trojan/malware problem, MBAM not finding it

[yoo_doo_right]

I have some sort of trojan/malware that is giving me occassional pop-ups and more constant redirects form search engine results, both google and yahoo, and in both firefox and IE. when the problem first showed up, ran avg, ad-aware, spybot, and then MBAM. removed some things, but still giving me problems with the popups/redirects, gave housecall a shot too but it didn't find anything. then my trojan/malware installed "Vista Security" which I immediately recognized as malware and got removed by MBAM. dunno what to do at this point, nothing in the hijackthis log looks suspicious, at least not like anything I've encountered before, so I'm handing it off to you guys.

ran DDS fine, but GMER crashes. posting the DDS log and the latest MBAM log below. thanks to anyone who can help

DDS.txt

DDS (Ver_10-03-17.01) - NTFSx86

Run by Ryan at 2:28:09.49 on Sun 03/28/2010

Internet Explorer: 8.0.6001.18882

Microsoft

[Maniac]

Hello yoo_doo_right! Welcome to MalwareBytes' Anti-malware Forums!

My name is Borislav and I will be glad to help you solve your problems with malware. Before we

begin, please note the following:

• The process of cleaning your system may take some time, so please be patient.
  
• Stay with the topic until I tell you that your system is clean. Missing symptoms does not mean that everything is okay.
  
• Instructions that I give are for your system only!
  
• If you don't know or can't understand something please ask.
  
• Do not install any software or hardware, while work on.
  

Please visit Combofix Guide & Instructions for instructions for installing the recovery console and downloading and running ComboFix.

The only thing different from the instructions there is that when downloading and saving the ComboFix.exe I would like you to rename it to Combo-Fix.exe please.

Post the log from ComboFix when you've accomplished that along with a new HijackThis log.

Important notes regarding ComboFix:

ComboFix may reset a number of Internet Explorer's settings, including making it the default browser. This can easily be changed once we're finished.

ComboFix also prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you, please let me know. This can be undone manually when we're finished. Read HERE for an article written by dvk01 on why we disable autoruns.

Note: During this process, it would help a great deal and be very much appreciated if you would refrain from installing any new software or hardware on this machine, unless absolutely necessary, until the clean up process is finished as it makes our job more tedious, with additional new files that may have to be researched, which is very time consuming.

Also, please do not run any security programs or fixes on your own as doing so may compromise what we will be doing. It is important that you wait for instructions.

[yoo_doo_right]

ComboFix 10-03-29.02 - Ryan 03/30/2010 2:26.1.2 - x86

Microsoft

[Maniac]

• Launch Malwarebytes' Anti-Malware
  
• If an update is found, it will download and install the latest version.
  
• Once the program has loaded, select "Perform Quick Scan", then click Scan.
  
• The scan may take some time to finish,so please be patient.
  
• When the scan is complete, click OK, then Show Results to view the results.
  
• Make sure that everything is checked, and click Remove Selected.
  
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  
• Copy&Paste the entire report in your next reply.
  

Extra Note:

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.

In your next reply, please include these log(s):

* MalwareBytes' Anti-Malware log

* HijackThis log (new)

[yoo_doo_right]

Malwarebytes' Anti-Malware 1.44

Database version: 3925

Windows 6.0.6001 Service Pack 1

Internet Explorer 8.0.6001.18882

3/30/2010 4:04:13 AM

mbam-log-2010-03-30 (04-04-13).txt

Scan type: Quick Scan

Objects scanned: 112292

Time elapsed: 10 minute(s), 4 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 4:05:25 AM, on 3/30/2010

Platform: Windows Vista SP1 (WinNT 6.00.1905)

MSIE: Internet Explorer v8.00 (8.00.6001.18882)

Boot mode: Normal

Running processes:

C:\Windows\system32\Dwm.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Creative\SBAudigy\Volume Panel\VolPanlu.exe

C:\Windows\System32\WLTRAY.EXE

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\Windows\sttray.exe

C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\DellSupport\DSAgnt.exe

C:\Program Files\Simplify Media\SimplifyMedia.exe

C:\Program Files\Windows Media Player\wmpnscfg.exe

C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE

C:\Program Files\Brother\ControlCenter3\brccMCtl.exe

C:\Program Files\Brother\Brmfcmon\BrMfimon.exe

C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe

C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe

C:\Windows\system32\wuauclt.exe

C:\Windows\system32\taskeng.exe

C:\Windows\system32\wuauclt.exe

C:\Windows\Explorer.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\Program Files\Java\jre1.6.0\bin\ssv.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\SBAudigy\Volume Panel\VolPanlu.exe" /r

O4 - HKLM\..\Run: [broadcom Wireless Manager UI] C:\Windows\system32\WLTRAY.exe

O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"

O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"

O4 - HKLM\..\Run: [sigmatelSysTrayApp] sttray.exe

O4 - HKLM\..\Run: [brMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN

O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun

O4 - HKLM\..\Run: [iSUSPM Startup] c:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup

O4 - HKCU\..\Run: [simplify Media] "C:\Program Files\Simplify Media\SimplifyMedia.exe"

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll

O20 - AppInit_DLLs: C:\Windows\System32\avgrsstx.dll

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)

O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\Windows\system32\CTsvcCDA.exe

O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe

O23 - Service: Google Desktop Manager 5.9.909.30391 (GoogleDesktopManager-093009-130223) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe

O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe

O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\Windows\System32\WLTRYSVC.EXE

--

End of file - 6087 bytes

[Maniac]

Your version of MBAM is 1.44 , but the latest is 1.45 , so:

Uninstall Malwarebytes' Anti-Malware using Add/Remove programs in the control panel.

Restart your computer (very important).

Download and run this utility. mbam-clean.exe

It will ask to restart your computer (please allow it to).

Download the latest version 1.45 from: here

Update it and perform a Quick scan.

Post your log file

[yoo_doo_right]

Malwarebytes' Anti-Malware 1.45

www.malwarebytes.org

Database version: 3935

Windows 6.0.6001 Service Pack 1

Internet Explorer 8.0.6001.18882

3/30/2010 9:42:33 PM

mbam-log-2010-03-30 (21-42-33).txt

Scan type: Quick scan

Objects scanned: 103537

Time elapsed: 5 minute(s), 46 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

[Maniac]

Please download GMER from one of the following locations and save it to your desktop:

• Main Mirror
  This version will download a randomly named file (Recommended)
  
• Zipped Mirror
  This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  

• Disconnect from the Internet and close all running programs.
  
• Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  
• Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  
• Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
  
  
• GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  
• If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  
• Now click the Scan button. If you see a rootkit warning window, click OK.
  
• When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  
• Click the Copy button and paste the results into your next reply.
  
• Exit GMER and re-enable all active protection when done.
  

-- If you encounter any problems, try running GMER in Safe Mode.

[yoo_doo_right]

GMER crashes, even in safe mode.

[Maniac]

Download RootRepeal.zip and unzip it to your Desktop.

• Double click RootRepeal.exe to start the program
  
• Click on the Report tab at the bottom of the program window
  
• Click the Scan button
  
• In the Select Scan dialog, check:
  • 
    
  • Drivers
    
  • Files
    
  • Processes
    
  • SSDT
    
  • Stealth Objects
    
  • Hidden Services
    

  [*]Click the OK button

  [*]In the next dialog, select all drives showing

  [*]Click OK to start the scan

  Note: The scan can take some time.
  DO NOT
  run any other programs while the scan is running

  [*]When the scan is complete, the Save Report button will become available

  [*]Click this and save the report to your Desktop as RootRepeal.txt

  [*]Go to File, then Exit to close the program

If the report is not too long, post the contents of RootRepeal.txt in your next reply. If the report is very long, it will not be complete if you post it, so please attach it to your reply instead.

