WiredWX Hobby Weather ToolsLog in

 


Whistler Bootkit O.o

2 posters

descriptionWhistler Bootkit O.o EmptyWhistler Bootkit O.o

more_horiz
I'm Going Through The Same Problem As Someone Was Going Through Before With Hearing Ads And Clicking Noises With Out A Browser Being Opened I Downloaded Combo Whatever Its Call These Were The Results


ComboFix 10-07-26.04 - Owner 07/27/2010 11:06:46.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.251 [GMT -4]
Running from: c:\documents and settings\Owner\My Documents\Downloads\ComboFix.exe
AV: Norton Security Suite *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Security Suite *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system\WINSPOOL.DRV
c:\windows\TEMP\logishrd\LVPrcInj01.dll

c:\windows\system32\msgsvc.dll . . . is infected!!

.
MBR is infected with the Whistler Bootkit !!

((((((((((((((((((((((((( Files Created from 2010-06-27 to 2010-07-27 )))))))))))))))))))))))))))))))
.

2010-07-27 04:21 . 2010-07-27 04:21 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
2010-07-27 04:20 . 2010-07-27 04:20 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Yahoo
2010-07-27 04:20 . 2010-07-27 04:20 -------- d-----w- c:\documents and settings\LocalService\Application Data\Toolbar4
2010-07-27 04:20 . 2010-07-27 04:20 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Yahoo!
2010-07-27 04:20 . 2010-07-27 04:20 -------- d-----w- c:\documents and settings\LocalService\Application Data\Yahoo!
2010-07-27 03:55 . 2010-07-27 03:55 -------- d-----w- C:\N360_BACKUP
2010-07-16 18:10 . 2010-07-16 18:10 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Unity
2010-07-05 18:05 . 2010-07-05 18:05 -------- d-----w- c:\program files\Audacity
2010-06-29 12:38 . 2010-06-29 12:38 -------- d-----w- c:\documents and settings\Owner\Application Data\IMVU Previewer
2010-06-29 12:32 . 2010-06-29 12:32 -------- d-----w- C:\3dsmax7
2010-06-29 01:40 . 2010-07-02 13:07 -------- d-----w- c:\documents and settings\Owner\Application Data\gtk-2.0
2010-06-29 01:39 . 2010-06-29 01:39 -------- d-----w- c:\documents and settings\Owner\.thumbnails
2010-06-29 01:12 . 2010-07-02 13:08 -------- d-----w- c:\documents and settings\Owner\.gimp-2.6
2010-06-29 01:11 . 2010-06-29 01:11 -------- d-----w- c:\program files\GIMP-2.0

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-27 15:00 . 2010-01-19 08:19 -------- d-----w- c:\program files\Common Files\AOL
2010-07-27 14:52 . 2010-06-04 23:39 -------- d-----w- c:\documents and settings\Owner\Application Data\Toolbar4
2010-07-27 14:31 . 2010-05-26 07:15 -------- d-----w- c:\documents and settings\Owner\Application Data\IMVU
2010-07-27 06:53 . 2010-01-04 20:41 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-27 05:56 . 2010-01-04 20:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-07-24 23:27 . 2010-06-04 23:48 -------- d-----w- c:\program files\CamStudio
2010-06-15 20:02 . 2010-06-15 13:55 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-06-15 13:55 . 2010-06-15 13:55 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-06-15 13:55 . 2010-06-15 13:55 7443 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-06-15 13:55 . 2010-06-15 13:55 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-06-15 13:55 . 2010-06-15 13:55 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-06-15 13:55 . 2010-06-15 13:55 -------- d-----w- c:\program files\Symantec
2010-06-15 13:54 . 2010-06-15 13:54 -------- d-----w- c:\program files\Norton Security Suite
2010-06-15 13:54 . 2010-06-15 13:54 -------- d-----w- c:\program files\Windows Sidebar
2010-06-15 13:54 . 2010-06-15 13:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-06-15 13:54 . 2010-06-15 13:54 -------- d-----w- c:\program files\NortonInstaller
2010-06-15 13:54 . 2010-06-15 13:54 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2010-06-15 13:54 . 2010-01-06 20:17 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-06-14 14:31 . 2010-01-04 20:25 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-11 02:37 . 2010-03-03 02:45 -------- d-----w- c:\program files\Logitech
2010-06-11 02:36 . 2010-06-11 02:36 -------- d-----w- c:\documents and settings\Owner\Application Data\Leadertech
2010-06-11 02:36 . 2010-03-03 02:45 -------- d-----w- c:\program files\Common Files\LogiShrd
2010-06-11 02:31 . 2010-03-03 02:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Logishrd
2010-06-04 07:00 . 2010-01-04 20:23 -------- d-----w- c:\program files\Microsoft Silverlight
2010-05-31 12:59 . 2010-05-31 12:59 -------- d-----w- c:\documents and settings\Owner\Application Data\FoxyTunes
2010-05-31 12:59 . 2010-05-31 12:59 -------- d-----w- c:\program files\FoxyTunes
2010-05-06 10:41 . 2001-08-23 09:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 16:04 . 2001-08-23 09:00 1860352 ----a-w- c:\windows\system32\win32k.sys
2010-04-29 19:39 . 2010-01-04 20:41 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 19:39 . 2010-01-04 20:41 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe" [2009-11-10 5244216]
"Logitech Vid"="c:\program files\Logitech\Logitech Vid\vid.exe" [2009-07-16 5458704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-28 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-28 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-28 137752]
"RTHDCPL"="RTHDCPL.EXE" [2008-04-10 16861184]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"LogitechQuickCamRibbon"="c:\program files\Logitech\Logitech WebCam Software\LWS.exe" [2009-10-14 2793304]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2010-1-4 128000]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMConfigurePrograms"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Logitech\\Logitech Vid\\Vid.exe"=

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360\0402000.00C\symds.sys [6/15/2010 10:37 PM 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0402000.00C\symefa.sys [6/15/2010 10:37 PM 173104]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\BASHDefs\20100709.001\BHDrvx86.sys [7/12/2010 7:27 PM 691248]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\N360\0402000.00C\cchpx86.sys [6/15/2010 10:37 PM 501888]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360\0402000.00C\ironx86.sys [6/15/2010 10:37 PM 116784]
R2 N360;Norton Security Suite;c:\program files\Norton Security Suite\Engine\4.2.0.12\ccsvchst.exe [6/15/2010 10:37 PM 126392]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [6/23/2010 12:17 PM 102448]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\IPSDefs\20100723.001\IDSXpx86.sys [7/23/2010 10:58 PM 331640]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [1/4/2010 4:41 PM 38224]
.
Contents of the 'Scheduled Tasks' folder

2010-07-21 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com
mStart Page = hxxp://www.yahoo.com
uInternet Connection Wizard,ShellNext = "c:\program files\Outlook Express\msimn.exe"
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Owner\Start Menu\Programs\IMVU\Run IMVU.lnk
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\2fgjljis.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\coFFPlgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\IPSFFPlgn\components\IPSFFPl.dll
FF - component: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\2fgjljis.default\extensions\{90b49673-5506-483e-b92b-ca0265bd9ca8}\components\FFExternalAlert.dll
FF - component: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\2fgjljis.default\extensions\{90b49673-5506-483e-b92b-ca0265bd9ca8}\components\RadioWMPCore.dll
FF - plugin: c:\documents and settings\Owner\Local Settings\Application Data\Unity\WebPlayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdnupdater2.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(yahoo.homepage.dontask, truec:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-mcmscsvc
SafeBoot-MCODS



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-27 11:25
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

c:\program files\Internet Explorer\IEXPLORE.EXE [1108] 0x852FCDA0
c:\program files\Internet Explorer\IEXPLORE.EXE [2100] 0x84C6B8D0
scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\N360]
"ImagePath"=""c:\program files\Norton Security Suite\Engine\4.2.0.12\ccSvcHst.exe" /s "N360" /m "c:\program files\Norton Security Suite\Engine\4.2.0.12\diMaster.dll" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,91,33,86,3e,4d,61,b4,41,ab,8f,99,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,91,33,86,3e,4d,61,b4,41,ab,8f,99,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3888)
c:\windows\system32\WININET.dll
c:\windows\TEMP\logishrd\LVPrcInj01.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\program files\CDBurnerXP\NMSAccessU.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\windows\system32\SearchIndexer.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\RTHDCPL.EXE
c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe
c:\program files\OpenOffice.org 3\program\soffice.exe
c:\program files\OpenOffice.org 3\program\soffice.bin
.
**************************************************************************
.
Completion time: 2010-07-27 11:30:45 - machine was rebooted
ComboFix-quarantined-files.txt 2010-07-27 15:30

Pre-Run: 251,974,479,872 bytes free
Post-Run: 252,020,326,400 bytes free

- - End Of File - - E9E3CEAAF5920ABC8098D0D481DA93A2



After That I'm Still Hearing Ads And Clicking Noises What's My Next Step?
Whoa!

descriptionWhistler Bootkit O.o EmptyRe: Whistler Bootkit O.o

more_horiz
Sorry For Not Doing This First


OTL logfile created on: 7/27/2010 1:55:05 PM - Run 1
OTL by OldTimer - Version 3.2.9.0 Folder = C:\Documents and Settings\Owner\My Documents\Downloads
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,015.00 Mb Total Physical Memory | 403.00 Mb Available Physical Memory | 40.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 80.00% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 298.08 Gb Total Space | 234.70 Gb Free Space | 78.74% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: VALUED-85F37B4D
Current User Name: Owner
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/07/27 13:53:13 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\My Documents\Downloads\OTL.com
PRC - [2010/02/25 20:21:50 | 000,126,392 | R--- | M] (Symantec Corporation) -- C:\Program Files\Norton Security Suite\Engine\4.2.0.12\ccsvchst.exe
PRC - [2009/10/14 13:36:56 | 002,793,304 | ---- | M] () -- C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe
PRC - [2009/10/14 13:34:18 | 000,560,472 | ---- | M] () -- C:\Program Files\Common Files\LogiShrd\LQCVFX\COCIManager.exe
PRC - [2009/10/07 01:47:34 | 000,154,136 | ---- | M] (Logitech Inc.) -- C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
PRC - [2009/07/16 15:35:42 | 005,458,704 | ---- | M] (Logitech Inc.) -- C:\Program Files\Logitech\Logitech Vid\Vid.exe
PRC - [2009/04/23 07:29:18 | 007,418,368 | ---- | M] (OpenOffice.org) -- C:\Program Files\OpenOffice.org 3\program\soffice.bin
PRC - [2009/04/23 07:29:14 | 007,424,000 | ---- | M] (OpenOffice.org) -- C:\Program Files\OpenOffice.org 3\program\soffice.exe
PRC - [2008/11/09 16:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
PRC - [2008/10/20 23:18:26 | 000,071,096 | ---- | M] () -- C:\Program Files\CDBurnerXP\NMSAccessU.exe
PRC - [2001/08/23 05:00:00 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2001/08/23 05:00:00 | 000,128,000 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Desktop Search\WindowsSearch.exe


========== Modules (SafeList) ==========

MOD - [2010/07/27 13:53:13 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\My Documents\Downloads\OTL.com
MOD - [2010/05/14 01:35:01 | 000,415,088 | R--- | M] (Symantec Corporation) -- C:\Program Files\Norton Security Suite\Engine\4.2.0.12\asoehook.dll
MOD - [2009/07/12 04:02:02 | 000,653,120 | R--- | M] (Microsoft Corporation) -- C:\Program Files\Norton Security Suite\Engine\4.2.0.12\microsoft.vc90.crt\msvcr90.dll
MOD - [2009/07/12 04:02:00 | 000,569,664 | R--- | M] (Microsoft Corporation) -- C:\Program Files\Norton Security Suite\Engine\4.2.0.12\microsoft.vc90.crt\msvcp90.dll
MOD - [2001/08/23 05:00:00 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5705_x-ww_36cfed49\comctl32.dll
MOD - [2001/08/23 05:00:00 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- C:\WINDOWS\System32\hidserv.dll -- (HidServ)
SRV - File not found [On_Demand | Stopped] -- C:\WINDOWS\System32\appmgmts.dll -- (AppMgmt)
SRV - [2010/02/25 20:21:50 | 000,126,392 | R--- | M] (Symantec Corporation) [Unknown | Running] -- C:\Program Files\Norton Security Suite\Engine\4.2.0.12\ccSvcHst.exe -- (N360)
SRV - [2009/10/07 01:47:34 | 000,154,136 | ---- | M] (Logitech Inc.) [Auto | Running] -- C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe -- (LVPrcSrv)
SRV - [2008/11/09 16:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) [Auto | Running] -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe -- (YahooAUService)
SRV - [2008/10/20 23:18:26 | 000,071,096 | ---- | M] () [Auto | Running] -- C:\Program Files\CDBurnerXP\NMSAccessU.exe -- (NMSAccessU)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\DOCUME~1\Owner\LOCALS~1\Temp\catchme.sys -- (catchme)
DRV - [2010/07/13 22:06:51 | 001,362,608 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\VirusDefs\20100726.041\NAVEX15.SYS -- (NAVEX15)
DRV - [2010/07/13 22:06:51 | 000,085,424 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\VirusDefs\20100726.041\NAVENG.SYS -- (NAVENG)
DRV - [2010/06/15 09:55:21 | 000,124,976 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SYMEVENT.SYS -- (SymEvent)
DRV - [2010/06/14 01:00:00 | 000,371,248 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)
DRV - [2010/06/14 01:00:00 | 000,102,448 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)
DRV - [2010/05/28 15:33:19 | 000,331,640 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\IPSDefs\20100723.001\IDSXpx86.sys -- (IDSxpx86)
DRV - [2010/05/22 14:16:04 | 000,691,248 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\BASHDefs\20100709.001\BHDrvx86.sys -- (BHDrvx86)
DRV - [2010/05/06 00:01:59 | 000,361,904 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\N360\0402000.00C\SYMTDI.SYS -- (SYMTDI)
DRV - [2010/04/29 15:39:38 | 000,038,224 | ---- | M] (Malwarebytes Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mbamswissarmy.sys -- (MBAMSwissArmy)
DRV - [2010/04/29 01:03:51 | 000,116,784 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\N360\0402000.00C\Ironx86.SYS -- (SymIRON)
DRV - [2010/04/21 23:02:20 | 000,173,104 | ---- | M] (Symantec Corporation) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\N360\0402000.00C\SYMEFA.SYS -- (SymEFA)
DRV - [2010/04/21 22:29:50 | 000,325,680 | ---- | M] (Symantec Corporation) [File_System | System | Running] -- C:\WINDOWS\System32\Drivers\N360\0402000.00C\SRTSP.SYS -- (SRTSP)
DRV - [2010/04/21 22:29:50 | 000,043,696 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\N360\0402000.00C\SRTSPX.SYS -- (SRTSPX) Symantec Real Time Storage Protection (PEL)
DRV - [2010/02/25 20:22:57 | 000,501,888 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\N360\0402000.00C\ccHPx86.sys -- (ccHP)
DRV - [2009/10/14 23:50:05 | 000,328,752 | R--- | M] (Symantec Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\N360\0402000.00C\SYMDS.SYS -- (SymDS)
DRV - [2009/10/07 01:46:36 | 000,025,752 | ---- | M] () [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\LVPr2Mon.sys -- (LVPr2Mon)
DRV - [2009/04/30 19:01:34 | 000,265,496 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\lvrs.sys -- (LVRS)
DRV - [2009/04/30 18:55:56 | 002,687,512 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\LV302V32.SYS -- (PID_PEPI) Logitech QuickCam IM(PID_PEPI)
DRV - [2009/04/30 18:55:32 | 000,013,976 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\lv302af.sys -- (pepifilter)
DRV - [2008/10/17 00:14:00 | 000,030,720 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\l251x86.sys -- (AtcL002)
DRV - [2008/04/17 10:33:26 | 004,707,328 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2008/04/14 00:15:14 | 000,060,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\USBAUDIO.sys -- (usbaudio) USB Audio Driver (WDM)
DRV - [2008/02/15 09:12:06 | 005,854,752 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\igxpmp32.sys -- (ialm)
DRV - [2007/07/18 20:44:00 | 000,041,752 | R--- | M] (Logitech Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\LVUSBSta.sys -- (LVUSBSta)
DRV - [2006/02/26 11:02:48 | 000,005,810 | ---- | M] () [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ASACPI.sys -- (MTsensor)
DRV - [2001/08/23 05:00:00 | 000,144,384 | ---- | M] (Windows (R) Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Yahoo"
FF - prefs.js..browser.search.defaulturl: "http://search.yahoo.com/search?fr=ffsp1&p="
FF - prefs.js..browser.search.param.yahoo-fr: "chrf-ytbm"
FF - prefs.js..browser.search.param.yahoo-fr-cjkt: "chrf-ytbm"
FF - prefs.js..browser.search.param.yahoo-type: "${8}"
FF - prefs.js..browser.search.selectedEngine: "Yahoo"
FF - prefs.js..browser.startup.homepage: "http://www.yahoo.com"
FF - prefs.js..extensions.enabledItems: {635abd67-4fe9-1b23-4f01-e679fa7484c1}:2.1.3.20100310105313
FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.2.1
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {BBDA0591-3099-440a-AA10-41764D9DB4DB}:2.0
FF - prefs.js..extensions.enabledItems: {2D3F3651-74B9-4795-BDEC-6DA2F431CB62}:4.6
FF - prefs.js..extensions.enabledItems: {90b49673-5506-483e-b92b-ca0265bd9ca8}:2.7.1.3
FF - prefs.js..keyword.URL: "http://search.yahoo.com/search?fr=ffds1&p="


