iexplore.exe - Application Error


20 replies to this topic

#1 2blori


  • Members
  • 12 posts

Posted 03 August 2011 - 02:33 PM

Since yesterday when I am on the internet I periodically receive this message

"iexplore.exe-Application Error"

then explanation is:

"The instruction at "0x05200ce2" referenced memory at "0x0e783000", the memory could not be "written" and it shuts down the internet completely." I am given the option to click "ok" to terminate program or click "cancel" to debug the program

When this started yesterday I had google.com set as my homepage, did some experimenting and noticed that if I set the home page to MSN it did not happen as often as it seems to on google. Initially I thought this was due to an update as per a google search and reset the tab options - which seemed to slow down the problem yesterday afternoon.

However having same problem again today.

Ran a Malware scan yesterday just in case and it found 23 bugs which were all removed. I downloaded this a month or so ago per instructions from bleepingcomputer along with the RKill. Had an infection last month. Maybe I didn't get rid of it all the way???

Joined the bleepingcomputer community this morning and have worked through all of the instructions of "to do's" before making this post. Sorry I have done several searches - could not find the same issue.

gmer did note a problem with: device\harddisk0\DRO.............TDL4@MBR

Please help.

#2 Broni


    The Coolest BC Computer


  • BC Advisor
  • 42,735 posts
  • Gender:Male
  • Location:Daly City, CA

Posted 03 August 2011 - 09:03 PM

Welcome aboard

Looks like a possible rootkit.

Download Security Check from HERE, and save it to your Desktop.

* Double-click SecurityCheck.exe
* Follow the onscreen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt; please post the contents of that document.

=============================================================================

Please download MiniToolBox and run it.

Checkmark following boxes:
  • Report IE Proxy Settings
  • Report FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List last 10 Event Viewer log
  • List Users, Partitions and Memory size
Click Go and post the result.

=============================================================================

Download Malwarebytes' Anti-Malware (aka MBAM): https://www.bleepingcomputer.com/download/malwarebytes-anti-malware/ to your desktop.

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform quick scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.

Be sure to restart the computer.

The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

=============================================================================

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.

IMPORTANT! If for some reason GMER refuses to run, try again.
If it still fails, try to UN-check "Devices" in right pane.
If still no joy, try to run it from Safe Mode.


#3 2blori

  • Topic Starter

  • Members
  • 12 posts

Posted 05 August 2011 - 11:50 AM

Here are all of the scan test results:

Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7384

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

8/5/2011 8:56:06 AM
mbam-log-2011-08-05 (08-56-06).txt

Scan type: Quick scan
Objects scanned: 156023
Time elapsed: 5 minute(s), 55 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

MiniToolBox by Farbar
Ran by user (administrator) on 05-08-2011 at 08:45:32
Microsoft Windows XP Service Pack 3 (X86)

***************************************************************************

========================= IE Proxy Settings: ==============================

Proxy is enabled.
ProxyServer: 10.70.174.1:8080
========================= Hosts content: =================================


127.0.0.1 localhost

========================= IP Configuration: ================================

# ----------------------------------
# Interface IP Configuration
# ----------------------------------
pushd interface ip


# Interface IP Configuration for "Local Area Connection"

set address name="Local Area Connection" source=dhcp
set dns name="Local Area Connection" source=dhcp register=PRIMARY
set wins name="Local Area Connection" source=dhcp


popd
# End of interface IP configuration

Windows IP Configuration

Host Name . . . . . . . . . . . . : lherring
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : CNet PRO200WL PCI Fast Ethernet Adapter
Physical Address. . . . . . . . . : 00-08-A1-11-D7-D8
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 10.70.174.35
Subnet Mask . . . . . . . . . . . : 255.0.0.0
Default Gateway . . . . . . . . . : 10.70.174.1
DHCP Server . . . . . . . . . . . : 10.69.174.136
DNS Servers . . . . . . . . . . . : 10.70.174.1
Lease Obtained. . . . . . . . . . : Friday, August 05, 2011 8:19:55 AM
Lease Expires . . . . . . . . . . : Monday, August 08, 2011 8:19:55 AM

Server: UnKnown
Address: 10.70.174.1

Name: google.com
Addresses: 74.125.227.51, 74.125.227.50, 74.125.227.49, 74.125.227.48
74.125.227.52


Pinging google.com [74.125.227.51] with 32 bytes of data:

Reply from 74.125.227.51: bytes=32 time=11ms TTL=53
Reply from 74.125.227.51: bytes=32 time=12ms TTL=52

Ping statistics for 74.125.227.51:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 11ms, Maximum = 12ms, Average = 11ms
DNS request timed out.
timeout was 2 seconds.
Server: UnKnown
Address: 10.70.174.1

Name: yahoo.com
Addresses: 72.30.2.43, 69.147.125.65, 67.195.160.76, 209.191.122.70
98.137.149.56

Pinging yahoo.com [72.30.2.43] with 32 bytes of data:
Reply from 72.30.2.43: bytes=32 time=59ms TTL=51
Reply from 72.30.2.43: bytes=32 time=59ms TTL=51
Ping statistics for 72.30.2.43:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 59ms, Maximum = 59ms, Average = 59ms

Pinging 127.0.0.1 with 32 bytes of data:

Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Ping statistics for 127.0.0.1:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 08 a1 11 d7 d8 ...... CNet PRO200WL PCI Fast Ethernet Adapter - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 10.70.174.1 10.70.174.35 20
10.0.0.0 255.0.0.0 10.70.174.35 10.70.174.35 20
10.70.174.35 255.255.255.255 127.0.0.1 127.0.0.1 20
10.255.255.255 255.255.255.255 10.70.174.35 10.70.174.35 20
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
224.0.0.0 240.0.0.0 10.70.174.35 10.70.174.35 20
255.255.255.255 255.255.255.255 10.70.174.35 10.70.174.35 1
Default Gateway: 10.70.174.1
===========================================================================
Persistent Routes:
None

========================= Event log errors: ===============================

Application errors:
==================
Error: (08/03/2011 09:13:00 AM) (Source: Application Error) (User: )
Description: Faulting application iexplore.exe, version 8.0.6001.18702, faulting module mshtml.dll, version 8.0.6001.18999, fault address 0x00026265.
Processing media-specific event for [iexplore.exe!ws!]

Error: (08/03/2011 09:04:52 AM) (Source: crypt32) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: The specified server cannot perform the requested operation.

Error: (08/03/2011 09:04:52 AM) (Source: crypt32) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This operation returned because the timeout period expired.

Error: (08/03/2011 08:56:57 AM) (Source: Application Hang) (User: )
Description: Hanging application iexplore.exe, version 8.0.6001.18702, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Error: (08/03/2011 08:09:47 AM) (Source: crypt32) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: The specified server cannot perform the requested operation.

Error: (08/03/2011 08:09:46 AM) (Source: crypt32) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This operation returned because the timeout period expired.

Error: (08/02/2011 02:05:25 PM) (Source: Application Error) (User: )
Description: Fault bucket -2070362295.
The Wep key exchange did not result in a secure connection setup after 802.1x authentication. The current setting has been marked as failed and the Wireless connection will be disconnected.

Error: (08/02/2011 02:03:57 PM) (Source: Application Error) (User: )
Description: Faulting application iexplore.exe, version 8.0.6001.18702, faulting module mshtml.dll, version 8.0.6001.18999, fault address 0x000678b8.
Processing media-specific event for [iexplore.exe!ws!]

Error: (08/02/2011 02:00:29 PM) (Source: Application Hang) (User: )
Description: Hanging application iexplore.exe, version 8.0.6001.18702, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Error: (08/02/2011 01:15:41 PM) (Source: crypt32) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: The specified server cannot perform the requested operation.


System errors:
=============
Error: (08/05/2011 08:33:00 AM) (Source: DCOM) (User: SYSTEM)
Description: DCOM got error "%%1058" attempting to start the service gupdate with arguments "/comsvc"
in order to run the server:
{4EB61BAC-A3B6-4760-9581-655041EF4D69}

Error: (08/05/2011 08:29:01 AM) (Source: Windows Update Agent) (User: )
Description: Unable to Connect: Windows is unable to connect to the automatic updates service and therefore cannot download and install updates according to the set schedule. Windows will continue to try to establish a connection.

Error: (08/05/2011 08:20:13 AM) (Source: Service Control Manager) (User: )
Description: The MCSTRM service failed to start due to the following error:
%%2

Error: (08/03/2011 01:33:01 PM) (Source: DCOM) (User: SYSTEM)
Description: DCOM got error "%%1058" attempting to start the service gupdate with arguments "/comsvc"
in order to run the server:
{4EB61BAC-A3B6-4760-9581-655041EF4D69}

Error: (08/03/2011 01:08:46 PM) (Source: 0) (User: )
Description: \Device\Ide\IdePort0

Error: (08/03/2011 01:06:29 PM) (Source: 0) (User: )
Description: \Device\Ide\IdePort0

Error: (08/03/2011 01:06:27 PM) (Source: 0) (User: )
Description: \Device\Ide\IdePort0

Error: (08/03/2011 10:21:27 AM) (Source: BROWSER) (User: )
Description: The browser was unable to promote itself to master browser. The computer that currently
believes it is the master browser is EMAILSERV.

Error: (08/03/2011 10:00:17 AM) (Source: Service Control Manager) (User: )
Description: The MCSTRM service failed to start due to the following error:
%%2

Error: (08/03/2011 09:44:07 AM) (Source: Service Control Manager) (User: )
Description: The MCSTRM service failed to start due to the following error:
%%2


Microsoft Office Sessions:
=========================
Error: (08/03/2011 09:13:00 AM) (Source: Application Error)(User: )
Description: iexplore.exe8.0.6001.18702mshtml.dll8.0.6001.1899900026265

Error: (08/03/2011 09:04:52 AM) (Source: crypt32)(User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txtThe specified server cannot perform the requested operation.

Error: (08/03/2011 09:04:52 AM) (Source: crypt32)(User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txtThis operation returned because the timeout period expired.

Error: (08/03/2011 08:56:57 AM) (Source: Application Hang)(User: )
Description: iexplore.exe8.0.6001.18702hungapp0.0.0.000000000

Error: (08/03/2011 08:09:47 AM) (Source: crypt32)(User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txtThe specified server cannot perform the requested operation.

Error: (08/03/2011 08:09:46 AM) (Source: crypt32)(User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txtThis operation returned because the timeout period expired.

Error: (08/02/2011 02:05:25 PM) (Source: Application Error)(User: )
Description: -2070362295

Error: (08/02/2011 02:03:57 PM) (Source: Application Error)(User: )
Description: iexplore.exe8.0.6001.18702mshtml.dll8.0.6001.18999000678b8

Error: (08/02/2011 02:00:29 PM) (Source: Application Hang)(User: )
Description: iexplore.exe8.0.6001.18702hungapp0.0.0.000000000

Error: (08/02/2011 01:15:41 PM) (Source: crypt32)(User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txtThe specified server cannot perform the requested operation.


========================= Memory info: ===================================

Percentage of memory in use: 47%
Total physical RAM: 511.01 MB
Available physical RAM: 268.27 MB
Total Pagefile: 1249.49 MB
Available Pagefile: 987.65 MB
Total Virtual: 2047.88 MB
Available Virtual: 1996.79 MB

========================= Partitions: =====================================

2 Drive c: () (Fixed) (Total:37.24 GB) (Free:12.3 GB) NTFS
5 Drive f: (SYS) (Network) (Total:8.2 GB) (Free:2.31 GB) NWFS
6 Drive g: (VOL2) (Network) (Total:68.36 GB) (Free:52.48 GB) NWFS
7 Drive h: (VOL1) (Network) (Total:16.95 GB) (Free:3.92 GB) NWFS
8 Drive l: (VOL3) (Network) (Total:68.34 GB) (Free:24.14 GB) NWFS
9 Drive m: (VOL3) (Network) (Total:68.34 GB) (Free:24.14 GB) NWFS
10 Drive r: (VOL3) (Network) (Total:68.34 GB) (Free:24.14 GB) NWFS
11 Drive s: (VOL2) (Network) (Total:68.36 GB) (Free:12.78 GB) NWFS
12 Drive t: (VOL3) (Network) (Total:68.34 GB) (Free:24.14 GB) NWFS
13 Drive u: (SYS) (Network) (Total:8.2 GB) (Free:2.31 GB) NWFS
14 Drive v: (SYS) (Network) (Total:8.2 GB) (Free:2.31 GB) NWFS
15 Drive w: (SYS) (Network) (Total:8.2 GB) (Free:2.31 GB) NWFS
16 Drive x: (SYS) (Network) (Total:8.2 GB) (Free:2.31 GB) NWFS
17 Drive y: (SYS) (Network) (Total:8.2 GB) (Free:2.31 GB) NWFS
18 Drive z: (VOL2) (Network) (Total:68.36 GB) (Free:52.48 GB) NWFS

========================= Users: ========================================

User accounts for \\LHERRING

Administrator ASPNET Guest
HelpAssistant lawuser SUPPORT_388945a0
user


== End of log ==

Results of screen317's Security Check version 0.99.7
Windows XP Service Pack 3
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
McAfee Security Scan Plus
```````````````````````````````
Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware
CCleaner
Java™ 6 Update 21
Out of date Java installed!
Adobe Flash Player
Adobe Reader X (10.1.0)
````````````````````````````````
Process Check:
objlist.exe by Laurent

``````````End of Log````````````


GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-08-05 11:46:22
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 WDC_WD400BB-75CAA0 rev.16.06V16
Running: gmer.exe; Driver: C:\DOCUME~1\user\LOCALS~1\Temp\kxliapob.sys


---- System - GMER 1.0.15 ----

SSDT 82377500 ZwAllocateVirtualMemory
SSDT 823E7160 ZwCreateKey
SSDT 82377A28 ZwCreateProcess
SSDT 823779B0 ZwCreateProcessEx
SSDT 823777D0 ZwCreateThread
SSDT 82377C80 ZwDeleteKey
SSDT 82377AA0 ZwDeleteValueKey
SSDT 82377578 ZwQueueApcThread
SSDT 82377410 ZwReadVirtualMemory
SSDT 82377C08 ZwRenameKey
SSDT 82377668 ZwSetContextThread
SSDT 82377B90 ZwSetInformationKey
SSDT 823778C0 ZwSetInformationProcess
SSDT 823776E0 ZwSetInformationThread
SSDT 82377B18 ZwSetValueKey
SSDT 82377848 ZwSuspendProcess
SSDT 823775F0 ZwSuspendThread
SSDT 82377938 ZwTerminateProcess
SSDT 82377758 ZwTerminateThread
SSDT 82377488 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

.text KDCOM.DLL!KdSendPacket F8A36345 6 Bytes [FA, 8D, 46, 01, 25, FF]
.text KDCOM.DLL!KdSendPacket F8A3634D 5 Bytes [80, 79, 07, 48, 0D]
.text KDCOM.DLL!KdSendPacket F8A36353 29 Bytes [FF, FF, FF, 40, 0F, B6, F0, ...]
.text KDCOM.DLL!KdSendPacket F8A36371 28 Bytes [FF, FF, FF, 42, 0F, B6, FA, ...]
.text KDCOM.DLL!KdD0Transition + 8 F8A3638E 17 Bytes [08, 03, 55, F8, 03, D8, 81, ...]
.text KDCOM.DLL!KdD0Transition + 1A F8A363A0 42 Bytes [FF, FF, FF, 43, 0F, B6, C3, ...]
.text KDCOM.DLL!KdDebuggerInitialize0 + 25 F8A363CB 6 Bytes [00, C9, C2, 08, 00, 55] {ADD CL, CL; RET 0x8; PUSH EBP}
.text KDCOM.DLL!KdDebuggerInitialize0 + 2C F8A363D2 23 Bytes [EC, 83, C8, FF, 83, 7D, 08, ...]
.text KDCOM.DLL!KdDebuggerInitialize0 + 44 F8A363EA 162 Bytes [42, 5E, F6, C1, 01, 74, 0A, ...]
.text KDCOM.DLL!KdRestore + 2D F8A3648D 1 Byte [43]
.text KDCOM.DLL!KdRestore + 2D F8A3648D 77 Bytes [43, 08, 89, 45, FC, 8B, 55, ...]
.text KDCOM.DLL!KdRestore + 7C F8A364DC 25 Bytes [C9, C2, 08, 00, 55, 8B, EC, ...]
.text KDCOM.DLL!KdRestore + 97 F8A364F7 21 Bytes [89, 06, 89, 46, 08, 89, 46, ...]
.text KDCOM.DLL!KdRestore + AD F8A3650D 39 Bytes CALL F8A3646D \WINDOWS\system32\KDCOM.DLL (Kernel Debugger HW Extension DLL/Microsoft Corporation)
.text ...
PAGEKD KDCOM.DLL!KdReceivePacket + 2 F8A36F4E 205 Bytes [F0, 8D, 45, FC, 50, 53, 56, ...]
PAGEKD KDCOM.DLL!KdReceivePacket + D0 F8A3701C 2 Bytes [75, 0E] {JNZ 0x10}
PAGEKD KDCOM.DLL!KdReceivePacket + D3 F8A3701F 1 Byte [C0]
PAGEKD KDCOM.DLL!KdReceivePacket + D3 F8A3701F 103 Bytes [C0, 02, 83, C2, 02, 84, DB, ...]
PAGEKD KDCOM.DLL!KdReceivePacket + 13B F8A37087 131 Bytes [7D, 0C, B8, 4D, 5A, 00, 00, ...]
PAGEKD ...
PAGEKD KDCOM.DLL!KdSendPacket + 5F F8A37211 15 Bytes [02, 00, 00, 6A, 64, 8D, 45, ...]
? nwfilter.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1688] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215501 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1688] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB44 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1688] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E4FEF C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1688] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E4F21 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1688] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E4F8C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1688] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4DF2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1688] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E4E54 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1688] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E5052 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1688] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4EB6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1688] WININET.dll!HttpAddRequestHeadersA 3D94CF4E 5 Bytes JMP 00B16840
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1688] WININET.dll!HttpAddRequestHeadersW 3D94FE49 5 Bytes JMP 00B16A4B
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2132] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215501 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2132] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9AE9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2132] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD145 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2132] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB44 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2132] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E254696 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2132] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E4FEF C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2132] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E4F21 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2132] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E4F8C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2132] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4DF2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2132] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E4E54 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2132] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E5052 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2132] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4EB6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2132] ole32.dll!CoCreateInstance 774FF1AC 5 Bytes JMP 3E2EDBA0 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2132] ole32.dll!OleLoadFromStream 7752981B 5 Bytes JMP 3E3E5370 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2132] WS2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 0103000A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2132] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00D5000A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2132] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 00D4000A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2132] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00D6000A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2132] WS2_32.dll!gethostbyname 71AB5355 5 Bytes JMP 0102000A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2132] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00D3000A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2132] WININET.dll!HttpAddRequestHeadersA 3D94CF4E 5 Bytes JMP 00B16840
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2132] WININET.dll!HttpAddRequestHeadersW 3D94FE49 5 Bytes JMP 00B16A4B

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \WINDOWS\system32\ntoskrnl.exe[KDCOM.dll!KdD0Transition] [F8A365DF] \WINDOWS\system32\KDCOM.DLL (Kernel Debugger HW Extension DLL/Microsoft Corporation)
IAT \WINDOWS\system32\ntoskrnl.exe[KDCOM.dll!KdD3Transition] [F8A365E9] \WINDOWS\system32\KDCOM.DLL (Kernel Debugger HW Extension DLL/Microsoft Corporation)
IAT \WINDOWS\system32\ntoskrnl.exe[KDCOM.dll!KdRestore] [F8A36619] \WINDOWS\system32\KDCOM.DLL (Kernel Debugger HW Extension DLL/Microsoft Corporation)
IAT \WINDOWS\system32\ntoskrnl.exe[KDCOM.dll!KdReceivePacket] [F8A3660D] \WINDOWS\system32\KDCOM.DLL (Kernel Debugger HW Extension DLL/Microsoft Corporation)
IAT \WINDOWS\system32\ntoskrnl.exe[KDCOM.dll!KdDebuggerInitialize0] [F8A365F3] \WINDOWS\system32\KDCOM.DLL (Kernel Debugger HW Extension DLL/Microsoft Corporation)
IAT \WINDOWS\system32\ntoskrnl.exe[KDCOM.dll!KdSave] [F8A36625] \WINDOWS\system32\KDCOM.DLL (Kernel Debugger HW Extension DLL/Microsoft Corporation)
IAT \WINDOWS\system32\ntoskrnl.exe[KDCOM.dll!KdDebuggerInitialize1] [F8A365FF] \WINDOWS\system32\KDCOM.DLL (Kernel Debugger HW Extension DLL/Microsoft Corporation)
IAT \WINDOWS\system32\ntoskrnl.exe[KDCOM.dll!KdSendPacket] [F8A36631] \WINDOWS\system32\KDCOM.DLL (Kernel Debugger HW Extension DLL/Microsoft Corporation)
IAT \WINDOWS\system32\hal.dll[KDCOM.dll!KdRestore] [F8A36619] \WINDOWS\system32\KDCOM.DLL (Kernel Debugger HW Extension DLL/Microsoft Corporation)
IAT \WINDOWS\system32\KDCOM.DLL[ntoskrnl.exe!WRITE_REGISTER_UCHAR] 6C6C642E
IAT \WINDOWS\system32\KDCOM.DLL[ntoskrnl.exe!READ_REGISTER_UCHAR] 8B550000
IAT \WINDOWS\system32\KDCOM.DLL[ntoskrnl.exe!HalPrivateDispatchTable] 835151EC
IAT \WINDOWS\system32\KDCOM.DLL[ntoskrnl.exe!KeFindConfigurationEntry] 8300F865
IAT \WINDOWS\system32\KDCOM.DLL[ntoskrnl.exe!InbvDisplayString] 8A000C7D
IAT \WINDOWS\system32\KDCOM.DLL[ntoskrnl.exe!KdDebuggerNotPresent] 00010081
IAT \WINDOWS\system32\KDCOM.DLL[ntoskrnl.exe!_strupr] 01918A00
IAT \WINDOWS\system32\KDCOM.DLL[ntoskrnl.exe!strstr] 0F000001
IAT \WINDOWS\system32\KDCOM.DLL[ntoskrnl.exe!MmMapIoSpace] 00008386
IAT \WINDOWS\system32\KDCOM.DLL[ntoskrnl.exe!atol] 57565300
IAT \WINDOWS\system32\KDCOM.DLL[HAL.dll!READ_PORT_UCHAR] 736F746E
IAT \WINDOWS\system32\KDCOM.DLL[HAL.dll!WRITE_PORT_UCHAR] 6C6E726B
IAT \WINDOWS\system32\KDCOM.DLL[HAL.dll!HalQueryRealTimeClock] 6578652E
IAT \WINDOWS\system32\KDCOM.DLL[HAL.dll!HalInitSystem] 00000000
IAT \WINDOWS\system32\KDCOM.DLL[HAL.dll!KdComPortInUse] 2E6C6168
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisDeregisterProtocol] 823771A0
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisRegisterProtocol] 82377298
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] 82377298
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol] 823771A0
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisDeregisterProtocol] 823771A0
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol] 82377298
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] 82377298
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] 823771A0
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] 82377298
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] 823771A0
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] 82377298
IAT \SystemRoot\system32\DRIVERS\rdbss.sys[ntoskrnl.exe!FsRtlRegisterUncProvider] [F894C63E] nwfilter.sys
IAT \SystemRoot\system32\DRIVERS\nwlnkipx.sys[NDIS.SYS!NdisDeregisterProtocol] 823771A0
IAT \SystemRoot\system32\DRIVERS\nwlnkipx.sys[NDIS.SYS!NdisRegisterProtocol] 82377298
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] 82377298
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] 823771A0
IAT \SystemRoot\system32\DRIVERS\mrxdav.sys[ntoskrnl.exe!FsRtlRegisterUncProvider] [F894C63E] nwfilter.sys

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\Internet Explorer\IEXPLORE.EXE[2132] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [451F1ACB] C:\Program Files\Internet Explorer\xpshims.dll (Internet Explorer Compatibility Shims for XP/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SSFS0BBC.SYS (Spy Sweeper FileSystem Filter Driver/Webroot Software, Inc. (www.webroot.com))

Device \Driver\Tcpip \Device\Ip 8224CFA8
Device \Driver\Tcpip \Device\Ip 8214D6D0
Device \Driver\Tcpip \Device\Tcp 8224CFA8
Device \Driver\Tcpip \Device\Tcp 8214D6D0
Device \Driver\Tcpip \Device\Udp 8224CFA8
Device \Driver\Tcpip \Device\Udp 8214D6D0
Device \Driver\Tcpip \Device\RawIp 8224CFA8
Device \Driver\Tcpip \Device\RawIp 8214D6D0
Device \Driver\Tcpip \Device\IPMULTICAST 8224CFA8
Device \Driver\Tcpip \Device\IPMULTICAST 8214D6D0

---- Threads - GMER 1.0.15 ----

Thread System [4:108] 823630B3
Thread System [4:116] 82363923
Thread System [4:120] 823647FB

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 TDL4@MBR code has been found <-- ROOTKIT !!!
Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior

---- EOF - GMER 1.0.15 ----

#4 2blori

  • Topic Starter
  • Members
  • 12 posts

Posted 05 August 2011 - 03:20 PM

Broni,

I was looking at some of your posts and noticed that most of them were after 10pm. Also did some research on the possible rootkit that is indicated on the scans in my previous post - in several other problems similar to mine I noticed that they (expert advice giver) normally followed up by asking the person with the possible infection to run the Unhooker scan.

Please know that I understand that you are helping many people and are very busy... I am not trying to rush anything, however this is my work computer and I will not be on it after 5p today until Monday morning 8a - thought that maybe it would be helpful to run and post this scan for you as well.

My apologies if I am out of line on this. (also - just FYI I do have previous scan files of the Malware, Gmer as I ran those before posting my problem in this forum per the instructions).

Thanks for your help.

RkU Version: 3.8.389.593, Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 3)
Number of processors #1
==============================================
>Drivers
==============================================
0xBF012000 C:\WINDOWS\System32\nv4_disp.dll 4276224 bytes (NVIDIA Corporation, NVIDIA Compatible Windows 2000 Display driver, Version 56.73 )
0x804D7000 C:\WINDOWS\system32\ntoskrnl.exe 2189952 bytes (Microsoft Corporation, NT Kernel & System)
0x804D7000 PnpManager 2189952 bytes
0x804D7000 RAW 2189952 bytes
0x804D7000 WMIxWDM 2189952 bytes
0xF692A000 C:\WINDOWS\system32\DRIVERS\nv4_mini.sys 1900544 bytes (NVIDIA Corporation, NVIDIA Compatible Windows 2000 Miniport Driver, Version 56.73 )
0xBF800000 Win32k 1855488 bytes
0xBF800000 C:\WINDOWS\System32\win32k.sys 1855488 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0xF8356000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)
0xF4125000 C:\WINDOWS\system32\NetWare\nwfs.sys 516096 bytes (Novell, Inc., Novell NetWare Redirector)
0xF550C000 C:\WINDOWS\system32\DRIVERS\mrxsmb.sys 458752 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
0xF67CB000 C:\WINDOWS\system32\DRIVERS\update.sys 385024 bytes (Microsoft Corporation, Update Driver)
0xF5617000 C:\WINDOWS\system32\DRIVERS\tcpip.sys 364544 bytes (Microsoft Corporation, TCP/IP Protocol Driver)
0xF3E70000 C:\WINDOWS\system32\DRIVERS\srv.sys 360448 bytes (Microsoft Corporation, Server driver)
0xBFFA0000 C:\WINDOWS\System32\ATMFD.DLL 286720 bytes (Adobe Systems Incorporated, Windows NT OpenType/Type 1 Font Driver)
0xF68D0000 C:\WINDOWS\system32\drivers\emu10k1m.sys 286720 bytes (Creative Technology Ltd., Creative SB Live! Adapter Driver)
0xF3091000 C:\WINDOWS\System32\Drivers\HTTP.sys 266240 bytes (Microsoft Corporation, HTTP Protocol Stack)
0xF84E7000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)
0xF84A8000 SSIDRV.SYS 188416 bytes (Webroot Software, Inc. (www.webroot.com), Spy Sweeper Interdiction Driver)
0xF4030000 C:\WINDOWS\system32\DRIVERS\mrxdav.sys 184320 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)
0xF847B000 C:\WINDOWS\SYSTEM32\Drivers\NDIS.SYS 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)
0xF208A000 C:\WINDOWS\system32\drivers\kmixer.sys 176128 bytes (Microsoft Corporation, Kernel Mode Audio Mixer)
0xF557C000 C:\WINDOWS\system32\DRIVERS\rdbss.sys 176128 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0xF55EF000 C:\WINDOWS\system32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)
0xF42BB000 C:\WINDOWS\system32\NetWare\srvloc.sys 163840 bytes (Novell, Inc., SLP Driver)
0xF55C9000 C:\WINDOWS\system32\DRIVERS\ipnat.sys 155648 bytes (Microsoft Corporation, IP Network Address Translator)
0xF68AC000 C:\WINDOWS\system32\drivers\portcls.sys 147456 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0xF6851000 C:\WINDOWS\system32\DRIVERS\USBPORT.SYS 147456 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0xF6889000 C:\WINDOWS\system32\drivers\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)
0xF55A7000 C:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0x806EE000 ACPI_HAL 131840 bytes
0x806EE000 C:\WINDOWS\system32\hal.dll 131840 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0xF840C000 fltmgr.sys 131072 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0xF845C000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver)
0xF833C000 Mup.sys 106496 bytes (Microsoft Corporation, Multiple UNC Provider driver)
0xF1E6F000 C:\DOCUME~1\user\LOCALS~1\Temp\kxliapob.sys 102400 bytes
0xF8444000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)
0xF54CC000 C:\WINDOWS\System32\Drivers\dump_atapi.sys 98304 bytes
0xF842C000 C:\WINDOWS\System32\Drivers\SCSIPORT.SYS 98304 bytes (Microsoft Corporation, SCSI Port Driver)
0xF83E3000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0xF683A000 C:\WINDOWS\system32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
0xF4366000 C:\WINDOWS\system32\DRIVERS\nwlnkipx.sys 90112 bytes (Microsoft Corporation, NWLINK2 IPX Protocol Driver)
0xF34A3000 C:\WINDOWS\system32\drivers\wdmaud.sys 86016 bytes (Microsoft Corporation, MMSYSTEM Wave/Midi API mapper)
0xF6875000 C:\WINDOWS\system32\DRIVERS\parport.sys 81920 bytes (Microsoft Corporation, Parallel Port Driver)
0xF6916000 C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver)
0xF5670000 C:\WINDOWS\system32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver)
0xBF000000 C:\WINDOWS\System32\drivers\dxg.sys 73728 bytes (Microsoft Corporation, DirectX Graphics Driver)
0xF83FA000 sr.sys 73728 bytes (Microsoft Corporation, System Restore Filesystem Filter Driver)
0xF84D6000 pci.sys 69632 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
0xF6829000 C:\WINDOWS\system32\DRIVERS\psched.sys 69632 bytes (Microsoft Corporation, MS QoS Packet Scheduler)
0xF85F6000 C:\WINDOWS\System32\Drivers\Cdfs.SYS 65536 bytes (Microsoft Corporation, CD-ROM File System Driver)
0xF6B1A000 C:\WINDOWS\system32\DRIVERS\cdrom.sys 65536 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
0xF8676000 C:\WINDOWS\system32\DRIVERS\nwlnknb.sys 65536 bytes (Microsoft Corporation, NWLINK2 IPX Netbios Protocol Driver)
0xF6B2A000 C:\WINDOWS\system32\DRIVERS\serial.sys 65536 bytes (Microsoft Corporation, Serial Device Driver)
0xF6B4A000 C:\WINDOWS\system32\drivers\drmk.sys 61440 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
0xF6B0A000 C:\WINDOWS\system32\DRIVERS\redbook.sys 61440 bytes (Microsoft Corporation, Redbook Audio Filter Driver)
0xF423B000 C:\WINDOWS\system32\drivers\sysaudio.sys 61440 bytes (Microsoft Corporation, System Audio WDM Filter)
0xF8716000 C:\WINDOWS\system32\DRIVERS\usbhub.sys 61440 bytes (Microsoft Corporation, Default Hub Driver for USB)
0xF8776000 C:\WINDOWS\system32\DRIVERS\nwlnkspx.sys 57344 bytes (Microsoft Corporation, NWLINK2 SPX Protocol Driver)
0xF8596000 C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS 53248 bytes (Microsoft Corporation, SCSI Class System Dll)
0xF85E6000 C:\WINDOWS\system32\DRIVERS\HPZid412.sys 53248 bytes (HP, IEEE-1284.4-1999 Driver (Windows 2000))
0xF6AFA000 C:\WINDOWS\system32\DRIVERS\rasl2tp.sys 53248 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
0xF8576000 VolSnap.sys 53248 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0xF86E6000 C:\WINDOWS\system32\DRIVERS\raspptp.sys 49152 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
0xF85B6000 agp440.sys 45056 bytes (Microsoft Corporation, 440 NT AGP Filter)
0xF8766000 C:\WINDOWS\System32\Drivers\Fips.SYS 45056 bytes (Microsoft Corporation, FIPS Crypto Driver)
0xF8566000 MountMgr.sys 45056 bytes (Microsoft Corporation, Mount Manager)
0xF86D6000 C:\WINDOWS\system32\DRIVERS\raspppoe.sys 45056 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
0xF8556000 SSFS0BBC.SYS 45056 bytes (Webroot Software, Inc. (www.webroot.com), Spy Sweeper FileSystem Filter Driver)
0xF8536000 isapnp.sys 40960 bytes (Microsoft Corporation, PNP ISA Bus Driver)
0xF8726000 C:\WINDOWS\System32\Drivers\NDProxy.SYS 40960 bytes (Microsoft Corporation, NDIS Proxy)
0xF85A6000 nicm.sys 40960 bytes (Novell, Inc., Novell InterService Communication Driver)
0xF422B000 C:\WINDOWS\system32\NetWare\nwsipx32.sys 40960 bytes (Novell, Inc., Novell Client IPX/SPX API)
0xF8706000 C:\WINDOWS\system32\DRIVERS\termdd.sys 40960 bytes (Microsoft Corporation, Terminal Server Driver)
0xF111F000 C:\WINDOWS\System32\Drivers\BlackBox.SYS 36864 bytes (RKU Driver)
0xF8586000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver)
0xF85D6000 C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS 36864 bytes (Microsoft Corporation, Hid Class Library)
0xF86F6000 C:\WINDOWS\system32\DRIVERS\msgpc.sys 36864 bytes (Microsoft Corporation, MS General Packet Classifier)
0xF8796000 C:\WINDOWS\system32\DRIVERS\netbios.sys 36864 bytes (Microsoft Corporation, NetBIOS interface driver)
0xF86C6000 C:\WINDOWS\system32\DRIVERS\processr.sys 36864 bytes (Microsoft Corporation, Processor Device Driver)
0xF6B3A000 C:\WINDOWS\system32\drivers\sfmanm.sys 36864 bytes (Creative Technology Ltd., SoundFont® Manager)
0xF8546000 SSHRMD.SYS 36864 bytes (Webroot Software, Inc. (www.webroot.com), Spy Sweeper Mini Driver)
0xF8786000 C:\WINDOWS\system32\DRIVERS\wanarp.sys 36864 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
0xF87CE000 cercsr6.sys 32768 bytes (Adaptec, Inc., DELL CERC SATA1.5/6ch Miniport Driver)
0xF88CE000 C:\WINDOWS\system32\DRIVERS\DM9PCI5.SYS 32768 bytes (CNet Technology, Inc. , NDIS 5.0 driver )
0xF87E6000 C:\WINDOWS\System32\Drivers\Npfs.SYS 32768 bytes (Microsoft Corporation, NPFS Driver)
0xF88A6000 C:\WINDOWS\system32\DRIVERS\usbccgp.sys 32768 bytes (Microsoft Corporation, USB Common Class Generic Parent Driver)
0xF88DE000 C:\WINDOWS\system32\DRIVERS\fdc.sys 28672 bytes (Microsoft Corporation, Floppy Disk Controller Driver)
0xF882E000 C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS 28672 bytes (Microsoft Corporation, Hid Parsing Library)
0xF87BE000 C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS 28672 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
0xF890E000 C:\WINDOWS\system32\NetWare\resmgr.sys 28672 bytes (Novell, Inc., Novell NetWare Resource Manager)
0xF88BE000 C:\WINDOWS\system32\DRIVERS\usbprint.sys 28672 bytes (Microsoft Corporation, USB Printer driver)
0xF88EE000 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS 28672 bytes (Microsoft Corporation, USB Mass Storage Class Driver)
0xF892E000 C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys 24576 bytes (GEAR Software Inc., CD DVD Filter)
0xF88D6000 C:\WINDOWS\system32\DRIVERS\HPZius12.sys 24576 bytes (HP, 1284.4<->Usb Datalink Driver (Windows 2000))
0xF888E000 C:\WINDOWS\system32\DRIVERS\kbdclass.sys 24576 bytes (Microsoft Corporation, Keyboard Class Driver)
0xF88AE000 C:\WINDOWS\system32\DRIVERS\mouclass.sys 24576 bytes (Microsoft Corporation, Mouse Class Driver)
0xF88C6000 C:\WINDOWS\system32\NetWare\NWSAP.sys 24576 bytes
0xF880E000 C:\WINDOWS\system32\DRIVERS\usbuhci.sys 24576 bytes (Microsoft Corporation, UHCI USB Miniport Driver)
0xF884E000 C:\WINDOWS\System32\drivers\vga.sys 24576 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
0xF8806000 C:\WINDOWS\system32\DRIVERS\flpydisk.sys 20480 bytes (Microsoft Corporation, Floppy Driver)
0xF885E000 C:\WINDOWS\System32\Drivers\Msfs.SYS 20480 bytes (Microsoft Corporation, Mailslot driver)
0xF88F6000 C:\WINDOWS\system32\NetWare\nwdhcp.sys 20480 bytes (Novell, Inc., DHCP Service)
0xF87C6000 PartMgr.sys 20480 bytes (Microsoft Corporation, Partition Manager)
0xF8936000 C:\WINDOWS\system32\DRIVERS\ptilink.sys 20480 bytes (Parallel Technologies, Inc., Parallel Technologies DirectParallel IO Library)
0xF8876000 C:\WINDOWS\system32\DRIVERS\raspti.sys 20480 bytes (Microsoft Corporation, PTI DirectParallel® mini-port/call-manager driver)
0xF87B6000 C:\WINDOWS\SYSTEM32\Drivers\TDI.SYS 20480 bytes (Microsoft Corporation, TDI Wrapper)
0xF8886000 C:\WINDOWS\System32\watchdog.sys 20480 bytes (Microsoft Corporation, Watchdog Driver)
0xF2DC1000 C:\WINDOWS\system32\DRIVERS\asyncmac.sys 16384 bytes (Microsoft Corporation, MS Remote Access serial network driver)
0xF8303000 C:\WINDOWS\system32\DRIVERS\HPZipr12.sys 16384 bytes (HP, IEEE-1284.4-1999 Print Class Driver)
0xF8A2A000 C:\WINDOWS\system32\DRIVERS\kbdhid.sys 16384 bytes (Microsoft Corporation, HID Mouse Filter Driver)
0xF8A06000 C:\WINDOWS\system32\DRIVERS\mssmbios.sys 16384 bytes (Microsoft Corporation, System Management BIOS Driver)
0xF43C0000 C:\WINDOWS\system32\DRIVERS\ndisuio.sys 16384 bytes (Microsoft Corporation, NDIS User mode I/O Driver)
0xF894A000 nwfilter.sys 16384 bytes
0xF89E2000 C:\WINDOWS\system32\DRIVERS\serenum.sys 16384 bytes (Microsoft Corporation, Serial Port Enumerator)
0xF8A16000 C:\WINDOWS\system32\DRIVERS\usbscan.sys 16384 bytes (Microsoft Corporation, USB Scanner Driver)
0xF8946000 C:\WINDOWS\system32\BOOTVID.dll 12288 bytes (Microsoft Corporation, VGA Boot Driver)
0xF5687000 C:\WINDOWS\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver)
0xF89DA000 C:\WINDOWS\system32\DRIVERS\gameenum.sys 12288 bytes (Microsoft Corporation, Game Port Enumerator)
0xF89FE000 C:\WINDOWS\system32\DRIVERS\hidusb.sys 12288 bytes (Microsoft Corporation, USB Miniport Driver for Input Devices)
0xF8307000 C:\WINDOWS\system32\DRIVERS\mouhid.sys 12288 bytes (Microsoft Corporation, HID Mouse Filter Driver)
0xF89F2000 C:\WINDOWS\system32\DRIVERS\ndistapi.sys 12288 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
0xF82FF000 C:\WINDOWS\system32\DRIVERS\rasacd.sys 12288 bytes (Microsoft Corporation, RAS Automatic Connection Driver)
0xF8A36000 00000019 8192 bytes
0xF8ABE000 C:\WINDOWS\System32\Drivers\Beep.SYS 8192 bytes (Microsoft Corporation, BEEP Driver)
0xF8AA6000 C:\WINDOWS\system32\drivers\ctlfacem.sys 8192 bytes (Creative Technology Ltd., Creative SB Live! Interface Driver)
0xF8ADA000 C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS 8192 bytes
0xF8ABA000 C:\WINDOWS\System32\Drivers\Fs_Rec.SYS 8192 bytes (Microsoft Corporation, File System Recognizer Driver)
0xF8A3A000 intelide.sys 8192 bytes (Microsoft Corporation, Intel PCI IDE Driver)
0xF8A36000 C:\WINDOWS\system32\KDCOM.DLL 8192 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
0xF8AC2000 C:\WINDOWS\System32\Drivers\mnmdd.SYS 8192 bytes (Microsoft Corporation, Frame buffer simulator)
0xF8A86000 C:\WINDOWS\system32\NetWare\NWSNS.sys 8192 bytes (Novell, Inc., Novell Client Simple Naming Services)
0xF8A4C000 C:\WINDOWS\System32\Drivers\ParVdm.SYS 8192 bytes (Microsoft Corporation, VDM Parallel Driver)
0xF8AC6000 C:\WINDOWS\System32\DRIVERS\RDPCDD.sys 8192 bytes (Microsoft Corporation, RDP Miniport)
0xF8AAC000 C:\WINDOWS\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
0xF8AB0000 C:\WINDOWS\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
0xF8A38000 C:\WINDOWS\system32\DRIVERS\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
0xF8C14000 C:\WINDOWS\system32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver)
0xF8C0F000 C:\WINDOWS\system32\DRIVERS\ctljystk.sys 4096 bytes (Creative Technology Ltd., Creative Joyport Enabler)
0xF8BF8000 C:\WINDOWS\System32\drivers\dxgthk.sys 4096 bytes (Microsoft Corporation, DirectX Graphics Driver Thunk)
0xF8B3F000 C:\WINDOWS\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver)
0x8214D400 unknown_irp_handler 3072 bytes
0x8214D478 unknown_irp_handler 2952 bytes
0x8214D4F0 unknown_irp_handler 2832 bytes
0x8214D568 unknown_irp_handler 2712 bytes
0x8214D5E0 unknown_irp_handler 2592 bytes
0x8214D658 unknown_irp_handler 2472 bytes
0x8214D6D0 unknown_irp_handler 2352 bytes
0x82117BE0 unknown_irp_handler 1056 bytes
0x82117C58 unknown_irp_handler 936 bytes
0x82117CD0 unknown_irp_handler 816 bytes
0x8224CCD8 unknown_irp_handler 808 bytes
0x82151CD8 unknown_irp_handler 808 bytes
0x82117D48 unknown_irp_handler 696 bytes
0x8224CD50 unknown_irp_handler 688 bytes
0x82151D50 unknown_irp_handler 688 bytes
0x82117DC0 unknown_irp_handler 576 bytes
0x8224CDC8 unknown_irp_handler 568 bytes
0x82151DC8 unknown_irp_handler 568 bytes
0x82117E38 unknown_irp_handler 456 bytes
0x8224CE40 unknown_irp_handler 448 bytes
0x82151E40 unknown_irp_handler 448 bytes
0x82117EB0 unknown_irp_handler 336 bytes
0x8224CEB8 unknown_irp_handler 328 bytes
0x82151EB8 unknown_irp_handler 328 bytes
0x8224CF30 unknown_irp_handler 208 bytes
0x82151F30 unknown_irp_handler 208 bytes
0x8224CFA8 unknown_irp_handler 88 bytes
0x82151FA8 unknown_irp_handler 88 bytes
!!!!!!!!!!!Hidden driver: 0x82372F38 00000093 0 bytes
==============================================
>Stealth
==============================================
WARNING: Virus alike driver modification [bthpan.sys]
WARNING: Virus alike driver modification [sffp_mmc.sys]
WARNING: Virus alike driver modification [hsfdpsp2.sys]
WARNING: Virus alike driver modification [atinrvxx.sys]
WARNING: Virus alike driver modification [sffp_sd.sys]
WARNING: Virus alike driver modification [wadv08nt.sys]
WARNING: Virus alike driver modification [ati1mdxx.sys]
WARNING: Virus alike driver modification [acpiec.sys]
WARNING: Virus alike driver modification [cpqdap01.sys]
WARNING: Virus alike driver modification [wadv07nt.sys]
WARNING: Virus alike driver modification [mdmxsdk.sys]
WARNING: Virus alike driver modification [wadv09nt.sys]
WARNING: Virus alike driver modification [sffdisk.sys]
WARNING: Virus alike driver modification [wadv11nt.sys]
WARNING: Virus alike driver modification [pcmcia.sys]
WARNING: Virus alike driver modification [nikedrv.sys]
WARNING: Virus alike driver modification [rio8drv.sys]
WARNING: Virus alike driver modification [riodrv.sys]
WARNING: Virus alike driver modification [ws2ifsl.sys]
WARNING: Virus alike driver modification [tdpipe.sys]
WARNING: Virus alike driver modification [ati1pdxx.sys]
WARNING: Virus alike driver modification [fsvga.sys]
WARNING: Virus alike driver modification [usbvideo.sys]
WARNING: Virus alike driver modification [tunmp.sys]
WARNING: Virus alike driver modification [mtlmnt5.sys]
WARNING: Virus alike driver modification [mutohpen.sys]
WARNING: Virus alike driver modification [usb8023.sys]
WARNING: Virus alike driver modification [usb8023x.sys]
WARNING: Virus alike driver modification [slnt7554.sys]
WARNING: Virus alike driver modification [mtlstrm.sys]
WARNING: Virus alike driver modification [slwdmsup.sys]
WARNING: Virus alike driver modification [recagent.sys]
WARNING: Virus alike driver modification [atinmdxx.sys]
WARNING: Virus alike driver modification [atinttxx.sys]
WARNING: Virus alike driver modification [cbidf2k.sys]
WARNING: Virus alike driver modification [rdpwd.sys]
WARNING: Virus alike driver modification [diskdump.sys]
WARNING: Virus alike driver modification [wacompen.sys]
WARNING: Virus alike driver modification [atinpdxx.sys]
WARNING: Virus alike driver modification [hdaudbus.sys]
WARNING: Virus alike driver modification [smclib.sys]
WARNING: Virus alike driver modification [tape.sys]
WARNING: Virus alike driver modification [usbintel.sys]
WARNING: Virus alike driver modification [s3gnbm.sys]
WARNING: Virus alike driver modification [bthenum.sys]
WARNING: Virus alike driver modification [ntmtlfax.sys]
WARNING: Virus alike driver modification [bthusb.sys]
WARNING: Virus alike driver modification [hidir.sys]
WARNING: Virus alike driver modification [rdpdr.sys]
WARNING: Virus alike driver modification [rmcast.sys]
WARNING: Virus alike driver modification [ati1ttxx.sys]
WARNING: Virus alike driver modification [tsbvcap.sys]
WARNING: Virus alike driver modification [tdtcp.sys]
WARNING: Virus alike driver modification [hsfbs2s2.sys]
WARNING: Virus alike driver modification [watv06nt.sys]
WARNING: Virus alike driver modification [tcpip6.sys]
WARNING: Virus alike driver modification [sonydcam.sys]
WARNING: Virus alike driver modification [watv10nt.sys]
WARNING: Virus alike driver modification [hidbth.sys]
WARNING: Virus alike driver modification [usbcamd.sys]
WARNING: Virus alike driver modification [usbcamd2.sys]
WARNING: Virus alike driver modification [cinemst2.sys]
WARNING: Virus alike driver modification [ati1snxx.sys]
WARNING: Virus alike driver modification [bthport.sys]
WARNING: Virus alike driver modification [atinsnxx.sys]
0x823634A5 Unknown page with executable code, 2907 bytes
WARNING: Virus alike driver modification [ati1xbxx.sys]
WARNING: Virus alike driver modification [modem.sys]
WARNING: Virus alike driver modification [usbehci.sys]
WARNING: Virus alike driver modification [rndismp.sys]
WARNING: Virus alike driver modification [rndismpx.sys]
WARNING: Virus alike driver modification [ati1raxx.sys]
WARNING: Virus alike driver modification [atmepvc.sys]
WARNING: Virus alike driver modification [atinxbxx.sys]
WARNING: Virus alike driver modification [ati2mtaa.sys]
WARNING: Virus alike driver modification [rawwan.sys]
WARNING: Virus alike driver modification [ati1xsxx.sys]
WARNING: Virus alike driver modification [atmuni.sys]
WARNING: Virus alike driver modification [intelppm.sys]
WARNING: Virus alike driver modification [ati1tuxx.sys]
WARNING: Virus alike driver modification [bthprint.sys]
WARNING: Virus alike driver modification [crusoe.sys]
WARNING: Virus alike driver modification [amdk6.sys]
WARNING: Virus alike driver modification [amdk7.sys]
WARNING: Virus alike driver modification [bthmodem.sys]
WARNING: Virus alike driver modification [cercsr6.sys]
WARNING: Virus alike driver modification [nmnt.sys]
WARNING: Virus alike driver modification [slntamr.sys]
WARNING: Virus alike driver modification [sisagp.sys]
WARNING: Virus alike driver modification [viaagp.sys]
WARNING: Virus alike driver modification [alim1541.sys]
WARNING: Virus alike driver modification [p3.sys]
WARNING: Virus alike driver modification [amdagp.sys]
WARNING: Virus alike driver modification [uagp35.sys]
WARNING: Virus alike driver modification [agpcpq.sys]
WARNING: Virus alike driver modification [mtxparhm.sys]
WARNING: Virus alike driver modification [gagp30kx.sys]
WARNING: Virus alike driver modification [stream.sys]
WARNING: Virus alike driver modification [tosdvd.sys]
WARNING: Virus alike driver modification [atinraxx.sys]
WARNING: Virus alike driver modification [atmlane.sys]
WARNING: Virus alike driver modification [ati1btxx.sys]
WARNING: Virus alike driver modification [atinbtxx.sys]
WARNING: Virus alike driver modification [vdmindvd.sys]
WARNING: Virus alike driver modification [rootmdm.sys]
WARNING: Virus alike driver modification [smbali.sys]
WARNING: Virus alike driver modification [rfcomm.sys]
0x823630B3 Unknown thread object [ ETHREAD 0x8235CB30 ] TID: 108, 600 bytes
0x82363923 Unknown thread object [ ETHREAD 0x8235C640 ] TID: 116, 600 bytes
0x823647FB Unknown thread object [ ETHREAD 0x8235A020 ] TID: 120, 600 bytes
WARNING: Virus alike driver modification [arp1394.sys]
WARNING: Virus alike driver modification [nic1394.sys]
WARNING: Virus alike driver modification [atinxsxx.sys]
WARNING: Virus alike driver modification [ati1rvxx.sys]
WARNING: Virus alike driver modification [mf.sys]
WARNING: Virus alike driver modification [udfs.sys]
WARNING: Virus alike driver modification [hsfcxts2.sys]
WARNING: Virus alike driver modification [ati2mtag.sys]
WARNING: Virus alike driver modification [bridge.sys]
WARNING: Virus alike driver modification [atintuxx.sys]
0x82360FB5 Unknown page with executable code, 75 bytes
WARNING: Virus alike driver modification [mcd.sys]
WARNING: Virus alike driver modification [sdbus.sys]
WARNING: Virus alike driver modification [slnthal.sys]


!!POSSIBLE ROOTKIT ACTIVITY DETECTED!! =)

#5 Broni

  • BC Advisor
  • 42,735 posts
  • Location:Daly City, CA

Posted 05 August 2011 - 08:08 PM

We have several issues there, but let's start with curing the possible rootkit.

Download TDSSKiller and save it to your desktop.
  • Double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here.



#6 2blori

  • Topic Starter
  • Members
  • 12 posts

Posted 08 August 2011 - 08:15 AM

2011/08/08 08:06:07.0421 0468 TDSS rootkit removing tool 2.5.14.0 Aug 5 2011 16:09:29
2011/08/08 08:06:09.0437 0468 ================================================================================
2011/08/08 08:06:09.0437 0468 SystemInfo:
2011/08/08 08:06:09.0437 0468
2011/08/08 08:06:09.0437 0468 OS Version: 5.1.2600 ServicePack: 3.0
2011/08/08 08:06:09.0437 0468 Product type: Workstation
2011/08/08 08:06:09.0437 0468 ComputerName: LHERRING
2011/08/08 08:06:09.0437 0468 UserName: user
2011/08/08 08:06:09.0437 0468 Windows directory: C:\WINDOWS
2011/08/08 08:06:09.0437 0468 System windows directory: C:\WINDOWS
2011/08/08 08:06:09.0437 0468 Processor architecture: Intel x86
2011/08/08 08:06:09.0437 0468 Number of processors: 1
2011/08/08 08:06:09.0437 0468 Page size: 0x1000
2011/08/08 08:06:09.0437 0468 Boot type: Normal boot
2011/08/08 08:06:09.0437 0468 ================================================================================
2011/08/08 08:06:11.0593 0468 Initialize success
2011/08/08 08:06:28.0281 0396 ================================================================================
2011/08/08 08:06:28.0281 0396 Scan started
2011/08/08 08:06:28.0281 0396 Mode: Manual;
2011/08/08 08:06:28.0281 0396 ================================================================================
2011/08/08 08:06:29.0937 0396 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/08/08 08:06:30.0171 0396 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2011/08/08 08:06:30.0375 0396 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2011/08/08 08:06:30.0546 0396 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
2011/08/08 08:06:30.0671 0396 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys
2011/08/08 08:06:31.0250 0396 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/08/08 08:06:31.0375 0396 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/08/08 08:06:31.0531 0396 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/08/08 08:06:31.0718 0396 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/08/08 08:06:31.0828 0396 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/08/08 08:06:31.0953 0396 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/08/08 08:06:32.0156 0396 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/08/08 08:06:32.0250 0396 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/08/08 08:06:32.0359 0396 Cdrom (4b0a100eaf5c49ef3cca8c641431eacc) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/08/08 08:06:32.0468 0396 cercsr6 (84853b3fd012251690570e9e7e43343f) C:\WINDOWS\system32\drivers\cercsr6.sys
2011/08/08 08:06:32.0921 0396 ctljystk (71007bd2e1e26927fe3e4eb00c0beedf) C:\WINDOWS\system32\DRIVERS\ctljystk.sys
2011/08/08 08:06:33.0468 0396 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/08/08 08:06:33.0781 0396 DM9102 (51ef6ca3d57055fed6ab99021d562443) C:\WINDOWS\system32\DRIVERS\DM9PCI5.SYS
2011/08/08 08:06:34.0218 0396 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2011/08/08 08:06:34.0671 0396 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2011/08/08 08:06:34.0875 0396 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/08/08 08:06:35.0312 0396 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2011/08/08 08:06:35.0812 0396 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/08/08 08:06:36.0093 0396 emu10k (01f83e1b5dce05f5cb7d99113ca9e890) C:\WINDOWS\system32\drivers\emu10k1m.sys
2011/08/08 08:06:36.0609 0396 emu10k1 (7ffa171cce6a8bfc774862a578ba39a2) C:\WINDOWS\system32\drivers\ctlfacem.sys
2011/08/08 08:06:37.0187 0396 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/08/08 08:06:37.0562 0396 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
2011/08/08 08:06:37.0812 0396 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2011/08/08 08:06:38.0031 0396 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2011/08/08 08:06:38.0328 0396 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2011/08/08 08:06:38.0500 0396 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/08/08 08:06:38.0734 0396 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/08/08 08:06:39.0015 0396 gameenum (065639773d8b03f33577f6cdaea21063) C:\WINDOWS\system32\DRIVERS\gameenum.sys
2011/08/08 08:06:39.0375 0396 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
2011/08/08 08:06:39.0625 0396 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/08/08 08:06:40.0062 0396 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2011/08/08 08:06:40.0468 0396 HPZid412 (9f1d80908658eb7f1bf70809e0b51470) C:\WINDOWS\system32\DRIVERS\HPZid412.sys
2011/08/08 08:06:40.0671 0396 HPZipr12 (89f41658929393487b6b7d13c8528ce3) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys
2011/08/08 08:06:40.0828 0396 HPZius12 (cf1b7951b4ec8d13f3c93b74bb2b461b) C:\WINDOWS\system32\DRIVERS\HPZius12.sys
2011/08/08 08:06:41.0109 0396 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/08/08 08:06:41.0546 0396 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/08/08 08:06:41.0781 0396 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/08/08 08:06:42.0125 0396 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
2011/08/08 08:06:42.0218 0396 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2011/08/08 08:06:42.0406 0396 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2011/08/08 08:06:42.0562 0396 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/08/08 08:06:42.0828 0396 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/08/08 08:06:43.0109 0396 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/08/08 08:06:43.0375 0396 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/08/08 08:06:43.0609 0396 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/08/08 08:06:43.0984 0396 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/08/08 08:06:44.0187 0396 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2011/08/08 08:06:44.0468 0396 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2011/08/08 08:06:44.0859 0396 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/08/08 08:06:45.0359 0396 libusb0 (bb90b64682d4108819947940bd7c4ea5) C:\WINDOWS\system32\DRIVERS\libusb0.sys
2011/08/08 08:06:46.0109 0396 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/08/08 08:06:46.0234 0396 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2011/08/08 08:06:46.0546 0396 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/08/08 08:06:46.0843 0396 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2011/08/08 08:06:47.0062 0396 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/08/08 08:06:47.0515 0396 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/08/08 08:06:48.0296 0396 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/08/08 08:06:49.0312 0396 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2011/08/08 08:06:49.0484 0396 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/08/08 08:06:50.0015 0396 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/08/08 08:06:50.0593 0396 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/08/08 08:06:50.0953 0396 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/08/08 08:06:51.0375 0396 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2011/08/08 08:06:51.0671 0396 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2011/08/08 08:06:52.0156 0396 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/08/08 08:06:52.0359 0396 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/08/08 08:06:52.0531 0396 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/08/08 08:06:52.0718 0396 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/08/08 08:06:52.0890 0396 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/08/08 08:06:53.0140 0396 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/08/08 08:06:53.0390 0396 NetwareWorkstation (47775e88ee6bdea803bb0edcb6612e4f) C:\WINDOWS\system32\NetWare\nwfs.sys
2011/08/08 08:06:53.0609 0396 NICM (c501404558ea82e8a875de6331f0748d) C:\WINDOWS\system32\drivers\nicm.sys
2011/08/08 08:06:53.0734 0396 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2011/08/08 08:06:53.0937 0396 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/08/08 08:06:54.0281 0396 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/08/08 08:06:54.0468 0396 nv (2b298519edbfcf451d43e0f1e8f1006d) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
2011/08/08 08:06:54.0781 0396 NWDHCP (a4b071419e0ea596ffb3da89c1f04e61) C:\WINDOWS\system32\NetWare\nwdhcp.sys
2011/08/08 08:06:54.0890 0396 NWDNS (5fe8761fe5fa3761f778fb8d7c0a6763) C:\WINDOWS\system32\NetWare\nwdns.sys
2011/08/08 08:06:55.0062 0396 NWFILTER (7bbf493e2b4979312fa5b350fcf5a4c4) C:\WINDOWS\system32\NetWare\nwfilter.sys
2011/08/08 08:06:55.0203 0396 NWHOST (baa75acf404bebce7065663664a7c3e4) C:\WINDOWS\system32\NetWare\NWHOST.sys
2011/08/08 08:06:55.0328 0396 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/08/08 08:06:55.0421 0396 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/08/08 08:06:55.0562 0396 NwlnkIpx (8b8b1be2dba4025da6786c645f77f123) C:\WINDOWS\system32\DRIVERS\nwlnkipx.sys
2011/08/08 08:06:55.0750 0396 NwlnkNb (56d34a67c05e94e16377c60609741ff8) C:\WINDOWS\system32\DRIVERS\nwlnknb.sys
2011/08/08 08:06:55.0890 0396 NwlnkSpx (c0bb7d1615e1acbdc99757f6ceaf8cf0) C:\WINDOWS\system32\DRIVERS\nwlnkspx.sys
2011/08/08 08:06:56.0109 0396 NWSAP (2726a6792bbb080ff345ed9a8111360f) C:\WINDOWS\system32\NetWare\NWSAP.sys
2011/08/08 08:06:56.0171 0396 NWSIPX32 (0c19ea7bf54f23ef37d8a14c61f64891) C:\WINDOWS\system32\NetWare\nwsipx32.sys
2011/08/08 08:06:56.0375 0396 NWSLP (0b5c354bebc5381b59a196bd7e517814) C:\WINDOWS\system32\NetWare\nwslp.sys
2011/08/08 08:06:56.0593 0396 NWSNS (172308996609da67e99c87fa784df8bc) C:\WINDOWS\system32\NetWare\NWSNS.sys
2011/08/08 08:06:57.0000 0396 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
2011/08/08 08:06:57.0265 0396 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/08/08 08:06:57.0468 0396 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/08/08 08:06:57.0625 0396 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/08/08 08:06:59.0453 0396 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2011/08/08 08:07:01.0828 0396 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/08/08 08:07:01.0984 0396 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
2011/08/08 08:07:02.0140 0396 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/08/08 08:07:02.0296 0396 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/08/08 08:07:03.0265 0396 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/08/08 08:07:03.0500 0396 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/08/08 08:07:03.0812 0396 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/08/08 08:07:04.0031 0396 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/08/08 08:07:04.0437 0396 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/08/08 08:07:04.0781 0396 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/08/08 08:07:05.0265 0396 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/08/08 08:07:05.0593 0396 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/08/08 08:07:05.0843 0396 RESMGR (16c27d650113b0aa0c8255c561a71cd4) C:\WINDOWS\system32\NetWare\resmgr.sys
2011/08/08 08:07:06.0203 0396 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/08/08 08:07:06.0437 0396 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2011/08/08 08:07:06.0546 0396 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2011/08/08 08:07:06.0750 0396 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2011/08/08 08:07:06.0890 0396 sfman (0b1a5e9cacb5cdd54a2815107bd7c772) C:\WINDOWS\system32\drivers\sfmanm.sys
2011/08/08 08:07:07.0250 0396 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2011/08/08 08:07:07.0359 0396 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/08/08 08:07:07.0562 0396 Srv (0f6aefad3641a657e18081f52d0c15af) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/08/08 08:07:07.0875 0396 SRVLOC (21d0242d37ab7b275261ed030adaaad5) C:\WINDOWS\system32\NetWare\srvloc.sys
2011/08/08 08:07:08.0250 0396 SSFS0BBC (227b94ee964849be199db7ab0295262e) C:\WINDOWS\system32\Drivers\SSFS0BBC.SYS
2011/08/08 08:07:08.0562 0396 SSHRMD (7a16bb99604cd987e8e2f17ef1e06f54) C:\WINDOWS\system32\Drivers\SSHRMD.SYS
2011/08/08 08:07:08.0906 0396 SSIDRV (709f4547c0dfe87079b878b503fb8d3c) C:\WINDOWS\system32\Drivers\SSIDRV.SYS
2011/08/08 08:07:09.0265 0396 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/08/08 08:07:09.0640 0396 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2011/08/08 08:07:10.0375 0396 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/08/08 08:07:10.0531 0396 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/08/08 08:07:10.0734 0396 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/08/08 08:07:10.0875 0396 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/08/08 08:07:11.0078 0396 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/08/08 08:07:11.0281 0396 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2011/08/08 08:07:11.0500 0396 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2011/08/08 08:07:11.0671 0396 USBAAPL (83cafcb53201bbac04d822f32438e244) C:\WINDOWS\system32\Drivers\usbaapl.sys
2011/08/08 08:07:11.0781 0396 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2011/08/08 08:07:11.0890 0396 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/08/08 08:07:12.0031 0396 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2011/08/08 08:07:12.0203 0396 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2011/08/08 08:07:12.0281 0396 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/08/08 08:07:12.0406 0396 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2011/08/08 08:07:12.0468 0396 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2011/08/08 08:07:12.0656 0396 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/08/08 08:07:12.0765 0396 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/08/08 08:07:12.0890 0396 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/08/08 08:07:13.0203 0396 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2011/08/08 08:07:13.0328 0396 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2011/08/08 08:07:13.0406 0396 MBR (0x1B8) (6f9a1d528242bc09104b85e0becf5554) \Device\Harddisk0\DR0
2011/08/08 08:07:13.0421 0396 \Device\Harddisk0\DR0 - detected Rootkit.Boot.SST.a (0)
2011/08/08 08:07:13.0437 0396 Boot (0x1200) (4bff15001a2c45e48fe5294eddd23090) \Device\Harddisk0\DR0\Partition0
2011/08/08 08:07:13.0453 0396 ================================================================================
2011/08/08 08:07:13.0453 0396 Scan finished
2011/08/08 08:07:13.0453 0396 ================================================================================
2011/08/08 08:07:13.0531 0360 Detected object count: 1
2011/08/08 08:07:13.0531 0360 Actual detected object count: 1
2011/08/08 08:07:33.0546 0360 \Device\Harddisk0\DR0 (Rootkit.Boot.SST.a) - will be cured after reboot
2011/08/08 08:07:33.0546 0360 \Device\Harddisk0\DR0 - ok
2011/08/08 08:07:33.0546 0360 Rootkit.Boot.SST.a(\Device\Harddisk0\DR0) - User select action: Cure
2011/08/08 08:07:43.0375 0452 Deinitialize success

#7 Broni
Posted 08 August 2011 - 06:47 PM

Good :)

How is the computer doing?

Please give me fresh RKUnhooker log.



#8 2blori
Posted 11 August 2011 - 04:14 PM

Sorry for the delay in my response, but my job is out in the field several days a week. Computer seems to be running fine today and earlier this week. Here is the scan:

RkU Version: 3.8.389.593, Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 3)
Number of processors #1
==============================================
>SSDT State
==============================================
ntoskrnl.exe-->NtAllocateVirtualMemory, Type: Address change 0x80568FCA-->823CD588 [Unknown module filename]
ntoskrnl.exe-->NtCreateKey, Type: Address change 0x80570833-->823E7160 [Unknown module filename]
ntoskrnl.exe-->NtCreateProcess, Type: Address change 0x805B14AC-->823CDAB0 [Unknown module filename]
ntoskrnl.exe-->NtCreateProcessEx, Type: Address change 0x8057FE4C-->823CDA38 [Unknown module filename]
ntoskrnl.exe-->NtCreateThread, Type: Address change 0x80587A3C-->823CD858 [Unknown module filename]
ntoskrnl.exe-->NtDeleteKey, Type: Address change 0x80595316-->823CDD08 [Unknown module filename]
ntoskrnl.exe-->NtDeleteValueKey, Type: Address change 0x80592D64-->823CDB28 [Unknown module filename]
ntoskrnl.exe-->NtQueueApcThread, Type: Address change 0x8058A487-->823CD600 [Unknown module filename]
ntoskrnl.exe-->NtReadVirtualMemory, Type: Address change 0x8057E4B8-->823CD498 [Unknown module filename]
ntoskrnl.exe-->NtRenameKey, Type: Address change 0x8064EAEA-->823CDC90 [Unknown module filename]
ntoskrnl.exe-->NtSetContextThread, Type: Address change 0x8062E057-->823CD6F0 [Unknown module filename]
ntoskrnl.exe-->NtSetInformationKey, Type: Address change 0x8064E1CE-->823CDC18 [Unknown module filename]
ntoskrnl.exe-->NtSetInformationProcess, Type: Address change 0x8056DDD9-->823CD948 [Unknown module filename]
ntoskrnl.exe-->NtSetInformationThread, Type: Address change 0x80575756-->823CD768 [Unknown module filename]
ntoskrnl.exe-->NtSetValueKey, Type: Address change 0x80572A6E-->823CDBA0 [Unknown module filename]
ntoskrnl.exe-->NtSuspendProcess, Type: Address change 0x8062FC39-->823CD8D0 [Unknown module filename]
ntoskrnl.exe-->NtSuspendThread, Type: Address change 0x805E053E-->823CD678 [Unknown module filename]
ntoskrnl.exe-->NtTerminateProcess, Type: Address change 0x805824CC-->823CD9C0 [Unknown module filename]
ntoskrnl.exe-->NtTerminateThread, Type: Address change 0x8057BA6F-->823CD7E0 [Unknown module filename]
ntoskrnl.exe-->NtWriteVirtualMemory, Type: Address change 0x8057E60A-->823CD510 [Unknown module filename]
==============================================
>Shadow
==============================================
==============================================
>Processes
==============================================
0x823CA830 [4] System
0x81E23BE0 [316] C:\WINDOWS\explorer.exe (Microsoft Corporation, Windows Explorer)
0x81E79988 [360] C:\Program Files\TightVNC\WinVNC.exe (TightVNC Group, TightVNC Win32 Server)
0x821D0020 [420] C:\WINDOWS\system32\smss.exe (Microsoft Corporation, Windows NT Session Manager)
0x8210D368 [476] C:\WINDOWS\system32\csrss.exe (Microsoft Corporation, Client Server Runtime Process)
0x822DC400 [500] C:\WINDOWS\system32\winlogon.exe (Microsoft Corporation, Windows NT Logon Application)
0x8222BAE8 [544] C:\WINDOWS\system32\services.exe (Microsoft Corporation, Services and Controller app)
0x81DCB020 [548] C:\WINDOWS\system32\nwtray.exe (Novell, Inc., Novell System Tray Icon)
0x821DCDA0 [556] C:\WINDOWS\system32\lsass.exe (Microsoft Corporation, LSA Shell (Export Version))
0x81F769B0 [716] C:\WINDOWS\system32\svchost.exe (Microsoft Corporation, Generic Host Process for Win32 Services)
0x82105DA0 [776] C:\WINDOWS\system32\svchost.exe (Microsoft Corporation, Generic Host Process for Win32 Services)
0x821CB388 [840] C:\WINDOWS\system32\svchost.exe (Microsoft Corporation, Generic Host Process for Win32 Services)
0x819E5020 [900] C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation, Internet Explorer)
0x821DD8E8 [908] C:\WINDOWS\system32\svchost.exe (Microsoft Corporation, Generic Host Process for Win32 Services)
0x820FDDA0 [956] C:\WINDOWS\system32\svchost.exe (Microsoft Corporation, Generic Host Process for Win32 Services)
0x81E97380 [988] C:\WINDOWS\system32\alg.exe (Microsoft Corporation, Application Layer Gateway Service)
0x821D36C0 [1092] C:\WINDOWS\system32\svchost.exe (Microsoft Corporation, Generic Host Process for Win32 Services)
0x821E0BE0 [1116] C:\WINDOWS\system32\svchost.exe (Microsoft Corporation, Generic Host Process for Win32 Services)
0x81E1C6F8 [1132] C:\Program Files\Office-Logic\OL32.EXE (LAN-ACES Inc., Office-Logic)
0x81EB7638 [1228] C:\WINDOWS\system32\spoolsv.exe (Microsoft Corporation, Spooler SubSystem App)
0x81DC7758 [1384] C:\WINDOWS\system32\devldr32.exe (Creative Technology Ltd., DevLdr32)
0x8227B460 [1712] C:\WINDOWS\system32\svchost.exe (Microsoft Corporation, Generic Host Process for Win32 Services)
0x81EEC020 [1744] C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe (Apple Inc., MobileDeviceService)
0x81F5D808 [1764] C:\Program Files\ScreenPrint32 v3\ScreenPrint32.exe (Provtech Limited, Main Executable)
0x81E16860 [1820] C:\Documents and Settings\user\Application Data\Dropbox\bin\Dropbox.exe (Dropbox, Inc., Dropbox)
0x81EA2BE0 [2012] C:\WINDOWS\system32\svchost.exe (Microsoft Corporation, Generic Host Process for Win32 Services)
0x81C070B0 [2172] C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation, Internet Explorer)
0x81AE2978 [2428] C:\Program Files\Adobe\Reader 10.0\Reader\AcroRd32.exe (Adobe Systems Incorporated, Adobe Reader )
0x81961BE0 [2456] C:\Program Files\Adobe\Reader 10.0\Reader\AcroRd32.exe (Adobe Systems Incorporated, Adobe Reader )
0x822BAA60 [2904] C:\Documents and Settings\user\Desktop\RKUnhookerLE.EXE (UG North, RKULE, SR2 Overlord)
==============================================
>Drivers
==============================================
0xBF012000 C:\WINDOWS\System32\nv4_disp.dll 4276224 bytes (NVIDIA Corporation, NVIDIA Compatible Windows 2000 Display driver, Version 56.73 )
0x804D7000 C:\WINDOWS\system32\ntoskrnl.exe 2189952 bytes (Microsoft Corporation, NT Kernel & System)
0x804D7000 PnpManager 2189952 bytes
0x804D7000 RAW 2189952 bytes
0x804D7000 WMIxWDM 2189952 bytes
0xF7AB1000 C:\WINDOWS\system32\DRIVERS\nv4_mini.sys 1900544 bytes (NVIDIA Corporation, NVIDIA Compatible Windows 2000 Miniport Driver, Version 56.73 )
0xBF800000 Win32k 1855488 bytes
0xBF800000 C:\WINDOWS\System32\win32k.sys 1855488 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0xF8356000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)
0xF526C000 C:\WINDOWS\system32\NetWare\nwfs.sys 516096 bytes (Novell, Inc., Novell NetWare Redirector)
0xF663B000 C:\WINDOWS\system32\DRIVERS\mrxsmb.sys 458752 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
0xF7952000 C:\WINDOWS\system32\DRIVERS\update.sys 385024 bytes (Microsoft Corporation, Update Driver)
0xF6748000 C:\WINDOWS\system32\DRIVERS\tcpip.sys 364544 bytes (Microsoft Corporation, TCP/IP Protocol Driver)
0xF5057000 C:\WINDOWS\system32\DRIVERS\srv.sys 360448 bytes (Microsoft Corporation, Server driver)
0xBFFA0000 C:\WINDOWS\System32\ATMFD.DLL 286720 bytes (Adobe Systems Incorporated, Windows NT OpenType/Type 1 Font Driver)
0xF7A57000 C:\WINDOWS\system32\drivers\emu10k1m.sys 286720 bytes (Creative Technology Ltd., Creative SB Live! Adapter Driver)
0xF4283000 C:\WINDOWS\System32\Drivers\HTTP.sys 266240 bytes (Microsoft Corporation, HTTP Protocol Stack)
0xF84E7000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)
0xF84A8000 SSIDRV.SYS 188416 bytes (Webroot Software, Inc. (www.webroot.com), Spy Sweeper Interdiction Driver)
0xF5177000 C:\WINDOWS\system32\DRIVERS\mrxdav.sys 184320 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)
0xF847B000 C:\WINDOWS\SYSTEM32\Drivers\NDIS.SYS 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)
0xF66D3000 C:\WINDOWS\system32\DRIVERS\rdbss.sys 176128 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0xF6720000 C:\WINDOWS\system32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)
0xF5402000 C:\WINDOWS\system32\NetWare\srvloc.sys 163840 bytes (Novell, Inc., SLP Driver)
0xF6615000 C:\WINDOWS\system32\DRIVERS\ipnat.sys 155648 bytes (Microsoft Corporation, IP Network Address Translator)
0xF4237000 C:\WINDOWS\System32\Drivers\Fastfat.SYS 147456 bytes (Microsoft Corporation, Fast FAT File System Driver)
0xF7A33000 C:\WINDOWS\system32\drivers\portcls.sys 147456 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0xF79D8000 C:\WINDOWS\system32\DRIVERS\USBPORT.SYS 147456 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0xF7A10000 C:\WINDOWS\system32\drivers\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)
0xF66FE000 C:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0x806EE000 ACPI_HAL 131840 bytes
0x806EE000 C:\WINDOWS\system32\hal.dll 131840 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0xF840C000 fltmgr.sys 131072 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0xF845C000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver)
0xF833C000 Mup.sys 106496 bytes (Microsoft Corporation, Multiple UNC Provider driver)
0xF8444000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)
0xF65B8000 C:\WINDOWS\System32\Drivers\dump_atapi.sys 98304 bytes
0xF842C000 C:\WINDOWS\System32\Drivers\SCSIPORT.SYS 98304 bytes (Microsoft Corporation, SCSI Port Driver)
0xF83E3000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0xF79C1000 C:\WINDOWS\system32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
0xF547A000 C:\WINDOWS\system32\DRIVERS\nwlnkipx.sys 90112 bytes (Microsoft Corporation, NWLINK2 IPX Protocol Driver)
0xF45C2000 C:\WINDOWS\system32\drivers\wdmaud.sys 86016 bytes (Microsoft Corporation, MMSYSTEM Wave/Midi API mapper)
0xF79FC000 C:\WINDOWS\system32\DRIVERS\parport.sys 81920 bytes (Microsoft Corporation, Parallel Port Driver)
0xF7A9D000 C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver)
0xF67A1000 C:\WINDOWS\system32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver)
0xBF000000 C:\WINDOWS\System32\drivers\dxg.sys 73728 bytes (Microsoft Corporation, DirectX Graphics Driver)
0xF83FA000 sr.sys 73728 bytes (Microsoft Corporation, System Restore Filesystem Filter Driver)
0xF84D6000 pci.sys 69632 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
0xF79B0000 C:\WINDOWS\system32\DRIVERS\psched.sys 69632 bytes (Microsoft Corporation, MS QoS Packet Scheduler)
0xF86D6000 C:\WINDOWS\System32\Drivers\Cdfs.SYS 65536 bytes (Microsoft Corporation, CD-ROM File System Driver)
0xF7CF1000 C:\WINDOWS\system32\DRIVERS\cdrom.sys 65536 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
0xF8616000 C:\WINDOWS\system32\DRIVERS\nwlnknb.sys 65536 bytes (Microsoft Corporation, NWLINK2 IPX Netbios Protocol Driver)
0xF7D01000 C:\WINDOWS\system32\DRIVERS\serial.sys 65536 bytes (Microsoft Corporation, Serial Device Driver)
0xF87A6000 C:\WINDOWS\system32\drivers\drmk.sys 61440 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
0xF7CE1000 C:\WINDOWS\system32\DRIVERS\redbook.sys 61440 bytes (Microsoft Corporation, Redbook Audio Filter Driver)
0xF51D4000 C:\WINDOWS\system32\drivers\sysaudio.sys 61440 bytes (Microsoft Corporation, System Audio WDM Filter)
0xF85E6000 C:\WINDOWS\system32\DRIVERS\usbhub.sys 61440 bytes (Microsoft Corporation, Default Hub Driver for USB)
0xF5578000 C:\WINDOWS\system32\DRIVERS\nwlnkspx.sys 57344 bytes (Microsoft Corporation, NWLINK2 SPX Protocol Driver)
0xF30F3000 C:\WINDOWS\System32\Drivers\usbaapl.sys 57344 bytes (Apple, Inc., Apple Mobile Device USB Driver)
0xF8596000 C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS 53248 bytes (Microsoft Corporation, SCSI Class System Dll)
0xF8676000 C:\WINDOWS\system32\DRIVERS\HPZid412.sys 53248 bytes (HP, IEEE-1284.4-1999 Driver (Windows 2000))
0xF7CD1000 C:\WINDOWS\system32\DRIVERS\rasl2tp.sys 53248 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
0xF8576000 VolSnap.sys 53248 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0xF7CB1000 C:\WINDOWS\system32\DRIVERS\raspptp.sys 49152 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
0xF85B6000 agp440.sys 45056 bytes (Microsoft Corporation, 440 NT AGP Filter)
0xF8646000 C:\WINDOWS\System32\Drivers\Fips.SYS 45056 bytes (Microsoft Corporation, FIPS Crypto Driver)
0xF8566000 MountMgr.sys 45056 bytes (Microsoft Corporation, Mount Manager)
0xF7CC1000 C:\WINDOWS\system32\DRIVERS\raspppoe.sys 45056 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
0xF8556000 SSFS0BBC.SYS 45056 bytes (Webroot Software, Inc. (www.webroot.com), Spy Sweeper FileSystem Filter Driver)
0xF8536000 isapnp.sys 40960 bytes (Microsoft Corporation, PNP ISA Bus Driver)
0xF85F6000 C:\WINDOWS\System32\Drivers\NDProxy.SYS 40960 bytes (Microsoft Corporation, NDIS Proxy)
0xF85A6000 nicm.sys 40960 bytes (Novell, Inc., Novell InterService Communication Driver)
0xF6538000 C:\WINDOWS\system32\NetWare\nwsipx32.sys 40960 bytes (Novell, Inc., Novell Client IPX/SPX API)
0xF7C91000 C:\WINDOWS\system32\DRIVERS\termdd.sys 40960 bytes (Microsoft Corporation, Terminal Server Driver)
0xF3133000 C:\WINDOWS\System32\Drivers\BlackBox.SYS 36864 bytes (RKU Driver)
0xF8586000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver)
0xF8666000 C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS 36864 bytes (Microsoft Corporation, Hid Class Library)
0xF7CA1000 C:\WINDOWS\system32\DRIVERS\msgpc.sys 36864 bytes (Microsoft Corporation, MS General Packet Classifier)
0xF8626000 C:\WINDOWS\system32\DRIVERS\netbios.sys 36864 bytes (Microsoft Corporation, NetBIOS interface driver)
0xF8796000 C:\WINDOWS\system32\DRIVERS\processr.sys 36864 bytes (Microsoft Corporation, Processor Device Driver)
0xF7D11000 C:\WINDOWS\system32\drivers\sfmanm.sys 36864 bytes (Creative Technology Ltd., SoundFont® Manager)
0xF8546000 SSHRMD.SYS 36864 bytes (Webroot Software, Inc. (www.webroot.com), Spy Sweeper Mini Driver)
0xF8656000 C:\WINDOWS\system32\DRIVERS\wanarp.sys 36864 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
0xF87CE000 cercsr6.sys 32768 bytes (Adaptec, Inc., DELL CERC SATA1.5/6ch Miniport Driver)
0xF8876000 C:\WINDOWS\system32\DRIVERS\DM9PCI5.SYS 32768 bytes (CNet Technology, Inc. , NDIS 5.0 driver )
0xF88EE000 C:\WINDOWS\System32\Drivers\Npfs.SYS 32768 bytes (Microsoft Corporation, NPFS Driver)
0xF8906000 C:\WINDOWS\system32\DRIVERS\usbccgp.sys 32768 bytes (Microsoft Corporation, USB Common Class Generic Parent Driver)
0xF887E000 C:\WINDOWS\system32\DRIVERS\fdc.sys 28672 bytes (Microsoft Corporation, Floppy Disk Controller Driver)
0xF88D6000 C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS 28672 bytes (Microsoft Corporation, Hid Parsing Library)
0xF87BE000 C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS 28672 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
0xF882E000 C:\WINDOWS\system32\NetWare\resmgr.sys 28672 bytes (Novell, Inc., Novell NetWare Resource Manager)
0xF890E000 C:\WINDOWS\system32\DRIVERS\usbprint.sys 28672 bytes (Microsoft Corporation, USB Printer driver)
0xF891E000 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS 28672 bytes (Microsoft Corporation, USB Mass Storage Class Driver)
0xF8886000 C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys 24576 bytes (GEAR Software Inc., CD DVD Filter)
0xF8916000 C:\WINDOWS\system32\DRIVERS\HPZius12.sys 24576 bytes (HP, 1284.4<->Usb Datalink Driver (Windows 2000))
0xF88A6000 C:\WINDOWS\system32\DRIVERS\kbdclass.sys 24576 bytes (Microsoft Corporation, Keyboard Class Driver)
0xF88AE000 C:\WINDOWS\system32\DRIVERS\mouclass.sys 24576 bytes (Microsoft Corporation, Mouse Class Driver)
0xF8856000 C:\WINDOWS\system32\NetWare\NWSAP.sys 24576 bytes
0xF888E000 C:\WINDOWS\system32\DRIVERS\usbuhci.sys 24576 bytes (Microsoft Corporation, UHCI USB Miniport Driver)
0xF88DE000 C:\WINDOWS\System32\drivers\vga.sys 24576 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
0xF88C6000 C:\WINDOWS\system32\DRIVERS\flpydisk.sys 20480 bytes (Microsoft Corporation, Floppy Driver)
0xF88E6000 C:\WINDOWS\System32\Drivers\Msfs.SYS 20480 bytes (Microsoft Corporation, Mailslot driver)
0xF88CE000 C:\WINDOWS\system32\NetWare\nwdhcp.sys 20480 bytes (Novell, Inc., DHCP Service)
0xF87C6000 PartMgr.sys 20480 bytes (Microsoft Corporation, Partition Manager)
0xF8896000 C:\WINDOWS\system32\DRIVERS\ptilink.sys 20480 bytes (Parallel Technologies, Inc., Parallel Technologies DirectParallel IO Library)
0xF889E000 C:\WINDOWS\system32\DRIVERS\raspti.sys 20480 bytes (Microsoft Corporation, PTI DirectParallel® mini-port/call-manager driver)
0xF87B6000 C:\WINDOWS\SYSTEM32\Drivers\TDI.SYS 20480 bytes (Microsoft Corporation, TDI Wrapper)
0xF893E000 C:\WINDOWS\System32\watchdog.sys 20480 bytes (Microsoft Corporation, Watchdog Driver)
0xF89EE000 C:\WINDOWS\system32\DRIVERS\HPZipr12.sys 16384 bytes (HP, IEEE-1284.4-1999 Print Class Driver)
0xF89DE000 C:\WINDOWS\system32\DRIVERS\kbdhid.sys 16384 bytes (Microsoft Corporation, HID Mouse Filter Driver)
0xF8A06000 C:\WINDOWS\system32\DRIVERS\mssmbios.sys 16384 bytes (Microsoft Corporation, System Management BIOS Driver)
0xF54E0000 C:\WINDOWS\system32\DRIVERS\ndisuio.sys 16384 bytes (Microsoft Corporation, NDIS User mode I/O Driver)
0xF894A000 nwfilter.sys 16384 bytes
0xF89FA000 C:\WINDOWS\system32\DRIVERS\serenum.sys 16384 bytes (Microsoft Corporation, Serial Port Enumerator)
0xF89D2000 C:\WINDOWS\system32\DRIVERS\usbscan.sys 16384 bytes (Microsoft Corporation, USB Scanner Driver)
0xF8946000 C:\WINDOWS\system32\BOOTVID.dll 12288 bytes (Microsoft Corporation, VGA Boot Driver)
0xF8A2E000 C:\WINDOWS\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver)
0xF89F6000 C:\WINDOWS\system32\DRIVERS\gameenum.sys 12288 bytes (Microsoft Corporation, Game Port Enumerator)
0xF89CE000 C:\WINDOWS\system32\DRIVERS\hidusb.sys 12288 bytes (Microsoft Corporation, USB Miniport Driver for Input Devices)
0xF89E2000 C:\WINDOWS\system32\DRIVERS\mouhid.sys 12288 bytes (Microsoft Corporation, HID Mouse Filter Driver)
0xF8A02000 C:\WINDOWS\system32\DRIVERS\ndistapi.sys 12288 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
0xF8307000 C:\WINDOWS\system32\DRIVERS\rasacd.sys 12288 bytes (Microsoft Corporation, RAS Automatic Connection Driver)
0xF8A68000 C:\WINDOWS\System32\Drivers\Beep.SYS 8192 bytes (Microsoft Corporation, BEEP Driver)
0xF8A5C000 C:\WINDOWS\system32\drivers\ctlfacem.sys 8192 bytes (Creative Technology Ltd., Creative SB Live! Interface Driver)
0xF8A82000 C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS 8192 bytes
0xF8A66000 C:\WINDOWS\System32\Drivers\Fs_Rec.SYS 8192 bytes (Microsoft Corporation, File System Recognizer Driver)
0xF8A3A000 intelide.sys 8192 bytes (Microsoft Corporation, Intel PCI IDE Driver)
0xF8A36000 C:\WINDOWS\system32\KDCOM.DLL 8192 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
0xF8A6A000 C:\WINDOWS\System32\Drivers\mnmdd.SYS 8192 bytes (Microsoft Corporation, Frame buffer simulator)
0xF8A80000 C:\WINDOWS\system32\NetWare\NWSNS.sys 8192 bytes (Novell, Inc., Novell Client Simple Naming Services)
0xF8AE8000 C:\WINDOWS\System32\Drivers\ParVdm.SYS 8192 bytes (Microsoft Corporation, VDM Parallel Driver)
0xF8A6C000 C:\WINDOWS\System32\DRIVERS\RDPCDD.sys 8192 bytes (Microsoft Corporation, RDP Miniport)
0xF8A5E000 C:\WINDOWS\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
0xF8A60000 C:\WINDOWS\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
0xF8A38000 C:\WINDOWS\system32\DRIVERS\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
0xF8B18000 C:\WINDOWS\system32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver)
0xF8B17000 C:\WINDOWS\system32\DRIVERS\ctljystk.sys 4096 bytes (Creative Technology Ltd., Creative Joyport Enabler)
0xF8C42000 C:\WINDOWS\System32\drivers\dxgthk.sys 4096 bytes (Microsoft Corporation, DirectX Graphics Driver Thunk)
0xF8C2D000 C:\WINDOWS\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver)
0x8210D290 unknown_irp_handler 3440 bytes
0x82114290 unknown_irp_handler 3440 bytes
0x8211D358 unknown_irp_handler 3240 bytes
0x8211E450 unknown_irp_handler 2992 bytes
0x8219B450 unknown_irp_handler 2992 bytes
0x8211B450 unknown_irp_handler 2992 bytes
0x82119450 unknown_irp_handler 2992 bytes
0x8219F450 unknown_irp_handler 2992 bytes
0x8211C5E8 unknown_irp_handler 2584 bytes
0x821135E8 unknown_irp_handler 2584 bytes
0x8211F6E0 unknown_irp_handler 2336 bytes
0x8210D6E0 unknown_irp_handler 2336 bytes
0x821156E0 unknown_irp_handler 2336 bytes
0x8211D7A8 unknown_irp_handler 2136 bytes
0x8211E8A0 unknown_irp_handler 1888 bytes
0x8211B8A0 unknown_irp_handler 1888 bytes
0x821168A0 unknown_irp_handler 1888 bytes
0x82113A38 unknown_irp_handler 1480 bytes
0x8210CA60 unknown_irp_handler 1440 bytes
0x8219CA60 unknown_irp_handler 1440 bytes
0x8211FB30 unknown_irp_handler 1232 bytes
0x8210DB30 unknown_irp_handler 1232 bytes
0x82115B30 unknown_irp_handler 1232 bytes
0x8211ECF0 unknown_irp_handler 784 bytes
0x8211BCF0 unknown_irp_handler 784 bytes
0x8211FE88 unknown_irp_handler 376 bytes
0x8211CE88 unknown_irp_handler 376 bytes
0x82113E88 unknown_irp_handler 376 bytes
==============================================
>Stealth
==============================================
WARNING: Virus alike driver modification [bthpan.sys]
WARNING: Virus alike driver modification [sffp_mmc.sys]
WARNING: Virus alike driver modification [hsfdpsp2.sys]
WARNING: Virus alike driver modification [atinrvxx.sys]
WARNING: Virus alike driver modification [sffp_sd.sys]
WARNING: Virus alike driver modification [wadv08nt.sys]
WARNING: Virus alike driver modification [ati1mdxx.sys]
WARNING: Virus alike driver modification [acpiec.sys]
WARNING: Virus alike driver modification [cpqdap01.sys]
WARNING: Virus alike driver modification [wadv07nt.sys]
WARNING: Virus alike driver modification [mdmxsdk.sys]
WARNING: Virus alike driver modification [wadv09nt.sys]
WARNING: Virus alike driver modification [sffdisk.sys]
WARNING: Virus alike driver modification [wadv11nt.sys]
WARNING: Virus alike driver modification [pcmcia.sys]
WARNING: Virus alike driver modification [nikedrv.sys]
WARNING: Virus alike driver modification [rio8drv.sys]
WARNING: Virus alike driver modification [riodrv.sys]
WARNING: Virus alike driver modification [ws2ifsl.sys]
WARNING: Virus alike driver modification [tdpipe.sys]
WARNING: Virus alike driver modification [ati1pdxx.sys]
WARNING: Virus alike driver modification [fsvga.sys]
WARNING: Virus alike driver modification [usbvideo.sys]
WARNING: Virus alike driver modification [tunmp.sys]
WARNING: Virus alike driver modification [mtlmnt5.sys]
WARNING: Virus alike driver modification [mutohpen.sys]
WARNING: Virus alike driver modification [usb8023.sys]
WARNING: Virus alike driver modification [usb8023x.sys]
WARNING: Virus alike driver modification [slnt7554.sys]
WARNING: Virus alike driver modification [mtlstrm.sys]
WARNING: Virus alike driver modification [slwdmsup.sys]
WARNING: Virus alike driver modification [recagent.sys]
WARNING: Virus alike driver modification [atinmdxx.sys]
WARNING: Virus alike driver modification [atinttxx.sys]
WARNING: Virus alike driver modification [cbidf2k.sys]
WARNING: Virus alike driver modification [rdpwd.sys]
WARNING: Virus alike driver modification [diskdump.sys]
WARNING: Virus alike driver modification [wacompen.sys]
WARNING: Virus alike driver modification [atinpdxx.sys]
WARNING: Virus alike driver modification [hdaudbus.sys]
WARNING: Virus alike driver modification [smclib.sys]
WARNING: Virus alike driver modification [tape.sys]
WARNING: Virus alike driver modification [usbintel.sys]
WARNING: Virus alike driver modification [s3gnbm.sys]
WARNING: Virus alike driver modification [bthenum.sys]
WARNING: Virus alike driver modification [ntmtlfax.sys]
WARNING: Virus alike driver modification [bthusb.sys]
WARNING: Virus alike driver modification [hidir.sys]
WARNING: Virus alike driver modification [rdpdr.sys]
WARNING: Virus alike driver modification [rmcast.sys]
WARNING: Virus alike driver modification [ati1ttxx.sys]
WARNING: Virus alike driver modification [tsbvcap.sys]
WARNING: Virus alike driver modification [tdtcp.sys]
WARNING: Virus alike driver modification [hsfbs2s2.sys]
WARNING: Virus alike driver modification [watv06nt.sys]
WARNING: Virus alike driver modification [tcpip6.sys]
WARNING: Virus alike driver modification [sonydcam.sys]
WARNING: Virus alike driver modification [watv10nt.sys]
WARNING: Virus alike driver modification [hidbth.sys]
WARNING: Virus alike driver modification [usbcamd.sys]
WARNING: Virus alike driver modification [usbcamd2.sys]
WARNING: Virus alike driver modification [cinemst2.sys]
WARNING: Virus alike driver modification [ati1snxx.sys]
WARNING: Virus alike driver modification [bthport.sys]
WARNING: Virus alike driver modification [atinsnxx.sys]
WARNING: Virus alike driver modification [ati1xbxx.sys]
WARNING: Virus alike driver modification [modem.sys]
WARNING: Virus alike driver modification [usbehci.sys]
WARNING: Virus alike driver modification [rndismp.sys]
WARNING: Virus alike driver modification [rndismpx.sys]
WARNING: Virus alike driver modification [ati1raxx.sys]
WARNING: Virus alike driver modification [atmepvc.sys]
WARNING: Virus alike driver modification [atinxbxx.sys]
WARNING: Virus alike driver modification [ati2mtaa.sys]
WARNING: Virus alike driver modification [rawwan.sys]
WARNING: Virus alike driver modification [ati1xsxx.sys]
WARNING: Virus alike driver modification [atmuni.sys]
WARNING: Virus alike driver modification [intelppm.sys]
WARNING: Virus alike driver modification [ati1tuxx.sys]
WARNING: Virus alike driver modification [bthprint.sys]
WARNING: Virus alike driver modification [crusoe.sys]
WARNING: Virus alike driver modification [amdk6.sys]
WARNING: Virus alike driver modification [amdk7.sys]
WARNING: Virus alike driver modification [bthmodem.sys]
WARNING: Virus alike driver modification [cercsr6.sys]
WARNING: Virus alike driver modification [nmnt.sys]
WARNING: Virus alike driver modification [slntamr.sys]
WARNING: Virus alike driver modification [sisagp.sys]
WARNING: Virus alike driver modification [viaagp.sys]
WARNING: Virus alike driver modification [alim1541.sys]
WARNING: Virus alike driver modification [p3.sys]
WARNING: Virus alike driver modification [amdagp.sys]
WARNING: Virus alike driver modification [uagp35.sys]
WARNING: Virus alike driver modification [agpcpq.sys]
WARNING: Virus alike driver modification [mtxparhm.sys]
WARNING: Virus alike driver modification [gagp30kx.sys]
WARNING: Virus alike driver modification [stream.sys]
WARNING: Virus alike driver modification [tosdvd.sys]
WARNING: Virus alike driver modification [atinraxx.sys]
WARNING: Virus alike driver modification [atmlane.sys]
WARNING: Virus alike driver modification [ati1btxx.sys]
WARNING: Virus alike driver modification [atinbtxx.sys]
WARNING: Virus alike driver modification [vdmindvd.sys]
WARNING: Virus alike driver modification [rootmdm.sys]
WARNING: Virus alike driver modification [smbali.sys]
WARNING: Virus alike driver modification [rfcomm.sys]
WARNING: Virus alike driver modification [arp1394.sys]
WARNING: Virus alike driver modification [nic1394.sys]
WARNING: Virus alike driver modification [atinxsxx.sys]
WARNING: Virus alike driver modification [ati1rvxx.sys]
WARNING: Virus alike driver modification [mf.sys]
WARNING: Virus alike driver modification [udfs.sys]
WARNING: Virus alike driver modification [hsfcxts2.sys]
WARNING: Virus alike driver modification [ati2mtag.sys]
WARNING: Virus alike driver modification [bridge.sys]
WARNING: Virus alike driver modification [atintuxx.sys]
WARNING: Virus alike driver modification [mcd.sys]
WARNING: Virus alike driver modification [sdbus.sys]
WARNING: Virus alike driver modification [slnthal.sys]
==============================================
>Files
==============================================
!-->[Hidden] C:\Documents and Settings\user\Local Settings\Temp\MHS\{DRAFTS}\Draft-000d015c-131754
==============================================
>Hooks
==============================================
ntoskrnl.exe+0x00004AA2, Type: Inline - RelativeJump 0x804DBAA2-->804DBAA9 [ntoskrnl.exe]
ntoskrnl.exe+0x0000B75C, Type: Inline - RelativeJump 0x804E275C-->804E27A1 [ntoskrnl.exe]
ntoskrnl.exe+0x0000BAAC, Type: Inline - RelativeJump 0x804E2AAC-->804E2A8C [ntoskrnl.exe]
ntoskrnl.exe-->FsRtlRegisterUncProvider, Type: EAT modification 0x80683A70-->F894C63E [nwfilter.sys]
tcpip.sys-->ndis.sys-->NdisRegisterProtocol, Type: IAT modification 0xF6787460-->823CD350 [unknown_code_page]
wanarp.sys-->ndis.sys-->NdisDeregisterProtocol, Type: IAT modification 0xF865BB1C-->823CD258 [unknown_code_page]
wanarp.sys-->ndis.sys-->NdisRegisterProtocol, Type: IAT modification 0xF865BB28-->823CD350 [unknown_code_page]
[2172]iexplore.exe-->advapi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77DD1218-->5CB77774 [shimeng.dll]
[2172]iexplore.exe-->advapi32.dll-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x77DD1214-->715B9E59 [aclayers.dll]
[2172]iexplore.exe-->advapi32.dll-->kernel32.dll-->LoadLibraryExW, Type: IAT modification 0x77DD105C-->715BA16B [aclayers.dll]
[2172]iexplore.exe-->advapi32.dll-->kernel32.dll-->LoadLibraryW, Type: IAT modification 0x77DD11E0-->715BA067 [aclayers.dll]
[2172]iexplore.exe-->crypt32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77A81188-->5CB77774 [shimeng.dll]
[2172]iexplore.exe-->crypt32.dll-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x77A81190-->715B9E59 [aclayers.dll]
[2172]iexplore.exe-->crypt32.dll-->kernel32.dll-->LoadLibraryExA, Type: IAT modification 0x77A811F8-->715B9F5D [aclayers.dll]
[2172]iexplore.exe-->crypt32.dll-->kernel32.dll-->LoadLibraryExW, Type: IAT modification 0x77A811FC-->715BA16B [aclayers.dll]
[2172]iexplore.exe-->gdi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77F110B4-->5CB77774 [shimeng.dll]
[2172]iexplore.exe-->gdi32.dll-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x77F11084-->715B9E59 [aclayers.dll]
[2172]iexplore.exe-->gdi32.dll-->kernel32.dll-->LoadLibraryExW, Type: IAT modification 0x77F11078-->715BA16B [aclayers.dll]
[2172]iexplore.exe-->gdi32.dll-->kernel32.dll-->LoadLibraryW, Type: IAT modification 0x77F110B8-->715BA067 [aclayers.dll]
[2172]iexplore.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x0040106C-->5CB77774 [shimeng.dll]
[2172]iexplore.exe-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x00401098-->715B9E59 [aclayers.dll]
[2172]iexplore.exe-->kernel32.dll-->LoadLibraryExW, Type: IAT modification 0x004010E8-->715BA16B [aclayers.dll]
[2172]iexplore.exe-->kernel32.dll-->LoadLibraryW, Type: IAT modification 0x004010C0-->715BA067 [aclayers.dll]
[2172]iexplore.exe-->mswsock.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x71A51178-->5CB77774 [shimeng.dll]
[2172]iexplore.exe-->mswsock.dll-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x71A51184-->715B9E59 [aclayers.dll]
[2172]iexplore.exe-->mswsock.dll-->kernel32.dll-->LoadLibraryW, Type: IAT modification 0x71A511A0-->715BA067 [aclayers.dll]
[2172]iexplore.exe-->shell32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7C9C15A4-->5CB77774 [shimeng.dll]
[2172]iexplore.exe-->shell32.dll-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x7C9C13E8-->715B9E59 [aclayers.dll]
[2172]iexplore.exe-->shell32.dll-->kernel32.dll-->LoadLibraryExA, Type: IAT modification 0x7C9C163C-->715B9F5D [aclayers.dll]
[2172]iexplore.exe-->shell32.dll-->kernel32.dll-->LoadLibraryExW, Type: IAT modification 0x7C9C161C-->715BA16B [aclayers.dll]
[2172]iexplore.exe-->shell32.dll-->kernel32.dll-->LoadLibraryW, Type: IAT modification 0x7C9C15A0-->715BA067 [aclayers.dll]
[2172]iexplore.exe-->user32.dll-->CallNextHookEx, Type: Inline - RelativeJump 0x7E42B3C6-->3E2DD145 [ieframe.dll]
[2172]iexplore.exe-->user32.dll-->CreateWindowExW, Type: Inline - RelativeJump 0x7E42D0A3-->3E2EDB44 [ieframe.dll]
[2172]iexplore.exe-->user32.dll-->DialogBoxIndirectParamA, Type: Inline - RelativeJump 0x7E456D7D-->3E3E5052 [ieframe.dll]
[2172]iexplore.exe-->user32.dll-->DialogBoxIndirectParamW, Type: Inline - RelativeJump 0x7E432072-->3E3E4FEF [ieframe.dll]
[2172]iexplore.exe-->user32.dll-->DialogBoxParamA, Type: Inline - RelativeJump 0x7E43B144-->3E3E4F8C [ieframe.dll]
[2172]iexplore.exe-->user32.dll-->DialogBoxParamW, Type: Inline - RelativeJump 0x7E4247AB-->3E215501 [ieframe.dll]
[2172]iexplore.exe-->user32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7E41133C-->5CB77774 [shimeng.dll]
[2172]iexplore.exe-->user32.dll-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x7E4112F4-->715B9E59 [aclayers.dll]
[2172]iexplore.exe-->user32.dll-->kernel32.dll-->LoadLibraryExW, Type: IAT modification 0x7E411208-->715BA16B [aclayers.dll]
[2172]iexplore.exe-->user32.dll-->kernel32.dll-->LoadLibraryW, Type: IAT modification 0x7E411340-->715BA067 [aclayers.dll]
[2172]iexplore.exe-->user32.dll-->MessageBoxExA, Type: Inline - RelativeJump 0x7E45085C-->3E3E4E54 [ieframe.dll]
[2172]iexplore.exe-->user32.dll-->MessageBoxExW, Type: Inline - RelativeJump 0x7E450838-->3E3E4DF2 [ieframe.dll]
[2172]iexplore.exe-->user32.dll-->MessageBoxIndirectA, Type: Inline - RelativeJump 0x7E43A082-->3E3E4F21 [ieframe.dll]
[2172]iexplore.exe-->user32.dll-->MessageBoxIndirectW, Type: Inline - RelativeJump 0x7E4664D5-->3E3E4EB6 [ieframe.dll]
[2172]iexplore.exe-->user32.dll-->SetWindowsHookExW, Type: Inline - RelativeJump 0x7E42820F-->3E2E9AE9 [ieframe.dll]
[2172]iexplore.exe-->user32.dll-->UnhookWindowsHookEx, Type: Inline - RelativeJump 0x7E42D5F3-->3E254696 [ieframe.dll]
[2172]iexplore.exe-->wininet.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x3D9314B0-->5CB77774 [shimeng.dll]
[2172]iexplore.exe-->wininet.dll-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x3D9314B4-->715B9E59 [aclayers.dll]
[2172]iexplore.exe-->wininet.dll-->kernel32.dll-->LoadLibraryExW, Type: IAT modification 0x3D931450-->715BA16B [aclayers.dll]
[2172]iexplore.exe-->wininet.dll-->kernel32.dll-->LoadLibraryW, Type: IAT modification 0x3D931350-->715BA067 [aclayers.dll]
[2172]iexplore.exe-->ws2_32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x71AB109C-->5CB77774 [shimeng.dll]
[2172]iexplore.exe-->ws2_32.dll-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x71AB10A8-->715B9E59 [aclayers.dll]
[316]explorer.exe-->advapi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77DD1218-->5CB77774 [shimeng.dll]
[316]explorer.exe-->crypt32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77A81188-->5CB77774 [shimeng.dll]
[316]explorer.exe-->gdi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77F110B4-->5CB77774 [shimeng.dll]
[316]explorer.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x01001268-->5CB77774 [shimeng.dll]
[316]explorer.exe-->shell32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7C9C15A4-->5CB77774 [shimeng.dll]
[316]explorer.exe-->user32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7E41133C-->5CB77774 [shimeng.dll]
[316]explorer.exe-->wininet.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x3D9314B0-->5CB77774 [shimeng.dll]
[316]explorer.exe-->ws2_32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x71AB109C-->5CB77774 [shimeng.dll]
[3624]AcroRd32.exe-->advapi32.dll+0x000018E4, Type: Code Mismatch 0x77DD18E4 + 6372 [10 00 60 88 50 00 60 88]
[3624]AcroRd32.exe-->advapi32.dll+0x000018F0, Type: Code Mismatch 0x77DD18F0 + 6384 [D0 02 60 88 50 02 60 88]
[3624]AcroRd32.exe-->advapi32.dll+0x000018FC, Type: Code Mismatch 0x77DD18FC + 6396 [50 03 60 88 10 01 60 88]
[3624]AcroRd32.exe-->advapi32.dll+0x00001928, Type: Code Mismatch 0x77DD1928 + 6440 [D0 01 60 88]
[3624]AcroRd32.exe-->advapi32.dll+0x00001934, Type: Code Mismatch 0x77DD1934 + 6452 [10 04 60 88]
[3624]AcroRd32.exe-->advapi32.dll+0x0000193C, Type: Code Mismatch 0x77DD193C + 6460 [50 01 60 88 10 02 60 88 10 03 60 88]
[3624]AcroRd32.exe-->advapi32.dll+0x0000194C, Type: Code Mismatch 0x77DD194C + 6476 [D0 00 60 88 90 00 60 88]
[3624]AcroRd32.exe-->advapi32.dll+0x00001958, Type: Code Mismatch 0x77DD1958 + 6488 [90 02 60 88 90 01 60 88]
[3624]AcroRd32.exe-->advapi32.dll+0x00001970, Type: Code Mismatch 0x77DD1970 + 6512 [90 03 60 88 D0 03 60 88]
[3624]AcroRd32.exe-->advapi32.dll-->CryptAcquireContextA, Type: IAT modification 0x004CB064-->003D0010 [unknown_code_page]
[3624]AcroRd32.exe-->advapi32.dll-->CryptAcquireContextW, Type: IAT modification 0x004CB068-->003D0050 [unknown_code_page]
[3624]AcroRd32.exe-->advapi32.dll-->CryptCreateHash, Type: IAT modification 0x004CB074-->003D02D0 [unknown_code_page]
[3624]AcroRd32.exe-->advapi32.dll-->CryptDecrypt, Type: IAT modification 0x004CB054-->003D0250 [unknown_code_page]
[3624]AcroRd32.exe-->advapi32.dll-->CryptDestroyHash, Type: IAT modification 0x004CB080-->003D0350 [unknown_code_page]
[3624]AcroRd32.exe-->advapi32.dll-->CryptDestroyKey, Type: IAT modification 0x004CB07C-->003D0110 [unknown_code_page]
[3624]AcroRd32.exe-->advapi32.dll-->CryptGenRandom, Type: IAT modification 0x004CB050-->003D01D0 [unknown_code_page]
[3624]AcroRd32.exe-->advapi32.dll-->CryptGetHashParam, Type: IAT modification 0x004CB060-->003D0410 [unknown_code_page]
[3624]AcroRd32.exe-->advapi32.dll-->CryptGetProvParam, Type: IAT modification 0x004CB048-->003D0150 [unknown_code_page]
[3624]AcroRd32.exe-->advapi32.dll-->CryptGetUserKey, Type: IAT modification 0x004CB070-->003D0210 [unknown_code_page]
[3624]AcroRd32.exe-->advapi32.dll-->CryptHashData, Type: IAT modification 0x004CB084-->003D0310 [unknown_code_page]
[3624]AcroRd32.exe-->advapi32.dll-->CryptImportKey, Type: IAT modification 0x004CB06C-->003D00D0 [unknown_code_page]
[3624]AcroRd32.exe-->advapi32.dll-->CryptReleaseContext, Type: IAT modification 0x004CB078-->003D0090 [unknown_code_page]
[3624]AcroRd32.exe-->advapi32.dll-->CryptSetProvParam, Type: IAT modification 0x004CB04C-->003D0190 [unknown_code_page]
[3624]AcroRd32.exe-->advapi32.dll-->CryptSignHashA, Type: IAT modification 0x004CB058-->003D0390 [unknown_code_page]
[3624]AcroRd32.exe-->advapi32.dll-->CryptSignHashW, Type: IAT modification 0x004CB05C-->003D03D0 [unknown_code_page]
[3624]AcroRd32.exe-->gdi32.dll-->AbortDoc, Type: Inline - RelativeJump 0x77F44CD2-->003C0030 [unknown_code_page]
[3624]AcroRd32.exe-->gdi32.dll-->AddFontResourceW, Type: Inline - RelativeJump 0x77F3FFAB-->003C0B30 [unknown_code_page]
[3624]AcroRd32.exe-->gdi32.dll-->BeginPath, Type: Inline - RelativeJump 0x77F2D4B0-->003C0770 [unknown_code_page]
[3624]AcroRd32.exe-->gdi32.dll-->CloseFigure, Type: Inline - RelativeJump 0x77F2ED1A-->003C0070 [unknown_code_page]
[3624]AcroRd32.exe-->gdi32.dll-->CreateDCA, Type: Inline - RelativeJump 0x77F1B7D2-->003C00B0 [unknown_code_page]
[3624]AcroRd32.exe-->gdi32.dll-->CreateDCW, Type: Inline - RelativeJump 0x77F1BE38-->003C00F0 [unknown_code_page]
[3624]AcroRd32.exe-->gdi32.dll-->CreateICW, Type: Inline - RelativeJump 0x77F2C813-->003C0130 [unknown_code_page]
[3624]AcroRd32.exe-->gdi32.dll-->CreateScalableFontResourceW, Type: Inline - RelativeJump 0x77F40160-->003C0AF0 [unknown_code_page]
[3624]AcroRd32.exe-->gdi32.dll-->DeleteDC, Type: Inline - RelativeJump 0x77F16E5F-->003C0170 [unknown_code_page]
[3624]AcroRd32.exe-->gdi32.dll-->DeleteObject, Type: Inline - RelativeJump 0x77F16BFA-->003C01B0 [unknown_code_page]
[3624]AcroRd32.exe-->gdi32.dll-->EndDoc, Type: Inline - RelativeJump 0x77F2DEF1-->003C01F0 [unknown_code_page]
[3624]AcroRd32.exe-->gdi32.dll-->EndPage, Type: Inline - RelativeJump 0x77F2DC61-->003C0230 [unknown_code_page]
[3624]AcroRd32.exe-->gdi32.dll-->EndPath, Type: Inline - RelativeJump 0x77F2D530-->003C09B0 [unknown_code_page]
[3624]AcroRd32.exe-->gdi32.dll-->Escape, Type: Inline - RelativeJump 0x77F26F5A-->003C0270 [unknown_code_page]
[3624]AcroRd32.exe-->gdi32.dll-->ExtEscape, Type: Inline - RelativeJump 0x77F1C3CC-->003C02B0 [unknown_code_page]
[3624]AcroRd32.exe-->gdi32.dll-->ExtSelectClipRgn, Type: Inline - RelativeJump 0x77F17874-->003C02F0 [unknown_code_page]
[3624]AcroRd32.exe-->gdi32.dll-->ExtTextOutA, Type: Inline - RelativeJump 0x77F1D3FA-->003C0870 [unknown_code_page]
[3624]AcroRd32.exe-->gdi32.dll-->ExtTextOutW, Type: Inline - RelativeJump 0x77F18086-->003C08B0 [unknown_code_page]
[3624]AcroRd32.exe-->gdi32.dll-->FillPath, Type: Inline - RelativeJump 0x77F46144-->003C07B0 [unknown_code_page]
[3624]AcroRd32.exe-->gdi32.dll-->GetClipBox, Type: Inline - RelativeJump 0x77F16AA1-->003C0330 [unknown_code_page]
[3624]AcroRd32.exe-->gdi32.dll-->GetDeviceCaps, Type: Inline - RelativeJump 0x77F15A71-->003C0370 [unknown_code_page]
[3624]AcroRd32.exe-->gdi32.dll-->GetFontData, Type: Inline - RelativeJump 0x77F1F314-->003C0BB0 [unknown_code_page]
[3624]AcroRd32.exe-->gdi32.dll-->GetGlyphOutlineW, Type: Inline - RelativeJump 0x77F3E6D1-->003C0BF0 [unknown_code_page]
[3624]AcroRd32.exe-->gdi32.dll-->GetTextFaceA, Type: Inline - RelativeJump 0x77F1F365-->003C0C30 [unknown_code_page]
[3624]AcroRd32.exe-->gdi32.dll-->GetTextFaceW, Type: Inline - RelativeJump 0x77F1A5CB-->003C0C70 [unknown_code_page]
[3624]AcroRd32.exe-->gdi32.dll-->GetTextMetricsA, Type: Inline - RelativeJump 0x77F1DF45-->003C0CF0 [unknown_code_page]
[3624]AcroRd32.exe-->gdi32.dll-->GetTextMetricsW, Type: Inline - RelativeJump 0x77F17DB9-->003C0D30 [unknown_code_page]
[3624]AcroRd32.exe-->gdi32.dll-->IntersectClipRect, Type: Inline - RelativeJump 0x77F16A56-->003C03B0 [unknown_code_page]
[3624]AcroRd32.exe-->gdi32.dll-->LineTo, Type: Inline - RelativeJump 0x77F1D997-->003C03F0 [unknown_code_page]
[3624]AcroRd32.exe-->gdi32.dll-->MoveToEx, Type: Inline - RelativeJump 0x77F1A21A-->003C0430 [unknown_code_page]
[3624]AcroRd32.exe-->gdi32.dll-->PolyBezierTo, Type: Inline - RelativeJump 0x77F2EBD1-->003C0470 [unknown_code_page]
[3624]AcroRd32.exe-->gdi32.dll-->PolyDraw, Type: Inline - RelativeJump 0x77F4667B-->003C07F0 [unknown_code_page]
[3624]AcroRd32.exe-->gdi32.dll-->PolylineTo, Type: Inline - RelativeJump 0x77F2EC7E-->003C04B0 [unknown_code_page]
[3624]AcroRd32.exe-->gdi32.dll-->Rectangle, Type: Inline - RelativeJump 0x77F1E9BE-->003C08F0 [unknown_code_page]
[3624]AcroRd32.exe-->gdi32.dll-->RemoveFontResourceW, Type: Inline - RelativeJump 0x77F3D07C-->003C0B70 [unknown_code_page]
[3624]AcroRd32.exe-->gdi32.dll-->ResetDCW, Type: Inline - RelativeJump 0x77F2B9AF-->003C09F0 [unknown_code_page]
[3624]AcroRd32.exe-->gdi32.dll-->RestoreDC, Type: Inline - RelativeJump 0x77F18B28-->003C04F0 [unknown_code_page]
[3624]AcroRd32.exe-->gdi32.dll-->SaveDC, Type: Inline - RelativeJump 0x77F18BEE-->003C0530 [unknown_code_page]
[3624]AcroRd32.exe-->gdi32.dll-->SelectClipPath, Type: Inline - RelativeJump 0x77F2D5B7-->003C0A30 [unknown_code_page]
[3624]AcroRd32.exe-->gdi32.dll-->SelectClipRgn, Type: Inline - RelativeJump 0x77F17AA0-->003C0570 [unknown_code_page]
[3624]AcroRd32.exe-->gdi32.dll-->SelectObject, Type: Inline - RelativeJump 0x77F15B70-->003C05B0 [unknown_code_page]
[3624]AcroRd32.exe-->gdi32.dll-->SetBkMode, Type: Inline - RelativeJump 0x77F15EDB-->003C0830 [unknown_code_page]
[3624]AcroRd32.exe-->gdi32.dll-->SetICMMode, Type: Inline - RelativeJump 0x77F1E868-->003C0CB0 [unknown_code_page]
[3624]AcroRd32.exe-->gdi32.dll-->SetMiterLimit, Type: Inline - RelativeJump 0x77F20E8E-->003C0AB0 [unknown_code_page]
[3624]AcroRd32.exe-->gdi32.dll-->SetPolyFillMode, Type: Inline - RelativeJump 0x77F20817-->003C0A70 [unknown_code_page]
[3624]AcroRd32.exe-->gdi32.dll-->SetStretchBltMode, Type: Inline - RelativeJump 0x77F18597-->003C05F0 [unknown_code_page]
[3624]AcroRd32.exe-->gdi32.dll-->SetTextAlign, Type: Inline - RelativeJump 0x77F18C8B-->003C0930 [unknown_code_page]
[3624]AcroRd32.exe-->gdi32.dll-->SetTextColor, Type: Inline - RelativeJump 0x77F15D77-->003C0970 [unknown_code_page]
[3624]AcroRd32.exe-->gdi32.dll-->SetWorldTransform, Type: Inline - RelativeJump 0x77F1B457-->003C0630 [unknown_code_page]
[3624]AcroRd32.exe-->gdi32.dll-->StartDocW, Type: Inline - RelativeJump 0x77F45962-->003C0730 [unknown_code_page]
[3624]AcroRd32.exe-->gdi32.dll-->StartPage, Type: Inline - RelativeJump 0x77F2F49E-->003C0670 [unknown_code_page]
[3624]AcroRd32.exe-->gdi32.dll-->StretchDIBits, Type: Inline - RelativeJump 0x77F1B0AE-->003C06B0 [unknown_code_page]
[3624]AcroRd32.exe-->gdi32.dll-->StrokePath, Type: Inline - RelativeJump 0x77F460B7-->003C06F0 [unknown_code_page]
[3624]AcroRd32.exe-->kernel32.dll+0x00002FDC, Type: Code Mismatch 0x7C802FDC + 12252 [10 01 AC 83]
[3624]AcroRd32.exe-->kernel32.dll-->CreateEventW, Type: Inline - RelativeJump 0x7C80A749-->002C0030 [unknown_code_page]
[3624]AcroRd32.exe-->kernel32.dll-->CreateProcessA, Type: Inline - RelativeJump 0x7C80236B-->002C00F0 [unknown_code_page]
[3624]AcroRd32.exe-->kernel32.dll-->CreateProcessW, Type: Inline - RelativeJump 0x7C802336-->002C00B0 [unknown_code_page]
[3624]AcroRd32.exe-->kernel32.dll-->CreateThread, Type: Inline - RelativeJump 0x7C8106D7-->002C0170 [unknown_code_page]
[3624]AcroRd32.exe-->kernel32.dll-->MoveFileExW, Type: IAT modification 0x004CB474-->002C0110 [unknown_code_page]
[3624]AcroRd32.exe-->kernel32.dll-->OpenEventW, Type: Inline - RelativeJump 0x7C8131E0-->002C0070 [unknown_code_page]
[3624]AcroRd32.exe-->ntdll.dll-->NtCreateFile, Type: Code Mismatch 0x7C90D0AE + 6 [28 00 16 00]
[3624]AcroRd32.exe-->ntdll.dll-->NtCreateFile, Type: Code Mismatch 0x7C90D0AE + 11 [E2]
[3624]AcroRd32.exe-->ntdll.dll-->NtCreateKey, Type: Code Mismatch 0x7C90D0EE + 6 [68 01 16 00]
[3624]AcroRd32.exe-->ntdll.dll-->NtCreateKey, Type: Code Mismatch 0x7C90D0EE + 11 [E2]
[3624]AcroRd32.exe-->ntdll.dll-->NtCreateMutant, Type: Code Mismatch 0x7C90D10E + 6 [28 02 16 00]
[3624]AcroRd32.exe-->ntdll.dll-->NtCreateMutant, Type: Code Mismatch 0x7C90D10E + 11 [E2]
[3624]AcroRd32.exe-->ntdll.dll-->NtCreateSection, Type: Code Mismatch 0x7C90D17E + 6 [68 02 16 00]
[3624]AcroRd32.exe-->ntdll.dll-->NtCreateSection, Type: Code Mismatch 0x7C90D17E + 11 [E2]
[3624]AcroRd32.exe-->ntdll.dll-->NtMapViewOfSection, Type: Code Mismatch 0x7C90D51E + 6 [A8 04 16 00]
[3624]AcroRd32.exe-->ntdll.dll-->NtMapViewOfSection, Type: Code Mismatch 0x7C90D51E + 11 [E2]
[3624]AcroRd32.exe-->ntdll.dll-->NtOpenFile, Type: Code Mismatch 0x7C90D59E + 6 [68 00 16 00]
[3624]AcroRd32.exe-->ntdll.dll-->NtOpenFile, Type: Code Mismatch 0x7C90D59E + 11 [E2]
[3624]AcroRd32.exe-->ntdll.dll-->NtOpenKey, Type: Code Mismatch 0x7C90D5CE + 6 [A8 01 16 00]
[3624]AcroRd32.exe-->ntdll.dll-->NtOpenKey, Type: Code Mismatch 0x7C90D5CE + 11 [E2]
[3624]AcroRd32.exe-->ntdll.dll-->NtOpenMutant, Type: Inline - RelativeCall 0x7C90D5E4-->7B90EBEA [unknown_code_page]
[3624]AcroRd32.exe-->ntdll.dll-->NtOpenMutant, Type: Code Mismatch 0x7C90D5DE + 11 [E2]
[3624]AcroRd32.exe-->ntdll.dll-->NtOpenProcess, Type: Code Mismatch 0x7C90D5FE + 6 [28]
[3624]AcroRd32.exe-->ntdll.dll-->NtOpenProcess, Type: Code Mismatch 0x7C90D5FE + 8 [16 00]
[3624]AcroRd32.exe-->ntdll.dll-->NtOpenProcess, Type: Code Mismatch 0x7C90D5FE + 11 [E2]
[3624]AcroRd32.exe-->ntdll.dll-->NtOpenProcessToken, Type: Code Mismatch 0x7C90D60E + 6 [68]
[3624]AcroRd32.exe-->ntdll.dll-->NtOpenProcessToken, Type: Code Mismatch 0x7C90D60E + 8 [16 00]
[3624]AcroRd32.exe-->ntdll.dll-->NtOpenProcessToken, Type: Code Mismatch 0x7C90D60E + 11 [E2]
[3624]AcroRd32.exe-->ntdll.dll-->NtOpenProcessTokenEx, Type: Code Mismatch 0x7C90D61E + 6 [28 04 16 00]
[3624]AcroRd32.exe-->ntdll.dll-->NtOpenProcessTokenEx, Type: Code Mismatch 0x7C90D61E + 11 [E2]
[3624]AcroRd32.exe-->ntdll.dll-->NtOpenSection, Type: Code Mismatch 0x7C90D62E + 6 [A8 02 16 00]
[3624]AcroRd32.exe-->ntdll.dll-->NtOpenSection, Type: Code Mismatch 0x7C90D62E + 11 [E2]
[3624]AcroRd32.exe-->ntdll.dll-->NtOpenThread, Type: Inline - RelativeCall 0x7C90D664-->7B90EC6B [unknown_code_page]
[3624]AcroRd32.exe-->ntdll.dll-->NtOpenThread, Type: Code Mismatch 0x7C90D65E + 11 [E2]
[3624]AcroRd32.exe-->ntdll.dll-->NtOpenThreadToken, Type: Inline - RelativeCall 0x7C90D674-->7B90EC7C [unknown_code_page]
[3624]AcroRd32.exe-->ntdll.dll-->NtOpenThreadToken, Type: Code Mismatch 0x7C90D66E + 11 [E2]
[3624]AcroRd32.exe-->ntdll.dll-->NtOpenThreadTokenEx, Type: Code Mismatch 0x7C90D67E + 6 [68 04 16 00]
[3624]AcroRd32.exe-->ntdll.dll-->NtOpenThreadTokenEx, Type: Code Mismatch 0x7C90D67E + 11 [E2]
[3624]AcroRd32.exe-->ntdll.dll-->NtQueryAttributesFile, Type: Code Mismatch 0x7C90D70E + 6 [A8 00 16 00]
[3624]AcroRd32.exe-->ntdll.dll-->NtQueryAttributesFile, Type: Code Mismatch 0x7C90D70E + 11 [E2]
[3624]AcroRd32.exe-->ntdll.dll-->NtQueryFullAttributesFile, Type: Inline - RelativeCall 0x7C90D7B4-->7B90EDB9 [unknown_code_page]
[3624]AcroRd32.exe-->ntdll.dll-->NtQueryFullAttributesFile, Type: Code Mismatch 0x7C90D7AE + 11 [E2]
[3624]AcroRd32.exe-->ntdll.dll-->NtSetInformationFile, Type: Code Mismatch 0x7C90DC5E + 6 [28 01 16 00]
[3624]AcroRd32.exe-->ntdll.dll-->NtSetInformationFile, Type: Code Mismatch 0x7C90DC5E + 11 [E2]
[3624]AcroRd32.exe-->ntdll.dll-->NtSetInformationThread, Type: Code Mismatch 0x7C90DCAE + 6 [A8]
[3624]AcroRd32.exe-->ntdll.dll-->NtSetInformationThread, Type: Code Mismatch 0x7C90DCAE + 8 [16 00]
[3624]AcroRd32.exe-->ntdll.dll-->NtSetInformationThread, Type: Code Mismatch 0x7C90DCAE + 11 [E2]
[3624]AcroRd32.exe-->ntdll.dll-->NtUnmapViewOfSection, Type: Inline - RelativeCall 0x7C90DF14-->7B90F51D [unknown_code_page]
[3624]AcroRd32.exe-->ntdll.dll-->NtUnmapViewOfSection, Type: Code Mismatch 0x7C90DF0E + 11 [E2]
[3624]AcroRd32.exe-->shell32.dll-->kernel32.dll-->MoveFileExW, Type: IAT modification 0x7C9C1340-->002C0110 [unknown_code_page]
[3624]AcroRd32.exe-->user32.dll-->ActivateKeyboardLayout, Type: Inline - RelativeJump 0x7E428673-->003B04F0 [unknown_code_page]
[3624]AcroRd32.exe-->user32.dll-->ChangeClipboardChain, Type: Inline - RelativeJump 0x7E430487-->003B0430 [unknown_code_page]
[3624]AcroRd32.exe-->user32.dll-->CloseClipboard, Type: Inline - RelativeJump 0x7E430265-->003B00B0 [unknown_code_page]
[3624]AcroRd32.exe-->user32.dll-->CountClipboardFormats, Type: Inline - RelativeJump 0x7E43167F-->003B01F0 [unknown_code_page]
[3624]AcroRd32.exe-->user32.dll-->EmptyClipboard, Type: Inline - RelativeJump 0x7E430D96-->003B0130 [unknown_code_page]
[3624]AcroRd32.exe-->user32.dll-->EnumClipboardFormats, Type: Inline - RelativeJump 0x7E43E53D-->003B01B0 [unknown_code_page]
[3624]AcroRd32.exe-->user32.dll-->GetClipboardData, Type: Inline - RelativeJump 0x7E430DBA-->003B0030 [unknown_code_page]
[3624]AcroRd32.exe-->user32.dll-->GetClipboardFormatNameA, Type: Inline - RelativeJump 0x7E431290-->003B0270 [unknown_code_page]
[3624]AcroRd32.exe-->user32.dll-->GetClipboardFormatNameW, Type: Inline - RelativeJump 0x7E45957F-->003B0230 [unknown_code_page]
[3624]AcroRd32.exe-->user32.dll-->GetClipboardOwner, Type: Inline - RelativeJump 0x7E430DA8-->003B0370 [unknown_code_page]
[3624]AcroRd32.exe-->user32.dll-->GetClipboardSequenceNumber, Type: Inline - RelativeJump 0x7E42F17A-->003B0330 [unknown_code_page]
[3624]AcroRd32.exe-->user32.dll-->GetClipboardViewer, Type: Inline - RelativeJump 0x7E46CB94-->003B0470 [unknown_code_page]
[3624]AcroRd32.exe-->user32.dll-->GetOpenClipboardWindow, Type: Inline - RelativeJump 0x7E431691-->003B03F0 [unknown_code_page]
[3624]AcroRd32.exe-->user32.dll-->GetPriorityClipboardFormat, Type: Inline - RelativeJump 0x7E46CC96-->003B03B0 [unknown_code_page]
[3624]AcroRd32.exe-->user32.dll-->IsClipboardFormatAvailable, Type: Inline - RelativeJump 0x7E42F166-->003B00F0 [unknown_code_page]
[3624]AcroRd32.exe-->user32.dll-->OpenClipboard, Type: Inline - RelativeJump 0x7E430277-->003B0070 [unknown_code_page]
[3624]AcroRd32.exe-->user32.dll-->RegisterClassExA, Type: Inline - RelativeJump 0x7E427C39-->003B0530 [unknown_code_page]
[3624]AcroRd32.exe-->user32.dll-->RegisterClipboardFormatA, Type: Inline - RelativeJump 0x7E418E28-->003B02F0 [unknown_code_page]
[3624]AcroRd32.exe-->user32.dll-->RegisterClipboardFormatW, Type: Inline - RelativeJump 0x7E41AF34-->003B02B0 [unknown_code_page]
[3624]AcroRd32.exe-->user32.dll-->SetClipboardData, Type: Inline - RelativeJump 0x7E430F9E-->003B0170 [unknown_code_page]
[3624]AcroRd32.exe-->user32.dll-->SetClipboardViewer, Type: Inline - RelativeJump 0x7E430473-->003B04B0 [unknown_code_page]
[3624]AcroRd32.exe-->wininet.dll+0x00001AAC, Type: Code Mismatch 0x3D931AAC + 6828 [50 03 19 C4 90 03 19 C4]
[3624]AcroRd32.exe-->wininet.dll+0x00001AB8, Type: Code Mismatch 0x3D931AB8 + 6840 [D0 05 19 C4 10 06 19 C4 D0 03 19 C4 10 04 19 C4]
[3624]AcroRd32.exe-->wininet.dll+0x00001AC8, Type: Code Mismatch 0x3D931AC8 + 6856 [50 04 19 C4 90 04 19 C4 D0 04 19 C4 50 05 19 C4]
[3624]AcroRd32.exe-->wininet.dll+0x00001AD8, Type: Code Mismatch 0x3D931AD8 + 6872 [90 05 19 C4 10 05 19 C4]
[3624]AcroRd32.exe-->wininet.dll+0x00001B10, Type: Code Mismatch 0x3D931B10 + 6928 [10 00 19 C4]
[3624]AcroRd32.exe-->wininet.dll+0x00001B28, Type: Code Mismatch 0x3D931B28 + 6952 [50 00 19 C4 90 00 19 C4]
[3624]AcroRd32.exe-->wininet.dll+0x00001B54, Type: Code Mismatch 0x3D931B54 + 6996 [10 07 19 C4]
[3624]AcroRd32.exe-->wininet.dll+0x00001B6C, Type: Code Mismatch 0x3D931B6C + 7020 [50 06 19 C4]
[3624]AcroRd32.exe-->wininet.dll+0x00001B7C, Type: Code Mismatch 0x3D931B7C + 7036 [50 07 19 C4]
[3624]AcroRd32.exe-->wininet.dll+0x00001BC0, Type: Code Mismatch 0x3D931BC0 + 7104 [D0 00 19 C4]
[3624]AcroRd32.exe-->wininet.dll+0x00001BCC, Type: Code Mismatch 0x3D931BCC + 7116 [10 01 19 C4 50 01 19 C4]
[3624]AcroRd32.exe-->wininet.dll+0x00001BD8, Type: Code Mismatch 0x3D931BD8 + 7128 [90 06 19 C4 D0 06 19 C4 90 01 19 C4]
[3624]AcroRd32.exe-->wininet.dll+0x00001BF4, Type: Code Mismatch 0x3D931BF4 + 7156 [90 07 19 C4]
[3624]AcroRd32.exe-->wininet.dll+0x00001C14, Type: Code Mismatch 0x3D931C14 + 7188 [10 02 19 C4]
[3624]AcroRd32.exe-->wininet.dll+0x00001C20, Type: Code Mismatch 0x3D931C20 + 7200 [50 02 19 C4]
[3624]AcroRd32.exe-->wininet.dll+0x00001C2C, Type: Code Mismatch 0x3D931C2C + 7212 [90 02 19 C4 D0 02 19 C4 10 03 19 C4]
[3624]AcroRd32.exe-->wininet.dll+0x00001C60, Type: Code Mismatch 0x3D931C60 + 7264 [D0 01 19 C4]
[3624]AcroRd32.exe-->wininet.dll-->advapi32.dll-->CryptAcquireContextA, Type: IAT modification 0x3D9311F0-->003D0010 [unknown_code_page]
[3624]AcroRd32.exe-->wininet.dll-->advapi32.dll-->CryptAcquireContextW, Type: IAT modification 0x3D931264-->003D0050 [unknown_code_page]
[3624]AcroRd32.exe-->wininet.dll-->advapi32.dll-->CryptGenRandom, Type: IAT modification 0x3D9311F4-->003D01D0 [unknown_code_page]
[3624]AcroRd32.exe-->wininet.dll-->advapi32.dll-->CryptGetProvParam, Type: IAT modification 0x3D931268-->003D0150 [unknown_code_page]
[3624]AcroRd32.exe-->wininet.dll-->advapi32.dll-->CryptReleaseContext, Type: IAT modification 0x3D9311F8-->003D0090 [unknown_code_page]
[3624]AcroRd32.exe-->wininet.dll-->kernel32.dll-->MoveFileExW, Type: IAT modification 0x3D931324-->002C0110 [unknown_code_page]
[900]iexplore.exe-->advapi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77DD1218-->5CB77774 [shimeng.dll]
[900]iexplore.exe-->advapi32.dll-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x77DD1214-->715B9E59 [aclayers.dll]
[900]iexplore.exe-->advapi32.dll-->kernel32.dll-->LoadLibraryExW, Type: IAT modification 0x77DD105C-->715BA16B [aclayers.dll]
[900]iexplore.exe-->advapi32.dll-->kernel32.dll-->LoadLibraryW, Type: IAT modification 0x77DD11E0-->715BA067 [aclayers.dll]
[900]iexplore.exe-->crypt32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77A81188-->5CB77774 [shimeng.dll]
[900]iexplore.exe-->crypt32.dll-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x77A81190-->715B9E59 [aclayers.dll]
[900]iexplore.exe-->crypt32.dll-->kernel32.dll-->LoadLibraryExA, Type: IAT modification 0x77A811F8-->715B9F5D [aclayers.dll]
[900]iexplore.exe-->crypt32.dll-->kernel32.dll-->LoadLibraryExW, Type: IAT modification 0x77A811FC-->715BA16B [aclayers.dll]
[900]iexplore.exe-->gdi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77F110B4-->5CB77774 [shimeng.dll]
[900]iexplore.exe-->gdi32.dll-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x77F11084-->715B9E59 [aclayers.dll]
[900]iexplore.exe-->gdi32.dll-->kernel32.dll-->LoadLibraryExW, Type: IAT modification 0x77F11078-->715BA16B [aclayers.dll]
[900]iexplore.exe-->gdi32.dll-->kernel32.dll-->LoadLibraryW, Type: IAT modification 0x77F110B8-->715BA067 [aclayers.dll]
[900]iexplore.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x0040106C-->5CB77774 [shimeng.dll]
[900]iexplore.exe-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x00401098-->715B9E59 [aclayers.dll]
[900]iexplore.exe-->kernel32.dll-->LoadLibraryExW, Type: IAT modification 0x004010E8-->715BA16B [aclayers.dll]
[900]iexplore.exe-->kernel32.dll-->LoadLibraryW, Type: IAT modification 0x004010C0-->715BA067 [aclayers.dll]
[900]iexplore.exe-->mswsock.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x71A51178-->5CB77774 [shimeng.dll]
[900]iexplore.exe-->mswsock.dll-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x71A51184-->715B9E59 [aclayers.dll]
[900]iexplore.exe-->mswsock.dll-->kernel32.dll-->LoadLibraryW, Type: IAT modification 0x71A511A0-->715BA067 [aclayers.dll]
[900]iexplore.exe-->shell32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7C9C15A4-->5CB77774 [shimeng.dll]
[900]iexplore.exe-->shell32.dll-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x7C9C13E8-->715B9E59 [aclayers.dll]
[900]iexplore.exe-->shell32.dll-->kernel32.dll-->LoadLibraryExA, Type: IAT modification 0x7C9C163C-->715B9F5D [aclayers.dll]
[900]iexplore.exe-->shell32.dll-->kernel32.dll-->LoadLibraryExW, Type: IAT modification 0x7C9C161C-->715BA16B [aclayers.dll]
[900]iexplore.exe-->shell32.dll-->kernel32.dll-->LoadLibraryW, Type: IAT modification 0x7C9C15A0-->715BA067 [aclayers.dll]
[900]iexplore.exe-->user32.dll-->CreateWindowExW, Type: Inline - RelativeJump 0x7E42D0A3-->3E2EDB44 [ieframe.dll]
[900]iexplore.exe-->user32.dll-->DialogBoxIndirectParamA, Type: Inline - RelativeJump 0x7E456D7D-->3E3E5052 [ieframe.dll]
[900]iexplore.exe-->user32.dll-->DialogBoxIndirectParamW, Type: Inline - RelativeJump 0x7E432072-->3E3E4FEF [ieframe.dll]
[900]iexplore.exe-->user32.dll-->DialogBoxParamA, Type: Inline - RelativeJump 0x7E43B144-->3E3E4F8C [ieframe.dll]
[900]iexplore.exe-->user32.dll-->DialogBoxParamW, Type: Inline - RelativeJump 0x7E4247AB-->3E215501 [ieframe.dll]
[900]iexplore.exe-->user32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7E41133C-->5CB77774 [shimeng.dll]
[900]iexplore.exe-->user32.dll-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x7E4112F4-->715B9E59 [aclayers.dll]
[900]iexplore.exe-->user32.dll-->kernel32.dll-->LoadLibraryExW, Type: IAT modification 0x7E411208-->715BA16B [aclayers.dll]
[900]iexplore.exe-->user32.dll-->kernel32.dll-->LoadLibraryW, Type: IAT modification 0x7E411340-->715BA067 [aclayers.dll]
[900]iexplore.exe-->user32.dll-->MessageBoxExA, Type: Inline - RelativeJump 0x7E45085C-->3E3E4E54 [ieframe.dll]
[900]iexplore.exe-->user32.dll-->MessageBoxExW, Type: Inline - RelativeJump 0x7E450838-->3E3E4DF2 [ieframe.dll]
[900]iexplore.exe-->user32.dll-->MessageBoxIndirectA, Type: Inline - RelativeJump 0x7E43A082-->3E3E4F21 [ieframe.dll]
[900]iexplore.exe-->user32.dll-->MessageBoxIndirectW, Type: Inline - RelativeJump 0x7E4664D5-->3E3E4EB6 [ieframe.dll]
[900]iexplore.exe-->wininet.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x3D9314B0-->5CB77774 [shimeng.dll]
[900]iexplore.exe-->wininet.dll-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x3D9314B4-->715B9E59 [aclayers.dll]
[900]iexplore.exe-->wininet.dll-->kernel32.dll-->LoadLibraryExW, Type: IAT modification 0x3D931450-->715BA16B [aclayers.dll]
[900]iexplore.exe-->wininet.dll-->kernel32.dll-->LoadLibraryW, Type: IAT modification 0x3D931350-->715BA067 [aclayers.dll]
[900]iexplore.exe-->ws2_32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x71AB109C-->5CB77774 [shimeng.dll]
[900]iexplore.exe-->ws2_32.dll-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x71AB10A8-->715B9E59 [aclayers.dll]


!!POSSIBLE ROOTKIT ACTIVITY DETECTED!! =)
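
Reading a report like the one above by hand is slow, so here is an added Python example (my code, not the scanning tool's and not posted in the thread) that parses the two line shapes the report uses and sorts each hook by where it lands: a hook into a module that normally hooks those APIs is informational, a hook into unknown_code_page (memory not backed by any file on disk) is the lead to follow up, and Code Mismatch lines are recorded as in-memory patches. The allowlist and the severity labels are my assumptions; the sample lines are copied from the report above.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The report uses two line shapes (hook lines and in-memory patch lines):
#   [pid]proc-->mod-->Func, Type: <type> 0xADDR-->TARGET [module]
#   [pid]proc-->mod-->Func, Type: Code Mismatch 0xADDR + OFFSET [bytes]
HOOK_RE = re.compile(
    r"^\[(?P<pid>\d+)\](?P<chain>.+?), Type: (?P<type>.+?) "
    r"0x(?P<addr>[0-9A-Fa-f]+)-->(?P<target>[0-9A-Fa-f]+) \[(?P<module>[^\]]+)\]$"
)
MISMATCH_RE = re.compile(
    r"^\[(?P<pid>\d+)\](?P<chain>.+?), Type: Code Mismatch "
    r"0x(?P<addr>[0-9A-Fa-f]+) \+ (?P<offset>\d+) \[(?P<bytes>[^\]]+)\]$"
)

# Constructed allowlist (an assumption; tune it to the machine): modules that
# routinely hook these APIs. shimeng.dll and aclayers.dll belong to the Windows
# application-compatibility shim engine; ieframe.dll is Internet Explorer's own
# frame and is expected only inside iexplore.exe (value = required process).
KNOWN_HOOKERS = {"shimeng.dll": None, "aclayers.dll": None, "ieframe.dll": "iexplore.exe"}


@dataclass
class Finding:
    pid: int
    process: str
    function: str   # last element of the chain, e.g. "NtUnmapViewOfSection"
    kind: str       # "IAT modification", "Inline - RelativeJump", "Code Mismatch", ...
    module: str     # owner of the hook target, "unknown_code_page", or "-" for patches
    severity: str   # "high" (unbacked target), "review", "info" (known hooker), "patch"


def parse_line(line: str) -> Optional[Finding]:
    """Parse one report line; returns None for lines that are not findings."""
    m = HOOK_RE.match(line)
    if m:
        chain = m.group("chain").split("-->")
        proc, module = chain[0], m.group("module")
        if module == "unknown_code_page":
            sev = "high"    # control transferred into memory not backed by any file on disk
        elif module in KNOWN_HOOKERS and KNOWN_HOOKERS[module] in (None, proc):
            sev = "info"    # the expected hooker for this process
        else:
            sev = "review"  # a named module, but not one expected to hook here
        return Finding(int(m.group("pid")), proc, chain[-1], m.group("type"), module, sev)
    m = MISMATCH_RE.match(line)
    if m:
        chain = m.group("chain").split("-->")
        return Finding(int(m.group("pid")), chain[0], chain[-1], "Code Mismatch", "-", "patch")
    return None


def triage(report: str) -> Tuple[List[Finding], Counter, List[Tuple[int, str]]]:
    """Parse a whole report; return the findings, counts per severity, and the
    (pid, function) pairs redirected into unbacked memory, i.e. the leads to chase."""
    findings = [f for f in (parse_line(ln.strip()) for ln in report.splitlines()) if f]
    counts = Counter(f.severity for f in findings)
    leads = sorted({(f.pid, f.function) for f in findings if f.severity == "high"})
    return findings, counts, leads


# Sample input: six lines copied from the report quoted above plus its verdict line.
SAMPLE = """\
[3624]AcroRd32.exe-->ntdll.dll-->NtUnmapViewOfSection, Type: Inline - RelativeCall 0x7C90DF14-->7B90F51D [unknown_code_page]
[3624]AcroRd32.exe-->ntdll.dll-->NtUnmapViewOfSection, Type: Code Mismatch 0x7C90DF0E + 11 [E2]
[3624]AcroRd32.exe-->wininet.dll-->advapi32.dll-->CryptGenRandom, Type: IAT modification 0x3D9311F4-->003D01D0 [unknown_code_page]
[3624]AcroRd32.exe-->wininet.dll+0x00001AAC, Type: Code Mismatch 0x3D931AAC + 6828 [50 03 19 C4 90 03 19 C4]
[900]iexplore.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x0040106C-->5CB77774 [shimeng.dll]
[900]iexplore.exe-->user32.dll-->CreateWindowExW, Type: Inline - RelativeJump 0x7E42D0A3-->3E2EDB44 [ieframe.dll]
!!POSSIBLE ROOTKIT ACTIVITY DETECTED!! =)
"""

if __name__ == "__main__":
    found, counts, leads = triage(SAMPLE)
    print(dict(counts))  # {'high': 2, 'patch': 2, 'info': 2}
    for pid, func in leads:
        print(f"follow up: pid {pid} {func} redirected into unbacked memory")
```

A "high" finding is a lead, not a verdict: sandboxes and security products also redirect ntdll and wininet entry points into memory they allocate themselves, so the next step is to identify what owns the target address (the module list or a memory map of that process), which this report does not show.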

#9 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,735 posts
  • Gender:Male
  • Location:Daly City, CA
  • Local time:07:14 PM

Posted 11 August 2011 - 05:57 PM

Good :)

Download Temp File Cleaner (TFC)
Double click on TFC.exe to run the program.
Click on Start button to begin cleaning process.
TFC will close all running programs, and it may ask you to restart computer.

=============================================================================

Please run a free online scan with the ESET Online Scanner

  • Disable your antivirus program
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • Accept any security warnings from your browser.
  • Check Scan archives
  • Click Start
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push List of found threats
  • Click on Export to text file , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.

My Website

p4433470.gif

My help doesn't cost a penny, but if you'd like to consider a donation, click p22001735.gif


 


#10 2blori

2blori
  • Topic Starter

  • Members
  • 12 posts
  • Local time:10:14 PM

Posted 12 August 2011 - 11:35 AM

I ran the ESET scan and it said "no threats found"; it didn't give me an option for a report.

#11 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,735 posts
  • Gender:Male
  • Location:Daly City, CA
  • Local time:07:14 PM

Posted 12 August 2011 - 11:52 AM

You can safely uninstall McAfee Security Scan Plus, typical foistware.

Now, you're not running any AV program.
Install one of these:
- Avast! free antivirus: http://www.avast.com/eng/download-avast-home.html
- Avira free antivirus: http://www.free-av.com/en/download/1/avira_antivir_personal__free_antivirus.html
Update, run full scan, report on any findings.

1. Update your Java version here: http://www.java.com/en/download/installed.jsp

Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

Note 2: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

2. Now, we need to remove the old Java version and its remnants...

Download JavaRa to your desktop and unzip it to its own folder
  • Run JavaRa.exe (Vista users! Right click on JavaRa.exe, click Run As Administrator), pick the language of your choice and click Select. Then click Remove Older Versions.
  • Accept any prompts.



#12 2blori

2blori
  • Topic Starter

  • Members
  • 12 posts
  • Local time:10:14 PM

Posted 12 August 2011 - 03:43 PM

Ran the scans - no problems found - updated Java and removed older versions. Everything still seems to be working with no problems. You mentioned there were several items you saw a problem with in an earlier post. Are these the items we just took care of? If yes, thank you!! May I also ask, should I run any of these tests on a routine basis? It seems as though these nasty bugs creep in from anywhere regardless of what type of security you have in place.

#13 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,735 posts
  • Gender:Male
  • Location:Daly City, CA
  • Local time:07:14 PM

Posted 12 August 2011 - 04:18 PM

Good news :)

You should run TFC weekly and MBAM once in a while.

One more thing we have to fix.

Re-run MiniToolbox.

Checkmark the following boxes:
  • Flush DNS
  • Reset IE Proxy Settings
Click Go and post the result.

Restart computer.

Re-run MiniToolbox again.

Checkmark the following boxes:
  • Report IE Proxy Settings
Click Go and post the result.



#14 2blori

2blori
  • Topic Starter

  • Members
  • 12 posts
  • Local time:10:14 PM

Posted 15 August 2011 - 08:29 AM

MiniToolBox by Farbar
Ran by user (administrator) on 15-08-2011 at 08:27:32
Microsoft Windows XP Service Pack 3 (X86)

***************************************************************************

========================= Flush DNS: ===================================

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

"Reset IE Proxy Settings": IE Proxy Settings were reset.

== End of log ==

#15 2blori

2blori
  • Topic Starter

  • Members
  • 12 posts
  • Local time:10:14 PM

Posted 15 August 2011 - 09:36 AM

When I tried to get back on the internet after the last step, I could not. I ran the IE Proxy report and it indicated "no settings"; I could not get on the internet. I system restored back to Friday, after doing the Java update, so I could get back on the internet. Not sure why the reset actually removed all settings????
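
To see what the "Reset IE Proxy Settings" and "Report IE Proxy Settings" steps from the earlier post read and clear, here is an added Python check (my code, not MiniToolBox's and not posted in the thread). It classifies the per-user Internet Explorer proxy values under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings as direct, static proxy or PAC script, and flags the two configurations a home user would not normally have set. The registry path and value names are the standard ones; the sample states are constructed, and reading a "no settings" report as the direct-connection state is my assumption.

```python
from typing import Any, Dict, List, Optional

# Per-user Internet Explorer proxy configuration lives in these values under
# HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings.
INTERNET_SETTINGS = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings"
PROXY_VALUES = ("ProxyEnable", "ProxyServer", "ProxyOverride", "AutoConfigURL")


def effective_proxy(values: Dict[str, Any]) -> Dict[str, Any]:
    """Classify the proxy state described by the four registry values.

    mode: "direct" (no proxy in use; assumed to be what the report above calls
    "no settings"), "static" (ProxyEnable=1 with a ProxyServer) or "pac"
    (an AutoConfigURL script picks the proxy per request).
    review: triage prompts for settings a home user would not normally have."""
    pac = str(values.get("AutoConfigURL") or "")
    enabled = int(values.get("ProxyEnable") or 0) == 1
    server = str(values.get("ProxyServer") or "")
    if pac:
        mode = "pac"
    elif enabled and server:
        mode = "static"
    else:
        mode = "direct"
    review: List[str] = []
    if mode == "static" and any(h in server.lower() for h in ("127.0.0.1", "localhost")):
        # A local filtering program can do this legitimately; unwanted software does too.
        review.append("proxy points at the local machine")
    if mode == "pac" and not pac.lower().startswith(("http://", "https://")):
        # e.g. a file: URL pointing at a script dropped on disk
        review.append("PAC script is not fetched over HTTP(S)")
    return {"mode": mode, "server": server, "pac": pac, "review": review}


def read_from_registry() -> Optional[Dict[str, Any]]:
    """Read the live values on Windows; returns None on other platforms."""
    try:
        import winreg
    except ImportError:
        return None
    out: Dict[str, Any] = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, INTERNET_SETTINGS) as key:
        for name in PROXY_VALUES:
            try:
                out[name], _ = winreg.QueryValueEx(key, name)
            except OSError:
                pass  # value absent: the normal state for a direct connection
    return out


# Constructed sample states (not from the thread).
AFTER_RESET: Dict[str, Any] = {}  # nothing set
CORPORATE = {"ProxyEnable": 1, "ProxyServer": "proxy.corp.example:8080", "ProxyOverride": "<local>"}
LOOPBACK = {"ProxyEnable": 1, "ProxyServer": "http=127.0.0.1:8118"}
LOCAL_PAC = {"AutoConfigURL": "file://C:/Windows/Temp/wpad.dat"}

if __name__ == "__main__":
    live = read_from_registry()
    for label, state in (("after reset", AFTER_RESET), ("corporate", CORPORATE),
                         ("loopback", LOOPBACK), ("local pac", LOCAL_PAC),
                         ("this machine", live)):
        if state is not None:
            print(label, effective_proxy(state))
```

Run on the affected machine it shows the same values the MiniToolBox report summarises; a "direct" result with no review items is the expected state after the reset, and anything in review is worth explaining before the settings are restored.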



