Win32.TDSS.rtk

Status
Not open for further replies.
The latest hijack this log. The computer seems to be running normally. I have not noticed any slowdowns, redirects or any other signs of trouble.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:23:35 AM, on 8/10/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nhl.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ePower_DMC] C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
O4 - Global Startup: Acer Empowering Technology.lnk.disabled
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O4 - Global Startup: Desktop Manager.lnk.disabled
O4 - Global Startup: Microsoft Find Fast.lnk.disabled
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\avgrsstx.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Memory Check Service (AcerMemUsageCheckService) - Acer Inc. - C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)

--
End of file - 7920 bytes
 
Remove HijackThis entries


  • Run HijackThis
  • Click on the Scan button
  • Put a check beside all of the items listed below (if present):

    R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
  • Close all open windows and browsers/email etc...
  • Click on the Fix Checked button
  • When completed close the application.



Show All Files And Folders Windows XP


  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View Tab.
  • Under the Hidden files and folders heading select Show hidden files and folders.
  • Uncheck Hide file extensions for known file types
  • Uncheck the Hide protected operating system files (recommended) option.
  • Click Apply to confirm.
  • Click OK.



Can you go to this folder:

c:\windows\EQ09IR0AJS2BLU3C

Could you tell me what is inside?
 
Delete the folder.

Do you have any problems.

Can you post one more HijackThis log for me to see.
 
The folder deleted without resistance. here is the new hijack this log. I did notice that the "R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file) " that I fixed earlier is back.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:49:42 AM, on 8/10/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\SearchProtocolHost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nhl.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ePower_DMC] C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
O4 - Global Startup: Acer Empowering Technology.lnk.disabled
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O4 - Global Startup: Desktop Manager.lnk.disabled
O4 - Global Startup: Microsoft Find Fast.lnk.disabled
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\avgrsstx.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Memory Check Service (AcerMemUsageCheckService) - Acer Inc. - C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)

--
End of file - 7965 bytes
 
Hello!

It is a orphan entry, so it doesnt do anything.



Your log now appears to be clean. Congratulations!

You can get rid of the tools we used:

  • DDS - (You can just delete the exe file from your desktop)
  • ATF cleaner - (You can just delete the exe file from your desktop)



Delete ComboFix and Clean Up
Click Start > Run > type combofix /u > OK (Note the space between combofix and /u)
CF_Cleanup.png

Please advise if this step is missed for any reason as it performs some important actions.

OTC

Download OTC by Old Timer and save it to your Desktop.


  • Double-click OTC.exe
  • Click the CleanUp! button
  • Select Yes when the Begin cleanup Process? Prompt appears
  • If you are prompted to Reboot during the cleanup, select Yes
  • The tool will delete itself once it finishes, if not delete it by yourself


Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.


General Security and Computer Health
Below are some steps to follow in order to dramatically lower the chances of reinfection. You may have already implemented some of the steps below, however you should follow any steps that you have not already implemented.


  • Make sure that you keep your antivirus updated
    New viruses come out every minute, so it is essential that you have the latest signatures for your antivirus program to provide you with the best possible protection from malicious software.
    NOTE: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.
  • Security Updates for Windows, Internet Explorer & Microsoft Office
    Whenever a security problem in its software is found, Microsoft will usually create a patch so that after the patch is installed, attackers can't use the vulnerability to install malicious software on your PC. Keeping up with these patches will help to prevent malicious software being installed on your PC. Ensure you are registered for Windows updates via Start > right-click on My Computer > Properties > Automatic Updates tab or visit the Microsoft Update site on a regular basis.
    NOTE: The update process uses ActiveX, so you will need to use internet explorer for it and allow the ActiveX control to install.
  • Update Non-Microsoft Programs
    Microsoft isn't the only company whose products can contain security vulnerabilities. To check whether other programs running on your PC are in need of an update, you can use the Secunia Software Inspector or F-secure Health Check. I suggest that you run one of them at least once a month.



Recommended Programs

I would recommend the download and installation of some or all of the following programs (if not already present), and the updating of them on a regular basis.


  • WinPatrol
    As a robust security monitor, WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. WinPatrol takes snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge. For more information, please visit HERE.
  • SpywareBlaster
    SpywareBlaster sets killbits in the registry to prevent known malicious ActiveX controls from installing on your computer. If you don't know what ActiveX controls are, see HERE. You can download SpywareBlaster from HERE.
  • Malwarebytes' Anti-Malware
    Malwarebytes' Anti-Malware is an anti-malware application that can thoroughly remove even the most advanced malware. It includes a number of features, including a built in protection monitor that blocks malicious processes before they even start.You can download Malwarebytes' Anti-Malware from HERE. Here are two tutorials: Malwarebytes' Anti-Malware Setup Guide and Malwarebytes' Anti-Malware Scanning Guide.
  • Hosts File
    For added protection you may also like to add a host file. A simple explanation of what a Hosts file does is HERE and for more information regarding host files read HERE.
  • Use an alternative Internet Browser
    Many of the exploits are directed to users of Internet Explorer. Try using a different browser instead: Firefox or Opera or Google Chrome


Here is a great article by miekiemoes How to prevent Malware.

Finally I am trying to make one point very clear. It is ABSOLUTELY ESSENTIAL to keep all of your security programs up to date.


Please take the time to tell us what you would like to be done about the people who are behind all the problems you have had. We can only get something done about this if the people that we help, like you, are prepared to complain. We have a dedicated forum for collecting these complaints Malware Complaints. You need to be registered to post as, unfortunately, we were hit with too many spam posts to allow guest posting to continue. Just find your country room and register your complaint.


I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can be closed.

Happy surfing and stay clean!

Bio-Hazard
 
a long string of profanities goes here

I did the uninstalls and started updating my virus & spyware scanners. AVG came up clean. Malwarebytes came up clean. Spybot detected the same group of infected files plus one. Either this is a false positive of someone, somewhere really deserves to have his compter inserted rectally. Sideways.

Here is a fresh hijack this log.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:38:42 PM, on 8/10/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\LAUNCH~1\LManager.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\System32\svchost.exe
C:\Python24\Doc\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nhl.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Python24\Doc\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ePower_DMC] C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\RunOnce: [SpybotDeletingA481] command.com /c del "C:\WINDOWS\system32\drivers\geyekrtivmlkya.sys"
O4 - HKLM\..\RunOnce: [SpybotDeletingC4484] cmd.exe /c del "C:\WINDOWS\system32\drivers\geyekrtivmlkya.sys"
O4 - HKLM\..\RunOnce: [SpybotDeletingA1570] command.com /c del "C:\WINDOWS\system32\geyekrbuhylhmn.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC1358] cmd.exe /c del "C:\WINDOWS\system32\geyekrbuhylhmn.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingA3970] command.com /c del "C:\WINDOWS\system32\geyekrxfenxvmc.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC788] cmd.exe /c del "C:\WINDOWS\system32\geyekrxfenxvmc.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingA2246] command.com /c del "C:\WINDOWS\system32\geyekrornmbpxe.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC4202] cmd.exe /c del "C:\WINDOWS\system32\geyekrornmbpxe.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingA5567] command.com /c del "C:\WINDOWS\system32\geyekrjwmeoxta.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC7403] cmd.exe /c del "C:\WINDOWS\system32\geyekrjwmeoxta.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingA4648] command.com /c del "C:\WINDOWS\system32\geyekrapjdskvl.dat"
O4 - HKLM\..\RunOnce: [SpybotDeletingC8970] cmd.exe /c del "C:\WINDOWS\system32\geyekrapjdskvl.dat"
O4 - HKLM\..\RunOnce: [SpybotDeletingA5495] command.com /c del "C:\WINDOWS\system32\geyekrnrndxrqt.dat"
O4 - HKLM\..\RunOnce: [SpybotDeletingC924] cmd.exe /c del "C:\WINDOWS\system32\geyekrnrndxrqt.dat"
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Python24\Doc\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB1578] command.com /c del "C:\WINDOWS\system32\drivers\geyekrtivmlkya.sys"
O4 - HKCU\..\RunOnce: [SpybotDeletingD8031] cmd.exe /c del "C:\WINDOWS\system32\drivers\geyekrtivmlkya.sys"
O4 - HKCU\..\RunOnce: [SpybotDeletingB8775] command.com /c del "C:\WINDOWS\system32\geyekrbuhylhmn.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD7493] cmd.exe /c del "C:\WINDOWS\system32\geyekrbuhylhmn.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB5696] command.com /c del "C:\WINDOWS\system32\geyekrxfenxvmc.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD4815] cmd.exe /c del "C:\WINDOWS\system32\geyekrxfenxvmc.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB2929] command.com /c del "C:\WINDOWS\system32\geyekrornmbpxe.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD2988] cmd.exe /c del "C:\WINDOWS\system32\geyekrornmbpxe.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB3710] command.com /c del "C:\WINDOWS\system32\geyekrjwmeoxta.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD7612] cmd.exe /c del "C:\WINDOWS\system32\geyekrjwmeoxta.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB7014] command.com /c del "C:\WINDOWS\system32\geyekrapjdskvl.dat"
O4 - HKCU\..\RunOnce: [SpybotDeletingD930] cmd.exe /c del "C:\WINDOWS\system32\geyekrapjdskvl.dat"
O4 - HKCU\..\RunOnce: [SpybotDeletingB1334] command.com /c del "C:\WINDOWS\system32\geyekrnrndxrqt.dat"
O4 - HKCU\..\RunOnce: [SpybotDeletingD2141] cmd.exe /c del "C:\WINDOWS\system32\geyekrnrndxrqt.dat"
O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
O4 - Global Startup: Acer Empowering Technology.lnk.disabled
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O4 - Global Startup: Desktop Manager.lnk.disabled
O4 - Global Startup: Microsoft Find Fast.lnk.disabled
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Python24\Doc\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Python24\Doc\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\avgrsstx.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Memory Check Service (AcerMemUsageCheckService) - Acer Inc. - C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)

--
End of file - 11886 bytes


Here is the latest log from Spybot.


