View Full Version : Help Please
Philyteach
2009-10-12, 21:18
Over the last month all 5 of my credit cards have been involved in internet fraud. I'm almost positive that I haven't used them all in the same place for purchases, but I have used all of them from this computer. I am running Avast as my antivirus and malwarebytes for antimalware, but neither seem to have found anything. Vista and all programs are legal copies. Spybot S&D only comes up with cookies. At this point I can't imagine that its not the computer, but I've gone as far as I can by myself.
Thanks in advance for any help you can provide!
Ken
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:08:04 PM, on 10/12/2009
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18813)
Boot mode: Normal
Running processes:
D:\Windows\system32\Dwm.exe
D:\Windows\system32\taskeng.exe
D:\Windows\Explorer.EXE
D:\Program Files\Windows Defender\MSASCui.exe
D:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
D:\Windows\WindowsMobile\wmdc.exe
D:\Program Files\Logitech\GamePanel Software\LGDevAgt.exe
D:\Program Files\Logitech\GamePanel Software\LCD Manager\lcdmon.exe
D:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe
D:\Program Files\Alwil Software\Avast4\ashDisp.exe
D:\Windows\System32\Ctxfihlp.exe
D:\Program Files\Java\jre6\bin\jusched.exe
D:\Program Files\Windows Media Player\wmpnscfg.exe
D:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
D:\Windows\SYSTEM32\CTXFISPI.EXE
D:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDClock.exe
D:\Program Files\Logitech\GamePanel Software\Applets\LCDCountdown.exe
D:\Program Files\Logitech\GamePanel Software\Applets\LCDPop3.exe
D:\Program Files\Logitech\GamePanel Software\Applets\LCDMedia.exe
D:\Program Files\Logitech\GamePanel Software\Applets\LCDRSS.exe
D:\Windows\system32\wbem\unsecapp.exe
D:\Windows\System32\mobsync.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe
D:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - G:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - D:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - D:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - D:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - D:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - G:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [GrooveMonitor] "D:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
O4 - HKLM\..\Run: [amd_dc_opt] D:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
O4 - HKLM\..\Run: [Launch LgDevAgt] "D:\Program Files\Logitech\GamePanel Software\LgDevAgt.exe"
O4 - HKLM\..\Run: [Launch LCDMon] "D:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe"
O4 - HKLM\..\Run: [Launch LGDCore] "D:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" /SHOWHIDE
O4 - HKLM\..\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "D:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "D:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [Google Update] "D:\Users\Ken\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [swg] D:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [WMPNSCFG] D:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-18\..\Run: [CtxfiReg] CTXFIREG.exe /FAIL2 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CtxfiReg] CTXFIREG.exe /FAIL2 (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = D:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = D:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O8 - Extra context menu item: Append to existing PDF - res://G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: @D:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - D:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @D:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: d:\windows\system32\nvlsp.dll
O10 - Unknown file in Winsock LSP: d:\windows\system32\nvlsp.dll
O10 - Unknown file in Winsock LSP: d:\windows\system32\nvlsp.dll
O10 - Unknown file in Winsock LSP: d:\windows\system32\nvlsp.dll
O10 - Unknown file in Winsock LSP: d:\windows\system32\nvlsp.dll
O10 - Unknown file in Winsock LSP: d:\windows\system32\nvlsp.dll
O10 - Unknown file in Winsock LSP: d:\windows\system32\nvlsp.dll
O13 - Gopher Prefix:
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{35B66220-D107-423C-83B8-E937AA26A57F}: NameServer = 192.168.0.1
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - D:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - D:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Audio Engine Licensing Service - Creative Labs - D:\Program Files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe
O23 - Service: Creative Audio Service (CTAudSvcService) - Creative Technology Ltd - D:\Program Files\Creative\Shared Files\CTAudSvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - D:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - D:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe
O23 - Service: Google Update Service (gupdate1c9fe8476df90ca) (gupdate1c9fe8476df90ca) - Google Inc. - D:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HAVA Service (havasvc) - Monsoon Multimedia Inc. - D:\Program Files\Monsoon Multimedia\HAVA\Common\havasvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - D:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: iPod Service - Apple Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - D:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MBAMService - Malwarebytes Corporation - D:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: McAfee Real-time Scanner (McShield) - Unknown owner - D:\Program Files\McAfee\VirusScan\McShield.exe (file missing)
O23 - Service: McAfee SystemGuards (McSysmon) - Unknown owner - D:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe (file missing)
O23 - Service: NMIndexingService - Nero AG - D:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: ForceWare IP service (nSvcIp) - Unknown owner - D:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe
O23 - Service: Performance Service (nTuneService) - NVIDIA - D:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - D:\Windows\system32\nvvsvc.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - D:\Windows\system32\IoctlSvc.exe
O23 - Service: PnkBstrA - Unknown owner - D:\Windows\system32\PnkBstrA.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - D:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: Steam Client Service - Valve Corporation - D:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: NVIDIA Stereoscopic 3D Driver Service (Stereo Service) - NVIDIA Corporation - D:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
O23 - Service: SymSnapService - Unknown owner - D:\Program Files\Norton Ghost\Shared\Drivers\SymSnapService.exe (file missing)
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - D:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: Update Center Service (UpdateCenterService) - NVIDIA - D:\Program Files\NVIDIA Corporation\System Update\UpdateCenterService.exe
--
End of file - 13307 bytes
shelf life
2009-10-16, 00:57
hi Philyteach
A victim of phishing maybe? Your log is a few days old. If you still need help reply to my post.
Philyteach
2009-10-16, 03:17
hi Philyteach
A victim of phishing maybe? Your log is a few days old. If you still need help reply to my post.
If you have time I'd like to go through the process. Right now I'm afraid to use my desktop to pay bills, check bank accounts etc.
shelf life
2009-10-16, 04:11
If your AV, Spybot and Malwarebytes are up to date and coming up clean after a scan then thats at least one good thing. We can get a better look for malware on the machine using a tool. I am pretty sure it runs on Vista, you can try it anyway:
Please download DDS (http://download.bleepingcomputer.com/sUBs/dds.scr) and save it to your desktop.
Disable any script blocking protection.
Double click dds.scr to run the tool. When done, DDS.txt will open.
Save both reports to your desktop.
Copy/paste both logs in your next reply.
Philyteach
2009-10-16, 05:01
Thanks for taking the time to give me some help. I've been on the net since gopher, archie, veronica and jughead were the primary tools and this is the first time I've really run into a situation like this that I couldn't figure out. That has me more than a little paranoid. I really appreciate the time you're taking for me.
Ken
DDS (Ver_09-10-13.01) - NTFSx86
Run by Ken at 21:53:40.65 on Thu 10/15/2009
Internet Explorer: 8.0.6001.18828 BrowserJavaVersion: 1.6.0_15
Microsoftฎ Windows Vista Business 6.0.6002.2.1252.1.1033.18.3327.1553 [GMT -4:00]
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
============== Running Processes ===============
D:\Windows\system32\wininit.exe
D:\Windows\system32\lsm.exe
D:\Windows\system32\svchost.exe -k DcomLaunch
D:\Windows\system32\nvvsvc.exe
D:\Windows\system32\svchost.exe -k rpcss
D:\Windows\System32\svchost.exe -k secsvcs
D:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
D:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
D:\Windows\system32\svchost.exe -k netsvcs
D:\Program Files\Creative\Shared Files\CTAudSvc.exe
D:\Windows\system32\svchost.exe -k GPSvcGroup
D:\Windows\system32\SLsvc.exe
D:\Windows\system32\svchost.exe -k LocalService
D:\Windows\system32\svchost.exe -k NetworkService
D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
D:\Program Files\Alwil Software\Avast4\ashServ.exe
D:\Windows\system32\WUDFHost.exe
D:\Windows\System32\spoolsv.exe
D:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
D:\Windows\system32\taskeng.exe
D:\Windows\system32\nvvsvc.exe
D:\Program Files\Bonjour\mDNSResponder.exe
D:\Windows\system32\svchost.exe -k bthsvcs
D:\Windows\system32\CISVC.EXE
D:\Program Files\Monsoon Multimedia\HAVA\Common\havasvc.exe
D:\Program Files\Common Files\LightScribe\LSSrvc.exe
D:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
D:\Program Files\Google\Update\1.2.183.7\GoogleCrashHandler.exe
D:\Windows\system32\IoctlSvc.exe
D:\Windows\System32\svchost.exe -k HPZ12
D:\Windows\system32\PnkBstrA.exe
D:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
D:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
D:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