FF - HKLM\software\mozilla\Firefox\extensions\\{BBDA0591-3099-440a-AA10-41764D9DB4DB}: C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\IPSFFPlgn\ [2010/06/24 05:27:40 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\extensions\\{2D3F3651-74B9-4795-BDEC-6DA2F431CB62}: C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\coFFPlgn\ [2010/06/15 09:56:06 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/07/27 02:26:40 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/07/27 02:26:38 | 000,000,000 | ---D | M]

[2010/01/06 16:40:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla\Extensions
[2010/01/06 16:40:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla\Extensions\IMVUClientXUL@imvu.com
[2010/07/26 13:56:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\2fgjljis.default\extensions
[2010/01/05 11:06:19 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\2fgjljis.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/07/10 13:16:37 | 000,000,000 | ---D | M] (Yahoo! Toolbar) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\2fgjljis.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
[2010/07/18 07:11:59 | 000,000,000 | ---D | M] (IMVU Inc Toolbar) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\2fgjljis.default\extensions\{90b49673-5506-483e-b92b-ca0265bd9ca8}
[2010/01/04 16:38:12 | 000,000,000 | ---D | M] (Java Console) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\2fgjljis.default\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
[2010/07/10 13:16:36 | 000,000,000 | ---D | M] (Adblock Plus) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\2fgjljis.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2010/01/04 16:38:12 | 000,000,000 | ---D | M] (CustomizeGoogle) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\2fgjljis.default\extensions\{fce36c1e-58d8-498a-b2a5-66ad1cedebbb}
[2010/07/18 07:11:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\2fgjljis.default\extensions\staged-xpis
[2010/07/27 02:26:38 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/07/27 02:26:38 | 000,000,000 | ---D | M] (Yahoo! Toolbar) -- C:\Program Files\Mozilla Firefox\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}

O1 HOSTS File: ([2010/07/27 11:20:15 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (Symantec NCO BHO) - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Security Suite\Engine\4.2.0.12\coieplg.dll (Symantec Corporation)
O2 - BHO: (Symantec Intrusion Prevention) - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Security Suite\Engine\4.2.0.12\ipsbho.dll (Symantec Corporation)
O2 - BHO: (SingleInstance Class) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll (Yahoo! Inc)
O3 - HKLM\..\Toolbar: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Security Suite\Engine\4.2.0.12\coieplg.dll (Symantec Corporation)
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Security Suite\Engine\4.2.0.12\coieplg.dll (Symantec Corporation)
O4 - HKLM..\Run: [LogitechQuickCamRibbon] C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe ()
O4 - HKCU..\Run: [Logitech Vid] C:\Program Files\Logitech\Logitech Vid\vid.exe (Logitech Inc.)
O4 - HKCU..\Run: [Messenger (Yahoo!)] C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (Yahoo! Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\Owner\Start Menu\Programs\Startup\IMVU.lnk = C:\Documents and Settings\Owner\Application Data\IMVUClient\IMVUQualityAgent.exe File not found
O4 - Startup: C:\Documents and Settings\Owner\Start Menu\Programs\Startup\Logitech . Product Registration.lnk = C:\Program Files\Logitech\Logitech WebCam Software\eReg.exe (Leader Technologies/Logitech)
O4 - Startup: C:\Documents and Settings\Owner\Start Menu\Programs\Startup\OpenOffice.org 3.1.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe ()
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMConfigurePrograms = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra Button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Owner\Start Menu\Programs\IMVU\Run IMVU.lnk ()
O9 - Extra 'Tools' menuitem : Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab (Java Plug-in 1.6.0_17)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation)
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2010/01/04 16:28:41 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: AppMgmt - C:\WINDOWS\System32\appmgmts.dll File not found
NetSvcs: HidServ - C:\WINDOWS\System32\hidserv.dll File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: Wmi - C:\WINDOWS\System32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - File not found


SafeBootMin: AppMgmt - C:\WINDOWS\System32\appmgmts.dll File not found
SafeBootMin: Base - Driver Group
SafeBootMin: Boot Bus Extender - Driver Group
SafeBootMin: Boot file system - Driver Group
SafeBootMin: File system - Driver Group
SafeBootMin: Filter - Driver Group
SafeBootMin: PCI Configuration - Driver Group
SafeBootMin: PNP Filter - Driver Group
SafeBootMin: Primary disk - Driver Group
SafeBootMin: SCSI Class - Driver Group
SafeBootMin: sermouse.sys - Driver
SafeBootMin: System Bus Extender - Driver Group
SafeBootMin: vga.sys - Driver
SafeBootMin: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootMin: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootMin: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootMin: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootMin: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootMin: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootMin: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootMin: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootMin: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootMin: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootMin: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootMin: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootMin: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices

SafeBootNet: AppMgmt - C:\WINDOWS\System32\appmgmts.dll File not found
SafeBootNet: Base - Driver Group
SafeBootNet: Boot Bus Extender - Driver Group
SafeBootNet: Boot file system - Driver Group
SafeBootNet: File system - Driver Group
SafeBootNet: Filter - Driver Group
SafeBootNet: MpfService - Service
SafeBootNet: NDIS Wrapper - Driver Group
SafeBootNet: NetBIOSGroup - Driver Group
SafeBootNet: NetDDEGroup - Driver Group
SafeBootNet: Network - Driver Group
SafeBootNet: NetworkProvider - Driver Group
SafeBootNet: PCI Configuration - Driver Group
SafeBootNet: PNP Filter - Driver Group
SafeBootNet: PNP_TDI - Driver Group
SafeBootNet: Primary disk - Driver Group
SafeBootNet: SCSI Class - Driver Group
SafeBootNet: sermouse.sys - Driver
SafeBootNet: Streams Drivers - Driver Group
SafeBootNet: System Bus Extender - Driver Group
SafeBootNet: TDI - Driver Group
SafeBootNet: vga.sys - Driver
SafeBootNet: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootNet: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootNet: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootNet: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootNet: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootNet: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootNet: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootNet: {4D36E972-E325-11CE-BFC1-08002BE10318} - Net
SafeBootNet: {4D36E973-E325-11CE-BFC1-08002BE10318} - NetClient
SafeBootNet: {4D36E974-E325-11CE-BFC1-08002BE10318} - NetService
SafeBootNet: {4D36E975-E325-11CE-BFC1-08002BE10318} - NetTrans
SafeBootNet: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootNet: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootNet: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootNet: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootNet: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootNet: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices

ActiveX: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} - Java (Sun)
ActiveX: {10072CEC-8CC1-11D1-986E-00A0C955B42F} - Vector Graphics Rendering (VML)
ActiveX: {2179C5D3-EBFF-11CF-B6FD-00AA00B4E220} - NetShow
ActiveX: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} - Microsoft Windows Media Player 6.4
ActiveX: {283807B5-2C60-11D0-A31D-00AA00B92C03} - DirectAnimation
ActiveX: {2A3320D6-C805-4280-B423-B665BDE33D8F} - Microsoft .NET Framework 1.1 Security Update (KB979906)
ActiveX: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
ActiveX: {36f8ec70-c29a-11d1-b5c7-0000f8051515} - Dynamic HTML Data Binding for Java
ActiveX: {3af36230-a269-11d1-b5bf-0000f8051515} - Offline Browsing Pack
ActiveX: {3bf42070-b3b1-11d1-b5c5-0000f8051515} - Uniscribe
ActiveX: {411EDCF7-755D-414E-A74B-3DCD6583F589} - Microsoft .NET Framework 1.1 Service Pack 1
ActiveX: {4278c270-a269-11d1-b5bf-0000f8051515} - Advanced Authoring
ActiveX: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
ActiveX: {44BBA842-CC51-11CF-AAFA-00AA00B6015B} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
ActiveX: {44BBA848-CC51-11CF-AAFA-00AA00B6015C} - DirectShow
ActiveX: {44BBA855-CC51-11CF-AAFA-00AA00B6015F} - DirectDrawEx
ActiveX: {45ea75a0-a269-11d1-b5bf-0000f8051515} - Internet Explorer Help
ActiveX: {4f216970-c90c-11d1-b5c7-0000f8051515} - DirectAnimation Java Classes
ActiveX: {4f645220-306d-11d2-995d-00c04f98bbc9} - Microsoft Windows Script 5.8
ActiveX: {5945c046-1e7d-11d1-bc44-00c04fd912be} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser
ActiveX: {5A8D6EE0-3E18-11D0-821E-444553540000} - ICW
ActiveX: {5fd399c0-a70a-11d1-9948-00c04f98bbc9} - Internet Explorer Setup Tools
ActiveX: {630b1da0-b465-11d1-9948-00c04f98bbc9} - Browsing Enhancements
ActiveX: {6BF52A52-394A-11d3-B153-00C04F79FAA6} - Microsoft Windows Media Player
ActiveX: {6fab99d0-bab8-11d1-994a-00c04f98bbc9} - MSN Site Access
ActiveX: {7790769C-0471-11d2-AF11-00C04FA35D02} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /i:U shell32.dll
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4383} - C:\WINDOWS\system32\ie4uinit.exe -BaseSettings
ActiveX: {89B4C1CD-B018-4511-B0A1-5476DBF70820} - c:\WINDOWS\system32\Rundll32.exe c:\WINDOWS\system32\mscories.dll,Install
ActiveX: {9381D8F2-0288-11D0-9501-00AA00B911A5} - Dynamic HTML Data Binding
ActiveX: {ACC563BC-4266-43f0-B6ED-9D38C4202C7E} -
ActiveX: {C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F} - .NET Framework
ActiveX: {C9E9A340-D1F1-11D0-821E-444553540600} - Internet Explorer Core Fonts
ActiveX: {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1} - .NET Framework
ActiveX: {CC2A9BA0-3BDD-11D0-821E-444553540000} - Task Scheduler
ActiveX: {CDD7975E-60F8-41d5-8149-19E51D6F71D0} - Windows Movie Maker v2.1
ActiveX: {D27CDB6E-AE6D-11cf-96B8-444553540000} - Adobe Flash Player
ActiveX: {de5aed00-a4bf-11d1-9948-00c04f98bbc9} - HTML Help
ActiveX: {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - Reg Error: Value error.
ActiveX: {E92B03AB-B707-11d2-9CBD-0000F87A369E} - Active Directory Service Interface
ActiveX: {EF289A85-8E57-408d-BE47-73B55609861A} - RootsUpdate
ActiveX: <{12d0ed0d-0ee0-4f90-8827-78cefb8f4988} - C:\WINDOWS\system32\ieudinit.exe
ActiveX: >{22d6f312-b0f6-11d0-94ab-0080c74c7e95} - C:\WINDOWS\inf\unregmp2.exe /ShowWMP
ActiveX: >{26923b43-4d38-484f-9b9e-de460746276c} - C:\WINDOWS\system32\ie4uinit.exe -UserIconConfig
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF} - RunDLL32 IEDKCS32.DLL,BrandIEActiveSetup SIGNUP
ActiveX: >{881dd1c5-3dcf-431b-b061-f3f88e8be88a} - %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE
ActiveX: >{99820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /i:U shell32.dll
ActiveX: Microsoft Base Smart Card Crypto Provider Package -

Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: MSVideo - C:\WINDOWS\System32\vfwwdm32.dll (Microsoft Corporation)
Drivers32: MSVideo8 - C:\WINDOWS\System32\vfwwdm32.dll (Microsoft Corporation)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: VIDC.I420 - C:\WINDOWS\System32\LVCodec2.dll (Logitech Inc.)
Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (16902109354000384)

