Problem with msa.exe and cannot access Spybot S&D to remove properly

sedward · Aug 27, 2009

I think I may have gotten hit with msa.exe and a.exe as a result of clicking on a flash video start button (but not a hundred percent sure). I have read dozens of threads and I think this one by Katana is the closest to my issue. I think I need help with The Avenger2 by SwanDog46
http://forums.spybot.info/showthread.php?t=50599&highlight=msa.exe&page=3

I recall seeing Acrobat trying to open something and getting some notices - when I had not opened a pdf or Acrobat file.

I saw an icon get placed on my desktop for Windows Antivirus Pro (it subsequently took itself off my desktop). When I got redirected to a site (via IE) that I did not choose, I tried to run Spybot S&D (figuring something fishy just happened). I was unable to open spybot. I came to this forum and have spent several hours on this issue. I have run as many reports as I could, but don’t have much to work with. I uninstalled spybot and reinstalled getting this error message.

---------------------------
Error
---------------------------
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
The existing file is marked as read-only.
Click Retry to remove the read-only attribute and try again, Ignore to skip this file, or Abort to cancel installation.
---------------------------
Abort Retry Ignore

Yes - I was able to Download and Run GMER (which I’ll put in post number 2)
GMER has found system modification, which might have been caused by ROOTKIT activity.

Yes – I was able to download and run SysProt Antirootkit (which I’ll put in post number 3)

No – Could not run HiJackThis even after renaming the executable file.
No - Could not run HiJackThis in safemode either.
Error Message: Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item.

No – Could not run DDS (dialog box opened and quickly closed)
No – Could not run DDS in safemode either

No – Could not run ComboFix even after renaming the executable file
No - Could not run ComboFix in safemode either.

I was able to download and start Malwarebytes Anti Malware. MalwareBytes will install and update, but very shortly after starting to run, it closes. After restarting the program, I get "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item."

Went to C:\Documents and Settings\All Users\Application Data
I unhide files and folders and could not find any folders that had all numbers in its name eg 12365489

Thanks for any assistance.

http://forums.spybot.info/showthread.php?t=50599&highlight=msa.exe&page=3
2009-08-09, 19:23
======================

Edit: Removed instructions to run Avenger.

Please note that all instructions given are customized for that member's computer only, the tools used may cause damage if run on a computer with different infections. Your symptoms may only appear to be similar. Regardless, please do not take fixes given to another user and apply to your own machine.

"BEFORE you POST"(READ this Procedure BEFORE Requesting Assistance)

sedward · Aug 27, 2009

GMER log

GMER 1.0.15.15077 [4nrkg1h5.exe] - http://www.gmer.net
Rootkit scan 2009-08-26 15:11:29
Windows 5.1.2600 Service Pack 2

---- System - GMER 1.0.15 ----

Code 861916D8 ZwEnumerateKey
Code 861906D8 ZwFlushInstructionCache
Code 861936D6 ZwSaveKey
Code 861926D6 ZwSaveKeyEx
Code 861946D6 IofCallDriver
Code 861956D6 IofCompleteRequest