D:\Windows\system32\svchost.exe -k imgsvc
D:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
D:\Program Files\NVIDIA Corporation\System Update\UpdateCenterService.exe
D:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
D:\Windows\system32\SearchIndexer.exe
D:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe
D:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe
D:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
D:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
D:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
D:\Windows\system32\svchost.exe -k WindowsMobile
D:\Program Files\Windows Media Player\wmpnetwk.exe
D:\Windows\system32\taskeng.exe
D:\Windows\system32\Dwm.exe
D:\Windows\Explorer.EXE
D:\Program Files\Windows Defender\MSASCui.exe
D:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
D:\Windows\WindowsMobile\wmdc.exe
D:\Program Files\Logitech\GamePanel Software\LGDevAgt.exe
D:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe
D:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe
D:\Program Files\Alwil Software\Avast4\ashDisp.exe
D:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
D:\Windows\System32\Ctxfihlp.exe
D:\Program Files\Java\jre6\bin\jusched.exe
D:\Windows\SYSTEM32\CTXFISPI.EXE
D:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
D:\Program Files\Windows Media Player\wmpnscfg.exe
D:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDClock.exe
D:\Program Files\Logitech\GamePanel Software\Applets\LCDCountdown.exe
D:\Program Files\Logitech\GamePanel Software\Applets\LCDPop3.exe
D:\Program Files\Logitech\GamePanel Software\Applets\LCDMedia.exe
D:\Program Files\Logitech\GamePanel Software\Applets\LCDRSS.exe
D:\Windows\system32\wbem\unsecapp.exe
D:\Windows\system32\wbem\wmiprvse.exe
D:\Windows\System32\mobsync.exe
D:\Windows\system32\taskeng.exe
D:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
G:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrobat.exe
D:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Windows\system32\SearchProtocolHost.exe
D:\Windows\system32\SearchFilterHost.exe
D:\Windows\system32\DllHost.exe
D:\Windows\system32\DllHost.exe
G:\32 bit dloaded\dds.scr
D:\Windows\system32\wbem\wmiprvse.exe
============== Pseudo HJT Report ===============
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - d:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: ContributeBHO Class: {074c1dc5-9320-4a9a-947d-c042949c6216} - g:\program files\adobe\/Adobe Contribute CS3/contributeieplugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - d:\progra~1\spybot~1\SDHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - d:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - d:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - g:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - d:\program files\google\googletoolbarnotifier\5.3.4501.1418\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - d:\program files\java\jre6\bin\jp2ssv.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - g:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: Contribute Toolbar: {517bdde4-e3a7-4570-b21e-2b52b6139fc7} - g:\program files\adobe\/Adobe Contribute CS3/contributeieplugin.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - g:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [Google Update] "d:\users\ken\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [swg] d:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [WMPNSCFG] d:\program files\windows media player\WMPNSCFG.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [GrooveMonitor] "d:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [<NO NAME>]
mRun: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
mRun: [amd_dc_opt] d:\program files\amd\dual-core optimizer\amd_dc_opt.exe
mRun: [Launch LgDevAgt] "d:\program files\logitech\gamepanel software\LgDevAgt.exe"
mRun: [Launch LCDMon] "d:\program files\logitech\gamepanel software\lcd manager\LCDMon.exe"
mRun: [Launch LGDCore] "d:\program files\logitech\gamepanel software\g-series software\LGDCore.exe" /SHOWHIDE
mRun: [avast!] d:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [Malwarebytes' Anti-Malware] "d:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [Malwarebytes Anti-Malware (reboot)] "d:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [CTxfiHlp] CTXFIHLP.EXE
mRun: [SunJavaUpdateSched] "d:\program files\java\jre6\bin\jusched.exe"
dRun: [CtxfiReg] CTXFIREG.exe /FAIL2
StartupFolder: d:\users\ken\appdata\roaming\micros~1\windows\startm~1\programs\startup\erunta~1.lnk - d:\program files\erunt\AUTOBACK.EXE
StartupFolder: d:\users\ken\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - d:\program files\microsoft office\office12\ONENOTEM.EXE
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Append to existing PDF - g:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - g:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - g:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - g:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - g:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - g:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - g:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - g:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - d:\progra~1\micros~1\office12\ONBttnIE.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - d:\windows\windowsmobile\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - d:\windows\windowsmobile\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - d:\progra~1\micros~1\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - d:\progra~1\spybot~1\SDHelper.dll
LSP: %SYSTEMROOT%\system32\nvLsp.dll
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/8/b/d/8bd77752-5704-4d68-a152-f7252adaa4f2/LegitCheckControl.cab
DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} - hxxp://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: {35B66220-D107-423C-83B8-E937AA26A57F} = 192.168.0.1
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - d:\program files\microsoft office\office12\GrooveSystemServices.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - d:\program files\microsoft office\office12\GrooveShellExtensions.dll
================= FIREFOX ===================
FF - ProfilePath - d:\users\ken\appdata\roaming\mozilla\firefox\profiles\11lemczo.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - plugin: c:\program files\real\realplayer\netscape6\nppl3260.dll
FF - plugin: c:\program files\real\realplayer\netscape6\nprjplug.dll
FF - plugin: c:\program files\real\realplayer\netscape6\nprpjplug.dll
FF - plugin: d:\program files\google\google updater\2.4.1636.7222\npCIDetect13.dll
FF - plugin: d:\program files\google\update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: d:\program files\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: d:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll
FF - plugin: d:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll
FF - plugin: d:\program files\microsoft\office live\npOLW.dll
FF - plugin: d:\program files\mozilla firefox\plugins\npicaN.dll
FF - plugin: d:\program files\mozilla firefox\plugins\NPTURNMED.dll
FF - plugin: d:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: d:\users\ken\appdata\local\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: g:\program files\adobe\acrobat 8.0\acrobat\browser\nppdf32.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - d:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - d:\program files\mozilla firefox\extensions\{CAFEEFAC-0015-0000-0017-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - d:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - d:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
============= SERVICES / DRIVERS ===============
R0 amacpi;Microsoft Away Mode System;d:\windows\system32\drivers\null.sys [2008-6-16 4608]
R0 cfadisk;CompactFlash Filter Driver;d:\windows\system32\drivers\cfadisk.sys [2008-11-9 3712]
R0 nvamacpi;Nvidia Away Mode System;d:\windows\system32\drivers\nvamacpi.sys [2008-7-22 24608]
R0 snapman380;Acronis Snapshots Manager (Build 380);d:\windows\system32\drivers\snman380.sys [2008-11-9 134272]
R0 tdrpman147;Acronis Try&Decide and Restore Points filter (build 147);d:\windows\system32\drivers\tdrpm147.sys [2008-11-9 971232]
R1 aswSP;avast! Self Protection;d:\windows\system32\drivers\aswSP.sys [2009-7-6 114768]
R2 aswFsBlk;aswFsBlk;d:\windows\system32\drivers\aswFsBlk.sys [2009-7-6 20560]
R2 aswMonFlt;aswMonFlt;d:\windows\system32\drivers\aswMonFlt.sys [2009-7-6 53328]
R2 havasvc;HAVA Service;d:\program files\monsoon multimedia\hava\common\havasvc.exe [2009-4-30 145408]
R2 IntuitUpdateService;Intuit Update Service;d:\program files\common files\intuit\update service\IntuitUpdateService.exe [2008-10-10 13088]
R2 MBAMService;MBAMService;d:\program files\malwarebytes' anti-malware\mbamservice.exe [2009-8-6 269648]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;d:\program files\nvidia corporation\3d vision\nvSCPAPISvr.exe [2009-7-14 239648]
R2 wlidsvc;Windows Live ID Sign-in Assistant;d:\program files\common files\microsoft shared\windows live\WLIDSVC.EXE [2009-3-30 1533808]
R3 CT20XUT.SYS;CT20XUT.SYS;d:\windows\system32\drivers\CT20XUT.sys [2008-5-9 191488]
R3 CTEXFIFX.SYS;CTEXFIFX.SYS;d:\windows\system32\drivers\CTEXFIFX.sys [2008-5-9 1360896]
R3 CTHWIUT.SYS;CTHWIUT.SYS;d:\windows\system32\drivers\CTHWIUT.sys [2008-5-9 67072]
R3 havabus;HAVA Bus Enumerator;d:\windows\system32\drivers\havabus.sys [2009-1-13 37376]
R3 havanet;HAVA NDIS Protocol Driver;d:\windows\system32\drivers\havanet.sys [2009-1-13 20480]
R3 HAVATV;Hava Video Device;d:\windows\system32\drivers\HavaTV.sys [2009-4-23 324224]
R3 HavaTV_10;Hava Remote Video Device;d:\windows\system32\drivers\HavaTV_10.sys [2009-4-23 324224]
R3 MBAMProtector;MBAMProtector;d:\windows\system32\drivers\mbam.sys [2009-8-6 19160]
R3 tap0901;TAP-Win32 Adapter V9;d:\windows\system32\drivers\tap0901.sys [2009-7-16 25984]
S2 gupdate1c9fe8476df90ca;Google Update Service (gupdate1c9fe8476df90ca);d:\program files\google\update\GoogleUpdate.exe [2009-7-6 133104]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;d:\program files\common files\creative labs shared\service\CTAELicensing.exe [2008-6-18 79360]