--- Report generated: 2009-08-10 16:36 ---

Win32.TDSS.rtk: [SBI $1473B578] File (File, fixed)
C:\WINDOWS\system32\drivers\geyekrtivmlkya.sys
Properties.size=0
Properties.md5=571F2EAA4A7488C33A786A7E56917FA7

Win32.TDSS.rtk: [SBI $5CC20837] File (File, fixed)
C:\WINDOWS\system32\geyekrbuhylhmn.dll
Properties.size=0
Properties.md5=C51243FA8F70570A881D35790D8BB310

Win32.TDSS.rtk: [SBI $5CC20837] File (File, fixed)
C:\WINDOWS\system32\geyekrxfenxvmc.dll
Properties.size=0
Properties.md5=F10EAE5B4D181BD1656EF67B8398CF93

Win32.TDSS.rtk: [SBI $5CC20837] File (File, fixed)
C:\WINDOWS\system32\geyekrornmbpxe.dll
Properties.size=0
Properties.md5=C51243FA8F70570A881D35790D8BB310

Win32.TDSS.rtk: [SBI $5CC20837] File (File, fixed)
C:\WINDOWS\system32\geyekrjwmeoxta.dll
Properties.size=0
Properties.md5=C51243FA8F70570A881D35790D8BB310

Win32.TDSS.rtk: [SBI $0419F0A4] File (File, fixed)
C:\WINDOWS\system32\geyekrapjdskvl.dat
Properties.size=0
Properties.md5=22C4193BBD3E986AB091555972CE4A22

Win32.TDSS.rtk: [SBI $0419F0A4] File (File, fixed)
C:\WINDOWS\system32\geyekrnrndxrqt.dat
Properties.size=0
Properties.md5=D1F9B5AE88CAC902CBD9A958ACCA909D

Right Media: Tracking cookie (Internet Explorer: Karla) (Cookie, fixed)



--- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---

2009-03-09 unins000.exe (51.49.0.0)
2009-01-26 blindman.exe (1.0.0.8)
2009-01-26 SDMain.exe (1.0.0.6)
2009-01-26 Update.exe (1.6.0.7)
2009-01-26 SDFiles.exe (1.6.1.7)
2009-01-26 SDUpdate.exe (1.6.0.12)
2009-01-26 SpybotSD.exe (1.6.2.46)
2009-01-26 SDShred.exe (1.0.2.5)
2009-03-05 TeaTimer.exe (1.6.6.32)
2009-01-16 UninsSrv.dll (1.0.0.0)
2009-01-26 SDHelper.dll (1.6.2.14)
2009-01-26 Tools.dll (2.1.6.10)
2008-06-14 DelZip179.dll (1.79.11.1)
2007-04-02 aports.dll (2.1.0.0)
2008-06-19 sqlite3.dll
2009-07-28 advcheck.dll (1.6.3.17)
2004-11-29 Includes\LSP.sbi (*)
2009-01-13 Includes\Security.sbi (*)
2009-03-25 Includes\PUPS.sbi (*)
2009-05-19 Includes\Dialer.sbi (*)
2008-06-03 Includes\Spybots.sbi (*)
2009-04-07 Includes\Spyware.sbi (*)
2009-05-19 Includes\Adware.sbi (*)
2009-05-26 Includes\Hijackers.sbi (*)
2009-06-23 Includes\Keyloggers.sbi (*)
2009-07-14 Includes\Malware.sbi (*)
2009-07-22 Includes\Trojans.sbi (*)
2009-01-22 Includes\Cookies.sbi (*)
2009-01-22 Includes\Revision.sbi (*)
2009-06-08 Includes\Tracks.uti
2009-08-05 Includes\TrojansC.sbi (*)
2008-06-03 Includes\SpybotsC.sbi (*)
2009-07-30 Includes\SecurityC.sbi (*)
2009-08-04 Includes\PUPSC.sbi (*)
2009-08-05 Includes\MalwareC.sbi (*)
2009-07-30 Includes\KeyloggersC.sbi (*)
2009-08-04 Includes\HijackersC.sbi (*)
2009-08-04 Includes\DialerC.sbi (*)
2009-01-22 Includes\HeavyDuty.sbi (*)
2009-07-30 Includes\AdwareC.sbi (*)
2009-08-04 Includes\SpywareC.sbi (*)
2007-12-24 Plugins\TCPIPAddress.dll
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
 
Just to be clear, all of my angry comments are directed toward the people who write and distribute malware and such. Not you or any of the other helpers on this forum.
 
Hello!

Well lets what is going on.

I would like you to uninstall Spybot and then reboot. After reboot run combofix.

Download and Run ComboFix

Download ComboFix from one of these locations:

Link 1
Link 2

Here you can find a tutorial about Combofix: HOW TO USE COMBOFIX


  • You must download it to and run it from your Desktop
  • ComboFix SHOULD NOT be used unless requested by a forum helper.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. A guide to do this can be found HERE
  • Double click on ComboFix.exe and follow the prompts.
    • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    • If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
  • Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
  • Combofix should never take more that 20 minutes including the reboot if malware is detected.


IMPORTANT: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.This tool is not a toy and not for everyday use.




Logs/Information to Post in Next Reply

Please post the following logs/Information in your reply:

  • ComboFix log (found at C:\Combofix.txt)
  • A fresh HijackThis Log ( after all the above has been done)
  • A description of how your computer is behaving
 
combofix crashed

I uninstaled spybot and reboted. I tried to run combofix and got the blue screen of death. The system rebooted itself before I could copy any if the bsod info. Do you want me to try combofix again?

In the meantime here is a fresh hijackthis log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:14:54 AM, on 8/11/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\LAUNCH~1\LManager.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nhl.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ePower_DMC] C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
O4 - Global Startup: Acer Empowering Technology.lnk.disabled
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O4 - Global Startup: Desktop Manager.lnk.disabled
O4 - Global Startup: Microsoft Find Fast.lnk.disabled
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Memory Check Service (AcerMemUsageCheckService) - Acer Inc. - C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: PEVSystemStart - Unknown owner - cmd /k start /i "/dC:" "C:\ComboFix\HIDEC.exe" "C:\ComboFix\SWREG.EXE" ACL "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_Beep" /RESET /Q (file missing)
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)

--
End of file - 8681 bytes
 
Just found a third copy of spybot lurking about. This one apears to be 1.0.0.6
It didn't show in the add/remove programs control panel so I don't know that it was actually installed or just not deleted after updating to a newer version.

I have deleted this one as well. You want a fresh hjt log?
 
SysProt Antirootkit

Download SysProt Antirootkit from HERE (you will find it at the bottom of the page under attachments, or you can get it from one of the mirrors). Unzip it into a folder on your desktop.


  • Double click Sysprot.exe to start the program.
  • Click on the Log tab.
  • In the Write to log box select all items.
  • Click on the Create Log button on the bottom right.
  • After a few seconds a new window should appear.
  • Select Scan Root Drive.
  • Click on the Start button.
  • When it is complete a new window will appear to indicate that the scan is finished.
  • The log will be saved automatically in the same folder Sysprot.exe was extracted to. Open the text file and copy/paste the log here.



Lets see if there is any Combofix logs present, if there isn't. Dont worry about it, just let me know.

Post Combofix log
Click Start > Run > type notepad C:\combofix.txt > OK

When Notepad opens, click Edit > Select all then Edit > Copy

Reply to this post and press Ctrl+V to paste the log in your reply.

Note: Please let me know if you get an error, and what is says, after typing the command in the Run box.


Using Windows Explore by right-clicking the Start button and left clicking Explore navigate to and find the following folders:

C:\qoobox In that folder you will find the ComboFix log files.

Please post the contents of each of those log files in your next reply.



Using Windows Explore by right-clicking the Start button and left clicking Explore navigate to and find the following folders:

C:\QooBox\LastRun

If there are any log files in that folder, please post them in your next reply as well.

Thank you.
 
SysProt AntiRootkit v1.0.1.0
by swatkat

******************************************************************************************
******************************************************************************************

Process:
Name: [System Idle Process]
PID: 0
Hidden: No
Window Visible: No

Name: System
PID: 4
Hidden: No
Window Visible: No

Name: C:\WINDOWS\System32\smss.exe
PID: 472
Hidden: No
Window Visible: No

Name: C:\WINDOWS\System32\csrss.exe
PID: 528
Hidden: No
Window Visible: No

Name: C:\WINDOWS\System32\winlogon.exe
PID: 564
Hidden: No
Window Visible: No

Name: C:\WINDOWS\System32\SERVICES.EXE
PID: 608
Hidden: No
Window Visible: No

Name: C:\WINDOWS\System32\LSASS.EXE
PID: 620
Hidden: No
Window Visible: No

Name: C:\WINDOWS\System32\Ati2evxx.exe
PID: 772
Hidden: No
Window Visible: No

Name: C:\WINDOWS\System32\SVCHOST.EXE
PID: 788
Hidden: No
Window Visible: No

Name: C:\WINDOWS\System32\SVCHOST.EXE
PID: 868
Hidden: No
Window Visible: No

Name: C:\WINDOWS\System32\SVCHOST.EXE
PID: 940
Hidden: No
Window Visible: No

Name: C:\WINDOWS\System32\SVCHOST.EXE
PID: 988
Hidden: No
Window Visible: No

Name: C:\WINDOWS\System32\SVCHOST.EXE
PID: 1092
Hidden: No
Window Visible: No

Name: C:\WINDOWS\System32\spoolsv.exe
PID: 1436
Hidden: No
Window Visible: No

Name: C:\WINDOWS\System32\Ati2evxx.exe
PID: 1604
Hidden: No
Window Visible: No

Name: C:\WINDOWS\System32\SVCHOST.EXE
PID: 1128
Hidden: No
Window Visible: No

Name: C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
PID: 1304
Hidden: No
Window Visible: No

Name: C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
PID: 1592
Hidden: No
Window Visible: No

Name: C:\Program Files\AVG\AVG8\avgwdsvc.exe
PID: 1624
Hidden: No
Window Visible: No

Name: C:\Program Files\Bonjour\mDNSResponder.exe
PID: 1524
Hidden: No
Window Visible: No

Name: C:\WINDOWS\ehome\ehRecvr.exe
PID: 1812
Hidden: No
Window Visible: No

Name: C:\Program Files\AVG\AVG8\avgrsx.exe
PID: 1668
Hidden: No
Window Visible: No

Name: C:\WINDOWS\ehome\ehSched.exe
PID: 120
Hidden: No
Window Visible: No

Name: C:\Program Files\Java\jre6\bin\jqs.exe
PID: 400
Hidden: No
Window Visible: No

Name: C:\Program Files\Common Files\LightScribe\LSSrvc.exe
PID: 540
Hidden: No
Window Visible: No

Name: C:\WINDOWS\System32\SVCHOST.EXE
PID: 1268
Hidden: No
Window Visible: No

Name: C:\WINDOWS\System32\SVCHOST.EXE
PID: 1284
Hidden: No
Window Visible: No

Name: C:\WINDOWS\System32\searchindexer.exe
PID: 980
Hidden: No
Window Visible: No

Name: C:\WINDOWS\ehome\mcrdsvc.exe
PID: 2220
Hidden: No
Window Visible: No

Name: C:\WINDOWS\System32\dllhost.exe
PID: 2668
Hidden: No
Window Visible: No

Name: C:\WINDOWS\System32\wscntfy.exe
PID: 2792
Hidden: No
Window Visible: No

Name: C:\WINDOWS\System32\wbem\wmiapsrv.exe
PID: 2800
Hidden: No
Window Visible: No

Name: C:\WINDOWS\System32\alg.exe
PID: 2912
Hidden: No
Window Visible: No

Name: C:\WINDOWS\System32\SVCHOST.EXE
PID: 252
Hidden: No
Window Visible: No

Name: C:\WINDOWS\Explorer.EXE
PID: 1380
Hidden: No
Window Visible: No

Name: C:\WINDOWS\System32\notepad.exe
PID: 3452
Hidden: No
Window Visible: Yes

Name: C:\Program Files\Internet Explorer\iexplore.exe
PID: 960
Hidden: No
Window Visible: No