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!IofCallDriver 804E13A7 5 Bytes JMP 861946DB
.text ntoskrnl.exe!IofCompleteRequest 804E17BD 5 Bytes JMP 861956DB
? win32k.sys:1 The system cannot find the file specified. !
? win32k.sys:2 The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\Explorer.exe[504] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 00A1000A
.text C:\WINDOWS\system32\svchost.exe[944] USER32.dll!TrackMouseEvent + 94 7E41DD7A 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\77748A8C.x86.dll
.text C:\WINDOWS\system32\svchost.exe[944] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\77748A8C.x86.dll
.text C:\WINDOWS\system32\svchost.exe[944] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\77748A8C.x86.dll
.text C:\WINDOWS\system32\svchost.exe[1044] USER32.dll!TrackMouseEvent + 94 7E41DD7A 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\77748A8C.x86.dll
.text C:\WINDOWS\system32\svchost.exe[1044] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\77748A8C.x86.dll
.text C:\WINDOWS\system32\svchost.exe[1044] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\77748A8C.x86.dll
.text C:\WINDOWS\System32\svchost.exe[1148] USER32.dll!TrackMouseEvent + 94 7E41DD7A 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\77748A8C.x86.dll
.text C:\WINDOWS\System32\svchost.exe[1148] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\77748A8C.x86.dll
.text C:\WINDOWS\System32\svchost.exe[1148] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\77748A8C.x86.dll
.text C:\WINDOWS\system32\svchost.exe[1220] USER32.dll!TrackMouseEvent + 94 7E41DD7A 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\77748A8C.x86.dll
.text C:\WINDOWS\system32\svchost.exe[1220] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\77748A8C.x86.dll
.text C:\WINDOWS\system32\svchost.exe[1220] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\77748A8C.x86.dll
.text C:\WINDOWS\system32\svchost.exe[1460] USER32.dll!TrackMouseEvent + 94 7E41DD7A 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\77748A8C.x86.dll
.text C:\WINDOWS\system32\svchost.exe[1460] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\77748A8C.x86.dll
.text C:\WINDOWS\system32\svchost.exe[1460] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\77748A8C.x86.dll
.text C:\Program Files\iTunes\iTunesHelper.exe[1504] USER32.dll!TrackMouseEvent + 94 7E41DD7A 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\77748A8C.x86.dll
.text C:\Program Files\iTunes\iTunesHelper.exe[1504] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\77748A8C.x86.dll
.text C:\Program Files\iTunes\iTunesHelper.exe[1504] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\77748A8C.x86.dll
.text C:\WINDOWS\system32\spoolsv.exe[1592] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\77748A8C.x86.dll
.text C:\WINDOWS\system32\spoolsv.exe[1592] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\77748A8C.x86.dll
.text C:\WINDOWS\system32\spoolsv.exe[1592] USER32.dll!TrackMouseEvent + 94 7E41DD7A 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\77748A8C.x86.dll
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1720] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\77748A8C.x86.dll
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1720] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\77748A8C.x86.dll
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1720] USER32.dll!TrackMouseEvent + 94 7E41DD7A 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\77748A8C.x86.dll
.text C:\Program Files\Bonjour\mDNSResponder.exe[1736] USER32.dll!TrackMouseEvent + 94 7E41DD7A 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\77748A8C.x86.dll
.text C:\Program Files\Bonjour\mDNSResponder.exe[1736] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\77748A8C.x86.dll
.text C:\Program Files\Bonjour\mDNSResponder.exe[1736] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\77748A8C.x86.dll
.text C:\WINDOWS\system32\svchost.exe[1768] USER32.dll!TrackMouseEvent + 94 7E41DD7A 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\77748A8C.x86.dll
.text C:\WINDOWS\system32\svchost.exe[1768] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\77748A8C.x86.dll
.text C:\WINDOWS\system32\svchost.exe[1768] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\77748A8C.x86.dll

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\system32\svchost.exe[944] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\77748A8C.x86.dll
IAT C:\WINDOWS\system32\svchost.exe[944] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\77748A8C.x86.dll
IAT C:\WINDOWS\system32\svchost.exe[1044] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\77748A8C.x86.dll
IAT C:\WINDOWS\system32\svchost.exe[1044] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\77748A8C.x86.dll
IAT C:\WINDOWS\System32\svchost.exe[1148] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\77748A8C.x86.dll
IAT C:\WINDOWS\System32\svchost.exe[1148] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\77748A8C.x86.dll
IAT C:\WINDOWS\system32\svchost.exe[1220] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\77748A8C.x86.dll
IAT C:\WINDOWS\system32\svchost.exe[1220] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\77748A8C.x86.dll
IAT C:\WINDOWS\system32\svchost.exe[1460] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\77748A8C.x86.dll
IAT C:\WINDOWS\system32\svchost.exe[1460] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\77748A8C.x86.dll
IAT C:\Program Files\iTunes\iTunesHelper.exe[1504] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\77748A8C.x86.dll
IAT C:\Program Files\iTunes\iTunesHelper.exe[1504] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\77748A8C.x86.dll
IAT C:\WINDOWS\system32\spoolsv.exe[1592] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\77748A8C.x86.dll
IAT C:\WINDOWS\system32\spoolsv.exe[1592] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\77748A8C.x86.dll
IAT C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1720] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\77748A8C.x86.dll
IAT C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1720] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\77748A8C.x86.dll
IAT C:\Program Files\Bonjour\mDNSResponder.exe[1736] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\77748A8C.x86.dll
IAT C:\Program Files\Bonjour\mDNSResponder.exe[1736] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\77748A8C.x86.dll
IAT C:\WINDOWS\system32\svchost.exe[1768] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\77748A8C.x86.dll
IAT C:\WINDOWS\system32\svchost.exe[1768] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\77748A8C.x86.dll
---- Processes - GMER 1.0.15 ----

Library \\?\globalroot\Device\__max++>\77748A8C.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [944] 0x35670000
Library \\?\globalroot\Device\__max++>\77748A8C.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1044] 0x35670000
Library \\?\globalroot\Device\__max++>\77748A8C.x86.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [1148] 0x35670000
Library \\?\globalroot\Device\__max++>\77748A8C.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1220] 0x35670000
Library \\?\globalroot\Device\__max++>\77748A8C.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1460] 0x35670000
Library \\?\globalroot\Device\__max++>\77748A8C.x86.dll (*** hidden *** ) @ C:\Program Files\iTunes\iTunesHelper.exe [1504] 0x35670000
Library \\?\globalroot\Device\__max++>\77748A8C.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\spoolsv.exe [1592] 0x35670000
Library \\?\globalroot\Device\__max++>\77748A8C.x86.dll (*** hidden *** ) @ C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [1720] 0x35670000
Library \\?\globalroot\Device\__max++>\77748A8C.x86.dll (*** hidden *** ) @ C:\Program Files\Bonjour\mDNSResponder.exe [1736] 0x35670000
Library \\?\globalroot\Device\__max++>\77748A8C.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1768] 0x35670000