S3 CT20XUT;CT20XUT;d:\windows\system32\drivers\CT20XUT.sys [2008-5-9 191488]
S3 CTEXFIFX;CTEXFIFX;d:\windows\system32\drivers\CTEXFIFX.sys [2008-5-9 1360896]
S3 CTHWIUT;CTHWIUT;d:\windows\system32\drivers\CTHWIUT.sys [2008-5-9 67072]
S3 MotDev;Motorola Inc. USB Device;d:\windows\system32\drivers\motodrv.sys [2007-5-4 42112]
S3 SymSnapService;SymSnapService;"d:\program files\norton ghost\shared\drivers\symsnapservice.exe" --> d:\program files\norton ghost\shared\drivers\SymSnapService.exe [?]
S3 tap0801;TAP-Win32 Adapter V8;d:\windows\system32\drivers\tap0801.sys [2006-10-1 26624]
S3 uisp;Freescale USB JW32 driver;d:\windows\system32\drivers\USBICP.sys [2008-8-1 14592]
S3 UsbFltr;Razer Copperhead Driver;d:\windows\system32\drivers\copperhd.sys [2008-8-1 11596]
=============== Created Last 30 ================
2009-10-14 04:39 604,672 a------- d:\windows\system32\WMSPDMOD.DLL
2009-10-11 11:30 61,440 a------- d:\windows\system32\ISUSPM.cpl
2009-10-11 11:30 <DIR> --d----- d:\program files\WhiteCanyon
2009-10-10 17:04 <DIR> --d----- d:\programdata\Office Genuine Advantage
2009-10-10 17:04 <DIR> --d----- d:\users\ken\Office Genuine Advantage
2009-10-07 10:08 2,421,760 a------- d:\windows\system32\wucltux.dll
2009-10-07 10:08 87,552 a------- d:\windows\system32\wudriver.dll
2009-10-07 10:08 171,608 a------- d:\windows\system32\wuwebv.dll
2009-10-07 10:08 33,792 a------- d:\windows\system32\wuapp.exe
2009-10-03 02:04 195,440 -------- d:\windows\system32\MpSigStub.exe
2009-09-19 22:51 56,256 a------- d:\windows\system32\BMXStateBkp-{00000004-00000000-00000008-00001102-00000005-002C1102}.rfx
2009-09-19 22:51 56,256 a------- d:\windows\system32\BMXState-{00000004-00000000-00000008-00001102-00000005-002C1102}.rfx
2009-09-19 22:51 1,080 a------- d:\windows\system32\settingsbkup.sfm
2009-09-19 22:51 1,080 a------- d:\windows\system32\settings.sfm
2009-09-19 22:51 796 a------- d:\windows\system32\DVCState-{00000004-00000000-00000008-00001102-00000005-002C1102}.rfx
2009-09-19 22:49 <DIR> --d----- d:\windows\system32\eu-ES
2009-09-19 22:49 <DIR> --d----- d:\windows\system32\ca-ES
2009-09-19 22:49 <DIR> --d----- d:\windows\system32\vi-VN
2009-09-19 15:32 <DIR> --d----- d:\program files\Microsoft Windows 7 Upgrade Advisor
2009-09-19 15:31 <DIR> --d----- d:\windows\system32\EventProviders
2009-09-18 09:50 800,768 a------- d:\windows\system32\advapi32.dll
2009-09-18 09:49 356,864 a------- d:\windows\system32\MediaMetadataHandler.dll
==================== Find3M ====================
2009-10-15 06:26 67,655 a------- d:\programdata\nvModes.dat
2009-10-15 06:26 67,655 a------- d:\progra~3\nvModes.dat
2009-10-15 03:31 4,847 a------- d:\windows\bthservsdp.dat
2009-10-12 13:51 143,360 a------- d:\windows\inf\infstrng.dat
2009-10-12 13:51 86,016 a------- d:\windows\inf\infstor.dat
2009-10-12 13:51 51,200 a------- d:\windows\inf\infpub.dat
2009-10-12 13:41 87,608 a------- d:\users\ken\appdata\roaming\inst.exe
2009-10-12 13:41 47,360 a------- d:\users\ken\appdata\roaming\pcouffin.sys
2009-09-19 22:49 665,600 a------- d:\windows\inf\drvindex.dat
2009-09-19 22:47 444,952 a------- d:\windows\system32\wrap_oal.dll
2009-09-19 22:47 109,080 a------- d:\windows\system32\OpenAL32.dll
2009-09-14 05:29 144,896 a------- d:\windows\system32\drivers\srv2.sys
2009-09-10 14:54 38,224 a------- d:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 14:53 19,160 a------- d:\windows\system32\drivers\mbam.sys
2009-09-10 12:48 218,624 a------- d:\windows\system32\msv1_0.dll
2009-09-04 07:41 60,928 a------- d:\windows\system32\msasn1.dll
2009-08-28 22:30 173,056 a------- d:\windows\apppatch\AcXtrnal.dll
2009-08-28 22:30 458,752 a------- d:\windows\apppatch\AcSpecfc.dll
2009-08-28 22:30 2,159,616 a------- d:\windows\apppatch\AcGenral.dll
2009-08-28 22:30 542,720 a------- d:\windows\apppatch\AcLayers.dll
2009-08-28 20:27 4,240,384 a------- d:\windows\system32\GameUXLegacyGDFs.dll
2009-08-28 20:14 28,672 a------- d:\windows\system32\Apphlpdm.dll
2009-08-27 01:22 916,480 a------- d:\windows\system32\wininet.dll
2009-08-27 01:17 109,056 a------- d:\windows\system32\iesysprep.dll
2009-08-27 01:17 71,680 a------- d:\windows\system32\iesetup.dll
2009-08-26 23:42 133,632 a------- d:\windows\system32\ieUnatt.exe
2009-08-17 23:33 1,193,832 a------- d:\windows\system32\FM20.DLL
2009-08-17 21:03 0 a---h--- d:\windows\system32\drivers\Msft_Kernel_motmodem_01005.Wdf
2009-08-17 12:05 53,328 a------- d:\windows\system32\drivers\aswMonFlt.sys
2009-08-14 11:53 17,920 a------- d:\windows\system32\netevent.dll
2009-08-14 09:49 9,728 a------- d:\windows\system32\TCPSVCS.EXE
2009-08-14 09:49 17,920 a------- d:\windows\system32\ROUTE.EXE
2009-08-14 09:49 11,264 a------- d:\windows\system32\MRINFO.EXE
2009-08-14 09:49 27,136 a------- d:\windows\system32\NETSTAT.EXE
2009-08-14 09:49 19,968 a------- d:\windows\system32\ARP.EXE
2009-08-14 09:49 8,704 a------- d:\windows\system32\HOSTNAME.EXE
2009-08-14 09:49 10,240 a------- d:\windows\system32\finger.exe
2009-08-14 09:48 105,984 a------- d:\windows\system32\netiohlp.dll
2009-08-06 02:17 2,859,381 a------- d:\windows\system32\combined.dat
2009-08-06 02:17 286,902 a------- d:\windows\system32\psbbans.dat
2009-08-06 02:17 1,371,975 a------- d:\windows\system32\acibans.dat
2009-08-04 08:34 3,600,456 a------- d:\windows\system32\ntkrnlpa.exe
2009-08-04 08:34 3,548,216 a------- d:\windows\system32\ntoskrnl.exe
2009-08-03 15:07 403,816 a------- d:\windows\system32\OGACheckControl.dll
2009-08-03 15:07 322,928 a------- d:\windows\system32\OGAAddin.dll
2009-08-03 15:07 230,768 a------- d:\windows\system32\OGAEXEC.exe
2009-07-25 05:23 411,368 a------- d:\windows\system32\deploytk.dll
2009-07-11 08:07 139,152 a------- d:\users\ken\appdata\roaming\PnkBstrK.sys
2008-06-17 16:29 174 a--sh--- d:\program files\desktop.ini
2006-11-02 08:42 287,440 a------- d:\windows\inf\perflib\0409\perfi.dat
2006-11-02 08:42 287,440 a------- d:\windows\inf\perflib\0409\perfh.dat
2006-11-02 08:42 30,674 a------- d:\windows\inf\perflib\0409\perfd.dat
2006-11-02 08:42 30,674 a------- d:\windows\inf\perflib\0409\perfc.dat
2006-11-02 05:20 287,440 a------- d:\windows\inf\perflib\0000\perfi.dat
2006-11-02 05:20 287,440 a------- d:\windows\inf\perflib\0000\perfh.dat
2006-11-02 05:20 30,674 a------- d:\windows\inf\perflib\0000\perfd.dat
2006-11-02 05:20 30,674 a------- d:\windows\inf\perflib\0000\perfc.dat
2009-07-15 03:12 16,384 a--sh--- d:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2009-07-15 03:12 32,768 a--sh--- d:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2009-07-15 03:12 16,384 a--sh--- d:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\cookies\index.dat
2009-07-15 03:12 245,760 a--sh--- d:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2006-05-03 05:06 163,328 ---shr-- d:\windows\system32\flvDX.dll
2007-02-21 06:47 31,232 ---shr-- d:\windows\system32\msfDX.dll
2008-03-16 08:30 216,064 ---shr-- d:\windows\system32\nbDX.dll
============= FINISH: 21:54:08.01 ===============
shelf life
2009-10-17, 00:03
hi,
No problem. your welcome. The good news is I dont recognize any malware in the log. Have you had malware in the past? Have Spybot, Malwarebytes or your AV found and removed anything lately?
Lets get one more tool for another look:
Please download: RootRepeal
http://ad13.geekstogo.com/RootRepeal.exe
Click the icon on your desktop to start.
Click on the Report tab at the bottom of the window
Next, Click on the Scan button
In the Select Scan Window check everything:
Drivers
Files
Processes
SSDT
Stealth Objects
Hidden Services
Click the OK button
In the next dialog window select all the drives that are listed
Click OK to start the scan
When done click the Save Report button.
Save the report to your desktop
To Exit RootRepeal: click File>Exit
Post the report in your reply
Philyteach
2009-10-17, 15:44
Not ignoring you, the thing's been scanning for over 14 hours.... I'll post when its finally done.
shelf life
2009-10-18, 20:02
Now way it should take that long to scan. Its probably locked up. We can use another tool.
Philyteach
2009-10-19, 13:49
It locks up on Drivers.
shelf life
2009-10-20, 00:06
ok we will use gmer instead. You can delete the rootrepeal icon from your desktop.
download Gmer to your desktop:
http://gmer.net/download.php
close any running programs.
doubleclick the gmer icon to start Gmer:
if you get a message box that says:
warning!!
Gmer has found system modification or Rootkit Activity.......
It will ask you:
Do you want to fully scan your system?
*select no*
In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is un-checked.
Now click the Scan button.
gmer will scan computer.
If you get a Rootkit warning window during the scan: click OK
When finished click "Save" to save log to your desktop
Copy/Paste the saved Gmer log in your reply.
Philyteach
2009-10-20, 01:19
Root Repeal just finished. Here's the report. I'll run the other one in a few minutes.
ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2009/10/18 08:12
Program Version: Version 1.3.5.0
Windows Version: Windows Vista SP2
==================================================
Drivers
-------------------
Name: dump_diskdump.sys
Image Path: D:\Windows\System32\Drivers\dump_diskdump.sys
Address: 0x97F13000 Size: 40960 File Visible: No Signed: -
Status: -
Name: dump_nvstor32.sys
Image Path: D:\Windows\System32\Drivers\dump_nvstor32.sys
Address: 0x97F1D000 Size: 151552 File Visible: No Signed: -
Status: -
Name: rootrepeal.sys
Image Path: D:\Windows\system32\drivers\rootrepeal.sys
Address: 0xB84A9000 Size: 49152 File Visible: No Signed: -
Status: -
Name: sptd
Image Path: \Driver\sptd
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -
Name: spwe.sys
Image Path: D:\Windows\System32\Drivers\spwe.sys
Address: 0x8300D000 Size: 1036288 File Visible: No Signed: -
Status: -
Hidden/Locked Files
-------------------
Path: C:\System Volume Information\{52517846-3cd8-11dd-bb32-001617b7db9f}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!
Path: C:\System Volume Information\{fa8332eb-3c8f-11dd-9611-001617b7db9f}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!