[yoo_doo_right]

RootRepeal got partway through then froze up.

[Maniac]

You kidding me...

Please download Sysprot Antirootkit

Unzip it into a folder on your desktop.

• Double-Click Sysprot.exe to start the program.
  
• Click on the log tab.
  
• In the Write to log box select all items.
  
• Click on the Create Log button on the Bottom Right.
  
• After a few seconds a new windows should appear.
  
• Select Scan Root Drive. Click on the Start button.
  
• When it is complete a new window will appear to indicate that the scan is finished.
  
• The log will be saved automatically in the same folder Sysprot.exe was extracted too.
  
• Open the text file and copy/paste the log here
  

[yoo_doo_right]

I think my computer has some general issues beyond trojans/malware, I'd just format and re-install my OS but unfortunately I don't have the disc for Microsoft Office anymore.

anyway I'll give that one a shot when I get home tonight.

[Maniac]

We are making progress, so not worth it to reinstall. Please try with SysProt.

[yoo_doo_right]

SysProt AntiRootkit v1.0.1.0

by swatkat

********************************************************************************

**********

********************************************************************************

**********

Process:

Name: [system Idle Process]

PID: 0

Hidden: No

Window Visible: No

Name: System

PID: 4

Hidden: No

Window Visible: No

Name: C:\Windows\System32\smss.exe

PID: 488

Hidden: No

Window Visible: No

Name: C:\Windows\System32\csrss.exe

PID: 564

Hidden: No

Window Visible: No

Name: C:\Windows\System32\wininit.exe

PID: 616

Hidden: No

Window Visible: No

Name: C:\Windows\System32\csrss.exe

PID: 628

Hidden: No

Window Visible: No

Name: C:\Windows\System32\services.exe

PID: 660

Hidden: No

Window Visible: No

Name: C:\Windows\System32\lsass.exe

PID: 688

Hidden: No

Window Visible: No

Name: C:\Windows\System32\lsm.exe

PID: 696

Hidden: No

Window Visible: No

Name: C:\Windows\System32\winlogon.exe

PID: 736

Hidden: No

Window Visible: No

Name: C:\Windows\System32\svchost.exe

PID: 884

Hidden: No

Window Visible: No

Name: C:\Windows\System32\svchost.exe

PID: 948

Hidden: No

Window Visible: No

Name: C:\Windows\System32\Ati2evxx.exe

PID: 1072

Hidden: No

Window Visible: No

Name: C:\Windows\System32\svchost.exe

PID: 1096

Hidden: No

Window Visible: No

Name: C:\Windows\System32\svchost.exe

PID: 1120

Hidden: No

Window Visible: No

Name: C:\Windows\System32\svchost.exe

PID: 1140

Hidden: No

Window Visible: No

Name: C:\Windows\System32\audiodg.exe

PID: 1240

Hidden: No

Window Visible: No

Name: C:\Windows\System32\svchost.exe

PID: 1264

Hidden: No

Window Visible: No

Name: C:\Windows\System32\SLsvc.exe

PID: 1288

Hidden: No

Window Visible: No

Name: C:\Windows\System32\svchost.exe

PID: 1316

Hidden: No

Window Visible: No

Name: C:\Windows\System32\svchost.exe

PID: 1464

Hidden: No

Window Visible: No

Name: C:\Windows\System32\Ati2evxx.exe

PID: 1628

Hidden: No

Window Visible: No

Name: C:\Windows\System32\WLTRYSVC.EXE

PID: 1676

Hidden: No

Window Visible: No

Name: C:\Windows\System32\BCMWLTRY.EXE

PID: 1688

Hidden: No

Window Visible: No

Name: C:\Windows\System32\spoolsv.exe

PID: 1812

Hidden: No

Window Visible: No

Name: C:\Windows\System32\svchost.exe

PID: 1840

Hidden: No

Window Visible: No

Name: C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

PID: 380

Hidden: No

Window Visible: No

Name: C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe

PID: 540

Hidden: No

Window Visible: No

Name: C:\Program Files\AVG\AVG9\avgwdsvc.exe

PID: 568

Hidden: No

Window Visible: No

Name: C:\Program Files\Bonjour\mDNSResponder.exe

PID: 876

Hidden: No

Window Visible: No

Name: C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe

PID: 1052

Hidden: No

Window Visible: No

Name: C:\Windows\System32\CTSVCCDA.EXE

PID: 1896

Hidden: No

Window Visible: No

Name: C:\Windows\System32\dwm.exe

PID: 1904

Hidden: No

Window Visible: Yes

Name: C:\Windows\explorer.exe

PID: 2024

Hidden: No

Window Visible: No

Name: C:\Windows\System32\svchost.exe

PID: 2112

Hidden: No

Window Visible: No

Name: C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe

PID: 2172

Hidden: No

Window Visible: No

Name: C:\Windows\System32\taskeng.exe

PID: 2532

Hidden: No

Window Visible: No

Name: C:\Windows\System32\taskeng.exe

PID: 2564

Hidden: No

Window Visible: No

Name: C:\Windows\System32\svchost.exe

PID: 2748

Hidden: No

Window Visible: No

Name: C:\Windows\System32\svchost.exe

PID: 2796

Hidden: No

Window Visible: No

Name: C:\Windows\System32\SearchIndexer.exe

PID: 2836

Hidden: No

Window Visible: No

Name: C:\Program Files\AVG\AVG9\avgnsx.exe

PID: 2964

Hidden: No

Window Visible: No

Name: C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

PID: 3068

Hidden: No

Window Visible: Yes

Name: C:\Windows\System32\WLTRAY.EXE

PID: 3088

Hidden: No

Window Visible: No

Name: C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

PID: 3152

Hidden: No

Window Visible: No

Name: C:\Windows\sttray.exe

PID: 3196

Hidden: No

Window Visible: No

Name: C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe

PID: 3208

Hidden: No

Window Visible: No

Name: C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe

PID: 3252

Hidden: No

Window Visible: No

Name: C:\Program Files\iTunes\iTunesHelper.exe

PID: 3260

Hidden: No

Window Visible: No

Name: C:\Program Files\DellSupport\DSAgnt.exe

PID: 3268

Hidden: No

Window Visible: No

Name: C:\Program Files\Simplify Media\SimplifyMedia.exe

PID: 3460

Hidden: No

Window Visible: No

Name: C:\Program Files\Brother\ControlCenter3\BrccMCtl.exe

PID: 3512

Hidden: No

Window Visible: No

Name: C:\Program Files\AVG\AVG9\avgrsx.exe

PID: 3572

Hidden: No

Window Visible: No

Name: C:\Program Files\AVG\AVG9\avgchsvx.exe

PID: 3580

Hidden: No

Window Visible: No

Name: C:\Program Files\AVG\AVG9\avgcsrvx.exe

PID: 3648

Hidden: No

Window Visible: No

Name: C:\Program Files\Brother\Brmfcmon\BrMfimon.exe

PID: 2436

Hidden: No

Window Visible: No

Name: C:\Program Files\iPod\bin\iPodService.exe

PID: 3048

Hidden: No

Window Visible: No

Name: C:\Program Files\Windows Media Player\wmpnscfg.exe

PID: 1744

Hidden: No

Window Visible: No

Name: C:\Program Files\Windows Media Player\wmpnetwk.exe

PID: 2928

Hidden: No

Window Visible: No

Name: C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe

PID: 2208

Hidden: No

Window Visible: No

Name: C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe

PID: 984

Hidden: No

Window Visible: No

Name: C:\Windows\System32\wuauclt.exe

PID: 5344

Hidden: No

Window Visible: No

Name: C:\Program Files\Mozilla Firefox\firefox.exe

PID: 5864

Hidden: No

Window Visible: No

Name: C:\Windows\System32\taskmgr.exe

PID: 4820

Hidden: No

Window Visible: Yes

Name: C:\Users\Ryan\Desktop\SysProt\SysProt.exe

PID: 5900

Hidden: No

Window Visible: Yes

Name: C:\Windows\System32\SearchProtocolHost.exe

PID: 5404

Hidden: No

Window Visible: No

Name: C:\Windows\System32\SearchFilterHost.exe

PID: 4492

Hidden: No

Window Visible: No

********************************************************************************

**********

********************************************************************************

**********

Kernel Modules:

