Google and Yahoo under IE8 and Firefox keep redirecting


This topic is locked
21 replies to this topic

#1 deriderj

  • Members
  • 11 posts

Posted 19 May 2011 - 01:36 AM

When using Google or Yahoo and selecting something from the search results I am consistently (80% of the time) being redirected to another site. I can see in the status bar of the browser that it says it is being redirected when it occurs. When this first started happening it affected the sound and ultimately the sound stopped working altogether. The redirects have been going on for a long time (months). I installed all available Microsoft Application and Security updates (after reinstalling SP3).

I scanned this with Malwarebytes, Norton Anti-Virus, Microsoft's Security Essentials, Spybot Search & Destroy and several vendor-specific tools designed to remove the TDSS infection. I run SpywareBlaster on this PC.

Symantec's tool to get rid of rootkits found Tidserv Activity 2 which it also called Backdoor.Tidserv and said it removed it but the redirects continued to occur.

I reinstalled XP SP3, ran chkdsk on all the drives, ran ccleaner to clean files and registry and installed and ran Glary utilities to clean the registry, defragged the drives.

I installed and tried Google Chrome and the redirect does not occur but I don't want to use Google Chrome because the interface is so different.

I uninstalled Norton from Comcast and installed the newest retail version of Norton and ran a computer scan, but Norton found no infections and no files of ill repute. I uninstalled the newest version of Norton and installed the newest version of Comcast Xfinity protection suite, which includes an updated version of Norton (updated from Comcast's previous version), and ran a reputation scan and computer scan, but Norton found no infections.

The computer works better than it did prior to all my attempts to correct the redirect. It performs better, has sound and doesn't crash with a blue screen the way it did but the redirect is still occurring.

I'm looking for help please in removing the stubborn infection that is causing Google and Yahoo search results to be redirected. Please let me know if there is any additional information required.

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Kathy at 20:16:55.04 on Wed 05/18/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.124 [GMT -5:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
svchost.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Google\Update\1.3.21.53\GoogleCrashHandler.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\MozyHome\mozybackup.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\Program Files\Norton Security Suite\Engine\5.1.0.29\ccSvcHst.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Microsoft\BingBar\SeaPort.EXE
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Constant Guard Protection Suite\IDVaultSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\PROGRA~1\Eraser\Eraser.exe
C:\Program Files\LDS Media\LDS Library 2005\5.1.0\LDSLibQuickStart.exe
C:\PROGRA~1\VISION~1\ONETOU~2.EXE
C:\Program Files\SFT\GuardedID\gidd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Kathy\Local Settings\Application Data\Google\Update\1.3.21.53\GoogleCrashHandler.exe
C:\Program Files\Constant Guard Protection Suite\IDVault.exe
C:\Program Files\Java\jre6\bin\javaw.exe
C:\Program Files\SmartDisk\FlashPath\sdstat.exe
C:\Program Files\MozyHome\mozystat.exe
C:\Program Files\Norton Security Suite\Engine\5.1.0.29\ccSvcHst.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Kathy\Desktop\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.foxnews.com/
uSearch Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uWindow Title = Internet Explorer, optimized for Bing and MSN
uDefault_Page_URL = hxxp://www.msn.com
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Constant Guard Protection Suite: {5b0a01d2-b8a0-4e56-9e6b-cba0ef4b4eb5} - mscoree.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton security suite\engine\5.1.0.29\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton security suite\engine\5.1.0.29\ips\IPSBHO.DLL
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "c:\program files\microsoft\bingbar\BingExt.dll"
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar.dll
TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "c:\program files\microsoft\bingbar\BingExt.dll"
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton security suite\engine\5.1.0.29\coIEPlg.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\kathy\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [BMUpdate] c:\windows\system32\BMUpdate.exe
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Eraser] "c:\progra~1\eraser\Eraser.exe" --atRestart
mRun: [LDSLibrary] c:\program files\lds media\lds library 2005\5.1.0\LDSLibQuickStart.exe
mRun: [OneTouch Monitor] c:\progra~1\vision~1\ONETOU~2.EXE
mRun: [GIDDesktop] c:\program files\sft\guardedid\gidd.exe /s
StartupFolder: c:\docume~1\kathy\startm~1\programs\startup\checkf~1.lnk - c:\program files\visioneer onetouch\WiseUpdt.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\consta~1.lnk - c:\program files\constant guard protection suite\IDVault.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\easyup~1.lnk - c:\program files\clearplay easy updates\ClearPlayClient.jar
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\flashp~1.lnk - c:\program files\smartdisk\flashpath\sdstat.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mozyho~1.lnk - c:\program files\mozyhome\mozystat.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
IE: &Google Search - c:\program files\google\googletoolbar.dll/cmsearch.html
IE: Backward &Links - c:\program files\google\googletoolbar.dll/cmbacklinks.html
IE: Cac&hed Snapshot of Page - c:\program files\google\googletoolbar.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\canon\easy-webprint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\canon\easy-webprint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\canon\easy-webprint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\canon\easy-webprint\Resource.dll/RC_Print.html
IE: Si&milar Pages - c:\program files\google\googletoolbar.dll/cmsimilar.html
IE: Translate into English - c:\program files\google\googletoolbar.dll/cmtrans.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: intuit.com\ttlc
Trusted Zone: turbotax.com
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\kathy\applic~1\mozilla\firefox\profiles\ipbk5uf5.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.foxnews.com/
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\coffplgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\ipsffplgn\components\IPSFFPl.dll
FF - component: c:\documents and settings\kathy\application data\mozilla\firefox\profiles\ipbk5uf5.default\extensions\{00f2c0c6-2194-484e-9064-44e57787867b}\components\RadioWMPCore.dll
FF - component: c:\documents and settings\kathy\application data\mozilla\firefox\profiles\ipbk5uf5.default\extensions\{00f2c0c6-2194-484e-9064-44e57787867b}\components\RadioWMPCoreGecko19.dll
FF - component: c:\documents and settings\kathy\application data\mozilla\firefox\profiles\ipbk5uf5.default\extensions\{548f6736-8fe4-4680-82f2-170d6c07e1d2}\components\FFExternalAlert.dll
FF - component: c:\documents and settings\kathy\application data\mozilla\firefox\profiles\ipbk5uf5.default\extensions\{548f6736-8fe4-4680-82f2-170d6c07e1d2}\components\RadioWMPCore.dll
FF - component: c:\documents and settings\kathy\application data\mozilla\firefox\profiles\ipbk5uf5.default\extensions\engine@conduit.com\components\RadioWMPCore.dll
FF - component: c:\documents and settings\kathy\application data\mozilla\firefox\profiles\ipbk5uf5.default\extensions\engine@conduit.com\components\RadioWMPCoreGecko19.dll
FF - plugin: c:\documents and settings\kathy\application data\move networks\plugins\071801000006\npqmp071801000006.dll
FF - plugin: c:\documents and settings\kathy\local settings\application data\google\update\1.3.21.53\npGoogleUpdate3.dll
FF - plugin: c:\progra~1\mozill~1\plugins\np-mswmp.dll
FF - plugin: c:\progra~1\mozill~1\plugins\np_gp.dll
FF - plugin: c:\progra~1\mozill~1\plugins\npdeploytk.dll
FF - plugin: c:\progra~1\mozill~1\plugins\npGoogleGadgetPluginFirefoxWin.dll
FF - plugin: c:\progra~1\mozill~1\plugins\npicaN.dll
FF - plugin: c:\progra~1\mozill~1\plugins\npmozax.dll
FF - plugin: c:\progra~1\mozill~1\plugins\npnul32.dll
FF - plugin: c:\progra~1\mozill~1\plugins\NPOFFICE.DLL
FF - plugin: c:\progra~1\mozill~1\plugins\nppdf32.dll
FF - plugin: c:\progra~1\mozill~1\plugins\npqtplugin2.dll
FF - plugin: c:\progra~1\mozill~1\plugins\npqtplugin3.dll
FF - plugin: c:\progra~1\mozill~1\plugins\npqtplugin4.dll
FF - plugin: c:\program files\canon\zoombrowser ex\program\NPCIG.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.1636.7222\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.3.21.53\npGoogleUpdate3.dll
FF - plugin: c:\program files\microsoft research\hdview for firefox\nphdview.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60129.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npicaN.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
.
---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - false // Popupblocker control handled by McAfee Privacy Service
.
============= SERVICES / DRIVERS ===============
.
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\n360\0501000.01d\symds.sys [2011-5-18 340088]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0501000.01d\symefa.sys [2011-5-18 744568]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.0.0.125\definitions\bashdefs\20110518.001\BHDrvx86.sys [2011-5-18 802936]
R1 GIDv2;GIDv2;c:\windows\system32\drivers\gidv2.sys [2011-5-18 25232]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\n360\0501000.01d\ironx86.sys [2011-5-18 136312]
R2 FlashNT;FlashNT;c:\windows\system32\drivers\FLASHNT.SYS [2006-7-13 72784]
R2 IDVaultSvc;CGPS Service;c:\program files\constant guard protection suite\IDVaultSvc.exe [2011-5-11 60488]
R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\logmein\x86\LMIGuardianSvc.exe [2010-10-5 374152]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2007-6-5 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2007-6-5 47640]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 N360;Norton Security Suite;c:\program files\norton security suite\engine\5.1.0.29\ccsvchst.exe [2011-5-18 130008]
R2 Sdselect;Sdselect;c:\windows\system32\drivers\sdselect.sys [2006-7-13 73296]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-5-18 105592]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.0.0.125\definitions\ipsdefs\20110518.001\IDSXpx86.sys [2011-5-18 341944]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.0.0.125\definitions\virusdefs\20110518.021\naveng.sys [2011-5-18 86008]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.0.0.125\definitions\virusdefs\20110518.021\navex15.sys [2011-5-18 1542392]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate1c9fd0a8d460ea;Google Update Service (gupdate1c9fd0a8d460ea);c:\program files\google\update\GoogleUpdate.exe [2009-7-4 133104]
S3 BBSvc;Bing Bar Update Service;c:\program files\microsoft\bingbar\BBSvc.EXE [2011-2-28 183560]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2009-7-4 133104]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2004-8-10 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
.
=============== Created Last 30 ================
.
2011-05-19 00:20:57 744568 ----a-w- c:\windows\system32\drivers\n360\0501000.01d\symefa.sys
2011-05-19 00:20:57 369784 ----a-w- c:\windows\system32\drivers\n360\0501000.01d\symtdi.sys
2011-05-19 00:20:57 331384 ----a-w- c:\windows\system32\drivers\n360\0501000.01d\symtdiv.sys
2011-05-19 00:20:57 296568 ----a-w- c:\windows\system32\drivers\n360\0501000.01d\symnets.sys
2011-05-19 00:20:56 516216 ----a-w- c:\windows\system32\drivers\n360\0501000.01d\srtsp.sys
2011-05-19 00:20:56 50168 ----a-w- c:\windows\system32\drivers\n360\0501000.01d\srtspx.sys
2011-05-19 00:20:56 340088 ----a-w- c:\windows\system32\drivers\n360\0501000.01d\symds.sys
2011-05-19 00:20:56 136312 ----a-r- c:\windows\system32\drivers\n360\0501000.01d\ironx86.sys
2011-05-19 00:20:21 -------- d-----w- c:\windows\system32\drivers\n360\0501000.01D
2011-05-19 00:10:59 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2011-05-19 00:10:38 60872 ----a-w- c:\windows\system32\S32EVNT1.DLL
2011-05-19 00:10:38 126584 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2011-05-19 00:10:38 -------- d-----w- c:\program files\Symantec
2011-05-19 00:10:17 106928 ----a-w- c:\windows\system32\GEARAspi.dll
2011-05-19 00:10:05 -------- d-----w- c:\windows\system32\drivers\N360
2011-05-19 00:10:03 -------- d-----w- c:\program files\Norton Security Suite
2011-05-19 00:09:47 -------- d-----w- c:\program files\NortonInstaller
2011-05-18 23:51:43 -------- d-----w- c:\docume~1\alluse~1\applic~1\IsolatedStorage
2011-05-18 23:51:39 -------- d-----w- c:\docume~1\kathy\locals~1\applic~1\ID Vault
2011-05-18 23:51:25 87624 ----a-w- c:\program files\mozilla firefox\IdVaultCore.XmlSerializers.dll
2011-05-18 23:51:25 8007680 ----a-w- c:\program files\mozilla firefox\Microsoft.mshtml.dll
2011-05-18 23:51:25 1591880 ----a-w- c:\program files\mozilla firefox\IdVaultCore.dll
2011-05-18 23:51:25 129608 ----a-w- c:\program files\mozilla firefox\CommonDotNET.dll
2011-05-18 23:51:17 -------- d-----w- c:\docume~1\kathy\applic~1\ID Vault
2011-05-18 23:51:07 25232 ------w- c:\windows\system32\drivers\gidv2.sys
2011-05-18 23:51:04 -------- d-----w- c:\documents and settings\all users\GID
2011-05-18 23:51:02 -------- d-----w- c:\program files\SFT
2011-05-18 23:50:54 -------- d-----w- c:\program files\Constant Guard Protection Suite
2011-05-18 23:50:45 -------- d-----w- c:\docume~1\alluse~1\applic~1\White Sky, Inc
2011-05-17 23:57:28 176128 ----a-w- c:\windows\system32\BMUpdate.exe
2011-05-17 23:57:11 -------- d-----w- c:\program files\Visioneer OneTouch
2011-05-17 23:27:49 -------- d-----w- c:\windows\VizLog
2011-05-17 14:10:41 -------- d-----w- C:\GNCI
2011-04-28 08:26:02 -------- d-----w- c:\docume~1\kathy\locals~1\applic~1\NPE
2011-04-27 08:42:01 -------- d-----w- c:\documents and settings\kathy\DoctorWeb
2011-04-27 06:12:55 -------- d-----w- c:\program files\Emsisoft Anti-Malware
2011-04-19 19:57:56 -------- d-----w- c:\docume~1\kathy\applic~1\GlarySoft
2011-04-19 19:54:39 -------- d-----w- c:\program files\Glary Utilities
2011-04-19 18:18:19 -------- d-----w- c:\program files\SpywareBlaster
2011-04-19 17:27:45 -------- d-----w- c:\windows\$SQLUninstallSQL2000-KB960082-v8.00.2055-x86-ENU$
2011-04-19 17:19:36 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2011-04-19 16:48:39 -------- d-----w- c:\windows\system32\winrm
2011-04-19 16:48:39 -------- d-----w- c:\windows\system32\GroupPolicy
2011-04-19 16:48:36 -------- dc-h--w- c:\windows\$968930Uinstall_KB968930$
.
==================== Find3M ====================
.
2011-04-18 16:57:28 135360 ----a-w- C:\FixBlast.exe
2011-04-12 13:45:16 118784 --sha-r- c:\windows\system32\msimg32Z.dll
2011-03-07 05:33:50 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:37:06 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-04 00:03:48 66328 ----a-w- c:\windows\system32\SysEventMenu.dll
2011-03-04 00:03:22 53528 ----a-w- c:\windows\system32\GIDLogonXP.dll
2011-03-04 00:02:56 378648 ----a-w- c:\windows\system32\GIDHookLogon.dll
2011-03-04 00:02:46 392976 ----a-w- c:\windows\system32\GIDHook.dll
2011-03-04 00:01:58 100624 ----a-w- c:\windows\system32\GIDBIN3.dll
2011-03-04 00:01:40 172304 ----a-w- c:\windows\system32\GIDBIN1.dll
2011-03-03 13:21:11 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-23 08:15:13 11447056 ----a-w- c:\documents and settings\all users\Tempmozy-manualupdate-c0261ff8012aad585d55140a9b6ddcb9.exe
2011-02-22 23:06:29 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 23:06:29 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-02-22 23:06:29 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-02-22 11:41:59 385024 ----a-w- c:\windows\system32\html.iec
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600
.
CreateFile("\\.\PHYSICALDRIVE0"): The process cannot access the file because it is being used by another process.
device: opened successfully
user: error reading MBR
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys
1 ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\Harddisk0\DR0[0x862D6AB8]
3 CLASSPNP[0xF75D0FD7] -> ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\00000078[0x862D1F18]
5 ACPI[0xF7447620] -> ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\Ide\IdeDeviceP2T0L0-5[0x8633ED98]
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV DI, 0x5; XOR AX, AX; MOV DL, 0x80; INT 0x13; JAE 0x2d; DEC DI; }
user != kernel MBR !!!
.
============= FINISH: 20:18:28.09 ===============

Update: In my original post I noted that Google Chrome was not redirecting. Starting this morning, three weeks after installing Google Chrome, it started (it is now) redirecting Yahoo and Google search results the same as Firefox and IE8.

EDIT: Posts merged ~Budapest

Edited by Budapest, 19 May 2011 - 04:45 PM.



#2 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender: Male
  • Location: Puerto Rico

Posted 22 May 2011 - 03:12 AM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together:

  • Do not run any other tool until instructed to do so!
  • Please do not attach logs or put them in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having, as these can help also.
  • Do not run anything while running a fix.


We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Click on the Watch Topic button, select Immediate Notification and click on Proceed; this will help you get notified faster when I have replied and will make the cleaning process faster.


In order for me to see the status of the infection I will need a new set of logs to start with.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

DeFogger:

  • Please download DeFogger to your desktop.
  • Double-click DeFogger to run the tool.
  • The application window will appear.
  • Click the Disable button to disable your CD Emulation drivers.
  • Click Yes to continue.
  • A 'Finished!' message will appear.
  • Click OK.
  • DeFogger may ask you to reboot the machine; if it does, click OK.

Do not re-enable these drivers until otherwise instructed.

Download DDS:

  • Please download DDS by sUBs from one of the links below and save it to your desktop:

    Link1
    Link2
    Link3

  • Please disable any anti-malware program that will block scripts from running before running DDS.
  • Double-click on dds.scr and a command window will appear. This is normal.
  • Shortly after, two logs will appear:
    • DDS.txt
    • Attach.txt
  • A window will open instructing you to save and post the logs.
  • Save the logs to a convenient place such as your desktop.
  • Copy the contents of both logs and post them in your next reply.


Scan With RKUnHooker

  • Please download Rootkit Unhooker and save it to your desktop.
  • Now double-click on RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Check (tick) Drivers and Stealth. Uncheck the rest, then click OK.
  • Wait till the scanner has finished and then click File, Save Report.
  • Save the report somewhere where you can find it. Click Close.

Copy the entire contents of the report and paste it in a reply here.

Note: you may get this warning; it is OK, just ignore it:

"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"

Just click on Cancel, then Accept.


Information and logs:

In your next post I need the following:

  • logs from DDS
  • log from RKUnHooker
  • let me know of any problems you may have had

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic




Proud Graduate Of Malware Removal University

#3 deriderj

  • Topic Starter
  • Members
  • 11 posts

Posted 23 May 2011 - 03:16 AM

Nice to meet you Gringo!

Thank you for offering to help me out. Here are the three logs / reports (DDS.txt, Attach.txt and Report.txt) that you asked for.

Joel

.
DDS (Ver_11-05-19.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_15
Run by Kathy at 3:02:27 on 2011-05-23
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.333 [GMT -5:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
svchost.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Google\Update\1.3.21.53\GoogleCrashHandler.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\MozyHome\mozybackup.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\Program Files\Norton Security Suite\Engine\5.1.0.29\ccSvcHst.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Microsoft\BingBar\SeaPort.EXE
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Constant Guard Protection Suite\IDVaultSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\PROGRA~1\Eraser\Eraser.exe
C:\Program Files\LDS Media\LDS Library 2005\5.1.0\LDSLibQuickStart.exe
C:\Program Files\SFT\GuardedID\gidd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Kathy\Local Settings\Application Data\Google\Update\1.3.21.53\GoogleCrashHandler.exe
C:\Program Files\Constant Guard Protection Suite\IDVault.exe
C:\Program Files\Java\jre6\bin\javaw.exe
C:\Program Files\SmartDisk\FlashPath\sdstat.exe
C:\Program Files\MozyHome\mozystat.exe
C:\Program Files\Norton Security Suite\Engine\5.1.0.29\ccSvcHst.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Documents and Settings\Kathy\Desktop\dds.scr
C:\WINDOWS\system32\WSCRIPT.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.foxnews.com/
uSearch Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uWindow Title = Internet Explorer, optimized for Bing and MSN
uDefault_Page_URL = hxxp://www.msn.com
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Constant Guard Protection Suite: {5b0a01d2-b8a0-4e56-9e6b-cba0ef4b4eb5} - mscoree.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton security suite\engine\5.1.0.29\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton security suite\engine\5.1.0.29\ips\IPSBHO.DLL
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "c:\program files\microsoft\bingbar\BingExt.dll"
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar.dll
TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "c:\program files\microsoft\bingbar\BingExt.dll"
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton security suite\engine\5.1.0.29\coIEPlg.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\kathy\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [BMUpdate] c:\windows\system32\BMUpdate.exe
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Eraser] "c:\progra~1\eraser\Eraser.exe" --atRestart
mRun: [LDSLibrary] c:\program files\lds media\lds library 2005\5.1.0\LDSLibQuickStart.exe
mRun: [OneTouch Monitor] c:\progra~1\vision~1\ONETOU~2.EXE
mRun: [GIDDesktop] c:\program files\sft\guardedid\gidd.exe /s
StartupFolder: c:\docume~1\kathy\startm~1\programs\startup\checkf~1.lnk - c:\program files\visioneer onetouch\WiseUpdt.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\consta~1.lnk - c:\program files\constant guard protection suite\IDVault.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\easyup~1.lnk - c:\program files\clearplay easy updates\ClearPlayClient.jar
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\flashp~1.lnk - c:\program files\smartdisk\flashpath\sdstat.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mozyho~1.lnk - c:\program files\mozyhome\mozystat.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
IE: &Google Search - c:\program files\google\googletoolbar.dll/cmsearch.html
IE: Backward &Links - c:\program files\google\googletoolbar.dll/cmbacklinks.html
IE: Cac&hed Snapshot of Page - c:\program files\google\googletoolbar.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\canon\easy-webprint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\canon\easy-webprint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\canon\easy-webprint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\canon\easy-webprint\Resource.dll/RC_Print.html
IE: Si&milar Pages - c:\program files\google\googletoolbar.dll/cmsimilar.html
IE: Translate into English - c:\program files\google\googletoolbar.dll/cmtrans.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: intuit.com\ttlc
Trusted Zone: turbotax.com
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21}
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1303232809312
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100
Notify: GIDLogonXP - GIDLogonXP.dll
Notify: LMIinit - LMIinit.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
mASetup: {9191979D-821C-4EA8-B021-2DA1D859A7C5}-3Reg - c:\program files\sft\guardedid\gidi.exe /v
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\kathy\application data\mozilla\firefox\profiles\ipbk5uf5.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.foxnews.com/
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\coffplgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\ipsffplgn\components\IPSFFPl.dll
FF - component: c:\documents and settings\kathy\application data\mozilla\firefox\profiles\ipbk5uf5.default\extensions\{00f2c0c6-2194-484e-9064-44e57787867b}\components\RadioWMPCore.dll
FF - component: c:\documents and settings\kathy\application data\mozilla\firefox\profiles\ipbk5uf5.default\extensions\{00f2c0c6-2194-484e-9064-44e57787867b}\components\RadioWMPCoreGecko19.dll
FF - component: c:\documents and settings\kathy\application data\mozilla\firefox\profiles\ipbk5uf5.default\extensions\{548f6736-8fe4-4680-82f2-170d6c07e1d2}\components\FFExternalAlert.dll
FF - component: c:\documents and settings\kathy\application data\mozilla\firefox\profiles\ipbk5uf5.default\extensions\{548f6736-8fe4-4680-82f2-170d6c07e1d2}\components\RadioWMPCore.dll
FF - component: c:\documents and settings\kathy\application data\mozilla\firefox\profiles\ipbk5uf5.default\extensions\engine@conduit.com\components\RadioWMPCore.dll
FF - component: c:\documents and settings\kathy\application data\mozilla\firefox\profiles\ipbk5uf5.default\extensions\engine@conduit.com\components\RadioWMPCoreGecko19.dll
FF - plugin: c:\documents and settings\kathy\application data\move networks\plugins\071801000006\npqmp071801000006.dll
FF - plugin: c:\progra~1\mozill~1\plugins\np-mswmp.dll
FF - plugin: c:\progra~1\mozill~1\plugins\np_gp.dll
FF - plugin: c:\progra~1\mozill~1\plugins\npdeploytk.dll
FF - plugin: c:\progra~1\mozill~1\plugins\npGoogleGadgetPluginFirefoxWin.dll
FF - plugin: c:\progra~1\mozill~1\plugins\npicaN.dll
FF - plugin: c:\progra~1\mozill~1\plugins\npmozax.dll
FF - plugin: c:\progra~1\mozill~1\plugins\npnul32.dll
FF - plugin: c:\progra~1\mozill~1\plugins\NPOFFICE.DLL
FF - plugin: c:\progra~1\mozill~1\plugins\nppdf32.dll
FF - plugin: c:\progra~1\mozill~1\plugins\npqtplugin2.dll
FF - plugin: c:\progra~1\mozill~1\plugins\npqtplugin3.dll
FF - plugin: c:\progra~1\mozill~1\plugins\npqtplugin4.dll
FF - plugin: c:\program files\canon\zoombrowser ex\program\NPCIG.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.1636.7222\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.3.21.53\npGoogleUpdate3.dll
FF - plugin: c:\program files\microsoft research\hdview for firefox\nphdview.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60129.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npicaN.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
.
---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - false // Popupblocker control handled by McAfee Privacy Service
.
============= SERVICES / DRIVERS ===============
.
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\n360\0501000.01d\symds.sys [2011-5-18 340088]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0501000.01d\symefa.sys [2011-5-18 744568]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.0.0.125\definitions\bashdefs\20110518.001\BHDrvx86.sys [2011-5-18 802936]
R1 GIDv2;GIDv2;c:\windows\system32\drivers\gidv2.sys [2011-5-18 25232]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\n360\0501000.01d\ironx86.sys [2011-5-18 136312]
R2 FlashNT;FlashNT;c:\windows\system32\drivers\FLASHNT.SYS [2006-7-13 72784]
R2 IDVaultSvc;CGPS Service;c:\program files\constant guard protection suite\IDVaultSvc.exe [2011-5-11 60488]
R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\logmein\x86\LMIGuardianSvc.exe [2010-10-5 374152]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2007-6-5 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2007-6-5 47640]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 N360;Norton Security Suite;c:\program files\norton security suite\engine\5.1.0.29\ccsvchst.exe [2011-5-18 130008]
R2 Sdselect;Sdselect;c:\windows\system32\drivers\sdselect.sys [2006-7-13 73296]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-5-18 105592]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.0.0.125\definitions\ipsdefs\20110518.001\IDSXpx86.sys [2011-5-18 341944]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.0.0.125\definitions\virusdefs\20110522.002\NAVENG.SYS [2011-5-22 86008]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.0.0.125\definitions\virusdefs\20110522.002\NAVEX15.SYS [2011-5-22 1542392]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate1c9fd0a8d460ea;Google Update Service (gupdate1c9fd0a8d460ea);c:\program files\google\update\GoogleUpdate.exe [2009-7-4 133104]
S3 BBSvc;Bing Bar Update Service;c:\program files\microsoft\bingbar\BBSvc.EXE [2011-2-28 183560]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2009-7-4 133104]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2004-8-10 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
.
=============== Created Last 30 ================
.
2011-05-19 00:20:57 744568 ----a-w- c:\windows\system32\drivers\n360\0501000.01d\symefa.sys
2011-05-19 00:20:57 369784 ----a-w- c:\windows\system32\drivers\n360\0501000.01d\symtdi.sys
2011-05-19 00:20:57 331384 ----a-w- c:\windows\system32\drivers\n360\0501000.01d\symtdiv.sys
2011-05-19 00:20:57 296568 ----a-w- c:\windows\system32\drivers\n360\0501000.01d\symnets.sys
2011-05-19 00:20:56 516216 ----a-w- c:\windows\system32\drivers\n360\0501000.01d\srtsp.sys
2011-05-19 00:20:56 50168 ----a-w- c:\windows\system32\drivers\n360\0501000.01d\srtspx.sys
2011-05-19 00:20:56 340088 ----a-w- c:\windows\system32\drivers\n360\0501000.01d\symds.sys
2011-05-19 00:20:56 136312 ----a-r- c:\windows\system32\drivers\n360\0501000.01d\ironx86.sys
2011-05-19 00:20:21 -------- d-----w- c:\windows\system32\drivers\n360\0501000.01D
2011-05-19 00:10:59 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2011-05-19 00:10:38 60872 ----a-w- c:\windows\system32\S32EVNT1.DLL
2011-05-19 00:10:38 126584 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2011-05-19 00:10:38 -------- d-----w- c:\program files\Symantec
2011-05-19 00:10:17 106928 ----a-w- c:\windows\system32\GEARAspi.dll
2011-05-19 00:10:05 -------- d-----w- c:\windows\system32\drivers\N360
2011-05-19 00:10:03 -------- d-----w- c:\program files\Norton Security Suite
2011-05-19 00:09:47 -------- d-----w- c:\program files\NortonInstaller
2011-05-18 23:51:43 -------- d-----w- c:\documents and settings\all users\application data\IsolatedStorage
2011-05-18 23:51:39 -------- d-----w- c:\documents and settings\kathy\local settings\application data\ID Vault
2011-05-18 23:51:25 87624 ----a-w- c:\program files\mozilla firefox\IdVaultCore.XmlSerializers.dll
2011-05-18 23:51:25 8007680 ----a-w- c:\program files\mozilla firefox\Microsoft.mshtml.dll
2011-05-18 23:51:25 1591880 ----a-w- c:\program files\mozilla firefox\IdVaultCore.dll
2011-05-18 23:51:25 129608 ----a-w- c:\program files\mozilla firefox\CommonDotNET.dll
2011-05-18 23:51:17 -------- d-----w- c:\documents and settings\kathy\application data\ID Vault
2011-05-18 23:51:07 25232 ------w- c:\windows\system32\drivers\gidv2.sys
2011-05-18 23:51:04 -------- d-----w- c:\documents and settings\all users\GID
2011-05-18 23:51:02 -------- d-----w- c:\program files\SFT
2011-05-18 23:50:54 -------- d-----w- c:\program files\Constant Guard Protection Suite
2011-05-18 23:50:45 -------- d-----w- c:\documents and settings\all users\application data\White Sky, Inc
2011-05-17 23:57:28 176128 ----a-w- c:\windows\system32\BMUpdate.exe
2011-05-17 23:57:11 -------- d-----w- c:\program files\Visioneer OneTouch
2011-05-17 23:27:49 -------- d-----w- c:\windows\VizLog
2011-05-17 14:10:41 -------- d-----w- C:\GNCI
2011-04-28 08:26:02 -------- d-----w- c:\documents and settings\kathy\local settings\application data\NPE
2011-04-27 08:42:01 -------- d-----w- c:\documents and settings\kathy\DoctorWeb
2011-04-27 06:12:55 -------- d-----w- c:\program files\Emsisoft Anti-Malware
.
==================== Find3M ====================
.
2011-04-18 16:57:28 135360 ----a-w- C:\FixBlast.exe
2011-04-12 13:45:16 118784 --sha-r- c:\windows\system32\msimg32Z.dll
2011-03-07 05:33:50 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:37:06 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-04 00:03:48 66328 ----a-w- c:\windows\system32\SysEventMenu.dll
2011-03-04 00:03:22 53528 ----a-w- c:\windows\system32\GIDLogonXP.dll
2011-03-04 00:02:56 378648 ----a-w- c:\windows\system32\GIDHookLogon.dll
2011-03-04 00:02:46 392976 ----a-w- c:\windows\system32\GIDHook.dll
2011-03-04 00:01:58 100624 ----a-w- c:\windows\system32\GIDBIN3.dll
2011-03-04 00:01:40 172304 ----a-w- c:\windows\system32\GIDBIN1.dll
2011-03-03 13:21:11 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-23 08:15:13 11447056 ----a-w- c:\documents and settings\all users\Tempmozy-manualupdate-c0261ff8012aad585d55140a9b6ddcb9.exe
2011-02-22 23:06:29 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 23:06:29 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-02-22 23:06:29 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-02-22 11:41:59 385024 ----a-w- c:\windows\system32\html.iec
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600
.
CreateFile("\\.\PHYSICALDRIVE0"): The process cannot access the file because it is being used by another process.
device: opened successfully
user: error reading MBR
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
1 ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\Harddisk0\DR0[0x862D6AB8]
3 CLASSPNP[0xF75D0FD7] -> ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\00000078[0x862D1F18]
5 ACPI[0xF7447620] -> ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\Ide\IdeDeviceP2T0L0-5[0x8633ED98]
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV DI, 0x5; XOR AX, AX; MOV DL, 0x80; INT 0x13; JAE 0x2d; DEC DI; }
user != kernel MBR !!!
.
============= FINISH: 3:03:42.29 ===============

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_11-05-19.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 7/10/2006 7:35:25 PM
System Uptime: 5/19/2011 12:35:07 PM (87 hours ago)
.
Motherboard: Acer | | FC51GM
Processor: AMD Athlon™ 64 Processor 3700+ | Socket 939 | 2210/201mhz
.
==== Disk Partitions =========================
.
A: is Removable
C: is FIXED (NTFS) - 114 GiB total, 61.579 GiB free.
D: is FIXED (FAT32) - 114 GiB total, 67.114 GiB free.
E: is CDROM ()
F: is CDROM ()
G: is Removable
H: is Removable
I: is Removable
J: is Removable
.
==== Disabled Device Manager Items =============
.
Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: NVIDIA nForce Networking Controller
Device ID: {1A3E09BE-1E45-494B-9174-D7385B45BBF5}\NVNET_DEV0269\4&BE1C8A6&0&01
Manufacturer: NVIDIA
Name: NVIDIA nForce Networking Controller
PNP Device ID: {1A3E09BE-1E45-494B-9174-D7385B45BBF5}\NVNET_DEV0269\4&BE1C8A6&0&01
Service: NVENETFD
.
==== System Restore Points ===================
.
RP1: 4/28/2011 3:58:04 AM - System Checkpoint
RP2: 4/28/2011 3:58:19 AM - Norton_Power_Eraser_20110428035812312
RP3: 4/29/2011 4:07:55 AM - System Checkpoint
RP4: 4/30/2011 4:20:31 AM - System Checkpoint
RP5: 5/1/2011 4:49:10 AM - System Checkpoint
RP6: 5/2/2011 4:49:20 AM - System Checkpoint
RP7: 5/3/2011 4:49:28 AM - System Checkpoint
RP8: 5/4/2011 5:02:29 AM - System Checkpoint
RP9: 5/5/2011 5:47:48 AM - System Checkpoint
RP10: 5/6/2011 5:48:04 AM - System Checkpoint
RP11: 5/7/2011 5:48:13 AM - System Checkpoint
RP12: 5/8/2011 5:48:19 AM - System Checkpoint
RP13: 5/9/2011 5:48:31 AM - System Checkpoint
RP14: 5/10/2011 5:48:40 AM - System Checkpoint
RP15: 5/11/2011 5:48:47 AM - System Checkpoint
RP16: 5/12/2011 5:48:55 AM - System Checkpoint
RP17: 5/13/2011 5:49:02 AM - System Checkpoint
RP18: 5/14/2011 6:49:03 AM - System Checkpoint
RP19: 5/15/2011 6:49:40 AM - System Checkpoint
RP20: 5/16/2011 6:49:46 AM - System Checkpoint
RP21: 5/17/2011 6:49:54 AM - System Checkpoint
RP22: 5/17/2011 6:34:04 PM - Removed TurboTax ItsDeductible 2005
RP23: 5/17/2011 6:34:38 PM - Removed TurboTax ItsDeductible 2006
RP24: 5/18/2011 10:49:08 PM - System Checkpoint
RP25: 5/19/2011 11:06:46 PM - System Checkpoint
RP26: 5/20/2011 11:56:25 PM - System Checkpoint
RP27: 5/22/2011 12:52:07 AM - System Checkpoint
RP28: 5/23/2011 12:52:29 AM - System Checkpoint
.
==== Installed Programs ======================
.
.
Acrobat.com
Adobe Acrobat 4.0
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.4.4
Adobe Shockwave Player 11.5
Ancestral Quest 11
Ancestral Quest Collaboration Support
AnswerWorks 4.0 Runtime - English
AnswerWorks 5.0 English Runtime
Athlon 64 Processor Driver
Bing Bar
Canon Camera Access Library
Canon Digital Camera Solution Disk 40-46 Software Starter Guide
CANON iMAGE GATEWAY Task for ZoomBrowser EX
Canon Inkjet Printer Driver Add-On Module
Canon Internet Library for ZoomBrowser EX
Canon MovieEdit Task for ZoomBrowser EX
Canon Personal Printing Guide
Canon PhotoRecord
Canon PIXMA iP5000
Canon PowerShot SD1200 IS_IXUS 95 IS Camera User Guide
Canon Utilities CameraWindow
Canon Utilities CameraWindow DC
Canon Utilities CameraWindow DC_DV 6 for ZoomBrowser EX
Canon Utilities Easy-PhotoPrint
Canon Utilities MyCamera
Canon Utilities MyCamera DC
Canon Utilities PhotoStitch
Canon Utilities RemoteCapture Task for ZoomBrowser EX
Canon Utilities ZoomBrowser EX
Canon ZoomBrowser EX Memory Card Utility
CCleaner
Citrix XenApp Web Plugin
ClearPlay Easy Updates
Compatibility Pack for the 2007 Office system
Constant Guard Protection Suite
Critical Update for Windows Media Player 11 (KB959772)
DBCM
Driver Detective
Dynex DX-E102 PCI 10/100Mb Network Adapter
Easy-WebPrint
ebgcInfra
ebgcRes
ebgcSDK
Educated Investor WealthBuilder
Eraser 6.0.8.2273
FamilySearch Indexing
FlashPath
French Spelling Settings
GemMaster Mystic
Glary Utilities 2.33.0.1158
Google Chrome
Google Earth
Google Toolbar for Internet Explorer
Google Update Helper
Google Updater
GuardedID
HDView for Firefox
Hotfix 2055 for SQL Server 2000 ENU (KB960082)
Hotfix for Microsoft .NET Framework 3.0 (KB932471)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 10 (KB903157)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
iClean
ImageMixer 3 SE Ver.5 Transfer Utility
ImageMixer 3 SE Ver.5 Video Tools
InterActual Player
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 5
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 9
Java™ 6 Update 15
Java™ 6 Update 2
Java™ 6 Update 3
Java™ 6 Update 5
Java™ SE Runtime Environment 6 Update 1
LDS Collectors Library 2005
LogMeIn
Lotus 1-2-3 97
Luxor
Luxor 2
LUXOR: Quest for the Afterlife
Malwarebytes' Anti-Malware
MGI PhotoSuite 4 (Remove Only)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2416447)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft Application Error Reporting
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Default Manager
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft National Language Support Downlevel APIs
Microsoft Office Outlook 2003 with Business Contact Manager Update
Microsoft Office Professional Edition 2003
Microsoft Silverlight
Microsoft SQL Server Desktop Engine (MICROSOFTSMLBIZ)
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable - KB2467175
Move Media Player
Move Networks MoveMedia
Mozilla Firefox 4.0 (x86 en-US)
MozyHome
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6 Service Pack 2 (KB954459)
Music Transfer Utility Ver.2
Norton Security Scan
Norton Security Suite
NTI Backup NOW! 4
NTI CD & DVD-Maker
NVIDIA Drivers
OLYMPUS CAMEDIA Master Pro
OmniPage Pro 12.0
OneTouch Version 3.0
Otto
PaperPort 7.02
PCShowBuzz
PDF-XChange 2.5 Driver Install
PDF-XChange 3.0
Pinnacle Studio LINX
PowerDVD
Quicken 2009
QuickTime
RealArcade
Realtek AC'97 Audio
ScanSoft RealSpeak
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 8 (KB2183461)
Security Update for Windows Internet Explorer 8 (KB2360131)
Security Update for Windows Internet Explorer 8 (KB2416400)
Security Update for Windows Internet Explorer 8 (KB2482017)
Security Update for Windows Internet Explorer 8 (KB2497640)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479628)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485376)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2503658)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2506223)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2511455)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
Sonic Encoders
Spybot - Search & Destroy
SpywareBlaster 4.4
Studio
TurboTax 2008
TurboTax 2008 WinPerFedFormset
TurboTax 2008 WinPerProgramHelp
TurboTax 2008 WinPerReleaseEngine
TurboTax 2008 WinPerTaxSupport
TurboTax 2008 WinPerUserEducation
TurboTax 2008 wmniper
TurboTax 2008 wrapper
TurboTax 2009
TurboTax 2009 WinPerFedFormset
TurboTax 2009 WinPerReleaseEngine
TurboTax 2009 WinPerTaxSupport
TurboTax 2009 wmniper
TurboTax 2009 wrapper
TurboTax 2009 wutiper
TurboTax 2010
TurboTax 2010 WinPerFedFormset
TurboTax 2010 WinPerReleaseEngine
TurboTax 2010 WinPerTaxSupport
TurboTax 2010 wmniper
TurboTax 2010 wrapper
TurboTax 2010 wutiper
TurboTax Deluxe 2005
TurboTax Deluxe 2007
Tweak UI
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Windows (KB971513)
Update for Windows Internet Explorer 8 (KB2362765)
Update for Windows Internet Explorer 8 (KB2447568)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Media Player 10 (KB913800)
Update for Windows Media Player 10 (KB926251)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Update Rollup 2 for Windows XP Media Center Edition 2005
ViewSonic Monitor Drivers
WebFldrs XP
WexTech AnswerWorks
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Imaging Component
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Live ID Sign-in Assistant
Windows Management Framework Core
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player Firefox Plugin
Windows Presentation Foundation
Windows XP Media Center Edition 2005 KB2502898
Windows XP Media Center Edition 2005 KB925766
Windows XP Media Center Edition 2005 KB973768
Windows XP Service Pack 3
XML Paper Specification Shared Components Pack 1.0
.
==== Event Viewer Messages From Past Week ========
.
5/17/2011 5:42:21 PM, error: Service Control Manager [7023] - The DNS Client service terminated with the following error: No protocol sequences have been registered.
5/17/2011 5:42:20 PM, error: dnscache [11004] - Unable to start DNS Client service. Could not start the Remote Procedure Call (RPC) interface for this service. To correct the problem, you may restart the RPC and DNS Client services. To do so, use the following commands at a command prompt: (1) type "net start rpc" to start the RPC service, and (2) type "net start dnscache" to start the DNS Client service. For specific error code information, see the record data displayed below.
.
==== End Of File ===========================


RkU Version: 3.8.388.590, Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 3)
Number of processors #1
==============================================
>Drivers
==============================================
0xF5CB1000 C:\WINDOWS\system32\drivers\ALCXWDM.SYS 4030464 bytes (Realtek Semiconductor Corp., Realtek AC'97 Audio Driver (WDM))
0xBE012000 C:\WINDOWS\System32\nv4_disp.dll 3956736 bytes (NVIDIA Corporation, NVIDIA Compatible Windows 2000 Display driver, Version 81.97 )
0xF60FC000 C:\WINDOWS\system32\DRIVERS\nv4_mini.sys 3538944 bytes (NVIDIA Corporation, NVIDIA Compatible Windows 2000 Miniport Driver, Version 81.97 )
0x804D7000 C:\WINDOWS\system32\ntkrnlpa.exe 2069376 bytes (Microsoft Corporation, NT Kernel & System)
0x804D7000 PnpManager 2069376 bytes
0x804D7000 RAW 2069376 bytes
0x804D7000 WMIxWDM 2069376 bytes
0xBF800000 Win32k 1859584 bytes
0xBF800000 C:\WINDOWS\System32\win32k.sys 1859584 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0xA120E000 C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\Definitions\VirusDefs\20110522.002\NAVEX15.SYS 1536000 bytes (Symantec Corporation, AV Engine)
0xF2E11000 C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\Definitions\BASHDefs\20110518.001\BHDrvx86.sys 819200 bytes (Symantec Corporation, BASH Driver)
0xF728F000 SYMEFA.SYS 765952 bytes
0xF71EB000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)
0xB7047000 C:\WINDOWS\System32\Drivers\N360\0501000.01D\SRTSP.SYS 548864 bytes (Symantec Corporation, Symantec AutoProtect)
0xF301D000 C:\WINDOWS\system32\DRIVERS\mrxsmb.sys 458752 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
0xF2F6F000 C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys 385024 bytes (Symantec Corporation, Symantec Eraser Control Driver)
0xF5B1A000 C:\WINDOWS\system32\DRIVERS\update.sys 385024 bytes (Microsoft Corporation, Update Driver)
0xF3332000 C:\WINDOWS\System32\Drivers\N360\0501000.01D\SYMTDI.SYS 364544 bytes (Symantec Corporation, Network Dispatch Driver)
0xF33E7000 C:\WINDOWS\system32\DRIVERS\tcpip.sys 364544 bytes (Microsoft Corporation, TCP/IP Protocol Driver)
0xF31EE000 C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\Definitions\IPSDefs\20110518.001\IDSxpx86.sys 360448 bytes (Symantec Corporation, IDS Core Driver)
0xB7E40000 C:\WINDOWS\system32\DRIVERS\srv.sys 360448 bytes (Microsoft Corporation, Server driver)
0xF735C000 SYMDS.SYS 356352 bytes
0xF5C43000 C:\WINDOWS\system32\DRIVERS\NVNRM.SYS 303104 bytes (NVIDIA Corporation, NVIDIA Network Resource Manager.)
0xBE3D8000 C:\WINDOWS\System32\ATMFD.DLL 290816 bytes (Adobe Systems Incorporated, Windows NT OpenType/Type 1 Font Driver)
0xB7F10000 C:\WINDOWS\System32\Drivers\HTTP.sys 266240 bytes (Microsoft Corporation, HTTP Protocol Stack)
0xF5C0C000 C:\WINDOWS\system32\DRIVERS\NVSNPU.SYS 225280 bytes (NVIDIA Corporation, NVIDIA Networking Soft-NPU Driver.)
0xF5B78000 C:\WINDOWS\system32\DRIVERS\rdpdr.sys 196608 bytes (Microsoft Corporation, Microsoft RDP Device redirector)
0xF7441000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)
0xB8142000 C:\WINDOWS\system32\DRIVERS\mrxdav.sys 184320 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)
0xF71BE000 NDIS.sys 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)
0x9EEEB000 C:\WINDOWS\system32\drivers\kmixer.sys 176128 bytes (Microsoft Corporation, Kernel Mode Audio Mixer)
0xF308D000 C:\WINDOWS\system32\DRIVERS\rdbss.sys 176128 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0xF319E000 C:\WINDOWS\system32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)
0xF73EB000 dmio.sys 155648 bytes (Microsoft Corp., Veritas Software, NT Disk Manager I/O Driver)
0xF32E4000 C:\WINDOWS\system32\DRIVERS\ipnat.sys 155648 bytes (Microsoft Corporation, IP Network Address Translator)
0xF32BE000 C:\WINDOWS\system32\Drivers\SYMEVENT.SYS 155648 bytes (Symantec Corporation, Symantec Event Library)
0xF2BD9000 C:\WINDOWS\System32\Drivers\Fastfat.SYS 147456 bytes (Microsoft Corporation, Fast FAT File System Driver)
0xF30B8000 C:\WINDOWS\system32\drivers\N360\0501000.01D\Ironx86.SYS 147456 bytes (Symantec Corporation, Iron Driver)
0xF5C8D000 C:\WINDOWS\system32\drivers\portcls.sys 147456 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0xF60C4000 C:\WINDOWS\system32\DRIVERS\USBPORT.SYS 147456 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0xF60A1000 C:\WINDOWS\system32\DRIVERS\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)
0xF317C000 C:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0x806D1000 ACPI_HAL 131840 bytes
0x806D1000 C:\WINDOWS\system32\hal.dll 131840 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0xF73B3000 fltmgr.sys 131072 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0xF7411000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver)
0xF2F01000 C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys 122880 bytes (Symantec Corporation, Symantec Eraser Utility Driver)
0xF71A4000 Mup.sys 106496 bytes (Microsoft Corporation, Multiple UNC Provider driver)
0xF73D3000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)
0xF2BC1000 C:\WINDOWS\System32\Drivers\dump_atapi.sys 98304 bytes
0xF6089000 C:\WINDOWS\system32\DRIVERS\Rtnicxp.sys 98304 bytes (Dynex , Dynex DX-E102/E202 10/100Mb NDIS XP Driver )
0xF7278000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0xF5BE1000 C:\WINDOWS\system32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
0xB8D4A000 C:\WINDOWS\system32\DRIVERS\irda.sys 90112 bytes (Microsoft Corporation, IRDA Protocol Driver)
0xB832D000 C:\WINDOWS\system32\drivers\wdmaud.sys 86016 bytes (Microsoft Corporation, MMSYSTEM Wave/Midi API mapper)
0xA11FA000 C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\Definitions\VirusDefs\20110522.002\NAVENG.SYS 81920 bytes (Symantec Corporation, AV Engine)
0xF5BF8000 C:\WINDOWS\system32\DRIVERS\parport.sys 81920 bytes (Microsoft Corporation, Parallel Port Driver)
0xF60E8000 C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver)
0xF3440000 C:\WINDOWS\system32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver)
0xF34C3000 C:\WINDOWS\system32\DRIVERS\mozy.sys 77824 bytes (Mozy, Inc., Mozy Change Monitor Filter Driver)
0xBE000000 C:\WINDOWS\System32\drivers\dxg.sys 73728 bytes (Microsoft Corporation, DirectX Graphics Driver)
0xF734A000 sr.sys 73728 bytes (Microsoft Corporation, System Restore Filesystem Filter Driver)
0xB80E1000 C:\WINDOWS\System32\Drivers\FlashNT.SYS 69632 bytes (SmartDisk Corporation, FlashPath Driver for Windows NT 4.0 & 2000)
0xF7430000 pci.sys 69632 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
0xF5BD0000 C:\WINDOWS\system32\DRIVERS\psched.sys 69632 bytes (Microsoft Corporation, MS QoS Packet Scheduler)
0xF3508000 C:\WINDOWS\System32\Drivers\Sdselect.SYS 69632 bytes (SmartDisk Corporation, SD Select Driver for Windows 2000)
0xB7855000 C:\WINDOWS\System32\Drivers\Cdfs.SYS 65536 bytes (Microsoft Corporation, CD-ROM File System Driver)
0xF77C0000 C:\WINDOWS\system32\DRIVERS\cdrom.sys 65536 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
0xF7600000 C:\WINDOWS\system32\DRIVERS\nic1394.sys 65536 bytes (Microsoft Corporation, IEEE1394 Ndis Miniport and Call Manager)
0xF7580000 ohci1394.sys 65536 bytes (Microsoft Corporation, 1394 OpenHCI Port Driver)
0xF65B9000 C:\WINDOWS\system32\DRIVERS\serial.sys 65536 bytes (Microsoft Corporation, Serial Device Driver)
0xF7660000 C:\WINDOWS\system32\DRIVERS\arp1394.sys 61440 bytes (Microsoft Corporation, IP/1394 Arp Client)
0xF77E0000 C:\WINDOWS\system32\drivers\drmk.sys 61440 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
0xF77D0000 C:\WINDOWS\system32\DRIVERS\redbook.sys 61440 bytes (Microsoft Corporation, Redbook Audio Filter Driver)
0xF30DC000 C:\WINDOWS\system32\drivers\sysaudio.sys 61440 bytes (Microsoft Corporation, System Audio WDM Filter)
0xF6549000 C:\WINDOWS\system32\DRIVERS\usbhub.sys 61440 bytes (Microsoft Corporation, Default Hub Driver for USB)
0xF7590000 C:\WINDOWS\system32\DRIVERS\1394BUS.SYS 57344 bytes (Microsoft Corporation, 1394 Bus Device Driver)
0xF77A0000 C:\WINDOWS\system32\DRIVERS\AmdK8.sys 57344 bytes (Advanced Micro Devices, AMD Processor Driver)
0xF75D0000 C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS 53248 bytes (Microsoft Corporation, SCSI Class System Dll)
0xF65A9000 C:\WINDOWS\system32\DRIVERS\rasl2tp.sys 53248 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
0xF75B0000 VolSnap.sys 53248 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0xF6589000 C:\WINDOWS\system32\DRIVERS\raspptp.sys 49152 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
0xF76B0000 C:\WINDOWS\System32\Drivers\Fips.SYS 45056 bytes (Microsoft Corporation, FIPS Crypto Driver)
0xF77B0000 C:\WINDOWS\system32\DRIVERS\imapi.sys 45056 bytes (Microsoft Corporation, IMAPI Kernel Driver)
0xF75A0000 MountMgr.sys 45056 bytes (Microsoft Corporation, Mount Manager)
0xF6599000 C:\WINDOWS\system32\DRIVERS\raspppoe.sys 45056 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
0xF76A0000 C:\WINDOWS\system32\drivers\N360\0501000.01D\SRTSPX.SYS 45056 bytes (Symantec Corporation, Symantec AutoProtect)
0xF7570000 isapnp.sys 40960 bytes (Microsoft Corporation, PNP ISA Bus Driver)
0xB7F71000 C:\WINDOWS\system32\drivers\LMIRfsDriver.sys 40960 bytes (LogMeIn, Inc., LogMeIn Rfs Drivemap Driver)
0xF6559000 C:\WINDOWS\System32\Drivers\NDProxy.SYS 40960 bytes (Microsoft Corporation, NDIS Proxy)
0xF6569000 C:\WINDOWS\system32\DRIVERS\termdd.sys 40960 bytes (Microsoft Corporation, Terminal Server Driver)
0xF75C0000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver)
0xF7670000 C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS 36864 bytes (Microsoft Corporation, Hid Class Library)
0xF6579000 C:\WINDOWS\system32\DRIVERS\msgpc.sys 36864 bytes (Microsoft Corporation, MS General Packet Classifier)
0xF7680000 C:\WINDOWS\system32\DRIVERS\netbios.sys 36864 bytes (Microsoft Corporation, NetBIOS interface driver)
0xA269E000 C:\WINDOWS\System32\Drivers\Normandy.SYS 36864 bytes (RKU Driver)
0xF7650000 C:\WINDOWS\system32\DRIVERS\wanarp.sys 36864 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
0xF78C0000 C:\WINDOWS\System32\Drivers\Npfs.SYS 32768 bytes (Microsoft Corporation, NPFS Driver)
0xF78E8000 C:\WINDOWS\system32\DRIVERS\usbccgp.sys 32768 bytes (Microsoft Corporation, USB Common Class Generic Parent Driver)
0xF7960000 C:\WINDOWS\system32\DRIVERS\usbehci.sys 32768 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
0xF7970000 C:\WINDOWS\System32\Drivers\fdc.sys 28672 bytes (Microsoft Corporation, Floppy Disk Controller Driver)
0xF78A8000 C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS 28672 bytes (Microsoft Corporation, Hid Parsing Library)
0xF78F8000 C:\DOCUME~1\Kathy\LOCALS~1\Temp\mbr.sys 28672 bytes
0xF77F0000 C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS 28672 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
0xF3473000 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS 28672 bytes (Microsoft Corporation, USB Mass Storage Class Driver)
0xF7968000 C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys 24576 bytes (GEAR Software Inc., CD DVD Filter)
0xF7860000 C:\WINDOWS\system32\DRIVERS\kbdclass.sys 24576 bytes (Microsoft Corporation, Keyboard Class Driver)
0xF78A0000 C:\WINDOWS\system32\DRIVERS\mouclass.sys 24576 bytes (Microsoft Corporation, Mouse Class Driver)
0xF327E000 C:\WINDOWS\system32\DRIVERS\point32.sys 24576 bytes (Microsoft Corporation, Point32.sys)
0xF78B0000 C:\WINDOWS\System32\drivers\vga.sys 24576 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
0xF349B000 C:\WINDOWS\System32\Drivers\GIDv2.SYS 20480 bytes (StrikeForce Technologies, Inc., GuardedID v2 Keyboard Filter)
0xF7978000 C:\WINDOWS\system32\DRIVERS\irsir.sys 20480 bytes (Microsoft Corporation, Serial Infrared Driver)
0xF78B8000 C:\WINDOWS\System32\Drivers\Msfs.SYS 20480 bytes (Microsoft Corporation, Mailslot driver)
0xF77F8000 PartMgr.sys 20480 bytes (Microsoft Corporation, Partition Manager)
0xF7850000 C:\WINDOWS\system32\DRIVERS\ptilink.sys 20480 bytes (Parallel Technologies, Inc., Parallel Technologies DirectParallel IO Library)
0xF7800000 PxHelp20.sys 20480 bytes (Sonic Solutions, Px Engine Device Driver for Windows 2000/XP)
0xF7840000 C:\WINDOWS\system32\DRIVERS\rasirda.sys 20480 bytes (Microsoft Corporation, IrDA WAN Miniport Driver)
0xF7858000 C:\WINDOWS\system32\DRIVERS\raspti.sys 20480 bytes (Microsoft Corporation, PTI DirectParallel® mini-port/call-manager driver)
0xF7888000 C:\WINDOWS\System32\Drivers\Sdfloppy.sys 20480 bytes (SmartDisk Corporation, SDFloppy Driver for Windows 2000)
0xF7848000 C:\WINDOWS\system32\DRIVERS\TDI.SYS 20480 bytes (Microsoft Corporation, TDI Wrapper)
0xF7958000 C:\WINDOWS\system32\DRIVERS\usbohci.sys 20480 bytes (Microsoft Corporation, OHCI USB Miniport Driver)
0xF3453000 C:\WINDOWS\System32\watchdog.sys 20480 bytes (Microsoft Corporation, Watchdog Driver)
0xB769D000 C:\WINDOWS\system32\DRIVERS\asyncmac.sys 16384 bytes (Microsoft Corporation, MS Remote Access serial network driver)
0xF31DA000 C:\WINDOWS\system32\DRIVERS\kbdhid.sys 16384 bytes (Microsoft Corporation, HID Mouse Filter Driver)
0xF6460000 C:\WINDOWS\system32\DRIVERS\mssmbios.sys 16384 bytes (Microsoft Corporation, System Management BIOS Driver)
0xF7160000 C:\WINDOWS\system32\DRIVERS\nvnetbus.sys 16384 bytes (NVIDIA Corporation, NVIDIA Networking Bus Driver.)
0xF715C000 C:\WINDOWS\system32\DRIVERS\serenum.sys 16384 bytes (Microsoft Corporation, Serial Port Enumerator)
0xF716C000 C:\WINDOWS\System32\Drivers\UBHelper.SYS 16384 bytes
0xF7980000 C:\WINDOWS\system32\BOOTVID.dll 12288 bytes (Microsoft Corporation, VGA Boot Driver)
0xF2C11000 C:\WINDOWS\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver)
0xF5BC4000 C:\WINDOWS\system32\DRIVERS\hidusb.sys 12288 bytes (Microsoft Corporation, USB Miniport Driver for Input Devices)
0xF7A08000 C:\WINDOWS\system32\DRIVERS\irenum.sys 12288 bytes (Microsoft Corporation, Infra-Red Bus Enumerator)
0xF2F63000 C:\WINDOWS\system32\DRIVERS\mouhid.sys 12288 bytes (Microsoft Corporation, HID Mouse Filter Driver)
0xF647C000 C:\WINDOWS\system32\DRIVERS\ndistapi.sys 12288 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
0xF7A54000 C:\WINDOWS\system32\DRIVERS\rasacd.sys 12288 bytes (Microsoft Corporation, RAS Automatic Connection Driver)
0xF33AB000 C:\WINDOWS\System32\drivers\ws2ifsl.sys 12288 bytes (Microsoft Corporation, Winsock2 IFS Layer)
0xF7ACE000 C:\WINDOWS\System32\Drivers\Beep.SYS 8192 bytes (Microsoft Corporation, BEEP Driver)
0xF7A74000 dmload.sys 8192 bytes (Microsoft Corp., Veritas Software., NT Disk Manager Startup Driver)
0xF7AA2000 C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS 8192 bytes
0xF7ACC000 C:\WINDOWS\System32\Drivers\Fs_Rec.SYS 8192 bytes (Microsoft Corporation, File System Recognizer Driver)
0xF7A70000 C:\WINDOWS\system32\KDCOM.DLL 8192 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
0xF7AD0000 C:\WINDOWS\System32\Drivers\mnmdd.SYS 8192 bytes (Microsoft Corporation, Frame buffer simulator)
0xF7AB4000 C:\WINDOWS\system32\DRIVERS\NTIDrvr.sys 8192 bytes (NewTech Infosystems, Inc., NTI CD-ROM Filter Driver)
0xF7ADA000 C:\Program Files\LogMeIn\x86\RaInfo.sys 8192 bytes (LogMeIn, Inc., RemotelyAnywhere Kernel Information Provider)
0xF7AD2000 C:\WINDOWS\System32\DRIVERS\RDPCDD.sys 8192 bytes (Microsoft Corporation, RDP Miniport)
0xF7AC0000 C:\WINDOWS\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
0xF7AC2000 C:\WINDOWS\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
0xF7A72000 C:\WINDOWS\system32\DRIVERS\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
0xF7C78000 C:\WINDOWS\system32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver)
0xF7BCE000 C:\WINDOWS\System32\drivers\dxgthk.sys 4096 bytes (Microsoft Corporation, DirectX Graphics Driver Thunk)
0xF7C77000 C:\WINDOWS\system32\DRIVERS\LMImirr.sys 4096 bytes (LogMeIn, Inc., LogMeIn Mirror Miniport Driver)
0xF7CBA000 C:\WINDOWS\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver)
0xF7B38000 pciide.sys 4096 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)
==============================================
>Stealth
==============================================
0x84388454 LDT (IN GDT of Core 1) Modification, Base+0x490, DPL_INVALID, Rpl : 0, Type: CallGate32, Core [1]
0x49018400 LDT (IN GDT of Core 1) Modification, Base+0x6E8, DPL_SYSTEM, Rpl : 0, Type: CallGate32, Core [1]
0x73000000 LDT (IN GDT of Core 1) Modification, Base+0x0B8, DPL_SYSTEM, Rpl : 0, Type: CallGate32, Core [1]
0x8400844F LDT (IN GDT of Core 1) Modification, Base+0xC08, DPL_INVALID, Rpl : 3, Type: CallGate32, Core [1]
0x8430844F LDT (IN GDT of Core 1) Modification, Base+0xC38, DPL_INVALID, Rpl : 3, Type: CallGate32, Core [1]
0x8460844F LDT (IN GDT of Core 1) Modification, Base+0xC68, DPL_INVALID, Rpl : 3, Type: CallGate32, Core [1]
0x8490844F LDT (IN GDT of Core 1) Modification, Base+0xC98, DPL_INVALID, Rpl : 3, Type: CallGate32, Core [1]
0x84C0844F LDT (IN GDT of Core 1) Modification, Base+0xCC8, DPL_INVALID, Rpl : 3, Type: CallGate32, Core [1]
0x84F0844F LDT (IN GDT of Core 1) Modification, Base+0xCF8, DPL_INVALID, Rpl : 3, Type: CallGate32, Core [1]
0x8490844F LDT (IN GDT of Core 1) Modification, Base+0xF68, DPL_INVALID, Rpl : 3, Type: CallGate32, Core [1]
0x84908452 LDT (IN GDT of Core 1) Modification, Base+0xFA8, DPL_INVALID, Rpl : 2, Type: CallGate32, Core [1]
0x1AD7FED9 LDT (IN GDT of Core 1) Modification, Base+0xC08, DPL_INVALID, Rpl : 1, Type: CallGate32, Core [1]
0x49ED3B7C LDT (IN GDT of Core 1) Modification, Base+0xC20, DPL_SYSTEM, Rpl : 0, Type: CallGate32, Core [1]
0x08BCAAB0 LDT (IN GDT of Core 1) Modification, Base+0xE50, DPL_USER, Rpl : 0, Type: CallGate32, Core [1]
0x9DAAA51C LDT (IN GDT of Core 1) Modification, Base+0xF58, DPL_USER, Rpl : 0, Type: CallGate32, Core [1]
0x4367BFD6 LDT (IN GDT of Core 1) Modification, Base+0xF68, DPL_INVALID, Rpl : 2, Type: CallGate32, Core [1]
0x44167A5F LDT (IN GDT of Core 1) Modification, Base+0xFC8, DPL_USER, Rpl : 3, Type: CallGate32, Core [1]
0x6763696D LDT (IN GDT of Core 1) Modification, Base+0x3F8, DPL_USER, Rpl : 1, Type: CallGate32, Core [1]
0x84F08633 LDT (IN GDT of Core 1) Modification, Base+0x8D8, DPL_SYSTEM, Rpl : 3, Type: CallGate32, Core [1]
0x84488450 LDT (IN GDT of Core 1) Modification, Base+0xC50, DPL_SYSTEM, Rpl : 0, Type: CallGate32, Core [1]
0x84708450 LDT (IN GDT of Core 1) Modification, Base+0xC78, DPL_SYSTEM, Rpl : 0, Type: CallGate32, Core [1]
0x84F88477 LDT (IN GDT of Core 1) Modification, Base+0xD00, DPL_INVALID, Rpl : 3, Type: CallGate32, Core [1]
0x49018400 LDT (IN GDT of Core 1) Modification, Base+0x138, DPL_SYSTEM, Rpl : 0, Type: CallGate32, Core [1]
0x84500000 LDT (IN GDT of Core 1) Modification, Base+0x2B8, DPL_USER, Rpl : 0, Type: CallGate32, Core [1]
0x00450000 LDT (IN GDT of Core 1) Modification, Base+0x828, DPL_INVALID, Rpl : 0, Type: CallGate32, Core [1]
0x84A00000 LDT (IN GDT of Core 1) Modification, Base+0xFB8, DPL_SYSTEM, Rpl : 0, Type: CallGate32, Core [1]
0x84280000 LDT (IN GDT of Core 1) Modification, Base+0xC50, DPL_INVALID, Rpl : 0, Type: CallGate32, Core [1]
0x84480000 LDT (IN GDT of Core 1) Modification, Base+0xC68, DPL_INVALID, Rpl : 0, Type: CallGate32, Core [1]
0x84640000 LDT (IN GDT of Core 1) Modification, Base+0xC80, DPL_INVALID, Rpl : 0, Type: CallGate32, Core [1]
0x84280000 LDT (IN GDT of Core 1) Modification, Base+0xE88, DPL_INVALID, Rpl : 0, Type: CallGate32, Core [1]
0x84100000 LDT (IN GDT of Core 1) Modification, Base+0xEC0, DPL_INVALID, Rpl : 0, Type: CallGate32, Core [1]
0x84280000 LDT (IN GDT of Core 1) Modification, Base+0xF10, DPL_INVALID, Rpl : 0, Type: CallGate32, Core [1]
0x84100000 LDT (IN GDT of Core 1) Modification, Base+0xF48, DPL_INVALID, Rpl : 0, Type: CallGate32, Core [1]
0x84980000 LDT (IN GDT of Core 1) Modification, Base+0x168, DPL_SYSTEM, Rpl : 0, Type: CallGate32, Core [1]
0x49018400 LDT (IN GDT of Core 1) Modification, Base+0x138, DPL_SYSTEM, Rpl : 0, Type: CallGate32, Core [1]
0x49018400 LDT (IN GDT of Core 1) Modification, Base+0x340, DPL_SYSTEM, Rpl : 0, Type: CallGate32, Core [1]
0x843C0000 LDT (IN GDT of Core 1) Modification, Base+0xA40, DPL_INVALID, Rpl : 0, Type: CallGate32, Core [1]
0x84700000 LDT (IN GDT of Core 1) Modification, Base+0xA60, DPL_SYSTEM, Rpl : 0, Type: CallGate32, Core [1]
0x844C0000 LDT (IN GDT of Core 1) Modification, Base+0xC50, DPL_USER, Rpl : 0, Type: CallGate32, Core [1]
0x84708450 LDT (IN GDT of Core 1) Modification, Base+0xC78, DPL_USER, Rpl : 0, Type: CallGate32, Core [1]
0x84ACF730 LDT (IN GDT of Core 1) Modification, Base+0xCB0, DPL_USER, Rpl : 0, Type: CallGate32, Core [1]
0x84CC0000 LDT (IN GDT of Core 1) Modification, Base+0xCD0, DPL_USER, Rpl : 0, Type: CallGate32, Core [1]
0x69657869 LDT (IN GDT of Core 1) Modification, Base+0x760, DPL_USER, Rpl : 1, Type: CallGate32, Core [1]
0x84E084BD LDT (IN GDT of Core 1) Modification, Base+0xD28, DPL_SYSTEM, Rpl : 1, Type: CallGate32, Core [1]
0x84D884C1 LDT (IN GDT of Core 1) Modification, Base+0xD30, DPL_SYSTEM, Rpl : 1, Type: CallGate32, Core [1]
0x84A084BD LDT (IN GDT of Core 1) Modification, Base+0xD40, DPL_SYSTEM, Rpl : 1, Type: CallGate32, Core [1]
0x849884C1 LDT (IN GDT of Core 1) Modification, Base+0xD48, DPL_SYSTEM, Rpl : 1, Type: CallGate32, Core [1]
0x84380000 LDT (IN GDT of Core 1) Modification, Base+0x4A0, DPL_USER, Rpl : 0, Type: CallGate32, Core [1]
0x859885F4 LDT (IN GDT of Core 1) Modification, Base+0x4A8, DPL_INVALID, Rpl : 0, Type: CallGate32, Core [1]
0x84208444 LDT (IN GDT of Core 1) Modification, Base+0x4B8, DPL_USER, Rpl : 0, Type: CallGate32, Core [1]
0x859C846A LDT (IN GDT of Core 1) Modification, Base+0x4C0, DPL_INVALID, Rpl : 2, Type: CallGate32, Core [1]
0x00D00000 LDT (IN GDT of Core 1) Modification, Base+0xB70, DPL_SYSTEM, Rpl : 0, Type: CallGate32, Core [1]
0x00CE0000 LDT (IN GDT of Core 1) Modification, Base+0x078, DPL_SYSTEM, Rpl : 0, Type: CallGate32, Core [1]
0x49018400 LDT (IN GDT of Core 1) Modification, Base+0x548, DPL_SYSTEM, Rpl : 0, Type: CallGate32, Core [1]
0x846884A0 LDT (IN GDT of Core 1) Modification, Base+0xCB0, DPL_INVALID, Rpl : 0, Type: CallGate32, Core [1]
0x84380100 LDT (IN GDT of Core 1) Modification, Base+0xF38, DPL_INVALID, Rpl : 0, Type: CallGate32, Core [1]
0x009C0001 LDT (IN GDT of Core 1) Modification, Base+0x130, DPL_SYSTEM, Rpl : 1, Type: CallGate32, Core [1]
0x00680002 LDT (IN GDT of Core 1) Modification, Base+0x298, DPL_INVALID, Rpl : 2, Type: CallGate32, Core [1]
0x00210002 LDT (IN GDT of Core 1) Modification, Base+0x640, DPL_SYSTEM, Rpl : 2, Type: CallGate32, Core [1]
0xAE05981C LDT (IN GDT of Core 1) Modification, Base+0x960, DPL_INVALID, Rpl : 0, Type: CallGate32, Core [1]
0x6E0B5806 LDT (IN GDT of Core 1) Modification, Base+0x990, DPL_INVALID, Rpl : 2, Type: CallGate32, Core [1]
0xF0CFE829 LDT (IN GDT of Core 1) Modification, Base+0xA38, DPL_INVALID, Rpl : 1, Type: CallGate32, Core [1]
0x9CF45BC0 LDT (IN GDT of Core 1) Modification, Base+0x140, DPL_INVALID, Rpl : 0, Type: CallGate32, Core [1]
0x14A4092C LDT (IN GDT of Core 1) Modification, Base+0x270, DPL_INVALID, Rpl : 0, Type: CallGate32, Core [1]
0xF3FB69FF LDT (IN GDT of Core 1) Modification, Base+0x4A0, DPL_INVALID, Rpl : 3, Type: CallGate32, Core [1]
0x85010000 LDT (IN GDT of Core 1) Modification, Base+0x7B0, DPL_INVALID, Rpl : 0, Type: CallGate32, Core [1]
0x84788610 LDT (IN GDT of Core 1) Modification, Base+0xED0, DPL_INVALID, Rpl : 0, Type: CallGate32, Core [1]
0x78460001 LDT (IN GDT of Core 1) Modification, Base+0xAD8, DPL_INVALID, Rpl : 1, Type: CallGate32, Core [1]
0x84F88487 LDT (IN GDT of Core 1) Modification, Base+0x300, DPL_SYSTEM, Rpl : 3, Type: CallGate32, Core [1]
0x84010000 LDT (IN GDT of Core 1) Modification, Base+0x518, DPL_USER, Rpl : 0, Type: CallGate32, Core [1]
0xF6D8C1B2 LDT (IN GDT of Core 1) Modification, Base+0x960, DPL_USER, Rpl : 2, Type: CallGate32, Core [1]
0xF70C5195 LDT (IN GDT of Core 1) Modification, Base+0xA58, DPL_INVALID, Rpl : 1, Type: CallGate32, Core [1]
0xA623834C LDT (IN GDT of Core 1) Modification, Base+0xA70, DPL_SYSTEM, Rpl : 0, Type: CallGate32, Core [1]
0x2CA1FD1A LDT (IN GDT of Core 1) Modification, Base+0xA80, DPL_INVALID, Rpl : 2, Type: CallGate32, Core [1]
0x84E80000 LDT (IN GDT of Core 1) Modification, Base+0x488, DPL_USER, Rpl : 0, Type: CallGate32, Core [1]
0x73000000 LDT (IN GDT of Core 1) Modification, Base+0x8B0, DPL_SYSTEM, Rpl : 0, Type: CallGate32, Core [1]
0x49018400 LDT (IN GDT of Core 1) Modification, Base+0x930, DPL_SYSTEM, Rpl : 0, Type: CallGate32, Core [1]
0xE4980034 LDT (IN GDT of Core 1) Modification, Base+0x970, DPL_SYSTEM, Rpl : 0, Type: CallGate32, Core [1]
0xE2180078 LDT (IN GDT of Core 1) Modification, Base+0x7F0, DPL_INVALID, Rpl : 0, Type: CallGate32, Core [1]
0x84048475 LDT (IN GDT of Core 1) Modification, Base+0xF40, DPL_USER, Rpl : 1, Type: CallGate32, Core [1]
0x84688451 LDT (IN GDT of Core 1) Modification, Base+0xF68, DPL_USER, Rpl : 1, Type: CallGate32, Core [1]
0x84688451 LDT (IN GDT of Core 1) Modification, Base+0xFA8, DPL_USER, Rpl : 1, Type: CallGate32, Core [1]
0x76412D70 LDT (IN GDT of Core 1) Modification, Base+0x390, DPL_USER, Rpl : 0, Type: CallGate32, Core [1]
0x49018400 LDT (IN GDT of Core 1) Modification, Base+0x930, DPL_SYSTEM, Rpl : 0, Type: CallGate32, Core [1]
0x859C844E LDT (IN GDT of Core 1) Modification, Base+0x528, DPL_INVALID, Rpl : 2, Type: CallGate32, Core [1]
0x00FD0000 LDT (IN GDT of Core 1) Modification, Base+0xD38, DPL_SYSTEM, Rpl : 0, Type: CallGate32, Core [1]
0x00EB0000 LDT (IN GDT of Core 1) Modification, Base+0xD40, DPL_SYSTEM, Rpl : 0, Type: CallGate32, Core [1]
0x00D90000 LDT (IN GDT of Core 1) Modification, Base+0xD48, DPL_SYSTEM, Rpl : 0, Type: CallGate32, Core [1]
0x00C70000 LDT (IN GDT of Core 1) Modification, Base+0xD50, DPL_SYSTEM, Rpl : 0, Type: CallGate32, Core [1]
0x00B50000 LDT (IN GDT of Core 1) Modification, Base+0xD58, DPL_SYSTEM, Rpl : 0, Type: CallGate32, Core [1]
0x00A40000 LDT (IN GDT of Core 1) Modification, Base+0xD60, DPL_SYSTEM, Rpl : 0, Type: CallGate32, Core [1]
0x00920000 LDT (IN GDT of Core 1) Modification, Base+0xD68, DPL_SYSTEM, Rpl : 0, Type: CallGate32, Core [1]
0x00810000 LDT (IN GDT of Core 1) Modification, Base+0xD70, DPL_SYSTEM, Rpl : 0, Type: CallGate32, Core [1]
0x00700000 LDT (IN GDT of Core 1) Modification, Base+0xD78, DPL_SYSTEM, Rpl : 0, Type: CallGate32, Core [1]
0x005F0000 LDT (IN GDT of Core 1) Modification, Base+0xD80, DPL_SYSTEM, Rpl : 0, Type: CallGate32, Core [1]
0x004D0000 LDT (IN GDT of Core 1) Modification, Base+0xD88, DPL_SYSTEM, Rpl : 0, Type: CallGate32, Core [1]
0x003C0000 LDT (IN GDT of Core 1) Modification, Base+0xD90, DPL_SYSTEM, Rpl : 0, Type: CallGate32, Core [1]
0x002B0000 LDT (IN GDT of Core 1) Modification, Base+0xD98, DPL_SYSTEM, Rpl : 0, Type: CallGate32, Core [1]
0x001B0000 LDT (IN GDT of Core 1) Modification, Base+0xDA0, DPL_SYSTEM, Rpl : 0, Type: CallGate32, Core [1]
0x000A0000 LDT (IN GDT of Core 1) Modification, Base+0xDA8, DPL_SYSTEM, Rpl : 0, Type: CallGate32, Core [1]
0x84600000 LDT (IN GDT of Core 1) Modification, Base+0xA20, DPL_SYSTEM, Rpl : 0, Type: CallGate32, Core [1]
0x846C0000 LDT (IN GDT of Core 1) Modification, Base+0xC70, DPL_USER, Rpl : 0, Type: CallGate32, Core [1]
0x84A88451 LDT (IN GDT of Core 1) Modification, Base+0xCB0, DPL_USER, Rpl : 1, Type: CallGate32, Core [1]
0x84388484 LDT (IN GDT of Core 1) Modification, Base+0xCC0, DPL_USER, Rpl : 0, Type: CallGate32, Core [1]
0x05550000 Hidden Image-->Intuit.Spc.Map.WindowsFirewallUtilities.dll [ EPROCESS 0x85E80660 ] PID: 400, 1077248 bytes
0x054E0000 Hidden Image-->System.ServiceProcess.dll [ EPROCESS 0x85E80660 ] PID: 400, 126976 bytes
0x03310000 Hidden Image-->System.XML.dll [ EPROCESS 0x85E80660 ] PID: 400, 2060288 bytes
0x04570000 Hidden Image-->System.EnterpriseServices.dll [ EPROCESS 0x85E80660 ] PID: 400, 266240 bytes
0x042C0000 Hidden Image-->System.Transactions.dll [ EPROCESS 0x85E80660 ] PID: 400, 270336 bytes
0x05B70000 Hidden Image-->System.Transactions.dll [ EPROCESS 0x8627A910 ] PID: 3872, 270336 bytes
0x058F0000 Hidden Image-->log4net.dll [ EPROCESS 0x85E80660 ] PID: 400, 282624 bytes
0x03F90000 Hidden Image-->System.Data.dll [ EPROCESS 0x85E80660 ] PID: 400, 2961408 bytes
0x06690000 Hidden Image-->System.Data.dll [ EPROCESS 0x84BA7468 ] PID: 2940, 2961408 bytes
0x056E0000 Hidden Image-->System.Data.dll [ EPROCESS 0x8627A910 ] PID: 3872, 2961408 bytes
0x04AC0000 Hidden Image-->System.Runtime.Remoting.dll [ EPROCESS 0x85E80660 ] PID: 400, 307200 bytes
0x03540000 Hidden Image-->System.dll [ EPROCESS 0x85E80660 ] PID: 400, 3190784 bytes
0x04B60000 Hidden Image-->System.dll [ EPROCESS 0x85E7BDA0 ] PID: 2464, 3190784 bytes
0x06330000 Hidden Image-->Intuit.Spc.Map.WindowsFirewallUtilities.dll [ EPROCESS 0x85E80660 ] PID: 400, 421888 bytes
0x032A0000 Hidden Image-->System.configuration.dll [ EPROCESS 0x85E80660 ] PID: 400, 438272 bytes
0x03080000 Hidden Image-->Intuit.Spc.Foundations.Portability.dll [ EPROCESS 0x85E80660 ] PID: 400, 471040 bytes
0x043B0000 Hidden Image-->Intuit.Spc.Map.Reporter.dll [ EPROCESS 0x85E80660 ] PID: 400, 479232 bytes
0x05F40000 Hidden Image-->Intuit.Spc.Map.Reporter.dll [ EPROCESS 0x85E80660 ] PID: 400, 479232 bytes
0x04D20000 Hidden Image-->System.Windows.Forms.dll [ EPROCESS 0x85E80660 ] PID: 400, 5033984 bytes
0x04690000 Hidden Image-->System.Windows.Forms.dll [ EPROCESS 0x85E7BDA0 ] PID: 2464, 5033984 bytes
0x00F70000 Hidden Image-->Intuit.Spc.Foundations.Primary.Logging.dll [ EPROCESS 0x85E80660 ] PID: 400, 53248 bytes
0x05370000 Hidden Image-->System.Drawing.dll [ EPROCESS 0x85E80660 ] PID: 400, 634880 bytes
0x042D0000 Hidden Image-->System.Drawing.dll [ EPROCESS 0x85E7BDA0 ] PID: 2464, 634880 bytes
0x01030000 Hidden Image-->Intuit.Spc.Foundations.Primary.ExceptionHandling.dll [ EPROCESS 0x85E80660 ] PID: 400, 77824 bytes
0x03ED0000 Hidden Image-->System.Data.SQLite.DLL [ EPROCESS 0x85E80660 ] PID: 400, 778240 bytes
0x05540000 Hidden Image-->Microsoft.mshtml.dll [ EPROCESS 0x84BA7468 ] PID: 2940, 8015872 bytes
0x03DE0000 Hidden Image-->Microsoft.mshtml.dll [ EPROCESS 0x8627A910 ] PID: 3872, 8015872 bytes
0x0F8C0000 Hidden Image-->CustomMarshalers.dll [ EPROCESS 0x8627A910 ] PID: 3872, 81920 bytes
0x03200000 Hidden Image-->Intuit.Spc.Foundations.Primary.Config.dll [ EPROCESS 0x85E80660 ] PID: 400, 86016 bytes
0x05DA0000 Hidden Image-->System.Data.SQLite.DLL [ EPROCESS 0x85E80660 ] PID: 400, 872448 bytes

#4 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 23 May 2011 - 03:34 AM

Hello

I would like you to do the following.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this, you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click Combofix's window while it's running. That may cause it to stall.

Note 2: If you receive the error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

In your next post I need the following:
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#5 deriderj

deriderj
  • Topic Starter
  • Members
  • 11 posts

Posted 24 May 2011 - 12:56 AM

Hey Gringo,

When I ran ComboFix like you asked, ComboFix asked to install the Recovery Console, I said yes, and the Recovery Console installed without incident. I don't know if it matters but it might, so I thought I should tell you that in all cases I am running these tools and utilities while accessing the infected PC remotely using LogMeIn. I did lose remote connectivity at one point while running ComboFix but I was able to reconnect after a couple of minutes. ComboFix had not rebooted the infected computer, I had only lost remote connectivity for some unknown reason.

After I ran ComboFix and copied the report I rebooted the infected PC to put it back to "normal" (I had shut off most of the utility programs running in the system tray along with all anti-malware utilities). After the reboot I tried several searches using Google and several using Yahoo using IE8 and Firefox. When selecting from the respective search lists, no matter the browser, no redirect(s) occurred.

I would like to think that the infection has been expunged but the fact is that the redirect doesn't occur 100% of the time and so it will take a few more days of using the PC before there is convincing evidence that the infection has been removed. Of course, in the meantime, if there is something you want or need me to do just let me know and I'm happy to do your bidding.

As always, thank you for your help on this.

Here is the ComboFix log:

ComboFix 11-05-23.02 - Kathy 05/23/2011 23:41:51.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.237 [GMT -5:00]
Running from: c:\documents and settings\Kathy\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Kathy\Application Data\Adobe\plugs
c:\documents and settings\Kathy\Application Data\Adobe\shed
c:\documents and settings\Kathy\Desktop\Scanner.lnk
c:\documents and settings\Kathy\WINDOWS
c:\program files\Luxor 2
c:\program files\Luxor 2\3rdparty.gvf
c:\program files\Luxor 2\activation_info.xml
c:\program files\Luxor 2\assets\splashscreen.jpg
c:\program files\Luxor 2\bfgstate.xml
c:\program files\Luxor 2\data.mjz
c:\program files\Luxor 2\DSETUP.dll
c:\program files\Luxor 2\engine.dll
c:\program files\Luxor 2\file.dll
c:\program files\Luxor 2\fmodex.dll
c:\program files\Luxor 2\gfx.dll
c:\program files\Luxor 2\gfx_dd7.dll
c:\program files\Luxor 2\gfx_dx8.dll
c:\program files\Luxor 2\img_jpg.dll
c:\program files\Luxor 2\img_png.dll
c:\program files\Luxor 2\img_tga.dll
c:\program files\Luxor 2\LaunchGame.bfg
c:\program files\Luxor 2\locale\english.mjz
c:\program files\Luxor 2\logger.dll
c:\program files\Luxor 2\nwfvjlx.exe
c:\program files\Luxor 2\pics\60x40.jpg
c:\program files\Luxor 2\pics\80x80.jpg
c:\program files\Luxor 2\pics\feature.jpg
c:\program files\Luxor 2\pics\luxor2_175x150.swf
c:\program files\Luxor 2\platform.dll
c:\program files\Luxor 2\Read_Me.html
c:\program files\Luxor 2\snd3d.dll
c:\program files\Luxor 2\snd3d_fmod.dll
c:\program files\Luxor 2\thread.dll
c:\program files\Luxor 2\Uninstall.exe
c:\program files\Luxor 2\UnlockGame.bfg
c:\windows\system32\autorun.ini
c:\windows\system32\spool\prtprocs\w32x86\Ppbiproc.dll
c:\windows\winhelp.ini
.
.
((((((((((((((((((((((((( Files Created from 2011-04-24 to 2011-05-24 )))))))))))))))))))))))))))))))
.
.
2011-05-19 00:26 . 2011-05-19 00:26 -------- d-----w- c:\documents and settings\LocalService\Application Data\ID Vault
2011-05-19 00:10 . 2010-08-21 04:59 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2011-05-19 00:10 . 2011-05-19 00:21 -------- d-----w- c:\program files\Symantec
2011-05-19 00:10 . 2011-05-19 00:21 60872 ----a-w- c:\windows\system32\S32EVNT1.DLL
2011-05-19 00:10 . 2011-05-19 00:21 126584 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2011-05-19 00:10 . 2010-08-21 04:59 106928 ----a-w- c:\windows\system32\GEARAspi.dll
2011-05-19 00:10 . 2011-05-19 00:26 -------- d-----w- c:\windows\system32\drivers\N360
2011-05-19 00:10 . 2011-05-19 00:10 -------- d-----w- c:\program files\Norton Security Suite
2011-05-19 00:09 . 2011-05-19 00:09 -------- d-----w- c:\program files\NortonInstaller
2011-05-18 23:51 . 2011-05-18 23:51 -------- d-----w- c:\documents and settings\All Users\Application Data\IsolatedStorage
2011-05-18 23:51 . 2011-05-18 23:52 -------- d-----w- c:\documents and settings\Kathy\Local Settings\Application Data\ID Vault
2011-05-18 23:51 . 2011-05-11 20:36 87624 ----a-w- c:\program files\Mozilla Firefox\IdVaultCore.XmlSerializers.dll
2011-05-18 23:51 . 2011-05-11 20:36 1591880 ----a-w- c:\program files\Mozilla Firefox\IdVaultCore.dll
2011-05-18 23:51 . 2011-05-11 20:36 129608 ----a-w- c:\program files\Mozilla Firefox\CommonDotNET.dll
2011-05-18 23:51 . 2011-05-11 20:34 8007680 ----a-w- c:\program files\Mozilla Firefox\Microsoft.mshtml.dll
2011-05-18 23:51 . 2011-05-18 23:58 -------- d-----w- c:\documents and settings\Kathy\Application Data\ID Vault
2011-05-18 23:51 . 2011-03-04 00:02 25232 ------w- c:\windows\system32\drivers\gidv2.sys
2011-05-18 23:51 . 2011-05-18 23:51 -------- d-----w- c:\documents and settings\All Users\GID
2011-05-18 23:51 . 2011-05-18 23:51 -------- d-----w- c:\program files\SFT
2011-05-18 23:50 . 2011-05-18 23:51 -------- d-----w- c:\program files\Constant Guard Protection Suite
2011-05-18 23:50 . 2011-05-18 23:50 -------- d-----w- c:\documents and settings\All Users\Application Data\White Sky, Inc
2011-05-17 23:57 . 2001-07-03 19:12 176128 ----a-w- c:\windows\system32\BMUpdate.exe
2011-05-17 23:57 . 2011-05-24 03:23 -------- d-----w- c:\program files\Visioneer OneTouch
2011-05-17 23:27 . 2011-05-17 23:49 -------- d-----w- c:\windows\VizLog
2011-05-17 14:10 . 2011-05-21 16:51 -------- d-----w- C:\GNCI
2011-04-28 08:26 . 2011-04-28 09:11 -------- d-----w- c:\documents and settings\Kathy\Local Settings\Application Data\NPE
2011-04-27 08:42 . 2011-04-27 08:42 -------- d-----w- c:\documents and settings\Kathy\DoctorWeb
2011-04-27 06:12 . 2011-04-27 09:29 -------- d-----w- c:\program files\Emsisoft Anti-Malware
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-22 19:06 . 2009-08-18 16:30 564632 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\wlidui.dll
2011-04-22 19:06 . 2009-08-18 16:24 18328 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2011-04-18 16:57 . 2011-04-18 18:50 135360 ----a-w- C:\FixBlast.exe
2011-03-07 05:33 . 2004-08-10 20:00 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:37 . 2004-08-10 20:00 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-04 00:03 . 2011-03-04 00:03 66328 ----a-w- c:\windows\system32\SysEventMenu.dll
2011-03-04 00:03 . 2011-03-04 00:03 53528 ----a-w- c:\windows\system32\GIDLogonXP.dll
2011-03-04 00:02 . 2011-03-04 00:02 378648 ----a-w- c:\windows\system32\GIDHookLogon.dll
2011-03-04 00:02 . 2011-03-04 00:02 392976 ----a-w- c:\windows\system32\GIDHook.dll
2011-03-04 00:01 . 2011-03-04 00:01 100624 ----a-w- c:\windows\system32\GIDBIN3.dll
2011-03-04 00:01 . 2011-03-04 00:01 172304 ----a-w- c:\windows\system32\GIDBIN1.dll
2011-03-03 13:21 . 2005-03-02 01:06 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-23 08:15 . 2011-02-23 08:14 11447056 ----a-w- c:\documents and settings\All Users\Tempmozy-manualupdate-c0261ff8012aad585d55140a9b6ddcb9.exe
2008-08-16 23:42 . 2008-08-16 23:42 13112 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll
2008-08-16 23:42 . 2008-08-16 23:42 70456 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll
2008-08-16 23:42 . 2008-08-16 23:42 91448 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll
2008-08-16 23:42 . 2008-08-16 23:42 20800 ----a-w- c:\program files\mozilla firefox\plugins\ctxlogging.dll
2008-08-16 23:43 . 2008-08-16 23:43 206136 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll
2008-08-16 23:42 . 2008-08-16 23:42 31032 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll
2008-08-16 23:42 . 2008-08-16 23:42 40248 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll
2008-05-21 14:41 . 2008-05-21 14:41 479232 ----a-w- c:\program files\mozilla firefox\plugins\msvcm80.dll
2008-05-21 14:41 . 2008-05-21 14:41 548864 ----a-w- c:\program files\mozilla firefox\plugins\msvcp80.dll
2008-05-21 14:41 . 2008-05-21 14:41 626688 ----a-w- c:\program files\mozilla firefox\plugins\msvcr80.dll
2008-06-05 19:58 . 2008-06-05 19:58 648504 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll
2008-08-16 23:42 . 2008-08-16 23:42 23864 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll
2010-01-01 08:00 . 2011-04-06 15:33 135168 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozy2]
@="{747E722C-CB46-4a9d-BDFE-192AAD5099B1}"
[HKEY_CLASSES_ROOT\CLSID\{747E722C-CB46-4a9d-BDFE-192AAD5099B1}]
2011-02-08 19:24 3443000 ----a-w- c:\program files\MozyHome\mozyshell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozy3]
@="{EE6F5A00-7898-40f7-AB77-51FF9D6DEB20}"
[HKEY_CLASSES_ROOT\CLSID\{EE6F5A00-7898-40f7-AB77-51FF9D6DEB20}]
2011-02-08 19:24 3443000 ----a-w- c:\program files\MozyHome\mozyshell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BMUpdate"="c:\windows\system32\BMUpdate.exe" [2001-07-03 176128]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2005-08-12 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-12 81920]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-12-01 7311360]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-11-11 288088]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2007-04-17 63048]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"Eraser"="c:\progra~1\Eraser\Eraser.exe" [2010-11-05 980368]
"LDSLibrary"="c:\program files\LDS Media\LDS Library 2005\5.1.0\LDSLibQuickStart.exe" [2004-11-12 36864]
"GIDDesktop"="c:\program files\SFT\GuardedID\gidd.exe" [2011-03-04 393992]
.
c:\documents and settings\Kathy\Start Menu\Programs\Startup\
Check for OneTouch Updates.lnk - c:\program files\Visioneer OneTouch\WiseUpdt.exe [N/A]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Constant Guard.lnk - c:\program files\Constant Guard Protection Suite\IDVault.exe [2011-5-11 3228232]
Easy Updates.lnk - c:\program files\ClearPlay Easy Updates\ClearPlayClient.jar [2010-8-21 3382834]
FlashPath Monitor.lnk - c:\program files\SmartDisk\FlashPath\sdstat.exe [2006-7-13 184320]
MozyHome Status.lnk - c:\program files\MozyHome\mozystat.exe [2011-2-8 3600184]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GIDLogonXP]
2011-03-04 00:03 53528 ----a-w- c:\windows\system32\GIDLogonXP.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2010-12-08 19:11 87424 ----a-w- c:\windows\system32\LMIinit.dll
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Easy Updates.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Easy Updates.lnk
backup=c:\windows\pss\Easy Updates.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ImageMixer 3 SE Camera Monitor Ver.5.lnk]
backup=c:\windows\pss\ImageMixer 3 SE Camera Monitor Ver.5.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^McAfee Security Scan Plus.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
backup=c:\windows\pss\McAfee Security Scan Plus.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PDF-Capture.lnk]
backup=c:\windows\pss\PDF-Capture.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Service Manager.lnk]
backup=c:\windows\pss\Service Manager.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Kathy^Start Menu^Programs^Startup^ClearPlay Easy Updates.lnk]
path=c:\documents and settings\Kathy\Start Menu\Programs\Startup\ClearPlay Easy Updates.lnk
backup=c:\windows\pss\ClearPlay Easy Updates.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LaunchApp]
Alaunch [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-09-21 05:07 932288 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-01-31 08:44 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
2005-08-05 21:56 64512 ----a-w- c:\windows\ehome\ehtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eRecoveryService]
2005-11-17 00:00 397312 ----a-w- c:\acer\Empowering Technology\eRecovery\Monitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iClean]
2002-06-24 11:53 212992 ----a-w- c:\program files\Aladdin Systems\iClean\iClean.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
2004-08-10 20:00 208952 ----a-w- c:\windows\ime\imjp8_1\imjpmig.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
2009-11-05 20:35 1468256 ----a-w- c:\program files\Microsoft IntelliPoint\ipoint.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Kernel and Hardware Abstraction Layer]
2007-04-11 20:32 56080 ----a-w- c:\windows\KHALMNPR.Exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogMeIn GUI]
2007-04-17 19:03 63048 ----a-w- c:\program files\LogMeIn\x86\LogMeInSystray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 --sh--w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
2004-08-10 20:00 59392 ----a-w- c:\windows\system32\IME\PINTLGNT\IMSCINST.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ntiMUI]
2005-05-12 02:15 45056 ----a-w- c:\program files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2005-12-01 18:02 7311360 ----a-w- c:\windows\system32\nvcpl.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2005-12-01 18:02 86016 ----a-w- c:\windows\system32\nvmctray.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2005-12-01 18:02 1519616 ----a-w- c:\windows\system32\nwiz.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Opware12]
2002-08-01 10:49 49152 ----a-w- c:\program files\ScanSoft\OmniPagePro12.0\opware12.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
2004-08-10 20:00 455168 ----a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
2004-08-10 20:00 455168 ----a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PPWebCap]
2001-08-10 17:50 40960 ----a-w- c:\progra~1\ScanSoft\PAPERP~1\PPWEBCAP.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2004-11-03 04:24 32768 ----a-w- c:\program files\CyberLink\PowerDVD\PDVDServ.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
2006-11-17 10:42 577536 ----a-w- c:\windows\soundman.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-07-25 10:23 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2009-07-05 00:45 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
.
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360\0501000.01D\symds.sys [5/18/2011 7:20 PM 340088]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0501000.01D\symefa.sys [5/18/2011 7:20 PM 744568]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\Definitions\BASHDefs\20110518.001\BHDrvx86.sys [5/18/2011 12:36 AM 802936]
R1 GIDv2;GIDv2;c:\windows\system32\drivers\gidv2.sys [5/18/2011 6:51 PM 25232]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360\0501000.01D\ironx86.sys [5/18/2011 7:20 PM 136312]
R2 FlashNT;FlashNT;c:\windows\system32\drivers\FLASHNT.SYS [7/13/2006 11:33 PM 72784]
R2 IDVaultSvc;CGPS Service;c:\program files\Constant Guard Protection Suite\IDVaultSvc.exe [5/11/2011 3:34 PM 60488]
R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [10/5/2010 4:25 PM 374152]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [6/5/2007 7:52 AM 12856]
R2 N360;Norton Security Suite;c:\program files\Norton Security Suite\Engine\5.1.0.29\ccsvchst.exe [5/18/2011 7:20 PM 130008]
R2 Sdselect;Sdselect;c:\windows\system32\drivers\sdselect.sys [7/13/2006 11:33 PM 73296]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [5/18/2011 7:34 PM 105592]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\Definitions\IPSDefs\20110518.001\IDSXpx86.sys [5/18/2011 7:21 PM 341944]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S2 gupdate1c9fd0a8d460ea;Google Update Service (gupdate1c9fd0a8d460ea);c:\program files\Google\Update\GoogleUpdate.exe [7/4/2009 7:46 PM 133104]
S3 BBSvc;Bing Bar Update Service;c:\program files\Microsoft\BingBar\BBSvc.EXE [2/28/2011 6:44 PM 183560]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [7/4/2009 7:46 PM 133104]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [8/10/2004 3:00 PM 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9191979D-821C-4EA8-B021-2DA1D859A7C5}-3Reg]
2011-03-04 00:04 433416 ----a-w- c:\program files\SFT\GuardedID\GIDI.exe
.
Contents of the 'Scheduled Tasks' folder
.
2011-05-23 c:\windows\Tasks\GlaryInitialize.job
- c:\program files\Glary Utilities\initialize.exe [2011-04-19 22:24]
.
2011-05-23 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-07-05 00:45]
.
2011-05-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-05 00:46]
.
2011-05-24 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-05 00:46]
.
2010-05-16 c:\windows\Tasks\Microsoft_Hardware_Launch_IPoint_exe.job
- c:\program files\Microsoft IntelliPoint\ipoint.exe [2009-11-05 20:35]
.
2011-05-23 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2011-04-19 20:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.foxnews.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: &Google Search - c:\program files\Google\googletoolbar.dll/cmsearch.html
IE: Backward &Links - c:\program files\Google\googletoolbar.dll/cmbacklinks.html
IE: Cac&hed Snapshot of Page - c:\program files\Google\googletoolbar.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
IE: Si&milar Pages - c:\program files\Google\googletoolbar.dll/cmsimilar.html
IE: Translate into English - c:\program files\Google\googletoolbar.dll/cmtrans.html
Trusted Zone: intuit.com\ttlc
Trusted Zone: turbotax.com
FF - ProfilePath - c:\documents and settings\Kathy\Application Data\Mozilla\Firefox\Profiles\ipbk5uf5.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.foxnews.com/
FF - user.js: dom.disable_open_during_load - false // Popupblocker control handled by McAfee Privacy Service
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-mcmscsvc
SafeBoot-MCODS
MSConfigStartUp-Google Update - c:\documents and settings\Kathy\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
MSConfigStartUp-MoveMinutesQuickCheck - c:\program files\moveminute\05091201\movemedia.exe
MSConfigStartUp-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
AddRemove-BFG-Luxor 2 - c:\program files\Luxor 2\Uninstall.exe
AddRemove-DBCM - c:\zacks\zir\UninDBCM.isu
AddRemove-MoveMinute - c:\program files\moveminute\05091201\movemedia.exe
AddRemove-RealArcade - c:\program files\RealArcade\Installer\bin\gameinstaller.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-23 23:51
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600
.
CreateFile("\\.\PHYSICALDRIVE0"): The process cannot access the file because it is being used by another process.
device: opened successfully
user: error reading MBR
kernel: MBR read successfully
user != kernel MBR !!!
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\N360]
"ImagePath"="\"c:\program files\Norton Security Suite\Engine\5.1.0.29\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton Security Suite\Engine\5.1.0.29\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(632)
c:\windows\system32\GIDLogonXP.dll
c:\windows\system32\LMIinit.dll
c:\windows\system32\GIDHookLogon.dll
c:\windows\system32\GIDBIN1.dll
c:\windows\system32\WININET.dll
c:\windows\system32\LMIRfsClientNP.dll
.
Completion time: 2011-05-23 23:56:16
ComboFix-quarantined-files.txt 2011-05-24 04:55
.
Pre-Run: 69,197,201,408 bytes free
Post-Run: 69,257,392,128 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect /bootlog
.
- - End Of File - - 620BF3DC439955374195E4D42F75D7C6

#6 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 24 May 2011 - 07:16 AM

I want you to run this tool for me next.

tdsskiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#7 deriderj

deriderj
  • Topic Starter

  • Members
  • 11 posts

Posted 24 May 2011 - 11:34 PM

Gringo,

I ran TDSSKILLER as you asked. It found no infected or suspicious files and it did not require that I reboot. I have included the TDSSKILLER log in this post as you requested. Please let me know if there is anything else you would like me to do.

Thank you,

Joel

2011/05/24 23:27:00.0000 4732 TDSS rootkit removing tool 2.5.2.0 May 24 2011 11:01:23
2011/05/24 23:27:00.0546 4732 ================================================================================
2011/05/24 23:27:00.0546 4732 SystemInfo:
2011/05/24 23:27:00.0546 4732
2011/05/24 23:27:00.0546 4732 OS Version: 5.1.2600 ServicePack: 3.0
2011/05/24 23:27:00.0546 4732 Product type: Workstation
2011/05/24 23:27:00.0546 4732 ComputerName: DESK
2011/05/24 23:27:00.0546 4732 UserName: Kathy
2011/05/24 23:27:00.0546 4732 Windows directory: C:\WINDOWS
2011/05/24 23:27:00.0546 4732 System windows directory: C:\WINDOWS
2011/05/24 23:27:00.0546 4732 Processor architecture: Intel x86
2011/05/24 23:27:00.0546 4732 Number of processors: 1
2011/05/24 23:27:00.0546 4732 Page size: 0x1000
2011/05/24 23:27:00.0546 4732 Boot type: Normal boot
2011/05/24 23:27:00.0546 4732 ================================================================================
2011/05/24 23:27:02.0984 4732 Initialize success
2011/05/24 23:27:08.0234 4940 ================================================================================
2011/05/24 23:27:08.0234 4940 Scan started
2011/05/24 23:27:08.0234 4940 Mode: Manual;
2011/05/24 23:27:08.0234 4940 ================================================================================
2011/05/24 23:27:08.0765 4940 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/05/24 23:27:08.0812 4940 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2011/05/24 23:27:08.0843 4940 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2011/05/24 23:27:08.0906 4940 AFD (7618d5218f2a614672ec61a80d854a37) C:\WINDOWS\System32\drivers\afd.sys
2011/05/24 23:27:09.0171 4940 ALCXWDM (f3e15607ba53249c765e36388b332c2f) C:\WINDOWS\system32\drivers\ALCXWDM.SYS
2011/05/24 23:27:09.0343 4940 AmdK8 (59301936898ae62245a6f09c0aba9475) C:\WINDOWS\system32\DRIVERS\AmdK8.sys
2011/05/24 23:27:09.0390 4940 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
2011/05/24 23:27:09.0531 4940 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/05/24 23:27:09.0578 4940 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/05/24 23:27:09.0718 4940 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/05/24 23:27:09.0750 4940 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/05/24 23:27:09.0796 4940 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/05/24 23:27:09.0968 4940 BHDrvx86 (925a191c8c06124426c63ceb2ea93085) C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\Definitions\BASHDefs\20110518.001\BHDrvx86.sys
2011/05/24 23:27:10.0140 4940 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/05/24 23:27:10.0218 4940 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/05/24 23:27:10.0250 4940 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/05/24 23:27:10.0281 4940 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/05/24 23:27:10.0484 4940 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/05/24 23:27:10.0562 4940 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2011/05/24 23:27:10.0609 4940 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2011/05/24 23:27:10.0703 4940 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/05/24 23:27:10.0750 4940 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2011/05/24 23:27:10.0812 4940 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/05/24 23:27:10.0937 4940 eeCtrl (5461f01b7def17dc90d90b029f874c3b) C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
2011/05/24 23:27:10.0984 4940 EraserUtilRebootDrv (17fcc372d03ba39f3aee85198c0ec594) C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
2011/05/24 23:27:11.0109 4940 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/05/24 23:27:11.0140 4940 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\Drivers\fdc.sys
2011/05/24 23:27:11.0156 4940 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2011/05/24 23:27:11.0203 4940 FlashNT (336d337a862fb994edad4426fc275fc6) C:\WINDOWS\system32\drivers\FlashNT.sys
2011/05/24 23:27:11.0296 4940 Flpydisk (badedbf182e560fa9a179b0f5f552958) C:\WINDOWS\system32\Drivers\Sdfloppy.sys
2011/05/24 23:27:11.0375 4940 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2011/05/24 23:27:11.0453 4940 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/05/24 23:27:11.0484 4940 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/05/24 23:27:11.0531 4940 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
2011/05/24 23:27:11.0656 4940 GIDv2 (936ca0dc0acce06fe55de222ca5e56df) C:\WINDOWS\system32\drivers\GIDv2.sys
2011/05/24 23:27:11.0703 4940 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/05/24 23:27:11.0750 4940 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2011/05/24 23:27:11.0890 4940 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/05/24 23:27:11.0968 4940 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/05/24 23:27:12.0156 4940 IDSxpx86 (612a496401c840d9f5378de5ecb49a7c) C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\Definitions\IPSDefs\20110518.005\IDSxpx86.sys
2011/05/24 23:27:12.0312 4940 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/05/24 23:27:12.0421 4940 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2011/05/24 23:27:12.0468 4940 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2011/05/24 23:27:12.0562 4940 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/05/24 23:27:12.0609 4940 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/05/24 23:27:12.0640 4940 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/05/24 23:27:12.0656 4940 irda (aca5e7b54409f9cb5eed97ed0c81120e) C:\WINDOWS\system32\DRIVERS\irda.sys
2011/05/24 23:27:12.0687 4940 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/05/24 23:27:12.0796 4940 irsir (0501f0b9ab08425f8c0eacbdcc04aa32) C:\WINDOWS\system32\DRIVERS\irsir.sys
2011/05/24 23:27:12.0828 4940 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/05/24 23:27:12.0859 4940 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/05/24 23:27:12.0890 4940 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2011/05/24 23:27:12.0968 4940 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2011/05/24 23:27:13.0015 4940 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/05/24 23:27:13.0125 4940 LHidFilt (3fa98339e8d9e007726be62f231e2015) C:\WINDOWS\system32\DRIVERS\LHidFilt.Sys
2011/05/24 23:27:13.0250 4940 LMIInfo (4f69faaabb7db0d43e327c0b6aab40fc) C:\Program Files\LogMeIn\x86\RaInfo.sys
2011/05/24 23:27:13.0406 4940 LMImirr (4477689e2d8ae6b78ba34c9af4cc1ed1) C:\WINDOWS\system32\DRIVERS\LMImirr.sys
2011/05/24 23:27:13.0453 4940 LMIRfsDriver (3faa563ddf853320f90259d455a01d79) C:\WINDOWS\system32\drivers\LMIRfsDriver.sys
2011/05/24 23:27:13.0515 4940 LMouFilt (f259f758e04d8fb8d48c6cdbe45223e8) C:\WINDOWS\system32\DRIVERS\LMouFilt.Sys
2011/05/24 23:27:13.0609 4940 LUsbFilt (ca26e46ec8891058c9e10363df4e4650) C:\WINDOWS\system32\Drivers\LUsbFilt.Sys
2011/05/24 23:27:13.0687 4940 MHNDRV (7f2f1d2815a6449d346fcccbc569fbd6) C:\WINDOWS\system32\DRIVERS\mhndrv.sys
2011/05/24 23:27:13.0765 4940 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/05/24 23:27:13.0812 4940 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2011/05/24 23:27:13.0859 4940 MODEMCSA (1992e0d143b09653ab0f9c5e04b0fd65) C:\WINDOWS\system32\drivers\MODEMCSA.sys
2011/05/24 23:27:13.0890 4940 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/05/24 23:27:13.0968 4940 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2011/05/24 23:27:14.0015 4940 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/05/24 23:27:14.0062 4940 mozyFilter (b8e08bfcab2be31804cea983d2094faf) C:\WINDOWS\system32\DRIVERS\mozy.sys
2011/05/24 23:27:14.0093 4940 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/05/24 23:27:14.0140 4940 MRxSmb (0ea4d8ed179b75f8afa7998ba22285ca) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/05/24 23:27:14.0250 4940 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2011/05/24 23:27:14.0281 4940 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/05/24 23:27:14.0359 4940 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/05/24 23:27:14.0375 4940 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/05/24 23:27:14.0421 4940 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/05/24 23:27:14.0484 4940 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2011/05/24 23:27:14.0687 4940 NAVENG (920d9701bba90dbb7ccfd3536ea4d6f9) C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\Definitions\VirusDefs\20110524.018\NAVENG.SYS
2011/05/24 23:27:14.0796 4940 NAVEX15 (31b1a9b53c3319b97f7874347cd992d2) C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\Definitions\VirusDefs\20110524.018\NAVEX15.SYS
2011/05/24 23:27:14.0953 4940 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2011/05/24 23:27:14.0984 4940 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/05/24 23:27:15.0015 4940 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/05/24 23:27:15.0046 4940 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/05/24 23:27:15.0093 4940 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/05/24 23:27:15.0218 4940 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/05/24 23:27:15.0296 4940 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/05/24 23:27:15.0359 4940 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
2011/05/24 23:27:15.0437 4940 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2011/05/24 23:27:15.0484 4940 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/05/24 23:27:15.0531 4940 NTIDrvr (7f1c1f78d709c4a54cbb46ede7e0b48d) C:\WINDOWS\system32\DRIVERS\NTIDrvr.sys
2011/05/24 23:27:15.0562 4940 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/05/24 23:27:15.0765 4940 nv (77be0cee4e4a17474650d38ccc9d5579) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
2011/05/24 23:27:15.0921 4940 NVENETFD (2a7a2c6ab9631028b6e3a4159aa65705) C:\WINDOWS\system32\DRIVERS\NVENETFD.sys
2011/05/24 23:27:15.0953 4940 nvnetbus (20526a8827dc0956b5526aebcb6751a0) C:\WINDOWS\system32\DRIVERS\nvnetbus.sys
2011/05/24 23:27:15.0984 4940 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/05/24 23:27:16.0015 4940 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/05/24 23:27:16.0046 4940 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
2011/05/24 23:27:16.0171 4940 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
2011/05/24 23:27:16.0203 4940 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/05/24 23:27:16.0234 4940 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/05/24 23:27:16.0296 4940 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/05/24 23:27:16.0406 4940 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2011/05/24 23:27:16.0437 4940 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2011/05/24 23:27:16.0562 4940 Point32 (2e3394c8ebf31a9b4f0a531eb5cc7bc7) C:\WINDOWS\system32\DRIVERS\point32.sys
2011/05/24 23:27:16.0609 4940 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/05/24 23:27:16.0625 4940 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
2011/05/24 23:27:16.0703 4940 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/05/24 23:27:16.0734 4940 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/05/24 23:27:16.0765 4940 PxHelp20 (617accada2e0a0f43ec6030bbac49513) C:\WINDOWS\system32\Drivers\PxHelp20.sys
2011/05/24 23:27:16.0890 4940 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/05/24 23:27:16.0921 4940 Rasirda (0207d26ddf796a193ccd9f83047bb5fc) C:\WINDOWS\system32\DRIVERS\rasirda.sys
2011/05/24 23:27:16.0937 4940 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/05/24 23:27:16.0984 4940 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/05/24 23:27:17.0062 4940 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/05/24 23:27:17.0078 4940 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/05/24 23:27:17.0125 4940 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/05/24 23:27:17.0171 4940 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2011/05/24 23:27:17.0265 4940 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/05/24 23:27:17.0421 4940 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/05/24 23:27:17.0484 4940 RTL8023xp (6164f7cff5bd381fda94badc417832c6) C:\WINDOWS\system32\DRIVERS\Rtnicxp.sys
2011/05/24 23:27:17.0531 4940 rtl8139 (d507c1400284176573224903819ffda3) C:\WINDOWS\system32\DRIVERS\RTL8139.SYS
2011/05/24 23:27:17.0640 4940 Sdselect (7c4b01e60c2fd76ed7bc408b87d226c3) C:\WINDOWS\system32\drivers\Sdselect.sys
2011/05/24 23:27:17.0687 4940 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/05/24 23:27:17.0734 4940 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2011/05/24 23:27:17.0781 4940 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2011/05/24 23:27:17.0875 4940 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2011/05/24 23:27:17.0984 4940 smserial (544763e5ef4d8ef4c880bdfa7b7c5383) C:\WINDOWS\system32\DRIVERS\smserial.sys
2011/05/24 23:27:18.0109 4940 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2011/05/24 23:27:18.0187 4940 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/05/24 23:27:18.0359 4940 SRTSP (83726cf02eced69138948083e06b6eac) C:\WINDOWS\System32\Drivers\N360\0501000.01D\SRTSP.SYS
2011/05/24 23:27:18.0406 4940 SRTSPX (4e7eab2e5615d39cf1f1df9c71e5e225) C:\WINDOWS\system32\drivers\N360\0501000.01D\SRTSPX.SYS
2011/05/24 23:27:18.0468 4940 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/05/24 23:27:18.0593 4940 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/05/24 23:27:18.0656 4940 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2011/05/24 23:27:18.0781 4940 SymDS (9bbeb8c6258e72d62e7560e6667aad39) C:\WINDOWS\system32\drivers\N360\0501000.01D\SYMDS.SYS
2011/05/24 23:27:18.0890 4940 SymEFA (d5c02629c02a820a7e71bca3d44294a3) C:\WINDOWS\system32\drivers\N360\0501000.01D\SYMEFA.SYS
2011/05/24 23:27:18.0968 4940 SymEvent (ab33c3b196197ca467cbdda717860dba) C:\WINDOWS\system32\Drivers\SYMEVENT.SYS
2011/05/24 23:27:19.0046 4940 SymIRON (a73399804d5d4a8b20ba60fcf70c9f1f) C:\WINDOWS\system32\drivers\N360\0501000.01D\Ironx86.SYS
2011/05/24 23:27:19.0140 4940 SYMTDI (dec35ccaf7a222df918306cd2fdfbd39) C:\WINDOWS\System32\Drivers\N360\0501000.01D\SYMTDI.SYS
2011/05/24 23:27:19.0281 4940 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/05/24 23:27:19.0406 4940 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/05/24 23:27:19.0484 4940 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/05/24 23:27:19.0593 4940 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/05/24 23:27:19.0640 4940 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/05/24 23:27:19.0734 4940 UBHelper (e0c67be430c6de490d6ccaecfa071f9e) C:\WINDOWS\system32\drivers\UBHelper.sys
2011/05/24 23:27:19.0843 4940 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2011/05/24 23:27:19.0906 4940 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2011/05/24 23:27:19.0968 4940 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2011/05/24 23:27:20.0078 4940 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/05/24 23:27:20.0109 4940 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/05/24 23:27:20.0140 4940 usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys
2011/05/24 23:27:20.0203 4940 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2011/05/24 23:27:20.0343 4940 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2011/05/24 23:27:20.0406 4940 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/05/24 23:27:20.0453 4940 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2011/05/24 23:27:20.0593 4940 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/05/24 23:27:20.0687 4940 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/05/24 23:27:20.0734 4940 Wdf01000 (fd47474bd21794508af449d9d91af6e6) C:\WINDOWS\system32\DRIVERS\Wdf01000.sys
2011/05/24 23:27:20.0812 4940 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/05/24 23:27:21.0000 4940 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
2011/05/24 23:27:21.0062 4940 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2011/05/24 23:27:21.0093 4940 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2011/05/24 23:27:21.0140 4940 ZDPNDIS5 (29c917279d79848b3dd94909fc00e2a8) C:\WINDOWS\system32\ZDPNDIS5.SYS
2011/05/24 23:27:21.0265 4940 MBR (0x1B8) (99852d5c3a78447c3d6d82b6155fe848) \Device\Harddisk0\DR0
2011/05/24 23:27:21.0343 4940 ================================================================================
2011/05/24 23:27:21.0343 4940 Scan finished
2011/05/24 23:27:21.0343 4940 ================================================================================
2011/05/24 23:27:21.0359 4932 Detected object count: 0
2011/05/24 23:27:21.0359 4932 Actual detected object count: 0
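The log above is an inventory of every loaded driver with its MD5 and image path, plus one line for the MBR boot code. As an added example (not part of this thread and not TDSSKiller's own code), here is a small Python triage helper that parses those lines, flags drivers loaded from outside the usual system locations for a second look, pulls out the MBR hash and the detection count, and compares hashes against a baseline. The SAMPLE_LOG lines are copied from the log posted above; BASELINE_MD5 is a constructed baseline, and its atapi value is deliberately wrong so the mismatch check has something to report.

```python
"""Triage helper for a TDSSKiller scan log.

Added example for this thread; it is not TDSSKiller code. SAMPLE_LOG lines are
copied from the log posted above, BASELINE_MD5 is a constructed baseline.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# One inventory line: timestamp, pid, driver name, an optional "(0x1B8)" field
# (present only on the MBR line), then the MD5 in parentheses and the path.
DRIVER_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<pid>\d+)\s+(?P<name>\S+)\s+"
    r"(?:\((?P<extra>0x[0-9A-Fa-f]+)\)\s+)?"
    r"\((?P<md5>[0-9a-f]{32})\)\s+(?P<path>.+?)\s*$"
)
DETECTED_RE = re.compile(r"Detected object count:\s*(\d+)")

# Locations a driver is normally loaded from on this XP box. Anything else is
# not necessarily bad (the Norton definition drivers live under Documents and
# Settings), it just deserves a look during triage.
EXPECTED_PREFIXES = ("c:\\windows\\system32\\", "c:\\program files\\", "\\device\\")

# Lines copied from the TDSSKiller log posted in this thread.
SAMPLE_LOG = r"""
2011/05/24 23:27:08.0234 4940 Scan started
2011/05/24 23:27:08.0234 4940 Mode: Manual;
2011/05/24 23:27:08.0765 4940 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/05/24 23:27:09.0578 4940 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/05/24 23:27:09.0968 4940 BHDrvx86 (925a191c8c06124426c63ceb2ea93085) C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\Definitions\BASHDefs\20110518.001\BHDrvx86.sys
2011/05/24 23:27:13.0250 4940 LMIInfo (4f69faaabb7db0d43e327c0b6aab40fc) C:\Program Files\LogMeIn\x86\RaInfo.sys
2011/05/24 23:27:21.0265 4940 MBR (0x1B8) (99852d5c3a78447c3d6d82b6155fe848) \Device\Harddisk0\DR0
2011/05/24 23:27:21.0343 4940 Scan finished
2011/05/24 23:27:21.0359 4932 Detected object count: 0
"""

# Constructed baseline (e.g. from a known-clean machine with the same patch level).
BASELINE_MD5 = {
    "ACPI": "8fd99680a539792a30e97944fdaecf17",   # matches the posted log
    "atapi": "00000000000000000000000000000000",  # constructed mismatch, so the check fires
}


@dataclass
class Entry:
    name: str
    md5: str
    path: str
    extra: Optional[str] = None  # "0x1B8" on the MBR line, None for drivers


def parse_log(text: str) -> List[Entry]:
    """Return every driver/MBR inventory line; status lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = DRIVER_RE.match(line.strip())
        if m:
            entries.append(Entry(m["name"], m["md5"], m["path"], m["extra"]))
    return entries


def in_expected_location(path: str) -> bool:
    p = path.lower()
    return any(p.startswith(prefix) for prefix in EXPECTED_PREFIXES)


def flag_unusual(entries: List[Entry]) -> List[Entry]:
    """Drivers loaded from somewhere other than the expected directories."""
    return [e for e in entries if not in_expected_location(e.path)]


def baseline_mismatches(entries: List[Entry], baseline: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """(name, baseline md5, observed md5) for every known driver whose hash differs."""
    return [(e.name, baseline[e.name], e.md5)
            for e in entries if e.name in baseline and baseline[e.name] != e.md5]


def mbr_hash(entries: List[Entry]) -> Optional[str]:
    """MD5 TDSSKiller reported for the MBR boot code, if the line is present."""
    return next((e.md5 for e in entries if e.name == "MBR"), None)


def detected_count(text: str) -> Optional[int]:
    m = DETECTED_RE.search(text)
    return int(m.group(1)) if m else None


if __name__ == "__main__":
    found = parse_log(SAMPLE_LOG)
    print(f"{len(found)} inventory lines, detected objects: {detected_count(SAMPLE_LOG)}")
    print("MBR boot code md5:", mbr_hash(found))
    for e in flag_unusual(found):
        print("review location:", e.name, e.path)
    for name, expected, got in baseline_mismatches(found, BASELINE_MD5):
        print(f"hash differs from baseline: {name} {expected} -> {got}")
```

Run it against a full log by replacing SAMPLE_LOG with the file contents; the location check is a triage aid, not a verdict, so a flagged driver such as the Norton definition module is a prompt to confirm the vendor, not a detection.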

#8 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 25 May 2011 - 08:31 AM

HelpAsst_mebroot_fix

  • Please download HelpAsst_mebroot_fix.exe and save it to your desktop.
  • Close out all other open programs and windows.
  • Double click the file to run it and follow any prompts.
  • If the tool detects an mbr infection, please allow it to run mbr -f and shutdown your computer.
  • Upon restarting, please wait about 5 minutes, click Start>Run and type the following bolded command, then hit Enter.

    • helpasst -mbrt
  • Make sure you leave a space between helpasst and -mbrt !
  • When it completes, a log will open.
  • Please post the contents of that log.


#9 deriderj

deriderj
  • Topic Starter

  • Members
  • 11 posts

Posted 26 May 2011 - 01:41 AM

Gringo,

I ran HelpAsst_mebroot_fix as you asked me to do.

In the command window where the utility was running an error message came up that said, "HelpAssistant profile note found Press any key to continue...". I pressed a key and after a few seconds a message came up that said, "user & kernel MBR OK The tool has completed Press any key to continue...". I pressed a key and the window closed.

All in all quite uneventful which is probably a good thing. There is no log to post because the utility didn't find an issue, so there was no reboot and no running of the "helpasst -mbrt" command.

Hopefully I did everything correctly. Please let me know if there is more to do.


Thanks again,

Joel
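HelpAsst_mebroot_fix reported "user & kernel MBR OK", and the TDSSKiller log earlier in the thread records an "MBR (0x1B8)" hash for \Device\Harddisk0\DR0. As an added example, not code from either tool, the Python below shows what a structural check of a 512-byte Master Boot Record looks like: it validates the 0x55AA boot signature, parses the four partition entries, reports more than one active entry or overlapping partitions, and hashes only the first 0x1B8 bytes (the boot code, which ends where the 4-byte disk signature starts). That TDSSKiller's "(0x1B8)" refers to that same region is an assumption. The MBR bytes are constructed inline; on a real system the 512 bytes would come from a sector read of the physical disk.

```python
"""Structural sanity check of a 512-byte MBR.

Added example for this thread; it is not how HelpAsst_mebroot_fix or
TDSSKiller are implemented. The sample MBR is constructed inline.
"""
import hashlib
import struct
from typing import Dict, List

MBR_SIZE = 512
DISK_SIG_OFF = 0x1B8      # 4-byte disk signature; boot code occupies 0..0x1B7
PART_TABLE_OFF = 0x1BE    # four 16-byte partition entries
BOOT_SIG_OFF = 0x1FE      # 0x55AA
ENTRY_FMT = "<B3xB3xII"   # status, CHS start (skipped), type, CHS end (skipped), LBA start, sectors


def make_entry(status: int, ptype: int, lba_start: int, sectors: int) -> bytes:
    """Build one partition entry; CHS fields are zeroed, modern code uses LBA."""
    return struct.pack(ENTRY_FMT, status, ptype, lba_start, sectors)


def build_sample_mbr() -> bytes:
    """Constructed MBR: stand-in boot code, disk signature, two NTFS partitions."""
    boot_code = b"\x33\xC0\x8E\xD0" + b"\x90" * (DISK_SIG_OFF - 4)  # not real boot code
    disk_sig = struct.pack("<I", 0x1234ABCD) + b"\x00\x00"
    table = (make_entry(0x80, 0x07, 63, 1_000_000)
             + make_entry(0x00, 0x07, 1_000_063, 2_000_000)
             + bytes(32))
    return boot_code + disk_sig + table + b"\x55\xAA"


SAMPLE_MBR = build_sample_mbr()


def bootcode_md5(mbr: bytes) -> str:
    """MD5 of bytes 0..0x1B7 only, so partition-table edits do not change it."""
    return hashlib.md5(mbr[:DISK_SIG_OFF]).hexdigest()


def parse_partitions(mbr: bytes) -> List[Dict]:
    """Return the used partition entries (type 0x00 means unused)."""
    parts = []
    for i in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(ENTRY_FMT, mbr, PART_TABLE_OFF + 16 * i)
        if ptype == 0:
            continue
        parts.append({"index": i, "status": status, "active": status == 0x80,
                      "type": ptype, "lba_start": lba_start, "sectors": sectors})
    return parts


def check_mbr(mbr: bytes) -> List[str]:
    """Return a list of structural problems; an empty list means nothing odd."""
    if len(mbr) != MBR_SIZE:
        return [f"unexpected length {len(mbr)}"]
    issues = []
    if mbr[BOOT_SIG_OFF:] != b"\x55\xAA":
        issues.append("bad boot signature")
    parts = parse_partitions(mbr)
    if sum(1 for p in parts if p["active"]) > 1:
        issues.append("more than one active partition")
    for p in parts:
        if p["status"] not in (0x00, 0x80):
            issues.append(f"partition {p['index']}: invalid status byte 0x{p['status']:02x}")
    # Sort by start LBA and look for any entry starting before the previous one ends.
    spans = sorted((p["lba_start"], p["lba_start"] + p["sectors"], p["index"]) for p in parts)
    for (_, end1, i1), (start2, _, i2) in zip(spans, spans[1:]):
        if start2 < end1:
            issues.append(f"partitions {i1} and {i2} overlap")
    return issues


if __name__ == "__main__":
    print("boot code md5:", bootcode_md5(SAMPLE_MBR))
    for p in parse_partitions(SAMPLE_MBR):
        print(p)
    print("issues:", check_mbr(SAMPLE_MBR) or "none")
```

A clean structure is only half the story: a bootkit can leave the partition table intact and replace just the boot code, which is why the hash of the first 0x1B8 bytes, compared against a value from a known-good image of the same installation, is the part worth keeping in a baseline.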

#10 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 26 May 2011 - 02:45 AM

These logs are looking a lot better. But we still have some work to do.

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps.

uninstall some programs

1. click on start
2. then go to settings
3. after that you need control panel
4. look for the icon add/remove programs
click on the following programs

Adobe Reader 9.4.4
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 5
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 9
Java™ 6 Update 2
Java™ 6 Update 3
Java™ 6 Update 5
Java™ SE Runtime Environment 6 Update 1


and click on remove

Update Adobe Reader

Recently there have been vulnerabilities detected in older versions of Adobe Reader. It is strongly suggested that you update to the current version.

You can download it from http://www.adobe.com/products/acrobat/readstep2.html
After installing the latest Adobe Reader, uninstall all previous versions.
If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

If you don't like Adobe Reader (53 MB), you can download Foxit PDF Reader(7 MB) from here. It's a much smaller file to download and uses a lot less resources than Adobe Reader.

Note: When installing FoxitReader, be careful not to install anything to do with AskBar.
Your Java is out of date.

It can be updated by the Java control panel
  • click on Start-> Control Panel (Classic View)-> Java (looks like a coffee cup) -> Update Tab -> Update Now.
  • An update should begin;
  • follow the prompts

Clear your Java Cache

  • click on Start-> Control Panel (Classic View)-> Java (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked
      Applications and Applets
      Trace and Log Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Window
  • Click OK to leave the Java Control Panel.

TFC(Temp File Cleaner):

  • Please download TFC to your desktop,
  • Save any unsaved work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program.
  • If prompted, click "Yes" to reboot.
Note: Save your work. TFC will automatically close any open programs, let it run uninterrupted. It shouldn't take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

: Malwarebytes' Anti-Malware :

  • I would like you to rerun MBAM
  • Double-click mbam icon
  • go to the update tab at the top
  • click on check for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply
  • If you accidentally close it, the log file is saved here and will be named like this:
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Download HijackThis

  • Go Here to download HijackThis Installer
  • Save HijackThis Installer to your desktop.
  • Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7 right click and run as admin)
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed it will launch Hijackthis.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT use the AnalyseThis button; its findings are dangerous if misinterpreted.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

"information and logs"

  • In your next post I need the following

  • Log From MBAM
  • report from Hijackthis
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo


#11 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 29 May 2011 - 03:45 AM

Hello

48 Hour bump

It has been more than 48 hours since my last post.

  • do you still need help with this?
  • do you need more time?
  • are you having problems following my instructions?
  • if after 48hrs you have not replied to this thread then it will have to be closed!

Gringo

#12 deriderj

deriderj
  • Topic Starter

  • Members
  • 11 posts

Posted 29 May 2011 - 12:08 PM

Hey Gringo,

Sorry I haven't responded. I would still like help and will run your procedures this A.M.

Thanks again,

Joel

#13 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 29 May 2011 - 01:14 PM

Ok I will be waiting


gringo

#14 deriderj

deriderj
  • Topic Starter

  • Members
  • 11 posts

Posted 30 May 2011 - 12:16 AM

Gringo,

I was following your procedures but when I ran tfc.exe and selected "start" TFC said that it was stopping processes and I lost access to the remote PC. I won't be able to talk someone through making sure the utility finished correctly, then rebooting the PC until later Monday morning. Once it reboots I should regain the ability to connect remotely and then I will finish the procedures and report back the results.

There were no issues up to the point of losing remote connectivity.

Joel

#15 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 30 May 2011 - 12:37 AM

ok no problem


gringo



