pop up nullmx and geasszw worms


37 replies to this topic

#1 HannahPethen

HannahPethen

  • Members
  • 19 posts
  • OFFLINE
  • Local time:06:32 AM

Posted 25 November 2010 - 02:38 PM

At first the current Spyware Doctor kept producing pop-ups asking if it should allow or block incoming data; 95% of the time these were nullmx type files. Although I told it to block them, they continue to come and the computer now seems to be infected, as it freezes if you turn it on in 'normal' mode and you can't use any of the icons. None of my existing anti-virus, including Spyware Dr and Malwarebytes, can remove it.


I have managed to access the computer in safe mode. There may be several pieces of malware, but I have noticed one called geasszw.sys, which hides in c:\windows\system32\drivers. I have tried to delete this in administrator mode and have tried to give myself the rights to the file in order to remove it, but it refuses to go and says 'cannot read from the source file or disc' when attempted in Windows Explorer and 'a device attached to the system is not functioning' when I attempted to delete it at the command prompt. I have not been successful in removing it either way.

I have run the scans recommended in the guide. The DDS text log provided the following, and the DDS attach log is attached:

DDS (Ver_10-11-10.01) - NTFSx86 NETWORK
Run by john at 18:18:32.83 on 23/11/2010
Internet Explorer: 8.0.6001.18975
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.1982.1436 [GMT 0:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
"C:\Windows\System32\svchost.exe"
"C:\Windows\System32\svchost.exe"
"C:\Windows\System32\svchost.exe"
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\PROGRAM FILES\Internet Explorer\iexplore.exe
C:\PROGRAM FILES\Internet Explorer\iexplore.exe
C:\PROGRAM FILES\Internet Explorer\iexplore.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Users\john\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_gb&c=81&bd=HP&pf=laptop
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_gb&c=81&bd=HP&pf=laptop
uInternet Settings,ProxyOverride = <local>
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: PC Tools Browser Guard BHO: {2a0f3d1b-0909-4ff4-b272-609cce6054e7} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No File
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [WAWifiMessage] c:\program files\hewlett-packard\hp wireless assistant\WiFiMsg.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
LSP: c:\program files\common files\pc tools\lsp\PCTLsp.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"

============= SERVICES / DRIVERS ===============

R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 25680]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2010-6-22 218592]
R1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [2010-6-22 233136]
S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [2010-6-22 51984]
S0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [2010-6-22 59664]
S1 RapportKELL;RapportKELL;c:\program files\trusteer\rapport\bin\RapportKELL.sys [2010-7-1 59240]
S1 RapportPG;RapportPG;c:\program files\trusteer\rapport\bin\RapportPG.sys [2010-7-1 166632]
S2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\spyware doctor\bdt\BDTUpdateService.exe [2010-6-22 198608]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 RapportMgmtService;Rapport Management Service;c:\program files\trusteer\rapport\bin\RapportMgmtService.exe [2010-7-1 840936]
S2 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2010-6-22 366840]
S2 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2010-6-22 1142224]
S3 APL531;OVT Scanner;c:\windows\system32\drivers\ov550i.sys [2006-7-31 580992]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-9-22 21504]
S3 pctplsg;pctplsg;c:\windows\system32\drivers\pctplsg.sys [2010-6-22 63360]
S3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [2010-6-22 33552]
S3 ThreatFire;ThreatFire;c:\program files\spyware doctor\tfengine\tfservice.exe service --> c:\program files\spyware doctor\tfengine\TFService.exe service [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

=============== Created Last 30 ================

2010-11-23 15:56:12 6146896 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{31250762-9f82-42b0-9e90-ca0fd105170f}\mpengine.dll
2010-11-11 14:15:47 2409784 ----a-w- c:\program files\windows mail\OESpamFilter.dat
2010-10-29 09:10:00 -------- d-----w- C:\89da4af04d5300954313
2010-10-27 16:38:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-27 16:38:34 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-27 16:38:34 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-10-27 16:27:36 1696256 ----a-w- c:\windows\system32\gameux.dll
2010-10-27 16:27:32 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2010-10-27 16:27:30 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2010-10-27 16:21:28 -------- d-----w- c:\users\john\appdata\roaming\GlarySoft
2010-10-27 16:08:11 -------- d-----w- c:\program files\Glary Utilities

==================== Find3M ====================

2010-10-19 10:41:44 222080 ----a-w- c:\windows\system32\MpSigStub.exe
2010-09-13 13:56:41 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2010-09-08 06:01:28 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-08 05:57:18 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-08 05:57:05 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-09-08 05:56:53 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-09-08 05:56:53 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-09-08 05:04:36 385024 ----a-w- c:\windows\system32\html.iec
2010-09-08 04:26:46 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-09-08 04:25:15 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2010-09-06 16:20:29 125952 ----a-w- c:\windows\system32\srvsvc.dll
2010-09-06 16:19:06 17920 ----a-w- c:\windows\system32\netevent.dll
2010-08-31 15:46:37 954752 ----a-w- c:\windows\system32\mfc40.dll
2010-08-31 15:46:37 954288 ----a-w- c:\windows\system32\mfc40u.dll
2010-08-31 15:44:31 531968 ----a-w- c:\windows\system32\comctl32.dll
2010-08-31 13:27:38 2038272 ----a-w- c:\windows\system32\win32k.sys
2010-08-26 16:37:45 157184 ----a-w- c:\windows\system32\t2embed.dll
2010-08-26 16:33:06 173056 ----a-w- c:\windows\apppatch\AcXtrnal.dll
2010-08-26 16:33:04 542720 ----a-w- c:\windows\apppatch\AcLayers.dll
2010-08-26 16:33:04 458752 ----a-w- c:\windows\apppatch\AcSpecfc.dll
2010-08-26 16:33:04 2159616 ----a-w- c:\windows\apppatch\AcGenral.dll

============= FINISH: 18:20:29.29 ===============

I had no problems with DDS, DeFogger or GMER.

Please find attached the other logs.

Thanks in advance

Hannah
Attached File  DDSAttachreport.txt   5.26KB   1 downloads

Attached Files




#2 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  • Gender:Male
  • Location:Bulgaria
  • Local time:09:32 AM

Posted 03 December 2010 - 03:14 AM

Hello and welcome to Bleeping Computer :welcome:

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review your topic and do their best to resolve your issues.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log



Regards,
Georgi :hello:



#3 HannahPethen

HannahPethen
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  • Local time:06:32 AM

Posted 03 December 2010 - 04:03 PM

Thanks for getting back to me, I appreciate you may be busy. I haven't yet resolved the problem and nothing has been done to the computer since my last post. The problem is still the same. Here is the DDS log:


DDS (Ver_10-11-27.01) - NTFSx86 NETWORK
Run by john at 17:34:23.43 on 03/12/2010
Internet Explorer: 8.0.6001.18975
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.1982.1386 [GMT 0:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
"C:\Windows\System32\svchost.exe"
"C:\Windows\System32\svchost.exe"
"C:\Windows\System32\svchost.exe"
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Users\john\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_gb&c=81&bd=HP&pf=laptop
uInternet Settings,ProxyOverride = <local>
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: PC Tools Browser Guard BHO: {2a0f3d1b-0909-4ff4-b272-609cce6054e7} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No File
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
mRun: [WAWifiMessage] c:\program files\hewlett-packard\hp wireless assistant\WiFiMsg.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRunOnce: [<NO NAME>]
mRunOnce: [GrpConv] grpconv -o
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
LSP: c:\program files\common files\pc tools\lsp\PCTLsp.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"

============= SERVICES / DRIVERS ===============

R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 25680]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2010-6-22 218592]
R1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [2010-6-22 233136]
S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [2010-6-22 51984]
S0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [2010-6-22 59664]
S1 RapportKELL;RapportKELL;c:\program files\trusteer\rapport\bin\RapportKELL.sys [2010-7-1 59240]
S1 RapportPG;RapportPG;c:\program files\trusteer\rapport\bin\RapportPG.sys [2010-7-1 166632]
S2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\spyware doctor\bdt\BDTUpdateService.exe [2010-6-22 198608]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 RapportMgmtService;Rapport Management Service;c:\program files\trusteer\rapport\bin\RapportMgmtService.exe [2010-7-1 840936]
S2 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2010-6-22 366840]
S2 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2010-6-22 1142224]
S3 APL531;OVT Scanner;c:\windows\system32\drivers\ov550i.sys [2006-7-31 580992]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-9-22 21504]
S3 pctplsg;pctplsg;c:\windows\system32\drivers\pctplsg.sys [2010-6-22 63360]
S3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [2010-6-22 33552]
S3 ThreatFire;ThreatFire;c:\program files\spyware doctor\tfengine\tfservice.exe service --> c:\program files\spyware doctor\tfengine\TFService.exe service [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

=============== Created Last 30 ================

2010-11-25 18:32:22 94848 ----a-w- C:\kxldypog.sys
2010-11-23 21:26:39 -------- d-----w- c:\users\john\appdata\local\temp
2010-11-23 21:19:35 -------- d-sh--w- C:\$RECYCLE.BIN
2010-11-23 19:46:13 98816 ----a-w- c:\windows\sed.exe
2010-11-23 19:46:13 89088 ----a-w- c:\windows\MBR.exe
2010-11-23 19:46:13 256512 ----a-w- c:\windows\PEV.exe
2010-11-23 19:46:13 161792 ----a-w- c:\windows\SWREG.exe
2010-11-23 15:56:12 6146896 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{31250762-9f82-42b0-9e90-ca0fd105170f}\mpengine.dll
2010-11-11 14:15:47 2409784 ----a-w- c:\program files\windows mail\OESpamFilter.dat

==================== Find3M ====================

2010-10-19 10:41:44 222080 ----a-w- c:\windows\system32\MpSigStub.exe
2010-09-13 13:56:41 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2010-09-08 06:01:28 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-08 05:57:18 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-08 05:57:05 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-09-08 05:56:53 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-09-08 05:56:53 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-09-08 05:04:36 385024 ----a-w- c:\windows\system32\html.iec
2010-09-08 04:26:46 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-09-08 04:25:15 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2010-09-06 16:20:29 125952 ----a-w- c:\windows\system32\srvsvc.dll
2010-09-06 16:19:06 17920 ----a-w- c:\windows\system32\netevent.dll

============= FINISH: 17:36:25.41 ==========]

The DDS attach log and the GMER log are attached as indicated in the general instructions for the forum.

Hannah

Attached Files
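The helpers in this thread read the DDS and ComboFix driver listings by eye for the tell-tale signs of a rootkit driver: a service that is still registered but whose file is missing (ComboFix prints this as "[x]"), a .sys image created in the drive root rather than under system32\drivers, and an auto-generated-looking driver name with no vendor description. The following Python script is an added example, not code from the forum or from the DDS/ComboFix tools; it applies those same checks to constructed log lines modelled on the formats quoted in this thread, and deliberately keeps the name heuristic at low confidence because legitimate drivers (the PC Tools pctgntdi entry, for instance) also match it.

```python
import re
from dataclasses import dataclass

# Constructed sample lines modelled on the DDS "SERVICES / DRIVERS" and
# "Created Last 30" sections and on ComboFix's "[x]" marker as they appear
# in this thread. These are not a copy of the attached logs.
SAMPLE_LOG = """\
============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;c:\\windows\\system32\\drivers\\PCTCore.sys [2010-6-22 218592]
R1 pctgntdi;pctgntdi;c:\\windows\\system32\\drivers\\pctgntdi.sys [2010-6-22 233136]
R1 lbmmjpcv;lbmmjpcv;c:\\windows\\system32\\drivers\\lbmmjpcv.sys [x]
S3 ThreatFire;ThreatFire;c:\\program files\\spyware doctor\\tfengine\\TFService.exe service [?]
S3 APL531;OVT Scanner;c:\\windows\\system32\\drivers\\ov550i.sys [2006-7-31 580992]

=============== Created Last 30 ================

2010-11-25 18:32:22 94848 ----a-w- C:\\kxldypog.sys
2010-11-23 19:46:13 89088 ----a-w- c:\\windows\\MBR.exe
2010-10-27 16:38:34 20952 ----a-w- c:\\windows\\system32\\drivers\\mbam.sys
2010-10-29 09:10:00 -------- d-----w- C:\\89da4af04d5300954313
"""

# "<start type> <name>;<description>;<path> [<date size> | x | ?]"
DRIVER_RE = re.compile(r"^([RS][0-4]) ([^;]+);([^;]*);(.+?) \[([^\]]*)\]$")
# "<date> <time> <size or dashes> <attribute flags> <path>"
CREATED_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) \d{2}:\d{2}:\d{2} (\d+|-+) (\S+) (.+)$")
ROOT_SYS_RE = re.compile(r"^[a-z]:\\[^\\]+\.sys$", re.I)
RANDOM_NAME_RE = re.compile(r"^[a-z]{8}$")   # heuristic only: 8 lowercase letters


@dataclass(frozen=True)
class Finding:
    severity: str   # "high", "low" or "info"
    subject: str    # service name or file path
    reason: str


def check_driver_line(line):
    """Apply the service/driver checks to one DDS or ComboFix driver line."""
    m = DRIVER_RE.match(line)
    if not m:
        return []
    _start, name, desc, _path, info = m.groups()
    out = []
    if info == "x":
        out.append(Finding("high", name,
                           "service still registered but its file is missing ('[x]')"))
    elif info == "?":
        out.append(Finding("info", name, "file size/date could not be read ('[?]')"))
    if name == desc and RANDOM_NAME_RE.match(name):
        out.append(Finding("low", name,
                           "auto-generated-looking name with no vendor description; "
                           "corroborate (vendor, signature) before acting"))
    return out


def check_created_line(line):
    """Apply the recently-created-file checks to one 'Created Last 30' line."""
    m = CREATED_RE.match(line)
    if not m:
        return []
    _date, _size, attrs, path = m.groups()
    if attrs.startswith("d"):        # directories are not driver images
        return []
    out = []
    if ROOT_SYS_RE.match(path):
        out.append(Finding("high", path,
                           "kernel driver image created in the drive root "
                           "instead of system32\\drivers"))
    stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    if path.lower().endswith(".sys") and RANDOM_NAME_RE.match(stem):
        out.append(Finding("low", path,
                           "recently created driver with an auto-generated-looking name"))
    return out


def triage(log_text):
    """Run every check over a whole log and return findings, most severe first."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        findings.extend(check_driver_line(line))
        findings.extend(check_created_line(line))
    order = {"high": 0, "low": 1, "info": 2}
    return sorted(findings, key=lambda f: (order[f.severity], f.subject))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:4}] {f.subject}: {f.reason}")
```

The low-confidence hit on pctgntdi is the point of the severity split: a name pattern alone is never enough to act on, whereas a registered service whose file has vanished or a .sys dropped in C:\ deserves the follow-up tools the helpers ask for.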



#4 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:06:32 AM

Posted 03 December 2010 - 08:14 PM

You have a rootkit.

Please run RKill

Download and Run RKill

Please download RKill by Grinler from one of the 4 links below and save it to your desktop.

Link 1
Link 2
Link 3
Link 4

  • Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. Please refer to this page if you are not sure how.
  • Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator)
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • Please post the resulting log in your next reply.

Now please run Combofix and let's see what we're up against

Please download ComboFix from one of these locations:* IMPORTANT !!! Save ComboFix.exe to your Desktop making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Comfix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[screenshot of the ComboFix Recovery Console message not preserved]


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
m0le is a proud member of UNITE

#5 HannahPethen

HannahPethen
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  • Local time:06:32 AM

Posted 04 December 2010 - 04:42 PM

Thanks for this. I have run RKill and Combofix. The RKill seemed to work fine. Here is the log:

This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on 04/12/2010 at 21:04:09.
Operating System: Windows Vista ™ Home Premium


Processes terminated by Rkill or while it was running:



Rkill completed on 04/12/2010 at 21:04:12.

I then ran combofix. Twice while it was running the scan, the dialogue box said 'access denied' and advised me to run as administrator command prompt to gain access. Here is the combofix log:

ComboFix 10-12-03.03 - john 04/12/2010 21:11:23.1.2 - x86 NETWORK
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.1982.1462 [GMT 0:00]
Running from: c:\users\john\Desktop\ComboFix.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\geasszw.sys . . . . Failed to delete

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_geasszw
-------\Service_geasszw


((((((((((((((((((((((((( Files Created from 2010-11-04 to 2010-12-04 )))))))))))))))))))))))))))))))
.

2010-12-04 21:19 . 2010-12-04 21:26 -------- d-----w- c:\users\john\AppData\Local\temp
2010-12-04 21:19 . 2010-12-04 21:19 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-11-25 18:32 . 2010-11-25 18:32 94848 ----a-w- C:\kxldypog.sys
2010-11-23 20:19 . 2010-11-23 20:19 -------- d-----w- c:\users\Administrator
2010-11-23 15:56 . 2010-10-07 23:21 6146896 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{31250762-9F82-42B0-9E90-CA0FD105170F}\mpengine.dll
2010-11-11 14:15 . 2010-10-07 11:37 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-12-04 21:28 . 2010-10-14 16:46 842240 ----a-w- c:\windows\system32\drivers\geasszw.sys
2010-10-19 10:41 . 2009-10-13 12:33 222080 ----a-w- c:\windows\system32\MpSigStub.exe
2010-10-16 08:43 . 2010-10-10 20:21 0 ----a-w- c:\users\john\AppData\Local\Lsepag.bin
2010-09-13 15:27 . 2010-09-13 15:27 25680 ----a-w- c:\windows\system32\drivers\AVGIDSEH.sys
2010-09-13 13:56 . 2010-10-14 19:09 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2010-09-08 06:01 . 2010-10-14 18:52 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-08 05:57 . 2010-10-14 18:52 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-08 05:57 . 2010-10-14 18:52 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-09-08 05:56 . 2010-10-14 18:52 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-09-08 05:56 . 2010-10-14 18:52 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-09-08 05:04 . 2010-10-14 18:52 385024 ----a-w- c:\windows\system32\html.iec
2010-09-08 04:26 . 2010-10-14 18:52 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-09-08 04:25 . 2010-10-14 18:52 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2010-09-06 16:20 . 2010-10-14 19:07 125952 ----a-w- c:\windows\system32\srvsvc.dll
2010-09-06 16:19 . 2010-10-14 19:07 17920 ----a-w- c:\windows\system32\netevent.dll
2010-09-06 13:45 . 2010-10-14 19:07 304128 ----a-w- c:\windows\system32\drivers\srv.sys
2010-09-06 13:45 . 2010-10-14 19:07 145408 ----a-w- c:\windows\system32\drivers\srv2.sys
2010-09-06 13:45 . 2010-10-14 19:07 102400 ----a-w- c:\windows\system32\drivers\srvnet.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WAWifiMessage"="c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2007-01-08 311296]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-03-28 1045800]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-12-04 13556256]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-12-04 92704]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-03-16 47392]
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2010-05-11 1287120]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-04-29 1090952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"="grpconv -o" [X]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [2010-02-02 51984]
R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [2010-02-02 59664]
R1 lbmmjpcv;lbmmjpcv;c:\windows\system32\drivers\lbmmjpcv.sys [x]
R1 RapportKELL;RapportKELL;c:\program files\Trusteer\Rapport\bin\RapportKELL.sys [2010-07-01 59240]
R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [2010-07-01 166632]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [2010-07-19 198608]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [2010-07-01 840936]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2010-03-11 366840]
R3 APL531;OVT Scanner;c:\windows\system32\Drivers\ov550i.sys [2006-07-31 580992]
R3 pctplsg;pctplsg;c:\windows\System32\drivers\pctplsg.sys [2010-04-08 63360]
R3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [2010-02-02 33552]
R3 ThreatFire;ThreatFire;c:\program files\Spyware Doctor\TFEngine\TFService.exe service [x]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S0 AVGIDSEH;AVGIDSEH;c:\windows\system32\DRIVERS\AVGIDSEH.Sys [2010-09-13 25680]
S0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2010-03-29 218592]
S1 pctgntdi;pctgntdi;c:\windows\System32\drivers\pctgntdi.sys [2010-02-05 233136]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - CFCATCHME
*Deregistered* - CFcatchme
*Deregistered* - geasszw

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2007-08-23 16:34 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder

2010-12-04 c:\windows\Tasks\GlaryInitialize.job
- c:\program files\Glary Utilities\initialize.exe [2010-10-27 20:55]

2010-11-23 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-05-04 12:01]

2010-12-04 c:\windows\Tasks\User_Feed_Synchronization-{3B2F4999-56A4-4DBF-BF13-AC05972B3087}.job
- c:\windows\system32\msfeedssync.exe [2010-10-14 04:25]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_gb&c=81&bd=HP&pf=laptop
uInternet Settings,ProxyOverride = <local>
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
LSP: c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
.
- - - - ORPHANS REMOVED - - - -

HKLM-RunOnce-<NO NAME> - (no file)



**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\geasszw]

.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b4
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\rundll32.exe
c:\program files\Windows Media Player\wmpnscfg.exe
c:\windows\system32\DllHost.exe
.
**************************************************************************
.
Completion time: 2010-12-04 21:33:26 - machine was rebooted
ComboFix-quarantined-files.txt 2010-12-04 21:33
ComboFix2.txt 2010-11-23 21:26
ComboFix3.txt 2010-11-23 20:17

Pre-Run: 31,056,273,408 bytes free
Post-Run: 30,974,246,912 bytes free

- - End Of File - - B9918DB7F72B5E37C5C245A2654556B4

Thank you for your help, it is much appreciated, but I don't think we have succeeded in removing the problem yet. When ComboFix restarted the computer it didn't start in 'safe mode', which is what I am working in now in order to have access to everything. The restarted computer was hopelessly slow and after a few minutes I got the 'blue screen of death' which we have had before with this virus. Hopefully the logs will give you more info.

Thanks again

Hannah

#6 m0le (Malware Response Team)

Posted 04 December 2010 - 06:23 PM

Combofix's log shows that we didn't quite succeed.

Please run it again, as shown below

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the box below into it:

File::
C:\kxldypog.sys
c:\windows\system32\drivers\geasszw.sys
c:\users\john\AppData\Local\Lsepag.bin
c:\windows\system32\drivers\lbmmjpcv.sys

Registry::
[-HKEY_LOCAL_MACHINE\system\ControlSet001\Services\geasszw]

Driver::
lbmmjpcv
geasszw


Save this as CFScript.txt, in the same location as ComboFix.exe (called ComboFix.exe in the below graphic)



Referring to the picture above, drag CFScript into ComboFix.exe

If the program asks you to update ComboFix, click Yes.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
m0le is a proud member of UNITE

#7 HannahPethen (Topic Starter)

Posted 05 December 2010 - 07:32 PM

Hi

I have run the updated ComboFix with the CFScript. Twice, as I ran the program, the message appeared 'Access Denied. You require administrator privileges. Use administrator command prompt to access'. This occurred even though I was in the 'administrator' profile at the time. ComboFix log below:

ComboFix 10-12-04.02 - Administrator 05/12/2010 23:53:31.1.2 - x86 NETWORK
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.1982.1404 [GMT 0:00]
Running from: c:\users\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\users\Administrator\Desktop\CFScript.txt
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Created a new restore point

FILE ::
"C:\kxldypog.sys"
"c:\users\john\AppData\Local\Lsepag.bin"
"c:\windows\system32\drivers\geasszw.sys"
"c:\windows\system32\drivers\lbmmjpcv.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\geasszw.sys . . . . Failed to delete

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_GEASSZW
-------\Service_geasszw


((((((((((((((((((((((((( Files Created from 2010-11-06 to 2010-12-06 )))))))))))))))))))))))))))))))
.

2010-12-06 00:00 . 2010-12-06 00:20 -------- d-----w- c:\users\ADMINI~1\AppData\Local\temp
2010-12-06 00:00 . 2010-12-06 00:00 -------- d-----w- c:\users\john\AppData\Local\temp
2010-12-06 00:00 . 2010-12-06 00:00 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-11-23 20:19 . 2010-11-23 20:19 -------- d-sh--we c:\users\ADMINI~1\AppData\Local\Temporary Internet Files
2010-11-23 20:19 . 2010-11-23 20:19 -------- d-sh--we c:\users\ADMINI~1\AppData\Local\History
2010-11-23 20:19 . 2010-11-23 20:19 -------- d-sh--we c:\users\ADMINI~1\AppData\Local\Application Data
2010-11-23 20:19 . 2010-11-23 20:20 -------- d-----w- c:\users\ADMINI~1\AppData\Local\Microsoft
2010-11-23 20:19 . 2010-02-27 13:42 -------- d-----w- c:\users\ADMINI~1\AppData\Roaming\Trusteer
2010-11-23 20:19 . 2008-06-11 06:54 -------- d-----w- c:\users\ADMINI~1\AppData\Local\Microsoft Help
2010-11-23 20:19 . 2006-11-02 12:37 -------- d-----w- c:\users\ADMINI~1\AppData\Roaming\Media Center Programs
2010-11-23 20:19 . 2010-11-23 20:19 -------- d-----w- c:\users\Administrator
2010-11-23 15:56 . 2010-10-07 23:21 6146896 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{31250762-9F82-42B0-9E90-CA0FD105170F}\mpengine.dll
2010-11-11 14:15 . 2010-10-07 11:37 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-12-06 00:21 . 2010-10-14 16:46 842240 ----a-w- c:\windows\system32\drivers\geasszw.sys
2010-10-19 10:41 . 2009-10-13 12:33 222080 ----a-w- c:\windows\system32\MpSigStub.exe
2010-09-13 15:27 . 2010-09-13 15:27 25680 ----a-w- c:\windows\system32\drivers\AVGIDSEH.sys
2010-09-13 13:56 . 2010-10-14 19:09 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2010-09-08 06:01 . 2010-10-14 18:52 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-08 05:57 . 2010-10-14 18:52 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-08 05:57 . 2010-10-14 18:52 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-09-08 05:56 . 2010-10-14 18:52 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-09-08 05:56 . 2010-10-14 18:52 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-09-08 05:04 . 2010-10-14 18:52 385024 ----a-w- c:\windows\system32\html.iec
2010-09-08 04:26 . 2010-10-14 18:52 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-09-08 04:25 . 2010-10-14 18:52 1638912 ----a-w- c:\windows\system32\mshtml.tlb
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WindowsWelcomeCenter"="oobefldr.dll" [2009-04-11 2153472]
"HPADVISOR"="c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe" [2007-10-01 1783136]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WAWifiMessage"="c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2007-01-08 311296]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-03-28 1045800]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-12-04 13556256]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-12-04 92704]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-03-16 47392]
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2010-05-11 1287120]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-04-29 1090952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"="grpconv -o" [X]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [2010-02-02 51984]
R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [2010-02-02 59664]
R1 RapportKELL;RapportKELL;c:\program files\Trusteer\Rapport\bin\RapportKELL.sys [2010-07-01 59240]
R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [2010-07-01 166632]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [2010-07-19 198608]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [2010-07-01 840936]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2010-03-11 366840]
R3 APL531;OVT Scanner;c:\windows\system32\Drivers\ov550i.sys [2006-07-31 580992]
R3 pctplsg;pctplsg;c:\windows\System32\drivers\pctplsg.sys [2010-04-08 63360]
R3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [2010-02-02 33552]
R3 ThreatFire;ThreatFire;c:\program files\Spyware Doctor\TFEngine\TFService.exe service [x]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S0 AVGIDSEH;AVGIDSEH;c:\windows\system32\DRIVERS\AVGIDSEH.Sys [2010-09-13 25680]
S0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2010-03-29 218592]
S1 pctgntdi;pctgntdi;c:\windows\System32\drivers\pctgntdi.sys [2010-02-05 233136]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - CFCATCHME
*Deregistered* - CFcatchme
*Deregistered* - geasszw

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2007-08-23 16:34 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder

2010-12-05 c:\windows\Tasks\GlaryInitialize.job
- c:\program files\Glary Utilities\initialize.exe [2010-10-27 20:55]

2010-12-06 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-05-04 12:01]

2010-12-06 c:\windows\Tasks\User_Feed_Synchronization-{3B2F4999-56A4-4DBF-BF13-AC05972B3087}.job
- c:\windows\system32\msfeedssync.exe [2010-10-14 04:25]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_gb&c=81&bd=HP&pf=laptop
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_gb&c=81&bd=HP&pf=laptop
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
LSP: c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
.
- - - - ORPHANS REMOVED - - - -

HKLM-RunOnce-<NO NAME> - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-06 00:18
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\geasszw]

.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-759214962-1265539685-4049476873-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,29,40,38,83,d1,7c,ca,4b,bc,6c,04,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,29,40,38,83,d1,7c,ca,4b,bc,6c,04,\

[HKEY_USERS\S-1-5-21-759214962-1265539685-4049476873-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.sys\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Applications\\notepad.exe"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b4
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Windows Media Player\wmpnscfg.exe
.
**************************************************************************
.
Completion time: 2010-12-06 00:26:17 - machine was rebooted
ComboFix-quarantined-files.txt 2010-12-06 00:26
ComboFix2.txt 2010-12-05 23:45
ComboFix3.txt 2010-12-04 21:33
ComboFix4.txt 2010-11-23 21:26
ComboFix5.txt 2010-12-05 23:52

Pre-Run: 30,967,312,384 bytes free
Post-Run: 30,892,331,008 bytes free

- - End Of File - - 30D70E6F8112391D0303EE9E5C2FE173


Thanks

#8 m0le (Malware Response Team)

Posted 05 December 2010 - 07:49 PM

Please run TDSSKiller and MBRCheck

  • Download TDSSKiller and save it to your Desktop.

  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.

  • Go to Start > Run (or hold down the Windows key and press R), copy and paste the following into the text field (make sure you include the quote marks), then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l report.txt

  • Now click Start Scan.
  • If malicious objects are found, ensure Cure is selected, then click Continue > Reboot now.
  • Click Close
  • Finally press Report and copy and paste the contents into your next reply. If you've rebooted then the log will be found at C:\


Then

Please download MBRCheck to your desktop.

1. Double click MBRCheck.exe to run it (Right click and run as Administrator for Vista).
2. It will open a black window, please do not fix anything (if it gives you an option).
3. Exit that window and it will produce a log (MBRCheck_date_time).
4. Please post that log when you reply.
m0le is a proud member of UNITE
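The two procedures m0le gives above (a CFScript with File::/Registry::/Driver:: sections fed to ComboFix, then a TDSSKiller scan) both produce logs whose interesting lines are easy to miss in hundreds of driver entries. The following is an added example, not code from the thread, from ComboFix, from TDSSKiller or from m0le: a small Python triage script that reads the kinds of lines those tools emit in this thread (ComboFix's `[x]` driver entries, "Failed to delete", the deregistered-driver list and the orphaned Services key; TDSSKiller's "Suspicious service/file (NoAccess)" and "Locked service" lines), collects the evidence per service name or file stem, and reports which flagged names a CFScript leaves untouched. The sample log lines and the CFScript are constructed from what is posted in this thread; the regular expressions are written against those lines and are an assumption about the formats, not a specification of either tool.

```python
"""Offline triage of ComboFix and TDSSKiller log excerpts.

Added example for this thread; not part of ComboFix, TDSSKiller or the posts.
The sample log lines and CFScript below are constructed from what the thread
shows. Needs Python 3.8+ (assignment expressions).
"""
import re
from collections import defaultdict

# ComboFix driver line: "R1 name;display;path [date size]"; "[x]" = file missing on disk
SVC_RE = re.compile(r"^[RS]\d\s+(?P<name>[^;]+);[^;]*;(?P<path>.+?)\s+\[(?P<meta>[^\]]*)\]$")
DEREG_RE = re.compile(r"^\*Deregistered\*\s+-\s+(?P<name>\S+)")
FAILED_RE = re.compile(r"^(?P<path>\S.*?)\s+(?:\.\s+)+Failed to delete", re.I)
SVCKEY_RE = re.compile(r"^\[HKEY_LOCAL_MACHINE\\system\\ControlSet\d+\\Services\\(?P<name>[^\\\]]+)\]$", re.I)
# TDSSKiller lines: the scanner names the object and the reason it could not inspect it
TDSS_SVC_RE = re.compile(r"Suspicious service \((?P<reason>\w+)\):\s+(?P<name>\S+)")
TDSS_FILE_RE = re.compile(r"Suspicious file \((?P<reason>\w+)\):\s+(?P<path>.+?)\.\s+md5:\s+(?P<md5>[0-9a-fA-F]{32})")
TDSS_LOCK_RE = re.compile(r"(?P<name>\S+)\s+-\s+detected Locked service")
COMBOFIX_OWN = {"cfcatchme"}  # ComboFix's own catchme driver; always listed, never a finding


def stem(path):
    """Lower-case file stem of a Windows path: '...\\drivers\\geasszw.sys' -> 'geasszw'."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()


def triage(combofix_log, tdss_log):
    """Map each service name / file stem to the sorted list of reasons it was flagged."""
    found = defaultdict(set)
    for line in map(str.strip, combofix_log.splitlines()):
        if m := SVC_RE.match(line):
            if m["meta"].strip().lower() == "x":
                found[m["name"].lower()].add("combofix: service points at missing file")
        elif m := DEREG_RE.match(line):
            if m["name"].lower() not in COMBOFIX_OWN:
                found[m["name"].lower()].add("combofix: listed as deregistered in-memory driver")
        elif m := FAILED_RE.match(line):
            found[stem(m["path"])].add("combofix: file delete failed")
        elif m := SVCKEY_RE.match(line):
            found[m["name"].lower()].add("combofix: services key listed after rootkit scan")
    for line in tdss_log.splitlines():
        if m := TDSS_SVC_RE.search(line):
            found[m["name"].lower()].add(f"tdsskiller: suspicious service ({m['reason']})")
        elif m := TDSS_FILE_RE.search(line):
            found[stem(m["path"])].add(f"tdsskiller: suspicious file ({m['reason']}) md5={m['md5'].lower()}")
        elif m := TDSS_LOCK_RE.search(line):
            found[m["name"].lower()].add("tdsskiller: locked service")
    return {k: sorted(v) for k, v in found.items()}


def parse_cfscript(text):
    """Split a CFScript into its 'File', 'Registry', 'Driver', ... sections."""
    sections, current = defaultdict(list), None
    for line in map(str.strip, text.splitlines()):
        if line.endswith("::"):
            current = line[:-2]
        elif line and current:
            sections[current].append(line)
    return dict(sections)


def cfscript_gaps(findings, script):
    """Flagged names that the script's File::/Registry::/Driver:: entries never touch."""
    s = parse_cfscript(script)
    targeted = {e.lower() for e in s.get("Driver", [])}
    targeted |= {stem(e) for e in s.get("File", [])}
    targeted |= {e.strip("[]-").rsplit("\\", 1)[-1].lower() for e in s.get("Registry", [])}
    return sorted(set(findings) - targeted)


# Constructed samples, modelled on the logs and the CFScript posted in this thread.
COMBOFIX_SAMPLE = r"""
R1 lbmmjpcv;lbmmjpcv;c:\windows\system32\drivers\lbmmjpcv.sys [x]
R1 RapportKELL;RapportKELL;c:\program files\Trusteer\Rapport\bin\RapportKELL.sys [2010-07-01 59240]
R3 ThreatFire;ThreatFire;c:\program files\Spyware Doctor\TFEngine\TFService.exe service [x]
c:\windows\system32\drivers\geasszw.sys . . . . Failed to delete
*NewlyCreated* - CFCATCHME
*Deregistered* - CFcatchme
*Deregistered* - geasszw
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\geasszw]
"""
TDSS_SAMPLE = r"""
2010/12/06 19:30:43.0072 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\Windows\system32\Drivers\GEARAspiWDM.sys
2010/12/06 19:30:43.0088 Suspicious service (NoAccess): geasszw
2010/12/06 19:30:43.0166 Suspicious file (NoAccess): C:\Windows\system32\drivers\geasszw.sys. md5: bcbf932d179ed01cfa1f3b5896b1c13a
2010/12/06 19:30:43.0166 geasszw - detected Locked service (1)
"""
CFSCRIPT_SAMPLE = r"""
File::
C:\kxldypog.sys
c:\windows\system32\drivers\geasszw.sys
c:\windows\system32\drivers\lbmmjpcv.sys

Registry::
[-HKEY_LOCAL_MACHINE\system\ControlSet001\Services\geasszw]

Driver::
lbmmjpcv
geasszw
"""

if __name__ == "__main__":
    findings = triage(COMBOFIX_SAMPLE, TDSS_SAMPLE)
    for name, reasons in sorted(findings.items()):
        print(name, *reasons, sep="\n  ")
    print("not targeted by CFScript:", cfscript_gaps(findings, CFSCRIPT_SAMPLE))
```

Run as a script it prints the evidence per name and the names the CFScript does not cover. On the constructed input, geasszw accumulates six independent signals (a file that cannot be deleted from inside the running OS, a service key TDSSKiller cannot even read, and a locked service) while ThreatFire is flagged only because its service file is missing, which is exactly what an incomplete uninstall of PC Tools' ThreatFire leaves behind. That is why the gap list is a review list, not a removal list: `[x]` alone never proves malware, and a NoAccess service key combined with an undeletable driver is the signal worth acting on.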

#9 HannahPethen (Topic Starter)

Posted 06 December 2010 - 02:58 PM

I ran TDSSKiller. It identified a 'suspicious object' but didn't give me an option to 'cure'. Here is the log:

2010/12/06 19:30:30.0842 TDSS rootkit removing tool 2.4.10.1 Dec 2 2010 12:28:01
2010/12/06 19:30:30.0842 ================================================================================
2010/12/06 19:30:30.0842 SystemInfo:
2010/12/06 19:30:30.0842
2010/12/06 19:30:30.0842 OS Version: 6.0.6002 ServicePack: 2.0
2010/12/06 19:30:30.0842 Product type: Workstation
2010/12/06 19:30:30.0842 ComputerName: JOHN-PC
2010/12/06 19:30:30.0842 UserName: Administrator
2010/12/06 19:30:30.0842 Windows directory: C:\Windows
2010/12/06 19:30:30.0842 System windows directory: C:\Windows
2010/12/06 19:30:30.0857 Processor architecture: Intel x86
2010/12/06 19:30:30.0857 Number of processors: 2
2010/12/06 19:30:30.0857 Page size: 0x1000
2010/12/06 19:30:30.0857 Boot type: Safe boot with network
2010/12/06 19:30:30.0857 ================================================================================
2010/12/06 19:30:31.0169 Initialize success
2010/12/06 19:30:38.0002 ================================================================================
2010/12/06 19:30:38.0002 Scan started
2010/12/06 19:30:38.0002 Mode: Manual;
2010/12/06 19:30:38.0002 ================================================================================
2010/12/06 19:30:39.0500 ACPI (82b296ae1892fe3dbee00c9cf92f8ac7) C:\Windows\system32\drivers\acpi.sys
2010/12/06 19:30:39.0562 adp94xx (2edc5bbac6c651ece337bde8ed97c9fb) C:\Windows\system32\drivers\adp94xx.sys
2010/12/06 19:30:39.0624 adpahci (b84088ca3cdca97da44a984c6ce1ccad) C:\Windows\system32\drivers\adpahci.sys
2010/12/06 19:30:39.0656 adpu160m (7880c67bccc27c86fd05aa2afb5ea469) C:\Windows\system32\drivers\adpu160m.sys
2010/12/06 19:30:39.0702 adpu320 (9ae713f8e30efc2abccd84904333df4d) C:\Windows\system32\drivers\adpu320.sys
2010/12/06 19:30:39.0780 Afc (fe3ea6e9afc1a78e6edca121e006afb7) C:\Windows\system32\drivers\Afc.sys
2010/12/06 19:30:39.0874 AFD (a201207363aa900abf1a388468688570) C:\Windows\system32\drivers\afd.sys
2010/12/06 19:30:39.0921 agp440 (ef23439cdd587f64c2c1b8825cead7d8) C:\Windows\system32\drivers\agp440.sys
2010/12/06 19:30:39.0968 aic78xx (ae1fdf7bf7bb6c6a70f67699d880592a) C:\Windows\system32\drivers\djsvs.sys
2010/12/06 19:30:39.0999 aliide (90395b64600ebb4552e26e178c94b2e4) C:\Windows\system32\drivers\aliide.sys
2010/12/06 19:30:40.0030 amdagp (2b13e304c9dfdfa5eb582f6a149fa2c7) C:\Windows\system32\drivers\amdagp.sys
2010/12/06 19:30:40.0061 amdide (0577df1d323fe75a739c787893d300ea) C:\Windows\system32\drivers\amdide.sys
2010/12/06 19:30:40.0124 AmdK7 (dc487885bcef9f28eece6fac0e5ddfc5) C:\Windows\system32\drivers\amdk7.sys
2010/12/06 19:30:40.0170 AmdK8 (93ae7f7dd54ab986a6f1a1b37be7442d) C:\Windows\system32\DRIVERS\amdk8.sys
2010/12/06 19:30:40.0217 APL531 (1fc8a7e5c3aed31f00940c6ab2fd9b49) C:\Windows\system32\Drivers\ov550i.sys
2010/12/06 19:30:40.0326 arc (5f673180268bb1fdb69c99b6619fe379) C:\Windows\system32\drivers\arc.sys
2010/12/06 19:30:40.0389 arcsas (957f7540b5e7f602e44648c7de5a1c05) C:\Windows\system32\drivers\arcsas.sys
2010/12/06 19:30:40.0451 AsyncMac (53b202abee6455406254444303e87be1) C:\Windows\system32\DRIVERS\asyncmac.sys
2010/12/06 19:30:40.0498 atapi (1f05b78ab91c9075565a9d8a4b880bc4) C:\Windows\system32\drivers\atapi.sys
2010/12/06 19:30:40.0576 athr (0437199c88f6e88a387cfec8a8886a6e) C:\Windows\system32\DRIVERS\athr.sys
2010/12/06 19:30:40.0670 AVGIDSEH (20a2d48722cf055c846bdeafa4f733ce) C:\Windows\system32\DRIVERS\AVGIDSEH.Sys
2010/12/06 19:30:40.0748 BCM43XV (cf6a67c90951e3e763d2135dede44b85) C:\Windows\system32\DRIVERS\bcmwl6.sys
2010/12/06 19:30:40.0810 Beep (67e506b75bd5326a3ec7b70bd014dfb6) C:\Windows\system32\drivers\Beep.sys
2010/12/06 19:30:40.0950 bowser (74b442b2be1260b7588c136177ceac66) C:\Windows\system32\DRIVERS\bowser.sys
2010/12/06 19:30:41.0013 BrFiltLo (9f9acc7f7ccde8a15c282d3f88b43309) C:\Windows\system32\drivers\brfiltlo.sys
2010/12/06 19:30:41.0060 BrFiltUp (56801ad62213a41f6497f96dee83755a) C:\Windows\system32\drivers\brfiltup.sys
2010/12/06 19:30:41.0106 Brserid (b304e75cff293029eddf094246747113) C:\Windows\system32\drivers\brserid.sys
2010/12/06 19:30:41.0153 BrSerWdm (203f0b1e73adadbbb7b7b1fabd901f6b) C:\Windows\system32\drivers\brserwdm.sys
2010/12/06 19:30:41.0184 BrUsbMdm (bd456606156ba17e60a04e18016ae54b) C:\Windows\system32\drivers\brusbmdm.sys
2010/12/06 19:30:41.0216 BrUsbSer (af72ed54503f717a43268b3cc5faec2e) C:\Windows\system32\drivers\brusbser.sys
2010/12/06 19:30:41.0247 BTHMODEM (ad07c1ec6665b8b35741ab91200c6b68) C:\Windows\system32\drivers\bthmodem.sys
2010/12/06 19:30:41.0340 cdfs (7add03e75beb9e6dd102c3081d29840a) C:\Windows\system32\DRIVERS\cdfs.sys
2010/12/06 19:30:41.0372 cdrom (6b4bffb9becd728097024276430db314) C:\Windows\system32\DRIVERS\cdrom.sys
2010/12/06 19:30:41.0434 circlass (da8e0afc7baa226c538ef53ac2f90897) C:\Windows\system32\drivers\circlass.sys
2010/12/06 19:30:41.0496 CLFS (d7659d3b5b92c31e84e53c1431f35132) C:\Windows\system32\CLFS.sys
2010/12/06 19:30:41.0574 CmBatt (99afc3795b58cc478fbbbcdc658fcb56) C:\Windows\system32\DRIVERS\CmBatt.sys
2010/12/06 19:30:41.0606 cmdide (45201046c776ffdaf3fc8a0029c581c8) C:\Windows\system32\drivers\cmdide.sys
2010/12/06 19:30:41.0668 CnxtHdAudService (b6e7991e3d6146c04c85cd31af22a381) C:\Windows\system32\drivers\CHDRT32.sys
2010/12/06 19:30:41.0715 Compbatt (6afef0b60fa25de07c0968983ee4f60a) C:\Windows\system32\DRIVERS\compbatt.sys
2010/12/06 19:30:41.0746 crcdisk (2a213ae086bbec5e937553c7d9a2b22c) C:\Windows\system32\drivers\crcdisk.sys
2010/12/06 19:30:41.0793 Crusoe (22a7f883508176489f559ee745b5bf5d) C:\Windows\system32\drivers\crusoe.sys
2010/12/06 19:30:41.0886 DfsC (218d8ae46c88e82014f5d73d0236d9b2) C:\Windows\system32\Drivers\dfsc.sys
2010/12/06 19:30:41.0980 disk (5d4aefc3386920236a548271f8f1af6a) C:\Windows\system32\drivers\disk.sys
2010/12/06 19:30:42.0058 drmkaud (97fef831ab90bee128c9af390e243f80) C:\Windows\system32\drivers\drmkaud.sys
2010/12/06 19:30:42.0105 DXGKrnl (5c7e2097b91d689ded7a6ff90f0f3a25) C:\Windows\System32\drivers\dxgkrnl.sys
2010/12/06 19:30:42.0198 E100B (c0b00e55cf82d122d25983c7a6a53dea) C:\Windows\system32\DRIVERS\e100b325.sys
2010/12/06 19:30:42.0261 E1G60 (f88fb26547fd2ce6d0a5af2985892c48) C:\Windows\system32\DRIVERS\E1G60I32.sys
2010/12/06 19:30:42.0370 Ecache (7f64ea048dcfac7acf8b4d7b4e6fe371) C:\Windows\system32\drivers\ecache.sys
2010/12/06 19:30:42.0448 elxstor (e8f3f21a71720c84bcf423b80028359f) C:\Windows\system32\drivers\elxstor.sys
2010/12/06 19:30:42.0557 exfat (22b408651f9123527bcee54b4f6c5cae) C:\Windows\system32\drivers\exfat.sys
2010/12/06 19:30:42.0620 fastfat (1e9b9a70d332103c52995e957dc09ef8) C:\Windows\system32\drivers\fastfat.sys
2010/12/06 19:30:42.0682 fdc (63bdada84951b9c03e641800e176898a) C:\Windows\system32\DRIVERS\fdc.sys
2010/12/06 19:30:42.0744 FileInfo (a8c0139a884861e3aae9cfe73b208a9f) C:\Windows\system32\drivers\fileinfo.sys
2010/12/06 19:30:42.0822 Filetrace (0ae429a696aecbc5970e3cf2c62635ae) C:\Windows\system32\drivers\filetrace.sys
2010/12/06 19:30:42.0854 flpydisk (6603957eff5ec62d25075ea8ac27de68) C:\Windows\system32\DRIVERS\flpydisk.sys
2010/12/06 19:30:42.0900 FltMgr (01334f9ea68e6877c4ef05d3ea8abb05) C:\Windows\system32\drivers\fltmgr.sys
2010/12/06 19:30:42.0963 Fs_Rec (65ea8b77b5851854f0c55c43fa51a198) C:\Windows\system32\drivers\Fs_Rec.sys
2010/12/06 19:30:43.0010 gagp30kx (4e1cd0a45c50a8882616cae5bf82f3c5) C:\Windows\system32\drivers\gagp30kx.sys
2010/12/06 19:30:43.0072 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\Windows\system32\Drivers\GEARAspiWDM.sys
2010/12/06 19:30:43.0088 Suspicious service (NoAccess): geasszw
2010/12/06 19:30:43.0166 geasszw (bcbf932d179ed01cfa1f3b5896b1c13a) C:\Windows\system32\drivers\geasszw.sys
2010/12/06 19:30:43.0166 Suspicious file (NoAccess): C:\Windows\system32\drivers\geasszw.sys. md5: bcbf932d179ed01cfa1f3b5896b1c13a
2010/12/06 19:30:43.0166 geasszw - detected Locked service (1)
2010/12/06 19:30:43.0259 HBtnKey (de15777902a5d9121857d155873a1d1b) C:\Windows\system32\DRIVERS\cpqbttn.sys
2010/12/06 19:30:43.0306 HdAudAddService (7be40bb4cd16d8760e18ea981ff452ec) C:\Windows\system32\drivers\CHDART.sys
2010/12/06 19:30:43.0368 HDAudBus (062452b7ffd68c8c042a6261fe8dff4a) C:\Windows\system32\DRIVERS\HDAudBus.sys
2010/12/06 19:30:43.0431 HidBth (1338520e78d90154ed6be8f84de5fceb) C:\Windows\system32\drivers\hidbth.sys
2010/12/06 19:30:43.0446 HidIr (ff3160c3a2445128c5a6d9b076da519e) C:\Windows\system32\drivers\hidir.sys
2010/12/06 19:30:43.0556 HidUsb (cca4b519b17e23a00b826c55716809cc) C:\Windows\system32\DRIVERS\hidusb.sys
2010/12/06 19:30:43.0618 HpCISSs (df353b401001246853763c4b7aaa6f50) C:\Windows\system32\drivers\hpcisss.sys
2010/12/06 19:30:43.0696 HpqKbFiltr (35956140e686d53bf676cf0c778880fc) C:\Windows\system32\DRIVERS\HpqKbFiltr.sys
2010/12/06 19:30:43.0758 HSFHWAZL (46d67209550973257601a533e2ac5785) C:\Windows\system32\DRIVERS\VSTAZL3.SYS
2010/12/06 19:30:43.0883 HSF_DPV (cc267848cb3508e72762be65734e764d) C:\Windows\system32\DRIVERS\HSX_DPV.sys
2010/12/06 19:30:43.0946 HSXHWAZL (a2882945cc4b6e3e4e9e825590438888) C:\Windows\system32\DRIVERS\HSXHWAZL.sys
2010/12/06 19:30:44.0024 HTTP (f870aa3e254628ebeafe754108d664de) C:\Windows\system32\drivers\HTTP.sys
2010/12/06 19:30:44.0070 i2omp (324c2152ff2c61abae92d09f3cca4d63) C:\Windows\system32\drivers\i2omp.sys
2010/12/06 19:30:44.0117 i8042prt (22d56c8184586b7a1f6fa60be5f5a2bd) C:\Windows\system32\DRIVERS\i8042prt.sys
2010/12/06 19:30:44.0211 ialm (496db78e6a0c4c44023d9a92b4a7ac31) C:\Windows\system32\DRIVERS\igdkmd32.sys
2010/12/06 19:30:44.0304 iaStorV (c957bf4b5d80b46c5017bf0101e6c906) C:\Windows\system32\drivers\iastorv.sys
2010/12/06 19:30:44.0367 iirsp (2d077bf86e843f901d8db709c95b49a5) C:\Windows\system32\drivers\iirsp.sys
2010/12/06 19:30:44.0460 intelide (97469037714070e45194ed318d636401) C:\Windows\system32\drivers\intelide.sys
2010/12/06 19:30:44.0492 intelppm (ce44cc04262f28216dd4341e9e36a16f) C:\Windows\system32\DRIVERS\intelppm.sys
2010/12/06 19:30:44.0570 IpFilterDriver (62c265c38769b864cb25b4bcf62df6c3) C:\Windows\system32\DRIVERS\ipfltdrv.sys
2010/12/06 19:30:44.0648 IPMIDRV (40f34f8aba2a015d780e4b09138b6c17) C:\Windows\system32\drivers\ipmidrv.sys
2010/12/06 19:30:44.0710 IPNAT (8793643a67b42cec66490b2a0cf92d68) C:\Windows\system32\DRIVERS\ipnat.sys
2010/12/06 19:30:44.0788 IRENUM (109c0dfb82c3632fbd11949b73aeeac9) C:\Windows\system32\drivers\irenum.sys
2010/12/06 19:30:44.0835 isapnp (350fca7e73cf65bcef43fae1e4e91293) C:\Windows\system32\drivers\isapnp.sys
2010/12/06 19:30:44.0882 iScsiPrt (232fa340531d940aac623b121a595034) C:\Windows\system32\DRIVERS\msiscsi.sys
2010/12/06 19:30:44.0928 iteatapi (bced60d16156e428f8df8cf27b0df150) C:\Windows\system32\drivers\iteatapi.sys
2010/12/06 19:30:44.0975 iteraid (06fa654504a498c30adca8bec4e87e7e) C:\Windows\system32\drivers\iteraid.sys
2010/12/06 19:30:45.0022 kbdclass (37605e0a8cf00cbba538e753e4344c6e) C:\Windows\system32\DRIVERS\kbdclass.sys
2010/12/06 19:30:45.0069 kbdhid (ede59ec70e25c24581add1fbec7325f7) C:\Windows\system32\DRIVERS\kbdhid.sys
2010/12/06 19:30:45.0131 KSecDD (86165728af9bf72d6442a894fdfb4f8b) C:\Windows\system32\Drivers\ksecdd.sys
2010/12/06 19:30:45.0240 lltdio (d1c5883087a0c3f1344d9d55a44901f6) C:\Windows\system32\DRIVERS\lltdio.sys
2010/12/06 19:30:45.0303 LSI_FC (a2262fb9f28935e862b4db46438c80d2) C:\Windows\system32\drivers\lsi_fc.sys
2010/12/06 19:30:45.0334 LSI_SAS (30d73327d390f72a62f32c103daf1d6d) C:\Windows\system32\drivers\lsi_sas.sys
2010/12/06 19:30:45.0365 LSI_SCSI (e1e36fefd45849a95f1ab81de0159fe3) C:\Windows\system32\drivers\lsi_scsi.sys
2010/12/06 19:30:45.0412 luafv (8f5c7426567798e62a3b3614965d62cc) C:\Windows\system32\drivers\luafv.sys
2010/12/06 19:30:45.0459 mdmxsdk (0cea2d0d3fa284b85ed5b68365114f76) C:\Windows\system32\DRIVERS\mdmxsdk.sys
2010/12/06 19:30:45.0506 megasas (d153b14fc6598eae8422a2037553adce) C:\Windows\system32\drivers\megasas.sys
2010/12/06 19:30:45.0568 Modem (e13b5ea0f51ba5b1512ec671393d09ba) C:\Windows\system32\drivers\modem.sys
2010/12/06 19:30:45.0630 monitor (0a9bb33b56e294f686abb7c1e4e2d8a8) C:\Windows\system32\DRIVERS\monitor.sys
2010/12/06 19:30:45.0677 mouclass (5bf6a1326a335c5298477754a506d263) C:\Windows\system32\DRIVERS\mouclass.sys
2010/12/06 19:30:45.0708 mouhid (a3a6dff7e9e757db3df51a833bc28885) C:\Windows\system32\drivers\mouhid.sys
2010/12/06 19:30:45.0755 MountMgr (bdafc88aa6b92f7842416ea6a48e1600) C:\Windows\system32\drivers\mountmgr.sys
2010/12/06 19:30:45.0802 mpio (583a41f26278d9e0ea548163d6139397) C:\Windows\system32\drivers\mpio.sys
2010/12/06 19:30:45.0864 mpsdrv (22241feba9b2defa669c8cb0a8dd7d2e) C:\Windows\system32\drivers\mpsdrv.sys
2010/12/06 19:30:45.0927 Mraid35x (4fbbb70d30fd20ec51f80061703b001e) C:\Windows\system32\drivers\mraid35x.sys
2010/12/06 19:30:45.0989 MRxDAV (82cea0395524aacfeb58ba1448e8325c) C:\Windows\system32\drivers\mrxdav.sys
2010/12/06 19:30:46.0036 mrxsmb (454341e652bdf5e01b0f2140232b073e) C:\Windows\system32\DRIVERS\mrxsmb.sys
2010/12/06 19:30:46.0067 mrxsmb10 (2a4901aff069944fa945ed5bbf4dcde3) C:\Windows\system32\DRIVERS\mrxsmb10.sys
2010/12/06 19:30:46.0083 mrxsmb20 (28b3f1ab44bdd4432c041581412f17d9) C:\Windows\system32\DRIVERS\mrxsmb20.sys
2010/12/06 19:30:46.0145 msahci (742aed7939e734c36b7e8d6228ce26b7) C:\Windows\system32\drivers\msahci.sys
2010/12/06 19:30:46.0192 msdsm (3fc82a2ae4cc149165a94699183d3028) C:\Windows\system32\drivers\msdsm.sys
2010/12/06 19:30:46.0254 Msfs (a9927f4a46b816c92f461acb90cf8515) C:\Windows\system32\drivers\Msfs.sys
2010/12/06 19:30:46.0317 msisadrv (0f400e306f385c56317357d6dea56f62) C:\Windows\system32\drivers\msisadrv.sys
2010/12/06 19:30:46.0395 MSKSSRV (d8c63d34d9c9e56c059e24ec7185cc07) C:\Windows\system32\drivers\MSKSSRV.sys
2010/12/06 19:30:46.0442 MSPCLOCK (1d373c90d62ddb641d50e55b9e78d65e) C:\Windows\system32\drivers\MSPCLOCK.sys
2010/12/06 19:30:46.0473 MSPQM (b572da05bf4e098d4bba3a4734fb505b) C:\Windows\system32\drivers\MSPQM.sys
2010/12/06 19:30:46.0535 MsRPC (b49456d70555de905c311bcda6ec6adb) C:\Windows\system32\drivers\MsRPC.sys
2010/12/06 19:30:46.0566 mssmbios (e384487cb84be41d09711c30ca79646c) C:\Windows\system32\DRIVERS\mssmbios.sys
2010/12/06 19:30:46.0613 MSTEE (7199c1eec1e4993caf96b8c0a26bd58a) C:\Windows\system32\drivers\MSTEE.sys
2010/12/06 19:30:46.0644 Mup (6a57b5733d4cb702c8ea4542e836b96c) C:\Windows\system32\Drivers\mup.sys
2010/12/06 19:30:46.0707 NativeWifiP (85c44fdff9cf7e72a40dcb7ec06a4416) C:\Windows\system32\DRIVERS\nwifi.sys
2010/12/06 19:30:46.0769 NDIS (1357274d1883f68300aeadd15d7bbb42) C:\Windows\system32\drivers\ndis.sys
2010/12/06 19:30:46.0847 NdisTapi (0e186e90404980569fb449ba7519ae61) C:\Windows\system32\DRIVERS\ndistapi.sys
2010/12/06 19:30:46.0863 Ndisuio (d6973aa34c4d5d76c0430b181c3cd389) C:\Windows\system32\DRIVERS\ndisuio.sys
2010/12/06 19:30:46.0941 NdisWan (818f648618ae34f729fdb47ec68345c3) C:\Windows\system32\DRIVERS\ndiswan.sys
2010/12/06 19:30:47.0003 NDProxy (71dab552b41936358f3b541ae5997fb3) C:\Windows\system32\drivers\NDProxy.sys
2010/12/06 19:30:47.0066 NetBIOS (bcd093a5a6777cf626434568dc7dba78) C:\Windows\system32\DRIVERS\netbios.sys
2010/12/06 19:30:47.0128 netbt (ecd64230a59cbd93c85f1cd1cab9f3f6) C:\Windows\system32\DRIVERS\netbt.sys
2010/12/06 19:30:47.0206 nfrd960 (2e7fb731d4790a1bc6270accefacb36e) C:\Windows\system32\drivers\nfrd960.sys
2010/12/06 19:30:47.0237 Npfs (d36f239d7cce1931598e8fb90a0dbc26) C:\Windows\system32\drivers\Npfs.sys
2010/12/06 19:30:47.0284 nsiproxy (609773e344a97410ce4ebf74a8914fcf) C:\Windows\system32\drivers\nsiproxy.sys
2010/12/06 19:30:47.0378 Ntfs (6a4a98cee84cf9e99564510dda4baa47) C:\Windows\system32\drivers\Ntfs.sys
2010/12/06 19:30:47.0424 ntrigdigi (e875c093aec0c978a90f30c9e0dfbb72) C:\Windows\system32\drivers\ntrigdigi.sys
2010/12/06 19:30:47.0487 Null (c5dbbcda07d780bda9b685df333bb41e) C:\Windows\system32\drivers\Null.sys
2010/12/06 19:30:47.0565 NVENETFD (a1108084b0d2fc43dcc401735770e2a3) C:\Windows\system32\DRIVERS\nvmfdx32.sys
2010/12/06 19:30:47.0799 nvlddmkm (b36c3b866b0d47e2e2856ec8fd746e39) C:\Windows\system32\DRIVERS\nvlddmkm.sys
2010/12/06 19:30:48.0033 nvraid (e69e946f80c1c31c53003bfbf50cbb7c) C:\Windows\system32\drivers\nvraid.sys
2010/12/06 19:30:48.0080 nvsmu (9aebc32f9d6e02ebee0369ab296fe7c8) C:\Windows\system32\DRIVERS\nvsmu.sys
2010/12/06 19:30:48.0126 nvstor (9e0ba19a28c498a6d323d065db76dffc) C:\Windows\system32\drivers\nvstor.sys
2010/12/06 19:30:48.0173 nv_agp (07c186427eb8fcc3d8d7927187f260f7) C:\Windows\system32\drivers\nv_agp.sys
2010/12/06 19:30:48.0314 ohci1394 (be32da025a0be1878f0ee8d6d9386cd5) C:\Windows\system32\drivers\ohci1394.sys
2010/12/06 19:30:48.0376 Parport (0fa9b5055484649d63c303fe404e5f4d) C:\Windows\system32\drivers\parport.sys
2010/12/06 19:30:48.0423 partmgr (57389fa59a36d96b3eb09d0cb91e9cdc) C:\Windows\system32\drivers\partmgr.sys
2010/12/06 19:30:48.0454 Parvdm (4f9a6a8a31413180d0fcb279ad5d8112) C:\Windows\system32\drivers\parvdm.sys
2010/12/06 19:30:48.0516 pci (941dc1d19e7e8620f40bbc206981efdb) C:\Windows\system32\drivers\pci.sys
2010/12/06 19:30:48.0563 pciide (1636d43f10416aeb483bc6001097b26c) C:\Windows\system32\drivers\pciide.sys
2010/12/06 19:30:48.0626 pcmcia (e6f3fb1b86aa519e7698ad05e58b04e5) C:\Windows\system32\drivers\pcmcia.sys
2010/12/06 19:30:48.0688 PCTCore (807ff1dd6e1bdf8e7d2062fca0daecaf) C:\Windows\system32\drivers\PCTCore.sys
2010/12/06 19:30:48.0750 pctgntdi (d15669bd3e1cf18f00b46a7949ea541f) C:\Windows\System32\drivers\pctgntdi.sys
2010/12/06 19:30:48.0782 pctplsg (30c931fcb8df713bcd2fb7ce763a0b47) C:\Windows\System32\drivers\pctplsg.sys
2010/12/06 19:30:48.0844 PEAUTH (6349f6ed9c623b44b52ea3c63c831a92) C:\Windows\system32\drivers\peauth.sys
2010/12/06 19:30:49.0016 PptpMiniport (ecfffaec0c1ecd8dbc77f39070ea1db1) C:\Windows\system32\DRIVERS\raspptp.sys
2010/12/06 19:30:49.0062 Processor (0e3cef5d28b40cf273281d620c50700a) C:\Windows\system32\drivers\processr.sys
2010/12/06 19:30:49.0140 PSched (99514faa8df93d34b5589187db3aa0ba) C:\Windows\system32\DRIVERS\pacer.sys
2010/12/06 19:30:49.0203 PxHelp20 (49452bfcec22f36a7a9b9c2181bc3042) C:\Windows\system32\Drivers\PxHelp20.sys
2010/12/06 19:30:49.0296 ql2300 (ccdac889326317792480c0a67156a1ec) C:\Windows\system32\drivers\ql2300.sys
2010/12/06 19:30:49.0374 ql40xx (81a7e5c076e59995d54bc1ed3a16e60b) C:\Windows\system32\drivers\ql40xx.sys
2010/12/06 19:30:49.0421 QWAVEdrv (9f5e0e1926014d17486901c88eca2db7) C:\Windows\system32\drivers\qwavedrv.sys
2010/12/06 19:30:49.0546 RapportKELL (915b82d664cd38743a59b3a3524a5d3a) C:\Program Files\Trusteer\Rapport\bin\RapportKELL.sys
2010/12/06 19:30:49.0593 RapportPG (25f126fdd8df81a71ff518c914055cd8) C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys
2010/12/06 19:30:49.0640 RasAcd (147d7f9c556d259924351feb0de606c3) C:\Windows\system32\DRIVERS\rasacd.sys
2010/12/06 19:30:49.0702 Rasl2tp (a214adbaf4cb47dd2728859ef31f26b0) C:\Windows\system32\DRIVERS\rasl2tp.sys
2010/12/06 19:30:49.0749 RasPppoe (509a98dd18af4375e1fc40bc175f1def) C:\Windows\system32\DRIVERS\raspppoe.sys
2010/12/06 19:30:49.0796 RasSstp (2005f4a1e05fa09389ac85840f0a9e4d) C:\Windows\system32\DRIVERS\rassstp.sys
2010/12/06 19:30:49.0842 rdbss (b14c9d5b9add2f84f70570bbbfaa7935) C:\Windows\system32\DRIVERS\rdbss.sys
2010/12/06 19:30:49.0920 RDPCDD (89e59be9a564262a3fb6c4f4f1cd9899) C:\Windows\system32\DRIVERS\RDPCDD.sys
2010/12/06 19:30:49.0967 rdpdr (e8bd98d46f2ed77132ba927fccb47d8b) C:\Windows\system32\drivers\rdpdr.sys
2010/12/06 19:30:49.0998 RDPENCDD (9d91fe5286f748862ecffa05f8a0710c) C:\Windows\system32\drivers\rdpencdd.sys
2010/12/06 19:30:50.0061 RDPWD (30bfbdfb7f95559ede971f9ddb9a00ba) C:\Windows\system32\drivers\RDPWD.sys
2010/12/06 19:30:50.0154 rspndr (9c508f4074a39e8b4b31d27198146fad) C:\Windows\system32\DRIVERS\rspndr.sys
2010/12/06 19:30:50.0217 sbp2port (3ce8f073a557e172b330109436984e30) C:\Windows\system32\drivers\sbp2port.sys
2010/12/06 19:30:50.0310 sdbus (7b3973cc28b8aa3e9e2e5d53e720e2c9) C:\Windows\system32\DRIVERS\sdbus.sys
2010/12/06 19:30:50.0373 secdrv (90a3935d05b494a5a39d37e71f09a677) C:\Windows\system32\drivers\secdrv.sys
2010/12/06 19:30:50.0420 Serenum (68e44e331d46f0fb38f0863a84cd1a31) C:\Windows\system32\drivers\serenum.sys
2010/12/06 19:30:50.0451 Serial (c70d69a918b178d3c3b06339b40c2e1b) C:\Windows\system32\drivers\serial.sys
2010/12/06 19:30:50.0498 sermouse (8af3d28a879bf75db53a0ee7a4289624) C:\Windows\system32\drivers\sermouse.sys
2010/12/06 19:30:50.0560 sffdisk (103b79418da647736ee95645f305f68a) C:\Windows\system32\drivers\sffdisk.sys
2010/12/06 19:30:50.0591 sffp_mmc (8fd08a310645fe872eeec6e08c6bf3ee) C:\Windows\system32\drivers\sffp_mmc.sys
2010/12/06 19:30:50.0622 sffp_sd (9cfa05fcfcb7124e69cfc812b72f9614) C:\Windows\system32\drivers\sffp_sd.sys
2010/12/06 19:30:50.0654 sfloppy (46ed8e91793b2e6f848015445a0ac188) C:\Windows\system32\drivers\sfloppy.sys
2010/12/06 19:30:50.0716 sisagp (d2a595d6eebeeaf4334f8e50efbc9931) C:\Windows\system32\drivers\sisagp.sys
2010/12/06 19:30:50.0763 SiSRaid2 (cedd6f4e7d84e9f98b34b3fe988373aa) C:\Windows\system32\drivers\sisraid2.sys
2010/12/06 19:30:50.0794 SiSRaid4 (df843c528c4f69d12ce41ce462e973a7) C:\Windows\system32\drivers\sisraid4.sys
2010/12/06 19:30:50.0856 Smb (7b75299a4d201d6a6533603d6914ab04) C:\Windows\system32\DRIVERS\smb.sys
2010/12/06 19:30:50.0919 spldr (7aebdeef071fe28b0eef2cdd69102bff) C:\Windows\system32\drivers\spldr.sys
2010/12/06 19:30:50.0997 srv (ff3cbc13db84d81f56931bc922cc37c4) C:\Windows\system32\DRIVERS\srv.sys
2010/12/06 19:30:51.0012 srv2 (d15959d9f69f0d39a0153e9c244f20dd) C:\Windows\system32\DRIVERS\srv2.sys
2010/12/06 19:30:51.0044 srvnet (faa0d553a49e85008c6bb3781987c574) C:\Windows\system32\DRIVERS\srvnet.sys
2010/12/06 19:30:51.0122 swenum (7ba58ecf0c0a9a69d44b3dca62becf56) C:\Windows\system32\DRIVERS\swenum.sys
2010/12/06 19:30:51.0184 Symc8xx (192aa3ac01df071b541094f251deed10) C:\Windows\system32\drivers\symc8xx.sys
2010/12/06 19:30:51.0293 Sym_hi (8c8eb8c76736ebaf3b13b633b2e64125) C:\Windows\system32\drivers\sym_hi.sys
2010/12/06 19:30:51.0324 Sym_u3 (8072af52b5fd103bbba387a1e49f62cb) C:\Windows\system32\drivers\sym_u3.sys
2010/12/06 19:30:51.0387 SynTP (f5d926807bd9bc0af68f9376144de425) C:\Windows\system32\DRIVERS\SynTP.sys
2010/12/06 19:30:51.0480 Tcpip (a474879afa4a596b3a531f3e69730dbf) C:\Windows\system32\drivers\tcpip.sys
2010/12/06 19:30:51.0543 Tcpip6 (a474879afa4a596b3a531f3e69730dbf) C:\Windows\system32\DRIVERS\tcpip.sys
2010/12/06 19:30:51.0605 tcpipreg (608c345a255d82a6289c2d468eb41fd7) C:\Windows\system32\drivers\tcpipreg.sys
2010/12/06 19:30:51.0652 TDPIPE (5dcf5e267be67a1ae926f2df77fbcc56) C:\Windows\system32\drivers\tdpipe.sys
2010/12/06 19:30:51.0699 TDTCP (389c63e32b3cefed425b61ed92d3f021) C:\Windows\system32\drivers\tdtcp.sys
2010/12/06 19:30:51.0761 tdx (76b06eb8a01fc8624d699e7045303e54) C:\Windows\system32\DRIVERS\tdx.sys
2010/12/06 19:30:51.0808 TermDD (3cad38910468eab9a6479e2f01db43c7) C:\Windows\system32\DRIVERS\termdd.sys
2010/12/06 19:30:51.0870 TfFsMon (d2a1cd31200a6c9d3dfad022503e4836) C:\Windows\system32\drivers\TfFsMon.sys
2010/12/06 19:30:51.0933 TfNetMon (3e3a544d10b0ac1c4c133048f84390ac) C:\Windows\system32\drivers\TfNetMon.sys
2010/12/06 19:30:51.0980 TfSysMon (706be7328a35c39dbe449e10c1ac6a38) C:\Windows\system32\drivers\TfSysMon.sys
2010/12/06 19:30:52.0058 tssecsrv (dcf0f056a2e4f52287264f5ab29cf206) C:\Windows\system32\DRIVERS\tssecsrv.sys
2010/12/06 19:30:52.0136 tunmp (caecc0120ac49e3d2f758b9169872d38) C:\Windows\system32\DRIVERS\tunmp.sys
2010/12/06 19:30:52.0167 tunnel (300db877ac094feab0be7688c3454a9c) C:\Windows\system32\DRIVERS\tunnel.sys
2010/12/06 19:30:52.0198 uagp35 (c3ade15414120033a36c0f293d4a4121) C:\Windows\system32\drivers\uagp35.sys
2010/12/06 19:30:52.0260 udfs (d9728af68c4c7693cb100b8441cbdec6) C:\Windows\system32\DRIVERS\udfs.sys
2010/12/06 19:30:52.0323 uliagpkx (75e6890ebfce0841d3291b02e7a8bdb0) C:\Windows\system32\drivers\uliagpkx.sys
2010/12/06 19:30:52.0370 uliahci (3cd4ea35a6221b85dcc25daa46313f8d) C:\Windows\system32\drivers\uliahci.sys
2010/12/06 19:30:52.0416 UlSata (8514d0e5cd0534467c5fc61be94a569f) C:\Windows\system32\drivers\ulsata.sys
2010/12/06 19:30:52.0448 ulsata2 (38c3c6e62b157a6bc46594fada45c62b) C:\Windows\system32\drivers\ulsata2.sys
2010/12/06 19:30:52.0510 umbus (32cff9f809ae9aed85464492bf3e32d2) C:\Windows\system32\DRIVERS\umbus.sys
2010/12/06 19:30:52.0572 USBAAPL (60a68a5ea173a97971ee9f1ff49eb2b3) C:\Windows\system32\Drivers\usbaapl.sys
2010/12/06 19:30:52.0635 usbaudio (32db9517628ff0d070682aab61e688f0) C:\Windows\system32\drivers\usbaudio.sys
2010/12/06 19:30:52.0682 usbccgp (caf811ae4c147ffcd5b51750c7f09142) C:\Windows\system32\DRIVERS\usbccgp.sys
2010/12/06 19:30:52.0744 usbcir (e9476e6c486e76bc4898074768fb7131) C:\Windows\system32\drivers\usbcir.sys
2010/12/06 19:30:52.0791 usbehci (79e96c23a97ce7b8f14d310da2db0c9b) C:\Windows\system32\DRIVERS\usbehci.sys
2010/12/06 19:30:52.0822 usbhub (4673bbcb006af60e7abddbe7a130ba42) C:\Windows\system32\DRIVERS\usbhub.sys
2010/12/06 19:30:52.0853 usbohci (ce697fee0d479290d89bec80dfe793b7) C:\Windows\system32\DRIVERS\usbohci.sys
2010/12/06 19:30:52.0916 usbprint (e75c4b5269091d15a2e7dc0b6d35f2f5) C:\Windows\system32\DRIVERS\usbprint.sys
2010/12/06 19:30:52.0994 usbscan (a508c9bd8724980512136b039bba65e9) C:\Windows\system32\DRIVERS\usbscan.sys
2010/12/06 19:30:53.0056 USBSTOR (be3da31c191bc222d9ad503c5224f2ad) C:\Windows\system32\DRIVERS\USBSTOR.SYS
2010/12/06 19:30:53.0103 usbuhci (325dbbacb8a36af9988ccf40eac228cc) C:\Windows\system32\DRIVERS\usbuhci.sys
2010/12/06 19:30:53.0181 usbvideo (e67998e8f14cb0627a769f6530bcb352) C:\Windows\system32\Drivers\usbvideo.sys
2010/12/06 19:30:53.0259 vga (7d92be0028ecdedec74617009084b5ef) C:\Windows\system32\DRIVERS\vgapnp.sys
2010/12/06 19:30:53.0306 VgaSave (2e93ac0a1d8c79d019db6c51f036636c) C:\Windows\System32\drivers\vga.sys
2010/12/06 19:30:53.0337 viaagp (045d9961e591cf0674a920b6ba3ba5cb) C:\Windows\system32\drivers\viaagp.sys
2010/12/06 19:30:53.0352 ViaC7 (56a4de5f02f2e88182b0981119b4dd98) C:\Windows\system32\drivers\viac7.sys
2010/12/06 19:30:53.0399 viaide (fd2e3175fcada350c7ab4521dca187ec) C:\Windows\system32\drivers\viaide.sys
2010/12/06 19:30:53.0446 volmgr (69503668ac66c77c6cd7af86fbdf8c43) C:\Windows\system32\drivers\volmgr.sys
2010/12/06 19:30:53.0493 volmgrx (23e41b834759917bfd6b9a0d625d0c28) C:\Windows\system32\drivers\volmgrx.sys
2010/12/06 19:30:53.0540 volsnap (147281c01fcb1df9252de2a10d5e7093) C:\Windows\system32\drivers\volsnap.sys
2010/12/06 19:30:53.0571 vsmraid (d984439746d42b30fc65a4c3546c6829) C:\Windows\system32\drivers\vsmraid.sys
2010/12/06 19:30:53.0664 WacomPen (48dfee8f1af7c8235d4e626f0c4fe031) C:\Windows\system32\drivers\wacompen.sys
2010/12/06 19:30:53.0711 Wanarp (55201897378cca7af8b5efd874374a26) C:\Windows\system32\DRIVERS\wanarp.sys
2010/12/06 19:30:53.0727 Wanarpv6 (55201897378cca7af8b5efd874374a26) C:\Windows\system32\DRIVERS\wanarp.sys
2010/12/06 19:30:53.0789 Wd (afc5ad65b991c1e205cf25cfdbf7a6f4) C:\Windows\system32\drivers\wd.sys
2010/12/06 19:30:53.0852 Wdf01000 (b6f0a7ad6d4bd325fbcd8bac96cd8d96) C:\Windows\system32\drivers\Wdf01000.sys
2010/12/06 19:30:53.0992 winachsf (0acd399f5db3df1b58903cf4949ab5a8) C:\Windows\system32\DRIVERS\HSX_CNXT.sys
2010/12/06 19:30:54.0101 WmiAcpi (2e7255d172df0b8283cdfb7b433b864e) C:\Windows\system32\DRIVERS\wmiacpi.sys
2010/12/06 19:30:54.0195 ws2ifsl (e3a3cb253c0ec2494d4a61f5e43a389c) C:\Windows\system32\drivers\ws2ifsl.sys
2010/12/06 19:30:54.0273 WUDFRd (ac13cb789d93412106b0fb6c7eb2bcb6) C:\Windows\system32\DRIVERS\WUDFRd.sys
2010/12/06 19:30:54.0335 XAudio (dab33cfa9dd24251aaa389ff36b64d4b) C:\Windows\system32\DRIVERS\xaudio.sys
2010/12/06 19:30:54.0429 ================================================================================
2010/12/06 19:30:54.0429 Scan finished
2010/12/06 19:30:54.0429 ================================================================================
2010/12/06 19:30:54.0460 Detected object count: 1
2010/12/06 19:31:44.0661 Locked service(geasszw) - User select action: Skip
2010/12/06 19:31:52.0820 ================================================================================
2010/12/06 19:31:52.0820 Scan started
2010/12/06 19:31:52.0820 Mode: Manual;
2010/12/06 19:31:52.0820 ================================================================================
2010/12/06 19:31:53.0584 ACPI (82b296ae1892fe3dbee00c9cf92f8ac7) C:\Windows\system32\drivers\acpi.sys
2010/12/06 19:31:53.0646 adp94xx (2edc5bbac6c651ece337bde8ed97c9fb) C:\Windows\system32\drivers\adp94xx.sys
2010/12/06 19:31:53.0693 adpahci (b84088ca3cdca97da44a984c6ce1ccad) C:\Windows\system32\drivers\adpahci.sys
2010/12/06 19:31:53.0724 adpu160m (7880c67bccc27c86fd05aa2afb5ea469) C:\Windows\system32\drivers\adpu160m.sys
2010/12/06 19:31:53.0771 adpu320 (9ae713f8e30efc2abccd84904333df4d) C:\Windows\system32\drivers\adpu320.sys
2010/12/06 19:31:53.0834 Afc (fe3ea6e9afc1a78e6edca121e006afb7) C:\Windows\system32\drivers\Afc.sys
2010/12/06 19:31:53.0896 AFD (a201207363aa900abf1a388468688570) C:\Windows\system32\drivers\afd.sys
2010/12/06 19:31:53.0927 agp440 (ef23439cdd587f64c2c1b8825cead7d8) C:\Windows\system32\drivers\agp440.sys
2010/12/06 19:31:53.0958 aic78xx (ae1fdf7bf7bb6c6a70f67699d880592a) C:\Windows\system32\drivers\djsvs.sys
2010/12/06 19:31:54.0005 aliide (90395b64600ebb4552e26e178c94b2e4) C:\Windows\system32\drivers\aliide.sys
2010/12/06 19:31:54.0021 amdagp (2b13e304c9dfdfa5eb582f6a149fa2c7) C:\Windows\system32\drivers\amdagp.sys
2010/12/06 19:31:54.0068 amdide (0577df1d323fe75a739c787893d300ea) C:\Windows\system32\drivers\amdide.sys
2010/12/06 19:31:54.0099 AmdK7 (dc487885bcef9f28eece6fac0e5ddfc5) C:\Windows\system32\drivers\amdk7.sys
2010/12/06 19:31:54.0146 AmdK8 (93ae7f7dd54ab986a6f1a1b37be7442d) C:\Windows\system32\DRIVERS\amdk8.sys
2010/12/06 19:31:54.0224 APL531 (1fc8a7e5c3aed31f00940c6ab2fd9b49) C:\Windows\system32\Drivers\ov550i.sys
2010/12/06 19:31:54.0286 arc (5f673180268bb1fdb69c99b6619fe379) C:\Windows\system32\drivers\arc.sys
2010/12/06 19:31:54.0317 arcsas (957f7540b5e7f602e44648c7de5a1c05) C:\Windows\system32\drivers\arcsas.sys
2010/12/06 19:31:54.0364 AsyncMac (53b202abee6455406254444303e87be1) C:\Windows\system32\DRIVERS\asyncmac.sys
2010/12/06 19:31:54.0426 atapi (1f05b78ab91c9075565a9d8a4b880bc4) C:\Windows\system32\drivers\atapi.sys
2010/12/06 19:31:54.0489 athr (0437199c88f6e88a387cfec8a8886a6e) C:\Windows\system32\DRIVERS\athr.sys
2010/12/06 19:31:54.0567 AVGIDSEH (20a2d48722cf055c846bdeafa4f733ce) C:\Windows\system32\DRIVERS\AVGIDSEH.Sys
2010/12/06 19:31:54.0629 BCM43XV (cf6a67c90951e3e763d2135dede44b85) C:\Windows\system32\DRIVERS\bcmwl6.sys
2010/12/06 19:31:54.0676 Beep (67e506b75bd5326a3ec7b70bd014dfb6) C:\Windows\system32\drivers\Beep.sys
2010/12/06 19:31:54.0801 bowser (74b442b2be1260b7588c136177ceac66) C:\Windows\system32\DRIVERS\bowser.sys
2010/12/06 19:31:54.0832 BrFiltLo (9f9acc7f7ccde8a15c282d3f88b43309) C:\Windows\system32\drivers\brfiltlo.sys
2010/12/06 19:31:54.0879 BrFiltUp (56801ad62213a41f6497f96dee83755a) C:\Windows\system32\drivers\brfiltup.sys
2010/12/06 19:31:54.0910 Brserid (b304e75cff293029eddf094246747113) C:\Windows\system32\drivers\brserid.sys
2010/12/06 19:31:54.0941 BrSerWdm (203f0b1e73adadbbb7b7b1fabd901f6b) C:\Windows\system32\drivers\brserwdm.sys
2010/12/06 19:31:54.0972 BrUsbMdm (bd456606156ba17e60a04e18016ae54b) C:\Windows\system32\drivers\brusbmdm.sys
2010/12/06 19:31:55.0004 BrUsbSer (af72ed54503f717a43268b3cc5faec2e) C:\Windows\system32\drivers\brusbser.sys
2010/12/06 19:31:55.0035 BTHMODEM (ad07c1ec6665b8b35741ab91200c6b68) C:\Windows\system32\drivers\bthmodem.sys
2010/12/06 19:31:55.0097 cdfs (7add03e75beb9e6dd102c3081d29840a) C:\Windows\system32\DRIVERS\cdfs.sys
2010/12/06 19:31:55.0128 cdrom (6b4bffb9becd728097024276430db314) C:\Windows\system32\DRIVERS\cdrom.sys
2010/12/06 19:31:55.0175 circlass (da8e0afc7baa226c538ef53ac2f90897) C:\Windows\system32\drivers\circlass.sys
2010/12/06 19:31:55.0253 CLFS (d7659d3b5b92c31e84e53c1431f35132) C:\Windows\system32\CLFS.sys
2010/12/06 19:31:55.0300 CmBatt (99afc3795b58cc478fbbbcdc658fcb56) C:\Windows\system32\DRIVERS\CmBatt.sys
2010/12/06 19:31:55.0331 cmdide (45201046c776ffdaf3fc8a0029c581c8) C:\Windows\system32\drivers\cmdide.sys
2010/12/06 19:31:55.0378 CnxtHdAudService (b6e7991e3d6146c04c85cd31af22a381) C:\Windows\system32\drivers\CHDRT32.sys
2010/12/06 19:31:55.0409 Compbatt (6afef0b60fa25de07c0968983ee4f60a) C:\Windows\system32\DRIVERS\compbatt.sys
2010/12/06 19:31:55.0440 crcdisk (2a213ae086bbec5e937553c7d9a2b22c) C:\Windows\system32\drivers\crcdisk.sys
2010/12/06 19:31:55.0487 Crusoe (22a7f883508176489f559ee745b5bf5d) C:\Windows\system32\drivers\crusoe.sys
2010/12/06 19:31:55.0581 DfsC (218d8ae46c88e82014f5d73d0236d9b2) C:\Windows\system32\Drivers\dfsc.sys
2010/12/06 19:31:55.0643 disk (5d4aefc3386920236a548271f8f1af6a) C:\Windows\system32\drivers\disk.sys
2010/12/06 19:31:55.0721 drmkaud (97fef831ab90bee128c9af390e243f80) C:\Windows\system32\drivers\drmkaud.sys
2010/12/06 19:31:55.0784 DXGKrnl (5c7e2097b91d689ded7a6ff90f0f3a25) C:\Windows\System32\drivers\dxgkrnl.sys
2010/12/06 19:31:55.0815 E100B (c0b00e55cf82d122d25983c7a6a53dea) C:\Windows\system32\DRIVERS\e100b325.sys
2010/12/06 19:31:55.0877 E1G60 (f88fb26547fd2ce6d0a5af2985892c48) C:\Windows\system32\DRIVERS\E1G60I32.sys
2010/12/06 19:31:55.0955 Ecache (7f64ea048dcfac7acf8b4d7b4e6fe371) C:\Windows\system32\drivers\ecache.sys
2010/12/06 19:31:56.0033 elxstor (e8f3f21a71720c84bcf423b80028359f) C:\Windows\system32\drivers\elxstor.sys
2010/12/06 19:31:56.0142 exfat (22b408651f9123527bcee54b4f6c5cae) C:\Windows\system32\drivers\exfat.sys
2010/12/06 19:31:56.0189 fastfat (1e9b9a70d332103c52995e957dc09ef8) C:\Windows\system32\drivers\fastfat.sys
2010/12/06 19:31:56.0236 fdc (63bdada84951b9c03e641800e176898a) C:\Windows\system32\DRIVERS\fdc.sys
2010/12/06 19:31:56.0298 FileInfo (a8c0139a884861e3aae9cfe73b208a9f) C:\Windows\system32\drivers\fileinfo.sys
2010/12/06 19:31:56.0345 Filetrace (0ae429a696aecbc5970e3cf2c62635ae) C:\Windows\system32\drivers\filetrace.sys
2010/12/06 19:31:56.0361 flpydisk (6603957eff5ec62d25075ea8ac27de68) C:\Windows\system32\DRIVERS\flpydisk.sys
2010/12/06 19:31:56.0408 FltMgr (01334f9ea68e6877c4ef05d3ea8abb05) C:\Windows\system32\drivers\fltmgr.sys
2010/12/06 19:31:56.0454 Fs_Rec (65ea8b77b5851854f0c55c43fa51a198) C:\Windows\system32\drivers\Fs_Rec.sys
2010/12/06 19:31:56.0486 gagp30kx (4e1cd0a45c50a8882616cae5bf82f3c5) C:\Windows\system32\drivers\gagp30kx.sys
2010/12/06 19:31:56.0532 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\Windows\system32\Drivers\GEARAspiWDM.sys
2010/12/06 19:31:56.0548 Suspicious service (NoAccess): geasszw
2010/12/06 19:31:56.0595 geasszw (bcbf932d179ed01cfa1f3b5896b1c13a) C:\Windows\system32\drivers\geasszw.sys
2010/12/06 19:31:56.0595 Suspicious file (NoAccess): C:\Windows\system32\drivers\geasszw.sys. md5: bcbf932d179ed01cfa1f3b5896b1c13a
2010/12/06 19:31:56.0610 geasszw - detected Locked service (1)
2010/12/06 19:31:56.0688 HBtnKey (de15777902a5d9121857d155873a1d1b) C:\Windows\system32\DRIVERS\cpqbttn.sys
2010/12/06 19:31:56.0720 HdAudAddService (7be40bb4cd16d8760e18ea981ff452ec) C:\Windows\system32\drivers\CHDART.sys
2010/12/06 19:31:56.0782 HDAudBus (062452b7ffd68c8c042a6261fe8dff4a) C:\Windows\system32\DRIVERS\HDAudBus.sys
2010/12/06 19:31:56.0844 HidBth (1338520e78d90154ed6be8f84de5fceb) C:\Windows\system32\drivers\hidbth.sys
2010/12/06 19:31:56.0876 HidIr (ff3160c3a2445128c5a6d9b076da519e) C:\Windows\system32\drivers\hidir.sys
2010/12/06 19:31:56.0922 HidUsb (cca4b519b17e23a00b826c55716809cc) C:\Windows\system32\DRIVERS\hidusb.sys
2010/12/06 19:31:56.0969 HpCISSs (df353b401001246853763c4b7aaa6f50) C:\Windows\system32\drivers\hpcisss.sys
2010/12/06 19:31:57.0000 HpqKbFiltr (35956140e686d53bf676cf0c778880fc) C:\Windows\system32\DRIVERS\HpqKbFiltr.sys
2010/12/06 19:31:57.0047 HSFHWAZL (46d67209550973257601a533e2ac5785) C:\Windows\system32\DRIVERS\VSTAZL3.SYS
2010/12/06 19:31:57.0110 HSF_DPV (cc267848cb3508e72762be65734e764d) C:\Windows\system32\DRIVERS\HSX_DPV.sys
2010/12/06 19:31:57.0156 HSXHWAZL (a2882945cc4b6e3e4e9e825590438888) C:\Windows\system32\DRIVERS\HSXHWAZL.sys
2010/12/06 19:31:57.0219 HTTP (f870aa3e254628ebeafe754108d664de) C:\Windows\system32\drivers\HTTP.sys
2010/12/06 19:31:57.0250 i2omp (324c2152ff2c61abae92d09f3cca4d63) C:\Windows\system32\drivers\i2omp.sys
2010/12/06 19:31:57.0281 i8042prt (22d56c8184586b7a1f6fa60be5f5a2bd) C:\Windows\system32\DRIVERS\i8042prt.sys
2010/12/06 19:31:57.0375 ialm (496db78e6a0c4c44023d9a92b4a7ac31) C:\Windows\system32\DRIVERS\igdkmd32.sys
2010/12/06 19:31:57.0422 iaStorV (c957bf4b5d80b46c5017bf0101e6c906) C:\Windows\system32\drivers\iastorv.sys
2010/12/06 19:31:57.0484 iirsp (2d077bf86e843f901d8db709c95b49a5) C:\Windows\system32\drivers\iirsp.sys
2010/12/06 19:31:57.0546 intelide (97469037714070e45194ed318d636401) C:\Windows\system32\drivers\intelide.sys
2010/12/06 19:31:57.0578 intelppm (ce44cc04262f28216dd4341e9e36a16f) C:\Windows\system32\DRIVERS\intelppm.sys
2010/12/06 19:31:57.0640 IpFilterDriver (62c265c38769b864cb25b4bcf62df6c3) C:\Windows\system32\DRIVERS\ipfltdrv.sys
2010/12/06 19:31:57.0718 IPMIDRV (40f34f8aba2a015d780e4b09138b6c17) C:\Windows\system32\drivers\ipmidrv.sys
2010/12/06 19:31:57.0780 IPNAT (8793643a67b42cec66490b2a0cf92d68) C:\Windows\system32\DRIVERS\ipnat.sys
2010/12/06 19:31:57.0843 IRENUM (109c0dfb82c3632fbd11949b73aeeac9) C:\Windows\system32\drivers\irenum.sys
2010/12/06 19:31:57.0890 isapnp (350fca7e73cf65bcef43fae1e4e91293) C:\Windows\system32\drivers\isapnp.sys
2010/12/06 19:31:57.0936 iScsiPrt (232fa340531d940aac623b121a595034) C:\Windows\system32\DRIVERS\msiscsi.sys
2010/12/06 19:31:57.0983 iteatapi (bced60d16156e428f8df8cf27b0df150) C:\Windows\system32\drivers\iteatapi.sys
2010/12/06 19:31:57.0999 iteraid (06fa654504a498c30adca8bec4e87e7e) C:\Windows\system32\drivers\iteraid.sys
2010/12/06 19:31:58.0046 kbdclass (37605e0a8cf00cbba538e753e4344c6e) C:\Windows\system32\DRIVERS\kbdclass.sys
2010/12/06 19:31:58.0108 kbdhid (ede59ec70e25c24581add1fbec7325f7) C:\Windows\system32\DRIVERS\kbdhid.sys
2010/12/06 19:31:58.0170 KSecDD (86165728af9bf72d6442a894fdfb4f8b) C:\Windows\system32\Drivers\ksecdd.sys
2010/12/06 19:31:58.0248 lltdio (d1c5883087a0c3f1344d9d55a44901f6) C:\Windows\system32\DRIVERS\lltdio.sys
2010/12/06 19:31:58.0295 LSI_FC (a2262fb9f28935e862b4db46438c80d2) C:\Windows\system32\drivers\lsi_fc.sys
2010/12/06 19:31:58.0326 LSI_SAS (30d73327d390f72a62f32c103daf1d6d) C:\Windows\system32\drivers\lsi_sas.sys
2010/12/06 19:31:58.0358 LSI_SCSI (e1e36fefd45849a95f1ab81de0159fe3) C:\Windows\system32\drivers\lsi_scsi.sys
2010/12/06 19:31:58.0404 luafv (8f5c7426567798e62a3b3614965d62cc) C:\Windows\system32\drivers\luafv.sys
2010/12/06 19:31:58.0467 mdmxsdk (0cea2d0d3fa284b85ed5b68365114f76) C:\Windows\system32\DRIVERS\mdmxsdk.sys
2010/12/06 19:31:58.0498 megasas (d153b14fc6598eae8422a2037553adce) C:\Windows\system32\drivers\megasas.sys
2010/12/06 19:31:58.0560 Modem (e13b5ea0f51ba5b1512ec671393d09ba) C:\Windows\system32\drivers\modem.sys
2010/12/06 19:31:58.0607 monitor (0a9bb33b56e294f686abb7c1e4e2d8a8) C:\Windows\system32\DRIVERS\monitor.sys
2010/12/06 19:31:58.0670 mouclass (5bf6a1326a335c5298477754a506d263) C:\Windows\system32\DRIVERS\mouclass.sys
2010/12/06 19:31:58.0701 mouhid (a3a6dff7e9e757db3df51a833bc28885) C:\Windows\system32\drivers\mouhid.sys
2010/12/06 19:31:58.0763 MountMgr (bdafc88aa6b92f7842416ea6a48e1600) C:\Windows\system32\drivers\mountmgr.sys
2010/12/06 19:31:58.0794 mpio (583a41f26278d9e0ea548163d6139397) C:\Windows\system32\drivers\mpio.sys
2010/12/06 19:31:58.0841 mpsdrv (22241feba9b2defa669c8cb0a8dd7d2e) C:\Windows\system32\drivers\mpsdrv.sys
2010/12/06 19:31:58.0888 Mraid35x (4fbbb70d30fd20ec51f80061703b001e) C:\Windows\system32\drivers\mraid35x.sys
2010/12/06 19:31:58.0950 MRxDAV (82cea0395524aacfeb58ba1448e8325c) C:\Windows\system32\drivers\mrxdav.sys
2010/12/06 19:31:58.0982 mrxsmb (454341e652bdf5e01b0f2140232b073e) C:\Windows\system32\DRIVERS\mrxsmb.sys
2010/12/06 19:31:59.0013 mrxsmb10 (2a4901aff069944fa945ed5bbf4dcde3) C:\Windows\system32\DRIVERS\mrxsmb10.sys
2010/12/06 19:31:59.0044 mrxsmb20 (28b3f1ab44bdd4432c041581412f17d9) C:\Windows\system32\DRIVERS\mrxsmb20.sys
2010/12/06 19:31:59.0075 msahci (742aed7939e734c36b7e8d6228ce26b7) C:\Windows\system32\drivers\msahci.sys
2010/12/06 19:31:59.0106 msdsm (3fc82a2ae4cc149165a94699183d3028) C:\Windows\system32\drivers\msdsm.sys
2010/12/06 19:31:59.0184 Msfs (a9927f4a46b816c92f461acb90cf8515) C:\Windows\system32\drivers\Msfs.sys
2010/12/06 19:31:59.0247 msisadrv (0f400e306f385c56317357d6dea56f62) C:\Windows\system32\drivers\msisadrv.sys
2010/12/06 19:31:59.0294 MSKSSRV (d8c63d34d9c9e56c059e24ec7185cc07) C:\Windows\system32\drivers\MSKSSRV.sys
2010/12/06 19:31:59.0340 MSPCLOCK (1d373c90d62ddb641d50e55b9e78d65e) C:\Windows\system32\drivers\MSPCLOCK.sys
2010/12/06 19:31:59.0387 MSPQM (b572da05bf4e098d4bba3a4734fb505b) C:\Windows\system32\drivers\MSPQM.sys
2010/12/06 19:31:59.0465 MsRPC (b49456d70555de905c311bcda6ec6adb) C:\Windows\system32\drivers\MsRPC.sys
2010/12/06 19:31:59.0496 mssmbios (e384487cb84be41d09711c30ca79646c) C:\Windows\system32\DRIVERS\mssmbios.sys
2010/12/06 19:31:59.0528 MSTEE (7199c1eec1e4993caf96b8c0a26bd58a) C:\Windows\system32\drivers\MSTEE.sys
2010/12/06 19:31:59.0574 Mup (6a57b5733d4cb702c8ea4542e836b96c) C:\Windows\system32\Drivers\mup.sys
2010/12/06 19:31:59.0637 NativeWifiP (85c44fdff9cf7e72a40dcb7ec06a4416) C:\Windows\system32\DRIVERS\nwifi.sys
2010/12/06 19:31:59.0668 NDIS (1357274d1883f68300aeadd15d7bbb42) C:\Windows\system32\drivers\ndis.sys
2010/12/06 19:31:59.0715 NdisTapi (0e186e90404980569fb449ba7519ae61) C:\Windows\system32\DRIVERS\ndistapi.sys
2010/12/06 19:31:59.0746 Ndisuio (d6973aa34c4d5d76c0430b181c3cd389) C:\Windows\system32\DRIVERS\ndisuio.sys
2010/12/06 19:31:59.0808 NdisWan (818f648618ae34f729fdb47ec68345c3) C:\Windows\system32\DRIVERS\ndiswan.sys
2010/12/06 19:31:59.0871 NDProxy (71dab552b41936358f3b541ae5997fb3) C:\Windows\system32\drivers\NDProxy.sys
2010/12/06 19:31:59.0918 NetBIOS (bcd093a5a6777cf626434568dc7dba78) C:\Windows\system32\DRIVERS\netbios.sys
2010/12/06 19:31:59.0949 netbt (ecd64230a59cbd93c85f1cd1cab9f3f6) C:\Windows\system32\DRIVERS\netbt.sys
2010/12/06 19:32:00.0027 nfrd960 (2e7fb731d4790a1bc6270accefacb36e) C:\Windows\system32\drivers\nfrd960.sys
2010/12/06 19:32:00.0074 Npfs (d36f239d7cce1931598e8fb90a0dbc26) C:\Windows\system32\drivers\Npfs.sys
2010/12/06 19:32:00.0120 nsiproxy (609773e344a97410ce4ebf74a8914fcf) C:\Windows\system32\drivers\nsiproxy.sys
2010/12/06 19:32:00.0214 Ntfs (6a4a98cee84cf9e99564510dda4baa47) C:\Windows\system32\drivers\Ntfs.sys
2010/12/06 19:32:00.0261 ntrigdigi (e875c093aec0c978a90f30c9e0dfbb72) C:\Windows\system32\drivers\ntrigdigi.sys
2010/12/06 19:32:00.0308 Null (c5dbbcda07d780bda9b685df333bb41e) C:\Windows\system32\drivers\Null.sys
2010/12/06 19:32:00.0370 NVENETFD (a1108084b0d2fc43dcc401735770e2a3) C:\Windows\system32\DRIVERS\nvmfdx32.sys
2010/12/06 19:32:00.0604 nvlddmkm (b36c3b866b0d47e2e2856ec8fd746e39) C:\Windows\system32\DRIVERS\nvlddmkm.sys
2010/12/06 19:32:00.0666 nvraid (e69e946f80c1c31c53003bfbf50cbb7c) C:\Windows\system32\drivers\nvraid.sys
2010/12/06 19:32:00.0698 nvsmu (9aebc32f9d6e02ebee0369ab296fe7c8) C:\Windows\system32\DRIVERS\nvsmu.sys
2010/12/06 19:32:00.0744 nvstor (9e0ba19a28c498a6d323d065db76dffc) C:\Windows\system32\drivers\nvstor.sys
2010/12/06 19:32:00.0807 nv_agp (07c186427eb8fcc3d8d7927187f260f7) C:\Windows\system32\drivers\nv_agp.sys
2010/12/06 19:32:00.0900 ohci1394 (be32da025a0be1878f0ee8d6d9386cd5) C:\Windows\system32\drivers\ohci1394.sys
2010/12/06 19:32:00.0963 Parport (0fa9b5055484649d63c303fe404e5f4d) C:\Windows\system32\drivers\parport.sys
2010/12/06 19:32:01.0025 partmgr (57389fa59a36d96b3eb09d0cb91e9cdc) C:\Windows\system32\drivers\partmgr.sys
2010/12/06 19:32:01.0056 Parvdm (4f9a6a8a31413180d0fcb279ad5d8112) C:\Windows\system32\drivers\parvdm.sys
2010/12/06 19:32:01.0119 pci (941dc1d19e7e8620f40bbc206981efdb) C:\Windows\system32\drivers\pci.sys
2010/12/06 19:32:01.0134 pciide (1636d43f10416aeb483bc6001097b26c) C:\Windows\system32\drivers\pciide.sys
2010/12/06 19:32:01.0181 pcmcia (e6f3fb1b86aa519e7698ad05e58b04e5) C:\Windows\system32\drivers\pcmcia.sys
2010/12/06 19:32:01.0244 PCTCore (807ff1dd6e1bdf8e7d2062fca0daecaf) C:\Windows\system32\drivers\PCTCore.sys
2010/12/06 19:32:01.0275 pctgntdi (d15669bd3e1cf18f00b46a7949ea541f) C:\Windows\System32\drivers\pctgntdi.sys
2010/12/06 19:32:01.0306 pctplsg (30c931fcb8df713bcd2fb7ce763a0b47) C:\Windows\System32\drivers\pctplsg.sys
2010/12/06 19:32:01.0353 PEAUTH (6349f6ed9c623b44b52ea3c63c831a92) C:\Windows\system32\drivers\peauth.sys
2010/12/06 19:32:01.0478 PptpMiniport (ecfffaec0c1ecd8dbc77f39070ea1db1) C:\Windows\system32\DRIVERS\raspptp.sys
2010/12/06 19:32:01.0524 Processor (0e3cef5d28b40cf273281d620c50700a) C:\Windows\system32\drivers\processr.sys
2010/12/06 19:32:01.0602 PSched (99514faa8df93d34b5589187db3aa0ba) C:\Windows\system32\DRIVERS\pacer.sys
2010/12/06 19:32:01.0649 PxHelp20 (49452bfcec22f36a7a9b9c2181bc3042) C:\Windows\system32\Drivers\PxHelp20.sys
2010/12/06 19:32:01.0712 ql2300 (ccdac889326317792480c0a67156a1ec) C:\Windows\system32\drivers\ql2300.sys
2010/12/06 19:32:01.0758 ql40xx (81a7e5c076e59995d54bc1ed3a16e60b) C:\Windows\system32\drivers\ql40xx.sys
2010/12/06 19:32:01.0821 QWAVEdrv (9f5e0e1926014d17486901c88eca2db7) C:\Windows\system32\drivers\qwavedrv.sys
2010/12/06 19:32:01.0946 RapportKELL (915b82d664cd38743a59b3a3524a5d3a) C:\Program Files\Trusteer\Rapport\bin\RapportKELL.sys
2010/12/06 19:32:01.0992 RapportPG (25f126fdd8df81a71ff518c914055cd8) C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys
2010/12/06 19:32:02.0039 RasAcd (147d7f9c556d259924351feb0de606c3) C:\Windows\system32\DRIVERS\rasacd.sys
2010/12/06 19:32:02.0102 Rasl2tp (a214adbaf4cb47dd2728859ef31f26b0) C:\Windows\system32\DRIVERS\rasl2tp.sys
2010/12/06 19:32:02.0148 RasPppoe (509a98dd18af4375e1fc40bc175f1def) C:\Windows\system32\DRIVERS\raspppoe.sys
2010/12/06 19:32:02.0195 RasSstp (2005f4a1e05fa09389ac85840f0a9e4d) C:\Windows\system32\DRIVERS\rassstp.sys
2010/12/06 19:32:02.0242 rdbss (b14c9d5b9add2f84f70570bbbfaa7935) C:\Windows\system32\DRIVERS\rdbss.sys
2010/12/06 19:32:02.0289 RDPCDD (89e59be9a564262a3fb6c4f4f1cd9899) C:\Windows\system32\DRIVERS\RDPCDD.sys
2010/12/06 19:32:02.0351 rdpdr (e8bd98d46f2ed77132ba927fccb47d8b) C:\Windows\system32\drivers\rdpdr.sys
2010/12/06 19:32:02.0398 RDPENCDD (9d91fe5286f748862ecffa05f8a0710c) C:\Windows\system32\drivers\rdpencdd.sys
2010/12/06 19:32:02.0445 RDPWD (30bfbdfb7f95559ede971f9ddb9a00ba) C:\Windows\system32\drivers\RDPWD.sys
2010/12/06 19:32:02.0538 rspndr (9c508f4074a39e8b4b31d27198146fad) C:\Windows\system32\DRIVERS\rspndr.sys
2010/12/06 19:32:02.0585 sbp2port (3ce8f073a557e172b330109436984e30) C:\Windows\system32\drivers\sbp2port.sys
2010/12/06 19:32:02.0663 sdbus (7b3973cc28b8aa3e9e2e5d53e720e2c9) C:\Windows\system32\DRIVERS\sdbus.sys
2010/12/06 19:32:02.0710 secdrv (90a3935d05b494a5a39d37e71f09a677) C:\Windows\system32\drivers\secdrv.sys
2010/12/06 19:32:02.0757 Serenum (68e44e331d46f0fb38f0863a84cd1a31) C:\Windows\system32\drivers\serenum.sys
2010/12/06 19:32:02.0788 Serial (c70d69a918b178d3c3b06339b40c2e1b) C:\Windows\system32\drivers\serial.sys
2010/12/06 19:32:02.0835 sermouse (8af3d28a879bf75db53a0ee7a4289624) C:\Windows\system32\drivers\sermouse.sys
2010/12/06 19:32:02.0913 sffdisk (103b79418da647736ee95645f305f68a) C:\Windows\system32\drivers\sffdisk.sys
2010/12/06 19:32:02.0928 sffp_mmc (8fd08a310645fe872eeec6e08c6bf3ee) C:\Windows\system32\drivers\sffp_mmc.sys
2010/12/06 19:32:02.0975 sffp_sd (9cfa05fcfcb7124e69cfc812b72f9614) C:\Windows\system32\drivers\sffp_sd.sys
2010/12/06 19:32:03.0006 sfloppy (46ed8e91793b2e6f848015445a0ac188) C:\Windows\system32\drivers\sfloppy.sys
2010/12/06 19:32:03.0053 sisagp (d2a595d6eebeeaf4334f8e50efbc9931) C:\Windows\system32\drivers\sisagp.sys
2010/12/06 19:32:03.0084 SiSRaid2 (cedd6f4e7d84e9f98b34b3fe988373aa) C:\Windows\system32\drivers\sisraid2.sys
2010/12/06 19:32:03.0131 SiSRaid4 (df843c528c4f69d12ce41ce462e973a7) C:\Windows\system32\drivers\sisraid4.sys
2010/12/06 19:32:03.0209 Smb (7b75299a4d201d6a6533603d6914ab04) C:\Windows\system32\DRIVERS\smb.sys
2010/12/06 19:32:03.0256 spldr (7aebdeef071fe28b0eef2cdd69102bff) C:\Windows\system32\drivers\spldr.sys
2010/12/06 19:32:03.0334 srv (ff3cbc13db84d81f56931bc922cc37c4) C:\Windows\system32\DRIVERS\srv.sys
2010/12/06 19:32:03.0350 srv2 (d15959d9f69f0d39a0153e9c244f20dd) C:\Windows\system32\DRIVERS\srv2.sys
2010/12/06 19:32:03.0381 srvnet (faa0d553a49e85008c6bb3781987c574) C:\Windows\system32\DRIVERS\srvnet.sys
2010/12/06 19:32:03.0459 swenum (7ba58ecf0c0a9a69d44b3dca62becf56) C:\Windows\system32\DRIVERS\swenum.sys
2010/12/06 19:32:03.0506 Symc8xx (192aa3ac01df071b541094f251deed10) C:\Windows\system32\drivers\symc8xx.sys
2010/12/06 19:32:03.0599 Sym_hi (8c8eb8c76736ebaf3b13b633b2e64125) C:\Windows\system32\drivers\sym_hi.sys
2010/12/06 19:32:03.0630 Sym_u3 (8072af52b5fd103bbba387a1e49f62cb) C:\Windows\system32\drivers\sym_u3.sys
2010/12/06 19:32:03.0693 SynTP (f5d926807bd9bc0af68f9376144de425) C:\Windows\system32\DRIVERS\SynTP.sys
2010/12/06 19:32:03.0786 Tcpip (a474879afa4a596b3a531f3e69730dbf) C:\Windows\system32\drivers\tcpip.sys
2010/12/06 19:32:03.0849 Tcpip6 (a474879afa4a596b3a531f3e69730dbf) C:\Windows\system32\DRIVERS\tcpip.sys
2010/12/06 19:32:03.0896 tcpipreg (608c345a255d82a6289c2d468eb41fd7) C:\Windows\system32\drivers\tcpipreg.sys
2010/12/06 19:32:03.0942 TDPIPE (5dcf5e267be67a1ae926f2df77fbcc56) C:\Windows\system32\drivers\tdpipe.sys
2010/12/06 19:32:03.0989 TDTCP (389c63e32b3cefed425b61ed92d3f021) C:\Windows\system32\drivers\tdtcp.sys
2010/12/06 19:32:04.0052 tdx (76b06eb8a01fc8624d699e7045303e54) C:\Windows\system32\DRIVERS\tdx.sys
2010/12/06 19:32:04.0098 TermDD (3cad38910468eab9a6479e2f01db43c7) C:\Windows\system32\DRIVERS\termdd.sys
2010/12/06 19:32:04.0161 TfFsMon (d2a1cd31200a6c9d3dfad022503e4836) C:\Windows\system32\drivers\TfFsMon.sys
2010/12/06 19:32:04.0192 TfNetMon (3e3a544d10b0ac1c4c133048f84390ac) C:\Windows\system32\drivers\TfNetMon.sys
2010/12/06 19:32:04.0208 TfSysMon (706be7328a35c39dbe449e10c1ac6a38) C:\Windows\system32\drivers\TfSysMon.sys
2010/12/06 19:32:04.0301 tssecsrv (dcf0f056a2e4f52287264f5ab29cf206) C:\Windows\system32\DRIVERS\tssecsrv.sys
2010/12/06 19:32:04.0348 tunmp (caecc0120ac49e3d2f758b9169872d38) C:\Windows\system32\DRIVERS\tunmp.sys
2010/12/06 19:32:04.0379 tunnel (300db877ac094feab0be7688c3454a9c) C:\Windows\system32\DRIVERS\tunnel.sys
2010/12/06 19:32:04.0442 uagp35 (c3ade15414120033a36c0f293d4a4121) C:\Windows\system32\drivers\uagp35.sys
2010/12/06 19:32:04.0504 udfs (d9728af68c4c7693cb100b8441cbdec6) C:\Windows\system32\DRIVERS\udfs.sys
2010/12/06 19:32:04.0582 uliagpkx (75e6890ebfce0841d3291b02e7a8bdb0) C:\Windows\system32\drivers\uliagpkx.sys
2010/12/06 19:32:04.0629 uliahci (3cd4ea35a6221b85dcc25daa46313f8d) C:\Windows\system32\drivers\uliahci.sys
2010/12/06 19:32:04.0676 UlSata (8514d0e5cd0534467c5fc61be94a569f) C:\Windows\system32\drivers\ulsata.sys
2010/12/06 19:32:04.0707 ulsata2 (38c3c6e62b157a6bc46594fada45c62b) C:\Windows\system32\drivers\ulsata2.sys
2010/12/06 19:32:04.0754 umbus (32cff9f809ae9aed85464492bf3e32d2) C:\Windows\system32\DRIVERS\umbus.sys
2010/12/06 19:32:04.0832 USBAAPL (60a68a5ea173a97971ee9f1ff49eb2b3) C:\Windows\system32\Drivers\usbaapl.sys
2010/12/06 19:32:04.0894 usbaudio (32db9517628ff0d070682aab61e688f0) C:\Windows\system32\drivers\usbaudio.sys
2010/12/06 19:32:04.0941 usbccgp (caf811ae4c147ffcd5b51750c7f09142) C:\Windows\system32\DRIVERS\usbccgp.sys
2010/12/06 19:32:04.0988 usbcir (e9476e6c486e76bc4898074768fb7131) C:\Windows\system32\drivers\usbcir.sys
2010/12/06 19:32:05.0050 usbehci (79e96c23a97ce7b8f14d310da2db0c9b) C:\Windows\system32\DRIVERS\usbehci.sys
2010/12/06 19:32:05.0066 usbhub (4673bbcb006af60e7abddbe7a130ba42) C:\Windows\system32\DRIVERS\usbhub.sys
2010/12/06 19:32:05.0097 usbohci (ce697fee0d479290d89bec80dfe793b7) C:\Windows\system32\DRIVERS\usbohci.sys
2010/12/06 19:32:05.0159 usbprint (e75c4b5269091d15a2e7dc0b6d35f2f5) C:\Windows\system32\DRIVERS\usbprint.sys
2010/12/06 19:32:05.0222 usbscan (a508c9bd8724980512136b039bba65e9) C:\Windows\system32\DRIVERS\usbscan.sys
2010/12/06 19:32:05.0253 USBSTOR (be3da31c191bc222d9ad503c5224f2ad) C:\Windows\system32\DRIVERS\USBSTOR.SYS
2010/12/06 19:32:05.0300 usbuhci (325dbbacb8a36af9988ccf40eac228cc) C:\Windows\system32\DRIVERS\usbuhci.sys
2010/12/06 19:32:05.0362 usbvideo (e67998e8f14cb0627a769f6530bcb352) C:\Windows\system32\Drivers\usbvideo.sys
2010/12/06 19:32:05.0424 vga (7d92be0028ecdedec74617009084b5ef) C:\Windows\system32\DRIVERS\vgapnp.sys
2010/12/06 19:32:05.0471 VgaSave (2e93ac0a1d8c79d019db6c51f036636c) C:\Windows\System32\drivers\vga.sys
2010/12/06 19:32:05.0502 viaagp (045d9961e591cf0674a920b6ba3ba5cb) C:\Windows\system32\drivers\viaagp.sys
2010/12/06 19:32:05.0534 ViaC7 (56a4de5f02f2e88182b0981119b4dd98) C:\Windows\system32\drivers\viac7.sys
2010/12/06 19:32:05.0580 viaide (fd2e3175fcada350c7ab4521dca187ec) C:\Windows\system32\drivers\viaide.sys
2010/12/06 19:32:05.0627 volmgr (69503668ac66c77c6cd7af86fbdf8c43) C:\Windows\system32\drivers\volmgr.sys
2010/12/06 19:32:05.0674 volmgrx (23e41b834759917bfd6b9a0d625d0c28) C:\Windows\system32\drivers\volmgrx.sys
2010/12/06 19:32:05.0721 volsnap (147281c01fcb1df9252de2a10d5e7093) C:\Windows\system32\drivers\volsnap.sys
2010/12/06 19:32:05.0768 vsmraid (d984439746d42b30fc65a4c3546c6829) C:\Windows\system32\drivers\vsmraid.sys
2010/12/06 19:32:05.0846 WacomPen (48dfee8f1af7c8235d4e626f0c4fe031) C:\Windows\system32\drivers\wacompen.sys
2010/12/06 19:32:05.0892 Wanarp (55201897378cca7af8b5efd874374a26) C:\Windows\system32\DRIVERS\wanarp.sys
2010/12/06 19:32:05.0908 Wanarpv6 (55201897378cca7af8b5efd874374a26) C:\Windows\system32\DRIVERS\wanarp.sys
2010/12/06 19:32:05.0955 Wd (afc5ad65b991c1e205cf25cfdbf7a6f4) C:\Windows\system32\drivers\wd.sys
2010/12/06 19:32:06.0017 Wdf01000 (b6f0a7ad6d4bd325fbcd8bac96cd8d96) C:\Windows\system32\drivers\Wdf01000.sys
2010/12/06 19:32:06.0142 winachsf (0acd399f5db3df1b58903cf4949ab5a8) C:\Windows\system32\DRIVERS\HSX_CNXT.sys
2010/12/06 19:32:06.0251 WmiAcpi (2e7255d172df0b8283cdfb7b433b864e) C:\Windows\system32\DRIVERS\wmiacpi.sys
2010/12/06 19:32:06.0345 ws2ifsl (e3a3cb253c0ec2494d4a61f5e43a389c) C:\Windows\system32\drivers\ws2ifsl.sys
2010/12/06 19:32:06.0423 WUDFRd (ac13cb789d93412106b0fb6c7eb2bcb6) C:\Windows\system32\DRIVERS\WUDFRd.sys
2010/12/06 19:32:06.0470 XAudio (dab33cfa9dd24251aaa389ff36b64d4b) C:\Windows\system32\DRIVERS\xaudio.sys
2010/12/06 19:32:06.0563 ================================================================================
2010/12/06 19:32:06.0563 Scan finished
2010/12/06 19:32:06.0563 ================================================================================
2010/12/06 19:32:06.0594 Detected object count: 1
2010/12/06 19:33:08.0558 geasszw (bcbf932d179ed01cfa1f3b5896b1c13a) C:\Windows\system32\drivers\geasszw.sys
2010/12/06 19:33:08.0558 Suspicious file (NoAccess): C:\Windows\system32\drivers\geasszw.sys. md5: bcbf932d179ed01cfa1f3b5896b1c13a
2010/12/06 19:33:08.0558 C:\Windows\system32\drivers\geasszw.sys - copied to quarantine
2010/12/06 19:33:08.0558 Locked service(geasszw) - User select action: Quarantine

Then I ran MBRcheck. Here is the log:

MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows Vista Home Premium Edition
Windows Information: Service Pack 2 (build 6002), 32-bit
Base Board Manufacturer: Quanta
BIOS Manufacturer: Hewlett-Packard
System Manufacturer: Hewlett-Packard
System Product Name: HP G6000 Notebook PC
Logical Drives Mask: 0x0000001c

Kernel Drivers (total 121):
0x83639000 \SystemRoot\system32\ntkrnlpa.exe
0x83606000 \SystemRoot\system32\hal.dll
0x8040D000 \SystemRoot\system32\kdcom.dll
0x80414000 \SystemRoot\system32\PSHED.dll
0x80425000 \SystemRoot\system32\BOOTVID.dll
0x8042D000 \SystemRoot\system32\CLFS.SYS
0x8046E000 \SystemRoot\system32\CI.dll
0x8054E000 \SystemRoot\system32\drivers\Wdf01000.sys
0x805CA000 \SystemRoot\system32\drivers\WDFLDR.SYS
0x80604000 \SystemRoot\system32\drivers\acpi.sys
0x8064A000 \SystemRoot\system32\drivers\WMILIB.SYS
0x80653000 \SystemRoot\system32\drivers\fltmgr.sys
0x80685000 \SystemRoot\system32\drivers\msisadrv.sys
0x8068D000 \SystemRoot\system32\drivers\pci.sys
0x806B4000 \SystemRoot\System32\Drivers\geasszw.sys
0x80787000 \SystemRoot\System32\drivers\partmgr.sys
0x80796000 \SystemRoot\system32\DRIVERS\compbatt.sys
0x80799000 \SystemRoot\system32\DRIVERS\BATTC.SYS
0x807A3000 \SystemRoot\system32\drivers\volmgr.sys
0x807B2000 \SystemRoot\System32\drivers\volmgrx.sys
0x805D7000 \SystemRoot\system32\drivers\pciide.sys
0x805DE000 \SystemRoot\system32\drivers\PCIIDEX.SYS
0x805EC000 \SystemRoot\System32\drivers\mountmgr.sys
0x80400000 \SystemRoot\system32\drivers\atapi.sys
0x84004000 \SystemRoot\system32\drivers\ataport.SYS
0x84022000 \SystemRoot\system32\drivers\fileinfo.sys
0x84032000 \SystemRoot\system32\drivers\PCTCore.sys
0x8408D000 \SystemRoot\System32\Drivers\PxHelp20.sys
0x84096000 \SystemRoot\System32\Drivers\ksecdd.sys
0x84209000 \SystemRoot\system32\drivers\ndis.sys
0x84314000 \SystemRoot\system32\drivers\msrpc.sys
0x8433F000 \SystemRoot\system32\drivers\NETIO.SYS
0x84107000 \SystemRoot\System32\drivers\tcpip.sys
0x8437A000 \SystemRoot\System32\drivers\fwpkclnt.sys
0x89209000 \SystemRoot\System32\Drivers\Ntfs.sys
0x89319000 \SystemRoot\system32\drivers\volsnap.sys
0x8935A000 \SystemRoot\System32\Drivers\mup.sys
0x89369000 \SystemRoot\System32\drivers\ecache.sys
0x89390000 \SystemRoot\system32\drivers\disk.sys
0x893A1000 \SystemRoot\system32\drivers\CLASSPNP.SYS
0x893C2000 \SystemRoot\system32\drivers\crcdisk.sys
0x893CB000 \SystemRoot\system32\DRIVERS\AVGIDSEH.Sys
0x893F4000 \SystemRoot\system32\DRIVERS\tunnel.sys
0x89200000 \SystemRoot\system32\DRIVERS\tunmp.sys
0x89352000 \SystemRoot\system32\DRIVERS\cpqbttn.sys
0x84395000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0x843A5000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0x843AC000 \SystemRoot\system32\DRIVERS\wmiacpi.sys
0x89355000 \SystemRoot\system32\DRIVERS\nvsmu.sys
0x843B5000 \SystemRoot\system32\DRIVERS\usbohci.sys
0x843BF000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0x841F1000 \SystemRoot\system32\DRIVERS\usbehci.sys
0x84200000 \SystemRoot\system32\drivers\Afc.sys
0x8406B000 \SystemRoot\system32\DRIVERS\cdrom.sys
0x84083000 \SystemRoot\System32\Drivers\GEARAspiWDM.sys
0x8CC0D000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0x8CC9A000 \SystemRoot\system32\DRIVERS\nvmfdx32.sys
0x8D00E000 \SystemRoot\system32\DRIVERS\athr.sys
0x8D0C7000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0x8D0DA000 \SystemRoot\system32\DRIVERS\HpqKbFiltr.sys
0x8D0DF000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0x8D0EA000 \SystemRoot\system32\DRIVERS\SynTP.sys
0x8D11A000 \SystemRoot\system32\DRIVERS\USBD.SYS
0x8D11C000 \SystemRoot\system32\DRIVERS\mouclass.sys
0x8D127000 \SystemRoot\system32\DRIVERS\msiscsi.sys
0x8D156000 \SystemRoot\system32\DRIVERS\storport.sys
0x8D197000 \SystemRoot\system32\DRIVERS\TDI.SYS
0x8D1A2000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0x8D1B9000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0x8D1C4000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0x8D1E7000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0x8CD9B000 \SystemRoot\system32\DRIVERS\raspptp.sys
0x8CDAF000 \SystemRoot\system32\DRIVERS\rassstp.sys
0x8CDC4000 \SystemRoot\system32\DRIVERS\termdd.sys
0x8D1F6000 \SystemRoot\system32\DRIVERS\swenum.sys
0x8CDD4000 \SystemRoot\system32\DRIVERS\ks.sys
0x8D000000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0x8CC00000 \SystemRoot\system32\DRIVERS\umbus.sys
0x8D404000 \SystemRoot\system32\DRIVERS\kbdhid.sys
0x8D40D000 \SystemRoot\system32\DRIVERS\usbhub.sys
0x8D442000 \SystemRoot\System32\Drivers\NDProxy.SYS
0x8D453000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0x8D45C000 \SystemRoot\System32\Drivers\Null.SYS
0x8D463000 \SystemRoot\System32\Drivers\Beep.SYS
0x8D46A000 \SystemRoot\System32\drivers\vga.sys
0x8D476000 \SystemRoot\System32\drivers\VIDEOPRT.SYS
0x8D497000 \SystemRoot\System32\drivers\watchdog.sys
0x8D4A3000 \SystemRoot\system32\drivers\rdpencdd.sys
0x8D4AB000 \SystemRoot\System32\Drivers\Msfs.SYS
0x8D4B6000 \SystemRoot\System32\Drivers\Npfs.SYS
0x8D4C4000 \SystemRoot\System32\DRIVERS\rasacd.sys
0x8D4CD000 \SystemRoot\system32\DRIVERS\tdx.sys
0x8D4E3000 \??\C:\Windows\System32\drivers\pctgntdi.sys
0x8D51A000 \ArcName\multi(0)disk(0)rdisk(0)partition(1)\Windows\system32\drivers\PctWfpFilter.sys
0x8D537000 \SystemRoot\system32\DRIVERS\smb.sys
0x8D54B000 \SystemRoot\System32\DRIVERS\netbt.sys
0x8D57D000 \SystemRoot\system32\drivers\afd.sys
0x8D5C5000 \SystemRoot\system32\drivers\ws2ifsl.sys
0x8D5CE000 \SystemRoot\system32\DRIVERS\pacer.sys
0x8D5E4000 \SystemRoot\system32\DRIVERS\netbios.sys
0x8DA05000 \SystemRoot\system32\DRIVERS\rdbss.sys
0x8DA41000 \SystemRoot\system32\drivers\nsiproxy.sys
0x8DA4B000 \SystemRoot\System32\Drivers\dfsc.sys
0x8DA62000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0x8DA79000 \SystemRoot\System32\Drivers\crashdmp.sys
0x8DA86000 \SystemRoot\System32\Drivers\dump_dumpata.sys
0x8DA91000 \SystemRoot\System32\Drivers\dump_atapi.sys
0x81470000 \SystemRoot\System32\win32k.sys
0x8DA99000 \SystemRoot\System32\drivers\Dxapi.sys
0x81680000 \SystemRoot\System32\drivers\dxg.sys
0x816B0000 \SystemRoot\System32\TSDDD.dll
0x81730000 \SystemRoot\System32\framebuf.dll
0x8DAA3000 \SystemRoot\system32\DRIVERS\nwifi.sys
0x8DACD000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0x8DAD7000 \SystemRoot\system32\DRIVERS\bowser.sys
0x8DAF0000 \SystemRoot\System32\drivers\mpsdrv.sys
0x8DB05000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0x8DB24000 \SystemRoot\system32\DRIVERS\mrxsmb10.sys
0x8DB5D000 \SystemRoot\system32\DRIVERS\mrxsmb20.sys
0x8DB75000 \SystemRoot\system32\DRIVERS\cdfs.sys
0x77250000 \Windows\System32\ntdll.dll

Processes (total 29):
0 System Idle Process
4 System
376 C:\Windows\System32\smss.exe
500 csrss.exe
536 csrss.exe
544 C:\Windows\System32\wininit.exe
588 C:\Windows\System32\winlogon.exe
616 C:\Windows\System32\services.exe
632 C:\Windows\System32\lsass.exe
640 C:\Windows\System32\lsm.exe
788 C:\Windows\System32\svchost.exe
844 C:\Windows\System32\svchost.exe
996 C:\Windows\System32\svchost.exe
1052 C:\Windows\System32\svchost.exe
1096 C:\Windows\System32\svchost.exe
1148 C:\Windows\System32\svchost.exe
1164 C:\Windows\System32\svchost.exe
1284 C:\Windows\System32\svchost.exe
1440 C:\Windows\System32\svchost.exe
1684 C:\Windows\System32\svchost.exe
1700 C:\Windows\System32\svchost.exe
1816 C:\Windows\explorer.exe
1908 C:\Windows\System32\svchost.exe
888 C:\Program Files\Windows Media Player\wmpnscfg.exe
1672 C:\Program Files\Internet Explorer\iexplore.exe
1784 C:\Program Files\Internet Explorer\iexplore.exe
1156 C:\Program Files\Internet Explorer\iexplore.exe
1812 C:\Windows\System32\notepad.exe
2040 C:\Users\Administrator\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x00000019`1018be00 (NTFS)

PhysicalDrive0 Model Number: WDCWD1200BEVS-60UST0, Rev: 01.01A01

Size Device Name MBR Status
--------------------------------------------
111 GB \\.\PhysicalDrive0 Unknown MBR code
SHA1: D94F393960D1CD66C2071F2D7260A5196DF105AC


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:


Thanks

#10 m0le
  • Malware Response Team
  • Location:London, UK

Posted 06 December 2010 - 05:27 PM

The MBR has been rewritten.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Important Note: While fixing the Master Boot Record (MBR) is generally safe, there is a small risk of damaging the operating system so that it will not boot up or the partitions may become corrupted. I recommend you have your Windows CD available which will allow recovering the boot code via the Windows Recovery Console in case of any problems or install the XP Recovery Console before proceeding with the above fix. Then if any problems occur, the links below explain how to use and repair the MBR:

If you do not have a Vista recovery disk then please burn one as shown here


Run MBRCheck.exe
  • Wait until you see the following line: Enter 'Y' and hit ENTER for more options, or 'N' to exit:
  • Press the 'Y' key and then press Enter
  • When the program asks you, enter 2 and press the Enter key
  • The program will now ask you "Enter the physical disk number to fix (0-99, -1 to cancel):"
  • Enter 0 and press the Enter key.
  • The program will show Available MBR codes:, followed by a list of operating systems. Enter the correct number for your operating system, and then press Enter.
  • When asked "Do you want to fix the MBR code?", type in YES and press Enter
  • Restart your PC.
After you restart the PC
  • Double click MBRCheck.exe to run (Vista and Win 7: right-click and select Run as Administrator)
  • It will show a black screen with some data on it
  • A report called MBRCheck will be on your desktop
  • Open this report
  • Right click on the screen and select > Select All
  • Press Control+C
  • Now please copy that report to this thread

m0le is a proud member of UNITE

#11 HannahPethen
  • Topic Starter

Posted 08 December 2010 - 06:19 AM

I have run the MBR check and fixed the MBR, then re-run MBR check. Here is the log:

MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows Vista Home Premium Edition
Windows Information: Service Pack 2 (build 6002), 32-bit
Base Board Manufacturer: Quanta
BIOS Manufacturer: Hewlett-Packard
System Manufacturer: Hewlett-Packard
System Product Name: HP G6000 Notebook PC
Logical Drives Mask: 0x0000001c

Kernel Drivers (total 121):
0x83611000 \SystemRoot\system32\ntkrnlpa.exe
0x839CA000 \SystemRoot\system32\hal.dll
0x80400000 \SystemRoot\system32\kdcom.dll
0x80407000 \SystemRoot\system32\PSHED.dll
0x80418000 \SystemRoot\system32\BOOTVID.dll
0x80420000 \SystemRoot\system32\CLFS.SYS
0x80461000 \SystemRoot\system32\CI.dll
0x80541000 \SystemRoot\system32\drivers\Wdf01000.sys
0x805BD000 \SystemRoot\system32\drivers\WDFLDR.SYS
0x80602000 \SystemRoot\system32\drivers\acpi.sys
0x80648000 \SystemRoot\system32\drivers\WMILIB.SYS
0x80651000 \SystemRoot\system32\drivers\fltmgr.sys
0x80683000 \SystemRoot\system32\drivers\msisadrv.sys
0x8068B000 \SystemRoot\system32\drivers\pci.sys
0x806B2000 \SystemRoot\System32\Drivers\geasszw.sys
0x80785000 \SystemRoot\System32\drivers\partmgr.sys
0x80794000 \SystemRoot\system32\DRIVERS\compbatt.sys
0x80797000 \SystemRoot\system32\DRIVERS\BATTC.SYS
0x807A1000 \SystemRoot\system32\drivers\volmgr.sys
0x807B0000 \SystemRoot\System32\drivers\volmgrx.sys
0x805CA000 \SystemRoot\system32\drivers\pciide.sys
0x805D1000 \SystemRoot\system32\drivers\PCIIDEX.SYS
0x805DF000 \SystemRoot\System32\drivers\mountmgr.sys
0x805EF000 \SystemRoot\system32\drivers\atapi.sys
0x84009000 \SystemRoot\system32\drivers\ataport.SYS
0x84027000 \SystemRoot\system32\drivers\fileinfo.sys
0x84037000 \SystemRoot\system32\drivers\PCTCore.sys
0x84092000 \SystemRoot\System32\Drivers\PxHelp20.sys
0x8409B000 \SystemRoot\System32\Drivers\ksecdd.sys
0x8420A000 \SystemRoot\system32\drivers\ndis.sys
0x84315000 \SystemRoot\system32\drivers\msrpc.sys
0x84340000 \SystemRoot\system32\drivers\NETIO.SYS
0x8410C000 \SystemRoot\System32\drivers\tcpip.sys
0x8437B000 \SystemRoot\System32\drivers\fwpkclnt.sys
0x89203000 \SystemRoot\System32\Drivers\Ntfs.sys
0x89313000 \SystemRoot\system32\drivers\volsnap.sys
0x89354000 \SystemRoot\System32\Drivers\mup.sys
0x89363000 \SystemRoot\System32\drivers\ecache.sys
0x8938A000 \SystemRoot\system32\drivers\disk.sys
0x8939B000 \SystemRoot\system32\drivers\CLASSPNP.SYS
0x893BC000 \SystemRoot\system32\drivers\crcdisk.sys
0x893C5000 \SystemRoot\system32\DRIVERS\AVGIDSEH.Sys
0x893EE000 \SystemRoot\system32\DRIVERS\tunnel.sys
0x84396000 \SystemRoot\system32\DRIVERS\tunmp.sys
0x893F9000 \SystemRoot\system32\DRIVERS\cpqbttn.sys
0x8439F000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0x8934C000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0x843AF000 \SystemRoot\system32\DRIVERS\wmiacpi.sys
0x893FC000 \SystemRoot\system32\DRIVERS\nvsmu.sys
0x843B8000 \SystemRoot\system32\DRIVERS\usbohci.sys
0x843C2000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0x84070000 \SystemRoot\system32\DRIVERS\usbehci.sys
0x84200000 \SystemRoot\system32\drivers\Afc.sys
0x8D203000 \SystemRoot\system32\DRIVERS\cdrom.sys
0x8D21B000 \SystemRoot\System32\Drivers\GEARAspiWDM.sys
0x8D221000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0x8D2AE000 \SystemRoot\system32\DRIVERS\nvmfdx32.sys
0x8D404000 \SystemRoot\system32\DRIVERS\athr.sys
0x8D4BD000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0x8D4D0000 \SystemRoot\system32\DRIVERS\HpqKbFiltr.sys
0x8D4D5000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0x8D4E0000 \SystemRoot\system32\DRIVERS\SynTP.sys
0x8D510000 \SystemRoot\system32\DRIVERS\USBD.SYS
0x8D512000 \SystemRoot\system32\DRIVERS\mouclass.sys
0x8D51D000 \SystemRoot\system32\DRIVERS\msiscsi.sys
0x8D54C000 \SystemRoot\system32\DRIVERS\storport.sys
0x8D58D000 \SystemRoot\system32\DRIVERS\TDI.SYS
0x8D598000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0x8D5AF000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0x8D5BA000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0x8D5DD000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0x8D5EC000 \SystemRoot\system32\DRIVERS\raspptp.sys
0x8D3AF000 \SystemRoot\system32\DRIVERS\rassstp.sys
0x8D3C4000 \SystemRoot\system32\DRIVERS\termdd.sys
0x8D400000 \SystemRoot\system32\DRIVERS\swenum.sys
0x8D3D4000 \SystemRoot\system32\DRIVERS\ks.sys
0x8407F000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0x8D80C000 \SystemRoot\system32\DRIVERS\umbus.sys
0x8D819000 \SystemRoot\system32\DRIVERS\kbdhid.sys
0x8D822000 \SystemRoot\system32\DRIVERS\usbhub.sys
0x8D857000 \SystemRoot\System32\Drivers\NDProxy.SYS
0x8D868000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0x8D871000 \SystemRoot\System32\Drivers\Null.SYS
0x8D878000 \SystemRoot\System32\Drivers\Beep.SYS
0x8D87F000 \SystemRoot\System32\drivers\vga.sys
0x8D88B000 \SystemRoot\System32\drivers\VIDEOPRT.SYS
0x8D8AC000 \SystemRoot\System32\drivers\watchdog.sys
0x8D8B8000 \SystemRoot\system32\drivers\rdpencdd.sys
0x8D8C0000 \SystemRoot\System32\Drivers\Msfs.SYS
0x8D8CB000 \SystemRoot\System32\Drivers\Npfs.SYS
0x8D8D9000 \SystemRoot\System32\DRIVERS\rasacd.sys
0x8D8E2000 \SystemRoot\system32\DRIVERS\tdx.sys
0x8D8F8000 \??\C:\Windows\System32\drivers\pctgntdi.sys
0x8D92F000 \ArcName\multi(0)disk(0)rdisk(0)partition(1)\Windows\system32\drivers\PctWfpFilter.sys
0x8D94C000 \SystemRoot\system32\DRIVERS\smb.sys
0x8D960000 \SystemRoot\System32\DRIVERS\netbt.sys
0x8D992000 \SystemRoot\system32\drivers\afd.sys
0x8D9DA000 \SystemRoot\system32\drivers\ws2ifsl.sys
0x8D9E3000 \SystemRoot\system32\DRIVERS\pacer.sys
0x8DE0D000 \SystemRoot\system32\DRIVERS\netbios.sys
0x8DE1B000 \SystemRoot\system32\DRIVERS\rdbss.sys
0x8DE57000 \SystemRoot\system32\drivers\nsiproxy.sys
0x8DE61000 \SystemRoot\System32\Drivers\dfsc.sys
0x8DE78000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0x8DE8F000 \SystemRoot\System32\Drivers\crashdmp.sys
0x8DE9C000 \SystemRoot\System32\Drivers\dump_dumpata.sys
0x8DEA7000 \SystemRoot\System32\Drivers\dump_atapi.sys
0x816C0000 \SystemRoot\System32\win32k.sys
0x8DEAF000 \SystemRoot\System32\drivers\Dxapi.sys
0x818D0000 \SystemRoot\System32\drivers\dxg.sys
0x81900000 \SystemRoot\System32\TSDDD.dll
0x81980000 \SystemRoot\System32\framebuf.dll
0x8DEB9000 \SystemRoot\system32\DRIVERS\nwifi.sys
0x8DEE3000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0x8DEED000 \SystemRoot\system32\DRIVERS\bowser.sys
0x8DF06000 \SystemRoot\System32\drivers\mpsdrv.sys
0x8DF1B000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0x8DF3A000 \SystemRoot\system32\DRIVERS\mrxsmb10.sys
0x8DF73000 \SystemRoot\system32\DRIVERS\mrxsmb20.sys
0x8DF8B000 \SystemRoot\system32\DRIVERS\cdfs.sys
0x77C80000 \Windows\System32\ntdll.dll

Processes (total 24):
0 System Idle Process
4 System
376 C:\Windows\System32\smss.exe
436 csrss.exe
472 csrss.exe
480 C:\Windows\System32\wininit.exe
524 C:\Windows\System32\winlogon.exe
552 C:\Windows\System32\services.exe
568 C:\Windows\System32\lsass.exe
576 C:\Windows\System32\lsm.exe
724 C:\Windows\System32\svchost.exe
780 C:\Windows\System32\svchost.exe
932 C:\Windows\System32\svchost.exe
988 C:\Windows\System32\svchost.exe
1020 C:\Windows\System32\svchost.exe
1076 C:\Windows\System32\svchost.exe
1092 C:\Windows\System32\svchost.exe
1212 C:\Windows\System32\svchost.exe
1384 C:\Windows\System32\svchost.exe
1620 C:\Windows\System32\svchost.exe
1628 C:\Windows\System32\svchost.exe
412 C:\Windows\explorer.exe
804 C:\Program Files\Windows Media Player\wmpnscfg.exe
280 C:\Users\Administrator\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x00000019`1018be00 (NTFS)

PhysicalDrive0 Model Number: WDCWD1200BEVS-60UST0, Rev: 01.01A01

Size Device Name MBR Status
--------------------------------------------
111 GB \\.\PhysicalDrive0 Unknown MBR code
SHA1: D94F393960D1CD66C2071F2D7260A5196DF105AC


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:

There seemed no problem with the MBR repair, but I have a recovery disc just in case.

Hannah
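Comparing the two MBRCheck logs above (posts #9 and #11) by eye is slow, so here is an added example, not part of this thread and not MBRCheck's own code, that pulls the kernel-driver list, the MBR status line and the MBR SHA1 out of each log, diffs the driver sets, and flags entries for review. The two log excerpts embedded in it are trimmed copies of the logs posted above, cut down to a few lines so the script runs stand-alone; the watch-list name handed to flag_for_review() and the "loaded via a non-SystemRoot path" rule are this example's own assumptions, not anything MBRCheck reports.

```python
"""Triage two MBRCheck logs: diff the kernel driver lists and compare MBR hashes.

Added example for this thread, not MBRCheck's own code. LOG_BEFORE and LOG_AFTER
are trimmed copies of the logs in posts #9 and #11 above. The watch list and the
SystemRoot path rule are this example's assumptions.
"""
import re
from typing import Dict, List, Tuple

DRIVER_RE = re.compile(r"^0x[0-9A-Fa-f]{8}\s+(\S+)\s*$")
SHA1_RE = re.compile(r"^SHA1:\s*([0-9A-Fa-f]{40})\s*$")
STATUS_RE = re.compile(r"^\d+ GB\s+\\\\\.\\PhysicalDrive\d+\s+(.+?)\s*$")

# Trimmed from post #9 (log taken before the MBRCheck fix).
LOG_BEFORE = r"""
MBRCheck, version 1.2.3
Kernel Drivers (total 121):
0x83639000 \SystemRoot\system32\ntkrnlpa.exe
0x8068D000 \SystemRoot\system32\drivers\pci.sys
0x806B4000 \SystemRoot\System32\Drivers\geasszw.sys
0x80787000 \SystemRoot\System32\drivers\partmgr.sys
0x8D4E3000 \??\C:\Windows\System32\drivers\pctgntdi.sys
0x8D51A000 \ArcName\multi(0)disk(0)rdisk(0)partition(1)\Windows\system32\drivers\PctWfpFilter.sys
0x77250000 \Windows\System32\ntdll.dll

Size Device Name MBR Status
--------------------------------------------
111 GB \\.\PhysicalDrive0 Unknown MBR code
SHA1: D94F393960D1CD66C2071F2D7260A5196DF105AC
"""

# Trimmed from post #11 (log taken after the MBRCheck fix and a reboot).
LOG_AFTER = r"""
MBRCheck, version 1.2.3
Kernel Drivers (total 121):
0x83611000 \SystemRoot\system32\ntkrnlpa.exe
0x8068B000 \SystemRoot\system32\drivers\pci.sys
0x806B2000 \SystemRoot\System32\Drivers\geasszw.sys
0x80785000 \SystemRoot\System32\drivers\partmgr.sys
0x8D8F8000 \??\C:\Windows\System32\drivers\pctgntdi.sys
0x8D92F000 \ArcName\multi(0)disk(0)rdisk(0)partition(1)\Windows\system32\drivers\PctWfpFilter.sys
0x77C80000 \Windows\System32\ntdll.dll

Size Device Name MBR Status
--------------------------------------------
111 GB \\.\PhysicalDrive0 Unknown MBR code
SHA1: D94F393960D1CD66C2071F2D7260A5196DF105AC
"""


def parse_mbrcheck_log(text: str) -> Dict[str, object]:
    """Return driver paths in listed order, plus the MBR status text and SHA1."""
    drivers: List[str] = []
    sha1 = status = None
    for raw in text.splitlines():
        line = raw.strip()
        m = DRIVER_RE.match(line)
        if m:
            drivers.append(m.group(1))
            continue
        m = SHA1_RE.match(line)
        if m:
            sha1 = m.group(1).upper()
            continue
        m = STATUS_RE.match(line)
        if m:
            status = m.group(1)
    return {"drivers": drivers, "mbr_sha1": sha1, "mbr_status": status}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def diff_drivers(before: List[str], after: List[str]) -> Dict[str, List[str]]:
    """Set difference on file names, so a changed load address does not count as a change."""
    b = {basename(p) for p in before}
    a = {basename(p) for p in after}
    return {"added": sorted(a - b), "removed": sorted(b - a), "persisted": sorted(a & b)}


def flag_for_review(drivers: List[str], watch: Tuple[str, ...] = ()) -> List[Tuple[str, str]]:
    """Flag names on the watch list and drivers not loaded via SystemRoot.
    The path rule is a prompt to look, not a verdict: legitimate security
    products (the PC Tools drivers in these logs) load that way too."""
    flags = []
    for p in drivers:
        if basename(p) in watch:
            flags.append((p, "name on watch list"))
        elif not (p.startswith("\\SystemRoot\\") or p.startswith("\\Windows\\")):
            flags.append((p, "loaded via non-SystemRoot path"))
    return flags


def load_index(drivers: List[str], name: str) -> int:
    """Position of a driver in the list (assumption: MBRCheck lists in load order)."""
    for i, p in enumerate(drivers):
        if basename(p) == name.lower():
            return i
    return -1


def triage(before_text: str, after_text: str, watch: Tuple[str, ...] = ()) -> Dict[str, object]:
    b = parse_mbrcheck_log(before_text)
    a = parse_mbrcheck_log(after_text)
    return {
        "mbr_unchanged": b["mbr_sha1"] == a["mbr_sha1"],
        "mbr_status_after": a["mbr_status"],
        "driver_diff": diff_drivers(b["drivers"], a["drivers"]),
        "review_after": flag_for_review(a["drivers"], watch),
    }


if __name__ == "__main__":
    for k, v in triage(LOG_BEFORE, LOG_AFTER, watch=("geasszw.sys",)).items():
        print(f"{k}: {v}")
```

Run as-is on the two excerpts, it reports that the MBR SHA1 is identical before and after the MBRCheck repair, that the status is still "Unknown MBR code", that no driver was added or removed, and that geasszw.sys is still present and is listed immediately after pci.sys, well before partmgr.sys. The path rule fires only on the two PC Tools drivers, which illustrates why it is a review prompt rather than a detection.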

#12 m0le
  • Malware Response Team
  • Location:London, UK

Posted 08 December 2010 - 06:43 PM

Good that you've got the disk.

1. Put the Windows Vista disk in the disk drive, and then start the computer.
2. Press a key when you are prompted.
3. Select a language, a time, a currency, a keyboard or an input method, and then click Next.
4. Click Repair your computer.
5. Click the operating system that you want to repair, and then click Next.
6. In the System Recovery Options dialog box, click Command Prompt.
7. Type Bootrec.exe, and then press ENTER.
8. Type Bootrec.exe /FixMbr
9. Now type Exit and press ENTER

Now please rerun MBRCheck and post the log :)
m0le is a proud member of UNITE
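To make concrete what the Bootrec.exe /FixMbr step above changes on disk, and why a persisting driver can survive it, here is an added example that is not part of this thread and not MBRCheck's or bootrec's code. It parses a 512-byte MBR, fingerprints the boot-code area, checks the partition starts against the two volume offsets MBRCheck printed for this disk (0x7e00 and 0x19`1018be00), and performs a boot-code-only rewrite that keeps the disk signature and partition table, which is the documented effect of /FixMbr. The sample MBR is constructed here (placeholder non-standard loader, made-up disk signature and D: size); which byte range MBRCheck feeds to SHA1 is not stated on this page, so hashing the 440-byte code area is this example's choice; STOCK_CODE is a stand-in, not the real Windows loader.

```python
"""Parse, fingerprint and rewrite the boot code of a 512-byte MBR.

Added example for this thread, not MBRCheck's or bootrec's code. Assumptions:
the sample MBR is constructed (placeholder loader, made-up disk signature and
D: size; only the two partition start sectors come from the MBRCheck logs);
hashing bytes 0..439 is this example's choice; rewrite_boot_code() mirrors the
documented effect of bootrec /FixMbr, new boot code with the table kept.
"""
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 440      # bytes 0..439: the code the BIOS jumps to
DISK_SIG_OFF = 440       # 4-byte NT disk signature, then 2 reserved bytes
PART_TABLE_OFF = 446     # four 16-byte partition entries
BOOT_SIG = b"\x55\xaa"   # last two bytes of the sector

# Volume offsets exactly as MBRCheck reported them in the thread.
C_OFFSET = 0x7E00
D_OFFSET = 0x19_1018BE00


def parse_mbr(mbr: bytes) -> dict:
    """Return the disk signature and the non-empty partition entries."""
    if len(mbr) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    if mbr[510:512] != BOOT_SIG:
        raise ValueError("missing 0x55AA boot signature")
    disk_sig = struct.unpack_from("<I", mbr, DISK_SIG_OFF)[0]
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
        status, ptype, lba_start, lba_count = struct.unpack_from("<B3xB3xII", mbr, off)
        if ptype == 0:
            continue
        parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                      "lba_start": lba_start, "lba_count": lba_count,
                      "byte_offset": lba_start * SECTOR})
    return {"disk_signature": disk_sig, "partitions": parts}


def is_valid_mbr(mbr: bytes) -> bool:
    try:
        parse_mbr(mbr)
        return True
    except ValueError:
        return False


def boot_code_sha1(mbr: bytes) -> str:
    """Fingerprint of the code area only, so the partition layout does not
    change the hash (assumption about what MBRCheck hashes)."""
    return hashlib.sha1(mbr[:BOOT_CODE_LEN]).hexdigest().upper()


def volumes_match(mbr: bytes, expected_offsets) -> bool:
    """Do the partition starts in the MBR agree with the volume offsets the OS reports?"""
    starts = sorted(p["byte_offset"] for p in parse_mbr(mbr)["partitions"])
    return starts == sorted(expected_offsets)


def rewrite_boot_code(mbr: bytes, new_code: bytes) -> bytes:
    """Replace bytes 0..439 only; disk signature, partition table and 0x55AA are kept.
    This evicts a loader living in the MBR but touches nothing on the file system,
    so a driver started from system32\\drivers is loaded again on the next boot."""
    if len(new_code) > BOOT_CODE_LEN:
        raise ValueError("boot code must fit in 440 bytes")
    return new_code.ljust(BOOT_CODE_LEN, b"\x00") + mbr[BOOT_CODE_LEN:]


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed MBR: C: NTFS, bootable, at sector 63; D: NTFS at D_OFFSET // 512."""
    c_start, d_start = C_OFFSET // SECTOR, D_OFFSET // SECTOR
    entries = [(0x80, 0x07, c_start, d_start - c_start),
               (0x00, 0x07, d_start, 2_000_000)]          # D: size is made up
    table = b"".join(struct.pack("<B3xB3xII", *e) for e in entries).ljust(64, b"\x00")
    return (boot_code.ljust(BOOT_CODE_LEN, b"\x00")
            + struct.pack("<I", 0x1B2C3D4E) + b"\x00\x00" + table + BOOT_SIG)


# Constructed non-standard loader: not real malware, just bytes that are not stock code.
SUSPECT_MBR = build_sample_mbr(b"\xeb\xfe" + b"CONSTRUCTED-NONSTANDARD-LOADER")
# Constructed stand-in for stock boot code (the real /FixMbr writes the Windows loader).
STOCK_CODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c"


def read_device_mbr(path: str = r"\\.\PhysicalDrive0") -> bytes:
    """Read the real MBR (needs administrator rights on Windows). Not called here."""
    with open(path, "rb") as dev:
        return dev.read(SECTOR)


if __name__ == "__main__":
    before = parse_mbr(SUSPECT_MBR)
    print("partitions agree with reported volumes:", volumes_match(SUSPECT_MBR, [C_OFFSET, D_OFFSET]))
    print("boot code SHA1 before:", boot_code_sha1(SUSPECT_MBR))
    fixed = rewrite_boot_code(SUSPECT_MBR, STOCK_CODE)
    print("boot code SHA1 after: ", boot_code_sha1(fixed))
    print("partition table preserved:", parse_mbr(fixed) == before)
```

The point the script makes is the one the thread is circling: rewriting the boot code changes the MBR hash and leaves the partition table intact, but it does nothing to a driver file that is loaded from system32\drivers afterwards, so a kernel-driver entry that survives the repair needs separate treatment.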

#13 HannahPethen
  • Topic Starter

Posted 09 December 2010 - 06:55 AM

I have completed the MBR repair as per your instructions. Here is the MBRcheck log created after I finished the repair:

MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows Vista Home Premium Edition
Windows Information: Service Pack 2 (build 6002), 32-bit
Base Board Manufacturer: Quanta
BIOS Manufacturer: Hewlett-Packard
System Manufacturer: Hewlett-Packard
System Product Name: HP G6000 Notebook PC
Logical Drives Mask: 0x0000001c

Kernel Drivers (total 122):
0x8360E000 \SystemRoot\system32\ntkrnlpa.exe
0x839C7000 \SystemRoot\system32\hal.dll
0x8040D000 \SystemRoot\system32\kdcom.dll
0x80414000 \SystemRoot\system32\PSHED.dll
0x80425000 \SystemRoot\system32\BOOTVID.dll
0x8042D000 \SystemRoot\system32\CLFS.SYS
0x8046E000 \SystemRoot\system32\CI.dll
0x8054E000 \SystemRoot\system32\drivers\Wdf01000.sys
0x805CA000 \SystemRoot\system32\drivers\WDFLDR.SYS
0x80609000 \SystemRoot\system32\drivers\acpi.sys
0x8064F000 \SystemRoot\system32\drivers\WMILIB.SYS
0x80658000 \SystemRoot\system32\drivers\fltmgr.sys
0x8068A000 \SystemRoot\system32\drivers\msisadrv.sys
0x80692000 \SystemRoot\system32\drivers\pci.sys
0x806B9000 \SystemRoot\System32\Drivers\geasszw.sys
0x8078C000 \SystemRoot\System32\drivers\partmgr.sys
0x8079B000 \SystemRoot\system32\DRIVERS\compbatt.sys
0x8079E000 \SystemRoot\system32\DRIVERS\BATTC.SYS
0x807A8000 \SystemRoot\system32\drivers\volmgr.sys
0x8400B000 \SystemRoot\System32\drivers\volmgrx.sys
0x84055000 \SystemRoot\system32\drivers\pciide.sys
0x8405C000 \SystemRoot\system32\drivers\PCIIDEX.SYS
0x8406A000 \SystemRoot\System32\drivers\mountmgr.sys
0x8407A000 \SystemRoot\system32\drivers\atapi.sys
0x84082000 \SystemRoot\system32\drivers\ataport.SYS
0x840A0000 \SystemRoot\system32\drivers\fileinfo.sys
0x840B0000 \SystemRoot\system32\drivers\PCTCore.sys
0x8410B000 \SystemRoot\System32\Drivers\PxHelp20.sys
0x84114000 \SystemRoot\System32\Drivers\ksecdd.sys
0x84206000 \SystemRoot\system32\drivers\ndis.sys
0x84311000 \SystemRoot\system32\drivers\msrpc.sys
0x8433C000 \SystemRoot\system32\drivers\NETIO.SYS
0x8920E000 \SystemRoot\System32\drivers\tcpip.sys
0x892F8000 \SystemRoot\System32\drivers\fwpkclnt.sys
0x8940F000 \SystemRoot\System32\Drivers\Ntfs.sys
0x8951F000 \SystemRoot\system32\drivers\volsnap.sys
0x89560000 \SystemRoot\System32\Drivers\mup.sys
0x8956F000 \SystemRoot\System32\drivers\ecache.sys
0x89596000 \SystemRoot\system32\drivers\disk.sys
0x895A7000 \SystemRoot\system32\drivers\CLASSPNP.SYS
0x895C8000 \SystemRoot\system32\drivers\crcdisk.sys
0x895D1000 \SystemRoot\system32\DRIVERS\AVGIDSEH.Sys
0x89400000 \SystemRoot\system32\DRIVERS\tunnel.sys
0x89313000 \SystemRoot\system32\DRIVERS\tunmp.sys
0x8940B000 \SystemRoot\system32\DRIVERS\cpqbttn.sys
0x8931C000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0x89558000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0x8932C000 \SystemRoot\system32\DRIVERS\wmiacpi.sys
0x895FA000 \SystemRoot\system32\DRIVERS\nvsmu.sys
0x89335000 \SystemRoot\system32\DRIVERS\usbohci.sys
0x8933F000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0x8937D000 \SystemRoot\system32\DRIVERS\usbehci.sys
0x8938C000 \SystemRoot\system32\drivers\Afc.sys
0x89394000 \SystemRoot\system32\DRIVERS\cdrom.sys
0x893AC000 \SystemRoot\System32\Drivers\GEARAspiWDM.sys
0x8D00C000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0x8D099000 \SystemRoot\system32\DRIVERS\nvmfdx32.sys
0x8D400000 \SystemRoot\system32\DRIVERS\athr.sys
0x8D4B9000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0x8D4CC000 \SystemRoot\system32\DRIVERS\HpqKbFiltr.sys
0x8D4D1000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0x8D4DC000 \SystemRoot\system32\DRIVERS\SynTP.sys
0x8D50C000 \SystemRoot\system32\DRIVERS\USBD.SYS
0x8D50E000 \SystemRoot\system32\DRIVERS\mouclass.sys
0x8D519000 \SystemRoot\system32\DRIVERS\msiscsi.sys
0x8D548000 \SystemRoot\system32\DRIVERS\storport.sys
0x8D589000 \SystemRoot\system32\DRIVERS\TDI.SYS
0x8D594000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0x8D5AB000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0x8D5B6000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0x8D5D9000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0x8D5E8000 \SystemRoot\system32\DRIVERS\raspptp.sys
0x8D19A000 \SystemRoot\system32\DRIVERS\rassstp.sys
0x8D1AF000 \SystemRoot\system32\DRIVERS\termdd.sys
0x8D5FC000 \SystemRoot\system32\DRIVERS\swenum.sys
0x8D1BF000 \SystemRoot\system32\DRIVERS\ks.sys
0x8D1E9000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0x8D1F3000 \SystemRoot\system32\DRIVERS\umbus.sys
0x8D000000 \SystemRoot\system32\DRIVERS\kbdhid.sys
0x893B2000 \SystemRoot\system32\DRIVERS\usbhub.sys
0x893E7000 \SystemRoot\System32\Drivers\NDProxy.SYS
0x89200000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0x893F8000 \SystemRoot\System32\Drivers\Null.SYS
0x84377000 \SystemRoot\System32\Drivers\Beep.SYS
0x8437E000 \SystemRoot\System32\drivers\vga.sys
0x8438A000 \SystemRoot\System32\drivers\VIDEOPRT.SYS
0x843AB000 \SystemRoot\System32\drivers\watchdog.sys
0x843B7000 \SystemRoot\system32\drivers\rdpencdd.sys
0x843BF000 \SystemRoot\System32\Drivers\Msfs.SYS
0x843CA000 \SystemRoot\System32\Drivers\Npfs.SYS
0x843D8000 \SystemRoot\System32\DRIVERS\rasacd.sys
0x843E1000 \SystemRoot\system32\DRIVERS\tdx.sys
0x84185000 \??\C:\Windows\System32\drivers\pctgntdi.sys
0x841BC000 \ArcName\multi(0)disk(0)rdisk(0)partition(1)\Windows\system32\drivers\PctWfpFilter.sys
0x841D9000 \SystemRoot\system32\DRIVERS\smb.sys
0x807B7000 \SystemRoot\System32\DRIVERS\netbt.sys
0x8DC03000 \SystemRoot\system32\drivers\afd.sys
0x8DC4B000 \SystemRoot\system32\drivers\ws2ifsl.sys
0x8DC54000 \SystemRoot\system32\DRIVERS\pacer.sys
0x8DC6A000 \SystemRoot\system32\DRIVERS\netbios.sys
0x8DC78000 \SystemRoot\system32\DRIVERS\rdbss.sys
0x8DCB4000 \SystemRoot\system32\drivers\nsiproxy.sys
0x8DCBE000 \SystemRoot\System32\Drivers\dfsc.sys
0x8DCD5000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0x8DCEC000 \SystemRoot\system32\DRIVERS\udfs.sys
0x8DD27000 \SystemRoot\System32\Drivers\crashdmp.sys
0x8DD34000 \SystemRoot\System32\Drivers\dump_dumpata.sys
0x8DD3F000 \SystemRoot\System32\Drivers\dump_atapi.sys
0x81450000 \SystemRoot\System32\win32k.sys
0x8DD47000 \SystemRoot\System32\drivers\Dxapi.sys
0x81660000 \SystemRoot\System32\drivers\dxg.sys
0x81690000 \SystemRoot\System32\TSDDD.dll
0x81710000 \SystemRoot\System32\framebuf.dll
0x8DD51000 \SystemRoot\system32\DRIVERS\nwifi.sys
0x8DD7B000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0x8DD85000 \SystemRoot\system32\DRIVERS\bowser.sys
0x8DD9E000 \SystemRoot\System32\drivers\mpsdrv.sys
0x8DDB3000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0x98404000 \SystemRoot\system32\DRIVERS\mrxsmb10.sys
0x9843D000 \SystemRoot\system32\DRIVERS\mrxsmb20.sys
0x98455000 \SystemRoot\system32\DRIVERS\cdfs.sys
0x76F90000 \Windows\System32\ntdll.dll

Processes (total 25):
0 System Idle Process
4 System
440 C:\Windows\System32\smss.exe
500 csrss.exe
536 csrss.exe
544 C:\Windows\System32\wininit.exe
588 C:\Windows\System32\winlogon.exe
616 C:\Windows\System32\services.exe
632 C:\Windows\System32\lsass.exe
640 C:\Windows\System32\lsm.exe
780 C:\Windows\System32\svchost.exe
836 C:\Windows\System32\svchost.exe
992 C:\Windows\System32\svchost.exe
1044 C:\Windows\System32\svchost.exe
1080 C:\Windows\System32\svchost.exe
1136 C:\Windows\System32\svchost.exe
1152 C:\Windows\System32\svchost.exe
1268 C:\Windows\System32\svchost.exe
1424 C:\Windows\System32\svchost.exe
1684 C:\Windows\System32\svchost.exe
1692 C:\Windows\System32\svchost.exe
1796 C:\Windows\explorer.exe
120 C:\Windows\System32\svchost.exe
1764 C:\Program Files\Windows Media Player\wmpnscfg.exe
1548 C:\Users\Administrator\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x00000019`1018be00 (NTFS)

PhysicalDrive0 Model Number: WDCWD1200BEVS-60UST0, Rev: 01.01A01

Size Device Name MBR Status
--------------------------------------------
111 GB \\.\PhysicalDrive0 Windows 2008 MBR code detected
SHA1: 8DF43F2BDE2D9451948FA14B5279969C777A7979


Done!

Thanks

#14 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:06:32 AM

Posted 09 December 2010 - 06:12 PM

That's done the trick :thumbup2:

Please run ComboFix again and let's see if that removes the rootkit now.
m0le is a proud member of UNITE

#15 HannahPethen

HannahPethen
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  • Local time:06:32 AM

Posted 09 December 2010 - 07:49 PM

It's good that the recovery disk worked to fix the MBR. I have run ComboFix again. Here is the log:

ComboFix 10-12-08.04 - Administrator 10/12/2010 0:19.1.2 - x86 NETWORK
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.1982.1438 [GMT 0:00]
Running from: c:\users\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\users\Administrator\Desktop\CFScript.txt
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Created a new restore point

FILE ::
"C:\kxldypog.sys"
"c:\users\john\AppData\Local\Lsepag.bin"
"c:\windows\system32\drivers\geasszw.sys"
"c:\windows\system32\drivers\lbmmjpcv.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\geasszw.sys . . . . Failed to delete
.
---- Previous Run -------
.
c:\windows\system32\drivers\geasszw.sys . . . . Failed to delete

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_geasszw
-------\Service_geasszw
-------\Legacy_GEASSZW
-------\Service_geasszw


((((((((((((((((((((((((( Files Created from 2010-11-10 to 2010-12-10 )))))))))))))))))))))))))))))))
.

2010-12-10 00:26 . 2010-12-10 00:26 -------- d-----w- c:\users\john\AppData\Local\temp
2010-12-10 00:26 . 2010-12-10 00:26 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-12-06 19:33 . 2010-12-06 19:33 -------- d-----w- C:\TDSSKiller_Quarantine
2010-11-23 20:19 . 2010-11-23 20:19 -------- d-----w- c:\users\Administrator
2010-11-23 15:56 . 2010-10-07 23:21 6146896 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{31250762-9F82-42B0-9E90-CA0FD105170F}\mpengine.dll
2010-11-11 14:15 . 2010-10-07 11:37 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-12-10 00:41 . 2010-10-14 16:46 842240 ----a-w- c:\windows\system32\drivers\geasszw.sys
2010-10-19 10:41 . 2009-10-13 12:33 222080 ----a-w- c:\windows\system32\MpSigStub.exe
2010-09-13 15:27 . 2010-09-13 15:27 25680 ----a-w- c:\windows\system32\drivers\AVGIDSEH.sys
2010-09-13 13:56 . 2010-10-14 19:09 8147456 ----a-w- c:\windows\system32\wmploc.DLL
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WindowsWelcomeCenter"="oobefldr.dll" [2009-04-11 2153472]
"HPADVISOR"="c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe" [2007-10-01 1783136]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WAWifiMessage"="c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2007-01-08 311296]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-03-28 1045800]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-12-04 13556256]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-12-04 92704]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-03-16 47392]
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2010-05-11 1287120]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-04-29 1090952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"="grpconv -o" [X]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [2010-02-02 51984]
R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [2010-02-02 59664]
R1 RapportKELL;RapportKELL;c:\program files\Trusteer\Rapport\bin\RapportKELL.sys [2010-07-01 59240]
R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [2010-07-01 166632]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [2010-07-19 198608]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [2010-07-01 840936]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2010-03-11 366840]
R3 APL531;OVT Scanner;c:\windows\system32\Drivers\ov550i.sys [2006-07-31 580992]
R3 pctplsg;pctplsg;c:\windows\System32\drivers\pctplsg.sys [2010-04-08 63360]
R3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [2010-02-02 33552]
R3 ThreatFire;ThreatFire;c:\program files\Spyware Doctor\TFEngine\TFService.exe service [x]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S0 AVGIDSEH;AVGIDSEH;c:\windows\system32\DRIVERS\AVGIDSEH.Sys [2010-09-13 25680]
S0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2010-03-29 218592]
S1 pctgntdi;pctgntdi;c:\windows\System32\drivers\pctgntdi.sys [2010-02-05 233136]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - CFCATCHME
*Deregistered* - CFcatchme
*Deregistered* - geasszw

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2007-08-23 16:34 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder

2010-12-05 c:\windows\Tasks\GlaryInitialize.job
- c:\program files\Glary Utilities\initialize.exe [2010-10-27 20:55]

2010-12-10 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-05-04 12:01]

2010-12-10 c:\windows\Tasks\User_Feed_Synchronization-{3B2F4999-56A4-4DBF-BF13-AC05972B3087}.job
- c:\windows\system32\msfeedssync.exe [2010-10-14 04:25]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_gb&c=81&bd=HP&pf=laptop
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_gb&c=81&bd=HP&pf=laptop
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
LSP: c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
.
- - - - ORPHANS REMOVED - - - -

HKLM-RunOnce-<NO NAME> - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-10 00:39
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\geasszw]

.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-759214962-1265539685-4049476873-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,29,40,38,83,d1,7c,ca,4b,bc,6c,04,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,29,40,38,83,d1,7c,ca,4b,bc,6c,04,\

[HKEY_USERS\S-1-5-21-759214962-1265539685-4049476873-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice]
@Denied: (2) (Administrator)
"Progid"="IE.AssocFile.HTM"

[HKEY_USERS\S-1-5-21-759214962-1265539685-4049476873-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice]
@Denied: (2) (Administrator)
"Progid"="IE.AssocFile.HTM"

[HKEY_USERS\S-1-5-21-759214962-1265539685-4049476873-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\UserChoice]
@Denied: (2) (Administrator)
"Progid"="IE.AssocFile.MHT"

[HKEY_USERS\S-1-5-21-759214962-1265539685-4049476873-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\UserChoice]
@Denied: (2) (Administrator)
"Progid"="IE.AssocFile.MHT"

[HKEY_USERS\S-1-5-21-759214962-1265539685-4049476873-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.sys\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Applications\\notepad.exe"

[HKEY_USERS\S-1-5-21-759214962-1265539685-4049476873-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.url\UserChoice]
@Denied: (2) (Administrator)
"Progid"="IE.AssocFile.URL"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b4
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Windows Media Player\wmpnscfg.exe
c:\windows\system32\NOTEPAD.EXE
.
**************************************************************************
.
Completion time: 2010-12-10 00:46:46 - machine was rebooted
ComboFix-quarantined-files.txt 2010-12-10 00:46
ComboFix2.txt 2010-12-06 00:26
ComboFix3.txt 2010-12-05 23:45
ComboFix4.txt 2010-12-04 21:33
ComboFix5.txt 2010-12-09 23:44

Pre-Run: 30,953,426,944 bytes free
Post-Run: 30,897,246,208 bytes free

- - End Of File - - 75CEFF16030FD1007120E41217F8FCA5

Thanks