Name: C:\Program Files\Internet Explorer\iexplore.exe
PID: 3352
Hidden: No
Window Visible: No

Name: C:\WINDOWS\System32\ctfmon.exe
PID: 3540
Hidden: No
Window Visible: No

Name: C:\Documents and Settings\Karla\Desktop\SysProt\SysProt\SysProt.exe
PID: 3156
Hidden: No
Window Visible: Yes

******************************************************************************************
******************************************************************************************
Kernel Modules:
Module Name: \systemroot\system32\drivers\geyekrtivmlkya.sys
Service Name: geyekrttvogrql
Module Base: ---
Module End: ---
Hidden: Yes

Module Name: \??\C:\Documents and Settings\Karla\Desktop\SysProt\SysProt\SysProtDrv.sys
Service Name: SysProtDrv.sys
Module Base: AEDDC000
Module End: AEDE7000
Hidden: No

Module Name: \WINDOWS\system32\ntkrnlpa.exe
Service Name: ---
Module Base: 804D7000
Module End: 806E4000
Hidden: No

Module Name: \WINDOWS\system32\hal.dll
Service Name: ---
Module Base: 806E4000
Module End: 80704D00
Hidden: No

Module Name: \WINDOWS\system32\KDCOM.DLL
Service Name: ---
Module Base: BADA8000
Module End: BADAA000
Hidden: No

Module Name: \WINDOWS\system32\BOOTVID.dll
Service Name: ---
Module Base: BACB8000
Module End: BACBB000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\ACPI.sys
Service Name: ACPI
Module Base: BA779000
Module End: BA7A7000
Hidden: No

Module Name: \WINDOWS\system32\DRIVERS\WMILIB.SYS
Service Name: ---
Module Base: BADAA000
Module End: BADAC000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\pci.sys
Service Name: PCI
Module Base: BA768000
Module End: BA779000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\isapnp.sys
Service Name: isapnp
Module Base: BA8A8000
Module End: BA8B2000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\ohci1394.sys
Service Name: ohci1394
Module Base: BA8B8000
Module End: BA8C8000
Hidden: No

Module Name: \WINDOWS\system32\DRIVERS\1394BUS.SYS
Service Name: ---
Module Base: BA8C8000
Module End: BA8D6000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\compbatt.sys
Service Name: Compbatt
Module Base: BACBC000
Module End: BACBF000
Hidden: No

Module Name: \WINDOWS\system32\DRIVERS\BATTC.SYS
Service Name: BattC
Module Base: BACC0000
Module End: BACC4000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\pciide.sys
Service Name: PCIIde
Module Base: BAE70000
Module End: BAE71000
Hidden: No

Module Name: \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
Service Name: ---
Module Base: BAB28000
Module End: BAB2F000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\aliide.sys
Service Name: AliIde
Module Base: BADAC000
Module End: BADAE000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\intelide.sys
Service Name: IntelIde
Module Base: BADAE000
Module End: BADB0000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\toside.sys
Service Name: TosIde
Module Base: BADB0000
Module End: BADB2000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\viaide.sys
Service Name: ViaIde
Module Base: BADB2000
Module End: BADB4000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\cmdide.sys
Service Name: CmdIde
Module Base: BADB4000
Module End: BADB6000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\MountMgr.sys
Service Name: MountMgr
Module Base: BA8D8000
Module End: BA8E3000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\ftdisk.sys
Service Name: Disk
Module Base: BA72B000
Module End: BA74A000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\dmload.sys
Service Name: dmload
Module Base: BADB6000
Module End: BADB8000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\dmio.sys
Service Name: dmio
Module Base: BA705000
Module End: BA72B000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\ACPIEC.sys
Service Name: ACPIEC
Module Base: BACC4000
Module End: BACC7000
Hidden: No

Module Name: \WINDOWS\system32\DRIVERS\OPRGHDLR.SYS
Service Name: ---
Module Base: BAE71000
Module End: BAE72000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\PartMgr.sys
Service Name: PartMgr
Module Base: BAB30000
Module End: BAB35000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\UBHelper.sys
Service Name: UBHelper
Module Base: BACC8000
Module End: BACCC000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\VolSnap.sys
Service Name: VolSnap
Module Base: BA8E8000
Module End: BA8F5000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\cpqarray.sys
Service Name: Cpqarray
Module Base: BACCC000
Module End: BACD0000
Hidden: No

Module Name: \WINDOWS\system32\DRIVERS\SCSIPORT.SYS
Service Name: ScsiPort
Module Base: BA6ED000
Module End: BA705000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\atapi.sys
Service Name: atapi
Module Base: BA6D5000
Module End: BA6ED000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\aha154x.sys
Service Name: Aha154x
Module Base: BACD0000
Module End: BACD4000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\sparrow.sys
Service Name: Sparrow
Module Base: BAB38000
Module End: BAB3D000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\symc810.sys
Service Name: symc810
Module Base: BACD4000
Module End: BACD8000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\aic78xx.sys
Service Name: aic78xx
Module Base: BA8F8000
Module End: BA906000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\dac960nt.sys
Service Name: dac960nt
Module Base: BACD8000
Module End: BACDC000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\ql10wnt.sys
Service Name: Ql10wnt
Module Base: BA908000
Module End: BA911000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\amsint.sys
Service Name: amsint
Module Base: BACDC000
Module End: BACDF000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\asc.sys
Service Name: asc
Module Base: BAB40000
Module End: BAB47000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\asc3550.sys
Service Name: asc3550
Module Base: BACE0000
Module End: BACE4000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\mraid35x.sys
Service Name: mraid35x
Module Base: BAB48000
Module End: BAB4D000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\i2omp.sys
Service Name: i2omp
Module Base: BAB50000
Module End: BAB55000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\ini910u.sys
Service Name: ini910u
Module Base: BACE4000
Module End: BACE8000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\ql1240.sys
Service Name: ql1240
Module Base: BA918000
Module End: BA922000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\aic78u2.sys
Service Name: aic78u2
Module Base: BA928000
Module End: BA936000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\symc8xx.sys
Service Name: symc8xx
Module Base: BAB58000
Module End: BAB60000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\sym_hi.sys
Service Name: sym_hi
Module Base: BAB60000
Module End: BAB67000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\sym_u3.sys
Service Name: sym_u3
Module Base: BAB68000
Module End: BAB70000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\ABP480N5.SYS
Service Name: abp480n5
Module Base: BAB70000
Module End: BAB76000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\asc3350p.sys
Service Name: asc3350p
Module Base: BAB78000
Module End: BAB7E000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\cd20xrnt.sys
Service Name: cd20xrnt
Module Base: BADB8000
Module End: BADBA000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\ultra.sys
Service Name: ultra
Module Base: BA938000
Module End: BA941000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\adpu160m.sys
Service Name: adpu160m
Module Base: BA6BC000
Module End: BA6D5000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\dpti2o.sys
Service Name: dpti2o
Module Base: BAB80000
Module End: BAB85000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\ql1080.sys
Service Name: ql1080
Module Base: BA948000
Module End: BA952000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\ql1280.sys
Service Name: ql1280
Module Base: BA958000
Module End: BA964000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\ql12160.sys
Service Name: ql12160
Module Base: BA968000
Module End: BA974000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\perc2.sys
Service Name: perc2
Module Base: BAB88000
Module End: BAB8F000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\perc2hib.sys
Service Name: perc2hib
Module Base: BADBA000
Module End: BADBC000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\hpn.sys
Service Name: hpn
Module Base: BAB90000
Module End: BAB97000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\cbidf2k.sys
Service Name: cbidf
Module Base: BACE8000
Module End: BACEC000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\dac2w2k.sys
Service Name: dac2w2k
Module Base: BA690000
Module End: BA6BC000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\disk.sys
Service Name: ---
Module Base: BA978000
Module End: BA981000
Hidden: No

