Full Version: Another Security Tool/Can't Run MBAM Challenge
Malwarebytes Forum > Computer Help > Malware Removal - HijackThis Logs
MidKnight
Salutations!

Apologies for my timing; it looks like you're pretty swamped with this problem about now. I've been following other threads and it appears most solutions are very situation-specific, hence the new thread. Security Tool started cropping up a few days ago and despite removals by MBAM, it progressively got worse. At the moment, I cannot access the net on my computer and MBAM will shut down as soon as it begins a scan. Then, the MBAM executable is locked, and running it gives an access denied error. I have seen several random number processes that I've shut down, as well as a b.exe and g.exe. They keep popping back up, though.

Here's the kicker, though. I can't run HijackThis to grab a logfile, either. It shuts down while making a log and then locks the executable like MBAM. Any suggestions?

(a google thank-yous in advance!)
MidKnight
Anyone have any suggestions? I know you're backed up right now (Security Tool is popping up everywhere!), but I figured I'd bump once in case this slipped through the cracks. I'm thinking about beginning the arduous task of backing up files and blowing the machine away if it might be easier.
chamber
Download ComboFix from one of these locations:


Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link HERE

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply.

Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
MidKnight
When attempting to run ComboFix, I get a ton of errors reading: "Windows cannot find 32788R22FWJF\iexplore.exe", as well as errors stating it can't find hidec.exe, and n.pif in the same directory. I have tried renaming ComboFix, as well as running it in Safe Mode with no success.
chamber
Hi sorry for the delay,

I had pretty bad internet problems and couldn't get online over the weekend.

Please download exeHelper to your desktop.
Double-click on exeHelper.com to run the fix.
A black window should pop up, press any key to close once the fix is completed.
Post the contents of exehelperlog.txt (Will be created in the directory where you ran exeHelper.com, and should open at the end of the scan)
Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).


Please download Win32Diag from one of the links below and save it to your Desktop.

Link 1
Link 2
Link 3

  1. Double-click on Win32Diag.exe to run it. If you are using Windows Vista, please right-click and select Run As Administrator
  2. A black command prompt window shall appear.
  3. It will now begin to scan. This may take a while, please be patient until the scan is complete.
  4. Once it's done, in the black screen it will say "Finished! Press any key to exit...". Press any key to exit.
  5. A log file called Win32KDiag.txt will be created on your desktop.
  6. Please copy and paste the contents of that log file here in your next reply please.
MidKnight
No worries! I've been unfortunately busy over the past week or so and I haven't had a chance to do much with this. exeHelper would not run; executing it did nothing. Win32Diag did, however, run (the first program that has). Here is the log:

Running from: C:\Documents and Settings\Administrator\Desktop\Win32kDiag.exe

Log file at : C:\Documents and Settings\Administrator\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Found mount point : C:\WINDOWS\$hf_mig$\KB920213\KB920213

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB924496\KB924496

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB925454\KB925454

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB932168\KB932168

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB933729\KB933729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB943460\KB943460

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\addins\addins

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP9.tmp\ZAP9.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP97.tmp\ZAP97.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPBF7.tmp\ZAPBF7.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPF5.tmp\ZAPF5.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d1\d1

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d2\d2

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d3\d3

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d4\d4

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d5\d5

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d6\d6

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d7\d7

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d8\d8

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\downloader\{75FD47F9-0C23-4503-88C3-97A89DEB80AB}\{75FD47F9-0C23-4503-88C3-97A89DEB80AB}

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\chsime\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp98\imejp98

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\shared\res\res

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\D7314F9862C648A4DB8BE2A5B47BE100\1.0.0\1.0.0

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\classes\classes

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\trustlib\trustlib

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\M886903\M886903

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Minidump\Minidump

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\msapps\msinfo\msinfo

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\msdownld.tmp\msdownld.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\BATCH\BATCH

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\pchealth\helpctr\binaries\helpsvc.exe

[1] 2008-04-14 07:42:22 744448 C:\WINDOWS\pchealth\helpctr\binaries\helpsvc.exe ()

[1] 2008-04-13 18:12:21 744448 C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\helpsvc.exe (Microsoft Corporation)

[1] 2008-04-14 07:42:22 744448 C:\WINDOWS\system32\dllcache\helpsvc.exe (Microsoft Corporation)



Found mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\System\News\News

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\System_OEM\System_OEM

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PIF\PIF

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\registry\registry

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Resources\Cursors\Cursors

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ServicePackFiles\i386\lang\lang

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ServicePackFiles\ServicePackCache\i386\i386

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\10\10

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\52\msft\msft

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\60\msft\msft

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\70\70

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SxsCaPendDel\SxsCaPendDel

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system\WINDOWS\SYSTEM\SYSTEM

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\system32\eventlog.dll

[1] 2008-04-13 18:11:53 56320 C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\eventlog.dll (Microsoft Corporation)

[1] 2008-04-14 06:00:00 56320 C:\WINDOWS\system32\dllcache\eventlog.dll (Microsoft Corporation)

[1] 2008-04-14 06:00:00 61952 C:\WINDOWS\system32\eventlog.dll ()

[2] 2008-04-14 06:00:00 56320 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)

[2] 2008-04-14 06:00:00 56320 C:\System Volume Information\_restore{DFD562A2-E605-4A13-BEE9-77B8BA762FFB}\RP54\A0020208.dll (Microsoft Corporation)



Cannot access: C:\WINDOWS\system32\wbem\wmiprvse.exe

[1] 2008-04-13 18:12:40 218112 C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\wmiprvse.exe (Microsoft Corporation)

[1] 2008-04-14 07:42:42 218112 C:\WINDOWS\system32\dllcache\wmiprvse.exe (Microsoft Corporation)

[1] 2008-04-14 07:42:42 218112 C:\WINDOWS\system32\wbem\wmiprvse.exe ()



Found mount point : C:\WINDOWS\TVScriptApp\_Run\STBDisk\STBDisk

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\TVScriptApp\_Run\Transmit\Transmit

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\TVScriptApp\_Run\UpdateDir\UpdateDir

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2

Mount point destination : \Device\__max++>\^



Finished!

chamber
Hi,

Please save this file to your desktop. Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.
"%userprofile%\desktop\win32kdiag.exe" -f -r


Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**
  1. If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".
  2. During the download, rename Combofix to Combo-Fix as follows:

  3. It is important you rename Combofix during the download, but not after.
  4. Please do not rename Combofix to other names, but only to the one indicated.
  5. Close any open browsers.
  6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------
  7. Double click on combo-Fix.exe & follow the prompts.
  8. When finished, it will produce a report for you.
  9. Please post the "C:\Combo-Fix.txt" for further review.

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**
MidKnight
Hi, Chamber. First of all, thanks for your help thus far; what you guys do out here is amazing. I followed the new steps for Win32Diag and ran it again. I then followed the steps for the new Combo-Fix, but I received the same errors I mentioned in Post #4.

Here is the log for the re-running of Win32Diag:

Running from: C:\Documents and Settings\Administrator\desktop\win32kdiag.exe

Log file at : C:\Documents and Settings\Administrator\Desktop\Win32kDiag.txt

Removing all found mount points.

Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Found mount point : C:\WINDOWS\$hf_mig$\KB920213\KB920213

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB920213\KB920213

Found mount point : C:\WINDOWS\$hf_mig$\KB924496\KB924496

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB924496\KB924496

Found mount point : C:\WINDOWS\$hf_mig$\KB925454\KB925454

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB925454\KB925454

Found mount point : C:\WINDOWS\$hf_mig$\KB932168\KB932168

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB932168\KB932168

Found mount point : C:\WINDOWS\$hf_mig$\KB933729\KB933729

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB933729\KB933729

Found mount point : C:\WINDOWS\$hf_mig$\KB943460\KB943460

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB943460\KB943460

Found mount point : C:\WINDOWS\addins\addins

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\addins\addins

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP9.tmp\ZAP9.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP9.tmp\ZAP9.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP97.tmp\ZAP97.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP97.tmp\ZAP97.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPBF7.tmp\ZAPBF7.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPBF7.tmp\ZAPBF7.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPF5.tmp\ZAPF5.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPF5.tmp\ZAPF5.tmp

Found mount point : C:\WINDOWS\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\temp\temp

Found mount point : C:\WINDOWS\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\tmp\tmp

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Config\Config

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Found mount point : C:\WINDOWS\CSC\d1\d1

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d1\d1

Found mount point : C:\WINDOWS\CSC\d2\d2

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d2\d2

Found mount point : C:\WINDOWS\CSC\d3\d3

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d3\d3

Found mount point : C:\WINDOWS\CSC\d4\d4

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d4\d4

Found mount point : C:\WINDOWS\CSC\d5\d5

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d5\d5

Found mount point : C:\WINDOWS\CSC\d6\d6

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d6\d6

Found mount point : C:\WINDOWS\CSC\d7\d7

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d7\d7

Found mount point : C:\WINDOWS\CSC\d8\d8

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d8\d8

Found mount point : C:\WINDOWS\downloader\{75FD47F9-0C23-4503-88C3-97A89DEB80AB}\{75FD47F9-0C23-4503-88C3-97A89DEB80AB}

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\downloader\{75FD47F9-0C23-4503-88C3-97A89DEB80AB}\{75FD47F9-0C23-4503-88C3-97A89DEB80AB}

Found mount point : C:\WINDOWS\ime\chsime\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\chsime\applets\applets

Found mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Found mount point : C:\WINDOWS\ime\imejp\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imejp\applets\applets

Found mount point : C:\WINDOWS\ime\imejp98\imejp98

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imejp98\imejp98

Found mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

Found mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Found mount point : C:\WINDOWS\ime\shared\res\res

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\shared\res\res

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\D7314F9862C648A4DB8BE2A5B47BE100\1.0.0\1.0.0

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\D7314F9862C648A4DB8BE2A5B47BE100\1.0.0\1.0.0

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Found mount point : C:\WINDOWS\java\classes\classes

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\java\classes\classes

Found mount point : C:\WINDOWS\java\trustlib\trustlib

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\java\trustlib\trustlib

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\M886903\M886903

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\M886903\M886903

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Found mount point : C:\WINDOWS\Minidump\Minidump

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Minidump\Minidump

Found mount point : C:\WINDOWS\msapps\msinfo\msinfo

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\msapps\msinfo\msinfo

Found mount point : C:\WINDOWS\msdownld.tmp\msdownld.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\msdownld.tmp\msdownld.tmp

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF

Found mount point : C:\WINDOWS\pchealth\helpctr\BATCH\BATCH

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\BATCH\BATCH

Cannot access: C:\WINDOWS\pchealth\helpctr\binaries\helpsvc.exe

Attempting to restore permissions of : C:\WINDOWS\pchealth\helpctr\binaries\helpsvc.exe

Found mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint

Found mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs

Found mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS

Found mount point : C:\WINDOWS\pchealth\helpctr\System\News\News

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\System\News\News

Found mount point : C:\WINDOWS\pchealth\helpctr\System_OEM\System_OEM

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\System_OEM\System_OEM

Found mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp

Found mount point : C:\WINDOWS\PIF\PIF

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PIF\PIF

Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Found mount point : C:\WINDOWS\registry\registry

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\registry\registry

Found mount point : C:\WINDOWS\Resources\Cursors\Cursors

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Resources\Cursors\Cursors

Found mount point : C:\WINDOWS\ServicePackFiles\i386\lang\lang

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ServicePackFiles\i386\lang\lang

Found mount point : C:\WINDOWS\ServicePackFiles\ServicePackCache\i386\i386

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ServicePackFiles\ServicePackCache\i386\i386

Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\10\10

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\10\10

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\52\msft\msft

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\52\msft\msft

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\60\msft\msft

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\60\msft\msft

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\70\70

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\70\70

Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Found mount point : C:\WINDOWS\SxsCaPendDel\SxsCaPendDel

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SxsCaPendDel\SxsCaPendDel

Found mount point : C:\WINDOWS\system\WINDOWS\SYSTEM\SYSTEM

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system\WINDOWS\SYSTEM\SYSTEM

Cannot access: C:\WINDOWS\system32\eventlog.dll

Attempting to restore permissions of : C:\WINDOWS\system32\eventlog.dll

[1] 2008-04-13 18:11:53 56320 C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\eventlog.dll (Microsoft Corporation)

[1] 2008-04-14 06:00:00 56320 C:\WINDOWS\system32\dllcache\eventlog.dll (Microsoft Corporation)

[1] 2008-04-14 06:00:00 61952 C:\WINDOWS\system32\eventlog.dll ()

[2] 2008-04-14 06:00:00 56320 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)



Cannot access: C:\WINDOWS\system32\wbem\wmiprvse.exe

Attempting to restore permissions of : C:\WINDOWS\system32\wbem\wmiprvse.exe

Found mount point : C:\WINDOWS\TVScriptApp\_Run\STBDisk\STBDisk

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\TVScriptApp\_Run\STBDisk\STBDisk

Found mount point : C:\WINDOWS\TVScriptApp\_Run\Transmit\Transmit

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\TVScriptApp\_Run\Transmit\Transmit

Found mount point : C:\WINDOWS\TVScriptApp\_Run\UpdateDir\UpdateDir

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\TVScriptApp\_Run\UpdateDir\UpdateDir

Found mount point : C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2



Finished!

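The two Win32kDiag logs above carry the two findings the helper acts on next: every directory under C:\WINDOWS that has become a reparse point to a raw \Device\ object, and system files (eventlog.dll, wmiprvse.exe, helpsvc.exe) that the tool cannot open and whose size or signer no longer matches the dllcache copy. The following triage script is an added example written for this thread, not part of the original posts or of the Win32kDiag tool; it parses log text in the format pasted above and reports both findings. It assumes that legitimate NTFS volume mount points resolve to \??\Volume{...} (anything else is flagged), and the embedded sample is a constructed excerpt of the log above.

```python
"""Triage helper for Win32kDiag-style logs (added example, not the tool's code).

Reports:
  * mount points whose destination is not a \\??\\Volume{...} object
    (assumption: that is the only form Windows itself creates), and
  * inaccessible files whose size or company string differs from the
    dllcache copy, plus any same-size copy that looks like the original.
"""
import re
from dataclasses import dataclass, field

MOUNT_RE = re.compile(r"^Found mount point : (.+)$")
DEST_RE = re.compile(r"^Mount point destination : (.+)$")
DENY_RE = re.compile(r"^Cannot access: (.+)$")
# [group] date time size path (company)
FILE_RE = re.compile(
    r"^\[(\d+)\] (\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\d+) (.+?) \((.*)\)$"
)

# Constructed excerpt in the same format as the logs posted above.
SAMPLE_LOG = r"""
Found mount point : C:\WINDOWS\addins\addins

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\system32\eventlog.dll

Attempting to restore permissions of : C:\WINDOWS\system32\eventlog.dll

[1] 2008-04-14 06:00:00 56320 C:\WINDOWS\system32\dllcache\eventlog.dll (Microsoft Corporation)

[1] 2008-04-14 06:00:00 61952 C:\WINDOWS\system32\eventlog.dll ()

[2] 2008-04-14 06:00:00 56320 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)

Finished!
"""


@dataclass
class InaccessibleFile:
    path: str
    copies: list = field(default_factory=list)  # (size, path, company)


def parse_win32kdiag(text):
    """Return (mount points as (dir, destination), inaccessible files)."""
    mounts, denied = [], []
    pending_mount, current = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := MOUNT_RE.match(line):
            pending_mount, current = m.group(1), None
        elif (m := DEST_RE.match(line)) and pending_mount:
            mounts.append((pending_mount, m.group(1)))
            pending_mount = None
        elif m := DENY_RE.match(line):
            current = InaccessibleFile(m.group(1))
            denied.append(current)
        elif (m := FILE_RE.match(line)) and current:
            # File-listing lines belong to the most recent "Cannot access" entry.
            current.copies.append((int(m.group(3)), m.group(4), m.group(5)))
    return mounts, denied


def suspicious_mounts(mounts):
    """Mount points that do not resolve to a volume GUID object (assumption above)."""
    return [(d, dest) for d, dest in mounts if not dest.startswith("\\??\\Volume")]


def replaced_system_files(denied):
    """Compare each inaccessible file with its dllcache copy; flag mismatches."""
    findings = []
    for f in denied:
        own = next((c for c in f.copies if c[1].lower() == f.path.lower()), None)
        ref = next((c for c in f.copies if "\\dllcache\\" in c[1].lower()), None)
        if own is None or ref is None:
            continue
        if own[0] != ref[0] or own[2] != ref[2]:
            # A same-size, same-signer copy elsewhere is a candidate renamed original.
            twins = [c[1] for c in f.copies
                     if c is not own and c[0] == ref[0] and c[2] == ref[2]
                     and "\\dllcache\\" not in c[1].lower()]
            findings.append({"path": f.path, "size": own[0], "expected_size": ref[0],
                             "company": own[2], "same_size_copies": twins})
    return findings


if __name__ == "__main__":
    mounts, denied = parse_win32kdiag(SAMPLE_LOG)
    for d, dest in suspicious_mounts(mounts):
        print(f"redirected directory: {d} -> {dest}")
    for hit in replaced_system_files(denied):
        print(f"modified system file: {hit['path']} ({hit['size']} bytes, "
              f"dllcache has {hit['expected_size']}); candidate originals: "
              f"{hit['same_size_copies']}")
```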
chamber
Hi,

1. Please download The Avenger by Swandog46 to your Desktop.
  • Right click on the Avenger.zip folder and select "Extract All..."
  • Follow the prompts and extract the avenger folder to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

CODE
Begin copying here:
Files to move:
C:\WINDOWS\system32\logevent.dll | C:\WINDOWS\system32\eventlog.dll


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, open the avenger folder and start The Avenger program by clicking on its icon.
  • Right click on the window under Input script here:, and select Paste.
  • You can also click on this window and press (Ctrl+V) to paste the contents of the clipboard.
  • Click on Execute
  • Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:
  • It will Restart your computer. (In cases where the code to execute contains "Drivers to Delete", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of The Avenger's actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh OTL log .


Next



Delete the copy of ComboFix that you have and redownload it.

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have ComboFix, this is a new version that I need you to download. It is important that it is saved directly to your desktop and renamed following this process.**
  1. If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".
  2. During the download, rename Combofix to Combo-Fix as follows:





  3. It is important you rename Combofix during the download, but not after.
  4. Please do not rename Combofix to other names, but only to the one indicated.
  5. Close any open browsers.
  6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------
  7. Double click on combo-Fix.exe & follow the prompts.
  8. When finished, it will produce a report for you.
  9. Please post the "C:\Combo-Fix.txt" for further review.

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**
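
The Avenger line above moves logevent.dll over eventlog.dll. In the Win32kDiag listing earlier in the thread, logevent.dll has the same size (56320) and company name (Microsoft Corporation) as the dllcache copy, while system32\eventlog.dll is 61952 bytes with none, which is why the helper treats logevent.dll as the clean copy. The Avenger performs the move at reboot, before the file can be locked again; the script below is an added example (not The Avenger's code) of the two safeguards a practitioner would want around that step: refuse the move unless the replacement hashes identically to a trusted reference copy, and zip the overwritten file first. It parses `src | dst` lines in the same shape as the script above but uses relative forward-slash paths under a temporary directory, with constructed file contents standing in for the real DLLs.

```python
"""Added example: a guarded 'Files to move' step with hash verification
against a reference copy and a zip backup of whatever gets overwritten."""
import hashlib
import shutil
import tempfile
import zipfile
from pathlib import Path

# Constructed script in the shape of the Avenger instructions above.
SCRIPT = """\
Files to move:
system32/logevent.dll | system32/eventlog.dll
"""


def parse_files_to_move(script):
    """Return (src, dst) pairs from the 'Files to move:' section."""
    moves, in_section = [], False
    for raw in script.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(":"):                     # section header
            in_section = line[:-1].lower() == "files to move"
            continue
        if in_section and "|" in line:
            src, dst = (p.strip() for p in line.split("|", 1))
            moves.append((src, dst))
    return moves


def sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def guarded_move(root, moves, reference, backup_zip):
    """reference maps a destination file name to the SHA-256 of a trusted copy
    (here the dllcache copy). A move is refused unless the source matches it."""
    outcome = {}
    with zipfile.ZipFile(backup_zip, "a") as zf:
        for src, dst in moves:
            s, d = Path(root, src), Path(root, dst)
            if not s.is_file():
                outcome[dst] = "refused: source missing"
                continue
            expected = reference.get(d.name.lower())
            if expected is None or sha256(s) != expected:
                outcome[dst] = "refused: source does not match reference"
                continue
            if d.exists():
                zf.write(d, arcname=dst)           # keep the file we overwrite
            shutil.move(str(s), str(d))
            outcome[dst] = "replaced"
    return outcome


GOOD = b"MZ clean eventlog.dll" * 100        # constructed stand-in contents
PATCHED = b"MZ patched eventlog.dll" * 100


def _setup(root, replacement_bytes):
    (root / "system32" / "dllcache").mkdir(parents=True)
    (root / "system32" / "dllcache" / "eventlog.dll").write_bytes(GOOD)
    (root / "system32" / "eventlog.dll").write_bytes(PATCHED)
    (root / "system32" / "logevent.dll").write_bytes(replacement_bytes)
    return {"eventlog.dll": sha256(root / "system32" / "dllcache" / "eventlog.dll")}


def demo():
    """Replacement matches the dllcache copy: move goes ahead, old file zipped."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        reference = _setup(root, GOOD)
        backup = root / "backup.zip"
        outcome = guarded_move(root, parse_files_to_move(SCRIPT), reference, backup)
        with zipfile.ZipFile(backup) as zf:
            names = zf.namelist()
            old = zf.read("system32/eventlog.dll")
        return {"outcome": outcome, "backup": names,
                "restored": (root / "system32" / "eventlog.dll").read_bytes() == GOOD,
                "source_gone": not (root / "system32" / "logevent.dll").exists(),
                "backup_is_old_copy": old == PATCHED}


def demo_refused():
    """Replacement does not match the reference: nothing is touched."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        reference = _setup(root, b"MZ something else entirely" * 100)
        outcome = guarded_move(root, parse_files_to_move(SCRIPT), reference,
                               root / "backup.zip")
        untouched = (root / "system32" / "eventlog.dll").read_bytes() == PATCHED
        return outcome, untouched


if __name__ == "__main__":
    print(demo())
    print(demo_refused())
```

The point of the reference hash is that "looks like the original" (right size, right company string) is cheap to fake; a byte-for-byte match with a copy the attacker had no reason to touch is not.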
MidKnight
Avenger ran, and I have a log. I found instructions on OTL here, but it errored out, stating that "2099/1/1 isn't a valid date." Combo-Fix still has the same errors.

Avenger log:


Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File move operation "C:\WINDOWS\system32\logevent.dll|C:\WINDOWS\system32\eventlog.dll" completed successfully.

Completed script processing.

*******************

Finished! Terminate.
chamber
Download avz4.zip from HERE
  1. Unzip it to your desktop to a folder named avz4
  2. Double click on AVZ.exe to run it.
  3. Run an update by clicking the Auto Update button on the Right of the Log window:
  4. Click Start to begin the update

Note: If you receive an error message, choose a different source, then click Start again


  1. Start AVZ.
  2. Choose from the menu "File" => "Standard scripts" and mark the "Advanced System Analysis with malware removal mode enabled" check box.
  3. Click on the Execute selected scripts.
  4. Automatic scanning, healing and system check will be executed.
  5. A logfile (avz_sysinfo.htm) will be created and saved in the LOG folder in the AVZ directory as virusinfo_syscure.zip.
  6. It is necessary to reboot your machine, because AVZ might disturb some program operations (like antiviruses and firewall) during the system scan.
  7. All applications will work properly after the system restart.


When restarted

  1. Start AVZ.
  2. Choose from the menu "File" => "Standard scripts" and mark the "Advanced System Analysis" check box.
  3. Click on the "Execute selected scripts".
  4. A system check will be automatically performed, and the created logfile (avz_sysinfo.htm) will be saved in the LOG folder in the AVZ directory as virusinfo_syscheck.zip.


Attach both virusinfo_syscure.zip and virusinfo_syscheck.zip to your next post

To attach a file, do the following:
  • Click Add Reply
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on to insert the attachment into your post
MidKnight
Ran the scans and attached the two zip files!

chamber
Sorry for the delay,

AVZ FIX

  1. Double click on AVZ.exe
  2. Click File > Custom scripts
  3. Copy & paste the contents of the following codebox in the box in the program (start with begin and end with end )
    CODE
    begin
    SearchRootkit(true, true);
    SetAVZGuardStatus(True);
    QuarantineFile('C:\WINDOWS\msb.exe','');
    BC_DeleteFile('C:\WINDOWS\msb.exe');
    BC_ImportDeletedList;
    BC_Activate;
    ExecuteRepair(13);
    ExecuteSysClean;
    end.

  4. Note: When you run the script, your PC will be restarted
  5. Click Run
  6. Restart your PC if it doesn't do it automatically.




  • Download OTL to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Check the boxes beside LOP Check and Purity Check.
  • Under the Custom Scan box paste this in

    netsvcs
    %SYSTEMDRIVE%\*.exe
    %SYSTEMDRIVE%\eventlog.dll /s /md5
    %SYSTEMDRIVE%\scecli.dll /s /md5
    %SYSTEMDRIVE%\netlogon.dll /s /md5
    %SYSTEMDRIVE%\cngaudit.dll /s /md5
    %SYSTEMDRIVE%\sceclt.dll /s /md5
    %SYSTEMDRIVE%\ntelogon.dll /s /md5
    %SYSTEMDRIVE%\logevent.dll /s /md5
    %SYSTEMDRIVE%\iaStor.sys /s /md5
    %SYSTEMDRIVE%\nvstor.sys /s /md5
    %SYSTEMDRIVE%\atapi.sys /s /md5
    %SYSTEMDRIVE%\IdeChnDr.sys /s /md5
    %SYSTEMDRIVE%\viasraid.sys /s /md5
    %SYSTEMDRIVE%\AGP440.sys /s /md5
    %SYSTEMDRIVE%\vaxscsi.sys /s /md5

  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
    • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply. You may need two posts to fit them all in.
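
Each `/s /md5` line in the custom scan asks OTL to search the drive recursively for every copy of that file name and print each copy's MD5, so a patched copy in system32 stands out against the untouched copies in dllcache or SoftwareDistribution (the Win32kDiag listing earlier in the thread shows that pattern for eventlog.dll). The `%SYSTEMDRIVE%\*.exe` line lists executables dropped at the root of the drive. The script below is an added example, not OTL's code, of a small interpreter for those two directive shapes run over a constructed directory tree; the same list reappears in the OTS instructions further down, and the "majority hash is the clean one" rule is an assumption, so when only two copies exist and differ it reports both.

```python
"""Added example: interpret OTL-style custom scan lines
(`folder\\name /s /md5` and `folder\\*.exe`) over a directory tree and
report copies of a file whose hash disagrees with its siblings."""
import hashlib
import tempfile
from collections import Counter, defaultdict
from pathlib import Path

# Constructed subset of the custom scan list above.
CUSTOM_SCAN = r"""
%SYSTEMDRIVE%\*.exe
%SYSTEMDRIVE%\eventlog.dll /s /md5
%SYSTEMDRIVE%\atapi.sys /s /md5
"""


def parse_directives(text):
    """Each line: a path pattern plus optional /s (recurse) and /md5 flags."""
    out = []
    for raw in text.splitlines():
        parts = raw.strip().split()
        if not parts:
            continue
        folder, _, name = parts[0].replace("\\", "/").rpartition("/")
        flags = {p.lower() for p in parts[1:]}
        out.append({"folder": folder, "name": name,
                    "recursive": "/s" in flags, "md5": "/md5" in flags})
    return out


def md5sum(path):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def run_scan(directives, env):
    """Return (pattern, relative path, size, md5 or None) for every match.
    env supplies values for %VAR% placeholders such as %SYSTEMDRIVE%."""
    hits = []
    for d in directives:
        folder = d["folder"]
        for var, val in env.items():
            folder = folder.replace("%" + var + "%", val)
        base = Path(folder)
        matches = base.rglob(d["name"]) if d["recursive"] else base.glob(d["name"])
        for p in sorted(matches):
            if p.is_file():
                hits.append((d["name"], p.relative_to(base).as_posix(),
                             p.stat().st_size, md5sum(p) if d["md5"] else None))
    return hits


def odd_hashes(hits):
    """Per hashed file name, report copies whose hash is not the majority hash;
    with no strict majority (e.g. two copies that differ) report all of them."""
    by_name = defaultdict(list)
    for name, rel, _, digest in hits:
        if digest:
            by_name[name].append((rel, digest))
    findings = {}
    for name, copies in by_name.items():
        top, n = Counter(h for _, h in copies).most_common(1)[0]
        if n == len(copies):
            continue                                  # all copies agree
        if n * 2 <= len(copies):
            findings[name] = [rel for rel, _ in copies]
        else:
            findings[name] = [rel for rel, h in copies if h != top]
    return findings


def demo():
    """Constructed tree: one patched eventlog.dll among two clean copies,
    two matching atapi.sys copies, and a stray executable at the drive root."""
    good, patched, drv = b"MZ clean" * 50, b"MZ patched" * 50, b"MZ atapi" * 50
    files = {
        "dropped.exe": b"MZ stray",
        "WINDOWS/system32/eventlog.dll": patched,
        "WINDOWS/system32/dllcache/eventlog.dll": good,
        "WINDOWS/SoftwareDistribution/Download/abc/eventlog.dll": good,
        "WINDOWS/system32/drivers/atapi.sys": drv,
        "WINDOWS/system32/dllcache/atapi.sys": drv,
    }
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, data in files.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(data)
        hits = run_scan(parse_directives(CUSTOM_SCAN), {"SYSTEMDRIVE": str(root)})
        return {"root_exes": [rel for name, rel, _, _ in hits if name == "*.exe"],
                "odd": odd_hashes(hits)}


if __name__ == "__main__":
    print(demo())
```

On a real drive, MD5 is fine for "do these copies differ" but not for "is this copy genuine"; for the second question compare against a hash from known-good media or a vendor catalog rather than trusting whichever copy is in the majority.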
MidKnight
AVZ ran successfully. OTL still throws the same error it did last time. When "Looking for newly created files: C:\WINDOWS\System32\rutemada...", I get an error that states "2099/1/1 12:00 is not a valid date and time." I can click OK, but the program seems to hang after that.
chamber
Can you try it in safe mode for me?
MidKnight
Hey, Chamber. I just tried running it in Safe Mode and I ran into the same error. If it helps diagnose things, I've noticed another problem cropping up on the comp - my page file/memory usage is slowly increasing over time and it isn't tied to any particular process.

QUOTE (chamber @ Nov 9 2009, 01:15 PM)
Can you try it in safe mode for me?

chamber
Please download DDS and save it to your desktop.
  • Disable any script blocking protection
  • Double click dds.scr to run the tool.
  • When done, DDS.txt will open.
  • Click Yes at the next prompt for Optional Scan.
  • Save both reports to your desktop.
---------------------------------------------------

Please include the contents of the following in your next reply:

DDS.txt

Please attach the second file; Attach.txt. To attach a file, do the following:
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on to insert the attachment into your post
MidKnight
Just tried running DDS. It opens and immediately an error occurs reading "An unknown error occured. The program will be terminated". Spelling mistake and all. It does seem like it's seeing it as a screensaver file. I really caught a hell of a bug, didn't I?
chamber
Where is the spelling mistake?

Download RootRepeal from one of the following locations and save it to your desktop:
  • Double click to start the program
  • Click on the Report tab at the bottom of the program window
  • Click the button
  • In the Select Scan dialog, check:
    • Drivers
    • Files
    • Processes
    • SSDT
    • Stealth Objects
    • Hidden Services
    • Shadow SSDT
  • Click the OK button
  • In the next dialog, select all drives showing
  • Click OK to start the scan
    Note: The scan can take some time. DO NOT run any other programs while the scan is running
  • When the scan is complete, click the button and save the report to your Desktop as RootRepeal.txt
  • Go to File, then Exit to close the program

If the report is not too long, post the contents of RootRepeal.txt in your next reply. If the report is very long, it will not be complete if you post it, so please attach it to your reply instead.

To attach a file, do the following:
  • Click Add Reply
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on to insert the attachment into your post
MidKnight
Spelling error was "occured" (should be occurred).

RootRepeal errored out when running. It read:
RootRepeal Error
Attempt to read from address: 0x00bb7000

The official rootrepeal_crash log file reads the following:

ROOTREPEAL CRASH REPORT
-------------------------
Windows Version: Windows XP SP3
Exception Code: 0xc0000005
Exception Address: 0x7c8f5e69
Attempt to read from address: 0x00bb7000
chamber
Ok,

Hi there, and sorry for the delay. I will need a fresh look at your system. What are your current symptoms?

To ensure that I get all the information, this log will need to be attached (instructions at the end); if it is too large to attach, upload it to Mediafire and post the sharing link.

Download OTS to your Desktop
  • Rename it to OTS.com
  • Close ALL OTHER PROGRAMS.
  • Double-click on OTS.com to start the program.
  • Check the box that says Scan All Users
  • Under Additional Scans check the following:
    • Reg - Approved Shell Extensions
    • Reg - Desktop Components
    • Reg - Disabled MS Config Items
    • Reg - Drivers32
    • Reg - File Associations
    • Reg - NetSvcs
    • Reg - SafeBoot Minimal
    • Reg - SafeBoot Network
    • Reg - Shell Spawning
    • Reg - Uninstall List
    • File - Lop Check
    • File - Purity Scan
    • Evnt - EvtViewer (last 10)
  • Under the Custom Scans box at the bottom left paste the following in

    %ALLUSERSPROFILE%\Application Data\*.
    %ALLUSERSPROFILE%\Application Data\*.exe /s
    %APPDATA%\*.
    %APPDATA%\*.exe /s
    %SYSTEMDRIVE%\*.exe
    %SYSTEMDRIVE%\eventlog.dll /s /md5
    %SYSTEMDRIVE%\scecli.dll /s /md5
    %SYSTEMDRIVE%\netlogon.dll /s /md5
    %SYSTEMDRIVE%\cngaudit.dll /s /md5
    %SYSTEMDRIVE%\sceclt.dll /s /md5
    %SYSTEMDRIVE%\ntelogon.dll /s /md5
    %SYSTEMDRIVE%\logevent.dll /s /md5
    %SYSTEMDRIVE%\iaStor.sys /s /md5
    %SYSTEMDRIVE%\nvstor.sys /s /md5
    %SYSTEMDRIVE%\atapi.sys /s /md5
    %SYSTEMDRIVE%\IdeChnDr.sys /s /md5
    %SYSTEMDRIVE%\viasraid.sys /s /md5
    %SYSTEMDRIVE%\AGP440.sys /s /md5
    %SYSTEMDRIVE%\vaxscsi.sys /s /md5

  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

Please attach the log in your next post.

To attach a file, do the following:
  • Click Add Reply
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on to insert the attachment into your post
MidKnight
Unfortunately, I can't get it to run. I'm getting the same invalid date message.
chamber
Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (e.g. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.
MidKnight
GMER crashes both during regular startup and in safe mode. It's the standard windows error message, "[characters].exe has encountered a problem..." etc.
chamber
I need to get a fresh look with this,

Please download Win32Diag from one of the links below and save it to your Desktop.

Link 1
Link 2
Link 3

  1. Double-click on Win32Diag.exe to run it. If you are using Windows Vista, please right-click and select Run As Administrator
  2. A black command prompt window shall appear.
  3. It will now begin to scan. This may take a while; please be patient until the scan is complete.
  4. Once it's done, the black screen will say "Finished! Press any key to exit...". Press any key to exit.
  5. A log file called Win32KDiag.txt will be created on your desktop.
  6. Please copy and paste the contents of that log file in your next reply.



Download SysProt Antirootkit from the link below (you will find it at the bottom of the page under attachments, or you can get it from one of the mirrors).

http://sites.google.com/site/sysprotantirootkit/

Unzip it into a folder on your desktop.

Start the Sysprot.exe program.
  • Click on the Log tab.
  • In the Write to log box select all items.
  • Click on the Create Log button on the bottom right.
  • After a few seconds a new Window should appear.
  • Make sure Scan all drives is selected and click on the Start button.
  • When it is complete a new Window will appear to indicate that the scan is finished.
  • The log will be created and saved automatically in the same folder. Open the text file and copy/paste the log here.
MidKnight
Win32Diag looks like it wasn't able to complete properly. The log is as follows:

Running from: C:\Documents and Settings\Administrator\Desktop\Win32kDiag.exe

Log file at : C:\Documents and Settings\Administrator\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...





Finished!


The log for SysProt DID successfully run. It is as follows:

SysProt AntiRootkit v1.0.1.0
by swatkat

******************************************************************************************
******************************************************************************************

Process:
Name: [System Idle Process]
PID: 0
Hidden: No
Window Visible: No

Name: System
PID: 4
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\smss.exe
PID: 808
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\csrss.exe
PID: 856
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\winlogon.exe
PID: 888
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\services.exe
PID: 932
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\lsass.exe
PID: 952
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\ati2evxx.exe
PID: 1120
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 1136
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 1228
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 1280
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 1316
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\ati2evxx.exe
PID: 1360
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 1472
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 1580
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\BCMWLTRY.EXE
PID: 1836
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\spoolsv.exe
PID: 1884
Hidden: No
Window Visible: No

Name: C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
PID: 160
Hidden: No
Window Visible: No

Name: C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
PID: 192
Hidden: No
Window Visible: No

Name: C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
PID: 228
Hidden: No
Window Visible: No

Name: C:\Program Files\Java\jre6\bin\jqs.exe
PID: 312
Hidden: No
Window Visible: No

Name: C:\WINDOWS\Runservice.exe
PID: 440
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\IoctlSvc.exe
PID: 464
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\PnkBstrA.exe
PID: 484
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\PSIService.exe
PID: 516
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 680
Hidden: No
Window Visible: No

Name: C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
PID: 764
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\wdfmgr.exe
PID: 824
Hidden: No
Window Visible: No

Name: C:\Program Files\Viewpoint\Common\ViewpointService.exe
PID: 1176
Hidden: No
Window Visible: No

Name: C:\Program Files\Linksys\WUSB54GSCv2\WLService.exe
PID: 1532
Hidden: No
Window Visible: No

Name: C:\Program Files\Linksys\WUSB54GSCv2\WUSB54GSC.exe
PID: 1440
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\ZuneBusEnum.exe
PID: 1640
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 1668
Hidden: No
Window Visible: No

Name: C:\WINDOWS\explorer.exe
PID: 640
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\alg.exe
PID: 2948
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\wscntfy.exe
PID: 3008
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\VTTimer.exe
PID: 1664
Hidden: No
Window Visible: No

Name: C:\Applications\Google\Gmail Notifier\gnotify.exe
PID: 1776
Hidden: No
Window Visible: No

Name: C:\Program Files\Common Files\Real\Update_OB\realsched.exe
PID: 1788
Hidden: No
Window Visible: No

Name: C:\Applications\Adobe\Adobe Acrobat 7.0\Distillr\acrotray.exe
PID: 2132
Hidden: No
Window Visible: No

Name: C:\Program Files\Logitech\iTouch\iTouch.exe
PID: 2156
Hidden: No
Window Visible: No

Name: C:\Program Files\Lexmark 2400 Series\ezprint.exe
PID: 2268
Hidden: No
Window Visible: No

Name: C:\WINDOWS\soundman.exe
PID: 2292
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\lxcrcoms.exe
PID: 2400
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\ctfmon.exe
PID: 2404
Hidden: No
Window Visible: No

Name: C:\Program Files\Taskbar Shuffle\taskbarshuffle.exe
PID: 2472
Hidden: No
Window Visible: No

Name: C:\Program Files\DL Software\D-Color\dcolor.exe
PID: 2504
Hidden: No
Window Visible: No

Name: C:\Program Files\RocketDock\RocketDock.exe
PID: 2996
Hidden: No
Window Visible: No

Name: C:\Program Files\DisplayFusion\DisplayFusion.exe
PID: 3192
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 3412
Hidden: No
Window Visible: No

Name: C:\Program Files\VisualTaskTips\VisualTaskTips.exe
PID: 3440
Hidden: No
Window Visible: No

Name: C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe
PID: 3456
Hidden: No
Window Visible: No

Name: C:\Applications\DAEMON Tools\daemon.exe
PID: 3464
Hidden: No
Window Visible: No

Name: C:\Program Files\IEEE 802.11g USB Wireless LAN\Wireless LAN\WlanUtil.exe
PID: 2052
Hidden: No
Window Visible: No

Name: C:\Program Files\Launchy\Launchy.exe
PID: 2320
Hidden: No
Window Visible: No

Name: C:\Program Files\NETGEAR\WG111v3\WG111v3.exe
PID: 2424
Hidden: No
Window Visible: No

Name: C:\Applications\NETGEAR\WG111 Configuration Utility\WG111CFG.exe
PID: 2700
Hidden: No
Window Visible: No

Name: C:\Program Files\Samurize\Client.exe
PID: 1820
Hidden: No
Window Visible: No

Name: C:\Documents and Settings\Administrator\Application Data\Dropbox\bin\Dropbox.exe
PID: 2976
Hidden: No
Window Visible: No

Name: C:\Documents and Settings\Administrator\Local Settings\Application Data\Autobahn\mlb-nexdef-autobahn.exe
PID: 2084
Hidden: No
Window Visible: No

Name: C:\Applications\Mozilla Firefox\firefox.exe
PID: 2588
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\wbem\wmiprvse.exe
PID: 3856
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\notepad.exe
PID: 3260
Hidden: No
Window Visible: Yes

Name: C:\Applications\WinRAR\WinRAR.exe
PID: 3172
Hidden: No
Window Visible: No

Name: C:\Documents and Settings\Administrator\Desktop\SysProt\SysProt.exe
PID: 2816
Hidden: No
Window Visible: Yes

******************************************************************************************
******************************************************************************************
Kernel Modules:
Module Name: \??\c:\documents and settings\administrator\desktop\sysprot\SysProtDrv.sys
Service Name: SysProtDrv.sys
Module Base: A90E5000
Module End: A90F0000
Hidden: No

Module Name: \WINDOWS\system32\ntkrnlpa.exe
Service Name: ---
Module Base: 804D7000
Module End: 806E4000
Hidden: No

Module Name: \WINDOWS\system32\hal.dll
Service Name: ---
Module Base: 806E4000
Module End: 80704D00
Hidden: No

Module Name: \WINDOWS\system32\KDCOM.DLL
Service Name: ---
Module Base: BA5A8000
Module End: BA5AA000
Hidden: No

Module Name: \WINDOWS\system32\BOOTVID.dll
Service Name: ---
Module Base: BA4B8000
Module End: BA4BB000
Hidden: No

Module Name: spzb.sys
Service Name: ---
Module Base: B9EA9000
Module End: B9FA7000
Hidden: Yes

Module Name: \WINDOWS\System32\Drivers\WMILIB.SYS
Service Name: ---
Module Base: BA5AA000
Module End: BA5AC000
Hidden: No

Module Name: \WINDOWS\System32\Drivers\SCSIPORT.SYS
Service Name: ScsiPort
Module Base: B9E91000
Module End: B9EA9000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\ACPI.sys
Service Name: ACPI
Module Base: B9E63000
Module End: B9E91000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\pci.sys
Service Name: PCI
Module Base: B9E52000
Module End: B9E63000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\isapnp.sys
Service Name: isapnp
Module Base: BA0A8000
Module End: BA0B2000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\PCIIde.sys
Service Name: PCIIde
Module Base: BA670000
Module End: BA671000
Hidden: No

Module Name: \WINDOWS\System32\Drivers\PCIIDEX.SYS
Service Name: ---
Module Base: BA328000
Module End: BA32F000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\ViaIde.sys
Service Name: ViaIde
Module Base: BA5AC000
Module End: BA5AE000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\MountMgr.sys
Service Name: MountMgr
Module Base: BA0B8000
Module End: BA0C3000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\ftdisk.sys
Service Name: Disk
Module Base: B9E33000
Module End: B9E52000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\dmload.sys
Service Name: dmload
Module Base: BA5AE000
Module End: BA5B0000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\dmio.sys
Service Name: dmio
Module Base: B9E0D000
Module End: B9E33000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\videX32.sys
Service Name: videX32
Module Base: BA330000
Module End: BA338000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\PartMgr.sys
Service Name: PartMgr
Module Base: BA338000
Module End: BA33D000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\sfsync02.sys
Service Name: sfsync02
Module Base: BA340000
Module End: BA346000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\VolSnap.sys
Service Name: VolSnap
Module Base: BA0C8000
Module End: BA0D5000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\atapi.sys
Service Name: atapi
Module Base: B9DF5000
Module End: B9E0D000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\disk.sys
Service Name: ---
Module Base: BA0D8000
Module End: BA0E1000
Hidden: No

Module Name: \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
Service Name: ---
Module Base: BA0E8000
Module End: BA0F5000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\fltmgr.sys
Service Name: FltMgr
Module Base: B9DD5000
Module End: B9DF5000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\sr.sys
Service Name: sr
Module Base: B9DC3000
Module End: B9DD5000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\xfilt.sys
Service Name: xfilt
Module Base: BA348000
Module End: BA350000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\PxHelp20.sys
Service Name: PxHelp20
Module Base: BA0F8000
Module End: BA101000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\KSecDD.sys
Service Name: KSecDD
Module Base: B9DAC000
Module End: B9DC3000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\WudfPf.sys
Service Name: WudfPf
Module Base: B9D99000
Module End: B9DAC000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\Ntfs.sys
Service Name: Ntfs
Module Base: B9D0C000
Module End: B9D99000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\NDIS.sys
Service Name: NDIS
Module Base: B9CDF000
Module End: B9D0C000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\uagp35.sys
Service Name: uagp35
Module Base: BA108000
Module End: BA113000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\sfhlp02.sys
Service Name: sfhlp02
Module Base: BA350000
Module End: BA358000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\sfdrv01.sys
Service Name: sfdrv01
Module Base: B9CCE000
Module End: B9CDF000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\Mup.sys
Service Name: Mup
Module Base: B9CB4000
Module End: B9CCE000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\intelppm.sys
Service Name: intelppm
Module Base: BA238000
Module End: BA241000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
Service Name: ati2mtag
Module Base: B8DF1000
Module End: B91A7000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS
Service Name: ---
Module Base: B8DDD000
Module End: B8DF1000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\usbuhci.sys
Service Name: usbuhci
Module Base: BA3C0000
Module End: BA3C6000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\USBPORT.SYS
Service Name: ---
Module Base: B8DB9000
Module End: B8DDD000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\usbehci.sys
Service Name: usbehci
Module Base: BA3C8000
Module End: BA3D0000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\ALCXWDM.SYS
Service Name: ALCXWDM
Module Base: B89C9000
Module End: B8DB9000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\portcls.sys
Service Name: ---
Module Base: B8944000
Module End: B8968000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\drmk.sys
Service Name: ---
Module Base: BA248000
Module End: BA257000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\ks.sys
Service Name: ---
Module Base: B8921000
Module End: B8944000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\fetnd5bv.sys
Service Name: FETND5BV
Module Base: BA258000
Module End: BA263000
Hidden: No

Module Name: \SystemRoot\System32\Drivers\aebi5vuw.SYS
Service Name: ---
Module Base: B88BC000
Module End: B8921000
Hidden: Yes

Module Name: C:\WINDOWS\system32\DRIVERS\serial.sys
Service Name: Serial
Module Base: BA268000
Module End: BA278000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\serenum.sys
Service Name: serenum
Module Base: BA57C000
Module End: BA580000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\parport.sys
Service Name: Parport
Module Base: B88A8000
Module End: B88BC000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\audstub.sys
Service Name: audstub
Module Base: BA79A000
Module End: BA79B000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
Service Name: Rasl2tp
Module Base: BA278000
Module End: BA285000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ndistapi.sys
Service Name: NdisTapi
Module Base: BA580000
Module End: BA583000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ndiswan.sys
Service Name: NdisWan
Module Base: B8891000
Module End: B88A8000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\raspppoe.sys
Service Name: RasPppoe
Module Base: BA288000
Module End: BA293000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\raspptp.sys
Service Name: PptpMiniport
Module Base: BA298000
Module End: BA2A4000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\TDI.SYS
Service Name: ---
Module Base: BA418000
Module End: BA41D000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\psched.sys
Service Name: PSched
Module Base: B8880000
Module End: B8891000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\msgpc.sys
Service Name: Gpc
Module Base: BA2A8000
Module End: BA2B1000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ptilink.sys
Service Name: Ptilink
Module Base: BA420000
Module End: BA425000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\raspti.sys
Service Name: Raspti
Module Base: BA428000
Module End: BA42D000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\rdpdr.sys
Service Name: rdpdr
Module Base: B8850000
Module End: B8880000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\termdd.sys
Service Name: TermDD
Module Base: BA2B8000
Module End: BA2C2000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\kbdclass.sys
Service Name: Kbdclass
Module Base: BA430000
Module End: BA436000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\mouclass.sys
Service Name: Mouclass
Module Base: BA438000
Module End: BA43E000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\swenum.sys
Service Name: swenum
Module Base: BA62E000
Module End: BA630000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\update.sys
Service Name: Update
Module Base: B87F2000
Module End: B8850000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\mssmbios.sys
Service Name: BIOS
Module Base: B91C7000
Module End: B91CB000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\zumbus.sys
Service Name: zumbus
Module Base: BA2C8000
Module End: BA2D2000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\WDFLDR.SYS
Service Name: ---
Module Base: BA2D8000
Module End: BA2E5000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\wdf01000.sys
Service Name: Wdf01000
Module Base: B8776000
Module End: B87F2000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\NDProxy.SYS
Service Name: NDProxy
Module Base: BA308000
Module End: BA312000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\usbhub.sys
Service Name: usbhub
Module Base: BA138000
Module End: BA147000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\USBD.SYS
Service Name: ---
Module Base: BA632000
Module End: BA634000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Service Name: Cdrom
Module Base: BA148000
Module End: BA158000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\redbook.sys
Service Name: redbook
Module Base: BA158000
Module End: BA167000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys
Service Name: GEARAspiWDM
Module Base: BA448000
Module End: BA44F000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Fs_Rec.SYS
Service Name: Fs_Rec
Module Base: BA636000
Module End: BA638000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Null.SYS
Service Name: Null
Module Base: BA76C000
Module End: BA76D000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Beep.SYS
Service Name: Beep
Module Base: BA638000
Module End: BA63A000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\avgclean.sys
Service Name: AvgClean
Module Base: BA768000
Module End: BA769000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS
Service Name: ---
Module Base: BA468000
Module End: BA46F000
Hidden: No

Module Name: C:\WINDOWS\System32\drivers\vga.sys
Service Name: VgaSave
Module Base: BA470000
Module End: BA476000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\mnmdd.SYS
Service Name: mnmdd
Module Base: BA63A000
Module End: BA63C000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\RDPCDD.sys
Service Name: RDPCDD
Module Base: BA63C000
Module End: BA63E000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Msfs.SYS
Service Name: Msfs
Module Base: BA478000
Module End: BA47D000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Npfs.SYS
Service Name: Npfs
Module Base: BA480000
Module End: BA488000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\rasacd.sys
Service Name: RasAcd
Module Base: B9C80000
Module End: B9C83000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ipsec.sys
Service Name: IPSec
Module Base: AC659000
Module End: AC66C000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\tcpip.sys
Service Name: Tcpip
Module Base: AC600000
Module End: AC659000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\netbt.sys
Service Name: NetBT
Module Base: AC5D8000
Module End: AC600000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ipnat.sys
Service Name: IpNat
Module Base: AC5B2000
Module End: AC5D8000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\wanarp.sys
Service Name: Wanarp
Module Base: BA178000
Module End: BA181000
Hidden: No

Module Name: C:\WINDOWS\System32\drivers\ws2ifsl.sys
Service Name: WS2IFSL
Module Base: B9C6C000
Module End: B9C6F000
Hidden: No

Module Name: C:\WINDOWS\System32\drivers\afd.sys
Service Name: AFD
Module Base: AC590000
Module End: AC5B2000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\netbios.sys
Service Name: NetBIOS
Module Base: BA188000
Module End: BA191000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\rdbss.sys
Service Name: Rdbss
Module Base: AC565000
Module End: AC590000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
Service Name: MRxSmb
Module Base: AC4F5000
Module End: AC565000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Fips.SYS
Service Name: Fips
Module Base: BA1A8000
Module End: BA1B3000
Hidden: No

Module Name: \??\C:\WINDOWS\system32\drivers\BS_I2cIo.sys
Service Name: BS_I2cIo
Module Base: BA498000
Module End: BA4A0000
Hidden: No

Module Name: \??\C:\WINDOWS\system32\drivers\BIOS.sys
Service Name: ---
Module Base: B94CD000
Module End: B94D1000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\BANTExt.sys
Service Name: BANTExt
Module Base: BA7DF000
Module End: BA7E0000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\avg7core.sys
Service Name: Avg7Core
Module Base: AC42C000
Module End: AC4F5000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\hidusb.sys
Service Name: HidUsb
Module Base: B94C5000
Module End: B94C8000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS
Service Name: ---
Module Base: BA1B8000
Module End: BA1C1000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\WUSB54GSCV2.sys
Service Name: WUSB54GSCV2
Module Base: AC3FB000
Module End: AC42C000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
Service Name: USBSTOR
Module Base: BA4A0000
Module End: BA4A7000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\mouhid.sys
Service Name: mouhid
Module Base: B94BD000
Module End: B94C0000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\kbdhid.sys
Service Name: kbdhid
Module Base: BA550000
Module End: BA554000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\avg7rsw.sys
Service Name: Avg7RsW
Module Base: BA664000
Module End: BA666000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\avg7rsxp.sys
Service Name: Avg7RsXP
Module Base: BA4B0000
Module End: BA4B7000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Cdfs.SYS
Service Name: Cdfs
Module Base: BA218000
Module End: BA228000
Hidden: No

Module Name: \SystemRoot\System32\Drivers\dump_atapi.sys
Service Name: ---
Module Base: AC31B000
Module End: AC333000
Hidden: Yes

Module Name: \SystemRoot\System32\Drivers\dump_WMILIB.SYS
Service Name: ---
Module Base: BA5C4000
Module End: BA5C6000
Hidden: Yes

Module Name: C:\WINDOWS\System32\drivers\Dxapi.sys
Service Name: ---
Module Base: AC690000
Module End: AC693000
Hidden: No

Module Name: C:\WINDOWS\System32\watchdog.sys
Service Name: ---
Module Base: BA368000
Module End: BA36D000
Hidden: No

Module Name: C:\WINDOWS\System32\drivers\dxgthk.sys
Service Name: ---
Module Base: BA7F2000
Module End: BA7F3000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\atinavt2.sys
Service Name: ATIAVAIW
Module Base: AC2CA000
Module End: AC2F3000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\BdaSup.SYS
Service Name: ---
Module Base: B94D1000
Module End: B94D4000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\AegisP.sys
Service Name: AegisP
Module Base: BA3F0000
Module End: BA3F5000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\mdc8021x.sys
Service Name: MDC8021X
Module Base: A9F86000
Module End: A9F8A000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ndisuio.sys
Service Name: Ndisuio
Module Base: A9F7E000
Module End: A9F82000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\mrxdav.sys
Service Name: MRxDAV
Module Base: A9CB5000
Module End: A9CE2000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\ParVdm.SYS
Service Name: ParVdm
Module Base: BA5B4000
Module End: BA5B6000
Hidden: No

Module Name: C:\WINDOWS\System32\drivers\aspi32.sys
Service Name: Aspi32
Module Base: BA400000
Module End: BA405000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\avgtdi.sys
Service Name: AvgTdi
Module Base: BA5BA000
Module End: BA5BC000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\srv.sys
Service Name: Srv
Module Base: A9AAB000
Module End: A9AFD000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\wdmaud.sys
Service Name: wdmaud
Module Base: A9A46000
Module End: A9A5B000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\sysaudio.sys
Service Name: sysaudio
Module Base: A9C2D000
Module End: A9C3C000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\HTTP.sys
Service Name: HTTP
Module Base: A939D000
Module End: A93DE000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\ZDPSp50.sys
Service Name: ZDPSp50
Module Base: BA360000
Module End: BA365000
Hidden: No

Module Name: \??\C:\WINDOWS\system32\PCANDIS5.SYS
Service Name: PCANDIS5
Module Base: A8ED5000
Module End: A8ED9000
Hidden: No

********************************************************************************
**********
********************************************************************************
**********
SSDT:
Function Name: ZwCreateKey
Address: B9EAA0E0
Driver Base: B9EA9000
Driver End: B9FA7000
Driver Name: spzb.sys

Function Name: ZwEnumerateKey
Address: B9EC7CA2
Driver Base: B9EA9000
Driver End: B9FA7000
Driver Name: spzb.sys

Function Name: ZwEnumerateValueKey
Address: B9EC8030
Driver Base: B9EA9000
Driver End: B9FA7000
Driver Name: spzb.sys

Function Name: ZwOpenKey
Address: B9EAA0C0
Driver Base: B9EA9000
Driver End: B9FA7000
Driver Name: spzb.sys

Function Name: ZwQueryKey
Address: B9EC8108
Driver Base: B9EA9000
Driver End: B9FA7000
Driver Name: spzb.sys

Function Name: ZwQueryValueKey
Address: B9EC7F88
Driver Base: B9EA9000
Driver End: B9FA7000
Driver Name: spzb.sys

Function Name: ZwSetValueKey
Address: B9EC819A
Driver Base: B9EA9000
Driver End: B9FA7000
Driver Name: spzb.sys

********************************************************************************
**********
********************************************************************************
**********
No Kernel Hooks found

********************************************************************************
**********
********************************************************************************
**********
IRP Hooks:
Hooked Module: C:\WINDOWS\system32\drivers\atapi.sys
Hooked IRP: IRP_MJ_INTERNAL_DEVICE_CONTROL
Jump To: BA340D60
Hooking Module: C:\WINDOWS\system32\drivers\sfsync02.sys

Hooked Module: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
Hooked IRP: IRP_MJ_CREATE
Jump To: 8A967500
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
Hooked IRP: IRP_MJ_CLOSE
Jump To: 8A967500
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
Hooked IRP: IRP_MJ_READ
Jump To: 8A967500
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
Hooked IRP: IRP_MJ_WRITE
Jump To: 8A967500
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
Hooked IRP: IRP_MJ_DEVICE_CONTROL
Jump To: 8A967500
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
Hooked IRP: IRP_MJ_INTERNAL_DEVICE_CONTROL
Jump To: BA340D60
Hooking Module: C:\WINDOWS\system32\drivers\sfsync02.sys

Hooked Module: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
Hooked IRP: IRP_MJ_POWER
Jump To: 8A967500
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
Hooked IRP: IRP_MJ_SYSTEM_CONTROL
Jump To: 8A967500
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\dmio.sys
Hooked IRP: IRP_MJ_CREATE
Jump To: 8AC211F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\dmio.sys
Hooked IRP: IRP_MJ_CLOSE
Jump To: 8AC211F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\dmio.sys
Hooked IRP: IRP_MJ_READ
Jump To: 8AC211F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\dmio.sys
Hooked IRP: IRP_MJ_WRITE
Jump To: 8AC211F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\dmio.sys
Hooked IRP: IRP_MJ_FLUSH_BUFFERS
Jump To: 8AC211F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\dmio.sys
Hooked IRP: IRP_MJ_DEVICE_CONTROL
Jump To: 8AC211F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\dmio.sys
Hooked IRP: IRP_MJ_INTERNAL_DEVICE_CONTROL
Jump To: 8AC211F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\dmio.sys
Hooked IRP: IRP_MJ_SHUTDOWN
Jump To: 8AC211F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\dmio.sys
Hooked IRP: IRP_MJ_POWER
Jump To: 8AC211F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\dmio.sys
Hooked IRP: IRP_MJ_SYSTEM_CONTROL
Jump To: 8AC211F8
Hooking Module: _unknown_

Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_CREATE
Jump To: B9EAA000
Hooking Module: spzb.sys

Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_CREATE_NAMED_PIPE
Jump To: B9EAA000
Hooking Module: spzb.sys

Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_CLOSE
Jump To: B9EAA000
Hooking Module: spzb.sys

Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_READ
Jump To: B9EAA000
Hooking Module: spzb.sys

Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_WRITE
Jump To: B9EAA000
Hooking Module: spzb.sys

Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_QUERY_INFORMATION
Jump To: B9EAA000
Hooking Module: spzb.sys

Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_SET_INFORMATION
Jump To: B9EAA000
Hooking Module: spzb.sys

Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_QUERY_EA
Jump To: B9EAA000
Hooking Module: spzb.sys

Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_SET_EA
Jump To: B9EAA000
Hooking Module: spzb.sys

Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_FLUSH_BUFFERS
Jump To: B9EAA000
Hooking Module: spzb.sys

Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_QUERY_VOLUME_INFORMATION
Jump To: B9EAA000
Hooking Module: spzb.sys

Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_SET_VOLUME_INFORMATION
Jump To: B9EAA000
Hooking Module: spzb.sys

Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_DIRECTORY_CONTROL
Jump To: B9EAA000
Hooking Module: spzb.sys

Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_FILE_SYSTEM_CONTROL
Jump To: B9EAA000
Hooking Module: spzb.sys

Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_DEVICE_CONTROL
Jump To: B9EAA000
Hooking Module: spzb.sys

Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_INTERNAL_DEVICE_CONTROL
Jump To: B9EAA000
Hooking Module: spzb.sys

Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_SHUTDOWN
Jump To: B9EAA000
Hooking Module: spzb.sys

Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_LOCK_CONTROL
Jump To: B9EAA000
Hooking Module: spzb.sys

Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_CLEANUP
Jump To: B9EAA000
Hooking Module: spzb.sys

Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_CREATE_MAILSLOT
Jump To: B9EAA000
Hooking Module: spzb.sys

Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_QUERY_SECURITY
Jump To: B9EAA000
Hooking Module: spzb.sys

Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_SET_SECURITY
Jump To: B9EAA000
Hooking Module: spzb.sys

Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_POWER
Jump To: B9EAA000
Hooking Module: spzb.sys

Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_SYSTEM_CONTROL
Jump To: B9EAA000
Hooking Module: spzb.sys

Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_DEVICE_CHANGE
Jump To: B9EAA000
Hooking Module: spzb.sys

Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_QUERY_QUOTA
Jump To: B9EAA000
Hooking Module: spzb.sys

Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_SET_QUOTA
Jump To: B9EAA000
Hooking Module: spzb.sys

Hooked Module: C:\WINDOWS\system32\DRIVERS\usbuhci.sys
Hooked IRP: IRP_MJ_CREATE
Jump To: 8A9DA1F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\usbuhci.sys
Hooked IRP: IRP_MJ_CLOSE
Jump To: 8A9DA1F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\usbuhci.sys
Hooked IRP: IRP_MJ_DEVICE_CONTROL
Jump To: 8A9DA1F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\usbuhci.sys
Hooked IRP: IRP_MJ_INTERNAL_DEVICE_CONTROL
Jump To: 8A9DA1F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\usbuhci.sys
Hooked IRP: IRP_MJ_POWER
Jump To: 8A9DA1F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\usbuhci.sys
Hooked IRP: IRP_MJ_SYSTEM_CONTROL
Jump To: 8A9DA1F8
Hooking Module: _unknown_

Hooked Module: \SystemRoot\System32\Drivers\aebi5vuw.SYS
Hooked IRP: IRP_MJ_CREATE
Jump To: 8A86B1F8
Hooking Module: _unknown_

Hooked Module: \SystemRoot\System32\Drivers\aebi5vuw.SYS
Hooked IRP: IRP_MJ_CLOSE
Jump To: 8A86B1F8
Hooking Module: _unknown_

Hooked Module: \SystemRoot\System32\Drivers\aebi5vuw.SYS
Hooked IRP: IRP_MJ_DEVICE_CONTROL
Jump To: 8A86B1F8
Hooking Module: _unknown_

Hooked Module: \SystemRoot\System32\Drivers\aebi5vuw.SYS
Hooked IRP: IRP_MJ_INTERNAL_DEVICE_CONTROL
Jump To: BA340D60
Hooking Module: C:\WINDOWS\system32\drivers\sfsync02.sys

Hooked Module: \SystemRoot\System32\Drivers\aebi5vuw.SYS
Hooked IRP: IRP_MJ_POWER
Jump To: 8A86B1F8
Hooking Module: _unknown_

Hooked Module: \SystemRoot\System32\Drivers\aebi5vuw.SYS
Hooked IRP: IRP_MJ_SYSTEM_CONTROL
Jump To: 8A86B1F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\ftdisk.sys
Hooked IRP: IRP_MJ_CREATE
Jump To: 8AC931F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\ftdisk.sys
Hooked IRP: IRP_MJ_READ
Jump To: 8AC931F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\ftdisk.sys
Hooked IRP: IRP_MJ_WRITE
Jump To: 8AC931F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\ftdisk.sys
Hooked IRP: IRP_MJ_FLUSH_BUFFERS
Jump To: 8AC931F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\ftdisk.sys
Hooked IRP: IRP_MJ_DEVICE_CONTROL
Jump To: 8AC931F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\ftdisk.sys
Hooked IRP: IRP_MJ_INTERNAL_DEVICE_CONTROL
Jump To: 8AC931F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\ftdisk.sys
Hooked IRP: IRP_MJ_SHUTDOWN
Jump To: 8AC931F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\ftdisk.sys
Hooked IRP: IRP_MJ_CLEANUP
Jump To: 8AC931F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\ftdisk.sys
Hooked IRP: IRP_MJ_POWER
Jump To: 8AC931F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\ftdisk.sys
Hooked IRP: IRP_MJ_SYSTEM_CONTROL
Jump To: 8AC931F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\netbt.sys
Hooked IRP: IRP_MJ_CREATE
Jump To: 8A2E71F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\netbt.sys
Hooked IRP: IRP_MJ_CLOSE
Jump To: 8A2E71F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\netbt.sys
Hooked IRP: IRP_MJ_DEVICE_CONTROL
Jump To: 8A2E71F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\netbt.sys
Hooked IRP: IRP_MJ_INTERNAL_DEVICE_CONTROL
Jump To: 8A2E71F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\netbt.sys
Hooked IRP: IRP_MJ_CLEANUP
Jump To: 8A2E71F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Hooked IRP: IRP_MJ_CREATE
Jump To: 8A5751F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Hooked IRP: IRP_MJ_CLOSE
Jump To: 8A5751F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Hooked IRP: IRP_MJ_READ
Jump To: 8A5751F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Hooked IRP: IRP_MJ_WRITE
Jump To: 8A5751F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Hooked IRP: IRP_MJ_FLUSH_BUFFERS
Jump To: 8A5751F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Hooked IRP: IRP_MJ_DEVICE_CONTROL
Jump To: 8A5751F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Hooked IRP: IRP_MJ_INTERNAL_DEVICE_CONTROL
Jump To: 8A5751F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Hooked IRP: IRP_MJ_SHUTDOWN
Jump To: 8A5751F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Hooked IRP: IRP_MJ_POWER
Jump To: 8A5751F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Hooked IRP: IRP_MJ_SYSTEM_CONTROL
Jump To: 8A5751F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\tcpip.sys
Hooked IRP: IRP_MJ_INTERNAL_DEVICE_CONTROL
Jump To: BA5BA85A
Hooking Module: C:\WINDOWS\System32\Drivers\avgtdi.sys

Hooked Module: \Driver\PCI_PNP9524
Hooked IRP: IRP_MJ_CREATE
Jump To: B9EECAD2
Hooking Module: spzb.sys

Hooked Module: \Driver\PCI_PNP9524
Hooked IRP: IRP_MJ_CREATE_NAMED_PIPE
Jump To: B9EECAD2
Hooking Module: spzb.sys

Hooked Module: \Driver\PCI_PNP9524
Hooked IRP: IRP_MJ_CLOSE
Jump To: B9EECAD2
Hooking Module: spzb.sys

Hooked Module: \Driver\PCI_PNP9524
Hooked IRP: IRP_MJ_READ
Jump To: B9EECAD2
Hooking Module: spzb.sys

Hooked Module: \Driver\PCI_PNP9524
Hooked IRP: IRP_MJ_WRITE
Jump To: B9EECAD2
Hooking Module: spzb.sys

Hooked Module: \Driver\PCI_PNP9524
Hooked IRP: IRP_MJ_QUERY_INFORMATION
Jump To: B9EECAD2
Hooking Module: spzb.sys

Hooked Module: \Driver\PCI_PNP9524
Hooked IRP: IRP_MJ_SET_INFORMATION
Jump To: B9EECAD2
Hooking Module: spzb.sys

Hooked Module: \Driver\PCI_PNP9524
Hooked IRP: IRP_MJ_QUERY_EA
Jump To: B9EECAD2
Hooking Module: spzb.sys

Hooked Module: \Driver\PCI_PNP9524
Hooked IRP: IRP_MJ_SET_EA
Jump To: B9EECAD2
Hooking Module: spzb.sys

Hooked Module: \Driver\PCI_PNP9524
Hooked IRP: IRP_MJ_FLUSH_BUFFERS
Jump To: B9EECAD2
Hooking Module: spzb.sys

Hooked Module: \Driver\PCI_PNP9524
Hooked IRP: IRP_MJ_QUERY_VOLUME_INFORMATION
Jump To: B9EECAD2
Hooking Module: spzb.sys

Hooked Module: \Driver\PCI_PNP9524
Hooked IRP: IRP_MJ_SET_VOLUME_INFORMATION
Jump To: B9EECAD2
Hooking Module: spzb.sys

Hooked Module: \Driver\PCI_PNP9524
Hooked IRP: IRP_MJ_DIRECTORY_CONTROL
Jump To: B9EECAD2
Hooking Module: spzb.sys

Hooked Module: \Driver\PCI_PNP9524
Hooked IRP: IRP_MJ_FILE_SYSTEM_CONTROL
Jump To: B9EECAD2
Hooking Module: spzb.sys

Hooked Module: \Driver\PCI_PNP9524
Hooked IRP: IRP_MJ_DEVICE_CONTROL
Jump To: B9EECAD2
Hooking Module: spzb.sys

Hooked Module: \Driver\PCI_PNP9524
Hooked IRP: IRP_MJ_INTERNAL_DEVICE_CONTROL
Jump To: B9EECAD2
Hooking Module: spzb.sys

Hooked Module: \Driver\PCI_PNP9524
Hooked IRP: IRP_MJ_SHUTDOWN
Jump To: B9EECAD2
Hooking Module: spzb.sys

Hooked Module: \Driver\PCI_PNP9524
Hooked IRP: IRP_MJ_LOCK_CONTROL
Jump To: B9EECAD2
Hooking Module: spzb.sys

Hooked Module: \Driver\PCI_PNP9524
Hooked IRP: IRP_MJ_CLEANUP
Jump To: B9EECAD2
Hooking Module: spzb.sys

Hooked Module: \Driver\PCI_PNP9524
Hooked IRP: IRP_MJ_CREATE_MAILSLOT
Jump To: B9EECAD2
Hooking Module: spzb.sys

Hooked Module: \Driver\PCI_PNP9524
Hooked IRP: IRP_MJ_QUERY_SECURITY
Jump To: B9EECAD2
Hooking Module: spzb.sys

Hooked Module: \Driver\PCI_PNP9524
Hooked IRP: IRP_MJ_SET_SECURITY
Jump To: B9EECAD2
Hooking Module: spzb.sys

Hooked Module: \Driver\PCI_PNP9524
Hooked IRP: IRP_MJ_POWER
Jump To: B9EB3A1A
Hooking Module: spzb.sys

Hooked Module: \Driver\PCI_PNP9524
Hooked IRP: IRP_MJ_SYSTEM_CONTROL
Jump To: B9EC5514
Hooking Module: spzb.sys

Hooked Module: \Driver\PCI_PNP9524
Hooked IRP: IRP_MJ_DEVICE_CHANGE
Jump To: B9EECAD2
Hooking Module: spzb.sys

Hooked Module: \Driver\PCI_PNP9524
Hooked IRP: IRP_MJ_QUERY_QUOTA
Jump To: B9EECAD2
Hooking Module: spzb.sys

Hooked Module: \Driver\PCI_PNP9524
Hooked IRP: IRP_MJ_SET_QUOTA
Jump To: B9EECAD2
Hooking Module: spzb.sys

Hooked Module: C:\WINDOWS\system32\DRIVERS\usbehci.sys
Hooked IRP: IRP_MJ_CREATE
Jump To: 8A9AF500
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\usbehci.sys
Hooked IRP: IRP_MJ_CLOSE
Jump To: 8A9AF500
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\usbehci.sys
Hooked IRP: IRP_MJ_DEVICE_CONTROL
Jump To: 8A9AF500
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\usbehci.sys
Hooked IRP: IRP_MJ_INTERNAL_DEVICE_CONTROL
Jump To: 8A9AF500
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\usbehci.sys
Hooked IRP: IRP_MJ_POWER
Jump To: 8A9AF500
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\usbehci.sys
Hooked IRP: IRP_MJ_SYSTEM_CONTROL
Jump To: 8A9AF500
Hooking Module: _unknown_

********************************************************************************
**********
********************************************************************************
**********
Ports:
Local Address: VALHALLA:1142
Remote Address: 59-125-231-245.HINET-IP.HINET.NET:HTTP
Type: TCP
Process: C:\WINDOWS\system32\svchost.exe
State: SYN_SENT

Local Address: VALHALLA:1140
Remote Address: YO-IN-F106.1E100.NET:HTTPS
Type: TCP
Process: C:\Applications\Google\Gmail Notifier\gnotify.exe
State: ESTABLISHED

Local Address: VALHALLA:1138
Remote Address: YO-IN-F165.1E100.NET:HTTP
Type: TCP
Process: C:\Applications\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: VALHALLA:1137
Remote Address: YO-IN-F165.1E100.NET:HTTP
Type: TCP
Process: C:\Applications\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: VALHALLA:1136
Remote Address: YO-IN-F165.1E100.NET:HTTP
Type: TCP
Process: C:\Applications\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: VALHALLA:1135
Remote Address: YO-IN-F165.1E100.NET:HTTP
Type: TCP
Process: C:\Applications\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: VALHALLA:1134
Remote Address: YO-IN-F165.1E100.NET:HTTP
Type: TCP
Process: C:\Applications\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: VALHALLA:1132
Remote Address: YO-IN-F165.1E100.NET:HTTP
Type: TCP
Process: C:\Applications\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: VALHALLA:1125
Remote Address: PW-IN-F101.1E100.NET:HTTP
Type: TCP
Process: C:\Applications\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: VALHALLA:1124
Remote Address: QY-IN-F104.1E100.NET:HTTP
Type: TCP
Process: C:\Applications\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: VALHALLA:1123
Remote Address: QY-IN-F104.1E100.NET:HTTP
Type: TCP
Process: C:\Applications\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: VALHALLA:1122
Remote Address: VW-IN-F101.1E100.NET:HTTP
Type: TCP
Process: C:\Applications\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: VALHALLA:1121
Remote Address: VW-IN-F101.1E100.NET:HTTP
Type: TCP
Process: C:\Applications\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: VALHALLA:1118
Remote Address: YO-IN-F147.1E100.NET:HTTP
Type: TCP
Process: C:\WINDOWS\explorer.exe
State: ESTABLISHED

Local Address: VALHALLA:1117
Remote Address: GW-IN-F100.1E100.NET:HTTP
Type: TCP
Process: C:\WINDOWS\explorer.exe
State: ESTABLISHED

Local Address: VALHALLA:1108
Remote Address: VW-IN-F113.1E100.NET:HTTP
Type: TCP
Process: C:\Applications\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: VALHALLA:1093
Remote Address: 209-18-42-10.DCA20.TBONE.RR.COM:HTTP
Type: TCP
Process: C:\Applications\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: VALHALLA:1072
Remote Address: 208.43.202.4-STATIC.REVERSE.SOFTLAYER.COM:HTTP
Type: TCP
Process: C:\Documents and Settings\Administrator\Application Data\Dropbox\bin\Dropbox.exe
State: ESTABLISHED

Local Address: VALHALLA:1071
Remote Address: 174.36.30.66-STATIC.REVERSE.SOFTLAYER.COM:HTTPS
Type: TCP
Process: C:\Documents and Settings\Administrator\Application Data\Dropbox\bin\Dropbox.exe
State: CLOSE_WAIT

Local Address: VALHALLA:1070
Remote Address: 174.36.30.67-STATIC.REVERSE.SOFTLAYER.COM:HTTPS
Type: TCP
Process: C:\Documents and Settings\Administrator\Application Data\Dropbox\bin\Dropbox.exe
State: CLOSE_WAIT

Local Address: VALHALLA:NETBIOS-SSN
Remote Address: 0.0.0.0:0
Type: TCP
Process: System
State: LISTENING

Local Address: VALHALLA:10110
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
State: LISTENING

Local Address: VALHALLA:8001
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Documents and Settings\Administrator\Local Settings\Application Data\Autobahn\mlb-nexdef-autobahn.exe
State: LISTENING

Local Address: VALHALLA:5152
Remote Address: LOCALHOST:1080
Type: TCP
Process: C:\Program Files\Java\jre6\bin\jqs.exe
State: CLOSE_WAIT

Local Address: VALHALLA:5152
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\Java\jre6\bin\jqs.exe
State: LISTENING

Local Address: VALHALLA:1085
Remote Address: LOCALHOST:1084
Type: TCP
Process: C:\Applications\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: VALHALLA:1084
Remote Address: LOCALHOST:1085
Type: TCP
Process: C:\Applications\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: VALHALLA:1079
Remote Address: LOCALHOST:1078
Type: TCP
Process: C:\Applications\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: VALHALLA:1078
Remote Address: LOCALHOST:1079
Type: TCP
Process: C:\Applications\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: VALHALLA:1025
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\WINDOWS\system32\alg.exe
State: LISTENING

Local Address: VALHALLA:2869
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\WINDOWS\system32\svchost.exe
State: LISTENING

Local Address: VALHALLA:MICROSOFT-DS
Remote Address: 0.0.0.0:0
Type: TCP
Process: System
State: LISTENING

Local Address: VALHALLA:EPMAP
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\WINDOWS\system32\svchost.exe
State: LISTENING

Local Address: VALHALLA:1900
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA

Local Address: VALHALLA:138
Remote Address: NA
Type: UDP
Process: System
State: NA

Local Address: VALHALLA:NETBIOS-NS
Remote Address: NA
Type: UDP
Process: System
State: NA

Local Address: VALHALLA:123
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA

Local Address: VALHALLA:44301
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\PnkBstrA.exe
State: NA

Local Address: VALHALLA:1900
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA

Local Address: VALHALLA:1141
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA

Local Address: VALHALLA:1030
Remote Address: NA
Type: UDP
Process: C:\Applications\Google\Gmail Notifier\gnotify.exe
State: NA

Local Address: VALHALLA:123
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA

Local Address: VALHALLA:4500
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\lsass.exe
State: NA

Local Address: VALHALLA:1900
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\ZuneBusEnum.exe
State: NA

Local Address: VALHALLA:1110
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA

Local Address: VALHALLA:1032
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA

Local Address: VALHALLA:1031
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA

Local Address: VALHALLA:500
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\lsass.exe
State: NA

Local Address: VALHALLA:MICROSOFT-DS
Remote Address: NA
Type: UDP
Process: System
State: NA

********************************************************************************
**********
********************************************************************************
**********
Hidden files/folders:
Object: C:\Documents and Settings\Administrator\Application Data\SecuROM\UserData\???????????p?????????
Status: Hidden

Object: C:\Documents and Settings\Administrator\Application Data\SecuROM\UserData\???????????p?????????
Status: Hidden

Object: C:\Documents and Settings\Administrator\My Documents\My Spore Creations\Creatures\Kubus.png
Status: Hidden

Object: C:\Documents and Settings\Administrator\My Documents\My Spore Creations\Creatures\Ptakoješter.png
Status: Hidden

Object: C:\Documents and Settings\Administrator\My Documents\My Spore Creations\Creatures\RepülO.png
Status: Hidden

Object: C:\Documents and Settings\Administrator\My Documents\My Spore Creations\Creatures\Szpatulkonos.png
Status: Hidden

Object: C:\Documents and Settings\Administrator\My Documents\My Spore Creations\Creatures\Waz.png
Status: Hidden

Object: C:\Documents and Settings\Administrator\My Documents\My Spore Creations\Creatures\Zabkin.png
Status: Hidden

Object: C:\Documents and Settings\Administrator\My Documents\My Spore Creations\Creatures\Zyrafik (1).png
Status: Hidden

Object: C:\Documents and Settings\Administrator\My Documents\My Spore Creations\Creatures\Zyrafik.png
Status: Hidden

Object: C:\Documents and Settings\Administrator\My Documents\My Spore Creations\UFOs\karetatwaz.png
Status: Hidden

Object: C:\Documents and Settings\Administrator\My Documents\My Spore Creations\UFOs\Lovec osudu.png
Status: Hidden

Object: C:\Documents and Settings\Administrator\My Documents\My Spore Creations\UFOs\Mu001.png
Status: Hidden

Object: C:\Documents and Settings\Administrator\My Documents\My Spore Creations\UFOs\PlanetoNic.png
Status: Hidden

Object: C:\Documents and Settings\Administrator\My Documents\My Spore Creations\UFOs\sminionowniec.png
Status: Hidden

Object: C:\Documents and Settings\Administrator\My Documents\My Spore Creations\UFOs\urhajó.png
Status: Hidden

Object: C:\Documents and Settings\Administrator\My Documents\My Spore Creations\UFOs\??ss??a?.png
Status: Hidden

Object: C:\Documents and Settings\Administrator\My Documents\My Spore Creations\UFOs\??d??sa.png
Status: Hidden

Object: C:\Documents and Settings\Administrator\My Documents\My Spore Creations\UFOs\( ;´?`)???ˇˇˇ.png
Status: Hidden

chamber
Delete the copy of ComboFix that you have.

Download ComboFix from one of these locations:

Link 1
Link 2

Run ComboFix using these instructions:

Click the Windows 'Start' button > Select 'Run' - then copy/paste the following bolded text into the run box & click OK.

"%userprofile%\desktop\combofix.exe" /killall

When finished, it shall produce a log for you. Post that log in your next reply.
MidKnight
I get the same errors from ComboFix as before about not being able to find hidec.exe, etc. Now it can't find ieexplorer.exe as well.
chamber
This thing is starting to get my goat!

  • Download random's system information tool (RSIT) by random/random from here.
  • It is important that it is saved to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized).
MidKnight
Tell me about it! I consider myself a pretty tech-savvy person, and I've spent a good deal of time cleaning malware off of other people's machines, but whatever this is is ridiculous. The pop-ups have ceased (through what fix, I don't know), and the only symptom remaining is that some sort of hidden process is increasing my page file slowly over time. After about two hours, the memory leak causes my computer to pretty much lock up. Unfortunately, this also means it has difficulty shutting down/rebooting, as it doesn't seem to be able to kill whatever is causing this. It hangs at the shutting down screen for ages.

And to further compound the problem...RSIT just errored out upon running. AutoIt Error: Line -1: Error: Variable used without being declared.

It's at the point now where at least my computer is usable for a limited time frame, to the point where I can back things up to another hard drive once I can afford one. If we're running out of fixes, don't worry about it; you've spent such a long time on this as is!
Invision Power Board © 2001-2009 Invision Power Services, Inc.