Path: C:\System Volume Information\{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\amd64_fundisc_31bf3856ad364e35_6.0.6000.16386_none_d5cc485ff654f0b7\fundisc(3893).dll
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\amd64_microsoft-windows-a..atibility-assistant_31bf3856ad364e35_6.0.6000.16386_none_8dae5f9bde99628c\pcasvc(5007).dll
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\amd64_microsoft-windows-a..ence-infrastructure_31bf3856ad364e35_6.0.6000.16386_none_2ef8dd46082c3725\aelupsvc(2768).dll
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\amd64_microsoft-windows-a..ence-infrastructure_31bf3856ad364e35_6.0.6000.16386_none_2ef8dd46082c3725\apphelp(2776).dll
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\amd64_microsoft-windows-a..ence-infrastructure_31bf3856ad364e35_6.0.6001.17052_none_30fba702053decbb\aelupsvc(2768).dll
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\amd64_microsoft-windows-a..dcredentialprovider_31bf3856ad364e35_6.0.6000.16386_none_9bf27e417dffb1c4\SmartcardCredentialProvider(5391).dll
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\amd64_microsoft-windows-a..on-authui.resources_31bf3856ad364e35_6.0.6000.16386_en-us_e56470f6587bdb50\authui.dll(3537).mui
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\amd64_microsoft-windows-audio-mmecore-base_31bf3856ad364e35_6.0.6000.16386_none_0fc795c20d227be9\winmm(6001).dll
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\amd64_microsoft-windows-a..terface-ldapc-layer_31bf3856ad364e35_6.0.6000.16386_none_b91a4dc121efb9de\adsldpc(2754).dll
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\amd64_microsoft-windows-activexproxy_31bf3856ad364e35_6.0.6000.16386_none_6bf60cf7a5bcb6f8\actxprxy(2749).dll
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\amd64_microsoft-windows-atl_31bf3856ad364e35_6.0.6000.16386_none_0508194e1524cd49\atl(2791).dll
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\amd64_microsoft-windows-advapi32_31bf3856ad364e35_6.0.6000.16386_none_3d302b3241f41912\advapi32(2766).dll
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\amd64_microsoft-windows-bits-client_31bf3856ad364e35_6.0.6000.16531_none_7da9b06ab4c05bd4\qmgr(5113).dll
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\amd64_microsoft-windows-c..complus-eventsystem_31bf3856ad364e35_6.0.6000.16386_none_66d578a50d30008b\es(3842).dll
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\amd64_microsoft-windows-c..complus-runtime-qfe_31bf3856ad364e35_6.0.6000.16386_none_c54b08093401333b\clbcatq(2905).dll
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\amd64_microsoft-windows-cabinet_31bf3856ad364e35_6.0.6000.16386_none_91272aa49d5e14a8\cabinet(2866).dll
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\amd64_microsoft-windows-com-base-qfe-ole32_31bf3856ad364e35_6.0.6000.16386_none_060580e3adc3c0e6\ole32(4958).dll
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\amd64_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.0.6000.16386_none_c3b2b583f9525e9e\rpcss(5274).dll
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\amd64_microsoft-windows-com-dtc-runtime_31bf3856ad364e35_6.0.6000.16386_none_733adc6d1b755be4\msdtckrm(4649).dll
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\amd64_microsoft-windows-coreos_31bf3856ad364e35_6.0.6000.16470_none_7f3eefe4f9c0f0c5\imagehlp(4015).dll
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\amd64_microsoft-windows-coreusermodepnp_31bf3856ad364e35_6.0.6000.16600_none_d13a0813e822d94a\umpnpmgr(5640).dll
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\amd64_microsoft-windows-credui_31bf3856ad364e35_6.0.6000.16386_none_351f26494a5fd46a\credui(2956).dll
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\amd64_microsoft-windows-crypt32-dll_31bf3856ad364e35_6.0.6000.16425_none_b5977c8799166366\crypt32(2958).dll
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\amd64_microsoft-windows-cryptdll-dll_31bf3856ad364e35_6.0.6000.16386_none_5f865f6e6937d187\cryptdll(2959).dll
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\amd64_microsoft-windows-cryptui-dll_31bf3856ad364e35_6.0.6000.16386_none_dfd634e65395b379\cryptui(2963).dll
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\amd64_microsoft-windows-csrsrv_31bf3856ad364e35_6.0.6000.16445_none_239951d960b07637\csrsrv(2975).dll
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\amd64_microsoft-windows-csrss_31bf3856ad364e35_6.0.6000.16386_none_b2cbbd5f9f880eae\csrss(2976).exe
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\amd64_microsoft-windows-d..ellman_software_csp_31bf3856ad364e35_6.0.6000.16386_none_95e0950b40570db8\dssenh(3500).dll
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\amd64_microsoft-windows-d..oryservices-ntdsapi_31bf3856ad364e35_6.0.6000.16386_none_28c51fedaca8b139\ntdsapi(4913).dll
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\amd64_microsoft-windows-dhcp-client-dll_31bf3856ad364e35_6.0.6000.16512_none_3189b53fe9cd0137\dhcpcsvc(3158).dll
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\amd64_microsoft-windows-dhcp-client-dll_31bf3856ad364e35_6.0.6000.16512_none_3189b53fe9cd0137\dhcpcsvc6(3159).dll
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\amd64_microsoft-windows-directory-services-sam_31bf3856ad364e35_6.0.6000.16386_none_0bd632e55c66eec6\samlib(5291).dll
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\amd64_microsoft-windows-directory-services-sam_31bf3856ad364e35_6.0.6000.16386_none_0bd632e55c66eec6\samsrv(5292).dll
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\amd64_microsoft-windows-dns-client_31bf3856ad364e35_6.0.6000.16386_none_3bca56653dcbc3cd\dnsapi(3183).dll
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\amd64_microsoft-windows-dns-client_31bf3856ad364e35_6.0.6000.16386_none_3bca56653dcbc3cd\dnsrslvr(3186).dll
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\amd64_microsoft-windows-dns-client-winrnr_31bf3856ad364e35_6.0.6000.16386_none_b3362c770b8897cc\winrnr(6007).dll
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\amd64_microsoft-windows-duser_31bf3856ad364e35_6.0.6000.16386_none_b45c87d0b7ece25b\duser(3502).dll
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\amd64_microsoft-windows-e..estorageengine-isam_31bf3856ad364e35_6.0.6000.16386_none_4bcc2068e77e1f6b\esent(3843).dll
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\amd64_microsoft-windows-errorreportingcore_31bf3856ad364e35_6.0.6000.16386_none_7a5e8b9dc1569c4b\wer(5956).dll
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\amd64_microsoft-windows-eventlog-api_31bf3856ad364e35_6.0.6000.16386_none_0618dba420bc92c9\wevtapi(5965).dll
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\amd64_microsoft-windows-feclient_31bf3856ad364e35_6.0.6000.16386_none_18c1eab313073542\feclient(3867).dll
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\amd64_microsoft-windows-feedback-service_31bf3856ad364e35_6.0.6000.16386_none_d3b3cce94c58000b\wersvc(5963).dll
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\amd64_microsoft-windows-gdi32_31bf3856ad364e35_6.0.6000.16386_none_b366838404c3ebcd\gdi32(3921).dll
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\amd64_microsoft-windows-gdi_31bf3856ad364e35_6.0.6000.16386_none_03baf20015f8bdae\lpk(4274).dll
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\amd64_microsoft-windows-grouppolicy-base_31bf3856ad364e35_6.0.6000.16386_none_820b3b66a2750667\gpapi(3924).dll
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\amd64_microsoft-windows-grouppolicy-base_31bf3856ad364e35_6.0.6000.16386_none_820b3b66a2750667\gpsvc(3938).dll
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\amd64_microsoft-windows-gdi-painting_31bf3856ad364e35_6.0.6000.16386_none_d153b1a2d77e7223\msimg32(4674).dll
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\amd64_microsoft-windows-hid-user_31bf3856ad364e35_6.0.6000.16386_none_309421f542e10899\hid(3952).dll
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\amd64_microsoft-windows-i..ersandsecurityzones_31bf3856ad364e35_6.0.6000.16575_none_0ed4c4d1923510bb\urlmon(5654).dll
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\amd64_microsoft-windows-i..nal-core-locale-nls_31bf3856ad364e35_6.0.6000.16386_none_c4a00a6164b82233\locale(4263).nls
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\amd64_microsoft-windows-imm32_31bf3856ad364e35_6.0.6000.16386_none_b63df79e35dd5d64\imm32(4075).dll
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\amd64_microsoft-windows-installer-engine_31bf3856ad364e35_6.0.6000.16386_none_5d6257b36ef71f63\msi(4667).dll
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\amd64_microsoft-windows-kernel32.resources_31bf3856ad364e35_6.0.6000.16386_en-us_97029d05e0b6d9f9\kernel32.dll(3630).mui
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\amd64_microsoft-windows-kernel32_31bf3856ad364e35_6.0.6000.16386_none_eda5bec911bde910\kernel32(4128).dll
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\amd64_microsoft-windows-ldap-client_31bf3856ad364e35_6.0.6000.16386_none_4d24211f11de143d\Wldap32(6041).dll
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\amd64_microsoft-windows-lmhsvc_31bf3856ad364e35_6.0.6000.16386_none_aca8c1eeabc89b45\lmhsvc(4260).dll
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\amd64_microsoft-windows-lsa.resources_31bf3856ad364e35_6.0.6000.16386_en-us_e08fadd9520db789\lsasrv.dll(3664).mui
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\amd64_microsoft-windows-lua_31bf3856ad364e35_6.0.6000.16386_none_003236ba183dcbda\appinfo(2778).dll
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\amd64_microsoft-windows-mprapi_31bf3856ad364e35_6.0.6000.16386_none_6df45e740e76fb9b\mprapi(4619).dll
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\amd64_microsoft-windows-mpr_31bf3856ad364e35_6.0.6000.16386_none_07bda2fa1363b203\mpr(4618).dll
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\amd64_microsoft-windows-msasn1_31bf3856ad364e35_6.0.6000.16386_none_2141ef5260d3c38d\msasn1(4627).dll
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\amd64_microsoft-windows-mmdeviceapi_31bf3856ad364e35_6.0.6000.16386_none_aeec1d1f74d43aec\MMDevAPI(4607).dll
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\amd64_microsoft-windows-msvcp60_31bf3856ad364e35_6.0.6000.16386_none_9c896e186cd1e301\msvcp60(4713).dll
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\amd64_microsoft-windows-msvcrt_31bf3856ad364e35_6.0.6000.16386_none_2b3d0fa85a587e0f\msvcrt(4714).dll
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\amd64_microsoft-windows-msxml30_31bf3856ad364e35_6.0.6000.16500_none_e2a69b92520d055a\msxml3(4720).dll
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\amd64_microsoft-windows-msxml30_31bf3856ad364e35_6.0.6000.16500_none_e2a69b92520d055a\msxml3r(4721).dll
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\amd64_microsoft-windows-n..-security.resources_31bf3856ad364e35_6.0.6000.16386_en-us_a81da3690005e7ae\bfe.dll(3545).mui
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\amd64_microsoft-windows-n..ider-infrastructure_31bf3856ad364e35_6.0.6000.16386_none_06051a504aa34722\NapiNSP(4739).dll
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\amd64_microsoft-windows-n..ssprotection-common_31bf3856ad364e35_6.0.6000.16386_none_0e4d63213a95f66f\QUTIL(5122).DLL
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\amd64_microsoft-windows-ncrypt-dll_31bf3856ad364e35_6.0.6000.16386_none_b7c62f19ad0e6f05\ncrypt(4753).dll
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\amd64_microsoft-windows-netapi32_31bf3856ad364e35_6.0.6000.16386_none_e71bf49abd023e94\netapi32(4765).dll
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\amd64_microsoft-windows-netshell_31bf3856ad364e35_6.0.6000.16386_none_2f6b445ac97d298f\netshell(4787).dll
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\amd64_microsoft-windows-network-security_31bf3856ad364e35_6.0.6000.16386_none_270c4970e5fd386b\BFE(2831).DLL
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\amd64_microsoft-windows-network-security_31bf3856ad364e35_6.0.6000.16386_none_270c4970e5fd386b\FWPUCLNT(3895).DLL
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\amd64_microsoft-windows-nlasvc_31bf3856ad364e35_6.0.6000.16386_none_c16dcf4ec65ca5c7\ncsi(4755).dll
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\amd64_microsoft-windows-nlasvc_31bf3856ad364e35_6.0.6000.16386_none_c16dcf4ec65ca5c7\nlaapi(4810).dll
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\amd64_microsoft-windows-nlasvc_31bf3856ad364e35_6.0.6000.16386_none_c16dcf4ec65ca5c7\nlasvc(4811).dll
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\amd64_microsoft-windows-ntlanman_31bf3856ad364e35_6.0.6000.16386_none_89f8ef4c9e1280b1\ntlanman(4914).dll
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\amd64_microsoft-windows-o..inefiles-win32-apis_31bf3856ad364e35_6.0.6000.16386_none_0552d358b4979a52\cscapi(2968).dll
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\amd64_microsoft-windows-o..nefiles-extend-apis_31bf3856ad364e35_6.0.6000.16386_none_e6da96beefbe15d3\cscobj(2971).dll
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\amd64_microsoft-windows-ole-automation_31bf3856ad364e35_6.0.6000.16600_none_1738876bb6b1136d\oleaut32(4960).dll
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\amd64_microsoft-windows-ntdll_31bf3856ad364e35_6.0.6000.16386_none_b2beb7c9b7a00c78\ntdll(4912).dll
