PDA

View Full Version : Virus deletes Spybot, Avast, etc.



usufructs
2009-09-30, 23:50
Picked up a nasty virus. It deletes the exe files (and some others) for Spybot, Avast and other anti-virus/spyware utilities when you try to use them. If I try uninstall the program, download it again and then reinstall it, the virus will delete the files again (I've looked in the file folders - first the files are there, then you run the program and then they're gone).

I've actually been able to have avast run a search of my hard drive during the booting phase, but unfortunately it didn't pick up the virus.

I've tried a system restore to a point before the infection. Couldn't get the system restore to work in normal mode. It worked in safe mode, but the virus remains.

Any thoughts????

Many thanks.

ken545
2009-10-05, 01:53
Hi,

Welcome to the forum.


Download Dr.Web CureIt (ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe) to the desktop:

Doubleclick the drweb-cureit icon to start the program.
press start
Allow the program to run the initial express scan
This will scan the files currently running in memory. If something is found, click the YES button when it asks you if you want to cure it. This is only a short scan.
Note: A pop up may appear during this phase suggesting you purchase their program - click the X at the top right corner of this pop-up to close it.

Once the short scan has finished, check the Complete scan box on the left side, even if nothing was found on the initial scan.
Then click the small green arrow button on the right under the Dr.Web Antivirus picture to start the complete scan. (This scan will take several hours)
During this complete scan - if Dr.Web finds an infection a window will pop up requesting your attention. Select the Cure button.
Note:(If the file cannot be cured, Dr.Web will automatically delete the file)
Once the scan is complete, on the menu bar, click file and choose report list.
Save the report to your desktop. The report will be called DrWeb.csv
Note:this report will need to be renamed to Dr.Web.txt in order to post it on the forum.
Close Dr.Web Cureit.
Please post the Dr.Web.txt report in your next reply

usufructs
2009-10-05, 02:28
Thanks for your help Ken.

The malware appears to be affecting Dr. Web CureIt.

The first time I ran it, the express scan finished (with no viruses found) and I was able to start the complete scan, but the program abruptly closed shortly thereafter.

The second time I ran it, I got the fatal blue screen error (in vista) about halfway through the express scan.

After a restart of my computer, I tried it again. For an unknown reason the brightness of my screen has been effected on the start up - now it's much darker. I ran the program again, finished the express scan (with no viruses found) and I was able to start the complete scan, but again the program closed shortly thereafter.

ken545
2009-10-05, 02:51
Not sure whats going on, lets check further.

Please download RootRepeal one of these locations and save it to your desktop
Here (http://ad13.geekstogo.com/RootRepeal.exe)
Here (http://download.bleepingcomputer.com/rootrepeal/RootRepeal.exe)
Here (http://rootrepeal.psikotick.com/RootRepeal.exe)

Open http://billy-oneal.com/forums/rootRepeal/rootRepealDesktopIcon.png on your desktop.
Click the http://billy-oneal.com/forums/rootRepeal/reportTab.png tab.
Click the http://billy-oneal.com/forums/rootRepeal/btnScan.png button.
Check just these boxes:
http://forums.whatthetech.com/uploads/monthly_08_2009/post-75503-1250480183.gif
Push Ok
Check the box for your main system drive (Usually C:, and press Ok.
Allow RootRepeal to run a scan of your system. This may take some time.
Once the scan completes, push the http://billy-oneal.com/forums/rootRepeal/saveReport.png button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your post.

usufructs
2009-10-05, 03:06
The program did not give me the option of checking the boxes listed, so I did individual scans for each item of the checked boxes.

For the Drivers:

ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2009/10/04 19:59
Program Version: Version 1.3.5.0
Windows Version: Windows Vista SP2
==================================================

Drivers
-------------------
Name: 1394BUS.SYS
Image Path: C:\Windows\system32\DRIVERS\1394BUS.SYS
Address: 0x8BB8F000 Size: 57344 File Visible: - Signed: -
Status: -

Name: acpi.sys
Image Path: C:\Windows\system32\drivers\acpi.sys
Address: 0x80694000 Size: 286720 File Visible: - Signed: -
Status: -

Name: ACPI_HAL
Image Path: \Driver\ACPI_HAL
Address: 0x81C07000 Size: 3903488 File Visible: - Signed: -
Status: -

Name: afd.sys
Image Path: C:\Windows\system32\drivers\afd.sys
Address: 0x805B5000 Size: 294912 File Visible: - Signed: -
Status: -

Name: ApsHM86.sys
Image Path: C:\Windows\System32\DRIVERS\ApsHM86.sys
Address: 0x87B57000 Size: 32768 File Visible: - Signed: -
Status: -

Name: Apsx86.sys
Image Path: C:\Windows\System32\DRIVERS\Apsx86.sys
Address: 0x87B67000 Size: 122880 File Visible: - Signed: -
Status: -

Name: aswFsBlk.sys
Image Path: C:\Windows\system32\DRIVERS\aswFsBlk.sys
Address: 0x8C9B1000 Size: 32768 File Visible: - Signed: -
Status: -

Name: aswMonFlt.sys
Image Path: C:\Windows\system32\DRIVERS\aswMonFlt.sys
Address: 0x8C99A000 Size: 94208 File Visible: - Signed: -
Status: -

Name: aswRdr.SYS
Image Path: C:\Windows\System32\Drivers\aswRdr.SYS
Address: 0x8C008000 Size: 15136 File Visible: - Signed: -
Status: -

Name: aswSP.SYS
Image Path: C:\Windows\System32\Drivers\aswSP.SYS
Address: 0x8C92E000 Size: 94208 File Visible: - Signed: -
Status: -

Name: aswTdi.SYS
Image Path: C:\Windows\System32\Drivers\aswTdi.SYS
Address: 0x8B000000 Size: 33632 File Visible: - Signed: -
Status: -

Name: atapi.sys
Image Path: C:\Windows\system32\drivers\atapi.sys
Address: 0x822DE000 Size: 32768 File Visible: - Signed: -
Status: -

Name: ataport.SYS
Image Path: C:\Windows\system32\drivers\ataport.SYS
Address: 0x822E6000 Size: 122880 File Visible: - Signed: -
Status: -

Name: athr.sys
Image Path: C:\Windows\system32\DRIVERS\athr.sys
Address: 0x8BA9B000 Size: 933888 File Visible: - Signed: -
Status: -

Name: BATTC.SYS
Image Path: C:\Windows\system32\DRIVERS\BATTC.SYS
Address: 0x80724000 Size: 40960 File Visible: - Signed: -
Status: -

Name: Beep.SYS
Image Path: C:\Windows\System32\Drivers\Beep.SYS
Address: 0x8C7E5000 Size: 28672 File Visible: - Signed: -
Status: -

Name: BOOTVID.dll
Image Path: C:\Windows\system32\BOOTVID.dll
Address: 0x8048C000 Size: 32768 File Visible: - Signed: -
Status: -

Name: bowser.sys
Image Path: C:\Windows\system32\DRIVERS\bowser.sys
Address: 0xA99CA000 Size: 102400 File Visible: - Signed: -
Status: -

Name: cdd.dll
Image Path: C:\Windows\System32\cdd.dll
Address: 0x954F0000 Size: 57344 File Visible: - Signed: -
Status: -

Name: cdfs.sys
Image Path: C:\Windows\system32\DRIVERS\cdfs.sys
Address: 0xAD302000 Size: 90112 File Visible: - Signed: -
Status: -

Name: cdrom.sys
Image Path: C:\Windows\system32\DRIVERS\cdrom.sys
Address: 0x8BCD2000 Size: 98304 File Visible: - Signed: -
Status: -

Name: CHDRT32.sys
Image Path: C:\Windows\system32\drivers\CHDRT32.sys
Address: 0x8C13C000 Size: 237568 File Visible: - Signed: -
Status: -

Name: CI.dll
Image Path: C:\Windows\system32\CI.dll
Address: 0x804D5000 Size: 917504 File Visible: - Signed: -
Status: -

Name: CLASSPNP.SYS
Image Path: C:\Windows\system32\drivers\CLASSPNP.SYS
Address: 0x87BCC000 Size: 135168 File Visible: - Signed: -
Status: -

Name: CLFS.SYS
Image Path: C:\Windows\system32\CLFS.SYS
Address: 0x80494000 Size: 266240 File Visible: - Signed: -
Status: -

Name: CmBatt.sys
Image Path: C:\Windows\system32\DRIVERS\CmBatt.sys
Address: 0x8BCC8000 Size: 14208 File Visible: - Signed: -
Status: -

Name: compbatt.sys
Image Path: C:\Windows\system32\DRIVERS\compbatt.sys
Address: 0x80721000 Size: 10496 File Visible: - Signed: -
Status: -

Name: crashdmp.sys
Image Path: C:\Windows\System32\Drivers\crashdmp.sys
Address: 0x8C945000 Size: 53248 File Visible: - Signed: -
Status: -

Name: crcdisk.sys
Image Path: C:\Windows\system32\drivers\crcdisk.sys
Address: 0x87BED000 Size: 36864 File Visible: - Signed: -
Status: -

Name: csc.sys
Image Path: C:\Windows\system32\drivers\csc.sys
Address: 0x8C8BC000 Size: 372736 File Visible: - Signed: -
Status: -

Name: dfsc.sys
Image Path: C:\Windows\System32\Drivers\dfsc.sys
Address: 0x8C917000 Size: 94208 File Visible: - Signed: -
Status: -

Name: disk.sys
Image Path: C:\Windows\system32\drivers\disk.sys
Address: 0x87BBB000 Size: 69632 File Visible: - Signed: -
Status: -

Name: DLABMFSM.SYS
Image Path: C:\Windows\System32\DLA\DLABMFSM.SYS
Address: 0x8C9ED000 Size: 28160 File Visible: - Signed: -
Status: -

Name: DLABOIOM.SYS
Image Path: C:\Windows\System32\DLA\DLABOIOM.SYS
Address: 0x8C9F4000 Size: 25568 File Visible: - Signed: -
Status: -

Name: DLACDBHM.SYS
Image Path: C:\Windows\System32\Drivers\DLACDBHM.SYS
Address: 0x8BCD0000 Size: 5952 File Visible: - Signed: -
Status: -

Name: DLADResM.SYS
Image Path: C:\Windows\System32\DLA\DLADResM.SYS
Address: 0x8C9CD000 Size: 2496 File Visible: - Signed: -
Status: -

Name: DLAIFS_M.SYS
Image Path: C:\Windows\System32\DLA\DLAIFS_M.SYS
Address: 0x8C9CE000 Size: 98144 File Visible: - Signed: -
Status: -

Name: DLAOPIOM.SYS
Image Path: C:\Windows\System32\DLA\DLAOPIOM.SYS
Address: 0x8C9E6000 Size: 19840 File Visible: - Signed: -
Status: -

Name: DLAPoolM.SYS
Image Path: C:\Windows\System32\DLA\DLAPoolM.SYS
Address: 0x8C9EB000 Size: 7616 File Visible: - Signed: -
Status: -

Name: DLARTL_M.SYS
Image Path: C:\Windows\System32\Drivers\DLARTL_M.SYS
Address: 0x8C7EC000 Size: 21216 File Visible: - Signed: -
Status: -

Name: DLAUDF_M.SYS
Image Path: C:\Windows\System32\DLA\DLAUDF_M.SYS
Address: 0xA9824000 Size: 91232 File Visible: - Signed: -
Status: -

Name: DLAUDFAM.SYS
Image Path: C:\Windows\System32\DLA\DLAUDFAM.SYS
Address: 0xA980E000 Size: 86848 File Visible: - Signed: -
Status: -

Name: drmk.sys
Image Path: C:\Windows\system32\drivers\drmk.sys
Address: 0x8C1A3000 Size: 151552 File Visible: - Signed: -
Status: -

Name: DRVMCDB.SYS
Image Path: C:\Windows\System32\Drivers\DRVMCDB.SYS
Address: 0x8235E000 Size: 90752 File Visible: - Signed: -
Status: -

Name: DRVNDDM.SYS
Image Path: C:\Windows\System32\Drivers\DRVNDDM.SYS
Address: 0x8C9C2000 Size: 42496 File Visible: - Signed: -
Status: -

Name: dump_iaStor.sys
Image Path: C:\Windows\System32\Drivers\dump_iaStor.sys
Address: 0x82B14000 Size: 851968 File Visible: No Signed: -
Status: -

Name: Dxapi.sys
Image Path: C:\Windows\System32\drivers\Dxapi.sys
Address: 0x8C952000 Size: 40960 File Visible: - Signed: -
Status: -

Name: dxgkrnl.sys
Image Path: C:\Windows\System32\drivers\dxgkrnl.sys
Address: 0x8B6EF000 Size: 651264 File Visible: - Signed: -
Status: -

Name: e1y6032.sys
Image Path: C:\Windows\system32\DRIVERS\e1y6032.sys
Address: 0x8B7A4000 Size: 237568 File Visible: - Signed: -
Status: -

Name: ecache.sys
Image Path: C:\Windows\System32\drivers\ecache.sys
Address: 0x87B94000 Size: 159744 File Visible: - Signed: -
Status: -

Name: fileinfo.sys
Image Path: C:\Windows\system32\drivers\fileinfo.sys
Address: 0x8234E000 Size: 65536 File Visible: - Signed: -
Status: -

Name: fltmgr.sys
Image Path: C:\Windows\system32\drivers\fltmgr.sys
Address: 0x8231C000 Size: 204800 File Visible: - Signed: -
Status: -

Name: Fs_Rec.SYS
Image Path: C:\Windows\System32\Drivers\Fs_Rec.SYS
Address: 0x8C7F4000 Size: 36864 File Visible: - Signed: -
Status: -

Name: fwpkclnt.sys
Image Path: C:\Windows\System32\drivers\fwpkclnt.sys
Address: 0x82AF9000 Size: 110592 File Visible: - Signed: -
Status: -

Name: GEARAspiWDM.sys
Image Path: C:\Windows\system32\DRIVERS\GEARAspiWDM.sys
Address: 0x8BCEA000 Size: 9984 File Visible: - Signed: -
Status: -