Module Name: \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
Service Name: ---
Module Base: BA988000
Module End: BA995000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\fltmgr.sys
Service Name: FltMgr
Module Base: BA670000
Module End: BA690000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\sr.sys
Service Name: sr
Module Base: BA65E000
Module End: BA670000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\PxHelp20.sys
Service Name: PxHelp20
Module Base: BA998000
Module End: BA9A1000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\Fastfat.sys
Service Name: Fastfat
Module Base: BA63A000
Module End: BA65E000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\KSecDD.sys
Service Name: KSecDD
Module Base: BA623000
Module End: BA63A000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\NDIS.sys
Service Name: NDIS
Module Base: BA5F6000
Module End: BA623000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\sisagp.sys
Service Name: sisagp
Module Base: BA9A8000
Module End: BA9B2000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\viaagp.sys
Service Name: viaagp
Module Base: BA9B8000
Module End: BA9C3000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\Mup.sys
Service Name: Mup
Module Base: BA5DC000
Module End: BA5F6000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\alim1541.sys
Service Name: alim1541
Module Base: BA9C8000
Module End: BA9D3000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\amdagp.sys
Service Name: amdagp
Module Base: BA9D8000
Module End: BA9E3000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\agp440.sys
Service Name: agp440
Module Base: BA9E8000
Module End: BA9F3000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\agpCPQ.sys
Service Name: agpCPQ
Module Base: BA9F8000
Module End: BAA03000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\AmdK8.sys
Service Name: AmdK8
Module Base: BAA08000
Module End: BAA16000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
Service Name: WmiAcpi
Module Base: BAD68000
Module End: BAD6B000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
Service Name: ati2mtag
Module Base: BA345000
Module End: BA4CC000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS
Service Name: ---
Module Base: BA331000
Module End: BA345000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\usbohci.sys
Service Name: usbohci
Module Base: BAC00000
Module End: BAC05000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\USBPORT.SYS
Service Name: ---
Module Base: BA30D000
Module End: BA331000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\usbehci.sys
Service Name: usbehci
Module Base: BAC08000
Module End: BAC10000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\imapi.sys
Service Name: Imapi
Module Base: BAA18000
Module End: BAA23000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Service Name: Cdrom
Module Base: BAA28000
Module End: BAA38000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\redbook.sys
Service Name: redbook
Module Base: BAA38000
Module End: BAA47000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ks.sys
Service Name: ---
Module Base: BA2EA000
Module End: BA30D000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\NTIDrvr.sys
Service Name: NTIDrvr
Module Base: BADBC000
Module End: BADBE000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys
Service Name: GEARAspiWDM
Module Base: BAC10000
Module End: BAC15000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
Service Name: HDAudBus
Module Base: BA2C2000
Module End: BA2EA000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\i8042prt.sys
Service Name: i8042prt
Module Base: BAA48000
Module End: BAA55000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\DKbFltr.sys
Service Name: DKbFltr
Module Base: BAC18000
Module End: BAC1D000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\kbdclass.sys
Service Name: Kbdclass
Module Base: BAC20000
Module End: BAC26000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\SynTP.sys
Service Name: SynTP
Module Base: BA292000
Module End: BA2C2000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\USBD.SYS
Service Name: ---
Module Base: BADBE000
Module End: BADC0000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\mouclass.sys
Service Name: Mouclass
Module Base: BAC28000
Module End: BAC2E000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\CmBatt.sys
Service Name: CmBatt
Module Base: BAD70000
Module End: BAD74000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ar5211.sys
Service Name: AR5211
Module Base: BA21A000
Module End: BA292000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\EMS7SK.sys
Service Name: EMSCR
Module Base: BAA58000
Module End: BAA67000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\sdbus.sys
Service Name: sdbus
Module Base: BA206000
Module End: BA21A000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ESM7SK.sys
Service Name: ESMCR
Module Base: BA1F3000
Module End: BA206000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ESD7SK.sys
Service Name: ESDCR
Module Base: BAA68000
Module End: BAA72000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\audstub.sys
Service Name: audstub
Module Base: BAF18000
Module End: BAF19000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\RootMdm.sys
Service Name: ROOTMODEM
Module Base: BADC0000
Module End: BADC2000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Modem.SYS
Service Name: Modem
Module Base: BAC30000
Module End: BAC38000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\rasirda.sys
Service Name: irda
Module Base: BAC38000
Module End: BAC3D000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\TDI.SYS
Service Name: ---
Module Base: BAC40000
Module End: BAC45000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
Service Name: Rasl2tp
Module Base: BAA78000
Module End: BAA85000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ndistapi.sys
Service Name: NdisTapi
Module Base: BAD78000
Module End: BAD7B000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ndiswan.sys
Service Name: NdisWan
Module Base: BA1DC000
Module End: BA1F3000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\raspppoe.sys
Service Name: RasPppoe
Module Base: BAA88000
Module End: BAA93000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\raspptp.sys
Service Name: PptpMiniport
Module Base: BAA98000
Module End: BAAA4000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\psched.sys
Service Name: PSched
Module Base: BA12B000
Module End: BA13C000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\msgpc.sys
Service Name: Gpc
Module Base: BAAA8000
Module End: BAAB1000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ptilink.sys
Service Name: Ptilink
Module Base: BAC48000
Module End: BAC4D000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\raspti.sys
Service Name: Raspti
Module Base: BAC50000
Module End: BAC55000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\RimSerial.sys
Service Name: RimVSerPort
Module Base: BAC58000
Module End: BAC5F000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\rdpdr.sys
Service Name: rdpdr
Module Base: BA0FB000
Module End: BA12B000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\termdd.sys
Service Name: TermDD
Module Base: BAAB8000
Module End: BAAC2000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\swenum.sys
Service Name: swenum
Module Base: BADC2000
Module End: BADC4000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\update.sys
Service Name: Update
Module Base: BA075000
Module End: BA0D3000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\mssmbios.sys
Service Name: mssmbios
Module Base: BAD8C000
Module End: BAD90000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\NDProxy.SYS
Service Name: NDProxy
Module Base: BAAC8000
Module End: BAAD2000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\usbhub.sys
Service Name: usbhub
Module Base: BAAF8000
Module End: BAB07000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\RtkHDAud.sys
Service Name: IntcAzAudAddService
Module Base: B1B71000
Module End: B1FAC000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\portcls.sys
Service Name: ---
Module Base: B1B4D000
Module End: B1B71000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\drmk.sys
Service Name: ---
Module Base: BAB08000
Module End: BAB17000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\HSXHWAZL.sys
Service Name: HSXHWAZL
Module Base: B1B13000
Module End: B1B4D000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\HSX_DPV.sys
Service Name: HSF_DPV
Module Base: B1A1C000
Module End: B1B13000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\HSX_CNXT.sys
Service Name: winachsf
Module Base: B1965000
Module End: B1A1C000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\i2omgmt.SYS
Service Name: i2omgmt
Module Base: BA500000
Module End: BA503000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Fs_Rec.SYS
Service Name: Fs_Rec
Module Base: BADC6000
Module End: BADC8000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Null.SYS
Service Name: Null
Module Base: BAF6B000
Module End: BAF6C000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Beep.SYS
Service Name: Beep
Module Base: BADC8000
Module End: BADCA000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS
Service Name: ---
Module Base: BAC80000
Module End: BAC87000
Hidden: No

Module Name: C:\WINDOWS\System32\drivers\vga.sys
Service Name: VgaSave
Module Base: BAC88000
Module End: BAC8E000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\mnmdd.SYS
Service Name: mnmdd
Module Base: BADCA000
Module End: BADCC000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\RDPCDD.sys
Service Name: RDPCDD
Module Base: BADCC000
Module End: BADCE000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\BisonCam.sys
Service Name: Cam5603D
Module Base: B1750000
Module End: B1815000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\STREAM.SYS
Service Name: ---
Module Base: BA5BC000
Module End: BA5C9000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Msfs.SYS
Service Name: Msfs
Module Base: BAC90000
Module End: BAC95000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Npfs.SYS
Service Name: Npfs
Module Base: BAC98000
Module End: BACA0000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\rasacd.sys
Service Name: RasAcd
Module Base: BA4F8000
Module End: BA4FB000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ipsec.sys
Service Name: IPSec
Module Base: B173D000
Module End: B1750000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\tcpip.sys
Service Name: Tcpip
Module Base: B16E4000
Module End: B173D000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\netbt.sys
Service Name: NetBT
Module Base: B1694000
Module End: B16BC000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ipnat.sys
Service Name: IpNat
Module Base: B166E000
Module End: B1694000
Hidden: No

Module Name: C:\WINDOWS\System32\drivers\afd.sys
Service Name: AFD
Module Base: B164C000
Module End: B166E000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\netbios.sys
Service Name: NetBIOS
Module Base: BA5AC000
Module End: BA5B5000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\wanarp.sys
Service Name: Wanarp
Module Base: BA59C000
Module End: BA5A5000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\rdbss.sys
Service Name: Rdbss
Module Base: B1621000
Module End: B164C000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
Service Name: MRxSmb
Module Base: B15B1000
Module End: B1621000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Fips.SYS
Service Name: Fips
Module Base: BA57C000
Module End: BA587000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\avgmfx86.sys
Service Name: AvgMfx86
Module Base: BACA0000
Module End: BACA6000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\avgldx86.sys
Service Name: AvgLdx86
Module Base: B1560000
Module End: B15B1000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Cdfs.SYS
Service Name: Cdfs
Module Base: BA55C000
Module End: BA56C000
Hidden: No

Module Name: \SystemRoot\System32\Drivers\dump_atapi.sys
Service Name: ---
Module Base: B1507000
Module End: B151F000
Hidden: Yes

Module Name: \SystemRoot\System32\Drivers\dump_WMILIB.SYS
Service Name: ---
Module Base: BADCE000
Module End: BADD0000
Hidden: Yes

Module Name: C:\WINDOWS\System32\drivers\Dxapi.sys
Service Name: ---
Module Base: BA0E7000
Module End: BA0EA000
Hidden: No

Module Name: C:\WINDOWS\System32\watchdog.sys
Service Name: ---
Module Base: BACA8000
Module End: BACAD000
Hidden: No

Module Name: C:\WINDOWS\System32\drivers\dxgthk.sys
Service Name: ---
Module Base: BAFF0000
Module End: BAFF1000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\irda.sys
Service Name: ---
Module Base: AF199000
Module End: AF1AF000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ndisuio.sys
Service Name: Ndisuio
Module Base: AF2DF000
Module End: AF2E3000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\wdmaud.sys
Service Name: wdmaud
Module Base: AEF54000
Module End: AEF69000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\sysaudio.sys
Service Name: sysaudio
Module Base: AF119000
Module End: AF128000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\mrxdav.sys
Service Name: MRxDAV
Module Base: AECCF000
Module End: AECFC000
Hidden: No

Module Name: \??\C:\PROGRA~1\LAUNCH~1\DPortIO.sys
Service Name: DritekPortIO
Module Base: AF01D000
Module End: AF021000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\HTTP.sys
Service Name: HTTP
Module Base: AEA5E000
Module End: AEA9F000
Hidden: No

Module Name: \??\C:\WINDOWS\system32\drivers\int15.sys
Service Name: int15
Module Base: AEA25000
Module End: AEA36000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\srv.sys
Service Name: Srv
Module Base: AE983000
Module End: AE9D5000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
Service Name: mdmxsdk
Module Base: AEA3A000
Module End: AEA3E000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\secdrv.sys
Service Name: Secdrv
Module Base: AF159000
Module End: AF163000
Hidden: No

Module Name: \??\C:\WINDOWS\system32\drivers\tvicport.sys
Service Name: tvicport
Module Base: AE9F5000
Module End: AE9F8000
Hidden: No

Module Name: \??\C:\WINDOWS\system32\drivers\zntport.sys
Service Name: zntport
Module Base: BAF05000
Module End: BAF06000
Hidden: No

Module Name: \??\C:\WINDOWS\system32\Drivers\PROCEXP90.SYS
Service Name: ---
Module Base: BAE3E000
Module End: BAE40000
Hidden: Yes

Module Name: \??\C:\DOCUME~1\Karla\LOCALS~1\Temp\catchme.sys
Service Name: catchme
Module Base: B189D000
Module End: B18A5000
Hidden: Yes

Module Name: C:\WINDOWS\system32\drivers\kmixer.sys
Service Name: kmixer
Module Base: AE2F0000
Module End: AE31B000
Hidden: No

******************************************************************************************
******************************************************************************************
No SSDT Hooks found

******************************************************************************************
******************************************************************************************
Kernel Hooks:
Hooked Function: ZwSaveKeyEx
At Address: 8062534A
Jump To: 8A5630F2
Module Name: _unknown_

Hooked Function: ZwSaveKey
At Address: 80625264
Jump To: 8A56B67A
Module Name: _unknown_

Hooked Function: ZwFlushInstructionCache
At Address: 805B6812
Jump To: 8A8A8694
Module Name: _unknown_

Hooked Function: ZwEnumerateKey
At Address: 80623FF0
Jump To: 8A5630BC
Module Name: _unknown_

Hooked Function: IofCompleteRequest
At Address: 804EF236
Jump To: 8A6FBAF3
Module Name: _unknown_

Hooked Function: IofCallDriver
At Address: 804EF1A6
Jump To: 8A56B6B3
Module Name: _unknown_

******************************************************************************************
******************************************************************************************
No IRP Hooks found

******************************************************************************************
******************************************************************************************
Ports:
Local Address: COMPUTADORA.SERENITY:2869
Remote Address: 192.168.0.1:1307
Type: TCP
Process: System
State: CLOSE_WAIT

Local Address: COMPUTADORA.SERENITY:1113
Remote Address: 192.168.0.1:5678
Type: TCP
Process: C:\WINDOWS\System32\SVCHOST.EXE
State: ESTABLISHED

Local Address: COMPUTADORA.SERENITY:NETBIOS-SSN
Remote Address: 0.0.0.0:0
Type: TCP
Process: System
State: LISTENING