Module Name: \??\C:\Users\Ryan\Desktop\SysProt\SysProtDrv.sys

Service Name: SysProtDrv.sys

Module Base: 9CA51000

Module End: 9CA5C000

Hidden: No

Module Name: C:\Windows\system32\ntkrnlpa.exe

Service Name: ---

Module Base: 81C12000

Module End: 81FCB000

Hidden: No

Module Name: C:\Windows\system32\hal.dll

Service Name: ---

Module Base: 81FCB000

Module End: 81FFE000

Hidden: No

Module Name: C:\Windows\system32\kdcom.dll

Service Name: ---

Module Base: 8040B000

Module End: 80413000

Hidden: No

Module Name: C:\Windows\system32\mcupdate_GenuineIntel.dll

Service Name: ---

Module Base: 80413000

Module End: 80473000

Hidden: No

Module Name: C:\Windows\system32\PSHED.dll

Service Name: ---

Module Base: 80473000

Module End: 80484000

Hidden: No

Module Name: C:\Windows\system32\BOOTVID.dll

Service Name: ---

Module Base: 80484000

Module End: 8048C000

Hidden: No

Module Name: C:\Windows\system32\CLFS.SYS

Service Name: CLFS

Module Base: 8048C000

Module End: 804CD000

Hidden: No

Module Name: C:\Windows\system32\CI.dll

Service Name: ---

Module Base: 804CD000

Module End: 805AD000

Hidden: No

Module Name: C:\Windows\system32\drivers\Wdf01000.sys

Service Name: Wdf01000

Module Base: 80608000

Module End: 80684000

Hidden: No

Module Name: C:\Windows\system32\drivers\WDFLDR.SYS

Service Name: ---

Module Base: 80684000

Module End: 80691000

Hidden: No

Module Name: C:\Windows\system32\drivers\acpi.sys

Service Name: ACPI

Module Base: 80691000

Module End: 806D7000

Hidden: No

Module Name: C:\Windows\system32\drivers\WMILIB.SYS

Service Name: ---

Module Base: 806D7000

Module End: 806E0000

Hidden: No

Module Name: C:\Windows\system32\drivers\msisadrv.sys

Service Name: msisadrv

Module Base: 806E0000

Module End: 806E8000

Hidden: No

Module Name: C:\Windows\system32\drivers\pci.sys

Service Name: pci

Module Base: 806E8000

Module End: 8070F000

Hidden: No

Module Name: C:\Windows\System32\drivers\partmgr.sys

Service Name: partmgr

Module Base: 8070F000

Module End: 8071E000

Hidden: No

Module Name: C:\Windows\system32\DRIVERS\compbatt.sys

Service Name: Compbatt

Module Base: 8071E000

Module End: 80721000

Hidden: No

Module Name: C:\Windows\system32\DRIVERS\BATTC.SYS

Service Name: BattC

Module Base: 80721000

Module End: 8072B000

Hidden: No

Module Name: C:\Windows\system32\drivers\volmgr.sys

Service Name: volmgr

Module Base: 8072B000

Module End: 8073A000

Hidden: No

Module Name: C:\Windows\System32\drivers\volmgrx.sys

Service Name: volmgrx

Module Base: 8073A000

Module End: 80784000

Hidden: No

Module Name: C:\Windows\system32\drivers\intelide.sys

Service Name: intelide

Module Base: 80784000

Module End: 8078B000

Hidden: No

Module Name: C:\Windows\system32\drivers\PCIIDEX.SYS

Service Name: ---

Module Base: 8078B000

Module End: 80799000

Hidden: No

Module Name: C:\Windows\system32\DRIVERS\pciide.sys

Service Name: pciide

Module Base: 80799000

Module End: 807A0000

Hidden: No

Module Name: C:\Windows\System32\drivers\mountmgr.sys

Service Name: MountMgr

Module Base: 807A0000

Module End: 807B0000

Hidden: No

Module Name: C:\Windows\system32\drivers\atapi.sys

Service Name: atapi

Module Base: 807B0000

Module End: 807B8000

Hidden: No

Module Name: C:\Windows\system32\drivers\ataport.SYS

Service Name: ---

Module Base: 807B8000

Module End: 807D6000

Hidden: No

Module Name: C:\Windows\system32\drivers\fltmgr.sys

Service Name: FltMgr

Module Base: 805AD000

Module End: 805DF000

Hidden: No

Module Name: C:\Windows\system32\drivers\fileinfo.sys

Service Name: FileInfo

Module Base: 807D6000

Module End: 807E6000

Hidden: No

Module Name: C:\Windows\system32\DRIVERS\Lbd.sys

Service Name: Lbd

Module Base: 807E6000

Module End: 807F5000

Hidden: No

Module Name: C:\Windows\System32\Drivers\PxHelp20.sys

Service Name: PxHelp20

Module Base: 807F5000

Module End: 807FE000

Hidden: No

Module Name: C:\Windows\System32\Drivers\ksecdd.sys

Service Name: KSecDD

Module Base: 82201000

Module End: 82272000

Hidden: No

Module Name: C:\Windows\system32\drivers\ndis.sys

Service Name: NDIS

Module Base: 82272000

Module End: 8237D000

Hidden: No

Module Name: C:\Windows\system32\drivers\NETIO.SYS

Service Name: ---

Module Base: 823A8000

Module End: 823E2000

Hidden: No

Module Name: C:\Windows\System32\drivers\tcpip.sys

Service Name: Tcpip

Module Base: 85C02000

Module End: 85CEB000

Hidden: No

Module Name: C:\Windows\System32\drivers\fwpkclnt.sys

Service Name: ---

Module Base: 85CEB000

Module End: 85D06000

Hidden: No

Module Name: C:\Windows\System32\Drivers\Ntfs.sys

Service Name: Ntfs

Module Base: 85E08000

Module End: 85F17000

Hidden: No

Module Name: C:\Windows\system32\drivers\volsnap.sys

Service Name: volsnap

Module Base: 85F17000

Module End: 85F50000

Hidden: No

Module Name: C:\Windows\System32\Drivers\spldr.sys

Service Name: spldr

Module Base: 85F50000

Module End: 85F58000

Hidden: No

Module Name: C:\Windows\System32\Drivers\mup.sys

Service Name: Mup

Module Base: 85F58000

Module End: 85F67000

Hidden: No

Module Name: C:\Windows\System32\drivers\ecache.sys

Service Name: Ecache

Module Base: 85F67000

Module End: 85F8E000

Hidden: No

Module Name: C:\Windows\system32\drivers\disk.sys

Service Name: disk

Module Base: 85F8E000

Module End: 85F9F000

Hidden: No

Module Name: C:\Windows\system32\drivers\CLASSPNP.SYS

Service Name: ---

Module Base: 85F9F000

Module End: 85FC0000

