
Vundo infection [Solved]


This topic is locked

#16
azarl

    GeekU Teacher

  • GeekU Moderator
  • 20,747 posts
Hi

Can we try and get a GMER log now please?

Download GMER from Here. Note the file's name and save it to your root folder, such as C:\.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with this file.
  • Click on this link to see a list of programs that should be disabled.
  • Double-click on the downloaded file to start the program. (If running Vista, right click on it and select "Run as an Administrator")
  • Allow the driver to load if asked.
  • You may be prompted to scan immediately if it detects rootkit activity.
  • If you are prompted to scan your system click "No", save the log and post back the results.
  • If not prompted, click the "Rootkit/Malware" tab.
  • On the right-side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
  • Select all drives that are connected to your system to be scanned.
  • Click the Scan button to begin. (Please be patient as it can take some time to complete)
  • When the scan is finished, click Save to save the scan results to your Desktop.
  • Save the file as Results.log and copy/paste the contents in your next reply.
  • Exit the program and re-enable all active protection when done.


#17
rklamer

    Member

  • Member
  • PipPip
  • 33 posts
Hi,

I tried again, following every step perfectly (disabling all programs, disconnecting the Internet, etc)... but I'm still getting crashes. This time, I let it go overnight, and when I woke up the next day, Explorer was unresponsive. GMER still said "Stop" instead of "Scan", so I guess it was still "going", but it was unresponsive. I hit "Stop" then "Save" to see if I could salvage that which had already been scanned, but that completely froze Explorer, causing the GMER program to have the "Solitaire effect" (I could drag the program around and it would create "copies" of itself where I just had it -- similar to the cards bouncing offscreen after a game of Solitaire).


Any suggestions?

#18
azarl

    GeekU Teacher

  • GeekU Moderator
  • 20,747 posts
Firstly...
Could you run MBAM again please? Click on the Update tab and update before running.

Then...
SysProt AntiRootkit
Download SysProt AntiRootkit from Here

Unzip it into a folder on your desktop.

Start the Sysprot.exe program.

  • Click on the Log tab.
  • In the Write to log box select all items.
  • Click on the Create Log button on the bottom right.
  • After a few seconds a new Window should appear.
  • Make sure Scan all drives is selected and click on the Start button.
  • When it is complete a new Window will appear to indicate that the scan is finished.
  • The log will be created and saved automatically in the same folder. Open the text file and copy/paste the log here.

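The steps above produce a SysProt text log (the one rklamer posts in the next reply): headed sections for processes, kernel modules, SSDT entries and IRP hooks, each made of "Key: Value" blocks. As an added example, not code from this thread or from SysProt, the Python below parses that layout and pulls out what a responder checks first: kernel modules reported hidden, SSDT handlers grouped by the driver that owns them, and IRP hooks whose handler SysProt attributes to "_unknown_", re-resolved against the module list to see whether the jump address lands inside any enumerated driver. The embedded sample log is constructed from the format of the posted log, and the allowlist of dump_* crash-dump drivers is this example's assumption, not SysProt behaviour.

```python
"""Triage helper for a SysProt AntiRootkit text log (added example; not code from
the thread or from SysProt). The log is headed sections ("Process:", "Kernel
Modules:", "SSDT:", "IRP Hooks:") of "Key: Value" blocks split by blank/'***' lines."""
from collections import defaultdict

SECTIONS = {"Process:": "processes", "Kernel Modules:": "modules",
            "SSDT:": "ssdt", "IRP Hooks:": "irp_hooks"}
# Crash-dump copies of the storage stack (dump_atapi.sys, dump_WMILIB.SYS) load outside
# the normal driver list and routinely show as hidden; allowlisting them is this
# example's assumption, not something SysProt does.
EXPECTED_HIDDEN_PREFIXES = ("dump_",)

# Constructed sample, modelled on the format of the log posted in the thread.
SAMPLE_LOG = r"""SysProt AntiRootkit v1.0.1.0
******************************************************************************************
Kernel Modules:
Module Name: spkw.sys
Service Name: ---
Module Base: F7485000
Module End: F7585000
Hidden: Yes

Module Name: \SystemRoot\System32\Drivers\dump_atapi.sys
Service Name: ---
Module Base: EF257000
Module End: EF26F000
Hidden: Yes

******************************************************************************************
SSDT:
Function Name: ZwCreateKey
Address: F74860E0
Driver Base: F7485000
Driver End: F7585000
Driver Name: spkw.sys

******************************************************************************************
IRP Hooks:
Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_CREATE
Jump To: F7486000
Hooking Module: spkw.sys

Hooked Module: C:\WINDOWS\system32\drivers\atapi.sys
Hooked IRP: IRP_MJ_DEVICE_CONTROL
Jump To: 86F671F8
Hooking Module: _unknown_
"""

def parse_sysprot_log(text):
    """Return {section: [record, ...]}, a record being one 'Key: Value' block as a dict."""
    sections, current, record = defaultdict(list), None, {}
    for line in (raw.strip() for raw in text.splitlines()):
        if line in SECTIONS:                        # section heading
            current, record = SECTIONS[line], {}
        elif not line or line.startswith("*"):      # block or section separator
            if current and record:
                sections[current].append(record)
            record = {}
        elif current:                               # banner lines before any section are ignored
            key, sep, value = line.partition(": ")
            if sep:
                record[key] = value
    if current and record:                          # last block has no trailing separator
        sections[current].append(record)
    return sections

def module_for_address(addr_hex, modules):
    """Name of the listed module whose [base, end) range contains addr_hex, else None."""
    addr = int(addr_hex, 16)
    for m in modules:
        if int(m["Module Base"], 16) <= addr < int(m["Module End"], 16):
            return m["Module Name"]
    return None

def hidden_modules(sections):
    """Kernel modules SysProt flags as hidden, minus the crash-dump drivers expected to be."""
    return [m["Module Name"] for m in sections["modules"] if m.get("Hidden") == "Yes"
            and not m["Module Name"].rsplit("\\", 1)[-1].lower().startswith(EXPECTED_HIDDEN_PREFIXES)]

def ssdt_hooks_by_driver(sections):
    """Map driver name -> SSDT functions it owns, so one driver owning the Zw*Key set stands out."""
    out = defaultdict(list)
    for e in sections["ssdt"]:
        out[e["Driver Name"]].append(e["Function Name"])
    return dict(out)

def unattributed_irp_hooks(sections):
    """IRP hooks SysProt tied to '_unknown_', re-resolved against the module list: a handler
    that lands in no listed module at all is the finding to chase first in this log type."""
    return [(h["Hooked Module"], h["Hooked IRP"], h["Jump To"],
             module_for_address(h["Jump To"], sections["modules"]))
            for h in sections["irp_hooks"] if h["Hooking Module"] == "_unknown_"]

if __name__ == "__main__":
    found = parse_sysprot_log(SAMPLE_LOG)
    print("hidden modules:", hidden_modules(found))
    print("SSDT by driver:", ssdt_hooks_by_driver(found))
    print("unattributed IRP hooks:", unattributed_irp_hooks(found))
```

Run as-is it reports on the embedded sample; for a real log, pass the saved file's contents to parse_sysprot_log. Applied to the log in the next reply it separates two very different findings: the hidden sp??.sys driver that owns every listed SSDT entry and the hooks on \Driver\sptd, alongside daemon.exe in the process list, matches the footprint of the SPTD layer that DAEMON Tools installs and is a common anti-rootkit false positive, whereas the atapi.sys and dmio.sys hooks attributed to _unknown_ (86F671F8 and 86FD81F8) resolve to no listed module at all and have no such explanation in the log.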

#19
rklamer

    Member

  • Member
  • PipPip
  • 33 posts
Here's MBAM (it didn't find anything):

Malwarebytes' Anti-Malware 1.44
Database version: 3610
Windows 5.1.2600 Service Pack 2
Internet Explorer 7.0.5730.13

1/21/2010 2:52:09 PM
mbam-log-2010-01-21 (14-52-09).txt

Scan type: Quick Scan
Objects scanned: 138013
Time elapsed: 4 minute(s), 56 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Here's the SP log:
SysProt AntiRootkit v1.0.1.0
by swatkat

******************************************************************************************
******************************************************************************************

Process:
Name: [System Idle Process]
PID: 0
Hidden: No
Window Visible: No

Name: System
PID: 4
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\smss.exe
PID: 560
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\csrss.exe
PID: 628
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\winlogon.exe
PID: 652
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\services.exe
PID: 696
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\lsass.exe
PID: 708
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 876
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 972
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 1012
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 1052
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 1100
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 1200
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\spoolsv.exe
PID: 1284
Hidden: No
Window Visible: No

Name: C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
PID: 1320
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 1372
Hidden: No
Window Visible: No

Name: C:\Program Files\Bonjour\mDNSResponder.exe
PID: 1408
Hidden: No
Window Visible: No

Name: C:\Program Files\Common Files\LightScribe\LSSrvc.exe
PID: 1456
Hidden: No
Window Visible: No

Name: C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
PID: 1516
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\lxdecoms.exe
PID: 1612
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\LxrSII1s.exe
PID: 1636
Hidden: No
Window Visible: No

Name: C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
PID: 1656
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\nvsvc32.exe
PID: 1692
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\PnkBstrA.exe
PID: 1712
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 1752
Hidden: No
Window Visible: No

Name: C:\WINDOWS\explorer.exe
PID: 1316
Hidden: No
Window Visible: No

Name: C:\Program Files\Logitech\QuickCam\Quickcam.exe
PID: 1684
Hidden: No
Window Visible: No

Name: C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
PID: 1680
Hidden: No
Window Visible: No

Name: C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
PID: 1944
Hidden: No
Window Visible: No

Name: C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
PID: 1544
Hidden: No
Window Visible: No

Name: C:\WINDOWS\RTHDCPL.exe
PID: 2116
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\rundll32.exe
PID: 2196
Hidden: No
Window Visible: No

Name: C:\Program Files\DAEMON Tools Lite\daemon.exe
PID: 2212
Hidden: No
Window Visible: No

Name: C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
PID: 2224
Hidden: No
Window Visible: No

Name: C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
PID: 2276
Hidden: No
Window Visible: No

Name: C:\Program Files\Yahoo!\Messenger\Ymsgr_tray.exe
PID: 2500
Hidden: No
Window Visible: No

Name: C:\Program Files\Common Files\LogiShrd\LQCVFX\COCIManager.exe
PID: 2876
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\wuauclt.exe
PID: 3364
Hidden: No
Window Visible: No

Name: C:\Program Files\Mozilla Firefox\firefox.exe
PID: 3780
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\ctfmon.exe
PID: 3588
Hidden: No
Window Visible: No

Name: C:\Documents and Settings\tammy\Desktop\SysProt\SysProt\SysProt.exe
PID: 2684
Hidden: No
Window Visible: Yes

******************************************************************************************
******************************************************************************************
Kernel Modules:
Module Name: \??\C:\Documents and Settings\tammy\Desktop\SysProt\SysProt\SysProtDrv.sys
Service Name: SysProtDrv.sys
Module Base: BA0E8000
Module End: BA0F3000
Hidden: No

Module Name: \WINDOWS\system32\ntkrnlpa.exe
Service Name: ---
Module Base: 804D7000
Module End: 806E2000
Hidden: No

Module Name: \WINDOWS\system32\hal.dll
Service Name: ---
Module Base: 806E2000
Module End: 80702D00
Hidden: No

Module Name: \WINDOWS\system32\KDCOM.DLL
Service Name: ---
Module Base: F7B86000
Module End: F7B88000
Hidden: No

Module Name: \WINDOWS\system32\BOOTVID.dll
Service Name: ---
Module Base: F7A96000
Module End: F7A99000
Hidden: No

Module Name: spkw.sys
Service Name: ---
Module Base: F7485000
Module End: F7585000
Hidden: Yes

Module Name: \WINDOWS\System32\Drivers\WMILIB.SYS
Service Name: ---
Module Base: F7B88000
Module End: F7B8A000
Hidden: No

Module Name: \WINDOWS\System32\Drivers\SCSIPORT.SYS
Service Name: ---
Module Base: F746D000
Module End: F7485000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\ACPI.sys
Service Name: ACPI
Module Base: F743F000
Module End: F746D000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\pci.sys
Service Name: PCI
Module Base: F742E000
Module End: F743F000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\ohci1394.sys
Service Name: ohci1394
Module Base: F7686000
Module End: F7695000
Hidden: No

Module Name: \WINDOWS\system32\DRIVERS\1394BUS.SYS
Service Name: ---
Module Base: F7696000
Module End: F76A3000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\isapnp.sys
Service Name: isapnp
Module Base: F76A6000
Module End: F76AF000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\pciide.sys
Service Name: PCIIde
Module Base: F7C4E000
Module End: F7C4F000
Hidden: No

Module Name: \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
Service Name: ---
Module Base: F7906000
Module End: F790D000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\MountMgr.sys
Service Name: MountMgr
Module Base: F76B6000
Module End: F76C1000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\ftdisk.sys
Service Name: Disk
Module Base: F740F000
Module End: F742E000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\dmload.sys
Service Name: dmload
Module Base: F7B8A000
Module End: F7B8C000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\dmio.sys
Service Name: dmio
Module Base: F73E9000
Module End: F740F000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\PartMgr.sys
Service Name: PartMgr
Module Base: F790E000
Module End: F7913000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\VolSnap.sys
Service Name: VolSnap
Module Base: F76C6000
Module End: F76D3000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\atapi.sys
Service Name: atapi
Module Base: F73D1000
Module End: F73E9000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\ahcix86.sys
Service Name: ahcix86
Module Base: F7390000
Module End: F73D1000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\disk.sys
Service Name: ---
Module Base: F76D6000
Module End: F76DF000
Hidden: No

Module Name: \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
Service Name: ---
Module Base: F76E6000
Module End: F76F3000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\fltMgr.sys
Service Name: FltMgr
Module Base: F7370000
Module End: F7390000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\sr.sys
Service Name: sr
Module Base: F735E000
Module End: F7370000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\KSecDD.sys
Service Name: KSecDD
Module Base: F7347000
Module End: F735E000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\WudfPf.sys
Service Name: WudfPf
Module Base: F7334000
Module End: F7347000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\Ntfs.sys
Service Name: Ntfs
Module Base: F72A7000
Module End: F7334000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\NDIS.sys
Service Name: NDIS
Module Base: F727A000
Module End: F72A7000
Hidden: No

Module Name: C:\WINDOWS\system32\speedfan.sys
Service Name: speedfan
Module Base: F7B8C000
Module End: F7B8E000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\sbp2port.sys
Service Name: sbp2port
Module Base: F76F6000
Module End: F7701000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\Mup.sys
Service Name: Mup
Module Base: F725F000
Module End: F727A000
Hidden: No

Module Name: C:\WINDOWS\system32\giveio.sys
Service Name: giveio
Module Base: F7C4F000
Module End: F7C50000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\AmdK8.sys
Service Name: AmdK8
Module Base: F7776000
Module End: F7784000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
Service Name: WmiAcpi
Module Base: F722F000
Module End: F7232000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
Service Name: nv
Module Base: F2416000
Module End: F2B2E000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS
Service Name: ---
Module Base: F2402000
Module End: F2416000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\imapi.sys
Service Name: Imapi
Module Base: F7786000
Module End: F7791000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\AFS2K.SYS
Service Name: AFS2K
Module Base: F7796000
Module End: F779F000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Service Name: Cdrom
Module Base: F77A6000
Module End: F77B6000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\redbook.sys
Service Name: redbook
Module Base: F77B6000
Module End: F77C5000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ks.sys
Service Name: ---
Module Base: F23DF000
Module End: F2402000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys
Service Name: GEARAspiWDM
Module Base: F79EE000
Module End: F79F5000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\usbohci.sys
Service Name: usbohci
Module Base: F79F6000
Module End: F79FB000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\USBPORT.SYS
Service Name: ---
Module Base: F23BC000
Module End: F23DF000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\usbehci.sys
Service Name: usbehci
Module Base: F79FE000
Module End: F7A05000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
Service Name: HDAudBus
Module Base: F2397000
Module End: F23BC000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\nic1394.sys
Service Name: NIC1394
Module Base: F77C6000
Module End: F77D6000
Hidden: No

Module Name: \SystemRoot\System32\Drivers\a5hmtj83.SYS
Service Name: ---
Module Base: F2360000
Module End: F2397000
Hidden: Yes

Module Name: C:\WINDOWS\system32\DRIVERS\serial.sys
Service Name: Serial
Module Base: F77D6000
Module End: F77E6000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\serenum.sys
Service Name: serenum
Module Base: F7217000
Module End: F721B000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\parport.sys
Service Name: Parport
Module Base: F234C000
Module End: F2360000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\i8042prt.sys
Service Name: i8042prt
Module Base: F77E6000
Module End: F77F3000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\kbdclass.sys
Service Name: Kbdclass
Module Base: F7A6E000
Module End: F7A74000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\audstub.sys
Service Name: audstub
Module Base: F7CBE000
Module End: F7CBF000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
Service Name: Rasl2tp
Module Base: F7846000
Module End: F7853000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ndistapi.sys
Service Name: NdisTapi
Module Base: F2FA5000
Module End: F2FA8000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ndiswan.sys
Service Name: NdisWan
Module Base: F2335000
Module End: F234C000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\raspppoe.sys
Service Name: RasPppoe
Module Base: F7856000
Module End: F7861000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\raspptp.sys
Service Name: PptpMiniport
Module Base: F7866000
Module End: F7872000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\TDI.SYS
Service Name: ---
Module Base: F7A7E000
Module End: F7A83000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\psched.sys
Service Name: PSched
Module Base: F2324000
Module End: F2335000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\msgpc.sys
Service Name: Gpc
Module Base: F7876000
Module End: F787F000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ptilink.sys
Service Name: Ptilink
Module Base: F7A86000
Module End: F7A8B000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\raspti.sys
Service Name: Raspti
Module Base: F7A8E000
Module End: F7A93000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\rdpdr.sys
Service Name: rdpdr
Module Base: F22F3000
Module End: F2324000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\termdd.sys
Service Name: TermDD
Module Base: F7886000
Module End: F7890000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\mouclass.sys
Service Name: Mouclass
Module Base: F791E000
Module End: F7924000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\swenum.sys
Service Name: swenum
Module Base: F7BE0000
Module End: F7BE2000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\update.sys
Service Name: Update
Module Base: F22BF000
Module End: F22F3000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\mssmbios.sys
Service Name: mssmbios
Module Base: F2F89000
Module End: F2F8D000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\NDProxy.SYS
Service Name: NDProxy
Module Base: F7896000
Module End: F78A0000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\usbhub.sys
Service Name: usbhub
Module Base: F78A6000
Module End: F78B5000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\USBD.SYS
Service Name: ---
Module Base: F7BE4000
Module End: F7BE6000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\RtkHDAud.sys
Service Name: IntcAzAudAddService
Module Base: EF5C5000
Module End: EFA74000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\portcls.sys
Service Name: ---
Module Base: EF5A3000
Module End: EF5C5000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\drmk.sys
Service Name: ---
Module Base: F78C6000
Module End: F78D5000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\flpydisk.sys
Service Name: Flpydisk
Module Base: F79B6000
Module End: F79BB000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Fs_Rec.SYS
Service Name: Fs_Rec
Module Base: F7BF6000
Module End: F7BF8000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Null.SYS
Service Name: Null
Module Base: F7D1F000
Module End: F7D20000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Beep.SYS
Service Name: Beep
Module Base: F7BF8000
Module End: F7BFA000
Hidden: No

Module Name: C:\WINDOWS\System32\drivers\vga.sys
Service Name: VgaSave
Module Base: F79C6000
Module End: F79CC000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\mnmdd.SYS
Service Name: mnmdd
Module Base: F7BFA000
Module End: F7BFC000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\RDPCDD.sys
Service Name: RDPCDD
Module Base: F7BFC000
Module End: F7BFE000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Msfs.SYS
Service Name: Msfs
Module Base: F79CE000
Module End: F79D3000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Npfs.SYS
Service Name: Npfs
Module Base: F79D6000
Module End: F79DE000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\rasacd.sys
Service Name: RasAcd
Module Base: F7B32000
Module End: F7B35000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ipsec.sys
Service Name: IPSec
Module Base: EF3F4000
Module End: EF407000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\tcpip.sys
Service Name: Tcpip
Module Base: EF39C000
Module End: EF3F4000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\netbt.sys
Service Name: NetBT
Module Base: EF374000
Module End: EF39C000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ipnat.sys
Service Name: IpNat
Module Base: EF353000
Module End: EF374000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\wanarp.sys
Service Name: Wanarp
Module Base: F2B2E000
Module End: F2B37000
Hidden: No

Module Name: C:\WINDOWS\System32\drivers\afd.sys
Service Name: AFD
Module Base: EF331000
Module End: EF353000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\netbios.sys
Service Name: NetBIOS
Module Base: F7736000
Module End: F773F000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\arp1394.sys
Service Name: Arp1394
Module Base: F7756000
Module End: F7765000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\rdbss.sys
Service Name: Rdbss
Module Base: EF306000
Module End: EF331000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
Service Name: MRxSmb
Module Base: EF297000
Module End: EF306000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Fips.SYS
Service Name: Fips
Module Base: F7766000
Module End: F776F000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\hidusb.sys
Service Name: hidusb
Module Base: EFA84000
Module End: EFA87000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS
Service Name: ---
Module Base: F77F6000
Module End: F77FF000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS
Service Name: ---
Module Base: F79E6000
Module End: F79ED000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\usbccgp.sys
Service Name: usbccgp
Module Base: F7A06000
Module End: F7A0E000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\mouhid.sys
Service Name: mouhid
Module Base: EFA80000
Module End: EFA83000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\LVUSBSta.sys
Service Name: LVUSBSta
Module Base: F7806000
Module End: F780F000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\usbscan.sys
Service Name: usbscan
Module Base: EFA7C000
Module End: EFA80000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\usbprint.sys
Service Name: usbprint
Module Base: F7A0E000
Module End: F7A15000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
Service Name: USBSTOR
Module Base: F7A16000
Module End: F7A1D000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Cdfs.SYS
Service Name: Cdfs
Module Base: EF539000
Module End: EF549000
Hidden: No

Module Name: \SystemRoot\System32\Drivers\dump_atapi.sys
Service Name: ---
Module Base: EF257000
Module End: EF26F000
Hidden: Yes

Module Name: \SystemRoot\System32\Drivers\dump_WMILIB.SYS
Service Name: ---
Module Base: F7C2C000
Module End: F7C2E000
Hidden: Yes

Module Name: C:\WINDOWS\System32\drivers\Dxapi.sys
Service Name: ---
Module Base: F22B3000
Module End: F22B6000
Hidden: No

Module Name: C:\WINDOWS\System32\watchdog.sys
Service Name: ---
Module Base: F7A76000
Module End: F7A7B000
Hidden: No

Module Name: C:\WINDOWS\System32\drivers\dxgthk.sys
Service Name: ---
Module Base: F7D77000
Module End: F7D78000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ndisuio.sys
Service Name: Ndisuio
Module Base: BA6DC000
Module End: BA6E0000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\mrxdav.sys
Service Name: MRxDAV
Module Base: BA48C000
Module End: BA4B8000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\ParVdm.SYS
Service Name: ParVdm
Module Base: F7BD8000
Module End: F7BDA000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\srv.sys
Service Name: Srv
Module Base: BA322000
Module End: BA374000
Hidden: No

Module Name: \??\C:\WINDOWS\system32\Drivers\LxrSII1d.sys
Service Name: LxrSII1d
Module Base: BA248000
Module End: BA25A000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\LVPr2Mon.sys
Service Name: LVPr2Mon
Module Base: F7A3E000
Module End: F7A43000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\wdmaud.sys
Service Name: wdmaud
Module Base: BA003000
Module End: BA018000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\sysaudio.sys
Service Name: sysaudio
Module Base: BA510000
Module End: BA51F000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\HTTP.sys
Service Name: HTTP
Module Base: B9982000
Module End: B99C3000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\Rtenicxp.sys
Service Name: RTLE8023xp
Module Base: B9850000
Module End: B986A000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Fastfat.SYS
Service Name: Fastfat
Module Base: B8600000
Module End: B8623000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\fdc.sys
Service Name: Fdc
Module Base: F7A66000
Module End: F7A6D000
Hidden: No

******************************************************************************************
******************************************************************************************
SSDT:
Function Name: ZwCreateKey
Address: F74860E0
Driver Base: F7485000
Driver End: F7585000
Driver Name: spkw.sys

Function Name: ZwEnumerateKey
Address: F74A4CA2
Driver Base: F7485000
Driver End: F7585000
Driver Name: spkw.sys

Function Name: ZwEnumerateValueKey
Address: F74A5030
Driver Base: F7485000
Driver End: F7585000
Driver Name: spkw.sys

Function Name: ZwOpenKey
Address: F74860C0
Driver Base: F7485000
Driver End: F7585000
Driver Name: spkw.sys

Function Name: ZwQueryKey
Address: F74A5108
Driver Base: F7485000
Driver End: F7585000
Driver Name: spkw.sys

Function Name: ZwQueryValueKey
Address: F74A4F88
Driver Base: F7485000
Driver End: F7585000
Driver Name: spkw.sys

Function Name: ZwSetValueKey
Address: F74A519A
Driver Base: F7485000
Driver End: F7585000
Driver Name: spkw.sys

******************************************************************************************
******************************************************************************************
No Kernel Hooks found

******************************************************************************************
******************************************************************************************
IRP Hooks:
Hooked Module: \Driver\PCI_PNP0526
Hooked IRP: IRP_MJ_CREATE
Jump To: F74C9B1C
Hooking Module: spkw.sys

Hooked Module: \Driver\PCI_PNP0526
Hooked IRP: IRP_MJ_CREATE_NAMED_PIPE
Jump To: F74C9B1C
Hooking Module: spkw.sys

Hooked Module: \Driver\PCI_PNP0526
Hooked IRP: IRP_MJ_CLOSE
Jump To: F74C9B1C
Hooking Module: spkw.sys

Hooked Module: \Driver\PCI_PNP0526
Hooked IRP: IRP_MJ_READ
Jump To: F74C9B1C
Hooking Module: spkw.sys

Hooked Module: \Driver\PCI_PNP0526
Hooked IRP: IRP_MJ_WRITE
Jump To: F74C9B1C
Hooking Module: spkw.sys

Hooked Module: \Driver\PCI_PNP0526
Hooked IRP: IRP_MJ_QUERY_INFORMATION
Jump To: F74C9B1C
Hooking Module: spkw.sys

Hooked Module: \Driver\PCI_PNP0526
Hooked IRP: IRP_MJ_SET_INFORMATION
Jump To: F74C9B1C
Hooking Module: spkw.sys

Hooked Module: \Driver\PCI_PNP0526
Hooked IRP: IRP_MJ_QUERY_EA
Jump To: F74C9B1C
Hooking Module: spkw.sys

Hooked Module: \Driver\PCI_PNP0526
Hooked IRP: IRP_MJ_SET_EA
Jump To: F74C9B1C
Hooking Module: spkw.sys

Hooked Module: \Driver\PCI_PNP0526
Hooked IRP: IRP_MJ_FLUSH_BUFFERS
Jump To: F74C9B1C
Hooking Module: spkw.sys

Hooked Module: \Driver\PCI_PNP0526
Hooked IRP: IRP_MJ_QUERY_VOLUME_INFORMATION
Jump To: F74C9B1C
Hooking Module: spkw.sys

Hooked Module: \Driver\PCI_PNP0526
Hooked IRP: IRP_MJ_SET_VOLUME_INFORMATION
Jump To: F74C9B1C
Hooking Module: spkw.sys

Hooked Module: \Driver\PCI_PNP0526
Hooked IRP: IRP_MJ_DIRECTORY_CONTROL
Jump To: F74C9B1C
Hooking Module: spkw.sys

Hooked Module: \Driver\PCI_PNP0526
Hooked IRP: IRP_MJ_FILE_SYSTEM_CONTROL
Jump To: F74C9B1C
Hooking Module: spkw.sys

Hooked Module: \Driver\PCI_PNP0526
Hooked IRP: IRP_MJ_DEVICE_CONTROL
Jump To: F74C9B1C
Hooking Module: spkw.sys

Hooked Module: \Driver\PCI_PNP0526
Hooked IRP: IRP_MJ_INTERNAL_DEVICE_CONTROL
Jump To: F74C9B1C
Hooking Module: spkw.sys

Hooked Module: \Driver\PCI_PNP0526
Hooked IRP: IRP_MJ_SHUTDOWN
Jump To: F74C9B1C
Hooking Module: spkw.sys

Hooked Module: \Driver\PCI_PNP0526
Hooked IRP: IRP_MJ_LOCK_CONTROL
Jump To: F74C9B1C
Hooking Module: spkw.sys

Hooked Module: \Driver\PCI_PNP0526
Hooked IRP: IRP_MJ_CLEANUP
Jump To: F74C9B1C
Hooking Module: spkw.sys

Hooked Module: \Driver\PCI_PNP0526
Hooked IRP: IRP_MJ_CREATE_MAILSLOT
Jump To: F74C9B1C
Hooking Module: spkw.sys

Hooked Module: \Driver\PCI_PNP0526
Hooked IRP: IRP_MJ_QUERY_SECURITY
Jump To: F74C9B1C
Hooking Module: spkw.sys

Hooked Module: \Driver\PCI_PNP0526
Hooked IRP: IRP_MJ_SET_SECURITY
Jump To: F74C9B1C
Hooking Module: spkw.sys

Hooked Module: \Driver\PCI_PNP0526
Hooked IRP: IRP_MJ_POWER
Jump To: F748DE1C
Hooking Module: spkw.sys

Hooked Module: \Driver\PCI_PNP0526
Hooked IRP: IRP_MJ_SYSTEM_CONTROL
Jump To: F74A2514
Hooking Module: spkw.sys

Hooked Module: \Driver\PCI_PNP0526
Hooked IRP: IRP_MJ_DEVICE_CHANGE
Jump To: F74C9B1C
Hooking Module: spkw.sys

Hooked Module: \Driver\PCI_PNP0526
Hooked IRP: IRP_MJ_QUERY_QUOTA
Jump To: F74C9B1C
Hooking Module: spkw.sys

Hooked Module: \Driver\PCI_PNP0526
Hooked IRP: IRP_MJ_SET_QUOTA
Jump To: F74C9B1C
Hooking Module: spkw.sys

Hooked Module: C:\WINDOWS\system32\drivers\atapi.sys
Hooked IRP: IRP_MJ_CREATE
Jump To: 86F671F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\atapi.sys
Hooked IRP: IRP_MJ_CLOSE
Jump To: 86F671F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\atapi.sys
Hooked IRP: IRP_MJ_DEVICE_CONTROL
Jump To: 86F671F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\atapi.sys
Hooked IRP: IRP_MJ_INTERNAL_DEVICE_CONTROL
Jump To: 86F671F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\atapi.sys
Hooked IRP: IRP_MJ_POWER
Jump To: 86F671F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\atapi.sys
Hooked IRP: IRP_MJ_SYSTEM_CONTROL
Jump To: 86F671F8
Hooking Module: _unknown_

Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_CREATE
Jump To: F7486000
Hooking Module: spkw.sys

Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_CREATE_NAMED_PIPE
Jump To: F7486000
Hooking Module: spkw.sys

Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_CLOSE
Jump To: F7486000
Hooking Module: spkw.sys

Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_READ
Jump To: F7486000
Hooking Module: spkw.sys

Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_WRITE
Jump To: F7486000
Hooking Module: spkw.sys

Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_QUERY_INFORMATION
Jump To: F7486000
Hooking Module: spkw.sys

Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_SET_INFORMATION
Jump To: F7486000
Hooking Module: spkw.sys

Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_QUERY_EA
Jump To: F7486000
Hooking Module: spkw.sys

Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_SET_EA
Jump To: F7486000
Hooking Module: spkw.sys

Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_FLUSH_BUFFERS
Jump To: F7486000
Hooking Module: spkw.sys

Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_QUERY_VOLUME_INFORMATION
Jump To: F7486000
Hooking Module: spkw.sys

Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_SET_VOLUME_INFORMATION
Jump To: F7486000
Hooking Module: spkw.sys

Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_DIRECTORY_CONTROL
Jump To: F7486000
Hooking Module: spkw.sys

Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_FILE_SYSTEM_CONTROL
Jump To: F7486000
Hooking Module: spkw.sys

Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_DEVICE_CONTROL
Jump To: F7486000
Hooking Module: spkw.sys

Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_INTERNAL_DEVICE_CONTROL
Jump To: F7486000
Hooking Module: spkw.sys

Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_SHUTDOWN
Jump To: F7486000
Hooking Module: spkw.sys

Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_LOCK_CONTROL
Jump To: F7486000
Hooking Module: spkw.sys

Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_CLEANUP
Jump To: F7486000
Hooking Module: spkw.sys

Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_CREATE_MAILSLOT
Jump To: F7486000
Hooking Module: spkw.sys

Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_QUERY_SECURITY
Jump To: F7486000
Hooking Module: spkw.sys

Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_SET_SECURITY
Jump To: F7486000
Hooking Module: spkw.sys

Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_POWER
Jump To: F7486000
Hooking Module: spkw.sys

Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_SYSTEM_CONTROL
Jump To: F7486000
Hooking Module: spkw.sys

Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_DEVICE_CHANGE
Jump To: F7486000
Hooking Module: spkw.sys

Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_QUERY_QUOTA
Jump To: F7486000
Hooking Module: spkw.sys

Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_SET_QUOTA
Jump To: F7486000
Hooking Module: spkw.sys

Hooked Module: C:\WINDOWS\system32\drivers\dmio.sys
Hooked IRP: IRP_MJ_CREATE
Jump To: 86FD81F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\dmio.sys
Hooked IRP: IRP_MJ_CLOSE
Jump To: 86FD81F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\dmio.sys
Hooked IRP: IRP_MJ_READ
Jump To: 86FD81F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\dmio.sys
Hooked IRP: IRP_MJ_WRITE
Jump To: 86FD81F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\dmio.sys
Hooked IRP: IRP_MJ_FLUSH_BUFFERS
Jump To: 86FD81F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\dmio.sys
Hooked IRP: IRP_MJ_DEVICE_CONTROL
Jump To: 86FD81F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\dmio.sys
Hooked IRP: IRP_MJ_INTERNAL_DEVICE_CONTROL
Jump To: 86FD81F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\dmio.sys
Hooked IRP: IRP_MJ_SHUTDOWN
Jump To: 86FD81F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\dmio.sys
Hooked IRP: IRP_MJ_POWER
Jump To: 86FD81F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\dmio.sys
Hooked IRP: IRP_MJ_SYSTEM_CONTROL
Jump To: 86FD81F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
Hooked IRP: IRP_MJ_CREATE
Jump To: 861F51F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
Hooked IRP: IRP_MJ_CLOSE
Jump To: 861F51F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
Hooked IRP: IRP_MJ_READ
Jump To: 861F51F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
Hooked IRP: IRP_MJ_WRITE
Jump To: 861F51F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
Hooked IRP: IRP_MJ_DEVICE_CONTROL
Jump To: 861F51F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
Hooked IRP: IRP_MJ_INTERNAL_DEVICE_CONTROL
Jump To: 861F51F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
Hooked IRP: IRP_MJ_POWER
Jump To: 861F51F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
Hooked IRP: IRP_MJ_SYSTEM_CONTROL
Jump To: 861F51F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\usbohci.sys
Hooked IRP: IRP_MJ_CREATE
Jump To: 868AE500
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\usbohci.sys
Hooked IRP: IRP_MJ_CLOSE
Jump To: 868AE500
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\usbohci.sys
Hooked IRP: IRP_MJ_DEVICE_CONTROL
Jump To: 868AE500
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\usbohci.sys
Hooked IRP: IRP_MJ_INTERNAL_DEVICE_CONTROL
Jump To: 868AE500
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\usbohci.sys
Hooked IRP: IRP_MJ_POWER
Jump To: 868AE500
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\usbohci.sys
Hooked IRP: IRP_MJ_SYSTEM_CONTROL
Jump To: 868AE500
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\ftdisk.sys
Hooked IRP: IRP_MJ_CREATE
Jump To: 86F681F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\ftdisk.sys
Hooked IRP: IRP_MJ_READ
Jump To: 86F681F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\ftdisk.sys
Hooked IRP: IRP_MJ_WRITE
Jump To: 86F681F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\ftdisk.sys
Hooked IRP: IRP_MJ_FLUSH_BUFFERS
Jump To: 86F681F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\ftdisk.sys
Hooked IRP: IRP_MJ_DEVICE_CONTROL
Jump To: 86F681F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\ftdisk.sys
Hooked IRP: IRP_MJ_INTERNAL_DEVICE_CONTROL
Jump To: 86F681F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\ftdisk.sys
Hooked IRP: IRP_MJ_SHUTDOWN
Jump To: 86F681F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\ftdisk.sys
Hooked IRP: IRP_MJ_CLEANUP
Jump To: 86F681F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\ftdisk.sys
Hooked IRP: IRP_MJ_POWER
Jump To: 86F681F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\ftdisk.sys
Hooked IRP: IRP_MJ_SYSTEM_CONTROL
Jump To: 86F681F8
Hooking Module: _unknown_

Hooked Module: \SystemRoot\System32\Drivers\a5hmtj83.SYS
Hooked IRP: IRP_MJ_CREATE
Jump To: 868591F8
Hooking Module: _unknown_

Hooked Module: \SystemRoot\System32\Drivers\a5hmtj83.SYS
Hooked IRP: IRP_MJ_CLOSE
Jump To: 868591F8
Hooking Module: _unknown_

Hooked Module: \SystemRoot\System32\Drivers\a5hmtj83.SYS
Hooked IRP: IRP_MJ_DEVICE_CONTROL
Jump To: 868591F8
Hooking Module: _unknown_

Hooked Module: \SystemRoot\System32\Drivers\a5hmtj83.SYS
Hooked IRP: IRP_MJ_INTERNAL_DEVICE_CONTROL
Jump To: 868591F8
Hooking Module: _unknown_

Hooked Module: \SystemRoot\System32\Drivers\a5hmtj83.SYS
Hooked IRP: IRP_MJ_POWER
Jump To: 868591F8
Hooking Module: _unknown_

Hooked Module: \SystemRoot\System32\Drivers\a5hmtj83.SYS
Hooked IRP: IRP_MJ_SYSTEM_CONTROL
Jump To: 868591F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\netbt.sys
Hooked IRP: IRP_MJ_CREATE
Jump To: 86851500
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\netbt.sys
Hooked IRP: IRP_MJ_CLOSE
Jump To: 86851500
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\netbt.sys
Hooked IRP: IRP_MJ_DEVICE_CONTROL
Jump To: 86851500
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\netbt.sys
Hooked IRP: IRP_MJ_INTERNAL_DEVICE_CONTROL
Jump To: 86851500
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\netbt.sys
Hooked IRP: IRP_MJ_CLEANUP
Jump To: 86851500
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Hooked IRP: IRP_MJ_CREATE
Jump To: 868B9500
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Hooked IRP: IRP_MJ_CLOSE
Jump To: 868B9500
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Hooked IRP: IRP_MJ_READ
Jump To: 868B9500
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Hooked IRP: IRP_MJ_WRITE
Jump To: 868B9500
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Hooked IRP: IRP_MJ_FLUSH_BUFFERS
Jump To: 868B9500
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Hooked IRP: IRP_MJ_DEVICE_CONTROL
Jump To: 868B9500
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Hooked IRP: IRP_MJ_INTERNAL_DEVICE_CONTROL
Jump To: 868B9500
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Hooked IRP: IRP_MJ_SHUTDOWN
Jump To: 868B9500
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Hooked IRP: IRP_MJ_POWER
Jump To: 868B9500
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Hooked IRP: IRP_MJ_SYSTEM_CONTROL
Jump To: 868B9500
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\usbehci.sys
Hooked IRP: IRP_MJ_CREATE
Jump To: 86896500
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\usbehci.sys
Hooked IRP: IRP_MJ_CLOSE
Jump To: 86896500
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\usbehci.sys
Hooked IRP: IRP_MJ_DEVICE_CONTROL
Jump To: 86896500
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\usbehci.sys
Hooked IRP: IRP_MJ_INTERNAL_DEVICE_CONTROL
Jump To: 86896500
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\usbehci.sys
Hooked IRP: IRP_MJ_POWER
Jump To: 86896500
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\usbehci.sys
Hooked IRP: IRP_MJ_SYSTEM_CONTROL
Jump To: 86896500
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\sbp2port.sys
Hooked IRP: IRP_MJ_CREATE
Jump To: 86F651F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\sbp2port.sys
Hooked IRP: IRP_MJ_CLOSE
Jump To: 86F651F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\sbp2port.sys
Hooked IRP: IRP_MJ_DEVICE_CONTROL
Jump To: 86F651F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\sbp2port.sys
Hooked IRP: IRP_MJ_INTERNAL_DEVICE_CONTROL
Jump To: 86F651F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\sbp2port.sys
Hooked IRP: IRP_MJ_POWER
Jump To: 86F651F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\sbp2port.sys
Hooked IRP: IRP_MJ_SYSTEM_CONTROL
Jump To: 86F651F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\ahcix86.sys
Hooked IRP: IRP_MJ_CREATE
Jump To: 86FD71F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\ahcix86.sys
Hooked IRP: IRP_MJ_CLOSE
Jump To: 86FD71F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\ahcix86.sys
Hooked IRP: IRP_MJ_DEVICE_CONTROL
Jump To: 86FD71F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\ahcix86.sys
Hooked IRP: IRP_MJ_INTERNAL_DEVICE_CONTROL
Jump To: 86FD71F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\ahcix86.sys
Hooked IRP: IRP_MJ_POWER
Jump To: 86FD71F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\ahcix86.sys
Hooked IRP: IRP_MJ_SYSTEM_CONTROL
Jump To: 86FD71F8
Hooking Module: _unknown_

******************************************************************************************
******************************************************************************************
Ports:
Local Address: GATEWAY:NETBIOS-SSN
Remote Address: 0.0.0.0:0
Type: TCP
Process: System
State: LISTENING

Local Address: GATEWAY:5354
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\Bonjour\mDNSResponder.exe
State: LISTENING

Local Address: GATEWAY:1756
Remote Address: LOCALHOST:1755
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: GATEWAY:1755
Remote Address: LOCALHOST:1756
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: GATEWAY:1754
Remote Address: LOCALHOST:1753
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: GATEWAY:1753
Remote Address: LOCALHOST:1754
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: GATEWAY:10005
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\WINDOWS\system32\lxdecoms.exe
State: LISTENING

Local Address: GATEWAY:MICROSOFT-DS
Remote Address: 0.0.0.0:0
Type: TCP
Process: System
State: LISTENING

Local Address: GATEWAY:EPMAP
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\WINDOWS\system32\svchost.exe
State: LISTENING

Local Address: GATEWAY:5353
Remote Address: NA
Type: UDP
Process: C:\Program Files\Bonjour\mDNSResponder.exe
State: NA

Local Address: GATEWAY:1900
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA

Local Address: GATEWAY:138
Remote Address: NA
Type: UDP
Process: System
State: NA

Local Address: GATEWAY:NETBIOS-NS
Remote Address: NA
Type: UDP
Process: System
State: NA

Local Address: GATEWAY:123
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA

Local Address: GATEWAY:44301
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\PnkBstrA.exe
State: NA

Local Address: GATEWAY:1900
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA

Local Address: GATEWAY:123
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA

Local Address: GATEWAY:4500
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\lsass.exe
State: NA

Local Address: GATEWAY:1025
Remote Address: NA
Type: UDP
Process: C:\Program Files\Bonjour\mDNSResponder.exe
State: NA

Local Address: GATEWAY:500
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\lsass.exe
State: NA

Local Address: GATEWAY:MICROSOFT-DS
Remote Address: NA
Type: UDP
Process: System
State: NA

******************************************************************************************
******************************************************************************************
No hidden files/folders found

#20 azarl (GeekU Teacher, GeekU Moderator, 20,747 posts)
Hi

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :filefind
    a5hmtj83.SYS
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
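The GMER "Hooked Module" listing earlier in the thread and the SystemLook `:filefind` step in this post ask the same question from two sides: which drivers have their IRP dispatch entries patched, and does the image of such a driver actually exist on disk. The script below is an added example, not part of the thread and not code from GMER or SystemLook. It parses GMER's blank-line-separated `Key: Value` record format, groups hooks by the hooked driver, and reports any hooked driver whose image basename is absent from a set of files known to be on disk. Both the log excerpt (`SAMPLE_LOG`) and the on-disk file set (`FILES_ON_DISK`) are constructed for the example and modelled on the thread's log; `_unknown_` as the hooking module is common for layered device stacks and is not treated as a finding by itself.

```python
"""Triage helpers for the record-style sections of a GMER log.

GMER prints its IRP-hook section as blank-line-separated records of
"Key: Value" lines. This parses them, groups hooks by the driver whose
dispatch table was patched, and checks each hooked driver's image name
against a set of files known to be on disk, the same question a
SystemLook :filefind answers. All sample data below is constructed.
"""
import re
from collections import defaultdict

# Constructed excerpt in GMER's record format (not the thread's full log).
SAMPLE_LOG = """\
Hooked Module: \\Driver\\sptd
Hooked IRP: IRP_MJ_CREATE
Jump To: F7486000
Hooking Module: spkw.sys

Hooked Module: \\Driver\\sptd
Hooked IRP: IRP_MJ_READ
Jump To: F7486000
Hooking Module: spkw.sys

Hooked Module: C:\\WINDOWS\\system32\\drivers\\dmio.sys
Hooked IRP: IRP_MJ_CREATE
Jump To: 86FD81F8
Hooking Module: _unknown_

Hooked Module: \\SystemRoot\\System32\\Drivers\\a5hmtj83.SYS
Hooked IRP: IRP_MJ_CREATE
Jump To: 868591F8
Hooking Module: _unknown_

Hooked Module: \\SystemRoot\\System32\\Drivers\\a5hmtj83.SYS
Hooked IRP: IRP_MJ_DEVICE_CONTROL
Jump To: 868591F8
Hooking Module: _unknown_
"""

# Constructed stand-in for a listing of the drivers directory (lower-cased
# basenames); in practice this comes from a :filefind or a directory walk.
FILES_ON_DISK = {"sptd.sys", "dmio.sys", "ftdisk.sys", "usbstor.sys"}


def parse_records(text):
    """Split a GMER section into dicts, one per blank-line-separated record."""
    records = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in chunk.splitlines():
            key, sep, value = line.partition(":")  # first colon only
            if sep:
                rec[key.strip()] = value.strip()
        if rec:
            records.append(rec)
    return records


def group_hooks(records):
    """Map each hooked driver to its hooking modules, jump targets and IRPs."""
    hooks = defaultdict(lambda: {"by": set(), "jump": set(), "irps": []})
    for rec in records:
        if "Hooked IRP" not in rec:
            continue
        entry = hooks[rec["Hooked Module"]]
        entry["by"].add(rec["Hooking Module"])
        entry["jump"].add(rec["Jump To"])
        entry["irps"].append(rec["Hooked IRP"])
    return hooks


def image_basename(module):
    """Lower-cased image basename; a \\Driver\\name object name gets .sys."""
    name = module.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if module.lower().startswith("\\driver\\"):
        name += ".sys"
    return name


def hooked_drivers_missing_on_disk(records, files_on_disk):
    """Hooked driver paths whose image basename is not in files_on_disk."""
    hooks = group_hooks(records)
    return sorted(m for m in hooks if image_basename(m) not in files_on_disk)


def hook_summary(records):
    """One line per hooked driver: IRP count, jump target(s), hooking module(s)."""
    lines = []
    for module, e in sorted(group_hooks(records).items()):
        lines.append(f"{module}: {len(e['irps'])} IRP(s) -> "
                     f"{', '.join(sorted(e['jump']))} via {', '.join(sorted(e['by']))}")
    return lines


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    for line in hook_summary(recs):
        print(line)
    for module in hooked_drivers_missing_on_disk(recs, FILES_ON_DISK):
        print("hooked driver image not found on disk:", module)
```

Run against the constructed sample, the only driver reported as missing is the randomly named `a5hmtj83.SYS`, which matches the "No files found." result the SystemLook run in this thread produced for that name.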

#21 rklamer (Member, 33 posts)
SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 20:24 on 23/01/2010 by tammy (Administrator - Elevation successful)

========== filefind ==========

Searching for "a5hmtj83.SYS"
No files found.

-=End Of File=-

#22 azarl (GeekU Teacher, GeekU Moderator, 20,747 posts)
AVZ

Download avz4.zip from HERE
  • Unzip it to your desktop to a folder named avz4
  • Double click on AVZ.exe to run it.
  • Run an update by clicking the Auto Update button on the Right of the Log window: Posted Image
  • Click Start to begin the update
Note: If you receive an error message, choose a different source, then click Start again

  • Start AVZ.
  • Choose from the menu "File" => "Standard scripts" and mark the "Advanced System Analysis with malware removal mode enabled" check box.
    Posted Image
  • Click on the "Execute selected scripts".
  • Automatic scanning, healing and system check will be executed.
  • A logfile (avz_sysinfo.htm) will be created and saved in the LOG folder in the AVZ directory as virusinfo_syscure.zip.
  • It is necessary to reboot your machine, because AVZ might disturb some program operations (like antiviruses and firewall) during the system scan.
  • All applications will work properly after the system restart.

When restarted

  • Start AVZ.
  • Choose from the menu "File" => "Standard scripts" and mark the "Advanced System Analysis" check box.
    Posted Image
  • Click on the "Execute selected scripts".
  • A system check will be automatically performed, and the created logfile (avz_sysinfo.htm) will be saved in the LOG folder in the AVZ directory as virusinfo_syscheck.zip.

Attach both virusinfo_syscure.zip and virusinfo_syscheck.zip to your next post

To attach a file, do the following:
  • Click Add Reply
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on Posted Image to insert the attachment into your post


#23 rklamer (Member, 33 posts)
Hi,

Attached are the files. Thanks!


#24 azarl (GeekU Teacher, GeekU Moderator, 20,747 posts)
Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :filefind
    splf.sys
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

#25 rklamer (Member, 33 posts)
Hi,

Here's the result.

Thanks.

SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 13:12 on 26/01/2010 by tammy (Administrator - Elevation successful)

========== filefind ==========

Searching for "splf.sys"
No files found.

-=End Of File=-

#26 azarl (GeekU Teacher, GeekU Moderator, 20,747 posts)
Hi

ComboFix Script
  • Close any open browsers.
  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text in the quotebox below into it:

Killall::

Driver::
PsSdk30

Registry::
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PsSdk30]

File::
c:\windows\system32\Drivers\PsSdk30.drv


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt which I need you to include in your next reply.

#27 rklamer (Member, 33 posts)
ComboFix 10-01-29.04 - tammy 01/29/2010 13:20:07.11.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1021.655 [GMT -7:00]
Running from: c:\documents and settings\tammy\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\tammy\Desktop\CFScript.txt

FILE ::
"c:\windows\system32\Drivers\PsSdk30.drv"
.
PEV Error: ProgramsFolder

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Fonts\MyriadPro-Regular.otf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_PSSDK30


((((((((((((((((((((((((( Files Created from 2009-12-28 to 2010-01-29 )))))))))))))))))))))))))))))))
.

2010-01-15 15:45 . 2010-01-15 15:45 -------- d-----w- c:\windows\system32\XPSViewer
2010-01-15 15:45 . 2010-01-15 15:45 -------- d-----w- c:\program files\Reference Assemblies
2010-01-15 15:44 . 2008-07-06 12:06 89088 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll
2010-01-15 15:44 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2010-01-15 15:44 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2010-01-15 15:44 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2010-01-15 15:44 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2010-01-15 15:44 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2010-01-15 15:44 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2010-01-15 15:44 . 2010-01-15 15:44 -------- d-----w- C:\17fa7fbb9aa743a2b4f61dd0f96e8747
2010-01-15 15:44 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2010-01-15 15:44 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2010-01-15 15:44 . 2010-01-15 16:09 -------- d-----w- c:\windows\SxsCaPendDel
2010-01-15 15:40 . 2010-01-15 15:40 -------- d-----w- c:\program files\MSXML 6.0
2010-01-14 05:21 . 2010-01-14 05:21 -------- d-----w- c:\windows\system32\KB905474
2010-01-14 05:21 . 2009-03-11 05:26 1403264 ----a-w- c:\windows\system32\KB905474\wganotifypackageinner.exe
2010-01-14 05:21 . 2009-03-11 05:18 453512 ----a-w- c:\windows\system32\KB905474\wgasetup.exe
2010-01-13 04:49 . 2010-01-13 04:49 -------- d-----w- c:\windows\ServicePackFiles
2010-01-11 22:18 . 2007-04-16 16:07 986112 ------w- C:\kernel32.dll
2010-01-07 22:35 . 2010-01-07 22:35 -------- d--h--w- c:\windows\PIF
2010-01-07 21:19 . 2010-01-07 21:19 -------- d-----w- c:\program files\ERUNT

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-21 22:37 . 2007-12-10 01:32 458216 ----a-w- c:\documents and settings\tammy\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-21 22:36 . 2009-02-21 05:29 -------- d-----w- c:\program files\The Print Shop 23
2010-01-21 21:35 . 2008-10-25 20:45 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-21 21:35 . 2010-01-07 21:27 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-01-21 19:27 . 2008-11-14 22:09 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-16 10:19 . 2007-12-10 01:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-01-16 10:11 . 2007-12-10 01:40 -------- d-----w- c:\program files\Microsoft Works
2010-01-15 15:45 . 2007-12-10 01:40 -------- d-----w- c:\program files\MSBuild
2010-01-11 02:43 . 2008-02-10 03:31 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-01-07 23:07 . 2008-10-25 20:45 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 23:07 . 2008-10-25 20:45 19160 -c--a-w- c:\windows\system32\drivers\mbam.sys
2010-01-05 10:00 . 2004-08-04 05:56 832512 ----a-w- c:\windows\system32\wininet.dll
2010-01-05 10:00 . 2004-08-04 05:56 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00 . 2004-08-04 05:56 17408 ------w- c:\windows\system32\corpol.dll
2009-12-18 04:44 . 2008-08-02 20:25 -------- d-----w- c:\documents and settings\All Users\Application Data\LxThumbs
2009-12-14 19:15 . 2009-12-14 19:15 2146304 ----a-w- c:\windows\system32\GPhotos.scr
2009-11-21 16:36 . 2004-08-04 05:56 470528 ----a-w- c:\windows\AppPatch\aclayers.dll
2007-12-12 17:38 . 2007-12-12 17:38 23405072 -c--a-w- c:\program files\AdbeRdr811_en_US.exe
2007-03-17 06:00 . 2008-03-13 21:53 35979 ----a-w- c:\program files\Photoshop CS3 Read Me.html
2009-03-01 09:24 . 2009-02-26 19:46 11649056 -csha-w- c:\windows\system32\drivers\fidbox.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-08-08 490952]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2008-10-23 2363392]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 4670704]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-10-08 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2007-10-25 2178832]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-10-25 563984]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-01 282624]
"RTHDCPL"="c:\windows\RTHDCPL.EXE" [2008-05-14 16862720]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-04 8523776]
"nwiz"="c:\windows\system32\nwiz.exe" [2007-12-04 1626112]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-12-04 81920]

c:\documents and settings\Gaming\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Event Reminder.lnk - c:\program files\The Print Shop 23\Remind.exe [2008-7-16 344064]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^tammy^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\documents and settings\tammy\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^tammy^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\tammy\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2007-10-11 03:51 39792 -c--a-w- c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2008-02-19 18:10 267048 -c--a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechCommunicationsManager]
2007-10-25 21:33 563984 ----a-w- c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]
2007-10-25 21:37 2178832 ----a-w- c:\program files\Logitech\QuickCam\Quickcam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2006-09-01 23:57 282624 ----a-w- c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
2006-07-21 23:14 86016 -c----r- c:\windows\SoundMan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2009-10-08 23:13 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2008-06-09 08:36 185632 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\USRobotics USB Internet Mini Phone]
2007-02-15 18:31 338944 -c--a-w- c:\program files\U.S. Robotics\USB Internet Mini Phone\USRobotics USB Internet Mini Phone.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\USRobotics USB Internet Mini Phone Control Panel]
2007-02-15 18:29 2123264 -c--a-w- c:\program files\U.S. Robotics\USB Internet Mini Phone\USB Internet Mini Phone UI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
2007-08-30 23:43 4670704 ----a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"FLEXnet Licensing Service"=3 (0x3)
"iPod Service"=3 (0x3)
"gusvc"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"aawservice"=2 (0x2)
"Symantec AntiVirus"=2 (0x2)
"StkASSrv"=2 (0x2)
"SPBBCSvc"=2 (0x2)
"DefWatch"=2 (0x2)
"ccSetMgr"=2 (0x2)
"ccEvtMgr"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\lxdecoms.exe"=
"c:\\Program Files\\Lexmark 4800 Series\\frun.exe"=
"c:\\Program Files\\Abbyy FineReader 6.0 Sprint\\Scan\\ScanMan6.exe"=
"c:\\Program Files\\Lexmark Fax Solutions\\FaxCtr.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdepswx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdetime.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdejswx.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Lexmark 4800 Series\\Wireless\\lxdewpss.exe"=
"c:\\WINDOWS\\system32\\lxdecfg.exe"=
"c:\\Program Files\\Logitech\\QuickCam\\Quickcam.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Lexmark 4800 Series\\lxdemon.exe"=

R0 ahcix86;ahcix86;c:\windows\system32\drivers\ahcix86.sys [10/3/2008 3:28 PM 176136]
R2 lxde_device;lxde_device;c:\windows\system32\lxdecoms.exe -service --> c:\windows\system32\lxdecoms.exe -service [?]
R2 LxrSII1d;Secure II Driver;c:\windows\system32\drivers\LxrSII1d.sys [4/5/2008 11:35 PM 70016]
S2 lxdeCATSCustConnectService;lxdeCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdeserv.exe [12/12/2007 2:42 PM 99248]
S3 xbreader;MaxDrive XBox Driver (xbreader.sys);c:\windows\system32\drivers\xbreader.sys [1/2/2001 9:53 PM 19677]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [12/9/2007 6:29 PM 717296]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2008-10-23 02:55 451872 -c--a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder

2010-01-29 c:\windows\Tasks\User_Feed_Synchronization-{59B3E264-20D2-4BFE-864F-F7C4E1F84BFC}.job
- c:\windows\system32\msfeedssync.exe [2007-08-14 02:36]

2010-01-29 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2010-01-14 05:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.sparkpeople.com/websearch/
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
FF - ProfilePath - c:\documents and settings\tammy\Application Data\Mozilla\Firefox\Profiles\p04rj5jz.Default User\
FF - prefs.js: browser.startup.homepage - hxxp://www.sparkpeople.com/
FF - plugin: c:\documents and settings\tammy\Application Data\Mozilla\Firefox\Profiles\p04rj5jz.Default User\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000004.dll
FF - plugin: c:\documents and settings\tammy\Local Settings\Application Data\Yahoo!\BrowserPlus\2.4.21\Plugins\npybrowserplus_2.4.21.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npampx3.0.84.2.dll
FF - HiddenExtension: XUL Cache: {DB1C0118-51D0-472E-B776-5A9BC86F3A1E} - c:\documents and settings\tammy\Local Settings\Application Data\{DB1C0118-51D0-472E-B776-5A9BC86F3A1E}
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-29 13:42
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(7772)
c:\windows\system32\WININET.dll
c:\program files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\windows\system32\lxdecoms.exe
c:\windows\system32\LxrSII1s.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\RUNDLL32.EXE
c:\program files\Yahoo!\Messenger\ymsgr_tray.exe
c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe
.
**************************************************************************
.
Completion time: 2010-01-29 13:49:54 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-29 20:49
ComboFix2.txt 2010-01-18 19:47
ComboFix3.txt 2010-01-14 23:16
ComboFix4.txt 2010-01-11 21:44
ComboFix5.txt 2010-01-29 20:19

Pre-Run: 4,111,503,360 bytes free
Post-Run: 4,084,948,992 bytes free

- - End Of File - - 96D1C537582D02A24D23F61B036FAEB3

#28
azarl

    GeekU Teacher

  • GeekU Moderator
  • 20,747 posts
Hi

File Scanner
There are some files I need you to upload for checking.

  • Make sure to use Internet Explorer for this
  • Please go to VirSCAN.org FREE on-line scan service
  • Copy and paste the following file path into the "Suspicious files to scan" box on the top of the page:
    • c:\windows\system32\wininet.dll
  • Click on the Upload button
  • If a pop-up appears saying the file has been scanned already, please select the ReScan button.
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.
    Please repeat for
    • c:\windows\system32\ieencode.dll
    • c:\windows\system32\corpol.dll


#29
rklamer

    Member

  • Member
  • 33 posts
VirSCAN.org Scanned Report :
Scanned time : 2010/01/31 18:52:32 (MST)
Scanner results: Scanners did not find malware!
File Name : wininet.dll
File Size : 832512 byte
File Type : PE32 executable for MS Windows (DLL) (GUI) Intel 80386 32-bi
MD5 : 21e7890f1ec89bef0af7c08d730ae317
SHA1 : 05bb7de583780a4745ba614a902c41907e678d07
Online report : http://virscan.org/r...2e3815a75e.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.5.0.8 20100130020216 2010-01-30 4.48 -
AhnLab V3 2010.01.31.01 2010.01.31 2010-01-31 1.00 -
AntiVir 8.2.1.154 7.10.3.140 2010-01-31 0.14 -
Antiy 2.0.18 20100126.3756239 2010-01-26 0.12 -
Arcavir 2009 201001311235 2010-01-31 0.07 -
Authentium 5.1.1 201001311727 2010-01-31 5.09 -
AVAST! 4.7.4 100131-1 2010-01-31 0.05 -
AVG 8.5.720 271.1.1/2660 2010-02-01 0.26 -
BitDefender 7.81008.4959582 7.30153 2010-02-01 5.08 -
ClamAV 0.95.3 10345 2010-01-31 0.16 -
Comodo 3.13.579 3409 2010-01-31 0.97 -
CP Secure 1.3.0.5 2010.02.01 2010-02-01 0.11 -
Dr.Web 5.0.1.12222 2010.02.01 2010-02-01 5.05 -
F-Prot 4.4.4.56 20100131 2010-01-31 4.80 -
F-Secure 7.02.73807 2010.01.31.03 2010-01-31 9.51 -
Fortinet 11.443- 11.443 2010-01-31 0.21 -
GData 19.10239/19.717 20100131 2010-01-31 5.84 -
ViRobot 20100130 2010.01.30 2010-01-30 0.41 -
Ikarus T3.1.01.80 2010.01.31.75081 2010-01-31 4.38 -
JiangMin 13.0.900 2010.01.27 2010-01-27 5.32 -
Kaspersky 5.5.10 2010.01.31 2010-01-31 0.07 -
KingSoft 2009.2.5.15 2010.1.31.21 2010-01-31 0.56 -
McAfee 5.3.00 5878 2010-01-31 3.44 -
Microsoft 1.5406 2010.02.01 2010-02-01 6.58 -
Norman 6.01.09 6.01.00 2010-01-16 4.01 -
Panda 9.05.01 2010.01.31 2010-01-31 1.97 -
Trend Micro 9.120-1004 6.814.09 2010-01-31 0.00 -
Quick Heal 10.00 2010.01.30 2010-01-30 1.56 -
Rising 20.0 22.32.06.04 2010-01-31 1.04 -
Sophos 3.04.1 4.50 2010-02-01 2.88 -
Sunbelt 3.9.2396.2 5649 2010-01-31 2.82 -
Symantec 1.3.0.24 20100131.003 2010-01-31 0.09 -
nProtect 20100131.01 7067168 2010-01-31 4.40 -
The Hacker 6.5.1.0 v00174 2010-01-31 0.38 -
VBA32 3.12.12.1 20100129.0902 2010-01-29 2.79 -
VirusBuster 4.5.11.10 10.119.31/2017609 2010-02-01 3.04 -


VirSCAN.org Scanned Report :
Scanned time : 2010/01/31 18:55:16 (MST)
Scanner results: Scanners did not find malware!
File Name : ieencode.dll
File Size : 78336 byte
File Type : PE32 executable for MS Windows (DLL) (console) Intel 80386 3
MD5 : 37147e4b25a819306f6ae0afd79c3ee5
SHA1 : 3bfa1361b68c35a43eb3944cf503c915bedc9ef0
Online report : http://virscan.org/r...f1388f7967.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.5.0.8 20100130020216 2010-01-30 4.55 -
AhnLab V3 2010.01.31.01 2010.01.31 2010-01-31 1.02 -
AntiVir 8.2.1.154 7.10.3.140 2010-01-31 0.30 -
Antiy 2.0.18 20100126.3756239 2010-01-26 0.12 -
Arcavir 2009 201001311235 2010-01-31 0.04 -
Authentium 5.1.1 201001311727 2010-01-31 1.31 -
AVAST! 4.7.4 100131-1 2010-01-31 0.01 -
AVG 8.5.720 271.1.1/2660 2010-02-01 0.26 -
BitDefender 7.81008.4959582 7.30153 2010-02-01 4.98 -
ClamAV 0.95.3 10345 2010-01-31 0.02 -
Comodo 3.13.579 3409 2010-01-31 0.93 -
CP Secure 1.3.0.5 2010.02.01 2010-02-01 0.06 -
Dr.Web 5.0.1.12222 2010.02.01 2010-02-01 5.02 -
F-Prot 4.4.4.56 20100131 2010-01-31 1.29 -
F-Secure 7.02.73807 2010.01.31.03 2010-01-31 9.56 -
Fortinet 11.443- 11.443 2010-01-31 0.20 -
GData 19.10239/19.717 20100131 2010-01-31 5.97 -
ViRobot 20100130 2010.01.30 2010-01-30 0.41 -
Ikarus T3.1.01.80 2010.01.31.75081 2010-01-31 4.35 -
JiangMin 13.0.900 2010.01.27 2010-01-27 5.15 -
Kaspersky 5.5.10 2010.01.31 2010-01-31 0.07 -
KingSoft 2009.2.5.15 2010.1.31.21 2010-01-31 0.59 -
McAfee 5.3.00 5878 2010-01-31 3.42 -
Microsoft 1.5406 2010.02.01 2010-02-01 6.91 -
Norman 6.01.09 6.01.00 2010-01-16 4.01 -
Panda 9.05.01 2010.01.31 2010-01-31 2.38 -
Trend Micro 9.120-1004 6.814.09 2010-01-31 0.00 -
Quick Heal 10.00 2010.01.30 2010-01-30 1.58 -
Rising 20.0 22.32.06.04 2010-01-31 1.24 -
Sophos 3.04.1 4.50 2010-02-01 2.90 -
Sunbelt 3.9.2396.2 5649 2010-01-31 2.65 -
Symantec 1.3.0.24 20100131.003 2010-01-31 0.05 -
nProtect 20100131.01 7067168 2010-01-31 4.55 -
The Hacker 6.5.1.0 v00174 2010-01-31 0.54 -
VBA32 3.12.12.1 20100129.0902 2010-01-29 2.44 -
VirusBuster 4.5.11.10 10.119.31/2017609 2010-02-01 2.36 -


VirSCAN.org Scanned Report :
Scanned time : 2010/01/31 18:57:32 (MST)
Scanner results: Scanners did not find malware!
File Name : corpol.dll
File Size : 17408 byte
File Type : PE32 executable for MS Windows (DLL) (console) Intel 80386 3
MD5 : 900bfc468a6b4c2ee4b4a69ebd4791ce
SHA1 : ac40c5fc238de80de80da87cee3d77668a1fc8fe
Online report : http://virscan.org/r...3c881d19ca.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.5.0.8 20100130020216 2010-01-30 4.30 -
AhnLab V3 2010.01.31.01 2010.01.31 2010-01-31 1.03 -
AntiVir 8.2.1.154 7.10.3.140 2010-01-31 0.21 -
Antiy 2.0.18 20100126.3756239 2010-01-26 0.12 -
Arcavir 2009 201001311235 2010-01-31 0.03 -
Authentium 5.1.1 201001311727 2010-01-31 1.31 -
AVAST! 4.7.4 100131-1 2010-01-31 0.00 -
AVG 8.5.720 271.1.1/2660 2010-02-01 0.26 -
BitDefender 7.81008.4959582 7.30153 2010-02-01 5.03 -
ClamAV 0.95.3 10345 2010-01-31 0.01 -
Comodo 3.13.579 3409 2010-01-31 0.97 -
CP Secure 1.3.0.5 2010.02.01 2010-02-01 0.04 -
Dr.Web 5.0.1.12222 2010.02.01 2010-02-01 4.97 -
F-Prot 4.4.4.56 20100131 2010-01-31 1.26 -
F-Secure 7.02.73807 2010.01.31.03 2010-01-31 9.53 -
Fortinet 11.443- 11.443 2010-01-31 0.24 -
GData 19.10239/19.717 20100131 2010-01-31 6.26 -
ViRobot 20100130 2010.01.30 2010-01-30 0.41 -
Ikarus T3.1.01.80 2010.01.31.75081 2010-01-31 4.37 -
JiangMin 13.0.900 2010.01.27 2010-01-27 4.60 -
Kaspersky 5.5.10 2010.01.31 2010-01-31 0.07 -
KingSoft 2009.2.5.15 2010.1.31.21 2010-01-31 0.54 -
McAfee 5.3.00 5878 2010-01-31 3.46 -
Microsoft 1.5406 2010.02.01 2010-02-01 6.51 -
Norman 6.01.09 6.01.00 2010-01-16 4.01 -
Panda 9.05.01 2010.01.31 2010-01-31 1.97 -
Trend Micro 9.120-1004 6.814.09 2010-01-31 0.00 -
Quick Heal 10.00 2010.01.30 2010-01-30 1.33 -
Rising 20.0 22.32.06.04 2010-01-31 0.99 -
Sophos 3.04.1 4.50 2010-02-01 2.88 -
Sunbelt 3.9.2396.2 5649 2010-01-31 2.91 -
Symantec 1.3.0.24 20100131.003 2010-01-31 0.05 -
nProtect 20100131.01 7067168 2010-01-31 4.25 -
The Hacker 6.5.1.0 v00174 2010-01-31 0.37 -
VBA32 3.12.12.1 20100129.0902 2010-01-29 2.48 -
VirusBuster 4.5.11.10 10.119.31/2017609 2010-02-01 2.38 -
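All three reports above come back clean from every engine, but a multi-engine verdict only speaks for the exact bytes that were uploaded. The Python below is an added example (not a tool from this thread or from VirSCAN.org): it parses pasted VirSCAN.org report text into one record per file, counts how many engines flagged each file, and recomputes MD5/SHA1 of a local copy so the posted verdict can be tied to the file actually on disk. The embedded report text is abbreviated from the wininet.dll report above (3 of its 35 scanner rows; header values and hashes are the posted ones); the flagged variant and its label "Example.Detection.Name" are constructed, and the Windows path in the trailing comment is an assumption.

```python
# Added example (not from the thread or VirSCAN.org): parse pasted VirSCAN.org
# reports, count engine detections, and tie the verdict to a local file's hashes.
import hashlib
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Abbreviated from the wininet.dll report posted above (3 of 35 scanner rows);
# the header values and hashes are the ones that appear in the thread.
SAMPLE_REPORT = """\
VirSCAN.org Scanned Report :
File Name : wininet.dll
File Size : 832512 byte
File Type : PE32 executable for MS Windows (DLL) (GUI) Intel 80386 32-bi
MD5 : 21e7890f1ec89bef0af7c08d730ae317
SHA1 : 05bb7de583780a4745ba614a902c41907e678d07
Online report : http://virscan.org/r...2e3815a75e.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.5.0.8 20100130020216 2010-01-30 4.48 -
AhnLab V3 2010.01.31.01 2010.01.31 2010-01-31 1.00 -
Trend Micro 9.120-1004 6.814.09 2010-01-31 0.00 -
"""
# Constructed variant: one engine reports a verdict instead of "-".
# "Example.Detection.Name" is a placeholder, not a real signature name.
SAMPLE_REPORT_FLAGGED = SAMPLE_REPORT.replace(
    "2010-01-31 0.00 -", "2010-01-31 0.00 Example.Detection.Name")

# Scanner names may contain spaces ("AhnLab V3"), so the name is matched lazily
# and the row is anchored on the fixed-shape signature-date and scan-time columns.
ROW_RE = re.compile(r"^(?P<scanner>.+?) (?P<engine>\S+) (?P<sig>\S+) "
                    r"\d{4}-\d{2}-\d{2} \d+\.\d+ (?P<result>.+)$")
HEADER_RE = re.compile(r"^(?P<key>File Name|File Size|MD5|SHA1) : (?P<value>.+)$")

@dataclass
class ScanReport:
    file_name: str = ""
    file_size: int = 0
    md5: str = ""
    sha1: str = ""
    results: Dict[str, str] = field(default_factory=dict)  # scanner -> verdict

    @property
    def detections(self) -> Dict[str, str]:
        """VirSCAN prints "-" for a clean verdict; anything else is a detection."""
        return {s: r for s, r in self.results.items() if r != "-"}

def parse_reports(text: str) -> List[ScanReport]:
    """One ScanReport per 'VirSCAN.org Scanned Report' block in the pasted text."""
    reports: List[ScanReport] = []
    current, in_table = None, False
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("VirSCAN.org Scanned Report"):
            current, in_table = ScanReport(), False
            reports.append(current)
        elif current is None or not line:
            continue
        elif line.startswith("Scanner Engine Ver"):
            in_table = True  # column header; engine rows follow
        elif in_table:
            row = ROW_RE.match(line)
            if row:
                current.results[row.group("scanner")] = row.group("result")
        elif (hdr := HEADER_RE.match(line)):
            key, value = hdr.group("key"), hdr.group("value")
            if key == "File Name":
                current.file_name = value
            elif key == "File Size":
                current.file_size = int(value.split()[0])  # "832512 byte"
            elif key == "MD5":
                current.md5 = value.lower()
            else:
                current.sha1 = value.lower()
    return reports

def digests_of_bytes(data: bytes) -> Dict[str, str]:
    """MD5 and SHA1 of file contents, in the lowercase hex VirSCAN prints."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest()}

def matches_report(report: ScanReport, digests: Dict[str, str]) -> bool:
    """True only when both local hashes equal the reported ones, i.e. the
    posted verdict really belongs to the copy of the file on this machine."""
    return digests["md5"] == report.md5 and digests["sha1"] == report.sha1

def summarize(report: ScanReport) -> str:
    hits = report.detections
    text = f"{report.file_name}: {len(hits)}/{len(report.results)} engines flagged it"
    if hits:
        text += " -> " + ", ".join(f"{s}: {r}" for s, r in hits.items())
    return text

if __name__ == "__main__":
    for rep in parse_reports(SAMPLE_REPORT + "\n" + SAMPLE_REPORT_FLAGGED):
        print(summarize(rep))
    # On the affected machine (assumed Windows XP path), tie the verdict to disk:
    #   local = digests_of_bytes(open(r"C:\WINDOWS\system32\wininet.dll", "rb").read())
    #   matches_report(parse_reports(SAMPLE_REPORT)[0], local)
```

A 0-of-N result means no engine's signatures matched those bytes; it does not prove a system DLL is the vendor's original. When a patched system file is suspected, the stronger check is to compare the local hash with a known-good copy (on Windows XP, %SystemRoot%\system32\dllcache holds the protected-file copies, and `sfc /scannow` re-verifies them).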

#30
azarl

    GeekU Teacher

  • GeekU Moderator
  • 20,747 posts
Download Security Check by screen317 from here or here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