Local Address: COMPUTADORA:27015
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
State: LISTENING

Local Address: COMPUTADORA:5354
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\Bonjour\mDNSResponder.exe
State: LISTENING

Local Address: COMPUTADORA:5152
Remote Address: LOCALHOST:1092
Type: TCP
Process: C:\Program Files\Java\jre6\bin\jqs.exe
State: CLOSE_WAIT

Local Address: COMPUTADORA:5152
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\Java\jre6\bin\jqs.exe
State: LISTENING

Local Address: COMPUTADORA:1028
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\WINDOWS\System32\alg.exe
State: LISTENING

Local Address: COMPUTADORA:9999
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
State: LISTENING

Local Address: COMPUTADORA:2869
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\WINDOWS\System32\SVCHOST.EXE
State: LISTENING

Local Address: COMPUTADORA:MICROSOFT-DS
Remote Address: 0.0.0.0:0
Type: TCP
Process: System
State: LISTENING

Local Address: COMPUTADORA:EPMAP
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\WINDOWS\System32\SVCHOST.EXE
State: LISTENING

Local Address: COMPUTADORA.SERENITY:5353
Remote Address: NA
Type: UDP
Process: C:\Program Files\Bonjour\mDNSResponder.exe
State: NA

Local Address: COMPUTADORA.SERENITY:1900
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\System32\SVCHOST.EXE
State: NA

Local Address: COMPUTADORA.SERENITY:138
Remote Address: NA
Type: UDP
Process: System
State: NA

Local Address: COMPUTADORA.SERENITY:NETBIOS-NS
Remote Address: NA
Type: UDP
Process: System
State: NA

Local Address: COMPUTADORA.SERENITY:123
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\System32\SVCHOST.EXE
State: NA

Local Address: COMPUTADORA:1900
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\System32\SVCHOST.EXE
State: NA

Local Address: COMPUTADORA:1046
Remote Address: NA
Type: UDP
Process: C:\Program Files\Internet Explorer\iexplore.exe
State: NA

Local Address: COMPUTADORA:123
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\System32\SVCHOST.EXE
State: NA

Local Address: COMPUTADORA:63057
Remote Address: NA
Type: UDP
Process: C:\Program Files\Bonjour\mDNSResponder.exe
State: NA

Local Address: COMPUTADORA:4500
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\System32\LSASS.EXE
State: NA

Local Address: COMPUTADORA:3776
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\ehome\mcrdsvc.exe
State: NA

Local Address: COMPUTADORA:1027
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\System32\spoolsv.exe
State: NA

Local Address: COMPUTADORA:1025
Remote Address: NA
Type: UDP
Process: C:\Program Files\Bonjour\mDNSResponder.exe
State: NA

Local Address: COMPUTADORA:500
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\System32\LSASS.EXE
State: NA

Local Address: COMPUTADORA:MICROSOFT-DS
Remote Address: NA
Type: UDP
Process: System
State: NA

******************************************************************************************
******************************************************************************************
Hidden files/folders:
Object: C:\WINDOWS\system32\drivers\geyekrtivmlkya.sys
Status: Hidden

Object: C:\WINDOWS\system32\geyekrbuhylhmn.dll
Status: Hidden

Object: C:\WINDOWS\system32\geyekrapjdskvl.dat
Status: Hidden

Object: C:\WINDOWS\system32\geyekrxfenxvmc.dll
Status: Hidden

Object: C:\WINDOWS\system32\geyekrnrndxrqt.dat
Status: Hidden

Object: C:\WINDOWS\system32\geyekrornmbpxe.dll
Status: Hidden

Object: C:\WINDOWS\system32\geyekrjwmeoxta.dll
Status: Hidden

Object: C:\Documents and Settings\Karla\Local Settings\Temp\geyekr000
Status: Hidden
 
ComboFix 09-08-10.06 - Karla 08/11/2009 17:54.6.2 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2430.1912 [GMT -4:00]
Running from: c:\documents and settings\Karla\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((( Files Created from 2009-07-11 to 2009-08-11 )))))))))))))))))))))))))))))))
.

2009-08-10 00:32 . 2009-08-10 00:32 -------- d-----w- c:\windows\SxsCaPendDel
2009-08-09 23:14 . 2009-08-09 23:15 -------- d-----w- c:\documents and settings\Karla\.idlerc
2009-08-09 18:11 . 2009-08-09 18:11 -------- d-----w- c:\program files\ESET
2009-08-08 18:51 . 2009-08-08 18:51 -------- d-----w- c:\program files\Trend Micro
2009-08-08 14:43 . 2009-08-08 14:43 -------- d-----w- c:\documents and settings\Karla\Application Data\Malwarebytes
2009-08-08 14:43 . 2009-08-08 14:43 -------- d-----w- c:\docume~1\Karla\APPLIC~1\Malwarebytes
2009-08-08 14:43 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-08 14:43 . 2009-08-08 14:43 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-08 14:43 . 2009-08-08 14:43 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Malwarebytes
2009-08-08 14:43 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-21 01:22 . 2009-07-21 01:22 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-10 01:01 . 2006-06-01 21:59 150912 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-20 19:01 . 2008-08-11 01:32 256 ----a-w- c:\windows\system32\pool.bin
2009-07-04 19:46 . 2008-06-26 01:26 335752 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-07-03 17:09 . 2006-01-09 15:02 915456 ----a-w- c:\windows\system32\wininet.dll
2009-06-26 22:55 . 2009-06-26 22:55 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\AVG Security Toolbar
2009-06-26 22:55 . 2009-06-26 22:55 -------- d-----w- c:\documents and settings\LocalService\Application Data\AVGTOOLBAR
2009-06-26 22:53 . 2009-01-30 02:32 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-06-26 22:53 . 2007-02-20 01:24 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-06-16 14:36 . 2004-08-11 00:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2004-08-11 00:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-03 19:09 . 2005-06-28 22:55 1291264 ----a-w- c:\windows\system32\quartz.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-26 1008896]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-06-26 14:36 1008896 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-26 1008896]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-26 1008896]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AzMixerSel"="c:\program files\Realtek\InstallShield\AzMixerSel.exe" [2006-04-15 53248]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-03 761946]
"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2006-06-23 602112]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-26 1948440]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-11-07 111936]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-03-13 342312]
"ePower_DMC"="c:\acer\Empowering Technology\ePower\ePower_DMC.exe" [2006-05-30 421888]
"eRecoveryService"="c:\acer\Empowering Technology\eRecovery\eRAgent.exe" [2006-06-01 413696]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-11 455168]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-11 455168]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-11 59392]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2006-05-18 16207872]
"SkyTel"="SkyTel.EXE" - c:\windows\SkyTel.exe [2006-05-16 2879488]

c:\docume~1\ALLUSE~1\STARTM~1\Programs\Startup\
Adobe Reader Speed Launch.lnk.disabled [2006-6-1 1665]
Acer Empowering Technology.lnk.disabled [2006-6-1 1585]
Office Startup.lnk - c:\program files\Microsoft Office\Office\OSA.EXE [1997-8-14 51984]
Windows Desktop Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2007-2-5 118784]
Desktop Manager.lnk.disabled [2008-8-12 1649]
Microsoft Find Fast.lnk.disabled [2006-11-1 669]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 294400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-06-26 22:53 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk /p \??\C:\0autocheck autochk *

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"KernelFaultCheck"=%systemroot%\system32\dumprep 0 -k
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
"ntiMUI"=c:\program files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"
"ehTray"=c:\windows\ehome\ehtray.exe
"Boot"=c:\acer\Empowering Technology\ePower\Boot.exe
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
"Alcmtr"=ALCMTR.EXE
"Acer ePresentation HPD"=c:\acer\Empowering Technology\ePresentation\ePresentation.exe
"LaunchApp"=
"Mouse Suite 98 Daemon"=ICO.EXE

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\WINDOWS\\System32\\taskmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [6/25/2008 9:26 PM 335752]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [1/29/2009 10:32 PM 298776]
S2 eLock2BurnerLockDriver;eLock2BurnerLockDriver;\??\c:\windows\system32\eLock2BurnerLockDriver.sys --> c:\windows\system32\eLock2BurnerLockDriver.sys [?]
S2 eLock2FSCTLDriver;eLock2FSCTLDriver;\??\c:\windows\system32\eLock2FSCTLDriver.sys --> c:\windows\system32\eLock2FSCTLDriver.sys [?]
S3 pelmouse;Mouse Suite Driver;c:\windows\system32\drivers\PELMOUSE.SYS [3/19/2009 4:36 PM 18944]
S3 pelusblf;USB Mouse Low Filter Driver;c:\windows\system32\drivers\pelusblf.sys [3/19/2009 4:36 PM 17920]
S3 SKYSCOUT;Celestron SkyScout driver;c:\windows\system32\drivers\UsbScout.sys [3/25/2007 2:42 PM 20480]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
- - - - ORPHANS REMOVED - - - -

Notify-cscdll - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.nhl.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-11 18:00
Windows 5.1.2600 Service Pack 3 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(564)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-08-11 18:02
ComboFix-quarantined-files.txt 2009-08-11 22:02

Pre-Run: 21,429,616,640 bytes free
Post-Run: 21,599,191,040 bytes free

144 --- E O F --- 2009-08-10 23:04
 
Otherjohn said:
SysProt AntiRootkit v1.0.1.0
by swatkat



******************************************************************************************
******************************************************************************************
Hidden files/folders:
Object: C:\WINDOWS\system32\drivers\geyekrtivmlkya.sys
Status: Hidden

Object: C:\WINDOWS\system32\geyekrbuhylhmn.dll
Status: Hidden

Object: C:\WINDOWS\system32\geyekrapjdskvl.dat
Status: Hidden

Object: C:\WINDOWS\system32\geyekrxfenxvmc.dll
Status: Hidden

Object: C:\WINDOWS\system32\geyekrnrndxrqt.dat
Status: Hidden

Object: C:\WINDOWS\system32\geyekrornmbpxe.dll
Status: Hidden

Object: C:\WINDOWS\system32\geyekrjwmeoxta.dll
Status: Hidden

Object: C:\Documents and Settings\Karla\Local Settings\Temp\geyekr000
Status: Hidden
Click to expand...

These are the files that spybot kept flagging as the win32.tdss.rtk trojan. Sysprot and spybot have been the only utilities that have been able to find these files. I cannot see them browsing through the folders. Even with show hidden and system files options set. I can not see them browsing usinging the dos command prompt.
 
Hello!

It is rootkit know as TDDS and combofix should have taken care of it. I am going to do script for you to when i get back home today.

In the meanwhile you can do this: delete the copy of Combofix and re download it and before you ave it. Save it as otherjohn.exe.
 
Hello!

Sorry for the delay. I had few family life problems. I do apologize for the delay. Make sure you have combofix on the desktop before you continue.