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\drivers\kbiwkmsswuypdw.sys (*** hidden *** ) [SYSTEM] kbiwkmlnmbftko <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmlnmbftko
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmlnmbftko@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmlnmbftko@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmlnmbftko@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmlnmbftko@imagepath \systemroot\system32\drivers\kbiwkmsswuypdw.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmlnmbftko\main
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmlnmbftko\main@aid 20029
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmlnmbftko\main@sid 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmlnmbftko\main@cmddelay 14400
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmlnmbftko\main\delete
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmlnmbftko\main\injector
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmlnmbftko\main\injector@* kbiwkmwsp.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmlnmbftko\main\tasks
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmlnmbftko\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmlnmbftko\modules@kbiwkmrk.sys \systemroot\system32\drivers\kbiwkmsswuypdw.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmlnmbftko\modules@kbiwkmcmd.dll \systemroot\system32\kbiwkmqipyviyq.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmlnmbftko\modules@kbiwkmlog.dat \systemroot\system32\kbiwkmxfubsdnq.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmlnmbftko\modules@kbiwkmwsp.dll \systemroot\system32\kbiwkmwbkfceep.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmlnmbftko\modules@kbiwkm.dat \systemroot\system32\kbiwkmphqbyexm.dat
Reg HKLM\SYSTEM\ControlSet003\Services\kbiwkmlnmbftko (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\kbiwkmlnmbftko@start 1
Reg HKLM\SYSTEM\ControlSet003\Services\kbiwkmlnmbftko@type 1
Reg HKLM\SYSTEM\ControlSet003\Services\kbiwkmlnmbftko@group file system
Reg HKLM\SYSTEM\ControlSet003\Services\kbiwkmlnmbftko@imagepath \systemroot\system32\drivers\kbiwkmsswuypdw.sys
Reg HKLM\SYSTEM\ControlSet003\Services\kbiwkmlnmbftko\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\kbiwkmlnmbftko\main@aid 20029
Reg HKLM\SYSTEM\ControlSet003\Services\kbiwkmlnmbftko\main@sid 0
Reg HKLM\SYSTEM\ControlSet003\Services\kbiwkmlnmbftko\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet003\Services\kbiwkmlnmbftko\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\kbiwkmlnmbftko\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\kbiwkmlnmbftko\main\injector@* kbiwkmwsp.dll
Reg HKLM\SYSTEM\ControlSet003\Services\kbiwkmlnmbftko\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\kbiwkmlnmbftko\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\kbiwkmlnmbftko\modules@kbiwkmrk.sys \systemroot\system32\drivers\kbiwkmsswuypdw.sys
Reg HKLM\SYSTEM\ControlSet003\Services\kbiwkmlnmbftko\modules@kbiwkmcmd.dll \systemroot\system32\kbiwkmqipyviyq.dll
Reg HKLM\SYSTEM\ControlSet003\Services\kbiwkmlnmbftko\modules@kbiwkmlog.dat \systemroot\system32\kbiwkmxfubsdnq.dat
Reg HKLM\SYSTEM\ControlSet003\Services\kbiwkmlnmbftko\modules@kbiwkmwsp.dll \systemroot\system32\kbiwkmwbkfceep.dll
Reg HKLM\SYSTEM\ControlSet003\Services\kbiwkmlnmbftko\modules@kbiwkm.dat \systemroot\system32\kbiwkmphqbyexm.dat
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000

---- Files - GMER 1.0.15 ----

File C:\Old Hard Drive July 2004\Program Files\Common Files\Microsoft Shared\Artgalry\Dark 0 bytes
File C:\Old Hard Drive July 2004\Program Files\Common Files\Microsoft Shared\Artgalry\LIGHT 0 bytes
File C:\Old Hard Drive July 2004\Program Files\Common Files\Microsoft Shared\Artgalry\Pattern 0 bytes
File C:\Old Hard Drive July 2004\Program Files\Common Files\Microsoft Shared\Artgalry\PlainLrgGrout 0 bytes
File C:\Old Hard Drive July 2004\Program Files\Common Files\Microsoft Shared\Artgalry\PlainSm45 0 bytes
File C:\Old Hard Drive July 2004\Program Files\Common Files\Microsoft Shared\Artgalry\PlainSmGrout 0 bytes
File C:\old_hard_drive_April_2008\Documents and Settings\SAYER\Application Data\Microsoft\Common 0 bytes
File C:\old_hard_drive_April_2008\Documents and Settings\SAYER\Application Data\Microsoft\Dreamweaver MX 2004 0 bytes
File C:\old_hard_drive_April_2008\Documents and Settings\SAYER\Application Data\Microsoft\Flash Player 0 bytes
File C:\old_hard_drive_April_2008\Documents and Settings\SAYER\Application Data\Microsoft\Shockwave Player 0 bytes