Name: hal.dll
Image Path: C:\Windows\system32\hal.dll
Address: 0x81FC0000 Size: 208896 File Visible: - Signed: -
Status: -

Name: HDAudBus.sys
Image Path: C:\Windows\system32\DRIVERS\HDAudBus.sys
Address: 0x8BA0E000 Size: 577536 File Visible: - Signed: -
Status: -

Name: HECI.sys
Image Path: C:\Windows\system32\DRIVERS\HECI.sys
Address: 0x8B79A000 Size: 40832 File Visible: - Signed: -
Status: -

Name: HSX_CNXT.sys
Image Path: C:\Windows\system32\DRIVERS\HSX_CNXT.sys
Address: 0x8C70C000 Size: 741376 File Visible: - Signed: -
Status: -

Name: HSX_DPV.sys
Image Path: C:\Windows\system32\DRIVERS\HSX_DPV.sys
Address: 0x8C60A000 Size: 1056768 File Visible: - Signed: -
Status: -

Name: HSXHWAZL.sys
Image Path: C:\Windows\system32\DRIVERS\HSXHWAZL.sys
Address: 0x829B0000 Size: 249856 File Visible: - Signed: -
Status: -

Name: HTTP.sys
Image Path: C:\Windows\system32\drivers\HTTP.sys
Address: 0xA9942000 Size: 438272 File Visible: - Signed: -
Status: -

Name: i8042prt.sys
Image Path: C:\Windows\system32\DRIVERS\i8042prt.sys
Address: 0x8BC60000 Size: 77824 File Visible: - Signed: -
Status: -

Name: iaStor.sys
Image Path: C:\Windows\system32\DRIVERS\iaStor.sys
Address: 0x8220E000 Size: 851968 File Visible: - Signed: -
Status: -

Name: ibmpmdrv.sys
Image Path: C:\Windows\system32\DRIVERS\ibmpmdrv.sys
Address: 0x8BCCC000 Size: 16000 File Visible: - Signed: -
Status: -

Name: igdkmd32.sys
Image Path: C:\Windows\system32\DRIVERS\igdkmd32.sys
Address: 0x8B00B000 Size: 7225344 File Visible: - Signed: -
Status: -

Name: intelppm.sys
Image Path: C:\Windows\system32\DRIVERS\intelppm.sys
Address: 0x82BEF000 Size: 61440 File Visible: - Signed: -
Status: -

Name: kbdclass.sys
Image Path: C:\Windows\system32\DRIVERS\kbdclass.sys
Address: 0x8BC73000 Size: 45056 File Visible: - Signed: -
Status: -

Name: kdcom.dll
Image Path: C:\Windows\system32\kdcom.dll
Address: 0x80404000 Size: 28672 File Visible: - Signed: -
Status: -

Name: ks.sys
Image Path: C:\Windows\system32\DRIVERS\ks.sys
Address: 0x8C0B5000 Size: 172032 File Visible: - Signed: -
Status: -

Name: ksecdd.sys
Image Path: C:\Windows\System32\Drivers\ksecdd.sys
Address: 0x8237F000 Size: 462848 File Visible: - Signed: -
Status: -

Name: lltdio.sys
Image Path: C:\Windows\system32\DRIVERS\lltdio.sys
Address: 0xA98EB000 Size: 65536 File Visible: - Signed: -
Status: -

Name: luafv.sys
Image Path: C:\Windows\system32\drivers\luafv.sys
Address: 0x8C97F000 Size: 110592 File Visible: - Signed: -
Status: -

Name: mcupdate_GenuineIntel.dll
Image Path: C:\Windows\system32\mcupdate_GenuineIntel.dll
Address: 0x8040B000 Size: 458752 File Visible: - Signed: -
Status: -

Name: mdmxsdk.sys
Image Path: C:\Windows\system32\DRIVERS\mdmxsdk.sys
Address: 0xACB25000 Size: 12672 File Visible: - Signed: -
Status: -

Name: modem.sys
Image Path: C:\Windows\system32\drivers\modem.sys
Address: 0x8C7C1000 Size: 53248 File Visible: - Signed: -
Status: -

Name: monitor.sys
Image Path: C:\Windows\system32\DRIVERS\monitor.sys
Address: 0x8C95C000 Size: 61440 File Visible: - Signed: -
Status: -

Name: mouclass.sys
Image Path: C:\Windows\system32\DRIVERS\mouclass.sys
Address: 0x8BCAF000 Size: 45056 File Visible: - Signed: -
Status: -

Name: mountmgr.sys
Image Path: C:\Windows\System32\drivers\mountmgr.sys
Address: 0x807B4000 Size: 65536 File Visible: - Signed: -
Status: -

Name: mpsdrv.sys
Image Path: C:\Windows\System32\drivers\mpsdrv.sys
Address: 0xA99E3000 Size: 86016 File Visible: - Signed: -
Status: -

Name: mrxdav.sys
Image Path: C:\Windows\system32\drivers\mrxdav.sys
Address: 0xACA09000 Size: 135168 File Visible: - Signed: -
Status: -

Name: mrxsmb.sys
Image Path: C:\Windows\system32\DRIVERS\mrxsmb.sys
Address: 0xACA2A000 Size: 126976 File Visible: - Signed: -
Status: -

Name: mrxsmb10.sys
Image Path: C:\Windows\system32\DRIVERS\mrxsmb10.sys
Address: 0xACA49000 Size: 233472 File Visible: - Signed: -
Status: -

Name: mrxsmb20.sys
Image Path: C:\Windows\system32\DRIVERS\mrxsmb20.sys
Address: 0xACA82000 Size: 98304 File Visible: - Signed: -
Status: -

Name: msahci.sys
Image Path: C:\Windows\system32\drivers\msahci.sys
Address: 0x82304000 Size: 40960 File Visible: - Signed: -
Status: -

Name: Msfs.SYS
Image Path: C:\Windows\System32\Drivers\Msfs.SYS
Address: 0x8BDEE000 Size: 45056 File Visible: - Signed: -
Status: -

Name: msisadrv.sys
Image Path: C:\Windows\system32\drivers\msisadrv.sys
Address: 0x806E3000 Size: 32768 File Visible: - Signed: -
Status: -

Name: msiscsi.sys
Image Path: C:\Windows\system32\DRIVERS\msiscsi.sys
Address: 0x8BCF6000 Size: 192512 File Visible: - Signed: -
Status: -

Name: msrpc.sys
Image Path: C:\Windows\system32\drivers\msrpc.sys
Address: 0x8290C000 Size: 176128 File Visible: - Signed: -
Status: -

Name: mssmbios.sys
Image Path: C:\Windows\system32\DRIVERS\mssmbios.sys
Address: 0x8C0DF000 Size: 40960 File Visible: - Signed: -
Status: -

Name: mup.sys
Image Path: C:\Windows\System32\Drivers\mup.sys
Address: 0x87B85000 Size: 61440 File Visible: - Signed: -
Status: -

Name: ndis.sys
Image Path: C:\Windows\system32\drivers\ndis.sys
Address: 0x82801000 Size: 1093632 File Visible: - Signed: -
Status: -

Name: ndistapi.sys
Image Path: C:\Windows\system32\DRIVERS\ndistapi.sys
Address: 0x8BD88000 Size: 45056 File Visible: - Signed: -
Status: -

Name: ndisuio.sys
Image Path: C:\Windows\system32\DRIVERS\ndisuio.sys
Address: 0xA9925000 Size: 40960 File Visible: - Signed: -
Status: -

Name: ndiswan.sys
Image Path: C:\Windows\system32\DRIVERS\ndiswan.sys
Address: 0x8BD93000 Size: 143360 File Visible: - Signed: -
Status: -

Name: NDProxy.SYS
Image Path: C:\Windows\System32\Drivers\NDProxy.SYS
Address: 0x8C12B000 Size: 69632 File Visible: - Signed: -
Status: -

Name: netbios.sys
Image Path: C:\Windows\system32\DRIVERS\netbios.sys
Address: 0x8C84D000 Size: 57344 File Visible: - Signed: -
Status: -

Name: netbt.sys
Image Path: C:\Windows\System32\DRIVERS\netbt.sys
Address: 0x8C805000 Size: 204800 File Visible: - Signed: -
Status: -

Name: NETIO.SYS
Image Path: C:\Windows\system32\drivers\NETIO.SYS
Address: 0x82937000 Size: 241664 File Visible: - Signed: -
Status: -

Name: Npfs.SYS
Image Path: C:\Windows\System32\Drivers\Npfs.SYS
Address: 0x8BC00000 Size: 57344 File Visible: - Signed: -
Status: -

Name: nsiproxy.sys
Image Path: C:\Windows\system32\drivers\nsiproxy.sys
Address: 0x8C8B0000 Size: 40960 File Visible: - Signed: -
Status: -

Name: Ntfs.sys
Image Path: C:\Windows\System32\Drivers\Ntfs.sys
Address: 0x87A0E000 Size: 1114112 File Visible: - Signed: -
Status: -

Name: ntkrnlpa.exe
Image Path: C:\Windows\system32\ntkrnlpa.exe
Address: 0x81C07000 Size: 3903488 File Visible: - Signed: -
Status: -

Name: Null.SYS
Image Path: C:\Windows\System32\Drivers\Null.SYS
Address: 0x8C600000 Size: 28672 File Visible: - Signed: -
Status: -

Name: nwifi.sys
Image Path: C:\Windows\system32\DRIVERS\nwifi.sys
Address: 0xA98FB000 Size: 172032 File Visible: - Signed: -
Status: -

Name: ohci1394.sys
Image Path: C:\Windows\system32\DRIVERS\ohci1394.sys
Address: 0x8BB7F000 Size: 62208 File Visible: - Signed: -
Status: -

Name: pacer.sys
Image Path: C:\Windows\system32\DRIVERS\pacer.sys
Address: 0x8C837000 Size: 90112 File Visible: - Signed: -
Status: -

Name: partmgr.sys
Image Path: C:\Windows\System32\drivers\partmgr.sys
Address: 0x80712000 Size: 61440 File Visible: - Signed: -
Status: -

Name: pci.sys
Image Path: C:\Windows\system32\drivers\pci.sys
Address: 0x806EB000 Size: 159744 File Visible: - Signed: -
Status: -

Name: PCIIDEX.SYS
Image Path: C:\Windows\system32\drivers\PCIIDEX.SYS
Address: 0x8230E000 Size: 57344 File Visible: - Signed: -
Status: -

Name: pcmcia.sys
Image Path: C:\Windows\system32\DRIVERS\pcmcia.sys
Address: 0x80787000 Size: 184320 File Visible: - Signed: -
Status: -

Name: peauth.sys
Image Path: C:\Windows\system32\drivers\peauth.sys
Address: 0xAD206000 Size: 909312 File Visible: - Signed: -
Status: -

Name: PnpManager
Image Path: \Driver\PnpManager
Address: 0x81C07000 Size: 3903488 File Visible: - Signed: -
Status: -

Name: portcls.sys
Image Path: C:\Windows\system32\drivers\portcls.sys
Address: 0x8C176000 Size: 184320 File Visible: - Signed: -
Status: -

Name: psadd.sys
Image Path: C:\Windows\system32\DRIVERS\psadd.sys
Address: 0x8C0A5000 Size: 23424 File Visible: - Signed: -
Status: -

Name: PSHED.dll
Image Path: C:\Windows\system32\PSHED.dll
Address: 0x8047B000 Size: 69632 File Visible: - Signed: -
Status: -

Name: PxHelp20.sys
Image Path: C:\Windows\System32\Drivers\PxHelp20.sys
Address: 0x82375000 Size: 37376 File Visible: - Signed: -
Status: -

Name: rasacd.sys
Image Path: C:\Windows\System32\DRIVERS\rasacd.sys
Address: 0x8BA00000 Size: 36864 File Visible: - Signed: -
Status: -

Name: rasl2tp.sys
Image Path: C:\Windows\system32\DRIVERS\rasl2tp.sys
Address: 0x8BD71000 Size: 94208 File Visible: - Signed: -
Status: -

Name: raspppoe.sys
Image Path: C:\Windows\system32\DRIVERS\raspppoe.sys
Address: 0x8BDB6000 Size: 61440 File Visible: - Signed: -
Status: -

Name: raspptp.sys
Image Path: C:\Windows\system32\DRIVERS\raspptp.sys
Address: 0x8BDC5000 Size: 81920 File Visible: - Signed: -
Status: -

Name: rassstp.sys
Image Path: C:\Windows\system32\DRIVERS\rassstp.sys
Address: 0x8BDD9000 Size: 86016 File Visible: - Signed: -
Status: -

Name: RAW
Image Path: \FileSystem\RAW
Address: 0x81C07000 Size: 3903488 File Visible: - Signed: -
Status: -

Name: rdbss.sys
Image Path: C:\Windows\system32\DRIVERS\rdbss.sys
Address: 0x8C874000 Size: 245760 File Visible: - Signed: -
Status: -

Name: RDPCDD.sys
Image Path: C:\Windows\System32\DRIVERS\RDPCDD.sys
Address: 0x8C1F5000 Size: 32768 File Visible: - Signed: -
Status: -

Name: rdpdr.sys
Image Path: C:\Windows\system32\DRIVERS\rdpdr.sys
Address: 0x8C00C000 Size: 561152 File Visible: - Signed: -
Status: -

Name: rdpencdd.sys
Image Path: C:\Windows\system32\drivers\rdpencdd.sys
Address: 0x8C000000 Size: 32768 File Visible: - Signed: -
Status: -

Name: rimmptsk.sys
Image Path: C:\Windows\system32\DRIVERS\rimmptsk.sys
Address: 0x8BBB7000 Size: 69632 File Visible: - Signed: -
Status: -

Name: rimsptsk.sys
Image Path: C:\Windows\system32\DRIVERS\rimsptsk.sys
Address: 0x8BBC8000 Size: 81920 File Visible: - Signed: -
Status: -