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\amd64_microsoft-windows-peertopeerpnrp_31bf3856ad364e35_6.0.6000.16386_none_cb66ef3adde6f56b\pnrpnsp(5052).dll
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\amd64_microsoft-windows-propsys_31bf3856ad364e35_6.0.6000.16386_none_5c454044e9e118c8\propsys(5084).dll
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\amd64_microsoft-windows-r..neenforcementclient_31bf3856ad364e35_6.0.6000.16386_none_97b56d93135ca152\rasqec(5158).dll
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\amd64_microsoft-windows-rasapi_31bf3856ad364e35_6.0.6000.16386_none_c71f58f20af792de\rasapi32(5138).dll
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\amd64_microsoft-windows-rasautodial_31bf3856ad364e35_6.0.6000.16386_none_69c1d83e20c57fc5\rasadhlp(5137).dll
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\amd64_microsoft-windows-rasbase_31bf3856ad364e35_6.0.6000.16518_none_6815f53d35a70ee0\kmddsp(4131).tsp
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\amd64_microsoft-windows-rasbase_31bf3856ad364e35_6.0.6000.16518_none_6815f53d35a70ee0\ndptsp(4762).tsp
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\amd64_microsoft-windows-raschap_31bf3856ad364e35_6.0.6000.16386_none_6ca6dc8d32bed748\raschap(5142).dll
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\amd64_microsoft-windows-rasdlg.resources_31bf3856ad364e35_6.0.6000.16386_en-us_0ff60ba603752e20\rasdlg.dll(3737).mui
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\amd64_microsoft-windows-rasdlg_31bf3856ad364e35_6.0.6000.16386_none_c6fb15960b134e13\rasdlg(5147).dll
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\amd64_microsoft-windows-rasmanservice_31bf3856ad364e35_6.0.6000.16386_none_f8a56fc95c1ae3bb\rasmans(5151).dll
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\amd64_microsoft-windows-rasppp_31bf3856ad364e35_6.0.6000.16386_none_c67c8aa60b71e964\rasppp(5157).dll
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\amd64_microsoft-windows-rasrtutils_31bf3856ad364e35_6.0.6000.16386_none_66fd6d98a5ecefff\rtutils(5283).dll
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\amd64_microsoft-windows-rastapi_31bf3856ad364e35_6.0.6000.16386_none_68cc03e1354f61a6\rastapi(5160).dll
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\amd64_microsoft-windows-rasman_31bf3856ad364e35_6.0.6000.16386_none_c68e23a40b66e636\rasman(5150).dll
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\amd64_microsoft-windows-rasplap_31bf3856ad364e35_6.0.6000.16386_none_6c1e4eb93324a7e1\rasplap(5156).dll
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\amd64_microsoft-windows-rastls_31bf3856ad364e35_6.0.6000.16386_none_c64d05760b9640af\rastls(5161).dll
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\amd64_microsoft-windows-rpc-local_31bf3856ad364e35_6.0.6000.16525_none_0e225ba90056e912\rpcrt4(5273).dll
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\amd64_microsoft-windows-rsaenh-dll_31bf3856ad364e35_6.0.6000.16386_none_b9aee94f6cb6d936\rsaenh(5276).dll
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\amd64_microsoft-windows-s..cardsubsystemclient_31bf3856ad364e35_6.0.6000.16386_none_72cc53cb350b98e1\WinSCard(6015).dll
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\amd64_microsoft-windows-s..configurationengine_31bf3856ad364e35_6.0.6000.16386_none_130cbd3b440d0ab3\scesrv(5301).dll
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\amd64_microsoft-windows-s..icensing-slc-client_31bf3856ad364e35_6.0.6000.16509_none_1f60b881611c2311\SLC(5374).dll
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\amd64_microsoft-windows-s..entication-usermode_31bf3856ad364e35_6.0.6000.16386_none_94099cbb2fc6cc80\authz(2806).dll
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\amd64_microsoft-windows-s..entication-usermode_31bf3856ad364e35_6.0.6000.16386_none_94099cbb2fc6cc80\ntmarta(4915).dll
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6000.16386_none_294799ef88bb616c\services(5332).exe
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\amd64_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6000.16386_none_91f5bbe3948dcf74\scecli(5300).dll
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\amd64_microsoft-windows-secondarylogonservice_31bf3856ad364e35_6.0.6000.16386_none_464c38b35709272e\seclogon(5321).dll
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\amd64_microsoft-windows-security-digest_31bf3856ad364e35_6.0.6000.16386_none_94b5249f3827742b\wdigest(5948).dll
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\amd64_microsoft-windows-security-kerberos_31bf3856ad364e35_6.0.6000.16386_none_40beb6b36c3ff05a\kerberos(4127).dll
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\amd64_microsoft-windows-security-ntlm_31bf3856ad364e35_6.0.6000.16386_none_d69ac65b1dfd237a\msv1_0(4712).dll
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\amd64_microsoft-windows-security-schannel_31bf3856ad364e35_6.0.6000.16508_none_7c56a85610728497\schannel(5302).dll
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\amd64_microsoft-windows-sfc_31bf3856ad364e35_6.0.6000.16386_none_011d9cd417a405da\sfc_os(5352).dll
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\amd64_microsoft-windows-shell-comctl32-v5_31bf3856ad364e35_6.0.6000.16386_none_9383f8889369e3dc\comctl32(2936).dll
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\amd64_microsoft-windows-security-credssp_31bf3856ad364e35_6.0.6000.16386_none_1da00af75d026533\credssp(2955).dll
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\amd64_microsoft-windows-security-credssp_31bf3856ad364e35_6.0.6000.16386_none_1da00af75d026533\TSpkg(5618).dll
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\amd64_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6000.16386_none_579f90caf36c48b9\netlogon(4777).dll
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\amd64_microsoft-windows-sens-client_31bf3856ad364e35_6.0.6000.16386_none_5b2a884e78939c87\SensApi(5330).dll
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\amd64_microsoft-windows-shell32_31bf3856ad364e35_6.0.6000.16513_none_c659b6c7cd3838d3\shell32(5356).dll
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\amd64_microsoft-windows-shfolder_31bf3856ad364e35_6.0.6000.16386_none_49054794da86fccf\shfolder(5357).dll
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\amd64_microsoft-windows-shlwapi_31bf3856ad364e35_6.0.6000.16386_none_53c18b8c60214bac\shlwapi(5361).dll
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\amd64_microsoft-windows-shsvcs_31bf3856ad364e35_6.0.6000.16386_none_271836b1d85ff744\shsvcs(5365).dll
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\amd64_microsoft-windows-smss_31bf3856ad364e35_6.0.6000.16386_none_06228184d4a4001c\smss(5396).exe
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\amd64_microsoft-windows-sxs_31bf3856ad364e35_6.0.6000.16386_none_083475a413161b9c\sxs(5537).dll
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\amd64_microsoft-windows-spp-main_31bf3856ad364e35_6.0.6000.16386_none_3e2ed049684f306f\spp(5495).dll
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\amd64_microsoft-windows-setupapi.resources_31bf3856ad364e35_6.0.6000.16600_en-us_c4992a30329917d1\setupapi.dll(3757).mui
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\amd64_microsoft-windows-systemrestore-main_31bf3856ad364e35_6.0.6000.16386_none_a0c7a96f6eb15e8b\srcore(5511).dll
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\amd64_microsoft-windows-t..-platform-libraries_31bf3856ad364e35_6.0.6000.16386_none_4458c46d56c08b74\IPHLPAPI(4092).DLL
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\amd64_microsoft-windows-t..icesframework-msctf_31bf3856ad364e35_6.0.6000.16386_none_cfab89a1aa3779fb\msctf(4635).dll
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\amd64_microsoft-windows-t..inalservices-drprov_31bf3856ad364e35_6.0.6000.16386_none_27c0a102d4b55470\drprov(3489).dll
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\amd64_microsoft-windows-t..localsessionmanager_31bf3856ad364e35_6.0.6000.16386_none_ff2ca648c5fd0fef\lsm(4279).exe
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\amd64_microsoft-windows-t..nalservices-drivers_31bf3856ad364e35_6.0.6000.16386_none_ab37f1cdb1ecaa70\icaapi(3982).dll
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\amd64_microsoft-windows-t..nalservices-drivers_31bf3856ad364e35_6.0.6001.17052_none_ad3abb89aefe6006\icaapi(3982).dll
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\amd64_microsoft-windows-t..nalservices-runtime_31bf3856ad364e35_6.0.6000.16386_none_36c7c8ec8773465d\winsta(6020).dll
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\amd64_microsoft-windows-t..onmanager.resources_31bf3856ad364e35_6.0.6000.16386_en-us_3679a75df848f3de\lsm.exe(3666).mui
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\amd64_microsoft-windows-t..teconnectionmanager_31bf3856ad364e35_6.0.6000.16386_none_e8871b500fb677c4\termsrv(5586).dll
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\amd64_microsoft-windows-tabletpc-softkeyboard_31bf3856ad364e35_6.0.6001.18000_none_2dd04b7e09ba436b\BASEAL~1.XML
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\amd64_microsoft-windows-tapiservice_31bf3856ad364e35_6.0.6000.16386_none_3d24b263a064f8e1\tapisrv(5564).dll
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\amd64_microsoft-windows-taskscheduler-client_31bf3856ad364e35_6.0.6000.16386_none_9de2219c59c241f2\taskschd(5574).dll
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\amd64_microsoft-windows-time-service_31bf3856ad364e35_6.0.6000.16386_none_e28f3d3728bd0591\w32time(5690).dll
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\amd64_microsoft-windows-transactionmanagerapi_31bf3856ad364e35_6.0.6000.16386_none_b0bf29938f6a7bff\ktmw32(4145).dll
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\amd64_microsoft-windows-unimodem-core-tsp_31bf3856ad364e35_6.0.6000.16386_none_07c1cbb28b0962fa\unimdm(5645).tsp
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\amd64_microsoft-windows-unimodem-core_31bf3856ad364e35_6.0.6000.16386_none_ee800c5390004fcc\uniplat(5646).dll
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\amd64_microsoft-windows-upnpcontrolpoint_31bf3856ad364e35_6.0.6000.16386_none_8cb747cbec339274\upnp(5650).dll
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\amd64_microsoft-windows-user32.resources_31bf3856ad364e35_6.0.6000.16386_en-us_97e5d151e68f9a6f\user32.dll(3799).mui
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\amd64_microsoft-windows-user32_31bf3856ad364e35_6.0.6000.16438_none_275857df28a483b4\user32(5658).dll
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\amd64_microsoft-windows-userenv_31bf3856ad364e35_6.0.6000.16386_none_ea2843fb06b53a04\userenv(5660).dll
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\amd64_microsoft-windows-usermodensi_31bf3856ad364e35_6.0.6000.16386_none_cc49fc6782e64104\nsi(4909).dll
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\amd64_microsoft-windows-usermodensi_31bf3856ad364e35_6.0.6000.16386_none_cc49fc6782e64104\nsisvc(4910).dll
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\amd64_microsoft-windows-usermodensi_31bf3856ad364e35_6.0.6000.16386_none_cc49fc6782e64104\winnsi(6002).dll
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\amd64_microsoft-windows-userpowermanagement_31bf3856ad364e35_6.0.6000.16386_none_fd0177e8b84abfd3\powrprof(5063).dll
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\amd64_microsoft-windows-usp_31bf3856ad364e35_6.0.6000.16386_none_06e2529613eec090\usp10(5662).dll
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\amd64_microsoft-windows-uxtheme_31bf3856ad364e35_6.0.6000.16386_none_ffcc745bc201fb74\uxtheme(5667).dll
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\amd64_microsoft-windows-version_31bf3856ad364e35_6.0.6000.16386_none_6ee628b70c581c56\version(5680).dll
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\amd64_microsoft-windows-vssapi.resources_31bf3856ad364e35_6.0.6000.16386_en-us_3f77ef288ea6d705\vsstrace.dll(3803).mui
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\amd64_microsoft-windows-vssapi_31bf3856ad364e35_6.0.6000.16386_none_2eceb7d83d340bb0\vssapi(5687).dll
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\amd64_microsoft-windows-vssapi_31bf3856ad364e35_6.0.6000.16386_none_2eceb7d83d340bb0\vsstrace(5688).dll
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\amd64_microsoft-windows-vssproxystub_31bf3856ad364e35_6.0.6000.16386_none_8aa3f9e1e563bf54\vss_ps(5685).dll
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\amd64_microsoft-windows-w..-infrastructure-bsp_31bf3856ad364e35_6.0.6000.16386_none_123b308de8be1ef0\mswsock(4719).dll
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\amd64_microsoft-windows-w..nfrastructure-ws232_31bf3856ad364e35_6.0.6000.16386_none_4c9f8a4a89c86626\ws2_32(6093).dll
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\amd64_microsoft-windows-webdavredir-davclient_31bf3856ad364e35_6.0.6000.16386_none_edb542c70db19ae6\davclnt(3125).dll
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\amd64_microsoft-windows-windowscodec_31bf3856ad364e35_6.0.6000.16493_none_f05bc21e5c9b4b70\WindowsCodecs(5989).dll
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\amd64_microsoft-windows-wininit_31bf3856ad364e35_6.0.6000.16386_none_8ada9256bfc30704\wininit(5996).exe
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\amd64_microsoft-windows-winlogon_31bf3856ad364e35_6.0.6000.16386_none_c9aada9e9063dc57\winlogon(6000).exe
Status: Locked to the Windows API!