========== Files/Folders - Created Within 30 Days ==========

[2010/07/27 10:49:52 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2010/07/27 10:44:58 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/07/27 10:44:58 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/07/27 10:44:57 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/07/27 10:44:57 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/07/27 10:44:19 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/07/27 10:41:56 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/07/27 00:21:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
[2010/07/27 00:21:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Adobe
[2010/07/27 00:20:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Yahoo
[2010/07/27 00:20:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Toolbar4
[2010/07/27 00:20:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Yahoo!
[2010/07/26 23:55:09 | 000,000,000 | ---D | C] -- C:\N360_BACKUP
[2010/07/16 14:10:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Local Settings\Application Data\Unity
[2010/07/05 14:05:09 | 000,000,000 | ---D | C] -- C:\Program Files\Audacity
[2010/07/05 11:13:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Desktop\ARC5AC
[2010/07/01 06:53:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\My Documents\textures
[2010/06/29 08:38:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\IMVU Previewer
[2010/06/29 08:32:35 | 000,000,000 | ---D | C] -- C:\3dsmax7
[2010/06/28 21:40:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\gtk-2.0
[2010/06/28 21:39:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\.thumbnails
[2010/06/28 21:12:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\.gimp-2.6
[2010/06/28 21:12:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\My Documents\gegl-0.0
[2010/06/28 21:11:23 | 000,000,000 | ---D | C] -- C:\Program Files\GIMP-2.0
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/07/27 13:09:12 | 000,441,454 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/07/27 13:09:11 | 000,071,264 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/07/27 13:09:10 | 000,522,498 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/07/27 13:04:52 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/07/27 13:04:28 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/07/27 13:04:26 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/07/27 13:04:25 | 1064,554,496 | -HS- | M] () -- C:\hiberfil.sys
[2010/07/27 13:03:22 | 002,359,296 | -H-- | M] () -- C:\Documents and Settings\Owner\NTUSER.DAT
[2010/07/27 13:03:22 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Owner\ntuser.ini
[2010/07/27 11:22:21 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/07/27 11:20:15 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/07/27 10:50:00 | 000,000,281 | RHS- | M] () -- C:\boot.ini
[2010/07/27 02:53:22 | 000,000,714 | ---- | M] () -- C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\Malwarebytes' Anti-Malware.lnk
[2010/07/27 02:27:05 | 000,001,620 | ---- | M] () -- C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2010/07/27 02:27:03 | 000,001,602 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2010/07/27 00:20:18 | 000,000,914 | ---- | M] () -- C:\Documents and Settings\Owner\Start Menu\Programs\Startup\IMVU.lnk
[2010/07/23 13:48:56 | 000,003,038 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\hb code.rtf
[2010/07/21 16:02:04 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2010/07/13 23:01:29 | 000,000,853 | ---- | M] () -- C:\Documents and Settings\Owner\Start Menu\Programs\Startup\Logitech . Product Registration.lnk
[2010/07/13 13:20:18 | 000,001,924 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\IMVU.lnk
[2010/07/11 18:49:28 | 000,003,065 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\GG code.rtf
[2010/07/11 17:15:11 | 000,003,072 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\yellow crush code.rtf
[2010/07/09 22:32:23 | 000,002,576 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\Catologcode.rtf
[2010/07/07 20:34:57 | 000,003,083 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\graffiti code.rtf
[2010/07/07 18:59:47 | 000,003,012 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\gucci..code.rtf
[2010/07/07 17:35:08 | 000,003,071 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\jayz codes.rtf
[2010/07/07 15:45:54 | 000,000,754 | ---- | M] () -- C:\WINDOWS\WORDPAD.INI
[2010/07/05 14:05:13 | 000,000,630 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Audacity.lnk
[2010/07/03 19:22:19 | 000,001,515 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Paint (2).lnk
[2010/07/02 09:07:02 | 000,002,860 | ---- | M] () -- C:\Documents and Settings\Owner\.recently-used.xbel
[2010/06/29 08:34:51 | 000,000,817 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\IMVU Previewer.lnk
[2010/06/28 21:12:16 | 000,000,790 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\GIMP 2.lnk
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/07/27 10:50:00 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2010/07/27 10:49:58 | 000,260,272 | ---- | C] () -- C:\cmldr
[2010/07/27 10:44:58 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/07/27 10:44:58 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/07/27 10:44:58 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/07/27 10:44:58 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/07/27 10:44:58 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/07/27 02:53:22 | 000,000,714 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\Malwarebytes' Anti-Malware.lnk
[2010/07/27 02:27:01 | 000,001,602 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2010/07/23 13:48:56 | 000,003,038 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\hb code.rtf
[2010/07/13 23:01:28 | 000,000,853 | ---- | C] () -- C:\Documents and Settings\Owner\Start Menu\Programs\Startup\Logitech . Product Registration.lnk
[2010/07/11 18:49:28 | 000,003,065 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\GG code.rtf
[2010/07/11 17:15:11 | 000,003,072 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\yellow crush code.rtf
[2010/07/09 22:32:23 | 000,002,576 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\Catologcode.rtf
[2010/07/07 20:34:57 | 000,003,083 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\graffiti code.rtf
[2010/07/07 18:57:33 | 000,003,012 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\gucci..code.rtf
[2010/07/07 15:45:50 | 000,000,754 | ---- | C] () -- C:\WINDOWS\WORDPAD.INI
[2010/07/06 21:18:03 | 000,003,071 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\jayz codes.rtf
[2010/07/05 14:05:12 | 000,000,630 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Audacity.lnk
[2010/07/03 19:22:19 | 000,001,515 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Paint (2).lnk
[2010/07/02 09:07:02 | 000,002,860 | ---- | C] () -- C:\Documents and Settings\Owner\.recently-used.xbel
[2010/06/29 08:32:42 | 000,000,817 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\IMVU Previewer.lnk
[2010/06/28 21:12:16 | 000,000,790 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\GIMP 2.lnk
[2010/03/02 23:27:34 | 000,082,289 | ---- | C] () -- C:\WINDOWS\System32\lvcoinst.ini
[2010/01/04 16:23:31 | 000,031,698 | ---- | C] () -- C:\WINDOWS\System32\gthrctr.ini
[2010/01/04 16:23:31 | 000,030,628 | ---- | C] () -- C:\WINDOWS\System32\gsrvctr.ini
[2010/01/04 16:23:31 | 000,020,698 | ---- | C] () -- C:\WINDOWS\System32\idxcntrs.ini
[2010/01/04 11:06:43 | 000,147,456 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4926.dll
[2010/01/04 11:04:00 | 000,005,810 | ---- | C] () -- C:\WINDOWS\System32\drivers\ASACPI.sys
[2009/10/07 01:46:36 | 000,025,752 | ---- | C] () -- C:\WINDOWS\System32\drivers\LVPr2Mon.sys
[2009/10/07 01:23:08 | 000,013,584 | ---- | C] () -- C:\WINDOWS\System32\drivers\iKeyLFT2.dll

========== Custom Scans ==========


< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[2001/08/23 05:00:00 | 000,033,280 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\cryptdll.dll
[2001/08/23 05:00:00 | 000,094,720 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\iphlpapi.dll
[2001/08/23 05:00:00 | 000,071,680 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\msacm32.dll
[2001/08/23 05:00:00 | 000,156,160 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\msls31.dll
[2001/08/23 05:00:00 | 000,061,440 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\msvcrt40.dll
[2001/08/23 05:00:00 | 000,237,056 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\rasapi32.dll
[2001/08/23 05:00:00 | 000,061,440 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\rasman.dll
[2001/08/23 05:00:00 | 000,044,032 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\rtutils.dll
[2001/08/23 05:00:00 | 000,007,168 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\sensapi.dll
[2001/08/23 05:00:00 | 000,713,216 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\sxs.dll
[2001/08/23 05:00:00 | 000,181,760 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\tapi32.dll
[2001/08/23 05:00:00 | 002,897,920 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\xpsp2res.dll
[1 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\system32\*.exe /lockedfiles >
[1 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.sys /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2010/01/04 11:02:33 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2010/01/04 11:02:33 | 001,064,960 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2010/01/04 11:02:33 | 000,905,216 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

< %systemroot%\system32\*.sys >
[2001/08/23 05:00:00 | 000,009,029 | ---- | M] () -- C:\WINDOWS\system32\ansi.sys
[2001/08/23 05:00:00 | 000,027,097 | ---- | M] () -- C:\WINDOWS\system32\country.sys
[2001/08/23 05:00:00 | 000,004,768 | ---- | M] () -- C:\WINDOWS\system32\himem.sys
[2001/08/23 05:00:00 | 000,042,809 | ---- | M] () -- C:\WINDOWS\system32\key01.sys
[2001/08/23 05:00:00 | 000,042,537 | ---- | M] () -- C:\WINDOWS\system32\keyboard.sys
[2001/08/23 05:00:00 | 000,027,866 | ---- | M] () -- C:\WINDOWS\system32\ntdos.sys
[2001/08/23 05:00:00 | 000,029,146 | ---- | M] () -- C:\WINDOWS\system32\ntdos404.sys
[2001/08/23 05:00:00 | 000,029,370 | ---- | M] () -- C:\WINDOWS\system32\ntdos411.sys
[2001/08/23 05:00:00 | 000,029,274 | ---- | M] () -- C:\WINDOWS\system32\ntdos412.sys
[2001/08/23 05:00:00 | 000,029,146 | ---- | M] () -- C:\WINDOWS\system32\ntdos804.sys
[2001/08/23 05:00:00 | 000,033,840 | ---- | M] () -- C:\WINDOWS\system32\ntio.sys
[2001/08/23 05:00:00 | 000,034,560 | ---- | M] () -- C:\WINDOWS\system32\ntio404.sys
[2001/08/23 05:00:00 | 000,035,648 | ---- | M] () -- C:\WINDOWS\system32\ntio411.sys
[2001/08/23 05:00:00 | 000,035,424 | ---- | M] () -- C:\WINDOWS\system32\ntio412.sys
[2001/08/23 05:00:00 | 000,034,560 | ---- | M] () -- C:\WINDOWS\system32\ntio804.sys
[2001/08/23 05:00:00 | 000,017,664 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\watchdog.sys
[2010/05/02 12:04:16 | 001,860,352 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\win32k.sys
[1 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\system32\drivers\*.dll >
[2009/10/07 01:23:08 | 000,013,584 | ---- | M] () -- C:\WINDOWS\system32\drivers\iKeyLFT2.dll

< %systemroot%\system32\drivers\*.ini >

< %systemroot%\system32\drivers\*.exe >

< %SYSTEMDRIVE%\*.* >
[2010/01/04 16:28:41 | 000,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT
[2010/01/04 16:20:23 | 000,000,211 | ---- | M] () -- C:\Boot.bak
[2010/07/27 10:50:00 | 000,000,281 | RHS- | M] () -- C:\boot.ini
[2004/08/03 23:00:00 | 000,260,272 | ---- | M] () -- C:\cmldr
[2010/07/27 11:30:46 | 000,017,096 | ---- | M] () -- C:\ComboFix.txt
[2010/01/04 16:28:41 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS
[2010/07/27 13:04:25 | 1064,554,496 | -HS- | M] () -- C:\hiberfil.sys
[2010/01/04 16:28:41 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
[2010/01/19 04:19:27 | 000,000,459 | -H-- | M] () -- C:\IPH.PH
[2010/01/04 16:28:41 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
[2001/08/23 05:00:00 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
[2001/08/23 05:00:00 | 000,250,048 | RHS- | M] () -- C:\ntldr
[2010/07/27 13:04:23 | 1598,029,824 | -HS- | M] () -- C:\pagefile.sys

< %PROGRAMFILES%\*. >
[2010/01/04 16:39:36 | 000,000,000 | ---D | M] -- C:\Program Files\Adobe
[2010/05/25 15:10:28 | 000,000,000 | ---D | M] -- C:\Program Files\Apple Software Update
[2010/07/05 14:05:11 | 000,000,000 | ---D | M] -- C:\Program Files\Audacity
[2010/07/24 19:27:41 | 000,000,000 | ---D | M] -- C:\Program Files\CamStudio
[2010/01/04 16:39:24 | 000,000,000 | ---D | M] -- C:\Program Files\CCleaner
[2010/01/04 16:40:12 | 000,000,000 | ---D | M] -- C:\Program Files\CDBurnerXP
[2010/07/27 11:14:46 | 000,000,000 | ---D | M] -- C:\Program Files\Common Files
[2010/01/04 16:24:46 | 000,000,000 | ---D | M] -- C:\Program Files\ComPlus Applications
[2010/01/05 11:06:17 | 000,000,000 | ---D | M] -- C:\Program Files\Firefox
[2010/05/31 08:59:23 | 000,000,000 | ---D | M] -- C:\Program Files\FoxyTunes
[2010/06/28 21:11:33 | 000,000,000 | ---D | M] -- C:\Program Files\GIMP-2.0
[2010/03/02 22:50:22 | 000,000,000 | -H-D | M] -- C:\Program Files\InstallShield Installation Information
[2010/06/10 22:20:59 | 000,000,000 | ---D | M] -- C:\Program Files\Internet Explorer
[2010/01/04 16:39:30 | 000,000,000 | ---D | M] -- C:\Program Files\IZArc
[2010/01/19 06:46:04 | 000,000,000 | ---D | M] -- C:\Program Files\Java
[2010/01/04 16:40:48 | 000,000,000 | ---D | M] -- C:\Program Files\JRE
[2010/06/10 22:37:02 | 000,000,000 | ---D | M] -- C:\Program Files\Logitech
[2010/07/27 02:53:23 | 000,000,000 | ---D | M] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/01/04 16:22:40 | 000,000,000 | ---D | M] -- C:\Program Files\Messenger
[2010/03/03 04:00:36 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft CAPICOM 2.1.0.2
[2010/01/04 16:34:12 | 000,000,000 | ---D | M] -- C:\Program Files\microsoft frontpage
[2010/06/04 03:00:29 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft Silverlight
[2010/03/11 04:03:59 | 000,000,000 | ---D | M] -- C:\Program Files\Movie Maker
[2010/07/27 02:26:46 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox
[2010/01/04 16:31:27 | 000,000,000 | ---D | M] -- C:\Program Files\MSBuild
[2010/01/04 16:22:03 | 000,000,000 | ---D | M] -- C:\Program Files\MSN
[2010/01/04 16:22:36 | 000,000,000 | ---D | M] -- C:\Program Files\MSN Gaming Zone
[2010/01/04 16:23:26 | 000,000,000 | ---D | M] -- C:\Program Files\MSXML 4.0
[2010/01/04 16:26:18 | 000,000,000 | ---D | M] -- C:\Program Files\NetMeeting
[2010/06/15 09:54:57 | 000,000,000 | ---D | M] -- C:\Program Files\Norton Security Suite
[2010/06/15 09:54:29 | 000,000,000 | ---D | M] -- C:\Program Files\NortonInstaller
[2010/01/04 16:27:01 | 000,000,000 | ---D | M] -- C:\Program Files\Online Services
[2010/01/04 16:40:46 | 000,000,000 | ---D | M] -- C:\Program Files\OpenOffice.org 3
[2010/05/13 12:39:30 | 000,000,000 | ---D | M] -- C:\Program Files\Outlook Express
[2010/05/25 15:11:51 | 000,000,000 | ---D | M] -- C:\Program Files\QuickTime
[2010/01/04 16:31:24 | 000,000,000 | ---D | M] -- C:\Program Files\Reference Assemblies
[2010/03/18 16:53:47 | 000,000,000 | ---D | M] -- C:\Program Files\SecondLifeBetaViewer
[2010/01/05 12:00:44 | 000,000,000 | ---D | M] -- C:\Program Files\Spybot - Search & Destroy
[2010/06/15 09:55:21 | 000,000,000 | ---D | M] -- C:\Program Files\Symantec
[2010/01/04 16:45:44 | 000,000,000 | -H-D | M] -- C:\Program Files\Uninstall Information
[2010/01/04 16:39:34 | 000,000,000 | ---D | M] -- C:\Program Files\VideoLAN
[2010/01/05 04:20:59 | 000,000,000 | ---D | M] -- C:\Program Files\Windows Desktop Search
[2010/01/04 16:26:52 | 000,000,000 | ---D | M] -- C:\Program Files\Windows Media Connect 2
[2010/01/04 16:28:37 | 000,000,000 | ---D | M] -- C:\Program Files\Windows Media Player
[2010/01/04 16:22:27 | 000,000,000 | ---D | M] -- C:\Program Files\Windows NT
[2010/06/15 09:54:56 | 000,000,000 | ---D | M] -- C:\Program Files\Windows Sidebar
[2010/01/04 16:27:06 | 000,000,000 | -H-D | M] -- C:\Program Files\WindowsUpdate
[2010/01/04 16:34:12 | 000,000,000 | ---D | M] -- C:\Program Files\xerox
[2010/01/06 16:35:38 | 000,000,000 | ---D | M] -- C:\Program Files\Yahoo!