---- EOF - GMER 1.0.15 ----

sedward · Aug 27, 2009

SysProt AntiRootkit log

SysProt AntiRootkit v1.0.1.0
by swatkat

******************************************************************************************
******************************************************************************************

Process:
Name: [System Idle Process]
PID: 0
Hidden: No
Window Visible: No

Name: System
PID: 4
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\smss.exe
PID: 632
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\csrss.exe
PID: 704
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\winlogon.exe
PID: 728
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\services.exe
PID: 780
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\lsass.exe
PID: 792
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 976
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 1044
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 1148
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 1220
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 1460
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\spoolsv.exe
PID: 1592
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 1692
Hidden: No
Window Visible: No

Name: C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
PID: 1720
Hidden: No
Window Visible: No

Name: C:\Program Files\Bonjour\mDNSResponder.exe
PID: 1736
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\nvsvc32.exe
PID: 1892
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 240
Hidden: No
Window Visible: No

Name: C:\Program Files\CyberLink\Shared Files\RichVideo.exe
PID: 492
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 680
Hidden: No
Window Visible: No

Name: C:\WINDOWS\RTHDCPL.exe
PID: 1132
Hidden: No
Window Visible: No

Name: C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
PID: 1196
Hidden: No
Window Visible: No

Name: C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
PID: 1244
Hidden: No
Window Visible: No

Name: C:\Program Files\epson\Creativity Suite\Event Manager\EEventManager.exe
PID: 1200
Hidden: No
Window Visible: No

Name: C:\Program Files\iTunes\iTunesHelper.exe
PID: 1504
Hidden: No
Window Visible: No

Name: C:\Program Files\Ulead Systems\Ulead VideoStudio SE DVD\uvPL.exe
PID: 1512
Hidden: No
Window Visible: No

Name: C:\WINDOWS\explorer.exe
PID: 504
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 944
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 1768
Hidden: No
Window Visible: No

Name: C:\Program Files\iPod\bin\iPodService.exe
PID: 2052
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 2504
Hidden: No
Window Visible: No

Name: C:\32788R22FWJFW\grep.cfxxe
PID: 3180
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\wuauclt.exe
PID: 3436
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\find.exe
PID: 3604
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\find.exe
PID: 3712
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\notepad.exe
PID: 3728
Hidden: No
Window Visible: Yes

Name: C:\Documents and Settings\Ed\Desktop\sysProt\SysProt\SysProt\SysProt.exe
PID: 2628
Hidden: No
Window Visible: Yes

******************************************************************************************
******************************************************************************************
Kernel Modules:
Module Name: \systemroot\system32\drivers\kbiwkmsswuypdw.sys
Service Name: kbiwkmlnmbftko
Module Base: ---
Module End: ---
Hidden: Yes

Module Name: \??\C:\Documents and Settings\Ed\Desktop\sysProt\SysProt\SysProt\SysProtDrv.sys
Service Name: SysProtDrv.sys
Module Base: B8E54000
Module End: B8E5F000
Hidden: No

Module Name: \WINDOWS\system32\ntoskrnl.exe
Service Name: ---
Module Base: 804D7000
Module End: 806FD000
Hidden: No

Module Name: \WINDOWS\system32\hal.dll
Service Name: ---
Module Base: 806FD000
Module End: 8071DD00
Hidden: No

Module Name: \WINDOWS\system32\KDCOM.DLL
Service Name: ---
Module Base: F7987000
Module End: F7989000
Hidden: No

Module Name: \WINDOWS\system32\BOOTVID.dll
Service Name: ---
Module Base: F7897000
Module End: F789A000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\ACPI.sys
Service Name: ACPI
Module Base: F7438000
Module End: F7466000
Hidden: No

Module Name: \WINDOWS\system32\DRIVERS\WMILIB.SYS
Service Name: ---
Module Base: F7989000
Module End: F798B000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\pci.sys
Service Name: PCI
Module Base: F7427000
Module End: F7438000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\isapnp.sys
Service Name: isapnp
Module Base: F7487000
Module End: F7490000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\pciide.sys
Service Name: PCIIde
Module Base: F7A4F000
Module End: F7A50000
Hidden: No