Name: rixdptsk.sys
Image Path: C:\Windows\system32\DRIVERS\rixdptsk.sys
Address: 0x8BC0E000 Size: 335872 File Visible: - Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\Windows\system32\drivers\rootrepeal.sys
Address: 0xAD355000 Size: 49152 File Visible: No Signed: -
Status: -

Name: rspndr.sys
Image Path: C:\Windows\system32\DRIVERS\rspndr.sys
Address: 0xA992F000 Size: 77824 File Visible: - Signed: -
Status: -

Name: sdbus.sys
Image Path: C:\Windows\system32\DRIVERS\sdbus.sys
Address: 0x8BB9D000 Size: 106496 File Visible: - Signed: -
Status: -

Name: secdrv.SYS
Image Path: C:\Windows\System32\Drivers\secdrv.SYS
Address: 0xAD2E4000 Size: 40960 File Visible: - Signed: -
Status: -

Name: smb.sys
Image Path: C:\Windows\system32\DRIVERS\smb.sys
Address: 0x807DA000 Size: 81920 File Visible: - Signed: -
Status: -

Name: smiif32.sys
Image Path: C:\Windows\system32\DRIVERS\smiif32.sys
Address: 0x8C8BA000 Size: 6784 File Visible: - Signed: -
Status: -

Name: spldr.sys
Image Path: C:\Windows\System32\Drivers\spldr.sys
Address: 0x87B5F000 Size: 32768 File Visible: - Signed: -
Status: -

Name: spsys.sys
Image Path: C:\Windows\system32\drivers\spsys.sys
Address: 0xA983B000 Size: 720896 File Visible: - Signed: -
Status: -

Name: srv.sys
Image Path: C:\Windows\System32\DRIVERS\srv.sys
Address: 0xACAC1000 Size: 311296 File Visible: - Signed: -
Status: -

Name: srv2.sys
Image Path: C:\Windows\System32\DRIVERS\srv2.sys
Address: 0xACA9A000 Size: 159744 File Visible: - Signed: -
Status: -

Name: srvnet.sys
Image Path: C:\Windows\System32\DRIVERS\srvnet.sys
Address: 0xA99AD000 Size: 118784 File Visible: - Signed: -
Status: -

Name: storport.sys
Image Path: C:\Windows\system32\DRIVERS\storport.sys
Address: 0x8BD25000 Size: 266240 File Visible: - Signed: -
Status: -

Name: swenum.sys
Image Path: C:\Windows\system32\DRIVERS\swenum.sys
Address: 0x8C0B3000 Size: 4992 File Visible: - Signed: -
Status: -

Name: SynTP.sys
Image Path: C:\Windows\system32\DRIVERS\SynTP.sys
Address: 0x8BC7E000 Size: 189696 File Visible: - Signed: -
Status: -

Name: tcpip.sys
Image Path: C:\Windows\System32\drivers\tcpip.sys
Address: 0x82A0F000 Size: 958464 File Visible: - Signed: -
Status: -

Name: tcpipreg.sys
Image Path: C:\Windows\System32\drivers\tcpipreg.sys
Address: 0xAD2EE000 Size: 49152 File Visible: - Signed: -
Status: -

Name: TDI.SYS
Image Path: C:\Windows\system32\DRIVERS\TDI.SYS
Address: 0x8BD66000 Size: 45056 File Visible: - Signed: -
Status: -

Name: tdx.sys
Image Path: C:\Windows\system32\DRIVERS\tdx.sys
Address: 0x807C4000 Size: 90112 File Visible: - Signed: -
Status: -

Name: termdd.sys
Image Path: C:\Windows\system32\DRIVERS\termdd.sys
Address: 0x8C095000 Size: 65536 File Visible: - Signed: -
Status: -

Name: tpm.sys
Image Path: C:\Windows\system32\drivers\tpm.sys
Address: 0x8BCBA000 Size: 57344 File Visible: - Signed: -
Status: -

Name: Tppwr32v.sys
Image Path: C:\Windows\System32\drivers\Tppwr32v.sys
Address: 0x8C86E000 Size: 24576 File Visible: - Signed: -
Status: -

Name: TSDDD.dll
Image Path: C:\Windows\System32\TSDDD.dll
Address: 0x954D0000 Size: 36864 File Visible: - Signed: -
Status: -

Name: tunmp.sys
Image Path: C:\Windows\system32\DRIVERS\tunmp.sys
Address: 0x87BF6000 Size: 36864 File Visible: - Signed: -
Status: -

Name: tunnel.sys
Image Path: C:\Windows\system32\DRIVERS\tunnel.sys
Address: 0x82BE4000 Size: 45056 File Visible: - Signed: -
Status: -

Name: tvtfilter.sys
Image Path: C:\Windows\system32\DRIVERS\tvtfilter.sys
Address: 0x8C9B9000 Size: 33536 File Visible: - Signed: -
Status: -

Name: Tvti2c.sys
Image Path: C:\Windows\system32\DRIVERS\Tvti2c.sys
Address: 0x8C0AB000 Size: 30592 File Visible: - Signed: -
Status: -

Name: umbus.sys
Image Path: C:\Windows\system32\DRIVERS\umbus.sys
Address: 0x8C0E9000 Size: 53248 File Visible: - Signed: -
Status: -

Name: usbccgp.sys
Image Path: C:\Windows\system32\DRIVERS\usbccgp.sys
Address: 0x8C7CE000 Size: 94208 File Visible: - Signed: -
Status: -

Name: USBD.SYS
Image Path: C:\Windows\system32\DRIVERS\USBD.SYS
Address: 0x8BCAD000 Size: 8192 File Visible: - Signed: -
Status: -

Name: usbehci.sys
Image Path: C:\Windows\system32\DRIVERS\usbehci.sys
Address: 0x8B7E9000 Size: 61440 File Visible: - Signed: -
Status: -

Name: usbhub.sys
Image Path: C:\Windows\system32\DRIVERS\usbhub.sys
Address: 0x8C0F6000 Size: 217088 File Visible: - Signed: -
Status: -

Name: USBPORT.SYS
Image Path: C:\Windows\system32\DRIVERS\USBPORT.SYS
Address: 0x82972000 Size: 253952 File Visible: - Signed: -
Status: -

Name: usbuhci.sys
Image Path: C:\Windows\system32\DRIVERS\usbuhci.sys
Address: 0x8B7DE000 Size: 45056 File Visible: - Signed: -
Status: -

Name: usbvideo.sys
Image Path: C:\Windows\System32\Drivers\usbvideo.sys
Address: 0x8C1C8000 Size: 134016 File Visible: - Signed: -
Status: -

Name: vga.sys
Image Path: C:\Windows\System32\drivers\vga.sys
Address: 0x8C1E9000 Size: 49152 File Visible: - Signed: -
Status: -

Name: VIDEOPRT.SYS
Image Path: C:\Windows\System32\drivers\VIDEOPRT.SYS
Address: 0x8BBDC000 Size: 135168 File Visible: - Signed: -
Status: -

Name: volmgr.sys
Image Path: C:\Windows\system32\drivers\volmgr.sys
Address: 0x8072E000 Size: 61440 File Visible: - Signed: -
Status: -

Name: volmgrx.sys
Image Path: C:\Windows\System32\drivers\volmgrx.sys
Address: 0x8073D000 Size: 303104 File Visible: - Signed: -
Status: -

Name: volsnap.sys
Image Path: C:\Windows\system32\drivers\volsnap.sys
Address: 0x87B1E000 Size: 233472 File Visible: - Signed: -
Status: -

Name: wanarp.sys
Image Path: C:\Windows\system32\DRIVERS\wanarp.sys
Address: 0x8C85B000 Size: 77824 File Visible: - Signed: -
Status: -

Name: watchdog.sys
Image Path: C:\Windows\System32\drivers\watchdog.sys
Address: 0x8B78E000 Size: 49152 File Visible: - Signed: -
Status: -

Name: Wdf01000.sys
Image Path: C:\Windows\system32\drivers\Wdf01000.sys
Address: 0x8060B000 Size: 507904 File Visible: - Signed: -
Status: -

Name: WDFLDR.SYS
Image Path: C:\Windows\system32\drivers\WDFLDR.SYS
Address: 0x80687000 Size: 53248 File Visible: - Signed: -
Status: -

Name: Win32k
Image Path: \Driver\Win32k
Address: 0x952B0000 Size: 2105344 File Visible: - Signed: -
Status: -

Name: win32k.sys
Image Path: C:\Windows\System32\win32k.sys
Address: 0x952B0000 Size: 2105344 File Visible: - Signed: -
Status: -

Name: win32k.sys:1
Image Path: C:\Windows\win32k.sys:1
Address: 0x8C96B000 Size: 20480 File Visible: No Signed: -
Status: -

Name: win32k.sys:2
Image Path: C:\Windows\win32k.sys:2
Address: 0x8C970000 Size: 61440 File Visible: No Signed: -
Status: -

Name: wmiacpi.sys
Image Path: C:\Windows\system32\DRIVERS\wmiacpi.sys
Address: 0x8BCED000 Size: 36864 File Visible: - Signed: -
Status: -

Name: WMILIB.SYS
Image Path: C:\Windows\system32\drivers\WMILIB.SYS
Address: 0x806DA000 Size: 36864 File Visible: - Signed: -
Status: -

Name: WMIxWDM
Image Path: \Driver\WMIxWDM
Address: 0x81C07000 Size: 3903488 File Visible: - Signed: -
Status: -

Name: xaudio.sys
Image Path: C:\Windows\system32\DRIVERS\xaudio.sys
Address: 0xAD2FA000 Size: 32768 File Visible: - Signed: -
Status: -

For the processes:

ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2009/10/04 20:00
Program Version: Version 1.3.5.0
Windows Version: Windows Vista SP2
==================================================

Processes
-------------------
Path: System
PID: 4 Status: Locked to the Windows API!

Path: C:\Windows\System32\svchost.exe
PID: 124 Status: -

Path: C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
PID: 452 Status: -

Path: C:\Windows\System32\smss.exe
PID: 536 Status: -

Path: C:\Windows\System32\csrss.exe
PID: 652 Status: -

Path: C:\Windows\System32\wininit.exe
PID: 696 Status: -

Path: C:\Windows\System32\csrss.exe
PID: 704 Status: -

Path: C:\Program Files\Lenovo\HOTKEY\TPHKSVC.exe
PID: 732 Status: -

Path: C:\Windows\System32\services.exe
PID: 740 Status: -

Path: C:\Windows\System32\lsass.exe
PID: 756 Status: -

Path: C:\Windows\System32\lsm.exe
PID: 764 Status: -

Path: C:\Windows\System32\winlogon.exe
PID: 788 Status: -

Path: C:\Program Files\Lenovo\System Update\SUService.exe
PID: 848 Status: -

Path: C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
PID: 944 Status: -

Path: C:\Windows\System32\svchost.exe
PID: 952 Status: -

Path: C:\Windows\System32\ibmpmsvc.exe
PID: 1024 Status: -

Path: C:\Windows\System32\svchost.exe
PID: 1076 Status: -

Path: C:\Windows\System32\svchost.exe
PID: 1120 Status: -

Path: C:\Windows\System32\SearchFilterHost.exe
PID: 1180 Status: -

Path: C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
PID: 1248 Status: -

Path: C:\Windows\System32\svchost.exe
PID: 1268 Status: -

Path: C:\Windows\System32\svchost.exe
PID: 1316 Status: -

Path: C:\Windows\System32\svchost.exe
PID: 1396 Status: -

Path: C:\Windows\System32\audiodg.exe
PID: 1452 Status: Locked to the Windows API!

Path: C:\Windows\System32\svchost.exe
PID: 1484 Status: -

Path: C:\Windows\System32\SLsvc.exe
PID: 1596 Status: -

Path: C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
PID: 1632 Status: -

Path: C:\Windows\System32\svchost.exe
PID: 1652 Status: -

Path: C:\Program Files\Bonjour\mDNSResponder.exe
PID: 1756 Status: -

Path: C:\Windows\System32\svchost.exe
PID: 1760 Status: -

Path: C:\Windows\System32\svchost.exe
PID: 1780 Status: -

Path: C:\Windows\System32\wlanext.exe
PID: 1892 Status: -

Path: C:\Windows\System32\spoolsv.exe
PID: 1984 Status: -

Path: C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
PID: 2084 Status: -

Path: C:\Windows\System32\svchost.exe
PID: 2248 Status: -

Path: C:\Program Files\ThinkPad\Utilities\PWMDBSVC.exe
PID: 2292 Status: -

Path: C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
PID: 2340 Status: -

Path: C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
PID: 2364 Status: -

Path: C:\Windows\System32\svchost.exe
PID: 2416 Status: -

Path: C:\Windows\System32\TPHDEXLG.exe
PID: 2452 Status: -

Path: C:\Program Files\Lenovo\Client Security Solution\tvttcsd.exe
PID: 2504 Status: -

Path: C:\Windows\System32\SearchProtocolHost.exe
PID: 2568 Status: -

Path: C:\Program Files\Windows Media Player\wmpnscfg.exe
PID: 2732 Status: -

Path: C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
PID: 2756 Status: -

Path: C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
PID: 2864 Status: -

Path: C:\Windows\System32\taskeng.exe
PID: 2876 Status: -

Path: C:\Windows\System32\dwm.exe
PID: 2900 Status: -

Path: C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
PID: 3064 Status: -

Path: C:\Windows\System32\svchost.exe
PID: 3220 Status: -

Path: C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
PID: 3248 Status: -

Path: C:\Windows\System32\taskeng.exe
PID: 3300 Status: -

Path: C:\Program Files\Windows Defender\MSASCui.exe
PID: 3320 Status: -

Path: C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
PID: 3328 Status: -

Path: C:\Windows\System32\TpShocks.exe
PID: 3336 Status: -

Path: C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
PID: 3344 Status: -

Path: C:\Program Files\ThinkPad\Utilities\EZEJMNAP.EXE
PID: 3352 Status: -

Path: C:\Windows\System32\hkcmd.exe
PID: 3368 Status: -

Path: C:\Windows\System32\igfxpers.exe
PID: 3376 Status: -

Path: C:\Windows\System32\rundll32.exe
PID: 3384 Status: -

Path: C:\Program Files\Lenovo\Client Security Solution\cssauth.exe
PID: 3400 Status: -

