
Something's on my Computer....Don't know what.


This topic is locked
37 replies to this topic

#1 justpassinthru2k (Members, 21 posts)
Posted 22 December 2010 - 07:08 AM

New to the forums. Have had this issue for quite some time now and have decided to ask for help. I am running an XP Pro SP3 P4 3.2 gig dual proc with about 2 TB of disk storage and 2 gig of DDR2 RAM, firewalled desktop behind a router. I have had my share of infections for which I have (I think) disinfected. I do believe I have something on my box still, which I cannot find with all the programs and utilities I have used. I am an IT professional and work with disinfections on an almost daily basis; however, totally cleaning up my own personal home machine has become a challenge. Two main issues are: computer is EXTREMELY slow re-booting / shutting down and I cannot run Combofix. Combofix just sits at the window stating that a badly infected machine can take longer than 10 minutes. I have run numerous utilities (will not name them in the forum unless asked to do so) as well as running System File Checker, cleaned out C:\Documents and Settings\ray\Local Settings\temp, C:\Documents and Settings\ray\Local Settings\Temporary Internet Files and C:\WINDOWS\temp. I have cleaned out the registry with several utilities, all of which were up to date. Malwarebytes has occasionally found and disinfected items but my main two issues remain unaffected. I have successfully run Combofix in the past but as of about a month ago I have begun experiencing this "hanging / do nothing" issue. I would like to work with somebody who will systematically diagnose this issue so I can resolve this infection once and for all. I am awaiting your helpful response.

I have completed steps 1 thru 6 in the "Preparation Guide for use before using Malware Removal Tools". I downloaded and ran the "DDS" tool, and right after the DOS window opens up I get a "Windows - No Disk" error message stating "Exception Processing Message c0000013 Parameters 75b6bf7c 4 75b6bf7c 75b6bf7c". If I click on Try Again, I get the same message back. If I click on Continue, the colons start appearing and after 51 colons it just stays there without incrementing. I cannot "X" out nor kill it in Task Manager. So, I ran another instance of "DDS", leaving the hung one hung, and I got my reports.

Now in running GMER, the instance shows up in Task Manager but I see no activity on my desktop, no windows open for me to uncheck boxes as per the directions. CPU usage running from the low 40s % to 100%. After numerous attempts, GMER ran successfully with the exception of receiving the same error, "Exception Processing Message c0000013 Parameters 75b6bf7c 4 75b6bf7c 75b6bf7c", 6 times when I started GMER. After clicking Continue 6 times I was able to complete the scan. Awaiting your response.

DDS LOG:

DDS (Ver_10-12-12.02) - NTFSx86
Run by ray at 11:29:49.95 on Tue 12/21/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_23
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1482 [GMT -5:00]

AV: Sophos Anti-Virus *Disabled/Updated* {3F13C776-3CBE-4DE9-8BF6-09E5183CA2BD}
AV: Sunbelt VIPRE *Disabled/Updated* {964FCE60-0B18-4D30-ADD6-EB178909041C}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Creative\Shared Files\CTAudSvc.exe
C:\WINDOWS\system32\logonui.exe
svchost.exe
C:\WINDOWS\system32\PackethSvc.exe
C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\crypserv.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\logon.scr
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Itiva\Itiva Media Accelerator\ItivaMediaAccelerator.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Program Files\Mustek 1200 UB Plus\Driver\WATCH.exe
C:\Program Files\Creative\Sound Blaster X-Fi\Entertainment Center\EAXLoadr.exe
C:\Program Files\Creative\ShareDLL\CADI\NotiMan.exe
C:\Documents and Settings\ray\Local Settings\temp\5.tmp\MBR.DAT
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\ray\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.optimum.net/optonline
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mURLSearchHooks: H - No File
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Sophos Web Content Scanner: {39ea7695-b3f2-4c44-a4bc-297ada8fd235} - c:\program files\sophos\sophos anti-virus\SophosBHO.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
EB: {555D4D79-4BD2-4094-A395-CFC534424A05} - No File
mRun: [Itiva Media Accelerator] c:\program files\itiva\itiva media accelerator\ItivaMediaAccelerator.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [JMB36X IDE Setup] c:\windows\jm\JMInsIDE.exe
mRun: [JMB36X Configure] c:\windows\system32\JMRaidSetup.exe boot
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [QuickTime Task] "d:\program files\k-lite codec pack\quicktime\qttask.exe" -atboottime
mRun: [Module Loader] c:\program files\creative\shared files\module loader\DLLML.exe -StartUpRun
mRun: [VolPanel] "c:\program files\creative\sound blaster x-fi\volume panel\VolPanlu.exe" /r
mRun: [CTxfiHlp] CTXFIHLP.EXE
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SkyTel] SkyTel.EXE
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [AlcWzrd] ALCWZRD.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSCONFIG.EXE /auto
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
dRunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\watch.lnk - c:\program files\mustek 1200 ub plus\driver\WATCH.exe
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim95\aim.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522}
Trusted Zone: microsoft.com\www.update
Trusted Zone: optimum.net\www
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/sites/production/ieawsdc32.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=58813
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {A5A76EA0-7B92-4707-9DBF-6F6FE56A6800} - hxxp://scan.networkmagic.com/nmscan/download/WebDiag.4.5.8056.1-ship-WD.V1.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} - hxxp://cablevision.oberon-media.com/Gameshell/GameHost/1.0/OberonGameHost.cab
DPF: {D4B68B83-8710-488B-A692-D74B50BA558E} - hxxp://ccfiles.creative.com/Web/softwareupdate/ocx/15113/CTPIDPDE.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://ccfiles.creative.com/Web/softwareupdate/ocx/15113/CTPID.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\ray\applic~1\mozilla\firefox\profiles\o6q6lbgy.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.live.com/results.aspx?FORM=SOLTDF&q=
FF - prefs.js: browser.search.selectedEngine - Live Search
FF - prefs.js: browser.startup.homepage - hxxp://www.optonline.net/Home
FF - prefs.js: keyword.URL - hxxp://search.live.com/results.aspx?FORM=SOLTDF&q=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - d:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - d:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - d:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - d:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - d:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: TVU Web Player: firefox@tvunetworks.com - %profile%\extensions\firefox@tvunetworks.com
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: Move Media Player: moveplayer@movenetworks.com - c:\documents and settings\ray\application data\Move Networks

---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
============= SERVICES / DRIVERS ===============

R0 PzWDM;PzWDM;c:\windows\system32\drivers\PzWDM.sys [2010-3-15 15172]
R0 SI3112r;Silicon Image SiI 3112 SATARaid Controller;c:\windows\system32\drivers\SI3112r.sys [2006-3-17 116264]
R1 ATMhelpr;ATMhelpr;c:\windows\system32\drivers\ATMHELPR.SYS [2006-3-18 4064]
R1 SAVOnAccessControl;SAVOnAccessControl;c:\windows\system32\drivers\savonaccesscontrol.sys [2010-12-13 153344]
R1 SAVOnAccessFilter;SAVOnAccessFilter;c:\windows\system32\drivers\savonaccessfilter.sys [2010-12-13 24064]
R1 SAVRKBootTasks;Boot Tasks Driver;c:\windows\system32\SAVRKBootTasks.sys [2010-12-11 18816]
R2 SVKP;SVKP;c:\windows\system32\SVKP.sys [2009-10-29 2368]
R3 CT20XUT.SYS;CT20XUT.SYS;c:\windows\system32\drivers\CT20XUT.sys [2010-2-26 171032]
R3 CTEXFIFX.SYS;CTEXFIFX.SYS;c:\windows\system32\drivers\CTEXFIFX.sys [2010-2-26 1324056]
S3 BENDER;Pinnacle DV/AV Capture;c:\windows\system32\drivers\bender.sys [2006-3-19 203264]
S3 CT20XUT;CT20XUT;c:\windows\system32\drivers\CT20XUT.sys [2010-2-26 171032]
S3 CTEXFIFX;CTEXFIFX;c:\windows\system32\drivers\CTEXFIFX.sys [2010-2-26 1324056]
S3 CTHWIUT.SYS;CTHWIUT.SYS;c:\windows\system32\drivers\CTHWIUT.sys [2010-2-26 72728]
S3 CTHWIUT;CTHWIUT;c:\windows\system32\drivers\CTHWIUT.sys [2010-2-26 72728]
S3 qcmdmxp;HTC Proprietary USB Driver (PID 0B03);c:\windows\system32\drivers\qcmdmxp.sys [2006-12-27 92800]
S3 qcserxp;HTC Diagnostic Port (PID 0B03);c:\windows\system32\drivers\qcserxp.sys [2006-12-27 92800]
S3 rkhdrv40;Rootkit Unhooker Driver; [x]
S4 SophosBootDriver;SophosBootDriver;c:\windows\system32\drivers\SophosBootDriver.sys [2010-12-12 14976]

=============== File Associations ===============

.txt=

=============== Created Last 30 ================

2010-12-21 14:13:13 -------- d-----w- c:\program files\HIDE
2010-12-21 02:26:17 -------- d-----w- c:\windows\F3C1DE9E5E164BA9B8547B53A45E3579.TMP
2010-12-21 01:56:21 3584 ----a-r- c:\docume~1\ray\applic~1\microsoft\installer\{121634b0-2f4b-11d3-ada3-00c04f52dd52}\Icon386ED4E3.exe
2010-12-20 23:27:19 -------- d-----w- C:\JM
2010-12-20 23:12:55 49152 ------r- c:\windows\system32\ChCfg.exe
2010-12-20 23:12:36 2879488 ------r- c:\windows\SkyTel.exe
2010-12-20 23:11:52 -------- d-----w- c:\program files\Realtek
2010-12-20 23:11:43 499712 ------r- c:\windows\RtlExUpd.dll
2010-12-20 23:07:57 6912 ----a-r- c:\windows\system32\drivers\JGOGO.sys
2010-12-20 22:57:56 -------- d-----w- c:\windows\NV31003104.TMP
2010-12-20 15:00:47 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-20 15:00:44 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-14 00:36:30 -------- d-----w- c:\docume~1\alluse~1\applic~1\Sophos Web Intelligence
2010-12-14 00:35:52 -------- d-----w- c:\program files\common files\Cisco Systems
2010-12-14 00:35:48 28912 ------w- c:\windows\system32\SophosBootTasks.exe
2010-12-13 16:55:23 -------- d-----w- c:\docume~1\ray\locals~1\applic~1\Sophos
2010-12-13 16:53:07 -------- d-----w- c:\docume~1\alluse~1\applic~1\Sophos
2010-12-13 16:52:23 24064 ------w- c:\windows\system32\drivers\savonaccessfilter.sys
2010-12-13 16:52:23 153344 ------w- c:\windows\system32\drivers\savonaccesscontrol.sys
2010-12-13 16:52:21 -------- d-----w- C:\stdtsa
2010-12-13 15:30:18 -------- d-----w- C:\RemovalTool
2010-12-13 02:36:34 14976 ------w- c:\windows\system32\drivers\SophosBootDriver.sys
2010-12-13 02:36:31 -------- d-----w- C:\savw_95_sa
2010-12-11 21:19:43 18816 ------w- c:\windows\system32\SAVRKBootTasks.sys
2010-12-07 23:14:54 -------- d-----w- c:\docume~1\ray\applic~1\PriceGong
2010-12-05 19:37:54 -------- d-----w- c:\docume~1\alluse~1\applic~1\SecTaskMan
2010-12-05 05:20:09 -------- d-----w- C:\RkUnhooker
2010-12-03 01:43:08 805400 ------r- c:\windows\system32\tmp5CB1.tmp
2010-12-03 01:43:08 805400 ------r- c:\windows\system32\tmp5CB0.tmp
2010-12-03 01:42:42 25600 ------w- c:\windows\system32\Ctxfihlp.exe
2010-12-03 01:42:19 53248 ------w- c:\windows\system32\ctdproxy.dll
2010-12-03 00:21:02 116224 -c----w- c:\windows\system32\dllcache\xrxwiadr.dll
2010-12-03 00:20:58 23040 -c----w- c:\windows\system32\dllcache\xrxwbtmp.dll
2010-12-03 00:20:52 27648 -c----w- c:\windows\system32\dllcache\xrxftplt.exe
2010-12-03 00:20:49 4608 -c----w- c:\windows\system32\dllcache\xrxflnch.exe
2010-12-03 00:20:33 99865 -c----w- c:\windows\system32\dllcache\xlog.exe
2010-12-03 00:20:29 16970 -c----w- c:\windows\system32\dllcache\xem336n5.sys
2010-12-03 00:20:28 19455 -c----w- c:\windows\system32\dllcache\wvchntxx.sys
2010-12-03 00:20:25 12063 -c----w- c:\windows\system32\dllcache\wsiintxx.sys
2010-12-03 00:20:24 8192 -c----w- c:\windows\system32\dllcache\wshirda.dll
2010-12-03 00:20:13 8832 -c----w- c:\windows\system32\dllcache\wmiacpi.sys
2010-12-03 00:20:12 154624 -c----w- c:\windows\system32\dllcache\wlluc48.sys
2010-12-03 00:20:09 34890 -c----w- c:\windows\system32\dllcache\wlandrv2.sys
2010-12-03 00:18:57 24576 -c----w- c:\windows\system32\dllcache\viairda.sys
2010-12-03 00:17:59 50688 -c----w- c:\windows\system32\dllcache\umaxscan.dll
2010-12-03 00:16:58 230912 -c----w- c:\windows\system32\dllcache\tosdvd03.sys
2010-12-03 00:16:55 241664 -c----w- c:\windows\system32\dllcache\tosdvd02.sys
2010-12-03 00:16:52 28232 -c----w- c:\windows\system32\dllcache\tos4mo.sys
2010-12-03 00:16:47 123995 -c----w- c:\windows\system32\dllcache\tjisdn.sys
2010-12-03 00:16:25 138528 -c----w- c:\windows\system32\dllcache\tgiulnt5.sys
2010-12-03 00:16:22 81408 -c----w- c:\windows\system32\dllcache\tgiul50.dll
2010-12-03 00:16:21 149376 -c----w- c:\windows\system32\dllcache\tffsport.sys
2010-12-03 00:16:18 17129 -c----w- c:\windows\system32\dllcache\tdkcd31.sys
2010-12-03 00:16:15 37961 -c----w- c:\windows\system32\dllcache\tdk100b.sys
2010-12-03 00:16:11 30464 -c----w- c:\windows\system32\dllcache\tbatm155.sys
2010-12-03 00:16:07 7040 -c----w- c:\windows\system32\dllcache\tandqic.sys
2010-12-03 00:16:04 36640 -c----w- c:\windows\system32\dllcache\t2r4mini.sys
2010-12-03 00:16:02 172768 -c----w- c:\windows\system32\dllcache\t2r4disp.dll
2010-12-03 00:14:57 24660 -c----w- c:\windows\system32\dllcache\spxupchk.dll
2010-12-03 00:14:53 61824 -c----w- c:\windows\system32\dllcache\speed.sys
2010-12-03 00:14:50 106584 -c----w- c:\windows\system32\dllcache\spdports.dll
2010-12-03 00:14:48 19072 -c----w- c:\windows\system32\dllcache\sparrow.sys
2010-12-03 00:14:45 7552 -c----w- c:\windows\system32\dllcache\sonypvu1.sys
2010-12-03 00:14:42 37040 -c----w- c:\windows\system32\dllcache\sonypi.sys
2010-12-03 00:14:39 114688 -c----w- c:\windows\system32\dllcache\sonypi.dll
2010-12-03 00:14:37 20752 -c----w- c:\windows\system32\dllcache\sonync.sys
2010-12-03 00:14:34 9600 -c----w- c:\windows\system32\dllcache\sonymc.sys
2010-12-03 00:14:33 7552 -c----w- c:\windows\system32\dllcache\sonyait.sys
2010-12-03 00:14:30 7040 -c----w- c:\windows\system32\dllcache\snyaitmc.sys
2010-12-03 00:14:14 58368 -c----w- c:\windows\system32\dllcache\smiminib.sys
2010-12-03 00:14:11 147200 -c----w- c:\windows\system32\dllcache\smidispb.dll
2010-12-03 00:12:57 161568 -c----w- c:\windows\system32\dllcache\sgsmusb.sys
2010-12-03 00:11:59 179264 -c----w- c:\windows\system32\dllcache\s3sav3d.dll
2010-12-03 00:10:54 19584 -c----w- c:\windows\system32\dllcache\rasirda.sys
2010-12-03 00:09:58 17792 -c----w- c:\windows\system32\dllcache\ppa.sys
2010-12-03 00:08:58 29769 -c----w- c:\windows\system32\dllcache\pcntn5m.sys
2010-12-03 00:07:58 54528 -c----w- c:\windows\system32\dllcache\opl3sax.sys
2010-12-03 00:06:58 33088 -c----w- c:\windows\system32\dllcache\n9i128v2.sys
2010-12-03 00:05:56 6528 -c----w- c:\windows\system32\dllcache\miniqic.sys
2010-12-03 00:04:53 70730 -c----w- c:\windows\system32\dllcache\lne100tx.sys
2010-12-03 00:04:50 20573 -c----w- c:\windows\system32\dllcache\lne100.sys
2010-12-03 00:04:48 25065 -c----w- c:\windows\system32\dllcache\lmndis3.sys
2010-12-03 00:04:42 15744 -c----w- c:\windows\system32\dllcache\lit220p.sys
2010-12-03 00:04:41 34688 -c----w- c:\windows\system32\dllcache\lbrtfdc.sys
2010-12-03 00:04:38 26442 -c----w- c:\windows\system32\dllcache\lanepic5.sys
2010-12-03 00:04:36 19016 -c----w- c:\windows\system32\dllcache\ktc111.sys
2010-12-03 00:04:33 37376 -c----w- c:\windows\system32\dllcache\kousd.dll
2010-12-03 00:04:20 8192 -c----w- c:\windows\system32\dllcache\kbdkor.dll
2010-12-03 00:04:18 8704 -c----w- c:\windows\system32\dllcache\kbdjpn.dll
2010-12-03 00:04:05 5632 -c----w- c:\windows\system32\dllcache\kbd103.dll
2010-12-03 00:04:03 6144 -c----w- c:\windows\system32\dllcache\kbd101c.dll
2010-12-03 00:04:01 6144 -c----w- c:\windows\system32\dllcache\kbd101b.dll
2010-12-03 00:02:55 372824 -c----w- c:\windows\system32\dllcache\iconf32.dll
2010-12-03 00:01:59 199711 -c----w- c:\windows\system32\dllcache\hsf_faxx.sys
2010-12-03 00:00:59 1733120 -c----w- c:\windows\system32\dllcache\g400d.dll
2010-12-02 23:59:56 7040 -c----w- c:\windows\system32\dllcache\exabyte2.sys
2010-12-02 23:58:59 114944 -c----w- c:\windows\system32\dllcache\epstw2k.sys
2010-12-02 23:57:59 41046 -c----w- c:\windows\system32\dllcache\digiisdn.dll
2010-12-02 23:56:52 39936 -c----w- c:\windows\system32\dllcache\cnxt1803.sys
2010-12-02 23:55:59 60416 -c----w- c:\windows\system32\dllcache\brserwdm.sys
2010-12-02 23:54:59 462848 -c----w- c:\windows\system32\dllcache\a3dapi.dll
2010-12-02 23:54:59 23552 -c----w- c:\windows\system32\dllcache\abp480n5.sys
2010-12-02 23:54:59 231552 -c----w- c:\windows\system32\dllcache\ac97ali.sys
2010-12-02 23:54:58 60928 ------r- c:\windows\system32\OLD147.tmp
2010-12-02 23:54:58 38400 -c----w- c:\windows\system32\dllcache\8514a.dll
2010-12-02 23:54:57 48128 -c----w- c:\windows\system32\dllcache\61883.sys
2010-12-02 23:54:56 148352 -c----w- c:\windows\system32\dllcache\3dfxvsm.sys
2010-12-02 23:54:56 12288 -c----w- c:\windows\system32\dllcache\4mmdat.sys
2010-12-02 23:54:55 762780 -c----w- c:\windows\system32\dllcache\3cwmcru.sys
2010-12-02 23:54:55 689216 -c----w- c:\windows\system32\dllcache\3dfxvs.dll
2010-12-02 23:54:55 11264 -c----w- c:\windows\system32\dllcache\1394vdbg.sys
2010-12-02 23:54:35 66048 -c----w- c:\windows\system32\dllcache\s3legacy.dll
2010-12-02 23:36:44 -------- d-----w- c:\windows\system32\wbem\repository.tmp\FS
2010-12-02 23:36:43 -------- d-----w- c:\windows\system32\wbem\Repository.tmp
2010-12-02 23:27:47 -------- d-----w- c:\windows\system32\wbem\repository(5).tmp\FS
2010-12-02 23:27:47 -------- d-----w- c:\windows\system32\wbem\Repository(5).tmp
2010-12-02 03:00:42 -------- d-----w- c:\windows\system32\wbem\repository(4).tmp\FS
2010-12-02 03:00:42 -------- d-----w- c:\windows\system32\wbem\Repository(4).tmp
2010-12-02 02:47:20 -------- d-----w- c:\windows\system32\wbem\repository(3).tmp\FS
2010-12-02 02:47:20 -------- d-----w- c:\windows\system32\wbem\Repository(3).tmp
2010-12-02 02:25:59 805400 ------r- c:\windows\system32\tmpAB.tmp
2010-12-02 02:25:59 805400 ------r- c:\windows\system32\tmpAA.tmp
2010-12-02 00:11:03 805400 ------r- c:\windows\system32\tmpA7.tmp
2010-12-02 00:11:03 805400 ------r- c:\windows\system32\tmpA6.tmp
2010-12-01 02:59:33 -------- d-----w- c:\windows\system32\wbem\repository(2).tmp\FS
2010-12-01 02:59:33 -------- d-----w- c:\windows\system32\wbem\Repository(2).tmp
2010-11-30 22:54:57 805400 ------r- c:\windows\system32\tmpA9.tmp
2010-11-30 22:54:57 805400 ------r- c:\windows\system32\tmpA8.tmp

==================== Find3M ====================

2010-11-18 18:12:44 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-12 23:53:06 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-11-12 21:34:10 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-11-08 06:20:24 89088 ----a-w- c:\windows\MBR.exe
2010-11-06 00:26:58 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:26:58 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-06 00:26:58 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-11-03 12:25:54 385024 ------w- c:\windows\system32\html.iec
2010-10-28 13:13:22 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25:00 1853312 ----a-w- c:\windows\system32\win32k.sys

============= FINISH: 11:40:08.07 ===============

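A first-pass triage of a DDS log of this shape can be scripted. The Python below is an added example written for this page, not a BleepingComputer tool and not part of the thread; the sample input is an excerpt of the log posted above. It splits the log into its banner sections and flags the entries a helper reads first: AV products that Security Center reports as Disabled, more than one AV product registered at once, processes running out of a temp directory, "No File" orphan entries, the `MSCONFIG.EXE /auto` Run entry that means the machine is in selective startup, sites added to IE's Trusted Zone, and service/driver entries DDS prints with `[x]` where it could not find the file. Every hit is a prompt to verify, not a verdict; DDS's own helper files can trip the temp-directory check.

```python
"""Triage a DDS log: pull out the lines a malware-removal helper reads first.

Added example, not a BleepingComputer or DDS tool. The sample log is an
excerpt of the log posted in the thread above.
"""
import re
from typing import Dict, List, Tuple

# Excerpt of the DDS log from the thread (raw string, so the backslashes are literal).
SAMPLE_LOG = r"""DDS (Ver_10-12-12.02) - NTFSx86
AV: Sophos Anti-Virus *Disabled/Updated* {3F13C776-3CBE-4DE9-8BF6-09E5183CA2BD}
AV: Sunbelt VIPRE *Disabled/Updated* {964FCE60-0B18-4D30-ADD6-EB178909041C}

============== Running Processes ===============

C:\WINDOWS\system32\spoolsv.exe
C:\Documents and Settings\ray\Local Settings\temp\5.tmp\MBR.DAT
C:\Documents and Settings\ray\Desktop\dds.scr

============== Pseudo HJT Report ===============

BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSCONFIG.EXE /auto
Trusted Zone: optimum.net\www

============= SERVICES / DRIVERS ===============

R2 SVKP;SVKP;c:\windows\system32\SVKP.sys [2009-10-29 2368]
S3 rkhdrv40;Rootkit Unhooker Driver; [x]
"""

# Directories a legitimate service or startup program has no business running from.
TEMP_MARKERS = ("\\local settings\\temp\\", "\\windows\\temp\\", "\\temporary internet files\\")

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")

Finding = Tuple[str, str]


def parse_sections(text: str) -> Dict[str, List[str]]:
    """Split a DDS log into its '===== NAME =====' sections.

    Lines before the first banner (the DDS/OS/AV header) go under 'HEADER'.
    Blank lines are dropped.
    """
    sections: Dict[str, List[str]] = {"HEADER": []}
    current = "HEADER"
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).upper()
            sections.setdefault(current, [])
        elif line.strip():
            sections[current].append(line.rstrip())
    return sections


def triage(text: str) -> List[Finding]:
    """Return (category, line) pairs for the entries worth a closer look."""
    sec = parse_sections(text)
    findings: List[Finding] = []

    # Security Center status: a product reporting Disabled is not protecting anything,
    # and two real-time AV products installed at once is a common cause of a slow box.
    av_lines = [l for l in sec["HEADER"] if l.startswith("AV: ")]
    findings += [("av_disabled", l) for l in av_lines if "*Disabled" in l]
    if len(av_lines) > 1:
        findings.append(("multiple_av", f"{len(av_lines)} AV products registered with Security Center"))

    # Running code living in a temp directory (DDS's own helper can trip this too; verify).
    for proc in sec.get("RUNNING PROCESSES", []):
        if any(marker in proc.lower() for marker in TEMP_MARKERS):
            findings.append(("process_in_temp", proc))

    # Registry entries: orphans ('No File'), selective startup via msconfig, and
    # sites added to IE's Trusted Zone (which get relaxed security settings).
    for entry in sec.get("PSEUDO HJT REPORT", []):
        if entry.endswith("- No File"):
            findings.append(("orphaned_entry", entry))
        elif entry.startswith("mRun: [MSConfig]"):
            findings.append(("selective_startup", entry))
        elif entry.startswith("Trusted Zone:"):
            findings.append(("trusted_zone", entry))

    # Service/driver entries DDS prints with '[x]' instead of a path and timestamp.
    for svc in sec.get("SERVICES / DRIVERS", []):
        if svc.endswith("[x]"):
            findings.append(("service_file_missing", svc))

    return findings


if __name__ == "__main__":
    for category, line in triage(SAMPLE_LOG):
        print(f"{category:22} {line}")
```

Run against a full DDS log saved to a file, the same `triage()` call gives a short list to work from before reading the log line by line; the categories are deliberately coarse so that a hit sends you back to the log rather than standing in for it.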
#2 Shannon2012 (Security Colleague, 3,657 posts, North Carolina, USA)

Posted 30 December 2010 - 01:24 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review your topic and do their best to resolve your issues.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed; the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


Shannon

#3 justpassinthru2k (Topic Starter, Members, 21 posts)

Posted 31 December 2010 - 03:47 PM

Having a hard time running DDS.scr and GMER. The initial DDS startup will count up about 52 colons and just stay there. Cannot cancel the app or shut down the machine unless I do a HARD restart or shutdown. However, if I leave that window open and start a new instance of DDS, it will complete within 3 minutes. Also, DDS is giving the same repetitive error message after first starting: "Windows - No Disk" error message stating "Exception Processing Message c0000013 Parameters 75b6bf7c 4 75b6bf7c 75b6bf7c". I can click on Continue 6 times to get it to run. Attached is the log. GMER version 1.0.15.15530 will not run. Shows it in Device Manager at 50% and cannot stop or cancel it. Never get the box to begin the scan. GMER version 1.0.15.15281 I can get to run and those results are attached.

DDS Log

DDS (Ver_10-12-12.02) - NTFSx86
Run by ray at 8:38:11.14 on Fri 12/31/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_23
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1595 [GMT -5:00]

AV: Sophos Anti-Virus *Disabled/Updated* {3F13C776-3CBE-4DE9-8BF6-09E5183CA2BD}
AV: Sunbelt VIPRE *Disabled/Updated* {964FCE60-0B18-4D30-ADD6-EB178909041C}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Creative\Shared Files\CTAudSvc.exe
svchost.exe
C:\WINDOWS\system32\PackethSvc.exe
C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\crypserv.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\ray\Local Settings\temp\6.tmp\MBR.DAT
C:\WINDOWS\system32\taskmgr.exe
C:\Documents and Settings\ray\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.optimum.net/optonline
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mURLSearchHooks: H - No File
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Sophos Web Content Scanner: {39ea7695-b3f2-4c44-a4bc-297ada8fd235} - c:\program files\sophos\sophos anti-virus\SophosBHO.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
EB: {555D4D79-4BD2-4094-A395-CFC534424A05} - No File
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSCONFIG.EXE /auto
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
dRunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim95\aim.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522}
Trusted Zone: microsoft.com\www.update
Trusted Zone: optimum.net\www
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/sites/production/ieawsdc32.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=58813
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {A5A76EA0-7B92-4707-9DBF-6F6FE56A6800} - hxxp://scan.networkmagic.com/nmscan/download/WebDiag.4.5.8056.1-ship-WD.V1.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} - hxxp://cablevision.oberon-media.com/Gameshell/GameHost/1.0/OberonGameHost.cab
DPF: {D4B68B83-8710-488B-A692-D74B50BA558E} - hxxp://ccfiles.creative.com/Web/softwareupdate/ocx/15113/CTPIDPDE.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://ccfiles.creative.com/Web/softwareupdate/ocx/15113/CTPID.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\ray\applic~1\mozilla\firefox\profiles\o6q6lbgy.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.live.com/results.aspx?FORM=SOLTDF&q=
FF - prefs.js: browser.search.selectedEngine - Live Search
FF - prefs.js: browser.startup.homepage - hxxp://www.optonline.net/Home
FF - prefs.js: keyword.URL - hxxp://search.live.com/results.aspx?FORM=SOLTDF&q=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - d:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - d:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - d:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - d:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - d:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: TVU Web Player: firefox@tvunetworks.com - %profile%\extensions\firefox@tvunetworks.com
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: Move Media Player: moveplayer@movenetworks.com - c:\documents and settings\ray\application data\Move Networks

---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
============= SERVICES / DRIVERS ===============

R0 PzWDM;PzWDM;c:\windows\system32\drivers\PzWDM.sys [2010-3-15 15172]
R0 SI3112r;Silicon Image SiI 3112 SATARaid Controller;c:\windows\system32\drivers\SI3112r.sys [2006-3-17 116264]
R1 ATMhelpr;ATMhelpr;c:\windows\system32\drivers\ATMHELPR.SYS [2006-3-18 4064]
R1 SAVOnAccessControl;SAVOnAccessControl;c:\windows\system32\drivers\savonaccesscontrol.sys [2010-12-13 153344]
R1 SAVOnAccessFilter;SAVOnAccessFilter;c:\windows\system32\drivers\savonaccessfilter.sys [2010-12-13 24064]
R1 SAVRKBootTasks;Boot Tasks Driver;c:\windows\system32\SAVRKBootTasks.sys [2010-12-11 18816]
R2 PackethSvc;Virtual NIC Service;c:\windows\system32\PackethSvc.exe [2006-11-11 51200]
R2 SVKP;SVKP;c:\windows\system32\SVKP.sys [2009-10-29 2368]
R3 CT20XUT.SYS;CT20XUT.SYS;c:\windows\system32\drivers\CT20XUT.sys [2010-2-26 171032]
R3 CTEXFIFX.SYS;CTEXFIFX.SYS;c:\windows\system32\drivers\CTEXFIFX.sys [2010-2-26 1324056]
R3 CTHWIUT.SYS;CTHWIUT.SYS;c:\windows\system32\drivers\CTHWIUT.sys [2010-2-26 72728]
S2 gupdate1c987ea6b15f84e;Google Update Service (gupdate1c987ea6b15f84e);c:\program files\google\update\GoogleUpdate.exe [2009-2-5 133104]
S3 BENDER;Pinnacle DV/AV Capture;c:\windows\system32\drivers\bender.sys [2006-3-19 203264]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\common files\creative labs shared\service\CTAELicensing.exe [2009-9-7 79360]
S3 Creative Media Toolbox 6 Licensing Service;Creative Media Toolbox 6 Licensing Service;c:\program files\common files\creative labs shared\service\MT6Licensing.exe [2010-2-26 79360]
S3 CT20XUT;CT20XUT;c:\windows\system32\drivers\CT20XUT.sys [2010-2-26 171032]
S3 CTEXFIFX;CTEXFIFX;c:\windows\system32\drivers\CTEXFIFX.sys [2010-2-26 1324056]
S3 CTHWIUT;CTHWIUT;c:\windows\system32\drivers\CTHWIUT.sys [2010-2-26 72728]
S3 qcmdmxp;HTC Proprietary USB Driver (PID 0B03);c:\windows\system32\drivers\qcmdmxp.sys [2006-12-27 92800]
S3 qcserxp;HTC Diagnostic Port (PID 0B03);c:\windows\system32\drivers\qcserxp.sys [2006-12-27 92800]
S3 rkhdrv40;Rootkit Unhooker Driver; [x]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2007-11-14 394952]
S4 SAVAdminService;Sophos Anti-Virus status reporter;c:\program files\sophos\sophos anti-virus\SAVAdminService.exe [2010-10-8 163056]
S4 SAVService;Sophos Anti-Virus;c:\program files\sophos\sophos anti-virus\SavService.exe [2010-6-14 97520]
S4 Sophos AutoUpdate Service;Sophos AutoUpdate Service;c:\program files\sophos\autoupdate\ALsvc.exe [2010-9-21 230640]
S4 SophosBootDriver;SophosBootDriver;c:\windows\system32\drivers\SophosBootDriver.sys [2010-12-12 14976]
S4 swi_service;Sophos Web Intelligence Service;c:\program files\sophos\sophos anti-virus\web intelligence\swi_service.exe [2010-10-8 1541360]
S4 vcdrom;Virtual CD-ROM Device Driver;\??\p:\microsoft vcd control panel\vcdrom.sys --> p:\microsoft vcd control panel\VCdRom.sys [?]
S4 xmasbus;xmasbus;c:\windows\system32\drivers\xmasbus.sys --> c:\windows\system32\drivers\xmasbus.sys [?]
S4 xmasscsi;xmasscsi;c:\windows\system32\drivers\xmasscsi.sys [2006-3-18 5248]

=============== File Associations ===============

.txt=

=============== Created Last 30 ================

2010-12-21 14:13:13 -------- d-----w- c:\program files\HIDE
2010-12-21 02:26:17 -------- d-----w- c:\windows\F3C1DE9E5E164BA9B8547B53A45E3579.TMP
2010-12-21 01:56:21 3584 ----a-r- c:\docume~1\ray\applic~1\microsoft\installer\{121634b0-2f4b-11d3-ada3-00c04f52dd52}\Icon386ED4E3.exe
2010-12-20 23:12:55 49152 ------r- c:\windows\system32\ChCfg.exe
2010-12-20 23:12:36 2879488 ------r- c:\windows\SkyTel.exe
2010-12-20 23:11:52 -------- d-----w- c:\program files\Realtek
2010-12-20 23:11:43 499712 ------r- c:\windows\RtlExUpd.dll
2010-12-20 23:07:57 6912 ----a-r- c:\windows\system32\drivers\JGOGO.sys
2010-12-20 22:57:56 -------- d-----w- c:\windows\NV31003104.TMP
2010-12-20 15:00:47 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-20 15:00:44 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-14 00:36:30 -------- d-----w- c:\docume~1\alluse~1\applic~1\Sophos Web Intelligence
2010-12-14 00:35:52 -------- d-----w- c:\program files\common files\Cisco Systems
2010-12-14 00:35:48 28912 ------w- c:\windows\system32\SophosBootTasks.exe
2010-12-13 16:55:23 -------- d-----w- c:\docume~1\ray\locals~1\applic~1\Sophos
2010-12-13 16:53:07 -------- d-----w- c:\docume~1\alluse~1\applic~1\Sophos
2010-12-13 16:52:23 24064 ------w- c:\windows\system32\drivers\savonaccessfilter.sys
2010-12-13 16:52:23 153344 ------w- c:\windows\system32\drivers\savonaccesscontrol.sys
2010-12-13 16:52:21 -------- d-----w- C:\stdtsa
2010-12-13 15:30:18 -------- d-----w- C:\RemovalTool
2010-12-13 02:36:34 14976 ------w- c:\windows\system32\drivers\SophosBootDriver.sys
2010-12-13 02:36:31 -------- d-----w- C:\savw_95_sa
2010-12-11 21:19:43 18816 ------w- c:\windows\system32\SAVRKBootTasks.sys
2010-12-07 23:14:54 -------- d-----w- c:\docume~1\ray\applic~1\PriceGong
2010-12-05 19:37:54 -------- d-----w- c:\docume~1\alluse~1\applic~1\SecTaskMan
2010-12-05 05:20:09 -------- d-----w- C:\RkUnhooker
2010-12-03 01:43:08 805400 ------r- c:\windows\system32\tmp5CB1.tmp
2010-12-03 01:43:08 805400 ------r- c:\windows\system32\tmp5CB0.tmp
2010-12-03 01:42:42 25600 ------w- c:\windows\system32\Ctxfihlp.exe
2010-12-03 01:42:19 53248 ------w- c:\windows\system32\ctdproxy.dll
2010-12-03 00:21:02 116224 -c----w- c:\windows\system32\dllcache\xrxwiadr.dll
2010-12-03 00:20:58 23040 -c----w- c:\windows\system32\dllcache\xrxwbtmp.dll
2010-12-03 00:20:52 27648 -c----w- c:\windows\system32\dllcache\xrxftplt.exe
2010-12-03 00:20:49 4608 -c----w- c:\windows\system32\dllcache\xrxflnch.exe
2010-12-03 00:20:33 99865 -c----w- c:\windows\system32\dllcache\xlog.exe
2010-12-03 00:20:29 16970 -c----w- c:\windows\system32\dllcache\xem336n5.sys
2010-12-03 00:20:28 19455 -c----w- c:\windows\system32\dllcache\wvchntxx.sys
2010-12-03 00:20:25 12063 -c----w- c:\windows\system32\dllcache\wsiintxx.sys
2010-12-03 00:20:24 8192 -c----w- c:\windows\system32\dllcache\wshirda.dll
2010-12-03 00:20:13 8832 -c----w- c:\windows\system32\dllcache\wmiacpi.sys
2010-12-03 00:20:12 154624 -c----w- c:\windows\system32\dllcache\wlluc48.sys
2010-12-03 00:20:09 34890 -c----w- c:\windows\system32\dllcache\wlandrv2.sys
2010-12-03 00:18:57 24576 -c----w- c:\windows\system32\dllcache\viairda.sys
2010-12-03 00:17:59 50688 -c----w- c:\windows\system32\dllcache\umaxscan.dll
2010-12-03 00:16:58 230912 -c----w- c:\windows\system32\dllcache\tosdvd03.sys
2010-12-03 00:16:55 241664 -c----w- c:\windows\system32\dllcache\tosdvd02.sys
2010-12-03 00:16:52 28232 -c----w- c:\windows\system32\dllcache\tos4mo.sys
2010-12-03 00:16:47 123995 -c----w- c:\windows\system32\dllcache\tjisdn.sys
2010-12-03 00:16:25 138528 -c----w- c:\windows\system32\dllcache\tgiulnt5.sys
2010-12-03 00:16:22 81408 -c----w- c:\windows\system32\dllcache\tgiul50.dll
2010-12-03 00:16:21 149376 -c----w- c:\windows\system32\dllcache\tffsport.sys
2010-12-03 00:16:18 17129 -c----w- c:\windows\system32\dllcache\tdkcd31.sys
2010-12-03 00:16:15 37961 -c----w- c:\windows\system32\dllcache\tdk100b.sys
2010-12-03 00:16:11 30464 -c----w- c:\windows\system32\dllcache\tbatm155.sys
2010-12-03 00:16:07 7040 -c----w- c:\windows\system32\dllcache\tandqic.sys
2010-12-03 00:16:04 36640 -c----w- c:\windows\system32\dllcache\t2r4mini.sys
2010-12-03 00:16:02 172768 -c----w- c:\windows\system32\dllcache\t2r4disp.dll
2010-12-03 00:14:57 24660 -c----w- c:\windows\system32\dllcache\spxupchk.dll
2010-12-03 00:14:53 61824 -c----w- c:\windows\system32\dllcache\speed.sys
2010-12-03 00:14:50 106584 -c----w- c:\windows\system32\dllcache\spdports.dll
2010-12-03 00:14:48 19072 -c----w- c:\windows\system32\dllcache\sparrow.sys
2010-12-03 00:14:45 7552 -c----w- c:\windows\system32\dllcache\sonypvu1.sys
2010-12-03 00:14:42 37040 -c----w- c:\windows\system32\dllcache\sonypi.sys
2010-12-03 00:14:39 114688 -c----w- c:\windows\system32\dllcache\sonypi.dll
2010-12-03 00:14:37 20752 -c----w- c:\windows\system32\dllcache\sonync.sys
2010-12-03 00:14:34 9600 -c----w- c:\windows\system32\dllcache\sonymc.sys
2010-12-03 00:14:33 7552 -c----w- c:\windows\system32\dllcache\sonyait.sys
2010-12-03 00:14:30 7040 -c----w- c:\windows\system32\dllcache\snyaitmc.sys
2010-12-03 00:14:14 58368 -c----w- c:\windows\system32\dllcache\smiminib.sys
2010-12-03 00:14:11 147200 -c----w- c:\windows\system32\dllcache\smidispb.dll
2010-12-03 00:12:57 161568 -c----w- c:\windows\system32\dllcache\sgsmusb.sys
2010-12-03 00:11:59 179264 -c----w- c:\windows\system32\dllcache\s3sav3d.dll
2010-12-03 00:10:54 19584 -c----w- c:\windows\system32\dllcache\rasirda.sys
2010-12-03 00:09:58 17792 -c----w- c:\windows\system32\dllcache\ppa.sys
2010-12-03 00:08:58 29769 -c----w- c:\windows\system32\dllcache\pcntn5m.sys
2010-12-03 00:07:58 54528 -c----w- c:\windows\system32\dllcache\opl3sax.sys
2010-12-03 00:06:58 33088 -c----w- c:\windows\system32\dllcache\n9i128v2.sys
2010-12-03 00:05:56 6528 -c----w- c:\windows\system32\dllcache\miniqic.sys
2010-12-03 00:04:53 70730 -c----w- c:\windows\system32\dllcache\lne100tx.sys
2010-12-03 00:04:50 20573 -c----w- c:\windows\system32\dllcache\lne100.sys
2010-12-03 00:04:48 25065 -c----w- c:\windows\system32\dllcache\lmndis3.sys
2010-12-03 00:04:42 15744 -c----w- c:\windows\system32\dllcache\lit220p.sys
2010-12-03 00:04:41 34688 -c----w- c:\windows\system32\dllcache\lbrtfdc.sys
2010-12-03 00:04:38 26442 -c----w- c:\windows\system32\dllcache\lanepic5.sys
2010-12-03 00:04:36 19016 -c----w- c:\windows\system32\dllcache\ktc111.sys
2010-12-03 00:04:33 37376 -c----w- c:\windows\system32\dllcache\kousd.dll
2010-12-03 00:04:20 8192 -c----w- c:\windows\system32\dllcache\kbdkor.dll
2010-12-03 00:04:18 8704 -c----w- c:\windows\system32\dllcache\kbdjpn.dll
2010-12-03 00:04:05 5632 -c----w- c:\windows\system32\dllcache\kbd103.dll
2010-12-03 00:04:03 6144 -c----w- c:\windows\system32\dllcache\kbd101c.dll
2010-12-03 00:04:01 6144 -c----w- c:\windows\system32\dllcache\kbd101b.dll
2010-12-03 00:02:55 372824 -c----w- c:\windows\system32\dllcache\iconf32.dll
2010-12-03 00:01:59 199711 -c----w- c:\windows\system32\dllcache\hsf_faxx.sys
2010-12-03 00:00:59 1733120 -c----w- c:\windows\system32\dllcache\g400d.dll
2010-12-02 23:59:56 7040 -c----w- c:\windows\system32\dllcache\exabyte2.sys
2010-12-02 23:58:59 114944 -c----w- c:\windows\system32\dllcache\epstw2k.sys
2010-12-02 23:57:59 41046 -c----w- c:\windows\system32\dllcache\digiisdn.dll
2010-12-02 23:56:52 39936 -c----w- c:\windows\system32\dllcache\cnxt1803.sys
2010-12-02 23:55:59 60416 -c----w- c:\windows\system32\dllcache\brserwdm.sys
2010-12-02 23:54:59 462848 -c----w- c:\windows\system32\dllcache\a3dapi.dll
2010-12-02 23:54:59 23552 -c----w- c:\windows\system32\dllcache\abp480n5.sys
2010-12-02 23:54:59 231552 -c----w- c:\windows\system32\dllcache\ac97ali.sys
2010-12-02 23:54:58 60928 ------r- c:\windows\system32\OLD147.tmp
2010-12-02 23:54:58 38400 -c----w- c:\windows\system32\dllcache\8514a.dll
2010-12-02 23:54:57 48128 -c----w- c:\windows\system32\dllcache\61883.sys
2010-12-02 23:54:56 148352 -c----w- c:\windows\system32\dllcache\3dfxvsm.sys
2010-12-02 23:54:56 12288 -c----w- c:\windows\system32\dllcache\4mmdat.sys
2010-12-02 23:54:55 762780 -c----w- c:\windows\system32\dllcache\3cwmcru.sys
2010-12-02 23:54:55 689216 -c----w- c:\windows\system32\dllcache\3dfxvs.dll
2010-12-02 23:54:55 11264 -c----w- c:\windows\system32\dllcache\1394vdbg.sys
2010-12-02 23:54:35 66048 -c----w- c:\windows\system32\dllcache\s3legacy.dll
2010-12-02 23:36:44 -------- d-----w- c:\windows\system32\wbem\repository.tmp\FS
2010-12-02 23:36:43 -------- d-----w- c:\windows\system32\wbem\Repository.tmp
2010-12-02 23:27:47 -------- d-----w- c:\windows\system32\wbem\repository(5).tmp\FS
2010-12-02 23:27:47 -------- d-----w- c:\windows\system32\wbem\Repository(5).tmp
2010-12-02 03:00:42 -------- d-----w- c:\windows\system32\wbem\repository(4).tmp\FS
2010-12-02 03:00:42 -------- d-----w- c:\windows\system32\wbem\Repository(4).tmp
2010-12-02 02:47:20 -------- d-----w- c:\windows\system32\wbem\repository(3).tmp\FS
2010-12-02 02:47:20 -------- d-----w- c:\windows\system32\wbem\Repository(3).tmp
2010-12-02 02:25:59 805400 ------r- c:\windows\system32\tmpAB.tmp
2010-12-02 02:25:59 805400 ------r- c:\windows\system32\tmpAA.tmp
2010-12-02 00:11:03 805400 ------r- c:\windows\system32\tmpA7.tmp
2010-12-02 00:11:03 805400 ------r- c:\windows\system32\tmpA6.tmp

==================== Find3M ====================

2010-11-18 18:12:44 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-12 23:53:06 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-11-12 21:34:10 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-11-08 06:20:24 89088 ----a-w- c:\windows\MBR.exe
2010-11-06 00:26:58 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:26:58 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-06 00:26:58 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-11-03 12:25:54 385024 ------w- c:\windows\system32\html.iec
2010-10-28 13:13:22 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25:00 1853312 ----a-w- c:\windows\system32\win32k.sys

============= FINISH: 8:38:37.93 ===============


#4 fireman4it


    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 01 January 2011 - 12:48 PM

Hello justpassinthru2k,
  • Welcome to Bleeping Computer.
  • My name is fireman4it and I will be helping you with your Malware problem.

    Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".
  • Finally, please reply using the reply button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post.


1.
Your log(s) show that you are using so-called peer-to-peer or file-sharing programmes (in your case uTorrent). These programmes allow users to share files with each other, as the name suggests. In today's world, cyber crime has reached an enormous dimension, and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of malware files. A popular means is the use of file-sharing tools, as a tremendous amount of prospective victims can be reached through it.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, and they are thus suggested to be used with intense care. Some further readings on this subject, along with the included links, are as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."

It is also important to note that sharing entertainment files and proprietary software infringes the copyright laws in many countries around the world, and you are putting yourself at risk of being indicted by organisations watching over the rights of the authors of such files (i.e. the RIAA for music files, or the MPAA for movie files in the USA) or by the authors of the files themselves.

Naturally there are also legal ways to use these services, such as downloading Linux distributions or office suites such as "Open Office."

2.
Uninstalling A Program Through "add/remove"

Click "start" on the taskbar and then click on the "Control Panel" icon.
Please double-click the "Add or Remove Programs" icon.
A list of programs installed will be "populated"; this may take a bit of time.
If they exist, uninstall the following by clicking on the following entries and selecting "remove":

Java™ 6 Update 17
Java™ 6 Update 18
Java™ 6 Update 19



3.
Download and Run RKill
  • Please download RKill by Grinler from one of the 4 links below and save it to your desktop.

    Link 1
    Link 2
    Link 3
    Link 4
  • Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. Please refer to this page if you are not sure how.
  • Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator)
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • If nothing happens or if the tool does not run, please let me know in your next reply.

4.
Install Recovery Console and Run ComboFix

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double-click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please do NOT mouse-click ComboFix's window while it's running because it may cause it to stall.


Things to include in your next reply:
Combofix.txt
How is your machine running now?

Additional instructions can be found here if needed.

"Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-



If I have helped you, consider making a donation to help me continue the fight against Malware!


#5 justpassinthru2k

  • Topic Starter

  • Members
  • 21 posts
  • Gender:Male

Posted 01 January 2011 - 07:16 PM

Fireman4it,

Did as you suggested above and cannot run ComboFix. Stalls at "However, scan times for badly infected machines may easily double". Left it at this screen (after ComboFix successfully backed up the registry) for at least 12 hours with no movement. Also tried starting another instance of ComboFix but no signs of the second instance starting. Awaiting your direction.....

#6 justpassinthru2k

  • Topic Starter

  • Members
  • 21 posts
  • Gender:Male

Posted 01 January 2011 - 07:44 PM

Ran HijackThis. Below is the log, hope this helps:

Logfile of HijackThis v1.98.0
Scan saved at 7:29:07 PM, on 1/1/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Creative\Shared Files\CTAudSvc.exe
C:\WINDOWS\system32\PackethSvc.exe
C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\crypserv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\Program Files\Itiva\Itiva Media Accelerator\ItivaMediaAccelerator.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\Program Files\Creative\Sound Blaster X-Fi\Entertainment Center\EAXLoadr.exe
C:\Program Files\Mustek 1200 UB Plus\Driver\WATCH.exe
C:\WINDOWS\explorer.exe
C:\ComboFix\rmbr.cfxxe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Downloads\HijackThis\HijackThis1980.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.optimum.net/optonline
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F0 - system.ini: Shell=
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Sophos Web Content Scanner - {39EA7695-B3F2-4C44-A4BC-297ADA8FD235} - c:\Program Files\Sophos\Sophos Anti-Virus\SophosBHO.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Sophos AutoUpdate Monitor] C:\Program Files\Sophos\AutoUpdate\almon.exe
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\K-Lite Codec Pack\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Module Loader] C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe -StartUpRun
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\JM\JMInsIDE.exe
O4 - HKLM\..\Run: [JMB36X Configure] C:\WINDOWS\system32\JMRaidSetup.exe boot
O4 - HKLM\..\Run: [Itiva Media Accelerator] C:\Program Files\Itiva\Itiva Media Accelerator\ItivaMediaAccelerator.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - Global Startup: Watch.lnk = C:\Program Files\Mustek 1200 UB Plus\Driver\WATCH.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Show or hide HP Smart Web Printing - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - (no file)
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {A5A76EA0-7B92-4707-9DBF-6F6FE56A6800} (Pure Networks Security Scan) - http://scan.networkmagic.com/nmscan/download/WebDiag.4.5.8056.1-ship-WD.V1.cab
O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} (Oberon Flash Game Host) - http://cablevision.oberon-media.com/Gameshell/GameHost/1.0/OberonGameHost.cab
O16 - DPF: {D4B68B83-8710-488B-A692-D74B50BA558E} (Creative Software AutoUpdate Support Package) - http://ccfiles.creative.com/Web/softwareupdate/ocx/15113/CTPIDPDE.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://ccfiles.creative.com/Web/softwareupdate/ocx/15113/CTPID.cab
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
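
The HijackThis log above mixes browser helper objects, toolbars, autostart entries, a Winsock LSP and ActiveX downloads, and a helper reads such a log by category rather than line by line. The script below is an added example, not code from BleepingComputer, HijackThis or anyone in this thread: it parses lines in this format and sorts them into the buckets a reviewer checks first. The embedded sample log is a constructed subset of the lines posted above, and the function names `parse_hjt`, `executable_of` and `triage` are my own.

```python
"""Triage helper for HijackThis-style log lines (added example, not a
BleepingComputer or HijackThis tool).  Entries are grouped by section and the
classes a malware-removal helper reads first are pulled out: orphaned entries
whose target file is gone, autostart (O4) commands that name an executable
without a directory, Winsock LSP entries (O10) and ActiveX downloads (O16)."""
import re
from collections import defaultdict

# Constructed sample: a subset of the HijackThis log posted above, copied verbatim.
SAMPLE_LOG = r"""Logfile of HijackThis v1.98.0
Platform: Windows XP SP3 (WinNT 5.01.2600)

F0 - system.ini: Shell=
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Sophos Web Content Scanner - {39EA7695-B3F2-4C44-A4BC-297ADA8FD235} - c:\Program Files\Sophos\Sophos Anti-Virus\SophosBHO.dll
O3 - Toolbar: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\K-Lite Codec Pack\QuickTime\qttask.exe" -atboottime
O9 - Extra button: Show or hide HP Smart Web Printing - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - (no file)
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
"""

# "O2 - ...", "O16 - ...", "F0 - ..." : a section code, " - ", then the entry body.
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")
# O4 bodies look like  HKLM\..\Run: [ValueName] command line
O4_RE = re.compile(r"^(?P<hive>.*?): \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")


def parse_hjt(text):
    """Return (section, body) tuples for every entry line; header lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def executable_of(cmd):
    """First token of an autostart command: a quoted path, or text up to the first space."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(None, 1)[0] if cmd else ""


def triage(text):
    """Bucket the log's entries into the review categories named in the module docstring."""
    report = {
        "by_section": defaultdict(int),
        "orphaned": [],               # target file missing: stale registration or removed component
        "unqualified_autostart": [],  # O4 command without a directory, resolved via the search path
        "winsock_lsp": [],            # O10: code loaded into every process that opens a socket
        "activex_dpf": [],            # O16: downloaded ActiveX controls and where they came from
        "empty_shell": False,         # F0 system.ini Shell= with no value
    }
    for section, body in parse_hjt(text):
        report["by_section"][section] += 1
        entry = f"{section} - {body}"
        if body.endswith("(no file)"):
            report["orphaned"].append(entry)
        if section == "O4":
            m = O4_RE.match(body)
            exe = executable_of(m.group("cmd")) if m else ""
            # A bare name such as SOUNDMAN.EXE carries no directory, so Windows searches for it.
            if exe and not re.search(r"[\\/:]", exe):
                report["unqualified_autostart"].append(entry)
        elif section == "O10":
            report["winsock_lsp"].append(entry)
        elif section == "O16":
            report["activex_dpf"].append(entry)
        elif section == "F0" and body.rstrip().endswith("Shell="):
            report["empty_shell"] = True
    report["by_section"] = dict(report["by_section"])
    return report


if __name__ == "__main__":
    r = triage(SAMPLE_LOG)
    for key in ("orphaned", "unqualified_autostart", "winsock_lsp", "activex_dpf"):
        print(f"== {key} ({len(r[key])})")
        for e in r[key]:
            print("  ", e)
    print("F0 Shell= is empty:", r["empty_shell"])
```

Run against the sample, the script reports three orphaned entries (the unnamed BHO and toolbar, and the HP button), two autostart commands that give no directory (SOUNDMAN.EXE and SkyTel.EXE, both normal for Realtek audio but worth confirming against the files actually present), the Bonjour LSP, and two ActiveX downloads with their source URLs. None of these buckets is a verdict; they are the entries a helper verifies first, and a bare `Shell=` under F0 is listed only so it is not overlooked.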

#7 fireman4it


    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 01 January 2011 - 09:58 PM

Hello,

Please delete the copy of Combofix you have on your desktop and do the following.

Download and Rename Combofix

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

Download Combofix from any of the links below. You must rename it 1234.scr before saving it to your desktop.

Link 1
Link 2


--------------------------------------------------------------------
  • Now Boot into Safemode
    Now reboot into Safe Mode.
    This can be done tapping the F8 key as soon as you start your computer
    You will be brought to a menu where you can choose to boot into safe mode.
    Make sure you choose the option with networking support.
    Please see here for additional details.
  • Double click on 1234.scr & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a HijackThis log so we can continue cleaning the system.

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


If I have helped you, consider making a donation to help me continue the fight against Malware!


#8 justpassinthru2k

justpassinthru2k
  • Topic Starter

  • Members
  • 21 posts
  • Gender:Male

Posted 02 January 2011 - 09:37 AM

Fireman4it,

I did as you suggested, deleted ComboFix from the desktop (and anywhere else I had it saved), downloaded the new one associated with the links you attached, re-booted to safe mode with networking and ran the "new" ComboFix. I let it sit ALLLLL night and at 9am it was stalled again in exactly the same manner and place. No difference running it in safe mode or normal mode. Still cannot run it. Awaiting your response on further suggestions.
Ray

Edited by justpassinthru2k, 02 January 2011 - 10:13 AM.


#10 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 02 January 2011 - 02:14 PM

Hello,

Let's try this:

1.
See if Combofix produced a log. It may not have. If it did, it would be here: C:\Combofix.txt


2.
Please download Malwarebytes' Anti-Malware (v1.50) and save it to your desktop.
Download Link 1
Download Link 2

Malwarebytes' may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

  • Make sure you are connected to the Internet and double-click on mbam-setup.exe to install the application.
    For instructions with screenshots, please refer to this Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • Malwarebytes will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • Under the Scanner tab, make sure the "Perform Quick Scan" option is selected.
  • Click on the Scan button.
  • When finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box, then click the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked and then click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows the database version and your operating system.
  • Exit Malwarebytes' when done.
Note: If Malwarebytes' encounters a file that is difficult to remove, you will be asked to reboot your computer so it can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally will prevent Malwarebytes' from removing all the malware.

3.
Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
Be sure to download TDSSKiller.exe (v2.4.0.0) from Kaspersky's website and not TDSSKiller.zip which appears to be an older version 2.3.2.2 of the tool.
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.07.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.

4.
Please download MBRCheck to your desktop.

1. Double click MBRCheck.exe to run it (Right click and run as Administrator for Vista).
2. It will open a black window, please do not fix anything (if it gives you an option).
3. Exit that window and it will produce a log (MBRCheck_date_time).
4. Please post that log when you reply.

Things to include in your next reply:
Combofix.txt if there is one
MBAM log
TDSSKiller log
MBR check log
A new HijackThis log.

Edited by fireman4it, 02 January 2011 - 02:16 PM.
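Step 3 above asks for the TDSSKiller log, which lists every loaded kernel driver with its MD5 and on-disk path. As an added example that is not part of the original thread and not Kaspersky's own detection logic, the Python below parses that driver-listing format (the same format as the log posted later in this thread) and applies three triage heuristics a responder might run before reading a 200-line list by hand: a driver that loads from outside a `...\drivers\` folder, one file registered under more than one service name, and a hash that differs from a caller-supplied baseline for that service name, which is how a legitimate driver patched in place shows up. The sample lines are copied from the thread's log; the baseline dictionary is hypothetical, and its atapi value is a placeholder chosen to differ from the log so the mismatch path is exercised, not a real known-good hash.

```python
"""Triage a TDSSKiller driver listing.

Added example for this thread, not part of the original posts and not
TDSSKiller's own logic. It parses the per-driver lines TDSSKiller writes:

    <timestamp> <service name> (<md5>) <path>

and applies three illustrative heuristics (assumptions, not Kaspersky rules):
  * a driver file living outside a ...\\drivers\\ folder
  * the same file registered under several service names (usually benign,
    worth a glance)
  * a hash that differs from a caller-supplied baseline for that service
    name, which is how a legitimate driver patched in place shows up
"""
import re
from collections import defaultdict

# One driver line: timestamp, service name, 32-hex MD5 in parentheses, path.
DRIVER_LINE = re.compile(
    r"^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{4}\s+"
    r"(?P<name>\S+)\s+\((?P<md5>[0-9a-fA-F]{32})\)\s+(?P<path>\S.*?)\s*$"
)

# Constructed sample: a handful of lines copied from the TDSSKiller log
# posted in this thread, plus two scan banner lines that must be skipped.
SAMPLE_LOG = r"""2011/01/02 20:12:35.0500 Scan started
2011/01/02 20:12:35.0500 Mode: Manual;
2011/01/02 20:12:36.0093 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/01/02 20:12:36.0781 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/01/02 20:12:43.0609 nv (70cb8915895ccb92ddf23ce890c4f5be) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
2011/01/02 20:12:43.0781 nv4 (70cb8915895ccb92ddf23ce890c4f5be) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
2011/01/02 20:12:47.0218 SVKP (f05028b163b92c302a74409d683ac9b0) C:\WINDOWS\system32\SVKP.sys
2011/01/02 20:12:48.0546 vsdatant (0354ba3a5ba5e28cc247eb5f5dd8793c) C:\WINDOWS\system32\vsdatant.sys
"""

# Hypothetical baseline: service name -> MD5 expected on a clean install.
# The atapi value is a placeholder chosen to differ from the log so the
# mismatch branch runs; it is NOT a real known-good hash.
HYPOTHETICAL_BASELINE = {
    "ACPI": "8fd99680a539792a30e97944fdaecf17",
    "atapi": "00000000000000000000000000000000",
}


def parse_tdsskiller(text):
    """Return one dict per driver line; banner and info lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = DRIVER_LINE.match(line)
        if m:
            entries.append({"name": m["name"], "md5": m["md5"].lower(), "path": m["path"]})
    return entries


def triage(entries, baseline=None):
    """Return (kind, service, detail) tuples: per-driver findings in log
    order, followed by one shared_file note per multiply-registered file."""
    findings = []
    by_file = defaultdict(list)
    for e in entries:
        path_lower = e["path"].lower()
        by_file[path_lower].append(e["name"])
        if "\\drivers\\" not in path_lower:
            findings.append(("outside_drivers_dir", e["name"], e["path"]))
        if baseline and e["name"] in baseline and baseline[e["name"]].lower() != e["md5"]:
            findings.append(("hash_mismatch", e["name"], e["md5"]))
    for path, names in by_file.items():
        if len(names) > 1:
            findings.append(("shared_file", "+".join(names), path))
    return findings


if __name__ == "__main__":
    for kind, svc, detail in triage(parse_tdsskiller(SAMPLE_LOG), HYPOTHETICAL_BASELINE):
        print(f"{kind:20} {svc:12} {detail}")
```

Run it as a script to print the findings, or import `parse_tdsskiller` and `triage` and feed them the contents of a real `TDSSKiller_<version>_<date>_<time>_log.txt`. Every hit is a lead, not a verdict: a product driver such as ZoneAlarm's vsdatant.sys or Sophos' SAVRKBootTasks.sys normally installs directly under system32, and the nv/nv4 pair is one NVIDIA file under two service names. A hash mismatch against a baseline you trust on a boot-critical driver like atapi.sys is the finding that should not be explained away, because it is exactly the footprint of a driver patched on disk rather than a new file dropped beside it.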


#11 justpassinthru2k

justpassinthru2k
  • Topic Starter

  • Members
  • 21 posts
  • Gender:Male

Posted 02 January 2011 - 10:44 PM

fireman4it,

I performed the requested tasks and here are the results;

1. No ComboFix log was created/found from prior running.
2. Upon running the requested Malwarebytes, no malware was found. Log found below and attached.
3. Upon running the requested MBRCheck, unknown if it completed successfully. Could not close out window. Ran twice, first time locked up the box and had to cold restart. Second time, could not close out the window but was able to move the window around leaving multiple shadows for each time I stopped. Had to cold restart again. Copies of each scan are also included below

Malwarebytes log:

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5446

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

1/2/2011 8:08:29 PM
mbam-log-2011-01-02 (20-08-29).txt

Scan type: Quick scan
Objects scanned: 187273
Time elapsed: 6 minute(s), 19 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

TDSSKiller log:

2011/01/02 20:12:23.0562 TDSS rootkit removing tool 2.4.12.0 Dec 16 2010 09:46:46
2011/01/02 20:12:23.0562 ================================================================================
2011/01/02 20:12:23.0562 SystemInfo:
2011/01/02 20:12:23.0562
2011/01/02 20:12:23.0562 OS Version: 5.1.2600 ServicePack: 3.0
2011/01/02 20:12:23.0562 Product type: Workstation
2011/01/02 20:12:23.0562 ComputerName: RIGHTWINXP
2011/01/02 20:12:23.0562 UserName: ray
2011/01/02 20:12:23.0562 Windows directory: C:\WINDOWS
2011/01/02 20:12:23.0562 System windows directory: C:\WINDOWS
2011/01/02 20:12:23.0562 Processor architecture: Intel x86
2011/01/02 20:12:23.0562 Number of processors: 2
2011/01/02 20:12:23.0562 Page size: 0x1000
2011/01/02 20:12:23.0562 Boot type: Normal boot
2011/01/02 20:12:23.0562 ================================================================================
2011/01/02 20:12:29.0500 Initialize success
2011/01/02 20:12:35.0500 ================================================================================
2011/01/02 20:12:35.0500 Scan started
2011/01/02 20:12:35.0500 Mode: Manual;
2011/01/02 20:12:35.0500 ================================================================================
2011/01/02 20:12:36.0093 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/01/02 20:12:36.0140 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2011/01/02 20:12:36.0218 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2011/01/02 20:12:36.0281 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
2011/01/02 20:12:36.0421 AmdK7 (8fce268cdbdd83b23419d1f35f42c7b1) C:\WINDOWS\system32\DRIVERS\amdk7.sys
2011/01/02 20:12:36.0500 AnyDVD (b9b27616dc541945737b837da374147a) C:\WINDOWS\system32\Drivers\AnyDVD.sys
2011/01/02 20:12:36.0562 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
2011/01/02 20:12:36.0578 ASAPIW2k (4f9cbbf95e8f7a0d4c0edcfe3b78102e) C:\WINDOWS\system32\drivers\ASAPIW2k.sys
2011/01/02 20:12:36.0671 Aspi32 (ed8cee58c1e4c5893f5b2fd686a272bf) C:\WINDOWS\system32\drivers\Aspi32.sys
2011/01/02 20:12:36.0718 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/01/02 20:12:36.0781 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/01/02 20:12:36.0843 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/01/02 20:12:36.0875 ATMhelpr (3ef1db7f168851914517d4ed36b57c04) C:\WINDOWS\system32\drivers\ATMhelpr.sys
2011/01/02 20:12:36.0921 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/01/02 20:12:36.0984 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/01/02 20:12:37.0031 BENDER (fc6d0c2f327a5f716fdfdc24a305aceb) C:\WINDOWS\system32\drivers\bender.sys
2011/01/02 20:12:37.0078 Bridge (f934d1b230f84e1d19dd00ac5a7a83ed) C:\WINDOWS\system32\DRIVERS\bridge.sys
2011/01/02 20:12:37.0078 BridgeMP (f934d1b230f84e1d19dd00ac5a7a83ed) C:\WINDOWS\system32\DRIVERS\bridge.sys
2011/01/02 20:12:37.0468 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/01/02 20:12:37.0562 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
2011/01/02 20:12:37.0656 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/01/02 20:12:37.0734 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/01/02 20:12:37.0796 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/01/02 20:12:37.0843 cercsr6 (84853b3fd012251690570e9e7e43343f) C:\WINDOWS\system32\drivers\cercsr6.sys
2011/01/02 20:12:37.0953 CT20XUT (134cdd242af1ae9961f065fba3508a7b) C:\WINDOWS\system32\drivers\CT20XUT.SYS
2011/01/02 20:12:37.0984 CT20XUT.SYS (134cdd242af1ae9961f065fba3508a7b) C:\WINDOWS\System32\drivers\CT20XUT.SYS
2011/01/02 20:12:38.0031 ctac32k (93439baf09ce3c6d4ce55da5b07d1b6a) C:\WINDOWS\system32\drivers\ctac32k.sys
2011/01/02 20:12:38.0078 ctaud2k (6ab74512f09d673452d63ddec9014db5) C:\WINDOWS\system32\drivers\ctaud2k.sys
2011/01/02 20:12:38.0140 ctdvda2k (788db5d99b2ca44ff61d8ed7b3c67c2e) C:\WINDOWS\system32\drivers\ctdvda2k.sys
2011/01/02 20:12:38.0187 CTEXFIFX (3a9ad039d94be8d955ad0b2cb207378d) C:\WINDOWS\system32\drivers\CTEXFIFX.SYS
2011/01/02 20:12:38.0234 CTEXFIFX.SYS (3a9ad039d94be8d955ad0b2cb207378d) C:\WINDOWS\System32\drivers\CTEXFIFX.SYS
2011/01/02 20:12:38.0281 CTHWIUT (4602ad8c8e1b285e1a23a957f487da86) C:\WINDOWS\system32\drivers\CTHWIUT.SYS
2011/01/02 20:12:38.0296 CTHWIUT.SYS (4602ad8c8e1b285e1a23a957f487da86) C:\WINDOWS\System32\drivers\CTHWIUT.SYS
2011/01/02 20:12:38.0343 ctprxy2k (d42b84671f2193330215d3c375a2e948) C:\WINDOWS\system32\drivers\ctprxy2k.sys
2011/01/02 20:12:38.0375 ctsfm2k (974cfcbe3206367bec1d527d9dade998) C:\WINDOWS\system32\drivers\ctsfm2k.sys
2011/01/02 20:12:38.0421 CTUSFSYN (12a7b253f9128b3b68a9979827047b76) C:\WINDOWS\system32\drivers\ctusfsyn.sys
2011/01/02 20:12:38.0515 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/01/02 20:12:38.0593 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2011/01/02 20:12:38.0640 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\DRIVERS\dmio.sys
2011/01/02 20:12:38.0671 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/01/02 20:12:38.0718 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2011/01/02 20:12:38.0765 DNE (694616f813fb627a32c9e32dec133078) C:\WINDOWS\system32\DRIVERS\dne2000.sys
2011/01/02 20:12:38.0843 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/01/02 20:12:38.0906 ElbyCDIO (fa13264eea448b2e1b3a844ae4f75c7a) C:\WINDOWS\system32\Drivers\ElbyCDIO.sys
2011/01/02 20:12:38.0953 ElbyDelay (df9957db3bfe5136aad3c2c101806c98) C:\WINDOWS\system32\Drivers\ElbyDelay.sys
2011/01/02 20:12:39.0015 emupia (04afe5c11777e33178ec11e1fac47b07) C:\WINDOWS\system32\drivers\emupia2k.sys
2011/01/02 20:12:39.0046 Eplpdx02 (f9472131367d39435d750f5fa3d23582) C:\WINDOWS\system32\Drivers\EPLPDX02.SYS
2011/01/02 20:12:39.0109 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/01/02 20:12:39.0187 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
2011/01/02 20:12:39.0250 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2011/01/02 20:12:39.0312 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2011/01/02 20:12:39.0375 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2011/01/02 20:12:39.0421 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/01/02 20:12:39.0453 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/01/02 20:12:39.0500 gameenum (065639773d8b03f33577f6cdaea21063) C:\WINDOWS\system32\DRIVERS\gameenum.sys
2011/01/02 20:12:39.0546 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\Drivers\GEARAspiWDM.sys
2011/01/02 20:12:39.0593 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/01/02 20:12:39.0671 GT680x (7b90be6811334caa9243b89f3d3fee1a) C:\WINDOWS\system32\Drivers\gt680x.sys
2011/01/02 20:12:39.0734 ha20x2k (41fce1833d8f659acc56cb0ee43b2ced) C:\WINDOWS\system32\drivers\ha20x2k.sys
2011/01/02 20:12:39.0796 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
2011/01/02 20:12:39.0843 hidgame (923ee4eef2582909a056904ca8026015) C:\WINDOWS\system32\DRIVERS\hidgame.sys
2011/01/02 20:12:39.0890 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2011/01/02 20:12:39.0968 HPZid412 (d03d10f7ded688fecf50f8fbf1ea9b8a) C:\WINDOWS\system32\DRIVERS\HPZid412.sys
2011/01/02 20:12:40.0000 HPZipr12 (89f41658929393487b6b7d13c8528ce3) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys
2011/01/02 20:12:40.0046 HPZius12 (abcb05ccdbf03000354b9553820e39f8) C:\WINDOWS\system32\DRIVERS\HPZius12.sys
2011/01/02 20:12:40.0093 HSFHWBS2 (6db36593abdda54c505b77a4f135d5f3) C:\WINDOWS\system32\DRIVERS\USR_BSC2.sys
2011/01/02 20:12:40.0140 HSF_DPV (01dc6300bd5b4eaa3de6fc3fa4adb82a) C:\WINDOWS\system32\DRIVERS\USR_MDMV.sys
2011/01/02 20:12:40.0203 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/01/02 20:12:40.0296 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/01/02 20:12:40.0343 ICAM3NT5 (7e9dce459be666ab54f67e77cb7d1297) C:\WINDOWS\system32\Drivers\Icam3.sys
2011/01/02 20:12:40.0390 Icam4USB (222f74130a2e3a2ed655226d97f03812) C:\WINDOWS\system32\Drivers\Icam4USB.sys
2011/01/02 20:12:40.0421 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/01/02 20:12:40.0468 InCDfs (b87fc7c71632240dac8f4d20e9ce8377) C:\WINDOWS\system32\drivers\InCDfs.sys
2011/01/02 20:12:40.0500 InCDPass (2e878405128ec98886eb9c2216ac7bd6) C:\WINDOWS\system32\DRIVERS\InCDPass.sys
2011/01/02 20:12:40.0515 InCDrec (ddf078917a42f105385d7eb6debb3433) C:\WINDOWS\system32\drivers\InCDrec.sys
2011/01/02 20:12:40.0546 incdrm (7f352360e947ad2cd4ba60de27b1a299) C:\WINDOWS\system32\drivers\incdrm.sys
2011/01/02 20:12:40.0781 IntcAzAudAddService (60d7460b07012d364ced11dd9fd83e1f) C:\WINDOWS\system32\drivers\RtkHDAud.sys
2011/01/02 20:12:41.0000 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2011/01/02 20:12:41.0062 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2011/01/02 20:12:41.0125 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2011/01/02 20:12:41.0171 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/01/02 20:12:41.0218 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/01/02 20:12:41.0281 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/01/02 20:12:41.0343 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/01/02 20:12:41.0390 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/01/02 20:12:41.0453 Iviaspi (f59c3569a2f2c464bb78cb1bdcdca55e) C:\WINDOWS\system32\drivers\iviaspi.sys
2011/01/02 20:12:41.0484 JGOGO (c995c0e8b4503fac38793bb0236ad246) C:\WINDOWS\system32\DRIVERS\JGOGO.sys
2011/01/02 20:12:41.0515 JRAID (f4a31e66a61c0783f51157519b03280b) C:\WINDOWS\system32\DRIVERS\jraid.sys
2011/01/02 20:12:41.0562 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/01/02 20:12:41.0625 kbdhid (e182fa8e49e8ee41b4adc53093f3c7e6) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2011/01/02 20:12:41.0687 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2011/01/02 20:12:41.0750 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/01/02 20:12:41.0828 MarvinBus (7584ffb07305d2e9e3823059a9310b0f) C:\WINDOWS\system32\DRIVERS\MarvinBus.sys
2011/01/02 20:12:41.0859 mdmxsdk (3c318b9cd391371bed62126581ee9961) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
2011/01/02 20:12:41.0921 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/01/02 20:12:41.0984 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2011/01/02 20:12:42.0031 MODEMCSA (1992e0d143b09653ab0f9c5e04b0fd65) C:\WINDOWS\system32\drivers\MODEMCSA.sys
2011/01/02 20:12:42.0062 Mouclass (34e1f0031153e491910e12551400192c) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/01/02 20:12:42.0078 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2011/01/02 20:12:42.0140 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/01/02 20:12:42.0171 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/01/02 20:12:42.0234 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/01/02 20:12:42.0281 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2011/01/02 20:12:42.0343 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/01/02 20:12:42.0406 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/01/02 20:12:42.0453 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/01/02 20:12:42.0515 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/01/02 20:12:42.0562 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
2011/01/02 20:12:42.0578 ms_mpu401 (ca3e22598f411199adc2dfee76cd0ae0) C:\WINDOWS\system32\drivers\msmpu401.sys
2011/01/02 20:12:42.0625 MTsensor (d48659bb24c48345d926ecb45c1ebdf5) C:\WINDOWS\system32\DRIVERS\ASACPI.sys
2011/01/02 20:12:42.0687 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2011/01/02 20:12:42.0734 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
2011/01/02 20:12:42.0796 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2011/01/02 20:12:42.0843 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
2011/01/02 20:12:42.0890 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/01/02 20:12:42.0937 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/01/02 20:12:42.0984 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/01/02 20:12:43.0031 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/01/02 20:12:43.0078 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/01/02 20:12:43.0140 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/01/02 20:12:43.0218 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
2011/01/02 20:12:43.0281 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2011/01/02 20:12:43.0343 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/01/02 20:12:43.0406 NuidFltr (cf7e041663119e09d2e118521ada9300) C:\WINDOWS\system32\DRIVERS\NuidFltr.sys
2011/01/02 20:12:43.0453 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/01/02 20:12:43.0609 nv (70cb8915895ccb92ddf23ce890c4f5be) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
2011/01/02 20:12:43.0781 nv4 (70cb8915895ccb92ddf23ce890c4f5be) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
2011/01/02 20:12:43.0859 nvata (c03e15101f6d9e82cd9b0e7d715f5de3) C:\WINDOWS\system32\DRIVERS\nvata.sys
2011/01/02 20:12:43.0906 nvatabus (b7fb72492b753930ec70a0f49d04f12f) C:\WINDOWS\system32\drivers\nvatabus.sys
2011/01/02 20:12:43.0953 nvax (47b3852808dd579a463fce7085b77413) C:\WINDOWS\system32\drivers\nvax.sys
2011/01/02 20:12:44.0000 NVENET (e07c1f16e5a4e32fc3c0f62b59815ef0) C:\WINDOWS\system32\DRIVERS\NVENET.sys
2011/01/02 20:12:44.0046 NVENETFD (b9333604527e02cd2223f200c0bae7e0) C:\WINDOWS\system32\DRIVERS\NVENETFD.sys
2011/01/02 20:12:44.0078 nvnetbus (5e9e55f7ee644c7c5fd78a206fbe37ab) C:\WINDOWS\system32\DRIVERS\nvnetbus.sys
2011/01/02 20:12:44.0125 nvnforce (adbcba116496229a163193bbe0bb28ce) C:\WINDOWS\system32\drivers\nvapu.sys
2011/01/02 20:12:44.0171 nv_agp (29291c3a7256337327051cc37e4fc09a) C:\WINDOWS\system32\DRIVERS\nv_agp.sys
2011/01/02 20:12:44.0250 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/01/02 20:12:44.0312 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/01/02 20:12:44.0359 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
2011/01/02 20:12:44.0390 ossrv (11b3328d84ed6c11baf4f4f115459ab6) C:\WINDOWS\system32\drivers\ctoss2k.sys
2011/01/02 20:12:44.0453 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
2011/01/02 20:12:44.0500 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/01/02 20:12:44.0546 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/01/02 20:12:44.0593 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/01/02 20:12:44.0656 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2011/01/02 20:12:44.0718 PCLEPCI (1bebe7de8508a02650cdce45c664c2a2) C:\WINDOWS\system32\drivers\pclepci.sys
2011/01/02 20:12:44.0750 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2011/01/02 20:12:44.0796 pcouffin (5b6c11de7e839c05248ced8825470fef) C:\WINDOWS\system32\Drivers\pcouffin.sys
2011/01/02 20:12:44.0890 pfc (444f122e68db44c0589227781f3c8b3f) C:\WINDOWS\system32\drivers\pfc.sys
2011/01/02 20:12:44.0921 Point32 (d0be72557de73acabbab536496d23115) C:\WINDOWS\system32\DRIVERS\point32.sys
2011/01/02 20:12:44.0968 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/01/02 20:12:45.0015 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/01/02 20:12:45.0062 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/01/02 20:12:45.0109 PxHelp20 (153d02480a0a2f45785522e814c634b6) C:\WINDOWS\system32\Drivers\PxHelp20.sys
2011/01/02 20:12:45.0187 PzWDM (36cf3653d367cbc72a38625543f3d4d1) C:\WINDOWS\system32\Drivers\PzWDM.sys
2011/01/02 20:12:45.0218 qcmdmxp (dbf1dd3024a5e85d7458daf3d54b85ed) C:\WINDOWS\system32\DRIVERS\qcmdmxp.sys
2011/01/02 20:12:45.0265 qcserxp (dbf1dd3024a5e85d7458daf3d54b85ed) C:\WINDOWS\system32\DRIVERS\qcserxp.sys
2011/01/02 20:12:45.0406 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/01/02 20:12:45.0484 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/01/02 20:12:45.0515 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/01/02 20:12:45.0578 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/01/02 20:12:45.0640 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/01/02 20:12:45.0671 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/01/02 20:12:45.0750 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2011/01/02 20:12:45.0812 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/01/02 20:12:45.0843 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/01/02 20:12:45.0921 ROOTMODEM (d8b0b4ade32574b2d9c5cc34dc0dbbe7) C:\WINDOWS\system32\Drivers\RootMdm.sys
2011/01/02 20:12:45.0968 SAVOnAccessControl (d9df915972694b5274facc8d00492acd) C:\WINDOWS\system32\DRIVERS\savonaccesscontrol.sys
2011/01/02 20:12:46.0015 SAVOnAccessFilter (31b35cca652a3553fa4fb99ea79c35bf) C:\WINDOWS\system32\DRIVERS\savonaccessfilter.sys
2011/01/02 20:12:46.0062 SAVRKBootTasks (68de5b1e82d3dd10f5f6169522c7c88a) C:\WINDOWS\system32\SAVRKBootTasks.sys
2011/01/02 20:12:46.0328 Secdrv (d26e26ea516450af9d072635c60387f4) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/01/02 20:12:46.0421 Sentinel (d23fc3f409fdbb2a5c230abc137c4b45) C:\WINDOWS\System32\Drivers\SENTINEL.SYS
2011/01/02 20:12:46.0515 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2011/01/02 20:12:46.0578 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2011/01/02 20:12:46.0640 SetupSys (edbecd7f71e40521c8685f0b1f96d3a0) C:\WINDOWS\system32\drivers\SetupSys.sys
2011/01/02 20:12:46.0703 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2011/01/02 20:12:46.0765 SI3112r (3da2f680bfc8e92a535cea5a5d80ac37) C:\WINDOWS\system32\DRIVERS\SI3112r.sys
2011/01/02 20:12:46.0796 SiFilter (d893aa1d1ee007b7ab1b16e1099e9f17) C:\WINDOWS\system32\DRIVERS\SiWinAcc.sys
2011/01/02 20:12:46.0843 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
2011/01/02 20:12:46.0875 SophosBootDriver (3bdf94e0827d13e44249a646f6c0eb7c) C:\WINDOWS\system32\DRIVERS\SophosBootDriver.sys
2011/01/02 20:12:46.0937 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2011/01/02 20:12:47.0000 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/01/02 20:12:47.0062 Srv (0f6aefad3641a657e18081f52d0c15af) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/01/02 20:12:47.0125 StillCam (a9573045baa16eab9b1085205b82f1ed) C:\WINDOWS\system32\DRIVERS\serscan.sys
2011/01/02 20:12:47.0156 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
2011/01/02 20:12:47.0218 SVKP (f05028b163b92c302a74409d683ac9b0) C:\WINDOWS\system32\SVKP.sys
2011/01/02 20:12:47.0265 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/01/02 20:12:47.0328 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2011/01/02 20:12:47.0468 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/01/02 20:12:47.0531 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/01/02 20:12:47.0593 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/01/02 20:12:47.0640 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/01/02 20:12:47.0718 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/01/02 20:12:47.0812 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2011/01/02 20:12:47.0906 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2011/01/02 20:12:47.0968 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2011/01/02 20:12:48.0046 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/01/02 20:12:48.0109 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/01/02 20:12:48.0171 usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\drivers\usbohci.sys
2011/01/02 20:12:48.0218 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2011/01/02 20:12:48.0265 usbscan (a6bc71402f4f7dd5b77fd7f4a8ddba85) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2011/01/02 20:12:48.0296 usbser (1c888b000c2f9492f4b15b5b6b84873e) C:\WINDOWS\system32\DRIVERS\usbser.sys
2011/01/02 20:12:48.0343 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/01/02 20:12:48.0390 usb_rndisx (b6cc50279d6cd28e090a5d33244adc9a) C:\WINDOWS\system32\DRIVERS\usb8023x.sys
2011/01/02 20:12:48.0437 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2011/01/02 20:12:48.0484 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/01/02 20:12:48.0546 vsdatant (0354ba3a5ba5e28cc247eb5f5dd8793c) C:\WINDOWS\system32\vsdatant.sys
2011/01/02 20:12:48.0609 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/01/02 20:12:48.0656 wanatw (0a716c08cb13c3a8f4f51e882dbf7416) C:\WINDOWS\system32\DRIVERS\wanatw4.sys
2011/01/02 20:12:48.0703 wandrv (85d294b1ba9307c229c099d1699c19ee) C:\WINDOWS\system32\DRIVERS\wandrv.sys
2011/01/02 20:12:48.0734 wceusbsh (46a247f6617526afe38b6f12f5512120) C:\WINDOWS\system32\DRIVERS\wceusbsh.sys
2011/01/02 20:12:48.0796 Wdf01000 (fd47474bd21794508af449d9d91af6e6) C:\WINDOWS\system32\DRIVERS\Wdf01000.sys
2011/01/02 20:12:48.0859 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/01/02 20:12:48.0937 winachsf (35104d888a90ebc18f71fdc2374d2bb9) C:\WINDOWS\system32\DRIVERS\HSF_USR.sys
2011/01/02 20:12:49.0015 WpdUsb (c1b3d9d75c3fb735f5fa3a5806aded57) C:\WINDOWS\system32\DRIVERS\wpdusb.sys
2011/01/02 20:12:49.0078 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
2011/01/02 20:12:49.0125 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
2011/01/02 20:12:49.0171 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2011/01/02 20:12:49.0203 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2011/01/02 20:12:49.0250 xmasscsi (4059ad5e639fa47e334304cbe82e9572) C:\WINDOWS\System32\Drivers\xmasscsi.sys
2011/01/02 20:12:49.0312 yukonwxp (4fd408e42b3e516732e607bed06f39fb) C:\WINDOWS\system32\DRIVERS\yukonwxp.sys
2011/01/02 20:12:49.0640 ================================================================================
2011/01/02 20:12:49.0640 Scan finished
2011/01/02 20:12:49.0640 ================================================================================
2011/01/02 20:13:22.0828 Deinitialize success

MBRCheck_01.02.11_20.14.35 Log;

MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000bbfd

Kernel Drivers (total 179):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0x806E4000 \WINDOWS\system32\hal.dll
0xBA5A8000 \WINDOWS\system32\KDCOM.DLL
0xBA4B8000 \WINDOWS\system32\BOOTVID.dll
0xB9F79000 ACPI.sys
0xBA5AA000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xB9F68000 pci.sys
0xBA0A8000 isapnp.sys
0xBA0B8000 ohci1394.sys
0xBA0C8000 \WINDOWS\system32\DRIVERS\1394BUS.SYS
0xBA670000 pciide.sys
0xBA328000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xBA0D8000 MountMgr.sys
0xB9F49000 ftdisk.sys
0xBA5AC000 dmload.sys
0xB9F23000 dmio.sys
0xBA330000 PartMgr.sys
0xBA0E8000 VolSnap.sys
0xB9F0B000 atapi.sys
0xB9EF2000 nvata.sys
0xBA0F8000 jraid.sys
0xB9EDA000 \WINDOWS\system32\DRIVERS\SCSIPORT.SYS
0xB9EBA000 SI3112r.sys
0xBA338000 cercsr6.sys
0xB9EA1000 nvatabus.sys
0xBA108000 disk.sys
0xBA118000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xB9E81000 fltmgr.sys
0xB9E6F000 sr.sys
0xBA4BC000 SiWinAcc.sys
0xBA128000 PxHelp20.sys
0xBA4C0000 PzWDM.sys
0xB9E58000 KSecDD.sys
0xB9E45000 WudfPf.sys
0xB9DB8000 Ntfs.sys
0xB9D8B000 NDIS.sys
0xBA340000 nv_agp.sys
0xB9D71000 Mup.sys
0xBA5AE000 JGOGO.sys
0xBA158000 \SystemRoot\system32\DRIVERS\nic1394.sys
0xBA188000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xB7C27000 \SystemRoot\system32\DRIVERS\nv4_mini.sys
0xB7C13000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xBA3C0000 \SystemRoot\system32\DRIVERS\fdc.sys
0xBA198000 \SystemRoot\system32\DRIVERS\serial.sys
0xBA570000 \SystemRoot\system32\DRIVERS\serenum.sys
0xB7BFF000 \SystemRoot\system32\DRIVERS\parport.sys
0xBA3C8000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xB7BDB000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xBA1A8000 \SystemRoot\system32\DRIVERS\imapi.sys
0xBA616000 \SystemRoot\System32\Drivers\ElbyDelay.sys
0xBA3D0000 \SystemRoot\System32\Drivers\AnyDVD.sys
0xBA3D8000 \SystemRoot\system32\drivers\iviaspi.sys
0xBA3E0000 \SystemRoot\system32\drivers\ASAPIW2k.sys
0xBA574000 \SystemRoot\system32\drivers\pfc.sys
0xBA1B8000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xBA1C8000 \SystemRoot\system32\DRIVERS\redbook.sys
0xB7BB8000 \SystemRoot\system32\DRIVERS\ks.sys
0xBA3F0000 \SystemRoot\System32\Drivers\incdrm.SYS
0xBA3F8000 \SystemRoot\System32\DRIVERS\InCDPass.sys
0xBA400000 \SystemRoot\System32\Drivers\GEARAspiWDM.sys
0xB7B7F000 \SystemRoot\system32\DRIVERS\USR_BSC2.sys
0xB7A82000 \SystemRoot\system32\DRIVERS\USR_MDMV.sys
0xB79CF000 \SystemRoot\system32\DRIVERS\HSF_USR.sys
0xBA408000 \SystemRoot\System32\Drivers\Modem.SYS
0xB7950000 \SystemRoot\system32\drivers\ctaud2k.sys
0xB792C000 \SystemRoot\system32\drivers\portcls.sys
0xBA1D8000 \SystemRoot\system32\drivers\drmk.sys
0xB78F7000 \SystemRoot\system32\drivers\ctoss2k.sys
0xB828A000 \SystemRoot\system32\drivers\ctprxy2k.sys
0xB78CF000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0xBA58C000 \SystemRoot\system32\DRIVERS\nvnetbus.sys
0xB7884000 \SystemRoot\system32\DRIVERS\NVNRM.SYS
0xB784D000 \SystemRoot\system32\DRIVERS\NVSNPU.SYS
0xBA618000 \SystemRoot\system32\DRIVERS\ASACPI.sys
0xB782E000 \SystemRoot\system32\DRIVERS\dne2000.sys
0xBA7DD000 \SystemRoot\system32\DRIVERS\audstub.sys
0xBA1E8000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xBA594000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xB7817000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xBA1F8000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xBA208000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xB8262000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xB7806000 \SystemRoot\system32\DRIVERS\psched.sys
0xB8322000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xB825A000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xB8252000 \SystemRoot\system32\DRIVERS\raspti.sys
0xB824A000 \SystemRoot\system32\DRIVERS\wanatw4.sys
0xB8312000 \SystemRoot\System32\Drivers\pcouffin.sys
0xB77D6000 \SystemRoot\system32\DRIVERS\rdpdr.sys
0xB8302000 \SystemRoot\system32\DRIVERS\termdd.sys
0xB8242000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xBA410000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xBA61C000 \SystemRoot\system32\drivers\SetupSys.sys
0xBA61E000 \SystemRoot\system32\DRIVERS\swenum.sys
0xB7778000 \SystemRoot\system32\DRIVERS\update.sys
0xB9D4D000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xB774A000 \SystemRoot\system32\DRIVERS\MarvinBus.sys
0xB82F2000 \SystemRoot\system32\DRIVERS\NVENETFD.sys
0xB82E2000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xB47F4000 \SystemRoot\system32\DRIVERS\flpydisk.sys
0xB477C000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xBA5C0000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xAE4BA000 \SystemRoot\system32\drivers\ha20x2k.sys
0xAE48A000 \SystemRoot\System32\drivers\emupia2k.sys
0xAE461000 \SystemRoot\system32\drivers\ctsfm2k.sys
0xAE3C5000 \SystemRoot\System32\drivers\ctac32k.sys
0xAE384000 \SystemRoot\System32\drivers\CT20XUT.SYS
0xAE23D000 \SystemRoot\System32\drivers\CTEXFIFX.SYS
0xB45EF000 \SystemRoot\system32\DRIVERS\savonaccessfilter.sys
0xB45E7000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0xAA4BA000 \SystemRoot\system32\DRIVERS\savonaccesscontrol.sys
0xAAD8A000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
0xAA76D000 \??\C:\WINDOWS\system32\SAVRKBootTasks.sys
0xAD896000 \SystemRoot\system32\DRIVERS\usbprint.sys
0xAD88E000 \SystemRoot\system32\DRIVERS\HPZius12.sys
0xA6E33000 \SystemRoot\system32\DRIVERS\hidusb.sys
0xA70EE000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0xAD876000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xA70DE000 \SystemRoot\system32\DRIVERS\HPZid412.sys
0xA6E2F000 \SystemRoot\system32\DRIVERS\kbdhid.sys
0xBA65C000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xADD47000 \SystemRoot\System32\Drivers\Null.SYS
0xBA662000 \SystemRoot\System32\Drivers\Beep.SYS
0xAAE3B000 \SystemRoot\System32\Drivers\ATMhelpr.SYS
0xAD89E000 \SystemRoot\System32\drivers\vga.sys
0xBA664000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xBA666000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xA6739000 \SystemRoot\System32\Drivers\InCDrec.SYS
0xA5DC1000 \SystemRoot\System32\Drivers\InCDfs.SYS
0xAA528000 \SystemRoot\System32\Drivers\Msfs.SYS
0xAA520000 \SystemRoot\System32\Drivers\Npfs.SYS
0xA6735000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xA5DAE000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xA5D55000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xA5D2F000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xA5D07000 \SystemRoot\system32\DRIVERS\netbt.sys
0xA6729000 \SystemRoot\system32\DRIVERS\mouhid.sys
0xA6721000 \SystemRoot\System32\drivers\ws2ifsl.sys
0xAA518000 \SystemRoot\system32\DRIVERS\point32.sys
0xA5CE5000 \SystemRoot\System32\drivers\afd.sys
0xA670D000 \SystemRoot\system32\DRIVERS\netbios.sys
0xA66ED000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xA5CBA000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xA6522000 \??\C:\WINDOWS\system32\drivers\pclepci.sys
0xA5C4A000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xA66DD000 \SystemRoot\system32\DRIVERS\arp1394.sys
0xA66CD000 \SystemRoot\System32\Drivers\Fips.SYS
0xA6516000 \SystemRoot\system32\DRIVERS\HPZipr12.sys
0xAA510000 \SystemRoot\system32\DRIVERS\NuidFltr.sys
0xA667D000 \SystemRoot\system32\DRIVERS\WDFLDR.SYS
0xA5BCF000 \SystemRoot\system32\DRIVERS\Wdf01000.sys
0xA60C4000 \SystemRoot\system32\drivers\sysaudio.sys
0xA6094000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xA5B68000 \SystemRoot\System32\Drivers\dump_nvata.sys
0xBA606000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xB28F1000 \SystemRoot\System32\drivers\Dxapi.sys
0xAA4E0000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xBA6F6000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF012000 \SystemRoot\System32\nv4_disp.dll
0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
0xA53C3000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xBA638000 \SystemRoot\System32\Drivers\ParVdm.SYS
0xA5387000 \SystemRoot\System32\Drivers\SENTINEL.SYS
0xA8314000 \SystemRoot\System32\Drivers\Aspi32.SYS
0xBA658000 \SystemRoot\System32\Drivers\ElbyCDIO.sys
0xA536B000 \SystemRoot\system32\DRIVERS\mdmxsdk.sys
0xA528F000 \SystemRoot\system32\DRIVERS\srv.sys
0xA526B000 \SystemRoot\System32\Drivers\Fastfat.SYS
0xAAC24000 \??\C:\WINDOWS\system32\SVKP.sys
0xA5E52000 \SystemRoot\System32\Drivers\TDTCP.SYS
0xA4EB0000 \SystemRoot\System32\Drivers\RDPWD.SYS
0xA4DAF000 \??\C:\WINDOWS\system32\Drivers\EPLPDX02.SYS
0xA4D9A000 \SystemRoot\system32\drivers\wdmaud.sys
0xA47FE000 \SystemRoot\System32\Drivers\HTTP.sys
0xA4668000 \SystemRoot\system32\drivers\kmixer.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 49):
0 System Idle Process
4 System
860 C:\WINDOWS\system32\smss.exe
1020 csrss.exe
1044 C:\WINDOWS\system32\winlogon.exe
1088 C:\WINDOWS\system32\services.exe
1100 C:\WINDOWS\system32\lsass.exe
1272 C:\WINDOWS\system32\svchost.exe
1320 svchost.exe
1360 C:\WINDOWS\system32\svchost.exe
1396 C:\WINDOWS\system32\svchost.exe
1456 svchost.exe
1480 svchost.exe
1600 C:\WINDOWS\system32\spoolsv.exe
1652 C:\Program Files\Creative\Shared Files\CTAudSvc.exe
1700 svchost.exe
1744 C:\WINDOWS\system32\PackethSvc.exe
1760 C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
1772 C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
1800 C:\WINDOWS\system32\CTSVCCDA.EXE
1812 C:\WINDOWS\system32\Crypserv.exe
1936 C:\WINDOWS\system32\svchost.exe
1972 C:\Program Files\Java\jre6\bin\jqs.exe
2036 C:\WINDOWS\system32\svchost.exe
184 C:\WINDOWS\system32\nvsvc32.exe
272 C:\WINDOWS\system32\svchost.exe
316 locator.exe
340 C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
452 C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
516 C:\WINDOWS\system32\svchost.exe
584 C:\WINDOWS\wanmpsvc.exe
624 C:\WINDOWS\system32\MsPMSPSv.exe
668 C:\WINDOWS\system32\searchindexer.exe
2324 alg.exe
2608 C:\WINDOWS\explorer.exe
2796 C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe
2812 C:\WINDOWS\SoundMan.exe
3988 C:\WINDOWS\system32\rundll32.exe
308 C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
3408 C:\Program Files\Itiva\Itiva Media Accelerator\ItivaMediaAccelerator.exe
3436 C:\Program Files\Microsoft IntelliPoint\ipoint.exe
3744 C:\WINDOWS\system32\Ctxfihlp.exe
3756 C:\WINDOWS\system32\CTxfispi.exe
2980 C:\Program Files\Mustek 1200 UB Plus\Driver\WATCH.exe
3176 C:\Program Files\Creative\Sound Blaster X-Fi\Entertainment Center\EAXLoadr.exe
3340 C:\Program Files\Creative\ShareDLL\CADI\NotiMan.exe
3648 wmiprvse.exe
2148 C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
2680 C:\Documents and Settings\ray\desktop\RootKit Tools\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
\\.\D: --> \\.\PhysicalDrive1 at offset 0x00000000`00007e00 (NTFS)
\\.\E: --> \\.\PhysicalDrive2 at offset 0x00000000`00007e00 (NTFS)
\\.\F: --> \\.\PhysicalDrive3 at offset 0x00000000`00007e00 (NTFS)
\\.\G: --> \\.\PhysicalDrive4 at offset 0x00000000`00007e00 (NTFS)
\\.\H: --> \\.\PhysicalDrive5 at offset 0x00000000`00007e00 (NTFS)

PhysicalDrive0 Model Number: WDCWD1600AAJS-75B4A0, Rev: 01.03A01
PhysicalDrive1 Model Number: WDCWD1600JS-60MHB1, Rev: 10.02E02
PhysicalDrive2 Model Number: WDCWD1600JS-60MHB1, Rev: 10.02E02
PhysicalDrive3 Model Number: ST3500630AS, Rev: 3.AAE
PhysicalDrive4 Model Number: SATASAMSUNG, Rev:
PhysicalDrive5 Model Number: WD5000AAC External, Rev: 1.65

Size Device Name MBR Status
--------------------------------------------
149 GB \\.\PhysicalDrive0

MBRCheck_01.02.11_20.35.19 Log;

MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000bbfd

Kernel Drivers (total 179):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0x806E4000 \WINDOWS\system32\hal.dll
0xBA5A8000 \WINDOWS\system32\KDCOM.DLL
0xBA4B8000 \WINDOWS\system32\BOOTVID.dll
0xB9F79000 ACPI.sys
0xBA5AA000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xB9F68000 pci.sys
0xBA0A8000 isapnp.sys
0xBA0B8000 ohci1394.sys
0xBA0C8000 \WINDOWS\system32\DRIVERS\1394BUS.SYS
0xBA670000 pciide.sys
0xBA328000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xBA0D8000 MountMgr.sys
0xB9F49000 ftdisk.sys
0xBA5AC000 dmload.sys
0xB9F23000 dmio.sys
0xBA330000 PartMgr.sys
0xBA0E8000 VolSnap.sys
0xB9F0B000 atapi.sys
0xB9EF2000 nvata.sys
0xBA0F8000 jraid.sys
0xB9EDA000 \WINDOWS\system32\DRIVERS\SCSIPORT.SYS
0xB9EBA000 SI3112r.sys
0xBA338000 cercsr6.sys
0xB9EA1000 nvatabus.sys
0xBA108000 disk.sys
0xBA118000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xB9E81000 fltmgr.sys
0xB9E6F000 sr.sys
0xBA4BC000 SiWinAcc.sys
0xBA128000 PxHelp20.sys
0xBA4C0000 PzWDM.sys
0xB9E58000 KSecDD.sys
0xB9E45000 WudfPf.sys
0xB9DB8000 Ntfs.sys
0xB9D8B000 NDIS.sys
0xBA340000 nv_agp.sys
0xB9D71000 Mup.sys
0xBA5AE000 JGOGO.sys
0xBA158000 \SystemRoot\system32\DRIVERS\nic1394.sys
0xBA168000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xB7C66000 \SystemRoot\system32\DRIVERS\nv4_mini.sys
0xB7C52000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xBA3B0000 \SystemRoot\system32\DRIVERS\fdc.sys
0xBA198000 \SystemRoot\system32\DRIVERS\serial.sys
0xBA564000 \SystemRoot\system32\DRIVERS\serenum.sys
0xB7C3E000 \SystemRoot\system32\DRIVERS\parport.sys
0xBA3B8000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xB7C1A000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xBA178000 \SystemRoot\system32\DRIVERS\imapi.sys
0xBA60C000 \SystemRoot\System32\Drivers\ElbyDelay.sys
0xBA3C0000 \SystemRoot\System32\Drivers\AnyDVD.sys
0xBA3C8000 \SystemRoot\system32\drivers\iviaspi.sys
0xBA3D0000 \SystemRoot\system32\drivers\ASAPIW2k.sys
0xBA568000 \SystemRoot\system32\drivers\pfc.sys
0xBA188000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xBA1A8000 \SystemRoot\system32\DRIVERS\redbook.sys
0xB7BF7000 \SystemRoot\system32\DRIVERS\ks.sys
0xBA3D8000 \SystemRoot\System32\Drivers\incdrm.SYS
0xBA3E0000 \SystemRoot\System32\DRIVERS\InCDPass.sys
0xBA3E8000 \SystemRoot\System32\Drivers\GEARAspiWDM.sys
0xB7BBE000 \SystemRoot\system32\DRIVERS\USR_BSC2.sys
0xB7AC1000 \SystemRoot\system32\DRIVERS\USR_MDMV.sys
0xB7A0E000 \SystemRoot\system32\DRIVERS\HSF_USR.sys
0xBA3F0000 \SystemRoot\System32\Drivers\Modem.SYS
0xB798F000 \SystemRoot\system32\drivers\ctaud2k.sys
0xB796B000 \SystemRoot\system32\drivers\portcls.sys
0xBA1B8000 \SystemRoot\system32\drivers\drmk.sys
0xB7936000 \SystemRoot\system32\drivers\ctoss2k.sys
0xBA3F8000 \SystemRoot\system32\drivers\ctprxy2k.sys
0xB790E000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0xBA580000 \SystemRoot\system32\DRIVERS\nvnetbus.sys
0xB78C3000 \SystemRoot\system32\DRIVERS\NVNRM.SYS
0xB788C000 \SystemRoot\system32\DRIVERS\NVSNPU.SYS
0xBA60E000 \SystemRoot\system32\DRIVERS\ASACPI.sys
0xB786D000 \SystemRoot\system32\DRIVERS\dne2000.sys
0xBA7FD000 \SystemRoot\system32\DRIVERS\audstub.sys
0xBA1C8000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xBA588000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xB7856000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xBA1D8000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xBA1E8000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xB82B1000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xB7845000 \SystemRoot\system32\DRIVERS\psched.sys
0xB8361000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xB82A9000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xB82A1000 \SystemRoot\system32\DRIVERS\raspti.sys
0xB8299000 \SystemRoot\system32\DRIVERS\wanatw4.sys
0xB8351000 \SystemRoot\System32\Drivers\pcouffin.sys
0xB7815000 \SystemRoot\system32\DRIVERS\rdpdr.sys
0xB8341000 \SystemRoot\system32\DRIVERS\termdd.sys
0xB8291000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xB8289000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xBA610000 \SystemRoot\system32\drivers\SetupSys.sys
0xBA612000 \SystemRoot\system32\DRIVERS\swenum.sys
0xB77B7000 \SystemRoot\system32\DRIVERS\update.sys
0xBA59C000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xB7789000 \SystemRoot\system32\DRIVERS\MarvinBus.sys
0xB8331000 \SystemRoot\system32\DRIVERS\NVENETFD.sys
0xB8321000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xB4833000 \SystemRoot\system32\DRIVERS\flpydisk.sys
0xB47BB000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xBA5B2000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xAE4F9000 \SystemRoot\system32\drivers\ha20x2k.sys
0xAE4C9000 \SystemRoot\System32\drivers\emupia2k.sys
0xAE4A0000 \SystemRoot\system32\drivers\ctsfm2k.sys
0xAE404000 \SystemRoot\System32\drivers\ctac32k.sys
0xAE3C3000 \SystemRoot\System32\drivers\CT20XUT.SYS
0xAE27C000 \SystemRoot\System32\drivers\CTEXFIFX.SYS
0xB4656000 \SystemRoot\system32\DRIVERS\savonaccessfilter.sys
0xAB3F0000 \SystemRoot\system32\DRIVERS\savonaccesscontrol.sys
0xB284C000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0xB283C000 \??\C:\WINDOWS\system32\SAVRKBootTasks.sys
0xB2834000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
0xB462E000 \SystemRoot\system32\DRIVERS\usbprint.sys
0xB4636000 \SystemRoot\system32\DRIVERS\HPZius12.sys
0xB7781000 \SystemRoot\system32\DRIVERS\hidusb.sys
0xAD4BC000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0xAAD99000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xAD4AC000 \SystemRoot\system32\DRIVERS\HPZid412.sys
0xB776D000 \SystemRoot\system32\DRIVERS\kbdhid.sys
0xAA75C000 \SystemRoot\system32\DRIVERS\NuidFltr.sys
0xA7123000 \SystemRoot\system32\DRIVERS\WDFLDR.SYS
0xA5EB9000 \SystemRoot\system32\DRIVERS\Wdf01000.sys
0xBA64C000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xAA79C000 \SystemRoot\System32\Drivers\Null.SYS
0xBA64E000 \SystemRoot\System32\Drivers\Beep.SYS
0xA6E44000 \SystemRoot\system32\DRIVERS\mouhid.sys
0xAA79B000 \SystemRoot\System32\Drivers\ATMhelpr.SYS
0xAA571000 \SystemRoot\system32\DRIVERS\point32.sys
0xAA569000 \SystemRoot\System32\drivers\vga.sys
0xBA650000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xBA652000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xA6852000 \SystemRoot\System32\Drivers\InCDrec.SYS
0xA5E80000 \SystemRoot\System32\Drivers\InCDfs.SYS
0xAA561000 \SystemRoot\System32\Drivers\Msfs.SYS
0xAA559000 \SystemRoot\System32\Drivers\Npfs.SYS
0xA684E000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xA5E6D000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xA5E14000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xA5DEE000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xA5DC6000 \SystemRoot\system32\DRIVERS\netbt.sys
0xA70D3000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xA683A000 \SystemRoot\System32\drivers\ws2ifsl.sys
0xA5DA4000 \SystemRoot\System32\drivers\afd.sys
0xA70C3000 \SystemRoot\system32\DRIVERS\netbios.sys
0xA6732000 \SystemRoot\system32\DRIVERS\arp1394.sys
0xA5D79000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xA682E000 \??\C:\WINDOWS\system32\drivers\pclepci.sys
0xA5D09000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xA6722000 \SystemRoot\System32\Drivers\Fips.SYS
0xA6557000 \SystemRoot\system32\DRIVERS\HPZipr12.sys
0xA66E2000 \SystemRoot\system32\drivers\sysaudio.sys
0xA6119000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xA5CA2000 \SystemRoot\System32\Drivers\dump_nvata.sys
0xBA5B6000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xA5F48000 \SystemRoot\System32\drivers\Dxapi.sys
0xAA541000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xBA7A9000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF012000 \SystemRoot\System32\nv4_disp.dll
0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
0xA54FD000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xBA606000 \SystemRoot\System32\Drivers\ParVdm.SYS
0xA54C1000 \SystemRoot\System32\Drivers\SENTINEL.SYS
0xB2918000 \SystemRoot\System32\Drivers\Aspi32.SYS
0xAD9DE000 \SystemRoot\System32\Drivers\ElbyCDIO.sys
0xA5481000 \SystemRoot\system32\DRIVERS\mdmxsdk.sys
0xA53FD000 \SystemRoot\System32\Drivers\Fastfat.SYS
0xA53A5000 \SystemRoot\system32\DRIVERS\srv.sys
0xBA71F000 \??\C:\WINDOWS\system32\SVKP.sys
0xA4E4A000 \SystemRoot\system32\drivers\wdmaud.sys
0xB4813000 \SystemRoot\System32\Drivers\TDTCP.SYS
0xA4DFF000 \SystemRoot\System32\Drivers\RDPWD.SYS
0xA4669000 \SystemRoot\System32\Drivers\HTTP.sys
0xA4630000 \??\C:\WINDOWS\system32\Drivers\EPLPDX02.SYS
0xA3CDB000 \SystemRoot\system32\drivers\kmixer.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 49):
0 System Idle Process
4 System
860 C:\WINDOWS\system32\smss.exe
1020 csrss.exe
1044 C:\WINDOWS\system32\winlogon.exe
1088 C:\WINDOWS\system32\services.exe
1100 C:\WINDOWS\system32\lsass.exe
1268 C:\WINDOWS\system32\svchost.exe
1320 svchost.exe
1360 C:\WINDOWS\system32\svchost.exe
1396 C:\WINDOWS\system32\svchost.exe
1448 svchost.exe
1480 svchost.exe
1576 C:\WINDOWS\system32\spoolsv.exe
1656 C:\Program Files\Creative\Shared Files\CTAudSvc.exe
1704 svchost.exe
1744 C:\WINDOWS\system32\PackethSvc.exe
1764 C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
1792 C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
1812 C:\WINDOWS\system32\CTSVCCDA.EXE
1828 C:\WINDOWS\system32\Crypserv.exe
1940 C:\WINDOWS\system32\svchost.exe
1964 C:\Program Files\Java\jre6\bin\jqs.exe
2028 C:\WINDOWS\system32\svchost.exe
2044 C:\WINDOWS\system32\nvsvc32.exe
312 C:\WINDOWS\system32\svchost.exe
360 locator.exe
384 C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
468 C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
500 C:\WINDOWS\system32\svchost.exe
588 C:\WINDOWS\wanmpsvc.exe
660 C:\WINDOWS\system32\MsPMSPSv.exe
680 C:\WINDOWS\system32\searchindexer.exe
2260 C:\WINDOWS\explorer.exe
2432 C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe
2760 C:\WINDOWS\SoundMan.exe
3516 C:\WINDOWS\system32\rundll32.exe
3832 C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
2776 C:\Program Files\Itiva\Itiva Media Accelerator\ItivaMediaAccelerator.exe
2832 C:\Program Files\Microsoft IntelliPoint\ipoint.exe
3992 C:\WINDOWS\system32\CTxfispi.exe
4016 C:\WINDOWS\system32\Ctxfihlp.exe
2124 C:\Program Files\Mustek 1200 UB Plus\Driver\WATCH.exe
2156 C:\Program Files\Creative\Sound Blaster X-Fi\Entertainment Center\EAXLoadr.exe
2232 C:\Program Files\Creative\ShareDLL\CADI\NotiMan.exe
2472 C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
3036 alg.exe
3616 wmiprvse.exe
1388 C:\Documents and Settings\ray\desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
\\.\D: --> \\.\PhysicalDrive1 at offset 0x00000000`00007e00 (NTFS)
\\.\E: --> \\.\PhysicalDrive2 at offset 0x00000000`00007e00 (NTFS)
\\.\F: --> \\.\PhysicalDrive3 at offset 0x00000000`00007e00 (NTFS)
\\.\G: --> \\.\PhysicalDrive4 at offset 0x00000000`00007e00 (NTFS)
\\.\H: --> \\.\PhysicalDrive5 at offset 0x00000000`00007e00 (NTFS)

PhysicalDrive0 Model Number: WDCWD1600AAJS-75B4A0, Rev: 01.03A01
PhysicalDrive1 Model Number: WDCWD1600JS-60MHB1, Rev: 10.02E02
PhysicalDrive2 Model Number: WDCWD1600JS-60MHB1, Rev: 10.02E02
PhysicalDrive3 Model Number: ST3500630AS, Rev: 3.AAE
PhysicalDrive4 Model Number: SATASAMSUNG, Rev:
PhysicalDrive5 Model Number: WD5000AAC External, Rev: 1.65

Size Device Name MBR Status
--------------------------------------------
149 GB \\.\PhysicalDrive0

HijackThis Log;

Logfile of HijackThis v1.98.0
Scan saved at 8:33:32 PM, on 1/2/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Creative\Shared Files\CTAudSvc.exe
C:\WINDOWS\system32\PackethSvc.exe
C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\crypserv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\Program Files\Itiva\Itiva Media Accelerator\ItivaMediaAccelerator.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\Program Files\Mustek 1200 UB Plus\Driver\WATCH.exe
C:\Program Files\Creative\Sound Blaster X-Fi\Entertainment Center\EAXLoadr.exe
C:\Program Files\Creative\ShareDLL\CADI\NotiMan.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Downloads\HijackThis\HijackThis1980.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.optimum.net/optonline
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F0 - system.ini: Shell=
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Sophos Web Content Scanner - {39EA7695-B3F2-4C44-A4BC-297ADA8FD235} - c:\Program Files\Sophos\Sophos Anti-Virus\SophosBHO.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Sophos AutoUpdate Monitor] C:\Program Files\Sophos\AutoUpdate\almon.exe
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\K-Lite Codec Pack\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Module Loader] C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe -StartUpRun
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\JM\JMInsIDE.exe
O4 - HKLM\..\Run: [JMB36X Configure] C:\WINDOWS\system32\JMRaidSetup.exe boot
O4 - HKLM\..\Run: [Itiva Media Accelerator] C:\Program Files\Itiva\Itiva Media Accelerator\ItivaMediaAccelerator.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - Global Startup: Watch.lnk = C:\Program Files\Mustek 1200 UB Plus\Driver\WATCH.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Show or hide HP Smart Web Printing - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - (no file)
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {A5A76EA0-7B92-4707-9DBF-6F6FE56A6800} (Pure Networks Security Scan) - http://scan.networkmagic.com/nmscan/download/WebDiag.4.5.8056.1-ship-WD.V1.cab
O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} (Oberon Flash Game Host) - http://cablevision.oberon-media.com/Gameshell/GameHost/1.0/OberonGameHost.cab
O16 - DPF: {D4B68B83-8710-488B-A692-D74B50BA558E} (Creative Software AutoUpdate Support Package) - http://ccfiles.creative.com/Web/softwareupdate/ocx/15113/CTPIDPDE.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://ccfiles.creative.com/Web/softwareupdate/ocx/15113/CTPID.cab
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

I really hope this helps you. Awaiting your reply on further suggestions.

Thank You,
Ray


#12 fireman4it
    Bleepin' Fireman

  • Malware Response Team
  • 13,505 posts
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 02 January 2011 - 11:47 PM

Hello,

AS FOR THAT "NO DISK ERROR" YOU KEEP GETTING:

Here are a couple of things to read to see if this is your problem.

Clicked on My Computer and noticed the hard drive was set as F:, The C:
drive was listed as removable media (usb camera). I moved the camera from C:
to G: and problem was solved. Hard Drive is now listed as F: but that
doesn't really matter to me or friend so all is well. I wasn't looking
forward to fixing the problem but was Very happy I got it all figured out in
about 15 minutes. Guess next time I will pay more attention when installing
and unplug any USB devices not needed till after the XP install. Live and
learn.

http://support.microsoft.com/default.aspx?scid=kb;en-us;330137

Make sure your hard drive letter is C: or that any other removable media is not set to C:



1.
Run HijackThis.
Click on Do a system scan only.
Place a checkmark next to these lines (if still present).

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F0 - system.ini: Shell=
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O3 - Toolbar: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\K-Lite Codec Pack\QuickTime\qttask.exe" -atboottime
O9 - Extra button: Show or hide HP Smart Web Printing - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - (no file)
O11 - Options group: [INTERNATIONAL] International
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.optimum.net/optonline


Then close all windows except HijackThis and click Fix Checked.

Restart


2.
Please download Rootkit Unhooker from one of the following links and save it to your desktop.
Link 1 (.exe file)
Link 2 (zipped file)
Link 3 (.rar file)

In order to use this tool if you downloaded from either of the second two links, you will need to extract the RKUnhookerLE.exe file using a program capable of extracting ZIP and RAR compressed files. If you don't have an extraction program, you can download, install and use the free 7-zip utility.

  • Double-click on RKUnhookerLE.exe to start the program.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • Click the Report tab, then click Scan.
  • Check Drivers, Stealth, and uncheck the rest.
  • Click OK.
  • Wait until it's finished and then go to File > Save Report.
  • Save the report to your Desktop.
  • Copy and paste the contents of the report into your next reply.
-- Note: You may get this warning...just ignore it, click OK and continue: "Rootkit Unhooker has detected a parasite inside itself! It is recommended to remove parasite, okay?".

3.
Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

4.
I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image
Note for Vista Users: Eset is compatible but Internet Explorer must be run as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select "Run as Administrator" from the context menu.
You can refer to this short video by: neomage
**Note**
To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan.

5.
Download Bootkit Remover to your desktop

1. Extract the file to your desktop.
2. Double click Remover.exe to run it (Right click and run as Administrator for Vista).
3. It will show a Black screen with some data on it.
4. Right click on the screen and choose Select All.
5. Press Control+C (to copy the data).
6. Open a notepad, Click on Edit tab > paste.
7. Exit the Remover.exe window.
8. Please post the contents of the notepad when you reply.

Things to include in your next reply:
RkUnhooker log
Gmer log
Eset log
Bootkit Remover log
A new HiJackThis log
How is your machine running now? Any signs of Malware?

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


If I have helped you, consider making a donation to help me continue the fight against Malware!
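
A small triage script, added here as an example and not part of this thread or of HijackThis itself, that scans HijackThis log lines for the entry patterns fireman4it marked for "Fix Checked" above: orphaned "(no file)" components, an empty system.ini Shell=, a per-user ProxyOverride, an unknown Winsock LSP, and autostarts given without a full path. The heuristics, the function names (`triage`, `triage_line`, `exe_path`, `Finding`) and the sample lines (copied from the logs posted in this thread) are my own assumptions; a flag means "review this line", not "this is malicious".

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: HijackThis lines copied from the logs posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F0 - system.ini: Shell=
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O9 - Extra button: Show or hide HP Smart Web Printing - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - (no file)
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
"""

# Every HijackThis entry is "<section tag> - <body>", e.g. "O4 - HKLM\..\Run: [Name] command".
LINE_RE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.*)$")
# O4 body shape: "<hive>: [<value name>] <command line>".
O4_RE = re.compile(r"^(?P<hive>[^:]+): \[(?P<name>[^\]]*)\] ?(?P<cmd>.*)$")


@dataclass
class Finding:
    section: str   # HijackThis section tag, e.g. "O4"
    reason: str    # why a helper would look at this line
    line: str      # the original log line


def exe_path(cmd: str) -> str:
    """Executable part of an O4 command: the quoted path if quoted, else the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding for one log line, or None if it matches no heuristic."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # header, process-list or blank line
    sec, body = m.group("sec"), m.group("body")
    if "(no file)" in body:
        # Registry still references a BHO/toolbar/button whose file is gone.
        return Finding(sec, "orphaned entry: the registered file no longer exists", line)
    if sec == "F0" and body.endswith("Shell="):
        return Finding(sec, "system.ini Shell= is present but empty", line)
    if sec == "R1" and "ProxyOverride" in body:
        return Finding(sec, "per-user proxy bypass list is set", line)
    if sec == "O10" and body.startswith("Unknown file in Winsock LSP"):
        return Finding(sec, "Winsock LSP not recognised by HijackThis", line)
    if sec == "O4":
        o4 = O4_RE.match(body)
        if o4:
            exe = exe_path(o4.group("cmd"))
            if "\\" not in exe:
                # A bare file name is located by PATH search at logon, so the
                # line alone does not tell you which file actually runs.
                return Finding(sec, f"autostart without a full path ({exe}) is resolved by PATH search", line)
    return None


def triage(log_text: str) -> List[Finding]:
    """Run triage_line over a whole log and keep only the flagged entries."""
    return [f for f in map(triage_line, log_text.splitlines()) if f is not None]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4} {f.reason}\n     {f.line}")
```

Entries fireman4it chose on judgement alone (the optimum.net start page, the O11 options group) are not caught by these rules, which is the point: the script narrows the list to review, it does not replace the review.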


#13 justpassinthru2k
  • Topic Starter
  • Members
  • 21 posts
  • Gender:Male

Posted 03 January 2011 - 09:46 PM

fireman4it,

As per your directions:

1. Make sure your hard drive letter is C: or that any other removable media is not set to C:
My Hard Drive IS in fact "My C Drive".



Things to include in your next reply:
RkUnhooker log
Gmer log
Eset log
Bootkit Remover log
A new HiJackThis log
How is your machine running now? Any signs of Malware?

RkUnhooker log:

RkU Version: 3.8.388.590, Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 3)
Number of processors #2
==============================================
>Drivers
==============================================
0xB7C0A000 C:\WINDOWS\system32\DRIVERS\nv4_mini.sys 6135808 bytes (NVIDIA Corporation, NVIDIA Compatible Windows 2000 Miniport Driver, Version 178.13 )
0xBF012000 C:\WINDOWS\System32\nv4_disp.dll 6057984 bytes (NVIDIA Corporation, NVIDIA Compatible Windows 2000 Display driver, Version 178.13 )
0x804D7000 C:\WINDOWS\system32\ntkrnlpa.exe 2150400 bytes (Microsoft Corporation, NT Kernel & System)
0x804D7000 PnpManager 2150400 bytes
0x804D7000 RAW 2150400 bytes
0x804D7000 WMIxWDM 2150400 bytes
0xBF800000 Win32k 1855488 bytes
0xBF800000 C:\WINDOWS\System32\win32k.sys 1855488 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0xAE220000 C:\WINDOWS\System32\drivers\CTEXFIFX.SYS 1339392 bytes (Creative Technology Ltd., Creative XFi Effects)
0xAE49D000 C:\WINDOWS\system32\drivers\ha20x2k.sys 1191936 bytes (Creative Technology Ltd, Creative 20X HAL (WDM))
0xB7A65000 C:\WINDOWS\system32\DRIVERS\USR_MDMV.sys 1036288 bytes (Conexant Systems, Inc., HSF_DP driver)
0xB79B2000 C:\WINDOWS\system32\DRIVERS\HSF_USR.sys 733184 bytes (Conexant Systems, Inc., HSF_CNXT driver)
0xAE3A8000 C:\WINDOWS\System32\drivers\ctac32k.sys 638976 bytes (Creative Technology Ltd, Creative AC3 SW Decoder Device Driver (WDM))
0xB9DB8000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)
0xB7933000 C:\WINDOWS\system32\drivers\ctaud2k.sys 520192 bytes (Creative Technology Ltd, Creative WDM Audio Device Driver)
0xA5DF1000 C:\WINDOWS\system32\DRIVERS\Wdf01000.sys 503808 bytes (Microsoft Corporation, WDF Dynamic)
0xA5C41000 C:\WINDOWS\system32\DRIVERS\mrxsmb.sys 458752 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
0xB775B000 C:\WINDOWS\system32\DRIVERS\update.sys 385024 bytes (Microsoft Corporation, Update Driver)
0xA5D4C000 C:\WINDOWS\system32\DRIVERS\tcpip.sys 364544 bytes (Microsoft Corporation, TCP/IP Protocol Driver)
0xA5239000 C:\WINDOWS\system32\DRIVERS\srv.sys 360448 bytes (Microsoft Corporation, Server driver)
0xB7867000 C:\WINDOWS\system32\DRIVERS\NVNRM.SYS 307200 bytes (NVIDIA Corporation, NVIDIA Network Resource Manager.)
0xBFFA0000 C:\WINDOWS\System32\ATMFD.DLL 290816 bytes (Adobe Systems Incorporated, Windows NT OpenType/Type 1 Font Driver)
0xA45A4000 C:\WINDOWS\System32\Drivers\HTTP.sys 266240 bytes (Microsoft Corporation, HTTP Protocol Stack)
0xB7B62000 C:\WINDOWS\system32\DRIVERS\USR_BSC2.sys 233472 bytes (Conexant Systems, Inc., HSF_HWB2 WDM driver)
0xB7830000 C:\WINDOWS\system32\DRIVERS\NVSNPU.SYS 225280 bytes (NVIDIA Corporation, NVIDIA Networking Soft-NPU Driver.)
0xB78DA000 C:\WINDOWS\system32\drivers\ctoss2k.sys 217088 bytes (Creative Technology Ltd., Creative OS Services Driver (WDM))
0xAE46D000 C:\WINDOWS\System32\drivers\emupia2k.sys 196608 bytes (Creative Technology Ltd, E-mu Plug-in Architecture Driver (WDM))
0xB77B9000 C:\WINDOWS\system32\DRIVERS\rdpdr.sys 196608 bytes (Microsoft Corporation, Microsoft RDP Device redirector)
0xB9F79000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)
0xB772D000 C:\WINDOWS\system32\DRIVERS\MarvinBus.sys 188416 bytes (Pinnacle Systems GmbH, Pinnacle Marvin Discrete Bus Enumerator)
0xA536D000 C:\WINDOWS\system32\DRIVERS\mrxdav.sys 184320 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)
0xB9D8B000 NDIS.sys 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)
0xAE367000 C:\WINDOWS\System32\drivers\CT20XUT.SYS 180224 bytes (Creative Technology Ltd., Creative 20X Utility Effects)
0xA5CB1000 C:\WINDOWS\system32\DRIVERS\rdbss.sys 176128 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0xAE444000 C:\WINDOWS\system32\drivers\ctsfm2k.sys 167936 bytes (Creative Technology Ltd, SoundFont® Manager (WDM))
0xB78B2000 C:\WINDOWS\system32\DRIVERS\HDAudBus.sys 163840 bytes (Windows ® Server 2003 DDK provider, High Definition Audio Bus Driver v1.0a)
0xA5D24000 C:\WINDOWS\system32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)
0xB9F23000 dmio.sys 155648 bytes (Microsoft Corp., Veritas Software, NT Disk Manager I/O Driver)
0xA5CFE000 C:\WINDOWS\system32\DRIVERS\ipnat.sys 155648 bytes (Microsoft Corporation, IP Network Address Translator)
0xAA427000 C:\WINDOWS\system32\DRIVERS\savonaccesscontrol.sys 155648 bytes (Sophos Plc, SAV On-access and HIPS for Windows XP (x86))
0xA51ED000 C:\WINDOWS\System32\Drivers\Fastfat.SYS 147456 bytes (Microsoft Corporation, Fast FAT File System Driver)
0xB790F000 C:\WINDOWS\system32\drivers\portcls.sys 147456 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0xB7BBE000 C:\WINDOWS\system32\DRIVERS\USBPORT.SYS 147456 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0xB7B9B000 C:\WINDOWS\system32\DRIVERS\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)
0xA4CBC000 C:\WINDOWS\System32\Drivers\RDPWD.SYS 143360 bytes (Microsoft Corporation, RDP Terminal Stack Driver (US/Canada Only, Not for Export))
0xA5CDC000 C:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0x806E4000 ACPI_HAL 134400 bytes
0x806E4000 C:\WINDOWS\system32\hal.dll 134400 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0xB9E81000 fltmgr.sys 131072 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0xB9EBA000 SI3112r.sys 131072 bytes (Silicon Image, Inc, Serial ATA RAID miniport driver)
0xB7811000 C:\WINDOWS\system32\DRIVERS\dne2000.sys 126976 bytes (Deterministic Networks, Inc., Deterministic Network Enhancer)
0xB9F49000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver)
0xB9D71000 Mup.sys 106496 bytes (Microsoft Corporation, Multiple UNC Provider driver)
0xA5BDA000 C:\WINDOWS\System32\Drivers\dump_nvata.sys 102400 bytes
0xA5DB8000 C:\WINDOWS\System32\Drivers\InCDfs.SYS 102400 bytes (Nero AG, InCD File System Driver)
0xB9EF2000 nvata.sys 102400 bytes (NVIDIA Corporation, NVIDIA® nForce™ IDE Performance Driver)
0xB9EA1000 nvatabus.sys 102400 bytes (NVIDIA Corporation, NVIDIA® nForce™ IDE Performance Driver)
0xB9F0B000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)
0xB9EDA000 C:\WINDOWS\system32\DRIVERS\SCSIPORT.SYS 98304 bytes (Microsoft Corporation, SCSI Port Driver)
0xB9E58000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0xB77FA000 C:\WINDOWS\system32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
0xBFF60000 C:\WINDOWS\System32\RDPDD.dll 94208 bytes (Microsoft Corporation, RDP Display Driver)
0xA4B56000 C:\WINDOWS\system32\drivers\wdmaud.sys 86016 bytes (Microsoft Corporation, MMSYSTEM Wave/Midi API mapper)
0xB7BE2000 C:\WINDOWS\system32\DRIVERS\parport.sys 81920 bytes (Microsoft Corporation, Parallel Port Driver)
0xA5331000 C:\WINDOWS\System32\Drivers\SENTINEL.SYS 81920 bytes (Rainbow Technologies, Inc., Sentinel System Driver (NT Parallel driver))
0xB7BF6000 C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver)
0xA5DA5000 C:\WINDOWS\system32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver)
0xB9E45000 WudfPf.sys 77824 bytes (Microsoft Corporation, Windows Driver Foundation - User-mode Driver Framework Platform Driver)
0xBF000000 C:\WINDOWS\System32\drivers\dxg.sys 73728 bytes (Microsoft Corporation, DirectX Graphics Driver)
0xB9E6F000 sr.sys 73728 bytes (Microsoft Corporation, System Restore Filesystem Filter Driver)
0xA4B6B000 C:\WINDOWS\system32\Drivers\EPLPDX02.SYS 69632 bytes (MK Systems CO., LTD., LPT I/O driver for EPSON PRINTER)
0xB9F68000 pci.sys 69632 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
0xB77E9000 C:\WINDOWS\system32\DRIVERS\psched.sys 69632 bytes (Microsoft Corporation, MS QoS Packet Scheduler)
0xA6011000 C:\WINDOWS\System32\Drivers\Cdfs.SYS 65536 bytes (Microsoft Corporation, CD-ROM File System Driver)
0xBA1B8000 C:\WINDOWS\system32\DRIVERS\cdrom.sys 65536 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
0xBA158000 C:\WINDOWS\system32\DRIVERS\nic1394.sys 65536 bytes (Microsoft Corporation, IEEE1394 Ndis Miniport and Call Manager)
0xBA0B8000 ohci1394.sys 65536 bytes (Microsoft Corporation, 1394 OpenHCI Port Driver)
0xBA198000 C:\WINDOWS\system32\DRIVERS\serial.sys 65536 bytes (Microsoft Corporation, Serial Device Driver)
0xA663A000 C:\WINDOWS\system32\DRIVERS\arp1394.sys 61440 bytes (Microsoft Corporation, IP/1394 Arp Client)
0xBA1D8000 C:\WINDOWS\system32\drivers\drmk.sys 61440 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
0xBA1C8000 C:\WINDOWS\system32\DRIVERS\redbook.sys 61440 bytes (Microsoft Corporation, Redbook Audio Filter Driver)
0xA6051000 C:\WINDOWS\system32\drivers\sysaudio.sys 61440 bytes (Microsoft Corporation, System Audio WDM Filter)
0xB475F000 C:\WINDOWS\system32\DRIVERS\usbhub.sys 61440 bytes (Microsoft Corporation, Default Hub Driver for USB)
0xBA0C8000 C:\WINDOWS\system32\DRIVERS\1394BUS.SYS 57344 bytes (Microsoft Corporation, 1394 Bus Device Driver)
0xBA118000 C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS 53248 bytes (Microsoft Corporation, SCSI Class System Dll)
0xA704B000 C:\WINDOWS\system32\DRIVERS\HPZid412.sys 53248 bytes (HP, IEEE-1284.4-1999 Driver (Windows 2000))
0xBA1E8000 C:\WINDOWS\system32\DRIVERS\rasl2tp.sys 53248 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
0xBA0E8000 VolSnap.sys 53248 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0xA6FFB000 C:\WINDOWS\system32\DRIVERS\WDFLDR.SYS 53248 bytes (Microsoft Corporation, WDFLDR)
0xB82F5000 C:\WINDOWS\System32\Drivers\pcouffin.sys 49152 bytes (VSO Software, low level access layer for CD/DVD/BD devices)
0xBA208000 C:\WINDOWS\system32\DRIVERS\raspptp.sys 49152 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
0xA662A000 C:\WINDOWS\System32\Drivers\Fips.SYS 45056 bytes (Microsoft Corporation, FIPS Crypto Driver)
0xBA1A8000 C:\WINDOWS\system32\DRIVERS\imapi.sys 45056 bytes (Microsoft Corporation, IMAPI Kernel Driver)
0xBA0F8000 jraid.sys 45056 bytes (JMicron Technology Corp., JMicron JMB36X RAID Driver)
0xBA0D8000 MountMgr.sys 45056 bytes (Microsoft Corporation, Mount Manager)
0xBA1F8000 C:\WINDOWS\system32\DRIVERS\raspppoe.sys 45056 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
0xBA0A8000 isapnp.sys 40960 bytes (Microsoft Corporation, PNP ISA Bus Driver)
0xB82C5000 C:\WINDOWS\System32\Drivers\NDProxy.SYS 40960 bytes (Microsoft Corporation, NDIS Proxy)
0xBA128000 PxHelp20.sys 40960 bytes (Sonic Solutions, Px Engine Device Driver for Windows 2000/XP)
0xB82E5000 C:\WINDOWS\system32\DRIVERS\termdd.sys 40960 bytes (Microsoft Corporation, Terminal Server Driver)
0xBA108000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver)
0xA705B000 C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS 36864 bytes (Microsoft Corporation, Hid Class Library)
0xBA188000 C:\WINDOWS\system32\DRIVERS\intelppm.sys 36864 bytes (Microsoft Corporation, Processor Device Driver)
0xB8305000 C:\WINDOWS\system32\DRIVERS\msgpc.sys 36864 bytes (Microsoft Corporation, MS General Packet Classifier)
0xA666A000 C:\WINDOWS\system32\DRIVERS\netbios.sys 36864 bytes (Microsoft Corporation, NetBIOS interface driver)
0xA436C000 C:\WINDOWS\System32\Drivers\Normandy.SYS 36864 bytes (RKU Driver)
0xB82D5000 C:\WINDOWS\system32\DRIVERS\NVENETFD.sys 36864 bytes (NVIDIA Corporation, NVIDIA Networking Function Driver.)
0xA665A000 C:\WINDOWS\system32\DRIVERS\wanarp.sys 36864 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
0xBA3D8000 C:\WINDOWS\system32\drivers\ASAPIW2k.sys 32768 bytes (Pinnacle Systems GmbH, ASAPI)
0xBA338000 cercsr6.sys 32768 bytes (Adaptec, Inc., DELL CERC SATA1.5/6ch Miniport Driver)
0xBA400000 C:\WINDOWS\system32\drivers\ctprxy2k.sys 32768 bytes (Creative Technology Ltd, Creative Proxy Device Driver (WDM))
0xBA3E8000 C:\WINDOWS\System32\DRIVERS\InCDPass.sys 32768 bytes (Nero AG, Ahead RW Filter Driver)
0xBA3F8000 C:\WINDOWS\System32\Drivers\Modem.SYS 32768 bytes (Microsoft Corporation, Modem Device Driver)
0xAA4D5000 C:\WINDOWS\System32\Drivers\Npfs.SYS 32768 bytes (Microsoft Corporation, NPFS Driver)
0xAAC2B000 C:\WINDOWS\system32\DRIVERS\usbccgp.sys 32768 bytes (Microsoft Corporation, USB Common Class Generic Parent Driver)
0xBA3C0000 C:\WINDOWS\system32\DRIVERS\usbehci.sys 32768 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
0xBA3B8000 C:\WINDOWS\system32\DRIVERS\fdc.sys 28672 bytes (Microsoft Corporation, Floppy Disk Controller Driver)
0xAD861000 C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS 28672 bytes (Microsoft Corporation, Hid Parsing Library)
0xBA3E0000 C:\WINDOWS\System32\Drivers\incdrm.SYS 28672 bytes (Nero AG, Ahead MRW Filter Driver)
0xAD859000 C:\WINDOWS\system32\DRIVERS\NuidFltr.sys 28672 bytes (Microsoft Corporation, Filter Driver for Microsoft Hardware HID Non-User Input Data)
0xBA328000 C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS 28672 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
0xAAC0B000 C:\WINDOWS\system32\DRIVERS\usbprint.sys 28672 bytes (Microsoft Corporation, USB Printer driver)
0xAAC13000 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS 28672 bytes (Microsoft Corporation, USB Mass Storage Class Driver)
0xBA3F0000 C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys 24576 bytes (GEAR Software Inc., CD DVD Filter)
0xAD879000 C:\WINDOWS\system32\DRIVERS\HPZius12.sys 24576 bytes (HP, 1284.4<->Usb Datalink Driver (Windows 2000))
0xBA3D0000 C:\WINDOWS\system32\drivers\iviaspi.sys 24576 bytes (InterVideo, Inc., InterVideo ASPI Shell)
0xB8235000 C:\WINDOWS\system32\DRIVERS\kbdclass.sys 24576 bytes (Microsoft Corporation, Keyboard Class Driver)
0xB822D000 C:\WINDOWS\system32\DRIVERS\mouclass.sys 24576 bytes (Microsoft Corporation, Mouse Class Driver)
0xAA4ED000 C:\WINDOWS\system32\DRIVERS\point32.sys 24576 bytes (Microsoft Corporation, Point32.sys)
0xB45D2000 C:\WINDOWS\system32\DRIVERS\savonaccessfilter.sys 24576 bytes (Sophos Plc, SAV On-access and HIPS for Windows XP (x86))
0xAA4BD000 C:\WINDOWS\System32\Drivers\TDTCP.SYS 24576 bytes (Microsoft Corporation, TCP Transport Driver)
0xAA4E5000 C:\WINDOWS\System32\drivers\vga.sys 24576 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
0xB823D000 C:\WINDOWS\system32\DRIVERS\wanatw4.sys 24576 bytes (America Online, Inc., Wan Miniport (ATW))
0xBA3C8000 C:\WINDOWS\System32\Drivers\AnyDVD.sys 20480 bytes (SlySoft, Inc., AnyDVD Filter Driver)
0xB47D7000 C:\WINDOWS\system32\DRIVERS\flpydisk.sys 20480 bytes (Microsoft Corporation, Floppy Driver)
0xAA4DD000 C:\WINDOWS\System32\Drivers\Msfs.SYS 20480 bytes (Microsoft Corporation, Mailslot driver)
0xBA340000 nv_agp.sys 20480 bytes (NVIDIA Corporation, NVIDIA nForce AGP Filter)
0xBA330000 PartMgr.sys 20480 bytes (Microsoft Corporation, Partition Manager)
0xB824D000 C:\WINDOWS\system32\DRIVERS\ptilink.sys 20480 bytes (Parallel Technologies, Inc., Parallel Technologies DirectParallel IO Library)
0xB8245000 C:\WINDOWS\system32\DRIVERS\raspti.sys 20480 bytes (Microsoft Corporation, PTI DirectParallel® mini-port/call-manager driver)
0xAAC1B000 C:\WINDOWS\system32\SAVRKBootTasks.sys 20480 bytes (Sophos Plc, Sophos boot tasks for Windows 2000)
0xB8255000 C:\WINDOWS\system32\DRIVERS\TDI.SYS 20480 bytes (Microsoft Corporation, TDI Wrapper)
0xAA4A5000 C:\WINDOWS\System32\watchdog.sys 20480 bytes (Microsoft Corporation, Watchdog Driver)
0xA53C6000 C:\WINDOWS\System32\Drivers\Aspi32.SYS 16384 bytes (Adaptec, ASPI for WIN32 Kernel Driver)
0xA6487000 C:\WINDOWS\system32\DRIVERS\HPZipr12.sys 16384 bytes (HP, IEEE-1284.4-1999 Print Class Driver)
0xA6D98000 C:\WINDOWS\system32\DRIVERS\kbdhid.sys 16384 bytes (Microsoft Corporation, HID Mouse Filter Driver)
0xBA5A4000 C:\WINDOWS\system32\DRIVERS\mssmbios.sys 16384 bytes (Microsoft Corporation, System Management BIOS Driver)
0xBA588000 C:\WINDOWS\system32\DRIVERS\nvnetbus.sys 16384 bytes (NVIDIA Corporation, NVIDIA Networking Bus Driver.)
0xA649B000 C:\WINDOWS\system32\drivers\pclepci.sys 16384 bytes (Pinnacle Systems GmbH, PCLEPCI)
0xBA56C000 C:\WINDOWS\system32\DRIVERS\serenum.sys 16384 bytes (Microsoft Corporation, Serial Port Enumerator)
0xBA4BC000 SiWinAcc.sys 16384 bytes (Silicon Image, Inc, Windows Accelerator Driver)
0xBA4B8000 C:\WINDOWS\system32\BOOTVID.dll 12288 bytes (Microsoft Corporation, VGA Boot Driver)
0xABDA9000 C:\WINDOWS\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver)
0xA6D9C000 C:\WINDOWS\system32\DRIVERS\hidusb.sys 12288 bytes (Microsoft Corporation, USB Miniport Driver for Input Devices)
0xA6786000 C:\WINDOWS\System32\Drivers\InCDrec.SYS 12288 bytes (Nero AG, InCD File System Recognizer)
0xA53A2000 C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys 12288 bytes (Conexant, Diagnostic Interface DRIVER)
0xA678A000 C:\WINDOWS\system32\DRIVERS\mouhid.sys 12288 bytes (Microsoft Corporation, HID Mouse Filter Driver)
0xBA590000 C:\WINDOWS\system32\DRIVERS\ndistapi.sys 12288 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
0xBA570000 C:\WINDOWS\system32\drivers\pfc.sys 12288 bytes (Padus, Inc., Padus® ASPI Shell)
0xBA4C0000 PzWDM.sys 12288 bytes (Prassi Technology, PzWDM.sys)
0xA6782000 C:\WINDOWS\system32\DRIVERS\rasacd.sys 12288 bytes (Microsoft Corporation, RAS Automatic Connection Driver)
0xA6772000 C:\WINDOWS\System32\drivers\ws2ifsl.sys 12288 bytes (Microsoft Corporation, Winsock2 IFS Layer)
0xBA622000 C:\WINDOWS\system32\DRIVERS\ASACPI.sys 8192 bytes (-, ATK0110 ACPI Utility)
0xBA66A000 C:\WINDOWS\System32\Drivers\Beep.SYS 8192 bytes (Microsoft Corporation, BEEP Driver)
0xBA5AC000 dmload.sys 8192 bytes (Microsoft Corp., Veritas Software., NT Disk Manager Startup Driver)
0xBA614000 C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS 8192 bytes
0xBA606000 C:\WINDOWS\System32\Drivers\ElbyCDIO.sys 8192 bytes (Elaborate Bytes AG, ElbyCD Windows NT/2000/XP I/O driver)
0xBA620000 C:\WINDOWS\System32\Drivers\ElbyDelay.sys 8192 bytes (Elaborate Bytes AG, Elby Delay Lower Filter Driver)
0xBA668000 C:\WINDOWS\System32\Drivers\Fs_Rec.SYS 8192 bytes (Microsoft Corporation, File System Recognizer Driver)
0xBA5AE000 JGOGO.sys 8192 bytes (JMicron , SCSI Port upper filter driver)
0xBA5A8000 C:\WINDOWS\system32\KDCOM.DLL 8192 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
0xBA66C000 C:\WINDOWS\System32\Drivers\mnmdd.SYS 8192 bytes (Microsoft Corporation, Frame buffer simulator)
0xBA5F8000 C:\WINDOWS\System32\Drivers\ParVdm.SYS 8192 bytes (Microsoft Corporation, VDM Parallel Driver)
0xBA66E000 C:\WINDOWS\System32\DRIVERS\RDPCDD.sys 8192 bytes (Microsoft Corporation, RDP Miniport)
0xBA624000 C:\WINDOWS\system32\drivers\SetupSys.sys 8192 bytes (Conexant, Diagnostic Interface DRIVER)
0xBA626000 C:\WINDOWS\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
0xBA5CA000 C:\WINDOWS\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
0xBA5AA000 C:\WINDOWS\system32\DRIVERS\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
0xAA743000 C:\WINDOWS\System32\Drivers\ATMhelpr.SYS 4096 bytes (Adobe Systems Incorporated, Windows NT Font Driver Helper)
0xBA7B7000 C:\WINDOWS\system32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver)
0xAA4FE000 C:\WINDOWS\System32\drivers\dxgthk.sys 4096 bytes (Microsoft Corporation, DirectX Graphics Driver Thunk)
0xAA744000 C:\WINDOWS\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver)
0xBA670000 pciide.sys 4096 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)
0xBA7A8000 C:\WINDOWS\system32\SVKP.sys 4096 bytes (AntiCracking, SVKP driver for NT)
==============================================
>Stealth
==============================================

GMER log:

Still cannot run GMER. Will try in safe mode and if successful, I will edit this post.

ESET log:

C:\Documents and Settings\ray\My Documents\Keyspan Boot Stick\Outlook\Previous Netscape\isiss-OutlookMig\debugDOTvbs probably unknown SCRIPT virus deleted - quarantined
C:\Documents and Settings\ray\My Documents\Keyspan Boot Stick\Outlook\Previous Netscape\isiss-OutlookMig\zOLKScript5DOTvbs probably unknown SCRIPT virus deleted - quarantined
C:\Documents and Settings\rayNEW\My Documents\Keyspan Boot Stick\Outlook\Previous Netscape\isiss-OutlookMig\debugDOTvbs probably unknown SCRIPT virus deleted - quarantined
C:\Documents and Settings\rayNEW\My Documents\Keyspan Boot Stick\Outlook\Previous Netscape\isiss-OutlookMig\zOLKScript5DOTvbs probably unknown SCRIPT virus deleted - quarantined
C:\Downloads\NoAdWare\noadware.exe Win32/NoAdware application deleted - quarantined
C:\Downloads\Unlocker 1.9.0\unlocker-1.9.0.zip Win32/Adware.ADON application deleted - quarantined
C:\System Volume Information\_restore{C9E9BA2F-E0F4-4C2B-A3CA-CAF197A12F7B}\RP16\A0018396.exe Win32/NoAdware application deleted - quarantined
F:\Downloaded Torrents\Applications\Veritas Backup Exec v10\Veritas.Backup.Exec.v10.keygen\keygen.exe a variant of Win32/Keygen.AD application cleaned by deleting - quarantined
F:\Downloaded Torrents\Apps Temp Move\Backup exec 11d\BackExec 11.d\keygen.exe a variant of Win32/Keygen.AD application cleaned by deleting - quarantined
F:\Downloaded Torrents\Apps Temp Move\Backup exec 11d\BackExec 11.d\Tlf-Soft-11.08.06 Symantec Backup Exec v11D.iso a variant of Win32/Keygen.AD application deleted - quarantined
F:\Downloaded Torrents\Apps Temp Move\Symantec\Norton Ghost v10.0.0.8400\File\GHOST10.exe probably a variant of Win32/Adware.Agent.GFRJHWV application deleted - quarantined
F:\Downloaded Torrents\Apps Temp Move\Symantec\Norton Ghost v10.0.0.8400\File\Extracted\GHOST10.iso probably a variant of Win32/Adware.Agent.GFRJHWV application deleted - quarantined
F:\Downloaded Torrents\Apps Temp Move\VERITAS Backup Exec 10\Veritas Backup Exec v10\Veritas.Backup.Exec.v10.keygen\keygen.exe a variant of Win32/Keygen.AD application cleaned by deleting - quarantined
F:\Downloads\NoAdWare\noadware.exe Win32/NoAdware application deleted - quarantined

BootKit Remover log:

Bootkit Remover
© 2009 eSage Lab
www.esagelab.com

Program version: 1.2.0.0
OS Version: Microsoft Windows XP Professional Service Pack 3 (build 2600)

System volume is \\.\C:
\\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`00007e00
ATA_Read(): DeviceIoControl() ERROR 1
Boot sector MD5 is: 6def5ffcbcdbdb4082f1015625e597bd

Size Device Name MBR Status
--------------------------------------------
149 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)


Done;
Press any key to quit...

NEW HiJackThis log:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 9:33:18 PM, on 1/3/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Creative\Shared Files\CTAudSvc.exe
C:\WINDOWS\system32\PackethSvc.exe
C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\crypserv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Documents and Settings\ray\Desktop\3 GMER\ihyzbi81.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe
C:\Program Files\Itiva\Itiva Media Accelerator\ItivaMediaAccelerator.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\Program Files\Mustek 1200 UB Plus\Driver\WATCH.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Documents and Settings\ray\Desktop\3 GMER\ihyzbi81.exe
C:\Documents and Settings\ray\Desktop\3 GMER\new\gmer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpSvc.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\ray\Desktop\3 GMER\ihyzbi81.exe
C:\Documents and Settings\ray\Desktop\RootKit Tools\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Sophos Web Content Scanner - {39EA7695-B3F2-4C44-A4BC-297ADA8FD235} - c:\Program Files\Sophos\Sophos Anti-Virus\SophosBHO.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Sophos AutoUpdate Monitor] C:\Program Files\Sophos\AutoUpdate\almon.exe
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Module Loader] C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe -StartUpRun
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\JM\JMInsIDE.exe
O4 - HKLM\..\Run: [JMB36X Configure] C:\WINDOWS\system32\JMRaidSetup.exe boot
O4 - HKLM\..\Run: [Itiva Media Accelerator] C:\Program Files\Itiva\Itiva Media Accelerator\ItivaMediaAccelerator.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Global Startup: Watch.lnk = C:\Program Files\Mustek 1200 UB Plus\Driver\WATCH.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {A5A76EA0-7B92-4707-9DBF-6F6FE56A6800} (Pure Networks Security Scan) - http://scan.networkmagic.com/nmscan/download/WebDiag.4.5.8056.1-ship-WD.V1.cab
O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} (Oberon Flash Game Host) - http://cablevision.oberon-media.com/Gameshell/GameHost/1.0/OberonGameHost.cab
O16 - DPF: {D4B68B83-8710-488B-A692-D74B50BA558E} (Creative Software AutoUpdate Support Package) - http://ccfiles.creative.com/Web/softwareupdate/ocx/15113/CTPIDPDE.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://ccfiles.creative.com/Web/softwareupdate/ocx/15113/CTPID.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Audio Engine Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe
O23 - Service: Creative Media Toolbox 6 Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\MT6Licensing.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: Creative Audio Service (CTAudSvcService) - Creative Technology Ltd - C:\Program Files\Creative\Shared Files\CTAudSvc.exe
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINDOWS\system32\DWRCS.EXE
O23 - Service: Google Update Service (gupdate1c987ea6b15f84e) (gupdate1c987ea6b15f84e) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\system32\PackethSvc.exe
O23 - Service: PEVSystemStart - Unknown owner - C:\1234\PEV.cfxxe
O23 - Service: SentinelProtectionServer - SafeNet, Inc - C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 9429 bytes


Box is still slow. Will edit post if improvement after safe mode GMER and re-start.

Awaiting your reply
Ray




#14 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:12:30 PM

Posted 03 January 2011 - 10:06 PM

Hello,

Please run the following batch file then try and run Combofix again.


1.
Please copy the contents of the code box below, open notepad and paste it there. On the top toolbar in notepad select file, then save as. In the box that opens type in remservice.bat for the file name. Right below that click the down arrow in the line for "save as" and select all files. Save this to your desktop and close notepad.

@echo off
rem Stop the PEVSystemStart service, then remove its registration from the service database
sc stop PEVSystemStart
sc delete PEVSystemStart
rem Remove this batch file itself (the working directory is the Desktop when it is double-clicked there)
del remservice.bat
EXIT
Locate the remservice icon on your desktop and double click it. A box will pop up briefly on your screen and disappear, this is normal.

NOTICE: This file was written specifically for this user, for use on that particular machine.
Running this on another machine may cause damage to your operating system.


2.
Use Windows Explorer to find and delete these files:

C:\1234\PEV.cfxxe

As an example:
To delete C:\WINDOWS\badfile.dll
Double click the My Computer icon on your Desktop. Or click on the Windows KEY + E.
Double click on Local Disc (C:\)
Double click on the Windows folder,
Right click on badfile.dll and then from the menu that appears, click on Delete




3.
Uninstall Combofix
  • Make sure that Combofix.exe that you downloaded is on your Desktop but Do not run it!
    o *If it is not on your Desktop, the below will not work.
  • Click on Start then Run....
  • Now copy & paste the green bolded text in the run-box and click OK.

    ComboFix /Uninstall


    <Notice the space between the "x" and "/".> <--- It needs to be there
    Windows Vista users: Press the Windows Key + R to bring the Run... Command and then from there you can add in the Combofix /Uninstall

  • Please advise if this step is missed for any reason as it performs some important actions:
    "This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.
    It also makes a clean Restore Point and flushes all the old restore points in order to prevent possible reinfection from an old one through system restore".

4.
Please download a new copy of Combofix and run it in Safemode with Networking

Link 1
Link 2

Now reboot into Safe Mode.
This can be done tapping the F8 key as soon as you start your computer
You will be brought to a menu where you can choose to boot into safe mode.
Make sure you choose the option with networking support.
Please see here for additional details.

Finally, please post a new HijackThis log, Combofix.txt and a description of any remaining problems.

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-



If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif
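A triage pass over the O23 (service) entries of the HijackThis logs posted in this thread, as an added example that is not part of the original thread and not a HijackThis feature: it flags a service with no recorded publisher, a binary outside %SystemRoot% and Program Files, or an unusual executable extension, which is exactly what singles out the PEVSystemStart / C:\1234\PEV.cfxxe entry the batch file above removes. The sample lines are copied from the log above; the heuristics and the list of trusted roots are my own assumptions for an XP box.

```python
# Added example (not from the thread or HijackThis): flag HijackThis O23 service
# entries with no publisher, a binary outside Windows/Program Files, or an odd
# extension. Heuristics and trusted roots are my own assumptions for an XP box.
import ntpath
import re
from typing import List, NamedTuple

# "O23 - Service: <display name> - <publisher> - <drive-letter path to binary>"
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?) - (?P<owner>.+?) - (?P<path>[A-Za-z]:\\.+)$"
)
SHORT_RE = re.compile(r"\((?P<short>[^()]+)\)$")   # trailing "(shortname)"

TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")
SERVICE_BINARY_EXTS = {".exe", ".sys", ".dll"}

# Constructed sample: lines copied from the log above plus one non-O23 line
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Google Update Service (gupdate1c987ea6b15f84e) (gupdate1c987ea6b15f84e) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: PEVSystemStart - Unknown owner - C:\1234\PEV.cfxxe
"""

class Finding(NamedTuple):
    service: str      # short name when the log shows one, else the display name
    owner: str
    path: str
    reasons: List[str]

def parse_o23(line):
    """Return (service name, publisher, binary path) for an O23 line, else None."""
    m = O23_RE.match(line.strip())
    if not m:
        return None
    display = m.group("display")
    short = SHORT_RE.search(display)
    return (short.group("short") if short else display), m.group("owner"), m.group("path")

def assess(owner: str, path: str) -> List[str]:
    """Heuristic reasons why a service entry deserves a closer look."""
    reasons = []
    if owner.strip().lower() == "unknown owner":
        reasons.append("no publisher recorded for the service binary")
    if not path.lower().startswith(TRUSTED_ROOTS):
        reasons.append("binary outside %SystemRoot% and Program Files")
    if ntpath.splitext(path)[1].lower() not in SERVICE_BINARY_EXTS:
        reasons.append("unusual extension for a service binary")
    return reasons

def triage_log(text: str) -> List[Finding]:
    """Every O23 entry in the log text that trips at least one heuristic."""
    findings = []
    for line in text.splitlines():
        parsed = parse_o23(line)
        if parsed:
            name, owner, path = parsed
            reasons = assess(owner, path)
            if reasons:
                findings.append(Finding(name, owner, path, reasons))
    return findings

if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"{f.service}: {f.path} ({f.owner}) -> {'; '.join(f.reasons)}")
```

A hit from these heuristics is a prompt to check the binary (publisher, signature, file age) rather than proof of infection; legitimate third-party services occasionally trip the path rule.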


#15 justpassinthru2k

justpassinthru2k
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  • Gender:Male
  • Local time:12:30 PM

Posted 04 January 2011 - 06:52 AM

fireman4it,

Still cannot run ComboFix so no log to post, whether in normal mode or safe mode with networking. Computer is still very slow shutting down and booting up.

HiJackThis log:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 6:46:54 AM, on 1/4/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Creative\Shared Files\CTAudSvc.exe
C:\WINDOWS\system32\PackethSvc.exe
C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\crypserv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\Program Files\Itiva\Itiva Media Accelerator\ItivaMediaAccelerator.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Program Files\Mustek 1200 UB Plus\Driver\WATCH.exe
C:\Program Files\Creative\Sound Blaster X-Fi\Entertainment Center\EAXLoadr.exe
C:\Program Files\Creative\ShareDLL\CADI\NotiMan.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\ray\Desktop\RootKit Tools\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Sophos Web Content Scanner - {39EA7695-B3F2-4C44-A4BC-297ADA8FD235} - c:\Program Files\Sophos\Sophos Anti-Virus\SophosBHO.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Sophos AutoUpdate Monitor] C:\Program Files\Sophos\AutoUpdate\almon.exe
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Module Loader] C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe -StartUpRun
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\JM\JMInsIDE.exe
O4 - HKLM\..\Run: [JMB36X Configure] C:\WINDOWS\system32\JMRaidSetup.exe boot
O4 - HKLM\..\Run: [Itiva Media Accelerator] C:\Program Files\Itiva\Itiva Media Accelerator\ItivaMediaAccelerator.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Global Startup: Watch.lnk = C:\Program Files\Mustek 1200 UB Plus\Driver\WATCH.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {A5A76EA0-7B92-4707-9DBF-6F6FE56A6800} (Pure Networks Security Scan) - http://scan.networkmagic.com/nmscan/download/WebDiag.4.5.8056.1-ship-WD.V1.cab
O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} (Oberon Flash Game Host) - http://cablevision.oberon-media.com/Gameshell/GameHost/1.0/OberonGameHost.cab
O16 - DPF: {D4B68B83-8710-488B-A692-D74B50BA558E} (Creative Software AutoUpdate Support Package) - http://ccfiles.creative.com/Web/softwareupdate/ocx/15113/CTPIDPDE.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://ccfiles.creative.com/Web/softwareupdate/ocx/15113/CTPID.cab
O20 - AppInit_DLLs: c:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Audio Engine Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe
O23 - Service: Creative Media Toolbox 6 Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\MT6Licensing.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: Creative Audio Service (CTAudSvcService) - Creative Technology Ltd - C:\Program Files\Creative\Shared Files\CTAudSvc.exe
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINDOWS\system32\DWRCS.EXE
O23 - Service: Google Update Service (gupdate1c987ea6b15f84e) (gupdate1c987ea6b15f84e) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\system32\PackethSvc.exe
O23 - Service: SentinelProtectionServer - SafeNet, Inc - C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 9308 bytes

Awaiting further direction.

Thanks,
Ray