Module Name: \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
Service Name: ---
Module Base: F7707000
Module End: F770E000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\MountMgr.sys
Service Name: MountMgr
Module Base: F7497000
Module End: F74A2000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\ftdisk.sys
Service Name: Disk
Module Base: F7408000
Module End: F7427000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\dmload.sys
Service Name: dmload
Module Base: F798B000
Module End: F798D000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\dmio.sys
Service Name: dmio
Module Base: F73E2000
Module End: F7408000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\PartMgr.sys
Service Name: PartMgr
Module Base: F770F000
Module End: F7714000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\VolSnap.sys
Service Name: VolSnap
Module Base: F74A7000
Module End: F74B4000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\atapi.sys
Service Name: atapi
Module Base: F73CA000
Module End: F73E2000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\aic78xx.sys
Service Name: aic78xx
Module Base: F74B7000
Module End: F74C5000
Hidden: No

Module Name: \WINDOWS\system32\DRIVERS\SCSIPORT.SYS
Service Name: ---
Module Base: F73B2000
Module End: F73CA000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\disk.sys
Service Name: ---
Module Base: F74C7000
Module End: F74D0000
Hidden: No

Module Name: \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
Service Name: ---
Module Base: F74D7000
Module End: F74E4000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\fltMgr.sys
Service Name: FltMgr
Module Base: F7392000
Module End: F73B2000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\sr.sys
Service Name: sr
Module Base: F7380000
Module End: F7392000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\KSecDD.sys
Service Name: KSecDD
Module Base: F7369000
Module End: F7380000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\Ntfs.sys
Service Name: Ntfs
Module Base: F72DC000
Module End: F7369000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\NDIS.sys
Service Name: NDIS
Module Base: F72AF000
Module End: F72DC000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\sbp2port.sys
Service Name: sbp2port
Module Base: F74E7000
Module End: F74F2000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\ohci1394.sys
Service Name: ohci1394
Module Base: F74F7000
Module End: F7506000
Hidden: No

Module Name: \WINDOWS\system32\DRIVERS\1394BUS.SYS
Service Name: ---
Module Base: F7507000
Module End: F7514000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\Mup.sys
Service Name: Mup
Module Base: F7294000
Module End: F72AF000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\intelppm.sys
Service Name: intelppm
Module Base: F6DED000
Module End: F6DF6000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\serial.sys
Service Name: Serial
Module Base: F6DDD000
Module End: F6DED000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\serenum.sys
Service Name: serenum
Module Base: F6A4A000
Module End: F6A4E000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\fdc.sys
Service Name: Fdc
Module Base: F782F000
Module End: F7836000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\nvsmu.sys
Service Name: nvsmu
Module Base: F6A46000
Module End: F6A49000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\usbohci.sys
Service Name: usbohci
Module Base: F7837000
Module End: F783C000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\USBPORT.SYS
Service Name: ---
Module Base: F6A1B000
Module End: F6A3E000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\usbehci.sys
Service Name: usbehci
Module Base: F783F000
Module End: F7846000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\imapi.sys
Service Name: Imapi
Module Base: F6DCD000
Module End: F6DD8000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Service Name: Cdrom
Module Base: F6DBD000
Module End: F6DCA000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\redbook.sys
Service Name: redbook
Module Base: F6DAD000
Module End: F6DBC000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ks.sys
Service Name: ---
Module Base: F69F8000
Module End: F6A1B000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
Service Name: GEARAspiWDM
Module Base: F6A42000
Module End: F6A45000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
Service Name: HDAudBus
Module Base: F69D3000
Module End: F69F8000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\nic1394.sys
Service Name: NIC1394
Module Base: F6D9D000
Module End: F6DAD000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\HSFBS2S2.sys
Service Name: HSFHWBS2
Module Base: F699D000
Module End: F69D3000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\HSFDPSP2.sys
Service Name: HSF_DP
Module Base: F689E000
Module End: F699D000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\HSFCXTS2.sys
Service Name: winachsf
Module Base: F67F6000
Module End: F689E000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Modem.SYS
Service Name: Modem
Module Base: F7857000
Module End: F785F000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
Service Name: nv
Module Base: F616C000
Module End: F67F6000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS
Service Name: ---
Module Base: F6158000
Module End: F616C000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\nvnetbus.sys
Service Name: nvnetbus
Module Base: F6D8D000
Module End: F6D97000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\NVNRM.SYS
Service Name: ---
Module Base: F607F000
Module End: F6158000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
Service Name: WmiAcpi
Module Base: F791B000
Module End: F791E000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\audstub.sys
Service Name: audstub
Module Base: F7B98000
Module End: F7B99000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
Service Name: Rasl2tp
Module Base: F6D7D000
Module End: F6D8A000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ndistapi.sys
Service Name: NdisTapi
Module Base: F791F000
Module End: F7922000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ndiswan.sys
Service Name: NdisWan
Module Base: F6068000
Module End: F607F000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\raspppoe.sys
Service Name: RasPppoe
Module Base: F6D6D000
Module End: F6D78000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\raspptp.sys
Service Name: PptpMiniport
Module Base: F7617000
Module End: F7623000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\TDI.SYS
Service Name: ---
Module Base: F785F000
Module End: F7864000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\psched.sys
Service Name: PSched
Module Base: F6057000
Module End: F6068000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\msgpc.sys
Service Name: Gpc
Module Base: F7627000
Module End: F7630000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ptilink.sys
Service Name: Ptilink
Module Base: F7867000
Module End: F786C000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\raspti.sys
Service Name: Raspti
Module Base: F786F000
Module End: F7874000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\rdpdr.sys
Service Name: rdpdr
Module Base: F6026000
Module End: F6057000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\termdd.sys
Service Name: TermDD
Module Base: F7637000
Module End: F7641000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\kbdclass.sys
Service Name: Kbdclass
Module Base: F7877000
Module End: F787D000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\mouclass.sys
Service Name: Mouclass
Module Base: F787F000
Module End: F7885000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\swenum.sys
Service Name: swenum
Module Base: F79F1000
Module End: F79F3000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\update.sys
Service Name: Update
Module Base: F5FCD000
Module End: F6026000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\mssmbios.sys
Service Name: mssmbios
Module Base: F793F000
Module End: F7943000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\NVENETFD.sys
Service Name: NVENETFD
Module Base: F76F7000
Module End: F7705000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\NDProxy.SYS
Service Name: NDProxy
Module Base: F7537000
Module End: F7541000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\usbhub.sys
Service Name: usbhub
Module Base: F7547000
Module End: F7556000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\USBD.SYS
Service Name: ---
Module Base: F79F7000
Module End: F79F9000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\MODEMCSA.sys
Service Name: MODEMCSA
Module Base: F7270000
Module End: F7274000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\RtkHDAud.sys
Service Name: IntcAzAudAddService
Module Base: F20BB000
Module End: F2544000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\portcls.sys
Service Name: ---
Module Base: F1F52000
Module End: F1F74000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\drmk.sys
Service Name: ---
Module Base: F5F5D000
Module End: F5F6C000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\flpydisk.sys
Service Name: Flpydisk
Module Base: F77FF000
Module End: F7804000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Fs_Rec.SYS
Service Name: Fs_Rec
Module Base: F7A19000
Module End: F7A1B000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Null.SYS
Service Name: Null
Module Base: F1618000
Module End: F1619000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Beep.SYS
Service Name: Beep
Module Base: F7A1B000
Module End: F7A1D000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS
Service Name: ---
Module Base: F781F000
Module End: F7826000
Hidden: No