Path: C:\Windows\winsProcesses
-------------------
Path: System
PID: 4 Status: Locked to the Windows API!
Path: D:\Windows\System32\audiodg.exe
PID: 1376 Status: Locked to the Windows API!
Stealth Objects
-------------------
Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System Address: 0x864f01f8 Size: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLOSE]
Process: System Address: 0x864f01f8 Size: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
Process: System Address: 0x864f01f8 Size: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_WRITE]
Process: System Address: 0x864f01f8 Size: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x864f01f8 Size: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x864f01f8 Size: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_EA]
Process: System Address: 0x864f01f8 Size: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_EA]
Process: System Address: 0x864f01f8 Size: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x864f01f8 Size: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x864f01f8 Size: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x864f01f8 Size: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x864f01f8 Size: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x864f01f8 Size: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x864f01f8 Size: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_SHUTDOWN]
Process: System Address: 0x864f01f8 Size: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x864f01f8 Size: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLEANUP]
Process: System Address: 0x864f01f8 Size: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x864f01f8 Size: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_SECURITY]
Process: System Address: 0x864f01f8 Size: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x864f01f8 Size: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_QUOTA]
Process: System Address: 0x864f01f8 Size: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_PNP]
Process: System Address: 0x864f01f8 Size: 121
Object: Hidden Code [Driver: cdrom衢, IRP_MJ_CREATE]
Process: System Address: 0x886421f8 Size: 121
Object: Hidden Code [Driver: cdrom衢, IRP_MJ_CLOSE]
Process: System Address: 0x886421f8 Size: 121
Object: Hidden Code [Driver: cdrom衢, IRP_MJ_READ]
Process: System Address: 0x886421f8 Size: 121
Object: Hidden Code [Driver: cdrom衢, IRP_MJ_WRITE]
Process: System Address: 0x886421f8 Size: 121
Object: Hidden Code [Driver: cdrom衢, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x886421f8 Size: 121
Object: Hidden Code [Driver: cdrom衢, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x886421f8 Size: 121
Object: Hidden Code [Driver: cdrom衢, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x886421f8 Size: 121
Object: Hidden Code [Driver: cdrom衢, IRP_MJ_SHUTDOWN]
Process: System Address: 0x886421f8 Size: 121
Object: Hidden Code [Driver: cdrom衢, IRP_MJ_POWER]
Process: System Address: 0x886421f8 Size: 121
Object: Hidden Code [Driver: cdrom衢, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x886421f8 Size: 121
Object: Hidden Code [Driver: cdrom衢, IRP_MJ_PNP]
Process: System Address: 0x886421f8 Size: 121
Object: Hidden Code [Driver: usbohci, IRP_MJ_CREATE]
Process: System Address: 0x8862c1f8 Size: 121
Object: Hidden Code [Driver: usbohci, IRP_MJ_CLOSE]
Process: System Address: 0x8862c1f8 Size: 121
Object: Hidden Code [Driver: usbohci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8862c1f8 Size: 121
Object: Hidden Code [Driver: usbohci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8862c1f8 Size: 121
Object: Hidden Code [Driver: usbohci, IRP_MJ_POWER]
Process: System Address: 0x8862c1f8 Size: 121
Object: Hidden Code [Driver: usbohci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8862c1f8 Size: 121
Object: Hidden Code [Driver: usbohci, IRP_MJ_PNP]
Process: System Address: 0x8862c1f8 Size: 121
Object: Hidden Code [Driver: Smb, IRP_MJ_CREATE]
Process: System Address: 0x96c441f8 Size: 121
Object: Hidden Code [Driver: Smb, IRP_MJ_CLOSE]
Process: System Address: 0x96c441f8 Size: 121
Object: Hidden Code [Driver: Smb, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x96c441f8 Size: 121
Object: Hidden Code [Driver: Smb, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x96c441f8 Size: 121
Object: Hidden Code [Driver: Smb, IRP_MJ_CLEANUP]
Process: System Address: 0x96c441f8 Size: 121
Object: Hidden Code [Driver: Smb, IRP_MJ_PNP]
Process: System Address: 0x96c441f8 Size: 121
Object: Hidden Code [Driver: netbt豔Ѕ晗䡰魨衔虉펜ݮ, IRP_MJ_CREATE]
Process: System Address: 0x9758a500 Size: 121
Object: Hidden Code [Driver: netbt豔Ѕ晗䡰魨衔虉펜ݮ, IRP_MJ_CLOSE]
Process: System Address: 0x9758a500 Size: 121
Object: Hidden Code [Driver: netbt豔Ѕ晗䡰魨衔虉펜ݮ, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x9758a500 Size: 121
Object: Hidden Code [Driver: netbt豔Ѕ晗䡰魨衔虉펜ݮ, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x9758a500 Size: 121
Object: Hidden Code [Driver: netbt豔Ѕ晗䡰魨衔虉펜ݮ, IRP_MJ_CLEANUP]
Process: System Address: 0x9758a500 Size: 121
Object: Hidden Code [Driver: netbt豔Ѕ晗䡰魨衔虉펜ݮ, IRP_MJ_PNP]
Process: System Address: 0x9758a500 Size: 121
Object: Hidden Code [Driver: iScsiPrtІ癅, IRP_MJ_CREATE]
Process: System Address: 0x886551f8 Size: 121
Object: Hidden Code [Driver: iScsiPrtІ癅, IRP_MJ_CLOSE]
Process: System Address: 0x886551f8 Size: 121
Object: Hidden Code [Driver: iScsiPrtІ癅, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x886551f8 Size: 121
Object: Hidden Code [Driver: iScsiPrtІ癅, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x886551f8 Size: 121
Object: Hidden Code [Driver: iScsiPrtІ癅, IRP_MJ_POWER]
Process: System Address: 0x886551f8 Size: 121
Object: Hidden Code [Driver: iScsiPrtІ癅, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x886551f8 Size: 121
Object: Hidden Code [Driver: iScsiPrtІ癅, IRP_MJ_PNP]
Process: System Address: 0x886551f8 Size: 121
Object: Hidden Code [Driver: volmgr, IRP_MJ_CREATE]
Process: System Address: 0x864eb1f8 Size: 121
Object: Hidden Code [Driver: volmgr, IRP_MJ_READ]
Process: System Address: 0x864eb1f8 Size: 121
Object: Hidden Code [Driver: volmgr, IRP_MJ_WRITE]
Process: System Address: 0x864eb1f8 Size: 121
Object: Hidden Code [Driver: volmgr, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x864eb1f8 Size: 121
Object: Hidden Code [Driver: volmgr, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x864eb1f8 Size: 121
Object: Hidden Code [Driver: volmgr, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x864eb1f8 Size: 121
Object: Hidden Code [Driver: volmgr, IRP_MJ_SHUTDOWN]
Process: System Address: 0x864eb1f8 Size: 121
Object: Hidden Code [Driver: volmgr, IRP_MJ_CLEANUP]
Process: System Address: 0x864eb1f8 Size: 121
Object: Hidden Code [Driver: volmgr, IRP_MJ_POWER]
Process: System Address: 0x864eb1f8 Size: 121
Object: Hidden Code [Driver: volmgr, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x864eb1f8 Size: 121
Object: Hidden Code [Driver: volmgr, IRP_MJ_PNP]
Process: System Address: 0x864eb1f8 Size: 121
Object: Hidden Code [Driver: nvstor32, IRP_MJ_CREATE]
Process: System Address: 0x864ee1f8 Size: 121
Object: Hidden Code [Driver: nvstor32, IRP_MJ_CLOSE]
Process: System Address: 0x864ee1f8 Size: 121
Object: Hidden Code [Driver: nvstor32, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x864ee1f8 Size: 121
Object: Hidden Code [Driver: nvstor32, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x864ee1f8 Size: 121
Object: Hidden Code [Driver: nvstor32, IRP_MJ_POWER]
Process: System Address: 0x864ee1f8 Size: 121
Object: Hidden Code [Driver: nvstor32, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x864ee1f8 Size: 121
Object: Hidden Code [Driver: nvstor32, IRP_MJ_PNP]
Process: System Address: 0x864ee1f8 Size: 121
Object: Hidden Code [Driver: aimka91e䑎楷쎠薴ൠ螾Ї慖藨, IRP_MJ_CREATE]
Process: System Address: 0x8863c1f8 Size: 121
Object: Hidden Code [Driver: aimka91e䑎楷쎠薴ൠ螾Ї慖藨, IRP_MJ_CLOSE]
Process: System Address: 0x8863c1f8 Size: 121