Hidden: No

Module Name: C:\Windows\system32\drivers\crcdisk.sys

Service Name: crcdisk

Module Base: 85FC0000

Module End: 85FC9000

Hidden: No

Module Name: C:\Windows\system32\DRIVERS\tunnel.sys

Service Name: tunnel

Module Base: 85FE9000

Module End: 85FF4000

Hidden: No

Module Name: C:\Windows\system32\DRIVERS\tunmp.sys

Service Name: tunmp

Module Base: 85FF4000

Module End: 85FFD000

Hidden: No

Module Name: C:\Windows\system32\DRIVERS\intelppm.sys

Service Name: intelppm

Module Base: 85D06000

Module End: 85D15000

Hidden: No

Module Name: C:\Windows\system32\DRIVERS\wmiacpi.sys

Service Name: WmiAcpi

Module Base: 85D15000

Module End: 85D1E000

Hidden: No

Module Name: C:\Windows\system32\DRIVERS\CmBatt.sys

Service Name: CmBatt

Module Base: 85E00000

Module End: 85E04000

Hidden: No

Module Name: C:\Windows\system32\DRIVERS\atikmdag.sys

Service Name: atikmdag

Module Base: 89808000

Module End: 89EB5000

Hidden: No

Module Name: C:\Windows\System32\drivers\dxgkrnl.sys

Service Name: DXGKrnl

Module Base: 89EB5000

Module End: 89F54000

Hidden: No

Module Name: C:\Windows\System32\drivers\watchdog.sys

Service Name: ---

Module Base: 89F54000

Module End: 89F61000

Hidden: No

Module Name: C:\Windows\system32\DRIVERS\HDAudBus.sys

Service Name: HDAudBus

Module Base: 89F61000

Module End: 89F73000

Hidden: No

Module Name: C:\Windows\system32\DRIVERS\bcmwl6.sys

Service Name: BCM43XX

Module Base: 89F73000

Module End: 89FF9000

Hidden: No

Module Name: C:\Windows\system32\DRIVERS\usbuhci.sys

Service Name: usbuhci

Module Base: 85D1E000

Module End: 85D29000

Hidden: No

Module Name: C:\Windows\system32\DRIVERS\USBPORT.SYS

Service Name: ---

Module Base: 85D29000

Module End: 85D67000

Hidden: No

Module Name: C:\Windows\system32\DRIVERS\usbehci.sys

Service Name: usbehci

Module Base: 85D67000

Module End: 85D76000

Hidden: No

Module Name: C:\Windows\system32\DRIVERS\bcm4sbxp.sys

Service Name: bcm4sbxp

Module Base: 85D76000

Module End: 85D86000

Hidden: No

Module Name: C:\Windows\system32\DRIVERS\ohci1394.sys

Service Name: ohci1394

Module Base: 85D86000

Module End: 85D96000

Hidden: No

Module Name: C:\Windows\system32\DRIVERS\1394BUS.SYS

Service Name: ---

Module Base: 85D96000

Module End: 85DA4000

Hidden: No

Module Name: C:\Windows\system32\DRIVERS\sdbus.sys

Service Name: sdbus

Module Base: 85DA4000

Module End: 85DBE000

Hidden: No

Module Name: C:\Windows\system32\DRIVERS\rimmptsk.sys

Service Name: rimmptsk

Module Base: 85DBE000

Module End: 85DCC000

Hidden: No

Module Name: C:\Windows\system32\DRIVERS\rimsptsk.sys

Service Name: rimsptsk

Module Base: 85DCC000

Module End: 85DE0000

Hidden: No

Module Name: C:\Windows\system32\DRIVERS\rixdptsk.sys

Service Name: rismxdp

Module Base: 8A206000

Module End: 8A257000

Hidden: No

Module Name: C:\Windows\system32\DRIVERS\i8042prt.sys

Service Name: i8042prt

Module Base: 8A257000

Module End: 8A26A000

Hidden: No

Module Name: C:\Windows\system32\DRIVERS\SynTP.sys

Service Name: SynTP

Module Base: 8A26A000

Module End: 8A295000

Hidden: No

Module Name: C:\Windows\system32\DRIVERS\USBD.SYS

Service Name: ---

Module Base: 8A295000

Module End: 8A297000

Hidden: No

Module Name: C:\Windows\system32\DRIVERS\mouclass.sys

Service Name: mouclass

Module Base: 8A297000

Module End: 8A2A2000

Hidden: No

Module Name: C:\Windows\system32\DRIVERS\kbdclass.sys

Service Name: kbdclass

Module Base: 8A2A2000

Module End: 8A2AD000

Hidden: No

Module Name: C:\Windows\system32\drivers\iviaspi.sys

Service Name: Iviaspi

Module Base: 8A2AD000

Module End: 8A2B0000

Hidden: No

Module Name: C:\Windows\system32\DRIVERS\cdrom.sys

Service Name: cdrom

Module Base: 8A2B0000

Module End: 8A2C8000

Hidden: No

Module Name: C:\Windows\System32\Drivers\GEARAspiWDM.sys

Service Name: GEARAspiWDM

Module Base: 8A2C8000

Module End: 8A2CE000

Hidden: No

Module Name: C:\Windows\system32\DRIVERS\serscan.sys

Service Name: StillCam

Module Base: 8A2CE000

Module End: 8A2D6000

Hidden: No

Module Name: C:\Windows\system32\DRIVERS\msiscsi.sys

Service Name: iScsiPrt

Module Base: 8A2D6000

Module End: 8A304000

Hidden: No

Module Name: C:\Windows\system32\DRIVERS\storport.sys

Service Name: ---

Module Base: 8A304000

Module End: 8A345000

Hidden: No

Module Name: C:\Windows\system32\DRIVERS\TDI.SYS

Service Name: ---

Module Base: 8A345000

Module End: 8A350000

Hidden: No

Module Name: C:\Windows\system32\DRIVERS\rasl2tp.sys

Service Name: Rasl2tp

Module Base: 8A350000

Module End: 8A367000

Hidden: No

Module Name: C:\Windows\system32\DRIVERS\ndistapi.sys

Service Name: NdisTapi

Module Base: 8A367000

Module End: 8A372000

Hidden: No

Module Name: C:\Windows\system32\DRIVERS\ndiswan.sys

Service Name: NdisWan

Module Base: 8A372000

Module End: 8A395000

Hidden: No

Module Name: C:\Windows\system32\DRIVERS\raspppoe.sys

Service Name: RasPppoe

Module Base: 8A395000

Module End: 8A3A4000

Hidden: No

Module Name: C:\Windows\system32\DRIVERS\raspptp.sys

Service Name: PptpMiniport

Module Base: 8A3A4000

Module End: 8A3B8000

Hidden: No

Module Name: C:\Windows\system32\DRIVERS\rassstp.sys

Service Name: RasSstp

Module Base: 8A3B8000

Module End: 8A3CD000

Hidden: No

Module Name: C:\Windows\system32\DRIVERS\termdd.sys

Service Name: TermDD

Module Base: 8A3CD000

Module End: 8A3DD000

Hidden: No

Module Name: C:\Windows\system32\DRIVERS\swenum.sys

Service Name: swenum