Path: C:\Program Files\Google\Gmail Notifier\gnotify.exe
PID: 3408 Status: -

Path: C:\Windows\explorer.exe
PID: 3460 Status: -

Path: C:\Windows\System32\SearchIndexer.exe
PID: 3484 Status: -

Path: C:\Windows\System32\igfxsrvc.exe
PID: 3556 Status: -

Path: C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
PID: 3568 Status: -

Path: C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
PID: 3608 Status: -

Path: C:\Program Files\Lenovo\ZOOM\TpScrex.exe
PID: 3624 Status: -

Path: C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe
PID: 3824 Status: -

Path: C:\Windows\System32\drivers\XAudio.exe
PID: 3988 Status: -

Path: C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
PID: 4072 Status: -

Path: C:\Program Files\Windows Media Player\wmpnetwk.exe
PID: 4224 Status: -

Path: C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
PID: 4328 Status: -

Path: C:\Users\My Computer\AppData\Local\Google\Update\1.2.183.7\GoogleCrashHandler.exe
PID: 4960 Status: -

Path: C:\Program Files\Mozilla Firefox\firefox.exe
PID: 5180 Status: -

Path: C:\Users\My Computer\Desktop\RootRepeal.exe
PID: 5868 Status: -

Path: C:\Windows\System32\wuauclt.exe
PID: 6028 Status: -

For the ssdt:

ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2009/10/04 20:00
Program Version: Version 1.3.5.0
Windows Version: Windows Vista SP2
==================================================

SSDT
-------------------
#: 000 Function Name: NtAcceptConnectPort
Status: Not hooked

#: 001 Function Name: NtAccessCheck
Status: Not hooked

#: 002 Function Name: NtAccessCheckAndAuditAlarm
Status: Not hooked

#: 003 Function Name: NtAccessCheckByType
Status: Not hooked

#: 004 Function Name: NtAccessCheckByTypeAndAuditAlarm
Status: Not hooked

#: 005 Function Name: NtAccessCheckByTypeResultList
Status: Not hooked

#: 006 Function Name: NtAccessCheckByTypeResultListAndAuditAlarm
Status: Not hooked

#: 007 Function Name: NtAccessCheckByTypeResultListAndAuditAlarmByHandle
Status: Not hooked