< %appdata%\*.* >
[2010/01/04 11:14:28 | 000,000,062 | -HS- | M] () -- C:\Documents and Settings\Owner\Application Data\desktop.ini
[2010/04/05 15:29:56 | 000,000,760 | ---- | M] () -- C:\Documents and Settings\Owner\Application Data\setup_ldm.iss


< MD5 for: ATAPI.SYS >
[2008/04/13 20:10:32 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ERDNT\cache\atapi.sys
[2008/04/13 20:10:32 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys

< MD5 for: DISK.SYS >
[2001/08/23 05:00:00 | 000,036,352 | ---- | M] (Microsoft Corporation) MD5=47B6AAEC570F2C11D8BAD80A064D8ED1 -- C:\WINDOWS\system32\drivers\disk.sys

< MD5 for: EVENTLOG.DLL >
[2001/08/23 05:00:00 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ERDNT\cache\eventlog.dll
[2001/08/23 05:00:00 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\dllcache\eventlog.dll
[2001/08/23 05:00:00 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll

< MD5 for: NETLOGON.DLL >
[2001/08/23 05:00:00 | 000,407,552 | ---- | M] (Microsoft Corporation) MD5=DAB13813B25B3D009B2AC1194CF5D0A2 -- C:\WINDOWS\ERDNT\cache\netlogon.dll
[2001/08/23 05:00:00 | 000,407,552 | ---- | M] (Microsoft Corporation) MD5=DAB13813B25B3D009B2AC1194CF5D0A2 -- C:\WINDOWS\system32\dllcache\netlogon.dll
[2001/08/23 05:00:00 | 000,407,552 | ---- | M] (Microsoft Corporation) MD5=DAB13813B25B3D009B2AC1194CF5D0A2 -- C:\WINDOWS\system32\netlogon.dll

< MD5 for: SCECLI.DLL >
[2001/08/23 05:00:00 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ERDNT\cache\scecli.dll
[2001/08/23 05:00:00 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\dllcache\scecli.dll
[2001/08/23 05:00:00 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll

< MD5 for: USBSTOR.SYS >
[2008/04/14 01:15:40 | 000,026,368 | ---- | M] (Microsoft Corporation) MD5=A32426D9B14A089EAA1D922E0C5801A9 -- C:\WINDOWS\system32\dllcache\usbstor.sys
[2008/04/14 01:15:40 | 000,026,368 | ---- | M] (Microsoft Corporation) MD5=A32426D9B14A089EAA1D922E0C5801A9 -- C:\WINDOWS\system32\drivers\USBSTOR.SYS

< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs >
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install\\LastSuccessTime: 2010-07-14 07:02:06
< End of report >

descriptionWhistler Bootkit O.o EmptyRe: Whistler Bootkit O.o

more_horiz
Hello, and welcome to GeekPolice.

Please note the following information about the malware forum:
  • Only Tech Officers, Global Moderators, Administrators, and Malware Advisors are allowed to give advice on removing malware from your computer.
  • From this point on, please do not make any more changes to your computer; such as install/uninstall programs, use special fix tools, delete files, edit the registry, etc. - unless advised by the staff I noted above.
  • Please do not ask for help elsewhere (in this site or other sites). Doing so can result in system changes, which may not show up in the logs you post.
  • If you have already asked for help somewhere, please post the link to the topic you were helped.
  • We try our best to reply quickly, but for any reason we do not reply in two days, do one of two things:

    Reply to this topic with the word BUMP, or
    see this topic.


  • Please leave all text at its default color so it is easier to read.

  • Lastly, keep in mind that we are volunteers, so you do not have to pay for malware removal. Persist in this topic until its close, and your computer is declared clean.





We need to do some diagnostics to get started.

1. Please download and run RKill.

Download mirror 1 - Download mirror 2 - Download mirror 3

  • Save it to your Desktop.
  • Double click the RKill desktop icon.
  • It will quickly run and launch a log. If it does not launch a log, try another download link until it does.
  • Please post its log in your next reply.
  • After it has run successfully, delete RKill.

Note: This tool only kills the active infection, the actual infection will not be gone. Once you reboot the infection will be active again! Please do not reboot until instructed further to do so.

2. Download MBRCheck to your desktop.
  • Double click MBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator).
  • It will show a black screen with some data on it.
  • A report called MBRcheckxxxx.txt will be on your desktop
  • Open this report and post its content in your next reply.


3. Please download Cheetah-Anti-Rogue by me, and save to your Desktop.
  • Double-click on Cheetah-Anti-Rogue.zip, and extract the file to your Desktop.
  • Double-click on Cheetah-Anti-Rogue.cmd to start.
  • It will finish quickly and launch a log.
  • Post the contents of it in your next reply.


4. In your next reply, please post the following logs for my review:
  • MBRCheck log (2)
  • Cheetah log (3)


Thanks! Smile...

descriptionWhistler Bootkit O.o EmptyRe: Whistler Bootkit O.o

more_horiz
I see you have posted here: http://forums.techguy.org/virus-other-malware-removal/938776-hearing-ads-links-clicking-help.html

Please reply to that topic at TechGuy, and tell them you are getting help here.

descriptionWhistler Bootkit O.o EmptyRe: Whistler Bootkit O.o

more_horiz
Ok I Did...Thanks

descriptionWhistler Bootkit O.o EmptyRe: Whistler Bootkit O.o

more_horiz
This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.
Ran as Owner on 07/27/2010 at 20:05:39.


Processes terminated by Rkill or while it was running:


C:\Documents and Settings\Owner\My Documents\Downloads\rkill.com


Rkill completed on 07/27/2010 at 20:05:46.



When I Download It Doesn't Give Me The Option To Save It To My Desk Top Im Using Firefox And I Can't Seem To Find It To Delete It What To I dO To Find It...

descriptionWhistler Bootkit O.o EmptyRe: Whistler Bootkit O.o

more_horiz
MBRCheck, version 1.1.1

(c) 2010, AD



\\.\C: --> \\.\PhysicalDrive0



Size Device Name MBR Status

--------------------------------------------

298 GB \\.\PhysicalDrive0 Unknown MBR code





Found non-standard or infected MBR.

Enter 'Y' and hit ENTER for more options, or 'N' to exit:



Done! Press ENTER to exit...







Cheetah-Anti-Rogue v1.5.1
by DragonMaster Jay

Microsoft Windows XP [Version 5.1.2600]
Date: 07/27/2010 - Time: 20:24:27 - Arch.: x86


-- Malware removal tools check --
CCleaner
Malwarebytes' Anti-Malware


-- Known infection --

C:\DOCUME~1\Owner\LOCALS~1\Temp\B.tmp (PDF.GEN-Exploit)
C:\DOCUME~1\Owner\LOCALS~1\Temp\8.tmp (HEUR:::Trj.Bredavi-Backdoor)
C:\WINDOWS\system32\dllcache\ndis.sys (HEUR:::Rtk.Agent)(!!The legit C:\WINDOWS\system32\drivers\ndis.sys may be infected!!)


Extra message: Detection only.


EOF


Sad tearing lol I Did It...O.o

descriptionWhistler Bootkit O.o EmptyRe: Whistler Bootkit O.o

more_horiz
Oh Yea I Found It To Delete It...

descriptionWhistler Bootkit O.o EmptyRe: Whistler Bootkit O.o

more_horiz
Fix MBR using MBRCheck

  • Run MBRCheck.exe
  • Wait until you see the following line: Enter 'Y' and hit ENTER for more options, or 'N' to exit:
  • Please push the 'Y' key and then press Enter
  • When program ask you Enter your choice: enter 2 and press the Enter key
  • Now the program will ask you "Enter the physical disk number to fix (0-99, -1 to cancel):"
  • Enter 0 and press the Enter key.
  • The program will show Available MBR codes:, followed by a list of operating systems. Please enter 1 for Windows XP, and then press Enter.
  • When asked Do you want to fix the MBR code? type in YES and press enter
  • Restart your PC.





ComboFix

Note: the following tool is to only be used under the guidance of a malware helper. In the event you already have the tool, please delete the old copy and download a new copy.

Please download ComboFix Whistler Bootkit O.o Combofix from BleepingComputer.com

Alternate link: GeeksToGo.com

Alternate link: Forospyware.com (Click the green button on the page to download it).

Rename ComboFix.exe to combo-fix.exe before you save it to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools A guide to do this can be found here
  • Click Start>Run then copy paste the following command into the Run box & click OK "%userprofile%\desktop\combo-fix.exe" /killall
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed.

    *NOTE*: If you already have the Recovery Console installed, ComboFix will skip this part and will continue scanning for malware.

    With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console

Whistler Bootkit O.o Query_RC
Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
Whistler Bootkit O.o RC_successful

  • Click on Yes, to continue scanning for malware.
  • When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply.





In your next reply, please provide the following logs along with a list of current symptoms after the scan was run:
  • Re-run MBRCheck and post a new log.
  • ComboFix log

descriptionWhistler Bootkit O.o EmptyRe: Whistler Bootkit O.o

more_horiz
ComboFix 10-07-27.02 - Owner 07/28/2010 1:07.3.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.636 [GMT -4:00]
Running from: c:\documents and settings\Owner\desktop\combo-fix.exe
Command switches used :: /killall
AV: Norton Security Suite *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Security Suite *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

Infected copy of c:\windows\system32\msgsvc.dll was found and disinfected
Restored copy from - c:\windows\ERDNT\cache\msgsvc.dll

.
((((((((((((((((((((((((( Files Created from 2010-06-28 to 2010-07-28 )))))))))))))))))))))))))))))))
.

2010-07-28 00:46 . 2010-07-28 00:47 -------- d-----w- c:\documents and settings\Owner\Application Data\IMVUClient
2010-07-27 04:21 . 2010-07-27 04:21 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
2010-07-27 04:20 . 2010-07-27 04:20 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Yahoo
2010-07-27 04:20 . 2010-07-27 04:20 -------- d-----w- c:\documents and settings\LocalService\Application Data\Toolbar4
2010-07-27 04:20 . 2010-07-27 04:20 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Yahoo!
2010-07-27 04:20 . 2010-07-27 04:20 -------- d-----w- c:\documents and settings\LocalService\Application Data\Yahoo!
2010-07-27 03:55 . 2010-07-27 03:55 -------- d-----w- C:\N360_BACKUP
2010-07-16 18:10 . 2010-07-16 18:10 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Unity
2010-07-05 18:05 . 2010-07-05 18:05 -------- d-----w- c:\program files\Audacity
2010-06-29 12:38 . 2010-06-29 12:38 -------- d-----w- c:\documents and settings\Owner\Application Data\IMVU Previewer
2010-06-29 12:32 . 2010-06-29 12:32 -------- d-----w- C:\3dsmax7
2010-06-29 01:40 . 2010-07-02 13:07 -------- d-----w- c:\documents and settings\Owner\Application Data\gtk-2.0
2010-06-29 01:39 . 2010-06-29 01:39 -------- d-----w- c:\documents and settings\Owner\.thumbnails
2010-06-29 01:12 . 2010-07-02 13:08 -------- d-----w- c:\documents and settings\Owner\.gimp-2.6
2010-06-29 01:11 . 2010-06-29 01:11 -------- d-----w- c:\program files\GIMP-2.0

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-28 05:20 . 2010-05-26 07:15 -------- d-----w- c:\documents and settings\Owner\Application Data\IMVU
2010-07-27 15:00 . 2010-01-19 08:19 -------- d-----w- c:\program files\Common Files\AOL
2010-07-27 14:52 . 2010-06-04 23:39 -------- d-----w- c:\documents and settings\Owner\Application Data\Toolbar4
2010-07-27 06:53 . 2010-01-04 20:41 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-27 05:56 . 2010-01-04 20:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-07-24 23:27 . 2010-06-04 23:48 -------- d-----w- c:\program files\CamStudio
2010-06-15 20:02 . 2010-06-15 13:55 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-06-15 13:55 . 2010-06-15 13:55 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-06-15 13:55 . 2010-06-15 13:55 7443 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-06-15 13:55 . 2010-06-15 13:55 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-06-15 13:55 . 2010-06-15 13:55 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-06-15 13:55 . 2010-06-15 13:55 -------- d-----w- c:\program files\Symantec
2010-06-15 13:54 . 2010-06-15 13:54 -------- d-----w- c:\program files\Norton Security Suite
2010-06-15 13:54 . 2010-06-15 13:54 -------- d-----w- c:\program files\Windows Sidebar
2010-06-15 13:54 . 2010-06-15 13:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-06-15 13:54 . 2010-06-15 13:54 -------- d-----w- c:\program files\NortonInstaller
2010-06-15 13:54 . 2010-06-15 13:54 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2010-06-15 13:54 . 2010-01-06 20:17 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-06-14 14:31 . 2010-01-04 20:25 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-11 02:37 . 2010-03-03 02:45 -------- d-----w- c:\program files\Logitech
2010-06-11 02:36 . 2010-06-11 02:36 -------- d-----w- c:\documents and settings\Owner\Application Data\Leadertech
2010-06-11 02:36 . 2010-03-03 02:45 -------- d-----w- c:\program files\Common Files\LogiShrd
2010-06-11 02:31 . 2010-03-03 02:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Logishrd
2010-06-04 07:00 . 2010-01-04 20:23 -------- d-----w- c:\program files\Microsoft Silverlight
2010-05-31 12:59 . 2010-05-31 12:59 -------- d-----w- c:\documents and settings\Owner\Application Data\FoxyTunes
2010-05-31 12:59 . 2010-05-31 12:59 -------- d-----w- c:\program files\FoxyTunes
2010-05-06 10:41 . 2001-08-23 09:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 16:04 . 2001-08-23 09:00 1860352 ----a-w- c:\windows\system32\win32k.sys
2010-04-29 19:39 . 2010-01-04 20:41 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 19:39 . 2010-01-04 20:41 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
.