Module Base: 8A3DD000

Module End: 8A3DF000

Hidden: No

Module Name: C:\Windows\system32\DRIVERS\ks.sys

Service Name: ---

Module Base: 8A60E000

Module End: 8A638000

Hidden: No

Module Name: C:\Windows\system32\DRIVERS\mssmbios.sys

Service Name: mssmbios

Module Base: 8A638000

Module End: 8A642000

Hidden: No

Module Name: C:\Windows\system32\DRIVERS\umbus.sys

Service Name: umbus

Module Base: 8A642000

Module End: 8A64F000

Hidden: No

Module Name: C:\Windows\system32\DRIVERS\usbhub.sys

Service Name: usbhub

Module Base: 8A64F000

Module End: 8A683000

Hidden: No

Module Name: C:\Windows\System32\Drivers\NDProxy.SYS

Service Name: NDProxy

Module Base: 8A683000

Module End: 8A694000

Hidden: No

Module Name: C:\Windows\system32\drivers\stwrt.sys

Service Name: STHDA

Module Base: 8A694000

Module End: 8A737000

Hidden: No

Module Name: C:\Windows\system32\drivers\portcls.sys

Service Name: ---

Module Base: 8A737000

Module End: 8A764000

Hidden: No

Module Name: C:\Windows\system32\drivers\drmk.sys

Service Name: ---

Module Base: 8A764000

Module End: 8A789000

Hidden: No

Module Name: C:\Windows\system32\DRIVERS\HSXHWAZL.sys

Service Name: HSXHWAZL

Module Base: 8A789000

Module End: 8A7C6000

Hidden: No

Module Name: C:\Windows\system32\DRIVERS\HSX_DPV.sys

Service Name: HSF_DPV

Module Base: 8A802000

Module End: 8A905000

Hidden: No

Module Name: C:\Windows\system32\DRIVERS\HSX_CNXT.sys

Service Name: winachsf

Module Base: 8A905000

Module End: 8A9B9000

Hidden: No

Module Name: C:\Windows\system32\drivers\modem.sys

Service Name: Modem

Module Base: 8A9B9000

Module End: 8A9C6000

Hidden: No

Module Name: C:\Windows\System32\Drivers\Beep.SYS

Service Name: Beep

Module Base: 8A9D6000

Module End: 8A9DD000

Hidden: No

Module Name: C:\Windows\System32\drivers\vga.sys

Service Name: vga

Module Base: 8A9DD000

Module End: 8A9E9000

Hidden: No

Module Name: C:\Windows\System32\drivers\VIDEOPRT.SYS

Service Name: ---

Module Base: 8A7C6000

Module End: 8A7E7000

Hidden: No

Module Name: C:\Windows\System32\DRIVERS\RDPCDD.sys

Service Name: RDPCDD

Module Base: 8A9E9000

Module End: 8A9F1000

Hidden: No

Module Name: C:\Windows\system32\drivers\rdpencdd.sys

Service Name: RDPENCDD

Module Base: 8A9F1000

Module End: 8A9F9000

Hidden: No

Module Name: C:\Windows\System32\Drivers\Npfs.SYS

Service Name: Npfs

Module Base: 8A7F2000

Module End: 8A800000

Hidden: No

Module Name: C:\Windows\System32\DRIVERS\rasacd.sys

Service Name: RasAcd

Module Base: 8A600000

Module End: 8A609000

Hidden: No

Module Name: C:\Windows\system32\DRIVERS\tdx.sys

Service Name: tdx

Module Base: 8A3DF000

Module End: 8A3F5000

Hidden: No

Module Name: C:\Windows\System32\Drivers\avgtdix.sys

Service Name: AvgTdiX

Module Base: 8AA06000

Module End: 8AA40000

Hidden: No

Module Name: C:\Windows\System32\DRIVERS\netbt.sys

Service Name: netbt

Module Base: 8AA40000

Module End: 8AA72000

Hidden: No

Module Name: C:\Windows\system32\DRIVERS\smb.sys

Service Name: Smb

Module Base: 8AA72000

Module End: 8AA86000

Hidden: No

Module Name: C:\Windows\system32\drivers\afd.sys

Service Name: AFD

Module Base: 8AA86000

Module End: 8AACE000

Hidden: No

Module Name: C:\Windows\system32\DRIVERS\pacer.sys

Service Name: PSched

Module Base: 8AACE000

Module End: 8AAE4000

Hidden: No

Module Name: C:\Windows\system32\DRIVERS\netbios.sys

Service Name: NetBIOS

Module Base: 8AAE4000

Module End: 8AAF2000

Hidden: No

Module Name: C:\Windows\system32\DRIVERS\wanarp.sys

Service Name: Wanarp

Module Base: 8AAF2000

Module End: 8AB05000

Hidden: No

Module Name: C:\Windows\system32\DRIVERS\rdbss.sys

Service Name: rdbss

Module Base: 8AB05000

Module End: 8AB41000

Hidden: No

Module Name: C:\Windows\system32\drivers\nsiproxy.sys

Service Name: nsiproxy

Module Base: 8AB41000

Module End: 8AB4B000

Hidden: No

Module Name: C:\Windows\System32\Drivers\dfsc.sys

Service Name: DfsC

Module Base: 8AB4B000

Module End: 8AB62000

Hidden: No

Module Name: C:\Windows\System32\Drivers\avgmfx86.sys

Service Name: AvgMfx86

Module Base: 8AB62000

Module End: 8AB68000

Hidden: No

Module Name: C:\Windows\System32\Drivers\avgldx86.sys

Service Name: AvgLdx86

Module Base: 8AB68000

Module End: 8AB9C000

Hidden: No

Module Name: C:\Windows\system32\DRIVERS\cdfs.sys

Service Name: cdfs

Module Base: 8AB9C000

Module End: 8ABB2000

Hidden: No

Module Name: C:\Windows\System32\Drivers\crashdmp.sys

Service Name: ---

Module Base: 8ABB2000

Module End: 8ABBF000

Hidden: No

Module Name: \SystemRoot\System32\Drivers\dump_dumpata.sys

Service Name: ---

Module Base: 8ABBF000

Module End: 8ABCA000

Hidden: Yes

Module Name: \SystemRoot\System32\Drivers\dump_atapi.sys

Service Name: ---

Module Base: 8ABCA000

Module End: 8ABD2000

Hidden: Yes

Module Name: C:\Windows\System32\drivers\Dxapi.sys

Service Name: ---

Module Base: 8ABD2000

Module End: 8ABDC000

Hidden: No

Module Name: C:\Windows\system32\DRIVERS\monitor.sys

Service Name: monitor

Module Base: 8ABDC000

Module End: 8ABEB000

Hidden: No

Module Name: C:\Windows\system32\drivers\luafv.sys

Service Name: luafv

Module Base: 85FC9000

Module End: 85FE4000

Hidden: No

Module Name: C:\Windows\system32\drivers\spsys.sys

Service Name: ---

Module Base: 9500F000

Module End: 950BE000

Hidden: No

Module Name: C:\Windows\system32\DRIVERS\lltdio.sys

Service Name: lltdio

Module Base: 950BE000

Module End: 950CE000

Hidden: No