#: 008 Function Name: NtAddAtom
Status: Not hooked

#: 009 Function Name: NtAddBootEntry
Status: Not hooked

#: 010 Function Name: NtAddDriverEntry
Status: Not hooked

#: 011 Function Name: NtAdjustGroupsToken
Status: Not hooked

#: 012 Function Name: NtAdjustPrivilegesToken
Status: Not hooked

#: 013 Function Name: NtAlertResumeThread
Status: Not hooked

#: 014 Function Name: NtAlertThread
Status: Not hooked

#: 015 Function Name: NtAllocateLocallyUniqueId
Status: Not hooked

#: 016 Function Name: NtAllocateUserPhysicalPages
Status: Not hooked

#: 017 Function Name: NtAllocateUuids
Status: Not hooked

#: 018 Function Name: NtAllocateVirtualMemory
Status: Not hooked

#: 019 Function Name: NtAlpcAcceptConnectPort
Status: Not hooked

#: 020 Function Name: NtAlpcCancelMessage
Status: Not hooked

#: 021 Function Name: NtAlpcConnectPort
Status: Not hooked

#: 022 Function Name: NtAlpcCreatePort
Status: Not hooked

#: 023 Function Name: NtAlpcCreatePortSection
Status: Not hooked

#: 024 Function Name: NtAlpcCreateResourceReserve
Status: Not hooked

#: 025 Function Name: NtAlpcCreateSectionView
Status: Not hooked

#: 026 Function Name: NtAlpcCreateSecurityContext
Status: Not hooked

#: 027 Function Name: NtAlpcDeletePortSection
Status: Not hooked

#: 028 Function Name: NtAlpcDeleteResourceReserve
Status: Not hooked

#: 029 Function Name: NtAlpcDeleteSectionView
Status: Not hooked

#: 030 Function Name: NtAlpcDeleteSecurityContext
Status: Not hooked

#: 031 Function Name: NtAlpcDisconnectPort
Status: Not hooked

#: 032 Function Name: NtAlpcImpersonateClientOfPort
Status: Not hooked

#: 033 Function Name: NtAlpcOpenSenderProcess
Status: Not hooked

#: 034 Function Name: NtAlpcOpenSenderThread
Status: Not hooked

#: 035 Function Name: NtAlpcQueryInformation
Status: Not hooked

#: 036 Function Name: NtAlpcQueryInformationMessage
Status: Not hooked

#: 037 Function Name: NtAlpcRevokeSecurityContext
Status: Not hooked

#: 038 Function Name: NtAlpcSendWaitReceivePort
Status: Not hooked

#: 039 Function Name: NtAlpcSetInformation
Status: Not hooked

#: 040 Function Name: NtApphelpCacheControl
Status: Not hooked

#: 041 Function Name: NtAreMappedFilesTheSame
Status: Not hooked

#: 042 Function Name: NtAssignProcessToJobObject
Status: Not hooked

#: 043 Function Name: NtCallbackReturn
Status: Not hooked

#: 044 Function Name: NtRequestDeviceWakeup
Status: Not hooked

#: 045 Function Name: NtCancelIoFile
Status: Not hooked

#: 046 Function Name: NtCancelTimer
Status: Not hooked

#: 047 Function Name: NtClearEvent
Status: Not hooked

#: 048 Function Name: NtClose
Status: Not hooked

#: 049 Function Name: NtCloseObjectAuditAlarm
Status: Not hooked

#: 050 Function Name: NtCompactKeys
Status: Not hooked

#: 051 Function Name: NtCompareTokens
Status: Not hooked

#: 052 Function Name: NtCompleteConnectPort
Status: Not hooked

#: 053 Function Name: NtCompressKey
Status: Not hooked

#: 054 Function Name: NtConnectPort
Status: Not hooked

#: 055 Function Name: NtContinue
Status: Not hooked

#: 056 Function Name: NtCreateDebugObject
Status: Not hooked

#: 057 Function Name: NtCreateDirectoryObject
Status: Not hooked

#: 058 Function Name: NtCreateEvent
Status: Not hooked

#: 059 Function Name: NtCreateEventPair
Status: Not hooked

#: 060 Function Name: NtCreateFile
Status: Not hooked

#: 061 Function Name: NtCreateIoCompletion
Status: Not hooked

#: 062 Function Name: NtCreateJobObject
Status: Not hooked

#: 063 Function Name: NtCreateJobSet
Status: Not hooked

#: 064 Function Name: NtCreateKey
Status: Not hooked

#: 065 Function Name: NtCreateKeyTransacted
Status: Not hooked

#: 066 Function Name: NtCreateMailslotFile
Status: Not hooked

#: 067 Function Name: NtCreateMutant
Status: Not hooked

#: 068 Function Name: NtCreateNamedPipeFile
Status: Not hooked

#: 069 Function Name: NtCreatePrivateNamespace
Status: Not hooked

#: 070 Function Name: NtCreatePagingFile
Status: Not hooked

#: 071 Function Name: NtCreatePort
Status: Not hooked

#: 072 Function Name: NtCreateProcess
Status: Not hooked

#: 073 Function Name: NtCreateProcessEx
Status: Not hooked

#: 074 Function Name: NtCreateProfile
Status: Not hooked

#: 075 Function Name: NtCreateSection
Status: Not hooked

#: 076 Function Name: NtCreateSemaphore
Status: Not hooked

#: 077 Function Name: NtCreateSymbolicLinkObject
Status: Not hooked

#: 078 Function Name: NtCreateThread
Status: Not hooked

#: 079 Function Name: NtCreateTimer
Status: Not hooked

#: 080 Function Name: NtCreateToken
Status: Not hooked

#: 081 Function Name: NtCreateTransaction
Status: Not hooked

#: 082 Function Name: NtOpenTransaction
Status: Not hooked

#: 083 Function Name: NtQueryInformationTransaction
Status: Not hooked

#: 084 Function Name: NtQueryInformationTransactionManager
Status: Not hooked

#: 085 Function Name: NtPrePrepareEnlistment
Status: Not hooked

#: 086 Function Name: NtPrepareEnlistment
Status: Not hooked

#: 087 Function Name: NtCommitEnlistment
Status: Not hooked

#: 088 Function Name: NtReadOnlyEnlistment
Status: Not hooked

#: 089 Function Name: NtRollbackComplete
Status: Not hooked

#: 090 Function Name: NtRollbackEnlistment
Status: Not hooked

#: 091 Function Name: NtCommitTransaction
Status: Not hooked

#: 092 Function Name: NtRollbackTransaction
Status: Not hooked

#: 093 Function Name: NtPrePrepareComplete
Status: Not hooked

#: 094 Function Name: NtPrepareComplete
Status: Not hooked

#: 095 Function Name: NtCommitComplete
Status: Not hooked

#: 096 Function Name: NtSinglePhaseReject
Status: Not hooked

#: 097 Function Name: NtSetInformationTransaction
Status: Not hooked

#: 098 Function Name: NtSetInformationTransactionManager
Status: Not hooked

#: 099 Function Name: NtSetInformationResourceManager
Status: Not hooked

#: 100 Function Name: NtCreateTransactionManager
Status: Not hooked

#: 101 Function Name: NtOpenTransactionManager
Status: Not hooked

#: 102 Function Name: NtRenameTransactionManager
Status: Not hooked

#: 103 Function Name: NtRollforwardTransactionManager
Status: Not hooked

#: 104 Function Name: NtRecoverEnlistment
Status: Not hooked

#: 105 Function Name: NtRecoverResourceManager
Status: Not hooked

#: 106 Function Name: NtRecoverTransactionManager
Status: Not hooked

#: 107 Function Name: NtCreateResourceManager
Status: Not hooked

#: 108 Function Name: NtOpenResourceManager
Status: Not hooked

#: 109 Function Name: NtGetNotificationResourceManager
Status: Not hooked

#: 110 Function Name: NtQueryInformationResourceManager
Status: Not hooked

#: 111 Function Name: NtCreateEnlistment
Status: Not hooked

#: 112 Function Name: NtOpenEnlistment
Status: Not hooked

#: 113 Function Name: NtSetInformationEnlistment
Status: Not hooked

#: 114 Function Name: NtQueryInformationEnlistment
Status: Not hooked

#: 115 Function Name: NtCreateWaitablePort
Status: Not hooked

#: 116 Function Name: NtDebugActiveProcess
Status: Not hooked

#: 117 Function Name: NtDebugContinue
Status: Not hooked

#: 118 Function Name: NtDelayExecution
Status: Not hooked

#: 119 Function Name: NtDeleteAtom
Status: Not hooked

#: 120 Function Name: NtDeleteBootEntry
Status: Not hooked

#: 121 Function Name: NtDeleteDriverEntry
Status: Not hooked

#: 122 Function Name: NtDeleteFile
Status: Not hooked

#: 123 Function Name: NtDeleteKey
Status: Not hooked

#: 124 Function Name: NtDeletePrivateNamespace
Status: Not hooked

#: 125 Function Name: NtDeleteObjectAuditAlarm
Status: Not hooked

#: 126 Function Name: NtDeleteValueKey
Status: Not hooked

#: 127 Function Name: NtDeviceIoControlFile
Status: Not hooked

#: 128 Function Name: NtDisplayString
Status: Not hooked

#: 129 Function Name: NtDuplicateObject
Status: Not hooked

#: 130 Function Name: NtDuplicateToken
Status: Not hooked

#: 131 Function Name: NtEnumerateBootEntries
Status: Not hooked

#: 132 Function Name: NtEnumerateDriverEntries
Status: Not hooked

#: 133 Function Name: NtEnumerateKey
Status: Not hooked

#: 134 Function Name: NtEnumerateSystemEnvironmentValuesEx
Status: Not hooked

#: 135 Function Name: NtEnumerateTransactionObject
Status: Not hooked

#: 136 Function Name: NtEnumerateValueKey
Status: Not hooked

#: 137 Function Name: NtExtendSection
Status: Not hooked

#: 138 Function Name: NtFilterToken
Status: Not hooked

#: 139 Function Name: NtFindAtom
Status: Not hooked

#: 140 Function Name: NtFlushBuffersFile
Status: Not hooked

#: 141 Function Name: NtFlushInstructionCache
Status: Not hooked

#: 142 Function Name: NtFlushKey
Status: Not hooked

#: 143 Function Name: NtFlushProcessWriteBuffers
Status: Not hooked

#: 144 Function Name: NtFlushVirtualMemory
Status: Not hooked

#: 145 Function Name: NtFlushWriteBuffer
Status: Not hooked

#: 146 Function Name: NtFreeUserPhysicalPages
Status: Not hooked

#: 147 Function Name: NtFreeVirtualMemory
Status: Not hooked

#: 148 Function Name: NtFreezeRegistry
Status: Not hooked

#: 149 Function Name: NtFreezeTransactions
Status: Not hooked

#: 150 Function Name: NtFsControlFile
Status: Not hooked

#: 151 Function Name: NtGetContextThread
Status: Not hooked

#: 152 Function Name: NtGetDevicePowerState
Status: Not hooked

#: 153 Function Name: NtGetNlsSectionPtr
Status: Not hooked

#: 154 Function Name: NtGetPlugPlayEvent
Status: Not hooked

#: 155 Function Name: NtGetWriteWatch
Status: Not hooked

#: 156 Function Name: NtImpersonateAnonymousToken
Status: Not hooked

#: 157 Function Name: NtImpersonateClientOfPort
Status: Not hooked

#: 158 Function Name: NtImpersonateThread
Status: Not hooked

#: 159 Function Name: NtInitializeNlsFiles
Status: Not hooked

#: 160 Function Name: NtInitializeRegistry
Status: Not hooked

#: 161 Function Name: NtInitiatePowerAction
Status: Not hooked

#: 162 Function Name: NtIsProcessInJob
Status: Not hooked

#: 163 Function Name: NtIsSystemResumeAutomatic
Status: Not hooked

#: 164 Function Name: NtListenPort
Status: Not hooked

#: 165 Function Name: NtLoadDriver
Status: Not hooked

#: 166 Function Name: NtLoadKey
Status: Not hooked

#: 167 Function Name: NtLoadKey2
Status: Not hooked

#: 168 Function Name: NtLoadKeyEx
Status: Not hooked

#: 169 Function Name: NtLockFile
Status: Not hooked

#: 170 Function Name: NtLockProductActivationKeys
Status: Not hooked

#: 171 Function Name: NtLockRegistryKey
Status: Not hooked

#: 172 Function Name: NtLockVirtualMemory
Status: Not hooked

#: 173 Function Name: NtMakePermanentObject
Status: Not hooked

#: 174 Function Name: NtMakeTemporaryObject
Status: Not hooked

#: 175 Function Name: NtMapUserPhysicalPages
Status: Not hooked

#: 176 Function Name: NtMapUserPhysicalPagesScatter
Status: Not hooked

#: 177 Function Name: NtMapViewOfSection
Status: Not hooked

#: 178 Function Name: NtModifyBootEntry
Status: Not hooked

#: 179 Function Name: NtModifyDriverEntry
Status: Not hooked

#: 180 Function Name: NtNotifyChangeDirectoryFile
Status: Not hooked

#: 181 Function Name: NtNotifyChangeKey
Status: Not hooked

#: 182 Function Name: NtNotifyChangeMultipleKeys
Status: Not hooked

#: 183 Function Name: NtOpenDirectoryObject
Status: Not hooked

#: 184 Function Name: NtOpenEvent
Status: Not hooked

#: 185 Function Name: NtOpenEventPair
Status: Not hooked

#: 186 Function Name: NtOpenFile
Status: Not hooked

#: 187 Function Name: NtOpenIoCompletion
Status: Not hooked

#: 188 Function Name: NtOpenJobObject
Status: Not hooked

#: 189 Function Name: NtOpenKey
Status: Not hooked

#: 190 Function Name: NtOpenKeyTransacted
Status: Not hooked

#: 191 Function Name: NtOpenMutant
Status: Not hooked

#: 192 Function Name: NtOpenPrivateNamespace
Status: Not hooked

#: 193 Function Name: NtOpenObjectAuditAlarm
Status: Not hooked

#: 194 Function Name: NtOpenProcess
Status: Not hooked

#: 195 Function Name: NtOpenProcessToken
Status: Not hooked

#: 196 Function Name: NtOpenProcessTokenEx
Status: Not hooked

#: 197 Function Name: NtOpenSection
Status: Not hooked

#: 198 Function Name: NtOpenSemaphore
Status: Not hooked

#: 199 Function Name: NtOpenSession
Status: Not hooked

#: 200 Function Name: NtOpenSymbolicLinkObject
Status: Not hooked

#: 201 Function Name: NtOpenThread
Status: Not hooked

#: 202 Function Name: NtOpenThreadToken
Status: Not hooked

#: 203 Function Name: NtOpenThreadTokenEx
Status: Not hooked

#: 204 Function Name: NtOpenTimer
Status: Not hooked

#: 205 Function Name: NtPlugPlayControl
Status: Not hooked

#: 206 Function Name: NtPowerInformation
Status: Not hooked

#: 207 Function Name: NtPrivilegeCheck
Status: Not hooked

#: 208 Function Name: NtPrivilegeObjectAuditAlarm
Status: Not hooked

#: 209 Function Name: NtPrivilegedServiceAuditAlarm
Status: Not hooked

#: 210 Function Name: NtProtectVirtualMemory
Status: Not hooked

#: 211 Function Name: NtPulseEvent
Status: Not hooked

#: 212 Function Name: NtQueryAttributesFile
Status: Not hooked

#: 213 Function Name: NtQueryBootEntryOrder
Status: Not hooked

#: 214 Function Name: NtQueryBootOptions
Status: Not hooked

#: 215 Function Name: NtQueryDebugFilterState
Status: Not hooked

#: 216 Function Name: NtQueryDefaultLocale
Status: Not hooked

#: 217 Function Name: NtQueryDefaultUILanguage
Status: Not hooked

#: 218 Function Name: NtQueryDirectoryFile
Status: Not hooked

#: 219 Function Name: NtQueryDirectoryObject
Status: Not hooked

#: 220 Function Name: NtQueryDriverEntryOrder
Status: Not hooked

#: 221 Function Name: NtQueryEaFile
Status: Not hooked

#: 222 Function Name: NtQueryEvent
Status: Not hooked

#: 223 Function Name: NtQueryFullAttributesFile
Status: Not hooked

#: 224 Function Name: NtQueryInformationAtom
Status: Not hooked

#: 225 Function Name: NtQueryInformationFile
Status: Not hooked

#: 226 Function Name: NtQueryInformationJobObject
Status: Not hooked

#: 227 Function Name: NtQueryInformationPort
Status: Not hooked

#: 228 Function Name: NtQueryInformationProcess
Status: Not hooked

#: 229 Function Name: NtQueryInformationThread
Status: Not hooked

#: 230 Function Name: NtQueryInformationToken
Status: Not hooked

#: 231 Function Name: NtQueryInstallUILanguage
Status: Not hooked

#: 232 Function Name: NtQueryIntervalProfile
Status: Not hooked

#: 233 Function Name: NtQueryIoCompletion
Status: Not hooked

#: 234 Function Name: NtQueryKey
Status: Not hooked

#: 235 Function Name: NtQueryMultipleValueKey
Status: Not hooked

#: 236 Function Name: NtQueryMutant
Status: Not hooked

#: 237 Function Name: NtQueryObject
Status: Not hooked

#: 238 Function Name: NtQueryOpenSubKeys
Status: Not hooked

#: 239 Function Name: NtQueryOpenSubKeysEx
Status: Not hooked

#: 240 Function Name: NtQueryPerformanceCounter
Status: Not hooked

#: 241 Function Name: NtQueryQuotaInformationFile
Status: Not hooked

#: 242 Function Name: NtQuerySection
Status: Not hooked

#: 243 Function Name: NtQuerySecurityObject
Status: Not hooked

#: 244 Function Name: NtQuerySemaphore
Status: Not hooked

#: 245 Function Name: NtQuerySymbolicLinkObject
Status: Not hooked

#: 246 Function Name: NtQuerySystemEnvironmentValue
Status: Not hooked

#: 247 Function Name: NtQuerySystemEnvironmentValueEx
Status: Not hooked

#: 248 Function Name: NtQuerySystemInformation
Status: Not hooked

#: 249 Function Name: NtQuerySystemTime
Status: Not hooked

#: 250 Function Name: NtQueryTimer
Status: Not hooked

#: 251 Function Name: NtQueryTimerResolution
Status: Not hooked

#: 252 Function Name: NtQueryValueKey
Status: Not hooked

#: 253 Function Name: NtQueryVirtualMemory
Status: Not hooked

#: 254 Function Name: NtQueryVolumeInformationFile
Status: Not hooked

#: 255 Function Name: NtQueueApcThread
Status: Not hooked

#: 256 Function Name: NtRaiseException
Status: Not hooked

#: 257 Function Name: NtRaiseHardError
Status: Not hooked

#: 258 Function Name: NtReadFile
Status: Not hooked

#: 259 Function Name: NtReadFileScatter
Status: Not hooked

#: 260 Function Name: NtReadRequestData
Status: Not hooked

#: 261 Function Name: NtReadVirtualMemory
Status: Not hooked

#: 262 Function Name: NtRegisterThreadTerminatePort
Status: Not hooked

#: 263 Function Name: NtReleaseMutant
Status: Not hooked

#: 264 Function Name: NtReleaseSemaphore
Status: Not hooked

#: 265 Function Name: NtRemoveIoCompletion
Status: Not hooked

#: 266 Function Name: NtRemoveProcessDebug
Status: Not hooked

#: 267 Function Name: NtRenameKey
Status: Not hooked

#: 268 Function Name: NtReplaceKey
Status: Not hooked

#: 269 Function Name: NtReplacePartitionUnit
Status: Not hooked

#: 270 Function Name: NtReplyPort
Status: Not hooked

#: 271 Function Name: NtReplyWaitReceivePort
Status: Not hooked

#: 272 Function Name: NtReplyWaitReceivePortEx
Status: Not hooked

#: 273 Function Name: NtReplyWaitReplyPort
Status: Not hooked

#: 274 Function Name: NtRequestDeviceWakeup
Status: Not hooked

#: 275 Function Name: NtRequestPort
Status: Not hooked

#: 276 Function Name: NtRequestWaitReplyPort
Status: Not hooked

#: 277 Function Name: NtRequestWakeupLatency
Status: Not hooked

#: 278 Function Name: NtResetEvent
Status: Not hooked

#: 279 Function Name: NtResetWriteWatch
Status: Not hooked

#: 280 Function Name: NtRestoreKey
Status: Not hooked

#: 281 Function Name: NtResumeProcess
Status: Not hooked

#: 282 Function Name: NtResumeThread
Status: Not hooked

#: 283 Function Name: NtSaveKey
Status: Not hooked

#: 284 Function Name: NtSaveKeyEx
Status: Not hooked

#: 285 Function Name: NtSaveMergedKeys
Status: Not hooked

#: 286 Function Name: NtSecureConnectPort
Status: Not hooked

#: 287 Function Name: NtSetBootEntryOrder
Status: Not hooked

#: 288 Function Name: NtSetBootOptions
Status: Not hooked

#: 289 Function Name: NtSetContextThread
Status: Not hooked

#: 290 Function Name: NtSetDebugFilterState
Status: Not hooked

#: 291 Function Name: NtSetDefaultHardErrorPort
Status: Not hooked

#: 292 Function Name: NtSetDefaultLocale
Status: Not hooked

#: 293 Function Name: NtSetDefaultUILanguage
Status: Not hooked

#: 294 Function Name: NtSetDriverEntryOrder
Status: Not hooked

#: 295 Function Name: NtSetEaFile
Status: Not hooked

#: 296 Function Name: NtSetEvent
Status: Not hooked

#: 297 Function Name: NtSetEventBoostPriority
Status: Not hooked

#: 298 Function Name: NtSetHighEventPair
Status: Not hooked

#: 299 Function Name: NtSetHighWaitLowEventPair
Status: Not hooked

#: 300 Function Name: NtSetInformationDebugObject
Status: Not hooked

#: 301 Function Name: NtSetInformationFile
Status: Not hooked

#: 302 Function Name: NtSetInformationJobObject
Status: Not hooked

#: 303 Function Name: NtSetInformationKey
Status: Not hooked

#: 304 Function Name: NtSetInformationObject
Status: Not hooked

#: 305 Function Name: NtSetInformationProcess
Status: Not hooked

#: 306 Function Name: NtSetInformationThread
Status: Not hooked

#: 307 Function Name: NtSetInformationToken
Status: Not hooked

#: 308 Function Name: NtSetIntervalProfile
Status: Not hooked

#: 309 Function Name: NtSetIoCompletion
Status: Not hooked

#: 310 Function Name: NtSetLdtEntries
Status: Not hooked

#: 311 Function Name: NtSetLowEventPair
Status: Not hooked

#: 312 Function Name: NtSetLowWaitHighEventPair
Status: Not hooked

#: 313 Function Name: NtSetQuotaInformationFile
Status: Not hooked

#: 314 Function Name: NtSetSecurityObject
Status: Not hooked

#: 315 Function Name: NtSetSystemEnvironmentValue
Status: Not hooked

#: 316 Function Name: NtSetSystemEnvironmentValueEx
Status: Not hooked

#: 317 Function Name: NtSetSystemInformation
Status: Not hooked

#: 318 Function Name: NtSetSystemPowerState
Status: Not hooked

#: 319 Function Name: NtSetSystemTime
Status: Not hooked

#: 320 Function Name: NtSetThreadExecutionState
Status: Not hooked

#: 321 Function Name: NtSetTimer
Status: Not hooked

#: 322 Function Name: NtSetTimerResolution
Status: Not hooked

#: 323 Function Name: NtSetUuidSeed
Status: Not hooked

#: 324 Function Name: NtSetValueKey
Status: Not hooked

#: 325 Function Name: NtSetVolumeInformationFile
Status: Not hooked

#: 326 Function Name: NtShutdownSystem
Status: Not hooked