Module Name: C:\WINDOWS\System32\drivers\vga.sys
Service Name: VgaSave
Module Base: F7827000
Module End: F782D000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\mnmdd.SYS
Service Name: mnmdd
Module Base: F7A1D000
Module End: F7A1F000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\RDPCDD.sys
Service Name: RDPCDD
Module Base: F7A1F000
Module End: F7A21000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\usbccgp.sys
Service Name: usbccgp
Module Base: F3B48000
Module End: F3B50000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\usbscan.sys
Service Name: usbscan
Module Base: F1E74000
Module End: F1E78000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
Service Name: usbstor
Module Base: F07C1000
Module End: F07C8000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Msfs.SYS
Service Name: Msfs
Module Base: F0791000
Module End: F0796000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Npfs.SYS
Service Name: Npfs
Module Base: F0789000
Module End: F0791000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\rasacd.sys
Service Name: RasAcd
Module Base: F1563000
Module End: F1566000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ipsec.sys
Service Name: IPSec
Module Base: EF462000
Module End: EF475000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\tcpip.sys
Service Name: Tcpip
Module Base: EF40A000
Module End: EF462000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\netbt.sys
Service Name: NetBT
Module Base: EF3E2000
Module End: EF40A000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ipnat.sys
Service Name: IpNat
Module Base: EF3C1000
Module End: EF3E2000
Hidden: No

Module Name: C:\WINDOWS\System32\drivers\afd.sys
Service Name: AFD
Module Base: EF39F000
Module End: EF3C1000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\wanarp.sys
Service Name: Wanarp
Module Base: F061F000
Module End: F0628000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\netbios.sys
Service Name: NetBIOS
Module Base: F05FF000
Module End: F0608000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\rdbss.sys
Service Name: Rdbss
Module Base: EF374000
Module End: EF39F000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\arp1394.sys
Service Name: Arp1394
Module Base: F05EF000
Module End: F05FE000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
Service Name: MRxSmb
Module Base: EF305000
Module End: EF374000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\hidusb.sys
Service Name: HidUsb
Module Base: F0AE8000
Module End: F0AEB000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS
Service Name: ---
Module Base: F0466000
Module End: F046F000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Fips.SYS
Service Name: Fips
Module Base: F0456000
Module End: F045F000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\usbprint.sys
Service Name: usbprint
Module Base: F0549000
Module End: F0550000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\HPZius12.sys
Service Name: HPZius12
Module Base: F0541000
Module End: F0547000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\kbdhid.sys
Service Name: kbdhid
Module Base: F0106000
Module End: F010A000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\LHidFilt.Sys
Service Name: LHidFilt
Module Base: F01ED000
Module End: F01F4000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\WDFLDR.SYS
Service Name: ---
Module Base: EF23D000
Module End: EF24A000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\Wdf01000.sys
Service Name: Wdf01000
Module Base: EE757000
Module End: EE7D2000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\mouhid.sys
Service Name: mouhid
Module Base: F00F2000
Module End: F00F5000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\LMouFilt.Sys
Service Name: LMouFilt
Module Base: F01AD000
Module End: F01B4000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\HPZid412.sys
Service Name: HPZid412
Module Base: EF1A8000
Module End: EF1B5000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\HPZipr12.sys
Service Name: HPZipr12
Module Base: F0AD8000
Module End: F0ADC000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Cdfs.SYS
Service Name: Cdfs
Module Base: EF1B8000
Module End: EF1C8000
Hidden: No