Module Name: C:\Windows\system32\DRIVERS\nwifi.sys

Service Name: NativeWifiP

Module Base: 950CE000

Module End: 950F8000

Hidden: No

Module Name: C:\Windows\system32\DRIVERS\ndisuio.sys

Service Name: Ndisuio

Module Base: 950F8000

Module End: 95102000

Hidden: No

Module Name: C:\Windows\system32\DRIVERS\rspndr.sys

Service Name: rspndr

Module Base: 95102000

Module End: 95115000

Hidden: No

Module Name: C:\Windows\system32\drivers\HTTP.sys

Service Name: HTTP

Module Base: 95115000

Module End: 95182000

Hidden: No

Module Name: C:\Windows\System32\DRIVERS\srvnet.sys

Service Name: srvnet

Module Base: 95182000

Module End: 9519F000

Hidden: No

Module Name: C:\Windows\system32\DRIVERS\bowser.sys

Service Name: bowser

Module Base: 9519F000

Module End: 951B8000

Hidden: No

Module Name: C:\Windows\System32\drivers\mpsdrv.sys

Service Name: mpsdrv

Module Base: 951B8000

Module End: 951CD000

Hidden: No

Module Name: C:\Windows\system32\drivers\mrxdav.sys

Service Name: MRxDAV

Module Base: 951CD000

Module End: 951ED000

Hidden: No

Module Name: C:\Windows\system32\DRIVERS\mrxsmb.sys

Service Name: mrxsmb

Module Base: 85DE0000

Module End: 85DFF000

Hidden: No

Module Name: C:\Windows\system32\DRIVERS\mrxsmb10.sys

Service Name: mrxsmb10

Module Base: 9680D000

Module End: 96846000

Hidden: No

Module Name: C:\Windows\system32\DRIVERS\mrxsmb20.sys

Service Name: mrxsmb20

Module Base: 96846000

Module End: 9685E000

Hidden: No

Module Name: C:\Windows\System32\DRIVERS\srv2.sys

Service Name: srv2

Module Base: 9685E000

Module End: 96885000

Hidden: No

Module Name: C:\Windows\System32\DRIVERS\srv.sys

Service Name: srv

Module Base: 96885000

Module End: 968D3000

Hidden: No

Module Name: \??\C:\Program Files\DellSupport\Drivers\dsunidrv.sys

Service Name: dsunidrv

Module Base: 968D3000

Module End: 968D5000

Hidden: No

Module Name: C:\Windows\system32\DRIVERS\mdmxsdk.sys

Service Name: mdmxsdk

Module Base: 968D5000

Module End: 968D9000

Hidden: No

Module Name: C:\Windows\system32\drivers\peauth.sys

Service Name: PEAUTH

Module Base: 968D9000

Module End: 969B7000

Hidden: No

Module Name: \??\C:\Windows\system32\Drivers\SBKUPNT.SYS

Service Name: SBKUPNT

Module Base: 969B7000

Module End: 969BB000

Hidden: No

Module Name: C:\Windows\System32\Drivers\secdrv.SYS

Service Name: secdrv

Module Base: 969BB000

Module End: 969C5000

Hidden: No

Module Name: C:\Windows\System32\drivers\tcpipreg.sys

Service Name: tcpipreg

Module Base: 969C5000

Module End: 969D1000

Hidden: No

Module Name: C:\Windows\system32\DRIVERS\xaudio.sys

Service Name: XAudio

Module Base: 969D1000

Module End: 969D9000

Hidden: No

Module Name: C:\Windows\System32\Drivers\fastfat.SYS

Service Name: fastfat

Module Base: 9CA0F000

Module End: 9CA37000

Hidden: No

Module Name: \??\C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys

Service Name: DSproct

Module Base: 9CA37000

Module End: 9CA39000

Hidden: No

Module Name: \??\C:\Windows\system32\drivers\rootrepeal.sys

Service Name: rootrepeal

Module Base: 9CA45000

Module End: 9CA51000

Hidden: Yes

Module Name: C:\Windows\System32\Drivers\Null.SYS

Service Name: Null

Module Base: 8A9CF000

Module End: 8A9D6000

Hidden: No

Module Name: C:\Windows\System32\Drivers\Msfs.SYS

Service Name: Msfs

Module Base: 8A7E7000

Module End: 8A7F2000

Hidden: No

********************************************************************************

**********

********************************************************************************

**********

No SSDT Hooks found

********************************************************************************

**********

********************************************************************************

**********

No Kernel Hooks found

********************************************************************************

**********

********************************************************************************

**********

No IRP Hooks found

********************************************************************************

**********

********************************************************************************

**********

Ports:

Local Address: RYAN-PC.AUSTIN.RR.COM:51971

Remote Address: 174.37.40.187-STATIC.REVERSE.SOFTLAYER.COM:HTTPS

Type: TCP

Process: C:\Program Files\Simplify Media\SimplifyMedia.exe

State: ESTABLISHED

Local Address: RYAN-PC.AUSTIN.RR.COM:51970

Remote Address: 174.37.40.187-STATIC.REVERSE.SOFTLAYER.COM:HTTPS

Type: TCP

Process: [system Idle Process]

State: TIME_WAIT

Local Address: RYAN-PC.AUSTIN.RR.COM:51969

Remote Address: 174.37.40.187-STATIC.REVERSE.SOFTLAYER.COM:HTTPS

Type: TCP

Process: [system Idle Process]

State: TIME_WAIT

Local Address: RYAN-PC.AUSTIN.RR.COM:51951

Remote Address: PZ-IN-F100.1E100.NET:HTTP

Type: TCP

Process: [system Idle Process]

State: TIME_WAIT

Local Address: RYAN-PC.AUSTIN.RR.COM:51950

Remote Address: YW-IN-F105.1E100.NET:HTTP

Type: TCP

Process: [system Idle Process]

State: TIME_WAIT

Local Address: RYAN-PC.AUSTIN.RR.COM:51949

Remote Address: YW-IN-F105.1E100.NET:HTTP

Type: TCP

Process: [system Idle Process]

State: TIME_WAIT

Local Address: RYAN-PC.AUSTIN.RR.COM:51948

Remote Address: GX-IN-F138.1E100.NET:HTTP

Type: TCP

Process: [system Idle Process]

State: TIME_WAIT

Local Address: RYAN-PC.AUSTIN.RR.COM:51943

Remote Address: GX-IN-F100.1E100.NET:HTTP

Type: TCP

Process: [system Idle Process]