#: 327 Function Name: NtSignalAndWaitForSingleObject
Status: Not hooked

#: 328 Function Name: NtStartProfile
Status: Not hooked

#: 329 Function Name: NtStopProfile
Status: Not hooked

#: 330 Function Name: NtSuspendProcess
Status: Not hooked

#: 331 Function Name: NtSuspendThread
Status: Not hooked

#: 332 Function Name: NtSystemDebugControl
Status: Not hooked

#: 333 Function Name: NtTerminateJobObject
Status: Not hooked

#: 334 Function Name: NtTerminateProcess
Status: Not hooked

#: 335 Function Name: NtTerminateThread
Status: Not hooked

#: 336 Function Name: NtTestAlert
Status: Not hooked

#: 337 Function Name: NtThawRegistry
Status: Not hooked

#: 338 Function Name: NtThawTransactions
Status: Not hooked

#: 339 Function Name: NtTraceEvent
Status: Not hooked

#: 340 Function Name: NtTraceControl
Status: Not hooked

#: 341 Function Name: NtTranslateFilePath
Status: Not hooked

#: 342 Function Name: NtUnloadDriver
Status: Not hooked

#: 343 Function Name: NtUnloadKey
Status: Not hooked

#: 344 Function Name: NtUnloadKey2
Status: Not hooked

#: 345 Function Name: NtUnloadKeyEx
Status: Not hooked

#: 346 Function Name: NtUnlockFile
Status: Not hooked

#: 347 Function Name: NtUnlockVirtualMemory
Status: Not hooked

#: 348 Function Name: NtUnmapViewOfSection
Status: Not hooked

#: 349 Function Name: NtVdmControl
Status: Not hooked

#: 350 Function Name: NtWaitForDebugEvent
Status: Not hooked

#: 351 Function Name: NtWaitForMultipleObjects
Status: Not hooked

#: 352 Function Name: NtWaitForSingleObject
Status: Not hooked

#: 353 Function Name: NtWaitHighEventPair
Status: Not hooked

#: 354 Function Name: NtWaitLowEventPair
Status: Not hooked

#: 355 Function Name: NtWriteFile
Status: Not hooked

#: 356 Function Name: NtWriteFileGather
Status: Not hooked

#: 357 Function Name: NtWriteRequestData
Status: Not hooked

#: 358 Function Name: NtWriteVirtualMemory
Status: Not hooked

#: 359 Function Name: NtYieldExecution
Status: Not hooked

#: 360 Function Name: NtCreateKeyedEvent
Status: Not hooked

#: 361 Function Name: NtOpenKeyedEvent
Status: Not hooked

#: 362 Function Name: NtReleaseKeyedEvent
Status: Not hooked

#: 363 Function Name: NtWaitForKeyedEvent
Status: Not hooked

#: 364 Function Name: NtQueryPortInformationProcess
Status: Not hooked

#: 365 Function Name: NtGetCurrentProcessorNumber
Status: Not hooked

#: 366 Function Name: NtWaitForMultipleObjects32
Status: Not hooked

#: 367 Function Name: NtGetNextProcess
Status: Not hooked

#: 368 Function Name: NtGetNextThread
Status: Not hooked

#: 369 Function Name: NtCancelIoFileEx
Status: Not hooked

#: 370 Function Name: NtCancelSynchronousIoFile
Status: Not hooked

#: 371 Function Name: NtRemoveIoCompletionEx
Status: Not hooked

#: 372 Function Name: NtRegisterProtocolAddressInformation
Status: Not hooked

#: 373 Function Name: NtPropagationComplete
Status: Not hooked

#: 374 Function Name: NtPropagationFailed
Status: Not hooked

#: 375 Function Name: NtCreateWorkerFactory
Status: Not hooked

#: 376 Function Name: NtReleaseWorkerFactoryWorker
Status: Not hooked

#: 377 Function Name: NtWaitForWorkViaWorkerFactory
Status: Not hooked

#: 378 Function Name: NtSetInformationWorkerFactory
Status: Not hooked

#: 379 Function Name: NtQueryInformationWorkerFactory
Status: Not hooked

#: 380 Function Name: NtWorkerFactoryWorkerReady
Status: Not hooked

#: 381 Function Name: NtShutdownWorkerFactory
Status: Not hooked

#: 382 Function Name: NtCreateThreadEx
Status: Not hooked

#: 383 Function Name: NtCreateUserProcess
Status: Not hooked

#: 384 Function Name: NtQueryLicenseValue
Status: Not hooked

#: 385 Function Name: NtMapCMFModule
Status: Not hooked

#: 386 Function Name: NtIsUILanguageComitted
Status: Not hooked

#: 387 Function Name: NtFlushInstallUILanguage
Status: Not hooked

#: 388 Function Name: NtGetMUIRegistryInfo
Status: Not hooked

#: 389 Function Name: NtAcquireCMFViewOwnership
Status: Not hooked

#: 390 Function Name: NtReleaseCMFViewOwnership
Status: Not hooked

For the hidden services:

ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2009/10/04 20:00
Program Version: Version 1.3.5.0
Windows Version: Windows Vista SP2
==================================================

Hidden Services
-------------------

ken545
2009-10-05, 03:35
Hi,

Your infected with a nasty Rootkit ++max

This is difficult to remove but can be done, we will do it one step at a time as to not overwhelm you.

Your going to download this program to your desktop, and after you run it leave it there.

Download and run Win32kDiag:
Download Win32kDiag from any of the following locations and save it to your Desktop.
Download Win32kDiag (Win32kDiag.exe) - #1 (http://ad13.geekstogo.com/Win32kDiag.exe)
Download Win32kDiag (Win32kDiag.exe) - #2 (http://download.bleepingcomputer.com/rootrepeal/Win32kDiag.exe)
Download Win32kDiag (Win32kDiag.exe) - #3 (http://rootrepeal.psikotick.com/Win32kDiag.exe)

Double-click Win32kDiag.exe to run Win32kDiag and let it finish.
When it states "Finished! Press any key to exit...", press any key on your keyboard to close the program.
Double-click on the Win32kDiag.txt file that is located on your Desktop and post the entire contents of that log as a reply to this topic.

usufructs
2009-10-05, 03:45
The program did not give the option to press any key to close the program, but it did produce the win32diag.txt file.

Running from: C:\Users\My Computer\Desktop\Win32kDiag.exe

Log file at : C:\Users\My Computer\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\Windows'...



Found mount point : C:\Windows\AppPatch\Custom\Custom

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.GpmgmtLib\2.0.0.0__31bf3856ad364e35\2.0.0.0__31bf3856ad364e35

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.Private.GpmgmtpLib\2.0.0.0__31bf3856ad364e35\2.0.0.0__31bf3856ad364e35

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\GAC_MSIL\Microsoft.GroupPolicy.GPOAdminGrid\2.0.0.0__31bf3856ad364e35\2.0.0.0__31bf3856ad364e35

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP3255.tmp\ZAP3255.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP862F.tmp\ZAP862F.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD6AF.tmp\ZAPD6AF.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPE4F1.tmp\ZAPE4F1.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPF42D.tmp\ZAPF42D.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Cannot access: C:\Windows\bthservsdp.dat

[1] 2009-10-04 20:35:01 12 C:\Windows\bthservsdp.dat ()

ken545
2009-10-05, 11:42
Next step

Click Start>Run and type the following bolded text into the Run box and click OK:

"%userprofile%\desktop\win32kdiag.exe" -f -r

When it has finished, post the log it produces.

usufructs
2009-10-05, 14:39
Here it is (from the win32kdiag.txt file):

Running from: C:\Users\My Computer\Desktop\win32kdiag.exe

Log file at : C:\Users\My Computer\Desktop\Win32kDiag.txt

Removing all found mount points.

Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'C:\Windows'...



Found mount point : C:\Windows\AppPatch\Custom\Custom

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\AppPatch\Custom\Custom

Found mount point : C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.GpmgmtLib\2.0.0.0__31bf3856ad364e35\2.0.0.0__31bf3856ad364e35

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.GpmgmtLib\2.0.0.0__31bf3856ad364e35\2.0.0.0__31bf3856ad364e35

Found mount point : C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.Private.GpmgmtpLib\2.0.0.0__31bf3856ad364e35\2.0.0.0__31bf3856ad364e35

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.Private.GpmgmtpLib\2.0.0.0__31bf3856ad364e35\2.0.0.0__31bf3856ad364e35

Found mount point : C:\Windows\assembly\GAC_MSIL\Microsoft.GroupPolicy.GPOAdminGrid\2.0.0.0__31bf3856ad364e35\2.0.0.0__31bf3856ad364e35

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\assembly\GAC_MSIL\Microsoft.GroupPolicy.GPOAdminGrid\2.0.0.0__31bf3856ad364e35\2.0.0.0__31bf3856ad364e35

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP3255.tmp\ZAP3255.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP3255.tmp\ZAP3255.tmp

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP862F.tmp\ZAP862F.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP862F.tmp\ZAP862F.tmp

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD6AF.tmp\ZAPD6AF.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD6AF.tmp\ZAPD6AF.tmp

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPE4F1.tmp\ZAPE4F1.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPE4F1.tmp\ZAPE4F1.tmp

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPF42D.tmp\ZAPF42D.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPF42D.tmp\ZAPF42D.tmp

Found mount point : C:\Windows\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\assembly\temp\temp

Found mount point : C:\Windows\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\assembly\tmp\tmp

Cannot access: C:\Windows\bthservsdp.dat

Attempting to restore permissions of : C:\Windows\bthservsdp.dat

Found mount point : C:\Windows\CSC\v2.0.6\namespace\namespace

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\CSC\v2.0.6\namespace\namespace

Cannot access: C:\Windows\CSC\v2.0.6\pq

Attempting to restore permissions of : C:\Windows\CSC\v2.0.6\pq

Cannot access: C:\Windows\CSC\v2.0.6\temp\ea-{b4f895a1-a1b7-11dd-aa63-c12232bcde07}

Attempting to restore permissions of : C:\Windows\CSC\v2.0.6\temp\ea-{b4f895a1-a1b7-11dd-aa63-c12232bcde07}

Found mount point : C:\Windows\ftpcache\ftpcache

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ftpcache\ftpcache

Found mount point : C:\Windows\Globalization\Globalization

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\Globalization\Globalization

Found mount point : C:\Windows\Help\Corporate\Corporate

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\Help\Corporate\Corporate

Found mount point : C:\Windows\Installer\$PatchCache$\Managed\00002105501100000000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\Installer\$PatchCache$\Managed\00002105501100000000000000F01FEC\12.0.4518\12.0.4518

Found mount point : C:\Windows\Installer\$PatchCache$\Managed\90404A0900063D11C8EF10054038389C\11.0.8173\11.0.8173

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\Installer\$PatchCache$\Managed\90404A0900063D11C8EF10054038389C\11.0.8173\11.0.8173

Found mount point : C:\Windows\Installer\$PatchCache$\Managed\D7314F9862C648A4DB8BE2A5B47BE100\1.0.0\1.0.0

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\Installer\$PatchCache$\Managed\D7314F9862C648A4DB8BE2A5B47BE100\1.0.0\1.0.0

Found mount point : C:\Windows\LiveKernelReports\LiveKernelReports

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\LiveKernelReports\LiveKernelReports

Found mount point : C:\Windows\Microsoft.NET\authman\authman

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\Microsoft.NET\authman\authman

Found mount point : C:\Windows\ModemLogs\ModemLogs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ModemLogs\ModemLogs

Found mount point : C:\Windows\nap\configuration\configuration

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\nap\configuration\configuration

Found mount point : C:\Windows\Panther\setup.exe\setup.exe

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\Panther\setup.exe\setup.exe

Found mount point : C:\Windows\PCHEALTH\ERRORREP\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\PCHEALTH\ERRORREP\QHEADLES\QHEADLES

Found mount point : C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\QSIGNOFF

Found mount point : C:\Windows\PIF\PIF

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\PIF\PIF

Found mount point : C:\Windows\PLA\Templates\Templates

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\PLA\Templates\Templates

Found mount point : C:\Windows\registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\registration\CRMLog\CRMLog

Found mount point : C:\Windows\SchCache\SchCache

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\SchCache\SchCache

Found mount point : C:\Windows\security\templates\templates

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\security\templates\templates

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\GameExplorer\GameExplorer

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\GameExplorer\GameExplorer

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Temporary Internet Files

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Temporary Internet Files

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\Tfs_DAV\Tfs_DAV

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\Tfs_DAV\Tfs_DAV

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Quick Launch

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Quick Launch

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\Description Documents\Description Documents

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\Description Documents\Description Documents

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\Cookies

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\Cookies

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Network Shortcuts\Network Shortcuts

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Network Shortcuts\Network Shortcuts

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\Printer Shortcuts

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\Printer Shortcuts

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Recent\Recent

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Recent\Recent

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Templates\Templates

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Templates\Templates

Found mount point : C:\Windows\ServiceProfiles\LocalService\Desktop\Desktop

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\Desktop\Desktop

Found mount point : C:\Windows\ServiceProfiles\LocalService\Documents\Documents

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\Documents\Documents

Found mount point : C:\Windows\ServiceProfiles\LocalService\Downloads\Downloads

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\Downloads\Downloads

Found mount point : C:\Windows\ServiceProfiles\LocalService\Favorites\Favorites

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\Favorites\Favorites

Found mount point : C:\Windows\ServiceProfiles\LocalService\Links\Links

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\Links\Links

Found mount point : C:\Windows\ServiceProfiles\LocalService\Music\Music

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\Music\Music

Found mount point : C:\Windows\ServiceProfiles\LocalService\Pictures\Pictures

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\Pictures\Pictures

Found mount point : C:\Windows\ServiceProfiles\LocalService\Saved Games\Saved Games

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\Saved Games\Saved Games

Found mount point : C:\Windows\ServiceProfiles\LocalService\Videos\Videos

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\Videos\Videos

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\GameExplorer\GameExplorer

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\GameExplorer\GameExplorer

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows Media Player NSS\3.0\SCPD\SCPD

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows Media Player NSS\3.0\SCPD\SCPD

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Crypto\Keys\Keys

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Crypto\Keys\Keys

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Quick Launch

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Quick Launch

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\Certificates

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\Certificates

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\CRLs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\CRLs

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\CTLs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\CTLs

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Network Shortcuts\Network Shortcuts

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Network Shortcuts\Network Shortcuts

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\Printer Shortcuts

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\Printer Shortcuts

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Recent\Recent

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Recent\Recent

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Templates\Templates

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Templates\Templates

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Desktop\Desktop

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\Desktop\Desktop

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Documents\Documents

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\Documents\Documents

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Downloads\Downloads

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\Downloads\Downloads

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Favorites\Favorites

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\Favorites\Favorites

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Links\Links

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\Links\Links

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Music\Music

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\Music\Music

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Pictures\Pictures

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\Pictures\Pictures

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Saved Games\Saved Games

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\Saved Games\Saved Games

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Videos\Videos

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\Videos\Videos

Found mount point : C:\Windows\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Found mount point : C:\Windows\SoftwareDistribution\PostRebootEventCache\PostRebootEventCache

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\SoftwareDistribution\PostRebootEventCache\PostRebootEventCache

Found mount point : C:\Windows\SoftwareDistribution\ScanFile\ScanFile

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\SoftwareDistribution\ScanFile\ScanFile

Found mount point : C:\Windows\SQL9_KB948109_ENU\hotfixas\files\files

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\SQL9_KB948109_ENU\hotfixas\files\files

Found mount point : C:\Windows\SQL9_KB948109_ENU\hotfixdts\files\files

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\SQL9_KB948109_ENU\hotfixdts\files\files

Found mount point : C:\Windows\SQL9_KB948109_ENU\hotfixns\files\files

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\SQL9_KB948109_ENU\hotfixns\files\files

Found mount point : C:\Windows\SQL9_KB948109_ENU\hotfixrs\files\files

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\SQL9_KB948109_ENU\hotfixrs\files\files

Found mount point : C:\Windows\SQL9_KB948109_ENU\hotfixsql\files\files

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\SQL9_KB948109_ENU\hotfixsql\files\files

Found mount point : C:\Windows\SQL9_KB948109_ENU\hotfixtools\files\files

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\SQL9_KB948109_ENU\hotfixtools\files\files

Found mount point : C:\Windows\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\Sun\Java\Deployment\Deployment

Cannot access: C:\Windows\System32\cngaudit.dll

Attempting to restore permissions of : C:\Windows\System32\cngaudit.dll

[2] 2006-11-02 05:46:03 11776 C:\Windows\System32\cngaudit(51).dll (Microsoft Corporation)

[1] 2006-11-02 05:46:03 61952 C:\Windows\System32\cngaudit.dll ()

ken545
2009-10-05, 14:42
Hi,

What we're doing is chipping away at this Rootkit so that we can get the tool that will remove this to work.