Run CFScript

  • Close any open browsers.
  • Open Notepad by click start
  • Click Run
  • Type notepad into the box and click enter
  • Notepad will open
  • Copy and Paste everything from the Code box into Notepad:

Code: 
File::
[FONT=Times New Roman]C:\WINDOWS\system32\drivers\geyekrtivmlkya.sys
C:\WINDOWS\system32\geyekrbuhylhmn.dll
C:\WINDOWS\system32\geyekrapjdskvl.dat
C:\WINDOWS\system32\geyekrxfenxvmc.dll
C:\WINDOWS\system32\geyekrnrndxrqt.dat
C:\WINDOWS\system32\geyekrornmbpxe.dll
C:\WINDOWS\system32\geyekrjwmeoxta.dll
[/FONT][SIZE=2]Rootkit::
[/SIZE][FONT=Times New Roman]C:\WINDOWS\system32\drivers\geyekrtivmlkya.sys
C:\WINDOWS\system32\geyekrbuhylhmn.dll
C:\WINDOWS\system32\geyekrapjdskvl.dat
C:\WINDOWS\system32\geyekrxfenxvmc.dll
C:\WINDOWS\system32\geyekrnrndxrqt.dat
C:\WINDOWS\system32\geyekrornmbpxe.dll
C:\WINDOWS\system32\geyekrjwmeoxta.dll
Driver::
geyekrttvogrql
[/FONT][SIZE=2]
  • Save this as CFScript.txt, in the same location as ComboFix.exe (on your desktop)

    CFScriptExample.jpg
  • Refering to the picture below, drag CFScript into ComboFix.exe

    CFScriptB-4.gif
  • When finished, it shall produce a log for you at C:\ComboFix.txt

NOTE: Do not mouseclick combofix's window whilst it's running. That may cause it to stall it.

Next Reply

Please reply with:
  • ComboFix log (found at C:\Combofix.txt)
  • New HijackThis log
  • A description of how your computer is behaving
[/SIZE]
 
New combofix log
ComboFix 09-08-10.06 - Karla 08/15/2009 9:20.8.2 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2430.2023 [GMT -4:00]
Running from: c:\documents and settings\Karla\Desktop\otherjohn.exe
Command switches used :: c:\documents and settings\Karla\Desktop\CFScript.txt

FILE ::
"c:\windows\system32\drivers\geyekrtivmlkya.sys"
"c:\windows\system32\geyekrapjdskvl.dat"
"c:\windows\system32\geyekrbuhylhmn.dll"
"c:\windows\system32\geyekrjwmeoxta.dll"
"c:\windows\system32\geyekrnrndxrqt.dat"
"c:\windows\system32\geyekrornmbpxe.dll"
"c:\windows\system32\geyekrxfenxvmc.dll"
.

((((((((((((((((((((((((( Files Created from 2009-07-15 to 2009-08-15 )))))))))))))))))))))))))))))))
.

