
Infected with some virus(es)


  • This topic is locked
20 replies to this topic

#1 ferdole

ferdole

  • Members
  • 30 posts
  • OFFLINE
  • Local time:12:19 AM

Posted 29 September 2013 - 06:53 AM

Hello,

Yesterday I installed a program belonging to Mentor Graphics SDD and now I am encountering some errors, such as an NSIS Error when I try to uninstall Revo Uninstaller; I get a runtime error, "R6002 - floating point support not loaded", when I try to open Revo Uninstaller; and a few unexpected processes open when I start Windows, such as 2x IEXPLORE.EXE.

I even encountered 2 errors while I was running the dds program (didn't note them down though). I would kindly appreciate any help you could provide... One more thing: I will be able to answer and presumably reply only at weekends. Thank you for understanding.

 

DDS Log:

DDS (Ver_2012-11-20.01) - NTFS_x86 
Internet Explorer: 6.0.2900.2180
Run by Ferdole at 14:40:31 on 2013-09-29
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.2046.1270 [GMT 3:00]
.
.
============== Running Processes ================
.
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\Update\1.3.21.153\GoogleCrashHandler.exe
C:\WINDOWS\ATKKBService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
C:\DOCUME~1\Ferdole\LOCALS~1\Temp\wlpbnj.exe
C:\DOCUME~1\Ferdole\LOCALS~1\Temp\winymxa.exe
C:\DOCUME~1\Ferdole\LOCALS~1\Temp\winclad.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
.
============== Pseudo HJT Report ===============
.
BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: BHOImpl Class: {E1499FE7-129D-4B6E-B681-DDF21E14172C} - c:\documents and settings\ferdole\my documents\itools\plugin\iToolsBHO.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSCONFIG.EXE /auto
uPolicies-Explorer: NoDriveTypeAutoRun = dword:36
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
mPolicies-Explorer: NoDrives = dword:0
mPolicies-System: EnableLUA = dword:0
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
TCP: NameServer = 192.168.1.1 192.168.1.1
TCP: Interfaces\{EA893AE2-B047-4513-876B-1E5C214FEB09} : DHCPNameServer = 192.168.1.1 192.168.1.1
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "c:\program files\google\chrome\application\29.0.1547.76\installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\ferdole\application data\mozilla\firefox\profiles\1mky6ufy.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - plugin: c:\documents and settings\ferdole\my documents\itools\plugin\npiTools.dll
FF - plugin: c:\program files\adobe\reader 11.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.3.21.153\npGoogleUpdate3.dll
FF - plugin: c:\program files\pando networks\media booster\npPandoWebPlugin.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_8_800_168.dll
FF - plugin: c:\windows\system32\npDeployJava1.dll
FF - plugin: c:\windows\system32\npptools.dll
FF - plugin: d:\itunes\mozilla plugins\npitunes.dll
.
============= SERVICES / DRIVERS ===============
.
R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\drivers\dtsoftbus01.sys [2011-11-4 232512]
R2 cpuz135;cpuz135;c:\windows\system32\drivers\cpuz135_x32.sys [2011-10-8 21992]
R2 SSIPDDP;SSIPDDP;c:\windows\system32\drivers\SSIPDDP.SYS [2013-9-28 54272]
R3 amsint32;amsint32;\??\c:\windows\system32\drivers\jhhhmd.sys --> c:\windows\system32\drivers\jhhhmd.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 esgiguard;esgiguard;\??\c:\program files\enigma software group\spyhunter\esgiguard.sys --> c:\program files\enigma software group\spyhunter\esgiguard.sys [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2013-4-19 161384]
.
=============== File Associations ===============
.
ShellExec: psched.exe: open="d:\pspice\pspice\psched.exe"
.
=============== Created Last 30 ================
.
2013-09-28 12:22:29 -------- d-----w- C:\PADS Projects
2013-09-28 12:14:02 -------- d-----w- c:\windows\Downloaded Installations
2013-09-28 12:01:01 -------- d-----w- c:\documents and settings\all users\application data\pads
2013-09-28 09:15:50 323955 ----a-w- c:\program files\common files\installshield\engine\6\intel 32\ILog.dll
2013-09-28 08:11:13 -------- d-----w- c:\program files\Microsoft Visual Studio 8
2013-09-27 21:26:56 771581 -c--a-w- c:\windows\system32\dllcache\winacisa.sys
2013-09-27 21:25:59 11325 -c--a-w- c:\windows\system32\dllcache\vchnt5.dll
2013-09-27 21:24:57 36736 -c--a-w- c:\windows\system32\dllcache\ultra.sys
2013-09-27 21:23:59 81408 -c--a-w- c:\windows\system32\dllcache\tgiul50.dll
2013-09-27 21:22:58 285760 -c--a-w- c:\windows\system32\dllcache\stlnata.sys
2013-09-27 21:21:59 24576 -c--a-w- c:\windows\system32\dllcache\smc8000n.sys
2013-09-27 21:20:59 98080 -c--a-w- c:\windows\system32\dllcache\sgiulnt5.sys
2013-09-27 21:19:59 41216 -c--a-w- c:\windows\system32\dllcache\s3mt3d.sys
2013-09-27 21:18:58 49024 -c--a-w- c:\windows\system32\dllcache\ql1280.sys
2013-09-27 21:17:59 28032 -c--a-w- c:\windows\system32\dllcache\perm3.sys
2013-09-27 21:16:57 54528 -c--a-w- c:\windows\system32\dllcache\opl3sax.sys
2013-09-27 21:15:58 35392 -c--a-w- c:\windows\system32\dllcache\n9i128.dll
2013-09-27 21:14:59 6528 -c--a-w- c:\windows\system32\dllcache\miniqic.sys
2013-09-27 21:13:58 45568 -c--a-w- c:\windows\system32\dllcache\kdsui.dll
2013-09-27 21:12:59 372824 -c--a-w- c:\windows\system32\dllcache\iconf32.dll
2013-09-27 21:11:59 542879 -c--a-w- c:\windows\system32\dllcache\hsf_msft.sys
2013-09-27 21:10:59 59136 -c--a-w- c:\windows\system32\dllcache\gckernel.sys
2013-09-27 21:09:58 595647 -c--a-w- c:\windows\system32\dllcache\es56cvmp.sys
2013-09-27 21:08:59 6216 -c--a-w- c:\windows\system32\dllcache\divaci.dll
2013-09-27 21:07:59 6656 -c--a-w- c:\windows\system32\dllcache\cmdide.sys
2013-09-27 21:06:59 516768 -c--a-w- c:\windows\system32\dllcache\ativvaxx.dll
2013-09-27 21:05:52 66048 -c--a-w- c:\windows\system32\dllcache\s3legacy.dll
2013-09-17 17:35:03 -------- d-----r- c:\program files\Skype
2013-09-14 08:01:04 237776 ----a-w- c:\windows\system32\tpuninst.exe
2013-09-12 19:04:15 -------- d-s---w- c:\documents and settings\ferdole\UserData
2013-09-11 20:19:12 -------- d-----w- c:\documents and settings\all users\application data\NVIDIA Corporation
2013-09-11 20:19:08 164200 ----a-w- c:\windows\system32\nvsvc32.exe
2013-09-11 20:19:08 143720 ----a-w- c:\windows\system32\nvcolor.exe
2013-09-11 20:19:07 54272 ----a-w- c:\windows\system32\nvwddi.dll
2013-09-11 20:19:07 15512424 ----a-w- c:\windows\system32\nvcpl.dll
2013-09-11 20:19:07 108392 ----a-w- c:\windows\system32\nvmctray.dll
2013-09-05 14:04:02 209272 ----a-w- c:\program files\internet explorer\plugins\nppdf32.dll
2013-08-30 17:24:31 -------- d-----w- c:\windows\ERUNT
2013-08-30 17:17:52 -------- d-----w- C:\AdwCleaner
.
==================== Find3M  ====================
.
2013-09-19 17:02:38 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-09-19 17:02:38 692616 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-09-11 20:18:55 1101436 ----a-w- c:\windows\system32\nvdrsdb0.bin
2013-09-11 20:18:55 1 ----a-w- c:\windows\system32\nvdrssel.bin
2013-09-11 20:18:51 1101436 ----a-w- c:\windows\system32\nvdrsdb1.bin
2013-08-21 21:24:18 196608 ----a-w- c:\windows\system32\drivers\nStandard.bin
2013-07-27 17:12:13 867240 ----a-w- c:\windows\system32\npDeployJava1.dll
2013-07-27 17:12:12 789416 ----a-w- c:\windows\system32\deployJava1.dll
.
============= FINISH: 14:41:25.98 ===============
 
 
Attach.txt:
 
.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-11-20.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 26/09/2011 20:31:42
System Uptime: 29/09/2013 10:36:05 (4 hours ago)
.
Motherboard: ASUSTeK Computer INC. |  | M2N4-SLI
Processor: AMD Athlon™ 64 X2 Dual Core Processor 4200+ | Socket AM2  | 2420/220mhz
Processor: AMD Athlon™ 64 X2 Dual Core Processor 4200+ | Socket AM2  | 2420/220mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 20 GiB total, 2.413 GiB free.
D: is FIXED (NTFS) - 130 GiB total, 5.226 GiB free.
F: is CDROM ()
.
==== Disabled Device Manager Items =============
.
Class GUID: 
Description: PCI Memory Controller
Device ID: PCI\VEN_10DE&DEV_005E&SUBSYS_815A1043&REV_A3\3&2411E6FE&0&00
Manufacturer: 
Name: PCI Memory Controller
PNP Device ID: PCI\VEN_10DE&DEV_005E&SUBSYS_815A1043&REV_A3\3&2411E6FE&0&00
Service: 
.
Class GUID: 
Description: SM Bus Controller
Device ID: PCI\VEN_10DE&DEV_0052&SUBSYS_815A1043&REV_A2\3&2411E6FE&0&09
Manufacturer: 
Name: SM Bus Controller
PNP Device ID: PCI\VEN_10DE&DEV_0052&SUBSYS_815A1043&REV_A2\3&2411E6FE&0&09
Service: 
.
Class GUID: {4D36E980-E325-11CE-BFC1-08002BE10318}
Description: Floppy disk drive
Device ID: FDC\GENERIC_FLOPPY_DRIVE\4&15E2DB85&0&0
Manufacturer: (Standard floppy disk drives)
Name: Floppy disk drive
PNP Device ID: FDC\GENERIC_FLOPPY_DRIVE\4&15E2DB85&0&0
Service: flpydisk
.
==== System Restore Points ===================
.
RP39: 28/09/2013 23:43:36 - System Checkpoint
.
==== Installed Programs ======================
.
µTorrent
2007 Microsoft Office Suite Service Pack 2 (SP2)
Adobe AIR
Adobe Flash Player 11 ActiveX
Adobe Flash Player 11 Plugin
Adobe Reader XI (11.0.04)
Apple Application Support
Apple Mobile Device Support
Apple Software Update
ASUS Gamer OSD
ASUS nVidia Driver
Bonjour
BS.Player FREE
Caesar 3
Canon MP150
CCleaner
CircuitMaker 2000 Trial Version
Counter-Strike
CPUID CPU-Z 1.66.1
CPUID HWMonitor 1.18
DAEMON Tools Lite
Dota 2
DR vs AK
ffdshow [rev 1324] [2007-07-01]
FLEXid8 Driver
Fraps
Geeks3D.com FurMark 1.9.2
Google Chrome
Google Earth
Google Update Helper
Gothic
Gothic 2 Gold
Gothic II
Gothic II - Die Nacht des Raben
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB942288-v3)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB976002-v5)
Hotfix for Windows XP (KB981793)
iTunes
League of Legends
Liss
Macrovision FLEXid Drivers
Mentor Graphics Products
MGC Visual Studio 7 Runtime
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft .NET Framework 4 Extended
Microsoft Kernel-Mode Driver Framework Feature Pack 1.9
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Software Update for Web Folders  (English) 12
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219
Mozilla Firefox 23.0.1 (x86 en-US)
MSVC90_x86
MSXML 6.0 Parser (KB933579)
Nokia Connectivity Cable Driver
NVIDIA Control Panel 306.81
NVIDIA Drivers
NVIDIA Graphics Driver 306.81
NVIDIA Install Application
NVIDIA nView 136.28
NVIDIA Update 1.10.8
NVIDIA Update Components
Pando Media Booster
PSpice Student 9.1
Realtek AC'97 Audio
Realtek High Definition Audio Driver
Revo Uninstaller 1.94
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player (KB979402)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB944338-v2)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB958470)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971032)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB981350)
Security Update for Windows XP (KB982381)
Sentinel System Driver
Sierra Utilities
Skype™ 6.3
SpeedFan (remove only)
Steam
System Requirements Lab CYRI
Unlocker 1.9.2
Update for Windows XP (KB898461)
Update for Windows XP (KB955759)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
WebFldrs XP
Windows Imaging Component
Windows Update Remover
WinRAR archiver
Yahoo! Messenger
.
==== Event Viewer Messages From Past Week ========
.
29/09/2013 10:36:20, error: Dhcp [1002]  - The IP address lease 192.168.1.4 for the Network Card with network address 0018F37E2F24 has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
28/09/2013 15:25:50, error: Service Control Manager [7023]  - The Computer Browser service terminated with the following error:  This operation returned because the timeout period expired.
28/09/2013 15:00:10, error: Service Control Manager [7000]  - The hardlock service failed to start due to the following error:  The request could not be performed because of an I/O device error.
28/09/2013 10:50:02, error: Service Control Manager [7034]  - The NVIDIA Update Service Daemon service terminated unexpectedly.  It has done this 1 time(s).
27/09/2013 22:07:00, error: DCOM [10005]  - DCOM got error "%1058" attempting to start the service gupdate with arguments "/comsvc" in order to run the server: {4EB61BAC-A3B6-4760-9581-655041EF4D69}
27/09/2013 15:44:31, error: Dhcp [1002]  - The IP address lease 192.168.1.3 for the Network Card with network address 0018F37E2F24 has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
23/09/2013 23:21:40, error: W32Time [17]  - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
22/09/2013 10:28:34, error: Dhcp [1002]  - The IP address lease 192.168.1.2 for the Network Card with network address 0018F37E2F24 has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
.
==== End Of File ===========================
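For anyone triaging a DDS log like the one above, the following Python script is an added example; it is not part of this thread and not a DDS or BleepingComputer tool. It splits a DDS-style log into its "=== Name ===" sections and flags the three indicators that stand out in this post: an executable running from a user Temp directory, the "EnableLUA = dword:0" policy line, and a service entry whose driver file DDS could not locate (the "--> ... [?]" form). The excerpt it runs on is constructed to mirror the log's format; the Temp executable name in it is invented.

```python
import re

# Constructed DDS-style excerpt (format modeled on the log above; the Temp
# executable name is made up, the other lines follow the page's log).
SAMPLE_DDS = """\
============== Running Processes ================
.
C:\\WINDOWS\\system32\\spoolsv.exe
C:\\DOCUME~1\\User\\LOCALS~1\\Temp\\qwertyu.exe
C:\\Program Files\\Skype\\Phone\\Skype.exe
.
============== Pseudo HJT Report ===============
.
mRun: [NvCplDaemon] RUNDLL32.EXE c:\\windows\\system32\\NvCpl.dll,NvStartup
mPolicies-System: EnableLUA = dword:0
uPolicies-Explorer: NoDriveTypeAutoRun = dword:36
.
============= SERVICES / DRIVERS ===============
.
R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\\windows\\system32\\drivers\\dtsoftbus01.sys [2011-11-4 232512]
R3 amsint32;amsint32;\\??\\c:\\windows\\system32\\drivers\\jhhhmd.sys --> c:\\windows\\system32\\drivers\\jhhhmd.sys [?]
"""

# "=== Section Name ===" header lines used by DDS.
SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
# A path component named Temp or Tmp anywhere in the image path.
TEMP_RE = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)
# User or machine policy line that sets EnableLUA to 0.
UAC_OFF_RE = re.compile(r"^[um]Policies-System:\s*EnableLUA\s*=\s*dword:0\s*$", re.IGNORECASE)
# Service/driver line whose file DDS could not find: "--> path [?]".
MISSING_DRIVER_RE = re.compile(r"^[RS]\d\s+[^;]+;[^;]*;.*-->.*\[\?\]\s*$")


def split_sections(text):
    """Group DDS lines under their section headers; '.' spacer lines are dropped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        m = SECTION_RE.match(line)
        if m and m.group(1).strip("= "):
            current = m.group(1).strip()
            sections.setdefault(current, [])
            continue
        if current is not None:
            sections[current].append(line)
    return sections


def triage(text):
    """Return (tag, line) findings for the three indicators seen in the log."""
    sections = split_sections(text)
    findings = []
    for line in sections.get("Running Processes", []):
        if TEMP_RE.search(line):
            findings.append(("process-from-temp", line))
    for line in sections.get("Pseudo HJT Report", []):
        if UAC_OFF_RE.match(line):
            findings.append(("uac-disabled", line))
    for line in sections.get("SERVICES / DRIVERS", []):
        if MISSING_DRIVER_RE.match(line):
            findings.append(("driver-file-missing", line))
    return findings


if __name__ == "__main__":
    for tag, line in triage(SAMPLE_DDS):
        print(f"{tag:20} {line}")
```

The script only surfaces lines for a human to look at; none of the three heuristics is proof of infection on its own (installers legitimately run from Temp, and EnableLUA has no effect on Windows XP), but each of them matches something RogueKiller or ComboFix later acted on in this thread.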
 

 





#2 nasdaq

nasdaq

  • Malware Response Team
  • 38,756 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:06:19 PM

Posted 01 October 2013 - 08:35 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

--RogueKiller--
  • Download & SAVE to your Desktop RogueKiller for 32bit or RogueKiller for 64bit
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select "Run as Administrator" to start
  • For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • Then Click on "Scan" button
  • Wait until the Status box shows "Scan Finished"
  • Click on "Delete"
  • Wait until the Status box shows "Deleting Finished"
  • Click on "Report" and copy/paste the content of the Notepad into your next reply.
  • The log should be found in RKreport[1].txt on your Desktop
  • Exit/Close RogueKiller
===

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the Report button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, Close the AdwCleaner windows.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button and follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Sn].txt (n is a number).
===

Please download Junkware Removal Tool to your Desktop.
  • Please close your security software to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista or 7, right-mouse click it and select Run as administrator.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete, depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your Desktop and will automatically open.
  • Please post the contents of JRT.txt into your reply.
===

Please download ComboFix from one of these locations:
Link 1
Link 2
IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your Anti-Virus and Anti-Spyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Some rootkit infections may damage your boot sector. The Windows Recovery Console may be needed to restore it. Do not bypass this installation. You may regret it.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Note: If you have difficulty properly disabling your protection programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html

Do not mouse click ComboFix's window while it's running. That may cause it to stall.

Note: If after running ComboFix you get this error message "Illegal operation attempted on a registry key that has been marked for deletion." when attempting to run a program all you need to do is restart the computer to reset the registry.
===

Please paste the logs in your next reply; DO NOT ATTACH THEM.
Let me know what problem persists.

#3 ferdole

ferdole
  • Topic Starter

  • Members
  • 30 posts
  • OFFLINE
  • Local time:12:19 AM

Posted 04 October 2013 - 03:34 PM

Unfortunately the Junkware Removal Tool didn't work... it didn't get past "checking system startup", though I had left it there for over 25 mins. The other programs worked fine.

 

Rogue Killer report: 

 

RogueKiller V8.7.1 [Oct  3 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
 
Operating System : Windows XP (5.1.2600 Service Pack 2) 32 bits version
Started in : Normal mode
User : Ferdole [Admin rights]
Mode : Remove -- Date : 10/04/2013 21:26:41
| ARK || FAK || MBR |
 
¤¤¤ Bad processes : 0 ¤¤¤
 
¤¤¤ Registry Entries : 4 ¤¤¤
[HJ POL][PUM] HKLM\[...]\System : EnableLUA (0) -> REPLACED (1)
[HJ SECU][PUM] HKLM\[...]\Security Center : AntiVirusDisableNotify (1) -> REPLACED (0)
[HJ SECU][PUM] HKLM\[...]\Security Center : FirewallDisableNotify (1) -> REPLACED (0)
[HJ SECU][PUM] HKLM\[...]\Security Center : UpdatesDisableNotify (1) -> REPLACED (0)
 
¤¤¤ Scheduled tasks : 0 ¤¤¤
 
¤¤¤ Startup Entries : 0 ¤¤¤
 
¤¤¤ Web browsers : 0 ¤¤¤
 
¤¤¤ Particular Files / Folders: ¤¤¤
 
¤¤¤ Driver : [LOADED] ¤¤¤
[Inline] EAT @explorer.exe (LdrLoadDll) : ntdll.dll -> HOOKED (Unknown @ 0x200373C6)
[Inline] EAT @explorer.exe (NtQueryDirectoryFile) : ntdll.dll -> HOOKED (Unknown @ 0x2003795E)
[Inline] EAT @explorer.exe (NtResumeThread) : ntdll.dll -> HOOKED (Unknown @ 0x20035BDA)
[Inline] EAT @explorer.exe (ZwQueryDirectoryFile) : ntdll.dll -> HOOKED (Unknown @ 0x2003795E)
[Inline] EAT @explorer.exe (ZwResumeThread) : ntdll.dll -> HOOKED (Unknown @ 0x20035BDA)
[Inline] EAT @explorer.exe (?MILLIS_PER_SECOND@GCDate@@2JB) : GrooveUtil.DLL -> HOOKED (Unknown @ 0xC8F71CF4)
 
¤¤¤ External Hives: ¤¤¤
 
¤¤¤ Infection :  ¤¤¤
 
¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts
 
 
127.0.0.1       localhost
 
 
¤¤¤ MBR Check: ¤¤¤
 
+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) (Standard disk drives) - WDC WD1600AAJS-22PSA0 +++++
--- User ---
[MBR] 3a614b10ca45df27962b44d37c3be535
[BSP] cf0f6b0f83eb86721c85956fbe8673bb : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 20002 Mo
1 - [XXXXXX] EXTEN-LBA (0x0f) [VISIBLE] Offset (sectors): 40965750 | Size: 132614 Mo
User = LL1 ... OK!
User = LL2 ... OK!
 
Finished : << RKreport[0]_D_10042013_212641.txt >>
RKreport[0]_D_08302013_201623.txt;RKreport[0]_S_10042013_212532.txt
 
 
Adw Cleaner report: 
 
# AdwCleaner v3.001 - Report created 30/08/2013 at 20:19:54
# Updated 24/08/2013 by Xplode
# Operating System : Microsoft Windows XP Service Pack 2 (32 bits)
# Username : Ferdole - FERDOLE-9A672AF
# Running from : C:\Documents and Settings\Ferdole\My Documents\Downloads\adwcleaner.exe
# Option : Clean
 
***** [ Services ] *****
 
 
***** [ Files / Folders ] *****
 
Folder Deleted : C:\Documents and Settings\All Users\Application Data\Babylon
Folder Deleted : C:\Documents and Settings\All Users\Application Data\Browse2Save
Folder Deleted : C:\Documents and Settings\All Users\Application Data\InstallMate
Folder Deleted : C:\Documents and Settings\All Users\Application Data\Premium
Folder Deleted : C:\Documents and Settings\All Users\Application Data\RightClick
Folder Deleted : C:\Documents and Settings\All Users\Application Data\Search-NewTab
Folder Deleted : C:\Documents and Settings\All Users\Application Data\WxDFastUpdater
Folder Deleted : C:\Documents and Settings\Ferdole\Local Settings\Application Data\visi_coupon
Folder Deleted : C:\Documents and Settings\Ferdole\Application Data\Babylon
Folder Deleted : C:\Documents and Settings\Ferdole\Application Data\DriverCure
[!] Folder Deleted : C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pfmopbbadnfoelckkcmjjeaaegjpjjbk
 
***** [ Shortcuts ] *****
 
 
***** [ Registry ] *****
 
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\pfmopbbadnfoelckkcmjjeaaegjpjjbk
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{C26644C4-2A12-4CA6-8F2E-0EDE6CF018F3}
Key Deleted : HKLM\SOFTWARE\Classes\bbylntlbr.bbylntlbrHlpr
Key Deleted : HKLM\SOFTWARE\Classes\bbylntlbr.bbylntlbrHlpr.1
Key Deleted : HKLM\SOFTWARE\Classes\Prod.cap
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SP_48c708f2
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{608D3067-77E8-463D-9084-908966806826}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{BDB69379-802F-4EAF-B541-F8DE92DD98DB}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{14F35FFC-522A-4DD1-A07E-6B8B65C6891E}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{2EECD738-5844-4A99-B4B6-146BF802613B}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{E46C8196-B634-44A1-AF6E-957C64278AB1}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{AC329328-7EC4-4C34-B672-0A2B90CB9B00}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{855E2E7F-A93A-48F1-0938-3E43090D07D0}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{BB74DE59-BC4C-4172-9AC4-73315F71CFFE}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{BB74DE59-BC4C-4172-9AC4-73315F71CFFE}
Key Deleted : HKCU\Software\1ClickDownload
Key Deleted : HKCU\Software\BabylonToolbar
Key Deleted : HKCU\Software\Conduit
Key Deleted : HKCU\Software\Softonic
Key Deleted : HKCU\Software\AppDataLow\SProtector
Key Deleted : HKLM\Software\Babylon
Key Deleted : HKLM\Software\Conduit
Key Deleted : HKLM\Software\Iminent
Key Deleted : HKLM\Software\SP Global
Key Deleted : HKLM\Software\SProtector
 
***** [ Browsers ] *****
 
-\\ Internet Explorer v6.0.2900.2180
 
 
-\\ Mozilla Firefox v23.0.1 (en-US)
 
[ File : C:\Documents and Settings\Ferdole\Application Data\Mozilla\Firefox\Profiles\1mky6ufy.default\prefs.js ]
 
 
-\\ Google Chrome v29.0.1547.62
 
[ File : C:\Documents and Settings\Ferdole\Local Settings\Application Data\Google\Chrome\User Data\Default\preferences ]
 
 
[ File : C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\User Data\Default\preferences ]
 
 
*************************
 
AdwCleaner[R0].txt - [4597 octets] - [30/08/2013 20:18:06]
AdwCleaner[S0].txt - [4305 octets] - [30/08/2013 20:19:54]
 
########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [4365 octets] ##########
 
# AdwCleaner v3.006 - Report created 04/10/2013 at 21:32:10
# Updated 01/10/2013 by Xplode
# Operating System : Microsoft Windows XP Service Pack 2 (32 bits)
# Username : Ferdole - FERDOLE-9A672AF
# Running from : C:\Documents and Settings\Ferdole\My Documents\Downloads\adwcleaner (1).exe
# Option : Clean
 
***** [ Services ] *****
 
 
***** [ Files / Folders ] *****
 
File Deleted : C:\Documents and Settings\Ferdole\Local Settings\Application Data\Google\Chrome\User Data\Default\Local Storage\chrome-extension_eooncjejnppfjjklapaamhcdmjbilmde_0.localstorage
 
***** [ Shortcuts ] *****
 
 
***** [ Registry ] *****
 
Key Deleted : HKCU\Software\Conduit
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}
 
***** [ Browsers ] *****
 
-\\ Internet Explorer v6.0.2900.2180
 
 
-\\ Mozilla Firefox v23.0.1 (en-US)
 
[ File : C:\Documents and Settings\Ferdole\Application Data\Mozilla\Firefox\Profiles\1mky6ufy.default\prefs.js ]
 
 
-\\ Google Chrome v29.0.1547.76
 
[ File : C:\Documents and Settings\Ferdole\Local Settings\Application Data\Google\Chrome\User Data\Default\preferences ]
 
 
[ File : C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\User Data\Default\preferences ]
 
 
*************************
 
AdwCleaner[R0].txt - [4597 octets] - [30/08/2013 20:18:06]
AdwCleaner[R1].txt - [1586 octets] - [04/10/2013 21:29:43]
AdwCleaner[S0].txt - [4445 octets] - [30/08/2013 20:19:54]
AdwCleaner[S1].txt - [1513 octets] - [04/10/2013 21:32:10]
 
########## EOF - C:\AdwCleaner\AdwCleaner[S1].txt - [1573 octets] ##########
 
 
Combo fix log:
 
ComboFix 13-10-01.03 - Ferdole 04/10/2013  23:09:49.5.2 - x86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.2046.1511 [GMT 3:00]
Running from: c:\documents and settings\Ferdole\My Documents\Downloads\ComboFix.exe
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Ferdole\WINDOWS
c:\program files\Internet Explorer\dmlconf.dat
c:\windows\csetup.log
c:\windows\system32\frapsvid.dll
c:\windows\system32\Oleaut32.1
c:\windows\system32\Oleaut32.2
c:\windows\wininit.ini
.
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_AMSINT32
-------\Service_amsint32
.
.
(((((((((((((((((((((((((   Files Created from 2013-09-04 to 2013-10-04  )))))))))))))))))))))))))))))))
.
.
2013-09-28 12:22 . 2013-09-28 12:22 -------- d-----w- C:\PADS Projects
2013-09-28 12:14 . 2013-09-28 12:14 -------- d-----w- c:\windows\Downloaded Installations
2013-09-28 12:01 . 2013-09-28 12:01 -------- d-----w- c:\documents and settings\All Users\Application Data\pads
2013-09-28 09:15 . 1999-09-20 02:38 323955 ----a-w- c:\program files\Common Files\InstallShield\Engine\6\Intel 32\ILog.dll
2013-09-28 08:13 . 2013-09-28 08:17 -------- d-----w- c:\program files\Microsoft Works
2013-09-28 08:11 . 2013-09-28 08:11 -------- d-----w- c:\program files\Microsoft Visual Studio 8
2013-09-28 08:09 . 2013-09-28 08:09 -------- d-----r- C:\MSOCache
2013-09-27 21:25 . 2001-08-17 19:36 26624 -c--a-w- c:\windows\system32\dllcache\umaxu22.dll
2013-09-27 21:25 . 2001-08-17 19:36 69632 -c--a-w- c:\windows\system32\dllcache\umaxu12.dll
2013-09-27 21:25 . 2001-08-17 19:36 50688 -c--a-w- c:\windows\system32\dllcache\umaxscan.dll
2013-09-27 21:25 . 2001-08-17 10:58 22912 -c--a-w- c:\windows\system32\dllcache\umaxpcls.sys
2013-09-27 21:25 . 2001-08-17 19:36 50176 -c--a-w- c:\windows\system32\dllcache\umaxp60.dll
2013-09-27 21:25 . 2001-08-17 19:36 47616 -c--a-w- c:\windows\system32\dllcache\umaxcam.dll
2013-09-27 21:25 . 2001-08-17 19:36 211968 -c--a-w- c:\windows\system32\dllcache\um54scan.dll
2013-09-27 21:25 . 2001-08-17 19:36 216064 -c--a-w- c:\windows\system32\dllcache\um34scan.dll
2013-09-27 21:23 . 2001-08-17 11:56 81408 -c--a-w- c:\windows\system32\dllcache\tgiul50.dll
2013-09-27 21:22 . 2001-08-17 09:18 285760 -c--a-w- c:\windows\system32\dllcache\stlnata.sys
2013-09-27 21:21 . 2001-08-17 09:12 24576 -c--a-w- c:\windows\system32\dllcache\smc8000n.sys
2013-09-27 21:20 . 2001-08-17 09:51 98080 -c--a-w- c:\windows\system32\dllcache\sgiulnt5.sys
2013-09-27 21:19 . 2001-08-17 09:50 41216 -c--a-w- c:\windows\system32\dllcache\s3mt3d.sys
2013-09-27 21:18 . 2001-08-17 10:52 49024 -c--a-w- c:\windows\system32\dllcache\ql1280.sys
2013-09-27 21:17 . 2004-08-03 21:56 211712 -c--a-w- c:\windows\system32\dllcache\perm2dll.dll
2013-09-27 21:16 . 2001-08-17 09:20 54528 -c--a-w- c:\windows\system32\dllcache\opl3sax.sys
2013-09-27 21:15 . 2001-08-17 11:56 35392 -c--a-w- c:\windows\system32\dllcache\n9i128.dll
2013-09-27 21:14 . 2001-08-17 10:52 6528 -c--a-w- c:\windows\system32\dllcache\miniqic.sys
2013-09-27 21:13 . 2001-08-17 19:36 45568 -c--a-w- c:\windows\system32\dllcache\kdsui.dll
2013-09-27 21:12 . 2001-08-17 19:36 372824 -c--a-w- c:\windows\system32\dllcache\iconf32.dll
2013-09-27 21:11 . 2001-08-17 10:28 542879 -c--a-w- c:\windows\system32\dllcache\hsf_msft.sys
2013-09-27 21:10 . 2004-08-03 20:08 59136 -c--a-w- c:\windows\system32\dllcache\gckernel.sys
2013-09-27 21:09 . 2001-08-17 10:28 595647 -c--a-w- c:\windows\system32\dllcache\es56cvmp.sys
2013-09-27 21:08 . 2001-08-17 19:36 6216 -c--a-w- c:\windows\system32\dllcache\divaci.dll
2013-09-27 21:07 . 2001-08-17 10:51 6656 -c--a-w- c:\windows\system32\dllcache\cmdide.sys
2013-09-27 21:06 . 2004-08-03 21:56 516768 -c--a-w- c:\windows\system32\dllcache\ativvaxx.dll
2013-09-27 21:05 . 2001-08-17 11:56 66048 -c--a-w- c:\windows\system32\dllcache\s3legacy.dll
2013-09-27 20:32 . 2013-09-28 08:12 -------- d-----w- c:\program files\Microsoft.NET
2013-09-17 17:35 . 2013-09-17 17:35 -------- d-----r- c:\program files\Skype
2013-09-14 08:01 . 2008-02-03 22:10 237776 ----a-w- c:\windows\system32\tpuninst.exe
2013-09-12 19:04 . 2013-09-28 18:40 -------- d-s---w- c:\documents and settings\Ferdole\UserData
2013-09-11 20:19 . 2013-09-11 20:19 -------- d-----w- c:\documents and settings\All Users\Application Data\NVIDIA
2013-09-11 20:19 . 2013-09-14 09:02 -------- d-----w- c:\documents and settings\UpdatusUser
2013-09-11 20:19 . 2013-09-11 20:19 -------- d-----w- c:\documents and settings\All Users\Application Data\NVIDIA Corporation
2013-09-11 20:19 . 2012-09-23 13:04 164200 ----a-w- c:\windows\system32\nvsvc32.exe
2013-09-11 20:19 . 2012-09-23 13:04 143720 ----a-w- c:\windows\system32\nvcolor.exe
2013-09-11 20:19 . 2012-09-23 13:04 54272 ----a-w- c:\windows\system32\nvwddi.dll
2013-09-11 20:19 . 2012-09-23 13:04 15512424 ----a-w- c:\windows\system32\nvcpl.dll
2013-09-11 20:19 . 2012-09-23 13:04 108392 ----a-w- c:\windows\system32\nvmctray.dll
2013-09-05 14:04 . 2013-09-05 14:04 209272 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-09-19 17:02 . 2012-03-29 17:20 692616 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-09-19 17:02 . 2011-09-26 20:05 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-08-21 21:24 . 2011-09-26 17:57 196608 ----a-w- c:\windows\system32\drivers\nStandard.bin
2013-07-27 17:12 . 2012-09-19 07:49 867240 ----a-w- c:\windows\system32\npDeployJava1.dll
2013-07-27 17:12 . 2012-09-19 07:49 789416 ----a-w- c:\windows\system32\deployJava1.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2012-09-23 15512424]
"nwiz"="c:\program files\NVIDIA Corporation\nview\nwiz.exe" [2012-09-23 1634112]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2013-04-04 21:06 958576 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
2013-04-21 18:43 59720 ----a-w- c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
2011-08-02 07:33 4980544 ----a-w- d:\daemon\DAEMON Tools Lite\DTLite.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2008-10-25 08:44 104800 ------w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2013-05-31 08:56 152392 ----a-w- d:\itunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2012-09-23 13:04 108392 ----a-w- c:\windows\system32\nvmctray.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pando Media Booster]
2013-04-19 19:13 4288048 ------w- c:\program files\Pando Networks\Media Booster\PMB.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UnlockerAssistant]
2010-07-04 19:51 95232 ----a-w- d:\unlocker\UnlockerAssistant.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Steam Client Service"=3 (0x3)
"iPod Service"=3 (0x3)
"gupdatem"=3 (0x3)
"gupdate"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"ALG"=3 (0x3)
"SkypeUpdate"=2 (0x2)
"IDriverT"=3 (0x3)
"WZCSVC"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"UacDisableNotify"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"d:\\steam\\Steam.exe"=
"d:\\steam\\steamapps\\common\\dota 2 beta\\dota.exe"=
"d:\\steam\\steamapps\\hitman_silent\\counter-strike\\hl.exe"=
"d:\\utorrent\\uTorrent.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"d:\\iTunes\\iTunes.exe"=
"c:\\Program Files\\NVIDIA Corporation\\NVIDIA Update Core\\daemonu.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"d:\\04.PADS 2005\\CRACK\\keygen.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\GrooveMonitor.exe"=
"c:\\Program Files\\Google\\Update\\GoogleUpdate.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"58035:TCP"= 58035:TCP:Pando Media Booster
"58035:UDP"= 58035:UDP:Pando Media Booster
.
R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\drivers\dtsoftbus01.sys [04/11/2011 18:22 232512]
R2 cpuz135;cpuz135;c:\windows\system32\drivers\cpuz135_x32.sys [08/10/2011 21:36 21992]
R2 SSIPDDP;SSIPDDP;c:\windows\system32\drivers\SSIPDDP.SYS [28/09/2013 14:59 54272]
S3 esgiguard;esgiguard;\??\c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys --> c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys [?]
S4 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [19/04/2013 15:14 161384]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - AMSINT32
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-09-20 09:07 1177552 ----a-w- c:\program files\Google\Chrome\Application\29.0.1547.76\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-10-04 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-03-29 17:02]
.
2013-10-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-09-26 20:04]
.
2013-10-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-09-26 20:04]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1 192.168.1.1
FF - ProfilePath - c:\documents and settings\Ferdole\Application Data\Mozilla\Firefox\Profiles\1mky6ufy.default\
FF - prefs.js: browser.startup.homepage - www.google.com
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-PSpice Student - c:\program files\OrCAD_Demo\DeIsL1.isu
AddRemove-Sierra Utilities - c:\program files\Sierra On-Line\sutil32.exe
AddRemove-{B685940C-D24C-D952-1E06-B59C10A30DAE} - c:\docume~1\ALLUSE~1\APPLIC~1\INSTAL~1\{D8D9E~1\Setup.exe
AddRemove-{EC4F1832-3242-F796-6F59-8470D164E429} - c:\docume~1\ALLUSE~1\APPLIC~1\INSTAL~1\{D46DF~1\Setup.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-10-04 23:14
Windows 5.1.2600 Service Pack 2 NTFS
.
detected NTDLL code modification:
ZwQueryDirectoryFile
.
scanning hidden processes ...  
.
scanning hidden autostart entries ... 
.
scanning hidden files ...  
.
.
c:\documents and settings\Ferdole\Start Menu\Programs\Startup\hsrwnvxq.exe 181232 bytes executable
c:\documents and settings\Ferdole\Application Data\Yahoo!\Messenger\Shortcut\adelutza :*.lnk 1860 bytes hidden from API
.
scan completed successfully
hidden files: 2
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_8_800_175_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_8_800_175_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(4016)
c:\windows\system32\msi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Google\Update\1.3.21.153\GoogleCrashHandler.exe
c:\windows\ATKKBService.exe
c:\program files\Internet Explorer\iexplore.exe
c:\program files\Internet Explorer\iexplore.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\nvsvc32.exe
c:\program files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
c:\docume~1\Ferdole\LOCALS~1\Temp\kerelq.exe
.
**************************************************************************
.
Completion time: 2013-10-04  23:18:20 - machine was rebooted
ComboFix-quarantined-files.txt  2013-10-04 20:18
.
Pre-Run: 3,515,052,032 bytes free
Post-Run: 3,580,801,024 bytes free
.
- - End Of File - - B2671DF3A1EFAC91164D0A79EF303E4B
8F558EB6672622401DA993E1E865C861
 
 


#4 nasdaq

nasdaq

  • Malware Response Team
  • 38,756 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 05 October 2013 - 07:29 AM


Reported by Gmer.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-10-04 23:14
Windows 5.1.2600 Service Pack 2 NTFS
.
detected NTDLL code modification:
ZwQueryDirectoryFile
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
c:\documents and settings\Ferdole\Start Menu\Programs\Startup\hsrwnvxq.exe 181232 bytes executable
c:\documents and settings\Ferdole\Application Data\Yahoo!\Messenger\Shortcut\adelutza :*.lnk 1860 bytes hidden from API


---

--RogueKiller--
  • Download & SAVE to your Desktop RogueKiller for 32bit or Roguekiller for 64bit
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select "Run as Administrator" to start
  • For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • Then Click on "Scan" button
  • Wait until the Status box shows "Scan Finished"
  • click on "delete"
  • Wait until the Status box shows "Deleting Finished"
  • Click on "Report" and copy/paste the content of the Notepad into your next reply.
  • The log should be found in RKreport[1].txt on your Desktop
  • Exit/Close RogueKiller
Please let me know what problem persists.

#5 ferdole

ferdole
  • Topic Starter

  • Members
  • 30 posts

Posted 05 October 2013 - 07:58 AM

Well I still get the runtime error "R6002 floating point support not loaded" when I try to open Revo Uninstaller, CPUID HWMonitor and some other programs, and the unknown process IEXPLORE.EXE from the startup still appears.

RogueKiller report:

RogueKiller V8.7.1 [Oct  3 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
 
Operating System : Windows XP (5.1.2600 Service Pack 2) 32 bits version
Started in : Normal mode
User : Ferdole [Admin rights]
Mode : Remove -- Date : 10/05/2013 15:54:07
| ARK || FAK || MBR |
 
¤¤¤ Bad processes : 2 ¤¤¤
[SUSP PATH] winrtkvi.exe -- C:\Documents and Settings\Ferdole\Local Settings\temp\winrtkvi.exe [-] -> KILLED [TermProc]
[SUSP PATH] ttnt.exe -- C:\Documents and Settings\Ferdole\Local Settings\temp\ttnt.exe [-] -> KILLED [TermProc]
 
¤¤¤ Registry Entries : 7 ¤¤¤
[HJ POL][PUM] HKLM\[...]\System : DisableRegistryTools (0) -> DELETED
[HJ POL][PUM] HKLM\[...]\System : EnableLUA (0) -> REPLACED (1)
[HJ SECU][PUM] HKLM\[...]\Security Center : AntiVirusDisableNotify (1) -> REPLACED (0)
[HJ SECU][PUM] HKLM\[...]\Security Center : FirewallDisableNotify (1) -> REPLACED (0)
[HJ SECU][PUM] HKLM\[...]\Security Center : UpdatesDisableNotify (1) -> REPLACED (0)
[HJ DESK][PUM] HKCU\[...]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
[HJ DESK][PUM] HKCU\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
 
¤¤¤ Scheduled tasks : 0 ¤¤¤
 
¤¤¤ Startup Entries : 0 ¤¤¤
 
¤¤¤ Web browsers : 0 ¤¤¤
 
¤¤¤ Particular Files / Folders: ¤¤¤
 
¤¤¤ Driver : [LOADED] ¤¤¤
[Inline] EAT @explorer.exe (LdrLoadDll) : ntdll.dll -> HOOKED (Unknown @ 0x200373C6)
[Inline] EAT @explorer.exe (NtQueryDirectoryFile) : ntdll.dll -> HOOKED (Unknown @ 0x2003795E)
[Inline] EAT @explorer.exe (NtResumeThread) : ntdll.dll -> HOOKED (Unknown @ 0x20035BDA)
[Inline] EAT @explorer.exe (ZwQueryDirectoryFile) : ntdll.dll -> HOOKED (Unknown @ 0x2003795E)
[Inline] EAT @explorer.exe (ZwResumeThread) : ntdll.dll -> HOOKED (Unknown @ 0x20035BDA)
[Inline] EAT @explorer.exe (?MILLIS_PER_SECOND@GCDate@@2JB) : GrooveUtil.DLL -> HOOKED (Unknown @ 0xC8F71CF4)
[Inline] EAT @explorer.exe (WSARecv) : WS2_32.dll -> HOOKED (Unknown @ 0x200377EB)
[Inline] EAT @explorer.exe (WSARecvFrom) : WS2_32.dll -> HOOKED (Unknown @ 0x20037892)
[Inline] EAT @explorer.exe (WSASend) : WS2_32.dll -> HOOKED (Unknown @ 0x20037757)
[Inline] EAT @explorer.exe (WSASendTo) : WS2_32.dll -> HOOKED (Unknown @ 0x2003779E)
[Inline] EAT @explorer.exe (closesocket) : WS2_32.dll -> HOOKED (Unknown @ 0x2003793F)
[Inline] EAT @explorer.exe (recv) : WS2_32.dll -> HOOKED (Unknown @ 0x200376DD)
[Inline] EAT @explorer.exe (recvfrom) : WS2_32.dll -> HOOKED (Unknown @ 0x20037717)
[Inline] EAT @explorer.exe (send) : WS2_32.dll -> HOOKED (Unknown @ 0x20037606)
[Inline] EAT @explorer.exe (sendto) : WS2_32.dll -> HOOKED (Unknown @ 0x20037634)
[Inline] EAT @explorer.exe (DnsQuery_A) : DNSAPI.dll -> HOOKED (Unknown @ 0x200374EF)
[Inline] EAT @explorer.exe (DnsQuery_UTF8) : DNSAPI.dll -> HOOKED (Unknown @ 0x200375B4)
[Inline] EAT @explorer.exe (DnsQuery_W) : DNSAPI.dll -> HOOKED (Unknown @ 0x2003753E)
[Inline] EAT @IEXPLORE.EXE (LdrLoadDll) : ntdll.dll -> HOOKED (Unknown @ 0x200173C6)
[Inline] EAT @IEXPLORE.EXE (NtQueryDirectoryFile) : ntdll.dll -> HOOKED (Unknown @ 0x2001795E)
[Inline] EAT @IEXPLORE.EXE (NtResumeThread) : ntdll.dll -> HOOKED (Unknown @ 0x20015BDA)
[Inline] EAT @IEXPLORE.EXE (ZwQueryDirectoryFile) : ntdll.dll -> HOOKED (Unknown @ 0x2001795E)
[Inline] EAT @IEXPLORE.EXE (ZwResumeThread) : ntdll.dll -> HOOKED (Unknown @ 0x20015BDA)
[Inline] EAT @IEXPLORE.EXE (WSARecv) : ws2_32.dll -> HOOKED (Unknown @ 0x200177EB)
[Inline] EAT @IEXPLORE.EXE (WSARecvFrom) : ws2_32.dll -> HOOKED (Unknown @ 0x20017892)
[Inline] EAT @IEXPLORE.EXE (WSASend) : ws2_32.dll -> HOOKED (Unknown @ 0x20017757)
[Inline] EAT @IEXPLORE.EXE (WSASendTo) : ws2_32.dll -> HOOKED (Unknown @ 0x2001779E)
[Inline] EAT @IEXPLORE.EXE (closesocket) : ws2_32.dll -> HOOKED (Unknown @ 0x2001793F)
[Inline] EAT @IEXPLORE.EXE (recv) : ws2_32.dll -> HOOKED (Unknown @ 0x200176DD)
[Inline] EAT @IEXPLORE.EXE (recvfrom) : ws2_32.dll -> HOOKED (Unknown @ 0x20017717)
[Inline] EAT @IEXPLORE.EXE (send) : ws2_32.dll -> HOOKED (Unknown @ 0x20017606)
[Inline] EAT @IEXPLORE.EXE (sendto) : ws2_32.dll -> HOOKED (Unknown @ 0x20017634)
[Inline] EAT @IEXPLORE.EXE (DnsQuery_A) : DNSAPI.dll -> HOOKED (Unknown @ 0x200174EF)
[Inline] EAT @IEXPLORE.EXE (DnsQuery_UTF8) : DNSAPI.dll -> HOOKED (Unknown @ 0x200175B4)
[Inline] EAT @IEXPLORE.EXE (DnsQuery_W) : DNSAPI.dll -> HOOKED (Unknown @ 0x2001753E)
 
¤¤¤ External Hives: ¤¤¤
 
¤¤¤ Infection :  ¤¤¤
 
¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts
 
 
127.0.0.1       localhost
 
 
¤¤¤ MBR Check: ¤¤¤
 
+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) (Standard disk drives) - WDC WD1600AAJS-22PSA0 +++++
--- User ---
[MBR] 3a614b10ca45df27962b44d37c3be535
[BSP] cf0f6b0f83eb86721c85956fbe8673bb : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 20002 Mo
1 - [XXXXXX] EXTEN-LBA (0x0f) [VISIBLE] Offset (sectors): 40965750 | Size: 132614 Mo
User = LL1 ... OK!
User = LL2 ... OK!
 
Finished : << RKreport[0]_D_10052013_155407.txt >>
RKreport[0]_D_10042013_212641.txt;RKreport[0]_S_10042013_212532.txt;RKreport[0]_S_10052013_155326.txt
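A small triage script for a RogueKiller report like the one above, added here as an example (it is not RogueKiller's or this thread's own code): it extracts the [HJ ...][PUM] registry entries and groups the [Inline] EAT hooks per process, using a few lines copied from the report as constructed sample input.

```python
"""Triage helper for a RogueKiller text report (added example, not RogueKiller's code).

Two things the report makes visible are pulled out:
  * [HJ ...][PUM] registry entries: policy / Security Center values the tool
    reset (EnableLUA, AntiVirusDisableNotify, FirewallDisableNotify, ...);
  * [Inline] EAT hooks, grouped per process, so that one API set hooked
    identically in unrelated processes (all pointing into an "Unknown"
    region) stands out from a lone odd hook in a third-party DLL.
"""
import re
from collections import defaultdict

# Constructed sample: a subset of lines copied from the report in the post
# above, embedded so the script runs offline. Feed parse_*() a whole
# RKreport[...].txt for real use.
SAMPLE_REPORT = r"""
[HJ POL][PUM] HKLM\[...]\System : DisableRegistryTools (0) -> DELETED
[HJ POL][PUM] HKLM\[...]\System : EnableLUA (0) -> REPLACED (1)
[HJ SECU][PUM] HKLM\[...]\Security Center : AntiVirusDisableNotify (1) -> REPLACED (0)
[HJ SECU][PUM] HKLM\[...]\Security Center : FirewallDisableNotify (1) -> REPLACED (0)
[HJ DESK][PUM] HKCU\[...]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
[Inline] EAT @explorer.exe (LdrLoadDll) : ntdll.dll -> HOOKED (Unknown @ 0x200373C6)
[Inline] EAT @explorer.exe (NtQueryDirectoryFile) : ntdll.dll -> HOOKED (Unknown @ 0x2003795E)
[Inline] EAT @explorer.exe (?MILLIS_PER_SECOND@GCDate@@2JB) : GrooveUtil.DLL -> HOOKED (Unknown @ 0xC8F71CF4)
[Inline] EAT @explorer.exe (send) : WS2_32.dll -> HOOKED (Unknown @ 0x20037606)
[Inline] EAT @explorer.exe (DnsQuery_A) : DNSAPI.dll -> HOOKED (Unknown @ 0x200374EF)
[Inline] EAT @IEXPLORE.EXE (LdrLoadDll) : ntdll.dll -> HOOKED (Unknown @ 0x200173C6)
[Inline] EAT @IEXPLORE.EXE (send) : ws2_32.dll -> HOOKED (Unknown @ 0x20017606)
[Inline] EAT @IEXPLORE.EXE (DnsQuery_A) : DNSAPI.dll -> HOOKED (Unknown @ 0x200174EF)
"""

# "[Inline] EAT @<process> (<function>) : <module> -> HOOKED (<target> @ <addr>)"
HOOK_RE = re.compile(
    r"^\[Inline\] EAT @(?P<proc>\S+) \((?P<func>[^)]+)\) : (?P<module>\S+)"
    r" -> HOOKED \((?P<target>\S+) @ (?P<addr>0x[0-9A-Fa-f]+)\)$"
)
# "[HJ <class>][PUM] <key> : <value> (<found>) -> DELETED | REPLACED (<new>)"
HIJACK_RE = re.compile(
    r"^\[(?P<cls>HJ [A-Z]+)\]\[PUM\] (?P<key>.+?) : (?P<value>\S+) \((?P<found>[^)]*)\)"
    r" -> (?P<action>[A-Z]+)(?: \((?P<new>[^)]*)\))?$"
)


def parse_hooks(report):
    """One dict per '[Inline] EAT ... HOOKED' line; addr is converted to int."""
    hooks = []
    for line in report.splitlines():
        m = HOOK_RE.match(line.strip())
        if m:
            hook = m.groupdict()
            hook["addr"] = int(hook["addr"], 16)
            hooks.append(hook)
    return hooks


def parse_registry_hijacks(report):
    """One dict per '[HJ ...][PUM]' line (policy / Security Center tampering)."""
    entries = []
    for line in report.splitlines():
        m = HIJACK_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def functions_hooked_in_all_processes(hooks):
    """Sorted (module, function) pairs hooked in every process the report lists.

    The same loader / socket / DNS API set hooked in unrelated processes is
    what distinguishes process-wide injection from a single misbehaving DLL.
    """
    procs = {h["proc"] for h in hooks}
    seen = defaultdict(set)
    for h in hooks:
        seen[(h["module"].lower(), h["func"])].add(h["proc"])
    return sorted(key for key, where in seen.items() if where == procs)


def hook_regions(hooks):
    """Per process, count hook targets by 64 KiB region of the target address.

    Hooks planted by one injected payload cluster in a single region; an
    outlier region deserves a separate look before it is called malicious.
    """
    regions = defaultdict(lambda: defaultdict(int))
    for h in hooks:
        regions[h["proc"]][f"0x{h['addr'] >> 16:04x}"] += 1
    return {proc: dict(counts) for proc, counts in regions.items()}


def triage(report):
    """Human-readable summary of both parsers' results."""
    hooks = parse_hooks(report)
    lines = ["Registry tampering reset by the tool:"]
    for hj in parse_registry_hijacks(report):
        lines.append(f"  [{hj['cls']}] {hj['key']} : {hj['value']} was {hj['found']} -> {hj['action']}")
    lines.append("Hook target regions per process:")
    for proc, counts in hook_regions(hooks).items():
        lines.append(f"  {proc}: {counts}")
    lines.append("APIs hooked in every listed process:")
    for module, func in functions_hooked_in_all_processes(hooks):
        lines.append(f"  {module}!{func}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(triage(SAMPLE_REPORT))
```

Run it as a script to print the summary for the embedded sample, or call the parse functions on a saved RKreport text.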


#6 nasdaq

nasdaq

  • Malware Response Team
  • 38,756 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 05 October 2013 - 08:36 AM


You have CD Emulator Software (Daemon Tools, Alcohol etc.) installed; the drivers this software uses can interfere with the Anti-Rootkit tools we use. These interferences can take a few forms, like GMER crashing or causing BSODs, or Rootkit scans producing large amounts of FPs and general dross. This 'dross' often makes it hard to differentiate between genuine malicious Rootkits and the legitimate drivers used by CD Emulators.

Disable the CD emulators....

Please download DeFogger to your desktop.

Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
  • IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

    Do not re-enable these drivers until otherwise instructed. Or when this computer is clean.

    HOW TO: Enable the CD Emulators... < restore only when we are finished.

    To re-enable your Emulation drivers, double click DeFogger to run the tool.
    • The application window will appear
    • Click the Re-enable button to re-enable your CD Emulation drivers
    • Click Yes to continue
    • A 'Finished!' message will appear
    • Click OK
    • DeFogger will now ask to reboot the machine - click OK
    IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_enable which will appear on your desktop.

    Your Emulation drivers are now re-enabled.
    ===

    Read carefully and follow these steps.
    • Download TDSSKiller and save it to your Desktop.
    • Double-click on TDSSKiller.exe to run the application.
    • Click Change parameters
    • Check the boxes next to Verify Driver Digital Signature and Detect TDLFS file system, then click OK
    • Click on the Start Scan button to begin the scan and wait for it to finish.
      NOTE: Do not use the computer during the scan!
    • During the scan it will look similar to the image below:
    • When it finishes, you will either see a report that no threats were found like below:
      If no threats are found at this point, just click the Report selection on the top right of the form to generate a log. A log file report will pop which you can just close since the report file is already saved.
    • If any infection or suspected items are found, you will see a window similar to below:
      • If you have files that are shown to fail signature check do not take any action on these. Make sure you select Skip. I will tell you what to do with these later. They may not be issues at all.
      • If Suspicious objects are detected, the default action will be Skip. Leave the default set to Skip.
      • If Malicious objects are detected, they will show in the Scan results. TDSSKiller automatically selects an action (Cure or Delete) for malicious objects
      • Make sure that Cure is selected. Important! - If Cure is not available, please choose Skip instead. Do not choose Delete unless instructed to do so.
    • Click Continue to apply selected actions.
    • A reboot may be required to complete disinfection. A window like the below will appear:
      Reboot immediately if TDSSKiller states that one is needed.
    • Whether an infection is found or not, a log file should have already been created on your C: drive (or whatever drive you boot from) in the root folder named something like TDSSKiller.2.1.1_27.12.2009_14.17.04_log.txt which is based on the program version # and date and time run.
    • Paste the log to your next reply, DO NOT ATTACH IT.
    ===

    Download http://public.avast.com/~gmerek/aswMBR.exe (aswMBR.exe) to your desktop. Double click the aswMBR.exe to run it.
    • Click the "Scan" button to start scan.
    • Upon completion of the scan, click Save log, and save it to your desktop. (Note - do not select any Fix at this time) <- IMPORTANT
    • Please paste the contents of that log in your next reply.
    There shall also be a file on your desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) folder. Please attach that zipped file in your next reply.
    ===



#7 ferdole

ferdole
  • Topic Starter

  • Members
  • 30 posts

Posted 05 October 2013 - 01:53 PM

I apologize for my delayed answer, but the Kaspersky page was down for a couple of hours.

I didn't receive any errors from the DeFogger.

Kaspersky report:


21:38:14.0546 2804  TDSS rootkit removing tool 2.8.16.0 Feb 11 2013 18:50:42
21:38:14.0781 2804  ============================================================
21:38:14.0781 2804  Current date / time: 2013/10/05 21:38:14.0781
21:38:14.0781 2804  SystemInfo:
21:38:14.0781 2804  
21:38:14.0781 2804  OS Version: 5.1.2600 ServicePack: 2.0
21:38:14.0781 2804  Product type: Workstation
21:38:14.0781 2804  ComputerName: FERDOLE-9A672AF
21:38:14.0781 2804  UserName: Ferdole
21:38:14.0781 2804  Windows directory: C:\WINDOWS
21:38:14.0781 2804  System windows directory: C:\WINDOWS
21:38:14.0781 2804  Processor architecture: Intel x86
21:38:14.0781 2804  Number of processors: 2
21:38:14.0781 2804  Page size: 0x1000
21:38:14.0781 2804  Boot type: Normal boot
21:38:14.0781 2804  ============================================================
21:38:15.0953 2804  Drive \Device\Harddisk0\DR0 - Size: 0x25433D6000 (149.05 Gb), SectorSize: 0x200, Cylinders: 0x4C01, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
21:38:15.0953 2804  ============================================================
21:38:15.0953 2804  \Device\Harddisk0\DR0:
21:38:15.0953 2804  MBR partitions:
21:38:15.0953 2804  \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x2711637
21:38:15.0953 2804  \Device\Harddisk0\DR0\Partition2: MBR, Type 0x7, StartLBA 0x27116B5, BlocksNum 0x1030354B
21:38:15.0953 2804  ============================================================
21:38:16.0015 2804  D: <-> \Device\Harddisk0\DR0\Partition2
21:38:16.0046 2804  C: <-> \Device\Harddisk0\DR0\Partition1
21:38:16.0046 2804  ============================================================
21:38:16.0046 2804  Initialize success
21:38:16.0046 2804  ============================================================
21:38:24.0796 2920  ============================================================
21:38:24.0796 2920  Scan started
21:38:24.0796 2920  Mode: Manual; SigCheck; TDLFS; 
21:38:24.0796 2920  ============================================================
21:38:25.0125 2920  ================ Scan system memory ========================
21:38:25.0125 2920  System memory - ok
21:38:25.0125 2920  ================ Scan services =============================
21:38:51.0484 2920  VolSnap - ok
21:38:51.0531 2920  [ 3EE00364AE0FD8D604F46CBAF512838A ] VSS             C:\WINDOWS\System32\vssvc.exe
21:38:51.0593 2920  VSS - ok
21:38:51.0609 2920  [ 2B281958F5D0CF99ED626E3EF39D5C8D ] W32Time         C:\WINDOWS\system32\w32time.dll
21:38:51.0718 2920  W32Time - ok
21:38:51.0734 2920  [ 984EF0B9788ABF89974CFED4BFBAACBC ] Wanarp          C:\WINDOWS\system32\DRIVERS\wanarp.sys
21:38:51.0843 2920  Wanarp - ok
21:38:51.0875 2920  [ D918617B46457B9AC28027722E30F647 ] Wdf01000        C:\WINDOWS\system32\Drivers\wdf01000.sys
21:38:51.0890 2920  Wdf01000 - ok
21:38:51.0890 2920  WDICA - ok
21:38:51.0906 2920  [ 2797F33EBF50466020C430EE4F037933 ] wdmaud          C:\WINDOWS\system32\drivers\wdmaud.sys
21:38:52.0000 2920  wdmaud - ok
21:38:52.0015 2920  [ 5D0A442864BFBF3B19DCCA4CD29F6E99 ] WebClient       C:\WINDOWS\System32\webclnt.dll
21:38:52.0109 2920  WebClient - ok
21:38:52.0156 2920  [ F399242A80C4066FD155EFA4CF96658E ] winmgmt         C:\WINDOWS\system32\wbem\WMIsvc.dll
21:38:52.0250 2920  winmgmt - ok
21:38:52.0281 2920  [ C086483E3DBA8C1C0A687EC8D5B3D4C1 ] WmdmPmSN        C:\WINDOWS\system32\mspmsnsv.dll
21:38:52.0406 2920  WmdmPmSN - ok
21:38:52.0437 2920  [ 1081C185AED0660B2B5F173C3E023B23 ] Wmi             C:\WINDOWS\System32\advapi32.dll
21:38:52.0515 2920  Wmi - ok
21:38:52.0546 2920  [ BA8CECC3E813E1F7C441B20393D4F86C ] WmiApSrv        C:\WINDOWS\system32\wbem\wmiapsrv.exe
21:38:52.0640 2920  WmiApSrv - ok
21:38:52.0718 2920  [ DCF3E3EDF5109EE8BC02FE6E1F045795 ] WPFFontCache_v0400 C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe
21:38:52.0750 2920  WPFFontCache_v0400 - ok
21:38:52.0781 2920  [ 6ABE6E225ADB5A751622A9CC3BC19CE8 ] WS2IFSL         C:\WINDOWS\System32\drivers\ws2ifsl.sys
21:38:52.0875 2920  WS2IFSL - ok
21:38:52.0906 2920  [ 4D59DAA66C60858CDF4F67A900F42D4A ] wscsvc          C:\WINDOWS\system32\wscsvc.dll
21:38:52.0984 2920  wscsvc - ok
21:38:53.0015 2920  [ D5842484F05E12121C511AA93F6439EC ] WSTCODEC        C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
21:38:53.0109 2920  WSTCODEC - ok
21:38:53.0125 2920  [ 13D72740963CBA12D9FF76A7F218BCD8 ] wuauserv        C:\WINDOWS\system32\wuauserv.dll
21:38:53.0218 2920  wuauserv - ok
21:38:53.0250 2920  [ 5A91E6FEAB9F901302FA7FF768C0120F ] WZCSVC          C:\WINDOWS\System32\wzcsvc.dll
21:38:53.0343 2920  WZCSVC - ok
21:38:53.0359 2920  [ EEF46DAB68229A14DA3D8E73C99E2959 ] xmlprov         C:\WINDOWS\System32\xmlprov.dll
21:38:53.0453 2920  xmlprov - ok
21:38:53.0453 2920  ================ Scan global ===============================
21:38:53.0484 2920  [ 00EF9C3AF83EDBAF18CA7A2837750117 ] C:\WINDOWS\system32\basesrv.dll
21:38:53.0484 2920  [ 442D0EAD5534E4ADCF6D4469043C82C0 ] C:\WINDOWS\system32\winsrv.dll
21:38:53.0500 2920  [ 442D0EAD5534E4ADCF6D4469043C82C0 ] C:\WINDOWS\system32\winsrv.dll
21:38:53.0515 2920  [ 37561F8D4160D62DA86D24AE41FAE8DE ] C:\WINDOWS\system32\services.exe
21:38:53.0515 2920  [Global] - ok
21:38:53.0515 2920  ================ Scan MBR ==================================
21:38:53.0531 2920  [ 8F558EB6672622401DA993E1E865C861 ] \Device\Harddisk0\DR0
21:38:53.0781 2920  \Device\Harddisk0\DR0 - ok
21:38:53.0781 2920  ================ Scan VBR ==================================
21:38:53.0781 2920  [ 0C434F1380A4DE9AEA521AF697535FE3 ] \Device\Harddisk0\DR0\Partition1
21:38:53.0781 2920  \Device\Harddisk0\DR0\Partition1 - ok
21:38:53.0812 2920  [ 19CD69C4D83898EC287A3F42F9A18690 ] \Device\Harddisk0\DR0\Partition2
21:38:53.0812 2920  \Device\Harddisk0\DR0\Partition2 - ok
21:38:53.0812 2920  ============================================================
21:38:53.0812 2920  Scan finished
21:38:53.0812 2920  ============================================================
21:38:53.0921 2912  Detected object count: 14
21:38:53.0921 2912  Actual detected object count: 14
21:40:29.0015 2912  ALCXWDM ( UnsignedFile.Multi.Generic ) - skipped by user
21:40:29.0015 2912  ALCXWDM ( UnsignedFile.Multi.Generic ) - User select action: Skip 
21:40:29.0015 2912  asusgsb ( UnsignedFile.Multi.Generic ) - skipped by user
21:40:29.0015 2912  asusgsb ( UnsignedFile.Multi.Generic ) - User select action: Skip 
21:40:29.0015 2912  asuskbnt ( UnsignedFile.Multi.Generic ) - skipped by user
21:40:29.0015 2912  asuskbnt ( UnsignedFile.Multi.Generic ) - User select action: Skip 
21:40:29.0031 2912  ATKKeyboardService ( UnsignedFile.Multi.Generic ) - skipped by user
21:40:29.0031 2912  ATKKeyboardService ( UnsignedFile.Multi.Generic ) - User select action: Skip 
21:40:29.0031 2912  DS1410D ( UnsignedFile.Multi.Generic ) - skipped by user
21:40:29.0031 2912  DS1410D ( UnsignedFile.Multi.Generic ) - User select action: Skip 
21:40:29.0031 2912  EIO ( UnsignedFile.Multi.Generic ) - skipped by user
21:40:29.0031 2912  EIO ( UnsignedFile.Multi.Generic ) - User select action: Skip 
21:40:29.0031 2912  giveio ( UnsignedFile.Multi.Generic ) - skipped by user
21:40:29.0031 2912  giveio ( UnsignedFile.Multi.Generic ) - User select action: Skip 
21:40:29.0031 2912  gupdate ( UnsignedFile.Multi.Generic ) - skipped by user
21:40:29.0031 2912  gupdate ( UnsignedFile.Multi.Generic ) - User select action: Skip 
21:40:29.0031 2912  gupdatem ( UnsignedFile.Multi.Generic ) - skipped by user
21:40:29.0031 2912  gupdatem ( UnsignedFile.Multi.Generic ) - User select action: Skip 
21:40:29.0031 2912  IDriverT ( UnsignedFile.Multi.Generic ) - skipped by user
21:40:29.0031 2912  IDriverT ( UnsignedFile.Multi.Generic ) - User select action: Skip 
21:40:29.0031 2912  Microsoft Office Groove Audit Service ( UnsignedFile.Multi.Generic ) - skipped by user
21:40:29.0031 2912  Microsoft Office Groove Audit Service ( UnsignedFile.Multi.Generic ) - User select action: Skip 
21:40:29.0046 2912  Sentinel ( UnsignedFile.Multi.Generic ) - skipped by user
21:40:29.0046 2912  Sentinel ( UnsignedFile.Multi.Generic ) - User select action: Skip 
21:40:29.0046 2912  SSIPDDP ( UnsignedFile.Multi.Generic ) - skipped by user
21:40:29.0046 2912  SSIPDDP ( UnsignedFile.Multi.Generic ) - User select action: Skip 
21:40:29.0046 2912  Video3D ( UnsignedFile.Multi.Generic ) - skipped by user
21:40:29.0046 2912  Video3D ( UnsignedFile.Multi.Generic ) - User select action: Skip 
21:41:28.0468 2740  Deinitialize success
 
 
 
Avast report:
 
aswMBR version 0.9.9.1771 Copyright© 2011 AVAST Software
Run date: 2013-10-05 21:42:49
-----------------------------
21:42:49.656    OS Version: Windows 5.1.2600 Service Pack 2
21:42:49.656    Number of processors: 2 586 0x4B02
21:42:49.656    ComputerName: FERDOLE-9A672AF  UserName: Ferdole
21:42:49.843    Initialize success
21:43:15.484    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP3T0L0-7
21:43:15.484    Disk 0 Vendor: WDC_WD1600AAJS-22PSA0 05.06H05 Size: 152627MB BusType: 3
21:43:15.562    Disk 0 MBR read successfully
21:43:15.562    Disk 0 MBR scan
21:43:15.562    Disk 0 Windows XP default MBR code
21:43:15.562    Disk 0 Partition 1 80 (A) 07    HPFS/NTFS NTFS        20002 MB offset 63
21:43:15.562    Disk 0 Partition - 00     0F Extended LBA            132614 MB offset 40965750
21:43:15.578    Disk 0 Partition 2 00     07    HPFS/NTFS NTFS       132614 MB offset 40965813
21:43:15.578    Disk 0 scanning sectors +312560640
21:43:15.625    Disk 0 scanning C:\WINDOWS\system32\drivers
21:43:19.109    Service scanning
21:43:25.375    Modules scanning
21:43:28.031    Disk 0 trace - called modules:
21:43:28.046    ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS 
21:43:28.046    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x89d68ab8]
21:43:28.046    3 CLASSPNP.SYS[b80e905b] -> nt!IofCallDriver -> \Device\00000077[0x89d50a30]
21:43:28.046    5 ACPI.sys[b7f7f620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP3T0L0-7[0x89d4dd98]
21:43:28.046    Scan finished successfully
21:44:06.765    Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Ferdole\Desktop\MBR.dat"
21:44:06.765    The log file has been saved successfully to "C:\Documents and Settings\Ferdole\Desktop\aswMBR.txt"
 
 

Attached Files

  • Attached file: MBR.zip (511 bytes)

Edited by ferdole, 05 October 2013 - 01:58 PM.
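The MBR that aswMBR saved to MBR.dat is a plain 512-byte sector, and the "Disk 0 Partition" rows in the log above come straight from the four 16-byte entries of its partition table. The Python script below is an added example for this thread (not aswMBR's code and not the poster's MBR.dat): it decodes such a sector, renders the entries the way aswMBR prints them, and runs the checks a responder does on a saved MBR (boot signature present, exactly one active partition, entries contiguous and non-overlapping). The sector it builds is constructed, with zeroed boot code and two entries chosen to mirror the offsets and sizes in the log, so its MD5 will not match the hash the scanners reported for \Device\Harddisk0\DR0.

```python
"""Decode a raw 512-byte MBR (such as the MBR.dat aswMBR saves) and sanity-check it.

Added example for this thread, not aswMBR's own code.  The MBR built by
build_sample_mbr() is constructed: zeroed boot code plus two partition entries
chosen to mirror the offsets and sizes in the aswMBR log, not the poster's file.
"""
import hashlib
import struct

SECTOR = 512
PART_TABLE_OFFSET = 0x1BE          # four 16-byte entries live here
BOOT_SIGNATURE = b"\x55\xAA"        # last two bytes of a valid MBR
ENTRY_FMT = "<B3sB3sII"             # flag, CHS start, type, CHS end, LBA start, sector count
PART_TYPES = {0x07: "HPFS/NTFS", 0x05: "Extended", 0x0F: "Extended LBA"}


def build_sample_mbr():
    """Construct a synthetic MBR: zero boot code plus two partition entries."""
    mbr = bytearray(SECTOR)
    entries = [
        # (boot flag, type, LBA start, sector count), mirroring the log rows
        (0x80, 0x07, 63, 40965750 - 63),               # active NTFS primary
        (0x00, 0x0F, 40965750, 312560640 - 40965750),  # extended container
    ]
    for i, (flag, ptype, start, count) in enumerate(entries):
        off = PART_TABLE_OFFSET + 16 * i
        chs = b"\xfe\xff\xff"  # "beyond CHS range, use LBA" marker
        mbr[off:off + 16] = struct.pack(ENTRY_FMT, flag, chs, ptype, chs, start, count)
    mbr[510:512] = BOOT_SIGNATURE
    return bytes(mbr)


def parse_mbr(data):
    """Return the boot-signature status, the sector's MD5 and the used partition entries."""
    if len(data) != SECTOR:
        raise ValueError("an MBR is exactly 512 bytes")
    entries = []
    for i in range(4):
        off = PART_TABLE_OFFSET + 16 * i
        flag, _, ptype, _, start, count = struct.unpack(ENTRY_FMT, data[off:off + 16])
        if ptype == 0 and count == 0:
            continue  # unused slot
        entries.append({
            "index": i + 1,
            "flag": flag,
            "bootable": flag == 0x80,
            "type": ptype,
            "type_name": PART_TYPES.get(ptype, "unknown 0x%02X" % ptype),
            "lba_start": start,
            "sectors": count,
            "lba_end": start + count,                    # first sector after the partition
            "size_mb": count * SECTOR // (1024 * 1024),  # same rounding as the log
        })
    return {
        "signature_ok": data[510:512] == BOOT_SIGNATURE,
        "md5": hashlib.md5(data).hexdigest().upper(),  # compare with the scanner's hash
        "entries": entries,
    }


def check_partition_table(entries):
    """Findings a responder should look at; an empty list means nothing odd."""
    findings = []
    active = [e for e in entries if e["bootable"]]
    if len(active) != 1:
        findings.append("expected exactly one active partition, found %d" % len(active))
    for e in entries:
        if e["flag"] not in (0x00, 0x80):
            findings.append("entry %d has invalid boot flag 0x%02X" % (e["index"], e["flag"]))
    ordered = sorted(entries, key=lambda e: e["lba_start"])
    for a, b in zip(ordered, ordered[1:]):
        if b["lba_start"] < a["lba_end"]:
            findings.append("entries %d and %d overlap" % (a["index"], b["index"]))
        elif b["lba_start"] > a["lba_end"]:
            findings.append("%d unallocated sectors between entries %d and %d"
                            % (b["lba_start"] - a["lba_end"], a["index"], b["index"]))
    return findings


def format_like_aswmbr(entries):
    """Render entries in the shape of aswMBR's 'Disk 0 Partition' rows."""
    rows = []
    for e in entries:
        label = "-" if e["type"] in (0x05, 0x0F) else str(e["index"])
        rows.append("Partition %s %02X%s %02X %s %d MB offset %d" % (
            label, e["flag"], " (A)" if e["bootable"] else "", e["type"],
            e["type_name"], e["size_mb"], e["lba_start"]))
    return rows


if __name__ == "__main__":
    info = parse_mbr(build_sample_mbr())
    print("signature ok:", info["signature_ok"], " md5:", info["md5"])
    for row in format_like_aswmbr(info["entries"]):
        print(row)
    for finding in check_partition_table(info["entries"]):
        print("WARNING:", finding)
```

To decode a real saved sector, pass open("MBR.dat", "rb").read() to parse_mbr instead of the constructed one; the MD5 it returns can be compared with the hash the scanner log prints for \Device\Harddisk0\DR0. Note that the logical "Partition 2 ... offset 40965813" row in the log is described by the extended boot record at sector 40965750, not by the MBR, so it does not appear in MBR.dat at all.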


#8 nasdaq

nasdaq

  • Malware Response Team
  • 38,756 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:06:19 PM

Posted 06 October 2013 - 07:39 AM

Nothing suspicious on your logs.

yesterday I installed a program belonging to Menthor Graphics SDD and now i am encountering some errors, such as NSIS Error when i try to uninstall Revo Uninstaller, i get a runtime Error: "R6002 -floating point support not loaded"

This is what I found for the R6002 error:
http://msdn.microsoft.com/en-us/library/k1x26e0x.aspx
===

when i try to open Revo Uninstaller, a few unexpected processes when i start windows open such a 2* IEXPLORE.EXE.

Just delete the Revo program folder.
You may not be able to use that tool.

What were you trying to remove?
===

  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Under the Hidden files and folders heading select Show hidden files and folders.
  • Uncheck the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.

*/*

If present, delete the following files:

c:\documents and settings\Ferdole\Start Menu\Programs\Startup\hsrwnvxq.exe 181232 bytes executable
c:\documents and settings\Ferdole\Application Data\Yahoo!\Messenger\Shortcut\adelutza :*.lnk 1860 bytes hidden from API

Restart the computer normally to reset the registry.

If you do not have any other issues with this computer Enable the CD Emulators.
Otherwise let me know what the problems are.

#9 ferdole

ferdole
  • Topic Starter

  • Members
  • 30 posts
  • OFFLINE
  • Local time:12:19 AM

Posted 06 October 2013 - 08:36 AM

I didn't find the first file... but I managed to delete the Revo folder; it still didn't get rid of the 2* IEXPLORE.EXE processes that are shown in Task Manager...

Thank you anyway for your time :D



#10 nasdaq

nasdaq

  • Malware Response Team
  • 38,756 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:06:19 PM

Posted 06 October 2013 - 09:31 AM

Download Rootkit Unhooker and save it to your Desktop.

Close all open programs and browsers, then double-click RKUnhookerLE.exe to run it.
Vista/Windows 7 users right-click and select Run As Administrator.
  • Click the Report tab, then click Scan
  • Check Drivers, Stealth Code, Files, and Code Hooks
  • UNcheck the rest, then click OK
  • When prompted to Select Disks for Scan, make sure C:\ is checked and click OK
  • Wait until the scanner has finished then go File > Save Report
  • Save the report somewhere you can find it. Click Close
  • Copy the entire contents of the report and paste it in your next reply.

    Note: You may get the following warning---just ignore it, click OK and continue.
    Rootkit Unhooker has detected a parasite inside itself! It is recommended to remove parasite, okay?
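Rootkit Unhooker's report is plain text split into >Drivers, >Files and >Hooks sections; each hook line names the process, the hooked export, the hook type and address, and where the handler lives ([unknown_code_page] meaning memory the tool could not attribute to any loaded module). The Python script below is an added example for this thread (not RkUnhooker's code) that parses that format and produces the per-process summary a responder reads first. The report embedded in it is a constructed subset in the same line format as the one pasted in the next reply; the two grouping heuristics (the same export hooked at the same address in several processes points to one system-wide patch rather than a per-process oddity, and hidden files grouped by directory so a lone Startup entry is not lost among a quarantine folder's expected hidden files) are this example's own.

```python
"""Triage a Rootkit Unhooker (RkUnhooker) text report.

Added example, not part of this thread and not RkUnhooker's code.  Parses the
>Drivers, >Files and >Hooks sections and summarises the hooks per process.
SAMPLE_REPORT is a constructed subset in the report's line format.
"""
import re
from collections import defaultdict

SAMPLE_REPORT = r"""
RkUnhooker report generator v0.7
==============================================
>Drivers
Driver: C:\WINDOWS\system32\drivers\jhhhmd.sys
Address: 0xB85F4000
Size: 8192 bytes
Driver: giveio.sys
Address: 0xB8671000
Size: 4096 bytes
==============================================
>Files
Suspect File: C:\Documents and Settings\Ferdole\Start Menu\Programs\Startup\hsrwnvxq.exe Status: Hidden
Suspect File: C:\Qoobox\BackEnv\AppData.folder.dat Status: Hidden
==============================================
>Hooks
[1028]svchost.exe-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump at address 0x7C915CBB hook handler located in [unknown_code_page]
[1028]svchost.exe-->ws2_32.dll-->send, Type: Inline - RelativeJump at address 0x71AB428A hook handler located in [unknown_code_page]
[1464]cceotb.exe-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump at address 0x7C915CBB hook handler located in [unknown_code_page]
[1464]cceotb.exe-->ws2_32.dll-->send, Type: Inline - RelativeJump at address 0x71AB428A hook handler located in [unknown_code_page]
[1584]ctfmon.exe-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump at address 0x7C915CBB hook handler located in [unknown_code_page]
"""

HOOK_RE = re.compile(
    r"^\[(?P<pid>\d+)\](?P<proc>.+?)-->(?P<module>.+?)-->(?P<func>[^,]+), "
    r"Type: (?P<type>.+?) at address 0x(?P<addr>[0-9A-Fa-f]+) "
    r"hook handler located in \[(?P<handler>[^\]]+)\]$")
FILE_RE = re.compile(r"^Suspect File: (?P<path>.+?) Status: (?P<status>\S+)$")


def parse_report(text):
    """Split the report into its driver, suspect-file and hook records."""
    drivers, files, hooks, section, current = [], [], [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("="):
            continue
        if line.startswith(">"):            # section header such as '>Hooks'
            section = line[1:]
        elif section == "Drivers":
            if line.startswith("Driver: "):
                current = {"path": line[8:]}
                drivers.append(current)
            elif current and line.startswith("Address: "):
                current["address"] = int(line[9:], 16)
            elif current and line.startswith("Size: "):
                current["size"] = int(line[6:].split()[0])
        elif section == "Files" and FILE_RE.match(line):
            files.append(FILE_RE.match(line).groupdict())
        elif section == "Hooks" and HOOK_RE.match(line):
            h = HOOK_RE.match(line).groupdict()
            h["pid"], h["addr"] = int(h["pid"]), int(h["addr"], 16)
            hooks.append(h)
    return {"drivers": drivers, "files": files, "hooks": hooks}


def summarize_hooks(hooks):
    """Per process: hook count, hooked exports, and how many handlers sit in
    [unknown_code_page], i.e. memory the tool could not attribute to a module."""
    summary = {}
    for h in hooks:
        key = "%s[%d]" % (h["proc"], h["pid"])
        s = summary.setdefault(key, {"count": 0, "functions": [], "unknown_handler": 0})
        s["count"] += 1
        s["functions"].append("%s!%s" % (h["module"], h["func"]))
        if h["handler"] == "unknown_code_page":
            s["unknown_handler"] += 1
    for s in summary.values():
        s["functions"].sort()
    return summary


def shared_hook_addresses(hooks):
    """Hook sites patched at the same address in more than one process."""
    by_site = defaultdict(set)
    for h in hooks:
        by_site[(h["module"], h["func"], h["addr"])].add(h["pid"])
    return {site: pids for site, pids in by_site.items() if len(pids) > 1}


def hidden_files_by_dir(files):
    """Group hidden files by directory (C:\\Qoobox is ComboFix's backup folder,
    so its hidden entries are expected; a lone Startup entry is not)."""
    groups = defaultdict(list)
    for f in files:
        if f["status"] == "Hidden":
            directory, _, name = f["path"].rpartition("\\")
            groups[directory].append(name)
    return dict(groups)


if __name__ == "__main__":
    report = parse_report(SAMPLE_REPORT)
    for proc, s in summarize_hooks(report["hooks"]).items():
        print(proc, s["count"], "hooks,", s["unknown_handler"], "unattributed:", ", ".join(s["functions"]))
    for (mod, func, addr), pids in shared_hook_addresses(report["hooks"]).items():
        print("shared hook %s!%s at 0x%08X in pids %s" % (mod, func, addr, sorted(pids)))
    for directory, names in hidden_files_by_dir(report["files"]).items():
        print("hidden in %s: %s" % (directory, names))
```

To use it on a real report, replace SAMPLE_REPORT with the saved report's text. The >Drivers records are parsed but not judged: the tool lists many legitimate boot-start drivers without a path, so a missing path alone is not a signal.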


#11 ferdole

ferdole
  • Topic Starter

  • Members
  • 30 posts
  • OFFLINE
  • Local time:12:19 AM

Posted 06 October 2013 - 10:09 AM

I might not be able to reply until Friday...

Report:

RkUnhooker report generator v0.7
==============================================
Rootkit Unhooker kernel version: 3.7.300.505
==============================================
Windows Major Version: 5
Windows Minor Version: 1
Windows Build Number: 2600
==============================================
>Drivers
Driver: C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
Address: 0xB6CB4000
Size: 12558336 bytes
 
Driver: C:\WINDOWS\System32\nv4_disp.dll
Address: 0xBD053000
Size: 4497408 bytes
 
Driver: C:\WINDOWS\system32\drivers\ALCXWDM.SYS
Address: 0xB79B9000
Size: 3973120 bytes
 
Driver: C:\WINDOWS\system32\ntkrnlpa.exe
Address: 0x804D7000
Size: 2142208 bytes
 
Driver: PnpManager
Address: 0x804D7000
Size: 2142208 bytes
 
Driver: RAW
Address: 0x804D7000
Size: 2142208 bytes
 
Driver: WMIxWDM
Address: 0x804D7000
Size: 2142208 bytes
 
Driver: Win32k
Address: 0xBF800000
Size: 1851392 bytes
 
Driver: C:\WINDOWS\System32\win32k.sys
Address: 0xBF800000
Size: 1851392 bytes
 
Driver: Ntfs.sys
Address: 0xB7E36000
Size: 577536 bytes
 
Driver: C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
Address: 0xB2665000
Size: 454656 bytes
 
Driver: C:\WINDOWS\system32\DRIVERS\tcpip.sys
Address: 0xB2772000
Size: 360448 bytes
 
Driver: C:\WINDOWS\system32\DRIVERS\srv.sys
Address: 0xB118C000
Size: 356352 bytes
 
Driver: C:\WINDOWS\system32\DRIVERS\NVNRM.SYS
Address: 0xB7928000
Size: 303104 bytes
 
Driver: C:\WINDOWS\System32\ATMFD.DLL
Address: 0xBFFA0000
Size: 286720 bytes
 
Driver: C:\WINDOWS\System32\Drivers\HTTP.sys
Address: 0xACE33000
Size: 266240 bytes
 
Driver: C:\WINDOWS\System32\atkdisp.dll
Address: 0xBD012000
Size: 253952 bytes
 
Driver: C:\WINDOWS\system32\DRIVERS\dtsoftbus01.sys
Address: 0xB6B9A000
Size: 249856 bytes
 
Driver: C:\WINDOWS\system32\DRIVERS\NVSNPU.SYS
Address: 0xB78F1000
Size: 225280 bytes
 
Driver: C:\WINDOWS\system32\DRIVERS\update.sys
Address: 0xB6BD7000
Size: 212992 bytes
 
Driver: C:\WINDOWS\system32\DRIVERS\rdpdr.sys
Address: 0xB6C0B000
Size: 200704 bytes
 
Driver: ACPI.sys
Address: 0xB7F79000
Size: 188416 bytes
 
Driver: C:\WINDOWS\system32\DRIVERS\mrxdav.sys
Address: 0xB130E000
Size: 184320 bytes
 
Driver: NDIS.sys
Address: 0xB7E09000
Size: 184320 bytes
 
Driver: C:\WINDOWS\system32\DRIVERS\rdbss.sys
Address: 0xB26D4000
Size: 180224 bytes
 
Driver: C:\WINDOWS\system32\drivers\kmixer.sys
Address: 0xA9ABD000
Size: 172032 bytes
 
Driver: C:\WINDOWS\system32\DRIVERS\netbt.sys
Address: 0xB2722000
Size: 163840 bytes
 
Driver: dmio.sys
Address: 0xB7F23000
Size: 155648 bytes
 
Driver: C:\WINDOWS\system32\drivers\portcls.sys
Address: 0xB7995000
Size: 147456 bytes
 
Driver: C:\WINDOWS\system32\drivers\ks.sys
Address: 0xB7972000
Size: 143360 bytes
 
Driver: C:\WINDOWS\system32\DRIVERS\USBPORT.SYS
Address: 0xB7D83000
Size: 143360 bytes
 
Driver: C:\WINDOWS\System32\drivers\afd.sys
Address: 0xB2700000
Size: 139264 bytes
 
Driver: ACPI_HAL
Address: 0x806E2000
Size: 134400 bytes
 
Driver: C:\WINDOWS\system32\hal.dll
Address: 0x806E2000
Size: 134400 bytes
 
Driver: fltMgr.sys
Address: 0xB7EEC000
Size: 126976 bytes
 
Driver: ftdisk.sys
Address: 0xB7F49000
Size: 126976 bytes
 
Driver: Mup.sys
Address: 0xB7DEE000
Size: 110592 bytes
 
Driver: atapi.sys
Address: 0xB7F0B000
Size: 98304 bytes
 
Driver: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB264D000
Size: 98304 bytes
 
Driver: KSecDD.sys
Address: 0xB7EC3000
Size: 94208 bytes
 
Driver: C:\WINDOWS\system32\DRIVERS\ndiswan.sys
Address: 0xB6C75000
Size: 94208 bytes
 
Driver: C:\WINDOWS\system32\drivers\wdmaud.sys
Address: 0xB179A000
Size: 86016 bytes
 
Driver: C:\WINDOWS\system32\DRIVERS\parport.sys
Address: 0xB6C8C000
Size: 81920 bytes
 
Driver: C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS
Address: 0xB6CA0000
Size: 81920 bytes
 
Driver: C:\WINDOWS\system32\DRIVERS\ipsec.sys
Address: 0xB27CA000
Size: 77824 bytes
 
Driver: C:\WINDOWS\System32\Drivers\SENTINEL.SYS
Address: 0xB12D3000
Size: 77824 bytes
 
Driver: C:\WINDOWS\System32\drivers\dxg.sys
Address: 0xBD000000
Size: 73728 bytes
 
Driver: sr.sys
Address: 0xB7EDA000
Size: 73728 bytes
 
Driver: pci.sys
Address: 0xB7F68000
Size: 69632 bytes
 
Driver: C:\WINDOWS\system32\DRIVERS\psched.sys
Address: 0xB6C3C000
Size: 69632 bytes
 
Driver: C:\WINDOWS\system32\DRIVERS\serial.sys
Address: 0xB8318000
Size: 65536 bytes
 
Driver: C:\WINDOWS\system32\drivers\drmk.sys
Address: 0xB8308000
Size: 61440 bytes
 
Driver: C:\WINDOWS\system32\drivers\sysaudio.sys
Address: 0xB1AAF000
Size: 61440 bytes
 
Driver: C:\WINDOWS\system32\DRIVERS\usbhub.sys
Address: 0xB8198000
Size: 61440 bytes
 
Driver: C:\WINDOWS\system32\DRIVERS\AmdK8.sys
Address: 0xB82F8000
Size: 57344 bytes
 
Driver: C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS
Address: 0xB80E8000
Size: 53248 bytes
 
Driver: C:\WINDOWS\system32\DRIVERS\i8042prt.sys
Address: 0xB8128000
Size: 53248 bytes
 
Driver: C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
Address: 0xB8138000
Size: 53248 bytes
 
Driver: VolSnap.sys
Address: 0xB80C8000
Size: 53248 bytes
 
Driver: C:\WINDOWS\system32\DRIVERS\raspptp.sys
Address: 0xB8158000
Size: 49152 bytes
 
Driver: C:\WINDOWS\system32\drivers\SSIPDDP.SYS
Address: 0xB1ABF000
Size: 49152 bytes
 
Driver: MountMgr.sys
Address: 0xB80B8000
Size: 45056 bytes
 
Driver: C:\WINDOWS\system32\DRIVERS\raspppoe.sys
Address: 0xB8148000
Size: 45056 bytes
 
Driver: C:\WINDOWS\System32\Drivers\NDProxy.SYS
Address: 0xB8188000
Size: 40960 bytes
 
Driver: C:\WINDOWS\system32\DRIVERS\termdd.sys
Address: 0xB8178000
Size: 40960 bytes
 
Driver: C:\WINDOWS\system32\drivers\cpuz135_x32.sys
Address: 0xB1403000
Size: 36864 bytes
 
Driver: disk.sys
Address: 0xB80D8000
Size: 36864 bytes
 
Driver: C:\WINDOWS\System32\Drivers\Fips.SYS
Address: 0xB8258000
Size: 36864 bytes
 
Driver: C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
Address: 0xB170D000
Size: 36864 bytes
 
Driver: isapnp.sys
Address: 0xB80A8000
Size: 36864 bytes
 
Driver: C:\WINDOWS\system32\DRIVERS\msgpc.sys
Address: 0xB8168000
Size: 36864 bytes
 
Driver: C:\WINDOWS\system32\DRIVERS\netbios.sys
Address: 0xB8218000
Size: 36864 bytes
 
Driver: C:\WINDOWS\system32\DRIVERS\NVENETFD.sys
Address: 0xB81B8000
Size: 36864 bytes
 
Driver: C:\WINDOWS\system32\DRIVERS\wanarp.sys
Address: 0xB8208000
Size: 36864 bytes
 
Driver: C:\WINDOWS\System32\Drivers\Npfs.SYS
Address: 0xB8458000
Size: 32768 bytes
 
Driver: C:\WINDOWS\system32\DRIVERS\fdc.sys
Address: 0xB8410000
Size: 28672 bytes
 
Driver: C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS
Address: 0xB8328000
Size: 28672 bytes
 
Driver: C:\WINDOWS\system32\DRIVERS\usbehci.sys
Address: 0xB8408000
Size: 28672 bytes
 
Driver: C:\WINDOWS\system32\DRIVERS\kbdclass.sys
Address: 0xB8420000
Size: 24576 bytes
 
Driver: C:\WINDOWS\system32\DRIVERS\mouclass.sys
Address: 0xB8418000
Size: 24576 bytes
 
Driver: C:\WINDOWS\System32\Drivers\rkhdrv40.SYS
Address: 0xB83F0000
Size: 24576 bytes
 
Driver: C:\WINDOWS\System32\drivers\vga.sys
Address: 0xB8448000
Size: 24576 bytes
 
Driver: C:\WINDOWS\System32\Drivers\Msfs.SYS
Address: 0xB8450000
Size: 20480 bytes
 
Driver: PartMgr.sys
Address: 0xB8330000
Size: 20480 bytes
 
Driver: C:\WINDOWS\system32\DRIVERS\ptilink.sys
Address: 0xB8430000
Size: 20480 bytes
 
Driver: C:\WINDOWS\system32\DRIVERS\raspti.sys
Address: 0xB8438000
Size: 20480 bytes
 
Driver: speedfan.sys
Address: 0xB8338000
Size: 20480 bytes
 
Driver: C:\WINDOWS\system32\DRIVERS\TDI.SYS
Address: 0xB8428000
Size: 20480 bytes
 
Driver: C:\WINDOWS\system32\DRIVERS\usbohci.sys
Address: 0xB8400000
Size: 20480 bytes
 
Driver: C:\WINDOWS\System32\watchdog.sys
Address: 0xB8470000
Size: 20480 bytes
 
Driver: C:\WINDOWS\system32\drivers\asusgsb.sys
Address: 0xB8578000
Size: 16384 bytes
 
Driver: C:\WINDOWS\system32\DRIVERS\mssmbios.sys
Address: 0xB859C000
Size: 16384 bytes
 
Driver: C:\WINDOWS\system32\DRIVERS\nvnetbus.sys
Address: 0xB8568000
Size: 16384 bytes
 
Driver: C:\WINDOWS\system32\DRIVERS\serenum.sys
Address: 0xB856C000
Size: 16384 bytes
 
Driver: C:\WINDOWS\system32\drivers\atkkbnt.sys
Address: 0xB8570000
Size: 12288 bytes
 
Driver: C:\WINDOWS\system32\BOOTVID.dll
Address: 0xB84B8000
Size: 12288 bytes
 
Driver: C:\WINDOWS\System32\drivers\Dxapi.sys
Address: 0xB4A41000
Size: 12288 bytes
 
Driver: C:\WINDOWS\system32\drivers\EIO.sys
Address: 0xB6C5D000
Size: 12288 bytes
 
Driver: C:\WINDOWS\system32\DRIVERS\ndistapi.sys
Address: 0xB857C000
Size: 12288 bytes
 
Driver: C:\WINDOWS\system32\DRIVERS\rasacd.sys
Address: 0xB8560000
Size: 12288 bytes
 
Driver: C:\WINDOWS\System32\Drivers\Video3D32.sys
Address: 0xB8574000
Size: 12288 bytes
 
Driver: C:\WINDOWS\System32\drivers\ws2ifsl.sys
Address: 0xB6C61000
Size: 12288 bytes
 
Driver: C:\WINDOWS\system32\DRIVERS\ASACPI.sys
Address: 0xB85C4000
Size: 8192 bytes
 
Driver: C:\WINDOWS\System32\Drivers\Beep.SYS
Address: 0xB85CC000
Size: 8192 bytes
 
Driver: dmload.sys
Address: 0xB85AC000
Size: 8192 bytes
 
Driver: C:\WINDOWS\SYSTEM32\drivers\DS1410D.SYS
Address: 0xB85AE000
Size: 8192 bytes
 
Driver: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xB85D4000
Size: 8192 bytes
 
Driver: C:\WINDOWS\System32\Drivers\Fs_Rec.SYS
Address: 0xB85CA000
Size: 8192 bytes
 
Driver: C:\WINDOWS\system32\drivers\jhhhmd.sys
Address: 0xB85F4000
Size: 8192 bytes
 
Driver: C:\WINDOWS\system32\KDCOM.DLL
Address: 0xB85A8000
Size: 8192 bytes
 
Driver: C:\WINDOWS\System32\Drivers\mnmdd.SYS
Address: 0xB85CE000
Size: 8192 bytes
 
Driver: C:\WINDOWS\System32\Drivers\ParVdm.SYS
Address: 0xB85B0000
Size: 8192 bytes
 
Driver: C:\WINDOWS\System32\DRIVERS\RDPCDD.sys
Address: 0xB85D0000
Size: 8192 bytes
 
Driver: C:\WINDOWS\system32\DRIVERS\swenum.sys
Address: 0xB85C6000
Size: 8192 bytes
 
Driver: C:\WINDOWS\system32\DRIVERS\USBD.SYS
Address: 0xB85C8000
Size: 8192 bytes
 
Driver: C:\WINDOWS\system32\DRIVERS\WMILIB.SYS
Address: 0xB85AA000
Size: 8192 bytes
 
Driver: C:\WINDOWS\system32\drivers\AsIO.sys
Address: 0xB87B6000
Size: 4096 bytes
 
Driver: C:\WINDOWS\system32\DRIVERS\audstub.sys
Address: 0xB8686000
Size: 4096 bytes
 
Driver: C:\WINDOWS\System32\drivers\dxgthk.sys
Address: 0xB87FA000
Size: 4096 bytes
 
Driver: giveio.sys
Address: 0xB8671000
Size: 4096 bytes
 
Driver: C:\WINDOWS\System32\Drivers\Null.SYS
Address: 0xB87A0000
Size: 4096 bytes
 
Driver: pciide.sys
Address: 0xB8670000
Size: 4096 bytes
 
==============================================
>Stealth
==============================================
>Files
 
Suspect File: C:\Documents and Settings\Ferdole\Start Menu\Programs\Startup\hsrwnvxq.exe Status: Hidden
 
 
Suspect File: C:\Qoobox\BackEnv\AppData.folder.dat Status: Hidden
 
 
Suspect File: C:\Qoobox\BackEnv\Cache.folder.dat Status: Hidden
 
 
Suspect File: C:\Qoobox\BackEnv\Cookies.folder.dat Status: Hidden
 
 
Suspect File: C:\Qoobox\BackEnv\Desktop.folder.dat Status: Hidden
 
 
Suspect File: C:\Qoobox\BackEnv\Favorites.folder.dat Status: Hidden
 
 
Suspect File: C:\Qoobox\BackEnv\History.folder.dat Status: Hidden
 
 
Suspect File: C:\Qoobox\BackEnv\LocalAppData.folder.dat Status: Hidden
 
 
Suspect File: C:\Qoobox\BackEnv\LocalSettings.folder.dat Status: Hidden
 
 
Suspect File: C:\Qoobox\BackEnv\Music.folder.dat Status: Hidden
 
 
Suspect File: C:\Qoobox\BackEnv\NetHood.folder.dat Status: Hidden
 
 
Suspect File: C:\Qoobox\BackEnv\Personal.folder.dat Status: Hidden
 
 
Suspect File: C:\Qoobox\BackEnv\Pictures.folder.dat Status: Hidden
 
 
Suspect File: C:\Qoobox\BackEnv\PrintHood.folder.dat Status: Hidden
 
 
Suspect File: C:\Qoobox\BackEnv\Profiles.Folder.dat Status: Hidden
 
 
Suspect File: C:\Qoobox\BackEnv\Profiles.Folder.folder.dat Status: Hidden
 
 
Suspect File: C:\Qoobox\BackEnv\Programs.folder.dat Status: Hidden
 
 
Suspect File: C:\Qoobox\BackEnv\Recent.folder.dat Status: Hidden
 
 
Suspect File: C:\Qoobox\BackEnv\SendTo.folder.dat Status: Hidden
 
 
Suspect File: C:\Qoobox\BackEnv\SetPath.bat Status: Hidden
 
 
Suspect File: C:\Qoobox\BackEnv\StartMenu.folder.dat Status: Hidden
 
 
Suspect File: C:\Qoobox\BackEnv\StartUp.folder.dat Status: Hidden
 
 
Suspect File: C:\Qoobox\BackEnv\SysPath.dat Status: Hidden
 
 
Suspect File: C:\Qoobox\BackEnv\Templates.folder.dat Status: Hidden
 
 
Suspect File: C:\Qoobox\BackEnv\VikPev00 Status: Hidden
 
==============================================
>Hooks
 
[1028]svchost.exe-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump at address 0x7C915CBB hook handler located in [unknown_code_page]
[1028]svchost.exe-->ntdll.dll-->NtQueryDefaultUILanguage, Type: Inline - RelativeJump at address 0x7C90D76E hook handler located in [unknown_code_page]
[1028]svchost.exe-->ntdll.dll-->NtResumeProcess, Type: Inline - RelativeJump at address 0x7C90DB3E hook handler located in [unknown_code_page]
[1028]svchost.exe-->ws2_32.dll-->closesocket, Type: Inline - RelativeJump at address 0x71AB9639 hook handler located in [unknown_code_page]
[1028]svchost.exe-->ws2_32.dll-->recv, Type: Inline - RelativeJump at address 0x71AB615A hook handler located in [unknown_code_page]
[1028]svchost.exe-->ws2_32.dll-->recvfrom, Type: Inline - RelativeJump at address 0x71AB2D0F hook handler located in [unknown_code_page]
[1028]svchost.exe-->ws2_32.dll-->send, Type: Inline - RelativeJump at address 0x71AB428A hook handler located in [unknown_code_page]
[1028]svchost.exe-->ws2_32.dll-->sendto, Type: Inline - RelativeJump at address 0x71AB2C69 hook handler located in [unknown_code_page]
[1028]svchost.exe-->ws2_32.dll-->WSARecv, Type: Inline - RelativeJump at address 0x71AB4318 hook handler located in [unknown_code_page]
[1028]svchost.exe-->ws2_32.dll-->WSARecvFrom, Type: Inline - RelativeJump at address 0x71ABF652 hook handler located in [unknown_code_page]
[1028]svchost.exe-->ws2_32.dll-->WSASend, Type: Inline - RelativeJump at address 0x71AB6233 hook handler located in [unknown_code_page]
[1028]svchost.exe-->ws2_32.dll-->WSASendTo, Type: Inline - RelativeJump at address 0x71AC0A95 hook handler located in [unknown_code_page]
[1088]svchost.exe-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump at address 0x7C915CBB hook handler located in [unknown_code_page]
[1088]svchost.exe-->ntdll.dll-->NtQueryDefaultUILanguage, Type: Inline - RelativeJump at address 0x7C90D76E hook handler located in [unknown_code_page]
[1088]svchost.exe-->ntdll.dll-->NtResumeProcess, Type: Inline - RelativeJump at address 0x7C90DB3E hook handler located in [unknown_code_page]
[1108]svchost.exe-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump at address 0x7C915CBB hook handler located in [unknown_code_page]
[1108]svchost.exe-->ntdll.dll-->NtQueryDefaultUILanguage, Type: Inline - RelativeJump at address 0x7C90D76E hook handler located in [unknown_code_page]
[1108]svchost.exe-->ntdll.dll-->NtResumeProcess, Type: Inline - RelativeJump at address 0x7C90DB3E hook handler located in [unknown_code_page]
[1108]svchost.exe-->ws2_32.dll-->closesocket, Type: Inline - RelativeJump at address 0x71AB9639 hook handler located in [unknown_code_page]
[1108]svchost.exe-->ws2_32.dll-->recv, Type: Inline - RelativeJump at address 0x71AB615A hook handler located in [unknown_code_page]
[1108]svchost.exe-->ws2_32.dll-->recvfrom, Type: Inline - RelativeJump at address 0x71AB2D0F hook handler located in [unknown_code_page]
[1108]svchost.exe-->ws2_32.dll-->send, Type: Inline - RelativeJump at address 0x71AB428A hook handler located in [unknown_code_page]
[1108]svchost.exe-->ws2_32.dll-->sendto, Type: Inline - RelativeJump at address 0x71AB2C69 hook handler located in [unknown_code_page]
[1108]svchost.exe-->ws2_32.dll-->WSARecv, Type: Inline - RelativeJump at address 0x71AB4318 hook handler located in [unknown_code_page]
[1108]svchost.exe-->ws2_32.dll-->WSARecvFrom, Type: Inline - RelativeJump at address 0x71ABF652 hook handler located in [unknown_code_page]
[1108]svchost.exe-->ws2_32.dll-->WSASend, Type: Inline - RelativeJump at address 0x71AB6233 hook handler located in [unknown_code_page]
[1108]svchost.exe-->ws2_32.dll-->WSASendTo, Type: Inline - RelativeJump at address 0x71AC0A95 hook handler located in [unknown_code_page]
[1184]svchost.exe-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump at address 0x7C915CBB hook handler located in [unknown_code_page]
[1184]svchost.exe-->ntdll.dll-->NtQueryDefaultUILanguage, Type: Inline - RelativeJump at address 0x7C90D76E hook handler located in [unknown_code_page]
[1184]svchost.exe-->ntdll.dll-->NtResumeProcess, Type: Inline - RelativeJump at address 0x7C90DB3E hook handler located in [unknown_code_page]
[1184]svchost.exe-->ws2_32.dll-->closesocket, Type: Inline - RelativeJump at address 0x71AB9639 hook handler located in [unknown_code_page]
[1184]svchost.exe-->ws2_32.dll-->recv, Type: Inline - RelativeJump at address 0x71AB615A hook handler located in [unknown_code_page]
[1184]svchost.exe-->ws2_32.dll-->recvfrom, Type: Inline - RelativeJump at address 0x71AB2D0F hook handler located in [unknown_code_page]
[1184]svchost.exe-->ws2_32.dll-->send, Type: Inline - RelativeJump at address 0x71AB428A hook handler located in [unknown_code_page]
[1184]svchost.exe-->ws2_32.dll-->sendto, Type: Inline - RelativeJump at address 0x71AB2C69 hook handler located in [unknown_code_page]
[1184]svchost.exe-->ws2_32.dll-->WSARecv, Type: Inline - RelativeJump at address 0x71AB4318 hook handler located in [unknown_code_page]
[1184]svchost.exe-->ws2_32.dll-->WSARecvFrom, Type: Inline - RelativeJump at address 0x71ABF652 hook handler located in [unknown_code_page]
[1184]svchost.exe-->ws2_32.dll-->WSASend, Type: Inline - RelativeJump at address 0x71AB6233 hook handler located in [unknown_code_page]
[1184]svchost.exe-->ws2_32.dll-->WSASendTo, Type: Inline - RelativeJump at address 0x71AC0A95 hook handler located in [unknown_code_page]
[1240]spoolsv.exe-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump at address 0x7C915CBB hook handler located in [unknown_code_page]
[1240]spoolsv.exe-->ntdll.dll-->NtQueryDefaultUILanguage, Type: Inline - RelativeJump at address 0x7C90D76E hook handler located in [unknown_code_page]
[1240]spoolsv.exe-->ntdll.dll-->NtResumeProcess, Type: Inline - RelativeJump at address 0x7C90DB3E hook handler located in [unknown_code_page]
[1464]cceotb.exe-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump at address 0x7C915CBB hook handler located in [unknown_code_page]
[1464]cceotb.exe-->ntdll.dll-->NtQueryDefaultUILanguage, Type: Inline - RelativeJump at address 0x7C90D76E hook handler located in [unknown_code_page]
[1464]cceotb.exe-->ntdll.dll-->NtResumeProcess, Type: Inline - RelativeJump at address 0x7C90DB3E hook handler located in [unknown_code_page]
[1464]cceotb.exe-->ws2_32.dll-->closesocket, Type: Inline - RelativeJump at address 0x71AB9639 hook handler located in [unknown_code_page]
[1464]cceotb.exe-->ws2_32.dll-->recv, Type: Inline - RelativeJump at address 0x71AB615A hook handler located in [unknown_code_page]
[1464]cceotb.exe-->ws2_32.dll-->recvfrom, Type: Inline - RelativeJump at address 0x71AB2D0F hook handler located in [unknown_code_page]
[1464]cceotb.exe-->ws2_32.dll-->send, Type: Inline - RelativeJump at address 0x71AB428A hook handler located in [unknown_code_page]
[1464]cceotb.exe-->ws2_32.dll-->sendto, Type: Inline - RelativeJump at address 0x71AB2C69 hook handler located in [unknown_code_page]
[1464]cceotb.exe-->ws2_32.dll-->WSARecv, Type: Inline - RelativeJump at address 0x71AB4318 hook handler located in [unknown_code_page]
[1464]cceotb.exe-->ws2_32.dll-->WSARecvFrom, Type: Inline - RelativeJump at address 0x71ABF652 hook handler located in [unknown_code_page]
[1464]cceotb.exe-->ws2_32.dll-->WSASend, Type: Inline - RelativeJump at address 0x71AB6233 hook handler located in [unknown_code_page]
[1464]cceotb.exe-->ws2_32.dll-->WSASendTo, Type: Inline - RelativeJump at address 0x71AC0A95 hook handler located in [unknown_code_page]
[1584]ctfmon.exe-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump at address 0x7C915CBB hook handler located in [unknown_code_page]
[1584]ctfmon.exe-->ntdll.dll-->NtQueryDefaultUILanguage, Type: Inline - RelativeJump at address 0x7C90D76E hook handler located in [unknown_code_page]
[1584]ctfmon.exe-->ntdll.dll-->NtResumeProcess, Type: Inline - RelativeJump at address 0x7C90DB3E hook handler located in [unknown_code_page]
[1584]ctfmon.exe-->ws2_32.dll-->closesocket, Type: Inline - RelativeJump at address 0x71AB9639 hook handler located in [unknown_code_page]
[1584]ctfmon.exe-->ws2_32.dll-->recv, Type: Inline - RelativeJump at address 0x71AB615A hook handler located in [unknown_code_page]
[1584]ctfmon.exe-->ws2_32.dll-->recvfrom, Type: Inline - RelativeJump at address 0x71AB2D0F hook handler located in [unknown_code_page]
[1584]ctfmon.exe-->ws2_32.dll-->send, Type: Inline - RelativeJump at address 0x71AB428A hook handler located in [unknown_code_page]
[1584]ctfmon.exe-->ws2_32.dll-->sendto, Type: Inline - RelativeJump at address 0x71AB2C69 hook handler located in [unknown_code_page]
[1584]ctfmon.exe-->ws2_32.dll-->WSARecv, Type: Inline - RelativeJump at address 0x71AB4318 hook handler located in [unknown_code_page]
[1584]ctfmon.exe-->ws2_32.dll-->WSARecvFrom, Type: Inline - RelativeJump at address 0x71ABF652 hook handler located in [unknown_code_page]
[1584]ctfmon.exe-->ws2_32.dll-->WSASend, Type: Inline - RelativeJump at address 0x71AB6233 hook handler located in [unknown_code_page]
[1584]ctfmon.exe-->ws2_32.dll-->WSASendTo, Type: Inline - RelativeJump at address 0x71AC0A95 hook handler located in [unknown_code_page]
[1732]GoogleCrashHandler.exe-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump at address 0x7C915CBB hook handler located in [unknown_code_page]
[1732]GoogleCrashHandler.exe-->ntdll.dll-->NtQueryDefaultUILanguage, Type: Inline - RelativeJump at address 0x7C90D76E hook handler located in [unknown_code_page]
[1732]GoogleCrashHandler.exe-->ntdll.dll-->NtResumeProcess, Type: Inline - RelativeJump at address 0x7C90DB3E hook handler located in [unknown_code_page]
[1876]IEXPLORE.EXE-->kernel32.dll-->GetProcAddress, Type: IAT modification at address 0x00401030 hook handler located in [shimeng.dll]
[1876]IEXPLORE.EXE-->kernel32.dll-->LoadLibraryA, Type: IAT modification at address 0x00401034 hook handler located in [aclayers.dll]
[1884]IEXPLORE.EXE-->kernel32.dll-->GetProcAddress, Type: IAT modification at address 0x00401030 hook handler located in [shimeng.dll]
[1884]IEXPLORE.EXE-->kernel32.dll-->LoadLibraryA, Type: IAT modification at address 0x00401034 hook handler located in [aclayers.dll]
[1884]IEXPLORE.EXE-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump at address 0x7C915CBB hook handler located in [unknown_code_page]
[1884]IEXPLORE.EXE-->ntdll.dll-->NtQueryDefaultUILanguage, Type: Inline - RelativeJump at address 0x7C90D76E hook handler located in [unknown_code_page]
[1884]IEXPLORE.EXE-->ntdll.dll-->NtResumeProcess, Type: Inline - RelativeJump at address 0x7C90DB3E hook handler located in [unknown_code_page]
[2052]notepad.exe-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump at address 0x7C915CBB hook handler located in [unknown_code_page]
[2052]notepad.exe-->ntdll.dll-->NtQueryDefaultUILanguage, Type: Inline - RelativeJump at address 0x7C90D76E hook handler located in [unknown_code_page]
[2052]notepad.exe-->ntdll.dll-->NtResumeProcess, Type: Inline - RelativeJump at address 0x7C90DB3E hook handler located in [unknown_code_page]
[2344]explorer.exe-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump at address 0x7C915CBB hook handler located in [unknown_code_page]
[2344]explorer.exe-->ntdll.dll-->NtQueryDefaultUILanguage, Type: Inline - RelativeJump at address 0x7C90D76E hook handler located in [unknown_code_page]
[2344]explorer.exe-->ntdll.dll-->NtResumeProcess, Type: Inline - RelativeJump at address 0x7C90DB3E hook handler located in [unknown_code_page]
[3176]speedfan.exe-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump at address 0x7C915CBB hook handler located in [unknown_code_page]
[3176]speedfan.exe-->ntdll.dll-->NtQueryDefaultUILanguage, Type: Inline - RelativeJump at address 0x7C90D76E hook handler located in [unknown_code_page]
[3176]speedfan.exe-->ntdll.dll-->NtResumeProcess, Type: Inline - RelativeJump at address 0x7C90DB3E hook handler located in [unknown_code_page]
[3176]speedfan.exe-->ws2_32.dll-->closesocket, Type: Inline - RelativeJump at address 0x71AB9639 hook handler located in [unknown_code_page]
[3176]speedfan.exe-->ws2_32.dll-->recv, Type: Inline - RelativeJump at address 0x71AB615A hook handler located in [unknown_code_page]
[3176]speedfan.exe-->ws2_32.dll-->recvfrom, Type: Inline - RelativeJump at address 0x71AB2D0F hook handler located in [unknown_code_page]
[3176]speedfan.exe-->ws2_32.dll-->send, Type: Inline - RelativeJump at address 0x71AB428A hook handler located in [unknown_code_page]
[3176]speedfan.exe-->ws2_32.dll-->sendto, Type: Inline - RelativeJump at address 0x71AB2C69 hook handler located in [unknown_code_page]
[3176]speedfan.exe-->ws2_32.dll-->WSARecv, Type: Inline - RelativeJump at address 0x71AB4318 hook handler located in [unknown_code_page]
[3176]speedfan.exe-->ws2_32.dll-->WSARecvFrom, Type: Inline - RelativeJump at address 0x71ABF652 hook handler located in [unknown_code_page]
[3176]speedfan.exe-->ws2_32.dll-->WSASend, Type: Inline - RelativeJump at address 0x71AB6233 hook handler located in [unknown_code_page]
[3176]speedfan.exe-->ws2_32.dll-->WSASendTo, Type: Inline - RelativeJump at address 0x71AC0A95 hook handler located in [unknown_code_page]
[3372]jewk.exe-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump at address 0x7C915CBB hook handler located in [unknown_code_page]
[3372]jewk.exe-->ntdll.dll-->NtQueryDefaultUILanguage, Type: Inline - RelativeJump at address 0x7C90D76E hook handler located in [unknown_code_page]
[3372]jewk.exe-->ntdll.dll-->NtResumeProcess, Type: Inline - RelativeJump at address 0x7C90DB3E hook handler located in [unknown_code_page]
[3372]jewk.exe-->ws2_32.dll-->closesocket, Type: Inline - RelativeJump at address 0x71AB9639 hook handler located in [unknown_code_page]
[3372]jewk.exe-->ws2_32.dll-->recv, Type: Inline - RelativeJump at address 0x71AB615A hook handler located in [unknown_code_page]
[3372]jewk.exe-->ws2_32.dll-->recvfrom, Type: Inline - RelativeJump at address 0x71AB2D0F hook handler located in [unknown_code_page]
[3372]jewk.exe-->ws2_32.dll-->send, Type: Inline - RelativeJump at address 0x71AB428A hook handler located in [unknown_code_page]
[3372]jewk.exe-->ws2_32.dll-->sendto, Type: Inline - RelativeJump at address 0x71AB2C69 hook handler located in [unknown_code_page]
[3372]jewk.exe-->ws2_32.dll-->WSARecv, Type: Inline - RelativeJump at address 0x71AB4318 hook handler located in [unknown_code_page]
[3372]jewk.exe-->ws2_32.dll-->WSARecvFrom, Type: Inline - RelativeJump at address 0x71ABF652 hook handler located in [unknown_code_page]
[3372]jewk.exe-->ws2_32.dll-->WSASend, Type: Inline - RelativeJump at address 0x71AB6233 hook handler located in [unknown_code_page]
[3372]jewk.exe-->ws2_32.dll-->WSASendTo, Type: Inline - RelativeJump at address 0x71AC0A95 hook handler located in [unknown_code_page]
[400]svchost.exe-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump at address 0x7C915CBB hook handler located in [unknown_code_page]
[400]svchost.exe-->ntdll.dll-->NtQueryDefaultUILanguage, Type: Inline - RelativeJump at address 0x7C90D76E hook handler located in [unknown_code_page]
[400]svchost.exe-->ntdll.dll-->NtResumeProcess, Type: Inline - RelativeJump at address 0x7C90DB3E hook handler located in [unknown_code_page]
[452]ATKKBService.exe-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump at address 0x7C915CBB hook handler located in [unknown_code_page]
[452]ATKKBService.exe-->ntdll.dll-->NtQueryDefaultUILanguage, Type: Inline - RelativeJump at address 0x7C90D76E hook handler located in [unknown_code_page]
[452]ATKKBService.exe-->ntdll.dll-->NtResumeProcess, Type: Inline - RelativeJump at address 0x7C90DB3E hook handler located in [unknown_code_page]
[472]mDNSResponder.exe-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump at address 0x7C915CBB hook handler located in [unknown_code_page]
[472]mDNSResponder.exe-->ntdll.dll-->NtQueryDefaultUILanguage, Type: Inline - RelativeJump at address 0x7C90D76E hook handler located in [unknown_code_page]
[472]mDNSResponder.exe-->ntdll.dll-->NtResumeProcess, Type: Inline - RelativeJump at address 0x7C90DB3E hook handler located in [unknown_code_page]
[472]mDNSResponder.exe-->ws2_32.dll-->closesocket, Type: Inline - RelativeJump at address 0x71AB9639 hook handler located in [unknown_code_page]
[472]mDNSResponder.exe-->ws2_32.dll-->recv, Type: Inline - RelativeJump at address 0x71AB615A hook handler located in [unknown_code_page]
[472]mDNSResponder.exe-->ws2_32.dll-->recvfrom, Type: Inline - RelativeJump at address 0x71AB2D0F hook handler located in [unknown_code_page]
[472]mDNSResponder.exe-->ws2_32.dll-->send, Type: Inline - RelativeJump at address 0x71AB428A hook handler located in [unknown_code_page]
[472]mDNSResponder.exe-->ws2_32.dll-->sendto, Type: Inline - RelativeJump at address 0x71AB2C69 hook handler located in [unknown_code_page]
[472]mDNSResponder.exe-->ws2_32.dll-->WSARecv, Type: Inline - RelativeJump at address 0x71AB4318 hook handler located in [unknown_code_page]
[472]mDNSResponder.exe-->ws2_32.dll-->WSARecvFrom, Type: Inline - RelativeJump at address 0x71ABF652 hook handler located in [unknown_code_page]
[472]mDNSResponder.exe-->ws2_32.dll-->WSASend, Type: Inline - RelativeJump at address 0x71AB6233 hook handler located in [unknown_code_page]
[472]mDNSResponder.exe-->ws2_32.dll-->WSASendTo, Type: Inline - RelativeJump at address 0x71AC0A95 hook handler located in [unknown_code_page]
[616]csrss.exe-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump at address 0x7C915CBB hook handler located in [unknown_code_page]
[616]csrss.exe-->ntdll.dll-->NtQueryDefaultUILanguage, Type: Inline - RelativeJump at address 0x7C90D76E hook handler located in [unknown_code_page]
[616]csrss.exe-->ntdll.dll-->NtResumeProcess, Type: Inline - RelativeJump at address 0x7C90DB3E hook handler located in [unknown_code_page]
[632]nvsvc32.exe-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump at address 0x7C915CBB hook handler located in [unknown_code_page]
[632]nvsvc32.exe-->ntdll.dll-->NtQueryDefaultUILanguage, Type: Inline - RelativeJump at address 0x7C90D76E hook handler located in [unknown_code_page]
[632]nvsvc32.exe-->ntdll.dll-->NtResumeProcess, Type: Inline - RelativeJump at address 0x7C90DB3E hook handler located in [unknown_code_page]
[652]winlogon.exe-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump at address 0x7C915CBB hook handler located in [unknown_code_page]
[652]winlogon.exe-->ntdll.dll-->NtQueryDefaultUILanguage, Type: Inline - RelativeJump at address 0x7C90D76E hook handler located in [unknown_code_page]
[652]winlogon.exe-->ntdll.dll-->NtResumeProcess, Type: Inline - RelativeJump at address 0x7C90DB3E hook handler located in [unknown_code_page]
[652]winlogon.exe-->ws2_32.dll-->closesocket, Type: Inline - RelativeJump at address 0x71AB9639 hook handler located in [unknown_code_page]
[652]winlogon.exe-->ws2_32.dll-->recv, Type: Inline - RelativeJump at address 0x71AB615A hook handler located in [unknown_code_page]
[652]winlogon.exe-->ws2_32.dll-->recvfrom, Type: Inline - RelativeJump at address 0x71AB2D0F hook handler located in [unknown_code_page]
[652]winlogon.exe-->ws2_32.dll-->send, Type: Inline - RelativeJump at address 0x71AB428A hook handler located in [unknown_code_page]
[652]winlogon.exe-->ws2_32.dll-->sendto, Type: Inline - RelativeJump at address 0x71AB2C69 hook handler located in [unknown_code_page]
[652]winlogon.exe-->ws2_32.dll-->WSARecv, Type: Inline - RelativeJump at address 0x71AB4318 hook handler located in [unknown_code_page]
[652]winlogon.exe-->ws2_32.dll-->WSARecvFrom, Type: Inline - RelativeJump at address 0x71ABF652 hook handler located in [unknown_code_page]
[652]winlogon.exe-->ws2_32.dll-->WSASend, Type: Inline - RelativeJump at address 0x71AB6233 hook handler located in [unknown_code_page]
[652]winlogon.exe-->ws2_32.dll-->WSASendTo, Type: Inline - RelativeJump at address 0x71AC0A95 hook handler located in [unknown_code_page]
[696]services.exe-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump at address 0x7C915CBB hook handler located in [unknown_code_page]
[696]services.exe-->ntdll.dll-->NtQueryDefaultUILanguage, Type: Inline - RelativeJump at address 0x7C90D76E hook handler located in [unknown_code_page]
[696]services.exe-->ntdll.dll-->NtResumeProcess, Type: Inline - RelativeJump at address 0x7C90DB3E hook handler located in [unknown_code_page]
[696]services.exe-->ws2_32.dll-->closesocket, Type: Inline - RelativeJump at address 0x71AB9639 hook handler located in [unknown_code_page]
[696]services.exe-->ws2_32.dll-->recv, Type: Inline - RelativeJump at address 0x71AB615A hook handler located in [unknown_code_page]
[696]services.exe-->ws2_32.dll-->recvfrom, Type: Inline - RelativeJump at address 0x71AB2D0F hook handler located in [unknown_code_page]
[696]services.exe-->ws2_32.dll-->send, Type: Inline - RelativeJump at address 0x71AB428A hook handler located in [unknown_code_page]
[696]services.exe-->ws2_32.dll-->sendto, Type: Inline - RelativeJump at address 0x71AB2C69 hook handler located in [unknown_code_page]
[696]services.exe-->ws2_32.dll-->WSARecv, Type: Inline - RelativeJump at address 0x71AB4318 hook handler located in [unknown_code_page]
[696]services.exe-->ws2_32.dll-->WSARecvFrom, Type: Inline - RelativeJump at address 0x71ABF652 hook handler located in [unknown_code_page]
[696]services.exe-->ws2_32.dll-->WSASend, Type: Inline - RelativeJump at address 0x71AB6233 hook handler located in [unknown_code_page]
[696]services.exe-->ws2_32.dll-->WSASendTo, Type: Inline - RelativeJump at address 0x71AC0A95 hook handler located in [unknown_code_page]
[708]lsass.exe-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump at address 0x7C915CBB hook handler located in [unknown_code_page]
[708]lsass.exe-->ntdll.dll-->NtQueryDefaultUILanguage, Type: Inline - RelativeJump at address 0x7C90D76E hook handler located in [unknown_code_page]
[708]lsass.exe-->ntdll.dll-->NtResumeProcess, Type: Inline - RelativeJump at address 0x7C90DB3E hook handler located in [unknown_code_page]
[708]lsass.exe-->ws2_32.dll-->closesocket, Type: Inline - RelativeJump at address 0x71AB9639 hook handler located in [unknown_code_page]
[708]lsass.exe-->ws2_32.dll-->recv, Type: Inline - RelativeJump at address 0x71AB615A hook handler located in [unknown_code_page]
[708]lsass.exe-->ws2_32.dll-->recvfrom, Type: Inline - RelativeJump at address 0x71AB2D0F hook handler located in [unknown_code_page]
[708]lsass.exe-->ws2_32.dll-->send, Type: Inline - RelativeJump at address 0x71AB428A hook handler located in [unknown_code_page]
[708]lsass.exe-->ws2_32.dll-->sendto, Type: Inline - RelativeJump at address 0x71AB2C69 hook handler located in [unknown_code_page]
[708]lsass.exe-->ws2_32.dll-->WSARecv, Type: Inline - RelativeJump at address 0x71AB4318 hook handler located in [unknown_code_page]
[708]lsass.exe-->ws2_32.dll-->WSARecvFrom, Type: Inline - RelativeJump at address 0x71ABF652 hook handler located in [unknown_code_page]
[708]lsass.exe-->ws2_32.dll-->WSASend, Type: Inline - RelativeJump at address 0x71AB6233 hook handler located in [unknown_code_page]
[708]lsass.exe-->ws2_32.dll-->WSASendTo, Type: Inline - RelativeJump at address 0x71AC0A95 hook handler located in [unknown_code_page]
[884]svchost.exe-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump at address 0x7C915CBB hook handler located in [unknown_code_page]
[884]svchost.exe-->ntdll.dll-->NtQueryDefaultUILanguage, Type: Inline - RelativeJump at address 0x7C90D76E hook handler located in [unknown_code_page]
[884]svchost.exe-->ntdll.dll-->NtResumeProcess, Type: Inline - RelativeJump at address 0x7C90DB3E hook handler located in [unknown_code_page]
[884]svchost.exe-->ws2_32.dll-->closesocket, Type: Inline - RelativeJump at address 0x71AB9639 hook handler located in [unknown_code_page]
[884]svchost.exe-->ws2_32.dll-->recv, Type: Inline - RelativeJump at address 0x71AB615A hook handler located in [unknown_code_page]
[884]svchost.exe-->ws2_32.dll-->recvfrom, Type: Inline - RelativeJump at address 0x71AB2D0F hook handler located in [unknown_code_page]
[884]svchost.exe-->ws2_32.dll-->send, Type: Inline - RelativeJump at address 0x71AB428A hook handler located in [unknown_code_page]
[884]svchost.exe-->ws2_32.dll-->sendto, Type: Inline - RelativeJump at address 0x71AB2C69 hook handler located in [unknown_code_page]
[884]svchost.exe-->ws2_32.dll-->WSARecv, Type: Inline - RelativeJump at address 0x71AB4318 hook handler located in [unknown_code_page]
[884]svchost.exe-->ws2_32.dll-->WSARecvFrom, Type: Inline - RelativeJump at address 0x71ABF652 hook handler located in [unknown_code_page]
[884]svchost.exe-->ws2_32.dll-->WSASend, Type: Inline - RelativeJump at address 0x71AB6233 hook handler located in [unknown_code_page]
[884]svchost.exe-->ws2_32.dll-->WSASendTo, Type: Inline - RelativeJump at address 0x71AC0A95 hook handler located in [unknown_code_page]
[932]svchost.exe-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump at address 0x7C915CBB hook handler located in [unknown_code_page]
[932]svchost.exe-->ntdll.dll-->NtQueryDefaultUILanguage, Type: Inline - RelativeJump at address 0x7C90D76E hook handler located in [unknown_code_page]
[932]svchost.exe-->ntdll.dll-->NtResumeProcess, Type: Inline - RelativeJump at address 0x7C90DB3E hook handler located in [unknown_code_page]
[932]svchost.exe-->ws2_32.dll-->closesocket, Type: Inline - RelativeJump at address 0x71AB9639 hook handler located in [unknown_code_page]
[932]svchost.exe-->ws2_32.dll-->recv, Type: Inline - RelativeJump at address 0x71AB615A hook handler located in [unknown_code_page]
[932]svchost.exe-->ws2_32.dll-->recvfrom, Type: Inline - RelativeJump at address 0x71AB2D0F hook handler located in [unknown_code_page]
[932]svchost.exe-->ws2_32.dll-->send, Type: Inline - RelativeJump at address 0x71AB428A hook handler located in [unknown_code_page]
[932]svchost.exe-->ws2_32.dll-->sendto, Type: Inline - RelativeJump at address 0x71AB2C69 hook handler located in [unknown_code_page]
[932]svchost.exe-->ws2_32.dll-->WSARecv, Type: Inline - RelativeJump at address 0x71AB4318 hook handler located in [unknown_code_page]
[932]svchost.exe-->ws2_32.dll-->WSARecvFrom, Type: Inline - RelativeJump at address 0x71ABF652 hook handler located in [unknown_code_page]
[932]svchost.exe-->ws2_32.dll-->WSASend, Type: Inline - RelativeJump at address 0x71AB6233 hook handler located in [unknown_code_page]
[932]svchost.exe-->ws2_32.dll-->WSASendTo, Type: Inline - RelativeJump at address 0x71AC0A95 hook handler located in [unknown_code_page]
[968]daemonu.exe-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump at address 0x7C915CBB hook handler located in [unknown_code_page]
[968]daemonu.exe-->ntdll.dll-->NtQueryDefaultUILanguage, Type: Inline - RelativeJump at address 0x7C90D76E hook handler located in [unknown_code_page]
[968]daemonu.exe-->ntdll.dll-->NtResumeProcess, Type: Inline - RelativeJump at address 0x7C90DB3E hook handler located in [unknown_code_page]
[968]daemonu.exe-->ws2_32.dll-->closesocket, Type: Inline - RelativeJump at address 0x71AB9639 hook handler located in [unknown_code_page]
[968]daemonu.exe-->ws2_32.dll-->recv, Type: Inline - RelativeJump at address 0x71AB615A hook handler located in [unknown_code_page]
[968]daemonu.exe-->ws2_32.dll-->recvfrom, Type: Inline - RelativeJump at address 0x71AB2D0F hook handler located in [unknown_code_page]
[968]daemonu.exe-->ws2_32.dll-->send, Type: Inline - RelativeJump at address 0x71AB428A hook handler located in [unknown_code_page]
[968]daemonu.exe-->ws2_32.dll-->sendto, Type: Inline - RelativeJump at address 0x71AB2C69 hook handler located in [unknown_code_page]
[968]daemonu.exe-->ws2_32.dll-->WSARecv, Type: Inline - RelativeJump at address 0x71AB4318 hook handler located in [unknown_code_page]
[968]daemonu.exe-->ws2_32.dll-->WSARecvFrom, Type: Inline - RelativeJump at address 0x71ABF652 hook handler located in [unknown_code_page]
[968]daemonu.exe-->ws2_32.dll-->WSASend, Type: Inline - RelativeJump at address 0x71AB6233 hook handler located in [unknown_code_page]
[968]daemonu.exe-->ws2_32.dll-->WSASendTo, Type: Inline - RelativeJump at address 0x71AC0A95 hook handler located in [unknown_code_page]

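As an added illustration (not part of this thread and not code from any tool the helpers name), a small Python triage script for hook listings in the format posted above: it separates inline hooks whose handler sits in no loaded module from the IAT hooks that the Windows Application Compatibility shim engine (shimeng.dll, aclayers.dll) installs, and shows which hooked addresses recur across processes. The line format and the sample lines are copied from the log above; the classification rules are the example's own assumptions.

```python
import re
from collections import defaultdict

# One hook line in the format of the scan log above (assumed stable):
# [pid]process-->module-->function, Type: <kind> at address 0x... hook handler located in [handler]
HOOK_RE = re.compile(
    r"^\[(?P<pid>\d+)\](?P<proc>.+?)-->(?P<module>.+?)-->(?P<func>[^,]+), "
    r"Type: (?P<type>.+?) at address (?P<addr>0x[0-9A-Fa-f]+) "
    r"hook handler located in \[(?P<handler>[^\]]+)\]$"
)

# Handlers that belong to the Windows Application Compatibility shim engine;
# IAT hooks on GetProcAddress/LoadLibraryA that land there are expected.
SHIM_ENGINE_MODULES = {"shimeng.dll", "aclayers.dll"}

# Constructed sample: a handful of lines copied from the log above.
SAMPLE_LOG = """\
[652]winlogon.exe-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump at address 0x7C915CBB hook handler located in [unknown_code_page]
[652]winlogon.exe-->ws2_32.dll-->send, Type: Inline - RelativeJump at address 0x71AB428A hook handler located in [unknown_code_page]
[696]services.exe-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump at address 0x7C915CBB hook handler located in [unknown_code_page]
[1876]IEXPLORE.EXE-->kernel32.dll-->GetProcAddress, Type: IAT modification at address 0x00401030 hook handler located in [shimeng.dll]
[1876]IEXPLORE.EXE-->kernel32.dll-->LoadLibraryA, Type: IAT modification at address 0x00401034 hook handler located in [aclayers.dll]
[3372]jewk.exe-->ntdll.dll-->NtResumeProcess, Type: Inline - RelativeJump at address 0x7C90DB3E hook handler located in [unknown_code_page]
"""


def parse_hook(line):
    """Parse one hook line into a dict, or return None for non-matching lines."""
    m = HOOK_RE.match(line.strip())
    if not m:
        return None
    hook = m.groupdict()
    hook["pid"] = int(hook["pid"])
    return hook


def classify(hook):
    """'suspicious' when no loaded module owns the handler, 'expected' for
    shim-engine IAT hooks, 'review' for anything else (assumed rules)."""
    handler = hook["handler"].lower()
    if handler == "unknown_code_page":
        return "suspicious"
    if handler in SHIM_ENGINE_MODULES and hook["type"].startswith("IAT"):
        return "expected"
    return "review"


def parse_log(text):
    """All parseable hook lines of a log, in order."""
    return [h for h in (parse_hook(l) for l in text.splitlines()) if h]


def triage_by_process(text):
    """Group hooks per (pid, process) into suspicious/expected/review lists."""
    report = defaultdict(lambda: {"suspicious": [], "expected": [], "review": []})
    for h in parse_log(text):
        desc = f'{h["module"]}!{h["func"]} @ {h["addr"]} -> {h["handler"]}'
        report[(h["pid"], h["proc"])][classify(h)].append(desc)
    return dict(report)


def shared_hook_sites(text):
    """Map each suspicious (module, function, address) to the processes it
    appears in. XP loads system DLLs at the same base in every process, so
    one patched address recurring across many processes points at a hooking
    component injected system-wide rather than something local to one program."""
    sites = defaultdict(set)
    for h in parse_log(text):
        if classify(h) == "suspicious":
            sites[(h["module"], h["func"], h["addr"])].add(h["proc"])
    return dict(sites)


def handler_counts(text):
    """How many hooks each handler location accounts for."""
    counts = defaultdict(int)
    for h in parse_log(text):
        counts[h["handler"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for (pid, proc), buckets in sorted(triage_by_process(SAMPLE_LOG).items()):
        print(f"[{pid}] {proc}: {len(buckets['suspicious'])} suspicious, "
              f"{len(buckets['expected'])} expected, {len(buckets['review'])} to review")
    for (module, func, addr), procs in shared_hook_sites(SAMPLE_LOG).items():
        print(f"{module}!{func} @ {addr} seen in {len(procs)} process(es)")
```

Feed it the full listing above instead of SAMPLE_LOG to see that every ntdll.dll and ws2_32.dll hook site recurs across nearly every process while only the two IEXPLORE.EXE IAT entries resolve to a named module.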

#12 nasdaq

  • Malware Response Team
  • 38,756 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 06 October 2013 - 12:39 PM

We have to remove this .exe file.
Suspect File: C:\Documents and Settings\Ferdole\Start Menu\Programs\Startup\hsrwnvxq.exe Status: Hidden

Please download the Sophos Anti-Rootkit Scanner and save it to your desktop.

You will need to enter your name, e-mail address and location in order to access the download page.
  • Once you have downloaded the file, double click the sarsfx icon
  • Review the licence agreement and click on the Accept button
  • The scanner will prompt you to extract the files to C:\SOPHTEMP - DO NOT change this location, simply click the Install button
  • Once the files have been extracted; using Windows Explorer, navigate to C:\SOPHTEMP and double click on the blue shield icon called sargui
  • Ensure that there are checkmarks next to Running processes, Windows registry and Local hard drives, then click Start scan
  • Allow the program to scan your computer - please be patient as it may take some time
  • Once the scan has completed a window will pop-up with the results of the scan - click OK to this
  • In the main window, you will see each of the entries found by the scan (if any)
    • If the scanner generated any warning messages, please click on each warning and copy and paste the text of it into this thread for me to review
    • Once you have posted any warning messages here, you can close the scanner and wait for me to get back to you
  • If you have not had any warnings, any entries which can be cleaned up by the scanner will have a box with a green checkmark in it next to the entry
  • To clean up these entries click on the Clean up checked items button
  • If you accidentally check a file NOT recommended for clean up, you will get a warning message and if necessary can re-select the entries you want to clean up
  • Once you have cleaned the selected files, you will be prompted to re-boot your computer - please do so
  • When you have re-booted, please post a fresh HijackThis log into this thread and tell me how your computer is running now
Thanks

#13 ferdole

  • Topic Starter
  • Members
  • 30 posts

Posted 11 October 2013 - 02:08 PM

Seems like the external link from Sophos Anti-Rootkit Scanner doesn't work.. should I try downloading it from somewhere else?



#14 nasdaq

  • Malware Response Team
  • 38,756 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 12 October 2013 - 06:43 AM

Just tried it and it's working.

Please try again.

#15 ferdole

  • Topic Starter
  • Members
  • 30 posts

Posted 12 October 2013 - 08:21 AM

I received a Windows Explorer "don't send" error after restart; anyway, I managed to delete the file ... here is the log

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 16:20:18, on 12/10/2013
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
 
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Update\1.3.21.153\GoogleCrashHandler.exe
C:\WINDOWS\ATKKBService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\msiexec.exe
C:\Documents and Settings\Ferdole\My Documents\Downloads\HijackThis.exe
 
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: iToolsBHO - {E1499FE7-129D-4B6E-B681-DDF21E14172C} - C:\Documents and Settings\Ferdole\My Documents\iTools\Plugin\iToolsBHO.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nview\nwiz.exe /installquiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: NVIDIA Update Service Daemon (nvUpdatusService) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
 
--
End of file - 3832 bytes

LE: after another startup it looks like I don't receive the Windows Explorer "don't send" error.

Edited by ferdole, 12 October 2013 - 08:57 AM.