Run this program, wont take but a minute

Please download exeHelper (http://www.raktor.net/exeHelper/exeHelper.com) to your desktop.

Double-click on exeHelper.com to run the fix.
A black window should pop up, press any key to close once the fix is completed.
Post the contents of log.txt (Will be created in the directory where you ran exeHelper.com)
Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).

usufructs
2009-10-05, 15:27
No "error deleting file" message. Here is the log:

exeHelper by Raktor - 09
Build 20090925
Run at 08:26:43 on 10/05/09
Now searching...
Checking for numerical processes...
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--

ken545
2009-10-05, 15:45
Ok, now we are going to run Combofix, be sure to follow the instructions for disabling all AV and for renaming it.


Its important that you follow these instructions and rename Combofix as this Rootkit infection will stop it from running if its not renamed.

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)

http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_FF.gif


http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_rename.gif

* IMPORTANT !!! Save ComboFix.exe to your Desktop


Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
See this Link (http://www.bleepingcomputer.com/forums/topic114351.html) for programs that need to be disabled and instruction on how to disable them.
Remember to re-enable them when we're done.


Double click on ComboFix.exe & follow the prompts.


As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.


Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.



http://i24.photobucket.com/albums/c30/ken545/RcAuto1.gif


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://i24.photobucket.com/albums/c30/ken545/whatnext.jpg

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a New Hijackthis log.

*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.

usufructs
2009-10-06, 02:55
Back from work...

Combofix says that I have avast running, but it is not running in the system tray, or the Task Manager (processes tab), or under msconfig (services tab - it says "stopped"). I also can't uninstall the program - I think the malware is preventing me from doing this.

Should I go ahead with combofix?

usufructs
2009-10-06, 03:34
Update: I hit the "X" button in the upper right corner of the Combofix box to get out of the program, but it went through with it anyway. Combofix detected rootkit activity and said it had to reboot. Then, upon the reboot, it started to scan, then it said it need to reboot again. It did this about 10 times until I finally broke the cycle.

Not sure what is going on here....

ken545
2009-10-06, 04:02
Try running Combofix in Safemode.

To Enter Safemode

Go to Start> Shut off your Computer> Restart
As the computer starts to boot-up, Tap the F8 KEY somewhat rapidly,
this will bring up a menu.
Use the Up and Down Arrow Keys to scroll up to Safemode with Networking
Then press the Enter Key on your Keyboard

Tutorial if you need it How to boot into Safemode (http://www.bleepingcomputer.com/tutorials/tutorial61.html)

usufructs
2009-10-06, 05:17
Safe Mode worked. Here's the combofix report:

ComboFix 09-10-04.01 - My Computer 10/05/2009 22:00.1.2 - NTFSx86 MINIMAL
Running from: c:\users\My Computer\Desktop\Combo-Fix.exe
AV: avast! antivirus 4.8.1229 [VPS 081107-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
SP: avast! antivirus 4.8.1229 [VPS 081107-0] *enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-1453019077-152149087-715725611-1003
c:\$recycle.bin\S-1-5-21-1453019077-152149087-715725611-500
Q:\AUTORUN.INF
S:\Autorun.inf

Infected copy of c:\windows\system32\cngaudit.dll was found and disinfected
Restored copy from - c:\windows\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.0.6000.16386_none_e62d292932a96ce6\cngaudit.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}


((((((((((((((((((((((((( Files Created from 2009-09-06 to 2009-10-06 )))))))))))))))))))))))))))))))
.

2009-10-06 02:05 . 2009-10-06 02:05 -------- d-----w- c:\users\My Computer\AppData\Local\temp
2009-10-06 02:05 . 2009-10-06 02:05 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-10-05 23:48 . 2009-10-05 23:49 -------- d-----w- C:\32788R22FWJFW.1.tmp
2009-10-04 23:02 . 2009-10-04 23:02 -------- d-----w- c:\users\My Computer\DoctorWeb
2009-10-04 21:00 . 2009-10-04 21:00 -------- d-----w- c:\program files\Trend Micro
2009-10-04 21:00 . 2009-10-05 23:34 -------- d--h--w- c:\windows\PIF
2009-10-04 20:56 . 2009-10-04 20:57 -------- d-----w- c:\program files\ERUNT
2009-10-01 01:29 . 2009-10-01 01:29 -------- d-----w- c:\program files\SpywareBlaster
2009-09-30 11:40 . 2009-10-05 23:47 0 ----a-r- c:\windows\win32k.sys
2009-09-30 03:28 . 2009-09-30 03:28 -------- dc-h--w- c:\programdata\{EF63305C-BAD7-4144-9208-D65528260864}
2009-09-30 03:28 . 2009-09-30 03:28 -------- d-----w- c:\program files\Lavasoft(1)
2009-09-30 01:30 . 2009-09-30 01:33 -------- d-----w- c:\program files\Spybot
2009-09-11 00:44 . 2009-08-29 00:14 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2009-09-11 00:44 . 2009-08-29 00:27 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-05 23:44 . 2008-11-06 02:05 -------- d-----w- c:\program files\Alwil Software
2009-10-05 03:28 . 2008-10-24 10:42 12 ----a-w- c:\windows\bthservsdp.dat
2009-10-01 02:23 . 2008-11-06 01:58 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-10-01 01:49 . 2008-11-06 01:58 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2009-09-30 11:39 . 2008-10-24 10:59 -------- d-----w- c:\programdata\Lenovo
2009-09-08 23:48 . 2008-10-31 03:34 -------- d-----w- c:\program files\Microsoft Silverlight
2009-08-29 04:06 . 2009-08-29 04:06 -------- d-----w- c:\programdata\Office Genuine Advantage
2009-08-28 00:04 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-08-14 16:27 . 2009-09-08 23:42 904776 ----a-w- c:\windows\system32\drivers\tcpip.sys
2009-08-14 15:53 . 2009-09-08 23:42 17920 ----a-w- c:\windows\system32\netevent.dll
2009-08-14 13:49 . 2009-09-08 23:42 9728 ----a-w- c:\windows\system32\TCPSVCS.EXE
2009-08-14 13:49 . 2009-09-08 23:42 17920 ----a-w- c:\windows\system32\ROUTE.EXE
2009-08-14 13:49 . 2009-09-08 23:42 11264 ----a-w- c:\windows\system32\MRINFO.EXE
2009-08-14 13:49 . 2009-09-08 23:42 27136 ----a-w- c:\windows\system32\NETSTAT.EXE
2009-08-14 13:49 . 2009-09-08 23:42 19968 ----a-w- c:\windows\system32\ARP.EXE
2009-08-14 13:49 . 2009-09-08 23:42 8704 ----a-w- c:\windows\system32\HOSTNAME.EXE
2009-08-14 13:49 . 2009-09-08 23:42 10240 ----a-w- c:\windows\system32\finger.exe
2009-08-14 13:48 . 2009-09-08 23:42 30720 ----a-w- c:\windows\system32\drivers\tcpipreg.sys
2009-08-14 13:48 . 2009-09-08 23:42 105984 ----a-w- c:\windows\system32\netiohlp.dll
2009-08-03 19:07 . 2009-08-03 19:07 403816 ----a-w- c:\windows\system32\OGACheckControl.dll
2009-08-03 19:07 . 2009-08-03 19:07 322928 ----a-w- c:\windows\system32\OGAAddin.dll
2009-08-03 19:07 . 2009-08-03 19:07 230768 ----a-w- c:\windows\system32\OGAEXEC.exe
2009-07-21 21:52 . 2009-07-29 00:14 915456 ----a-w- c:\windows\system32\wininet.dll
2009-07-21 21:47 . 2009-07-29 00:14 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-07-21 21:47 . 2009-07-29 00:14 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-07-21 20:13 . 2009-07-29 00:14 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-07-17 13:54 . 2009-08-11 23:52 71680 ----a-w- c:\windows\system32\atl.dll
2009-07-15 12:40 . 2009-08-11 23:52 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2009-07-15 12:39 . 2009-08-11 23:52 313344 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-15 12:39 . 2009-08-11 23:52 4096 ----a-w- c:\windows\system32\dxmasf.dll
2009-07-15 12:39 . 2009-08-11 23:52 7680 ----a-w- c:\windows\system32\spwmp.dll
2009-07-11 19:01 . 2009-09-08 23:42 293376 ----a-w- c:\windows\system32\wlanmsm.dll
2009-07-11 19:01 . 2009-09-08 23:42 513536 ----a-w- c:\windows\system32\wlansvc.dll
2009-07-11 19:01 . 2009-09-08 23:42 302592 ----a-w- c:\windows\system32\wlansec.dll
2009-07-11 19:01 . 2009-09-08 23:42 65024 ----a-w- c:\windows\system32\wlanapi.dll
2009-07-11 17:03 . 2009-09-08 23:42 127488 ----a-w- c:\windows\system32\L2SecHC.dll
2008-10-24 10:28 . 2008-10-24 10:27 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\users\My Computer\AppData\Local\Google\Update\GoogleUpdate.exe" [2008-11-15 133104]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-12-06 1029416]
"TPHOTKEY"="c:\program files\Lenovo\HOTKEY\TPOSDSVC.exe" [2008-03-24 68464]
"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2008-06-04 242976]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-06-17 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-06-17 170520]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-06-17 145944]
"PWMTRV"="c:\progra~1\ThinkPad\UTILIT~1\PWMTR32V.DLL" [2008-07-28 632096]
"ACWlIcon"="c:\program files\ThinkPad\ConnectUtilities\ACWlIcon.exe" [2008-08-07 148768]
"cssauth"="c:\program files\Lenovo\Client Security Solution\cssauth.exe" [2008-06-25 3077432]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="c:\program files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 479232]
"TpShocks"="TpShocks.exe" - c:\windows\System32\TpShocks.exe [2008-06-07 181536]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"="grpconv -o" [X]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\ThinkPad\Bluetooth Software\BTTray.exe [2008-3-17 752168]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):1c,cd,03,e5,17,e5,c9,01

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{764A1B91-8495-4592-9861-DB0EB28B4D82}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{3C24D254-B2A2-4F0D-85EB-08819984CB7C}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{F694CFD9-9504-4C1C-AD64-6F434E4301A4}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{734E7629-36A3-4374-A8CE-ABF89A912A77}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{060AD815-D800-4628-83A2-1F689BF2031D}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{2DCCA27C-9897-4306-80E5-EED984047BF0}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{6D75083D-32B8-4C50-A9FA-14C652816AC5}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{C95BE7CB-85A2-48C8-AAB4-0DC73DF4CB03}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{0DBAEF1D-E0E0-4B83-92A3-32644789917E}"= c:\program files\Skype\Phone\Skype.exe:Skype
"TCP Query User{296836AA-3844-43B5-A608-091283D0E9E7}c:\\program files\\mozilla firefox\\firefox.exe"= UDP:c:\program files\mozilla firefox\firefox.exe:Firefox
"UDP Query User{465D4F19-FB38-4D5E-ADAB-30B228E85D6E}c:\\program files\\mozilla firefox\\firefox.exe"= TCP:c:\program files\mozilla firefox\firefox.exe:Firefox
"TCP Query User{7D08B825-C774-4C69-AC72-ED177A6C1802}c:\\program files\\quicktime\\quicktimeplayer.exe"= UDP:c:\program files\quicktime\quicktimeplayer.exe:QuickTime Player
"UDP Query User{978F3D16-C484-4DCA-A7D1-F7E37FA0E888}c:\\program files\\quicktime\\quicktimeplayer.exe"= TCP:c:\program files\quicktime\quicktimeplayer.exe:QuickTime Player