2009-08-15 13:29 . 2009-08-15 13:29 -------- d-sh--w- C:\FOUND.007
2009-08-15 02:31 . 2009-08-15 02:31 -------- d-----w- c:\windows\system32\NtmsData
2009-08-15 01:41 . 2009-08-15 01:41 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-14 19:32 . 2009-08-14 19:32 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Downloaded Installations
2009-08-12 09:40 . 2009-07-10 13:27 1315328 ------w- c:\windows\system32\dllcache\msoe.dll
2009-08-10 00:32 . 2009-08-10 00:32 -------- d-----w- c:\windows\SxsCaPendDel
2009-08-09 23:14 . 2009-08-09 23:15 -------- d-----w- c:\documents and settings\Karla\.idlerc
2009-08-09 02:58 . 2009-08-15 13:24 40960 ----a-w- c:\windows\system32\geyekrjwmeoxta.dll
2009-08-08 23:04 . 2009-08-15 13:24 40960 ----a-w- c:\windows\system32\geyekrornmbpxe.dll
2009-08-08 18:51 . 2009-08-08 18:51 -------- d-----w- c:\program files\Trend Micro
2009-08-08 14:43 . 2009-08-08 14:43 -------- d-----w- c:\documents and settings\Karla\Application Data\Malwarebytes
2009-08-08 14:43 . 2009-08-08 14:43 -------- d-----w- c:\docume~1\Karla\APPLIC~1\Malwarebytes
2009-08-08 14:43 . 2009-08-08 14:43 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Malwarebytes
2009-08-05 09:01 . 2009-08-05 09:01 204800 ------w- c:\windows\system32\dllcache\mswebdvd.dll
2009-07-21 01:22 . 2009-07-21 01:22 91 ------w- c:\windows\system32\geyekrnrndxrqt.dat
2009-07-21 01:22 . 2009-07-21 01:22 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-07-21 01:12 . 2009-08-15 13:24 17408 ----a-w- c:\windows\system32\geyekrxfenxvmc.dll
2009-07-21 01:11 . 2009-07-21 01:22 1384 ------w- c:\windows\system32\geyekrapjdskvl.dat
2009-07-21 01:11 . 2009-08-15 13:24 40960 ----a-w- c:\windows\system32\geyekrbuhylhmn.dll
2009-07-21 01:11 . 2009-08-15 13:24 66048 ----a-w- c:\windows\system32\drivers\geyekrtivmlkya.sys
2009-07-17 19:01 . 2009-07-17 19:01 58880 ------w- c:\windows\system32\dllcache\atl.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-15 03:02 . 2006-06-01 21:59 118896 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-15 00:15 . 2009-08-15 00:15 251 ----a-w- c:\program files\wt3d.ini
2009-08-05 09:01 . 2004-08-11 00:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-20 19:01 . 2008-08-11 01:32 256 ----a-w- c:\windows\system32\pool.bin
2009-07-17 19:01 . 2004-08-11 00:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-13 14:08 . 2004-08-11 00:00 286720 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-03 17:09 . 2006-01-09 15:02 915456 ----a-w- c:\windows\system32\wininet.dll
2009-06-25 08:25 . 2004-08-11 00:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2004-08-11 00:00 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2004-08-11 00:00 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2004-08-11 00:00 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-25 08:25 . 2004-08-11 00:00 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2004-08-11 00:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-24 11:18 . 2004-08-11 00:00 92928 ------w- c:\windows\system32\drivers\ksecdd.sys
2009-06-16 14:36 . 2004-08-11 00:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2004-08-11 00:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-12 12:31 . 2004-08-11 00:00 80896 ----a-w- c:\windows\system32\tlntsess.exe
2009-06-12 12:31 . 2004-08-11 00:00 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 14:13 . 2004-08-11 00:00 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 13:19 . 2004-08-11 00:00 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-06-10 06:14 . 2004-08-11 00:00 132096 ----a-w- c:\windows\system32\wkssvc.dll
2009-06-03 19:09 . 2005-06-28 22:55 1291264 ----a-w- c:\windows\system32\quartz.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-08-13_22.14.54 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-08-15 13:30 . 2009-08-15 13:30 16384 c:\windows\temp\Perflib_Perfdata_a2c.dat
+ 2008-01-15 22:43 . 2008-11-10 15:41 67472 c:\windows\system32\spool\drivers\w32x86\msonpui.dll
+ 2008-01-15 22:43 . 2008-11-10 15:41 67472 c:\windows\system32\spool\drivers\w32x86\3\msonpui.dll
+ 2006-06-01 20:51 . 2009-08-15 00:20 76342 c:\windows\system32\perfc009.dat
+ 2008-01-15 22:43 . 2008-11-10 15:41 32656 c:\windows\system32\msonpmon.dll
+ 2009-06-25 08:25 . 2009-06-25 08:25 54272 c:\windows\system32\dllcache\wdigest.dll
+ 2009-02-03 19:59 . 2009-06-25 08:25 56832 c:\windows\system32\dllcache\secur32.dll
- 2009-02-03 19:59 . 2009-02-03 19:59 56832 c:\windows\system32\dllcache\secur32.dll
+ 2009-06-24 11:18 . 2009-06-24 11:18 92928 c:\windows\system32\dllcache\ksecdd.sys
- 2008-01-15 22:44 . 2009-08-12 23:05 35088 c:\windows\Installer\{91120000-002E-0000-0000-0000000FF1CE}\oisicon.exe
+ 2008-01-15 22:44 . 2009-08-15 02:58 35088 c:\windows\Installer\{91120000-002E-0000-0000-0000000FF1CE}\oisicon.exe
- 2008-01-15 22:44 . 2009-08-12 23:05 18704 c:\windows\Installer\{91120000-002E-0000-0000-0000000FF1CE}\mspicons.exe
+ 2008-01-15 22:44 . 2009-08-15 02:58 18704 c:\windows\Installer\{91120000-002E-0000-0000-0000000FF1CE}\mspicons.exe
- 2008-01-15 22:44 . 2009-08-12 23:05 20240 c:\windows\Installer\{91120000-002E-0000-0000-0000000FF1CE}\cagicon.exe
+ 2008-01-15 22:44 . 2009-08-15 02:58 20240 c:\windows\Installer\{91120000-002E-0000-0000-0000000FF1CE}\cagicon.exe
+ 2006-07-24 14:50 . 2006-07-24 14:50 47920 c:\windows\Installer\$PatchCache$\Managed\00002119E20000000000000000F01FEC\12.0.6425\VBAME.DLL
+ 2006-07-24 14:50 . 2006-07-24 14:50 92976 c:\windows\Installer\$PatchCache$\Managed\00002119E20000000000000000F01FEC\12.0.6425\MSADDNDR.DLL
+ 2008-01-15 22:41 . 2008-01-15 22:41 12096 c:\windows\Installer\$PatchCache$\Managed\00002119E20000000000000000F01FEC\12.0.4518\WORDPOL.DLL
+ 2008-01-15 22:40 . 2008-01-15 22:40 12080 c:\windows\Installer\$PatchCache$\Managed\00002119E20000000000000000F01FEC\12.0.4518\VBIDEPOL.DLL
+ 2008-01-15 22:40 . 2008-01-15 22:40 64288 c:\windows\Installer\$PatchCache$\Managed\00002119E20000000000000000F01FEC\12.0.4518\VBIDEPIA.DLL
+ 2006-10-26 23:59 . 2006-10-26 23:59 15672 c:\windows\Installer\$PatchCache$\Managed\00002119E20000000000000000F01FEC\12.0.4518\SMARTTAGINSTALL.EXE
+ 2006-10-26 23:49 . 2006-10-26 23:49 34104 c:\windows\Installer\$PatchCache$\Managed\00002119E20000000000000000F01FEC\12.0.4518\SETLANG.EXE
+ 2006-10-27 00:12 . 2006-10-27 00:12 40424 c:\windows\Installer\$PatchCache$\Managed\00002119E20000000000000000F01FEC\12.0.4518\REFIEBAR.DLL
+ 2008-01-15 22:40 . 2008-01-15 22:40 12112 c:\windows\Installer\$PatchCache$\Managed\00002119E20000000000000000F01FEC\12.0.4518\PPTPOL.DLL
+ 2006-10-26 23:59 . 2006-10-26 23:59 46936 c:\windows\Installer\$PatchCache$\Managed\00002119E20000000000000000F01FEC\12.0.4518\OSETUPPS.DLL
+ 2006-10-26 23:59 . 2006-10-26 23:59 18760 c:\windows\Installer\$PatchCache$\Managed\00002119E20000000000000000F01FEC\12.0.4518\OPHPROXY.DLL
+ 2006-10-26 23:59 . 2006-10-26 23:59 16728 c:\windows\Installer\$PatchCache$\Managed\00002119E20000000000000000F01FEC\12.0.4518\OMUOPTINPS.DLL
+ 2006-10-27 00:00 . 2006-10-27 00:00 23392 c:\windows\Installer\$PatchCache$\Managed\00002119E20000000000000000F01FEC\12.0.4518\OISCTRL.DLL
+ 2006-10-27 19:11 . 2006-10-27 19:11 54680 c:\windows\Installer\$PatchCache$\Managed\00002119E20000000000000000F01FEC\12.0.4518\OFFRHD.DLL
+ 2008-01-15 22:40 . 2008-01-15 22:40 11544 c:\windows\Installer\$PatchCache$\Managed\00002119E20000000000000000F01FEC\12.0.4518\OFFICEPL.DLL
+ 2008-01-15 22:40 . 2008-01-15 22:40 12104 c:\windows\Installer\$PatchCache$\Managed\00002119E20000000000000000F01FEC\12.0.4518\MSTAGPOL.DLL
+ 2008-01-15 22:40 . 2008-01-15 22:40 20280 c:\windows\Installer\$PatchCache$\Managed\00002119E20000000000000000F01FEC\12.0.4518\MSTAGPIA.DLL
+ 2006-10-26 23:59 . 2006-10-26 23:59 43832 c:\windows\Installer\$PatchCache$\Managed\00002119E20000000000000000F01FEC\12.0.4518\MSSH.DLL
+ 2006-10-27 19:26 . 2006-10-27 19:26 35152 c:\windows\Installer\$PatchCache$\Managed\00002119E20000000000000000F01FEC\12.0.4518\MSOSTYLE.DLL
+ 2006-10-26 23:56 . 2006-10-26 23:56 67408 c:\windows\Installer\$PatchCache$\Managed\00002119E20000000000000000F01FEC\12.0.4518\MSONPUI.DLL
+ 2006-10-26 23:56 . 2006-10-26 23:56 32592 c:\windows\Installer\$PatchCache$\Managed\00002119E20000000000000000F01FEC\12.0.4518\MSONPMON.DLL
+ 2006-10-26 23:52 . 2006-10-26 23:52 66368 c:\windows\Installer\$PatchCache$\Managed\00002119E20000000000000000F01FEC\12.0.4518\MSOMSE.DLL
+ 2006-10-27 00:12 . 2006-10-27 00:12 67896 c:\windows\Installer\$PatchCache$\Managed\00002119E20000000000000000F01FEC\12.0.4518\MSOHTMED.EXE
+ 2006-10-27 19:01 . 2006-10-27 19:01 76088 c:\windows\Installer\$PatchCache$\Managed\00002119E20000000000000000F01FEC\12.0.4518\MSOHEV.DLL
+ 2006-10-26 23:59 . 2006-10-26 23:59 19768 c:\windows\Installer\$PatchCache$\Managed\00002119E20000000000000000F01FEC\12.0.4518\MSMH.DLL
+ 2006-10-26 23:52 . 2006-10-26 23:52 48424 c:\windows\Installer\$PatchCache$\Managed\00002119E20000000000000000F01FEC\12.0.4518\MSE7.EXE
+ 2006-10-27 00:12 . 2006-10-27 00:12 89400 c:\windows\Installer\$PatchCache$\Managed\00002119E20000000000000000F01FEC\12.0.4518\METCONV.DLL
+ 2006-10-27 01:41 . 2006-10-27 01:41 66368 c:\windows\Installer\$PatchCache$\Managed\00002119E20000000000000000F01FEC\12.0.4518\INLAUNCH.DLL
+ 2008-01-15 22:40 . 2008-01-15 22:40 12096 c:\windows\Installer\$PatchCache$\Managed\00002119E20000000000000000F01FEC\12.0.4518\GRAPHPOL.DLL
+ 2008-01-15 22:39 . 2008-01-15 22:39 12096 c:\windows\Installer\$PatchCache$\Managed\00002119E20000000000000000F01FEC\12.0.4518\EXCELPOL.DLL
+ 2006-10-27 00:12 . 2006-10-27 00:12 53576 c:\windows\Installer\$PatchCache$\Managed\00002119E20000000000000000F01FEC\12.0.4518\AUTHZAX.DLL
+ 2006-10-27 01:18 . 2006-10-27 01:18 94016 c:\windows\Installer\$PatchCache$\Managed\00002119E20000000000000000F01FEC\12.0.4518\ACCOLK.DLL
+ 2009-08-15 02:57 . 2009-08-15 02:57 10576 c:\windows\assembly\GAC\Policy.11.0.office\12.0.0.0__71e9bce111e9429c\Policy.11.0.Office.dll
+ 2009-08-15 02:57 . 2009-08-15 02:57 11112 c:\windows\assembly\GAC\Policy.11.0.Microsoft.Vbe.Interop\12.0.0.0__71e9bce111e9429c\Policy.11.0.Microsoft.Vbe.Interop.dll
+ 2009-08-15 02:57 . 2009-08-15 02:57 11128 c:\windows\assembly\GAC\Policy.11.0.Microsoft.Office.Interop.Word\12.0.0.0__71e9bce111e9429c\Policy.11.0.Microsoft.Office.Interop.Word.dll
+ 2009-08-15 02:57 . 2009-08-15 02:57 11136 c:\windows\assembly\GAC\Policy.11.0.Microsoft.Office.Interop.SmartTag\12.0.0.0__71e9bce111e9429c\Policy.11.0.Microsoft.Office.Interop.SmartTag.dll
+ 2009-08-15 02:57 . 2009-08-15 02:57 11152 c:\windows\assembly\GAC\Policy.11.0.Microsoft.Office.Interop.PowerPoint\12.0.0.0__71e9bce111e9429c\Policy.11.0.Microsoft.Office.Interop.PowerPoint.dll
+ 2009-08-15 02:57 . 2009-08-15 02:57 11128 c:\windows\assembly\GAC\Policy.11.0.Microsoft.Office.Interop.Graph\12.0.0.0__71e9bce111e9429c\Policy.11.0.Microsoft.Office.Interop.Graph.dll
+ 2009-08-15 02:57 . 2009-08-15 02:57 11144 c:\windows\assembly\GAC\Policy.11.0.Microsoft.Office.Interop.Excel\12.0.0.0__71e9bce111e9429c\Policy.11.0.Microsoft.Office.Interop.Excel.dll
+ 2009-08-15 02:57 . 2009-08-15 02:57 63336 c:\windows\assembly\GAC\Microsoft.Vbe.Interop\12.0.0.0__71e9bce111e9429c\Microsoft.Vbe.Interop.dll
+ 2009-08-15 02:57 . 2009-08-15 02:57 19320 c:\windows\assembly\GAC\Microsoft.Office.Interop.SmartTag\12.0.0.0__71e9bce111e9429c\Microsoft.Office.Interop.SmartTag.dll
+ 2008-01-15 22:43 . 2008-11-10 15:41 864144 c:\windows\system32\spool\drivers\w32x86\msonpdrv.dll
+ 2008-01-15 22:43 . 2008-11-10 15:41 864144 c:\windows\system32\spool\drivers\w32x86\3\msonpdrv.dll
+ 2006-06-01 20:51 . 2009-08-15 00:20 458654 c:\windows\system32\perfh009.dat
+ 2006-06-01 22:19 . 2009-08-15 03:00 391184 c:\windows\system32\FNTCACHE.DAT
+ 2008-12-05 06:54 . 2009-06-25 08:25 147456 c:\windows\system32\dllcache\schannel.dll
+ 2009-06-25 08:25 . 2009-06-25 08:25 136192 c:\windows\system32\dllcache\msv1_0.dll
+ 2009-04-15 19:23 . 2009-06-25 08:25 730112 c:\windows\system32\dllcache\lsasrv.dll
+ 2009-06-25 08:25 . 2009-06-25 08:25 301568 c:\windows\system32\dllcache\kerberos.dll
+ 2009-03-20 15:48 . 2009-03-20 15:48 183808 c:\windows\Installer\bf155.msp
- 2008-01-15 22:44 . 2009-08-12 23:05 888080 c:\windows\Installer\{91120000-002E-0000-0000-0000000FF1CE}\wordicon.exe
+ 2008-01-15 22:44 . 2009-08-15 02:58 888080 c:\windows\Installer\{91120000-002E-0000-0000-0000000FF1CE}\wordicon.exe
+ 2008-01-15 22:44 . 2009-08-15 02:58 272648 c:\windows\Installer\{91120000-002E-0000-0000-0000000FF1CE}\pubs.exe
- 2008-01-15 22:44 . 2009-08-12 23:05 272648 c:\windows\Installer\{91120000-002E-0000-0000-0000000FF1CE}\pubs.exe
- 2008-01-15 22:44 . 2009-08-12 23:05 922384 c:\windows\Installer\{91120000-002E-0000-0000-0000000FF1CE}\pptico.exe
+ 2008-01-15 22:44 . 2009-08-15 02:58 922384 c:\windows\Installer\{91120000-002E-0000-0000-0000000FF1CE}\pptico.exe
+ 2008-01-15 22:44 . 2009-08-15 02:58 845584 c:\windows\Installer\{91120000-002E-0000-0000-0000000FF1CE}\outicon.exe
- 2008-01-15 22:44 . 2009-08-12 23:05 845584 c:\windows\Installer\{91120000-002E-0000-0000-0000000FF1CE}\outicon.exe
+ 2008-01-15 22:44 . 2009-08-15 02:58 217864 c:\windows\Installer\{91120000-002E-0000-0000-0000000FF1CE}\misc.exe
- 2008-01-15 22:44 . 2009-08-12 23:05 217864 c:\windows\Installer\{91120000-002E-0000-0000-0000000FF1CE}\misc.exe
- 2008-01-15 22:44 . 2009-08-12 23:05 184080 c:\windows\Installer\{91120000-002E-0000-0000-0000000FF1CE}\joticon.exe
+ 2008-01-15 22:44 . 2009-08-15 02:58 184080 c:\windows\Installer\{91120000-002E-0000-0000-0000000FF1CE}\joticon.exe
+ 2008-01-15 22:44 . 2009-08-15 02:58 159504 c:\windows\Installer\{91120000-002E-0000-0000-0000000FF1CE}\inficon.exe
- 2008-01-15 22:44 . 2009-08-12 23:05 159504 c:\windows\Installer\{91120000-002E-0000-0000-0000000FF1CE}\inficon.exe
+ 2009-08-15 02:55 . 2009-08-15 02:55 217864 c:\windows\Installer\{90120000-006E-0409-0000-0000000FF1CE}\misc.exe
- 2009-06-20 03:56 . 2009-06-20 03:56 217864 c:\windows\Installer\{90120000-006E-0409-0000-0000000FF1CE}\misc.exe
+ 2007-06-07 23:51 . 2007-06-07 23:51 125320 c:\windows\Installer\$PatchCache$\Managed\00002119E20000000000000000F01FEC\12.0.6425\SSGEN.DLL
+ 2007-06-07 23:51 . 2007-06-07 23:51 465800 c:\windows\Installer\$PatchCache$\Managed\00002119E20000000000000000F01FEC\12.0.6425\OUTLFLTR.DLL
+ 2006-10-27 00:49 . 2006-10-27 00:49 509200 c:\windows\Installer\$PatchCache$\Managed\00002119E20000000000000000F01FEC\12.0.4518\WRD12CVR.DLL
+ 2006-10-27 01:07 . 2006-10-27 01:07 368968 c:\windows\Installer\$PatchCache$\Managed\00002119E20000000000000000F01FEC\12.0.4518\PPSLAX.DLL
+ 2006-10-20 12:37 . 2006-10-20 12:37 637744 c:\windows\Installer\$PatchCache$\Managed\00002119E20000000000000000F01FEC\12.0.4518\OGALEGIT.DLL
+ 2008-01-15 22:40 . 2008-01-15 22:40 416544 c:\windows\Installer\$PatchCache$\Managed\00002119E20000000000000000F01FEC\12.0.4518\OFFICE.DLL
+ 2006-10-26 23:55 . 2006-10-26 23:55 145688 c:\windows\Installer\$PatchCache$\Managed\00002119E20000000000000000F01FEC\12.0.4518\MSTORE.EXE
+ 2006-10-26 18:47 . 2006-10-26 18:47 727840 c:\windows\Installer\$PatchCache$\Managed\00002119E20000000000000000F01FEC\12.0.4518\MSPROOF6.DLL
+ 2006-10-26 23:56 . 2006-10-26 23:56 864080 c:\windows\Installer\$PatchCache$\Managed\00002119E20000000000000000F01FEC\12.0.4518\MSONPDRV.DLL
+ 2006-10-26 17:58 . 2006-10-26 17:58 290576 c:\windows\Installer\$PatchCache$\Managed\00002119E20000000000000000F01FEC\12.0.4518\MSCDM.DLL
+ 2006-10-26 23:52 . 2006-10-26 23:52 460616 c:\windows\Installer\$PatchCache$\Managed\00002119E20000000000000000F01FEC\12.0.4518\MODHELP.DLL
+ 2006-10-27 00:00 . 2006-10-27 00:00 178488 c:\windows\Installer\$PatchCache$\Managed\00002119E20000000000000000F01FEC\12.0.4518\IETAG.DLL
+ 2008-01-15 22:40 . 2008-01-15 22:40 150320 c:\windows\Installer\$PatchCache$\Managed\00002119E20000000000000000F01FEC\12.0.4518\GRAPHPIA.DLL
+ 2006-10-27 00:12 . 2006-10-27 00:12 106824 c:\windows\Installer\$PatchCache$\Managed\00002119E20000000000000000F01FEC\12.0.4518\DSSM.EXE
+ 2009-08-15 02:57 . 2009-08-15 02:57 609160 c:\windows\assembly\GAC_MSIL\Microsoft.Office.InfoPath.Client.Internal.Host\12.0.0.0__71e9bce111e9429c\Microsoft.Office.Infopath.Client.Internal.Host.dll
+ 2009-08-15 02:57 . 2009-08-15 02:57 118176 c:\windows\assembly\GAC_32\Microsoft.Office.InfoPath.Client.Internal.Host.Interop\12.0.0.0__71e9bce111e9429c\Microsoft.Office.Infopath.Client.Internal.Host.Interop.dll
+ 2009-08-15 02:57 . 2009-08-15 02:57 423784 c:\windows\assembly\GAC\office\12.0.0.0__71e9bce111e9429c\OFFICE.DLL
+ 2009-08-15 02:57 . 2009-08-15 02:57 870256 c:\windows\assembly\GAC\Microsoft.Office.Interop.Word\12.0.0.0__71e9bce111e9429c\Microsoft.Office.Interop.Word.dll
+ 2009-08-15 02:57 . 2009-08-15 02:57 149352 c:\windows\assembly\GAC\Microsoft.Office.Interop.Graph\12.0.0.0__71e9bce111e9429c\Microsoft.Office.Interop.Graph.dll
+ 2008-11-21 03:06 . 2008-11-21 03:06 1194848 c:\windows\system32\FM20.DLL
+ 2009-04-04 21:10 . 2009-04-04 21:10 1282560 c:\windows\Installer\bf14a.msp
+ 2009-04-04 21:10 . 2009-04-04 21:10 7888384 c:\windows\Installer\bf142.msp
+ 2009-04-04 21:10 . 2009-04-04 21:10 9926144 c:\windows\Installer\bf138.msp
+ 2009-04-04 14:14 . 2009-04-04 14:14 1094656 c:\windows\Installer\bef65.msp
+ 2008-01-15 22:44 . 2009-08-15 02:58 1172240 c:\windows\Installer\{91120000-002E-0000-0000-0000000FF1CE}\xlicons.exe
- 2008-01-15 22:44 . 2009-08-12 23:05 1172240 c:\windows\Installer\{91120000-002E-0000-0000-0000000FF1CE}\xlicons.exe
+ 2008-01-15 22:44 . 2009-08-15 02:58 1165584 c:\windows\Installer\{91120000-002E-0000-0000-0000000FF1CE}\accicons.exe
- 2008-01-15 22:44 . 2009-08-12 23:05 1165584 c:\windows\Installer\{91120000-002E-0000-0000-0000000FF1CE}\accicons.exe
+ 2006-10-26 18:47 . 2006-10-26 18:47 1512304 c:\windows\Installer\$PatchCache$\Managed\00002119E20000000000000000F01FEC\12.0.4518\NLSD0000.DLL
+ 2008-01-15 22:40 . 2008-01-15 22:40 1276720 c:\windows\Installer\$PatchCache$\Managed\00002119E20000000000000000F01FEC\12.0.4518\EXCELPIA.DLL
+ 2009-08-15 02:57 . 2009-08-15 02:57 1279848 c:\windows\assembly\GAC\Microsoft.Office.Interop.Excel\12.0.0.0__71e9bce111e9429c\Microsoft.Office.Interop.Excel.dll
+ 2009-04-04 21:09 . 2009-04-04 21:09 15190016 c:\windows\Installer\bef86.msp
+ 2009-04-04 15:36 . 2009-04-04 15:36 21390848 c:\windows\Installer\bef66.msp
+ 2009-04-04 21:08 . 2009-04-04 21:08 343058432 c:\windows\Installer\bf12d.msp
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AzMixerSel"="c:\program files\Realtek\InstallShield\AzMixerSel.exe" [2006-04-15 53248]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-03 761946]
"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2006-06-23 602112]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-11-07 111936]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-03-13 342312]
"ePower_DMC"="c:\acer\Empowering Technology\ePower\ePower_DMC.exe" [2006-05-30 421888]
"eRecoveryService"="c:\acer\Empowering Technology\eRecovery\eRAgent.exe" [2006-06-01 413696]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-11 455168]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-11 455168]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-11 59392]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2006-05-18 16207872]
"SkyTel"="SkyTel.EXE" - c:\windows\SkyTel.exe [2006-05-16 2879488]