Module Name: \SystemRoot\System32\Drivers\dump_atapi.sys
Service Name: ---
Module Base: EB114000
Module End: EB12C000
Hidden: Yes

Module Name: \SystemRoot\System32\Drivers\dump_WMILIB.SYS
Service Name: ---
Module Base: EEAB1000
Module End: EEAB3000
Hidden: Yes

Module Name: C:\WINDOWS\System32\drivers\Dxapi.sys
Service Name: ---
Module Base: EE4C0000
Module End: EE4C3000
Hidden: No

Module Name: C:\WINDOWS\System32\watchdog.sys
Service Name: ---
Module Base: F1E20000
Module End: F1E25000
Hidden: No

Module Name: C:\WINDOWS\System32\drivers\dxgthk.sys
Service Name: ---
Module Base: EE7EE000
Module End: EE7EF000
Hidden: No

Module Name: \systemroot\win32k.sys:1
Service Name: ---
Module Base: F07A9000
Module End: F07AE000
Hidden: Yes

Module Name: \systemroot\win32k.sys:2
Service Name: ---
Module Base: F0C0E000
Module End: F0C1D000
Hidden: Yes

Module Name: C:\WINDOWS\system32\DRIVERS\ndisuio.sys
Service Name: Ndisuio
Module Base: F0579000
Module End: F057D000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\mrxdav.sys
Service Name: MRxDAV
Module Base: BADAC000
Module End: BADD8000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
Service Name: mdmxsdk
Module Base: F5E2C000
Module End: F5E2F000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\srv.sys
Service Name: Srv
Module Base: BACE2000
Module End: BAD34000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\wdmaud.sys
Service Name: wdmaud
Module Base: BAC7D000
Module End: BAC92000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\sysaudio.sys
Service Name: sysaudio
Module Base: EF48F000
Module End: EF49E000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\HTTP.sys
Service Name: HTTP
Module Base: B9E32000
Module End: B9E73000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Fastfat.SYS
Service Name: Fastfat
Module Base: B9D6F000
Module End: B9D92000
Hidden: No

Module Name: \??\C:\DOCUME~1\Ed\LOCALS~1\Temp\aujasnkj.sys
Service Name: aujasnkj
Module Base: B8DA4000
Module End: B8DB9000
Hidden: Yes

Module Name: C:\WINDOWS\system32\drivers\kmixer.sys
Service Name: kmixer
Module Base: B8D79000
Module End: B8DA4000
Hidden: No

******************************************************************************************
******************************************************************************************
No SSDT Hooks found

******************************************************************************************
******************************************************************************************
Kernel Hooks:
Hooked Function: ZwSaveKeyEx
At Address: 806532AB
Jump To: 861926DA
Module Name: _unknown_

Hooked Function: ZwSaveKey
At Address: 80653213
Jump To: 861936DA
Module Name: _unknown_

Hooked Function: ZwFlushInstructionCache
At Address: 80585F1C
Jump To: 861906DC
Module Name: _unknown_

Hooked Function: ZwEnumerateKey
At Address: 805783A4
Jump To: 861916DC
Module Name: _unknown_

Hooked Function: IofCompleteRequest
At Address: 804E17BD
Jump To: 861956DB
Module Name: _unknown_

Hooked Function: IofCallDriver
At Address: 804E13A7
Jump To: 861946DB
Module Name: _unknown_

******************************************************************************************
******************************************************************************************
No IRP Hooks found

******************************************************************************************
******************************************************************************************
Ports:
Local Address: SAYER:27015
Remote Address: LOCALHOST:1030
Type: TCP
Process: C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
State: ESTABLISHED

Local Address: SAYER:27015
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
State: LISTENING

Local Address: SAYER:5354
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\Bonjour\mDNSResponder.exe
State: LISTENING

Local Address: SAYER:1030
Remote Address: LOCALHOST:27015
Type: TCP
Process: C:\Program Files\iTunes\iTunesHelper.exe
State: ESTABLISHED

