
google redirects leading to multiple infections


  • This topic is locked
10 replies to this topic

#1 eadthem

eadthem

  • Members
  • 6 posts
  • OFFLINE
  • Local time:03:51 PM

Posted 29 April 2011 - 10:18 PM

So a week or two ago, when the new Firefox 4 download was out, I got it and was quickly disappointed, and noticed occasional Google result redirects. I removed FF4 and went back to 3.6 and noticed the same thing, and tied it to a malware addon called XULrunner that kept coming back.

The Google redirects only occur in Internet Explorer and Firefox; K-Meleon and Chrome are unaffected.

So I dive in and attack with the usual (that I use on other people's computers; this is my first infection in 5 years): NOD32 (found nothing), Spybot S&D (found only cookies). So I installed Malwarebytes and it pulled out a Hiloti Trojan from 2 randomly named DLL files in the Windows folder (there are some other suspects in there, at the bottom of the post). Then the next day I had a couple of hard-to-describe strange events, and then about an hour later it rebooted without warning or request.

I found a correlation between Hiloti and Virtumonde, so I try VundoFix and get nothing.

Next day I dig in deeper and, after trying several more things, I do GMER, which returns a hit for Sinowal on the MBR. I then get ComboFix (I knew what it was and what it did and wasn't worried about the risks; I have good backups) and it turned up nothing. And then I found the BleepingComputer forums. I tried TDSSKiller and it returned a result for Rootkit.Win32.BackBoot.gen and didn't fix it, so I get SUPERAntiSpyware Free, and all its findings are false positives: AutoIt3, angryipscan.

I'm running Windows XP Pro 32-bit. I do have Windows disks after a bit of digging. I would prefer not to reinstall, but I do have a Clonezilla image from a year ago and current backups of all else.

Defogger was run and did not find any CD-ROM emulation software, although I have used it in the past (I'm guessing I already had it disabled).

--------------------------------------- DDS.txt --------------------------------------
.

DDS (Ver_11-03-05.01) - NTFSx86

Run by pat at 21:51:51.75 on Fri 04/29/2011

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_25

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1117 [GMT -5:00]

.

AV: ESET NOD32 Antivirus 4.2 *Disabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

.

============== Running Processes ===============

.

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

C:\WINDOWS\system32\Ati2evxx.exe

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

D:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe

D:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\WINDOWS\system32\vmnat.exe

C:\WINDOWS\system32\MsPMSPSv.exe

D:\Program Files\VMware\VMware Player\vmware-authd.exe

D:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

D:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe

D:\Program Files\Common Files\Java\Java Update\jusched.exe

D:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe

C:\WINDOWS\system32\vmnetdhcp.exe

D:\Program Files\K-Meleon\k-meleon.exe

C:\WINDOWS\explorer.exe

D:\Program Files\GhostWall\ghostwall.exe

D:\Program Files\mIRC\mirc.exe

C:\WINDOWS\system32\NOTEPAD.EXE

D:\Program Files\Google\Update\GoogleUpdate.exe

D:\Program Files\Google\Update\GoogleUpdate.exe

D:\ins\vundufix\dds.scr

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.google.com/

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - d:\progra~1\spybot~1\SDHelper.dll

BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - d:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - d:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

uRun: [SpybotSD TeaTimer] d:\program files\spybot - search & destroy\TeaTimer.exe

uRun: [Greenshot] "d:\program files\greenshot\Greenshot.exe"

uRun: [OscarEditor] "d:\program files\oscar editor\OscarEditor.exe" Minimum

mRun: [CTSysVol] c:\program files\creative\sbaudigy2zs\surround mixer\CTSysVol.exe /r

mRun: [CTHelper] CTHELPER.EXE

mRun: [SBDrvDet] c:\program files\creative\sb drive det\SBDrvDet.exe /r

mRun: [GhostWall] "d:\program files\ghostwall\ghostwall.exe" -minimize

mRun: [StartCCC] "d:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun

mRun: [egui] "d:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice

mRun: [WheelMouse] d:\program files\a4tech\mouse\Amoumain.exe

mRun: [SunJavaUpdateSched] "d:\program files\common files\java\java update\jusched.exe"

StartupFolder: d:\documents and settings\pat\start menu\programs\startup\note.txt

StartupFolder: d:\docume~1\alluse~1\startm~1\programs\startup\amazon~1.lnk - d:\program files\amazon\amazon unbox video\ADVWindowsClientSystemTray.exe

StartupFolder: d:\docume~1\alluse~1\startm~1\programs\startup\diskch~1.lnk - d:\program files\diskcheckup\DiskCheckup.exe

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - d:\program files\messenger\msmsgs.exe

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - d:\progra~1\spybot~1\SDHelper.dll

LSP: d:\program files\vmware\vmware player\vsocklib.dll

Trusted Zone: aol.com\free

Trusted Zone: clonewarsadventures.com

Trusted Zone: freerealms.com

Trusted Zone: soe.com

Trusted Zone: sony.com

DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos-beta/OnlineScanner.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

TCP: {1F2E8D42-4C2C-43B7-A5A5-53E612D383FA} = 4.2.2.1,192.168.0.1

Notify: AtiExtEvent - Ati2evxx.dll

Notify: LMIinit - LMIinit.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

.

================= FIREFOX ===================

.

FF - ProfilePath - d:\docume~1\pat\applic~1\mozilla\firefox\profiles\39o1m4jn.ead\

FF - prefs.js: network.proxy.ftp - localhost

FF - prefs.js: network.proxy.ftp_port - 8118

FF - prefs.js: network.proxy.http - localhost

FF - prefs.js: network.proxy.http_port - 8118

FF - prefs.js: network.proxy.socks - localhost

FF - prefs.js: network.proxy.socks_port - 8118

FF - prefs.js: network.proxy.ssl - localhost

FF - prefs.js: network.proxy.ssl_port - 8118

FF - prefs.js: network.proxy.type - 0

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - d:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Firefox 2, the theme, reloaded: {fd2f951f-77ea-4938-9493-0c892c027a13} - %profile%\extensions\{fd2f951f-77ea-4938-9493-0c892c027a13}

FF - Ext: Personas: personas@christopher.beard - %profile%\extensions\personas@christopher.beard

FF - Ext: United States English Spellchecker: en-US@dictionaries.addons.mozilla.org - %profile%\extensions\en-US@dictionaries.addons.mozilla.org

.

---- FIREFOX POLICIES ----

FF - user.js: lightweightThemes.isThemeSelected - true

.

============= SERVICES / DRIVERS ===============

.

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2009-5-14 115008]

R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2009-5-14 95896]

R1 VBoxDrv;VirtualBox Service;c:\windows\system32\drivers\VBoxDrv.sys [2009-7-26 158736]

R1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\windows\system32\drivers\VBoxUSBMon.sys [2009-7-26 42960]

R2 ekrn;ESET Service;d:\program files\eset\eset nod32 antivirus\ekrn.exe [2010-11-4 810144]

R2 ghstwall;ghstwall;c:\windows\system32\drivers\ghstwall.sys [2009-7-26 6520]

R2 gupdate;Google Update Service (gupdate);d:\program files\google\update\GoogleUpdate.exe [2010-4-2 136176]

R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2010-2-20 47640]

R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2010-6-25 35088]

R2 PfDetNT;PfDetNT;c:\windows\system32\drivers\PfModNT.sys [2009-5-10 15840]

R2 vmci;VMware vmci;c:\windows\system32\drivers\vmci.sys [2009-3-26 54960]

R3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\5f4e.tmp --> c:\windows\system32\5F4E.tmp [?]

R3 MouseCap;MouseCapture Driver;c:\windows\system32\drivers\MouseCap.sys [2005-8-8 6640]

R3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows\system32\drivers\VBoxNetAdp.sys [2009-7-26 109328]

R3 VBoxNetFlt;VBoxNetFlt Service;c:\windows\system32\drivers\VBoxNetFlt.sys [2010-12-22 120208]

R3 xcpip;TCP/IP Protocol Driver;c:\windows\system32\drivers\xcpip.sys --> c:\windows\system32\drivers\xcpip.sys [?]

R3 xpsec;IPSEC driver;c:\windows\system32\drivers\xpsec.sys --> c:\windows\system32\drivers\xpsec.sys [?]

RUnknown SASDIFSV;SASDIFSV; [x]

RUnknown SASKUTIL;SASKUTIL; [x]

S1 vcdrom;Virtual CD-ROM Device Driver;\??\c:\ins\vcd\vcdrom.sys --> c:\ins\vcd\VCdRom.sys [?]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 CX88XBAR;MSI 8606 Crossbar;c:\windows\system32\drivers\CX88XBar.SYS [2009-8-2 9159]

S2 LMIInfo;LogMeIn Kernel Information Provider;\??\d:\program files\logmein\x86\rainfo.sys --> d:\program files\logmein\x86\RaInfo.sys [?]

S2 MySQLS1;MySQLS1;d:\uniserver\usr\local\mysql\bin\mysqld-opt.exe mysqls1 --> d:\uniserver\usr\local\mysql\bin\mysqld-opt.exe MySQLS1 [?]

S3 Apache2SSL;Apache2Triad Apache2 Service with SSL;"c:\apache2triad\bin\httpd.exe" -d ssl -n apache2ssl -k runservice --> c:\apache2triad\bin\httpd.exe [?]

S3 cpuz130;cpuz130;\??\d:\docume~1\pat\locals~1\temp\cpuz130\cpuz_x32.sys --> d:\docume~1\pat\locals~1\temp\cpuz130\cpuz_x32.sys [?]

S3 DBKDRVR54;DBKDRVR54;d:\program files\ce\dbk32.sys [2010-5-23 60416]

S3 gupdatem;Google Update Service (gupdatem);d:\program files\google\update\GoogleUpdate.exe [2010-4-2 136176]

S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2009-12-2 19712]

S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2009-12-2 8320]

S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [2009-12-2 23936]

S3 MPCSYS;MPCSYS;c:\windows\system32\drivers\mpcsys.SYS [2009-8-2 15488]

S3 o1394bul;o1394bul;\??\d:\docume~1\pat\locals~1\temp\o1394bul.sys --> d:\docume~1\pat\locals~1\temp\o1394bul.sys [?]

S3 PgSql;Apache2Triad PostgreSQL Service;"c:\apache2triad\pgsql\bin\pg_ctl.exe" runservice -n pgsql -d c:\apache2triad\pgsql\data\ --> c:\apache2triad\pgsql\bin\pg_ctl.exe [?]

S3 SlimFTPd;Apache2Triad SlimFTPd Server;"c:\apache2triad\ftp\slimftpd.exe" -service --> c:\apache2triad\ftp\SlimFTPd.exe [?]

S3 TetaSCDevice;TetaSCDevice;\??\c:\windows\system32\tetascop.sys --> c:\windows\system32\tetascop.SYS [?]

S3 VBoxUSB;VirtualBox USB;c:\windows\system32\drivers\VBoxUSB.sys [2011-1-7 31888]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

S3 XMail;Apache2Triad Xmail Service;c:\apache2triad\mail\bin\xmail.exe --> c:\apache2triad\mail\bin\XMail.exe [?]

S4 ApacheS1;ApacheS1;d:\uniserver\usr\local\apache2\bin\Apache.exe [2010-5-17 24645]

S4 LMIRfsClientNP;LMIRfsClientNP; [x]

S4 MotoConnect Service;MotoConnect Service;d:\program files\motorola\motoconnectservice\MotoConnectService.exe [2009-12-2 91392]

.

=============== Created Last 30 ================

.

2011-04-29 23:37:18 -------- d-----w- d:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com

2011-04-29 23:02:46 -------- d-----w- C:\ComboFix

2011-04-29 03:47:32 -------- d-sha-r- C:\cmdcons

2011-04-29 03:44:01 98816 ----a-w- c:\windows\sed.exe

2011-04-29 03:44:01 89088 ----a-w- c:\windows\MBR.exe

2011-04-29 03:44:01 256512 ----a-w- c:\windows\PEV.exe

2011-04-29 03:44:01 161792 ----a-w- c:\windows\SWREG.exe

2011-04-29 00:56:51 -------- d-----w- d:\docume~1\pat\applic~1\Malwarebytes

2011-04-29 00:56:45 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-04-29 00:56:44 -------- d-----w- d:\docume~1\alluse~1\applic~1\Malwarebytes

2011-04-29 00:56:40 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-04-29 00:56:40 -------- d-----w- d:\program files\Malwarebytes' Anti-Malware

2011-04-28 23:35:39 472808 ----a-w- d:\program files\mozilla firefox\plugins\npdeployJava1.dll

2011-04-28 23:35:39 472808 ----a-w- c:\windows\system32\deployJava1.dll

2011-04-27 04:55:41 -------- d-----w- C:\VundoFix Backups

2011-04-27 04:01:16 -------- d-----w- d:\docume~1\pat\locals~1\applic~1\v{64ED30C2-79A0-4D1B-AF03-3A3FC92F3A90}

2011-04-18 21:01:00 0 ----a-w- c:\windows\Yliyezevuqa.bin

2011-04-17 14:36:46 66520 ----a-w- d:\program files\mozilla firefox\plugins\npnul32.dll

2011-04-17 14:36:46 492504 ----a-w- d:\program files\mozilla firefox\sqlite3.dll

2011-04-17 14:36:46 25048 ----a-w- d:\program files\mozilla firefox\components\browserdirprovider.dll

2011-04-17 14:36:46 140248 ----a-w- d:\program files\mozilla firefox\components\brwsrcmp.dll

2011-04-17 14:36:46 1018328 ----a-w- d:\program files\mozilla firefox\js3250.dll

2011-04-09 03:45:57 -------- d-----w- d:\documents and settings\pat\.unidata

2011-04-09 03:45:18 -------- d-----w- d:\program files\IDV_2.9u3

2011-04-05 21:01:36 719832 ----a-w- d:\program files\mozilla firefox\mozcpp19.dll

2011-04-05 21:01:36 16856 ----a-w- d:\program files\mozilla firefox\plugin-container.exe

2011-03-31 21:50:05 45056 ----a-r- d:\docume~1\pat\applic~1\microsoft\installer\{361693f2-a153-4359-a4cb-a1b9ff2aa5e6}\Witness.exe1_361693F2A1534359A4CBA1B9FF2AA5E6.exe

2011-03-31 21:50:05 45056 ----a-r- d:\docume~1\pat\applic~1\microsoft\installer\{361693f2-a153-4359-a4cb-a1b9ff2aa5e6}\Witness.exe_361693F2A1534359A4CBA1B9FF2AA5E6.exe

2011-03-31 21:44:11 -------- d-----w- d:\program files\OSCAR Editor

2011-03-31 21:43:43 -------- d-----w- d:\program files\OscarX7

2011-03-31 21:38:29 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll

2011-03-31 21:38:29 21504 ----a-w- c:\windows\system32\hidserv.dll

2011-03-31 21:38:26 14592 -c--a-w- c:\windows\system32\dllcache\kbdhid.sys

2011-03-31 21:38:26 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys

2011-03-31 21:38:19 12160 -c--a-w- c:\windows\system32\dllcache\mouhid.sys

2011-03-31 21:38:19 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys

2011-03-31 21:38:07 32128 -c--a-w- c:\windows\system32\dllcache\usbccgp.sys

2011-03-31 21:38:07 32128 ----a-w- c:\windows\system32\drivers\usbccgp.sys

.

==================== Find3M ====================

.

2011-04-14 07:40:22 73728 ----a-w- c:\windows\system32\javacpl.cpl

2011-02-02 03:45:53 444952 ----a-w- c:\windows\system32\wrap_oal.dll

2011-02-02 03:45:53 109080 ----a-w- c:\windows\system32\OpenAL32.dll

2003-06-19 16:05:04 431888 --s-a-w- d:\program files\common files\riched20.dll

.

============= FINISH: 21:52:18.51 ===============
-------------------------------------end of dds.txt-----------------------------------------

OK, since my last post:
I ran mbr.exe -t from the Mebroot HelpAsst tool someone posted, after studying it, and it found the rootkit still there, so I did mbr.exe -f and it fixed something.
Rebooted.

NOD32 now can see that there's something Mebroot running in RAM but can't fix it, so...

I had a read through my ComboFix log and made a CFScript for the locked registry entries, after Googling parts and finding out they're part of the rootkit, and it cleaned it up.
I also renamed the entire Macromed folder in system32 (knew this would mean I might need to reinstall Shockwave and Flash later).
RegLock::

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

Rebooted.
Then did ComboFix again and noted that it cleaned up the registry entries, but NOD32 still complained about a Mebroot in memory, so...
I rebooted into the Recovery Console and ran fixmbr; it found an odd MBR and fixed it.
Rebooted again; NOD32 had the same message, so I tried running eMebRemover.exe (from ESET/NOD32) and it found and removed it, then rebooted.

After booting up I ran a Malwarebytes and a NOD32 virus scan and they came up clean. I made a NOD32 recovery CD using AIK and ran that, and it scanned clean as well.

I've rerun DDS and attached and posted its details below. I've also rerun GMER per the default instructions and attached it, and it appears I'm clean except for a line
Disk \Device\Harddisk0\DR0 malicious Win32:MBRoot code @ sector 66139608 in the GMER log.

If someone wants to check the logs over to make sure I'm not missing something, that would be greatly appreciated. After getting a clean bill of health I'll do combofix /uninstall, and run OTClean (otc.exe).

It appears I was infected with the following: XULrunner (Firefox addon), Mebroot/Sinowal, Hiloti (Malwarebytes).

Thanks


eadthem

Remember kids, just because I took the risk and ran ComboFix myself doesn't mean you should. In fact I recommend against it. It really didn't help at all.

------------------------------------- DDS.txt -----------------------------------
.

DDS (Ver_11-03-05.01) - NTFSx86

Run by pat at 14:28:37.76 on Sat 04/30/2011

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_25

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1509 [GMT -5:00]

.

AV: ESET NOD32 Antivirus 4.2 *Disabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

.

============== Running Processes ===============

.

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

D:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe

D:\Program Files\Google\Update\GoogleUpdate.exe

D:\Program Files\Java\jre6\bin\jqs.exe

D:\uniserver\usr\local\mysql\bin\mysqld-opt.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\WINDOWS\system32\vmnat.exe

D:\Program Files\Google\Update\GoogleUpdate.exe

C:\WINDOWS\system32\MsPMSPSv.exe

C:\WINDOWS\system32\wuauclt.exe

D:\Program Files\VMware\VMware Player\vmware-authd.exe

C:\WINDOWS\system32\vmnetdhcp.exe

C:\WINDOWS\system32\CTHELPER.EXE

D:\Program Files\GhostWall\ghostwall.exe

D:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe

D:\Program Files\A4Tech\Mouse\Amoumain.exe

D:\Program Files\Common Files\Java\Java Update\jusched.exe

D:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

C:\WINDOWS\system32\NOTEPAD.EXE

D:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe

D:\ins\vundufix\dds.scr

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.google.com/

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - d:\progra~1\spybot~1\SDHelper.dll

BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - d:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - d:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

uRun: [SpybotSD TeaTimer] d:\program files\spybot - search & destroy\TeaTimer.exe

uRun: [Greenshot] "d:\program files\greenshot\Greenshot.exe"

uRun: [OscarEditor] "d:\program files\oscar editor\OscarEditor.exe" Minimum

mRun: [CTSysVol] c:\program files\creative\sbaudigy2zs\surround mixer\CTSysVol.exe /r

mRun: [CTHelper] CTHELPER.EXE

mRun: [SBDrvDet] c:\program files\creative\sb drive det\SBDrvDet.exe /r

mRun: [GhostWall] "d:\program files\ghostwall\ghostwall.exe" -minimize

mRun: [StartCCC] "d:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun

mRun: [egui] "d:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice

mRun: [WheelMouse] d:\program files\a4tech\mouse\Amoumain.exe

mRun: [SunJavaUpdateSched] "d:\program files\common files\java\java update\jusched.exe"

StartupFolder: d:\documents and settings\pat\start menu\programs\startup\note.txt

StartupFolder: d:\docume~1\alluse~1\startm~1\programs\startup\amazon~1.lnk - d:\program files\amazon\amazon unbox video\ADVWindowsClientSystemTray.exe

StartupFolder: d:\docume~1\alluse~1\startm~1\programs\startup\diskch~1.lnk - d:\program files\diskcheckup\DiskCheckup.exe

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - d:\program files\messenger\msmsgs.exe

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - d:\progra~1\spybot~1\SDHelper.dll

LSP: d:\program files\vmware\vmware player\vsocklib.dll

Trusted Zone: aol.com\free

Trusted Zone: clonewarsadventures.com

Trusted Zone: freerealms.com

Trusted Zone: soe.com

Trusted Zone: sony.com

DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos-beta/OnlineScanner.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

TCP: {1F2E8D42-4C2C-43B7-A5A5-53E612D383FA} = 4.2.2.1,192.168.0.1

Notify: AtiExtEvent - Ati2evxx.dll

Notify: LMIinit - LMIinit.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

.

================= FIREFOX ===================

.

FF - ProfilePath - d:\docume~1\pat\applic~1\mozilla\firefox\profiles\39o1m4jn.ead\

FF - prefs.js: network.proxy.ftp - localhost

FF - prefs.js: network.proxy.ftp_port - 8118

FF - prefs.js: network.proxy.http - localhost

FF - prefs.js: network.proxy.http_port - 8118

FF - prefs.js: network.proxy.socks - localhost

FF - prefs.js: network.proxy.socks_port - 8118

FF - prefs.js: network.proxy.ssl - localhost

FF - prefs.js: network.proxy.ssl_port - 8118

FF - prefs.js: network.proxy.type - 0

FF - plugin: d:\documents and settings\pat\application data\mozilla\plugins\npgoogletalk.dll

FF - plugin: d:\documents and settings\pat\application data\mozilla\plugins\npgtpo3dautoplugin.dll

FF - plugin: d:\documents and settings\pat\local settings\application data\google\update\1.2.183.39\npGoogleOneClick8.dll

FF - plugin: d:\program files\google\google earth\plugin\npgeplugin.dll

FF - plugin: d:\program files\google\update\1.3.21.53\npGoogleUpdate3.dll

FF - plugin: d:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: d:\program files\mozilla firefox\plugins\npdeployJava1.dll

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - d:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Firefox 2, the theme, reloaded: {fd2f951f-77ea-4938-9493-0c892c027a13} - %profile%\extensions\{fd2f951f-77ea-4938-9493-0c892c027a13}

FF - Ext: Personas: personas@christopher.beard - %profile%\extensions\personas@christopher.beard

FF - Ext: United States English Spellchecker: en-US@dictionaries.addons.mozilla.org - %profile%\extensions\en-US@dictionaries.addons.mozilla.org

.

---- FIREFOX POLICIES ----

FF - user.js: lightweightThemes.isThemeSelected - true

.

============= SERVICES / DRIVERS ===============

.

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2009-5-14 115008]

R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2009-5-14 95896]

R1 VBoxDrv;VirtualBox Service;c:\windows\system32\drivers\VBoxDrv.sys [2009-7-26 158736]

R1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\windows\system32\drivers\VBoxUSBMon.sys [2009-7-26 42960]

R2 ekrn;ESET Service;d:\program files\eset\eset nod32 antivirus\ekrn.exe [2010-11-4 810144]

R2 ghstwall;ghstwall;c:\windows\system32\drivers\ghstwall.sys [2009-7-26 6520]

R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2010-2-20 47640]

R2 MySQLS1;MySQLS1;d:\uniserver\usr\local\mysql\bin\mysqld-opt.exe mysqls1 --> d:\uniserver\usr\local\mysql\bin\mysqld-opt.exe MySQLS1 [?]

R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2010-6-25 35088]

R2 PfDetNT;PfDetNT;c:\windows\system32\drivers\PfModNT.sys [2009-5-10 15840]

R2 vmci;VMware vmci;c:\windows\system32\drivers\vmci.sys [2009-3-26 54960]

R3 MouseCap;MouseCapture Driver;c:\windows\system32\drivers\MouseCap.sys [2005-8-8 6640]

R3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows\system32\drivers\VBoxNetAdp.sys [2009-7-26 109328]

R3 VBoxNetFlt;VBoxNetFlt Service;c:\windows\system32\drivers\VBoxNetFlt.sys [2010-12-22 120208]

S1 vcdrom;Virtual CD-ROM Device Driver;\??\c:\ins\vcd\vcdrom.sys --> c:\ins\vcd\VCdRom.sys [?]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 CX88XBAR;MSI 8606 Crossbar;c:\windows\system32\drivers\CX88XBar.SYS [2009-8-2 9159]

S2 gupdate;Google Update Service (gupdate);d:\program files\google\update\GoogleUpdate.exe [2010-4-2 136176]

S2 LMIInfo;LogMeIn Kernel Information Provider;\??\d:\program files\logmein\x86\rainfo.sys --> d:\program files\logmein\x86\RaInfo.sys [?]

S3 Apache2SSL;Apache2Triad Apache2 Service with SSL;"c:\apache2triad\bin\httpd.exe" -d ssl -n apache2ssl -k runservice --> c:\apache2triad\bin\httpd.exe [?]

S3 cpuz130;cpuz130;\??\d:\docume~1\pat\locals~1\temp\cpuz130\cpuz_x32.sys --> d:\docume~1\pat\locals~1\temp\cpuz130\cpuz_x32.sys [?]

S3 DBKDRVR54;DBKDRVR54;d:\program files\ce\dbk32.sys [2010-5-23 60416]

S3 gupdatem;Google Update Service (gupdatem);d:\program files\google\update\GoogleUpdate.exe [2010-4-2 136176]

S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\5f4e.tmp --> c:\windows\system32\5F4E.tmp [?]

S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2009-12-2 19712]

S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2009-12-2 8320]

S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [2009-12-2 23936]

S3 MPCSYS;MPCSYS;c:\windows\system32\drivers\mpcsys.SYS [2009-8-2 15488]

S3 o1394bul;o1394bul;\??\d:\docume~1\pat\locals~1\temp\o1394bul.sys --> d:\docume~1\pat\locals~1\temp\o1394bul.sys [?]

S3 PgSql;Apache2Triad PostgreSQL Service;"c:\apache2triad\pgsql\bin\pg_ctl.exe" runservice -n pgsql -d c:\apache2triad\pgsql\data\ --> c:\apache2triad\pgsql\bin\pg_ctl.exe [?]

S3 SlimFTPd;Apache2Triad SlimFTPd Server;"c:\apache2triad\ftp\slimftpd.exe" -service --> c:\apache2triad\ftp\SlimFTPd.exe [?]

S3 TetaSCDevice;TetaSCDevice;\??\c:\windows\system32\tetascop.sys --> c:\windows\system32\tetascop.SYS [?]

S3 VBoxUSB;VirtualBox USB;c:\windows\system32\drivers\VBoxUSB.sys [2011-1-7 31888]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

S3 xcpip;TCP/IP Protocol Driver;c:\windows\system32\drivers\xcpip.sys --> c:\windows\system32\drivers\xcpip.sys [?]

S3 XMail;Apache2Triad Xmail Service;c:\apache2triad\mail\bin\xmail.exe --> c:\apache2triad\mail\bin\XMail.exe [?]

S3 xpsec;IPSEC driver;c:\windows\system32\drivers\xpsec.sys --> c:\windows\system32\drivers\xpsec.sys [?]

S4 ApacheS1;ApacheS1;d:\uniserver\usr\local\apache2\bin\Apache.exe [2010-5-17 24645]

S4 LMIRfsClientNP;LMIRfsClientNP; [x]

S4 MotoConnect Service;MotoConnect Service;d:\program files\motorola\motoconnectservice\MotoConnectService.exe [2009-12-2 91392]

.

=============== Created Last 30 ================

.

2011-04-30 19:27:43 0 ---ha-w- d:\docume~1\pat\locals~1\applic~1\BITE.tmp

2011-04-30 18:46:02 0 ---ha-w- d:\docume~1\pat\locals~1\applic~1\BIT12.tmp

2011-04-30 18:22:59 -------- d-----w- C:\cf

2011-04-30 14:31:43 -------- d-----w- c:\windows\Profiles

2011-04-30 13:19:45 -------- d-----w- C:\HelpAsst_backup

2011-04-29 23:37:18 -------- d-----w- d:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com

2011-04-29 03:47:32 -------- d-sha-r- C:\cmdcons

2011-04-29 03:44:01 98816 ----a-w- c:\windows\sed.exe

2011-04-29 03:44:01 89088 ----a-w- c:\windows\MBR.exe

2011-04-29 03:44:01 256512 ----a-w- c:\windows\PEV.exe

2011-04-29 03:44:01 161792 ----a-w- c:\windows\SWREG.exe

2011-04-29 03:38:00 -------- d-----w- C:\Qoobox.before

2011-04-29 00:56:51 -------- d-----w- d:\docume~1\pat\applic~1\Malwarebytes

2011-04-29 00:56:45 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-04-29 00:56:44 -------- d-----w- d:\docume~1\alluse~1\applic~1\Malwarebytes

2011-04-29 00:56:40 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-04-29 00:56:40 -------- d-----w- d:\program files\Malwarebytes' Anti-Malware

2011-04-28 23:35:39 472808 ----a-w- d:\program files\mozilla firefox\plugins\npdeployJava1.dll

2011-04-28 23:35:39 472808 ----a-w- c:\windows\system32\deployJava1.dll

2011-04-27 04:55:41 -------- d-----w- C:\VundoFix Backups

2011-04-27 04:01:16 -------- d-----w- d:\docume~1\pat\locals~1\applic~1\v{64ED30C2-79A0-4D1B-AF03-3A3FC92F3A90}

2011-04-18 21:01:00 0 ----a-w- c:\windows\Yliyezevuqa.bin

2011-04-17 14:36:46 66520 ----a-w- d:\program files\mozilla firefox\plugins\npnul32.dll

2011-04-17 14:36:46 492504 ----a-w- d:\program files\mozilla firefox\sqlite3.dll

2011-04-17 14:36:46 25048 ----a-w- d:\program files\mozilla firefox\components\browserdirprovider.dll

2011-04-17 14:36:46 140248 ----a-w- d:\program files\mozilla firefox\components\brwsrcmp.dll

2011-04-17 14:36:46 1018328 ----a-w- d:\program files\mozilla firefox\js3250.dll

2011-04-09 03:45:57 -------- d-----w- d:\documents and settings\pat\.unidata

2011-04-09 03:45:18 -------- d-----w- d:\program files\IDV_2.9u3

2011-04-05 21:01:36 719832 ----a-w- d:\program files\mozilla firefox\mozcpp19.dll

2011-04-05 21:01:36 16856 ----a-w- d:\program files\mozilla firefox\plugin-container.exe

2011-03-31 21:50:05 45056 ----a-r- d:\docume~1\pat\applic~1\microsoft\installer\{361693f2-a153-4359-a4cb-a1b9ff2aa5e6}\Witness.exe1_361693F2A1534359A4CBA1B9FF2AA5E6.exe

2011-03-31 21:50:05 45056 ----a-r- d:\docume~1\pat\applic~1\microsoft\installer\{361693f2-a153-4359-a4cb-a1b9ff2aa5e6}\Witness.exe_361693F2A1534359A4CBA1B9FF2AA5E6.exe

2011-03-31 21:44:11 -------- d-----w- d:\program files\OSCAR Editor

2011-03-31 21:43:43 -------- d-----w- d:\program files\OscarX7

2011-03-31 21:38:29 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll

2011-03-31 21:38:29 21504 ----a-w- c:\windows\system32\hidserv.dll

2011-03-31 21:38:26 14592 -c--a-w- c:\windows\system32\dllcache\kbdhid.sys

2011-03-31 21:38:26 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys

2011-03-31 21:38:19 12160 -c--a-w- c:\windows\system32\dllcache\mouhid.sys

2011-03-31 21:38:19 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys

2011-03-31 21:38:07 32128 -c--a-w- c:\windows\system32\dllcache\usbccgp.sys

2011-03-31 21:38:07 32128 ----a-w- c:\windows\system32\drivers\usbccgp.sys

.

==================== Find3M ====================

.

2011-04-14 07:40:22 73728 ----a-w- c:\windows\system32\javacpl.cpl

2011-02-02 03:45:53 444952 ----a-w- c:\windows\system32\wrap_oal.dll

2011-02-02 03:45:53 109080 ----a-w- c:\windows\system32\OpenAL32.dll

2003-06-19 16:05:04 431888 --s-a-w- d:\program files\common files\riched20.dll

.

============= FINISH: 14:29:54.00 ===============

Merged posts. ~ OB


Edited by Orange Blossom, 01 May 2011 - 02:48 PM.



#2 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,773 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:04:51 PM

Posted 07 May 2011 - 03:11 PM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together.

  • Do not run any other tool until instructed to do so!
  • Please Do not Attach logs or put in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having as these can help also.
  • Do not run anything while running a fix.


We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Click on the Watch Topic Button, select Immediate Notification and click on proceed. This will help you to get notified faster when I have replied and make the cleaning process faster.


In order for me to see the status of the infection I will need a new set of logs to start with.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

DeFogger:

  • Please download DeFogger to your desktop.

    Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger may ask you to reboot the machine, if it does - click OK
Do not re-enable these drivers until otherwise instructed.

Download DDS:

  • Please download DDS by sUBs from one of the links below and save it to your desktop:

    Download DDS and save it to your desktop

    Link1
    Link2
    Link3

    Please disable any anti-malware program that will block scripts from running before running DDS.

    • Double-Click on dds.scr and a command window will appear. This is normal.
    • Shortly after two logs will appear:
    • DDS.txt
    • Attach.txt
  • A window will open instructing you save & post the logs
  • Save the logs to a convenient place such as your desktop
  • Copy the contents of both logs & post in your next reply





Scan With RKUnHooker

  • Please Download Rootkit Unhooker Save it to your desktop.
  • Now double-click on RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Check (Tick) Drivers, Stealth. Uncheck the rest, then click OK.
  • Wait till the scanner has finished and then click File, Save Report.
  • Save the report somewhere where you can find it. Click Close.
Copy the entire contents of the report and paste it in a reply here.

Note** you may get this warning; it is ok, just ignore it:

"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"


"just click on Cancel, then Accept".


information and logs:

  • In your next post I need the following

  • logs from DDS
  • log from RKUnHooker
  • let me know of any problems you may have had

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#3 eadthem

eadthem
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:03:51 PM

Posted 08 May 2011 - 09:46 AM

Before your post I had run a Windows update. Now that you have posted, no further security-type tools will be run (excluding the normal actions of NOD32) without your direction.

Per rule 2 of yours, all logs have been posted rather than attached.

I have not had any Google hijacked results since my last post, where I detailed what I did to clean the system, and I have since then moved all my secure activity to my Linux server.

DDS does not list a firewall, but I am behind a Windows iptables firewall and also behind an IDPS Linux firewall.

Thanks for your time

eadthem

-------------------------------------DDS.txt 5/8/11 ---------START------------------------------------
.

DDS (Ver_11-03-05.01) - NTFSx86

Run by pat at 9:21:32.87 on Sun 05/08/2011

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_25

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1463 [GMT -5:00]

.

AV: ESET NOD32 Antivirus 4.2 *Enabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

.

============== Running Processes ===============

.

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

C:\WINDOWS\system32\Ati2evxx.exe

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

D:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe

D:\Program Files\Java\jre6\bin\jqs.exe

D:\uniserver\usr\local\mysql\bin\mysqld-opt.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\WINDOWS\system32\vmnat.exe

C:\WINDOWS\system32\MsPMSPSv.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\CTHELPER.EXE

D:\Program Files\GhostWall\ghostwall.exe

D:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe

D:\Program Files\A4Tech\Mouse\Amoumain.exe

D:\Program Files\Common Files\Java\Java Update\jusched.exe

D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

D:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

C:\WINDOWS\system32\vmnetdhcp.exe

D:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe

D:\ins\vundufix\dds.scr

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.google.com/

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - d:\progra~1\spybot~1\SDHelper.dll

BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - d:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - d:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

uRun: [SpybotSD TeaTimer] d:\program files\spybot - search & destroy\TeaTimer.exe

uRun: [Greenshot] dmr "d:\program files\greenshot\Greenshot.exe"

uRun: [OscarEditor] "d:\program files\oscar editor\OscarEditor.exe" Minimum

mRun: [CTSysVol] c:\program files\creative\sbaudigy2zs\surround mixer\CTSysVol.exe /r

mRun: [CTHelper] CTHELPER.EXE

mRun: [SBDrvDet] c:\program files\creative\sb drive det\SBDrvDet.exe /r

mRun: [GhostWall] "d:\program files\ghostwall\ghostwall.exe" -minimize

mRun: [StartCCC] "d:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun

mRun: [egui] "d:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice

mRun: [WheelMouse] d:\program files\a4tech\mouse\Amoumain.exe

mRun: [SunJavaUpdateSched] "d:\program files\common files\java\java update\jusched.exe"

StartupFolder: d:\documents and settings\pat\start menu\programs\startup\note.txt

StartupFolder: d:\docume~1\alluse~1\startm~1\programs\startup\amazon~1.lnk - d:\program files\amazon\amazon unbox video\ADVWindowsClientSystemTray.exe

StartupFolder: d:\docume~1\alluse~1\startm~1\programs\startup\diskch~1.lnk - d:\program files\diskcheckup\DiskCheckup.exe

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - d:\program files\messenger\msmsgs.exe

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - d:\progra~1\spybot~1\SDHelper.dll

LSP: d:\program files\vmware\vmware player\vsocklib.dll

Trusted Zone: aol.com\free

Trusted Zone: clonewarsadventures.com

Trusted Zone: freerealms.com

Trusted Zone: soe.com

Trusted Zone: sony.com

DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab

DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos-beta/OnlineScanner.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

TCP: {1F2E8D42-4C2C-43B7-A5A5-53E612D383FA} = 4.2.2.1,192.168.0.1

Notify: !SASWinLogon - d:\program files\superantispyware\SASWINLO.DLL

Notify: AtiExtEvent - Ati2evxx.dll

Notify: LMIinit - LMIinit.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - d:\program files\superantispyware\SASSEH.DLL

.

================= FIREFOX ===================

.

FF - ProfilePath - d:\docume~1\pat\applic~1\mozilla\firefox\profiles\39o1m4jn.ead\

FF - prefs.js: network.proxy.ftp - localhost

FF - prefs.js: network.proxy.ftp_port - 8118

FF - prefs.js: network.proxy.http - localhost

FF - prefs.js: network.proxy.http_port - 8118

FF - prefs.js: network.proxy.socks - localhost

FF - prefs.js: network.proxy.socks_port - 8118

FF - prefs.js: network.proxy.ssl - localhost

FF - prefs.js: network.proxy.ssl_port - 8118

FF - prefs.js: network.proxy.type - 0

FF - plugin: d:\documents and settings\pat\application data\mozilla\plugins\npgoogletalk.dll

FF - plugin: d:\documents and settings\pat\application data\mozilla\plugins\npgtpo3dautoplugin.dll

FF - plugin: d:\documents and settings\pat\local settings\application data\google\update\1.2.183.39\npGoogleOneClick8.dll

FF - plugin: d:\program files\google\google earth\plugin\npgeplugin.dll

FF - plugin: d:\program files\google\update\1.3.21.53\npGoogleUpdate3.dll

FF - plugin: d:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - d:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Firefox 2, the theme, reloaded: {fd2f951f-77ea-4938-9493-0c892c027a13} - %profile%\extensions\{fd2f951f-77ea-4938-9493-0c892c027a13}

FF - Ext: Personas: personas@christopher.beard - %profile%\extensions\personas@christopher.beard

FF - Ext: United States English Spellchecker: en-US@dictionaries.addons.mozilla.org - %profile%\extensions\en-US@dictionaries.addons.mozilla.org

.

---- FIREFOX POLICIES ----

FF - user.js: lightweightThemes.isThemeSelected - true

.

============= SERVICES / DRIVERS ===============

.

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2009-5-14 115008]

R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2009-5-14 95896]

R1 SASDIFSV;SASDIFSV;d:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]

R1 SASKUTIL;SASKUTIL;d:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]

R1 VBoxDrv;VirtualBox Service;c:\windows\system32\drivers\VBoxDrv.sys [2009-7-26 158736]

R1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\windows\system32\drivers\VBoxUSBMon.sys [2009-7-26 42960]

R2 ekrn;ESET Service;d:\program files\eset\eset nod32 antivirus\ekrn.exe [2010-11-4 810144]

R2 ghstwall;ghstwall;c:\windows\system32\drivers\ghstwall.sys [2009-7-26 6520]

R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2010-2-20 47640]

R2 MySQLS1;MySQLS1;d:\uniserver\usr\local\mysql\bin\mysqld-opt.exe mysqls1 --> d:\uniserver\usr\local\mysql\bin\mysqld-opt.exe MySQLS1 [?]

R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2010-6-25 35088]

R2 PfDetNT;PfDetNT;c:\windows\system32\drivers\PfModNT.sys [2009-5-10 15840]

R2 vmci;VMware vmci;c:\windows\system32\drivers\vmci.sys [2009-3-26 54960]

R3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2009-12-2 19712]

R3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2009-12-2 8320]

R3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [2009-12-2 23936]

R3 MouseCap;MouseCapture Driver;c:\windows\system32\drivers\MouseCap.sys [2005-8-8 6640]

R3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows\system32\drivers\VBoxNetAdp.sys [2009-7-26 109328]

R3 VBoxNetFlt;VBoxNetFlt Service;c:\windows\system32\drivers\VBoxNetFlt.sys [2010-12-22 120208]

S1 vcdrom;Virtual CD-ROM Device Driver;\??\c:\ins\vcd\vcdrom.sys --> c:\ins\vcd\VCdRom.sys [?]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 CX88XBAR;MSI 8606 Crossbar;c:\windows\system32\drivers\CX88XBar.SYS [2009-8-2 9159]

S2 gupdate;Google Update Service (gupdate);d:\program files\google\update\GoogleUpdate.exe [2010-4-2 136176]

S2 LMIInfo;LogMeIn Kernel Information Provider;\??\d:\program files\logmein\x86\rainfo.sys --> d:\program files\logmein\x86\RaInfo.sys [?]

S3 Apache2SSL;Apache2Triad Apache2 Service with SSL;"c:\apache2triad\bin\httpd.exe" -d ssl -n apache2ssl -k runservice --> c:\apache2triad\bin\httpd.exe [?]

S3 cpuz130;cpuz130;\??\d:\docume~1\pat\locals~1\temp\cpuz130\cpuz_x32.sys --> d:\docume~1\pat\locals~1\temp\cpuz130\cpuz_x32.sys [?]

S3 DBKDRVR54;DBKDRVR54;d:\program files\ce\dbk32.sys [2010-5-23 60416]

S3 gupdatem;Google Update Service (gupdatem);d:\program files\google\update\GoogleUpdate.exe [2010-4-2 136176]

S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\5f4e.tmp --> c:\windows\system32\5F4E.tmp [?]

S3 MPCSYS;MPCSYS;c:\windows\system32\drivers\mpcsys.SYS [2009-8-2 15488]

S3 o1394bul;o1394bul;\??\d:\docume~1\pat\locals~1\temp\o1394bul.sys --> d:\docume~1\pat\locals~1\temp\o1394bul.sys [?]

S3 PgSql;Apache2Triad PostgreSQL Service;"c:\apache2triad\pgsql\bin\pg_ctl.exe" runservice -n pgsql -d c:\apache2triad\pgsql\data\ --> c:\apache2triad\pgsql\bin\pg_ctl.exe [?]

S3 rootrepeal;rootrepeal;\??\c:\windows\system32\drivers\rootrepeal.sys --> c:\windows\system32\drivers\rootrepeal.sys [?]

S3 SlimFTPd;Apache2Triad SlimFTPd Server;"c:\apache2triad\ftp\slimftpd.exe" -service --> c:\apache2triad\ftp\SlimFTPd.exe [?]

S3 TetaSCDevice;TetaSCDevice;\??\c:\windows\system32\tetascop.sys --> c:\windows\system32\tetascop.SYS [?]

S3 VBoxUSB;VirtualBox USB;c:\windows\system32\drivers\VBoxUSB.sys [2011-1-7 31888]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

S3 xcpip;TCP/IP Protocol Driver;c:\windows\system32\drivers\xcpip.sys --> c:\windows\system32\drivers\xcpip.sys [?]

S3 XMail;Apache2Triad Xmail Service;c:\apache2triad\mail\bin\xmail.exe --> c:\apache2triad\mail\bin\XMail.exe [?]

S3 xpsec;IPSEC driver;c:\windows\system32\drivers\xpsec.sys --> c:\windows\system32\drivers\xpsec.sys [?]

S4 ApacheS1;ApacheS1;d:\uniserver\usr\local\apache2\bin\Apache.exe [2010-5-17 24645]

S4 LMIRfsClientNP;LMIRfsClientNP; [x]

S4 MotoConnect Service;MotoConnect Service;d:\program files\motorola\motoconnectservice\MotoConnectService.exe [2009-12-2 91392]

.

=============== Created Last 30 ================

.

2011-05-07 02:22:56 -------- d-----w- d:\docume~1\pat\applic~1\mIRC

2011-05-01 18:54:11 -------- d-----w- d:\program files\Microsoft CAPICOM 2.1.0.2

2011-05-01 18:44:30 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll

2011-04-30 23:12:53 -------- d-----w- d:\docume~1\pat\applic~1\SUPERAntiSpyware.com

2011-04-30 23:12:40 -------- d-----w- d:\program files\SUPERAntiSpyware

2011-04-30 22:42:33 116224 -c--a-w- c:\windows\system32\dllcache\xrxwiadr.dll

2011-04-30 22:42:29 23040 -c--a-w- c:\windows\system32\dllcache\xrxwbtmp.dll

2011-04-30 22:42:28 18944 -c--a-w- c:\windows\system32\dllcache\xrxscnui.dll

2011-04-30 22:42:24 27648 -c--a-w- c:\windows\system32\dllcache\xrxftplt.exe

2011-04-30 22:42:20 4608 -c--a-w- c:\windows\system32\dllcache\xrxflnch.exe

2011-04-30 22:41:44 99865 -c--a-w- c:\windows\system32\dllcache\xlog.exe

2011-04-30 22:41:36 16970 -c--a-w- c:\windows\system32\dllcache\xem336n5.sys

2011-04-30 22:41:34 19455 -c--a-w- c:\windows\system32\dllcache\wvchntxx.sys

2011-04-30 22:41:26 12063 -c--a-w- c:\windows\system32\dllcache\wsiintxx.sys

2011-04-30 22:41:24 8192 -c--a-w- c:\windows\system32\dllcache\wshirda.dll

2011-04-30 22:40:32 8832 -c--a-w- c:\windows\system32\dllcache\wmiacpi.sys

2011-04-30 22:40:26 154624 -c--a-w- c:\windows\system32\dllcache\wlluc48.sys

2011-04-30 22:40:22 34890 -c--a-w- c:\windows\system32\dllcache\wlandrv2.sys

2011-04-30 22:40:09 771581 -c--a-w- c:\windows\system32\dllcache\winacisa.sys

2011-04-30 22:40:00 53760 -c--a-w- c:\windows\system32\dllcache\wiamsmud.dll

2011-04-30 22:38:58 24576 -c--a-w- c:\windows\system32\dllcache\viairda.sys

2011-04-30 22:37:56 50688 -c--a-w- c:\windows\system32\dllcache\umaxscan.dll

2011-04-30 22:36:56 42496 -c--a-w- c:\windows\system32\dllcache\tp4res.dll

2011-04-30 22:36:55 82944 -c--a-w- c:\windows\system32\dllcache\tp4mon.exe

2011-04-30 22:36:52 31744 -c--a-w- c:\windows\system32\dllcache\tp4.dll

2011-04-30 22:36:42 4992 -c--a-w- c:\windows\system32\dllcache\toside.sys

2011-04-30 22:36:39 230912 -c--a-w- c:\windows\system32\dllcache\tosdvd03.sys

2011-04-30 22:36:35 241664 -c--a-w- c:\windows\system32\dllcache\tosdvd02.sys

2011-04-30 22:36:31 28232 -c--a-w- c:\windows\system32\dllcache\tos4mo.sys

2011-04-30 22:36:26 123995 -c--a-w- c:\windows\system32\dllcache\tjisdn.sys

2011-04-30 22:36:19 138528 -c--a-w- c:\windows\system32\dllcache\tgiulnt5.sys

2011-04-30 22:36:15 81408 -c--a-w- c:\windows\system32\dllcache\tgiul50.dll

2011-04-30 22:36:13 149376 -c--a-w- c:\windows\system32\dllcache\tffsport.sys

2011-04-30 22:36:09 17129 -c--a-w- c:\windows\system32\dllcache\tdkcd31.sys

2011-04-30 22:36:05 37961 -c--a-w- c:\windows\system32\dllcache\tdk100b.sys

2011-04-30 22:34:56 285760 -c--a-w- c:\windows\system32\dllcache\stlnata.sys

2011-04-30 22:33:24 58368 -c--a-w- c:\windows\system32\dllcache\smiminib.sys

2011-04-30 22:33:21 147200 -c--a-w- c:\windows\system32\dllcache\smidispb.dll

2011-04-30 22:33:17 25034 -c--a-w- c:\windows\system32\dllcache\smcpwr2n.sys

2011-04-30 22:33:14 35913 -c--a-w- c:\windows\system32\dllcache\smcirda.sys

2011-04-30 22:33:11 24576 -c--a-w- c:\windows\system32\dllcache\smc8000n.sys

2011-04-30 22:33:07 6912 -c--a-w- c:\windows\system32\dllcache\smbclass.sys

2011-04-30 22:33:07 6784 -c--a-w- c:\windows\system32\dllcache\smbhc.sys

2011-04-30 22:33:06 16000 -c--a-w- c:\windows\system32\dllcache\smbbatt.sys

2011-04-30 22:33:02 45568 -c--a-w- c:\windows\system32\dllcache\smb3w.dll

2011-04-30 22:31:51 161568 -c--a-w- c:\windows\system32\dllcache\sgsmusb.sys

2011-04-30 22:31:48 18400 -c--a-w- c:\windows\system32\dllcache\sgsmld.sys

2011-04-30 22:31:45 98080 -c--a-w- c:\windows\system32\dllcache\sgiulnt5.sys

2011-04-30 22:31:42 386560 -c--a-w- c:\windows\system32\dllcache\sgiul50.dll

2011-04-30 22:31:39 36480 -c--a-w- c:\windows\system32\dllcache\sfmanm.sys

2011-04-30 22:31:32 6784 -c--a-w- c:\windows\system32\dllcache\serscan.sys

2011-04-30 22:31:14 6912 -c--a-w- c:\windows\system32\dllcache\seaddsmc.sys

2011-04-30 22:31:13 11520 -c--a-w- c:\windows\system32\dllcache\scsiscan.sys

2011-04-30 22:31:10 11648 -c--a-w- c:\windows\system32\dllcache\scsiprnt.sys

2011-04-30 22:29:58 79872 -c--a-w- c:\windows\system32\dllcache\rwia430.dll

2011-04-30 22:29:50 29696 -c--a-w- c:\windows\system32\dllcache\rw450ext.dll

2011-04-30 22:29:49 27648 -c--a-w- c:\windows\system32\dllcache\rw430ext.dll

2011-04-30 22:29:46 20992 -c--a-w- c:\windows\system32\dllcache\rtl8139.sys

2011-04-30 22:29:43 19017 -c--a-w- c:\windows\system32\dllcache\rtl8029.sys

2011-04-30 22:29:40 30720 -c--a-w- c:\windows\system32\dllcache\rthwcls.sys

2011-04-30 22:29:35 9216 -c--a-w- c:\windows\system32\dllcache\rsmgrstr.dll

2011-04-30 22:29:32 3840 -c--a-w- c:\windows\system32\dllcache\rpfun.sys

2011-04-30 22:29:28 79104 -c--a-w- c:\windows\system32\dllcache\rocket.sys

2011-04-30 22:29:24 37563 -c--a-w- c:\windows\system32\dllcache\rlnet5.sys

2011-04-30 22:29:20 86097 -c--a-w- c:\windows\system32\dllcache\reslog32.dll

2011-04-30 22:16:17 19584 -c--a-w- c:\windows\system32\dllcache\rasirda.sys

2011-04-30 22:16:12 714762 -c--a-w- c:\windows\system32\dllcache\r2mdmkxx.sys

2011-04-30 22:16:09 899146 -c--a-w- c:\windows\system32\dllcache\r2mdkxga.sys

2011-04-30 22:16:05 41472 -c--a-w- c:\windows\system32\dllcache\qvusd.dll

2011-04-30 22:16:02 3328 -c--a-w- c:\windows\system32\dllcache\qv2kux.sys

2011-04-30 22:14:54 121344 -c--a-w- c:\windows\system32\dllcache\phvfwext.dll

2011-04-30 22:13:50 41984 -c--a-w- c:\windows\system32\dllcache\ovui2rc.dll

2011-04-30 22:12:55 198144 -c--a-w- c:\windows\system32\dllcache\nv3.sys

2011-04-30 22:12:51 123776 -c--a-w- c:\windows\system32\dllcache\nv3.dll

2011-04-30 22:12:40 51552 -c--a-w- c:\windows\system32\dllcache\ntgrip.sys

2011-04-30 22:12:10 9344 -c--a-w- c:\windows\system32\dllcache\ntapm.sys

2011-04-30 22:12:07 7552 -c--a-w- c:\windows\system32\dllcache\nsmmc.sys

2011-04-30 22:12:06 28672 -c--a-w- c:\windows\system32\dllcache\nscirda.sys

2011-04-30 22:12:05 226816 -c--a-w- c:\windows\system32\dllcache\npdrmv2.dll

2011-04-30 22:10:59 7168 -c--a-w- c:\windows\system32\dllcache\mxport.dll

2011-04-30 22:10:56 19968 -c--a-w- c:\windows\system32\dllcache\mxnic.sys

2011-04-30 22:10:53 19968 -c--a-w- c:\windows\system32\dllcache\mxicfg.dll

2011-04-30 22:10:50 21888 -c--a-w- c:\windows\system32\dllcache\mxcard.sys

2011-04-30 22:10:46 103296 -c--a-w- c:\windows\system32\dllcache\mtxvideo.sys

2011-04-30 22:10:28 49024 -c--a-w- c:\windows\system32\dllcache\mstape.sys

2011-04-30 22:10:22 12416 -c--a-w- c:\windows\system32\dllcache\msriffwv.sys

2011-04-30 22:10:12 2944 -c--a-w- c:\windows\system32\dllcache\msmpu401.sys

2011-04-30 22:10:10 22016 -c--a-w- c:\windows\system32\dllcache\msircomm.sys

2011-04-30 22:09:39 35200 -c--a-w- c:\windows\system32\dllcache\msgame.sys

2011-04-30 22:09:35 6016 -c--a-w- c:\windows\system32\dllcache\msfsio.sys

2011-04-30 22:09:24 17280 -c--a-w- c:\windows\system32\dllcache\mraid35x.sys

2011-04-30 22:09:10 16128 -c--a-w- c:\windows\system32\dllcache\modemcsa.sys

2011-04-30 22:09:01 6528 -c--a-w- c:\windows\system32\dllcache\miniqic.sys

2011-04-30 22:08:56 320384 -c--a-w- c:\windows\system32\dllcache\mgaum.sys

2011-04-30 22:08:53 235648 -c--a-w- c:\windows\system32\dllcache\mgaud.dll

2011-04-30 22:08:51 26112 -c--a-w- c:\windows\system32\dllcache\memstpci.sys

2011-04-30 22:08:48 47616 -c--a-w- c:\windows\system32\dllcache\memgrp.dll

2011-04-30 22:08:45 8320 -c--a-w- c:\windows\system32\dllcache\memcard.sys

2011-04-30 22:08:38 164586 -c--a-w- c:\windows\system32\dllcache\mdgndis5.sys

2011-04-30 22:08:33 7424 -c--a-w- c:\windows\system32\dllcache\mammoth.sys

2011-04-30 22:08:02 48768 -c--a-w- c:\windows\system32\dllcache\maestro.sys

2011-04-30 22:06:55 8192 -c--a-w- c:\windows\system32\dllcache\kbdkor.dll

2011-04-30 22:05:21 372824 -c--a-w- c:\windows\system32\dllcache\iconf32.dll

2011-04-30 22:05:18 100992 -c--a-w- c:\windows\system32\dllcache\icam5usb.sys

2011-04-30 22:05:16 20480 -c--a-w- c:\windows\system32\dllcache\icam5ext.dll

2011-04-30 22:05:13 45056 -c--a-w- c:\windows\system32\dllcache\icam5com.dll

2011-04-30 22:05:11 154496 -c--a-w- c:\windows\system32\dllcache\icam4usb.sys

2011-04-30 22:05:08 61952 -c--a-w- c:\windows\system32\dllcache\icam4ext.dll

2011-04-30 22:05:06 91136 -c--a-w- c:\windows\system32\dllcache\icam4com.dll

2011-04-30 22:05:04 26624 -c--a-w- c:\windows\system32\dllcache\icam3ext.dll

2011-04-30 22:05:01 141056 -c--a-w- c:\windows\system32\dllcache\icam3.sys

2011-04-30 22:04:59 38528 -c--a-w- c:\windows\system32\dllcache\ibmvcap.sys

2011-04-30 22:04:57 109085 -c--a-w- c:\windows\system32\dllcache\ibmtrp.sys

2011-04-30 22:04:54 100936 -c--a-w- c:\windows\system32\dllcache\ibmtok.sys

2011-04-30 22:04:51 9216 -c--a-w- c:\windows\system32\dllcache\ibmsgnet.dll

2011-04-30 22:04:49 28700 -c--a-w- c:\windows\system32\dllcache\ibmexmp.sys

2011-04-30 22:04:45 702845 -c--a-w- c:\windows\system32\dllcache\i81xdnt5.dll

2011-04-30 22:04:45 161020 -c--a-w- c:\windows\system32\dllcache\i81xnt5.sys

2011-04-30 22:04:42 58592 -c--a-w- c:\windows\system32\dllcache\i740nt5.sys

2011-04-30 22:04:38 353184 -c--a-w- c:\windows\system32\dllcache\i740dnt5.dll

2011-04-30 22:04:38 18560 -c--a-w- c:\windows\system32\dllcache\i2omp.sys

2011-04-30 22:04:36 8576 -c--a-w- c:\windows\system32\dllcache\i2omgmt.sys

2011-04-30 22:02:58 13312 -c--a-w- c:\windows\system32\dllcache\hpsjmcro.dll

2011-04-30 22:01:58 322432 -c--a-w- c:\windows\system32\dllcache\g400m.sys

2011-04-30 22:00:42 24618 -c--a-w- c:\windows\system32\dllcache\fa410nd5.sys

2011-04-30 21:59:58 37120 -c--a-w- c:\windows\system32\dllcache\es1370mp.sys

2011-04-30 21:58:56 334208 -c--a-w- c:\windows\system32\dllcache\ds1wdm.sys

2011-04-30 21:57:58 65622 -c--a-w- c:\windows\system32\dllcache\digiasyn.dll

2011-04-30 21:56:58 60970 -c--a-w- c:\windows\system32\dllcache\cpqtrnd5.sys

2011-04-30 21:55:59 223232 -c--a-w- c:\windows\system32\dllcache\camdrv21.sys

2011-04-30 21:55:58 314752 -c--a-w- c:\windows\system32\dllcache\camdro21.sys

2011-04-30 21:55:12 13824 -c--a-w- c:\windows\system32\dllcache\bulltlp3.sys

2011-04-30 21:55:10 31529 -c--a-w- c:\windows\system32\dllcache\brzwlan.sys

2011-04-30 21:55:09 10368 -c--a-w- c:\windows\system32\dllcache\brusbscn.sys

2011-04-30 21:55:08 11008 -c--a-w- c:\windows\system32\dllcache\brusbmdm.sys

2011-04-30 21:55:07 9728 -c--a-w- c:\windows\system32\dllcache\brserif.dll

2011-04-30 21:55:07 60416 -c--a-w- c:\windows\system32\dllcache\brserwdm.sys

2011-04-30 21:55:06 5120 -c--a-w- c:\windows\system32\dllcache\brscnrsm.dll

2011-04-30 21:55:05 39552 -c--a-w- c:\windows\system32\dllcache\brparwdm.sys

2011-04-30 21:55:03 3168 -c--a-w- c:\windows\system32\dllcache\brparimg.sys

2011-04-30 21:55:00 41472 -c--a-w- c:\windows\system32\dllcache\brmfusb.dll

2011-04-30 21:53:59 49920 -c--a-w- c:\windows\system32\dllcache\atirtcap.sys

2011-04-30 21:52:14 6272 -c--a-w- c:\windows\system32\dllcache\apmbatt.sys

2011-04-30 21:52:12 16969 -c--a-w- c:\windows\system32\dllcache\amb8002.sys

2011-04-30 21:52:12 12032 -c--a-w- c:\windows\system32\dllcache\amsint.sys

2011-04-30 21:52:11 5248 -c--a-w- c:\windows\system32\dllcache\aliide.sys

2011-04-30 21:52:10 27678 -c--a-w- c:\windows\system32\dllcache\ali5261.sys

2011-04-30 21:52:10 26624 -c--a-w- c:\windows\system32\dllcache\alifir.sys

2011-04-30 21:52:09 56960 -c--a-w- c:\windows\system32\dllcache\aic78xx.sys

2011-04-30 21:52:08 55168 -c--a-w- c:\windows\system32\dllcache\aic78u2.sys

2011-04-30 21:52:08 12800 -c--a-w- c:\windows\system32\dllcache\aha154x.sys

2011-04-30 21:50:44 66048 -c--a-w- c:\windows\system32\dllcache\s3legacy.dll

2011-04-30 20:38:07 -------- d-----w- d:\program files\Windows Imaging

2011-04-30 20:35:48 -------- d-----w- d:\program files\Windows AIK

2011-04-30 20:26:43 -------- d-----w- d:\program files\MSXML 6.0

2011-04-30 18:46:02 0 ---ha-w- d:\docume~1\pat\locals~1\applic~1\BIT12.tmp

2011-04-30 18:22:59 -------- d-----w- C:\cf

2011-04-30 14:31:43 -------- d-----w- c:\windows\Profiles

2011-04-30 13:19:45 -------- d-----w- C:\HelpAsst_backup

2011-04-29 23:37:18 -------- d-----w- d:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com

2011-04-29 03:47:32 -------- d-sha-r- C:\cmdcons

2011-04-29 03:44:01 98816 ----a-w- c:\windows\sed.exe

2011-04-29 03:44:01 89088 ----a-w- c:\windows\MBR.exe

2011-04-29 03:44:01 256512 ----a-w- c:\windows\PEV.exe

2011-04-29 03:44:01 161792 ----a-w- c:\windows\SWREG.exe

2011-04-29 03:38:00 -------- d-----w- C:\Qoobox.before

2011-04-29 00:56:51 -------- d-----w- d:\docume~1\pat\applic~1\Malwarebytes

2011-04-29 00:56:45 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-04-29 00:56:44 -------- d-----w- d:\docume~1\alluse~1\applic~1\Malwarebytes

2011-04-29 00:56:40 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-04-29 00:56:40 -------- d-----w- d:\program files\Malwarebytes' Anti-Malware

2011-04-28 23:35:39 472808 ----a-w- d:\program files\mozilla firefox\plugins\npdeployJava1.dll

2011-04-28 23:35:39 472808 ----a-w- c:\windows\system32\deployJava1.dll

2011-04-27 04:55:41 -------- d-----w- C:\VundoFix Backups

2011-04-27 04:01:16 -------- d-----w- d:\docume~1\pat\locals~1\applic~1\v{64ED30C2-79A0-4D1B-AF03-3A3FC92F3A90}

2011-04-18 21:01:00 0 ----a-w- c:\windows\Yliyezevuqa.bin

2011-04-17 14:36:46 66520 ----a-w- d:\program files\mozilla firefox\plugins\npnul32.dll

2011-04-17 14:36:46 492504 ----a-w- d:\program files\mozilla firefox\sqlite3.dll

2011-04-17 14:36:46 25048 ----a-w- d:\program files\mozilla firefox\components\browserdirprovider.dll

2011-04-17 14:36:46 140248 ----a-w- d:\program files\mozilla firefox\components\brwsrcmp.dll

2011-04-17 14:36:46 1018328 ----a-w- d:\program files\mozilla firefox\js3250.dll

2011-04-09 03:45:57 -------- d-----w- d:\documents and settings\pat\.unidata

2011-04-09 03:45:18 -------- d-----w- d:\program files\IDV_2.9u3

.

==================== Find3M ====================

.

2011-04-14 07:40:22 73728 ----a-w- c:\windows\system32\javacpl.cpl

2011-03-07 05:33:50 692736 ----a-w- c:\windows\system32\inetcomm.dll

2011-03-04 06:37:06 420864 ----a-w- c:\windows\system32\vbscript.dll

2011-03-03 13:21:11 1857920 ----a-w- c:\windows\system32\win32k.sys

2011-02-22 23:06:29 916480 ----a-w- c:\windows\system32\wininet.dll

2011-02-22 23:06:29 43520 ----a-w- c:\windows\system32\licmgr10.dll

2011-02-22 23:06:29 1469440 ----a-w- c:\windows\system32\inetcpl.cpl

2011-02-22 11:41:59 385024 ----a-w- c:\windows\system32\html.iec

2011-02-17 12:32:12 5120 ----a-w- c:\windows\system32\xpsp4res.dll

2011-02-15 12:56:39 290432 ----a-w- c:\windows\system32\atmfd.dll

2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll

2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll

2011-02-08 13:33:55 978944 ----a-w- c:\windows\system32\mfc42.dll

2011-02-08 13:33:55 974848 ----a-w- c:\windows\system32\mfc42u.dll

2003-06-19 16:05:04 431888 --s-a-w- d:\program files\common files\riched20.dll

.

============= FINISH: 9:23:48.71 ===============

-------------------------------------DDS.txt 5/8/11 ---------END--------------------------------------

-------------------------------------attach.txt 5/8/11 ------START------------------------------------
.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

.

DDS (Ver_11-03-05.01)

.

Microsoft Windows XP Professional

Boot Device: \Device\HarddiskVolume2

Install Date: 5/10/2009 1:07:06 PM

System Uptime: 5/8/2011 9:16:10 AM (0 hours ago)

.

Motherboard: MSI | | MS-6590

Processor: AMD Athlon™ XP 3000+ | Socket-A | 2171/166mhz

.

==== Disk Partitions =========================

.

A: is Removable

C: is FIXED (NTFS) - 12 GiB total, 0.391 GiB free.

D: is FIXED (NTFS) - 466 GiB total, 39.346 GiB free.

E: is CDROM ()

L: is FIXED (FAT32) - 20 GiB total, 15.674 GiB free.

S: is NetworkDisk (NTFS) - 28 GiB total, 18.614 GiB free.

T: is NetworkDisk (NTFS) - 28 GiB total, 18.614 GiB free.

U: is NetworkDisk (NTFS) - 28 GiB total, 18.614 GiB free.

V: is NetworkDisk (NTFS) - 28 GiB total, 18.614 GiB free.

.

==== Disabled Device Manager Items =============

.

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}

Description: 1394 Net Adapter

Device ID: V1394\NIC1394\51063EB923C01

Manufacturer: Microsoft

Name: 1394 Net Adapter

PNP Device ID: V1394\NIC1394\51063EB923C01

Service: NIC1394

.

==== System Restore Points ===================

.

No restore point in system.

.

==== Installed Programs ======================

.

7-Zip 9.20

A4tech USB Mouse Quality Testing Program V6.0

Adobe Flash Player 10 ActiveX

Adobe Flash Player 10 Plugin

Adobe Shockwave Player 11.5

AkelPad 4.2.3

Amazon Unbox Video

Aspell English Dictionary-0.50-2

ATI - Software Uninstall Utility

ATI Catalyst Control Center

ATI Display Driver

ATITool Overclocking Utility

Audacity 1.3.12 (Unicode)

AutoHotkey 1.0.48.05

AutoIt v3.2.8.1

AVR Studio 3.56

AVRStudio4

Azureus

BETA NOAA Weather and Climate Toolkit

BRL-CAD

Catalyst Control Center - Branding

Catalyst Control Center Core Implementation

Catalyst Control Center Graphics Full Existing

Catalyst Control Center Graphics Full New

Catalyst Control Center Graphics Light

Catalyst Control Center Graphics Previews Common

Catalyst Control Center HydraVision Full

Catalyst Control Center Localization All

ccc-core-preinstall

ccc-core-static

ccc-utility

CCC Help Chinese Standard

CCC Help Chinese Traditional

CCC Help Czech

CCC Help Danish

CCC Help Dutch

CCC Help English

CCC Help Finnish

CCC Help French

CCC Help German

CCC Help Greek

CCC Help Hungarian

CCC Help Italian

CCC Help Japanese

CCC Help Korean

CCC Help Norwegian

CCC Help Polish

CCC Help Portuguese

CCC Help Russian

CCC Help Spanish

CCC Help Swedish

CCC Help Thai

CCC Help Turkish

CDex extraction audio

Cheat Engine 5.4

CmdHere Powertoy For Windows XP

Creative MediaSource

Creative System Information

Debugging Tools for Windows (x86)

DirectX for Managed Code Update (October 2004)

DiskCheckup V3.0

DropMyRights

DScaler 4 Test Version

EasyTAG 2.1.6

EPSON Printer Software

ESET NOD32 Antivirus

ESET Online Scanner v3

EVE Online (remove only)

FileZilla (remove only)

FlightGear v2.0.0

FreeCAD 0.10

FreePCB 1.2

GC-Prevue 18.3.2

GhostWall v1.150

GIMP 2.6.7

GIMP 2.7.0-r28042

Git 1.7.0.2-preview20100309

GNU Aspell 0.50-3

Gnumeric Spreadsheet 1.9.16-20091130

Google Chrome

Google Earth

Google SketchUp 7

Google Talk Plugin

Google Update Helper

GR2Analyst Version 1.65

Greenshot

GTK+ Runtime 2.14.7 rev a (remove only)

Hotfix for Microsoft Visual C++ 2010 Express - ENU (KB2455033)

Hotfix for Windows Media Format 11 SDK (KB929399)

Hotfix for Windows Media Player 11 (KB939683)

Hotfix for Windows XP (KB2443685)

Hotfix for Windows XP (KB942288-v3)

Hotfix for Windows XP (KB952287)

Hotfix for Windows XP (KB954550-v5)

Hotfix for Windows XP (KB958655-v2)

Hotfix for Windows XP (KB961118)

Hotfix for Windows XP (KB979306)

InfraRecorder

Integrated Data Viewer 2.9u3

IrfanView (remove only)

iWheelWorks 7.80

Jahshaka

Java Auto Updater

Java™ 6 Update 25

K-Meleon 1.5.3 en-US (remove only)

LibreOffice 3.3

Light PHP Edit 0.9.2

LinCity-NG 2.0

LP Viewer V2010

LTspice/SwCADIII

Malwarebytes' Anti-Malware

Microsoft .NET Framework 2.0 Service Pack 2

Microsoft .NET Framework 3.0 Service Pack 2

Microsoft .NET Framework 4 Client Profile

Microsoft .NET Framework 4 Extended

Microsoft .NET Framework 4 Multi-Targeting Pack

Microsoft Application Error Reporting

Microsoft Bootvis

Microsoft Compression Client Pack 1.0 for Windows XP

Microsoft DirectX 9.0 SDK Update (October 2004)

Microsoft Help Viewer 1.0

Microsoft Kernel-Mode Driver Framework Feature Pack 1.7

Microsoft MSDN 2005 Express Edition - ENU

Microsoft Platform SDK (R2) (3790.2075)

Microsoft Silverlight

Microsoft SQL Server Compact 3.5 SP2 ENU

Microsoft User-Mode Driver Framework Feature Pack 1.0

Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053

Microsoft Visual C++ 2005 Express Edition - ENU

Microsoft Visual C++ 2005 Express Edition - ENU Service Pack 1 (KB926748)

Microsoft Visual C++ 2005 Redistributable

Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570

Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4974

Microsoft Visual C++ 2010 Express - ENU

MinGW 5.1.3

mIRC

Motorola Driver Installation 4.2.0

Mozilla Firefox (3.6.16)

Mozilla Thunderbird (3.1.10)

MSI Radio

MSXML 4.0 SP2 (KB954430)

MSXML 4.0 SP2 (KB973688)

MSXML 6.0 Parser (KB933579)

msxml4

Mumble 1.2.3

Network Addon Mod Version May 2010 Version

NOAA Weather and Climate Toolkit

Null-modem emulator (com0com)

OpenAL

OpenLibraries

Oracle VM VirtualBox 4.0.0

OSCAR Editor

Pandora

Pidgin

Platform

Privoxy 3.0.6

QuickField 5.6 Student

QuickTime

RapidSVN-0.10.0

ReactOS Build Environment for Windows 1.4.5

Realterm 2.0.0.57

Safari

Security Update for CAPICOM (KB931906)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)

Security Update for Microsoft .NET Framework 4 Extended (KB2416472)

Security Update for Windows Internet Explorer 8 (KB2497640)

Security Update for Windows Internet Explorer 8 (KB2510531)

Security Update for Windows Internet Explorer 8 (KB969897)

Security Update for Windows Internet Explorer 8 (KB971961)

Security Update for Windows Internet Explorer 8 (KB978207)

Security Update for Windows Media Player (KB2378111)

Security Update for Windows Media Player (KB952069)

Security Update for Windows Media Player (KB954155)

Security Update for Windows Media Player (KB968816)

Security Update for Windows Media Player (KB973540)

Security Update for Windows Media Player (KB975558)

Security Update for Windows Media Player (KB978695)

Security Update for Windows Media Player 11 (KB954154)

Security Update for Windows XP (KB2079403)

Security Update for Windows XP (KB2115168)

Security Update for Windows XP (KB2121546)

Security Update for Windows XP (KB2229593)

Security Update for Windows XP (KB2296011)

Security Update for Windows XP (KB2347290)

Security Update for Windows XP (KB2360937)

Security Update for Windows XP (KB2387149)

Security Update for Windows XP (KB2393802)

Security Update for Windows XP (KB2412687)

Security Update for Windows XP (KB2419632)

Security Update for Windows XP (KB2423089)

Security Update for Windows XP (KB2440591)

Security Update for Windows XP (KB2443105)

Security Update for Windows XP (KB2476687)

Security Update for Windows XP (KB2478960)

Security Update for Windows XP (KB2478971)

Security Update for Windows XP (KB2479943)

Security Update for Windows XP (KB2481109)

Security Update for Windows XP (KB2483185)

Security Update for Windows XP (KB2485663)

Security Update for Windows XP (KB2503658)

Security Update for Windows XP (KB2506212)

Security Update for Windows XP (KB2506223)

Security Update for Windows XP (KB2507618)

Security Update for Windows XP (KB2508272)

Security Update for Windows XP (KB2508429)

Security Update for Windows XP (KB2509553)

Security Update for Windows XP (KB2511455)

Security Update for Windows XP (KB2524375)

Security Update for Windows XP (KB923561)

Security Update for Windows XP (KB923789)

Security Update for Windows XP (KB938464-v2)

Security Update for Windows XP (KB941569)

Security Update for Windows XP (KB946648)

Security Update for Windows XP (KB950762)

Security Update for Windows XP (KB950974)

Security Update for Windows XP (KB951066)

Security Update for Windows XP (KB951376-v2)

Security Update for Windows XP (KB951748)

Security Update for Windows XP (KB952004)

Security Update for Windows XP (KB952954)

Security Update for Windows XP (KB954459)

Security Update for Windows XP (KB954600)

Security Update for Windows XP (KB955069)

Security Update for Windows XP (KB956572)

Security Update for Windows XP (KB956744)

Security Update for Windows XP (KB956802)

Security Update for Windows XP (KB956803)

Security Update for Windows XP (KB956844)

Security Update for Windows XP (KB957097)

Security Update for Windows XP (KB958644)

Security Update for Windows XP (KB958687)

Security Update for Windows XP (KB958869)

Security Update for Windows XP (KB959426)

Security Update for Windows XP (KB960225)

Security Update for Windows XP (KB960803)

Security Update for Windows XP (KB960859)

Security Update for Windows XP (KB961371)

Security Update for Windows XP (KB961501)

Security Update for Windows XP (KB968537)

Security Update for Windows XP (KB969059)

Security Update for Windows XP (KB969947)

Security Update for Windows XP (KB970238)

Security Update for Windows XP (KB970430)

Security Update for Windows XP (KB971468)

Security Update for Windows XP (KB971633)

Security Update for Windows XP (KB971657)

Security Update for Windows XP (KB972270)

Security Update for Windows XP (KB973346)

Security Update for Windows XP (KB973354)

Security Update for Windows XP (KB973507)

Security Update for Windows XP (KB973869)

Security Update for Windows XP (KB973904)

Security Update for Windows XP (KB974112)

Security Update for Windows XP (KB974318)

Security Update for Windows XP (KB974392)

Security Update for Windows XP (KB974571)

Security Update for Windows XP (KB975025)

Security Update for Windows XP (KB975467)

Security Update for Windows XP (KB975560)

Security Update for Windows XP (KB975561)

Security Update for Windows XP (KB975562)

Security Update for Windows XP (KB975713)

Security Update for Windows XP (KB977165-v2)

Security Update for Windows XP (KB977816)

Security Update for Windows XP (KB977914)

Security Update for Windows XP (KB978251)

Security Update for Windows XP (KB978262)

Security Update for Windows XP (KB978338)

Security Update for Windows XP (KB978542)

Security Update for Windows XP (KB978601)

Security Update for Windows XP (KB978706)

Security Update for Windows XP (KB979309)

Security Update for Windows XP (KB979482)

Security Update for Windows XP (KB979687)

Security Update for Windows XP (KB980436)

Security Update for Windows XP (KB981322)

Security Update for Windows XP (KB981997)

Security Update for Windows XP (KB982132)

Security Update for Windows XP (KB982665)

Skins

SMPlayer 0.6.8

Sound Blaster Audigy 2 ZS

Spybot - Search & Destroy

SSC Service Utility v4.30

Star Wars Galaxies

Star Wars®: Knights of the Old Republic ™

StripboardMagic

SUPERAntiSpyware

System Requirements Lab

TeamSpeak 2 RC2

TeamSpeak 3 Client

TeamTalk 3

TeamTalk 4

TinyCAD 2.70.00

Tor 0.2.1.26

Traffic Simulator Configuration Tool

TV Tuner Driver

UltraVNC 1.0.5

Unknown Horizons

Unlocker 1.8.5

Update for Microsoft .NET Framework 4 Client Profile (KB2473228)

Update for Windows Internet Explorer 8 (KB976662)

Update for Windows XP (KB2345886)

Update for Windows XP (KB951978)

Update for Windows XP (KB955759)

Update for Windows XP (KB955839)

Update for Windows XP (KB967715)

Update for Windows XP (KB968389)

Update for Windows XP (KB971029)

Update for Windows XP (KB971737)

Update for Windows XP (KB973687)

Update for Windows XP (KB973815)

VDmos tool

Ventrilo Client

VIA Platform Device Manager

Vidalia 0.2.9

ViewMate 11.0

VLC media player 1.1.5

VMware Player

WebFldrs XP

WinDirStat 1.1.2

Windows Automated Installation Kit

Windows Genuine Advantage Notifications (KB905474)

Windows Genuine Advantage Validation Tool (KB892130)

Windows Internet Explorer 8

Windows Media Format 11 runtime

Windows Media Player 11

Windows Media Player Firefox Plugin

Windows XP Service Pack 3

WinPcap 4.1.2

Wireshark 1.4.3

World of Warcraft

World of Warcraft Beta

Zint

.

==== Event Viewer Messages From Past Week ========

.

5/8/2011 9:18:52 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the VMware Authorization Service service to connect.

5/8/2011 9:18:52 AM, error: Service Control Manager [7000] - The VMware Authorization Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

5/8/2011 8:36:21 AM, error: Service Control Manager [7000] - The TetaSCDevice service failed to start due to the following error: The system cannot find the file specified.

5/6/2011 8:01:12 PM, error: Service Control Manager [7034] - The Amazon Unbox Video Service service terminated unexpectedly. It has done this 10 time(s).

5/6/2011 7:56:02 PM, error: Service Control Manager [7034] - The Amazon Unbox Video Service service terminated unexpectedly. It has done this 9 time(s).

5/6/2011 4:21:47 PM, error: Service Control Manager [7034] - The Amazon Unbox Video Service service terminated unexpectedly. It has done this 8 time(s).

5/6/2011 4:16:33 PM, error: Service Control Manager [7034] - The Amazon Unbox Video Service service terminated unexpectedly. It has done this 7 time(s).

5/6/2011 4:11:48 PM, error: Service Control Manager [7034] - The Amazon Unbox Video Service service terminated unexpectedly. It has done this 6 time(s).

5/6/2011 4:04:23 PM, error: Service Control Manager [7034] - The Amazon Unbox Video Service service terminated unexpectedly. It has done this 5 time(s).

5/6/2011 3:56:42 PM, error: Service Control Manager [7034] - The Amazon Unbox Video Service service terminated unexpectedly. It has done this 4 time(s).

5/6/2011 3:51:50 PM, error: Service Control Manager [7034] - The Amazon Unbox Video Service service terminated unexpectedly. It has done this 3 time(s).

5/6/2011 3:51:01 PM, error: Service Control Manager [7034] - The Amazon Unbox Video Service service terminated unexpectedly. It has done this 2 time(s).

5/5/2011 5:10:57 PM, error: Service Control Manager [7034] - The Amazon Unbox Video Service service terminated unexpectedly. It has done this 1 time(s).

5/5/2011 4:01:01 PM, error: Dhcp [1002] - The IP address lease 192.168.1.64 for the Network Card with network address 00045A8E355B has been denied by the DHCP server 192.168.0.1 (The DHCP Server sent a DHCPNACK message).

5/5/2011 3:34:39 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the Netman service.

5/1/2011 8:09:26 PM, error: MRxSmb [8003] - The master browser has received a server announcement from the computer SUSE that believes that it is the master browser for the domain on transport NetBT_Tcpip_{1F2E8D42-4C2C-43B7-A5A5. The master browser is stopping or an election is being forced.

5/1/2011 6:54:42 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Amazon Unbox Video Service service to connect.

5/1/2011 6:54:42 PM, error: Service Control Manager [7000] - The MSI 8606 Video Capture service failed to start due to the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.

5/1/2011 6:54:42 PM, error: Service Control Manager [7000] - The MSI 8606 Tuner service failed to start due to the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.

5/1/2011 6:54:42 PM, error: Service Control Manager [7000] - The MSI 8606 Crossbar service failed to start due to the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.

5/1/2011 6:54:42 PM, error: Service Control Manager [7000] - The MSI 8606 Audio Capture service failed to start due to the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.

5/1/2011 6:54:42 PM, error: Service Control Manager [7000] - The LogMeIn Kernel Information Provider service failed to start due to the following error: The system cannot find the path specified.

5/1/2011 10:51:40 AM, error: ACPI [5] - AMLI: ACPI BIOS is attempting to write to an illegal IO port address (0x74), which lies in the 0x74 - 0x76 protected address range. This could lead to system instability. Please contact your system vendor for technical assistance.

.

==== End Of File ===========================

-------------------------------------attach.txt 5/8/11 ------END--------------------------------------

-------------------------------------RKU.txt 5/8/11 ---------START------------------------------------
RkU Version: 3.8.388.590, Type LE (SR2)

==============================================

OS Name: Windows XP

Version 5.1.2600 (Service Pack 3)

Number of processors #1

==============================================

>Drivers

==============================================

0xB94FE000 C:\WINDOWS\system32\DRIVERS\ati2mtag.sys 3891200 bytes (ATI Technologies Inc., ATI Radeon WindowsNT Miniport Driver)

0xBF1CD000 C:\WINDOWS\System32\ati3duag.dll 3821568 bytes (ATI Technologies Inc. , ati3duag.dll)

0xBF572000 C:\WINDOWS\System32\ativvaxx.dll 2670592 bytes (ATI Technologies Inc. , Radeon Video Acceleration Universal Driver)

0x804D7000 C:\WINDOWS\system32\ntoskrnl.exe 2192768 bytes (Microsoft Corporation, NT Kernel & System)

0x804D7000 PnpManager 2192768 bytes

0x804D7000 RAW 2192768 bytes

0x804D7000 WMIxWDM 2192768 bytes

0xBF800000 Win32k 1859584 bytes

0xBF800000 C:\WINDOWS\System32\win32k.sys 1859584 bytes (Microsoft Corporation, Multi-User Win32 Driver)

0xAF3A2000 C:\WINDOWS\system32\drivers\ha10kx2k.sys 905216 bytes (Creative Technology Ltd, Creative EMU10KX HAL (WDM))

0xAC44B000 C:\WINDOWS\system32\Drivers\vmx86.sys 851968 bytes (VMware, Inc., VMware kernel driver)

0xACA13000 C:\WINDOWS\system32\DRIVERS\eamon.sys 684032 bytes (ESET, Amon monitor)

0xAF2C2000 C:\WINDOWS\system32\drivers\ctac32k.sys 647168 bytes (Creative Technology Ltd, Creative AC3 SW Decoder Device Driver (WDM))

0xBF065000 C:\WINDOWS\System32\ati2cqag.dll 626688 bytes (ATI Technologies Inc., Central Memory Manager / Queue Server Module)

0xF7B52000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)

0xBF0FE000 C:\WINDOWS\System32\atikvmag.dll 540672 bytes (ATI Technologies Inc., Virtual Command And Memory Manager)

0xAF227000 C:\WINDOWS\System32\Drivers\wdf01000.sys 507904 bytes (Microsoft Corporation, WDF Dynamic)

0xAF008000 C:\WINDOWS\system32\DRIVERS\mrxsmb.sys 458752 bytes (Microsoft Corporation, Windows NT SMB Minirdr)

0xB7506000 C:\WINDOWS\system32\DRIVERS\update.sys 385024 bytes (Microsoft Corporation, Update Driver)

0xB9490000 C:\WINDOWS\system32\drivers\ctaud2k.sys 368640 bytes (Creative Technology Ltd, Creative WDM Audio Device Driver)

0xAF19B000 C:\WINDOWS\system32\DRIVERS\tcpip.sys 364544 bytes (Microsoft Corporation, TCP/IP Protocol Driver)

0xAC263000 C:\WINDOWS\system32\DRIVERS\srv.sys 360448 bytes (Microsoft Corporation, Server driver)

0xBF012000 C:\WINDOWS\System32\ati2dvag.dll 339968 bytes (ATI Technologies Inc., ATI Radeon WindowsNT Display Driver)

0xBF182000 C:\WINDOWS\System32\atiok3x2.dll 307200 bytes (ATI Technologies Inc., Ring 0 x2 component)

0xBF9C6000 C:\WINDOWS\System32\ATMFD.DLL 290816 bytes (Adobe Systems Incorporated, Windows NT OpenType/Type 1 Font Driver)

0xAB5C5000 C:\WINDOWS\System32\Drivers\HTTP.sys 266240 bytes (Microsoft Corporation, HTTP Protocol Stack)

0xB7580000 C:\WINDOWS\system32\DRIVERS\rdpdr.sys 196608 bytes (Microsoft Corporation, Microsoft RDP Device redirector)

0xB75F2000 C:\WINDOWS\system32\drivers\windrvr6.sys 196608 bytes (Jungo, WinDriver Device Driver 10.10)

0xF75A8000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)

0xAC543000 C:\WINDOWS\system32\DRIVERS\mrxdav.sys 184320 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)

0xF786A000 NDIS.sys 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)

0xB941D000 C:\WINDOWS\system32\drivers\ctoss2k.sys 180224 bytes (Creative Technology Ltd., Creative OS Services Driver (WDM))

0xAB4AA000 C:\WINDOWS\system32\drivers\kmixer.sys 176128 bytes (Microsoft Corporation, Kernel Mode Audio Mixer)

0xAF078000 C:\WINDOWS\system32\DRIVERS\rdbss.sys 176128 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)

0xAEB0A000 C:\WINDOWS\system32\DRIVERS\atinavt2.sys 172032 bytes (ATI Technologies Inc., ATI T200 Unified AVStream Driver)

0xAF173000 C:\WINDOWS\system32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)

0xF74B2000 dmio.sys 155648 bytes (Microsoft Corp., Veritas Software, NT Disk Manager I/O Driver)

0xAF0CB000 C:\WINDOWS\system32\DRIVERS\ipnat.sys 155648 bytes (Microsoft Corporation, IP Network Address Translator)

0xAF113000 C:\WINDOWS\system32\DRIVERS\VBoxDrv.sys 155648 bytes (Oracle Corporation, VirtualBox Support Driver)

0xAF47F000 C:\WINDOWS\system32\drivers\hap16v2k.sys 151552 bytes (Creative Technology Ltd, Creative EMU10KX-P16v HAL (WDM))

0xAEFE4000 C:\WINDOWS\System32\Drivers\Fastfat.SYS 147456 bytes (Microsoft Corporation, Fast FAT File System Driver)

0xB946C000 C:\WINDOWS\system32\drivers\portcls.sys 147456 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))

0xB7636000 C:\WINDOWS\system32\DRIVERS\USBPORT.SYS 147456 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)

0xB9449000 C:\WINDOWS\system32\drivers\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)

0xABF98000 C:\WINDOWS\System32\Drivers\RDPWD.SYS 143360 bytes (Microsoft Corporation, RDP Terminal Stack Driver (US/Canada Only, Not for Export))

0xAF139000 C:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)

0xAF380000 C:\WINDOWS\system32\drivers\emupia2k.sys 139264 bytes (Creative Technology Ltd, E-mu Plug-in Architecture Driver (WDM))

0xAF0F1000 D:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS 139264 bytes (SUPERAdBlocker.com and SUPERAntiSpyware.com, SASKUTIL.SYS)

0xF7479000 fasttx2k.sys 135168 bytes (Promise Technology, Inc., Promise FastTrak Series Driver for WindowsXP)

0x806EF000 ACPI_HAL 131840 bytes

0x806EF000 C:\WINDOWS\system32\hal.dll 131840 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)

0xAF360000 C:\WINDOWS\system32\drivers\ctsfm2k.sys 131072 bytes (Creative Technology Ltd, SoundFont® Manager (WDM))

0xF7441000 fltmgr.sys 131072 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)

0xAF2A3000 C:\WINDOWS\system32\DRIVERS\ehdrv.sys 126976 bytes (ESET, ESET Helper driver)

0xF74D8000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver)

0xB7564000 C:\WINDOWS\system32\DRIVERS\VBoxNetFlt.sys 114688 bytes (Oracle Corporation, VirtualBox Bridged Networking Driver)

0xF7850000 Mup.sys 106496 bytes (Microsoft Corporation, Multiple UNC Provider driver)

0xB75B0000 C:\WINDOWS\system32\DRIVERS\VBoxNetAdp.sys 106496 bytes (Oracle Corporation, VirtualBox Host-Only Network Adapter Driver)

0xF749A000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)

0xAEFCC000 C:\WINDOWS\System32\Drivers\dump_atapi.sys 98304 bytes

0xAF15B000 C:\WINDOWS\system32\DRIVERS\epfwtdir.sys 98304 bytes (ESET, ESET Antivirus Network Redirector)

0xF7461000 C:\WINDOWS\system32\DRIVERS\SCSIPORT.SYS 98304 bytes (Microsoft Corporation, SCSI Port Driver)

0xF7418000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)

0xB75DB000 C:\WINDOWS\system32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))

0xAC68E000 C:\WINDOWS\system32\drivers\wdmaud.sys 86016 bytes (Microsoft Corporation, MMSYSTEM Wave/Midi API mapper)

0xB7622000 C:\WINDOWS\system32\DRIVERS\parport.sys 81920 bytes (Microsoft Corporation, Parallel Port Driver)

0xB94EA000 C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver)

0xAF1F4000 C:\WINDOWS\system32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver)

0xF7405000 WudfPf.sys 77824 bytes (Microsoft Corporation, Windows Driver Foundation - User-mode Driver Framework Platform Driver)

0xBF000000 C:\WINDOWS\System32\drivers\dxg.sys 73728 bytes (Microsoft Corporation, DirectX Graphics Driver)

0xF742F000 sr.sys 73728 bytes (Microsoft Corporation, System Restore Filesystem Filter Driver)

0xF7597000 pci.sys 69632 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)

0xB75CA000 C:\WINDOWS\system32\DRIVERS\psched.sys 69632 bytes (Microsoft Corporation, MS QoS Packet Scheduler)

0xF76F7000 C:\WINDOWS\System32\Drivers\Cdfs.SYS 65536 bytes (Microsoft Corporation, CD-ROM File System Driver)

0xF7507000 C:\WINDOWS\system32\DRIVERS\cdrom.sys 65536 bytes (Microsoft Corporation, SCSI CD-ROM Driver)

0xF7607000 ohci1394.sys 65536 bytes (Microsoft Corporation, 1394 OpenHCI Port Driver)

0xF7537000 C:\WINDOWS\system32\DRIVERS\serial.sys 65536 bytes (Microsoft Corporation, Serial Device Driver)

0xF7517000 C:\WINDOWS\system32\DRIVERS\com0com.sys 61440 bytes (Vyacheslav Frolov, Null-modem emulator)

0xBA087000 C:\WINDOWS\system32\drivers\drmk.sys 61440 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)

0xF74F7000 C:\WINDOWS\system32\DRIVERS\redbook.sys 61440 bytes (Microsoft Corporation, Redbook Audio Filter Driver)

0xAC6CB000 C:\WINDOWS\system32\drivers\sysaudio.sys 61440 bytes (Microsoft Corporation, System Audio WDM Filter)

0xB9E4E000 C:\WINDOWS\system32\DRIVERS\usbhub.sys 61440 bytes (Microsoft Corporation, Default Hub Driver for USB)

0xF7617000 C:\WINDOWS\system32\DRIVERS\1394BUS.SYS 57344 bytes (Microsoft Corporation, 1394 Bus Device Driver)

0xBA7B8000 C:\WINDOWS\system32\DRIVERS\ATITool.sys 53248 bytes (W1zzard, ATITool Low-Level Driver)

0xF7657000 C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS 53248 bytes (Microsoft Corporation, SCSI Class System Dll)

0xF7557000 C:\WINDOWS\system32\DRIVERS\i8042prt.sys 53248 bytes (Microsoft Corporation, i8042 Port Driver)

0xBA077000 C:\WINDOWS\system32\DRIVERS\rasl2tp.sys 53248 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)

0xF7637000 VolSnap.sys 53248 bytes (Microsoft Corporation, Volume Shadow Copy Driver)

0xB9E2E000 C:\WINDOWS\system32\DRIVERS\WDFLDR.SYS 53248 bytes (Microsoft Corporation, WDFLDR)

0xBA057000 C:\WINDOWS\system32\DRIVERS\raspptp.sys 49152 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)

0xAC833000 C:\WINDOWS\system32\Drivers\vmci.sys 49152 bytes (VMware, Inc., VMware kernel driver)

0xF7577000 C:\WINDOWS\System32\Drivers\Fips.SYS 45056 bytes (Microsoft Corporation, FIPS Crypto Driver)

0xF7547000 C:\WINDOWS\system32\DRIVERS\imapi.sys 45056 bytes (Microsoft Corporation, IMAPI Kernel Driver)

0xF7627000 MountMgr.sys 45056 bytes (Microsoft Corporation, Mount Manager)

0xBA027000 C:\WINDOWS\system32\DRIVERS\raspppoe.sys 45056 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)

0xBA097000 C:\WINDOWS\system32\DRIVERS\amdk7.sys 40960 bytes (Microsoft Corporation, Processor Device Driver)

0xAC853000 C:\WINDOWS\system32\drivers\hcmon.sys 40960 bytes (VMware, Inc., VMware USB monitor)

0xF75F7000 isapnp.sys 40960 bytes (Microsoft Corporation, PNP ISA Bus Driver)

0xAC373000 C:\WINDOWS\system32\drivers\LMIRfsDriver.sys 40960 bytes (LogMeIn, Inc., LogMeIn Rfs Drivemap Driver)

0xB9E6E000 C:\WINDOWS\System32\Drivers\NDProxy.SYS 40960 bytes (Microsoft Corporation, NDIS Proxy)

0xBA047000 C:\WINDOWS\system32\DRIVERS\termdd.sys 40960 bytes (Microsoft Corporation, Terminal Server Driver)

0xF7567000 C:\WINDOWS\system32\DRIVERS\AN983.sys 36864 bytes (ADMtek Incorporated., ADMtek AN983/AN985/ADM951X NDIS5 Driver)

0xF7647000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver)

0xB9E1E000 C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS 36864 bytes (Microsoft Corporation, Hid Class Library)

0xBA067000 C:\WINDOWS\system32\DRIVERS\msgpc.sys 36864 bytes (Microsoft Corporation, MS General Packet Classifier)

0xBA778000 C:\WINDOWS\system32\DRIVERS\netbios.sys 36864 bytes (Microsoft Corporation, NetBIOS interface driver)

0xAB6CE000 C:\WINDOWS\System32\Drivers\Normandy.SYS 36864 bytes (RKU Driver)

0xBA758000 C:\WINDOWS\system32\DRIVERS\VBoxUSBMon.sys 36864 bytes (Oracle Corporation, VirtualBox USB Monitor Driver)

0xB9DEE000 C:\WINDOWS\system32\DRIVERS\wanarp.sys 36864 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)

0xF780F000 C:\WINDOWS\System32\Drivers\Modem.SYS 32768 bytes (Microsoft Corporation, Modem Device Driver)

0xBA1F0000 C:\WINDOWS\System32\Drivers\Npfs.SYS 32768 bytes (Microsoft Corporation, NPFS Driver)

0xB9BA6000 C:\WINDOWS\system32\DRIVERS\usbccgp.sys 32768 bytes (Microsoft Corporation, USB Common Class Generic Parent Driver)

0xF77B7000 C:\WINDOWS\system32\DRIVERS\usbehci.sys 32768 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)

0xF7717000 videX32.sys 32768 bytes (VIA Technologies, Inc., VIA Generic PCI IDE Bus Driver)

0xF7747000 C:\WINDOWS\system32\DRIVERS\fdc.sys 28672 bytes (Microsoft Corporation, Floppy Disk Controller Driver)

0xF77FF000 C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS 28672 bytes (Microsoft Corporation, Hid Parsing Library)

0xB9BC6000 D:\DOCUME~1\pat\LOCALS~1\Temp\mbr.sys 28672 bytes

0xBA1E8000 C:\WINDOWS\system32\drivers\npf.sys 28672 bytes (CACE Technologies, Inc., npf.sys (NT5/6 x86) Kernel Driver)

0xF7707000 C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS 28672 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)

0xF771F000 viaagp1.sys 28672 bytes (VIA Technologies, Inc., VIA NT AGP Filter)

0xF77BF000 C:\WINDOWS\system32\DRIVERS\kbdclass.sys 24576 bytes (Microsoft Corporation, Keyboard Class Driver)

0xF7787000 C:\WINDOWS\system32\DRIVERS\motmodem.sys 24576 bytes (Motorola, Motorola USB Modem and Ports Driver)

0xBA208000 C:\WINDOWS\system32\DRIVERS\motport.sys 24576 bytes (Motorola, Motorola USB Modem and Ports Driver)

0xF77EF000 C:\WINDOWS\system32\DRIVERS\mouclass.sys 24576 bytes (Microsoft Corporation, Mouse Class Driver)

0xBA1D0000 D:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS 24576 bytes (SUPERAdBlocker.com and SUPERAntiSpyware.com, SASDIFSV.SYS)

0xF7757000 C:\WINDOWS\System32\Drivers\TDTCP.SYS 24576 bytes (Microsoft Corporation, TCP Transport Driver)

0xF77AF000 C:\WINDOWS\system32\DRIVERS\usbuhci.sys 24576 bytes (Microsoft Corporation, UHCI USB Miniport Driver)

0xF7817000 C:\WINDOWS\System32\drivers\vga.sys 24576 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)

0xAEB6C000 C:\WINDOWS\system32\DRIVERS\vmnetbridge.sys 24576 bytes (VMware, Inc., VMware bridge driver (32-bit))

0xF77F7000 C:\WINDOWS\system32\DRIVERS\flpydisk.sys 20480 bytes (Microsoft Corporation, Floppy Driver)

0xB9B8E000 C:\WINDOWS\system32\DRIVERS\motccgp.sys 20480 bytes (Motorola, Motorola USB Composite Device Driver)

0xBA200000 C:\WINDOWS\System32\Drivers\Msfs.SYS 20480 bytes (Microsoft Corporation, Mailslot driver)

0xF770F000 PartMgr.sys 20480 bytes (Microsoft Corporation, Partition Manager)

0xF77C7000 C:\WINDOWS\system32\DRIVERS\ptilink.sys 20480 bytes (Parallel Technologies, Inc., Parallel Technologies DirectParallel IO Library)

0xF77E7000 C:\WINDOWS\system32\DRIVERS\raspti.sys 20480 bytes (Microsoft Corporation, PTI DirectParallel® mini-port/call-manager driver)

0xF77CF000 C:\WINDOWS\system32\DRIVERS\TDI.SYS 20480 bytes (Microsoft Corporation, TDI Wrapper)

0xF773F000 C:\WINDOWS\system32\drivers\VMkbd.sys 20480 bytes (VMware, Inc., VMware keyboard filter driver (32-bit))

0xAEB54000 C:\WINDOWS\system32\drivers\vmnetuserif.sys 20480 bytes (VMware, Inc., VMware network application interface driver (32-bit))

0xB9BBE000 C:\WINDOWS\System32\watchdog.sys 20480 bytes (Microsoft Corporation, Watchdog Driver)

0xBA198000 C:\WINDOWS\system32\DRIVERS\kbdhid.sys 16384 bytes (Microsoft Corporation, HID Mouse Filter Driver)

0xBA1A0000 C:\WINDOWS\system32\DRIVERS\mssmbios.sys 16384 bytes (Microsoft Corporation, System Management BIOS Driver)

0xACAE2000 C:\WINDOWS\system32\DRIVERS\ndisuio.sys 16384 bytes (Microsoft Corporation, NDIS User mode I/O Driver)

0xAC7B3000 C:\WINDOWS\system32\drivers\PfModNT.sys 16384 bytes (Creative Technology Ltd., PCI/ISA Device Info. Service)

0xBA730000 C:\WINDOWS\system32\DRIVERS\serenum.sys 16384 bytes (Microsoft Corporation, Serial Port Enumerator)

0xAC0DF000 D:\Program Files\VMware\VMware Player\vstor2-ws60.sys 16384 bytes (VMware, Inc., VMware Virtual Storage Volume Driver)

0xAF0A7000 C:\WINDOWS\system32\DRIVERS\BdaSup.SYS 12288 bytes (Microsoft Corporation, Microsoft BDA Driver Support Library)

0xF7897000 C:\WINDOWS\system32\BOOTVID.dll 12288 bytes (Microsoft Corporation, VGA Boot Driver)

0xBA1AC000 C:\WINDOWS\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver)

0xBA734000 C:\WINDOWS\system32\DRIVERS\gameenum.sys 12288 bytes (Microsoft Corporation, Game Port Enumerator)

0xB7676000 C:\WINDOWS\system32\DRIVERS\hidusb.sys 12288 bytes (Microsoft Corporation, USB Miniport Driver for Input Devices)

0xB766E000 C:\WINDOWS\system32\DRIVERS\motccgpfl.sys 12288 bytes (Motorola, Motorola USB Composite Filter Driver)

0xBA7FC000 C:\WINDOWS\system32\DRIVERS\mouhid.sys 12288 bytes (Microsoft Corporation, HID Mouse Filter Driver)

0xBA724000 C:\WINDOWS\system32\DRIVERS\ndistapi.sys 12288 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)

0xF7943000 C:\WINDOWS\system32\DRIVERS\rasacd.sys 12288 bytes (Microsoft Corporation, RAS Automatic Connection Driver)

0xB7C6C000 C:\WINDOWS\system32\DRIVERS\VMNET.SYS 12288 bytes (VMware, Inc., VMware virtual network driver (32-bit))

0xB7C70000 C:\WINDOWS\system32\DRIVERS\vmnetadapter.sys 12288 bytes (VMware, Inc., VMware virtual network adapter driver (32-bit))

0xBA7E4000 C:\WINDOWS\System32\drivers\ws2ifsl.sys 12288 bytes (Microsoft Corporation, Winsock2 IFS Layer)

0xF79B3000 C:\WINDOWS\System32\Drivers\Beep.SYS 8192 bytes (Microsoft Corporation, BEEP Driver)

0xF79DD000 C:\WINDOWS\system32\drivers\ctprxy2k.sys 8192 bytes (Creative Technology Ltd, Creative Proxy Device Driver (WDM))

0xF798D000 dmload.sys 8192 bytes (Microsoft Corp., Veritas Software., NT Disk Manager Startup Driver)

0xF79C3000 C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS 8192 bytes

0xF79AD000 C:\WINDOWS\System32\Drivers\Fs_Rec.SYS 8192 bytes (Microsoft Corporation, File System Recognizer Driver)

0xB7ABF000 C:\WINDOWS\system32\drivers\ghstwall.sys 8192 bytes

0xF7987000 C:\WINDOWS\system32\KDCOM.DLL 8192 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)

0xF79D1000 C:\WINDOWS\System32\Drivers\mnmdd.SYS 8192 bytes (Microsoft Corporation, Frame buffer simulator)

0xF79A5000 C:\WINDOWS\System32\Drivers\MouseCap.sys 8192 bytes (-, MouseCapture)

0xF79C9000 C:\WINDOWS\System32\Drivers\ParVdm.SYS 8192 bytes (Microsoft Corporation, VDM Parallel Driver)

0xF79BB000 C:\WINDOWS\System32\DRIVERS\RDPCDD.sys 8192 bytes (Microsoft Corporation, RDP Miniport)

0xF79A3000 C:\WINDOWS\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)

0xF79A1000 C:\WINDOWS\system32\drivers\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)

0xF798B000 viaide.sys 8192 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)

0xF79BF000 C:\WINDOWS\system32\Drivers\VMparport.sys 8192 bytes (VMware, Inc., VMware parallel port driver)

0xF7989000 C:\WINDOWS\system32\DRIVERS\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll)

0xF7ABB000 C:\WINDOWS\system32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver)

0xF7A98000 C:\WINDOWS\System32\drivers\dxgthk.sys 4096 bytes (Microsoft Corporation, DirectX Graphics Driver Thunk)

0xB923D000 C:\WINDOWS\system32\DRIVERS\lmimirr.sys 4096 bytes (LogMeIn, Inc., LogMeIn Mirror Miniport Driver)

0xB86C3000 C:\WINDOWS\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver)

==============================================

>Stealth

==============================================

0x05BE0000 Hidden Image-->CLI.Aspect.Radeon3D.Graphics.Wizard.DLL [ EPROCESS 0x88B72BE0 ] PID: 3852, 102400 bytes

0x064C0000 Hidden Image-->CLI.Component.Dashboard.DLL [ EPROCESS 0x88B72BE0 ] PID: 3852, 1150976 bytes

0x00D10000 Hidden Image-->MOM.Implementation.DLL [ EPROCESS 0x886D15A0 ] PID: 2828, 118784 bytes

0x012B0000 Hidden Image-->MOM.Implementation.DLL [ EPROCESS 0x88B72BE0 ] PID: 3852, 118784 bytes

0x05A40000 Hidden Image-->CLI.Aspect.VPURecover.Graphics.Dashboard.DLL [ EPROCESS 0x88B72BE0 ] PID: 3852, 118784 bytes

0x061A0000 Hidden Image-->CLI.Aspect.DisplaysOptions.Graphics.Dashboard.DLL [ EPROCESS 0x88B72BE0 ] PID: 3852, 135168 bytes

0x05850000 Hidden Image-->CLI.Aspect.Welcome.Graphics.Dashboard.DLL [ EPROCESS 0x88B72BE0 ] PID: 3852, 151552 bytes

0x05F40000 Hidden Image-->CLI.Aspect.DisplaysManager.Graphics.Wizard.DLL [ EPROCESS 0x88B72BE0 ] PID: 3852, 1740800 bytes

0x060F0000 Hidden Image-->CLI.Aspect.InfoCentre.Graphics.Wizard.DLL [ EPROCESS 0x88B72BE0 ] PID: 3852, 217088 bytes

0x05890000 Hidden Image-->CLI.Aspect.InfoCentre.Graphics.Dashboard.DLL [ EPROCESS 0x88B72BE0 ] PID: 3852, 233472 bytes

0x88C95F13 Unknown page with executable code, 237 bytes

0x00EE0000 Hidden Image-->MOM.Foundation.DLL [ EPROCESS 0x886D15A0 ] PID: 2828, 28672 bytes

0x01110000 Hidden Image-->LOG.Foundation.Implementation.Private.DLL [ EPROCESS 0x886D15A0 ] PID: 2828, 28672 bytes

0x056D0000 Hidden Image-->CLI.Component.Client.Shared.DLL [ EPROCESS 0x88B72BE0 ] PID: 3852, 28672 bytes

0x04A00000 Hidden Image-->AEM.Plugin.GD.Shared.DLL [ EPROCESS 0x88B72BE0 ] PID: 3852, 28672 bytes

0x00D40000 Hidden Image-->MOM.Foundation.DLL [ EPROCESS 0x88B72BE0 ] PID: 3852, 28672 bytes

0x00D70000 Hidden Image-->LOG.Foundation.Implementation.Private.DLL [ EPROCESS 0x88B72BE0 ] PID: 3852, 28672 bytes

0x03950000 Hidden Image-->CLI.Component.Runtime.Shared.DLL [ EPROCESS 0x88B72BE0 ] PID: 3852, 28672 bytes

0x03C80000 Hidden Image-->AEM.Server.Shared.DLL [ EPROCESS 0x88B72BE0 ] PID: 3852, 28672 bytes

0x043A0000 Hidden Image-->AEM.Plugin.DPPE.Shared.DLL [ EPROCESS 0x88B72BE0 ] PID: 3852, 28672 bytes

0x043E0000 Hidden Image-->AEM.Plugin.WinMessages.Shared.DLL [ EPROCESS 0x88B72BE0 ] PID: 3852, 28672 bytes

0x043C0000 Hidden Image-->AEM.Plugin.Hotkeys.Shared.DLL [ EPROCESS 0x88B72BE0 ] PID: 3852, 28672 bytes

0x04530000 Hidden Image-->DEM.Graphics.DLL [ EPROCESS 0x88B72BE0 ] PID: 3852, 28672 bytes

0x04510000 Hidden Image-->DEM.Foundation.DLL [ EPROCESS 0x88B72BE0 ] PID: 3852, 28672 bytes

0x048E0000 Hidden Image-->CLI.Caste.HydraVision.Shared.DLL [ EPROCESS 0x88B72BE0 ] PID: 3852, 28672 bytes

0x04900000 Hidden Image-->AEM.Actions.CCAA.Shared.DLL [ EPROCESS 0x88B72BE0 ] PID: 3852, 28672 bytes

0x049B0000 Hidden Image-->DEM.OS.DLL [ EPROCESS 0x88B72BE0 ] PID: 3852, 28672 bytes

0x049A0000 Hidden Image-->DEM.OS.I0602.DLL [ EPROCESS 0x88B72BE0 ] PID: 3852, 28672 bytes

0x049D0000 Hidden Image-->DEM.Graphics.I0709.dll [ EPROCESS 0x88B72BE0 ] PID: 3852, 28672 bytes

0x04B50000 Hidden Image-->ResourceManagement.Foundation.Private.DLL [ EPROCESS 0x88B72BE0 ] PID: 3852, 28672 bytes

0x04B80000 Hidden Image-->DEM.Graphics.I0804.dll [ EPROCESS 0x88B72BE0 ] PID: 3852, 28672 bytes

0x04BE0000 Hidden Image-->CLI.Caste.Graphics.Runtime.Shared.Private.DLL [ EPROCESS 0x88B72BE0 ] PID: 3852, 28672 bytes

0x04D20000 Hidden Image-->APM.Foundation.DLL [ EPROCESS 0x88B72BE0 ] PID: 3852, 28672 bytes

0x04DA0000 Hidden Image-->CLI.Component.Runtime.Extension.EEU.DLL [ EPROCESS 0x88B72BE0 ] PID: 3852, 28672 bytes

0x04DB0000 Hidden Image-->AEM.Plugin.REG.Shared.DLL [ EPROCESS 0x88B72BE0 ] PID: 3852, 28672 bytes

0x04DE0000 Hidden Image-->AEM.Plugin.EEU.Shared.DLL [ EPROCESS 0x88B72BE0 ] PID: 3852, 28672 bytes

0x04E60000 Hidden Image-->DEM.Graphics.I0805.dll [ EPROCESS 0x88B72BE0 ] PID: 3852, 28672 bytes

0x04EB0000 Hidden Image-->DEM.Graphics.I0706.DLL [ EPROCESS 0x88B72BE0 ] PID: 3852, 28672 bytes

0x04F00000 Hidden Image-->CLI.Aspect.HotkeysHandling.Graphics.Runtime.DLL [ EPROCESS 0x88B72BE0 ] PID: 3852, 28672 bytes

0x04F20000 Hidden Image-->CLI.Aspect.HotkeysHandling.Graphics.Shared.DLL [ EPROCESS 0x88B72BE0 ] PID: 3852, 28672 bytes

0x050B0000 Hidden Image-->CLI.Aspect.VPURecover.Graphics.Shared.DLL [ EPROCESS 0x88B72BE0 ] PID: 3852, 28672 bytes

0x050A0000 Hidden Image-->DEM.Graphics.I0712.dll [ EPROCESS 0x88B72BE0 ] PID: 3852, 28672 bytes

0x050D0000 Hidden Image-->DEM.Graphics.I0812.dll [ EPROCESS 0x88B72BE0 ] PID: 3852, 28672 bytes

0x056E0000 Hidden Image-->Branding.dll [ EPROCESS 0x88B72BE0 ] PID: 3852, 28672 bytes

0x05700000 Hidden Image-->CLI.Component.Wizard.Shared.DLL [ EPROCESS 0x88B72BE0 ] PID: 3852, 28672 bytes

0x057E0000 Hidden Image-->CLI.Component.Dashboard.Shared.DLL [ EPROCESS 0x88B72BE0 ] PID: 3852, 28672 bytes

0x057F0000 Hidden Image-->CLI.Component.Dashboard.Shared.Private.DLL [ EPROCESS 0x88B72BE0 ] PID: 3852, 28672 bytes

0x05800000 Hidden Image-->CLI.Caste.Graphics.Dashboard.Shared.DLL [ EPROCESS 0x88B72BE0 ] PID: 3852, 28672 bytes

0x05950000 Hidden Image-->CLI.Caste.Graphics.Wizard.Shared.DLL [ EPROCESS 0x88B72BE0 ] PID: 3852, 28672 bytes

0x05960000 Hidden Image-->CLI.Caste.HydraVision.Wizard.DLL [ EPROCESS 0x88B72BE0 ] PID: 3852, 28672 bytes

0x05C10000 Hidden Image-->atixclib.DLL [ EPROCESS 0x88B72BE0 ] PID: 3852, 28672 bytes

0x066E0000 Hidden Image-->CLI.Caste.HydraVision.Dashboard.DLL [ EPROCESS 0x88B72BE0 ] PID: 3852, 28672 bytes

0x04930000 Hidden Image-->CLI.Caste.Graphics.Runtime.DLL [ EPROCESS 0x88B72BE0 ] PID: 3852, 299008 bytes

0x06E00000 Hidden Image-->CLI.Aspect.SmartGart.Graphics.Dashboard.DLL [ EPROCESS 0x88B72BE0 ] PID: 3852, 299008 bytes

0x01130000 Hidden Image-->System.Runtime.Remoting.dll [ EPROCESS 0x886D15A0 ] PID: 2828, 307200 bytes

0x00DB0000 Hidden Image-->System.Runtime.Remoting.dll [ EPROCESS 0x88B72BE0 ] PID: 3852, 307200 bytes

0x037F0000 Hidden Image-->CCC.Implementation.DLL [ EPROCESS 0x886D15A0 ] PID: 2828, 36864 bytes

0x03820000 Hidden Image-->NEWAEM.Foundation.DLL [ EPROCESS 0x886D15A0 ] PID: 2828, 36864 bytes

0x04F50000 Hidden Image-->CLI.Aspect.DisplaysColour2.Graphics.Shared.DLL [ EPROCESS 0x88B72BE0 ] PID: 3852, 36864 bytes

0x03AC0000 Hidden Image-->Interop.WBOCXLib.DLL [ EPROCESS 0x88B72BE0 ] PID: 3852, 36864 bytes

0x00D10000 Hidden Image-->CCC.Implementation.DLL [ EPROCESS 0x88B72BE0 ] PID: 3852, 36864 bytes

0x038D0000 Hidden Image-->CLI.Foundation.XManifest.DLL [ EPROCESS 0x88B72BE0 ] PID: 3852, 36864 bytes

0x03900000 Hidden Image-->AxInterop.WBOCXLib.DLL [ EPROCESS 0x88B72BE0 ] PID: 3852, 36864 bytes

0x03C20000 Hidden Image-->NEWAEM.Foundation.DLL [ EPROCESS 0x88B72BE0 ] PID: 3852, 36864 bytes

0x03DB0000 Hidden Image-->CLI.Aspect.MultiVPU4.Graphics.Shared.DLL [ EPROCESS 0x88B72BE0 ] PID: 3852, 36864 bytes

0x03DD0000 Hidden Image-->CLI.Aspect.ALICrossfire.Graphics.Shared.DLL [ EPROCESS 0x88B72BE0 ] PID: 3852, 36864 bytes

0x03DF0000 Hidden Image-->CLI.Aspect.PowerXpress.Graphics.Shared.DLL [ EPROCESS 0x88B72BE0 ] PID: 3852, 36864 bytes

0x048D0000 Hidden Image-->CLI.Caste.HydraVision.Runtime.DLL [ EPROCESS 0x88B72BE0 ] PID: 3852, 36864 bytes

0x04990000 Hidden Image-->ACE.Graphics.DisplaysManager.Shared.DLL [ EPROCESS 0x88B72BE0 ] PID: 3852, 36864 bytes

0x04E30000 Hidden Image-->CLI.Aspect.CustomFormats.Graphics.Shared.DLL [ EPROCESS 0x88B72BE0 ] PID: 3852, 36864 bytes

0x04F80000 Hidden Image-->CLI.Aspect.DisplaysOptions.Graphics.Shared.DLL [ EPROCESS 0x88B72BE0 ] PID: 3852, 36864 bytes

0x05010000 Hidden Image-->CLI.Aspect.DeviceLCD.Graphics.Shared.DLL [ EPROCESS 0x88B72BE0 ] PID: 3852, 36864 bytes

0x05090000 Hidden Image-->CLI.Aspect.VPURecover.Graphics.Runtime.DLL [ EPROCESS 0x88B72BE0 ] PID: 3852, 36864 bytes

0x05110000 Hidden Image-->CLI.Aspect.SmartGart.Graphics.Shared.DLL [ EPROCESS 0x88B72BE0 ] PID: 3852, 36864 bytes

0x05100000 Hidden Image-->CLI.Aspect.SmartGart.Graphics.Runtime.DLL [ EPROCESS 0x88B72BE0 ] PID: 3852, 36864 bytes

0x057D0000 Hidden Image-->CLI.Component.Wizard.Shared.Private.DLL [ EPROCESS 0x88B72BE0 ] PID: 3852, 36864 bytes

0x06130000 Hidden Image-->CLI.Aspect.DeviceTV.Graphics.Wizard.DLL [ EPROCESS 0x88B72BE0 ] PID: 3852, 372736 bytes

0x06B60000 Hidden Image-->CLI.Aspect.Radeon3D.Graphics.Dashboard.DLL [ EPROCESS 0x88B72BE0 ] PID: 3852, 372736 bytes

0x053C0000 Hidden Image-->CLI.Component.Wizard.DLL [ EPROCESS 0x88B72BE0 ] PID: 3852, 413696 bytes

0x05D20000 Hidden Image-->CLI.Aspect.MMVideo.Graphics.Wizard.DLL [ EPROCESS 0x88B72BE0 ] PID: 3852, 413696 bytes

0x061D0000 Hidden Image-->CLI.Aspect.DeviceCRT.Graphics.Dashboard.DLL [ EPROCESS 0x88B72BE0 ] PID: 3852, 446464 bytes

0x00D40000 Hidden Image-->LOG.Foundation.DLL [ EPROCESS 0x886D15A0 ] PID: 2828, 45056 bytes

0x00DB0000 Hidden Image-->LOG.Foundation.Private.DLL [ EPROCESS 0x886D15A0 ] PID: 2828, 45056 bytes

0x00D30000 Hidden Image-->LOG.Foundation.DLL [ EPROCESS 0x88B72BE0 ] PID: 3852, 45056 bytes

0x00E10000 Hidden Image-->LOG.Foundation.Private.DLL [ EPROCESS 0x88B72BE0 ] PID: 3852, 45056 bytes

0x03960000 Hidden Image-->ATICCCom.DLL [ EPROCESS 0x88B72BE0 ] PID: 3852, 45056 bytes

0x04E40000 Hidden Image-->CLI.Aspect.DeviceProperty.Graphics.Runtime.DLL [ EPROCESS 0x88B72BE0 ] PID: 3852, 45056 bytes

0x04EE0000 Hidden Image-->CLI.Aspect.DeviceProperty.Graphics.Shared.DLL [ EPROCESS 0x88B72BE0 ] PID: 3852, 45056 bytes

0x04F70000 Hidden Image-->CLI.Aspect.DisplaysOptions.Graphics.Runtime.DLL [ EPROCESS 0x88B72BE0 ] PID: 3852, 45056 bytes

0x04FE0000 Hidden Image-->CLI.Aspect.DeviceLCD.Graphics.Runtime.DLL [ EPROCESS 0x88B72BE0 ] PID: 3852, 45056 bytes

0x04540000 Hidden Image-->ATIDEMGX.dll [ EPROCESS 0x88B72BE0 ] PID: 3852, 454656 bytes

0x06AE0000 Hidden Image-->CLI.Aspect.DeviceDFP.Graphics.Dashboard.DLL [ EPROCESS 0x88B72BE0 ] PID: 3852, 462848 bytes

0x05A60000 Hidden Image-->CLI.Aspect.TransCode.Graphics.Wizard.DLL [ EPROCESS 0x88B72BE0 ] PID: 3852, 503808 bytes

0x05640000 Hidden Image-->ResourceManagement.Foundation.Implementation.DLL [ EPROCESS 0x88B72BE0 ] PID: 3852, 512000 bytes

0x03940000 Hidden Image-->CLI.Foundation.Private.DLL [ EPROCESS 0x88B72BE0 ] PID: 3852, 53248 bytes

0x03930000 Hidden Image-->CLI.Component.Runtime.Shared.Private.DLL [ EPROCESS 0x88B72BE0 ] PID: 3852, 53248 bytes

0x03A60000 Hidden Image-->AEM.Server.DLL [ EPROCESS 0x88B72BE0 ] PID: 3852, 53248 bytes

0x04380000 Hidden Image-->AEM.Plugin.Source.Kit.Server.DLL [ EPROCESS 0x88B72BE0 ] PID: 3852, 53248 bytes

0x04500000 Hidden Image-->DEM.Graphics.I0601.DLL [ EPROCESS 0x88B72BE0 ] PID: 3852, 53248 bytes

0x04E20000 Hidden Image-->CLI.Aspect.DeviceCV.Graphics.Shared.DLL [ EPROCESS 0x88B72BE0 ] PID: 3852, 53248 bytes

0x04F40000 Hidden Image-->CLI.Aspect.DisplaysColour2.Graphics.Runtime.DLL [ EPROCESS 0x88B72BE0 ] PID: 3852, 53248 bytes

0x04FA0000 Hidden Image-->CLI.Aspect.DeviceCRT.Graphics.Runtime.DLL [ EPROCESS 0x88B72BE0 ] PID: 3852, 53248 bytes

0x052B0000 Hidden Image-->CLI.Component.Client.Shared.Private.DLL [ EPROCESS 0x88B72BE0 ] PID: 3852, 53248 bytes

0x05920000 Hidden Image-->CLI.Caste.Graphics.Wizard.DLL [ EPROCESS 0x88B72BE0 ] PID: 3852, 53248 bytes

0x05930000 Hidden Image-->CLI.Aspect.TransCode.Graphics.Shared.DLL [ EPROCESS 0x88B72BE0 ] PID: 3852, 53248 bytes

0x055B0000 Hidden Image-->CLI.Component.Systemtray.DLL [ EPROCESS 0x88B72BE0 ] PID: 3852, 552960 bytes

0x06BC0000 Hidden Image-->CLI.Aspect.DisplaysColour2.Graphics.Dashboard.DLL [ EPROCESS 0x88B72BE0 ] PID: 3852, 602112 bytes

0x88D2DDA4 Unknown page with executable code, 604 bytes

0x04FB0000 Hidden Image-->CLI.Aspect.DeviceCRT.Graphics.Shared.DLL [ EPROCESS 0x88B72BE0 ] PID: 3852, 61440 bytes

0x05080000 Hidden Image-->CLI.Aspect.DeviceDFP.Graphics.Shared.DLL [ EPROCESS 0x88B72BE0 ] PID: 3852, 61440 bytes

0x05140000 Hidden Image-->CLI.Aspect.Radeon3D.Graphics.Shared.DLL [ EPROCESS 0x88B72BE0 ] PID: 3852, 61440 bytes

0x051A0000 Hidden Image-->CLI.Aspect.MMVideo.Graphics.Shared.DLL [ EPROCESS 0x88B72BE0 ] PID: 3852, 61440 bytes

0x06890000 Hidden Image-->CLI.Aspect.DeviceCV.Graphics.Dashboard.DLL [ EPROCESS 0x88B72BE0 ] PID: 3852, 684032 bytes

0x00DC0000 Hidden Image-->LOG.Foundation.Implementation.DLL [ EPROCESS 0x886D15A0 ] PID: 2828, 69632 bytes

0x00D80000 Hidden Image-->LOG.Foundation.Implementation.DLL [ EPROCESS 0x88B72BE0 ] PID: 3852, 69632 bytes

0x038B0000 Hidden Image-->CLI.Component.SkinFactory.DLL [ EPROCESS 0x88B72BE0 ] PID: 3852, 69632 bytes

0x04910000 Hidden Image-->CLI.Caste.Graphics.Shared.DLL [ EPROCESS 0x88B72BE0 ] PID: 3852, 69632 bytes

0x04D40000 Hidden Image-->APM.Server.DLL [ EPROCESS 0x88B72BE0 ] PID: 3852, 69632 bytes

0x05120000 Hidden Image-->CLI.Aspect.Radeon3D.Graphics.Runtime.DLL [ EPROCESS 0x88B72BE0 ] PID: 3852, 69632 bytes

0x88D35D46 Unknown page with executable code, 698 bytes

0x06240000 Hidden Image-->CLI.Aspect.DeviceCV.Graphics.Wizard.DLL [ EPROCESS 0x88B72BE0 ] PID: 3852, 700416 bytes

0x05980000 Hidden Image-->CLI.Aspect.DisplaysManager.Graphics.Dashboard.DLL [ EPROCESS 0x88B72BE0 ] PID: 3852, 724992 bytes

0x04E00000 Hidden Image-->CLI.Aspect.DeviceCV.Graphics.Runtime.DLL [ EPROCESS 0x88B72BE0 ] PID: 3852, 77824 bytes

0x04EC0000 Hidden Image-->CLI.Aspect.DeviceTV.Graphics.Shared.DLL [ EPROCESS 0x88B72BE0 ] PID: 3852, 77824 bytes

0x05060000 Hidden Image-->CLI.Aspect.DeviceDFP.Graphics.Runtime.DLL [ EPROCESS 0x88B72BE0 ] PID: 3852, 77824 bytes

0x06A10000 Hidden Image-->CLI.Aspect.DeviceTV.Graphics.Dashboard.DLL [ EPROCESS 0x88B72BE0 ] PID: 3852, 806912 bytes

0x06D30000 Hidden Image-->CLI.Aspect.MMVideo.Graphics.Dashboard.DLL [ EPROCESS 0x88B72BE0 ] PID: 3852, 823296 bytes

0x00D50000 Hidden Image-->CLI.Foundation.DLL [ EPROCESS 0x88B72BE0 ] PID: 3852, 86016 bytes

0x04E80000 Hidden Image-->CLI.Aspect.DeviceTV.Graphics.Runtime.DLL [ EPROCESS 0x88B72BE0 ] PID: 3852, 86016 bytes

0x05820000 Hidden Image-->CLI.Caste.Graphics.Dashboard.DLL [ EPROCESS 0x88B72BE0 ] PID: 3852, 86016 bytes

0x03910000 Hidden Image-->CLI.Component.Runtime.DLL [ EPROCESS 0x88B72BE0 ] PID: 3852, 94208 bytes

0x04A10000 Hidden Image-->ATIDEMOS.DLL [ EPROCESS 0x88B72BE0 ] PID: 3852, 94208 bytes

0x05180000 Hidden Image-->CLI.Aspect.MMVideo.Graphics.Runtime.DLL [ EPROCESS 0x88B72BE0 ] PID: 3852, 94208 bytes

!!POSSIBLE ROOTKIT ACTIVITY DETECTED!! =)

-------------------------------------RKU.txt 5/8/11 ---------END--------------------------------------

#4 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,773 posts
  • Gender: Male
  • Location: Puerto Rico
  • Local time: 04:51 PM

Posted 08 May 2011 - 02:02 PM

Update ComboFix

I would like you to download an updated version of ComboFix.

Delete the version of ComboFix you have now on your desktop and download a new one from here:

Link 1
Link 2
Link 3
**Note: It is important that it is saved directly to your desktop**

1. Close any open browsers.
2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Double-click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
I Close My Topics If You Have Not Replied In 5 Days. If You Will Be Longer Please Let Me Know.

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic.

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#5 eadthem

  • Topic Starter
  • Members
  • 6 posts
  • Local time: 03:51 PM

Posted 10 May 2011 - 09:50 PM

OK, this new version of ComboFix has made a big difference.
The old version (Apr 28) did not successfully close explorer.exe; it closed and then restarted.

This version closed explorer.exe and kept it closed, and then pulled some trash out of system32. Noting the common theme of "fix" and "patch" in the exe names, I searched and found some others:

loadfix.exe
fixmapi.exe
qprocess.exe
processr.sys
faxpatch.exe
mspatcha.dll

Of course some of the files are probably legitimate and I have not yet looked into them. I will, and I'll edit my message with the results.

You should know that, other than a few sites I care nothing about, all passwords and secure stuff are done on my nix server now, including BC forums. So when you say download directly to desktop, I download it on my server to /home/file/ins/ and it's merged into D:\ins\ on the Windows machine's HDD. ComboFix is/has been run from that location, but all Explorer windows are closed before it starts.

RAIDMAGT, listed in the log as a new addition, is quite likely the Promise array management tool I ran to get SMART logs off my RAID 0 D: array. I had some chkdsk messages that were concerning on D: (Program Files, Documents and Settings, temp, swap) during a recent boot; SMART came back clean. The C drive (/windows only) had no errors or SMART errors.

You did not specify you wanted to see the log, so the LOG CAN BE FOUND at http://final.servegame.com/BC/combofix4.txt (415KB) if you need it. The folder also includes all other logs related to this: http://final.servegame.com/BC/ .

Sorry about the length; I had run Windows Update after my original post before your first reply (I had thought I had fixed the problem).

As agreed, no updates or other security actions have/will happen during your assistance.

Thanks for your help
ead

--------------- Selected Highlights from combofix4.txt ----------------------
ComboFix 11-05-09.04 - pat 05/10/2011 20:54:15.5.1 - x86

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\windows\system32\404Fix.exe

c:\windows\system32\Agent.OMZ.Fix.exe

c:\windows\system32\dumphive.exe

c:\windows\system32\IEDFix.C.exe

c:\windows\system32\IEDFix.exe

c:\windows\system32\o4Patch.exe

c:\windows\system32\Process.exe

c:\windows\system32\SrchSTS.exe

c:\windows\system32\VACFix.exe

c:\windows\system32\VCCLSID.exe

c:\windows\system32\WS2Fix.exe

***************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-05-10 21:02

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

---------------------end selected highlights of combofix4.log-----------------
If you need the whole log, it's 415KB; state the method and I'll deliver it. It's at http://final.servegame.com/BC/combofix4.txt .

Edited by eadthem, 10 May 2011 - 10:13 PM.


#6 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,773 posts
  • Gender: Male
  • Location: Puerto Rico
  • Local time: 04:51 PM

Posted 10 May 2011 - 10:15 PM

Clear your Java Cache

  • Click on Start -> Control Panel (Classic View) -> Java (looks like a coffee cup)
  • On the General tab, under Temporary Internet Files, click the Settings button.
  • Next, click on the Delete Files button.
  • There are two options in the window to clear the cache - leave BOTH checked:
      Applications and Applets
      Trace and Log Files
  • Click OK on the Delete Temporary Files window.
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files window.
  • Click OK to leave the Java Control Panel.

TFC(Temp File Cleaner):

  • Please download TFC to your desktop,
  • Save any unsaved work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program.
  • If prompted, click "Yes" to reboot.
Note: Save your work. TFC will automatically close any open programs; let it run uninterrupted. It shouldn't take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

Malwarebytes' Anti-Malware:

  • I would like you to rerun MBAM
  • Double-click mbam icon
  • go to the update tab at the top
  • click on check for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply
  • If you accidentally close it, the log file is saved here and will be named like this:
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Download HijackThis

  • Go Here to download HijackThis Installer
  • Save HijackThis Installer to your desktop.
  • Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7 right click and run as admin)
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed it will launch Hijackthis.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT use the AnalyseThis button; its findings are dangerous if misinterpreted.
  • DO NOT have HijackThis fix anything yet. Most of what it finds will be harmless or even required.

"information and logs"

  • In your next post I need the following

  • Log From MBAM
  • report from Hijackthis
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo

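As an added example (not code from this thread, from HijackThis or from Trend Micro), a small triage pass over HijackThis log lines of the kind the instructions above ask for: it only marks entries a person should verify, in the spirit of the warning against trusting the AnalyseThis button. The sample entries are constructed from the formats seen in this thread's log; the rules (bare autorun file names, Winsock LSP and Winlogon Notify DLLs, Trusted Zone entries, public DNS resolvers in O17) are this example's own assumptions about what is worth a second look, not HijackThis's logic.

```python
"""Triage pass over HijackThis log lines (added example, not HijackThis code)."""
import re
from dataclasses import dataclass
from ipaddress import ip_address
from typing import List, Optional, Tuple

# Constructed sample: entry formats copied from the log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [egui] "D:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - Startup: note.txt
O10 - Unknown file in Winsock LSP: d:\program files\vmware\vmware player\vsocklib.dll
O15 - Trusted Zone: *.sony.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{1F2E8D42-4C2C-43B7-A5A5-53E612D383FA}: NameServer = 4.2.2.1,192.168.0.1
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
""".strip()

# "O17 - <body>": section code, then the entry body.
ENTRY_RE = re.compile(r"^(?P<section>[OR]\d+) - (?P<body>.+)$")
# O4 Run-key body: HKLM\..\Run: [Name] command line
RUN_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
# O17 body ends with the configured DNS server list.
NS_RE = re.compile(r"NameServer = (?P<servers>[\d.,]+)$")


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def parse_entry(line: str) -> Optional[Tuple[str, str]]:
    """Split a HijackThis line into (section, body); None for non-entry lines."""
    m = ENTRY_RE.match(line.strip())
    return (m.group("section"), m.group("body")) if m else None


def autorun_executable(cmd: str) -> str:
    """Executable part of an O4 command: the quoted path, or the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return cmd.split(" ", 1)[0]


def triage(log_text: str) -> List[Finding]:
    """Mark entries a human should verify; the heuristics are this example's own."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        parsed = parse_entry(raw)
        if parsed is None:
            continue
        section, body = parsed
        line = raw.strip()
        if section == "O4":
            m = RUN_RE.match(body)
            if m and "\\" not in autorun_executable(m.group("cmd")):
                # Bare file name: resolved through the PATH search order, so
                # confirm which copy of the file actually runs at logon.
                findings.append(Finding(section, "autorun without full path: "
                                        + autorun_executable(m.group("cmd")), line))
        elif section == "O10":
            findings.append(Finding(section, "Winsock LSP DLL: confirm vendor and file signature", line))
        elif section == "O15":
            findings.append(Finding(section, "IE Trusted Zone entry: relaxed security for this domain", line))
        elif section == "O17":
            m = NS_RE.search(body)
            if m:
                for server in m.group("servers").split(","):
                    try:
                        public = not ip_address(server).is_private
                    except ValueError:
                        continue  # malformed address, nothing to classify
                    if public:
                        findings.append(Finding(section, f"public DNS resolver {server}: "
                                                "confirm it was set on purpose", line))
        elif section == "O20":
            findings.append(Finding(section, "Winlogon Notify DLL: loaded by winlogon.exe, verify publisher", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```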

#7 eadthem

  • Topic Starter
  • Members
  • 6 posts
  • Local time: 03:51 PM

Posted 10 May 2011 - 10:47 PM

The computer's doing decently for an 8-year-old :P, no major issues.

TFC was nice; it found some temp folders I didn't know about (the C drive is a 10GB partition and it cleared 0.5GB from it).

Thanks for your help
ead

--------------------------mbam.log--------------------------------
Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org



Database version: 6551



Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702



5/10/2011 10:38:19 PM

mbam-log-2011-05-10 (22-38-19).txt



Scan type: Quick scan

Objects scanned: 207932

Time elapsed: 8 minute(s), 38 second(s)



Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0



Memory Processes Infected:

(No malicious items detected)



Memory Modules Infected:

(No malicious items detected)



Registry Keys Infected:

(No malicious items detected)



Registry Values Infected:

(No malicious items detected)



Registry Data Items Infected:

(No malicious items detected)



Folders Infected:

(No malicious items detected)



Files Infected:

(No malicious items detected)

--------------------------mbam.log--------------------------------

--------------------------hijackthis.log--------------------------------
Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 10:36:03 PM, on 5/10/2011

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal



Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

D:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\MsPMSPSv.exe

C:\WINDOWS\system32\CTHELPER.EXE

D:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe

C:\WINDOWS\explorer.exe

D:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\WINDOWS\system32\msiexec.exe

D:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe



R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - D:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - D:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r

O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE

O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r

O4 - HKLM\..\Run: [GhostWall] "D:\Program Files\GhostWall\ghostwall.exe" -minimize

O4 - HKLM\..\Run: [StartCCC] "D:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun

O4 - HKLM\..\Run: [egui] "D:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice

O4 - HKLM\..\Run: [WheelMouse] D:\Program Files\A4Tech\Mouse\Amoumain.exe

O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Common Files\Java\Java Update\jusched.exe"

O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKCU\..\Run: [Greenshot] dmr "D:\Program Files\Greenshot\Greenshot.exe"

O4 - HKCU\..\Run: [OscarEditor] "D:\Program Files\OSCAR Editor\OscarEditor.exe" Minimum

O4 - Startup: note.txt

O4 - Global Startup: Amazon Unbox.lnk = D:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientSystemTray.exe

O4 - Global Startup: DiskCheckup.lnk = D:\Program Files\DiskCheckup\DiskCheckup.exe

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe

O10 - Unknown file in Winsock LSP: d:\program files\vmware\vmware player\vsocklib.dll

O10 - Unknown file in Winsock LSP: d:\program files\vmware\vmware player\vsocklib.dll

O15 - Trusted Zone: *.clonewarsadventures.com

O15 - Trusted Zone: *.freerealms.com

O15 - Trusted Zone: *.soe.com

O15 - Trusted Zone: *.sony.com

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab

O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos-beta/OnlineScanner.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{1F2E8D42-4C2C-43B7-A5A5-53E612D383FA}: NameServer = 4.2.2.1,192.168.0.1

O17 - HKLM\System\CS1\Services\Tcpip\..\{1F2E8D42-4C2C-43B7-A5A5-53E612D383FA}: NameServer = 4.2.2.1,192.168.0.1

O17 - HKLM\System\CS3\Services\Tcpip\..\{1F2E8D42-4C2C-43B7-A5A5-53E612D383FA}: NameServer = 4.2.2.1,192.168.0.1

O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll

O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll

O23 - Service: Amazon Unbox Video Service (ADVService) - Amazon.com - D:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientService.exe

O23 - Service: Apache2Triad Apache2 Service (Apache2) - Unknown owner - C:\apache2triad\bin\httpd.exe (file missing)

O23 - Service: Apache2Triad Apache2 Service with SSL (Apache2SSL) - Unknown owner - C:\apache2triad\bin\httpd.exe (file missing)

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - D:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe

O23 - Service: ESET Service (ekrn) - ESET - D:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe

O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - D:\Program Files\Google\Update\GoogleUpdate.exe

O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - D:\Program Files\Google\Update\GoogleUpdate.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - D:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: Apache2Triad MySql Service (MySql) - Unknown owner - C:\apache2triad\mysql\bin\mysqld.exe (file missing)

O23 - Service: MySQLS1 - Unknown owner - D:\uniserver\usr\local\mysql\bin\mysqld-opt.exe

O23 - Service: Apache2Triad PostgreSQL Service (PgSql) - Unknown owner - C:\apache2triad\pgsql\bin\pg_ctl.exe (file missing)

O23 - Service: Promise Array Message Agent (RAIDmAgt) - Unknown owner - D:\Program Files\Promise Technology, Inc.\Promise Array Management\MsgAgt.exe

O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies, Inc. - D:\Program Files\WinPcap\rpcapd.exe

O23 - Service: Apache2Triad SlimFTPd Server (SlimFTPd) - Unknown owner - C:\apache2triad\ftp\SlimFTPd.exe (file missing)

O23 - Service: VMware Agent Service (ufad-ws60) - VMware, Inc. - D:\Program Files\VMware\VMware Player\vmware-ufad.exe

O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - D:\Program Files\VMware\VMware Player\vmware-authd.exe

O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe

O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe

O23 - Service: Apache2Triad Xmail Service (XMail) - Unknown owner - C:\apache2triad\mail\bin\XMail.exe (file missing)



--

End of file - 7540 bytes
--------------------------hijackthis.log--------------------------------

#8 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,773 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:04:51 PM

Posted 10 May 2011 - 11:04 PM

Greetings

5G's That is real nice :thumbsup:


These logs are looking very good, we are almost done!!! Just one more scan to go.

:Remove unneeded startup entries:

This part of the fix is purely optional
These are programs that start up when you turn on your computer but don't need to; you can start any of them from their icons (or from the Control Panel) when you need them. By stopping these programs you will boot up faster and your computer will work faster.

  • Run HijackThis
  • Click on the Scan button
  • Put a check beside all of the items listed below (if present):

    • O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
      O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
      O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
      O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
      O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
      O4 - HKCU\..\Run: [Greenshot] dmr "C:\Program Files\Greenshot\Greenshot.exe"
      O4 - HKCU\..\Run: [OscarEditor] "C:\Program Files\OSCAR Editor\OscarEditor.exe" Minimum
      O4 - Startup: note.txt
      O4 - Global Startup: Amazon Unbox.lnk = C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientSystemTray.exe
      O4 - Global Startup: DiskCheckup.lnk = C:\Program Files\DiskCheckup\DiskCheckup.exe


  • Close all open windows and browsers/email, etc...
  • Click on the "Fix Checked" button
  • When completed, close the application.

    NOTE**You can research each of those lines >here< and see if you want to keep them or not
    just copy the name between the brackets and paste into the search space
    O4 - HKLM\..\Run: [IntelliPoint]


Eset Online Scanner

**Note** You will need to use Internet explorer for this scan - Vista and win 7 right click on IE shortcut and run as admin

Go to the Eset web page to run an online scanner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • click on the ESET Online Scanner button
  • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
  • When asked, allow the activex control to install
    • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options
    Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • Click on copy to clipboard and paste the results here in this topic
  • you may also find here C:\Program Files\Eset\Eset Online Scanner\log.txt
Copy and paste that log as a reply to this topic

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#9 eadthem

eadthem
  • Topic Starter

  • Members
  • 6 posts
  • Local time:03:51 PM

Posted 13 May 2011 - 04:19 PM

C:\Qoobox\Quarantine\C\WINDOWS\system32\Process.exe.vir Win32/PrcView application

C:\System Volume Information\_restore{8460C0D6-A1A2-47AC-88C0-BF4987B2D9F8}\RP9\A0010508.exe Win32/PrcView application

C:\WINDOWS\ohirifaduf.7z a variant of Win32/Kryptik.MTG trojan

D:\Documents and Settings.old\pat\Local Settings\Temp\ReactOS-0.3.10-REL-iso.zip probably a variant of Win32/TrojanDownloader.Agent.HDZMUGE trojan

D:\ins\CheatEngine54.exe multiple threats

D:\ins\ipscan.exe Win32/NetTool.Portscan.C application

D:\ins\mirc715.exe Win32/OpenCandy application

D:\ins\SmitfraudFix.exe multiple threats

D:\ins\vundufix\SmitfraudFix.exe multiple threats

D:\ins\vundufix\SmitfraudFix\Process.exe Win32/PrcView application

D:\ins\vundufix\SmitfraudFix\restart.exe Win32/Shutdown.NAA application

D:\Program Files\CE\Cheat Engine.exe a variant of Win32/HackTool.CheatEngine.AA application

D:\Program Files\CE\dbk32.dll a variant of Win32/HackTool.CheatEngine.AA application

D:\Program Files\CE\dbk32.sys a variant of Win32/HackTool.CheatEngine.AA application

D:\Program Files\CE\Systemcallretriever.exe a variant of Win32/HackTool.SystemCall.AA application

D:\Program Files\CE\systemcallsignal.exe a variant of Win32/HackTool.SystemCall.AA application

D:\Program Files\Cheat Engine\Cheat Engine.exe a variant of Win32/HackTool.CheatEngine.AA application

D:\Program Files\Cheat Engine\dbk32.dll a variant of Win32/HackTool.CheatEngine.AA application

D:\Program Files\Cheat Engine\dbk32.sys a variant of Win32/HackTool.CheatEngine.AA application

D:\Program Files\Cheat Engine\Systemcallretriever.exe a variant of Win32/HackTool.SystemCall.AA application

D:\Program Files\Cheat Engine\systemcallsignal.exe a variant of Win32/HackTool.SystemCall.AA application

D:\Program Files.old\Cheat Engine\Cheat Engine.exe a variant of Win32/HackTool.CheatEngine.AA application

D:\Program Files.old\Cheat Engine\dbk32.dll a variant of Win32/HackTool.CheatEngine.AA application

D:\Program Files.old\Cheat Engine\dbk32.sys a variant of Win32/HackTool.CheatEngine.AA application

D:\Program Files.old\Cheat Engine\Systemcallretriever.exe a variant of Win32/HackTool.SystemCall.AA application

D:\Program Files.old\Cheat Engine\systemcallsignal.exe a variant of Win32/HackTool.SystemCall.AA application

-------------------------------------------------------------------
The only line of any concern is
C:\WINDOWS\ohirifaduf.7z a variant of Win32/Kryptik.MTG trojan

And it's simply some suspicious files that I zipped up and deleted when I first found out I was infected.
All the rest of it is legitimate items.

mirc715 = mIRC irc client
reactos-0.3.10-rel-iso.zip = the reactos operating system ISO
ipscan = angry ip scanner and port probe (like nmap lite but with a gui)
cheat engine = runtime assembly level debugger I've used for programming. also will let you recover the contents of a notepad/msword/firefox session that has crashed with unsaved posts/text :P

process.exe I don't remember so it's probably not needed.

It took 24 hours to scan :P 1,500,000 files ish.

When I said TFC removed .5GB I meant 500MB.



Unless you have anything else you can recommend, I think it's clean now.

thanks
eadthem akip

#10 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,773 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:04:51 PM

Posted 15 May 2011 - 02:38 PM

Hello

The Online scan is only reporting backups created during the course of this fix (C:\Qoobox\Quarantine\) and/or items located in System Restore's cache (C:\System Volume Information\). Whatever is in these folders can't harm you unless you choose to perform a manual restore. The following steps will remove these backups.


Very well done!! This is my general post for when your logs show no more signs of malware - Please let me know if you still are having problems with your computer and what these problems are.


The following procedure will implement some cleanup procedures. It will also reset your System Restore by flushing out previous restore points and create a new restore point. It will also remove all the backups our tools may have made.

Any programs and logs that are left over can just be deleted from the desktop. TFC is a free temp file cleaner that is very easy to use; I would keep this and use it before you do any scans or when you want to free up some space.

:DeFogger:

  • To re-enable your Emulation drivers, double click DeFogger to run the tool.
  • The application window will appear
  • Click the Re-enable button to re-enable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
Your Emulation drivers are now re-enabled.


:Uninstall ComboFix:

  • turn off all active protection software
  • push the "windows key" + "R" (between the "Ctrl" button and "Alt" Button)
  • please copy and paste the following into the box ComboFix /Uninstall and click OK.
  • Note the space between the X and the /Uninstall, it needs to be there.


:remove tools:

Please download OTCleanIt and save it to desktop. This tool will remove all the tools we used to clean your pc.
  • Double-click OTCleanIt.exe.
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes, if not delete it by yourself.
  • If asked to restart the computer, please do so
Note: If you receive a warning from your firewall or other security programs regarding OTCleanIt attempting to contact the internet, please allow it to do so.


:clear system restore points:

This is a good time to clear your existing system restore points and establish a new clean restore point:
  • Go to Start > All Programs > Accessories > System Tools > System Restore
  • Select Create a restore point, and Ok it.
  • Next, go to Start > Run and type in cleanmgr
  • choose your root drive (normally C:)
  • after it calculates how much space you will save it will open up a new window
  • Select the More options tab at the top of the window
  • Choose the option to clean up system restore and OK it.
  • go back to the disk clean up tab
  • put a checkmark in all - except compress old files (leave this unchecked)
  • click Ok then click yes
This will remove all restore points except the new one you just created and clean unneeded files


:Make your Internet Explorer more secure:

  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.
  • Change the Download signed ActiveX controls to Prompt
  • Change the Download unsigned ActiveX controls to Disable
  • Change the Initialise and script ActiveX controls not marked as safe to Disable
  • Change the Installation of desktop items to Prompt
  • Change the Launching programs and files in an IFRAME to Prompt
  • When all these settings have been made, click on the OK button.
  • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    Next press the Apply button and then the OK to exit the Internet Properties page.


:Make Firefox more secure:

please visit this page to explain how to make Firefox more secure - How to Secure Firefox


Make sure your applications have all of their updates

It is also possible for other programs on your computer to have security vulnerabilities that can allow malware to infect you. Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector


:Turn On Automatic Updates:

Turn On Automatic Updates
1. Click Start, click Run, type sysdm.cpl, and then press ENTER.
2. Click the Automatic Updates tab, and then click to select one of the following options. We recommend that you select the Automatic (recommended) Automatically download recommended updates for my computer and install them

If you click this setting, click to select the day and time for scheduled updates to occur. You can schedule Automatic Updates for any time of day. Remember, your computer must be on at the scheduled time for updates to be installed. After you set this option, Windows recognizes when you are online and uses your Internet connection to find updates on the Windows Update Web site or on the Microsoft Update Web site that apply to your computer. Updates are downloaded automatically in the background, and you are not notified or interrupted during this process. An icon appears in the notification area of your taskbar when the updates are being downloaded. You can point to the icon to view the download status. To pause or to resume the download, right-click the icon, and then click Pause or Resume. When the download is completed, another message appears in the notification area so that you can review the updates that are scheduled for installation. If you choose not to install at that time, Windows starts the installation on your set schedule.

or visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

:antispyware programs:

I would recommend the download and installation of some or all of the following programs (all free), and the updating of them regularly:

  • WinPatrol As a robust security monitor, WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. WinPatrol takes snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge.
  • Spyware Blaster - By altering your registry, this program stops harmful sites from installing things like ActiveX Controls on your machines.
  • Malwarebytes' Anti-Malware Malwarebytes' Anti-Malware is a new and powerful anti-malware tool. It is totally free but for real-time protection you will have to pay a small one-time fee. We used this to help clean your computer and recommend keeping it and using it often.

Here is some great reading about how to be safer online:

PC Safety and Security - What Do I Need? from my friends at Tech Support Forum
and
COMPUTER SECURITY - a short guide to staying safer online from my friends at Malware Removal

I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can then be closed.

I Will Keep This Open For About Three Days, If Anything Comes Up - Just Come Back And Let Me Know, after that time you will have to send me a PM

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->Posted Image<-- Don't worry every little bit helps.

Gringo
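The triage eadthem does by hand in post #9 and the backup rule gringo_pr states in post #10, written out as an added example (not a BleepingComputer, ESET or HijackThis tool): it parses ESET Online Scanner result lines of the form "<path> <verdict>", puts quarantine and System Restore hits in an inert bucket, separates "application" (PUA / hack tool) verdicts from named trojans, and flags heuristic "probably a variant" matches for verification. The verdict grammar, the bucket names and the function names are my assumptions inferred from the lines posted on this page.

```python
# Added example, not a BleepingComputer, ESET or HijackThis tool: triage ESET
# Online Scanner result lines ("<path> <verdict>") the way this thread does.
import re
from collections import Counter

# Locations gringo_pr calls out as backups that cannot run unless restored.
INERT_PREFIXES = (
    "c:\\qoobox\\quarantine\\",          # ComboFix quarantine
    "c:\\system volume information\\",   # System Restore cache
)

# Verdict grammar inferred from the lines on this page (assumption):
# optional "probably", optional "a variant of", a Win32/Name, then a class word,
# or the bare phrase "multiple threats". The path itself may contain spaces.
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+"
    r"(?P<verdict>(?:probably )?(?:a variant of )?Win32/\S+ (?:application|trojan)"
    r"|multiple threats)\s*$"
)


def parse_line(line):
    """Return (path, verdict) for a result line, or None for any other text."""
    m = LINE_RE.match(line.strip())
    return (m.group("path"), m.group("verdict")) if m else None


def classify(path, verdict):
    """Map one hit to a triage bucket (bucket names are this example's own)."""
    if path.lower().startswith(INERT_PREFIXES):
        return "inert_backup"          # quarantine / restore cache: harmless until restored
    if verdict.startswith("probably"):
        return "heuristic"             # heuristic match: verify where the file came from
    if verdict == "multiple threats":
        return "review"                # archive or installer bundling several detections
    if verdict.endswith(" application"):
        return "potentially_unwanted"  # PUA / hack tool: fine if you installed it knowingly
    return "malware_candidate"         # named trojan outside any backup: investigate


def triage(report):
    """Parse a whole pasted report into [(path, verdict, bucket), ...]."""
    hits = []
    for line in report.splitlines():
        parsed = parse_line(line)
        if parsed:
            hits.append((*parsed, classify(*parsed)))
    return hits


def summarize(report):
    """Count hits per bucket."""
    return Counter(bucket for _, _, bucket in triage(report))


def lines_of_concern(report):
    """Paths that are named malware outside the quarantine/restore backups."""
    return [p for p, _, b in triage(report) if b == "malware_candidate"]


# Constructed sample: a subset of the result lines posted in this thread.
SAMPLE_REPORT = """
C:\\Qoobox\\Quarantine\\C\\WINDOWS\\system32\\Process.exe.vir Win32/PrcView application
C:\\System Volume Information\\_restore{8460C0D6-A1A2-47AC-88C0-BF4987B2D9F8}\\RP9\\A0010508.exe Win32/PrcView application
C:\\WINDOWS\\ohirifaduf.7z a variant of Win32/Kryptik.MTG trojan
D:\\Documents and Settings.old\\pat\\Local Settings\\Temp\\ReactOS-0.3.10-REL-iso.zip probably a variant of Win32/TrojanDownloader.Agent.HDZMUGE trojan
D:\\ins\\CheatEngine54.exe multiple threats
D:\\ins\\ipscan.exe Win32/NetTool.Portscan.C application
D:\\Program Files\\CE\\dbk32.sys a variant of Win32/HackTool.CheatEngine.AA application
"""

if __name__ == "__main__":
    for path, verdict, bucket in triage(SAMPLE_REPORT):
        print(f"{bucket:20} {path}  [{verdict}]")
    print(dict(summarize(SAMPLE_REPORT)))
```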

#11 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,773 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:04:51 PM

Posted 19 May 2011 - 02:44 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.