((((((((((((((((((((((((((((( SnapShot@2010-07-27_15.22.19 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-07-28 05:18 . 2010-07-28 05:18 16384 c:\windows\Temp\Perflib_Perfdata_84.dat
+ 2010-07-28 05:19 . 2010-07-28 05:19 16384 c:\windows\Temp\Perflib_Perfdata_148.dat
- 2001-08-23 09:00 . 2010-07-27 15:00 71264 c:\windows\system32\perfc009.dat
+ 2001-08-23 09:00 . 2010-07-28 04:55 71264 c:\windows\system32\perfc009.dat
+ 2010-01-04 20:35 . 2010-07-27 23:52 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2010-01-04 20:35 . 2010-07-27 15:19 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2010-01-04 20:35 . 2010-07-27 15:19 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2010-01-04 20:35 . 2010-07-27 23:52 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2010-07-28 05:18 . 2009-10-07 05:47 109080 c:\windows\Temp\logishrd\LVPrcInj01.dll
- 2010-07-27 15:19 . 2010-07-27 15:22 109080 c:\windows\Temp\logishrd\LVPrcInj01.dll
- 2001-08-23 09:00 . 2010-07-27 15:00 441454 c:\windows\system32\perfh009.dat
+ 2001-08-23 09:00 . 2010-07-28 04:55 441454 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe" [2009-11-10 5244216]
"Logitech Vid"="c:\program files\Logitech\Logitech Vid\vid.exe" [2009-07-16 5458704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-28 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-28 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-28 137752]
"RTHDCPL"="RTHDCPL.EXE" [2008-04-10 16861184]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"LogitechQuickCamRibbon"="c:\program files\Logitech\Logitech WebCam Software\LWS.exe" [2009-10-14 2793304]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
IMVU.lnk - c:\documents and settings\Owner\Application Data\IMVUClient\IMVUQualityAgent.exe [2010-7-12 21760]
OpenOffice.org 3.1.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-4-16 384000]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2010-1-4 128000]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMConfigurePrograms"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Logitech\\Logitech Vid\\Vid.exe"=

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360\0402000.00C\symds.sys [6/15/2010 10:37 PM 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0402000.00C\symefa.sys [6/15/2010 10:37 PM 173104]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\BASHDefs\20100709.001\BHDrvx86.sys [7/12/2010 7:27 PM 691248]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\N360\0402000.00C\cchpx86.sys [6/15/2010 10:37 PM 501888]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360\0402000.00C\ironx86.sys [6/15/2010 10:37 PM 116784]
R2 N360;Norton Security Suite;c:\program files\Norton Security Suite\Engine\4.2.0.12\ccsvchst.exe [6/15/2010 10:37 PM 126392]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [6/23/2010 12:17 PM 102448]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\IPSDefs\20100723.001\IDSXpx86.sys [7/23/2010 10:58 PM 331640]
.
Contents of the 'Scheduled Tasks' folder

2010-07-21 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com
mStart Page = hxxp://www.yahoo.com
uInternet Connection Wizard,ShellNext = "c:\program files\Outlook Express\msimn.exe"
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Owner\Start Menu\Programs\IMVU\Run IMVU.lnk
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\2fgjljis.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\coFFPlgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\IPSFFPlgn\components\IPSFFPl.dll
FF - component: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\2fgjljis.default\extensions\{90b49673-5506-483e-b92b-ca0265bd9ca8}\components\FFExternalAlert.dll
FF - component: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\2fgjljis.default\extensions\{90b49673-5506-483e-b92b-ca0265bd9ca8}\components\RadioWMPCore.dll
FF - plugin: c:\documents and settings\Owner\Local Settings\Application Data\Unity\WebPlayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdnupdater2.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(yahoo.homepage.dontask, truec:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-28 01:18
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\N360]
"ImagePath"=""c:\program files\Norton Security Suite\Engine\4.2.0.12\ccSvcHst.exe" /s "N360" /m "c:\program files\Norton Security Suite\Engine\4.2.0.12\diMaster.dll" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,91,33,86,3e,4d,61,b4,41,ab,8f,99,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,91,33,86,3e,4d,61,b4,41,ab,8f,99,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2840)
c:\windows\system32\WININET.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\CDBurnerXP\NMSAccessU.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\windows\system32\SearchIndexer.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\RTHDCPL.EXE
c:\program files\OpenOffice.org 3\program\soffice.exe
c:\program files\OpenOffice.org 3\program\soffice.bin
c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe
c:\windows\system32\SearchProtocolHost.exe
c:\windows\system32\SearchFilterHost.exe
.
**************************************************************************
.
Completion time: 2010-07-28 01:27:38 - machine was rebooted
ComboFix-quarantined-files.txt 2010-07-28 05:27
ComboFix2.txt 2010-07-28 05:01
ComboFix3.txt 2010-07-27 15:30

Pre-Run: 251,397,509,120 bytes free
Post-Run: 251,379,601,408 bytes free

- - End Of File - - ED5968F64F40250DBD930F0D469A10D1







MBRCheck, version 1.1.1

(c) 2010, AD



\\.\C: --> \\.\PhysicalDrive0



Size Device Name MBR Status

--------------------------------------------

298 GB \\.\PhysicalDrive0 Windows XP MBR code detected





Done! Press ENTER to exit...


descriptionWhistler Bootkit O.o EmptyRe: Whistler Bootkit O.o

more_horiz
Please download 7-Zip and install it. If you already have it, no need to reinstall.

Then, download RootkitUnhooker and save the setup to your Desktop.

  • Right-click on the RootkitUnhooker setup and mouse-over 7-Zip then click Extract to "RKU***"
  • Once that is done, enter the folder, and double-click on the setup file. Navigate through setup and finish.
  • Once that is done, you will see another folder that was created inside the RKU folder. Enter that folder, and double-click on the randomly named file. (It will be alpha-numeric and have an EXE extension on it.)
  • It will initialize itself and load the scanner. It will also install its driver. Please wait for the interface to begin.
  • Once inside the interface, do not fix anything. Click on the Report tab.
  • Next, click on the Scan button and a popup will show. Make sure all are checked, then click on OK. It will begin scanning. When it gets to the Files tab, it will ask you what drives to scan. Just select C:\ and hit OK.
  • It will finish in about 5 minutes or a little longer depending on how badly infected the system is, or if your security software is enabled.
  • When finished, it will show the report in the Report tab. Please copy all of it, and post it in your next reply. Depending on how large the log is, you may have to use two or three posts to get all the information in.

