
GAOPDXSERV.SYS - Help Removing this Virus with RootRepeal



Hi

I am having a lot of problems with a nasty virus on my laptop. I've been getting advice and trying different options and programs to get rid of this virus, which you can read about at the link below. It will give you insight into the different methods I have tried thus far. The individual who was helping me on that board asked me to come here:

http://www.bleepingcomputer.com/forums/topic212353.html

At this point, I have run GMER, Malwarebytes, DDS and RootRepeal. I will post the latest logs.

Malwarebytes is now showing the machine as "malicious virus" free, but when I run GMER, this gaopdxserv.sys is still appearing. I have run RootRepeal, but I don't see it in the log and I have no clue what to delete.

Can someone please help me?

Here are the logs:

GMER 1.0.15.14944 - http://www.gmer.net

Rootkit scan 2009-03-21 16:17:28

Windows 6.0.6001 Service Pack 1

---- System - GMER 1.0.15 ----

SSDT 872A1400 ZwAlertResumeThread

SSDT 872A14C0 ZwAlertThread

SSDT 87205E70 ZwAllocateVirtualMemory

SSDT 870B6608 ZwConnectPort

SSDT 872059F8 ZwCreateMutant

SSDT 87205180 ZwCreateThread

SSDT 87205CD0 ZwFreeVirtualMemory

SSDT 87205AC8 ZwImpersonateAnonymousToken

SSDT 872A1340 ZwImpersonateThread

SSDT 871C82C8 ZwMapViewOfSection

SSDT 87205938 ZwOpenEvent

SSDT 871F12F0 ZwOpenProcessToken

SSDT 870B7810 ZwOpenThreadToken

SSDT 872195B0 ZwResumeThread

SSDT 871A5C88 ZwSetContextThread

SSDT 870B78E0 ZwSetInformationProcess

SSDT 8719EDF0 ZwSetInformationThread

SSDT 87205878 ZwSuspendProcess

SSDT 8719ECA8 ZwSuspendThread

SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys ZwTerminateProcess [0x8CFA7F20]

SSDT 870B76C8 ZwTerminateThread

SSDT 870B5C88 ZwUnmapViewOfSection

SSDT 87205DA0 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!KeInsertQueue + 30D 81C85904 8 Bytes [00, 14, 2A, 87, C0, 14, 2A, ...]

.text ntoskrnl.exe!KeInsertQueue + 321 81C85918 4 Bytes [70, 5E, 20, 87]

.text ntoskrnl.exe!KeInsertQueue + 3B1 81C859A8 4 Bytes [08, 66, 0B, 87]

.text ntoskrnl.exe!KeInsertQueue + 3E5 81C859DC 4 Bytes [F8, 59, 20, 87]

.text ntoskrnl.exe!KeInsertQueue + 411 81C85A08 4 Bytes [80, 51, 20, 87] {ADC BYTE [ECX+0x20], 0x87}

.text ...

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Camera Assistant Software for Toshiba\CEC_MAIN.exe[2304] ntdll.dll!DbgBreakPoint 76E27DFE 1 Byte [90]

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)

AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)

AttachedDevice \Driver\tdx \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

AttachedDevice \Driver\tdx \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device InCDFs.sys (InCD File System Driver/Nero AG)

---- Services - GMER 1.0.15 ----

Service system32\drivers\gaopdxwfnsoqfwixepomthbqbypgmerxhpqxiu.sys (*** hidden *** ) [sYSTEM] gaopdxserv.sys <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys@start 1

Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys@type 1

Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys@imagepath \systemroot\system32\drivers\gaopdxwfnsoqfwixepomthbqbypgmerxhpqxiu.sys

Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys@group file system

Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys\modules

Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys\modules@gaopdxserv \\?\globalroot\systemroot\system32\drivers\gaopdxwfnsoqfwixepomthbqbypgmerxhpqxiu.sys

Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys\modules@gaopdxl \\?\globalroot\systemroot\system32\gaopdxrchcrmtxriwjqvhvojeqmaiibquprvro.dll

Reg HKLM\SYSTEM\ControlSet003\Services\gaopdxserv.sys@start 1

Reg HKLM\SYSTEM\ControlSet003\Services\gaopdxserv.sys@type 1

Reg HKLM\SYSTEM\ControlSet003\Services\gaopdxserv.sys@imagepath \systemroot\system32\drivers\gaopdxwfnsoqfwixepomthbqbypgmerxhpqxiu.sys

Reg HKLM\SYSTEM\ControlSet003\Services\gaopdxserv.sys@group file system

Reg HKLM\SYSTEM\ControlSet003\Services\gaopdxserv.sys\modules

Reg HKLM\SYSTEM\ControlSet003\Services\gaopdxserv.sys\modules@gaopdxserv \\?\globalroot\systemroot\system32\drivers\gaopdxwfnsoqfwixepomthbqbypgmerxhpqxiu.sys

Reg HKLM\SYSTEM\ControlSet003\Services\gaopdxserv.sys\modules@gaopdxl \\?\globalroot\systemroot\system32\gaopdxrchcrmtxriwjqvhvojeqmaiibquprvro.dll

---- EOF - GMER 1.0.15 ----

ROOTREPEAL © AD, 2007-2008

==================================================

Scan Time: 2009/03/21 21:48

Program Version: Version 1.2.3.0

Windows Version: Windows Vista SP1

==================================================

Drivers-------------------

Name: 1394BUS.SYS

Image Path: C:\Windows\system32\DRIVERS\1394BUS.SYS

Address: 0x8C328000 Size: 57344 File Visible: -

Status: -

Name: acpi.sys

Image Path: C:\Windows\system32\drivers\acpi.sys

Address: 0x8262D000 Size: 286720 File Visible: -

Status: -

Name: ACPI_HAL

Image Path: \Driver\ACPI_HAL

Address: 0x81C18000 Size: 3842048 File Visible: -

Status: -

Name: afd.sys

Image Path: C:\Windows\system32\drivers\afd.sys

Address: 0x8CE7B000 Size: 294912 File Visible: -

Status: -

Name: AGRSM.sys

Image Path: C:\Windows\system32\DRIVERS\AGRSM.sys

Address: 0x8CC02000 Size: 1161888 File Visible: -

Status: -

Name: atapi.sys

Image Path: C:\Windows\system32\drivers\atapi.sys

Address: 0x8277C000 Size: 32768 File Visible: -

Status: -

Name: ataport.SYS

Image Path: C:\Windows\system32\drivers\ataport.SYS

Address: 0x82784000 Size: 122880 File Visible: -

Status: -

Name: ATMFD.DLL

Image Path: C:\Windows\System32\ATMFD.DLL

Address: 0x95250000 Size: 311296 File Visible: -

Status: -

Name: BATTC.SYS

Image Path: C:\Windows\system32\DRIVERS\BATTC.SYS

Address: 0x826C7000 Size: 40960 File Visible: -

Status: -

Name: Beep.SYS

Image Path: C:\Windows\System32\Drivers\Beep.SYS

Address: 0x8CD3B000 Size: 28672 File Visible: -

Status: -

Name: BOOTVID.dll

Image Path: C:\Windows\system32\BOOTVID.dll

Address: 0x8247B000 Size: 32768 File Visible: -

Status: -

Name: bowser.sys

Image Path: C:\Windows\system32\DRIVERS\bowser.sys

Address: 0x8DA4A000 Size: 102400 File Visible: -

Status: -

Name: cdd.dll

Image Path: C:\Windows\System32\cdd.dll

Address: 0x95240000 Size: 57344 File Visible: -

Status: -

Name: cdfs.sys

Image Path: C:\Windows\system32\DRIVERS\cdfs.sys

Address: 0xAB636000 Size: 90112 File Visible: -

Status: -

Name: cdrom.sys

Image Path: C:\Windows\system32\DRIVERS\cdrom.sys

Address: 0x8C3DC000 Size: 98304 File Visible: -

Status: -

Name: CI.dll

Image Path: C:\Windows\system32\CI.dll

Address: 0x824C4000 Size: 917504 File Visible: -

Status: -

Name: CLASSPNP.SYS

Image Path: C:\Windows\system32\drivers\CLASSPNP.SYS

Address: 0x880DB000 Size: 135168 File Visible: -

Status: -

Name: CLFS.SYS

Image Path: C:\Windows\system32\CLFS.SYS

Address: 0x82483000 Size: 266240 File Visible: -

Status: -

Name: CmBatt.sys

Image Path: C:\Windows\system32\DRIVERS\CmBatt.sys

Address: 0x8C37E000 Size: 14208 File Visible: -

Status: -

Name: compbatt.sys

Image Path: C:\Windows\system32\DRIVERS\compbatt.sys

Address: 0x826C4000 Size: 10496 File Visible: -

Status: -

Name: crashdmp.sys

Image Path: C:\Windows\System32\Drivers\crashdmp.sys

Address: 0x8D860000 Size: 53248 File Visible: -

Status: -

Name: crcdisk.sys

Image Path: C:\Windows\system32\drivers\crcdisk.sys

Address: 0x880FC000 Size: 36864 File Visible: -

Status: -

Name: dfsc.sys

Image Path: C:\Windows\System32\Drivers\dfsc.sys

Address: 0x8D808000 Size: 94208 File Visible: -

Status: -

Name: disk.sys

Image Path: C:\Windows\system32\drivers\disk.sys

Address: 0x880CA000 Size: 69632 File Visible: -

Status: -

Name: drmk.sys

Image Path: C:\Windows\system32\drivers\drmk.sys

Address: 0x8CAF0000 Size: 151552 File Visible: -

Status: -

Name: dump_atapi.sys

Image Path: C:\Windows\System32\Drivers\dump_atapi.sys

Address: 0x8D878000 Size: 32768 File Visible: No

Status: -

Name: dump_dumpata.sys

Image Path: C:\Windows\System32\Drivers\dump_dumpata.sys

Address: 0x8D86D000 Size: 45056 File Visible: No

Status: -

Name: Dxapi.sys

Image Path: C:\Windows\System32\drivers\Dxapi.sys

Address: 0x8D880000 Size: 40960 File Visible: -

Status: -

Name: dxgkrnl.sys

Image Path: C:\Windows\System32\drivers\dxgkrnl.sys

Address: 0x8C1EE000 Size: 651264 File Visible: -

Status: -

Name: ecache.sys

Image Path: C:\Windows\System32\drivers\ecache.sys

Address: 0x880A3000 Size: 159744 File Visible: -

Status: -

Name: eeCtrl.sys

Image Path: C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys

Address: 0x8CB97000 Size: 385024 File Visible: -

Status: -

Name: EraserUtilRebootDrv.sys

Image Path: C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys

Address: 0x8CFD1000 Size: 118784 File Visible: -

Status: -

Name: fastfat.SYS

Image Path: C:\Windows\System32\Drivers\fastfat.SYS

Address: 0xAB679000 Size: 163840 File Visible: -

Status: -

Name: fileinfo.sys

Image Path: C:\Windows\system32\drivers\fileinfo.sys

Address: 0x827D4000 Size: 65536 File Visible: -

Status: -

Name: fltmgr.sys

Image Path: C:\Windows\system32\drivers\fltmgr.sys

Address: 0x827A2000 Size: 204800 File Visible: -

Status: -

Name: Fs_Rec.SYS

Image Path: C:\Windows\System32\Drivers\Fs_Rec.SYS

Address: 0x8CD2B000 Size: 36864 File Visible: -

Status: -

Name: fwpkclnt.sys

Image Path: C:\Windows\System32\drivers\fwpkclnt.sys

Address: 0x87EC8000 Size: 110592 File Visible: -

Status: -

Name: GEARAspiWDM.sys

Image Path: C:\Windows\System32\Drivers\GEARAspiWDM.sys

Address: 0x8C3F4000 Size: 28672 File Visible: -

Status: -

Name: hal.dll

Image Path: C:\Windows\system32\hal.dll

Address: 0x81FC2000 Size: 208896 File Visible: -

Status: -

Name: HDAudBus.sys

Image Path: C:\Windows\system32\DRIVERS\HDAudBus.sys

Address: 0x8C29A000 Size: 73728 File Visible: -

Status: -

Name: HTTP.sys

Image Path: C:\Windows\system32\drivers\HTTP.sys

Address: 0x8D9C2000 Size: 438272 File Visible: -

Status: -

Name: i8042prt.sys

Image Path: C:\Windows\system32\DRIVERS\i8042prt.sys

Address: 0x8C382000 Size: 77824 File Visible: -

Status: -

Name: IDSvix86.sys

Image Path: C:\PROGRA~2\Symantec\DEFINI~1\SymcData\idsdefs\20090311.001\IDSvix86.sys

Address: 0x8CB51000 Size: 286720 File Visible: -

Status: -

Name: igdkmd32.sys

Image Path: C:\Windows\system32\DRIVERS\igdkmd32.sys

Address: 0x8BC09000 Size: 6180864 File Visible: -

Status: -

Name: InCDFs.sys

Image Path: C:\Windows\system32\drivers\InCDFs.sys

Address: 0x8CD82000 Size: 112384 File Visible: -

Status: -

Name: InCDPass.sys

Image Path: C:\Windows\system32\drivers\InCDPass.sys

Address: 0x8BC00000 Size: 31360 File Visible: -

Status: -

Name: InCDrec.SYS

Image Path: C:\Windows\System32\Drivers\InCDrec.SYS

Address: 0x8CD7F000 Size: 10624 File Visible: -

Status: -

Name: InCDRm.sys

Image Path: C:\Windows\system32\drivers\InCDRm.sys

Address: 0x88377000 Size: 33792 File Visible: -

Status: -

Name: intelide.sys

Image Path: C:\Windows\system32\drivers\intelide.sys

Address: 0x8272A000 Size: 28672 File Visible: -

Status: -

Name: intelppm.sys

Image Path: C:\Windows\system32\DRIVERS\intelppm.sys

Address: 0x88139000 Size: 61440 File Visible: -

Status: -

Name: jrasvktk.sys

Image Path: C:\Users\Mehnaz\AppData\Local\Temp\jrasvktk.sys

Address: 0xAB653000 Size: 81664 File Visible: No

Status: -

Name: kbdclass.sys

Image Path: C:\Windows\system32\DRIVERS\kbdclass.sys

Address: 0x8C395000 Size: 45056 File Visible: -

Status: -

Name: kdcom.dll

Image Path: C:\Windows\system32\kdcom.dll

Address: 0x82402000 Size: 32768 File Visible: -

Status: -

Name: ks.sys

Image Path: C:\Windows\system32\DRIVERS\ks.sys

Address: 0x8C895000 Size: 172032 File Visible: -

Status: -

Name: ksecdd.sys

Image Path: C:\Windows\System32\Drivers\ksecdd.sys

Address: 0x87C00000 Size: 462848 File Visible: -

Status: -

Name: lltdio.sys

Image Path: C:\Windows\system32\DRIVERS\lltdio.sys

Address: 0x8D96B000 Size: 65536 File Visible: -

Status: -

Name: LPCFilter.sys

Image Path: C:\Windows\system32\DRIVERS\LPCFilter.sys

Address: 0x826AB000 Size: 40960 File Visible: -

Status: -

Name: luafv.sys

Image Path: C:\Windows\system32\drivers\luafv.sys

Address: 0x8D899000 Size: 110592 File Visible: -

Status: -

Name: mcupdate_GenuineIntel.dll

Image Path: C:\Windows\system32\mcupdate_GenuineIntel.dll

Address: 0x8240A000 Size: 393216 File Visible: -

Status: -

Name: modem.sys

Image Path: C:\Windows\system32\drivers\modem.sys

Address: 0x8CD1E000 Size: 53248 File Visible: -

Status: -

Name: monitor.sys

Image Path: C:\Windows\system32\DRIVERS\monitor.sys

Address: 0x8D88A000 Size: 61440 File Visible: -

Status: -

Name: mouclass.sys

Image Path: C:\Windows\system32\DRIVERS\mouclass.sys

Address: 0x8C3CD000 Size: 45056 File Visible: -

Status: -

Name: mountmgr.sys

Image Path: C:\Windows\System32\drivers\mountmgr.sys

Address: 0x8276C000 Size: 65536 File Visible: -

Status: -

Name: mpsdrv.sys

Image Path: C:\Windows\System32\drivers\mpsdrv.sys

Address: 0x8DA63000 Size: 86016 File Visible: -

Status: -

Name: mrxdav.sys

Image Path: C:\Windows\system32\drivers\mrxdav.sys

Address: 0x8DA78000 Size: 131072 File Visible: -

Status: -

Name: mrxsmb.sys

Image Path: C:\Windows\system32\DRIVERS\mrxsmb.sys

Address: 0x8DA98000 Size: 126976 File Visible: -

Status: -

Name: mrxsmb10.sys

Image Path: C:\Windows\system32\DRIVERS\mrxsmb10.sys

Address: 0x8DAB7000 Size: 233472 File Visible: -

Status: -

Name: mrxsmb20.sys

Image Path: C:\Windows\system32\DRIVERS\mrxsmb20.sys

Address: 0x8DAF0000 Size: 98304 File Visible: -

Status: -

Name: Msfs.SYS

Image Path: C:\Windows\System32\Drivers\Msfs.SYS

Address: 0x8CD9E000 Size: 45056 File Visible: -

Status: -

Name: msisadrv.sys

Image Path: C:\Windows\system32\drivers\msisadrv.sys

Address: 0x8267C000 Size: 32768 File Visible: -

Status: -

Name: msiscsi.sys

Image Path: C:\Windows\system32\DRIVERS\msiscsi.sys

Address: 0x88380000 Size: 188416 File Visible: -

Status: -

Name: msrpc.sys

Image Path: C:\Windows\system32\drivers\msrpc.sys

Address: 0x87D7C000 Size: 176128 File Visible: -

Status: -

Name: mssmbios.sys

Image Path: C:\Windows\system32\DRIVERS\mssmbios.sys

Address: 0x8C8BF000 Size: 40960 File Visible: -

Status: -

Name: mup.sys

Image Path: C:\Windows\System32\Drivers\mup.sys

Address: 0x88094000 Size: 61440 File Visible: -

Status: -

Name: NAVENG.SYS

Image Path: C:\PROGRA~2\Symantec\DEFINI~1\VIRUSD~1\20090317.006\NAVENG.SYS

Address: 0xAB621000 Size: 82400 File Visible: -

Status: -

Name: NAVEX15.SYS

Image Path: C:\PROGRA~2\Symantec\DEFINI~1\VIRUSD~1\20090317.006\NAVEX15.SYS

Address: 0xAB54C000 Size: 869440 File Visible: -

Status: -

Name: ndis.sys

Image Path: C:\Windows\system32\drivers\ndis.sys

Address: 0x87C71000 Size: 1093632 File Visible: -

Status: -

Name: ndistapi.sys

Image Path: C:\Windows\system32\DRIVERS\ndistapi.sys

Address: 0x8C81D000 Size: 45056 File Visible: -

Status: -

Name: ndisuio.sys

Image Path: C:\Windows\system32\DRIVERS\ndisuio.sys

Address: 0x8D9A5000 Size: 40960 File Visible: -

Status: -

Name: ndiswan.sys

Image Path: C:\Windows\system32\DRIVERS\ndiswan.sys

Address: 0x8C828000 Size: 143360 File Visible: -

Status: -

Name: NDProxy.SYS

Image Path: C:\Windows\System32\Drivers\NDProxy.SYS

Address: 0x8C90A000 Size: 69632 File Visible: -

Status: -

Name: netbios.sys

Image Path: C:\Windows\system32\DRIVERS\netbios.sys

Address: 0x8CF0B000 Size: 57344 File Visible: -

Status: -

Name: netbt.sys

Image Path: C:\Windows\System32\DRIVERS\netbt.sys

Address: 0x8CEC3000 Size: 204800 File Visible: -

Status: -

Name: NETIO.SYS

Image Path: C:\Windows\system32\drivers\NETIO.SYS

Address: 0x87DA7000 Size: 237568 File Visible: -

Status: -

Name: NETw4v32.sys

Image Path: C:\Windows\system32\DRIVERS\NETw4v32.sys

Address: 0x88148000 Size: 2289664 File Visible: -

Status: -

Name: Npfs.SYS

Image Path: C:\Windows\System32\Drivers\Npfs.SYS

Address: 0x8CDA9000 Size: 57344 File Visible: -

Status: -

Name: nsiproxy.sys

Image Path: C:\Windows\system32\drivers\nsiproxy.sys

Address: 0x8CFC7000 Size: 40960 File Visible: -

Status: -

Name: Ntfs.sys

Image Path: C:\Windows\System32\Drivers\Ntfs.sys

Address: 0x87EE3000 Size: 1110016 File Visible: -

Status: -

Name: ntoskrnl.exe

Image Path: C:\Windows\system32\ntoskrnl.exe

Address: 0x81C18000 Size: 3842048 File Visible: -

Status: -

Name: Null.SYS

Image Path: C:\Windows\System32\Drivers\Null.SYS

Address: 0x8CD34000 Size: 28672 File Visible: -

Status: -

Name: nwifi.sys

Image Path: C:\Windows\system32\DRIVERS\nwifi.sys

Address: 0x8D97B000 Size: 172032 File Visible: -

Status: -

Name: ohci1394.sys

Image Path: C:\Windows\system32\DRIVERS\ohci1394.sys

Address: 0x8C318000 Size: 61952 File Visible: -

Status: -

Name: pacer.sys

Image Path: C:\Windows\system32\DRIVERS\pacer.sys

Address: 0x8CEF5000 Size: 90112 File Visible: -

Status: -

Name: partmgr.sys

Image Path: C:\Windows\System32\drivers\partmgr.sys

Address: 0x826B5000 Size: 61440 File Visible: -

Status: -

Name: pci.sys

Image Path: C:\Windows\system32\drivers\pci.sys

Address: 0x82684000 Size: 159744 File Visible: -

Status: -

Name: PCIIDEX.SYS

Image Path: C:\Windows\system32\drivers\PCIIDEX.SYS

Address: 0x82731000 Size: 57344 File Visible: -

Status: -

Name: pcmcia.sys

Image Path: C:\Windows\system32\DRIVERS\pcmcia.sys

Address: 0x8273F000 Size: 184320 File Visible: -

Status: -

Name: peauth.sys

Image Path: C:\Windows\system32\drivers\peauth.sys

Address: 0xAB40F000 Size: 909312 File Visible: -

Status: -

Name: PnpManager

Image Path: \Driver\PnpManager

Address: 0x81C18000 Size: 3842048 File Visible: -

Status: -

Name: portcls.sys

Image Path: C:\Windows\system32\drivers\portcls.sys

Address: 0x8CAC3000 Size: 184320 File Visible: -

Status: -

Name: PSHED.dll

Image Path: C:\Windows\system32\PSHED.dll

Address: 0x8246A000 Size: 69632 File Visible: -

Status: -

Name: PxHelp20.sys

Image Path: C:\Windows\System32\Drivers\PxHelp20.sys

Address: 0x827E4000 Size: 36320 File Visible: -

Status: -

Name: rasacd.sys

Image Path: C:\Windows\System32\DRIVERS\rasacd.sys

Address: 0x8CDB7000 Size: 36864 File Visible: -

Status: -

Name: rasl2tp.sys

Image Path: C:\Windows\system32\DRIVERS\rasl2tp.sys

Address: 0x8C806000 Size: 94208 File Visible: -

Status: -

Name: raspppoe.sys

Image Path: C:\Windows\system32\DRIVERS\raspppoe.sys

Address: 0x8C84B000 Size: 61440 File Visible: -

Status: -

Name: raspptp.sys

Image Path: C:\Windows\system32\DRIVERS\raspptp.sys

Address: 0x8C85A000 Size: 81920 File Visible: -

Status: -

Name: rassstp.sys

Image Path: C:\Windows\system32\DRIVERS\rassstp.sys

Address: 0x8C86E000 Size: 86016 File Visible: -

Status: -

Name: RAW

Image Path: \FileSystem\RAW

Address: 0x81C18000 Size: 3842048 File Visible: -

Status: -

Name: rdbss.sys

Image Path: C:\Windows\system32\DRIVERS\rdbss.sys

Address: 0x8CB15000 Size: 245760 File Visible: -

Status: -

Name: RDPCDD.sys

Image Path: C:\Windows\System32\DRIVERS\RDPCDD.sys

Address: 0x8CD6F000 Size: 32768 File Visible: -

Status: -

Name: rdpencdd.sys

Image Path: C:\Windows\system32\drivers\rdpencdd.sys

Address: 0x8CD77000 Size: 32768 File Visible: -

Status: -

Name: rootrepeal.sys

Image Path: C:\Windows\system32\drivers\rootrepeal.sys

Address: 0xAB74D000 Size: 45056 File Visible: No

Status: -

Name: rspndr.sys

Image Path: C:\Windows\system32\DRIVERS\rspndr.sys

Address: 0x8D9AF000 Size: 77824 File Visible: -

Status: -

Name: RTKVHDA.sys

Image Path: C:\Windows\system32\drivers\RTKVHDA.sys

Address: 0x8C91B000 Size: 1733952 File Visible: -

Status: -

Name: Rtlh86.sys

Image Path: C:\Windows\system32\DRIVERS\Rtlh86.sys

Address: 0x8C2AC000 Size: 81920 File Visible: -

Status: -

Name: SASDIFSV.SYS

Image Path: C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS

Address: 0x8CFC0000 Size: 28672 File Visible: -

Status: -

Name: SASENUM.SYS

Image Path: C:\Program Files\SUPERAntiSpyware\SASENUM.SYS

Address: 0xAB64C000 Size: 20480 File Visible: -

Status: -

Name: SASKUTIL.sys

Image Path: C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys

Address: 0x8CF9F000 Size: 135168 File Visible: -

Status: -

Name: sdbus.sys

Image Path: C:\Windows\system32\DRIVERS\sdbus.sys

Address: 0x8C364000 Size: 106496 File Visible: -

Status: -

Name: secdrv.SYS

Image Path: C:\Windows\System32\Drivers\secdrv.SYS

Address: 0xAB4ED000 Size: 40960 File Visible: -

Status: -

Name: smb.sys

Image Path: C:\Windows\system32\DRIVERS\smb.sys

Address: 0x8CE67000 Size: 81920 File Visible: -

Status: -

Name: SPBBCDrv.sys

Image Path: C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys

Address: 0x8CF36000 Size: 430080 File Visible: -

Status: -

Name: spldr.sys

Image Path: C:\Windows\System32\Drivers\spldr.sys

Address: 0x8808C000 Size: 32768 File Visible: -

Status: -

Name: spsys.sys

Image Path: C:\Windows\system32\drivers\spsys.sys

Address: 0x8D8BC000 Size: 716800 File Visible: -

Status: -

Name: SRTSP.SYS

Image Path: C:\Windows\System32\Drivers\SRTSP.SYS

Address: 0xAB503000 Size: 299008 File Visible: -

Status: -

Name: SRTSPX.SYS

Image Path: C:\Windows\System32\Drivers\SRTSPX.SYS

Address: 0x8CF2C000 Size: 36992 File Visible: -

Status: -

Name: srv.sys

Image Path: C:\Windows\System32\DRIVERS\srv.sys

Address: 0x8DB2F000 Size: 311296 File Visible: -

Status: -

Name: srv2.sys

Image Path: C:\Windows\System32\DRIVERS\srv2.sys

Address: 0x8DB08000 Size: 159744 File Visible: -

Status: -

Name: srvnet.sys

Image Path: C:\Windows\System32\DRIVERS\srvnet.sys

Address: 0x8DA2D000 Size: 118784 File Visible: -

Status: -

Name: storport.sys

Image Path: C:\Windows\system32\DRIVERS\storport.sys

Address: 0x883AE000 Size: 266240 File Visible: -

Status: -

Name: swenum.sys

Image Path: C:\Windows\system32\DRIVERS\swenum.sys

Address: 0x8C893000 Size: 4992 File Visible: -

Status: -

Name: SYMDNS.SYS

Image Path: C:\Windows\System32\Drivers\SYMDNS.SYS

Address: 0x8CE2E000 Size: 6144 File Visible: -

Status: -

Name: SYMEVENT.SYS

Image Path: C:\Windows\system32\Drivers\SYMEVENT.SYS

Address: 0x8CE03000 Size: 151552 File Visible: -

Status: -

Name: SYMFW.SYS

Image Path: C:\Windows\System32\Drivers\SYMFW.SYS

Address: 0x8CE3B000 Size: 139392 File Visible: -

Status: -

Name: SYMIDS.SYS

Image Path: C:\Windows\System32\Drivers\SYMIDS.SYS

Address: 0x8CE5E000 Size: 33280 File Visible: -

Status: -

Name: SYMNDISV.SYS

Image Path: C:\Windows\System32\Drivers\SYMNDISV.SYS

Address: 0x8CE30000 Size: 45056 File Visible: -

Status: -

Name: SYMREDRV.SYS

Image Path: C:\Windows\System32\Drivers\SYMREDRV.SYS

Address: 0x8CE28000 Size: 20992 File Visible: -

Status: -

Name: SYMTDI.SYS

Image Path: C:\Windows\System32\Drivers\SYMTDI.SYS

Address: 0x8CDD6000 Size: 181248 File Visible: -

Status: -

Name: SynTP.sys

Image Path: C:\Windows\system32\DRIVERS\SynTP.sys

Address: 0x8C3A0000 Size: 175360 File Visible: -

Status: -

Name: tcpip.sys

Image Path: C:\Windows\System32\drivers\tcpip.sys

Address: 0x87DE1000 Size: 946176 File Visible: -

Status: -

Name: tcpipreg.sys

Image Path: C:\Windows\System32\drivers\tcpipreg.sys

Address: 0xAB4F7000 Size: 49152 File Visible: -

Status: -

Name: tdcmdpst.sys

Image Path: C:\Windows\system32\DRIVERS\tdcmdpst.sys

Address: 0x8C3D8000 Size: 16128 File Visible: -

Status: -

Name: TDI.SYS

Image Path: C:\Windows\system32\DRIVERS\TDI.SYS

Address: 0x883EF000 Size: 45056 File Visible: -

Status: -

Name: tdx.sys

Image Path: C:\Windows\system32\DRIVERS\tdx.sys

Address: 0x8CDC0000 Size: 90112 File Visible: -

Status: -

Name: termdd.sys

Image Path: C:\Windows\system32\DRIVERS\termdd.sys

Address: 0x8C883000 Size: 65536 File Visible: -

Status: -

Name: tifm21.sys

Image Path: C:\Windows\system32\drivers\tifm21.sys

Address: 0x8C336000 Size: 188416 File Visible: -

Status: -

Name: tos_sps32.sys

Image Path: C:\Windows\system32\DRIVERS\tos_sps32.sys

Address: 0x88041000 Size: 307200 File Visible: -

Status: -

Name: TSDDD.dll

Image Path: C:\Windows\System32\TSDDD.dll

Address: 0x95220000 Size: 36864 File Visible: -

Status: -

Name: tunmp.sys

Image Path: C:\Windows\system32\DRIVERS\tunmp.sys

Address: 0x88130000 Size: 36864 File Visible: -

Status: -

Name: tunnel.sys

Image Path: C:\Windows\system32\DRIVERS\tunnel.sys

Address: 0x88125000 Size: 45056 File Visible: -

Status: -

Name: TVALZ_O.SYS

Image Path: C:\Windows\system32\DRIVERS\TVALZ_O.SYS

Address: 0x8803C000 Size: 16768 File Visible: -

Status: -

Name: umbus.sys

Image Path: C:\Windows\system32\DRIVERS\umbus.sys

Address: 0x8C8C9000 Size: 53248 File Visible: -

Status: -

Name: usbccgp.sys

Image Path: C:\Windows\system32\DRIVERS\usbccgp.sys

Address: 0x8D81F000 Size: 94208 File Visible: -

Status: -

Name: USBD.SYS

Image Path: C:\Windows\system32\DRIVERS\USBD.SYS

Address: 0x8C3CB000 Size: 8192 File Visible: -

Status: -

Name: usbehci.sys

Image Path: C:\Windows\system32\DRIVERS\usbehci.sys

Address: 0x8C309000 Size: 61440 File Visible: -

Status: -

Name: usbhub.sys

Image Path: C:\Windows\system32\DRIVERS\usbhub.sys

Address: 0x8C8D6000 Size: 212992 File Visible: -

Status: -

Name: USBPORT.SYS

Image Path: C:\Windows\system32\DRIVERS\USBPORT.SYS

Address: 0x8C2CB000 Size: 253952 File Visible: -

Status: -

Name: usbuhci.sys

Image Path: C:\Windows\system32\DRIVERS\usbuhci.sys

Address: 0x8C2C0000 Size: 45056 File Visible: -

Status: -

Name: usbvideo.sys

Image Path: C:\Windows\System32\Drivers\usbvideo.sys

Address: 0x8D83F000 Size: 132352 File Visible: -

Status: -

Name: UVCFTR_S.SYS

Image Path: C:\Windows\system32\DRIVERS\UVCFTR_S.SYS

Address: 0x8D836000 Size: 36864 File Visible: -

Status: -

Name: vga.sys

Image Path: C:\Windows\System32\drivers\vga.sys

Address: 0x8CD42000 Size: 49152 File Visible: -

Status: -

Name: VIDEOPRT.SYS

Image Path: C:\Windows\System32\drivers\VIDEOPRT.SYS

Address: 0x8CD4E000 Size: 135168 File Visible: -

Status: -

Name: volmgr.sys

Image Path: C:\Windows\system32\drivers\volmgr.sys

Address: 0x826D1000 Size: 61440 File Visible: -

Status: -

Name: volmgrx.sys

Image Path: C:\Windows\System32\drivers\volmgrx.sys

Address: 0x826E0000 Size: 303104 File Visible: -

Status: -

Name: volsnap.sys

Image Path: C:\Windows\system32\drivers\volsnap.sys

Address: 0x88003000 Size: 233472 File Visible: -

Status: -

Name: wanarp.sys

Image Path: C:\Windows\system32\DRIVERS\wanarp.sys

Address: 0x8CF19000 Size: 77824 File Visible: -

Status: -

Name: watchdog.sys

Image Path: C:\Windows\System32\drivers\watchdog.sys

Address: 0x8C28D000 Size: 53248 File Visible: -

Status: -

Name: Wdf01000.sys

Image Path: C:\Windows\system32\drivers\Wdf01000.sys

Address: 0x825A4000 Size: 507904 File Visible: -

Status: -

Name: WDFLDR.SYS

Image Path: C:\Windows\system32\drivers\WDFLDR.SYS

Address: 0x82620000 Size: 53248 File Visible: -

Status: -

Name: Win32k

Image Path: \Driver\Win32k

Address: 0x95000000 Size: 2105344 File Visible: -

Status: -

Name: win32k.sys

Image Path: C:\Windows\System32\win32k.sys

Address: 0x95000000 Size: 2105344 File Visible: -

Status: -

Name: WMILIB.SYS

Image Path: C:\Windows\system32\drivers\WMILIB.SYS

Address: 0x82673000 Size: 36864 File Visible: -

Status: -

Name: WMIxWDM

Image Path: \Driver\WMIxWDM

Address: 0x81C18000 Size: 3842048 File Visible: -

Status: -

Malwarebytes' Anti-Malware 1.34

Database version: 1863

Windows 6.0.6001 Service Pack 1

21/03/2009 7:33:02 PM

mbam-log-2009-03-21 (19-33-02).txt

Scan type: Full Scan (C:\|D:\|)

Objects scanned: 182495

Time elapsed: 2 hour(s), 30 minute(s), 39 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

ROOTREPEAL © AD, 2007-2008

==================================================

Scan Time: 2009/03/21 21:48

Program Version: Version 1.2.3.0

Windows Version: Windows Vista SP1

==================================================

Hidden/Locked Files-------------------

Path: C:\autorun.inf\lpt3.This folder was created by Flash_Disinfector

Status: Locked to the Windows API!

Path: C:\System Volume Information\{3808876b-c176-4e48-b7ae-04046e6cc752}

Status: Locked to the Windows API!

Path: C:\System Volume Information\{df5c6fc6-162a-11de-9752-001b381a31dc}{3808876b-c176-4e48-b7ae-04046e6cc752}

Status: Locked to the Windows API!

Path: C:\Windows\System32\wbem\PORTAB~3.MOF

Status: Locked to the Windows API!

Path: C:\Windows\System32\wbem\PORTAB~1.MOF

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.msxml2_6bd6b9abf345378f_4.20.9870.0_none_b7e00e6c7b30b69b.cat

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.762_none_11ecb0ab9b2caf3c.cat

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.9.0.microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.21022.8_none_60a5df56e60dc5df.cat

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.762_none_8e053e8c6967ba9d.cat

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.msxml2_6bd6b9abf345378f_4.20.9818.0_none_b7e811947b297f6d.cat

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.163_none_91949b06671d08ae.cat

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.163_none_10b3ea459bfee365.cat

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.762_none_9193a620671dde41.cat

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.msxml2_6bd6b9abf345378f_4.20.9848.0_none_b7e811287b298060.cat

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.762_none_10b2f55f9bffb8f8.cat

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.4.20.microsoft.msxml2_6bd6b9abf345378f_4.20.9849.0_none_a6e7a8e20e9863b4.cat

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.21022.8_none_bcb86ed6ac711f91.cat

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.4.20.microsoft.msxml2_6bd6b9abf345378f_4.20.9870.0_none_a6dea5dc0ea08098.cat

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.42_none_db5f52fb98cb24ad.cat

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.4.1.microsoft.msxml2r_6bd6b9abf345378f_4.1.1.0_none_8b7b15c031cda6db.cat

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.msxml2_6bd6b9abf345378f_4.20.9849.0_none_b7e911727b2899b7.cat

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.4.20.microsoft.msxml2_6bd6b9abf345378f_4.20.9848.0_none_a6e6a8980e994a5d.cat

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.msxml2r_6bd6b9abf345378f_4.1.1.0_none_365945b9da656e4d.cat

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.42_none_5c4003bc63e949f6.cat

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Manifests\df4c00155bfca5da82320089743bb386e8df43312c8d8b8112418980a2440f2d.cat

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Manifests\4a4e6de1088e614f7694727d621129512819bdecdb46cc6ebb7c1f192dfe380e.cat

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Manifests\4bde3906e1ad59953a7d8592ff3860dd7fadc4e12abe4b5c828645390461a3aa.cat

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-gameexplorer_31bf3856ad364e35_6.0.6000.16651_none_3fe50116c43e1596\WGXINS~1.MOF

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-gameexplorer_31bf3856ad364e35_6.0.6000.16721_none_400572c0c425beea\WGXINS~1.MOF

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-gameexplorer_31bf3856ad364e35_6.0.6000.16772_none_3fd0636ec44d63f6\WGXINS~1.MOF

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-gameexplorer_31bf3856ad364e35_6.0.6000.20788_none_40553023dd6dba94\WGXINS~1.MOF

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_policy.1.2.microsof..op.security.azroles_31bf3856ad364e35_6.0.6000.16386_none_ea83414c2e75b887\Microsoft.Interop.Security.AzRoles.config

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6000.16789_none_09360999522be962\RENDER~1.XML

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6000.20976_none_09c777586b441e5d\RENDER~1.XML

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6001.18000_none_0b69c31f4f19b995\RENDER~1.XML

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6001.18185_none_0b1847174f5614f7\RENDER~1.XML

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6001.22331_none_0bd3f43c684ec0d7\RENDER~1.XML

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-gameexplorer_31bf3856ad364e35_6.0.6000.20885_none_4052312bdd706bb6\WGXINS~1.MOF

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-gameexplorer_31bf3856ad364e35_6.0.6000.20949_none_408173e9dd4c5e75\WGXINS~1.MOF

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-gameexplorer_31bf3856ad364e35_6.0.6001.18000_none_42004f0ec13d017b\WGXINS~1.MOF

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-gameexplorer_31bf3856ad364e35_6.0.6001.18032_none_41e1dfdec15387fc\WGXINS~1.MOF

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-gameexplorer_31bf3856ad364e35_6.0.6001.18112_none_41f7819cc1434d41\WGXINS~1.MOF

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-gameexplorer_31bf3856ad364e35_6.0.6001.18165_none_41c472dec16924fb\WGXINS~1.MOF

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-gameexplorer_31bf3856ad364e35_6.0.6001.22132_none_426b7ca9da7127c6\WGXINS~1.MOF

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-gameexplorer_31bf3856ad364e35_6.0.6001.22233_none_426c7ed9da703e44\WGXINS~1.MOF

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-gameexplorer_31bf3856ad364e35_6.0.6001.22299_none_4231a10dda9b7df4\WGXINS~1.MOF

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-windowscodec_31bf3856ad364e35_6.0.6001.18131_none_966249e6a135884c\$$DeleteMe.WindowsCodecs.dll.01c9a3f034fce6fc.0000

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wpd-portabledeviceapi_31bf3856ad364e35_6.0.6000.16767_none_48e0ac03ef0db56a\PORTAB~3.MOF

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wpd-portabledeviceapi_31bf3856ad364e35_6.0.6000.16767_none_48e0ac03ef0db56a\PORTAB~1.MOF

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wpd-portabledeviceapi_31bf3856ad364e35_6.0.6000.20941_none_4979e8d10820826f\PORTAB~3.MOF

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wpd-portabledeviceapi_31bf3856ad364e35_6.0.6000.20941_none_4979e8d10820826f\PORTAB~1.MOF

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wpd-portabledeviceapi_31bf3856ad364e35_6.0.6001.18000_none_4b00c645ec09f02d\PORTAB~3.MOF

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wpd-portabledeviceapi_31bf3856ad364e35_6.0.6001.18000_none_4b00c645ec09f02d\PORTAB~1.MOF

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wpd-portabledeviceapi_31bf3856ad364e35_6.0.6001.18160_none_4abfe8a3ec3a94fa\PORTAB~3.MOF

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wpd-portabledeviceapi_31bf3856ad364e35_6.0.6001.18160_none_4abfe8a3ec3a94fa\PORTAB~1.MOF

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wpd-portabledeviceapi_31bf3856ad364e35_6.0.6001.22292_none_4b2b163f056ebb45\PORTAB~3.MOF

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wpd-portabledeviceapi_31bf3856ad364e35_6.0.6001.22292_none_4b2b163f056ebb45\PORTAB~1.MOF

Status: Locked to the Windows API!

Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\SYSTEM~1.DLL

Status: Locked to the Windows API!

Path: C:\Windows\System32\LogFiles\WUDF\WUDFTrace.etl

Status: Allocation size mismatch (API: 32768, Raw: 16384)

Path: C:\Windows\System32\wbem\Logs\WMITracing.log

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Temp\PendingDeletes\sortkey.nlp

Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Temp\PendingDeletes\sorttbls.nlp

Status: Locked to the Windows API!

Path: C:\Windows\assembly\GAC_32\Policy.1.2.Microsoft.Interop.Security.AzRoles\6.0.6000.16386__31bf3856ad364e35\Microsoft.Interop.Security.AzRoles.config

Status: Locked to the Windows API!

Path: C:\Windows\assembly\GAC_MSIL\System.Runtime.Serialization.Formatters.Soap\2.0.0.0__b03f5f7f11d50a3a\SYSTEM~1.DLL

Status: Locked to the Windows API!

Path: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl

Status: Locked to the Windows API!

Path: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Application.etl

Status: Locked to the Windows API!

Path: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl

Status: Locked to the Windows API!

Path: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl

Status: Locked to the Windows API!

Path: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTMsMpPsSession.etl

Status: Locked to the Windows API!


Hi ya,

I believe the CLB driver has been purged from your system despite the conflicting data in the reports.

Things that suggest CLB is RIP:

RootRepeal is not seeing any hidden driver or files

GMER is reporting the hidden service entry* but no hidden files

*This entry will remain on a machine until it is purposely removed using an ARK tool/fix

The only bothersome thing is your MBAM database used is out of date.

Now CLB sometimes prevents MBAM from updating and/or running, so this is normally a pointer to it being active on a system.

So let's find out for sure what's going on :(

Open GMER again and scan and go to the following entry only.

Service system32\drivers\gaopdxwfnsoqfwixepomthbqbypgmerxhpqxiu.sys (*** hidden *** ) [sYSTEM] gaopdxserv.sys <-- ROOTKIT !!!

Right click on it and select *delete service* and then Reboot.

On Reboot try to see if MBAM will update to most recent DB 1882

Next rescan with GMER to see if the Hidden service entry remains.

Thanks in advance.

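The reasoning in this reply (GMER still lists a hidden service entry while RootRepeal shows no hidden driver or files, so the entry is most likely an orphan rather than a live rootkit) can be applied mechanically to the two logs. The script below is an added example, not code from this thread or from GMER, RootRepeal or Malwarebytes. Its log excerpts are constructed for the example: the GMER service line copies the format quoted above, the "Hidden from the Windows API!" status text and the example_hidden.sys path are assumptions, and the RootRepeal entries reuse the "Locked to the Windows API!" and allocation-size-mismatch statuses seen in the posted log.

```python
"""Cross-check a GMER log against a RootRepeal log to tell an active rootkit
from an orphaned service entry.  Added example; not code from the thread or
from either tool.  All log excerpts below are constructed."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed GMER excerpt: one hidden service entry in the format quoted in
# the thread ("Service ... (*** hidden *** ) [SYSTEM] name <-- ROOTKIT !!!").
GMER_SAMPLE = """\
---- Services - GMER 1.0.15 ----

Service system32\\drivers\\gaopdxwfnsoqfwixepomthbqbypgmerxhpqxiu.sys (*** hidden *** ) [SYSTEM] gaopdxserv.sys <-- ROOTKIT !!!

---- EOF - GMER 1.0.15 ----
"""

# Constructed RootRepeal excerpt with the two statuses present in the posted
# log: the benign "Locked" status and one allocation-size mismatch.
ROOTREPEAL_SAMPLE = """\
Path: C:\\Windows\\System32\\LogFiles\\WMI\\RtBackup\\EtwRTDiagLog.etl

Status: Locked to the Windows API!

Path: C:\\Windows\\System32\\wbem\\Logs\\WMITracing.log

Status: Allocation size mismatch (API: 32768, Raw: 16384)
"""

# Constructed excerpt for the opposite case.  The status wording "Hidden from
# the Windows API!" is an assumption, and the driver path is made up.
ROOTREPEAL_ACTIVE_SAMPLE = """\
Path: C:\\Windows\\System32\\drivers\\example_hidden.sys

Status: Hidden from the Windows API!
"""

BENIGN_STATUS = "Locked to the Windows API!"   # file merely held open

# "<kind> <object> (*** hidden *** )" marks objects only GMER's raw scan sees;
# the bracketed tail after it carries the service name.
GMER_HIDDEN = re.compile(r"^(\S+)\s+(.+?)\s+\(\*\*\* hidden \*\*\*\s*\)")
GMER_NAME = re.compile(r"\]\s+(\S+)")


@dataclass
class Triage:
    gmer_hidden: List[Dict[str, str]]             # hidden objects GMER reported
    rootrepeal_hidden: List[str]                  # paths the Windows API cannot see
    rootrepeal_suspicious: List[Tuple[str, str]]  # non-benign, non-hidden statuses
    verdict: str


def parse_gmer_hidden(text: str) -> List[Dict[str, str]]:
    """Return every GMER line flagged '*** hidden ***' as kind/object/name."""
    found = []
    for line in text.splitlines():
        m = GMER_HIDDEN.match(line)
        if not m:
            continue
        name = GMER_NAME.search(line[m.end():])
        found.append({"kind": m.group(1), "object": m.group(2),
                      "name": name.group(1) if name else ""})
    return found


def parse_rootrepeal(text: str) -> List[Tuple[str, str]]:
    """Pair each 'Path:' line with the 'Status:' line that follows it."""
    entries, path = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Path:"):
            path = line[len("Path:"):].strip()
        elif line.startswith("Status:") and path is not None:
            entries.append((path, line[len("Status:"):].strip()))
            path = None
    return entries


def triage(gmer_text: str, rootrepeal_text: str) -> Triage:
    """Hidden service in GMER but no hidden files in RootRepeal -> leftovers;
    both tools seeing hidden objects -> treat the rootkit as active."""
    gmer_hidden = parse_gmer_hidden(gmer_text)
    hidden, suspicious = [], []
    for path, status in parse_rootrepeal(rootrepeal_text):
        if status == BENIGN_STATUS:
            continue                     # expected for logs, winsxs, GAC files
        if status.startswith("Hidden"):
            hidden.append(path)
        else:
            suspicious.append((path, status))   # worth a look, not a verdict
    if gmer_hidden and hidden:
        verdict = "active: both tools see hidden objects"
    elif gmer_hidden:
        verdict = "orphaned: hidden service entry only, no hidden files"
    elif hidden:
        verdict = "rootrepeal-only: hidden files without a hidden service"
    else:
        verdict = "clean: nothing hidden in either log"
    return Triage(gmer_hidden, hidden, suspicious, verdict)


if __name__ == "__main__":
    for label, rr in (("thread", ROOTREPEAL_SAMPLE), ("active", ROOTREPEAL_ACTIVE_SAMPLE)):
        t = triage(GMER_SAMPLE, rr)
        print(f"[{label}] {t.verdict}")
        for path, status in t.rootrepeal_suspicious:
            print("  re-check:", path, "|", status)
```

"Locked to the Windows API!" fills the posted RootRepeal log because log files, winsxs catalogs and GAC assemblies are normally held open, which is why the script skips that status; any other status is listed for a second look rather than turned into a verdict on its own, and only a hidden object seen by both tools is reported as active.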

I ran GMER again and right-clicked on the file specified. An error message came up saying, "failed, couldn't find the specified location" .... I'm running GMER again, after rebooting, and will post the log results here.

MBAM probably isn't updating because I'm not connected to the internet on the infected computer. I was told that the virus could possibly come back if connection to the internet remains open. I tried loading MBAM onto the desktop and transfer it onto the infected laptop, but it won't open in the laptop. Will try again.

Thanks for your help.


Ok, for now it should be ok to briefly connect this pc to the web. See if MBAM updates, then pull the plug on the internet connection.

FWIW, looking back at your posts at BC, it looks like CLB was vanquished at some point as GMER stopped listing the hidden driver :(


Some very strange things are happening on my laptop.

I did not delete anything, other than the one you mentioned above by right-clicking on that file and having that error message come up about not being able to retrieve the file. *confused*

For starters, the internet connection is back up. For the past week, it's been saying unable to find DHCP, Host Process for Windows Services Stopped Working and was Closed, and an error message from Norton Anti-Virus kept coming up.

Now, when I click on the internet, I am able to come online. Norton Anti-Virus message popped up saying my service needs to be reactivated (so I did that), and that Host Process message is not showing up.

Not sure what happened.

I ran 3 scans including HijackThis. I will post the logs for you to analyze. Oh, one message that popped up during the HijackThis log was that it could not access the Host Files, so if anything needs to be deleted in that, I need to go in and do it myself.

I would appreciate you having a look at these logs and letting me know if anything needs to be deleted.

Thanks

GMER:

GMER 1.0.15.14944 - http://www.gmer.net

Rootkit scan 2009-03-22 13:51:58

Windows 6.0.6001 Service Pack 1

---- System - GMER 1.0.15 ----

SSDT 8714BF40 ZwAlertResumeThread

SSDT 87166E28 ZwAlertThread

SSDT 871AE3D8 ZwAllocateVirtualMemory

SSDT 8714DA60 ZwConnectPort

SSDT 8714BC90 ZwCreateMutant

SSDT 871AE730 ZwCreateThread

SSDT 871B13B8 ZwFreeVirtualMemory

SSDT 8714BD80 ZwImpersonateAnonymousToken

SSDT 8714BE60 ZwImpersonateThread

SSDT 871B12D8 ZwMapViewOfSection

SSDT 8714BAF0 ZwOpenEvent

SSDT 8718E150 ZwOpenProcessToken

SSDT 871AEE48 ZwOpenThreadToken

SSDT 87194770 ZwResumeThread

SSDT 871AED68 ZwSetContextThread

SSDT 871AEF38 ZwSetInformationProcess

SSDT 871AEC78 ZwSetInformationThread

SSDT 8714BA10 ZwSuspendProcess

SSDT 87166F70 ZwSuspendThread

SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys ZwTerminateProcess [0x8D3A5F20]

SSDT 871AEB98 ZwTerminateThread

SSDT 871B1218 ZwUnmapViewOfSection

SSDT 871AE308 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!KeInsertQueue + 30D 81C89904 8 Bytes [40, BF, 14, 87, 28, 6E, 16, ...]

.text ntoskrnl.exe!KeInsertQueue + 321 81C89918 4 Bytes [D8, E3, 1A, 87]

.text ntoskrnl.exe!KeInsertQueue + 3B1 81C899A8 4 Bytes [60, DA, 14, 87] {PUSHA ; FICOM DWORD [EDI+EAX*4]}

.text ntoskrnl.exe!KeInsertQueue + 3E5 81C899DC 4 Bytes [90, BC, 14, 87]

.text ntoskrnl.exe!KeInsertQueue + 411 81C89A08 4 Bytes [30, E7, 1A, 87]

.text ...

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Camera Assistant Software for Toshiba\CEC_MAIN.exe[1340] ntdll.dll!DbgBreakPoint 77907DFE 1 Byte [90]

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)

AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)

AttachedDevice \Driver\tdx \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

AttachedDevice \Driver\tdx \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device InCDFs.sys (InCD File System Driver/Nero AG)

---- EOF - GMER 1.0.15 ----

MBAM:

Malwarebytes' Anti-Malware 1.34

Database version: 1863

Windows 6.0.6001 Service Pack 1

21/03/2009 7:33:02 PM

mbam-log-2009-03-21 (19-33-02).txt

Scan type: Full Scan (C:\|D:\|)

Objects scanned: 182495

Time elapsed: 2 hour(s), 30 minute(s), 39 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

HijackThis:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 9:25:44 PM, on 21/03/2009

Platform: Windows Vista SP1 (WinNT 6.00.1905)

MSIE: Internet Explorer v7.00 (7.00.6001.18000)

Boot mode: Normal

Running processes:

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Windows\system32\taskeng.exe

C:\Program Files\Windows Defender\MSASCui.exe

C:\Windows\RtHDVCpl.exe

C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe

C:\Program Files\TOSHIBA\Utilities\KeNotify.exe

C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe

C:\Windows\System32\igfxtray.exe

C:\Windows\System32\hkcmd.exe

C:\Windows\System32\igfxpers.exe

C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe

C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe

C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe

C:\Program Files\ltmoh\ltmoh.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\CyberLink\PCM4Everio\EverioService.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Yahoo!\YOP\yop.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe

C:\Program Files\Nero\Nero 7\InCD\InCD.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Google\Gmail Notifier\gnotify.exe

C:\Program Files\Windows Sidebar\sidebar.exe

C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe

C:\Program Files\Windows Live\Messenger\msnmsgr.exe

C:\Users\Mehnaz\Program Files\DNA\btdna.exe

C:\Program Files\Windows Media Player\wmpnscfg.exe

C:\Program Files\SUPERAntiSpyware\14e5a4ef-e810-471e-95a5-626793248a3c.exe

C:\Program Files\Camera Assistant Software for Toshiba\CEC_MAIN.exe

C:\Windows\system32\igfxsrvc.exe

C:\Program Files\Synaptics\SynTP\SynToshiba.exe

C:\Program Files\TOSHIBA\ConfigFree\CFSwMgr.exe

C:\PROGRA~1\Yahoo!\YOP\SSDK02.exe

C:\Windows\system32\conime.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\Windows\system32\SearchFilterHost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O1 - Hosts: ::1 localhost

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide

O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"

O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe

O4 - HKLM\..\Run: [KeNotify] C:\Program Files\TOSHIBA\Utilities\KeNotify.exe

O4 - HKLM\..\Run: [HWSetup] C:\Program Files\TOSHIBA\Utilities\HWSetup.exe hwSetUP

O4 - HKLM\..\Run: [sVPWUTIL] C:\Program Files\TOSHIBA\Utilities\SVPWUTIL.exe SVPwUTIL

O4 - HKLM\..\Run: [Camera Assistant Software] "C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe"

O4 - HKLM\..\Run: [igfxTray] C:\Windows\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe

O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe

O4 - HKLM\..\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE

O4 - HKLM\..\Run: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe

O4 - HKLM\..\Run: [smoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe

O4 - HKLM\..\Run: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe

O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [EverioService] "C:\Program Files\CyberLink\PCM4Everio\EverioService.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"

O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

O4 - HKLM\..\Run: [securDisc] C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe

O4 - HKLM\..\Run: [inCD] C:\Program Files\Nero\Nero 7\InCD\InCD.exe

O4 - HKLM\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALuNotify.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"

O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKCU\..\Run: [sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun

O4 - HKCU\..\Run: [TOSCDSPD] TOSCDSPD.EXE

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [bitTorrent DNA] "C:\Users\Mehnaz\Program Files\DNA\btdna.exe"

O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe

O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\14e5a4ef-e810-471e-95a5-626793248a3c.exe

O4 - HKUS\S-1-5-19\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe (User 'Default user')

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O13 - Gopher Prefix:

O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab

O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.ca/s/v/46.19/uploader2.cab

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w3/resources/...NPUplden-ca.cab

O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/p...obat/nos/gp.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe

O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe

O23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\PROGRA~1\Symantec\isPwdSvc.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe

O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe

O23 - Service: Rogers Update Manager (RogersUpdateManager) - Rogers Cable Communications - C:\Program Files\Rogers\Update Manager\RogersUpdateManager.exe

O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\Windows\system32\TODDSrv.exe

O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe

O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--

End of file - 12270 bytes


Hi ya,

CLB driver infection has definitely left the building and normal service is being resumed :(

Your HiJackThis + GMER logs are looking good to go now.

MBAM is still using the old database, though!

Just one last diagnostic log I would like to see, so if you could do the following:

STEP 01

Please visit this webpage for instructions for downloading ComboFix to your DESKTOP:

Please ensure you read this guide carefully and install the Recovery Console first.

NOTE!!: You must save and run ComboFix.exe on your DESKTOP and not from any other folder. Also, DO NOT click the mouse or launch any other applications while this is running or it may stall the program.

Additional links to download the tool:

http://www.forospyware.com/sUBs/ComboFix.exe

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Click Yes to allow ComboFix to continue scanning for malware.
  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.


Hi,

Looking good :(

Combofix had eked out an autorun worm, but apart from that there are no more signs of infection present.

As I said in my first post, it looked like the CLB driver was no longer active (purged = removed) and all we were doing was checking and cleaning up the orphaned values that remained.
