
Infected with Windows XP Repair/ TDSS Google Redirect


  • This topic is locked
16 replies to this topic

#1 KCNoob

  • Members
  • 8 posts

Posted 06 July 2011 - 04:44 PM

Hello,

I am a new user and have been dealing with the "Windows XP Repair" virus for several days. I managed to clear the symptoms of the fake AV/repair using a combination of Malwarebytes, SUPERAntiSpyware and Trend Micro OfficeScan, although I'm not entirely sure which program actually helped. The pop-up warnings and messages have stopped, and all files appear visible and accessible.

However, the web browser redirect problems still remain. I have managed to access certain websites such as this one after researching on other computers and pasting the URL. I was previously limited to researching the problem on my PDA with little patience, and was ignorant of the do's and don'ts recommended on this forum. As such, I went through a series of attempts to use the AV programs listed above without resolving the problem and potentially complicating things. I performed the "forbidden" and ran ComboFix without your guidance, which fortunately does not seem to have completely destroyed my computer. It did not resolve the problems, so I downloaded TDSSKiller and ran it. TDSSKiller would not run, even after at least 10 attempts and changing the file name to various names ending in ".com".

Before reading the full instructions here, I re-ran ComboFix and found that it will not run, citing an error stating "Cannot write to file C:\32788R22FWJFW". From there I stopped and started reading the complete instructions from this forum on another computer. Current symptoms are as follows:

- Web browser redirect
- Cannot access safe mode (page loads, then freezes at the log-in screen)
- I have dual monitors (analog + digital). Only the analog monitor seems to be working, although all the settings are currently on "extended desktop". Using the Intel Graphics Media Accelerator Driver for Mobile.

I have now followed the "preparation guide" and am seeking your help. Thank you in advance for any assistance you can provide. Below are the log files:

-----------------------------------------------------------------------------------------------------------------------
DDS LOG

DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_26
Run by kchang at 11:19:59 on 2011-07-06
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1960.1148 [GMT -7:00]
.
AV: Trend Micro OfficeScan Antivirus *Disabled/Outdated* {641ABAA0-3702-4767-9ABD-BEFA5FDDBBDE}
FW: Trend Micro Personal Firewall *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\System32\svchost.exe -k Cognizance
C:\Program Files\Fingerprint Sensor\AtService.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\Program Files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\ABBYY\FineReader\10.00\Licensing\PE\NetworkLicenseServer.exe
C:\Program Files\ActivIdentity\ActivClient\accoca.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\PTChangeFilterService.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Intel\AMT\LMS.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Intel\Privacy Icon\UNS\UNS.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Hewlett-Packard\IAM\Bin\AsGHost.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\AccelerometerSt.Exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe
C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\ActivIdentity\ActivClient\acevents.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\32788R22FWJFW\iexplore.exe
C:\32788R22FWJFW\iexplore.exe
C:\32788R22FWJFW\iexplore.exe
C:\32788R22FWJFW\iexplore.exe
C:\32788R22FWJFW\iexplore.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\Documents and Settings\kchang\Desktop\ComboFix.exe
C:\32788R22FWJFW\iexplore.exe
C:\32788R22FWJFW\iexplore.exe
C:\32788R22FWJFW\iexplore.exe
C:\32788R22FWJFW\iexplore.exe
C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
mStart Page = about:blank
uInternet Connection Wizard,ShellNext = hxxp://rglsupernet.webexone.com/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Credential Manager for HP ProtectTools: {df21f1db-80c6-11d3-9483-b03d0ec10000} - c:\program files\hewlett-packard\iam\bin\ItIEAddIn.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [picon] "c:\program files\common files\intel\privacy icon\PrivacyIconClient.exe" -startup
mRun: [AccelerometerSysTrayApplet] c:\windows\system32\AccelerometerSt.Exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [accrdsub] "c:\program files\actividentity\activclient\accrdsub.exe"
mRun: [PTHOSTTR] c:\program files\hewlett-packard\hp protecttools security manager\PTHOSTTR.EXE /Start
mRun: [CognizanceTS] rundll32.exe c:\progra~1\hewlet~1\iam\bin\ASTSVCC.dll,RegisterModule
mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe"
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe"
mRun: [OfficeScanNT Monitor] "c:\program files\trend micro\officescan client\pccntmon.exe" -HideWindow
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Bonus.SSR.FR10] "c:\program files\abbyy finereader 10\Bonus.ScreenshotReader.exe" /autorun
mRun: [hpWirelessAssistant] c:\program files\hewlett-packard\hp wireless assistant\HPWAMain.exe
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSCONFIG.EXE /auto
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{08b785c1-3893-4154-b53b-f5d341d0aaaa}\Icon3E5562ED7.ico
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer = 192.168.20.21 192.168.0.10
TCP: Interfaces\{FEF487F0-213A-4821-A3B3-CF9C8B0E5944} : DhcpNameServer = 192.168.20.21 192.168.0.10
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: ackpbsc - c:\windows\system32\ackpbsc.dll
Notify: acunlock - c:\program files\actividentity\activclient\acunlock.dll
Notify: igfxcui - igfxdev.dll
Notify: OneCard - c:\program files\hewlett-packard\iam\bin\ASWLNPkg.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\kchang\application data\mozilla\firefox\profiles\xk3soso7.default\
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\microsoft silverlight\4.0.60531.0\npctrlui.dll
.
============= SERVICES / DRIVERS ===============
.
R0 SafeBoot;SafeBoot;c:\windows\system32\drivers\SafeBoot.sys [2008-6-5 109184]
R0 SbAlg;SbAlg;c:\windows\system32\drivers\SbAlg.sys [2008-6-5 51376]
R0 SbFsLock;SbFsLock;c:\windows\system32\drivers\SbFsLock.sys [2008-6-5 12928]
R0 SFAUDIO;Sonic Focus DSP Driver;c:\windows\system32\drivers\sfaudio.sys [2011-5-18 24064]
R1 RsvLock;RsvLock;c:\windows\system32\drivers\rsvlock.sys [2008-6-5 12496]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 ABBYY.Licensing.FineReader.Professional.10.0;ABBYY FineReader 10 PE Licensing Service;c:\program files\common files\abbyy\finereader\10.00\licensing\pe\NetworkLicenseServer.exe [2009-12-22 814344]
R2 accoca;ActivClient Middleware Service;c:\program files\actividentity\activclient\accoca.exe [2007-5-15 182576]
R2 ASBroker;Logon Session Broker;c:\windows\system32\svchost.exe -k Cognizance [2006-2-28 14336]
R2 ASChannel;Local Communication Channel;c:\windows\system32\svchost.exe -k Cognizance [2006-2-28 14336]
R2 ATService;AuthenTec Fingerprint Service;c:\program files\fingerprint sensor\AtService.exe [2008-5-15 1176824]
R2 HP ProtectTools Service;HP ProtectTools Service;c:\program files\hewlett-packard\hp protecttools security manager\PTChangeFilterService.exe [2008-6-10 18944]
R2 HpFkCryptService;Drive Encryption Service;c:\program files\hewlett-packard\drive encryption\HpFkCrypt.exe [2008-6-5 256512]
R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2011-5-18 51792]
R2 TmFilter;Trend Micro Filter;c:\program files\trend micro\officescan client\TmXPFlt.sys [2009-12-4 230928]
R2 TmPreFilter;Trend Micro PreFilter;c:\program files\trend micro\officescan client\tmpreflt.sys [2009-12-4 36368]
R2 UNS;Intel® Active Management Technology User Notification Service;c:\program files\common files\intel\privacy icon\uns\UNS.EXE [2011-5-18 2058776]
R3 ATSwpWDF;AuthenTec TruePrint USB WDF Driver;c:\windows\system32\drivers\ATSwpWDF.sys [2008-5-15 475520]
R3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [2011-5-18 244368]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2011-5-18 44800]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-6-30 22712]
R3 rismc32;RICOH Smart Card Reader;c:\windows\system32\drivers\rismc32.sys [2011-5-18 47616]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2010-1-4 339984]
S2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-6-30 366640]
S3 NWUSBPort2;Novatel Wireless USB Status2 Port Driver;c:\windows\system32\drivers\nwusbser2.sys [2009-6-3 174720]
S3 SMSIVZAM5;SMSIVZAM5 NDIS Protocol Driver;c:\progra~1\verizo~1\vzacce~1\SMSIVZAM5.SYS [2009-5-25 32408]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2007-11-14 394952]
S4 TmPfw;OfficeScan NT Firewall;c:\program files\trend micro\officescan client\TmPfw.exe [2009-7-15 497008]
S4 TmProxy;OfficeScan NT Proxy Service;c:\program files\trend micro\officescan client\TmProxy.exe [2009-7-15 689416]
.
=============== File Associations ===============
.
JSEFile=c:\windows\system32\rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.
=============== Created Last 30 ================
.
2011-07-06 18:01:36 -------- d-s---w- C:\ComboFix
2011-07-06 00:21:49 -------- d--h--w- c:\windows\PIF
2011-07-05 23:47:56 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-07-05 20:10:08 -------- d-sha-r- C:\cmdcons
2011-07-05 20:04:27 98816 ----a-w- c:\windows\sed.exe
2011-07-05 20:04:27 518144 ----a-w- c:\windows\SWREG.exe
2011-07-05 20:04:27 256000 ----a-w- c:\windows\PEV.exe
2011-07-05 20:04:27 208896 ----a-w- c:\windows\MBR.exe
2011-07-05 19:42:46 -------- d-----w- c:\windows\pss
2011-07-05 19:03:00 -------- d-----w- c:\windows\system32\appmgmt
2011-07-05 18:54:34 388096 ----a-r- c:\documents and settings\kchang\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2011-07-05 18:54:33 -------- d-----w- c:\program files\HiJack
2011-07-05 15:58:26 -------- d-----w- c:\program files\AVAST Software
2011-07-05 15:58:26 -------- d-----w- c:\documents and settings\all users\application data\AVAST Software
2011-07-05 07:01:41 20552 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-07-05 07:00:06 -------- d-----w- c:\documents and settings\all users\application data\Hitman Pro
2011-07-04 17:23:39 -------- d-----w- c:\documents and settings\kchang\application data\Verizon Wireless
2011-07-01 19:10:54 -------- d-----w- c:\documents and settings\kchang\application data\SUPERAntiSpyware.com
2011-07-01 19:10:54 -------- d-----w- c:\documents and settings\all users\application data\SUPERAntiSpyware.com
2011-07-01 19:10:28 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-07-01 04:18:08 -------- d-----w- c:\documents and settings\all users\application data\WEngineLite
2011-07-01 04:18:07 -------- d-----w- c:\documents and settings\all users\application data\Verizon Wireless
2011-07-01 04:07:21 -------- d-----w- c:\program files\Verizon Wireless
2011-07-01 04:06:52 -------- d-----w- c:\program files\Novatel Wireless
2011-07-01 04:06:49 -------- d-----w- c:\windows\Downloaded Installations
2011-07-01 00:09:55 -------- d-----w- c:\documents and settings\kchang\application data\Malwarebytes
2011-07-01 00:09:41 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-01 00:09:41 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2011-07-01 00:09:36 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-07-01 00:09:36 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-06-30 21:49:52 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-06-30 21:49:52 -------- d-----w- c:\windows\system32\wbem\Repository
2011-06-17 10:01:33 -------- d-----w- c:\windows\SxsCaPendDel
2011-06-16 22:32:41 105472 -c----w- c:\windows\system32\dllcache\mup.sys
2011-06-11 10:00:20 -------- d-----w- c:\program files\MSXML 4.0
2011-06-10 16:11:53 -------- d-----w- c:\program files\common files\AnswerWorks 5.0
2011-06-10 16:11:42 4199768 ----a-w- c:\windows\system32\cdintf400.dll
2011-06-10 16:11:21 -------- d-----w- c:\program files\common files\Intuit
2011-06-10 16:11:16 -------- d-----w- c:\program files\Quicken
2011-06-10 16:11:16 -------- d-----w- c:\documents and settings\kchang\application data\Intuit
2011-06-10 16:10:55 -------- d-----w- c:\documents and settings\all users\application data\Intuit
.
==================== Find3M ====================
.
2011-07-05 23:47:40 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-05-19 00:25:41 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-05-19 00:22:31 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-05-02 15:31:52 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-04-29 17:25:27 151552 ---ha-w- c:\windows\system32\schannel(2).dll
2011-04-29 16:19:43 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-04-25 16:11:12 916480 ----a-w- c:\windows\system32\wininet.dll
2011-04-25 16:11:11 43520 ------w- c:\windows\system32\licmgr10.dll
2011-04-25 16:11:11 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-04-25 12:01:22 385024 ---h--w- c:\windows\system32\html.iec
2011-04-21 13:37:43 105472 ----a-w- c:\windows\system32\drivers\mup.sys
.
============= FINISH: 11:32:03.98 ===============


GMER LOG

GMER 1.0.15.15640 - http://www.gmer.net
Rootkit scan 2011-07-06 14:15:38
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 ST925042 rev.HP15
Running: gmer.exe; Driver: C:\DOCUME~1\kchang\LOCALS~1\Temp\pxtdypoc.sys


---- System - GMER 1.0.15 ----

SSDT 81E17EE0 ZwCreateKey
SSDT 81E19080 ZwCreateMutant
SSDT 81E173E0 ZwCreateProcess
SSDT 81E176A0 ZwCreateProcessEx
SSDT 81E18D40 ZwCreateThread
SSDT 81E18460 ZwDeleteKey
SSDT 81E18720 ZwDeleteValueKey
SSDT 81E18EE0 ZwLoadDriver
SSDT 81E17960 ZwOpenProcess
SSDT 81E19220 ZwSetSystemInformation
SSDT 81E181A0 ZwSetValueKey
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xA0BE8620]
SSDT 81E18BA0 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

.text KDCOM.DLL!KdSendPacket F7987345 6 Bytes [FA, 8D, 46, 01, 25, FF]
.text KDCOM.DLL!KdSendPacket F798734D 5 Bytes [80, 79, 07, 48, 0D]
.text KDCOM.DLL!KdSendPacket F7987353 29 Bytes [FF, FF, FF, 40, 0F, B6, F0, ...]
.text KDCOM.DLL!KdSendPacket F7987371 28 Bytes [FF, FF, FF, 42, 0F, B6, FA, ...]
.text KDCOM.DLL!KdD0Transition + 8 F798738E 17 Bytes [08, 03, 55, F8, 03, D8, 81, ...]
.text KDCOM.DLL!KdD0Transition + 1A F79873A0 42 Bytes [FF, FF, FF, 43, 0F, B6, C3, ...]
.text KDCOM.DLL!KdDebuggerInitialize0 + 25 F79873CB 6 Bytes [00, C9, C2, 08, 00, 55] {ADD CL, CL; RET 0x8; PUSH EBP}
.text KDCOM.DLL!KdDebuggerInitialize0 + 2C F79873D2 23 Bytes [EC, 83, C8, FF, 83, 7D, 08, ...]
.text KDCOM.DLL!KdDebuggerInitialize0 + 44 F79873EA 162 Bytes [42, 5E, F6, C1, 01, 74, 0A, ...]
.text KDCOM.DLL!KdRestore + 2D F798748D 1 Byte [43]
.text KDCOM.DLL!KdRestore + 2D F798748D 77 Bytes [43, 08, 89, 45, FC, 8B, 55, ...]
.text KDCOM.DLL!KdRestore + 7C F79874DC 25 Bytes [C9, C2, 08, 00, 55, 8B, EC, ...]
.text KDCOM.DLL!KdRestore + 97 F79874F7 21 Bytes [89, 06, 89, 46, 08, 89, 46, ...]
.text KDCOM.DLL!KdRestore + AD F798750D 241 Bytes CALL F798746D \WINDOWS\system32\KDCOM.DLL (Kernel Debugger HW Extension DLL/Microsoft Corporation)
.text ...
PAGEKD KDCOM.DLL!KdReceivePacket + 2 F7987F4E 205 Bytes [F0, 8D, 45, FC, 50, 53, 56, ...]
PAGEKD KDCOM.DLL!KdReceivePacket + D0 F798801C 2 Bytes [75, 0E] {JNZ 0x10}
PAGEKD KDCOM.DLL!KdReceivePacket + D3 F798801F 1 Byte [C0]
PAGEKD KDCOM.DLL!KdReceivePacket + D3 F798801F 103 Bytes [C0, 02, 83, C2, 02, 84, DB, ...]
PAGEKD KDCOM.DLL!KdReceivePacket + 13B F7988087 131 Bytes [7D, 0C, B8, 4D, 5A, 00, 00, ...]
PAGEKD ...
? C:\WINDOWS\system32\drivers\SafeBoot.sys The process cannot access the file because it is being used by another process.
? C:\WINDOWS\system32\Drivers\PROCEXP113.SYS The system cannot find the file specified. !
? C:\DOCUME~1\kchang\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Internet Explorer\iexplore.exe[2204] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2154C5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2204] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9A91 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2204] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD0CD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2204] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB04 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2204] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E25466E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2204] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E5329 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2204] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E525B C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2204] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E52C6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2204] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E512C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2204] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E518E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2204] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E538C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2204] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E51F0 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2204] ole32.dll!CoCreateInstance 774FF1AC 5 Bytes JMP 3E2EDB60 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2204] ole32.dll!OleLoadFromStream 7752981B 5 Bytes JMP 3E3E5691 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2204] WS2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 0050000A
.text C:\Program Files\Internet Explorer\iexplore.exe[2204] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 004D000A
.text C:\Program Files\Internet Explorer\iexplore.exe[2204] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 004C000A
.text C:\Program Files\Internet Explorer\iexplore.exe[2204] WS2_32.dll!send 71AB4C27 5 Bytes JMP 004E000A
.text C:\Program Files\Internet Explorer\iexplore.exe[2204] WS2_32.dll!gethostbyname 71AB5355 5 Bytes JMP 004F000A
.text C:\Program Files\Internet Explorer\iexplore.exe[2204] WS2_32.dll!recv 71AB676F 5 Bytes JMP 004B000A
.text C:\Program Files\Internet Explorer\iexplore.exe[2204] WININET.dll!HttpAddRequestHeadersA 3D94CF4E 5 Bytes JMP 00E868C7
.text C:\Program Files\Internet Explorer\iexplore.exe[2204] WININET.dll!HttpAddRequestHeadersW 3D94FE49 5 Bytes JMP 00E86AD2
.text C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE[2604] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 5 Bytes JMP 32605B49 C:\Program Files\Common Files\Microsoft Shared\office12\mso.dll (2007 Microsoft Office component/Microsoft Corporation)
.text C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE[2604] ole32.dll!OleLoadFromStream 7752981B 5 Bytes JMP 32920DB5 C:\Program Files\Common Files\Microsoft Shared\office12\mso.dll (2007 Microsoft Office component/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3236] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2154C5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3236] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB04 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3236] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E5329 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3236] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E525B C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3236] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E52C6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3236] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E512C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3236] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E518E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3236] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E538C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3236] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E51F0 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3236] WS2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 00E5000A
.text C:\Program Files\Internet Explorer\iexplore.exe[3236] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00E2000A
.text C:\Program Files\Internet Explorer\iexplore.exe[3236] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 00E1000A
.text C:\Program Files\Internet Explorer\iexplore.exe[3236] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00E3000A
.text C:\Program Files\Internet Explorer\iexplore.exe[3236] WS2_32.dll!gethostbyname 71AB5355 5 Bytes JMP 00E4000A
.text C:\Program Files\Internet Explorer\iexplore.exe[3236] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00E0000A
.text C:\Program Files\Internet Explorer\iexplore.exe[3236] WININET.dll!HttpAddRequestHeadersA 3D94CF4E 5 Bytes JMP 00E868C7
.text C:\Program Files\Internet Explorer\iexplore.exe[3236] WININET.dll!HttpAddRequestHeadersW 3D94FE49 5 Bytes JMP 00E86AD2
.text C:\Program Files\Microsoft Office\Office12\WINWORD.EXE[5240] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 5 Bytes JMP 32605B49 C:\Program Files\Common Files\Microsoft Shared\office12\mso.dll (2007 Microsoft Office component/Microsoft Corporation)
.text C:\Program Files\Microsoft Office\Office12\WINWORD.EXE[5240] ole32.dll!OleLoadFromStream 7752981B 5 Bytes JMP 32920DB5 C:\Program Files\Common Files\Microsoft Shared\office12\mso.dll (2007 Microsoft Office component/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs TmPreFlt.sys (Pre-Filter For XP/Trend Micro Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat TmPreFlt.sys (Pre-Filter For XP/Trend Micro Inc.)

---- Threads - GMER 1.0.15 ----

Thread System [4:144] 89CD70B3
Thread System [4:156] 89CD87FB

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@RequireSignedAppInit_DLLs 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs C:\WINDOWS\system32\APSHook.dll APSHook.dll

---- EOF - GMER 1.0.15 ----
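The "User code sections" of the GMER log above show two kinds of inline hooks inside iexplore.exe (PIDs 2204 and 3236). The USER32.dll and ole32.dll hooks jump to addresses GMER resolves to C:\WINDOWS\system32\IEFRAME.dll, which is Internet Explorer hooking its own process. The WS2_32.dll hooks (getaddrinfo, gethostbyname, connect, send, recv, closesocket) and the WININET.dll HttpAddRequestHeaders hooks jump to targets such as 0050000A, 004C000A and 00E868C7 with no module name at all, meaning the code they land in is not backed by any loaded image. The script below is an added example for this thread, not code from the poster, from the Malware Response Team or from GMER. It parses lines of this shape and pulls out the unattributed hooks, grouping them per process and flagging the ones on name-resolution and HTTP APIs, which is the set a browser redirector needs to control. The sample lines embedded in it are copied from the log above; the "unattributed target is a lead" heuristic and the NETWORK_APIS list are this example's own assumptions, not GMER output.

```python
"""Triage helper for the 'User code sections' part of a GMER log.

Added example for this thread; not code from the original post and not part
of GMER. It parses GMER's inline-hook lines and separates hooks whose JMP
target GMER resolved to a module on disk (IEFRAME.dll, mso.dll, ...) from
hooks whose target carries no module attribution. A JMP into memory that is
not backed by any loaded image is what injected code looks like, so those
are the lines a responder reads first. The result is a lead, not a verdict.
"""
import re
from collections import defaultdict

# One GMER user-mode hook line. Two shapes occur in the log:
#   .text <proc>[<pid>] <mod>!<func> <addr> 5 Bytes JMP <target>
#   .text <proc>[<pid>] <mod>!<func> <addr> 5 Bytes JMP <target> <image path> (<description>)
HOOK_RE = re.compile(
    r"^\.text\s+(?P<process>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[^\s!]+)!(?P<func>\S+)\s+"
    r"(?P<addr>[0-9A-F]{8})\s+(?P<size>\d+)\s+Bytes\s+JMP\s+(?P<target>[0-9A-F]{8})"
    r"(?:\s+(?P<image>.+?\.(?:dll|exe))\s+\((?P<desc>[^)]*)\))?\s*$",
    re.IGNORECASE,
)

# Assumption of this example: the APIs a browser redirector hooks to control
# name resolution, socket I/O and outgoing HTTP request headers.
NETWORK_APIS = {
    "getaddrinfo", "gethostbyname", "connect", "send", "recv",
    "HttpAddRequestHeadersA", "HttpAddRequestHeadersW",
}


def parse_hooks(lines):
    """Parse GMER hook lines; lines that are not hooks (section headers etc.) are skipped."""
    hooks = []
    for line in lines:
        m = HOOK_RE.match(line.strip())
        if not m:
            continue
        h = m.groupdict()
        h["pid"] = int(h["pid"])
        h["addr"] = int(h["addr"], 16)
        h["target"] = int(h["target"], 16)
        h["attributed"] = h["image"] is not None   # GMER named the module the JMP lands in
        hooks.append(h)
    return hooks


def unattributed_by_process(hooks):
    """Map (process path, pid) -> ['WS2_32.dll!connect', ...] for hooks GMER could
    not tie to a module. Attributed hooks are dropped: a JMP that lands in
    IEFRAME.dll or mso.dll is ordinary application behaviour."""
    out = defaultdict(list)
    for h in hooks:
        if not h["attributed"]:
            out[(h["process"], h["pid"])].append(f"{h['module']}!{h['func']}")
    return dict(out)


def redirect_indicators(hooks):
    """Per pid, the sorted unattributed hooks sitting on NETWORK_APIS. A process
    whose DNS lookups, socket I/O and request headers are all diverted to
    unattributed code matches the 'browser redirect' symptom in the thread."""
    out = defaultdict(set)
    for h in hooks:
        if not h["attributed"] and h["func"] in NETWORK_APIS:
            out[h["pid"]].add(h["func"])
    return {pid: sorted(funcs) for pid, funcs in out.items()}


def target_layout(hooks):
    """Sorted (64 KiB region, offset within region) for each unattributed JMP target.
    In the log above the WS2_32 hooks land at 004B000A, 004C000A, 004E000A and
    0050000A: a different region for every hook, all at offset 0x000A, which is
    consistent with separately allocated per-hook stubs rather than with a jump
    into any DLL's code."""
    return sorted((h["target"] & 0xFFFF0000, h["target"] & 0xFFFF)
                  for h in hooks if not h["attributed"])


# Constructed sample: lines copied from the GMER log above, plus one section
# header to show that non-hook lines are ignored.
SAMPLE_LOG = r"""
.text C:\Program Files\Internet Explorer\iexplore.exe[2204] ole32.dll!CoCreateInstance 774FF1AC 5 Bytes JMP 3E2EDB60 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2204] WS2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 0050000A
.text C:\Program Files\Internet Explorer\iexplore.exe[2204] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 004C000A
.text C:\Program Files\Internet Explorer\iexplore.exe[2204] WS2_32.dll!send 71AB4C27 5 Bytes JMP 004E000A
.text C:\Program Files\Internet Explorer\iexplore.exe[2204] WS2_32.dll!recv 71AB676F 5 Bytes JMP 004B000A
.text C:\Program Files\Internet Explorer\iexplore.exe[2204] WININET.dll!HttpAddRequestHeadersA 3D94CF4E 5 Bytes JMP 00E868C7
.text C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE[2604] ole32.dll!OleLoadFromStream 7752981B 5 Bytes JMP 32920DB5 C:\Program Files\Common Files\Microsoft Shared\office12\mso.dll (2007 Microsoft Office component/Microsoft Corporation)
---- Devices - GMER 1.0.15 ----
""".strip().splitlines()


if __name__ == "__main__":
    parsed = parse_hooks(SAMPLE_LOG)
    for (proc, pid), funcs in unattributed_by_process(parsed).items():
        print(f"{proc} [{pid}]: {len(funcs)} unattributed hook(s)")
        for f in funcs:
            print("   ", f)
    print("network API hooks per pid:", redirect_indicators(parsed))
    print("target layout:", [(hex(r), hex(o)) for r, o in target_layout(parsed)])
```

To use it on a real case, read a saved GMER log with `open(path).read().splitlines()` and pass the lines to `parse_hooks`. Security products also hook these same APIs, but GMER normally prints the vendor's DLL after the target when the hook lands in a loaded module (the Trend Micro and SUPERAntiSpyware entries elsewhere in this log are attributed that way), so an unattributed hook on the network APIs is what to follow up with a second tool or a memory dump of the process.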



#2 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • Location:Canada

Posted 09 July 2011 - 01:05 PM

Hi,

Please do the following:

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#3 KCNoob

KCNoob
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:09:38 PM

Posted 09 July 2011 - 03:57 PM

Thanks for replying to my post. In response to your instructions to download ComboFix, before starting this topic I previously downloaded ComboFix and ran it. I was having some problems with it as noted in my original post. I went to check for the log file and I did not find it.

Should I re-run the installed version of ComboFix? (it previously got hung up after an error - "Cannot write to file C:\32788R22FWJFW") Should I uninstall ComboFix and re-install and run? Or some other step?

#4 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Canada
  • Local time:12:38 AM

Posted 09 July 2011 - 04:17 PM

Right-click and delete the version of ComboFix that you have on your desktop.

Download a fresh copy from the above link, but rename it to iexplore before saving it to your desktop.

If you still have trouble running it, then run it in safe mode:


To Enter Safemode
  • Go to Start> Shut off your Computer> Restart
  • As the computer starts to boot-up, Tap the F8 KEY repeatedly,
  • this will bring up a menu.
  • Use the Up and Down Arrow Keys to scroll up to Safemode
  • Then press the Enter Key on your Keyboard
  • go into your usual account

Edited by CatByte, 09 July 2011 - 04:19 PM.



#5 KCNoob

KCNoob
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:09:38 PM

Posted 09 July 2011 - 11:40 PM

Here are the results from ComboFix....

----------------------------------------------------

ComboFix 11-07-09.03 - kchang 07/09/2011 19:17:47.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1960.1451 [GMT -7:00]
Running from: c:\documents and settings\kchang\Desktop\ComboFix.exe
AV: Trend Micro OfficeScan Antivirus *Disabled/Outdated* {641ABAA0-3702-4767-9ABD-BEFA5FDDBBDE}
FW: Trend Micro Personal Firewall *Enabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}
.
.
((((((((((((((((((((((((( Files Created from 2011-06-10 to 2011-07-10 )))))))))))))))))))))))))))))))
.
.
2011-07-08 20:48 . 2011-07-08 20:48 -------- d-----w- c:\program files\SystemRequirementsLab
2011-07-06 00:21 . 2011-07-06 00:21 -------- d--h--w- c:\windows\PIF
2011-07-05 23:47 . 2011-07-05 23:47 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-07-05 18:54 . 2011-07-05 18:54 -------- d-----w- c:\program files\HiJack
2011-07-05 15:58 . 2011-07-05 17:00 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software
2011-07-05 15:58 . 2011-07-05 15:58 -------- d-----w- c:\program files\AVAST Software
2011-07-05 07:01 . 2011-07-05 15:22 20552 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-07-05 07:00 . 2011-07-05 07:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2011-07-04 17:23 . 2011-07-04 17:23 -------- d-----w- c:\documents and settings\kchang\Application Data\Verizon Wireless
2011-07-01 19:10 . 2011-07-01 19:10 -------- d-----w- c:\documents and settings\kchang\Application Data\SUPERAntiSpyware.com
2011-07-01 19:10 . 2011-07-01 19:10 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-07-01 19:10 . 2011-07-01 20:55 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-07-01 04:18 . 2011-07-01 04:18 -------- d-----w- c:\documents and settings\All Users\Application Data\WEngineLite
2011-07-01 04:18 . 2011-07-04 17:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Verizon Wireless
2011-07-01 04:07 . 2011-07-01 04:18 -------- d-----w- c:\program files\Verizon Wireless
2011-07-01 04:06 . 2011-07-01 04:06 -------- d-----w- c:\program files\Novatel Wireless
2011-07-01 04:06 . 2011-07-01 04:06 -------- d-----w- c:\windows\Downloaded Installations
2011-07-01 04:06 . 2011-07-01 04:06 -------- d-----w- c:\documents and settings\kchang\Application Data\InstallShield
2011-07-01 00:09 . 2011-07-01 00:09 -------- d-----w- c:\documents and settings\kchang\Application Data\Malwarebytes
2011-07-01 00:09 . 2011-07-01 00:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-07-01 00:09 . 2011-05-29 16:11 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-01 00:09 . 2011-07-01 00:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-07-01 00:09 . 2011-05-29 16:11 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-06-30 21:49 . 2011-06-30 21:49 -------- d-----w- c:\windows\system32\wbem\Repository
2011-06-17 10:01 . 2011-06-30 21:43 -------- d-----w- c:\windows\SxsCaPendDel
2011-06-16 22:32 . 2011-04-21 13:37 105472 -c----w- c:\windows\system32\dllcache\mup.sys
2011-06-11 10:00 . 2011-06-11 10:00 -------- d-----w- c:\program files\MSXML 4.0
2011-06-10 16:11 . 2011-06-10 16:11 -------- d-----w- c:\program files\Common Files\AnswerWorks 5.0
2011-06-10 16:11 . 2010-09-01 01:43 4199768 ----a-w- c:\windows\system32\cdintf400.dll
2011-06-10 16:11 . 2011-06-10 16:11 -------- d-----w- c:\program files\Common Files\Intuit
2011-06-10 16:11 . 2011-06-10 16:17 -------- d-----w- c:\program files\Quicken
2011-06-10 16:11 . 2011-06-10 16:11 -------- d-----w- c:\documents and settings\kchang\Application Data\Intuit
2011-06-10 16:10 . 2011-06-10 16:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Intuit
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-05 23:47 . 2011-05-18 21:01 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-05-19 00:25 . 2011-05-19 00:25 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-05-19 00:22 . 2011-05-19 00:22 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-05-02 15:31 . 2011-05-18 18:00 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-04-29 17:25 . 2006-02-28 11:00 151552 ---ha-w- c:\windows\system32\schannel(2).dll
2011-04-29 16:19 . 2006-02-28 11:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-04-25 16:11 . 2006-02-28 11:00 916480 ----a-w- c:\windows\system32\wininet.dll
2011-04-25 16:11 . 2006-02-28 11:00 43520 ------w- c:\windows\system32\licmgr10.dll
2011-04-25 16:11 . 2006-02-28 11:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-04-25 12:01 . 2006-02-28 11:00 385024 ---h--w- c:\windows\system32\html.iec
2011-04-21 13:37 . 2006-02-28 11:00 105472 ----a-w- c:\windows\system32\drivers\mup.sys
2011-04-14 16:26 . 2011-05-20 16:16 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-07-01 2424192]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2008-04-04 1044480]
"picon"="c:\program files\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe" [2008-06-02 367128]
"AccelerometerSysTrayApplet"="c:\windows\system32\AccelerometerSt.Exe" [2008-05-08 77616]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-06-05 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-06-05 170520]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-06-05 141848]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-06-20 178712]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-03-27 1040384]
"accrdsub"="c:\program files\ActivIdentity\ActivClient\accrdsub.exe" [2007-05-15 293168]
"PTHOSTTR"="c:\program files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE" [2008-06-10 238896]
"CognizanceTS"="c:\progra~1\HEWLET~1\IAM\Bin\ASTSVCC.dll" [2008-06-02 24848]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2008-06-12 37232]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2008-06-12 640376]
"OfficeScanNT Monitor"="c:\program files\Trend Micro\OfficeScan Client\pccntmon.exe" [2009-09-08 849192]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
"Bonus.SSR.FR10"="c:\program files\ABBYY FineReader 10\Bonus.ScreenshotReader.exe" [2009-12-24 941320]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2008-04-15 488752]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-05-29 449584]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2008-5-12 576104]
VPN Client.lnk - c:\windows\Installer\{08B785C1-3893-4154-B53B-F5D341D0AAAA}\Icon3E5562ED7.ico [2011-5-20 6144]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ackpbsc]
2007-05-15 23:08 112640 ----a-w- c:\windows\system32\ackpbsc.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\acunlock]
2007-05-15 23:08 281088 ----a-w- c:\program files\ActivIdentity\ActivClient\acunlock.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OneCard]
2008-06-02 12:06 112400 ----a-w- c:\program files\Hewlett-Packard\IAM\Bin\ASWLNPkg.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2417785743-1643406147-6647096-1665\Scripts\Logon\0\0]
"Script"=RGL.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2417785743-1643406147-6647096-500\Scripts\Logon\0\0]
"Script"=RGL.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"TmProxy"=3 (0x3)
"TmPfw"=3 (0x3)
"tmlisten"=2 (0x2)
"TMBMServer"=3 (0x3)
"ntrtscan"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"42666:TCP"= 42666:TCP:Trend Micro OfficeScan Listener
.
R0 SafeBoot;SafeBoot;c:\windows\system32\drivers\SafeBoot.sys [6/5/2008 5:08 PM 109184]
R0 SbAlg;SbAlg;c:\windows\system32\drivers\SbAlg.sys [6/5/2008 5:08 PM 51376]
R0 SbFsLock;SbFsLock;c:\windows\system32\drivers\SbFsLock.sys [6/5/2008 5:08 PM 12928]
R0 SFAUDIO;Sonic Focus DSP Driver;c:\windows\system32\drivers\sfaudio.sys [5/18/2011 11:10 AM 24064]
R1 RsvLock;RsvLock;c:\windows\system32\drivers\rsvlock.sys [6/5/2008 5:08 PM 12496]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 11:41 AM 67656]
R2 ABBYY.Licensing.FineReader.Professional.10.0;ABBYY FineReader 10 PE Licensing Service;c:\program files\Common Files\ABBYY\FineReader\10.00\Licensing\PE\NetworkLicenseServer.exe [12/22/2009 1:08 AM 814344]
R2 accoca;ActivClient Middleware Service;c:\program files\ActivIdentity\ActivClient\accoca.exe [5/15/2007 4:08 PM 182576]
R2 ASBroker;Logon Session Broker;c:\windows\System32\svchost.exe -k Cognizance [2/28/2006 4:00 AM 14336]
R2 ASChannel;Local Communication Channel;c:\windows\System32\svchost.exe -k Cognizance [2/28/2006 4:00 AM 14336]
R2 ATService;AuthenTec Fingerprint Service;c:\program files\Fingerprint Sensor\AtService.exe [5/15/2008 3:11 PM 1176824]
R2 HP ProtectTools Service;HP ProtectTools Service;c:\program files\Hewlett-Packard\HP ProtectTools Security Manager\PTChangeFilterService.exe [6/10/2008 11:13 AM 18944]
R2 HpFkCryptService;Drive Encryption Service;c:\program files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe [6/5/2008 5:07 PM 256512]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [6/30/2011 5:09 PM 366640]
R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [5/18/2011 12:35 PM 51792]
R2 TmFilter;Trend Micro Filter;c:\program files\Trend Micro\OfficeScan Client\TmXPFlt.sys [12/4/2009 3:39 PM 230928]
R2 TmPreFilter;Trend Micro PreFilter;c:\program files\Trend Micro\OfficeScan Client\tmpreflt.sys [12/4/2009 3:38 PM 36368]
R2 UNS;Intel® Active Management Technology User Notification Service;c:\program files\Common Files\Intel\Privacy Icon\UNS\UNS.EXE [5/18/2011 11:16 AM 2058776]
R3 ATSwpWDF;AuthenTec TruePrint USB WDF Driver;c:\windows\system32\drivers\ATSwpWDF.sys [5/15/2008 1:29 PM 475520]
R3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [5/18/2011 11:26 AM 244368]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [5/18/2011 11:41 AM 44800]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [6/30/2011 5:09 PM 22712]
R3 rismc32;RICOH Smart Card Reader;c:\windows\system32\drivers\rismc32.sys [5/18/2011 11:25 AM 47616]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [1/4/2010 6:03 PM 339984]
S3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [12/18/2009 11:58 AM 11336]
S3 NWUSBPort2;Novatel Wireless USB Status2 Port Driver;c:\windows\system32\drivers\nwusbser2.sys [6/3/2009 10:01 AM 174720]
S3 SMSIVZAM5;SMSIVZAM5 NDIS Protocol Driver;c:\progra~1\VERIZO~1\VZACCE~1\SMSIVZAM5.SYS [5/25/2009 3:43 PM 32408]
S4 TmPfw;OfficeScan NT Firewall;c:\program files\Trend Micro\OfficeScan Client\TmPfw.exe [7/15/2009 4:39 PM 497008]
S4 TmProxy;OfficeScan NT Proxy Service;c:\program files\Trend Micro\OfficeScan Client\TmProxy.exe [7/15/2009 4:37 PM 689416]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Cognizance REG_MULTI_SZ ASBroker ASChannel
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
mStart Page = about:blank
uInternet Connection Wizard,ShellNext = hxxp://rglsupernet.webexone.com/
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
FF - ProfilePath - c:\documents and settings\kchang\Application Data\Mozilla\Firefox\Profiles\xk3soso7.default\
FF - prefs.js: network.proxy.type - 0
.
.
------- File Associations -------
.
JSEFile=c:\windows\system32\rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-07-09 21:03
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1960)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\windows\system32\ackpbsc.dll
c:\windows\system32\aclog.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_150c9e8b\MFC80.DLL
c:\windows\system32\ACLIBEAY.dll
c:\windows\system32\acevtsub.dll
c:\windows\system32\asphat32.dll
c:\windows\system32\acerrmes.dll
c:\windows\system32\aspcom.dll
c:\program files\ActivIdentity\ActivClient\Resources\Merged\acerrmrc.dll
c:\program files\ActivIdentity\ActivClient\Resources\Merged\asphatrc.dll
c:\program files\Hewlett-Packard\IAM\Bin\ASWLNPkg.dll
c:\program files\Hewlett-Packard\IAM\bin\ItMsg.dll
c:\program files\ActivIdentity\ActivClient\acunlock.dll
c:\windows\system32\aipingui.dll
c:\program files\ActivIdentity\ActivClient\Resources\Merged\aipinguirc.dll
c:\program files\ActivIdentity\ActivClient\resources\acCobAPIrc.dll
c:\program files\ActivIdentity\ActivClient\Resources\Merged\acunlockrc.dll
.
- - - - - - - > 'explorer.exe'(3328)
c:\windows\system32\WININET.dll
c:\windows\system32\APSHook.dll
c:\windows\system32\btmmhook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\program files\ActivIdentity\ActivClient\acevents.exe
c:\windows\System32\SCardSvr.exe
c:\windows\system32\agrsmsvc.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Intel\AMT\LMS.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\program files\Hewlett-Packard\IAM\Bin\AsGHost.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\ActivIdentity\ActivClient\acevents.exe
c:\program files\Hewlett-Packard\Shared\HpqToaster.exe
.
**************************************************************************
.
Completion time: 2011-07-09 21:18:33 - machine was rebooted
ComboFix-quarantined-files.txt 2011-07-10 04:18
.
Pre-Run: 226,499,817,472 bytes free
Post-Run: 226,550,624,256 bytes free
.
- - End Of File - - 29D80E68408E49918AA88B71CB225497
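Reading a ComboFix or GMER log by hand means scanning the "Reg Loading Points" section for the handful of registry locations that load code at logon or into every process (Run keys, ShellExecuteHooks, Winlogon Notify packages, AppInit_DLLs). The script below is an added example written for this thread, not a BleepingComputer, ComboFix or GMER tool: it parses those sections into structured entries, labels the persistence mechanism each one uses, and flags any entry whose file lives outside the usual Windows and Program Files directories. The sample text is copied from the log posted above, plus one constructed Run-key line (a temp-directory path, marked as such in the code) so the flag has something to catch. A flag is a prompt to look closer at that file, not a verdict on it.

```python
"""Triage helper for ComboFix / GMER logs: list autostart entries, flag odd paths.

Added example for this thread; not a BleepingComputer, ComboFix or GMER tool.
"""
import re
from dataclasses import dataclass
from typing import List

# Lines copied from the log posted above (GMER registry section plus ComboFix's
# "Reg Loading Points" section).
POSTED_EXCERPT = r"""
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs C:\WINDOWS\system32\APSHook.dll APSHook.dll
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CognizanceTS"="c:\progra~1\HEWLET~1\IAM\Bin\ASTSVCC.dll" [2008-06-02 24848]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-07-01 2424192]
"""
# Constructed line (NOT from the posted log): a Run entry pointing into a temp
# directory, appended to the HKCU Run section so the review flag has a hit.
CONSTRUCTED_LINE = r'"Updater"="c:\documents and settings\user\Local Settings\Temp\updater.exe" [2011-07-05 12288]'
SAMPLE_LOG = POSTED_EXCERPT + CONSTRUCTED_LINE + "\n"

SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")          # [HKEY_...\Run]
VALUE_RE = re.compile(                                      # "Name"="path" [..]
    r'^"(?P<name>[^"]+)"\s*=\s*(?:"(?P<qpath>[^"]*)"|(?P<upath>\S+))')
FILE_RE = re.compile(                                       # date time size attrs path
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+\d+\s+\S+\s+(?P<path>.+)$")
GMER_REG_RE = re.compile(r"^Reg\s+(?P<key>.+?)@(?P<name>\S+)\s*(?P<value>.*)$")

# Registry locations that load code at logon or into every process.  Anchored
# patterns so that e.g. RequireSignedAppInit_DLLs is not mistaken for AppInit_DLLs.
MECHANISMS = [
    (re.compile(r"\\winlogon\\notify\\", re.I), "Winlogon Notify package"),
    (re.compile(r"\\shellexecutehooks$", re.I), "ShellExecuteHook"),
    (re.compile(r"@appinit_dlls$", re.I), "AppInit_DLLs"),
    (re.compile(r"\\currentversion\\run$", re.I), "Run key"),
]
# Where legitimate autostarts on an XP box are normally expected to live.
EXPECTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")


@dataclass
class Autostart:
    location: str   # registry key (or key@value for GMER lines)
    name: str       # value name, hook GUID or Notify package name
    path: str       # file the entry loads, as written in the log
    mechanism: str

    def needs_review(self) -> bool:
        """True when the loaded file is outside the usual system/program dirs."""
        p = self.path.lower()
        return bool(p) and not p.startswith(EXPECTED_PREFIXES)


def classify(location: str) -> str:
    for pattern, label in MECHANISMS:
        if pattern.search(location):
            return label
    return "other"


def parse_log(text: str) -> List[Autostart]:
    entries: List[Autostart] = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group("key")
            continue
        m = GMER_REG_RE.match(line)          # GMER lines carry their own key
        if m:
            loc = f"{m.group('key')}@{m.group('name')}"
            entries.append(Autostart(loc, m.group("name"), m.group("value").strip(), classify(loc)))
            continue
        if section is None:
            continue
        m = VALUE_RE.match(line)
        if m:
            path = m.group("qpath") if m.group("qpath") is not None else m.group("upath")
            entries.append(Autostart(section, m.group("name"), path, classify(section)))
            continue
        m = FILE_RE.match(line)              # Winlogon\Notify packages list the DLL this way
        if m:
            entries.append(Autostart(section, section.rsplit("\\", 1)[-1], m.group("path"), classify(section)))
    return entries


def persistence_entries(text: str) -> List[Autostart]:
    """Only entries sitting in one of the known persistence locations."""
    return [e for e in parse_log(text) if e.mechanism != "other"]


def review_list(text: str) -> List[Autostart]:
    return [e for e in persistence_entries(text) if e.needs_review()]


def format_report(text: str) -> str:
    lines = []
    for e in persistence_entries(text):
        flag = "  <-- REVIEW: outside Windows/Program Files" if e.needs_review() else ""
        lines.append(f"[{e.mechanism}] {e.name} -> {e.path}{flag}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(SAMPLE_LOG))
```

On the log posted above, every persistence entry resolves to a known HP ProtectTools, ActivClient or SUPERAntiSpyware file under Program Files or Windows; only the constructed Updater line is flagged. The AppInit_DLLs entry (APSHook.dll) is listed because that mechanism injects a DLL into every process that loads user32.dll, which is why it deserves a look in any log even when, as here, the file is a vendor component.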

#6 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Canada
  • Local time:12:38 AM

Posted 10 July 2011 - 07:30 AM

Hi,

Please do the following:

  • Please open your MalwareBytes AntiMalware Program
  • Click the Update Tab and search for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.



NEXT


Go here to run an online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activeX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE , name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish



NEXT



Click Start>Run and copy/paste the following bolded text into the Run box and click OK:

C:\Qoobox\ComboFix-quarantined-files.txt

A report should pop open for you. Please post the contents in your next reply.



#7 KCNoob

KCNoob
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:09:38 PM

Posted 10 July 2011 - 12:19 PM

MalwareBytes Log:

Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 7062

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

7/10/2011 8:47:40 AM
mbam-log-2011-07-10 (08-47-40).txt

Scan type: Quick scan
Objects scanned: 174387
Time elapsed: 1 minute(s), 16 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

--------------------------------------

ESET Scan Log:

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6528
# api_version=3.0.2
# EOSSerial=cf27a4d2fbfcc643ab1e3bc37f98009d
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2011-07-10 05:05:17
# local_time=2011-07-10 10:05:17 (-0800, Pacific Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 4481608 4481608 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=60727
# found=0
# cleaned=0
# scan_time=2197

---------------------------------------

ComboFix Quarantine Log:

2011-07-10 02:39:41 . 2011-07-10 02:39:41 13,035 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2011-07-10 02:07:34 . 2011-07-10 02:07:35 51 ----a-w- C:\Qoobox\Quarantine\catchme.log

#8 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Canada
  • Local time:12:38 AM

Posted 10 July 2011 - 12:45 PM

Scan With RootKitUnHooker

  • Please Download Rootkit Unhooker and save it to your desktop.
  • Now double-click on RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Check (Tick) Drivers and Stealth
  • Uncheck the rest. then click OK
  • When prompted to Select Disks for Scan, make sure C:\ is checked and click OK
  • Wait till the scanner has finished and then click File > Save Report.
  • Save the report somewhere where you can find it. Click Close.
  • Copy the entire contents of the report and paste it in your next reply.

Note: you may get the following warning; just click OK and continue.

"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"




Please advise how the computer is running and if there are any outstanding issues



#9 KCNoob

KCNoob
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:09:38 PM

Posted 10 July 2011 - 07:38 PM

RKUnhooker log below. I will test out the computer and post a separate reply regarding the status.

RkU Version: 3.8.389.593, Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 3)
Number of processors #2
==============================================
>Drivers
==============================================
0xF4FD3000 C:\WINDOWS\system32\DRIVERS\igxpmp32.sys 6021120 bytes (Intel Corporation, Intel Graphics Miniport Driver)
0xF4BBF000 C:\WINDOWS\system32\DRIVERS\NETw5x32.sys 3629056 bytes (Intel Corporation, Intel® Wireless WiFi Link Driver)
0xBF25B000 C:\WINDOWS\System32\igxpdx32.DLL 3174400 bytes (Intel Corporation, DirectDraw® Driver for Intel® Graphics Technology)
0x804D7000 C:\WINDOWS\system32\ntkrnlpa.exe 2154496 bytes (Microsoft Corporation, NT Kernel & System)
0x804D7000 PnpManager 2154496 bytes
0x804D7000 RAW 2154496 bytes
0x804D7000 WMIxWDM 2154496 bytes
0xBF04F000 C:\WINDOWS\System32\igxpdv32.DLL 2146304 bytes (Intel Corporation, Component GHAL Driver)
0xBF800000 Win32k 1859584 bytes
0xBF800000 C:\WINDOWS\System32\win32k.sys 1859584 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0xA3B76000 C:\WINDOWS\system32\DRIVERS\snp2uvc.sys 1806336 bytes (-, UVC Camera Streaming Driver)
0xF4716000 C:\WINDOWS\system32\DRIVERS\TM_CFW.sys 1802240 bytes (Trend Micro Inc., Trend Micro NDIS 5.0 Intermedia Driver (i386-fre))
0xA38E3000 C:\Program Files\Trend Micro\OfficeScan Client\VSApiNt.sys 1318912 bytes (Trend Micro Inc., VsapiNT )
0xA9BC6000 C:\WINDOWS\system32\DRIVERS\AGRSM.sys 1204224 bytes (Agere Systems, SoftModem Device Driver)
0xF49E0000 C:\WINDOWS\system32\DRIVERS\btkrnl.sys 856064 bytes (Broadcom Corporation., Bluetooth Bus Enumerator)
0xA3A25000 C:\WINDOWS\System32\Drivers\dump_iaStor.sys 851968 bytes
0xF71FC000 iaStor.sys 851968 bytes (Intel Corporation, Intel Matrix Storage Manager driver - ia32)
0x97614000 C:\WINDOWS\system32\Drivers\CVPNDRVA.sys 589824 bytes (Cisco Systems, Inc., Cisco Systems VPN Client IPSec Driver)
0xF7126000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)
0xF4B0B000 C:\WINDOWS\system32\DRIVERS\Wdf01000.sys 503808 bytes (Microsoft Corporation, WDF Dynamic)
0xA3D53000 C:\WINDOWS\System32\Drivers\ATSwpWDF.sys 471040 bytes (AuthenTec, Inc., AuthenTec Swipe Sensor WDF USB Driver Prototype)
0xA3DC6000 C:\WINDOWS\system32\DRIVERS\mrxsmb.sys 458752 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
0xF490B000 C:\WINDOWS\system32\DRIVERS\update.sys 385024 bytes (Microsoft Corporation, Update Driver)
0xA3F08000 C:\WINDOWS\system32\DRIVERS\tcpip.sys 364544 bytes (Microsoft Corporation, TCP/IP Protocol Driver)
0x9753C000 C:\WINDOWS\system32\DRIVERS\srv.sys 360448 bytes (Microsoft Corporation, Server driver)
0xA9D28000 C:\WINDOWS\system32\drivers\ADIHdAud.sys 356352 bytes (Analog Devices, Inc., High Definition Audio Function Driver)
0xA389A000 C:\Program Files\Trend Micro\OfficeScan Client\TmXPFlt.sys 299008 bytes (Trend Micro Inc., Post Filter For XP)
0xBF562000 C:\WINDOWS\System32\ATMFD.DLL 290816 bytes (Adobe Systems Incorporated, Windows NT OpenType/Type 1 Font Driver)
0x92E4F000 C:\WINDOWS\System32\Drivers\HTTP.sys 266240 bytes (Microsoft Corporation, HTTP Protocol Stack)
0xF4F81000 C:\WINDOWS\system32\DRIVERS\e1y5132.sys 253952 bytes (Intel Corporation, Intel® Gigabit Network Connection NDIS 5.1 deserialized driver)
0xF48CE000 C:\WINDOWS\system32\DRIVERS\NWADIenum.sys 249856 bytes (Novatel Wireless Inc, NWADI Interface Bus Enumerator)
0xF4AD4000 C:\WINDOWS\system32\DRIVERS\SynTP.sys 225280 bytes (Synaptics, Inc., Synaptics Touchpad Driver)
0x97826000 C:\WINDOWS\system32\drivers\tmcomm.sys 212992 bytes (Trend Micro Inc., TrendMicro Common Module)
0xF4969000 C:\WINDOWS\system32\DRIVERS\rdpdr.sys 196608 bytes (Microsoft Corporation, Microsoft RDP Device redirector)
0xF7358000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)
0x97976000 C:\WINDOWS\system32\DRIVERS\mrxdav.sys 184320 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)
0xF70F9000 NDIS.sys 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)
0xBF024000 C:\WINDOWS\System32\igxpgd32.dll 176128 bytes (Intel Corporation, Intel Graphics 2D Driver)
0xA3B4B000 C:\WINDOWS\system32\DRIVERS\nwusbmdm.sys 176128 bytes (Novatel Wireless Inc., Novatel Wireless USB Modem/Serial Device Driver)
0xA3B20000 C:\WINDOWS\system32\DRIVERS\nwusbser.sys 176128 bytes (Novatel Wireless Inc., Novatel Wireless USB Modem/Serial Device Driver)
0xA3AF5000 C:\WINDOWS\system32\DRIVERS\nwusbser2.sys 176128 bytes (Novatel Wireless Inc., Novatel Wireless USB Modem/Serial Device Driver)
0xA3E36000 C:\WINDOWS\system32\DRIVERS\rdbss.sys 176128 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0xF4F35000 C:\WINDOWS\system32\DRIVERS\HDAudBus.sys 163840 bytes (Windows ® Server 2003 DDK provider, High Definition Audio Bus Driver v1.0a)
0xA3EE0000 C:\WINDOWS\system32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)
0xF72E4000 dmio.sys 155648 bytes (Microsoft Corp., Veritas Software, NT Disk Manager I/O Driver)
0xA3EBA000 C:\WINDOWS\system32\DRIVERS\ipnat.sys 155648 bytes (Microsoft Corporation, IP Network Address Translator)
0xA3D2F000 C:\WINDOWS\System32\Drivers\Fastfat.SYS 147456 bytes (Microsoft Corporation, Fast FAT File System Driver)
0xA9D04000 C:\WINDOWS\system32\drivers\portcls.sys 147456 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0xF4F5D000 C:\WINDOWS\system32\DRIVERS\USBPORT.SYS 147456 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0xF4AB1000 C:\WINDOWS\system32\DRIVERS\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)
0xA3E98000 C:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0xA3E61000 C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS 139264 bytes (SUPERAdBlocker.com and SUPERAntiSpyware.com, SASKUTIL.SYS)
0x806E5000 ACPI_HAL 134400 bytes
0x806E5000 C:\WINDOWS\system32\hal.dll 134400 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0xF71DC000 fltmgr.sys 131072 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0xF49C1000 C:\WINDOWS\system32\DRIVERS\dne2000.sys 126976 bytes (Deterministic Networks, Inc., Deterministic Network Enhancer)
0xF730A000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver)
0xF7329000 pcmcia.sys 122880 bytes (Microsoft Corporation, PCMCIA Bus Driver)
0xF70C6000 Mup.sys 106496 bytes (Microsoft Corporation, Multiple UNC Provider driver)
0xF70E0000 SafeBoot.sys 102400 bytes
0xA9CEC000 C:\WINDOWS\system32\drivers\AEAudio.sys 98304 bytes (Andrea Electronics Corporation, Audio Noise Filtering Driver (32-bit))
0xF72CC000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)
0xF71B3000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0xF49AA000 C:\WINDOWS\system32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
0x977E8000 C:\WINDOWS\system32\drivers\tmactmon.sys 90112 bytes (Trend Micro Inc., TrendMicro Activity Monitor Module)
0xA3E83000 C:\WINDOWS\system32\DRIVERS\tmtdi.sys 86016 bytes (Trend Micro Inc., Trend Micro TDI Driver (i386-fre))
0x94C93000 C:\WINDOWS\system32\drivers\wdmaud.sys 86016 bytes (Microsoft Corporation, MMSYSTEM Wave/Midi API mapper)
0xF4B86000 C:\WINDOWS\system32\DRIVERS\parport.sys 81920 bytes (Microsoft Corporation, Parallel Port Driver)
0xF4BAB000 C:\WINDOWS\system32\DRIVERS\sdbus.sys 81920 bytes (Microsoft Corporation, SecureDigital Bus Driver)
0xF4FBF000 C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver)
0xA3F61000 C:\WINDOWS\system32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver)
0xBF000000 C:\WINDOWS\System32\drivers\dxg.sys 73728 bytes (Microsoft Corporation, DirectX Graphics Driver)
0xBF012000 C:\WINDOWS\System32\igxprd32.dll 73728 bytes (Intel Corporation, Intel Graphics 2D Rotation Driver)
0xF71CA000 sr.sys 73728 bytes (Microsoft Corporation, System Restore Filesystem Filter Driver)
0xF7347000 pci.sys 69632 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
0xF4999000 C:\WINDOWS\system32\DRIVERS\psched.sys 69632 bytes (Microsoft Corporation, MS QoS Packet Scheduler)
0xF4B9A000 C:\WINDOWS\system32\DRIVERS\rimmptsk.sys 69632 bytes (REDC, RICOH SD Driver)
0x93D0C000 C:\WINDOWS\System32\Drivers\Cdfs.SYS 65536 bytes (Microsoft Corporation, CD-ROM File System Driver)
0xF5BF4000 C:\WINDOWS\system32\DRIVERS\cdrom.sys 65536 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
0xF5C54000 C:\WINDOWS\system32\DRIVERS\nic1394.sys 65536 bytes (Microsoft Corporation, IEEE1394 Ndis Miniport and Call Manager)
0xF7497000 ohci1394.sys 65536 bytes (Microsoft Corporation, 1394 OpenHCI Port Driver)
0xF5C64000 C:\WINDOWS\system32\DRIVERS\serial.sys 65536 bytes (Microsoft Corporation, Serial Device Driver)
0xA4632000 C:\WINDOWS\system32\DRIVERS\arp1394.sys 61440 bytes (Microsoft Corporation, IP/1394 Arp Client)
0xF3E13000 C:\WINDOWS\system32\drivers\drmk.sys 61440 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
0xF5BE4000 C:\WINDOWS\system32\DRIVERS\redbook.sys 61440 bytes (Microsoft Corporation, Redbook Audio Filter Driver)
0x94FF4000 C:\WINDOWS\system32\drivers\sysaudio.sys 61440 bytes (Microsoft Corporation, System Audio WDM Filter)
0xF7667000 C:\WINDOWS\system32\drivers\tmevtmgr.sys 61440 bytes (Trend Micro Inc., TrendMicro Event Management Module)
0xF3E23000 C:\WINDOWS\system32\DRIVERS\usbhub.sys 61440 bytes (Microsoft Corporation, Default Hub Driver for USB)
0xF74A7000 C:\WINDOWS\system32\DRIVERS\1394BUS.SYS 57344 bytes (Microsoft Corporation, 1394 Bus Device Driver)
0xF74F7000 C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS 53248 bytes (Microsoft Corporation, SCSI Class System Dll)
0xF5C24000 C:\WINDOWS\system32\DRIVERS\i8042prt.sys 53248 bytes (Microsoft Corporation, i8042 Port Driver)
0xF5966000 C:\WINDOWS\system32\DRIVERS\rasl2tp.sys 53248 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
0xA432D000 C:\WINDOWS\system32\DRIVERS\STREAM.SYS 53248 bytes (Microsoft Corporation, WDM CODEC Class Device Driver 2.0)
0xA430D000 C:\Program Files\Trend Micro\OfficeScan Client\TmPreFlt.sys 53248 bytes (Trend Micro Inc., Pre-Filter For XP)
0xF74C7000 VolSnap.sys 53248 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0xF5C14000 C:\WINDOWS\system32\DRIVERS\WDFLDR.SYS 53248 bytes (Microsoft Corporation, WDFLDR)
0xF5946000 C:\WINDOWS\system32\DRIVERS\raspptp.sys 49152 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
0xF5C44000 C:\WINDOWS\system32\DRIVERS\rismc32.sys 49152 bytes (RICOH Company, Ltd., PC-SC Driver for RICOH SmartCard Reader)
0xA4622000 C:\WINDOWS\System32\Drivers\Fips.SYS 45056 bytes (Microsoft Corporation, FIPS Crypto Driver)
0xF5C34000 C:\WINDOWS\system32\DRIVERS\IFXTPM.SYS 45056 bytes (Infineon Technologies AG, Infineon Trusted Platform Module)
0xF5C04000 C:\WINDOWS\system32\DRIVERS\imapi.sys 45056 bytes (Microsoft Corporation, IMAPI Kernel Driver)
0xF74B7000 MountMgr.sys 45056 bytes (Microsoft Corporation, Mount Manager)
0xF5956000 C:\WINDOWS\system32\DRIVERS\raspppoe.sys 45056 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
0xF74D7000 SbAlg.sys 45056 bytes (SafeBoot N.V., SafeBoot FIPS AES Algorithm (256 bit))
0xF7507000 sfaudio.sys 45056 bytes (Sonic Focus, Inc, Sonic Focus DSP driver for ADI)
0xF5C74000 C:\WINDOWS\system32\DRIVERS\HECI.sys 40960 bytes (Intel Corporation, Intel® Management Engine Interface)
0xF7487000 isapnp.sys 40960 bytes (Microsoft Corporation, PNP ISA Bus Driver)
0xF3E63000 C:\WINDOWS\System32\Drivers\NDProxy.SYS 40960 bytes (Microsoft Corporation, NDIS Proxy)
0xF5926000 C:\WINDOWS\system32\DRIVERS\termdd.sys 40960 bytes (Microsoft Corporation, Terminal Server Driver)
0x93FB4000 C:\WINDOWS\System32\Drivers\BlackBox.SYS 36864 bytes (RKU Driver)
0xF74E7000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver)
0xF5976000 C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS 36864 bytes (Microsoft Corporation, Hid Class Library)
0xF76A7000 C:\WINDOWS\system32\DRIVERS\intelppm.sys 36864 bytes (Microsoft Corporation, Processor Device Driver)
0xF5936000 C:\WINDOWS\system32\DRIVERS\msgpc.sys 36864 bytes (Microsoft Corporation, MS General Packet Classifier)
0xA4652000 C:\WINDOWS\system32\DRIVERS\netbios.sys 36864 bytes (Microsoft Corporation, NetBIOS interface driver)
0xA4642000 C:\WINDOWS\system32\DRIVERS\wanarp.sys 36864 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
0xF2E44000 C:\WINDOWS\System32\Drivers\Modem.SYS 32768 bytes (Microsoft Corporation, Modem Device Driver)
0xA4B83000 C:\WINDOWS\System32\Drivers\Npfs.SYS 32768 bytes (Microsoft Corporation, NPFS Driver)
0xA4B5B000 C:\WINDOWS\system32\DRIVERS\usbccgp.sys 32768 bytes (Microsoft Corporation, USB Common Class Generic Parent Driver)
0xF77A7000 C:\WINDOWS\system32\DRIVERS\usbehci.sys 32768 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
0xF77C7000 C:\WINDOWS\system32\DRIVERS\Accelerometer.sys 28672 bytes (Hewlett-Packard Corporation, HP Accelerometer - SATA/RAID)
0xF7777000 C:\WINDOWS\system32\DRIVERS\btport.sys 28672 bytes (Broadcom Corporation., Bluetooth BTPORT Driver for Windows 2000)
0xF77CF000 C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS 28672 bytes (Microsoft Corporation, Hid Parsing Library)
0xF7707000 C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS 28672 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
0xA5813000 C:\PROGRA~1\VERIZO~1\VZACCE~1\SMSIVZAM5.SYS 28672 bytes (Smith Micro Inc., Smith Micro NDIS 5.0 Protocol Driver)
0xA4B6B000 C:\WINDOWS\system32\DRIVERS\sncduvc.SYS 28672 bytes (-, USBCAMD for Sonix UVC)
0xA4B4B000 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS 28672 bytes (Microsoft Corporation, USB Mass Storage Class Driver)
0xF778F000 C:\WINDOWS\system32\DRIVERS\kbdclass.sys 24576 bytes (Microsoft Corporation, Keyboard Class Driver)
0xF77BF000 C:\WINDOWS\system32\DRIVERS\mouclass.sys 24576 bytes (Microsoft Corporation, Mouse Class Driver)
0xA4B7B000 C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS 24576 bytes (SUPERAdBlocker.com and SUPERAntiSpyware.com, SASDIFSV.SYS)
0xF779F000 C:\WINDOWS\system32\DRIVERS\usbuhci.sys 24576 bytes (Microsoft Corporation, UHCI USB Miniport Driver)
0xA4B93000 C:\WINDOWS\System32\drivers\vga.sys 24576 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
0xF7717000 hpdskflt.sys 20480 bytes (Hewlett-Packard Corporation, HP Disk Filter - SATA/RAID)
0xF77AF000 C:\WINDOWS\system32\DRIVERS\HpqKbFiltr.sys 20480 bytes (Hewlett-Packard Development Company, L.P., HpqKbFiltr Keyboard Filter Driver)
0xA4B8B000 C:\WINDOWS\System32\Drivers\Msfs.SYS 20480 bytes (Microsoft Corporation, Mailslot driver)
0xF770F000 PartMgr.sys 20480 bytes (Microsoft Corporation, Partition Manager)
0xF77B7000 C:\WINDOWS\system32\DRIVERS\ptilink.sys 20480 bytes (Parallel Technologies, Inc., Parallel Technologies DirectParallel IO Library)
0xF77E7000 C:\WINDOWS\system32\DRIVERS\raspti.sys 20480 bytes (Microsoft Corporation, PTI DirectParallel® mini-port/call-manager driver)
0xF77D7000 C:\WINDOWS\system32\DRIVERS\TDI.SYS 20480 bytes (Microsoft Corporation, TDI Wrapper)
0xF7787000 C:\WINDOWS\System32\watchdog.sys 20480 bytes (Microsoft Corporation, Watchdog Driver)
0x91B87000 C:\WINDOWS\system32\DRIVERS\asyncmac.sys 16384 bytes (Microsoft Corporation, MS Remote Access serial network driver)
0xF789F000 C:\WINDOWS\system32\DRIVERS\BATTC.SYS 16384 bytes (Microsoft Corporation, Battery Class Driver)
0xF68AA000 C:\WINDOWS\system32\DRIVERS\CmBatt.sys 16384 bytes (Microsoft Corporation, Control Method Battery Driver)
0xF705C000 C:\WINDOWS\system32\DRIVERS\kbdhid.sys 16384 bytes (Microsoft Corporation, HID Mouse Filter Driver)
0xA7612000 C:\WINDOWS\system32\drivers\mbam.sys 16384 bytes (Malwarebytes Corporation, Malwarebytes' Anti-Malware)
0xF796B000 C:\WINDOWS\system32\DRIVERS\mssmbios.sys 16384 bytes (Microsoft Corporation, System Management BIOS Driver)
0xA7C22000 C:\WINDOWS\system32\DRIVERS\ndisuio.sys 16384 bytes (Microsoft Corporation, NDIS User mode I/O Driver)
0xF7040000 C:\WINDOWS\system32\DRIVERS\serenum.sys 16384 bytes (Microsoft Corporation, Serial Port Enumerator)
0xF703C000 C:\WINDOWS\system32\DRIVERS\SMCLIB.SYS 16384 bytes (Microsoft Corporation, Smard Card Driver Library)
0xF78A3000 ACPIEC.sys 12288 bytes (Microsoft Corporation, ACPI Embedded Controller Driver)
0xF7897000 C:\WINDOWS\system32\BOOTVID.dll 12288 bytes (Microsoft Corporation, VGA Boot Driver)
0xF789B000 compbatt.sys 12288 bytes (Microsoft Corporation, Composite Battery Driver)
0xF68A6000 C:\WINDOWS\system32\DRIVERS\cpqbttn.sys 12288 bytes (Hewlett-Packard Development Company, L.P., HP Tablet PC Key Button HID Driver)
0xF1387000 C:\WINDOWS\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver)
0xF689A000 C:\WINDOWS\system32\DRIVERS\ndistapi.sys 12288 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
0xA5C74000 C:\WINDOWS\system32\DRIVERS\rasacd.sys 12288 bytes (Microsoft Corporation, RAS Automatic Connection Driver)
0xF68A2000 C:\WINDOWS\system32\DRIVERS\wmiacpi.sys 12288 bytes (Microsoft Corporation, Windows Management Interface for ACPI)
0xF7987000 00000024 8192 bytes
0xA730E000 C:\WINDOWS\System32\Drivers\Beep.SYS 8192 bytes (Microsoft Corporation, BEEP Driver)
0xF798B000 dmload.sys 8192 bytes (Microsoft Corp., Veritas Software., NT Disk Manager Startup Driver)
0xA7310000 C:\WINDOWS\System32\Drivers\Fs_Rec.SYS 8192 bytes (Microsoft Corporation, File System Recognizer Driver)
0xF7987000 C:\WINDOWS\system32\KDCOM.DLL 8192 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
0xA730C000 C:\WINDOWS\System32\Drivers\mnmdd.SYS 8192 bytes (Microsoft Corporation, Frame buffer simulator)
0xF7A13000 C:\WINDOWS\System32\Drivers\ParVdm.SYS 8192 bytes (Microsoft Corporation, VDM Parallel Driver)
0xA730A000 C:\WINDOWS\System32\DRIVERS\RDPCDD.sys 8192 bytes (Microsoft Corporation, RDP Miniport)
0xA7308000 C:\WINDOWS\System32\Drivers\RsvLock.SYS 8192 bytes (SafeBoot International, SafeBoot Reserved Files Lock Driver)
0xF798D000 SbFsLock.sys 8192 bytes (SafeBoot International, SafeBoot FS Locker)
0xF79F3000 C:\WINDOWS\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
0xF79F1000 C:\WINDOWS\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
0xF7989000 C:\WINDOWS\system32\DRIVERS\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
0xF7BA8000 C:\WINDOWS\system32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver)
0xF2DD7000 C:\WINDOWS\System32\drivers\dxgthk.sys 4096 bytes (Microsoft Corporation, DirectX Graphics Driver Thunk)
0xA495A000 C:\WINDOWS\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver)
0xF7A50000 C:\WINDOWS\system32\DRIVERS\OPRGHDLR.SYS 4096 bytes (Microsoft Corporation, ACPI Operation Registration Driver)
0xF7A4F000 pciide.sys 4096 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)
!!!!!!!!!!!Hidden driver: 0x89D33F38 00000240 0 bytes
==============================================
>Stealth
==============================================
WARNING: File locked for read access [C:\WINDOWS\system32\drivers\SafeBoot.sys]
0x893534A5 Unknown page with executable code, 2907 bytes
0x893530B3 Unknown thread object [ ETHREAD 0x8931DDA8 ] TID: 144, 600 bytes
0x893547FB Unknown thread object [ ETHREAD 0x8931D640 ] TID: 156, 600 bytes
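The RKU listing above is the raw material a responder triages by hand: a long table of loaded drivers plus a few warning lines at the end. As an added example (not part of this thread and not RKU's own code), here is a small Python parser for that "Drivers" section that pulls out the entries worth reviewing first: modules that load with no vendor/description metadata, bare names that are not image names, two modules claiming the same base address, the "Hidden driver" line, the locked-file warning and the "Unknown page/thread" entries from the Stealth section. The sample input is excerpted from the log above. The `ACPI_HAL` allowlist entry is an assumption: RKU prints the HAL under that name at the same base as `hal.dll` in this log, and the code treats that pair as a benign alias rather than a collision. None of the flags decides that a module is malicious; they only order the manual review.

```python
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass, field

# One RKU 'Drivers' entry: <base> <module> <size> bytes (<vendor, description>)
MODULE_RE = re.compile(
    r"^(?P<base>0x[0-9A-Fa-f]+) (?P<name>.+?) (?P<size>\d+) bytes(?: \((?P<info>.*)\))?$")
HIDDEN_RE = re.compile(
    r"^!+Hidden driver: (?P<base>0x[0-9A-Fa-f]+) (?P<name>\S+) (?P<size>\d+) bytes$")
LOCKED_RE = re.compile(r"^WARNING: File locked for read access \[(?P<path>.+)\]$")
UNKNOWN_RE = re.compile(r"^0x[0-9A-Fa-f]+ Unknown (page with executable code|thread object)")

# Assumption: RKU lists the HAL twice, as ACPI_HAL and hal.dll at one base (see the
# log above); that pair is treated as a benign alias rather than a collision.
ASSUMED_BENIGN_ALIASES = {"ACPI_HAL"}


@dataclass
class Module:
    base: int
    name: str              # path or bare name exactly as RKU printed it
    size: int
    info: str | None       # text inside the parentheses, None when absent
    flags: list[str] = field(default_factory=list)

    @property
    def basename(self) -> str:
        return self.name.rsplit("\\", 1)[-1]


def parse_rku(text: str) -> dict:
    """Split the listing into modules, hidden-driver hits, locked files and stealth entries."""
    report = {"modules": [], "hidden": [], "locked": [], "unknown": []}
    for line in (raw.strip() for raw in text.splitlines()):
        if m := HIDDEN_RE.match(line):
            report["hidden"].append({"base": int(m["base"], 16), "name": m["name"], "size": int(m["size"])})
        elif m := LOCKED_RE.match(line):
            report["locked"].append(m["path"])
        elif UNKNOWN_RE.match(line):      # '>Stealth' section: unknown code pages / thread objects
            report["unknown"].append(line)
        elif m := MODULE_RE.match(line):
            report["modules"].append(Module(int(m["base"], 16), m["name"], int(m["size"]), m["info"]))
        # '=====' separators, '>Stealth' and blank lines fall through and are ignored
    return report


def triage(report: dict) -> list[Module]:
    """Attach review flags to each module and return the flagged ones, most flags first.
    Flags order the manual review; none of them says a module is malicious."""
    by_base = defaultdict(list)
    for mod in report["modules"]:
        by_base[mod.base].append(mod)
    for mod in report["modules"]:
        if mod.basename in ASSUMED_BENIGN_ALIASES:
            continue
        if mod.info is None:
            mod.flags.append("no vendor/description metadata")
        if not mod.basename.lower().endswith((".sys", ".dll", ".exe")):
            mod.flags.append("unusual module name")
        others = [o.basename for o in by_base[mod.base]
                  if o is not mod and o.basename not in ASSUMED_BENIGN_ALIASES]
        if others:
            mod.flags.append("shares base address with " + ", ".join(others))
    flagged = [m for m in report["modules"] if m.flags]
    flagged.sort(key=lambda m: -len(m.flags))     # stable sort: ties keep log order
    return flagged


def review(text: str) -> dict:
    """Parse and triage in one call, returning plain data that is easy to assert on."""
    report = parse_rku(text)
    return {"module_count": len(report["modules"]),
            "flagged": [(m.basename, m.flags) for m in triage(report)],
            "hidden": report["hidden"], "locked": report["locked"], "unknown": report["unknown"]}


# Constructed sample: lines excerpted from the RKU log in the post above.
SAMPLE_LOG = r"""
0xF4F35000 C:\WINDOWS\system32\DRIVERS\HDAudBus.sys 163840 bytes (Windows ® Server 2003 DDK provider, High Definition Audio Bus Driver v1.0a)
0xA3E61000 C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS 139264 bytes (SUPERAdBlocker.com and SUPERAntiSpyware.com, SASKUTIL.SYS)
0x806E5000 ACPI_HAL 134400 bytes
0x806E5000 C:\WINDOWS\system32\hal.dll 134400 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0xF70E0000 SafeBoot.sys 102400 bytes
0xF7987000 00000024 8192 bytes
0xF7987000 C:\WINDOWS\system32\KDCOM.DLL 8192 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
!!!!!!!!!!!Hidden driver: 0x89D33F38 00000240 0 bytes
==============================================
>Stealth
WARNING: File locked for read access [C:\WINDOWS\system32\drivers\SafeBoot.sys]
0x893534A5 Unknown page with executable code, 2907 bytes
"""

if __name__ == "__main__":
    result = review(SAMPLE_LOG)
    print(f"{result['module_count']} modules; hidden drivers: {result['hidden']}; locked: {result['locked']}")
    for name, flags in result["flagged"]:
        print(f"  review {name}: {'; '.join(flags)}")
```

Run against the full log, the bare-name module at the same base as KDCOM.DLL and the "Hidden driver" line come out on top, which is the same thing the responder's eye goes to; SafeBoot.sys is flagged only because RKU could not read the file, which matches the locked-file warning. Paste the whole "Drivers" and "Stealth" sections into `SAMPLE_LOG` to triage a complete log.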

#10 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Canada
  • Local time:12:38 AM

Posted 10 July 2011 - 07:56 PM

Hi,

Please do the following:

Earlier on ComboFix installed the Recovery Console. We're going to use that now.
  • Reboot your machine and when the Boot Menu flashes up - select "Microsoft Windows Recovery Console"
    (you need to be very fast with the arrow key as you only have a couple of seconds before it defaults to the windows XP bootup)

    Posted Image


    Posted Image

  • When you get to the above screen, take note of the number that references your operating system.
  • If it's '1' like the picture above, type 1 and press Enter
  • It will then prompt you for the Administrator's password. If there is no password, simply press enter.
    Otherwise type in the password and then press enter.

    Posted Image

  • Next type FIXMBR

    Posted Image

  • If it asks if you're sure you want to write a new MBR, answer 'Y'
  • Then type EXIT to reboot the machine.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#11 KCNoob

KCNoob
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:09:38 PM

Posted 10 July 2011 - 09:13 PM

Okay, so I followed your instructions regarding the recovery console and things are looking much better. I've tried using Internet Explorer and Firefox, searched using various search engines, and was able to click on links without being redirected. The internet browsing seems to be working fine now.

I did notice that the Favorites in IE are hidden. I can toggle the IE toolbar (right click on toolbar and select Favorites) and then all my favorites appear in the toolbar, but otherwise the favorites are not shown when clicking the Favorites drop down.

Aside from the internet redirect issues, the other problems I previously had were 1) not being able to run in Safe Mode and 2) could not provide output to my 2nd monitor via a digital connection (dual-monitor setup from laptop using extended desktop). I have not tried to run in safe mode yet and won't be able to test out the monitor issue until tomorrow when I return to work. I don't know if it is related to the virus issues, but the timing seems in line.

#12 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Canada
  • Local time:12:38 AM

Posted 10 July 2011 - 09:27 PM

Try running the following:


Please download Unhide.exe to your desktop:
  • Double-click on the Unhide.exe icon on your desktop and allow the program to run.
  • This program will remove the hidden attributes from all the files on your system.
  • Note: If you had purposely hidden any files, then you will need to hide them again after this tool has run.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#13 KCNoob

KCNoob
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:09:38 PM

Posted 10 July 2011 - 09:55 PM

Great!!! That seemed to do the trick.

#14 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Canada
  • Local time:12:38 AM

Posted 10 July 2011 - 10:00 PM

Hi

Just some housekeeping to do now,

Please do the following:


You can delete the RKU,DDS and GMER logs and programs from your desktop.


NEXT


Follow these steps to uninstall Combofix

  • Make sure your security programs are totally disabled.
  • Click START then RUN
  • Now copy/paste Combofix /uninstall into the runbox and click OK. Note the space between the ..X and the /U, it needs to be there.

Posted Image


If there are any logs/tools remaining on your desktop > right click and delete them.


NEXT


Below I have included a number of recommendations for how to protect your computer against malware infections.

  • It is good security practice to change your passwords to all your online accounts on a fairly regular basis; this is especially true after an infection. Refer to this Microsoft article:
    Strong passwords: How to create and use them
    Then consider a password keeper, to keep all your passwords safe. KeePass is a small utility that allows you to manage all your passwords.

  • Keep Windows updated by regularly checking their website at:
    http://windowsupdate.microsoft.com/
    This will ensure your computer always has the latest available security updates installed.

  • Make Internet Explorer more secure
    • Click Start > Run
    • Type Inetcpl.cpl & click OK
    • Click on the Security tab
    • Click Reset all zones to default level
    • Make sure the Internet Zone is selected & Click Custom level
    • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "Prompt", and "Initialize and Script ActiveX controls not marked as safe" to "Disable".
    • Next Click OK, then Apply button and then OK to exit the Internet Properties page.

  • Download TFC to your desktop
    • Close any open windows.
    • Double click the TFC icon to run the program
    • TFC will close all open programs itself in order to run.
    • Click the Start button to begin the process.
    • Allow TFC to run uninterrupted.
    • The program should not take long to finish its job.
    • Once it's finished it should automatically reboot your machine;
    • if it doesn't, manually reboot to ensure a complete clean.
    It's normal after running TFC cleaner that the PC will be slower to boot the first time.

  • WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
    • Green to go
    • Yellow for caution
    • Red to stop
    WOT has an addon available for both Firefox and IE

  • Keep a backup of your important files - Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.

  • ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.

  • In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at this well written article:
    PC Safety and Security--What Do I Need?.


**Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.


Thank you for your patience, and performing all of the procedures requested.

Please respond one last time so we can consider the thread resolved and close it, thank-you.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#15 KCNoob

KCNoob
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:09:38 PM

Posted 10 July 2011 - 11:59 PM

CatByte,

I've completed the cleanup and security tips. Everything appears to be in good working condition. Thank you so much for your assistance in dealing with these problems.