descriptionWhistler Bootkit O.o EmptyRe: Whistler Bootkit O.o

more_horiz
RkU Version: 3.8.388.590, Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 3)
Number of processors #2
==============================================
>SSDT State
==============================================
ntkrnlpa.exe-->NtAlertResumeThread, Type: Address change 0x805D4B4E-->85622448 [Unknown module filename]
ntkrnlpa.exe-->NtAlertThread, Type: Address change 0x805D4AFE-->8612DD30 [Unknown module filename]
ntkrnlpa.exe-->NtAllocateVirtualMemory, Type: Address change 0x805A8AAC-->85557840 [Unknown module filename]
ntkrnlpa.exe-->NtAssignProcessToJobObject, Type: Address change 0x805D6612-->85613050 [Unknown module filename]
ntkrnlpa.exe-->NtConnectPort, Type: Address change 0x805A45C2-->861479B8 [Unknown module filename]
ntkrnlpa.exe-->NtCreateKey, Type: Address change 0x806237F8-->A8FAD210 [C:\WINDOWS\system32\Drivers\SYMEVENT.SYS]
ntkrnlpa.exe-->NtCreateMutant, Type: Address change 0x80616DA6-->8554BE00 [Unknown module filename]
ntkrnlpa.exe-->NtCreateSymbolicLinkObject, Type: Address change 0x805C39D2-->855454B0 [Unknown module filename]
ntkrnlpa.exe-->NtCreateThread, Type: Address change 0x805D1002-->861F5E78 [Unknown module filename]
ntkrnlpa.exe-->NtDebugActiveProcess, Type: Address change 0x8064323E-->8559A050 [Unknown module filename]
ntkrnlpa.exe-->NtDeleteKey, Type: Address change 0x80623C94-->A8FAD490 [C:\WINDOWS\system32\Drivers\SYMEVENT.SYS]
ntkrnlpa.exe-->NtDeleteValueKey, Type: Address change 0x80623E64-->A8FAD9F0 [C:\WINDOWS\system32\Drivers\SYMEVENT.SYS]
ntkrnlpa.exe-->NtDuplicateObject, Type: Address change 0x805BDFE0-->85557AD8 [Unknown module filename]
ntkrnlpa.exe-->NtFreeVirtualMemory, Type: Address change 0x805B2F8A-->85556EB8 [Unknown module filename]
ntkrnlpa.exe-->NtImpersonateAnonymousToken, Type: Address change 0x805F8A80-->85CFC540 [Unknown module filename]
ntkrnlpa.exe-->NtImpersonateThread, Type: Address change 0x805D77D2-->85CDDC88 [Unknown module filename]
ntkrnlpa.exe-->NtLoadDriver, Type: Address change 0x8058413A-->861F9320 [Unknown module filename]
ntkrnlpa.exe-->NtMapViewOfSection, Type: Address change 0x805B2012-->85556CD8 [Unknown module filename]
ntkrnlpa.exe-->NtOpenEvent, Type: Address change 0x8060E764-->8559F050 [Unknown module filename]
ntkrnlpa.exe-->NtOpenProcess, Type: Address change 0x805CB42A-->85557DB8 [Unknown module filename]
ntkrnlpa.exe-->NtOpenProcessToken, Type: Address change 0x805ED736-->8613D388 [Unknown module filename]
ntkrnlpa.exe-->NtOpenSection, Type: Address change 0x805AA3DE-->85CCE050 [Unknown module filename]
ntkrnlpa.exe-->NtOpenThread, Type: Address change 0x805CB6B6-->85557C28 [Unknown module filename]
ntkrnlpa.exe-->NtProtectVirtualMemory, Type: Address change 0x805B83F6-->85545B80 [Unknown module filename]
ntkrnlpa.exe-->NtResumeThread, Type: Address change 0x805D498A-->861CEE90 [Unknown module filename]
ntkrnlpa.exe-->NtSetContextThread, Type: Address change 0x805D1724-->855AB050 [Unknown module filename]
ntkrnlpa.exe-->NtSetInformationProcess, Type: Address change 0x805CDE74-->85556A40 [Unknown module filename]
ntkrnlpa.exe-->NtSetSystemInformation, Type: Address change 0x8060F41C-->85614050 [Unknown module filename]
ntkrnlpa.exe-->NtSetValueKey, Type: Address change 0x80621D6A-->A8FADC40 [C:\WINDOWS\system32\Drivers\SYMEVENT.SYS]
ntkrnlpa.exe-->NtSuspendProcess, Type: Address change 0x805D4A52-->85CD5050 [Unknown module filename]
ntkrnlpa.exe-->NtSuspendThread, Type: Address change 0x805D48C4-->85CDE050 [Unknown module filename]
ntkrnlpa.exe-->NtTerminateProcess, Type: Address change 0x805D29B2-->861DA340 [Unknown module filename]
ntkrnlpa.exe-->NtTerminateThread, Type: Address change 0x805D2BAC-->85CE0050 [Unknown module filename]
ntkrnlpa.exe-->NtUnmapViewOfSection, Type: Address change 0x805B2E20-->8617F128 [Unknown module filename]
ntkrnlpa.exe-->NtWriteVirtualMemory, Type: Address change 0x805B43A4-->855573B0 [Unknown module filename]
==============================================
>Shadow
==============================================
win32k.sys-->NtUserAttachThreadInput, Type: Address change 0xBF8F546C-->86444FD0 [Unknown module filename]
win32k.sys-->NtUserGetAsyncKeyState, Type: Address change 0xBF83C8BA-->86442A60 [Unknown module filename]
win32k.sys-->NtUserGetKeyboardState, Type: Address change 0xBF878E45-->8647EB40 [Unknown module filename]
win32k.sys-->NtUserGetKeyState, Type: Address change 0xBF81C743-->86444718 [Unknown module filename]
win32k.sys-->NtUserGetRawInputData, Type: Address change 0xBF9162ED-->86468008 [Unknown module filename]
win32k.sys-->NtUserMessageCall, Type: Address change 0xBF80EE6D-->8633A5A8 [Unknown module filename]
win32k.sys-->NtUserPostMessage, Type: Address change 0xBF8082E6-->86378B20 [Unknown module filename]
win32k.sys-->NtUserPostThreadMessage, Type: Address change 0xBF87EA68-->86352338 [Unknown module filename]
win32k.sys-->NtUserSetWindowsHookEx, Type: Address change 0xBF878F05-->86461E38 [Unknown module filename]
win32k.sys-->NtUserSetWinEventHook, Type: Address change 0xBF8F97F8-->85621E98 [Unknown module filename]
==============================================
>Processes
==============================================
0x865C4A00 [4] System
0x8522F7D0 [132] C:\Program Files\Java\jre6\bin\jqs.exe (Sun Microsystems, Inc., Java(TM) Quick Starter Service)
0x8622F938 [192] C:\Program Files\Norton Security Suite\Engine\4.2.0.12\ccsvchst.exe (Symantec Corporation, Symantec Service Framework)
0x850DB990 [328] C:\Program Files\Norton Security Suite\Engine\4.2.0.12\ccsvchst.exe (Symantec Corporation, Symantec Service Framework)
0x85EB9378 [424] C:\Program Files\CDBurnerXP\NMSAccessU.exe
0x84FA8990 [460] C:\WINDOWS\system32\svchost.exe (Microsoft Corporation, Generic Host Process for Win32 Services)
0x851CB378 [536] C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe (Yahoo! Inc., AutoUpater Service Module)
0x8645EDA0 [608] C:\WINDOWS\system32\smss.exe (Microsoft Corporation, Windows NT Session Manager)
0x85348930 [656] C:\WINDOWS\system32\csrss.exe (Microsoft Corporation, Client Server Runtime Process)
0x84FB02D8 [680] C:\WINDOWS\system32\winlogon.exe (Microsoft Corporation, Windows NT Logon Application)
0x862F8DA0 [724] C:\WINDOWS\system32\services.exe (Microsoft Corporation, Services and Controller app)
0x86390BC8 [736] C:\WINDOWS\system32\lsass.exe (Microsoft Corporation, LSA Shell (Export Version))
0x851B2B98 [744] C:\WINDOWS\system32\searchindexer.exe (Microsoft Corporation, Microsoft Windows Search Indexer)
0x8633C5E0 [904] C:\WINDOWS\system32\svchost.exe (Microsoft Corporation, Generic Host Process for Win32 Services)
0x84FC1DA0 [972] C:\WINDOWS\system32\svchost.exe (Microsoft Corporation, Generic Host Process for Win32 Services)
0x863AB9A0 [1068] C:\WINDOWS\system32\svchost.exe (Microsoft Corporation, Generic Host Process for Win32 Services)
0x8626C020 [1164] C:\WINDOWS\system32\svchost.exe (Microsoft Corporation, Generic Host Process for Win32 Services)
0x8623E570 [1292] C:\WINDOWS\system32\svchost.exe (Microsoft Corporation, Generic Host Process for Win32 Services)
0x84FFB730 [1372] C:\WINDOWS\system32\searchprotocolhost.exe (Microsoft Corporation, Microsoft Windows Search Protocol Host)
0x84FFB378 [1424] C:\WINDOWS\system32\spoolsv.exe (Microsoft Corporation, Spooler SubSystem App)
0x850E4990 [2008] C:\WINDOWS\system32\svchost.exe (Microsoft Corporation, Generic Host Process for Win32 Services)
0x84C4A108 [2056] C:\WINDOWS\system32\ctfmon.exe (Microsoft Corporation, CTF Loader)
0x858F8DA0 [2120] C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation, Internet Explorer)
0x86314DA0 [2136] C:\WINDOWS\system32\alg.exe (Microsoft Corporation, Application Layer Gateway Service)
0x84F4F8D8 [2524] C:\PROGRA~1\IZArc\IZArc.exe (IZSoftware, IZArc Archiver)
0x859114E8 [2528] C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (Yahoo! Inc., Yahoo! Messenger)
0x84F37020 [2840] C:\WINDOWS\explorer.exe (Microsoft Corporation, Windows Explorer)
0x84D6B188 [2960] C:\WINDOWS\system32\searchfilterhost.exe (Microsoft Corporation, Microsoft Windows Search Filter Host)
0x84E9C020 [2992] C:\WINDOWS\system32\wbem\wmiprvse.exe (Microsoft Corporation, WMI)
0x84F48020 [3024] C:\WINDOWS\system32\igfxtray.exe (Intel Corporation, igfxTray Module)
0x84F669C0 [3036] C:\WINDOWS\system32\hkcmd.exe (Intel Corporation, hkcmd Module)
0x84F61020 [3096] C:\WINDOWS\system32\igfxpers.exe (Intel Corporation, persistence Module)
0x84F48990 [3152] C:\WINDOWS\system32\igfxsrvc.exe (Intel Corporation, igfxsrvc Module)
0x85067690 [3164] C:\WINDOWS\RTHDCPL.EXE (Realtek Semiconductor Corp., Realtek HD Audio Control Panel)
0x84F09020 [3324] C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc., Java(TM) Platform SE binary)
0x851DB990 [3416] C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe (-, -)
0x84EFBB98 [3488] C:\Program Files\Logitech\Logitech Vid\Vid.exe (Logitech Inc., Logitech Vid)
0x84EE4020 [3544] C:\Program Files\Windows Desktop Search\WindowsSearch.exe (Microsoft Corporation, Windows Search System Tray)
0x84EDC580 [3580] C:\WINDOWS\system32\svchost.exe (Microsoft Corporation, Generic Host Process for Win32 Services)
0x84EC3DA0 [3732] C:\Program Files\OpenOffice.org 3\program\soffice.exe (OpenOffice.org, OpenOffice.org 3.1)
0x84EAD460 [3760] C:\Program Files\OpenOffice.org 3\program\soffice.bin (OpenOffice.org, OpenOffice.org 3.1)
0x84EB0B98 [3772] C:\Program Files\Common Files\LogiShrd\LQCVFX\COCIManager.exe (-, -)
0x8463ADA0 [3808] C:\Documents and Settings\Owner\Desktop\RkU3.8.388.590\MustBeRandomlyNamed\gpHna2G6cu0.exe (UG North, RKULE, SR2 Normandy)
0x85CEB498 [3856] C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation, Internet Explorer)
0x84DE6DA0 [3992] C:\Program Files\Java\jre6\bin\jucheck.exe (Sun Microsystems, Inc., Java(TM) Update Checker)
==============================================
>Drivers
==============================================
0xF57A4000 C:\WINDOWS\system32\DRIVERS\igxpmp32.sys 5857280 bytes (Intel Corporation, Intel Graphics Miniport Driver)
0xAA31A000 C:\WINDOWS\system32\drivers\RtkHDAud.sys 4874240 bytes (Realtek Semiconductor Corp., Realtek(r) High Definition Audio Function Driver)
0xBF1E7000 C:\WINDOWS\System32\igxpdx32.DLL 2699264 bytes (Intel Corporation, DirectDraw(R) Driver for Intel(R) Graphics Technology)
0xA75AD000 C:\WINDOWS\system32\DRIVERS\LV302V32.SYS 2682880 bytes (Logitech Inc., Logitech Webcam Software Driver)
0x804D7000 C:\WINDOWS\system32\ntkrnlpa.exe 2150400 bytes (Microsoft Corporation, NT Kernel & System)
0x804D7000 PnpManager 2150400 bytes
0x804D7000 RAW 2150400 bytes
0x804D7000 WMIxWDM 2150400 bytes
0xBF800000 Win32k 1863680 bytes
0xBF800000 C:\WINDOWS\System32\win32k.sys 1863680 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0xBF04F000 C:\WINDOWS\System32\igxpdv32.DLL 1671168 bytes (Intel Corporation, Component GHAL Driver)
0xA55FC000 C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\VirusDefs\20100728.002\NAVEX15.SYS 1359872 bytes (Symantec Corporation, AV Engine)
0xA7CCF000 C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\BASHDefs\20100709.001\BHDrvx86.sys 704512 bytes (Symantec Corporation, BASH Driver)
0xF72B8000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)
0xA7D7B000 C:\WINDOWS\system32\drivers\N360\0402000.00C\ccHPx86.sys 520192 bytes (Symantec Corporation, Common Client Hash Provider Driver)
0xA7F15000 C:\WINDOWS\system32\DRIVERS\mrxsmb.sys 458752 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
0xA7E17000 C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys 385024 bytes (Symantec Corporation, Symantec Eraser Control Driver)
0xF55EB000 C:\WINDOWS\system32\DRIVERS\update.sys 385024 bytes (Microsoft Corporation, Update Driver)
0xA9039000 C:\WINDOWS\system32\DRIVERS\tcpip.sys 364544 bytes (Microsoft Corporation, TCP/IP Protocol Driver)
0xA5D74000 C:\WINDOWS\System32\Drivers\N360\0402000.00C\SRTSP.SYS 356352 bytes (Symantec Corporation, Symantec AutoProtect)
0xA6E2D000 C:\WINDOWS\system32\DRIVERS\srv.sys 356352 bytes (Microsoft Corporation, Server driver)
0xA8FBC000 C:\WINDOWS\System32\Drivers\N360\0402000.00C\SYMTDI.SYS 356352 bytes (Symantec Corporation, Network Dispatch Driver)
0xF739B000 SYMDS.SYS 352256 bytes
0xA5A12000 C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\IPSDefs\20100726.001\IDSxpx86.sys 348160 bytes (Symantec Corporation, IDS Core Driver)
0xBFFA0000 C:\WINDOWS\System32\ATMFD.DLL 286720 bytes (Adobe Systems Incorporated, Windows NT OpenType/Type 1 Font Driver)
0xA670C000 C:\WINDOWS\System32\Drivers\HTTP.sys 266240 bytes (Microsoft Corporation, HTTP Protocol Stack)
0xA756D000 C:\WINDOWS\system32\DRIVERS\lvrs.sys 262144 bytes (Logitech Inc., Logitech Kernel Audio Improvement Filter Driver)
0xF7459000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)
0xF728B000 NDIS.sys 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)
0xF735C000 SYMEFA.SYS 184320 bytes
0xA6EAC000 C:\WINDOWS\system32\DRIVERS\mrxdav.sys 180224 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)
0xBF024000 C:\WINDOWS\System32\igxpgd32.dll 176128 bytes (Intel Corporation, Intel Graphics 2D Driver)
0xA55BD000 C:\WINDOWS\system32\drivers\kmixer.sys 176128 bytes (Microsoft Corporation, Kernel Mode Audio Mixer)
0xA7F85000 C:\WINDOWS\system32\DRIVERS\rdbss.sys 176128 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0xF5768000 C:\WINDOWS\system32\DRIVERS\HDAudBus.sys 163840 bytes (Windows (R) Server 2003 DDK provider, High Definition Audio Bus Driver v1.0a)
0xA8F1A000 C:\WINDOWS\system32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)
0xA9013000 C:\WINDOWS\system32\DRIVERS\ipnat.sys 155648 bytes (Microsoft Corporation, IP Network Address Translator)