Object: Hidden Code [Driver: aimka91e䑎楷쎠薴ൠ螾Ї慖藨, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8863c1f8 Size: 121
Object: Hidden Code [Driver: aimka91e䑎楷쎠薴ൠ螾Ї慖藨, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8863c1f8 Size: 121
Object: Hidden Code [Driver: aimka91e䑎楷쎠薴ൠ螾Ї慖藨, IRP_MJ_POWER]
Process: System Address: 0x8863c1f8 Size: 121
Object: Hidden Code [Driver: aimka91e䑎楷쎠薴ൠ螾Ї慖藨, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8863c1f8 Size: 121
Object: Hidden Code [Driver: aimka91e䑎楷쎠薴ൠ螾Ї慖藨, IRP_MJ_PNP]
Process: System Address: 0x8863c1f8 Size: 121
Object: Hidden Code [Driver: usbehci, IRP_MJ_CREATE]
Process: System Address: 0x886431f8 Size: 121
Object: Hidden Code [Driver: usbehci, IRP_MJ_CLOSE]
Process: System Address: 0x886431f8 Size: 121
Object: Hidden Code [Driver: usbehci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x886431f8 Size: 121
Object: Hidden Code [Driver: usbehci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x886431f8 Size: 121
Object: Hidden Code [Driver: usbehci, IRP_MJ_POWER]
Process: System Address: 0x886431f8 Size: 121
Object: Hidden Code [Driver: usbehci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x886431f8 Size: 121
Object: Hidden Code [Driver: usbehci, IRP_MJ_PNP]
Process: System Address: 0x886431f8 Size: 121
Object: Hidden Code [Driver: sbp2port, IRP_MJ_CREATE]
Process: System Address: 0x864f11f8 Size: 121
Object: Hidden Code [Driver: sbp2port, IRP_MJ_CLOSE]
Process: System Address: 0x864f11f8 Size: 121
Object: Hidden Code [Driver: sbp2port, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x864f11f8 Size: 121
Object: Hidden Code [Driver: sbp2port, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x864f11f8 Size: 121
Object: Hidden Code [Driver: sbp2port, IRP_MJ_POWER]
Process: System Address: 0x864f11f8 Size: 121
Object: Hidden Code [Driver: sbp2port, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x864f11f8 Size: 121
Object: Hidden Code [Driver: sbp2port, IRP_MJ_PNP]
Process: System Address: 0x864f11f8 Size: 121
Object: Hidden Code [Driver: nvstor, IRP_MJ_CREATE]
Process: System Address: 0x864ed1f8 Size: 121
Object: Hidden Code [Driver: nvstor, IRP_MJ_CLOSE]
Process: System Address: 0x864ed1f8 Size: 121
Object: Hidden Code [Driver: nvstor, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x864ed1f8 Size: 121
Object: Hidden Code [Driver: nvstor, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x864ed1f8 Size: 121
Object: Hidden Code [Driver: nvstor, IRP_MJ_POWER]
Process: System Address: 0x864ed1f8 Size: 121
Object: Hidden Code [Driver: nvstor, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x864ed1f8 Size: 121
Object: Hidden Code [Driver: nvstor, IRP_MJ_PNP]
Process: System Address: 0x864ed1f8 Size: 121
Object: Hidden Code [Driver: mrxsmb潉Ї慖㐙ꗳረꗵⷠꗦ尀峱ܠ, IRP_MJ_CREATE]
Process: System Address: 0x97da61f8 Size: 121
Object: Hidden Code [Driver: mrxsmb潉Ї慖㐙ꗳረꗵⷠꗦ尀峱ܠ, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x97da61f8 Size: 121
Object: Hidden Code [Driver: mrxsmb潉Ї慖㐙ꗳረꗵⷠꗦ尀峱ܠ, IRP_MJ_CLOSE]
Process: System Address: 0x97da61f8 Size: 121
Object: Hidden Code [Driver: mrxsmb潉Ї慖㐙ꗳረꗵⷠꗦ尀峱ܠ, IRP_MJ_READ]
Process: System Address: 0x97da61f8 Size: 121
Object: Hidden Code [Driver: mrxsmb潉Ї慖㐙ꗳረꗵⷠꗦ尀峱ܠ, IRP_MJ_WRITE]
Process: System Address: 0x97da61f8 Size: 121
Object: Hidden Code [Driver: mrxsmb潉Ї慖㐙ꗳረꗵⷠꗦ尀峱ܠ, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x97da61f8 Size: 121
Object: Hidden Code [Driver: mrxsmb潉Ї慖㐙ꗳረꗵⷠꗦ尀峱ܠ, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x97da61f8 Size: 121
Object: Hidden Code [Driver: mrxsmb潉Ї慖㐙ꗳረꗵⷠꗦ尀峱ܠ, IRP_MJ_QUERY_EA]
Process: System Address: 0x97da61f8 Size: 121
Object: Hidden Code [Driver: mrxsmb潉Ї慖㐙ꗳረꗵⷠꗦ尀峱ܠ, IRP_MJ_SET_EA]
Process: System Address: 0x97da61f8 Size: 121
Object: Hidden Code [Driver: mrxsmb潉Ї慖㐙ꗳረꗵⷠꗦ尀峱ܠ, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x97da61f8 Size: 121
Object: Hidden Code [Driver: mrxsmb潉Ї慖㐙ꗳረꗵⷠꗦ尀峱ܠ, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x97da61f8 Size: 121
Object: Hidden Code [Driver: mrxsmb潉Ї慖㐙ꗳረꗵⷠꗦ尀峱ܠ, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x97da61f8 Size: 121
Object: Hidden Code [Driver: mrxsmb潉Ї慖㐙ꗳረꗵⷠꗦ尀峱ܠ, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x97da61f8 Size: 121
Object: Hidden Code [Driver: mrxsmb潉Ї慖㐙ꗳረꗵⷠꗦ尀峱ܠ, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x97da61f8 Size: 121
Object: Hidden Code [Driver: mrxsmb潉Ї慖㐙ꗳረꗵⷠꗦ尀峱ܠ, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x97da61f8 Size: 121
Object: Hidden Code [Driver: mrxsmb潉Ї慖㐙ꗳረꗵⷠꗦ尀峱ܠ, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x97da61f8 Size: 121
Object: Hidden Code [Driver: mrxsmb潉Ї慖㐙ꗳረꗵⷠꗦ尀峱ܠ, IRP_MJ_SHUTDOWN]
Process: System Address: 0x97da61f8 Size: 121
Object: Hidden Code [Driver: mrxsmb潉Ї慖㐙ꗳረꗵⷠꗦ尀峱ܠ, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x97da61f8 Size: 121
Object: Hidden Code [Driver: mrxsmb潉Ї慖㐙ꗳረꗵⷠꗦ尀峱ܠ, IRP_MJ_CLEANUP]
Process: System Address: 0x97da61f8 Size: 121
Object: Hidden Code [Driver: mrxsmb潉Ї慖㐙ꗳረꗵⷠꗦ尀峱ܠ, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x97da61f8 Size: 121
Object: Hidden Code [Driver: mrxsmb潉Ї慖㐙ꗳረꗵⷠꗦ尀峱ܠ, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x97da61f8 Size: 121
Object: Hidden Code [Driver: mrxsmb潉Ї慖㐙ꗳረꗵⷠꗦ尀峱ܠ, IRP_MJ_SET_SECURITY]
Process: System Address: 0x97da61f8 Size: 121
Object: Hidden Code [Driver: mrxsmb潉Ї慖㐙ꗳረꗵⷠꗦ尀峱ܠ, IRP_MJ_POWER]
Process: System Address: 0x97da61f8 Size: 121
Object: Hidden Code [Driver: mrxsmb潉Ї慖㐙ꗳረꗵⷠꗦ尀峱ܠ, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x97da61f8 Size: 121
Object: Hidden Code [Driver: mrxsmb潉Ї慖㐙ꗳረꗵⷠꗦ尀峱ܠ, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x97da61f8 Size: 121
Object: Hidden Code [Driver: mrxsmb潉Ї慖㐙ꗳረꗵⷠꗦ尀峱ܠ, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x97da61f8 Size: 121
Object: Hidden Code [Driver: mrxsmb潉Ї慖㐙ꗳረꗵⷠꗦ尀峱ܠ, IRP_MJ_SET_QUOTA]
Process: System Address: 0x97da61f8 Size: 121
Object: Hidden Code [Driver: mrxsmb潉Ї慖㐙ꗳረꗵⷠꗦ尀峱ܠ, IRP_MJ_PNP]
Process: System Address: 0x97da61f8 Size: 121
Object: Hidden Code [Driver: cdfsЬ湄摯, IRP_MJ_CREATE]
Process: System Address: 0x97da31f8 Size: 121
Object: Hidden Code [Driver: cdfsЬ湄摯, IRP_MJ_CLOSE]
Process: System Address: 0x97da31f8 Size: 121
Object: Hidden Code [Driver: cdfsЬ湄摯, IRP_MJ_READ]
Process: System Address: 0x97da31f8 Size: 121
Object: Hidden Code [Driver: cdfsЬ湄摯, IRP_MJ_WRITE]
Process: System Address: 0x97da31f8 Size: 121
Object: Hidden Code [Driver: cdfsЬ湄摯, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x97da31f8 Size: 121
Object: Hidden Code [Driver: cdfsЬ湄摯, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x97da31f8 Size: 121
Object: Hidden Code [Driver: cdfsЬ湄摯, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x97da31f8 Size: 121
Object: Hidden Code [Driver: cdfsЬ湄摯, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x97da31f8 Size: 121
Object: Hidden Code [Driver: cdfsЬ湄摯, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x97da31f8 Size: 121
Object: Hidden Code [Driver: cdfsЬ湄摯, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x97da31f8 Size: 121
Object: Hidden Code [Driver: cdfsЬ湄摯, IRP_MJ_SHUTDOWN]
Process: System Address: 0x97da31f8 Size: 121
Object: Hidden Code [Driver: cdfsЬ湄摯, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x97da31f8 Size: 121
Object: Hidden Code [Driver: cdfsЬ湄摯, IRP_MJ_CLEANUP]
Process: System Address: 0x97da31f8 Size: 121
Object: Hidden Code [Driver: cdfsЬ湄摯, IRP_MJ_PNP]
Process: System Address: 0x97da31f8 Size: 121
==EOF==
shelf life
2009-10-20, 04:32
hi,
Rootrepeal finally finsihed scanning? The good news is I dont see anything that looks like malware in the log. Gmer should also be negative for malware based on the rootrepeal log, both look for similar malware.
Philyteach
2009-10-20, 05:14
hi,
Rootrepeal finally finsihed scanning? The good news is I dont see anything that looks like malware in the log. Gmer should also be negative for malware based on the rootrepeal log, both look for similar malware.
