brew Posted July 29, 2009 ID:103944

Making zero progress in removing Trojan.TDSS. Any help is much appreciated.

Please reference this thread - http://www.malwarebytes.org/forums/index.p...=19420&st=0
Maurice Naggar Posted July 31, 2009 ID:104560

Hello brew,

If you are not being helped elsewhere at any other forum, and you desire continued help here, do the following.

One of the things I'll ask for is that you only post to this thread, make no changes on your own, and not run any other tools or programs without checking here with me.

You will want to print out or copy these instructions to Notepad for Safe Mode/offline reference!

If you are a casual viewer, do NOT try this on your system! If you are not brew and have a similar problem, do NOT post here; start your own topic.

Do not run or start any other programs while these utilities and tools are in use! Do NOT run any other tools on your own or do any fixes other than what is listed here. If you have questions, please ask before you do something on your own. But it is important that you get going on these following steps.

=

Close any of your open programs while you run these tools.

1. Set Windows to show all files and all folders. On your Desktop, double click My Computer; from the menu options, select Tools, then Folder Options, and then select the VIEW tab and look at all of the settings listed. "CHECK" (turn on) Display the contents of system folders. Under the column Hidden files and folders, choose (*select*) Show hidden files and folders. Next, un-check Hide extensions for known file types. Next, un-check Hide protected operating system files.

2. Take out the trash (temporary files & temporary internet files). Please download ATF Cleaner by Atribune, saving it to your desktop. It is used to clean out temporary files & temp areas used by internet browsers.
Start ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browser, do this also:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser, do this also:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
ATF-Cleaner should be run per the above in every user-login account {User Profile}.

=

Next, also do this:
1. Go >> Here << and download ERUNT (ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)
2. Install ERUNT by following the prompts (use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder; if you like you can enable this option later).
3. Start ERUNT (either by double clicking on the desktop icon or choosing to start the program at the end of the setup).
4. Choose a location for the backup (the default location is C:\WINDOWS\ERDNT, which is acceptable).
5. Make sure that at least the first two check boxes are ticked.
6. Press OK.
7. Press YES to create the folder.

=

Download The Avenger by Swandog46 from here.
Unzip/extract it to a folder on your desktop.
Double click on avenger.exe to run The Avenger.
Click OK.
Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
Copy all of the text in the below textbox to the clipboard by highlighting it and then pressing Ctrl+C.

Files to delete:
C:\WINDOWS\system32\a99k.bin
C:\WINDOWS\system32\drivers\geyekrclkkmxow.sys
c:\windows\system32\geyekrkcxxccqt.dll
c:\windows\system32\drivers\msqpdxserv.sys
c:\windows\system32\TDSSweat.dat
C:\WINDOWS\system32\drivers\TDSSmqlt.sys
C:\windows\system32\drivers\tdssserv.sys
C:\WINDOWS\system32\drivers\TDSSmact.sys
C:\WINDOWS\system32\TDSSfpmp.dll
C:\WINDOWS\system32\TDSSwpyd.dat
C:\WINDOWS\system32\TDSStkdv.log
C:\WINDOWS\system32\TDSSotxb.dll
C:\WINDOWS\system32\TDSScrrn.dll
C:\WINDOWS\system32\TDSSbvqh.dll
C:\WINDOWS\system32\TDSSjnmx.dll
c:\windows\system32\TDSShrxr.dll
c:\windows\system32\TDSSkkbi.log
c:\windows\system32\TDSSlrvd.dat
c:\windows\system32\TDSSlxwp.dll
c:\windows\system32\TDSSnmxh.log
c:\windows\system32\TDSSoiqt.dll
c:\windows\system32\TDSSrhyp.log
c:\windows\system32\TDSSrtqp.dll
c:\windows\system32\TDSSsihc.dll
c:\windows\system32\TDSSxfum.dll
c:\windows\system32\TDSSmtve.dat
c:\windows\system32\TDSSnirj.dat
C:\WINDOWS\SYSTEM32\TDSSixgp.dll
C:\WINDOWS\SYSTEM32\TDSSproc.log
C:\WINDOWS\SYSTEM32\TDSSwkod.log
c:\windows\sysguard.exe
c:\windows\system32\sdra64.exe

Drivers to delete:
geyekrclkkmxow
geyekrclkkmxow.sys
gxvxcserv
ovfsthx
UACd.sys
UACd
gaopdxserv.sys
gaopdxserv
gaopdxl
tdss
tdssserv
TDSSserv.SYS
Service_TDSSSERV.SYS
Legacy_TDSSSERV.SYS
msqpdxserv.sys
msqpdxserv

Folders to delete:
C:\recycler
D:\recycler
e:\recycler
f:\recycler
g:\recycler
h:\recycler

In the Avenger window, click the Paste Script from Clipboard icon/button.
:!: Make sure that what appears in Avenger matches exactly what you were asked to Copy/Paste from the Code box above.
Click the Execute button.
You will be asked "Are you sure you want to execute the current script?". Click Yes.
You will now be asked "First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?". Click Yes.
Your PC will now be rebooted.
Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation. If that is the case, it will force a BSOD on the first reboot. This is normal & expected behaviour.
After your PC has completed the necessary reboots, a log should automatically open. Please copy/paste the contents of c:\avenger.txt into your next reply.
Not all the items will be found, so do not worry. Hopefully enough of the rootkit will be removed so that we can continue forward with more cleaning.
If you get a blue screen abort when it reboots, please write down all the information, STOP codes and description, and then reboot the system again.

=

Next, download SysProt Antirootkit from the link below: >> here <<
It is at the bottom of the page under "Attachments".
Unzip it into a folder on your desktop.
Double click Sysprot.exe to start the program.
Click on the Log tab.
In the Write to log box select all items.
Click on the Create Log button on the bottom right.
After a few seconds a new window should appear. Select Scan Root Drive. Click on the Start button.
When it is complete a new window will appear to indicate that the scan is finished.
The log will be saved automatically in the same folder Sysprot.exe was extracted to. Open the text file and copy/paste the log here.

=

Reply with a copy of C:\Avenger.txt and the Sysprot log.
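The SysProt log requested in the post above lists every loaded kernel module with a "Hidden: Yes/No" flag. As an added example (not part of this thread, and not code from SysProt or its author), here is a small Python script that reads the "Kernel Modules:" section of such a log and flags the entries a responder would look at first: a module the tool reports as hidden, or one loaded from a bare file name with no path on disk. The sample log embedded in the script is constructed to match the log layout, and "example_hidden.sys" is a made-up name standing in for a hidden driver.

```python
"""Triage the "Kernel Modules:" section of a SysProt AntiRootkit log.

Hypothetical helper written for this thread; it is not part of SysProt.
It reads the one-field-per-line records SysProt writes ("Module Name:",
"Service Name:", "Module Base:", "Module End:", "Hidden:") and flags the
entries worth a closer look. Core modules such as hal.dll legitimately
show "Service Name: ---", so a missing service name on its own is not
treated as a finding; it is only noted when something else is off.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample log, laid out like the SysProt "Kernel Modules:" section.
# "example_hidden.sys" is a made-up name standing in for a hidden driver.
SAMPLE_LOG = r"""
SysProt AntiRootkit v1.0.1.0
by swatkat
********************
Kernel Modules:
Module Name: \WINDOWS\system32\hal.dll
Service Name: ---
Module Base: 8070E000
Module End: 8072E380
Hidden: No
Module Name: C:\WINDOWS\system32\drivers\ACPI.sys
Service Name: ACPI
Module Base: F7438000
Module End: F7466000
Hidden: No
Module Name: example_hidden.sys
Service Name: ---
Module Base: F7487000
Module End: F7496000
Hidden: Yes
********************
"""

FIELD_RE = re.compile(r"^(Module Name|Service Name|Module Base|Module End|Hidden): (.*)$")


@dataclass
class KernelModule:
    name: str
    service: str
    base: int
    end: int
    hidden: bool

    @property
    def size(self) -> int:
        """Mapped size in bytes, derived from the base/end addresses."""
        return self.end - self.base


def parse_kernel_modules(text: str) -> list[KernelModule]:
    """Return the modules listed under 'Kernel Modules:' in a SysProt log."""
    modules: list[KernelModule] = []
    record: dict = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Kernel Modules:":
            in_section = True
            continue
        if not in_section:
            continue
        if line.startswith("****"):
            break  # divider line that closes the section
        match = FIELD_RE.match(line)
        if not match:
            continue  # tolerate stray lines inside the section
        key, value = match.groups()
        if key == "Module Name":
            record = {"name": value}
        elif key == "Service Name":
            record["service"] = value
        elif key == "Module Base":
            record["base"] = int(value, 16)
        elif key == "Module End":
            record["end"] = int(value, 16)
        elif key == "Hidden":
            # "Hidden:" is the last field of a record, so it completes one.
            record["hidden"] = value.lower() == "yes"
            modules.append(KernelModule(**record))
            record = {}
    return modules


def triage(modules: list[KernelModule]) -> list[tuple[KernelModule, list[str]]]:
    """Pair each suspicious module with the reasons it was flagged."""
    findings = []
    for mod in modules:
        reasons = []
        if mod.hidden:
            reasons.append("SysProt reports it as hidden from the loaded-module list")
        if "\\" not in mod.name:
            reasons.append("loaded from a bare file name rather than a path on disk")
        if reasons and mod.service == "---":
            reasons.append("no service name to tie it to a registry entry")
        if reasons:
            findings.append((mod, reasons))
    return findings


if __name__ == "__main__":
    for mod, reasons in triage(parse_kernel_modules(SAMPLE_LOG)):
        print(f"{mod.name}  base={mod.base:08X}  size={mod.size:#x}")
        for reason in reasons:
            print(f"  - {reason}")
```

Run against a real log by replacing SAMPLE_LOG with the file contents; a hit with all three reasons is the pattern of a driver that has unlinked itself from the loaded-module list, and its base/end addresses give the range to hand to whoever examines the memory dump.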
brew Posted July 31, 2009 Author ID:104642

Thank you so much for taking the time to help me out. It is very much appreciated!

Out of frustration, I did try to make some repairs on my own prior to your post. I have a drive attached with Vista on it. I booted to that drive and deleted the geyekrk....... files from the windows/system32 folder on the XP drive. There were 4-5 of them. I also deleted 1 geyekrk....... file from the windows/system32/drivers folder. MBAM no longer reports the Trojan.TDSS. It does, however, see 2 new problems that it cannot get rid of. I have included the MBAM log also. I will not make any future repair attempts without your direction.

I have followed all of your outlined steps and have included the logs -

Avenger Log

Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com
Platform: Windows XP
*******************
Script file opened successfully.
Script file read successfully.
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:
Rootkit scan active.
No rootkits found!
Error: file "C:\WINDOWS\system32\a99k.bin" not found!
Deletion of file "C:\WINDOWS\system32\a99k.bin" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist
Error: file "C:\WINDOWS\system32\drivers\geyekrclkkmxow.sys" not found!
Deletion of file "C:\WINDOWS\system32\drivers\geyekrclkkmxow.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist
Error: file "c:\windows\system32\geyekrkcxxccqt.dll" not found!
Deletion of file "c:\windows\system32\geyekrkcxxccqt.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist
Error: file "c:\windows\system32\drivers\msqpdxserv.sys" not found!
Deletion of file "c:\windows\system32\drivers\msqpdxserv.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist
Error: file "c:\windows\system32\TDSSweat.dat" not found!
Deletion of file "c:\windows\system32\TDSSweat.dat" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist
Error: file "C:\WINDOWS\system32\drivers\TDSSmqlt.sys" not found!
Deletion of file "C:\WINDOWS\system32\drivers\TDSSmqlt.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist
Error: file "C:\windows\system32\drivers\tdssserv.sys" not found!
Deletion of file "C:\windows\system32\drivers\tdssserv.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist
Error: file "C:\WINDOWS\system32\drivers\TDSSmact.sys" not found!
Deletion of file "C:\WINDOWS\system32\drivers\TDSSmact.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist
Error: file "C:\WINDOWS\system32\TDSSfpmp.dll" not found!
Deletion of file "C:\WINDOWS\system32\TDSSfpmp.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist
Error: file "C:\WINDOWS\system32\TDSSwpyd.dat" not found!
Deletion of file "C:\WINDOWS\system32\TDSSwpyd.dat" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist
Error: file "C:\WINDOWS\system32\TDSStkdv.log" not found!
Deletion of file "C:\WINDOWS\system32\TDSStkdv.log" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist
Error: file "C:\WINDOWS\system32\TDSSotxb.dll" not found!
Deletion of file "C:\WINDOWS\system32\TDSSotxb.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist
Error: file "C:\WINDOWS\system32\TDSScrrn.dll" not found!
Deletion of file "C:\WINDOWS\system32\TDSScrrn.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist
Error: file "C:\WINDOWS\system32\TDSSbvqh.dll" not found!
Deletion of file "C:\WINDOWS\system32\TDSSbvqh.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist
Error: file "C:\WINDOWS\system32\TDSSjnmx.dll" not found!
Deletion of file "C:\WINDOWS\system32\TDSSjnmx.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist
Error: file "c:\windows\system32\TDSShrxr.dll" not found!
Deletion of file "c:\windows\system32\TDSShrxr.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist
Error: file "c:\windows\system32\TDSSkkbi.log" not found!
Deletion of file "c:\windows\system32\TDSSkkbi.log" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist
Error: file "c:\windows\system32\TDSSlrvd.dat" not found!
Deletion of file "c:\windows\system32\TDSSlrvd.dat" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist
Error: file "c:\windows\system32\TDSSlxwp.dll" not found!
Deletion of file "c:\windows\system32\TDSSlxwp.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist
Error: file "c:\windows\system32\TDSSnmxh.log" not found!
Deletion of file "c:\windows\system32\TDSSnmxh.log" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist
Error: file "c:\windows\system32\TDSSoiqt.dll" not found!
Deletion of file "c:\windows\system32\TDSSoiqt.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist
Error: file "c:\windows\system32\TDSSrhyp.log" not found!
Deletion of file "c:\windows\system32\TDSSrhyp.log" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist
Error: file "c:\windows\system32\TDSSrtqp.dll" not found!
Deletion of file "c:\windows\system32\TDSSrtqp.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist
Error: file "c:\windows\system32\TDSSsihc.dll" not found!
Deletion of file "c:\windows\system32\TDSSsihc.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist
Error: file "c:\windows\system32\TDSSxfum.dll" not found!
Deletion of file "c:\windows\system32\TDSSxfum.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist
Error: file "c:\windows\system32\TDSSmtve.dat" not found!
Deletion of file "c:\windows\system32\TDSSmtve.dat" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist
Error: file "c:\windows\system32\TDSSnirj.dat" not found!
Deletion of file "c:\windows\system32\TDSSnirj.dat" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist
Error: file "C:\WINDOWS\SYSTEM32\TDSSixgp.dll" not found!
Deletion of file "C:\WINDOWS\SYSTEM32\TDSSixgp.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist
Error: file "C:\WINDOWS\SYSTEM32\TDSSproc.log" not found!
Deletion of file "C:\WINDOWS\SYSTEM32\TDSSproc.log" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist
Error: file "C:\WINDOWS\SYSTEM32\TDSSwkod.log" not found!
Deletion of file "C:\WINDOWS\SYSTEM32\TDSSwkod.log" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist
Error: file "c:\windows\sysguard.exe" not found!
Deletion of file "c:\windows\sysguard.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist
Error: file "c:\windows\system32\sdra64.exe" not found!
Deletion of file "c:\windows\system32\sdra64.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist
Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\geyekrclkkmxow" not found!
Deletion of driver "geyekrclkkmxow" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist
Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\geyekrclkkmxow.sys" not found!
Deletion of driver "geyekrclkkmxow.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist
Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\gxvxcserv" not found!
Deletion of driver "gxvxcserv" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist
Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\ovfsthx" not found!
Deletion of driver "ovfsthx" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist
Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\UACd.sys" not found!
Deletion of driver "UACd.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist
Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\UACd" not found!
Deletion of driver "UACd" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist
Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\gaopdxserv.sys" not found!
Deletion of driver "gaopdxserv.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist
Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\gaopdxserv" not found!
Deletion of driver "gaopdxserv" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist
Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\gaopdxl" not found!
Deletion of driver "gaopdxl" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist
Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\tdss" not found!
Deletion of driver "tdss" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist
Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\tdssserv" not found!
Deletion of driver "tdssserv" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist
Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\TDSSserv.SYS" not found!
Deletion of driver "TDSSserv.SYS" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist
Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\Service_TDSSSERV.SYS" not found!
Deletion of driver "Service_TDSSSERV.SYS" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist
Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\Legacy_TDSSSERV.SYS" not found!
Deletion of driver "Legacy_TDSSSERV.SYS" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist
Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\msqpdxserv.sys" not found!
Deletion of driver "msqpdxserv.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist
Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\msqpdxserv" not found!
Deletion of driver "msqpdxserv" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist
Folder "C:\recycler" deleted successfully.
Folder "D:\recycler" deleted successfully.
Error: could not open folder "e:\recycler"
Deletion of folder "e:\recycler" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND) --> bad path / the parent directory does not exist
Folder "f:\recycler" deleted successfully.
Folder "g:\recycler" deleted successfully.
Error: could not open folder "h:\recycler"
Deletion of folder "h:\recycler" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND) --> bad path / the parent directory does not exist
Completed script processing.
*******************
Finished! Terminate.

Sysprot Log

SysProt AntiRootkit v1.0.1.0
by swatkat
********************************
Process:
Name: [system Idle Process] | PID: 0 | Hidden: No | Window Visible: No
Name: System | PID: 4 | Hidden: No | Window Visible: No
Name: C:\WINDOWS\system32\smss.exe | PID: 956 | Hidden: No | Window Visible: No
Name: C:\WINDOWS\system32\csrss.exe | PID: 1508 | Hidden: No | Window Visible: No
Name: C:\WINDOWS\system32\winlogon.exe | PID: 1696 | Hidden: No | Window Visible: No
Name: C:\WINDOWS\system32\services.exe | PID: 1900 | Hidden: No | Window Visible: No
Name: C:\WINDOWS\system32\lsass.exe | PID: 1912 | Hidden: No | Window Visible: No
Name: C:\WINDOWS\system32\nvsvc32.exe | PID: 284 | Hidden: No | Window Visible: No
Name: C:\WINDOWS\system32\svchost.exe | PID: 532 | Hidden: No | Window Visible: No
Name: C:\WINDOWS\system32\svchost.exe | PID: 612 | Hidden: No | Window Visible: No
Name: C:\WINDOWS\system32\svchost.exe | PID: 776 | Hidden: No | Window Visible: No
Name: C:\WINDOWS\system32\svchost.exe | PID: 932 | Hidden: No | Window Visible: No
Name: C:\WINDOWS\system32\svchost.exe | PID: 1156 | Hidden: No | Window Visible: No
Name: C:\WINDOWS\system32\svchost.exe | PID: 1280 | Hidden: No | Window Visible: No
Name: C:\WINDOWS\system32\spoolsv.exe | PID: 1528 | Hidden: No | Window Visible: No
Name: C:\Program Files\Creative\Shared Files\CTAudSvc.exe | PID: 1596 | Hidden: No | Window Visible: No
Name: C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe | PID: 652 | Hidden: No | Window Visible: No
Name: C:\Program Files\Bonjour\mDNSResponder.exe | PID: 716 | Hidden: No | Window Visible: No
Name: C:\PROGRA~1\COMMON~1\stardock\SDMCP.exe | PID: 2032 | Hidden: No | Window Visible: No
Name: C:\WINDOWS\explorer.exe | PID: 684 | Hidden: No | Window Visible: No
Name: C:\WINDOWS\system32\notepad.exe | PID: 1128 | Hidden: No | Window Visible: Yes
Name: C:\WINDOWS\system32\nvraidservice.exe | PID: 1928 | Hidden: No | Window Visible: No
Name: C:\WINDOWS\system32\Ctxfihlp.exe | PID: 316 | Hidden: No | Window Visible: No
Name: C:\Program Files\Zune\ZuneLauncher.exe | PID: 332 | Hidden: No | Window Visible: No
Name: C:\Program Files\iTunes\iTunesHelper.exe | PID: 460 | Hidden: No | Window Visible: No
Name: C:\WINDOWS\system32\CTxfispi.exe | PID: 484 | Hidden: No | Window Visible: No
Name: C:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe | PID: 2012 | Hidden: No | Window Visible: No
Name: C:\Program Files\Internet Download Manager\IDMan.exe | PID: 924 | Hidden: No | Window Visible: No
Name: C:\Program Files\R-Wipe&Clean\rwiped.exe | PID: 1056 | Hidden: No | Window Visible: No
Name: C:\Program Files\Microsoft ActiveSync\wcescomm.exe | PID: 1096 | Hidden: No | Window Visible: No
Name: C:\WINDOWS\system32\ctfmon.exe | PID: 1104 | Hidden: No | Window Visible: No
Name: C:\PROGRA~1\MICROS~1\rapimgr.exe | PID: 1568 | Hidden: No | Window Visible: No
Name: C:\Program Files\Common Files\Portrait Displays\Shared\HookManager.exe | PID: 372 | Hidden: No | Window Visible: No
Name: C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe | PID: 1668 | Hidden: No | Window Visible: No
Name: C:\Autodesk Network License Manager\lmgrd.exe | PID: 1724 | Hidden: No | Window Visible: No
Name: C:\Program Files\Java\jre6\bin\jqs.exe | PID: 1804 | Hidden: No | Window Visible: No
Name: C:\Autodesk Network License Manager\adskflex.exe | PID: 2052 | Hidden: No | Window Visible: No
Name: C:\WINDOWS\system32\PnkBstrA.exe | PID: 2396 | Hidden: No | Window Visible: No
Name: C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe | PID: 2464 | Hidden: No | Window Visible: No
Name: C:\WINDOWS\system32\svchost.exe | PID: 2480 | Hidden: No | Window Visible: No
Name: C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe | PID: 2492 | Hidden: No | Window Visible: No
Name: C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe | PID: 2772 | Hidden: No | Window Visible: No
Name: C:\WINDOWS\system32\TUProgSt.exe | PID: 2792 | Hidden: No | Window Visible: No
Name: C:\WINDOWS\system32\ZuneBusEnum.exe | PID: 2908 | Hidden: No | Window Visible: No
Name: C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe | PID: 3056 | Hidden: No | Window Visible: No
Name: C:\Program Files\iPod\bin\iPodService.exe | PID: 1572 | Hidden: No | Window Visible: No
Name: C:\WINDOWS\system32\wbem\wmiprvse.exe | PID: 700 | Hidden: No | Window Visible: No
Name: C:\WINDOWS\system32\alg.exe | PID: 2672 | Hidden: No | Window Visible: No
Name: C:\WINDOWS\system32\wbem\unsecapp.exe | PID: 2744 | Hidden: No | Window Visible: No
Name: C:\Program Files\Internet Download Manager\IEMonitor.exe | PID: 3472 | Hidden: No | Window Visible: No
Name: C:\WINDOWS\system32\wuauclt.exe | PID: 3780 | Hidden: No | Window Visible: No
Name: C:\Program Files\Internet Explorer\iexplore.exe | PID: 1716 | Hidden: No | Window Visible: No
Name: C:\Program Files\Internet Explorer\iexplore.exe | PID: 2324 | Hidden: No | Window Visible: No
Name: C:\Documents and Settings\me\Desktop\SysProt\SysProt.exe | PID: 2392 | Hidden: No | Window Visible: Yes
********************************
Kernel Modules:
Module Name: \??\C:\Documents and Settings\me\Desktop\SysProt\SysProtDrv.sys | Service Name: SysProtDrv.sys | Module Base: B4512000 | Module End: B451D000 | Hidden: No
Module Name: \WINDOWS\system32\TUKERNEL.EXE | Service Name: --- | Module Base: 804D7000 | Module End: 8070D280 | Hidden: No
Module Name: \WINDOWS\system32\hal.dll | Service Name: --- | Module Base: 8070E000 | Module End: 8072E380 | Hidden: No
Module Name: \WINDOWS\system32\KDCOM.DLL | Service Name: --- | Module Base: F7987000 | Module End: F7989000 | Hidden: No
Module Name: \WINDOWS\system32\BOOTVID.dll | Service Name: --- | Module Base: F7897000 | Module End: F789A000 | Hidden: No
Module Name: mghavho.sys | Service Name: --- | Module Base: F7487000 | Module End: F7496000 | Hidden: Yes
Module Name: C:\WINDOWS\system32\drivers\ACPI.sys | Service Name: ACPI | Module Base: F7438000 | Module End: F7466000 | Hidden: No
Module Name: \WINDOWS\system32\DRIVERS\WMILIB.SYS | Service Name: --- | Module Base: F7989000 | Module End: F798B000 | Hidden: No
Module Name: C:\WINDOWS\system32\drivers\pci.sys | Service Name: PCI | Module Base: F7427000 | Module End: F7438000 | Hidden: No
Module Name: C:\WINDOWS\system32\drivers\isapnp.sys | Service Name: isapnp | Module Base: F7497000 | Module End: F74A0000 | Hidden: No
Module Name: C:\WINDOWS\system32\drivers\ohci1394.sys | Service Name: ohci1394 | Module Base: F74A7000 | Module End: F74B6000 | Hidden: No
Module Name: \WINDOWS\system32\DRIVERS\1394BUS.SYS | Service Name: --- | Module Base: F74B7000 | Module End: F74C4000 | Hidden: No
Module Name: C:\WINDOWS\system32\drivers\pciide.sys | Service Name: PCIIde | Module Base: F7A4F000 | Module End: F7A50000 | Hidden: No
Module Name: \WINDOWS\system32\DRIVERS\PCIIDEX.SYS | Service Name: --- | Module Base: F7707000 | Module End: F770E000 | Hidden: No
Module Name: C:\WINDOWS\system32\drivers\MountMgr.sys | Service Name: MountMgr | Module Base: F74C7000 | Module End: F74D2000 | Hidden: No
Module Name: C:\WINDOWS\system32\drivers\ftdisk.sys | Service Name: Disk | Module Base: F7408000 | Module End: F7427000 | Hidden: No
Module Name: C:\WINDOWS\system32\drivers\dmload.sys | Service Name: dmload | Module Base: F798B000 | Module End: F798D000 | Hidden: No
Module Name: C:\WINDOWS\system32\drivers\dmio.sys | Service Name: dmio | Module Base: F73E2000 | Module End: F7408000 | Hidden: No
Module Name: C:\WINDOWS\system32\drivers\nvraid.sys | Service Name: nvraid | Module Base: F73CD000 | Module End: F73E2000 | Hidden: No
Module Name: \WINDOWS\system32\drivers\CLASSPNP.SYS | Service Name: --- | Module Base: F74D7000 | Module End: F74E4000 | Hidden: No
Module Name: C:\WINDOWS\system32\drivers\PartMgr.sys | Service Name: PartMgr | Module Base: F770F000 | Module End: F7714000 | Hidden: No
Module Name: C:\WINDOWS\system32\drivers\VolSnap.sys | Service Name: VolSnap | Module Base: F74E7000 | Module End: F74F4000 | Hidden: No
Module Name: C:\WINDOWS\system32\drivers\atapi.sys | Service Name: atapi | Module Base: F73B5000 | Module End: F73CD000 | Hidden: No
Module Name: C:\WINDOWS\system32\drivers\nvatabus.sys | Service Name: nvatabus | Module Base: F739C000 | Module End: F73B5000 | Hidden: No
Module Name: C:\WINDOWS\system32\drivers\SI3132.sys | Service Name: SI3132 | Module Base: F738B000 | Module End: F739C000 | Hidden: No
Module Name: \WINDOWS\system32\DRIVERS\SCSIPORT.SYS | Service Name: ScsiPort | Module Base: F7373000 | Module End: F738B000 | Hidden: No
Module Name: C:\WINDOWS\system32\drivers\disk.sys | Service Name: --- | Module Base: F74F7000 | Module End: F7500000 | Hidden: No
Module Name: C:\WINDOWS\system32\drivers\fltmgr.sys | Service Name: FltMgr | Module Base: F733A000 | Module End: F735A000 | Hidden: No
Module Name: C:\WINDOWS\system32\drivers\sr.sys | Service Name: sr | Module Base: F7328000 | Module End: F733A000 | Hidden: No
Module Name: C:\WINDOWS\system32\drivers\PxHelp20.sys | Service Name: PxHelp20 | Module Base: F7717000 | Module End: F771C000 | Hidden: No
Module Name: C:\WINDOWS\system32\drivers\SiWinAcc.sys | Service Name: SiFilter | Module Base: F789B000 | Module End: F789E000 | Hidden: No
Module Name: C:\WINDOWS\system32\drivers\KSecDD.sys | Service Name: KSecDD | Module Base: F72FB000 | Module End: F7312000 | Hidden: No
Module Name: C:\WINDOWS\system32\drivers\WudfPf.sys | Service Name: WudfPf | Module Base: F72E8000 | Module End: F72FB000 | Hidden: No
Module Name: C:\WINDOWS\system32\drivers\Ntfs.sys | Service Name: Ntfs | Module Base: F725B000 | Module End: F72E8000 | Hidden: No
Module Name: C:\WINDOWS\system32\drivers\NDIS.sys | Service Name: NDIS | Module Base: F722E000 | Module End: F725B000 | Hidden: No
Module Name: C:\WINDOWS\system32\drivers\Mup.sys | Service Name: Mup | Module Base: F7213000 | Module End: F722E000 | Hidden: No
Module Name: C:\WINDOWS\system32\drivers\ABIT-IO.sys | Service Name: ABIT-IO | Module Base: F7727000 | Module End: F772D000 | Hidden: No
Module Name: C:\WINDOWS\System32\DRIVERS\processr.sys | Service Name: Processor | Module Base: F7567000 | Module End: F7570000 | Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\nv4_mini.sys | Service Name: nv | Module Base: F6A14000 | Module End: F71CB000 | Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS | Service Name: --- | Module Base: F6A00000 | Module End: F6A14000 | Hidden: No
Module Name: C:\WINDOWS\System32\drivers\pivot.sys | Service Name: pivot | Module Base: F7577000 | Module End: F7581000 | Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\usbohci.sys | Service Name: usbohci | Module Base: F77CF000 | Module End: F77D4000 | Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\USBPORT.SYS | Service Name: --- | Module Base: F69DD000 | Module End: F6A00000 | Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\usbehci.sys | Service Name: usbehci | Module Base: F77FF000 | Module End: F7806000 | Hidden: No
Module Name: C:\WINDOWS\System32\DRIVERS\imapi.sys | Service Name: Imapi | Module Base: F7587000 | Module End: F7592000 | Hidden: No
Module Name: C:\WINDOWS\System32\DRIVERS\cdrom.sys | Service Name: Cdrom | Module Base: F7597000 | Module End: F75A7000 | Hidden: No
Module Name: C:\WINDOWS\System32\DRIVERS\redbook.sys | Service Name: redbook | Module Base: F75A7000 | Module End: F75B6000 | Hidden: No
Module Name: C:\WINDOWS\System32\DRIVERS\ks.sys | Service Name: --- | Module Base: F69BA000 | Module End: F69DD000 | Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys | Service Name: GEARAspiWDM | Module Base: F75B7000 | Module End: F75C1000 | Hidden: No
Module Name: C:\WINDOWS\system32\drivers\ctaud2k.sys | Service Name: ctaud2k | Module Base: F693A000 | Module End: F69BA000 | Hidden: No
Module Name: C:\WINDOWS\system32\drivers\portcls.sys | Service Name: --- | Module Base: F6916000 | Module End: F693A000 | Hidden: No
Module Name: C:\WINDOWS\system32\drivers\drmk.sys | Service Name: --- | Module Base: F75C7000 | Module End: F75D6000 | Hidden: No
Module Name: C:\WINDOWS\system32\drivers\ctoss2k.sys | Service Name: ossrv | Module Base: F68E2000 | Module End: F6916000 | Hidden: No
Module Name: C:\WINDOWS\system32\drivers\ctprxy2k.sys | Service Name: ctprxy2k | Module Base: F7877000 | Module End: F787F000 | Hidden: No
Module Name: C:\WINDOWS\System32\DRIVERS\nic1394.sys | Service Name: NIC1394 | Module Base: F75D7000 | Module End: F75E7000 | Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\nvnetbus.sys | Service Name: nvnetbus | Module Base: F75E7000 | Module End: F75F0000 | Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\NVNRM.SYS | Service Name: --- | Module Base: F67DD000 | Module End: F68E2000 | Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\NVSNPU.SYS | Service Name: --- | Module Base: F678A000 | Module End: F67DD000 | Hidden: No
Module Name: C:\WINDOWS\System32\DRIVERS\ASACPI.sys | Service Name: MTsensor | Module Base: F7999000 | Module End: F799B000 | Hidden: No
Module Name: C:\WINDOWS\System32\DRIVERS\audstub.sys | Service Name: audstub | Module Base: F7B99000 | Module End: F7B9A000 | Hidden: No
Module Name: C:\WINDOWS\System32\DRIVERS\rasl2tp.sys | Service Name: Rasl2tp | Module Base: F75F7000 | Module End: F7604000 | Hidden: No
Module Name: C:\WINDOWS\System32\DRIVERS\ndistapi.sys | Service Name: NdisTapi | Module Base: F7967000 | Module End: F796A000 | Hidden: No
Module Name: C:\WINDOWS\System32\DRIVERS\ndiswan.sys | Service Name: NdisWan | Module Base: F66D3000 | Module End: F66EA000 | Hidden: No
Module Name: C:\WINDOWS\System32\DRIVERS\raspppoe.sys | Service Name: RasPppoe | Module Base: F7607000 | Module End: F7612000 | Hidden: No
Module Name: C:\WINDOWS\System32\DRIVERS\raspptp.sys | Service Name: PptpMiniport | Module Base: F7617000 | Module End: F7623000 | Hidden: No
Module Name: C:\WINDOWS\System32\DRIVERS\TDI.SYS | Service Name: --- | Module Base: F77BF000 | Module End: F77C4000 | Hidden: No
Module Name: C:\WINDOWS\System32\DRIVERS\psched.sys | Service Name: PSched | Module Base: F66C2000 | Module End: F66D3000 | Hidden: No
Module Name: C:\WINDOWS\System32\DRIVERS\msgpc.sys | Service Name: Gpc | Module Base: F7627000 | Module End: F7630000 | Hidden: No
Module Name: C:\WINDOWS\System32\DRIVERS\ptilink.sys | Service Name: Ptilink | Module Base: F77EF000 | Module End: F77F4000 | Hidden: No
Module Name: C:\WINDOWS\System32\DRIVERS\raspti.sys | Service Name: Raspti | Module Base: F7807000 | Module End: F780C000 | Hidden: No
Module Name: C:\WINDOWS\System32\Drivers\PdiPorts.sys | Service Name: PdiPorts | Module Base: F797F000 | Module End: F7982000 | Hidden: No
Module Name: C:\WINDOWS\System32\DRIVERS\rdpdr.sys | Service Name: rdpdr | Module Base: F6669000 | Module End: F669A000 | Hidden: No
Module Name: C:\WINDOWS\System32\DRIVERS\termdd.sys | Service Name: TermDD | Module Base: F7637000 | Module End: F7641000 | Hidden: No
Module Name: C:\WINDOWS\System32\DRIVERS\kbdclass.sys | Service Name: Kbdclass | Module Base: F785F000 | Module End: F7865000 | Hidden: No
Module Name: C:\WINDOWS\System32\DRIVERS\mouclass.sys | Service Name: Mouclass | Module Base: F786F000 | Module End: F7875000 | Hidden: No
Module Name: C:\WINDOWS\system32\drivers\SaiNtBus.sys | Service Name: SaiNtBus | Module Base: F7887000 | Module End: F788E000 | Hidden: No
Module Name: C:\WINDOWS\System32\DRIVERS\swenum.sys | Service Name: swenum | Module Base: F79A3000 | Module End: F79A5000 | Hidden: No
Module Name: C:\WINDOWS\System32\DRIVERS\update.sys | Service Name: Update | Module Base: F6635000 | Module End: F6669000 | Hidden: No
Module Name: C:\WINDOWS\System32\DRIVERS\mssmbios.sys | Service Name: mssmbios | Module Base: F71DF000 | Module End: F71E3000 | Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\a347bus.sys | Service Name: a347bus | Module Base: F71D7000 | Module End: F71DA000 | Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\zumbus.sys | Service Name: zumbus | Module Base: F7647000 | Module End: F7651000 | Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\WDFLDR.SYS | Service Name: --- | Module Base: F7657000 | Module End: F7664000 | Hidden: No
Module Name: C:\WINDOWS\System32\Drivers\wdf01000.sys | Service Name: Wdf01000 | Module Base: F65B9000 | Module End: F6635000 | Hidden: No
Module Name: C:\WINDOWS\system32\drivers\windrvr6.sys | Service Name: WinDriver6 | Module Base: F658D000 | Module End: F65B9000 | Hidden: No
Module Name: C:\WINDOWS\System32\Drivers\NDProxy.SYS | Service Name: NDProxy | Module Base: F7667000 | Module End: F7671000 | Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\SaiMini.sys | Service Name: SaiMini | Module Base: F795F000 | Module End: F7963000 | Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS | Service Name: --- | Module Base: F7677000 | Module End: F7680000 | Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS | Service Name: --- | Module Base: F780F000 | Module End: F7816000 | Hidden: No
Module Name: C:\WINDOWS\System32\DRIVERS\mouhid.sys | Service Name: mouhid | Module Base: F66BE000 | Module End: F66C1000 | Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\kbdhid.sys | Service Name: kbdhid | Module Base: F66B6000 | Module End: F66BA000 | Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\usbhub.sys | Service Name: usbhub | Module Base: F7687000 | Module End: F7696000 | Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\USBD.SYS | Service Name: --- | Module Base: F79B3000 | Module End: F79B5000 | Hidden: No
Module Name: C:\WINDOWS\system32\DRIVERS\NVENETFD.sys | Service Name: NVENETFD | Module Base: F76A7000 | Module End: F76B4000 | Hidden: No
Module Name: C:\WINDOWS\system32\drivers\ha20x2k.sys | Service Name: ha20x2k | Module Base: EDFA3000 | Module End: EE0C5000 | Hidden: No
Module Name: C:\WINDOWS\system32\drivers\emupia2k.sys | Service Name: emupia | Module Base: EDF74000 | Module End: EDFA3000 | Hidden: No
Module Name: C:\WINDOWS\system32\drivers\ctsfm2k.sys | Service Name: ctsfm2k | Module Base: EDF4B000 | Module End: EDF74000 | Hidden: No
Module Name: C:\WINDOWS\system32\drivers\ctac32k.sys | Service Name: ctac32k | Module Base: EDEAF000 | Module End: EDF4B000 | Hidden: No
Module Name: C:\WINDOWS\system32\CTHWIUT.DLL | Service Name: CTHWIUT.DLL | Module Base: EDE9A000 | Module End: EDEAF000 | Hidden: No
Module Name: C:\WINDOWS\system32\CT20XUT.DLL | Service Name: CT20XUT.DLL | Module Base: EDE6E000 | Module End: EDE9A000 | Hidden: No
Module Name: C:\WINDOWS\system32\CTEXFIFX.DLL | Service Name: CTEXFIFX.DLL | Module Base: EDD27000 | Module End: EDE6E000 | Hidden: No
Module Name: C:\WINDOWS\System32\Drivers\Cdr4_xp.SYS | Service Name: Cdr4_xp | Module Base: F76D7000 | Module End: F76E2000 | Hidden: No
Module Name: C:\WINDOWS\System32\Drivers\Cdralw2k.SYS | Service Name: Cdralw2k | Module Base: F77E7000 | Module End: F77EE000 | Hidden: No
Module Name: C:\WINDOWS\System32\Drivers\pwd_2k.SYS | Service Name: pwd_2k | Module Base: EDD0A000 | Module End: EDD27000 | Hidden: No
Module Name: C:\WINDOWS\System32\Drivers\Fs_Rec.SYS | Service Name: Fs_Rec | Module Base: F79CF000 | Module End: F79D1000 | Hidden: No
Module Name: C:\WINDOWS\System32\Drivers\Null.SYS | Service Name: Null | Module Base: F7B37000 | Module End: F7B38000 | Hidden: No
Module Name: C:\WINDOWS\System32\Drivers\Beep.SYS | Service Name: Beep | Module Base: F79D3000 | Module End: F79D5000 | Hidden: No
Module Name: C:\WINDOWS\System32\drivers\vga.sys | Service Name: VgaSave | Module Base: F784F000 | Module End: F7855000 | Hidden: No
Module Name: C:\WINDOWS\System32\Drivers\mnmdd.SYS | Service 
Name: mnmddModule Base: F79D7000Module End: F79D9000Hidden: NoModule Name: C:\WINDOWS\System32\DRIVERS\RDPCDD.sysService Name: RDPCDDModule Base: F79DB000Module End: F79DD000Hidden: NoModule Name: C:\WINDOWS\System32\Drivers\cdudf_xp.SYSService Name: cdudf_xpModule Base: EDCA4000Module End: EDCEA000Hidden: NoModule Name: C:\WINDOWS\System32\Drivers\DVDVRRdr_xp.SYSService Name: DVDVRRdr_xpModule Base: EDC6F000Module End: EDC92000Hidden: NoModule Name: C:\WINDOWS\System32\Drivers\Msfs.SYSService Name: MsfsModule Base: F778F000Module End: F7794000Hidden: NoModule Name: C:\WINDOWS\System32\Drivers\Npfs.SYSService Name: NpfsModule Base: F779F000Module End: F77A7000Hidden: NoModule Name: C:\WINDOWS\System32\Drivers\UDFReadr.SYSService Name: UDFReadrModule Base: EDC04000Module End: EDC35000Hidden: NoModule Name: C:\WINDOWS\System32\DRIVERS\rasacd.sysService Name: RasAcdModule Base: F66B2000Module End: F66B5000Hidden: NoModule Name: C:\WINDOWS\System32\DRIVERS\ipsec.sysService Name: IPSecModule Base: EDBDF000Module End: EDBF2000Hidden: NoModule Name: C:\WINDOWS\System32\DRIVERS\tcpip.sysService Name: TcpipModule Base: EDB87000Module End: EDBDF000Hidden: NoModule Name: C:\WINDOWS\System32\DRIVERS\netbt.sysService Name: NetBTModule Base: EDB5F000Module End: EDB87000Hidden: NoModule Name: C:\WINDOWS\system32\DRIVERS\ipnat.sysService Name: IpNatModule Base: EDB3E000Module End: EDB5F000Hidden: NoModule Name: C:\WINDOWS\System32\DRIVERS\wanarp.sysService Name: WanarpModule Base: F76F7000Module End: F7700000Hidden: NoModule Name: C:\WINDOWS\System32\drivers\ws2ifsl.sysService Name: WS2IFSLModule Base: F669A000Module End: F669D000Hidden: NoModule Name: C:\WINDOWS\System32\drivers\afd.sysService Name: AFDModule Base: EDAF4000Module End: EDB16000Hidden: NoModule Name: C:\WINDOWS\System32\DRIVERS\arp1394.sysService Name: Arp1394Module Base: F7547000Module End: F7556000Hidden: NoModule Name: C:\WINDOWS\System32\DRIVERS\netbios.sysService Name: NetBIOSModule Base: F7557000Module End: 
F7560000Hidden: NoModule Name: C:\WINDOWS\System32\DRIVERS\rdbss.sysService Name: RdbssModule Base: EDAC9000Module End: EDAF4000Hidden: NoModule Name: C:\WINDOWS\System32\Drivers\PQIMount.SYSService Name: PQIMountModule Base: F7507000Module End: F7510000Hidden: NoModule Name: C:\WINDOWS\System32\DRIVERS\mrxsmb.sysService Name: MRxSmbModule Base: EDA0A000Module End: EDA79000Hidden: NoModule Name: \??\C:\Program Files\UltraISO\drivers\ISODrive.sysService Name: ISODriveModule Base: ED9F3000Module End: EDA0A000Hidden: NoModule Name: \??\C:\WINDOWS\system32\drivers\ikhlayer.sysService Name: ikhlayerModule Base: F677A000Module End: F6787000Hidden: NoModule Name: C:\WINDOWS\System32\Drivers\Fips.SYSService Name: FipsModule Base: F676A000Module End: F6773000Hidden: NoModule Name: C:\WINDOWS\system32\drivers\AsIO.sysService Name: AsIOModule Base: F79E3000Module End: F79E5000Hidden: NoModule Name: C:\WINDOWS\system32\DRIVERS\usbccgp.sysService Name: usbccgpModule Base: F783F000Module End: F7847000Hidden: NoModule Name: C:\WINDOWS\System32\Drivers\LHidUsbK.SysService Name: LHidUsbKModule Base: F673A000Module End: F6743000Hidden: NoModule Name: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYSService Name: USBSTORModule Base: F77A7000Module End: F77AE000Hidden: NoModule Name: C:\WINDOWS\system32\DRIVERS\hidusb.sysService Name: HidUsbModule Base: EDAA5000Module End: EDAA8000Hidden: NoModule Name: C:\WINDOWS\system32\DRIVERS\LHidKE.SysService Name: LHidKeModule Base: F77B7000Module End: F77BE000Hidden: NoModule Name: C:\WINDOWS\system32\DRIVERS\LMouKE.SysService Name: LMouKEModule Base: ED9BA000Module End: ED9CB000Hidden: NoModule Name: C:\WINDOWS\System32\Drivers\Cdfs.SYSService Name: CdfsModule Base: F672A000Module End: F673A000Hidden: NoModule Name: \SystemRoot\System32\Drivers\dump_nvraid.sysService Name: ---Module Base: ED9A5000Module End: ED9BA000Hidden: YesModule Name: \SystemRoot\System32\Drivers\dump_CLASSPNP.SYSService Name: ---Module Base: F671A000Module End: F6727000Hidden: 
YesModule Name: C:\WINDOWS\System32\drivers\Dxapi.sysService Name: ---Module Base: EDA81000Module End: EDA84000Hidden: NoModule Name: C:\WINDOWS\System32\watchdog.sysService Name: ---Module Base: F777F000Module End: F7784000Hidden: NoModule Name: C:\WINDOWS\System32\drivers\dxgthk.sysService Name: ---Module Base: F7B2E000Module End: F7B2F000Hidden: NoModule Name: \??\C:\WINDOWS\system32\Drivers\GDFSHK.SYSService Name: GdFsHookModule Base: F774F000Module End: F7756000Hidden: NoModule Name: C:\WINDOWS\system32\DRIVERS\RadProbe.sysService Name: RadProbeModule Base: F77C7000Module End: F77CC000Hidden: NoModule Name: \??\C:\WINDOWS\system32\Drivers\GDTDI.SYSService Name: GdTdiModule Base: B8690000Module End: B869D000Hidden: NoModule Name: C:\WINDOWS\system32\DRIVERS\LANPkt.sysService Name: LANPktModule Base: F79ED000Module End: F79EF000Hidden: NoModule Name: C:\WINDOWS\System32\DRIVERS\ndisuio.sysService Name: NdisuioModule Base: B85DC000Module End: B85E0000Hidden: NoModule Name: C:\WINDOWS\System32\DRIVERS\mrxdav.sysService Name: MRxDAVModule Base: B8374000Module End: B83A0000Hidden: NoModule Name: \??\C:\PROGRA~1\CheckIt\DIAGNO~1\BCMNTIO.sysService Name: BCMNTIOModule Base: F7ADE000Module End: F7ADF000Hidden: NoModule Name: C:\WINDOWS\system32\drivers\wdmaud.sysService Name: wdmaudModule Base: B826F000Module End: B8284000Hidden: NoModule Name: C:\WINDOWS\system32\drivers\sysaudio.sysService Name: sysaudioModule Base: B83C0000Module End: B83CF000Hidden: NoModule Name: \??\C:\PROGRA~1\CheckIt\DIAGNO~1\MAPMEM.sysService Name: MAPMEMModule Base: F7ADC000Module End: F7ADD000Hidden: NoModule Name: C:\WINDOWS\System32\DRIVERS\srv.sysService Name: SrvModule Base: B4BCA000Module End: B4C1C000Hidden: NoModule Name: \??\C:\WINDOWS\system32\drivers\PfModNT.sysService Name: PfDetNTModule Base: B4B8B000Module End: B4BA2000Hidden: NoModule Name: \??\C:\WINDOWS\system32\drivers\symlcbrd.sysService Name: symlcbrdModule Base: F7777000Module End: F777D000Hidden: NoModule Name: 
C:\WINDOWS\System32\Drivers\HTTP.sysService Name: HTTPModule Base: B47B2000Module End: B47F3000Hidden: NoModule Name: C:\WINDOWS\system32\drivers\kmixer.sysService Name: kmixerModule Base: B425C000Module End: B4287000Hidden: No************************************************************************************************************************************************************************************No SSDT Hooks found************************************************************************************************************************************************************************************Kernel Hooks:Hooked Function: PsTerminateSystemThreadAt Address: 8057BF6DJump To: 8057A427Module Name: \WINDOWS\system32\TUKERNEL.EXEHooked Function: ZwWaitForKeyedEventAt Address: 806487CFJump To: 804E243BModule Name: \WINDOWS\system32\TUKERNEL.EXEHooked Function: ZwReleaseKeyedEventAt Address: 80648534Jump To: 804E243BModule Name: \WINDOWS\system32\TUKERNEL.EXEHooked Function: ZwOpenKeyedEventAt Address: 80581E8FJump To: 804E243BModule Name: \WINDOWS\system32\TUKERNEL.EXEHooked Function: ZwCreateKeyedEventAt Address: 805C7D14Jump To: 804E243BModule Name: \WINDOWS\system32\TUKERNEL.EXEHooked Function: ZwYieldExecutionAt Address: 804FB131Jump To: 804DC052Module Name: \WINDOWS\system32\TUKERNEL.EXEHooked Function: ZwWriteVirtualMemoryAt Address: 8057E5E7Jump To: 804E243BModule Name: \WINDOWS\system32\TUKERNEL.EXEHooked Function: ZwWriteRequestDataAt Address: 80588EBDJump To: 80588B06Module Name: \WINDOWS\system32\TUKERNEL.EXEHooked Function: ZwWriteFileGatherAt Address: 805D62F5Jump To: 804E243BModule Name: \WINDOWS\system32\TUKERNEL.EXEHooked Function: ZwWriteFileAt Address: 805780DCJump To: 804E243BModule Name: \WINDOWS\system32\TUKERNEL.EXEHooked Function: ZwWaitLowEventPairAt Address: 8064772AJump To: 80563D68Module Name: \WINDOWS\system32\TUKERNEL.EXEHooked Function: ZwWaitHighEventPairAt Address: 80647794Jump To: 80563D68Module Name: 
\WINDOWS\system32\TUKERNEL.EXEHooked Function: ZwWaitForSingleObjectAt Address: 80565311Jump To: 804E243BModule Name: \WINDOWS\system32\TUKERNEL.EXEHooked Function: ZwWaitForMultipleObjectsAt Address: 80565878Jump To: 804E243BModule Name: \WINDOWS\system32\TUKERNEL.EXEHooked Function: ZwWaitForDebugEventAt Address: 806587E2Jump To: 804E243BModule Name: \WINDOWS\system32\TUKERNEL.EXEHooked Function: ZwVdmControlAt Address: 805B3927Jump To: 804E243BModule Name: \WINDOWS\system32\TUKERNEL.EXEHooked Function: ZwUnmapViewOfSectionAt Address: 80572EBEJump To: 80563D68Module Name: \WINDOWS\system32\TUKERNEL.EXEHooked Function: ZwUnlockVirtualMemoryAt Address: 806257DCJump To: 804E243BModule Name: \WINDOWS\system32\TUKERNEL.EXEHooked Function: ZwUnlockFileAt Address: 8058A317Jump To: 804E243BModule Name: \WINDOWS\system32\TUKERNEL.EXEHooked Function: ZwUnloadKeyExAt Address: 8064C22FJump To: 804E243BModule Name: \WINDOWS\system32\TUKERNEL.EXEHooked Function: ZwUnloadKeyAt Address: 8064C032Jump To: 804E243BModule Name: \WINDOWS\system32\TUKERNEL.EXEHooked Function: ZwUnloadDriverAt Address: 8061845EJump To: 80530A6EModule Name: \WINDOWS\system32\TUKERNEL.EXEHooked Function: ZwTranslateFilePathAt Address: 80646EFEJump To: 804E243BModule Name: \WINDOWS\system32\TUKERNEL.EXEHooked Function: ZwTraceEventAt Address: 80544D9FJump To: 804E243BModule Name: \WINDOWS\system32\TUKERNEL.EXEHooked Function: ZwTestAlertAt Address: 8057B32DJump To: 804E6199Module Name: \WINDOWS\system32\TUKERNEL.EXEHooked Function: ZwTerminateThreadAt Address: 8057A921Jump To: 80563D68Module Name: \WINDOWS\system32\TUKERNEL.EXEHooked Function: ZwTerminateProcessAt Address: 80582C6FJump To: 80563D68Module Name: \WINDOWS\system32\TUKERNEL.EXEHooked Function: ZwTerminateJobObjectAt Address: 8062E679Jump To: 80563D68Module Name: \WINDOWS\system32\TUKERNEL.EXEHooked Function: ZwSystemDebugControlAt Address: 806480C0Jump To: 804E243BModule Name: \WINDOWS\system32\TUKERNEL.EXEHooked Function: ZwSuspendThreadAt 
Address: 805DF825Jump To: 804E243BModule Name: \WINDOWS\system32\TUKERNEL.EXEHooked Function: ZwSuspendProcessAt Address: 8062DD46Jump To: 80563D68Module Name: \WINDOWS\system32\TUKERNEL.EXEHooked Function: ZwStopProfileAt Address: 80647F85Jump To: 80563D68Module Name: \WINDOWS\system32\TUKERNEL.EXEHooked Function: ZwStartProfileAt Address: 80647DA7Jump To: 804E243BModule Name: \WINDOWS\system32\TUKERNEL.EXEHooked Function: ZwSignalAndWaitForSingleObjectAt Address: 80515F2BJump To: 804E243BModule Name: \WINDOWS\system32\TUKERNEL.EXEHooked Function: ZwShutdownSystemAt Address: 80645584Jump To: 80665527Module Name: \WINDOWS\system32\TUKERNEL.EXEHooked Function: ZwSetVolumeInformationFileAt Address: 806160AAJump To: 804E243BModule Name: \WINDOWS\system32\TUKERNEL.EXEHooked Function: ZwSetValueKeyAt Address: 80574C24Jump To: 804E243BModule Name: \WINDOWS\system32\TUKERNEL.EXEHooked Function: ZwSetUuidSeedAt Address: 805A70BDJump To: 804E243BModule Name: \WINDOWS\system32\TUKERNEL.EXEHooked Function: ZwSetTimerResolutionAt Address: 805DFBAFJump To: 804E243BModule Name: \WINDOWS\system32\TUKERNEL.EXEHooked Function: ZwSetTimerAt Address: 804E57A2Jump To: 804E243BModule Name: \WINDOWS\system32\TUKERNEL.EXEHooked Function: ZwSetThreadExecutionStateAt Address: 805DF529Jump To: 804E243BModule Name: \WINDOWS\system32\TUKERNEL.EXEHooked Function: ZwSetSystemTimeAt Address: 80645E12Jump To: 804E243BModule Name: \WINDOWS\system32\TUKERNEL.EXEHooked Function: ZwSetSystemPowerStateAt Address: 80665531Jump To: 804E243BModule Name: \WINDOWS\system32\TUKERNEL.EXEHooked Function: ZwSetSystemInformationAt Address: 8059EEE0Jump To: 804E243BModule Name: \WINDOWS\system32\TUKERNEL.EXEHooked Function: ZwSetSystemEnvironmentValueAt Address: 8064719BJump To: 804E243BModule Name: \WINDOWS\system32\TUKERNEL.EXEHooked Function: ZwSetSecurityObjectAt Address: 8059A1BEJump To: 8059A16FModule Name: \WINDOWS\system32\TUKERNEL.EXEHooked Function: ZwSetQuotaInformationFileAt Address: 80615B72Jump To: 
80617E60Module Name: \WINDOWS\system32\TUKERNEL.EXEHooked Function: ZwSetLowWaitHighEventPairAt Address: 806477FDJump To: 80563D68Module Name: \WINDOWS\system32\TUKERNEL.EXEHooked Function: ZwSetLowEventPairAt Address: 806478E0Jump To: 80563D68Module Name: \WINDOWS\system32\TUKERNEL.EXEHooked Function: ZwSetLdtEntriesAt Address: 8062CE5DJump To: 8062CBB3Module Name: \WINDOWS\system32\TUKERNEL.EXEHooked Function: ZwSetIoCompletionAt Address: 80577D0BJump To: 80563D68Module Name: \WINDOWS\system32\TUKERNEL.EXEHooked Function: ZwSetIntervalProfileAt Address: 80647B42Jump To: 8054890FModule Name: \WINDOWS\system32\TUKERNEL.EXEHooked Function: ZwSetInformationTokenAt Address: 805A466EJump To: 804E243BModule Name: \WINDOWS\system32\TUKERNEL.EXEHooked Function: ZwSetInformationThreadAt Address: 80575740Jump To: 804E243BModule Name: \WINDOWS\system32\TUKERNEL.EXEHooked Function: ZwSetInformationProcessAt Address: 8056BD0FJump To: 804E243BModule Name: \WINDOWS\system32\TUKERNEL.EXEHooked Function: ZwSetInformationObjectAt Address: 80586E01Jump To: 804E243BModule Name: \WINDOWS\system32\TUKERNEL.EXEHooked Function: ZwSetInformationKeyAt Address: 8064C462Jump To: 804E243BModule Name: \WINDOWS\system32\TUKERNEL.EXEHooked Function: ZwSetInformationJobObjectAt Address: 805A72C4Jump To: 804E243BModule Name: \WINDOWS\system32\TUKERNEL.EXEHooked Function: ZwSetInformationFileAt Address: 80577E36Jump To: 804E243BModule Name: \WINDOWS\system32\TUKERNEL.EXEHooked Function: ZwSetInformationDebugObjectAt Address: 80658A94Jump To: 804E243BModule Name: \WINDOWS\system32\TUKERNEL.EXEHooked Function: ZwSetHighWaitLowEventPairAt Address: 8064786FJump To: 80563D68Module Name: \WINDOWS\system32\TUKERNEL.EXEHooked Function: ZwSetHighEventPairAt Address: 8064794AJump To: 80563D68Module Name: \WINDOWS\system32\TUKERNEL.EXEHooked Function: ZwSetEventBoostPriorityAt Address: 80575B78Jump To: 80563D68Module Name: \WINDOWS\system32\TUKERNEL.EXEHooked Function: ZwSetEventAt Address: 8056849FJump To: 
804E243BModule Name: \WINDOWS\system32\TUKERNEL.EXEHooked Function: ZwSetEaFileAt Address: 80615818Jump To: 804E243BModule Name: \WINDOWS\system32\TUKERNEL.EXEHooked Function: ZwSetDefaultUILanguageAt Address: 805AA7BFJump To: 8057F1D5Module Name: \WINDOWS\system32\TUKERNEL.EXEHooked Function: ZwSetDefaultLocaleAt Address: 805AA838Jump To: 8057F7B6Module Name: \WINDOWS\system32\TUKERNEL.EXEHooked Function: ZwSetDefaultHardErrorPortAt Address: 805D15BFJump To: 80573C2CModule Name: \WINDOWS\system32\TUKERNEL.EXEHooked Function: ZwSetDebugFilterStateAt Address: 8065AC57Jump To: 80573C2CModule Name: \WINDOWS\system32\TUKERNEL.EXEHooked Function: ZwSetContextThreadAt Address: 8062C16DJump To: 80563D68Module Name: \WINDOWS\system32\TUKERNEL.EXEHooked Function: ZwSetBootOptionsAt Address: 80646EFEJump To: 804E243BModule Name: \WINDOWS\system32\TUKERNEL.EXEHooked Function: ZwSetBootEntryOrderAt Address: 80646EFEJump To: 804E243BModule Name: \WINDOWS\system32\TUKERNEL.EXEHooked Function: ZwSecureConnectPortAt Address: 805859D4Jump To: 804E243BModule Name: \WINDOWS\system32\TUKERNEL.EXEHooked Function: ZwSaveMergedKeysAt Address: 8064BF8AJump To: 80573C2CModule Name: \WINDOWS\system32\TUKERNEL.EXEHooked Function: ZwSaveKeyExAt Address: 8064BEB8Jump To: 80573C2CModule Name: \WINDOWS\system32\TUKERNEL.EXEHooked Function: ZwSaveKeyAt Address: 8064BE22Jump To: 80573C2CModule Name: \WINDOWS\system32\TUKERNEL.EXEHooked Function: ZwResumeThreadAt Address: 8057B83FJump To: 804E243BModule Name: \WINDOWS\system32\TUKERNEL.EXEHooked Function: ZwResumeProcessAt Address: 8062DDA1Jump To: 80563D68Module Name: \WINDOWS\system32\TUKERNEL.EXEHooked Function: ZwRestoreKeyAt Address: 8064BD7BJump To: 80573C2CModule Name: \WINDOWS\system32\TUKERNEL.EXEHooked Function: ZwResetWriteWatchAt Address: 8053AF32Jump To: 8053B148Module Name: \WINDOWS\system32\TUKERNEL.EXEHooked Function: ZwResetEventAt Address: 8059AD39Jump To: 804E243BModule Name: \WINDOWS\system32\TUKERNEL.EXEHooked Function: 
ZwRequestWakeupLatencyAt Address: 8062A36AJump To: 805878E1Module Name: \WINDOWS\system32\TUKERNEL.EXEHooked Function: ZwRequestWaitReplyPortAt Address: 80576EC1Jump To: 804E243BModule Name: \WINDOWS\system32\TUKERNEL.EXEHooked Function: ZwRequestPortAt Address: 805DC8F1Jump To: 804E243BModule Name: \WINDOWS\system32\TUKERNEL.EXEHooked Function: ZwRequestDeviceWakeupAt Address: 8062A56CJump To: 80563D68Module Name: \WINDOWS\system32\TUKERNEL.EXEHooked Function: ZwReplyWaitReplyPortAt Address: 806218D9Jump To: 804E243BModule Name: \WINDOWS\system32\TUKERNEL.EXEHooked Function: ZwReplyWaitReceivePortExAt Address: 8056996EJump To: 804E243BModule Name: \WINDOWS\system32\TUKERNEL.EXEHooked Function: ZwReplyWaitReceivePortAt Address: 80569E62Jump To: 80569967Module Name: \WINDOWS\system32\TUKERNEL.EXEHooked Function: ZwReplyPortAt Address: 8057D4F8Jump To: 804E243BModule Name: \WINDOWS\system32\TUKERNEL.EXEHooked Function: ZwReplaceKeyAt Address: 8064D25AJump To: 80573C2CModule Name: \WINDOWS\system32\TUKERNEL.EXEHooked Function: ZwRenameKeyAt Address: 8064CD44Jump To: 804E243BModule Name: \WINDOWS\system32\TUKERNEL.EXEHooked Function: ZwRemoveProcessDebugAt Address: 8065911BJump To: 80563D68Module Name: \WINDOWS\system32\TUKERNEL.EXEHooked Function: ZwRemoveIoCompletionAt Address: 80566079Jump To: 804E243BModule Name: \WINDOWS\system32\TUKERNEL.EXEHooked Function: ZwReleaseSemaphoreAt Address: 8058919DJump To: 804E243BModule Name: \WINDOWS\system32\TUKERNEL.EXEHooked Function: ZwReleaseMutantAt Address: 80565610Jump To: 804E243BModule Name: \WINDOWS\system32\TUKERNEL.EXEHooked Function: ZwRegisterThreadTerminatePortAt Address: 8057B93EJump To: 80563D68Module Name: \WINDOWS\system32\TUKERNEL.EXEHooked Function: ZwReadVirtualMemoryAt Address: 8057E495Jump To: 804E243BModule Name: \WINDOWS\system32\TUKERNEL.EXEHooked Function: ZwReadRequestDataAt Address: 80588CD0Jump To: 80588B06Module Name: \WINDOWS\system32\TUKERNEL.EXEHooked Function: ZwReadFileScatterAt Address: 
805D66BFJump To: 804E243BModule Name: \WINDOWS\system32\TUKERNEL.EXEHooked Function: ZwReadFileAt Address: 8057122FJump To: 804E243BModule Name: \WINDOWS\system32\TUKERNEL.EXEHooked Function: ZwRaiseHardErrorAt Address: 806464CAJump To: 804E243BModule Name: \WINDOWS\system32\TUKERNEL.EXEHooked Function: ZwRaiseExceptionAt Address: 804E2066Jump To: 80506365Module Name: \WINDOWS\system32\TUKERNEL.EXEHooked Function: ZwQueueApcThreadAt Address: 80586F5AJump To: 80563D68Module Name: \WINDOWS\system32\TUKERNEL.EXEHooked Function: ZwQueryVolumeInformationFileAt Address: 80570F92Jump To: 804E243BModule Name: \WINDOWS\system32\TUKERNEL.EXEHooked Function: ZwQueryVirtualMemoryAt Address: 8056C2FAJump To: 804E243BModule Name: \WINDOWS\system32\TUKERNEL.EXEHooked Function: ZwQueryValueKeyAt Address: 8056B0C2Jump To: 804E243BModule Name: \WINDOWS\system32\TUKERNEL.EXEHooked Function: ZwQueryTimerResolutionAt Address: 80584578Jump To: 804E243BModule Name: \WINDOWS\system32\TUKERNEL.EXEHooked Function: ZwQueryTimerAt Address: 8059330DJump To: 804E243BModule Name: \WINDOWS\system32\TUKERNEL.EXEHooked Function: ZwQuerySystemTimeAt Address: 80592ACFJump To: 804E243BModule Name: \WINDOWS\system32\TUKERNEL.EXEHooked Function: ZwQuerySystemInformationAt Address: 8057C4B4Jump To: 804E243BModule Name: \WINDOWS\system32\TUKERNEL.EXEHooked Function: ZwQuerySystemEnvironmentValueAt Address: 80646EFEJump To: 804E243BModule Name: \WINDOWS\system32\TUKERNEL.EXEHooked Function: ZwQuerySymbolicLinkObjectAt Address: 8057EC37Jump To: 804E243BModule Name: \WINDOWS\system32\TUKERNEL.EXEHooked Function: ZwQuerySemaphoreAt Address: 8064678EJump To: 804E243BModule Name: \WINDOWS\system32\TUKERNEL.EXEHooked Function: ZwQuerySecurityObjectAt Address: 805DA9F2Jump To: 804E243BModule Name: \WINDOWS\system32\TUKERNEL.EXEHooked Function: ZwQuerySectionAt Address: 8057DCE9Jump To: 804E243BModule Name: \WINDOWS\system32\TUKERNEL.EXEHooked Function: ZwQueryQuotaInformationFileAt Address: 80615B8EJump To: 
804E243BModule Name: \WINDOWS\system32\TUKERNEL.EXEHooked Function: ZwQueryPerformanceCounterAt Address: 805665B8Jump To: 804E243BModule Name: \WINDOWS\system32\TUKERNEL.EXEHooked Function: ZwQueryOpenSubKeysAt Address: 8064CB05Jump To: 804E243BModule Name: \WINDOWS\system32\TUKERNEL.EXEHooked Function: ZwQueryObjectAt Address: 8057FC66Jump To: 804E243BModule Name: \WINDOWS\system32\TUKERNEL.EXEHooked Function: ZwQueryMutantAt Address: 80647999Jump To: 804E243BModule Name: \WINDOWS\system32\TUKERNEL.EXEHooked Function: ZwQueryMultipleValueKeyAt Address: 8064C8FFJump To: 804E243BModule Name: \WINDOWS\system32\TUKERNEL.EXEHooked Function: ZwQueryKeyAt Address: 8056EB78Jump To: 804E243BModule Name: \WINDOWS\system32\TUKERNEL.EXEHooked Function: ZwQueryIoCompletionAt Address: 80614F0BJump To: 804E243BModule Name: \WINDOWS\system32\TUKERNEL.EXEHooked Function: ZwQueryIntervalProfileAt Address: 80648012Jump To: 804E243BModule Name: \WINDOWS\system32\TUKERNEL.EXEHooked Function: ZwQueryInstallUILanguageAt Address: 80586EDCJump To: 804E243BModule Name: \WINDOWS\system32\TUKERNEL.EXEHooked Function: ZwQueryInformationTokenAt Address: 8056C76DJump To: 804E243BModule Name: \WINDOWS\system32\TUKERNEL.EXEHooked Function: ZwQueryInformationThreadAt Address: 80566281Jump To: 804E243BModule Name: \WINDOWS\system32\TUKERNEL.EXEHooked Function: ZwQueryInformationProcessAt Address: 8056BC3EJump To: 804E243BModule Name: \WINDOWS\system32\TUKERNEL.EXEHooked Function: ZwQueryInformationPortAt Address: 806217FAJump To: 804E243BModule Name: \WINDOWS\system32\TUKERNEL.EXEHooked Function: ZwQueryInformationJobObjectAt Address: 8058150DJump To: 804E243BModule Name: \WINDOWS\system32\TUKERNEL.EXEHooked Function: ZwQueryInformationFileAt Address: 80572411Jump To: 804E243BModule Name: \WINDOWS\system32\TUKERNEL.EXEHooked Function: ZwQueryInformationAtomAt Address: 805D3637Jump To: 804E243BModule Name: \WINDOWS\system32\TUKERNEL.EXEHooked Function: ZwQueryFullAttributesFileAt Address: 
8057D035Jump To: 804E243BModule Name: \WINDOWS\system32\TUKERNEL.EXEHooked Function: ZwQueryEventAt Address: 8057EF77Jump To: 804E243BModule Name: \WINDOWS\system32\TUKERNEL.EXEHooked Function: ZwQueryEaFileAt Address: 806152CBJump To: 804E243BModule Name: \WINDOWS\system32\TUKERNEL.EXEHooked Function: ZwQueryDirectoryObjectAt Address: 80584D36Jump To: 804E243BModule Name: \WINDOWS\system32\TUKERNEL.EXEHooked Function: ZwQueryDirectoryFileAt Address: 805744E1Jump To: 80574211Module Name: \WINDOWS\system32\TUKERNEL.EXEHooked Function: ZwQueryDefaultUILanguageAt Address: 8057F32AJump To: 804E243BModule Name: \WINDOWS\system32\TUKERNEL.EXEHooked Function: ZwQueryDefaultLocaleAt Address: 80565D31Jump To: 804E243BModule Name: \WINDOWS\system32\TUKERNEL.EXEHooked Function: ZwQueryDebugFilterStateAt Address: 804F8E5EJump To: 80528235Module Name: \WINDOWS\system32\TUKERNEL.EXEHooked Function: ZwQueryBootOptionsAt Address: 80646EFEJump To: 804E243BModule Name: \WINDOWS\system32\TUKERNEL.EXEHooked Function: ZwQueryBootEntryOrderAt Address: 80646EFEJump To: 804E243BModule Name: \WINDOWS\system32\TUKERNEL.EXEHooked Function: ZwQueryAttributesFileAt Address: 805715CDJump To: 804E243BModule Name: \WINDOWS\system32\TUKERNEL.EXEHooked Function: ZwPulseEventAt Address: 8059ECBBJump To: 804E243BModule Name: \WINDOWS\system32\TUKERNEL.EXEHooked Function: ZwProtectVirtualMemoryAt Address: 8057404CJump To: 804E243BModule Name: \WINDOWS\system32\TUKERNEL.EXEHooked Function: ZwPrivilegedServiceAuditAlarmAt Address: 805A6F11Jump To: 804E243BModule Name: \WINDOWS\system32\TUKERNEL.EXEHooked Function: ZwPrivilegeObjectAuditAlarmAt Address: 805D85E2Jump To: 804E243BModule Name: \WINDOWS\system32\TUKERNEL.EXEHooked Function: ZwPrivilegeCheckAt Address: 805DAB57Jump To: 804E243BModule Name: \WINDOWS\system32\TUKERNEL.EXEHooked Function: ZwPowerInformationAt Address: 80598520Jump To: 804E243BModule Name: \WINDOWS\system32\TUKERNEL.EXEHooked Function: ZwPlugPlayControlAt Address: 805D9051Jump 
To: 80573C2CModule Name: \WINDOWS\system32\TUKERNEL.EXEHooked Function: ZwOpenTimerAt Address: 80647466Jump To: 804E243BModule Name: \WINDOWS\system32\TUKERNEL.EXEHooked Function: ZwOpenThreadTokenExAt Address: 8056BA0BJump To: 804E243BModule Name: \WINDOWS\system32\TUKERNEL.EXEHooked Function: ZwOpenThreadTokenAt Address: 8056BAA9Jump To: 8056BA04Module Name: \WINDOWS\system32\TUKERNEL.EXEHooked Function: ZwOpenThreadAt Address: 8058897EJump To: 804E243BModule Name: \WINDOWS\system32\TUKERNEL.EXEHooked Function: ZwOpenSymbolicLinkObjectAt Address: 8057EDC6Jump To: 804E243BModule Name: \WINDOWS\system32\TUKERNEL.EXEHooked Function: ZwOpenSemaphoreAt Address: 805D78B5Jump To: 804E243BModule Name: \WINDOWS\system32\TUKERNEL.EXEHooked Function: ZwOpenSectionAt Address: 805776A2Jump To: 804E243BModule Name: \WINDOWS\system32\TUKERNEL.EXEHooked Function: ZwOpenProcessTokenExAt Address: 8056C1F9Jump To: 804E243BModule Name: \WINDOWS\system32\TUKERNEL.EXEHooked Function: ZwOpenProcessTokenAt Address: 8056C009Jump To: 8056C1F2Module Name: \WINDOWS\system32\TUKERNEL.EXEHooked Function: ZwOpenProcessAt Address: 80573CA0Jump To: 804E243BModule Name: \WINDOWS\system32\TUKERNEL.EXEHooked Function: ZwOpenObjectAuditAlarmAt Address: 805DCB3BJump To: 804E243BModule Name: \WINDOWS\system32\TUKERNEL.EXEHooked Function: ZwOpenMutantAt Address: 8057A03DJump To: 804E243BModule Name: \WINDOWS\system32\TUKERNEL.EXEHooked Function: ZwOpenKeyAt Address: 80567B05Jump To: 804E243BModule Name: \WINDOWS\system32\TUKERNEL.EXEHooked Function: ZwOpenJobObjectAt Address: 8062E4DEJump To: 804E243BModule Name: \WINDOWS\system32\TUKERNEL.EXEHooked Function: ZwOpenIoCompletionAt Address: 80614E4AJump To: 804E243BModule Name: \WINDOWS\system32\TUKERNEL.EXEHooked Function: ZwOpenFileAt Address: 80570D05Jump To: 80570BF3Module Name: \WINDOWS\system32\TUKERNEL.EXEHooked Function: ZwOpenEventPairAt Address: 80647630Jump To: 804E243BModule Name: \WINDOWS\system32\TUKERNEL.EXEHooked Function: ZwOpenEventAt 
No IRP Hooks found

Ports:
Type  Local Address                        Remote Address   State        Process
TCP   BS.HSD1.WA.COMCAST.NET.:NETBIOS-SSN  0.0.0.0:0        LISTENING    System
TCP   BS:27015                             LOCALHOST:1026   ESTABLISHED  C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
TCP   BS:27015                             0.0.0.0:0        LISTENING    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
TCP   BS:7438                              0.0.0.0:0        LISTENING    C:\Program Files\Microsoft ActiveSync\wcescomm.exe
TCP   BS:5679                              0.0.0.0:0        LISTENING    C:\Program Files\Microsoft ActiveSync\wcescomm.exe
TCP   BS:5354                              0.0.0.0:0        LISTENING    C:\Program Files\Bonjour\mDNSResponder.exe
TCP   BS:5152                              0.0.0.0:0        LISTENING    C:\Program Files\Java\jre6\bin\jqs.exe
TCP   BS:1043                              0.0.0.0:0        LISTENING    C:\WINDOWS\system32\alg.exe
TCP   BS:1026                              LOCALHOST:27015  ESTABLISHED  C:\Program Files\iTunes\iTunesHelper.exe
TCP   BS:27000                             0.0.0.0:0        LISTENING    C:\Autodesk Network License Manager\lmgrd.exe
TCP   BS:2080                              0.0.0.0:0        LISTENING    C:\Autodesk Network License Manager\adskflex.exe
TCP   BS:990                               0.0.0.0:0        LISTENING    C:\PROGRA~1\MICROS~1\rapimgr.exe
TCP   BS:MICROSOFT-DS                      0.0.0.0:0        LISTENING    System
TCP   BS:EPMAP                             0.0.0.0:0        LISTENING    C:\WINDOWS\system32\svchost.exe
UDP   BS.HSD1.WA.COMCAST.NET.:5353         NA               NA           C:\Program Files\Bonjour\mDNSResponder.exe
UDP   BS.HSD1.WA.COMCAST.NET.:1900         NA               NA           C:\WINDOWS\system32\svchost.exe
UDP   BS.HSD1.WA.COMCAST.NET.:138          NA               NA           System
UDP   BS.HSD1.WA.COMCAST.NET.:NETBIOS-NS   NA               NA           System
UDP   BS.HSD1.WA.COMCAST.NET.:123          NA               NA           C:\WINDOWS\system32\svchost.exe
UDP   BS:44301                             NA               NA           C:\WINDOWS\system32\PnkBstrA.exe
UDP   BS:1900                              NA               NA           C:\WINDOWS\system32\svchost.exe
UDP   BS:1049                              NA               NA           C:\Program Files\Internet Explorer\iexplore.exe
UDP   BS:123                               NA               NA           C:\WINDOWS\system32\svchost.exe
UDP   BS:54388                             NA               NA           C:\Program Files\Bonjour\mDNSResponder.exe
UDP   BS:4500                              NA               NA           C:\WINDOWS\system32\lsass.exe
UDP   BS:1900                              NA               NA           C:\WINDOWS\system32\ZuneBusEnum.exe
UDP   BS:1037                              NA               NA           C:\Autodesk Network License Manager\adskflex.exe
UDP   BS:1025                              NA               NA           C:\Program Files\Bonjour\mDNSResponder.exe
UDP   BS:500                               NA               NA           C:\WINDOWS\system32\lsass.exe
UDP   BS:MICROSOFT-DS                      NA               NA           System

Hidden files/folders:
Object: C:\Documents and Settings\me\My Documents\Downloads\Programs\vmware\VMWare v6.0.2 plus extras
Status: Access denied
Object: C:\Documents and Settings\me\My Documents\Downloads\Programs\vmware
Status: Access denied

MBAM Log

Malwarebytes' Anti-Malware 1.39
Database version: 2534
Windows 5.1.2600 Service Pack 2

7/30/2009 8:33:23 PM
mbam-log-2009-07-30 (20-33-19).txt

Scan type: Quick Scan
Objects scanned: 98753
Time elapsed: 6 minute(s), 20 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\drivers\mrxdavv.sys (Rootkit.Agent.H) -> No action taken.
c:\documents and settings\me\Desktop\avenger.exe (Trojan.Agnet) -> No action taken.
C:\WINDOWS\system32\kwave.sys (Trojan.Agent) -> No action taken.
Maurice Naggar Posted July 31, 2009 ID:104693

You will want to print out or copy these instructions to Notepad for offline reference!

If you are a casual viewer, do NOT try this on your system! If you are not brew and have a similar problem, do NOT post here; start your own topic.
Do not run or start any other programs while these utilities and tools are in use! Do NOT run any other tools on your own or do any fixes other than what is listed here.
If you have questions, please ask before you do something on your own.
But it is important that you get going on these following steps.

= Close any of your open programs while you run these tools.

= We're going to remove only 2 of the drivers tagged by MBAM. (Avenger is not a bogey & is indeed ok.)

Double click on avenger.exe to run The Avenger.
Click OK.
Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
Copy all of the text in the below textbox to the clipboard by highlighting it and then pressing Ctrl+C.

    Files to delete:
    C:\WINDOWS\system32\drivers\mrxdavv.sys
    C:\WINDOWS\system32\kwave.sys

    Drivers to delete:
    mrxdavv
    kwave

    Folders to delete:
    I:\recycler
    J:\recycler
    K:\recycler
    L:\recycler
    M:\recycler
    n:\recycler

In the Avenger window, click the Paste Script from Clipboard icon button.
:!: Make sure that what appears in Avenger matches exactly what you were asked to Copy/Paste from the Code box above.
Click the Execute button.
You will be asked Are you sure you want to execute the current script?. Click Yes.
You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?. Click Yes.
Your PC will now be rebooted.

Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation. If that is the case, it will force a BSOD on the first reboot. This is normal & expected behaviour.
After your PC has completed the necessary reboots, a log should automatically open. Please copy/paste the contents of c:\avenger.txt into your next reply.
Not all the items will be found; so do not worry. Hopefully enough of the rootkit will be removed so that we can continue forward with more cleaning.
If you get a blue screen abort when it reboots, please write down all the information, STOP codes and description, and then reboot the system again.

= Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
If you have a prior copy of Combofix, delete it now!
Download Combofix from any of the links below. You must rename it before saving it. Save it to your Desktop.
Link 1
Link 2
Link 3
* IMPORTANT !!! SAVE AS Combo-Fix.exe to your Desktop
If your I.E. browser shows a warning message at the top, do a Right-Click on the bar and select Download, saving it to the Desktop.
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
Double click on Combo-Fix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
Click on Yes, to continue scanning for malware.
Please watch Combofix as it runs, as you may see messages which require your response, or the pressing of the OK button.
IF you should see a message like this: then, be sure to write it down fully and also copy that into your next reply here and then await my response.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
-------------------------------------------------------
A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

= RE-Enable your AntiVirus and AntiSpyware applications.

= Download Random's System Information Tool (RSIT) by random/random from here and save it to your desktop.
Double click on RSIT.exe to run RSIT.
Click Continue at the disclaimer screen.
Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized).

Reply with copy of
C:\Avenger.txt
C:\Combofix.txt
Log.txt
Info.txt
and advise, How is your system now ?
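A small reconciliation script for the two logs this step produces, added here as an example and not part of The Avenger, MBAM or the posts in this thread: it parses c:\avenger.txt in the line format pasted later in the thread, attaches each failure's NTSTATUS, and lists the files Avenger could not delete that an MBAM "Files Infected:" list still reports. The sample log text is constructed; the "File ... deleted successfully." and "Driver ... deleted successfully." forms are assumed by analogy with the folder line the log shows.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in the line format of c:\avenger.txt as pasted in this
# thread; the two files are the ones the Avenger script above targets.
SAMPLE_AVENGER_LOG = r"""
Rootkit scan active.
No rootkits found!
Error: file "C:\WINDOWS\system32\drivers\mrxdavv.sys" not found!
Deletion of file "C:\WINDOWS\system32\drivers\mrxdavv.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist
Deletion of file "C:\WINDOWS\system32\kwave.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist
Deletion of driver "mrxdavv" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist
Folder "I:\recycler" deleted successfully.
Error: could not open folder "J:\recycler"
Deletion of folder "J:\recycler" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND) --> bad path / the parent directory does not exist
Completed script processing.
"""

# Constructed sample of the MBAM "Files Infected:" section from the same thread.
SAMPLE_MBAM_LOG = r"""
Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\drivers\mrxdavv.sys (Rootkit.Agent.H) -> No action taken.
C:\WINDOWS\system32\kwave.sys (Trojan.Agent) -> No action taken.
"""

# "Folder ... deleted successfully." is the form the thread shows; the File and
# Driver success variants are assumed by analogy.
_OK_RE = re.compile(r'^(File|Folder|Driver) "(.+)" deleted successfully\.$')
_FAIL_RE = re.compile(r'^Deletion of (file|folder|driver) "(.+)" failed!$')
_STATUS_RE = re.compile(r'^Status: (0x[0-9A-Fa-f]{8}) \((\w+)\)')
_MBAM_HIT_RE = re.compile(r'^(.+?) \(([^()]+)\) -> (.+)$')


@dataclass
class AvengerResult:
    kind: str                          # "file", "folder" or "driver"
    target: str                        # path or service name as quoted in the log
    ok: bool
    status_code: Optional[int] = None  # NTSTATUS from the Status: line after a failure
    status_name: Optional[str] = None


def parse_avenger_log(text: str) -> List[AvengerResult]:
    """One result per 'deleted successfully' / 'failed!' line; a failure
    picks up the NTSTATUS from the Status: line that directly follows it."""
    results: List[AvengerResult] = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := _OK_RE.match(line):
            results.append(AvengerResult(m.group(1).lower(), m.group(2), True))
        elif m := _FAIL_RE.match(line):
            results.append(AvengerResult(m.group(1), m.group(2), False))
        elif (m := _STATUS_RE.match(line)) and results and not results[-1].ok:
            if results[-1].status_code is None:   # first Status: after the failure
                results[-1].status_code = int(m.group(1), 16)
                results[-1].status_name = m.group(2)
    return results


def parse_mbam_files(text: str) -> Dict[str, str]:
    """Map each lower-cased path under 'Files Infected:' to its detection name."""
    hits: Dict[str, str] = {}
    in_files = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("Infected:"):      # a section header such as "Files Infected:"
            in_files = line == "Files Infected:"
        elif in_files and (m := _MBAM_HIT_RE.match(line)):
            hits[m.group(1).lower()] = m.group(2)
    return hits


def still_present(avenger: List[AvengerResult], mbam_hits: Dict[str, str]) -> List[str]:
    """Files Avenger failed to delete that MBAM still reports afterwards.
    STATUS_OBJECT_NAME_NOT_FOUND from Avenger while the scanner still sees the
    file is the situation this thread hit before moving on to ComboFix."""
    return sorted(r.target for r in avenger
                  if r.kind == "file" and not r.ok and r.target.lower() in mbam_hits)


if __name__ == "__main__":
    results = parse_avenger_log(SAMPLE_AVENGER_LOG)
    for r in results:
        code = f"0x{r.status_code:08X}" if r.status_code is not None else "no status"
        print(f"{r.kind:6} {r.target}: {'ok' if r.ok else 'failed ' + code}")
    print("needs follow-up:", still_present(results, parse_mbam_files(SAMPLE_MBAM_LOG)))
```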
brew Posted August 3, 2009 Author ID:105606
I apologize for the delay in responding. I was away for a couple days.
Ran the steps as directed. ComboFix would not run under Combo-Fix so had to rename to ComboFix1. Below are all logs as requested.
MBAM is still seeing mrxdavv.sys and Kwave.sys. Mbam log also follows.

Avenger Log

Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

Error: file "C:\WINDOWS\system32\drivers\mrxdavv.sys" not found!
Deletion of file "C:\WINDOWS\system32\drivers\mrxdavv.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist

Error: file "C:\WINDOWS\system32\kwave.sys" not found!
Deletion of file "C:\WINDOWS\system32\kwave.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist

Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\mrxdavv" not found!
Deletion of driver "mrxdavv" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist

Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\kwave" not found!
Deletion of driver "kwave" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist

Folder "I:\recycler" deleted successfully.

Error: could not open folder "J:\recycler"
Deletion of folder "J:\recycler" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
  --> bad path / the parent directory does not exist

Folder "K:\recycler" deleted successfully.

Error: could not open folder "L:\recycler"
Deletion of folder "L:\recycler" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
  --> bad path / the parent directory does not exist

Error: could not open folder "M:\recycler"
Deletion of folder "M:\recycler" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
  --> bad path / the parent directory does not exist

Error: could not open folder "n:\recycler"
Deletion of folder "n:\recycler" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
  --> bad path / the parent directory does not exist

Completed script processing.

*******************

Finished! Terminate.

ComboFix Log

ComboFix 09-08-03.02 - me 08/03/2009 12:06.14.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1447 [GMT -7:00]
Running from: c:\documents and settings\me\Desktop\ComboFix1.exe
AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\me\Favorites\America's Army .url
c:\windows\system32\drivers\mrxdavv.sys
c:\windows\system32\kwave.sys

.
((((((((((((((((((((((((( Files Created from 2009-07-03 to 2009-08-03 )))))))))))))))))))))))))))))))
.

2009-07-31 14:50 . 2009-07-31 14:50 -------- d-----w- C:\rsit
2009-07-31 02:48 . 2009-07-31 02:48 -------- d-----w- c:\program files\ERUNT
2009-07-30 21:35 . 2009-07-30 21:35 153104 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-07-30 21:30 . 2009-07-30 21:30 -------- d-s---w- C:\Combo-Fix
2009-07-25 10:35 . 2009-07-25 10:35 8416 ----a-w- c:\windows\system32\drivers\Si3114r5.sys
2009-07-25 10:35 . 2009-07-25 10:35 8416 ----a-w- c:\windows\system32\drivers\SENTINEL.SYS
2009-07-25 10:35 . 2009-07-25 10:35 8416 ----a-w- c:\windows\system32\drivers\AsInsHelp32.sys
2009-07-25 10:35 . 2009-07-25 10:35 8416 ----a-w- c:\windows\system32\drivers\ALCXWDM.SYS
2009-07-25 10:35 . 2009-07-25 10:35 8416 ----a-w- c:\windows\system32\drivers\a347scsi.sys
2009-07-25 10:35 . 2009-07-25 10:35 8416 ----a-w- c:\windows\system32\drivers\a347bus.sys
2009-07-25 10:35 . 2009-07-25 10:35 8416 ----a-w- c:\windows\BS_DEF.sys
2009-07-24 14:09 . 2009-07-24 14:09 -------- d-----w- C:\rootrepeal
2009-07-21 14:51 . 2009-07-21 14:51 -------- d-----w- c:\windows\Sun
2009-07-16 13:59 . 2009-07-16 13:59 -------- d-----w- c:\program files\ESET
2009-07-16 13:28 . 2009-07-16 13:28 -------- d-----w- c:\program files\Java
2009-07-16 12:51 . 2009-07-16 12:51 -------- d-----w- c:\program files\CCleaner
2009-07-16 01:32 . 2009-07-16 01:32 -------- d-----w- c:\program files\Trend Micro
2009-07-16 00:03 . 2009-07-16 00:23 -------- d-----w- C:\123Qoobox
2009-07-15 22:26 . 2009-07-15 22:26 -------- d-----w- c:\program files\Sophos
2009-07-15 21:42 . 2009-07-15 21:42 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-03 20:36 . 2009-01-13 17:13 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 20:36 . 2009-01-13 17:13 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-03 19:13 . 2007-03-03 01:08 -------- d-----w- c:\documents and settings\me\Application Data\DMCache
2009-08-03 19:00 . 2007-02-21 05:24 -------- d-----w- c:\documents and settings\me\Application Data\R-Wipe&Clean
2009-08-03 18:54 . 2009-01-13 17:13 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-03 18:53 . 2009-01-21 23:28 3942048 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-07-25 10:35 . 2008-05-08 05:01 -------- d-----w- c:\program files\UltraLeecher
2009-07-24 01:56 . 2007-03-09 03:02 -------- d-----w- c:\program files\MagicISO
2009-07-16 23:42 . 2007-01-24 06:56 -------- d-----w- c:\program files\CoffeeCup Software
2009-07-16 20:19 . 2005-10-21 17:09 -------- d-----w- c:\program files\MasterSplitter
2009-07-16 13:28 . 2009-05-28 15:06 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-07-16 00:31 . 2005-06-10 11:42 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-07-12 15:22 . 2009-02-22 00:26 -------- d-----w- c:\documents and settings\me\Application Data\Vidalia
2009-07-12 15:22 . 2009-02-22 00:38 -------- d-----w- c:\documents and settings\me\Application Data\tor
2009-06-25 00:19 . 2009-06-25 00:19 -------- d-----w- c:\documents and settings\All Users\Application Data\nView_Profiles
2009-06-25 00:17 . 2009-06-25 00:17 -------- d-----w- c:\program files\AGEIA Technologies
2009-06-25 00:17 . 2005-06-10 12:01 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-06-20 21:50 . 2008-10-15 16:15 889360 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-06-19 18:58 . 2009-06-09 13:48 -------- d-----w- c:\documents and settings\me\Application Data\nHancer
2009-06-17 02:02 . 2007-03-31 04:43 138016 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2009-06-17 02:02 . 2007-03-31 04:43 189392 ----a-w- c:\windows\system32\PnkBstrB.exe
2009-06-16 19:54 . 2009-06-16 19:54 -------- d-----w- c:\program files\PopCap Games
2009-06-12 14:42 . 2009-06-12 14:39 -------- d-----w- c:\program files\nLite
2009-06-10 22:53 . 2009-06-06 15:36 -------- d-----w- c:\documents and settings\All Users\Application Data\AA3DeployClient
2009-06-10 22:35 . 2005-09-03 18:16 1984 ----a-w- c:\windows\system32\d3d9caps.dat
2009-06-10 16:46 . 2007-04-10 04:13 -------- d-----w- c:\documents and settings\me\Application Data\IDM
2009-06-10 15:28 . 2009-06-10 15:28 3510272 ----a-w- c:\windows\system32\nvgames.dll
2009-06-10 15:28 . 2009-06-10 15:28 4022272 ----a-w- c:\windows\system32\nvdisps.dll
2009-06-10 15:28 . 2009-06-10 15:28 86016 ----a-w- c:\windows\system32\nvmctray.dll
2009-06-10 15:28 . 2009-06-10 15:28 168004 ----a-w- c:\windows\system32\nvsvc32.exe
2009-06-10 15:28 . 2009-06-10 15:28 143360 ----a-w- c:\windows\system32\nvcolor.exe
2009-06-10 15:28 . 2009-06-10 15:28 13758464 ----a-w- c:\windows\system32\nvcpl.dll
2009-06-10 15:28 . 2009-06-10 15:28 229376 ----a-w- c:\windows\system32\nvmccs.dll
2009-06-10 13:57 . 2009-06-10 13:57 -------- d-----w- c:\documents and settings\me\Application Data\IGN_DLM
2009-06-10 13:39 . 2005-06-10 12:01 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-10 13:38 . 2005-06-10 12:07 -------- d-----w- c:\program files\Symantec
2009-06-10 13:28 . 2009-01-29 00:25 -------- d-----w- c:\program files\Jigsaw Puzzle Platinum Edition
2009-06-10 13:03 . 2009-06-10 13:03 9998336 ----a-w- c:\windows\system32\nvoglnt.dll
2009-06-10 13:03 . 2009-06-10 13:03 815104 ----a-w- c:\windows\system32\nvapi.dll
2009-06-10 13:03 . 2009-06-10 13:03 8087712 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
2009-06-10 13:03 . 2009-06-10 13:03 671744 ----a-w- c:\windows\system32\nvcuvid.dll
2009-06-10 13:03 . 2009-06-10 13:03 5908608 ----a-w- c:\windows\system32\nv4_disp.dll
2009-06-10 13:03 . 2009-06-10 13:03 1720320 ----a-w- c:\windows\system32\nvcuda.dll
2009-06-10 13:03 . 2009-06-10 13:03 1580550 ----a-w- c:\windows\system32\nvdata.bin
2009-06-10 13:03 . 2009-06-10 13:03 151552 ----a-w- c:\windows\system32\nvcodins.dll
2009-06-10 13:03 . 2009-06-10 13:03 151552 ----a-w- c:\windows\system32\nvcod.dll
2009-06-10 13:03 . 2009-06-10 13:03 1310720 ----a-w- c:\windows\system32\nvcuvenc.dll
2009-06-10 13:03 . 2006-12-31 04:30 457248 ----a-w- c:\windows\system32\nvudisp.exe
2009-06-09 13:49 . 2006-12-31 04:35 -------- d-----w- c:\documents and settings\All Users\Application Data\NVIDIA
2009-06-09 13:49 . 2009-06-09 13:47 -------- d-----w- c:\documents and settings\All Users\Application Data\nHancer
2009-06-09 13:34 . 2009-06-09 13:34 -------- d-----w- c:\program files\SystemRequirementsLab
2009-06-09 03:54 . 2005-09-28 00:06 -------- d-----w- c:\program files\TuneUp Utilities 2006
2009-06-09 03:53 . 2006-09-19 13:35 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-06-09 03:53 . 2006-09-19 13:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-06-09 03:46 . 2006-04-20 13:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-06-09 03:46 . 2006-04-20 13:32 -------- d-----w- c:\program files\Microsoft Visual Studio 8
2009-06-09 03:44 . 2009-06-09 03:44 -------- d--h--w- c:\program files\Zero G Registry
2009-06-09 03:42 . 2007-10-06 16:57 -------- d-----w- c:\program files\IrfanView
2009-06-09 03:42 . 2005-06-10 12:01 -------- d-----w- c:\program files\Hewlett-Packard
2009-06-09 03:42 . 2006-09-15 06:03 -------- d-----w- c:\program files\IGN
2009-06-09 03:28 . 2005-06-10 12:01 -------- d-----w- c:\program files\Fraps
2009-06-09 03:27 . 2008-09-09 21:44 -------- d-----w- c:\program files\Exodus
2009-06-09 03:27 . 2005-08-12 06:52 -------- d-----w- c:\documents and settings\me\Application Data\Exodus
2009-06-09 03:26 . 2007-03-30 02:30 -------- d-----w- c:\program files\DAZ
2009-06-09 03:23 . 2005-06-10 11:59 -------- d-----w- c:\program files\ASUS
2009-06-09 03:22 . 2005-06-10 12:00 -------- d-----w- c:\program files\Common Files\Adobe
2009-06-09 03:22 . 2006-12-26 04:19 -------- d-----w- c:\documents and settings\me\Application Data\Lavasoft
2009-06-09 03:21 . 2007-06-27 04:15 -------- d-----w- c:\program files\123Movies2PSP
2009-06-08 03:57 . 2006-10-15 10:01 4764 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2009-06-08 03:27 . 2009-06-08 03:27 906 ----a-w- C:\fix.bat
2009-06-06 02:32 . 2007-03-31 04:43 75064 ----a-w- c:\windows\system32\PnkBstrA.exe
2009-06-06 02:17 . 2009-06-06 02:16 -------- d-----w- c:\program files\America's Army test
2009-06-06 01:43 . 2008-03-08 22:17 142200 ----a-w- c:\documents and settings\me\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-06 01:01 . 2009-06-06 00:36 -------- d-----w- c:\documents and settings\All Users\Application Data\AA2DeployClient
2009-06-06 00:41 . 2009-06-06 00:36 280292 ----a-w- c:\documents and settings\All Users\Application Data\America's Army Deploy Client\dcds\patches\AA2DeployInstaller.exe
2009-06-04 23:39 . 2006-06-20 12:18 457248 ----a-w- c:\windows\system32\NVUNINST.EXE
2009-06-03 22:41 . 2008-05-08 05:02 37472 ----a-w- c:\windows\Fonts\INFOview.fon\infoview.fon
2009-06-03 22:41 . 2008-05-08 05:02 -------- d-----w- c:\windows\Fonts\INFOview.fon
2009-05-28 18:59 . 2007-08-22 04:46 59160 ----a-w- c:\windows\system32\zlib.dll
2009-05-05 20:35 . 2009-05-05 20:35 604416 ----a-w- c:\windows\system32\TUProgSt.exe
2009-05-05 20:35 . 2009-05-05 20:35 361216 ----a-w- c:\windows\system32\TuneUpDefragService.exe
2003-08-27 22:19 . 2005-01-30 19:29 36963 ----a-r- c:\program files\Common Files\SM1updtr.dll
2009-07-22 21:00 . 2009-02-22 00:34 134648 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll

.
((((((((((((((((((((((((((((( SnapShot@2009-07-31_14.44.47 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-08-03 19:13 . 2009-08-03 19:13 16384 c:\windows\temp\Perflib_Perfdata_6ec.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IDMan"="c:\program files\Internet Download Manager\IDMan.exe" [2007-04-10 894720]
"RWipeD"="c:\program files\R-Wipe&Clean\rwiped.exe" [2007-02-15 32768]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVRaidService"="c:\windows\system32\nvraidservice.exe" [2006-04-07 135168]
"DT HPW"="c:\program files\Portrait Displays\HP My Display\DTHtml.exe" [2007-06-29 278528]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2008-11-10 157312]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2008-06-12 37232]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2008-06-12 640376]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-06-10 13758464]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2005-07-23 28160]
"CTxfiHlp"="CTXFIHLP.EXE" - c:\windows\system32\Ctxfihlp.exe [2008-07-11 19968]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsNetHood"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2006-10-19 293888]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\MCPClient]
2005-01-31 23:13 49152 ----a-w- c:\progra~1\COMMON~1\stardock\MCPStub.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Multi]
2005-04-17 23:36 90112 ----a-w- c:\program files\Stardock\ThinkDesk\Multiplicity\MultiWin32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\acaptuser32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer3"=wdmaud.drv

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0sprestrt\0sprestrt\0sprestrt\0sprestrt\0sprestrt\0sprestrt\0sprestrt\0sprestrt\0sprestrt\0sprestrt\0sprestrt\0sprestrt\0sprestrt\0sprestrt

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\svcWRSSSDK]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\America's Army test\\System\\ArmyOps.exe"=

R0 ABIT-IO;ABIT-IO;c:\windows\system32\drivers\ABIT-IO.SYS [10/13/2005 2:18 AM 7680]
R0 nvcchflt;NVIDIA Disk Cache Filter Driver;c:\windows\system32\drivers\nvcchflt.sys [10/13/2005 2:19 AM 16640]
R1 PQIMount;PQIMount;c:\windows\system32\drivers\PQIMount.sys [7/29/2004 5:13 AM 46779]
R2 BCMNTIO;BCMNTIO;c:\progra~1\CheckIt\DIAGNO~1\BCMNTIO.sys [3/6/2005 5:19 PM 3744]
R2 FLEXlm Service 1;FLEXlm Service 1;c:\autodesk network license manager\lmgrd.exe [1/29/2005 12:46 PM 659456]
R2 GdFsHook;McAfee Privacy Service File Guardian;c:\windows\system32\drivers\gdfshk.sys [9/17/2003 7:00 AM 26816]
R2 GdTdi;McAfee Privacy Service Transport Filter;c:\windows\system32\drivers\gdtdi.sys [9/17/2003 7:00 AM 33330]
R2 LANPkt;Linksys LANPkt Protocol Driver;c:\windows\system32\drivers\LANPkt.sys [10/13/2005 5:32 AM 8568]
R2 MAPMEM;MAPMEM;c:\progra~1\CheckIt\DIAGNO~1\MAPMEM.sys [3/6/2005 5:19 PM 3904]
R2 PfDetNT;PfDetNT;c:\windows\system32\drivers\pfmodnt.sys [11/17/2007 11:02 PM 15896]
R2 TuneUp.ProgramStatisticsSvc;TuneUp Program Statistics Service;c:\windows\system32\TUProgSt.exe [5/5/2009 1:35 PM 604416]
S0 PQV2i;PQV2i;c:\windows\system32\drivers\PQV2i.sys [7/29/2004 4:33 AM 138780]
S1 atitray;atitray;\??\c:\program files\Ray Adams\ATI Tray Tools\atitray.sys --> c:\program files\Ray Adams\ATI Tray Tools\atitray.sys [?]
S1 BS_DEF;BS_DEF;c:\windows\BS_DEF.sys [7/25/2009 3:35 AM 8416]
S1 esihdrv;esihdrv;\??\c:\docume~1\me\LOCALS~1\Temp\esihdrv.sys --> c:\docume~1\me\LOCALS~1\Temp\esihdrv.sys [?]
S1 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\A.tmp --> c:\windows\system32\A.tmp [?]
S1 UltraCrypt;UltraCrypt;c:\program files\UltraLeecher\UltraCrypt.sys [7/25/2009 3:35 AM 8416]
S2 NProtectService;Norton Unerase Protection;c:\progra~1\NORTON~1\NORTON~1\NPROTECT.EXE --> c:\progra~1\NORTON~1\NORTON~1\NPROTECT.EXE [?]
S2 WinDefend;Windows Defender Service;"c:\program files\Windows Defender\MsMpEng.exe" --> c:\program files\Windows Defender\MsMpEng.exe [?]
S3 Asushwio;Asushwio;c:\windows\system32\drivers\ASUSHWIO.SYS [1/15/2005 4:12 PM 5824]
S3 ColdFusion MX 7 Application Server;ColdFusion MX 7 Application Server;c:\macromedia\runtime\bin\jrunsvc.exe [3/22/2006 2:00 PM 61440]
S3 ColdFusion MX 7 Search Server;ColdFusion MX 7 Search Server;c:\macromedia\verity\k2\_nti40\bin\k2admin.exe [3/22/2006 1:59 PM 2732608]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [11/22/2008 10:18 PM 79360]
S3 CW50;CW50 Device;c:\windows\system32\drivers\CW50.sys [1/30/2005 12:38 PM 24059]
S3 Diag69xp;Diag69xp;c:\windows\system32\drivers\diag69xp.sys [10/13/2005 5:32 AM 11351]
S3 GuardDogEXE;McAfee Privacy Service;"c:\program files\McAfee\McAfee Privacy Service\GUARDDOG.EXE" /SERVICE --> c:\program files\McAfee\McAfee Privacy Service\GUARDDOG.EXE [?]
S3 Razerlow;Razer Copperhead Driver;c:\windows\system32\drivers\Razerlow.sys [4/15/2006 9:03 PM 19020]
S3 RTLVLANXP;Linksys VLAN Intermediate Driver;c:\windows\system32\drivers\RTLVLANXP.SYS [10/13/2005 5:32 AM 15360]
S3 SaiH8000;SaiH8000;c:\windows\system32\drivers\SaiH8000.sys [12/3/2004 4:54 PM 56704]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.comcast.net/chsi.html
mSearch Bar =
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: Append to existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert link target to existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: Download All Links with IDM - c:\program files\Internet Download Manager\IEGetAll.htm
IE: Download with IDM - c:\program files\Internet Download Manager\IEExt.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MI8C0D~1\Office12\EXCEL.EXE/3000
IE: Sothink SWF Catcher - c:\program files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
IE: SWF Capture tool - c:\program files\Eltima Software\Flash Decompiler\iebt.html
Trusted Zone: homeserver.com\sten
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
FF - ProfilePath - c:\documents and settings\me\Application Data\Mozilla\Firefox\Profiles\zrm9qe1b.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - about:blank
FF - component: c:\documents and settings\me\Application Data\Mozilla\Firefox\Profiles\zrm9qe1b.default\extensions\mozilla_cc@internetdownloadmanager.com\components\idmmzcc.dll
FF - plugin: c:\program files\Photosynth\npPhotosynthMozilla.dll

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: content.max.tokenizing.time - 200000
FF - user.js: content.notify.interval - 100000
FF - user.js: content.switch.threshold - 650000
FF - user.js: nglayout.initialpaint.delay - 300
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-03 12:13
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
 CTxfiHlp = CTXFIHLP.EXE?

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet019\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\A.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2025429265-2111687655-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID]
@Denied: (Full) (LocalSystem)

[HKEY_LOCAL_MACHINE\software\Adobe\Premiere Elements\1.0\DefaultPreset]
@DACL=(02 0000)
@="c:\\Program Files\\Adobe\\Premiere Elements 1.0\\Settings\\en_US\\DV - NTSC\\Standard 48kHz.prpreset"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):48,c0,14,cc,2e,45,08,38,f7,94,67,21,87,d5,01,06,f2,ff,86,af,1d,
   d6,80,42,69,be,99,55,3a,b9,2f,85,81,b0,e3,84,64,35,ef,a7,00,00,00,00,00,00,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{64017f5b-2b70-44f0-83e3-a2dc513e5c71}]
@Denied: (Full) (Everyone)
"Model"=dword:000000b8
"Therad"=dword:00000015
"MData"=hex(0):2b,8f,78,29,5a,0c,ce,ec,48,d4,68,e5,9f,6a,96,3e,ab,de,c5,81,26,
   38,95,44,40,02,13,ad,75,b8,fc,03,0e,19,9b,7e,c0,c3,5d,71,13,89,b2,ee,89,f3,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):91,2a,bc,17,b0,c7,f8,44,b1,5a,8b,23,96,15,ff,81,96,f7,82,23,d6,
   5f,ba,24,65,7d,73,c1,07,1b,5e,fd,4c,3a,0c,df,0c,99,49,c2,00,00,00,00,00,00,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{bc7f883f-b90e-4416-acc3-432d452bef72}]
@Denied: (Full) (Everyone)
"Model"=dword:0000005a
"Therad"=dword:0000001e
"MData"=hex(0):2b,8f,78,29,5a,0c,ce,ec,48,d4,68,e5,9f,6a,96,3e,ab,de,c5,81,26,
   38,95,44,5e,47,40,e8,4d,7f,cb,bf,64,f3,e2,01,bd,95,48,9e,2c,fd,f1,78,d9,1d,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version]
"Version"=hex:2c,06,cf,67,cc,4f,e1,eb,a8,36,28,a1,ed,75,14,aa,7b,d9,d0,cc,0d,
   d2,af,05,19,c1,7a,96,0d,ac,7e,27,81,4a,da,02,84,9e,ec,c7,43,d7,d9,19,f0,d9,\

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\System*]
"OODEFRAG08.00.00.01WORKSTATION"="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"

[HKEY_LOCAL_MACHINE\software\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version]
"Version"=hex:2c,06,cf,67,cc,4f,e1,eb,a8,36,28,a1,ed,75,14,aa,7b,d9,d0,cc,0d,
   d2,af,05,19,c1,7a,96,0d,ac,7e,27,81,4a,da,02,84,9e,ec,c7,43,d7,d9,19,f0,d9,\

[HKEY_LOCAL_MACHINE\System\ControlSet019\Enum\HID\Vid_1532&Pid_0101&MI_00\7&59c965e&0&0000\LogConf]
@DACL=(02 0000)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1684)
c:\progra~1\COMMON~1\Stardock\mcpstub.dll
c:\program files\Stardock\ThinkDesk\Multiplicity\MultiWin32.dll

- - - - - - - > 'explorer.exe'(3284)
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\progra~1\COMMON~1\stardock\MCPCore.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\hnetcfg.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Roxio\Easy Media Creator 7\Drag to Disc\Shellex.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\program files\Creative\Shared Files\CTAudSvc.exe
c:\progra~1\COMMON~1\stardock\SDMCP.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Portrait Displays\Shared\HookManager.exe
c:\progra~1\MICROS~1\rapimgr.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\autodesk network license manager\adskflex.exe
c:\windows\system32\PnkBstrA.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\Webroot\Spy Sweeper\WRSSSDK.exe
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\windows\system32\ZuneBusEnum.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wbem\unsecapp.exe
.
**************************************************************************
.
Completion time: 2009-08-03 12:18 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-03 19:18
ComboFix2.txt 2009-07-31 14:49
ComboFix3.txt 2009-07-30 21:11

Pre-Run: 20,003,905,536 bytes free
Post-Run: 19,896,487,936 bytes free

335 --- E O F --- 2008-10-15 15:56

Log.txt

Logfile of random's system information tool 1.06 (written by random/random)
Run by me at 2009-08-03 12:24:57
Microsoft Windows XP Professional Service Pack 2
System drive C: has 19 GB (13%) free of 142 GB
Total RAM: 2046 MB (69% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:24:57 PM, on 8/3/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Creative\Shared Files\CTAudSvc.exe
C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvraidservice.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
C:\Program Files\Internet Download Manager\IDMan.exe
C:\Program Files\R-Wipe&Clean\rwiped.exe
C:\Program Files\Common Files\Portrait Displays\Shared\HookManager.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\MICROS~1\rapimgr.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Autodesk Network License Manager\lmgrd.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Autodesk Network License Manager\adskflex.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\TUProgSt.exe
C:\WINDOWS\system32\ZuneBusEnum.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\me\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\me.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/chsi.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\system32\nvraidservice.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [DT HPW] C:\Program Files\Portrait Displays\HP My Display\DTHtml.exe -startup_folder
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [Zune Launcher] "C:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [iDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot
O4 - HKCU\..\Run: [RWipeD] C:\Program Files\R-Wipe&Clean\rwiped.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Download All Links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI8C0D~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O8 - Extra context menu item: SWF Capture tool - C:\Program Files\Eltima Software\Flash Decompiler\iebt.html
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.9.113.cab
O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.com/content/DriverDownlo...iaSmartScan.cab
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...677/mcfscan.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MI8C0D~1\Office12\GR99D3~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\acaptuser32.dll
O20 - Winlogon Notify: Multi - C:\Program Files\Stardock\ThinkDesk\Multiplicity\MultiWin32.dll
O22 - SharedTaskScheduler: IE Component Categories cache daemon - {553858A7-4922-4e7e-B1C1-97140C1C16EF} - C:\WINDOWS\system32\ieframe.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Asset Management Daemon - Unknown owner - C:\Program Files\Gateway\EzTune\dtsslsrv.exe (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe (file missing)
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe (file missing)
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ColdFusion MX 7 Application Server - Macromedia Inc. - C:\macromedia\runtime\bin\jrunsvc.exe
O23 - Service: ColdFusion MX 7 Search Server - Verity, Inc. - C:\macromedia\verity\k2\_nti40\bin\k2admin.exe
O23 - Service: Creative Audio Engine Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe
O23 - Service: Creative Audio Service (CTAudSvcService) - Creative Technology Ltd - C:\Program Files\Creative\Shared Files\CTAudSvc.exe
O23 - Service: Portrait Displays Display Tune Service (DTSRVC) - Unknown owner - C:\Program Files\Gateway\EzTune\DTSRVC.exe (file missing)
O23 - Service: FLEXlm Service 1 - Macrovision Corporation - C:\Autodesk Network License Manager\lmgrd.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: McAfee Privacy Service (GuardDogEXE) - Unknown owner - C:\Program Files\McAfee\McAfee Privacy Service\GUARDDOG.EXE (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Unknown owner - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe (file missing)
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\PQV2iSvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Unknown owner - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE (file missing)
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: RadClock - Unknown owner - C:\WINDOWS\system32\RadClock.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - Unknown owner - C:\Program Files\SiSoftware\SiSoftware Sandra Professional 2005.SR1\RpcDataSrv.exe (file missing)
O23 - Service: Sandra Service (SandraTheSrv) - Unknown owner - C:\Program Files\SiSoftware\SiSoftware Sandra Professional 2005.SR1\RpcSandraSrv.exe (file missing)
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Speed Disk service - Unknown owner - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE (file missing)
O23 - Service: Webroot Spy Sweeper Engine
(svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exeO23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exeO23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software - C:\WINDOWS\System32\TuneUpDefragService.exeO23 - Service: TuneUp Program Statistics Service (TuneUp.ProgramStatisticsSvc) - TuneUp Software - C:\WINDOWS\System32\TUProgSt.exeO23 - Service: Visual Studio Analyzer RPC bridge - Unknown owner - C:\Program Files\Microsoft Visual Studio\Common\Tools\VS-Ent98\Vanalyzr\varpc.exe (file missing)O23 - Service: wampapache - Unknown owner - F:\wamp\apache2\bin\Apache.exe (file missing)O23 - Service: wampmysqld - Unknown owner - F:\wamp\mysql\bin\mysqld-nt.exe (file missing)O23 - Service: Windows Defender Service (WinDefend) - Unknown owner - C:\Program Files\Windows Defender\MsMpEng.exe (file missing)O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)--End of file - 11351 bytes======Registry dump======[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]"NVRaidService"=C:\WINDOWS\system32\nvraidservice.exe [2006-04-07 135168]"Logitech Hardware Abstraction Layer"=C:\WINDOWS\KHALMNPR.EXE [2005-07-23 28160]"DT HPW"=C:\Program Files\Portrait Displays\HP My Display\DTHtml.exe [2007-06-29 278528]"CTxfiHlp"=C:\WINDOWS\system32\CTXFIHLP.EXE [2008-07-11 19968]"Zune Launcher"=C:\Program Files\Zune\ZuneLauncher.exe [2008-11-10 157312]"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2009-04-02 342312]"Adobe Acrobat Speed Launcher"=C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe [2008-06-12 37232]"Acrobat Assistant 8.0"=C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe [2008-06-11 640376]"NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2009-06-10 13758464][HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]"IDMan"=C:\Program 
Files\Internet Download Manager\IDMan.exe [2007-04-09 894720]"RWipeD"=C:\Program Files\R-Wipe&Clean\rwiped.exe [2007-02-14 32768]"H/PC Connection Agent"=C:\Program Files\Microsoft ActiveSync\wcescomm.exe [2006-11-13 1289000]"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2004-08-04 15360][HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]"AppInit_DLLS"="C:\WINDOWS\system32\acaptuser32.dll"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\MCPClient]C:\PROGRA~1\COMMON~1\Stardock\mcpstub.dll [2005-01-31 49152][HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Multi]C:\Program Files\Stardock\ThinkDesk\Multiplicity\MultiWin32.dll [2005-04-17 90112][HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]C:\WINDOWS\system32\WgaLogon.dll [2006-06-19 702768][HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]0aMCPClient - {F5DF91F9-15E9-416B-A7C3-7519B11ECBFC} - C:\PROGRA~1\COMMON~1\stardock\MCPCore.dll [2005-05-10 86016]UPnPMonitor - {e57ce738-33e8-4c51-8354-bb4de9d215d1} - C:\WINDOWS\system32\upnpui.dll [2004-08-04 239616]WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632][HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\SharedTaskScheduler]IE Component Categories cache daemon - {553858A7-4922-4e7e-B1C1-97140C1C16EF} - C:\WINDOWS\system32\ieframe.dll [2009-03-08 11063808][HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]"{56F9679E-7826-4C84-81F3-532071A8BCC5}"=C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [2006-10-19 
293888][HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\svcWRSSSDK][HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys][HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend][HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\svcWRSSSDK][HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr][HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Wdf01000.sys][HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WinDefend][HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{1a3e09be-1e45-494b-9174-d7385b45bbf5}][HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]"dontdisplaylastusername"=0"legalnoticecaption"="legalnoticetext"="shutdownwithoutlogon"=1"undockwithoutlogon"=1[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]"NoRecentDocsNetHood"=1"NoDriveAutoRun"=67108863"NoDriveTypeAutoRun"=323"NoDrives"=0[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]"NoDriveAutoRun"="NoDrives"="NoDriveTypeAutoRun"=[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019""C:\Program Files\Yahoo!\Messenger\YPager.exe"="C:\Program Files\Yahoo!\Messenger\YPager.exe:*:Enabled:Yahoo! Messenger""C:\Program Files\Yahoo!\Messenger\YServer.exe"="C:\Program Files\Yahoo!\Messenger\YServer.exe:*:Enabled:Yahoo! 
FT Server""C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger""C:\Program Files\Microsoft ActiveSync\rapimgr.exe"="C:\Program Files\Microsoft ActiveSync\rapimgr.exe:*:Disabled:ActiveSync RAPI Manager""C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour""C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes""C:\WINDOWS\system32\dpvsetup.exe"="C:\WINDOWS\system32\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test""C:\Program Files\America's Army test\System\ArmyOps.exe"="C:\Program Files\America's Army test\System\ArmyOps.exe:*:Enabled:ArmyOps"[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019""C:\Program Files\MSN Messenger\msnmsgr.exe"="C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:MSN Messenger 6.2"======List of files/folders created in the last 1 months======2009-08-03 12:23:28 ----SHD---- C:\RECYCLER2009-08-03 12:18:11 ----A---- C:\ComboFix.txt2009-07-31 07:50:43 ----D---- C:\rsit2009-07-31 07:34:02 ----A---- C:\WINDOWS\zip.exe2009-07-31 07:34:02 ----A---- C:\WINDOWS\SWXCACLS.exe2009-07-31 07:34:02 ----A---- C:\WINDOWS\SWSC.exe2009-07-31 07:34:02 ----A---- C:\WINDOWS\SWREG.exe2009-07-31 07:34:02 ----A---- C:\WINDOWS\sed.exe2009-07-31 07:34:02 ----A---- C:\WINDOWS\PEV.exe2009-07-31 07:34:02 ----A---- C:\WINDOWS\NIRCMD.exe2009-07-31 07:34:02 ----A---- C:\WINDOWS\grep.exe2009-07-31 07:31:59 ----D---- C:\Qoobox2009-07-31 07:28:01 ----A---- C:\avenger.txt2009-07-30 19:55:13 ----D---- C:\Avenger2009-07-30 19:48:11 ----D---- C:\Program Files\ERUNT2009-07-30 14:30:24 ----SD---- C:\Combo-Fix2009-07-24 07:20:05 ----A---- C:\WINDOWS\ntbtlog.txt2009-07-24 07:09:00 ----D---- C:\rootrepeal2009-07-21 07:51:30 ----D---- C:\WINDOWS\Sun2009-07-16 
06:59:39 ----D---- C:\Program Files\ESET2009-07-16 06:28:02 ----D---- C:\Program Files\Java2009-07-16 06:27:52 ----D---- C:\Documents and Settings\me\Application Data\Sun2009-07-16 06:20:02 ----D---- C:\WINDOWS\temp2009-07-16 05:51:43 ----D---- C:\Program Files\CCleaner2009-07-15 22:49:46 ----A---- C:\RootRepeal report 07-15-09 (22-49-46).txt2009-07-15 22:49:20 ----A---- C:\RootRepeal report 07-15-09 (22-49-20).txt2009-07-15 20:42:25 ----A---- C:\Boot.bak2009-07-15 20:42:22 ----RASHD---- C:\cmdcons2009-07-15 18:41:15 ----A---- C:\RootRepeal report 07-15-09 (18-41-15).txt2009-07-15 18:32:46 ----D---- C:\Program Files\Trend Micro2009-07-15 17:23:37 ----D---- C:\WINDOWS\ERDNT2009-07-15 17:03:24 ----D---- C:\123Qoobox2009-07-15 15:26:00 ----D---- C:\Program Files\Sophos======List of files/folders modified in the last 1 months======2009-08-03 12:18:12 ----D---- C:\WINDOWS\system32\drivers2009-08-03 12:18:12 ----D---- C:\WINDOWS\system322009-08-03 12:16:40 ----D---- C:\WINDOWS\system32\CatRoot22009-08-03 12:13:52 ----D---- C:\WINDOWS2009-08-03 12:13:52 ----D---- C:\Documents and Settings\me\Application Data\DMCache2009-08-03 12:13:52 ----A---- C:\WINDOWS\system.ini2009-08-03 12:09:00 ----D---- C:\WINDOWS\AppPatch2009-08-03 12:08:59 ----D---- C:\Program Files\Common Files2009-08-03 12:05:39 ----A---- C:\WINDOWS\SchedLgU.Txt2009-08-03 12:04:44 ----D---- C:\WINDOWS\Prefetch2009-08-03 12:00:38 ----D---- C:\Documents and Settings\me\Application Data\R-Wipe&Clean2009-08-03 11:58:22 ----D---- C:\WINDOWS\system32\config2009-08-03 11:54:06 ----D---- C:\Program Files\Malwarebytes' Anti-Malware2009-08-03 08:51:59 ----D---- C:\Program Files\Mozilla Firefox2009-08-02 09:07:20 ----A---- C:\WINDOWS\NeroDigital.ini2009-07-31 07:28:01 ----D---- C:\Program Files2009-07-30 14:30:46 ----SHD---- C:\System Volume Information2009-07-30 14:30:46 ----D---- C:\WINDOWS\system32\Restore2009-07-30 10:21:10 ----D---- C:\flexlm2009-07-25 20:57:31 ----RSHDC---- C:\WINDOWS\system32\dllcache2009-07-25 
03:35:23 ----D---- C:\Program Files\UltraLeecher2009-07-23 18:57:10 ----D---- C:\Program Files\WinRAR2009-07-23 18:56:16 ----D---- C:\Program Files\MagicISO2009-07-19 09:34:28 ----RASH---- C:\boot.ini2009-07-19 09:34:28 ----A---- C:\WINDOWS\win.ini2009-07-16 16:42:00 ----D---- C:\Program Files\CoffeeCup Software2009-07-16 13:19:48 ----D---- C:\Program Files\MasterSplitter2009-07-16 06:59:42 ----SD---- C:\WINDOWS\Downloaded Program Files2009-07-16 06:28:14 ----SHD---- C:\WINDOWS\Installer2009-07-16 06:28:14 ----D---- C:\Config.Msi2009-07-16 06:28:03 ----A---- C:\WINDOWS\system32\javaws.exe2009-07-16 06:28:03 ----A---- C:\WINDOWS\system32\javaw.exe2009-07-16 06:28:03 ----A---- C:\WINDOWS\system32\java.exe2009-07-16 06:28:03 ----A---- C:\WINDOWS\system32\deploytk.dll2009-07-15 17:31:28 ----D---- C:\Documents and Settings\All Users\Application Data\McAfee2009-07-15 17:22:47 ----SD---- C:\WINDOWS\Tasks2009-07-13 20:21:33 ----A---- C:\WINDOWS\IfoEdit.INI2009-07-12 08:22:08 ----D---- C:\Documents and Settings\me\Application Data\Vidalia2009-07-12 08:22:05 ----D---- C:\Documents and Settings\me\Application Data\tor2009-07-07 08:10:58 ----A---- C:\WINDOWS\system32\MRT.exe======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======R1 a347bus;a347bus; C:\WINDOWS\system32\DRIVERS\a347bus.sys [2009-07-25 8416]R1 AsIO;AsIO; C:\WINDOWS\system32\drivers\AsIO.sys [2005-12-21 5685]R1 Cdr4_xp;Cdr4_xp; C:\WINDOWS\system32\drivers\Cdr4_xp.sys [2004-11-10 44288]R1 Cdralw2k;Cdralw2k; C:\WINDOWS\system32\drivers\Cdralw2k.sys [2004-11-10 24832]R1 cdudf_xp;cdudf_xp; C:\WINDOWS\system32\drivers\cdudf_xp.sys [2004-04-13 285824]R1 DVDVRRdr_xp;DVDVRRdr_xp; C:\WINDOWS\system32\drivers\DVDVRRdr_xp.sys [2004-04-13 140416]R1 ikhlayer;Kernel Anti-Spyware Driver; \??\C:\WINDOWS\system32\drivers\ikhlayer.sys []R1 ISODrive;ISO DVD/CD-ROM Device Driver; \??\C:\Program Files\UltraISO\drivers\ISODrive.sys []R1 kbdhid;Keyboard HID Driver; 
C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2004-08-04 14848]R1 pivot;pivot; C:\WINDOWS\System32\drivers\pivot.sys [2005-12-07 17465]R1 PQIMount;PQIMount; C:\WINDOWS\system32\drivers\PQIMount.sys [2004-07-29 46779]R1 pwd_2k;pwd_2k; C:\WINDOWS\system32\drivers\pwd_2k.sys [2004-04-13 117248]R1 UDFReadr;UDFReadr; C:\WINDOWS\system32\drivers\UDFReadr.sys [2004-04-13 198528]R1 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2004-08-04 12032]R2 BCMNTIO;BCMNTIO; \??\C:\PROGRA~1\CheckIt\DIAGNO~1\BCMNTIO.sys []R2 GdFsHook;McAfee Privacy Service File Guardian; \??\C:\WINDOWS\system32\Drivers\GDFSHK.SYS []R2 GdTdi;McAfee Privacy Service Transport Filter; \??\C:\WINDOWS\system32\Drivers\GDTDI.SYS []R2 LANPkt;Linksys LANPkt Protocol Driver; C:\WINDOWS\system32\DRIVERS\LANPkt.sys [2004-03-09 8568]R2 MAPMEM;MAPMEM; \??\C:\PROGRA~1\CheckIt\DIAGNO~1\MAPMEM.sys []R2 PfDetNT;PfDetNT; \??\C:\WINDOWS\system32\drivers\PfModNT.sys []R2 symlcbrd;symlcbrd; \??\C:\WINDOWS\system32\drivers\symlcbrd.sys []R2 zumbus;Zune Bus Enumerator Driver; C:\WINDOWS\system32\DRIVERS\zumbus.sys [2008-11-10 40832]R3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\System32\DRIVERS\arp1394.sys [2004-08-04 60800]R3 catchme;catchme; \??\C:\ComboFix1\catchme.sys []R3 CT20XUT.DLL;CT20XUT.DLL; C:\WINDOWS\system32\CT20XUT.DLL [2008-07-15 170520]R3 ctac32k;Creative AC3 Software Decoder; C:\WINDOWS\system32\drivers\ctac32k.sys [2008-07-15 511000]R3 ctaud2k;Creative Audio Driver (WDM); C:\WINDOWS\system32\drivers\ctaud2k.sys [2008-07-15 527384]R3 CTEXFIFX.DLL;CTEXFIFX.DLL; C:\WINDOWS\system32\CTEXFIFX.DLL [2008-07-15 1323544]R3 CTHWIUT.DLL;CTHWIUT.DLL; C:\WINDOWS\system32\CTHWIUT.DLL [2008-07-15 72728]R3 ctprxy2k;Creative Proxy Driver; C:\WINDOWS\system32\drivers\ctprxy2k.sys [2008-07-15 14360]R3 ctsfm2k;Creative SoundFont Management Device Driver; C:\WINDOWS\system32\drivers\ctsfm2k.sys [2008-07-15 157208]R3 emupia;E-mu Plug-in Architecture Driver; 
C:\WINDOWS\system32\drivers\emupia2k.sys [2008-07-15 92696]R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys [2009-03-19 23400]R3 ha20x2k;Creative 20X HAL Driver; C:\WINDOWS\system32\drivers\ha20x2k.sys [2008-07-15 1173016]R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2004-08-04 9600]R3 LHidKe;Logitech SetPoint HID Mouse Filter Driver; C:\WINDOWS\system32\DRIVERS\LHidKE.Sys [2005-07-23 26112]R3 LHidUsbK;Logitech SetPoint USB Receiver device driver; C:\WINDOWS\System32\Drivers\LHidUsbK.Sys [2005-07-23 36608]R3 LMouKE;Logitech SetPoint Mouse Filter Driver; C:\WINDOWS\system32\DRIVERS\LMouKE.Sys [2005-07-23 68864]R3 mouhid;Mouse HID Driver; C:\WINDOWS\System32\DRIVERS\mouhid.sys [2001-08-17 12160]R3 MTsensor;ATK0110 ACPI UTILITY; C:\WINDOWS\System32\DRIVERS\ASACPI.sys [2004-08-13 5810]R3 NIC1394;1394 Net Driver; C:\WINDOWS\System32\DRIVERS\nic1394.sys [2004-08-04 61824]R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2009-06-10 8087712]R3 NVENETFD;NVIDIA nForce Networking Controller Driver; C:\WINDOWS\system32\DRIVERS\NVENETFD.sys [2006-03-21 52736]R3 nvnetbus;NVIDIA Network Bus Enumerator; C:\WINDOWS\system32\DRIVERS\nvnetbus.sys [2006-03-21 18944]R3 ossrv;Creative OS Services Driver; C:\WINDOWS\system32\drivers\ctoss2k.sys [2008-07-15 127000]R3 PdiPorts;Portrait Displays low level device driver; C:\WINDOWS\System32\Drivers\PdiPorts.sys [2006-11-16 15920]R3 RadProbe;Radeon Probe Driver; C:\WINDOWS\system32\DRIVERS\RadProbe.sys [2005-04-27 20428]R3 SaiMini;SaiMini; C:\WINDOWS\system32\DRIVERS\SaiMini.sys [2004-07-26 15616]R3 SaiNtBus;SaiNtBus; C:\WINDOWS\system32\drivers\SaiNtBus.sys [2004-07-26 26752]R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2004-08-04 31616]R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2004-08-04 26624]R3 usbhub;Microsoft USB Standard Hub Driver; 
C:\WINDOWS\system32\DRIVERS\usbhub.sys [2004-08-04 57600]R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbohci.sys [2004-08-04 17024]R3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-04 26496]R3 Wdf01000;Kernel Mode Driver Frameworks service; C:\WINDOWS\System32\Drivers\wdf01000.sys [2008-03-27 503008]R3 WinDriver6;WinDriver6; C:\WINDOWS\system32\drivers\windrvr6.sys [2004-09-07 316152]S1 a347scsi;a347scsi; C:\WINDOWS\System32\Drivers\a347scsi.sys [2009-07-25 8416]S1 ALCXWDM;Service for Realtek AC97 Audio (WDM); C:\WINDOWS\system32\drivers\ALCXWDM.SYS [2009-07-25 8416]S1 ASInsHelp;ASInsHelp; \??\C:\WINDOWS\system32\drivers\AsInsHelp32.sys []S1 ATITool;ATITool Overclocking Utility; C:\WINDOWS\system32\DRIVERS\ATITool.sys [2005-06-16 28160]S1 atitray;atitray; \??\C:\Program Files\Ray Adams\ATI Tray Tools\atitray.sys []S1 BS_DEF;BS_DEF; \??\C:\WINDOWS\BS_DEF.sys []S1 DS1410D;DS1410D; C:\WINDOWS\SYSTEM32\drivers\DS1410D.SYS []S1 esihdrv;esihdrv; \??\C:\DOCUME~1\me\LOCALS~1\Temp\esihdrv.sys []S1 Memctl;Memctl; \??\C:\Program Files\ABIT\ABIT uGuru\Memctl.sys []S1 MEMSWEEP2;MEMSWEEP2; \??\C:\WINDOWS\system32\A.tmp []S1 SANDRA;SANDRA; \??\C:\Program Files\SiSoftware\SiSoftware Sandra Professional 2005.SR1\Sandra.sys []S1 Sentinel;Sentinel; C:\WINDOWS\System32\Drivers\SENTINEL.SYS [2009-07-25 8416]S1 Si3114r5;SiI-3114 SoftRaid 5 Controller; C:\WINDOWS\System32\DRIVERS\Si3114r5.sys [2009-07-25 8416]S1 UltraCrypt;UltraCrypt; \??\C:\Program Files\UltraLeecher\UltraCrypt.sys []S3 Asushwio;Asushwio; \??\C:\WINDOWS\system32\drivers\Asushwio.sys []S3 ATI Remote Wonder II;ATI Remote Wonder II; C:\WINDOWS\system32\drivers\ATIRWVD.SYS [2004-01-23 258044]S3 ati2mtag;ati2mtag; C:\WINDOWS\system32\DRIVERS\ati2mtag.sys [2004-08-03 701440]S3 atinevxx;ATI WDM Rage Theater Video NSP; C:\WINDOWS\system32\DRIVERS\atinevxx.sys [2006-01-03 166400]S3 CCDECODE;Closed Caption Decoder; 
C:\WINDOWS\system32\DRIVERS\CCDECODE.sys [2004-08-03 17024]S3 ctdvda2k;Creative DVD-Audio Device Driver; C:\WINDOWS\system32\drivers\ctdvda2k.sys [2008-07-15 347080]S3 CW50;CW50 Device; C:\WINDOWS\system32\DRIVERS\CW50.sys [2002-07-01 24059]S3 Diag69xp;Diag69xp; C:\WINDOWS\System32\Drivers\Diag69xp.sys [2004-05-24 11351]S3 dvd_2K;dvd_2K; C:\WINDOWS\system32\drivers\dvd_2K.sys [2004-04-13 23680]S3 ENTECH;ENTECH; \??\C:\WINDOWS\system32\DRIVERS\ENTECH.sys []S3 ha10kx2k;Creative Hardware Abstract Layer Driver; C:\WINDOWS\system32\drivers\ha10kx2k.sys [2006-08-17 765952]S3 hap16v2k;Creative P16V HAL Driver; C:\WINDOWS\system32\drivers\hap16v2k.sys [2006-08-17 154112]S3 L8042mou;Logitech SetPoint PS/2 Mouse Filter Driver; C:\WINDOWS\system32\DRIVERS\L8042mou.Sys [2005-07-23 55040]S3 mmc_2K;mmc_2K; C:\WINDOWS\system32\drivers\mmc_2K.sys [2004-04-13 23680]S3 ms_mpu401;Microsoft MPU-401 MIDI UART Driver; C:\WINDOWS\system32\drivers\msmpu401.sys [2001-08-17 2944]S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINDOWS\system32\drivers\MSTEE.sys [2004-08-03 5504]S3 MVDCODEC;ATI WDM Specialized MVD Codec; C:\WINDOWS\system32\DRIVERS\atinmdxx.sys [2006-01-03 15360]S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys [2004-08-03 85376]S3 NdisIP;Microsoft TV/Video Connection; C:\WINDOWS\system32\DRIVERS\NdisIP.sys [2004-08-04 10880]S3 NPDriver;Norton Unerase Protection Driver; \??\C:\WINDOWS\system32\Drivers\NPDRIVER.SYS []S3 pdiddcci;DDC/CI monitor; C:\WINDOWS\System32\DRIVERS\pdiddcci.sys [2007-06-12 11776]S3 pfc;Padus ASPI Shell; C:\WINDOWS\system32\drivers\pfc.sys [2004-04-01 10368]S3 pivotmou;Pivot Mouse/Pointers Filter Driver; \??\C:\WINDOWS\System32\drivers\pivotmou.sys []S3 Razerlow;Razer Copperhead Driver; C:\WINDOWS\System32\Drivers\Razerlow.sys [2005-08-12 19020]S3 RTL8023xp;Linksys EG1032 v3 Instant Gigabit Desktop Network Adapter Driver; C:\WINDOWS\system32\DRIVERS\EG1032xp.sys [2005-01-31 71040]S3 RTLVLANXP;Linksys VLAN Intermediate 
Driver; C:\WINDOWS\system32\DRIVERS\RTLVLANXP.SYS [2005-01-26 15360]S3 SaiH8000;SaiH8000; C:\WINDOWS\system32\DRIVERS\SaiH8000.sys [2004-12-03 56704]S3 SDdriver;SDdriver; \??\C:\WINDOWS\system32\Drivers\sddriver.sys []S3 SLIP;BDA Slip De-Framer; C:\WINDOWS\system32\DRIVERS\SLIP.sys [2004-08-04 11136]S3 Sntnlusb;Rainbow USB SuperPro; C:\WINDOWS\system32\DRIVERS\SNTNLUSB.SYS [2001-06-21 20032]S3 sscdbus;SAMSUNG USB Composite Device driver (WDM); C:\WINDOWS\system32\DRIVERS\sscdbus.sys [2009-03-22 80552]S3 sscdmdfl;SAMSUNG Mobile Modem Filter; C:\WINDOWS\system32\DRIVERS\sscdmdfl.sys [2009-03-22 11944]S3 sscdmdm;SAMSUNG Mobile Modem Drivers; C:\WINDOWS\system32\DRIVERS\sscdmdm.sys [2009-03-22 106792]S3 sscdserd;SAMSUNG Mobile Modem Diagnostic Serial Port (WDM); C:\WINDOWS\system32\DRIVERS\sscdserd.sys [2009-03-22 86824]S3 streamip;BDA IPSink; C:\WINDOWS\system32\DRIVERS\StreamIP.sys [2004-08-04 15360]S3 SymEvent;SymEvent; \??\C:\Program Files\Symantec\SYMEVENT.SYS []S3 uisp;Freescale USB JW32 driver; C:\WINDOWS\System32\Drivers\usbicp.sys [2005-12-21 14592]S3 USBAAPL;Apple Mobile USB Driver; C:\WINDOWS\System32\Drivers\usbaapl.sys [2009-03-26 36864]S3 usbaudio;USB Audio Driver (WDM); C:\WINDOWS\system32\drivers\usbaudio.sys [2004-08-03 59264]S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-03 25856]S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-03 15104]S3 WinUSB;WinUSB; C:\WINDOWS\system32\DRIVERS\WinUSB.sys [2006-11-02 39368]S3 WSTCODEC;World Standard Teletext Codec; C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS [2004-08-03 19328]S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2008-01-18 83328]S3 yukonwxp;NDIS5.1 Miniport Driver for Marvell Yukon Ethernet Controller; C:\WINDOWS\System32\DRIVERS\yk51x86.sys [2004-11-26 224000]S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []======List of services (R=Running, 
S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2009-03-26 132424]R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2008-12-12 238888]R2 ccEvtMgr;Symantec Event Manager; C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe [2004-08-27 197752]R2 ccSetMgr;Symantec Settings Manager; C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe [2004-08-27 164984]R2 CTAudSvcService;Creative Audio Service; C:\Program Files\Creative\Shared Files\CTAudSvc.exe [2008-04-30 417792]R2 FLEXlm Service 1;FLEXlm Service 1; C:\Autodesk Network License Manager\lmgrd.exe [2003-12-10 659456]R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2009-07-16 152984]R2 nvsvc;NVIDIA Display Driver Service; C:\WINDOWS\system32\nvsvc32.exe [2009-06-10 168004]R2 PnkBstrA;PnkBstrA; C:\WINDOWS\system32\PnkBstrA.exe [2009-06-05 75064]R2 SQLWriter;SQL Server VSS Writer; C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe [2007-02-10 89968]R2 svcWRSSSDK;Webroot Spy Sweeper Engine; C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe [2005-08-03 1700864]R2 Symantec Core LC;Symantec Core LC; C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe [2005-03-06 819352]R2 TuneUp.ProgramStatisticsSvc;TuneUp Program Statistics Service; C:\WINDOWS\System32\TUProgSt.exe [2009-05-05 604416]R2 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2004-08-04 14336]R2 ZuneBusEnum;Zune Bus Enumerator; C:\WINDOWS\system32\ZuneBusEnum.exe [2008-11-10 60032]R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2009-04-02 656168]S2 Asset Management Daemon;Asset Management Daemon; C:\Program Files\Gateway\EzTune\dtsslsrv.exe []S2 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS\system32\Ati2evxx.exe []S2 ATI Smart;ATI Smart; 
C:\WINDOWS\system32\ati2sgag.exe []S2 ccPwdSvc;Symantec Password Validation; C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe [2004-08-27 78968]S2 DTSRVC;Portrait Displays Display Tune Service; C:\Program Files\Gateway\EzTune\DTSRVC.exe []S2 MSSQL$SQLEXPRESS;SQL Server (SQLEXPRESS); C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2005-10-14 28768528]S2 NProtectService;Norton Unerase Protection; C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE []S2 RadClock;RadClock; C:\WINDOWS\system32\RadClock.exe [2005-04-27 102400]S2 Speed Disk service;Speed Disk service; C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE []S2 WinDefend;Windows Defender Service; C:\Program Files\Windows Defender\MsMpEng.exe []S3 Adobe LM Service;Adobe LM Service; C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe [2005-06-28 72704]S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2008-07-25 34312]S3 Autodesk Licensing Service;Autodesk Licensing Service; C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe [2009-04-15 79360]S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2008-07-25 69632]S3 ColdFusion MX 7 Application Server;ColdFusion MX 7 Application Server; C:\macromedia\runtime\bin\jrunsvc.exe [2005-09-09 61440]S3 ColdFusion MX 7 Search Server;ColdFusion MX 7 Search Server; C:\macromedia\verity\k2\_nti40\bin\k2admin.exe [2005-06-29 2732608]S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service; C:\Program Files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [2008-11-22 79360]S3 FLEXnet Licensing Service;FLEXnet Licensing Service; C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe [2009-05-27 651720]S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; 
C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [2008-07-29 46104]S3 GuardDogEXE;McAfee Privacy Service; C:\Program Files\McAfee\McAfee Privacy Service\GUARDDOG.EXE /SERVICE []S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-04 69632]S3 idsvc;Windows CardSpace; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2008-07-29 881664]S3 Macromedia Licensing Service;Macromedia Licensing Service; C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe [2005-02-23 69632]S3 mcupdmgr.exe;McAfee SecurityCenter Update Manager; C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe []S3 Norton Ghost;Norton Ghost; C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\PQV2iSvc.exe [2004-07-29 1269760]S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]S3 SandraDataSrv;Sandra Data Service; C:\Program Files\SiSoftware\SiSoftware Sandra Professional 2005.SR1\RpcDataSrv.exe []S3 SandraTheSrv;Sandra Service; C:\Program Files\SiSoftware\SiSoftware Sandra Professional 2005.SR1\RpcSandraSrv.exe []S3 SDhelper;PC Tools Spyware Doctor; C:\Program Files\Spyware Doctor\sdhelp.exe [2005-12-20 870624]S3 TuneUp.Defrag;TuneUp Drive Defrag Service; C:\WINDOWS\System32\TuneUpDefragService.exe [2009-05-05 361216]S3 Visual Studio Analyzer RPC bridge;Visual Studio Analyzer RPC bridge; C:\Program Files\Microsoft Visual Studio\Common\Tools\VS-Ent98\Vanalyzr\varpc.exe []S3 wampapache;wampapache; F:\wamp\apache2\bin\Apache.exe -k runservice []S3 wampmysqld;wampmysqld; F:\wamp\mysql\bin\mysqld-nt.exe --defaults-file=F:\wamp\mysql\my.ini wampmysqld []S3 WmcCds;Windows Media Connect (WMC); c:\program files\windows media connect\mswmccds.exe [2004-08-11 483328]S3 WmcCdsLs;Windows Media Connect (WMC) Helper; C:\Program Files\Windows Media Connect\mswmcls.exe [2004-08-10 28160]S3 x10nets;X10 Device 
Network Service; C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe []S3 ZuneNetworkSvc;Zune Network Sharing Service; C:\Program Files\Zune\ZuneNss.exe [2008-11-10 5117568]S3 ZuneWlanCfgSvc;Zune Wireless Configuration Service; C:\WINDOWS\system32\ZuneWlanCfgSvc.exe [2008-11-10 243840]S4 GEARSecurity;GEARSecurity; C:\WINDOWS\System32\GEARSec.exe [2004-07-29 53248]S4 MSSQLServerADHelper;SQL Server Active Directory Helper; C:\Program Files\Microsoft SQL Server\90\Shared\sqladhlp90.exe [2005-10-14 45272]S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2008-07-29 132096]S4 SQLBrowser;SQL Server Browser; C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe [2008-02-18 242544]-----------------EOF-----------------cont. next post Link to post Share on other sites More sharing options...
brew Posted August 3, 2009 Author ID:105607

Info.txt

info.txt logfile of random's system information tool 1.06 2009-08-03 12:24:58

======Uninstall list======
Maurice Naggar Posted August 4, 2009 ID:105989

Hello Brew,

Let's do this next:

Download GMER Rootkit Scanner from here or here. Unzip it to your Desktop.

========================================================
Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.
========================================================

Double-click gmer.exe to start it. The program will begin to run.

**Caution** These types of scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries unless advised by a trained Security Analyst.

If possible rootkit activity is found, you will be asked if you would like to perform a full scan. Click Yes.

Once the scan is complete, you may receive another notice about rootkit activity. Click OK. GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post. Save it where you can easily find it, such as your desktop.

If you do not receive notice about possible rootkit activity, remain on the Rootkit/Malware tab & make sure the 'Show All' button is unticked. Click the Scan button and let the program do its work. GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post. Save it where you can easily find it, such as your desktop.

Please attach the gmer.txt to your reply: Click the [Manage Attachments] button under Additional Options > Attach Files on the post composition page, browse to where you saved the file, and click Upload.
brew Posted August 5, 2009 Author ID:106372

Thanks for the continued help Maurice.

I ran gmer and received no notice of rootkit activity. I made sure the "Show All" tab was unticked and selected scan. The scan was still going strong after 8+ hours when I went to bed, only to discover the pc had rebooted with no sign of the gmer.log file.

I re-ran gmer and unticked the "file" box to get the info to you faster (gmer.txt attached). I will rerun the full scan if needed.
brew Posted August 6, 2009 Author ID:106680

Tried to re-run the full scan overnight with no success. Received a BSOD after several hours with the error - Kernel_Stack_Inpage_Error
brew Posted August 7, 2009 Author ID:106889

I believe my issue may be resolved. I ran avira and let it quarantine several files in the windows/system32 and drivers folder. All my scans with MBAM now come back clean.

Portion of avira log:

C:\WINDOWS\ BS_DEF.sys [DETECTION] Contains recognition pattern of the RKIT/Agent.8416 root kit [NOTE] The file was moved to '4ad9f9e6.qua'!
C:\WINDOWS\system32\ wuaumgr.exe [DETECTION] Contains a recognition pattern of the (harmful) BDS/Shark.B back-door program [NOTE] The file was moved to '4adbfa08.qua'!
C:\WINDOWS\system32\comdw\ svchost.exe [DETECTION] Is the TR/Drop.Agent.cal.2 Trojan [NOTE] The file was moved to '4addfa09.qua'!
C:\WINDOWS\system32\comdw\ winhelper.dll [DETECTION] Contains recognition pattern of the DR/Delphi.Gen dropper [NOTE] The file was moved to '4ae8f9fc.qua'!
C:\WINDOWS\system32\comdw\ winlogon.dll [DETECTION] Is the TR/PSW.Delf.adm Trojan [NOTE] The file was moved to '4f835df5.qua'!
C:\WINDOWS\system32\comoq\ svchost.exe [DETECTION] Is the TR/Drop.Agent.cal.2 Trojan [NOTE] The file was moved to '4f8b10b2.qua'!
C:\WINDOWS\system32\comoq\ winhelper.dll [DETECTION] Contains recognition pattern of the DR/Delphi.Gen dropper [NOTE] The file was moved to '4faf4815.qua'!
C:\WINDOWS\system32\comoq\ winlogon.dll [DETECTION] Is the TR/PSW.Delf.adm Trojan [NOTE] The file was moved to '4f64e82d.qua'!
C:\WINDOWS\system32\drivers\ a347bus.sys [DETECTION] Contains recognition pattern of the RKIT/Agent.8416 root kit [NOTE] The file was moved to '4aaef9c6.qua'!
C:\WINDOWS\system32\drivers\ a347scsi.sys [DETECTION] Contains recognition pattern of the RKIT/Agent.8416 root kit [NOTE] The file was moved to '4ff90b47.qua'!
C:\WINDOWS\system32\drivers\ ALCXWDM.SYS [DETECTION] Contains recognition pattern of the RKIT/Agent.8416 root kit [NOTE] The file was moved to '4abdf9df.qua'!
C:\WINDOWS\system32\drivers\ AsInsHelp32.sys [DETECTION] Contains recognition pattern of the RKIT/Agent.8416 root kit [NOTE] The file was moved to '4ac3fa06.qua'!
C:\WINDOWS\system32\drivers\ SENTINEL.SYS [DETECTION] Contains recognition pattern of the RKIT/Agent.8416 root kit [NOTE] The file was moved to '4ac8f9d8.qua'!
C:\WINDOWS\system32\drivers\ Si3114r5.sys [DETECTION] Contains recognition pattern of the RKIT/Agent.8416 root kit [NOTE] The file was moved to '4aadf9fc.qua'!

MBAM Log

Malwarebytes' Anti-Malware 1.40
Database version: 2573
Windows 5.1.2600 Service Pack 2

8/6/2009 4:46:40 PM
mbam-log-2009-08-06 (16-46-40).txt

Scan type: Quick Scan
Objects scanned: 114208
Time elapsed: 6 minute(s), 48 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
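The Avira report brew pasted above is easier to reason about as structured records. The following is an added example, not part of the thread and not Avira's own tooling: it assumes the flattened one-record-per-line layout shown in the post (directory, file name, [DETECTION] verdict, [NOTE] quarantine name), counts hits per signature family and per directory, and points out directories that hold an identical set of detected file names, as comdw and comoq do here.

```python
"""Parse flattened Avira report records and summarise them by family/directory."""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample: ten of the records quoted in the post above.
SAMPLE_REPORT = r"""
C:\WINDOWS\ BS_DEF.sys [DETECTION] Contains recognition pattern of the RKIT/Agent.8416 root kit [NOTE] The file was moved to '4ad9f9e6.qua'!
C:\WINDOWS\system32\ wuaumgr.exe [DETECTION] Contains a recognition pattern of the (harmful) BDS/Shark.B back-door program [NOTE] The file was moved to '4adbfa08.qua'!
C:\WINDOWS\system32\comdw\ svchost.exe [DETECTION] Is the TR/Drop.Agent.cal.2 Trojan [NOTE] The file was moved to '4addfa09.qua'!
C:\WINDOWS\system32\comdw\ winhelper.dll [DETECTION] Contains recognition pattern of the DR/Delphi.Gen dropper [NOTE] The file was moved to '4ae8f9fc.qua'!
C:\WINDOWS\system32\comdw\ winlogon.dll [DETECTION] Is the TR/PSW.Delf.adm Trojan [NOTE] The file was moved to '4f835df5.qua'!
C:\WINDOWS\system32\comoq\ svchost.exe [DETECTION] Is the TR/Drop.Agent.cal.2 Trojan [NOTE] The file was moved to '4f8b10b2.qua'!
C:\WINDOWS\system32\comoq\ winhelper.dll [DETECTION] Contains recognition pattern of the DR/Delphi.Gen dropper [NOTE] The file was moved to '4faf4815.qua'!
C:\WINDOWS\system32\comoq\ winlogon.dll [DETECTION] Is the TR/PSW.Delf.adm Trojan [NOTE] The file was moved to '4f64e82d.qua'!
C:\WINDOWS\system32\drivers\ a347bus.sys [DETECTION] Contains recognition pattern of the RKIT/Agent.8416 root kit [NOTE] The file was moved to '4aaef9c6.qua'!
C:\WINDOWS\system32\drivers\ ALCXWDM.SYS [DETECTION] Contains recognition pattern of the RKIT/Agent.8416 root kit [NOTE] The file was moved to '4abdf9df.qua'!
"""

# One flattened record: "<dir> <file> [DETECTION] <verdict> [NOTE] The file was moved to '<qua>'!"
RECORD_RE = re.compile(
    r"^(?P<dir>[A-Za-z]:\\\S*)\s+(?P<file>\S+)\s+\[DETECTION\]\s+(?P<verdict>.+?)"
    r"\s+\[NOTE\]\s+The file was moved to '(?P<qua>[^']+)'!"
)
# Signature names in the verdict look like RKIT/Agent.8416, TR/Drop.Agent.cal.2, BDS/Shark.B.
FAMILY_RE = re.compile(r"\b([A-Z]{2,4}/[\w.\-]+)")


@dataclass(frozen=True)
class Detection:
    directory: str
    filename: str
    family: str
    verdict: str
    quarantine: str


def parse_avira_report(text: str) -> List[Detection]:
    """Return one Detection per parseable record; lines of any other shape are skipped."""
    hits = []
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue
        fam = FAMILY_RE.search(m.group("verdict"))
        hits.append(Detection(m.group("dir"), m.group("file"),
                              fam.group(1) if fam else "UNKNOWN",
                              m.group("verdict"), m.group("qua")))
    return hits


def summarize(hits: List[Detection]) -> Dict[str, object]:
    """Count hits per family and per directory, and list groups of directories
    whose detected file names are identical (case-insensitive)."""
    by_family = Counter(h.family for h in hits)
    by_dir = Counter(h.directory for h in hits)
    names_in_dir: Dict[str, set] = defaultdict(set)
    for h in hits:
        names_in_dir[h.directory].add(h.filename.lower())
    dirs_by_names: Dict[frozenset, List[str]] = defaultdict(list)
    for d, names in names_in_dir.items():
        dirs_by_names[frozenset(names)].append(d)
    mirrored: List[Tuple[str, ...]] = sorted(
        tuple(sorted(ds)) for ds in dirs_by_names.values() if len(ds) > 1)
    return {"by_family": by_family, "by_dir": by_dir, "mirrored_dirs": mirrored}


if __name__ == "__main__":
    summary = summarize(parse_avira_report(SAMPLE_REPORT))
    for fam, n in summary["by_family"].most_common():
        print(f"{n:2d}  {fam}")
    for dirs in summary["mirrored_dirs"]:
        print("same detected file names in:", ", ".join(dirs))
```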
Maurice Naggar Posted August 7, 2009 ID:106894

One question I have for you: You have TuneUp utilities I believe and that has set TUKERNEL as an alternate kernel. Are you aware of that? And for what purpose do you have TuneUp utilities?
brew Posted August 7, 2009 Author ID:106898

I use some of the "utilities" of TuneUp Utilities, i.e. disk defrag, memory optimizer, process manager, startup manager etc. I have used version 2007, 2008, and now 2009 with no issues. I am not sure what TUKERNEL is or the purpose of it. I would not hesitate to abandon TuneUp Utilities if you think it is a security risk.
Maurice Naggar Posted August 8, 2009 ID:107613

TUKERNEL apparently is an "alternate" kernel to what XP uses. You need to consider not using it.

See the 5th reply by mutronics dated 16 February: http://forum.sysinternals.com/forum_posts.asp?TID=13645

Take a look at your Boot.ini to see if there is a mention of TUKERNEL.

TUKERNEL will cause a blockage in your getting XP Service Pack 3, which you need to get eventually, and soon (after malware is gone).
brew Posted August 8, 2009 Author ID:107679

Maurice,

After doing some research, the TUKernel is part of TuneUp Styler, a program that lets you create and specify custom bootup screens. I have had a custom boot screen for a couple years and haven't thought much about it. It is better explained here - http://www.neowin.net/forum/lofiversion/in...hp/t387432.html

First, you gotta go to TuneUp WinStyle 2 and select the Bootscreen you wanna have, and click on "Install Bootscreen"... What it is going to do, is to compile the file to the System32 folder as an .exe archive... once you have it as .exe you are able to share your bootscreen and/or add it to another OS by just editing the boot.ini file (I'll explain that in a few seconds...)

Now, go to X:\WINDOWS\System32\ and look for the file called "TUKernel.exe". This file is the actual Bootscreen you have chosen. Copy and paste to wherever you want/need it.

Now, for the boot.ini editing part: If you want to add your Bootscreen to any other OS without having to install TuneUp Utilities, simply follow these easy steps:

1 - Go to the partition in which you should boot all of your OSs from. (C:\ most of the times... depends on your installation) and type in the address bar: C:\boot.ini

An ini file should open with junk like this:

[boot loader]
timeout=5
default=multi(0)disk(0)rdisk(0)partition(3)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(3)\WINDOWS="Microsoft Windows Vista 5231 CTP" /NOEXECUTE=OPTIN /FASTDETECT /USENEWLOADER
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /NOEXECUTE=OPTIN /FASTDETECT /TUTAG=O4F3OT /KERNEL=TUKernel.exe
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition (TuneUp Backup)" /NOEXECUTE=OPTIN /FASTDETECT /TUTAG=O4F3OT-BAK
c:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /CMDCONS

Don't get confused by all this junk, this is just all the stuff I got loading on my machine lol.

Now let's say you got something like this:

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /NOEXECUTE=OPTIN /FASTDETECT

All you have to do is add these words " /KERNEL=TUKernel.exe" right after the "FASTDETECT" string, making sure you leave a space between both words...

ONE THING! - You have to copy your bootscreen exe to the SYSTEM32 folder, in order to use it as your bootscreen. You can name it whatever you want.. let's say that you wanna call it MYBOOTSCREEN.exe.... then the string you just modified should look like this:

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /NOEXECUTE=OPTIN /FASTDETECT /KERNEL=MYBOOTSCREEN.exe

Now simply save and close that inf file... If you get an error, go to Folder Options, uncheck "Hide System Protected Files" and "Do not show Hidden Files" options, click Apply, and OK. Then right click on the boot.ini file that is going to show up on the main C:\ folder after you've disabled those two options, and uncheck where it says "Read-Only" if it's checked... then save again and close that file.

ANOTHER NOTE! Before you close, copy that string and delete the KERNEL part, so you have a loader backup just in case your bootscreen executable is not working or was damaged. Make sure you add something like "BACKUP" within the OS description lines. After you are done doing that, you should have something like this:

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /NOEXECUTE=OPTIN /FASTDETECT /KERNEL=MYBOOTSCREEN.exe
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition BACKUP" /NOEXECUTE=OPTIN /FASTDETECT

I have set the boot screen back to default and now the boot.ini reads -

[boot loader]
timeout=3
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /noexecute=optin /tutag=X1I2A6 /usepmtimer

I believe I am free of malware as MBAM log comes up clean. What is the next step and/or what logs do you need to see to confirm this?

Again, your time and help is much appreciated!
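The two boot.ini listings in the post above show exactly what Maurice asked brew to look for: a /KERNEL= switch that makes NTLDR load something other than the stock kernel. The following is an added example, not part of the thread and not TuneUp's or Microsoft's code: it parses the [boot loader] and [operating systems] sections, splits each entry into ARC path, description and /switches, and reports every entry carrying /KERNEL= or a TuneUp /TUTAG, noting whether that entry is the one default= selects. The two sample files are constructed from the listings quoted above.

```python
"""Audit a Windows XP boot.ini for entries that load an alternate kernel."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed samples: the boot.ini quoted from the neowin post, and the one
# brew posted after resetting the boot screen.
BOOT_INI_WITH_TUKERNEL = r"""[boot loader]
timeout=5
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /NOEXECUTE=OPTIN /FASTDETECT /TUTAG=O4F3OT /KERNEL=TUKernel.exe
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition (TuneUp Backup)" /NOEXECUTE=OPTIN /FASTDETECT /TUTAG=O4F3OT-BAK
c:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /CMDCONS
"""
BOOT_INI_CLEAN = r"""[boot loader]
timeout=3
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /noexecute=optin /tutag=X1I2A6 /usepmtimer
"""

# <ARC path>="<description>" <switches...>
ENTRY_RE = re.compile(r'^(?P<path>[^=]+)="(?P<desc>[^"]*)"(?P<rest>.*)$')
# Switch name -> finding kind. Names are compared upper-cased because the
# switches appear in both cases above (/FASTDETECT and /fastdetect).
WATCHED = {"KERNEL": "alternate-kernel", "TUTAG": "tuneup-tag"}


@dataclass
class BootEntry:
    path: str
    description: str
    switches: Dict[str, Optional[str]] = field(default_factory=dict)


def parse_boot_ini(text: str) -> Tuple[Dict[str, str], List[BootEntry]]:
    """Return ({loader key: value}, [entries]) from boot.ini text."""
    section, loader, entries = None, {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "boot loader":
            key, _, value = line.partition("=")
            loader[key.strip().lower()] = value.strip()
        elif section == "operating systems":
            m = ENTRY_RE.match(line)
            if not m:
                continue  # not an ARC-path entry; skip rather than guess
            switches: Dict[str, Optional[str]] = {}
            for token in m.group("rest").split():
                if token.startswith("/"):
                    name, _, value = token[1:].partition("=")
                    switches[name.upper()] = value or None
            entries.append(BootEntry(m.group("path"), m.group("desc"), switches))
    return loader, entries


def audit_boot_ini(text: str) -> List[Tuple[str, str, Optional[str], bool]]:
    """Return (kind, description, switch value, is_default) for every watched
    switch. is_default marks the first entry whose ARC path equals default=,
    taken here as the entry booted when the timeout expires."""
    loader, entries = parse_boot_ini(text)
    default_path = loader.get("default", "").lower()
    default_seen, findings = False, []
    for entry in entries:
        is_default = not default_seen and entry.path.lower() == default_path
        default_seen = default_seen or is_default
        for switch, kind in WATCHED.items():
            if switch in entry.switches:
                findings.append((kind, entry.description, entry.switches[switch], is_default))
    return findings


if __name__ == "__main__":
    for label, ini in (("neowin sample", BOOT_INI_WITH_TUKERNEL), ("reset boot.ini", BOOT_INI_CLEAN)):
        print(label)
        for kind, desc, value, is_default in audit_boot_ini(ini):
            print(f"  {kind:<17} {'DEFAULT ' if is_default else ''}'{desc}' -> {value}")
```

Run against brew's reset boot.ini it reports only the leftover /tutag, which is the switch Maurice then asks about.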
Maurice Naggar Posted August 8, 2009 ID:107685

I believe we are very near to closing, but since I'd like to see you in good shape for a successful service pack upgrade.... tell me why you left /tutag=X1I2A6 /usepmtimer in your last line of Boot.ini?

I'd have you take those bits out.
brew Posted August 9, 2009 Author ID:107702

I didn't make any actual changes to the boot.ini file. All I did was go into TuneUp Styler and select the XP default bootup screen. It removed the reference to TUKernel in the boot.ini file.

I am not sure what the /tutag=X1I2A6 is so I will remove it manually. I believe the /usepmtimer is part of AMD's dual core utility - http://support.amd.com/us/Pages/dynamicDet...&ItemID=153 and would prefer to leave it, if it does not pose a security risk.
Maurice Naggar Posted August 9, 2009 ID:107743

Hello brew,

Good catch on the /usepmtimer in Boot.ini. It is not a security risk.

We can now proceed to cleanup the tools. And I have some recommendations below on Service Pack 3.

=

Download OTL by OldTimer to your desktop: http://oldtimer.geekstogo.com/OTL.exe

This next will delete 2 folders.

Please double-click OTL.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).

Copy all the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

:files
C:\WINDOWS\system32\comdw
C:\WINDOWS\system32\comoq

Return to OTL. Right click in the "Custom Scans/Fixes" window (under the aqua-blue bar) and choose Paste.
Close any browser(s) windows that may be open.
Using your mouse, click on the red-lettered button Run Fix.
Once you see a message box "Fix complete! Click OK to open the fix log." click the OK button.
The log will open in Notepad (your default text editor).
Save the log. Post a copy of that log in your next reply.

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

=

While this thread was underway, over these past number of days, a newer Java runtime has been released. Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

Download the latest version of Java Runtime Environment (JRE) 6 and save it to your desktop.
Scroll down to where it says "Java SE Runtime Environment (JRE) - JRE 6 Update 15 -"
Click the "Download" button to the right.
Select the Windows platform from the dropdown menu.
Read the License Agreement and then check the box that says: "I agree to the Java SE Runtime Environment 6u15 with JavaFX 1 License Agreement".
Click on Continue. The page will refresh.
Click on the link to download Windows Offline Installation and save the file to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6u15-windows-i586-p.exe to install the newest version.
After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
On the General tab, under Temporary Internet Files, click the Settings button.
Next, click on the Delete Files button.
There are two options in the window to clear the cache - Leave BOTH Checked:
Applications and Applets
Trace and Log Files
Click OK on Delete Temporary Files Window. Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
Click OK to leave the Temporary Files Window.
Click OK to leave the Java Control Panel.

To test your Java Run-time, you may go to this page http://www.java.com/en/download/help/testvm.xml
When all is well, you should see Java Version: 1.6.0_15 from Sun Microsystems Inc.

=

Unless you have purchased Malwarebytes' Anti Malware {MBAM}, you should un-install it. (One can download it if needed in future).
Go to Control Panel and Add-or-Remove programs. Look for it and click the line for it. Select Change/Remove to de-install it. OK & Exit out of Control Panel.

I see that you are clear of your original issues. If you have a problem with these steps, or something does not quite work here, do let me know.

The following few steps will remove tools we used; followed by advice on staying safer.

We have to remove Combofix and all its associated folders. By whichever name you named it (you had named it combofix1), put that name in the RUN box stated just below. The "/u" in the Run line below is to start Combofix for its cleanup & removal function. Note the space after x and before the slash mark. The utility must be removed to prevent any un-intentional or accidental usage, PLUS, to free up much space on your hard disk.
Click Start, then click Run. In the command box that opens, type or copy/paste combofix1 /u and then click OK.

Please double-click OTL.exe to run it. Click on the CleanUp! button at upper right corner. When you do this a text file named cleanup.txt will be downloaded from the internet. If you get a warning from your firewall or other security programs regarding OTL attempting to contact the internet you should allow it to do so. After the list has been downloaded you'll be asked if you want to Begin cleanup process? Select Yes. This step removes the files, folders, and shortcuts created by the tools I had you download and run.

Run ATF Cleaner, and checkmark "Empty Recycle Bin", click "Empty Selected" and exit the program. You can delete or keep this utility as you wish.

You may reset your Windows Explorer {My Computer} Folder Options > VIEW settings back to where they had been before. {under hidden files & folders to not show hidden or system files -and- to "hide protected operating system files"}

Delete any downloads & any leftovers of Sysprot, as well as RootRepeal, if any still left.

I would urge you to plan for and get and apply Windows XP Service Pack 3. See Windows XP Service Pack 3 (SP3): Installation Guide. Make a note that your antivirus and anti-malware apps need to be disabled just prior to and during the service pack update.

Configure your Antivirus software to check for updates daily, at a time in which you are sure the computer will be on.

Check in at Windows Update and install any Critical Updates offered.

Download and Install Windows Defender by Microsoft (free) if you do not already have it: http://www.microsoft.com/downloads/details...A4-F7F14E605A0D

Make certain that Automatic Updates is enabled. How to configure and use Automatic Updates in WinXP: http://support.microsoft.com/kb/306525

Download, install, and keep updated Spyware Blaster (free): http://www.javacoolsoftware.com/spywareblaster.html (all Protections should be enabled at all times)

I'd recommend that you get and use MVP Mike Burgess' custom hosts file http://mvps.org/winhelp2002/hosts.htm See the FAQ page http://mvps.org/winhelp2002/hostsfaq.htm That would help to keep your browser away from known spyware/malware sites.

Make regular backups of your system to removable media: DVD, USB external hard drive, etc.

On some regular schedule, it is a good idea to do an online scan for viruses and malware. Here is a very short list of sites where this may be done:
Kaspersky Webscan Online Virus Scanner
ESET Online Scanner
Panda ActiveScan
Trend Micro Housecall
F-Secure Online Scanner

Read Tony Klein's article How Did I Get Infected In The First Place

Never, ever download free games, free tools, smileys, or anything free unless you can be absolutely sure the source is safe!

Finally, spend some time reading about how to keep your computer safe on the Internet: http://www.bleepingcomputer.com/tutorials/tutorial82.html

We are finished here. Best regards.