Need Malware Help. Not sure of infection name. Primary symptom is Vima

This topic is locked

#1 stekun (New Member, 9 posts)
Hello,

Thanks in advance for your help. Here is my situation.

Problem:
I have apparently been infected with some sort of malware. There are three main symptoms:
  • Inappropriate advertisements for Vimax and other similar products appear in the adspace of many different web pages.
  • My virus scanning software (McAfee VirusScan) has been disabled and I am unable to start it.
  • Occasionally, when doing a Google search, I will click on a link but will be redirected to pages advertising various adult-themed products.

What I have done so far:
  • Booted in Safe Mode and ran several different virus removal tools including McAfee VirusScan and Malwarebytes. Initially they found and removed about 20 infections. Now they no longer find infections, but the symptoms continue to persist.
  • Ran ATF Cleaner
  • Ran Windows Update
  • Made a valid restore point
  • Backed up my registry with ERUNT
  • Ran virus scan software again
  • I have rebooted my computer multiple times during this process
  • In short, I have followed all of the instructions I have been able to find on this forum and others. Although the steps have been somewhat successful, the major symptoms outlined above still remain.

Possible cause of infection:
I am not sure. I do not download movies or pirated software in any form. However, my roommates do use my computer on occasion. They do not think they downloaded anything harmful, but it's impossible to tell for sure.

System setup:
Windows Vista, SP1, fully updated.
McAfee VirusScan (software provided by the university I attend)
Firefox 3.0 is default browser, though I do use the most recent version of IE on occasion.
Anything else you need to know about my setup?

My level of technical knowledge is intermediate-advanced. I'm not stupid when it comes to receiving instruction about how to work with a computer, but I don't have a deep level of knowledge about specific procedures such as editing the registry.

My log files are posted below as requested. Thanks in advance for your help!!!

Steve

Rooter.txt
Microsoft Windows Vista Home Edition (6.0.6001) Service Pack 1

C:\ [Fixed] - NTFS - (Total:295304 Mo/Free:1311 Mo)
D:\ [Fixed] - NTFS - (Total:9938 Mo/Free:344 Mo)
E:\ [CD-Rom] (Total:2652 Mo/Free:0 Mo)
F:\ [CD-Rom] (Total:0 Mo/Free:0 Mo)
G:\ [Removable] (Total:0 Mo/Free:0 Mo)
H:\ [Removable] (Total:0 Mo/Free:0 Mo)
I:\ [Removable] (Total:0 Mo/Free:0 Mo)
J:\ [Removable] (Total:0 Mo/Free:0 Mo)

04/18/2009 Sat|22:27

----------------------\\ Processes..

--Locked-- [System Process]
--Locked-- System
---------- \SystemRoot\System32\smss.exe
---------- C:\Windows\system32\csrss.exe
---------- C:\Windows\system32\wininit.exe
---------- C:\Windows\system32\csrss.exe
---------- C:\Windows\system32\services.exe
---------- C:\Windows\system32\lsass.exe
---------- C:\Windows\system32\lsm.exe
---------- C:\Windows\system32\winlogon.exe
---------- C:\Windows\system32\svchost.exe
---------- C:\Windows\system32\svchost.exe
---------- C:\Windows\System32\svchost.exe
---------- C:\Windows\system32\Ati2evxx.exe
---------- C:\Windows\System32\svchost.exe
---------- C:\Windows\System32\svchost.exe
---------- C:\Windows\system32\svchost.exe
---------- C:\Windows\system32\AUDIODG.EXE
---------- C:\Windows\system32\SLsvc.exe
---------- C:\Windows\system32\svchost.exe
---------- C:\Windows\system32\svchost.exe
---------- C:\Windows\System32\spoolsv.exe
---------- C:\Windows\system32\svchost.exe
---------- C:\Windows\system32\Dwm.exe
---------- C:\Windows\system32\taskeng.exe
---------- C:\Windows\Explorer.EXE
---------- C:\Windows\system32\taskeng.exe
---------- C:\Program Files\Google\Update\GoogleUpdate.exe
---------- C:\Program Files\Windows Defender\MSASCui.exe
---------- C:\Windows\zHotkey.exe
---------- C:\Windows\ModPS2Key.exe
---------- C:\Windows\sttray.exe
---------- C:\Program Files\Lexmark 2400 Series\lxcrmon.exe
---------- C:\Program Files\Lexmark 2400 Series\ezprint.exe
---------- C:\Program Files\McAfee\Common Framework\UdaterUI.exe
---------- C:\Program Files\McAfee\VirusScan Enterprise\shstat.exe
---------- C:\Windows\713xRMT.exe
---------- C:\Program Files\Logitech\QuickCam\Quickcam.exe
---------- C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe
---------- C:\Program Files\Java\jre6\bin\jusched.exe
---------- C:\Program Files\Windows Sidebar\sidebar.exe
---------- C:\Windows\ehome\ehtray.exe
---------- C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
---------- C:\Program Files\Windows Media Player\wmpnscfg.exe
---------- C:\Windows\system32\Ati2evxx.exe
---------- C:\Windows\ehome\ehmsas.exe
---------- C:\Program Files\Windows Sidebar\sidebar.exe
---------- C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
---------- C:\Program Files\LSI SoftModem\agrsmsvc.exe
---------- C:\Program Files\Blue Coat K9 Web Protection\k9filter.exe
---------- C:\Program Files\Bonjour\mDNSResponder.exe
---------- C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
---------- C:\Program Files\McAfee\VirusScan Enterprise\engineserver.exe
---------- C:\Program Files\McAfee\Common Framework\FrameworkService.exe
---------- C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
---------- C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
---------- C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
---------- C:\Windows\system32\mfevtps.exe
---------- C:\Windows\system32\svchost.exe
---------- C:\Windows\system32\svchost.exe
---------- C:\Windows\System32\svchost.exe
---------- C:\Windows\system32\SearchIndexer.exe
---------- C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
---------- C:\Windows\system32\WUDFHost.exe
---------- C:\Program Files\McAfee\Common Framework\McTray.exe
---------- C:\Windows\system32\lxcrcoms.exe
---------- C:\Windows\System32\mobsync.exe
---------- C:\Program Files\Windows Media Player\wmpnetwk.exe
---------- C:\Windows\system32\SearchProtocolHost.exe
---------- C:\Windows\system32\SearchFilterHost.exe
---------- C:\Windows\system32\wbem\wmiprvse.exe
---------- C:\Windows\servicing\TrustedInstaller.exe
---------- \\?\C:\Windows\system32\wbem\WMIADAP.EXE
---------- C:\Windows\system32\wbem\wmiprvse.exe
---------- C:\Windows\system32\DllHost.exe
---------- C:\Windows\system32\DllHost.exe
---------- C:\Users\Steve\Downloads\Rooter.exe
---------- C:\Windows\system32\cmd.exe
---------- C:\Windows\system32\conime.exe
---------- C:\Rooter$\RK.exe

----------------------\\ Search..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters]
NameServer REG_SZ 85.255.112.85,85.255.112.180
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters]
NameServer REG_SZ 85.255.112.85,85.255.112.180
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
NameServer REG_SZ 85.255.112.85,85.255.112.180
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\..\{45BC915F-F40D-4B11-A0E0-26D5F7452FE1}]
NameServer REG_SZ 85.255.112.85,85.255.112.180
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\..\{45BC915F-F40D-4B11-A0E0-26D5F7452FE1}]
NameServer REG_SZ 85.255.112.85,85.255.112.180
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\..\{45BC915F-F40D-4B11-A0E0-26D5F7452FE1}]
NameServer REG_SZ 85.255.112.85,85.255.112.180
==> WAREOUT <==

----------------------\\ ROOTKIT !!



1 - "C:\Rooter$\Rooter_1.txt" - 04/18/2009 Sat|22:28

----------------------\\ Scan completed at 22:28


OTListIt.txt
OTListIt logfile created on: 4/18/2009 10:29:23 PM - Run 1
OTListIt2 by OldTimer - Version 2.0.14.0 Folder = C:\Users\Steve\Downloads
Windows Vista Home Premium Edition Service Pack 1 (Version = 6.0.6001) - Type = NTWorkstation
Internet Explorer (Version = 7.0.6001.18000)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 100.00% Memory free
4.00 Gb Paging File | 4.00 Gb Available in Paging File | 100.00% Paging File free
Paging file location(s): ?:\pagefile.sys;

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 288.38 Gb Total Space | 113.28 Gb Free Space | 39.28% Space Free | Partition Type: NTFS
Drive D: | 9.71 Gb Total Space | 4.34 Gb Free Space | 44.68% Space Free | Partition Type: NTFS
Drive E: | 2.59 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: CDFS
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: COMPY
Current User Name: Steve
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Output = Minimal
File Age = 30 Days
Company Name Whitelist: On

========== Processes (SafeList) ==========

PRC - C:\Windows\system32\Ati2evxx.exe (ATI Technologies Inc.)
PRC - C:\Windows\system32\AUDIODG.EXE (Microsoft Corporation)
PRC - C:\Windows\Explorer.EXE (Microsoft Corporation)
PRC - C:\Program Files\Google\Update\GoogleUpdate.exe (Google Inc.)
PRC - C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
PRC - C:\Windows\zHotkey.exe ()
PRC - C:\Windows\ModPS2Key.exe (Chicony)
PRC - C:\Windows\sttray.exe (SigmaTel, Inc.)
PRC - C:\Program Files\Lexmark 2400 Series\lxcrmon.exe ()
PRC - C:\Program Files\Lexmark 2400 Series\ezprint.exe (Lexmark International Inc.)
PRC - C:\Program Files\McAfee\Common Framework\UdaterUI.exe (McAfee, Inc.)
PRC - C:\Program Files\McAfee\VirusScan Enterprise\shstat.exe (McAfee, Inc.)
PRC - C:\Windows\713xRMT.exe ()
PRC - C:\Program Files\Logitech\QuickCam\Quickcam.exe ()
PRC - C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
PRC - C:\Program Files\Windows Sidebar\sidebar.exe (Microsoft Corporation)
PRC - C:\Windows\ehome\ehtray.exe (Microsoft Corporation)
PRC - C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe (Advanced Micro Devices Inc.)
PRC - C:\Program Files\Windows Media Player\wmpnscfg.exe (Microsoft Corporation)
PRC - C:\Windows\system32\Ati2evxx.exe (ATI Technologies Inc.)
PRC - C:\Windows\ehome\ehmsas.exe (Microsoft Corporation)
PRC - C:\Program Files\Windows Sidebar\sidebar.exe (Microsoft Corporation)
PRC - C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe ()
PRC - C:\Program Files\LSI SoftModem\agrsmsvc.exe (Agere Systems)
PRC - C:\Program Files\Blue Coat K9 Web Protection\k9filter.exe ()
PRC - C:\Program Files\Bonjour\mDNSResponder.exe (Apple Computer, Inc.)
PRC - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe (Logitech Inc.)
PRC - C:\Program Files\McAfee\VirusScan Enterprise\engineserver.exe (McAfee, Inc.)
PRC - C:\Program Files\McAfee\Common Framework\FrameworkService.exe (McAfee, Inc.)
PRC - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe (McAfee, Inc.)
PRC - C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe (Microsoft Corporation)
PRC - C:\Program Files\McAfee\Common Framework\naPrdMgr.exe (McAfee, Inc.)
PRC - C:\Windows\system32\mfevtps.exe (McAfee, Inc.)
PRC - C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe (ATI Technologies Inc.)
PRC - C:\Windows\system32\WUDFHost.exe (Microsoft Corporation)
PRC - C:\Program Files\McAfee\Common Framework\McTray.exe (McAfee, Inc.)
PRC - C:\Windows\system32\lxcrcoms.exe ( )
PRC - C:\Windows\System32\mobsync.exe (Microsoft Corporation)
PRC - C:\Program Files\Windows Media Player\wmpnetwk.exe (Microsoft Corporation)
PRC - \?\C:\Windows\system32\wbem\WMIADAP.EXE File not found
PRC - C:\Windows\system32\wbem\wmiprvse.exe (Microsoft Corporation)
PRC - C:\Windows\system32\conime.exe (Microsoft Corporation)
PRC - C:\Users\Steve\Downloads\OTListIt2.exe (OldTimer Tools)

========== Win32 Services (SafeList) ==========

SRV - (AgereModemAudio [Auto | Running]) -- C:\Program Files\LSI SoftModem\agrsmsvc.exe (Agere Systems)
SRV - (aspnet_state [On_Demand | Stopped]) -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (Microsoft Corporation)
SRV - (Ati External Event Utility [Auto | Running]) -- C:\Windows\system32\Ati2evxx.exe (ATI Technologies Inc.)
SRV - (bckwfs [Auto | Running]) -- C:\Program Files\Blue Coat K9 Web Protection\k9filter.exe ()
SRV - (Bonjour Service [Auto | Running]) -- C:\Program Files\Bonjour\mDNSResponder.exe (Apple Computer, Inc.)
SRV - (clr_optimization_v2.0.50727_32 [On_Demand | Stopped]) -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (Microsoft Corporation)
SRV - (ehRecvr [On_Demand | Stopped]) -- C:\Windows\ehome\ehRecvr.exe (Microsoft Corporation)
SRV - (ehSched [On_Demand | Stopped]) -- C:\Windows\ehome\ehsched.exe (Microsoft Corporation)
SRV - (ehstart [Auto | Stopped]) -- C:\Windows\ehome\ehstart.dll (Microsoft Corporation)
SRV - (FLEXnet Licensing Service [On_Demand | Stopped]) -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe (Macrovision Europe Ltd.)
SRV - (FontCache3.0.0.0 [On_Demand | Stopped]) -- C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe (Microsoft Corporation)
SRV - (gupdate1c9b80066ee597c [Auto | Stopped]) -- C:\Program Files\Google\Update\GoogleUpdate.exe (Google Inc.)
SRV - (gusvc [Auto | Stopped]) -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (Google)
SRV - (idsvc [Unknown | Stopped]) -- C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe (Microsoft Corporation)
SRV - (LVPrcSrv [Auto | Running]) -- C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe (Logitech Inc.)
SRV - (lxcr_device [On_Demand | Running]) -- C:\Windows\system32\lxcrcoms.exe ( )
SRV - (McAfeeEngineService [Auto | Running]) -- C:\Program Files\McAfee\VirusScan Enterprise\engineserver.exe (McAfee, Inc.)
SRV - (McAfeeFramework [Auto | Running]) -- C:\Program Files\McAfee\Common Framework\FrameworkService.exe (McAfee, Inc.)
SRV - (McShield [Auto | Stopped]) -- C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe (McAfee, Inc.)
SRV - (McTaskManager [Auto | Running]) -- C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe (McAfee, Inc.)
SRV - (MDM [Auto | Running]) -- C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe (Microsoft Corporation)
SRV - (mfevtp [Unknown | Running]) -- C:\Windows\system32\mfevtps.exe (McAfee, Inc.)
SRV - (NetTcpPortSharing [Disabled | Stopped]) -- C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe (Microsoft Corporation)
SRV - (WinDefend [Auto | Running]) -- C:\Program Files\Windows Defender\mpsvc.dll (Microsoft Corporation)
SRV - (WMPNetworkSvc [On_Demand | Running]) -- C:\Program Files\Windows Media Player\wmpnetwk.exe (Microsoft Corporation)

========== Driver Services (SafeList) ==========

DRV - (3xHybrid [On_Demand | Running]) -- C:\Windows\system32\DRIVERS\3xHybrid.sys (NXP Semiconductors Germany GmbH)
DRV - (adp94xx [Disabled | Stopped]) -- C:\Windows\system32\drivers\adp94xx.sys (Adaptec, Inc.)
DRV - (adpahci [Disabled | Stopped]) -- C:\Windows\system32\drivers\adpahci.sys (Adaptec, Inc.)
DRV - (adpu160m [Disabled | Stopped]) -- C:\Windows\system32\drivers\adpu160m.sys (Adaptec, Inc.)
DRV - (adpu320 [Disabled | Stopped]) -- C:\Windows\system32\drivers\adpu320.sys (Adaptec, Inc.)
DRV - (AgereSoftModem [On_Demand | Running]) -- C:\Windows\system32\DRIVERS\AGRSM.sys (Agere Systems)
DRV - (aic78xx [Disabled | Stopped]) -- C:\Windows\system32\drivers\djsvs.sys (Adaptec, Inc.)
DRV - (aliide [Disabled | Stopped]) -- C:\Windows\system32\drivers\aliide.sys (Acer Laboratories Inc.)
DRV - (arc [Disabled | Stopped]) -- C:\Windows\system32\drivers\arc.sys (Adaptec, Inc.)
DRV - (arcsas [Disabled | Stopped]) -- C:\Windows\system32\drivers\arcsas.sys (Adaptec, Inc.)
DRV - (atikmdag [On_Demand | Running]) -- C:\Windows\system32\DRIVERS\atikmdag.sys (ATI Technologies Inc.)
DRV - (bckd [System | Running]) -- C:\Windows\system32\drivers\bckd.sys ()
DRV - (BrFiltLo [On_Demand | Stopped]) -- C:\Windows\system32\drivers\brfiltlo.sys (Brother Industries, Ltd.)
DRV - (BrFiltUp [On_Demand | Stopped]) -- C:\Windows\system32\drivers\brfiltup.sys (Brother Industries, Ltd.)
DRV - (Brserid [Disabled | Stopped]) -- C:\Windows\system32\drivers\brserid.sys (Brother Industries Ltd.)
DRV - (BrSerWdm [Disabled | Stopped]) -- C:\Windows\system32\drivers\brserwdm.sys (Brother Industries Ltd.)
DRV - (BrUsbMdm [Disabled | Stopped]) -- C:\Windows\system32\drivers\brusbmdm.sys (Brother Industries Ltd.)
DRV - (BrUsbSer [On_Demand | Stopped]) -- C:\Windows\system32\drivers\brusbser.sys (Brother Industries Ltd.)
DRV - (cmdide [Disabled | Stopped]) -- C:\Windows\system32\drivers\cmdide.sys (CMD Technology, Inc.)
DRV - (E100B [On_Demand | Running]) -- C:\Windows\system32\DRIVERS\e100b325.sys (Intel Corporation)
DRV - (E1G60 [On_Demand | Stopped]) -- C:\Windows\system32\DRIVERS\E1G60I32.sys (Intel Corporation)
DRV - (elxstor [Disabled | Stopped]) -- C:\Windows\system32\drivers\elxstor.sys (Emulex)
DRV - (HpCISSs [Disabled | Stopped]) -- C:\Windows\system32\drivers\hpcisss.sys (Hewlett-Packard Company)
DRV - (iaStorV [Boot | Running]) -- C:\Windows\system32\drivers\iastorv.sys (Intel Corporation)
DRV - (iirsp [Disabled | Stopped]) -- C:\Windows\system32\drivers\iirsp.sys (Intel Corp./ICP vortex GmbH)
DRV - (iteatapi [Disabled | Stopped]) -- C:\Windows\system32\drivers\iteatapi.sys (Integrated Technology Express, Inc.)
DRV - (iteraid [Disabled | Stopped]) -- C:\Windows\system32\drivers\iteraid.sys (Integrated Technology Express, Inc.)
DRV - (LSI_FC [Disabled | Stopped]) -- C:\Windows\system32\drivers\lsi_fc.sys (LSI Logic)
DRV - (LSI_SAS [Disabled | Stopped]) -- C:\Windows\system32\drivers\lsi_sas.sys (LSI Logic)
DRV - (LSI_SCSI [Disabled | Stopped]) -- C:\Windows\system32\drivers\lsi_scsi.sys (LSI Logic)
DRV - (LVPr2Mon [On_Demand | Running]) -- C:\Windows\system32\Drivers\LVPr2Mon.sys ()
DRV - (LVRS [On_Demand | Running]) -- C:\Windows\system32\DRIVERS\lvrs.sys (Logitech Inc.)
DRV - (LVUSBSta [On_Demand | Running]) -- C:\Windows\system32\drivers\LVUSBSta.sys (Logitech Inc.)
DRV - (LVUVC [On_Demand | Running]) -- C:\Windows\system32\DRIVERS\lvuvc.sys (Logitech Inc.)
DRV - (megasas [Disabled | Stopped]) -- C:\Windows\system32\drivers\megasas.sys (LSI Logic Corporation)
DRV - (mfeapfk [On_Demand | Stopped]) -- C:\Windows\system32\drivers\mfeapfk.sys (McAfee, Inc.)
DRV - (mfeavfk [On_Demand | Stopped]) -- C:\Windows\system32\drivers\mfeavfk.sys (McAfee, Inc.)
DRV - (mfebopk [On_Demand | Stopped]) -- C:\Windows\system32\drivers\mfebopk.sys (McAfee, Inc.)
DRV - (mfehidk [Boot | Running]) -- C:\Windows\system32\drivers\mfehidk.sys (McAfee, Inc.)
DRV - (mferkdet [On_Demand | Stopped]) -- C:\Windows\system32\drivers\mferkdet.sys (McAfee, Inc.)
DRV - (mfetdik [System | Running]) -- C:\Windows\system32\drivers\mfetdik.sys (McAfee, Inc.)
DRV - (Mraid35x [Disabled | Stopped]) -- C:\Windows\system32\drivers\mraid35x.sys (LSI Logic Corporation)
DRV - (nfrd960 [Disabled | Stopped]) -- C:\Windows\system32\drivers\nfrd960.sys (IBM Corporation)
DRV - (ntrigdigi [Disabled | Stopped]) -- C:\Windows\system32\drivers\ntrigdigi.sys (N-trig Innovative Technologies)
DRV - (nvraid [Disabled | Stopped]) -- C:\Windows\system32\drivers\nvraid.sys (NVIDIA Corporation)
DRV - (nvstor [Disabled | Stopped]) -- C:\Windows\system32\drivers\nvstor.sys (NVIDIA Corporation)
DRV - (pfc [On_Demand | Running]) -- C:\Windows\system32\drivers\pfc.sys (Padus, Inc.)
DRV - (ql2300 [Disabled | Stopped]) -- C:\Windows\system32\drivers\ql2300.sys (QLogic Corporation)
DRV - (ql40xx [Disabled | Stopped]) -- C:\Windows\system32\drivers\ql40xx.sys (QLogic Corporation)
DRV - (R300 [On_Demand | Stopped]) -- C:\Windows\system32\DRIVERS\atikmdag.sys (ATI Technologies Inc.)
DRV - (secdrv [Auto | Running]) -- C:\Windows\System32\drivers\secdrv.sys (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.)
DRV - (SiSRaid2 [Disabled | Stopped]) -- C:\Windows\system32\drivers\sisraid2.sys (Silicon Integrated Systems Corp.)
DRV - (SiSRaid4 [Disabled | Stopped]) -- C:\Windows\system32\drivers\sisraid4.sys (Silicon Integrated Systems)
DRV - (STHDA [On_Demand | Running]) -- C:\Windows\system32\drivers\stwrt.sys (SigmaTel, Inc.)
DRV - (Symc8xx [Disabled | Stopped]) -- C:\Windows\system32\drivers\symc8xx.sys (LSI Logic)
DRV - (Sym_hi [Disabled | Stopped]) -- C:\Windows\system32\drivers\sym_hi.sys (LSI Logic)
DRV - (Sym_u3 [Disabled | Stopped]) -- C:\Windows\system32\drivers\sym_u3.sys (LSI Logic)
DRV - (tbhsd [On_Demand | Stopped]) -- C:\Windows\system32\drivers\tbhsd.sys (RapidSolution Software AG)
DRV - (uliahci [Disabled | Stopped]) -- C:\Windows\system32\drivers\uliahci.sys (ULi Electronics Inc.)
DRV - (UlSata [Disabled | Stopped]) -- C:\Windows\system32\drivers\ulsata.sys (Promise Technology, Inc.)
DRV - (ulsata2 [Disabled | Stopped]) -- C:\Windows\system32\drivers\ulsata2.sys (Promise Technology, Inc.)
DRV - (usbaudio [On_Demand | Running]) -- C:\Windows\system32\drivers\usbaudio.sys (Microsoft Corporation)
DRV - (usbbus [On_Demand | Stopped]) -- C:\Windows\system32\DRIVERS\lgusbbus.sys (LG Electronics Inc.)
DRV - (USBModem [On_Demand | Stopped]) -- C:\Windows\system32\DRIVERS\lgusbmodem.sys (LG Electronics Inc.)
DRV - (viaide [Disabled | Stopped]) -- C:\Windows\system32\drivers\viaide.sys (VIA Technologies, Inc.)
DRV - (vsmraid [Disabled | Stopped]) -- C:\Windows\system32\drivers\vsmraid.sys (VIA Technologies Inc.,Ltd)
DRV - (WsAudio_DeviceS(1) [On_Demand | Stopped]) -- C:\Windows\system32\drivers\WsAudio_DeviceS(1).sys (Wondershare)

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL =
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.foxnews.com/"
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}:6.0.12
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}:6.0.13
FF - prefs.js..extensions.enabledItems: {20a82645-c095-46ed-80e3-08825760534b}:1.0
FF - prefs.js..extensions.enabledItems: {B13721C7-F507-4982-B2E5-502A71474FED}:2.2.0.102
FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.0.8

FF - HKLM\software\mozilla\Firefox\Extensions\\{20a82645-c095-46ed-80e3-08825760534b}: C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V3.5\WINDOWS PRESENTATION FOUNDATION\DOTNETASSISTANTEXTENSION\ [2009/02/27 18:37:08 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.8\extensions\\Components: C:\PROGRAM FILES\MOZILLA\FIREFOX\COMPONENTS [2009/04/18 13:08:21 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.8\extensions\\Plugins: C:\PROGRAM FILES\MOZILLA\FIREFOX\PLUGINS [2009/03/29 08:15:43 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 2.0.0.21\extensions\\Components: C:\PROGRAM FILES\MOZILLA\THUNDERBIRD\COMPONENTS [2009/04/18 13:08:21 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 2.0.0.21\extensions\\Plugins: C:\PROGRAM FILES\MOZILLA\THUNDERBIRD\PLUGINS [2009/03/29 08:15:43 | 00,000,000 | ---D | M]

[2009/02/27 18:24:14 | 00,000,000 | ---D | M] -- C:\Users\Steve\AppData\Roaming\mozilla\Extensions
[2009/02/27 18:24:14 | 00,000,000 | ---D | M] -- C:\Users\Steve\AppData\Roaming\mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
[2009/03/05 10:40:05 | 00,000,000 | ---D | M] -- C:\Users\Steve\AppData\Roaming\mozilla\Firefox\Profiles\pibymdh4.default\extensions

O1 HOSTS File: (761 bytes) - C:\Windows\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (Lexmark Toolbar) - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll ()
O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptsn.dll (McAfee, Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll (Google Inc.)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (Lexmark Toolbar) - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll ()
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll ()
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" (Adobe Systems Incorporated)
O4 - HKLM..\Run: [CHotkey] zHotkey.exe ()
O4 - HKLM..\Run: [EzPrint] "C:\Program Files\Lexmark 2400 Series\ezprint.exe" (Lexmark International Inc.)
O4 - HKLM..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s ()
O4 - HKLM..\Run: [LaunchList] "C:\Program Files\Pinnacle\Studio 8\LaunchList.exe" File not found
O4 - HKLM..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide ()
O4 - HKLM..\Run: [LXCRCATS] rundll32 C:\Windows\system32\spool\DRIVERS\W32X86\3\LXCRtime.dll,_RunDLLEntry@16 ()
O4 - HKLM..\Run: [lxcrmon.exe] "C:\Program Files\Lexmark 2400 Series\lxcrmon.exe" ()
O4 - HKLM..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\udaterui.exe" /StartedFromRunKey (McAfee, Inc.)
O4 - HKLM..\Run: [ModPS2] ModPS2Key.exe (Chicony)
O4 - HKLM..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime (Apple Inc.)
O4 - HKLM..\Run: [ShowWnd] ShowWnd.exe ()
O4 - HKLM..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE (McAfee, Inc.)
O4 - HKLM..\Run: [SigmatelSysTrayApp] sttray.exe (SigmaTel, Inc.)
O4 - HKLM..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun (Advanced Micro Devices, Inc.)
O4 - HKLM..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [TV Card Remote Control Device Monitor] C:\Windows\713xRMT.exe ()
O4 - HKLM..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide (Microsoft Corporation)
O4 - HKCU..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe (Microsoft Corporation)
O4 - HKCU..\Run: [googletalk] C:\Users\Steve\AppData\Roaming\Google\Google Talk\googletalk.exe /autostart (Google)
O4 - HKCU..\Run: [Power2GoExpress] File not found
O4 - HKCU..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun (Microsoft Corporation)
O4 - HKCU..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized (Skype Technologies S.A.)
O4 - HKCU..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe (Microsoft Corporation)
O4 - HKLM..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent (Malwarebytes Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 2
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableInstallerDetection = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableSecureUIAPaths = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableVirtualization = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ValidateAdminCodeSignatures = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: scforceoption = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: FilterAdministratorToken = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableUIADesktopToggle = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_TEXT = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_BITMAP = 2
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_OEMTEXT = 7
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_DIB = 8
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_PALETTE = 9
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_UNICODETEXT = 13
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_DIBV5 = 17
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000001 [@%SystemRoot%\system32\nlasvc.dll,-1000] - C:\Windows\system32\NLAapi.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000002 [@%SystemRoot%\system32\napinsp.dll,-1000] - C:\Windows\system32\napinsp.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000003 [@%SystemRoot%\system32\pnrpnsp.dll,-1000] - C:\Windows\system32\pnrpnsp.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [@%SystemRoot%\system32\pnrpnsp.dll,-1001] - C:\Windows\system32\pnrpnsp.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [mdnsNSP] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Computer, Inc.)
O13 - gopher Prefix: missing
O15 - HKCU\..Trusted Domains: real.com ([rhap-app-4-0] https in Trusted sites)
O15 - HKCU\..Trusted Domains: real.com ([rhapreg] https in Trusted sites)
O15 - HKCU\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.ma...r/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_13)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.85,85.255.112.180
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Interfaces\{45BC915F-F40D-4B11-A0E0-26D5F7452FE1}\\NameServer = 85.255.112.85,85.255.112.180
O18 - Protocol\Handler\cdo {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\microsoft shared\Web Components\10\OWC10.DLL (Microsoft Corporation)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - Autorun File - C:\autoexec.bat () - [ NTFS ]
O33 - MountPoints2\{c3032282-0c46-11de-aa4f-0019d139ee82}\Shell\AutoRun\command - "" = WD_Windows_Tools\Setup.exe
O33 - MountPoints2\K\Shell\AutoRun\command - "" = WD_Windows_Tools\Setup.exe
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\Windows\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found

========== Files/Folders - Created Within 30 Days ==========

[3 C:\Windows\*.tmp files]
[2009/04/18 22:27:33 | 00,000,000 | ---D | C] -- C:\Rooter$
[2009/04/18 22:26:38 | 00,015,504 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2009/04/18 22:26:38 | 00,000,818 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/04/18 22:26:36 | 00,038,496 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2009/04/18 22:26:35 | 00,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2009/04/18 22:26:34 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/04/18 22:22:00 | 02,389,464 | -H-- | C] () -- C:\Users\Steve\AppData\Local\IconCache.db
[2009/04/18 22:16:07 | 00,000,000 | ---D | C] -- C:\Windows\ERDNT
[2009/04/18 22:15:27 | 00,000,733 | ---- | C] () -- C:\Users\Steve\Desktop\NTREGOPT.lnk
[2009/04/18 22:15:27 | 00,000,714 | ---- | C] () -- C:\Users\Steve\Desktop\ERUNT.lnk
[2009/04/18 22:15:26 | 00,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2009/04/18 18:59:18 | 00,081,984 | ---- | C] () -- C:\Windows\System32\bdod.bin
[2009/04/18 17:52:12 | 00,001,874 | ---- | C] () -- C:\Users\Steve\Desktop\HijackThis.lnk
[2009/04/18 17:52:12 | 00,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2009/04/18 17:33:58 | 00,000,000 | ---D | C] -- C:\ProgramData\WindowsSearch
[2009/04/18 17:20:44 | 00,000,850 | ---- | C] () -- C:\Windows\System32\ProductTweaks.xml
[2009/04/18 17:20:44 | 00,000,385 | ---- | C] () -- C:\Windows\System32\user_gensett.xml
[2009/04/18 13:43:41 | 00,000,680 | ---- | C] () -- C:\Users\Steve\AppData\Local\d3d9caps.dat
[2009/04/18 13:25:56 | 00,000,000 | ---D | C] -- C:\Users\Steve\AppData\Roaming\GetRightToGo
[2009/04/18 13:04:59 | 00,000,000 | ---D | C] -- C:\Windows\System32\logs
[2009/04/18 13:04:52 | 00,000,000 | ---D | C] -- C:\Users\Steve\AppData\Roaming\BitDefender
[2009/04/18 13:04:15 | 00,000,000 | ---D | C] -- C:\ProgramData\BitDefender
[2009/04/18 13:04:15 | 00,000,000 | ---D | C] -- C:\Program Files\BitDefender
[2009/04/18 13:04:13 | 00,000,000 | -HSD | C] -- C:\Config.Msi
[2009/04/18 13:03:10 | 00,000,000 | ---D | C] -- C:\Windows\System32\URTTEMP
[2009/04/18 13:02:35 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\BitDefender
[2009/04/18 09:31:17 | 00,000,000 | ---D | C] -- C:\Windows\Minidump
[2009/04/18 09:30:52 | 21,928,7319 | ---- | C] () -- C:\Windows\MEMORY.DMP
[2009/04/18 00:35:02 | 00,000,000 | ---D | C] -- C:\RECYCLER
[2009/04/18 00:20:55 | 00,000,000 | ---D | C] -- C:\Program Files\PixiePack Codec Pack
[2009/04/18 00:17:08 | 00,000,000 | ---D | C] -- C:\Users\Steve\AppData\Roaming\WinRAR
[2009/04/18 00:16:56 | 00,000,000 | ---D | C] -- C:\Program Files\WinRAR
[2009/04/15 22:59:15 | 00,000,000 | ---D | C] -- C:\ProgramData\RapidSolution
[2009/04/15 22:59:15 | 00,000,000 | ---D | C] -- C:\Program Files\RapidSolution
[2009/04/15 22:56:05 | 00,016,640 | ---- | C] (Wondershare) -- C:\Windows\System32\drivers\WsAudio_DeviceS(1).sys
[2009/04/15 21:03:42 | 01,454,626 | ---- | C] () -- C:\Users\Steve\Desktop\2008IR22.pdf
[2009/04/15 21:03:32 | 00,107,503 | ---- | C] () -- C:\Users\Steve\Desktop\2008IR22__INST.pdf
[2009/04/15 08:45:12 | 00,376,832 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\winhttp.dll
[2009/04/15 08:45:09 | 00,562,176 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msdtcprx.dll
[2009/04/15 08:45:08 | 00,038,912 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\xolehlp.dll
[2009/04/15 08:45:02 | 03,599,328 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ntkrnlpa.exe
[2009/04/15 08:45:02 | 03,547,632 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ntoskrnl.exe
[2009/04/15 08:45:02 | 00,551,424 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\rpcss.dll
[2009/04/15 08:45:01 | 00,666,624 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\printfilterpipelinesvc.exe
[2009/04/15 08:45:00 | 00,183,296 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\sdohlp.dll
[2009/04/15 08:45:00 | 00,098,304 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iasrecst.dll
[2009/04/15 08:45:00 | 00,054,784 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iasads.dll
[2009/04/15 08:45:00 | 00,044,032 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iasdatastore.dll
[2009/04/15 08:45:00 | 00,026,112 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\printfilterpipelineprxy.dll
[2009/04/15 08:45:00 | 00,017,408 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iashost.exe
[2009/04/15 08:44:57 | 01,255,936 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\lsasrv.dll
[2009/04/15 08:44:57 | 00,888,832 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\kernel32.dll
[2009/04/15 08:44:56 | 00,072,704 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\secur32.dll
[2009/04/15 08:44:56 | 00,024,064 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\amxread.dll
[2009/04/15 08:44:56 | 00,013,824 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\apilogen.dll
[2009/04/15 08:44:52 | 03,580,928 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mshtml.dll
[2009/04/15 08:44:50 | 06,068,736 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieframe.dll
[2009/04/15 08:44:50 | 01,166,336 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\urlmon.dll
[2009/04/15 08:44:49 | 00,827,392 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\wininet.dll
[2009/04/15 08:44:49 | 00,270,336 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iertutil.dll
[2009/04/15 08:44:48 | 00,458,240 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msfeeds.dll
[2009/04/15 08:44:48 | 00,389,120 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iedkcs32.dll
[2009/04/15 08:44:48 | 00,230,400 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieaksie.dll
[2009/04/15 08:44:48 | 00,102,912 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\occache.dll
[2009/04/15 08:44:48 | 00,026,624 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieUnatt.exe
[2009/04/15 08:44:47 | 01,383,424 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mshtml.tlb
[2009/04/15 08:44:47 | 00,671,232 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mstime.dll
[2009/04/15 08:44:47 | 00,389,632 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\html.iec
[2009/04/15 08:44:47 | 00,078,336 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieencode.dll
[2009/04/15 08:44:47 | 00,028,160 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jsproxy.dll
[2009/04/12 16:02:57 | 01,044,480 | ---- | C] (eHelp Corporation.) -- C:\Windows\System32\ROBOEX32.DLL
[2009/04/12 16:02:57 | 00,000,000 | ---D | C] -- C:\Program Files\DesignPro
[2009/04/09 21:44:04 | 00,000,000 | ---D | C] -- C:\Users\Steve\AppData\Roaming\Google
[2009/04/08 16:26:15 | 15,066,05056 | ---- | C] () -- C:\Users\Steve\Desktop\HanaYoriDango_Final.avi
[2009/04/08 00:13:42 | 00,000,880 | ---- | C] () -- C:\Windows\tasks\GoogleUpdateTaskMachine.job
[2009/04/08 00:13:29 | 00,000,000 | ---D | C] -- C:\Users\Steve\AppData\Local\Google
[2009/04/08 00:13:11 | 00,000,000 | ---D | C] -- C:\ProgramData\Google Updater
[2009/04/08 00:13:10 | 00,000,868 | ---- | C] () -- C:\Windows\tasks\Google Software Updater.job
[2009/04/08 00:13:09 | 00,000,000 | ---D | C] -- C:\Program Files\Google
[2009/04/05 02:37:42 | 00,000,000 | ---D | C] -- C:\Program Files\KeyHoleTV
[2009/04/05 00:53:10 | 00,000,000 | ---D | C] -- C:\Windows\System32\Adobe
[2009/03/13 15:29:14 | 00,000,023 | ---- | C] () -- C:\Windows\VBCTL3D.INI
[2009/03/13 15:27:47 | 00,581,872 | ---- | C] () -- C:\Windows\System32\wodCertificate.dll
[2009/03/13 15:27:37 | 00,631,768 | ---- | C] () -- C:\Windows\System32\brgrt.dll
[2009/03/08 00:01:47 | 00,000,000 | ---- | C] () -- C:\Windows\vstudio.INI
[2009/03/07 23:45:43 | 00,000,906 | ---- | C] () -- C:\Windows\Ulead32.ini
[2009/03/07 23:45:43 | 00,000,259 | ---- | C] () -- C:\Windows\vidwiz.ini
[2009/03/07 23:45:43 | 00,000,026 | ---- | C] () -- C:\Windows\dswplug.ini
[2009/03/07 23:45:43 | 00,000,011 | ---- | C] () -- C:\Windows\Msdevctl.ini
[2009/03/05 00:39:26 | 00,176,235 | ---- | C] () -- C:\Windows\System32\Primomonnt.dll
[2009/03/04 23:25:22 | 00,000,158 | ---- | C] () -- C:\Windows\matlab.ini
[2009/02/28 17:19:33 | 00,237,568 | ---- | C] () -- C:\Windows\System32\rmc_rtspdl.dll
[2009/02/28 15:37:43 | 00,004,468 | ---- | C] () -- C:\Windows\cool.ini
[2009/02/28 10:33:03 | 00,081,110 | ---- | C] () -- C:\Windows\System32\lvcoinst.ini
[2009/02/28 02:09:13 | 00,000,165 | ---- | C] () -- C:\Windows\QUICKEN.INI
[2009/02/28 01:48:00 | 00,000,376 | ---- | C] () -- C:\Windows\ODBC.INI
[2009/02/28 00:12:39 | 00,303,104 | ---- | C] () -- C:\Windows\System32\lxcrcoin.dll
[2009/02/28 00:11:06 | 00,040,960 | ---- | C] () -- C:\Windows\System32\LXPRMON.DLL
[2009/02/28 00:11:06 | 00,032,768 | ---- | C] () -- C:\Windows\System32\LXPMONUI.DLL
[2009/02/28 00:10:12 | 01,183,744 | ---- | C] ( ) -- C:\Windows\System32\lxcrserv.dll
[2009/02/28 00:10:12 | 00,995,328 | ---- | C] ( ) -- C:\Windows\System32\lxcrusb1.dll
[2009/02/28 00:10:12 | 00,233,472 | ---- | C] () -- C:\Windows\System32\LXCRinst.dll
[2009/02/28 00:10:11 | 00,536,576 | ---- | C] ( ) -- C:\Windows\System32\lxcrlmpm.dll
[2009/02/28 00:10:11 | 00,163,840 | ---- | C] ( ) -- C:\Windows\System32\lxcrprox.dll
[2009/02/28 00:10:11 | 00,114,688 | ---- | C] ( ) -- C:\Windows\System32\lxcrpplc.dll
[2009/02/28 00:10:10 | 00,610,304 | ---- | C] ( ) -- C:\Windows\System32\lxcrcomc.dll
[2009/02/28 00:10:10 | 00,421,888 | ---- | C] ( ) -- C:\Windows\System32\lxcrcomm.dll
[2009/02/27 23:50:41 | 00,532,544 | ---- | C] () -- C:\Windows\PIC.dll
[2009/02/27 23:50:41 | 00,024,576 | ---- | C] () -- C:\Windows\HKNTDLL.dll
[2009/02/04 05:00:08 | 00,011,264 | ---- | C] () -- C:\Windows\System32\atimuixx.dll
[2009/01/13 19:39:06 | 00,072,992 | ---- | C] () -- C:\Windows\System32\drivers\bckd.sys
[2008/12/16 22:58:54 | 00,025,624 | ---- | C] () -- C:\Windows\System32\drivers\LVPr2Mon.sys
[2008/12/16 22:50:56 | 00,013,584 | ---- | C] () -- C:\Windows\System32\drivers\iKeyLgFT.dll
[2008/11/06 12:37:32 | 03,596,288 | ---- | C] () -- C:\Windows\System32\qt-dx331.dll
[2008/11/06 12:34:00 | 00,000,416 | ---- | C] () -- C:\Windows\System32\dtu100.dll.manifest
[2008/11/06 12:34:00 | 00,000,416 | ---- | C] () -- C:\Windows\System32\dpl100.dll.manifest
[2008/11/06 12:33:02 | 00,012,288 | ---- | C] () -- C:\Windows\System32\DivXWMPExtType.dll
[2008/06/18 14:59:56 | 00,007,680 | ---- | C] () -- C:\Windows\System32\ff_vfw.dll
[2008/04/28 13:13:33 | 00,000,310 | ---- | C] () -- C:\Windows\primopdf.ini
[2007/06/23 04:44:50 | 00,009,760 | ---- | C] () -- C:\Windows\System32\34CoInstaller.dll
[2007/02/05 21:05:26 | 00,000,038 | ---- | C] () -- C:\Windows\AviSplitter.INI
[2006/11/22 15:16:18 | 00,003,612 | ---- | C] () -- C:\Windows\ReaderString.ini
[2006/11/21 11:50:06 | 00,000,037 | ---- | C] () -- C:\Windows\sunkist.ini
[2006/11/02 08:35:32 | 00,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
[2006/11/02 06:25:44 | 00,159,744 | ---- | C] () -- C:\Windows\System32\atitmmxx.dll
[2006/11/02 06:23:31 | 00,000,219 | ---- | C] () -- C:\Windows\system.ini
[2006/11/02 06:23:31 | 00,000,144 | ---- | C] () -- C:\Windows\win.ini
[2006/11/02 03:40:29 | 00,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
[2006/02/02 23:01:44 | 00,393,216 | ---- | C] ( ) -- C:\Windows\System32\lxcriesc.dll
[2006/02/02 22:59:12 | 00,409,600 | ---- | C] ( ) -- C:\Windows\System32\lxcrinpa.dll
[2006/01/23 02:43:48 | 00,065,536 | ---- | C] () -- C:\Windows\System32\lxcrcaps.dll
[2006/01/22 13:47:36 | 00,684,032 | ---- | C] () -- C:\Windows\System32\lxcrdrs.dll
[2005/12/20 12:54:04 | 00,061,440 | ---- | C] () -- C:\Windows\System32\lxcrcnv4.dll
[2005/07/08 04:11:22 | 00,040,960 | ---- | C] () -- C:\Windows\System32\lxcrvs.dll
[2005/01/03 12:10:44 | 00,319,488 | ---- | C] () -- C:\Windows\System32\DLXAPI32.DLL

========== Files - Modified Within 30 Days ==========

[3 C:\Windows\*.tmp files]
[2009/04/18 22:30:38 | 00,704,434 | ---- | M] () -- C:\Windows\System32\PerfStringBackup.INI
[2009/04/18 22:30:38 | 00,595,748 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2009/04/18 22:30:38 | 00,105,078 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2009/04/18 22:26:38 | 00,000,818 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/04/18 22:25:50 | 00,000,868 | ---- | M] () -- C:\Windows\tasks\Google Software Updater.job
[2009/04/18 22:23:14 | 00,003,792 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2009/04/18 22:23:14 | 00,003,792 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2009/04/18 22:23:12 | 00,000,880 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachine.job
[2009/04/18 22:23:11 | 00,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2009/04/18 22:23:09 | 00,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2009/04/18 22:23:05 | 00,000,000 | ---- | M] () -- C:\Windows\System32\drivers\lvuvc.hs
[2009/04/18 22:22:00 | 02,389,464 | -H-- | M] () -- C:\Users\Steve\AppData\Local\IconCache.db
[2009/04/18 22:19:36 | 00,081,984 | ---- | M] () -- C:\Windows\System32\bdod.bin
[2009/04/18 22:15:27 | 00,000,733 | ---- | M] () -- C:\Users\Steve\Desktop\NTREGOPT.lnk
[2009/04/18 22:15:27 | 00,000,714 | ---- | M] () -- C:\Users\Steve\Desktop\ERUNT.lnk
[2009/04/18 21:36:03 | 00,000,680 | ---- | M] () -- C:\Users\Steve\AppData\Local\d3d9caps.dat
[2009/04/18 17:52:12 | 00,001,874 | ---- | M] () -- C:\Users\Steve\Desktop\HijackThis.lnk
[2009/04/18 17:20:44 | 00,000,850 | ---- | M] () -- C:\Windows\System32\ProductTweaks.xml
[2009/04/18 17:20:44 | 00,000,385 | ---- | M] () -- C:\Windows\System32\user_gensett.xml
[2009/04/18 12:09:28 | 00,006,545 | ---- | M] () -- C:\Users\Steve\AppData\Roaming\PrimoPDFSet.xml
[2009/04/18 09:31:16 | 21,928,7319 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2009/04/15 21:03:44 | 01,454,626 | ---- | M] () -- C:\Users\Steve\Desktop\2008IR22.pdf
[2009/04/15 21:03:33 | 00,107,503 | ---- | M] () -- C:\Users\Steve\Desktop\2008IR22__INST.pdf
[2009/04/14 00:12:10 | 00,082,944 | ---- | M] () -- C:\Users\Steve\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/04/13 14:52:14 | 00,016,640 | ---- | M] (Wondershare) -- C:\Windows\System32\drivers\WsAudio_DeviceS(1).sys
[2009/04/13 08:36:33 | 01,642,424 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2009/04/12 16:31:20 | 00,076,512 | ---- | M] () -- C:\Users\Steve\AppData\Local\GDIPFONTCACHEV1.DAT
[2009/04/12 16:06:05 | 00,682,197 | ---- | M] () -- C:\Users\Steve\Documents\Campus Cops.ncor
[2009/04/06 15:32:54 | 00,038,496 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2009/04/06 15:32:46 | 00,015,504 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2009/04/06 10:57:24 | 24,921,544 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\mrt.exe
[2009/03/30 22:26:25 | 00,073,376 | ---- | M] () -- C:\Users\Steve\AppData\Roaming\GDIPFONTCACHEV1.DAT
< End of report >

Extras.txt
OTListIt Extras logfile created on: 4/18/2009 10:29:23 PM - Run 1
OTListIt2 by OldTimer - Version 2.0.14.0 Folder = C:\Users\Steve\Downloads
Windows Vista Home Premium Edition Service Pack 1 (Version = 6.0.6001) - Type = NTWorkstation
Internet Explorer (Version = 7.0.6001.18000)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 100.00% Memory free
4.00 Gb Paging File | 4.00 Gb Available in Paging File | 100.00% Paging File free
Paging file location(s): ?:\pagefile.sys;

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 288.38 Gb Total Space | 113.28 Gb Free Space | 39.28% Space Free | Partition Type: NTFS
Drive D: | 9.71 Gb Total Space | 4.34 Gb Free Space | 44.68% Space Free | Partition Type: NTFS
Drive E: | 2.59 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: CDFS
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: COMPY
Current User Name: Steve
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Output = Minimal
File Age = 30 Days
Company Name Whitelist: On

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation)
.js [@ = JSFile] -- C:\Program Files\Macromedia\Dreamweaver MX\Dreamweaver.exe (Macromedia, Inc.)

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla\Firefox\firefox.exe (Mozilla Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
"VistaSp1" =
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
"DisableNotifications" = 0
"EnableFirewall" = 1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00203668-8170-44A0-BE44-B632FA4D780F}" = Adobe AIR
"{0224CACC-994D-45F8-B973-D65056EA9C2F}" = Adobe XMP DVA Panels CS3
"{04AF207D-9A77-465A-8B76-991F6AB66245}" = Adobe Help Viewer CS3
"{08B32819-6EEF-4057-AEDA-5AB681A36A23}" = Adobe Bridge Start Meeting
"{1017A80C-6F09-4548-A84D-EDD6AC9525F0}" = Lexmark Toolbar
"{13F3917B56CD4C25848BDC69916971BB}" = DivX Converter
"{147BCE03-C0F1-4C9F-8157-6A89B6D2D973}" = McAfee VirusScan Enterprise
"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate
"{1F28237D-8AA8-45A5-86CF-F771BFD47EF7}" = Catalyst Control Center Core Implementation
"{216AB108-2AE1-4130-B3D5-20B2C4C80F8F}" = QuickTime
"{24D753CA-6AE9-4E30-8F5F-EFC93E08BF3D}" = Skype™ 4.0
"{26A24AE4-039D-4CA4-87B4-2F83216012FF}" = Java™ 6 Update 13
"{2CC982C0-7EAE-11D4-ACC3-0050568AD318}" = Avery DesignPro
"{32A3A4F4-B792-11D6-A78A-00B0D0160120}" = Java™ SE Development Kit 6 Update 12
"{3BE480ED-E17A-431A-981C-5C2EDDBCD3BF}" = Macromedia Flash MX
"{3FC7CBBC4C1E11DCA1A752EA55D89593}" = DivX Version Checker
"{40BF1E83-20EB-11D8-97C5-0009C5020658}" = Power2Go 5.0
"{42705D0C-0DF6-804C-D718-57C53F733C32}" = ccc-utility
"{43545ABC-41F6-40E2-B0FF-B4735003A7CC}" = Catalyst Control Center Graphics Full Existing
"{45A8F574-2F1C-3696-B803-746965390DBB}" = Catalyst Control Center HydraVision Full
"{485ACF57-F364-440A-8496-E1E81C8FA1AA}" = Adobe Premiere Pro CS3 Third Party Content
"{50F102CA-4BE2-41A9-9810-5BB05EB91B9A}" = Adobe Premiere Pro CS3 Functional Content
"{53EF6570-21A4-47ED-A40A-E6470A5677A3}" = Studio 8
"{54793AA1-5001-42F4-ABB6-C364617C6078}" = Adobe Linguistics CS3
"{548EAC70-EE00-11DD-908C-005056806466}" = Google Earth
"{54B2EAD9-A110-43F7-B010-2859A1BD2AFE}" = Adobe Encore CS3
"{58DCEEE5-532E-44F4-B1D7-A146EF9E9FDA}" = Adobe Premiere Pro CS3
"{6395D480-9F3B-4930-8204-B91C8882F967}" = Stata 10
"{6772B9B1-ACAE-ECF8-9C6F-DAD5A3C1A001}" = Skins
"{68CC21AD-B6EC-4DB8-954D-F27AD0D9A83F}" = TV Expert
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}" = Windows Media Player Firefox Plugin
"{6ABE0BEE-D572-4FE8-B434-9E72A289431B}" = Adobe Fonts All
"{6FF5DD7A-FE28-4439-B8CF-1E9AF4EA0A61}" = Adobe Asset Services CS3
"{7066F2DB-5032-4B6F-A8E7-A6F946043438}" = Adobe Setup
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{767CC44C-9BBC-438D-BAD3-FD4595DD148B}" = VC80CRTRedist - 8.0.50727.762
"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX Codec
"{7DD0FFB0-387C-EF62-1591-41C05FE60642}" = Catalyst Control Center Graphics Previews Common
"{7E1B2F63-CB3E-F73A-AE05-CD452BB23023}" = ATI Catalyst Install Manager
"{80E8BC6A-5061-0188-A628-6DD17A5ED0A2}" = Catalyst Control Center InstallProxy
"{8ADFC4160D694100B5B8A22DE9DCABD9}" = DivX Player
"{8B4AB829-DFD3-436D-B808-D9733D76C590}" = Macromedia Dreamweaver MX
"{8D2BA474-F406-4710-9AE4-D4F22D21F0DD}" = Adobe Device Central CS3
"{8E6808E2-613D-4FCD-81A2-6C8FA8E03312}" = Adobe Type Support
"{90176341-0A8B-4CCC-A78D-F862228A6B95}" = Adobe Anchor Service CS3
"{90280409-6000-11D3-8CFE-0050048383C9}" = Microsoft Office XP Professional with FrontPage
"{90D43604-FAC9-62BD-186C-6F5692CBD48E}" = Catalyst Control Center Graphics Previews Vista
"{90D4CD58-6CA9-2B7E-21FF-1145A9E3A1DD}" = ccc-core-static
"{930B2432-43D4-11D5-9871-00C04F8EEB39}" = Macromedia Fireworks MX
"{937B232D-9776-471E-92BD-D424E514EF14}" = Logitech QuickCam
"{998D6972-F58E-479D-9248-8F179E55AE38}" = Java DB 10.4.1.3
"{9C9824D9-9000-4373-A6A5-D0E5D4831394}" = Adobe Bridge CS3
"{A2B242BD-FF8D-4840-9DAA-9170EABEC59C}" = Adobe CMaps
"{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}" = SigmaTel Audio
"{A5BA14E0-7384-11D4-BAE7-00409631A2C8}" = Macromedia Extension Manager
"{A638557B-1F13-40A0-9627-C892FBCA6960}" = McAfee Agent
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{A96E97134CA649888820BCDE5E300BBD}" = H.264 Decoder
"{AAC389499AEF40428987B3D30CFC76C9}" = MKV Splitter
"{AC76BA86-7AD7-1041-7B44-A91000000001}" = Adobe Reader 9.1 - Japanese
"{ACF60000-22B9-4CE9-98D6-2CCF359BAC07}" = ABBYY FineReader 6.0 Sprint
"{AEF9DC35ADDF4825B049ACBFD1C6EB37}" = AAC Decoder
"{B13A7C41581B411290FBC0395694E2A9}" = DivX Converter
"{B2C3BB6B-E005-4246-B8E5-DF0A4D073CDC}" = PixiePack Codec Pack
"{B3BF6689-A81D-40D8-9A86-4AC4ACD9FC1C}" = Adobe Camera Raw 4.0
"{B8B7A4D8-80E1-4DAE-BD33-7FD535BA3931}" = Adobe Encore CS3 Codecs
"{B9B35331-B7E4-4E5C-BF4C-7BC87856124D}" = Adobe Default Language CS3
"{BB81360F-041C-4CF7-B15E-71380D154244}" = Adobe Setup
"{BE2CC4A5-2128-4EA2-941D-14F7A6A1AB61}" = Digital Media Reader
"{C2D69781-F392-4118-A5A7-C7E9C38DBFC2}" = Adobe ExtendScript Toolkit 2
"{C3ABE126-2BB2-4246-BFE1-6797679B3579}" = LG USB Modem driver
"{CABD1344-150F-8A13-FE4F-64D18C6962AD}" = Catalyst Control Center Graphics Full New
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CD3E2AB0-305C-84D6-4C6E-20BFC33C3ECA}" = Catalyst Control Center Graphics Light
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D0DFF92A-492E-4C40-B862-A74A173C25C5}" = Adobe Version Cue CS3 Client
"{D2559B88-CC9D-4B48-81BB-F492BAA9C48C}" = Adobe PDF Library Files
"{D3B1C799-CB73-42DE-BA0F-2344793A095C}" = Catalyst Control Center - Branding
"{D5A31AB1-345D-47C7-A87B-036A669F6DF1}" = Adobe XMP Panels CS3
"{D5C92012-A0A0-53E1-4A18-8DCC4463CA34}" = CCC Help English
"{DADD7B8A-BCB0-44F5-967A-ECB6B4F2ECD9}" = Adobe Color Common Settings
"{DBCC73BA-C69A-4BF5-B4BF-F07501EE7039}" = AnswerWorks 5.0 English Runtime
"{E24A7D40-D12E-4A11-8DEC-7BB21BE4614D}" = Wolfram Notebook Indexer 1.1
"{E69AE897-9E0B-485C-8552-7841F48D42D8}" = Adobe Update Manager CS3
"{ED2A3C11-3EA8-4380-B59C-F2C1832731B0}" = Quicken 2009
"{F1D93F5B-881F-49E3-BA56-B4B8FA991059}" = Adobe Encore CS3 Library
"{F9FD80CE-0448-4D4F-8BCD-77FC514C3F99}" = Vista Codec Package
"{FC10C290-6E4D-4C6B-A8B3-33700C21F9E6}" = Mathematica 5.2 for Students
"{FF262740-C85A-11D5-BBEC-00D0B740900A}" = PS2 Multimedia Keyboard Driver
"{FFB278E6-2945-4FF0-8F3F-268CDD09FCF6}" = Adobe OnLocation CS3
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Photoshop 7.0" = Adobe Photoshop 7.0
"Adobe Shockwave Player" = Adobe Shockwave Player 11.5
"Adobe_32fdd767b4383606e8168e834af5d90" = Adobe Premiere Pro CS3
"Adobe_54503dca4c8f2a99b3c8c810699cd75" = Adobe Encore CS3
"AFPL Ghostscript 8.54" = AFPL Ghostscript 8.54
"AFPL Ghostscript Fonts" = AFPL Ghostscript Fonts
"Agere Systems Soft Modem" = Agere Systems PCI-SV92PP Soft Modem
"Aspell" = Aspell Data
"Aspell6-Dictionary-en" = Aspell 0.6 Dictionary (Language: en)
"Avidemux 2.4" = Avidemux 2.4
"AVS Update Manager_is1" = AVS Update Manager 1.0
"AVS4YOU Software Navigator_is1" = AVS4YOU Software Navigator 1.3
"AVS4YOU Video Converter 6_is1" = AVS Video Converter 6
"Blue Coat K9 Web Protection" = Blue Coat® K9 Web Protection 4.0.288
"BREE5" = Brownstone Equation Editor 5
"camcodec" = CamStudio Lossless Codec
"CamStudio" = CamStudio
"Collectorz.com Book Collector" = Collectorz.com Book Collector
"Cool Edit 96" = Cool Edit 96
"Core FTP LE 1.3c" = Core FTP LE 1.3c
"Diploma" = Diploma
"DivX Plus DirectShow Filters" = DivX Plus DirectShow Filters
"ERUNT_is1" = ERUNT 1.1j
"ffdshow_is1" = ffdshow [rev 2744] [2009-03-05]
"Google Updater" = Google Updater
"Gradebook" = Gradebook
"GSview 4.9" = GSview 4.9
"HijackThis" = HijackThis 2.0.2
"HUFFYUV" = Huffyuv AVI lossless video codec (Remove Only)
"ImTOO AVI MPEG Converter" = ImTOO AVI MPEG Converter
"InstallShield_{BE2CC4A5-2128-4EA2-941D-14F7A6A1AB61}" = Digital Media Reader
"InstallShield_{FC10C290-6E4D-4C6B-A8B3-33700C21F9E6}" = Mathematica 5.2 for Students
"InstallShield_{FFB278E6-2945-4FF0-8F3F-268CDD09FCF6}" = Adobe OnLocation CS3
"KeyHoleTV" = KeyHoleTV
"Lexmark 2400 Series" = Lexmark 2400 Series
"Lexmark Fax Solutions" = Lexmark Fax Solutions
"lvdrivers_11.90" = Logitech QuickCam Driver Package
"LyX" = LyX 1.6.1-1
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"MatlabR2007a" = MATLAB R2007a
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"MiKTeX 2.7" = MiKTeX 2.7
"Mozilla Firefox (3.0.8)" = Mozilla Firefox (3.0.8)
"Mozilla Thunderbird (2.0.0.21)" = Mozilla Thunderbird (2.0.0.21)
"PrimoPDF4.1.0.9" = PrimoPDF
"PROSet" = Intel® PRO Network Connections Drivers
"SHAZAM Standard Edition" = SHAZAM Standard Edition
"ShockwaveFlash" = Adobe Flash Player 9 ActiveX
"SubtitleWorkshop" = Subtitle Workshop 2.51
"TeXnicCenter_is1" = TeXnicCenter Version 1.0 Stable RC1
"V CAST Music with Rhapsody" = V CAST Music with Rhapsody
"WinRAR archiver" = WinRAR archiver
"XEmacs_is1" = XEmacs 21.4.21

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{226b64e8-dc75-4eea-a6c8-abcb496320f2}-Google Talk" = Google Talk (remove only)
"uTorrent" = µTorrent

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 4/18/2009 7:00:46 PM | Computer Name = COMPY | Source = McLogEvent | ID = 5004
Description = Could not contact Filter Driver. Error = 0x7d1 : The specified driver
is invalid.

Error - 4/18/2009 7:04:27 PM | Computer Name = COMPY | Source = EventSystem | ID = 4609
Description =

Error - 4/18/2009 7:07:04 PM | Computer Name = COMPY | Source = Application Error | ID = 1000
Description = Faulting application DllHost.exe, version 6.0.6000.16386, time stamp
0x4549b14e, faulting module CEVideoEncoder.dll, version 1.7.13.7301, time stamp
0x45e6b50a, exception code 0xc0000005, fault offset 0x0000cc1e, process id 0x65c,
application start time 0x01c9c07a4b385d45.

Error - 4/18/2009 10:13:49 PM | Computer Name = COMPY | Source = McLogEvent | ID = 5004
Description = Could not contact Filter Driver. Error = 0x7d1 : The specified driver
is invalid.

Error - 4/18/2009 10:17:20 PM | Computer Name = COMPY | Source = SPP | ID = 16387
Description =

Error - 4/18/2009 10:17:20 PM | Computer Name = COMPY | Source = System Restore | ID = 8193
Description =

Error - 4/18/2009 10:19:30 PM | Computer Name = COMPY | Source = SPP | ID = 16387
Description =

Error - 4/18/2009 10:19:30 PM | Computer Name = COMPY | Source = System Restore | ID = 8193
Description =

Error - 4/18/2009 10:21:28 PM | Computer Name = COMPY | Source = Application Error | ID = 1000
Description = Faulting application mbam.exe, version 1.36.0.0, time stamp 0x2a425e19,
faulting module mbam.exe, version 1.36.0.0, time stamp 0x2a425e19, exception code
0x80000003, fault offset 0x00009a94, process id 0xbdc, application start time 0x01c9c0958ba22e8a.

Error - 4/18/2009 10:23:40 PM | Computer Name = COMPY | Source = McLogEvent | ID = 5004
Description = Could not contact Filter Driver. Error = 0x7d1 : The specified driver
is invalid.

[ Media Center Events ]
Error - 3/2/2009 1:14:08 AM | Computer Name = COMPY | Source = ehRecvr | ID = 4
Description =

Error - 3/5/2009 9:00:41 PM | Computer Name = COMPY | Source = ehRecvr | ID = 3
Description =

[ System Events ]
Error - 4/18/2009 7:04:32 PM | Computer Name = COMPY | Source = DCOM | ID = 10005
Description =

Error - 4/18/2009 7:05:04 PM | Computer Name = COMPY | Source = Service Control Manager | ID = 7001
Description =

Error - 4/18/2009 7:05:04 PM | Computer Name = COMPY | Source = Service Control Manager | ID = 7001
Description =

Error - 4/18/2009 7:05:04 PM | Computer Name = COMPY | Source = Service Control Manager | ID = 7001
Description =

Error - 4/18/2009 7:05:04 PM | Computer Name = COMPY | Source = Service Control Manager | ID = 7026
Description =

Error - 4/18/2009 10:13:26 PM | Computer Name = COMPY | Source = HTTP | ID = 15016
Description =

Error - 4/18/2009 10:14:58 PM | Computer Name = COMPY | Source = Service Control Manager | ID = 7000
Description =

Error - 4/18/2009 10:20:07 PM | Computer Name = COMPY | Source = DCOM | ID = 10010
Description =

Error - 4/18/2009 10:23:11 PM | Computer Name = COMPY | Source = HTTP | ID = 15016
Description =

Error - 4/18/2009 10:24:48 PM | Computer Name = COMPY | Source = Service Control Manager | ID = 7000
Description =


< End of report >

Edited by stekun, 19 April 2009 - 12:26 PM.


#2
Rorschach112
  • Retired Staff
Don't put the logs in code.

Download ComboFix from one of these locations:

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you don't know how to disable them then just continue on.

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Posted Image



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply.

#3
stekun
  • Topic Starter
  • New Member
I downloaded ComboFix to my desktop and attempted to run it. I received the following alert:

Posted Image

Clicking okay closes the program and automatically deletes ComboFix.

I have tried downloading from both links provided and got the same results. I disabled my anti-virus software before downloading, but still get the same results. I'll keep trying and post my log if I get it. Any ideas as to why this result?

Edit: I had the idea to try running it in Safe Mode, but experienced the same problem.

Thanks!

Edited by stekun, 19 April 2009 - 01:55 PM.


#4
Rorschach112
  • Retired Staff
Weird, is that your anti-virus saying that?


Download RootRepeal.zip and unzip it to your Desktop.
  • Double click RootRepeal.exe to start the program
  • Click on the Report tab at the bottom of the program window
  • Click the Scan button
  • In the Select Scan dialog, check:
    • Drivers
    • Files
    • Processes
    • SSDT
    • Stealth Objects
    • Hidden Services
  • Click the OK button
  • In the next dialog, select all drives showing
  • Click OK to start the scan

    Note: The scan can take some time. DO NOT run any other programs while the scan is running

  • When the scan is complete, the Save Report button will become available
  • Click this and save the report to your Desktop as RootRepeal.txt
If the report is not too long, post the contents of RootRepeal.txt in your next reply. If the report is very long, it will not be complete if you post it, so please attach it to your reply instead.

To attach a file, do the following:
  • Click Add Reply
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on Posted Image to insert the attachment into your post

#5
stekun
  • Topic Starter
  • New Member
As far as I can tell, it's ComboFix giving me the alert. My anti-virus is disabled and in fact, I completely unloaded it from memory. I also get the same report from ComboFix in safe mode and normal mode.

Here's my log from RootRepeal:

ROOTREPEAL © AD, 2007-2008
==================================================
Scan Time: 2009/04/20 10:24
Program Version: Version 1.2.3.0
Windows Version: Windows Vista SP1
==================================================

Drivers
-------------------
Name: cdfs.sys
Image Path: C:\Windows\system32\DRIVERS\cdfs.sys
Address: 0x902E6000 Size: 90112 File Visible: -
Status: Hidden from Windows API!

Name: dump_iaStorV.sys
Image Path: C:\Windows\System32\Drivers\dump_iaStorV.sys
Address: 0x90332000 Size: 659456 File Visible: No
Status: -

Name: Fs_Rec.SYS
Image Path: C:\Windows\System32\Drivers\Fs_Rec.SYS
Address: 0x8EF6F000 Size: 36864 File Visible: -
Status: Hidden from Windows API!

Name: gxvxciftyiwodtpeokbtkavvvnvygpmfbssqv.sys
Image Path: C:\Windows\system32\drivers\gxvxciftyiwodtpeokbtkavvvnvygpmfbssqv.sys
Address: 0x8EFC3000 Size: 77824 File Visible: -
Status: Hidden from Windows API!

Name: rootrepeal.sys
Image Path: C:\Windows\system32\drivers\rootrepeal.sys
Address: 0x9A77B000 Size: 45056 File Visible: No
Status: -

Hidden/Locked Files
-------------------
Path: C:\System Volume Information\{43dc3c48-29ba-11de-9985-0019d139ee82}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{445b93f6-1ffe-11de-883b-0019d139ee82}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{445b9414-1ffe-11de-883b-0019d139ee82}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{0AD6B~1
Status: Locked to the Windows API!

Path: C:\System Volume Information\{0ad6beb3-242c-11de-8400-0019d139ee82}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{21c3fd4f-2120-11de-9f06-0019d139ee82}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{21c3fd69-2120-11de-9f06-0019d139ee82}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{21c3fd92-2120-11de-9f06-0019d139ee82}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{21c3fdb0-2120-11de-9f06-0019d139ee82}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{24404~1
Status: Locked to the Windows API!

Path: C:\System Volume Information\{24404181-2b7b-11de-9917-0019d139ee82}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{2440418d-2b7b-11de-9917-caff033ce74f}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{840fde8f-29fb-11de-9656-edd17930dcff}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{840fde95-29fb-11de-9656-edd17930dcff}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{840fde9e-29fb-11de-9656-edd17930dcff}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{a2228409-2827-11de-bf60-0019d139ee82}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{bb79c50f-25c8-11de-b183-0019d139ee82}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{bb79c549-25c8-11de-b183-0019d139ee82}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{bb79c592-25c8-11de-b183-0019d139ee82}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\Windows\SoftwareDistribution\ReportingEvents.log
Status: Allocation size mismatch (API: 409600, Raw: 405504)

Path: C:\Windows\System32\gxvxccounter
Status: Invisible to the Windows API!

Path: C:\Windows\System32\gxvxcxjfegxtdpfvwiwemnxrhbpisbpsplndo.dll
Status: Invisible to the Windows API!

Path: C:\Program Files\Blue Coat K9 Web Protection\logs\k9log.log
Status: Allocation size mismatch (API: 655360, Raw: 503808)

Path: C:\Windows\System32\drivers\gxvxciftyiwodtpeokbtkavvvnvygpmfbssqv.sys
Status: Invisible to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.762_none_9193a620671dde41.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.163_none_43f0c1d77830fb9e.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.42_none_58843c41d2730d3f.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.762_none_0c178a139ee2a7ed.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.openmp_1fc8b3b9a1e18e3b_8.0.50727.42_none_7658964504b9f3b6.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.openmp_1fc8b3b9a1e18e3b_8.0.50727.762_none_7b33aa7d218504d2.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.openmp_1fc8b3b9a1e18e3b_8.0.50727.762_none_abac38a907ee8801.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.42_none_5c4003bc63e949f6.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.openmp_1fc8b3b9a1e18e3b_8.0.50727.42_none_45e008191e507087.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.163_none_8a15b53c6beb8591.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.762_none_43efccf17831d131.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.9.0.microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.21022.8_none_60a5df56e60dc5df.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.163_none_0c187ef99ee1d25a.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.163_none_91949b06671d08ae.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.42_none_58b19c2866332652.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.762_none_11ecb0ab9b2caf3c.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.21022.8_none_bcb86ed6ac711f91.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.762_none_10b2f55f9bffb8f8.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.42_none_dc990e4797f81af1.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.762_none_8dd7dea5d5a7a18a.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.msxml2r_6bd6b9abf345378f_4.1.1.0_none_365945b9da656e4d.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.msxml2_6bd6b9abf345378f_4.20.9870.0_none_b7e00e6c7b30b69b.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.163_none_10b3ea459bfee365.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.762_none_8a14c0566bec5b24.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.42_none_db5f52fb98cb24ad.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.4.1.microsoft.msxml2r_6bd6b9abf345378f_4.1.1.0_none_8b7b15c031cda6db.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.4.20.microsoft.msxml2_6bd6b9abf345378f_4.20.9870.0_none_a6dea5dc0ea08098.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.762_none_8e053e8c6967ba9d.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6000.16830_none_2d5b556b1cf03df9\WINDOW~1.WAV
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6000.16830_none_2d5b556b1cf03df9\WINDOW~4.WAV
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6000.16830_none_2d5b556b1cf03df9\WINDOW~3.WAV
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6000.21023_none_2df29b2236034119\WINDOW~1.WAV
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6000.21023_none_2df29b2236034119\WINDOW~4.WAV
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6000.21023_none_2df29b2236034119\WINDOW~3.WAV
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6001.18000_none_2f62000919fe80c9\WINDOW~1.WAV
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6001.18000_none_2f62000919fe80c9\WINDOW~4.WAV
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6001.18000_none_2f62000919fe80c9\WINDOW~3.WAV
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6001.18226_none_2f5265b91a094b03\WINDOW~1.WAV
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6001.18226_none_2f5265b91a094b03\WINDOW~4.WAV
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6001.18226_none_2f5265b91a094b03\WINDOW~3.WAV
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6001.22389_none_2f9e23da3354de78\WINDOW~1.WAV
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6001.22389_none_2f9e23da3354de78\WINDOW~4.WAV
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6001.22389_none_2f9e23da3354de78\WINDOW~3.WAV
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_policy.1.2.microsof..op.security.azroles_31bf3856ad364e35_6.0.6000.16386_none_ea83414c2e75b887\Microsoft.Interop.Security.AzRoles.config
Status: Locked to the Windows API!

Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\SYSTEM~1.DLL
Status: Locked to the Windows API!

Path: C:\Windows\System32\LogFiles\WUDF\WUDFTrace.etl
Status: Allocation size mismatch (API: 16384, Raw: 4096)

Path: C:\Users\Steve\AppData\Local\Temp\etilqs_i8u2vufC9nRJldCireJA
Status: Allocation size mismatch (API: 32768, Raw: 0)

Path: C:\Users\Steve\AppData\Roaming\skypePM\2009-04-20-1.ezlog
Status: Size mismatch (API: 36504, Raw: 36376)

Path: C:\Windows\assembly\GAC_32\Policy.1.2.Microsoft.Interop.Security.AzRoles\6.0.6000.16386__31bf3856ad364e35\Microsoft.Interop.Security.AzRoles.config
Status: Locked to the Windows API!

Path: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl
Status: Locked to the Windows API!

Path: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Application.etl
Status: Locked to the Windows API!

Path: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl
Status: Locked to the Windows API!

Path: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl
Status: Locked to the Windows API!

Path: C:\ProgramData\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\SystemIndex.48.gthr
Status: Allocation size mismatch (API: 4096, Raw: 544)

Path: C:\Users\Steve\AppData\Local\Mozilla\Firefox\Profiles\pibymdh4.default\Cache\_CACHE_003_
Status: Allocation size mismatch (API: 8540160, Raw: 8523776)

Processes
-------------------
Path: System
PID: 4 Status: Locked to the Windows API!

Stealth Objects
-------------------
Object: Hidden Module [Name: winlogon.exe]
Process: svchost.exe (PID: 1128) Address: 0x020d0000 Size: 323584

Object: Hidden Module [Name: winlogon.exe]
Process: svchost.exe (PID: 1128) Address: 0x02780000 Size: 323584

Object: Hidden Module [Name: tquery.dll]
Process: svchost.exe (PID: 1128) Address: 0x6bf30000 Size: 1589248

Object: Hidden Module [Name: WinMgmtR.dll]
Process: svchost.exe (PID: 1128) Address: 0x72310000 Size: 8192

Object: Hidden Module [Name: profsvc.dll]
Process: svchost.exe (PID: 1128) Address: 0x74390000 Size: 163840

Object: Hidden Module [Name: wevtapi.dll]
Process: svchost.exe (PID: 1128) Address: 0x75710000 Size: 258048

Object: Hidden Module [Name: LOG.Foundation.DLL]
Process: MOM.exe (PID: 2476) Address: 0x00430000 Size: 45056

Object: Hidden Module [Name: MOM.Implementation.DLL]
Process: MOM.exe (PID: 2476) Address: 0x00410000 Size: 118784

Object: Hidden Module [Name: LOG.Foundation.Private.DLL]
Process: MOM.exe (PID: 2476) Address: 0x00a80000 Size: 45056

Object: Hidden Module [Name: LOG.Foundation.Implementation.DLL]
Process: MOM.exe (PID: 2476) Address: 0x00a90000 Size: 69632

Object: Hidden Module [Name: MOM.Foundation.DLL]
Process: MOM.exe (PID: 2476) Address: 0x01a70000 Size: 28672

Object: Hidden Module [Name: LOG.Foundation.Implementation.Private.DLL]
Process: MOM.exe (PID: 2476) Address: 0x03da0000 Size: 28672

Object: Hidden Module [Name: System.Runtime.Remoting.dll]
Process: MOM.exe (PID: 2476) Address: 0x03f60000 Size: 307200

Object: Hidden Module [Name: CCC.Implementation.DLL]
Process: MOM.exe (PID: 2476) Address: 0x04630000 Size: 36864

Object: Hidden Module [Name: NEWAEM.Foundation.DLL]
Process: MOM.exe (PID: 2476) Address: 0x04650000 Size: 36864

Object: Hidden Module [Name: System.Web.dll]
Process: MOM.exe (PID: 2476) Address: 0x05cf0000 Size: 5255168

Object: Hidden Module [Name: CLI.Aspect.DeviceTV.Graphics.Shared.DLL]
Process: CCC.exe (PID: 2832) Address: 0x061e0000 Size: 77824

Object: Hidden Module [Name: CCC.Implementation.DLL]
Process: CCC.exe (PID: 2832) Address: 0x00630000 Size: 36864

Object: Hidden Module [Name: LOG.Foundation.DLL]
Process: CCC.exe (PID: 2832) Address: 0x00650000 Size: 45056

Object: Hidden Module [Name: MOM.Foundation.DLL]
Process: CCC.exe (PID: 2832) Address: 0x00660000 Size: 28672

Object: Hidden Module [Name: LOG.Foundation.Implementation.Private.DLL]
Process: CCC.exe (PID: 2832) Address: 0x007f0000 Size: 28672

Object: Hidden Module [Name: CLI.Foundation.DLL]
Process: CCC.exe (PID: 2832) Address: 0x007d0000 Size: 86016

Object: Hidden Module [Name: LOG.Foundation.Implementation.DLL]
Process: CCC.exe (PID: 2832) Address: 0x00800000 Size: 69632

Object: Hidden Module [Name: LOG.Foundation.Private.DLL]
Process: CCC.exe (PID: 2832) Address: 0x01ba0000 Size: 45056

Object: Hidden Module [Name: System.Runtime.Remoting.dll]
Process: CCC.exe (PID: 2832) Address: 0x01b50000 Size: 307200

Object: Hidden Module [Name: CLI.Foundation.XManifest.DLL]
Process: CCC.exe (PID: 2832) Address: 0x03f80000 Size: 36864

Object: Hidden Module [Name: CLI.Component.SkinFactory.DLL]
Process: CCC.exe (PID: 2832) Address: 0x03f60000 Size: 69632

Object: Hidden Module [Name: MOM.Implementation.DLL]
Process: CCC.exe (PID: 2832) Address: 0x03f40000 Size: 118784

Object: Hidden Module [Name: CLI.Component.Runtime.Shared.Private.DLL]
Process: CCC.exe (PID: 2832) Address: 0x04040000 Size: 53248

Object: Hidden Module [Name: CLI.Component.Runtime.DLL]
Process: CCC.exe (PID: 2832) Address: 0x04020000 Size: 86016

Object: Hidden Module [Name: CLI.Foundation.Private.DLL]
Process: CCC.exe (PID: 2832) Address: 0x04050000 Size: 53248

Object: Hidden Module [Name: CLI.Component.Runtime.Shared.DLL]
Process: CCC.exe (PID: 2832) Address: 0x04060000 Size: 28672

Object: Hidden Module [Name: AEM.Server.DLL]
Process: CCC.exe (PID: 2832) Address: 0x040a0000 Size: 53248

Object: Hidden Module [Name: ATICCCom.DLL]
Process: CCC.exe (PID: 2832) Address: 0x04080000 Size: 45056

Object: Hidden Module [Name: NEWAEM.Foundation.DLL]
Process: CCC.exe (PID: 2832) Address: 0x040b0000 Size: 36864

Object: Hidden Module [Name: LOCALIZATION.Foundation.Private.DLL]
Process: CCC.exe (PID: 2832) Address: 0x040c0000 Size: 28672

Object: Hidden Module [Name: Interop.WBOCXLib.DLL]
Process: CCC.exe (PID: 2832) Address: 0x04bb0000 Size: 36864

Object: Hidden Module [Name: AEM.Plugin.Source.Kit.Server.DLL]
Process: CCC.exe (PID: 2832) Address: 0x041b0000 Size: 53248

Object: Hidden Module [Name: AxInterop.WBOCXLib.DLL]
Process: CCC.exe (PID: 2832) Address: 0x04130000 Size: 36864

Object: Hidden Module [Name: AEM.Server.Shared.DLL]
Process: CCC.exe (PID: 2832) Address: 0x041a0000 Size: 28672

Object: Hidden Module [Name: AEM.Plugin.Hotkeys.Shared.DLL]
Process: CCC.exe (PID: 2832) Address: 0x04a90000 Size: 28672

Object: Hidden Module [Name: AEM.Plugin.DPPE.Shared.DLL]
Process: CCC.exe (PID: 2832) Address: 0x04aa0000 Size: 28672

Object: Hidden Module [Name: AEM.Plugin.WinMessages.Shared.DLL]
Process: CCC.exe (PID: 2832) Address: 0x04c00000 Size: 28672

Object: Hidden Module [Name: DEM.Foundation.DLL]
Process: CCC.exe (PID: 2832) Address: 0x04c50000 Size: 28672

Object: Hidden Module [Name: DEM.Graphics.I0601.DLL]
Process: CCC.exe (PID: 2832) Address: 0x04c40000 Size: 53248

Object: Hidden Module [Name: ATIDEMGX.dll]
Process: CCC.exe (PID: 2832) Address: 0x04f70000 Size: 454656

Object: Hidden Module [Name: DEM.Graphics.DLL]
Process: CCC.exe (PID: 2832) Address: 0x04e60000 Size: 28672

Object: Hidden Module [Name: CLI.Caste.HydraVision.Shared.DLL]
Process: CCC.exe (PID: 2832) Address: 0x05180000 Size: 28672

Object: Hidden Module [Name: LOCALIZATION.Foundation.Implementation.DLL]
Process: CCC.exe (PID: 2832) Address: 0x05100000 Size: 36864

Object: Hidden Module [Name: CLI.Caste.HydraVision.Runtime.DLL]
Process: CCC.exe (PID: 2832) Address: 0x05170000 Size: 36864

Object: Hidden Module [Name: AEM.Actions.CCAA.Shared.DLL]
Process: CCC.exe (PID: 2832) Address: 0x051a0000 Size: 28672

Object: Hidden Module [Name: CLI.Caste.Graphics.Shared.DLL]
Process: CCC.exe (PID: 2832) Address: 0x057b0000 Size: 69632

Object: Hidden Module [Name: ACE.Graphics.DisplaysManager.Shared.DLL]
Process: CCC.exe (PID: 2832) Address: 0x057f0000 Size: 36864

Object: Hidden Module [Name: DEM.OS.I0602.DLL]
Process: CCC.exe (PID: 2832) Address: 0x05940000 Size: 28672

Object: Hidden Module [Name: DEM.Graphics.I0709.dll]
Process: CCC.exe (PID: 2832) Address: 0x05960000 Size: 28672

Object: Hidden Module [Name: DEM.OS.DLL]
Process: CCC.exe (PID: 2832) Address: 0x05950000 Size: 28672

Object: Hidden Module [Name: CLI.Caste.Graphics.Runtime.DLL]
Process: CCC.exe (PID: 2832) Address: 0x05dc0000 Size: 299008

Object: Hidden Module [Name: AEM.Plugin.GD.Shared.DLL]
Process: CCC.exe (PID: 2832) Address: 0x05e10000 Size: 28672

Object: Hidden Module [Name: DEM.Graphics.I0804.dll]
Process: CCC.exe (PID: 2832) Address: 0x05f60000 Size: 28672

Object: Hidden Module [Name: ATIDEMOS.DLL]
Process: CCC.exe (PID: 2832) Address: 0x05f20000 Size: 94208

Object: Hidden Module [Name: CLI.Aspect.HotkeysHandling.Graphics.Shared.DLL]
Process: CCC.exe (PID: 2832) Address: 0x05fe0000 Size: 28672

Object: Hidden Module [Name: CLI.Aspect.HotkeysHandling.Graphics.Runtime.DLL]
Process: CCC.exe (PID: 2832) Address: 0x05fc0000 Size: 28672

Object: Hidden Module [Name: CLI.Aspect.DeviceCV.Graphics.Runtime.DLL]
Process: CCC.exe (PID: 2832) Address: 0x05ff0000 Size: 77824

Object: Hidden Module [Name: CLI.Caste.Graphics.Runtime.Shared.Private.DLL]
Process: CCC.exe (PID: 2832) Address: 0x06010000 Size: 28672

Object: Hidden Module [Name: CLI.Aspect.DeviceCV.Graphics.Shared.DLL]
Process: CCC.exe (PID: 2832) Address: 0x06030000 Size: 53248

Object: Hidden Module [Name: CLI.Aspect.CustomFormats.Graphics.Shared.DLL]
Process: CCC.exe (PID: 2832) Address: 0x06140000 Size: 36864

Object: Hidden Module [Name: CLI.Aspect.DeviceProperty.Graphics.Shared.DLL]
Process: CCC.exe (PID: 2832) Address: 0x061a0000 Size: 45056

Object: Hidden Module [Name: DEM.Graphics.I0805.dll]
Process: CCC.exe (PID: 2832) Address: 0x06180000 Size: 28672

Object: Hidden Module [Name: CLI.Aspect.DeviceProperty.Graphics.Runtime.DLL]
Process: CCC.exe (PID: 2832) Address: 0x06170000 Size: 45056

Object: Hidden Module [Name: DEM.Graphics.I0706.DLL]
Process: CCC.exe (PID: 2832) Address: 0x06190000 Size: 28672

Object: Hidden Module [Name: CLI.Aspect.DeviceTV.Graphics.Runtime.DLL]
Process: CCC.exe (PID: 2832) Address: 0x061c0000 Size: 86016

Object: Hidden Module [Name: CLI.Aspect.MMVideo.Graphics.Wizard.DLL]
Process: CCC.exe (PID: 2832) Address: 0x08370000 Size: 413696

Object: Hidden Module [Name: CLI.Aspect.DisplaysColour2.Graphics.Shared.DLL]
Process: CCC.exe (PID: 2832) Address: 0x06320000 Size: 36864

Object: Hidden Module [Name: CLI.Aspect.DisplaysColour2.Graphics.Runtime.DLL]
Process: CCC.exe (PID: 2832) Address: 0x06310000 Size: 53248

Object: Hidden Module [Name: CLI.Aspect.DisplaysOptions.Graphics.Runtime.DLL]
Process: CCC.exe (PID: 2832) Address: 0x06330000 Size: 45056

Object: Hidden Module [Name: CLI.Aspect.DeviceCRT.Graphics.Runtime.DLL]
Process: CCC.exe (PID: 2832) Address: 0x06370000 Size: 53248

Object: Hidden Module [Name: CLI.Aspect.DisplaysOptions.Graphics.Shared.DLL]
Process: CCC.exe (PID: 2832) Address: 0x06360000 Size: 36864

Object: Hidden Module [Name: CLI.Aspect.DeviceCRT.Graphics.Shared.DLL]
Process: CCC.exe (PID: 2832) Address: 0x06380000 Size: 61440

Object: Hidden Module [Name: CLI.Aspect.DeviceDFP.Graphics.Shared.DLL]
Process: CCC.exe (PID: 2832) Address: 0x06710000 Size: 61440

Object: Hidden Module [Name: CLI.Aspect.DeviceLCD.Graphics.Shared.DLL]
Process: CCC.exe (PID: 2832) Address: 0x066e0000 Size: 36864

Object: Hidden Module [Name: CLI.Aspect.DeviceLCD.Graphics.Runtime.DLL]
Process: CCC.exe (PID: 2832) Address: 0x066d0000 Size: 45056

Object: Hidden Module [Name: CLI.Aspect.DeviceDFP.Graphics.Runtime.DLL]
Process: CCC.exe (PID: 2832) Address: 0x066f0000 Size: 69632

Object: Hidden Module [Name: DEM.Graphics.I0712.dll]
Process: CCC.exe (PID: 2832) Address: 0x06720000 Size: 28672

Object: Hidden Module [Name: CLI.Aspect.MMVideo.Graphics.Runtime.DLL]
Process: CCC.exe (PID: 2832) Address: 0x06db0000 Size: 94208

Object: Hidden Module [Name: CLI.Aspect.Radeon3D.Graphics.Runtime.DLL]
Process: CCC.exe (PID: 2832) Address: 0x06c40000 Size: 69632

Object: Hidden Module [Name: CLI.Aspect.Radeon3D.Graphics.Shared.DLL]
Process: CCC.exe (PID: 2832) Address: 0x06c70000 Size: 61440

Object: Hidden Module [Name: CLI.Aspect.PowerPlayDPPE.Graphics.Shared.DLL]
Process: CCC.exe (PID: 2832) Address: 0x06df0000 Size: 36864

Object: Hidden Module [Name: CLI.Aspect.MMVideo.Graphics.Shared.DLL]
Process: CCC.exe (PID: 2832) Address: 0x06dd0000 Size: 61440

Object: Hidden Module [Name: CLI.Aspect.PowerPlayDPPE.Graphics.Runtime.DLL]
Process: CCC.exe (PID: 2832) Address: 0x06de0000 Size: 53248

Object: Hidden Module [Name: APM.Server.DLL]
Process: CCC.exe (PID: 2832) Address: 0x06e00000 Size: 69632

Object: Hidden Module [Name: APM.Foundation.DLL]
Process: CCC.exe (PID: 2832) Address: 0x06e20000 Size: 28672

Object: Hidden Module [Name: CLI.Component.Runtime.Extension.EEU.DLL]
Process: CCC.exe (PID: 2832) Address: 0x06fa0000 Size: 28672

Object: Hidden Module [Name: CLI.Component.Dashboard.Shared.DLL]
Process: CCC.exe (PID: 2832) Address: 0x075b0000 Size: 28672

Object: Hidden Module [Name: CLI.Component.Client.Shared.Private.DLL]
Process: CCC.exe (PID: 2832) Address: 0x07370000 Size: 53248

Object: Hidden Module [Name: CLI.Component.Systemtray.DLL]
Process: CCC.exe (PID: 2832) Address: 0x072e0000 Size: 552960

Object: Hidden Module [Name: CLI.Component.Client.Shared.DLL]
Process: CCC.exe (PID: 2832) Address: 0x073a0000 Size: 28672

Object: Hidden Module [Name: AEM.Plugin.EEU.Shared.DLL]
Process: CCC.exe (PID: 2832) Address: 0x07380000 Size: 28672

Object: Hidden Module [Name: CLI.Component.Wizard.Shared.DLL]
Process: CCC.exe (PID: 2832) Address: 0x073b0000 Size: 28672

Object: Hidden Module [Name: CLI.Component.Wizard.DLL]
Process: CCC.exe (PID: 2832) Address: 0x074f0000 Size: 413696

Object: Hidden Module [Name: CLI.Component.Wizard.Shared.Private.DLL]
Process: CCC.exe (PID: 2832) Address: 0x073e0000 Size: 36864

Object: Hidden Module [Name: Branding.dll]
Process: CCC.exe (PID: 2832) Address: 0x073d0000 Size: 28672

Object: Hidden Module [Name: CLI.Aspect.TransCode.Graphics.Shared.DLL]
Process: CCC.exe (PID: 2832) Address: 0x07560000 Size: 53248

Object: Hidden Module [Name: atixclib.DLL]
Process: CCC.exe (PID: 2832) Address: 0x07570000 Size: 28672

Object: Hidden Module [Name: CLI.Caste.HydraVision.Wizard.DLL]
Process: CCC.exe (PID: 2832) Address: 0x07590000 Size: 28672

Object: Hidden Module [Name: CLI.Caste.Graphics.Wizard.DLL]
Process: CCC.exe (PID: 2832) Address: 0x07bf0000 Size: 53248

Object: Hidden Module [Name: CLI.Component.Dashboard.Shared.Private.DLL]
Process: CCC.exe (PID: 2832) Address: 0x07bd0000 Size: 28672

Object: Hidden Module [Name: System.Web.dll]
Process: CCC.exe (PID: 2832) Address: 0x076c0000 Size: 5255168

Object: Hidden Module [Name: CLI.Caste.Graphics.Dashboard.Shared.DLL]
Process: CCC.exe (PID: 2832) Address: 0x07be0000 Size: 28672

Object: Hidden Module [Name: CLI.Aspect.TransCode.Graphics.Wizard.DLL]
Process: CCC.exe (PID: 2832) Address: 0x07c10000 Size: 479232

Object: Hidden Module [Name: CLI.Caste.Graphics.Wizard.Shared.DLL]
Process: CCC.exe (PID: 2832) Address: 0x07c00000 Size: 28672

Object: Hidden Module [Name: CLI.Aspect.Radeon3D.Graphics.Wizard.DLL]
Process: CCC.exe (PID: 2832) Address: 0x07c90000 Size: 102400

Object: Hidden Module [Name: CLI.Caste.Graphics.Dashboard.DLL]
Process: CCC.exe (PID: 2832) Address: 0x07f60000 Size: 86016

Object: Hidden Module [Name: CLI.Aspect.InfoCentre.Graphics.Wizard.DLL]
Process: CCC.exe (PID: 2832) Address: 0x08080000 Size: 217088

Object: Hidden Module [Name: CLI.Aspect.DisplaysManager.Graphics.Wizard.DLL]
Process: CCC.exe (PID: 2832) Address: 0x081d0000 Size: 1699840

Object: Hidden Module [Name: CLI.Aspect.DisplaysManager.Graphics.Dashboard.DLL]
Process: CCC.exe (PID: 2832) Address: 0x08910000 Size: 724992

Object: Hidden Module [Name: CLI.Aspect.Welcome.Graphics.Dashboard.DLL]
Process: CCC.exe (PID: 2832) Address: 0x08720000 Size: 151552

Object: Hidden Module [Name: CLI.Aspect.HydraVision.Wizard.DLL]
Process: CCC.exe (PID: 2832) Address: 0x085a0000 Size: 315392

Object: Hidden Module [Name: CLI.Aspect.DeviceTV.Graphics.Wizard.DLL]
Process: CCC.exe (PID: 2832) Address: 0x083e0000 Size: 372736

Object: Hidden Module [Name: CLI.Aspect.DeviceCV.Graphics.Wizard.DLL]
Process: CCC.exe (PID: 2832) Address: 0x084f0000 Size: 700416

Object: Hidden Module [Name: CLI.Component.Dashboard.DLL]
Process: CCC.exe (PID: 2832) Address: 0x085f0000 Size: 1085440

Object: Hidden Module [Name: CLI.Aspect.DisplaysOptions.Graphics.Dashboard.DLL]
Process: CCC.exe (PID: 2832) Address: 0x08790000 Size: 135168

Object: Hidden Module [Name: CLI.Aspect.InfoCentre.Graphics.Dashboard.DLL]
Process: CCC.exe (PID: 2832) Address: 0x08750000 Size: 233472

Object: Hidden Module [Name: CLI.Caste.HydraVision.Dashboard.DLL]
Process: CCC.exe (PID: 2832) Address: 0x087e0000 Size: 28672

Object: Hidden Module [Name: CLI.Aspect.Radeon3D.Graphics.Dashboard.DLL]
Process: CCC.exe (PID: 2832) Address: 0x08dc0000 Size: 389120

Object: Hidden Module [Name: CLI.Aspect.DeviceCV.Graphics.Dashboard.DLL]
Process: CCC.exe (PID: 2832) Address: 0x08af0000 Size: 684032

Object: Hidden Module [Name: CLI.Aspect.DeviceCRT.Graphics.Dashboard.DLL]
Process: CCC.exe (PID: 2832) Address: 0x089d0000 Size: 446464

Object: Hidden Module [Name: CLI.Aspect.DeviceTV.Graphics.Dashboard.DLL]
Process: CCC.exe (PID: 2832) Address: 0x08c70000 Size: 806912

Object: Hidden Module [Name: CLI.Aspect.DeviceDFP.Graphics.Dashboard.DLL]
Process: CCC.exe (PID: 2832) Address: 0x08d40000 Size: 462848

Object: Hidden Module [Name: CLI.Aspect.DisplaysColour2.Graphics.Dashboard.DLL]
Process: CCC.exe (PID: 2832) Address: 0x08e20000 Size: 602112

Object: Hidden Module [Name: CLI.Aspect.MMVideo.Graphics.Dashboard.DLL]
Process: CCC.exe (PID: 2832) Address: 0x08f90000 Size: 823296

Object: Hidden Code [ETHREAD: 0x84386030]
Process: System Address: 0x8ac65298 Size: -

Object: Hidden Code [ETHREAD: 0x84389020]
Process: System Address:

Hidden Services
-------------------
Service Name: gxvxcserv.sys
Image Path: C:\Windows\system32\drivers\gxvxciftyiwodtpeokbtkavvvnvygpmfbssqv.sys

#6
Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Open RootRepeal, click the Driver tab, click Scan. Right click and select Force Delete on this

gxvxciftyiwodtpeokbtkavvvnvygpmfbssqv.sys


click the hidden file tab, click Scan. Right click and select Force Delete on these

C:\Windows\system32\drivers\gxvxciftyiwodtpeokbtkavvvnvygpmfbssqv.sys
C:\Windows\System32\gxvxccounter
C:\Windows\System32\gxvxcxjfegxtdpfvwiwemnxrhbpisbpsplndo.dll
C:\Windows\System32\drivers\gxvxciftyiwodtpeokbtkavvvnvygpmfbssqv.sys


click the Hidden Services tab, click Scan. Right click and select Force Delete on this

gxvxcserv.sys


Reboot and post a new RootRepeal log

#7
stekun

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Thanks. Everything force deleted fine except the one in Hidden Services. I keep getting errors when I try to force delete it. I have already noticed some of the symptoms improve though, so that's a good sign!

Here's my new RootRepeal log.

ROOTREPEAL © AD, 2007-2008
==================================================
Scan Time: 2009/04/20 23:08
Program Version: Version 1.2.3.0
Windows Version: Windows Vista SP1
==================================================

Drivers
-------------------
Name: cdfs.sys
Image Path: C:\Windows\system32\DRIVERS\cdfs.sys
Address: 0x900E5000 Size: 90112 File Visible: -
Status: Hidden from Windows API!

Name: dump_iaStorV.sys
Image Path: C:\Windows\System32\Drivers\dump_iaStorV.sys
Address: 0x90131000 Size: 659456 File Visible: No
Status: -

Name: fastfat.SYS
Image Path: C:\Windows\System32\Drivers\fastfat.SYS
Address: 0x9A7B0000 Size: 163840 File Visible: -
Status: Hidden from Windows API!

Name: Fs_Rec.SYS
Image Path: C:\Windows\System32\Drivers\Fs_Rec.SYS
Address: 0x8ED75000 Size: 36864 File Visible: -
Status: Hidden from Windows API!

Name: rootrepeal.sys
Image Path: C:\Windows\system32\drivers\rootrepeal.sys
Address: 0x9A7A5000 Size: 45056 File Visible: No
Status: -

Hidden/Locked Files
-------------------
Path: C:\System Volume Information\{43dc3c48-29ba-11de-9985-0019d139ee82}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{445b93f6-1ffe-11de-883b-0019d139ee82}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{445b9414-1ffe-11de-883b-0019d139ee82}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{0AD6B~1
Status: Locked to the Windows API!

Path: C:\System Volume Information\{0ad6beb3-242c-11de-8400-0019d139ee82}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{21c3fd4f-2120-11de-9f06-0019d139ee82}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{21c3fd69-2120-11de-9f06-0019d139ee82}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{21c3fd92-2120-11de-9f06-0019d139ee82}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{21c3fdb0-2120-11de-9f06-0019d139ee82}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{24404~1
Status: Locked to the Windows API!

Path: C:\System Volume Information\{24404181-2b7b-11de-9917-0019d139ee82}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{2440418d-2b7b-11de-9917-caff033ce74f}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{840fde8f-29fb-11de-9656-edd17930dcff}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{840fde95-29fb-11de-9656-edd17930dcff}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{840fde9e-29fb-11de-9656-edd17930dcff}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{a2228409-2827-11de-bf60-0019d139ee82}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{bb79c50f-25c8-11de-b183-0019d139ee82}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{bb79c549-25c8-11de-b183-0019d139ee82}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{bb79c592-25c8-11de-b183-0019d139ee82}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.762_none_9193a620671dde41.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.163_none_43f0c1d77830fb9e.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.42_none_58843c41d2730d3f.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.762_none_0c178a139ee2a7ed.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.openmp_1fc8b3b9a1e18e3b_8.0.50727.42_none_7658964504b9f3b6.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.openmp_1fc8b3b9a1e18e3b_8.0.50727.762_none_7b33aa7d218504d2.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.openmp_1fc8b3b9a1e18e3b_8.0.50727.762_none_abac38a907ee8801.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.42_none_5c4003bc63e949f6.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.openmp_1fc8b3b9a1e18e3b_8.0.50727.42_none_45e008191e507087.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.163_none_8a15b53c6beb8591.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.762_none_43efccf17831d131.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.9.0.microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.21022.8_none_60a5df56e60dc5df.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.163_none_0c187ef99ee1d25a.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.163_none_91949b06671d08ae.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.42_none_58b19c2866332652.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.762_none_11ecb0ab9b2caf3c.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.21022.8_none_bcb86ed6ac711f91.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.762_none_10b2f55f9bffb8f8.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.42_none_dc990e4797f81af1.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.762_none_8dd7dea5d5a7a18a.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.msxml2r_6bd6b9abf345378f_4.1.1.0_none_365945b9da656e4d.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.msxml2_6bd6b9abf345378f_4.20.9870.0_none_b7e00e6c7b30b69b.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.163_none_10b3ea459bfee365.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.762_none_8a14c0566bec5b24.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.42_none_db5f52fb98cb24ad.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.4.1.microsoft.msxml2r_6bd6b9abf345378f_4.1.1.0_none_8b7b15c031cda6db.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.4.20.microsoft.msxml2_6bd6b9abf345378f_4.20.9870.0_none_a6dea5dc0ea08098.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.762_none_8e053e8c6967ba9d.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6000.16830_none_2d5b556b1cf03df9\WINDOW~1.WAV
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6000.16830_none_2d5b556b1cf03df9\WINDOW~4.WAV
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6000.16830_none_2d5b556b1cf03df9\WINDOW~3.WAV
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6000.21023_none_2df29b2236034119\WINDOW~1.WAV
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6000.21023_none_2df29b2236034119\WINDOW~4.WAV
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6000.21023_none_2df29b2236034119\WINDOW~3.WAV
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6001.18000_none_2f62000919fe80c9\WINDOW~1.WAV
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6001.18000_none_2f62000919fe80c9\WINDOW~4.WAV
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6001.18000_none_2f62000919fe80c9\WINDOW~3.WAV
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6001.18226_none_2f5265b91a094b03\WINDOW~1.WAV
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6001.18226_none_2f5265b91a094b03\WINDOW~4.WAV
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6001.18226_none_2f5265b91a094b03\WINDOW~3.WAV
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6001.22389_none_2f9e23da3354de78\WINDOW~1.WAV
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6001.22389_none_2f9e23da3354de78\WINDOW~4.WAV
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6001.22389_none_2f9e23da3354de78\WINDOW~3.WAV
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_policy.1.2.microsof..op.security.azroles_31bf3856ad364e35_6.0.6000.16386_none_ea83414c2e75b887\Microsoft.Interop.Security.AzRoles.config
Status: Locked to the Windows API!

Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\SYSTEM~1.DLL
Status: Locked to the Windows API!

Path: C:\Windows\assembly\GAC_32\Policy.1.2.Microsoft.Interop.Security.AzRoles\6.0.6000.16386__31bf3856ad364e35\Microsoft.Interop.Security.AzRoles.config
Status: Locked to the Windows API!

Path: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl
Status: Locked to the Windows API!

Path: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Application.etl
Status: Locked to the Windows API!

Path: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl
Status: Locked to the Windows API!

Path: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl
Status: Locked to the Windows API!

Path: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTMsMpPsSession.etl
Status: Locked to the Windows API!

Path: C:\ProgramData\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\SystemIndex.48.gthr
Status: Allocation size mismatch (API: 8192, Raw: 4096)

Processes
-------------------
Path: System
PID: 4 Status: Locked to the Windows API!

Stealth Objects
-------------------
Object: Hidden Module [Name: winlogon.exe]
Process: svchost.exe (PID: 1136) Address: 0x02110000 Size: 323584

Object: Hidden Module [Name: winlogon.exe]
Process: svchost.exe (PID: 1136) Address: 0x02530000 Size: 323584

Object: Hidden Module [Name: tquery.dll]
Process: svchost.exe (PID: 1136) Address: 0x6b7b0000 Size: 1589248

Object: Hidden Module [Name: WinMgmtR.dll]
Process: svchost.exe (PID: 1136) Address: 0x6dbc0000 Size: 8192

Object: Hidden Module [Name: profsvc.dll]
Process: svchost.exe (PID: 1136) Address: 0x73dd0000 Size: 163840

Object: Hidden Module [Name: MpEvMsg.dll]
Process: svchost.exe (PID: 1136) Address: 0x73d80000 Size: 57344

Object: Hidden Module [Name: wevtapi.dll]
Process: svchost.exe (PID: 1136) Address: 0x750d0000 Size: 258048

Object: Hidden Module [Name: LOG.Foundation.Private.DLL]
Process: MOM.exe (PID: 2296) Address: 0x03d40000 Size: 45056

Object: Hidden Module [Name: MOM.Implementation.DLL]
Process: MOM.exe (PID: 2296) Address: 0x01bb0000 Size: 118784

Object: Hidden Module [Name: LOG.Foundation.DLL]
Process: MOM.exe (PID: 2296) Address: 0x01bd0000 Size: 45056

Object: Hidden Module [Name: MOM.Foundation.DLL]
Process: MOM.exe (PID: 2296) Address: 0x03d70000 Size: 28672

Object: Hidden Module [Name: LOG.Foundation.Implementation.DLL]
Process: MOM.exe (PID: 2296) Address: 0x03d50000 Size: 69632

Object: Hidden Module [Name: System.Runtime.Remoting.dll]
Process: MOM.exe (PID: 2296) Address: 0x03e30000 Size: 307200

Object: Hidden Module [Name: LOG.Foundation.Implementation.Private.DLL]
Process: MOM.exe (PID: 2296) Address: 0x03da0000 Size: 28672

Object: Hidden Module [Name: CCC.Implementation.DLL]
Process: MOM.exe (PID: 2296) Address: 0x04630000 Size: 36864

Object: Hidden Module [Name: NEWAEM.Foundation.DLL]
Process: MOM.exe (PID: 2296) Address: 0x04650000 Size: 36864

Object: Hidden Module [Name: System.Web.dll]
Process: MOM.exe (PID: 2296) Address: 0x05ca0000 Size: 5255168

Object: Hidden Module [Name: CLI.Foundation.DLL]
Process: CCC.exe (PID: 2876) Address: 0x00e60000 Size: 86016

Object: Hidden Module [Name: CCC.Implementation.DLL]
Process: CCC.exe (PID: 2876) Address: 0x00e20000 Size: 36864

Object: Hidden Module [Name: LOG.Foundation.DLL]
Process: CCC.exe (PID: 2876) Address: 0x00e40000 Size: 45056

Object: Hidden Module [Name: MOM.Foundation.DLL]
Process: CCC.exe (PID: 2876) Address: 0x00e50000 Size: 28672

Object: Hidden Module [Name: LOG.Foundation.Implementation.Private.DLL]
Process: CCC.exe (PID: 2876) Address: 0x00e80000 Size: 28672

Object: Hidden Module [Name: System.Runtime.Remoting.dll]
Process: CCC.exe (PID: 2876) Address: 0x00fc0000 Size: 307200

Object: Hidden Module [Name: LOG.Foundation.Implementation.DLL]
Process: CCC.exe (PID: 2876) Address: 0x00fa0000 Size: 69632

Object: Hidden Module [Name: LOG.Foundation.Private.DLL]
Process: CCC.exe (PID: 2876) Address: 0x01020000 Size: 45056

Object: Hidden Module [Name: CLI.Foundation.XManifest.DLL]
Process: CCC.exe (PID: 2876) Address: 0x03ec0000 Size: 36864

Object: Hidden Module [Name: CLI.Component.SkinFactory.DLL]
Process: CCC.exe (PID: 2876) Address: 0x03ea0000 Size: 69632

Object: Hidden Module [Name: MOM.Implementation.DLL]
Process: CCC.exe (PID: 2876) Address: 0x03e80000 Size: 118784

Object: Hidden Module [Name: CLI.Component.Runtime.Shared.Private.DLL]
Process: CCC.exe (PID: 2876) Address: 0x03fb0000 Size: 53248

Object: Hidden Module [Name: LOCALIZATION.Foundation.Private.DLL]
Process: CCC.exe (PID: 2876) Address: 0x03f60000 Size: 28672

Object: Hidden Module [Name: AxInterop.WBOCXLib.DLL]
Process: CCC.exe (PID: 2876) Address: 0x03f70000 Size: 36864

Object: Hidden Module [Name: CLI.Component.Runtime.DLL]
Process: CCC.exe (PID: 2876) Address: 0x03f90000 Size: 86016

Object: Hidden Module [Name: CLI.Component.Runtime.Shared.DLL]
Process: CCC.exe (PID: 2876) Address: 0x03fd0000 Size: 28672

Object: Hidden Module [Name: CLI.Foundation.Private.DLL]
Process: CCC.exe (PID: 2876) Address: 0x03fc0000 Size: 53248

Object: Hidden Module [Name: AEM.Server.DLL]
Process: CCC.exe (PID: 2876) Address: 0x03ff0000 Size: 53248

Object: Hidden Module [Name: ATICCCom.DLL]
Process: CCC.exe (PID: 2876) Address: 0x03fe0000 Size: 45056

Object: Hidden Module [Name: NEWAEM.Foundation.DLL]
Process: CCC.exe (PID: 2876) Address: 0x04680000 Size: 36864

Object: Hidden Module [Name: AEM.Server.Shared.DLL]
Process: CCC.exe (PID: 2876) Address: 0x04970000 Size: 28672

Object: Hidden Module [Name: Interop.WBOCXLib.DLL]
Process: CCC.exe (PID: 2876) Address: 0x04830000 Size: 36864

Object: Hidden Module [Name: LOCALIZATION.Foundation.Implementation.DLL]
Process: CCC.exe (PID: 2876) Address: 0x04860000 Size: 36864

Object: Hidden Module [Name: AEM.Plugin.DPPE.Shared.DLL]
Process: CCC.exe (PID: 2876) Address: 0x049b0000 Size: 28672

Object: Hidden Module [Name: AEM.Plugin.Source.Kit.Server.DLL]
Process: CCC.exe (PID: 2876) Address: 0x04990000 Size: 53248

Object: Hidden Module [Name: AEM.Plugin.Hotkeys.Shared.DLL]
Process: CCC.exe (PID: 2876) Address: 0x049c0000 Size: 28672

Object: Hidden Module [Name: AEM.Plugin.WinMessages.Shared.DLL]
Process: CCC.exe (PID: 2876) Address: 0x049e0000 Size: 28672

Object: Hidden Module [Name: DEM.Graphics.I0601.DLL]
Process: CCC.exe (PID: 2876) Address: 0x04a10000 Size: 53248

Object: Hidden Module [Name: DEM.Foundation.DLL]
Process: CCC.exe (PID: 2876) Address: 0x04a20000 Size: 28672

Object: Hidden Module [Name: DEM.Graphics.DLL]
Process: CCC.exe (PID: 2876) Address: 0x04a30000 Size: 28672

Object: Hidden Module [Name: DEM.Graphics.I0709.dll]
Process: CCC.exe (PID: 2876) Address: 0x05520000 Size: 28672

Object: Hidden Module [Name: ATIDEMGX.dll]
Process: CCC.exe (PID: 2876) Address: 0x04c70000 Size: 454656

Object: Hidden Module [Name: CLI.Caste.HydraVision.Runtime.DLL]
Process: CCC.exe (PID: 2876) Address: 0x04b60000 Size: 36864

Object: Hidden Module [Name: CLI.Caste.HydraVision.Shared.DLL]
Process: CCC.exe (PID: 2876) Address: 0x04e40000 Size: 28672

Object: Hidden Module [Name: AEM.Actions.CCAA.Shared.DLL]
Process: CCC.exe (PID: 2876) Address: 0x04f60000 Size: 28672

Object: Hidden Module [Name: CLI.Caste.Graphics.Shared.DLL]
Process: CCC.exe (PID: 2876) Address: 0x04f70000 Size: 69632

Object: Hidden Module [Name: DEM.OS.I0602.DLL]
Process: CCC.exe (PID: 2876) Address: 0x04fb0000 Size: 28672

Object: Hidden Module [Name: ACE.Graphics.DisplaysManager.Shared.DLL]
Process: CCC.exe (PID: 2876) Address: 0x04fa0000 Size: 36864

Object: Hidden Module [Name: DEM.OS.DLL]
Process: CCC.exe (PID: 2876) Address: 0x05510000 Size: 28672

Object: Hidden Module [Name: CLI.Caste.Graphics.Runtime.DLL]
Process: CCC.exe (PID: 2876) Address: 0x054c0000 Size: 299008

Object: Hidden Module [Name: AEM.Plugin.GD.Shared.DLL]
Process: CCC.exe (PID: 2876) Address: 0x05540000 Size: 28672

Object: Hidden Module [Name: ATIDEMOS.DLL]
Process: CCC.exe (PID: 2876) Address: 0x05550000 Size: 94208

Object: Hidden Module [Name: DEM.Graphics.I0804.dll]
Process: CCC.exe (PID: 2876) Address: 0x055d0000 Size: 28672

Object: Hidden Module [Name: CLI.Aspect.DeviceProperty.Graphics.Runtime.DLL]
Process: CCC.exe (PID: 2876) Address: 0x05800000 Size: 45056

Object: Hidden Module [Name: CLI.Aspect.HotkeysHandling.Graphics.Shared.DLL]
Process: CCC.exe (PID: 2876) Address: 0x05630000 Size: 28672

Object: Hidden Module [Name: CLI.Aspect.HotkeysHandling.Graphics.Runtime.DLL]
Process: CCC.exe (PID: 2876) Address: 0x05620000 Size: 28672

Object: Hidden Module [Name: CLI.Aspect.DeviceCV.Graphics.Runtime.DLL]
Process: CCC.exe (PID: 2876) Address: 0x05640000 Size: 77824

Object: Hidden Module [Name: CLI.Aspect.CustomFormats.Graphics.Shared.DLL]
Process: CCC.exe (PID: 2876) Address: 0x057e0000 Size: 36864

Object: Hidden Module [Name: CLI.Caste.Graphics.Runtime.Shared.Private.DLL]
Process: CCC.exe (PID: 2876) Address: 0x057c0000 Size: 28672

Object: Hidden Module [Name: CLI.Aspect.DeviceCV.Graphics.Shared.DLL]
Process: CCC.exe (PID: 2876) Address: 0x057d0000 Size: 53248

Object: Hidden Module [Name: DEM.Graphics.I0706.DLL]
Process: CCC.exe (PID: 2876) Address: 0x05820000 Size: 28672

Object: Hidden Module [Name: DEM.Graphics.I0805.dll]
Process: CCC.exe (PID: 2876) Address: 0x05810000 Size: 28672

Object: Hidden Module [Name: CLI.Aspect.DeviceProperty.Graphics.Shared.DLL]
Process: CCC.exe (PID: 2876) Address: 0x05830000 Size: 45056

Object: Hidden Module [Name: CLI.Aspect.DeviceTV.Graphics.Runtime.DLL]
Process: CCC.exe (PID: 2876) Address: 0x05850000 Size: 86016

Object: Hidden Module [Name: CLI.Aspect.DisplaysColour2.Graphics.Shared.DLL]
Process: CCC.exe (PID: 2876) Address: 0x058c0000 Size: 36864

Object: Hidden Module [Name: CLI.Aspect.DisplaysColour2.Graphics.Runtime.DLL]
Process: CCC.exe (PID: 2876) Address: 0x058b0000 Size: 53248

Object: Hidden Module [Name: CLI.Aspect.DeviceTV.Graphics.Shared.DLL]
Process: CCC.exe (PID: 2876) Address: 0x05890000 Size: 77824

Object: Hidden Module [Name: CLI.Aspect.DisplaysOptions.Graphics.Runtime.DLL]
Process: CCC.exe (PID: 2876) Address: 0x058d0000 Size: 45056

Object: Hidden Module [Name: CLI.Aspect.DeviceCRT.Graphics.Shared.DLL]
Process: CCC.exe (PID: 2876) Address: 0x05920000 Size: 61440

Object: Hidden Module [Name: CLI.Aspect.DisplaysOptions.Graphics.Shared.DLL]
Process: CCC.exe (PID: 2876) Address: 0x05900000 Size: 36864

Object: Hidden Module [Name: CLI.Aspect.DeviceCRT.Graphics.Runtime.DLL]
Process: CCC.exe (PID: 2876) Address: 0x05910000 Size: 53248

Object: Hidden Module [Name: CLI.Aspect.DeviceLCD.Graphics.Runtime.DLL]
Process: CCC.exe (PID: 2876) Address: 0x05950000 Size: 45056

Object: Hidden Module [Name: DEM.Graphics.I0712.dll]
Process: CCC.exe (PID: 2876) Address: 0x059d0000 Size: 28672

Object: Hidden Module [Name: CLI.Aspect.DeviceDFP.Graphics.Runtime.DLL]
Process: CCC.exe (PID: 2876) Address: 0x059a0000 Size: 69632

Object: Hidden Module [Name: CLI.Aspect.DeviceLCD.Graphics.Shared.DLL]
Process: CCC.exe (PID: 2876) Address: 0x05990000 Size: 36864

Object: Hidden Module [Name: CLI.Aspect.DeviceDFP.Graphics.Shared.DLL]
Process: CCC.exe (PID: 2876) Address: 0x059c0000 Size: 61440

Object: Hidden Module [Name: CLI.Aspect.Radeon3D.Graphics.Shared.DLL]
Process: CCC.exe (PID: 2876) Address: 0x05e60000 Size: 61440

Object: Hidden Module [Name: CLI.Aspect.Radeon3D.Graphics.Runtime.DLL]
Process: CCC.exe (PID: 2876) Address: 0x05e40000 Size: 69632

Object: Hidden Module [Name: CLI.Aspect.MMVideo.Graphics.Runtime.DLL]
Process: CCC.exe (PID: 2876) Address: 0x05e90000 Size: 94208

Object: Hidden Module [Name: CLI.Aspect.PowerPlayDPPE.Graphics.Runtime.DLL]
Process: CCC.exe (PID: 2876) Address: 0x060d0000 Size: 53248

Object: Hidden Module [Name: CLI.Aspect.MMVideo.Graphics.Shared.DLL]
Process: CCC.exe (PID: 2876) Address: 0x060c0000 Size: 61440

Object: Hidden Module [Name: CLI.Aspect.PowerPlayDPPE.Graphics.Shared.DLL]
Process: CCC.exe (PID: 2876) Address: 0x060e0000 Size: 36864

Object: Hidden Module [Name: APM.Foundation.DLL]
Process: CCC.exe (PID: 2876) Address: 0x06210000 Size: 28672

Object: Hidden Module [Name: APM.Server.DLL]
Process: CCC.exe (PID: 2876) Address: 0x061f0000 Size: 69632

Object: Hidden Module [Name: AEM.Plugin.EEU.Shared.DLL]
Process: CCC.exe (PID: 2876) Address: 0x06240000 Size: 28672

Object: Hidden Module [Name: CLI.Component.Runtime.Extension.EEU.DLL]
Process: CCC.exe (PID: 2876) Address: 0x06280000 Size: 28672

Object: Hidden Module [Name: CLI.Component.Client.Shared.DLL]
Process: CCC.exe (PID: 2876) Address: 0x062f0000 Size: 28672

Object: Hidden Module [Name: CLI.Component.Client.Shared.Private.DLL]
Process: CCC.exe (PID: 2876) Address: 0x062e0000 Size: 53248

Object: Hidden Module [Name: CLI.Component.Wizard.Shared.DLL]
Process: CCC.exe (PID: 2876) Address: 0x06300000 Size: 28672

Object: Hidden Module [Name: CLI.Component.Wizard.Shared.Private.DLL]
Process: CCC.exe (PID: 2876) Address: 0x06430000 Size: 36864

Object: Hidden Module [Name: CLI.Caste.Graphics.Wizard.DLL]
Process: CCC.exe (PID: 2876) Address: 0x06420000 Size: 53248

Object: Hidden Module [Name: CLI.Caste.Graphics.Wizard.Shared.DLL]
Process: CCC.exe (PID: 2876) Address: 0x068c0000 Size: 28672

Object: Hidden Module [Name: CLI.Component.Wizard.DLL]
Process: CCC.exe (PID: 2876) Address: 0x06550000 Size: 413696

Object: Hidden Module [Name: CLI.Aspect.Radeon3D.Graphics.Wizard.DLL]
Process: CCC.exe (PID: 2876) Address: 0x068e0000 Size: 102400

Object: Hidden Module [Name: Branding.dll]
Process: CCC.exe (PID: 2876) Address: 0x068d0000 Size: 28672

Object: Hidden Module [Name: CLI.Aspect.TransCode.Graphics.Shared.DLL]
Process: CCC.exe (PID: 2876) Address: 0x06910000 Size: 53248

Object: Hidden Module [Name: atixclib.DLL]
Process: CCC.exe (PID: 2876) Address: 0x06920000 Size: 28672

Object: Hidden Module [Name: CLI.Aspect.InfoCentre.Graphics.Wizard.DLL]
Process: CCC.exe (PID: 2876) Address: 0x06a30000 Size: 217088

Object: Hidden Module [Name: CLI.Aspect.HydraVision.Wizard.DLL]
Process: CCC.exe (PID: 2876) Address: 0x07df0000 Size: 315392

Object: Hidden Module [Name: CLI.Component.Systemtray.DLL]
Process: CCC.exe (PID: 2876) Address: 0x072e0000 Size: 552960

Object: Hidden Module [Name: CLI.Aspect.DeviceTV.Graphics.Wizard.DLL]
Process: CCC.exe (PID: 2876) Address: 0x06f80000 Size: 372736

Object: Hidden Module [Name: CLI.Caste.HydraVision.Wizard.DLL]
Process: CCC.exe (PID: 2876) Address: 0x07370000 Size: 28672

Object: Hidden Module [Name: System.Web.dll]
Process: CCC.exe (PID: 2876) Address: 0x07830000 Size: 5255168

Object: Hidden Module [Name: CLI.Aspect.MMVideo.Graphics.Wizard.DLL]
Process: CCC.exe (PID: 2876) Address: 0x07610000 Size: 413696

Object: Hidden Module [Name: CLI.Aspect.TransCode.Graphics.Wizard.DLL]
Process: CCC.exe (PID: 2876) Address: 0x07590000 Size: 479232

Object: Hidden Module [Name: CLI.Aspect.DeviceCV.Graphics.Wizard.DLL]
Process: CCC.exe (PID: 2876) Address: 0x07d40000 Size: 700416

Object: Hidden Module [Name: CLI.Aspect.DisplaysManager.Graphics.Wizard.DLL]
Process: CCC.exe (PID: 2876) Address: 0x08570000 Size: 1699840

Object: Hidden Module [Name: CLI.Component.Dashboard.Shared.Private.DLL]
Process: CCC.exe (PID: 2876) Address: 0x07e40000 Size: 28672

Object: Hidden Module [Name: CLI.Caste.Graphics.Dashboard.Shared.DLL]
Process: CCC.exe (PID: 2876) Address: 0x07e50000 Size: 28672

Object: Hidden Module [Name: CLI.Caste.Graphics.Dashboard.DLL]
Process: CCC.exe (PID: 2876) Address: 0x07f80000 Size: 86016

Object: Hidden Module [Name: CLI.Aspect.InfoCentre.Graphics.Dashboard.DLL]
Process: CCC.exe (PID: 2876) Address: 0x08100000 Size: 233472

Object: Hidden Module [Name: CLI.Aspect.Welcome.Graphics.Dashboard.DLL]
Process: CCC.exe (PID: 2876) Address: 0x080d0000 Size: 151552

Object: Hidden Module [Name: CLI.Component.Dashboard.Shared.DLL]
Process: CCC.exe (PID: 2876) Address: 0x080c0000 Size: 28672

Object: Hidden Module [Name: CLI.Caste.HydraVision.Dashboard.DLL]
Process: CCC.exe (PID: 2876) Address: 0x08180000 Size: 28672

Object: Hidden Module [Name: CLI.Aspect.DisplaysOptions.Graphics.Dashboard.DLL]
Process: CCC.exe (PID: 2876) Address: 0x08140000 Size: 135168

Object: Hidden Module [Name: CLI.Aspect.DeviceCV.Graphics.Dashboard.DLL]
Process: CCC.exe (PID: 2876) Address: 0x08dd0000 Size: 684032

Object: Hidden Module [Name: CLI.Aspect.DeviceCRT.Graphics.Dashboard.DLL]
Process: CCC.exe (PID: 2876) Address: 0x08b40000 Size: 446464

Object: Hidden Module [Name: CLI.Component.Dashboard.DLL]
Process: CCC.exe (PID: 2876) Address: 0x08820000 Size: 1085440

Object: Hidden Module [Name: CLI.Aspect.DisplaysManager.Graphics.Dashboard.DLL]
Process: CCC.exe (PID: 2876) Address: 0x08930000 Size: 724992

Object: Hidden Module [Name: CLI.Aspect.Radeon3D.Graphics.Dashboard.DLL]
Process: CCC.exe (PID: 2876) Address: 0x08c60000 Size: 389120

Object: Hidden Module [Name: CLI.Aspect.DeviceDFP.Graphics.Dashboard.DLL]
Process: CCC.exe (PID: 2876) Address: 0x09020000 Size: 462848

Object: Hidden Module [Name: CLI.Aspect.DeviceTV.Graphics.Dashboard.DLL]
Process: CCC.exe (PID: 2876) Address: 0x08f50000 Size: 806912

Object: Hidden Module [Name: CLI.Aspect.DisplaysColour2.Graphics.Dashboard.DLL]
Process: CCC.exe (PID: 2876) Address: 0x090a0000 Size: 602112

Object: Hidden Module [Name: CLI.Aspect.MMVideo.Graphics.Dashboard.DLL]
Process: CCC.exe (PID: 2876) Address: 0x09210000 Size: 823296

Object: Hidden Code [ETHREAD: 0x84386030]
Process: System Address: 0x8ac54438 Size: -

Object: Hidden Code [ETHREAD: 0x84389020]
Process: System Address: 0x8d15c198 Size: -

Object: Hidden Code [ETHREAD: 0x84389d78]
Process: System Address: 0x84389f6c Size: -

Object: Hidden Code [ETHREAD: 0x84389ad0]
Process: System Address: 0x84389cc4 Size: -

Object: Hidden Code [ETHREAD: 0x84389828]
Process: System Address: 0x84389a1c Size: -

Object: Hidden Code [ETHREAD: 0x84389580]
Process: System Address: 0x92b6c460 Size: -

Object: Hidden Code [ETHREAD: 0x843892d8]
Process: System Address: 0xa158fcf0 Size: -

Hidden Services
-------------------
Service Name: gxvxcserv.sys
Image Path: C:\Windows\system32\drivers\gxvxciftyiwodtpeokbtkavvvnvygpmfbssqv.sys

#8
Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
hello

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**
  • If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".
  • During the download, rename Combofix to Combo-Fix as follows:

  • It is important you rename Combofix during the download, but not after.
  • Please do not rename Combofix to other names, but only to the one indicated.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\Combo-Fix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**

#9
stekun

    New Member

  • Topic Starter
  • Member
  • 9 posts
Here's my ComboFix log:

ComboFix 09-04-22.03 - Steve 2/2009 Wed 0:32.1 - NTFSx86
Running from: c:\users\Steve\Desktop\Combo-Fix.exe
AV: BitDefender Antivirus *On-access scanning disabled* (Outdated)
AV: McAfee VirusScan Enterprise *On-access scanning disabled* (Updated)
FW: BitDefender Firewall *disabled*
* Created a new restore point
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\recycler\S-8-7-77-100008278-100014811-100009287-2003.com
c:\windows\TEMP\logishrd\LVPrcInj01.dll
d:\recycler\Desktop.ini
d:\recycler\Folder.htt
d:\recycler\Protect.ed
d:\recycler\S-1-4-52-100032102-100002834-100029395-2201.com
d:\recycler\S-8-7-77-100008278-100014811-100009287-2003.com
d:\recycler\Warning.bmp
L:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2009-03-22 to 2009-04-22 )))))))))))))))))))))))))))))))
.

2009-04-19 02:27 . 2009-04-19 02:28 -------- d-----w C:\Rooter$
2009-04-18 22:59 . 2009-04-19 02:19 81984 ----a-w c:\windows\system32\bdod.bin
2009-04-18 21:33 . 2009-04-18 21:33 -------- d-----w c:\users\All Users\WindowsSearch
2009-04-18 21:33 . 2009-04-18 21:33 -------- d-----w c:\programdata\WindowsSearch
2009-04-18 21:20 . 2009-04-18 21:20 850 ----a-w c:\windows\system32\ProductTweaks.xml
2009-04-18 21:20 . 2009-04-18 21:20 385 ----a-w c:\windows\system32\user_gensett.xml
2009-04-18 17:43 . 2009-04-19 01:36 680 ----a-w c:\users\Steve\AppData\Local\d3d9caps.dat
2009-04-18 17:25 . 2009-04-18 17:27 -------- d-----w c:\users\Steve\AppData\Roaming\GetRightToGo
2009-04-18 17:04 . 2009-04-18 17:04 -------- d-----w c:\windows\system32\logs
2009-04-18 17:04 . 2009-04-18 17:04 -------- d-----w c:\users\Steve\AppData\Roaming\BitDefender
2009-04-18 17:04 . 2009-04-18 17:07 -------- d-----w c:\users\All Users\BitDefender
2009-04-18 17:04 . 2009-04-18 17:07 -------- d-----w c:\programdata\BitDefender
2009-04-18 17:03 . 2009-04-18 17:03 -------- d-----w c:\windows\system32\URTTEMP
2009-04-18 13:30 . 2009-04-18 13:31 219287319 ----a-w c:\windows\MEMORY.DMP
2009-04-16 02:59 . 2009-04-18 04:39 -------- d-----w c:\users\All Users\RapidSolution
2009-04-16 02:59 . 2009-04-18 04:39 -------- d-----w c:\programdata\RapidSolution
2009-04-16 02:56 . 2009-04-13 18:52 16640 ----a-w c:\windows\system32\drivers\WsAudio_DeviceS(1).sys
2009-04-15 12:44 . 2009-02-13 08:49 1255936 ----a-w c:\windows\system32\lsasrv.dll
2009-04-12 20:02 . 2000-11-07 20:36 1044480 ----a-w c:\windows\system32\ROBOEX32.DLL
2009-04-08 04:13 . 2009-04-10 01:44 -------- d-----w c:\users\Steve\AppData\Local\Google
2009-04-08 04:13 . 2009-04-22 03:14 -------- d-----w c:\users\All Users\Google Updater
2009-04-08 04:13 . 2009-04-22 03:14 -------- d-----w c:\programdata\Google Updater
2009-04-05 04:53 . 2009-04-05 04:53 -------- d-----w c:\windows\system32\Adobe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-22 04:41 . 2009-02-28 04:45 -------- d-----w c:\users\Steve\AppData\Roaming\Skype
2009-04-22 04:40 . 2009-02-28 04:46 -------- d-----w c:\users\Steve\AppData\Roaming\skypePM
2009-04-22 04:39 . 2009-03-03 04:04 -------- d-----w c:\program files\Blue Coat K9 Web Protection
2009-04-22 04:38 . 2009-02-27 22:26 0 ----a-w c:\windows\system32\drivers\lvuvc.hs
2009-04-22 03:10 . 2009-03-04 03:31 76512 ----a-w c:\users\Steve\AppData\Roaming\GDIPFONTCACHEV1.DAT
2009-04-22 01:53 . 2009-02-28 03:47 -------- d--h--w c:\program files\InstallShield Installation Information
2009-04-22 01:53 . 2009-04-22 01:53 -------- d-----w c:\programdata\Seagate
2009-04-22 01:53 . 2009-04-22 01:53 -------- d-----w c:\program files\Seagate
2009-04-19 02:28 . 2009-04-19 02:28 5464 ----a-w C:\Rooter.txt
2009-04-19 02:20 . 2009-04-18 17:04 -------- d-----w c:\program files\BitDefender
2009-04-19 02:20 . 2009-04-18 17:02 -------- d-----w c:\program files\Common Files\BitDefender
2009-04-19 02:15 . 2009-04-19 02:15 -------- d-----w c:\program files\ERUNT
2009-04-18 21:52 . 2009-04-18 21:52 -------- d-----w c:\program files\Trend Micro
2009-04-18 17:05 . 2006-11-02 10:25 86016 ----a-w c:\windows\Inf\infstor.dat
2009-04-18 17:05 . 2006-11-02 10:25 51200 ----a-w c:\windows\Inf\infpub.dat
2009-04-18 17:05 . 2006-11-02 10:25 143360 ----a-w c:\windows\Inf\infstrng.dat
2009-04-18 04:20 . 2009-04-18 04:20 -------- d-----w c:\program files\PixiePack Codec Pack
2009-04-16 02:59 . 2009-04-16 02:59 -------- d-----w c:\program files\RapidSolution
2009-04-15 20:24 . 2006-11-02 11:18 -------- d-----w c:\program files\Windows Mail
2009-04-15 13:40 . 2009-03-07 05:36 -------- d-----w c:\users\Steve\AppData\Roaming\uTorrent
2009-04-12 20:31 . 2009-02-27 22:13 76512 ----a-w c:\users\Steve\AppData\Local\GDIPFONTCACHEV1.DAT
2009-04-12 20:05 . 2009-04-12 20:02 -------- d-----w c:\program files\DesignPro
2009-04-12 20:02 . 2009-04-12 20:02 25588 ----a-w C:\MDacLog.txt
2009-04-08 04:14 . 2009-04-08 04:13 -------- d-----w c:\program files\Google
2009-04-05 06:37 . 2009-04-05 06:37 -------- d-----w c:\program files\KeyHoleTV
2009-04-04 14:01 . 2009-03-05 04:18 -------- d-----w c:\program files\Java
2009-03-29 12:15 . 2009-02-28 04:52 -------- d-----w c:\program files\Common Files\Adobe
2009-03-19 02:07 . 2009-03-19 02:07 -------- d-----w c:\program files\Common Files\Real
2009-03-19 02:07 . 2009-03-19 02:07 0 ---ha-w c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_00_00.Wdf
2009-03-19 02:07 . 2009-03-19 02:06 -------- d-----w c:\program files\V CAST Music with Rhapsody
2009-03-19 01:53 . 2009-03-19 01:53 -------- d-----w c:\program files\LG Electronics
2009-03-17 03:38 . 2009-04-15 12:44 40960 ----a-w c:\windows\AppPatch\apihex86.dll
2009-03-17 03:38 . 2009-04-15 12:44 13824 ----a-w c:\windows\System32\apilogen.dll
2009-03-17 03:38 . 2009-04-15 12:44 24064 ----a-w c:\windows\System32\amxread.dll
2009-03-13 19:29 . 2009-03-13 19:27 -------- d-----w c:\program files\Diploma 6
2009-03-13 19:22 . 2009-03-13 19:22 -------- d-----w c:\users\Steve\AppData\Roaming\Diploma
2009-03-11 05:10 . 2009-03-11 05:10 -------- d-----w c:\programdata\Minnetonka Audio Software
2009-03-10 15:24 . 2009-03-10 15:24 -------- d-----w c:\program files\ffdshow
2009-03-10 15:19 . 2000-08-23 21:00 33280 ----a-w c:\windows\System32\HUFFYUV.DLL
2009-03-10 15:09 . 2009-02-28 04:40 -------- d-----w c:\program files\DivX
2009-03-10 02:08 . 2009-03-10 02:08 -------- d-----w c:\program files\iSkysoft
2009-03-10 02:00 . 2009-03-10 02:00 -------- d-----w c:\users\Steve\AppData\Roaming\AVS4YOU
2009-03-10 02:00 . 2009-03-10 02:00 -------- d-----w c:\programdata\AVS4YOU
2009-03-10 02:00 . 2009-03-10 01:59 -------- d-----w c:\program files\AVS4YOU
2009-03-10 02:00 . 2009-03-10 02:00 -------- d-----w c:\program files\Common Files\AVSMedia
2009-03-09 22:42 . 2009-03-09 22:42 -------- d-----w c:\program files\CamStudio
2009-03-09 22:42 . 2008-09-30 23:35 65536 ----a-w c:\windows\System32\camcodec.dll
2009-03-09 22:42 . 2008-09-30 23:33 1461 ----a-w c:\windows\system32\drivers\camcodec.inf
2009-03-09 09:19 . 2009-03-05 04:21 410984 ----a-w c:\windows\System32\deploytk.dll
2009-03-08 05:33 . 1999-11-19 20:49 265797 ----a-w c:\windows\System32\pdvcodec.dll
2009-03-07 05:36 . 2009-03-07 05:36 -------- d-----w c:\program files\uTorrent
2009-03-05 17:35 . 2009-03-05 03:39 -------- d-----w c:\users\Steve\AppData\Roaming\CoreFTP
2009-03-05 14:33 . 2009-03-01 19:24 -------- d-----w c:\programdata\NOS
2009-03-05 14:33 . 2009-03-01 19:24 -------- d-----w c:\program files\NOS
2009-03-05 06:28 . 2009-03-05 05:18 -------- d-----w c:\users\Steve\AppData\Roaming\lyx16
2009-03-05 05:25 . 2009-03-05 04:51 -------- d-----w c:\program files\LaTeX
2009-03-05 05:05 . 2009-03-05 05:05 -------- d-----w c:\programdata\Aspell
2009-03-05 05:00 . 2009-03-05 05:00 -------- d-----w c:\programdata\MiKTeX
2009-03-05 04:39 . 2009-03-05 04:39 -------- d-----w c:\program files\activePDF
2009-03-05 04:22 . 2009-03-05 04:22 -------- d-----w c:\program files\Sun
2009-03-05 03:35 . 2009-03-05 03:33 -------- d-----w c:\program files\eclipse
2009-03-05 03:32 . 2009-03-05 03:32 -------- d-----w c:\program files\URUSoft
2009-03-05 03:32 . 2009-03-05 03:32 -------- d-----w c:\program files\CoreFTP
2009-03-05 03:29 . 2009-03-05 03:29 -------- d-----w c:\program files\Collectorz
2009-03-05 03:29 . 2009-03-05 03:28 -------- d-----w c:\program files\OmegaT
2009-03-05 03:25 . 2009-03-05 03:25 -------- d-----w c:\users\Steve\AppData\Roaming\MathWorks
2009-03-05 03:13 . 2009-03-05 03:13 -------- d-----w c:\program files\MATLAB
2009-03-04 05:57 . 2009-03-04 05:57 -------- d---a-r c:\program files\mplayer
2009-03-03 04:46 . 2009-04-15 12:45 3599328 ----a-w c:\windows\System32\ntkrnlpa.exe
2009-03-03 04:46 . 2009-04-15 12:45 3547632 ----a-w c:\windows\System32\ntoskrnl.exe
2009-03-03 04:40 . 2009-04-15 12:44 827392 ----a-w c:\windows\System32\wininet.dll
2009-03-03 04:39 . 2009-04-15 12:45 183296 ----a-w c:\windows\System32\sdohlp.dll
2009-03-03 04:39 . 2009-04-15 12:45 551424 ----a-w c:\windows\System32\rpcss.dll
2009-03-03 04:39 . 2009-04-15 12:45 26112 ----a-w c:\windows\System32\printfilterpipelineprxy.dll
2009-03-03 04:37 . 2009-04-15 12:44 78336 ----a-w c:\windows\System32\ieencode.dll
2009-03-03 04:37 . 2009-04-15 12:45 98304 ----a-w c:\windows\System32\iasrecst.dll
2009-03-03 04:37 . 2009-04-15 12:45 54784 ----a-w c:\windows\System32\iasads.dll
2009-03-03 04:37 . 2009-04-15 12:45 44032 ----a-w c:\windows\System32\iasdatastore.dll
2009-03-03 03:04 . 2009-04-15 12:45 666624 ----a-w c:\windows\System32\printfilterpipelinesvc.exe
2009-03-03 02:38 . 2009-04-15 12:45 17408 ----a-w c:\windows\System32\iashost.exe
2009-03-03 02:28 . 2009-04-15 12:44 26624 ----a-w c:\windows\System32\ieUnatt.exe
2009-03-01 20:28 . 2009-03-01 20:28 -------- d-----w c:\program files\shazam
2009-03-01 20:18 . 2009-03-01 20:14 -------- d-----w c:\program files\Common Files\Macromedia
2009-03-01 20:18 . 2009-03-01 20:11 -------- d-----w c:\program files\Macromedia
2009-03-01 19:27 . 2009-03-01 19:27 -------- d-----w c:\program files\Common Files\Adobe AIR
2009-03-01 06:21 . 2009-03-01 06:21 -------- d-----w c:\program files\MSXML 4.0
2009-03-01 06:18 . 2009-03-01 06:18 -------- d-----w c:\program files\VistaCodecPack
2009-03-01 06:16 . 2009-03-01 06:16 -------- d-----w c:\programdata\VistaCodecs
2009-03-01 05:15 . 2009-03-01 05:14 -------- d-----w c:\program files\Virtual Dub
2009-03-01 04:53 . 2009-03-01 04:52 -------- d-----w c:\users\Steve\AppData\Roaming\avidemux
2009-03-01 04:52 . 2009-03-01 04:52 -------- d-----w c:\program files\Avidemux 2.4
2009-03-01 04:21 . 2009-03-01 04:21 0 ---ha-w c:\windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2009-02-28 21:19 . 2009-02-28 21:19 237568 ----a-w c:\windows\System32\rmc_rtspdl.dll
2009-02-28 21:19 . 2009-02-28 21:19 156672 ----a-w c:\windows\System32\rmc_fixasf.exe
2009-02-28 21:19 . 2009-02-28 21:19 323584 ----a-w c:\windows\System32\AUDIOGENIE2.DLL
2009-02-28 20:30 . 2009-02-28 20:30 -------- d-----w c:\program files\QuickTime
2009-02-28 20:30 . 2009-02-28 20:30 -------- d-----w c:\programdata\Apple Computer
2009-02-28 20:28 . 2009-02-28 20:28 -------- d-----w c:\program files\Apple Software Update
2009-02-28 20:28 . 2009-02-28 20:28 -------- d-----w c:\programdata\Apple
2009-02-28 20:12 . 2009-02-28 18:43 -------- d-----w c:\program files\ImTOO
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-19 1233920]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-02-04 23975720]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
"googletalk"="c:\users\Steve\AppData\Roaming\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"lxcrmon.exe"="c:\program files\Lexmark 2400 Series\lxcrmon.exe" [2006-01-22 286720]
"EzPrint"="c:\program files\Lexmark 2400 Series\ezprint.exe" [2006-02-07 98304]
"FaxCenterServer"="c:\program files\Lexmark Fax Solutions\fm3032.exe" [2006-02-02 290816]
"LXCRCATS"="c:\windows\system32\spool\DRIVERS\W32X86\3\LXCRtime.dll" [2005-12-01 65536]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-29 61440]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2008-03-14 136512]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2008-09-29 124240]
"TV Card Remote Control Device Monitor"="c:\windows\713xRMT.exe" [2008-05-27 466944]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2008-12-20 2656528]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"MaxMenuMgr"="c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [2008-10-28 181544]
"CHotkey"="zHotkey.exe" - c:\windows\zHotkey.exe [2006-11-07 547840]
"ShowWnd"="ShowWnd.exe" - c:\windows\ShowWnd.exe [2005-01-27 36864]
"ModPS2"="ModPS2Key.exe" - c:\windows\ModPS2Key.exe [2006-11-07 53248]
"SigmatelSysTrayApp"="sttray.exe" - c:\windows\sttray.exe [2006-11-02 303104]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\McAfeeEngineService]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{9C116D00-718B-4CD4-B71B-3C7A05222A66}"= UDP:c:\windows\System32\lxcrcoms.exe:Lexmark Communications System
"{E6F8D565-1BF1-48D4-974C-603B6161B7E8}"= TCP:c:\windows\System32\lxcrcoms.exe:Lexmark Communications System
"{7DF4C94A-6B52-4435-9A6D-E6D5721FA817}"= Disabled:UDP:135:TCP Port 135
"{1E11573F-E5BF-4C0A-8002-1340697D97D7}"= Disabled:UDP:5000:TCP Port 5000
"{3CC7489A-E5F4-4084-B056-8A0E0F892737}"= Disabled:UDP:5001:TCP Port 5001
"{1C938604-144A-4971-BA60-3AB0175244FD}"= Disabled:UDP:5002:TCP Port 5002
"{3A0401EE-73BE-4F78-9D59-5B80075C4791}"= Disabled:UDP:5003:TCP Port 5003
"{EC3ADDFB-E1E2-4E7D-9755-84DDE9B19F2E}"= Disabled:UDP:5004:TCP Port 5004
"{3FE692F3-718F-4F5E-BBD1-1610AFDE2F25}"= Disabled:UDP:5005:TCP Port 5005
"{F86CC01F-537E-4B90-B5F0-8853743E642B}"= Disabled:UDP:5006:TCP Port 5006
"{90B42768-00AE-4E8A-A5B0-6AF1BCB94683}"= Disabled:UDP:5007:TCP Port 5007
"{11DA7187-04B4-4925-992A-BC97CEE85A60}"= Disabled:UDP:5008:TCP Port 5008
"{A58C38E8-4314-4B51-B995-B85309FB5714}"= Disabled:UDP:5009:TCP Port 5009
"{2B333846-34DD-41C8-BC20-AA63C73D4D0C}"= Disabled:UDP:5010:TCP Port 5010
"{81A6A0C3-283C-4F34-8217-D4C2E217E316}"= Disabled:UDP:5011:TCP Port 5011
"{DF2B3EAA-E292-471A-B232-EC4FA5EBEC2A}"= Disabled:UDP:5012:TCP Port 5012
"{A90240B8-CA84-4992-ADB5-935212B1FF3F}"= Disabled:UDP:5013:TCP Port 5013
"{C1E59CE0-01CE-4B83-A5D9-894B685114B9}"= Disabled:UDP:5014:TCP Port 5014
"{788553F1-26C0-48F2-9A70-FCAF68BEC0BC}"= Disabled:UDP:5015:TCP Port 5015
"{47820D95-4A0C-48F1-8346-AEC910FE4852}"= Disabled:UDP:5016:TCP Port 5016
"{43A409A1-B9D1-4647-B226-F72BDCB3D2B5}"= Disabled:UDP:5017:TCP Port 5017
"{657DE3A2-E343-4324-9539-418F3AB8F04E}"= Disabled:UDP:5018:TCP Port 5018
"{378BFE1C-797B-42CF-AB45-74EDAD79451D}"= Disabled:UDP:5019:TCP Port 5019
"{26416C89-BE7C-4E32-9C40-B21CFDF39571}"= Disabled:UDP:5020:TCP Port 5020
"{456CC666-8498-44C8-ADB7-4C52704070D8}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{D2A343B1-E345-4987-8CDC-C127E01AE5DF}"= UDP:c:\program files\McAfee\Common Framework\FrameworkService.exe:McAfee Framework Service
"{9D272B03-84C0-4336-BE2E-E4050B0043DA}"= TCP:c:\program files\McAfee\Common Framework\FrameworkService.exe:McAfee Framework Service
"{ED88208A-01A4-4334-9786-B6ADF94954C4}"= Disabled:UDP:135:TCP Port 135
"{3F8BE821-0266-4A9F-979F-578927E1D0A7}"= UDP:c:\program files\uTorrent\uTorrent.exe:μTorrent (TCP-In)
"{5A0D9BA6-DE8A-44B7-8130-6CECEF8213CF}"= TCP:c:\program files\uTorrent\uTorrent.exe:μTorrent (UDP-In)
"TCP Query User{D027478D-9992-41A9-9AEC-1C74DCD09117}c:\\program files\\java\\jre6\\bin\\java.exe"= UDP:c:\program files\java\jre6\bin\java.exe:Java™ Platform SE binary
"UDP Query User{CF911C13-5959-4288-81E5-C34136F1AE80}c:\\program files\\java\\jre6\\bin\\java.exe"= TCP:c:\program files\java\jre6\bin\java.exe:Java™ Platform SE binary
"TCP Query User{7B85B10B-5D9D-4DE1-ACA7-0DB80B6B9EAE}c:\\program files\\keyholetv\\keyholetv.exe"= UDP:c:\program files\keyholetv\keyholetv.exe:KeyHole TV Main Application
"UDP Query User{F348CBCB-C346-4BD5-949D-B82AA2AE1722}c:\\program files\\keyholetv\\keyholetv.exe"= TCP:c:\program files\keyholetv\keyholetv.exe:KeyHole TV Main Application
"TCP Query User{EC3A31E4-4CA7-4701-B044-335670DCA753}c:\\program files\\v cast music with rhapsody\\rhapsody.exe"= UDP:c:\program files\v cast music with rhapsody\rhapsody.exe:RealNetworks Rhapsody
"UDP Query User{EDBC6063-DB30-4961-9D8B-537EEB98E414}c:\\program files\\v cast music with rhapsody\\rhapsody.exe"= TCP:c:\program files\v cast music with rhapsody\rhapsody.exe:RealNetworks Rhapsody

R2 gupdate1c9b80066ee597c;Google Update Service (gupdate1c9b80066ee597c);c:\program files\Google\Update\GoogleUpdate.exe [2009-04-08 133104]
R3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2008-09-29 64432]
R3 WsAudio_DeviceS(1);WsAudio_DeviceS(1);c:\windows\system32\drivers\WsAudio_DeviceS(1).sys [2009-04-13 16640]
S1 bckd;bckd;c:\windows\system32\drivers\bckd.sys [2009-01-13 72992]
S2 bckwfs;Blue Coat K9 Web Protection;c:\program files\Blue Coat K9 Web Protection\k9filter.exe [2009-01-13 1078560]
S2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [2008-10-28 156968]
S2 McAfeeEngineService;McAfee Engine Service;c:\program files\McAfee\VirusScan Enterprise\engineserver.exe [2008-09-29 19456]
S2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2008-09-29 67904]
S3 3xHybrid;SAA713x TV Card Service;c:\windows\system32\DRIVERS\3xHybrid.sys [2007-07-07 906368]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\K]
\shell\AutoRun\command - WD_Windows_Tools\Setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c3032282-0c46-11de-aa4f-0019d139ee82}]
\shell\AutoRun\command - WD_Windows_Tools\Setup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{B2C3BB6B-E005-4246-B8E5-DF0A4D073CDC}]
c:\program files\PixiePack Codec Pack\InstallerHelper.exe
.
Contents of the 'Scheduled Tasks' folder

2009-04-22 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-04-08 04:13]

2009-04-22 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-08 04:13]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Power2GoExpress - (no file)
HKLM-Run-LaunchList - c:\program files\Pinnacle\Studio 8\LaunchList.exe


.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
Trusted Zone: real.com\rhap-app-4-0
Trusted Zone: real.com\rhapreg
FF - ProfilePath - c:\users\Steve\AppData\Roaming\Mozilla\Firefox\Profiles\pibymdh4.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.foxnews.com/
FF - component: c:\program files\Mozilla\Firefox\components\FFComm.dll
FF - component: c:\program files\Mozilla\Firefox\components\Scriptff.dll
FF - component: c:\program files\Mozilla\Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\Mozilla\Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\VistaCodecPack\rm\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\VistaCodecPack\rm\browser\plugins\nprpjplug.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-22 00:41
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCRCATS = rundll32 c:\windows\system32\spool\DRIVERS\W32X86\3\LXCRtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5

[HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(9164)
c:\windows\TEMP\logishrd\LVPrcInj01.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\Ati2evxx.exe
c:\windows\System32\audiodg.exe
c:\windows\System32\Ati2evxx.exe
c:\program files\LSI SoftModem\agrsmsvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\logishrd\LVMVFM\LVPrcSrv.exe
c:\program files\McAfee\Common Framework\FrameworkService.exe
c:\program files\McAfee\VirusScan Enterprise\vstskmgr.exe
c:\program files\Common Files\microsoft shared\VS7Debug\mdm.exe
c:\program files\McAfee\Common Framework\naPrdMgr.exe
c:\program files\McAfee\VirusScan Enterprise\mcshield.exe
c:\program files\McAfee\VirusScan Enterprise\mfeann.exe
c:\windows\System32\WUDFHost.exe
c:\windows\System32\conime.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\windows\System32\lxcrcoms.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\ehome\ehmsas.exe
c:\program files\Common Files\logishrd\LQCVFX\COCIManager.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
c:\windows\servicing\TrustedInstaller.exe
c:\windows\System32\wbem\WMIADAP.exe
.
**************************************************************************
.
Completion time: 2009-04-22 0:44 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-22 04:44

Pre-Run: 122,186,629,120 bytes free
Post-Run: 122,377,904,128 bytes free

324 --- E O F --- 2009-04-15 13:44

#10
stekun

    New Member

  • Topic Starter
  • Member
  • 9 posts
Here is a HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:48:06 AM, on 4/22/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18226)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\conime.exe
C:\Windows\zHotkey.exe
C:\Windows\ModPS2Key.exe
C:\Windows\sttray.exe
C:\Program Files\Lexmark 2400 Series\lxcrmon.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\McAfee\VirusScan Enterprise\shstat.exe
C:\Windows\713xRMT.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Windows\Explorer.exe
C:\Program Files\Mozilla\Firefox\firefox.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptsn.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [ShowWnd] ShowWnd.exe
O4 - HKLM\..\Run: [ModPS2] ModPS2Key.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [lxcrmon.exe] "C:\Program Files\Lexmark 2400 Series\lxcrmon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 2400 Series\ezprint.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [LXCRCATS] rundll32 C:\Windows\system32\spool\DRIVERS\W32X86\3\LXCRtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\udaterui.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [TV Card Remote Control Device Monitor] C:\Windows\713xRMT.exe
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [MaxMenuMgr] "C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [googletalk] C:\Users\Steve\AppData\Roaming\Google\Google Talk\googletalk.exe /autostart
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O13 - Gopher Prefix:
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Program Files\LSI SoftModem\agrsmsvc.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Blue Coat K9 Web Protection (bckwfs) - Unknown owner - C:\Program Files\Blue Coat K9 Web Protection\k9filter.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Seagate Service (FreeAgentGoNext Service) - Seagate Technology LLC - C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
O23 - Service: Google Update Service (gupdate1c9b80066ee597c) (gupdate1c9b80066ee597c) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: lxcr_device - - C:\Windows\system32\lxcrcoms.exe
O23 - Service: McAfee Engine Service (McAfeeEngineService) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\engineserver.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
O23 - Service: McAfee Validation Trust Protection Service (mfevtp) - McAfee, Inc. - C:\Windows\system32\mfevtps.exe

--
End of file - 6210 bytes
  • 0



#11
Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
hello

Please download ATF Cleaner by Atribune.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browser: Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser: Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.




Please download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.






Go to Kaspersky website and perform an online antivirus scan.

  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.

  • 0

#12
stekun

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Here is the Malwarebytes log

Malwarebytes' Anti-Malware 1.36
Database version: 2025
Windows 6.0.6001 Service Pack 1

4/22/2009 9:20:25 AM
mbam-log-2009-04-22 (09-20-25).txt

Scan type: Quick Scan
Objects scanned: 65306
Time elapsed: 3 minute(s), 56 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\HeroCodecSoft (Trojan.DNSChanger) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\gxvxcserv.sys (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



Here is the Kaspersky log
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Wednesday, April 22, 2009
Operating System: Microsoft Windows Vista Home Premium Edition, 32-bit Service Pack 1 (build 6001)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Wednesday, April 22, 2009 15:15:09
Records in database: 2068970
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\

Scan statistics:
Files scanned: 277425
Threat name: 0
Infected objects: 0
Suspicious objects: 0
Duration of the scan: 03:16:53

No malware has been detected. The scan area is clean.

The selected area was scanned.
  • 0

#13
stekun

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Incidentally, the symptoms I was experiencing all seem to be gone.
  • 0

#14
Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Your logs are clean


Follow these steps to uninstall Combofix and tools used in the removal of malware
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.



Download ToolsCleaner2 to your desktop and run it ( by de A.Rothstein & Dj Quiou )
  • Click the Pt. Restauration button and press OK to the prompts.
  • Click the Corbeille button and press OK to the prompt.
  • Click the Fichiers temp button and press OK to the prompt.
  • Click the Recherche button and let it run ( it may look like it freezes but let it continue )
  • Once it is done click the Suppression button and let it remove anything it finds.
  • Close the program


Below I have included a number of recommendations for how to protect your computer against malware infections.
  • Keep Windows updated by regularly checking their website at :
    http://windowsupdate.microsoft.com/
    This will ensure your computer always has the latest available security updates installed.

  • SpywareBlaster protects against bad ActiveX, it immunizes your PC against them.

  • SpywareGuard offers realtime protection from spyware installation attempts. Make sure you are only running one real-time anti-spyware protection program ( eg : TeaTimer, Windows Defender ) or there will be a conflict.

  • Make Internet Explorer more secure
    • Click Start > Run
    • Type Inetcpl.cpl & click OK
    • Click on the Security tab
    • Click Reset all zones to default level
    • Make sure the Internet Zone is selected & Click Custom level
    • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
    • Next Click OK, then Apply button and then OK to exit the Internet Properties page.
  • ATF Cleaner - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.

  • MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.

  • Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in pop up blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from Here


    If you choose to use Firefox, I highly recommend these add-ons to keep your PC even more secure.
    • NoScript - for blocking ads and other potential website attacks
    • McAfee SiteAdvisor - this tells you whether the sites you are about to visit are safe or not. A must if you do a lot of Googling

  • Keep a backup of your important files - Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.

  • ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.

  • FileHippo Update Checker is an extremely helpful program that will tell you which of your programs need to be updated. It's important to keep programs up to date so that malware doesn't exploit any old security flaws.

  • Recovery Console - Recent trends appear to indicate that future infections will include attacks to the boot sector of the computer. The installation of the Recovery Console in the computer will be our only defense against this threat. For more information and steps to install the Recovery Console see This Article. Should you need assistance in installing the Recovery Console, please do not hesitate to ask.

  • Please read my guide on how to prevent malware and about safe computing here
Thank you for your patience, and performing all of the procedures requested.
  • 0
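To make the HOSTS file mechanism from the recommendations above concrete, here is an added example; it is my own code, not the MVPS file and not a tool from this thread. It parses a constructed hosts file, answers whether a name is blocked (sent to the local machine, as the MVPS entries do), and lists every entry that sends a name anywhere else. That second check is the defender's side of the same mechanism: a hosts file can also be rewritten by malware so that an update or security-vendor host resolves to an address the attacker controls, so a clean-up should audit the file rather than only replace it. The name update.microsoft.com is taken from the HijackThis log in this thread; the address 198.51.100.7 is a documentation-range placeholder, and the whole file content is constructed.

```python
import ipaddress

# Constructed sample hosts file (not the MVPS file): a localhost line, two
# MVPS-style block entries, and one entry of the kind a hosts-file hijack
# leaves behind, pointing a vendor update host at a non-local address.
SAMPLE_HOSTS = """\
# Constructed sample, not a real hosts file
127.0.0.1  localhost
0.0.0.0    ads.example.net
127.0.0.1  tracker.example.org   # MVPS-style block entry
198.51.100.7  update.microsoft.com
"""


def parse_hosts(text):
    """Map each hostname in a hosts file to its address (comments stripped, names case-folded)."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing and full-line comments
        if not line:
            continue
        parts = line.split()
        addr, names = parts[0], parts[1:]      # one address, one or more names
        for name in names:
            mapping[name.lower()] = addr
    return mapping


def _points_to_local_machine(addr):
    """True for 127.0.0.1/::1 (loopback) and 0.0.0.0 (unspecified), the two block styles."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False                           # unparsable address, treat as not local
    return ip.is_loopback or ip.is_unspecified


def is_blocked(mapping, hostname):
    """True when the hosts file sends this hostname to the local machine."""
    addr = mapping.get(hostname.lower())
    return addr is not None and _points_to_local_machine(addr)


def suspicious_entries(mapping):
    """Entries that redirect a name somewhere other than the local machine.

    A blocking hosts file only ever maps names to 127.0.0.1 or 0.0.0.0; any other
    destination redirects the name, which is what a hosts-file hijack of an
    update or security-vendor site looks like. Each such entry deserves review
    (a hand-added LAN host will show up here too, which is the point: look at it).
    """
    return [(name, addr) for name, addr in mapping.items()
            if name != "localhost" and not _points_to_local_machine(addr)]


if __name__ == "__main__":
    table = parse_hosts(SAMPLE_HOSTS)
    for host in ("ads.example.net", "update.microsoft.com"):
        print("%-24s blocked=%s" % (host, is_blocked(table, host)))
    for name, addr in suspicious_entries(table):
        print("REVIEW: %s -> %s" % (name, addr))
```

On a real machine the file lives at %SystemRoot%\System32\drivers\etc\hosts; reading it with parse_hosts and printing suspicious_entries is a quick way to confirm, after a scan reports clean, that name resolution for vendor sites has not been quietly redirected.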

#15
stekun

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Thank you so much for your help! I have taken the steps you outline here. I appreciate you walking me through this. The symptoms I was experiencing are gone. Thanks again!!
  • 0