Took it long enough, huh? Guess that's what happens with 3 terrabit plus drives! Gmer crashed to a BSOD (first one in Vista I've seen in ages) but after a reboot is running well. I'll post its log when it done, but I'm only doing my 32 bit boot drive instead of all 3 drives. I'm ecstatic that you don't see any malware in there. You have no idea how paranoid you get after credit card after credit card comes in with fraud charges in a month's period. Not sure where to go from here with my "investigation." I guess I'll just have to chalk it up to "shit happens."
Thanks again for your help.
Ken
Philyteach
2009-10-20, 13:27
GMER 1.0.15.15163 - http://www.gmer.net
Rootkit scan 2009-10-20 06:26:28
Windows 6.0.6002 Service Pack 2
Running: q620ilt6.exe; Driver: D:\Users\Ken\AppData\Local\Temp\pgldqpob.sys
---- System - GMER 1.0.15 ----
INT 0x64 ? 8856ABF8
INT 0x74 ? 864E9BF8
INT 0x84 ? 864E9BF8
INT 0xB3 ? 864E9BF8
---- Kernel code sections - GMER 1.0.15 ----
? System32\Drivers\spsm.sys The system cannot find the path specified. !
.text USBPORT.SYS!DllUnload 8BB9641B 5 Bytes JMP 8856A1D8
.text ab0ixo4c.SYS 91348000 22 Bytes [82, 63, 7C, 82, 6C, 62, 7C, ...]
.text ab0ixo4c.SYS 91348017 7 Bytes [00, 32, F7, 10, 83, 3D, F5]
.text ab0ixo4c.SYS 9134801F 151 Bytes [83, E3, 51, 11, 83, EE, 52, ...]
.text ab0ixo4c.SYS 913480B7 22 Bytes [00, 00, 00, 00, 00, 00, 00, ...]
.text ab0ixo4c.SYS 913480CE 80 Bytes [00, 00, 27, 00, 00, 00, E0, ...]
.text ...
.text bridge.sys 916B2462 519 Bytes [8B, FF, 55, 8B, EC, 81, EC, ...]
---- Kernel IAT/EAT - GMER 1.0.15 ----
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [83018D92] \SystemRoot\System32\Drivers\spsm.sys
---- User IAT/EAT - GMER 1.0.15 ----
IAT D:\Windows\system32\services.exe[860] @ D:\Windows\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 000B0002
IAT D:\Windows\system32\services.exe[860] @ D:\Windows\system32\services.exe [KERNEL32.dll!CreateProcessW] 000B0000
---- Devices - GMER 1.0.15 ----
Device \FileSystem\Ntfs \Ntfs 864F01F8
AttachedDevice \FileSystem\Ntfs \Ntfs symsnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)
Device \Driver\BTHUSB \Device\0000008f bthport.sys (Bluetooth Bus Driver/Microsoft Corporation)
Device \Driver\netbt \Device\NetBT_Tcpip_{9682E726-60D3-4A0E-8221-4A316B6E7FC9} 970BA500
AttachedDevice \Driver\volsnap \Device\HarddiskVolumeShadowCopy1 symsnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)
AttachedDevice \Driver\volsnap \Device\HarddiskVolumeShadowCopy2 symsnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)
AttachedDevice \Driver\volsnap \Device\HarddiskVolumeShadowCopy3 symsnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)
Device \FileSystem\cdfs \Cdfs 885A21F8
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001bdc00202f
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001bdc00202f@0022a5c1c47a 0x31 0x00 0x66 0xD3 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001bdc00202f@00214ff62b28 0x30 0xE2 0x42 0x5D ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x94 0x35 0x1A 0x33 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 D:\Program Files\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0xA4 0xAE 0x61 0x4A ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x41 0x64 0xCE 0x14 ...
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\001bdc00202f (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\001bdc00202f@0022a5c1c47a 0x31 0x00 0x66 0xD3 ...
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\001bdc00202f@00214ff62b28 0x30 0xE2 0x42 0x5D ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x94 0x35 0x1A 0x33 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 D:\Program Files\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0xA4 0xAE 0x61 0x4A ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x41 0x64 0xCE 0x14 ...
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00002109030000000000000000F01FEC\Usage@OUTLOOKFiles 995297213
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00002109030000000000000000F01FEC\Usage@ProductFiles 995297528
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00002109030000000000000000F01FEC\Usage@EXCELFiles 995296483
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00002109030000000000000000F01FEC\Usage@WORDFiles 995297149
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00002109030000000000000000F01FEC\Usage@WORDSharedFiles 995295278
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\000021091A0090400000000000F01FEC\Usage@OneNoteFilesIntl_1033 995295541
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\000021092B0090400000000000F01FEC\Usage@MsoExportPdf 995296440
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\000021092B0090400000000000F01FEC\Usage@MsoExportXps 995300572
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00002109620000000000000000F01FEC\Usage@ProductNonBootFiles 995295649
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00002109A10090400000000000F01FEC\Usage@OutlookMAPI2Intl_1033 995353087
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00002109A10090400000000000F01FEC\Usage@OUTLOOKFilesIntl_1033 995295488
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00002109B10090400000000000F01FEC\Usage@WORDHelpFilesIntl_1033 995295993
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00002109F10090400000000000F01FEC\Usage@SpellingAndGrammarFiles_1033 995297739
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00002109F100A0C00000000000F01FEC\Usage@SpellingAndGrammarFiles_3082 995296771
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00002109F100A0C00000000000F01FEC\Usage@TranslationFiles_3082 995300872
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00002109F100C0400000000000F01FEC\Usage@SpellingAndGrammarFiles_1036 995296255
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00002109F100C0400000000000F01FEC\Usage@TranslationFiles_1036 995297487
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\68AB67CA330100007706000000000030\Usage@PDFMakerForOutlook 995295412
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\68AB67CA330100007706000000000030\Usage@PDFMaker 995296433
Reg HKLM\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex@NewCrawlNumber 423
Reg HKLM\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\StartPages\12@CrawlNumberScheduled -1
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ D:\Windows\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@cd042efbbd7f7af1647644e76e06692b 0xE2 0x63 0x26 0xF1 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ D:\Windows\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@bca643cdc5c2726b20d2ecedcc62c59b 0x6A 0x9C 0xD6 0x61 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ D:\Windows\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@2c81e34222e8052573023a60d06dd016 0x25 0xDA 0xEC 0x7E ...
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ D:\Windows\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@2582ae41fb52324423be06337561aa48 0x3E 0x1E 0x9E 0xE0 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ D:\Windows\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@caaeda5fd7a9ed7697d9686d4b818472 0xCD 0x44 0xCD 0xB9 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ D:\Windows\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@a4a1bcf2cc2b8bc3716b74b2b4522f5d 0xDF 0x20 0x58 0x62 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ D:\Windows\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@4d370831d2c43cd13623e232fed27b7b 0x31 0x77 0xE1 0xBA ...
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ D:\Windows\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@1d68fe701cdea33e477eb204b76f993d 0x83 0x6C 0x56 0x8B ...
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ D:\Windows\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@1fac81b91d8e3c5aa4b0a51804d844a3 0x51 0xFA 0x6E 0x91 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ D:\Windows\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@f5f62a6129303efb32fbe080bb27835b 0xB1 0xCD 0x45 0x5A ...
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ D:\Windows\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@fd4e2e1a3940b94dceb5a6a021f2e3c6 0xE3 0x0E 0x66 0xD5 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ D:\Windows\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@8a8aec57dd6508a385616fbc86791ec2 0x6C 0x43 0x2D 0x1E ...
---- EOF - GMER 1.0.15 ----
shelf life
2009-10-21, 00:36
that all looks ok. you said drive(s). did you have malwarebytes and your Antivirus scan all your drives? some malware can spread to other drives, worth a check while your doing all the scanning.
you are aware of fraudulent e-mails containing links that look just like a banks web page log in?
Philyteach
2009-10-21, 04:46
that all looks ok. you said drive(s). did you have malwarebytes and your Antivirus scan all your drives? some malware can spread to other drives, worth a check while your doing all the scanning.
you are aware of fraudulent e-mails containing links that look just like a banks web page log in?
I have 3 TB drives. C is my 64 bit Vista, D is 32 bit Vista and G is storage. All drives are checked by AV, malwarebytes and SBS&D. AV for 32 bit system is AVG, 64 bit system uses Mcafee. All say clean.
I'm aware of the bank and paypal email scams. I check the actual URL of each link, not just the html tag, before clicking anything. Even better, none of my credit cards or banks ever send a link to the login page. So if there's a link to login I know straight away its phishing.
shelf life
2009-10-21, 22:23
hi,
Well the good news is I dont see any malware on your computer based on the scans. Must have happened another way. you can delete the DDS icon and the rootrepeal icon from your desktop.
If all is good on your end, some tips for you to help you stay malware free;
10 Tips for Reducing/Preventing Your Risk To Malware:
Simply knowing what constitutes a safe action on a computer and what may not will help you tremendously.
1) It is essential to keep your OS (http://update.microsoft.com/microsoftupdate/v6/default.aspx?ln=en-us),(Windows) browser (IE, FireFox) and other software up to date to "patch" vulnerabilities that could be exploited. Visit Windows Update frequently or use the auto-update feature. Staying updated is also necessary for web based applications like Java, Adobe Flash/Reader, QuickTime etc. Check there version status here. (http://secunia.com/vulnerability_scanning/online/)
2) Know what you are installing to your computer. Alot of software can come bundled with unwanted add-ons, like adware, toolbars and malware. Do not install any files from ads, popups or random links. Do not fall for fake warnings about virus and trojans being found on your computer and your then prompted to install software to remedy this. See also the signs (http://www.virusvault.us/signs1.html)that you may have malware on your computer.
3) Install and keep updated: one antivirus and two or three anti-malware applications. If not updated they will soon be worthless. If you frequently have malware then you should review your computer habits.
4) Refrain from clicking on links or attachments via E-Mail, IM, IRC, Chat Rooms, Blogs or Social Networking Sites, no matter how tempting or legitimate the message may seem.
5) Don't click on ads/pop ups or offers from websites requesting that you need to install software, media players or codecs to your computer--for any reason.
6) Don't click on offers to "scan" your computer. Install ActiveX Objects with care. Do you trust the website?
7) Set up and use limited (non-privileged) accounts for everyday use, rather than administrator accounts. Limited accounts (http://www.microsoft.com/protect/computer/advanced/useraccount.mspx) can help prevent *malware from installing and lessen its potential impact.*
8) Install and understand the limitations of a software firewall.
9) A tool (http://nsslabs.com/general/ie8-hardening-tool.html)for automatically hardening and securing Internet Explorer 8.0. Requires site registration for downloading. Changes some of the default settings of IE 8.0 Read the FAQ's.
10) Warez, cracks etc are very popular for carrying malware payloads. Avoid. If you install files via p2p (http://www.virusvault.us/p2p.html) networks then you are much more likely to encounter malicious code. Do you trust the source of the file? Do you really need another malware source?
A longer version in link below.
Happy Safe Surfing.