0xA8F97000 C:\WINDOWS\system32\Drivers\SYMEVENT.SYS 151552 bytes (Symantec Corporation, Symantec Event Library)
0xAA2F6000 C:\WINDOWS\system32\drivers\portcls.sys 147456 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0xF5744000 C:\WINDOWS\system32\DRIVERS\USBPORT.SYS 147456 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0xF570D000 C:\WINDOWS\system32\DRIVERS\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)
0xA8EF8000 C:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0x806E4000 ACPI_HAL 134528 bytes
0x806E4000 C:\WINDOWS\system32\hal.dll 134528 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0xF73F1000 fltMgr.sys 131072 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0xF7429000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver)
0xA8ED9000 C:\WINDOWS\system32\drivers\N360\0402000.00C\Ironx86.SYS 126976 bytes (Symantec Corporation, Iron Driver)
0xA7DFA000 C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys 118784 bytes (Symantec Corporation, Symantec Eraser Utility Driver)
0xF7271000 Mup.sys 106496 bytes (Microsoft Corporation, Multiple UNC Provider driver)
0xF7411000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)
0xA752D000 C:\WINDOWS\System32\Drivers\dump_atapi.sys 98304 bytes
0xF7345000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0xF56DA000 C:\WINDOWS\system32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
0xA71A8000 C:\WINDOWS\system32\drivers\wdmaud.sys 86016 bytes (Microsoft Corporation, MMSYSTEM Wave/Midi API mapper)
0xA55E8000 C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\VirusDefs\20100728.002\NAVENG.SYS 81920 bytes (Symantec Corporation, AV Engine)
0xF5730000 C:\WINDOWS\system32\DRIVERS\parport.sys 81920 bytes (Microsoft Corporation, Parallel Port Driver)
0xF5790000 C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver)
0xA9092000 C:\WINDOWS\system32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver)
0xBF000000 C:\WINDOWS\System32\drivers\dxg.sys 73728 bytes (Microsoft Corporation, DirectX Graphics Driver)
0xBF012000 C:\WINDOWS\System32\igxprd32.dll 73728 bytes (Intel Corporation, Intel Graphics 2D Rotation Driver)
0xF7389000 sr.sys 73728 bytes (Microsoft Corporation, System Restore Filesystem Filter Driver)
0xF7448000 pci.sys 69632 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
0xF56C9000 C:\WINDOWS\system32\DRIVERS\psched.sys 69632 bytes (Microsoft Corporation, MS QoS Packet Scheduler)
0xF5D6A000 C:\WINDOWS\System32\Drivers\Cdfs.SYS 65536 bytes (Microsoft Corporation, CD-ROM File System Driver)
0xF7678000 C:\WINDOWS\system32\DRIVERS\cdrom.sys 65536 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
0xA7E85000 C:\WINDOWS\system32\DRIVERS\rspndr.sys 65536 bytes (Microsoft Corporation, Link-Layer Topology Responder Driver for NDIS 6)
0xF7658000 C:\WINDOWS\system32\DRIVERS\serial.sys 65536 bytes (Microsoft Corporation, Serial Device Driver)
0xF7768000 C:\WINDOWS\system32\drivers\drmk.sys 61440 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
0xF7688000 C:\WINDOWS\system32\DRIVERS\redbook.sys 61440 bytes (Microsoft Corporation, Redbook Audio Filter Driver)
0xA72F5000 C:\WINDOWS\system32\drivers\sysaudio.sys 61440 bytes (Microsoft Corporation, System Audio WDM Filter)
0xF5D8A000 C:\WINDOWS\system32\drivers\usbaudio.sys 61440 bytes (Microsoft Corporation, USB Audio Class Driver)
0xF7778000 C:\WINDOWS\system32\DRIVERS\usbhub.sys 61440 bytes (Microsoft Corporation, Default Hub Driver for USB)
0xF75C8000 C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS 53248 bytes (Microsoft Corporation, SCSI Class System Dll)
0xF7648000 C:\WINDOWS\system32\DRIVERS\i8042prt.sys 53248 bytes (Microsoft Corporation, i8042 Port Driver)
0xF7638000 C:\WINDOWS\system32\DRIVERS\l251x86.sys 53248 bytes (Atheros Communications, Inc., Atheros Fast Ethernet Controller ndis miniport driver)
0xF76E8000 C:\WINDOWS\system32\DRIVERS\rasl2tp.sys 53248 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
0xF75A8000 VolSnap.sys 53248 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0xF7708000 C:\WINDOWS\system32\DRIVERS\raspptp.sys 49152 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
0xF5DBA000 C:\WINDOWS\System32\Drivers\Fips.SYS 45056 bytes (Microsoft Corporation, FIPS Crypto Driver)
0xF7668000 C:\WINDOWS\system32\DRIVERS\imapi.sys 45056 bytes (Microsoft Corporation, IMAPI Kernel Driver)
0xF7598000 MountMgr.sys 45056 bytes (Microsoft Corporation, Mount Manager)
0xF76F8000 C:\WINDOWS\system32\DRIVERS\raspppoe.sys 45056 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
0xF7588000 isapnp.sys 40960 bytes (Microsoft Corporation, PNP ISA Bus Driver)
0xF7738000 C:\WINDOWS\System32\Drivers\NDProxy.SYS 40960 bytes (Microsoft Corporation, NDIS Proxy)
0xF5DCA000 C:\WINDOWS\system32\drivers\N360\0402000.00C\SRTSPX.SYS 40960 bytes (Symantec Corporation, Symantec AutoProtect)
0xF7728000 C:\WINDOWS\system32\DRIVERS\termdd.sys 40960 bytes (Microsoft Corporation, Terminal Server Driver)
0xF75B8000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver)
0xF7628000 C:\WINDOWS\system32\DRIVERS\intelppm.sys 36864 bytes (Microsoft Corporation, Processor Device Driver)
0xF5D9A000 C:\WINDOWS\system32\drivers\LVUSBSta.sys 36864 bytes (Logitech Inc., USB Statistic Driver)
0xF7718000 C:\WINDOWS\system32\DRIVERS\msgpc.sys 36864 bytes (Microsoft Corporation, MS General Packet Classifier)
0xF7798000 C:\WINDOWS\system32\DRIVERS\netbios.sys 36864 bytes (Microsoft Corporation, NetBIOS interface driver)
0xA5938000 C:\WINDOWS\System32\Drivers\Normandy.SYS 36864 bytes (RKU Driver)
0xF5DAA000 C:\WINDOWS\system32\DRIVERS\wanarp.sys 36864 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
0xF7928000 C:\combo-fix\catchme.sys 32768 bytes
0xF7898000 C:\WINDOWS\System32\Drivers\Npfs.SYS 32768 bytes (Microsoft Corporation, NPFS Driver)
0xF78A8000 C:\WINDOWS\system32\DRIVERS\usbccgp.sys 32768 bytes (Microsoft Corporation, USB Common Class Generic Parent Driver)
0xF7988000 C:\WINDOWS\system32\DRIVERS\usbehci.sys 32768 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
0xF7990000 C:\WINDOWS\system32\DRIVERS\fdc.sys 28672 bytes (Microsoft Corporation, Floppy Disk Controller Driver)
0xF7808000 C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS 28672 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
0xF7858000 C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys 24576 bytes (GEAR Software Inc., CD DVD Filter)
0xF7820000 C:\WINDOWS\system32\DRIVERS\kbdclass.sys 24576 bytes (Microsoft Corporation, Keyboard Class Driver)
0xF7958000 C:\DOCUME~1\Owner\LOCALS~1\Temp\mbr.sys 24576 bytes
0xF7850000 C:\WINDOWS\system32\DRIVERS\mouclass.sys 24576 bytes (Microsoft Corporation, Mouse Class Driver)
0xF7980000 C:\WINDOWS\system32\DRIVERS\usbuhci.sys 24576 bytes (Microsoft Corporation, UHCI USB Miniport Driver)
0xF7888000 C:\WINDOWS\System32\drivers\vga.sys 24576 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
0xF7878000 C:\WINDOWS\system32\DRIVERS\flpydisk.sys 20480 bytes (Microsoft Corporation, Floppy Driver)
0xF7908000 C:\WINDOWS\system32\DRIVERS\LVPr2Mon.sys 20480 bytes (-, -)
0xF7890000 C:\WINDOWS\System32\Drivers\Msfs.SYS 20480 bytes (Microsoft Corporation, Mailslot driver)
0xF7810000 PartMgr.sys 20480 bytes (Microsoft Corporation, Partition Manager)
0xF7868000 C:\WINDOWS\system32\DRIVERS\ptilink.sys 20480 bytes (Parallel Technologies, Inc., Parallel Technologies DirectParallel IO Library)
0xF7870000 C:\WINDOWS\system32\DRIVERS\raspti.sys 20480 bytes (Microsoft Corporation, PTI DirectParallel(R) mini-port/call-manager driver)
0xF7860000 C:\WINDOWS\system32\DRIVERS\TDI.SYS 20480 bytes (Microsoft Corporation, TDI Wrapper)
0xF78C0000 C:\WINDOWS\System32\watchdog.sys 20480 bytes (Microsoft Corporation, Watchdog Driver)
0xF6ACB000 C:\WINDOWS\system32\DRIVERS\mssmbios.sys 16384 bytes (Microsoft Corporation, System Management BIOS Driver)
0xA741D000 C:\WINDOWS\system32\DRIVERS\ndisuio.sys 16384 bytes (Microsoft Corporation, NDIS User mode I/O Driver)
0xF6ADF000 C:\WINDOWS\system32\DRIVERS\serenum.sys 16384 bytes (Microsoft Corporation, Serial Port Enumerator)
0xF7998000 C:\WINDOWS\system32\BOOTVID.dll 12288 bytes (Microsoft Corporation, VGA Boot Driver)
0xAA2F2000 C:\WINDOWS\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver)
0xF7A7C000 C:\WINDOWS\System32\Drivers\Fs_Rec.SYS 12288 bytes (Microsoft Corporation, File System Recognizer Driver)
0xF6AD7000 C:\WINDOWS\system32\DRIVERS\ndistapi.sys 12288 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
0xF7A80000 C:\WINDOWS\system32\DRIVERS\rasacd.sys 12288 bytes (Microsoft Corporation, RAS Automatic Connection Driver)
0xF7ADC000 C:\WINDOWS\system32\DRIVERS\ASACPI.sys 8192 bytes (-, ATK0110 ACPI Utility)
0xF7AFC000 C:\WINDOWS\System32\Drivers\Beep.SYS 8192 bytes (Microsoft Corporation, BEEP Driver)
0xF7B08000 C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS 8192 bytes
0xF7A88000 C:\WINDOWS\system32\KDCOM.DLL 8192 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
0xF7B02000 C:\WINDOWS\system32\DRIVERS\lv302af.sys 8192 bytes (Logitech Inc., Audio filter for Express Plus)
0xF7AFE000 C:\WINDOWS\System32\Drivers\mnmdd.SYS 8192 bytes (Microsoft Corporation, Frame buffer simulator)
0xF7AEC000 C:\WINDOWS\System32\Drivers\ParVdm.SYS 8192 bytes (Microsoft Corporation, VDM Parallel Driver)
0xF7AD8000 C:\WINDOWS\system32\Drivers\PROCEXP113.SYS 8192 bytes
0xF7B00000 C:\WINDOWS\System32\DRIVERS\RDPCDD.sys 8192 bytes (Microsoft Corporation, RDP Miniport)
0xF7AF0000 C:\WINDOWS\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
0xF7AFA000 C:\WINDOWS\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
0xF7A8A000 C:\WINDOWS\system32\DRIVERS\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
0xF7C1B000 C:\WINDOWS\system32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver)
0xF7BD7000 C:\WINDOWS\System32\drivers\dxgthk.sys 4096 bytes (Microsoft Corporation, DirectX Graphics Driver Thunk)
0xF7C01000 C:\WINDOWS\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver)
0xF7B50000 pciide.sys 4096 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)
==============================================
>Stealth
==============================================
==============================================
>Files
==============================================
==============================================
>Hooks
==============================================
ntkrnlpa.exe+0x0002D4B0, Type: Inline - RelativeJump 0x805044B0-->8050450C [ntkrnlpa.exe]
ntkrnlpa.exe+0x0006ECAE, Type: Inline - RelativeJump 0x80545CAE-->80545CB5 [ntkrnlpa.exe]
[2120]IEXPLORE.EXE-->advapi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77DD1218-->00000000 [shimeng.dll]
[2120]IEXPLORE.EXE-->advapi32.dll-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x77DD1214-->00000000 [aclayers.dll]
[2120]IEXPLORE.EXE-->advapi32.dll-->kernel32.dll-->LoadLibraryExW, Type: IAT modification 0x77DD105C-->00000000 [aclayers.dll]
[2120]IEXPLORE.EXE-->advapi32.dll-->kernel32.dll-->LoadLibraryW, Type: IAT modification 0x77DD11E0-->00000000 [aclayers.dll]
[2120]IEXPLORE.EXE-->gdi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77F110B4-->00000000 [shimeng.dll]
[2120]IEXPLORE.EXE-->gdi32.dll-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x77F11084-->00000000 [aclayers.dll]
[2120]IEXPLORE.EXE-->gdi32.dll-->kernel32.dll-->LoadLibraryExW, Type: IAT modification 0x77F11078-->00000000 [aclayers.dll]
[2120]IEXPLORE.EXE-->gdi32.dll-->kernel32.dll-->LoadLibraryW, Type: IAT modification 0x77F110B8-->00000000 [aclayers.dll]
[2120]IEXPLORE.EXE-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x0040106C-->00000000 [shimeng.dll]
[2120]IEXPLORE.EXE-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x00401098-->00000000 [aclayers.dll]
[2120]IEXPLORE.EXE-->kernel32.dll-->LoadLibraryExW, Type: IAT modification 0x004010E8-->00000000 [aclayers.dll]
[2120]IEXPLORE.EXE-->kernel32.dll-->LoadLibraryW, Type: IAT modification 0x004010C0-->00000000 [aclayers.dll]
[2120]IEXPLORE.EXE-->mswsock.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x71A51178-->00000000 [shimeng.dll]
[2120]IEXPLORE.EXE-->mswsock.dll-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x71A51184-->00000000 [aclayers.dll]
[2120]IEXPLORE.EXE-->mswsock.dll-->kernel32.dll-->LoadLibraryW, Type: IAT modification 0x71A511A0-->00000000 [aclayers.dll]
[2120]IEXPLORE.EXE-->ntdll.dll+0x00015CCE, Type: Inline - RelativeJump 0x7C915CCE-->00000000 [unknown_code_page]
[2120]IEXPLORE.EXE-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump 0x7C915CD3-->00000000 [ntdll.dll]
[2120]IEXPLORE.EXE-->shell32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7C9C15A4-->00000000 [shimeng.dll]
[2120]IEXPLORE.EXE-->shell32.dll-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x7C9C13E8-->00000000 [aclayers.dll]
[2120]IEXPLORE.EXE-->shell32.dll-->kernel32.dll-->LoadLibraryExA, Type: IAT modification 0x7C9C163C-->00000000 [aclayers.dll]
[2120]IEXPLORE.EXE-->shell32.dll-->kernel32.dll-->LoadLibraryExW, Type: IAT modification 0x7C9C161C-->00000000 [aclayers.dll]
[2120]IEXPLORE.EXE-->shell32.dll-->kernel32.dll-->LoadLibraryW, Type: IAT modification 0x7C9C15A0-->00000000 [aclayers.dll]
[2120]IEXPLORE.EXE-->user32.dll-->CallNextHookEx, Type: Inline - RelativeJump 0x7E42B3C6-->00000000 [ieframe.dll]
[2120]IEXPLORE.EXE-->user32.dll-->CreateWindowExW, Type: Inline - RelativeJump 0x7E42D0A3-->00000000 [ieframe.dll]
[2120]IEXPLORE.EXE-->user32.dll-->DialogBoxIndirectParamA, Type: Inline - RelativeJump 0x7E456D7D-->00000000 [ieframe.dll]
[2120]IEXPLORE.EXE-->user32.dll-->DialogBoxIndirectParamW, Type: Inline - RelativeJump 0x7E432072-->00000000 [ieframe.dll]
