click.giftload and bluescreens
randman111
2011-04-27, 05:10
Hi. Like many others, my computer has been infected with click.giftload and the "microsoft.windowssecuritycenter_disabled" problem. I found both after running SSD, but whenever I try to reboot, I always encounter a bluescreen (either an IRQL or an Internal Power Supply BSOD). The only time I didn't encounter a bluescreen was when I tried to do a system restore, but of course I got a message saying that system restore failed. Unfortunately, neither the giftload nor the windowssecuritycenter_disabled problem has been fixed, and both are still being found by SSD.
THANK YOU IN ADVANCE FOR ALL YOUR HELP! I notice a lot of other people having similar problems, so I'm glad you guys are here.
Here is my DDS log:
DDS (Ver_11-03-05.01) - NTFSx86
Run by Owner at 21:35:32.58 on Tue 04/26/2011
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_23
Microsoft® Windows Vista™ Ultimate 6.0.6002.2.1252.1.1033.18.3326.2258 [GMT -4:00]
.
AV: Norton Internet Security *Disabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Norton Internet Security *Disabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
FW: Norton Internet Security *Disabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\AEADISRV.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Program Files\Norton Internet Security\Engine\18.5.0.125\ccSvcHst.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Microsoft\BingBar\SeaPort.EXE
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k HPService
C:\Program Files\Norton Internet Security\Engine\18.5.0.125\ccSvcHst.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Analog Devices\SoundMAX\SoundTray.exe
C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
C:\Program Files\Nero\Nero 7\InCD\InCD.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Razer\Reclusa\razerhid.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\HP\HP Software Update\hpwuschd2.exe
C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Razer\Reclusa\razertra.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Users\Owner\Desktop\dds.scr
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\engine\18.5.0.125\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\engine\18.5.0.125\ips\IPSBHO.DLL
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "c:\program files\microsoft\bingbar\BingExt.dll"
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\engine\18.5.0.125\coIEPlg.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "c:\program files\microsoft\bingbar\BingExt.dll"
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
mRun: [SoundTray] c:\program files\analog devices\soundmax\SoundTray.exe
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [SecurDisc] c:\program files\nero\nero 7\incd\NBHGui.exe
mRun: [InCD] c:\program files\nero\nero 7\incd\InCD.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [Reclusa] c:\program files\razer\reclusa\razerhid.exe
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [RemoteControl8] "c:\program files\cyberlink\powerdvd8\PDVD8Serv.exe"
mRun: [PDVD8LanguageShortcut] "c:\program files\cyberlink\powerdvd8\language\Language.exe"
mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe"
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe"
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\logitech webcam software\LWS.exe" /hide
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
Trusted Zone: mysoros.com\www
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: {8A922AEB-17B1-46BA-A1D3-07A38C9F344A} = 8.8.8.8,8.8.4.4
TCP: {E2A39950-BE22-4D80-B17B-2487235659E2} = 8.8.8.8,8.8.4.4
Handler: intu-help-qb1 - {9B0F96C7-2E4B-433e-ABF3-043BA1B54AE3} - c:\program files\intuit\quickbooks 2008\HelpAsyncPluggableProtocol.dll
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\owner\appdata\roaming\mozilla\firefox\profiles\13mzop8p.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60129.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npicaN.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - plugin: c:\users\owner\appdata\local\google\update\1.2.183.39\npGoogleOneClick8.dll
.
---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
.
============= SERVICES / DRIVERS ===============
.
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nis\1205000.07d\symds.sys [2010-12-9 340016]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1205000.07d\symefa.sys [2010-12-9 652336]
R1 BHDrvx86;BHDrvx86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.1.0.37\definitions\bashdefs\20110419.001\BHDrvx86.sys [2011-4-19 802936]
R1 IDSVix86;IDSVix86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.1.0.37\definitions\ipsdefs\20110425.001\IDSvix86.sys [2011-4-25 353912]
R1 NEOFLTR_650_14951;Juniper Networks TDI Filter Driver (NEOFLTR_650_14951);c:\windows\system32\drivers\NEOFLTR_650_14951.SYS [2010-6-30 85288]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nis\1205000.07d\ironx86.sys [2010-12-9 136312]
R1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\system32\drivers\nis\1205000.07d\symtdiv.sys [2010-12-9 330360]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
R2 NIS;Norton Internet Security;c:\program files\norton internet security\engine\18.5.0.125\ccsvchst.exe [2010-12-9 130000]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-2-22 102448]
R3 RecFltr;Reclusa Keyboard;c:\windows\system32\drivers\RecFltr.sys [2008-7-25 41984]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 BBSvc;Bing Bar Update Service;c:\program files\microsoft\bingbar\BBSvc.EXE [2011-2-28 183560]
S3 netr28u;RT2870 USB Wireless LAN Card Driver for Vista;c:\windows\system32\drivers\netr28u.sys [2007-11-21 569344]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\drivers\WSDPrint.sys [2008-1-20 16896]
.
=============== Created Last 30 ================
.
2011-04-27 00:05:46 -------- d-sh--w- C:\$RECYCLE.BIN
2011-04-26 23:52:38 -------- d-----w- c:\users\owner\appdata\local\temp
2011-04-26 23:42:50 -------- d-----w- C:\ComboFix
2011-04-22 01:39:52 98816 ----a-w- c:\windows\sed.exe
2011-04-22 01:39:52 89088 ----a-w- c:\windows\MBR.exe
2011-04-22 01:39:52 256512 ----a-w- c:\windows\PEV.exe
2011-04-22 01:39:52 161792 ----a-w- c:\windows\SWREG.exe
2011-04-20 00:06:00 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-20 00:05:12 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-04-20 00:05:12 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-04-19 02:53:50 123392 --sha-r- c:\windows\system32\cryptuiw.dll
2011-04-15 20:02:43 86528 ----a-w- c:\windows\system32\dnsrslvr.dll
2011-04-15 19:52:18 6792528 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{5eaed8d6-91fa-4019-9529-a682830eb8bc}\mpengine.dll
2011-04-14 07:39:02 103864 ----a-w- c:\program files\mozilla firefox\plugins\nppdf32.dll
2011-04-14 07:39:02 103864 ----a-w- c:\program files\internet explorer\plugins\nppdf32.dll
2011-03-30 11:00:41 22872 ----a-r- c:\windows\system32\AdobePDFUI.dll
.
==================== Find3M ====================
.
2011-03-10 17:03:51 1162240 ----a-w- c:\windows\system32\mfc42u.dll
2011-03-10 17:03:51 1136640 ----a-w- c:\windows\system32\mfc42.dll
2011-03-03 15:42:03 739328 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-03 13:25:11 2041856 ----a-w- c:\windows\system32\win32k.sys
2011-02-22 14:13:01 288768 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2011-02-22 13:33:12 1068544 ----a-w- c:\windows\system32\DWrite.dll
2011-02-22 13:33:09 797696 ----a-w- c:\windows\system32\FntCache.dll
2011-02-18 21:36:58 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll
2011-02-16 16:16:37 34304 ----a-w- c:\windows\system32\atmlib.dll
2011-02-16 14:02:23 292864 ----a-w- c:\windows\system32\atmfd.dll
2011-02-12 08:39:53 191488 ----a-w- c:\windows\system32\FXSCOVER.exe
2011-02-02 22:11:20 222080 ------w- c:\windows\system32\MpSigStub.exe
.
============= FINISH: 21:38:32.02 ===============
shelf life
2011-05-01, 03:20
Hi randman111,
Looks like you already ran combofix. Post its log.
randman111
2011-05-05, 05:22
But where do I find the ComboFix log?
Thanks
randman111
2011-05-05, 05:29
I think I just found it. Thanks again.
ComboFix 11-04-25.01 - Owner 04/26/2011 19:45:56.2.4 - x86
Microsoft® Windows Vista™ Ultimate 6.0.6002.2.1252.1.1033.18.3326.1897 [GMT -4:00]
Running from: C:\Users\Owner\Desktop\ComboFix.exe
Command switches used :: /u
AV: Norton Internet Security *Disabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
FW: Norton Internet Security *Disabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
SP: Norton Internet Security *Disabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
c:\windows\system32\drivers\ytukbxys.sys
C:\Windows\TEMP\logishrd\LVPrcInj01.dll
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_wcdlb
((((((((((((((((((((((((( Files Created from 2011-03-27 to 2011-04-27 )))))))))))))))))))))))))))))))
2011-04-26 23:52:38 . 2011-04-27 00:02:36 -------- d-----w- C:\Users\Owner\AppData\Local\temp
2011-04-26 23:52:38 . 2011-04-26 23:52:38 -------- d-----w- C:\Users\Randy\AppData\Local\temp
2011-04-20 00:06:00 . 2010-12-20 22:09:00 38224 ----a-w- C:\Windows\system32\drivers\mbamswissarmy.sys
2011-04-20 00:05:12 . 2011-04-20 00:06:35 -------- d-----w- C:\Program Files\Malwarebytes' Anti-Malware
2011-04-20 00:05:12 . 2010-12-20 22:08:40 20952 ----a-w- C:\Windows\system32\drivers\mbam.sys
2011-04-19 17:32:24 . 2011-04-19 17:32:24 -------- d-----w- C:\Users\Owner\AppData\Roaming\HPAppData
2011-04-19 11:38:03 . 2011-04-19 11:38:03 -------- d-----w- C:\Users\Default\AppData\Roaming\Apple Computer
2011-04-19 11:38:03 . 2011-04-19 11:38:03 -------- d-----w- C:\Users\Default\AppData\Local\Apple Computer
2011-04-19 02:53:50 . 2011-04-19 02:53:53 123392 --sha-r- C:\Windows\system32\cryptuiw.dll
2011-04-15 20:02:43 . 2011-03-02 15:44:27 86528 ----a-w- C:\Windows\system32\dnsrslvr.dll
2011-04-15 19:52:18 . 2011-03-15 04:05:43 6792528 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{5EAED8D6-91FA-4019-9529-A682830EB8BC}\mpengine.dll
2011-04-14 07:39:02 . 2011-04-14 07:39:02 103864 ----a-w- C:\Program Files\Mozilla Firefox\plugins\nppdf32.dll
2011-04-14 07:39:02 . 2011-04-14 07:39:02 103864 ----a-w- C:\Program Files\Internet Explorer\Plugins\nppdf32.dll
2011-03-30 11:00:41 . 2009-08-20 04:50:31 22872 ----a-r- C:\Windows\system32\AdobePDFUI.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2011-04-09 19:34:47 . 2010-06-24 15:33:56 18328 ----a-w- C:\ProgramData\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2011-02-22 14:13:01 . 2011-03-23 00:27:07 288768 ----a-w- C:\Windows\system32\XpsGdiConverter.dll
2011-02-22 13:33:12 . 2011-03-23 00:27:07 1068544 ----a-w- C:\Windows\system32\DWrite.dll
2011-02-22 13:33:09 . 2011-03-23 00:27:07 797696 ----a-w- C:\Windows\system32\FntCache.dll
2011-02-18 21:36:58 . 2011-02-18 21:36:58 41984 ----a-w- C:\Windows\system32\drivers\usbaapl.sys
2011-02-18 21:36:58 . 2011-02-18 21:36:58 4184352 ----a-w- C:\Windows\system32\usbaaplrc.dll
2011-02-02 22:11:20 . 2010-01-04 17:21:27 222080 ------w- C:\Windows\system32\MpSigStub.exe
2008-09-03 22:45:54 . 2008-09-03 22:45:54 8192 ----a-w- C:\Program Files\mozilla firefox\plugins\cgpcfg.dll
2008-09-03 22:44:36 . 2008-09-03 22:44:36 81920 ----a-w- C:\Program Files\mozilla firefox\plugins\CgpCore.dll
2008-09-03 22:44:58 . 2008-09-03 22:44:58 86016 ----a-w- C:\Program Files\mozilla firefox\plugins\confmgr.dll
2008-09-03 22:44:48 . 2008-09-03 22:44:48 16384 ----a-w- C:\Program Files\mozilla firefox\plugins\ctxlogging.dll
2008-09-03 22:43:36 . 2008-09-03 22:43:36 200704 ----a-w- C:\Program Files\mozilla firefox\plugins\ctxmui.dll
2008-09-03 22:44:48 . 2008-09-03 22:44:48 26112 ----a-w- C:\Program Files\mozilla firefox\plugins\icafile.dll
2008-09-03 22:45:42 . 2008-09-03 22:45:42 34816 ----a-w- C:\Program Files\mozilla firefox\plugins\icalogon.dll
2008-02-07 23:19:26 . 2008-02-07 23:19:26 479232 ----a-w- C:\Program Files\mozilla firefox\plugins\msvcm80.dll
2008-02-07 23:19:26 . 2008-02-07 23:19:26 548864 ----a-w- C:\Program Files\mozilla firefox\plugins\msvcp80.dll
2008-02-07 23:19:28 . 2008-02-07 23:19:28 626688 ----a-w- C:\Program Files\mozilla firefox\plugins\msvcr80.dll
2008-06-12 17:49:34 . 2008-06-12 17:49:34 981170 ----a-w- C:\Program Files\mozilla firefox\plugins\sslsdk_b.dll
2008-09-03 22:44:38 . 2008-09-03 22:44:38 18944 ----a-w- C:\Program Files\mozilla firefox\plugins\TcpPServ.dll
2011-03-18 17:53:24 . 2011-03-23 00:05:59 142296 ----a-w- C:\Program Files\mozilla firefox\components\browsercomps.dll
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-28 00:03:40 152872]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2008-01-21 02:23:22 125952]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2009-04-11 06:28:03 1233920]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundTray"="C:\Program Files\Analog Devices\SoundMAX\SoundTray.exe" [2007-05-21 19:53:42 49152]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 20:57:24 153136]
"SecurDisc"="C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe" [2007-06-25 13:47:24 1629480]
"InCD"="C:\Program Files\Nero\Nero 7\InCD\InCD.exe" [2007-06-25 13:47:02 1057064]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-03 01:24:46 32768]
"Reclusa"="C:\Program Files\Razer\Reclusa\razerhid.exe" [2007-03-07 22:49:28 167936]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2007-08-31 19:01:21 1037736]
"RemoteControl8"="C:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe" [2008-03-21 00:23:22 83240]
"PDVD8LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD8\Language\Language.exe" [2007-12-14 15:36:42 50472]
"Adobe Acrobat Speed Launcher"="C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2011-01-31 05:36:36 38840]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2010-09-22 22:11:26 640440]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2007-06-06 06:35:18 1261568]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2010-03-12 17:08:54 49208]
"Adobe ARM"="C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 18:37:40 932288]
"LogitechQuickCamRibbon"="C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe" [2009-10-14 17:36:56 2793304]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-09-22 04:28:52 47904]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 08:44:43 35760]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2010-11-29 22:38:18 421888]
"Microsoft Default Manager"="C:\Program Files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-11-11 22:43:04 288088]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2011-03-07 20:33:40 421160]
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2010-5-28 276328]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=C:\Windows\pss\QuickBooks Update Agent.lnk.CommonStartup
backupExtension=.CommonStartup
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-164121268-3062729603-3089187675-1000]
"EnableNotificationsRef"=dword:00000001
R0 Lbd;Lbd;C:\Windows\system32\DRIVERS\Lbd.sys [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 17:16:28 130384]
R3 BBSvc;Bing Bar Update Service;C:\Program Files\Microsoft\BingBar\BBSvc.EXE [2011-02-28 22:44:14 183560]
R3 netr28u;RT2870 USB Wireless LAN Card Driver for Vista;C:\Windows\system32\DRIVERS\netr28u.sys [2007-11-21 08:35:06 569344]
R3 SYMNDISV;Symantec Network Filter Driver;C:\Windows\System32\Drivers\NIS\1008000.029\SYMNDISV.SYS [x]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 17:16:28 753504]
R3 WSDPrintDevice;WSD Print Support via UMB;C:\Windows\system32\DRIVERS\WSDPrint.sys [2008-01-21 02:21:30 16896]
S0 SymDS;Symantec Data Store;C:\Windows\system32\drivers\NIS\1205000.07D\SYMDS.SYS [2010-10-21 02:28:36 340016]
S0 SymEFA;Symantec Extended File Attributes;C:\Windows\system32\drivers\NIS\1205000.07D\SYMEFA.SYS [2010-11-18 02:59:55 652336]
S1 BHDrvx86;BHDrvx86;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\BASHDefs\20110419.001\BHDrvx86.sys [2011-04-15 20:29:05 802936]
S1 IDSVix86;IDSVix86;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\IPSDefs\20110425.001\IDSvix86.sys [2011-03-14 18:58:33 353912]
S1 NEOFLTR_650_14951;Juniper Networks TDI Filter Driver (NEOFLTR_650_14951);C:\Windows\system32\Drivers\NEOFLTR_650_14951.SYS [2009-12-09 13:28:04 85288]
S1 SymIRON;Symantec Iron Driver;C:\Windows\system32\drivers\NIS\1205000.07D\Ironx86.SYS [2010-11-16 01:45:33 136312]
S1 SYMTDIv;Symantec Vista Network Dispatch Driver;C:\Windows\System32\Drivers\NIS\1205000.07D\SYMTDIV.SYS [2010-12-01 05:23:59 330360]
S2 NIS;Norton Internet Security;C:\Program Files\Norton Internet Security\Engine\18.5.0.125\ccSvcHst.exe [2010-11-24 02:21:18 130000]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2010-11-20 06:00:00 102448]
S3 RecFltr;Reclusa Keyboard;C:\Windows\system32\Drivers\RecFltr.sys [2007-01-18 14:21:38 41984]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
------- Supplementary Scan -------
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: Append Link Target to Existing PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
Trusted Zone: mysoros.com\www
TCP: {8A922AEB-17B1-46BA-A1D3-07A38C9F344A} = 8.8.8.8,8.8.4.4
TCP: {E2A39950-BE22-4D80-B17B-2487235659E2} = 8.8.8.8,8.8.4.4
FF - ProfilePath - C:\Users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\13mzop8p.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
shelf life
2011-05-05, 23:55
Thanks for the info. We will use ComboFix again to remove a file.
Click Start, then Run, type Notepad and click OK.
Copy/paste the text in the code box below into Notepad:
File::
C:\Windows\system32\cryptuiw.dll
Name the Notepad file CFScript.txt and save it to your desktop.
Now locate the file you just saved and the ComboFix icon, both on your desktop.
Using your mouse, drag the CFScript right on top of the ComboFix icon and release; ComboFix will run and produce a new log. Post the new log.
Is an updated Malwarebytes coming up clean after a scan?
Please post the new ComboFix log.
randman111
2011-05-07, 00:36
Hi Shelflife--
Thank you very much for your time. . .it's greatly appreciated.
So I did as you instructed in terms of creating and dragging the .txt file over CF, and it ran. However, I am getting an IRQL-related blue screen whenever CF attempts to run.
I ran TDSSKiller; it reported zero problems. I also ran Malwarebytes, but it found no problems other than deleting two AV programs (the log is below). I also ran SB, and it continued to find the click.giftload infection.
Any suggestions on how to fix the BSOD so we can get CF working?
Thanks again.
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org
Database version: 6417
Windows 6.0.6002 Service Pack 2
Internet Explorer 9.0.8112.16421
5/6/2011 5:28:40 PM
mbam-log-2011-05-06 (17-28-40).txt
Scan type: Quick scan
Objects scanned: 174389
Time elapsed: 4 minute(s), 47 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
c:\Users\Owner\Desktop\uSeRiNiT.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
c:\Users\Owner\Desktop\WiNlOgOn.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
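The DDS, ComboFix and Malwarebytes logs posted in this thread carry several indicators that a helper reads off by eye: every security product reporting *Disabled*, UAC switched off (EnableLUA = 0), the Security Center "DisableMonitoring" values (the source of the "windowssecuritycenter_disabled" finding), a freshly created hidden+system DLL in system32 (cryptuiw.dll, attributes --sha-r-), and two files on the Desktop named after Windows system binaries (uSeRiNiT.exe, WiNlOgOn.exe). The script below is an added example, not code from DDS, ComboFix, Malwarebytes or the poster: it parses those log line formats and flags the same indicators. The check names, severities and the SYSTEM_BINARIES list are this example's own assumptions, and SAMPLE is a small set of lines copied from the logs above rather than a whole log.

```python
"""Flag the indicators visible in DDS / ComboFix / Malwarebytes log lines.
Added example, not code from DDS, ComboFix, Malwarebytes or the poster.
Check names, severities and SYSTEM_BINARIES are assumptions; SAMPLE is a
constructed subset of lines taken from the logs posted in this thread."""
import re
from dataclasses import dataclass

# Windows binaries that malware likes to impersonate by name when dropped
# outside the system directory (assumed, illustrative list).
SYSTEM_BINARIES = {"userinit.exe", "winlogon.exe", "csrss.exe", "lsass.exe",
                   "services.exe", "smss.exe", "svchost.exe", "explorer.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


@dataclass
class Finding:
    severity: str   # "high" = act on it, "review" = confirm with the user
    check: str
    evidence: str


# DDS header: "AV: Norton Internet Security *Disabled/Updated* {GUID}"
RE_PRODUCT = re.compile(r"^(AV|FW|SP): (.+?) \*Disabled[^*]*\*", re.I)
# DDS "mPolicies-system: EnableLUA = 0 (0x0)" or ComboFix '"EnableLUA"= 0 (0x0)'
RE_LUA_OFF = re.compile(r'^(?:mPolicies-system: EnableLUA = 0|"EnableLUA"=\s*0)\b')
# ComboFix registry dump: a Security Center key header, then its values
RE_SC_KEY = re.compile(r"^\[(HKEY_LOCAL_MACHINE\\software\\microsoft\\security center\\[^\]]*)\]", re.I)
RE_DISMON = re.compile(r'^"DisableMonitoring"=dword:0*1$', re.I)
# DDS "2011-04-19 02:53:50 123392 --sha-r- c:\windows\system32\cryptuiw.dll";
# ComboFix inserts ". <mtime>" after the first timestamp, which is optional here.
RE_FILE = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\s+(?:\.\s+\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\s+)?"
                     r"(\d+|-+)\s+([dshawr-]{8})\s+(.+)$", re.I)
# Malwarebytes "<path> (<detection name>) -> Quarantined and deleted successfully."
RE_MBAM = re.compile(r"^(.+?) \((.+?)\) -> ")
RE_TRUSTED = re.compile(r"^Trusted Zone: (.+)$")


def triage(lines):
    """Return the Findings for an iterable of log lines, in log order."""
    findings = []
    sc_key = None                     # Security Center key we are currently inside
    for raw in lines:
        line = raw.strip()
        m = RE_PRODUCT.match(line)
        if m:
            findings.append(Finding("review", "security product disabled",
                                    f"{m.group(1)}: {m.group(2)}"))
            continue
        if RE_LUA_OFF.match(line):
            findings.append(Finding("high", "UAC disabled (EnableLUA=0)", line))
            continue
        m = RE_SC_KEY.match(line)
        if m:
            sc_key = m.group(1)
            continue
        if line.startswith("["):      # any other key header ends the block
            sc_key = None
        if sc_key and RE_DISMON.match(line):
            findings.append(Finding("high", "Security Center monitoring disabled", sc_key))
            continue
        m = RE_FILE.match(line)
        if m:
            _size, attrs, path = m.groups()
            attrs, path_l = attrs.lower(), path.lower()
            # a hidden+system *file* (not directory) under the system directory
            if (not attrs.startswith("d") and "s" in attrs and "h" in attrs
                    and path_l.startswith(SYSTEM_DIRS)):
                findings.append(Finding("high", "hidden+system file in system directory", path))
            continue
        m = RE_MBAM.match(line)
        if m:
            path, label = m.groups()
            base = path.lower().rsplit("\\", 1)[-1]
            if base in SYSTEM_BINARIES and not path.lower().startswith(SYSTEM_DIRS):
                findings.append(Finding("high", "system binary name outside system32",
                                        f"{path} [{label}]"))
            continue
        m = RE_TRUSTED.match(line)
        if m:
            findings.append(Finding("review", "IE Trusted Zone entry", m.group(1)))
    return findings


# Constructed subset: lines copied from the DDS, ComboFix and MBAM logs above.
SAMPLE = [
    "AV: Norton Internet Security *Disabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}",
    "SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}",
    "FW: Norton Internet Security *Disabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}",
    "uStart Page = hxxp://www.google.com/",
    "mPolicies-system: EnableLUA = 0 (0x0)",
    r"Trusted Zone: mysoros.com\www",
    r"2011-04-27 00:05:46 -------- d-sh--w- C:\$RECYCLE.BIN",
    r"2011-04-19 02:53:50 123392 --sha-r- c:\windows\system32\cryptuiw.dll",
    r"2011-04-15 20:02:43 86528 ----a-w- c:\windows\system32\dnsrslvr.dll",
    r"[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]",
    '"DisableMonitoring"=dword:00000001',
    r"[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-164121268-3062729603-3089187675-1000]",
    '"EnableNotificationsRef"=dword:00000001',
    r"c:\Users\Owner\Desktop\uSeRiNiT.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.",
    r"c:\Users\Owner\Desktop\WiNlOgOn.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.",
]

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"[{f.severity:6}] {f.check}: {f.evidence}")
```

Run against SAMPLE it reports nine findings: three disabled products and the Trusted Zone entry as "review", and the UAC policy, the Security Center monitoring value, cryptuiw.dll and the two Desktop look-alikes as "high". The hidden+system check deliberately ignores directories ($RECYCLE.BIN is legitimately d-sh--w-) and normal system DLLs such as dnsrslvr.dll, so only the unusual attribute combination on a fresh file in system32 is raised.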
randman111
2011-05-07, 00:44
Also, I get a BSOD whenever I try to shut down the computer as well.
shelf life
2011-05-07, 05:19
Try using the ComboFix CFScript.txt while you are in safe mode. To reach safe mode, tap the F8 key during a computer reboot and choose the first option on the list: Safe Mode. Log into your usual account. Once at the safe mode desktop, try using ComboFix.
Are these BSODs all recent happenings?
Download aswMBR.exe (http://public.avast.com/~gmerek/aswMBR.exe) to your desktop. You may have to right click and "run as admin."
Double click the aswMBR.exe to run it
Click the "Scan" button to start the scan.
On completion of the scan, click Save log, save it to your desktop and post it in your next reply.
randman111
2011-05-09, 14:07
The BSODs started after I caught the click.giftload virus. I tried to run CF under safe mode but was still getting a BSOD as CF was attempting to load.
I ran aswMBR.exe as you suggested. Here is the log:
aswMBR version 0.9.4 Copyright(c) 2011 AVAST Software
Run date: 2011-05-09 07:03:51
-----------------------------
07:03:51.637 OS Version: Windows 6.0.6002 Service Pack 2
07:03:51.637 Number of processors: 4 586 0x1707
07:03:51.637 ComputerName: RANDY-MAIN UserName: Owner
07:03:52.667 Initialize success
07:03:58.782 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-2
07:03:58.782 Disk 0 Vendor: ST31000340NS SN05 Size: 953869MB BusType: 3
07:03:58.798 Disk 1 \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP3T1L0-9
07:03:58.798 Disk 1 Vendor: ST31000340NS SN04 Size: 953869MB BusType: 3
07:03:58.798 Disk 2 \Device\Harddisk2\DR2 -> \Device\Ide\IdeDeviceP5T0L0-6
07:03:58.798 Disk 2 Vendor: WDC_WD1002FBYS-02A6B0 03.00C06 Size: 953869MB BusType: 3
07:03:58.798 Disk 0 MBR read error
07:03:58.798 Disk 0 MBR scan
07:03:58.798 MBR BIOS signature not found 0
07:03:58.798 Disk 0 scanning sectors +1953521664
07:03:58.813 Disk 0 scanning C:\Windows\system32\drivers
07:04:02.479 Service scanning
07:04:03.447 Disk 0 trace - called modules:
07:04:03.447 ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN [0x85e4f4f0]<<
07:04:03.447 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x85e18270]
07:04:03.447 3 CLASSPNP.SYS[8b5cf8b3] -> nt!IofCallDriver -> [0x85ba4918]
07:04:03.447 5 acpi.sys[828996bc] -> nt!IofCallDriver -> [0x85155b98]
07:04:03.462 \Driver\atapi[0x85e34d68] -> IRP_MJ_CREATE -> 0x85e4f4f0
07:04:03.462 Scan finished successfully
07:04:06.863 Disk 0 MBR fix error
shelf life
2011-05-10, 02:27
See if you can generate a Gmer log. Before running it please shut down any running Antivirus or antimalware. If it gives you problems you can also try running it in safe mode.
See step 8 here. (http://www.bleepingcomputer.com/forums/topic34773.html)
Are you getting redirected when you're on the internet?
randman111
2011-05-11, 05:06
Yes, I am getting redirected on the internet. I'm trying to run GMER but it keeps crashing on me. I'll give it a few more attempts.
Thanks
shelf life
2011-05-12, 00:19
I would suggest you use the machine as little as possible. Once you download tdsskiller and post the log you should lose the network connectivity. If you're not sure how to do this I would just power it off.
You can try running gmer in safe mode. To reach safe mode you would tap the f8 key during a computer restart. Choose the first option: safe mode, log in to your usual account.
You can also get another download;
Please download TDSS Killer.exe (http://support.kaspersky.com/downloads/utils/tdsskiller.exe) and save it to your desktop
Double click to launch the utility. On Vista and Windows 7, right click and "run as admin." After it initializes click the start scan button.
"The utility will automatically select an action (Cure or Delete) for known malicious objects. A suspicious object will be skipped by default."
If an infected file is detected, the default action will be Cure, click on Continue.
If a suspicious file is detected, the default action will be Skip, click on Continue.
It may ask you to reboot the computer to complete the process. Click on Reboot Now.
If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
A report can also be found in your Root drive Local Disk (C) as TDSSKiller.2.4.12.0_02.01.2011_17.32.21_log.txt (name, version, date, time, log.txt)
Please post the log report
randman111
2011-05-14, 03:26
I was able to run TDSSKILLER under normal mode. Here is the log:
2011/05/12 23:03:55.0275 4256 TDSS rootkit removing tool 2.4.21.0 Mar 10 2011 12:26:28
2011/05/12 23:03:55.0291 4256 ================================================================================
2011/05/12 23:03:55.0291 4256 SystemInfo:
2011/05/12 23:03:55.0291 4256
2011/05/12 23:03:55.0291 4256 OS Version: 6.0.6002 ServicePack: 2.0
2011/05/12 23:03:55.0291 4256 Product type: Workstation
2011/05/12 23:03:55.0291 4256 ComputerName: RANDY-MAIN
2011/05/12 23:03:55.0291 4256 UserName: Owner
2011/05/12 23:03:55.0291 4256 Windows directory: C:\Windows
2011/05/12 23:03:55.0291 4256 System windows directory: C:\Windows
2011/05/12 23:03:55.0291 4256 Processor architecture: Intel x86
2011/05/12 23:03:55.0291 4256 Number of processors: 4
2011/05/12 23:03:55.0291 4256 Page size: 0x1000
2011/05/12 23:03:55.0291 4256 Boot type: Normal boot
2011/05/12 23:03:55.0291 4256 ================================================================================
2011/05/12 23:03:56.0086 4256 Initialize success
2011/05/12 23:03:57.0771 4332 ================================================================================
2011/05/12 23:03:57.0771 4332 Scan started
2011/05/12 23:03:57.0771 4332 Mode: Manual;
2011/05/12 23:03:57.0771 4332 ================================================================================
2011/05/12 23:04:01.0515 4332 ================================================================================
2011/05/12 23:04:01.0515 4332 Scan finished
2011/05/12 23:04:01.0515 4332 ================================================================================
randman111
2011-05-14, 03:41
I was able to finally get GMER to complete under normal mode (took about 10 tries). I need to break up the log into several pieces. Thanks again for your patience!
GMER 1.0.15.15627 - http://www.gmer.net
Rootkit scan 2011-05-13 20:36:13
Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdePort3 ST31000340NS rev.SN05
Running: gmer.exe; Driver: C:\Users\Owner\AppData\Local\Temp\fgryrpob.sys
---- System - GMER 1.0.15 ----
SSDT 886B00B0 ZwAlertResumeThread
SSDT 8860AFA0 ZwAlertThread
SSDT 885903D0 ZwAllocateVirtualMemory
SSDT 882BEDE8 ZwAlpcConnectPort
SSDT 884D73C0 ZwAssignProcessToJobObject
SSDT 8816CDC8 ZwCreateMutant
SSDT 88219618 ZwCreateSymbolicLinkObject
SSDT 88252248 ZwCreateThread
SSDT 88738A28 ZwDebugActiveProcess
SSDT 8812EC28 ZwDuplicateObject
SSDT 88240718 ZwFreeVirtualMemory
SSDT 88EDDA70 ZwImpersonateAnonymousToken
SSDT 88533328 ZwImpersonateThread
SSDT 882BED70 ZwLoadDriver
SSDT 88404098 ZwMapViewOfSection
SSDT 885DB908 ZwOpenEvent
SSDT 886EE310 ZwOpenProcess
SSDT 8850D300 ZwOpenProcessToken
SSDT 88576298 ZwOpenSection
SSDT 88102008 ZwOpenThread
SSDT 881450F8 ZwProtectVirtualMemory
SSDT 886E1358 ZwResumeThread
SSDT 8853A3C0 ZwSetContextThread
SSDT 881CD838 ZwSetInformationProcess
SSDT 885DB970 ZwSetSystemInformation
SSDT 88586898 ZwSuspendProcess
SSDT 88DC5FD0 ZwSuspendThread
SSDT 884862C0 ZwTerminateProcess
SSDT 88E2DFD0 ZwTerminateThread
SSDT 88486218 ZwUnmapViewOfSection
SSDT 88404110 ZwWriteVirtualMemory
SSDT 883FB098 ZwCreateThreadEx
---- Kernel code sections - GMER 1.0.15 ----
.text ntkrnlpa.exe!KeSetEvent + 11D 822F78A0 8 Bytes [B0, 00, 6B, 88, A0, AF, 60, ...]
.text ntkrnlpa.exe!KeSetEvent + 131 822F78B4 4 Bytes [D0, 03, 59, 88]
.text ntkrnlpa.exe!KeSetEvent + 13D 822F78C0 4 Bytes CALL C5B7A4B2
.text ntkrnlpa.exe!KeSetEvent + 191 822F7914 4 Bytes [C0, 73, 4D, 88] {SAL BYTE [EBX+0x4d], 0x88}
.text ntkrnlpa.exe!KeSetEvent + 1F5 822F7978 4 Bytes [C8, CD, 16, 88] {ENTER 0x16cd, 0x88}
.text ...
---- User code sections - GMER 1.0.15 ----
.text C:\Windows\system32\svchost.exe[1116] ntdll.dll!NtProtectVirtualMemory 775E4B84 5 Bytes JMP 001B000A
.text C:\Windows\system32\svchost.exe[1116] ntdll.dll!NtWriteVirtualMemory 775E54C4 5 Bytes JMP 0020000A
.text C:\Windows\system32\svchost.exe[1116] ntdll.dll!KiUserExceptionDispatcher 775E5BF8 5 Bytes JMP 0018000A
.text C:\Windows\system32\svchost.exe[1116] ole32.dll!CoCreateInstance 77219F3E 5 Bytes JMP 005C000A
.text C:\Windows\system32\svchost.exe[1116] USER32.dll!GetCursorPos 776F0B88 5 Bytes JMP 00F6000A
.text C:\Windows\Explorer.EXE[1688] ntdll.dll!NtProtectVirtualMemory 775E4B84 5 Bytes JMP 0063000A
.text C:\Windows\Explorer.EXE[1688] ntdll.dll!NtWriteVirtualMemory 775E54C4 5 Bytes JMP 0064000A
.text C:\Windows\Explorer.EXE[1688] ntdll.dll!KiUserExceptionDispatcher 775E5BF8 5 Bytes JMP 0060000A
---- Disk sectors - GMER 1.0.15 ----
Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior
---- Files - GMER 1.0.15 ----
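The aswMBR and GMER findings above, read by a small triage script. This is an added example, not code from the thread, AVAST or GMER; the sample lines are copied from the logs posted in this thread, and the category names and the SENSITIVE_SYSCALLS list are my own choices.

```python
"""Triage of the aswMBR and GMER output posted above.

Added example, not part of the thread and not code from AVAST or GMER: a
line classifier that pulls out the findings a helper reads first and states
what they add up to. SAMPLE_LOG is constructed from lines of the logs in the
thread plus one ordinary file line to show that it is ignored.
"""
import re
from collections import Counter
from dataclasses import dataclass

SAMPLE_LOG = r"""
07:03:58.798 Disk 0 MBR read error
07:04:06.863 Disk 0 MBR fix error
SSDT 886B00B0 ZwAlertResumeThread
SSDT 882BED70 ZwLoadDriver
SSDT 88404110 ZwWriteVirtualMemory
SSDT 884862C0 ZwTerminateProcess
.text ntkrnlpa.exe!KeSetEvent + 11D 822F78A0 8 Bytes [B0, 00, 6B, 88, A0, AF, 60, ...]
.text ntkrnlpa.exe!KeSetEvent + 13D 822F78C0 4 Bytes CALL C5B7A4B2
.text C:\Windows\system32\svchost.exe[1116] ntdll.dll!NtProtectVirtualMemory 775E4B84 5 Bytes JMP 001B000A
.text C:\Windows\Explorer.EXE[1688] ntdll.dll!NtWriteVirtualMemory 775E54C4 5 Bytes JMP 0064000A
Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior
File C:\Digital Pictures\Mobile Phone\IMG_0001.JPG 431593 bytes
"""

# Line shapes as they appear in the two logs (process paths without spaces only).
SSDT_RE = re.compile(r"^SSDT\s+([0-9A-F]{8})\s+(Zw\w+)$", re.I)
KERNEL_PATCH_RE = re.compile(
    r"^\.text\s+(ntkrnlpa\.exe|ntoskrnl\.exe)!(\w+)\s*\+\s*([0-9A-F]+)\s+([0-9A-F]{8})\s+(\d+)\s+Bytes", re.I)
USER_HOOK_RE = re.compile(
    r"^\.text\s+(\S+?)\[(\d+)\]\s+(\S+)!(\w+)\s+([0-9A-F]{8})\s+\d+\s+Bytes\s+JMP\s+([0-9A-F]{8})$", re.I)
SECTOR_RE = re.compile(r"^Disk\s+(\S+)\s+sector\s+(\d+):\s+(.+)$", re.I)
MBR_ERR_RE = re.compile(r"Disk\s+(\d+)\s+MBR\s+(read|fix)\s+error", re.I)

# Hooks on these services let a rootkit stop scanners loading drivers, patching
# memory or killing its processes: a plausible cause of the tool crashes and
# BSODs described in the thread. The list is this example's own choice.
SENSITIVE_SYSCALLS = {
    "ZwLoadDriver", "ZwWriteVirtualMemory", "ZwProtectVirtualMemory", "ZwOpenProcess",
    "ZwTerminateProcess", "ZwCreateThreadEx", "ZwMapViewOfSection", "ZwSetContextThread",
}


@dataclass(frozen=True)
class Finding:
    kind: str          # indicator category
    detail: str        # human-readable summary of the line
    symbol: str = ""   # hooked function, where one applies


def classify(line: str):
    """Map one log line to a Finding, or None for lines that carry no indicator."""
    line = line.strip()
    m = SSDT_RE.match(line)
    if m:
        return Finding("ssdt_hook", f"{m.group(2)} -> {int(m.group(1), 16):#010x}", m.group(2))
    m = KERNEL_PATCH_RE.match(line)
    if m:
        return Finding("kernel_inline_patch",
                       f"{m.group(1)}!{m.group(2)}+{m.group(3)} ({m.group(5)} bytes)", m.group(2))
    m = USER_HOOK_RE.match(line)
    if m:
        # GMER names the owning module after a JMP target that lies inside one;
        # a bare low address such as 001B000A means no loaded module owns the hook body.
        return Finding("user_inline_hook",
                       f"pid {m.group(2)} {m.group(3)}!{m.group(4)} -> {m.group(6)}", m.group(4))
    m = SECTOR_RE.match(line)
    if m and "rootkit" in m.group(3).lower():
        return Finding("boot_sector_rootkit", f"{m.group(1)} sector {m.group(2)}: {m.group(3)}")
    m = MBR_ERR_RE.search(line)
    if m:
        return Finding(f"mbr_{m.group(2).lower()}_error", f"disk {m.group(1)}")
    return None


def triage(text: str):
    """Return every Finding in the log, in the order the lines appear."""
    return [f for f in (classify(ln) for ln in text.splitlines()) if f]


def summarize(findings):
    """Count findings per indicator category."""
    return Counter(f.kind for f in findings)


def sensitive_hooks(findings):
    """Sorted names of hooked SSDT services that are in SENSITIVE_SYSCALLS."""
    return sorted({f.symbol for f in findings
                   if f.kind == "ssdt_hook" and f.symbol in SENSITIVE_SYSCALLS})


def verdict(findings):
    """One-line reading of what the indicators add up to."""
    kinds = summarize(findings)
    notes = []
    if "boot_sector_rootkit" in kinds and "mbr_read_error" in kinds:
        notes.append("boot sector flagged and MBR unreadable from the running OS")
    if "mbr_fix_error" in kinds:
        notes.append("in-place MBR repair failed")
    if kinds["ssdt_hook"]:
        notes.append(f"{kinds['ssdt_hook']} SSDT hooks ({len(sensitive_hooks(findings))} sensitive)")
    if kinds["kernel_inline_patch"]:
        notes.append(f"{kinds['kernel_inline_patch']} inline patches in the kernel image")
    if kinds["user_inline_hook"]:
        notes.append(f"{kinds['user_inline_hook']} user-mode hooks into module-less memory")
    return "; ".join(notes) or "no rootkit indicators in these lines"


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f.kind:22} {f.detail}")
    print("verdict:", verdict(found))
```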
randman111
2011-05-14, 03:47
File C:\Music Files\Install Files\Vista\AIRemote_10015\AI Remote 1.00.15\Acpi64\win2000\ATK2000.INF 2160 bytes
File C:\Music Files\Install Files\Vista\AIRemote_10015\AI Remote 1.00.15\Acpi64\WINVISTA 0 bytes
File C:\Music Files\Install Files\Vista\AIRemote_10015\AI Remote 1.00.15\Acpi64\WINVISTA\asacpi.cat 8014 bytes
File C:\Music Files\Install Files\Vista\AIRemote_10015\AI Remote 1.00.15\Acpi64\WINVISTA\AsAcpi.inf 1532 bytes
File C:\Music Files\Install Files\Vista\AIRemote_10015\AI Remote 1.00.15\Acpi64\WINVISTA\Asacpi.sys 15680 bytes executable
File C:\Music Files\Install Files\Vista\AIRemote_10015\AI Remote 1.00.15\AsusSetup.exe 495616 bytes
File C:\Music Files\Install Files\Vista\AIRemote_10015\AI Remote 1.00.15\AsusSetup.ini 2310 bytes
File C:\Music Files\Install Files\Vista\AIRemote_10015\AI Remote 1.00.15\data1.cab 808250 bytes
File C:\Music Files\Install Files\Vista\AIRemote_10015\AI Remote 1.00.15\data1.hdr 21661 bytes
File C:\Music Files\Install Files\Vista\AIRemote_10015\AI Remote 1.00.15\data2.cab 3355637 bytes
File C:\Music Files\Install Files\Vista\AIRemote_10015\AI Remote 1.00.15\English.ini 172 bytes
File C:\Music Files\Install Files\Vista\AIRemote_10015\AI Remote 1.00.15\French.ini 175 bytes
File C:\Music Files\Install Files\Vista\AIRemote_10015\AI Remote 1.00.15\German.ini 175 bytes
File C:\Music Files\Install Files\Vista\AIRemote_10015\AI Remote 1.00.15\ikernel.ex_ 346602 bytes
File C:\Music Files\Install Files\Vista\AIRemote_10015\AI Remote 1.00.15\Io 0 bytes
File C:\Music Files\Install Files\Vista\AIRemote_10015\AI Remote 1.00.15\Io\AsIO.dll 24576 bytes executable
File C:\Music Files\Install Files\Vista\AIRemote_10015\AI Remote 1.00.15\Io\AsIO.VXD 5764 bytes
File C:\Music Files\Install Files\Vista\AIRemote_10015\AI Remote 1.00.15\Io\AsIO32.sys 12664 bytes executable
File C:\Music Files\Install Files\Vista\AIRemote_10015\AI Remote 1.00.15\Io\AsIO64.sys 13632 bytes executable
File C:\Music Files\Install Files\Vista\AIRemote_10015\AI Remote 1.00.15\Io\AsIoIns.exe 106496 bytes executable
File C:\Music Files\Install Files\Vista\AIRemote_10015\AI Remote 1.00.15\Io\AsIoUnins.exe 122880 bytes executable
File C:\Music Files\Install Files\Vista\AIRemote_10015\AI Remote 1.00.15\Io\Version.ini 57 bytes
File C:\Music Files\Install Files\Vista\AIRemote_10015\AI Remote 1.00.15\Japanese.ini 172 bytes
File C:\Music Files\Install Files\Vista\AIRemote_10015\AI Remote 1.00.15\layout.bin 417 bytes
File C:\Music Files\Install Files\Vista\AIRemote_10015\AI Remote 1.00.15\SChinese.ini 348 bytes
File C:\Music Files\Install Files\Vista\AIRemote_10015\AI Remote 1.00.15\Setup.exe 168448 bytes executable
File C:\Music Files\Install Files\Vista\AIRemote_10015\AI Remote 1.00.15\Setup.ini 201 bytes
File C:\Music Files\Install Files\Vista\AIRemote_10015\AI Remote 1.00.15\setup.inx 140991 bytes
File C:\Music Files\Install Files\Vista\AIRemote_10015\AI Remote 1.00.15\setup.iss 410 bytes
File C:\Music Files\Install Files\Vista\AIRemote_10015\AI Remote 1.00.15\setup.log 168 bytes
File C:\Music Files\Install Files\Vista\AIRemote_10015\AI Remote 1.00.15\TChinese.ini 346 bytes
File C:\Music Files\Install Files\Vista\AIRemote_10015\AI Remote 1.00.15\usetup.iss 498 bytes
File C:\Music Files\Install Files\Vista\AIRemote_10015.zip 5033989 bytes
File C:\Music Files\Install Files\Vista\BL06.zip 847473 bytes
File C:\Music Files\Install Files\Vista\bridge 0 bytes
File C:\Music Files\Install Files\Vista\bridge\Autorun.inf 27 bytes
File C:\Music Files\Install Files\Vista\bridge\Documentation 0 bytes
File C:\Music Files\Install Files\Vista\bridge\Documentation\Rbws83_DataFieldDefinitions.pdf 406131 bytes
File C:\Music Files\Install Files\Vista\bridge\Documentation\Rbws83_BDDE_RefGuide.pdf 218942 bytes
File C:\Music Files\Install Files\Vista\bridge\Documentation\Rbws83_BDDE_UserGuide.pdf 510176 bytes
File C:\Music Files\Install Files\Vista\bridge\Documentation\Rbws83_ControlObjects.pdf 422372 bytes
File C:\Music Files\Install Files\Vista\bridge\Documentation\Rbws83_ConvertUtility.pdf 267238 bytes
File C:\Music Files\Install Files\Vista\bridge\Documentation\Rbws83_DataWallDesign.pdf 177448 bytes
File C:\Music Files\Install Files\Vista\bridge\Documentation\Rbws83_DesignMode.pdf 352662 bytes
File C:\Music Files\Install Files\Vista\bridge\Documentation\Rbws83_EXE&OCXTrees.pdf 355963 bytes
File C:\Music Files\Install Files\Vista\bridge\Documentation\Rbws83_GettingStarted.pdf 766546 bytes
File C:\Music Files\Install Files\Vista\bridge\Documentation\Rbws83_InitializationFiles.pdf 269960 bytes
File C:\Music Files\Install Files\Vista\bridge\Documentation\Rbws83_InstallationGuide.pdf 653451 bytes
File C:\Music Files\Install Files\Vista\bridge\Documentation\Rbws83_MsgWindows.pdf 276585 bytes
File C:\Music Files\Install Files\Vista\bridge\Documentation\Rbws83_Optimization.pdf 229110 bytes
File C:\Music Files\Install Files\Vista\bridge\Documentation\Rbws83_PortfolioFields.pdf 124839 bytes
File C:\Music Files\Install Files\Vista\bridge\Documentation\Rbws83_Publishers.pdf 163176 bytes
File C:\Music Files\Install Files\Vista\bridge\Documentation\Rbws83_RDIFConfigUtility.pdf 280400 bytes
File C:\Music Files\Install Files\Vista\bridge\Documentation\Rbws83_RelNotes.pdf 133228 bytes
File C:\Music Files\Install Files\Vista\bridge\Documentation\Rbws83_RListEditor.pdf 363499 bytes
File C:\Music Files\Install Files\Vista\bridge\Documentation\Rbws83_SSL&RMDSConfigFile.pdf 124733 bytes
File C:\Music Files\Install Files\Vista\bridge\Documentation\Rbws83_Troubleshooting.pdf 156526 bytes
File C:\Music Files\Install Files\Vista\bridge\Documentation\Rbws83_VBAGuide.pdf 809290 bytes
File C:\Music Files\Install Files\Vista\bridge\Documentation\Rbws83_VBA_RbwsObjects.pdf 622788 bytes
File C:\Music Files\Install Files\Vista\bridge\Documentation\Reuters83_Est_and_RAS.pdf 476202 bytes
File C:\Music Files\Install Files\Vista\bridge\EXPORT.TXT 267 bytes
File C:\Music Files\Install Files\Vista\bridge\RS83.msi 81783168 bytes
File C:\Music Files\Install Files\Vista\bridge\setup.exe 2084780 bytes executable
File C:\Music Files\Install Files\Vista\bridge\Workspace Converter 0 bytes
File C:\Music Files\Install Files\Vista\bridge\Workspace Converter\No 6x Converter v511.exe 1281179 bytes executable
File C:\Music Files\Install Files\Vista\bridge\Workspace Converter\Rbws83_ConvertUtility.pdf 267238 bytes
File C:\Music Files\Install Files\Vista\bridge\Workspace Converter\Read_Me_First.txt 276 bytes
File C:\Music Files\Install Files\Vista\CyberLink.PowerDVD.8.Deluxe.1730D(b).080611.exe 90379152 bytes executable
File C:\Music Files\Install Files\Vista\dfxInstall-Real.exe 1808992 bytes executable
File C:\Music Files\Install Files\Vista\dfxInstall-WMP.exe 2029464 bytes executable
File C:\Music Files\Install Files\Vista\exports 0 bytes
File C:\Music Files\Install Files\Vista\exports\bookmark.htm 167710 bytes
File C:\Music Files\Install Files\Vista\exports\cookies.txt 620588 bytes
File C:\Music Files\Install Files\Vista\FontPack90_ja_JP.msi 10486272 bytes
File C:\Music Files\Install Files\Vista\FontPack90_ko_KR.msi 4136448 bytes
File C:\Music Files\Install Files\Vista\FontPack90_zh_TW.msi 7208960 bytes
File C:\Music Files\Install Files\Vista\NIS081550.exe 71665576 bytes executable
File C:\Music Files\Install Files\Vista\Norton_Removal_Tool.exe 667648 bytes
File C:\Music Files\Install Files\Vista\pse_300_enu.exe 17580000 bytes executable
File C:\Music Files\Install Files\WinXP 0 bytes
File C:\Music Files\Install Files\WinXP\Macros.EXE 434808 bytes executable
File C:\Music Files\Install Files\WinXP\aaw6plus.exe 2336899 bytes executable
File C:\Music Files\Install Files\WinXP\aawseplus.exe 4229261 bytes executable
File C:\Music Files\Install Files\WinXP\AutoCorrect Backup Document.doc 273920 bytes
File C:\Music Files\Install Files\WinXP\cso_eula.htm 33123 bytes
File C:\Music Files\Install Files\WinXP\dfxInstall-Musicmatch.exe 1799720 bytes executable
File C:\Music Files\Install Files\WinXP\dm_3089135165120142225236.exe 171088 bytes executable
File C:\Music Files\Install Files\WinXP\FileFormatConverters.exe 28868320 bytes
File C:\Music Files\Install Files\WinXP\Installing-Diskeeper-English.rtf 844885 bytes
File C:\Music Files\Install Files\WinXP\IP5_0ENG.exe 6530272 bytes executable
File C:\Music Files\Install Files\WinXP\mmsetup_10004033_ENU_PROMO_MIG1.exe 27519384 bytes executable
File C:\Music Files\Install Files\WinXP\Norton_Removal_Tool.exe 1000792 bytes executable
File C:\Music Files\Install Files\WinXP\PalmDesktopWin414e.zip 43423968 bytes
File C:\Music Files\Install Files\WinXP\palmoutlook2007conduits.zip 7573054 bytes
File C:\Music Files\Install Files\WinXP\Professional 0 bytes
File C:\Music Files\Install Files\WinXP\Professional\License.dal 1209 bytes
File C:\Music Files\Install Files\WinXP\Professional\X64 0 bytes
File C:\Music Files\Install Files\WinXP\Professional\X64\License.rtf 9045 bytes
File C:\Music Files\Install Files\WinXP\Professional\X64\Readme.txt 21176 bytes
File C:\Music Files\Install Files\WinXP\Professional\X86 0 bytes
File C:\Music Files\Install Files\WinXP\Professional\X86\License.rtf 9045 bytes
File C:\Music Files\Install Files\WinXP\Professional\X86\Readme.txt 21176 bytes
File C:\Music Files\Install Files\WinXP\sites.txt 112825 bytes
File C:\Music Files\Install Files\WinXP\ucr61s2b.zip 1495970 bytes
File C:\Music Files\Install Files\WinXP\vis_gforce_1s.mmz 771274 bytes
File C:\Music Files\Install Files\WinXP\vis_whitecap_1s.mmz 814099 bytes
File C:\Music Files\Install Files\WinXP\vivopwrp.exe 3198733 bytes
File C:\Music Files\Install Files\WinXP\WindowsDesktopSearch-KB917013-V301-XP-x86-enu.exe 4880248 bytes executable
File C:\Music Files\Tricky\Vulnerable\07 - Tricky - What Is Wrong - Vulnerable.mp3 4281660 bytes
File C:\Music Files\Tricky\Vulnerable\01 - Tricky - Stay - Vulnerable.mp3 4600312 bytes
File C:\Music Files\Tricky\Vulnerable\02 - Tricky - Antimatter - Vulnerable.mp3 3603082 bytes
File C:\Music Files\Tricky\Vulnerable\03 - Tricky - Ice Pick - Vulnerable.mp3 3788510 bytes
File C:\Music Files\Tricky\Vulnerable\04 - Tricky - Car Crash - Vulnerable.mp3 4467129 bytes
File C:\Music Files\Tricky\Vulnerable\05 - Tricky - Dear God - Vulnerable.mp3 4567398 bytes
File C:\Music Files\Tricky\Vulnerable\06 - Tricky - How High - Vulnerable.mp3 3875759 bytes
File C:\Music Files\Tricky\Vulnerable\08 - Tricky - Hollow - Vulnerable.mp3 5034425 bytes
File C:\Music Files\Tricky\Vulnerable\09 - Tricky - Moody - Vulnerable.mp3 4036151 bytes
File C:\Music Files\Tricky\Vulnerable\10 - Tricky - Wait For God - Vulnerable.mp3 4868328 bytes
File C:\Music Files\Tricky\Vulnerable\11 - Tricky - Where I'm From - Vulnerable.mp3 3384176 bytes
File C:\Music Files\Tricky\Vulnerable\12 - Tricky - The Love Cats - Vulnerable.mp3 3467246 bytes
File C:\Music Files\Tricky\Vulnerable\13 - Tricky - Search, Search, Survive - Vulnerable.mp3 3755073 bytes
File C:\System Volume Information\{056a1607-392a-11df-a8d7-39ddaf4bb433}{3808876b-c176-4e48-b7ae-04046e6cc752} 1665773568 bytes
File C:\System Volume Information\{0c475673-2daf-11de-8abc-0015af4bb433}{3808876b-c176-4e48-b7ae-04046e6cc752} 301690880 bytes
File C:\System Volume Information\{8ce3e76e-3e4a-11df-8cce-001e8c1089b5}{3808876b-c176-4e48-b7ae-04046e6cc752} 545259520 bytes
File C:\System Volume Information\{d6b33952-8f1b-11de-a297-0015af4bb433}{3808876b-c176-4e48-b7ae-04046e6cc752} -325722112 bytes
File C:\WindowsImageBackup 0 bytes
File C:\WindowsImageBackup\randy-main 0 bytes
File C:\WindowsImageBackup\randy-main\Backup 2010-04-02 185033 0 bytes
File C:\WindowsImageBackup\randy-main\Backup 2010-04-02 185033\b4813319-e189-45a4-a677-688f3e338616_Writera6ad56c2-b509-4e6c-bb19-49d8f43532f0.xml 1484 bytes
File C:\WindowsImageBackup\randy-main\Backup 2010-04-02 185033\49384ebf-57c9-11dd-9faa-806e6f6e6963.vhd 1431448576 bytes
File C:\WindowsImageBackup\randy-main\Backup 2010-04-02 185033\b4813319-e189-45a4-a677-688f3e338616_AdditionalFilesc3b9f3c7-5e52-4d5e-8b20-19adc95a34c7.xml 3188 bytes
File C:\WindowsImageBackup\randy-main\Backup 2010-04-02 185033\b4813319-e189-45a4-a677-688f3e338616_Components.xml 14090 bytes
File C:\WindowsImageBackup\randy-main\Backup 2010-04-02 185033\b4813319-e189-45a4-a677-688f3e338616_RegistryExcludes.xml 6944 bytes
File C:\WindowsImageBackup\randy-main\Backup 2010-04-02 185033\b4813319-e189-45a4-a677-688f3e338616_Writer4dc3bdd4-ab48-4d07-adb0-3bee2926fd7f.xml 3582 bytes
File C:\WindowsImageBackup\randy-main\Backup 2010-04-02 185033\b4813319-e189-45a4-a677-688f3e338616_Writer542da469-d3e1-473c-9f4f-7847f01fc64f.xml 1488 bytes
File C:\WindowsImageBackup\randy-main\Backup 2010-04-02 185033\b4813319-e189-45a4-a677-688f3e338616_Writerafbab4a2-367d-4d15-a586-71dbb18f8485.xml 4732 bytes
File C:\WindowsImageBackup\randy-main\Backup 2010-04-02 185033\b4813319-e189-45a4-a677-688f3e338616_Writerbe000cbe-11fe-4426-9c58-531aa6355fc4.xml 5560 bytes
File C:\WindowsImageBackup\randy-main\Backup 2010-04-02 185033\b4813319-e189-45a4-a677-688f3e338616_Writercd3f2362-8bef-46c7-9181-d62844cdc0b2.xml 7686 bytes
File C:\WindowsImageBackup\randy-main\Backup 2010-04-02 185033\b4813319-e189-45a4-a677-688f3e338616_Writere8132975-6f93-4464-a53e-1050253ae220.xml 2180360 bytes
File C:\WindowsImageBackup\randy-main\Catalog 0 bytes
File C:\WindowsImageBackup\randy-main\Catalog\BackupGlobalCatalog 10554 bytes
File C:\WindowsImageBackup\randy-main\Catalog\GlobalCatalog 11338 bytes
File C:\WindowsImageBackup\randy-main\MediaId 16 bytes
---- EOF - GMER 1.0.15 ----
shelf life
2011-05-15, 00:17
All inconclusive, other than you're still getting redirected. Shut down any running antivirus or antimalware first, then try running ComboFix again after a normal boot up, not safe mode. If you're connected, ComboFix will probably update itself and restart.
If you have a router, check its DNS settings and make sure they haven't been changed in the router setup from:
8.8.8.8 and 8.8.8.4
I assume you changed these to use Google public DNS?
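The advice above to check the router's DNS settings applies just as much to the resolvers configured on the PC itself, since redirection malware commonly rewrites them. The following Python is an added example, not something posted in the thread or shipped with any of the tools mentioned: it parses the text that `ipconfig /all` prints (a constructed sample is embedded below) and reports any resolver that is not on an expected list. A resolver that is also the default gateway is reported separately, because in that case the router's own upstream DNS setting is what has to be checked, as the post says. The expected-resolver list is an assumption: Google Public DNS, 8.8.8.8 and 8.8.4.4. The adapter names, addresses and the rogue resolver 203.0.113.57 in the sample are made up.

```python
import re
from typing import Dict, List, Tuple

# Assumption: the resolvers the owner intends to use (Google Public DNS).
EXPECTED_RESOLVERS = {"8.8.8.8", "8.8.4.4"}

# Constructed sample of `ipconfig /all` output; not taken from a real machine.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : EXAMPLE-PC
   Primary Dns Suffix  . . . . . . . :

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) PRO/1000 Network Connection
   IPv4 Address. . . . . . . . . . . : 192.168.1.10(Preferred)
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 8.8.8.8
                                       8.8.4.4

Wireless LAN adapter Wireless Network Connection:

   Description . . . . . . . . . . . : Example 802.11 Adapter
   IPv4 Address. . . . . . . . . . . : 192.168.1.11(Preferred)
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 192.168.1.1
                                       203.0.113.57

Ethernet adapter Local Area Connection 2:

   Media State . . . . . . . . . . . : Media disconnected
"""

# Adapter headers start at column 0 and end with a colon.
ADAPTER_RE = re.compile(r"^(?P<name>\S.*):$")
# Field lines are indented three spaces: "Key . . . . : value".
KEY_RE = re.compile(r"^ {3}(?P<key>[^ .:][^.:]*?)[ .]*:\s?(?P<value>.*)$")
# Extra values (second DNS server, etc.) are indented further, with no key.
CONT_RE = re.compile(r"^ {4,}(?P<value>\S.*)$")


def parse_ipconfig(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Return {adapter name: {field: [values...]}} from ipconfig /all output."""
    adapters: Dict[str, Dict[str, List[str]]] = {}
    current = "Windows IP Configuration"  # fields before the first adapter
    last_key = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        m = ADAPTER_RE.match(line)
        if m:
            current = m.group("name")
            adapters.setdefault(current, {})
            last_key = None
            continue
        m = KEY_RE.match(line)
        if m:
            last_key = m.group("key").strip()
            values = adapters.setdefault(current, {}).setdefault(last_key, [])
            if m.group("value").strip():
                values.append(m.group("value").strip())
            continue
        m = CONT_RE.match(line)
        if m and last_key is not None:
            adapters[current][last_key].append(m.group("value").strip())
    return adapters


def audit_dns(adapters: Dict[str, Dict[str, List[str]]],
              expected=EXPECTED_RESOLVERS) -> List[Tuple[str, str, str]]:
    """List (adapter, resolver, reason) for every resolver not in the expected set."""
    findings = []
    for name, fields in adapters.items():
        gateways = set(fields.get("Default Gateway", []))
        for server in fields.get("DNS Servers", []):
            if server in expected:
                continue
            if server in gateways:
                reason = "resolver is the default gateway; verify the router's own DNS settings"
            else:
                reason = "not in the expected resolver list"
            findings.append((name, server, reason))
    return findings


if __name__ == "__main__":
    for adapter, server, reason in audit_dns(parse_ipconfig(SAMPLE_IPCONFIG)):
        print(f"{adapter}: {server} -> {reason}")
```

On a live system, feed the script the output of `ipconfig /all > ipconfig.txt` instead of the sample; a resolver the owner never configured is a finding regardless of what the hosts file or browser settings look like.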
randman111
2011-05-15, 03:43
You're right, I changed the connectivity settings to use the google DNS.
I keep getting an "IRQL not less or equal" BSOD every time I run CF, in either normal or safe mode. Any suggestions?
Thanks
shelf life
2011-05-15, 04:50
ComboFix not running isn't helpful.
It also looks like ComboFix ran successfully one time. That BSOD is recent, I think you said? Does your AV, Malwarebytes and Spybot run ok? Only ComboFix causes a BSOD?
Download mbr.exe (http://www2.gmer.net/mbr/mbr.exe) to your desktop. Right click and "run as Admin". It will create a txt file on your desktop. Please post the log.
TDSSKiller has been updated. Please delete your current copy and get the new one:
TDSSkiller.exe (http://support.kaspersky.com/downloads/utils/tdsskiller.exe)
randman111
2011-05-15, 21:10
Yes, I was able to run CF successfully once, but never again. Every time I run CF, as it gets close to finishing loading (green progress bar near the end), I get an IRQL BSOD crash. I've tried both safe and normal mode.
I ran mbr.exe. Here is the log:
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 6.0.6002 Disk: ST31000340NS rev.SN05 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-2
device: opened successfully
user: MBR read successfully
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
user & kernel MBR OK
Thanks!
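The mbr.exe log above reports two separate reads of sector 0, one through the user-mode disk API and one from the kernel, and then states whether they agree. A bootkit that filters disk reads to hide its own boot code is exactly what makes the two disagree, so the comparison is the point of the tool. The following Python is an added example, not code from the thread or from GMER: it parses a raw 512-byte MBR into boot code, partition table and boot signature, compares two reads field by field the way such a check would, and pulls the verdict and error lines out of an mbr.exe log. The sample MBR bytes and the "hooked" copy are constructed; the log text is the one posted above.

```python
import struct
from typing import Dict, List

MBR_SIZE = 512
BOOTSTRAP_SIZE = 446           # bytes 0..445: boot code (what a bootkit replaces)
PARTITION_TABLE_OFFSET = 446   # four 16-byte partition entries follow the boot code
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510..511

# The mbr.exe output posted in the thread, used here as sample input.
MBR_LOG_FROM_THREAD = """\
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 6.0.6002 Disk: ST31000340NS rev.SN05 -> Harddisk0\\DR0 -> \\Device\\Ide\\IdeDeviceP2T0L0-2
device: opened successfully
user: MBR read successfully
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
user & kernel MBR OK
"""


def parse_partition_entry(entry: bytes) -> dict:
    """Decode one 16-byte MBR partition entry (CHS fields are ignored)."""
    status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack("<B3sB3sII", entry)
    return {"bootable": status == 0x80, "type": ptype, "lba_start": lba_start, "sectors": sectors}


def parse_mbr(data: bytes) -> dict:
    """Split a raw sector 0 into boot code, four partition entries and signature check."""
    if len(data) != MBR_SIZE:
        raise ValueError(f"MBR must be {MBR_SIZE} bytes, got {len(data)}")
    table = data[PARTITION_TABLE_OFFSET:PARTITION_TABLE_OFFSET + 64]
    return {
        "bootstrap": data[:BOOTSTRAP_SIZE],
        "partitions": [parse_partition_entry(table[i:i + 16]) for i in range(0, 64, 16)],
        "signature_ok": data[510:512] == BOOT_SIGNATURE,
    }


def compare_mbr_reads(user_read: bytes, kernel_read: bytes) -> List[str]:
    """Compare the sector obtained via the user-mode API with the kernel-mode read.
    Any difference means something in the disk stack is filtering reads."""
    if user_read == kernel_read:
        return []
    u, k = parse_mbr(user_read), parse_mbr(kernel_read)
    findings = []
    if u["bootstrap"] != k["bootstrap"]:
        findings.append("boot code differs between user-mode and kernel-mode reads")
    if u["partitions"] != k["partitions"]:
        findings.append("partition table differs between user-mode and kernel-mode reads")
    if u["signature_ok"] != k["signature_ok"]:
        findings.append("boot signature differs between user-mode and kernel-mode reads")
    return findings or ["reads differ only in bytes not covered by the parsed fields"]


def mbr_log_verdict(log: str) -> Dict[str, object]:
    """Extract from an mbr.exe log whether both reads agreed and any error lines."""
    errors, mbr_ok = [], False
    for line in log.splitlines():
        line = line.strip()
        if line.startswith("error:"):
            errors.append(line[len("error:"):].strip())
        elif "user & kernel MBR OK" in line:
            mbr_ok = True
    return {"mbr_ok": mbr_ok, "errors": errors}


def build_sample_mbr() -> bytes:
    """Constructed clean MBR: a few bytes of boot code, one bootable NTFS partition
    starting at LBA 2048, valid 0x55AA signature. Not taken from any real disk."""
    boot_code = b"\x33\xc0\x8e\xd0\xbc\x00\x7c".ljust(BOOTSTRAP_SIZE, b"\x00")
    entry = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07, b"\xfe\xff\xff", 2048, 2_000_000)
    return boot_code + entry + b"\x00" * 48 + BOOT_SIGNATURE


def build_hooked_read(clean: bytes) -> bytes:
    """Constructed: the same sector with its first boot-code bytes replaced, standing
    in for a kernel read that does not match the copy shown to user mode."""
    patched = bytearray(clean)
    patched[0:3] = b"\xeb\xfe\x90"  # placeholder bytes, not real bootkit code
    return bytes(patched)


if __name__ == "__main__":
    clean = build_sample_mbr()
    print(parse_mbr(clean)["partitions"][0])
    print("clean vs clean :", compare_mbr_reads(clean, clean))
    print("clean vs hooked:", compare_mbr_reads(clean, build_hooked_read(clean)))
    print(mbr_log_verdict(MBR_LOG_FROM_THREAD))
```

The log parser deliberately keeps the "error:" line alongside the "MBR OK" verdict rather than letting the verdict swallow it: a read error on the way to an otherwise clean result is still something the helper should see.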
shelf life
2011-05-16, 02:01
Did you delete your current tdsskiller and get a new copy?
randman111
2011-05-21, 02:25
Hi shelflife--
It took me more than 5 attempts, but I finally ran TDSSKiller without a BSOD and it did find one item that, ironically, looked like a tdss.dll file. After rebooting, and more importantly without a BSOD, I ran it again and it came back clean. Here is the log:
2011/05/20 15:52:25.0570 4464 TDSS rootkit removing tool 2.5.1.0 May 13 2011 13:20:29
2011/05/20 15:52:25.0586 4464 ================================================================================
2011/05/20 15:52:25.0586 4464 SystemInfo:
2011/05/20 15:52:25.0586 4464
2011/05/20 15:52:25.0586 4464 OS Version: 6.0.6002 ServicePack: 2.0
2011/05/20 15:52:25.0586 4464 Product type: Workstation
2011/05/20 15:52:25.0586 4464 ComputerName: RANDY-MAIN
2011/05/20 15:52:25.0586 4464 UserName: Owner
2011/05/20 15:52:25.0586 4464 Windows directory: C:\Windows
2011/05/20 15:52:25.0586 4464 System windows directory: C:\Windows
2011/05/20 15:52:25.0586 4464 Processor architecture: Intel x86
2011/05/20 15:52:25.0586 4464 Number of processors: 4
2011/05/20 15:52:25.0586 4464 Page size: 0x1000
2011/05/20 15:52:25.0586 4464 Boot type: Normal boot
2011/05/20 15:52:25.0586 4464 ================================================================================
2011/05/20 15:52:25.0914 4464 Initialize success
2011/05/20 15:52:27.0552 4584 ================================================================================
2011/05/20 15:52:27.0552 4584 Scan started
2011/05/20 15:52:27.0552 4584 Mode: Manual;
2011/05/20 15:52:27.0552 4584 ================================================================================
2011/05/20 15:52:28.0831 4584 ACPI (82b296ae1892fe3dbee00c9cf92f8ac7) C:\Windows\system32\drivers\acpi.sys
2011/05/20 15:52:29.0205 4584 ADIHdAudAddService (d7d7b88bc75220a67b8e9c9fd0d39951) C:\Windows\system32\drivers\ADIHdAud.sys
2011/05/20 15:52:29.0751 4584 adp94xx (04f0fcac69c7c71a3ac4eb97fafc8303) C:\Windows\system32\drivers\adp94xx.sys
2011/05/20 15:52:29.0829 4584 adpahci (60505e0041f7751bdbb80f88bf45c2ce) C:\Windows\system32\drivers\adpahci.sys
2011/05/20 15:52:29.0970 4584 adpu160m (8a42779b02aec986eab64ecfc98f8bd7) C:\Windows\system32\drivers\adpu160m.sys
2011/05/20 15:52:30.0048 4584 adpu320 (241c9e37f8ce45ef51c3de27515ca4e5) C:\Windows\system32\drivers\adpu320.sys
2011/05/20 15:52:30.0126 4584 AFD (a201207363aa900abf1a388468688570) C:\Windows\system32\drivers\afd.sys
2011/05/20 15:52:30.0157 4584 agp440 (13f9e33747e6b41a3ff305c37db0d360) C:\Windows\system32\drivers\agp440.sys
2011/05/20 15:52:30.0204 4584 aic78xx (ae1fdf7bf7bb6c6a70f67699d880592a) C:\Windows\system32\drivers\djsvs.sys
2011/05/20 15:52:30.0235 4584 aliide (9eaef5fc9b8e351afa7e78a6fae91f91) C:\Windows\system32\drivers\aliide.sys
2011/05/20 15:52:30.0266 4584 amdagp (c47344bc706e5f0b9dce369516661578) C:\Windows\system32\drivers\amdagp.sys
2011/05/20 15:52:30.0282 4584 amdide (9b78a39a4c173fdbc1321e0dd659b34c) C:\Windows\system32\drivers\amdide.sys
2011/05/20 15:52:30.0328 4584 AmdK7 (18f29b49ad23ecee3d2a826c725c8d48) C:\Windows\system32\drivers\amdk7.sys
2011/05/20 15:52:30.0375 4584 AmdK8 (93ae7f7dd54ab986a6f1a1b37be7442d) C:\Windows\system32\drivers\amdk8.sys
2011/05/20 15:52:30.0422 4584 arc (5d2888182fb46632511acee92fdad522) C:\Windows\system32\drivers\arc.sys
2011/05/20 15:52:30.0469 4584 arcsas (5e2a321bd7c8b3624e41fdec3e244945) C:\Windows\system32\drivers\arcsas.sys
2011/05/20 15:52:30.0516 4584 AsIO (663f2fb92608073824ee3106886120f3) C:\Windows\system32\drivers\AsIO.sys
2011/05/20 15:52:30.0562 4584 AsyncMac (53b202abee6455406254444303e87be1) C:\Windows\system32\DRIVERS\asyncmac.sys
2011/05/20 15:52:30.0609 4584 atapi (1f05b78ab91c9075565a9d8a4b880bc4) C:\Windows\system32\drivers\atapi.sys
2011/05/20 15:52:30.0672 4584 Beep (67e506b75bd5326a3ec7b70bd014dfb6) C:\Windows\system32\drivers\Beep.sys
2011/05/20 15:52:30.0952 4584 BHDrvx86 (925a191c8c06124426c63ceb2ea93085) C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\BASHDefs\20110419.001\BHDrvx86.sys
2011/05/20 15:52:31.0015 4584 blbdrive (d4df28447741fd3d953526e33a617397) C:\Windows\system32\drivers\blbdrive.sys
2011/05/20 15:52:31.0062 4584 bowser (35f376253f687bde63976ccb3f2108ca) C:\Windows\system32\DRIVERS\bowser.sys
2011/05/20 15:52:31.0077 4584 BrFiltLo (9f9acc7f7ccde8a15c282d3f88b43309) C:\Windows\system32\drivers\brfiltlo.sys
2011/05/20 15:52:31.0108 4584 BrFiltUp (56801ad62213a41f6497f96dee83755a) C:\Windows\system32\drivers\brfiltup.sys
2011/05/20 15:52:31.0140 4584 Brserid (b304e75cff293029eddf094246747113) C:\Windows\system32\drivers\brserid.sys
2011/05/20 15:52:31.0171 4584 BrSerWdm (203f0b1e73adadbbb7b7b1fabd901f6b) C:\Windows\system32\drivers\brserwdm.sys
2011/05/20 15:52:31.0186 4584 BrUsbMdm (bd456606156ba17e60a04e18016ae54b) C:\Windows\system32\drivers\brusbmdm.sys
2011/05/20 15:52:31.0202 4584 BrUsbSer (af72ed54503f717a43268b3cc5faec2e) C:\Windows\system32\drivers\brusbser.sys
2011/05/20 15:52:31.0218 4584 BTHMODEM (ad07c1ec6665b8b35741ab91200c6b68) C:\Windows\system32\drivers\bthmodem.sys
2011/05/20 15:52:31.0311 4584 cdfs (7add03e75beb9e6dd102c3081d29840a) C:\Windows\system32\DRIVERS\cdfs.sys
2011/05/20 15:52:31.0358 4584 cdrom (6b4bffb9becd728097024276430db314) C:\Windows\system32\DRIVERS\cdrom.sys
2011/05/20 15:52:31.0389 4584 circlass (e5d4133f37219dbcfe102bc61072589d) C:\Windows\system32\drivers\circlass.sys
2011/05/20 15:52:31.0436 4584 CLFS (d7659d3b5b92c31e84e53c1431f35132) C:\Windows\system32\CLFS.sys
2011/05/20 15:52:31.0483 4584 cmdide (0ca25e686a4928484e9fdabd168ab629) C:\Windows\system32\drivers\cmdide.sys
2011/05/20 15:52:31.0498 4584 Compbatt (6afef0b60fa25de07c0968983ee4f60a) C:\Windows\system32\drivers\compbatt.sys
2011/05/20 15:52:31.0514 4584 crcdisk (741e9dff4f42d2d8477d0fc1dc0df871) C:\Windows\system32\drivers\crcdisk.sys
2011/05/20 15:52:31.0545 4584 Crusoe (1f07becdca750766a96cda811ba86410) C:\Windows\system32\drivers\crusoe.sys
2011/05/20 15:52:31.0576 4584 CSC (9bdb2e89be8d0ef37b1f25c3d3fc192c) C:\Windows\system32\drivers\csc.sys
2011/05/20 15:52:31.0608 4584 DfsC (218d8ae46c88e82014f5d73d0236d9b2) C:\Windows\system32\Drivers\dfsc.sys
2011/05/20 15:52:31.0654 4584 disk (5d4aefc3386920236a548271f8f1af6a) C:\Windows\system32\drivers\disk.sys
2011/05/20 15:52:31.0717 4584 drmkaud (97fef831ab90bee128c9af390e243f80) C:\Windows\system32\drivers\drmkaud.sys
2011/05/20 15:52:31.0842 4584 DXGKrnl (c68ac676b0ef30cfbb1080adce49eb1f) C:\Windows\System32\drivers\dxgkrnl.sys
2011/05/20 15:52:31.0873 4584 E1G60 (5425f74ac0c1dbd96a1e04f17d63f94c) C:\Windows\system32\DRIVERS\E1G60I32.sys
2011/05/20 15:52:31.0920 4584 Ecache (7f64ea048dcfac7acf8b4d7b4e6fe371) C:\Windows\system32\drivers\ecache.sys
2011/05/20 15:52:32.0076 4584 eeCtrl (089296aedb9b72b4916ac959752bdc89) C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
2011/05/20 15:52:32.0169 4584 elxstor (23b62471681a124889978f6295b3f4c6) C:\Windows\system32\drivers\elxstor.sys
2011/05/20 15:52:32.0247 4584 EraserUtilRebootDrv (850259334652d392e33ee3412562e583) C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
2011/05/20 15:52:32.0294 4584 ErrDev (3db974f3935483555d7148663f726c61) C:\Windows\system32\drivers\errdev.sys
2011/05/20 15:52:32.0356 4584 exfat (22b408651f9123527bcee54b4f6c5cae) C:\Windows\system32\drivers\exfat.sys
2011/05/20 15:52:32.0388 4584 fastfat (1e9b9a70d332103c52995e957dc09ef8) C:\Windows\system32\drivers\fastfat.sys
2011/05/20 15:52:32.0403 4584 fdc (afe1e8b9782a0dd7fb46bbd88e43f89a) C:\Windows\system32\DRIVERS\fdc.sys
2011/05/20 15:52:32.0450 4584 FileInfo (a8c0139a884861e3aae9cfe73b208a9f) C:\Windows\system32\drivers\fileinfo.sys
2011/05/20 15:52:32.0466 4584 Filetrace (0ae429a696aecbc5970e3cf2c62635ae) C:\Windows\system32\drivers\filetrace.sys
2011/05/20 15:52:32.0481 4584 flpydisk (85b7cf99d532820495d68d747fda9ebd) C:\Windows\system32\DRIVERS\flpydisk.sys
2011/05/20 15:52:32.0544 4584 FltMgr (01334f9ea68e6877c4ef05d3ea8abb05) C:\Windows\system32\drivers\fltmgr.sys
2011/05/20 15:52:32.0590 4584 Fs_Rec (65ea8b77b5851854f0c55c43fa51a198) C:\Windows\system32\drivers\Fs_Rec.sys
2011/05/20 15:52:32.0622 4584 fvevol (fecf4c2e42440a8d132bf94eee3c3fc9) C:\Windows\system32\DRIVERS\fvevol.sys
2011/05/20 15:52:32.0653 4584 gagp30kx (34582a6e6573d54a07ece5fe24a126b5) C:\Windows\system32\drivers\gagp30kx.sys
2011/05/20 15:52:32.0668 4584 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\Windows\system32\DRIVERS\GEARAspiWDM.sys
2011/05/20 15:52:32.0715 4584 HdAudAddService (cb04c744be0a61b1d648faed182c3b59) C:\Windows\system32\drivers\HdAudio.sys
2011/05/20 15:52:32.0793 4584 HDAudBus (062452b7ffd68c8c042a6261fe8dff4a) C:\Windows\system32\DRIVERS\HDAudBus.sys
2011/05/20 15:52:32.0840 4584 HidBth (1338520e78d90154ed6be8f84de5fceb) C:\Windows\system32\drivers\hidbth.sys
2011/05/20 15:52:32.0871 4584 HidIr (ff3160c3a2445128c5a6d9b076da519e) C:\Windows\system32\drivers\hidir.sys
2011/05/20 15:52:32.0902 4584 HidUsb (cca4b519b17e23a00b826c55716809cc) C:\Windows\system32\DRIVERS\hidusb.sys
2011/05/20 15:52:32.0934 4584 HpCISSs (16ee7b23a009e00d835cdb79574a91a6) C:\Windows\system32\drivers\hpcisss.sys
2011/05/20 15:52:32.0980 4584 HTTP (f870aa3e254628ebeafe754108d664de) C:\Windows\system32\drivers\HTTP.sys
2011/05/20 15:52:33.0012 4584 i2omp (c6b032d69650985468160fc9937cf5b4) C:\Windows\system32\drivers\i2omp.sys
2011/05/20 15:52:33.0027 4584 i8042prt (22d56c8184586b7a1f6fa60be5f5a2bd) C:\Windows\system32\DRIVERS\i8042prt.sys
2011/05/20 15:52:33.0058 4584 iaStorV (54155ea1b0df185878e0fc9ec3ac3a14) C:\Windows\system32\drivers\iastorv.sys
2011/05/20 15:52:33.0246 4584 IDSVix86 (7c8ce2b83a89ee1cb0c3fee5991e62a2) C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\IPSDefs\20110425.001\IDSvix86.sys
2011/05/20 15:52:33.0277 4584 iirsp (2d077bf86e843f901d8db709c95b49a5) C:\Windows\system32\drivers\iirsp.sys
2011/05/20 15:52:33.0370 4584 InCDfs (580a81790cd0a48d85da322267da7ac4) C:\Windows\system32\drivers\InCDFs.sys
2011/05/20 15:52:33.0402 4584 InCDPass (aaa2789d2ce21b31be9406ba1ceb7285) C:\Windows\system32\drivers\InCDPass.sys
2011/05/20 15:52:33.0417 4584 InCDrec (4d022577e9072b5d22e0a383a7806bbb) C:\Windows\system32\drivers\InCDrec.sys
2011/05/20 15:52:33.0433 4584 incdrm (c258e57321a3c3737f4fa815fa69ee0b) C:\Windows\system32\drivers\InCDRm.sys
2011/05/20 15:52:33.0464 4584 intelide (83aa759f3189e6370c30de5dc5590718) C:\Windows\system32\drivers\intelide.sys
2011/05/20 15:52:33.0526 4584 intelppm (224191001e78c89dfa78924c3ea595ff) C:\Windows\system32\DRIVERS\intelppm.sys
2011/05/20 15:52:33.0573 4584 IpFilterDriver (62c265c38769b864cb25b4bcf62df6c3) C:\Windows\system32\DRIVERS\ipfltdrv.sys
2011/05/20 15:52:33.0620 4584 IPMIDRV (b25aaf203552b7b3491139d582b39ad1) C:\Windows\system32\drivers\ipmidrv.sys
2011/05/20 15:52:33.0651 4584 IPNAT (8793643a67b42cec66490b2a0cf92d68) C:\Windows\system32\DRIVERS\ipnat.sys
2011/05/20 15:52:33.0682 4584 IRENUM (109c0dfb82c3632fbd11949b73aeeac9) C:\Windows\system32\drivers\irenum.sys
2011/05/20 15:52:33.0698 4584 isapnp (6c70698a3e5c4376c6ab5c7c17fb0614) C:\Windows\system32\drivers\isapnp.sys
2011/05/20 15:52:33.0760 4584 iScsiPrt (232fa340531d940aac623b121a595034) C:\Windows\system32\DRIVERS\msiscsi.sys
2011/05/20 15:52:33.0901 4584 iteatapi (bced60d16156e428f8df8cf27b0df150) C:\Windows\system32\drivers\iteatapi.sys
2011/05/20 15:52:33.0994 4584 iteraid (06fa654504a498c30adca8bec4e87e7e) C:\Windows\system32\drivers\iteraid.sys
2011/05/20 15:52:34.0072 4584 kbdclass (37605e0a8cf00cbba538e753e4344c6e) C:\Windows\system32\DRIVERS\kbdclass.sys
2011/05/20 15:52:34.0119 4584 kbdhid (ede59ec70e25c24581add1fbec7325f7) C:\Windows\system32\DRIVERS\kbdhid.sys
2011/05/20 15:52:34.0166 4584 KSecDD (86165728af9bf72d6442a894fdfb4f8b) C:\Windows\system32\Drivers\ksecdd.sys
2011/05/20 15:52:34.0244 4584 lltdio (d1c5883087a0c3f1344d9d55a44901f6) C:\Windows\system32\DRIVERS\lltdio.sys
2011/05/20 15:52:34.0306 4584 LSI_FC (c7e15e82879bf3235b559563d4185365) C:\Windows\system32\drivers\lsi_fc.sys
2011/05/20 15:52:34.0338 4584 LSI_SAS (ee01ebae8c9bf0fa072e0ff68718920a) C:\Windows\system32\drivers\lsi_sas.sys
2011/05/20 15:52:34.0369 4584 LSI_SCSI (912a04696e9ca30146a62afa1463dd5c) C:\Windows\system32\drivers\lsi_scsi.sys
2011/05/20 15:52:34.0400 4584 luafv (8f5c7426567798e62a3b3614965d62cc) C:\Windows\system32\drivers\luafv.sys
2011/05/20 15:52:34.0431 4584 lvpopflt (9fb982de1c8dd769f8ed681dd878b12f) C:\Windows\system32\DRIVERS\lvpopflt.sys
2011/05/20 15:52:43.0152 4584 ================================================================================
2011/05/20 15:52:43.0152 4584 Scan finished
2011/05/20 15:52:43.0152 4584 ================================================================================
randman111
2011-05-21, 02:27
I also attempted to run CF with the CFScript you gave earlier. It finally ran without a BSOD. Here is a log of that:
ComboFix 11-05-19.02 - Owner 05/20/2011 17:10:04.3.4 - x86
Microsoft® Windows Vista™ Ultimate 6.0.6002.2.1252.1.1033.18.3326.1928 [GMT -4:00]
Running from: K:\ComboFix.exe
Command switches used :: c:\users\Owner\Desktop\CFScript.txt
AV: Norton Internet Security *Disabled/Outdated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
FW: Norton Internet Security *Disabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
SP: Norton Internet Security *Disabled/Outdated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
FILE ::
"c:\windows\system32\cryptuiw.dll"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\cryptuiw.dll
c:\windows\TEMP\logishrd\LVPrcInj01.dll
.
---- Previous Run -------
.
c:\windows\system32\drivers\ytukbxys.sys
c:\windows\TEMP\logishrd\LVPrcInj01.dll
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_wcdlb
.
.
((((((((((((((((((((((((( Files Created from 2011-04-20 to 2011-05-20 )))))))))))))))))))))))))))))))
.
.
2011-05-20 21:16 . 2011-05-20 21:21 -------- d-----w- c:\users\Owner\AppData\Local\temp
2011-05-20 21:16 . 2011-05-20 21:16 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-05-20 21:16 . 2011-05-20 21:16 -------- d-----w- c:\users\Randy\AppData\Local\temp
2011-05-10 02:18 . 2011-05-10 02:18 100480 ----a-w- C:\fgryrpob.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-28 152872]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundTray"="c:\program files\Analog Devices\SoundMAX\SoundTray.exe" [2007-05-21 49152]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"SecurDisc"="c:\program files\Nero\Nero 7\InCD\NBHGui.exe" [2007-06-25 1629480]
"InCD"="c:\program files\Nero\Nero 7\InCD\InCD.exe" [2007-06-25 1057064]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-03 32768]
"Reclusa"="c:\program files\Razer\Reclusa\razerhid.exe" [2007-03-07 167936]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-08-31 1037736]
"RemoteControl8"="c:\program files\CyberLink\PowerDVD8\PDVD8Serv.exe" [2008-03-21 83240]
"PDVD8LanguageShortcut"="c:\program files\CyberLink\PowerDVD8\Language\Language.exe" [2007-12-14 50472]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2011-01-31 38840]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2010-09-22 640440]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-06-06 1261568]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2010-03-12 49208]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"LogitechQuickCamRibbon"="c:\program files\Logitech\Logitech WebCam Software\LWS.exe" [2009-10-14 2793304]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-09-22 47904]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-11-11 288088]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-03-07 421160]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2010-5-28 276328]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-164121268-3062729603-3089187675-1000]
"EnableNotificationsRef"=dword:00000001
.
R0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [x]
R0 lfdt;lfdt;c:\windows\System32\drivers\mkpkkrvh.sys [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 BBSvc;Bing Bar Update Service;c:\program files\Microsoft\BingBar\BBSvc.EXE [2011-02-28 183560]
R3 netr28u;RT2870 USB Wireless LAN Card Driver for Vista;c:\windows\system32\DRIVERS\netr28u.sys [2007-11-21 569344]
R3 SYMNDISV;Symantec Network Filter Driver;c:\windows\System32\Drivers\NIS\1008000.029\SYMNDISV.SYS [x]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\DRIVERS\WSDPrint.sys [2008-01-21 16896]
S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NIS\1205000.07D\SYMDS.SYS [2010-10-21 340016]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1205000.07D\SYMEFA.SYS [2010-11-18 652336]
S1 BHDrvx86;BHDrvx86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\BASHDefs\20110419.001\BHDrvx86.sys [2011-04-15 802936]
S1 IDSVix86;IDSVix86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\IPSDefs\20110425.001\IDSvix86.sys [2011-03-14 353912]
S1 NEOFLTR_650_14951;Juniper Networks TDI Filter Driver (NEOFLTR_650_14951);c:\windows\system32\Drivers\NEOFLTR_650_14951.SYS [2009-12-09 85288]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NIS\1205000.07D\Ironx86.SYS [2010-11-16 136312]
S1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\System32\Drivers\NIS\1205000.07D\SYMTDIV.SYS [2010-12-01 330360]
S2 NIS;Norton Internet Security;c:\program files\Norton Internet Security\Engine\18.5.0.125\ccSvcHst.exe [2010-11-24 130000]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2011-04-19 102448]
S3 RecFltr;Reclusa Keyboard;c:\windows\system32\Drivers\RecFltr.sys [2007-01-18 41984]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
Trusted Zone: mysoros.com\www
TCP: {8A922AEB-17B1-46BA-A1D3-07A38C9F344A} = 8.8.8.8,8.8.4.4
TCP: {E2A39950-BE22-4D80-B17B-2487235659E2} = 8.8.8.8,8.8.4.4
FF - ProfilePath - c:\users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\13mzop8p.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-20 17:19
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NIS]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\18.5.0.125\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files\Norton Internet Security\Engine\18.5.0.125\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(6156)
c:\program files\Common Files\Ahead\Lib\MediaLibraryNSE.dll
c:\program files\Common Files\Ahead\Lib\MFC71U.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\windows\system32\nvvsvc.exe
c:\windows\system32\AEADISRV.EXE
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Nero\Nero 7\InCD\InCDsrv.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\program files\Microsoft\BingBar\SeaPort.EXE
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\windows\system32\WUDFHost.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\DllHost.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\ehome\ehmsas.exe
c:\program files\Razer\Reclusa\razertra.exe
c:\program files\Microsoft IntelliPoint\dpupdchk.exe
c:\program files\Common Files\Ahead\Lib\NMIndexingService.exe
c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files\HP\Digital Imaging\bin\hpqbam08.exe
c:\program files\HP\Digital Imaging\bin\hpqgpc01.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
c:\\?\c:\windows\system32\wbem\WMIADAP.EXE
.
**************************************************************************
.
Completion time: 2011-05-20 17:26:09 - machine was rebooted
ComboFix-quarantined-files.txt 2011-05-20 21:25
ComboFix2.txt 2011-04-22 02:10
.
Pre-Run: 368,212,770,816 bytes free
Post-Run: 369,079,365,632 bytes free
.
- - End Of File - - FE8A8B6DD68609D506284A39CCC8A4C2
randman111
2011-05-21, 02:32
Last reply. . . I just ran spybot, and unfortunately it is still coming up with the click.giftload infection. Argggh!
randman111
2011-05-22, 00:32
Shelflife--
I think that new version of tdsskiller really did the job in terms of helping. I no longer get any blue screens. The infected file was: "ROOTKIT.WIN32.TDSS.tdl4" and it was deleted.
With regards to getting rid of click.giftload, I followed a lead in another thread and used OTL.exe and a custom scan/fix with the script:
:processes
killallprocesses
:OTL
:Services
:Reg
[HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main\featurecontrol\FEATURE_BROWSER_EMULATION]
"svchost.exe"=-
:Files
:Commands
[purity]
[emptytemp]
[RESETHOSTS]
[start explorer]
[Reboot]
That seemed to get rid of it as I just ran spybot and--for the first time--it no longer came up with any problems. The log is below:
--- Report generated: 2011-05-21 15:51 ---
Congratulations!: No immediate threats were found. (Status)
--- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---
2009-01-26 blindman.exe (1.0.0.8)
2009-01-26 SDFiles.exe (1.6.1.7)
2009-01-26 SDMain.exe (1.0.0.6)
2009-01-26 SDShred.exe (1.0.2.5)
2009-01-26 SDUpdate.exe (1.6.0.12)
2009-01-26 SDWinSec.exe (1.0.0.12)
2009-01-26 SpybotSD.exe (1.6.2.46)
2009-03-05 TeaTimer.exe (1.6.6.32)
2010-10-30 unins000.exe (51.49.0.0)
2009-01-26 Update.exe (1.6.0.7)
2009-11-04 advcheck.dll (1.6.5.20)
2007-04-02 aports.dll (2.1.0.0)
2008-06-14 DelZip179.dll (1.79.11.1)
2009-01-26 SDHelper.dll (1.6.2.14)
2008-06-19 sqlite3.dll
2009-01-26 Tools.dll (2.1.6.10)
2009-01-16 UninsSrv.dll (1.0.0.0)
2011-03-18 Includes\Adware.sbi (*)
2011-05-17 Includes\AdwareC.sbi (*)
2010-08-13 Includes\Cookies.sbi (*)
2010-12-14 Includes\Dialer.sbi (*)
2011-03-08 Includes\DialerC.sbi (*)
2011-02-24 Includes\HeavyDuty.sbi (*)
2011-03-29 Includes\Hijackers.sbi (*)
2011-05-16 Includes\HijackersC.sbi (*)
2010-09-15 Includes\iPhone.sbi (*)
2010-12-14 Includes\Keyloggers.sbi (*)
2011-03-08 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2011-04-05 Includes\Malware.sbi (*)
2011-05-17 Includes\MalwareC.sbi (*)
2011-02-24 Includes\PUPS.sbi (*)
2011-03-15 Includes\PUPSC.sbi (*)
2010-01-25 Includes\Revision.sbi (*)
2011-02-24 Includes\Security.sbi (*)
2011-05-03 Includes\SecurityC.sbi (*)
2008-06-03 Includes\Spybots.sbi (*)
2008-06-03 Includes\SpybotsC.sbi (*)
2011-02-24 Includes\Spyware.sbi (*)
2011-05-10 Includes\SpywareC.sbi (*)
2010-03-08 Includes\Tracks.uti
2011-05-17 Includes\Trojans.sbi (*)
2011-05-11 Includes\TrojansC-02.sbi (*)
2011-05-11 Includes\TrojansC-03.sbi (*)
2011-05-11 Includes\TrojansC-04.sbi (*)
2011-05-11 Includes\TrojansC-05.sbi (*)
2011-05-17 Includes\TrojansC.sbi (*)
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
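The registry value the OTL script above deletes can be checked directly instead of relying on a scanner verdict. The PowerShell script below is an added example, not something posted in this thread and not part of OTL or Spybot: it lists every FEATURE_BROWSER_EMULATION entry in each loaded user hive (HKEY_USERS\.DEFAULT included, which is the hive the OTL fix targeted) and, with -Remove, deletes any value whose name is on the suspicious list. It assumes it is run from an elevated PowerShell prompt, and it assumes that svchost.exe has no legitimate reason to appear in that key (the key names executables that host the Internet Explorer WebBrowser control; svchost.exe is a service host, not a browser host). Other names in the list are left alone and only reported.

```powershell
# Added example (not from the thread): audit FEATURE_BROWSER_EMULATION entries in
# every loaded user hive and optionally remove the value OTL deleted above.
# Run from an elevated PowerShell prompt (PowerShell 2.0 syntax for Vista/7).
#
# Assumption: legitimate entries name executables that host the IE WebBrowser
# control; "svchost.exe" is not expected there and is treated as suspicious.
param(
    [switch]$Remove,                            # actually delete suspicious values
    [string[]]$Suspicious = @('svchost.exe')    # value names treated as suspicious
)

$subPath = 'Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION'

# HKEY_USERS holds .DEFAULT plus one SID per loaded profile (HKCU is one of them).
# The *_Classes hives never carry this key, so skip them.
$hives = Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -notlike '*_Classes' }

$findings = @()
foreach ($hive in $hives) {
    $keyPath = "Registry::$($hive.Name)\$subPath"
    if (-not (Test-Path $keyPath)) { continue }

    $key = Get-Item $keyPath
    foreach ($name in $key.GetValueNames()) {
        $isSuspicious = ($Suspicious -contains $name)
        $findings += New-Object PSObject -Property @{
            Hive       = $hive.PSChildName
            Value      = $name
            Data       = $key.GetValue($name)     # IE document mode, e.g. 8000 or 9000
            Suspicious = $isSuspicious
        }
        if ($isSuspicious -and $Remove) {
            Remove-ItemProperty -Path $keyPath -Name $name
            Write-Host "Removed value '$name' from $keyPath"
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Host 'No FEATURE_BROWSER_EMULATION entries found in any loaded hive.'
} else {
    $findings | Select-Object Hive, Value, Data, Suspicious | Format-Table -AutoSize
}
```

Run it once without -Remove to see what is there; a clean machine typically shows either nothing or a few entries naming real applications. Only an entry named svchost.exe matches the indicator this thread dealt with, so do not pass other names to -Suspicious unless you have checked what they are.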
shelf life
2011-05-22, 00:54
hi,
OK, good. Looks like we are done. I will post back with some final items to do.
shelf life
2011-05-22, 01:48
You can remove combofix like this;
start>run and type in combofix /u
click ok or enter
note the space after the x and before the /
You can delete the tdsskiller icon from your desktop and since you have OTL you can open it up and click the CleanUp button
The why and how for making a new restore point:
One of the features of Windows XP, Vista and Windows 7 is the System Restore option, however if malware infects a computer it is possible that the malware could be backed up in the System Restore archive. Therefore, clearing the restore points is a good idea after malware is removed and your computer appears to be functioning OK.
To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.
(winXP)
1. Turn off System Restore. (deletes old possibly infected restore point)
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
2. Reboot.
3. Turn ON System Restore. (creates a new restore point on a clean system)
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK, then reboot
Since you had a rootkit I will post this after the fact;
You had a rootkit on your machine. They hide malicious files and components from traditional antivirus/antimalware software. Rootkits bury themselves deep in the operating system. Special software is needed to detect and remove them. Even if symptoms are gone and logs are clean it's still not a 100% guarantee that your machine is clean once a rootkit has been detected and removed. You should consider a complete reformat/reinstall of Windows as an option.
The best source for information on how to do this would be the computer manufacturers website.
To clean up the machine with current utilities proceed as follows: done
And last, some tips to remain malware free;
10 Tips for Prevention and Avoidance of Malware:
There is no reason why your computer can not stay malware free.
No software can think for you. Help yourself. In no special order:
1) It is essential to keep your operating system (Windows) browser (IE, FireFox, Chrome, Opera) and other software up to date to "patch" vulnerabilities that could be exploited. Visit Windows Update (http://www.update.microsoft.com/microsoftupdate/v6/default.aspx?ln=en-us) frequently or use the Windows auto-update feature. (http://www.microsoft.com/windows/downloads/windowsupdate/automaticupdate.mspx) Staying updated is also essential for other web based applications like Java, Adobe Flash/Reader, iTunes, browser plugins and add-ons. More and more third party applications are being targeted. Not sure if you are using the latest version of software? Check their version status and get the updates here. (http://secunia.com/vulnerability_scanning/online/)
2) Know what you are installing to your computer. A lot of software can come bundled with unwanted add-ons, like adware, toolbars and malware. More and more legitimate software is installing useless toolbars if not unchecked first. Do not install any files from ads, popups or random links. Do not fall for fake warnings about virus and trojans being found on your computer and you are then prompted to install software to remedy this. See also the signs (http://www.malwarevault.com/signs.html) that you may have malware on your computer.
3) Install and keep updated: one antivirus and two or three anti-malware applications. If not updated they will soon be worthless. If either of these frequently find malware then it's time to *review your computer habits*.
4) Refrain from clicking on links or attachments via E-Mail, IM, IRC, Chat Rooms, Blogs or Social Networking Sites, no matter how tempting or legitimate the message may seem. See also E-mail phishing Tricks (http://www.fraud.org/tips/internet/phishing.htm).
5) Do not click on ads/pop ups or offers from websites requesting that you need to install software to your computer--*for any reason*. Use the Alt+F4 keys to close the window.
6) Don't click on offers to "scan" your computer. Install ActiveX Objects with care. Do you trust the website to install components?
7) Consider the use of limited (non-privileged) accounts for everyday use, rather than administrator accounts. Limited accounts (http://www.microsoft.com/protect/computer/advanced/useraccount.mspx) can help prevent *malware from installing and lessen its potential impact.* This is exactly what user account control (UAC) in Windows Vista and Windows 7 attempts to address.
8) Install and understand the *limitations* of a software firewall.
9) Securing IE for safer Browsing. (http://threatpost.com/en_us/slideshow/How%20to%20configure%20Internet%20Explorer%20for%20secure%20surfing) How to harden FireFox (http://threatpost.com/en_us/slideshow/How-to-configure-Mozilla-Firefox-for-secure-surfing?utm_source=Second+Sidebar&utm_medium=Featured+Slideshows&utm_campaign=Configure+Mozilla+Firefox) for safer surfing.
10) Warez, cracks etc are very popular for carrying malware payloads. If you look for these you will encounter malware. If you download/install files via p2p networks you will encounter malware. Do you really trust the source of the file? A file can be named anything, be nothing but malware or have malware bundled in it.
More info/tips with pictures in links below.
Happy Safe Surfing.
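The restore-point steps above are the Windows XP System Restore tab; the machine in this thread runs Vista, where restore points are stored as VSS shadow copies and there is no such tab. The script below is an added example, not something the helper posted: it does the same "throw away the old, possibly infected restore points and create a fresh one" job from an elevated PowerShell 2.0 prompt on Vista or Windows 7. It assumes the system drive is C:\, that the caller is an administrator, and that PowerShell 2.0 is installed (it is optional on Vista). One caveat the XP steps do not mention: deleting every shadow copy also removes the "Previous Versions" file history kept on the same drive.

```powershell
# Added example (not from the thread): reset System Restore on Vista/7 without
# the XP "turn off, reboot, turn on" dance. Run from an elevated PowerShell prompt.
# Assumptions: system drive is C:\, caller is a local administrator.
$drive = 'C:\'

# vssadmin and Checkpoint-Computer both need elevation; fail early and clearly.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated (Run as administrator) PowerShell prompt.'
}

# 1. Show the restore points that exist now (each one is a VSS shadow copy).
Write-Host 'Restore points before cleanup:'
Get-ComputerRestorePoint | Format-Table SequenceNumber, CreationTime, Description -AutoSize

# 2. Delete every shadow copy on the system drive. This is what "turn off System
#    Restore" achieves on XP. /quiet suppresses the Y/N confirmation.
& vssadmin.exe delete shadows /for=$drive /all /quiet
if ($LASTEXITCODE -ne 0) {
    throw "vssadmin delete shadows failed with exit code $LASTEXITCODE"
}

# 3. Make sure protection is enabled for the drive, then create the clean baseline.
Enable-ComputerRestore -Drive $drive
Checkpoint-Computer -Description 'Clean baseline after malware removal' `
                    -RestorePointType MODIFY_SETTINGS

# 4. Verify: only the newly created restore point should be listed.
Write-Host 'Restore points after cleanup:'
Get-ComputerRestorePoint | Format-Table SequenceNumber, CreationTime, Description -AutoSize
```

If step 2 reports that no shadow copies were found, System Restore was already off or empty; steps 3 and 4 still give you the fresh baseline. Rerun Get-ComputerRestorePoint afterwards if in doubt: anything with a CreationTime earlier than the cleanup was not deleted.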
randman111
2011-05-22, 05:01
Just to double-check that everything was clean, I re-ran tdsskiller.exe, MWbytes, and used the ESET Online-scanner. Everything looks ok for now. I then proceeded to create a new restore point and delete all older versions.
Shelflife, before I start to use my computer in normal fashion, is there anything else I should check to make sure everything is in proper working order?
Thanks! Your suggestions, thorough process, and patience are greatly appreciated!!
shelf life
2011-05-22, 14:41
You're welcome. Really, other than clean logs and the absence of malware signs like redirection, there's really nothing else to do short of reformatting and reinstalling Windows, which in some cases isn't a bad idea at all because malware is going deeper and deeper into the OS.
You can make sure you're updated (Windows, antivirus, browser etc.); see item 1. Is your AV up to date? Knowing how you might get malware on your computer will improve your chances of avoiding it. See list and two links.
Note that Malwarebytes (free) must be updated manually and a scan started manually. It's good practice to keep it up to date by checking once a week or so, even if you don't do a scan at that time. Scans also are started manually.
If you frequently have malware then its time to examine your computer habits, or lack of habits.
happy safe surfing
randman111
2011-05-22, 21:23
Everything seems to be working great. Thanks again to you and your fellow security experts on this forum. I just made a donation--so much better than paying for the online help services that the big companies offer.
shelf life
2011-05-23, 00:31
OK, you're welcome. We thank you. Happy safe surfing 'out there'.