Local Address: SAYER:NETBIOS-SSN
Remote Address: 0.0.0.0:0
Type: TCP
Process: System
State: LISTENING

Local Address: SAYER:2869
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\WINDOWS\system32\svchost.exe
State: LISTENING

Local Address: SAYER:MICROSOFT-DS
Remote Address: 0.0.0.0:0
Type: TCP
Process: System
State: LISTENING

Local Address: SAYER:EPMAP
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\WINDOWS\system32\svchost.exe
State: LISTENING

Local Address: SAYER:1900
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA

Local Address: SAYER:123
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA

Local Address: SAYER:5353
Remote Address: NA
Type: UDP
Process: C:\Program Files\Bonjour\mDNSResponder.exe
State: NA

Local Address: SAYER:1900
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA

Local Address: SAYER:138
Remote Address: NA
Type: UDP
Process: System
State: NA

Local Address: SAYER:NETBIOS-NS
Remote Address: NA
Type: UDP
Process: System
State: NA

Local Address: SAYER:123
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA

Local Address: SAYER:55825
Remote Address: NA
Type: UDP
Process: C:\Program Files\Bonjour\mDNSResponder.exe
State: NA

Local Address: SAYER:4500
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\lsass.exe
State: NA

Local Address: SAYER:1027
Remote Address: NA
Type: UDP
Process: C:\Program Files\Bonjour\mDNSResponder.exe
State: NA

Local Address: SAYER:500
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\lsass.exe
State: NA

Local Address: SAYER:MICROSOFT-DS
Remote Address: NA
Type: UDP
Process: System
State: NA

******************************************************************************************
******************************************************************************************
Hidden files/folders:
Object: C:\Documents and Settings\Ed\My Documents\My Music\iTunes\iTunes Music\Michael Jackson\Thriller\02 ????·??·???.m4a
Status: Hidden

Object: C:\Documents and Settings\Ed\My Documents\My Music\iTunes\iTunes Music\Michael Jackson\Thriller\03 ???·??·???.m4a
Status: Hidden

Object: C:\Documents and Settings\Ed\My Documents\My Music\iTunes\iTunes Music\Michael Jackson\Thriller\05 ??????·???.m4a
Status: Hidden

Object: C:\Documents and Settings\Ed\My Documents\My Music\iTunes\iTunes Music\Michael Jackson\Thriller\06 ???·???.m4a
Status: Hidden

Object: C:\Documents and Settings\Ed\My Documents\My Music\iTunes\iTunes Music\Michael Jackson\Thriller\07 ?????·?????.m4a
Status: Hidden

Object: C:\Documents and Settings\Ed\My Documents\My Music\iTunes\iTunes Music\Michael Jackson\Thriller\09 ???·??·??·???.m4a
Status: Hidden

Object: C:\old_hard_drive_April_2008\Documents and Settings\SAYER\SAYER's Documents\My Music\iTunes\iTunes Music\Michael Jackson\Thriller\02 ????·??·???.m4a
Status: Hidden

Object: C:\old_hard_drive_April_2008\Documents and Settings\SAYER\SAYER's Documents\My Music\iTunes\iTunes Music\Michael Jackson\Thriller\03 ???·??·???.m4a
Status: Hidden

Object: C:\old_hard_drive_April_2008\Documents and Settings\SAYER\SAYER's Documents\My Music\iTunes\iTunes Music\Michael Jackson\Thriller\05 ??????·???.m4a
Status: Hidden

Object: C:\old_hard_drive_April_2008\Documents and Settings\SAYER\SAYER's Documents\My Music\iTunes\iTunes Music\Michael Jackson\Thriller\06 ???·???.m4a
Status: Hidden

Object: C:\old_hard_drive_April_2008\Documents and Settings\SAYER\SAYER's Documents\My Music\iTunes\iTunes Music\Michael Jackson\Thriller\07 ?????·?????.m4a
Status: Hidden

Object: C:\old_hard_drive_April_2008\Documents and Settings\SAYER\SAYER's Documents\My Music\iTunes\iTunes Music\Michael Jackson\Thriller\09 ???·??·??·???.m4a
Status: Hidden

Object: C:\System Volume Information\MountPointManagerRemoteDatabase
Status: Access denied

Object: C:\System Volume Information\tracking.log
Status: Access denied

Object: C:\System Volume Information\_restore{0AB16BD1-A7E7-48B0-AE94-B14A97538217}
Status: Access denied

tashi · Aug 27, 2009

Hello sedward,

Due to the volume of posts to your own thread, it would appear to volunteer analysts that you are already being assisted as they look for topics with no response.

Please start a new topic, state you cannot run HJT and provide a link back to this page.

Do NOT run 'FIXES' before helpers have analyzed the HJT log

Or in this case advised when one cannot run HJT.

Best regards.

Problem with msa.exe and cannot access Spybot S&D to remove properly

sedward

New member

sedward

New member

sedward

New member

tashi

Member of Team Spybot