PID: 2268, 28672 bytes
0x04800000 Hidden Image-->CLI.Aspect.DeviceProperty2.Graphics.Runtime.dll [ EPROCESS 0x86915B28 ] PID: 2268, 28672 bytes
0x04880000 Hidden Image-->CLI.Aspect.OverDrive2.Graphics.Shared.dll [ EPROCESS 0x86915B28 ] PID: 2268, 28672 bytes
0x00B60000 Hidden Image-->LOG.Foundation.Shared.dll [ EPROCESS 0x83FDC020 ] PID: 1672, 28672 bytes
0x03560000 Hidden Image-->ATICCCom.dll [ EPROCESS 0x83FDC020 ] PID: 1672, 28672 bytes
0x00AA0000 Hidden Image-->LOG.Foundation.Shared.dll [ EPROCESS 0x869598B0 ] PID: 3364, 28672 bytes
0x013A0000 Hidden Image-->ATICCCom.dll [ EPROCESS 0x869598B0 ] PID: 3364, 28672 bytes
0x01410000 Hidden Image-->CLI.Caste.Graphics.Dashboard.Shared.dll [ EPROCESS 0x869598B0 ] PID: 3364, 28672 bytes
0x03E20000 Hidden Image-->CLI.Aspect.HotkeysHandling.Graphics.Shared.dll [ EPROCESS 0x869598B0 ] PID: 3364, 28672 bytes
0x04170000 Hidden Image-->CLI.Aspect.DeviceProperty.Graphics.Shared.dll [ EPROCESS 0x869598B0 ] PID: 3364, 28672 bytes
0x04A30000 Hidden Image-->CLI.Aspect.DeviceProperty2.Graphics.Shared.dll [ EPROCESS 0x869598B0 ] PID: 3364, 28672 bytes
0x04BD0000 Hidden Image-->CLI.Aspect.OverDrive2.Graphics.Shared.dll [ EPROCESS 0x869598B0 ] PID: 3364, 28672 bytes
0x03C00000 Hidden Image-->ATIDEMGX.dll [ EPROCESS 0x86915B28 ] PID: 2268, 307200 bytes
0x04530000 Hidden Image-->CLI.Aspect.DeviceDFP.Graphics.Dashboard.dll [ EPROCESS 0x869598B0 ] PID: 3364, 323584 bytes
0x04580000 Hidden Image-->CLI.Aspect.DeviceDFP2.Graphics.Dashboard.dll [ EPROCESS 0x869598B0 ] PID: 3364, 331776 bytes
0x045E0000 Hidden Image-->CLI.Aspect.Radeon3D.Graphics.Dashboard.dll [ EPROCESS 0x869598B0 ] PID: 3364, 356352 bytes
0x00B00000 Hidden Image-->CLI.Implementation.dll [ EPROCESS 0x86915B28 ] PID: 2268, 36864 bytes
0x00BC0000 Hidden Image-->CLI.Foundation.XManifestation.dll [ EPROCESS 0x86915B28 ] PID: 2268, 36864 bytes
0x035E0000 Hidden Image-->AEM.Foundation.dll [ EPROCESS 0x86915B28 ] PID: 2268, 36864 bytes
0x03610000 Hidden Image-->ACE.Graphics.DisplaysManager.Shared.dll [ EPROCESS 0x86915B28 ] PID: 2268, 36864 bytes
0x03D70000 Hidden Image-->CLI.Aspect.DisplaysColour2.Graphics.Shared.dll [ EPROCESS 0x86915B28 ] PID: 2268, 36864 bytes
0x03F20000 Hidden Image-->CLI.Aspect.MMVideo.Graphics.Shared.dll [ EPROCESS 0x86915B28 ] PID: 2268, 36864 bytes
0x04190000 Hidden Image-->CLI.Aspect.DeviceLCD.Graphics.Shared.dll [ EPROCESS 0x86915B28 ] PID: 2268, 36864 bytes
0x04180000 Hidden Image-->CLI.Aspect.DeviceLCD.Graphics.Runtime.dll [ EPROCESS 0x86915B28 ] PID: 2268, 36864 bytes
0x041B0000 Hidden Image-->CLI.Aspect.DeviceLCD2.Graphics.Shared.dll [ EPROCESS 0x86915B28 ] PID: 2268, 36864 bytes
0x041A0000 Hidden Image-->CLI.Aspect.DeviceLCD2.Graphics.Runtime.dll [ EPROCESS 0x86915B28 ] PID: 2268, 36864 bytes
0x042F0000 Hidden Image-->CLI.Aspect.CustomFormats.Graphics.Shared.dll [ EPROCESS 0x86915B28 ] PID: 2268, 36864 bytes
0x04700000 Hidden Image-->CLI.Aspect.OverDrive2.Graphics.Runtime.dll [ EPROCESS 0x86915B28 ] PID: 2268, 36864 bytes
0x046F0000 Hidden Image-->CLI.Aspect.OverDrive3.Graphics.Shared.dll [ EPROCESS 0x86915B28 ] PID: 2268, 36864 bytes
0x04720000 Hidden Image-->CLI.Aspect.PowerPlayDPPE.Graphics.Shared.dll [ EPROCESS 0x86915B28 ] PID: 2268, 36864 bytes
0x04750000 Hidden Image-->CLI.Aspect.PowerPlay3.Graphics.Shared.dll [ EPROCESS 0x86915B28 ] PID: 2268, 36864 bytes
0x04990000 Hidden Image-->CLI.Aspect.DisplaysOptions.Graphics.Shared.dll [ EPROCESS 0x86915B28 ] PID: 2268, 36864 bytes
0x04BB0000 Hidden Image-->APM.Foundation.dll [ EPROCESS 0x86915B28 ] PID: 2268, 36864 bytes
0x00A10000 Hidden Image-->CLI.Implementation.dll [ EPROCESS 0x83FDC020 ] PID: 1672, 36864 bytes
0x012F0000 Hidden Image-->CLI.Foundation.XManifestation.dll [ EPROCESS 0x83FDC020 ] PID: 1672, 36864 bytes
0x03680000 Hidden Image-->AEM.Foundation.dll [ EPROCESS 0x83FDC020 ] PID: 1672, 36864 bytes
0x03670000 Hidden Image-->ACE.Graphics.DisplaysManager.Shared.dll [ EPROCESS 0x83FDC020 ] PID: 1672, 36864 bytes
0x036A0000 Hidden Image-->APM.Foundation.dll [ EPROCESS 0x83FDC020 ] PID: 1672, 36864 bytes
0x00A30000 Hidden Image-->CLI.Implementation.dll [ EPROCESS 0x869598B0 ] PID: 3364, 36864 bytes
0x00AB0000 Hidden Image-->CLI.Foundation.XManifestation.dll [ EPROCESS 0x869598B0 ] PID: 3364, 36864 bytes
0x00BE0000 Hidden Image-->CLI.Component.Dashboard.Shared.dll [ EPROCESS 0x869598B0 ] PID: 3364, 36864 bytes
0x013C0000 Hidden Image-->AEM.Foundation.dll [ EPROCESS 0x869598B0 ] PID: 3364, 36864 bytes
0x013D0000 Hidden Image-->ACE.Graphics.DisplaysManager.Shared.dll [ EPROCESS 0x869598B0 ] PID: 3364, 36864 bytes
0x04150000 Hidden Image-->CLI.Aspect.DisplaysOptions.Graphics.Shared.dll [ EPROCESS 0x869598B0 ] PID: 3364, 36864 bytes
0x04A70000 Hidden Image-->CLI.Aspect.DeviceLCD.Graphics.Shared.dll [ EPROCESS 0x869598B0 ] PID: 3364, 36864 bytes
0x04A80000 Hidden Image-->CLI.Aspect.DeviceLCD2.Graphics.Shared.dll [ EPROCESS 0x869598B0 ] PID: 3364, 36864 bytes
0x04AB0000 Hidden Image-->CLI.Aspect.CustomFormats.Graphics.Shared.dll [ EPROCESS 0x869598B0 ] PID: 3364, 36864 bytes
0x04B90000 Hidden Image-->CLI.Aspect.MMVideo.Graphics.Shared.dll [ EPROCESS 0x869598B0 ] PID: 3364, 36864 bytes
0x04B70000 Hidden Image-->CLI.Aspect.DisplaysColour2.Graphics.Shared.dll [ EPROCESS 0x869598B0 ] PID: 3364, 36864 bytes
0x04BB0000 Hidden Image-->CLI.Aspect.PowerPlay3.Graphics.Shared.dll [ EPROCESS 0x869598B0 ] PID: 3364, 36864 bytes
0x04BA0000 Hidden Image-->CLI.Aspect.PowerPlayDPPE.Graphics.Shared.dll [ EPROCESS 0x869598B0 ] PID: 3364, 36864 bytes
0x04BC0000 Hidden Image-->CLI.Aspect.OverDrive3.Graphics.Shared.dll [ EPROCESS 0x869598B0 ] PID: 3364, 36864 bytes

Again, thank you so much!
Nina

#4 gringo_pr (Bleepin Gringo, Malware Response Team)

Posted 28 November 2010 - 02:43 PM

Hello

I would like you to do the following.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run ComboFix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run ComboFix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<.

ComboFix may need to reboot your computer more than once to do its job; this is normal.

You can download ComboFix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Double-click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

  • In your next post I need the following:
  • Log from ComboFix
  • Let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#5 nina98765 (Topic Starter)

Posted 28 November 2010 - 10:07 PM

Hi,
I tried to run ComboFix. It is telling me I have Norton Internet Security running, but I uninstalled it a very long time ago. So I let it run even so. It restarted and brought me to a plain desktop. I started it again, and it looked like it was running, but I left it (because last time I ran it, before I came to this message board, it took a very long time. See the log I attached with my first post). When I came back, my computer was locked (it locks automatically after not being used for 5 minutes), and when I logged in I was back to my regular desktop. So it looks like the ComboFix didn't finish.

I can run it again but just wanted to check with you if that is what I should do. And should I set my computer not to lock after inactivity, while it is running?

Also I keep getting a message that "Host Process from Windows Services stopped working and was closed." (this has been ongoing for as long as I'm having the redirecting problem and the very slow computer.)

Thank you SO SO much for your help.
Nina

#6 gringo_pr (Bleepin Gringo, Malware Response Team)

Posted 28 November 2010 - 10:13 PM

Hello

I can run it again but just wanted to check with you if that is what I should do.
First, let me see the report that is here.

Extra ComboFix report

  • Push the "Windows key" + "R" (between the "Ctrl" button and "Alt" button)
  • Please copy and paste the following into the box:
C:\ComboFix.txt
  • Click OK

Copy and paste the report into this topic for me to review.

Gringo

And should I set my computer not to lock after inactivity, while it is running?
Yes, we need our tools to run unhindered.

Gringo

#7 nina98765 (Topic Starter)

Posted 28 November 2010 - 11:13 PM

I tried to run C:\ComboFix.txt but got a message that Windows could not find it. Seems like it didn't finish last time?

Should I set my computer not to lock/hibernate, and run ComboFix again?

#8 gringo_pr (Bleepin Gringo, Malware Response Team)

Posted 28 November 2010 - 11:19 PM

Yes, please do. Thanks.

#9 nina98765 (Topic Starter)

Posted 29 November 2010 - 09:59 AM

Hi, as always thanks so much for your help.
I ran ComboFix successfully and this is the log:

ComboFix 10-11-28.01 - Matti 11/29/2010 9:31.3.2 - x86
Microsoft® Windows Vista™ Business 6.0.6000.0.1252.1.1033.18.2046.1392 [GMT -5:00]
Running from: c:\users\Matti\Downloads\ComboFix.exe
AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
SP: Microsoft Security Essentials *disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDE}
SP: Norton Internet Security *enabled* (Outdated) {CBB7EE13-8244-4DAB-8B55-D5C7AA91E59A}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\Matti\AppData\Roaming\Adobe\plugs

.
((((((((((((((((((((((((( Files Created from 2010-10-28 to 2010-11-29 )))))))))))))))))))))))))))))))
.

2010-11-29 14:42 . 2010-11-29 14:42 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-11-29 03:36 . 2010-11-29 03:36 647168 ----a-w- c:\users\Matti\AppData\Roaming\Microsoft\VisualStudio\7.1\ProjectAssemblies\lzxkri6y01\C1.Win.C1List.dll
2010-11-29 03:36 . 2010-11-29 03:36 909312 ----a-w- c:\users\Matti\AppData\Roaming\Microsoft\VisualStudio\7.1\ProjectAssemblies\fxgmst3h01\C1.Win.C1TrueDBGrid.dll
2010-11-29 03:36 . 2010-11-29 03:36 86016 ----a-w- c:\users\Matti\AppData\Roaming\Microsoft\VisualStudio\7.1\ProjectAssemblies\lzs6zlzl01\C1.Common.dll
2010-11-29 03:36 . 2010-11-29 03:36 610304 ----a-w- c:\users\Matti\AppData\Roaming\Microsoft\VisualStudio\7.1\ProjectAssemblies\l_uteekn01\C1.Win.C1Input.dll
2010-11-29 03:35 . 2010-11-29 03:35 909312 ----a-w- c:\users\Matti\AppData\Roaming\Microsoft\VisualStudio\7.1\ProjectAssemblies\sxhkmm9p01\C1.Win.C1TrueDBGrid.dll
2010-11-29 03:35 . 2010-11-29 03:35 86016 ----a-w- c:\users\Matti\AppData\Roaming\Microsoft\VisualStudio\7.1\ProjectAssemblies\4gs8yfg301\C1.Common.dll
2010-11-29 03:35 . 2010-11-29 03:35 278528 ----a-w- c:\users\Matti\AppData\Roaming\Microsoft\VisualStudio\7.1\ProjectAssemblies\0hbeipvs01\C1.C1Pdf.dll
2010-11-29 03:35 . 2010-11-29 03:35 647168 ----a-w- c:\users\Matti\AppData\Roaming\Microsoft\VisualStudio\7.1\ProjectAssemblies\4o85oz_i01\C1.Win.C1List.dll
2010-11-29 03:35 . 2010-11-29 03:35 610304 ----a-w- c:\users\Matti\AppData\Roaming\Microsoft\VisualStudio\7.1\ProjectAssemblies\qgyzfsls01\C1.Win.C1Input.dll
2010-11-29 03:28 . 2010-11-29 03:28 909312 ----a-w- c:\users\Matti\AppData\Roaming\Microsoft\VisualStudio\7.1\ProjectAssemblies\uguj7dfv01\C1.Win.C1TrueDBGrid.dll
2010-11-29 03:28 . 2010-11-29 03:28 86016 ----a-w- c:\users\Matti\AppData\Roaming\Microsoft\VisualStudio\7.1\ProjectAssemblies\ushtwpsb01\C1.Common.dll
2010-11-29 03:28 . 2010-11-29 03:28 610304 ----a-w- c:\users\Matti\AppData\Roaming\Microsoft\VisualStudio\7.1\ProjectAssemblies\zlp4sctz01\C1.Win.C1Input.dll
2010-11-28 17:45 . 2010-11-28 17:47 -------- d-----w- c:\program files\7-Zip
2010-11-26 18:39 . 2010-11-10 04:33 6273872 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{CB93DAD1-B9BD-4C91-997A-3123628446F9}\mpengine.dll
2010-11-25 16:18 . 2010-11-25 16:18 -------- d-----w- c:\users\Matti\AppData\Local\DOSBox
2010-11-25 16:18 . 2010-11-25 17:22 -------- d-----w- c:\program files\DOSBox-0.74
2010-11-19 04:30 . 2010-11-10 04:33 6273872 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2010-11-18 13:33 . 2010-11-18 13:35 -------- d-----w- c:\users\Matti\AppData\Roaming\SmartDraw
2010-11-17 18:25 . 2010-11-29 14:42 -------- d-----w- c:\users\Matti\AppData\Local\temp
2010-11-16 04:37 . 2010-11-16 04:37 -------- d-----w- c:\users\Matti\AppData\Roaming\Malwarebytes
2010-11-16 04:37 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-16 04:37 . 2010-11-16 04:37 -------- d-----w- c:\programdata\Malwarebytes
2010-11-16 04:37 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-16 04:37 . 2010-11-16 04:37 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-11-12 14:50 . 2010-11-12 14:50 -------- d-----w- c:\program files\Microsoft Security Essentials
2010-11-10 18:48 . 2010-11-12 14:35 0 ----a-w- c:\users\Matti\AppData\Local\Gxucobelisu.bin
2010-11-07 02:56 . 2010-11-07 02:57 -------- d-----w- C:\cnhsheri
2010-11-04 02:37 . 2010-11-04 02:39 -------- d-----w- C:\cnhsgard
2010-11-03 05:49 . 2010-10-07 23:21 6146896 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{71E854E3-C221-4F2A-945A-510B2672F644}\mpengine.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-07 02:47 . 2010-11-07 02:49 10153228 ----a-w- C:\cnhsheri.zip
2010-11-04 02:18 . 2010-11-03 02:04 9359172 ----a-w- C:\cnhsgard.zip
2010-10-28 02:38 . 2010-10-28 02:43 17528046 ----a-w- C:\1.zip
2010-10-27 02:02 . 2010-10-27 02:03 11019677 ----a-w- C:\2ac.zip
2010-10-19 15:41 . 2010-02-21 04:07 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-10-13 18:04 . 2010-10-13 17:50 678826 ----a-w- C:\pa.zip
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 201728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-07-11 90112]
"SigmatelSysTrayApp"="sttray.exe" [2007-02-08 303104]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-20 118784]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2010-09-24 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-09-15 1094224]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-4-13 45056]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

R2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;c:\program files\Broadcom\ASFIPMon\AsfIpMon.exe [x]
R2 mrtRate;mrtRate; [x]
R3 ICDUSB2;Sony IC Recorder (P);c:\windows\system32\Drivers\ICDUSB2.sys [2002-11-29 39048]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2010-03-26 42368]
R3 Normandy;Normandy SR2; [x]
R4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\SQLADHLP.EXE [2009-03-31 47128]
R4 RsFx0103;RsFx0103 Driver;c:\windows\system32\DRIVERS\RsFx0103.sys [2009-03-30 239336]
R4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [2009-03-30 366936]
S2 MSSQL$SQLSERVER;SQL Server (SQLSERVER);c:\program files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe [2008-02-27 29183504]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60x.sys [2006-11-02 167936]
S3 SCREAMINGBDRIVER;Screaming Bee Audio;c:\windows\system32\drivers\ScreamingBAudio.sys [2009-11-26 34384]
S3 tenCapture;tenCapture;c:\windows\system32\DRIVERS\tenCapture.sys [2007-04-21 9344]
S3 VCSVADHWSer;Avnex Virtual Audio Device (WDM);c:\windows\system32\DRIVERS\vcsvad.sys [2008-12-10 17792]
S3 VST_DPV;VST_DPV;c:\windows\system32\DRIVERS\VSTDPV3.SYS [2006-11-02 987648]
S3 VSTHWBS2;VSTHWBS2;c:\windows\system32\DRIVERS\VSTBS23.SYS [2006-11-02 251904]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder

2010-11-29 c:\windows\Tasks\AutoSmartDefrag.job
- c:\program files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe [2009-08-12 13:22]

2010-11-17 c:\windows\Tasks\SmartDefrag.job
- c:\program files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe [2009-08-12 13:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Matti\AppData\Roaming\Mozilla\Firefox\Profiles\4j8du9ll.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: keyword.URL - hxxp://bing.zugotoolbar.com/s/?iesrc=IE-Address&site=Bing&q=
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava11.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava12.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava13.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava14.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava32.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjpi160.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npoji610.dll
FF - plugin: c:\program files\Microsoft\Web Platform Installer\NPWPIDetector.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\users\Matti\AppData\Roaming\Mozilla\Firefox\Profiles\4j8du9ll.default\extensions\LogMeInClient@logmein.com\plugins\npRACtrl.dll
FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Extension: LogMeIn, Inc. Remote Access Plugin: LogMeInClient@logmein.com - c:\users\Matti\AppData\Roaming\Mozilla\Firefox\Profiles\4j8du9ll.default\extensions\LogMeInClient@logmein.com
FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension

---- FIREFOX POLICIES ----
FF - user.js: browser.cache.memory.capacity - 65536
FF - user.js: browser.chrome.favicons - fales
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autofill - true
FF - user.js: browser.xul.error_pages.enabled - true
FF - user.js: content.interrupt.parsing - true
FF - user.js: content.max.tokenizing.time - 3000000
FF - user.js: content.maxtextrun - 8191
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.notify.interval - 750000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 750000
FF - user.js: network.http.max-connections - 32
FF - user.js: network.http.max-connections-per-server - 8
FF - user.js: network.http.max-persistent-connections-per-proxy - 8
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.firstrequest - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: nglayout.initialpaint.delay - 0
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-29 09:42
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 6.0.6000 Disk: ST380811 rev.3.AD -> Harddisk0\DR0 ->

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN [0x85DDA446]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x85de0504]; MOV EAX, [0x85de0580]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x81C27F3B] -> \Device\Harddisk0\DR0[0x8583D950]
3 nt[0x81CB07E2] -> ntkrnlpa!IofCallDriver[0x81C27F3B] -> [0x84C26978]
5 acpi[0x804D732A] -> ntkrnlpa!IofCallDriver[0x81C27F3B] -> [0x83E679D0]
\Driver\nvstor[0x85DBEB20] -> IRP_MJ_CREATE -> 0x85DDA446
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; MOV CX, 0x4; MOV BP, 0x7be; CMP BYTE [BP+0x0], 0x0; }
detected disk devices:
\Device\00000052 -> \??\SCSI#Disk&Ven_ST380811&Prod_0AS#4&9006ed5&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2010-11-29 09:46:58
ComboFix-quarantined-files.txt 2010-11-29 14:46
ComboFix2.txt 2010-11-17 18:25

Pre-Run: 24,399,417,344 bytes free
Post-Run: 24,385,445,888 bytes free

- - End Of File - - E50D16D942B79E06275F14FA5A01BB22
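As an added triage example for this thread (not ComboFix's code and not part of any post here), a Python script that reads a ComboFix log in the format posted above and pulls out what a responder checks first: prefs.js entries pointing at an unexpected host (the keyword.URL entry above points at zugotoolbar.com), the user.js overrides listed under FIREFOX POLICIES, registry values that disable UAC or Security Center monitoring, and the Gmer MBR verdict. The expected-host list is an assumption, and the embedded log is a constructed excerpt of the one above.

```python
"""Triage helper for a ComboFix log in the format posted above (added example,
not part of ComboFix or of this thread)."""
import re
from urllib.parse import urlsplit

# Constructed excerpt, in the same line formats as the ComboFix log above.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

uStart Page = hxxp://www.google.com
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: keyword.URL - hxxp://bing.zugotoolbar.com/s/?iesrc=IE-Address&site=Bing&q=
FF - user.js: browser.chrome.favicons - fales
FF - user.js: network.http.pipelining - true
FF - user.js: plugin.expose_full_path - true

user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
"""

# Assumption: domains that legitimately own these prefs on a stock Firefox of
# that era. Any other host is a search/homepage hijack until proven otherwise.
EXPECTED_PREF_HOSTS = {
    "keyword.URL": ("google.com", "mozilla.com"),
    "browser.startup.homepage": ("google.com", "mozilla.com"),
}

FF_PREF_RE = re.compile(r"^FF - (prefs\.js|user\.js): (\S+) - (.*)$")
REG_KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
# Numeric values only ("EnableLUA"= 0 (0x0), "X"=dword:00000001); strings skipped.
REG_NUM_RE = re.compile(r'^"([^"]+)"\s*=\s*(?:dword:)?([0-9A-Fa-f]+)')


def host_of(defanged_url):
    """Host of a ComboFix-defanged URL (the log writes hxxp:// for http://)."""
    url = re.sub(r"^hxxp(s?)://", r"http\1://", defanged_url.strip())
    return (urlsplit(url).hostname or "").lower()


def find_hijacked_prefs(log):
    """(pref, host) for prefs.js entries whose host is not an expected one."""
    found = []
    for m in filter(None, map(FF_PREF_RE.match, log.splitlines())):
        src, pref, value = m.groups()
        if src == "prefs.js" and pref in EXPECTED_PREF_HOSTS:
            host = host_of(value)
            if not any(host == d or host.endswith("." + d)
                       for d in EXPECTED_PREF_HOSTS[pref]):
                found.append((pref, host))
    return found


def userjs_overrides(log):
    """Names of user.js entries. Firefox ships no user.js, so each entry was
    written by something else (a tweak pack or an unwanted program)."""
    return [m.group(2) for m in filter(None, map(FF_PREF_RE.match, log.splitlines()))
            if m.group(1) == "user.js"]


def find_weakened_defenses(log):
    """(finding, key) for registry values that disable UAC or Security Center alerts."""
    found, key = [], ""
    for line in log.splitlines():
        km = REG_KEY_RE.match(line)
        if km:
            key = km.group(1).lower()   # remember the key the following values belong to
            continue
        vm = REG_NUM_RE.match(line)
        if not vm:
            continue
        name, value = vm.group(1).lower(), int(vm.group(2), 16)
        if name == "enablelua" and value == 0 and key.endswith("policies\\system"):
            found.append(("UAC disabled", key))
        elif name == "disablemonitoring" and value == 1 and "security center" in key:
            found.append(("Security Center monitoring disabled", key))
    return found


def mbr_verdict(log):
    """The Gmer MBR-scanner warning line, or a note that it raised none."""
    for line in log.splitlines():
        if line.startswith("Warning:"):
            return line.strip()
    return "MBR scan: no warning"


if __name__ == "__main__":
    for check in (find_hijacked_prefs, userjs_overrides, find_weakened_defenses, mbr_verdict):
        print(f"{check.__name__}: {check(SAMPLE_LOG)}")
```

Run against a saved C:\ComboFix.txt by passing its contents to the four functions; the findings are pointers for a human reviewer, not a verdict on the machine.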

#10 gringo_pr (Bleepin Gringo, Malware Response Team)

Posted 29 November 2010 - 12:00 PM

Hello

It looks like the rootkit is still active. I want you to run this tool for me next.

TDSSKiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure; click on Continue.
  • If a suspicious file is detected, the default action will be Skip; click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Gringo

#11 nina98765 (Topic Starter)

Posted 29 November 2010 - 01:24 PM

Hi, I ran the tool, rebooted when asked, and here is the report. Thank you.

2010/11/29 13:16:44.0212 TDSS rootkit removing tool 2.4.10.0 Nov 28 2010 18:35:56
2010/11/29 13:16:44.0212 ================================================================================
2010/11/29 13:16:44.0212 SystemInfo:
2010/11/29 13:16:44.0212
2010/11/29 13:16:44.0212 OS Version: 6.0.6000 ServicePack: 0.0
2010/11/29 13:16:44.0213 Product type: Workstation
2010/11/29 13:16:44.0213 ComputerName: MATTI-PC
2010/11/29 13:16:44.0213 UserName: Matti
2010/11/29 13:16:44.0213 Windows directory: C:\Windows
2010/11/29 13:16:44.0213 System windows directory: C:\Windows
2010/11/29 13:16:44.0214 Processor architecture: Intel x86
2010/11/29 13:16:44.0214 Number of processors: 2
2010/11/29 13:16:44.0214 Page size: 0x1000
2010/11/29 13:16:44.0214 Boot type: Normal boot
2010/11/29 13:16:44.0214 ================================================================================
2010/11/29 13:16:44.0669 Initialize success
2010/11/29 13:16:54.0879 ================================================================================
2010/11/29 13:16:54.0880 Scan started
2010/11/29 13:16:54.0880 Mode: Manual;
2010/11/29 13:16:54.0880 ================================================================================
2010/11/29 13:17:00.0726 FltMgr (a6a8da7ae4d53394ab22ac3ab6d3f5d3) C:\Windows\system32\drivers\fltmgr.sys
2010/11/29 13:17:00.0844 Fs_Rec (66a078591208baa210c7634b11eb392c) C:\Windows\system32\drivers\Fs_Rec.sys
2010/11/29 13:17:00.0903 gagp30kx (4e1cd0a45c50a8882616cae5bf82f3c5) C:\Windows\system32\drivers\gagp30kx.sys
2010/11/29 13:17:00.0993 HdAudAddService (cb04c744be0a61b1d648faed182c3b59) C:\Windows\system32\drivers\HdAudio.sys
2010/11/29 13:17:01.0045 HDAudBus (0db613a7e427b5663563677796fd5258) C:\Windows\system32\DRIVERS\HDAudBus.sys
2010/11/29 13:17:01.0092 HidBth (1338520e78d90154ed6be8f84de5fceb) C:\Windows\system32\drivers\hidbth.sys
2010/11/29 13:17:01.0176 HidIr (ff3160c3a2445128c5a6d9b076da519e) C:\Windows\system32\drivers\hidir.sys
2010/11/29 13:17:01.0247 HidUsb (3c64042b95e583b366ba4e5d2450235e) C:\Windows\system32\DRIVERS\hidusb.sys
2010/11/29 13:17:01.0324 HpCISSs (df353b401001246853763c4b7aaa6f50) C:\Windows\system32\drivers\hpcisss.sys
2010/11/29 13:17:01.0383 HTTP (f31d27ccf514549a17e79bebe01b40b6) C:\Windows\system32\drivers\HTTP.sys
2010/11/29 13:17:01.0448 i2omp (324c2152ff2c61abae92d09f3cca4d63) C:\Windows\system32\drivers\i2omp.sys
2010/11/29 13:17:01.0539 i8042prt (1c9ee072baa3abb460b91d7ee9152660) C:\Windows\system32\DRIVERS\i8042prt.sys
2010/11/29 13:17:01.0610 iaStorV (c957bf4b5d80b46c5017bf0101e6c906) C:\Windows\system32\drivers\iastorv.sys
2010/11/29 13:17:01.0705 ICDUSB2 (60b044a221cf76cc6077b0c3e9136cff) C:\Windows\system32\Drivers\ICDUSB2.sys
2010/11/29 13:17:01.0786 iirsp (2d077bf86e843f901d8db709c95b49a5) C:\Windows\system32\drivers\iirsp.sys
2010/11/29 13:17:01.0879 intelide (1b16626beae3a52e611fc681cd796f86) C:\Windows\system32\drivers\intelide.sys
2010/11/29 13:17:01.0940 intelppm (ce44cc04262f28216dd4341e9e36a16f) C:\Windows\system32\DRIVERS\intelppm.sys
2010/11/29 13:17:02.0013 IpFilterDriver (880c6f86cc3f551b8fea2c11141268c0) C:\Windows\system32\DRIVERS\ipfltdrv.sys
2010/11/29 13:17:02.0162 IPMIDRV (40f34f8aba2a015d780e4b09138b6c17) C:\Windows\system32\drivers\ipmidrv.sys
2010/11/29 13:17:02.0236 IPNAT (10077c35845101548037df04fd1a420b) C:\Windows\system32\DRIVERS\ipnat.sys
2010/11/29 13:17:02.0285 IRENUM (a82f328f4792304184642d6d397bb1e3) C:\Windows\system32\drivers\irenum.sys
2010/11/29 13:17:02.0337 isapnp (2f8ece2699e7e2070545e9b0960a8ed2) C:\Windows\system32\drivers\isapnp.sys
2010/11/29 13:17:02.0396 iScsiPrt (4dca456d4d5723f8fa9c6760d240b0df) C:\Windows\system32\DRIVERS\msiscsi.sys
2010/11/29 13:17:02.0440 iteatapi (bced60d16156e428f8df8cf27b0df150) C:\Windows\system32\drivers\iteatapi.sys
2010/11/29 13:17:02.0494 iteraid (06fa654504a498c30adca8bec4e87e7e) C:\Windows\system32\drivers\iteraid.sys
2010/11/29 13:17:02.0566 kbdclass (b076b2ab806b3f696dab21375389101c) C:\Windows\system32\DRIVERS\kbdclass.sys
2010/11/29 13:17:02.0641 kbdhid (ed61dbc6603f612b7338283edbacbc4b) C:\Windows\system32\DRIVERS\kbdhid.sys
2010/11/29 13:17:02.0727 KSecDD (0a829977b078dea11641fc2af87ceade) C:\Windows\system32\Drivers\ksecdd.sys
2010/11/29 13:17:02.0891 lltdio (fd015b4f95daa2b712f0e372a116fbad) C:\Windows\system32\DRIVERS\lltdio.sys
2010/11/29 13:17:03.0008 LSI_FC (a2262fb9f28935e862b4db46438c80d2) C:\Windows\system32\drivers\lsi_fc.sys
2010/11/29 13:17:03.0072 LSI_SAS (30d73327d390f72a62f32c103daf1d6d) C:\Windows\system32\drivers\lsi_sas.sys
2010/11/29 13:17:03.0168 LSI_SCSI (e1e36fefd45849a95f1ab81de0159fe3) C:\Windows\system32\drivers\lsi_scsi.sys
2010/11/29 13:17:03.0238 luafv (42885bb44b6e065b8575a8dd6c430c52) C:\Windows\system32\drivers\luafv.sys
2010/11/29 13:17:03.0357 megasas (d153b14fc6598eae8422a2037553adce) C:\Windows\system32\drivers\megasas.sys
2010/11/29 13:17:03.0422 Modem (21755967298a46fb6adfec9db6012211) C:\Windows\system32\drivers\modem.sys
2010/11/29 13:17:03.0494 monitor (7446e104a5fe5987ca9e4983fbac4f97) C:\Windows\system32\DRIVERS\monitor.sys
2010/11/29 13:17:03.0549 mouclass (5fba13c1a1841b0885d316ed3589489d) C:\Windows\system32\DRIVERS\mouclass.sys
2010/11/29 13:17:03.0608 mouhid (b569b5c5d3bde545df3a6af512cccdba) C:\Windows\system32\DRIVERS\mouhid.sys
2010/11/29 13:17:03.0667 MountMgr (01f1e5a3e4877c931cbb31613fec16a6) C:\Windows\system32\drivers\mountmgr.sys
2010/11/29 13:17:03.0751 MpFilter (c98301ad8173a2235a9ab828955c32bb) C:\Windows\system32\DRIVERS\MpFilter.sys
2010/11/29 13:17:03.0842 mpio (583a41f26278d9e0ea548163d6139397) C:\Windows\system32\drivers\mpio.sys
2010/11/29 13:17:03.0969 MpNWMon (aeb186afff5d9cfed823c15d846aac3b) C:\Windows\system32\DRIVERS\MpNWMon.sys
2010/11/29 13:17:04.0065 mpsdrv (6e7a7f0c1193ee5648443fe2d4b789ec) C:\Windows\system32\drivers\mpsdrv.sys
2010/11/29 13:17:04.0142 Mraid35x (4fbbb70d30fd20ec51f80061703b001e) C:\Windows\system32\drivers\mraid35x.sys
2010/11/29 13:17:04.0271 MRxDAV (1d8828b98ee309d65e006f0829e280e5) C:\Windows\system32\drivers\mrxdav.sys
2010/11/29 13:17:04.0337 mrxsmb (8af705ce1bb907932157fab821170f27) C:\Windows\system32\DRIVERS\mrxsmb.sys
2010/11/29 13:17:04.0383 mrxsmb10 (47e13ab23371be3279eef22bbfa2c1be) C:\Windows\system32\DRIVERS\mrxsmb10.sys
2010/11/29 13:17:04.0440 mrxsmb20 (90b3fc7bd6b3d7ee7635debba2187f66) C:\Windows\system32\DRIVERS\mrxsmb20.sys
2010/11/29 13:17:04.0510 msahci (0d1c042188ffe61a702a9df5944de5ba) C:\Windows\system32\drivers\msahci.sys
2010/11/29 13:17:04.0576 msdsm (3fc82a2ae4cc149165a94699183d3028) C:\Windows\system32\drivers\msdsm.sys
2010/11/29 13:17:04.0651 Msfs (729eafefd4e7417165f353a18dbe947d) C:\Windows\system32\drivers\Msfs.sys
2010/11/29 13:17:04.0696 msisadrv (207df26dbb2537c20276da0e15892274) C:\Windows\system32\drivers\msisadrv.sys
2010/11/29 13:17:04.0830 MSKSSRV (892cedefa7e0ffe7be8da651b651d047) C:\Windows\system32\drivers\MSKSSRV.sys
2010/11/29 13:17:04.0888 MSPCLOCK (ae2cb1da69b2676b4cee2a501af5871c) C:\Windows\system32\drivers\MSPCLOCK.sys
2010/11/29 13:17:04.0966 MSPQM (f910da84fa90c44a3addb7cd874463fd) C:\Windows\system32\drivers\MSPQM.sys
2010/11/29 13:17:05.0037 MsRPC (84571c0ae07647ba38d493f5f0015df7) C:\Windows\system32\drivers\MsRPC.sys
2010/11/29 13:17:05.0084 mssmbios (7dbaa028f625aa46b95dda4fbe4b602b) C:\Windows\system32\DRIVERS\mssmbios.sys
2010/11/29 13:17:05.0279 MSTEE (c826dd1373f38afd9ca46ec3c436a14e) C:\Windows\system32\drivers\MSTEE.sys
2010/11/29 13:17:05.0327 Mup (fa7aa70050cf5e2d15de00941e5665e5) C:\Windows\system32\Drivers\mup.sys
2010/11/29 13:17:05.0405 NativeWifiP (6da4a0fc7c0e83df0cb3cfd0a514c3bc) C:\Windows\system32\DRIVERS\nwifi.sys
2010/11/29 13:17:05.0477 NDIS (227c11e1e7cf6ef8afb2a238d209760c) C:\Windows\system32\drivers\ndis.sys
2010/11/29 13:17:05.0612 NdisTapi (81659cdcbd0f9a9e07e6878ad8c78d3f) C:\Windows\system32\DRIVERS\ndistapi.sys
2010/11/29 13:17:05.0704 Ndisuio (5de5ee546bf40838ebe0e01cb629df64) C:\Windows\system32\DRIVERS\ndisuio.sys
2010/11/29 13:17:05.0789 NdisWan (397402adcbb8946223a1950101f6cd94) C:\Windows\system32\DRIVERS\ndiswan.sys
2010/11/29 13:17:05.0881 NDProxy (1b24fa907af283199a81b3bb37e5e526) C:\Windows\system32\drivers\NDProxy.sys
2010/11/29 13:17:06.0010 NetBIOS (356dbb9f98e8dc1028dd3092fceeb877) C:\Windows\system32\DRIVERS\netbios.sys
2010/11/29 13:17:06.0083 netbt (e3a168912e7eefc3bd3b814720d68b41) C:\Windows\system32\DRIVERS\netbt.sys
2010/11/29 13:17:06.0207 nfrd960 (2e7fb731d4790a1bc6270accefacb36e) C:\Windows\system32\drivers\nfrd960.sys
2010/11/29 13:17:06.0424 Npfs (4f9832beb9fafd8ceb0e541f1323b26e) C:\Windows\system32\drivers\Npfs.sys
2010/11/29 13:17:06.0497 nsiproxy (b488dfec274de1fc9d653870ef2587be) C:\Windows\system32\drivers\nsiproxy.sys
2010/11/29 13:17:06.0636 Ntfs (37430aa7a66d7a63407adc2c0d05e9f6) C:\Windows\system32\drivers\Ntfs.sys
2010/11/29 13:17:06.0774 ntrigdigi (e875c093aec0c978a90f30c9e0dfbb72) C:\Windows\system32\drivers\ntrigdigi.sys
2010/11/29 13:17:06.0826 Null (ec5efb3c60f1b624648344a328bce596) C:\Windows\system32\drivers\Null.sys
2010/11/29 13:17:06.0854 nvraid (e69e946f80c1c31c53003bfbf50cbb7c) C:\Windows\system32\drivers\nvraid.sys
2010/11/29 13:17:06.0925 nvstor (4a5fcab82d9bf6af8a023a66802fe9e9) C:\Windows\system32\drivers\nvstor.sys
2010/11/29 13:17:07.0005 nv_agp (055081fd5076401c1ee1bcab08d81911) C:\Windows\system32\drivers\nv_agp.sys
2010/11/29 13:17:07.0314 ohci1394 (be32da025a0be1878f0ee8d6d9386cd5) C:\Windows\system32\drivers\ohci1394.sys
2010/11/29 13:17:07.0476 Parport (0fa9b5055484649d63c303fe404e5f4d) C:\Windows\system32\DRIVERS\parport.sys
2010/11/29 13:17:07.0530 partmgr (84be786f33fdbd8765e05df3b7f5b9e6) C:\Windows\system32\drivers\partmgr.sys
2010/11/29 13:17:07.0600 Parvdm (4f9a6a8a31413180d0fcb279ad5d8112) C:\Windows\system32\DRIVERS\parvdm.sys
2010/11/29 13:17:07.0672 pci (bdd96f9cf34d58958aff1be6ef4c8020) C:\Windows\system32\drivers\pci.sys
2010/11/29 13:17:07.0729 pciide (54d23dc5b5072311116826fdb7f6e83e) C:\Windows\system32\drivers\pciide.sys
2010/11/29 13:17:07.0788 pcmcia (e6f3fb1b86aa519e7698ad05e58b04e5) C:\Windows\system32\drivers\pcmcia.sys
2010/11/29 13:17:07.0880 PEAUTH (6349f6ed9c623b44b52ea3c63c831a92) C:\Windows\system32\drivers\peauth.sys
2010/11/29 13:17:08.0191 PptpMiniport (c04dec5ace67c5247b150c4223970bb7) C:\Windows\system32\DRIVERS\raspptp.sys
2010/11/29 13:17:08.0250 Processor (0e3cef5d28b40cf273281d620c50700a) C:\Windows\system32\drivers\processr.sys
2010/11/29 13:17:08.0399 PSched (2c8bae55247c4e09352e870292e4d1ab) C:\Windows\system32\DRIVERS\pacer.sys
2010/11/29 13:17:08.0502 ql2300 (ccdac889326317792480c0a67156a1ec) C:\Windows\system32\drivers\ql2300.sys
2010/11/29 13:17:08.0605 ql40xx (81a7e5c076e59995d54bc1ed3a16e60b) C:\Windows\system32\drivers\ql40xx.sys
2010/11/29 13:17:08.0704 QWAVEdrv (d2b3e2b7426dc23e185fbc73c8936c12) C:\Windows\system32\drivers\qwavedrv.sys
2010/11/29 13:17:08.0843 R300 (8766b8f65459c37e20d525645e30e466) C:\Windows\system32\DRIVERS\atikmdag.sys
2010/11/29 13:17:08.0983 RasAcd (bd7b30f55b3649506dd8b3d38f571d2a) C:\Windows\system32\DRIVERS\rasacd.sys
2010/11/29 13:17:09.0080 Rasl2tp (68b0019fee429ec49d29017af937e482) C:\Windows\system32\DRIVERS\rasl2tp.sys
2010/11/29 13:17:09.0178 RasPppoe (ccf4e9c6cbbac81437f88cb2ae0b6c96) C:\Windows\system32\DRIVERS\raspppoe.sys
2010/11/29 13:17:09.0225 rdbss (54129c5d9581bbec8bd1ebd3ba813f47) C:\Windows\system32\DRIVERS\rdbss.sys
2010/11/29 13:17:09.0361 RDPCDD (794585276b5d7fca9f3fc15543f9f0b9) C:\Windows\system32\DRIVERS\RDPCDD.sys
2010/11/29 13:17:09.0432 rdpdr (0245418224cfa77bf4b41c2fe0622258) C:\Windows\system32\DRIVERS\rdpdr.sys
2010/11/29 13:17:09.0520 RDPENCDD (980b56e2e273e19d3a9d72d5c420f008) C:\Windows\system32\drivers\rdpencdd.sys
2010/11/29 13:17:09.0607 RDPWD (8830e790a74a96605faba74f9665bb3c) C:\Windows\system32\drivers\RDPWD.sys
2010/11/29 13:17:09.0798 RsFx0103 (fd692c6ffade58f7c4c3c3c9a0ec35bd) C:\Windows\system32\DRIVERS\RsFx0103.sys
2010/11/29 13:17:09.0888 rspndr (97e939d2128fec5d5a3e6e79b290a2f4) C:\Windows\system32\DRIVERS\rspndr.sys
2010/11/29 13:17:09.0982 sbp2port (3ce8f073a557e172b330109436984e30) C:\Windows\system32\drivers\sbp2port.sys
2010/11/29 13:17:10.0149 SCREAMINGBDRIVER (a643d6df1b7546256b11fb5d6b5d1375) C:\Windows\system32\drivers\ScreamingBAudio.sys
2010/11/29 13:17:10.0234 secdrv (90a3935d05b494a5a39d37e71f09a677) C:\Windows\system32\drivers\secdrv.sys
2010/11/29 13:17:10.0350 Serenum (68e44e331d46f0fb38f0863a84cd1a31) C:\Windows\system32\DRIVERS\serenum.sys
2010/11/29 13:17:10.0407 Serial (c70d69a918b178d3c3b06339b40c2e1b) C:\Windows\system32\DRIVERS\serial.sys
2010/11/29 13:17:10.0452 sermouse (450accd77ec5cea720c1cdb9e26b953b) C:\Windows\system32\drivers\sermouse.sys
2010/11/29 13:17:10.0573 sffdisk (103b79418da647736ee95645f305f68a) C:\Windows\system32\drivers\sffdisk.sys
2010/11/29 13:17:10.0634 sffp_mmc (8fd08a310645fe872eeec6e08c6bf3ee) C:\Windows\system32\drivers\sffp_mmc.sys
2010/11/29 13:17:10.0683 sffp_sd (9cfa05fcfcb7124e69cfc812b72f9614) C:\Windows\system32\drivers\sffp_sd.sys
2010/11/29 13:17:10.0728 sfloppy (46ed8e91793b2e6f848015445a0ac188) C:\Windows\system32\drivers\sfloppy.sys
2010/11/29 13:17:10.0843 sisagp (08072b2fb92477fc813271a84b3a8698) C:\Windows\system32\drivers\sisagp.sys
2010/11/29 13:17:10.0901 SiSRaid2 (cedd6f4e7d84e9f98b34b3fe988373aa) C:\Windows\system32\drivers\sisraid2.sys
2010/11/29 13:17:10.0975 SiSRaid4 (df843c528c4f69d12ce41ce462e973a7) C:\Windows\system32\drivers\sisraid4.sys
2010/11/29 13:17:11.0071 Smb (ac0d90738adb51a6fd12ff00874a2162) C:\Windows\system32\DRIVERS\smb.sys
2010/11/29 13:17:11.0174 spldr (426f9b029aa9162ceccf65369457d046) C:\Windows\system32\drivers\spldr.sys
2010/11/29 13:17:11.0358 srv (038579c35f7cad4a4bbf735dbf83277d) C:\Windows\system32\DRIVERS\srv.sys
2010/11/29 13:17:11.0443 srv2 (e8c4d5bca3c7b5c2a040052aa467b5bf) C:\Windows\system32\DRIVERS\srv2.sys
2010/11/29 13:17:11.0533 srvnet (9e1a4603b874eebce0298113951abefb) C:\Windows\system32\DRIVERS\srvnet.sys
2010/11/29 13:17:11.0662 STHDA (9cea131b5eb0ea653f6b3ea80b54956d) C:\Windows\system32\drivers\stwrt.sys
2010/11/29 13:17:11.0794 swenum (3b80b4383c9bce13279c8482734b32b2) C:\Windows\system32\DRIVERS\swenum.sys
2010/11/29 13:17:11.0860 Symc8xx (192aa3ac01df071b541094f251deed10) C:\Windows\system32\drivers\symc8xx.sys
2010/11/29 13:17:11.0951 Sym_hi (8c8eb8c76736ebaf3b13b633b2e64125) C:\Windows\system32\drivers\sym_hi.sys
2010/11/29 13:17:11.0993 Sym_u3 (8072af52b5fd103bbba387a1e49f62cb) C:\Windows\system32\drivers\sym_u3.sys
2010/11/29 13:17:12.0142 Tcpip (4a82fa8f0df67aa354580c3faaf8bde3) C:\Windows\system32\drivers\tcpip.sys
2010/11/29 13:17:12.0259 Tcpip6 (4a82fa8f0df67aa354580c3faaf8bde3) C:\Windows\system32\DRIVERS\tcpip.sys
2010/11/29 13:17:12.0360 tcpipreg (5ce0c4a7b12d0067dad527d72b68c726) C:\Windows\system32\drivers\tcpipreg.sys
2010/11/29 13:17:12.0402 TDPIPE (964248aef49c31fa6a93201a73ffaf50) C:\Windows\system32\drivers\tdpipe.sys
2010/11/29 13:17:12.0459 TDTCP (7d2c1ae1648a60fce4aa0f7982e419d3) C:\Windows\system32\drivers\tdtcp.sys
2010/11/29 13:17:12.0507 tdx (ab4fde8af4a0270a46a001c08cbce1c2) C:\Windows\system32\DRIVERS\tdx.sys
2010/11/29 13:17:12.0590 tenCapture (4333a34011814af753004419f42797aa) C:\Windows\system32\DRIVERS\tenCapture.sys
2010/11/29 13:17:12.0682 TermDD (849ed71967d45f15c3e0abfc633fdf2a) C:\Windows\system32\DRIVERS\termdd.sys
2010/11/29 13:17:12.0826 tssecsrv (29f0eca726f0d51f7e048bdb0b372f29) C:\Windows\system32\DRIVERS\tssecsrv.sys
2010/11/29 13:17:12.0901 tunmp (65e953bc0084d44498b51f59784d2a82) C:\Windows\system32\DRIVERS\tunmp.sys
2010/11/29 13:17:12.0942 tunnel (4a39bda5e0fd30bdf4884f9d33ae6105) C:\Windows\system32\DRIVERS\tunnel.sys
2010/11/29 13:17:13.0036 uagp35 (c3ade15414120033a36c0f293d4a4121) C:\Windows\system32\drivers\uagp35.sys
2010/11/29 13:17:13.0088 udfs (6348da98707ceda8a0dfb05820e17732) C:\Windows\system32\DRIVERS\udfs.sys
2010/11/29 13:17:13.0205 uliagpkx (6d72ef05921abdf59fc45c7ebfe7e8dd) C:\Windows\system32\drivers\uliagpkx.sys
2010/11/29 13:17:13.0269 uliahci (3cd4ea35a6221b85dcc25daa46313f8d) C:\Windows\system32\drivers\uliahci.sys
2010/11/29 13:17:13.0330 UlSata (8514d0e5cd0534467c5fc61be94a569f) C:\Windows\system32\drivers\ulsata.sys
2010/11/29 13:17:13.0420 ulsata2 (38c3c6e62b157a6bc46594fada45c62b) C:\Windows\system32\drivers\ulsata2.sys
2010/11/29 13:17:13.0480 umbus (3fb78f1d1dd86d87bececd9dffa24dd9) C:\Windows\system32\DRIVERS\umbus.sys
2010/11/29 13:17:13.0597 usbccgp (8bd3ae150d97ba4e633c6c5c51b41ae1) C:\Windows\system32\DRIVERS\usbccgp.sys
2010/11/29 13:17:13.0673 usbcir (e9476e6c486e76bc4898074768fb7131) C:\Windows\system32\drivers\usbcir.sys
2010/11/29 13:17:13.0757 usbehci (15be5995d255f4067be57831d7a019e0) C:\Windows\system32\DRIVERS\usbehci.sys
2010/11/29 13:17:13.0851 usbhub (3af9f47f37b44ca50de50732c6a52c38) C:\Windows\system32\DRIVERS\usbhub.sys
2010/11/29 13:17:13.0902 usbohci (6ca4bc03835c0658ba0d5235e147939d) C:\Windows\system32\DRIVERS\usbohci.sys
2010/11/29 13:17:13.0983 usbprint (b51e52acf758be00ef3a58ea452fe360) C:\Windows\system32\DRIVERS\usbprint.sys
2010/11/29 13:17:14.0055 USBSTOR (7887ce56934e7f104e98c975f47353c5) C:\Windows\system32\DRIVERS\USBSTOR.SYS
2010/11/29 13:17:14.0104 usbuhci (325dbbacb8a36af9988ccf40eac228cc) C:\Windows\system32\DRIVERS\usbuhci.sys
2010/11/29 13:17:14.0209 VCSVADHWSer (b2abab4ca46bad182e27763dc19c780f) C:\Windows\system32\DRIVERS\vcsvad.sys
2010/11/29 13:17:14.0300 vga (7d92be0028ecdedec74617009084b5ef) C:\Windows\system32\DRIVERS\vgapnp.sys
2010/11/29 13:17:14.0381 VgaSave (17a8f877314e4067f8c8172cc6d9101c) C:\Windows\System32\drivers\vga.sys
2010/11/29 13:17:14.0435 viaagp (d5929a28bdff4367a12caf06af901971) C:\Windows\system32\drivers\viaagp.sys
2010/11/29 13:17:14.0505 ViaC7 (56a4de5f02f2e88182b0981119b4dd98) C:\Windows\system32\drivers\viac7.sys
2010/11/29 13:17:14.0564 viaide (c0ace9d0f5a5ee0b00f58345947a57fc) C:\Windows\system32\drivers\viaide.sys
2010/11/29 13:17:14.0629 volmgr (fd16fac15f9f165ac19a618e7b391f5c) C:\Windows\system32\drivers\volmgr.sys
2010/11/29 13:17:14.0680 volmgrx (294da8d3f965f6a8db934a83c7b461ff) C:\Windows\system32\drivers\volmgrx.sys
2010/11/29 13:17:14.0800 volsnap (80dc0c9bcb579ed9815001a4d37cbfd5) C:\Windows\system32\drivers\volsnap.sys
2010/11/29 13:17:14.0873 vsmraid (d984439746d42b30fc65a4c3546c6829) C:\Windows\system32\drivers\vsmraid.sys
2010/11/29 13:17:15.0002 VSTHWBS2 (c466021d31ff6c0a6069d12299d80c0b) C:\Windows\system32\DRIVERS\VSTBS23.SYS
2010/11/29 13:17:15.0085 VST_DPV (ec36f1d542ed4252390d446bf6d4dfd0) C:\Windows\system32\DRIVERS\VSTDPV3.SYS
2010/11/29 13:17:15.0281 WacomPen (48dfee8f1af7c8235d4e626f0c4fe031) C:\Windows\system32\drivers\wacompen.sys
2010/11/29 13:17:15.0339 Wanarp (6798c1209a53b5a0ded8d437c45145ff) C:\Windows\system32\DRIVERS\wanarp.sys
2010/11/29 13:17:15.0381 Wanarpv6 (6798c1209a53b5a0ded8d437c45145ff) C:\Windows\system32\DRIVERS\wanarp.sys
2010/11/29 13:17:15.0547 Wd (afc5ad65b991c1e205cf25cfdbf7a6f4) C:\Windows\system32\drivers\wd.sys
2010/11/29 13:17:15.0625 Wdf01000 (7b5f66e4a2219c7d9daf9e738480e534) C:\Windows\system32\drivers\Wdf01000.sys
2010/11/29 13:17:15.0794 winachsf (5c7bdcf5864db00323fe2d90fa26a8a2) C:\Windows\system32\DRIVERS\VSTCNXT3.SYS
2010/11/29 13:17:16.0111 WmiAcpi (701a9f884a294327e9141d73746ee279) C:\Windows\system32\drivers\wmiacpi.sys
2010/11/29 13:17:16.0255 WpdUsb (2d27171b16a577ef14c1273668753485) C:\Windows\system32\DRIVERS\wpdusb.sys
2010/11/29 13:17:16.0326 ws2ifsl (84620aecdcfd2a7a14e6263927d8c0ed) C:\Windows\system32\drivers\ws2ifsl.sys
2010/11/29 13:17:16.0503 WUDFRd (a2aafcc8a204736296d937c7c545b53f) C:\Windows\system32\DRIVERS\WUDFRd.sys
2010/11/29 13:17:16.0595 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2010/11/29 13:17:16.0606 ================================================================================
2010/11/29 13:17:16.0606 Scan finished
2010/11/29 13:17:16.0606 ================================================================================
2010/11/29 13:17:16.0638 Detected object count: 1
2010/11/29 13:17:23.0741 \HardDisk0 - will be cured after reboot
2010/11/29 13:17:23.0777 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Cure
2010/11/29 13:18:20.0617 Deinitialize success
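A small parser for TDSSKiller scan output in the layout of the log above, added here as an example (it is not part of this thread and not TDSSKiller's or BleepingComputer's code). It reads constructed sample lines with placeholder hashes, pulls out the driver table, the detection lines and the action the user chose, checks the tool's own "Detected object count" against what was parsed, and lists drivers loaded from outside the Windows directory for a second look.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample in the layout TDSSKiller uses: one "<timestamp> <name> (<md5>) <path>"
# line per loaded driver, then the detection, count and action lines written at the
# end of the scan. The MD5 values are placeholders, not real file hashes.
SAMPLE_LOG = "\n".join([
    r"2010/11/29 13:16:57.0177 atapi (00000000000000000000000000000001) C:\Windows\system32\drivers\atapi.sys",
    r"2010/11/29 13:17:00.0064 eeCtrl (00000000000000000000000000000002) C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys",
    r"2010/11/29 13:17:12.0142 Tcpip (00000000000000000000000000000003) C:\Windows\system32\drivers\tcpip.sys",
    r"2010/11/29 13:17:16.0595 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)",
    r"2010/11/29 13:17:16.0606 ================================================================================",
    r"2010/11/29 13:17:16.0606 Scan finished",
    r"2010/11/29 13:17:16.0638 Detected object count: 1",
    r"2010/11/29 13:17:23.0741 \HardDisk0 - will be cured after reboot",
    r"2010/11/29 13:17:23.0777 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Cure",
    r"2010/11/29 13:18:20.0617 Deinitialize success",
])

TS = r"(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+)"
DRIVER_RE = re.compile(TS + r" (?P<name>\S+) \((?P<md5>[0-9a-fA-F]{32})\) (?P<path>.+)$")
DETECT_RE = re.compile(TS + r" (?P<obj>\S+) - detected (?P<threat>\S+) \(\d+\)$")
ACTION_RE = re.compile(TS + r" (?P<threat>[^(\s]+)\((?P<obj>[^)]+)\) - User select action: (?P<action>\S+)$")
COUNT_RE = re.compile(TS + r" Detected object count: (?P<n>\d+)$")


@dataclass
class Driver:
    name: str
    md5: str
    path: str


@dataclass
class Detection:
    obj: str                      # object the hit was reported against (a file, or a disk such as \HardDisk0)
    threat: str                   # TDSSKiller's verdict name
    action: Optional[str] = None  # what the user chose (Cure, Skip, ...), None if no action line was seen


@dataclass
class ScanReport:
    drivers: List[Driver] = field(default_factory=list)
    detections: List[Detection] = field(default_factory=list)
    reported_count: Optional[int] = None

    def count_matches(self) -> bool:
        """True when the tool's own 'Detected object count' equals the detection lines parsed."""
        return self.reported_count == len(self.detections)


def parse_tdsskiller_log(text: str) -> ScanReport:
    report = ScanReport()
    by_obj = {}  # object name -> Detection, so the later action line can be attached to its hit
    for raw in text.splitlines():
        line = raw.rstrip()
        if m := DRIVER_RE.match(line):
            report.drivers.append(Driver(m["name"], m["md5"].lower(), m["path"]))
        elif m := DETECT_RE.match(line):
            det = Detection(m["obj"], m["threat"])
            by_obj[m["obj"]] = det
            report.detections.append(det)
        elif m := ACTION_RE.match(line):
            det = by_obj.get(m["obj"])
            if det is None:  # action without a matching detection line: keep it rather than drop it
                det = Detection(m["obj"], m["threat"])
                by_obj[m["obj"]] = det
                report.detections.append(det)
            det.action = m["action"]
        elif m := COUNT_RE.match(line):
            report.reported_count = int(m["n"])
    return report


WINDOWS_PREFIX = "c:\\windows\\"


def drivers_outside_windows(report: ScanReport) -> List[Driver]:
    """Drivers loaded from outside the Windows directory. Often legitimate third-party
    software (the Symantec engine driver in the sample), but they are the ones to review."""
    return [d for d in report.drivers if not d.path.lower().startswith(WINDOWS_PREFIX)]


def unresolved_detections(report: ScanReport) -> List[Detection]:
    """Detections the user did not choose to cure; these still need follow-up."""
    return [d for d in report.detections if d.action != "Cure"]


def disk_level_detections(report: ScanReport) -> List[Detection]:
    """Hits reported against a disk object rather than a file. TDL4 sits in the boot
    sector, which is why the tool says it will be cured only after a reboot."""
    return [d for d in report.detections if d.obj.lower().startswith("\\harddisk")]


if __name__ == "__main__":
    rep = parse_tdsskiller_log(SAMPLE_LOG)
    print(f"{len(rep.drivers)} drivers, {len(rep.detections)} detection(s), "
          f"count consistent: {rep.count_matches()}")
    for d in rep.detections:
        print(f"  {d.threat} on {d.obj}: action={d.action}")
    for drv in drivers_outside_windows(rep):
        print(f"  review: {drv.name} -> {drv.path}")
```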

#12 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:06:23 PM

Posted 29 November 2010 - 02:46 PM

Hello

Do you know what these are?
cnhsheri.zip
cnhsgard.zip
1.zip
2ac.zip
pa.zip


:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

File::
c:\users\Matti\AppData\Local\Gxucobelisu.bin


Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
Posted Image
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#13 nina98765

nina98765
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:05:23 PM

Posted 01 December 2010 - 09:43 AM

Hi,
All the .zip files that you mentioned are fine. I created them.
I did not follow any of the instructions in your most recent post yet. My computer has been behaving beautifully for the last 2 days. I am not getting the Firefox opening tabs problem, I am not getting the Host Services shutting down problem, and the speed is normal. I waited to reply to see if the problems would come up, but they have not.
Do you still think I should take further steps, or should I just leave things as they are?
Thank you!

#14 gringo_pr

gringo_pr


Posted 01 December 2010 - 12:27 PM

Hello

Yes, the main infection has been removed and now it is time to sweep up and lock the doors.
Please follow my instructions until I give the all clean.


Gringo

#15 nina98765

nina98765

Posted 02 December 2010 - 12:52 AM

Hi, I followed the instructions and ran ComboFix. Here is the log. Thank you so much, everything seems to be fine.

ComboFix 10-12-01.01 - Matti 12/02/2010 0:35.4.2 - x86
Microsoft® Windows Vista™ Business 6.0.6000.0.1252.1.1033.18.2046.965 [GMT -5:00]
Running from: c:\users\Matti\Downloads\ComboFix.exe
Command switches used :: c:\users\Matti\Desktop\CFScript.txt
AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
SP: Microsoft Security Essentials *disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDE}
SP: Norton Internet Security *enabled* (Outdated) {CBB7EE13-8244-4DAB-8B55-D5C7AA91E59A}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

FILE ::
"c:\users\Matti\AppData\Local\Gxucobelisu.bin"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\Matti\AppData\Local\Gxucobelisu.bin

.
((((((((((((((((((((((((( Files Created from 2010-11-02 to 2010-12-02 )))))))))))))))))))))))))))))))
.

2010-12-02 05:46 . 2010-12-02 05:46 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-12-02 03:28 . 2010-12-02 03:28 909312 ----a-w- c:\users\Matti\AppData\Roaming\Microsoft\VisualStudio\7.1\ProjectAssemblies\6mvstmng01\C1.Win.C1TrueDBGrid.dll
2010-12-02 03:28 . 2010-12-02 03:28 86016 ----a-w- c:\users\Matti\AppData\Roaming\Microsoft\VisualStudio\7.1\ProjectAssemblies\c305qeg901\C1.Common.dll
2010-12-02 03:28 . 2010-12-02 03:28 610304 ----a-w- c:\users\Matti\AppData\Roaming\Microsoft\VisualStudio\7.1\ProjectAssemblies\7tqoxzfn01\C1.Win.C1Input.dll
2010-12-02 03:13 . 2010-12-02 03:15 -------- d-----w- C:\elm
2010-12-01 19:24 . 2010-12-01 19:24 10969088 ----a-w- c:\users\Matti\AppData\Roaming\Microsoft\VisualStudio\7.1\ProjectAssemblies\lpibhuoe01\Receivables.dll
2010-12-01 18:23 . 2010-12-01 18:23 10964992 ----a-w- c:\users\Matti\AppData\Roaming\Microsoft\VisualStudio\7.1\ProjectAssemblies\ryp_hhxu01\Receivables.dll
2010-12-01 18:23 . 2010-12-01 18:23 10964992 ----a-w- c:\users\Matti\AppData\Roaming\Microsoft\VisualStudio\7.1\ProjectAssemblies\qmwnnvy801\Receivables.dll
2010-12-01 18:16 . 2010-12-01 18:16 10960896 ----a-w- c:\users\Matti\AppData\Roaming\Microsoft\VisualStudio\7.1\ProjectAssemblies\8vpqoeay01\Receivables.dll
2010-12-01 18:15 . 2010-12-01 18:15 10960896 ----a-w- c:\users\Matti\AppData\Roaming\Microsoft\VisualStudio\7.1\ProjectAssemblies\-grglbzl01\Receivables.dll
2010-12-01 18:10 . 2010-12-01 18:10 10960896 ----a-w- c:\users\Matti\AppData\Roaming\Microsoft\VisualStudio\7.1\ProjectAssemblies\kavuru4p01\Receivables.dll
2010-12-01 18:08 . 2010-12-01 18:08 10960896 ----a-w- c:\users\Matti\AppData\Roaming\Microsoft\VisualStudio\7.1\ProjectAssemblies\wjb9pkmj01\Receivables.dll
2010-12-01 16:49 . 2010-12-01 16:49 647168 ----a-w- c:\users\Matti\AppData\Roaming\Microsoft\VisualStudio\7.1\ProjectAssemblies\55aqupop01\C1.Win.C1List.dll
2010-12-01 16:49 . 2010-12-01 16:49 610304 ----a-w- c:\users\Matti\AppData\Roaming\Microsoft\VisualStudio\7.1\ProjectAssemblies\n2aosl5g01\C1.Win.C1Input.dll
2010-12-01 16:49 . 2010-12-01 16:49 909312 ----a-w- c:\users\Matti\AppData\Roaming\Microsoft\VisualStudio\7.1\ProjectAssemblies\nubsjrzz01\C1.Win.C1TrueDBGrid.dll
2010-12-01 16:49 . 2010-12-01 16:49 86016 ----a-w- c:\users\Matti\AppData\Roaming\Microsoft\VisualStudio\7.1\ProjectAssemblies\ydjyyptd01\C1.Common.dll
2010-12-01 03:20 . 2010-12-01 03:20 647168 ----a-w- c:\users\Matti\AppData\Roaming\Microsoft\VisualStudio\7.1\ProjectAssemblies\9qunyt1k01\C1.Win.C1List.dll
2010-12-01 03:20 . 2010-12-01 03:20 909312 ----a-w- c:\users\Matti\AppData\Roaming\Microsoft\VisualStudio\7.1\ProjectAssemblies\xsgwsup501\C1.Win.C1TrueDBGrid.dll
2010-12-01 03:20 . 2010-12-01 03:20 86016 ----a-w- c:\users\Matti\AppData\Roaming\Microsoft\VisualStudio\7.1\ProjectAssemblies\a43bobw301\C1.Common.dll
2010-12-01 03:20 . 2010-12-01 03:20 610304 ----a-w- c:\users\Matti\AppData\Roaming\Microsoft\VisualStudio\7.1\ProjectAssemblies\hxnkikps01\C1.Win.C1Input.dll
2010-12-01 03:10 . 2010-12-01 03:10 86016 ----a-w- c:\users\Matti\AppData\Roaming\Microsoft\VisualStudio\7.1\ProjectAssemblies\8xnekp2j01\C1.Common.dll
2010-12-01 03:10 . 2010-12-01 03:10 909312 ----a-w- c:\users\Matti\AppData\Roaming\Microsoft\VisualStudio\7.1\ProjectAssemblies\ydqdzzuq01\C1.Win.C1TrueDBGrid.dll
2010-12-01 03:10 . 2010-12-01 03:10 909312 ----a-w- c:\users\Matti\AppData\Roaming\Microsoft\VisualStudio\7.1\ProjectAssemblies\s2hx6yzq01\C1.Win.C1TrueDBGrid.dll
2010-12-01 03:10 . 2010-12-01 03:10 647168 ----a-w- c:\users\Matti\AppData\Roaming\Microsoft\VisualStudio\7.1\ProjectAssemblies\rln4kaqs01\C1.Win.C1List.dll
2010-12-01 03:10 . 2010-12-01 03:10 278528 ----a-w- c:\users\Matti\AppData\Roaming\Microsoft\VisualStudio\7.1\ProjectAssemblies\av6qr2qe01\C1.C1Pdf.dll
2010-12-01 03:09 . 2010-12-01 03:09 86016 ----a-w- c:\users\Matti\AppData\Roaming\Microsoft\VisualStudio\7.1\ProjectAssemblies\lgxeonte01\C1.Common.dll
2010-12-01 03:09 . 2010-12-01 03:09 610304 ----a-w- c:\users\Matti\AppData\Roaming\Microsoft\VisualStudio\7.1\ProjectAssemblies\e_gcrxvg01\C1.Win.C1Input.dll
2010-11-30 19:29 . 2010-12-01 01:09 -------- d-----w- C:\Jeff
2010-11-30 18:37 . 2010-11-10 04:33 6273872 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{90CE2511-F3FC-4846-9F0F-0BDE960896CF}\mpengine.dll
2010-11-28 17:45 . 2010-11-28 17:47 -------- d-----w- c:\program files\7-Zip
2010-11-25 16:18 . 2010-11-25 16:18 -------- d-----w- c:\users\Matti\AppData\Local\DOSBox
2010-11-25 16:18 . 2010-11-25 17:22 -------- d-----w- c:\program files\DOSBox-0.74
2010-11-19 04:30 . 2010-11-10 04:33 6273872 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2010-11-18 13:33 . 2010-11-18 13:35 -------- d-----w- c:\users\Matti\AppData\Roaming\SmartDraw
2010-11-17 18:25 . 2010-12-02 05:47 -------- d-----w- c:\users\Matti\AppData\Local\temp
2010-11-16 04:37 . 2010-11-16 04:37 -------- d-----w- c:\users\Matti\AppData\Roaming\Malwarebytes
2010-11-16 04:37 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-16 04:37 . 2010-11-16 04:37 -------- d-----w- c:\programdata\Malwarebytes
2010-11-16 04:37 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-16 04:37 . 2010-11-16 04:37 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-11-12 14:50 . 2010-11-12 14:50 -------- d-----w- c:\program files\Microsoft Security Essentials
2010-11-07 02:56 . 2010-11-07 02:57 -------- d-----w- C:\cnhsheri
2010-11-04 02:37 . 2010-11-04 02:39 -------- d-----w- C:\cnhsgard
2010-11-03 05:49 . 2010-10-07 23:21 6146896 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{71E854E3-C221-4F2A-945A-510B2672F644}\mpengine.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-12-02 03:07 . 2010-12-02 03:09 6582861 ----a-w- C:\elm.zip
2010-11-07 02:47 . 2010-11-07 02:49 10153228 ----a-w- C:\cnhsheri.zip
2010-11-04 02:18 . 2010-11-03 02:04 9359172 ----a-w- C:\cnhsgard.zip
2010-10-28 02:38 . 2010-10-28 02:43 17528046 ----a-w- C:\1.zip
2010-10-27 02:02 . 2010-10-27 02:03 11019677 ----a-w- C:\2ac.zip
2010-10-19 20:51 . 2010-02-21 04:07 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-10-13 18:04 . 2010-10-13 17:50 678826 ----a-w- C:\pa.zip
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 201728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-07-11 90112]
"SigmatelSysTrayApp"="sttray.exe" [2007-02-08 303104]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-20 118784]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2010-09-24 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-09-15 1094224]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-4-13 45056]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

R2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;c:\program files\Broadcom\ASFIPMon\AsfIpMon.exe [x]
R2 mrtRate;mrtRate; [x]
R3 ICDUSB2;Sony IC Recorder (P);c:\windows\system32\Drivers\ICDUSB2.sys [2002-11-29 39048]
R3 Normandy;Normandy SR2; [x]
R4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\SQLADHLP.EXE [2009-03-31 47128]
R4 RsFx0103;RsFx0103 Driver;c:\windows\system32\DRIVERS\RsFx0103.sys [2009-03-30 239336]
R4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [2009-03-30 366936]
S2 MSSQL$SQLSERVER;SQL Server (SQLSERVER);c:\program files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe [2008-02-27 29183504]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60x.sys [2006-11-02 167936]
S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2010-03-26 42368]
S3 SCREAMINGBDRIVER;Screaming Bee Audio;c:\windows\system32\drivers\ScreamingBAudio.sys [2009-11-26 34384]
S3 tenCapture;tenCapture;c:\windows\system32\DRIVERS\tenCapture.sys [2007-04-21 9344]
S3 VCSVADHWSer;Avnex Virtual Audio Device (WDM);c:\windows\system32\DRIVERS\vcsvad.sys [2008-12-10 17792]
S3 VST_DPV;VST_DPV;c:\windows\system32\DRIVERS\VSTDPV3.SYS [2006-11-02 987648]
S3 VSTHWBS2;VSTHWBS2;c:\windows\system32\DRIVERS\VSTBS23.SYS [2006-11-02 251904]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder

2010-11-29 c:\windows\Tasks\AutoSmartDefrag.job
- c:\program files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe [2009-08-12 13:22]

2010-11-29 c:\windows\Tasks\SmartDefrag.job
- c:\program files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe [2009-08-12 13:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Matti\AppData\Roaming\Mozilla\Firefox\Profiles\4j8du9ll.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: keyword.URL - hxxp://bing.zugotoolbar.com/s/?iesrc=IE-Address&site=Bing&q=
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava11.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava12.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava13.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava14.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava32.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjpi160.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npoji610.dll
FF - plugin: c:\program files\Microsoft\Web Platform Installer\NPWPIDetector.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\users\Matti\AppData\Roaming\Mozilla\Firefox\Profiles\4j8du9ll.default\extensions\LogMeInClient@logmein.com\plugins\npRACtrl.dll
FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Extension: LogMeIn, Inc. Remote Access Plugin: LogMeInClient@logmein.com - c:\users\Matti\AppData\Roaming\Mozilla\Firefox\Profiles\4j8du9ll.default\extensions\LogMeInClient@logmein.com
FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension

---- FIREFOX POLICIES ----
FF - user.js: browser.cache.memory.capacity - 65536
FF - user.js: browser.chrome.favicons - fales
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autofill - true
FF - user.js: browser.xul.error_pages.enabled - true
FF - user.js: content.interrupt.parsing - true
FF - user.js: content.max.tokenizing.time - 3000000
FF - user.js: content.maxtextrun - 8191
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.notify.interval - 750000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 750000
FF - user.js: network.http.max-connections - 32
FF - user.js: network.http.max-connections-per-server - 8
FF - user.js: network.http.max-persistent-connections-per-proxy - 8
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.firstrequest - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: nglayout.initialpaint.delay - 0
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-02 00:46
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2010-12-02 00:50:29
ComboFix-quarantined-files.txt 2010-12-02 05:50
ComboFix2.txt 2010-11-29 14:47
ComboFix3.txt 2010-11-17 18:25

Pre-Run: 17,216,462,848 bytes free
Post-Run: 17,227,599,872 bytes free

- - End Of File - - 3C110164ECDEECAC05313EFD70A3B2C2