[2120]IEXPLORE.EXE-->user32.dll-->DialogBoxParamA, Type: Inline - RelativeJump 0x7E43B144-->00000000 [ieframe.dll]
[2120]IEXPLORE.EXE-->user32.dll-->DialogBoxParamW, Type: Inline - RelativeJump 0x7E4247AB-->00000000 [ieframe.dll]
[2120]IEXPLORE.EXE-->user32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7E41133C-->00000000 [shimeng.dll]
[2120]IEXPLORE.EXE-->user32.dll-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x7E4112F4-->00000000 [aclayers.dll]
[2120]IEXPLORE.EXE-->user32.dll-->kernel32.dll-->LoadLibraryExW, Type: IAT modification 0x7E411208-->00000000 [aclayers.dll]
[2120]IEXPLORE.EXE-->user32.dll-->kernel32.dll-->LoadLibraryW, Type: IAT modification 0x7E411340-->00000000 [aclayers.dll]
[2120]IEXPLORE.EXE-->user32.dll-->MessageBoxExA, Type: Inline - RelativeJump 0x7E45085C-->00000000 [ieframe.dll]
[2120]IEXPLORE.EXE-->user32.dll-->MessageBoxExW, Type: Inline - RelativeJump 0x7E450838-->00000000 [ieframe.dll]
[2120]IEXPLORE.EXE-->user32.dll-->MessageBoxIndirectA, Type: Inline - RelativeJump 0x7E43A082-->00000000 [ieframe.dll]
[2120]IEXPLORE.EXE-->user32.dll-->MessageBoxIndirectW, Type: Inline - RelativeJump 0x7E4664D5-->00000000 [ieframe.dll]
[2120]IEXPLORE.EXE-->user32.dll-->SetWindowsHookExW, Type: Inline - RelativeJump 0x7E42820F-->00000000 [ieframe.dll]
[2120]IEXPLORE.EXE-->user32.dll-->UnhookWindowsHookEx, Type: Inline - RelativeJump 0x7E42D5F3-->00000000 [ieframe.dll]
[2120]IEXPLORE.EXE-->wininet.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x3D9314B0-->00000000 [shimeng.dll]
[2120]IEXPLORE.EXE-->wininet.dll-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x3D9314B4-->00000000 [aclayers.dll]
[2120]IEXPLORE.EXE-->wininet.dll-->kernel32.dll-->LoadLibraryExW, Type: IAT modification 0x3D931450-->00000000 [aclayers.dll]
[2120]IEXPLORE.EXE-->wininet.dll-->kernel32.dll-->LoadLibraryW, Type: IAT modification 0x3D931350-->00000000 [aclayers.dll]
[2120]IEXPLORE.EXE-->ws2_32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x71AB109C-->00000000 [shimeng.dll]
[2120]IEXPLORE.EXE-->ws2_32.dll-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x71AB10A8-->00000000 [aclayers.dll]
[2528]YahooMessenger.exe-->gdi32.dll-->GetStockObject, Type: IAT modification 0x00747190-->00000000 [yui.dll]
[2528]YahooMessenger.exe-->gdi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77F110B4-->00000000 [yui.dll]
[2528]YahooMessenger.exe-->gdi32.dll-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x77F11084-->00000000 [yui.dll]
[2528]YahooMessenger.exe-->gdi32.dll-->kernel32.dll-->LoadLibraryExW, Type: IAT modification 0x77F11078-->00000000 [yui.dll]
[2528]YahooMessenger.exe-->gdi32.dll-->kernel32.dll-->LoadLibraryW, Type: IAT modification 0x77F110B8-->00000000 [yui.dll]
[2528]YahooMessenger.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x00747398-->00000000 [yui.dll]
[2528]YahooMessenger.exe-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x007473C8-->00000000 [yui.dll]
[2528]YahooMessenger.exe-->kernel32.dll-->LoadLibraryExW, Type: IAT modification 0x00747434-->00000000 [yui.dll]
[2528]YahooMessenger.exe-->kernel32.dll-->LoadLibraryW, Type: IAT modification 0x007473D8-->00000000 [yui.dll]
[2528]YahooMessenger.exe-->shell32.dll-->gdi32.dll-->GetStockObject, Type: IAT modification 0x7C9C1134-->00000000 [yui.dll]
[2528]YahooMessenger.exe-->shell32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7C9C15A4-->00000000 [yui.dll]
[2528]YahooMessenger.exe-->shell32.dll-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x7C9C13E8-->00000000 [yui.dll]
[2528]YahooMessenger.exe-->shell32.dll-->kernel32.dll-->LoadLibraryExA, Type: IAT modification 0x7C9C163C-->00000000 [yui.dll]
[2528]YahooMessenger.exe-->shell32.dll-->kernel32.dll-->LoadLibraryExW, Type: IAT modification 0x7C9C161C-->00000000 [yui.dll]
[2528]YahooMessenger.exe-->shell32.dll-->kernel32.dll-->LoadLibraryW, Type: IAT modification 0x7C9C15A0-->00000000 [yui.dll]
[2528]YahooMessenger.exe-->shell32.dll-->user32.dll-->AnimateWindow, Type: IAT modification 0x7C9C1D18-->00000000 [yui.dll]
[2528]YahooMessenger.exe-->shell32.dll-->user32.dll-->DefWindowProcA, Type: IAT modification 0x7C9C1D48-->00000000 [yui.dll]
[2528]YahooMessenger.exe-->shell32.dll-->user32.dll-->DefWindowProcW, Type: IAT modification 0x7C9C1EA4-->00000000 [yui.dll]
[2528]YahooMessenger.exe-->shell32.dll-->user32.dll-->GetSysColor, Type: IAT modification 0x7C9C1E3C-->00000000 [yui.dll]
[2528]YahooMessenger.exe-->shell32.dll-->user32.dll-->GetSysColorBrush, Type: IAT modification 0x7C9C1EE4-->00000000 [yui.dll]
[2528]YahooMessenger.exe-->shell32.dll-->user32.dll-->TrackPopupMenu, Type: IAT modification 0x7C9C1F90-->00000000 [yui.dll]
[2528]YahooMessenger.exe-->shell32.dll-->user32.dll-->TrackPopupMenuEx, Type: IAT modification 0x7C9C1D34-->00000000 [yui.dll]
[2528]YahooMessenger.exe-->user32.dll-->DefWindowProcW, Type: IAT modification 0x00747C24-->00000000 [yui.dll]
[2528]YahooMessenger.exe-->user32.dll-->gdi32.dll-->GetStockObject, Type: IAT modification 0x7E411130-->00000000 [yui.dll]
[2528]YahooMessenger.exe-->user32.dll-->GetSysColor, Type: IAT modification 0x00747C28-->00000000 [yui.dll]
[2528]YahooMessenger.exe-->user32.dll-->GetSysColorBrush, Type: IAT modification 0x00747D38-->00000000 [yui.dll]
[2528]YahooMessenger.exe-->user32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7E41133C-->00000000 [yui.dll]
[2528]YahooMessenger.exe-->user32.dll-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x7E4112F4-->00000000 [yui.dll]
[2528]YahooMessenger.exe-->user32.dll-->kernel32.dll-->LoadLibraryExW, Type: IAT modification 0x7E411208-->00000000 [yui.dll]
[2528]YahooMessenger.exe-->user32.dll-->kernel32.dll-->LoadLibraryW, Type: IAT modification 0x7E411340-->00000000 [yui.dll]
[2528]YahooMessenger.exe-->user32.dll-->TrackPopupMenu, Type: IAT modification 0x00747DF4-->00000000 [yui.dll]
[2528]YahooMessenger.exe-->user32.dll-->TrackPopupMenuEx, Type: IAT modification 0x00747E7C-->00000000 [yui.dll]
[2840]explorer.exe-->advapi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77DD1218-->00000000 [shimeng.dll]
[2840]explorer.exe-->gdi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77F110B4-->00000000 [shimeng.dll]
[2840]explorer.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x01001268-->00000000 [shimeng.dll]
[2840]explorer.exe-->shell32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7C9C15A4-->00000000 [shimeng.dll]
[2840]explorer.exe-->user32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7E41133C-->00000000 [shimeng.dll]
[2840]explorer.exe-->wininet.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x3D9314B0-->00000000 [shimeng.dll]
[2840]explorer.exe-->ws2_32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x71AB109C-->00000000 [shimeng.dll]
[3416]LWS.exe-->kernel32.dll-->FindResourceA, Type: IAT modification 0x0050A2F4-->00000000 [LWS.exe]
[3416]LWS.exe-->kernel32.dll-->FindResourceExW, Type: IAT modification 0x0050A2F0-->00000000 [LWS.exe]
[3416]LWS.exe-->kernel32.dll-->FindResourceW, Type: IAT modification 0x0050A4CC-->00000000 [LWS.exe]
[3416]LWS.exe-->kernel32.dll-->FreeResource, Type: IAT modification 0x0050A3F8-->00000000 [LWS.exe]
[3416]LWS.exe-->kernel32.dll-->GetProfileIntA, Type: IAT modification 0x0050A2EC-->00000000 [LWS.exe]
[3416]LWS.exe-->kernel32.dll-->GetProfileIntW, Type: IAT modification 0x0050A388-->00000000 [LWS.exe]
[3416]LWS.exe-->kernel32.dll-->LoadResource, Type: IAT modification 0x0050A4D0-->00000000 [LWS.exe]
[3416]LWS.exe-->kernel32.dll-->LockResource, Type: IAT modification 0x0050A4D4-->00000000 [LWS.exe]
[3416]LWS.exe-->kernel32.dll-->SizeofResource, Type: IAT modification 0x0050A4D8-->00000000 [LWS.exe]
[3416]LWS.exe-->user32.dll-->LoadMenuA, Type: IAT modification 0x0050A7E0-->00000000 [LWS.exe]
[3416]LWS.exe-->user32.dll-->LoadMenuW, Type: IAT modification 0x0050A6E8-->00000000 [LWS.exe]
[3416]LWS.exe-->user32.dll-->LoadStringA, Type: IAT modification 0x0050A7DC-->00000000 [LWS.exe]
[3416]LWS.exe-->user32.dll-->LoadStringW, Type: IAT modification 0x0050A7D8-->00000000 [LWS.exe]
[3856]IEXPLORE.EXE-->advapi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77DD1218-->00000000 [shimeng.dll]
[3856]IEXPLORE.EXE-->advapi32.dll-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x77DD1214-->00000000 [aclayers.dll]
[3856]IEXPLORE.EXE-->advapi32.dll-->kernel32.dll-->LoadLibraryExW, Type: IAT modification 0x77DD105C-->00000000 [aclayers.dll]
[3856]IEXPLORE.EXE-->advapi32.dll-->kernel32.dll-->LoadLibraryW, Type: IAT modification 0x77DD11E0-->00000000 [aclayers.dll]
[3856]IEXPLORE.EXE-->gdi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77F110B4-->00000000 [shimeng.dll]
[3856]IEXPLORE.EXE-->gdi32.dll-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x77F11084-->00000000 [aclayers.dll]
[3856]IEXPLORE.EXE-->gdi32.dll-->kernel32.dll-->LoadLibraryExW, Type: IAT modification 0x77F11078-->00000000 [aclayers.dll]
[3856]IEXPLORE.EXE-->gdi32.dll-->kernel32.dll-->LoadLibraryW, Type: IAT modification 0x77F110B8-->00000000 [aclayers.dll]
[3856]IEXPLORE.EXE-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x0040106C-->00000000 [shimeng.dll]
[3856]IEXPLORE.EXE-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x00401098-->00000000 [aclayers.dll]
[3856]IEXPLORE.EXE-->kernel32.dll-->LoadLibraryExW, Type: IAT modification 0x004010E8-->00000000 [aclayers.dll]
[3856]IEXPLORE.EXE-->kernel32.dll-->LoadLibraryW, Type: IAT modification 0x004010C0-->00000000 [aclayers.dll]
[3856]IEXPLORE.EXE-->mswsock.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x71A51178-->00000000 [shimeng.dll]
[3856]IEXPLORE.EXE-->mswsock.dll-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x71A51184-->00000000 [aclayers.dll]
[3856]IEXPLORE.EXE-->mswsock.dll-->kernel32.dll-->LoadLibraryW, Type: IAT modification 0x71A511A0-->00000000 [aclayers.dll]
[3856]IEXPLORE.EXE-->shell32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7C9C15A4-->00000000 [shimeng.dll]
[3856]IEXPLORE.EXE-->shell32.dll-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x7C9C13E8-->00000000 [aclayers.dll]
[3856]IEXPLORE.EXE-->shell32.dll-->kernel32.dll-->LoadLibraryExA, Type: IAT modification 0x7C9C163C-->00000000 [aclayers.dll]
[3856]IEXPLORE.EXE-->shell32.dll-->kernel32.dll-->LoadLibraryExW, Type: IAT modification 0x7C9C161C-->00000000 [aclayers.dll]
[3856]IEXPLORE.EXE-->shell32.dll-->kernel32.dll-->LoadLibraryW, Type: IAT modification 0x7C9C15A0-->00000000 [aclayers.dll]
[3856]IEXPLORE.EXE-->user32.dll-->CreateWindowExW, Type: Inline - RelativeJump 0x7E42D0A3-->00000000 [ieframe.dll]
[3856]IEXPLORE.EXE-->user32.dll-->DialogBoxIndirectParamA, Type: Inline - RelativeJump 0x7E456D7D-->00000000 [ieframe.dll]
[3856]IEXPLORE.EXE-->user32.dll-->DialogBoxIndirectParamW, Type: Inline - RelativeJump 0x7E432072-->00000000 [ieframe.dll]
[3856]IEXPLORE.EXE-->user32.dll-->DialogBoxParamA, Type: Inline - RelativeJump 0x7E43B144-->00000000 [ieframe.dll]
[3856]IEXPLORE.EXE-->user32.dll-->DialogBoxParamW, Type: Inline - RelativeJump 0x7E4247AB-->00000000 [ieframe.dll]
[3856]IEXPLORE.EXE-->user32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7E41133C-->00000000 [shimeng.dll]
[3856]IEXPLORE.EXE-->user32.dll-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x7E4112F4-->00000000 [aclayers.dll]
[3856]IEXPLORE.EXE-->user32.dll-->kernel32.dll-->LoadLibraryExW, Type: IAT modification 0x7E411208-->00000000 [aclayers.dll]
[3856]IEXPLORE.EXE-->user32.dll-->kernel32.dll-->LoadLibraryW, Type: IAT modification 0x7E411340-->00000000 [aclayers.dll]
[3856]IEXPLORE.EXE-->user32.dll-->MessageBoxExA, Type: Inline - RelativeJump 0x7E45085C-->00000000 [ieframe.dll]
[3856]IEXPLORE.EXE-->user32.dll-->MessageBoxExW, Type: Inline - RelativeJump 0x7E450838-->00000000 [ieframe.dll]
[3856]IEXPLORE.EXE-->user32.dll-->MessageBoxIndirectA, Type: Inline - RelativeJump 0x7E43A082-->00000000 [ieframe.dll]
[3856]IEXPLORE.EXE-->user32.dll-->MessageBoxIndirectW, Type: Inline - RelativeJump 0x7E4664D5-->00000000 [ieframe.dll]
[3856]IEXPLORE.EXE-->wininet.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x3D9314B0-->00000000 [shimeng.dll]
[3856]IEXPLORE.EXE-->wininet.dll-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x3D9314B4-->00000000 [aclayers.dll]
[3856]IEXPLORE.EXE-->wininet.dll-->kernel32.dll-->LoadLibraryExW, Type: IAT modification 0x3D931450-->00000000 [aclayers.dll]
[3856]IEXPLORE.EXE-->wininet.dll-->kernel32.dll-->LoadLibraryW, Type: IAT modification 0x3D931350-->00000000 [aclayers.dll]
[3856]IEXPLORE.EXE-->ws2_32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x71AB109C-->00000000 [shimeng.dll]
[3856]IEXPLORE.EXE-->ws2_32.dll-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x71AB10A8-->00000000 [aclayers.dll]
[744]searchindexer.exe-->kernel32.dll-->WriteFile, Type: Inline - RelativeJump 0x7C810E27-->00000000 [mssrch.dll]
[744]searchindexer.exe-->kernel32.dll-->WriteFile, Type: Inline - SEH 0x7C810E2C [unknown_code_page]
[744]searchindexer.exe-->kernel32.dll-->WriteFile, Type: Inline - SEH 0x7C810E2D [unknown_code_page]

descriptionWhistler Bootkit O.o EmptyRe: Whistler Bootkit O.o

more_horiz
!!POSSIBLE ROOTKIT ACTIVITY DETECTED!! =)


P.S My Norton Was Going Off Like Crazy Forcing Me To Reboot...While That Scann Was Going On...Is That Normal?

descriptionWhistler Bootkit O.o EmptyRe: Whistler Bootkit O.o

more_horiz
Please disable Norton products, see here: http://www.bleepingcomputer.com/forums/topic114351.html

Then, re-run RootkitUnhooker and post a log.

descriptionWhistler Bootkit O.o EmptyRe: Whistler Bootkit O.o

more_horiz
ok will do...

descriptionWhistler Bootkit O.o EmptyRe: Whistler Bootkit O.o

more_horiz
privacy_tip Permissions in this forum:
You cannot reply to topics in this forum