c:\docume~1\ALLUSE~1\STARTM~1\Programs\Startup\
Adobe Reader Speed Launch.lnk.disabled [2006-6-1 1665]
Acer Empowering Technology.lnk - c:\acer\Empowering Technology\Acer.Empowering.Framework.Launcher.exe [2006-3-27 45056]
Office Startup.lnk - c:\program files\Microsoft Office\Office\OSA.EXE [1997-8-14 51984]
Windows Desktop Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2007-2-5 118784]
Desktop Manager.lnk.disabled [2008-8-12 1649]
Microsoft Find Fast.lnk.disabled [2006-11-1 669]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 294400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"KernelFaultCheck"=%systemroot%\system32\dumprep 0 -k
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
"ntiMUI"=c:\program files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"
"ehTray"=c:\windows\ehome\ehtray.exe
"Boot"=c:\acer\Empowering Technology\ePower\Boot.exe
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
"Alcmtr"=ALCMTR.EXE
"Acer ePresentation HPD"=c:\acer\Empowering Technology\ePresentation\ePresentation.exe
"LaunchApp"=
"Mouse Suite 98 Daemon"=ICO.EXE

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\WINDOWS\\System32\\taskmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=

S2 eLock2BurnerLockDriver;eLock2BurnerLockDriver;\??\c:\windows\system32\eLock2BurnerLockDriver.sys --> c:\windows\system32\eLock2BurnerLockDriver.sys [?]
S2 eLock2FSCTLDriver;eLock2FSCTLDriver;\??\c:\windows\system32\eLock2FSCTLDriver.sys --> c:\windows\system32\eLock2FSCTLDriver.sys [?]
S3 pelmouse;Mouse Suite Driver;c:\windows\system32\drivers\PELMOUSE.SYS [3/19/2009 4:36 PM 18944]
S3 pelusblf;USB Mouse Low Filter Driver;c:\windows\system32\drivers\pelusblf.sys [3/19/2009 4:36 PM 17920]
S3 SKYSCOUT;Celestron SkyScout driver;c:\windows\system32\drivers\UsbScout.sys [3/25/2007 2:42 PM 20480]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.nhl.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-15 09:30
Windows 5.1.2600 Service Pack 3 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\geyekrttvogrql]
"imagepath"="\systemroot\system32\drivers\geyekrtivmlkya.sys"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\geyekrttvogrql]
@DACL=(02 0000)
"start"=dword:00000001
"type"=dword:00000001
"group"="file system"
"imagepath"=expand:"\\systemroot\\system32\\drivers\\geyekrtivmlkya.sys"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(560)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2760)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\acer\Empowering Technology\ePower\SysHook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\acer\Empowering Technology\ePerformance\MemCheck.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\SearchIndexer.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wbem\unsecapp.exe
.
**************************************************************************
.
Completion time: 2009-08-15 9:34 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-15 13:34
ComboFix2.txt 2009-08-13 22:16
ComboFix3.txt 2009-08-11 22:02

Pre-Run: 30,040,981,504 bytes free
Post-Run: 30,144,987,136 bytes free

315 --- E O F --- 2009-08-12 23:06
 
New HJT log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:43:21 AM, on 8/15/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\LAUNCH~1\LManager.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nhl.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ePower_DMC] C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
O4 - Global Startup: Acer Empowering Technology.lnk = ?
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O4 - Global Startup: Desktop Manager.lnk.disabled
O4 - Global Startup: Microsoft Find Fast.lnk.disabled
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - http://download.eset.com/special/eos/OnlineScanner.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Memory Check Service (AcerMemUsageCheckService) - Acer Inc. - C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)

--
End of file - 6501 bytes
 
Status
Not open for further replies.
Back
Top