State: TIME_WAIT

Local Address: RYAN-PC.AUSTIN.RR.COM:49165

Remote Address: SIMPLIFYMEDIA.COM:HTTPS

Type: TCP

Process: C:\Program Files\Simplify Media\SimplifyMedia.exe

State: ESTABLISHED

Local Address: RYAN-PC.AUSTIN.RR.COM:NETBIOS-SSN

Remote Address: 0.0.0.0:0

Type: TCP

Process: System

State: LISTENING

Local Address: RYAN-PC:51415

Remote Address: LOCALHOST:51413

Type: TCP

Process: C:\Program Files\Mozilla Firefox\firefox.exe

State: ESTABLISHED

Local Address: RYAN-PC:51413

Remote Address: LOCALHOST:51415

Type: TCP

Process: C:\Program Files\Mozilla Firefox\firefox.exe

State: ESTABLISHED

Local Address: RYAN-PC:51412

Remote Address: LOCALHOST:51411

Type: TCP

Process: C:\Program Files\Mozilla Firefox\firefox.exe

State: ESTABLISHED

Local Address: RYAN-PC:51411

Remote Address: LOCALHOST:51412

Type: TCP

Process: C:\Program Files\Mozilla Firefox\firefox.exe

State: ESTABLISHED

Local Address: RYAN-PC:49200

Remote Address: 0.0.0.0:0

Type: TCP

Process: C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe

State: LISTENING

Local Address: RYAN-PC:49193

Remote Address: 0.0.0.0:0

Type: TCP

Process: C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe

State: LISTENING

Local Address: RYAN-PC:49187

Remote Address: LOCALHOST:5354

Type: TCP

Process: C:\Program Files\Simplify Media\SimplifyMedia.exe

State: ESTABLISHED

Local Address: RYAN-PC:49177

Remote Address: LOCALHOST:5354

Type: TCP

Process: C:\Program Files\Simplify Media\SimplifyMedia.exe

State: ESTABLISHED

Local Address: RYAN-PC:49167

Remote Address: LOCALHOST:5354

Type: TCP

Process: C:\Program Files\Simplify Media\SimplifyMedia.exe

State: ESTABLISHED

Local Address: RYAN-PC:49164

Remote Address: 0.0.0.0:0

Type: TCP

Process: C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe

State: LISTENING

Local Address: RYAN-PC:49157

Remote Address: LOCALHOST:27015

Type: TCP

Process: C:\Program Files\iTunes\iTunesHelper.exe

State: ESTABLISHED

Local Address: RYAN-PC:27015

Remote Address: LOCALHOST:49157

Type: TCP

Process: C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

State: ESTABLISHED

Local Address: RYAN-PC:27015

Remote Address: 0.0.0.0:0

Type: TCP

Process: C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

State: LISTENING

Local Address: RYAN-PC:5354

Remote Address: LOCALHOST:49187

Type: TCP

Process: C:\Program Files\Bonjour\mDNSResponder.exe

State: ESTABLISHED

Local Address: RYAN-PC:5354

Remote Address: LOCALHOST:49177

Type: TCP

Process: C:\Program Files\Bonjour\mDNSResponder.exe

State: ESTABLISHED

Local Address: RYAN-PC:5354

Remote Address: LOCALHOST:49167

Type: TCP

Process: C:\Program Files\Bonjour\mDNSResponder.exe

State: ESTABLISHED

Local Address: RYAN-PC:5354

Remote Address: 0.0.0.0:0

Type: TCP

Process: C:\Program Files\Bonjour\mDNSResponder.exe

State: LISTENING

Local Address: RYAN-PC:64454

Remote Address: 0.0.0.0:0

Type: TCP

Process: C:\Program Files\Simplify Media\SimplifyMedia.exe

State: LISTENING

Local Address: RYAN-PC:61808

Remote Address: 0.0.0.0:0

Type: TCP

Process: C:\Program Files\Simplify Media\SimplifyMedia.exe

State: LISTENING

Local Address: RYAN-PC:56763

Remote Address: 0.0.0.0:0

Type: TCP

Process: C:\Program Files\Simplify Media\SimplifyMedia.exe

State: LISTENING

Local Address: RYAN-PC:50520

Remote Address: 0.0.0.0:0

Type: TCP

Process: C:\Program Files\Simplify Media\SimplifyMedia.exe

State: LISTENING

Local Address: RYAN-PC:49159

Remote Address: 0.0.0.0:0

Type: TCP

Process: C:\Windows\System32\services.exe

State: LISTENING

Local Address: RYAN-PC:49156

Remote Address: 0.0.0.0:0

Type: TCP

Process: C:\Windows\System32\svchost.exe

State: LISTENING

Local Address: RYAN-PC:49155

Remote Address: 0.0.0.0:0

Type: TCP

Process: C:\Windows\System32\lsass.exe

State: LISTENING

Local Address: RYAN-PC:49154

Remote Address: 0.0.0.0:0

Type: TCP

Process: C:\Windows\System32\svchost.exe

State: LISTENING

Local Address: RYAN-PC:49153

Remote Address: 0.0.0.0:0

Type: TCP

Process: C:\Windows\System32\svchost.exe

State: LISTENING

Local Address: RYAN-PC:49152

Remote Address: 0.0.0.0:0

Type: TCP

Process: C:\Windows\System32\wininit.exe

State: LISTENING

Local Address: RYAN-PC:8087

Remote Address: 0.0.0.0:0

Type: TCP

Process: C:\Program Files\Simplify Media\SimplifyMedia.exe

State: LISTENING

Local Address: RYAN-PC:5357

Remote Address: 0.0.0.0:0

Type: TCP

Process: System

State: LISTENING

Local Address: RYAN-PC:MICROSOFT-DS

Remote Address: 0.0.0.0:0

Type: TCP

Process: System

State: LISTENING

Local Address: RYAN-PC:EPMAP

Remote Address: 0.0.0.0:0

Type: TCP

Process: C:\Windows\System32\svchost.exe

State: LISTENING

Local Address: RYAN-PC.AUSTIN.RR.COM:64669

Remote Address: NA

Type: UDP

Process: C:\Windows\System32\svchost.exe

State: NA

Local Address: RYAN-PC.AUSTIN.RR.COM:52310

Remote Address: NA

Type: UDP

Process: C:\Program Files\Simplify Media\SimplifyMedia.exe

State: NA

Local Address: RYAN-PC.AUSTIN.RR.COM:5353

Remote Address: NA

Type: UDP

Process: C:\Program Files\Bonjour\mDNSResponder.exe

State: NA

Local Address: RYAN-PC.AUSTIN.RR.COM:SSDP

Remote Address: NA

Type: UDP

Process: C:\Windows\System32\svchost.exe

State: NA

Local Address: RYAN-PC.AUSTIN.RR.COM:138

Remote Address: NA

Type: UDP

Process: System

State: NA

Local Address: RYAN-PC.AUSTIN.RR.COM:NETBIOS-NS

Remote Address: NA

Type: UDP

Process: System

State: NA

Local Address: RYAN-PC:64670

Remote Address: NA

Type: UDP

Process: C:\Windows\System32\svchost.exe

State: NA

Local Address: RYAN-PC:56510

Remote Address: NA

Type: UDP

Process: C:\Windows\System32\svchost.exe

State: NA

Local Address: RYAN-PC:49978

Remote Address: NA

Type: UDP

Process: C:\Windows\System32\svchost.exe

State: NA

Local Address: RYAN-PC:SSDP

Remote Address: NA

Type: UDP

Process: C:\Windows\System32\svchost.exe

State: NA

Local Address: RYAN-PC:61664

Remote Address: NA

Type: UDP

Process: C:\Program Files\Bonjour\mDNSResponder.exe

State: NA

Local Address: RYAN-PC:59874

Remote Address: NA

Type: UDP

Process: C:\Windows\System32\spoolsv.exe

State: NA

Local Address: RYAN-PC:59872

Remote Address: NA

Type: UDP

Process: C:\Windows\System32\svchost.exe

State: NA

Local Address: RYAN-PC:57550

Remote Address: NA

Type: UDP

Process: C:\Program Files\Simplify Media\SimplifyMedia.exe

State: NA

Local Address: RYAN-PC:54925

Remote Address: NA

Type: UDP

Process: C:\Windows\System32\svchost.exe

State: NA

Local Address: RYAN-PC:49152

Remote Address: NA

Type: UDP

Process: C:\Program Files\Bonjour\mDNSResponder.exe

State: NA

Local Address: RYAN-PC:LLMNR

Remote Address: NA

