jmdoane42

Google Results Hijacked (Resolved)


I have been fighting this for a week now. The Google results for all my web browsers have been hijacked and redirect to random webpages. But even more worrisome is the apparent rootkit activity that appears to be infecting my system with numerous viruses. I have run both SUPERAntiSpyware (found some viruses) and Malwarebytes (found many more viruses). I am continuing to run MBAM every night and so far it is coming up clean. I have also run ComboFix several times as well as TDSSKiller. TDSSKiller never detects anything; however, ComboFix always says that "winlogon.exe" and "explorer.exe" have been infected. It restores them from the backup; however, upon doing a fresh run of ComboFix it again says that those files have been infected. Throughout all of this the Google results hijack remains. Please help!

This can get right dirty to repair.

 

Did you see something like the below example?

------- Sigcheck -------

 

[-] 2008-04-14 . DBC2AD0271AF0185DEBACF77B7AE33D0 . 507904 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe

 

[-] 2008-04-14 . 0E7BAEF2047AA9CF2F0D21B243E1B0D8 . 1033728 . . [6.00.2900.5512] . . c:\windows\explorer.exe

 

From what you explain, and without being able to see any CF logs, you will probably need to replace winlogon.exe and explorer.exe. And this is just a guess from what I'm piecing together.

 

Do you have access to your XP installation disk?

 

It's also probably your best bet to start a new topic here in our HJT forum.

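The Sigcheck lines quoted above are what the helper is reading to decide which system binaries need replacing: one line per copy of the file found on disk, with a marker, timestamp, MD5, size, PE version string and path. As an added illustration (my code, not from the thread, from ComboFix's authors or from Malwarebytes), the Python below parses a Sigcheck block copied from the log posted later in this thread and reports, for each binary, whether a copy of the same build exists that ComboFix did not flag with `[-]`, and whether the in-use copy's hash disagrees with such a copy. Two assumptions are mine: that `[-]` is the "could not verify" marker and anything else (the `[7]` entries here) is trusted, and that the copy actually executed is the one under C:\WINDOWS or C:\WINDOWS\system32.

```python
"""Triage a ComboFix 'Sigcheck' block: for each protected system binary, is there a
copy of the same build that ComboFix did not flag, i.e. a source to restore from?"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: the Sigcheck lines from the ComboFix log posted in this thread.
SIGCHECK_SAMPLE = r"""
------- Sigcheck -------

[-] 2008-04-14 00:12:39 . ED0EF0A136DEC83DF69F04118870003E . 507904 . . [5.1.2600.5512 (xpsp.080413-2113)] . . C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\winlogon.exe
[-] 2004-08-04 04:00:00 . B9C7CEF5B9303E38D53C32503BEAA51C . 502272 . . [5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)] . . C:\WINDOWS\system32\winlogon.exe

[-] 2008-04-14 00:12:19 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512 (xpsp.080413-2105)] . . C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\explorer.exe
[-] 2007-06-13 11:26:03 . 4F5B2DD41273073A79FD30BAEDE1A06D . 1033216 . . [6.00.2900.3156 (xpsp_sp2_qfe.070613-1311)] . . C:\WINDOWS\explorer.exe
[7] 2007-06-13 11:26:03 . 7712DF0CDDE3A5AC89843E61CD5B3658 . 1033216 . . [6.00.2900.3156 (xpsp_sp2_qfe.070613-1311)] . . C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe
[7] 2004-08-04 04:00:00 . A0732187050030AE399B241436565E64 . 1032192 . . [6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)] . . C:\WINDOWS\$NtUninstallKB938828$\explorer.exe
"""

# Assumption of this example: the copy actually executed lives in one of these
# directories; everything else (hotfix caches, update downloads) is a spare.
LIVE_DIRS = {r"c:\windows", r"c:\windows\system32"}

SIGCHECK_RE = re.compile(
    r"^\[(?P<flag>[^\]]+)\]\s+"                                 # marker, e.g. [-] or [7]
    r"(?P<stamp>\d{4}-\d\d-\d\d(?: \d\d:\d\d:\d\d)?)\s+\.\s+"   # timestamp, time part optional
    r"(?P<md5>[0-9A-Fa-f]{32})\s+\.\s+"                         # MD5 of the file
    r"(?P<size>\d+)\s+\.\s+\.\s+"                               # size in bytes
    r"\[(?P<version>[^\]]*)\]\s+\.\s+\.\s+"                     # PE version string
    r"(?P<path>\S.*?)\s*$"                                      # full path
)


@dataclass
class SigEntry:
    flag: str
    stamp: str
    md5: str
    size: int
    version: str
    path: str

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1].lower()

    @property
    def directory(self) -> str:
        return self.path.rsplit("\\", 1)[0].lower()

    @property
    def build(self) -> str:
        # "6.00.2900.3156 (xpsp_sp2_qfe.070613-1311)" -> "6.00.2900.3156"
        return self.version.split()[0] if self.version else ""

    @property
    def verified(self) -> bool:
        # Assumption: '[-]' is ComboFix's 'could not verify' marker; anything else passed.
        return self.flag != "-"


def parse_sigcheck(text: str) -> List[SigEntry]:
    entries = []
    for line in text.splitlines():
        m = SIGCHECK_RE.match(line.strip())
        if m:
            entries.append(SigEntry(m["flag"], m["stamp"], m["md5"].upper(),
                                    int(m["size"]), m["version"], m["path"]))
    return entries


def assess(entries: List[SigEntry]) -> Dict[str, dict]:
    """Per binary: the live copy, same-build copies ComboFix trusts, and whether the
    live copy's hash disagrees with such a copy (the same build should hash identically)."""
    by_name: Dict[str, List[SigEntry]] = {}
    for e in entries:
        by_name.setdefault(e.name, []).append(e)
    report: Dict[str, dict] = {}
    for name, group in by_name.items():
        live = next((e for e in group if e.directory in LIVE_DIRS), None)
        if live is None:
            continue
        same_build = [e for e in group if e is not live and e.verified and e.build == live.build]
        other_builds = [e for e in group if e.verified and e.build != live.build]
        report[name] = {
            "live_path": live.path,
            "live_build": live.build,
            "live_verified": live.verified,
            "clean_copies": [e.path for e in same_build],
            "other_builds": [e.path for e in other_builds],
            "hash_mismatch_vs_clean": any(e.md5 != live.md5 for e in same_build),
            "verdict": ("restore from " + same_build[0].path) if same_build
                       else "no trusted copy of this build on disk; needs installation media",
        }
    return report


if __name__ == "__main__":
    for name, info in assess(parse_sigcheck(SIGCHECK_SAMPLE)).items():
        print(f"{name}: build {info['live_build']}, verified={info['live_verified']}, {info['verdict']}")
```

Run against the posted log this reproduces the helper's later finding: explorer.exe has a trusted same-build copy under $hf_mig$\KB938828\SP2QFE whose hash differs from the live file, while winlogon.exe has no trusted copy of its build anywhere on disk, which is why the thread turns to the question of installation media.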

I don't have the XP disk. The computer is fairly old and I've lost most of the disks it came with. I promise though that this is not a pirated copy of Windows. From what I can tell, Combofix is replacing those files from some sort of backup, but they immediately get reinfected. Or am I interpreting this wrong? Anyway, here is the last CF log:

 

 

 

 

ComboFix 10-10-14.04 - HP_Owner 10/17/2010 6:00:48.5.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1023.608 [GMT -5:00]

Running from: C:\downloads\ComboFix.exe

.

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

C:\WINDOWS\system32\winlogon.exe . . . is infected!!

 

Infected copy of C:\WINDOWS\explorer.exe was found and disinfected

Restored copy from - C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe

 

.

((((((((((((((((((((((((( Files Created from 2010-09-17 to 2010-10-17 )))))))))))))))))))))))))))))))

.

 

2010-10-17 09:26:34 . 2010-10-17 09:26:34 -------- d-----w- C:\Documents and Settings\HP_Owner\Application Data\Malwarebytes

2010-10-17 09:26:28 . 2010-04-29 20:39:38 38224 ----a-w- C:\WINDOWS\system32\drivers\mbamswissarmy.sys

2010-10-17 09:26:27 . 2010-10-17 09:26:31 -------- d-----w- C:\Program Files\Malwarebytes' Anti-Malware

2010-10-17 09:26:27 . 2010-10-17 09:26:27 -------- d-----w- C:\Documents and Settings\All Users\Application Data\Malwarebytes

2010-10-17 09:26:27 . 2010-04-29 20:39:26 20952 ----a-w- C:\WINDOWS\system32\drivers\mbam.sys

2010-10-15 13:29:35 . 2010-10-15 13:29:38 -------- d-----w- C:\Documents and Settings\Administrator.BEEBO

2010-10-15 12:04:39 . 2010-10-15 12:04:56 -------- d-----w- C:\WINDOWS\ERUNT

2010-10-15 11:59:51 . 2010-10-15 12:42:04 -------- d-----w- C:\SDFix

2010-10-15 11:05:23 . 2010-10-15 11:05:43 -------- d-----w- C:\Documents and Settings\HP_Owner\backup

2010-10-15 10:29:45 . 2010-10-15 10:29:45 -------- d-----w- C:\Documents and Settings\Guest\Local Settings\Application Data\LightScribe

2010-10-15 09:58:55 . 2010-10-15 09:58:55 0 ----a-w- C:\WINDOWS\Rjuzeziw.bin

2010-10-14 23:00:51 . 2010-10-15 00:12:20 -------- d-----w- C:\Documents and Settings\All Users\Application Data\Update

2010-10-14 23:00:28 . 2010-10-14 23:01:39 0 ----a-w- C:\WINDOWS\system32\drivers\aszvkk.sys

2010-10-14 10:37:44 . 2004-08-04 04:00:00 25088 ----a-w- C:\WINDOWS\system32\shfolder.dll

2010-09-27 03:53:33 . 2009-05-18 18:17:00 26600 ----a-w- C:\WINDOWS\system32\drivers\GEARAspiWDM.sys

2010-09-27 03:53:33 . 2008-04-17 17:12:54 107368 ----a-w- C:\WINDOWS\system32\GEARAspi.dll

2010-09-27 03:52:34 . 2010-09-27 03:52:34 -------- d-----w- C:\Program Files\iPod

2010-09-27 03:52:25 . 2010-09-27 03:53:29 -------- d-----w- C:\Program Files\iTunes

2010-09-27 03:52:25 . 2010-09-27 03:53:29 -------- d-----w- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}

2010-09-27 03:49:19 . 2010-09-27 03:49:19 159744 ----a-w- C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll

2010-09-27 03:49:19 . 2010-09-27 03:49:18 159744 ----a-w- C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll

2010-09-27 03:49:19 . 2010-09-27 03:49:18 159744 ----a-w- C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll

2010-09-27 03:46:53 . 2010-09-27 03:46:54 -------- d-----w- C:\Program Files\Apple Software Update

2010-09-27 03:46:26 . 2010-04-20 01:47:44 3062048 ----a-w- C:\WINDOWS\system32\usbaaplrc.dll

2010-09-27 03:46:26 . 2010-04-20 01:47:42 41984 ----a-w- C:\WINDOWS\system32\drivers\usbaapl.sys

2010-09-27 03:45:46 . 2010-09-27 03:45:49 -------- d-----w- C:\Program Files\Bonjour

2010-09-24 11:10:03 . 2010-02-04 15:01:14 74072 ----a-w- C:\WINDOWS\system32\XAPOFX1_4.dll

2010-09-24 11:10:03 . 2010-02-04 15:01:14 528216 ----a-w- C:\WINDOWS\system32\XAudio2_6.dll

2010-09-24 11:10:02 . 2010-02-04 15:01:14 238936 ----a-w- C:\WINDOWS\system32\xactengine3_6.dll

2010-09-24 11:10:01 . 2010-02-04 15:01:14 22360 ----a-w- C:\WINDOWS\system32\X3DAudio1_7.dll

2010-09-19 23:23:58 . 2010-10-15 18:55:56 -------- d-----w- C:\Program Files\PeerBlock

2010-09-19 06:09:27 . 2010-09-19 06:09:27 -------- d-----w- C:\Documents and Settings\HP_Owner\Local Settings\Application Data\The Lord of the Rings Online

2010-09-19 01:09:54 . 2010-10-15 10:39:38 -------- d-----w- C:\Program Files\Pando Networks

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

 

------- Sigcheck -------

 

[-] 2008-04-14 00:12:39 . ED0EF0A136DEC83DF69F04118870003E . 507904 . . [5.1.2600.5512 (xpsp.080413-2113)] . . C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\winlogon.exe

[-] 2004-08-04 04:00:00 . B9C7CEF5B9303E38D53C32503BEAA51C . 502272 . . [5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)] . . C:\WINDOWS\system32\winlogon.exe

 

[-] 2008-04-14 00:12:19 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512 (xpsp.080413-2105)] . . C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\explorer.exe

[-] 2007-06-13 11:26:03 . 4F5B2DD41273073A79FD30BAEDE1A06D . 1033216 . . [6.00.2900.3156 (xpsp_sp2_qfe.070613-1311)] . . C:\WINDOWS\explorer.exe

[7] 2007-06-13 11:26:03 . 7712DF0CDDE3A5AC89843E61CD5B3658 . 1033216 . . [6.00.2900.3156 (xpsp_sp2_qfe.070613-1311)] . . C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe

[7] 2004-08-04 04:00:00 . A0732187050030AE399B241436565E64 . 1032192 . . [6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)] . . C:\WINDOWS\$NtUninstallKB938828$\explorer.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [bU]

"Mwaqiresoxiwuv"="C:\WINDOWS\dinepnv2.dll" [bU]

"Octoshape Streaming Services"="C:\Program Files\Octoshape Streaming Services\HP_Owner\OctoshapeClient.exe" [bU]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:00:00 15360]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"DNS7reminder"="C:\Program Files\Nuance\NaturallySpeaking10\Ereg\Ereg.exe" [bU]

"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [bU]

"SunJavaUpdateSched"="C:\Program Files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 16:43:18 248040]

"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [bU]

"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [bU]

"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [bU]

"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 12:00:48 33648]

"Adobe ARM"="C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 17:08:30 935288]

"SoundMan"="SOUNDMAN.EXE" [2007-04-16 20:28:22 577536]

"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 13:47:52 57344]

"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-02-11 04:32:54 61440]

"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2009-09-28 00:19:46 86016]

"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2009-09-28 00:19:46 13918208]

"nwiz"="C:\Program Files\NVIDIA Corporation\nView\nwiz.exe" [bU]

"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-12-15 16:18:50 49152]

"AutoTBar"="c:\Program Files\HP\Digital Imaging\bin\AUTOTBAR.EXE" [bU]

"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 04:00:00 455168]

"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 04:00:00 455168]

"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 04:00:00 59392]

"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 04:00:00 208952]

"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2004-04-14 13:43:46 233472]

"HPHUPD06"="c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" [2004-06-07 11:53:26 49152]

"AGRSMMSG"="AGRSMMSG.exe" [2005-03-04 16:01:56 88209]

"HPHmon06"="C:\WINDOWS\system32\hphmon06.exe" [2004-06-07 11:42:30 659456]

"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-14 14:54:32 253952]

"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2010-09-08 16:17:42 421888]

"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 09:04:38 52736]

"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2010-09-24 07:10:52 421160]

"UniUploader"="C:\Program Files\UniUploader\UniUploader.exe" [bU]

"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 09:08:38 35696]

"Idoziyuhaxovabuy"="C:\WINDOWS\ekekalegetekola.dll" [bU]

 

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 15:13:36 77824]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2009-09-03 20:21:42 548352 ----a-w- C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

avgrsstx.dll [bU]

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

@="Service"

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"C:\\Program Files\\eMule\\emule.exe"=

"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=

"C:\\Program Files\\Java\\j2re1.4.2_03\\bin\\javaw.exe"=

"C:\\WINDOWS\\system32\\dpnsvr.exe"=

"C:\\Program Files\\VentSrv\\ventrilo_srv.exe"=

"C:\\Program Files\\Warcraft III\\Warcraft III.exe"=

"C:\\WINDOWS\\system32\\mmc.exe"=

"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=

"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=

"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=

"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=

"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=

"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=

"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=

"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=

"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=

"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=

"C:\\Program Files\\Turbine\\The Lord of the Rings Online\\lotroclient.exe"=

"C:\\WINDOWS\\system32\\dpvsetup.exe"=

"C:\\WINDOWS\\system32\\java.exe"=

"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=

"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"C:\\WINDOWS\\system32\\fxsclnt.exe"=

"C:\\Program Files\\Tortun\\gui.exe"=

"C:\\Program Files\\Ventrilo\\Ventrilo.exe"=

"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"C:\\Program Files\\iTunes\\iTunes.exe"=

"C:\\Program Files\\Vuze\\Azureus.exe"=

"C:\\Program Files\\Java\\jre6\\bin\\java.exe"=

 

R1 SASDIFSV;SASDIFSV;C:\Program Files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25:50 AM 12872]

R1 SASKUTIL;SASKUTIL;C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS [4/27/2010 5:30:10 PM 67656]

S2 EZWINIT;EZWINIT;C:\WINDOWS\system32\drivers\ezwinit.sys [7/13/2005 12:12:58 PM 14494]

S2 EZWINIT2;EZWINIT2;C:\WINDOWS\system32\drivers\ezwinit2.sys [8/15/2005 9:19:10 PM 14720]

S2 EZWRITE2;EZWRITE2;C:\WINDOWS\system32\drivers\ezwrite2.sys [8/15/2005 9:19:10 PM 16680]

S2 EZWRITER;EZWRITER;C:\WINDOWS\system32\drivers\ezwriter.sys [7/13/2005 12:12:58 PM 16680]

S3 DrvAgent32;DrvAgent32;C:\WINDOWS\system32\drivers\DrvAgent32.sys [5/10/2010 4:34:31 AM 23456]

S3 EverestDriver;Lavalys EVEREST Kernel Driver;\??\C:\Program Files\Lavalys\EVEREST Ultimate Edition\kerneld.wnt --> C:\Program Files\Lavalys\EVEREST Ultimate Edition\kerneld.wnt [?]

S4 sptd;sptd;C:\WINDOWS\system32\drivers\sptd.sys [3/11/2006 10:02:44 PM 642560]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.comcast.net/

uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=pavilion&pf=desktop

mStart Page = hxxp://www.comcast.net/

mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=pavilion&pf=desktop

mWindow Title = Windows Internet Explorer provided by Comcast

uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=pavilion&pf=desktop

uInternet Settings,ProxyOverride = *.local

uSearchURL,(Default) = hxxp://www.google.com/keyword/%s

IE: E&xport to Microsoft Excel - C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000

Trusted Zone: aol.com\free

DPF: {040F4385-8DAD-4306-94BF-B8291D841FAE} - hxxp://www.nintendowifi.com/troubleshooting/usbaptest.cab

FF - ProfilePath - C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\xl77vwge.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.comcast.net/

FF - plugin: C:\Program Files\Java\jre6\bin\new_plugin\npdeployJava1.dll

 

---- FIREFOX POLICIES ----

C:\Program Files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);

C:\Program Files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);

.

 

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\EverestDriver]

"ImagePath"="\??\C:\Program Files\Lavalys\EVEREST Ultimate Edition\kerneld.wnt"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

 

[HKEY_USERS\S-1-5-21-823039715-3564483165-4056858657-1009\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\’e*’B*’ ’N*’9 ’x*’9 ]

"Order"=hex:08,00,00,00,02,00,00,00,9e,00,00,00,01,00,00,00,01,00,00,00,92,00,

00,00,00,00,00,00,84,00,00,00,41,75,67,4d,02,00,00,00,01,00,00,00,72,00,31,\

 

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@C:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"

 

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="C:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"

 

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

 

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

 

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

 

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

 

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}]

@DACL=(02 0000)

@="Microsoft Disk Quota"

"NoMachinePolicy"=dword:00000000

"NoUserPolicy"=dword:00000001

"NoSlowLink"=dword:00000001

"NoBackgroundPolicy"=dword:00000001

"NoGPOListChanges"=dword:00000001

"PerUserLocalSettings"=dword:00000000

"RequiresSuccessfulRegistry"=dword:00000001

"EnableAsynchronousProcessing"=dword:00000000

"DllName"=expand:"dskquota.dll"

"ProcessGroupPolicy"="ProcessGroupPolicy"

 

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{4CFB60C1-FAA6-47f1-89AA-0B18730C9FD3}]

@DACL=(02 0000)

@="Internet Explorer Zonemapping"

"DllName"=expand:"iedkcs32.dll"

"ProcessGroupPolicy"="ProcessGroupPolicyForZoneMap"

"NoGPOListChanges"=dword:00000001

"RequiresSucessfulRegistry"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}]

@DACL=(02 0000)

"ProcessGroupPolicy"="SceProcessSecurityPolicyGPO"

"GenerateGroupPolicy"="SceGenerateGroupPolicy"

"ExtensionRsopPlanningDebugLevel"=dword:00000001

"ProcessGroupPolicyEx"="SceProcessSecurityPolicyGPOEx"

"ExtensionDebugLevel"=dword:00000001

"DllName"=expand:"scecli.dll"

@="Security"

"NoUserPolicy"=dword:00000001

"NoGPOListChanges"=dword:00000001

"EnableAsynchronousProcessing"=dword:00000001

"MaxNoGPOListChangesInterval"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}]

@DACL=(02 0000)

"ProcessGroupPolicyEx"="ProcessGroupPolicyEx"

"GenerateGroupPolicy"="GenerateGroupPolicy"

"ProcessGroupPolicy"="ProcessGroupPolicy"

"DllName"=expand:"iedkcs32.dll"

@="Internet Explorer Branding"

"NoSlowLink"=dword:00000001

"NoBackgroundPolicy"=dword:00000000

"NoGPOListChanges"=dword:00000001

"NoMachinePolicy"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}]

@DACL=(02 0000)

"ProcessGroupPolicy"="SceProcessEFSRecoveryGPO"

"DllName"=expand:"scecli.dll"

@="EFS recovery"

"NoUserPolicy"=dword:00000001

"NoGPOListChanges"=dword:00000001

"RequiresSuccessfulRegistry"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{C631DF4C-088F-4156-B058-4375F0853CD8}]

@DACL=(02 0000)

@="Microsoft Offline Files"

"DllName"=expand:"%SystemRoot%\\System32\\cscui.dll"

"EnableAsynchronousProcessing"=dword:00000000

"NoBackgroundPolicy"=dword:00000000

"NoGPOListChanges"=dword:00000000

"NoMachinePolicy"=dword:00000000

"NoSlowLink"=dword:00000000

"NoUserPolicy"=dword:00000001

"PerUserLocalSettings"=dword:00000000

"ProcessGroupPolicy"="ProcessGroupPolicy"

"RequiresSuccessfulRegistry"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{c6dc5466-785a-11d2-84d0-00c04fb169f7}]

@DACL=(02 0000)

@="Software Installation"

"DllName"=expand:"appmgmts.dll"

"ProcessGroupPolicyEx"="ProcessGroupPolicyObjectsEx"

"GenerateGroupPolicy"="GenerateGroupPolicy"

"NoBackgroundPolicy"=dword:00000000

"RequiresSucessfulRegistry"=dword:00000000

"NoSlowLink"=dword:00000001

"PerUserLocalSettings"=dword:00000001

"EventSources"=multi:"(Application Management,Application)\00(MsiInstaller,Application)\00\00"

 

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]

@DACL=(02 0000)

"DLLName"="Ati2evxx.dll"

"Asynchronous"=dword:00000000

"Impersonate"=dword:00000001

"Lock"="AtiLockEvent"

"Logoff"="AtiLogoffEvent"

"Logon"="AtiLogonEvent"

"Disconnect"="AtiDisConnectEvent"

"Reconnect"="AtiReConnectEvent"

"Safe"=dword:00000000

"Shutdown"="AtiShutdownEvent"

"StartScreenSaver"="AtiStartScreenSaverEvent"

"StartShell"="AtiStartShellEvent"

"Startup"="AtiStartupEvent"

"StopScreenSaver"="AtiStopScreenSaverEvent"

"Unlock"="AtiUnLockEvent"

 

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]

@DACL=(02 0000)

"Asynchronous"=dword:00000000

"Impersonate"=dword:00000000

"DllName"=expand:"crypt32.dll"

"Logoff"="ChainWlxLogoffEvent"

 

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]

@DACL=(02 0000)

"Asynchronous"=dword:00000000

"Impersonate"=dword:00000000

"DllName"=expand:"cryptnet.dll"

"Logoff"="CryptnetWlxLogoffEvent"

 

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]

@DACL=(02 0000)

"DLLName"="cscdll.dll"

"Logon"="WinlogonLogonEvent"

"Logoff"="WinlogonLogoffEvent"

"ScreenSaver"="WinlogonScreenSaverEvent"

"Startup"="WinlogonStartupEvent"

"Shutdown"="WinlogonShutdownEvent"

"StartShell"="WinlogonStartShellEvent"

"Impersonate"=dword:00000000

"Asynchronous"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]

@DACL=(02 0000)

"DLLName"="wlnotify.dll"

"Logon"="SCardStartCertProp"

"Logoff"="SCardStopCertProp"

"Lock"="SCardSuspendCertProp"

"Unlock"="SCardResumeCertProp"

"Enabled"=dword:00000001

"Impersonate"=dword:00000001

"Asynchronous"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]

@DACL=(02 0000)

"Asynchronous"=dword:00000000

"DllName"=expand:"wlnotify.dll"

"Impersonate"=dword:00000000

"StartShell"="SchedStartShell"

"Logoff"="SchedEventLogOff"

 

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]

@DACL=(02 0000)

"Logoff"="WLEventLogoff"

"Impersonate"=dword:00000000

"Asynchronous"=dword:00000001

"DllName"=expand:"sclgntfy.dll"

 

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]

@DACL=(02 0000)

"DLLName"="WlNotify.dll"

"Lock"="SensLockEvent"

"Logon"="SensLogonEvent"

"Logoff"="SensLogoffEvent"

"Safe"=dword:00000001

"MaxWait"=dword:00000258

"StartScreenSaver"="SensStartScreenSaverEvent"

"StopScreenSaver"="SensStopScreenSaverEvent"

"Startup"="SensStartupEvent"

"Shutdown"="SensShutdownEvent"

"StartShell"="SensStartShellEvent"

"PostShell"="SensPostShellEvent"

"Disconnect"="SensDisconnectEvent"

"Reconnect"="SensReconnectEvent"

"Unlock"="SensUnlockEvent"

"Impersonate"=dword:00000001

"Asynchronous"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]

@DACL=(02 0000)

"Asynchronous"=dword:00000000

"DllName"=expand:"wlnotify.dll"

"Impersonate"=dword:00000000

"Logoff"="TSEventLogoff"

"Logon"="TSEventLogon"

"PostShell"="TSEventPostShell"

"Shutdown"="TSEventShutdown"

"StartShell"="TSEventStartShell"

"Startup"="TSEventStartup"

"MaxWait"=dword:00000258

"Reconnect"="TSEventReconnect"

"Disconnect"="TSEventDisconnect"

 

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]

@DACL=(02 0000)

"DLLName"="wlnotify.dll"

"Logon"="RegisterTicketExpiredNotificationEvent"

"Logoff"="UnregisterTicketExpiredNotificationEvent"

"Impersonate"=dword:00000001

"Asynchronous"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList]

@DACL=(02 0000)

"HelpAssistant"=dword:00000000

"TsInternetUser"=dword:00000000

"SQLAgentCmdExec"=dword:00000000

"NetShowServices"=dword:00000000

"IWAM_"=dword:00010000

"IUSR_"=dword:00010000

"VUSR_"=dword:00010000

"ASPNET"=dword:00000000

.

--------------------- DLLs Loaded Under Running Processes ---------------------

 

- - - - - - - > 'winlogon.exe'(684)

C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

.

------------------------ Other Running Processes ------------------------

.

C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\System32\snmp.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

C:\WINDOWS\AGRSMMSG.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe

C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe

.

**************************************************************************

.

Completion time: 2010-10-17 06:11:12 - machine was rebooted

ComboFix-quarantined-files.txt 2010-10-17 11:11:11

ComboFix2.txt 2010-10-17 10:54:27

ComboFix3.txt 2010-10-15 18:51:33

 

Pre-Run: 117,307,875,328 bytes free

Post-Run: 117,277,511,680 bytes free

 

- - End Of File - - 8E3842E11FB026658DE55D5A4D33C196


Let me mention that it can be very dangerous to use some tools and scanners without proper direction.

 

ComboFix is not able to find a clean copy of winlogon.exe to replace. So whatever it is that's patched the system file is not totally being deleted or quarantined.

 

I'm not seeing an output log I would normally see when it mentions rootkit... So not sure what's up there...

 

Let's do this:

 

Download and run HAMeb_check.exe

Post the contents of the resulting log.

 

=========================================================

Locate the ComboFix icon you have on your desktop > right click and select delete.

 

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

 

Download ComboFix from either of these locations:

Link 1

Link 2

Or from

http://www.infospyware.net/antimalware/combofix/ <- English

 

 

 

Next: Disconnect from the internet. If you are on Cable or DSL unplug your computer from the modem.

Next: Please disable all onboard security programs (all running with back ground protection) as it may hinder the scanner from working.

This includes Antivirus, Firewall, and any Spyware scanners that run in the background.

 

Click on this link here to see a list of programs that should be disabled.

The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

 

Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the quote box below. *Do Not Use WordPad or any other text editor than Notepad, or the script will fail.*

Save this as "CFScript.txt" including quotes and change the "Save as type" to "All Files" and place it on your desktop.

File::

C:\WINDOWS\Rjuzeziw.bin

C:\WINDOWS\system32\drivers\aszvkk.sys

C:\WINDOWS\dinepnv2.dll

C:\WINDOWS\ekekalegetekola.dll

Registry::

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Mwaqiresoxiwuv"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Idoziyuhaxovabuy"=-

(screenshot: dragging CFScript.txt onto ComboFix.exe)

 

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe. ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.

When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

 

 

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

 

If there are internet issues afterward:

 

*In IE: Tools Menu -> Internet Options -> Connections Tab -> LAN Settings -> uncheck "use a proxy server" or reconfigure the proxy server again in case you have set it previously.

In Firefox: Tools Menu -> Options... -> Advanced Tab -> Network Tab -> "Settings" under Connection, uncheck the proxy server and set it to No Proxy.

Chrome:

Select -> Tools menu -> then "Options", then go to "Change Proxy Settings", then "LAN Settings", then take out the check mark for "Use a proxy server for your LAN" if set, unless you set this up yourself.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

  • Please make all files and folders VISIBLE:
  • Click "Start" Go to My Computer-> Tools-> Folder Options-> View tab:
  • Choose to "Show hidden files and folders."
  • Uncheck the "Hide protected operating system files" and the "Hide extensions for known file types" boxes.
  • Close the window with "OK".
Please go to: VirusTotal

  • Click the Browse button and search for the following file: C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\winlogon.exe
  • Click Open
  • Then click Send File
  • Please be patient while the file is scanned.
  • Once the scan results appear, please provide them in your next reply.
If it says already scanned -- click "reanalyze now"

 

Also please have the next files scanned.

 

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe

 

=========================================================

 

In your next reply post:

HAMeb_check.txt

Files info requested scanned

new ComboFix.txt

Also give me a description how the computer is behaving now.

Edited by Juliet
typo

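The CFScript in the post above removes four files and two Run values, all of which appear in the log the user posted: two zero-byte files under C:\WINDOWS (Rjuzeziw.bin and drivers\aszvkk.sys) and two Run entries with random-looking names that load DLLs dropped directly in the Windows root. As an added example (my code, not the helper's method, ComboFix's or Malwarebytes'), the Python below shows one way an analyst might triage the "Files Created" and Run-key sections of such a log to arrive at that list, and then emits the same File:: / Registry:: script format the helper used. The two heuristics (zero-length file under the Windows tree; Run value whose data is a bare .dll in the Windows root) are this example's own, the sample lines are copied from the log in this thread, and the bracketed trailer on each Run line ([bU] or a timestamp and size) is parsed but deliberately not interpreted.

```python
"""Heuristic triage of two ComboFix log sections ('Files Created' and the Run keys
under 'Reg Loading Points'), producing a CFScript draft for an analyst to review."""
import re
from typing import Dict, List, Tuple

WINDIR = r"c:\windows"

# Constructed sample: lines copied from the 'Files Created' section of the log in this thread.
FILES_CREATED = r"""
2010-10-17 09:26:34 . 2010-10-17 09:26:34 -------- d-----w- C:\Documents and Settings\HP_Owner\Application Data\Malwarebytes
2010-10-17 09:26:28 . 2010-04-29 20:39:38 38224 ----a-w- C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2010-10-15 09:58:55 . 2010-10-15 09:58:55 0 ----a-w- C:\WINDOWS\Rjuzeziw.bin
2010-10-14 23:00:28 . 2010-10-14 23:01:39 0 ----a-w- C:\WINDOWS\system32\drivers\aszvkk.sys
2010-10-14 10:37:44 . 2004-08-04 04:00:00 25088 ----a-w- C:\WINDOWS\system32\shfolder.dll
"""

# Constructed sample: a subset of the Run-key entries from the same log.
RUN_KEYS = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [bU]
"Mwaqiresoxiwuv"="C:\WINDOWS\dinepnv2.dll" [bU]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:00:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 16:43:18 248040]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2009-09-28 00:19:46 86016]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 20:28:22 577536]
"Idoziyuhaxovabuy"="C:\WINDOWS\ekekalegetekola.dll" [bU]
"""

FILE_RE = re.compile(
    r"^(?P<created>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+\.\s+"
    r"(?P<modified>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+"
    r"(?P<size>\d+|-+)\s+(?P<attrs>\S{8})\s+(?P<path>\S.*?)\s*$"
)
KEY_RE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")
# The bracketed trailer ([bU] or a timestamp/size) is captured but not interpreted here.
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>[^"]*)"(?:\s+\[(?P<info>[^\]]*)\])?\s*$')


def under_windir(path: str) -> bool:
    return path.lower().startswith(WINDIR + "\\")


def suspicious_new_files(text: str) -> List[str]:
    """Heuristic (this example's, not ComboFix's): a zero-length file created under the
    Windows tree during the scan window; a 0-byte .sys or .bin cannot be a working binary."""
    hits: List[str] = []
    for line in text.splitlines():
        m = FILE_RE.match(line.strip())
        if not m or m["attrs"].startswith("d"):      # skip directories
            continue
        if m["size"].isdigit() and int(m["size"]) == 0 and under_windir(m["path"]):
            hits.append(m["path"])
    return hits


def suspicious_run_values(text: str) -> List[Tuple[str, str, str]]:
    """Heuristic (this example's): a Run value whose data is a bare .dll dropped directly
    in the Windows root, rather than an .exe or a DLL under system32 / Program Files."""
    hits: List[Tuple[str, str, str]] = []
    key = None
    for line in text.splitlines():
        line = line.strip()
        km = KEY_RE.match(line)
        if km:
            key = km["key"]
            continue
        vm = VALUE_RE.match(line)
        if not vm or key is None or not key.lower().endswith(r"\currentversion\run"):
            continue
        directory, _, filename = vm["data"].rpartition("\\")
        if filename.lower().endswith(".dll") and directory.lower() == WINDIR:
            hits.append((key, vm["name"], vm["data"]))
    return hits


def build_cfscript(files: List[str], run_values: List[Tuple[str, str, str]]) -> str:
    """Emit the File:: / Registry:: form used in this thread; "name"=- deletes a value."""
    lines = ["File::"] + files + [data for _, _, data in run_values] + ["Registry::"]
    by_key: Dict[str, List[str]] = {}
    for key, name, _ in run_values:
        by_key.setdefault(key, []).append(name)
    for key, names in by_key.items():
        lines.append(f"[{key}]")
        lines.extend(f'"{n}"=-' for n in names)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(build_cfscript(suspicious_new_files(FILES_CREATED), suspicious_run_values(RUN_KEYS)), end="")
```

On the sample above the output is exactly the helper's script: the two zero-byte files, the two DLLs named by the odd Run values, then one `"name"=-` deletion under each Run key. Legitimate neighbours in the same sections (mbamswissarmy.sys, shfolder.dll, ctfmon.exe, NvMcTray.dll in system32) are not touched, which is the property an analyst checks before any such script is used.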

I also located a topic by you at BleepingComputer. If a helper has answered that topic you should continue with them.


Yes, I had originally posted in BleepingComputer on Friday night. However, after not receiving a response over the weekend I started examining the other help requests on the board and found that they are very backed up and typically are not able to respond for 6-7 days. I thought I would try here as well. I greatly appreciate your time, and if you don't mind continuing to help I will ask them to close my topic over at BleepingComputer.

 

I should mention that every time I have run ComboFix it usually crashes during the last step where it is generating the log, with a memory read error concerning "winlogon.exe". I have to reboot the machine, and upon reboot I usually get a message saying that "winlogon.exe" has generated a fatal exception and needs to be closed. However, the machine continues to boot up normally. But anyway, I'm guessing that's why the ComboFix log doesn't look exactly how you would expect it to.

 

I ran the HAMeb first here is the log:

 

C:\Documents and Settings\HP_Owner\Desktop\HAMeb_check.exe

Tue 10/19/2010 at 18:43:44.73

Account active

No

Local Group Memberships ~~ Checking profile list ~~No HelpAssistant profile in registry ~~

Checking for HelpAssistant directories ~~none found ~~

Checking mbr ~~
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully

user: MBR read successfully

called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS

kernel: MBR read successfully

user & kernel MBR OK ~~ Checking for termsrv32.dll ~~termsrv32.dll was not found

HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters

ServiceDll REG_EXPAND_SZ %SystemRoot%\System32\termsrv.dll
~~ Checking firewall ports ~~
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\GloballyOpenPorts\List]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

~~ EOF ~~

 

 

I then reran ComboFix by dragging the script you gave me onto it; it crashed again at the end with the same memory exception in "winlogon.exe", but here is the log it generated:

 

ComboFix 10-10-18.06 - HP_Owner 10/19/2010 18:47:31.6.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1023.547 [GMT -5:00]

Running from: C:\Documents and Settings\HP_Owner\Desktop\ComboFix.exe

Command switches used :: C:\Documents and Settings\HP_Owner\Desktop\CFScript.txt

FILE ::

"C:\WINDOWS\dinepnv2.dll"

"C:\WINDOWS\ekekalegetekola.dll"

"C:\WINDOWS\Rjuzeziw.bin"

"C:\WINDOWS\system32\drivers\aszvkk.sys"

 

.((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

 

.C:\WINDOWS\Rjuzeziw.bin

C:\WINDOWS\system32\drivers\aszvkk.sys
C:\WINDOWS\system32\winlogon.exe . . . is infected!!
Infected copy of C:\WINDOWS\explorer.exe was found and disinfected

Restored copy from - C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe .

 

((((((((((((((((((((((((( Files Created from 2010-09-19 to 2010-10-19 )))))))))))))))))))))))))))))))

.2010-10-18 23:05:41 . 2010-10-18 23:05:41 -------- d-----w- C:\Program Files\Common Files\Adobe AIR

2010-10-18 10:07:09 . 2010-10-18 10:07:09 -------- d-----w- C:\Documents and Settings\All Users\Application Data\McAfee

2010-10-17 09:26:34 . 2010-10-17 09:26:34 -------- d-----w- C:\Documents and Settings\HP_Owner\Application Data\Malwarebytes

2010-10-17 09:26:28 . 2010-04-29 20:39:38 38224 ----a-w- C:\WINDOWS\system32\drivers\mbamswissarmy.sys

2010-10-17 09:26:27 . 2010-10-17 09:26:31 -------- d-----w- C:\Program Files\Malwarebytes' Anti-Malware

2010-10-17 09:26:27 . 2010-10-17 09:26:27 -------- d-----w- C:\Documents and Settings\All Users\Application Data\Malwarebytes

2010-10-17 09:26:27 . 2010-04-29 20:39:26 20952 ----a-w- C:\WINDOWS\system32\drivers\mbam.sys

2010-10-15 13:29:35 . 2010-10-15 13:29:38 -------- d-----w- C:\Documents and Settings\Administrator.BEEBO

2010-10-15 12:04:39 . 2010-10-15 12:04:56 -------- d-----w- C:\WINDOWS\ERUNT

2010-10-15 11:59:51 . 2010-10-15 12:42:04 -------- d-----w- C:\SDFix

2010-10-15 11:05:23 . 2010-10-15 11:05:43 -------- d-----w- C:\Documents and Settings\HP_Owner\backup

2010-10-15 10:29:45 . 2010-10-15 10:29:45 -------- d-----w- C:\Documents and Settings\Guest\Local Settings\Application Data\LightScribe

2010-10-14 23:00:51 . 2010-10-15 00:12:20 -------- d-----w- C:\Documents and Settings\All Users\Application Data\Update

2010-10-14 10:37:44 . 2004-08-04 04:00:00 25088 ----a-w- C:\WINDOWS\system32\shfolder.dll

2010-09-27 03:53:33 . 2009-05-18 18:17:00 26600 ----a-w- C:\WINDOWS\system32\drivers\GEARAspiWDM.sys

2010-09-27 03:53:33 . 2008-04-17 17:12:54 107368 ----a-w- C:\WINDOWS\system32\GEARAspi.dll

2010-09-27 03:52:34 . 2010-09-27 03:52:34 -------- d-----w- C:\Program Files\iPod

2010-09-27 03:52:25 . 2010-09-27 03:53:29 -------- d-----w- C:\Program Files\iTunes

2010-09-27 03:52:25 . 2010-09-27 03:53:29 -------- d-----w- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}

2010-09-27 03:49:19 . 2010-09-27 03:49:19 159744 ----a-w- C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll

2010-09-27 03:49:19 . 2010-09-27 03:49:18 159744 ----a-w- C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll

2010-09-27 03:49:19 . 2010-09-27 03:49:18 159744 ----a-w- C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll

2010-09-27 03:46:53 . 2010-09-27 03:46:54 -------- d-----w- C:\Program Files\Apple Software Update

2010-09-27 03:46:26 . 2010-04-20 01:47:44 3062048 ----a-w- C:\WINDOWS\system32\usbaaplrc.dll

2010-09-27 03:46:26 . 2010-04-20 01:47:42 41984 ----a-w- C:\WINDOWS\system32\drivers\usbaapl.sys

2010-09-27 03:45:46 . 2010-09-27 03:45:49 -------- d-----w- C:\Program Files\Bonjour

2010-09-24 11:10:03 . 2010-02-04 15:01:14 74072 ----a-w- C:\WINDOWS\system32\XAPOFX1_4.dll

2010-09-24 11:10:03 . 2010-02-04 15:01:14 528216 ----a-w- C:\WINDOWS\system32\XAudio2_6.dll

2010-09-24 11:10:02 . 2010-02-04 15:01:14 238936 ----a-w- C:\WINDOWS\system32\xactengine3_6.dll

2010-09-24 11:10:01 . 2010-02-04 15:01:14 22360 ----a-w- C:\WINDOWS\system32\X3DAudio1_7.dll

2010-09-22 23:10:52 . 2010-09-22 23:10:52 103864 ----a-w- C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

.------- Sigcheck -------

[-] 2008-04-14 00:12:39 . ED0EF0A136DEC83DF69F04118870003E . 507904 . . [5.1.2600.5512 (xpsp.080413-2113)] . . C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\winlogon.exe

[-] 2004-08-04 04:00:00 . B9C7CEF5B9303E38D53C32503BEAA51C . 502272 . . [5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)] . . C:\WINDOWS\system32\winlogon.exe

[-] 2008-04-14 00:12:19 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512 (xpsp.080413-2105)] . . C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\explorer.exe

[-] 2007-06-13 11:26:03 . 4F5B2DD41273073A79FD30BAEDE1A06D . 1033216 . . [6.00.2900.3156 (xpsp_sp2_qfe.070613-1311)] . . C:\WINDOWS\explorer.exe

[7] 2007-06-13 11:26:03 . 7712DF0CDDE3A5AC89843E61CD5B3658 . 1033216 . . [6.00.2900.3156 (xpsp_sp2_qfe.070613-1311)] . . C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe

[7] 2004-08-04 04:00:00 . A0732187050030AE399B241436565E64 . 1032192 . . [6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)] . . C:\WINDOWS\$NtUninstallKB938828$\explorer.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [bU]

"Octoshape Streaming Services"="C:\Program Files\Octoshape Streaming Services\HP_Owner\OctoshapeClient.exe" [bU]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:00:00 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"DNS7reminder"="C:\Program Files\Nuance\NaturallySpeaking10\Ereg\Ereg.exe" [bU]

"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [bU]

"SunJavaUpdateSched"="C:\Program Files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 16:43:18 248040]

"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [bU]

"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [bU]

"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [bU]

"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 12:00:48 33648]

"SoundMan"="SOUNDMAN.EXE" [2007-04-16 20:28:22 577536]

"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 13:47:52 57344]

"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-02-11 04:32:54 61440]

"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2009-09-28 00:19:46 86016]

"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2009-09-28 00:19:46 13918208]

"nwiz"="C:\Program Files\NVIDIA Corporation\nView\nwiz.exe" [bU]

"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-12-15 16:18:50 49152]

"AutoTBar"="c:\Program Files\HP\Digital Imaging\bin\AUTOTBAR.EXE" [bU]

"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 04:00:00 455168]

"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 04:00:00 455168]

"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 04:00:00 59392]

"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 04:00:00 208952]

"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2004-04-14 13:43:46 233472]

"HPHUPD06"="c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" [2004-06-07 11:53:26 49152]

"AGRSMMSG"="AGRSMMSG.exe" [2005-03-04 16:01:56 88209]

"HPHmon06"="C:\WINDOWS\system32\hphmon06.exe" [2004-06-07 11:42:30 659456]

"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-14 14:54:32 253952]

"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2010-09-08 16:17:42 421888]

"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 09:04:38 52736]

"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2010-09-24 07:10:52 421160]

"UniUploader"="C:\Program Files\UniUploader\UniUploader.exe" [bU]

"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 09:47:04 35760]

"Adobe ARM"="C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 04:07:44 932288]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 15:13:36 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2009-09-03 20:21:42 548352 ----a-w- C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

avgrsstx.dll [bU]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"aawservice"=2 (0x2)

"helpsvc"=2 (0x2)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"C:\\Program Files\\eMule\\emule.exe"=

"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=

"C:\\Program Files\\Java\\j2re1.4.2_03\\bin\\javaw.exe"=

"C:\\WINDOWS\\system32\\dpnsvr.exe"=

"C:\\Program Files\\VentSrv\\ventrilo_srv.exe"=

"C:\\Program Files\\Warcraft III\\Warcraft III.exe"=

"C:\\WINDOWS\\system32\\mmc.exe"=

"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=

"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=

"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=

"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=

"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=

"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=

"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=

"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=

"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=

"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=

"C:\\Program Files\\Turbine\\The Lord of the Rings Online\\lotroclient.exe"=

"C:\\WINDOWS\\system32\\dpvsetup.exe"=

"C:\\WINDOWS\\system32\\java.exe"=

"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=

"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"C:\\WINDOWS\\system32\\fxsclnt.exe"=

"C:\\Program Files\\Tortun\\gui.exe"=

"C:\\Program Files\\Ventrilo\\Ventrilo.exe"=

"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"C:\\Program Files\\iTunes\\iTunes.exe"=

"C:\\Program Files\\Vuze\\Azureus.exe"=

"C:\\Program Files\\Java\\jre6\\bin\\java.exe"=
R1 SASDIFSV;SASDIFSV;C:\Program Files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25:50 AM 12872]

R1 SASKUTIL;SASKUTIL;C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS [4/27/2010 5:30:10 PM 67656]

S2 EZWINIT;EZWINIT;C:\WINDOWS\system32\drivers\ezwinit.sys [7/13/2005 12:12:58 PM 14494]

S2 EZWINIT2;EZWINIT2;C:\WINDOWS\system32\drivers\ezwinit2.sys [8/15/2005 9:19:10 PM 14720]

S2 EZWRITE2;EZWRITE2;C:\WINDOWS\system32\drivers\ezwrite2.sys [8/15/2005 9:19:10 PM 16680]

S2 EZWRITER;EZWRITER;C:\WINDOWS\system32\drivers\ezwriter.sys [7/13/2005 12:12:58 PM 16680]

S3 DrvAgent32;DrvAgent32;C:\WINDOWS\system32\drivers\DrvAgent32.sys [5/10/2010 4:34:31 AM 23456]

S3 EverestDriver;Lavalys EVEREST Kernel Driver;\??\C:\Program Files\Lavalys\EVEREST Ultimate Edition\kerneld.wnt --> C:\Program Files\Lavalys\EVEREST Ultimate Edition\kerneld.wnt [?]

S3 pbfilter;pbfilter;C:\Program Files\PeerBlock\pbfilter.sys [9/19/2010 6:23:58 PM 18544]

S4 sptd;sptd;C:\WINDOWS\system32\drivers\sptd.sys [3/11/2006 10:02:44 PM 642560]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.comcast.net/

uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=pavilion&pf=desktop

mStart Page = hxxp://www.comcast.net/

mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=pavilion&pf=desktop

mWindow Title = Windows Internet Explorer provided by Comcast

uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=pavilion&pf=desktop

uInternet Settings,ProxyOverride = *.local

uSearchURL,(Default) = hxxp://www.google.com/keyword/%s

IE: E&xport to Microsoft Excel - C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000

Trusted Zone: aol.com\free

DPF: {040F4385-8DAD-4306-94BF-B8291D841FAE} - hxxp://www.nintendowifi.com/troubleshooting/usbaptest.cab

FF - ProfilePath - C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\xl77vwge.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.comcast.net/

FF - plugin: C:\Program Files\Java\jre6\bin\new_plugin\npdeployJava1.dll
---- FIREFOX POLICIES ----

C:\Program Files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);

C:\Program Files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);

.

-EOF-

 

Finally I scanned the three files you asked me to:

 

Here is the analysis for the winlogon.exe in the "software distribution" folder:

Antivirus | Version | Last Update | Result
AhnLab-V3 | 2010.10.20.00 | 2010.10.19 | -
AntiVir | 7.10.12.252 | 2010.10.19 | -
Antiy-AVL | 2.0.3.7 | 2010.10.19 | -
Authentium | 5.2.0.5 | 2010.10.19 | -
Avast | 4.8.1351.0 | 2010.10.19 | -
Avast5 | 5.0.594.0 | 2010.10.19 | -
AVG | 9.0.0.851 | 2010.10.20 | -
BitDefender | 7.2 | 2010.10.20 | -
CAT-QuickHeal | 11.00 | 2010.10.19 | -
ClamAV | 0.96.2.0-git | 2010.10.19 | -
Comodo | 6445 | 2010.10.19 | -
DrWeb | 5.0.2.03300 | 2010.10.20 | -
Emsisoft | 5.0.0.50 | 2010.10.20 | -
eSafe | 7.0.17.0 | 2010.10.19 | -
eTrust-Vet | 36.1.7921 | 2010.10.19 | -
F-Prot | 4.6.2.117 | 2010.10.19 | -
F-Secure | 9.0.16160.0 | 2010.10.19 | -
Fortinet | 4.2.249.0 | 2010.10.19 | -
GData | 21 | 2010.10.20 | -
Ikarus | T3.1.1.90.0 | 2010.10.19 | -
Jiangmin | 13.0.900 | 2010.10.19 | -
K7AntiVirus | 9.66.2789 | 2010.10.19 | -
Kaspersky | 7.0.0.125 | 2010.10.19 | -
McAfee | 5.400.0.1158 | 2010.10.20 | -
McAfee-GW-Edition | 2010.1C | 2010.10.19 | -
Microsoft | 1.6301 | 2010.10.19 | -
NOD32 | 5546 | 2010.10.19 | -
Norman | 6.06.07 | 2010.10.19 | -
nProtect | 2010-10-19.01 | 2010.10.19 | -
Panda | 10.0.2.7 | 2010.10.20 | -
PCTools | 7.0.3.5 | 2010.10.20 | -
Prevx | 3.0 | 2010.10.20 | -
Rising | 22.70.01.04 | 2010.10.19 | -
Sophos | 4.58.0 | 2010.10.20 | -
Sunbelt | 7096 | 2010.10.19 | -
SUPERAntiSpyware | 4.40.0.1006 | 2010.10.20 | -
Symantec | 20101.2.0.161 | 2010.10.20 | -
TheHacker | 6.7.0.1.060 | 2010.10.19 | -
TrendMicro | 9.120.0.1004 | 2010.10.19 | -
TrendMicro-HouseCall | 9.120.0.1004 | 2010.10.20 | -
VBA32 | 3.12.14.1 | 2010.10.19 | -
ViRobot | 2010.10.19.4101 | 2010.10.19 | -
VirusBuster | 12.69.7.0 | 2010.10.19 | -

Additional information:
MD5 : ed0ef0a136dec83df69f04118870003e
SHA1 : f77a7cd78877527023ebfb35e83b75ef59d3df07
SHA256: 45377cb8e9f0120f836fc8261c711f7dbf7199117afb3652ebf100d5f0429b1e

 

 

Here is the analysis for winlogon.exe in the "system32" folder:

Antivirus | Version | Last Update | Result
AhnLab-V3 | 2010.10.20.00 | 2010.10.19 | -
AntiVir | 7.10.12.252 | 2010.10.19 | TR/Spy.502272.10
Antiy-AVL | 2.0.3.7 | 2010.10.19 | Trojan/Win32.Patched.gen
Authentium | 5.2.0.5 | 2010.10.19 | W32/Bamital.C
Avast | 4.8.1351.0 | 2010.10.19 | Win32:Bamital-AE
Avast5 | 5.0.594.0 | 2010.10.19 | Win32:Bamital-AE
AVG | 9.0.0.851 | 2010.10.20 | -
BitDefender | 7.2 | 2010.10.20 | Trojan.Patched.GM
CAT-QuickHeal | 11.00 | 2010.10.19 | -
ClamAV | 0.96.2.0-git | 2010.10.19 | -
Comodo | 6445 | 2010.10.19 | -
DrWeb | 5.0.2.03300 | 2010.10.20 | Win32.Dat.10
Emsisoft | 5.0.0.50 | 2010.10.20 | Trojan.Win32.Patched!IK
eSafe | 7.0.17.0 | 2010.10.19 | -
eTrust-Vet | 36.1.7921 | 2010.10.19 | Win32/Bamital.AP
F-Prot | 4.6.2.117 | 2010.10.19 | W32/Bamital.C
F-Secure | 9.0.16160.0 | 2010.10.19 | Trojan.Patched.GM
Fortinet | 4.2.249.0 | 2010.10.19 | -
GData | 21 | 2010.10.20 | Trojan.Patched.GM
Ikarus | T3.1.1.90.0 | 2010.10.19 | Trojan.Win32.Patched
Jiangmin | 13.0.900 | 2010.10.19 | Backdoor/Poison.lrw
K7AntiVirus | 9.66.2789 | 2010.10.19 | -
Kaspersky | 7.0.0.125 | 2010.10.19 | Trojan.Win32.Patched.kl
McAfee | 5.400.0.1158 | 2010.10.20 | W32/Bamital.a
McAfee-GW-Edition | 2010.1C | 2010.10.19 | -
Microsoft | 1.6301 | 2010.10.19 | Virus:Win32/Bamital.F
NOD32 | 5546 | 2010.10.19 | -
Norman | 6.06.07 | 2010.10.19 | W32/Patched.X
nProtect | 2010-10-19.01 | 2010.10.19 | Virus/W32.Bamital
Panda | 10.0.2.7 | 2010.10.20 | -
PCTools | 7.0.3.5 | 2010.10.20 | Trojan.Bamital
Prevx | 3.0 | 2010.10.20 | -
Rising | 22.70.01.04 | 2010.10.19 | -
Sophos | 4.58.0 | 2010.10.20 | Troj/Patched-O
Sunbelt | 7096 | 2010.10.19 | Virus.Win32.Bamital.c (v)
SUPERAntiSpyware | 4.40.0.1006 | 2010.10.20 | -
Symantec | 20101.2.0.161 | 2010.10.20 | Trojan.Bamital!inf
TheHacker | 6.7.0.1.060 | 2010.10.19 | -
TrendMicro | 9.120.0.1004 | 2010.10.19 | -
TrendMicro-HouseCall | 9.120.0.1004 | 2010.10.20 | -
VBA32 | 3.12.14.1 | 2010.10.19 | -
ViRobot | 2010.10.19.4101 | 2010.10.19 | Win32.Patched.AF.C
VirusBuster | 12.69.7.0 | 2010.10.19 | -

Additional information:
MD5 : b9c7cef5b9303e38d53c32503beaa51c
SHA1 : c7a8ff705da17e437a408923ad23cafa7c90b246
SHA256: 93fe2a9dab1bffdfdd233dda50187ca5993f3ed84a8b87b29f798f091958f8d3

 

And here is the analysis for explorer.exe in the sp2qfe folder:

Antivirus | Version | Last Update | Result
AhnLab-V3 | 2010.10.20.00 | 2010.10.19 | -
AntiVir | 7.10.12.252 | 2010.10.19 | -
Antiy-AVL | 2.0.3.7 | 2010.10.19 | -
Authentium | 5.2.0.5 | 2010.10.19 | -
Avast | 4.8.1351.0 | 2010.10.19 | -
Avast5 | 5.0.594.0 | 2010.10.19 | -
AVG | 9.0.0.851 | 2010.10.20 | -
BitDefender | 7.2 | 2010.10.20 | -
CAT-QuickHeal | 11.00 | 2010.10.19 | -
ClamAV | 0.96.2.0-git | 2010.10.19 | -
Comodo | 6445 | 2010.10.19 | -
DrWeb | 5.0.2.03300 | 2010.10.20 | -
Emsisoft | 5.0.0.50 | 2010.10.20 | -
eSafe | 7.0.17.0 | 2010.10.19 | -
eTrust-Vet | 36.1.7921 | 2010.10.19 | -
F-Prot | 4.6.2.117 | 2010.10.19 | -
F-Secure | 9.0.16160.0 | 2010.10.19 | -
Fortinet | 4.2.249.0 | 2010.10.19 | -
GData | 21 | 2010.10.20 | -
Ikarus | T3.1.1.90.0 | 2010.10.19 | -
Jiangmin | 13.0.900 | 2010.10.19 | -
K7AntiVirus | 9.66.2789 | 2010.10.19 | -
Kaspersky | 7.0.0.125 | 2010.10.19 | -
McAfee | 5.400.0.1158 | 2010.10.20 | -
McAfee-GW-Edition | 2010.1C | 2010.10.19 | -
Microsoft | 1.6301 | 2010.10.19 | -
NOD32 | 5546 | 2010.10.19 | -
Norman | 6.06.07 | 2010.10.19 | -
nProtect | 2010-10-19.01 | 2010.10.19 | -
Panda | 10.0.2.7 | 2010.10.20 | -
PCTools | 7.0.3.5 | 2010.10.20 | -
Prevx | 3.0 | 2010.10.20 | -
Rising | 22.70.01.04 | 2010.10.19 | -
Sophos | 4.58.0 | 2010.10.20 | -
Sunbelt | 7096 | 2010.10.19 | -
SUPERAntiSpyware | 4.40.0.1006 | 2010.10.20 | -
Symantec | 20101.2.0.161 | 2010.10.20 | -
TheHacker | 6.7.0.1.060 | 2010.10.19 | -
TrendMicro | 9.120.0.1004 | 2010.10.19 | -
TrendMicro-HouseCall | 9.120.0.1004 | 2010.10.20 | -
VBA32 | 3.12.14.1 | 2010.10.19 | -
ViRobot | 2010.10.19.4101 | 2010.10.19 | -
VirusBuster | 12.69.7.0

 

Again I really appreciate your time. I have to go to work now but I will check back in tomorrow.

 

Edit: Oh, almost forgot to comment on system status: the Google redirect problem remains. I could find no evidence of proxy servers in either browser (Firefox and IE).

Sorry those file analyses look messy; I wasn't sure how to post them other than just copy/paste. But the general result seems to be that the winlogon.exe in the system32 folder is infected with Bamital.win32.trojan and the other 2 files are clean.

Edited by Juliet
housekeeping.

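A small triage helper for the Sigcheck block in a ComboFix log like the one posted above, added here as an example and not code from the thread, from ComboFix or from any tool it mentions: it parses each Sigcheck line into its fields, groups the copies of each file name, and reports copies that share a version string and size yet carry different MD5 hashes, which is exactly what the two 6.00.2900.3156 explorer.exe entries above show (the copy ComboFix disinfected versus the $hf_mig$ copy it restored from). The sample input is the six Sigcheck lines from the log; the `[-]` marker is only listed as the one the helper asked about, with no further meaning assigned to it.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

# The six Sigcheck lines from the ComboFix log posted in the thread (copied
# from the log, not constructed), used here as the sample input.
SIGCHECK_SAMPLE = r"""
[-] 2008-04-14 00:12:39 . ED0EF0A136DEC83DF69F04118870003E . 507904 . . [5.1.2600.5512 (xpsp.080413-2113)] . . C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\winlogon.exe
[-] 2004-08-04 04:00:00 . B9C7CEF5B9303E38D53C32503BEAA51C . 502272 . . [5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)] . . C:\WINDOWS\system32\winlogon.exe
[-] 2008-04-14 00:12:19 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512 (xpsp.080413-2105)] . . C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\explorer.exe
[-] 2007-06-13 11:26:03 . 4F5B2DD41273073A79FD30BAEDE1A06D . 1033216 . . [6.00.2900.3156 (xpsp_sp2_qfe.070613-1311)] . . C:\WINDOWS\explorer.exe
[7] 2007-06-13 11:26:03 . 7712DF0CDDE3A5AC89843E61CD5B3658 . 1033216 . . [6.00.2900.3156 (xpsp_sp2_qfe.070613-1311)] . . C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe
[7] 2004-08-04 04:00:00 . A0732187050030AE399B241436565E64 . 1032192 . . [6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)] . . C:\WINDOWS\$NtUninstallKB938828$\explorer.exe
"""

# One Sigcheck line: "[flag] date time . MD5 . size . . [version] . . path"
SIGCHECK_RE = re.compile(
    r"^\[(?P<flag>[^\]]+)\]\s+(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<time>\d{2}:\d{2}:\d{2})"
    r"\s+\.\s+(?P<md5>[0-9A-Fa-f]{32})\s+\.\s+(?P<size>\d+)\s+\.\s+\.\s+"
    r"\[(?P<version>[^\]]*)\]\s+\.\s+\.\s+(?P<path>\S.*?)\s*$"
)


@dataclass(frozen=True)
class SigcheckEntry:
    flag: str       # text inside the leading brackets, e.g. "-" or "7"
    date: str
    time: str
    md5: str        # upper-cased so copies compare reliably
    size: int
    version: str
    path: str

    @property
    def name(self) -> str:
        """File name without directory, lower-cased (Windows paths are case-insensitive)."""
        return self.path.rsplit("\\", 1)[-1].lower()


def parse_sigcheck(text: str) -> List[SigcheckEntry]:
    """Return one entry per Sigcheck line; lines that do not match the layout
    (ComboFix's '.' separators and section banners) are skipped."""
    entries = []
    for line in text.splitlines():
        m = SIGCHECK_RE.match(line.strip())
        if not m:
            continue
        entries.append(SigcheckEntry(
            flag=m["flag"], date=m["date"], time=m["time"],
            md5=m["md5"].upper(), size=int(m["size"]),
            version=m["version"], path=m["path"],
        ))
    return entries


def find_hash_mismatches(entries: List[SigcheckEntry]) -> Dict[str, List[Tuple[str, str]]]:
    """Group copies by (file name, version string, size). Two copies that agree
    on all three but differ in MD5 cannot both be the unmodified build, so at
    least one has been altered on disk. Returns {file name: [(path, md5), ...]}."""
    groups: Dict[Tuple[str, str, int], List[SigcheckEntry]] = defaultdict(list)
    for e in entries:
        groups[(e.name, e.version, e.size)].append(e)
    mismatches: Dict[str, List[Tuple[str, str]]] = {}
    for (name, _version, _size), copies in groups.items():
        if len({e.md5 for e in copies}) > 1:
            mismatches.setdefault(name, []).extend((e.path, e.md5) for e in copies)
    return mismatches


def flagged(entries: List[SigcheckEntry], marker: str = "-") -> List[SigcheckEntry]:
    """Entries carrying the bracket marker the helper asked about ("[-]")."""
    return [e for e in entries if e.flag == marker]


if __name__ == "__main__":
    found = parse_sigcheck(SIGCHECK_SAMPLE)
    print(f"{len(found)} Sigcheck entries parsed")
    for name, copies in find_hash_mismatches(found).items():
        print(f"{name}: same version and size, different MD5 across copies:")
        for path, md5 in copies:
            print(f"    {md5}  {path}")
    for e in flagged(found):
        print(f"[-] {e.name:<13} {e.version:<42} {e.path}")
```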

I need to make sure: can you access the Recovery Console on the machine?

I still have more research to do and will be asking a colleague to take a look; it is very possible those infected files will have to be replaced from within the Recovery Console.

 

Also, is this machine SP2?

 

Please download Rootkit Unhooker and save it on your desktop.

http://www.rootkit.com/vault/DiabloNova/RKUnhookerLE.EXE

 

* Disable your security programs

* Double click RKUnhookerLE.exe to run it

* Click the Report tab, then click Scan

* Check Drivers and Stealth Code,

* Uncheck the rest, then click OK

* When prompted to Select Disks for Scan, make sure C:\ is checked and click OK

* Wait till the scanner has finished then go File > Save Report

* Save the report somewhere you can find it. Click Close

* Copy the entire contents of the report and paste it in your next reply.

 

Note - You may get this warning, it is ok, just ignore it:

 

"Rootkit Unhooker has detected a parasite inside itself!

It is recommended to remove parasite, okay?"

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

Please download MBRCheck by ad_13 and save it to your desktop.

 

Double-click to run. A window will pop up. If it says 'non-standard' or 'infected' MBR code detected, please type 3 for Exit for now and press Enter.

 

It will save a logfile on your desktop that starts with MBR, then has the date, etc. Please copy and paste the contents of that log in your reply.

 

 

 

You may need several replies to post the requested logs, otherwise they might get cut off.


Yes, I believe I can access the Recovery Console, although I'm not sure how to use it. I tried it once and it brought me to a simple command prompt in the Windows directory.

 

Yes, it is running SP2.

 

Here is the rootkit unhooker log:

 

RkU Version: 3.8.388.590, Type LE (SR2)

==============================================

OS Name: Windows XP

Version 5.1.2600 (Service Pack 2)

Number of processors #1

==============================================

>Drivers

==============================================

0xF610B000 C:\WINDOWS\system32\drivers\ALCXWDM.SYS 4124672 bytes (Realtek Semiconductor Corp., Realtek AC'97 Audio Driver (WDM))

0xF6531000 C:\WINDOWS\system32\DRIVERS\ati2mtag.sys 3891200 bytes (ATI Technologies Inc., ATI Radeon WindowsNT Miniport Driver)

0xBD182000 C:\WINDOWS\System32\ati3duag.dll 3821568 bytes (ATI Technologies Inc. , ati3duag.dll)

0xBD527000 C:\WINDOWS\System32\ativvaxx.dll 2670592 bytes (ATI Technologies Inc. , Radeon Video Acceleration Universal Driver)

0x804D7000 C:\WINDOWS\system32\ntkrnlpa.exe 2057728 bytes (Microsoft Corporation, NT Kernel & System)

0x804D7000 PnpManager 2057728 bytes

0x804D7000 RAW 2057728 bytes

0x804D7000 WMIxWDM 2057728 bytes

0xBF800000 Win32k 1847296 bytes

0xBF800000 C:\WINDOWS\System32\win32k.sys 1847296 bytes (Microsoft Corporation, Multi-User Win32 Driver)

0xBD065000 C:\WINDOWS\System32\ati2cqag.dll 626688 bytes (ATI Technologies Inc., Central Memory Manager / Queue Server Module)

0xF724E000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)

0xBD0FE000 C:\WINDOWS\System32\atikvmag.dll 540672 bytes (ATI Technologies Inc., Virtual Command And Memory Manager)

0xA85A7000 C:\WINDOWS\system32\DRIVERS\mrxsmb.sys 454656 bytes (Microsoft Corporation, Windows NT SMB Minirdr)

0xA874D000 C:\WINDOWS\system32\DRIVERS\tcpip.sys 360448 bytes (Microsoft Corporation, TCP/IP Protocol Driver)

0xBD012000 C:\WINDOWS\System32\ati2dvag.dll 339968 bytes (ATI Technologies Inc., ATI Radeon WindowsNT Display Driver)

0xBFFA0000 C:\WINDOWS\System32\ATMFD.DLL 286720 bytes (Adobe Systems Incorporated, Windows NT OpenType/Type 1 Font Driver)

0xF5FFE000 C:\WINDOWS\system32\DRIVERS\update.sys 212992 bytes (Microsoft Corporation, Update Driver)

0xF736C000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)

0xF7221000 NDIS.sys 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)

0xA573D000 C:\WINDOWS\system32\drivers\kmixer.sys 176128 bytes (Microsoft Corporation, Kernel Mode Audio Mixer)

0xA8616000 C:\WINDOWS\system32\DRIVERS\rdbss.sys 176128 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)

0xA8725000 C:\WINDOWS\system32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)

0xF60E7000 C:\WINDOWS\system32\drivers\portcls.sys 147456 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))

0xA853B000 C:\WINDOWS\System32\Drivers\Fastfat.SYS 143360 bytes (Microsoft Corporation, Fast FAT File System Driver)

0xF64FA000 C:\WINDOWS\system32\DRIVERS\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)

0xF60C4000 C:\WINDOWS\system32\DRIVERS\USBPORT.SYS 143360 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)

0xA8703000 C:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)

0xA8641000 C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS 139264 bytes (SUPERAdBlocker.com and SUPERAntiSpyware.com, SASKUTIL.SYS)

0xA8586000 C:\WINDOWS\system32\DRIVERS\ipnat.sys 135168 bytes (Microsoft Corporation, IP Network Address Translator)

0x806CE000 ACPI_HAL 131968 bytes

0x806CE000 C:\WINDOWS\system32\hal.dll 131968 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)

0xF7304000 fltMgr.sys 131072 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)

0xF733C000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver)

0xF7206000 Mup.sys 110592 bytes (Microsoft Corporation, Multiple UNC Provider driver)

0xF7324000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)

0xA8523000 C:\WINDOWS\System32\Drivers\dump_atapi.sys 98304 bytes

0xA5EAB000 C:\WINDOWS\system32\drivers\tmcomm.sys 98304 bytes (Trend Micro Inc., TrendMicro Common Module)

0xF72DB000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)

0xF6099000 C:\WINDOWS\system32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))

0xA5CB6000 C:\WINDOWS\system32\drivers\wdmaud.sys 86016 bytes (Microsoft Corporation, MMSYSTEM Wave/Midi API mapper)

0xF60B0000 C:\WINDOWS\system32\DRIVERS\parport.sys 81920 bytes (Microsoft Corporation, Parallel Port Driver)

0xF651D000 C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver)

0xA87A5000 C:\WINDOWS\system32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver)

0xBD000000 C:\WINDOWS\System32\drivers\dxg.sys 73728 bytes (Microsoft Corporation, DirectX Graphics Driver)

0xF72F2000 sr.sys 73728 bytes (Microsoft Corporation, System Restore Filesystem Filter Driver)

0xF735B000 pci.sys 69632 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)

0xF6088000 C:\WINDOWS\system32\DRIVERS\psched.sys 69632 bytes (Microsoft Corporation, MS QoS Packet Scheduler)

0xA5F1B000 C:\WINDOWS\System32\Drivers\Cdfs.SYS 65536 bytes (Microsoft Corporation, CD-ROM File System Driver)

0xF75CB000 C:\WINDOWS\system32\DRIVERS\nic1394.sys 65536 bytes (Microsoft Corporation, IEEE1394 Ndis Miniport and Call Manager)

0xF76FB000 C:\WINDOWS\system32\DRIVERS\serial.sys 65536 bytes (Microsoft Corporation, Serial Device Driver)

0xF759B000 C:\WINDOWS\system32\DRIVERS\arp1394.sys 61440 bytes (Microsoft Corporation, IP/1394 Arp Client)

0xF76EB000 C:\WINDOWS\system32\drivers\drmk.sys 61440 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)

0xF750B000 ohci1394.sys 61440 bytes (Microsoft Corporation, 1394 OpenHCI Port Driver)

0xF76DB000 C:\WINDOWS\system32\DRIVERS\redbook.sys 61440 bytes (Microsoft Corporation, Redbook Audio Filter Driver)

0xA60EB000 C:\WINDOWS\system32\drivers\sysaudio.sys 61440 bytes (Microsoft Corporation, System Audio WDM Filter)

0xF68F7000 C:\WINDOWS\system32\DRIVERS\usbhub.sys 61440 bytes (Microsoft Corporation, Default Hub Driver for USB)

0xF76AB000 C:\WINDOWS\system32\DRIVERS\AmdK8.sys 57344 bytes (Advanced Micro Devices, AMD Processor Driver)

0xF751B000 C:\WINDOWS\system32\DRIVERS\1394BUS.SYS 53248 bytes (Microsoft Corporation, 1394 Bus Device Driver)

0xF76CB000 C:\WINDOWS\system32\DRIVERS\cdrom.sys 53248 bytes (Microsoft Corporation, SCSI CD-ROM Driver)

0xF74DB000 C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS 53248 bytes (Microsoft Corporation, SCSI Class System Dll)

0xF75BB000 C:\WINDOWS\system32\DRIVERS\HPZid412.sys 53248 bytes (HP, IEEE-1284.4-1999 Driver (Windows 2000))

0xF770B000 C:\WINDOWS\system32\DRIVERS\i8042prt.sys 53248 bytes (Microsoft Corporation, i8042 Port Driver)

0xF755B000 C:\WINDOWS\system32\DRIVERS\rasl2tp.sys 53248 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)

0xF74BB000 VolSnap.sys 53248 bytes (Microsoft Corporation, Volume Shadow Copy Driver)

0xF752B000 gagp30kx.sys 49152 bytes (Microsoft Corporation, MS Generic AGPv3.0 Filter for K8/9 Processor Platforms)

0xF6967000 C:\WINDOWS\system32\DRIVERS\raspptp.sys 49152 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)

0xF76BB000 C:\WINDOWS\system32\DRIVERS\imapi.sys 45056 bytes (Microsoft Corporation, IMAPI Kernel Driver)

0xF74AB000 MountMgr.sys 45056 bytes (Microsoft Corporation, Mount Manager)

0xF6977000 C:\WINDOWS\system32\DRIVERS\raspppoe.sys 45056 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)

0xF6937000 C:\WINDOWS\System32\Drivers\NDProxy.SYS 40960 bytes (Microsoft Corporation, NDIS Proxy)

0xA62AB000 C:\WINDOWS\system32\DRIVERS\secdrv.sys 40960 bytes (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K., Macrovision SECURITY Driver)

0xF74FB000 SISAGPX.sys 40960 bytes (Silicon Integrated Systems Corporation, SiS AGPv3.5 Filter)

0xF6947000 C:\WINDOWS\system32\DRIVERS\termdd.sys 40960 bytes (Microsoft Corporation, Terminal Server Driver)

0xF74CB000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver)

0xF757B000 C:\WINDOWS\System32\Drivers\Fips.SYS 36864 bytes (Microsoft Corporation, FIPS Crypto Driver)

0xF75AB000 C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS 36864 bytes (Microsoft Corporation, Hid Class Library)

0xF749B000 isapnp.sys 36864 bytes (Microsoft Corporation, PNP ISA Bus Driver)

0xF6957000 C:\WINDOWS\system32\DRIVERS\msgpc.sys 36864 bytes (Microsoft Corporation, MS General Packet Classifier)

0xF68E7000 C:\WINDOWS\system32\DRIVERS\netbios.sys 36864 bytes (Microsoft Corporation, NetBIOS interface driver)

0xA5948000 C:\WINDOWS\System32\Drivers\Normandy.SYS 36864 bytes (RKU Driver)

0xF74EB000 PxHelp20.sys 36864 bytes (Sonic Solutions, Px Engine Device Driver for Windows 2000/XP)

0xF758B000 C:\WINDOWS\system32\DRIVERS\wanarp.sys 36864 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)

0xF776B000 C:\WINDOWS\System32\Drivers\Npfs.SYS 32768 bytes (Microsoft Corporation, NPFS Driver)

0xF787B000 C:\WINDOWS\system32\DRIVERS\sisnic.sys 32768 bytes (SiS Corporation, SiS PCI Fast Ethernet Adapter Driver)

0xF777B000 C:\WINDOWS\system32\DRIVERS\usbccgp.sys 32768 bytes (Microsoft Corporation, USB Common Class Generic Parent Driver)

0xF7753000 C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS 28672 bytes (Microsoft Corporation, Hid Parsing Library)

0xF771B000 C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS 28672 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)

0xF7873000 C:\WINDOWS\system32\DRIVERS\usbehci.sys 28672 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)

0xF7793000 C:\WINDOWS\system32\DRIVERS\usbprint.sys 28672 bytes (Microsoft Corporation, USB Printer driver)

0xF7783000 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS 28672 bytes (Microsoft Corporation, USB Mass Storage Class Driver)

0xF7863000 C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys 24576 bytes (GEAR Software Inc., CD DVD Filter)

0xF779B000 C:\WINDOWS\system32\DRIVERS\HPZius12.sys 24576 bytes (HP, 1284.4<->Usb Datalink Driver (Windows 2000))

0xF785B000 C:\WINDOWS\system32\drivers\iviaspi.sys 24576 bytes (InterVideo, Inc., InterVideo ASPI Shell)

0xF7883000 C:\WINDOWS\system32\DRIVERS\kbdclass.sys 24576 bytes (Microsoft Corporation, Keyboard Class Driver)

0xF78A3000 C:\WINDOWS\system32\DRIVERS\mouclass.sys 24576 bytes (Microsoft Corporation, Mouse Class Driver)

0xF7773000 C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS 24576 bytes (SUPERAdBlocker.com and SUPERAntiSpyware.com, SASDIFSV.SYS)

0xF775B000 C:\WINDOWS\System32\drivers\vga.sys 24576 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)

0xF7763000 C:\WINDOWS\System32\Drivers\Msfs.SYS 20480 bytes (Microsoft Corporation, Mailslot driver)

0xF7723000 PartMgr.sys 20480 bytes (Microsoft Corporation, Partition Manager)

0xF7893000 C:\WINDOWS\system32\DRIVERS\ptilink.sys 20480 bytes (Parallel Technologies, Inc., Parallel Technologies DirectParallel IO Library)

0xF789B000 C:\WINDOWS\system32\DRIVERS\raspti.sys 20480 bytes (Microsoft Corporation, PTI DirectParallel® mini-port/call-manager driver)

0xF788B000 C:\WINDOWS\system32\DRIVERS\TDI.SYS 20480 bytes (Microsoft Corporation, TDI Wrapper)

0xF786B000 C:\WINDOWS\system32\DRIVERS\usbohci.sys 20480 bytes (Microsoft Corporation, OHCI USB Miniport Driver)

0xF77A3000 C:\WINDOWS\System32\watchdog.sys 20480 bytes (Microsoft Corporation, Watchdog Driver)

0xF718E000 C:\WINDOWS\system32\DRIVERS\HPZipr12.sys 16384 bytes (HP, IEEE-1284.4-1999 Print Class Driver)

0xF69C0000 C:\WINDOWS\system32\DRIVERS\mssmbios.sys 16384 bytes (Microsoft Corporation, System Management BIOS Driver)

0xA6203000 C:\WINDOWS\system32\DRIVERS\ndisuio.sys 16384 bytes (Microsoft Corporation, NDIS User mode I/O Driver)

0xF714E000 C:\WINDOWS\system32\DRIVERS\PS2.sys 16384 bytes (Hewlett-Packard Company, PS2 SYS)

0xF718A000 C:\WINDOWS\system32\DRIVERS\Sacm2A.sys 16384 bytes ( , NDIS 5.0 Driver)

0xF7152000 C:\WINDOWS\system32\DRIVERS\serenum.sys 16384 bytes (Microsoft Corporation, Serial Port Enumerator)

0xF71BA000 C:\WINDOWS\system32\DRIVERS\srvkp.sys 16384 bytes (Silicon Integrated Systems Corporation, SiS VGA Driver Manager)

0xF7196000 C:\WINDOWS\system32\DRIVERS\usbscan.sys 16384 bytes (Microsoft Corporation, USB Scanner Driver)

0xF78AB000 C:\WINDOWS\system32\BOOTVID.dll 12288 bytes (Microsoft Corporation, VGA Boot Driver)

0xF716E000 C:\WINDOWS\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver)

0xF719A000 C:\WINDOWS\system32\DRIVERS\hidusb.sys 12288 bytes (Microsoft Corporation, USB Miniport Driver for Input Devices)

0xF7192000 C:\WINDOWS\system32\DRIVERS\mouhid.sys 12288 bytes (Microsoft Corporation, HID Mouse Filter Driver)

0xF714A000 C:\WINDOWS\system32\DRIVERS\ndistapi.sys 12288 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)

0xF715A000 C:\WINDOWS\system32\drivers\pfc.sys 12288 bytes (Padus, Inc., Padus® ASPI Shell)

0xF71C2000 C:\WINDOWS\system32\DRIVERS\rasacd.sys 12288 bytes (Microsoft Corporation, RAS Automatic Connection Driver)

0xF79EB000 C:\WINDOWS\System32\Drivers\Beep.SYS 8192 bytes (Microsoft Corporation, BEEP Driver)

0xF79F3000 C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS 8192 bytes

0xF79E9000 C:\WINDOWS\System32\Drivers\Fs_Rec.SYS 8192 bytes (Microsoft Corporation, File System Recognizer Driver)

0xF799B000 C:\WINDOWS\system32\KDCOM.DLL 8192 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)

0xF79ED000 C:\WINDOWS\System32\Drivers\mnmdd.SYS 8192 bytes (Microsoft Corporation, Frame buffer simulator)

0xF79EF000 C:\WINDOWS\System32\DRIVERS\RDPCDD.sys 8192 bytes (Microsoft Corporation, RDP Miniport)

0xF79E3000 C:\WINDOWS\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)

0xF79E7000 C:\WINDOWS\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)

0xF799D000 C:\WINDOWS\system32\DRIVERS\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll)

0xF7BCF000 C:\WINDOWS\system32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver)

0xF7B23000 C:\WINDOWS\System32\drivers\dxgthk.sys 4096 bytes (Microsoft Corporation, DirectX Graphics Driver Thunk)

0xF7B9A000 C:\WINDOWS\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver)

0xF7A63000 pciide.sys 4096 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)

==============================================

>Stealth

==============================================

0x055F0000 Hidden Image-->CLI.Aspect.Radeon3D.Graphics.Wizard.DLL [ EPROCESS 0x86B84AC8 ] PID: 592, 102400 bytes

0x05EE0000 Hidden Image-->CLI.Component.Dashboard.DLL [ EPROCESS 0x86B84AC8 ] PID: 592, 1150976 bytes

0x00DC0000 Hidden Image-->MOM.Implementation.DLL [ EPROCESS 0x86BC6468 ] PID: 1892, 118784 bytes

0x01340000 Hidden Image-->MOM.Implementation.DLL [ EPROCESS 0x86B84AC8 ] PID: 592, 118784 bytes

0x06930000 Hidden Image-->CLI.Aspect.VPURecover.Graphics.Dashboard.DLL [ EPROCESS 0x86B84AC8 ] PID: 592, 118784 bytes

0x062C0000 Hidden Image-->CLI.Aspect.DisplaysOptions.Graphics.Dashboard.DLL [ EPROCESS 0x86B84AC8 ] PID: 592, 135168 bytes

0x056B0000 Hidden Image-->CLI.Aspect.Welcome.Graphics.Dashboard.DLL [ EPROCESS 0x86B84AC8 ] PID: 592, 151552 bytes

0x05A50000 Hidden Image-->CLI.Aspect.DisplaysManager.Graphics.Wizard.DLL [ EPROCESS 0x86B84AC8 ] PID: 592, 1740800 bytes

0x05C00000 Hidden Image-->CLI.Aspect.InfoCentre.Graphics.Wizard.DLL [ EPROCESS 0x86B84AC8 ] PID: 592, 217088 bytes

0x056E0000 Hidden Image-->CLI.Aspect.InfoCentre.Graphics.Dashboard.DLL [ EPROCESS 0x86B84AC8 ] PID: 592, 233472 bytes

0x00F90000 Hidden Image-->MOM.Foundation.DLL [ EPROCESS 0x86BC6468 ] PID: 1892, 28672 bytes

0x011D0000 Hidden Image-->LOG.Foundation.Implementation.Private.DLL [ EPROCESS 0x86BC6468 ] PID: 1892, 28672 bytes

0x04C50000 Hidden Image-->CLI.Caste.Graphics.Runtime.Shared.Private.DLL [ EPROCESS 0x86B84AC8 ] PID: 592, 28672 bytes

0x047E0000 Hidden Image-->DEM.OS.DLL [ EPROCESS 0x86B84AC8 ] PID: 592, 28672 bytes

0x03780000 Hidden Image-->CLI.Component.Runtime.Shared.DLL [ EPROCESS 0x86B84AC8 ] PID: 592, 28672 bytes

0x00E40000 Hidden Image-->MOM.Foundation.DLL [ EPROCESS 0x86B84AC8 ] PID: 592, 28672 bytes

0x00E70000 Hidden Image-->LOG.Foundation.Implementation.Private.DLL [ EPROCESS 0x86B84AC8 ] PID: 592, 28672 bytes

0x03FE0000 Hidden Image-->AEM.Server.Shared.DLL [ EPROCESS 0x86B84AC8 ] PID: 592, 28672 bytes

0x04030000 Hidden Image-->AEM.Plugin.Hotkeys.Shared.DLL [ EPROCESS 0x86B84AC8 ] PID: 592, 28672 bytes

0x04010000 Hidden Image-->AEM.Plugin.DPPE.Shared.DLL [ EPROCESS 0x86B84AC8 ] PID: 592, 28672 bytes

0x04070000 Hidden Image-->AEM.Plugin.WinMessages.Shared.DLL [ EPROCESS 0x86B84AC8 ] PID: 592, 28672 bytes

0x041A0000 Hidden Image-->DEM.Graphics.DLL [ EPROCESS 0x86B84AC8 ] PID: 592, 28672 bytes

0x04190000 Hidden Image-->DEM.Foundation.DLL [ EPROCESS 0x86B84AC8 ] PID: 592, 28672 bytes

0x04520000 Hidden Image-->CLI.Caste.HydraVision.Shared.DLL [ EPROCESS 0x86B84AC8 ] PID: 592, 28672 bytes

0x04730000 Hidden Image-->AEM.Actions.CCAA.Shared.DLL [ EPROCESS 0x86B84AC8 ] PID: 592, 28672 bytes

0x047D0000 Hidden Image-->DEM.OS.I0602.DLL [ EPROCESS 0x86B84AC8 ] PID: 592, 28672 bytes

0x04810000 Hidden Image-->DEM.Graphics.I0709.dll [ EPROCESS 0x86B84AC8 ] PID: 592, 28672 bytes

0x04860000 Hidden Image-->AEM.Plugin.GD.Shared.DLL [ EPROCESS 0x86B84AC8 ] PID: 592, 28672 bytes

0x049C0000 Hidden Image-->DEM.Graphics.I0804.dll [ EPROCESS 0x86B84AC8 ] PID: 592, 28672 bytes

0x048A0000 Hidden Image-->ResourceManagement.Foundation.Private.DLL [ EPROCESS 0x86B84AC8 ] PID: 592, 28672 bytes

0x04B60000 Hidden Image-->APM.Foundation.DLL [ EPROCESS 0x86B84AC8 ] PID: 592, 28672 bytes

0x04BF0000 Hidden Image-->CLI.Component.Runtime.Extension.EEU.DLL [ EPROCESS 0x86B84AC8 ] PID: 592, 28672 bytes

0x04C10000 Hidden Image-->AEM.Plugin.REG.Shared.DLL [ EPROCESS 0x86B84AC8 ] PID: 592, 28672 bytes

0x04E60000 Hidden Image-->DEM.Graphics.I0712.dll [ EPROCESS 0x86B84AC8 ] PID: 592, 28672 bytes

0x04CA0000 Hidden Image-->DEM.Graphics.I0805.dll [ EPROCESS 0x86B84AC8 ] PID: 592, 28672 bytes

0x04D00000 Hidden Image-->DEM.Graphics.I0706.DLL [ EPROCESS 0x86B84AC8 ] PID: 592, 28672 bytes

0x04D40000 Hidden Image-->CLI.Aspect.HotkeysHandling.Graphics.Shared.DLL [ EPROCESS 0x86B84AC8 ] PID: 592, 28672 bytes

0x04D30000 Hidden Image-->CLI.Aspect.HotkeysHandling.Graphics.Runtime.DLL [ EPROCESS 0x86B84AC8 ] PID: 592, 28672 bytes

0x04EB0000 Hidden Image-->DEM.Graphics.I0812.dll [ EPROCESS 0x86B84AC8 ] PID: 592, 28672 bytes

0x04EC0000 Hidden Image-->CLI.Aspect.VPURecover.Graphics.Shared.DLL [ EPROCESS 0x86B84AC8 ] PID: 592, 28672 bytes

0x05640000 Hidden Image-->Branding.dll [ EPROCESS 0x86B84AC8 ] PID: 592, 28672 bytes

0x050C0000 Hidden Image-->CLI.Component.Dashboard.Shared.DLL [ EPROCESS 0x86B84AC8 ] PID: 592, 28672 bytes

0x050E0000 Hidden Image-->CLI.Component.Dashboard.Shared.Private.DLL [ EPROCESS 0x86B84AC8 ] PID: 592, 28672 bytes

0x051B0000 Hidden Image-->CLI.Caste.Graphics.Dashboard.Shared.DLL [ EPROCESS 0x86B84AC8 ] PID: 592, 28672 bytes

0x051D0000 Hidden Image-->CLI.Caste.Graphics.Wizard.Shared.DLL [ EPROCESS 0x86B84AC8 ] PID: 592, 28672 bytes

0x05430000 Hidden Image-->AEM.Plugin.EEU.Shared.DLL [ EPROCESS 0x86B84AC8 ] PID: 592, 28672 bytes

0x055E0000 Hidden Image-->CLI.Component.Wizard.Shared.DLL [ EPROCESS 0x86B84AC8 ] PID: 592, 28672 bytes

0x055C0000 Hidden Image-->CLI.Component.Client.Shared.DLL [ EPROCESS 0x86B84AC8 ] PID: 592, 28672 bytes

0x05610000 Hidden Image-->atixclib.DLL [ EPROCESS 0x86B84AC8 ] PID: 592, 28672 bytes

0x05630000 Hidden Image-->CLI.Caste.HydraVision.Wizard.DLL [ EPROCESS 0x86B84AC8 ] PID: 592, 28672 bytes

0x06100000 Hidden Image-->CLI.Caste.HydraVision.Dashboard.DLL [ EPROCESS 0x86B84AC8 ] PID: 592, 28672 bytes

0x04760000 Hidden Image-->CLI.Caste.Graphics.Runtime.DLL [ EPROCESS 0x86B84AC8 ] PID: 592, 299008 bytes

0x01310000 Hidden Image-->CCC.Implementation.DLL [ EPROCESS 0x86BC6468 ] PID: 1892, 36864 bytes

0x01320000 Hidden Image-->NEWAEM.Foundation.DLL [ EPROCESS 0x86BC6468 ] PID: 1892, 36864 bytes

0x00E10000 Hidden Image-->CCC.Implementation.DLL [ EPROCESS 0x86B84AC8 ] PID: 592, 36864 bytes

0x01370000 Hidden Image-->CLI.Foundation.XManifest.DLL [ EPROCESS 0x86B84AC8 ] PID: 592, 36864 bytes

0x036C0000 Hidden Image-->AxInterop.WBOCXLib.DLL [ EPROCESS 0x86B84AC8 ] PID: 592, 36864 bytes

0x037B0000 Hidden Image-->NEWAEM.Foundation.DLL [ EPROCESS 0x86B84AC8 ] PID: 592, 36864 bytes

0x03890000 Hidden Image-->Interop.WBOCXLib.DLL [ EPROCESS 0x86B84AC8 ] PID: 592, 36864 bytes

0x04480000 Hidden Image-->CLI.Caste.HydraVision.Runtime.DLL [ EPROCESS 0x86B84AC8 ] PID: 592, 36864 bytes

0x047C0000 Hidden Image-->ACE.Graphics.DisplaysManager.Shared.DLL [ EPROCESS 0x86B84AC8 ] PID: 592, 36864 bytes

0x04C80000 Hidden Image-->CLI.Aspect.CustomFormats.Graphics.Shared.DLL [ EPROCESS 0x86B84AC8 ] PID: 592, 36864 bytes

0x04DB0000 Hidden Image-->CLI.Aspect.DisplaysOptions.Graphics.Shared.DLL [ EPROCESS 0x86B84AC8 ] PID: 592, 36864 bytes

0x04D90000 Hidden Image-->CLI.Aspect.DisplaysColour2.Graphics.Shared.DLL [ EPROCESS 0x86B84AC8 ] PID: 592, 36864 bytes

0x04E20000 Hidden Image-->CLI.Aspect.DeviceLCD.Graphics.Shared.DLL [ EPROCESS 0x86B84AC8 ] PID: 592, 36864 bytes

0x04E80000 Hidden Image-->CLI.Aspect.VPURecover.Graphics.Runtime.DLL [ EPROCESS 0x86B84AC8 ] PID: 592, 36864 bytes

0x04ED0000 Hidden Image-->CLI.Aspect.SmartGart.Graphics.Runtime.DLL [ EPROCESS 0x86B84AC8 ] PID: 592, 36864 bytes

0x04EE0000 Hidden Image-->CLI.Aspect.SmartGart.Graphics.Shared.DLL [ EPROCESS 0x86B84AC8 ] PID: 592, 36864 bytes

0x05620000 Hidden Image-->CLI.Component.Wizard.Shared.Private.DLL [ EPROCESS 0x86B84AC8 ] PID: 592, 36864 bytes

0x05C40000 Hidden Image-->CLI.Aspect.DeviceTV.Graphics.Wizard.DLL [ EPROCESS 0x86B84AC8 ] PID: 592, 372736 bytes

0x06690000 Hidden Image-->CLI.Aspect.Radeon3D.Graphics.Dashboard.DLL [ EPROCESS 0x86B84AC8 ] PID: 592, 372736 bytes

0x05550000 Hidden Image-->CLI.Component.Wizard.DLL [ EPROCESS 0x86B84AC8 ] PID: 592, 413696 bytes

0x05730000 Hidden Image-->CLI.Aspect.MMVideo.Graphics.Wizard.DLL [ EPROCESS 0x86B84AC8 ] PID: 592, 413696 bytes

0x063F0000 Hidden Image-->CLI.Aspect.DeviceCRT.Graphics.Dashboard.DLL [ EPROCESS 0x86B84AC8 ] PID: 592, 446464 bytes

0x00DF0000 Hidden Image-->LOG.Foundation.DLL [ EPROCESS 0x86BC6468 ] PID: 1892, 45056 bytes

0x00E60000 Hidden Image-->LOG.Foundation.Private.DLL [ EPROCESS 0x86BC6468 ] PID: 1892, 45056 bytes

0x00E30000 Hidden Image-->LOG.Foundation.DLL [ EPROCESS 0x86B84AC8 ] PID: 592, 45056 bytes

0x00EB0000 Hidden Image-->LOG.Foundation.Private.DLL [ EPROCESS 0x86B84AC8 ] PID: 592, 45056 bytes

0x03790000 Hidden Image-->ATICCCom.DLL [ EPROCESS 0x86B84AC8 ] PID: 592, 45056 bytes

0x04D10000 Hidden Image-->CLI.Aspect.DeviceProperty.Graphics.Shared.DLL [ EPROCESS 0x86B84AC8 ] PID: 592, 45056 bytes

0x04C70000 Hidden Image-->CLI.Aspect.DeviceProperty.Graphics.Runtime.DLL [ EPROCESS 0x86B84AC8 ] PID: 592, 45056 bytes

0x04DA0000 Hidden Image-->CLI.Aspect.DisplaysOptions.Graphics.Runtime.DLL [ EPROCESS 0x86B84AC8 ] PID: 592, 45056 bytes

0x04E00000 Hidden Image-->CLI.Aspect.DeviceLCD.Graphics.Runtime.DLL [ EPROCESS 0x86B84AC8 ] PID: 592, 45056 bytes

0x041B0000 Hidden Image-->ATIDEMGX.dll [ EPROCESS 0x86B84AC8 ] PID: 592, 454656 bytes

0x06600000 Hidden Image-->CLI.Aspect.DeviceDFP.Graphics.Dashboard.DLL [ EPROCESS 0x86B84AC8 ] PID: 592, 462848 bytes

0x05200000 Hidden Image-->CLI.Aspect.TransCode.Graphics.Wizard.DLL [ EPROCESS 0x86B84AC8 ] PID: 592, 503808 bytes

0x05CC0000 Hidden Image-->ResourceManagement.Foundation.Implementation.DLL [ EPROCESS 0x86B84AC8 ] PID: 592, 512000 bytes

0x03760000 Hidden Image-->CLI.Foundation.Private.DLL [ EPROCESS 0x86B84AC8 ] PID: 592, 53248 bytes

0x03750000 Hidden Image-->CLI.Component.Runtime.Shared.Private.DLL [ EPROCESS 0x86B84AC8 ] PID: 592, 53248 bytes

0x037A0000 Hidden Image-->AEM.Server.DLL [ EPROCESS 0x86B84AC8 ] PID: 592, 53248 bytes

0x03FF0000 Hidden Image-->AEM.Plugin.Source.Kit.Server.DLL [ EPROCESS 0x86B84AC8 ] PID: 592, 53248 bytes

0x04180000 Hidden Image-->DEM.Graphics.I0601.DLL [ EPROCESS 0x86B84AC8 ] PID: 592, 53248 bytes

0x04C60000 Hidden Image-->CLI.Aspect.DeviceCV.Graphics.Shared.DLL [ EPROCESS 0x86B84AC8 ] PID: 592, 53248 bytes

0x04D60000 Hidden Image-->CLI.Aspect.DisplaysColour2.Graphics.Runtime.DLL [ EPROCESS 0x86B84AC8 ] PID: 592, 53248 bytes

0x04DC0000 Hidden Image-->CLI.Aspect.DeviceCRT.Graphics.Runtime.DLL [ EPROCESS 0x86B84AC8 ] PID: 592, 53248 bytes

0x05440000 Hidden Image-->CLI.Component.Client.Shared.Private.DLL [ EPROCESS 0x86B84AC8 ] PID: 592, 53248 bytes

0x051C0000 Hidden Image-->CLI.Caste.Graphics.Wizard.DLL [ EPROCESS 0x86B84AC8 ] PID: 592, 53248 bytes

0x05290000 Hidden Image-->CLI.Aspect.TransCode.Graphics.Shared.DLL [ EPROCESS 0x86B84AC8 ] PID: 592, 53248 bytes

0x053A0000 Hidden Image-->CLI.Component.Systemtray.DLL [ EPROCESS 0x86B84AC8 ] PID: 592, 552960 bytes

0x066F0000 Hidden Image-->CLI.Aspect.DisplaysColour2.Graphics.Dashboard.DLL [ EPROCESS 0x86B84AC8 ] PID: 592, 602112 bytes

0x04F90000 Hidden Image-->CLI.Aspect.MMVideo.Graphics.Shared.DLL [ EPROCESS 0x86B84AC8 ] PID: 592, 61440 bytes

0x04DD0000 Hidden Image-->CLI.Aspect.DeviceCRT.Graphics.Shared.DLL [ EPROCESS 0x86B84AC8 ] PID: 592, 61440 bytes

0x04E50000 Hidden Image-->CLI.Aspect.DeviceDFP.Graphics.Shared.DLL [ EPROCESS 0x86B84AC8 ] PID: 592, 61440 bytes

0x04F20000 Hidden Image-->CLI.Aspect.Radeon3D.Graphics.Shared.DLL [ EPROCESS 0x86B84AC8 ] PID: 592, 61440 bytes

0x00E70000 Hidden Image-->LOG.Foundation.Implementation.DLL [ EPROCESS 0x86BC6468 ] PID: 1892, 69632 bytes

0x00E80000 Hidden Image-->LOG.Foundation.Implementation.DLL [ EPROCESS 0x86B84AC8 ] PID: 592, 69632 bytes

0x03690000 Hidden Image-->CLI.Component.SkinFactory.DLL [ EPROCESS 0x86B84AC8 ] PID: 592, 69632 bytes

0x04740000 Hidden Image-->CLI.Caste.Graphics.Shared.DLL [ EPROCESS 0x86B84AC8 ] PID: 592, 69632 bytes

0x04B40000 Hidden Image-->APM.Server.DLL [ EPROCESS 0x86B84AC8 ] PID: 592, 69632 bytes

0x04F00000 Hidden Image-->CLI.Aspect.Radeon3D.Graphics.Runtime.DLL [ EPROCESS 0x86B84AC8 ] PID: 592, 69632 bytes

0x06200000 Hidden Image-->CLI.Aspect.DisplaysManager.Graphics.Dashboard.DLL [ EPROCESS 0x86B84AC8 ] PID: 592, 724992 bytes

0x04C30000 Hidden Image-->CLI.Aspect.DeviceCV.Graphics.Runtime.DLL [ EPROCESS 0x86B84AC8 ] PID: 592, 77824 bytes

0x04CE0000 Hidden Image-->CLI.Aspect.DeviceTV.Graphics.Shared.DLL [ EPROCESS 0x86B84AC8 ] PID: 592, 77824 bytes

0x04E30000 Hidden Image-->CLI.Aspect.DeviceDFP.Graphics.Runtime.DLL [ EPROCESS 0x86B84AC8 ] PID: 592, 77824 bytes

0x06530000 Hidden Image-->CLI.Aspect.DeviceTV.Graphics.Dashboard.DLL [ EPROCESS 0x86B84AC8 ] PID: 592, 806912 bytes

0x06860000 Hidden Image-->CLI.Aspect.MMVideo.Graphics.Dashboard.DLL [ EPROCESS 0x86B84AC8 ] PID: 592, 823296 bytes

0x00E50000 Hidden Image-->CLI.Foundation.DLL [ EPROCESS 0x86B84AC8 ] PID: 592, 86016 bytes

0x04CB0000 Hidden Image-->CLI.Aspect.DeviceTV.Graphics.Runtime.DLL [ EPROCESS 0x86B84AC8 ] PID: 592, 86016 bytes

0x05690000 Hidden Image-->CLI.Caste.Graphics.Dashboard.DLL [ EPROCESS 0x86B84AC8 ] PID: 592, 86016 bytes

0x03730000 Hidden Image-->CLI.Component.Runtime.DLL [ EPROCESS 0x86B84AC8 ] PID: 592, 94208 bytes

0x04840000 Hidden Image-->ATIDEMOS.DLL [ EPROCESS 0x86B84AC8 ] PID: 592, 94208 bytes

0x04F60000 Hidden Image-->CLI.Aspect.MMVideo.Graphics.Runtime.DLL [ EPROCESS 0x86B84AC8 ] PID: 592, 94208 bytes

And here is MBRCheck (received no warnings):

MBRCheck, version 1.2.3

© 2010, AD

 

Command-line:

Windows Version: Windows XP Home Edition

Windows Information: Service Pack 2 (build 2600)

Logical Drives Mask: 0x0000079c

 

Kernel Drivers (total 128):

0x804D7000 \WINDOWS\system32\ntkrnlpa.exe

0x806CE000 \WINDOWS\system32\hal.dll

0xF799B000 \WINDOWS\system32\KDCOM.DLL

0xF78AB000 \WINDOWS\system32\BOOTVID.dll

0xF736C000 ACPI.sys

0xF799D000 \WINDOWS\system32\DRIVERS\WMILIB.SYS

0xF735B000 pci.sys

0xF749B000 isapnp.sys

0xF7A63000 pciide.sys

0xF771B000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS

0xF74AB000 MountMgr.sys

0xF733C000 ftdisk.sys

0xF7723000 PartMgr.sys

0xF74BB000 VolSnap.sys

0xF7324000 atapi.sys

0xF74CB000 disk.sys

0xF74DB000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS

0xF7304000 fltMgr.sys

0xF72F2000 sr.sys

0xF74EB000 PxHelp20.sys

0xF72DB000 KSecDD.sys

0xF724E000 Ntfs.sys

0xF7221000 NDIS.sys

0xF74FB000 SISAGPX.sys

0xF750B000 ohci1394.sys

0xF751B000 \WINDOWS\system32\DRIVERS\1394BUS.SYS

0xF7206000 Mup.sys

0xF752B000 gagp30kx.sys

0xF75CB000 \SystemRoot\system32\DRIVERS\nic1394.sys

0xF76AB000 \SystemRoot\system32\DRIVERS\AmdK8.sys

0xF6531000 \SystemRoot\system32\DRIVERS\ati2mtag.sys

0xF651D000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS

0xF76BB000 \SystemRoot\system32\DRIVERS\imapi.sys

0xF715A000 \SystemRoot\system32\drivers\pfc.sys

0xF785B000 \SystemRoot\system32\drivers\iviaspi.sys

0xF76CB000 \SystemRoot\system32\DRIVERS\cdrom.sys

0xF76DB000 \SystemRoot\system32\DRIVERS\redbook.sys

0xF64FA000 \SystemRoot\system32\DRIVERS\ks.sys

0xF7863000 \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys

0xF610B000 \SystemRoot\system32\drivers\ALCXWDM.SYS

0xF60E7000 \SystemRoot\system32\drivers\portcls.sys

0xF76EB000 \SystemRoot\system32\drivers\drmk.sys

0xF786B000 \SystemRoot\system32\DRIVERS\usbohci.sys

0xF60C4000 \SystemRoot\system32\DRIVERS\USBPORT.SYS

0xF7873000 \SystemRoot\system32\DRIVERS\usbehci.sys

0xF787B000 \SystemRoot\system32\DRIVERS\sisnic.sys

0xF76FB000 \SystemRoot\system32\DRIVERS\serial.sys

0xF7152000 \SystemRoot\system32\DRIVERS\serenum.sys

0xF60B0000 \SystemRoot\system32\DRIVERS\parport.sys

0xF770B000 \SystemRoot\system32\DRIVERS\i8042prt.sys

0xF714E000 \SystemRoot\system32\DRIVERS\PS2.sys

0xF7883000 \SystemRoot\system32\DRIVERS\kbdclass.sys

0xF7BCF000 \SystemRoot\system32\DRIVERS\audstub.sys

0xF755B000 \SystemRoot\system32\DRIVERS\rasl2tp.sys

0xF714A000 \SystemRoot\system32\DRIVERS\ndistapi.sys

0xF6099000 \SystemRoot\system32\DRIVERS\ndiswan.sys

0xF6977000 \SystemRoot\system32\DRIVERS\raspppoe.sys

0xF6967000 \SystemRoot\system32\DRIVERS\raspptp.sys

0xF788B000 \SystemRoot\system32\DRIVERS\TDI.SYS

0xF6088000 \SystemRoot\system32\DRIVERS\psched.sys

0xF6957000 \SystemRoot\system32\DRIVERS\msgpc.sys

0xF7893000 \SystemRoot\system32\DRIVERS\ptilink.sys

0xF789B000 \SystemRoot\system32\DRIVERS\raspti.sys

0xF6947000 \SystemRoot\system32\DRIVERS\termdd.sys

0xF78A3000 \SystemRoot\system32\DRIVERS\mouclass.sys

0xF79E3000 \SystemRoot\system32\DRIVERS\swenum.sys

0xF5FFE000 \SystemRoot\system32\DRIVERS\update.sys

0xF69C0000 \SystemRoot\system32\DRIVERS\mssmbios.sys

0xF6937000 \SystemRoot\System32\Drivers\NDProxy.SYS

0xF68F7000 \SystemRoot\system32\DRIVERS\usbhub.sys

0xF79E7000 \SystemRoot\system32\DRIVERS\USBD.SYS

0xF79E9000 \SystemRoot\System32\Drivers\Fs_Rec.SYS

0xF7B9A000 \SystemRoot\System32\Drivers\Null.SYS

0xF79EB000 \SystemRoot\System32\Drivers\Beep.SYS

0xF7753000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS

0xF775B000 \SystemRoot\System32\drivers\vga.sys

0xF79ED000 \SystemRoot\System32\Drivers\mnmdd.SYS

0xF79EF000 \SystemRoot\System32\DRIVERS\RDPCDD.sys

0xF7763000 \SystemRoot\System32\Drivers\Msfs.SYS

0xF776B000 \SystemRoot\System32\Drivers\Npfs.SYS

0xF71C2000 \SystemRoot\system32\DRIVERS\rasacd.sys

0xA87A5000 \SystemRoot\system32\DRIVERS\ipsec.sys

0xA874D000 \SystemRoot\system32\DRIVERS\tcpip.sys

0xA8725000 \SystemRoot\system32\DRIVERS\netbt.sys

0xA8703000 \SystemRoot\System32\drivers\afd.sys

0xF68E7000 \SystemRoot\system32\DRIVERS\netbios.sys

0xF71BA000 \SystemRoot\system32\DRIVERS\srvkp.sys

0xA8641000 \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS

0xF7773000 \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS

0xA8616000 \SystemRoot\system32\DRIVERS\rdbss.sys

0xA85A7000 \SystemRoot\system32\DRIVERS\mrxsmb.sys

0xF757B000 \SystemRoot\System32\Drivers\Fips.SYS

0xA8586000 \SystemRoot\system32\DRIVERS\ipnat.sys

0xF758B000 \SystemRoot\system32\DRIVERS\wanarp.sys

0xF759B000 \SystemRoot\system32\DRIVERS\arp1394.sys

0xF777B000 \SystemRoot\system32\DRIVERS\usbccgp.sys

0xF719A000 \SystemRoot\system32\DRIVERS\hidusb.sys

0xF75AB000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS

0xF7783000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS

0xF7196000 \SystemRoot\system32\DRIVERS\usbscan.sys

0xF7793000 \SystemRoot\system32\DRIVERS\usbprint.sys

0xF779B000 \SystemRoot\system32\DRIVERS\HPZius12.sys

0xF7192000 \SystemRoot\system32\DRIVERS\mouhid.sys

0xF75BB000 \SystemRoot\system32\DRIVERS\HPZid412.sys

0xF718E000 \SystemRoot\system32\DRIVERS\HPZipr12.sys

0xF718A000 \SystemRoot\system32\DRIVERS\Sacm2A.sys

0xA853B000 \SystemRoot\System32\Drivers\Fastfat.SYS

0xA8523000 \SystemRoot\System32\Drivers\dump_atapi.sys

0xF79F3000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS

0xBF800000 \SystemRoot\System32\win32k.sys

0xF716E000 \SystemRoot\System32\drivers\Dxapi.sys

0xF77A3000 \SystemRoot\System32\watchdog.sys

0xBD000000 \SystemRoot\System32\drivers\dxg.sys

0xF7B23000 \SystemRoot\System32\drivers\dxgthk.sys

0xBD012000 \SystemRoot\System32\ati2dvag.dll

0xBD065000 \SystemRoot\System32\ati2cqag.dll

0xBD0FE000 \SystemRoot\System32\atikvmag.dll

0xBD182000 \SystemRoot\System32\ati3duag.dll

0xBD527000 \SystemRoot\System32\ativvaxx.dll

0xBFFA0000 \SystemRoot\System32\ATMFD.DLL

0xA6203000 \SystemRoot\system32\DRIVERS\ndisuio.sys

0xA62AB000 \SystemRoot\system32\DRIVERS\secdrv.sys

0xA5EAB000 \??\C:\WINDOWS\system32\drivers\tmcomm.sys

0xA5F1B000 \SystemRoot\System32\Drivers\Cdfs.SYS

0xA5CB6000 \SystemRoot\system32\drivers\wdmaud.sys

0xA60EB000 \SystemRoot\system32\drivers\sysaudio.sys

0xA573D000 \SystemRoot\system32\drivers\kmixer.sys

0x7C900000 \WINDOWS\system32\ntdll.dll

 

Processes (total 34):

0 System Idle Process

4 System

716 C:\WINDOWS\system32\smss.exe

808 csrss.exe

840 C:\WINDOWS\system32\winlogon.exe

892 C:\WINDOWS\system32\services.exe

904 C:\WINDOWS\system32\lsass.exe

1080 C:\WINDOWS\system32\svchost.exe

1132 svchost.exe

1264 C:\WINDOWS\system32\svchost.exe

1316 svchost.exe

1608 C:\WINDOWS\system32\spoolsv.exe

1676 C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

1720 C:\Program Files\Bonjour\mDNSResponder.exe

1776 C:\Program Files\Java\jre6\bin\jqs.exe

1856 C:\WINDOWS\system32\snmp.exe

652 alg.exe

1244 C:\WINDOWS\explorer.exe

1476 C:\Program Files\Common Files\Java\Java Update\jusched.exe

1624 C:\WINDOWS\soundman.exe

1760 C:\Program Files\HP\HP Software Update\hpwuSchd2.exe

1892 C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

1920 C:\WINDOWS\AGRSMMSG.exe

1948 C:\WINDOWS\system32\hphmon06.exe

276 C:\WINDOWS\system\hpsysdrv.exe

304 C:\Program Files\iTunes\iTunesHelper.exe

540 C:\WINDOWS\system32\ctfmon.exe

592 C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe

1304 C:\Program Files\iPod\bin\iPodService.exe

2060 C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

2160 C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe

3028 C:\Program Files\Mozilla Thunderbird\thunderbird.exe

3144 C:\Program Files\Internet Explorer\IEXPLORE.EXE

4056 C:\Documents and Settings\HP_Owner\Desktop\MBRCheck.exe

 

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000001`be32e000 (NTFS)

\\.\D: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (FAT32)

 

PhysicalDrive0 Model Number: WDCWD2000BB-22GUA0, Rev: 08.02D08

 

Size Device Name MBR Status

--------------------------------------------

186 GB \\.\PhysicalDrive0 Legit MBR code detected

SHA1: F75A10171F7488C11BA9A98CEC3D186D7A8D3972

 

 

Done!

I need to make sure: can you access the Recovery Console on the machine?

I still have more research to do and will be asking a colleague to take a look; it is very possible those infected files will have to be replaced from within the Recovery Console.

 

Also, is this machine SP2?

 

Please download Rootkit Unhooker and save it on your desktop.

http://www.rootkit.c...KUnhookerLE.EXE

 

* Disable your security programs

* Double click RKUnhookerLE.exe to run it

* Click the Report tab, then click Scan

* Check Drivers and Stealth Code,

* Uncheck the rest, then click OK

* When prompted to Select Disks for Scan, make sure C:\ is checked and click OK

* Wait till the scanner has finished then go File > Save Report

* Save the report somewhere you can find it. Click Close

* Copy the entire contents of the report and paste it in your next reply.

 

Note - You may get this warning, it is ok, just ignore it:

 

"Rootkit Unhooker has detected a parasite inside itself!

It is recommended to remove parasite, okay?"

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

Please download MBRCheck by ad_13 and save it to your desktop.

 

Double-click to run. A window will pop up. If it says 'non-standard' or 'infected' MBR code detected, please type 3 for Exit for now and press Enter.

 

It will save a logfile on your desktop that starts with MBR, then has the date, etc. Please copy and paste the contents of that log in your reply.

You may need several replies to post the requested logs, otherwise they might get cut off.
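The two driver lists posted above come from different tools (Rootkit Unhooker's driver scan and MBRCheck's kernel-module list). A defender's first pass over such logs is to diff the two views by load address: a module that one tool reports and the other does not, or two different names at the same base address, is what to look at first. The Python below is an added example, not part of the thread and not code from either tool; it parses both line formats as they appear in the logs above and reports the differences. The sample lines are constructed for the example (four are copied from the logs, and the `example_a.sys` / `example_b.sys` entries at address `0xA5000000` are made up) so that it runs offline.

```python
import re

# RKUnhooker driver line, as in the report above:
#   0xF76BB000 C:\WINDOWS\system32\DRIVERS\imapi.sys 45056 bytes (Vendor, Description)
# The "(...)" part is missing for some modules, e.g. dump_WMILIB.SYS.
RKU_RE = re.compile(
    r"^(?P<base>0x[0-9A-Fa-f]{8})\s+(?P<path>.+?)\s+(?P<size>\d+) bytes"
    r"(?:\s+\((?P<info>.*)\))?$"
)
# MBRCheck "Kernel Drivers" line:
#   0xF76BB000 \SystemRoot\system32\DRIVERS\imapi.sys
MBR_RE = re.compile(r"^(?P<base>0x[0-9A-Fa-f]{8})\s+(?P<path>\S.*)$")

# Constructed samples in the two formats. Four lines are copied from the logs
# above; example_a.sys / example_b.sys and their address 0xA5000000 are made up
# to show a name mismatch at one base address.
RKU_SAMPLE = r"""
0xF76BB000 C:\WINDOWS\system32\DRIVERS\imapi.sys 45056 bytes (Microsoft Corporation, IMAPI Kernel Driver)
0xF74AB000 MountMgr.sys 45056 bytes (Microsoft Corporation, Mount Manager)
0xF79F3000 C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS 8192 bytes
0xA5948000 C:\WINDOWS\System32\Drivers\Normandy.SYS 36864 bytes (RKU Driver)
0xA5000000 C:\WINDOWS\system32\drivers\example_a.sys 16384 bytes (Constructed Vendor, constructed entry)
==============================================
>Stealth
==============================================
0x055F0000 Hidden Image-->Some.DLL [ EPROCESS 0x86B84AC8 ] PID: 592, 102400 bytes
"""

MBR_SAMPLE = r"""
Kernel Drivers (total 5):
0xF76BB000 \SystemRoot\system32\DRIVERS\imapi.sys
0xF74AB000 MountMgr.sys
0xF79F3000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xA5000000 \??\C:\WINDOWS\system32\drivers\example_b.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 1):
4 System
"""


def basename(path):
    # Last path component, lower-cased, so that a C:\WINDOWS\... path, a
    # \SystemRoot\... path and a bare file name all compare equal.
    return path.rsplit("\\", 1)[-1].lower()


def parse_rku_drivers(text):
    """Map kernel base address -> module record from an RKUnhooker report."""
    mods = {}
    for line in text.splitlines():
        m = RKU_RE.match(line.strip())
        if not m or "-->" in m["path"]:  # skip "Hidden Image-->" lines of the Stealth section
            continue
        mods[int(m["base"], 16)] = {
            "path": m["path"], "name": basename(m["path"]),
            "size": int(m["size"]), "info": m["info"] or "",
        }
    return mods


def parse_mbrcheck_drivers(text):
    """Map kernel base address -> module record from MBRCheck's 'Kernel Drivers' section."""
    mods, in_section = {}, False
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("Kernel Drivers"):
            in_section = True
            continue
        if s.startswith("Processes"):  # next section of the log
            break
        m = MBR_RE.match(s) if in_section else None
        if m:
            mods[int(m["base"], 16)] = {"path": m["path"], "name": basename(m["path"])}
    return mods


def cross_view(rku, mbr):
    """Differences between the two kernel-module views, keyed by load address."""
    common = rku.keys() & mbr.keys()
    return {
        "only_in_rku": sorted(rku[b]["path"] for b in rku.keys() - mbr.keys()),
        "only_in_mbrcheck": sorted(mbr[b]["path"] for b in mbr.keys() - rku.keys()),
        "name_mismatch": sorted(
            (f"0x{b:08X}", rku[b]["name"], mbr[b]["name"])
            for b in common if rku[b]["name"] != mbr[b]["name"]
        ),
        # modules RKUnhooker could not attribute to any vendor string
        "unattributed": sorted(rku[b]["path"] for b in rku if not rku[b]["info"]),
    }


if __name__ == "__main__":
    for key, value in cross_view(parse_rku_drivers(RKU_SAMPLE),
                                 parse_mbrcheck_drivers(MBR_SAMPLE)).items():
        print(key, value)
```

Some mismatches are expected and explain themselves: each tool's own driver (Normandy.SYS is Rootkit Unhooker's) is only loaded while that tool runs, and the dump_* entries are Windows' crash-dump copies of storage drivers, so a missing vendor string there is normal. The findings worth a closer look are a name mismatch at one address and an unattributed module that is not a dump_ driver.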

Hi,

 

Juliet asked if I'd stop by to lend a hand.

 

First let's see if you have any replacements on the machine that we can use. If not, we'll have you download SP3 and extract them from there.

 

Please do the following:

 

 

Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1

Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:

    :filefind
    *explorer*
    *winlogon*

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

 

NEXT

 

Download the SP3 package to your desktop from here http://www.microsoft.com/downloads/details.aspx?FamilyId=5B33B5A8-5E76-401F-BE08-1E1555D4F3D4&displaylang=en

 

Download it to your desktop and leave it for now. We may need this to extract Explorer and winlogon from, so we can replace those files if replacements aren't already on the machine. Once we have replaced the infected files, you should update your computer as well, as Microsoft has stopped supporting SP2.
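The helper's aim above is to find a clean copy of explorer.exe (and winlogon.exe) already on disk before falling back to extracting one from the SP3 package. As an added example (not the helper's procedure and not SystemLook's code), the Python below parses SystemLook `:filefind` result lines, takes the hash of the live file and sorts every other copy into three buckets: identical to the live file (no use as a replacement if the live one is the infected one, which is what ComboFix's quarantined `.vir` copy will be), different hash (a candidate replacement, still to be checked for version and signature), or the CAB-compressed install source (`.EX_`), whose hash cannot be compared until it is expanded. The sample log is constructed in SystemLook's format, and its MD5 values are placeholders, not hashes of any real file.

```python
import re
from pathlib import PureWindowsPath

# One SystemLook ":filefind" result line, as printed in the log on this page:
#   <path> <attributes> <size> bytes [<time date>] [<time date>] <MD5>
FILEFIND_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<attrs>[-a-zA-Z]{7})\s+(?P<size>\d+) bytes "
    r"\[(?P<ts1>[^\]]+)\] \[(?P<ts2>[^\]]+)\] (?P<md5>[0-9A-Fa-f]{32})$"
)

# Constructed sample in SystemLook's format. The paths mirror the places XP
# keeps spare copies (hotfix cache, uninstall folder, I386 source, ComboFix
# quarantine); the MD5 values are placeholders.
SAMPLE_LOG = r"""
Searching for "*explorer* "
C:\WINDOWS\explorer.exe --a---- 1033216 bytes [04:00 04/08/2004] [11:26 13/06/2007] 11111111111111111111111111111111
C:\Qoobox\Quarantine\C\WINDOWS\explorer.exe.vir --a---- 1033216 bytes [04:00 04/08/2004] [11:26 13/06/2007] 11111111111111111111111111111111
C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe --a---- 1033216 bytes [11:26 13/06/2007] [11:26 13/06/2007] 22222222222222222222222222222222
C:\WINDOWS\$NtUninstallKB938828$\explorer.exe -----c- 1032192 bytes [07:02 15/08/2007] [04:00 04/08/2004] 33333333333333333333333333333333
C:\WINDOWS\I386\EXPLORER.EX_ --a---- 359533 bytes [04:00 04/08/2004] [04:00 04/08/2004] 44444444444444444444444444444444
C:\Documents and Settings\HP_Owner\Start Menu\Programs\Internet Explorer.lnk --a---- 778 bytes [18:15 03/05/2005] [18:15 03/05/2005] 55555555555555555555555555555555
"""


def parse_filefind(text):
    """Return one dict per file line; the header and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = FILEFIND_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["size"] = int(d["size"])
            d["md5"] = d["md5"].upper()
            entries.append(d)
    return entries


def triage(entries, live_path):
    """Sort every on-disk copy of the live file by how it compares to the live one.

    same_hash:  byte-identical to the live file (useless if the live file is infected)
    other_hash: full copy with a different hash (candidate replacement; verify version
                and signature before using it)
    compressed: CAB-compressed install source (.EX_); not hash-comparable until expanded
    Shortcuts and other wildcard noise (.lnk, .png, .zip) are ignored.
    """
    p = PureWindowsPath(live_path)
    live_name = p.name.lower()                                    # "explorer.exe"
    compressed_name = p.stem.lower() + p.suffix.lower()[:-1] + "_"  # "explorer.ex_"
    live = next((e for e in entries if e["path"].lower() == live_path.lower()), None)
    result = {"live_md5": live["md5"] if live else None,
              "same_hash": [], "other_hash": [], "compressed": []}
    for e in entries:
        if e is live:
            continue
        name = PureWindowsPath(e["path"]).name.lower()
        if name == compressed_name:
            result["compressed"].append(e["path"])
        elif name in (live_name, live_name + ".vir"):  # ComboFix quarantine appends .vir
            bucket = "same_hash" if live and e["md5"] == live["md5"] else "other_hash"
            result[bucket].append(e["path"])
    for key in ("same_hash", "other_hash", "compressed"):
        result[key].sort()
    return result


if __name__ == "__main__":
    for key, value in triage(parse_filefind(SAMPLE_LOG), r"C:\WINDOWS\explorer.exe").items():
        print(key, value)
```

The triage says where to look, not which copy to install: a candidate with a different hash still has to carry the right file version and a valid Microsoft signature (the Sigcheck output quoted earlier in the thread is that kind of evidence) before it replaces anything, and an `.EX_` source has to be expanded first.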

Here's the SystemLook log:

 

SystemLook 04.09.10 by jpshortstuff

Log created at 18:34 on 20/10/2010 by HP_Owner

Administrator - Elevation successful

 

========== filefind ==========

 

Searching for "*explorer* "

C:\ComboFix\explorer.exe.ND_ --a---- 42 bytes [23:51 19/10/2010] [23:51 19/10/2010] 689289188496F908DD375271D8F501CD

C:\Documents and Settings\Administrator.BEEBO\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk --a---- 779 bytes [13:29 15/10/2010] [03:41 15/10/2004] 421127ED3F5290FCD6D85BDDF62276AB

C:\Documents and Settings\Administrator.BEEBO\Start Menu\Programs\Internet Explorer.lnk --a---- 767 bytes [13:29 15/10/2010] [03:41 15/10/2004] 70C1F99BF99073644AD2E2C72E9BEDED

C:\Documents and Settings\Administrator.BEEBO\Start Menu\Programs\Accessories\Windows Explorer.lnk --a---- 1487 bytes [13:29 15/10/2010] [03:36 15/10/2004] 0764C03EE8D2271F92ED9E72E4B81B91

C:\Documents and Settings\All Users\Start Menu\Programs\Online Services\MSN Explorer.lnk --a---- 1869 bytes [11:16 26/02/2005] [11:16 26/02/2005] 625A9A21E397C45801517B1379BBFAD6

C:\Documents and Settings\Default User\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk --a---- 779 bytes [18:13 03/05/2005] [03:41 15/10/2004] 421127ED3F5290FCD6D85BDDF62276AB

C:\Documents and Settings\Default User\Start Menu\Programs\Internet Explorer.lnk --a---- 767 bytes [18:13 03/05/2005] [03:41 15/10/2004] 70C1F99BF99073644AD2E2C72E9BEDED

C:\Documents and Settings\Default User\Start Menu\Programs\Accessories\Windows Explorer.lnk --a---- 1487 bytes [03:36 15/10/2004] [03:36 15/10/2004] 0764C03EE8D2271F92ED9E72E4B81B91

C:\Documents and Settings\Guest\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk --a---- 790 bytes [23:49 22/11/2007] [23:50 22/11/2007] 7BE33666840B9A77879FBA2B7E9D2C26

C:\Documents and Settings\Guest\Start Menu\Programs\Internet Explorer.lnk --a---- 778 bytes [23:49 22/11/2007] [23:50 22/11/2007] 4FD9D0A88975E3962A2782B8528F7EAB

C:\Documents and Settings\Guest\Start Menu\Programs\Accessories\Windows Explorer.lnk --a---- 1487 bytes [23:49 22/11/2007] [03:36 15/10/2004] 0764C03EE8D2271F92ED9E72E4B81B91

C:\Documents and Settings\HP_Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk --a---- 790 bytes [18:15 03/05/2005] [18:15 03/05/2005] 7DBB80BD4F807D059F055653197A0F98

C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\9Y6LT2NQ\strange explorer[1].PNG --a---- 20103 bytes [12:37 20/10/2010] [12:37 20/10/2010] 714C55EE7B188AEB53DC5CF9E2E5989E

C:\Documents and Settings\HP_Owner\Start Menu\Programs\Internet Explorer.lnk --a---- 778 bytes [18:15 03/05/2005] [18:15 03/05/2005] BBD3BF9ABF1605628E8BB55163D2AEF6

C:\Documents and Settings\HP_Owner\Start Menu\Programs\Accessories\Windows Explorer.lnk --a---- 1487 bytes [18:15 03/05/2005] [03:36 15/10/2004] 0764C03EE8D2271F92ED9E72E4B81B91

C:\emulation\MameUI32\snap\explorer.png --a---- 1870 bytes [18:54 04/12/2006] [21:25 28/09/2005] 5EC9BA525039E025A4988390B2911DA6

C:\Program Files\ATI Technologies\ATI.ACE\Skins\CATALYST_Quicksilver\explorer_bg.bmp --a---- 376 bytes [22:53 25/08/2006] [22:53 25/08/2006] 9B0486CC57A2217BE01127D3B373D86F

C:\Program Files\ATI Technologies\ATI.ACE\Skins\CATALYST_SteelBlue\explorer_bg.bmp --a---- 376 bytes [22:53 25/08/2006] [22:53 25/08/2006] 9B0486CC57A2217BE01127D3B373D86F

C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\Explorer.zip --a---- 20394 bytes [02:48 07/03/2006] [02:48 07/03/2006] B469409C2B2A33C542190B720E11BD79

C:\Program Files\Online Services\Use MSN Explorer to sign up for Internet Access (US only).lnk --a---- 1717 bytes [03:35 15/10/2004] [11:16 26/02/2005] 70F20F74CE0DFF0E46A4A7394368D2FA

C:\Qoobox\Quarantine\C\WINDOWS\explorer.exe.vir --a---- 1033216 bytes [04:00 04/08/2004] [11:26 13/06/2007] 4F5B2DD41273073A79FD30BAEDE1A06D

C:\WINDOWS\explorer.exe --a---- 1033216 bytes [04:00 04/08/2004] [11:26 13/06/2007] 4F5B2DD41273073A79FD30BAEDE1A06D

C:\WINDOWS\explorer.scf --a---- 80 bytes [04:00 04/08/2004] [04:00 04/08/2004] A3975A7D2C98B30A2AE010754FFB9392

C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe --a---- 1033216 bytes [11:26 13/06/2007] [11:26 13/06/2007] 7712DF0CDDE3A5AC89843E61CD5B3658

C:\WINDOWS\$NtUninstallKB938828$\explorer.exe -----c- 1032192 bytes [07:02 15/08/2007] [04:00 04/08/2004] A0732187050030AE399B241436565E64

C:\WINDOWS\I386\EXPLORER.EX_ --a---- 359533 bytes [04:00 04/08/2004] [04:00 04/08/2004] 4F061B12F3D5457315A0314954E7EF46

C:\WINDOWS\I386\EXPLORER.SC_ --a---- 181 bytes [04:00 04/08/2004] [04:00 04/08/2004] BC5B38879C56DFBC05C8B5C43AC4D739

C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\explorer.exe --a---- 1033728 bytes [23:09 29/08/2008] [00:12 14/04/2008] 12896823FB95BFB3DC9B46BCAEDC9923

C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk --a---- 779 bytes [18:14 03/05/2005] [03:41 15/10/2004] 421127ED3F5290FCD6D85BDDF62276AB

C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Internet Explorer.lnk --a---- 767 bytes [18:14 03/05/2005] [03:41 15/10/2004] 70C1F99BF99073644AD2E2C72E9BEDED

C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Accessories\Windows Explorer.lnk --a---- 1487 bytes [03:36 15/10/2004] [03:36 15/10/2004] 0764C03EE8D2271F92ED9E72E4B81B91

 

Searching for "*winlogon*"

C:\ComboFix\winlogon.exe.ND_ --a---- 14 bytes [23:51 19/10/2010] [23:51 19/10/2010] 786634D07265024A4A0812DA59B6B2EB

C:\Documents and Settings\All Users\Application Data\SecTaskMan\_winlogon1557AA07 --a---- 36231 bytes [22:54 18/10/2010] [22:54 18/10/2010] 04674C7A763D9113A549FED66A7BF97F

C:\hp\bin\winlogon.reg --a---- 278 bytes [11:38 26/02/2005] [13:49 23/10/2001] 329635F24C2EB6E4B850598AC7CC7AA4

C:\WINDOWS\I386\WINLOGON.EX_ --a---- 261115 bytes [04:00 04/08/2004] [04:00 04/08/2004] F41C4F5745589D0BB8268C02B71594CA

C:\WINDOWS\pchealth\ERRORREP\UserDumps\winlogon.exe.20101015-182645-00.hdmp --a---- 7185568 bytes [18:26 15/10/2010] [18:26 15/10/2010] 33B2BE7BD14D49772CA4C8931A8EA508

C:\WINDOWS\pchealth\ERRORREP\UserDumps\winlogon.exe.20101015-182645-00.mdmp --a--c- 75039 bytes [18:26 15/10/2010] [18:26 15/10/2010] 2DC735D6E07A4ACBF4C8C86741FA1561

C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\winlogon.exe --a---- 507904 bytes [23:11 29/08/2008] [00:12 14/04/2008] ED0EF0A136DEC83DF69F04118870003E

C:\WINDOWS\system32\winlogon.exe --a---- 502272 bytes [04:00 04/08/2004] [04:00 04/08/2004] B9C7CEF5B9303E38D53C32503BEAA51C

 

-= EOF =-

 

 

Yes, I had disabled Windows updates about a year ago, and I mean all of them, even the system-critical ones. In retrospect probably not a good idea, but at the time whatever new update they were installing on my system was wreaking absolute havoc. Some sort of software conflict with something else I was running. Had to use a restore point to even make the computer usable. I guess I will try and figure out how to turn updates back on and hopefully whatever software conflict they were causing will be resolved by now.


OK, good. There are suitable replacements available; please do the following:

 

 

Go to Start > Run type cmd into the open run box and hit enter.

 

This will open the command prompt window.

 

Now type in the following text exactly as shown, at the command prompt:

expand C:\WINDOWS\i386\explorer.ex_ C:\explorer.exe

expand C:\WINDOWS\i386\winlogon.ex_ C:\winlogon.exe

 

 

(take note of the spaces, especially the space between .ex_ and C:\ - it needs to be there)

 

Please let me know that the command executed properly - you should see something like "expanded to {xxxxxx} bytes, {xx}% increase"

 

(if you did not get this message do not continue but report back with the error message)

 

If you received verification the files expanded successfully please do the following:

 

 

 

We need to boot into the recovery console -

 

Restart your computer

 

Before Windows loads, you will be prompted to choose which Operating System to start (be fast you only have a couple of seconds)

 

Use the up and down arrow key to select Microsoft Windows Recovery Console

 

You must now enter which Windows installation to log onto. (usually 1) Type 1 and press enter.

 

When you are prompted, type the Administrator password. If the administrator password is blank, just press ENTER

 

A command prompt will open:

 

At the C:\Windows prompt, type the following text, and press Enter:

ren C:\windows\explorer.exe explorer.bad

ren C:\windows\system32\winlogon.exe winlogon.bad

copy C:\explorer.exe C:\windows\explorer.exe

copy C:\winlogon.exe C:\windows\system32\winlogon.exe

take note of the spaces

 

make sure you get the message that the file(s) were copied successfully.

 

 

If you did not get a message that the files were copied successfully, you will have to rename explorer.bad & winlogon.bad back to .exe or the computer will not boot.

 

Once you are done type exit to leave the recovery console and reboot.

 

 

 

Now re-run ComboFix - allow it to update if it requests to do so.

 

Print out these instructions before you start > if you have any questions about this procedure, please ask.

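An added example, not code from this thread or from SystemLook/ComboFix: a small Python triage script that parses SystemLook result lines like the "*explorer*" / "*winlogon*" search above, clusters every copy of explorer.exe and winlogon.exe by MD5, and compares the live copy only against reference copies of identical size, which is the comparison the hashes in that search actually support. The role taxonomy, the list of reference directories and the verdict wording are this example's own assumptions; the sample lines are copied from the search results posted above.

```python
"""Cluster the copies of a Windows system binary listed by a SystemLook search
by MD5 and compare the live copy with same-size copies from Windows' own
repair/update locations. Added example for this thread, not part of SystemLook
or ComboFix; role and verdict rules are this example's own."""
import re
from collections import defaultdict

# One SystemLook result line: <path> <attrs> <size> bytes [<created>] [<modified>] <MD5>
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<attrs>[-a-z]{7})\s+(?P<size>\d+)\s+bytes\s+"
    r"\[(?P<created>[^\]]+)\]\s+\[(?P<modified>[^\]]+)\]\s+(?P<md5>[0-9A-Fa-f]{32})\s*$"
)

# The two binaries ComboFix kept flagging, and where XP runs them from.
TARGETS = {"explorer.exe": "c:\\windows\\explorer.exe",
           "winlogon.exe": "c:\\windows\\system32\\winlogon.exe"}
# Directories that hold vendor-supplied copies (heuristic list, this example's own).
REFERENCE_DIRS = ("\\dllcache\\", "\\$hf_mig$\\", "\\servicepackfiles\\",
                  "\\softwaredistribution\\", "\\$ntuninstall")

# Sample input: lines copied from the SystemLook search posted in this thread.
SAMPLE_LOG = r"""
C:\Qoobox\Quarantine\C\WINDOWS\explorer.exe.vir --a---- 1033216 bytes [04:00 04/08/2004] [11:26 13/06/2007] 4F5B2DD41273073A79FD30BAEDE1A06D
C:\WINDOWS\explorer.exe --a---- 1033216 bytes [04:00 04/08/2004] [11:26 13/06/2007] 4F5B2DD41273073A79FD30BAEDE1A06D
C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe --a---- 1033216 bytes [11:26 13/06/2007] [11:26 13/06/2007] 7712DF0CDDE3A5AC89843E61CD5B3658
C:\WINDOWS\$NtUninstallKB938828$\explorer.exe -----c- 1032192 bytes [07:02 15/08/2007] [04:00 04/08/2004] A0732187050030AE399B241436565E64
C:\WINDOWS\I386\EXPLORER.EX_ --a---- 359533 bytes [04:00 04/08/2004] [04:00 04/08/2004] 4F061B12F3D5457315A0314954E7EF46
C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\explorer.exe --a---- 1033728 bytes [23:09 29/08/2008] [00:12 14/04/2008] 12896823FB95BFB3DC9B46BCAEDC9923
C:\WINDOWS\I386\WINLOGON.EX_ --a---- 261115 bytes [04:00 04/08/2004] [04:00 04/08/2004] F41C4F5745589D0BB8268C02B71594CA
C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\winlogon.exe --a---- 507904 bytes [23:11 29/08/2008] [00:12 14/04/2008] ED0EF0A136DEC83DF69F04118870003E
C:\WINDOWS\system32\winlogon.exe --a---- 502272 bytes [04:00 04/08/2004] [04:00 04/08/2004] B9C7CEF5B9303E38D53C32503BEAA51C
"""


def parse(log):
    """Return one dict per SystemLook result line; other lines are ignored."""
    rows = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            row = m.groupdict()
            row["size"] = int(row["size"])
            row["md5"] = row["md5"].upper()
            rows.append(row)
    return rows


def classify(path):
    """Map a path to (target name, role), or (None, None) if it is not a target."""
    p = path.lower()
    name = p.rsplit("\\", 1)[-1]
    role = "other"
    if name.endswith(".vir"):      # ComboFix quarantine copy under Qoobox
        name, role = name[:-4], "quarantine"
    elif name.endswith(".ex_"):    # makecab-compressed install source (I386):
        name, role = name[:-1] + "e", "compressed"   # MD5 is of the cab, not the binary
    if name not in TARGETS:
        return None, None
    if p == TARGETS[name]:
        role = "live"
    elif any(d in p for d in REFERENCE_DIRS):
        role = "reference"
    return name, role


def triage(log=SAMPLE_LOG):
    """Per target: MD5 clusters of all copies and a verdict on the live copy."""
    by_name = defaultdict(list)
    for row in parse(log):
        name, role = classify(row["path"])
        if name:
            row["role"] = role
            by_name[name].append(row)
    report = {}
    for name, rows in by_name.items():
        clusters = defaultdict(list)
        for r in rows:
            clusters[r["md5"]].append((r["role"], r["path"]))
        live = next((r for r in rows if r["role"] == "live"), None)
        verdict = "live copy not in results"
        if live:
            # Only a reference of identical size is a meaningful hash comparison;
            # a different service-pack or hotfix level differs legitimately.
            same_size = [r for r in rows
                         if r["role"] == "reference" and r["size"] == live["size"]]
            if not same_size:
                verdict = "no comparable reference"
            elif any(r["md5"] == live["md5"] for r in same_size):
                verdict = "matches reference"
            else:
                # A lead, not proof: $hf_mig$ holds the QFE hotfix branch while the
                # installed file is usually GDR, so confirm with a signature check.
                verdict = "differs from same-size reference"
        report[name] = {"live_md5": live["md5"] if live else None,
                        "verdict": verdict, "clusters": dict(clusters)}
    return report


if __name__ == "__main__":
    for name, info in triage().items():
        print(f"{name}: {info['verdict']} (live MD5 {info['live_md5']})")
        for md5, members in info["clusters"].items():
            print(f"  {md5}: " + ", ".join(f"{role}={path}" for role, path in members))
```

On the sample above the live explorer.exe shares its hash only with the quarantined copy and differs from the same-size $hf_mig$ copy, while winlogon.exe has no same-size reference at all, which is why the thread falls back to expanding the I386 originals.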

NICE! Well, for once ComboFix gave me no infection warnings, and for the first time it ran to its completion without crashing the system. I have to go to work shortly but I will check back here tomorrow as I'm sure there is more work to do. At least this gives me some peace of mind. Thanks! :)

 

Here is the combofix log:

 

ComboFix 10-10-18.06 - HP_Owner 10/20/2010 19:08:33.7.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1023.633 [GMT -5:00]

Running from: c:\documents and settings\HP_Owner\Desktop\ComboFix.exe

.

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

C:\explorer.exe

C:\winlogon.exe

.

---- Previous Run -------

.

c:\windows\Rjuzeziw.bin

c:\windows\system32\drivers\aszvkk.sys

 

-- Previous Run --

 

c:\windows\system32\winlogon.exe . . . is infected!!

 

c:\windows\system32\winlogon.exe . . . is infected!!

 

Infected copy of c:\windows\explorer.exe was found and disinfected

Restored copy from - c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe

 

--------

 

.

((((((((((((((((((((((((( Files Created from 2010-09-21 to 2010-10-21 )))))))))))))))))))))))))))))))

.

 

2010-10-21 00:01 . 2004-08-04 05:56 502272 ----a-w- c:\windows\system32\winlogon.exe

2010-10-21 00:00 . 2004-08-04 05:56 1032192 ----a-w- c:\windows\explorer.exe

2010-10-20 12:42 . 2010-10-20 12:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro

2010-10-18 23:05 . 2010-10-18 23:05 -------- d-----w- c:\program files\Common Files\Adobe AIR

2010-10-18 10:07 . 2010-10-18 10:07 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee

2010-10-17 09:26 . 2010-10-17 09:26 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\Malwarebytes

2010-10-17 09:26 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-10-17 09:26 . 2010-10-17 09:26 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-10-17 09:26 . 2010-10-17 09:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-10-17 09:26 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-10-15 13:29 . 2010-10-15 13:29 -------- d-----w- c:\documents and settings\Administrator.BEEBO

2010-10-15 12:04 . 2010-10-15 12:04 -------- d-----w- c:\windows\ERUNT

2010-10-15 11:59 . 2010-10-15 12:42 -------- d-----w- C:\SDFix

2010-10-15 11:05 . 2010-10-15 11:05 -------- d-----w- c:\documents and settings\HP_Owner\backup

2010-10-15 10:29 . 2010-10-15 10:29 -------- d-----w- c:\documents and settings\Guest\Local Settings\Application Data\LightScribe

2010-10-14 23:00 . 2010-10-15 00:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Update

2010-10-14 10:37 . 2004-08-04 04:00 25088 ----a-w- c:\windows\system32\shfolder.dll

2010-09-27 03:53 . 2009-05-18 18:17 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys

2010-09-27 03:53 . 2008-04-17 17:12 107368 ----a-w- c:\windows\system32\GEARAspi.dll

2010-09-27 03:52 . 2010-09-27 03:52 -------- d-----w- c:\program files\iPod

2010-09-27 03:52 . 2010-09-27 03:53 -------- d-----w- c:\program files\iTunes

2010-09-27 03:52 . 2010-09-27 03:53 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}

2010-09-27 03:49 . 2010-09-27 03:49 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin3.dll

2010-09-27 03:49 . 2010-09-27 03:49 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin2.dll

2010-09-27 03:49 . 2010-09-27 03:49 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin.dll

2010-09-27 03:46 . 2010-09-27 03:46 -------- d-----w- c:\program files\Apple Software Update

2010-09-27 03:46 . 2010-04-20 01:47 3062048 ----a-w- c:\windows\system32\usbaaplrc.dll

2010-09-27 03:46 . 2010-04-20 01:47 41984 ----a-w- c:\windows\system32\drivers\usbaapl.sys

2010-09-27 03:45 . 2010-09-27 03:45 -------- d-----w- c:\program files\Bonjour

2010-09-24 11:10 . 2010-02-04 15:01 74072 ----a-w- c:\windows\system32\XAPOFX1_4.dll

2010-09-24 11:10 . 2010-02-04 15:01 528216 ----a-w- c:\windows\system32\XAudio2_6.dll

2010-09-24 11:10 . 2010-02-04 15:01 238936 ----a-w- c:\windows\system32\xactengine3_6.dll

2010-09-24 11:10 . 2010-02-04 15:01 22360 ----a-w- c:\windows\system32\X3DAudio1_7.dll

2010-09-22 23:10 . 2010-09-22 23:10 103864 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

 

((((((((((((((((((((((((((((( SnapShot@2010-10-17_10.50.51 )))))))))))))))))))))))))))))))))))))))))

.

+ 2010-10-18 23:05 . 2010-10-18 23:05 28160 c:\windows\Installer\4fe871e.msi

+ 2010-10-18 10:07 . 2010-10-18 10:07 232912 c:\windows\system32\Macromed\Flash\FlashUtil10k_Plugin.exe

+ 2010-01-27 01:07 . 2010-10-18 10:07 5969360 c:\windows\system32\Macromed\Flash\NPSWF32.dll

+ 2010-10-18 23:07 . 2010-10-18 23:07 3940864 c:\windows\Installer\4fe8817.msi

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [bU]

"Octoshape Streaming Services"="c:\program files\Octoshape Streaming Services\HP_Owner\OctoshapeClient.exe" [bU]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"DNS7reminder"="c:\program files\Nuance\NaturallySpeaking10\Ereg\Ereg.exe" [bU]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [bU]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [bU]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [bU]

"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [bU]

"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]

"SoundMan"="SOUNDMAN.EXE" [2007-04-16 577536]

"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 57344]

"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-02-11 61440]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-09-28 86016]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-09-28 13918208]

"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [bU]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-12-15 49152]

"AutoTBar"="c:\program files\HP\Digital Imaging\bin\AUTOTBAR.EXE" [bU]

"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]

"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]

"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]

"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]

"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-14 233472]

"HPHUPD06"="c:\program files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" [2004-06-07 49152]

"AGRSMMSG"="AGRSMMSG.exe" [2005-03-04 88209]

"HPHmon06"="c:\windows\system32\hphmon06.exe" [2004-06-07 659456]

"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-14 253952]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-09-08 421888]

"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-24 421160]

"UniUploader"="c:\program files\UniUploader\UniUploader.exe" [bU]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]

 

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2009-09-03 20:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

avgrsstx.dll [bU]

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

@="Service"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"aawservice"=2 (0x2)

"helpsvc"=2 (0x2)

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\eMule\\emule.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=

"c:\\Program Files\\Java\\j2re1.4.2_03\\bin\\javaw.exe"=

"c:\\WINDOWS\\system32\\dpnsvr.exe"=

"c:\\Program Files\\VentSrv\\ventrilo_srv.exe"=

"c:\\Program Files\\Warcraft III\\Warcraft III.exe"=

"c:\\WINDOWS\\system32\\mmc.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=

"c:\\Program Files\\Turbine\\The Lord of the Rings Online\\lotroclient.exe"=

"c:\\WINDOWS\\system32\\dpvsetup.exe"=

"c:\\WINDOWS\\system32\\java.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\WINDOWS\\system32\\fxsclnt.exe"=

"c:\\Program Files\\Tortun\\gui.exe"=

"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Vuze\\Azureus.exe"=

"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=

 

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [4/27/2010 5:30 PM 67656]

S2 EZWINIT;EZWINIT;c:\windows\system32\drivers\ezwinit.sys [7/13/2005 12:12 PM 14494]

S2 EZWINIT2;EZWINIT2;c:\windows\system32\drivers\ezwinit2.sys [8/15/2005 9:19 PM 14720]

S2 EZWRITE2;EZWRITE2;c:\windows\system32\drivers\ezwrite2.sys [8/15/2005 9:19 PM 16680]

S2 EZWRITER;EZWRITER;c:\windows\system32\drivers\ezwriter.sys [7/13/2005 12:12 PM 16680]

S3 DrvAgent32;DrvAgent32;c:\windows\system32\drivers\DrvAgent32.sys [5/10/2010 4:34 AM 23456]

S3 EverestDriver;Lavalys EVEREST Kernel Driver;\??\c:\program files\Lavalys\EVEREST Ultimate Edition\kerneld.wnt --> c:\program files\Lavalys\EVEREST Ultimate Edition\kerneld.wnt [?]

S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [3/11/2006 10:02 PM 642560]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.comcast.net/

uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=pavilion&pf=desktop

mStart Page = hxxp://www.comcast.net/

mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=pavilion&pf=desktop

mWindow Title = Windows Internet Explorer provided by Comcast

uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=pavilion&pf=desktop

uInternet Settings,ProxyOverride = *.local

uSearchURL,(Default) = hxxp://www.google.com/keyword/%s

IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000

Trusted Zone: aol.com\free

DPF: {040F4385-8DAD-4306-94BF-B8291D841FAE} - hxxp://www.nintendowifi.com/troubleshooting/usbaptest.cab

FF - ProfilePath - c:\documents and settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\xl77vwge.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.comcast.net/

FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll

 

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);

.

 

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\EverestDriver]

"ImagePath"="\??\c:\program files\Lavalys\EVEREST Ultimate Edition\kerneld.wnt"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

 

[HKEY_USERS\S-1-5-21-823039715-3564483165-4056858657-1009\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\’e*’B*’ ’N*’9 ’x*’9 ]

"Order"=hex:08,00,00,00,02,00,00,00,9e,00,00,00,01,00,00,00,01,00,00,00,92,00,

00,00,00,00,00,00,84,00,00,00,41,75,67,4d,02,00,00,00,01,00,00,00,72,00,31,\

 

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"

 

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"

 

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

 

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

 

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

 

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

 

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}]

@DACL=(02 0000)

@="Microsoft Disk Quota"

"NoMachinePolicy"=dword:00000000

"NoUserPolicy"=dword:00000001

"NoSlowLink"=dword:00000001

"NoBackgroundPolicy"=dword:00000001

"NoGPOListChanges"=dword:00000001

"PerUserLocalSettings"=dword:00000000

"RequiresSuccessfulRegistry"=dword:00000001

"EnableAsynchronousProcessing"=dword:00000000

"DllName"=expand:"dskquota.dll"

"ProcessGroupPolicy"="ProcessGroupPolicy"

 

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{4CFB60C1-FAA6-47f1-89AA-0B18730C9FD3}]

@DACL=(02 0000)

@="Internet Explorer Zonemapping"

"DllName"=expand:"iedkcs32.dll"

"ProcessGroupPolicy"="ProcessGroupPolicyForZoneMap"

"NoGPOListChanges"=dword:00000001

"RequiresSucessfulRegistry"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}]

@DACL=(02 0000)

"ProcessGroupPolicy"="SceProcessSecurityPolicyGPO"

"GenerateGroupPolicy"="SceGenerateGroupPolicy"

"ExtensionRsopPlanningDebugLevel"=dword:00000001

"ProcessGroupPolicyEx"="SceProcessSecurityPolicyGPOEx"

"ExtensionDebugLevel"=dword:00000001

"DllName"=expand:"scecli.dll"

@="Security"

"NoUserPolicy"=dword:00000001

"NoGPOListChanges"=dword:00000001

"EnableAsynchronousProcessing"=dword:00000001

"MaxNoGPOListChangesInterval"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}]

@DACL=(02 0000)

"ProcessGroupPolicyEx"="ProcessGroupPolicyEx"

"GenerateGroupPolicy"="GenerateGroupPolicy"

"ProcessGroupPolicy"="ProcessGroupPolicy"

"DllName"=expand:"iedkcs32.dll"

@="Internet Explorer Branding"

"NoSlowLink"=dword:00000001

"NoBackgroundPolicy"=dword:00000000

"NoGPOListChanges"=dword:00000001

"NoMachinePolicy"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}]

@DACL=(02 0000)

"ProcessGroupPolicy"="SceProcessEFSRecoveryGPO"

"DllName"=expand:"scecli.dll"

@="EFS recovery"

"NoUserPolicy"=dword:00000001

"NoGPOListChanges"=dword:00000001

"RequiresSuccessfulRegistry"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{C631DF4C-088F-4156-B058-4375F0853CD8}]

@DACL=(02 0000)

@="Microsoft Offline Files"

"DllName"=expand:"%SystemRoot%\\System32\\cscui.dll"

"EnableAsynchronousProcessing"=dword:00000000

"NoBackgroundPolicy"=dword:00000000

"NoGPOListChanges"=dword:00000000

"NoMachinePolicy"=dword:00000000

"NoSlowLink"=dword:00000000

"NoUserPolicy"=dword:00000001

"PerUserLocalSettings"=dword:00000000

"ProcessGroupPolicy"="ProcessGroupPolicy"

"RequiresSuccessfulRegistry"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{c6dc5466-785a-11d2-84d0-00c04fb169f7}]

@DACL=(02 0000)

@="Software Installation"

"DllName"=expand:"appmgmts.dll"

"ProcessGroupPolicyEx"="ProcessGroupPolicyObjectsEx"

"GenerateGroupPolicy"="GenerateGroupPolicy"

"NoBackgroundPolicy"=dword:00000000

"RequiresSucessfulRegistry"=dword:00000000

"NoSlowLink"=dword:00000001

"PerUserLocalSettings"=dword:00000001

"EventSources"=multi:"(Application Management,Application)\00(MsiInstaller,Application)\00\00"

 

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]

@DACL=(02 0000)

"DLLName"="Ati2evxx.dll"

"Asynchronous"=dword:00000000

"Impersonate"=dword:00000001

"Lock"="AtiLockEvent"

"Logoff"="AtiLogoffEvent"

"Logon"="AtiLogonEvent"

"Disconnect"="AtiDisConnectEvent"

"Reconnect"="AtiReConnectEvent"

"Safe"=dword:00000000

"Shutdown"="AtiShutdownEvent"

"StartScreenSaver"="AtiStartScreenSaverEvent"

"StartShell"="AtiStartShellEvent"

"Startup"="AtiStartupEvent"

"StopScreenSaver"="AtiStopScreenSaverEvent"

"Unlock"="AtiUnLockEvent"

 

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]

@DACL=(02 0000)

"Asynchronous"=dword:00000000

"Impersonate"=dword:00000000

"DllName"=expand:"crypt32.dll"

"Logoff"="ChainWlxLogoffEvent"

 

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]

@DACL=(02 0000)

"Asynchronous"=dword:00000000

"Impersonate"=dword:00000000

"DllName"=expand:"cryptnet.dll"

"Logoff"="CryptnetWlxLogoffEvent"

 

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]

@DACL=(02 0000)

"DLLName"="cscdll.dll"

"Logon"="WinlogonLogonEvent"

"Logoff"="WinlogonLogoffEvent"

"ScreenSaver"="WinlogonScreenSaverEvent"

"Startup"="WinlogonStartupEvent"

"Shutdown"="WinlogonShutdownEvent"

"StartShell"="WinlogonStartShellEvent"

"Impersonate"=dword:00000000

"Asynchronous"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]

@DACL=(02 0000)

"DLLName"="wlnotify.dll"

"Logon"="SCardStartCertProp"

"Logoff"="SCardStopCertProp"

"Lock"="SCardSuspendCertProp"

"Unlock"="SCardResumeCertProp"

"Enabled"=dword:00000001

"Impersonate"=dword:00000001

"Asynchronous"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]

@DACL=(02 0000)

"Asynchronous"=dword:00000000

"DllName"=expand:"wlnotify.dll"

"Impersonate"=dword:00000000

"StartShell"="SchedStartShell"

"Logoff"="SchedEventLogOff"

 

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]

@DACL=(02 0000)

"Logoff"="WLEventLogoff"

"Impersonate"=dword:00000000

"Asynchronous"=dword:00000001

"DllName"=expand:"sclgntfy.dll"

 

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]

@DACL=(02 0000)

"DLLName"="WlNotify.dll"

"Lock"="SensLockEvent"

"Logon"="SensLogonEvent"

"Logoff"="SensLogoffEvent"

"Safe"=dword:00000001

"MaxWait"=dword:00000258

"StartScreenSaver"="SensStartScreenSaverEvent"

"StopScreenSaver"="SensStopScreenSaverEvent"

"Startup"="SensStartupEvent"

"Shutdown"="SensShutdownEvent"

"StartShell"="SensStartShellEvent"

"PostShell"="SensPostShellEvent"

"Disconnect"="SensDisconnectEvent"

"Reconnect"="SensReconnectEvent"

"Unlock"="SensUnlockEvent"

"Impersonate"=dword:00000001

"Asynchronous"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]

@DACL=(02 0000)

"Asynchronous"=dword:00000000

"DllName"=expand:"wlnotify.dll"

"Impersonate"=dword:00000000

"Logoff"="TSEventLogoff"

"Logon"="TSEventLogon"

"PostShell"="TSEventPostShell"

"Shutdown"="TSEventShutdown"

"StartShell"="TSEventStartShell"

"Startup"="TSEventStartup"

"MaxWait"=dword:00000258

"Reconnect"="TSEventReconnect"

"Disconnect"="TSEventDisconnect"

 

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]

@DACL=(02 0000)

"DLLName"="wlnotify.dll"

"Logon"="RegisterTicketExpiredNotificationEvent"

"Logoff"="UnregisterTicketExpiredNotificationEvent"

"Impersonate"=dword:00000001

"Asynchronous"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList]

@DACL=(02 0000)

"HelpAssistant"=dword:00000000

"TsInternetUser"=dword:00000000

"SQLAgentCmdExec"=dword:00000000

"NetShowServices"=dword:00000000

"IWAM_"=dword:00010000

"IUSR_"=dword:00010000

"VUSR_"=dword:00010000

"ASPNET"=dword:00000000

.

--------------------- DLLs Loaded Under Running Processes ---------------------

 

- - - - - - - > 'winlogon.exe'(692)

c:\program files\SUPERAntiSpyware\SASWINLO.dll

.

Completion time: 2010-10-20 19:16:06

ComboFix-quarantined-files.txt 2010-10-21 00:16

ComboFix2.txt 2010-10-17 11:11

ComboFix3.txt 2010-10-17 10:54

ComboFix4.txt 2010-10-15 18:51

 

Pre-Run: 110,150,250,496 bytes free

Post-Run: 110,153,596,928 bytes free

 

- - End Of File - - AF744CDE3B1A09A5BF0214B0045FE01E


Good

 

I like to copy those files and put them in the DLLCACHE for insurance, just so they are handy if anything like this happens again so please do the following:

 

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

 

Here's how to do that:

Click Start > Run type Notepad click OK.

This will open an empty notepad file:

 

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

 

FCopy::
c:\windows\system32\winlogon.exe | c:\windows\system32\dllcache\winlogon.exe
c:\windows\explorer.exe | c:\windows\system32\dllcache\explorer.exe

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop; save it as "CFScript".

 

Here's how to do that:

 

1. Click File;

2. Click Save As... Change the directory to your desktop;

3. Change the Save as type to "All Files";

4. Type in the file name: CFScript

5. Click Save ...

 

[Screenshot: dragging CFScript.txt onto ComboFix.exe]

  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


Ok, that's taken care of. I wasn't sure if you wanted to see the combofix log again but I will go ahead and post it. Also I checked Google in both Firefox and IE and they both seem fine!

 

 

 

ComboFix 10-10-20.03 - HP_Owner 10/21/2010 5:01.8.1 - x86

Running from: c:\documents and settings\HP_Owner\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\HP_Owner\Desktop\CFScript.txt

.

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

.

--------------- FCopy ---------------

 

c:\windows\system32\winlogon.exe --> c:\windows\system32\dllcache\winlogon.exe

c:\windows\explorer.exe --> c:\windows\system32\dllcache\explorer.exe

.

((((((((((((((((((((((((( Files Created from 2010-09-21 to 2010-10-21 )))))))))))))))))))))))))))))))

.

 

2010-10-21 10:01 . 2004-08-04 05:56 502272 ----a-w- c:\windows\system32\dllcache\winlogon.exe

2010-10-21 10:01 . 2004-08-04 05:56 1032192 ----a-w- c:\windows\system32\dllcache\explorer.exe

2010-10-21 00:01 . 2004-08-04 05:56 502272 ------w- c:\windows\system32\winlogon.exe

2010-10-21 00:00 . 2004-08-04 05:56 1032192 ------w- c:\windows\explorer.exe

2010-10-20 12:42 . 2010-10-20 12:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro

2010-10-18 23:05 . 2010-10-18 23:05 -------- d-----w- c:\program files\Common Files\Adobe AIR

2010-10-18 10:07 . 2010-10-18 10:07 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee

2010-10-17 09:26 . 2010-10-17 09:26 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\Malwarebytes

2010-10-17 09:26 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-10-17 09:26 . 2010-10-17 09:26 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-10-17 09:26 . 2010-10-17 09:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-10-17 09:26 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-10-15 13:29 . 2010-10-15 13:29 -------- d-----w- c:\documents and settings\Administrator.BEEBO

2010-10-15 12:04 . 2010-10-15 12:04 -------- d-----w- c:\windows\ERUNT

2010-10-15 11:59 . 2010-10-15 12:42 -------- d-----w- C:\SDFix

2010-10-15 11:05 . 2010-10-15 11:05 -------- d-----w- c:\documents and settings\HP_Owner\backup

2010-10-15 10:29 . 2010-10-15 10:29 -------- d-----w- c:\documents and settings\Guest\Local Settings\Application Data\LightScribe

2010-10-14 23:00 . 2010-10-15 00:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Update

2010-10-14 10:37 . 2004-08-04 04:00 25088 ----a-w- c:\windows\system32\shfolder.dll

2010-09-27 03:53 . 2009-05-18 18:17 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys

2010-09-27 03:53 . 2008-04-17 17:12 107368 ----a-w- c:\windows\system32\GEARAspi.dll

2010-09-27 03:52 . 2010-09-27 03:52 -------- d-----w- c:\program files\iPod

2010-09-27 03:52 . 2010-09-27 03:53 -------- d-----w- c:\program files\iTunes

2010-09-27 03:52 . 2010-09-27 03:53 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}

2010-09-27 03:49 . 2010-09-27 03:49 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin3.dll

2010-09-27 03:49 . 2010-09-27 03:49 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin2.dll

2010-09-27 03:49 . 2010-09-27 03:49 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin.dll

2010-09-27 03:46 . 2010-09-27 03:46 -------- d-----w- c:\program files\Apple Software Update

2010-09-27 03:46 . 2010-04-20 01:47 3062048 ----a-w- c:\windows\system32\usbaaplrc.dll

2010-09-27 03:46 . 2010-04-20 01:47 41984 ----a-w- c:\windows\system32\drivers\usbaapl.sys

2010-09-27 03:45 . 2010-09-27 03:45 -------- d-----w- c:\program files\Bonjour

2010-09-24 11:10 . 2010-02-04 15:01 74072 ----a-w- c:\windows\system32\XAPOFX1_4.dll

2010-09-24 11:10 . 2010-02-04 15:01 528216 ----a-w- c:\windows\system32\XAudio2_6.dll

2010-09-24 11:10 . 2010-02-04 15:01 238936 ----a-w- c:\windows\system32\xactengine3_6.dll

2010-09-24 11:10 . 2010-02-04 15:01 22360 ----a-w- c:\windows\system32\X3DAudio1_7.dll

2010-09-22 23:10 . 2010-09-22 23:10 103864 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

 

((((((((((((((((((((((((((((( SnapShot@2010-10-17_10.50.51 )))))))))))))))))))))))))))))))))))))))))

.

+ 2010-10-18 23:05 . 2010-10-18 23:05 28160 c:\windows\Installer\4fe871e.msi

+ 2010-10-18 10:07 . 2010-10-18 10:07 232912 c:\windows\system32\Macromed\Flash\FlashUtil10k_Plugin.exe

+ 2010-01-27 01:07 . 2010-10-18 10:07 5969360 c:\windows\system32\Macromed\Flash\NPSWF32.dll

+ 2010-10-18 23:07 . 2010-10-18 23:07 3940864 c:\windows\Installer\4fe8817.msi

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [bU]

"Octoshape Streaming Services"="c:\program files\Octoshape Streaming Services\HP_Owner\OctoshapeClient.exe" [bU]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"DNS7reminder"="c:\program files\Nuance\NaturallySpeaking10\Ereg\Ereg.exe" [bU]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [bU]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [bU]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [bU]

"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [bU]

"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]

"SoundMan"="SOUNDMAN.EXE" [2007-04-16 577536]

"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 57344]

"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-02-11 61440]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-09-28 86016]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-09-28 13918208]

"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [bU]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-12-15 49152]

"AutoTBar"="c:\program files\HP\Digital Imaging\bin\AUTOTBAR.EXE" [bU]

"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]

"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]

"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]

"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]

"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-14 233472]

"HPHUPD06"="c:\program files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" [2004-06-07 49152]

"AGRSMMSG"="AGRSMMSG.exe" [2005-03-04 88209]

"HPHmon06"="c:\windows\system32\hphmon06.exe" [2004-06-07 659456]

"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-14 253952]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-09-08 421888]

"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-24 421160]

"UniUploader"="c:\program files\UniUploader\UniUploader.exe" [bU]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]

 

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2009-09-03 20:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

avgrsstx.dll [bU]

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

@="Service"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"aawservice"=2 (0x2)

"helpsvc"=2 (0x2)

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\eMule\\emule.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=

"c:\\Program Files\\Java\\j2re1.4.2_03\\bin\\javaw.exe"=

"c:\\WINDOWS\\system32\\dpnsvr.exe"=

"c:\\Program Files\\VentSrv\\ventrilo_srv.exe"=

"c:\\Program Files\\Warcraft III\\Warcraft III.exe"=

"c:\\WINDOWS\\system32\\mmc.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=

"c:\\Program Files\\Turbine\\The Lord of the Rings Online\\lotroclient.exe"=

"c:\\WINDOWS\\system32\\dpvsetup.exe"=

"c:\\WINDOWS\\system32\\java.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\WINDOWS\\system32\\fxsclnt.exe"=

"c:\\Program Files\\Tortun\\gui.exe"=

"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Vuze\\Azureus.exe"=

"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=

 

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [4/27/2010 5:30 PM 67656]

S2 EZWINIT;EZWINIT;c:\windows\system32\drivers\ezwinit.sys [7/13/2005 12:12 PM 14494]

S2 EZWINIT2;EZWINIT2;c:\windows\system32\drivers\ezwinit2.sys [8/15/2005 9:19 PM 14720]

S2 EZWRITE2;EZWRITE2;c:\windows\system32\drivers\ezwrite2.sys [8/15/2005 9:19 PM 16680]

S2 EZWRITER;EZWRITER;c:\windows\system32\drivers\ezwriter.sys [7/13/2005 12:12 PM 16680]

S3 DrvAgent32;DrvAgent32;c:\windows\system32\drivers\DrvAgent32.sys [5/10/2010 4:34 AM 23456]

S3 EverestDriver;Lavalys EVEREST Kernel Driver;\??\c:\program files\Lavalys\EVEREST Ultimate Edition\kerneld.wnt --> c:\program files\Lavalys\EVEREST Ultimate Edition\kerneld.wnt [?]

S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [3/11/2006 10:02 PM 642560]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.comcast.net/

uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=pavilion&pf=desktop

mStart Page = hxxp://www.comcast.net/

mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=pavilion&pf=desktop

mWindow Title = Windows Internet Explorer provided by Comcast

uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=pavilion&pf=desktop

uInternet Settings,ProxyOverride = *.local

uSearchURL,(Default) = hxxp://www.google.com/keyword/%s

IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000

Trusted Zone: aol.com\free

DPF: {040F4385-8DAD-4306-94BF-B8291D841FAE} - hxxp://www.nintendowifi.com/troubleshooting/usbaptest.cab

FF - ProfilePath - c:\documents and settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\xl77vwge.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.comcast.net/

FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll

 

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);

.

 

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\EverestDriver]

"ImagePath"="\??\c:\program files\Lavalys\EVEREST Ultimate Edition\kerneld.wnt"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

 

[HKEY_USERS\S-1-5-21-823039715-3564483165-4056858657-1009\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\’e*’B*’ ’N*’9 ’x*’9 ]

"Order"=hex:08,00,00,00,02,00,00,00,9e,00,00,00,01,00,00,00,01,00,00,00,92,00,

00,00,00,00,00,00,84,00,00,00,41,75,67,4d,02,00,00,00,01,00,00,00,72,00,31,\

 

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"

 

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"

 

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

 

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

 

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

 

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

 

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}]

@DACL=(02 0000)

@="Microsoft Disk Quota"

"NoMachinePolicy"=dword:00000000

"NoUserPolicy"=dword:00000001

"NoSlowLink"=dword:00000001

"NoBackgroundPolicy"=dword:00000001

"NoGPOListChanges"=dword:00000001

"PerUserLocalSettings"=dword:00000000

"RequiresSuccessfulRegistry"=dword:00000001

"EnableAsynchronousProcessing"=dword:00000000

"DllName"=expand:"dskquota.dll"

"ProcessGroupPolicy"="ProcessGroupPolicy"

 

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{4CFB60C1-FAA6-47f1-89AA-0B18730C9FD3}]

@DACL=(02 0000)

@="Internet Explorer Zonemapping"

"DllName"=expand:"iedkcs32.dll"

"ProcessGroupPolicy"="ProcessGroupPolicyForZoneMap"

"NoGPOListChanges"=dword:00000001

"RequiresSucessfulRegistry"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}]

@DACL=(02 0000)

"ProcessGroupPolicy"="SceProcessSecurityPolicyGPO"

"GenerateGroupPolicy"="SceGenerateGroupPolicy"

"ExtensionRsopPlanningDebugLevel"=dword:00000001

"ProcessGroupPolicyEx"="SceProcessSecurityPolicyGPOEx"

"ExtensionDebugLevel"=dword:00000001

"DllName"=expand:"scecli.dll"

@="Security"

"NoUserPolicy"=dword:00000001

"NoGPOListChanges"=dword:00000001

"EnableAsynchronousProcessing"=dword:00000001

"MaxNoGPOListChangesInterval"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}]

@DACL=(02 0000)

"ProcessGroupPolicyEx"="ProcessGroupPolicyEx"

"GenerateGroupPolicy"="GenerateGroupPolicy"

"ProcessGroupPolicy"="ProcessGroupPolicy"

"DllName"=expand:"iedkcs32.dll"

@="Internet Explorer Branding"

"NoSlowLink"=dword:00000001

"NoBackgroundPolicy"=dword:00000000

"NoGPOListChanges"=dword:00000001

"NoMachinePolicy"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}]

@DACL=(02 0000)

"ProcessGroupPolicy"="SceProcessEFSRecoveryGPO"

"DllName"=expand:"scecli.dll"

@="EFS recovery"

"NoUserPolicy"=dword:00000001

"NoGPOListChanges"=dword:00000001

"RequiresSuccessfulRegistry"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{C631DF4C-088F-4156-B058-4375F0853CD8}]

@DACL=(02 0000)

@="Microsoft Offline Files"

"DllName"=expand:"%SystemRoot%\\System32\\cscui.dll"

"EnableAsynchronousProcessing"=dword:00000000

"NoBackgroundPolicy"=dword:00000000

"NoGPOListChanges"=dword:00000000

"NoMachinePolicy"=dword:00000000

"NoSlowLink"=dword:00000000

"NoUserPolicy"=dword:00000001

"PerUserLocalSettings"=dword:00000000

"ProcessGroupPolicy"="ProcessGroupPolicy"

"RequiresSuccessfulRegistry"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{c6dc5466-785a-11d2-84d0-00c04fb169f7}]

@DACL=(02 0000)

@="Software Installation"

"DllName"=expand:"appmgmts.dll"

"ProcessGroupPolicyEx"="ProcessGroupPolicyObjectsEx"

"GenerateGroupPolicy"="GenerateGroupPolicy"

"NoBackgroundPolicy"=dword:00000000

"RequiresSucessfulRegistry"=dword:00000000

"NoSlowLink"=dword:00000001

"PerUserLocalSettings"=dword:00000001

"EventSources"=multi:"(Application Management,Application)\00(MsiInstaller,Application)\00\00"

 

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]

@DACL=(02 0000)

"DLLName"="Ati2evxx.dll"

"Asynchronous"=dword:00000000

"Impersonate"=dword:00000001

"Lock"="AtiLockEvent"

"Logoff"="AtiLogoffEvent"

"Logon"="AtiLogonEvent"

"Disconnect"="AtiDisConnectEvent"

"Reconnect"="AtiReConnectEvent"

"Safe"=dword:00000000

"Shutdown"="AtiShutdownEvent"

"StartScreenSaver"="AtiStartScreenSaverEvent"

"StartShell"="AtiStartShellEvent"

"Startup"="AtiStartupEvent"

"StopScreenSaver"="AtiStopScreenSaverEvent"

"Unlock"="AtiUnLockEvent"

 

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]

@DACL=(02 0000)

"Asynchronous"=dword:00000000

"Impersonate"=dword:00000000

"DllName"=expand:"crypt32.dll"

"Logoff"="ChainWlxLogoffEvent"

 

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]

@DACL=(02 0000)

"Asynchronous"=dword:00000000

"Impersonate"=dword:00000000

"DllName"=expand:"cryptnet.dll"

"Logoff"="CryptnetWlxLogoffEvent"

 

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]

@DACL=(02 0000)

"DLLName"="cscdll.dll"

"Logon"="WinlogonLogonEvent"

"Logoff"="WinlogonLogoffEvent"

"ScreenSaver"="WinlogonScreenSaverEvent"

"Startup"="WinlogonStartupEvent"

"Shutdown"="WinlogonShutdownEvent"

"StartShell"="WinlogonStartShellEvent"

"Impersonate"=dword:00000000

"Asynchronous"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]

@DACL=(02 0000)

"DLLName"="wlnotify.dll"

"Logon"="SCardStartCertProp"

"Logoff"="SCardStopCertProp"

"Lock"="SCardSuspendCertProp"

"Unlock"="SCardResumeCertProp"

"Enabled"=dword:00000001

"Impersonate"=dword:00000001

"Asynchronous"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]

@DACL=(02 0000)

"Asynchronous"=dword:00000000

"DllName"=expand:"wlnotify.dll"

"Impersonate"=dword:00000000

"StartShell"="SchedStartShell"

"Logoff"="SchedEventLogOff"

 

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]

@DACL=(02 0000)

"Logoff"="WLEventLogoff"

"Impersonate"=dword:00000000

"Asynchronous"=dword:00000001

"DllName"=expand:"sclgntfy.dll"

 

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]

@DACL=(02 0000)

"DLLName"="WlNotify.dll"

"Lock"="SensLockEvent"

"Logon"="SensLogonEvent"

"Logoff"="SensLogoffEvent"

"Safe"=dword:00000001

"MaxWait"=dword:00000258

"StartScreenSaver"="SensStartScreenSaverEvent"

"StopScreenSaver"="SensStopScreenSaverEvent"

"Startup"="SensStartupEvent"

"Shutdown"="SensShutdownEvent"

"StartShell"="SensStartShellEvent"

"PostShell"="SensPostShellEvent"

"Disconnect"="SensDisconnectEvent"

"Reconnect"="SensReconnectEvent"

"Unlock"="SensUnlockEvent"

"Impersonate"=dword:00000001

"Asynchronous"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]

@DACL=(02 0000)

"Asynchronous"=dword:00000000

"DllName"=expand:"wlnotify.dll"

"Impersonate"=dword:00000000

"Logoff"="TSEventLogoff"

"Logon"="TSEventLogon"

"PostShell"="TSEventPostShell"

"Shutdown"="TSEventShutdown"

"StartShell"="TSEventStartShell"

"Startup"="TSEventStartup"

"MaxWait"=dword:00000258

"Reconnect"="TSEventReconnect"

"Disconnect"="TSEventDisconnect"

 

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]

@DACL=(02 0000)

"DLLName"="wlnotify.dll"

"Logon"="RegisterTicketExpiredNotificationEvent"

"Logoff"="UnregisterTicketExpiredNotificationEvent"

"Impersonate"=dword:00000001

"Asynchronous"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList]

@DACL=(02 0000)

"HelpAssistant"=dword:00000000

"TsInternetUser"=dword:00000000

"SQLAgentCmdExec"=dword:00000000

"NetShowServices"=dword:00000000

"IWAM_"=dword:00010000

"IUSR_"=dword:00010000

"VUSR_"=dword:00010000

"ASPNET"=dword:00000000

.

--------------------- DLLs Loaded Under Running Processes ---------------------

 

- - - - - - - > 'winlogon.exe'(856)

c:\program files\SUPERAntiSpyware\SASWINLO.dll

c:\windows\system32\WLDAP32.dll

 

- - - - - - - > 'explorer.exe'(3084)

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

Completion time: 2010-10-21 05:09:26

ComboFix-quarantined-files.txt 2010-10-21 10:09

ComboFix2.txt 2010-10-21 00:16

ComboFix3.txt 2010-10-17 11:11

ComboFix4.txt 2010-10-17 10:54

ComboFix5.txt 2010-10-21 09:58

 

Pre-Run: 110,154,805,248 bytes free

Post-Run: 110,136,582,144 bytes free

 

- - End Of File - - 9E1BB6D5E4B823DE16B0EC484805AE70


Hi,

 

Looks good :)

 

Juliet will want you to install SP3 at some point, so I'll turn you back over to her to do some final scans

 

Glad to have helped

 

~CB

 

Over to you Juliet :tup:


Isn't CatByte awesome!

 

We owe her a world of thanks!

 

Let's do a couple of things and check for any residue or remnant infections.

 

I'm not sure which version of Java you have on your machine so let's check.

 

http://java.com/en/download/ <-- Version 6 Update 22

Make sure you have the most current.

 

 

Then follow:

 

NEXT**

I'd like for you to run this next online scan to check for remnants or anything that might be hidden.

The below scan can take up to an hour or longer, so please be patient.

 

*Note

It is recommended to disable your onboard antivirus program and antispyware programs while performing scans so there are no conflicts and to speed up scan time.

Please don't go surfing while your resident protection is disabled!

Once scan is finished remember to re-enable resident antivirus protection along with whatever antispyware app you use.

 

 

Using Internet Explorer, visit http://www.kaspersky.com/kos/eng/partner/d...n=1260122209224

 

Other available links

Kaspersky

 

Online Scanner or from here

http://www.kaspersky.com/virusscanner

 

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

 

Click on the Accept button and install any components it needs.

  • The program will install and then begin downloading the latest definition files.

  • After the files have been downloaded on the left side of the page in the Scan section select My Computer.
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run. (At times it may appear to stall)

    * Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.

    * Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.

    * Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.

  • Once the scan is complete, click on View scan report. To obtain the report:
Click on: Save Report As

Next, in the Save as prompt, Save in area, select: Desktop

In the File name area, use KScan, or something similar. In Save as type, click the drop arrow and select:

Text file [*.txt]

Then, click: Save

Please post the Kaspersky Online Scanner Report in

your reply.

 

Animated tutorial

http://i275.photobucket.com/albums/jj285/B...ng/KAS/KAS9.gif

 

(Note.. for Internet Explorer 7 users:

If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.)

Or use Firefox with IE-Tab plugin

https://addons.mozilla.org/en-US/firefox/addon/1419

 

 

In your next reply post:

Kaspersky log

 

 

You may need several replies to post the requested logs, otherwise they might get cut off.

 

 

Let me know if any issues arise.

 

 

Note:

I see you had downloaded and used SDFix. In its day it was a tool we used very often. It isn't being updated any more, nor is it being monitored if issues happened from using the tool.

It would be in your best interest to delete the tool and its folders; they could be flagged by online scanners in the future.

Edited by Juliet
*added info*


Yes thanks CatByte! And Juliet also.

 

I deleted the SDFix folder and ran the online scanner, here is the result:

 

--------------------------------------------------------------------------------

KASPERSKY ONLINE SCANNER 7.0: scan report

Friday, October 22, 2010

Operating system: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)

Kaspersky Online Scanner version: 7.0.26.13

Last database update: Thursday, October 21, 2010 17:43:52

Records in database: 4184827

--------------------------------------------------------------------------------

 

Scan settings:

scan using the following database: extended

Scan archives: yes

Scan e-mail databases: yes

 

Scan area - My Computer:

C:\

D:\

E:\

H:\

I:\

J:\

K:\

 

Scan statistics:

Objects scanned: 132281

Threats found: 3

Infected objects found: 17

Suspicious objects found: 0

Scan duration: 03:42:11

 

 

File name / Threat / Threats count

C:\Qoobox\Quarantine\C\WINDOWS\explorer.exe.vir Infected: Trojan.Win32.Patched.kl 1

C:\Qoobox\Quarantine\D\Autorun.inf.vir Infected: Worm.Win32.AutoRun.onp 1

C:\RECYCLER\S-1-5-21-823039715-3564483165-4056858657-1009\Dc1\backups\backups.zip Infected: Worm.Win32.AutoRun.nuu 1

C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP12\A0001553.exe Infected: Trojan.Win32.Patched.kl 1

C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP4\A0000111.inf Infected: Worm.Win32.AutoRun.nuu 1

C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP4\A0000115.inf Infected: Worm.Win32.AutoRun.nuu 1

C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP4\A0000387.exe Infected: Trojan.Win32.Patched.kl 1

C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP4\A0000388.exe Infected: Trojan.Win32.Patched.kl 1

C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP4\A0000389.exe Infected: Trojan.Win32.Patched.kl 1

C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP4\A0000412.exe Infected: Trojan.Win32.Patched.kl 1

C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP4\A0000503.exe Infected: Trojan.Win32.Patched.kl 1

C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP4\A0000520.exe Infected: Trojan.Win32.Patched.kl 1

C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP4\A0000607.exe Infected: Trojan.Win32.Patched.kl 1

C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP7\A0001108.exe Infected: Trojan.Win32.Patched.kl 1

C:\WINDOWS\explorer.bad Infected: Trojan.Win32.Patched.kl 1

C:\WINDOWS\winlogon.bad Infected: Trojan.Win32.Patched.kl 1

D:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP4\A0000399.inf Infected: Worm.Win32.AutoRun.onp 1

 

Selected area has been scanned.


Kaspersky did a good job for us.

We're ready to just about finish this out.

 

 

 

Download OTM by OldTimer Here & save it to your desktop.

  • Double click on OTM.exe to run it
  • Copy & paste the contents inside the Code box below beginning with :Files into --->> Paste Instructions for Items to be Moved
Note: Do not type it out to minimize the risk of typo error

:Files
C:\RECYCLER\S-1-5-21-823039715-3564483165-4056858657-1009\Dc1\backups\backups.zip
C:\WINDOWS\explorer.bad 
C:\WINDOWS\winlogon.bad 
:Commands
[purity]
[resethosts]
[emptytemp]
[EMPTYFLASH]
[Reboot]
  • Click on MoveIt!
  • When done, click on Exit
Note: If a file or folder can't be moved immediately, you may be asked to restart your computer. Choose Yes.

A log will be produced at C:\_OTM\MovedFiles\date_time.log, where date_time are numbers. Post this log in your next reply.

 

=====================================

 

NEXT**

 

CLEAR & RESET SYSTEM RESTORE'S CACHE - (System Volume Information folder)

Go to Start >> Run - type control sysdm.cpl,,4 & press Enter

 

* Tick on the checkbox - Turn off System Restore on all drives (Make sure to select C: and D: Drive)

* Click Apply

 

Turn it back 'On' by unticking the same checkbox & click OK

 

==========================================================

 

 

Please post the OTM log.

 

 

How's the computer?

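The Kaspersky report posted above and the OTM script that follows it are connected by a triage the helper did by hand: hits under C:\Qoobox\Quarantine are ComboFix's own quarantine (cleared later by ComboFix /Uninstall), hits under System Volume Information\_restore are old restore points (dealt with by turning System Restore off and on), and only the remaining paths are still live on disk and go into the :Files list. The script below is an added example, not code from this thread, Kaspersky or OTM; it parses report lines in the format shown above into those three buckets and emits the :Files block from the live ones. The sample report is a trimmed copy of the lines from the report in this thread.

```python
import re
from collections import defaultdict

# Trimmed copy of the report lines posted above, in the scanner's own
# "<path> Infected: <threat> <count>" format. Raw string so the backslashes survive.
SAMPLE_REPORT = r"""
C:\Qoobox\Quarantine\C\WINDOWS\explorer.exe.vir Infected: Trojan.Win32.Patched.kl 1
C:\Qoobox\Quarantine\D\Autorun.inf.vir Infected: Worm.Win32.AutoRun.onp 1
C:\RECYCLER\S-1-5-21-823039715-3564483165-4056858657-1009\Dc1\backups\backups.zip Infected: Worm.Win32.AutoRun.nuu 1
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP4\A0000111.inf Infected: Worm.Win32.AutoRun.nuu 1
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP12\A0001553.exe Infected: Trojan.Win32.Patched.kl 1
C:\WINDOWS\explorer.bad Infected: Trojan.Win32.Patched.kl 1
C:\WINDOWS\winlogon.bad Infected: Trojan.Win32.Patched.kl 1
D:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP4\A0000399.inf Infected: Worm.Win32.AutoRun.onp 1
Selected area has been scanned.
"""

# Path is matched lazily so paths containing spaces ("System Volume Information") work.
LINE_RE = re.compile(r"^(?P<path>.+?)\s+Infected:\s+(?P<threat>\S+)\s+(?P<count>\d+)\s*$")


def parse_report(text):
    """Return (path, threat, count) for every detection line; other lines are skipped."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            hits.append((m.group("path"), m.group("threat"), int(m.group("count"))))
    return hits


def classify(path):
    """Bucket a detection by where the file lives, which decides the cleanup step."""
    p = path.lower()
    if "\\qoobox\\quarantine\\" in p:
        return "quarantine"      # already neutralised by ComboFix; removed by ComboFix /Uninstall
    if "\\system volume information\\_restore" in p:
        return "restore_point"   # handled by clearing and resetting System Restore
    return "live"                # still on disk; needs a move (OTM :Files)


def triage(text):
    """Group parsed detections into the three buckets above."""
    buckets = defaultdict(list)
    for path, threat, _count in parse_report(text):
        buckets[classify(path)].append((path, threat))
    return dict(buckets)


def otm_files_block(buckets):
    """Build the :Files section of an OTM script from the live detections only."""
    lines = [":Files"] + [path for path, _ in buckets.get("live", [])]
    return "\n".join(lines)


if __name__ == "__main__":
    b = triage(SAMPLE_REPORT)
    for name in ("quarantine", "restore_point", "live"):
        print(f"{name}: {len(b.get(name, []))} hit(s)")
    print(otm_files_block(b))
```

The live bucket for the sample is exactly the three paths the helper put in the :Files list above (the RECYCLER zip, explorer.bad and winlogon.bad); the restore-point and quarantine hits are left to the System Restore reset and ComboFix /Uninstall steps respectively, which is why the scanner's 17 infected objects did not translate into 17 manual deletions.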

Computer is working great!

 

Here is the filemover log:

 

All processes killed

========== FILES ==========

C:\RECYCLER\S-1-5-21-823039715-3564483165-4056858657-1009\Dc1\backups\backups.zip moved successfully.

C:\WINDOWS\explorer.bad moved successfully.

C:\WINDOWS\winlogon.bad moved successfully.

========== COMMANDS ==========

C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.

HOSTS file reset successfully

 

[EMPTYTEMP]

 

User: Administrator

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

 

User: Administrator.BEEBO

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 67 bytes

 

User: All Users

 

User: Default User

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 33170 bytes

->Flash cache emptied: 56504 bytes

 

User: Guest

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 67 bytes

->Flash cache emptied: 348 bytes

 

User: HP_Owner

->Temp folder emptied: 135485808 bytes

->Temporary Internet Files folder emptied: 10146500 bytes

->Java cache emptied: 1620250 bytes

->FireFox cache emptied: 93319625 bytes

->Flash cache emptied: 4185263 bytes

 

User: LocalService

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 67 bytes

 

User: NetworkService

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 33170 bytes

 

%systemdrive% .tmp files removed: 0 bytes

%systemroot% .tmp files removed: 199752 bytes

%systemroot%\System32 .tmp files removed: 475385 bytes

%systemroot%\System32\dllcache .tmp files removed: 0 bytes

%systemroot%\System32\drivers .tmp files removed: 0 bytes

Windows Temp folder emptied: 26606383 bytes

%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 9247476 bytes

%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes

RecycleBin emptied: 4126447 bytes

 

Total Files Cleaned = 272.00 mb

 

 

OTM by OldTimer - Version 3.1.16.1 log created on 10222010_072611

 

Files moved on Reboot...

 

Registry entries deleted on Reboot...

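The OTM log posted above, re-read by a small parser. This is an added example, not code from the thread, from the poster or from OTM's author: it takes the log text as pasted (blank lines dropped), lists the files OTM moved (the renamed winlogon/explorer copies and the old HOSTS file, which are the artifacts a helper would want to see accounted for), totals the bytes emptied per user, and cross-checks the "Total Files Cleaned" footer against its own sum. The "<system>" bucket name for the cache lines that follow the per-user blocks is this example's own convention; it assumes Python 3.8 or later.

```python
# Added example (not from the thread or from OTM): parse an OTM cleanup log.
# OTM writes one "moved successfully" line per file, then an [EMPTYTEMP] section
# with "User: <name>" headers, "... emptied/removed: N bytes" lines and a
# "Total Files Cleaned = X mb" footer.  The log text below is the posted one.
import re
from collections import defaultdict

OTM_LOG = r"""
All processes killed
========== FILES ==========
C:\RECYCLER\S-1-5-21-823039715-3564483165-4056858657-1009\Dc1\backups\backups.zip moved successfully.
C:\WINDOWS\explorer.bad moved successfully.
C:\WINDOWS\winlogon.bad moved successfully.
========== COMMANDS ==========
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully
[EMPTYTEMP]
User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
User: Administrator.BEEBO
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
User: All Users
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 56504 bytes
User: Guest
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Flash cache emptied: 348 bytes
User: HP_Owner
->Temp folder emptied: 135485808 bytes
->Temporary Internet Files folder emptied: 10146500 bytes
->Java cache emptied: 1620250 bytes
->FireFox cache emptied: 93319625 bytes
->Flash cache emptied: 4185263 bytes
User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 199752 bytes
%systemroot%\System32 .tmp files removed: 475385 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 26606383 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 9247476 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 4126447 bytes
Total Files Cleaned = 272.00 mb
"""

MOVED_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) moved successfully\.$")
USER_RE = re.compile(r"^User: (?P<user>.+)$")
BYTES_RE = re.compile(r"^(?P<arrow>->)?.+?:\s+(?P<n>\d+) bytes$")
TOTAL_RE = re.compile(r"^Total Files Cleaned = (?P<mb>\d+(?:\.\d+)?) mb$")


def parse_otm_log(text):
    """Return (moved_paths, bytes_per_user, declared_total_mb)."""
    moved, per_user, declared = [], defaultdict(int), None
    bucket = "<system>"  # our own name for lines outside any "User:" block
    for line in text.splitlines():
        line = line.strip()
        if m := MOVED_RE.match(line):
            moved.append(m.group("path"))
        elif m := USER_RE.match(line):
            bucket = m.group("user")
        elif m := BYTES_RE.match(line):
            # "->" lines belong to the current user block; unprefixed ones
            # (%systemroot% .tmp files, Windows Temp, RecycleBin) are system-wide
            if not m.group("arrow"):
                bucket = "<system>"
            per_user[bucket] += int(m.group("n"))
        elif m := TOTAL_RE.match(line):
            declared = float(m.group("mb"))
    return moved, dict(per_user), declared


def total_bytes(per_user):
    return sum(per_user.values())


def footer_consistent(per_user, declared_mb, tolerance_mb=1.0):
    """True when OTM's 'Total Files Cleaned' footer agrees with our own sum
    (OTM prints a rounded MB figure, so allow up to a megabyte of slack)."""
    if declared_mb is None:
        return False
    return abs(total_bytes(per_user) / 2**20 - declared_mb) < tolerance_mb


if __name__ == "__main__":
    moved, per_user, declared = parse_otm_log(OTM_LOG)
    print("files moved (quarantined copies to account for):")
    for path in moved:
        print("  ", path)
    for user, n in sorted(per_user.items(), key=lambda kv: -kv[1]):
        print(f"{user:20} {n / 2**20:8.2f} MB")
    print("footer consistent:", footer_consistent(per_user, declared))
```

Run it as-is to see the per-user breakdown; the HP_Owner profile alone accounts for well over 200 MB of the 272 MB, and the four moved entries are exactly the items OTM was asked to quarantine.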

Good deal, we're ready to rock and roll you right on out of here.

 

Delete the following tools and associated folders. It's possible they would be flagged in future scans.

HAMeb_check.exe

Rootkit Unhooker

MBRCheck by ad_13

SystemLook

 

======================================

 

Don't miss or skip this next step, this will remove malicious files from quarantine and set a clean restore point.

 

Go to Start > Run > copy and paste the full text path in the run box

 

ComboFix /Uninstall

 

Note the space between the x and the /U, it needs to be there.

 

============================================

 

Next open OTMoveIt, then click on "CleanUp!".

If you receive a warning from your Firewall please allow it. In the left pane, it will display a list of tools and other related files which you may have downloaded/used during our cleanup, plus backup folders that were created with the bad files present. They are not needed anymore, so OTMoveIt will delete them.

Do not edit anything in that Window!

Don't worry if it displays some tools you didn't download/use.

Click Yes when it asks to Begin cleanup process.

Then reboot your computer.

 

==============================================

 

Download the SP3 package to your desktop from here http://www.microsoft.com/downloads/details.aspx?FamilyId=5B33B5A8-5E76-401F-BE08-1E1555D4F3D4&displaylang=en

You should update your computer as well, as Microsoft has stopped supporting SP2.

I think you should update to SP3. It will increase your security and update a whole swathe of system files, making your computer more efficient. No way can I explain how many exploits and vulnerabilities are open on an SP2 machine.

 

 

Since the malware is gone:

You're good to go, good job!

 

 

Please take the time to read over a few of my preventive tips.

 

 

Please navigate to Microsoft Windows Updates and download all the "Critical Updates" for Windows.

 

 

Firefox 3

The award-winning Web browser is now faster, more secure, and fully customizable to your online life. Firefox 3 adds powerful new features that make your online experience even better. It has more features and is a lot more secure than IE. It is a very easy and painless download and install; it will in no way interfere with IE, you can use them both.

*NoScript - Addon for Firefox that stops all scripts from running on websites. Stops malicious software from invading via flash, java, javascript, and many other entry points.

 

WOT Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites - green to go, yellow for caution and red to stop, helping you avoid the dangerous sites. WOT has an addon available for both Firefox and IE.

 

How to prevent Malware: Created by Miekiemoes

 

Here are some additional utilities that will further enhance your safety.

# http://www.trillian.cc → Trillian or http://www.miranda-im.com → Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)

 

Scan your computer regularly for malware

Scan on a regular basis to keep your computer clean with free software such as Malwarebytes Anti-Malware (MBAM) and SUPERAntiSpyware.

Please note that these products can also be run free, without a licence, as an on-demand scanner.

 

Backup regularly

 

You never know when your PC will become unstable or become so infected that you can't recover it. Follow this Microsoft article to learn how to back up. Follow this article by Microsoft to restore your backups.

 

Alternatively, you can use 3rd-party programs to back up your data. One example can be found at Bleeping Computer.

 

Avoid P2P

 

P2P may be a great way to get lots of stuff, but it is a great way to get infected as well. There's no way to tell if the file being shared is infected. Worse still, some worms spread via P2P networks, infecting you as well. If you do need to use them, use them sparingly. Check this list of clean and infected P2P programs if you need to use one.

 

Please read these short reports on the dangers of peer-2-peer programs and file sharing.

FBI Cyber Education Letter

File sharing infects 500,000 computers

USAToday

infoworld

 

*********************************************

Please read the following safe computing articles.

 

Secure My Computer: A Layered Approach

 

Strong passwords: How to create and use them

Then consider a password keeper, to keep all your passwords safe.

 

Free Antivirus-AntiSpyware-Firewall Software

 

Keep a backup of your important files - Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.

 

Slow Computer May Not Be Malware Related, Help! My computer is slow!

http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html

 

 

PC Safety and Security--What Do I Need?

http://www.techsupportforum.com/security-center/general-computer-security/115548-pc-safety-security-what-do-i-need.html

 

Stand Up and Be Counted ---> Malware Complaints <--- where you can make a difference!

This site offers people who have been (or are) victims of malware the opportunity to document their story.

 

How did I get infected in the first place? by TonyKlein

http://www.geekstogo.com/how-did-i-get-infected-in-the-first-place/

 

 

Extra note:

Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan. http://secunia.com/software_inspector/


Wow....okay I'll spare you the gory details but after 5 hours full of failed installs, blue screens of death, and system restores I finally have SP3 installed. Now I remember why I turned off automatic updates in the first place *shudder*.

 

Anyway I sense that these were your final instructions so I just want to say THANK YOU SO MUCH! I think it's awesome that people actually volunteer to do this. I will be sure to return if I ever have another problem but here's hoping that I never have to come back! :P


Glad it's finally done.

 

Glad we could help, also, we have other forums that might interest you if the need for help should arise.

 

I will be sure to return if I ever have another problem but here's hoping that I never have to come back!

Don't want you to have problems to return, door is always open :sparkle:

This topic is now closed to further replies.