R1 aswSP;avast! Self Protection; [x]
R1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\DRIVERS\smiif32.sys [2008-05-12 13480]
R1 TPPWRIF;TPPWRIF;c:\windows\system32\drivers\Tppwr32v.sys [2008-07-28 12080]
R1 tvtumon;tvtumon;c:\windows\system32\DRIVERS\tvtumon.sys [2008-05-24 48192]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2008-07-19 20560]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\DRIVERS\aswMonFlt.sys [2008-07-19 51280]
R2 BcmSqlStartupSvc;Business Contact Manager SQL Server Startup Service;c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe [2008-01-12 30312]
R2 Power Manager DBC Service;Power Manager DBC Service;c:\program files\ThinkPad\Utilities\PWMDBSVC.EXE [2008-07-28 66848]
R2 SessionLauncher;SessionLauncher;c:\users\ADMINI~1\AppData\Local\Temp\DX9\SessionLauncher.exe [x]
R2 TPHKSVC;On Screen Display;c:\program files\LENOVO\HOTKEY\TPHKSVC.exe [2008-03-27 58736]
R2 TVT Backup Protection Service;TVT Backup Protection Service;c:\program files\Lenovo\Rescue and Recovery\rrpservice.exe [2008-05-24 520192]
R2 TVT_UpdateMonitor;TVT Windows Update Monitor;c:\program files\Lenovo\Rescue and Recovery\UpdateMonitor.exe [2008-05-24 253952]
R3 5U875UVC;Integrated Camera;c:\windows\system32\DRIVERS\5U875.sys [2008-04-22 72448]
R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [2008-01-29 29736]
R3 e1yexpress;Intel(R) Gigabit Network Connections Driver;c:\windows\system32\DRIVERS\e1y6032.sys [2009-03-27 221824]
R3 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2008-11-25 29263712]
R3 RoxMediaDB10;RoxMediaDB10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe [2008-04-15 1120752]
R3 TVTI2C;Lenovo SM bus driver;c:\windows\system32\DRIVERS\Tvti2c.sys [2008-02-22 37312]
S0 Shockprf;Shockprf;c:\windows\System32\DRIVERS\Apsx86.sys [2008-05-14 114728]
S0 TPDIGIMN;TPDIGIMN;c:\windows\System32\DRIVERS\ApsHM86.sys [2008-05-14 19496]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
bthsvcs REG_MULTI_SZ BthServ

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\System32\rundll32.exe" "c:\windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-10-06 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-02-12 19:54]

2009-10-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1453019077-152149087-715725611-1004Core.job
- c:\users\My Computer\AppData\Local\Google\Update\GoogleUpdate.exe [2008-11-15 03:15]

2009-10-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1453019077-152149087-715725611-1004UA.job
- c:\users\My Computer\AppData\Local\Google\Update\GoogleUpdate.exe [2008-11-15 03:15]

2009-10-05 c:\windows\Tasks\User_Feed_Synchronization-{7D8398A3-7066-4E4B-B256-78D403AAEBE0}.job
- c:\windows\system32\msfeedssync.exe [2009-07-29 20:13]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie.htm
FF - ProfilePath - c:\users\My Computer\AppData\Roaming\Mozilla\Firefox\Profiles\fuybdelc.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\users\My Computer\AppData\Local\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\users\My Computer\AppData\Roaming\Move Networks\plugins\npqmp071503000010.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

HKLM-RunOnce-<NO NAME> - (no file)



**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(1380)
c:\windows\system32\btncopy.dll
.
Completion time: 2009-10-06 22:09 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-06 02:09

Pre-Run: 99,658,924,032 bytes free
Post-Run: 99,386,494,976 bytes free

208 --- E O F --- 2009-09-18 01:26




And here's the hijackthis report:

ogfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:17:11 PM, on 10/5/2009
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18813)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\System32\TpShocks.exe
C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
C:\Program Files\ThinkPad\Utilities\EZEJMNAP.EXE
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\Program Files\Lenovo\Client Security Solution\cssauth.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\Program Files\Lenovo\Zoom\TpScrex.exe
C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Users\My Computer\AppData\Local\Google\Update\1.2.183.7\GoogleCrashHandler.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\PWMUIAux.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Password Manager Browser Helper Object - {BF468356-BB7E-42D7-9F15-4F3B9BCFCED2} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [PWMTRV] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWMTR32V.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [ACWlIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWlIcon.exe
O4 - HKLM\..\Run: [cssauth] "C:\Program Files\Lenovo\Client Security Solution\cssauth.exe" silent
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKCU\..\Run: [Google Update] "C:\Users\My Computer\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-21-1453019077-152149087-715725611-1004\..\Run: [Google Update] "C:\Users\My Computer\AppData\Local\Google\Update\GoogleUpdate.exe" /c (User '?')
O4 - HKUS\S-1-5-21-1453019077-152149087-715725611-1004\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe (User '?')
O4 - Global Startup: Bluetooth.lnk = ?
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send image to &Bluetooth Device... - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send page to &Bluetooth Device... - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~1.0_0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~1.0_0\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {F4F55DC8-0B69-4DFE-BA94-CB677B88B2A3} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra 'Tools' menuitem: Lenovo Password Manager... - {F4F55DC8-0B69-4DFE-BA94-CB677B88B2A3} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\Windows\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: Power Manager DBC Service - Lenovo - C:\Program Files\ThinkPad\Utilities\PWMDBSVC.EXE
O23 - Service: RoxMediaDB10 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe
O23 - Service: SessionLauncher - Unknown owner - C:\Users\ADMINI~1\AppData\Local\Temp\DX9\SessionLauncher.exe (file missing)
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: System Update (SUService) - Lenovo Group Limited - c:\Program Files\Lenovo\System Update\SUService.exe
O23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - c:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\Windows\System32\TPHDEXLG.exe
O23 - Service: On Screen Display (TPHKSVC) - Lenovo Group Limited - C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe
O23 - Service: TSS Core Service (TSSCoreService) - Lenovo - C:\Program Files\Lenovo\Client Security Solution\tvttcsd.exe
O23 - Service: TVT Backup Protection Service - Unknown owner - C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
O23 - Service: TVT Backup Service - Lenovo Group Limited - C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
O23 - Service: TVT Windows Update Monitor (TVT_UpdateMonitor) - Lenovo Group Limited - C:\Program Files\Lenovo\Rescue and Recovery\UpdateMonitor.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 8518 bytes

ken545
2009-10-06, 11:40
Good Morning,

You need to enable windows to Show all Files and Folders
Instructions for your Operating System HERE (http://www.bleepingcomputer.com/tutorials/tutorial62.html)

Delete both of these files.
C:\32788R22FWJFW.1.tmp
c:\windows\win32k.sys <--Just the one in this folder, the one is system32 is legit




Download TFC (http://oldtimer.geekstogo.com/TFC.exe) to your desktop

Close any open windows.
Double click the TFC icon to run the program
TFC will close all open programs itself in order to run,
Click the Start button to begin the process.
Allow TFC to run uninterrupted.
The program should not take long to finish it's job
Once its finished it should automatically reboot your machine,
if it doesn't, manually reboot to ensure a complete clean







Please download Malwarebytes' Anti-Malware from Here (http://www.besttechie.net/tools/mbam-setup.exe) or Here (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html)


Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform quick scan, then click Scan.
http://forums.whatthetech.com/post_a4255_MBAM.PNG
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected .
When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot.
Post the report and also a new HJT log please


How are things running now ??

usufructs
2009-10-06, 14:53
Everything seems to be running okay. I can actually run these programs now, so that is great.

Malwarebytes' log:

Malwarebytes' Anti-Malware 1.41
Database version: 2914
Windows 6.0.6002 Service Pack 2

10/6/2009 7:49:53 AM
mbam-log-2009-10-06 (07-49-53).txt

Scan type: Quick Scan
Objects scanned: 90500
Time elapsed: 3 minute(s), 18 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



Hijackthis log:

Malwarebytes' Anti-Malware 1.41
Database version: 2914
Windows 6.0.6002 Service Pack 2

10/6/2009 7:49:53 AM
mbam-log-2009-10-06 (07-49-53).txt

Scan type: Quick Scan
Objects scanned: 90500
Time elapsed: 3 minute(s), 18 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Hijack this log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:51:00 AM, on 10/6/2009
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18813)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\System32\TpShocks.exe
C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
C:\Program Files\ThinkPad\Utilities\EZEJMNAP.EXE
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\Program Files\Lenovo\Client Security Solution\cssauth.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Lenovo\Zoom\TpScrex.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Users\My Computer\AppData\Local\Google\Update\1.2.183.7\GoogleCrashHandler.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Password Manager Browser Helper Object - {BF468356-BB7E-42D7-9F15-4F3B9BCFCED2} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [PWMTRV] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWMTR32V.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [ACWlIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWlIcon.exe
O4 - HKLM\..\Run: [cssauth] "C:\Program Files\Lenovo\Client Security Solution\cssauth.exe" silent
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [Google Update] "C:\Users\My Computer\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-21-1453019077-152149087-715725611-1004\..\Run: [Google Update] "C:\Users\My Computer\AppData\Local\Google\Update\GoogleUpdate.exe" /c (User '?')
O4 - HKUS\S-1-5-21-1453019077-152149087-715725611-1004\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe (User '?')
O4 - Global Startup: Bluetooth.lnk = ?
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send image to &Bluetooth Device... - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send page to &Bluetooth Device... - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~1.0_0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~1.0_0\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {F4F55DC8-0B69-4DFE-BA94-CB677B88B2A3} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra 'Tools' menuitem: Lenovo Password Manager... - {F4F55DC8-0B69-4DFE-BA94-CB677B88B2A3} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\Windows\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: Power Manager DBC Service - Lenovo - C:\Program Files\ThinkPad\Utilities\PWMDBSVC.EXE
O23 - Service: RoxMediaDB10 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe
O23 - Service: SessionLauncher - Unknown owner - C:\Users\ADMINI~1\AppData\Local\Temp\DX9\SessionLauncher.exe (file missing)
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: System Update (SUService) - Lenovo Group Limited - c:\Program Files\Lenovo\System Update\SUService.exe
O23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - c:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\Windows\System32\TPHDEXLG.exe
O23 - Service: On Screen Display (TPHKSVC) - Lenovo Group Limited - C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe
O23 - Service: TSS Core Service (TSSCoreService) - Lenovo - C:\Program Files\Lenovo\Client Security Solution\tvttcsd.exe
O23 - Service: TVT Backup Protection Service - Unknown owner - C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
O23 - Service: TVT Backup Service - Lenovo Group Limited - C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
O23 - Service: TVT Windows Update Monitor (TVT_UpdateMonitor) - Lenovo Group Limited - C:\Program Files\Lenovo\Rescue and Recovery\UpdateMonitor.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 8556 bytes

ken545
2009-10-06, 15:12
:bigthumb::bigthumb:

What we like to do is before we kick you loose is to run a free online virus scanner to make sure we got it all.

Please run this free online virus scanner from ESET (http://www.eset.eu/online-scanner)

Note: You will need to use Internet explorer for this scan
Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the activex control to install
Click Start
Make sure that the option Remove found threats is ticked, and the option Scan unwanted applications is checked
Click Scan
Wait for the scan to finish
Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
Copy and paste that log as a reply to this topic

usufructs
2009-10-06, 16:20
Thanks for you time and effort, Ken. I really do appreciate it!

I'll run ESET when I get home tonight and post the log.

Thanks again!

usufructs
2009-10-07, 04:59
From ESET - found 1 trojan:

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
esets_scanner_update returned -1 esets_gle=1
# version=6
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6050
# api_version=3.0.2
# EOSSerial=d6d778b99ae28148ab1d140e32a5624c
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2009-10-07 01:57:41
# local_time=2009-10-06 09:57:41 (-0500, Eastern Daylight Time)
# country="United States"
# lang=9
# osver=6.0.6002 NT Service Pack 2
# compatibility_mode=769 61 100 91 936856318178
# compatibility_mode=5889 61 66 100 539984219652565
# scanned=115266
# found=1
# cleaned=1
# scan_time=1584
C:\Qoobox\Quarantine\C\Windows\System32\cngaudit.dll.vir a variant of Win32/Kryptik.YQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

ken545
2009-10-07, 11:24
Good Morning,

All ESET found was a backup of what Combofix removed. Looks like your good to go.:bigthumb:

You can delete all the programs we used, exehelper, win32kdiag, RootRepeal.


TFC <--Yours to keep, run it about once aweek to clean out the clutter.

Malwarebytes <-- Yours to keep also, check for updates and run a scan now and then.

Combofix <---Is not a general cleaning tool, just run it with supervision or you can bork your system


Click START then RUN
Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.


http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png


When shown the disclaimer, Select "2"

The above procedure will:

Delete the following:
ComboFix and its associated files and folders.
VundoFix backups, if present
The C:\Deckard folder, if present
The C:_OtMoveIt folder, if present
Reset the clock settings.
Hide file extensions, if required.
Hide System/Hidden files, if required.
Reset System Restore.



How did I get infected in the first place ?
Read these links and find out how to prevent getting infected again.
Tutorial for System Restore (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- Do this first to prevent yourself from being reinfected.
WhattheTech (http://forums.whatthetech.com/So_how_did_I_get_infected_in_the_first_place_t57817.html)
Grinler BleepingComputer (http://www.bleepingcomputer.com/forums/topic2520.html)
GeeksTo Go (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I)
Dslreports (http://www.dslreports.com/faq/10002)





Keep in mind if you install some of these programs. Only ONE Anti Virus and only ONE Firewall is recommended, more is overkill and can cause you problems. You can install all the Spyware programs I have listed without any problems. If you install Spyware Blaster and Spyware Guard, they will conflict with the TeaTimer in Spybot , you can still install Spybot Search and Destroy but do not enable the TeaTimer .


Here are some free programs to install, all free and highly regarded by the fine people in the Malware Removal Community

Spybot Search and Destroy 1.6 (http://www.safer-networking.org/en/download/)
Check for Updates/ Immunize and run a Full System Scan on a regular basis. If you install Spyware Blaster ( Recommended ) then do not enable the TeaTimer in Spybot Search and Destroy.

Spyware Blaster (http://www.javacoolsoftware.com/spywareblaster.html) It will prevent most spyware from ever being installed. No scan to run, just update about once a week and enable all protection.

Spyware Guard (http://www.javacoolsoftware.com/spywareguard.html) It offers realtime protection from spyware installation attempts, again, no scan to run, just install it and let it do its thing.

IE-Spyad (http://www.pcworld.com/downloads/file/fid,23332-order,1-page,1-c,antispywaretools/description.html)
IE-Spyad places over 6000 web sites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc) from the sites listed, although you will still be able to connect to the sites.

Firefox 3 (http://www.mozilla.org/products/firefox/) It has more features and is a lot more secure than IE. It is a very easy and painless download and install, it will no way interfere with IE, you can use them both.



Safe Surfn
Ken