Type: UDP

Process: C:\Windows\System32\svchost.exe

State: NA

Local Address: RYAN-PC:IPSEC-MSFT

Remote Address: NA

Type: UDP

Process: C:\Windows\System32\svchost.exe

State: NA

Local Address: RYAN-PC:UPNP-DISCOVERY

Remote Address: NA

Type: UDP

Process: C:\Windows\System32\svchost.exe

State: NA

Local Address: RYAN-PC:UPNP-DISCOVERY

Remote Address: NA

Type: UDP

Process: C:\Windows\System32\svchost.exe

State: NA

Local Address: RYAN-PC:SSDP

Remote Address: NA

Type: UDP

Process: C:\Program Files\Simplify Media\SimplifyMedia.exe

State: NA

Local Address: RYAN-PC:500

Remote Address: NA

Type: UDP

Process: C:\Windows\System32\svchost.exe

State: NA

Local Address: RYAN-PC:123

Remote Address: NA

Type: UDP

Process: C:\Windows\System32\svchost.exe

State: NA

********************************************************************************

**********

********************************************************************************

**********

Hidden files/folders:

Object: C:\System Volume Information\MountPointManagerRemoteDatabase

Status: Access denied

Object: C:\System Volume Information\SPP

Status: Access denied

Object: C:\System Volume Information\tracking.log

Status: Access denied

Object: C:\System Volume Information\{1434bef4-3c99-11df-9811-00188bceb77b}{3808876b-c176-4e48-b7ae-04046e6cc752}

Status: Access denied

Object: C:\System Volume Information\{3102e7bd-2c49-11df-a78d-00188bceb77b}{3808876b-c176-4e48-b7ae-04046e6cc752}

Status: Access denied

Object: C:\System Volume Information\{3102e80e-2c49-11df-a78d-00188bceb77b}{3808876b-c176-4e48-b7ae-04046e6cc752}

Status: Access denied

Object: C:\System Volume Information\{3102e84e-2c49-11df-a78d-00188bceb77b}{3808876b-c176-4e48-b7ae-04046e6cc752}

Status: Access denied

Object: C:\System Volume Information\{3102e878-2c49-11df-a78d-00188bceb77b}{3808876b-c176-4e48-b7ae-04046e6cc752}

Status: Access denied

Object: C:\System Volume Information\{3102e8c2-2c49-11df-a78d-00188bceb77b}{3808876b-c176-4e48-b7ae-04046e6cc752}

Status: Access denied

Object: C:\System Volume Information\{3282b7fd-3bd0-11df-a5d0-00188bceb77b}{3808876b-c176-4e48-b7ae-04046e6cc752}

Status: Access denied

Object: C:\System Volume Information\{3808876b-c176-4e48-b7ae-04046e6cc752}

Status: Access denied

Object: C:\Users\Ryan\Downloads\v.a - somewhere outside compilation (1983)\04 inspiration for scanners - gred i krogene.mp3

Status: Hidden

Object: C:\Users\Ryan\Downloads\v.a - somewhere outside compilation (1983)\27 de tilf?ldige fra iger - de forbudte.mp3

Status: Hidden

Object: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl

Status: Access denied

Object: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Application.etl

Status: Access denied

Object: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl

Status: Access denied

Object: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl

Status: Access denied

[Maniac]

ESET Online Scanner

Note: You can use either Internet Explorer or Mozilla FireFox for this scan. You will however may need to disable your current installed Anti-Virus, how to do so can be read here.

• Please go here then click on:
  
• Select the option YES, I accept the Terms of Use then click on:
  
• When prompted allow the Add-On/Active X to install.
  
• Now click on Advanced Settings and select the following:
  

• • Remove found threats
    
  • Scan archives
    
  • Scan for potentially unwanted applications
    
  • Scan for potentially unsafe applications
    
  • Enable Anti-Stealth Technology
    

[*]Now click on:

[*]The virus signature database... will begin to download. Be patient this make take some time depending on the speed of your Internet Connection.

[*]When completed the Online Scan will begin automatically.

[*]Do not touch either the Mouse or keyboard during the scan otherwise it may stall.

[*]When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!

[*]Now click on:

[*]Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.

[*]Copy and paste that log as a reply to this topic.

Note: Do not forget to re-enable your Anti-Virus application after running the above scan!

[yoo_doo_right]

ESETSmartInstaller@High as CAB hook log:

OnlineScanner.ocx - registred OK

esets_scanner_update returned -1 esets_gle=1

# version=7

# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)

# OnlineScanner.ocx=1.0.0.6211

# api_version=3.0.2

# EOSSerial=3c64f1fdd5107c479d2d2819fb55591d

# end=finished

# remove_checked=true

# archives_checked=true

# unwanted_checked=true

# unsafe_checked=true

# antistealth_checked=true

# utc_time=2010-04-03 04:06:34

# local_time=2010-04-02 11:06:34 (-0600, Central Daylight Time)

# country="United States"

# lang=1033

# osver=6.0.6001 NT Service Pack 1

# compatibility_mode=512 16777215 100 0 66624139 66624139 0 0

# compatibility_mode=1024 16777215 100 0 0 0 0 0

# compatibility_mode=5892 16776574 100 100 31047 106863345 0 0

# compatibility_mode=8192 67108863 100 0 0 0 0 0

# scanned=174698

# found=4

# cleaned=4

# scan_time=11775

C:\Qoobox\Quarantine\C\Windows\System32\drivers\atapi.sys.vir Win32/Olmarik.VM trojan (cleaned - quarantined) 00000000000000000000000000000000 C

C:\Users\Ryan\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\11\7e73370b-51a51f84 multiple threats (deleted - quarantined) 00000000000000000000000000000000 C

C:\Users\Ryan\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\35\e1d9b63-20a1fd00 Java/TrojanDownloader.Agent.NAG trojan (deleted - quarantined) 00000000000000000000000000000000 C

C:\Users\Ryan\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\41\4fda3169-3a2338b3 a variant of OSX/Exploit.Smid.B trojan (deleted - quarantined) 00000000000000000000000000000000 C

[Maniac]

How are things running now?

[yoo_doo_right]

ever since Combofix got rid of the atapi.sys infection all the symptoms are gone

[Maniac]

Good work! We're done!

Some final steps:

Step 1:

* Go to start > run and copy and paste next command in the field:

ComboFix /uninstall

Make sure there's a space between Combofix and /

Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

Step 2:

Please locate to:

C:\Program Files\ESET\ESET Online Scanner

run OnlineScannerUninstaller.exe and follow the instructions to successfully remove it from your computer.

Step 3:

Please manually delete: SysProt AntiRootkit ; RootRepeal ; GMER ; DDS ;

Step 4:

Some malware preventions:

http://miekiemoes.blogspot.com/2008/02/how...nt-malware.html

For slow computer:

http://miekiemoes.blogspot.com/2008/02/hel...er-is-slow.html

Safe surfing!

[yoo_doo_right]

thanks for your assistance

[Maniac]

You're welcome!